Device control policy

Note: This feature is not included with all licenses. If you want to use it, you might need to change your license.

Warning: Sophos device control should not be deployed alongside device control software from other vendors.

Device control enables you to prevent users from using unauthorized external hardware devices, removable storage media, and wireless connection technologies on their computers. This can help to significantly reduce your exposure to accidental data loss and restrict the ability of users to introduce software from outside of your network environment.

Removable storage devices, optical disk drives, and floppy disk drives can also be set to provide read-only access.

Using device control, you can also significantly reduce the risk of network bridging between a corporate network and a non-corporate network. The Block bridged mode is available for both wireless and modem types of device. The mode works by disabling either wireless or modem network adapters when an endpoint is connected to a physical network (typically through an Ethernet connection). Once the endpoint is disconnected from the physical network, the wireless or modem network adapters are seamlessly re-enabled.

By default, device control is turned off and all devices are allowed.

If you want to enable device control for the first time, we recommend that you:

  • Select device types to control.
  • Detect devices without blocking them.
  • Use device control events to decide which device types to block and which, if any, devices should be exempt.
  • Detect and block devices or allow read-only access to storage devices.
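
The third step, reviewing events gathered while devices are detected but not blocked, can be scripted. The sketch below is an added example, not part of the Sophos documentation or product: the CSV columns (`computer`, `device_type`, `device`), the sample rows, and the `min_computers` heuristic are all assumptions made for illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample events from a detect-only period. The column names and
# values are assumptions for this example, not the console's export format.
SAMPLE_EVENTS = """\
computer,device_type,device
PC-01,Removable storage,Constructed Encrypted Stick A
PC-02,Removable storage,Constructed Encrypted Stick A
PC-03,Removable storage,Constructed Encrypted Stick A
PC-02,Removable storage,Constructed Personal Stick B
PC-04,Wireless,Constructed WLAN Adapter C
PC-04,Wireless,Constructed WLAN Adapter C
PC-05,Optical drive,Constructed DVD Drive D
"""


def summarize(events_csv, min_computers=3):
    """Summarize detect-only events per device type.

    A device seen on at least `min_computers` distinct computers is listed as
    an exemption candidate for review (assumed heuristic: widely used devices
    are more likely to be company-issued). Nothing is exempted automatically.
    """
    seen_on = defaultdict(lambda: defaultdict(set))  # type -> device -> computers
    events = Counter()
    for row in csv.DictReader(io.StringIO(events_csv)):
        seen_on[row["device_type"]][row["device"]].add(row["computer"])
        events[row["device_type"]] += 1

    report = {}
    for dtype, devices in seen_on.items():
        report[dtype] = {
            "events": events[dtype],
            "computers": len(set().union(*devices.values())),
            "devices": len(devices),
            "exemption_candidates": sorted(
                d for d, pcs in devices.items() if len(pcs) >= min_computers
            ),
        }
    return report


if __name__ == "__main__":
    for dtype, stats in sorted(summarize(SAMPLE_EVENTS).items()):
        print(dtype, stats)
```

Device types with many events but no exemption candidates are the simplest to move to blocking or read-only access; types with candidates need a decision on each listed device first.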

For more information about the recommended settings for device control, see the Sophos Enterprise Console policy setup guide.

If you use role-based administration:

  • You must have the Policy setting - device control right to configure a device control policy.
  • You can't edit a policy if it is applied outside your active sub-estate.