Managing access to mobile devices

Kaspersky Endpoint Security lets you manage Android and iOS mobile devices. Mobile devices belong to the category of portable devices (MTP). Therefore, to configure access to mobile devices, you must edit the access settings for portable devices (MTP).

When a mobile device is connected to the computer, the operating system determines the device type. If Android Debug Bridge (ADB), iTunes or their equivalent applications are installed on the computer, the operating system identifies mobile devices as ADB or iTunes devices. In all other cases, the operating system may identify the mobile device type as a portable device (MTP) for file transfer, a PTP device (camera) for image transfer, or another device. The device type depends on the model of the mobile device and the selected USB connection mode. Kaspersky Endpoint Security lets you configure individual access rules for mobile devices in the ADB application. In all other cases, Device Control allows access to mobile devices in accordance with portable devices (MTP) access rules, including access to mobile devices in the iTunes application.

Access to mobile devices

Mobile devices belong to the category of portable devices (MTP), therefore the settings for them are the same. You can select one of the following modes of access to mobile devices:

Allow . Kaspersky Endpoint Security allows full access to mobile devices. You can open, create, modify, copy, or delete files on mobile devices using the file manager or ADB and iTunes applications. You can also charge the battery of the device by connecting the mobile device to a USB port of the computer.
Block . Kaspersky Endpoint Security restricts access to mobile devices in the file manager and ADB and iTunes applications. The application allows access only to trusted mobile devices. You can also charge the battery of the device by connecting the mobile device to a USB port of the computer.
Depends on connection bus . Kaspersky Endpoint Security allows connecting to mobile devices in accordance with the USB connection status (Allow or Block ).
By rules . Kaspersky Endpoint Security restricts access to mobile devices in accordance with rules. In the rules, you can configure access rights (read / write) to portable devices (MTP), select users or a group of users that can have access to portable devices (MTP), and configure an access schedule for portable devices. You can also restrict access to devices using the ADB application.

Configuring mobile device access rules

How to configure mobile device access rules in Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the console tree, select Policies.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Security Controls → Device Control.
Under Device Control settings, select the Types of devices tab.
The table lists access rules for all devices that are present in the classification of the Device Control component.
In the context menu for the Portable devices (MTP) device type, configure the mobile device access mode: Allow , Block , or Depends on connection bus .
To configure mobile device access rules, double-click to open the list of rules.
Configure the mobile device access rule:
1. In the Access rules block, click the Add button.
  This opens a window for adding a new mobile device access rule.
2. Assign a priority to the rule entry. A rule includes the following attributes: user account, schedule, permissions (read / write / ADB access), and priority.
  A rule has a specific priority. If a user has been added to multiple groups, Kaspersky Endpoint Security regulates device access based on the rule with the highest priority. Kaspersky Endpoint Security allows to assign priority from 0 to 10,000. The higher the value, the higher the priority. In other words, an entry with the value of 0 has the lowest priority.
  
  For example, you can grant read-only permissions to the Everyone group and grant read/write permissions to the administrators group. To do so, assign a priority of 1 for the administrators group and assign a priority of 0 for the Everyone group.
  
  The priority of a block rule is higher than the priority of an allow rule. In other words, if a user has been added to multiple groups and the priority of all rules are the same, Kaspersky Endpoint Security regulates device access based on any existing block rule.
3. Under Rule for users and groups, select users or groups of users.
4. Click OK.
Under Schedules for the selected access rule, configure a mobile device access schedule for users.
Configuring a separate access schedule for ADB devices is not possible. You can configure a common access schedule for ADB devices and portable devices (MTP).
Configure mobile device access permissions for users.
Save your changes.

How to configure mobile device access rules in Web Console and Cloud Console

In the main window of the Web Console, select Devices → Policies & Profiles.
Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
Select the Application settings tab.
Go to Security Controls → Device Control.
In the Device Control Settings block, click the Access rules for devices and Wi-Fi networks link.
The table lists access rules for all devices that are present in the classification of the Device Control component.
Select the Portable devices (MTP) device type.
This opens portable devices (MTP) access rights.
Under Configuring device access rules, configure the mobile devices access mode: Allow, Block, Depends on connection bus, or By rules.
If you select the By rules mode, you must add access rules for devices. To do so, under Users' rules, click the Add button and configure the mobile device access rule:
1. Under Users' rules, select users or groups of users for access to mobile devices.
2. Use the Access via ADB check box to configure access to mobile devices in the ADB application.
3. Assign a priority to the rule entry. A rule includes the following attributes: user account, schedule, permissions (read / write / ADB access), and priority.
  A rule has a specific priority. If a user has been added to multiple groups, Kaspersky Endpoint Security regulates device access based on the rule with the highest priority. Kaspersky Endpoint Security allows to assign priority from 0 to 10,000. The higher the value, the higher the priority. In other words, an entry with the value of 0 has the lowest priority.
  
