For any of the device control features in Carbon Black App Control to be enabled, you must activate device control settings on policies.
Each policy can have its own device control configuration. These settings allow you to activate blocking for any combination of the following:
- banned devices and/or unapproved devices
- write and/or execute operations
You cannot block read operations on devices, but you can enable reporting so that when a file is read on a banned or unapproved device, an event is generated.
You enable device control on the Edit Policy page for policies that have already been created. Device Control Settings do not appear on the Add Policy page for a new policy you are creating.
For policies in Visibility mode, you can choose any device control setting, but no device operations are blocked. To block device activity, a policy must be in Control mode.
The following table shows the effects of specific choices for Device Control settings.
| Setting | Active | Off | Report Only |
|---|---|---|---|
| Block writes to unapproved removable devices | Tracks write operations to unapproved removable devices and blocks them in all Control mode policies (High, Medium and Low Enforcement). Notes: (1) All devices are unapproved by default, so be certain you want to block everything you have not explicitly approved before activating this setting. (2) Blocking writes to removable devices does not block writes to CD/DVD media. | Permits write operations to unapproved removable devices; does not report the event. | Permits write operations and reports them as events. |
| Block writes to banned removable devices | Tracks write operations to banned removable devices and blocks them in all Control mode policies (High, Medium and Low Enforcement). Note: Blocking writes to removable devices does not block writes to CD/DVD media. | Permits write operations to banned removable devices; does not report the event. | Permits write operations and reports them as events. |
| Report reads from unapproved removable devices | Choice not available. | Permits reads from unapproved removable devices; does not report the event. | Permits reads and reports them as events. |
| Report reads from banned removable devices | Choice not available. | Permits reads from banned removable devices; does not report the event. | Permits reads and reports them as events. |
| Block execution from unapproved removable devices | Tracks execution of files on unapproved removable devices and blocks them in all Control mode policies (High, Medium and Low Enforcement). Note: All devices are unapproved by default, so be certain you want to block all devices not explicitly approved before activating this setting. | Permits files on unapproved removable devices to execute unless the file itself is banned by another rule; does not report the event. | Permits executions and reports them as events. |
| Block execution from banned devices | Tracks execution of files on banned removable devices and blocks them in all Control mode policies (High, Medium and Low Enforcement). | Permits files on banned removable devices to execute unless the file itself is banned by another rule; does not report the event. | Permits executions and reports them as events. |
In the Default, Template and Local Approval policies, device controls are all set to Off (no blocking or reporting) except for the settings that block writes and executions to banned devices, which are Active. You can change this for all except the Local Approval Policy. Changing the settings in the Template Policy before you create other policies can save time in policy configuration.
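As an added example (not Carbon Black code), the following Python models the settings matrix and defaults above as a decision function: given a policy's mode, its six device control settings and one device operation, it returns whether the operation is allowed, reported or blocked, including the Visibility mode, read-only and CD/DVD caveats. Function and parameter names are assumptions, as is reading "tracks" as "generates an event".

```python
# Model of the Device Control settings matrix documented above.
# Added example, not Carbon Black App Control code.

# Settings keyed by (device status, operation); reads can never be 'Active'.
SETTING_KEYS = [(s, op) for s in ("unapproved", "banned")
                for op in ("write", "read", "execute")]

# Defaults documented for the Default, Template and Local Approval policies:
# everything Off except blocking writes and executions on banned devices.
DEFAULT_SETTINGS = {key: "Off" for key in SETTING_KEYS}
DEFAULT_SETTINGS[("banned", "write")] = "Active"
DEFAULT_SETTINGS[("banned", "execute")] = "Active"


def setting_allowed(operation, value):
    """True if the Edit Policy page offers this value for this operation."""
    if value not in ("Active", "Off", "Report Only"):
        return False
    # Reads cannot be blocked; only Off or Report Only are offered.
    return not (operation == "read" and value == "Active")


def outcome(policy_mode, settings, device_status, operation,
            cd_dvd=False, file_banned_by_other_rule=False):
    """Return 'allow', 'report' or 'block' for one operation on one device.

    policy_mode: 'Visibility' or 'Control' (High, Medium and Low Enforcement
    all count as Control). device_status: 'approved', 'unapproved', 'banned'.
    """
    for (status, op), value in settings.items():
        if not setting_allowed(op, value):
            raise ValueError(f"{value!r} is not offered for {status}/{op}")
    # A file ban from another rule still applies to execution (Control mode only,
    # since Visibility mode blocks nothing).
    if operation == "execute" and file_banned_by_other_rule \
            and policy_mode == "Control":
        return "block"
    if device_status == "approved":
        return "allow"  # these settings cover only unapproved and banned devices
    value = settings[(device_status, operation)]
    if value == "Off":
        return "allow"
    if value == "Report Only":
        return "report"
    # 'Active': tracked everywhere, but blocked only in Control mode and never
    # for writes to CD/DVD media (assumption: tracking still yields an event).
    if policy_mode == "Visibility" or (operation == "write" and cd_dvd):
        return "report"
    return "block"
```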
Enable Device Control for a Policy
Use this procedure to enable device control for a policy.