Managing access to mobile devices
Kaspersky Endpoint Security allows you to control access to data on mobile devices running Android and iOS. Mobile devices belong to the category of portable devices (MTP). Therefore, to configure data access on mobile devices, you need to edit the access settings for portable devices (MTP).
When a mobile device is connected to the computer, the operating system determines the device type. If Android Debug Bridge (ADB), iTunes or their equivalent applications are installed on the computer, the operating system identifies mobile devices as ADB or iTunes devices. In all other cases, the operating system may identify the mobile device type as a portable device (MTP) for file transfer, a PTP device (camera) for image transfer, or another device. The device type depends on the model of the mobile device and the selected USB connection mode. Kaspersky Endpoint Security lets you configure individual access permissions for data on mobile devices in ADB applications, iTunes, or the file manager. In all other cases, Device Control allows access to mobile devices in accordance with portable devices (MTP) access rules.
Access to mobile devices
Mobile devices belong to the category of portable devices (MTP), therefore the settings for them are the same. You can select one of the following modes of access to mobile devices:
- Allow. Kaspersky Endpoint Security allows full access to mobile devices. You can open, create, modify, copy, or delete files on mobile devices using the file manager or ADB and iTunes applications. You can also charge the battery of the device by connecting the mobile device to a USB port of the computer.
- Block. Kaspersky Endpoint Security restricts access to mobile devices in the file manager and ADB and iTunes applications. The application allows access only to trusted mobile devices. You can also charge the battery of the device by connecting the mobile device to a USB port of the computer.
- Depends on connection bus. Kaspersky Endpoint Security allows connecting to mobile devices in accordance with the USB connection status (Allow or Block).
- By rules . Kaspersky Endpoint Security restricts access to mobile devices in accordance with rules. In the rules, you can configure access rights (read / write), select users or a group of users that can have access to mobile devices, and configure an access schedule for mobile devices. You can also restrict access to data on mobile devices through the ADB and iTunes applications.
Configuring mobile device access rules
Access rules for portable devices (MTP), ADB devices, and iTunes devices are configured differently. For portable devices (MTP) and ADB devices, you can configure rules for individual users or groups of users and create a schedule for when the rules will apply. For iTunes devices, you cannot do that. You can only allow or deny access to data through the iTunes application for all users.
How to configure mobile device access rules in Administration Console (MMC)
- Open the Kaspersky Security Center Administration Console.
- In the console tree, select Policies.
- Select the necessary policy and double-click to open the policy properties.
- In the policy window, select Security Controls → Device Control.
- Under Device Control settings, select the Types of devices tab.
The table lists access rules for all devices that are present in the classification of the Device Control component.
- In the context menu for the Portable devices (MTP) device type, configure the mobile device access mode: Allow, Block, or Depends on connection bus.
- To configure mobile device access rules, double-click to open the list of rules.
- Configure the mobile device access rule:
- In the Access rules block, click the Add button.
This opens a window for adding a new mobile device access rule.
- In the Priority field, set the rule priority. A rule includes the following attributes: user account, schedule, permissions (read / write / ADB access), and priority.
A rule has a specific priority. If a user has been added to multiple groups, Kaspersky Endpoint Security regulates device access based on the rule with the highest priority. Kaspersky Endpoint Security allows you to assign a priority from 0 to 10,000. The higher the value, the higher the priority. In other words, an entry with the value of 0 has the lowest priority.
For example, you can grant read-only permissions to the Everyone group and grant read/write permissions to the administrators group. To do so, assign a priority of 1 for the administrators group and assign a priority of 0 for the Everyone group.
The priority of a block rule is higher than the priority of an allow rule. In other words, if a user has been added to multiple groups and the priority of all rules is the same, Kaspersky Endpoint Security regulates device access based on any existing block rule.
- Under Rule for users and groups, select users or groups of users. Create a list of users from Active Directory.
- Click OK.
- Under Schedules for the selected access rule, configure a mobile device access schedule for users.
Configuring a separate access schedule for ADB devices is not possible. You can configure a common access schedule for ADB devices and portable devices (MTP).
- Configure users' access permissions to mobile devices in the file manager (Read / Write).
- Configure the access to data on a mobile device through the ADB application using the Access via ADB check box.
If the check box is cleared, when the mobile device is connected, the ADB application is prevented from detecting the device.
- Under Access via iTunes, configure access to data on the mobile device through the iTunes application.
Kaspersky Endpoint Security applies the settings for mobile device access through the iTunes application for all users. Configuring a separate access schedule for iTunes devices is not possible.
- Save your changes.
How to configure mobile device access rules in Web Console and Cloud Console
- In the main window of the Web Console, select Devices → Policies & profiles.
- Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
- Select the Application settings tab.
- Go to Security Controls → Device Control.
- In the Device Control Settings block, click the Access rules for devices and Wi-Fi networks link.
The table lists access rules for all devices that are present in the classification of the Device Control component.
- Select the Portable devices (MTP) device type.
This opens portable devices (MTP) access rights.
- Under Configuring device access rules, configure the mobile devices access mode: Allow, Block, Depends on connection bus, or By rules.
- If you select the By rules mode, you must add access rules for devices. To do so, under Users, click the Add button and configure the mobile device access rule:
- In the Rule of access to devices field, set the rule priority. A rule includes the following attributes: user account, schedule, permissions (read / write / ADB access), and priority.
A rule has a specific priority. If a user has been added to multiple groups, Kaspersky Endpoint Security regulates device access based on the rule with the highest priority. Kaspersky Endpoint Security allows you to assign a priority from 0 to 10,000. The higher the value, the higher the priority. In other words, an entry with the value of 0 has the lowest priority.
For example, you can grant read-only permissions to the Everyone group and grant read/write permissions to the administrators group. To do so, assign a priority of 1 for the administrators group and assign a priority of 0 for the Everyone group.
The priority of a block rule is higher than the priority of an allow rule. In other words, if a user has been added to multiple groups and the priority of all rules is the same, Kaspersky Endpoint Security regulates device access based on any existing block rule.
- Under Users, select users or groups of users for access to mobile devices. Create a list of users from Active Directory.
- Under Schedule for access to devices, configure a mobile device access schedule for users.
Configuring a separate access schedule for ADB devices is not possible. You can configure a common access schedule for ADB devices and portable devices (MTP).
- Configure users' access permissions to mobile devices in the file manager (Read / Write).
- Configure the access to data on a mobile device through the ADB application using the Access via ADB check box.
If the check box is cleared, when the mobile device is connected, the ADB application is prevented from detecting the device.
- Under Access via iTunes, configure access to data on the mobile device through the iTunes application.
Kaspersky Endpoint Security applies the settings for mobile device access through the iTunes application for all users. Configuring a separate access schedule for iTunes devices is not possible.
- Save your changes.
How to configure mobile device access rules in the interface of the application
- In the main application window, click the button.
- In the application settings window, select Security Controls → Device Control.
- In the Access settings block, click the Devices and Wi-Fi networks button.
The opened window shows access rules for all devices that are included in the Device Control component classification.
Types of devices in the Device Control component
- In the Access To Storage Devices block, click the Portable devices (MTP) link.
This opens a window containing the portable devices (MTP) access rules.
- Under Access, configure the mobile devices access mode: Allow, Block, Depends on connection bus, or By rules.
- If you select the By rules mode, you must add access rules for devices.
- In the Users' rights block, click the Add button.
This opens a window for adding a new mobile device access rule.
- In the Priority field, set the rule priority. A rule includes the following attributes: user account, schedule, permissions (read / write / ADB access), and priority.
A rule has a specific priority. If a user has been added to multiple groups, Kaspersky Endpoint Security regulates device access based on the rule with the highest priority. Kaspersky Endpoint Security allows you to assign a priority from 0 to 10,000. The higher the value, the higher the priority. In other words, an entry with the value of 0 has the lowest priority.
For example, you can grant read-only permissions to the Everyone group and grant read/write permissions to the administrators group. To do so, assign a priority of 1 for the administrators group and assign a priority of 0 for the Everyone group.
The priority of a block rule is higher than the priority of an allow rule. In other words, if a user has been added to multiple groups and the priority of all rules is the same, Kaspersky Endpoint Security regulates device access based on any existing block rule.
- Under State, turn on the mobile device access rule.
- Under Access rules, configure mobile device access permissions for users.
- Under Users, select users or groups of users for access to mobile devices. Create a list of users from Active Directory.
- Under Schedule for access to devices, configure a device access schedule for users.
Configuring a separate access schedule for ADB devices is not possible. You can configure a common access schedule for ADB devices and portable devices (MTP).
- Under Access via iTunes, configure access to data on the mobile device through the iTunes application.
Kaspersky Endpoint Security applies the settings for mobile device access through the iTunes application for all users. Configuring a separate access schedule for iTunes devices is not possible.
- Save your changes.
As a result, user access to mobile devices is restricted in accordance with the rules. If you have prohibited access to mobile devices in the ADB and iTunes applications, the ADB and iTunes applications are prevented from detecting a mobile device when it is connected.
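The three procedures above (Administration Console, Web Console and the local interface) all describe the same resolution logic for "By rules" mode: a rule carries a user or group, a schedule, permissions (read / write / access via ADB) and a priority from 0 to 10,000; a user who matches several rules gets the highest-priority one, and at equal priority a block rule beats an allow rule. The model below is an added example written for this page, not Kaspersky code; it reproduces that stated behaviour so the outcome for a user in several groups can be checked before a policy is rolled out. Class and field names, the treatment of a rule that grants nothing as a block rule, and the assumption that a user with no applicable rule gets no access are all assumptions. The first two rules are the documentation's own example; the third and the schedule are constructed.

```python
"""Model of how Device Control resolves "By rules" access for portable devices (MTP).

Added example, not Kaspersky code. Field and function names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional

MAX_PRIORITY = 10_000  # documented range: 0 .. 10,000, higher value wins


@dataclass(frozen=True)
class Schedule:
    """Days (0 = Monday .. 6 = Sunday) and hour range [start, end) during which a rule applies."""
    weekdays: frozenset = frozenset(range(7))
    start_hour: int = 0
    end_hour: int = 24

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start_hour <= when.hour < self.end_hour


@dataclass(frozen=True)
class Rule:
    principal: str              # Active Directory user or group the rule is written for
    priority: int               # 0 is the lowest priority, 10,000 the highest
    read: bool = False          # file-manager read permission
    write: bool = False         # file-manager write permission
    adb: bool = False           # "Access via ADB" check box
    schedule: Schedule = Schedule()

    def __post_init__(self) -> None:
        if not 0 <= self.priority <= MAX_PRIORITY:
            raise ValueError(f"priority {self.priority} outside 0..{MAX_PRIORITY}")

    @property
    def is_block(self) -> bool:
        # Assumption: a rule that grants no permission at all is a block rule.
        return not (self.read or self.write or self.adb)


@dataclass(frozen=True)
class Decision:
    read: bool
    write: bool
    adb: bool
    matched_by: Optional[str]   # principal of the winning rule, None if no rule applied


def resolve(rules: Iterable[Rule], user: str, groups: Iterable[str], when: datetime) -> Decision:
    """Pick the rule that governs `user` at time `when`.

    The user matches every rule written for the user or for one of the user's
    groups whose schedule is active. The rule with the highest priority wins;
    at equal priority a block rule wins over an allow rule.
    """
    principals = {user, *groups}
    matching = [r for r in rules if r.principal in principals and r.schedule.active(when)]
    if not matching:
        # Assumption: with no applicable rule the device stays inaccessible.
        return Decision(False, False, False, None)
    # Sort key: priority first, then "block beats allow" among equal priorities.
    winner = max(matching, key=lambda r: (r.priority, r.is_block))
    return Decision(winner.read, winner.write, winner.adb, winner.principal)


# Constructed rule set. The first two rules are the documentation's example
# (read-only for Everyone at priority 0, read/write for administrators at
# priority 1); the third shows the tie-breaking rule.
OFFICE_HOURS = Schedule(weekdays=frozenset(range(5)), start_hour=8, end_hour=18)
EXAMPLE_RULES = (
    Rule("Everyone", priority=0, read=True, schedule=OFFICE_HOURS),
    Rule("Administrators", priority=1, read=True, write=True, adb=True),
    Rule("Contractors", priority=1),   # block rule at the same priority as administrators
)

WORKDAY = datetime(2024, 3, 12, 10, 0)   # a Tuesday, 10:00 (constructed)
WEEKEND = datetime(2024, 3, 16, 10, 0)   # a Saturday, 10:00 (constructed)

if __name__ == "__main__":
    for who, grp in [("alice", {"Everyone", "Administrators"}),
                     ("bob", {"Everyone"}),
                     ("carol", {"Everyone", "Administrators", "Contractors"})]:
        print(who, resolve(EXAMPLE_RULES, who, grp, WORKDAY))
    print("bob on weekend", resolve(EXAMPLE_RULES, "bob", {"Everyone"}, WEEKEND))
```

The carol case is the one worth checking against a real policy: she is in Administrators (allow, priority 1) and in Contractors (block, priority 1), and the documented tie-break means the block rule decides, so the more permissive group membership does not help her. Bob loses access at the weekend only because the Everyone rule has a schedule; a user with no applicable rule at all is treated here as blocked, which is an assumption to verify in the product.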
Trusted mobile devices
Trusted devices are devices to which the users specified in the trusted device settings have full access at all times.
The procedure for adding a trusted mobile device is exactly the same as for other types of trusted devices. You can add a mobile device by ID or by device model.
To add a trusted mobile device by ID, you will need a unique ID (Hardware ID – HWID). You can find the ID in device properties by using operating system tools (see figure below). The Device Manager tool lets you do this. The IDs of a portable device (MTP) and of an ADB or iTunes device are different even for the same mobile device. The ID of a portable device (MTP) may look like this: 15131JECB07440. The ID of an ADB device may look like this: 6&370DEC2A&0&0001. Adding devices by ID is convenient if you want to add several specific devices. You can also use masks.
If you installed the ADB or iTunes applications after connecting a device to the computer, the unique ID of the device may be reset. This means that Kaspersky Endpoint Security will identify this device as a new device. If a device is trusted, add the device to the trusted list again.
To add a trusted mobile device by device model, you will need its Vendor ID (VID) and Product ID (PID). You can find the IDs in device properties by using operating system tools (see figure below). Template for entering the VID and PID: VID_18D1&PID_4EE5. Adding devices by model is convenient if you use devices of a certain model in your organization. This way, you can add all devices of this model.
Device ID in Device Manager
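The two ways of trusting a device described above behave differently for the same phone: its MTP identity and its ADB identity carry different unique IDs, so a trust entry by ID covers only the identity it was written for, while a trust entry by model (the VID_18D1&PID_4EE5 template from the text) covers every device of that model under either identity. The script below is an added example, not Kaspersky code, that makes this visible. The device records are constructed; which Device Manager property holds the unique ID and which carries the VID/PID is an assumption (the text only says both are found in device properties), and `*` as the wildcard in an ID mask is an assumption about the product's mask syntax. The second model value, VID_1234&PID_ABCD, is a constructed placeholder.

```python
"""Match mobile devices against a trusted-device list by unique ID or by model.

Added example, not Kaspersky code. Property locations and mask syntax are assumptions.
"""
import fnmatch
import re
from typing import Iterable, NamedTuple, Optional

# VID and PID are four hex digits each, as in the template VID_18D1&PID_4EE5.
_VID_PID = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")


class Device(NamedTuple):
    kind: str           # how the OS identified the phone: "MTP" or "ADB"
    hardware_id: str    # constructed Device Manager value that carries VID/PID (assumption)
    unique_id: str      # the unique ID (HWID) the documentation refers to


def model_of(hardware_id: str) -> Optional[str]:
    """Normalise the VID/PID part of a hardware ID to the VID_xxxx&PID_yyyy template."""
    m = _VID_PID.search(hardware_id)
    if not m:
        return None
    return f"VID_{m.group(1).upper()}&PID_{m.group(2).upper()}"


def trust_reason(device: Device, trusted_ids: Iterable[str],
                 trusted_models: Iterable[str]) -> Optional[str]:
    """Return 'id:<mask>' or 'model:<template>' for a trusted device, else None."""
    for mask in trusted_ids:
        # fnmatchcase so that '*' is the only special character we rely on (assumption).
        if fnmatch.fnmatchcase(device.unique_id.upper(), mask.upper()):
            return f"id:{mask}"
    model = model_of(device.hardware_id)
    if model is not None:
        for template in trusted_models:
            if model == template.upper():
                return f"model:{template}"
    return None


# Constructed: one phone seen as an MTP device and as an ADB device, using the
# unique-ID shapes quoted in the documentation, plus a phone of another model.
PHONE_AS_MTP = Device("MTP", r"USB\VID_18D1&PID_4EE5", "15131JECB07440")
PHONE_AS_ADB = Device("ADB", r"USB\VID_18D1&PID_4EE5&MI_01", "6&370DEC2A&0&0001")
OTHER_PHONE = Device("MTP", r"USB\VID_1234&PID_ABCD", "EXAMPLE0001")

TRUSTED_IDS = ["15131JECB07440"]        # only the phone's MTP identity
TRUSTED_MODELS = ["VID_18D1&PID_4EE5"]  # every device of that model

if __name__ == "__main__":
    for dev in (PHONE_AS_MTP, PHONE_AS_ADB, OTHER_PHONE):
        print(dev.kind, dev.unique_id, "by id:", trust_reason(dev, TRUSTED_IDS, []),
              "by model:", trust_reason(dev, [], TRUSTED_MODELS))
```

Run as-is, the phone is trusted by ID only while it is connected as an MTP device; the moment the OS identifies it as an ADB device it presents the other unique ID and falls outside the ID list, which is also what the note about IDs being reset after installing ADB or iTunes amounts to. The model entry matches both identities, and a third phone of a different model matches neither.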