The 6 Best USB Control Software of 2023 (Tech Review)

data loss prevention: The best USB blockers

Need a USB blocker to protect sensitive files against theft to portable storage? In this article you will learn why you need to block USB devices and the best USB device management tools to prevent data loss to removable media.

Looking for more tools? Check out our list of the best internet filters and the best employee monitoring software


AccessPatrol USB Device Control software from CurrentWare

Ready to prevent data loss to USB storage devices? Get started immediately with a free trial of AccessPatrol, CurrentWare’s USB blocking software.

What Are the Risks of Removable Media?

Data Leaks & Insider Data Theft 

data leakage prevention - how to protect your data

The theft of sensitive data via USB ports is by far the greatest risk presented by unmanaged USB devices. Companies with databases full of sensitive data such as customer information, intellectual property, and trade secrets are especially vulnerable to insider data theft as this data can be used for personal or professional gain.

A USB blocker is an essential part of any data theft prevention strategy. By not restricting USB drives and other external devices from USB ports a data security incident is as simple as a user sneaking in an unauthorized USB flash drive, plugging it into an available port, initiating a download of sensitive data from the network to the device, then walking away.

Data Loss & Integrity Risks

data loss prevention - the top data exfiltration risks

USB devices are portable, which makes them convenient for mobile data storage. It also makes them incredibly easy for a user to misplace. 

If a proper data backup system is not in place for crucial data there is a risk that the most up-to-date version of a file is located on a USB removable storage device. Should one of the removable devices go missing the integrity of the data will be compromised, not to mention the potential data breach if the data wasn’t encrypted.

With a USB blocker you can improve data security by limiting what files are allowed to be transferred to a USB device.

USB Malware & Viruses

Since USB flash drives are capable of storing and transmitting data, they are potential vectors for malware. The infamous Stuxnet computer worm, for example, was able to infect air-gapped computers in an Iranian uranium enrichment plant when infected USB flash drives were plugged its USB port.

Even if USB drives aren’t intentionally infected with malware, personal USB devices are at a greater risk of inadvertent infections. A USB blocker protects against rogue USB devices by blocking USB ports and allowing you to authorize trusted USB drives.

Learn More: How Rogue USB Devices Harm Security

Examples of Removable Devices

A 32 gigabyte USB flash drive sitting on top of a computer keyboard

Removable devices consist of a variety of compact devices that can connect to another device to transmit data from one system to another.

  • USB storage devices (“Jump Drive”, “Data Stick”, “Thumb Drive”, “Flash Drives”, etc)
  • SDHC, SDXC & SD cards
  • External drives and solid-state drives
  • R/W Compact Disk or DVD media
  • Mobile devices such as tablets, smart devices, cameras, and portable media that support a data storage function such as player-type devices with internal flash or hard drive-based memory.
  • eSATA devices
  • Floppy disks

The Best USB Control Software of 2023

1) AccessPatrol – The Best USB Control Software For Windows

Last Updated: July 2022

Overview

AccessPatrol is a data loss prevention (DLP) and USB device control software solution that protects sensitive data against theft to portable storage devices and cloud storage services.

AccessPatrol keeps data secure by…

  • Preventing data loss by stopping users from stealing data or transferring malicious files with easily concealed USB flash drives
  • Allowing you to identify devices that have been used on your endpoints
  • Tracking file transfers to/from any website
  • Blocking file uploads to cloud storage services
  • Maintaining auditable records of file transfers to portable storage, and…
  • Triggering real-time alerts when security policies are violated

AccessPatrol’s central console allows you to centrally manage devices and run reports on your user’s USB activities from the convenience of a web browser. 

The security policies are enforced by a software agent that is installed on your user’s computers. This keeps devices restricted and monitored even when the computers are taken off of the network.

AccessPatrol operates from the same central console as the other modules in the CurrentWare Suite. It can be purchased individually for the greatest flexibility or bundled with the CurrentWare Suite for the best value.

The CurrentWare Suite includes multiple solutions for protecting data:

Platforms & Deployment Options

central management console for AccessPatrol endpoint security solutions

AccessPatrol is exclusively available on Windows. It supports Active Directory import and sync that allows you to manage your users with your existing organizational units alongside non-AD users. 

AccessPatrol uses a software client to enforce data loss prevention policies on devices no matter which network they are connected to, making it the ideal solution for protecting remote workers. 

