
Device control

Device control protects devices by controlling which USB mass storage devices can connect to devices in the organization. When you enable device control, you can set USB mass storage devices, such as USB flash drives, external hard drives, and smartphones, to full access, read-only, or block. As part of the policy, you can also use exclusions to define the access level for specific mass storage devices using the vendor ID, product ID, and serial number. For example, you can block all USB mass storage devices, but create exclusions to allow full access to some authorized devices only. Device control is available for the Windows platform only.
Device control does not affect USB peripherals such as a mouse or keyboard. For example, when you create a policy to block all USB mass storage device types, a user can still use a USB keyboard.
As part of a device control policy, administrators can also define exceptions to the policy. An exception is specified using the vendor ID, product ID, and serial number. At a minimum, the vendor ID must be entered, but the product ID and serial number can also be used for a more specific exception.
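The following added example (not code from the product or its documentation) models how an exception keyed on vendor ID, with optional product ID and serial number, can be evaluated against a Windows USB device instance ID of the form USB\VID_xxxx&PID_xxxx\<instance>. The Exclusion class, the function names, the "most specific match wins" rule, and all IDs are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Windows device instance ID for a USB device: USB\VID_vvvv&PID_pppp\<instance>
_INSTANCE_RE = re.compile(r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})\\(.+)$", re.I)

@dataclass(frozen=True)
class Exclusion:                       # hypothetical model of one policy exception
    vendor_id: str                     # required
    action: str                        # "full access", "read-only" or "block"
    product_id: Optional[str] = None   # optional, narrows the match
    serial: Optional[str] = None       # optional, narrows it to one device

def parse_instance_id(instance_id):
    """Return (vendor_id, product_id, serial); serial is None if Windows generated it."""
    m = _INSTANCE_RE.match(instance_id.strip())
    if not m:
        raise ValueError(f"not a USB instance ID: {instance_id!r}")
    vid, pid, inst = m.group(1).upper(), m.group(2).upper(), m.group(3)
    # A device with no serial gets a system-generated instance part whose second
    # character is '&'; it is tied to the port, so it cannot identify the device.
    serial = None if inst[1:2] == "&" else inst.upper()
    return vid, pid, serial

def _matches(ex, vid, pid, serial):
    if ex.vendor_id.upper() != vid:
        return False
    if ex.product_id is not None and ex.product_id.upper() != pid:
        return False
    if ex.serial is not None and (serial is None or ex.serial.upper() != serial):
        return False
    return True

def resolve_action(instance_id, default_action, exclusions):
    """Action for a device: the most specific matching exception, else the default."""
    vid, pid, serial = parse_instance_id(instance_id)
    hits = [e for e in exclusions if _matches(e, vid, pid, serial)]
    if not hits:
        return default_action
    # Assumption of this example: an exception with more fields set wins.
    return max(hits, key=lambda e: (e.product_id is not None) + (e.serial is not None)).action

# Constructed sample exceptions (IDs and serial are made up for the example).
EXCLUSIONS = [
    Exclusion("1A2B", "read-only"),
    Exclusion("1A2B", "full access", product_id="3C4D", serial="0123456789AB"),
]
```

A vendor-only exception covers every product from that vendor, so a serial-level exception is the narrowest way to authorize a single drive; devices that report no serial can only be matched by vendor ID and product ID.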
When device control is enabled, all USB mass storage devices that are inserted are logged, along with the policy action that was applied (full access, read-only, or block). If the policy action is set to read-only or block, and desktop notifications are enabled on the device, a pop-up notification appears on the device when a USB mass storage device is connected. You can find the log of device control events on the Protection > External Devices screen in the console.
An Android device could connect and be identified as Android, Still Image, or Windows portable device. If you want to block Android devices, consider blocking Still Image and Windows portable device as well.
| Device Control Setting | Description |
| --- | --- |
| Blocked | This device type is blocked from accessing the endpoint it is connected to. |
| Full Access | This device type is allowed to access the endpoint it is connected to. |
| Read-Only | This device type is allowed to connect to the endpoint and view contents, without the ability to write or copy to it. Available for Windows-based devices only. |

The following USB device types can be configured for read-only access:
  • Still image
  • USB CD/DVD RW
  • USB drive
  • VMware USB passthrough
  • Windows portable device
Supported device types for device control
| Device type | Description |
| --- | --- |
| Android | This is a portable device running Android OS, like a smartphone or a tablet. This type of device does not support read-only. Note: An Android device could connect and be identified as Android, Still Image, or Windows Portable Device. If you want to block Android devices, consider blocking Still Image and Windows Portable Device as well. |
| iOS | This is an Apple portable device running iOS, like an iPhone or an iPad. This type of device does not support read-only. Note: Some iOS devices will not charge when device control is enabled and set to block unless the device is powered off. Apple includes their charging capability within functions of the device that are required for our iOS device blocking capability. Non-Apple devices do not bundle their charging capability in this manner and are not impacted. |
| Still Image | This device class includes scanners, digital cameras, multi-mode video cameras with frame capture, and frame grabbers. The agent sees Canon cameras as a Windows Portable Device, not as a Still Image device. |
| USB CD DVD RW | This is a USB optical drive. |
| USB Drive | This is a USB hard drive or USB flash drive. |
| VMware USB Passthrough | This is a VMware virtual machine client that has USB devices connected to the host. |
| Windows Portable Device | These are portable devices that use the Microsoft Windows Portable Device (WPD) driver technology, such as mobile phones, digital cameras, and portable media players. |