I can write a rule for a USB storage device and, when it is applied, I can plug in a thumb drive and it says "Access Denied". It also shows up in the incident manager.
When I write a rule for any Apple device using the Apple VID, apply it, and plug in an iPhone or any other Apple device, the proper notification pops up and it is recorded in the incident manager; it even says the action was "Blocked".
The problem is that the user can still read from the device and copy data from it. Is this normal, or is there something I'm missing?
I tried to block by VID/PID, serial number, class, etc.; no matter what, I can always read from the device, even though Incident Manager shows the action as "Blocked".
There are two types of Apple devices we account for: 1) iOS (iPhone, iPad, iPod Touch, etc.), 2) non-iOS (traditional iPods).
Non-iOS Apple devices are essentially removable storage, and that is how Windows sees the device. We use a Removable Storage Device Rule to block writing to ALL removable storage devices (iPod, USB stick, memory card, etc.).
We use a specific PnP Device Rule to block access to iOS devices (it can only block iOS, it cannot set them to read-only); this doesn't affect traditional iPods (the Removable Storage Rule controls those):
USB Class Code = 06h Image
VID = 05AC
Apple devices can be seen by Windows differently depending on whether iTunes is installed or not; it's worth playing around with this and documenting your observations.
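To make that documentation repeatable, here is an added PowerShell inventory script (it is not part of the original thread or of the DLP product). It lists every present USB device carrying Apple's vendor ID 05AC, extracts the PID and the USB interface class code from the device's compatible IDs (so a device the PnP rule should catch shows up as class 06), reports the Windows device class and bound driver, and lists which USB devices Windows currently exposes as disk drives (the view the Removable Storage rule works from). The CSV path, the `Get-UsbClassCode` helper, and the use of compatible IDs to recover the class code are this example's assumptions; the cmdlets are the built-in PnpDevice and CIM cmdlets on Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the original thread: record how Windows classifies
# Apple USB devices so results with and without iTunes can be compared.
# Requires the built-in PnpDevice module (Windows 8 / Server 2012 or later).

$AppleVid = '05AC'                                  # Apple vendor ID from the thread
$LogPath  = "$env:TEMP\apple-usb-inventory.csv"     # assumed output location

function Get-UsbClassCode {
    param([string[]]$CompatibleIds)
    # Windows exposes the USB interface class in compatible IDs shaped like
    # USB\Class_06&SubClass_01&Prot_01 (06 = Still Image, the class the PnP rule uses).
    foreach ($id in $CompatibleIds) {
        if ($id -match 'USB\\Class_([0-9A-Fa-f]{2})') { return $Matches[1].ToUpper() }
    }
    return $null
}

$report = Get-PnpDevice -PresentOnly |
    Where-Object { $_.InstanceId -match "^USB\\VID_$AppleVid&PID_" } |
    ForEach-Object {
        # $PID is a reserved automatic variable in PowerShell, so use another name.
        $productId = if ($_.InstanceId -match 'PID_([0-9A-Fa-f]{4})') { $Matches[1].ToUpper() } else { '' }
        [pscustomobject]@{
            Timestamp    = (Get-Date).ToString('s')
            FriendlyName = $_.FriendlyName
            VID          = $AppleVid
            PID          = $productId
            UsbClassCode = Get-UsbClassCode $_.CompatibleID
            WindowsClass = $_.Class      # e.g. USB, WPD, Image, DiskDrive
            Service      = $_.Service    # driver service bound to the device
            Status       = $_.Status
            InstanceId   = $_.InstanceId
        }
    }

# Removable-storage view: a traditional iPod appears here as a USB disk; an iOS device does not.
$usbDisks = Get-CimInstance Win32_DiskDrive -Filter "InterfaceType='USB'" |
    Select-Object Model, MediaType, Size, PNPDeviceID

$report   | Format-Table -AutoSize
$usbDisks | Format-Table -AutoSize

# Append so one CSV accumulates runs taken before and after installing iTunes.
$report | Export-Csv -Path $LogPath -NoTypeInformation -Append
"Inventory appended to $LogPath"
```

Run it once with the device attached and iTunes absent, then again after installing iTunes, and compare the UsbClassCode and WindowsClass columns against the two rules described above: a device that shows a class code of 06 falls under the PnP Device Rule, while one that appears in the Win32_DiskDrive list is what the Removable Storage Device Rule governs. A device that appears in neither view is the case worth raising with the vendor, since neither rule as described here would apply to it.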