AccessPatrol has been verified as Citrix Ready. The device control software can be installed on premises or to the cloud on a self-managed cloud virtual machine

Learn More: AccessPatrol System Requirements

Pros/Cons

Pros
  • Device control policies can be customized based on user and computer groups; it integrates with Active Directory to simplify user management
  • At $3.99 PUPM it’s the best value device control software when compared to those with a similar feature set
  • Integrates with the CurrentWare Suite to protect corporate data against high-risk websites and user activity
  • Easy-to-use interface and operator accounts allow for trusted employees to perform centralized monitoring and adjust USB data security policies as needed
Cons
  • Only available for Windows machines
  • Device control capabilities require a software agent to be installed
  • While AccessPatrol works with both encrypted and unencrypted usb devices, an external tool is required to enforce data encryption

Price

AccessPatrol is a module within the CurrentWare Suite. When purchased as a standalone module its pricing starts at $3.99 per license per month, paid annually. 

The full CurrentWare Suite starts at $8.99 and provides additional modules for internet use monitoring, web filtering, and remote PC power management. 

Discounts are available for prepayment and bulk licensing, managed service providers, and nonprofit/educational organizations.

A free trial of AccessPatrol is available for 14 days and 10 computers.

Learn More: AccessPatrol pricing and licensing FAQ

Key Features

Hey everyone, this is Dale here. I am the Digital Marketing Manager for CurrentWare.

In today’s video, I’d like to show off the new USB activity dashboards introduced to AccessPatrol in version 7.0.

These dashboards provide a convenient overview of the peripheral device usage of your entire workforce as well as specific groups or users—all from the convenience of a web browser.

They work in tandem with AccessPatrol’s device control features and USB activity reports to protect sensitive data against the security risks of portable storage devices.

Today’s video is just a sneak peek of what AccessPatrol is capable of; as time goes on you can expect to see further enhancements and data points added to these dashboards.

At this time, AccessPatrol can track activities from the following peripherals:

  1. Portable storage devices such as USB flash drives, external hard drives, optical discs, tape drives, and SD cards
  2. and Mobile devices including smartphones, PDAs, and tablets

This device usage data is used to populate various graphs across AccessPatrol’s dashboards. You can further refine how granular this data is by limiting the time frame, selecting only specific groups, and even investigating individual users.

Having these metrics available at a glance makes detecting potential insider threats far more efficient as your organization scales. 

Any groups or users that need to be reviewed further can be investigated using the more granular dashboards and AccessPatrol’s device activity reports.

For a more proactive approach to insider threat management you can set up targeted alerts that will notify designated staff members when these high-risk activities occur. 

For the most up-to-date information on AccessPatrol’s activity tracking and data loss prevention capabilities, visit our knowledge base at CurrentWare.com/Support or visit the AccessPatrol product page at CurrentWare.com/AccessPatrol

 In the overview dashboard you can review the following metrics:

  • File Operations that happened over the selected time period, including the number of files that have been copied/created, the number of files that have been deleted, and the number of files that have been renamed/saved as.
  • Overall Device Activities, with a breakdown of how many of the peripherals were authorized and how many were blocked from use.
  • The Top 5 File Types graph shows the most common file types that are copied/created or deleted to and from portable storage devices
  • The Top 5 Device Types graph shows the most common classes of peripheral devices that are blocked and allowed
  • The Top 5 Files Operations graph shows which groups or users have the greatest number of files that have been Copied/Created and Deleted to and from portable storage devices
  • The Top 5 Devices Activities graph shows which groups or users have the greatest number of Blocked and Allowed devices.
  • And finally, The Activity Log provides access to the raw data, with controls to show and hide certain columns, filter and sort data, conduct searches, and export the data to an Excel spreadsheet or PDF. Each dashboard has their own Activity Log with columns that are relevant to that specific dashboard.

Moving on to the Files Dashboard you will see…

  • A timeline of file operations that shows the relationship between the various operations over the course of the selected time period. This can be used to search for patterns in anomalous device usage, such as peaks in file transfers outside of regular operating hours.
  • You will also see graphs with the Top File Types Copied/Created to internal hard drives and external devices
  • Below that, we have graphs that show the users or groups that have Copied/Created or Deleted the most files
  • And, just like the overview dashboard, there is an Activity Log with the raw data.

