5.2 Communication Hardware Policy

The following instructions assume that you are on the Configure Communication Hardware Settings page in the Create New Communication Hardware Policy Wizard (see Creating Security Policies) or that you are on the Details page for an existing Communication Hardware policy (see Editing a Policy’s Details).

The Communication Hardware policy controls access for communication hardware, including being able to completely disable a hardware type (Bluetooth, wired, wireless, and so forth) or limit a hardware type to specific adapters.

5.2.1 Configure Communication Hardware Settings

This panel lets you control which communication hardware is enabled on a device.

General Settings

The General Settings let you configure the access for the following communication hardware:

  • 1394 (FireWire): Controls the IEEE 1394 bus.

  • IrDA: Controls the infrared access port.

  • Bluetooth: Controls Bluetooth access if the device is using the Widcomm Bluetooth Stack software driver to provide the access. Other Bluetooth drivers are not supported.

  • Serial: Controls the serial communication ports.

  • Parallel: Controls the parallel communication ports.

  • Dialup/Cellular: Controls the dialup and cellular adapters.

  • Wired: Controls the wired network adapters.

  • Wi-Fi: Controls the Wi-Fi network adapters.

  • Virtual: Controls the virtual network adapters. Virtual network adapters are programs (rather than actual physical adapters) that allow devices to connect to a network. Virtual private network (VPN) software uses virtual network adapters.

Choose from the following options to configure the communication hardware access. Not all of the options are available for each hardware type.

  • Enable: Enable access for the hardware. If you select this option for dialup/cellular, wired, or Wi-Fi hardware in a location-based policy, you can use the Approved Adapters list to restrict access to specific adapters.

  • Disable: Disable access for the hardware.

  • Inherit: If the policy’s Inherit from Policy Hierarchy setting is enabled, inherit this setting from other Communication Hardware policies assigned higher in the policy hierarchy. For example, if you assign this policy to a user, the setting is inherited from any Communication Hardware policies assigned to the user’s groups, folders, or zone.

  • Disable Dialup/Cellular When Wired: Disable dialup and cellular access if a wired connection is enabled.

  • Disable Wi-Fi When Wired: Disable Wi-Fi access if a wired connection is enabled.

Approved Adapters

By default, if you allow access for dialup, wired, or wireless hardware, all adapters are allowed. If you want to allow only specific adapters, you can add the adapters to the appropriate Approved Adapters lists (wired, Wi-Fi, or dialup).

When you add an adapter to a list (Wired, Wi-Fi, or Dialup), only the adapters in the approved list are allowed. For example, if you add Adapter1 and Adapter2 to the Approved Wi-Fi Adapters list, those two adapters are the only Wi-Fi adapters that are allowed communication access.

The following table provides instructions for managing the approved adapter lists:

Task

Steps

Add an adapter

  1. Click the tab (Approved Wired Adapters, Approved Wi-Fi Adapters, or Approved Dialup/Cellular Adapters) where you want to add the adapter.

  2. Click Add.

  3. Fill in the following fields to define the adapter:

    Name: Specify the adapter name. Names are not case sensitive.

    The Name field is a partial match field, meaning that the name only needs to match any part of an adapter’s name for that adapter to be approved. For example, Adapter1 not only matches Adapter1 but also matches Adapter10 and Acme Adapter100. The more complete the name, the more limited the matches.

    MAC Address: This field applies only to Wi-Fi and wired adapters; it does not apply to dialup/cellular adapters.

    The MAC address, which is a unique identifier assigned by the manufacturer of the network adapter, is optional. You can use it to more narrowly identify the adapter you want to approve.

    Specify the MAC address using the following format: xx:xx:xx:xx:xx:xx. For example, 01:C0:23:45:67:89.

  4. Click OK to add the adapter to the approved list.

Modify an adapter’s settings

  1. Click the tab (Approved Wired Adapters, Approved Wi-Fi Adapters, or Approved Dialup/Cellular Adapters) with the adapter you want to modify.

  2. Click the adapter name.

  3. Modify the settings as desired.

  4. Click OK to save the changes.

Remove an adapter

  1. Click the tab (Approved Wired Adapters, Approved Wi-Fi Adapters, or Approved Dialup/Cellular Adapters) with the adapter you want to remove.

  2. Select the check box next to the adapter name, then click Delete.

  3. Click OK to confirm removal of the adapter.
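
Because the Name field is a partial match, a short approved name can approve more adapters than intended. The following added example (not product code) models the matching described above so that a proposed approved list can be checked against an adapter inventory before it is deployed. The inventory data is constructed, and the rule that a supplied MAC address must match in addition to the name is an assumption about how the two fields combine.

```python
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")  # xx:xx:xx:xx:xx:xx

def valid_mac(mac):
    """Check the documented MAC address format."""
    return bool(MAC_RE.match(mac))

def entry_matches(entry, adapter):
    """True if an approved-list entry approves the adapter.

    Name: case-insensitive partial (substring) match, as documented.
    MAC: optional; when present it must also match (assumed semantics).
    """
    if entry["name"].lower() not in adapter["name"].lower():
        return False
    mac = entry.get("mac")
    if mac:
        if not valid_mac(mac):
            raise ValueError(f"MAC not in xx:xx:xx:xx:xx:xx format: {mac!r}")
        return mac.lower() == adapter["mac"].lower()
    return True

def audit(approved, inventory):
    """Map each approved entry name to the inventory adapters it approves."""
    return {e["name"]: [a["name"] for a in inventory if entry_matches(e, a)]
            for e in approved}

def overbroad(approved, inventory):
    """Names of entries that approve more than one adapter in the inventory."""
    return sorted(n for n, hits in audit(approved, inventory).items()
                  if len(hits) > 1)

# Constructed sample inventory (not from any real deployment).
INVENTORY = [
    {"name": "Adapter1", "mac": "01:C0:23:45:67:89"},
    {"name": "Adapter10", "mac": "01:C0:23:45:67:8A"},
    {"name": "Acme Adapter100", "mac": "02:AA:BB:CC:DD:EE"},
    {"name": "Acme USB Wi-Fi Dongle", "mac": "02:AA:BB:CC:DD:EF"},
]
LOOSE = [{"name": "adapter1"}]                              # name only
TIGHT = [{"name": "Adapter1", "mac": "01:c0:23:45:67:89"}]  # name plus MAC

if __name__ == "__main__":
    print(audit(LOOSE, INVENTORY))  # three adapters approved
    print(audit(TIGHT, INVENTORY))  # one adapter approved
```

Any entry reported by overbroad() is a candidate for a more complete name or an added MAC address.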

5.2.2 Disable Adapter Bridging Control Settings

This panel lets you prevent a device’s network adapters from being bridged. Bridging, which enables the device to act as a hub for access to multiple network segments, can create a significant breach in your network security.

Adapter Bridging

Select one of the following options:

  • Enable: Enables adapter bridging.

  • Disable: Disables adapter bridging.

  • Inherit: If the policy’s Inherit from Policy Hierarchy setting is enabled, inherit this setting from other Communication Hardware policies assigned higher in the policy hierarchy. For example, if you assign this policy to a user, the setting is inherited from any Communication Hardware policies assigned to the user’s groups, folders, or zone.

Use Disable Adapter Bridging Message

This setting is available only if adapter bridging is disabled.

Select this option to display a message dialog box when adapter bridging is disabled and a user attempts to create a bridge. Use the Title of Message Window, Body, and Message Hyperlink fields to create the message you want displayed.