Appendix D - Permissions for Harmony Mobile Protect App

This appendix describes the permissions that the Harmony Mobile Protect App requires on Android and iOS devices so that the Harmony Mobile solution operates as expected. The required permissions are based on the commonly used policies and features activated for each tenant.

The permissions must be granted either automatically by the UEM (Unified Endpoint Management, the centralized management point for computers, smartphones and IoT devices) or manually by the end-users on the protected mobile devices.

Permissions for Android Devices

| Permission | Description |
| --- | --- |
| Location Permission | Allows an application to access the device location. Harmony Mobile uses this permission to enrich threat event reports with the location. |
| Notification Permission | Allows an application to display notifications on the device. Harmony Mobile uses this permission to: • Notify mobile devices that a policy update is available so that the policy can be enforced in a timely manner, instead of waiting for the next policy polling time (once per day/24 hours by default). • Notify the end-user of any security event and offer mitigation actions for events that require manual intervention from the end-user (for example, delete files, uninstall a malicious or risky mobile app, disconnect from an unsecure WiFi network). |
| Network Permission | Allows an application to intercept the mobile device network traffic. Harmony Mobile uses this permission to bring up a local VPN that inspects the data traffic and mitigates any detected network threat. |
| Camera | Allows an application to use the device's camera. Harmony Mobile uses this permission to scan the QR code during the on-boarding process. |
| Background Activity | Allows an application to run in the background without being killed by the OS to save battery. |
| Admin privileges | Required when Harmony Mobile is integrated with the Knox Agent on Samsung Android devices. |
| External Storage | Required if the policy includes a storage scan. |
| SMS Permission | Allows Harmony Mobile to scan SMS messages for malicious URLs. |

Permissions for iOS Devices

| Permission | Description |
| --- | --- |
| Location Permission | Allows an application to access the device location. Harmony Mobile uses this permission to enrich threat event reports with the location. |
| Notification Permission | Allows an application to display notifications on the device. Harmony Mobile uses this permission to: • Notify mobile devices that a policy update is available so that the policy can be enforced in a timely manner, instead of waiting for the next policy polling time (once per day/24 hours by default). • Wake up the iOS device. |
| VPN User Consent | Allows an application to intercept the mobile device network traffic. Harmony Mobile uses this permission to bring up a local VPN that inspects the data traffic and mitigates any detected network threat. |
| Camera | Allows an application to use the camera. Harmony Mobile uses this permission to scan the QR code during the on-boarding process. |
| Local Network Permission | Allows ONP to establish a direct connection to the local DNS (Domain Name System) server(s). ONP requires this permission to access the local network and send TCP/UDP requests. In most home networks the router serves as the DNS server, so ONP requires the local network permission to send direct DNS requests (UDP) to the local DNS server. Note - The only thing ONP does after accessing your local network is send direct DNS resolution requests, to avoid malicious DNS resolutions. |
| SMS Filtering | Allows Harmony Mobile to scan SMS messages for malicious URLs. To enable SMS filtering on the end-user device, see Preventing SMS Phishing in the Harmony Mobile Protect App for iOS User Guide. |

Permissions and Features Dependencies

The following table shows the permissions required to enforce each policy feature on Android and iOS devices. An empty cell means the permission is not required for that feature.

| Feature | Notification | Location (Android) | Network VPN (iOS) | Local Network (iOS) | Query Packages (Android) | Storage Access (Android) | Camera | Knox Agent (Android) | Ignore Battery Optimization |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Application Malware and Side Loading detection | Mandatory | | | | Mandatory | | | | Mandatory |
| Application Malware and Side Loading detection and blocking | Mandatory | | | | | | | Mandatory | Mandatory |
| Malicious Process Control | | | | | | | | Mandatory | |
| Risky Application Traffic Blocking (Android) | Mandatory | | Mandatory | Mandatory | | | | | Mandatory |
| Malicious URL Access Blocking | Mandatory | | Mandatory | Mandatory | | | | | Mandatory |
| Conditional Access | Mandatory | | Mandatory | Mandatory | | | | | Mandatory |
| On-device File Download Prevention | Mandatory | | Mandatory | Mandatory | | | | | Mandatory |
| File Protection – Storage Scan | Mandatory | | | | | Mandatory | | | Mandatory |
| URL Filtering (URLF) | Mandatory | | Mandatory | Mandatory | | | | | Mandatory |
| Application Category Based Blocking | Mandatory | | Mandatory | Mandatory | | | | | Mandatory |
| QR code based On-Boarding | Mandatory | | | | | | Mandatory | | Mandatory |
| Unsecure WiFi * | Mandatory | Mandatory (for Android versions lower than 13) | | | | | | | Mandatory |
| NEARBY_WIFI_DEVICES | | Mandatory (for Android version 13 and above) | | | | | | | |
| MitM detection | Mandatory | | | | | | | | Mandatory |
| Rogue Access Detection | Mandatory | Mandatory | | | | | | | Mandatory |
| Wake-up iOS devices | Mandatory | | | | | | | | |

* On Android, Harmony Mobile can report the SSID (Service Set Identifier, the wireless network name) only if the Protect App runs in the foreground and is granted the required permissions.