How Device Control blocks devices
This article applies to the following F-Secure products: Client Security, Policy Manager, PSB Portal and Computer Protection.
Hardware Identifiers
In Windows, every device carries several sets of identifying properties that can be used to match either the individual device or the kind of device it belongs to. The table below lists them in order of specificity, from the most specific to the most general.
| Property | Description |
| --- | --- |
| Device ID | A device has exactly one Device ID; it is the most specific identifier of that device. |
| Hardware IDs | A device can have several hardware IDs. They too are ordered from most specific to most general. |
| Compatible IDs | A list of general IDs shared by all devices of the same kind. |
| Class | A single GUID identifying the device setup class. Every device belongs to exactly one class. Classes live under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class, where the per-class device information is stored. Windows defines a set of common (system-supplied) classes, but some devices install a vendor-defined class of their own. Microsoft publishes the list of system-defined device setup classes and their GUIDs. |
The algorithm
- Device Control subscribes to the system notification for hardware configuration changes.
- When the configuration changes, Device Control enumerates all devices.
- For every device, its identifiers are checked against the rules, starting from the Device ID and going down to the Class GUID, so the most specific identifier that has a rule decides the outcome.
- If a matching rule is found, Device Control checks the Access Level of that rule.
- If the rule has the Full access/Allow level and the device is currently blocked, Device Control removes the block (enables the device).
- If the rule has the Blocked access level and the device is not currently blocked, Device Control blocks (disables) the device.
- If the access level already matches the current state of the device, no action is performed.
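Worked example (added here; this is not code from F-Secure or from the product): a Python model of the lookup order above. The device identifiers are constructed in the shape Windows uses (USBSTOR and HID IDs, the DiskDrive and HIDClass setup class GUIDs) and are not captured from a real machine; case-insensitive comparison of identifiers and the names of the helper functions are assumptions made for the example. It shows how a device-level Full access rule overrides a class-level Blocked rule because the Device ID is checked first, and how the state check prevents a second configuration change from acting again on a device that is already in the right state.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Access(Enum):
    """Access levels a Device Control rule can carry."""
    FULL = "Full access"   # allow: the device must be enabled
    BLOCKED = "Blocked"    # deny: the device must be disabled


@dataclass
class Device:
    """Identifier sets of one device, as Windows exposes them.
    All values in this example are constructed in the shape Windows uses."""
    name: str
    device_id: str             # exactly one, the most specific identifier
    hardware_ids: list[str]    # ordered most specific -> most general
    compatible_ids: list[str]  # generic IDs shared by devices of the same kind
    class_guid: str            # device setup class GUID
    blocked: bool = False      # current state: True if Device Control disabled it

    def identifiers(self):
        """Yield identifiers in the order Device Control checks them."""
        yield self.device_id
        yield from self.hardware_ids
        yield from self.compatible_ids
        yield self.class_guid


def find_rule(device: Device, rules: dict[str, Access]):
    """Return (identifier, access) of the first rule hit walking from Device ID
    down to Class GUID, or None. Identifiers are compared case-insensitively
    (assumption made for this example)."""
    table = {key.upper(): access for key, access in rules.items()}
    for ident in device.identifiers():
        access = table.get(ident.upper())
        if access is not None:
            return ident, access
    return None


def reconcile(device: Device, rules: dict[str, Access]) -> str:
    """Apply the matching rule to the device's current state; return the action taken."""
    hit = find_rule(device, rules)
    if hit is None:
        return "no rule"
    ident, access = hit
    if access is Access.FULL and device.blocked:
        device.blocked = False            # remove the block (enable the device)
        return f"enabled (rule on {ident})"
    if access is Access.BLOCKED and not device.blocked:
        device.blocked = True             # block (disable) the device
        return f"disabled (rule on {ident})"
    return f"no change (rule on {ident})"  # state already matches the rule


DISKDRIVE_CLASS = "{4d36e967-e325-11ce-bfc1-08002be10318}"  # Windows DiskDrive setup class
HID_CLASS = "{745a17a0-74d3-11d0-b6fe-00a0c90f57da}"        # Windows HIDClass setup class


def demo() -> dict[str, str]:
    """Run the algorithm over three constructed devices and a two-rule policy."""
    approved = Device(
        "approved stick",
        r"USBSTOR\DISK&VEN_ACME&PROD_CORPKEY&REV_1.00\ABC123&0",
        [r"USBSTOR\DiskACME____CORPKEY_________1.00", r"USBSTOR\DiskACME____CORPKEY_________"],
        [r"USBSTOR\Disk", r"USBSTOR\RAW", "GenDisk"],
        DISKDRIVE_CLASS,
        blocked=True,  # was blocked before the exception rule existed
    )
    unknown = Device(
        "unknown stick",
        r"USBSTOR\DISK&VEN_NONAME&PROD_FLASH&REV_0.01\DEADBEEF&0",
        [r"USBSTOR\DiskNONAME__FLASH___________0.01"],
        [r"USBSTOR\Disk", r"USBSTOR\RAW", "GenDisk"],
        DISKDRIVE_CLASS,
    )
    keyboard = Device(
        "keyboard",
        r"HID\VID_1234&PID_5678&MI_00\7&1234ABCD&0&0000",
        [r"HID\VID_1234&PID_5678&REV_0100&MI_00", r"HID\VID_1234&PID_5678&MI_00"],
        ["HID_DEVICE_SYSTEM_KEYBOARD", "HID_DEVICE_UP:0001_U:0006", "HID_DEVICE"],
        HID_CLASS,
    )
    rules = {
        DISKDRIVE_CLASS: Access.BLOCKED,   # class rule: block every disk drive
        approved.device_id: Access.FULL,   # device rule: one approved stick is allowed
    }
    results = {d.name: reconcile(d, rules) for d in (approved, unknown, keyboard)}
    # A later configuration change re-runs the check; the state already matches, so nothing happens.
    results["unknown stick, second pass"] = reconcile(unknown, rules)
    return results


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:30} -> {action}")
```

Note that the class-level rule blocks the unknown stick even though it has no rule on its Device ID, hardware IDs or compatible IDs, while the approved stick in the same class is enabled because its Device ID is checked before the class GUID. The keyboard is untouched: no identifier at any level has a rule.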
Alerts
- When a device is blocked for the first time, a flyer notification is shown to the current user.
- The Policy Manager administrator receives an alert every time a device is blocked.