While working with data storage devices such as CD/DVDs and USB-based devices such as pen drives, organizations are concerned with the following:
- The Autorun feature does not activate any infection.
- Unnecessary data or applications do not clog the systems.
This feature allows administrators to create policies with varying rights. For example, administrators can block all access to removable devices, or grant read-only access with no write access so that nothing can be written to external devices. They can also customize access to admin-configured devices. Once the policy is applied to a group, the access rights are also applied. You can use the exception list to exclude devices from the device control policy.
Advanced Device Control
To configure policy for Advanced Device Control, follow these steps:
- Create Container/feature policy for Advanced Device Control.
- On the Feature Policy page, you can see a list of settings, each with an expand sign and a toggle button. Expand and enable the settings that you want to configure.
- Enable Advanced Device Control.
- Expand Storage Devices. The following list of storage devices is displayed:
- USB Storage Device
- CD/DVD
- Internal Card Reader
- Internal Floppy Drive
- ZIP Drive
For the above devices, select the permissions as per your requirement.
- Enable and expand Card Readers. The following list of Card Readers is displayed:
- Card Reader Device (MTD)
- Card Reader Device (SCSI)
For the above devices, select the permissions as per your requirement.
- Enable and expand Wireless and Wired. The following list of networks is displayed:
- Wi-Fi (Customize)
- Bluetooth
For the above networks, select the permissions as per your requirement.
- USB Tethering
- Allow for all Wi-Fi access points
- Allow only for authorized Wi-Fi access points – If you select this option, do the following:
- Enter SSID in the text box.
- Enter BSSID in the text box.
- Click Add. The network data is added. You can delete the data with the help of the Delete button.
- Click Ok.
- Enable and expand Mobile & Portable Devices. The following list of Mobile & Portable Devices is displayed:
- Windows Portable Device
- iPhone
- iPad
- iPod
- BlackBerry
- Mobile Phones (Symbian)
- Scanner & Imaging Devices
For the above devices, select the permissions as per your requirement.
- Enable and expand Interface. The following list of Interface modes is displayed:
- FireWire Bus
- Serial Port
- SATA controller
- Thunderbolt
- PCMCIA Device
- USB
For the above interfaces, select the permissions as per your requirement.
- Enable and expand Camera. For Webcam, select the permissions as per your requirement.
- Enable and expand Others. The following list of other devices is displayed:
- Local Printers
- Teensy Board
- Network Share
- Unknown Device
For the above devices, select the permissions as per your requirement.
- Enable and expand Exceptions. Ensure that you have added the devices in Configuration > Device Control > Add devices. Then do the following:
- Click Add. The ‘Managed Devices’ dialog appears.
- Select one or more devices to add to the exception list.
- Click Add. The devices are added in the Exceptions list.
- Set the access permissions as required. You can delete the devices with the help of the Delete button.
- To save your setting, click Save Policy.
This policy is applied to all the devices that are configured in the list. Even if you add a device, the same policy will apply unless you customize the policy.
Importantly, if you have customized the settings and later you want to revert to the default settings, click the Reset Default button.
To authorize Wi-Fi connections, click the Customize link. The ‘Authorized Wi-Fi Connections’ dialog appears.
Select one of the following options.
Note
The Customize (Authorized Wi-Fi connections) feature is not supported on the Mac operating system.
For Windows Clients
- Only NTFS is supported for Partial encryption.
- USB Pen Drives with GUID Partition Table (GPT) Partition Style cannot be added for authorization.
- If an authorized and encrypted device is formatted, the device will be treated as unauthorized. Hence, the administrator will need to add the device again in Device Control and configure the policies accordingly.
- Some devices (e.g. Nokia phones, BlackBerry phones) may need system reboot or device reattachment for device access rights to be applied.
- On blocking SATA Controller from Advanced Device Control, you may frequently see SATA Controller blocked prompts even when actual blocking is not performed.
- While a Webcam or Bluetooth session is in progress, changing the access right to block will not interrupt the ongoing session. The device may need reattachment or system reboot for access rights to be applied.
For Mac Clients
- If the option Read only is selected in Advanced Device Control of SEPS and a USB device is attached, such a device may not be accessible from the left pane in Finder for some time.
- If a USB device is already attached to the machine and you are installing the Mac client, the device may not be shown as mounted for a fraction of a second.
- If an NTFS USB device is attached to the machine during installation of Mac client, two copies of the attached USB may be visible for a few seconds.
- If a USB device is to be shown as mounted or un-mounted using terminal commands, the Device Control policy will not apply to that device.
- If you are installing the Mac client on Mac OS X 10.9 while a FAT USB device is attached to the machine, such a device will not be displayed as mounted. To show the device as mounted, you need to disconnect the device and reconnect it.
- iDevices, Internal Card Reader, Webcam, CD-DVD, mobile phones and HFS encrypted devices may need device reattachment for device access rights to be applied.
- Exception functionality will not be applicable for Bluetooth, Wi-Fi, Webcam, External CD-DVD.
- Mobile phones except iDevices that are connected in ‘USB Mass Storage’ mode will be detected under USB storage device category.
- Mobile phones connected in MTP mode will be detected under ‘Windows Portable Devices’ category.
- Blocking functionality will not work for a BlackBerry mobile if the mobile is connected to the Mac system in Sync Media.
- USB storage device would not be formatted with Mac OS extended (Journaled, Encrypted) file format.
For Linux clients
- The Read only option set for internal CD/DVD on the EPS server is treated as Blocked on the Linux client.
- Wireless adapters are not supported.
- Bluetooth USB dongle may not be supported on some operating systems.
- In all supported Linux OS, internal CD-DVD tray will not open if block mode is set for CD-DVD.
- If DC configuration is changed from Read-only mode to Allow mode, the USB drives may not work accordingly.
- UMS Mobile Phones do not work in Read-only mode. Changing the mode using the option available in the device will connect it to the endpoint. If the device is unplugged, the device in a particular mode does not change the mode automatically.