Supported Permission Types

There are several levels of permission that can be enforced with Device Control. Not all permission levels are supported by all device classes, but the most common classes are the most flexible. The permissions you can enforce are listed below; for each permission type, the description is followed by the device classes that support it.

Block All Access
  Description: Both read and write access to the device is blocked.
  Device classes supported: All device classes. Human Interface Devices (HID) and the primary hard drive are never blocked. Keyboards are the one exception: they can be configured to be blocked when a keylogger is detected.

Read Only
  Description: Data may be transferred from the device to the endpoint, but not from the endpoint to the device.
  Device classes supported:
  • Citrix Network Shares
  • CD/DVD Drives
  • Floppy Disk Drives
  • LPT/Parallel Ports
  • Removable Storage Devices

Read+Write
  Description: Data may be written from the endpoint to the device and read from the device to the endpoint. Read permission is required before write permission can be granted.
  Device classes supported: All device classes.

Encrypt
  Description: The user may encrypt devices or media. You can configure the encryption methods and the access methods; these configuration settings are discussed later in this paper.
  Device classes supported:
  • CD/DVD Drives
  • Removable Storage Devices

Export to Media (encryption key)
  Description: Allows end users to place the encryption key on the encrypted device itself. The key is password protected. Access to the encrypted data therefore requires both the device and the encryption password.
  Device classes supported:
  • CD/DVD Drives
  • Removable Storage Devices

Export to File (encryption key)
  Description: Allows end users to place the encryption key in a separate file during the encryption process. This file is password protected. Access to the encrypted data therefore requires the device, the encryption key file, and the encryption password.
  Device classes supported:
  • CD/DVD Drives
  • Removable Storage Devices

Import from File (encryption key)
  Description: Allows the user to unlock an encrypted device with a previously exported encryption key file.
  Device classes supported:
  • CD/DVD Drives
  • Removable Storage Devices

Decrypt
  Description: Allows end users to destroy the data on an encrypted device. The device is formatted as a new, unencrypted volume, and the data on it is lost. Decrypt should not be confused with unlocking an encrypted device to access the data on it.
  Device classes supported:
  • CD/DVD Drives
  • Removable Storage Devices

Copy Limit
  Description: Limits the amount of data that a user can copy to external devices in a 24-hour period. Setting a reasonable copy limit caps how much data a single user can move off the endpoint before the quota is exhausted, which reduces the impact of data loss.
  Device classes supported:
  • CD/DVD Drives
  • Removable Storage Devices
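The following is an added illustration of how a copy limit of this kind behaves over time; it is not Device Control's own implementation. The page does not say whether the 24-hour period is a rolling window or a calendar day, nor whether a transfer that would exceed the limit is truncated or refused, so the model below assumes a rolling window and refuses such a transfer in full. The user names, sizes and timestamps are constructed sample data.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumption (not stated by the page): the 24-hour period is a rolling window
# measured back from each transfer, and a transfer that would exceed the limit
# is refused in full rather than truncated.
WINDOW = timedelta(hours=24)
MB = 1024 * 1024


class CopyLimit:
    """Per-user byte quota over a rolling 24-hour window (illustrative model)."""

    def __init__(self, limit_bytes: int) -> None:
        self.limit = limit_bytes
        # user -> deque of (timestamp, bytes) for transfers still inside the window
        self._history = {}

    def used(self, user: str, now: datetime) -> int:
        """Bytes the user has copied in the 24 hours ending at `now`."""
        q = self._history.setdefault(user, deque())
        while q and now - q[0][0] >= WINDOW:   # expire transfers older than the window
            q.popleft()
        return sum(size for _, size in q)

    def request(self, user: str, size: int, now: datetime) -> bool:
        """Record the transfer and return True if it fits the quota, else False."""
        if self.used(user, now) + size > self.limit:
            return False
        self._history[user].append((now, size))
        return True


if __name__ == "__main__":
    # Constructed timeline for one user against a 100 MB per 24-hour limit.
    quota = CopyLimit(100 * MB)
    t0 = datetime(2024, 1, 1, 9, 0)
    print(quota.request("alice", 60 * MB, t0))                        # True  (60 MB used)
    print(quota.request("alice", 50 * MB, t0 + timedelta(hours=1)))   # False (110 MB would exceed)
    print(quota.request("alice", 40 * MB, t0 + timedelta(hours=1)))   # True  (exactly 100 MB used)
    print(quota.request("alice", 60 * MB, t0 + timedelta(hours=25)))  # True  (earlier transfers expired)
```

A rolling window closes the obvious gap in a calendar-day quota, where a user can copy the full limit just before midnight and again just after it.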

Shadowing (filename only)
  Description: Records the name of each file transferred to or from a device, together with details such as the machine name, user name, and timestamp. The file content is not retained. The shadow records can be viewed from the Endpoint Security Console.
  Device classes supported:
  • CD/DVD Drives
  • Floppy Disk Drives
  • Removable Storage Devices

Shadowing (full file)
  Description: Retains a copy of every file transferred to or from a device. The shadowed copies can be accessed from the Endpoint Security Console.
  Device classes supported:
  • COM/Serial Ports (write only)
  • CD/DVD Drives
  • Floppy Disk Drives
  • LPT/Parallel Ports (write only)
  • Modem/Secondary NIC (write only)
  • Removable Storage Devices

  Write only: on these classes, only data written to the device is shadowed.

File Type Filtering
  Description: Controls which file types can be copied to or from devices. Enforcement is based on inspection of the file content; the file extension, which a user can simply rename, is not used. Import and export can be controlled separately: for example, you may allow Microsoft Office documents to be read from a device while allowing only PDF files to be written to it.
  Device classes supported:
  • CD/DVD Drives
  • Floppy Disk Drives
  • Removable Storage Devices
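The following is an added example of why content inspection matters for file type filtering; it is not Device Control's detection engine, and the signature list, policy table and function names are assumptions made for illustration. It classifies files by their leading magic bytes (and, for Office Open XML, by the ZIP entries), then applies the import/export policy from the paragraph above: Office documents may be read, only PDF may be written. The sample files are constructed inline, including an executable renamed to .pdf.

```python
import io
import zipfile

# Magic-number signatures matched against the start of the file content.
# The file name is deliberately ignored, since a user can rename a file.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "office-legacy"),  # OLE2 container: .doc/.xls/.ppt
    (b"MZ", "executable"),                                     # Windows PE/DOS executable
    (b"\x89PNG\r\n\x1a\n", "png"),
]

# Assumed policy: reads (device -> endpoint) may be Office documents,
# writes (endpoint -> device) may only be PDF files.
POLICY = {
    "import": {"office-legacy", "office-ooxml"},
    "export": {"pdf"},
}


def detect_type(data: bytes) -> str:
    """Classify a file by its content, never by its name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    if data.startswith(b"PK\x03\x04"):
        # Office Open XML (.docx/.xlsx/.pptx) is a ZIP archive containing
        # [Content_Types].xml plus a word/, xl/ or ppt/ folder.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        if "[Content_Types].xml" in names and any(
            n.startswith(("word/", "xl/", "ppt/")) for n in names
        ):
            return "office-ooxml"
        return "zip"
    return "unknown"


def is_allowed(direction: str, filename: str, data: bytes) -> bool:
    """Policy decision by content type; `filename` is only reported, never consulted."""
    kind = detect_type(data)
    allowed = kind in POLICY[direction]
    print(f"{direction:6} {filename:15} content={kind:14} -> {'ALLOW' if allowed else 'BLOCK'}")
    return allowed


def make_docx() -> bytes:
    """Build a minimal OOXML-shaped archive in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: an executable renamed to .pdf, a PDF with a .txt name,
    # an Office document, and a PDF being read in.
    is_allowed("export", "quarterly.pdf", b"MZ\x90\x00" + b"\x00" * 60)  # BLOCK
    is_allowed("export", "notes.txt", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n")  # ALLOW
    is_allowed("import", "budget.docx", make_docx())                     # ALLOW
    is_allowed("import", "scan.pdf", b"%PDF-1.4\n")                      # BLOCK
```

The renamed executable is blocked and the mislabelled PDF is allowed because the decision never looks at the extension; a real engine would carry many more signatures and handle containers (ZIP, ISO) recursively, but the principle is the same.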