Finally, we have the Devices Dashboard

In this dashboard, we have…

  • A device activities graph that shows a timeline with the number of allowed and blocked devices each day. This can be further refined to show an hourly breakdown of a specific day so you can find out what time your users were attempting to use blocked devices. 
  • Next, we have graphs with the users or groups that have the most allowed and blocked devices activity over the selected time period. 
  • Scrolling down to the Activity Log, we can use the sorting controls to take a closer look at the users that have been attempting to use unauthorized peripherals.

As you can see, we have specific users that are repeatedly trying to use devices that have not been approved for use by the organization.

While this could just be an accidental oversight on the user’s part, there’s a risk that it’s something much more serious. 

For example, what if this is actually a disgruntled employee trying to steal trade secrets or sensitive customer data so they can bring it to a competitor, or worse, sell it to cybercriminals on the dark web.

Between the costs associated with a damaged reputation, fines, loss of competitive advantage, and remediation, a data breach like this could completely ruin a company.

Before we confront this employee or send them for retraining, let’s investigate this incident further so we can make an informed decision.

Clicking on this user, we’ll be taken to a dashboard that focuses exclusively on their activity. 

Looking at the Devices graph we can see that they have made multiple attempts to use blocked devices. 

Scrolling down, we can see that they’ve been trying to use unauthorized portable storage devices.

Since AccessPatrol is currently blocking any devices that are not explicitly allowed, I know that the only way sensitive data is leaving through a USB drive is if it’s a device that we’ve allowed before. So, let’s take a closer look at how they’ve been using their approved devices.

As you can see here, the types of files that they are transferring are more than capable of containing sensitive data; let’s take a look at the file names for more details.

With the Activity Log we can use the filters, sorting, and column options to isolate our view to the entries we’re the most interested in. 

Once we find something that looks off, we have more than enough information to confront this employee and take any necessary corrective actions.

Ready to protect your sensitive data against theft to USB portable storage devices? Block and monitor peripheral device usage today with a free trial of AccessPatrol, CurrentWare’s USB control software.

Simply visit CurrentWare.com/Download to get started instantly, or get in touch with us at CurrentWare.com/Contact to book a demo with one of our team members. See you next time!

AccessPatrol has a variety of device control capabilities. Beyond the ability to block removable storage devices it can permit temporary or scheduled access to USB devices, selectively restrict data transfers based on file name and extension, and more.

Here are AccessPatrol’s key device control features:

  • Device Control: Selectively allow or block access to a variety of peripheral devices including removable devices, Bluetooth devices, mobile devices, communication ports, printers, firewire, and others | Learn More: Which Devices Can I Control With Accesspatrol?
  • Granular Control: Data Loss Prevention policies can be customized based on groups of users/PCs. Data transfers can be permitted to specific USB devices that are on an allow list. Access permissions can be set to Full / Read only / No access for devices.
  • USB Activity Reports & Alerts: Monitor data transfers and file operations to portable storage devices, network share drives, and cloud storage services. Audit device access with detailed reports of all allowed and blocked storage devices used by each employee or workstation. Get alerts of attempts to use unauthorized peripherals.
  • Temporary Access: AccessPatrol can grant temporary access to blocked devices with the access code generator. Use the generator to produce a time-limited single-use code that provides users with full access permissions to their peripheral devices, even if they do not have access to the internet.
  • Restrict Data Transfers: Prevent files from being transferred to USB devices based on their name or extension, even for trusted removable devices.
  • Remote Workforce: The USB lockdown software tools continue to work even when devices are taken off the network.

Learn More: AccessPatrol USB device control features

Reviews

AccessPatrol is a magical weapon with cutting-edge capabilities that protects your computer from untrusted USB devices. If an unauthorized device is attached it will warn the company immediately.

Md Jahan M, Digital Marketing & Full Stack Specialist (2022) Internet Industry, 10,001+ employees

[AccessPatrol] has been a great benefit to secure USB devices and access to company computers. We now have the ability to secure machines that otherwise would have been exposed to threats.

Jordan F., Senior IT Specialist (2022) Machinery Industry, 1001-5000 employees

Data leaks have been thwarted by Accesspatrol. When an unauthorized device is detected, an email alert is sent immediately. It enables real-time audit reports on accessed and blocked devices.

Karen M., Senior Director of Marketing (2022) Construction Industry, 10,001+ employees

We have experienced data leaks by dishonest employees in the past and AccessPatrol has helped us avoid them and work with greater security and peace of mind for us and our customers.