  For example, you can grant read-only permissions to the Everyone group and grant read/write permissions to the administrators group. To do so, assign a priority of 1 for the administrators group and assign a priority of 0 for the Everyone group.
  
  The priority of a block rule is higher than the priority of an allow rule. In other words, if a user has been added to multiple groups and the priority of all rules are the same, Kaspersky Endpoint Security regulates device access based on any existing block rule.
4. Under Schedule for access to devices, configure a mobile device access schedule for users.
  Configuring a separate access schedule for ADB devices is not possible. You can configure a common access schedule for ADB devices and portable devices (MTP).
Save your changes.

How to configure mobile device access rules in the interface of the application

In the main application window, click the button.
In the application settings window, select Security Controls → Device Control.
In the Access settings block, click the Devices and Wi-Fi networks button.
The opened window shows access rules for all devices that are included in the Device Control component classification.
In the Access To Storage Devices block, click the Portable devices (MTP) link.
This opens a window containing the portable devices (MTP) access rules.
Under Access, configure the mobile devices access mode: Allow, Block, Depends on connection bus, or By rules.
If you select the By rules mode, you must add access rules for devices.
1. In the Users' rights block, click the Add button.
  This opens a window for adding a new mobile device access rule.
2. Assign a priority to the rule entry. A rule includes the following attributes: user account, schedule, permissions (read / write / ADB access), and priority.
  A rule has a specific priority. If a user has been added to multiple groups, Kaspersky Endpoint Security regulates device access based on the rule with the highest priority. Kaspersky Endpoint Security allows to assign priority from 0 to 10,000. The higher the value, the higher the priority. In other words, an entry with the value of 0 has the lowest priority.
  
  For example, you can grant read-only permissions to the Everyone group and grant read/write permissions to the administrators group. To do so, assign a priority of 1 for the administrators group and assign a priority of 0 for the Everyone group.
  
  The priority of a block rule is higher than the priority of an allow rule. In other words, if a user has been added to multiple groups and the priority of all rules are the same, Kaspersky Endpoint Security regulates device access based on any existing block rule.
3. Under State, turn on the mobile device access rule.
4. Under Access rulesconfigure mobile device access permissions for users.
5. Under Users, select users or groups of users for access to mobile devices.
6. Under Rule schedule, configure a device access schedule for users.
  Configuring a separate access schedule for ADB devices is not possible. You can configure a common access schedule for ADB devices and portable devices (MTP).
Save your changes.

As a result, user access to mobile devices is restricted in accordance with rules. If you have prohibited access to mobile devices in the ADB application, Kaspersky Endpoint Security displays a notification, and ADB does not detect the mobile device.

Trusted mobile devices

Trusted devices are devices to which users that are specified in the trusted device settings have full access at all times.

The procedure for adding a trusted mobile device is exactly the same as for other types of trusted devices. You can add a mobile device by ID or by device model.

To add a trusted mobile device by ID, you will need a unique ID (Hardware ID – HWID). You can find the ID in device properties by using operating system tools (see figure below). The Device Manager tool lets you do this. IDs of portable devices (MTP) and ADB devices are different even for the same mobile device. The ID of a portable device (MTP) may look like this: 15131JECB07440. The ID of an ADB device may look like this: 6&370DEC2A&0&0001. Adding devices by ID is convenient if you want to add several specific devices. You can also use masks.

If you installed the ADB application after connecting a device to the computer, the unique ID of the device may be reset. This means that Kaspersky Endpoint Security will identify this device as a new device. If a device is trusted, add the device to the trusted list again.

To add a trusted mobile device by device model, you will need its Vendor ID (VID) and Product ID (PID). You can find the IDs in device properties by using operating system tools (see figure below). Template for entering the VID and PID: VID_18D1&PID_4EE5. Adding devices by model is convenient if you use devices of a certain model in your organization. This way, you can add all devices of this model.

Portable device (MTP) properties window in Device Manager. ADB device properties window in Device Manager.

Device ID in Device Manager

Page top