You can allow and prohibit the use of USB devices on your endpoint device. Specific rules for individual devices or device classes are possible.

The activation of USB Access Control and setting the Default rule to Deny will block the use of USB devices locally and in the session and, thus, might disable devices needed for the users. Therefore, activate the USB access control only if your security policy requires that. In this case, set Default rule to Deny and configure Allow rules for the required USB devices and USB device classes. 

It is recommended to make settings for USB Access Control as the last step in the device configuration. Before activating the USB access control, check that all your other settings for printers, Unified Communication, USB redirections, mapping settings for USB devices are working as expected.

Note that the feature does not disable a USB port physically, i.e. power delivery will still work.

Enable USB Access Control

  1. Open the Setup and go to Devices > USB Access Control.
  2. Enable the option Enable.
  3. Select the Default Rule. The default rule specifies whether the use of USB devices is generally allowed or prohibited.

  4. Create one or more rules for classes of devices or individual devices.

Create a Class Rule

  1. To create a new rule, click in the Class Rules area.
  2. Choose a rule. The rule specifies whether use of the device class defined here is allowed or prohibited.
  3. Under Class ID, select the class of device for which the rule should apply. Examples: Audio, Printer, Mass Storage.
  4. Under Name, give a name for the rule.
  5. Click OK.
  6. Save the changes.
    The rule is active.

Create a Device Rule

When a rule is defined, at least one of the properties Vendor ID or Product ID or UUID must be given.
  1. To create a new rule, click in the Device Rules area.
  2. Choose a rule. The rule specifies whether use of the device defined here is allowed or prohibited.
  3. Give the Vendor ID of the device as a hexadecimal value.
  4. Give the Product ID of the device as a hexadecimal value.

    To find out the Vendor ID and Product ID of the connected USB device, use the command lsusb (or lsusb | grep -i [search term]) in the terminal. You can also use the System Information tool, see Using “System Information” Function.

  5. Give the Device UUID (Universal Unique Identifier) of the device.
  6. Specify Permissions for the device.
    Possible values:
    • Global setting: The default setting for hotplug storage devices is used; see Default permission parameter under Devices > Storage Devices > Storage Hotplug.
    • Read only
    • Read/Write
  7. Under Name, give a name for the rule.
  8. Click OK.
  9. Save the changes.
    The rule is active.

Example

  • The set rule prohibits the use of USB devices on the device.
  • A class rule allows the use of all entry devices (HID = Human Interface Devices).
  • A device rule allows the use of the USB storage device with the UUID 67FC-FDC6.
  • The use of all other USB devices, for example, storage devices or printers, is prohibited.