Agent settings: Device control
Tools > Security and Compliance > Agent settings > Security > Endpoint security > Device control
Use this dialog box to create and edit Device Control settings.
This dialog box contains the following pages.
About the General settings page
Use this page to name the settings and enable device control on a client configured with the settings.
- Name: Identifies the settings. This name appears in the main Device Control window.
- Enable device control: Turns on Device Control on a client configured with the settings.
About the Storage volumes page
Use this page to specify options for storage volumes that connect to a client configured with this setting.
- Storage volumes: Specifies the access level for any storage volume that wasn't present on the client when the setting was installed. (Note that if a device containing a volume was attached when the setting was installed, the Ivanti Endpoint Security service will allow that device in the future, even though it may be removable.)
- Full access: Allows read and write access to a connecting storage volume.
- Read only access: Allows users to read from but not write to a connecting storage volume.
- Force encryption: Enforces file encryption on a connecting storage volume. An encryption utility is deployed that enables file encryption on a storage device connecting to a client with this setting. Files are encrypted when written to a storage device and decrypted when read from the device. Access is allowed only by providing the correct password that is defined when creating an encrypted folder on the USB storage device.
IMPORTANT: First create an encrypted folder on the USB device: When a storage device is configured for file encryption, users must initially create an encrypted folder before they can copy files to the device with the encryption utility (go to Start Ivanti Management > Ivanti Encryption Utility). Specify a password when creating the encrypted folder. If the Allow password hints option is enabled (see below), the user will have the option of entering a hint that can help them remember the password, although the password hint is not required.
- No access: Prevents the use of storage volumes connecting to a client configured with this device control setting. You can customize which types of devices are still allowed by selecting specific device types on the Device page.
- Exceptions: Click to create exceptions to the access level for storage volumes. You can add exceptions based on hardware ID, media serial, or bus type. Endpoint Manager 2024 and newer also allow you to import and export (in CSV format) the exceptions list.
Export an agent setting by right-clicking it and selecting Export. You can do this for a device control agent setting in Agent settings > Security > Endpoint Security > Device Control.
Import the exception list from an exported agent setting by first editing a device control agent setting. On the Devices page, select the Exceptions tab, right-click a device control exception, and select Import.
- Encryption options:
- Storage space allocated for encryption: Specifies the amount of space on a storage device that can be used for encrypted files.
- Allow password hints: Lets the end user enter a hint that can help them remember the encrypted folder password. The password hint can't be an exact match to the password itself. The password hint can't exceed 99 characters in length. (Note that even if the password hint field is available to enter text, the user is not required to enter a hint.)
- Notify end user: Displays a message box when a user connects an unauthorized storage device.
About the Configure exception (for storage volumes) dialog box
Use this dialog box to create an exception to the access level for storage volumes.
- Description: Enter any description you want to identify this exception.
- Parameter: Select the parameter type (hardware ID, volume serial, or bus type).
- Value: If the hardware ID parameter is selected, enter a value string.
- Access: Specifies the access level for this exception (full access, read-only access, encrypted only, no access).
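The following PowerShell is an added example, not part of the Ivanti product or its documentation. Run on a Windows client, it lists the bus type, instance path, hardware IDs and serial numbers that Windows reports for each attached disk, so they can be reviewed before an exception is created. That these Windows-reported strings correspond to the hardware ID, volume serial and bus type values the dialog expects is an assumption to confirm in the console.

```powershell
# Added example (not vendor code): list the identifiers Windows reports for
# each attached disk so they can be reviewed before creating an exception.
Get-CimInstance -ClassName Win32_DiskDrive | ForEach-Object {
    $disk = $_

    # Hardware IDs (most specific first) from the disk's PnP device node.
    $hardwareIds = (Get-PnpDeviceProperty -InstanceId $disk.PNPDeviceID `
        -KeyName 'DEVPKEY_Device_HardwareIds' -ErrorAction SilentlyContinue).Data

    # Walk disk -> partitions -> logical disks to collect volume serial numbers.
    $volumes = Get-CimAssociatedInstance -InputObject $disk -ResultClassName Win32_DiskPartition |
        ForEach-Object {
            Get-CimAssociatedInstance -InputObject $_ -ResultClassName Win32_LogicalDisk
        }

    [pscustomobject]@{
        Model         = $disk.Model
        BusType       = $disk.InterfaceType      # e.g. USB, SCSI, IDE
        InstancePath  = $disk.PNPDeviceID
        HardwareIds   = $hardwareIds -join '; '
        DeviceSerial  = if ($disk.SerialNumber) { $disk.SerialNumber.Trim() } else { $null }
        VolumeSerials = ($volumes | ForEach-Object {
                            '{0} {1}' -f $_.DeviceID, $_.VolumeSerialNumber
                        }) -join '; '
    }
} | Format-List
```

A hardware ID identifies a device model rather than one physical unit, so an exception keyed on it covers every device of that model; a serial number or instance path narrows the exception to a single device.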
About the Devices page
Use the tabs on this page to configure devices, interfaces, and manage exceptions.
Devices tab
Select a device, and in the Access column, select whether you want to Allow, Block, or Always allow the device.
Notify end user: Displays a message box when a user connects an unauthorized device.
Interfaces tab
Select an interface, and in the Access column, select whether you want to Allow or Block the device.
Block wireless LAN 802.11X: Blocks a wireless LAN 802.11X connection.
Notify end user: Displays a message box when a user connects an unauthorized device.
Exceptions tab
Use the exceptions tab to configure exceptions for detected devices. An exception allows a specific device to connect even if that device's class is blocked. Use the filters at the top of the Configure exception window to filter the list. Select the devices you want an exception for, and decide whether you want the exception based on the instance path or hardware ID. Add the selected exceptions by clicking Add to exception list.
About the Shadow copy page
Use this page to enable and configure shadow copy on managed devices configured with this setting.
Shadow copy lets you track what files have been copied to and from the device by making a duplicate (or shadow) copy of those files in a local directory.
- Enable shadow copy: Turns on shadow copy on managed devices with this setting.
- Log events only: Indicates that only the file copy activity is recorded in a log file, not the actual files that are being copied.
- Local cache settings: Specifies the location on the local drive where the shadow copy files and log file are stored.
- Exceptions: Click to create exceptions. You can add exceptions based on hardware ID, media serial, or bus type.
About the CD/DVD/Blu-ray page
Use this page to control CD/DVD/Blu-ray connections.
- CD/DVD/Blu-ray drives: Select the access level you want for these drives. Click Exceptions if you want exceptions for specific drives or drive types.
- Devices / Interfaces: Use the check boxes to block devices and interfaces from accessing the client.
- Exceptions: Click to create exceptions to blocked devices and interfaces. You can add exceptions based on hardware_id, class, service, enumerator, vendor_id, device_id, or vendor_device_id.
- CD / DVD drives: Specifies the access level for CD / DVD drives.
- Exceptions: Click to create exceptions to the access level for CD / DVD drives. You can add exceptions based on hardware ID, media serial, or bus type.
- Notify end users: Displays a message box when a user connects an unauthorized device.