Julio V., Head of Information Technology (2022) Financial Services Industry, 10,001+ employees


A departing employee was caught stealing classified files! If we didn’t have AccessPatrol we would never have known.

Learn how Viking Yachts protected their intellectual property from a departing employee in our case study


Support

Product support for AccessPatrol is available from a variety of channels. Their support team is active 8:00 AM – 6:30 PM EST, Monday to Friday.

Last Updated: July 2022

Overview

ManageEngine Device Control Plus is a device control software solution created by Zoho Corp. It is available for both Windows and macOS. It is free for up to 25 devices in LAN; the free version contains all of the features except for the ability to have multiple administrator accounts.

Platforms & Deployment Options

ManageEngine Device Control Plus is compatible with both Windows and macOS.

Support Windows OS:

  • Windows 10
  • Windows 8.1
  • Windows 8
  • Windows 7
  • Windows server 2016
  • Windows server 2012 R2
  • Windows server 2012
  • Windows server 2008 R2
  • Windows server 2003 (Conditional support)

Supported macOS:

  • 10.12 Sierra
  • 10.13 High Sierra
  • 10.14 Mojave
  • 10.15 Catalina
  • 11 Big-Sur
  • 12 Monterey

Pros/Cons

Pros
  • Free for up to 25 devices within a LAN
  • The annual subscription is US$595 for 100 Computers ($5.95 per computer per year), making it a suitable budget device control software.
  • Both macOS and Windows are supported
Cons
  • The macOS version supports less devices than the Windows version
  • Their support team has consistently critical reviews online; the key grievances revolve around an abundance of canned responses and requiring multiple attempts to get issues resolved

Price

  • The annual subscription is US$595 for 100 Computers ($5.95 per computer per year).
  • Perpetual licenses for 100 computers are available for US$1,488 with a cost of US$298 per year for support and maintenance
  • Basic annual maintenance and support is included with the subscription; 4 hours of web-based product training is available for US$495
  • Multiple add-ons are available including a failover service, secure gateway server, and a multi-language pack license

Key Features

  • Device and Port control  
  • File access control  
  • File transfer control  
  • File tracing  
  • File shadowing  
  • Device audit  
  • Temporary device access  
  • Trusted Device List  

Reviews

While ManageEngine has an extensive product portfolio with many users, reviews for ManageEngine Device Control Plus specifically are difficult to come by. 

Based on reviews, ManageEngine Device Control Plus works great as a basic device control software for restricting removable devices, but their customer support is lacking and their feature set does not compete with more advanced device control products.

This software delivers on the essential tasks required for security monitoring files by running real-time and audit reports of who, what, where, and when.

Verified Reviewer of ManageEngine DataSecurity Plus on Capterra (2019)

Manage Engine products seem to be about 80% complete. The UI is unnecessarily unintuitive. They are clearly written by developers who don’t actually know what the end users need.

/u/SysWorkAcct (2022)

I have been in the IT field 20+ years and this is BY FAR the worst technical support I have ever encountered.

I have been in constant “chat sessions” with support. They always end with “can you please upload the log files and we will get back with you.” So I upload the files. 3-5 days later they finally reply with some “canned” fixes or links that do not resolve the issue, then once again ask you to upload the log files. Rinse and repeat.

/u/newsomek (2022)

I would highly recommend using one of their local resellers instead If you want/need quality local support.

/u/elasticweed (2022)

Support

  • ✅ Email/Help Desk
  • ✅ Knowledge Base
  • ✅ Phone Support
  • ✅ Live Chat

While ManageEngine Device Control Plus provides a variety of methods to contact their support team, critical reviews online have recommended users to purchase from a local reseller to get quality support.

4 hours of web-based product training is available from ManageEngine for US$495

ManageEngine provides email support (during the business hours) for signing-up, usage assistance, problem diagnosis and resolution, clarification in documentation, and technical guidance. 

Customers can use telephone support for the following:

  • To report a problem and get technical assistance.
  • Following up on a problem.
  • Communicating the priority.
  • Getting the status on your current problem etc.

Unfortunately, while they do have a self-serve knowledge base it lacks a basic search function. 

Last Updated: July 2022

Overview

As a company, Ivanti was born out of a series of mergers and acquisitions. In 2015, Lumension and FrontRange merged to create HEAT Software, driven by private equity firm Clearlake Capital. In January 2017, as part of the transaction by Clearlake to acquire LANDESK, Clearlake contributed HEAT Software to the new platform investment in LANDESK. As a result, a new company was established under the name Ivanti.

