Device Control doesn't block Smartphones

Cheers Sophos Community,

I have yet another problem with Device Control. I blocked all USB access and only allow scanned devices per exception. Today a user could just plug in his iPhone and load photos off it. In reaction I tested my Android phone. After I plugged it in, it didn't show as storage but still got connected and was showing as a media device.

This is a serious issue because people can just plug in their untested device and take data or put harmful software into the environment.

I have seen in another post that this was discussed as a feature request in 2015. 

Any ideas how to block smartphones per UTM WebAdmin?

UTM Version: 9.406-3 / Endpoint Protection Version: 11.0.9 UTM

Yours truly

David



  • Hi David,

    A long time ago in a galaxy far far away someone came up with a beautiful universal protocol known as MTP, the Media Transfer Protocol. Basically people got fed up with having to have custom software everywhere for phones and Android/Apple spearheaded this and designed their OS to connect to PCs using MTP. What this means is the devices aren't actually mounted as removable storage but instead are mounted as a media device. When you're browsing the device, things load like it's a removable storage (ish); what's actually happening is the PC is querying the device's MTP server and is getting formatted data in return but not the actual files themselves like you would a mounted device like a USB stick.

    The Endpoint protection from the UTM does not have the ability to intercept and control MTP devices unfortunately so you cannot block these.

    Tbh, the Endpoint protection provided and managed by the UTM was a great idea by Astaro (and apparently is what put them on Sophos' radar) but nowadays it's a gimmick at best. Realistically you will want something cool and "sexy" like Sophos Central or a custom managed Sophos Endpoint on premise.

    Sorry to be the bearer of bad news!

    Emile
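
The gap described in the reply above can be seen at the USB descriptor level: a stick announces interface class 0x08 (Mass Storage), while a phone announces Still Image (0x06/0x01/0x01, PTP and commonly MTP) or a vendor-specific interface named "MTP". This is an added example, not part of the original thread and not Sophos code. The descriptor bytes are constructed, and the `allowed` policy model and category names are assumptions for illustration.

```python
# Added example. Descriptor blobs are constructed samples, not captures from real devices.
MASS_STORAGE = 0x08                  # USB-IF class code: Mass Storage
STILL_IMAGE = (0x06, 0x01, 0x01)     # class/subclass/protocol: PTP, commonly MTP too

def interfaces(config: bytes):
    """Walk a USB configuration descriptor blob and yield its interface descriptors."""
    i = 0
    while i + 2 <= len(config):
        length, dtype = config[i], config[i + 1]
        if length < 2 or i + length > len(config):
            raise ValueError(f"malformed descriptor at offset {i}")
        if dtype == 0x04 and length >= 9:            # INTERFACE descriptor
            yield {"class": config[i + 5], "subclass": config[i + 6],
                   "protocol": config[i + 7], "string_index": config[i + 8]}
        i += length

def classify(iface, strings=None):
    """Map one interface to a category (category names are hypothetical)."""
    name = (strings or {}).get(iface["string_index"], "")
    if iface["class"] == MASS_STORAGE:
        return "mass-storage"
    if (iface["class"], iface["subclass"], iface["protocol"]) == STILL_IMAGE:
        return "ptp-mtp"
    if iface["class"] == 0xFF and name == "MTP":     # vendor-specific MTP interface
        return "ptp-mtp"
    return "other"

def allowed(config, blocked, strings=None):
    """True if no interface on the device falls into a blocked category."""
    return not any(classify(i, strings) in blocked for i in interfaces(config))

# Constructed samples: config header, one interface, then endpoint descriptors.
USB_STICK = bytes.fromhex("090220000101008032" "090400000208065000"
                          "07058102000200" "07050202000200")
PHONE_PTP = bytes.fromhex("0902270001010080fa" "090400000306010100"
                          "07058102000200" "07050202000200" "070583031c0006")
PHONE_VENDOR_MTP = bytes.fromhex("0902270001010080fa" "0904000003ffff0005"
                                 "07058102000200" "07050202000200" "070583031c0006")
MTP_STRINGS = {5: "MTP"}             # string descriptor 5, constructed

if __name__ == "__main__":
    storage_only = {"mass-storage"}
    extended = {"mass-storage", "ptp-mtp"}
    for label, blob, strs in [("stick", USB_STICK, None), ("phone (PTP)", PHONE_PTP, None),
                              ("phone (vendor MTP)", PHONE_VENDOR_MTP, MTP_STRINGS)]:
        print(label, "| storage-only policy allows:", allowed(blob, storage_only, strs),
              "| extended policy allows:", allowed(blob, extended, strs))
```

A control that only recognises the mass-storage class lets both phone samples through; the control has to understand the PTP/MTP interface types before it can block or audit them.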

  • Hello Emile,

    Thanks for this humorous bad news. You actually made me chuckle!

    The way you put it, I don't think it will be included in Sophos UTM in the near future. Looks like I am gonna have to talk to my boss for a new investment. Thanks again for your quick reply.

    David