Device connection

Trigger Device connected in DLP policies

Trigger Device connected enables monitoring and blocking of hardware device connections to computers within the organization. The trigger operates based on the list of device groups available in Windows Device Manager – selected device types can be fully blocked or allowed for users or devices covered by the rule.

List of supported devices

The eAuditor system enables monitoring and blocking of the following device types:

  • Storage volume shadow copies – Supports mechanisms for creating and managing backups and snapshots of storage volumes used by the operating system.

  • Battery devices – Includes battery-powered devices and power management components such as batteries and power controllers.

  • Biometric devices – Devices used to authenticate users based on biometric characteristics, such as fingerprints or facial recognition.

  • Bluetooth devices – Devices communicating wirelessly using Bluetooth technology, e.g., headsets, keyboards, mice.

  • CD-ROM drives – Optical drives that allow reading (and in some cases writing) of CD media.

  • Graphics cards – Devices responsible for processing and generating the image displayed on the screen.

  • Floppy disk drives – Devices used for reading and writing data on magnetic floppy disks.

  • Global Positioning System – Devices and modules enabling determination of geographic position using GPS.

  • Hard disk controllers – Controllers that manage communication between the operating system and hard drives and other data storage devices.

  • Human Interface Devices (HID) – Devices that enable user interaction with the system, such as keyboards, mice, joysticks, and game controllers.

  • IEEE 1284.4-compliant devices – Devices using the IEEE 1284.4 standard, most commonly used in communication with printers.

  • IEEE 1394 host bus controller – IEEE 1394 (FireWire) interface controllers enabling communication with high-throughput peripheral devices.

  • Imaging devices – Devices intended for capturing images, such as cameras, scanners, and digital cameras.

  • IrDA devices – Devices using infrared communication according to the IrDA standard.

  • Keyboards – Input devices used for data entry and system control.

  • Media changers – Devices that enable automatic swapping of data or media carriers, e.g., disc changers.

  • Modems – Devices used for transmitting data between the system and the telecommunication network.

  • Mouse – A pointing device that enables cursor control and interaction with the system graphical interface.

  • Multifunction devices – Complex devices combining multiple functions, e.g., printing, scanning, and copying.

  • Multimedia – Devices and components responsible for handling audio and video in the operating system.

Principle of operation

Activating the trigger results in a configuration change for the selected device groups. Any attempt to enable or disable devices in the specified group from Device Manager results in a rule violation, which may trigger specific actions, e.g., screen recording, log entry, notifications, etc.

Three settings are available for each device group:

  • Ignore (gray)

  • Always allow (green)

  • Always block (black)

Ignore (gray)

  • Does not enforce any changes – the user can locally modify rules in Windows.

  • Connecting devices does not affect the DLP policy.

Always allow (green)

  • Devices from the given group may be connected.

  • Attempts to locally disable availability for this group are blocked and logged.

  • Connecting the device does not trigger any actions or system log entries.

Always block (black)

  • Does not allow local unlocking of devices.

  • Every attempt to change settings is logged and blocked.

  • Devices connected from the given group are immediately blocked.

Practical application

Blocking all USB devices on the production floor

Objective: Ensure that no external CD-ROM drives or Bluetooth devices are used on the production floor.

Configuration:

  1. Select device types: CD-ROM drives and Bluetooth devices.

  2. Set the rule to Always block (black switch) – all specified devices will be blocked.

Result:

  • No device whose type was specified in the rule will be detected on computers covered by the rule.
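A host-side check for the scenario above, added here as an example that is not part of the eAuditor product or its documentation: it lists the present devices in the Windows device setup classes `CDROM` and `Bluetooth`, so the rule's scope can be reviewed before rollout and its result confirmed afterwards. Assumptions: these two class names correspond to the eAuditor groups "CD-ROM drives" and "Bluetooth devices", a blocked device is either absent or no longer reports status `OK`, and `Get-RuleClassDevice` is a hypothetical helper name.

```powershell
# Added example, not eAuditor code. Run in PowerShell on a computer covered by the rule.
# Assumption: the eAuditor groups map to these Windows device setup classes.
$ruleClasses = @('CDROM', 'Bluetooth')

function Get-RuleClassDevice {
    # Hypothetical helper: returns present PnP devices for each requested setup class.
    param(
        [Parameter(Mandatory)]
        [string[]]$Class
    )
    foreach ($c in $Class) {
        # SilentlyContinue: a class with no matching devices yields nothing instead of an error.
        Get-PnpDevice -Class $c -PresentOnly -ErrorAction SilentlyContinue |
            Select-Object @{ Name = 'Computer'; Expression = { $env:COMPUTERNAME } },
                          Class, FriendlyName, Status, InstanceId
    }
}

$devices = @(Get-RuleClassDevice -Class $ruleClasses)

# Before enabling "Always block": everything on this host that the rule would affect.
$devices | Sort-Object Class, FriendlyName | Format-Table -AutoSize

# After enabling the rule: devices in the blocked classes that still report as working.
# Assumption: a blocked device is absent or has a status other than 'OK'.
$working = @($devices | Where-Object { $_.Status -eq 'OK' })

if ($working.Count -eq 0) {
    "No working devices in classes: $($ruleClasses -join ', ')"
}
else {
    Write-Warning "$($working.Count) device(s) in the blocked classes still report status OK:"
    $working | Format-Table Class, FriendlyName, InstanceId -AutoSize
}
```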

Summary

The Device connection trigger is a flexible tool for managing device availability within the organization. With a broad list of supported devices and straightforward configuration of blocking options, the rule enables effective protection of IT resources against unauthorized hardware use.
