I/O Device Access Control
  • 02 Sep 2025


Controlling access to external devices is a vital component of endpoint security. I/O Device Access Control (IODAC) enables IT administrators to define strict policies for managing peripheral connections on organizational devices, thereby preventing unauthorized data transfers and safeguarding sensitive information.

With Veltar’s I/O Device Access Control feature integrated into the Scalefusion Dashboard, administrators can configure granular policies across Windows, macOS, and Linux platforms to allow, restrict, or block specific device types ranging from USB storage and Bluetooth peripherals to keyboards, mice, and network adapters.

This document provides a step-by-step guide to configuring and managing IODAC policies on supported platforms to help you effectively control I/O device access within your organization.

  • Platforms Supported: macOS, Linux, Windows

Pre-Requisites

  1. Minimum Agent versions:

    1. macOS: Scalefusion MDM Client (agent app for macOS) v4.1.1 or above should be installed on the device

    2. Windows: Scalefusion MDM agent (agent app for Windows) v16.3.1 or above should be installed on the device

    3. Linux: v3.0.0 or above

      1. Ubuntu: 0.0.0~20250619095657-0_amd64.deb

      2. Redhat: 0.0.0~20250619100654-0.el8.x86_64.rpm

  2. Device Profiles for macOS, Linux, Windows should be created on Scalefusion Dashboard

  3. Your account should have access to the I/O Device Access Control feature

  4. Supported OS:

    1. macOS: OS 10.15 or above

    2. Linux: Debian and Redhat family

    3. Windows: Windows 10 and 11 (Pro and Home), and Windows Server 2022 and 2025

  5. Enrollment mode on Windows: Agent based enrollment, Modern Management, BYOD, User Authenticated enrollment, Serial number based enrollment

How it Works

  1. Configure Access Policy: Set the default access level for storage devices.

  2. Define Access Rules: Create rules specifying the devices to deny or allow based on the chosen criteria.

  3. Enforcement: Scalefusion Veltar monitors connected external devices and enforces the defined rules.

  4. Logging: Detailed logs are recorded for device access, providing valuable insights into device usage.

Steps

Step 1: Create Configuration

  1. On Scalefusion Dashboard, navigate to Veltar > I/O Device Access Control and click on Create Configuration

  2. In the new window, enter Configuration Name

  3. On the left you will find the configurable settings under these heads. Navigate to each link:

    1. Access Policy

    2. Access Rules

    3. Settings

    4. Access Restriction

  4. Once you have configured all the above, click on Create button on top right.

  5. The configuration will get created and displayed under Configuration tab with other related details.

Access Policy 

By configuring these settings, you can control the access level for various types of devices and enforce encryption requirements. Configuration Options:

Each policy below is listed with its Description, Platform Supported, and Device Types Supported.

Storage Devices

  • Default Access Level for Storage Devices
    Description: Set the default access level for storage devices. Options: Full Access, Read Only, Deny Access.
    Platform Supported: macOS, Linux
    Device Types Supported:
      For macOS: PenDrive, Hard Disk Drive, SD Card
      For Linux: PenDrive, Hard Disk Drive (HDD), Solid State Drive (SSD)

  • Allow Access Only if the Device is Encrypted
    Description: Enables or disables access to storage devices unless they are encrypted. This option is configurable when the default access level is set to Full Access or Read Only.
    Platform Supported: macOS, Linux

  • Access Policy for iPhones & iPads
    Description: Configure the access policy for iPhone and iPad connections to the device by choosing one of the following: Allow to Connect, Deny Access.
    Platform Supported: macOS

  • Access Policy for Android Devices
    Description: Configure the access policy for connecting Android devices to Linux device by choosing one of the following:
      Allow to Connect: Allows connecting an android device to Linux device
      Deny Access: Disallows connecting an android device to Linux device
    Platform Supported: Linux

  • USB (Removable Disks)
    Description: Set the access level for USB devices. Options: Full Access, Read Only, Deny Access.
    Platform Supported: Windows
    Device Types Supported: Pendrives (Encrypted & Non-Encrypted)

  • Allow Access Only if the Device is Encrypted
    Description: Enables or disables access to USB devices unless they are encrypted. This option is configurable when the default access level is set to Full Access or Read Only.
    Platform Supported: Windows

  • External HDD
    Description: Set the access level for External Hard Disk Drives. Options: Full Access, Read Only, Deny Access.
    Platform Supported: Windows
    Device Types Supported: External Hard Disk

  • Optical Drive (CD/DVD)
    Description: Set the access level for Optical Drives. Options: Full Access, Read Only, Deny Access.
    Platform Supported: Windows
    Device Types Supported: CD Drive

  • SD Card
    Description: Set the access level for SD Card. Options: Full Access, Read Only, Deny Access.
    Platform Supported: Windows
    Device Types Supported:
      1. SD Card
      2. SD Card Reader (USB)
    Points to Note for SD Card Detection Behavior:
      • Via SD card slot/adapter: Detected as an SD Card; SD Card-specific settings apply.
      • Via USB card reader: Detected as a Removable USB drive; only USB drive settings apply. SD Card settings are ignored.

Human Interface Devices

  • Keyboard
    Description: Set the access level for Keyboard. Options: Full Access, Deny Access.
    Platform Supported: Windows, Linux
    Device Types Supported:
      For Windows: USB Keyboard, Dongle Keyboard
    Important Point to Note:
      • Wired Keyboard, Wired Headphones: These devices may generate a unique device instance ID for each USB port.

  • Mouse
    Description: Set the access level for Mouse. Options: Full Access, Deny Access.
    Platform Supported: Windows, Linux
    Device Types Supported:
      For Windows: Wired Mouse, Dongle Mouse
    Important Points to Note:
      1. Dongle Mouse: May use the same device instance ID across all USB ports.
      2. Wired Mouse: May generate a different device instance ID for each USB port it is connected to.

Wireless Devices

  • Bluetooth
    Description: Set the access level for Bluetooth. Options: Full Access, Block File Transfer, Deny Access.
    Platform Supported: Windows
    Device Types Supported: Bluetooth Mouse, Bluetooth Earphones (True Wireless Stereos), Bluetooth headphones, Bluetooth Keyboard, Bluetooth Controller, Bluetooth mobile (File Transfer)

  • External WiFi Adapter
    Description: Set the access level for External WiFi Adapter. Options: Full Access, Deny Access.
    Platform Supported: Windows, Linux
    Device Types Supported:
      For Windows: External USB Wifi Nano Adapter
    Important Point to Note:
      • Features like Mobile Hotspot, Screencast, Nearby Share, and Wi-Fi Printers are not blocked, as they are treated as an internal adapter rather than an external one.

  • Infrared
    Description: Set the access level for Infrared. Options: Full Access, Deny Access.
    Platform Supported: Windows

Media/Imaging Devices

  • Cameras, Webcams
    Description: Set the access level for Cameras, Webcams. Options: Full Access, Deny Access.
    Platform Supported: Windows, Linux
    Device Types Supported:
      For Windows: Webcam, Webcam via DSLR

  • Scanners
    Description: Set the access level for Scanners. Options: Full Access, Deny Access.
    Platform Supported: Windows
    Device Types Supported: Scanner (USB)

Others

  • Printers
    Description: Set the access level for Printers. Options: Full Access, Deny Access.
    Platform Supported: Windows, Linux
    Device Types Supported: Printers (Wired)

  • USB Headphones
    Description: Set the access level for USB Headphones. Options: Full Access, Deny Access.
    Platform Supported: Windows, Linux
    Device Types Supported: USB Headphones

  • Windows Portable Devices (WPD)
    Description: Set the access level for Windows Portable Devices. Options: Full Access, Deny Access.
    Platform Supported: Windows
    Device Types Supported: WPD using mobile

  • External Network Adapters
    Description: Set the access level for External Network Adapters. Options: Full Access, Deny Access.
    Platform Supported: Windows
    Device Types Supported: USB Modem

Access Rules

  1. Device Level Access Rules: Configure specific rules for individual storage devices which will allow you to define exceptions to the default policy. To do so,

    1. Go to Access Rules tab on the left panel and click on Add Access Rule

    2. This will open the Add Access Rule wizard. Enter the following details:

      1. Name: Set a unique name for the rule.

      2. Type: Select the rule type, which acts as the unique identifier for the device. It can be based on any of the following:

        1. Product ID

        2. Vendor ID

        3. Serial Number

        4. Device Instance ID (only for Windows)

          On Linux and macOS devices, Device Instance ID is not supported.

      3. Peripheral Type (only for Windows): Lists all peripheral types. Select the peripheral type for which you want to configure the access rule.

        Note: Bluetooth is not supported as a peripheral type for configuring Access Rules.

      4. Access Type: Configure the access type for the device. The drop-down options might differ based on the peripheral type you have selected

        1. Full Access

        2. Read Only

        3. Deny Access

      5. Encryption Status: With this, you can allow or deny the access to the storage device only if the device is encrypted.

        In Windows, the encryption status can be configured only when the Peripheral Type is set to either USB (Removable Disks) or External HDD.

      6. Value: Enter the value for the selected rule type. For example, if you have selected Product ID as the Type, then provide the Product ID of the storage device for which you are creating the access rule.

        How to fetch values from macOS devices


        Values can be fetched from the managed device by navigating to Settings > General > About > System Report

        How to fetch Device Instance ID from Windows Devices

        To fetch the Device Instance ID, connect the I/O device to the target Windows machine, then:

        1. Open Device Manager

          1. Press Win + X → Select Device Manager

        2. Locate the Device

          1. Expand the relevant category (e.g., Universal Serial Bus controllers, Disk drives, or Portable Devices)

        3. Open Device Properties

          1. Right-click the device → Select Properties

        4. Find the Device Instance ID

          1. Go to the Details tab

          2. In the Property drop-down, select Device Instance Path (or Device Instance ID in older versions)

          3. The value displayed is the Device Instance ID

  2. Click Save

  3. The rule will be created and displayed.


To apply a rule, you need to enable the toggle under Enable All
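
The Device Instance Path read from Device Manager in the steps above also carries the Vendor ID and Product ID, and often the serial number. The PowerShell function below is an added example, not Scalefusion's own tooling; it splits a USB Device Instance ID into those rule values. The function name, the constructed sample IDs, and the heuristic that an instance part with '&' as its second character was generated by Windows (and so can change with the USB port) are assumptions of this example.

```powershell
# Added example (not vendor code): derive access-rule values from a USB Device Instance ID.
function ConvertFrom-UsbInstanceId {
    [CmdletBinding()]
    param(
        # Accepts plain strings, or objects with an InstanceId property (e.g. Get-PnpDevice output).
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('InstanceId')]
        [string]$DeviceInstanceId
    )
    process {
        # Layout: <enumerator>\<device id>\<instance-specific id>
        $parts = $DeviceInstanceId -split '\\', 3
        if ($parts.Count -ne 3 -or $parts[0] -ne 'USB') {
            Write-Warning "Not a USB device instance ID: $DeviceInstanceId"
            return
        }

        $vendorId  = if ($parts[1] -match 'VID_([0-9A-Fa-f]{4})') { $Matches[1].ToUpper() }
        $productId = if ($parts[1] -match 'PID_([0-9A-Fa-f]{4})') { $Matches[1].ToUpper() }

        # Heuristic (assumption of this example): '&' as the second character means
        # Windows generated the instance part because the device reported no serial
        # number, so the ID can differ from one USB port to another.
        $generated = $parts[2] -match '^.&'
        $serial    = if ($generated) { $null } else { $parts[2] }

        [pscustomobject]@{
            VendorId         = $vendorId
            ProductId        = $productId
            SerialNumber     = $serial
            PortDependentId  = $generated
            DeviceInstanceId = $DeviceInstanceId
        }
    }
}

# Constructed sample IDs: one with a device serial number, one with a generated instance part.
$sampleIds = @(
    'USB\VID_1234&PID_5678\AA0011223344',
    'USB\VID_1234&PID_0001\6&2A9E1F3C&0&2'
)
$sampleIds | ConvertFrom-UsbInstanceId | Format-Table -AutoSize

# On a Windows endpoint with the I/O device connected:
# Get-PnpDevice -PresentOnly | Where-Object InstanceId -like 'USB\VID_*' | ConvertFrom-UsbInstanceId
```

For devices flagged PortDependentId, a Device Instance ID read on one port may not match on another, as the wired keyboard and mouse notes above state.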

Settings 

Configure I/O Devices’ blocking behavior through these settings:

  1. Configure Blocking Behavior: Select whether to block I/O device silently or display an alert to the end user.

    1. Alert Message (Enabled if Blocking Behavior is set to Display an Alert): Configure the alert message that will be shown to the user when a blocked storage device is accessed.

    2. Display More Info Button: Enables or disables the More Info button in the alert. When enabled, clicking the button will direct the user to the specified URL.

      1. More Info URL: Enter the URL that will be displayed when the More Info button is clicked.

      The alert message and Display More Info button become configurable only if the blocking behavior is set to Display an alert 

  2. Select User Scope: Select the scope for the blocking policy by choosing one of the following:

    1. Enrolled User

    2. All Accounts

    3. Administrator Accounts

    4. Standard Accounts

    5. Specific User Accounts: On selecting this option, a text field will be displayed where you need to enter the local user short names that are present on the device. You can search for a particular user, which will populate the list of users created. To add more than one user, click on the New User link.

Access Restriction

IT admins can configure specific conditions from the Scalefusion Dashboard which determine the users' ability to access the I/O device. To make access conditional, the following parameters can be enforced:

  1. Day & Time: Configure the time schedule in which the user account is allowed to access the I/O device. Select the following:

    1. Start Time & End Time

    2. Timezone: You can either choose to use device's local timezone or select it manually from the drop-down. 

    3. Select Days: Select particular day(s) from Sunday to Saturday

  2. IP Address: Enter the IP ranges within which the user(s) will be allowed to access the I/O device. To add a range, click on the Add Range link; this adds a new row below. In that row, select the Type (IPv4 or IPv6) and enter the IP address. To remove a particular IP range, click on the delete icon under Actions. Click on Add Range again to configure multiple IP ranges.
    Note: The IP addresses should be valid.

On Windows devices, a 10-minute timer runs to check whether the device falls within the specified IP range or day and time range.

Once you have configured all the above, click on Create button on top right. The configuration will get created and displayed under Configuration tab with other related details.

Step 2: Publish Configuration

To Publish, 

  1. Click on publish icon in front of the configuration

  2. In the new window, select the device profile(s) on which you want to publish the configuration. 

  3. Click Publish

    On Linux, an I/O device must be disconnected and reconnected for policy changes to take effect, whereas on Windows, a disconnect/reconnect may be required depending on the device type and policy.



User Experience on Device

On publishing the configuration,

  1. Notice Veltar icon on the top bar. Clicking on it will reflect I/O Device Access Control Policy as Configured

  2. If you open Scalefusion MDM Client, it will reflect I/O Device Access Control Policy as Configured, under Settings

  3. If you try to access an external storage device (for which you have created a rule in the configuration), it will show the alert message you have configured. For example, when a user tries to access a Crucial X6, a portable solid-state drive (SSD), on a macOS device where an I/O Device Access Control policy is applied to it, the user is denied from using the storage device.

  4. Similarly, when a user tries to access a Cruzer Blade on a Linux device where an I/O Device Access Control policy is applied to it, the user is denied from using the storage device.

On publishing the configuration,

  1. If you open Scalefusion MDM Agent , it will reflect I/O Device Access Control Policy as Configured, under Veltar


  2. If you try to access a device (for which you have created a rule in the configuration), it will show the alert message you have configured. For example, when a user tries to access an HP USB device of type CDROM on Windows where an I/O Device Access Control policy is applied to it, the user is denied from using the device.

On Windows, Bluetooth connection or access events are not captured by the system, so block pop-up notifications are not displayed. However, Bluetooth peripheral devices are still blocked as expected.

Event Logs

From this section you can get detailed logs which are recorded for I/O device access, providing valuable insights into device usage. Click on Event Logs tab under I/O Device Access Control

Summary

The Summary view provides an overview of I/O Device Access Control activity and status. The information can be viewed under following heads:

  1. Endpoints Monitored

  2. Endpoints with events in last 24 hours

  3. Endpoint with maximum events

  4. Total Events (30 days)

  5. Storage Device allowed events

  6. Storage Devices blocked by Encryption status

  7. Events in last 24 hours

  8. Storage Device blocked events

  9. Storage Devices blocked by Device level Access Rules

  10. I/O Device allowed events

  11. Storage Devices blocked by Default policy

  12. Storage Devices blocked by Access Restrictions

  13. I/O Device blocked events

Events Info

This section shows detailed information on the events, under following heads

  1. Endpoint: The name assigned to the device.

  2. Device Name: The name of the device.

  3. Device Type: The type of device (External Storage or USB)

  4. Username: The name of the user account that accessed the device.

  5. Connection Status: Connected - Read & Write, Connected - Read Only, Denied, Connected

  6. Timestamp: Indicates when the I/O device was accessed by the user.

  7. Actions:

    1. View App Information: Clicking this option displays a pop-up with detailed information about the I/O device. This information helps administrators understand the context of the device's access and identify the specific reasons for the blocks:

      1. Name

      2. Product ID

      3. Product Name

      4. Vendor ID

      5. Serial Number

      6. Manufacturer

      7. BSD Name

      8. BSD Path

      9. Mount Point

      10. File System

      11. Is Encrypted

      12. Is Read Only

      13. Total Size

      14. Available Size

      15. Connection Status

      16. Connection Reason

    2. Edit Configuration: With this, you can update the configuration

Additional Features

Filters

There are filtering options available for viewing activity logs. You can filter them by: 

  1. Timestamp:

    1. Timestamp

    2. Device Name

    3. Username

  2. Configurations:

    1. All Configurations

    2. List of available configurations. Choose a specific configuration

  3. Date Picker:

    1. Start Date: It can be from Current Date to 7 days. You cannot select a date more than 30 days in the past.

    2. End Date

      Note: Logs older than 30 days get automatically deleted.

  4. Page Size: Select the number of records to be displayed on one page

  5. Search Using Device Name, Serial No, or Name

Download Report

Clicking the button downloads a CSV report containing the filtered activity data. Please note the report can be downloaded for a duration of 7 days at the maximum.


