While working with data storage devices such as CD/DVDs and USB-based devices such as pen drives, organizations are concerned with the following:
• Autorun feature does not activate any infection.
• Unnecessary data or applications do not clog the systems.
This feature allows the administrators to create policies with varying rights (device authentication capability). For example, administrators can block complete access to removable devices, give read-only and no write access so that nothing can be written on the external devices. They can also customize access to admin configured devices. Once the policy is applied to a group, the access rights are also applied. You can use the exception list to exclude the devices from the device control policy.
- On Windows XP SP1 and prior operating systems, you will not be able to block devices other than USB storage devices.
- Advance Device Control feature is not supported on Apple’s M1 chip.
Creating policy for Advanced Device Control
To create a policy for Advanced Device Control, follow these steps:
-
Log on to the Seqrite Endpoint Security Web console.
-
Go to Settings > Client Settings > Advanced Device Control.
-
To enable device control, select the Enable Advanced Device Control check box.
-
Under Select Access Policy for Device Types section, select a category from the following options:
- Storage Device
- Card Readers
- Wireless
- Mobile & Portable devices
- Interface
- Camera
- Others
-
For the corresponding device under that category select one of the following:
- Block
- Allow
- Read only
Options under any category are available only if you select the main category check box.
-
To save your setting, click Save Policy.
This policy is applied to all the devices that are configured in the list. Even if you add a device, the same policy will apply unless you customize the policy.
Authorize Wi-Fi connections
You can add authorized Wi-Fi access points so that only authorized Wi-Fi connection is established.
To add authorized access points, follow these steps:
- Select the Wireless check box.
- For Wi-Fi, select Allow or Block if wired connection is available option. The Customize link is enabled.
- Click the Customize link.The Authorized Wi-Fi connections dialog appears.
- If you select Allow for all Wi-Fi access points, all Wi-Fi connections can be established.
- If you select Allow only for authorize Wi-Fi access points, enter network data to create the authorized wi-Fi connection as the following:
- Enter SSID.
- Though the text box name is MAC Address, enter the BSSID in the text box.
- Click Add.
- Click Ok**.**
You can delete the access point if not required with help of Delete button.
Notes:
For Windows Clients
- Only NTFS is supported for Partial encryption.
- USB Pen Drives with GUID Partition Table (GPT) Partition Style cannot be added for authorization.
- If an authorized and encrypted device is formatted, the device will be treated as unauthorized. Hence, Administrator will need to add the device again in Device Control and configure the policies accordingly.
- USB devices connected to the systems in the network of SEPS 7.6 server will not be enumerated in Admin Settings > Server > Manage Devices > Add Devices > Network Devices list.
- Some devices (e.g. Nokia phones, BlackBerry phones) may need system reboot or device reattachment for device access rights to be applied.
- On blocking SATA Controller from Advanced Device Control, you may frequently see SATA Controller blocked prompts even when actual blocking is not performed.
- While any ongoing session of Webcam or Bluetooth is in progress, changing access right to block will not interrupt this current ongoing session. The device may need reattachment or system reboot for access rights to be applied.
- External CD/DVD reader will not be enumerated in Admin Settings > Server > Manage Devices > Add Devices > Network Devices list and also exception rule cannot be created for the same.
For Mac Clients
- If the option Read only is selected in Advanced Device Control of SEPS and a USB device is attached, such a device may not be accessible from the left pane in Finder for some time.
- If a USB device is already attached to the machine and you are installing Mac client, the device may not be shown as mounted for a fraction of seconds.
- If an NTFS USB device is attached to the machine during installation of Mac client, two copies of the attached USB may be visible for a few seconds.
- If a USB device is to be shown as mounted or un-mounted using terminal commands, the Device Control policy will not apply to that device.
- If you are installing Mac client on Mac OSx 10.9 while an FAT USB device is attached to the machine, such a device will not be displayed as mounted. To show the device mounted, you need to disconnect the device and reconnect it.
- iDevices, Internal Card Reader, Webcam, CD-DVD, mobile phones and HFS encrypted devices may need device reattachment for device access rights to be applied.
- Exception functionality will not be applicable for Bluetooth, Wi-Fi, Webcam, External CD-DVD.
- Mobile phones except iDevices that are connected in ‘USB Mass Storage’ mode will be detected under USB storage device category.
- Mobile phones connected in MTP mode will be detected under ‘Windows Portable Devices’ category.
- Blocking functionality will not work for Blackberry mobile if the mobile is connected to Mac system in Sync Media.
- USB storage device won’t be formatted with Mac OS extended (Journaled, Encrypted) file format.
- The ‘Authorized Wi-Fi connections’ feature is not supported on Mac operating system.
- Bluetooth blocking functionality does not work on macOS Monterey 12, though Device Control Blocked prompt appears.
For Linux clients
- MTP/PTP based phones are not supported, whereas UMS based phones are supported.
- The Read only option set for internal CD/DVD on the EPS server, is treated as Blocked on the Linux client.
- Wireless adaptors are not supported.
- Bluetooth USB dongle may not be supported on some operating systems.
- In all supported Linux OS, internal CD-DVD tray may open and close itself multiple times if the block mode is set for CD-DVD.
- If DC configuration is changed from Read-only mode to Allow mode, the USB drives may not work accordingly.
- UMS Mobile Phones do not work in Read-only mode. Changing the mode using the option available in the device will connect it to the endpoint. If the device is plugged out, the device in a particular mode does not change the mode automatically.
- Exception functionality will not be applicable for Bluetooth and External CD-DVD.
Adding exceptions to the device control list
You can add exceptions for removable devices that are used by authorized persons so that the devices are excluded from the policy.
To add devices to the exceptions list you must first authorize the devices by adding the device to the server as follows:
- Log on to the Seqrite Endpoint Security Web console.
- Go to Admin Settings > Server > Manage Devices.
- Click Add Devices.
- Select from Network Devices, USB Devices, or Other Devices.If you want to add a USB Device, select USB Device and in the Add Device dialog box, add the device name and click OK.If you want to add a network device, select Network Devices. The list of devices detected in the network is displayed. Select the device and click OK.If you want to add any other device, select the Other Device option, select device type, and in the Add Device dialog box, add the required details such as; Device name, Device Vendor ID, Product ID, and the serial number. Click OK,
- Click Settings > Client Settings > Advanced Device Control.Ensure that the option for Enable Advanced Device Control is selected.
- Click Exceptions.
- Click Add.
- Select one or more devices to add to exception from the devices displayed in the list.
- Click OK.
- Click Yes to the Managed Devices confirmation dialog box.
- Set the access permissions as required.
- Click Save Policy.
The permissions set for the device added by the USB by Serial Number option has the highest priority.
Adding Device to Server
To know about how to add a device to the server, see Manage Devices.