# Securing USB Devices

This document explains the following:

- [Secure USB Settings for Users](#secure-usb-settings-for-users)
- [Applying Secure USB Settings to Computers and Users](#applying-secure-usb-settings-to-computers-and-users)
- [Adding Restrictions to secure USB Devices](#adding-restrictions-to-secure-usb-devices)
- [Excluding Devices](#excluding-devices)
- [Revoking All USB Restrictions applied to the User](#revoking-all-usb-restrictions-applied-to-the-user)

The Secure USB configuration is used for both users and computers to block or unblock the use of USB devices. A configuration made for users applies to those users irrespective of the computers they use. Using this configuration, you can block or unblock the following device types:

1. Mouse
2. Disk drives (for example, USB drives and external hard-disk drives)
3. CD ROMs
4. Portable devices (for example, mobile phones, digital cameras and portable media players)
5. Floppy disks
6. Bluetooth devices
7. Images (for example, USB cameras and scanners)
8. Printers
9. Modems
10. Apple USB devices (for example, iPhone, iPad and iPod touch)

You can also exclude individual devices using the Device Instance ID assigned to each device.

## Secure USB Settings for Users

When you create a Secure USB configuration to block or unblock devices for users, you can also set the action to take once the user logs off. This log-off action determines whether the settings made by the Secure USB configuration are retained or removed after the user logs off. The actions you can set are:

1. **Don't alter device status**: Use this option to retain the settings you have made even after the user has logged off. For example, with this option, the settings you have made to block or unblock the usage of USB devices will apply to all users who subsequently log on.
2. **Disable all devices excluding mouse**: Use this option to remove the settings you have made once the user has logged off.
## Applying Secure USB Settings to Computers and Users

When you apply the Secure USB configuration to both computers and users, the settings made for computers are applied before the settings made for users. For example, assume that you have made the following settings:

1. **Settings configured for users**
   1. Administrator: You have unblocked the usage of the disk drive
   2. Other users (excluding the administrator): You have not deployed any configurations
2. **Settings configured for computers**: You have blocked the usage of portable devices and disk drives

The following actions will take place:

1. **Computer startup**: The Secure USB configuration settings made for the computer are applied when the computer is started. This means that no portable devices and disk drives can be used.
2. **Administrator logon**: The Secure USB configuration for the computer is applied. However, it is overwritten by the settings made for the administrator. This means that the administrator can use disk drives.
3. **Other users (excluding the administrator) log on**: The Secure USB configuration made for the computer is applied.
4. **Other users (excluding the administrator) log off**: The log-off action settings made for users are applied when a user logs off. If the log-off action is set to **Don't alter device status**, the settings made will apply to the next user who logs on, provided that the user does not have any settings that apply to them.

![Note](https://www.manageengine.com/desktop-management-msp/help/images/note.jpg) **Note**: **Block USB** represents blocking access to use any USB device. **Unblock USB** represents re-enabling access to the USB devices that have been blocked. **No Change** represents that no change has been made to the current settings.

## Adding Restrictions to secure USB Devices

As an administrator, you can create a configuration to block or unblock specific USB devices. You can also exclude specific devices, if required.
To create a configuration to secure USB devices for users, follow the steps given below:

1. Click the **Configurations** tab
2. Click **Configuration**
3. In the **User Configurations** section, click **Secure USB**
4. Enter a name and description for the configuration
5. Click **Add** to apply restrictions
6. To add restrictions, select the devices and choose whether to block or unblock them
7. Select the required log-off action
8. [Define the target](https://www.manageengine.com/desktop-management-msp/help/defining_targets.html#Defining-Configuration-Target-Computers)
9. Specify the required execution settings
10. Click **Deploy**

You have created a configuration to secure USB devices. This configuration is applied when the user logs in to the computer.

## Excluding Devices

When you block a device type, you can exclude certain devices from being blocked. This is done using the Vendor ID or the Device Instance ID assigned to each device. You can exclude devices only for a device type that you have blocked. To exclude devices, follow the steps given below:

1. Click the **Exclude Devices** link against a device
2. Enter the **[Device Instance ID](#device-instance-id)** for the device. You can also choose to exclude all the devices from the specified **vendor**: you specify the Device Instance ID, from which Endpoint Central fetches the vendor ID and excludes all devices from that vendor.
3. You can choose to exclude **All Encrypted devices / encrypted devices from the list of specified devices**. Devices that are encrypted using BitLocker can be added to the exclusion list. This is applicable only to Disk Drives and only when the target computer supports BitLocker.
4. Click **Close**

You have excluded a device from being blocked.

## Device Instance ID

Every USB device has a unique ID. This ID is assigned to the device by the system so that it can be identified unambiguously. You can identify the Device Instance ID of a device by following the steps mentioned below:

1. Right-click **My Computer**
2. Click **Properties**
3. Click **Device Manager** (refer to the figure below)
4. From the list of devices, expand the device type for which you want the Device Instance ID. (For example, to identify the Device Instance ID of a mobile phone that you have connected to the computer, expand Portable devices and follow the next step.)

![Figure 1: Device Manager](https://www.manageengine.com/desktop-management-msp/help/images/device-manager.JPG)

**Figure 1: Device Manager**

5. Right-click the name of the specific device and click **Properties** (refer to the figure below)

![Figure 2: Properties](https://www.manageengine.com/desktop-management-msp/help/images/device-manager-properties.JPG)

**Figure 2: Properties**

6. Click the **Details** tab
7. In the drop-down box, select **Device Instance ID** or **Device Instance Path** (refer to the figure below)

![Figure 3: Device Instance ID](https://www.manageengine.com/desktop-management-msp/help/images/device-instance-id.JPG)

**Figure 3: Device Instance ID**

![Note](https://www.manageengine.com/desktop-management-msp/help/images/note.jpg) On computers running Windows Vista (and later versions), the Device Instance ID is called the **Device Instance Path**. You can copy the Device Instance Path from the Properties sheet in Device Manager. On computers running older versions of Windows, you cannot copy the Device Instance ID directly from the Properties sheet in Device Manager. To copy the Device Instance ID, open the `dcusbaccess.log` file. This file is located in: **\\\\logs\dcusbaccess.log**

It contains the following information for each device event:

- Action Time (inserted\removed time)
- Action (inserted\removed)
- Friendly name
- Device Instance ID

You can now view and copy the Device Instance ID for a specific device.
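The two sections above rely on the structure of a Windows USB Device Instance Path: Windows builds it as `USB\VID_xxxx&PID_xxxx\<serial or bus location>`, which is why a single instance ID is enough for the product to derive the vendor and exclude every device from that vendor. The following is an added example, not code from the product or this help page, that models the block/exclude evaluation described under Excluding Devices: a blocked device type, an exclusion by exact Device Instance ID, an exclusion by vendor derived from an instance ID, and the BitLocker exclusion for disk drives. The instance IDs, the `DiskDrivePolicy` class and the `is_allowed` function are all constructed for illustration and are not the product's own API.

```python
import re
from dataclasses import dataclass, field

# Windows forms a USB device instance path as USB\VID_xxxx&PID_xxxx\<serial or bus location>.
# The trailing part may itself contain '&' when the device has no serial (e.g. 6&2C5A1B3E&0&4),
# so it is captured greedily.
_INSTANCE_RE = re.compile(r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})\\(.+)$", re.IGNORECASE)


@dataclass(frozen=True)
class UsbDevice:
    instance_id: str
    vendor_id: str
    product_id: str
    serial: str


def parse_instance_id(instance_id: str) -> UsbDevice:
    """Split a Device Instance Path into its vendor, product and serial parts."""
    text = instance_id.strip()
    match = _INSTANCE_RE.match(text)
    if not match:
        raise ValueError(f"not a USB device instance path: {instance_id!r}")
    vid, pid, serial = match.groups()
    return UsbDevice(text.upper(), vid.upper(), pid.upper(), serial)


@dataclass
class DiskDrivePolicy:
    """Hypothetical model of one blocked device type with its exclusion list."""
    block: bool = True
    excluded_instance_ids: set[str] = field(default_factory=set)
    excluded_vendor_ids: set[str] = field(default_factory=set)
    exclude_encrypted: bool = False  # 'All Encrypted devices' option, disk drives only

    def exclude_device(self, instance_id: str) -> None:
        self.excluded_instance_ids.add(parse_instance_id(instance_id).instance_id)

    def exclude_vendor_of(self, instance_id: str) -> None:
        # The vendor is derived from the supplied instance ID, as the help text describes.
        self.excluded_vendor_ids.add(parse_instance_id(instance_id).vendor_id)


def is_allowed(policy: DiskDrivePolicy, instance_id: str, bitlocker_encrypted: bool = False) -> bool:
    """Return True if the device may be used under the policy, False if it is blocked."""
    if not policy.block:
        return True  # exclusions only matter for a blocked device type
    device = parse_instance_id(instance_id)
    if device.instance_id in policy.excluded_instance_ids:
        return True
    if device.vendor_id in policy.excluded_vendor_ids:
        return True
    if policy.exclude_encrypted and bitlocker_encrypted:
        return True
    return False


def demo_policy() -> DiskDrivePolicy:
    """Constructed sample policy: block disk drives, exclude one stick and one whole vendor."""
    policy = DiskDrivePolicy(block=True)
    policy.exclude_device(r"USB\VID_0781&PID_5583\AA01020304")   # constructed instance ID
    policy.exclude_vendor_of(r"USB\VID_0951&PID_1666\E0D55E6C")  # constructed instance ID
    return policy


if __name__ == "__main__":
    policy = demo_policy()
    for sample in (
        r"USB\VID_0781&PID_5583\AA01020304",  # excluded by exact instance ID
        r"USB\VID_0781&PID_5583\BB09090909",  # same model, different serial: still blocked
        r"USB\VID_0951&PID_1666\FFFFFFFF",    # excluded because its vendor is excluded
        r"USB\VID_1234&PID_0001\6&2C5A1B3E&0&4",  # no serial, unknown vendor: blocked
    ):
        print(f"{sample:45} allowed={is_allowed(policy, sample)}")
```

Note that the exact-ID exclusion is serial-specific: a second unit of the same model is still blocked unless it is listed or its vendor is excluded, which is the trade-off between the per-device and per-vendor options on the Exclude Devices dialog.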
## Revoking All USB Restrictions applied to the User

Administrators can choose to revoke all USB-related restrictions applied to a user. To create a configuration that revokes all USB-related restrictions for users, follow the steps given below:

1. Click the **Configurations** tab
2. Click **Configuration**
3. In the **User Configurations** section, click **Secure USB**
4. Enter a name and description for the configuration
5. Click **Remove** to revoke all restrictions applied to the user
6. Select the required log-off action
7. [Define the target](https://www.manageengine.com/desktop-management-msp/help/defining_targets.html#Defining-Configuration-Target-Computers)
8. Make the required execution settings
9. Click **Deploy**

You have created a configuration to secure USB devices. This configuration is applied when the user logs in to the computer.

![Note](https://www.manageengine.com/desktop-management-msp/help/images/note.jpg) **Note:** Administrators can also revoke or remove the restrictions applied to specific USB devices by clicking **Add** instead of **Remove** in step 5 and choosing to unblock the specific restrictions that need to be revoked.