How to block access to smartphones using Device Control

Version 8

    Verified Product Versions

    Endpoint Manager 9.5, Endpoint Manager 9.6, Endpoint Manager 9.0 and Older, Endpoint Manager 2016.x, Endpoint Manager 2017.x

    Issue

     

    When using device control to block access to storage volumes, some Android and Apple smartphones are still accessible. This occurs because the hardware manufacturer has defined the device class as something other than a storage volume, so the device is not blocked by the device control storage volume settings.

     

     

    Resolution

     

    Determine the device class of the hardware in question and modify your device control setting to add an exception that will block the device class using the following steps:

    1. Determine the device class for your device using the following steps:
      1. Connect the device to your machine and ensure it shows up under Device Manager.
      2. Right-click the device in Device Manager and select Properties.
      3. On the Details tab, select the device class property.
      4. Make a note of this value.
        1. Note: The device class for most smartphones that have been reviewed is WPD.
    2. Add the exception:
      a. On the core, open Security Activity, drill down into Device Control / Other Blocked Devices, and select an activity item in the right window (you may need to modify the start and end date parameters).
      b. Right-click the item.
      c. Select Add Exception, and set the fields to these values:
          Description: WPD
          Parameter: Class
          Value: WPD
          Access: Deny
      d. Check the Device Control Settings to make sure the Devices\ Exception is listed and set to Block.
      e. From the agent settings screen, create an “install/update security component” task to update the appropriate client devices with the new device control setting.
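
As a scripted alternative to the Device Manager lookup in step 1, the following added example (not part of the original article or the product) snapshots the present devices, waits for the phone to be connected, and lists only the device nodes that appeared with the class each one reports. It assumes a Windows client where the built-in Get-PnpDevice cmdlet is available; the 5-second wait is an arbitrary choice.

```powershell
# Added example: find the device class of a newly connected smartphone.
# Run this on the test machine BEFORE plugging the phone in.

# 1. Record the instance IDs of every device that is present right now.
$before = Get-PnpDevice -PresentOnly | Select-Object -ExpandProperty InstanceId

Read-Host 'Connect and unlock the smartphone, then press Enter'
Start-Sleep -Seconds 5   # arbitrary wait so Windows can finish enumerating the device

# 2. Keep only the device nodes that were not present in the first snapshot.
$new = Get-PnpDevice -PresentOnly |
    Where-Object { $before -notcontains $_.InstanceId }

if (-not $new) {
    Write-Warning 'No new device nodes appeared. Check the cable and the USB mode selected on the phone.'
    return
}

# 3. Show each new node with the class it reports. A phone can add more than
#    one node; the value to note is the class of the phone's own entry
#    (WPD for most smartphones reviewed in the article).
$new |
    Sort-Object Class, FriendlyName |
    Format-Table Class, FriendlyName, Status, InstanceId -AutoSize

# 4. Summarize the distinct classes seen, to compare against the value
#    entered in the exception (Parameter: Class).
$new |
    Where-Object { $_.Class } |
    Group-Object Class |
    Select-Object @{ Name = 'Class'; Expression = { $_.Name } }, Count
```

Running it again after the updated device control setting has reached the client shows whether the phone still enumerates and with what status.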