This article provides an overview of the forthcoming Device Control update that will support Media Transfer Protocol (MTP) and Picture Transfer Protocol (PTP) devices on Windows.
Versions in the Preview subscription will only be available for a short period of time, subsequent versions will also contain the new features. For a full explanation of the lifecycle and subscription policy please see the knowledgebase article: Software subscriptions in Enterprise Console v 5.2.1 and above
Applies to the following Sophos product(s) and version(s) Sophos Anti-Virus for Windows 2000+ 10.3.0Enterprise ConsoleSophos Cloud Managed Endpoint
From version 10.3.2, device control will support MTP and PTP devices (Currently only available in the Preview package subscription). This update allows the administrator to set a policy in Device Control to govern their required access.
Common types of MTP devices include Blackberry, iPhone and various types of Android smart phone. PTP is commonly used on digital cameras.
Note: Some devices can be switched between MTP and removable storage mode, for example, Blackberry smart phones. When connected to a PC in removable storage mode, you must configure a Removable Storage policy in Device control.
This device control feature is currently available only in the Preview package subscription.
'Media Devices (10.3.2 and above)' will be shown as a new device Type in your Device Control policy Configuration tab.
Any configuration setup for this device type will only function on endpoints with SAV 10.3.2 and above, all other versions will ignore this setting. The type of device listed will be visible to all customers regardless of the subscribed packages or Sophos console version.
Since there is no physical connection to the computer, device control cannot control the transfer of data from devices connecting over WiFi. Sophos Client Firewall can be configured to block such transfers.
In order to provide complete coverage on all platforms some additional devices may be unexpectedly blocked. This occurs when the device connected to the computer presents itself as an 'Imaging device', this device type is used by some popular smart phones (e.g. Apple iPhone). You use the 'Add exemption' button in your Device Control policy to allow these devices to operate fully.
Yes, as a result of setting Device Control to block MTP/PTP device access, some devices (such as the Apple iPhone) will not be able to charge via a USB port on the endpoint.
As an example: From testing an iPhone running iOS 8.1 it was observed that if the phone was plugged into the computer before the policy to block was enabled, the phone continued to show the symbol for charging. Once the phone was unplugged and reattached it was no longer able to charge itself. You may also want to read the discussion on our community: Allowing Apple Devices to Charge?.
Note: We do not maintain a list of devices that are still able to charge when the status is set to Blocked in Device Control.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.