How to roll out a device control policy

By default, device control is turned off and all devices are allowed. We recommend that you introduce device control as follows:

  1. Consider which devices you want to control.
  2. Enable device control scanning, and select the Detect but do not block devices option so that controlled devices are detected but not blocked. To do this, you must first set the status to Blocked for each device type you want to detect. The software does not scan for any device types you have not specified.

    At this stage, you have one device control policy for your entire network.

  3. Use the device control Event Viewer to view which devices are being used, and determine the device types that you want to block. You can access the Event Viewer by clicking Events > Device Control Events.
  4. To grant different levels of device access to different computer groups, create a separate policy for each group. For example, you may want to block removable storage devices for the human resources and finance departments but allow them for the IT and sales departments.
  5. Exempt the instances or model types that you do not want to block. For example, you can exempt a specific USB key (instance) or all Vodafone 3G modems (model type).
  6. Determine which devices you want to block and change their status to Blocked. You can also allow read-only access to certain storage devices.
  7. Configure your policy to block controlled devices that are detected by clearing the Detect but do not block devices option.

By taking this approach, you avoid generating large numbers of alerts and avoid blocking devices that your users may need. For more information on setting up a device control policy, see the Sophos Enterprise Console help.