Blocking USB access is often essential for organizations seeking to prevent unauthorized data transfers, malware infections, or data exfiltration through removable media. For those managing SentinelOne via the Addigy Security Suite, the following step-by-step guide details how to block USB devices in accordance with enterprise security policies and compliance needs. These instructions are specifically for administrators using the Addigy Security Suite integration powered by SentinelOne.
Why Block USB Devices?
- Prevent Data Loss: USB devices are a common vector for data theft or accidental loss, posing a significant risk to sensitive organizational information.
- Mitigate Malware Threats: USB storage can introduce malware and ransomware onto endpoints, compromising systems.
- Enforce Compliance: Many regulatory standards require strict controls over external device usage to ensure data integrity and compliance.
Prerequisites
- Ensure the Addigy Security Suite with SentinelOne integration is enabled for your environment.
- Users must have the necessary permissions within Addigy and access to the SentinelOne Management Console.
- Device Control must be supported by the deployed SentinelOne agent versions (macOS 2.7–4.3, 21.7+).
Step-by-Step Guide
- Accessing Device Control Rules
  - Open the SentinelOne Management Console synced through your Addigy environment.
- Navigating to Device Control
  - In the SentinelOne Console, select the appropriate scope (Group, Site, Account, or Global) in the Scopes panel.
  - Click on the Device Control tab in the toolbar.
- Creating a Block USB Device Rule
  - Click New rule… to begin creating a new device control rule.
  - In the rule creation window:
    - Name your rule descriptively, e.g., "Block All USB Storage Devices," explaining its purpose for future reference.
    - Set the Interface to USB.
    - Select the Rule Type, such as Class, and then specify the class (e.g., "Mass Storage").
    - Define the desired scope if different from the currently selected one.
    - Set the Action to Block. This will block USB devices matching your criteria from being accessed on endpoints.
- Defining Block Rule Criteria
  - On the criteria screen, select:
    - Class: "08 Mass Storage" for all USB storage devices, or specify other classes (Video, Printer, etc.) as needed.
    - Optionally, set Vendor ID, Product ID, or Serial ID for more granular control. Leaving these as "Any" blocks all devices of the selected class.
- Finalizing and Enabling the Rule
  - Ensure "Enable rule immediately after saving" is checked, so the rule becomes active right away.
  - Click Save rule to implement the policy.
- Rule Activation Details
  - For devices assigned to the policy, changes apply immediately—even for currently connected devices.
- Managing and Editing Rules
  - To enable/disable a rule, select it in the Device Control panel, and use the Actions menu.
  - To edit the rule, click the rule name, go to Edit, make changes, and Save.
Best Practices
- Block rules stop data transfer but may not always prevent device charging, depending on the device model.
- For detailed device targeting, use vendor or product IDs as appropriate.
- Keep rule names concise and descriptive for audit and maintenance purposes.
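An added example, not part of the original guide or of Addigy's or SentinelOne's tooling: to fill in the Vendor ID, Product ID, and Serial ID fields used for granular rules, this Python script lists those values for the USB devices a Mac reports. It assumes the JSON key names of `system_profiler SPUSBDataType -json`; the sample data and all IDs in it are constructed.

```python
import json
import re
import subprocess

# Constructed sample in the shape of `system_profiler SPUSBDataType -json`
# output (key names are an assumption about that tool's usual output).
SAMPLE = json.dumps({"SPUSBDataType": [{
    "_name": "USB31Bus",
    "_items": [
        {"_name": "Example Flash Drive", "vendor_id": "0x1234  (Example Vendor)",
         "product_id": "0xabcd", "serial_num": "CONSTRUCTED0001",
         "Media": [{"_name": "Example Disk", "bsd_name": "disk4"}]},
        {"_name": "Example Hub", "vendor_id": "0x5678  (Example Hub Vendor)",
         "product_id": "0x0610",
         "_items": [{"_name": "Example Keyboard", "vendor_id": "0x9abc",
                     "product_id": "0x0001"}]},
    ]}]})

def _hex_id(value):
    """Pull the bare 4-digit hex ID out of strings like '0x1234  (Vendor)'."""
    match = re.search(r"0x([0-9a-fA-F]{4})", value or "")
    return match.group(1).lower() if match else None

def walk(nodes):
    """Yield one record per USB device, descending through hubs via '_items'."""
    for node in nodes:
        if "product_id" in node:  # bus and controller entries carry no product_id
            yield {
                "name": node.get("_name"),
                "vendor_id": _hex_id(node.get("vendor_id")),
                "product_id": _hex_id(node.get("product_id")),
                "serial": node.get("serial_num"),
                "storage": "Media" in node,  # device exposes a disk
            }
        yield from walk(node.get("_items", []))

def inventory(raw_json):
    return list(walk(json.loads(raw_json).get("SPUSBDataType", [])))

if __name__ == "__main__":
    try:  # live data on a Mac; falls back to the constructed sample elsewhere
        raw = subprocess.run(["system_profiler", "SPUSBDataType", "-json"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        raw = SAMPLE
    for dev in inventory(raw):
        print(dev)
```

Devices without a serial number show `serial` as `None`; for those, a rule can only be narrowed to vendor and product ID.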
These steps ensure comprehensive control over USB device usage in organizations using Addigy Security Suite with SentinelOne, providing advanced endpoint security aligned with best practices and compliance requirements.