
Hardware-Level Data Loss Prevention: Securing the Physical Port

USB & Peripheral Control is a critical Data Loss Prevention (DLP) layer that governs how physical hardware interacts with managed endpoints. In high-security environments, simply “unplugging” the port isn’t always feasible; instead, IT admins use granular logic to determine the level of access granted to external storage devices based on the user’s role and the device’s security posture.

The logic typically follows a three-tier hierarchy:

  1. Blocked: The OS ignores the device entirely. The port may provide power, but no data mounting occurs.
  2. Read-Only: Users can view and copy files from the USB to the computer, but they cannot save or move corporate data to the USB.
  3. Full Access: Reserved for encrypted, corporate-issued drives or specific authorized personnel.

1. Overview

This document outlines the implementation of Media Management policies within Hexnode UEM. This configuration is designed to prevent data exfiltration and protect against malware-laden USB attacks by enforcing specific read/write/execute permissions on external storage media.

2. Access Logic Matrix

Before applying policies, determine the required restriction level based on the department or device type.

  • Full Block: the device does not mount; no data transfer is possible. Use case: high-security zones, public kiosks, or front-desk PCs.
  • Read-Only: the user can read from the USB drive but cannot write to it or delete from it. Use case: distributing training materials or viewing external logs.
  • Write-Only: the user can write to the USB drive but cannot read from it. Use case: secure “drop-box” collection of data from an air-gapped system. Caveat: this tier blocks inbound files (and the malware they may carry), not outbound ones, so it is not an exfiltration control.
  • Encrypted/Approved Only: access is allowed only for allowlisted device IDs. Use case: corporate-standard data transfer for mobile employees.

3. Configuration Steps (Hexnode UEM)

Step A: Windows Media Management

Navigate to Policies > New Policies > Create a fully custom policy > Windows > Security > Media Management.

  • To Block Entirely: Disable Allow use of all external media. Alternatively, you can disable Allow read access and Allow write access under the Removable Disks section.
  • To Allow Read-Only: Enable Allow use of all external media. Under Removable Disks, check Allow read access but ensure Allow write access and Allow execute access are disabled to prevent data from being copied to the drive or malware from running.
  • Device Instance ID (Allowlisting): Disable Allow use of all external media and enable Allow use of specific external media. Enter the exact device ID of each corporate-issued drive. Take the ID from a reference machine rather than typing it: in Device Manager, open the drive’s Properties > Details tab and copy the Device instance path value.
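The following PowerShell script is an added example (not Hexnode’s code) for the allowlisting step. It lists the USB mass-storage devices attached to a Windows endpoint with the exact Device Instance ID to paste into the policy, and compares those devices against an allowlist so that entries which differ only in case or whitespace are reported separately from entries that are simply missing. It assumes Windows 10/11 with the built-in PnpDevice cmdlets; the allowlist values and the Get-UsbStorageDevice / Compare-UsbAllowlist function names are constructed for this example.

```powershell
# Added example (not Hexnode's code): enumerate attached USB mass-storage devices
# and check them against an allowlist of Device Instance IDs.
# Assumes Windows 10/11; Get-PnpDevice / Get-PnpDeviceProperty are built in.

function Get-UsbStorageDevice {
    # USBSTOR is the enumerator for USB mass-storage function devices.
    # -PresentOnly drops devices seen in the past but not plugged in now.
    Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            $hwIds = ($_ | Get-PnpDeviceProperty -KeyName 'DEVPKEY_Device_HardwareIds' -ErrorAction SilentlyContinue).Data
            [pscustomobject]@{
                FriendlyName = $_.FriendlyName
                Status       = $_.Status       # OK when the OS installed the device normally
                InstanceId   = $_.InstanceId   # per unit: carries the drive's serial number
                HardwareIds  = @($hwIds)       # per model: identical for every drive of that make/model
            }
        }
}

function Compare-UsbAllowlist {
    param(
        [Parameter(Mandatory)] [string[]] $Allowlist
    )
    foreach ($dev in Get-UsbStorageDevice) {
        # Exact, case-sensitive comparison mirrors the "must match exactly" rule.
        $exact = $Allowlist | Where-Object { $_ -ceq $dev.InstanceId }
        # Normalised comparison finds entries that look right but will not match.
        $loose = $Allowlist | Where-Object {
            $_.Trim().ToUpperInvariant() -eq $dev.InstanceId.ToUpperInvariant()
        }
        $verdict = if ($exact) { 'exact match' }
                   elseif ($loose) { 'near miss: case or whitespace differs from the device ID' }
                   else { 'not allowlisted' }
        [pscustomobject]@{
            FriendlyName = $dev.FriendlyName
            InstanceId   = $dev.InstanceId
            Verdict      = $verdict
        }
    }
}

# Constructed sample allowlist (not real corporate drives): one well-formed entry,
# one with a trailing space pasted from a document, one for a different model.
# Replace with the IDs copied from your own policy.
$sampleAllowlist = @(
    'USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_GLIDE&REV_1.00\4C530001230101011234&0',
    'USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_GLIDE&REV_1.00\4C530001230101019999&0 ',
    'USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_3.0&REV_PMAP\E0D55EA5735BF241F9A01BF7&0'
)

Get-UsbStorageDevice | Format-List
Compare-UsbAllowlist -Allowlist $sampleAllowlist | Format-Table -AutoSize
```

Run it on the machine the drive is plugged into and copy the InstanceId column verbatim. The last path component of a USBSTOR instance ID is the drive’s USB serial number; if a drive reports no serial, Windows generates that component itself and it can change when the drive is moved to another port or machine, so such drives cannot be reliably allowlisted by instance ID. Allowlisting by the model-level HardwareIds value instead would admit every drive of that make and model.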

Step B: macOS Media Management

Navigate to Policies > New Policies > Create a fully custom policy > macOS > Security > Media Management.

  • To Block Entirely: Select Deny all use of external media. Users cannot mount any external media, preventing all data transfer.
  • To Allow Read-Only: Select Allow use of external media as read only. The drive mounts as a read-only device, so users cannot copy files from the Mac to the external media.
  • Authentication Gates: You can also select Allow use of external media after authentication with admin credentials to lock mounts behind administrative oversight.
  • Correction Note: “Force Disk Encryption” for external drives is not a native toggle within Hexnode’s Media Management profile. Ensuring external corporate drives are encrypted should be managed via your hardware procurement protocols. Note that Hexnode’s native FileVault policy (macOS > Security > FileVault) is designed exclusively for encrypting the Mac’s internal startup disk, not for managing external USB media.

Step C: Mobile (Android/iOS) Restrictions

Navigate to Policies > New Policies > Create a fully custom policy > iOS/Android > Restrictions.

  • iOS: Disable ‘Allow USB accessories when locked’ under ‘Advanced Restrictions’ so the Lightning/USB-C port does not communicate with data devices while the phone is locked. This gates the port only while the device is locked; once the user unlocks it, accessories connect normally.
  • Android: Under Basic Restrictions, locate and disable USB file transfer. This limits the port to charging or basic non-data functions (Supported on Android Enterprise – Device Owner and Samsung Knox).

4. Advanced: The “Read-Only” Enforcement Logic

When Read-Only is enforced, the UEM does not rely on filesystem permissions on the drive; it changes the operating system’s own policy on removable media:

  • Windows: The read/write/execute toggles correspond to the OS’s Removable Storage Access policy for the Removable Disks class, which Windows enforces for every process regardless of the NTFS or FAT permissions on the drive. Where the policy is delivered through the policy registry, it is visible on the endpoint as the Deny_Read, Deny_Write and Deny_Execute values (1 = denied) under HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}, or the same path under HKCU for a per-user policy. Note that Windows treats phones and cameras attached in MTP/PTP mode (WPD devices) and optical drives as classes separate from Removable Disks, so a phone in file-transfer mode is not covered by the Removable Disks toggles alone.
  • macOS: The external volume is mounted read-only at the system level (the mount command lists the volume with the read-only flag), so no process can write to it and data cannot flow outward to the drive.
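To verify the enforcement described above on a Windows endpoint, the following PowerShell script is an added example (not Hexnode’s code). It reads the Removable Storage Access deny values that Windows honours, maps them onto the tiers of the access logic matrix, and then probes each mounted removable volume to confirm the observed behaviour matches the policy. It assumes Windows 10/11, that the policy was applied through the policy registry keys (if the UEM uses another delivery path the values may live elsewhere, so treat that part as an assumption), and that the script is run as the standard user whose access is being tested; the function names are constructed for this example.

```powershell
# Added example (not Hexnode's code): audit the effective removable-disk tier.
# Assumes Windows 10/11 and that the policy was applied through the policy
# registry keys. Run as the (non-admin) user whose access you want to check.

# Policy class GUID for "Removable Disks" in the Removable Storage Access policy.
$RemovableDisksGuid = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-RemovableDiskPolicy {
    # Both hives are checked: a machine policy applies to everyone, a user policy
    # to the current user. A value of 1 means the operation is denied.
    $result = [ordered]@{ DenyRead = $false; DenyWrite = $false; DenyExecute = $false; DenyAll = $false }
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $root  = "$hive\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
        $class = Join-Path $root $RemovableDisksGuid
        if (Test-Path $root) {
            # "All Removable Storage classes: Deny all access" lives on the parent key.
            $all = Get-ItemProperty -Path $root -ErrorAction SilentlyContinue
            if ($all.Deny_All -eq 1) { $result.DenyAll = $true }
        }
        if (Test-Path $class) {
            $p = Get-ItemProperty -Path $class -ErrorAction SilentlyContinue
            if ($p.Deny_Read    -eq 1) { $result.DenyRead    = $true }
            if ($p.Deny_Write   -eq 1) { $result.DenyWrite   = $true }
            if ($p.Deny_Execute -eq 1) { $result.DenyExecute = $true }
        }
    }
    [pscustomobject]$result
}

function Get-PolicyTier {
    param([Parameter(Mandatory)] $Policy)
    # Map the deny flags onto the tiers from the access logic matrix.
    if ($Policy.DenyAll -or ($Policy.DenyRead -and $Policy.DenyWrite)) { return 'Full Block' }
    if ($Policy.DenyWrite) { return 'Read-Only' }
    if ($Policy.DenyRead)  { return 'Write-Only' }
    return 'Full Access'
}

function Test-RemovableVolumeAccess {
    # Behavioural probe: can this user actually list and write the volume?
    # Returns one object per mounted removable volume that has a drive letter.
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } | ForEach-Object {
        $root = "$($_.DriveLetter):\"
        $canRead = $false; $canWrite = $false
        try { Get-ChildItem -Path $root -ErrorAction Stop | Out-Null; $canRead = $true } catch {}
        # Write probe: create and immediately remove a uniquely named temp file.
        $probe = Join-Path $root ('uem-probe-{0}.tmp' -f [guid]::NewGuid())
        try {
            Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
            Remove-Item -Path $probe -Force -ErrorAction Stop
            $canWrite = $true
        } catch {}
        [pscustomobject]@{ Volume = $root; CanRead = $canRead; CanWrite = $canWrite }
    }
}

$policy = Get-RemovableDiskPolicy
'Policy tier: {0}' -f (Get-PolicyTier -Policy $policy)
$policy | Format-List
Test-RemovableVolumeAccess | Format-Table -AutoSize
```

A Read-Only tier should report DenyWrite as True and every removable volume with CanRead True and CanWrite False. If the registry values are absent the policy has not reached the endpoint; if the values are present but the write probe succeeds, look for a local administrator who has rewritten the keys or for a device that Windows does not classify as a Removable Disk (for example a phone in MTP mode).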

5. Security & Compliance Guardrails

  • Peripheral Allowlisting: If a user requires a specialized peripheral, use the device ID allowlist (Windows) to grant an exception without opening the entire USB bus. Use the per-unit device instance ID, which includes the drive’s serial number, rather than a model-level hardware ID; otherwise any drive of the same make and model is admitted.
  • Executable Blocking: Always disable “Allow execute access” on Windows unless absolutely necessary. This stops binaries from being launched directly from the drive. Keep expectations straight: Windows has not auto-run programs from USB flash drives by default since Windows 7, so the realistic threat is a user (or a malicious document) launching a binary from the drive. Execute blocking does not stop a file being copied to local disk and run from there, nor a script that a local interpreter merely reads from the drive, so pair it with application control where those cases matter.

6. Troubleshooting

  • “Read-Only” not working (Windows): First confirm the policy actually reached the endpoint (the device shows the policy as applied in the console and the corresponding Removable Storage Access deny values are present on the machine). Then ensure the user does not have local admin rights, since a local administrator can rewrite the policy values and override the restriction.
  • Allowlisted device blocked: Verify the device ID strings match exactly; a single differing character, including a trailing space pasted from a document, will cause a block. Copy the ID from Device Manager (drive Properties > Details > Device instance path) rather than typing it. A drive that reports no USB serial number receives a Windows-generated instance ID that can change between ports and machines, so such drives cannot be reliably allowlisted.