Ivanti Device Control provides a variety of advanced device control features including forced data encryption, off-network compatibility, and full auditing of all Administrator actions.

Platforms & Deployment Options

Ivanti Device Control supports both Windows and macOS. While it is not a verified Citrix Ready partner the vendor does note that the Ivanti Device Control software clients are compatible with Citrix XenApp and XenDesktop.

Pros/Cons

Pros
  • macOS and Windows compatibility makes it a great data leakage prevention solution for mixed OS environments
  • File shadowing feature gives organizations the ability to prevent data loss by shadowing all data copied to external devices or specific ports
Cons
  • The company’s history of mergers and acquisitions has been difficult for legacy customers searching for support
  • This software is too difficult for a small IT Group to maintain and manage. 

Price

Pricing is not publicly available; you must contact their sales team for a custom quote. 

Key Features

  • Implement file copy limitations, file type filtering, and forced encryption policies for data moved onto removable devices.
  • Device whitelisting
  • Granular policies allow you to assign permissions for authorized removable devices and media to individual users or user groups.
  • Grant temporary access to USB devices
  • Centralized management
  • Active Directory integration
  • Enforced encryption of removable storage up to 2TB and internal storage larger than 2TB.
  • Works Off-network 
  • Admin activity log
  • USB activity reports 
  • Custom block message
  • File shadowing
  • Limit file transfers based on size

Reviews

The team at what was Lumension are excellent. They provided KB articles regularly, they were brilliant at customer service and support. Overall just a pleasure to work with. During my time working with Lumension I came across a few issues, on a couple of occasions these required release updates so did take a while, but most of the time the team at Lumension provided a way to resolve the issue in the version I was using or input on what could be done to fix the issue.

Anonymous, IT Services Industry (2010)

It worked exactly how it was supposed to. Device control and reporting on devices was exceptional often even down to the make/model and serial number of the device being attached.

Anonymous, IT Services Industry (2010)

I am impressed with Lumension, it is great for that in depth level of control – able to go down to a device/user/computer level and set permissions.

Liam Windsor Brown, Finance Industry 101-250 Employees (2015)

What do you like best?

This application does an amazing job of controlling all of your Endpoints. You can use this product to manage USB devices, dvd drives, and to shadow copy violations of policy. This is very useful when you need to maintain peak productivity and keep data safe. 

What do you dislike?

With the aggressive mergers and expansion Ivanti – formally Landesk has experienced in the last few years, some of the message, roadmaps and support channels have degraded in value while cost continues to rise at around 5% per year.

Anonymous Administrator in Information Technology and Services (2018)

Support

  • ✅ Email/Help Desk
  • ✅ Knowledge Base
  • ✅ Phone Support
  • ❌ Live Chat

Three levels of support are available: Standard, Premium, and Enterprise. 

All support levels entitle you to receive software updates and upgrades, including patches, fixes, and security updates. Technical support is provided via the Ivanti Support Portal or over the phone. 

Access to the Ivanti Community is also available with each of three plans, giving you an opportunity to meet other Ivanti customers using the same product(s) so you can share ideas, request ideas or help, or just get to know others with similar job responsibilities.

Last Updated: December 2022

Overview

Endpoint Protector By CoSoSys is a data loss prevention and endpoint security solution that includes robust data loss prevention features including deep packet inspection and data scanning. 

While the initial setup of Endpoint Protector By CoSoSys is complex, the ability to create custom rules to detect and block transfer of data you consider sensitive allows for greater protection of confidential data than a traditional device control software solution.

Platforms & Deployment Options

The clients for Endpoint Protector device control can be installed on the following operating systems:

  • Windows
  • Mac
  • Linux

Endpoint Protector By CoSoSys is one of the few device control solutions that support Linux, making it an excellent choice for preventing data theft in Linux environments. It supports various Linux distros including Ubuntu, OpenSUSE, RedHat and CentOS.

Unlike other multi-OS device control software vendors that have limited features on non-Windows OSs, Endpoint Protector provides feature parity between Linux, Windows and macOS computers.

Endpoint Protector’s endpoint security solution can be deployed as a virtual appliance, as a self-managed cloud service, or directly from CoSoSys as a software-as-a-service (SaaS) solution.

Virtual appliance

Available in VMX, PVA, OVF, OVA, XVA and VHD formats, being compatible with the most popular virtualization tools.

