This issue has been solved.

SEP - Application and Device Control - disable portable devices

Created: 03 Oct 2012 | Updated: 12 Oct 2012
PeterMakto

Dear Gents,

I've a problem with Android devices. I have to make these devices Read Only, but the Application Control rules do not want to work.

Please Help to find any solution.


I've tried a lot of opportunities, like:

Does anyone have any experience with Android devices?

Please help me to find an acceptable solution

 

Thank you and Best Regards

A.

 

 

 

 


Comments

Chetan Savade | Symantec Employee | Accredited | 03 Oct 2012 | Votes: +1

Hi,

Check the following articles

Application/Device Control - Use of Wildcards for Device ID's

https://www-secure.symantec.com/connect/idea/appli... .

How Symantec Endpoint Protection Device Control processes Windows device GUIDs and device IDs.

http://www.symantec.com/docs/HOWTO60964

DevViewer - a tool for finding hardware device ID for Device Blocking in Symantec Endpoint Protection

http://www.symantec.com/docs/TECH103401

How to Block 3G modems in Application and Device Policy

http://www.symantec.com/connect/articles/how-block...

 

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Ashish-Sharma | Accredited | 03 Oct 2012 | Votes: +1

Here is some very useful documentation covering your issues:

http://www.symantec.com/connect/sites/default/files/Application%20and%20Device%20Control_V1%202_4_0.pdf

See page 20 where Device IDs and wildcards are explained. And starting on page 26, you get a good tip how you can centrally monitor device IDs in your environment. So you can get a survey of existing devices.

It's better to use Device Control for blocking; it's far easier than Application Control.

BTW, the USB\VID* device ID seems too generic to me. For example, to block all Samsung Galaxies S II you could try this string (not tested, no warranty): USB\VID_04E8&PID_6860\*
 

PeterMakto | Partner | Accredited | 04 Oct 2012 | Votes: 0

Dear Gents,

Thank you for your suggestions. I checked the documents, I think we could find the right solution. I know, the Device blocking is much easier, but the customer wants to charge their Android devices via USB, so primarily we try the application control.

 

Thanks

Attila

Ashish-Sharma | Accredited | 04 Oct 2012 | Votes: 0

Devices such as Androids, iPods, cameras and other types of portable devices will not be able to get charged.  On newer operating systems such as Windows Vista, Windows 7 and 2008 the operating system will allow the devices to receive power even if they are disabled.

http://www.symantec.com/business/support/index?page=content&id=TECH175220

https://www-secure.symantec.com/connect/articles/how-block-or-allow-devices-symantec-endpoint-protection

 

Check this thread

https://www-secure.symantec.com/connect/forums/disable-charging-ipod

Thanks In Advance

Ashish Sharma

SEPM Knowledgebase Documents  

 

04 Oct 2012 | Votes: 0

Hi,

Please refer

Problem

How can I ensure that Symantec Endpoint Protection clients have read-only access to USB drives?
 

 

Solution

To limit SEP clients to read-only USB drive access, create/edit and assign an appropriate Application and Device Control policy using the following steps:
  1. Install Symantec Endpoint Protection, including the Network Threat Protection feature, on the clients where USB drives will be used
  2. Ensure that the client is communicating with the Symantec Endpoint Protection Manager (SEPM)
  3. Log on to the SEPM console and click on the Policies tab in the left hand window pane
  4. Select Application and Device Control
  5. Create a new policy or edit an existing Application and Device Control policy
  6. Click on Application Control and select the following options:
    • Make all removable drives read-only
    • Block writing to USB drives
  7. Assign the policy to the client(s) in question
  8. Reboot the client(s) to implement the policy.

 

 

PeterMakto | Partner | Accredited | 11 Oct 2012 | Votes: 0

Hi,

Thank you for your help. It seems, the problem can not be solved with the Application Control.

We came up with an alternate solution. We disable all of the vendor ID's of the Android devices, and we'll make exceptions when necessary.

 

Android_ZTE Device: USB\VID_19D2*
Android_Sony Device: USB\VID_0FCE*
Android_Samsung Device: USB\VID_04E8*
Android_Motorola Device: USB\VID_22B8*
Android_LG Device: USB\VID_1004*
Android_Huawei Device: USB\VID_12D1*
Android_HTC Device: USB\VID_0BB4*

 

Best Regards

A

 

11 Oct 2012 | Votes: 0 | SOLUTION

Your approach is okay from my point of view.

Have a look at this web site that has a lot of known USB IDs. Perhaps it helps you to get more precise device id parts. There is a file (usb.ids) that contains a lot of IDs. However, no warranty.
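
Added example (not part of the original thread and not Symantec code): a parser for the usb.ids layout that builds vendor-wide and product-specific device ID patterns of the kind posted above, then shows which constructed device IDs each pattern would catch. The sample entries, product names and device instance IDs are constructed, and treating the wildcard as a case-insensitive glob is an assumption about Device Control matching.

```python
import fnmatch
import re

# Constructed excerpt in the usb.ids layout: vendor lines start at column 0,
# product lines are indented with one tab. Vendor IDs and PID 6860 come from
# the thread; names and the other product IDs are placeholders.
SAMPLE_USB_IDS = """\
# constructed sample, not real usb.ids content
04e8  Samsung (constructed entry)
\t6860  handset (constructed)
\t3301  printer (constructed)
0bb4  HTC (constructed entry)
\t0c02  handset (constructed)
C 00  (Defined at Interface level)
\t01  not a product line
"""

VENDOR_RE = re.compile(r"^([0-9a-f]{4})\s+(.+)$")
PRODUCT_RE = re.compile(r"^\t([0-9a-f]{4})\s+(.+)$")

def parse_usb_ids(text):
    """Return {vid: {"name": str, "products": {pid: name}}}."""
    vendors, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        v, p = VENDOR_RE.match(line), PRODUCT_RE.match(line)
        if v:
            current = vendors.setdefault(v.group(1), {"name": v.group(2), "products": {}})
        elif p and current is not None:
            current["products"][p.group(1)] = p.group(2)
        elif not line.startswith("\t"):
            current = None  # a non-vendor section starts; stop attributing products
    return vendors

def vendor_pattern(vid):
    return r"USB\VID_%s*" % vid.upper()

def product_pattern(vid, pid):
    return r"USB\VID_%s&PID_%s\*" % (vid.upper(), pid.upper())

def blocked(device_ids, patterns):
    """Device IDs hit by any pattern (glob semantics assumed, case-insensitive)."""
    return [d for d in device_ids
            if any(fnmatch.fnmatchcase(d.upper(), p.upper()) for p in patterns)]

# Constructed device instance IDs: a handset, a same-vendor printer, an unrelated device.
DEVICES = [r"USB\VID_04E8&PID_6860\0123456789", r"USB\VID_04E8&PID_3301\ABCDEF",
           r"USB\VID_FFFF&PID_0001\X"]

if __name__ == "__main__":
    db = parse_usb_ids(SAMPLE_USB_IDS)
    print(blocked(DEVICES, [vendor_pattern(v) for v in db]))   # handset and printer
    print(blocked(DEVICES, [product_pattern("04e8", "6860")]))  # handset only
```

The vendor-wide pattern also catches the same vendor's non-phone hardware, which is why the exceptions mentioned in the thread become necessary.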

 

PeterMakto | Partner | Accredited | 12 Oct 2012 | Votes: 0

Hi Greg,

We elaborate the policy based on this site: http://www.linux-usb.org/usb.ids

But it's the same. It was very useful. Thank you for your help.

 

Br.

A