The Kaspersky Endpoint Security for Business solution contains a number of functions with similar names, which can be somewhat confusing. In this case we are talking about Mobile Device Protection (part of Mobile Device Management) and Device Control. The purposes of these tools differ, though, and are explained in detail in this post. One of the key parameters of corporate infrastructure security is its transparency and amenability to system administration. In other words, the system administrator needs to know where, when and what is going on, and be able to reduce the chance of emergency situations to a minimum. These functions do just that, although in different ways, and they are focused on different classes of devices.
Mobile Device Management is a set of features designed firstly to simplify the administration of mobile devices connected to the corporate network, and secondly to provide data protection for work-related files.
As for administration, our solution supplies IT professionals with information about the activities of all mobile devices connected to the corporate LAN and enforces security policies. In addition, it helps to remotely configure the protection settings on an individual device or a group of devices. Network administrators can create, for example, a kind of corporate portal with hyperlinks to certain programs and send employees emails or SMS messages with links to the approved settings and applications. Until the user follows the links, access to corporate data will be denied. See more information on that in our April article.
As for the protection of mobile devices, we already mentioned that it is primarily data protection on gadgets used by employees at work. As a rule, those are their personal devices, which may and often do store both personal information and corporate files. If these are stored without any protection, that is a problem. Devices are lost and stolen and could eventually be infected with malware. Accordingly, protection means, above all, preventive measures against data leaks, data loss and malware penetration into corporate resources. The Mobile Device Protection function makes it possible to encrypt data on mobile devices at the level of individual files or folders, and full-disk or partition encryption functions are available on devices running iOS. So if the device unexpectedly changes its “owner,” the working files are unobtainable. There is also an option to create separate containers for storing different types of data. You can also enable automatic encryption of the container and determine which programs may access certain resources on the device and which may not. Because smartphones and tablets are pretty easy to lose, there is an urgent need to secure work data.
With the help of the relevant functions of Kaspersky Endpoint Security you can block the lost device, locate it (and try to get it back) or remove any corporate data and personal files on it, if necessary. If the SIM card in the stolen device is replaced, you will not only learn the phone number of the new “owner,” but will still be able to use the remote anti-theft functions.
Finally, system administrators need to be able to control which applications are launched on mobile devices with access to corporate networks. The Default Permit mode blocks programs that are in the denylist, and the Default Deny mode blocks all programs that are not in the allowlist. In addition, there is automatic detection of attempts at rooting or unauthorized firmware upgrading, which is fraught with problems in itself.
The Device Control function is not about tablets and smartphones, but about external drives such as flash drives or portable disks. Their connection has to be controlled for various reasons. Firstly, these devices may be infected with malware, and secondly, they are potential vectors of data leaks. Unfortunately, data theft cannot be ruled out. Kaspersky Lab’s Device Control allows regulating the access of devices depending on their connection, type or serial number. If all the user drives are inventoried (the ideal case!), then no inappropriate drives may connect to the network. You can also set the time when the connection of external storage devices is allowed. For example, you can deny connection of removable devices after the end of the work day.
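The Device Control criteria described above (connection, device type, serial number inventory and permitted hours) can be pictured as an ordered decision, shown here as an added example that is not Kaspersky's code or policy format. The class names, field names, bus and type strings, serial numbers and the 09:00 to 18:00 window are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class Device:
    bus: str      # how the device is connected, e.g. "usb"
    kind: str     # device type, e.g. "removable_storage"
    serial: str   # serial number reported by the device

@dataclass(frozen=True)
class Policy:
    controlled_kinds: frozenset     # device types this policy restricts
    allowed_buses: frozenset        # connection buses that may be used
    inventoried_serials: frozenset  # drives registered by the administrator
    allowed_from: time              # start of the permitted window
    allowed_until: time             # end of the permitted window (exclusive)

def decide(policy, device, when):
    """Return (allowed, reason) for a connection attempt at datetime `when`."""
    if device.kind not in policy.controlled_kinds:
        return True, "device type not controlled"
    if device.bus not in policy.allowed_buses:
        return False, "connection bus not allowed"
    # Compare serials case-insensitively and ignore stray whitespace.
    if device.serial.strip().upper() not in policy.inventoried_serials:
        return False, "serial not in inventory"
    if not (policy.allowed_from <= when.time() < policy.allowed_until):
        return False, "outside permitted hours"
    return True, "inventoried drive within permitted hours"

# Constructed sample policy and devices (hypothetical, not real inventory data).
POLICY = Policy(
    controlled_kinds=frozenset({"removable_storage"}),
    allowed_buses=frozenset({"usb"}),
    inventoried_serials=frozenset({"SAMPLE-0001", "SAMPLE-0002"}),
    allowed_from=time(9, 0),
    allowed_until=time(18, 0),
)
KNOWN = Device("usb", "removable_storage", "sample-0001 ")
UNKNOWN = Device("usb", "removable_storage", "SAMPLE-9999")

if __name__ == "__main__":
    for dev, ts in [(KNOWN, datetime(2024, 3, 4, 10, 0)),
                    (KNOWN, datetime(2024, 3, 4, 19, 30)),
                    (UNKNOWN, datetime(2024, 3, 4, 10, 0))]:
        print(dev.serial.strip(), ts.time(), decide(POLICY, dev, ts))
```

Because the serial check comes before the time check, a drive that is not in the inventory is refused at any hour, while an inventoried drive is refused only outside the permitted window.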