ZENworks Endpoint Security Management - USB Device Control

December 2016

This document provides test scenarios that show you how to use ZENworks Endpoint Security Management to control users’ access to USB mass storage devices.

1.0 Disabling Access to USB Mass Storage Devices

As the ZENworks administrator, you want to prohibit users from accessing USB mass storage devices on ZENworks managed devices. The following steps help you import a predefined USB Connectivity policy that disables USB mass storage devices and then assign the policy to devices.

  1. Import the policy:

    1. Copy the following files to a directory on the ZENworks Primary Server:

      When you click a filename, the file is opened or saved, or you are prompted to open or save it. You need to save the file. If it opens instead, click File > Save.

      If you downloaded the Endpoint Security Resource Kit, you can copy the files from the PolicyExamples directory.

    2. On the Primary Server, open a command prompt, change to the directory where you copied the two files, then run the following command:

      zman epi "USB - Mass Storage Class Disabled" policykey.txt USB-MassStorageClass-Disabled.xml

    3. When prompted, enter your ZENworks administrator username and password.

      The following message is displayed if the policy is successfully imported:

      Successfully created the object "USB - Mass Storage Class Disabled" in "/Policies".

  2. In ZENworks Control Center, click Policies, then click the USB - Mass Storage Class Disabled policy to display its properties.

  3. Click the Details tab.

    The policy is a global policy that enables USB device access. The USB Mass Storage Class option is set to Disable, which blocks access to USB mass storage devices. The access settings for the other device classes are inherited from other USB Connectivity policies assigned to the device or user.

  4. Click the Relationships tab.

  5. In the Device Assignments panel, add the devices to which you want to assign the policy. When prompted how to resolve policy conflicts, choose User Precedence.

  6. Test the policy on one of the assigned devices:

    1. On the device, right-click the ZENworks icon, then click Refresh to retrieve the new policy.

    2. When the device finishes refreshing, right-click the ZENworks icon and select Technical Application to display the ZENworks Agent. Click Policies and make sure the USB - Mass Storage Class Disabled policy has been successfully applied.

    3. Insert a USB device into the machine.

    4. Open Windows Explorer and look for the USB device in the list of drives. The USB device should not be listed.
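
The Windows Explorer check in step 6 can also be scripted so that the result is repeatable across several test devices. The following PowerShell is an added example, not part of the ZENworks product or of the original document. It assumes the test drive enumerates with the WMI InterfaceType value 'USB' (some USB Attached SCSI devices report 'SCSI' instead and are not covered here); the function name Get-UsbStorageExposure is hypothetical.

```powershell
# Added example: post-refresh check for the "USB - Mass Storage Class Disabled" test.
# Run in PowerShell on the managed Windows device after inserting the USB drive.

function Get-UsbStorageExposure {
    # Disk drives that Windows has enumerated over the USB interface.
    # Assumption: the test drive reports InterfaceType 'USB'.
    $usbDisks = @(Get-CimInstance -ClassName Win32_DiskDrive -Filter "InterfaceType='USB'")

    foreach ($disk in $usbDisks) {
        # Walk disk -> partition -> logical disk to find assigned drive letters.
        $letters = @(
            Get-CimAssociatedInstance -InputObject $disk -ResultClassName Win32_DiskPartition |
                ForEach-Object {
                    Get-CimAssociatedInstance -InputObject $_ -ResultClassName Win32_LogicalDisk
                } |
                Select-Object -ExpandProperty DeviceID
        )

        # One record per USB disk; Accessible is true when a volume is mounted.
        [pscustomobject]@{
            Model        = $disk.Model
            PnpDeviceId  = $disk.PNPDeviceID
            DriveLetters = ($letters -join ',')
            Accessible   = ($letters.Count -gt 0)
        }
    }
}

# Keep only the disks that ended up with a drive letter in spite of the policy.
$exposed = @(Get-UsbStorageExposure | Where-Object Accessible)

if ($exposed.Count -eq 0) {
    Write-Output 'PASS: no USB mass storage volume has a drive letter.'
} else {
    Write-Output 'FAIL: USB mass storage is reachable; check that the policy is applied.'
    $exposed | Format-Table -AutoSize Model, DriveLetters, PnpDeviceId
}
```

A PASS result corresponds to the USB device not being listed in Windows Explorer; a FAIL result lists the model and drive letter of each device that is still reachable.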

2.0 Enabling Users to Access Specific USB Mass Storage Devices

This scenario assumes that you have already applied a USB Connectivity policy that disables access to all USB mass storage devices on your ZENworks managed devices. If you have not, complete the Disabling Access to USB Mass Storage Devices scenario before continuing.

Your ZENworks administrators have a set of USB mass storage devices that you want to allow them to access, but they are being blocked by the device-assigned USB Connectivity policy. You want to override this restriction on your ZENworks administrators’ machines in order to allow them to use their USB devices.

To ensure that the USB devices are accessible only when a ZENworks administrator is logged in, you need to apply a user-assigned USB Connectivity policy that overrides the device-assigned policy already assigned to your machines. The following steps help you 1) identify the attributes for the USB mass storage devices you want to allow, 2) import a predefined USB Connectivity policy that is preconfigured to allow specific USB mass storage devices, 3) modify the policy’s list of allowed devices to include your devices, and then 4) assign the policy to your ZENworks administrators.

  1. Use the ZENworks Device Scanner to discover the information for the USB devices you want to allow:

    1. In ZENworks Control Center, download the Device Scanner tool. To do so, click Home > Download ZENworks Tools (under Common Tasks) to display the ZENworks Download page. Click Administrative Tools, then click the Endpoint Security tab. Click ZESMDeviceScannerUtilitySetup.exe to download the Device Scanner to your local machine.

    2. Double-click ZESMDeviceScannerUtilitySetup.exe to install the Device Scanner.

    3. Plug in the USB devices.

      If you need to scan more devices than you have USB ports, you can perform multiple scans.

    4. Launch the Device Scanner (Start menu > All Programs > Novell > ZENworks > ZES Device Scanner > ZES Device Scanner).

    5. Click Scan Devices to scan the USB devices.

    6. If you have additional USB devices to scan, plug them in, then click Scan Devices again.

      When you are done scanning devices, each device should have an entry in the USB Devices list.

  2. Import the policy:

    1. Copy the following files to a directory on the ZENworks Primary Server:

      When you click a filename, the file is opened or saved, or you are prompted to open or save it. You need to save the file. If it opens instead, click File > Save.

      If you downloaded the Endpoint Security Resource Kit, you can copy the files from the PolicyExamples directory.

    2. On the Primary Server, open a command prompt, change to the directory where you copied the two files, then run the following command:

      zman epi "USB - Mass Storage Devices Enabled" policykey.txt USB-MassStorageDevices-Enabled.xml

    3. When prompted, enter your ZENworks administrator username and password.

      The following message is displayed if the policy is successfully imported:

      Successfully created the object "USB - Mass Storage Devices Enabled" in "/Policies".

  3. In ZENworks Control Center, click Policies, then click the USB - Mass Storage Devices Enabled policy to display its properties.

  4. Click the Details tab.

    The policy is a global policy with all access settings inherited from other USB Connectivity policies assigned to the device or user. The USB Device Access Settings list includes one USB device, PNY USB 64 GB, that is specifically defined and assigned Always Enabled access. It is included as an example for you to use when adding your USB devices to the list.

  5. To add a device to the list:

    1. Click Add > Create New to display the Add USB Connectivity Controls dialog box.

    2. In the Access field, select Enable.

    3. In the Name field, provide a display name for the USB device.

    4. Fill in the Product, Friendly Name, and Serial Number fields with the USB device information captured by the Device Scanner.

    5. Click OK to add the device to the list, and click Apply to save the changes.

  6. Click the Relationships tab.

  7. In the User Assignments panel, add the ZENworks administrators to whom you want to assign the policy.

  8. Test the policy on one of the ZENworks administrators' devices:

    1. On the device, make sure the ZENworks administrator is logged in.

    2. Right-click the ZENworks icon, then click Refresh to retrieve the new policy.

3.0 Legal Notice

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.novell.com/company/legal/.

Copyright © 2016 Novell, Inc., a Micro Focus company. All Rights Reserved.