Controlling External Device

  • External devices are all devices that can be connected to the Windows system.
  • You can find in Device Manager such as USB flash drives, USB disk drives, external USB hard drives, printers, keyboards, mice, and more.
  • You can control an external device by disabling or removing the external device so that it can request approval for a set period of time.
  • (External device can be any device found in Device Manager that knows the class name and vendor name. For example, class name = "Universal Serial Bus Controller" / device name = "USB Mass Storage Device") )

Step 1. Create Device Group

  • A device group is a function that defines a set of devices required for control. It can be used for blocking or exception on the policy.
  1. Go to Policy in the top panel.

  2. Go to External Device Group in the left Policy panel.

  3. Click Tasks > Create.

  4. Find General section enter unique ID name. (e.g. "USB Storage Devices")

  5. Find Settings section enter the following:

    • Class Name: “Some-Name” found in Device Manager. (e.g. Universal Serial Bus controllers)
    • Device Name: “Some-Vendor-Name” found in Device Manager Details. (e.g. USB Mass Storage Device)
    • Device Description: “Description of device” found in Device Manager Details.
    • Removable Device: Select option for device removable properties.
    • USB Vendor: Specify USB Vendor name.
    • USB Model: Specify USB Model name.
    • USB Serial No.: Specify USB Serial Number.

    Note

    Conditions must be defined in accordance with the language settings of the endpoints operating system.

  6. Click Add.

  7. Click Save.

Configuration Examples :

Device Type Class Name Name
External Storage Universal Serial Bus controllers USB Mass Storage Device
  Storage controllers USB Attached SCSI (UAS) Mass Storage Device
  Portable Devices *
Optical Device DVD/CD-ROM drives *
Printer Printers *

Step 2. Create External Device Policy

  • Control External Device Policy defines the device groups to block or allow the target to perform device control.
  • When the plugin is uploaded, the device policy for the basic output device is provided as a template. (Device Control Policy ID: Data Leakage Prevention)
  1. Go to Policy in the top panel.
  2. Go to Policy > External Device Policy in the left Policy panel.
  3. Click Tasks > Create
  4. Find General section enter unique ID name. (e.g. "USB Storage Policy")
  5. Find Node Group section click Assign and choose Node Group
  6. Find External Devices section click Assign and choose USB Storage Devices. (You can select Default Device Group below.)
  7. Click Save.
  8. Click Apply.

External Device Exceptions :

Bluetooth
  • Devices in Bluetooth class
CD/DVD/Floppy
  • Devices in CD-ROM, Floppy Disk Drive Class
Local Printer
  • Printer connected directly to the local PC (removes devices belonging to printer class)
  • Remove the device because the local printer can print out even if it is "disabled" in the device list.
USB Disk
  • USB type storage device (a disk drive whose instance path starts with 'USBSTOR')
USB Network Adapter
  • Network adapter connected via a USB port (network adapter whose instance path in the device properties starts with 'USB')
USB Tethering
  • Network adapter connected via USB cable to the mobile device (network adapter with service property usbrndis or Netaapl)
  • If you are connected via Android, the network adapter uses the usbrndis service, and the iPhone uses the Netaapl service.
Wireless Network Adapter
  • Wireless Network Card Device
  1. If there is exception devices, you can create an exception group and assign it to External Device Exceptions like Step.1.
  2. Click the Create button.

Step 3. Configure Control External Device Plugin

  1. Go to Policy in the top panel.
  2. Go to Policy > Node Policy > Agent Action in the left Policy panel.
  3. Find and click Control External Device.
  4. Find Agent Action > Control Methods section and choose to Disable or Uninstall.
  5. Click Update.

Step 4. Enable Agent Action on Node Policy

  1. Go to Policy in the top panel.
  2. Go to Policy > Node Policy in the left Policy panel.
  3. Click the desired Policy ID in Node Policy window.
  4. Find Agent Action. Click Assign.
  5. Find Control External Device in the Available section. Select and drag it into the Selected section.
  6. Click Add.
  7. Click Update.