6 Replies Latest reply on Oct 15, 2014 9:51 AM by vimalnavis

    Block mobile devices with HDLP

    llamamecomoquieras

      Hi,

       

      I would like to block all mobile devices (Apple, Samsung...) with HDLP only, and not USB or other devices. I would like to block everything without entering the Vendor ID and Device ID for each device, as that is impossible because of the high number of Vendor/Device IDs that exist.

       

      Any help configuring that rule?

       

      HDLP 9.3 patch 2

       

      Best regards,

       

      Jose Maria

        • 1. Re: Block mobile devices with HDLP

          I don't see how this could be possible - a USB key and a cellphone which supports USB storage are exactly the same as far as the OS is concerned - both are simply Generic USB storage devices. The only difference is the vendor ID etc.

           

          What exactly is your use case? I am confused as to why you'd want to allow USB sticks, but not allow USB storage phones etc?

           

          Apple is a little different as it does not present itself as a generic USB storage device etc, but same question - why is a USB stick ok, but a phone, not?

          • 2. Re: Block mobile devices with HDLP
            llamamecomoquieras


            Hi,

             

            Well, we have a USB rule that is already blocking USB as expected, but mobile phones are not considered under the USB protection rule as they are considered plug and play. So what we need is a rule that can block all mobile phones without needing to enter every Vendor ID. I have tested a plug and play rule with the Vendor ID set and the device is blocked, but it is impossible to define the Vendor ID for each provider (Apple, Samsung).

             

            Best regards,

             

            Jose Maria

            • 3. Re: Block mobile devices with HDLP
              moriega

              Greetings,

              The way we were able to get this to work was by creating a Device Definition with the below parameters. When a device is plugged in to the system, in Device Manager you will see it under the Portable Devices category. You may need to create exception definitions (Bluetooth, imaging devices, etc). You can then select these definitions as excluded to prevent them from being blocked in the rule.

               

              Bus Type: USB

              Device Class: Windows Portable Devices (screen shot inserted)

               

              Also, keep in mind you may have some users that will need an exception, so you may need to have two rules, one rule to block and one rule to just monitor. Hope that helps.

               

              DLP Definition.png

              • 4. Re: Block mobile devices with HDLP
                llamamecomoquieras

                Hi moriega,

                 

                I have done a quick test and it works perfectly!! I need to test more deeply, but thank you very much for your big help.

                Best regards,

                 

                Jose Maria

                • 5. Re: Block mobile devices with HDLP
                  moriega

                  Jose,

                  You're welcome. Happy to hear that it worked out for you.

                  • 6. Re: Block mobile devices with HDLP

                    I would suggest that you enforce the USB + WPD definition in Monitor for a period of time before blocking. Cameras and scanners will match the above definition as well.

                    Smart phones connect to the OS using the MTP protocol. If your intent is to protect sensitive data from being copied to smart phones, in v9.3 MTP is supported by the Removable Storage Protection rule.

                    This does not allow you to set the device as Read-Only though.
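
Added example, not part of the thread and not vendor code: a PowerShell inventory of the devices on an endpoint that a "Bus Type: USB" plus "Device Class: Windows Portable Devices" definition would match, useful during the monitor period to spot cameras, scanners and other devices that need exception definitions. It assumes the DLP device class corresponds to the Windows setup class named `WPD`, that the `Get-PnpDevice` cmdlet is available (Windows 8 / Server 2012 or later), and the CSV file name is a placeholder.

```powershell
# Added example (not from the thread): list devices that a
# "Bus Type: USB" + "Device Class: Windows Portable Devices" definition would match.
# Assumption: that DLP device class maps to the Windows setup class named 'WPD'
# (shown as "Portable Devices" in Device Manager).

function Get-UsbPortableDevice {
    [CmdletBinding()]
    param(
        # Only devices attached right now; by default previously seen devices are listed too.
        [switch]$PresentOnly
    )

    Get-PnpDevice -Class 'WPD' -PresentOnly:$PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USB\*' } |   # Bus Type: USB
        ForEach-Object {
            $vendorId  = $null
            $productId = $null
            # USB instance IDs look like USB\VID_xxxx&PID_xxxx\<serial>
            if ($_.InstanceId -match '^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})') {
                $vendorId  = $Matches[1].ToUpper()
                $productId = $Matches[2].ToUpper()
            }
            [pscustomobject]@{
                Computer     = $env:COMPUTERNAME
                FriendlyName = $_.FriendlyName
                VendorId     = $vendorId
                ProductId    = $productId
                Status       = $_.Status      # 'OK' when attached, 'Unknown' when not
                InstanceId   = $_.InstanceId
            }
        }
}

$devices = @(Get-UsbPortableDevice)

# Per-device view for review on the endpoint.
$devices | Sort-Object VendorId, ProductId | Format-Table -AutoSize

# One row per vendor/product pair: candidates for exception definitions.
$devices |
    Group-Object VendorId, ProductId |
    Select-Object Count, Name, @{ n = 'Example'; e = { $_.Group[0].FriendlyName } } |
    Format-Table -AutoSize

# Placeholder output path; collect from several endpoints to compare before blocking.
$devices | Export-Csv -Path .\wpd-usb-inventory.csv -NoTypeInformation
```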