7 Replies Latest reply on Apr 5, 2017 10:27 AM by nicholas.klebs

    DLP 9.4 and Android Devices not being blocked


      I'm facing a problem with my DLP, latest version, and Android devices.


      I was able to create the rules to stop all USB thumb drives to work, for example, and Apple devices as well. After all, these devices have built-in policies that work fine.


      But in my company I have many people that uses Android cell phones and tablets, and I cannot find a way to block them as well. I tried using Removable Storage Device Rules, by blocking all the Removable storage devices, which works fine for thumb drives and removable HDs, and tried a Plug And Play Device Rule, blocking Windows Portable Devices classes and Device Compatible ID containing "MS_COMP_MTP". Even though the devices being recognized as this, the DLP is still not doing anything with it and the phones are still opening like a thumb drive without any kind of control. Has anybody seen this already? Any advices?




        • 1. Re: DLP 9.4 and Android Devices not being blocked

          Have you tried it without Device Compatible ID containing MS_COMP_MTP? I don't think you have to be more specific than Windows Portable Device. Plus if it's connected as a camera the MTP version won't work. Android devices can connect as an MTP or camera.  If your rule isn't working my guess is they're connecting as cameras.

          • 2. Re: DLP 9.4 and Android Devices not being blocked



            In my tests I'm facing the same behavior as Johnny did, for example using a HTC connected as MTP or PTP the rules for Android Devices or Windows Portable Devices aren't doing anything. In fact, I might as well block any type of device connected through USB and still be able to use them to transfer data. But this happens strictly with Portable Devices where after you access them you are able to see  phone partitions for Internal storage and Removable Storage, aka Micro SD. How could it be blocked, as camera for example, but not blocking other Imaging devices such as built in Webcam or Scanners?




            • 3. Re: DLP 9.4 and Android Devices not being blocked

              Was a solution found here?

              • 4. Re: DLP 9.4 and Android Devices not being blocked

                Are you able to transfer data to the Android phone - or just read data from it?


                Essentially you need to figure out the different "types" of devices the device can connect to the PC as. 


                With iOS this is two devices - 1) when iTunes isn't installed (shows up as a digital camera), 2) when iTunes is installed with the "Apple Device Class"


                With Android this can get a bit more complicated.  Most recent Android phones allow you to change the type of device the PC recognizes it as (PTP, MTP, Charge Only, etc).

                Some manufactures also provide synch conduits and drivers that can influence how the device is seen by the computer (and then by Device Control).

                Start tracking all the different Device Properties with the vendor driver present (this is probably getting way less common) and also not installed - and with the different device options to connect to the PC as.......

                Android Phones with External Storage (Memory card that can be easily removed) should be managed by the same Removable Storage rule that controls USB Drives and Removable Storage, this would be in addition to the next point. Android Phones themselves (controlling access to the internal storage of the device) should be managed by a PnP rule (only restriction available with PnP is to block access to device).


                We are currently blocking Android Devices with a PnP rule that blocks MTP devices and another PnP rule that blocks PTP devices, (any Android Phone with external storage is handled by existing RS/RM rule).

                MTP Device Definition - "Windows Portable Devices" Device Class, and "USB\MS_COMP_MTP" Device Compatible ID.

                PTP Device Definition - "Windows Portable Devices" Device Class, and "06h - Image" USB Class Code.

                1 of 1 people found this helpful
                • 5. Re: DLP 9.4 and Android Devices not being blocked

                  Would this work for all androids ??? please note that some androids are generic and some mobile vendors modify the android code.


                  Also is there any recommendations on client windows (group policy, user rights /access rights etc ... )

                  • 6. Re: DLP 9.4 and Android Devices not being blocked

                    It's easy to block MTP devices in DLP 9.4. (tutorial also available on youtube) https://www.youtube.com/watch?v=3akV4B21AdQ


                    But in my case its a little bit more complicated. I only want to block writing to MTP devices, read should be permited.


                    In the PnP Device Rule - Prevent Action could only be "No Action" or "Block"


                    In the Removable Storage Device Rule - Reaction - Prevent Action could be "No Action", "Block" or "Read-only"


                    I've also noticed that you can't charge your android phone when full block of MTP device.


                    Could you provide any advices or a solution ?

                    • 7. Re: DLP 9.4 and Android Devices not being blocked

                      The only devices that can be set to Read-Only are the ones where the OS (Windows/Mac) controls the File System of the device - this is all Removable Media (USB Flash Drive, CD/DVD, external hard drive, Memory Card).


                      Devices that control their own file system (MTP, PTP, Mobile Devices, etc) DLPe and the OS can not control access to the File System - the only control that can be enforced is blocking access to the device outright - this is the case for all PNP devices and the DLPe PNP Device Rules.


                      A side effect of blocking some PNP devices is that the device will not charge.  When some devices can not make a connection to the device driver (because the device is blocked in this case) the programmed communication can not occur between the host and the device and the device chooses to not allow charging to occur.  I have observed this with all iOS devices and some Android devices.

                      I know McAfee was able to figure a way around this issue with iOS devices with DLPe, but with Android that would involve way too many devices and manufactures to account for.  Our company made this simple by putting in place a Policy that any personally owned Mobile Device is not allowed to connect to a corporate PC - even to charge.  Corporate devices are not blocked and thus charging works fine.

                      A work around to this is a Power Only USB cable - one that doesn't have the facility to transfer data.

                      1 of 1 people found this helpful