A.9 USB Connectivity Policy

The following instructions assume that you are on the Configure USB Connectivity Settings page in the Create New USB Connectivity Policy Wizard (see Section 9.0, Creating Security Policies) or that you are on the Details page for an existing USB Connectivity policy (see Section 13.0, Editing a Policy’s Details).

The USB Connectivity policy lets you control whether or not a device supports USB devices. You can allow all USB devices, block all USB devices, or control access for groups or individual USB devices based on attributes such as Device Class, Manufacturer, Product, and Serial Number.

Watch a video that demonstrates how to create a USB Connectivity policy.

A.9.1 USB Devices

Select whether or not USB connections are supported:

  • Enable: Enables support for USB connections by keeping a device’s USB bus active. You can then enable or disable access for groups of USB devices or individual devices.

  • Disable: Disables support for USB connections by deactivating a device’s USB bus. All USB devices (keyboards, mice, storage devices, and so forth) are disabled. If you select this option, the remaining options (Default Device Access, Device Group Access Settings, and USB Device Access Settings) do not apply and are disabled.

  • Inherit: Inherits this setting from other USB Connectivity policies assigned higher in the policy hierarchy. For example, if you assign this policy to a user, the setting is inherited from any USB Connectivity policies assigned to the user’s groups, folders, or zone.

A.9.2 Default Device Access

Some USB devices might not match any of the device groups or individual devices you define in this policy. Select the default access (Enable, Disable, or Inherit) to assign to those USB devices.

A.9.3 Device Group Access Settings

Many USB devices fall into one of the four groups shown in the following table:

Device Group

Base Class Code

Examples

Human Interface Device (HID)

03h

Mice, keyboards, game controllers

Mass Storage Class

08h

Flash drives, external hard drives, personal digital assistants (PDAs), mobile phones, cameras, Windows portable devices (WPDs)

Printing Class

07h

Printers

Scanning/Imaging (PTP)

06h

Scanners, any device that uses the Picture Transfer Protocol

You specify access settings for each of the groups. When a device’s base class matches a group, the device receives the group’s access setting.

The three most common uses for the device group access settings are to:

  • Disable access for an entire device group such as the Scanning/Imaging (PTP) group.

  • Create whitelists for device groups. To create a whitelist, you disable access for a device group and then use the USB Device Access Settings list to define the enabled devices. For example, you might disable all Mass Storage Class devices and then enable specific removable storage devices.

  • Create blacklists for device groups. To create a blacklist, you enable access for a device group and then use the USB Device Access Settings list to define the disabled devices. For example, you might enable all Printing Class devices and then disable specific printers.

Select one of the following access settings for each group:

  • Always Disable: Always disable access. This setting takes precedence over all other access settings for the group’s devices.

    For example, assume that you set the Scanner/Imaging (PTP) group access to Always Disable. You then define a scanner in the USB Device Access Settings list and give it Always Enable access. The Always Disable access setting overrides the Always Enable access setting and the scanner is still blocked. Or, in another USB Connectivity policy you set the Scanner/Imaging (PTP) group access to Always Enable and assign the two policies to the same user. The Always Disable access setting overrides the Always Enable setting.

    Because a USB device can receive multiple access settings (group setting for this policy, device setting for this policy, and group or device settings for other USB Connectivity policies) but only one access setting can be enforced, you should make sure you understand how access conflicts are resolved.

  • Always Enable: Always enable access. This setting takes precedence over all access settings for group members except Always Disable.

    For example, if a member of the group is also defined in the USB Device Access Settings list and assigned Disable access, this group access setting overrides that setting and allows access. However, if the device is given Always Disable access, that setting takes precedence and the device is disabled.

  • Disable: Disable access. This setting takes precedence over the Enable setting.

    Use this setting to create a whitelist for the device group. For example, to create a whitelist for removable storage devices, set the Mass Storage Class access to Disable so that all removable storage devices are blocked. Then, use the USB Device Access Settings list to define the allowed removable storage devices (the whitelist) and assign Always Enable access to each device.

  • Enable: Enable access.

