Recommended settings

The device control policy specifies which storage and networking devices are authorized for use on computers. When setting up your device control policy, consider the following:

  • Use the Detect but do not block devices option to detect but not block controlled devices. To do this, you must first set the status to Blocked for each device type you want to detect. The software will not scan for any device types you have not specified. Initially defining a report-only policy enables you to gain a better view of device use across your network.
  • Use the device control Event Viewer to quickly filter block events for investigation. You can access the Event Viewer by clicking Events > Device Control Events.
  • Use the Report Manager to create trend reports on device control events by computer or user.
  • Consider providing tighter access control for computers of users with access to sensitive information.
  • Plan a list of device exemptions prior to rolling out a policy that blocks devices. For example, you may want to allow the use of optical drives within the art team.
  • The "Secure Removable Storage" category can be used to automatically authorize hardware-encrypted USB storage devices from various supported vendors. A full list of supported vendors is available on the Sophos website. For a list of supported secure removable storage devices, see knowledge base article 63102.
  • When adding device exemptions to the device control policy, identify the reason for a device exemption or who requested it in the Comment field.
  • Use the custom desktop messaging options to provide users with additional guidance when a controlled device is discovered. For example, you could provide a link to your company's device use policy.
  • If you want a network device (such as a Wi-Fi adapter) to become enabled only when the computer is physically disconnected from the network, select the Block bridged option when setting access levels for network devices.
    Note The Block bridged mode significantly reduces the risk of network bridging between a corporate network and a non-corporate network. The mode is available for both wireless and modem types of devices. The mode works by disabling either wireless or modem network adapters when an endpoint is connected to a physical network (typically through an Ethernet connection). Once the endpoint is disconnected from the physical network, the wireless or modem network adapters are seamlessly re-enabled.
  • Ensure you are certain about blocking a device prior to rolling out your policy. Be aware of all user scenarios, especially in relation to Wi-Fi and network devices.
    Caution Policy changes are made from the Sophos Enterprise Console server to the computer through the network; therefore, once the network is blocked, it cannot be unblocked from Sophos Enterprise Console since the computer cannot accept additional configuration from the server.
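The following Python script is an added example, not part of the original Sophos documentation and not Sophos code. It models the Block bridged rule described above (wireless and modem adapters are disabled while an Ethernet link is connected) and the caution about losing the management channel: given a constructed endpoint inventory and a proposed network device policy, it lists endpoints that would be left with no usable network adapter and so could no longer receive further configuration from the console. The adapter kinds, access level names and inventory are assumptions for illustration.

```python
# Added example (hypothetical model, not Sophos code): pre-rollout check of a
# device control network policy. Applies the "Block bridged" rule and flags
# endpoints that would lose every usable adapter under the proposed policy.
from dataclasses import dataclass
from typing import Dict, List

# Assumed access levels for a network device kind.
FULL, BLOCK_BRIDGED, BLOCKED = "full", "block_bridged", "blocked"


@dataclass(frozen=True)
class Adapter:
    name: str
    kind: str        # "ethernet", "wireless" or "modem"
    connected: bool  # adapter currently has a link


@dataclass(frozen=True)
class Endpoint:
    name: str
    adapters: List[Adapter]


def adapter_enabled(adapter: Adapter, endpoint: Endpoint, policy: Dict[str, str]) -> bool:
    """Return whether the policy leaves this adapter enabled in the endpoint's current state."""
    level = policy.get(adapter.kind, FULL)
    if level == FULL:
        return True
    if level == BLOCKED:
        return False
    if level == BLOCK_BRIDGED:
        # Block bridged: a wireless/modem adapter is disabled only while the
        # endpoint is plugged into a physical (Ethernet) network.
        ethernet_up = any(a.kind == "ethernet" and a.connected for a in endpoint.adapters)
        return not ethernet_up
    raise ValueError(f"unknown access level {level!r}")


def usable_adapters(endpoint: Endpoint, policy: Dict[str, str]) -> List[str]:
    """Adapters that are connected and still enabled once the policy applies."""
    return [a.name for a in endpoint.adapters
            if a.connected and adapter_enabled(a, endpoint, policy)]


def endpoints_losing_management(endpoints: List[Endpoint], policy: Dict[str, str]) -> List[str]:
    """Endpoints with no usable adapter left: the console could not reach them to unblock."""
    return [e.name for e in endpoints if not usable_adapters(e, policy)]


# Constructed inventory for the example.
INVENTORY = [
    Endpoint("docked-laptop", [Adapter("eth0", "ethernet", True),
                               Adapter("wlan0", "wireless", True)]),
    Endpoint("roaming-laptop", [Adapter("wlan0", "wireless", True)]),
    Endpoint("field-tablet", [Adapter("wwan0", "modem", True),
                              Adapter("wlan0", "wireless", False)]),
]

# Proposed policies: Block bridged for wireless and modem, versus an outright block.
BLOCK_BRIDGED_POLICY = {"wireless": BLOCK_BRIDGED, "modem": BLOCK_BRIDGED}
STRICT_POLICY = {"wireless": BLOCKED, "modem": BLOCKED}

if __name__ == "__main__":
    for label, policy in (("block bridged", BLOCK_BRIDGED_POLICY), ("strict", STRICT_POLICY)):
        print(f"{label}: endpoints that would lose management:",
              endpoints_losing_management(INVENTORY, policy))
```

Running the script shows that the Block bridged policy leaves every endpoint reachable (the docked laptop keeps eth0, the others keep their wireless or modem link because no Ethernet link is present), while the strict policy would cut off the roaming laptop and the field tablet, which is exactly the situation the caution above warns cannot be undone from the console.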