Managing Devices

You can configure custom settings for specified devices or device types. These device settings are typically used as exceptions to settings defined in Media Encryption & Port Protection rules.

There are two types of devices:

  • Storage Device - Removable media device on which users can save data files. Examples include: USB storage devices, SD cards, CD/DVD media and external disk drives.

  • Peripheral Device - Devices on which users cannot save data and that cannot be encrypted.

Click the icon to filter your view.

New devices are added manually or are automatically discovered by the Endpoint Server.

You can view Manually added devices or Discovered devices. In the Device Type column, you can see if the device is a storage device or a peripheral device.

Managing Storage and Peripheral Devices

To manually add a new device:

  1. Click Asset Management > Media Devices > Storage & Peripheral.

  2. From the View list, select Manually added devices.

  3. Click .

  4. Select :

    • Storage Device

      The New Storage Device window appears.

    • Peripheral Device

      The New Peripheral Device window appears.

  5. Enter these:

    • Name - Enter a unique device display name, which cannot contain spaces or special characters (except for the underscore and hyphen characters).

    • Applies to – This setting is valid for peripheral devices only.

    • Connection Type - Select the connection type: Internal, External or Unknown (required).

    • Category - Select a device category from the list.

    • Serial Number - Enter the device serial number. You can use wild card characters in the serial number to apply this device definition to more than one physical device. See Using Wild Card Characters.

    • Extra Information - Configure whether the device shows as a fixed disk device (Hard Drive with Master Boot Record), a removable device (Media without Master Boot Record) or None.

    • Device ID Filter - Enter a filter string that identifies the device category (class). Devices are included in the category when the first characters in a Device ID match the filter string. For example, if the filter string is My_USB_Stick, these devices are members of the device category:

      • My_USB_Stick_40GB

      • My_USB_Stick_80GB

    • Supported Capabilities:

      • Log device events - Select this option to create a log entry when this device connects to an endpoint computer (Event ID 11 or 20 only).

      • Allow encryption - Select this option if the device can be encrypted (storage devices only).

  6. Assign Groups (relevant for storage devices only):

    1. To assign the device to an existing group, from the existing group list, select a group.

    2. To assign the device to a new group, in the create a new group field, enter the new group name.

    3. If you do not want to add the device to any group, select do not add to group.

  7. Click Finish.

To add an exclusion to a device:

  1. Click Asset Management > Media Devices > Storage & Peripheral.

  2. Right-click the applicable device and select Exclude.

    The Device Override Settings window appears.

  3. Configure the required Read Policy and Write Policy (relevant to storage devices only). For more information on the configuration options, see Configuring the Read Action and Configuring the Write Action.

  4. Define Behavior (relevant for peripheral devices only):

    1. From the Rule(s) list, select a rule.

    2. From the Access type list, select Accept or Block.

    3. From the Log type list, select a log.

    4. Add details in the Description field.

  5. Click Finish.

Note - If a device already has an exclusion in place, the new exclusion overrides the existing exclusion.

The Discovered devices view lists the details of the devices automatically discovered by the Endpoint server.

To edit a device:

  1. Click Asset Management > Media Devices > Storage & Peripheral.

  2. Right-click the applicable device and select Edit.

    The Edit Peripheral Device window opens.

  3. Enter these:

    • Name - Enter a unique device display name, which cannot contain spaces or special characters (except for the underscore and hyphen characters).

    • Applies to – This setting is valid for peripheral devices only.

    • Connection Type - Select the connection type: Internal, External or Unknown (required).

    • Category - Select a device category from the list.

    • Serial Number - Enter the device serial number. You can use wild card characters in the serial number to apply this device definition to more than one physical device. See Using Wild Card Characters.

    • Extra Information - Configure whether the device shows as a fixed disk device (Hard Drive with Master Boot Record), a removable device (Media without Master Boot Record) or None.

    • Device ID Filter - Enter a filter string that identifies the device category (class). Devices are included in the category when the first characters in a Device ID match the filter string. For example, if the filter string is My_USB_Stick, these devices are members of the device category:

      • My_USB_Stick_40GB

      • My_USB_Stick_80GB

    • Supported Capabilities:

      • Log device events - Select this option to create a log entry when this device connects to an endpoint computer (Event ID 11 or 20 only).

      • Allow encryption - Select this option if the device can be encrypted (storage devices only).

  4. Assign Groups (relevant for storage devices only):

    1. To assign the device to an existing group, from the existing group list, select a group.

    2. To assign the device to a new group, in the create a new group field, enter the new group name.

    3. If you do not want to add the device to any group, select do not add to group.

  5. Configure the required Read Policy and Write Policy (relevant to storage devices only). For more information on the configuration options, see Configuring the Read Action and Configuring the Write Action.

  6. Define Behavior (relevant for peripheral devices only):

    1. From the Rule(s) list, select a rule.

    2. From the Access type list, select Accept or Block.

    3. From the Log type list, select a log.

    4. Add details in the Description field.

  7. Click Finish.

Managing Storage Device Groups

You can create groups for storage devices. Device groups simplify policy management because you can create exclusion rules for an entire group of devices instead of one device at a time.

To create a new device group, click Asset Management > Media Devices > Storage Device Groups. You can create new groups or edit existing groups.

Note - You cannot delete groups that are in use.

To create a Storage Device Group:

  1. Click Asset Management > Media Devices > Storage Device Groups.

  2. Click New.

    The Create Storage Device Group window appears.

  3. In the Group Name field, enter a name.

  4. (Optional) In the Comments field, enter your comments.

    For example, USB storage device.

  5. To add devices to the group, click .

  6. Select the devices and click OK.

  7. To delete the device, select the device and click .

Using Wild Card Characters

You can use wild card characters in the Serial Number field to apply a definition to more than one physical device. This is possible when the device serial numbers start with the same characters.

For example: If there are three physical devices with the serial numbers 1234ABC, 1234BCD, and 1234EFG, enter 1234* as the serial number. The device definition applies to all three physical devices. If you later attach a new physical device with the serial number 1234XYZ, this device definition automatically applies to the new device.

The valid wild card characters are:

  • The '*' character represents a string that contains one or more characters.

  • The '?' character represents one character.

Examples:

| Serial Number with Wildcard | Matches | Does Not Match |
|---|---|---|
| 1234* | 1234AB, 1234BCD, 12345 | 1233 |
| 1234??? | 1234ABC, 1234XYZ, 1234567 | 1234AB, 1234x, 12345678 |

Because definitions that use wildcard characters apply to more endpoints than those without wildcards, rules are enforced in this order of precedence:

  1. Rules with serial numbers containing * are enforced first.

  2. Rules with serial numbers containing ? are enforced next.

  3. Rules that contain no wildcard characters are enforced last.

For example, rules that contain serial numbers as shown here are enforced in this order:

  1. 12345*

  2. 123456*

  3. 123????

  4. 123456?

  5. 1234567
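
The matching and precedence rules above, as an added example that is not Check Point code: it translates a Serial Number wildcard into an anchored regular expression ('*' as one or more characters, '?' as exactly one) and sorts definitions into the documented enforcement order. Ordering inside each wildcard class by fewer literal characters first is an assumption inferred from the example list above; the function names and the sample inventory are constructed for illustration.

```python
import re

def compile_serial_pattern(pattern):
    """Translate a Serial Number wildcard into a regex.
    Per the page: '*' is one or more characters, '?' is exactly one."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".+")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))

def serial_matches(pattern, serial):
    # fullmatch anchors both ends, so 1234??? rejects 1234AB and 12345678.
    return compile_serial_pattern(pattern).fullmatch(serial) is not None

def precedence_key(pattern):
    # Documented classes: '*' rules first, then '?' rules, then exact serials.
    if "*" in pattern:
        rule_class = 0
    elif "?" in pattern:
        rule_class = 1
    else:
        rule_class = 2
    # Assumption (inferred from the page's example list): inside a class,
    # the pattern with fewer literal characters comes first.
    literals = sum(1 for ch in pattern if ch not in "*?")
    return (rule_class, literals)

def enforcement_order(patterns):
    return sorted(patterns, key=precedence_key)

def coverage(patterns, serials):
    """For each definition, list the inventory serials it applies to."""
    return {p: [s for s in serials if serial_matches(p, s)] for p in patterns}

if __name__ == "__main__":
    # Constructed inventory, built from the serial numbers used on this page.
    inventory = ["1234ABC", "1234BCD", "1234EFG", "1234XYZ", "1234AB", "1233", "1234"]
    rules = ["1234567", "1234???", "1234*"]
    for rule in enforcement_order(rules):
        print(rule, "->", coverage([rule], inventory)[rule])
```

Shell-style globbing such as Python's `fnmatch` treats `*` as zero or more characters, so it would accept the bare serial 1234 for 1234*, which the definition on this page does not.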

Viewing Events

Harmony Endpoint allows you to monitor activities related to storage and peripheral devices as events and, if required, change the device details and status. For example, you can do this if a device that should be allowed was blocked, or vice versa.

| Column | Description |
|---|---|
| Event Time | Date and time when the device was connected to the endpoint. |
| Status | Whether the device was blocked or allowed. |
| Device Name | Name of the device. |
| Device Type | Type of device. |
| Category | Category of the device. |
| Serial Number | Serial number of the device. |
| User Name | Name of the user. |
| Computer Name | Name of the computer. |

To modify the device details and status:

  1. Click Asset Management > Media Devices > Events.

  2. Right-click the event and select Exclude.

    The Device Override Settings window opens.

  3. Enter these:

    • Name - Enter a unique device display name, which cannot contain spaces or special characters (except for the underscore and hyphen characters).

    • Applies to – This setting is valid for peripheral devices only.

    • Connection Type - Select the connection type: Internal, External or Unknown (required).

    • Category - Select a device category from the list.

    • Serial Number - Enter the device serial number. You can use wild card characters in the serial number to apply this device definition to more than one physical device. See Using Wild Card Characters.

    • Extra Information - Configure whether the device shows as a fixed disk device (Hard Drive with Master Boot Record), a removable device (Media without Master Boot Record) or None.

    • Device ID Filter - Enter a filter string that identifies the device category (class). Devices are included in the category when the first characters in a Device ID match the filter string. For example, if the filter string is My_USB_Stick, these devices are members of the device category:

      • My_USB_Stick_40GB

      • My_USB_Stick_80GB

    • Supported Capabilities:

      • Log device events - Select this option to create a log entry when this device connects to an endpoint computer (Event ID 11 or 20 only).

      • Allow encryption - Select this option if the device can be encrypted (storage devices only).

  4. Assign Groups (relevant for storage devices only):

    1. To assign the device to an existing group, from the existing group list, select a group.

    2. To assign the device to a new group, in the create a new group field, enter the new group name.

    3. If you do not want to add the device to any group, select do not add to group.

  5. Configure the required Read Policy and Write Policy (relevant to storage devices only). For more information on the configuration options, see Configuring the Read Action and Configuring the Write Action.

  6. Define Behavior (relevant for peripheral devices only):

    1. From the Rule(s) list, select a rule.

    2. From the Access type list, select Accept or Block.

    3. From the Log type list, select a log.

    4. Add details in the Description field.

  7. Click Finish.