    Use this setting to create a blacklist for the device group. For example, to create a blacklist for printers, set the Printing Class access to Enable so that all printers are allowed. Then, use the USB Device Access Settings list to define the disabled printers (the blacklist) and assign Always Disable access to each device.

  • Default Device Access: Give the device group the access specified by the Default Device Access setting.

  • Inherit: Inherit this setting from other USB Connectivity policies assigned higher in the policy hierarchy. For example, if you assign this policy to a user, the setting is inherited from any USB Connectivity policies assigned to the user’s groups, folders, or zone.

A.9.4 USB Device Access Settings

The device groups use one attribute (Device Class) as the match criterion. If you have devices whose access you want to control based on matching different or additional attributes, you can use the USB Device Access Settings list.

For example, assume that the only mass storage device you want to allow is the Acme USB2 drive. In the Device Group Access Settings, you set Mass Storage Class to Disable. You then add the Acme USB2 to the USB Device Access Settings list and set the access to Always Enable.

It is possible that a detected device might match multiple device groups or devices. When this occurs, only one access level is assigned to the device. For information about how conflicts are resolved, see Conflict Resolution.

The following table provides instructions for managing the USB Device Access Settings list:

Task

Steps

Additional Details

Create a new device

  1. Click Add > Create New.

  2. Select the access you want assigned to the device:

    • Always Disable: Always disable access. This setting takes precedence over all other access settings for the device.

    • Always Enable: Always enable access. This setting takes precedence over all access settings for the device except Always Disable.

    • Disable: Disable access. This setting takes precedence over the Enable setting.

    • Enable: Enable access.

    • Default Device Access: Give the device the access specified by the Default Device Access setting.

    • Inherit: Inherit this setting from other USB Connectivity policies assigned higher in the policy hierarchy.

  3. Fill in the fields you want to use as the device filter.

    The fields or attributes that you define create the filter used to determine device matches. All fields in the filter must match an attribute provided by the device in order to have a match. If the device does not provide an attribute that is required, or if the provided attribute is incorrect, the device does not match.

    Be aware of the following when defining fields:

    • All fields from USB Version to BCD Device are always supplied by USB devices. The other fields might or might not be supplied, or they might differ from one machine to another. Whenever possible, you should use the USB Version to BCD Device fields for your match criteria.

    • All fields are exact matches with the exception of Manufacturer, Product, and Friendly Name, which allow partial matches.

    • Fields are case-insensitive.

    • The Name and Comment fields are not used in the filter.

  4. Click OK to add the device to the list.

A USB device can receive multiple access settings (group setting for this policy, device setting for this policy, and group or device settings for other USB Connectivity policies), but only one access setting can be enforced. You should make sure you understand how access conflicts are resolved.

You can use the access options to create a whitelist or a blacklist. For example:

  • To create a blacklist for removable storage devices, use the Device Group Access Settings to set the Mass Storage Class access to Enable. Then, add the disabled removable storage devices (the blacklist) and assign Always Disable access to each device.

  • To create a whitelist for printers, set the Printing Class access to Disable so that all printers are disabled. Then, use the Device Group Access Settings list to define the allowed printers (the whitelist) and assign Always Enable access to each device.

Copy an existing device from another policy

  1. Click Add > Copy Existing.

  2. Select the USB Connectivity policies whose devices you want to copy.

  3. Click OK.

All devices included in the other USB Connectivity policies are copied. If necessary, you can edit the copied devices after they are added to the list.

Import a device from a policy export file

  1. Click Add > Import.

  2. In the Select Source of Data list, make sure that Existing Policy/Component is selected.

  3. In the Select the Exported File field, click to display the Select File dialog box.

  4. Click Browse, select the export file, then click Open.

  5. Click OK to add the devices to the list.

All devices included in the export file are imported. If necessary, you can edit the imported devices after they are added to the list.

For information about exporting devices, see Export a device.

