Pre-requisites

A license for Apex One Data Loss Prevention is necessary to configure the Device Control settings.

Required Services

Ensure that the required Services are running. Follow the steps below:

1. Log in to the Apex One web console, and navigate to Agents > Agent Management.
2. Right-click the desired group or agent, then choose Settings > Additional Service Settings.
3. Enable the following services for the appropriate Windows platforms:
   • Unauthorized Change Prevention Service
   • Data Protection Service
4. Click Save.

Configuration

1. Log on to the Apex One web console.
2. Go to Agents > Agent Management.
3. In the agent tree, click the root domain icon to include all agents or select specific domains or agents.
4. Click Settings > Device Control Settings.
5. Click the External Agents tab to configure settings for external agents or the Internal Agents tab to configure settings for internal agents.
6. Select Enable Device Control.
7. Apply settings as follows:

   • If you are on the External Agents tab, you can apply settings to internal agents by selecting Apply all settings to internal agents.

   • If you are on the Internal Agents tab, you can apply settings to external agents by selecting Apply all settings to external agents.

   A confirmation message appears. Allow some time for the deployment command to propagate to all agents.

8. Choose to allow or block the AutoRun function (autorun.inf) on USB storage devices.
9. Configure settings for storage devices.
   • Data Protection Activated
     1. Select a permission for each storage device.

        For details about permissions, see Permissions for Storage Devices.

     2. If the permission for USB storage devices is Block, configure a list of approved devices. Users can access these devices and you can control the level of access using permissions.

        See Configuring an Approved List of USB Devices.

     3. For each non-storage device, select Allow or Block.
   • Data Protection Not Activated
     1. Configure advanced permissions and notifications if the permission for a storage device is any of the following: Modify, Read and execute, Read, or List device content only.

        See Configuring Advanced Permissions.

10. If you selected domain(s) or agent(s) in the agent tree, click Save. If you click the root domain icon, choose from the following options:

    • Apply to All Agents: Applies settings to all existing agents and to any new agent added to an existing/future domain. Future domains are domains not yet created at the time you configured the settings.

    • Apply to Future Domains Only: Applies settings only to agents added to future domains. This option will not apply settings to new agents added to an existing domain.

Required Services

Enable the following services for the appropriate Windows platforms in Additional Service Settings.

• Unauthorized Change Prevention Service
• Data Protection Services (to Block access to devices)

Configuration

1. Log in to the Apex Central web console
2. Go to Policies > Policy Management.
3. Create or select the policy created.
4. On targets, select the target Apex One agent(s).
5. Under Advanced Threat Protection, select Enable Device Control.
   • If you are on the External Agents tab, you can apply settings to internal agents by selecting Apply all settings to internal agents.
   • If you are on the Internal Agents tab, you can apply settings to external agents by selecting Apply all settings to external agents.
6. Add or edit a Device Control rule:
   • For user-based rules
     • To create a rule based on Active Directory user or group accounts, click Add.
     • To edit a rule based on Active Directory user or group accounts, click the link in the User Accounts column.
      

     User-based Device Control rules are only available after integrating Active Directory with Apex Central.

      
   • For default endpoint-based rule
     • Click the All users (default) link in the User Accounts column.
        

       You cannot delete the default endpoint-based rule.

        
7. In the User Accounts section, type and select the display name(s) of the Active Directory user(s) or group account(s) to which the rule applies.
    

   You cannot specify user or group accounts when editing the default All users (default) endpoint-based rule.

    
8. In the Storage Devices section:
   1. Select a permission for each storage device.
       

      • Only Security Agents with Data Protection enabled can take the "Block" action. If you deploy a policy to Security Agents that do not have Data Protection enabled, Apex One applies the action configured in the drop-down box.
      • Apex One automatically applies the access permission configured for any USB device in the Allowed USB List even if you do not enable Data Protection.

       

      For details about permissions, see Permissions for Devices.

      If you selected to restrict access to any storage device, the Allowed Programs button appears. For USB storage devices, if you selected Block (Data Protection), the Allowed USB Devices button appears.

   2. (Optional) Click Allowed Programs to configure a list of programs that Device Control does not restrict access on any device type.

      The Allowed Programs screen appears.

       
      1. Type the full path or the trusted Digital Signature Provider information of programs that Device Control allows users to access.
          

         • When specifying a Digital Signature Provider, Device Control only allows programs signed by the publisher to Execute.

           For more information, see Specifying a Digital Signature Provider.

         • When specifying the full path of a program, the Device Control Allowed Programs list supports the use of wildcard characters.

           For more information, see Wildcard Support for the Device Control Allowed Programs List.

      2. Click Add.

         The full path of the program or the trusted Digital Signature Provider information appears in the list.

      3. Select whether to allow the program to Execute or Read/Write.
      4. Click OK.
   3. (Optional) Click Allowed USB Devices to configure a list of USB devices that Device Control does not block.

      The Allowed USB Devices screen appears.

      1. Type the device vendor, model, and serial ID in the list.
      2. To add more devices, click the plus (+) icon.
      3. In the Permissions drop-down, specify the access level Device Control permits to users accessing the specified USB devices.
      4. Click OK.
   4. Select Block the AutoRun function on USB storage devices to prevent programs saved on USB devices from executing automatically.
   5. Select Display a notification message on the endpoint when Apex One detects unauthorized device access to inform end users that Device Control restricted access to a device.
9. For Security Agents with the Data Protection feature installed, select Allow or Block access to the devices listed under Mobile Devices and Non-Storage Devices.
10. Click OK.
     

    Device Control automatically assigns all user-based rules a higher priority than the default endpoint-based rule (All users (default)).

     
11. (Optional) Manage the Device Control rule list.
    • Priority: Click the arrows to change the priority of user-based rules.
    • Copy: Select a rule, click Copy, and modify the rule contents.
    • Delete: Select a rule and click Delete to permanently remove the rule from the list.