Skip to main content

Managing permission rules and exclusions

Device Control allows managing device permissions as follows:

Note

Availability and functioning of this feature may differ depending on the license included in your current plan.

Rules

The Rules section allows defining the permissions for devices connected to the target endpoints.

policies_device_control_rules_p_48263_en.png

To set permissions for the type of device that you want:

  1. Go to Device Control > Rules.

  2. Click the device name in the available table.

  3. Select one permission type from the available options. The available set of permissions may vary according to the device type:

    • Allowed: the device can be used on the target endpoint.

    • Blocked: the device cannot be used on the target endpoint. In this case, each time the device is connected to the endpoint, the security agent will prompt a notification stating that the device has been blocked.

      Important

      Connected devices previously blocked are not automatically unblocked by changing the permission to Allowed. The user must restart the system or reconnect the device to be able to use it.

    • Read-Only: only the read functions can be used with the device.

    • Custom: define different permissions for each type of port from the same device, such as Firewire, ISA Plug & Play, PCI, PCMCIA, USB, etc. In this case, the list of components available for the selected device is displayed, and you can set the permissions that you want for each component.

      For example, for External Storage, you can block only USB, and allow all the other ports to be used.

      policies_device_control_rules_external_device_cpo_48263_en.png

Exclusions

After setting the permission rules for different types of devices, you may want to exclude certain devices or product types from these rules.

policies_device_control_exclusions_cp_48263_en.png

You can define device exclusions:

  • By Device ID (or Hardware ID), to designate individual devices that you want to exclude.

  • By Product ID (or PID), to designate a range of devices produced by the same manufacturer.

To define device rule exclusions:

  1. Go to Device Control > Exclusions.

  2. Enable the Exclusions option.

  3. Click the add.pngAdd button at the upper side of the table.

  4. Select the method you want to use for adding exclusions:

    • Manually - In this case, you need to enter each Device ID or Product ID that you want to exclude, provided you have at hand the list of appropriate IDs:

      1. Select the exclusion type (by Product ID or by Device ID).

      2. In the Exclusions field, enter the IDs that you want to exclude.

        Note

        Quotation marks are not required when entering the exclusion path.

      3. In the Description field, enter a name that will help you identify the device or the range of devices.

      4. Select the permission type for specified devices (Allowed or Blocked).

      5. Click Save.

      Note

      You can manually configure wildcard exclusions based on Device ID, by using the syntax wildcards:deviceID. Use the question mark (?) to replace one character, and the asterisk (*) to replace any number of characters in the deviceID. For example, for wildcards:PCI\VEN_8086*, all devices containing the string PCI\VEN_8086 in their ID will be excluded from the policy rule.

      Exclusions based on wildcards are not supported on macOS.

    • From discovered devices - In this case, you can select the Devices IDs or Product IDs to exclude from a list of all discovered devices in your network (concerning the managed endpoints only):

      1. Select the exclusion type (by Product ID or by Device ID).

      2. In the Exclusions table, select the IDs that you want to exclude:

        • For Device IDs, select each device to exclude from the list.

        • For Product IDs, by selecting one device, you will exclude all the devices having the same Product ID.

      3. In the Description field, enter a name that will help you identify the device or the range of devices.

      4. Select the permission type for specified devices (Allowed or Blocked).

      5. Click Save.

    Important

    • Devices already connected to endpoints at the Bitdefender Endpoint Security Tools installation will be discovered only after restarting the corresponding endpoints.

    • Connected devices previously blocked are not automatically unblocked by setting an exception with the permission Allowed. The user must restart the system or reconnect the device to be able to use it.

All device exclusions will appear in the Exclusions table.

To remove an exclusion:

  1. Select the exclusion in the table.

  2. Click the Delete button at the upper side of the table.

    policies_device_control_exclusions_delete_cp_48263_en.png

    The exclusion is deleted without requiring confirmation.