Cloud services

Available for deployment in the following cloud services: Amazon Web Services (AWS), Microsoft Azure or Google Cloud Platform (GCP).

SaaS

Reduce deployment complexity & cost. Focus more resources on identifying and mitigating risks to your sensitive data and less on maintaining the infrastructure.

Pros/Cons

Pros
  • Robust DLP features including deep packet inspection and scanning data in motion
  • Enforced encryption ensures that data transferred to removable storage devices are protected against accidental disclosure to unauthorized computers
  • Feature parity for key functions across all operating systems and Linux support makes this a true device control solution for multi-OS environments
Cons
  • Initial setup is complex, particularly for their data discovery features; this often leads to false positives that prevent critical information sharing
  • The learning curve is pretty steep to get the policies set up correctly
  • The user interface can be confusing to navigate
  • As new solutions have entered the market Endpoint Protector has fallen behind in features compared to competitors

Price

Pricing for Endpoint Protector is not publicly available. The trial license allows access to all Endpoint Protector’s features for a period of 30 days.

To gain access to all of Endpoint Protector’s endpoint protection and data loss prevention features you must purchase additional modules. 

Key Features

  • Lockdown, monitor and manage devices. Granular control based on vendor ID, product ID, serial number and more. Define policies per user, computer, or group.
  • Prevent data leakage through a variety of egress points including clipboard, screen captures, USB devices, and applications including Microsoft Outlook, Skype or Dropbox.
  • Monitor, control and block file transfers. Protects data in motion with identifiers ranging from file type to predefined content based on dictionaries and regular expressions.
  • Create custom rules to detect and block transfer of data you consider sensitive. 
  • Enforced encryption
  • eDiscovery: Discover, encrypt, and delete sensitive data
  • Deep packet inspection & network communications control 
  • Separate outside network and outside hours policies
  • USB activity alerts and reports
  • File shadowing

Reviews

Overall: We needed to unify our data loss prevention solution and Endpoint Protector checked all our key requirements and more. Support is very responsive and the rollout was super easy.

Pros: Endpoint Protector has compatibility with all major operating systems. Endpoint Protector’s granularity on who or which computer gets what policies makes it easy to apply Endpoint Protector to many use cases.

Cons: The flow of the user interface could use some work and unification. It takes a bit to get used to and there’s a few breaks in the flow that I find a bit annoying at times.

Verified Anonymous Reviewer, IT Technology Company (2021)

If you are looking for a product that protects source code, this is not for you. Lot’s and lot’s of false positives when trying to check for code leaks, so many in fact, that it make it unusable for this purpose

Gustavo P., Cloud Systems Administrator (2021)

The product is robust, intuitive & designed by a very dedicated company that carefully listens to it’s customers both when it comes to implementing requested product features and support.

Chad P., Dispatch Coordinator (2017)

The learning curve is pretty steep to get the policies setup correctly. Make sure you team has someone to set this up and have the machine to host the software. That was the only piece we were missing is we had to scramble to find a machine powerful enough to host the solution.

Ray G., Interactive Developer (2020)

What do you like best?

I liked how responsive their support was and how they bundled all the products in one console. The console was pretty simple to work with. I like use agents and this product involves installing an agent on the device that will then report in.

What do you dislike?

I would recommend exploring other products on the market. This product has potential but it’s similar in cost to other products has some difficulty in configuring due to outdated labelling in the console, and doesn’t cover as much as other products.

Anonymous Administrator in Health, Wellness and Fitness (2022)

Support

  • ✅ Email/Help Desk
  • ✅ Knowledge Base
  • ✅ Phone Support
  • ✅ Live Chat

Paid consultations are available for assistance with solution planning, design and deployment. As the creation of custom rules is complex and unique to each organization this added training can be of great benefit.

Last Updated: July 2022

Overview

While Gilisoft USB Lock is not the best device control solution for businesses, its affordable pricing, variety of features, and simple interface make it an ideal choice for home users that want to prevent data theft, restrict internet use, and stop unwanted apps from launching.

