Re: HDLP Device Control (iPhones and IPODs)

Hi, any update on this? I want to block iPhones and don't know what rule to use. If you have multiple iPhone devices, blocking by PID/VID may not be useful. Thanks!

Re: HDLP Device Control (iPhones and IPODs)

Hi,

In our experience Apple devices present themselves as Plug and Play devices and are seen as USB, Imaging or Windows Portable device and invariably have Apple in their name.

What you need to do is:

1. Define your Device - for Apple we use a number of sections - Bus Type: USB Device - Device Class: Imaging Device & Windows Portable Device - Device Name: Apple (Partial Match)

The main issue people seem to have is that they want to block but allow the iPhone to charge from the USB - blocking it does not allow this as far as we are aware.

Another issue for Plug and Play Devices is that there is no Read-Only option like there is for RSD. There are numerous devices such as cameras, iPhones etc. that would be allowed to charge and copy data to (Warning: Malware Risk) the host system but not allowed to remove data from the host system.

With Android becoming more and more of a mobile threat to organisations it would be advisable to block those OS devices from transferring data to your network.

Regards,

Caveo Systems Technical Support (McAfee Security Alliance ELITE Partner)

Re: HDLP Device Control (iPhones and IPODs)

Hello Cisadmin,

Can you tell me how to configure RO access to Apple devices? I tried, but it does not work. I have Block or RW access to Apple devices, but RO access does not work.

Re: HDLP Device Control (iPhones and IPODs)

Hi bibl2008,

The standard process we find works for allowing Apple devices to charge and make them read only is:

1. Create a Removable Storage Device Definition for Apple devices using Vendor ID - 05AC for Apple.

2. Create a Removable Storage Device Rule with Actions of Monitor and Read Only.

3. Apply to Everyone and Local User Assignment Group.

You cannot create a Plug and Play Device rule for Apple devices that will make them Read Only - you can only Block, Monitor and Notify User for those rules. In order for you to be able to allow your devices to charge and be RO you will need to create your rules as above because a blocking P&P rule does not allow the device to charge.

If the above rule does not work for you please review your other rules - if you have other rules that "Block" and can be associated with Apple Devices then that device will be blocked as Device Control will go with the most secure rule.

Please make sure to test thoroughly in your environment before putting any suggestions in to production.

Regards,

Caveo Systems Technical Support (McAfee Security Alliance ELITE Partner)

Re: HDLP Device Control (iPhones and IPODs)

Cisadmin thanks for reply,

I have two rules for SmartPhones: 1 for block all (blockALL):

BlockALL.png

and 2 for RO (RO):

RO.png

When a domain user does not belong to the domain groups MDC.Smartphone_RO or MDC.Smartphone_RW, smartphones are blocked. But when a domain user belongs to the domain group MDC.Smartphone_RO, they have full access to the smartphone. Can you tell me why?

Re: HDLP Device Control (iPhones and IPODs)

Thanks for the screenshots. Sorry to butt in on the convo and go off track, but I am on ePO 4.5 with Device Control 9.1. I see smartphones as PnP devices only. Removable storage rules cannot detect them.

Can I ask what version of Device Control you are on in order for it to detect smartphone storage as 'Removable storage' rather than PnP? Or is it the ePO version upgrade I require to see this, or both? I would like the read-only function, but I believe it is not possible with my version.

Thanks

Superhoop

Re: HDLP Device Control (iPhones and IPODs)

I have ePO 4.6 and DLP Agent 9.2, and as I described above, my RSD rule for RO access does not work.

Re: HDLP Device Control (iPhones and IPODs)

Hi,

This is exactly our setup, but it did not disable phone charging, especially on iPhones, though it locked down the USB completely. I guess the device is using the voltage supplied by the USB port, which the ports are always supplying (sometimes even when the computer is "off").

Everything else works fine: all USB, CD and DVD are disabled, with the exception of encrypted USB. I also figured out that the USB port charges a USB-powered fan, which then makes sense to me: this is DLP - Data Loss Protection, NOT PLP - Power Loss Protection, as long as no data is compromised.

I also tried this: Bus Type - USB, Device Class - Imaging Devices/Windows Portable, Device Name - Apple, USB Vendor/Product ID (VID/PID codes), USB Hub - Bus Type and Class Code (09h - hub / 06h - image etc.). No joy.

The good news: data NOT compromised and no phones visible; even Device Manager shows them all disabled.

hope this helps

Rgds

Re: HDLP Device Control (iPhones and IPODs)

Blocking Apple's Vendor ID in a Plug and Play Device Definition has worked for us. 

Edit the field for Vendor ID/Product ID and only fill in the Vendor field.  Leave the Product ID blank.

VID: 05AC

This seems to block all Apple devices, so you don't need to worry about the different product IDs.

(This was tested using an iPhone4, iPod Nano and iPad3)
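The two approaches discussed in this thread (Caveo's Removable Storage Device definition on Vendor ID 05AC with a Read Only rule, and the later post's Plug and Play definition on Vendor ID 05AC with the Product ID left blank) both come down to the same matching question: which rules match a device, and which action wins when several do. The following Python is an added example written for this page, not code from the forum or from McAfee's product. It parses Windows-style PnP hardware IDs, matches them against device definitions (vendor ID with optional product ID, device class, partial device name), and applies a "most secure rule wins" ordering of Block > Read Only > Monitor. That ordering, the rule and definition names, and all sample device values other than the Apple vendor ID 05AC are assumptions constructed for the example.

```python
"""
Added example (not the thread's or McAfee's own code): a small model of how
Device Control rules, as described in this thread, resolve against a USB device.
The Block > Read Only > Monitor ordering is an assumption based on the thread's
statement that Device Control "will go with the most secure rule".
"""
import re
from dataclasses import dataclass
from typing import Optional

# Windows-style PnP hardware IDs.  These are constructed sample values; only
# the Apple vendor ID 05AC is taken from the thread.
SAMPLE_DEVICES = {
    "iphone": {"hwid": "USB\\VID_05AC&PID_12A8", "class": "Windows Portable Device", "name": "Apple iPhone"},
    "camera": {"hwid": "USB\\VID_04A9&PID_3218", "class": "Imaging Device", "name": "Canon PowerShot"},
    "thumb":  {"hwid": "USB\\VID_0781&PID_5567", "class": "USB Device", "name": "SanDisk Cruzer"},
}

HWID_RE = re.compile(r"VID_([0-9A-Fa-f]{4})(?:&PID_([0-9A-Fa-f]{4}))?")


def parse_hwid(hwid):
    """Return (vid, pid) as upper-case hex strings; pid is None when absent."""
    m = HWID_RE.search(hwid)
    if not m:
        raise ValueError(f"no VID in hardware id: {hwid!r}")
    vid, pid = m.group(1).upper(), m.group(2)
    return vid, (pid.upper() if pid else None)


@dataclass
class DeviceDefinition:
    name: str
    vid: Optional[str] = None          # leaving pid blank matches every product of the vendor
    pid: Optional[str] = None
    classes: tuple = ()                # empty tuple = any device class
    name_partial: Optional[str] = None # case-insensitive partial match on device name

    def matches(self, dev):
        vid, pid = parse_hwid(dev["hwid"])
        if self.vid and vid != self.vid.upper():
            return False
        if self.pid and pid != self.pid.upper():
            return False
        if self.classes and dev["class"] not in self.classes:
            return False
        if self.name_partial and self.name_partial.lower() not in dev["name"].lower():
            return False
        return True


# Higher rank wins when several rules match (assumed "most secure rule" order).
ACTION_RANK = {"Monitor": 0, "Read Only": 1, "Block": 2}


@dataclass
class Rule:
    name: str
    definition: DeviceDefinition
    action: str
    groups: tuple = ("Everyone",)      # user assignment groups the rule applies to


def effective_action(dev, user_groups, rules):
    """Most restrictive action among rules whose definition and group assignment match."""
    best = None
    for r in rules:
        if not r.definition.matches(dev):
            continue
        if not (set(r.groups) & set(user_groups)):
            continue
        if best is None or ACTION_RANK[r.action] > ACTION_RANK[best.action]:
            best = r
    return best.action if best else "Allow"


# Assumed definitions: Apple by vendor ID only (PID blank), and a broad
# phone/camera definition by device class, as the thread's posters describe.
APPLE_BY_VID = DeviceDefinition("Apple devices", vid="05AC")
PORTABLE_IMAGING = DeviceDefinition("Phones/cameras", classes=("Imaging Device", "Windows Portable Device"))

RULES_RO = [
    Rule("Apple RO", APPLE_BY_VID, "Read Only"),
    Rule("Apple Monitor", APPLE_BY_VID, "Monitor"),
]
# The same rule set plus a Block rule on Everyone, the situation Caveo warns about:
RULES_WITH_BLOCK = RULES_RO + [Rule("BlockALL smartphones", PORTABLE_IMAGING, "Block")]


def demo():
    """Resolve each constructed device under both rule sets for a user in Everyone."""
    return {
        "iphone_ro_only": effective_action(SAMPLE_DEVICES["iphone"], ["Everyone"], RULES_RO),
        "iphone_with_block": effective_action(SAMPLE_DEVICES["iphone"], ["Everyone"], RULES_WITH_BLOCK),
        "camera_with_block": effective_action(SAMPLE_DEVICES["camera"], ["Everyone"], RULES_WITH_BLOCK),
        "thumb_with_block": effective_action(SAMPLE_DEVICES["thumb"], ["Everyone"], RULES_WITH_BLOCK),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Under the first rule set the iPhone resolves to Read Only; adding a Block rule assigned to Everyone that also matches Apple devices by class makes the iPhone resolve to Block, which is the interaction Caveo describes when the RO rule "does not work". The thumb drive matches neither definition and falls through to Allow, showing that a vendor-only definition with a blank PID catches every Apple product without touching other vendors.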

Re: HDLP Device Control (iPhones and IPODs)

I'm glad to see others bringing this to light.

That HDLP doesn't ship with a policy that blocks these exceedingly common devices, one that can be enabled out of the box without having to research it, is, frankly, asinine.

Dear McAfee: publish a KB on this. And don't do the cop-out of "everyone's needs are different..." No, nearly everyone who wants to block USB mass storage also wants to block mass storage that mounts as an imaging device on hugely popular smartphones that outnumber actual USB thumb drives these days.
