USB Port Security: deny by default but allow IT dept

Hi, DA newbie here. We're trying to make the logic work in our environment and I could use some guidance from more experienced DA administrators.

By default, we would like to restrict all non-HID USB devices while allowing the IT team (in an OU and a Security Group) full access.

Individual users who are approved for specific uses - say, downloading pictures from a camera, or using a USB stick to transfer postal meter data - should be allowed to use ONLY that device and ONLY on the computer they are approved for.

I don't want a user to have access to USB mass storage except for an approved device. Recommendations on how to configure? The DA video on the support site is not very helpful and it's so tiny I can't see what settings are being applied.

Thanks in advance for any and all assistance.

  • Hi mark.broge,

    USB/PS is one of the more complex setups in Desktop Authority (DA). The first thing to note is that each USB/PS element starts with a “Default” permission set that is set to Allow every device type and uses the Group “Everyone”. It’s important not to change this.

    To begin you will create a new permission set in addition to the existing “Default” permission set. In this example the new USB/PS permission set will be called “Lockdown”. If you want to lock down ALL devices but exclude HID devices, just use the checkbox for that: “Disable all USB devices (Except HID)”.

    Next you need to edit the “Users” section of your new Lockdown permission set. By default it's set to “Everyone”. If you want this to apply to everyone but your IT team then it will need to be changed, as your IT team is a member of “Everyone”. Your easiest way to configure this is to just create a new Active Directory group (example: “USB Lockdown”) and just add the users you want to lock down to this AD group.
    Then remove “Everyone” from the Users section and add your new USB Lockdown AD group.

    Next use the USB Exceptions tab to Allow any specific devices that you want users to have access to.

    Finally, Validation Logic. Before USB/PS can apply any permission sets it needs to be installed on the user’s machine. For me I find it easiest to look at USB/PS’s Validation Logic tab as “Where do I want USB/PS installed?”.

    Validation Logic and Settings/Permission Sets are two separate things. Having a user or group listed in Permission Sets does not automatically mean that they are going to get any USB/PS settings. The Permission Sets will only apply to machines that have USB/PS installed, which is defined in the Validation Logic tab.

    When configuring USB/PS’s Validation Logic, I find that it's best to use only machine names or machine OUs and not user names or user OUs. This is because users can move from one machine to another, and if they are used for Validation Logic then any machine that they log into will install USB/PS. That’s not recommended. It's best to have USB/PS install to the machines and use the Settings/Permission Sets to define what rights users get.

    So if you want USB/PS to install on every machine you can leave Validation Logic Rules blank.
    If you only want it installed on a subset of machines, then you can use an Active Directory variable.
        Example: Organizational Unit (Computer) = “Lab Computers”

    Important Note: The install of USB/PS on client machines requires a reboot. This will also happen after Desktop Authority is upgraded.
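One way to build the “USB Lockdown” AD group the answer recommends, so that the IT team (the OP's security group) never lands in the Lockdown permission set. This is an added example, not code from the thread or from Desktop Authority; the OU paths, the domain and the “IT Team” group name are assumptions for your own domain.

```powershell
# Added example (not from the thread or from Desktop Authority).
# Populates the "USB Lockdown" group with every enabled user in the staff OU
# EXCEPT members of the IT team's security group, then checks the result.
Import-Module ActiveDirectory

$Domain        = 'DC=example,DC=local'        # assumption
$StaffOU       = "OU=Staff,$Domain"           # assumption: users to lock down
$GroupOU       = "OU=Groups,$Domain"          # assumption: where the new group lives
$ItGroup       = 'IT Team'                    # assumption: the IT security group
$LockdownGroup = 'USB Lockdown'               # name used in the answer

# 1. Create the lockdown group once (safe to re-run).
if (-not (Get-ADGroup -Filter "Name -eq '$LockdownGroup'")) {
    New-ADGroup -Name $LockdownGroup -GroupScope Global -GroupCategory Security `
        -Path $GroupOU -Description 'Desktop Authority USB/PS "Lockdown" permission set'
}

# 2. Resolve the IT team recursively so nested groups are excluded as well.
$itMembers = Get-ADGroupMember -Identity $ItGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName

# 3. Everyone in the staff OU who is not on the IT team is a lockdown target.
$targets = Get-ADUser -SearchBase $StaffOU -Filter 'Enabled -eq $true' |
    Where-Object { $itMembers -notcontains $_.SamAccountName }

# 4. Add only the users not already in the group (Add-ADGroupMember errors on duplicates).
$existing = Get-ADGroupMember -Identity $LockdownGroup |
    Select-Object -ExpandProperty SamAccountName
$toAdd = $targets | Where-Object { $existing -notcontains $_.SamAccountName }
if ($toAdd) { Add-ADGroupMember -Identity $LockdownGroup -Members $toAdd }

# 5. Check: an IT team member inside the lockdown group would lose USB access.
$overlap = Get-ADGroupMember -Identity $LockdownGroup -Recursive |
    Where-Object { $itMembers -contains $_.SamAccountName }
if ($overlap) {
    Write-Warning "IT members found in '$LockdownGroup': $($overlap.SamAccountName -join ', ')"
} else {
    Write-Host "OK: '$LockdownGroup' holds $(@($targets).Count) users and no IT team members."
}
```

Re-run the script whenever staff or IT membership changes; the Lockdown permission set itself still has to reference this group in the DA console, with “Everyone” removed from its Users section as described above.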