Platforms & Deployment Options

USB Lock is available for Windows 2000/2003/XP/7/8/10/11

Pros/Cons

Pros
  • Expands beyond USB control to include web filtering and app blocking
  • Inexpensive perpetual license
Cons
  • Lack of Active Directory integration or a central console makes it unscalable for businesses

Price

  • $39.95 per device per year subscription
  • $49.95 per device for a perpetual license with lifetime free updates
  • Volume discounts are available

Key Features

  • Email alerts notify administrators when end-users try to brute force the password to the software
  • Block websites
  • USB activity reports and web filtering logs
  • Device control tools
  • Encryption of removable storage devices

Reviews

Gilisoft USB Lock has a simple-to-use interface but it offers advanced features. The application allows you to set a list of trusted devices, so you won’t have to worry about data loss

Windows Report

The graphical interface of GiliSoft USB Lock is very modern, glossy, and intuitive. Its layout is well designed which makes it unchallenging for all kinds of users to work on this software, irrespective of their technical background.

Phohen

While the USB lock does what it intends to do, it gives your computer many lag spikes while you use it. In my opinion, it’s really worthless and you shouldn’t download it unless you have an incredibly good computer or if you enjoy lag spikes.

aznkidkevin7, Download.Cnet.com

Support

  • ✅ Email/Help Desk
  • ✅ Knowledge Base
  • ⚠️Phone Support (Skype)
  • ❌ Live Chat

Last Updated: July 2022

Overview

Note: Microsoft Intune is not a dedicated USB lockdown software. This review will focus largely on its USB lockdown features, though it has far more utility as a mobile device management (MDM) and mobile application management (MAM) solution that is not covered in this review.

Intune is available as part of various Microsoft multi-soution licenses:

  • Microsoft 365 E5
  • Microsoft 365 E3
  • Enterprise Mobility + Security E5
  • Enterprise Mobility + Security E3
  • Microsoft 365 Business Premium
  • Microsoft 365 F1
  • Microsoft 365 F3
  • Microsoft 365 Government G5
  • Microsoft 365 Government G3
  • Intune for Education (Microsoft 365 Education A3 + A5)

If you are already an active customer who has a dedicated IT team and you simply need basic USB lockdown features without USB activity reports you may want to consider using Intune to block USB devices. 

If you need device control solutions that make it easy to allow and block specific USB devices you may want to consider a Microsoft Intune alternative for USB lockdown.

Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). With Intune you have control over how your business’s laptops, tablets, and cell phones are used.

Additionally, Intune enables employees in your company to use their personal devices for work. On personal devices, Intune can separate organizational data from personal data to ensure that it remains safe.

Intune provides mobile device and application management across popular platforms: Windows, Mac OS X, Windows Phone, iOS, and Android. When Intune is connected with Microsoft Endpoint Configuration Manager in a hybrid configuration, you can also manage Macs, Unix and Linux servers, and Windows Server machines from a single management console.

Platforms & Deployment Options

Intune supports devices running the following operating systems (OS):

  • iOS
  • Android
  • Windows
  • macOS
  • Apple iOS 13.0 and later
  • Apple iPadOS 13.0 and later
  • macOS 10.15 and later
  • Android 8.0 and later (including Samsung KNOX Standard 2.4 and higher
  • Windows 11 (Home, S, Pro, Education, and Enterprise editions)
  • Surface Hub
  • Windows 10 (Home, S, Pro, Education, and Enterprise versions)
  • Windows 10 and Windows 11 Cloud PCs on Windows 365
  • Windows 10 Enterprise 2021 LTSC
  • Windows 10 Enterprise 2019 LTSC
  • Windows 10 IoT Enterprise (x86, x64)
  • Windows Holographic for Business
  • Windows 10 Teams (Surface Hub)
  • Windows 10 version 1709 (RS3) and later, Windows 8.1 RT, PCs running Windows 8.1 (Sustaining mode)
  • Windows 11

Pros/Cons

Pros
  • A robust solution for managing endpoints in desktop and mobile work environments. Perfect to reduce the time and effort IT admins need to manage desktop and mobile work environments.
  • Control how your organization’s devices are used, including mobile phones, tablets, and laptops
  • Enforce compliance with computer security requirements across an entire organization
Cons
  • Lack of USB activity reports
  • Misconfigurations are likely to cause disruption to users and can be difficult to undo
  • Selectively allowing approved USBs requires complex manual parameter tuning in an XML file

Price

Intune is available as part of a variety of Microsoft multi-solution licensed products, such as Microsoft’s Enterprise Mobility + Security (EMS) suite. This suite is a bundle that combines Intune with various Microsoft Azure security and identity management products. 

