About the Storage Volumes section of Ivanti EPS Device Control

Version 8

    Verified Product Versions

    Endpoint Manager 9.5, Endpoint Manager 9.6, Endpoint Manager 2016.x, Endpoint Manager 2017.x

    Q1: If storage volumes are set as full access and an exception is added that gives “No access” to the Bus type “USB”, what is the result?



    A1: The device cannot be accessed due to the “No Access” USB bus type exception.

    Applicable lines from DCM.XML:

    <Removable Access="Full">
    <Exception id="Bus_Type" value="USB" override="DenyAll" />


    Q2: If I then add another exception for a Hardware ID, Device Instance Path or Volume Serial Number, what is the result?


    A2: The device still cannot be accessed, because of the first exception entered. The topmost exception is read and the following exceptions are ignored.

    <Removable Access="Full">  
    <Exception id="Bus_Type" value="USB" override="DenyAll" />   
    <Exception id="Volume_Serial" value="7204-A7C7" override="Full" />


    In this case the client reads that the USB bus type is set to be denied and does not continue on to the next exception.

    Note: Exceptions in the console are sorted alphabetically immediately after they are entered. However, in the DCM.XML that controls the behavior on the client, the exceptions are kept in the order they were created.


    Q3: What if the overall Storage Volumes option is set to “No Access” and an exception is added that gives the bus type “USB” Full Access?



    A3: Due to the exception allowing the USB bus Full Access, all USB based volumes are allowed.

    <Volumes>
    <Removable Access="DenyAll">
    <Encryption MaxFileSize="0" Type="AES256" PWHint="true" />
    <UnknownVolumes Access="removable_policy" />
    <Exception id="Bus_Type" value="USB" override="Full" />
    <NotifyUser Type="Popup">Unauthorized storage device detected.</NotifyUser>


    Q4: If the overall Storage Volumes policy is set to “No Access”, and the USB Bus Type is set to “Full Access” through an added exception, and another exception is then added to Deny access based on Hardware ID, Device Instance Path or Volume Serial, what is the result?


    A4: The device will still be allowed access due to the initial “Full Access” exception for bus type “USB”. Remember that only the first exception that applies to that particular device takes effect; all further exceptions are ignored.


    Q5: If the overall Storage Volumes policy is set to “No Access” and a number of devices need to be allowed, can this be done?

    A5: These devices can be added by Hardware ID, Device Instance ID, or Volume Serial number.   However, if an overall restriction is higher up in the Exceptions list, the “Full Access” or “Read Only Access” rule will not apply.


    Remember, the rules are applied in the order they were entered.   However, the console sorts the rules alphabetically.   LANDESK is currently considering adding the functionality to move the Exceptions up and down the list within the Console.


    The best way to see exactly which Device Control policies are in place is to view the DCM.XML in the LDCLIENT\HIPS folder on the client.
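To check which exception actually decides access for a given device, the following added example (not Ivanti code) parses a DCM.XML-style fragment and applies the first-match rule described above, listing any later exceptions that are ignored. The sample policy is constructed from the A2 fragment with closing tags assumed, and the `device` dictionary and `evaluate` function are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the A2 fragment above; closing tags are assumed.
SAMPLE_DCM = """
<Volumes>
  <Removable Access="Full">
    <Exception id="Bus_Type" value="USB" override="DenyAll" />
    <Exception id="Volume_Serial" value="7204-A7C7" override="Full" />
  </Removable>
</Volumes>
"""


def evaluate(dcm_xml, device):
    """Return (effective_access, winning_exception, ignored_exceptions).

    `device` is a hypothetical dict keyed by Exception id, for example
    {"Bus_Type": "USB", "Volume_Serial": "7204-A7C7"}.
    """
    root = ET.fromstring(dcm_xml)
    removable = root if root.tag == "Removable" else root.find(".//Removable")
    if removable is None:
        raise ValueError("no <Removable> element in policy")
    matches = []
    # Document order is creation order, which is the order the client follows.
    for exc in removable.findall("Exception"):
        key, value = exc.get("id"), exc.get("value")
        # Case-insensitive comparison is an assumption made here.
        if key and value and device.get(key, "").lower() == value.lower():
            matches.append((key, value, exc.get("override")))
    if not matches:
        return removable.get("Access"), None, []
    # Only the first matching exception takes effect; later ones are ignored.
    return matches[0][2], matches[0], matches[1:]


if __name__ == "__main__":
    stick = {"Bus_Type": "USB", "Volume_Serial": "7204-A7C7"}
    access, winner, ignored = evaluate(SAMPLE_DCM, stick)
    print("effective access:", access)
    print("decided by:", winner)
    for exc in ignored:
        print("ignored (shadowed by an earlier exception):", exc)
```

A non-empty ignored list means a later, more specific exception never takes effect for that device, which is the situation described in A2 and A4.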


    In addition you may want to consider using the Devices section of Device Control.  This differs from Storage Volumes.   This section allows you to block based on Interface, Device Type, and add Exceptions in a similar fashion to the Storage Volumes section.


    View this GIF for more information.