The names of the users and user groups assigned to a device
type are shown in the list of accounts on the top left-hand side of
the Permissions dialog box.
To add a new user or user group to the list of accounts, click
on the Add button. You can add several accounts
simultaneously.
To delete a record from the list of accounts, use the
Delete button. Using Ctrl and/or Shift you
can highlight and remove several records simultaneously.
Use the Set Default button to
set default permissions for devices.
Using special time control, you can define a time when the
selected user or user group will or will not have access to
devices. Time control appears at the top-right side of the
Permissions dialog box. Use the left mouse button and select
the allowed time. To select a denied time, use the right mouse
button. Also, you can use the keyboard to set times - arrow keys
for navigation and the spacebar to toggle allowed/denied
time.
To define which actions on devices are to be allowed for a
user or user group, set the
appropriate rights. All rights are divided into three groups:
Generic, Encrypted and Special Permissions.
Each group has its own set of rights:
- Generic - Generic rights do
not apply to devices that are recognized by DeviceLock Service as
encrypted devices.
Read - to enable data
reading from the device. Applies to all device types except
Clipboard and Printer.
Write - to enable the data
writing to the device. With the exception of Windows Mobile
and iPhone, this right can be enabled for all devices only
if Read is selected in the Generic group. It can't be
disabled for BlackBerry, Bluetooth, Infrared
port, Parallel port, Serial port and WiFi
device types. When Write is disabled for USB and FireWire
ports it has the following effects: storage devices such as flash
drives, floppies, hard disks, optical drives, etc. can be read, but
not written to; non-storage devices such as printers, scanners,
etc. can't be accessed.
Format - to enable the
formatting, checking, and any other direct access of drives. You
can enable this right only if Read is selected in the
Generic group. Applies only to FireWire port,
Floppy, Hard disk, Removable and USB
port device types. When this right is enabled for USB and
FireWire ports it affects only storage devices plugged into these
ports.
Eject - to enable ejection
of the media. You can enable this right only if Read is
selected in the Generic group. This right controls only
ejection via software. Hardware ejection using the eject button on
a device's front panel can't be prevented. Applies only to
FireWire port, Floppy, Optical Drive,
Removable and USB port device types. When this right
is enabled for USB and FireWire ports it affects only storage
devices plugged into these ports.
Execute - to enable remote
code execution on the device's side. Applies only to the Windows
Mobile device type.
Modem - to enable use of the
Internet Tethering feature. Applies only to the iPhone
device type.
Print - to enable document
printing. Applies only to the Printer device type.
Copy to clipboard - to
enable data pasting from the clipboard. Applies only to the
Clipboard device type. This right automatically grants full
access to the clipboard.
Mapped Drives Read - to
enable data reading from mapped drives during a terminal session.
Applies only to TS Devices.
Mapped Drives Write - to
enable data writing to mapped drives during a terminal session.
Applies only to TS Devices.
Serial Port Access - to
enable access to serial ports during a terminal session. Applies
only to TS Devices.
USB Devices Access - to
enable access to USB devices during a terminal session. Applies
only to TS Devices.
Clipboard Incoming Text - to
enable pasting text data from the clipboard to a terminal session/
virtual machine. Applies only to TS Devices.
Clipboard Outgoing Text - to
enable pasting text data from the clipboard from a terminal
session/ virtual machine. Applies only to TS Devices.
Clipboard Incoming Image -
to enable pasting graphical data from the clipboard to a terminal
session/ virtual machine. Applies only to TS Devices.
Clipboard Outgoing Image -
to enable pasting graphical data from the clipboard from a terminal
session/ virtual machine. Applies only to TS Devices.
Clipboard Incoming Audio -
to enable pasting audio data from the clipboard to a terminal
session/ virtual machine. Applies only to TS
Devices.
Clipboard Outgoing Audio -
to enable pasting audio data from the clipboard from a terminal
session/ virtual machine. Applies only to TS
Devices.
Clipboard Incoming File - to
enable pasting files from the clipboard to a terminal session/
virtual machine. Applies only to TS Devices.
Clipboard Outgoing File - to
enable pasting files from the clipboard from a terminal session/
virtual machine. Applies only to TS Devices.
