USB devices allowlist

On the USB devices allowlist page, you can specify individual USB devices or USB device models to exclude from device access control. As a result, access to those devices is allowed regardless of the access settings in the device control module.

The allowlist is intended to allow using certain USB devices regardless of any other device control settings. You can add individual devices or device models to the allowlist to disable the access control for those devices. For example, if you add a mobile device with a unique ID to the allowlist, you allow the use of that particular device even though any other USB devices are denied.

There are two ways to identify devices in the allowlist:

  • Model of device - Collectively identifies all devices of a certain model. Each device model is identified by vendor ID (VID) and product ID (PID), such as USB\VID_0FCE&PID_E19E.

    This combination of VID and PID does not identify a specific device, but an entire device model. By adding a device model to the allowlist, you allow access to any device of that model. For example, this way you can allow the use of USB printers of a particular model.

  • Unique device - Identifies a certain device. Each unique device is identified by vendor ID (VID), product ID (PID), and serial number, such as USB\VID_0FCE&PID_E19E\D55E7FCA.

    Not all USB devices are assigned a serial number. You can add a device to the allowlist as a unique device only if the device has been assigned a serial number during production. For example, a USB stick that has a unique serial number.

To add a device to the allowlist, you first need to add it to the USB devices database. Then, you can add devices to the allowlist by selecting from that database.

The allowlist is managed on a separate configuration page called USB devices allowlist. Each item in the list represents a device or device model and has the following fields:

  • Description - The operating system assigns a certain description when connecting the USB device. You can modify the description of the device in the USB devices database (see USB database management page).
  • Device type - Displays Unique if the list item represents a unique device, or Model if it represents a device model.
  • Read-only - When selected, allows only receiving data from the device. If the device does not support read-only access, then access to the device is blocked. Clear this check box to allow full access to the device.
  • Reinitialize - When selected, causes the device to simulate disconnecting/reconnecting when a new user logs on. Some USB devices (such as the mouse) require reinitializing to function, so it is recommended to select this check box for such devices. It is also advisable to clear this check box for data storage devices (such as USB sticks, optical drives, external hard drives).

    The device control may not be able to reinitialize some USB devices with proprietary drivers. If there is no access to such a device, the user must disconnect and reconnect the device by hand (for example, remove the device from the USB port and then insert it back).

You can add or remove devices/models from the allowlist as follows:

  • Click Add from database above the list and then select the desired device/s from those registered with the USB devices database. The selected device is added to the list, where you can configure its settings and confirm the changes.
  • Click Allow this USB device in an alert informing that access to the USB device is denied (see Device control alerts). This adds the device to the allowlist and to the USB devices database.
  • Click the delete icon at the end of a list item. This removes the respective device/model from the allowlist.

See also steps to exclude individual USB devices from access control.