
Endpoint: Peripheral Control

Peripheral control lets you control access to peripherals and removable media.

If you need to exempt individual peripherals from that control, use a Peripheral Control Policy in Sophos Central Admin.

Set up Peripheral Control

This video explains how to set up a Peripheral Control policy and includes troubleshooting advice.

Manage Peripherals

In Manage Peripherals, select how you want to control peripherals:

  • Monitor but do not block (all peripherals will be allowed): If you select this, access to all peripherals is allowed, regardless of any settings below. All peripherals used will be detected but you can't set access rules for them.
  • Control access by peripheral type and add exemptions: If you select this, you can go on to set access policies for peripheral types.


You can't add peripheral exemptions at the global level, so you will need to do this at the sub-estate level.

Set Access Policies

The MTP/PTP category includes devices such as phones, tablets, cameras and media players that connect using the MTP or PTP protocols.

For each peripheral type, you can change the access policy:

  • Allow: Peripherals are not restricted in any way.
  • Block: Peripherals are not allowed at all.
  • Read Only: Peripherals can be accessed only for reading.

The Bluetooth, Infrared, and Modem categories don't have the Read Only option.

The Wireless Network Adaptor category has a Block Bridged option. This prevents bridging of two networks.

Desktop Messaging

You can add a message to the end of the standard notification. If you leave the message box empty, only the standard message is shown.

Desktop Messaging is on by default.


If you switch off Desktop Messaging, you will not see any notification messages related to peripheral control.

Click in the message box and enter the text you want to add.