Device control protects devices by controlling USB mass storage devices connecting to devices in the organization. When you enable device control, you can allow full access, read-only, or block USB mass storage devices, such as USB flash drives, external hard drives, and smartphones. As part of the policy, you can also use exclusions to define the access level for specific mass storage devices using the vendor ID, product ID, and serial number. For example, you can block all USB mass storage devices, but create exclusions to allow full access to some authorized devices only.
Device control does not affect USB peripherals such as a mouse or keyboard. For example, when you create a policy to block all USB mass storage device types, a user can still use a USB keyboard.
Device control is available for
Windowsdevices that are running agent version 2.1.1410 and later only.
When device control is enabled, all USB mass storage devices that are inserted are logged, along with the policy action that was applied (full access, read-only, or block). If the policy action is set to read-only or block, and desktop notifications are enabled on the device, a pop-up notification appears on the device when a USB mass storage device is connected. You can find the log of device control events on the
Protection > External Devicesscreen in the console.
Device control policy action
This setting blocks the device from accessing external USB storage devices.
This setting allows read-only access to external USB storage devices. Read-only access allows devices to view the contents of an external USB device but does not allow write or delete access to the USB device.
The following USB device types can be configured for read-only access:
This setting allows read, write, and delete access to the external USB storage devices.
Supported device types
This is a portable device running
AndroidOS, such as a smartphone or a tablet.
Androiddevice is connected, its device type might be identified as
Android, Still Image, or
WindowsPortable Device. If you want to block
Androiddevices, consider blocking Still Image and
WindowsPortable Device as well.
This is an portable
iOS, such as an
iOSdevices will not charge when device control is enabled and set to block unless the device is powered off.
Appleincludes their charging capability within functions of the device that are required for our
iOSdevice blocking capability. Non-
Appledevices do not bundle their charging capability in this manner and are not impacted.
This device class includes scanners, digital cameras, multi-mode video cameras with frame capture, and frame grabbers.
The agent sees Canon cameras as a
WindowsPortable Device, not as a Still Image device.
USB CD DVD RW
This is a USB optical drive.
This is a USB hard drive or USB flash drive.
VMware USB Passthrough
This is a
VMwarevirtual machine client that has USB devices connected to the host.
Windows Portable Device
These are portable devices that use the
WindowsPortable Device (WPD) driver technology, such as mobile phones, digital cameras, and portable media players.
Device control is not supported for SD cards at this time. However, if utilized with a USB card reader device, device control might detect the USB device.