Controlling External Device
===========================
- External devices are all devices that can be connected to the Windows system.
- You can find in Device Manager such as USB flash drives, USB disk drives, external USB hard drives, printers, keyboards, mice, and more.
- You can control an external device by disabling or removing the external device so that it can request approval for a set period of time.
- (*External device can be any device found in Device Manager that knows the class name and vendor name. For example, class name = "Universal Serial Bus Controller" / device name = "USB Mass Storage Device"*) )
Step 1. Create Device Group
---------------------------
- A device group is a function that defines a set of devices required for control. It can be used for blocking or exception on the policy.
#. Go to **Policy** in the top panel.
#. Go to **External Device Group** in the left Policy panel.
#. Click **Tasks > Create.**
#. Find **General** section enter unique **ID name.** (*e.g. "USB Storage
Devices"*)
#. Find **Settings** section enter the following:
- **Class Name**: “**Some-Name**†found in Device Manager. (*e.g. Universal
Serial Bus controllers*)
- **Device Name**: “**Some-Vendor-Name**†found in Device Manager Details.
(*e.g. USB Mass Storage Device*)
- **Device Description**: “**Description of device**†found in Device
Manager Details.
- **Removable Device**: Select option for device removable properties.
- **USB Vendor**: Specify USB Vendor name.
- **USB Model**: Specify USB Model name.
- **USB Serial No.**: Specify USB Serial Number.
.. note:: Conditions must be defined in accordance with the language settings of the endpoints operating system.
#. Click **Add.**
#. Click **Save.**
**Configuration Examples :**
+------------------+----------------------------------------+---------------------------------------------+
| Device Type | Class Name | Name |
+==================+========================================+=============================================+
| External Storage | Universal Serial Bus controllers | USB Mass Storage Device |
+------------------+----------------------------------------+---------------------------------------------+
| | Storage controllers | USB Attached SCSI (UAS) Mass Storage Device |
+------------------+----------------------------------------+---------------------------------------------+
| | Portable Devices | \* |
+------------------+----------------------------------------+---------------------------------------------+
| Optical Device | DVD/CD-ROM drives | \* |
+------------------+----------------------------------------+---------------------------------------------+
| Printer | Printers | \* |
+------------------+----------------------------------------+---------------------------------------------+
Step 2. Create External Device Policy
-------------------------------------
+ Control External Device Policy defines the device groups to block or allow the target to perform device control.
+ When the plugin is uploaded, the device policy for the basic output device is provided as a template. (Device Control Policy ID: Data Leakage Prevention)
#. Go to **Policy** in the top panel.
#. Go to **Policy > External Device Policy** in the left Policy panel.
#. Click **Tasks > Create**
#. Find **General** section enter unique **ID name.** (*e.g. "USB Storage Policy"*)
#. Find **Node Group** section click **Assign** and choose **Node Group**
#. Find **External Devices** section click **Assign** and choose **USB Storage Devices.** (You can select **Default Device Group** below.)
#. Click **Save.**
#. Click **Apply.**
**External Device Exceptions :**
+------------------------------+---------------------------------------------------------------------------------------------------------------------------+
| **Bluetooth** |- Devices in Bluetooth class |
+------------------------------+---------------------------------------------------------------------------------------------------------------------------+
| **CD/DVD/Floppy** |- Devices in CD-ROM, Floppy Disk Drive Class |
+------------------------------+---------------------------------------------------------------------------------------------------------------------------+
| **Local Printer** |- Printer connected directly to the local PC (removes devices belonging to printer class) |
| |- Remove the device because the local printer can print out even if it is "disabled" in the device list. |
+------------------------------+---------------------------------------------------------------------------------------------------------------------------+
| **USB Disk** |- USB type storage device (a disk drive whose instance path starts with 'USBSTOR') |
+------------------------------+---------------------------------------------------------------------------------------------------------------------------+
| **USB Network Adapter** |- Network adapter connected via a USB port (network adapter whose instance path in the device properties starts with 'USB')|
+------------------------------+---------------------------------------------------------------------------------------------------------------------------+
| **USB Tethering** |- Network adapter connected via USB cable to the mobile device (network adapter with service property usbrndis or Netaapl) |
| |- If you are connected via Android, the network adapter uses the usbrndis service, and the iPhone uses the Netaapl service.|
+------------------------------+---------------------------------------------------------------------------------------------------------------------------+
| **Wireless Network Adapter** |- Wireless Network Card Device |
+------------------------------+---------------------------------------------------------------------------------------------------------------------------+
#. If there is exception devices, you can create an exception group and assign it to **External Device Exceptions** like Step.1.
#. Click the **Create** button.
Step 3. Configure Control External Device Plugin
------------------------------------------------
#. Go to **Policy** in the top panel.
#. Go to **Policy > Node Policy > Agent Action** in the left Policy panel.
#. Find and click **Control External Device.**
#. Find **Agent Action > Control Methods** section and choose to **Disable** or **Uninstall.**
#. Click **Update.**
Step 4. Enable Agent Action on Node Policy
------------------------------------------
#. Go to **Policy** in the top panel.
#. Go to **Policy > Node Policy** in the left Policy panel.
#. Click the **desired Policy ID** in Node Policy window.
#. Find **Agent Action**. Click **Assign.**
#. Find **Control External Device** in the **Available** section. Select and drag it into the **Selected** section.
#. Click **Add.**
#. Click **Update.**