Enable Audit Mode
Device Control contains a feature called Audit mode. When this mode is turned on, Device Control logs all devices that connect to your endpoints.
What is Audit Mode?
After you install the Device Control module on your endpoints, you should place the Global Device Policy in Audit mode, a mode that configures your endpoints to:
- Log all device events that occur.
- Continue allowing devices to connect to endpoints. In other words, Device Control does not block devices from connecting.
Why are we turning on Audit mode? For two reasons:
- User activity logging
Right now, you probably have little data about what device access users require to do their jobs. By placing the Global Device Policy in Audit mode, the endpoint will log device events and then upload them to the Endpoint Security Server. You can then use this data to shape your Device Control policies later.
- Ease of transition
If the Global Device Policy's other mode (Policy enforcement mode) is enabled when you install the Device Control endpoint module, all devices begin enforcing the default Device Control policies.
At this time, Policy enforcement mode is inappropriate because your default policies will likely conflict with custom Device Control policies as you create them, creating volatile permissions for your users. Audit mode allows users to continue accessing their devices while you configure the policy to a level more appropriate for your organization.
To Enable Audit Mode:
- Select Manage > Device Control Policies.
- Select the Device Control Global Policy and click Edit.
- Make sure that the Global Device Policy is in Audit mode.
- After you select Audit mode, click Finish.
The Global Device Policy dialog opens.
We'll have more information about the default device class policies listed beneath the Device Control Global Policy later in Default Device Class Policies. Don't worry about them for now though.