5.9 USB Connectivity Policy

The following instructions assume that you are on the Configure USB Connectivity Settings page in the Create New USB Connectivity Policy Wizard (see Creating Security Policies) or that you are on the Details page for an existing USB Connectivity policy (see Editing a Policy’s Details).

The USB Connectivity policy lets you control whether or not a device supports USB devices. You can allow all USB devices, block all USB devices, or control access for groups or individual USB devices based on attributes such as Device Class, Manufacturer, Product, and Serial Number.

5.9.1 Configure USB Devices

Select whether or not USB connections are supported:

  • Enable: Enables support for USB connections by keeping a device’s USB bus active. You can then enable or disable access for groups of USB devices or individual devices.

  • Disable: Disables support for USB connections by deactivating a device’s USB bus. All USB devices (keyboards, mice, storage devices, and so forth) are disabled. If you select this option, the remaining options (Default Device Access, Device Group Access Settings, and USB Device Access Settings) do not apply and are disabled.

  • Inherit: If the policy’s Inherit from Policy Hierarchy setting is enabled, inherits this setting from other USB Connectivity policies assigned higher in the policy hierarchy. For example, if you assign this policy to a user, the setting is inherited from any USB Connectivity policies assigned to the user’s groups, folders, or zone.

5.9.2 Choose the Default Device Access

Some USB devices might not match any of the device groups or individual devices you define in this policy. Select the default access (Enable, Disable, or Inherit) to assign to those USB devices.

5.9.3 Configure Device Group Access Settings

You can specify access settings for each of the device groups listed in the following table. Each group is defined by a specific base class code. When a device’s base class matches a group, the device receives the group’s access setting.

Device Group                  | Base Class Code | Examples
------------------------------|-----------------|------------------------------------------------------------------
Human Interface Device (HID)  | 03h             | Mice, keyboards, game controllers
Mass Storage Class            | 08h             | Flash drives, external hard drives, personal digital assistants (PDAs), mobile phones, cameras, Windows portable devices (WPDs)
Printing Class                | 07h             | Printers
Scanning/Imaging (PTP)        | 06h             | Scanners, any device that uses the Picture Transfer Protocol

Select one of the following access settings for each group:

  • Disable: Disable access for all devices that are members of the device group.

    If there are individual devices in the group for which you want to enable access, you can enable them in the Configure USB Device Access Settings. A device’s individual access setting overrides its group access setting.

    For example, assume that your organization only supports SanDisk USB devices. You could disable the Mass Storage Class so that all removable storage devices are blocked and then use the USB Device Access Settings list to enable all SanDisk devices.

  • Enable: Enable access for all devices that are members of the device group.

    If there are individual devices in the group for which you want to disable access, you can disable them in the Configure USB Device Access Settings. A device’s individual access setting overrides its group access setting.

  • Default Device Access: Give the device group the access specified by the Default Device Access setting.

  • Inherit: If the policy’s Inherit from Policy Hierarchy setting is enabled, inherit this setting from other USB Connectivity policies assigned higher in the policy hierarchy. For example, if you assign this policy to a user, the setting is inherited from any USB Connectivity policies assigned to the user’s groups, folders, or zone.

5.9.4 Configure USB Device Access Settings

The device groups use one attribute (Device Class) as the match criterion. If you have devices whose access you want to control based on matching different or additional attributes, you can use the USB Device Access Settings list.

The individual device access settings override the device group access settings. For example, assume that the only mass storage device you want to allow is the Acme USB2 drive. In the Device Group Access Settings, you set Mass Storage Class to Disable. You then add the Acme USB2 to the USB Device Access Settings list and set the access to Enable. The individual setting for the Acme USB2 overrides its group setting, so the device is allowed.

Devices are evaluated against the USB Device Access Settings list from top to bottom. A device is assigned the access setting for the first device definition it matches, even if it matches another definition lower in the list. For example, assume that you want to disable all SanDisk devices except for the SanDisk Ultra. You add the SanDisk Ultra to the list and set the access to Enable. You then add a general SanDisk definition to the list and set the access to Disable. As long as the SanDisk Ultra definition is listed before the SanDisk definition in the list, the SanDisk Ultra is allowed.

The following tasks describe how to manage the USB Device Access Settings list. Each task lists its steps, followed by additional details where they apply:

Create a new device

  1. Click Add > Create New.

  2. Select the access you want assigned to the device:

    • Disable: Disable access.

    • Enable: Enable access.

    • Default Device Access: Give the device the access specified by the Default Device Access setting.

  3. (Optional) Add a comment to further identify the device.

    The Comment field is not a match field. It is used only in ZENworks Control Center to identify the device.

  4. On the Recommended tab, fill in the fields you want to use as match criteria for the device.

  5. On the Advanced tab, fill in the fields you want to use as match criteria for the device.

  6. Click OK to add the device to the list.

The fields on the Recommended tab are typically sufficient to use as the match criteria. As a best practice, we recommend that you use the fewest fields needed to accurately match the device. The more fields you use, the more restrictive the definition becomes.

The Manufacturer, Product, and Friendly Name fields are substring match. For example, “San” and “SanDisk” both match all SanDisk devices, while “SanDisk Cruzer” and “Cruzer” match all SanDisk Cruzer devices but exclude all other SanDisk devices.

The Serial Number, Vendor ID, and Product ID fields are exact match. Be aware that not all devices have unique serial numbers. To guarantee a unique match based on a serial number, use the Vendor ID and Product ID fields as well.

The Recommended fields are not case sensitive.

The fields on the Advanced tab can be used to refine the match criteria in order to isolate very specific devices. Using these fields can restrict a device definition so that it matches only a single device on a specific USB port on a specific computer.

All of the Advanced fields are exact match. They are not case sensitive.

Copy an existing device from another policy

  1. Click Add > Copy Existing.

  2. Select the USB Connectivity policies whose devices you want to copy.

  3. Click OK.

All devices included in the other USB Connectivity policies are copied. If necessary, you can edit the copied devices after they are added to the list.

Import a device from a policy export file

  1. Click Add > Import.

  2. In the Select Source of Data list, make sure that Existing Policy/Component is selected.

  3. In the Select the Exported File field, click to display the Select File dialog box.

  4. Click Browse, select the export file, then click Open.

  5. Click OK to add the devices to the list.

All devices included in the export file are imported. If necessary, you can edit the imported devices after they are added to the list.

For information about exporting devices, see Export a device.

Import a device from a Device Scanner file

  1. Click Add > Import.

  2. In the Select Source of Data list, select ZESM Device Scanner Tool.

  3. In the Select the Data File field, click to display the Select File dialog box.

  4. Click Browse, select the export file, then click Open.

  5. Click OK.

  6. Select the fields you want to import for each device in the data file.*

    The recommended fields are selected by default. As a best practice, we recommend that you import the fewest fields needed to accurately match the device. The more fields you use, the more restrictive the definition becomes.

  7. Click OK to import the devices.

* The Access field must be selected on import if you want the access setting that is defined in the Device Scanner file to map to the USB Device Access Setting.

For information on how Access settings map, see Access Import Mapping.

For information about using the Device Scanner to collect data about USB devices, see Device Scanner in the ZENworks Endpoint Security Utilities Reference.

Enable or disable a device

  1. Locate the device in the list.

  2. In the Enabled column, select the check box to enable the device.

    or

    Deselect the check box to disable the device.

When you add a device, it is enabled by default. You can disable a device to save it in the policy but no longer have it applied.

Edit a device

  1. Click the device name.

  2. Modify the fields as desired.

  3. Click OK.


Rename a device

  1. Select the check box next to the device name, then click Edit > Rename.

  2. Modify the name as desired.

  3. Click OK.


Export a device

  1. Select the check box next to the device name.

    You can select multiple devices to export.

  2. Click Edit > Export.

  3. Save the file.

    The default name given to the file is sharedComponents.xml. You can change the name if desired. Do not change the .xml extension.


Delete a device

  1. Select the check box next to the device name, then click Delete.

  2. Click OK to confirm deletion of the device.
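The following is an added example, not ZENworks code: a small model of how a USB Connectivity policy resolves one device's access, combining the evaluation order and override rules from the start of this section (individual definitions win over group settings, first match from the top of the list) with the match-field rules from the Create a new device details (substring match for Manufacturer, Product, and Friendly Name; exact match for Serial Number, Vendor ID, and Product ID; all case-insensitive). It assumes a policy whose Inherit values have already been resolved, and the field names, sample policy, and sample devices are constructed for illustration.

```python
# Added example, not ZENworks code: models policy resolution for one USB device.
# Field names, the sample policy and the sample devices are constructed.

SUBSTRING_FIELDS = ("manufacturer", "product", "friendly_name")  # case-insensitive substring
EXACT_FIELDS = ("serial_number", "vendor_id", "product_id")       # case-insensitive exact

# Base class codes from the Device Group Access Settings table.
GROUPS = {0x03: "hid", 0x08: "mass_storage", 0x07: "printing", 0x06: "imaging"}


def definition_matches(definition, device):
    """True when every filled-in match field of the definition agrees with the device."""
    for field, wanted in definition["match"].items():
        actual, wanted = str(device.get(field, "")).lower(), str(wanted).lower()
        if field in SUBSTRING_FIELDS and wanted not in actual:
            return False
        if field in EXACT_FIELDS and wanted != actual:
            return False
    return True


def resolve_access(policy, device):
    """Return 'Enable' or 'Disable' for a device under an already-resolved policy."""
    if policy["usb"] == "Disable":  # USB bus deactivated: every device is blocked
        return "Disable"
    default = policy["default_device_access"]
    # Individual definitions override group settings; first match, top to bottom.
    for definition in policy["devices"]:
        if definition["enabled"] and definition_matches(definition, device):
            access = definition["access"]
            return default if access == "Default Device Access" else access
    group = GROUPS.get(device.get("base_class"))
    access = policy["groups"].get(group, "Default Device Access")
    return default if access == "Default Device Access" else access


# Constructed policy: block the Mass Storage Class, allow only the SanDisk Ultra,
# and block every other SanDisk device. The Ultra definition must be listed first.
POLICY = {
    "usb": "Enable",
    "default_device_access": "Enable",
    "groups": {"mass_storage": "Disable"},
    "devices": [
        {"enabled": True, "access": "Enable",
         "match": {"manufacturer": "SanDisk", "product": "Ultra"}},
        {"enabled": True, "access": "Disable", "match": {"manufacturer": "San"}},
    ],
}
ULTRA = {"base_class": 0x08, "manufacturer": "SanDisk", "product": "SanDisk Ultra"}
CRUZER = {"base_class": 0x08, "manufacturer": "SanDisk", "product": "Cruzer"}
MOUSE = {"base_class": 0x03, "manufacturer": "Acme", "product": "Acme Mouse"}
```

Reversing the two SanDisk definitions makes the general "San" definition match the Ultra first and blocks it, which is the ordering pitfall the section describes.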


Access Import Mapping

Device Scanner Access Setting | USB Device Access Setting
------------------------------|--------------------------
Allow                         | Enable
Block                         | Disable
Always Allow                  | Enable
Always Block                  | Disable
Default Access                | Default Device Access