White-Listed Devices

When you select a user or group under the USB Devices White List node in the console tree, the details pane lists the devices included in the white list for that user or group.

•Manage - Depending on whether the device is in the regular or offline white list, opens a dialog box that allows you to define the online (regular) or offline USB Devices White List.

•USB Devices Database - Opens a dialog box where you can add devices to the USB Devices Database, making them available for adding to the white list.

•Reinitialize - Select this flag to force the white-listed device to reinitialize (replug) when a new user logs in. Some USB devices (such as the mouse) cannot work without reinitializing, so it is recommended to select this flag for non-storage devices. It is also advisable to clear this flag for data storage devices (flash drives, optical drives, external hard drives, etc.).

Important: DeviceLock Service can’t reinitialize USB devices whose drivers do not provide for software replug of device. If there is no access to such a device from the white list, the user must remove the device from the USB port and then insert it back to restart the driver.

•Control As Type - When this flag is selected, access control for white-listed devices is disabled only at the interface (USB) level. If the white-listed device (e.g. USB Flash Drive) belongs to both levels: interface (USB) and type (Removable), the permissions as well as auditing, shadowing and alerts settings (if any) for the type level will be applied anyway. Otherwise, if this flag is cleared, access control at the type level is also disabled. For example, by clearing the Control As Type flag for a USB Flash Drive you can bypass security checking at the Removable device type level.

•Read-only - When this flag is selected, only read access to the white-listed storage device is allowed. If the device doesn’t support read-only access then access to the device is blocked.

•Allow Audit & Shadowing as Type - Enables auditing, shadowing and alerting for the white-listed device at the type level according to settings defined in Auditing, Shadowing & Alerts, for all device types this device belongs to.

Attempts to use a removable device added to the USB Devices White List may fail with the “Access is denied” error. This issue is usually because the user does not have permission for removable devices. Note that permission check for removable USB devices is performed at both the interface level (USB port) and type level (Removable). If the user is not allowed to use removable devices, whitelisting such a device will not suffice unless permission control by device type is disabled in the white list.

To resolve the issue, grant the user permission to access removable devices (for instructions on how to set permissions, see Permissions (Regular Profile)), or clear the Control As Type flag for the given whitelisted device.

If the same device is added to the white list for different users, then changing the Control As Type flag for this device for one of the users will change it for all users as well. The Control As Type and Reinitialize flags apply to devices, not users, so changing them affects all users for whom this device is whitelisted.

It is not possible to set the Control As Type flag differently for different users of the same device. As a workaround, you can define the device as unique for some users and define it as a model for others (for more information on identifying USB devices, see Device Model vs. Unique Device). In this way, you can create two white list entries for the same device with different Control As Type flag settings.