Working with Device Control Policies

Setting Global Device Policy

The global device policy applies to all the devices on your network.

Select Manage > Device Control Policies.
The Device Control Policies page opens.
Select the Device Control Global Policy.
Click Edit.
The Global Device Policy dialog opens.

Set the Operation Mode:

Option	Description
Audit mode	Non-blocking mode that allows users unlimited access to peripheral devices, while providing logging information that can be used to create usage policies later.
Policy enforcement mode	Enforces the policies configured in Manage > Device Control Policies.

Set the Logging:

Option	Description
Log all endpoint events	Every event is logged and can be viewed using a Device Event Log Query. For more information, see Working with Device Event Log Queries.
Exclude endpoint events that match any of these rules.	Add edit rules for filtering out events that match specific criteria. For more information about how to create rules, see Device Event Filtering Rules.

On the Global Device Policy dialog, click OK.
The new Global Device Policy settings are saved and effective immediately.

Device Event Filtering Rules

When creating or editing a Global Device Policy, you can configure the policy to exclude certain endpoint events so that the logs don't consume excessive disk space.

Purpose and Best Practices

By default, Global Device Policies records all Device Control events to a log. These logs can consume excessive server disk space if left unattended. To prevent log over-consumption, you can exclude trivial events using Device Event Filtering Rules. These rules identify different Device Control events that contain data and values that you define. These events are not recorded in the future. Disk space consumption is reduced and Device Event Log Queries are truncated.

Generally, you should filter events from a Global Device Policy when they occur repeatedly. Remember, when reviewing log queries, you're looking for exceptional events, not common ones. If you see a common pattern, filter it out.

Note:

Device Event Filtering Rules can only be added to the Device Control Global Policy; you cannot add these exclusions to any other policy.
After configuring Device Event Filtering Rules, they are not applied to Device Event Log Queries retroactively.

Rule Descriptions and Buttons

While working with Device Event Filtering Rules, you can add as many filters as you'd like to reduce the amount of data that the Global Device Policy captures.

When you begin creating a Device Event Filtering Rule, type a Rule description. This is the text you'll use to identify the rule from the Global Device Policy dialog.
To add a new filter, click Add, and then select from the drop-down lists to define Rule Filter Criteria.
To remove an old filter, select it and click Delete.
When you're done adding or deleting filters, click OK to accept changes and close the dialog.

Rule Filter Criteria

Column	Description
Field¹	The types of data available for use in filter rules. Field drop-downs include: File Name: Excludes Device Control events based on their file name. Event Type: Excludes events based on their type. Device Name: Excludes events based on the device name. Device Type: Excludes events based on a device class. File Size: Excludes Device Control events that impact files of a defined size. Log Entry (Agent Local): Excludes events based on the time that it occurred on the endpoint. Endpoint Name: Excludes events based on the endpoint name. Message: Excludes events based on attached custom messages. Model ID: Excludes events based on a device model's ID. NT User: Excludes events based on the user account logged in during the event. Path: Excludes events based on a file path (which may or may not include the file itself). Process Name: Excludes events based on process names that appear within Windows Task Manager. Reason: Excludes events based on a reason. Unique ID: Excludes events based on a device's unique ID. User SID: Excludes events based on a user's Security Identifier in Windows. Log Entry (UTC): Excludes events based on the time it occurred on the server.
Operator	The types of operators that can be used to exclude events. Operators include: = : Filters the selected field to exclude the exact value defined. ≠ : Filters the selected field to exclude any value that is not defined. Contains: Filters the selected field to exclude any event containing the value that's defined. Does Not Contain: Filters the selected field to exclude any event that does not contain the value that's defined. Starts With: Filters the selected field to exclude events starting with the value that's defined. Ends With: Filters the selected field to exclude events that end with the values that's defined. Regular Expression Matches: Filters the selected field to exclude events that match a regular expression. More information about regular expression. Regular Expr. Doesn't Match: Filters the selected field to exclude events that do not match a regular expression.
Value¹	A numerical value or character string to be used with the field and operator.

