This article describes how to block or allow specific devices in Symantec Endpoint Protection (SEP) using Application and Device Control (ADC) features.
There are two ways that devices can be identified in SEP:
There are advantages and disadvantages of using either method and there is a different functionality for each method.
This article discusses these two IDs and how to use them in SEP.
A Class ID is a generic category of devices that are designated by the Windows operating system. A Class ID is always listed as a GUID. Here are examples of Class IDs (GUID):
In SEP, wildcards are not supported on Class IDs.
For a list of Class IDs, click here.
A Device ID (also known as a Device Instance ID in Windows) is a specific ID that is given to each device. A Device ID can be more effective for blocking or allowing devices because it is made by concatenating a list of data about the particular device. Device IDs are generally in a more readable format.
Here are two common formats for Device IDs:
Here are examples of Device IDs:
For Device IDs wildcards are supported: * and ?.
Here are examples of using wildcards:
Any USB storage device
Any USB Disk
Any USB SanDisk drive
Any USB SanDisk Micro Cruzer drive
A specific SanDisk device
It is recommended to use Device IDs over Class IDs in most cases.
Both the Class IDs and the Device IDs can be added to the SEPM under Policy Components > Hardware Devices section.
On the SEP CD or DVD, under the Tools\NoSupport folder look for Device Viewer (DevViewer). The Device Viewer can be used to get either the Class ID or the Device ID of a particular device. It would assist copying the IDs to the Clipboard and then paste into the SEPM.
The Device Viewer also gives the ability to view devices by type or by connection.
SEP has the ability to block devices using either Application Control or Device Control. Device Control gives the ability to completely disable a device. When a device has been disabled this way, it will be seen as disabled in the Windows Device manager. Device Control can ensure that the device specified cannot be used in the SEP client system at all. Device Control can use both Class IDs and Device IDs.
Device Control can also block devices at any node in the tree. If a device is blocked at one node then all devices below that node (all children) will be blocked also. Conversely if a device is excluded on a particular node, then all the devices above that node will also be excluded.
Note: Devices such as Androids, iphones, and other types of portable devices will not be able be charged when blocked by deviceid with Device Control.
Application Control feature assists in performing more granular blocking of devices. Application Control is a very powerful engine that controls blocking or allowing reads, writes or execute commands on a device, including controlling what applications may be used.
For example: Creating a policy using Application Control to block any program that is running off a USB drive from changing the registry or modifying files on the host computer. With Application Control, Device IDs could be used. Class IDs will not work. Device IDs are allowed in the following places:
Only blocking a device with Application Control that is at the end of a node in the tree could be performed, unless the end node is "Generic volume" or "Storage volume". In these two cases, the device that is one up from the last node (the parent of the last node) would be blocked.
Most Device IDs that are supported by Application Control will have one of these types:
Note: Application Control can only block devices that are seen by Windows as disk drives and have drive letters associated with them. Devices that do not add drive letters (such as an iPhone or iPad) will need to be blocked using Device Control.
USB Root Hub blocking of devices except mouse and keyboard Reference: https://support.symantec.com/en_US/article.TECH161779.html