A.8 Storage Device Control Policy

The following instructions assume that you are on the Configure Storage Device Control Settings page in the Create New Storage Device Control Policy Wizard (see Section 9.0, Creating Security Policies) or that you are on the Details page for an existing Storage Device Control policy (see Section 13.0, Editing a Policy’s Details).

This Storage Device Control policy lets you control access to CD/DVD drives, floppy drives, and removable storage drives. For each drive, you can allow full access, allow read access only, disable all access, or default to the global Storage Device Control policy setting.

A.8.1 AutoPlay/AutoRun

The AutoPlay/AutoRun setting can only be configured on a global Storage Device Control policy. It is not available on location-based policies. This means that it is always applied regardless of the device’s location.

This setting controls the Windows AutoPlay feature. AutoPlay performs two processes. First, it launches the AutoRun process, which looks for an autorun.inf in the root directory and executes the instructions in the file. Second, it looks for specific content (music, video, and pictures) and launches the appropriate application to display or play the content. Select one of the following options:

  • Enable: Enables both AutoPlay and AutoRun.

  • Disable AutoRun: Disables the AutoRun feature so that autorun.inf instructions are not executed. AutoPlay is not disabled so music, video, and picture applications are still launched.

  • Disable AutoPlay: Disables both the AutoPlay and AutoRun features.

  • Inherit: Inherits this setting from other Storage Device Control policies assigned higher in the policy hierarchy. For example, if you assign this policy to a user, the setting is inherited from any Storage Device Control policies assigned to the user’s groups, folders, or zone.

A.8.2 Storage Device Categories

You can control access to the following categories of storage devices:

  • CD/DVD: Controls access to any devices listed under DVD/CD-ROM drives in Windows Device Manager.

  • Floppy Drive: Controls access to any devices listed under Floppy drives in Windows Device Manager.

  • Removable Storage: Controls access to any devices reporting as removable storage under Disk drives in Windows Device Manager.

For each storage device, select one of the following options:

  • Enable: Enables read and write access.

  • Disable: Prevents read and write access. When users attempt to access files on the device, they receive an error message from the operating system, or the application attempting to access the local storage device, that the action has failed.

  • Read Only: Enables read access and disables write access. When users attempt to write to the device, they receive an error message from the operating system, or the application attempting to access the local storage device, that the action has failed.

  • Inherit: Inherits this setting from other Storage Device Control policies assigned higher in the policy hierarchy. For example, if you assign this policy to a user, the setting is inherited from any Storage Device Control policies assigned to the user’s groups, folders, or zone.

A.8.3 Enable Preferred Device List in the Policy

The Removable Storage access setting applies to all removable storage devices (RSDs). This includes FireWire devices, storage cards, USB devices, and any other devices reported as removable storage under Disk drives in Windows Device Manager.

The Preferred Device list applies only to USB devices. Select this option if you want to override the Removable Storage access setting for specific USB devices.

Default Device Access

Each device you add to the Preferred Device list must include an access assignment. The Default Device Access setting is used as the default access assignment for 1) any device you import that doesn’t have an assignment and 2) any device you create whose access you set to Default Access. Select from the following options:

  • Enable: Enables read and write access.

  • Disable: Prevents read and write access. When users attempt to access files on the device, they receive an error message that the action has failed.

  • Read Only: Enables read access and disables write access. When users attempt to write to the device, they receive an error message that the action has failed.

  • Inherit: Inherits this setting from other Storage Device Control policies assigned higher in the policy hierarchy. For example, if you assign this policy to a user, the setting is inherited from any Storage Device Control policies assigned to the user’s groups, folders, or zone.

Preferred Device List

The following table provides instructions for managing the Preferred Device list:

Each task below is followed by its steps and any additional details.

Create a new device

  1. Click Add > Create New.

  2. Fill in the following fields:

    Name: Specify a name to identify the device in the ZENworks system. This name is required, but is not used to determine device matches, so it can be any name.

    Serial Number: Specify the device’s serial number. This is an exact match field. If the serial number you enter is not identical to the serial number of the detected device, the detected device is not a match.

    The serial number and description are the two fields used to determine if a detected device matches this definition. You must fill in at least one of the fields.

    Description: Specify the device description. This is a partial match field, meaning that the description only needs to match any part of a device’s description. For example, Device1 not only matches Device1 but also matches Device10 and USB Device100. The more complete the description, the more specific the match.

    Comment: Specify any text you want to help identify the device in your system. This field is not used to determine device matches.

    Access: Select Enable to provide full read/write access. Select Disable to prevent all access. Select Read Only to provide read access but block write access. Select Default Access to use the Default Device Access setting.

  3. Click OK to add the device to the list.

 

Copy an existing device from another policy

  1. Click Add > Copy Existing.

  2. Select the Storage Device Control policies whose devices you want to copy.

  3. Click OK.

All devices included in the other Storage Device Control policies are copied. If necessary, you can edit the copied devices after they are added to the list.

Import a device from a policy export file

  1. Click Add > Import.

  2. In the Select Source of Data list, select Existing Policy/Component.

  3. Click to display the Select File dialog box.

  4. Click Browse, select the export file, then click OK.

  5. Click OK to add the devices to the list.

All devices included in the export file are imported. If necessary, you can edit the imported devices after they are added to the list.

For information about exporting devices, see Export a device.

Import a device from a Device Scanner file

  1. Click Add > Import.

  2. In the Select Source of Data list, select ZESM Device Scanner Tool.

  3. In the Select the Exported File field, click to display the Select File dialog box.

  4. Click Browse, select the export file, then click Open.

  5. Click OK twice to add the devices to the list.

  6. Click a device to view the data fields included in the device definition.

  7. Modify the device data fields if necessary.

  8. Click OK to save the changes.

For information about using the Device Scanner to collect data about USB devices, see Device Scanner in the ZENworks 11 SP2 Endpoint Security Utilities Reference.

Edit a device

  1. Click the device name.

  2. Modify the fields as desired.

  3. Click OK.

 

Export a device

  1. Select the check box next to the device name.

    You can select multiple devices to export.

  2. Click Edit > Export.

  3. Save the file.

    The default name given to the file is sharedComponents.xml. You can change the name if desired. Do not change the .xml extension.

 

Delete a device

  1. Select the check box next to the device name, then click Delete.

  2. Click OK to confirm deletion of the device.
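
The matching rules described under Create a new device (exact serial number, partial description, Default Access fallback) can be modelled to audit a Preferred Device list before it is deployed. This is an added example, not ZENworks code: the class and function names, the sample inventory, the case-sensitive comparison, the rule that every filled-in field must match, and first-match-wins ordering are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class PreferredDevice:
    name: str                       # label only, never used for matching
    serial: str = ""                # exact-match field
    description: str = ""           # partial-match (substring) field
    access: str = "Default Access"  # Enable | Disable | Read Only | Default Access

def matches(entry, serial, description):
    # Assumption: every filled-in field must match; comparison is case-sensitive.
    if not (entry.serial or entry.description):
        return False                # at least one of the two fields is required
    if entry.serial and entry.serial != serial:
        return False
    return entry.description in description   # "" is in every string

def effective_access(entries, default_access, removable_setting, serial, description):
    # Assumption: the first matching entry wins.
    for e in entries:
        if matches(e, serial, description):
            return default_access if e.access == "Default Access" else e.access
    return removable_setting        # no override: Removable Storage setting applies

def broad_entries(entries, inventory):
    """Description-only entries that match more than one inventoried device."""
    flagged = []
    for e in entries:
        hits = sum(matches(e, s, d) for s, d in inventory)
        if not e.serial and hits > 1:
            flagged.append((e.name, hits))
    return flagged

# Constructed sample data (serial number, description); not from a real scan.
INVENTORY = [("SN-0001", "Device1"), ("SN-0002", "Device10"),
             ("SN-0003", "USB Device100"), ("SN-0004", "Backup Drive")]
POLICY = [PreferredDevice("Lab stick", description="Device1", access="Enable"),
          PreferredDevice("Backup", serial="SN-0004")]

if __name__ == "__main__":
    for s, d in INVENTORY:
        print(s, d, effective_access(POLICY, "Read Only", "Disable", s, d))
    print("Overly broad:", broad_entries(POLICY, INVENTORY))
```

An entry flagged by `broad_entries` grants its access level to every device whose description contains the string; adding the serial number to the entry narrows it to a single device.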