Unable to exclude Bluetooth devices from being blocked by Application and Device Control policy

Article ID: 154335


Products

Endpoint Protection

Issue/Introduction

How to block ALL Bluetooth devices but allow specific devices using an Application and Device Control (ADC) policy. After adding the Device ID of the specific device to allow into the SEPM and configuring it properly in the exclude section of the policy, the item is still blocked.

Cause

When the Class ID (preconfigured in the SEPM) is used to block either Bluetooth Devices (generic) or Bluetooth Radios, it blocks the Bluetooth receiver from being used in the system (whether it is integrated or USB). In this case, no exception will allow any device to be used on this system, because the Bluetooth receiver itself is being blocked.

Example:

If the device to allow is a Bluetooth mouse, the Device ID will most likely show up as HID\HID_MOUSE* rather than as a BT* device. An exclusion for a specific HID device does not affect the block on ALL Bluetooth Devices (generic) or Bluetooth Radios, so it will not allow the mouse to work.

The fact that a device connects to the computer through Bluetooth does not guarantee that it will have a Bluetooth Device ID, although some will. This is where the problem stems from.

 

Resolution

The workaround will vary depending on how much granularity is needed: the more granular, the more work involved.

  1. Gather a list of devices to disallow from connecting to the Bluetooth receiver (i.e., headset, keyboard, mouse, phone; this list could be quite long, and this is where most of the work will come in).
  2. Generate the Class ID for these devices (most are already present in the SEPM).
  3. Generate the Device ID of the Bluetooth receiver in use. It will likely start with either BTH\ or ROOT\BTW.
  4. Generate the Device ID of the items to specifically allow (i.e., your specific type of headset).
  5. In the Device policy, block all the Class IDs from Step 1 and either BT* and/or ROOT\BTW\* (to block both generic and radio).
  6. In the Device policy, exclude the specific Device ID for the Bluetooth receiver and the specific Device ID for the item to allow.
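
The following added example (not Symantec code, and not how the SEP client is implemented) is a simplified model of the behaviour described under Cause and of the workaround in Steps 5 and 6. It assumes that an exclusion overrides a block for the matching Device ID and that a device is usable only if the receiver it connects through is usable; all Device IDs and class labels are constructed placeholders.

```python
from fnmatch import fnmatchcase

# Constructed device tree. "cls" is a label standing in for the Class ID;
# "parent" is the device this one connects through.
DEVICES = {
    "radio":    {"id": r"BTH\EXAMPLE_RADIO\0001", "cls": "Bluetooth Radios", "parent": None},
    "mouse":    {"id": r"HID\HID_MOUSE_EXAMPLE\0001", "cls": "Mouse", "parent": "radio"},
    "keyboard": {"id": r"HID\HID_KEYBOARD_EXAMPLE\0001", "cls": "Keyboard", "parent": "radio"},
    "headset":  {"id": r"BTHENUM\EXAMPLE_HEADSET\0001", "cls": "Audio", "parent": "radio"},
}

# Policy from the Issue section: block the Bluetooth classes, exclude the mouse.
NAIVE = {
    "block_classes": {"Bluetooth Devices (generic)", "Bluetooth Radios"},
    "block_ids": [],
    "exclude": [r"HID\HID_MOUSE*"],
}

# Policy from Steps 5 and 6: block the device classes plus BT* and ROOT\BTW\*,
# then exclude the receiver's Device ID and the allowed device's Device ID.
WORKAROUND = {
    "block_classes": {"Mouse", "Keyboard", "Audio"},
    "block_ids": ["BT*", r"ROOT\BTW\*"],
    "exclude": [DEVICES["radio"]["id"], DEVICES["mouse"]["id"]],
}

def _match(device_id, patterns):
    """Case-insensitive wildcard match of a Device ID against a pattern list."""
    return any(fnmatchcase(device_id.upper(), p.upper()) for p in patterns)

def blocked(dev, policy):
    """Modelled rule: an exclusion wins; otherwise Class ID or Device ID blocks."""
    if _match(dev["id"], policy["exclude"]):
        return False
    return dev["cls"] in policy["block_classes"] or _match(dev["id"], policy["block_ids"])

def usable(name, policy, devices=DEVICES):
    """A device works only if it and every device it connects through are unblocked."""
    while name is not None:
        if blocked(devices[name], policy):
            return False
        name = devices[name]["parent"]
    return True

def report(policy):
    return {name: usable(name, policy) for name in DEVICES}

if __name__ == "__main__":
    print("naive:     ", report(NAIVE))
    print("workaround:", report(WORKAROUND))
```

In the model, the first policy leaves the excluded mouse unusable because its receiver is blocked by class, while the second allows only the receiver and the mouse.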