0 Replies Latest reply on Jul 9, 2013 3:37 AM by mreco

    How to allow individual iPhones / iPads / Android

    mreco

      Hello,

       

      I have implemented a policy in DLP that blocks all devices of the classes 'PortableDevice' and 'Imaging Device'.

      This results in iPhones, iPads and Android phones being blocked, exactly like we want.

       

      Some devices, however, need to be allowed. So, I register the device's serial number and exclude the device from the policy.

      This works fine, with the following exceptions:

       

      Android:

      An Android phone is being blocked when connected as Media device or as Camera Device. When set to mass storage mode, our 'removable storage' policy is applied.

      When a user sets the phone to USB debug mode, the phone will be connected to the computer.

       

      In the screenshot, the first connection is as camera, the second as media device and the third as ‘USB debug’ device.

       

      android.jpg

       

      How can I prevent this from happening? I don’t want our users to be able to do this, but it seems impossible to block, since the class is ‘USB Controllers’. If I block this class, the USB controllers from allowed devices (all other classes than ‘portable’ or ‘imaging’) will also be blocked (like controllers in HUBs and so on).

       

      iPhone/iPad:

      An iPhone or iPad is being blocked by our policy, except when I allow a connection based on USB Serial number. This works fine and the iPhone / iPad is allowed based on its serial number. The device is also shown by Windows as a ‘portable device’ and I can browse the device.

       

      Allowed iPhone:

       

      iphone.jpg

       

      Allowed iPad:

       

      iPad.jpg

       

       

      Now, when a user has iTunes installed, this doesn’t work anymore. The device is seen as two devices:

       

      block.jpg

       

      The ‘Apple Mobile Device USB Driver’ is allowed and seen as the device with the allowed serial number (it would have been blocked by our policy, because we block the ‘06h – Image’ device class).

       

      block1.jpg

       

      The device itself (‘MTP USB Device’) is now blocked, because the USB serial number is not associated with this device:

       

      block2.jpg

       

      The device is now able to synchronise via iTunes over the USB Driver device, but still the 'device is blocked' message is shown and the user is not able to browse the device via Windows Explorer.

       

      How can I prevent this from happening? How can I allow individual iPhones / iPads?

       

      How does this work with USB, why is the iPhone / iPad seen as two devices when iTunes is installed?

       

      Thanks for your help!