Device whitelist rules

Whitelist rules for devices are created in the same way as drive rules. Since version 2024.1, whitelist rules that span several device classes can also be configured for all classes.

The following example shows the creation of a rule for a biometric device.

In the Description field, enter a name; in this example it is the MSO300 series biometric device. You can also add a comment.

Narrow the scope further by providing additional information: either select a bus or enter a hardware ID. In this example, HID is used as the bus.

The rule is then applied only if the device belongs to the selected device class (here Biometric devices) and is connected via the configured bus.

If the bus you need is not in the list, type its name into the field.

If whitelist rules overlap, for example a rule for a bus and a rule for a device connected to that bus, DriveLock resolves them as follows (the device rule always decides):

  • Bus locked and device enabled -> Device enabled

  • Bus locked and device locked -> Device locked

  • Bus enabled and device locked -> Device locked

  • Bus enabled and device enabled -> Device enabled

Computer templates that have been set up have no special priority over manually created whitelist rules.

If the same device or bus is allowed in one rule but blocked in another, it is enabled: the allowing rule wins. Check for such conflicts before relying on a block rule.

To distinguish devices from each other even more precisely, hardware IDs and their so-called Compatible IDs are used. Each device reports one or more hardware IDs that identify its model; in addition, Windows maintains a list of more generic Compatible IDs for the device. Windows uses the hardware ID first, and falls back to a Compatible ID, to find the appropriate driver. A hardware ID may also contain a revision number assigned by the manufacturer (for USB devices the REV_ part of the ID), which is irrelevant for the choice of driver; in that case Windows uses one of the IDs that does not contain the revision number. Note that a hardware ID identifies a model, not an individual unit, so a rule keyed on a hardware ID admits every device that reports that ID.

Enter the correct hardware ID in the appropriate field to specify the desired device. The hardware ID can be read from the Windows Event Viewer or from the registry. The hardware IDs of the devices known to the local computer are listed on the Installed devices tab.
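The following PowerShell script is an added example and is not DriveLock's own code or documentation. It reads the hardware IDs and Compatible IDs that Windows reports for the present devices of one setup class, shows which hardware IDs carry a manufacturer revision and which do not, and cross-checks the same values in the registry. It assumes a Windows system with the built-in PnpDevice module; the class name Biometric and the helper function names are assumptions chosen for the example device above.

```powershell
# Added example, not part of DriveLock or its documentation.
# Lists the hardware IDs and Compatible IDs Windows PnP reports for the present
# devices of one setup class. Requires the built-in PnpDevice module
# (Windows 8.1 / Server 2012 R2 and later).

function Get-DeviceIdentifiers {
    param(
        # Assumption: 'Biometric' is the setup class of the example device;
        # use e.g. 'HIDClass' or 'USB' for other classes.
        [string]$Class = 'Biometric'
    )

    Get-PnpDevice -Class $Class -PresentOnly | ForEach-Object {
        $inst = $_.InstanceId

        # Same values Windows stores under
        # HKLM\SYSTEM\CurrentControlSet\Enum\<InstanceId> as HardwareID / CompatibleIDs.
        $hwIds  = (Get-PnpDeviceProperty -InstanceId $inst -KeyName 'DEVPKEY_Device_HardwareIds').Data
        $cmpIds = (Get-PnpDeviceProperty -InstanceId $inst -KeyName 'DEVPKEY_Device_CompatibleIds').Data

        [pscustomobject]@{
            Name            = $_.FriendlyName
            InstanceId      = $inst
            HardwareIds     = $hwIds
            # IDs without a REV_ part match every firmware revision of the model.
            RevisionFreeIds = @($hwIds | Where-Object { $_ -notmatch '&REV_' })
            CompatibleIds   = $cmpIds
        }
    }
}

# Cross-check one device against the registry (same data, second source).
# Run the shell elevated if access to the Enum key is denied.
function Get-DeviceIdentifiersFromRegistry {
    param([Parameter(Mandatory)][string]$InstanceId)
    $key = Join-Path 'HKLM:\SYSTEM\CurrentControlSet\Enum' $InstanceId
    Get-ItemProperty -Path $key -Name HardwareID, CompatibleIDs -ErrorAction Stop |
        Select-Object HardwareID, CompatibleIDs
}

# Usage
Get-DeviceIdentifiers -Class 'Biometric' | Format-List
Get-DeviceIdentifiers -Class 'Biometric' |
    Select-Object -First 1 |
    ForEach-Object { Get-DeviceIdentifiersFromRegistry -InstanceId $_.InstanceId }
```

When the same model ships with several firmware revisions, enter one of the RevisionFreeIds in the rule rather than an ID that contains REV_, otherwise units with a different revision fall outside the whitelist. Comparing the PnP output with the registry values confirms that the ID you copy into the rule is the one Windows actually uses for the device.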

The Hide system devices option hides all Windows system devices that are enabled by default via the Do not lock system devices of this type function in the device class lock settings.

Additional devices can be selected by connecting to another agent remotely and selecting a device present there. To do this, select the on Agent option and enter the name of the computer you want to connect to. This requires the DriveLock Agent to be installed on the target computer.

An explanation of the options on the other tabs can be found here.