Access settings

On the Access settings page, you can allow or deny access to devices of certain types, as well as enable or disable OS notification and device control alerts.

The access settings allow you to limit user access to the following device types and ports:

  • Removable (access control by device type) - Devices with any interface for connecting to a computer (USB, FireWire, PCMCIA, IDE, SATA, SCSI, etc.) that are recognized by the operating system as removable storage devices (for example, USB sticks, card readers, magneto-optical drives, etc.). The device control classifies all hard drives connected via USB, FireWire, and PCMCIA as removable devices. It also classifies some hard drives (usually with SATA and SCSI) as removable devices if they support the hot-plug function and do not have the running operating system installed on them.

    You can allow full access, read-only access, or deny access to removable devices, and thereby allow or deny copying data to/from any removable device on a protected computer.

  • Printers (access control by device type) - Physical printers with any interface for connecting to a computer (USB, LPT, Bluetooth, etc.), as well as printers accessed from a computer on the network.

    You can allow or deny access to printers, and thereby allow or deny the printing of documents on any printer on a protected computer.

    When you change the access setting for printers to Deny, the applications and processes accessing the printers must be restarted in order to enforce the newly configured access settings. To ensure that access settings are enforced correctly, restart the protected workloads.
  • Clipboard (access control by device type) - Windows clipboard.

    You can allow or deny access to the clipboard, and thereby allow or deny copying/pasting any data through the Windows clipboard on a protected computer.

    When you change the access setting for clipboard to Deny, the applications and processes accessing the clipboard must be restarted in order to enforce the newly configured access settings. To ensure that access settings are enforced correctly, restart the protected workloads.
  • Mobile devices (access control by device type) - Devices (such as Android-based smartphones, etc.) that communicate with a computer via Media Transfer Protocol (MTP), with any interface used for connecting to a computer (USB, IP, Bluetooth).

    You can allow full access, allow read-only access, or deny access to mobile devices, and thereby allow or deny copying data to/from any MTP-based mobile device on a protected computer.

    When you change the access setting for mobile devices to Read-only or Deny, the applications and processes accessing the mobile devices must be restarted in order to enforce the newly configured access settings. To ensure that access settings are enforced correctly, restart the protected workloads.
  • Bluetooth (access control by device type) - External and internal Bluetooth devices with any interface for connecting to a computer (USB, PCMCIA, etc.). This setting controls the use of the devices of this type rather than data exchange using such devices.

    You can allow or deny access to Bluetooth, and thereby allow or deny the use of any Bluetooth devices on a protected computer.

  • Optical drives (access control by device type) - External and internal CD/DVD/BD drives (including writers) with any interface for connecting to a computer (IDE, SATA, USB, FireWire, PCMCIA, etc.).

    You can allow full access, allow read-only access, or deny access to optical drives, and thereby allow or deny copying data to/from any optical drive on a protected computer.

  • Floppy drives (access control by device type) - External and internal floppy drives with any interface for connecting to a computer (IDE, USB, PCMCIA, etc.). There are some models of floppy drives that the operating system recognizes as removable drives, in which case the device control also identifies these drives as removable devices.

    You can allow full access, allow read-only access, or deny access to floppy drives, and thereby allow or deny copying data to/from any floppy drive on a protected computer.

  • USB (access control by device interface) - Any devices connected to a USB port, except hubs.

    You can allow full access, allow read-only access, or deny access to USB port, and thereby allow or deny copying data to/from devices connected to any USB port on a protected computer.

  • FireWire (access control by device interface) - Any devices connected to a FireWire (IEEE 1394) port, except hubs.

    You can allow full access, allow read-only access, or deny access to FireWire port, and thereby allow or deny copying data to/from devices connected to any FireWire port on a protected computer.

  • Redirected devices (access control by device interface) - Mapped drives (hard, removable and optical drives), USB devices, and the clipboard redirected to virtual application/desktop sessions.

    The device control recognizes devices redirected via the Microsoft RDP, Citrix ICA, VMware PCoIP, and HTML5/WebSockets remoting protocols in the Microsoft RDS, Citrix XenDesktop, Citrix XenApp, Citrix XenServer, and VMware Horizon virtualization environments hosted on protected Windows computers. It can also control data copy operations between the Windows clipboard of the guest operating system running on VMware Workstation, VMware Player, Oracle VM VirtualBox, or Windows Virtual PC, and the clipboard of the host operating system running on a protected Window computer.

    You can configure access to redirected devices as follows:

    • Mapped drives - Allow full access, allow read-only access, or deny access, and thereby allow or deny copying data to/from any hard drive, removable drive, or optical drive redirected to the session hosted on a protected computer.
    • Clipboard incoming - Allow or deny access to allow or deny copying data through the clipboard to the session hosted on a protected computer.
      When you change the access setting for clipboard incoming to Deny, the applications and processes accessing the clipboard must be restarted in order to enforce the newly configured access settings. To ensure that access settings are enforced correctly, restart the protected workloads.
    • Clipboard outgoing - Allow or deny access to allow or deny copying data through the clipboard from the session hosted on a protected computer.
      When you change the access setting for clipboard outgoing to Deny, the applications and processes accessing the clipboard must be restarted in order to enforce the newly configured access settings. To ensure that access settings are enforced correctly, restart the protected workloads.
    • USB ports - Allow or deny access, and thereby allow or deny copying data to/from devices connected to any USB port redirected to the session hosted on a protected computer.

Device control settings affect all users equally. For example, if you deny access to removable devices, you prevent any user from copying data to/from such devices on a protected computer. It is possible to selectively allow access to individual USB devices by excluding them from access control (see Device types allowlist and USB devices allowlist).

When access to a device is controlled by both its type and its interface, denying access at the interface level takes precedence. For example, if access to USB ports is denied (device interface), then access to mobile devices connected to a USB port is denied regardless of whether access to mobile devices is allowed or denied (device type). To allow access to such a device, you must allow both its interface and type.

When a removable device, a printer, or a Bluetooth device is connected to a USB port, allowing access to that device overrides the access denial set at the USB interface level. If you allow such a device type, access to the device is allowed regardless of whether access to the USB port is denied.

See also steps to view or change access settings.