1 Reply Latest reply on Nov 3, 2015 2:31 PM by nicholas.klebs

    Blocking iPhone Device Generally, Monitoring access for selected few.

    ICHAPMAN

      Hello,

       

      OS: Windows 7

      DLP: 9.3.4

       

      I'm trying to use DLP (Device Control) to block Apple iPhones from being connected. To do this, I have created a device definition named "Apple iPhone Devices" with the Vendor ID 05AC and the required Product IDs.

       

      I've then created a User Assignment Group named "TLE Blocked Apple iPhone", which includes the Active Directory "Domain Users" group, and excludes an Active Directory group named "DLP-iPhone" which contains users that are allowed to connect their iPhones.

       

      I've then created a Device Rule named "Block: Apple iPhones". This is configured to include the "Apple iPhone Devices", have the Block and Monitor action, and be assigned "TLE Blocked Apple iPhone" group.

       

      By itself this will work and the general users will be blocked from connecting their iPhones, unless they are in the exclude group.

       

      However, I have a requirement to record (monitor) the connection of the device for the allowed users.

       

      I've created a second User Assignment Group named "TLE Allowed Apple iPhone", which is the reverse of the TLE Blocked Apple iPhone" group - it excludes the Active Directory "Domain Users" group, and includes an Active Directory group named "DLP-iPhone" which contains users that are allowed to connect their iPhones.

       

      I've then created a Device Rule named "Allow: Apple iPhones". This is configured to include the "Apple iPhone Devices", have the Monitor action, and be assigned the "TLE Allowed Apple iPhone" group.

       

      However, in this configuration I do not get the expected/hoped solution.

       

      If the test user is not a member of the Active Directory group "DLP-iPhone", then the user is correctly blocked from connecting an Apple iPhone device.

       

      If the test user is a member of the Active Directory group "DLP-iPhone", then the user is allowed to access the connected iPhone - BUT - no monitoring event is generated. If I look under "DLP Incident Manager", it doesn't record that the user connected the iPhone.

       

      Can you advise what I am doing wrong please?

       

      I've attached a PDF containing screenshots of the various aspects of the configuration I'm talking about.

       

      Thank you


      Iain Chapman


       

      Message was edited by: Iain Chapman Added version / OS information. Added expectation

        • 1. Re: Blocking iPhone Device Generally, Monitoring access for selected few.
          nicholas.klebs

          Recommendations from how I have this configured (I'll try and use your rule name nomenclature)....

           

          User assignment group:

          "TLE Blocked Apple iPhone" - include "Domain Users" - exclude "DLP-iPhone"

          "TLE Allowed Apple iPhone" - include "DLP-iPhone"


          Device Rules: looks good.


          Device Definition:

          [screenshot: iOS.png]

          We use just the VID of apple, along with a USB Class Code of '06h', and Device Class = USB.

          We have had good success with this blocking all iOS devices, without needing to maintain every iOS model (PID).


          Severity:

          Our take on this is the reverse of other security tools.

          The rule with a restrictive action like "block" means an end user cannot transfer data to the device and is a low severity event.

          A rule that allows access to an otherwise restricted device is introducing potential risk, and is a higher severity event.
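The two device definitions discussed in this thread (the question's Vendor ID 05AC plus an explicit list of iPhone Product IDs, and the reply's Vendor ID 05AC plus USB class code 06h) can be checked against what a Windows 7 endpoint actually reports before the policy is pushed. The script below is an added example written for this page, not code from either poster or from McAfee. It reads the PnP identifiers over WMI (Win32_PnPEntity exists on Windows 7, whereas Get-PnpDevice does not), and the parameter $KnownProductIds is an assumption you fill in from your own "Apple iPhone Devices" definition; it is empty by default.

```powershell
# Added example, not from the thread: list attached USB devices and show which of the
# two device-definition styles would match each one:
#   MatchVidPid   - VID 05AC plus an explicit PID list (the question's definition)
#   MatchVidClass - VID 05AC plus USB class code 06h, the still image / PTP class
#                   that iOS devices expose (the reply's definition)
# $KnownProductIds is a placeholder: copy the PIDs from your own device definition.
function Get-AppleUsbRuleMatches {
    param(
        [string]$VendorId = '05AC',
        [string[]]$KnownProductIds = @(),   # fill from your "Apple iPhone Devices" definition
        [string]$ClassCode = '06'           # USB base class 06h = imaging / PTP
    )

    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.DeviceID -like 'USB\VID_*' } |
        ForEach-Object {
            $vid = $null; $productId = $null
            # DeviceID looks like USB\VID_05AC&PID_xxxx[&MI_nn]\<instance>
            if ($_.DeviceID -match 'VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})') {
                $vid = $Matches[1].ToUpper()
                $productId = $Matches[2].ToUpper()
            }

            # Windows publishes USB class codes in the compatible IDs,
            # e.g. USB\Class_06&SubClass_01&Prot_01 for a PTP interface.
            $classes = @()
            foreach ($cid in @($_.CompatibleID)) {
                if ($cid -and ($cid -match 'Class_([0-9A-Fa-f]{2})')) {
                    $classes += $Matches[1].ToUpper()
                }
            }

            $isApple = ($vid -eq $VendorId.ToUpper())
            New-Object PSObject -Property @{
                Name          = $_.Name
                VID           = $vid
                PID           = $productId
                Classes       = (($classes | Sort-Object -Unique) -join ',')
                MatchVidPid   = ($isApple -and ($KnownProductIds -contains $productId))
                MatchVidClass = ($isApple -and ($classes -contains $ClassCode.ToUpper()))
            }
        } |
        Select-Object Name, VID, PID, Classes, MatchVidPid, MatchVidClass
}

# A row with MatchVidClass = True but MatchVidPid = False is an Apple device whose PID
# is missing from the explicit list, i.e. one the PID-based rule would let through.
Get-AppleUsbRuleMatches -KnownProductIds @() | Format-Table -AutoSize
```

Run it with an iPhone attached to a test machine; the composite device's child interfaces are listed separately, so expect the PTP interface (class 06) to show MatchVidClass as True while the vendor-specific interfaces used by iTunes do not. That is the behaviour the reply relies on when it recommends VID plus class 06h instead of maintaining a PID list.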