Device policy: External Device Control settings

You can control how CylancePROTECT devices connect to USB mass storage devices. When you enable external device control, you can configure one of the following actions for the USB device types:
  • Full access: Allows read, write, and delete access to the external USB storage device.
  • Block: Blocks the device from accessing the external USB storage device.
  • Read only: Allows read-only access to external USB storage devices.
    • For Windows devices, read only is not supported for Android and iOS external USB storage devices.
    • For macOS devices, the read only action is not supported.
Note the following considerations for external device control:
  • Requires the CylancePROTECT Desktop agent for Windows version 2.1.1410 or later.
  • Requires the CylancePROTECT Desktop agent for macOS version 3.3.1000 or later.
  • Device control does not affect USB peripherals such as a mouse or keyboard.
  • Device control is not supported for SD cards. However, if utilized with a USB card reader device, device control might detect the USB device.
  • When device control is enabled, all USB mass storage devices that are inserted are logged, along with the action that was applied (full access, read only, or block). If the action is set to read only or block, and desktop notifications are enabled, a pop-up notification appears on the device when a USB mass storage device is connected. You can find the log of device control events in the management console (Protection > External Devices).

Setting | Description
--- | ---
Windows device control | Enable device control for Windows devices. See the table below for the USB device types that you can configure controls for.
macOS device control | Enable device control for macOS devices. See the table below for the USB device types that you can configure controls for.
External device exclusion: Add Exclusion | You can add exclusions to define the access level for specific mass storage devices using the vendor ID, product ID, and serial number. For example, you can block all USB mass storage devices, but create exclusions to allow full access to some authorized devices.

The vendor ID is required. The product ID and serial number are optional and can be used if you want to make the exclusion more specific. To ensure that you are using the correct information for each exclusion, you can enable device control and insert a device to check the log entry in the management console (Protection > External devices).
Note the following when adding exclusions:
  • The exclusion list is shared between Windows and macOS devices when device control is enabled for both OS platforms.
  • Not all manufacturers use a serial number for their products. Some manufacturers use the same serial number for multiple products.
  • External storage exclusions are not editable. Add new exclusions as necessary and delete any exclusions that are no longer required.
  • Each device policy has a limit of 5000 exclusions.
  • If you want to import a large number of exclusions, click the import icon > Download template. Populate the .csv template, then click the import icon to upload the file. You can import a maximum of 500 entries per template file. The Vendor ID and Access (Full Access, Read Only, Block) values are required. For more information, see KB 65484.
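
A pre-import check for an exclusion list, added here as an example and not part of the product or its documentation: it enforces the required vendor ID and access values, the 500-entry file limit and the 5000-entry policy limit, and flags full-access entries that carry no serial number. The column names and the 4-hex-digit ID format are assumptions; match them to the downloaded template.

```python
import csv
import io
import re

ALLOWED_ACCESS = {"Full Access", "Read Only", "Block"}  # values named on the page
MAX_PER_FILE = 500     # import limit per template file (from the page)
MAX_PER_POLICY = 5000  # exclusion limit per device policy (from the page)
HEX4 = re.compile(r"[0-9A-Fa-f]{4}")  # assumption: IDs are written as 4 hex digits

# Constructed sample; the column names are assumptions, not the real template's.
SAMPLE = """vendor_id,product_id,serial_number,access
1A2B,0001,SN-000123,Full Access
,0002,SN-000456,Block
1A2B,0003,,Allow
1a2b,0001,SN-000123,Full Access
3C4D,,,Full Access
"""

def lint_exclusions(csv_text, existing_count=0):
    """Return (rows, errors, warnings, batches) for an exclusion CSV."""
    rows, errors, warnings, seen = [], [], [], set()
    for line, rec in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        vid, pid, serial, access = ((rec.get(k) or "").strip() for k in
            ("vendor_id", "product_id", "serial_number", "access"))
        key = (vid.upper(), pid.upper(), serial)
        if not HEX4.fullmatch(vid):
            errors.append((line, "vendor ID is required (4 hex digits)"))
        elif pid and not HEX4.fullmatch(pid):
            errors.append((line, "product ID is not 4 hex digits"))
        elif access not in ALLOWED_ACCESS:
            errors.append((line, "access must be Full Access, Read Only or Block"))
        elif key in seen:
            errors.append((line, "duplicate of an earlier row"))
        else:
            seen.add(key)
            rows.append({"vendor_id": key[0], "product_id": key[1],
                         "serial_number": serial, "access": access})
            if access == "Full Access" and not serial:
                # Without a serial number the entry matches every device
                # sharing these IDs, not one authorized drive.
                warnings.append((line, "full access without a serial number"))
    if existing_count + len(rows) > MAX_PER_POLICY:
        errors.append((0, "policy would exceed 5000 exclusions"))
    batches = [rows[i:i + MAX_PER_FILE] for i in range(0, len(rows), MAX_PER_FILE)]
    return rows, errors, warnings, batches

if __name__ == "__main__":
    rows, errors, warnings, batches = lint_exclusions(SAMPLE)
    print(len(rows), "valid;", errors, warnings, [len(b) for b in batches])
```

Each batch is one upload; `existing_count` is the number of exclusions already in the policy, as read from the console.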

USB device types

USB device type | Supported OS | Description
--- | --- | ---
Android | Windows | A portable device running Android OS (for example, a smartphone or tablet). When an Android device is connected, its device type might be identified as Android, Still image, or Windows portable device. If you want to block Android devices, consider blocking Still image and Windows portable device as well.
iOS | Windows | A portable Apple device running iOS (for example, iPhone or iPad). Some iOS devices will not charge when device control is enabled, and set to block unless the device is powered off. Apple includes their charging capability within functions of the device that are required for the CylancePROTECT iOS device blocking capability.
Still image | Windows | Devices with frame capture and frame grabbers, including scanners, digital cameras, and multi-mode video cameras. Note that Canon cameras are considered a Windows portable device, not a still image device.
USB CD DVD RW | Windows, macOS | A USB optical drive.
USB drive | Windows, macOS | A USB hard drive or USB flash drive.
VMWare USB passthrough | Windows | A VMware virtual machine client that has USB devices connected to the host.
Windows portable device | Windows | Portable devices that use the Windows Portable Device (WPD) driver technology, for example, mobile phones, digital cameras, and portable media players.