Blocking iPhone Device Generally, Monitoring access for selected few.

Hello,

OS: Windows 7

DLP: 9.3.4

I'm trying to use DLP (Device Control) to block Apple iPhones from being connected. To do this, I have created a device definition named "Apple iPhone Devices" with the Vendor ID 05AC and the required Product IDs.

I've then created a User Assignment Group named "TLE Blocked Apple iPhone", which includes the Active Directory "Domain Users" group, and excludes an Active Directory group named "DLP-iPhone" which contains users that are allowed to connect their iPhones.

I've then created a Device Rule named "Block: Apple iPhones". This is configured to include the "Apple iPhone Devices", have the Block and Monitor action, and be assigned "TLE Blocked Apple iPhone" group.

By itself this will work and the general users will be blocked from connecting their iPhones, unless they are in the exclude group.

However, I have a requirement to record (monitor) the connection of the device for the allowed users.

I've created a second User Assignment Group named "TLE Allowed Apple iPhone", which is the reverse of the "TLE Blocked Apple iPhone" group - it excludes the Active Directory "Domain Users" group, and includes an Active Directory group named "DLP-iPhone" which contains users that are allowed to connect their iPhones.

I've then created a Device Rule named "Allow: Apple iPhones". This is configured to include the "Apple iPhone Devices", have the Monitor action, and be assigned the "TLE Allowed Apple iPhone" group.

However, in this configuration I do not get the expected/hoped solution.

If the test user is not a member of the Active Directory group "DLP-iPhone", then the user is correctly blocked from connecting an Apple iPhone device.

If the test user is a member of the Active Directory group "DLP-iPhone", then the user is allowed to access the connected iPhone - BUT - no monitoring event is generated. If I look under "DLP Incident Manager", it doesn't record that the user connected the iPhone.

Can you advise what I am doing wrong please?

I've attached a PDF containing screenshots of the various aspects of the configuration I'm talking about.

Thank you


Iain Chapman


Message was edited by: Iain Chapman
Added version / OS information.
Added expectation

1 Reply

Re: Blocking iPhone Device Generally, Monitoring access for selected few.

Recommendations from how I have this configured (I'll try to use your rule name nomenclature)...

User assignment group:

"TLE Blocked Apple iPhone" - include "Domain Users" - exclude "DLP-iPhone"

"TLE Allowed Apple iPhone" - include "DLP-iPhone"


Device Rules: - looks good.


Device Definition:

[Screenshot attached: iOS.png]

We use just the VID of Apple, along with a USB Class Code of '06h', and Device Class = USB.

We have had good success with this to block all iOS devices, and not need to maintain every iOS model (PID).


Severity:

Our take on this is the reverse of other security tools.

The rule with a restrictive action like "block" means an end user cannot transfer data to the device and is a low severity event.

A rule that allows access to an otherwise restricted device is introducing potential risk, and is a higher severity event.
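An added example, not part of either post and not McAfee DLP code, comparing the two device-definition strategies discussed in this thread: the question's explicit Vendor ID 05AC plus a maintained Product ID list, and the reply's Vendor ID plus USB class code 06h (the USB Still Image / PTP class that iOS devices expose). The device records are constructed inline in the shape Windows PnP reports them (a hardware ID carrying VID/PID and compatible IDs carrying the class code); the PIDs are illustrative placeholders, not a claim about which PID belongs to which iPhone model. The script shows that a device with a PID missing from the list still matches the VID + class definition, and that other Apple peripherals (a HID-class keyboard) do not, which is the practical reason the class code is added rather than blocking the vendor outright.

```python
"""Compare 'VID + PID list' against 'VID + USB class 06h' device matching.

Added example for the McAfee DLP Device Control thread; not product code.
Device records are constructed here in Windows PnP hardware-ID form.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

APPLE_VID = 0x05AC   # Vendor ID named in both the question and the reply
IMAGE_CLASS = 0x06   # USB Still Image (PTP) class, the "06h" in the reply


@dataclass
class UsbDevice:
    name: str
    hardware_id: str           # e.g. USB\VID_05AC&PID_12A8 (Windows PnP style)
    compatible_ids: List[str]  # e.g. USB\Class_06&SubClass_01&Prot_01


# Windows-style identifiers: hex VID/PID in the hardware ID, hex class code
# in the compatible IDs.  Case-insensitive because tools differ in casing.
HWID_RE = re.compile(r"USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")
CLASS_RE = re.compile(r"USB\\Class_([0-9A-Fa-f]{2})")


def parse_vid_pid(hardware_id: str) -> Tuple[int, int]:
    """Extract (vendor_id, product_id) from a USB hardware ID."""
    m = HWID_RE.search(hardware_id)
    if not m:
        raise ValueError(f"not a USB hardware ID: {hardware_id}")
    return int(m.group(1), 16), int(m.group(2), 16)


def class_codes(compatible_ids: List[str]) -> Set[int]:
    """Collect every USB interface class code present in the compatible IDs."""
    codes: Set[int] = set()
    for cid in compatible_ids:
        m = CLASS_RE.search(cid)
        if m:
            codes.add(int(m.group(1), 16))
    return codes


def matches_vid_pid_list(dev: UsbDevice, vid: int, pids: Set[int]) -> bool:
    """The question's definition: exact VID plus an enumerated PID list."""
    v, p = parse_vid_pid(dev.hardware_id)
    return v == vid and p in pids


def matches_vid_class(dev: UsbDevice, vid: int, class_code: int) -> bool:
    """The reply's definition: exact VID plus a USB class code, no PID list."""
    v, _ = parse_vid_pid(dev.hardware_id)
    return v == vid and class_code in class_codes(dev.compatible_ids)


# Constructed sample inventory (illustrative PIDs, not real model mappings).
PTP_IDS = [r"USB\Class_06&SubClass_01&Prot_01", r"USB\Class_06&SubClass_01", r"USB\Class_06"]
HID_IDS = [r"USB\Class_03&SubClass_01&Prot_01", r"USB\Class_03&SubClass_01", r"USB\Class_03"]
MSC_IDS = [r"USB\Class_08&SubClass_06&Prot_50", r"USB\Class_08&SubClass_06", r"USB\Class_08"]

SAMPLE_DEVICES = [
    UsbDevice("iPhone, PID already in list",  r"USB\VID_05AC&PID_1290", PTP_IDS),
    UsbDevice("iPhone, newer PID not in list", r"USB\VID_05AC&PID_12A8", PTP_IDS),
    UsbDevice("Apple keyboard (HID class)",    r"USB\VID_05AC&PID_024F", HID_IDS),
    UsbDevice("Generic USB stick (other VID)", r"USB\VID_0781&PID_5583", MSC_IDS),
]

# The PID list the question's "Apple iPhone Devices" definition would carry;
# deliberately missing the newer PID to show the maintenance problem.
KNOWN_IPHONE_PIDS = {0x1290}


def evaluate(devices: List[UsbDevice] = SAMPLE_DEVICES) -> Dict[str, Tuple[bool, bool]]:
    """Return {device name: (matched by VID+PID list, matched by VID+class 06h)}."""
    return {
        d.name: (
            matches_vid_pid_list(d, APPLE_VID, KNOWN_IPHONE_PIDS),
            matches_vid_class(d, APPLE_VID, IMAGE_CLASS),
        )
        for d in devices
    }


if __name__ == "__main__":
    print(f"{'device':<34} {'VID+PID list':>12} {'VID+class 06h':>14}")
    for name, (by_pid, by_class) in evaluate().items():
        print(f"{name:<34} {str(by_pid):>12} {str(by_class):>14}")
```

Run it and the second row shows the gap the reply is closing: the newer PID is missed by the list but caught by the class rule, while the keyboard row shows that adding the class code keeps Apple input devices out of the block rule. Before relying on either definition, confirm the class code your own iPhones present (Device Manager, Details tab, Compatible Ids) rather than assuming the constructed values here.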
