Device control Skip Navigation

Device control

Device control protects devices by controlling USB mass storage devices connecting to devices in the organization. When you enable device control, you can allow full access, read-only, or block USB mass storage devices, such as USB flash drives, external hard drives, and smartphones. As part of the policy, you can also use exclusions to define the access level for specific mass storage devices using the vendor ID, product ID, and serial number. For example, you can block all USB mass storage devices, but create exclusions to allow full access to some authorized devices only.
Device control does not affect USB peripherals such as a mouse or keyboard. For example, when you create a policy to block all USB mass storage device types, a user can still use a USB keyboard.
Device control is available for
Windows
devices that are running agent version 1410 and later only.
When device control is enabled, all USB mass storage devices that are inserted are logged, along with the policy action that was applied (full access, read-only, or block).  If the policy action is set to read-only or block, and desktop notifications are enabled on the device, a pop-up notification appears on the device when a USB mass storage device is connected. You can find the log of device control events on the
Protection > External Devices
screen in the console.
Device control policy actions
Policy action
Description
Block
This setting blocks the device from accessing external USB storage devices.
Read Only
This setting allows read-only access to external USB storage devices. Read-only access allows devices to view the contents of an external USB device but does not allow write or delete access to the USB device.
The following USB device types can be configured for read-only access:
  • Still image
  • USB CD/DVD RW
  • USB drive
  • VMWare USB passthrough
  • Windows portable device
Full Access
This setting allows read, write, and delete access to the external USB storage devices.
Supported device types for device control
Device type
Description
Android
This is a portable device running
Android
OS, such as a smartphone or a tablet.
When an
Android
device is connected, its device type might be identified as
Android
, Still Image, or
Windows
Portable Device. If you want to block
Android
devices, consider blocking Still Image and
Windows
Portable Device as well.
iOS
This is an portable
Apple
device running
iOS
, such as an
iPhone
or
iPad
.
Some
iOS
devices will not charge when device control is enabled and set to block unless the device is powered off.
Apple
includes their charging capability within functions of the device that are required for our
iOS
device blocking capability. Non-
Apple
devices do not bundle their charging capability in this manner and are not impacted.
Still Image
This device class includes scanners, digital cameras, multi-mode video cameras with frame capture, and frame grabbers.
The agent sees Canon cameras as a
Windows
Portable Device, not as a Still Image device.
USB CD DVD RW
This is a USB optical drive.
USB Drive
This is a USB hard drive or USB flash drive.
VMware USB Passthrough
This is a
VMware
virtual machine client that has USB devices connected to the host.
Windows Portable Device
These are portable devices that use the
Microsoft
Windows
Portable Device (WPD) driver technology, such as mobile phones, digital cameras, and portable media players.
SD cards are not supported by device control at this time, however if utilized with a USB based reader, the USB device may be detected by device control.