Advanced Device Control

While working with data storage devices such as CD/DVDs and USB-based devices such as pen drives, organizations are concerned with the following:

• Autorun feature does not activate any infection.
• Unnecessary data or applications do not clog the systems.

This feature allows the administrators to create policies with varying rights. For example, administrators can block complete access to removable devices, give read-only and no write access so that nothing can be written on the external devices. They can also customize access to admin configured devices. Once the policy is applied to a group, the access rights are also applied. You can use the exception list to exclude the devices from the device control policy.

Advanced Device Control

To configure policy for Advanced Device Control, follow these steps:

1. Create Container/feature policy for Advanced Device Control.
2. On the Feature Policy page, you can see list of settings with expand sign and toggle button. Expand and enable settings that you want to configure.
3. Enable Advanced Device Control.
4. Expand Storage Devices. The following list of storage devices is displayed:
   • USB Storage Device
   • CD/DVD
   • Internal Card Reader
   • Internal Floppy Drive
   • ZIP Drive
     For the above devices, select the permissions as per your requirement.
5. Enable and expand Card Readers. The following list of Card Readers is displayed:
   • Card Reader Device (MTD)
   • Card Reader Device (SCSI)
     For the above devices, select the permissions as per your requirement.
6. Enable and Expand Wireless and Wired. The following list of networks is displayed:
   • Wi-Fi (Customize)
   • Bluetooth

     For the above network, select the permissions as per your requirement.

   • USB Tethering

To authorize Wi-Fi connections, click Customize link.The ‘Authorized Wi-Fi Connections’ dialog appears.
Select one of the following options.

• Allow for all Wi-Fi access points
• Allow only for authorized Wi-Fi access points – If you select this option, do the following.
1. Enter SSID in the text box.
2. Enter BSSID in the text box.
3. Click Add. The network data is added. You can delete the data with help of Delete button.
4. Click Ok.

Note
Customize (Authorized Wi-Fi connections) feature is not supported on Mac operating system.

7. Enable and expand Mobile & Portable Devices. The following list of Mobile & Portable Devices is displayed:
   • Windows Portable Device
   • iPhone
   • iPad
   • iPod
   • BlackBerry
   • Mobile Phones (Symbian)
   • Scanner & Imaging Devices
     For the above devices, select the permissions as per your requirement.
8. Enable and expand Interface. The following list of Interface mode is displayed:
   • FireWire Bus
   • Serial Port
   • SATA controller
   • Thunderbolt
   • PCMCIA Device
   • USB
     For the above interfaces, select the permissions as per your requirement.
9. Enable and expand Camera. For Webcam, select the permissions as per your requirement.
10. Enable and expand Others. The following list of other devices is displayed:
    • Local Printers
    • Teensy Board
    • Network Share
    • Unknown Device
      For the above devices, select the permissions as per your requirement.
11. Enable and expand Exceptions. Ensure that you have added the devices in Configuration > Device Control > Add devices. Then do the following:
    1. Click Add. The ‘Managed Devices’ dialog appears.
    2. Select one or more devices to add to the exception list.
    3. Click Add. The devices are added in the Exceptions list.
    4. Set the access permissions as required.You can delete the devices with help of Delete button.
12. To save your setting, click Save Policy.
    This policy is applied to all the devices that are configured in the list. Even if you add a device, the same policy will apply unless you customize the policy.
    Importantly, if you have customized the settings and later you want to revert to the default settings, click the Reset Default button.

For Windows Clients

• Only NTFS is supported for Partial encryption.
• USB Pen Drives with GUID Partition Table (GPT) Partition Style cannot be added for authorization.
• If an authorized and encrypted device is formatted, the device will be treated as unauthorized. Hence, Administrator will need to add the device again in Device Control and configure the policies accordingly.
• Some devices (e.g. Nokia phones, BlackBerry phones) may need system reboot or device reattachment for device access rights to be applied.
• On blocking SATA Controller from Advanced Device Control, you may frequently see SATA Controller blocked prompts even when actual blocking is not performed.
• While any ongoing session of Webcam or Bluetooth is in progress, changing access right to block will not interrupt this current ongoing session. The device may need reattachment or system reboot for access rights to be applied.

