Appendix D - Permissions for Harmony Mobile Protect App

This appendix describes the permissions required for Harmony Mobile Protect App in Android and iOS devices, to ensure that the Harmony Mobile solution operates as expected. The permissions required are based on commonly used policies and features activated for each tenant.

The permissions must be granted automatically by the UEMClosed Unified Endpoint Management. An architecture and approach that controls different types of devices such as computers, smartphones and IoT devices from a centralized command point. or by the end-users on the protected mobile devices.

Permissions for Android Devices

Permission

Description

Location Permission

Allows an application to access the device location. Harmony Mobile uses this permission to enrich the threat event reports with location.

Notification Permission

Allows an application to display notifications on the device. Harmony Mobile uses this permission to:

  • Notify mobile devices that a policy update is available so that the policy can be enforced in a timely manner, instead of waiting for the next policy polling time (occurs once per day/24 hours by default).

  • Notify any security event to the end-user and offering mitigation actions for events which require manual intervention from the end-user (For example, delete files, uninstall a malicious or risky mobile app, disconnect from an unsecure WiFi).

Network Permission

Allows an application to intersect the mobile device network traffic. Harmony Mobile uses this permission to bring up a local VPN to inspect the data traffic and mitigate any detected network threat.

Camera

Allows an application to use the device's camera. Harmony Mobile uses this permission to scan QR code in the on-boarding process.

Background Activity

Allows an application to run in the background without being killed by the OS to save battery.

Admin privileges

Required when Harmony Mobile is integrated with Knox Agent on Samsung Android devices.

External Storage

Required if the policy includes storage scan.

SMS Permission

Allows Harmony Mobile to scan SMS messages for malicious URLs.

Permissions for iOS Devices

Permission

Description

Location Permission

Allows an application to access the device location. Harmony Mobile uses this permission to enrich threat event reports with the location.

Notification Permission

Allows an application to display notifications on the device. Harmony Mobile uses this permission to:

  • Notify mobile devices that a policy update is available so that the policy can be enforced in a timely manner, instead of waiting for the next policy polling time (occurs once per day/24 hours by default).

  • Wake-up the iOS.

VPN User Consent

Allows an application to intersect the mobile device network traffic. Harmony Mobile uses this permission to bring up a local VPN to inspect the data traffic and mitigate any detected network threat.

Camera

Allows an application to use the camera. Harmony Mobile uses this permission to scan QR code in the on-boarding process.

Local Network Permission

Allows ONP to establish direct connection to the local DNSClosed Domain Name System. A hierarchical distributed naming system for computers, services, or resources connected to the internet or a private network. Used to translate names into IP addresses. server(s). ONP requires this permission to access the local network to send TCP/UDP requests. In most home networks, the router serves as the DNS server, so ONP requires local network permission to send direct DNS request (UDP) to the local DNS server.

Note - The only thing ONP does after accessing your local network is sending the direct DNS resolution requests to avoid malicious DNS resolutions.

SMS Filtering

Allows Harmony Mobile to scan SMS messages for malicious URLs. To enable SMS filtering on the end-user device, see Preventing SMS Phishing in Harmony Mobile Protect App for iOS User Guide.

Permissions and Features Dependencies

The following table shows the permissions required to enforce the policy features in Android and iOS devices.

Permissions

Notification

Location

Network VPN

(iOS)

Local Network

(iOS)

Query Packages

(Android)

Storage Access

(Android)

Camera

Knox Agent

(Android)

Ignore Battery

Optimization

Features

Application Malware and Side Loading detection

Mandatory

 

 

 

Mandatory

 

 

 

Mandatory

Application Malware and Side Loading detection and blocking

Mandatory

 

 

 

 

 

 

Mandatory

Mandatory

Malicious Process Control

 

 

 

 

 

 

 

Mandatory

 

Risky Application Traffic Blocking (Android)

Mandatory

 

Mandatory

Mandatory

 

 

 

 

Mandatory

Malicious URL Access Blocking

Mandatory

 

Mandatory

Mandatory

 

 

 

 

Mandatory

Conditional Access

Mandatory

 

Mandatory

Mandatory

 

 

 

 

Mandatory

On-device File Download Prevention

Mandatory

 

Mandatory

Mandatory

 

 

 

 

Mandatory

File Protection – Storage Scan

Mandatory

 

 

 

 

Mandatory

 

 

Mandatory

URL FilteringClosed Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks. Acronym: URLF.

Mandatory

 

Mandatory

Mandatory

 

 

 

 

Mandatory

Application Category Based Blocking

Mandatory

 

Mandatory

Mandatory

 

 

 

 

Mandatory

QR code based On-Boarding

Mandatory

 

 

 

 

 

Mandatory

 

Mandatory

Unsecure WiFi

Mandatory

Mandatory

 

 

 

 

 

 

Mandatory

MitM detection

Mandatory

 

 

 

 

 

 

 

Mandatory

Rogue Access Detection

Mandatory

Mandatory

 

 

 

 

 

 

Mandatory

Wake-up iOS devices

Mandatory