
SEP - Application and Device Control - disable portable devices

Created: 03 Oct 2012 • Updated: 12 Oct 2012 | 9 comments
PeterMakto's picture
This issue has been solved. See solution.

Dear Gents,

I have a problem with Android devices. I have to make these devices read-only, but the Application Control rules do not want to work.

Please Help to find any solution.

 I've tried a lot of opportunities, like:

Does anyone have any experience with Android devices?

Please help me to find an acceptable solution

Thank you and Best Regards

A.


Chetan Savade's picture

Hi,

Check the following articles

Application/Device Control - Use of Wildcards for Device ID's

https://www-secure.symantec.com/connect/idea/appli... .

How Symantec Endpoint Protection Device Control processes Windows device GUIDs and device IDs.

http://www.symantec.com/docs/HOWTO60964

DevViewer - a tool for finding hardware device ID for Device Blocking in Symantec Endpoint Protection

http://www.symantec.com/docs/TECH103401

How to Block 3G modems in Application and Device Policy

http://www.symantec.com/connect/articles/how-block...

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

greg12's picture

Here is some very useful documentation covering your issues:

http://www.symantec.com/connect/sites/default/files/Application%20and%20Device%20Control_V1%202_4_0.pdf

See page 20 where Device IDs and wildcards are explained. And starting on page 26, you get a good tip how you can centrally monitor device IDs in your environment. So you can get a survey of existing devices.

It's better to use Device Control for blocking; it's far easier than Application Control.

BTW, the USB\VID* device ID seems too generic to me. For example, to block all Samsung Galaxies S II you could try this string (not tested, no warranty): USB\VID_04E8&PID_6860\*
 

PeterMakto's picture

Dear Gents,

Thank you for your suggestions. I checked the documents; I think we can find the right solution. I know that device blocking is much easier, but the customer wants to charge their Android devices via USB, so we are trying Application Control first.

Thanks

Attila

Ashish-Sharma's picture

Devices such as Androids, iPods, cameras and other types of portable devices will not be able to get charged.  On newer operating systems such as Windows Vista, Windows 7 and 2008 the operating system will allow the devices to receive power even if they are disabled.

http://www.symantec.com/business/support/index?page=content&id=TECH175220

https://www-secure.symantec.com/connect/articles/how-block-or-allow-devices-symantec-endpoint-protection

Check this thread

https://www-secure.symantec.com/connect/forums/disable-charging-ipod

Thanks In Advance

Ashish Sharma

Riya31's picture

Hi ,

Please refer

Problem

How can I ensure that Symantec Endpoint Protection clients have read-only access to USB drives?
 

Solution

To limit SEP clients to read-only USB drive access, create/edit and assign an appropriate Application and Device Control policy using the following steps:
  1. Install Symantec Endpoint Protection, including the Network Threat Protection feature, on the clients where USB drives will be used
  2. Ensure that the clients are communicating with the Symantec Endpoint Protection Manager (SEPM)
  3. Log on to the SEPM console and click on the Policies tab in the left hand window pane
  4. Select Application and Device Control
  5. Create a new policy or edit an existing Application and Device Control policy
  6. Click on Application Control and select the following options:
    • Make all removable drives read-only
    • Block writing to USB drives
  7. Assign the policy to the client(s) in question
  8. Reboot the client(s) to implement the policy.

PeterMakto's picture

Hi,

Thank you for your help. It seems the problem cannot be solved with Application Control.

We came up with an alternate solution. We disable all of the vendor IDs of the Android devices, and we'll make exceptions when necessary.

Android_ZTE Device: USB\VID_19D2*
Android_Sony Device: USB\VID_0FCE*
Android_Samsung Device: USB\VID_04E8*
Android_Motorola Device: USB\VID_22B8*
Android_LG Device: USB\VID_1004*
Android_Huawei Device: USB\VID_12D1*
Android_HTC Device: USB\VID_0BB4*

Best Regards

A

greg12's picture

Your approach is okay from my point of view.

Have a look at this web site that has a lot of known USB IDs. Perhaps it helps you to get more precise device id parts. There is a file (usb.ids) that contains a lot of IDs. However, no warranty.

SOLUTION
PeterMakto's picture

Hi Greg,

We elaborated the policy based on this site: http://www.linux-usb.org/usb.ids

But it's the same. It was very useful. Thank you for your help.

Br.

A
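
Added example (not part of any post in this thread, and not Symantec code): a pre-rollout audit that parses usb.ids-style text, builds the vendor-wide wildcards from PeterMakto's list or the per-product form greg12 suggested, and shows which devices in an inventory each choice would block. The usb.ids excerpt, the inventory and the matching model (case-insensitive `*` wildcard, exclusions overriding the block list) are assumptions made for the demonstration.

```python
import fnmatch
import re

# Constructed excerpt in the usb.ids layout: vendor line, then tab-indented
# product lines. The VIDs and PID 6860 are quoted in the thread; the other
# PIDs and all names and serials are made up for the demonstration.
USB_IDS = """\
# comment
04e8  Samsung Electronics Co., Ltd
\t6860  Android phone (PID from the thread)
\tffff  Hypothetical laser printer
0bb4  HTC
\t0001  Hypothetical Android phone
"""

INVENTORY = [  # constructed device instance IDs
    r"USB\VID_04E8&PID_6860\0123456789ABCDEF",
    r"USB\VID_04E8&PID_FFFF\PRN0001",
    r"USB\VID_0BB4&PID_0001\HT0001",
    r"USB\VID_1234&PID_0001\KBD0001",
]

def parse_usb_ids(text):
    """Return {VID: {PID: product name}} for the vendor section of usb.ids."""
    vendors, current = {}, None
    for line in text.splitlines():
        vendor = re.match(r"^([0-9a-fA-F]{4})\s+\S", line)
        product = re.match(r"^\t([0-9a-fA-F]{4})\s+(.+)$", line)
        if vendor:
            current = vendors.setdefault(vendor.group(1).upper(), {})
        elif product and current is not None:
            current[product.group(1).upper()] = product.group(2)
        elif line and not line.startswith(("#", "\t")):
            current = None  # left the vendor list (class codes and so on)
    return vendors

def patterns(vendors, vid, per_product=False):
    """Vendor-wide wildcard (PeterMakto's form) or one per PID (greg12's form)."""
    if not per_product:
        return [f"USB\\VID_{vid}*"]
    return [f"USB\\VID_{vid}&PID_{pid}\\*" for pid in sorted(vendors[vid])]

def hit(device_id, pats):
    return any(fnmatch.fnmatchcase(device_id.upper(), p.upper()) for p in pats)

def audit(inventory, blocked, excluded=()):
    """IDs that end up blocked, assuming exclusions override the block list."""
    return [d for d in inventory if hit(d, blocked) and not hit(d, excluded)]
```

Running audit() with the vendor-wide pattern for 04E8 returns both the phone and the printer entry; the per-product pattern for PID 6860, or an exclusion for the printer's PID, leaves only the phone blocked.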