FortiDLP
FortiDLP is a cloud-native endpoint DLP and insider risk solution aimed at monitoring and preventing data theft on the endpoint, across Windows, macOS and Linux.
Anthony_E
Staff
Article Id 353352
Description This article describes why Android device file events are not detected in USB policies.
Scope FortiDLP.
Solution

Computers use a different protocol to communicate with Android devices than they use with USB mass storage devices. The Reveal Agent can restrict read/write access to Android devices, but it currently only detects USB mass storage events for the purpose of triggering policies.

Although Android devices can mimic the behaviour of USB storage devices (a user can read, write, and delete files on them), the Reveal Agent cannot detect these events through USB-based policies because a different protocol is used. Communication between computers and Android devices is driven by the Media Transfer Protocol (MTP) and the Picture Transfer Protocol (PTP), while communication with USB storage devices is driven by the USB mass storage protocol.

As the Reveal Agent currently only monitors USB mass storage events for the related policies, MTP and PTP events will not trigger these policies. It is, however, possible to restrict read/write access to Android devices (see below).

Methods to enable direct monitoring of MTP events are currently being investigated by the NextDLP development team.

Affected File Transfer Policies

  • The file is written to a USB storage device.
  • A sensitive file is written to a USB storage device.
  • A sensitive WAVE audio file is written to a USB storage device.
  • A sensitive ZIP file is written to a USB storage device.
  • Unauthorized file read from USB storage device

How to block read and/or write access to Android devices:

It is possible to block read/write access to Android (WPD) devices for some or all users via the agent configuration.

  1. Go to Admin -> Agent Configuration in the UI and edit the configuration group you want to affect.
  2. Select Add Custom Configuration and add one or both of the following keys:
    1. removable_storage_device_wpd_read
    2. removable_storage_device_wpd_write

Each of these keys takes the value allow or deny. The values take effect without restarting the agent or the host machine.

Important Note:

It is also possible to block WPD devices via Group Policy (GPO) under Computer Configuration -> Administrative Templates -> System -> Removable Storage Access. If GPO is used to control these settings, it is highly recommended not to also use the WPD keys in the Reveal Platform, to prevent potential conflicts between the two controls.
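The following PowerShell script is an added example, not part of this article or of the FortiDLP/Reveal product, that lets an administrator check whether the Removable Storage Access GPO already restricts WPD devices on a host before the removable_storage_device_wpd_read / removable_storage_device_wpd_write keys are enabled in the agent configuration. It assumes that the policy writes DWORD values named Deny_All, Deny_Read and Deny_Write under the RemovableStorageDevices policy key and that the two class GUIDs listed are the ones the "WPD Devices" policies use; verify those against the ADMX templates in your environment.

```powershell
# Added example (not from the article): report any Removable Storage Access
# Group Policy settings that already restrict WPD devices, so that the Reveal
# agent's WPD keys and GPO are not used for the same control at the same time.
# Assumption: registry path, class GUIDs and value names follow the Windows
# "Removable Storage Access" ADMX template; confirm them before relying on this.

# Machine and per-user policy hives; both can carry Removable Storage Access settings.
$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
)

# Device-setup class GUIDs targeted by the "WPD Devices" policies (assumed from the ADMX).
$wpdClasses = @(
    '{6AC27878-A6FA-4155-BA85-F98F491D4F33}',
    '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}'
)

function Get-PolicyDword {
    # Returns the DWORD value if the key and value exist, otherwise $null
    # (a missing value means the policy is simply not configured there).
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [int]$item.$Name
    } catch {
        return $null
    }
}

$findings = @()

foreach ($root in $policyRoots) {
    # "All Removable Storage classes: Deny all access" covers WPD devices as well.
    $denyAll = Get-PolicyDword -Path $root -Name 'Deny_All'
    if ($denyAll -eq 1) {
        $findings += [pscustomobject]@{ Hive = $root.Split(':')[0]; Scope = 'All removable storage'; Setting = 'Deny_All' }
    }

    foreach ($guid in $wpdClasses) {
        $classPath = Join-Path -Path $root -ChildPath $guid
        foreach ($setting in 'Deny_Read', 'Deny_Write') {
            if ((Get-PolicyDword -Path $classPath -Name $setting) -eq 1) {
                $findings += [pscustomobject]@{ Hive = $root.Split(':')[0]; Scope = "WPD class $guid"; Setting = $setting }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Removable Storage Access policy restricts WPD devices on this host; the Reveal WPD keys can be used without overlap.'
} else {
    Write-Output 'Group Policy already restricts WPD devices on this host. Choose one control (GPO or the Reveal WPD keys), not both:'
    $findings | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session on a representative endpoint from each configuration group; a "Deny_Read" or "Deny_Write" finding for a WPD class means the corresponding Reveal key would duplicate an existing GPO restriction, which is the conflict the note above warns about.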
