Device Policies
What is a Device Policy
It's possible to pre-configure access rights for specified USB devices for specified user accounts or user groups.
For example, you can deny access to mass storage devices for all users except administrators. Another example is allowing access to a specified model of signature pad for a specified user and auto-connecting that signature pad upon user logon.
In other words, a Device Policy specifies the action taken for a USB device (or a group of USB devices) on user logon.
On the screenshot above, there are several configured device groups (Audio device, Communications device, HID device, etc.). There is a policy action configured for the Mass Storage device group: the policy denies the use of mass storage devices for Everyone.
So, in this case, each time a user tries to connect a mass storage USB device, the program blocks that attempt and denies the connection of the USB device.
Device Groups
A Device Group is a set of properties that identifies certain USB devices. It can also identify a single USB device. The following parameters are used: VID, PID, Serial number, Class, Subclass, Protocol.
To identify a group of USB devices, only some of these properties need to be specified; the unspecified ones match any value.
Device Group Matching
If several groups match a USB device, the group with the highest priority is used. A Device Group has the highest possible priority when all of its properties are specified. Each property has its own priority weight (a bit in a 6-bit mask; the group priority is the sum of the weights of the specified properties):
| Property | Priority |
|---|---|
| VID | 00100000 (32) |
| PID | 00010000 (16) |
| Serial | 00001000 (8) |
| Class | 00000100 (4) |
| Subclass | 00000010 (2) |
| Protocol | 00000001 (1) |
Policy Actions
| Action | Description |
|---|---|
| Deny | The USB device is prohibited from connecting |
| Allow | The USB device is allowed to connect |
| Auto-connect | The USB device is connected automatically on user logon |
| Auto-connect, prevent disconnection | The USB device is connected automatically on user logon, and the user is not able to disconnect it |
It's possible to configure several Policy Actions for a Device Group.
For example, there is a device group called "Webcams" with two policy actions configured for it. The first one allows connection for the user group Accounting. The second one denies connection for the user Alice.
If the USB device does not match any Device Group, the device is allowed to connect (Allow action).
Policy Action Matching
If the USB device matches a certain Device Group, the program chooses the proper Policy Action for that USB device for the logged-on user.
If the USB device matches a certain Device Group, but no Policy Action is found for the logged-on user, the Deny action is applied to that USB device.
In case several Policy Actions are found (for example, the first Policy Action is specified for a user group and the second one for a user name), the Policy Action with the highest priority is applied:
| Action | Priority |
|---|---|
| Deny | 00001000 (8) |
| Auto-connect, prevent disconnection | 00000100 (4) |
| Auto-connect | 00000010 (2) |
| Allow | 00000001 (1) |
If a USB device is a composite device, several Device Groups with the same priority can match such a USB device (the number of matching Device Groups depends on the number of interfaces of the composite USB device). In this case the action with the highest priority is selected.
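The two matching rules above (Device Group Matching and Policy Action Matching, including the composite-device case) as an added Python model. This is not the program's own code: the sample policy, the user and group names, the VID/PID/serial values and the treatment of "Everyone" as an implicit group of every user are constructed assumptions for illustration.

```python
"""Model of the Device Group / Policy Action evaluation described on this page."""
from dataclasses import dataclass, field

# Priority weight of each Device Group property (table on this page).
PROPERTY_WEIGHTS = {"vid": 32, "pid": 16, "serial": 8, "class": 4, "subclass": 2, "protocol": 1}

# Priority of each Policy Action (table on this page); the highest wins.
ACTION_PRIORITY = {"Deny": 8, "Auto-connect, prevent disconnection": 4, "Auto-connect": 2, "Allow": 1}


@dataclass
class PolicyAction:
    principal: str  # user name or user-group name the action is configured for
    action: str     # one of the keys of ACTION_PRIORITY


@dataclass
class DeviceGroup:
    name: str
    props: dict                                  # only the specified properties, e.g. {"class": 8}
    actions: list = field(default_factory=list)  # zero or more PolicyAction entries

    def priority(self) -> int:
        """Sum of the weights of the specified properties (63 when all six are set)."""
        return sum(PROPERTY_WEIGHTS[p] for p in self.props)

    def matches(self, interface: dict) -> bool:
        """Every specified property must equal the interface's value."""
        return all(interface.get(p) == v for p, v in self.props.items())


def action_for_group(group: DeviceGroup, user: str, user_groups) -> str:
    """Policy Action of one matched Device Group for the logged-on user."""
    # Assumption: "Everyone" is treated as an implicit group of every user, as in Windows.
    principals = {user, "Everyone", *user_groups}
    found = [a.action for a in group.actions if a.principal in principals]
    if not found:
        return "Deny"  # the group matched but has no action for this user
    return max(found, key=ACTION_PRIORITY.__getitem__)


def evaluate(groups, interfaces, user: str, user_groups=()) -> str:
    """Action for a USB device; `interfaces` has one entry, or several for a composite device."""
    matched = [g for iface in interfaces for g in groups if g.matches(iface)]
    if not matched:
        return "Allow"  # no Device Group matches: the device is allowed
    best = max(g.priority() for g in matched)
    # Several groups with the same (highest) priority can match a composite device.
    top = {id(g): g for g in matched if g.priority() == best}.values()
    actions = [action_for_group(g, user, user_groups) for g in top]
    return max(actions, key=ACTION_PRIORITY.__getitem__)


# Constructed sample policy. VID, PID and serial values are made up for illustration.
GROUPS = [
    DeviceGroup("Mass Storage", {"class": 8}, [PolicyAction("Everyone", "Deny")]),
    DeviceGroup("Webcams", {"class": 14},
                [PolicyAction("Accounting", "Allow"), PolicyAction("Alice", "Deny")]),
    DeviceGroup("Audio device", {"class": 1}, [PolicyAction("Accounting", "Auto-connect")]),
    DeviceGroup("Signature pads", {"vid": 0x1234, "pid": 0x0001},
                [PolicyAction("Accounting", "Auto-connect")]),
    DeviceGroup("Alice's pad", {"vid": 0x1234, "pid": 0x0001, "serial": "SP-0001"},
                [PolicyAction("Alice", "Auto-connect, prevent disconnection")]),
]

# Constructed devices, described by their interface descriptors.
FLASH_DRIVE = [{"vid": 0xAAAA, "pid": 0x0001, "serial": "FD-1", "class": 8, "subclass": 6, "protocol": 80}]
KEYBOARD = [{"vid": 0xBBBB, "pid": 0x0002, "serial": "KB-1", "class": 3, "subclass": 1, "protocol": 1}]
WEBCAM = [{"vid": 0xCCCC, "pid": 0x0003, "serial": "WC-1", "class": 14, "subclass": 1, "protocol": 0}]
# Composite webcam: the video interface plus an audio (microphone) interface.
WEBCAM_WITH_MIC = WEBCAM + [{"vid": 0xCCCC, "pid": 0x0003, "serial": "WC-1", "class": 1, "subclass": 1, "protocol": 0}]


def signature_pad(serial: str):
    """A signature pad of the constructed model 1234:0001 with the given serial number."""
    return [{"vid": 0x1234, "pid": 0x0001, "serial": serial, "class": 3, "subclass": 0, "protocol": 0}]


if __name__ == "__main__":
    cases = [
        ("bob", (), FLASH_DRIVE),                              # Deny: Everyone is denied mass storage
        ("bob", (), KEYBOARD),                                 # Allow: no Device Group matches
        ("carol", ("Accounting",), WEBCAM),                    # Allow: via the Accounting group
        ("Alice", ("Accounting",), WEBCAM),                    # Deny: user-level Deny outranks group Allow
        ("dave", (), WEBCAM),                                  # Deny: group matched, no action for dave
        ("carol", ("Accounting",), WEBCAM_WITH_MIC),           # Auto-connect: highest action of the two groups
        ("Alice", ("Accounting",), signature_pad("SP-0001")),  # Auto-connect, prevent disconnection
        ("Alice", ("Accounting",), signature_pad("SP-0002")),  # Auto-connect: only the model-level group matches
    ]
    for user, user_groups, device in cases:
        print(f"{user:6} -> {evaluate(GROUPS, device, user, user_groups)}")
```

The serial-number case shows why a fully specified group outranks a model-level one (56 vs. 48 in the weight table), and the composite webcam shows the two equal-priority groups being resolved by action priority rather than by group order.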
Policy Storage
For local users (non-domain users) the program uses Policy Actions stored in the local Windows registry. For domain users it retrieves Policy Actions from the Active Directory database.
Local Storage
Local Storage is located in the system registry. In order to modify data in the Local Storage, Local Administrator rights are required.
Domain Storage
Domain Storage is located in the database of the Active Directory of the domain.
LDAP://CN=Policies [policy version], CN=USB for Remote Desktop Server, CN=FabulaTech, CN=Program Data, [domain DN]
- [domain DN]: the Distinguished Name of the domain
- [policy version]: the policy version
In order to modify data in the Domain Storage, the account needs rights sufficient to modify the AD object specified above. By default, Domain Administrators have such rights.
To grant such rights to a user, it is enough to grant them on that AD object.
All users must be allowed to read data from the object!
Reading settings from Policy Storage
On user logon, the program checks whether the user belongs to any domain.
- If the user belongs to a domain, the program loads Policies from the Domain Storage.
- If the user is a local user (non-domain user), the program loads Policies from the Local Storage.
It is also possible to prohibit the use of Domain Storage; in that case Local Storage is used for both domain and non-domain users. To do this, enable the "Use only local storage" setting.
The program refreshes the Policy Storage every minute. However, it's possible to refresh it manually for a specified user session (Edit -> Update Session Account Storage).