Controlling access to removable device storage used to be so much easier! There was a time when pretty much all you had to do to stop the physical transfer of files to or from a computer was to block Read/Write access to floppy drives, optical (CD/DVD) drives, and USB drives . No sweat! Sure, there were a few outliers, but controlling these well-known media types usually accomplished the job.

Nowadays, many devices that attach to computers perform multiple functions. Smartphones and tablets are prime examples. They enable communication, play music, take photos, and much more. And, to support all of those functions, they contain storage. When users connect multifunction devices to their computers, you need to be able to control what access they have to the device storage.

But these devices connect via a USB port, right, so aren't they just like other USB removable storage devices? Unfortunately, no. A few years back, Microsoft introduced Windows Portable Devices (WPD) to enable Windows computers to better communicate with multifunction devices. However, WPD drivers cause portable devices to enumerate to the Windows operating system differently than traditional USB storage devices. And because of that the methods used to control USB removable storage don't work with WPD removable storage. This includes the methods used by ZENworks Endpoint Security.

ZENworks 2020 Endpoint Security remedies this by providing new support for Windows Portable Devices. What does that mean? Well, bottom line is that once again you can ensure that physical data transfer is happening only through approved methods using approved devices. And the bonus? Because you're not blocking the entire portable device, users can still charge their mobile phone or tablet (or even use it as a personal Wi-Fi hotspot) on their Windows laptop even as you restrict access to the storage media.

To control access to portable device storage, ZENworks 2020 Endpoint Security uses the Storage Device Control policy. The policy allows a Windows computer to have full Read/Write access, Read Only access, or no access to the storage. The default access applies to all removable storage devices, but you can override the default by assigning a different access to Windows Portable Devices. And, if necessary, you can create access exceptions for individual portable devices.

For example, maybe your organization doesn't allow the use of removable storage. To enforce this policy, you could set the default access for removable storage to Disable, resulting in no removable storage devices of any type being available (or displayed) on the computer. 

However, the Sales team is an exception to the policy because they need to take customer photos with their mobile phones, copy the photos to their laptops, and add them to their customer contact profiles. So you override the default access to provide Read Only access for all Windows Portable Devices, which allows Sales team members to copy files from their mobile phones but not to them. And, since the Senior VP of Sales insists on being able to copy files both directions between her laptop and her tablet, you create an access exception for her tablet. Once you assign the policy to the Sales team, the appropriate access controls (shown in the above illustration) are enforced. 

To help you more easily add exceptions to the Storage Device Control policy, the standalone Device Scanner Utility collects attributes for Windows Portable Devices connected to a computer. You can then import the scanned device attributes directly into the policy. This is the same utility you use to collect USB device information as well.

There you go. It’s pretty straightforward. If you have ZENworks 2020 Endpoint Security licensed, the Securing Devices page in the new Security Getting Started in ZENworks Control Center can help you configure and enforce the Storage Device Control policy on Windows computers.

If you don’t have Endpoint Security licensed, you can use the 60-day evaluation to check out all of the Endpoint Security functionality, including the storage device control capabilities. The Security Getting Started in ZCC steps you through everything you need to do to set up Endpoint Security and use the policies.

Darrin VandenBos (@DarrinVandenBos)
Product Manager, Endpoint Management