Using Device Control

This section provides information on how to use the Device Control module from the GravityZone Control Center.

Enable Device Control

To use Device Control, install the module on the endpoint and enable it in the policy applied to the endpoint.

For more information on how to install Device Control, refer to the installation section.

To enable Device Control on endpoints, follow these steps:

  1. Go to the Policies page.

  2. Find the policy you are interested in and click its name to open it.

  3. Go to the Device Control section.

  4. Select the Device Control check box.

  5. Click Save.

By default, Device Control allows all devices to connect to the endpoints. Therefore, to properly protect your endpoints you should configure the rules.

Configure Rules

Once Device Control is enabled, you can set up rules that determine whether a type of device is allowed on your network or not. Follow these steps to set up rules:

  1. Select the type of device you want to set up from the Device Classes grid.

  2. Select the permission from the drop-down list. You can choose between Allowed, Blocked, or Custom.

  3. If you have selected the Custom option, you can set up permissions for a variety of sub-classes. For each sub-class, choose from the drop-down list between Allowed and Blocked.

  4. Click Save.

Create Exclusions

Access the Exclusions section to add exceptions for devices available in your network. By adding exclusions, you allow certain devices to become accessible in your network.

To start adding exclusions, click the Add button and select from the drop-down list the way in which you want to add them.

Manually:
  1. Select Manually to open the Add Exception window.

  2. Select the type of exception, Device ID or Product ID.

  3. Optionally, you can configure wildcard exclusions based on Device ID by using the wildcards:deviceID syntax.

    Use the question mark (?) to replace one character, and the asterisk (*) to replace any number of characters in the deviceID.

    For example, for wildcards:PCI\VEN_8086*, all devices containing the string PCI\VEN_8086 in their ID will be excluded from the policy rule.

  4. Click Save.

From Discovered Devices
  1. Select Add Exception from Discovered Devices from the drop-down list. This window displays all devices from endpoints with Device Control enabled.

  2. Select the devices you want to exclude.

  3. Click Save.

Install/Enable the Device Control

The Device Control module must be installed on the endpoint. To install it on a fresh machine, when creating the installation package, check the Device Control box > Save. The package, which can be used for manual and remote installs, will now install the Device Control module as well.

If BEST is already installed on the machine without the Device Control module, install it from the GravityZone Control Center: select the machine in question -> right-click -> Tasks -> Reconfigure Client -> check the Device Control box (along with the other modules that you want to install or keep on the machine).

Introduction

Now that the Device Control is up and running on the machine, it can be configured from the GravityZone Control Center policies.

From Device Control -> Rules, the module can be turned ON or OFF (this checkmark does not uninstall the module).

When selecting one of the Device Classes, the permission on it can be modified to Allow or Deny.

Some of the Device Classes have a Custom option which allows you to Allow or Deny a number of subclasses.

From the Device Control -> Exclusions tab, exceptions can be added for the devices from the network.

How to add Exclusions

The exclusions can be added Manually or From Discovered Devices:

Manual exclusions:

Click on the Add button (from the upper-middle part of the screen) -> Manually and the Add Exception window will appear.

The exception Type can be added for Device ID or Product ID.

Note

You can manually configure wildcard exclusions based on Device ID, by using the syntax wildcards:deviceID. Use the question mark (?) to replace one character, and the asterisk (*) to replace any number of characters in the deviceID. For example, for wildcards:PCI\VEN_8086*, all devices containing the string PCI\VEN_8086 in their ID will be excluded from the policy rule.
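
The following added example (not part of the GravityZone product or its documentation) previews which device IDs a wildcards:deviceID entry would cover before it is saved as an exclusion, and flags entries that cover a large share of the inventory. The whole-ID, case-insensitive matching, the function names, and the inventory values are assumptions constructed for illustration.

```python
import re

PREFIX = "wildcards:"

def compile_exclusion(entry):
    """Compile a 'wildcards:deviceID' entry; only ? and * are wildcards."""
    if not entry.startswith(PREFIX) or len(entry) == len(PREFIX):
        raise ValueError("expected wildcards:<deviceID pattern>")
    parts = []
    for ch in entry[len(PREFIX):]:
        if ch == "?":
            parts.append(".")            # exactly one character
        elif ch == "*":
            parts.append(".*")           # any number of characters
        else:
            parts.append(re.escape(ch))  # '\', '&', '{' etc. stay literal
    # Assumption: whole-ID, case-insensitive matching (not stated on the page).
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def preview(entry, device_ids):
    """Return the inventory IDs that the exclusion entry would cover."""
    rx = compile_exclusion(entry)
    return [d for d in device_ids if rx.fullmatch(d)]

def too_broad(entry, device_ids, max_share=0.5):
    """True when the entry covers more than max_share of the inventory."""
    return len(preview(entry, device_ids)) > max_share * len(device_ids)

# Constructed inventory of device IDs (sample values, not a real export).
INVENTORY = [
    r"PCI\VEN_8086&DEV_A0EF&SUBSYS_00000000",
    r"PCI\VEN_8086&DEV_15F3&SUBSYS_00000000",
    r"PCI\VEN_10DE&DEV_1F95&SUBSYS_00000000",
    r"USB\VID_0781&PID_5581\CONSTRUCTED0001",
    r"USB\VID_0781&PID_5583\CONSTRUCTED0002",
    r"USB\VID_046D&PID_C52B\CONSTRUCTED0003",
]

if __name__ == "__main__":
    for entry in (r"wildcards:PCI\VEN_8086*",
                  r"wildcards:USB\VID_0781&PID_558?\*",
                  r"wildcards:???\V*"):
        hits = preview(entry, INVENTORY)
        flag = "  <-- review: too broad" if too_broad(entry, INVENTORY) else ""
        print(f"{entry}: {len(hits)}/{len(INVENTORY)} devices{flag}")
        for h in hits:
            print("   ", h)
```

The last entry shows how a short pattern built from ? and * can cover every device class in the inventory, which would bypass the Blocked rules for all of them.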

Discovered Devices exclusions:

Click on the Add button (from the upper-middle part of the screen) -> From Discovered Devices and an Add Exceptions from Discovered Devices window will appear. This window contains all of the discovered devices from the machines which currently run BEST with the Device Control module installed and enabled.

Select the device(s) that need to be added as exceptions and Save.