Settings for locking device classes

Configuration: DOC -> Security Controls -> Devices -> Configuration -> Device classes

In the DriveLock Operations Center (DOC), open the configuration options by double-clicking on the respective device class.

In the DriveLock Management Console (DMC), you can change the settings on the General, Permissions and Awareness tabs.

The following configuration options are available.

  • Enable controlling devices of this device class: If this setting is active, devices are allowed or blocked according to the settings in rules or in the class. In the DOC, simply set the Active switch.
  • Allow learned devices: Once Device Control is activated on a DriveLock Agent, all devices connected to the agent are learned. To repeat the learning process, either run drivelock -recreatebootdevs on the command line or, in the DOC, use the 'Relearn boot devices' command in the 'Additional actions' section of a computer's context menu.

    If you select this setting, the learned devices will in future be unlocked during the boot phase unless a rule (blocking or allowing) exists for them. This does not apply to a device that is connected after the boot phase has completed.

  • Audit device events for devices of this type: You can also specify whether the associated monitoring events are generated. If this option is set, the events are transmitted to the configured locations (e.g. Windows Event Viewer, DriveLock Enterprise Service).

  • Do not show user notifications for devices of this type: Users do not receive information about the corresponding devices.

  • Disable locked devices in device manager: If devices are locked, they are disabled in the Device Manager.

  • Do not lock system devices of this type: Examples of system devices are a network miniport driver or a USB root hub. To avoid having to define separate whitelist rules for these "software" devices, this option is enabled by default. If you disable it, separate rules must be created for all of these system devices.

  • Restart these devices when needed: If you want a currently locked device to be unlocked (e.g. following a policy, user or network change) or an unlocked device to be locked, this setting allows the device to be restarted (to establish the required lock status). Deactivating this setting is primarily used to resolve issues if devices cannot handle being restarted.

  • Simulation mode: Enable simulation mode for this device class if you want to test the effect of locking (or allowing) in your environment first.

  • Report device removal: You can configure (per device class) that an event is generated when a device is removed. For non-MTP devices, the DriveLock driver remains loaded in this case until the device is removed or deactivated. This may require a restart during the agent update, especially if an affected device cannot be removed or deactivated. Please only use this functionality if you absolutely have to!