Column

Description

Field¹

The types of data available for use in filter rules. Field drop-downs include:

File Name: Excludes Device Control events based on their file name.
Event Type: Excludes events based on their type.
Device Name: Excludes events based on the device name.
Device Type: Excludes events based on a device class.
File Size: Excludes Device Control events that impact files of a defined size.
Log Entry (Agent Local): Excludes events based on the time that it occurred on the endpoint.
Endpoint Name: Excludes events based on the endpoint name.
Message: Excludes events based on attached custom messages.
Model ID: Excludes events based on a device model's ID.
NT User: Excludes events based on the user account logged in during the event.
Path: Excludes events based on a file path (which may or may not include the file itself).
Process Name: Excludes events based on process names that appear within Windows Task Manager.
Reason: Excludes events based on a reason.
Unique ID: Excludes events based on a device's unique ID.
User SID: Excludes events based on a user's Security Identifier in Windows.
Log Entry (UTC): Excludes events based on the time it occurred on the server.

Operator

The types of operators that can be used to exclude events. Operators include:

= : Filters the selected field to exclude the exact value defined.
≠ : Filters the selected field to exclude any value that is not defined.
Contains: Filters the selected field to exclude any event containing the value that's defined.
Does Not Contain: Filters the selected field to exclude any event that does not contain the value that's defined.
Starts With: Filters the selected field to exclude events starting with the value that's defined.
Ends With: Filters the selected field to exclude events that end with the values that's defined.
Regular Expression Matches: Filters the selected field to exclude events that match a regular expression. More information about regular expression.
Regular Expr. Doesn't Match: Filters the selected field to exclude events that do not match a regular expression.

Value¹

A numerical value or character string to be used with the field and operator.

To see examples of filter Field text or Value syntax, see Review > Device Event Log Queries and then view a Completed query.

Creating a Device Class Policy

Device class policies are policies that apply to an entire device class.

Prerequisites:

You must have Manage Global Device Control Policies access rights.

Select Manage > Device Control Policies.
The Device Control Policies page opens.
Click Create > Create class policy.
The Device Class Policy wizard appears.
Specify the policy details.
1. Enter the Policy name.
2. Select the Override priority.
  You can choose between Normal (Default) and High (Overrides Normal Priority) .
3. Select the Device class to which the policy will apply.

Specify the policy rules.

Option	Description
Permission settings (Define read, write and other permissions.)	Enables the Permission Settings panel later in the wizard, where you can define which permissions users will have based on this policy.
Shadow settings (Store a copy of data written to or read from devices.)	Enables the Shadow Settings panel later in the wizard. File shadowing lets you to track the data that is being read, written to, or written from a device. It can be enabled for: COM/Serial Ports DVD/CD Drives Floppy Disk Drives LPT/Parallel Ports Modem / Secondary Network Access Device Portable Devices Printers Removable Storage Devices For Printers specifically, shadowing involves storing a copy of all information sent to a printer during a print job governed by this policy. This information can later be viewed administratively via log queries by sending the same content to the same printer or another printer of the same model. See File Shadowing for more information.
Daily copy limit	Sets the amount of data (in MB) per day that a user can copy. Floppy Disk Drives Portable Devices Removable Storage Devices Only one copy limit setting per device class will be enforced. For example, copy limits configured for removable storage devices apply to hard drives and non-hard drives. To avoid ambiguity, it is recommended that you do not combine copy limit policies and permissions policies.

Option

Description

Permission settings (Define read, write and other permissions.)

Enables the Permission Settings panel later in the wizard, where you can define which permissions users will have based on this policy.

Shadow settings (Store a copy of data written to or read from devices.)

Enables the Shadow Settings panel later in the wizard.

File shadowing lets you to track the data that is being read, written to, or written from a device. It can be enabled for:

COM/Serial Ports
DVD/CD Drives
Floppy Disk Drives
LPT/Parallel Ports
Modem / Secondary Network Access Device
Portable Devices
Printers
Removable Storage Devices

For Printers specifically, shadowing involves storing a copy of all information sent to a printer during a print job governed by this policy. This information can later be viewed administratively via log queries by sending the same content to the same printer or another printer of the same model.

