Device control
Device control protects devices by controlling USB mass storage devices connecting to devices in the organization. When you enable device control, you can allow full access, read-only, or block USB mass storage devices, such as USB flash drives, external hard drives, and smartphones. As part of the policy, you can also use exclusions to define the access level for specific mass storage devices using the vendor ID, product ID, and serial number. For example, you can block all USB mass storage devices, but create exclusions to allow full access to some authorized devices only.
Device control does not affect USB peripherals such as a mouse or keyboard. For example, when you create a policy to block all USB mass storage device types, a user can still use a USB keyboard.
Device control is available for
Windows
devices that are running agent version 2.1.1410 and later only.When device control is enabled, all USB mass storage devices that are inserted are logged, along with the policy action that was applied (full access, read-only, or block). If the policy action is set to read-only or block, and desktop notifications are enabled on the device, a pop-up notification appears on the device when a USB mass storage device is connected. You can find the log of device control events on the
Protection > External Devices
screen in the console.Device control policy action | Description |
---|---|
Block | This setting blocks the device from accessing external USB storage devices. |
Read Only | This setting allows read-only access to external USB storage devices. Read-only access allows devices to view the contents of an external USB device but does not allow write or delete access to the USB device. The following USB device types can be configured for read-only access:
|
Full Access | This setting allows read, write, and delete access to the external USB storage devices. |
Supported device types | Description |
---|---|
Android | This is a portable device running Android OS, such as a smartphone or a tablet.When an Android device is connected, its device type might be identified as Android , Still Image, or Windows Portable Device. If you want to block Android devices, consider blocking Still Image and Windows Portable Device as well. |
iOS | This is an portable Apple device running iOS , such as an iPhone or iPad .Some iOS devices will not charge when device control is enabled and set to block unless the device is powered off. Apple includes their charging capability within functions of the device that are required for our iOS device blocking capability. Non-Apple devices do not bundle their charging capability in this manner and are not impacted. |
Still Image | This device class includes scanners, digital cameras, multi-mode video cameras with frame capture, and frame grabbers. The agent sees Canon cameras as a Windows Portable Device, not as a Still Image device. |
USB CD DVD RW | This is a USB optical drive. |
USB Drive | This is a USB hard drive or USB flash drive. |
VMware USB Passthrough | This is a VMware virtual machine client that has USB devices connected to the host. |
Windows Portable Device | These are portable devices that use the Microsoft Windows Portable Device (WPD) driver technology, such as mobile phones, digital cameras, and portable media players. |
Device control is not supported for SD cards at this time. However, if utilized with a USB card reader device, device control might detect the USB device.