This article provides an overview of the forthcoming Device Control update that will support Media Transfer Protocol (MTP) and Picture Transfer Protocol (PTP) devices on Windows.
Versions in the Preview subscription will only be available for a short period of time, subsequent versions will also contain the new features. For a full explanation of the lifecycle and subscription policy please see the knowledgebase article: Software subscriptions in Enterprise Console v 5.2.1 and above
Applies to the following Sophos product(s) and version(s)
Sophos Cloud Managed Endpoint
Sophos Anti-Virus for Windows 2000+ 10.3.0
Device Control MTP/PTP Support (From version 10.3.2)
From version 10.3.2, device control will support MTP and PTP devices (Currently only available in the Preview package subscription). This update allows the administrator to set a policy in Device Control to govern their required access.
Common types of MTP devices include Blackberry, iPhone and various types of Android smart phone. PTP is commonly used on digital cameras.
Note: Some devices can be switched between MTP and removable storage mode, for example, Blackberry smart phones. When connected to a PC in removable storage mode, you must configure a Removable Storage policy in Device control.
Frequently Asked Questions (FAQ)
When will this feature be available?
This device control feature is currently available only in the Preview package subscription.
What will the device type be shown as in a Device Control policy?
'Media Devices (10.3.2 and above)' will be shown as a new device Type in your Device Control policy Configuration tab.
If I change the Status for 'Media Devices (10.3.2 and above)' to Blocked what will happen on older SAV endpoints?
Any configuration setup for this device type will only function on endpoints with SAV 10.3.2 and above, all other versions will ignore this setting. The type of device listed will be visible to all customers regardless of the subscribed packages or Sophos console version.
Can I control files being sent to PTP/MTP devices over WiFi (Samsung Kies / iTunes)?
Since there is no physical connection to the computer, device control cannot control the transfer of data from devices connecting over WiFi. Sophos Client Firewall can be configured to block such transfers.
Why has my 'all-in-one scanner'/webcam/printer device been blocked?
In order to provide complete coverage on all platforms some additional devices may be unexpectedly blocked. This occurs when the device connected to the computer presents itself as an 'Imaging device', this device type is used by some popular smart phones (e.g. Apple iPhone). You use the 'Add exemption' button in your Device Control policy to allow these devices to operate fully.
Since blocking MTP/PTP devices in my Device Control policy, devices like the Apple iPhone are unable to charge from a computer USB port, is this expected behavior?
Yes, as a result of setting Device Control to block MTP/PTP device access, some devices (such as the Apple iPhone) will not be able to charge via a USB port on the endpoint.
As an example: From testing an iPhone running iOS 8.1 it was observed that if the phone was plugged into the computer before the policy to block was enabled, the phone continued to show the symbol for charging. Once the phone was unplugged and reattached it was no longer able to charge itself. You may also want to read the discussion on our community: Allowing Apple Devices to Charge?.
Note: We do not maintain a list of devices that are still able to charge when the status is set to Blocked in Device Control.