For Mac Clients

• If the option Read only is selected in Advanced Device Control of SEPS and a USB device is attached, such a device may not be accessible from the left pane in Finder for some time.
• If a USB device is already attached to the machine and you are installing Mac client, the device may not be shown as mounted for a fraction of seconds.
• If an NTFS USB device is attached to the machine during installation of Mac client, two copies of the attached USB may be visible for a few seconds.
• If a USB device is to be shown as mounted or un-mounted using terminal commands, the Device Control policy will not apply to that device.
• If you are installing Mac client on Mac OSx 10.9 while an FAT USB device is attached to the machine, such a device will not be displayed as mounted. To show the device mounted, you need to disconnect the device and reconnect it.
• iDevices, Internal Card Reader, Webcam, CD-DVD, mobile phones and HFS encrypted devices may need device reattachment for device access rights to be applied.
• Exception functionality will not be applicable for Bluetooth, Wi-Fi, Webcam, External CD-DVD.
• Mobile phones except iDevices that are connected in ‘USB Mass Storage’ mode will be detected under USB storage device category.
• Mobile phones connected in MTP mode will be detected under ‘Windows Portable Devices’ category.
• Blocking functionality will not work for Blackberry mobile if the mobile is connected to Mac system in Sync Media.
• USB storage device would not be formatted with Mac OS extended (Journaled, Encrypted) file format.
• Bluetooth blocking functionality does not work on macOS Monterey 12 and above on Intel, though Device Control Blocked prompt appears. However, it effectively functions for ARM64 architecture-based machines
• The ‘Authorized Wi-Fi connections’ feature is not supported on Mac operating system.
• If the Wi-Fi connection is inadvertently blocked by the Admin via policy, the Wi-Fi connection on the respective Mac endpoint will be disconnected. To re-enable it from the endpoint, please follow the steps below:
• Login to Endpoint Protection Cloud Console > Click ‘Endpoint Protection’ > click ‘Status’ tab > select Mac endpoint from where Wi-Fi gets disabled > click ‘Client Actions’ > select ‘Temporary Device Access’ from drop down list > click ‘Submit’ > set time duration as per requirement under ‘Allow temporary access for’ and ‘Use OTP within’ > Click ‘Generate OTP’ > Note down the generated OTP.

• Now go to the Mac endpoint system > click Seqrite Endpoint Protection system tray icon > select ‘Allow Temporary Device Access’ from the drop-down list > Enter the OTP which is generated at EPP Console. Now devices will get accessible for defined time interval set in the EPP console.

• Again go to the EPP Cloud console > click ‘Policies > click edit on respective policy of Mac endpoint > click ‘Advance Device Control’ tab > click ‘Wireless and Wired’ > Allow the ‘Wi-Fi’ and Save policy.

• Enable Wi-Fi on Mac endpoint.

• Admin can ask user to click on ‘Sync Now’ from Seqrite Endpoint Protection system tray icon drop down list from respective Mac endpoint or wait for heartbeat and once that is success then Admin can ask user to click the “Temporary device access” from Seqrite Endpoint Protection system tray icon drop down list or it will expire automatically after set time in the EPP Cloud console under Allow Temporary Device Access.

• Following is a comparison of device types across different Mac systems:
  

  Devices	Device Types	Mac Intel System	Mac ARM64 System
  Storage Devices	USB Storage Device	√	√
  	Internal CD/DVD	√	√
  	Internal Card Reader	√	X
  	Internal Floppy Drive	X	X
  	ZIP Drive	X	X
  Wireless	Wi-Fi	√	√
  	Bluetooth	√	√
  Interface	FireWire Bus	√	X
  	Serial Port	X	X
  	SATA Controller	X	X
  	Thunderbolt	√	X
  	PCMCIA Device	X	X
  	USB	√	X
  Others	Local Printers	√	√
  	Teensy Board	X	X
  	Network Share	X	X
  	Unknown Device	X	X
  Card Readers	Card Reader Device (MTD)	X	X
  	Card Reader Device (SCSI)	X	X
  Mobile & Portable Devices	Windows Portable Device	√	X
  	iPhone	√	X
  	iPad	√	X
  	iPod	√	X
  	BlackBerry	X	X
  	Mobile Phones (Symbian)	X	X
  	Scanner & Imaging Devices	X	X
  Camera	Webcam	√	X
  Temporary Device Access		√	√
  Device Exceptions		√	√

  For Linux clients

  • The Read only option set for internal CD/DVD on the EPS server, is treated as Blocked on the Linux client.
  • Wireless adapters are not supported.
  • Bluetooth USB dongle may not be supported on some operating systems.
  • In all supported Linux OS, internal CD-DVD tray will not open if block mode is set for CD-DVD”
  • If DC configuration is changed from Read-only mode to Allow mode, the USB drives may not work accordingly.
  • UMS Mobile Phones do not work in Read-only mode. Changing the mode using the option available in the device will connect it to the endpoint. If the device is plugged out, the device in a particular mode does not change the mode automatically.