Defining rules for using USB devices

USB rules allow you to restrict the use of USB mass storage devices to certain models, for example.

  1. For the relevant OU or device, open Device configuration > Hardware > USB > Edit.

  2. In the list-field, select a set of predefined rules as template.

  3. Double-click into the relevant line, or select a line and press F2.
  4. Modify the rule by using the example rules below.

    The values of the manufacturer ID (VID) and product ID (PID) can be found on the device in the Config panel under Peripherals > USB > Information):

  5. Confirm with OK.

Example rules

Rule Code
Allow a specific USB mass storage device model only ALLOW: VID=0781 PID=5151 # Allow a particular USB model (Example: SanDisk Cruzer Micro)
DENY: CLASS=08 # Deny all devices of the class MASS STORAGE DEVICES.
Deny a specific smart card model only DENY: VID=18a5 PID=0302 # Deny a particular smart card model (Example: Omnikey CardMan 3821)
ALLOW: CLASS=0B # Allow all devices of the class SMARTCARD
Deny all printers, mass storage devices, smart card readers. DENY: CLASS=07 # Deny all devices of the class PRINTERS
DENY: CLASS=08 # Deny all devices of the class MASS STORAGE DEVICES
DENY: CLASS=0B # Deny all devices of the class SMARTCARD
Deny all devices DENY: # Deny all devices.
Disable the microphone of a webcam DENY: VID=045e PID=0810 CLASS=01 # Deny audio for the specified USB device

The syntax of USB rules corresponds to the syntax of Citrix USB policy rules.

The USB rules affect all USB device classes including 03 HID (Human Interface Devices). If you deny the 03 HID class, the mouse and keyboard will be deactivated. If you deny all classes (DENY: # Deny all devices), also internal USB hubs and devices with manufacturer-specific device classes such as WLAN modules on the device will be affected. For specific hardware configurations, you might encounter issues during the boot process of the device. We strongly recommend performing tests before using this option.