USB Port Security: deny by default but allow IT dept

Hi, DA newbie here. We're trying to make the logic work in our environment and I could use some guidance from more experienced DA administrators.
By default, we would like to restrict all non-HID USB devices while allowing the IT team (In an OU and a Security Group) full access.
Individual users who are approved for specific uses - say, downloading pictures from a camera, or using a USB stick to transfer postal meter data - should be allowed to use ONLY that device and ONLY on the computer they are approved for.
I don't want a user to have access to USB mass storage except for an approved device. Recommendations on how to configure? The DA video on the support site is not very helpful and it's so tiny I can't see what settings are being applied.
Thanks in advance for any and all assistance.

  • I am not an expert on the ins and outs of the USB device capabilities and their rules so hopefully an expert can chime in...

    Because you have a couple of different scenarios I would create a few rules. One for admins: set up a permissions set with the user list being your group of admins and allowing all actions and a permission set for everyone else that denies most things - be careful as many people use wireless keyboard/mice.

    Then you can create a set of Device Exception rules, that allows that specific user to use that specific device. Because it is user-based it will work on any computer but only for that person and that user.

    I've never looked at the VID and PID fields of the device exception fields and if you could generate a class of approved devices using them; if not, it's going to be tedious to set up a rule for each and every device you want to allow. You could have a lot to manage!

    Hope that helps!
    Mark
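The three layers Mark describes (an allow-all permission set for the admin group, a default permission set that denies everything except HID so wireless keyboards and mice keep working, and per-user device exceptions keyed on VID/PID) can be modelled as a small policy evaluator. This is an added illustration, not the product's own configuration format or API; the group name, VID/PID values, computer names and attach events below are all constructed. It also shows the difference the original poster cares about: an exception with no computer bound to it (Mark's "works on any computer") versus one restricted to a single machine.

```python
"""Deny-by-default USB device-control policy, modelled in plain Python.

Added illustration, not the product's own rule format. It evaluates
constructed USB attach events against three layers:
  1. HID devices are always allowed (keyboards/mice keep working),
  2. members of the admin group get everything,
  3. everyone else only gets devices listed in a per-user exception,
     optionally tied to one computer; anything else is denied.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

# USB interface class codes (values from the USB class specification)
USB_CLASS_HID = 0x03
USB_CLASS_STILL_IMAGE = 0x06   # PTP cameras
USB_CLASS_MASS_STORAGE = 0x08  # USB sticks, card readers

# Classes kept allowed in every permission set
ALWAYS_ALLOWED_CLASSES = {USB_CLASS_HID}


@dataclass(frozen=True)
class AttachEvent:
    """One 'device plugged in' event (constructed sample data)."""
    user: str
    groups: FrozenSet[str]   # security groups the user belongs to
    computer: str
    vid: int
    pid: int
    usb_class: int


@dataclass(frozen=True)
class DeviceException:
    """Per-user allowance for one VID/PID; computer=None means any computer."""
    user: str
    vid: int
    pid: int
    computer: Optional[str] = None


@dataclass
class Policy:
    admin_group: str
    exceptions: List[DeviceException] = field(default_factory=list)

    def evaluate(self, ev: AttachEvent) -> Tuple[bool, str]:
        """Return (allowed, reason) for an attach event."""
        if ev.usb_class in ALWAYS_ALLOWED_CLASSES:
            return True, "hid-always-allowed"
        if self.admin_group in ev.groups:
            return True, "admin-permission-set"
        for ex in self.exceptions:
            same_device = ex.user == ev.user and ex.vid == ev.vid and ex.pid == ev.pid
            right_computer = ex.computer is None or ex.computer == ev.computer
            if same_device and right_computer:
                return True, f"device-exception:{ex.vid:04x}:{ex.pid:04x}"
        return False, "default-deny"


def build_example_policy() -> Policy:
    """Constructed policy: IT admins allow-all, two user exceptions."""
    return Policy(
        admin_group="IT-Admins",  # assumed group name
        exceptions=[
            # postal-meter USB stick: alice, only on the mailroom PC
            DeviceException(user="alice", vid=0x1234, pid=0x0001, computer="PC-MAILROOM"),
            # camera: bob, on any computer (user-based rule)
            DeviceException(user="bob", vid=0x1234, pid=0x00C4),
        ],
    )


# Constructed attach events covering each path through the policy
EVENTS = [
    AttachEvent("alice", frozenset(), "PC-MAILROOM", 0x1234, 0x0001, USB_CLASS_MASS_STORAGE),
    AttachEvent("alice", frozenset(), "PC-LOBBY", 0x1234, 0x0001, USB_CLASS_MASS_STORAGE),
    AttachEvent("alice", frozenset(), "PC-MAILROOM", 0x1234, 0x0002, USB_CLASS_MASS_STORAGE),
    AttachEvent("carol", frozenset({"IT-Admins"}), "PC-LOBBY", 0xABCD, 0x0099, USB_CLASS_MASS_STORAGE),
    AttachEvent("dave", frozenset(), "PC-LOBBY", 0x5555, 0x0010, USB_CLASS_HID),
    AttachEvent("bob", frozenset(), "PC-FRONTDESK", 0x1234, 0x00C4, USB_CLASS_STILL_IMAGE),
]


def audit(policy: Policy, events: List[AttachEvent]) -> List[Tuple[str, str, bool, str]]:
    """Evaluate every event; returns (user, computer, allowed, reason) rows."""
    return [(ev.user, ev.computer, *policy.evaluate(ev)) for ev in events]


if __name__ == "__main__":
    for user, computer, allowed, reason in audit(build_example_policy(), EVENTS):
        print(f"{user:6} {computer:12} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

Run as a script it prints one line per event: alice's stick is allowed on PC-MAILROOM and denied on PC-LOBBY, a different PID from the same vendor is denied, the admin is allowed everywhere, the HID device is allowed for anyone, and bob's camera is allowed on whatever computer he uses. Keeping the reason string in the decision is what makes the resulting log reviewable later.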