Does Cortex XDR Device Control block mobile hotspots through USB?


L1 Bithead

Hello!

 

I recently had a situation where a computer with a security policy, with every setting in Device Control set to block, allowed an internet connection through USB + smartphone.

 

Did you have any similar situations? I have checked the Device Control violations and there are some about smartphones, but the connection was allowed, so maybe Cortex only blocks when the smartphone is used to transfer files?

 

Any help would be appreciated!

 

Thanks,

Max

1 accepted solution

Accepted Solutions

L3 Networker

Hi @maksymilianjan ,

 

Is this a Windows device you are trying to block the device on?

 

As you have noticed, a smartphone connected to a PC can have multiple device classes depending on what functionality is being utilized. In the case of file transfers, those can easily be blocked if the device is categorized as one of the default device classes supported by Cortex XDR and a Device Management profile is applied to the endpoint and set to block that device class. In the case of network tethering, the device class is probably something different.

 

For Windows, by default Cortex XDR will allow you to act on Disk Drives, CD-Rom Drives, Floppy Disk Drives, or Windows Portable Devices; however, you can also add custom device classes.

 

To create a custom device class, you will need to reference this document from Microsoft which lists all of the device classes in the OS: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/system-defined-device-setup-classe...

 

Copy the ClassGuid for the category of devices you would like to control from Cortex XDR - the class could vary depending on the vendor and model of device used, but you can check Device Manager on the endpoint to help with identifying the device class in this case of the tethered smartphone connection.

 

To add the device class to Cortex XDR, go to Endpoints > Policy Management > Settings > Device Management and then select "New Device" - this is where you will paste the ClassGuid value and specify a name. After you save the entry, this will become a device class you can manage through your Device Configuration profile.

 

There will be a dropdown menu under the "Custom Device Types" heading where you can select any device classes you've added into Cortex XDR:

 

[Screenshot: the "Custom Device Types" dropdown in the Device Configuration profile]

 

I would use extreme caution with this approach, however, in this particular use case, as tethered connections will often be considered Network Adapters. In that case, you probably wouldn't want to block all network adapters across your endpoints.

 

Regards,

Tim

L3 Networker

Hi Max,

 

If the USB-connected device is not one of the following built-in classes in the configuration profile, you may need to add a custom device class.

  • Disk Drives
  • CD-Rom Drives
  • Floppy Disk Drives
  • Windows Portable Devices

 

To add a custom USB-connected device class (available for Windows only), go to Endpoints > Policy Management > Settings > Device Management > + New Device. When creating a custom device class, a class GUID must be supplied from the official ClassGuid identifier. Select the GUID that matches your desired USB-connected device and select save. After creation, this new device class can be added to your device configuration/exception profile, which can then be used to block your desired connection after implementing it into your policy.

 

Please refer to the Device Control documentation for additional details:

 

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/harde...
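Both replies above come down to the same two steps: find out which setup class the phone actually lands in on the endpoint, then decide whether that ClassGuid is safe to use as a custom device class. The PowerShell below is an added example (not from this thread or from Palo Alto Networks) that does the first step from the command line instead of Device Manager: it lists every present device enumerated on the USB bus with its ClassGuid, marks the four classes Cortex XDR handles by default, and flags the Net class that Tim warns about. The function name is hypothetical; the GUID values are Microsoft's published setup-class GUIDs and should be cross-checked against the linked Microsoft document.

```powershell
# Added example: map a phone's USB-exposed devices to their setup-class GUIDs
# before creating a custom device class in Cortex XDR.
# Uses the built-in PnpDevice module (Windows 8 / Server 2012 and later).

# Setup-class GUIDs as published on Microsoft's system-defined device setup
# classes page (verify against that page before relying on them).
$KnownClasses = @{
    '{4d36e967-e325-11ce-bfc1-08002be10318}' = 'DiskDrive   (Cortex built-in: Disk Drives)'
    '{4d36e965-e325-11ce-bfc1-08002be10318}' = 'CDROM       (Cortex built-in: CD-Rom Drives)'
    '{4d36e980-e325-11ce-bfc1-08002be10318}' = 'FloppyDisk  (Cortex built-in: Floppy Disk Drives)'
    '{eec5ad98-8080-423f-a426-bcbeb3d5fb9f}' = 'WPD         (Cortex built-in: Windows Portable Devices)'
    '{4d36e972-e325-11ce-bfc1-08002be10318}' = 'Net         (network adapters; USB tethering/RNDIS lands here)'
}
$NetClassGuid = '{4d36e972-e325-11ce-bfc1-08002be10318}'

function Get-UsbDeviceClassReport {
    # Hypothetical helper: one row per present device whose instance ID sits on the USB bus.
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -like 'USB\*' } |
        ForEach-Object {
            # Win32_PnPEntity exposes ClassGuid as a braced string; normalise case/braces.
            $raw  = [string]$_.ClassGuid
            $guid = if ($raw) { ('{' + $raw.Trim('{}') + '}').ToLower() } else { '' }
            [pscustomobject]@{
                FriendlyName = $_.FriendlyName
                Class        = $_.Class
                ClassGuid    = $guid
                Note         = if ($KnownClasses.ContainsKey($guid)) { $KnownClasses[$guid] }
                               else { 'not a Cortex default class; custom class would be needed' }
                InstanceId   = $_.InstanceId
            }
        }
}

$report = Get-UsbDeviceClassReport
$report | Format-Table FriendlyName, Class, ClassGuid, Note -AutoSize

# Tim's caveat made concrete: if the only place the tethered phone shows up is the
# Net class, a custom device class on that GUID would match every network adapter
# on the endpoint, not just the phone.
if ($report | Where-Object { $_.ClassGuid -eq $NetClassGuid }) {
    Write-Warning "A USB device is in the Net class ($NetClassGuid); blocking that class would affect all network adapters."
}
```

Run it with the phone tethered and compare the rows against the same phone in MTP/file-transfer mode to see how the device classes differ between the two uses.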

Thanks for the info, this is what I was looking for. Very self-explanatory.

Thanks, this is the solution I was looking for. I will proceed with caution as you said; it would be unfortunate to isolate all of the endpoints, thus losing control of them in the console.
