Device Control Settings

In the Device Control settings, define the policy inheritance, turn Device Control on or off, and select which device events are reported to the Activity log. The same settings apply to Windows and macOS endpoints.

Compatibility and Limitations

  • Some Bluetooth settings apply to Windows Agents only.
  • Bluetooth Device Control requires Management version Grand Canyon or later.
  • Bluetooth Device Control on macOS requires Agent version 3.2 or later.
  • USB Allow Read Only requires Management version Houston or later.
  • USB Allow Read Only on macOS is only for mass storage devices.

Configure Device Control settings

By default, Device Control is disabled at the Global and Site level. When it is first enabled, all Sites and Groups inherit the Device Control policy from the Global or Site policy.

By default, Agents have Device Control disabled, until they connect to a Site or Group with an enabled Device Control policy.

To configure Device Control settings:

  1. Open the EDR Policy whose Device Control settings you want to change
  2. Navigate to the Device Control tab
  3. Click the Settings icon
  4. If it is not already enabled, click the presented Enable Device Control button
  5. Use the toggle to turn the inheritance (from the Default Group EDR Policy) On or Off
  6. If inheritance is On, the other settings are disabled because they are inherited

    If you turn Off inheritance, the other settings become enabled.

  7. Select which device events are reported to the Activity log:
    • USB & Bluetooth: Report allowed connections in Activity log - Creates a log entry each time an allowed device is connected or disconnected
    • USB & Bluetooth: Report blocked connections in Activity log - Creates a log entry each time a device is blocked
    • USB: Report connected device with Read-Only permissions in Activity log - Creates a log entry each time a device with read-only permissions is connected

  8. Configure the remaining Device Control options as needed:
    • Bluetooth: Disable RFCOMM for all devices (Windows only) - Use this setting to disable or enable the RFCOMM profile. Bluetooth RFCOMM can be blocked or allowed only for ALL Bluetooth devices; it cannot be blocked or allowed for specific devices.

      Note: Device Control rules that block or allow Bluetooth devices do not affect RFCOMM functionality. This setting is the only control over RFCOMM, and macOS Agents ignore it.

    • USB: Change Read-Only permission settings in all rules to Read & Write - Use this setting to make every read-only rule allow both read and write. This is useful if read-only permissions are causing problems on your systems. The rules themselves are not modified: their definitions still say Read-Only, so read-only enforcement returns when you turn this setting Off again.

      This option is available from Management version Houston.

    • Disable Device Control - Disables the feature for the currently selected EDR Policy. You must turn Off inheritance before you can disable Device Control.

      Existing rules remain in the policy but become inactive. When you enable Device Control again, the rules become active with their latest Enabled or Disabled state.
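The following Python is an added illustration of how the settings in the procedure above combine; it is not the management console's code, API or data model, and every name in it (the `DeviceControlSettings` fields, the `"read_only"`/`"read_write"` permission values, the Global, Site, Group ordering of the chain) is an assumption made for the example. It shows the three behaviours a practitioner most often gets wrong: a level with inheritance On contributes nothing, the Read-Only override changes only the enforced permission and not the rule definition, and disabling Device Control keeps the rules but makes them inactive until the feature is enabled again.

```python
"""Constructed model of how the Device Control settings above combine.

Written for this page as an illustration; it is not the management
console's API or data model, and every name here is an assumption.
"""
import dataclasses
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    """A Device Control rule as stored in the policy (assumed shape)."""
    name: str
    permission: str          # assumed values: "read_only" or "read_write"
    enabled: bool = True


@dataclass
class DeviceControlSettings:
    """The settings from the procedure above, for one policy level."""
    device_control_enabled: bool = False   # disabled by default
    inherit: bool = True                   # the Global level never inherits
    report_allowed: bool = False
    report_blocked: bool = False
    report_read_only: bool = False
    disable_rfcomm: bool = False           # Windows Agents only
    read_only_as_read_write: bool = False  # Management version Houston or later
    rules: List[Rule] = field(default_factory=list)


def effective_settings(chain: List[DeviceControlSettings]) -> DeviceControlSettings:
    """Resolve the settings an Agent receives.

    chain is ordered Global, Site, Group (assumed order). A level with
    inherit=True contributes nothing, so the lowest level that has turned
    inheritance Off wins; if none has, the Global settings apply.
    """
    effective = chain[0]
    for level in chain[1:]:
        if not level.inherit:
            effective = level
    return effective


def effective_permission(rule: Rule, settings: DeviceControlSettings) -> Optional[str]:
    """Permission the endpoint actually enforces for one rule.

    Returns None when the rule is inactive: Device Control is disabled for
    the policy or the rule itself is disabled. The read-only override changes
    only the enforced permission; rule.permission is left untouched.
    """
    if not settings.device_control_enabled or not rule.enabled:
        return None
    if rule.permission == "read_only" and settings.read_only_as_read_write:
        return "read_write"
    return rule.permission


def rfcomm_blocked(settings: DeviceControlSettings, platform: str) -> bool:
    """RFCOMM is a policy-wide switch honoured only by Windows Agents;
    per-device Bluetooth rules never influence it."""
    return (platform == "windows"
            and settings.device_control_enabled
            and settings.disable_rfcomm)


def disable_device_control(settings: DeviceControlSettings) -> DeviceControlSettings:
    """Disable the feature for this policy. The console requires inheritance
    to be Off first; rules are kept, only their activity changes."""
    if settings.inherit:
        raise ValueError("turn Off inheritance before disabling Device Control")
    return dataclasses.replace(settings, device_control_enabled=False)


def enable_device_control(settings: DeviceControlSettings) -> DeviceControlSettings:
    """Re-enable: retained rules come back with their last Enabled/Disabled state."""
    return dataclasses.replace(settings, device_control_enabled=True)


if __name__ == "__main__":
    # Constructed sample hierarchy: Global enables the feature, the Site
    # inherits, the Group overrides with the read-only workaround.
    global_policy = DeviceControlSettings(device_control_enabled=True, inherit=False,
                                          report_blocked=True)
    site_policy = DeviceControlSettings(report_allowed=True)   # ignored: inherit=True
    usb_rule = Rule("usb-storage-readonly", "read_only")
    group_policy = DeviceControlSettings(device_control_enabled=True, inherit=False,
                                         read_only_as_read_write=True, rules=[usb_rule])

    eff = effective_settings([global_policy, site_policy, group_policy])
    print("enforced:", effective_permission(usb_rule, eff), "| defined:", usb_rule.permission)
    off = disable_device_control(group_policy)
    print("rules kept while disabled:", [r.name for r in off.rules],
          "| enforced:", effective_permission(usb_rule, off))
```

Running the block prints `read_write` as the enforced permission while the rule still reads `read_only`, and shows the rule list intact after Device Control is disabled. When auditing a real deployment, check the same three things in the console in this order: which level actually owns the settings (inheritance Off), whether the Read & Write override is on, and whether Device Control is enabled at all for the policy the Agent belongs to.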