Add Shadowing
An administrator can establish visibility for the file content read from and written to devices connected to clients. This type of visibility is referred to as file shadowing.
File shadowing can be applied to the following device classes:
- COM/Serial Ports
- DVD/CD Drives
  When burning to a CD/DVD/BD, only files burned during a single/first session are shadowed.
- LPT/Parallel Ports
- Floppy Disk Drives
- Printers
  You can assign shadowing only to the main printer class under default settings, or to a specific computer under machine-specific settings.
  Only print jobs sent to printers that use the Microsoft Windows Print Spooler service are shadowed.
- Removable Storage Devices
You can also apply file shadowing to:
- Device groups
- Computer-specific devices or device model types
- In the Management Console, select View > Modules > Device Explorer.
- From the Default settings division of the Device Explorer hierarchy, right-click a device, device class, or device type.
- Select Add Shadow from the right-mouse menu.
- Click Add.
  The Select Group, User, Local Group, Local User dialog opens.
- Select the user or user group and click Next.
  The Choose Bus dialog opens.
- Select All or individual bus types.
  Important: The available bus types shown depend on the device class you selected. The Encryption panel is only active, with all options selected by default, for the Removable Storage Devices and DVD/CD Drives device classes.
- Select a Drive option.
- Click Next.
  The Choose Permissions dialog opens.
- In the Read and/or Write panels, choose one of the following options:

  | Option | Description |
  |---|---|
  | Disabled | File content copying is not active. |
  | FileName | File content copying is not active; only the file name of a file copied to or from a device is saved in the Ivanti Device and Application Control database. |
  | Enabled | File content copying is active. |

  Restriction: Only the Write panel is active for the COM/Serial Ports, LPT/Parallel Ports and Printers device classes.
- Click Next.
- From the Finish dialog, click Finish.
The shadow permission details are shown in the Permissions column of the Device Explorer hierarchy. A value of R means that shadowing is enabled for files read from the device, W means that it is enabled for files written to the device, and no letter means that shadowing is enabled for both reading and writing files. You can review shadowed files using the Log Explorer module.
Specifying where shadow files are stored
Using shadowing in large environments can lead to substantial storage requirements. To handle this, you can change the default path where shadow files are stored: either on your own storage servers or, using third-party applications that mount cloud storage as drives, in the cloud.
You do this using two values of type REG_SZ in the registry key Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sxs\parameters:
- DataFileDirectory: the location used to store shadow files and scan files; it is also used for temporary storage while agents upload logs, shadow files, and scan files.
- TempFileDirectory: optional. If the location specified in DataFileDirectory is on a remote server, the location specified here offloads the intensive temporary accesses to a local folder or a nearby share with low latency.
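The following PowerShell script is an added example, not part of the Ivanti documentation: it sets the two REG_SZ values named above and then reports the ACLs of the chosen folders, since shadow files are copies of user data and should not be readable by broad groups. The key path and value names come from this page; the folder paths and share name are placeholders.

```powershell
# Added example: point the Ivanti Device and Application Control server at a
# custom shadow-file store. Key path and value names are from the documentation;
# the directories below are placeholders and must be replaced.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\sxs\parameters'
$DataDir = '\\STORAGE-SERVER\ShadowFiles$'   # placeholder: remote share or cloud-mounted drive
$TempDir = 'D:\DAC\ShadowTemp'               # placeholder: local, low-latency folder

# Create the parameters key if it does not exist yet.
if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }

# Make sure both folders exist before the server is pointed at them.
foreach ($dir in @($DataDir, $TempDir)) {
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
}

# Both values must be REG_SZ, which PowerShell calls the 'String' property type.
New-ItemProperty -Path $KeyPath -Name 'DataFileDirectory' -PropertyType String -Value $DataDir -Force | Out-Null
New-ItemProperty -Path $KeyPath -Name 'TempFileDirectory' -PropertyType String -Value $TempDir -Force | Out-Null

# Verify what was written.
Get-ItemProperty -Path $KeyPath | Select-Object DataFileDirectory, TempFileDirectory

# Shadowed content is sensitive: list each folder's ACL and warn if broad groups have access.
foreach ($dir in @($DataDir, $TempDir)) {
    $acl = (Get-Acl -Path $dir).Access
    $acl | Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize
    $broad = $acl | Where-Object { $_.IdentityReference -match 'Everyone|BUILTIN\\Users|Authenticated Users' }
    if ($broad) {
        Write-Warning "$dir grants access to broad groups; restrict it to the server service account and the administrators who review shadow files."
    }
}
```

Whether the server service must be restarted for the new values to take effect is not stated on this page; check the server documentation before relying on the change.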
Related Information
- Permissions Dialog
- Default Settings Permissions Priority
- File Filters
- BitLocker Encrypted Devices
- Working with Custom File Types
- File Type Filtering and Data Loss Prevention Combination Matrix
Related Tasks
- Assigning Permission to a BitLocker Encrypted Device
- Assign Permissions by Devices
- Assign Permission by Computers
- Manage Online Permission
- Manage Offline Permissions
- Assign Scheduled Permissions to Users
- Assign Temporary Permissions to Users
- Manage Shadowing
- Add Copy Limit
- Remove Copy Limit
- Add Event Notification
- Manage Event Notification
- Creating a Data Loss Prevention (DLP) Filter
- Assigning a Data Loss Prevention Filter to a Specific User or Group