Device Control allows configuring user access to local and network printers.
Local printer control
Kaspersky Embedded Systems Security controls local printer connection over the following buses: USB, Serial Port (COM), Parallel Port (LPT).
Kaspersky Embedded Systems Security controls the connection of local printers to COM and LPT ports only on the level of the bus. That is, to prevent the connection of printers to COM and LPT ports, for the Local printers device type, select the Depends on connection bus mode and prohibit the connection of devices to COM and LPT buses.
For printers connected to USB, the application exercises control on two levels: device type (local printers) and connection bus (USB).
You can select one of the following access modes to local printers via USB:
Allow. Kaspersky Embedded Systems Security grants full access to local printers to all users. Users can connect printers and print documents using the means that the operating system provides.
Block. Kaspersky Embedded Systems Security blocks the connection of local printers. The application allows connecting only trusted printers.
Depends on connection bus. Kaspersky Embedded Systems Security allows connecting to local printers in accordance with the USB bus connection status (Allow or Block).
By rules. To control printing, you must add printing rules. In the rules, you can select users or a group of users for which you want to allow or block access to printing documents on local printers.
Network printer control
Kaspersky Embedded Systems Security allows configuring access to printing on network printers. You can select one of the following access modes to network printers:
Allow and do not log. Kaspersky Embedded Systems Security does not control printing on network printers. The application grants access to printing to all users and does not save information about printing to the event log.
Allow. Kaspersky Embedded Systems Security grants access to printing on network printers to all users.
Block. Kaspersky Embedded Systems Security restricts access to network printers for all users. The application allows access only to trusted printers.
By rules. To control printing, you must add printing rules. In the rules, you can select users or a group of users for which you want to allow or block access to printing documents on network printers.
In the Kaspersky Security Center Administration Console tree, select the Policies folder.
Select the necessary policy and double-click to open the policy properties.
In the policy properties window, select Local activity control.
In the Device Control section, click Settings.
Select the Device Control check box.
In the Operating mode for blocking rules block, select Block or Inform.
Under Device Control settings, select the Types of devices tab.
The Types of devices tab shows access rules for all devices that are included in the Device Control component classification.
Configure the printer access rules:
For Local printers and Network printers device types, configure access rules: Allow, Block, Allow and do not log (only for network printers), Depends on connection bus (only for local printers), By rules.
If you select the Depends on connection bus access mode, you must configure access rules for connection interfaces on the Connection buses tab.
If you select the By rules access mode, you must configure printing rules:
Double-click the Local printers and Network printers device type to open access rule properties.
Select the users or groups of users to which you want to apply the printing rule. To do so, click the Add button.
This opens a window for adding a new printing rule.
Assign a priority to the rule entry. A rule entry includes the following attributes: user account, action (allow/block), and priority.
A rule has a specific priority. If a user has been added to multiple groups, Kaspersky Embedded Systems Security regulates device access based on the rule with the highest priority. Kaspersky Embedded Systems Security allows to assign priority from 0 to 10,000. The higher the value, the higher the priority. In other words, an entry with the value of 0 has the lowest priority.
For example, you can grant read-only permissions to the Everyone group and grant read/write permissions to the administrators group. To do so, assign a priority of 1 for the administrators group and assign a priority of 0 for the Everyone group.
The priority of a block rule is higher than the priority of an allow rule. In other words, if a user has been added to multiple groups and the priority of all rules are the same, Kaspersky Embedded Systems Security regulates device access based on any existing block rule.
Under Action, configure user access to printing on the printer.
Click Users and groups and select users or groups of users for access to printing. You can select users in Active Directory, in the list of accounts in Kaspersky Security Center, or by entering a local user name manually. Kaspersky recommends using local user accounts only in special cases when it is not possible to use domain user accounts.
Click OK.
Save your changes. To apply the policy on computers, close the locks .
In the main window of the Web Console, select Assets (Devices) → Policies & profiles.
Click the name of the Kaspersky Embedded Systems Security policy.
The policy properties window opens.
Select the Application settings tab.
Go to Local activity control → Device Control and click the Configure button.
The Device Control window opens.
Select the Enable Device Control check box.
