Priority conflicts between various types of device control

Learn what priority conflicts to watch out for when controlling devices via Zones, Device control, and Ignored devices.

Information in this article applies to Safetica ONE 10 or older.

In Safetica ONE, you can control the use of and access to various devices (such as USB devices, Bluetooth devices, FireWire devices, Windows Portable Devices, multimedia devices, etc.) by three different means:

  • Zones in the Protection section
  • Device control in the Protection section
  • Ignored devices in the Maintenance > Integration settings section

Evaluation priorities

Multimedia devices (such as cameras, microphones, headsets) in Device control are by default ignored by Safetica restrictions. If you want to block such a device, you must add it to a Safetica Zone.

When configuring the control of your devices (such as whether to allow them, block them, or log that they were connected/disconnected), keep in mind that each of these means has a different priority.

Evaluation priority: Zone settings > Ignored devices > Device control settings

Devices in Zones are evaluated before Ignored devices in Maintenance > Integration settings and before port settings in Device control.

Devices in the Ignored devices list (added via their Hardware IDs or Compatible IDs) are evaluated before port settings in Device control.

Port settings in Device control have the lowest priority.

Use cases

Basic use case:

Your company wants to forbid the use of USB devices. For this reason, you go to Protection > Device control and set the port settings for USB to Block.

However, there is one special class of USB devices that the company wants to allow without any need to audit or block the files transferred to them. You add this class of devices into Maintenance > Integration settings > Ignored devices, so that it is ignored by Safetica restrictions.

If a device from this allowed class of USB devices gets lost or stolen, you can block it by adding its unique serial number into a blocking Safetica Zone.

This way, the lost USB device is blocked, its parent class of devices is allowed, and all other USB devices remain blocked.

Advanced use case:

By default, headsets are ignored by Safetica restrictions. For some reason, however, Safetica blocks several headsets used by your company.

To bypass the unwanted blocking, you add these headsets into Maintenance > Integration settings > Ignored devices.

If you later decide to block these headsets for a specific user, you just add them into a blocking Safetica Zone assigned to that particular user.

The Ignored devices list is applied globally across all endpoints. Zones, however, can be set for specific users.

More about Ignored devices

Devices added into the Ignored devices list are not controlled by the Safetica driver. They are ignored by Safetica restrictions and only their connection/disconnection is logged. So, if the Safetica driver is causing issues with your device, it is good practice to add it into the Ignored devices list.

Devices can be added into the Ignored devices list via their Hardware ID, Compatible ID, or the Hardware ID of their parent (such as a USB hub or port, a USB extender, etc.). For example, if you add the Hardware ID of a USB extender, any device connected to it will be ignored as well.

If you add a single device (flash disk, multimedia device, etc.) via its Hardware ID to the Ignored devices list, the device will be ignored after re-connection (no computer restart needed). Connection and disconnection of the device will be logged.

If you add a Compatible ID to the Ignored devices list, all devices with this Compatible ID will be ignored.

If you add a Hardware ID of a parent to the Ignored devices list, all child devices will be ignored.

How to use parent Hardware ID in Ignored devices

To get the Hardware ID of a parent device, open the Device Manager, click View, and choose Devices by connection. This will display a tree that has USB devices as leaf nodes with one common parent (USB port).

  • If the parent device cannot be physically disconnected from the computer (e.g. a USB hub on the motherboard):
    • Child devices will be ignored after a computer restart.
    • Connection and disconnection of child devices is not logged.
  • If the parent device can be physically disconnected from the computer (e.g. a USB extender):
    • No computer restart is required.
    • Connection and disconnection of child devices is logged.
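To make the rules above concrete, here is an added Python model of the evaluation order from the Evaluation priorities section together with the matching rules from the Ignored devices sections (own Hardware ID, Compatible ID, or an ancestor's Hardware ID, with the logging difference for removable and non-removable parents). It is illustration code written for this article, not Safetica's own implementation: the device tree, all Hardware IDs, Compatible IDs and serial numbers are constructed, Zones are assumed to match on serial number as in the use cases, and the order in which the explicit Ignored devices list and the default multimedia exemption are checked is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Set, Tuple

@dataclass
class Device:
    """One node of Device Manager's 'Devices by connection' tree (simplified, assumed model)."""
    name: str
    port: str                                  # port type as Device control sees it, e.g. "USB"
    hardware_ids: List[str]                    # Windows Hardware IDs of this node
    compatible_ids: List[str] = field(default_factory=list)
    serial: Optional[str] = None               # what a Zone matches on in the article's use cases
    parent: Optional["Device"] = None          # parent node; None for the tree root
    removable: bool = True                     # False for e.g. a USB hub on the motherboard
    multimedia: bool = False                   # camera, microphone, headset

@dataclass
class Verdict:
    layer: str               # "zone", "ignored", "multimedia-default" or "device-control"
    action: str              # "allow", "block" or "log"
    logged: Optional[bool]   # connect/disconnect logged? None where the article does not say
    matched: str = ""        # the ID or serial that produced the decision

def ancestors(dev: Device) -> Iterator[Device]:
    node = dev.parent
    while node is not None:
        yield node
        node = node.parent

def ignored_match(dev: Device, ignored: Set[str]) -> Optional[Tuple[str, Optional[Device]]]:
    """Own Hardware/Compatible IDs first, then walk up the tree for a listed ancestor Hardware ID."""
    hit = (set(dev.hardware_ids) | set(dev.compatible_ids)) & ignored
    if hit:
        return sorted(hit)[0], None
    for anc in ancestors(dev):
        hit = set(anc.hardware_ids) & ignored
        if hit:
            return sorted(hit)[0], anc
    return None

def evaluate(dev: Device, zone_rules: Dict[str, str], ignored: Set[str],
             port_settings: Dict[str, str]) -> Verdict:
    """Apply the article's order: Zone settings > Ignored devices > Device control settings."""
    # 1. Zones win, so a Zone can block a device that is ignored or multimedia.
    if dev.serial is not None and dev.serial in zone_rules:
        return Verdict("zone", zone_rules[dev.serial], logged=None, matched=dev.serial)
    # 2. Ignored devices are not controlled by the driver; only connect/disconnect is logged,
    #    and not even that for children of a parent that cannot be unplugged (motherboard hub).
    hit = ignored_match(dev, ignored)
    if hit is not None:
        matched_id, via_parent = hit
        logged = True if via_parent is None else via_parent.removable
        return Verdict("ignored", "allow", logged=logged, matched=matched_id)
    # 3. Multimedia devices are ignored by Device control restrictions by default
    #    (checked after the explicit list so a listed headset reports its list entry; assumption).
    if dev.multimedia:
        return Verdict("multimedia-default", "allow", logged=None)
    # 4. Port settings in Device control have the lowest priority.
    action = port_settings.get(dev.port, "allow")
    return Verdict("device-control", action, logged=True if action == "log" else None)

def build_scenario() -> Dict[str, Device]:
    """Constructed device tree for the article's use cases; every ID and serial is made up."""
    root = Device("USB Root Hub on motherboard", "USB", ["USB\\ROOT_HUB30"], removable=False)
    extender = Device("USB extender", "USB", ["USB\\VID_1111&PID_2222"], parent=root)
    stick = Device("Ordinary flash drive", "USB", ["USBSTOR\\DISK&VEN_GENERIC&PROD_STICK"],
                   ["USBSTOR\\DISK"], serial="SN-0001", parent=root)
    approved = Device("Approved company drive", "USB", ["USBSTOR\\DISK&VEN_ACME&PROD_SECURE"],
                      ["USBSTOR\\DISK"], serial="SN-0002", parent=root)
    lost = Device("Approved company drive, reported lost", "USB",
                  ["USBSTOR\\DISK&VEN_ACME&PROD_SECURE"], ["USBSTOR\\DISK"],
                  serial="SN-0003", parent=root)
    headset = Device("Headset behind extender", "USB", ["USB\\VID_3333&PID_4444"],
                     serial="SN-0004", parent=extender, multimedia=True)
    mouse = Device("Mouse on motherboard hub", "USB", ["USB\\VID_5555&PID_6666"], parent=root)
    return {d.name: d for d in (root, extender, stick, approved, lost, headset, mouse)}

# Basic use case: USB port blocked, one device class ignored, one lost serial blocked by a Zone.
PORT_SETTINGS = {"USB": "block"}
IGNORED = {"USBSTOR\\DISK&VEN_ACME&PROD_SECURE"}
ZONE_ALL_USERS = {"SN-0003": "block"}
# Advanced use case: the headset model is added to Ignored devices globally, and one user
# additionally gets a Zone that blocks that headset for them only.
IGNORED_WITH_HEADSET = IGNORED | {"USB\\VID_3333&PID_4444"}
ZONE_FOR_ONE_USER = {**ZONE_ALL_USERS, "SN-0004": "block"}

def decide_all(zone_rules: Dict[str, str], ignored: Set[str],
               port_settings: Dict[str, str]) -> Dict[str, Verdict]:
    """Evaluate every non-root device of the scenario under one policy set."""
    return {name: evaluate(d, zone_rules, ignored, port_settings)
            for name, d in build_scenario().items() if d.parent is not None}

if __name__ == "__main__":
    for name, v in decide_all(ZONE_FOR_ONE_USER, IGNORED_WITH_HEADSET, PORT_SETTINGS).items():
        print(f"{name:40} {v.layer:18} {v.action:6} logged={v.logged} via={v.matched}")
```

Running the script prints one verdict per device for the user who has the headset Zone; passing `ZONE_ALL_USERS` instead shows the same headset falling through to the global Ignored devices entry, and passing `{"USBSTOR\\DISK"}` as the ignored set shows a Compatible ID exempting every drive except the one whose serial is still caught first by the Zone.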