Have you tried it without the Device Compatible ID containing MS_COMP_MTP? I don't think you have to be more specific than Windows Portable Device. Plus, if it's connected as a camera, the MTP version won't work. Android devices can connect as MTP or as a camera. If your rule isn't working, my guess is they're connecting as cameras.
In my tests I'm facing the same behavior as Johnny did; for example, using an HTC connected as MTP or PTP, the rules for Android Devices or Windows Portable Devices aren't doing anything. In fact, I might as well block any type of device connected through USB and still be able to use them to transfer data. But this happens strictly with Portable Devices, where after you access them you are able to see phone partitions for Internal Storage and Removable Storage, aka Micro SD. How could it be blocked, as a camera for example, without blocking other imaging devices such as a built-in webcam or scanners?
Was a solution found here?
Are you able to transfer data to the Android phone, or just read data from it?
Essentially you need to figure out the different "types" of devices the device can connect to the PC as.
With iOS this is two devices: 1) when iTunes isn't installed (shows up as a digital camera), 2) when iTunes is installed, with the "Apple Device Class".
With Android this can get a bit more complicated. Most recent Android phones allow you to change the type of device the PC recognizes it as (PTP, MTP, Charge Only, etc).
Some manufacturers also provide sync conduits and drivers that can influence how the device is seen by the computer (and then by Device Control).
Start tracking all the different Device Properties with the vendor driver present (this is probably getting way less common) and also with it not installed, and with each of the different device options for connecting to the PC.
Android Phones with External Storage (a memory card that can be easily removed) should be managed by the same Removable Storage rule that controls USB Drives and Removable Storage; this would be in addition to the next point. Android Phones themselves (controlling access to the internal storage of the device) should be managed by a PnP rule (the only restriction available with PnP is to block access to the device).
We are currently blocking Android Devices with a PnP rule that blocks MTP devices and another PnP rule that blocks PTP devices, (any Android Phone with external storage is handled by existing RS/RM rule).
MTP Device Definition: "Windows Portable Devices" Device Class, and "USB\MS_COMP_MTP" Device Compatible ID.
PTP Device Definition: "Windows Portable Devices" Device Class, and "06h - Image" USB Class Code.
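The two definitions above key on a Device Compatible ID (USB\MS_COMP_MTP) and a USB class code (06h, Image). The following PowerShell, added here as an example and not code from the thread or from McAfee, enumerates the devices currently attached to a Windows client and reports which of those two definitions each one would fall under, which is the "tracking the Device Properties" step described earlier. It assumes the built-in PnpDevice module (Windows 8 / Server 2012 and later), the setup class names 'WPD' (Windows Portable Devices) and 'Image' (cameras and scanners), and an elevated session.

```powershell
# Added example (not from the thread): list present Windows Portable Devices and
# Image-class devices with the properties a DLPe PnP device definition matches on.
# Assumes the built-in PnpDevice module and that the setup class names are
# 'WPD' (Windows Portable Devices) and 'Image' (cameras/scanners).

function Get-PortableDeviceMode {
    $devices = Get-PnpDevice -PresentOnly -Class 'WPD', 'Image' -ErrorAction SilentlyContinue

    foreach ($dev in $devices) {
        # Compatible IDs are where 'USB\MS_COMP_MTP' appears for a phone in MTP mode,
        # and 'USB\Class_06...' for a phone (or camera) presenting as a still image device.
        $propArgs = @{
            InstanceId  = $dev.InstanceId
            KeyName     = 'DEVPKEY_Device_CompatibleIds'
            ErrorAction = 'SilentlyContinue'
        }
        $compat = @((Get-PnpDeviceProperty @propArgs).Data)

        # Map the observed IDs onto the two DLPe definitions from the thread.
        $mode = if ($compat -contains 'USB\MS_COMP_MTP') {
                    'MTP (matches the MS_COMP_MTP definition)'
                } elseif ($compat -match '^USB\\Class_06') {
                    'PTP / camera (matches the USB class 06h definition)'
                } elseif ($dev.Class -eq 'Image') {
                    'Imaging device without a USB class 06h ID (e.g. non-USB)'
                } else {
                    'Other WPD device (neither definition)'
                }

        [pscustomobject]@{
            FriendlyName  = $dev.FriendlyName
            Class         = $dev.Class
            Mode          = $mode
            InstanceId    = $dev.InstanceId
            CompatibleIds = ($compat -join '; ')
        }
    }
}

# Run once per USB mode the phone offers (MTP, PTP, charge only) and compare.
Get-PortableDeviceMode | Format-Table -AutoSize -Wrap
```

Run it once with the phone in each USB mode it offers and once more with any vendor sync driver installed, and compare the Mode column: a phone that switches from the MTP line to the PTP line when its USB mode changes needs both definitions. Note that the PTP definition keys only on USB class 06h, so any USB scanner or camera that appears in this output with a USB\Class_06 compatible ID would be matched by that same rule.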
Would this work for all Androids? Please note that some Androids are generic and some mobile vendors modify the Android code.
Also, are there any recommendations for the client Windows side (group policy, user rights / access rights, etc.)?
It's easy to block MTP devices in DLP 9.4. (tutorial also available on youtube) https://www.youtube.com/watch?v=3akV4B21AdQ
But in my case it's a little bit more complicated. I only want to block writing to MTP devices; read should be permitted.
In the PnP Device Rule, Prevent Action can only be "No Action" or "Block".
In the Removable Storage Device Rule, Reaction > Prevent Action can be "No Action", "Block" or "Read-only".
I've also noticed that you can't charge your Android phone when MTP devices are fully blocked.
Could you provide any advice or a solution?
The only devices that can be set to Read-Only are the ones where the OS (Windows/Mac) controls the file system of the device; this is all Removable Media (USB flash drive, CD/DVD, external hard drive, memory card).
For devices that control their own file system (MTP, PTP, mobile devices, etc.), DLPe and the OS cannot control access to the file system; the only control that can be enforced is blocking access to the device outright. This is the case for all PnP devices and the DLPe PnP Device Rules.
A side effect of blocking some PnP devices is that the device will not charge. When some devices cannot make a connection to the device driver (because the device is blocked, in this case), the programmed communication cannot occur between the host and the device, and the device chooses not to allow charging. I have observed this with all iOS devices and some Android devices.
I know McAfee was able to figure out a way around this issue with iOS devices in DLPe, but with Android that would involve way too many devices and manufacturers to account for. Our company made this simple by putting in place a policy that any personally owned mobile device is not allowed to connect to a corporate PC, even to charge. Corporate devices are not blocked and thus charging works fine.
A workaround for this is a power-only USB cable, one that doesn't have the facility to transfer data.