Device Control
Device Control Overview
SentinelOne Device Control lets you control which external devices are allowed to be used with endpoints in your organization. Use Device Control to:
- Block external devices that are not required, to limit data leaks.
- Strictly control allowed devices to prevent malicious content that can enter your network through external devices.
Device Control General Information
- Device Control is supported from Eiffel Management with 2.8 Windows Agents and 2.7 macOS Agents.
- In this release you can manage external USB devices with Windows and macOS Agents.
- Device Control policy can be Global, for a Site, or for a Group. Groups and Sites can inherit policies or have their own.
- Define the policy in the Management Console in NETWORK → Device Control.
The Device Control Policy includes Settings and Rules:
- Settings: Turn Device Control on or off, define the inheritance settings, and select the ACTIVITY log settings.
- Rules: Create and organize rules to allow or block connection of specific devices, or groups of devices, to endpoints, based on the device identifiers (Vendor ID, Class, Serial ID, or Product ID).
End-User Interaction with Device Control
- When an end-user inserts a device that is blocked by Device Control, a message shows on the endpoint.
- Users cannot create requests automatically from these messages. This is to prevent an overload of requests for Security Admins.
- Admins can easily create new Device Control rules to Allow devices that were blocked, based on the Device Control event log in the ACTIVITY view.
Device Control Settings
In the Device Control settings, define the policy inheritance, turn Device Control on or off, and select which device events are reported to the Activity log. The same settings apply to Windows and macOS endpoints.
By default, Agents have Device Control disabled, until they connect to a Site or Group with an enabled Device Control policy.
How to configure Device Control settings
- In the Management Console, click Network.
- Select a scope: A Site, a Group, or All Sites, for Global Admins.
- Click Device Control.
- Click the Settings icon.
- Click Enable Device Control if it is not enabled.
- For a Site or Group: Use the toggle to turn the inheritance On or Off.
Note: If inheritance is On, the other settings are disabled because they are inherited. If you turn Off inheritance, the other settings become enabled.
- Select which device events are reported to the Activity log:
  - Report approved device events to activity log – Creates logs when devices are connected and when disconnected (by default, this is not selected).
  - Report blocked device events to activity log – Creates a log when a device is blocked.
- Optional: You can click Disable Device Control. This disables the feature for your current scope and all Sites and Groups that inherit Device Control settings from this scope.
For a Site or Group, you must turn Off inheritance before you can disable Device Control.
Existing rules remain in the policy but become inactive. When you enable Device Control again, the rules become active with their latest Enabled or Disabled state.
Device Control Policy Inheritance
How to make a Site inherit rules and settings from Global
- Turn On Inherits rules and settings from Global (on by default).
- The Site uses the Global settings and the Global rules.
- You can add Site rules.
How to give a Site its own policy
- Turn Off Inherits rules and settings from Global.
- The Site uses the settings that you configure.
- The Site uses only Site rules.
How to make a Group inherit rules and settings from a Site that inherits from the Global settings (the Site has inheritance turned on)
- Turn On Inherits rules and settings from Global (on by default).
- The Group uses Global settings, and Global and Site rules.
- You can add Group rules.
How to make a Group inherit rules and settings from a Site that has its own policy (the Site has inheritance turned off)
- Turn On Inherits rules and settings from Site (on by default).
- The Group uses the Site settings and the Site rules.
- You can add Group rules.
How to give a Group its own policy
- Turn Off Inherits rules and settings from Site.
- The Group uses the settings you configure.
- The Group uses only Group rules.
Device Control Rules
Creating rules
Create and edit rules for a specific scope to allow or block devices, based on device identifiers.
When you create a rule, it applies to the current scope of the Network view.
Note: On Windows, if a device is already connected to an endpoint, new rules and rule changes do not affect it. Rules will apply the next time the device connects to the endpoint. On macOS, changes apply to devices that are already connected to an endpoint.
These Rule Types are available:
Rule Type | Required | Optional Identifiers |
Class | Class * (for example: Audio, Communications and CDC Control, HID (Human Interface Device), Physical, Image, Printer, Mass Storage, Hub, CDC-Data, Smart Card, Content Security, Video, and Wireless Controller). Note: You cannot block HID or Hub Classes. | Vendor ID |
Vendor ID | Vendor ID | Class |
Product ID | Product ID and Vendor ID | N/A |
Serial ID | Device Serial ID (UID), generally for USB Mass Storage devices. | N/A |
* If you select a class that applies to the whole device, the whole device is blocked. If you select a class that only applies to one interface of a device, the other interfaces will still be available.
Note: If the IDs of a device change, for example, due to a firmware upgrade, rules that were defined for the previous IDs will not work. Create new rules for the new IDs, or create rules based on Class.
- In the Management Console, click Network.
- Select a scope.
- Click Device Control.
- Click New rule.
- In the window that opens, enter the details of the rule:
  - Rule name – Enter a descriptive name for the rule. The rule name must be different from other rule names in the scope.
    Best Practice – Include the reason for the rule in the name.
  - Interface – Select the type of device to which the rule applies.
  - Rule Type – Select a device identifier to include in the rule.
  - Scope – This is taken automatically from the current scope of the Network view.
    If you want to give the rule a different scope, click Cancel and select a different scope in Network. Or you can move the rule to a different scope later on.
  - Action – Select Allow or Block to define if Agents block or allow use of devices that match the rule parameters.
- Click Continue.
- In the window that opens, define the specifics of the device identifiers. For example, if you selected Class as the Rule Type, select the class, such as Video or Mass Storage. If you selected Product ID as the Rule Type, enter the Product ID and the Vendor ID.
- Optional: If relevant, add more specific identifiers. If you add more identifiers, the rule only applies if all identifiers match a device. Identifiers that are not explicitly defined are set to the default value, which is Any.
- Enable rule immediately after saving is selected by default. This means that the rule becomes active immediately. To create the rule in Disabled state, deselect this.
- Click Save rule.
Creating Rules from the Activity log:
From a blocked Device Control event in the ACTIVITY view, you can create a rule to allow a specific device that was blocked for end-users. If a device connected successfully, no rule options are available from the event.
For example, you have a Site rule that blocks the video class of USB devices. However, your Marketing Department needs to use this type of device to record marketing videos. You can open a blocked Device Control event from the Activity log and make a new rule to allow the devices that they need.
The new rule can be very specific, to allow only a specific vendor or product, based on the details recorded in the logged event.
By default, the scope of the new rule is the endpoint's group. After you create the rule, you can move or copy it to change its scope.
Note: If a device is already connected to an endpoint, new rules and rule changes do not affect it. To make a new or changed rule take effect on a device, remove the device and then re-connect it.
- In the Management Console, click Activity.
- From the Sites list, select a Site or All Sites.
- In Administrative, click the down arrow to open the options.
- Scroll down and select Device Control events.
- Move the cursor over a blocked event and click Event details.
- In the Event details window, click Allow Device to open a new rule.
- In the New Rule window, enter the Rule Name.
- The rule is automatically based on the most specific identifiers available for the device:
  - If the device has a Serial ID (generally for mass storage devices), the rule is based on the Serial ID.
  - For most other devices, the rule is based on the Product ID and Vendor ID.
  If you want to change the Rule to include a wider range of devices, change the Rule Type.
- Click Continue.
- Enter missing information, if necessary.
- Click Save rule.
Enabling or Disabling a Rule
If a rule is Disabled, it is never active but shows in the policy with the Disabled Status.
If a rule is Enabled, it is active if Device Control is enabled. If Device Control is disabled for the rule's scope, the rule keeps the Status Enabled but is not active. It will become active automatically if Device Control is enabled.
- In NETWORK → Device Control, select a rule and click Actions.
- Click on a rule.
- In the Rule Details window, click Options.
- Select Enable or Disable.
Editing a rule
Note: When you edit a rule, you cannot change the Rule Type.
- In NETWORK → Device Control, click on a rule.
- In the Rule Details window, click Edit.
- Make changes in the Rule Details.
- Click Save changes.
Changing the Order of Rules
Device Control rules let you allow or block specific devices, or groups of devices, that connect to endpoints, based on device identifiers. When the Management Server sends policy information to Agents, it includes these rules.
When an external device connects to an endpoint, the SentinelOne Agent checks whether the Device Control policy allows it. The Agent looks at the rules based on their order in the Device Control policy, from the top to the bottom. When the Agent finds a rule that matches the device identifiers of a connected device, that rule is applied. The Agent does not continue to the lower rules in the list. If the matched rule has the Block Action, the Agent prevents the device from being used. If the matched rule has the Allow Action, the device can be used.
The Agent applies the rules in this order:
- Group rules from first to last.
- Site rules from first to last.
- Global rules from first to last.
New rules are added to the top of the relevant section of the Device Control policy.
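The first-match evaluation described above, as an added example that is not SentinelOne's own code: rules carry the four identifiers with Any as the default, Group rules are checked before Site rules and Site rules before Global rules, and the first enabled rule that matches decides. The sample policy and the vendor and product IDs 1A2B and 3C4D are constructed; the behaviour when no rule matches, and while Device Control is disabled, is an assumption and is labelled as such in the code.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # an identifier that a rule does not explicitly set is "Any" and matches everything
SCOPE_ORDER = {"Group": 0, "Site": 1, "Global": 2}  # the Agent checks Group, then Site, then Global rules
UNBLOCKABLE_CLASSES = {"HID", "Hub"}  # the console does not let you block these classes


@dataclass
class Rule:
    name: str
    scope: str          # "Group", "Site" or "Global"
    action: str         # "Allow" or "Block"
    enabled: bool = True
    device_class: Optional[str] = ANY
    vendor_id: Optional[str] = ANY
    product_id: Optional[str] = ANY
    serial_id: Optional[str] = ANY

    def __post_init__(self) -> None:
        if self.action == "Block" and self.device_class in UNBLOCKABLE_CLASSES:
            raise ValueError(f"{self.device_class} class cannot be blocked")

    def matches(self, device: dict) -> bool:
        # A rule applies only if every identifier it defines matches the device.
        wanted = {"class": self.device_class, "vendor_id": self.vendor_id,
                  "product_id": self.product_id, "serial_id": self.serial_id}
        return all(v is ANY or device.get(k) == v for k, v in wanted.items())


def evaluate(rules: list, device: dict, device_control_enabled: bool = True) -> tuple:
    """Return (action, rule name) from the first active rule that matches the device.

    Assumption (the page does not state it): a device that matches no rule is allowed,
    and every rule is inactive while Device Control is disabled for the scope.
    """
    if not device_control_enabled:
        return "Allow", None
    # sorted() is stable, so rules keep their top-to-bottom order within each scope.
    for rule in sorted(rules, key=lambda r: SCOPE_ORDER[r.scope]):
        if rule.enabled and rule.matches(device):
            return rule.action, rule.name  # first match wins; lower rules are not checked
    return "Allow", None


# Constructed sample policy: the Site blocks video devices, the Marketing Group allows its
# camera, and Global allows one approved USB stick by serial while blocking other mass
# storage. The specific Allow rule must sit above the broader Block rule in its scope.
POLICY = [
    Rule("Allow approved USB stick", "Global", "Allow",
         device_class="Mass Storage", serial_id="4C5300001300615113204"),
    Rule("Block other mass storage", "Global", "Block", device_class="Mass Storage"),
    Rule("Block video devices", "Site", "Block", device_class="Video"),
    Rule("Allow marketing camera", "Group", "Allow", vendor_id="1A2B", product_id="3C4D"),
]
```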
The rules that apply to your current scope show in NETWORK → Device Control. To see Site or Group rules, make sure you are in that scope.
Click Select filters to filter the rules by rule attributes. Select the attributes to filter for or use the free text search.
Device Control Rule Attributes
Column | Description | Values |
Interface | Physical interface to which the rule applies. | USB (more will be added in future releases). |
Rule Name | A descriptive name. | Free text, up to 50 characters. Must be unique within the scope. |
Class | Device Class as defined by the Interface standard (for example, USB Device Class). | Class selected from predefined list, or Any if not defined. |
Vendor ID | Vendor Identifier. | Free text for relevant devices or Any if not defined. |
Product ID | Product Identifier, unique for a specific product module, per vendor ID, and Interface. | Free text for relevant devices or Any if not defined. |
Serial ID | Unique identifier of some physical USB devices. | Free text for relevant devices or Any if not defined. Supported for USB mass storage devices only (support for all Device Classes will be added in future releases). N/A for other devices. |
Scope | The scope for which the rule applies. | Group, Site, or Global. |
Action | Defines if Agents Block or Allow use of devices that match the rule parameters. | Allow or Block |
Status | State of the rule. | Enabled – Active (if Device Control is enabled). Disabled – Not active. |
How to change the order of the rules
You can change the order of rules within your Admin scope.
- Global Admins can change the order of the Global, Site, and Group rules.
- Site Admins can change the order of Site rules and Group rules, for Sites and groups in their scope.
- In the Management Console, click Network.
- Select a scope.
- Click Device Control.
- Click Reorder rules.
- In the window that opens, you can change the order of the rules in these ways:
  - Drag and drop rules.
  - Or, in the Order column, click the number of the rule and enter a new number.
- Click Save.
Moving and Copying Device Rules
You can copy a Device Control rule to use it in multiple Sites or groups. For example:
- You have a rule for Site A: Copy it to use it in all of Site B, or copy it to one Group of Site B.
- You have a rule in Group X, which is in Site A: Copy it to two other Groups in Site A.
You can move Device Control rules to change their scope. For example:
- You made a Group rule for one Group and want to change it to be a Site rule.
- You made a rule for Site A and want it to apply to Site B instead.
Moving Device Control rules between Sites or groups
- In the Management Console, click Network.
- Select a scope.
- Click Device Control.
- Select a rule or multiple rules.
- Click Actions and select Move.
- Select the destination for the rule.
- Click Move.
Copying Device Control rules
- In the Management Console, click Network.
- Select a scope.
- Click Device Control.
- Select a rule or multiple rules.
- Click Actions and select Copy.
- Do one of the following in the Copy Rules window:
  - In the SITES column, select a Site.
  - Or, in the GROUPS column, select All Groups, or one or more specific groups.
- Click Done.
Viewing Changes to Device Control Rules and Settings and Viewing all Reported Control Events
See all of the Device Control logs in the ACTIVITY view. The results shown are based on your current scope.
- Changes to rules and settings show under Operations → Device Control.
- Blocked, Connected, and Disconnected device events show under Administrative → Device Control events.
- Connected and Disconnected device events show if Report approved device events to activity log is selected in the Device Control settings.
- Blocked device events show if Report blocked device events to activity log is selected in the Device Control settings.
- If necessary, you can create a new rule from a blocked device event to allow a device.
Move the cursor over a Blocked, Connected, or Disconnected device event to open the Event Details, which contains:
- A summary of the event.
- The date and time of the event.
- The endpoint name and logged in user.
- All of the device identifier details: Class, Interface, Vendor ID, Product ID, Serial ID (if relevant), Device Name.
Viewing changes to Device Control rules and settings
- In the Management Console, click Activity.
- From the Sites list, select a Site or All Sites.
- In Operations, click the down arrow to open the options.
- Scroll down and select Device Control.
Viewing all reported Device Control events
- In the Management Console, click Activity.
- From the Sites list, select a Site or All Sites.
- In Administrative, click the down arrow to open the options.
- Scroll down and select Device Control events.
- Move the cursor over an event and click Event details to see the details of the event and the device identifiers.
- If the device was blocked, an option shows to Allow Device. Optional: Click Allow Device to create a new rule that allows device identifiers of this device.
Getting device details from Management Console
Device Control rules are based on the device identifiers as reported by the hardware, not definitions that the Operating System uses for hardware.
- If a device was connected to an endpoint with a SentinelOne Agent installed, you can see the device information in the Management Console, from the event details.
- The information for connected devices is reported if the option Report approved device events to activity log is enabled in the Device Control settings.
You can use Windows Device Manager or macOS System Report → Hardware to get the device identifier information for a device that connected to an endpoint. You can also use external tools that read the parameters of devices.
Finding device identifier information for an inserted device on Windows
- From the Control Panel, open the Device Manager.
- Select a device from the tree.
- Find a composite device:
  - From the menu, select View → Devices by Connection.
  - Find USB Composite Device.
  - Select the root of the device. The different classes of the composite device show below the root. In this example, the root of the composite device is circled.
- In the Details tab, open the Property list and select a property to find the details:
  - Class – Select Matching device id.
    The Value shows Class_XY, where XY is the class code that Device Control uses. For example, for the device shown below, the class is 08, which corresponds to the class Mass Storage in Device Control rules.
  - Product ID and Vendor ID – Select Device instance path.
    The Value shows VID_WXYZ&PID_ABCD, where:
    - VID is the Vendor ID, 0781 in the example below.
    - PID is the Product ID, 5567 in the example below.
  - Serial ID – Only mass storage devices have a Serial ID. Select Device instance path.
    At the end of the value, after the last "\", there is a long string, which is the serial ID, 4C5300001300615113204 in the example below.
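Pulling the rule identifiers out of the two Device Manager values just described, as an added example rather than anything from SentinelOne: it reads the Class_XY code from Matching device id, VID and PID from Device instance path, and takes the serial only for Mass Storage, since the page says only those devices have a usable Serial ID. The full property strings are constructed around the page's example values (0781, 5567, class 08 and the serial shown above); the class-code table is the USB-IF base class list that the console's class names correspond to.

```python
import re

# USB-IF base class codes, mapped to the class names used in Device Control rules.
USB_CLASS_NAMES = {
    "01": "Audio", "02": "Communications and CDC Control", "03": "HID",
    "05": "Physical", "06": "Image", "07": "Printer", "08": "Mass Storage",
    "09": "Hub", "0A": "CDC-Data", "0B": "Smart Card", "0D": "Content Security",
    "0E": "Video", "E0": "Wireless Controller",
}

_VID_PID = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")
_CLASS = re.compile(r"Class_([0-9A-Fa-f]{2})")


def parse_device_identifiers(instance_path: str, matching_device_id: str) -> dict:
    r"""Extract the identifiers a Device Control rule needs from two Device Manager values.

    instance_path      - the "Device instance path" property, e.g. USB\VID_WXYZ&PID_ABCD\<serial>
    matching_device_id - the "Matching device id" property, which contains Class_XY
    Hex IDs are upper-cased so they compare reliably against console rules. serial_id is
    only filled in for Mass Storage, because other devices have no usable Serial ID.
    """
    m = _VID_PID.search(instance_path)
    if m is None:
        raise ValueError(f"no VID/PID found in instance path: {instance_path!r}")
    vendor_id, product_id = m.group(1).upper(), m.group(2).upper()

    c = _CLASS.search(matching_device_id)
    class_code = c.group(1).upper() if c else None
    # Unknown codes are returned as the raw hex so nothing is silently mislabelled.
    class_name = USB_CLASS_NAMES.get(class_code, class_code)

    serial_id = None
    if class_name == "Mass Storage":
        # The serial ID is the string after the last "\" of the instance path.
        serial_id = instance_path.rsplit("\\", 1)[-1]

    return {"class": class_name, "class_code": class_code, "vendor_id": vendor_id,
            "product_id": product_id, "serial_id": serial_id}


if __name__ == "__main__":
    # Constructed sample values built around the identifiers quoted in the steps above.
    print(parse_device_identifiers(r"USB\VID_0781&PID_5567\4C5300001300615113204",
                                   r"USB\Class_08&SubClass_06&Prot_50"))
```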
Finding device identifier information for an inserted device on macOS
- Click on the Apple icon and select About This Mac.
- Click System Report.
- In the navigation tree, select Hardware → USB.
- Click a device to expand its details. See the Product ID, Vendor ID, and Serial Number (if it exists), as shown in this example:
Finding the Class used by Device Control on macOS
The Class does not show on macOS computers through the UI. To get the information, run a command on the endpoint.
- From the command line of an endpoint, run:
sudo sentinelctl device-control list
- See the class shown for each interface, as shown in this example: