I am still having problems with blocking USB Storage Devices.
I have a rule set up that I think should block all USB Storage Devices EXCEPT ones that I have specifically allowed. However it is still blocking devices that I have allowed.
The rule INCLUDES Bus Type of USB
The rule EXCLUDES Devices that are in a list of allowed devices (defined by "USB Device Serial Number"). I have also had to add devices by "Device Instance ID" where DLP Monitor does not list the Serial Number. These are both contained in the same list, hopefully it works as an OR list.
So, a few questions -
Why are devices that are in my excluded list still being blocked?
In DLP Monitor, why do some devices not display a USB Serial Number?
Can I use the Device Instance ID instead? What exactly is the Device Instance ID?
When entering device parameters, what does "allow partial match" mean? I have seen that the last digit on the Device Instance ID sometimes changes.
What is your objective here? Is it to block all USB storage devices (a USB device with a file system) or to block all USB devices (any device with a USB bus type)? If you are worried about data loss then you should be blocking USB devices with a file system rather than blocking devices with USB bus type only (like some USB keyboard, mouse with no storage).
Still if you want to block all devices with USB bus type, try to create the definition by taking the help of the export device parameter feature in DLP 9.0 (check the product guide) and see if that helps!
The various options in the definition work as "And" and various options within an option work as "Or" -> like if you select bus type "USB" and file type "NTFS", that will work as "AND". But if you choose multiple options within an option like USB bus, Bluetooth, Firewire etc, those work as "Or".
In the majority of cases I see the definition is not defined correctly, so check your definition for excluded devices carefully. As mentioned, take the help of the export device parameters feature.
You can use device instance id. Try to use PID/VID instead.
Partial match means it will match a pattern from the whole word or sentence you are providing while checking.
What we're trying to do is completely block file access to USB memory sticks and cameras that aren't supplied by us, but allow access to devices supplied by us. We have been supplying them and entering their USB serial number into a Removable Storage Definition list, thinking that all would be ok when we made our blocking rule live.
How would we define a USB device with a file system? How would we differentiate between known and unknown devices?
We can't use PID/VID because someone could purchase a device the same as we are supplying and use it.
We are using "export device parameters" to get the USB serial number and/or device instance id.
thanks so far,
When you are creating the device definition:
Choose bus type USB and file system as NTFS, FAT etc (exclude CDFS and UDFS). - This should be the universal USB-with-file-type definition that you want to block.
Create a specific definition for your excluded devices - When you use export parameter to create your definition it exports everything. Try to fine-tune that a little bit by selecting the must-need ones first, like USB bus type, serial numbers or other features you consider unique to the product.
Check your user assignment group also if you are including the right users!
I think we have finally got it sorted.
We have now created separate Removable Storage Device Definition lists, one containing devices' Device Instance IDs and one containing USB Device Serial Numbers.
We use both lists in one rule and devices seem to be being blocked/allowed correctly.
One thing that does seem to be happening however is that the Device Instance ID seems to change if the device is connected to a different PC - the last numbers in the chain change. Here is an example of a Samsung camera connected, in turn to two different PCs.
Device Instance ID: USBSTOR\DISK&VEN_SAMSUNG&PROD_DIGITAL_CAMERA&REV_\6&14D66548&0
Device Instance ID: USBSTOR\DISK&VEN_SAMSUNG&PROD_DIGITAL_CAMERA&REV_\6&21CB4A3&0
Is this behaviour expected? I have noticed that some Device Instance IDs contain USB Serial Numbers, but others such as those above, do not.
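Added example, not from this thread or the DLP product: a small Python helper that parses the two Device Instance IDs quoted above, flags the host-generated instance segment that changes between PCs, and shows how an exact versus "partial match" allow-list entry behaves against such an ID. The generated-segment heuristic and the serial-bearing sample ID are assumptions.

```python
import re
from dataclasses import dataclass

# A Windows device instance ID has three backslash-separated parts:
#   <enumerator>\<device ID>\<instance-specific ID>
# e.g. USBSTOR\DISK&VEN_SAMSUNG&PROD_DIGITAL_CAMERA&REV_\6&14D66548&0
# Heuristic (assumption, not a DLP product rule): when the device reports no
# USB serial number, Windows synthesises the last part from the host's bus/hub
# position, giving the shape <n>&<hex>&<n>, which differs from PC to PC.
# A device with a serial number gets <serial>&<lun> instead.
ID_RE = re.compile(r"^(?P<enum>[^\\]+)\\(?P<dev>[^\\]+)\\(?P<inst>[^\\]+)$")
GENERATED_RE = re.compile(r"^\d+&[0-9A-F]{6,}&\d+$")


@dataclass(frozen=True)
class DeviceInstanceId:
    enumerator: str
    device_id: str
    instance: str

    @property
    def host_generated(self) -> bool:
        """True when the instance part looks synthesised (no serial number)."""
        return GENERATED_RE.match(self.instance) is not None

    @property
    def stable_prefix(self) -> str:
        """The part of the ID that survives a move to another PC."""
        return f"{self.enumerator}\\{self.device_id}\\"


def parse_instance_id(raw: str) -> DeviceInstanceId:
    m = ID_RE.match(raw.strip().upper())
    if m is None:
        raise ValueError(f"not a device instance ID: {raw!r}")
    return DeviceInstanceId(m["enum"], m["dev"], m["inst"])


def matches_definition(definition: str, observed: str, partial: bool) -> bool:
    """Exact match, or 'allow partial match': definition is a substring of observed."""
    d, o = definition.strip().upper(), observed.strip().upper()
    return d in o if partial else d == o


def is_allowed(observed: str, allow_list, partial: bool = False) -> bool:
    """Allow-list check: the device passes only if some entry matches it."""
    return any(matches_definition(e, observed, partial) for e in allow_list)


def suggested_entry(raw: str) -> tuple:
    """(entry, needs_partial): full ID when stable; else the prefix, which with
    partial match admits every unit of that model, not just this one unit."""
    p = parse_instance_id(raw)
    if p.host_generated:
        return p.stable_prefix, True
    return f"{p.enumerator}\\{p.device_id}\\{p.instance}", False
```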