The Ivanti Device Control Options Page

The Ivanti Device Control (Device Control) Options page lets you view global Device Control options and edit them to suit your needs.

General settings

Option

Description

Syslog server address for endpoint events

Specify the third-party syslog server to be used. This field must contain either an IP address or a hostname, optionally followed by a port number. The field is empty by default.

Cryptographic compliance mode

Select True to force endpoints to use FIPS140-2 Level 2 encryption when encrypting devices and media.

Agent status and update notifications

Select the status changes that generate an endpoint notification.

Agent permission change notifications

Select the messages related to permission changes the agent will show endpoint users.

Agent action on detect USB keylogger

Select the action to be performed when an agent detects a new USB keyboard connection, which could potentially be a USB keylogger (or another device presenting itself as a keyboard).

  • Disabled: No action is taken on new USB keyboard connections.
  • Notify user: User is notified on-screen to check for the presence of a keylogger.
  • Log event: A Detected keyloggers event is logged.
  • Notify user and log event: User is notified on-screen to check for the presence of a keylogger and a Detected keyloggers event is logged.
  • Block keyboard and notify user: The new USB keyboard connection is blocked and the user is notified on-screen to check for the presence of a keylogger.
  • Block keyboard and log event: The new USB keyboard connection is blocked and a Detected keyloggers event is logged.
  • Block, notify and log event: The new USB keyboard connection is blocked, the user is notified on-screen to check for the presence of a keylogger, and a Detected keyloggers event is logged.
  • Exclusive mode (Lock/block, notify and log event): The new USB keyboard connection is blocked, the user is notified on-screen to check for the presence of a keylogger, and a Detected keyloggers event is logged. This mode can be used to detect a USB Rubber Ducky, a keyboard-emulation device that injects keystroke payloads capable of, for example, changing system settings and retrieving data.

Note that only the values containing "log event" produce a Detected keyloggers event; Notify user on its own leaves no record on the server or the syslog server, and the Notify user and Log event variants leave the suspect keyboard connected and active.
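The Detected keyloggers events above are the ones worth watching on the syslog server configured under "Syslog server address for endpoint events". The following is an added example, not Ivanti code: a small RFC 5424 parser plus a triage rule that separates events where the agent already blocked the keyboard from events where it only logged, so that the latter (keyboard still active) are ranked higher. The page does not show the agent's syslog wire format, so the sample lines are constructed in RFC 5424 layout with an assumed key="value" message body (event, action, user, device); adapt parse_event() to what your collector actually receives.

```python
"""Triage Device Control endpoint events received on the syslog server named in
the 'Syslog server address for endpoint events' option.

Added example; not Ivanti code. The agent's syslog wire format is not shown on
the Options page, so the sample lines are CONSTRUCTED in RFC 5424 layout with an
assumed key="value" message body (event, action, user, device)."""
import re
from dataclasses import dataclass

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
_SYSLOG_5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d)\s+(?P<timestamp>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<app>\S+)\s+(?P<procid>\S+)\s+(?P<msgid>\S+)\s+"
    r"(?P<sd>-|(?:\[[^\]]*\])+)\s*(?P<msg>.*)$"
)
_KV = re.compile(r'(\w+)="([^"]*)"')  # assumed message-body format

KEYLOGGER_EVENT = "Detected keyloggers"  # event name as given on the Options page


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    app: str
    msg: str


def parse_syslog(line: str) -> SyslogEvent:
    """Split an RFC 5424 line into header fields; PRI = facility * 8 + severity."""
    m = _SYSLOG_5424.match(line)
    if not m:
        raise ValueError(f"not an RFC 5424 message: {line!r}")
    pri = int(m["pri"])
    if pri > 191:  # facilities 0-23, severities 0-7
        raise ValueError(f"PRI out of range: {pri}")
    return SyslogEvent(pri // 8, pri % 8, m["timestamp"], m["host"], m["app"], m["msg"])


def parse_event(msg: str) -> dict:
    """Turn the assumed key="value" message body into a dict."""
    return dict(_KV.findall(msg))


def triage(lines):
    """Return one alert per Detected keyloggers event.

    Only option values containing 'log event' emit an event at all. Of those,
    the 'Block ...' and 'Exclusive mode' values have already refused the
    keyboard (contained); 'Log event' and 'Notify user and log event' leave the
    suspect keyboard active, so those alerts get the higher priority."""
    alerts = []
    for line in lines:
        ev = parse_syslog(line)
        fields = parse_event(ev.msg)
        if fields.get("event") != KEYLOGGER_EVENT:
            continue
        action = fields.get("action", "")
        contained = action.lower().startswith(("block", "exclusive"))
        alerts.append({
            "timestamp": ev.timestamp,
            "host": ev.host,
            "user": fields.get("user"),
            "device": fields.get("device"),
            "action": action,
            "contained": contained,
            "priority": "medium" if contained else "high",
        })
    return alerts


def uncontained_hosts(alerts) -> set:
    """Hosts where a suspect keyboard was reported but not blocked."""
    return {a["host"] for a in alerts if not a["contained"]}


# CONSTRUCTED sample traffic (not real Ivanti output): local0.info / local0.warning
SAMPLE_LINES = [
    '<134>1 2024-05-06T09:12:03Z WS-0142 DeviceControlAgent 2210 - - '
    'event="Detected keyloggers" action="Log event" user="ACME\\jdoe" device="USB\\VID_1234&PID_0001"',
    '<134>1 2024-05-06T09:12:41Z WS-0142 DeviceControlAgent 2210 - - '
    'event="Device attached" action="Allow" user="ACME\\jdoe" device="USB\\VID_ABCD&PID_0002"',
    '<132>1 2024-05-06T09:15:17Z WS-0377 DeviceControlAgent 1984 - - '
    'event="Detected keyloggers" action="Block keyboard and log event" user="ACME\\msmith" '
    'device="USB\\VID_1234&PID_0001"',
]

if __name__ == "__main__":
    found = triage(SAMPLE_LINES)
    for alert in found:
        print(alert)
    print("hosts with an active, unblocked suspect keyboard:", uncontained_hosts(found))
```

The sample set deliberately includes one host where the agent only logged: that is the case a responder should reach first, because a keystroke-injecting device is still attached there.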

Online state definition

  • Server connectivity: The client is treated as online while it can reach an Application Server; online permission rules apply then, and offline permission rules apply when the client has no connectivity with any Application Server. This is the default value.
  • Wired connectivity: The client is treated as online while it has an active wired network interface connection; online permission rules apply then, and offline permission rules apply otherwise.

Shadowing related options

Option

Description

Server shadow directory

Specify the location on the server where shadowed files are to be saved. The default location is %InstallDirectory%\DeviceControl\Shadow

When user tries to write to a CD / DVD in a format that doesn't support shadowing

Select the action the agent is to perform when a user attempts to write to a CD / DVD in a format that does not support shadowing. The default action is: Deny writing to the CD / DVD (no shadowing occurs)

Encryption settings

Option

Description

Enforce password complexity

Select True to require that every encryption password contain characters from at least three of the four character classes: uppercase letters, lowercase letters, digits, and non-alphanumeric symbols.

Password minimum length

Specify the minimum password length allowed when users create a password for an encrypted device on an endpoint. The default value is 6.
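Taken together, the two settings above define the weakest password the agent will accept for an encrypted device. The following added example (not Ivanti code) evaluates a candidate password against them and, in addition, counts how many passwords of a given length the policy admits, which makes the caveat concrete: with the defaults (6 characters, three classes) a password such as Pass1! is compliant, and the admissible space is under 40 bits. How the agent classifies non-ASCII characters is not documented on the page; the example assumes Python's str.isupper/islower/isdigit and treats everything else as a symbol.

```python
"""Check a device-encryption password against the Options page settings
'Enforce password complexity' (at least three of four character classes) and
'Password minimum length' (default 6), and size the space the policy admits.

Added example; not Ivanti code. Character classification of non-ASCII input
is an assumption (Python str methods), not documented behaviour."""
from dataclasses import dataclass
from itertools import combinations
from math import log2


@dataclass(frozen=True)
class EncryptionPasswordPolicy:
    minimum_length: int = 6          # page default
    enforce_complexity: bool = True  # "at least three of the four classes"


def character_classes(password: str) -> set:
    """Return the set of classes present: upper, lower, digit, symbol."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")  # punctuation, space, anything else
    return classes


def check_password(password: str,
                   policy: EncryptionPasswordPolicy = EncryptionPasswordPolicy()) -> list:
    """Return the list of violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < policy.minimum_length:
        problems.append(f"shorter than {policy.minimum_length} characters")
    if policy.enforce_complexity and len(character_classes(password)) < 3:
        problems.append("fewer than three character classes")
    return problems


# Printable ASCII split into the four classes named on the Options page.
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 32}


def admissible_passwords(length: int, class_sizes=CLASS_SIZES, min_classes: int = 3) -> int:
    """Count strings of `length` that contain at least `min_classes` classes.

    For every candidate set of classes T with |T| >= min_classes, the number of
    strings using exactly the classes in T is obtained by inclusion-exclusion
    over the subsets of T; summing over all such T gives the admissible space."""
    names = list(class_sizes)
    total = 0
    for k in range(min_classes, len(names) + 1):
        for present in combinations(names, k):
            exact = 0
            for j in range(len(present) + 1):
                for used in combinations(present, j):
                    sign = (-1) ** (len(present) - j)
                    exact += sign * sum(class_sizes[c] for c in used) ** length
            total += exact
    return total


def policy_bits(length: int) -> float:
    """log2 of the admissible space for the default three-class rule."""
    return log2(admissible_passwords(length))


if __name__ == "__main__":
    for candidate in ("Pass1!", "password1", "Pa1!", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
    for n in (6, 8, 12):
        print(f"minimum length {n}: about {policy_bits(n):.1f} bits of admissible passwords")
```

The inclusion-exclusion count is exact, so the figures it prints can be used directly when arguing for a longer minimum in the Password minimum length option; note that it bounds the space an attacker with the encrypted media must search only if the device's key derivation adds no secret beyond the password, which the page does not state either way.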

Agent notifies user about encryption option when connecting an un-encrypted device

Select True to inform the user about encrypting an unencrypted device. By default the user is not notified.

Unencrypted device connected prompt

Enter a custom text to display upon connection of an unencrypted device when an endpoint user has the option to encrypt. The text entered will be followed by: Do you want to encrypt <drive letter>?

Automatically clear unused space

Select True to overwrite the unused (free) space on an encrypted device, destroying any residual data left there by previously deleted files.

Retain data when encrypting device

Select the action the agent is to perform on existing data on a device during encryption.

Agent encryption grace period

Specify the number of hours a non-Easy Exchange encrypted removable device is to be available after a plug-unplug operation when the endpoint has not yet sent its log to the server.

Microsoft CA key provider

Select Enable (Decentralized), the default, to have the system use a user's certificate to control access to an encrypted device. A user whose certificate is associated with a device can access it without entering a password.

Important: A Microsoft Certificate Authority must be implemented in the environment.

Automatic certificate generation

This option is set to Disabled by default and becomes active only when the Microsoft CA key provider option is set to Enable.

Select Enable to use automatic certificate generation.

Ensure certificate auto-enrollment is enabled for the users concerned (the Autoenroll permission on the certificate template, managed through the Certificate Templates snap-in of the Microsoft Management Console (MMC), together with the auto-enrollment Group Policy setting); otherwise the domain administrator will need to approve each enrollment request before a certificate can be retrieved and installed.

Important: Only default user certificate templates are supported.