35.4 USB Device Access Settings

The device groups use one attribute (Device Class) as the match criterion. If you have devices whose access you want to control based on matching different or additional attributes, you can use the USB Device Access Settings list.

The individual device access settings override the device group access settings. For example, assume that the only mass storage device you want to allow is the Acme USB2 drive. In the Device Group Access Settings, you set Mass Storage Class to Disable. You then add the Acme USB2 to the USB Device Access Settings list and set the access to Enable. The individual setting for the Acme USB2 overrides its group setting, so the device is allowed.

Devices are evaluated against the USB Device Access Settings list from top to bottom. A device is assigned the access setting for the first device definition it matches, even if it matches another definition lower in the list. For example, assume that you want to disable all SanDisk devices except for the SanDisk Ultra. You add the SanDisk Ultra to the list and set the access to Enable. You then add a general SanDisk definition to the list and set the access to Disable. As long as the SanDisk Ultra definition is listed before the SanDisk definition in the list, the SanDisk Ultra is allowed.

The following table provides instructions for managing the USB Device Access Settings list:

Task	Steps	Additional Details
Create a new device	Click Add > Create New. Select the access you want assigned to the device: Disable: Disable access. Enable: Enable access. Default Device Access: Give the device the access specified by the Default Device Access setting. (Optional) Add a comment to further identify the device. The Comment field is not a match field. It is used only in ZENworks Control Center to identify the device. On the Recommended tab, fill in the fields you want to use as match criteria for the device. On the Advanced tab, fill in the fields you want to use as match criteria for the device. Click OK to add the device to the list.	The fields on the Recommended tab are typically sufficient to use for the match criteria. As a best practice, we recommend that you use the fewest number of fields needed to accurately match the device. The more fields you use, the more restrictive the definition becomes. The Manufacturer, Product, and Friendly Name fields are substring match. For example, “San”, and “SanDisk” both match all SanDisk devices while “SanDisk Cruzer” and “Cruzer” match all SanDisk Cruzer devices but excludes all other SanDisk devices. The Serial Number, Vendor ID, and Product ID fields are exact match. Be aware that not all devices have unique serial numbers. To guarantee a unique match based on a serial number, use the Vendor ID and Product ID fields as well. The Recommended fields are not case sensitive. The fields on the Advanced tab can be used to refine the match criteria in order to isolate very specific devices. Use of these fields can literally restrict a device definition so that it only matches a single device on a specific USB port on a specific computer. All of the Advanced fields are exact match. They are not case sensitive.
Copy an existing device from another policy	Click Add > Copy Existing. Select the USB Connectivity policies whose devices you want to copy. Click OK.	All devices included in the other USB Connectivity policies are copied. If necessary, you can edit the copied devices after they are added to the list.
Import a device from a policy export file	Click Add > Import. In the Select Source of Data list, make sure that Existing Policy/Component is selected. In the Select the Exported File field, click to display the Select File dialog box. Click Browse, select the export file, then click Open. Click OK to add the devices to the list.	All devices included in the export file are imported. If necessary, you can edit the imported devices after they are added to the list. For information about exporting devices, see Export a device.
Import a device from a Device Scanner file	Click Add > Import. In the Select Source of Data list, select ZESM Device Scanner Tool. In the Select the Data File field, click to display the Select File dialog box. Click Browse, select the export file, then click Open. Click OK. Select the fields you want to import for each device in the data file.* The recommended fields are selected by default. As a best practice, we recommend that you import the fewest number of fields needed to accurately match the device. The more fields you use, the more restrictive the definition becomes. Click OK to import the devices.	* The Access field must be selected on import if you want the access setting that is defined in the Device Scanner file to map to the USB Device Access Setting. For information on how Access settings map, see Access Import Mapping.. For information about using the Device Scanner to collect data about USB devices, see Device Scanner in the ZENworks 11 SP4 Endpoint Security Utilities Reference.
Enable or disable a device	Locate the device in the list In the Enabled column, select the check box to enable the device. or Deselect the check box to disable the device.	When you add a device, it is enabled by default. You can disable a device to save it in the policy but no longer have it applied.
Edit a device	Click the device name. Modify the fields as desired. Click OK.
Rename an device	Select the check box next to the device name, then click Edit > Rename. Modify the name as desired. Click OK.
Export a device	Select the check box next to the device name. You can select multiple devices to export. Click Edit > Export. Save the file. The default name given to the file is sharedComponents.xml. You can change the name if desired. Do not change the .xml extension.
Delete a device	Select the check box next to the device name, then click Delete. Click OK to confirm deletion of the device.

Access Import Mapping

Device Scanner Access Setting	USB Device Access Setting
Allow	Enable
Block	Disable
Always Allow	Enable
Always Block	Disable
Default Access	Default Device Access