Creating and Editing Device Control Rules 

Create and edit rules for a specific EDR Profile to allow or block devices based on device identifiers.

When you create a rule, it applies to the currently selected EDR Profile.

On Windows, if a USB device is already connected to an endpoint, new rules and rule changes do not affect it. Rules will apply the next time the device connects to the endpoint.

On macOS, changes apply to devices that are already connected to an endpoint.

Notes on Rules for Bluetooth

  • Rules for the Bluetooth interface are based on Bluetooth device attributes
  • On Windows, explicit rules for Bluetooth LE (Low Energy) devices based on Hardware attributes or Device version are not supported. You can block all LE devices from connecting to endpoints by setting a rule that blocks all devices whose Interface is Bluetooth.
  • For Windows Bluetooth rules, the device and endpoint must be paired after the SW EDR Agent that supports Bluetooth is installed or upgraded. If the endpoint and device were already paired before the Agent supported Bluetooth, reboot the endpoint to activate the rule, or re-pair the endpoint and device.

Device Control Rule Attributes for all Rules

Interface
  Description: Physical interface to which the rule applies
  Values: USB or Bluetooth

Rule Name
  Description: A descriptive name
  Values: Free text, up to 50 characters. Must be unique within the EDR Policy

Rule Type
  Description: USB device - its Class or vendor/serial/product identifier. Bluetooth device - its version number or hardware identifier
  Values: See the Device Control Rule Attributes per Interface table below

Scope
  Description: The scope for which the rule applies
  Values: Pre-set as the EDR Profile you have accessed

Action
  Description: Defines if Agents Block or Allow use of devices that match the rule parameters
  Values:
    • Allow Read & Write
    • Allow Read Only
    • Block

Status
  Description: State of the rule
  Values:
    • Enabled - Active (if Device Control is enabled)
    • Disabled - Not active

Device Control Rule Attributes per Interface

Class
  Description: Device Class as defined by the Interface standard (USB Device Class or Bluetooth Major Device Class)
  Interface: USB, Bluetooth
  Values: Class selected from the list, or Any if not defined
  USB: If you select a class that applies to the whole device, the whole device is blocked. If you select a class that only applies to one interface of a device, the other interfaces will still be available

Minor Class
  Description: Minor Device Class, as defined by the Interface standard (Bluetooth Minor Device Class)
  Interface: Bluetooth
  Values: First select a Class, then select a Minor class from the list

Vendor ID
  Description: Vendor Identifier
  Interface: USB, Bluetooth
  Values: Free text for relevant devices or Any if not defined

Product ID
  Description: Product Identifier, unique for a specific product module, per vendor ID, and Interface
  Interface: USB, Bluetooth
  Values: Free text for relevant devices or Any if not defined

Serial ID
  Description: Unique identifier of some physical USB devices
  Interface: USB
  Values: Free text for relevant devices or Any if not defined
  Supported for USB mass storage devices only (support for all Device Classes will be added in future releases). N/A for other devices

Bluetooth version
  Description: Select to define a Bluetooth rule by a Bluetooth standard version (which is also the Bluetooth LMP version)
  Interface: Bluetooth
  Values: Select version
  For Allow rules, that version and higher are allowed
  For Block rules, that version and lower are blocked

Note: If the IDs of a device change, for example, due to a firmware upgrade, rules that were defined for the previous IDs will not work. Create new rules for the new IDs, or create rules based on Class.

Rule Creation

To create a rule:

  1. Open the EDR Policy where a rule is to be added
  2. Navigate to the Device Control tab
  3. Click New rule. It does not matter which rule set (USB or Bluetooth) is currently shown; you can create new rules for either interface
  4. In the New Rule dialog, enter the details of the rule:
    • Rule name - Enter a descriptive name for the rule. The rule name must be different from the other rule names in the EDR Policy
    • Best Practice: Include the reason for the rule in the name to aid identification later

    • Interface - Select the type of device to which the rule applies.
    • Rule Type - Select the criteria for the rule.
    • Scope - This is taken automatically from the currently selected EDR Policy
    • Action - define if Agents block or allow use of devices that match the rule parameters
      • Bluetooth - Allow or Block
      • USB - Allow Read & Write, Allow Read Only or Block

    On Windows and macOS, Allow Read Only is supported only on USB Mass Storage devices that are identified in the operating system as Hard Disk Controller, Disk Drive, or CDROM. Device Control does not apply to objects that do not match these identifiers.

    Windows identifies these devices by their class:

    • USB Device Class = Mass Storage Device
    • Microsoft Device Setup Class = HDC, DiskDrive, CDROM
  5. Click Continue to define the specifics of the device identifiers
  6. For example, if you selected USB Interface, and Class as the Rule Type, select the class, such as Video or Mass Storage

    If you selected Bluetooth Interface and Hardware Identifiers, click Specific and define one of the identifiers

  7. (Optional): Add more specific identifiers - If you add more identifiers, the rule only applies if all identifiers match a device
  8. Identifiers that are not explicitly defined are set to the default value, which is Any

  9. Select whether or not to Enable rule immediately after saving
  10. Click Save rule

Enable or Disable a rule

  • If a rule is Disabled - it is never active but shows in the policy with the Disabled Status
  • If a rule is Enabled - it is active if Device Control is enabled
    • If Device Control is disabled for the current EDR Profile, the rule keeps the status Enabled but is not active - It will become active automatically if Device Control is enabled.
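
The rule semantics described in the Rule Creation procedure and in the Enable or Disable list above, as an added Python model (not the product's own code): every identifier a rule defines must match the device, undefined identifiers default to Any, a Bluetooth version bound covers that version and higher for Allow rules and that version and lower for Block rules, and an Enabled rule is not active while Device Control is off for the profile. The attribute names are assumptions, and any vendor, product or serial values used with it are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional

ANY = "Any"  # default for every identifier that is not explicitly defined


@dataclass
class Rule:
    name: str
    interface: str          # "USB" or "Bluetooth"
    action: str             # "Allow Read & Write", "Allow Read Only", "Allow" or "Block"
    device_class: str = ANY
    vendor_id: str = ANY
    product_id: str = ANY
    serial_id: str = ANY
    bt_version: Optional[float] = None  # Bluetooth standard (LMP) version; Bluetooth rules only
    enabled: bool = True    # Status: Enabled or Disabled

@dataclass
class Device:
    interface: str
    device_class: str
    vendor_id: str
    product_id: str
    serial_id: str = ""
    bt_version: Optional[float] = None

def rule_matches(rule: Rule, dev: Device) -> bool:
    """A rule matches only if every identifier it defines matches the device."""
    if rule.interface != dev.interface:
        return False
    for attr in ("device_class", "vendor_id", "product_id", "serial_id"):
        wanted = getattr(rule, attr)
        if wanted != ANY and wanted != getattr(dev, attr):
            return False
    if rule.bt_version is not None:
        if dev.bt_version is None:
            return False
        # Allow rules cover that version and higher; Block rules cover it and lower.
        if rule.action.startswith("Allow"):
            return dev.bt_version >= rule.bt_version
        return dev.bt_version <= rule.bt_version
    return True

def active_matches(rules: List[Rule], dev: Device, device_control_enabled: bool = True) -> List[str]:
    """Names of rules that are active (Enabled, and Device Control on) and match dev."""
    if not device_control_enabled:
        return []  # Enabled rules keep their status but are not active
    return [r.name for r in rules if r.enabled and rule_matches(r, dev)]
```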

To enable or disable a rule:

  1. Open the EDR Policy where a rule is to be enabled or disabled
  2. Navigate to the Device Control tab
  3. Select one or more rules and click Actions > Disable or Enable, as required
  4. Alternatively, click an individual rule

    In the Rule Details window, click Options > Disable or Enable, as required

Editing Rules

Note: When you edit a rule, you cannot change the Rule Type or Interface.

To edit a rule:

  1. Open the EDR Policy where a rule is to be edited
  2. Navigate to the Device Control tab
  3. Select the rule to be edited
  4. In the Rule Details window, click Edit
  5. Make the required changes in the Rule Details
  6. Click Save changes