5.9 Storage Device Control Policy

The following instructions assume that you are on the Configure Storage Device Control Settings page in the Create New Storage Device Control Policy Wizard (see Creating Security Policies) or that you are on the Details page for an existing Storage Device Control policy (see Editing a Policy’s Details).

The Storage Device Control policy enables control of the Windows AutoPlay feature and access to removable storage devices. You can define the default access control for all removable storage devices and, if required, override that setting with different access controls for the device types indicated below:

  • CD/DVD: Controls access to any devices listed under DVD/CD-ROM drives in Windows Device Manager.

  • Floppy Drive: Controls access to any devices listed under Floppy drives in Windows Device Manager.

  • Removable Storage: Controls access to any devices reporting as removable storage under Disk drives in Windows Device Manager.

  • Portable Device: Controls access to any devices listed under Portable Devices (Windows Portable Devices, WPD) in Windows Device Manager.

5.9.1 Configure AutoPlay/AutoRun

The AutoPlay/AutoRun setting can only be configured on a global Storage Device Control policy. It is not available on location-based policies. This means that it is always applied regardless of the device’s location.

This setting controls the Windows AutoPlay feature. AutoPlay performs two processes. First, it launches the AutoRun process, which looks for an autorun.inf in the root directory and executes the instructions in the file. Second, it looks for specific content (music, video, and pictures) and launches the appropriate application to display or play the content. Select one of the following options:

  • Enable: Enables both AutoPlay and AutoRun.

  • Disable AutoRun: Disables the AutoRun feature so that autorun.inf instructions are not executed. AutoPlay is not disabled so music, video, and picture applications are still launched.

  • Disable AutoPlay/AutoRun: Disables both the AutoPlay and AutoRun features.

  • Inherit: If the policy’s Inherit from Policy Hierarchy setting is enabled, inherits this setting from other Storage Device Control policies assigned higher in the policy hierarchy. For example, if you assign this policy to a user, the setting is inherited from any Storage Device Control policies assigned to the user’s groups, folders, or zone.
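The AutoRun step described above does nothing more than read the `[autorun]` section of an autorun.inf in the volume root and act on its keys. The following script is an added example, not ZENworks code, that parses such a file and reports which commands AutoRun would launch (the `open` and `shellexecute` keys) and which context-menu verbs it would register; those are exactly the instructions that the Disable AutoRun setting stops Windows from honouring. The sample file content is constructed for illustration.

```python
"""Added example (not ZENworks code): show what AutoRun would execute for a volume
by parsing its autorun.inf. The sample autorun.inf below is constructed."""
import configparser

LAUNCH_KEYS = ("open", "shellexecute")   # keys that start a program without user action

SAMPLE_AUTORUN_INF = """\
[autorun]
open=setup.exe /silent
icon=setup.exe,0
label=Vendor Driver CD
action=Install the device drivers
shell\\install=&Install
shell\\install\\command=setup.exe /silent
"""


def parse_autorun(text: str) -> dict:
    """Return launch commands, shell verbs and the label/icon/action shown to the user."""
    # autorun.inf is an INI file; keys and the section name are case-insensitive,
    # duplicate keys occur in the wild, so be lenient and never interpolate '%'.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower
    cp.read_string(text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    result = {"launch": [], "verbs": {}, "label": None, "icon": None, "action": None}
    if section is None:
        return result                       # no [autorun] section: AutoRun does nothing
    for key, value in cp.items(section):
        if key in LAUNCH_KEYS:
            result["launch"].append(value.strip())
        elif key.startswith("shell\\") and key.endswith("\\command"):
            # shell\<verb>\command=... registers a context-menu verb for the drive
            verb = key[len("shell\\"):-len("\\command")]
            result["verbs"][verb] = value.strip()
        elif key in ("label", "icon", "action"):
            result[key] = value.strip()
    return result


def would_execute(text: str) -> list:
    """Commands the AutoRun step would run for this autorun.inf."""
    return parse_autorun(text)["launch"]


if __name__ == "__main__":
    info = parse_autorun(SAMPLE_AUTORUN_INF)
    print("AutoRun would launch:", info["launch"])
    print("Registered verbs:", info["verbs"])
    print("Presented as:", info["label"], "/", info["action"])
```

Keep in mind that Windows 7 and later honour autorun.inf only on CD/DVD media by default (the same restriction was backported to XP and Vista by update KB971029), so on current clients the Disable AutoRun setting mainly affects optical drives and any machines where AutoRun for removable drives was re-enabled.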

5.9.2 Configure Removable Storage Device Access

You control access to storage devices by selecting a default access control for all device types and then enabling or disabling an override access control for individual device types. The access control options are defined below:

  • Read/Write: Enables the user to have full access to the device on the client computer.

  • Disable: Prevents read and write access. When users attempt to access files on the device, they receive an error message from the operating system, or the application attempting to access the local storage device, that the action has failed.

  • Read Only: Enables read access and disables write access. When users attempt to write to the device, they receive an error message from the operating system, or the application attempting to access the local storage device, that the action has failed.

  • Inherit: If the policy’s Inherit from Policy Hierarchy setting is enabled, inherits this setting from other Storage Device Control policies assigned higher in the policy hierarchy. For example, if you assign this policy to a user, the setting is inherited from any Storage Device Control policies assigned to the user’s groups, folders, or zone.

Default Access

The Default Access setting enables you to have one control for all removable storage devices when you want them to have the same access control. This includes FireWire, Windows Portable devices, storage cards, USB devices, and any other devices reported as removable storage under Disk drives in Windows Device Manager. If you want to have a different control for device types that use access overrides, you can use the Default Access Overrides configuration to implement those controls.

Default Access Overrides

Use the options in the Default Access Overrides configuration to select an individual access control for any of the device types listed at the beginning of this section (CD/DVD, Floppy Drive, Removable Storage, or Portable Device). Select the applicable check box to enable access control selection for that device type, or deselect the check box to disable the override and return that device type to the Default Access setting.

Exception Lists

The access controls for the Removable Storage (USB) and Portable Device (WPD) types can include an Exception List when the Default Access override is enabled for that device type. An Exception List lets you define access controls by device make, model, or even individual device where required. For example, your Default Access control could be set to Disable, your Portable Device access control to Read Only, and specific devices in the Exception List to Read/Write.

Each device that you add to an Exception List must include an access assignment. The Default Access setting is used as the default access assignment for (1) any device you import that does not have an access assignment and (2) any device you create whose access you set to Default Access.

Select from the following options:

  • Default Access: Use the control that is defined in the Default Access setting.

  • Read/Write: Enables read and write access.

  • Read Only: Enables read access and disables write access. When users attempt to write to the device, they receive an error message that the action has failed.

  • Disable: Prevents read and write access. When users attempt to access files on the device, they receive an error message that the action has failed.

The following tasks describe how to manage an Exception List. Each task lists its steps, followed by additional details where applicable.

Create a new device

  1. Click Add > Create New.

  2. Select the access you want assigned to the device:

    • Default Access: Give the device the access specified by the Default Access setting.

    • Read/Write: Enable read and write access.

    • Read Only: Enable read access and disable write access. When users attempt to write to the device, they receive an error message from the operating system, or the application attempting to access the local storage device, that the action has failed.

    • Disable: Disable access.

  3. (Optional) Add a comment to further identify the device.

    The Comment field is not a match field. It is used only in ZENworks Control Center to identify the device.

  4. On the Recommended tab, fill in the fields you want to use as match criteria for the device.

  5. On the Advanced tab, fill in the fields you want to use as match criteria for the device.

  6. Click OK to add the device to the list.

The fields on the Recommended tab are typically sufficient to use for the match criteria. As a best practice, we recommend that you use the fewest number of fields needed to accurately match the device. The more fields you use, the more restrictive the definition becomes.

The Manufacturer and Product fields are substring matches. For example, “San” and “SanDisk” both match all SanDisk devices, while “SanDisk Cruzer” and “Cruzer” match all SanDisk Cruzer devices but exclude all other SanDisk devices.

The Serial Number, Vendor ID, and Product ID fields are exact match. Be aware that not all devices have unique serial numbers. To guarantee a unique match based on a serial number, use the Vendor ID and Product ID fields as well.

The Recommended fields are not case sensitive.

The fields on the Advanced tab can be used to refine the match criteria in order to isolate very specific devices. These fields can restrict a device definition so that it matches only a single device on a specific port on a specific computer.

All of the Advanced fields are exact match. They are not case sensitive.
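The layering described under Default Access, Default Access Overrides and Exception Lists, together with the match rules above (Manufacturer and Product as substrings, Serial Number, Vendor ID and Product ID as exact values, none of them case sensitive, and only the fields you fill in counting as criteria), is easy to get wrong when several entries overlap. The following script is an added example, not ZENworks code, that models a policy and resolves the access a given device ends up with. It also folds in the Device Scanner access mapping from the Control Access Import Mapping table at the end of this section. The data model, the field names, the sample devices and the rule that the first enabled matching entry wins (the page does not state how overlapping entries are ordered) are all assumptions for illustration.

```python
"""Added example (not ZENworks code): resolve effective Storage Device Control access.
Match rules follow this page; ordering of overlapping entries and all sample data
are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

READ_WRITE, READ_ONLY, DISABLE, DEFAULT = "Read/Write", "Read Only", "Disable", "Default Access"
SUBSTRING_FIELDS = ("manufacturer", "product")         # Recommended tab: substring match
EXACT_FIELDS = ("serial", "vendor_id", "product_id")   # Recommended tab: exact match

# Device Scanner -> Exception List mapping from the table on this page. "Read Only" has
# no scanner value, and an imported device without an assignment gets Default Access.
SCANNER_ACCESS_MAP = {"Allow": READ_WRITE, "Always Allow": READ_WRITE,
                      "Block": DISABLE, "Always Block": DISABLE, "Default Access": DEFAULT}


def scanner_access(value: Optional[str]) -> str:
    return SCANNER_ACCESS_MAP.get(value, DEFAULT)


@dataclass(frozen=True)
class Device:
    device_type: str          # "Removable Storage", "Portable Device", "CD/DVD", ...
    manufacturer: str
    product: str
    serial: str
    vendor_id: str
    product_id: str


@dataclass
class ExceptionEntry:
    name: str
    access: str
    enabled: bool = True                 # disabled entries stay in the policy but never match
    manufacturer: Optional[str] = None   # None = field left empty, not used as a criterion
    product: Optional[str] = None
    serial: Optional[str] = None
    vendor_id: Optional[str] = None
    product_id: Optional[str] = None

    def matches(self, dev: Device) -> bool:
        criteria = 0
        for f in SUBSTRING_FIELDS:
            want = getattr(self, f)
            if want is not None:
                criteria += 1
                if want.lower() not in getattr(dev, f).lower():
                    return False
        for f in EXACT_FIELDS:
            want = getattr(self, f)
            if want is not None:
                criteria += 1
                if want.lower() != getattr(dev, f).lower():
                    return False
        return criteria > 0              # an entry with no criteria must not match everything


@dataclass
class Override:
    access: str                                            # access for the whole device type
    exceptions: List[ExceptionEntry] = field(default_factory=list)


@dataclass
class Policy:
    default_access: str
    overrides: Dict[str, Override] = field(default_factory=dict)   # only enabled overrides


def effective_access(policy: Policy, dev: Device) -> str:
    """Exception entry (only if the type's override is enabled) -> override -> Default Access."""
    override = policy.overrides.get(dev.device_type)
    if override is None:
        return policy.default_access
    for entry in override.exceptions:                      # assumption: first enabled match wins
        if entry.enabled and entry.matches(dev):
            return policy.default_access if entry.access == DEFAULT else entry.access
    return override.access


# Constructed sample policy: block everything, phones read-only, one asset-tagged
# Cruzer writable (serial plus VID/PID, as the page recommends), other SanDisk read-only.
POLICY = Policy(default_access=DISABLE, overrides={
    "Removable Storage": Override(DISABLE, [
        ExceptionEntry("Issued Cruzer", READ_WRITE, vendor_id="0781", product_id="5567", serial="4C530001230"),
        ExceptionEntry("Any SanDisk", READ_ONLY, manufacturer="San"),
        ExceptionEntry("Retired Kingston", READ_WRITE, enabled=False, manufacturer="Kingston"),
    ]),
    "Portable Device": Override(READ_ONLY),
})
ISSUED_CRUZER = Device("Removable Storage", "SanDisk", "Cruzer Blade", "4C530001230", "0781", "5567")
OTHER_CRUZER = Device("Removable Storage", "SanDisk", "Cruzer Blade", "4C530009999", "0781", "5567")
SANDISK_ULTRA = Device("Removable Storage", "SanDisk", "Ultra Fit", "4C531234567", "0781", "5583")
KINGSTON = Device("Removable Storage", "Kingston", "DataTraveler", "0019E0A1", "0951", "1666")
PHONE = Device("Portable Device", "Samsung", "Galaxy", "R58M1ABCDEF", "04E8", "6860")
DVD = Device("CD/DVD", "HL-DT-ST", "DVDRAM GU90N", "", "", "")

if __name__ == "__main__":
    for d in (ISSUED_CRUZER, OTHER_CRUZER, SANDISK_ULTRA, KINGSTON, PHONE, DVD):
        print(f"{d.device_type:18} {d.manufacturer:9} {d.product:14} -> {effective_access(POLICY, d)}")
```

Two things the run makes visible: the Cruzer with a different serial falls through to the broader “San” entry rather than being blocked, because the entries are evaluated in order, and the CD/DVD drive is governed by Default Access alone since no override is enabled for that type. When you build real entries, prefer Vendor ID and Product ID plus serial for anything that must be unique, and keep substring entries narrow enough that a look-alike manufacturer string cannot match.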

Copy an existing device from another policy

  1. Click Add > Copy Existing.

  2. Select the Storage Device Control policies whose devices you want to copy.

  3. Click OK.

All devices included in the other Storage Device Control policies are copied. If necessary, you can edit the copied devices after they are added to the list.

Import a device from a policy export file

  1. Click Add > Import.

  2. In the Select Source of Data list, make sure that Existing Policy/Component is selected.

  3. In the Select the Exported File field, click the icon next to the field to display the Select File dialog box.

  4. Click Browse, select the export file, then click Open.

  5. Click OK to add the devices to the list.

All devices included in the export file are imported. If necessary, you can edit the imported devices after they are added to the list.

For information about exporting devices, see Export a device.

Import a device from a Device Scanner file

  1. Click Add > Import.

  2. In the Select Source of Data list, select ZESM Device Scanner Tool.

  3. In the Select the Data File field, click the icon next to the field to display the Select File dialog box.

  4. Click Browse, select the Device Scanner data file, then click Open.

  5. Click OK.

  6. Select the fields you want to import for each device in the data file.*

    The recommended fields are selected by default. As a best practice, we recommend that you import the fewest number of fields needed to accurately match the device. The more fields you use, the more restrictive the definition becomes.

  7. Click OK to import the devices.

* The Access field must be selected on import if you want the access setting that is defined in the Device Scanner file to map to the Exception List access setting. Read Only has no Device Scanner mapping and must be selected manually.

For information on how Access settings map, see Control Access Import Mapping (Exception List).

For information about using the Device Scanner to collect data about USB devices, see Device Scanner in the ZENworks Endpoint Security Utilities Reference.

Enable or disable a device

  1. Locate the device in the list.

  2. In the Enabled column, select the check box to enable the device.

    or

    Deselect the check box to disable the device.

When you add a device, it is enabled by default. You can disable a device to save it in the policy but no longer have it applied.

Edit a device

  1. Click the device name.

  2. Modify the fields as desired.

  3. Click OK.

Rename a device

  1. Select the check box next to the device name, then click Edit > Rename.

  2. Modify the name as desired.

  3. Click OK.

Export a device

  1. Select the check box next to the device name.

    You can select multiple devices to export.

  2. Click Edit > Export.

  3. Save the file.

    The default name given to the file is sharedComponents.xml. You can change the name if desired. Do not change the .xml extension.

Delete a device

  1. Select the check box next to the device name, then click Delete.

  2. Click OK to confirm deletion of the device.

Control Access Import Mapping (Exception List)

  Device Scanner Access Setting    Exception List Setting
  -----------------------------    ----------------------
  Allow                            Read/Write
  Block                            Disable
  Always Allow                     Read/Write
  Always Block                     Disable
  Default Access                   Default Access
  (no mapping)                     Read Only