About access rules

Device access rule is the setting that determines which users can access devices that are installed on the client device or connected to it, as well as the time when users can access these devices.

For each device type, you can specify the following access modes: Allow, Block, or DependsOnBus. If the DependsOnBus value is specified, access to the device is defined by the connection bus access rule.

For some device types, you can also specify the ByRule access mode, which means that access to the device is determined by a configured access rule. If you try to perform an operation with a device for which the access mode is set to ByRule but there is no rule active at the time of access, the operation will be blocked.

A connection bus access rule allows or blocks access to the connection bus (USB or FireWire). For each connection bus, you can specify the following access modes: Allow or Block. For example, you can allow or block connection of all USB devices. You can also limit access to specific USB devices or only to USB drives; access to other USB devices is denied.

Examples:

To deny access to all USB devices except the specified one, specify the following settings:

In the [DeviceBus] section, specify USB=Block

In the [TrustedDevices.item_#] section, specify DeviceId=<device ID>

To deny access to all USB devices, but allow access to all USB drives, specify the following settings:

In the [DeviceBus] section, specify USB=Block

In the [TrustedDevices.item_#] section, specify DeviceId=USBSTOR*

By default, device access rules are created for all types of devices according to the classification of the Device Control component. Such rules grant users full access to devices if access to the connection buses of the respective device types is allowed.

You can edit device access rules and connection bus access rules.

Page top