Exceptions

On the Endpoint Protection > Device Control > Exceptions tab you can create protection exceptions for devices. An exception always allows something which is forbidden by the device policy assigned to a computer group. Exceptions are made for computer groups; an exception therefore always applies to all computers of the selected group(s).

The Exceptions list automatically shows all detected devices that are blocked or access-restricted by the applied device control policies. Because floppy drives cannot technically be distinguished from one another, only one entry is displayed when multiple floppy drives are connected. This entry serves as a placeholder for all floppy drives.

To add an exception for a device, proceed as follows:

  1. Click the Edit button of the device.

    The Edit Device dialog box opens.

  2. Make the following settings:

    Allowed: Add the computer groups for which this device should be allowed.

    Read only or bridged: Add the computer groups for which this device should be allowed in read-only mode (applies to storage devices) or bridged mode (applies to network devices).

    Apply to all: If you select this option, the current settings will be applied to all devices with the same device ID. This is useful, for example, if you want to assign a generic exception to a set of USB sticks of the same type.

    Mode: This option is only available when you unselect the Apply to all checkbox. In this case you have to specify what becomes of other devices having the generic exception. If you want to keep the generic exception for the affected devices, select Keep for others. If you want to delete the generic exception, click Delete for others.

    Tip – For more information and examples concerning generic exceptions, see section Working With Generic Device Exceptions below.

    Comment (optional): Add a description or other information.

  3. Click Save.

    The computer groups along with their exceptions will be displayed with the edited device.

Note – Once a device exists on the Exceptions list, it will stay on the list until you delete it using the Delete button. Typically you would delete a device after the corresponding hardware device has been removed irrevocably (e.g., optical drive does not exist any longer) or after changing your device policies (e.g., wireless network adapters are now generally allowed). When you delete a device which is still in use, a message box opens that you need to confirm with OK. After that the device will be deleted from the list. If an exception existed for this device, the exception will automatically be invalidated, i.e. the current device policy will be applied to the device.

Working With Generic Device Exceptions

A generic device exception is an exception which is automatically applied to all devices having the same device ID.

Creating a Generic Exception

  1. Click the Edit button of a device that does not have a generic exception, i.e., the Apply to all checkbox is unselected.
  2. Configure the exception and select the Apply to all checkbox.
  3. Save the exception.

    The exception will be applied to all devices having the same device ID.

Excluding a Device From a Generic Exception

  1. Click the Edit button of the device you want to exclude from an existing generic exception.
  2. Configure the individual exception and unselect the Apply to all checkbox.
  3. In the Mode drop-down list, select Keep for others.
  4. Save the exception.

    The edited device will have an individual exception, whereas the others will keep the generic exception.

Changing the Settings for All Devices Having the Generic Exception

  1. Click the Edit button of one of the devices having a generic exception.
  2. Configure the exception while keeping the Apply to all checkbox selected.
  3. Save the exception.

    The settings of all devices with the same device ID and where the Apply to all checkbox is selected will be changed accordingly.

Deleting a Generic Exception

  1. Click the Edit button of one of the devices having the generic exception.
  2. Unselect the Apply to all checkbox.
  3. In the Mode drop-down list, select Delete for others.
  4. Save the exception.

    The exceptions of all devices with the same device ID and where the Apply to all checkbox was selected will be deleted. Only the edited device still has an exception—an individual one.
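
The four procedures above, expressed as a small Python model that shows which devices keep, change or lose their exception at each step. This is an added example, not Sophos code: the Entry class, the per-device instance label, the save and access functions, and the sample device ID and group names are assumptions made for illustration.

```python
# Illustrative model of the generic-exception rules described on this page.
from dataclasses import dataclass

@dataclass
class Entry:
    device_id: str                      # shared by devices of the same type
    instance: str                       # hypothetical per-device label (assumption)
    allowed: frozenset = frozenset()    # groups granted full access
    read_only: frozenset = frozenset()  # groups granted read-only/bridged access
    apply_to_all: bool = False          # True while the generic exception applies

def _set(entry, allowed, read_only, generic):
    entry.allowed, entry.read_only = frozenset(allowed), frozenset(read_only)
    entry.apply_to_all = generic

def save(entries, target, allowed=(), read_only=(), apply_to_all=False, mode=None):
    """Model of Save in the Edit Device dialog, per the four procedures above."""
    peers = [e for e in entries if e.device_id == target.device_id and e is not target]
    if apply_to_all:
        # Creating: reaches every device with this ID. Changing: only devices
        # that still have Apply to all selected (individual ones are skipped).
        creating = not target.apply_to_all
        for e in peers:
            if creating or e.apply_to_all:
                _set(e, allowed, read_only, True)
    elif target.apply_to_all:
        # Leaving a generic exception: Mode decides what happens to the others.
        if mode not in ("keep", "delete"):
            raise ValueError("Mode must be 'keep' or 'delete' (Keep/Delete for others)")
        if mode == "delete":
            for e in peers:
                if e.apply_to_all:
                    _set(e, (), (), False)
    _set(target, allowed, read_only, apply_to_all)

def access(entry, group):
    """Effective result for a computer group; 'policy' = no exception applies."""
    if group in entry.allowed:
        return "allowed"
    return "read_only" if group in entry.read_only else "policy"

def demo():
    # Constructed sample: three USB sticks of one type, two computer groups.
    a, b, c = (Entry("stick-type-1", n) for n in "ABC")
    devs = [a, b, c]
    save(devs, a, allowed={"Finance"}, apply_to_all=True)        # create generic
    save(devs, b, read_only={"Finance"}, mode="keep")            # exclude B
    save(devs, a, allowed={"Finance", "HR"}, apply_to_all=True)  # change generic
    before = [access(e, "HR") for e in devs]
    save(devs, a, allowed={"HR"}, mode="delete")                 # delete generic
    return before, [access(e, "HR") for e in devs], access(b, "Finance")
```

After the last step only device A still grants access to HR; device C falls back to the device policy, and device B keeps the individual read-only exception it was given when it was excluded.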

© 2019 Sophos Limited Sophos UTM 9.600