Supported Permission Types
There are several levels of permission that can be enforced with Device Control. While not all permission levels are supported by all classes, the most common classes are the most flexible. Here are the permissions that you can enforce, by device class.
| Permission Type | Description | Device Classes Supported |
|---|---|---|
| Block All Access | Both read and write access to the device is blocked. | All device classes. Human Interface Devices (HID) and the primary hard drive are never blocked. Keyboards are the one exception—they can be configured to be blocked when a keylogger is detected. |
| Read Only | Data may be transferred from the device to the endpoint. | |
| Read+Write | Data may be written from the endpoint to the device, and read from the device to the endpoint. Read permission is required to grant write permission. | All device classes. |
| Encrypt | The user may encrypt devices or media. You can configure: These configuration settings are discussed later in this paper. | |
| Export to Media (encryption key) | This permission allows end users to place the encryption key on the device itself. The key is password protected. Access to the encrypted data requires: | |
| Export to File (encryption key) | This permission allows end users to place an encryption key in a separate file during the encryption process. This file is password protected. Access to the encrypted data requires: | |
| Import from File (encryption key) | This permission allows the user to use an exported encryption key file to unlock an encrypted device. | |
| Decrypt | This permission allows end users to destroy the data on an encrypted device. This action formats the device as a new, unencrypted volume. Data on the device is lost. Decrypt should not be confused with unlocking an encrypted device to access the data on the device. | |
| Copy Limit | This permission limits the amount of data that a user can copy to external devices in a 24-hour period. Setting reasonable copy limits can reduce data loss. | |
| Shadowing (filename only) | This permission records the names of files that are transferred to or from devices. All details (such as the machine name, user name, and timestamp) are also recorded. The shadowed copy can be accessed from the Endpoint Security Console. | |
| Shadowing (full file) | This permission retains a copy of every file transferred to or from devices. The shadowed copy can be accessed from the Endpoint Security Console. | 1 Write Only |
| File Type Filtering | This permission allows you to control the specific file types that can be copied to or from devices. The file content is inspected; the file extension (which can be altered) is not used for enforcement. You can control the import and export of file types separately. For example, you may allow the reading of Microsoft Office documents but only allow the writing of PDF files. | |
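The following is an added illustration, not code from the Device Control product, of how two of the permissions in the table behave: Copy Limit as a rolling 24-hour byte quota, and File Type Filtering as a decision made on file content (magic numbers and, for OOXML, the ZIP's content-types part) rather than the extension, with separate import and export policies. The policy dictionary, the quota size, the `evaluate_transfer` function and the sample files are all constructed for the example; the table's own example policy (read Office documents, write only PDFs) is what the policy encodes.

```python
"""Added illustration (not the product's own code) of two permission types from
the table: Copy Limit (a rolling 24-hour byte quota) and File Type Filtering
(decisions based on file content, not the extension, with separate import and
export policies). All policy values and sample files below are constructed."""
import io
import zipfile
from collections import deque

# Well-known magic numbers used for content inspection.
PDF_MAGIC = b"%PDF-"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.xlsx/.pptx) is a ZIP


def detect_type(data: bytes) -> str:
    """Classify a file by its bytes; returns 'pdf', 'office' or 'unknown'."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(OLE_MAGIC):
        return "office"
    if data.startswith(ZIP_MAGIC):
        # Only a ZIP that carries the OOXML content-types part counts as Office.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if "[Content_Types].xml" in zf.namelist():
                    return "office"
        except zipfile.BadZipFile:
            pass
    return "unknown"


# Hypothetical policy mirroring the table's example: read Office docs and PDFs
# from the device, but write only PDFs to it.
FILE_TYPE_POLICY = {
    "import": {"office", "pdf"},  # device -> endpoint
    "export": {"pdf"},            # endpoint -> device
}


class CopyLimit:
    """Sliding 24-hour byte quota for data written to external devices."""

    WINDOW_SECONDS = 24 * 3600

    def __init__(self, limit_bytes: int):
        self.limit = limit_bytes
        self.events = deque()  # (timestamp, bytes) in arrival order

    def used(self, now: float) -> int:
        # Drop events that have aged out of the window, then sum the rest.
        while self.events and now - self.events[0][0] >= self.WINDOW_SECONDS:
            self.events.popleft()
        return sum(n for _, n in self.events)

    def charge(self, now: float, nbytes: int) -> bool:
        """Record the copy and return True if it fits within the quota."""
        if self.used(now) + nbytes > self.limit:
            return False
        self.events.append((now, nbytes))
        return True


def evaluate_transfer(direction: str, data: bytes, quota: CopyLimit, now: float) -> str:
    """Return 'allow' or the reason the transfer is blocked.
    The filename is deliberately not an input: only the content is inspected."""
    kind = detect_type(data)
    if kind not in FILE_TYPE_POLICY[direction]:
        return f"blocked: file type {kind!r} not permitted for {direction}"
    if direction == "export" and not quota.charge(now, len(data)):
        return "blocked: 24-hour copy limit exceeded"
    return "allow"


def make_ooxml_sample() -> bytes:
    """Constructed minimal OOXML-shaped ZIP (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
    return buf.getvalue()


# Constructed sample inputs (29-byte PDF; a PE header that an extension cannot disguise).
SAMPLE_PDF = b"%PDF-1.4\n%constructed sample\n"
SAMPLE_EXE_RENAMED = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    quota = CopyLimit(limit_bytes=40)
    print(evaluate_transfer("import", make_ooxml_sample(), quota, now=0))    # allow
    print(evaluate_transfer("export", make_ooxml_sample(), quota, now=0))    # blocked: file type
    print(evaluate_transfer("export", SAMPLE_PDF, quota, now=0))             # allow
    print(evaluate_transfer("export", SAMPLE_PDF, quota, now=3600))          # blocked: copy limit
    print(evaluate_transfer("export", SAMPLE_PDF, quota, now=90000))         # allow (window rolled)
    print(evaluate_transfer("export", SAMPLE_EXE_RENAMED, quota, now=0))     # blocked: file type
```

The quota is only charged for exports that pass the type check, so a blocked file never consumes a user's daily allowance, and the renamed executable is refused because its bytes say "PE", whatever name it carries.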