See File Shadowing for more information.

Daily copy limit

Sets the amount of data (in MB) per day that a user can copy.

Floppy Disk Drives
Portable Devices
Removable Storage Devices

Only one copy limit setting per device class will be enforced. For example, copy limits configured for removable storage devices apply to hard drives and non-hard drives. To avoid ambiguity, it is recommended that you do not combine copy limit policies and permissions policies.

Select the desired policy enforcement option.

Option	Description
Always	The policy applies at all times.
Online only	The policy applies only when the endpoint/user/group is connected to the server.
Offline only	The policy applies only when the endpoint/user/group is disconnected from the server.
Scheduled	The policy applies only during a set schedule.
Temporary	The policy allows one-time access for a specified period.

Depending on the option you choose, additional settings are available in the right-side box.

Select whether you want the policy to be applicable immediately.

Option	Description
Enable	Activates the policy immediately when you finish configuring it. (default)
Disable	Lets you to delay when the policy takes effect. You can activate the policy later on the Manage > Device Control Policies page by selecting it and clicking Enable.

Click Next.
If you selected Permission settings on the Policy Details panel, the Permission Settings panel displays.

[Optional] Specify the permission users will have based on this policy.

Option	Description
Block all access	Restricts the use of all devices of this class to prevent information from getting out.
Allow the following permissions	Select the types of permissions to allow. Available permissions (dependent on the type of device): Read Write FireWire ATA/IDE SCSI PCMCIA Bluetooth IrDA See Permission Settings for a Policy for more information.

Option

Description

Block all access

Restricts the use of all devices of this class to prevent information from getting out.

Allow the following permissions

Select the types of permissions to allow. Available permissions (dependent on the type of device):

Read
Write
FireWire
ATA/IDE
SCSI
PCMCIA
Bluetooth
IrDA

See Permission Settings for a Policy for more information.

Select the Connections to which the permissions are to apply.
Dependent on the type of device class policy you are creating, the available connections are:

All
USB
FireWire
ATA/IDE
SCSI
PCMCIA
Bluetooth
IrDA

If you are creating a Removable Storage Devices device class policy, select the type of Drives to which the permissions are to apply.

Option	Description
Both drive types	Permissions are applied to both hard drives and non-hard drives.
Hard drives only	Permissions are only applied to hard disk drive (HDD) drives.
Non hard drives only	Permissions are only applied to non hard disk drives, for example solid-state drives (SSD).

[Optional] If you are creating a Removeable Storage Devices or DVD/CD Drives device class policy, select the type of Encryption to which the permissions are to apply.

Option	Description
Self contained encryption	Encryption is self-contained on the device, allowing only those with an encryption key to access the information.
Unencrypted/Unknown encryption type	Information is either unencrypted or encrypted with an unknown type of encryption.

Review the phrase in the Rule definition section to ensure you have selected the permissions and connections you want.
Click Next.
If you selected File Filters on the Policy Details panel, the File Filters panel displays.
Specify the file filtering options.

Option	Description
Allow all file types	All files types can be accessed.
Allow only the file types selected below	Only file types you select from a list can be accessed.
Allow Import	User can copy files from the external device to the local hard drive.
Allow Export	User can copy files from the local hard drive to the external device.

For more information on file filters, see File Type Filtering.

Click Next.
If you selected Shadow settings on the Policy Details panel, the Shadow Settings panel displays.

Specify the shadow settings.
Shadow files are stored in <install_dir>\DeviceControl\Shadow.

Device Class Policy Type	Options
COM/Serial Ports DVD/CD Drives Floppy Disk Drives LPT/Parallel Ports Modem / Secondary Network Access Device Portable Devices Removable Storage Devices	For both the Read and Write sections: Do not shadow: No content is shadowed. Full file content: Saves a copy of the entire file. File name only: Records only the file name.
Printers	Do not shadow printed content: This setting can be used to prevent shadowing for specific assignment targets. For example, if you shadow printed content for a specific AD Group you can prevent shadowing for a specific user within that group by selecting this setting and assigning the policy to that user. Shadow printed content: This setting is used to store a copy of all information sent to a printer during a print job governed by this policy. This information...

