
Access Control for 1 Type of USB Manufacture/model

Hi,

I'm testing with the "Storage Device" and "USB Connectivity" policies.
I got a lot working, but I don't understand something.

Both policies have a list for custom devices. What exactly is the difference, besides that one also has "read only" and the other has a lot more rows to fill in?

When do you use each list, or do you need to combine them?

For example, I want to:
- Disable all Mass storage (USB) by default
- Allow every USB stick from manufacturer "Sandisk" and model "Cruzer", with Read only

What's the best way to do that? I'm stuck on the custom lists.

Re: Access Control for 1 Type of USB Manufacture/model

Can anyone explain this?

Re: Access Control for 1 Type of USB Manufacture/model

uhhhhh RETRY! :)......

Still waiting for the golden answer.... or any answer in this case ! 🙂

Re: Access Control for 1 Type of USB Manufacture/model

Hi,

Storage Devices utilises our file system driver to determine what is a storage device i.e. CD/DVD, SD Card, USB Storage / iOS device / Android device, Floppy drives etc. USB Connectivity can control anything you can plug into the USB port i.e. keyboard / mouse, scanners, USB drives etc.

Have you tried the device scanner tool? Have a look through this for some tips: Novell Doc: ZENworks 11 SP1 Endpoint Security Utilities Reference - Device Scanner

I would suggest using the USB Connectivity policy, Disable the Mass Storage Class group and import your "approved" USB device. You can edit the data that you import and just leave the e.g. Manufacturer and Vendor ID details.

Hope that helps.

Cheers,
Chris

Chris Gacesa
Senior Product Manager
Novell - ZENworks
CGacesa@novell.com (Email)

Re: Access Control for 1 Type of USB Manufacture/model

Hi Chris,

Thanks for helping.
I know the Zesm Device scanner; I have used it to collect all the USB data.
But I still have the problem. In my example I try to do:

- Disable all Mass storage (USB) by default
- Allow every USB stick from manufacturer "Sandisk" and model "Cruzer", with Read only

You suggest that I use the "USB Conn. Policy". But on that policy there is no "read only" setting for the "USB Device Access Settings List".
If you go to the "Storage device policy" you are able to set "Read only". But there I do not have enough fields to create a custom scenario to only allow the Sandisk "Cruzer".

I don't know if it's normal to combine those policies, but I think that makes it more complex than it should be.

So as a result I'm back to my first question.

Re: Access Control for 1 Type of USB Manufacture/model

Hi,

That'll teach me to read the requirements first. So, yes, you can
combine the 2 policies.

Firstly, it is recommended that you use the Product or Vendor ID details
from the Device Scanner utility rather than the 'friendly name'. Also,
remove any details that lock it down to a specific machine (i.e. OS
Device ID etc.)


In your Storage Device Control, set the Removable Storage setting to
Read Only. In your USB Connectivity policy, Enable the 'approved' USB
device's Access and Disable the Mass Storage Class setting.

Give that a test and let me know how you go.

Chris

Chris Gacesa
Senior Product Manager
Novell - ZENworks
CGacesa@novell.com (Email)

Re: Access Control for 1 Type of USB Manufacture/model

Chris,

I've tried what you said, and it looks like it's working for the "example" setup I was asking for.
But what if I want to expand this setup and add another USB stick vendor with full access?

Maybe it's just me, but I can't follow the logic of the 2 policies.
I still don't understand what the differences are, and why I have to combine things to get these simple things.
In my opinion I'm missing the "Read only" option in the "USB Connectivity" policy. If that one were available, I think I would never have asked this question.

I need 1 place where I can add several USB sticks from different vendors, for example:

1. Sandisk Cruzer = Read only
2. Sandisk Titanium = Always Enable

And Mass Storage Class: Disable.

But since I don't have the "read only" setting per USB Vendor, I'm unable to do this.

And as usual my own examples are not available in the documentation.

Re: Access Control for 1 Type of USB Manufacture/model

Anyone? ...

Re: Access Control for 1 Type of USB Manufacture/model

Storage device policies apply to all devices that instantiate on the computer, regardless of the bus or interface, that are some type of "storage device". The subset of this policy for USB device white listing, is for storage devices that use the USB interface.

For USB policies, it is generic to and applicable for ONLY the USB interfaces. There is some overlap with the storage device policy if the USB device is a storage device.

If both policies are assigned to a device, the storage device policy has lower kernel drivers and would "trump" any options in the USB policy. The same is true if you disabled all USB in a USB policy, then the USB storage settings in the storage device policy wouldn't really matter (as the other policy would kill the USB interface).

So it's best to use just one policy type and in this case I'd use the USB policy for your scenario.
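The layering described in this thread, written out as a simplified model (an added example, not ZENworks code and not posted by anyone in the thread): it assumes the USB layer can only enable or disable a device, the storage layer applies one Removable Storage setting to every device, and the more restrictive layer wins. The rule class, function names and vendor/product IDs are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Access(IntEnum):
    DISABLED = 0
    READ_ONLY = 1
    FULL = 2


@dataclass(frozen=True)
class UsbRule:
    """One allow-list entry, matched on IDs rather than the friendly name."""
    vendor_id: str
    product_id: Optional[str]  # None matches every product of the vendor
    enabled: bool


def usb_layer(vid, pid, rules, mass_storage_default):
    """USB connectivity decision: enable or disable only, no read-only state."""
    for rule in rules:
        if rule.vendor_id == vid.lower() and rule.product_id in (None, pid.lower()):
            return Access.FULL if rule.enabled else Access.DISABLED
    return mass_storage_default


# Constructed sample IDs; real values come from the Device Scanner export.
RULES = [
    UsbRule("0781", "5567", True),  # stands in for "Sandisk Cruzer"
    UsbRule("0781", "5580", True),  # stands in for "Sandisk Titanium"
]


def evaluate(vid, pid, removable_storage=Access.READ_ONLY):
    """Effective access with Mass Storage Class disabled by default.

    Assumption of this model: the more restrictive layer decides.
    """
    return min(usb_layer(vid, pid, RULES, Access.DISABLED), removable_storage)


if __name__ == "__main__":
    for name, ids in {"Cruzer": ("0781", "5567"),
                      "Titanium": ("0781", "5580"),
                      "unlisted": ("abcd", "0001")}.items():
        print(name, evaluate(*ids).name, evaluate(*ids, Access.FULL).name)
```

Under these assumptions both listed sticks end up with the same access for any one Removable Storage value, which is the per-device read-only gap raised earlier in the thread.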