Defining Exceptions for Devices

You can configure custom settings for specified devices or device types. These device settings are typically used as exceptions to settings defined in Media Encryption & Port Protection rules.

You can define device-specific exceptions for:

• One device, which is based on its serial number.
  You must enter the device serial number.
• A device model, which is based on the device ID.
  You must enter the device ID.
• A device type, such as Windows Portable Devices or Imaging Devices.
• A user defined device group (storage devices only).

Editing Device Details

These properties are configured for each device that is connected to a client with Media Encryption & Port Protection:

• Device Name - Enter a unique device display name, which cannot contain spaces or special characters (except for the underscore and hyphen characters).
• Device Connection - Select the connection type Internal, External or Unknown (required).
• Device Category - Select a device category from the list.
• Device Serial Number - Enter the device serial number. You can use wild card characters in the serial number to apply this device definition to more than one physical device.
• Extra Information - Configure whether the device shows as fixed disk device (Hard Drive with Master Boot Record), a removable device (Media without Master Boot Record) or None.
• Icon - Select an icon to show in the GUI.
• Device ID Filter - Enter a filter string that identifies the device category (class). Devices are included in the category when the first characters in a Device ID match the filter string. For example, if the filter string is My_USB_Stick, the following devices are members of the device category:

  My_USB_Stick_40GB

  My_USB_Stick_80GB

• Allow encryption - Select this option if the device can be encrypted (storage devices only).
• Can generate device arrival audit event - Select this option to create a log entry when this device connects to an endpoint computer (Event ID 11 or 20 only).

Creating a Device with Automatic Device Discovery

You can use the Device Discovering Wizard to create new devices that have been connected to endpoint computers.

To create a device with the Device Discovering Wizard:

1. Open the Storage Devices Read Access, Storage Devices Write Action, or Peripheral Devices Access action.
2. In the Device Overrides section of the Edit Properties window, click Add device.
3. In the Device Override Settings window, select Create a new device.
4. Click Next.
5. Select Add discovered device from user logs.
6. Click Next.
7. Select a device from the list. If necessary, search or filter to find the device.
8. Click Next.
9. Optional: Edit the device details.
10. Click Next.
11. Optional: Add this device to one or more device groups (storage devices only).
12. Click Next.
13. Define the behavior of the device. The options shown are based on which action you are editing:
    • For Storage Devices Write Access see Configuring a Write Action.
    • For Storage Device Read Access see Configuring the Read Action.
    • For Peripheral device access:
      • Access type: Block or Allow
      • Log type: Log or None
14. Click Finish.

Creating a Device Manually

You can manually define a device that was not inserted into a client computer.

To manually create a new device:

1. Open the Storage Devices Read Access, Storage Devices Write Action, or Peripheral Devices Access action.
2. In the lower section of the Edit Properties window, click Add device.
3. In the Device Override Settings window, select Create a new device.
4. Click Next.
5. Select Manually configure device.
6. Click Next.
7. Enter the device details.
8. Click Next.
9. Optional: Add this device to one or more device groups (storage devices only).
10. Define the behavior of the device. The options shown are based on which action you are editing:
    • For Storage Devices Write Access see Configuring a Write Action.
    • For Storage Device Read Access see Configuring the Read Action.
    • For Peripheral device access:
      • Access type: Block or Allow
      • Log type: Log or None
11. Click Finish.

Editing Device Access Setting

You can change the settings for an individual device or category of devices.

To change the access settings for existing devices from the Policy Rule Base:

1. Open the Storage Devices Read Access, Storage Devices Write Action, or Peripheral Devices Access action.
2. In the Device Overrides area of the Edit Properties window, select a device or group and click Edit device.
3. If you selected a group, Add or Remove objects until the Selected Objects list contains all applicable devices.
4. Select or clear these options as applicable. The options that show are based on the action you are working with.
   • For Storage Devices Write Access see Configuring a Write Action.
   • For Storage Device Read Access see Configuring the Read Action.
   • For Peripheral device access:
     • Access type: Block or Allow
     • Log type: Log or None
5. Click OK.
6. Click OK.

To change the access settings for devices from the Reporting tab:

1. In the Reporting tab > Media Encryption & Port Protection, right-click a device and select Add device as exception.

   The Device Override Settings open.

2. Edit the device details as necessary.

Using Wild Card Characters

You can use wild card characters in the Device Serial Number field to apply a definition to more than one physical device. This is possible when the device serial numbers start with the same characters.

For example: If there are three physical devices with the serial numbers 1234ABC, 1234BCD, and 1234EFG, enter 1234* as the serial number. The device definition applies to all three physical devices. If you later attach a new physical device with the serial number 1234XYZ, this device definition automatically applies the new device.

The valid wild card characters are:

The '*' character represents a string that contains one or more characters.

The '?' character represents one character.

Examples:

Serial Number with Wildcard	Matches	Does Not Match
1234*	1234AB, 1234BCD, 12345	1233
1234???	1234ABC, 1234XYZ, 1234567	1234AB, 1234x, 12345678

Because definitions that use wildcard characters apply to more endpoints than those without wildcards, rules are enforced in this order of precedence:

1. Rules with serial numbers containing * are enforced first.
2. Rules with serial numbers containing ? are enforced next.
3. Rules that contain no wildcard characters are enforced last.

For example, rules that contain serial numbers as shown here are enforced in this order:

1. 12345*
2. 123456*
3. 123????
4. 123456?
5. 1234567