Device Class Policy Type

Options

COM/Serial Ports
DVD/CD Drives
Floppy Disk Drives
LPT/Parallel Ports
Modem / Secondary Network Access Device
Portable Devices
Removable Storage Devices

For both the Read and Write sections:

Do not shadow: No content is shadowed.

Full file content: Saves a copy of the entire file.

File name only: Records only the file name.

Printers

Do not shadow printed content: This setting can be used to prevent shadowing for specific assignment targets. For example, if you shadow printed content for a specific AD Group you can prevent shadowing for a specific user within that group by selecting this setting and assigning the policy to that user.

Shadow printed content: This setting is used to store a copy of all information sent to a printer during a print job governed by this policy. This information...

Review the phrase in the Rule definition section to ensure you have selected the shadow settings you want.
Click Next.
The Assign policy page opens.
This page is skipped when the wizard is launched from the Groups, Endpoints, or Users page of the Manage menu.

Select the group, endpoint, or user to which the policy applies.

Option	Description
To add groups of endpoints	Select a group or groups from the Groups list. Click Add.
To add individual endpoints	Select an endpoint or endpoints from the Endpoints list. Click Add.
To add individual users or user groups	Select users or usergroups from the Users list. Click Add.
To remove groups of endpoints	Select a group or groups from the Groups list. Click Remove.
To remove individual endpoints	Select an endpoint or endpoints from the Endpoints list. Click Remove.
To remove individual users or user groups	Select users or usergroups from the Users list. Click Remove.

The selected groups, users, or endpoints are displayed in the Assigned List .

Click Finish.
The Device Class Policy wizard closes.

A new policy is created for the selected device class. The policy is displayed in the Device Control Policies page.

Creating a Device Collection Policy

Device collection policies allow you to define access rights for specific devices rather than an entire device class. Use the Device Collection Policy wizard to create policies for device collections.

Select Manage > Device Control Policies.
The Device Control Policies page opens.
Click Create > Device collection policy.
The Device Collection Policy wizard appears.
Type a name for the policy in the Policy Name field.
Select the class to which the policy will apply from the Device class drop-down list.
The device collection section becomes active.
You can either add an existing collection or create a new one.
[Optional] To add an existing collection:
1. Click Add.
  The Add Collections from Library dialog opens.
2. Type a collection name in the Search collection name field and click Search.
  A list of collections is displayed.
3. Select the collection you want to add.
4. Click Add Collections.
5. Click OK.
  The Add Collections from Library dialog closes.
6. [Optional] Select the Disable option to delay the activation of the policy.
  By default, the Enable option is selected, which activates the policy immediately upon completing the creation process.
[Optional] To create a new collection:
1. Click Add New Collection.
  Step Result: The New Collection dialog displays.
2. Type the name of the collection in the Collection name field.
3. Click OK.
  The New Collection dialog and the collection appears in the collections list.
Click Next.
The Device Collection Policy dialog opens.
[Optional] Select the Permission settings check box to define read, write, and other permissions.
[Optional] Select the Shadow settings check box to define read, write, and other permissions.
Shadow settings can only be enabled for the COM/Serial Ports, CD/DVD Drives, Floppy Disk Drives, LPT/Parallel Ports, and Removable Storage Devices classes.
[Optional] Select the Daily copy limit check box. Specify a copy limit value in the text box.
Select the desired policy enforcement option. You can choose from the following options:

Option	Description
Always	The policy will apply at all times.
Online only	The policy will apply only when the endpoint/user/group is connected to the server.
Offline only	The policy will apply only when the endpoint/user/group is disconnected from the server.
Scheduled	The policy will apply only during a set schedule. To set the schedule: Enter the start time in the From field. Enter the end time in the To field. Select the check boxes for the days of the week in which the policy will be applied.
Temporary	The policy will give one-time access for a specified period. To specify the enforcement period: Select the Immediately option to begin enforcing the policy upon completion of the policy creation process. Select the date and time option and enter a date (mm/dd/ yyyy format) and a time (hh:mm AM/PM format) to designate an enforcement start time in the future. Enter a date (mm/dd/yyyy format) and a time (hh:mm AM/PM format) to designate an enforcement end time in the future.

