
Use Device Control (DLP Endpoint 9.3 Patch 2) to make Apple devices Read-Only

There seems to be an issue with Device Control when it comes to Apple Devices.  The product guide states:

Removable storage protection rule enhancement

Devices using media transfer protocol can be protected using an enhancement of the removable storage protection rule.

Media Transfer Protocol (MTP) is used for transferring files and associated metadata from computers to mobile devices such as smartphones. MTP devices are not traditional removable devices because the device implements the file system, not the computer it is connected to. An enhancement to the removable storage protection rule allows it to intercept MTP transfers and apply security policies. Only USB connections are currently supported.

When the Portable Devices handler on the Agent Configuration | Miscellaneous tab is enabled, all removable storage protection rules can be applied to MTP devices as well as other removable devices.

The handler works with all data transfers made by Windows Explorer. It does not work with iOS devices, which use iTunes to manage the data transfers. One alternative strategy with iOS devices is to use a Removable Storage Device rule to set the devices to read-only.

I have found this to not be the case.  I will provide 2 scenarios.

Scenario #1) Apple device plugged into a computer without iTunes installed. It pops up, you can browse through the files, but it is read only due to the Removable Storage Protection Rule with MTP enabled.

Quick correction for Scenario #1) It appears I was incorrect with the Removable Storage Protection Rule with MTP blocking the Apple Device. On a machine without DLP Endpoint installed - the Apple iPhone is Read-Only because I don't have iTunes installed.

Scenario #2) Apple device plugged into a computer WITH iTunes installed. I launch iTunes and can copy files back and forth freely.

The solution in the product guide is to create a Device Definition using the VID/PID field and use 05AC as the VID. Then create a Removable Storage Device Rule, include the Device Definition, set it to Monitor, Read Only (or Block), Notify User.

This doesn't work.  If someone actually does have this working, please let me know - but I don't believe it's functional.

So far, the only way that I have been able to block Apple Devices (I've only tested with one iPhone so far, a 4S) is to create a Plug & Play Device Rule with the Apple Device Definition (VID 05AC). The problem with this, as many people here have mentioned before, is that the only option with a Plug & Play Device Rule is to completely block the device, which prevents it from charging.

If I am missing something here, please let me know.  Has anyone successfully made Apple devices Read-Only, using a Removable Storage Device Rule?


Message was edited by: slateythree on 6/5/14 9:07:54 AM CDT

Message was edited by: slateythree on 6/5/14 10:31:46 AM CDT