How to use Application and Device Control to block all USB devices except those I specifically want to allow

Article:TECH105770  |  Created: 2008-01-30  |  Updated: 2009-01-11  |  Article URL http://www.symantec.com/docs/TECH105770
Article Type
Technical Solution

Product(s)

Issue



How to block all the USB type devices (e.g. mice, keyboards, USB drives, etc), yet allow a single specific device (such as an Administrator's USB key) to function


Solution



Before you create the exception, you'll need to gather the Hardware ID from the specific device.

**NOTE**

You must create exclusions for each individual device. If there are, for example, 15 different Administrator USB keys, you will need to create 15 different exclusions, one for each device. The only other alternative to this is to not block all USB devices.

Gather the Device ID of device(s) to exclude using the DevViewer tool:
  1. Double click DevViewer.exe tool located on CD2 in the /Tools/NoSupport/DevViewer folder.
  2. Plug in the device you want to gather the Device ID from.
  3. Run the DevViewer.exe tool and browse to find the device. USB keys are, for example, located under Universal Serial Bus controllers/USB Mass Storage Device
  4. Select the device, and on the right you will see information about the device.
  5. Copy down the entire Device ID. The Device ID should look similar to this:

    USB\VID_054C&PID_0243\1206092800314
  6. Exit the DevViewer Tool.

Create the exclusion:
  1. Open the Symantec Endpoint Protection Manager (SEPM) console.
  2. Click Policies.
  3. Click Policy Components.
  4. Click Hardware Devices.
  5. Click Add a Hardware Device...
  6. Enter a name for the exclusion.
  7. Click Device ID.
  8. Enter the Device ID exactly as seen in the DevViewer tool.
  9. Click OK.

Assign the exclusion:
  1. Click Policies.
  2. Click Application and Device Control.
  3. Double click the policy you wish to edit.
  4. Click Device Control.
  5. In Devices Excluded From Blocking, click Add.
  6. Click the exclusion you created earlier, then click OK.
  7. Click OK.

**NOTE**

While not required, it is advisable to set up a message using Notify users when devices are blocked. This will let users know when Application and Device control blocks access to a device, rather than simply blocking it and not letting the user know.





Legacy ID



2008083110540548


Article URL http://www.symantec.com/docs/TECH105770


Terms of use for this information are found in Legal Notices