You can click on the clock icon to view and select a list of times in half hour increments and the calendar icon to view and select dates using a calendar.

Click Next.
The Permission Settings page opens.
Specify the permission details.
For more information on setting permissions, refer to Permission Settings for a Policy.
1. Select the Allow access with following radio button and then select the desired permissions check boxes. The available permissions vary according to device class.
2. Select the connections you want to apply the permissions to in the Connections group box. The available connections vary according to device class.
3. Select the applicable drives in the Drives group box. The availability of drives varies according to device class.
4. [Optional] Specify the type of encryption in the Encryption group box. The availability of encryption options varies according to device class.
Click Next.
The File Filters page opens.
This page will only appear if you select File Filters in the Permission Settings page.

Specify the file filtering options.
For more information on file filters, see File Type Filtering.
Click Next.
The Shadow Settings page opens.
This page will only appear if you select Shadow settings in the Policy details page.

Specify the shadow settings.
Shadow files are stored in <install_dir>\DeviceControl\Shadow.

Device Class Policy Type	Options
COM/Serial Ports DVD/CD Drives Floppy Disk Drives LPT/Parallel Ports Modem / Secondary Network Access Device Portable Devices Removable Storage Devices	For both the Read and Write sections: Do not shadow: No content is shadowed. Full file content: Saves a copy of the entire file. File name only: Records only the file name.
Printers	Do not shadow printed content: This setting can be used to prevent shadowing for specific assignment targets. For example, if you shadow printed content for a specific AD Group you can prevent shadowing for a specific user within that group by selecting this setting and assigning the policy to that user. Shadow printed content: This setting is used to store a copy of all information sent to a printer during a print job governed by this policy. This information...

Device Class Policy Type

Options

COM/Serial Ports
DVD/CD Drives
Floppy Disk Drives
LPT/Parallel Ports
Modem / Secondary Network Access Device
Portable Devices
Removable Storage Devices

For both the Read and Write sections:

Do not shadow: No content is shadowed.

Full file content: Saves a copy of the entire file.

File name only: Records only the file name.

Printers

Do not shadow printed content: This setting can be used to prevent shadowing for specific assignment targets. For example, if you shadow printed content for a specific AD Group you can prevent shadowing for a specific user within that group by selecting this setting and assigning the policy to that user.

Shadow printed content: This setting is used to store a copy of all information sent to a printer during a print job governed by this policy. This information...

Click Next.
The Assign policy page opens.
This page is skipped when the wizard is launched from the Groups, Endpoints, or Users page of the Manage menu.

Select the group, endpoint, or user the policy will apply to.
Click Finish.
The Device Collection Policy wizard closes.

A new policy is created for the selected device collection. The policy is displayed in the Device Control Policies page.

Creating a Media Collection Policy

Media collection policies are policies created to grant permissions to media collections in the Device Library.

Select Manage > Device Control Policies.
The Device Control Policies page opens.
Click Create > Create media collection policy.
The Media Collection Policy wizard appears.
Type the Policy name.
To add an existing collection, click Add.
The Add Collections from Library dialog opens.
Type a collection name in the Search collection name field.
Click Search.
A list of collections is displayed.
Select the collection you want to add.
Click Add Collections.
The selected collection is added to the right side of the dialog.
Click OK.
The Add Collections from Library dialog closes.
Select whether you want the policy to be applicable immediately.
The Enable radio button is selected by default. If you do not want the policy to be auto-enabled, select Disable.
You must manually select enable before the policy will be applicable.
Click Next.
The Assign policy page opens.
This page is skipped when the wizard is launched from the Groups, Endpoints, or Users page of the Manage menu.

