Device control via PolicyManager

Device control can be used to restrict access to external storage media: USB sticks, CD/DVD drives (with read or write permission) and cameras can all have their use restricted.

Overview

Under "Status", you can specify whether the restrictions apply to all users of the respective client, only to users without administrator rights, or not at all (device control inactive on the client).

With the "Allow the users to report blocked devices" checkbox, you can allow users to request permission to enable a specific device.

Under "Devices", you can restrict the use of different device types using the following settings.

List of permissions:

  • Read / Write: There is full access to the device.

  • Read: Media can only be read; saving data is not permitted.

  • Deny access: Neither read nor write access to the device is permitted. The device cannot be used by the user.

  • Temporary release: If a device has been temporarily released due to a request in the Security events module, the time period is displayed here. Click on the X symbol to deactivate the temporary release immediately.

You can use the Exceptions settings to allow device usage that you had previously restricted in some way (Read or Deny access). When you click on the Add button, a dialog box opens in which you can add an exception.

Exceptions

First select the device type for which you want to create an exception.

  • Rule enabled: The exception is only active if this checkbox is ticked.

  • Type: There are two possible types of exceptions to choose from here.

    • Device type-based exception: The exception is created for the device type as a whole.

    • Hardware ID/medium ID based exception: The exception is only created for the specific device instance (e.g. a specific DVD or a specific USB stick) that you specify under "Hardware ID/Medium ID".

  • Authorization: Select the type of access to be allowed.

  • Hardware ID/Medium ID: If you are creating a hardware ID/medium ID-based exception, enter the respective ID here. Click on the … button to determine a specific hardware or medium ID.

    To determine the hardware or medium ID, the corresponding client must be resolvable by name and reachable on TCP port 7169.
  • Devices: Select "Use medium ID" to display medium IDs (e.g. CD/DVD) or "Use hardware ID" to display hardware IDs.

  • Define Windows user/group: If the exception is to be restricted to certain Windows users or groups, enter them here. If you want to enter several users or groups, separate them with a line break or a comma.

  • Comment: Here you can add a comment to the exception (e.g. to distinguish between similar exceptions later on).
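To make the interaction between the default permissions, the Status setting and the exception fields above easier to reason about, here is an added Python model of the evaluation (example code written for this page, not part of PolicyManager). It assumes that exceptions can only loosen a restriction and that, when several enabled exceptions match, the most permissive one wins; the device types, IDs and user names are constructed samples.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Access levels as listed under "List of permissions", least to most permissive.
DENY, READ, READ_WRITE = "Deny access", "Read", "Read / Write"
_RANK = {DENY: 0, READ: 1, READ_WRITE: 2}


@dataclass
class DeviceException:
    device_type: str
    authorization: str                 # one of DENY, READ, READ_WRITE
    enabled: bool = True               # "Rule enabled" checkbox
    hardware_id: Optional[str] = None  # None = device type-based exception
    users: str = ""                    # "Define Windows user/group", comma- or newline-separated

    def principals(self) -> set:
        # Empty field means the exception applies to everyone.
        return {p.strip().lower() for p in self.users.replace("\n", ",").split(",") if p.strip()}


@dataclass
class DeviceControlPolicy:
    status: str                        # "all users", "non-admins" or "off"
    defaults: Dict[str, str]           # device type -> access level under "Devices"
    exceptions: List[DeviceException] = field(default_factory=list)

    def effective_access(self, device_type: str, hardware_id: str,
                         user: str, groups: List[str], is_admin: bool) -> str:
        # Status decides whether the restrictions apply to this user at all.
        if self.status == "off" or (self.status == "non-admins" and is_admin):
            return READ_WRITE
        access = self.defaults.get(device_type, READ_WRITE)
        principals = {user.lower()} | {g.lower() for g in groups}
        for ex in self.exceptions:
            if not ex.enabled or ex.device_type != device_type:
                continue
            # Hardware ID exceptions match only that device instance.
            if ex.hardware_id is not None and ex.hardware_id != hardware_id:
                continue
            # User/group scoping: the exception applies only to listed principals.
            if ex.principals() and not (ex.principals() & principals):
                continue
            # Assumption: exceptions only loosen; the most permissive match wins.
            if _RANK[ex.authorization] > _RANK[access]:
                access = ex.authorization
        return access
```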

Windows portable devices

Windows portable devices (WPD) are devices that Windows recognizes as mobile devices. There is no restriction on which operating systems such devices may run; any recognized mobile device is covered.

You can use this setting to restrict access to such devices when they are connected to a client PC. It works in exactly the same way as for the other storage media. In this way, you prevent mobile devices from being used as a USB stick replacement when USB sticks are restricted.