FAQ

How do we disable the use of all USB ports?

Universally blocking access to your USB ports usually isn't productive. A better practice is to manage devices connecting to the ports rather than the ports themselves.

However, if you still want to block access to specific ports, such as USB ports, create a Port Control policy from Manage > Device Control Policies. Select the Permission settings on the first page of the wizard. On the second page select Block all access, and select the desired port. On the last page of the wizard, assign the policy to Everyone from the Users panel. All access to that port, regardless of device, is blocked.

How do we allow our users to encrypt devices when needed?

Refer to the Policy Permission Settings: What Permissions to Give Users on What Devices section in this document for details on configuring a policy this way.

How do we force any data written to USB flash drives to be encrypted (users can read any USB flash drive)?

Refer to the Policy Permission Settings: What Permissions to Give Users on What Devices section in this document for details on configuring a policy this way.

People need to use data from our organization off site. How do I allow this practice while keeping the data safe?

Allow for password-based access to encrypted devices. See the section Policy Permission Settings: What Permissions to Give Users on What Devices for details on the settings required to allow this.

I need to know what users are copying to devices. How do I accomplish this?

Use the Shadowing feature. See File Shadowing for more information.

I need a secure solution that can't be bypassed easily. Can users with Administrative rights bypass Device Control?

No, they can't. The Endpoint Security Agent cannot be disabled, even by users with administrative rights. The enforcement kernel driver loads before the user logs on, so protection is enabled for the entire user session.

I only want my employees to use company-issued (or approved) devices (makes and models).

Use Device Collections to allow only the device models you approve. No policy or effort is required to block all other devices, because they are denied by default.

What considerations should I make when creating different policies for laptops, workstations, and servers?

Consider what devices are appropriate on each of those endpoint types.

For example, Wi-Fi adapters should be allowed on laptops, but should probably be blocked on workstations and servers. Another example is tape drives: allow this device for servers, but not for laptops and workstations.

Also, refer to the following sections in this document:

How do I limit use of specific devices to specific people?

Assign these permissions by using Device Collections. Place the permitted devices in a Device Collection, and then create a policy for that collection that is assigned to the appropriate user groups or users.

How do I stop permission changes from displaying on user endpoints?

These notifications can be suppressed with the Agent permission change notifications setting under Tools > Options.

I don't want to allow rogue or unmanaged devices (such as keyloggers, Wi-Fi adapters, etc.) that are prohibited in my organization. How do I account for all possibilities?

Because Device Control denies devices by default, you need only manage the devices that you want to allow. Any other device that connects to your endpoints is denied access.

I want to monitor use now, and then decide if we want to enforce policies later. Is that possible?

Yes. Device Control includes an Audit mode, in which the system logs device activity on endpoints without enforcing any policy.

How do I block a specific device right now?

The device is blocked by default unless it falls within the scope of an existing policy. In that case, you can disable the policy, or search for the device in the Device Library, add it to a new Collection, and create a Collection Policy that specifically blocks access to that device. This explicit blocking of access takes priority over any other policies.
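As an added example, not code or configuration from the product, the following Python models the evaluation order the answers above describe: a device is denied by default, a Device Collection policy can allow it for assigned users or groups, an explicit block collection policy takes priority over any allow, and Audit mode records what enforcement would have done without enforcing it. The class names Device and CollectionPolicy, the function evaluate, and the sample vendor, model and serial values are all constructed for this illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Illustrative model (not product code) of the decision rules this FAQ
# describes: default deny, Device Collection policies that allow, an
# explicit block policy that overrides allows, and Audit mode that logs
# without enforcing. All names and sample values are constructed.


@dataclass(frozen=True)
class Device:
    vendor: str   # make, as it would appear in the Device Library
    model: str
    serial: str


@dataclass
class CollectionPolicy:
    name: str
    models: Set[Tuple[str, str]] = field(default_factory=set)  # (vendor, model) members
    serials: Set[str] = field(default_factory=set)             # individual devices
    action: str = "allow"                                      # "allow" or "block"
    assigned_to: Set[str] = field(default_factory=lambda: {"Everyone"})

    def covers(self, device: Device, groups: Set[str]) -> bool:
        """True when the device is in this collection and the user is assigned."""
        in_collection = ((device.vendor, device.model) in self.models
                         or device.serial in self.serials)
        targeted = "Everyone" in self.assigned_to or bool(self.assigned_to & groups)
        return in_collection and targeted


def evaluate(device: Device, groups: Set[str], policies: List[CollectionPolicy],
             audit_mode: bool = False,
             log: Optional[List[str]] = None) -> Tuple[str, str]:
    """Return (effective_decision, reason) for one device connecting for one user."""
    matching = [p for p in policies if p.covers(device, groups)]
    blocks = [p.name for p in matching if p.action == "block"]
    allows = [p.name for p in matching if p.action == "allow"]
    if blocks:                       # an explicit block wins over any allow
        decision, reason = "block", "explicit block policy: " + ", ".join(blocks)
    elif allows:
        decision, reason = "allow", "allowed by: " + ", ".join(allows)
    else:                            # nothing allows it: denied by default
        decision, reason = "block", "default deny (no policy allows this device)"
    if audit_mode:                   # record what enforcement would do, but do not enforce
        if log is not None:
            log.append(f"AUDIT would_{decision} {device.vendor} {device.model} "
                       f"sn={device.serial}: {reason}")
        return "allow", f"audit mode, not enforced (would {decision}: {reason})"
    return decision, reason


# Constructed sample policies.
APPROVED_DRIVES = CollectionPolicy("Approved USB drives",
                                   models={("ExampleCo", "SecureKey")})
LOST_DRIVE = CollectionPolicy("Lost drive SN-0002", serials={"SN-0002"}, action="block")
SERVER_TAPE = CollectionPolicy("Tape drives for server admins",
                               models={("ExampleCo", "TapeLib")},
                               assigned_to={"ServerAdmins"})


def demo() -> List[Tuple[str, str]]:
    """Evaluate a few constructed connections against the sample policies."""
    policies = [APPROVED_DRIVES, LOST_DRIVE, SERVER_TAPE]
    finance = {"Finance"}
    return [
        evaluate(Device("ExampleCo", "SecureKey", "SN-0001"), finance, policies),  # allowed model
        evaluate(Device("OtherCo", "Thumb", "SN-9"), finance, policies),           # default deny
        evaluate(Device("ExampleCo", "SecureKey", "SN-0002"), finance, policies),  # explicit block wins
        evaluate(Device("ExampleCo", "TapeLib", "T-1"), finance, policies),        # not assigned to user
        evaluate(Device("ExampleCo", "TapeLib", "T-1"), {"ServerAdmins"}, policies),
    ]


if __name__ == "__main__":
    for decision, reason in demo():
        print(decision, "-", reason)
```

The third case is the one this answer is about: the SecureKey model is allowed for everyone, but the single drive with serial SN-0002 sits in a collection with a block policy, so it is blocked regardless of the allow. Passing audit_mode=True returns "allow" for every case while appending the would-be decision to the supplied log list.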

We only allow specific media on these machines. How can I limit the DVDs that people can use?

Optical media can be added to Media Collections in the same way devices can be added to device collections. You then create a Media Collection policy that allows access only to those discs.

I want to manage my permissions with AD instead of in your console. Is that possible?

Yes, after initial configuration of the policies, many customers manage users' permission levels through AD groups. See Synchronize With Active Directory for a more detailed description.

I want to be able to define groups of machines and manage them that way. Does Device Control allow that?

Yes, the Endpoint Security Console has flexible endpoint group creation and management. You should create groups and apply Agent Policy Sets to control reboot behavior and the installation of the NDIS driver. Servers, laptops, desktops, and unattended machines have different needs and can be handled differently.