MTP/PTP device controls is too broad
Suggestion: Split MTP/PTP out into multiple categories (webcams/printers/scanners/mobile devices), or keep it as is, but create an "advanced configuration" section where each type of device is listed with its own Allow/Block option.
If I allow MTP/PTP, I allow access to the storage on mobile devices. This is obviously a security concern for companies with DLP requirements.
If I block MTP/PTP, I block mobile phone storage, but also printers, scanners, cameras and possibly more I'm unaware of. So now I have to manually add these devices to the exemption policy on a per device basis, creating a LOT of additional work as the admin.
I was told by support that adding a peripheral by "Model" would allow all devices with the same model name, but this was not the case.
If I added "Integrated Webcam" enforce by "Model", this does not allow all integrated webcams to work, I have to on a case by case basis allow the integrated cam for each user.
There are other things to consider for this suggestion as well, such as allowing printing/scanning, but blocking access to the SD card reader on a printer.
No plans to implement at this time
Robert Tuck commented
Treating Integrated Cameras separately would really help.
Marcus Oddo commented
This would make our jobs a lot easier. Why do we have to make exemptions one-by-one, user-by-user?
So what that says to me is the product team thinks there is no room for improvement in device controls. We've been Sophos Central customers for a year and I've not seen a single improvement to device controls in that time. This feature request could make Endpoint Protection a stronger product and a lot easier to manage.