Device policy: External Device Control settings
You can control how
CylancePROTECT
devices connect to USB mass storage devices. When you enable external device control, you can configure one of the following actions for the USB device types:
- Full access: Allows read, write, and delete access to the external USB storage device.
- Block: Blocks the device from accessing the external USB storage device.
- Read only: Allows read-only access to external USB storage devices.
- ForWindowsdevices, read only is not supported for Android and iOS external USB storage devices.
- FormacOSdevices, the read only action is not supported.
Note the following considerations for external device control:
- Requires theCylancePROTECT Desktopagent forWindowsversion 2.1.1410 or later.
- Requires theCylancePROTECT Desktopagent formacOSversion 3.3.1000 or later.
- Device control does not affect USB peripherals such as a mouse or keyboard.
- Device control is not supported for SD cards. However, if utilized with a USB card reader device, device control might detect the USB device.
- When device control is enabled, all USB mass storage devices that are inserted are logged, along with the action that was applied (full access, read only, or block). If the action is set to read only or block, and desktop notifications are enabled, a pop-up notification appears on the device when a USB mass storage device is connected. You can find the log of device control events in the management console (Protection > External Devices).
Setting | Description |
---|---|
Windows device control | Enable device control for Windows devices. See the table below for the USB device types that you can configure controls for. |
macOS device control | Enable device control for macOS devices. See the table below for the USB device types that you can configure controls for. |
External device exclusion: Add Exclusion | You can add exclusions to define the access level for specific mass storage devices using the vendor ID, product ID, and serial number. For example, you can block all USB mass storage devices, but create exclusions to allow full access to some authorized devices. The vendor ID is required. The product ID and serial number are optional and can be used if you want to make the exclusion more specific. To ensure that you are using the correct information for each exclusion, you can enable device control and insert a device to check the log entry in the management console (Protection > External devices). Note the following when adding exclusions:
|
USB device types
USB device type | Supported OS | Description |
---|---|---|
Android | Windows | A portable device running Android OS (for example, a smartphone or tablet). When an Android device is connected, its device type might be identified as Android , Still image, or Windows portable device. If you want to block Android devices, consider blocking Still image and Windows portable device as well. |
iOS | Windows | A portable Apple device running iOS (for example, iPhone or iPad ). Some iOS devices will not charge when device control is enabled, and set to block unless the device is powered off. Apple includes their charging capability within functions of the device that are required for the CylancePROTECT iOS device blocking capability. |
Still image | Windows | Devices with frame capture and frame grabbers, including scanners, digital cameras, and multi-mode video cameras. Note that Canon cameras are considered a Windows portable device, not a still image device. |
USB CD DVD RW | Windows macOS | A USB optical drive. |
USB drive | Windows macOS | A USB hard drive or USB flash drive. |
VMWare USB passthrough | Windows | A VMware virtual machine client that has USB devices connected to the host. |
Windows portable device | Windows | Portable devices that use the Windows Portable Device (WPD) driver technology, for example, mobile phones, digital cameras, and portable media players. |