
(12.4-en) USB Access Control in IGEL OS 12

This article shows how to control USB access to the endpoint device in IGEL OS. You can allow or prohibit the use of USB devices on your endpoint. Specific rules for individual devices or device classes are possible.


Menu path: Devices > USB Access Control

 

 

Enable

☑ USB access control is enabled and the following settings can be configured.

☐ USB access control is inactive. (Default)

Activating USB Access Control and setting the Default rule to Deny blocks the use of USB devices both locally and in the session, and might therefore disable devices that users need. Activate USB access control only if your security policy requires it. In this case, set Default rule to Deny and configure Allow rules for the required USB devices and USB device classes.

It is recommended to configure USB Access Control as the last step in the device configuration. Before activating USB access control, check that all your other settings for printers, Unified Communication, USB redirection, and mapping of USB devices are working as expected.

Note that USB access control is completely separate from USB redirection for remote sessions.

Also note that the feature does not disable a USB port physically, i.e. power delivery will still work.

Default rule

Specifies whether the use of USB devices is allowed or prohibited.

  • Allow (Default)

  • Deny

 

Default permission

Default access rights for USB devices.

  • Read Only

  • Read/Write (Default)

Class Rules

Class rules apply to USB device classes. To manage the list of class rules, use the list's icons to:

  • Create a new entry.

  • Remove the selected entry.

  • Edit the selected entry.

  • Copy the selected entry.

Clicking the icon for a new entry brings up the Add dialogue, where you can define the following settings:

 

  • Rule

Specifies whether the use of the device class defined here is allowed or prohibited.

- Allow

- Deny (Default)

  • Class ID

Device class for which the rule should apply. (Examples: Audio, Printers, Mass Storage)

  • Name

Name of the rule

Device Rules

Device rules apply to specific USB devices. To manage the list of device rules, use the list's icons to:

  • Create a new entry.

  • Remove the selected entry.

  • Edit the selected entry.

  • Copy the selected entry.

Clicking the icon for a new entry brings up the Add dialogue, where you can define the following settings:

 

  • Rule

Specifies whether the use of the device defined here is allowed or prohibited.

- Allow

- Deny (Default)

  • Vendor ID

Hexadecimal ID of the device manufacturer

  • Product ID

Hexadecimal ID of the device

Getting USB Device Information

To find out the Class ID, Subclass ID, Vendor ID and Product ID of the connected USB device, you can use the System Information tool. For further information, see System Information.


Alternatively, you can use the command lsusb (or lsusb | grep -i [search term]) in the terminal.


 

  • Device UUID

Universally Unique Identifier (UUID) of the device

  • Permission

Authorizations for access to the device

Possible values:

- Global setting: The default setting for hotplug storage devices is used; see the Default permission parameter under Devices > Storage Devices > Storage Hotplug. For more information, see https://igel-jira.atlassian.net/wiki/spaces/IGELOS12BSDOCP/pages/127719479.

- Read only

- Read/Write

  • Name

Name of the rule
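
A pre-activation check for the settings above, as an added example that is not IGEL code: it parses lsusb output into Vendor ID and Product ID pairs and lists the connected devices that have no matching Allow device rule, which is the list to review before setting Default rule to Deny. The sample lsusb output, the allow list and the function names usb_ids and denied_devices are constructed for illustration; class rules are not evaluated, so a listed device may still be covered by a class rule.

```shell
#!/bin/sh
# Added example (not IGEL code): compare connected USB devices with planned
# Allow device rules before enabling USB access control with Default rule = Deny.

# Constructed sample of lsusb output (not captured from a real endpoint).
SAMPLE_LSUSB='Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 005: ID 0781:5567 SanDisk Corp. Cruzer Blade
Bus 002 Device 003: ID 0bda:8153 Realtek Semiconductor Corp. RTL8153 Gigabit Ethernet Adapter'

# Hypothetical allow list: one "VendorID:ProductID" pair per line, matching
# the hexadecimal values entered in Device Rules with Rule = Allow.
ALLOW_RULES='046d:c31c
0BDA:8153'

# usb_ids: read lsusb output on stdin, print "vendor product name" per device.
# Lines that do not look like lsusb device lines are ignored.
usb_ids() {
    sed -n 's/^Bus [0-9]* Device [0-9]*: ID \([0-9a-fA-F]\{4\}\):\([0-9a-fA-F]\{4\}\) *\(.*\)$/\1 \2 \3/p'
}

# denied_devices ALLOW_LIST: read lsusb output on stdin and print every
# device whose vendor:product pair has no entry in ALLOW_LIST.
# Hex digits are lower-cased on both sides so 0BDA:8153 matches 0bda:8153.
# Root hubs are listed too; the article does not say how they are treated.
denied_devices() {
    allow=$(printf '%s\n' "$1" | tr 'A-F' 'a-f')
    usb_ids | while read -r vid pid name; do
        id=$(printf '%s:%s' "$vid" "$pid" | tr 'A-F' 'a-f')
        if ! printf '%s\n' "$allow" | grep -qxF "$id"; then
            printf '%s %s\n' "$id" "$name"
        fi
    done
}

# Run against the constructed sample; on an endpoint use:
#   lsusb | denied_devices "$ALLOW_RULES"
printf '%s\n' "$SAMPLE_LSUSB" | denied_devices "$ALLOW_RULES"
```

An empty result means every connected device has an Allow device rule in the list.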