Server Peripheral Control Policy

Peripheral Control lets you control access to peripherals and removable media for Windows servers. You can monitor your servers for peripheral devices, block access to new and existing peripherals, allow read-only access for some peripheral types, and exempt individual peripherals from that control.

Configure Peripheral Control

This video explains how to set up a Peripheral Control policy and includes troubleshooting advice.

Create a Peripheral Control policy

To create a Peripheral Control policy, go to My Products > Server > Policies. See Create or Edit a Policy.

Make sure the policy is active, then click Settings to manage peripherals.

Note

If an option is locked, your partner or Enterprise administrator has applied global settings.

Manage peripherals

Under Manage peripherals, you can decide how you want to manage peripheral devices in your environment. Select one of the following options:

  • Disable peripheral control: Turn off Peripheral Control. Peripherals aren't monitored or blocked.
  • Monitor but do not block (all peripherals will be allowed): All peripherals are allowed regardless of any changes to peripheral types. Sophos monitors and records all peripherals detected on Sophos-managed servers.
  • Control access by peripheral type and add exemptions: Select the action to take for all peripheral devices based on their type.

Devices and actions

Use the drop-down lists to select the action you want to take for each peripheral type. The types of devices you can manage and the actions you can take on each type are as follows:

  • Bluetooth: Select Allow or Block.
  • Secure removable storage: Select Allow, Read Only, or Block.
  • Floppy Drive: Select Allow, Read Only, or Block.
  • Infrared: Select Allow or Block.
  • Modem: Select Allow or Block.
  • Optical Drive: Select Allow, Read Only, or Block.
  • Removable storage: Select Allow, Read Only, or Block.
  • Wireless: Select Allow, Block Bridged, or Block. Block Bridged prevents the bridging of two networks and doesn't generate any block alerts or events.
  • MTP/PTP: Select Allow or Block. This category includes devices such as phones, tablets, cameras, and media players that connect using Media Transfer Protocol (MTP) or Picture Transfer Protocol (PTP).

Warning

Setting network peripherals such as Modem and Wireless to Block can prevent your servers from accessing the network and communicating with Sophos Central to receive policy updates. Make sure you have exceptions in place for your approved network peripherals before setting these types to Block. Otherwise, you'll need physical access to the servers to override the policy and restore the network connection.

Peripheral Exemptions

Click Peripheral Exemptions to see a list of peripheral exemptions and their details.

To add new exemptions for specific devices or apply less restrictive controls, do as follows:

  1. Click Add Exemptions.
  2. In the Add Peripheral Exemptions dialog, you see a list of all peripherals detected on endpoint computers and servers by policies set to Monitor but do not block (all peripherals will be allowed).
  3. Select the peripherals to which you want to apply the exemption.
  4. In the Policy column, use the drop-down list to assign a specific access policy to an exempt peripheral.

    Note

    If you try to set a stricter access policy for an individual peripheral than for its peripheral type, Sophos ignores the exemption setting for the individual device and shows a warning icon beside it.

  5. In the Enforce By column, use the drop-down menu to apply the peripheral exemption to all peripherals that share the same Model ID or Instance ID.

  6. Click Add Exemption(s).
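
The Warning about blocking Modem and Wireless and the Note about stricter exemptions both describe mistakes that can be caught on paper before a policy is switched on. The following check is an added example, not Sophos code or a Sophos Central API: the data layout, the device IDs, and the strictness ranking (including where Block Bridged sits) are assumptions made for illustration.

```python
# Added example: lint a planned Peripheral Control policy before applying it.
# The data layout and device IDs are constructed; not a Sophos format or API.

# Assumed strictness ranking, least to most restrictive.
STRICTNESS = {"Allow": 0, "Read Only": 1, "Block Bridged": 1, "Block": 2}
NETWORK_TYPES = ("Modem", "Wireless")  # the types named in the Warning

PLANNED_TYPES = {  # constructed sample: action per peripheral type
    "Removable storage": "Read Only", "Bluetooth": "Allow",
    "Wireless": "Block", "Modem": "Block",
}
PLANNED_EXEMPTIONS = [  # constructed sample: id is a Model ID or Instance ID
    {"id": "MODEL-EXAMPLE-0001", "type": "Wireless", "action": "Allow"},
    {"id": "INSTANCE-EXAMPLE-0002", "type": "Bluetooth", "action": "Block"},
    {"id": "INSTANCE-EXAMPLE-0003", "type": "Removable storage", "action": "Allow"},
]


def review_policy(type_actions, exemptions):
    """Return (severity, message) findings for a planned policy."""
    findings, relaxed_types = [], set()
    for ex in exemptions:
        dev, ptype, action = ex["id"], ex["type"], ex["action"]
        if ptype not in type_actions or action not in STRICTNESS:
            findings.append(("error", f"{dev}: unknown type or action"))
            continue
        type_action = type_actions[ptype]
        if STRICTNESS[action] > STRICTNESS[type_action]:
            # Per the Note: a stricter per-device setting is ignored.
            findings.append(("warn", f"{dev}: {action} is stricter than "
                             f"{ptype}={type_action}; exemption is ignored"))
        elif STRICTNESS[action] < STRICTNESS[type_action]:
            relaxed_types.add(ptype)  # an approved device stays usable
    for ptype in NETWORK_TYPES:
        # Per the Warning: blocking a network type needs an exemption first.
        if type_actions.get(ptype) == "Block" and ptype not in relaxed_types:
            findings.append(("error", f"{ptype}: set to Block with no exemption "
                             "for an approved device; server may lose network"))
    return findings


if __name__ == "__main__":
    for severity, message in review_policy(PLANNED_TYPES, PLANNED_EXEMPTIONS):
        print(f"{severity.upper():5} {message}")
```

With the sample data, the Bluetooth exemption is reported as ignored and Modem is reported as blocked without an approved device, while Wireless passes because a less restrictive exemption exists.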

Desktop Messaging

You can add a message to the standard Peripheral Control notification. If you leave the message box empty, only the standard message is shown.

Desktop Messaging is on by default.

Note

If you switch off Desktop Messaging, you won't see any notification messages related to Peripheral Control on the server.

Click in the message box and enter the text you want to add.