Clipboard Incoming Unidentified
Content - to enable pasting any other uncategorized content
from the clipboard to a terminal session/ virtual machine. Applies
only to TS Devices.
Clipboard Outgoing Unidentified
Content - to enable pasting any other uncategorized content
from the clipboard from a terminal session/ virtual machine.
Applies only to TS Devices.
- Encrypted - encrypted rights
only apply to devices that are recognized by DeviceLock Service as
encrypted devices.
Read - to enable data
reading from an encrypted device. Applies only to the
Removable device type.
Write - to enable data
writing to an encrypted device. You can enable this right only if
Read is selected in the Encrypted group. Applies only
to the Removable device type.
Format - to enable the
formatting, checking, and any other direct access of encrypted
drives. You can enable this right only if Read is selected
in the Encrypted group. Applies only to the Removable
device type.
- Special Permissions - these
rights only apply to iPhone, Windows Mobile,
Palm and Clipboard device types. The content types
(Calendar, Contacts, Tasks, etc.) that are controlled by
these rights for iPhone, Windows Mobile, and Palm devices represent
the same content types that exist in iTunes, HotSync, Microsoft
ActiveSync and WMDC applications. For Palm devices, you can enable
any Write right only if the corresponding Read right
is also enabled.
Read Calendar - to enable
reading the calendar on a mobile device from a PC.
Write Calendar - to enable
writing to a calendar on a mobile device from a PC.
Read Contact - to enable
reading contacts on a mobile device from a PC.
Write Contact - to enable
writing contacts from a PC to a mobile device.
Read E-mail - to enable
reading e-mails on a mobile device from a PC. For iPhone, this
content type represents e-mail account settings but not messages
because iTunes doesn't support sync of messages.
Write E-mail - to enable
writing e-mails from a PC to a mobile device. For iPhone, this
content type represents e-mail account settings but not messages
because iTunes doesn't support sync of messages.
Read Attachment - to enable
reading e-mail attachments on a Windows Mobile device from a PC.
You can enable this right only if Read E-mail is selected in
the Special Permissions group.
Write Attachment - to enable
writing e-mail attachments from a PC to a Windows Mobile device.
You can enable this right only if Write E-mail is selected
in the Special Permissions group.
Read Favorite - to enable
reading favorites on a Windows Mobile device and iPhone from a
PC.
Write Favorite - to enable
writing favorites from a PC to a Windows Mobile device and
iPhone.
Read File - to enable
reading files on a mobile device from a PC. For iPhone, data flows
of the Applications iTune's type are treated as
files.
Write File - to enable
writing files from a PC to a mobile device. For a Palm device this
right also enables Write Document in the Special
Permissions group. For iPhone, data flows of the
Applications iTune's type are treated as files.
Read Media - to enable
reading media content using Windows Media Player on a Windows
Mobile device and reading media files on a Palm device and iPhone
from a PC. You can enable this right only if Read Files is
selected in the Special Permissions group. For a Windows
Mobile device, this option also requires selecting Execute
from the Generic group. For iPhone, the media content type
consists of the following iTunes types: Ringtones,
Music, Audiobooks, Photos, Podcasts
(Audio & Video), Movies, TV shows, Rented
Movies.
Write Media - to enable
writing media content using Windows Media Player to a Windows
Mobile device and writing media files to a Palm device and iPhone
from a PC. You can enable this right only if Write Files is
selected in the Special Permissions group and, for a Windows
Mobile device, if Execute is selected from the
Generic group. For iPhone, the media content type consists
of the following iTunes types: Ringtones, Music,
Audiobooks, Photos, Podcasts (Audio &
Video), Movies, TV shows, Rented
Movies.
Read Backup - to enable
creating the iPhone backup by reading the device data from a PC.
NOTE:An
iPhone device is backed up by iTunes each time users sync with
iTunes (automatically on the first sync, every time they connect it
to the computer). To allow synchronization to complete
successfully, grant the Read Backup permission to users for the
iPhone device type. Otherwise, if iTunes automatically creates a
backup of their iPhone, the synchronization session will be
interrupted.
