How to add exceptions for USB Sticks to device blocking

Version 10

    Verified Product Versions

    LANDESK Management Suite 9.6
    LANDESK Management Suite 2016.x
    LANDESK Endpoint Manager 2017.x

    This document describes the steps needed to add an exception to Device Blocking so that a USB stick can be used.

     

     

     

    Set Blocking rule within the Agent config

    1)      I added the following device blocking rule.

         I blocked only the Write access for Storage Volumes. No other devices are getting blocked.

    1-usb.png

    2)      After deploying this rule with the Agent config:

    a.      I can access the USB Stick

              2-usb.png

     

    b.      But I can no longer write data to the USB Stick

              3-usb.png

     

     

    Now I want to give this USB stick write access

    1)      At first I check the device ID of this USB Stick (just to be sure)

    a.      To do so I right-click the drive and choose Properties

    b.      Under the “Hardware” tab I choose the USB stick and click Properties again

              4-usb.png

     

    c.       Within the detail I can look up the Device IDs.

    Note that this device ID may not be unique to one device. All your USB Sticks may have the same IDs.

     

       5-usb.png

     

    d.      I now check the DCM.log in the LDCLIENT\HIPS directory just for clarification.

           6-usb.png

     

         The Device is listed and I can proceed.

     

    2)      Within the LANDESK console I check the Security activities

         to see the USB stick listed as blocked on my test machine.

                           7-usb.png

              I check that the Device ID matches with my notes from the previous steps

     

    3)      To add the exception for this USB Stick

         - I right-click on the entry and choose “Add Exception”.

              The following Dialog should show up.

     

                              8-usb.png

                                  I do have the option to add the Exception by Hardware ID or by Volume Serial.

            Note that an exception made by Hardware ID matches all Devices with this Hardware ID.

     

    This seems just too confining for a company with just a few different types of USB sticks. But because USB sticks are sold freely, anyone may buy a USB stick with a matching Hardware ID. Choosing the Volume Serial for exceptions might be safer, but it is more work.

     

    a.       I will use the Hardware ID to add the exception.

    b.      The exception is added to the Device Blocking rule. To check this, open the Security config again and check the exception list under storage devices.

          9-usb.png

     

     

    4)      Now this new Device Blocking rule needs to be pushed to the client

         -  to have immediate effect. The client checks the core from time to time to see if an updated config is present, but this may take too long for the customer. To push the config to the device:

     

     

    a.       Go to your security configuration and schedule a change of settings

           10-usb.png

     

    b.      Give the task a name and choose whether it should only be a push or also be supported by a policy.

    11-usb.png

     

      It is vital to choose which Endpoint Security Setting should be pushed to the clients. A mistake here may have unwanted side effects.

     

    c.       After this is done, the devices should be added as targets to the scheduled task and the task started, to send this new config out to the clients.

         12-usb.png

     

    5)      Now I am able to write files to this device

                          13-usb.png

     

    Some shortcuts to add Device Blocking exceptions without the need to check logs.

     

    If the exception is to be made on the Hardware ID

    1)      Insert the USB Stick into your Admin PC
    2)      Check the device ID of this USB Stick

    a.      To do so I right-click the drive and choose Properties

    b.      Under the “Hardware” tab I choose the USB stick and click Properties again

              15-usb.png

     

    c.     Within the detail I can look up the Device IDs and note the Hardware ID for further use.

     

    Note that this device ID may not be unique to one device. All your USB Sticks may have the same IDs.

         16-usb.png

     

    d.      In the Ivanti EPM Console choose the Device Control Setting for which the exception shall be added. Right click this Setting and choose “edit”.

    e.      Open the Exception list under Storage Volumes and click add.

              17-usb.png

     

    f.       In the following dialog enter a description and the Hardware ID of the device you wish to allow under Value.

     

                                18-usb.png

    If the exception is to be made on the Volume serial

     

    The volume serial is more unique than the Hardware ID of a USB stick and should be used if the exception is to be made only for this single USB stick.

    It is quite cumbersome to check the logs of the Device Blocking Service before entering the correct Volume Serial.

     

    It is possible for an administrator of Ivanti EPM to add Exceptions based on Volume serials prior to sending the USB Stick to the user.

     

    To do so

    1)      Insert the USB Stick into your Admin PC
    2)      In the Ivanti EPM Console choose the Device Control Setting for which the exception shall be added.

         Right-click this Setting and choose “edit”.

    a.       Open the Exception list under Storage Volumes and click add.

         19-usb.png

     

    b.      In the following dialog enter a description.

    c.      Choose Volume serial as Parameter, then click on the ... button behind the Value field.

    d.      In the upcoming dialog choose the USB Device the Exception shall be made for

          20-usb.png

     

          e.      The correct Volume Serial is automatically entered into the value field.
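
The Hardware ID and Volume Serial lookups from the steps above can also be done from a PowerShell prompt on the admin PC. This is an added example, not part of the original article or of the Ivanti product. The function name Get-UsbStickIdentifiers is hypothetical, and it is an assumption that the serial Windows reports is in the form the Value field expects.

```powershell
# Added example (not Ivanti code): list inserted USB sticks with the
# identifiers used for Device Blocking exceptions. Read-only.
function Get-UsbStickIdentifiers {
    # InterfaceType is 'USB' for USB mass-storage disks.
    $disks = Get-CimInstance -ClassName Win32_DiskDrive -Filter "InterfaceType='USB'"
    foreach ($disk in $disks) {
        # Same list as the "Hardware Ids" property in the device's Details view.
        $hwIds = (Get-PnpDeviceProperty -InstanceId $disk.PNPDeviceID `
                    -KeyName 'DEVPKEY_Device_HardwareIds' `
                    -ErrorAction SilentlyContinue).Data

        # Walk disk -> partition -> logical volume to reach letter and serial.
        $parts = Get-CimAssociatedInstance -InputObject $disk `
                    -ResultClassName Win32_DiskPartition
        foreach ($part in $parts) {
            $vols = Get-CimAssociatedInstance -InputObject $part `
                        -ResultClassName Win32_LogicalDisk
            foreach ($vol in $vols) {
                [pscustomobject]@{
                    Drive        = $vol.DeviceID
                    Model        = $disk.Model
                    PnpDeviceId  = $disk.PNPDeviceID
                    HardwareIds  = $hwIds -join '; '
                    VolumeSerial = $vol.VolumeSerialNumber
                }
            }
        }
    }
}

$sticks = @(Get-UsbStickIdentifiers)
$sticks | Format-List

# Hardware IDs are per model, not per stick: warn when several inserted
# sticks share one, because a Hardware ID exception would allow all of them.
$sticks | Group-Object -Property HardwareIds |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        Write-Warning ("{0} volumes share Hardware ID '{1}': {2}" -f `
            $_.Count, $_.Name, (($_.Group.Drive) -join ', '))
    }
```

Windows assigns the volume serial when the volume is formatted, so a reformatted stick reports a new serial and an existing Volume Serial exception no longer matches it.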