Controlling External Device
===========================

- External devices are all devices that can be connected to the Windows system.
- You can find in Device Manager such as USB flash drives, USB disk drives, external USB hard drives, printers, keyboards, mice, and more.
- You can control an external device by disabling or removing the external device so that it can request approval for a set period of time.
- (*External device can be any device found in Device Manager that knows the class name and vendor name. For example, class name = "Universal Serial Bus Controller" / device name = "USB Mass Storage Device"*) )

Step 1. Create Device Group
---------------------------

- A device group is a function that defines a set of devices required for control. It can be used for blocking or exception on the policy.


#. Go to **Policy** in the top panel.
#. Go to **External Device Group** in the left Policy panel.
#. Click **Tasks > Create.**
#. Find **General** section enter unique **ID name.** (*e.g. "USB Storage
   Devices"*)
#. Find **Settings** section enter the following:

   - **Class Name**: “**Some-Name**” found in Device Manager. (*e.g. Universal
     Serial Bus controllers*)
   - **Device Name**: “**Some-Vendor-Name**” found in Device Manager Details.
     (*e.g. USB Mass Storage Device*)
   - **Device Description**: “**Description of device**” found in Device
     Manager Details.
   - **Removable Device**: Select option for device removable properties.
   - **USB Vendor**: Specify USB Vendor name.
   - **USB Model**: Specify USB Model name.
   - **USB Serial No.**: Specify USB Serial Number.

   .. note:: Conditions must be defined in accordance with the language settings of the endpoints operating system.  
   
#. Click **Add.**
#. Click **Save.**

**Configuration Examples :**

+------------------+----------------------------------------+---------------------------------------------+
| Device Type      | Class Name                             | Name                                        |
+==================+========================================+=============================================+ 
| External Storage | Universal Serial Bus controllers       | USB Mass Storage Device                     |
+------------------+----------------------------------------+---------------------------------------------+
|                  | Storage controllers                    | USB Attached SCSI (UAS) Mass Storage Device |
+------------------+----------------------------------------+---------------------------------------------+
|                  | Portable Devices                       | \*                                          |
+------------------+----------------------------------------+---------------------------------------------+
| Optical Device   | DVD/CD-ROM drives                      | \*                                          |
+------------------+----------------------------------------+---------------------------------------------+
| Printer          | Printers                               | \*                                          |
+------------------+----------------------------------------+---------------------------------------------+

Step 2. Create External Device Policy
-------------------------------------

+ Control External Device Policy defines the device groups to block or allow the target to perform device control.
+ When the plugin is uploaded, the device policy for the basic output device is provided as a template. (Device Control Policy ID: Data Leakage Prevention)

#. Go to **Policy** in the top panel.
#. Go to **Policy > External Device Policy** in the left Policy panel.
#. Click **Tasks > Create**
#. Find **General** section enter unique **ID name.** (*e.g. "USB Storage Policy"*)
#. Find **Node Group** section click **Assign** and choose **Node Group**
#. Find **External Devices** section click **Assign** and choose **USB Storage Devices.** (You can select **Default Device Group** below.)
#. Click **Save.**
#. Click **Apply.**

**External Device Exceptions :**

  +------------------------------+---------------------------------------------------------------------------------------------------------------------------+
  | **Bluetooth**                |- Devices in Bluetooth class                                                                                               |
  +------------------------------+---------------------------------------------------------------------------------------------------------------------------+
  | **CD/DVD/Floppy**            |- Devices in CD-ROM, Floppy Disk Drive Class                                                                               |
  +------------------------------+---------------------------------------------------------------------------------------------------------------------------+
  | **Local Printer**            |- Printer connected directly to the local PC (removes devices belonging to printer class)                                  |
  |                              |- Remove the device because the local printer can print out even if it is "disabled" in the device list.                   |
  +------------------------------+---------------------------------------------------------------------------------------------------------------------------+
  | **USB Disk**                 |- USB type storage device (a disk drive whose instance path starts with 'USBSTOR')                                         |
  +------------------------------+---------------------------------------------------------------------------------------------------------------------------+
  | **USB Network Adapter**      |- Network adapter connected via a USB port (network adapter whose instance path in the device properties starts with 'USB')|
  +------------------------------+---------------------------------------------------------------------------------------------------------------------------+
  | **USB Tethering**            |- Network adapter connected via USB cable to the mobile device (network adapter with service property usbrndis or Netaapl) |
  |                              |- If you are connected via Android, the network adapter uses the usbrndis service, and the iPhone uses the Netaapl service.|
  +------------------------------+---------------------------------------------------------------------------------------------------------------------------+
  | **Wireless Network Adapter** |- Wireless Network Card Device                                                                                             |
  +------------------------------+---------------------------------------------------------------------------------------------------------------------------+

#. If there is exception devices, you can create an exception group and assign it to **External Device Exceptions** like Step.1.
#. Click the **Create** button.

Step 3. Configure Control External Device Plugin
------------------------------------------------

#. Go to **Policy** in the top panel.
#. Go to **Policy > Node Policy > Agent Action** in the left Policy panel.
#. Find and click **Control External Device.**
#. Find **Agent Action > Control Methods** section and choose to **Disable** or **Uninstall.**
#. Click **Update.**

Step 4. Enable Agent Action on Node Policy
------------------------------------------

#. Go to **Policy** in the top panel.
#. Go to **Policy > Node Policy** in the left Policy panel.
#. Click the **desired Policy ID** in Node Policy window.
#. Find **Agent Action**. Click **Assign.**
#. Find **Control External Device** in the **Available** section. Select and drag it into the **Selected** section.
#. Click **Add.**
#. Click **Update.**