Solution
There are two ways that devices can be identified in SEP 11.x and 12.1:
- by Class ID
- by Device ID
There are advantages and disadvantages of using either method and there is a different functionality for each method.
This article discusses these two IDs and how to use them in SEP.
Class ID
A Class ID is a generic category of devices that are designated by the Windows operating system. A Class ID is always listed as a GUID. Here are examples of Class IDs (GUID):
- Disk Drives - {4d36e967-e325-11ce-bfc1-08002be10318}
- Storage Volumes - {71a27cdd-812a-11d0-bec7-08002be2092f}
- USB devices - {36FC9E60-C465-11CF-8056-444553540000}
- DVD/CD-ROM - {4D36E965-E325-11CE-BFC1-08002BE10318}
- IDE - {4d36e96a-e325-11ce-bfc1-08002be10318}
- PCMCIA - {4d36e977-e325-11ce-bfc1-08002be10318}
In SEP, wildcards are not supported on Class IDs.
For a list of Class IDs, click here.
Device ID
A Device ID (also known as a Device Instance ID in Windows) is a specific ID that is given to each device. A Device ID can be more effective for blocking or allowing devices because it is made by concatenating a list of data about the particular device. Device IDs are generally in a more readable format.
Here are two common formats for Device IDs:
<class>\<type>&<vendor>&<model>&<revision>\<serial number>
<class>\<type><vendor><model><revision>\<serial number>
Here are examples of Device IDs:
- SanDisk Micro Cruzer - USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_MICRO&REV_2033\0002071406&0
- Apple iPod - USBSTOR\DiskApple___iPod____________1.62\4&3656B0&0
- Hitachi IDE Hard Drive - IDE\DISKHTS541060G9SA00_________________________MB3IC60H\4&14AA9DA8&0&0.0.0
For Device IDs wildcards are supported: * and ?.
- Asterisk [*] - means zero or more of any character
- Question mark [?] - means a single character of any value
Here are examples of using wildcards:
Any USB Storage device
Any USB Disk
Any USB SanDisk drive
- USBSTOR\DISK&VEN_SANDISK*
Any USB SanDisk Micro Cruzer drive
- USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_MICRO*
A specific SanDisk device
- USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_MICRO&REV_2033\0002071406&0
It is recommended to use Device IDs over Class IDs in most cases.
Hardware Devices
Both the Class IDs and the Device IDs can be added to the SEPM under Policy Components > Hardware Devices section.
Device Viewer
On the SEP CD or DVD, under the Tools\NoSupport folder look for Device Viewer (DevViewer). The Device Viewer can be used to get either the Class ID or the Device ID of a particular device. It would assist copying the IDs to the clipboard and then paste into the SEPM.
The Device Viewer also gives the ability to view devices by type or by connection.
By type:
By connection:
Device Control
SEP has the ability to block devices using either Application Control or Device Control. Device Control gives the ability to completely disable a device. When a device has been disabled this way, it will be seen as disabled in the Windows Device manager. Device Control can ensure that the device specified cannot be used in the SEP client system at all. Device Control can use both Class IDs and Device IDs.
Device Control can also block devices at any node in the tree. If a device is blocked at one node then all devices below that node (all children) will be blocked also. Conversely if a device is excluded on a particular node, then all the devices above that node will also be excluded.
In the example below, to block the SanDisk Cruzer, block it by blocking the USB Mass Storage Device:
Note: on Windows 2000, XP and 2003 if a USB device is disabled with SEP's Device Control then the operating system will power down that device.
Devices such as Androids, iPods, cameras and other types of portable devices will not be able to get charged. On newer operating systems such as Windows Vista, Windows 7 and 2008 the operating system will allow the devices to receive power even if they are disabled.
Application Control
Application Control feature would assist in performing a more granular blocking of devices. Application Control is a very powerful engine that controls the block or allow of reads, writes or execute commands on a device, including controlling what applications can be used.
For example; Creating a policy using Application Control to block any program that is running off a USB drive from changing the registry or modifying files on the host computer. With Application Control, Device IDs could be used. Class IDs will not work. Device IDs are allowed in the following places:
Program Definition
- Application Rule process
- Launch process
- Terminate process
File Definition
Only blocking a device with Application Control that is at the end of a node in the tree could be performed, unless the end node is "Generic volume" or "Storage volume". In these two cases, the device that is one up from the last node (the parent of the last node) would be blocked.
In the example below, SanDisk Cruzer Micro cannot be blocked at either the "USB Mass Storage Device" node or at the "Generic volume" node:
Most Device IDs that are supported by Application Control will have one of these types:
USBSTOR
- Example: USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_MICRO&REV_2033\0002071406&0
FCD
- Example: FDC\GENERIC_FLOPPY_DRIVE\4&371082C9&0&0
IDE
- Example: IDE\DISKHTS541060G9SA00_________________________MB3IC60H\4&14AA9DA8&0&0.0.0
SCSI
- Example: SCSI\DISK&VEN_WDC_WD50&PROD_00KS-00MNB0&REV_700.\4&1291CDED&0&000
Note: Application Control can only block devices that are seen by Windows as disk drives and have drive letters associated with them. Devices that do not add drive letters (such as an iPhone or iPad) will need to be blocked using Device Control.
|