Device Policies

What is a Device Policy

It's possible to pre-configure access rights for specified USB devices for specified user accounts or user groups.

For example, you can deny access to mass storage devices for all users except administrators. Another example is allowing access to a specified model of signature pad for a specified user and auto-connecting that signature pad upon user logon.

In other words, Device Policy specifies the action for a USB device (or groups of USB devices) on user logon.

Device Policy

In the screenshot above, there are several configured device groups (Audio device, Communications device, HID device, etc.). A policy action is configured for the Mass Storage device group: it denies use of mass storage devices for Everyone.

So, in this case, each time a user tries to connect a USB mass storage device, the program blocks that attempt and denies the connection of the USB device.

Device Groups

Device Group is a set of properties that identifies certain USB devices. It can also identify a single USB device. The following parameters are used: VID, PID, Serial number, Class, Subclass, Protocol.

Edit Device Group

To identify a group of USB devices, it is enough to specify only some of these properties.

Device Group Matching

If several groups match a USB device, the group with the highest priority is used. A device group has the highest possible priority when all properties are specified. Each property has its own priority weight:

Property    Priority
VID         00100000 (32)
PID         00010000 (16)
Serial      00001000 (8)
Class       00000100 (4)
Subclass    00000010 (2)
Protocol    00000001 (1)

For example, consider two groups: the first specifies VID and Serial, the second specifies Serial, Class and Subclass. In that case the first group has the higher priority (32 + 8 = 40 versus 8 + 4 + 2 = 14).

To avoid collisions, it is prohibited to create several groups with identical property values.

If a USB device is a composite device, several Device Groups with the same priority can match such a USB device (the number of matching Device Groups depends on the number of interfaces of the composite USB device). In this case the action with the highest priority is selected (see Policy Action Matching).

Policy Actions

A Policy Action specifies the action performed for a newly connected USB device for a specified user. The following actions are supported:

Action                                 Description
Deny                                   The USB device is prohibited from connecting
Allow                                  The USB device is allowed to connect
Auto-connect                           The USB device is connected automatically on user logon
Auto-connect, prevent disconnection    The USB device is connected automatically on user logon. The user is not able to disconnect that USB device

Several Policy Actions can be configured for one Device Group.

For example, there is a device group called "Webcams" with two policy actions configured for it. The first one allows connection for the user group Accounting. The second one denies connection for the user Alice.

If the USB device does not match any Device Group, the device is allowed to connect (Allow action).

Policy Action Matching

If the USB device matches a certain Device Group, the program chooses the proper Policy Action for that USB device for the logged-on user.

If the USB device matches a certain Device Group but no Policy Action is found for the logged-on user, the Deny action is applied to that USB device.

If several Policy Actions are found (for example, one Policy Action is specified for a user group and another for a user name), the Policy Action with the highest priority is applied.

Action                                 Priority
Deny                                   00001000 (8)
Auto-connect, prevent disconnection    00000100 (4)
Auto-connect                           00000010 (2)
Allow                                  00000001 (1)

If a USB device is a composite device, several Device Groups with the same priority can match such a USB device (the number of matching Device Groups depends on the number of interfaces of the composite USB device). In this case the action with the highest priority is selected.
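The Device Group Matching and Policy Action Matching rules above, carried through as an added example that is not FabulaTech's code. The property weights and action priorities are the page's; representing a device as a list of interface dicts and a user as a set of principal names (user name plus user-group names) is an assumption, as are all sample VIDs and PIDs.

```python
# Added example, not FabulaTech's code: a model of the matching rules on this page.
# Weights and priorities are the page's; the data layout (a device as a list of
# interface dicts, a user as a set of principal names) is an assumption.

PROPERTY_WEIGHT = {"vid": 32, "pid": 16, "serial": 8,
                   "class": 4, "subclass": 2, "protocol": 1}
ACTION_PRIORITY = {"deny": 8, "autoconnect_lock": 4, "autoconnect": 2, "allow": 1}


def group_priority(props):
    """Priority of a Device Group: sum of the weights of the properties it specifies."""
    return sum(PROPERTY_WEIGHT[p] for p in props)


def matching_group(groups, interface):
    """Highest-priority group whose specified properties all equal the interface's values."""
    hits = [g for g in groups
            if all(interface.get(p) == v for p, v in g["props"].items())]
    return max(hits, key=lambda g: group_priority(g["props"]), default=None)


def action_for(actions, group_name, principals):
    """Highest-priority action configured for this group and any of the user's
    principals; a matched group with no action for the user means Deny."""
    hits = [a["action"] for a in actions
            if a["group"] == group_name and a["principal"] in principals]
    return max(hits, key=ACTION_PRIORITY.get, default="deny")


def decide(groups, actions, interfaces, principals):
    """Decision for one device. A composite device exposes several interfaces; each is
    matched on its own and the highest-priority action wins. No group matched: Allow."""
    per_iface = []
    for iface in interfaces:
        g = matching_group(groups, iface)
        per_iface.append("allow" if g is None else action_for(actions, g["name"], principals))
    return max(per_iface, key=ACTION_PRIORITY.get)


# Constructed sample policy: the page's "Mass Storage for Everyone" and "Webcams" examples.
GROUPS = [{"name": "Mass Storage", "props": {"class": 0x08}},           # USB mass storage class
          {"name": "Webcams", "props": {"vid": 0x1234, "class": 0x0E}}]  # placeholder VID, video class
ACTIONS = [{"group": "Mass Storage", "principal": "Everyone", "action": "deny"},
           {"group": "Webcams", "principal": "Accounting", "action": "allow"},
           {"group": "Webcams", "principal": "Alice", "action": "deny"}]
WEBCAM = [{"vid": 0x1234, "pid": 0x0001, "class": 0x0E}]                 # constructed device
# Constructed composite device: a storage interface plus a keyboard (HID, class 0x03) interface.
COMPOSITE = [{"vid": 0x5678, "pid": 0x0002, "class": 0x08},
             {"vid": 0x5678, "pid": 0x0002, "class": 0x03}]

if __name__ == "__main__":
    print(decide(GROUPS, ACTIONS, WEBCAM, {"Alice", "Accounting", "Everyone"}))  # deny
```

Alice is both in Accounting (Allow) and named directly (Deny), so Deny wins by priority; for the composite device the denied storage interface outweighs the unmatched (Allow) keyboard interface.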

Policy Storage

For local users (non-domain users) the program uses Policy Actions stored in the local Windows registry. For domain users it retrieves Policy Actions from the Active Directory database.

Local Storage

Local Storage is located in the system registry. Local Administrator rights are required to modify data in the Local Storage.

Domain Storage

Domain Storage is located in the database of the Active Directory of the domain.

LDAP://CN=Policies [policy version], CN=USB for Remote Desktop Server, CN=FabulaTech, CN=Program Data, [domain DN]

To modify data in the Domain Storage, the user needs rights sufficient to modify the AD object specified above. By default, Domain Administrators have such rights.

To grant such rights to a user, it is enough to assign them on that AD object.

All users must be allowed to read data from the object!

Reading settings from Policy Storage

On user logon, the program checks whether the user belongs to a domain.

  1. If the user belongs to a domain, the program loads Policies from the Domain Storage.
  2. If the user is a local user (non-domain user), the program loads Policies from the Local Storage.

It is also possible to prohibit use of the Domain Storage; in that case the Local Storage is used for both domain and non-domain users. To do this, enable the "Use only local storage" setting.

The program refreshes the Policy Storage every minute. It is also possible to refresh it manually for a specified user session (Edit -> Update Session Account Storage).