

How to use Application and Device Control to block all USB devices except those I specifically want to allow

Question/Issue:
How to block all USB-type devices (e.g. mice, keyboards, USB drives, etc.) while still allowing a single specific device (such as an administrator's USB key) to function.


Solution:
Before you create the exclusion, you need to gather the Device ID of the specific device you want to allow.

**NOTE**

You must create an exclusion for each individual device. If there are, for example, 15 different administrator USB keys, you will need to create 15 different exclusions, one per device. The only alternative is not to block all USB devices.

Gather the Device ID of the device(s) to exclude using the DevViewer tool:

  1. Double click the DevViewer.exe tool, located on CD2 in the /Tools/NoSupport/DevViewer folder.
  2. Plug in the device whose Device ID you want to gather.
  3. Run the DevViewer.exe tool and browse to find the device. USB keys, for example, are located under Universal Serial Bus controllers/USB Mass Storage Device.
  4. Select the device; the information about the device appears on the right.
  5. Copy down the entire Device ID. The Device ID should look similar to this:

     USB\VID_054C&PID_0243\1206092800314

  6. Exit the DevViewer tool.

Create the exclusion:
  1. Open the Symantec Endpoint Protection Manager (SEPM) console.
  2. Click Policies.
  3. Click Policy Components.
  4. Click Hardware Devices.
  5. Click Add a Hardware Device...
  6. Enter a name for the exclusion.
  7. Click Device ID.
  8. Enter the Device ID exactly as seen in the DevViewer tool.
  9. Click OK.

Assign the exclusion:
  1. Click Policies.
  2. Click Application and Device Control.
  3. Double click the policy you wish to edit.
  4. Click Device Control.
  5. In Devices Excluded From Blocking, click Add.
  6. Click the exclusion you created earlier, then click OK.
  7. Click OK.
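The rule the three procedures above build is "block every USB device unless its full Device ID is on the exclusion list". The following Python is an added example, not Symantec's code or part of SEPM: it parses Device IDs in the form DevViewer displays (the Windows device instance ID layout `<enumerator>\<device id>\<instance id>`, e.g. `USB\VID_054C&PID_0243\1206092800314`) and evaluates that rule, so you can see why the note above requires one exclusion per physical device: the match is on the full ID including the serial-number portion, so a second key of the same make and model is still blocked. The class and function names, and the sample IDs other than the one from the article, are constructed for the example.

```python
"""Added example (not Symantec's or SEPM's code): model the Device Control
rule 'block all USB devices except listed exclusions' on Windows device
instance IDs as shown by DevViewer."""
import re
from typing import Iterable, NamedTuple, Optional

# Windows device instance ID layout: <enumerator>\<device id>\<instance id>.
# For USB devices the device id carries VID_xxxx&PID_yyyy (optionally more
# &-separated fields such as MI_nn for composite devices) and the instance id
# is the device's serial number or, if it has none, a bus-position string.
_USB_ID = re.compile(
    r"^USB\\VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})"
    r"(?:&[^\\]*)?\\(?P<instance>[^\\]+)$",
    re.IGNORECASE,
)


class UsbDeviceId(NamedTuple):
    vid: str       # vendor ID, 4 hex digits
    pid: str       # product ID, 4 hex digits
    instance: str  # serial number / instance string for this physical unit


def parse_usb_id(device_id: str) -> Optional[UsbDeviceId]:
    """Parse a USB device instance ID; return None for any other bus or for
    malformed input (the caller treats that as 'not a USB device')."""
    m = _USB_ID.match(device_id.strip())
    if not m:
        return None
    return UsbDeviceId(m["vid"].upper(), m["pid"].upper(), m["instance"])


def normalize(device_id: str) -> str:
    """Canonical form for exact comparison: trimmed and upper-cased, since
    Windows treats device IDs case-insensitively."""
    return device_id.strip().upper()


class DeviceControlPolicy:
    """Block-all-USB rule with per-device exclusions keyed on the FULL ID."""

    def __init__(self, excluded_ids: Iterable[str]) -> None:
        # One exclusion per physical device: each entry must be a complete
        # USB instance ID, so a bare VID/PID (a whole product line) is refused.
        self.excluded = set()
        for device_id in excluded_ids:
            if parse_usb_id(device_id) is None:
                raise ValueError(f"not a USB device instance ID: {device_id!r}")
            self.excluded.add(normalize(device_id))

    def decide(self, device_id: str) -> str:
        """'allow' for an excluded device, 'block' for every other USB device,
        'not-usb' when the rule does not apply (another bus, e.g. PCI)."""
        if parse_usb_id(device_id) is None:
            return "not-usb"
        return "allow" if normalize(device_id) in self.excluded else "block"


def same_model(a: str, b: str) -> bool:
    """True when two IDs share VID and PID, i.e. are the same make/model.
    The policy deliberately does NOT use this: the exclusion is per unit."""
    pa, pb = parse_usb_id(a), parse_usb_id(b)
    return pa is not None and pb is not None and (pa.vid, pa.pid) == (pb.vid, pb.pid)


if __name__ == "__main__":
    admin_key = "USB\\VID_054C&PID_0243\\1206092800314"   # ID from the article
    policy = DeviceControlPolicy([admin_key])
    # Constructed sample IDs: same model/other serial, a different vendor, a PCI device.
    for candidate in (admin_key,
                      "USB\\VID_054C&PID_0243\\9999999999999",
                      "USB\\VID_0781&PID_5567\\ABC123",
                      "PCI\\VEN_8086&DEV_1234\\3&11583659&0&E8"):
        print(f"{candidate:45} -> {policy.decide(candidate):8} "
              f"(same model as admin key: {same_model(candidate, admin_key)})")
```

Running the script shows the admin key allowed, a second key of the identical model blocked because its serial differs, an unrelated USB device blocked, and the PCI device untouched by the rule. If the exclusion must cover several administrator keys, the policy is built with every full ID listed, exactly as the note above describes.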

**NOTE**

While not required, it is advisable to set up a message using Notify users when devices are blocked. This lets users know when Application and Device Control has blocked access to a device, rather than the device simply failing to work with no explanation.



Document ID: 2008083110540548
Last Modified: 05/11/2009
Date Created: 08/30/2008
Operating System(s): Windows XP Professional Edition
Product(s): Endpoint Protection 11
Release(s): Endpoint Protection 11.0.2


©1995 - 2009 Symantec Corporation