Job Management Partner 1/Software Distribution Description and Planning Guide
By suppressing device operations at a client, you can prevent the leakage of confidential information and the entry of undesirable information from external systems. This functionality is available when the client version is 09-50 or later.
Operation of the following devices can be suppressed:
- USB storage devices
- Internal CD/DVD drives
- Internal floppy disk drives
- IEEE1394-connected devices
- Internal SD cards
- Bluetooth devices
- Imaging devices
You can suppress the use of various devices (writing data to or reading data from these devices), and you can exclude specific devices from suppression. You also have the option of suppressing only writing data to a device. The following table shows the operations that can be suppressed for various devices.
Table 2-18 Operations that can be suppressed for various devices

| Device type | Can use of the device be suppressed? | Can specific devices be excluded from suppression? | Can only recording to a device be suppressed?#1, #6 |
| --- | --- | --- | --- |
| USB storage device | Y | Y | Y#2 |
| Internal CD/DVD drive | Y | N | Y#3 |
| Internal floppy disk drive | Y | N | Y#4 |
| IEEE1394-connected device | Y | N | Y#4 |
| Internal SD card#5 | Y | N | Y#4 |
| Bluetooth device | Y | Y | N |
| Imaging device | Y | Y | N |
Legend:
- Y: Supported
- N: Not supported

Notes:
- #1: You cannot suppress recording only by device type. The devices for which you can suppress recording only are those whose use is not suppressed, or those that are excluded from suppression.
- #2: Recording can be suppressed only if the client's OS is Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2012, or Windows 8.
- #3: Recording can be suppressed only if the client's OS is Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2012, or Windows 8.
- #4: Recording can be suppressed only if the client's OS is Windows Vista, Windows Server 2008, Windows 7, Windows Server 2012, or Windows 8.
- #5: With an SD card connected, open the Properties dialog box for the SD card in Windows Device Manager. If SD or RIMMPTSK is displayed for Enumerator under the Details tab, that SD card is supported. Depending on how the SD card slot is connected to the PC main unit, a value other than SD or RIMMPTSK might be displayed for Enumerator; in that case, the SD card is not supported.
- #6: If the client's OS is Windows 8 (Basic Edition), this facility is not supported.
Select the devices whose operations you want to suppress, based on factors such as the frequency of their use by jobs and the risk of information leakage.
The following figure provides an overview of device operation suppression.
Figure 2-25 Overview of device operation suppression
- Organization of this subsection
- (1) Prerequisites for the client OS
- (2) Notes on suppressing device operations
(1) Prerequisites for the client OS
You can suppress device operations when the client's OS is one of the following:
- Windows 2000
- Windows Server 2003
- Windows XP
- Windows Vista
- Windows Server 2008
- Windows 7
- Windows Server 2012
- Windows 8
Operation suppression is not supported if the client's OS is Windows NT 4.0, Windows 98, or Windows Me.
(2) Notes on suppressing device operations
- You may not be able to suppress the operation of devices that were connected before operation monitoring started, such as immediately following startup of the client PC.
- JP1/Software Distribution cannot be used concurrently with other products that limit the use of external media (such as Windows Group Policy or Active Directory Policy). If such a product and JP1/Software Distribution are used concurrently on the same client, JP1/Software Distribution's setting for suppressing external media operations might be modified by the other product. JP1/Software Distribution might also modify the setting of the other product.
- Operation suppression does not go into effect on devices that were connected before an operation monitoring policy was applied. To enable device operation suppression for these devices, you must restart the client PC.
- If you make any of the following modifications to the operation monitoring policy, restart the client PC:
- Changing the setting from operation suppression to operation enabling
- Changing the setting for an already-connected device to operation suppression
- Enabling or disabling the setting that suppresses recording only
- If the OS of the client PC is Windows 2000, you cannot suppress operation of USB-connected hard disk and floppy disk drives that were connected before the user logged in.
- If you suppress a device for which the auto-playback function is enabled, an error message indicating auto-playback failure might be displayed.
- If an operation monitoring policy for suppressing the operation of a device is applied while that device is operating, the OS might display an error message.
- When a suppressed device is connected to the client PC for the first time, the OS might display an error message indicating a device driver installation failure.
- Devices such as USB scanners might be recognized as imaging devices even when they are USB-connected.
- You cannot suppress devices that cannot be recognized as USB storage devices, Bluetooth devices, or imaging devices even when they are USB-connected. You cannot exclude them from suppression, either.
- You cannot suppress only writing of data to DVD RAM.
- If you suppress only writing of data to a USB storage device equipped with an encryption function, reading of data from that device might also be disabled.
- To suppress only writing of data when the OS of the client PC is Windows Vista or later, you need to start the Portable Device Enumerator service in the Services window (accessed by choosing Control Panel, Administrative Tools, and then Services).
- If a device that has multiple device instance IDs is connected, the dialog box showing its suppression status might be displayed multiple times for that single device.
- If driver installation is performed after a suppressed device is connected to the client PC for the first time, the dialog box indicating that device connection was suppressed might be displayed multiple times.
- When you suppress a USB-connected CD/DVD drive, the tray of the suppressed CD/DVD drive might open.
- When you connect a suppressed device to the client for the first time, you might not be able to install the device driver. In this case, no history of device connection, disconnection, and connection suppression is collected. The warning dialog box indicating device connection suppression is not displayed, either.
- When both of the following conditions are satisfied and a file is being copied to a USB-connected hard disk or floppy disk drive, operation of a USB storage device cannot be suppressed until file copying is completed:
- The OS of the client PC is Windows 8, Windows Server 2012, Windows 7 or Windows Server 2008 R2.
- An operation monitoring policy for suppressing the operation of a USB storage device is applied while file copying is being performed.
- If an operation monitoring policy is applied that excludes a specific USB storage device from suppression based on its friendly name, when that USB storage device is connected to the client PC for the first time, any device whose friendly name cannot be acquired might be suppressed. In this case, reconnect the USB storage device.
- If you suppress the operation of a device, the suppressed device is no longer recognized as a drive, and consequently you will not be able to collect that device's system information.
- If the auto-playback function is enabled in Windows settings, you cannot suppress the operation of USB-connected hard disk or floppy disk drives. To suppress the operation of these drives, disable the auto-playback function.
- If you suppress internal SD cards, the operation of the following devices is also suppressed:
- Devices for which RIMMPTSK is displayed for Enumerator under the Details tab in the device's Properties dialog box (displayed by choosing from Administrative Tools, Computer Management, and then Device Manager)
- If you specify an operation monitoring policy that suppresses the operation of a device that is already connected, the suppression dialog box for that device might be displayed when you connect a different device to the client PC.
- Even when the client PC must be restarted before an operation monitoring policy for suppressing operation takes effect, the suppression dialog box is displayed as soon as the operation monitoring policy is set.
- When the OS of the client PC is Windows Vista or later, if you apply an operation monitoring policy that suppresses one or more devices, an error-level event might be written to the event log. The following example shows the event that is output when an internal CD/DVD drive is suppressed:
  Source: Service Control Manager Eventlog Provider
  Event ID: 7026
  The following boot-start drive or system-start drive could not be loaded: cdrom
  Note that in Windows 7 and Windows Server 2008 R2, the source is Service Control Manager.
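An administrator reviewing the System log will want to separate the expected Event ID 7026 entry produced by CD/DVD suppression from genuine driver load failures. The script below is an added example, not part of the manual; it assumes that the driver names follow the last colon of the event message, one per line, as in the message shown above.

```powershell
# Added example (not from the JP1/Software Distribution manual): returns each driver
# name reported in Event ID 7026 entries of the System log and flags the names that
# device suppression is expected to produce (cdrom for a suppressed CD/DVD drive).
# Assumption: the driver list is the text after the last colon of the message.

function Get-BlockedStartDrivers {
    param(
        [int]$MaxEvents = 50,
        # Driver names that a JP1 device suppression policy is expected to produce
        [string[]]$Expected = @('cdrom')
    )
    $filter = @{ LogName = 'System'; Id = 7026 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Message wording differs between Windows versions; keep the part after the final colon
        $tail = ($e.Message -split ':')[-1]
        $drivers = $tail -split '\r?\n' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        foreach ($d in $drivers) {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Source      = $e.ProviderName   # Service Control Manager on Windows 7 / 2008 R2
                Driver      = $d
                Expected    = $Expected -contains $d
            }
        }
    }
}

# Entries with Expected = False deserve a closer look; they are not caused by suppression
Get-BlockedStartDrivers | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```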
- If you suppress a Bluetooth device, the use of the mouse or keyboard connected using Bluetooth will also be suppressed.
- When you connect a Bluetooth device to a PC, the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\<hardware ID of the Bluetooth device> is created. The device control facility treats a device as a Bluetooth device when the Class value under this key is Bluetooth, BTW, or BTM. You can check the hardware ID from the OS's Device Manager. We have confirmed that the Bluetooth devices listed below can be suppressed.

| Manufacturer | Model No. |
| --- | --- |
| Planex Communications | BT-Micro3E1X |
| Planex Communications | BT-MicroEDR2X |
| Logitech | LBT-UAN03C2BK |
| Logitech | LBT-UAN01C1 |
| Corega | CG-BT2USB01CB |
| Corega | CG-BT2USB02CB |
| Sanwa Supply | MM-BTUD26 |
| Sanwa Supply | MM-BTUD23 |
| Buffalo | BSHSBD04BK |
| Buffalo | BSHSBD02BK |
| I-O Data | USB-BT21 |
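Before applying a Bluetooth suppression policy, it is useful to know which USB devices on a client carry one of the three Class values named above, since a Bluetooth mouse or keyboard attached through such an adapter will also be suppressed. The following script is an added example, not part of the manual; it assumes that each device instance key sits two levels below Enum\USB (hardware ID key, then instance key) and reads its Class value.

```powershell
# Added example (not from the JP1/Software Distribution manual): walks
# HKLM\SYSTEM\CurrentControlSet\Enum\USB, reads the Class value of every device
# instance key, and reports which USB devices the device control facility would
# treat as Bluetooth devices (Class equal to Bluetooth, BTW, or BTM).
# Assumption: instance keys are two levels below Enum\USB (hardware ID\instance).
# Run from an elevated prompt if some Enum subkeys are not readable.

$BluetoothClasses = @('Bluetooth', 'BTW', 'BTM')   # values named in the note above

function Get-UsbDeviceClassReport {
    param([string]$EnumPath = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USB')
    if (-not (Test-Path $EnumPath)) { throw "Registry path not found: $EnumPath" }
    Get-ChildItem -Path $EnumPath | ForEach-Object {
        $hardwareIdKey = $_
        Get-ChildItem -Path $hardwareIdKey.PSPath | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            $class = [string]$props.Class
            [pscustomobject]@{
                HardwareId         = $hardwareIdKey.PSChildName
                Instance           = $_.PSChildName
                Class              = $class
                FriendlyName       = [string]$props.FriendlyName
                TreatedAsBluetooth = $BluetoothClasses -contains $class
            }
        }
    }
}

# Devices that a Bluetooth suppression policy would cover on this client
Get-UsbDeviceClassReport | Where-Object TreatedAsBluetooth | Format-Table -AutoSize
```

Drop the Where-Object filter to list every USB device instance with its Class value, which also helps when deciding which devices to exclude from suppression.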
- If the client's OS is Windows 8 or Windows Server 2012, dialog boxes related to device suppression appear on the desktop.
- If the client's OS is Windows 8 or Windows Server 2012, you cannot suppress operations on a USB storage device to which a storage pool is assigned.
Notes on suppressing device operations at an offline machine
Do not suppress the operation of the device that will be used to apply an operation monitoring policy or to collect operating information. If you suppress such a device, you will not be able to apply an operation monitoring policy or collect operating information.
Notes on virtual environments
- When an operation monitoring policy for suppressing device operations is applied to a virtual environment, a warning dialog box indicating that the connection of the device has been suppressed is displayed only to users connected to a console session. If no users are connected to a console session, the warning dialog box is not displayed.
- If both of the following conditions are satisfied, operation of the redirected drive cannot be suppressed even if a security policy for suppressing devices has been applied to the terminal server:
  - A security policy for suppressing device operations has not been applied to a PC remotely connected to the terminal server.
  - The drive connected to the PC in the first condition is set to be used by the terminal server.
  To suppress such a drive, disable redirection on the terminal server side. Note that this setting disables redirection for all drives. The procedure for disabling redirection on a terminal server running Windows Server 2012 or Windows Server 2008 is as follows.
  - For Windows Server 2008:
    - From Windows Terminal Service Configuration, open the RDP-Tcp property.
    - Under the Client Settings tab, select Drive in Redirection.
  - For Windows Server 2008 R2:
    - From Windows Remote Desktop Session Host Configuration, open the RDP-Tcp property.
    - Under the Client Settings tab, select Drive in Redirection.
  - For Windows Server 2012:
    - In Windows Local Group Policy Editor, choose Device and Resource Redirection (Computer Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Remote Desktop Session Host).
    - Enable Do not allow drive redirection.
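After following the procedure above, an administrator will want to confirm that drive redirection really is disabled on the terminal server. The script below is an added example, not part of the manual; it assumes that the per-connection RDP-Tcp setting and the Group Policy setting "Do not allow drive redirection" are both stored as a DWORD named fDisableCdm, in the WinStations key and the Terminal Services policy key respectively. These are standard Windows registry locations, not values taken from the manual.

```powershell
# Added example (not from the JP1/Software Distribution manual): reports whether
# drive redirection is disabled on this terminal server, which is the state the
# procedure above produces.
# Assumption: both the RDP-Tcp connection setting and the Group Policy setting
# are stored as fDisableCdm = 1 at the two registry locations below.

function Test-DriveRedirectionDisabled {
    $locations = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',          # Group Policy
        'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'  # RDP-Tcp properties
    )
    $results = foreach ($path in $locations) {
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).fDisableCdm
        }
        [pscustomobject]@{
            Location    = $path
            fDisableCdm = $value
            Disabled    = ($value -eq 1)
        }
    }
    $results
    # Redirection is off if either the policy or the connection setting disables it
    [pscustomobject]@{
        Location    = 'Effective'
        fDisableCdm = $null
        Disabled    = [bool]($results.Disabled -contains $true)
    }
}

Test-DriveRedirectionDisabled | Format-Table -AutoSize
```

If the Effective row shows Disabled = False, redirected drives from remote PCs can still appear on the terminal server and will not be covered by the device suppression policy.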
Notes on upgrading JP1/Software Distribution from versions between 08-51 and 09-00 inclusive to version 09-50 or later
An operation monitoring policy for suppressing external media operation is not applied to clients whose version is 09-50 or later. You need to specify an operation monitoring policy for suppressing device operation.
However, an operation monitoring policy for suppressing external media operations is applied when the following two conditions are satisfied:
- No operation monitoring policy that was edited following an upgrade has ever been applied.
- An operation monitoring policy that suppresses the operation of pre-upgrade external media is applied without being edited.
All Rights Reserved. Copyright (C) 2009, 2013, Hitachi, Ltd.
Copyright, patent, trademark, and other intellectual property rights related to the "TMEng.dll" file are owned exclusively by Trend Micro Incorporated.