External Devices Control Settings
- Lets you define a list of devices that should be blocked on endpoints using this profile. For example, you can block access to USB storage devices, human interface devices, Bluetooth devices, infrared devices and IDE ATA/ATAPI controllers.
- Xcitium blocks access to devices connected through both serial and parallel ports and creates a log of their connection activities.
- You can create exclusions for external devices that you want to allow to connect to managed endpoints. Devices are added as exclusions by specifying their device IDs. You can use wildcard characters in the device ID if you want to include a series of devices with similar device IDs.
Configure External Devices Control Settings
- Click 'Assets' > 'Configuration Templates' > 'Profiles'
- Open the Windows profile you want to work on
- Click the 'External Devices Control' tab then 'Edit', if it has already been added to the profile
OR
- Click 'Add Profile Section' > 'External Devices Control' if it hasn't yet been added
- Enable Device Control - Enable or disable the external device control feature. This is useful if you want to configure external device control settings for a profile during its creation and enable it at a later time.
- Log detected devices - Enable or disable logging of external device connection attempts on endpoints that use this profile. The logs can be viewed from the 'Security Sub Systems' > 'Device Control' interface. See View History of External Device Connection Attempts for more details.
- Show notifications when devices disabled or enabled - Select whether or not a notification is shown to the end-user when a connected device is blocked or allowed.
The 'External Devices Control' settings interface contains two tabs:
- Blocked Device Classes - Define the list of types of external devices to be blocked at the endpoints
- Exclusions - Specify the devices that should be excluded from blocking and allowed access at the endpoints
Blocked Device Classes
The 'Blocked Device Classes' tab displays a list of types of device that are blocked as per the profile and allows you to add/remove new device types.
Blocked Device Classes - Column Descriptions

Column Header | Description
---|---
Device Class | The device type as per global hardware classification
Class ID | The Globally Unique Identifier (GUID) of the device class

Tip: Block 'Portable Devices' in addition to 'USB storage devices' if you want to stop users connecting their phones to access the phone's memory card.
Add device types to be blocked
- Click 'Add' at the top of the list
The 'Add Device Class' dialog appears with a list of device types.
- Select the device types to be added to the block list and click 'Ok'.
- Repeat the process to add more device types.
Remove a device type from the list
- Select the device type from the list and click 'Delete'
- Click 'Confirm' to remove the device type from the blocked list.
Exclusions
The 'Exclusions' tab displays a list of external devices that are exempt from the block rule and so allowed access to the endpoint(s).
Exclusions - Column Descriptions

Column Header | Description
---|---
Device Custom Name | Displays the name of the device.
Device ID | Displays the unique device identifier of the device.
To get Device ID for an External Device
Device Manager is a feature of Microsoft Windows that detects and lists hardware devices and their status information. Device driver settings and information are also stored here.
To open the Device Manager
- Click Start button, type Device Manager and then press the Enter key
Or
- Right-click the Start button or press the Windows Logo + X key combination on the keyboard and, from the list, click to select Device Manager.
- The Device Manager window divides all the devices on your computer into categories.
- To find a specific device, click the arrow next to its category.
- It expands that category, listing all its devices. You can then double-click a specific device to view its properties, status, and driver information.
- To get the device ID, double-click the device > click 'Details' > select 'Device instance path' from the property drop-down
- The device ID will be displayed. Copy the value.
- Click 'Ok'
Add a device to be excluded
- Click 'Add' at the top of the list
The 'Add Device Class' dialog will appear with a list of device types.
- Enter a label for the device in the 'Device Custom Name' field (optional)
- Enter the unique device identifier in the 'Device ID' field
Tip: You can use a wildcard character '*' in the Device ID if you want to cover a range of devices with similar IDs. For example, to include all USB storage devices whose device IDs start with "4C5310", you could enter: USBSTORDISK&VEN_SANDISK4C5310*
- Click 'Add'
The device will be added to the exclusions list and will be allowed access at the endpoint(s).
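
A way to preview which devices a wildcard exclusion would let through before you save it, given here as an added PowerShell example that is not Xcitium code. The device IDs and patterns are constructed, and the matching rules ('*' as the only wildcard, case-insensitive, matched against the whole device instance path) are assumptions, since this page does not specify them.

```powershell
# Added example, not Xcitium code. All IDs and patterns below are constructed.
# Assumption: '*' is the only wildcard; matching is case-insensitive and
# applies to the whole device instance path.

function Convert-ExclusionToRegex {
    param([Parameter(Mandatory)][string]$Pattern)
    # Escape every regex metacharacter, then turn the escaped '*' back into
    # "any run of characters" and anchor both ends.
    '^' + [regex]::Escape($Pattern).Replace('\*', '.*') + '$'
}

function Test-DeviceExclusion {
    param(
        [Parameter(Mandatory)][string[]]$Pattern,
        [Parameter(Mandatory)][string[]]$DeviceId
    )
    foreach ($p in $Pattern) {
        $rx   = Convert-ExclusionToRegex -Pattern $p
        $hits = @($DeviceId | Where-Object { $_ -match $rx })
        [pscustomobject]@{
            Pattern    = $p
            MatchCount = $hits.Count
            MatchedIds = $hits
        }
    }
}

# Constructed device instance paths in the usual Windows layout
# (enumerator\device description\instance).
$deviceIds = @(
    'USBSTOR\DISK&VEN_SANDISK&PROD_ULTRA&REV_1.00\4C5310AAAA0001&0'
    'USBSTOR\DISK&VEN_SANDISK&PROD_ULTRA&REV_1.00\4C5310AAAA0002&0'
    'USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER&REV_1.27\20051234567890&0'
    'USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\0123456789AB&0'
)

# On a live endpoint, use the real inventory instead of the sample:
# $deviceIds = (Get-PnpDevice -PresentOnly).InstanceId

# Candidate exclusions, from narrowest to broadest.
$candidates = @(
    'USBSTOR\DISK&VEN_SANDISK&PROD_ULTRA&REV_1.00\4C5310AAAA0001&0'  # one device
    'USBSTOR\DISK&VEN_SANDISK&PROD_ULTRA&REV_1.00\4C5310*'           # one batch
    'USBSTOR\DISK&VEN_SANDISK*'                                      # whole vendor
    'USBSTOR\*'                                                      # every USB disk
)

Test-DeviceExclusion -Pattern $candidates -DeviceId $deviceIds | Format-List
```

With the sample data the four patterns match 1, 2, 3 and 4 devices respectively. A match count higher than the number of devices you intended to allow means the wildcard is too broad for an exclusion list.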
Remove a device from exclusions
- Select the device and click 'Delete'
- Click 'Confirm' to remove the item from the list
- Click the 'Save' button to save the 'External Devices Control' settings.