When device control is used to block access to storage volumes, some Android and Apple smartphones remain accessible. This occurs because the hardware manufacturer defines the device class as something other than a storage volume, so the device is not blocked by the device control storage volume settings.
Determine the device class of the hardware in question and modify your device control setting to add an exception that will block the device class using the following steps:
1. Determine the device class for your device:
a. Connect the device to your machine and ensure it shows up under Device Manager.
b. Right-click the device in Device Manager and select Properties.
c. On the Details tab, select the Device class property.
d. Make a note of this value.
Note: The device class for most smartphones that have been reviewed is WPD.
2. Modify the device control settings on the core to add an exception that will block the device:
a. On the core, open the device control settings.
b. Select the Devices section of the settings.
c. On the Exceptions tab, click Add to add an exception.
d. Enter a description for the exception.
e. On the Parameter drop-down, select Class.
f. For Value, enter the value for the device class that you determined in step 1.
Note: The device class for most smartphones that have been reviewed is WPD.
g. Ensure that the option to block the device is selected.
h. Click OK to save the device control settings.
i. From the agent settings screen, create an “install/update security component” task to update the appropriate client devices with the new device control setting.
3. Adding the Exception in LDMS 9.6 or LDMS 2016
a. On the core, open Security Activity, drill down into Device Control / Other Blocked Devices, and select an activity item in the right window (you may need to modify the start and end date parameters).
b. Right-click the item.
c. Add Exception, and modify the fields with these values:
d. Then check the Device Control Settings to make sure the Devices\ Exception is listed and set to Block.
e. From the agent settings screen, create an “install/update security component” task to update the appropriate client devices with the new device control setting.
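
The device class lookup from step 1 can also be done from PowerShell instead of Device Manager. The following is an added example, not part of the original article or the product: the function name `Get-ConnectedDeviceClass` and the list of storage classes are assumptions, and it relies only on the built-in `Get-PnpDevice` cmdlet (Windows 8 / Server 2012 and later).

```powershell
# Added example: report the setup class of present devices so the value for the
# device control "Class" exception can be read without opening Device Manager.
function Get-ConnectedDeviceClass {
    [CmdletBinding()]
    param(
        # Classes assumed to be covered by a storage-volume rule (assumption;
        # adjust to match how your policy is defined).
        [string[]]$StorageClasses = @('DiskDrive', 'Volume'),

        # Classes to flag as candidates for a class exception. WPD is the value
        # the article reports for most smartphones.
        [string[]]$ExceptionClasses = @('WPD')
    )

    $watched = $StorageClasses + $ExceptionClasses

    # -PresentOnly limits the result to devices that are connected right now.
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.Class -and ($_.Class -in $watched) } |
        ForEach-Object {
            [pscustomobject]@{
                FriendlyName   = $_.FriendlyName
                Class          = $_.Class          # value to enter in the exception
                InstanceId     = $_.InstanceId
                # True when the device reports a non-storage class such as WPD.
                NeedsException = $_.Class -in $ExceptionClasses
            }
        } |
        Sort-Object Class, FriendlyName
}

# Connect the phone first, then list what it reports itself as.
Get-ConnectedDeviceClass | Format-Table -AutoSize
```

Run it once with the phone disconnected and once connected; the rows that appear only in the second run show the class the handset reports.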