To prevent data leaks, the Device Control option applies rules and exceptions that set the policy for external devices to Allow, Block, or Custom once the antimalware option is applied to the endpoints.
Devices already connected to Qualys endpoints are discovered after you restart the corresponding endpoints.
The following set of exceptions might differ for each Device Class:
- Allow: the device class can be implemented on the target endpoint.
- Block: the device class cannot be implemented on the target endpoint. If you block a device class, the user is notified that the device is blocked.
- Custom: you can assign different permissions for each type of port. If you select Custom to set permissions, you can select multiple ports to include in the device control.
The following table lists the Device Class and the exceptions for Windows:
Device Class | Allow | Block | Custom |
--- | --- | --- | --- |
Bluetooth Devices | PCI, PCMCIA, and USB | | |
CDROM Drives | | | |
IEEE 1284.4 | Others, Firewire, IDE, ISA Plug & Play, PCI, PCMCIA, SCSI, and USB | | |
IEEE 1394 | Others, Firewire, IDE, ISA Plug & Play, PCI, PCMCIA, SCSI, and USB | | |
Imaging Devices | Others, Firewire, IDE, ISA Plug & Play, PCI, PCMCIA, SCSI, and USB | | |
Modems | Others, Firewire, IDE, ISA Plug & Play, PCI, PCMCIA, SCSI, and USB | | |
Tape Drives | Others, Firewire, IDE, ISA Plug & Play, PCI, PCMCIA, SCSI, and USB | | |
Windows Portable | Others, Firewire, IDE, ISA Plug & Play, PCI, PCMCIA, SCSI, and USB | | |
COM/LPT Ports | Others, Firewire, IDE, ISA Plug & Play, PCI, PCMCIA, SCSI, and USB | | |
Printers | Others, Firewire, IDE, ISA Plug & Play, PCI, PCMCIA, SCSI, and USB | | |
Network Adapters | | | |
Wireless Network Adapters | | | |
Internal Storage | | | |
External Storage | Others, Firewire, IDE, ISA Plug & Play, PCI, PCMCIA, SCSI, and USB | | |
The following Device Control procedure uses the Bluetooth Device Class as an example:
- Toggle Device Control to edit permissions for the devices. In the following screenshot, we have selected Bluetooth Device Class:
- By default, the Permission is set as Allowed. To change the permission, click under the Actions column.
- You can change the permission from Allow to Block or Custom. If you change the permission to Custom, you should also select the permissions for the type of ports listed.
To unblock a blocked connected device, restart the system or reconnect the device to use it again.
- Click Save.
The following screenshot displays an example of the updated changes for the Bluetooth Device Class with the Custom Permission:
Once the device class permissions are configured in Device Control, you can exclude devices in the Exclusions step. For more information about device control exclusion, refer to Exclusion Support.