I/O Device Access Control

I/O Device Access Control is a crucial security measure that empowers administrators to strictly regulate the connection of external devices to managed devices. By controlling which I/O devices can be accessed, you can effectively prevent unauthorized data transfers and protect your organization's sensitive information. This mitigates the risks associated with connecting untrusted devices to your network. At the same time you can exercise precise control over which I/O devices are allowed to access your devices.

By implementing I/O Device Access Control, you can significantly strengthen your organization's security posture and protect your valuable data.

The document explains what configurations you need to do on Scalefusion Dashboard to control accessing I/O devices on managed macOS devices.

Platforms Supported: macOS

External Storage Device Types Supported: PenDrive, Hard Disk Drive, SD Card

Pre-Requisites

1. Scalefusion MDM Client’s (agent app for macOS) v4.1.1 or above should be installed on device

2. macOS Device Profile should be created on Scalefusion Dashboard

3. Your account should have access to I/O Device Access Control feature

4. Supported OS: OS 10.15 or above

How it Works

1. Configure Access Policy: Set the default access level for storage devices.

2. Define Access Rules: Create rules specifying the storage devices to deny or allow based on the chosen criteria.

3. Enforcement: Scalefusion Veltar will monitor external devices connected and enforce the defined rules.

4. Logging: Detailed logs are recorded for devices’ access, providing valuable insights into device usage.

Steps

Step 1: Create Configuration

1. On Scalefusion Dashboard, navigate to Veltar > I/O Device Access Control and click on Create Configuration
   
   

2. In the new window, enter Configuration Name

3. On the left you will find the configurable settings under these heads. Navigate to each link:

   1. Access Policy

   2. Settings

   3. Access Restrictions
      
      

4. Once you have configured all the above, click on Create button on top right.

5. The configuration will get created and displayed under Configuration tab with other related details.

Access Policy 

From this section, you can define the rules related to storage device access control. By configuring these settings, you can control the access level for storage devices, enforce encryption requirements, and manage connections from iPhones and iPads. Configuration Options:

1. Default Access Level for Storage Devices: Set the default access level for storage devices.

   1. Read & Write

   2. Read Only

   3. Deny Access

2. Allow Access Only if the Device is Encrypted: Enables or disables access to storage devices unless they are encrypted. This option is configurable when the default access level is set to Read & Write or Read Only.

3. Access Policy for iPhones & iPads: Configure the access policy for iPhone and iPad connections to the device by choosing one of the following:

   1. Allow to Connect

   2. Deny Access

4. Device Level Access Rules: Configure specific rules for individual storage devices which will allow you to define exceptions to the default policy. To do so,

   1. Click on Add Access Rule
      

   2. This will open the Add Access Rule wizard. Enter the following details:

      1. Name: Set a unique name for the rule.

      2. Type: Select the rule type which act as unique identifiers for the device. It can be based on any of the following:

         1. Product ID

         2. Vendor ID

         3. Serial Number

      3. Access Type: Configure the access type for the device.

         1. Read & Write

         2. Read Only

         3. Deny Access

      4. Encryption Status: With this, you can allow or deny the access to the storage device only if the device is encrypted.

      5. Value: Enter the value for the selected rule type. For example, if you have selected Product ID as the Type then provide the Product ID of the storage device for which you are creating access rule.
         

         
         Note: Values can be fetched from the managed device by navigating to Settings > General > About > System Report
         

5. Click Save

6. The rule will be created and displayed.
   

To apply a rule, you need to enable the toggle under Enable All

Settings 

Configure I/O Devices’ blocking behavior through these settings:

1. Configure Blocking Behavior: Select whether to block I/O device silently or display an alert to the end user.

   1. Alert Message (Enabled if Blocking Behavior is set to Display an Alert): Configure the alert message that will be shown to the user when a blocked storage device is accessed.

   2. Display More Info Button: Enables or disables the More Info button in the alert. When enabled, clicking the button will direct the user to the specified URL.

