For any of the device control features in Carbon Black App Control to be enabled, you must activate device control settings on policies.

Each policy can have its own device control configuration. These settings allow you to activate blocking for any combination of the following:

  • banned devices and/or unapproved devices
  • write and/or execute operations

You cannot block read operations on devices, but you can enable reporting so that when a file is read on a banned or unapproved device, an event is generated.

You enable device control on the Edit Policy page for policies that have already been created. Device Control Settings do not appear on the Add Policy page for a new policy you are creating.

For policies in Visibility mode, you can choose any device control setting, but no device operations are blocked. To block device activity, a policy must be in Control mode.

Note: The effect of the settings on drives with removable media, such as CD/DVD drives, differs from the effect on devices with non-removable media. Burning a CD or DVD does not constitute a “Write” operation. If you want to block burning of CD/DVD media, ban the media-burning software application.

The following table shows the effects of specific choices for Device Control settings.

Table 1. Device Control Setting Behavior

For each setting, the effect of choosing Active, Off or Report Only:

Block writes to unapproved removable devices
  Active: Tracks write operations to unapproved removable devices and blocks them in all Control mode policies (High, Medium and Low Enforcement).
    Notes:
    — All devices are unapproved by default, so be certain you want to block everything you haven’t explicitly approved before activating this setting.
    — Blocking writes to removable devices does not block writes to CD/DVD media.
  Off: Permits write operations to removable devices; does not report the event.
  Report Only: Permits write operations and reports them as events.

Block writes to banned removable devices
  Active: Tracks write operations to banned removable devices and blocks them in all Control mode policies (High, Medium and Low Enforcement).
    Note: Blocking writes to removable devices does not block writes to CD/DVD media.
  Off: Permits write operations to banned removable devices; does not report the event.
  Report Only: Permits write operations and reports them as events.

Report reads from unapproved removable devices
  Active: Choice not available.
  Off: Permits reads from unapproved removable devices; does not report the event.
  Report Only: Permits reads and reports them as events.

Report reads from banned removable devices
  Active: Choice not available.
  Off: Permits reads from banned removable devices; does not report the event.
  Report Only: Permits reads and reports them as events.

Block execution from unapproved removable devices
  Active: Tracks execution of files on unapproved removable devices and blocks them in all Control mode policies (High, Medium and Low Enforcement).
    Note: All devices are unapproved by default, so be certain you want to block all devices not explicitly approved before activating this setting.
  Off: Permits files on unapproved removable devices to execute unless the file itself is banned by another rule; does not report the event.
  Report Only: Permits executions and reports them as events.

Block execution from banned devices
  Active: Tracks execution of files on banned removable devices and blocks them in all Control mode policies (High, Medium and Low Enforcement).
  Off: Permits execution of files on banned removable devices unless the file is banned by another rule; does not report the event.
  Report Only: Permits executions and reports them as events.

In the Default, Template and Local Approval policies, device controls are all set to Off (no blocking or reporting) except for the settings that block writes and executions to banned devices, which are Active. You can change this for all except the Local Approval Policy. Changing the settings in the Template Policy before you create other policies can save time in policy configuration.
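The following is an added model of the setting behavior described in Table 1 and the default-policy paragraph above; it is not App Control code and uses no product API. It encodes the interactions a policy reviewer must keep straight: reads can never be blocked, Active blocks only in Control mode, the CD/DVD caveat, and the defaults of the Default and Template policies. The assumption that an Active setting still reports the event when Visibility mode prevents the block is labelled in the code.

```python
from collections import namedtuple
from dataclasses import dataclass
from enum import Enum

class Mode(Enum):
    VISIBILITY = "visibility"  # nothing is blocked, whatever the settings say
    CONTROL = "control"        # High, Medium or Low Enforcement

class DeviceState(Enum):
    APPROVED = "approved"
    UNAPPROVED = "unapproved"  # every device starts out unapproved
    BANNED = "banned"

class Setting(Enum):
    OFF = "off"
    REPORT_ONLY = "report_only"
    ACTIVE = "active"

@dataclass(frozen=True)
class DeviceControlPolicy:
    """One policy's Device Control Settings, one field per row of Table 1."""
    mode: Mode
    block_writes_unapproved: Setting = Setting.OFF
    block_writes_banned: Setting = Setting.OFF
    report_reads_unapproved: Setting = Setting.OFF  # Active is not a choice for reads
    report_reads_banned: Setting = Setting.OFF
    block_exec_unapproved: Setting = Setting.OFF
    block_exec_banned: Setting = Setting.OFF

    def __post_init__(self):
        if Setting.ACTIVE in (self.report_reads_unapproved, self.report_reads_banned):
            raise ValueError("reads cannot be blocked: Active is not a choice for read settings")

def default_policy(mode):
    """Defaults of the Default and Template policies: all Off except banned writes/executes."""
    return DeviceControlPolicy(mode, block_writes_banned=Setting.ACTIVE, block_exec_banned=Setting.ACTIVE)

Outcome = namedtuple("Outcome", "blocked reported")
_ROW = {"read": "report_reads", "write": "block_writes", "execute": "block_exec"}

def evaluate(policy, device, operation, cd_dvd_media=False):
    """Outcome of a read/write/execute on a device under this policy's device settings.
    Bans on the file itself by other rules are outside this model. Assumption (not stated
    on the page): an Active setting still reports the event when Visibility mode prevents the block."""
    if device is DeviceState.APPROVED or (operation == "write" and cd_dvd_media):
        return Outcome(blocked=False, reported=False)  # burning CD/DVD is not a Write; no setting applies
    setting = getattr(policy, f"{_ROW[operation]}_{device.value}")
    if setting is Setting.ACTIVE:
        return Outcome(blocked=policy.mode is Mode.CONTROL, reported=True)
    return Outcome(blocked=False, reported=setting is Setting.REPORT_ONLY)
```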

Enable Device Control for a Policy

Use this procedure to enable device control for a policy.

Procedure

  1. On the console menu, choose Rules > Policies. The Policies page opens.
  2. On the Policies page, click the View Details button next to the name of the policy whose device settings you want to edit. The Edit Policy page opens.
  3. Click the Device Control Settings tab.
    The Device Control Settings tab on the Edit Policy page
  4. On the Device Control Settings panel, choose Active for any setting you want to enable, Off for any setting you want to disable, and Report Only for any setting for which you want the App Control Server to report file activity on devices but not enforce the setting.
    Note that you cannot block Read access to devices, so Active is not a choice for the two Read settings. See Device Control Setting Behavior for details about the effects of each setting.
  5. You can change (or eliminate) the notifier that appears when a device setting blocks file access. To do this, make a choice on the Notifier menu next to each setting whose notifier you want to change. See Endpoint Notifiers and Approval Requests for more options and more information.
  6. When the Device Settings and their notifiers are edited to your preferences, click the Save button (to remain on the page) or the Save & Exit button. Your changes are saved for that policy.
  7. Repeat this procedure for each policy whose Device Settings you want to change.