ESET Online Help


Adding Device control rules

A Device control rule defines an action to take when a device meeting the rule criteria is connected to the computer.


Type a description of the rule into the Name field for better identification. Click the toggle next to Rule enabled to disable or enable this rule; this can be useful if you do not want to delete the rule permanently.

Apply during—Enables you to apply the created rule only during a certain time. From the drop-down menu, select the created time slot. See more information about Timeslots.

Device type

Choose the external device type from the drop-down menu (Disk storage/Portable device/Bluetooth/FireWire/...). Device type information is collected from the operating system and can be seen in the system Device manager if a device is connected to the computer. Storage devices include external disks or conventional memory card readers connected via USB or FireWire. Smart card readers include all readers of smart cards with an embedded integrated circuit, such as SIM cards or authentication cards. Examples of imaging devices are scanners or cameras. Because these devices only provide information about their actions and do not provide information about users, they can only be blocked globally.


note

The user list functionality is not available for the modem device type. The rule will be applied for all users and the current user list will be deleted.

Action

Access to non-storage devices can either be allowed or blocked. In contrast, rules for storage devices enable you to select one of the following rights settings:

  • Allow—Full access to the device will be allowed.
  • Block—Access to the device will be blocked.
  • Write Block—Only read access to the device will be allowed.
  • Warn—Each time that a device is connected, the user will be notified if it is allowed/blocked, and a log entry will be made. Devices are not remembered; a notification will still be displayed for subsequent connections of the same device.

Note that not all Actions (permissions) are available for all device types. For storage devices, all four Actions are available. For non-storage devices, only three Actions are available (for example, Write Block is not available for Bluetooth, so Bluetooth devices can only be allowed, blocked or warned).

Criteria type

Select Device group or Device.

Additional parameters shown below can be used to fine-tune rules for different devices. All parameters are case-sensitive and support wildcards (*, ?):

  • Vendor—Filter by vendor name or ID.
  • Model—The given name of the device.
  • Serial—External devices usually have their own serial numbers. In the case of a CD/DVD, this is the serial number of the given media, not the CD drive.

note

If these parameters are undefined, the rule will ignore these fields while matching. Filtering parameters in all text fields are case-sensitive and support wildcards (a question mark (?) represents a single character, whereas an asterisk (*) represents a string of zero or more characters).


note

To view information about a device, create a rule for that type of device, connect the device to your computer and then check the device details in the Device control log.

Logging Severity

  • Always—Logs all events.
  • Diagnostic—Logs information needed to fine-tune the program.
  • Information—Records informative messages, including successful update messages, plus all records above.
  • Warning—Records critical errors and warning messages and sends them to ERA Server.
  • None—No logs will be recorded.

Rules can be limited to certain users or user groups by adding them to the User list:

  • Add—Opens the Object types: Users or Groups dialog window that enables you to select desired users.
  • Delete—Removes the selected user from the filter.

important

User list limitations

The User list cannot be defined for rules with specific Device types:

  • USB Printer
  • Bluetooth device
  • Smart card reader
  • Imaging device
  • Modem
  • LPT/COM port

Notify user—If a device blocked by an existing rule is inserted, a notification window will be displayed.
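The following added example (not ESET code and not the product's configuration format) models the matching behaviour described under Criteria type and the User list limitations above, so that rule criteria can be checked against device details taken from the Device control log before a rule is deployed. The dictionary layout, the function names and the sample device are assumptions made for illustration, as is the choice that a pattern must cover the whole field value.

```python
import re

# Device types for which the page says a User list cannot be defined.
NO_USER_LIST = {"USB Printer", "Bluetooth device", "Smart card reader",
                "Imaging device", "Modem", "LPT/COM port"}

def wildcard_to_regex(pattern):
    """'?' matches exactly one character, '*' matches zero or more."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c)
             for c in pattern]
    # No re.IGNORECASE: the parameters are case-sensitive.
    return re.compile("".join(parts), re.DOTALL)

def rule_matches(rule, device):
    """True when the device type and every defined parameter match."""
    if rule["device_type"] != device["device_type"]:
        return False
    for field in ("vendor", "model", "serial"):
        pattern = rule.get(field)
        if not pattern:  # undefined parameters are ignored while matching
            continue
        # Assumption: a pattern must cover the whole field value.
        if not wildcard_to_regex(pattern).fullmatch(device.get(field, "")):
            return False
    return True

def lint_rule(rule):
    """Warn about settings the page lists as unavailable for a device type."""
    warnings = []
    if rule.get("users") and rule["device_type"] in NO_USER_LIST:
        warnings.append("User list is not available for " + rule["device_type"])
    if rule["action"] == "Write Block" and rule["device_type"] == "Bluetooth device":
        warnings.append("Write Block is not available for Bluetooth")
    return warnings

# Constructed sample device, as it might be read from the Device control log.
SAMPLE_DEVICE = {"device_type": "Disk storage", "vendor": "Kingston",
                 "model": "DataTraveler 3.0", "serial": "50E54951"}

if __name__ == "__main__":
    rules = [
        {"device_type": "Disk storage", "action": "Allow", "vendor": "kingston"},
        {"device_type": "Disk storage", "action": "Allow", "vendor": "Kingston"},
        {"device_type": "Disk storage", "action": "Allow", "serial": "50E5????"},
        {"device_type": "Modem", "action": "Block", "users": ["alice"]},
    ]
    for rule in rules:
        print(rule, rule_matches(rule, SAMPLE_DEVICE), lint_rule(rule))
```

The second rule defines only Vendor, so it matches every model and serial number from that vendor; an Allow rule meant for a single device should also define Serial.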