Select the group, endpoint, or user the policy will apply to.
Click Finish.
A new policy is created for the selected media collection. The policy is displayed in the Device Control Policies page.

Creating a Port Control Policy

Define permissions for all or specific port connections, such as USB, FireWire, and Bluetooth, which are enforced at all times.

Select Manage > Device Control Policies.
The Device Control Policies page opens.
Click Create > Port control policy.
The Port control policy wizard appears.
Type the Policy name.
Use a name that reflects the organizational or functional need the policy fulfills (for example, Users with USB restrictions)
Select the Override priority.
You can choose between Normal (Default) and High (Overrides Normal Priority).
Select the Permission settings check box.
Select whether you want the policy to be applicable immediately.
The Enable radio button is selected by default. If you want to delay when the policy will begin working, select Disable.
Click Next.
The Permission Settings page opens.
In the Permissions section, select the permissions you want to associate with the policy:
- Block all access
- Allow the following permissions: select Read and Write
In the Apply Permissions to section, select the connections you want to associate with the permissions:
- All
- USB
- FireWire
- ATA/IDE
- SCSI
- PCMCIA
- Bluetooth
- IrDA
Click Next.
The Assign policy to users, groups and/or endpoints page opens.
Select the group, endpoint, or user to which the policy applies.

Option	Description
To add groups of endpoints:	Select a group or groups from the Groups list. Click Add.
To add individual endpoints:	Select an endpoint or endpoints from the Endpoints list. Click Add.
To add individual users or user groups:	Select users or usergroups from the Users list. Click Add.
To remove groups of endpoints:	Select a group or groups from the Groups list. Click Remove.
To remove individual endpoints:	Select an endpoint or endpoints from the Endpoints list. Click Remove.
To remove individual users or user groups:	Select users or usergroups from the Users list. Click Remove.

The selected groups, users, or endpoints are displayed in the Assigned List .

Click Finish.
The Port Control Policy wizard closes.

A new policy is created for the selected ports. The policy is displayed in the Device Control Policies page.

Assigning a Policy

The Assign Policy page of the policy creation wizard allows you to assign the policies to one or more users, user groups, endpoints, or endpoint groups. If the policy is launched from the Groups, Endpoints, or Users pages, it is assigned automatically.

Select Manage > Device Control Policies.
The Device Control Policies page opens.
Select the policy you want to assign.
Click Assign.
The Assign policy dialog for the selected policy type opens.
Click the tab corresponding to the parent category of the user or endpoint you want to assign. You can choose from the following options:
- Groups
- Endpoints
- Users
The selected parent category expands.
Select the desired individual or group.
Click Add.
The selected item appears in the Assigned list.
[Optional] Remove any previously assigned items.

Select the item you want to remove from the Assigned list.
Click Remove.
The item is removed from the Assigned list .

Click OK.
The Assign policy dialog closes.

The policy is assigned to the selected group, user, or endpoint. The Device Control Policies page is automatically refreshed to show the updated assignment status.

Assigning a Device Control Policy on an Endpoint

You can assign one or more Device Control policies on an endpoint's Details page.

Select Manage > Endpoints.
Click the hyperlinked name of the desired endpoint.
The endpoint's Details page opens to the Information tab.
Click the Device Control Policies tab.
The Device Control Policies tab opens, displaying any policies that are currently assigned to the endpoint.
Click Assign.
The Assign Policy dialog opens.
Select one or more policies to assign to the endpoint.
Click OK.
The dialog closes and the policy is added to the list on the Device Control Policies tab.

One or more Device Control policies have been assigned to the endpoint.

Unassigning a Single Policy

Unassigning policies require users to have Assign Global Device Control Policies access rights. You can unassign a policy only if it has been previously assigned to a group, user, or endpoint.

Select Manage > Device Control Policies.
The Device Control Policies page opens.
Select the policy you want to unassign.
Verify that the selected policy assignment status is Assigned.
The Unassign button becomes active.
Click Unassign.
The Unassign Policy dialog opens.
Click OK.
The Unassign Policy dialog closes.

