USB Devices White List
The devices white list allows you to authorize only specific devices that will not be locked regardless of any other settings. The intention is to allow special devices but lock all other devices.
Devices in the white list can be defined individually for every user and group.
NOTE: Audit is not performed for users' attempts to access a whitelisted device while users' attempts to insert or remove a whitelisted device are audited.
There are two ways to identify devices in the white list:
1. Device Model - represents all devices of the same model. Each device is identified by a combination of Vendor Id (VID) and Product Id (PID).
This combination of VID and PID describes a unique device model but not a unique device unit. It means that all devices belonging to the certain model of the certain vendor will be recognized as the one authorized device.
2. Unique Device - represents a unique device unit. Each device is identified by a combination of Vendor Id (VID), Product Id (PID) and Serial Number (SN).
Not all devices have serial numbers assigned. A device can be added to the white list as a Unique Device only if its manufacturer has assigned a serial number to it at the production stage.
Two steps are required to authorize a device:
1. Add the device to the devices database, making it available for adding to the white list.
2. Add the device to the white list for the specified user/group. In effect, this designates the device as authorized and allows it for this user/group at the interface (USB) level.
To define the white list, select Manage or Manage Offline from the context menu available with a right mouse click. Alternatively, you can press the appropriate button on the toolbar.
In the USB Devices Database list at the top of the dialog box, you can see devices that were added to the database.
Once devices are added from the database to the white list of a certain user, they become authorized devices for which access control is disabled when this user is logged in.
You can add a device to the USB Devices White List in two steps:
1. Select a user or user group for which this device should be allowed.
Press the Add button under the Users list to add the user/group. To delete the record from the Users list, press the Delete button.
2. Select the appropriate device record in the USB Devices Database list and press the Add button.
If the device has an assigned serial number, it can be added to the white list two times: as Device Type and as Unique Device. In this case Device Type has a priority over Unique Device.
When the Control as Type flag is checked, access control for white listed devices is disabled only on the interface (USB) level. If the white listed device (e.g. USB Flash Drive) belongs to both levels: interface (USB) and type (Removable), the permissions (if any) for the type level will be applied anyway.
Otherwise, if the Control as Type flag is unchecked, access control on the type level is also disabled. For example, by disabling the Control as Type flag for the USB Flash Drive you can bypass security checking on the Removable level.
NOTE: When you add a USB composite device (a device that is represented in the system by a parent composite device and one or more child interface devices) to the USB Devices White List, consider the following:
If you add any device of a USB composite device to the white list, access control is disabled for all devices of the composite device at the interface (USB port) level. If the white listed device belongs to both levels: interface (USB) and type ( for example, Removable) and the Control as Type check box is selected, the permissions (if any) for the type level will be applied anyway.
When the Read-only check box is selected, only read access is granted to the white listed storage device. If this device doesn't support read-only access then access to this device is blocked.
To enable auditing, shadowing and alerting for the white listed device at the type level according to settings defined in Auditing, Shadowing & Alerts (for all device types to which this device belongs to), select the Allow Audit & Shadowing as Type check box.
If it is necessary to force the white listed device to reinitialize (replug) when the new user is logged in, check the Reinitialize flag.
Some USB devices (like the mouse) won't work without being reinitialized, so it is recommended to keep this flag checked for non-storage devices.
It is recommended to keep the Reinitialize flag unchecked for storage devices (such as flash drives, optical drives, external hard drives and so on).
Some USB devices can't be reinitialized from DeviceLock Service. It means that their drivers do not support the software replug. If such a device was white listed but doesn't work, the user should remove it from the port and then insert it again manually to restart the device's driver.
To edit a device's description, select the appropriate record in USB Devices White List and press the Edit button.
Press the Delete button to delete a selected device's record (use Ctrl and/or Shift to select several records simultaneously).
To save the white list to an external file, press the Save button, then select the name of the file.
To load a previously saved white list, press the Load button and select a file that contains the list of devices.
If you need to manage the devices database, you can press the USB Devices Database button and open the appropriate dialog box.
NOTE: If you add an iPhone device to the USB Devices White List, access control is disabled for both the iPhone and its camera at the interface (USB port) level. Thus, you cannot allow access to iPhone and deny access to its camera at the interface (USP port) level. In the USB devices database, an iPhone device is identified as the "Apple Mobile Device USB Driver".
However, it is possible to allow access to iPhone's camera and deny access to iPhone. To do this, you can use any of the following methods:
Method 1. To allow access to iPhone's camera, add the iPhone to the USB Devices White List and select the Control as Type check box. To deny access to iPhone, set the No Access permission for the iPhone device type.
Method 2. To allow access to iPhone's camera, clear the Access control for USB scanners and still image devices check box in Security Settings. To deny access to iPhone, set the No Access permission for the USB port device type.