In the Operating mode for blocking rules block, select Block or Inform.
In the Device Control Settings block, click Access rules for devices and Wi-Fi networks.
A window opens with access rules for all devices that are included in the Device Control component classification.
Configure the printer access rules:
For Local printers and Network printers device types, select an access mode: Allow, Block, Allow and do not log (only for network printers), Depends on connection bus (only for local printers), By rules.
If the access mode is not available in the drop-down menu, open the properties of the access rule by double-clicking the device type.
If you select the Depends on connection bus access mode, you must go back to the window with general Device Control settings, click Connection buses, and configure access rules for connection interfaces.
If you need to configure printing:
Double-click the Local printers or Network printers device type to open access rule properties.
Select the By rules access mode.
Select the users or groups of users to which you want to apply the printing rule. To do so, click the Add button.
This opens a window for adding a new printing rule.
Assign a priority to the rule entry. A rule entry includes the following attributes: user account, action (allow/block), and priority.
A rule has a specific priority. If a user has been added to multiple groups, Kaspersky Embedded Systems Security regulates device access based on the rule with the highest priority. Kaspersky Embedded Systems Security allows to assign priority from 0 to 10,000. The higher the value, the higher the priority. In other words, an entry with the value of 0 has the lowest priority.
For example, you can grant read-only permissions to the Everyone group and grant read/write permissions to the administrators group. To do so, assign a priority of 1 for the administrators group and assign a priority of 0 for the Everyone group.
The priority of a block rule is higher than the priority of an allow rule. In other words, if a user has been added to multiple groups and the priority of all rules are the same, Kaspersky Embedded Systems Security regulates device access based on any existing block rule.
Under Action, configure user access to printing on the printer.
Under Users and groups, click Add and select users or groups of users for access to printing. You can select users in Active Directory, in the list of accounts in Kaspersky Security Center, or by entering a local user name manually. Kaspersky recommends using local user accounts only in special cases when it is not possible to use domain user accounts.
Click OK.
Save your changes. To apply the policy on computers, close the locks .
In the Kaspersky Embedded Systems Security Console tree, select Computer Control → Device Control.
In the results pane of the Device Control node, click Properties.
The Properties:Device Control window opens.
Select the Device Control check box.
In the Operating mode for blocking rules block, select Block or Inform.
Under Device Control settings, select the Types of devices tab.
A window opens with access rules for all devices that are included in the Device Control component classification.
Configure the printer access rules:
For Local printers and Network printers device types, configure access rules: Allow, Block, Allow and do not log (only for network printers), Depends on connection bus (only for local printers), By rules.
If you select the Depends on connection bus access mode, you must configure access rules for connection interfaces on the Connection buses tab.
If you select the By rules access mode, you must configure printing rules:
Double-click the Local printers and Network printers device type to open access rule properties.
Select the users or groups of users to which you want to apply the printing rule. To do so, click the Add button.
This opens a window for adding a new printing rule.
Assign a priority to the rule entry. A rule entry includes the following attributes: user account, action (allow/block), and priority.
A rule has a specific priority. If a user has been added to multiple groups, Kaspersky Embedded Systems Security regulates device access based on the rule with the highest priority. Kaspersky Embedded Systems Security allows to assign priority from 0 to 10,000. The higher the value, the higher the priority. In other words, an entry with the value of 0 has the lowest priority.
For example, you can grant read-only permissions to the Everyone group and grant read/write permissions to the administrators group. To do so, assign a priority of 1 for the administrators group and assign a priority of 0 for the Everyone group.
The priority of a block rule is higher than the priority of an allow rule. In other words, if a user has been added to multiple groups and the priority of all rules are the same, Kaspersky Embedded Systems Security regulates device access based on any existing block rule.
Under Action, configure user access to printing on the printer.
Click Users and groups and select users or groups of users for access to printing. You can select users in Active Directory, in the list of accounts in Kaspersky Security Center, or by entering a local user name manually. Kaspersky recommends using local user accounts only in special cases when it is not possible to use domain user accounts.
or Block 
).
. Kaspersky Embedded Systems Security does not control printing on network printers. The application grants access to printing to all users and does not save information about printing to the event log.
.
.