Adding Device control rules

A Device control rule defines the action that will be taken when a device meeting the rule criteria is connected to the computer.


Enter a description of the rule into the Name field for better identification. Click the switch next to Rule enabled to disable or enable this rule; this can be useful if you don't want to delete the rule permanently.

Device type

Choose the external device type from the drop-down menu (Disk storage/Portable device/Bluetooth/FireWire/...). The types of devices are inherited from the operating system and can be seen in the system Device manager, assuming the device is connected to the computer. Storage devices include external disks or conventional memory card readers connected via USB or FireWire. Smart card readers include all readers of smart cards with an embedded integrated circuit, such as SIM cards or authentication cards. Examples of imaging devices are scanners or cameras. Because these devices do not provide information about users, only about their actions, imaging devices can only be blocked globally.


Access to non-storage devices can either be allowed or blocked. In contrast, rules for storage devices allow you to select one of the following rights settings:

Read/Write - Full access to the device will be allowed.

Block - Access to the device will be blocked.

Read Only - Only read access to the device will be allowed.

Warn - Each time that a device is connected, the user will be notified if it is allowed/blocked, and a log entry will be made. Devices are not remembered; a notification will still be displayed upon subsequent connections of the same device.

Please note that not all rights (actions) are available for all device types. If a device has storage space, all four actions are made available. For non-storage devices, there are only two (for example, Read Only is not available for Bluetooth, so Bluetooth devices can only be allowed or blocked).

Additional parameters shown below can be used to fine-tune rules and tailor them to devices. All parameters are case-insensitive:

Vendor - Filter by vendor name or ID.

Model - The given name of the device.

Serial - External devices usually have their own serial numbers. In the case of a CD/DVD, this is the serial number of the given media, not the CD drive.

NOTE

If these three descriptors are empty, the rule will ignore these fields when matching. Filtering parameters in all text fields are case-insensitive and no wildcards (*, ?) are supported.

In order to figure out the parameters of a device, create a rule to allow that type of device, connect the device to your computer and then review the device details in the Device control log.
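The matching and availability rules above can be checked mechanically before rules are deployed. The following Python sketch is an added example, not product code: the rule dictionary format, the rule_matches and lint_rule helpers, the device-type labels and whole-string comparison are assumptions made for illustration.

```python
# Added illustration; the rule dictionaries are a hypothetical format, not a product export.
STORAGE_TYPES = {"disk storage"}               # assumption: types treated as storage
STORAGE_ACTIONS = {"read/write", "block", "read only", "warn"}
NON_STORAGE_ACTIONS = {"read/write", "block"}  # assumption: "allowed" modelled as Read/Write
DESCRIPTORS = ("vendor", "model", "serial")

def rule_matches(rule, device):
    """Empty descriptors are ignored; the rest compare case-insensitively.
    Whole-string equality is an assumption (the page only rules out wildcards)."""
    if rule["device_type"].lower() != device["device_type"].lower():
        return False
    for field in DESCRIPTORS:
        wanted = rule.get(field, "").strip()
        if wanted and wanted.lower() != device.get(field, "").lower():
            return False
    return True

def lint_rule(rule):
    """Return findings for settings the page says will not behave as written."""
    findings = []
    dtype, action = rule["device_type"].lower(), rule["action"].lower()
    allowed = STORAGE_ACTIONS if dtype in STORAGE_TYPES else NON_STORAGE_ACTIONS
    if action not in allowed:
        findings.append(f"action '{rule['action']}' is not available for {rule['device_type']}")
    for field in DESCRIPTORS:
        if any(ch in rule.get(field, "") for ch in "*?"):
            findings.append(f"{field} contains a wildcard; wildcards are not supported")
    if action == "read/write" and not any(rule.get(f, "").strip() for f in DESCRIPTORS):
        findings.append("no vendor/model/serial set: allows every device of this type")
    if dtype == "imaging device" and rule.get("users"):  # type label is an assumption
        findings.append("imaging devices cannot be filtered by user")
    return findings

# Constructed sample data.
RULES = [
    {"name": "Issued USB stick", "device_type": "Disk storage", "action": "Read/Write",
     "vendor": "ExampleVendor", "model": "", "serial": "AB12CD34"},
    {"name": "Any Example stick", "device_type": "Disk storage", "action": "Read Only",
     "vendor": "Example*", "model": "", "serial": ""},
    {"name": "Headsets", "device_type": "Bluetooth", "action": "Read Only"},
    {"name": "All disks", "device_type": "Disk storage", "action": "Read/Write"},
]
DEVICE = {"device_type": "disk storage", "vendor": "examplevendor",
          "model": "Stick 3.0", "serial": "ab12cd34"}

if __name__ == "__main__":
    for r in RULES:
        print(r["name"], "| matches sample:", rule_matches(r, DEVICE), "|", lint_rule(r))
```

The second sample rule shows the practical consequence of the no-wildcard restriction: the rule's author meant to cover a vendor family, but the rule matches nothing and the device falls through to whatever other rules apply.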


Always - Logs all events.

Diagnostic - Logs information needed to fine-tune the program.

Information - Records informative messages, including successful update messages, plus all records above.

Warning - Records critical errors and warning messages.

None - No logs will be recorded.

Rules can be limited to certain users or user groups by adding them to the User list:

Add - Opens the Object types: Users or Groups dialog window that allows you to select desired users.

Remove - Removes the selected user from the filter.

NOTE

Not all devices can be filtered by user rules (for example, imaging devices do not provide information about users, only about invoked actions).