cancel
Showing results for 
Search instead for 
Did you mean: 
cdobol
Level 10

Blocking Non Removable Mass Storage Devices - What Do You Do?

I know this topic has come up many times before, but I am wondering how people block writing to devices that do not show up as removable mass storage.  I have seen suggestions from blocking all image and portable device classes, to maintaining a list of VID/PIDs.  I'm not sure either one of those options will work for us. I'm just curious how everyone handles this.  With more and more devices being released this is becoming a bigger concern in our company.

0 Kudos
13 Replies
vimalnavis
Level 13

Re: Blocking Non Removable Mass Storage Devices - What Do You Do?

Other than the options you mentioned, the only other thing that you can do is to wait for 9.3 Patch 1. If I am not mistaken, this version adds native support for MTP.

pierce
Level 13

Re: Blocking Non Removable Mass Storage Devices - What Do You Do?

Try a plug n play device rule to block device class 'windows portable devices' that will block all those pesky mobile phones from connecting. However it will also disable windows 7 charging iphone devices.... which is either good or bad depending on your persepective.

0 Kudos
cdobol
Level 10

Re: Blocking Non Removable Mass Storage Devices - What Do You Do?

9.3 patch 1 came out and it claims it supports MTP.   I loaded it up in my test environment and it still appears I need to have a plug and play rule that blocks all 'windows portable devices' in order to stop copying things to my Android Phone.  Maybe I am missing something in the policy to add MTP  as a removable storage device.... Still looking and I opened a SR.  If I find anything I will post it here.

0 Kudos
vimalnavis
Level 13

Re: Blocking Non Removable Mass Storage Devices - What Do You Do?

Can you provide more details on what devices you need to block? If those device do not use MTP, then the MTP support will not help you.

0 Kudos
cdobol
Level 10

Re: Blocking Non Removable Mass Storage Devices - What Do You Do?

Here is the device I am trying to make read only via a RMSD rule: Andrioid JB, HTC One.  I connect via USB and it shows up as a Windows Portable Device which I can navigate and get to storage on the device.   I was under the impression that this uses MTP and 9.3 P1 should be able to recognize this as such and apply removable storage rules to the device (like read only).  As mentioned earlier in this thread I know I can block Windows Portable Devices via P&P rules, but that just blocks the entire device and I can't make it read-only.  Its possible I'm just confusing this a bit; just so I am clear, where do you actually set MTP rules (or where do they get applied)?  From the documentation its not clear if something has to be modified in the policy or if its somehting that is automatically detected.  Thanks for any assistance.

Device Class GUID:

EEC5AD98-8080-425F-922A-DABF3DE3F69A

Device Class Name:

Portable Devices

Device Name:

HTC6500LVW

Device Compatible ID:

USB\MS_COMP_MTP

Device Instance ID:

USB\VID_0BB4&PID_0EBF&MI_00\6&A6BC602&0&0000

Bus Type:

USB

Vendor ID:

0BB4

Product ID:

0EBF

Message was edited by: cdobol on 12/6/13 7:12:38 AM EST
0 Kudos
ssadlocha
Level 10

Re: Blocking Non Removable Mass Storage Devices - What Do You Do?

I am trying to do something similar. I want to allow reading from devices and charging of phones, but I can't do it. A device detection rule will allow it, but it seems that there is a double detection with smartphones. The first uses the rule, the second shows the device as a Windows Portable Device and bypasses the device rule. A PnP rule will block this, but block it completely and not allow charging. It seems that there is no way to get what I need. I have tried numerous parameters on the rules, but nothing seems to work.

0 Kudos

Re: Blocking Non Removable Mass Storage Devices - What Do You Do?

MTP rule is supposed to work with Removable Storage Protection rule and not with any Device Rules.

You can apply a rule to block all content being copied to all removable storage devices, and this will help you in achieving block of copying to MTP devices while allowing to charge them.

Ensure Portable devices handler is enabled.

Hope I could help

J.L.

0 Kudos

Re: Blocking Non Removable Mass Storage Devices - What Do You Do?

The way that MTP blocking has been implemented in 9.3.1 is nothing short of retarded.

We have RS rules in place that makes Removable Storage on all bus types read-only with the exception of EERM-encrypted devices (and using EEFF to enforce encryption of USB media).  This works beautifully for non-MTP RS.  Now, because MTP is enforced via an RSPR and not a RSDR, blocking write access to this is impossible without affecting our EERM-encrypted devices.  It just prevents writing content on all removable storage devices now, inlcuding our EERM-encrypted devices when the RSPR rule is in force.

Why is there no mechanism to exclude/include devices by definition in the RSPR rule or some way of differentiating between MTP and normal RS-based devices?

Anyone have any suggestions?

Cheers

Jaco

0 Kudos
cdobol
Level 10

Re: Blocking Non Removable Mass Storage Devices - What Do You Do?

So if I understand this correctly....

You can make a device read-only that uses MTP via a Removable Storage Protection Rule.

You can NOTmake a device read-only that uses MTP via a Removable Storage Device Rule.

If that is the case to the point above, if we have 'approved devices' there is no way to enable/disable the MTP Removable Storage Protection Rule to specific devices only. 

Am I correctly interpreting how this works?

0 Kudos