Mac Device Control in Endpoint Protection 14
For each type of policy, you can create a hardware device control list. This list contains a list of blocked devices and a list of devices that are excluded from blocking.
The hardware device control occurs at the file system level. Therefore, the user may still be able to perform volume-level tasks on blocked devices or read-only devices with Disk Utility or Terminal commands. These tasks include erasing, ejecting, or creating a disc image of the blocked device.
The list does not show all of the allowed devices. This list only displays the exceptions to the
You should test all device control conditions that you create on a small test group before you apply the policy to all Mac clients. Testing ensures the device control policy blocks devices and excludes devices from blocking as expected.
Use caution when blocking by vendor or device ID. Symantec recommends that you do not select non-storage devices that may show up in Finder as devices to be blocked.
You can configure client user interface control settings with
Mixed Controlmode to prevent users from enabling or disabling device control.
For more information, see:
Vendor, model, and serial number fields are not case-sensitive. For each device specified, if you leave the vendor, model, or serial number fields blank, the policy blocks any devices that match the device type.
Device control rule conditions give greater precedence to the criteria that are the most specific. For example, the full text string has the greatest precedence, followed next by a partial text string with wildcard, and then by a wildcard only. A blank field acts like a wildcard search, with less weight than the full text string or a partial text string. Similarly, the serial number has a greater precedence than the model name, which takes greater precedence than the vendor name. The full string text for the vendor name takes precedence over the partial string text of the serial number.
The Mac device control conditions are weighted as follows, from greatest weight to least:
- Full string text, serial number
- Full string text, model name
- Full string text, vendor name
- Partial string text with wildcard, serial number
- Partial string text with wildcard, model name
- Partial string text with wildcard, vendor name
- Wildcard only, serial number
- Wildcard only, model name
- Wildcard only, vendor name
- Blank field (nothing defined)
To obtain the serial number, model number, or vendor name from a Mac-connected device, use the DeviceInfo tool from the installation file. You can find this tool and its instructions under
The following table lists the device blocking options available for Mac devices.
Group or option
The name of the device that is blocked or excluded from blocking. You can add or delete devices from this list.
The supported device types for Mac are:
The vendor of the device that is blocked or excluded from blocking.
You can block or exclude from blocking all device types except Thunderbolt by specific vendor name.
You can use regular expressions to define the vendor name. See:
The model of the device that is blocked or excluded from blocking.
You can block or exclude from blocking all device types by specific model.
You can use regular expressions to define the model name. See:
The serial number of the device that is blocked or excluded from blocking.
You can only block or exclude from blocking the specific serial numbers of Thunderbolt and USB devices.
You can use regular expressions to define the serial number. See:
Log detected devices
Adds an entry to the device control log whenever Device Control detects a device. This option is enabled by default.
Notify users when devices are blocked or unblocked
Sends a notification to client computers when a blocked device connects or starts up. This option is disabled by default.
The following table describes the regular expressions with which you can define device control criteria.
Matches any character but a newline.
For example, So*.* matches "So", "Soo", "Sooo", Sobar", "Sooxxx".
Matches the character to follow.
The backslash escapes all other meta-characters and itself. When you use backslash in a set, it is considered a regular character.
For a binary match, use \x. For example, \xA0 matches binary a0 Hex.
Matches one of the characters in the set.
If the first character in the set is a carat ( ^ ), the set attempts to match any characters that are not in the set. The special characters right bracket ( ] ) and hyphen ( - ) have no special meaning if they appear as the first character in the set.
A set can also match a range or characters. For example, S-E would specify a set of characters S through E, inclusive.
For example, [a-z] matches any alphabetical character, while [^]\-] matches any character except for ], \, and -.
(Star or asterisk)
Any previous regular expression form that concludes with the asterisk ( * ) matches zero or more matches of that form.
For example, Soo\\* matches "Soo\", "Soo\\", "Soo\\\", and "Soo\\\12".
Any previous regular expression form that concludes with the plus (+) matches one or more matches of that form.
For example, Soo\\+ matches "Soo\", "Soo\\", and "Soo\\\", but it does not match "Soo\\\12".