We just started enforcing the blocking of removable media in ePO. We created a USB rule filled with definitions to allow particular USB external hard drives on the network by serial number, and to block the rest. It blocks iPods just fine, old and new (with the exception of the Touch), as they show up as removable storage devices.
Now here's the problem. iPod Touches and iPhones are still able to be plugged into the network. I notice that they show up as cameras/scanners on Windows machines. I'm looking for a way to block these. And if I make a new rule with a definition, will it be a Plug and Play rule/definition or a USB Removable rule/definition? Thanks for the help!
On a side question, is there a way we can block devices by manufacturer, such as Apple devices in general? Or are Product IDs still required?
With a bit of plagiarism for the enemy
Create a new plug and play definition specifying vendor ID "05ac" (Apple's vendor ID) and build your block rule based on that.
No idea if it works, as I don't have any Apple devices to test with. Also, I was able to create the definition in my DLP 9.2 on ePO 4.6; hopefully it's the same in yours.
I use a plug and play definition with 05AC as the vendor ID. The iPhones do not register as removable storage, so if you create the definition as that type you will not block them. One note, however: the rule blocks everything, so your device will not show up as "Apple iPhone" in the logs, as it blocks at the root hub of the device.
Well, the PnP device rule just specifying the Vendor ID 05AC did not work. I just plugged in my iPhone and it installed without DLP popping up. I'm going to try the Product ID as well and see if that works. Any help in what else I can do would be awesome. My other concern is also Droid phones and tablets.
I have not used just the vendor ID. I do have a list of the Vid/Pids to block for the iPhones and iPads.
I also can provide a good starting list for android. I will post later.
The Apple phone products do not show up as removable storage devices, so you will have to create a PnP device definition to block them. They are all USB Vendor ID 05AC, as stated before; the product IDs are listed below:
12A0: iPhone 4s
1297: iPhone 4
1290: iPhone Original
1292: iPhone 3G
1294: iPhone 3Gs
129F: iPad 2
HTC Androids (Vendor ID 0BB4):
0FFE, 0FF9, 0FF8, 0FFF, 0CA5, 0CA2, 0C9E, 0C97, 0C99, 0C94, 0C91, 0C8D, 0C87, 0C5F, 0C01
Motorola Androids (Vendor ID 22B8):
41D6, 41D9, 41DB, 41DE, 4285, 42B3, 42B4, 42B5, 42B6, 42B7, 42B8, 42B9, 7087, 4287, 42BA, 42A3, 2D67, 2D66, 4316, 42D6, 42F6, 2D78, 6426, 70C6, 42E0, 2D84, 708D, 708F, 7086
Motorola Androids (Vendor ID 0C44):
Samsung Androids (Vendor ID 04E8):
681D, 685B, 681C, 685E, 6860, 6877, 689E
Samsung Androids (Vendor ID 05C6):
The DLP installation guide recommends setting rules in monitor-only mode in a generic configuration to gather information about your environment. From the events generated while monitoring (in this case, plug and play events for USB devices), the VID/PID can be obtained for the specific devices you are trying to block. You can then create your block rule based on that criteria.
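As an added example (not code from this thread, from McAfee, or from the DLP product), the script below collects the same VID/PID information directly from the Windows device tree instead of from DLP monitor-mode events. It uses Get-PnpDevice (PowerShell 5+ on Windows 8 / Server 2012 or later), parses the VID, PID and composite-interface number out of each USB instance ID, and reports which attached devices a vendor-only rule versus a VID+PID rule would match, using the VID/PID lists posted above. It assumes instance IDs in the standard USB\VID_xxxx&PID_xxxx form; the sample device list at the bottom is constructed for illustration, and the Samsung PID FFFF in it is a placeholder, not a real product. Whether a given DLP rule actually fires is a separate question; the script only shows what is plugged in and how it is identified.

```powershell
<#
Added example, not from the thread or McAfee DLP. Inventories attached USB
devices, extracts VID/PID from each instance ID, and shows which ones the
thread's vendor-only and VID+PID lists would match. Requires Get-PnpDevice.
#>

# VID/PID block list transcribed from the posts above (hex strings, no 0x).
$BlockList = @{
    '05AC' = @('12A0','1297','1290','1292','1294','129F')                        # Apple iPhone/iPad
    '0BB4' = @('0FFE','0FF9','0FF8','0FFF','0CA5','0CA2','0C9E','0C97',
               '0C99','0C94','0C91','0C8D','0C87','0C5F','0C01')                  # HTC
    '22B8' = @('41D6','41D9','41DB','41DE','4285','42B3','42B4','42B5','42B6','42B7',
               '42B8','42B9','7087','4287','42BA','42A3','2D67','2D66','4316','42D6',
               '42F6','2D78','6426','70C6','42E0','2D84','708D','708F','7086')    # Motorola
    '04E8' = @('681D','685B','681C','685E','6860','6877','689E')                  # Samsung
}

function Get-UsbIds {
    # Parse VID, PID and (for composite devices) the interface number out of a
    # PnP instance ID such as USB\VID_05AC&PID_12A0\<serial> or
    # USB\VID_05AC&PID_12A0&MI_00\<bus path>. Returns nothing for non-USB IDs.
    param([Parameter(Mandatory)][string]$InstanceId)
    if ($InstanceId -match '^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})(?:&MI_([0-9]{2}))?') {
        [pscustomobject]@{
            VendorId  = $Matches[1].ToUpper()
            ProductId = $Matches[2].ToUpper()
            Interface = $Matches[3]     # $null when the ID is the parent device
        }
    }
}

function Test-BlockMatch {
    # Mode 'Vendor' mimics a definition that lists only the VID (any product from
    # that vendor matches); 'VidPid' requires the exact VID/PID pair to be listed.
    param(
        [Parameter(Mandatory)][string]$VendorId,
        [Parameter(Mandatory)][string]$ProductId,
        [ValidateSet('Vendor','VidPid')][string]$Mode = 'VidPid',
        [hashtable]$List = $BlockList
    )
    if (-not $List.ContainsKey($VendorId)) { return $false }
    if ($Mode -eq 'Vendor') { return $true }
    return [bool]($List[$VendorId] -contains $ProductId)
}

function Get-UsbBlockReport {
    # $Devices: objects with InstanceId, FriendlyName and Class (the shape
    # Get-PnpDevice returns). Defaults to the USB devices currently present.
    param(
        [object[]]$Devices = (Get-PnpDevice -PresentOnly |
                              Where-Object { $_.InstanceId -like 'USB\VID_*' })
    )
    foreach ($d in $Devices) {
        $ids = Get-UsbIds -InstanceId $d.InstanceId
        if (-not $ids) { continue }
        [pscustomobject]@{
            VID        = $ids.VendorId
            PID        = $ids.ProductId
            Interface  = $ids.Interface
            Class      = $d.Class          # what Windows thinks this interface is
            Name       = $d.FriendlyName
            VendorRule = Test-BlockMatch -VendorId $ids.VendorId -ProductId $ids.ProductId -Mode Vendor
            VidPidRule = Test-BlockMatch -VendorId $ids.VendorId -ProductId $ids.ProductId -Mode VidPid
        }
    }
}

# Constructed sample, not captured from a real machine: an Apple phone showing up
# as a composite parent plus an imaging interface, and a Samsung device whose
# PID (FFFF, a placeholder) is not on the thread's list.
$Sample = @(
    [pscustomobject]@{ InstanceId = 'USB\VID_05AC&PID_12A0\00000000000001';          FriendlyName = 'Apple Mobile Device USB Composite Device'; Class = 'USB' }
    [pscustomobject]@{ InstanceId = 'USB\VID_05AC&PID_12A0&MI_00\7&1A2B3C4D&0&0000'; FriendlyName = 'Apple iPhone';                            Class = 'Image' }
    [pscustomobject]@{ InstanceId = 'USB\VID_04E8&PID_FFFF\R3CT0000000000';          FriendlyName = 'SAMSUNG Mobile USB Composite Device';     Class = 'USB' }
)

Get-UsbBlockReport -Devices $Sample | Format-Table -AutoSize

# Against the live device tree on a test machine with the phone plugged in:
# Get-UsbBlockReport | Sort-Object VID, PID, Interface | Format-Table -AutoSize
```

In the sample, both Apple rows match under either mode, while the Samsung placeholder matches the vendor-only rule but not the VID+PID rule; that is the gap a VID-only definition closes and a per-product list does not. Running the live version before and after plugging in a phone gives you the exact VID/PID and interface numbers to put into the definition, and the Class column tells you whether the device is being exposed as storage, an imaging device or something else.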
Can you not just create a rule that blocks imaging devices with Apple VID?