      1. More Info URL: Enter the URL that will be displayed when the More Info button is clicked.

      The alert message and Display More Info button become configurable only if the blocking behavior is set to Display an alert 

2. Select User Scope: Select the scope for the blocking policy by choosing one of the following:

   1. Enrolled User

   2. All Accounts

   3. Administrator Accounts

   4. Standard Accounts

   5. Specific User Accounts: On selecting this option, a text field will be displayed where you need to enter Local user short names which are present on the device. You can search for a particular user which will populate list of users created. To add more than one user, click on New User link.
      
      

Access Restrictions

IT admins can configure specific conditions from the Scalefusion Dashboard which determine the users' ability to access the I/O device. To conditionally access, following parameters can be enforced: 

1. Day & Time: Configure the Time schedule in which user account is allowed to access the I/O device. Select the following:

   1. Start Time & End Time

   2. Timezone: You can either choose to use device's local timezone or select it manually from the drop-down. 

   3. Select Days: Select particular day(s) from Sunday to Saturday
      
      

2. IP Address: Enter the IP ranges and the user(s) will be allowed to access the I/O device within those specified ranges. To give range, click on Add Range link. This will add a new row below. Here, select Type from IPv4 and IPv6, give start and End IP address. The IT admins can click on the delete icon under Actions if any particular IP range has to be removed. Click on Add range to configure multiple IP ranges. Note: The IP addresses should be valid.
   

Once you have configured all the above, click on Create button on top right. The configuration will get created and displayed under Configuration tab with other related details.

Step 2: Publish Configuration

To Publish, 

1. Click on publish icon in front of the configuration

2. In the new window, select the device profile(s) on which you want to publish the configuration. 

3. Click Publish
   
   

User Experience on Device

On publishing the configuration,

1. Notice Veltar icon on the top bar. Clicking on it will reflect I/O Device Access Control Policy as Configured
   
   
   

2. If you open Scalefusion MDM Client, it will reflect I/O Device Access Control Policy as Configured, under Settings
   
   
   

3. If you try to access an external storage device (for which you have created a rule in the configuration) it will show up the alert message you have configured. Below screenshot is an example when user tries to access Crucial X6, a portable solid-state drive (SSD) which has I/O Device Access Control policy applied to it and the user is denied from using the storage device.
   
   

Event Logs

From this section you can get detailed logs which are recorded for I/O device access, providing valuable insights into device usage. Click on Event Logs tab under I/O Device Access Control

Events Info

This section shows detailed information on the events, under following heads

1. Endpoint: The name assigned to the macOS device.

2. Device Name: The name of the external storage device.

3. Device Type: The type of external storage device

4. Username: The name of the user account that accessed the storage device.

5. Connection Status: Connected- Read & Write, Connected - Read Only, Denied, Connected

6. Timestamp: Indicates when the I/O device was accessed by the user.

7. Actions:

   1. View App Information: Clicking this option displays a pop-up with detailed information about the I/O device. This information helps administrators understand the context of storage device’s access and identify the specific reasons for the blocks:

      1. Name

      2. Product ID

      3. Product Name

      4. Vendor ID

      5. Serial Number

      6. Manufacturer

      7. BSD Name

      8. Bsd Path

      9. Mount Point

      10. File System

      11. Is Encrypted

      12. Is Read Only

      13. Total Size

      14. Available Size

      15. Connection Status

      16. Connection Reason

   2. Edit Configuration: With this, you can update the configuration

   

Additional Features

Filters

There are filtering options available for viewing activity logs. You can filter them by: 

1. Timestamp:

   1. Timestamp

   2. Device Name

   3. Username

2. Configurations:

   1. All Configurations

   2. List of available configurations. Choose a specific configuration

3. Date Picker:

   1. Start Date: It can be from Current Date to 7 days. You cannot select a date more than 30 days in the past.

   2. End Date

      Note: Logs older than 30 days get automatically deleted.

4. Page Size: Select the number of records to be displayed on one page

5. Search Using Device Name, Serial No, or Name
   
   

Download Report

Clicking the button downloads a CSV report containing the filtered activity data. Please note the report can be downloaded for a duration of 7 days at the maximum.