To avoid interrupting the
synchronization process, users should set iTunes to sync only the
content to which they are allowed access.
Write Backup - to enable
restoring iPhone by writing the device backup data from a
PC.
Read Note - to enable
reading notes on a mobile device from a PC. For a Palm device this
right controls Memos and Note Pad content
types.
Write Note - to enable
writing notes from a PC to a mobile device. For a Palm device this
right controls Memos and Note Pad content
types.
Read Pocket Access - to
enable reading Pocket Access databases on a Windows Mobile device
from a PC.
Write Pocket Access - to
enable writing Pocket Access databases from a PC to a Windows
Mobile device.
Read Task - to enable
reading tasks on a mobile device from a PC.
Write Task - to enable
writing tasks from a PC to a mobile device.
Read Expense - to enable
reading Palm Expense application data on a Palm device from a
PC.
Write Expense - to enable
writing Palm Expense application data from a PC to a Palm
device.
Read Document - to enable
reading Palm documents on a Palm device from a PC. You can enable
this right only if Read Files is selected in the Special
Permissions group.
Write Document - to enable
writing Palm documents from a PC to a Palm device. You can enable
this right only if Write Files is selected in the Special
Permissions group.
Read Unidentified Content -
to enable reading any other uncategorized content type on a Windows
Mobile device from a PC.
Write Unidentified Content -
to enable writing any other uncategorized content type from a PC to
a Windows Mobile device.
Copy Text - to enable
pasting text data from the clipboard.
Copy Image - to enable
pasting graphical data from the clipboard.
Copy Audio - to enable
pasting audio data from the clipboard.
Copy File - to enable
pasting files from the clipboard.
Screenshot - to enable
capturing screen shots of the entire screen, the active window or
any segment of the screen to the clipboard.
NOTE:Because screen shots captured using screen capture tools and
utilities are saved directly to files while screen shots captured
by pressing the PRINT SCREEN key are first copied to the clipboard
and then must be pasted into a separate program (for example,
Microsoft Word or Paint), different access rights are required to
control access to screen shots. To allow users to capture screen
shots using screen capture tools and utilities, you must grant them
only the Screenshot right. To allow users to capture screen shots
by pressing the PRINT SCREEN key, you must grant them the
Screenshot and Copy Image rights.
If users do not have the
Screenshot right, they cannot capture screen shots using the
PrintScrn key or screen capture tools and utilities.
Copy Unidentified Content -
to enable pasting any other uncategorized content type from the
clipboard.
NOTE:The Copy Text, Copy Image, Copy
Audio, Copy File, and Copy Unidentified Content rights do not
control data copying to the clipboard. Users can always copy data
to the clipboard regardless of the rights they
have.
NOTE: If the access (read and/or write) to some content
type is denied during the iPhone or Windows Mobile synchronization
process, you have to replug the device in order to continue using
the iPhone or Windows Mobile device.
When users attempt to synchronize a Palm handheld device
over a network and DeviceLock denies access to some content type,
the synchronization session is interrupted. To avoid this
situation, users should set the HotSync application to sync only
the content to which they are allowed access before attempting
synchronization.
If all Allow rights are enabled for the user account it
means that this account has "full access" rights. If all
Deny rights are enabled for the user account it means that
this account has "no access" rights. If neither Allow nor
Deny rights are enabled for the user account it means that
this account inherits access rights from its user group (if there
is no group to inherit rights from, then this account has "no
access" rights).
NOTE: The "no access" right has a priority over all other
rights. It means that if the group to which some user belongs has
the "no access" right but this user has "full access", the user
still can't access a device. If you want to deny access for some
user or group, you can just remove it from the account's list, it
is not necessary to add it with "no access".
Also, the Everyone user has a priority over all other
accounts. It means that if Everyone has the "no access" right, no
one can access a device.
Even if you deny access to hard disks, users with local
administrative privileges (the SYSTEM user and members of
the local Administrators group) still can access the
partition where Windows is installed and running.
We recommend that you add only those accounts (users and/or
groups) to the list which should be able to access a device.
If the account's list is empty (contains no records at all)
then no one can access a device.
Also, it is recommended to add the SYSTEM user with
"full access" to hard disks and optical drives.