Import a device from a Device Scanner file

  1. Click Add > Import.

  2. In the Select Source of Data list, select ZESM Device Scanner Tool.

  3. In the Select the Exported File field, click to display the Select File dialog box.

  4. Click Browse, select the export file, then click Open.

  5. Click OK twice to add the devices to the list.

  6. Click a device to view the data fields included in the device definition.

    In most cases, the following fields are sufficient to provide accurate matches for a device:

    • Serial Number

    • Vendor ID

    • Product ID

    The more data fields that you include in a device definition, the more you limit the number of matches for that device. If you include all of the data fields for a scanned device, you can literally isolate the device definition to the specific USB port on the computer where the device was scanned.

  7. Modify the device data fields as necessary.

  8. Click OK to save the changes.

For information about using the Device Scanner to collect data about USB devices, see Device Scanner in the ZENworks 11 SP3 Endpoint Security Utilities Reference.

Enable or disable a device

  1. Locate the device in the list

  2. In the Enabled column, select the check box to enable the device.

    or

    Deselect the check box to disable the device.

When you add a device, it is enabled by default. You can disable a device to save it in the policy but no longer have it applied.

Edit a device

  1. Click the device name.

  2. Modify the fields as desired.

  3. Click OK.

 

Rename an device

  1. Select the check box next to the device name, then click Edit > Rename.

  2. Modify the name as desired.

  3. Click OK.

 

Export a device

  1. Select the check box next to the device name.

    You can select multiple devices to export.

  2. Click Edit > Export.

  3. Save the file.

    The default name given to the file is sharedComponents.xml. You can change the name if desired. Do not change the .xml extension.

 

Delete a device

  1. Select the check box next to the device name, then click Delete.

  2. Click OK to confirm deletion of the device.

 

A.9.5 Conflict Resolution

When a device is detected, its attributes (Device Class, Manufacturer, Product, and so forth) are compared to the attributes associated with the device groups in the Device Groups Access Settings list and the devices in the USB Device Access Settings list. In some cases, the device might match more than one group and device. For example, a removable storage device defined in the USB Device Access Settings list would also match the Mass Storage Class group.

In order to know which access setting to apply to a USB device, the Endpoint Security Agent uses the USB Connectivity policy to build an access filter to evaluate devices. If multiple USB Connectivity policies apply, the Endpoint Security Agent uses all of the policies to build the access filter.

The filter includes each access setting (Always Disable, Always Enable, and Allow) and the device groups and devices assigned to the setting. For example, assume the following group and device assignments for each access setting:

Access Setting

Group Assignments

Device Assignment

Always Disable

 

Mouse1

Thumbdrive5, Thumbdrive2

Always Enable

Human Interface Device

Printer4, Printer3, Printer1

Disable

Printing Class

Scanner1

Block

Mass Storage Class

Scanning/Imaging (PTP

Printer2

A USB device is evaluated against the filter beginning with the highest-priority setting (Always Disable) and continuing to the lowest-priority setting (Enable). If the device matches one of the device groups or devices assigned to the access setting, the device receives that access setting and the evaluation ends.

Consider the following examples:

  • Mouse1(a Human Interface Device) is detected. It is evaluated against the first setting (Always Disable). Because Mouse1 matches the Mouse1 device assignment for the Always Disable setting, Mouse1 is blocked and no further evaluation is required.

  • Mouse4 (a Human Interface Device) is detected. It is evaluated against the Always Disable setting. Mouse4 does not match any Always Disable assignments (group or device), so it is evaluated against the Always Enable assignments. Because Mouse4 is a Human Interface Device and that device group is assigned the Always Enable setting, Mouse4 is allowed and no further evaluation is required.

  • Thumbdrive1 and Thumbdrive5 (two Mass Storage Class devices) are detected. Thumbdrive5 is blocked because Always Disable (the device assignment) takes priority over Enable (the Mass Storage Class group assignment). Thumbdrive1 is allowed because it is included in the Mass Storage Class group assignment (Enable) and it does not match a device assignment.

  • Printer2 and Printer4 (two Printing Class devices) are detected. Printer4 is allowed because Always Enable (the device assignment) takes priority over Disable (the Printing Class group assignment). Printer2 is blocked because Disable (the Printing Class group assignment) takes priority over Enable (the device assignment).