The selected policy is unassigned. The Device Control Policies page is automatically refreshed to show the updated policy assignment status.

Unassigning Multiple Policies

Unassigning multiple policies allows you to simultaneously dissociate policies from their assigned users, endpoints, or group. Policies that are unassigned can subsequently be assigned to other users, endpoints, or groups.

Select Manage > Device Control Policies.
The Device Control Policies page opens.
Select the policies you want to unassign.
Verify that the assignment status for the selected policies is Assigned.
The Unassign button becomes active.
Click Unassign.
The Unassign Policy dialog opens.
Click the arrow next to a policy name in the dialog, to view more details about that policy.
Click Yes.
The Unassign Policy dialog closes.

The selected policies are unassigned. The Device Control Policies page is automatically refreshed to show the updated policy assignment status.

Editing a Policy

You can edit a policy as desired. While editing a policy, you can define permissions, specify shadowing and logging options, change assigned users and endpoints, and so on.

Select Manage > Device Control Policies.
The Device Control Policies page opens.
Select the policy you want to edit.
Filter the Policy Name and Device Class or Device Collection columns to locate the policies.
Click Edit.
The Policy Wizard dialog opens.
The policy wizard that opens will depend on the type of policy you are editing.
Edit the policy details as desired.
Click Finish.
The Policy Wizard dialog closes.

The selected policy is edited.

Enabling Policies

You can enable policies that are currently disabled. You can only enable those policies that are already assigned to users, endpoints, or groups.

Select Manage > Device Control Policies.
The Device Control Policies page opens.
Select the policy or policies you want to enable.
Filter the Policy Name and Device Class or Device Collection columns to locate the policies.
Click Enable.
The Enable Policy dialog opens.
Click Yes.
The Enable Policy dialog closes.

The selected policies are enabled.

Disabling Policies

You can disable policies without deleting them. This allows you to retain policy details if you want to enable policies again.

Select Manage > Device Control Policies.
The Device Control Policies page opens.
Select the policy or policies you want to disable.
Filter the Policy Name and Device Class or Device Collection columns to locate the policies.
Click Disable.
The Disable Policy dialog opens.
Click Yes.
The Disable Policy dialog closes.

The selected policies are disabled.

Deleting a Policy

You can delete a policy if you no longer require it. Any previously-created policy can be deleted as long as it is not assigned to an endpoint, user, or group.

Select Manage > Device Control Policies.
The Device Control Policies page opens.
Select the policy you want to delete.
Ensure that the policy you are deleting is in an Unassigned state. If you try to delete an assigned policy, you will receive an error message.
Click Delete.
The Delete Policy dialog opens.
Click Yes to confirm the deletion.
The Delete Policy dialog closes.

The selected policy is deleted.

Exporting Policies

You can export information about Ivanti Device Control policies to a .csv (comma separated value) file. Exported policy information includes policy name, policy status, assignment status, device class, device collection, and the date of the last policy update.

Select Manage > Device Control Policies.
The Device Control Policies page opens.
Select the policy you want to export.
Filter the Policy Name and Device Class or Device Collection columns to locate the policies.
Click Export.
The policy details are exported to a .csv file.

Creating Policies for a Group

You can create and administer permissions for a group of endpoints directly in the Groups page.

Select Manage > Groups.
The Groups page opens.
Select Device Control Policies from the View drop-down list.
Select the group for which you want to create the policy.
Click Create.
A drop-down list appears.
Select the type of policy you want to create.
You can choose among device class, device collection, and media policies.

The policy wizard for the selected policy type opens.

Creating Policies for Users

You can create and administer permissions for a group of users directly in the Users page.

Select Manage > Users.
The Users page opens.
Select the user group for which you want to create the policy.
Select Device Control Policies from the View drop-down list.
Click Create.
A drop-down list appears.
Select the type of policy you want to create.
You can choose among device class, device collection, and media policies.

The policy wizard for the selected policy type opens.