Security Settings Description
DeviceLock provides the following security settings for devices:
Access control for USB HID - If enabled, allows DeviceLock Service to audit and control access to Human Interface Devices (mouse, keyboard, and so on) plugged into the USB port. Otherwise, even if the USB port is locked, Human Interface Devices continue to function as usual and audit is not performed for these devices.
Access control for USB printers - If enabled, allows DeviceLock Service to audit and control access to printers plugged into the USB port. Otherwise, even if the USB port is locked, printers continue to function as usual and audit is not performed for these devices.
Access control for USB scanners and still image devices - If enabled, allows DeviceLock Service to audit and control access to scanners and still image devices plugged into the USB port. Otherwise, even if the USB port is locked, these devices continue to function as usual and audit is not performed for these devices.
Access control for USB Bluetooth adapters - If enabled, allows DeviceLock Service to audit and control access to Bluetooth adapters plugged into the USB port. Otherwise, even if the USB port is locked, Bluetooth adapters continue to function as usual and audit is not performed for these devices.
This parameter affects audit and access control on the interface (USB) level only. If the device belongs to both levels, the permissions and audit rules (if any) for the type (Bluetooth) level will be applied anyway.
Access control for USB storage devices - If enabled, allows DeviceLock Service to audit and control access to storage devices (such as flash drives) plugged into the USB port. Otherwise, even if the USB port is locked, storage devices continue to function as usual and audit is not performed for these devices.
This parameter affects audit and access control on the interface (USB) level only. If the device belongs to both levels: interface and type, the permissions and audit rules (if any) for the type (Removable, Floppy, Optical Drive or Hard disk) level will be applied anyway.
Access control for USB audio devices - If enabled, allows DeviceLock Service to audit and control access to audio devices (such as headsets and microphones) plugged into the USB port. Otherwise, even if the USB port is locked, these devices continue to function as usual and audit is not performed for these devices.
Access control for USB cameras - If enabled, allows DeviceLock Service to audit and control access to Web cameras plugged into the USB port. Otherwise, even if the USB port is locked, these devices continue to function as usual and audit is not performed for these devices.
Access control for USB and FireWire network cards - If enabled, allows DeviceLock Service to audit and control access to network cards plugged into the USB or FireWire (IEEE 1394) port. Otherwise, even if the USB or FireWire port is locked, network cards continue to function as usual and audit is not performed for these devices.
Access control for FireWire storage devices - If enabled, allows DeviceLock Service to audit and control access to storage devices plugged into the FireWire port. Otherwise, even if the FireWire port is locked, storage devices continue to function as usual and audit is not performed for these devices.
This parameter affects audit and access control on the interface (FireWire) level only. If the device belongs to both levels: interface and type, the permissions and audit rules (if any) for the type (Removable, Floppy, Optical Drive or Hard disk) level will be applied anyway.
Access control for serial modems (internal & external) - If enabled, allows DeviceLock Service to audit and control access to modems plugged into the COM port. Otherwise, even if the COM port is locked, modems continue to function as usual and audit is not performed for these devices.
Access control for virtual Optical Drives - If enabled, allows DeviceLock Service to audit and control access to virtual (software emulated) CD/DVD/BD-ROMs. Otherwise, even if the CD/DVD/BD device is locked, virtual drives continue to function as usual and audit is not performed for these devices.
Access control for virtual printers - If enabled, allows DeviceLock Service to audit and control access to virtual printers which do not send documents to real devices, but instead print to files (for example, PDF converters). Otherwise, even if the physical printer is locked, virtual printers continue to print as usual and audit is not performed for them.
Access control for intra-application copy/paste clipboard operations - If enabled, allows DeviceLock Service to audit and control access to copy/paste operations within an application. Otherwise, even if the clipboard is locked, access control for copy/paste operations within one application is disabled and audit is not performed for them.
Block FireWire controller if access is denied - If enabled, allows DeviceLock Service to disable FireWire controllers when the Everyone account has No Access permissions for the FireWire port device type.
Switch PostScript printer to non-PostScript mode - If enabled, DeviceLock Service makes PostScript printers act like non-PostScript printers. This resolves an issue in which DeviceLock Service is unable to create a correct shadow copy of printed data and perform content analysis of data sent to printers that use a PostScript driver.
Treat TS forwarded USB devices as regular ones - If enabled, allows DeviceLock Service to control access to all USB devices redirected during a Citrix XenDesktop/MS RemoteFX session according to the rights set for the USB port device type. Otherwise, DeviceLock Service controls access to all USB devices redirected during a Citrix XenDesktop/MS RemoteFX session according to the USB Devices Access right set for TS Devices.
Access control for Bluetooth HID - If enabled, allows DeviceLock Service to audit and control access to Human Interface Devices (mouse, keyboard, and so on) connected via Bluetooth. Otherwise, even if Bluetooth is locked, Human Interface Devices continue to function as usual and audit is not performed for these devices.
This parameter affects audit and access control on the type (Bluetooth) level only. If the device belongs to both levels: interface and type, the permissions and audit rules (if any) for the interface (USB) level will be applied anyway.
Security Settings are similar to the device white list (see USB Devices White List (Regular Profile)) but there are three major differences:
1. Using Security Settings you can only allow a whole class of device. You cannot allow only a specific device model, while locking out all other devices of the same class.
For example, by disabling Access control for USB storage devices, you allow the use of all USB storage devices, no matter their model and vendor. By specifying the one USB Flash Drive model you want to allow on the devices white list, you ensure that all other USB storage devices remain locked out.
2. Using Security Settings you can only select from the predefined device classes. If the device does not belong to one of the predefined classes, then it cannot be allowed.
For example, there is no specific class for smart card readers in Security Settings, so if you want to allow a smart card reader when the port is locked, you should use the devices white list.
3. Security Settings cannot be defined on a per-user basis; they affect all users of the local computer. However, devices in the white list can be defined individually for every user and group.
 
Note: Security Settings work only for devices that use standard Windows drivers. Some devices use proprietary drivers, and their classes cannot be recognized by DeviceLock Service. Hence, access control to such devices cannot be disabled via Security Settings. In this case you may use the devices white list to authorize such devices individually (see USB Devices White List (Regular Profile)).
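The following Python sketch is an added example, not DeviceLock code. It is a simplified model of how the USB and FireWire class settings above interact with a locked port and with type-level permissions. The short class labels, the Device and evaluate names, and the treatment of unspecified settings as enabled are all assumptions of this example; the white list is not modeled.

```python
from dataclasses import dataclass
from typing import Optional

# Classes that have an "Access control for ..." setting on this page, keyed by
# (interface, class). The short class labels are this example's own.
PREDEFINED = {("USB", "HID"), ("USB", "printer"), ("USB", "scanner"),
              ("USB", "Bluetooth adapter"), ("USB", "storage"), ("USB", "audio"),
              ("USB", "camera"), ("USB", "network card"),
              ("FireWire", "network card"), ("FireWire", "storage")}

@dataclass
class Device:
    interface: str                   # "USB" or "FireWire"
    dev_class: Optional[str]         # None: no predefined or recognized class
    dev_type: Optional[str] = None   # type level, e.g. "Removable", "Bluetooth"

def evaluate(dev, control_enabled, locked_interfaces, denied_types):
    """Return (allowed, levels) where levels lists the levels that were
    enforced (and therefore audited) for this device.

    control_enabled:   {(interface, class): bool}, state of each setting;
                       missing keys count as enabled (assumption)
    locked_interfaces: interfaces (ports) where access is denied
    denied_types:      type-level device types where access is denied
    """
    key = (dev.interface, dev.dev_class)
    # Interface-level control is skipped only for a predefined class whose
    # setting is disabled; an unrecognized class can never be exempted here.
    exempt = key in PREDEFINED and not control_enabled.get(key, True)
    levels, allowed = [], True
    if not exempt:
        levels.append("interface")
        allowed = dev.interface not in locked_interfaces
    # Type-level permissions are applied "anyway" when the device has a type.
    if dev.dev_type is not None:
        levels.append("type")
        allowed = allowed and dev.dev_type not in denied_types
    return allowed, levels

# Constructed scenario: USB port locked, USB storage control switched off.
SETTINGS = {("USB", "storage"): False, ("USB", "HID"): True}
LOCKED = {"USB"}
flash = Device("USB", "storage", "Removable")
reader = Device("USB", None)         # e.g. smart card reader, no predefined class
keyboard = Device("USB", "HID")

if __name__ == "__main__":
    for name, dev in [("flash", flash), ("reader", reader), ("keyboard", keyboard)]:
        print(name, evaluate(dev, SETTINGS, LOCKED, {"Removable"}))
```

In this scenario the flash drive bypasses the locked USB port but is still denied by the Removable type-level rule, while the smart card reader stays blocked because no setting exists for its class.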