To align with industry standards for data protection and security, there is a need to restrict file transfers via USB ports on Android devices using an MDM solution. This enables connecting Android devices only to authorized USB devices based on specific USB configurations. Samsung offers OEM configurations that facilitate restricted USB port access through OTG cables for designated USB devices.
Purpose
This article aims to guide restricting USB port access to specific USB devices using an OTG cable on Samsung devices.
Prerequisite
- Should have a SureMDM Account.
- Applicable only for Samsung Devices.
- The devices should be Fully Managed Device (Device Owner Mode).
Steps
- Login to the SureMDM Console.
Note: The below steps can be configured in the default profile if a default profile is set on the console or a new profile can be created, if not set.
- Navigate to the Profiles > Android > Add > Primary Profile > System Settings > Sync and Storage > Check the option Disable USB File Transfer.
Navigate to the OEM Config Policy in the same profile and select the OEM Config Policy App as Knox Service Plugin.
- Once the Knox Service Plugin is selected, below are the configurations that should be made:
Under Advanced Restriction Policy, Set USB Device Connection Type to Default:
Allow USB Devices for default access by Application (Configure profiles below) – Disabled:
Under Tethering Controls, disable the below options:
Allow USB tethering – Disabled
Allow USB media player – Disabled
Allow USB host storage – Disabled
Setup USB exception list – this control is used to configure one or more classes of USB devices or USB composite devices on the mobile device. A USB Composite Device is a peripheral device that supports more than one device class. If you use this policy to control a USB Composite Device, ensure that you add all supported classes in the exception list. Hence, here we add all the USB composite Devices that you would like to whitelist/allow.
Below is an example of the USB composite devices that are allowed:
Allow USB debugging – Disabled
Allow developer mode – Disabled
Under Application Management Policies, configure the below setting:
Allow USB Devices for default access by Application (Configure profiles below) – Disabled
Under Allowed USB devices for Application Configuration, configure the below settings:
Application Name – Enter the package of the application
Note: Any third party application can be installed to know the product ID and vendor ID of the USB inserted to the device. Once installed enter the application package name in the application name field.
Under USB Devices Configuration, configure the below settings:
Product Id (Hex value) – Enter the product ID of the USB inserted into the device
Vendor Id (Hex value) – Enter the vendor ID of the USB inserted to the device
Conclusion: Once the above configurations are made in the profile and applied on the device, the end users will be restricted from accessing any other external device other than the one that is allowed in the profile.
Need help? CONTACT US