The EMS suite is available in two tiers:

  1. Enterprise Mobility + Security E3 $10.60 user/month
  2. Enterprise Mobility + Security E5 $16.40 user/month

Enterprise Mobility + Security E3 includes Azure Active Directory Premium P1, Microsoft Intune, Azure Information Protection P1, Microsoft Advanced Threat Analytics, Azure Rights Management (part of Azure Information Protection) and the Windows Server CAL rights.

Enterprise Mobility + Security E5  includes all the capabilities of Enterprise Mobility + Security E3 plus  Azure Active Directory Premium (AADP) P2, Azure Information Protection P2, Microsoft Cloud App Security, Azure Active Directory [AD] Identity Protection (as a feature of AADP P2), Azure Advanced Threat Protection, Azure AD Privileged Identity Management (as a feature of AADP P2).

Key Features

Note: Microsoft Intune is a dedicated mobile device management (MDM) and mobile application management (MAM). This section will focus on its USB control features.

  • Set rules and configure settings on personal and organization-owned devices to access data and networks.
  • Deploy and authenticate apps on devices — on-premises and mobile.
  • Protect your company information by controlling the way users access and share information.
  • Ensure devices and apps are compliant with your security requirements.

Reviews

Note: As Intune is more than USB control software, many of these reviews reflect the user’s experience when using Intune as a mobile device management (MDM) and mobile application management (MAM) platform.

We ended up going with a mix of Intune and a 3rd party because Intune doesn’t have a policy that says “block all USBs except this one type of encrypted drive”. Doing it via regular GPO causes a whole host of other problems because the GPO blocks removable devices not just storage.

We struggle with the Tattoo issue as we have shared computer situations where someone who is in the block policy logs in and then someone on the allow list logs in….until the Intune policy syncs (which can take awhile sometimes) the person who should be allowed removable media is blocked.

/u/MiamiFinsFan13

Microsoft Intune still represents one of the best device management options for folks running Microsoft-centric environments. The bundle options with Azure-based identity and security tools have matured and represent a powerful growth path. However, the price will be substantial and, for those running non-Microsoft platforms, there are some overlooked features, too.

PCMag (2017)

Pros: Its security is most valuable. It gives us a way to secure devices, not only those that are steady. We do have a few tablets and other devices, and it is a way for us to secure these devices and manage them. We know they’re out there and what’s their status. We can manage their life cycle and verify that they’re updated properly.

Cons: It doesn’t economize when you scale up. We have over 14,000 employees, and we have between 7,500 and 8,000 city-owned or personal devices being used to conduct city business. Its price can be improved. It is not a cheap solution.

reviewer1141062, Enterprise Computing Services Manager at a government with 10,001+ employees

We already use a lot of Microsoft products in our company, and therefore, it made sense to also use this product.

Peter Augustin, Global Messaging & Mobility Specialist at a pharma/biotech company with 10,001+ employees

Support

  • ✅ Email/Help Desk
  • ✅ Knowledge Base
  • ✅ Phone Support
  • ❌ Live Chat

Microsoft provides global technical, pre-sales, billing, and subscription support for device management cloud-based services, including Intune, Configuration Manager, Windows 365, and Microsoft Managed Desktop. 

Customers with a Premier or Unified support contract have additional options for support. As a customer with a Premier or Unified support contract, you can specify a severity for your issue, and schedule a support callback for a specific time and day. These options are available when you open or submit a new issue and when you edit an active support case.

removable media policy template mockup

Removable Media
Policy Template

  • Set data security standards for portable storage
  • Define the acceptable use of removable media
  • Inform your users about their security responsibilities

Get started today—Download the FREE template and customize it to fit the needs of your organization.

USB Control Methods Overview

To protect sensitive data against removable media devices you need more than a single tool. A layered cybersecurity strategy that combines physical, technical, and administrative controls is the most effective approach to preventing viruses and data loss.

This section will overview a few USB control methods that you can use to mitigate this threat.

USB Blocker Software

The best USB blocker software (device control software) are centrally-managed device control tools that allow you to selectively enable and disable what types of peripheral devices can be used and which endpoints/users are permitted to use them.

For example, you can use USB blocker software for blocking USB ports for any user or computer with access to sensitive data while leaving the USB blocker turned off for users that pose less risk. 

You can also enforce the exclusive use of authorized USB devices by blocking USB ports to peripheral devices that have not been added to an allow list.

CurrentWare’s USB blocker software AccessPatrol allows you to block or unblock USB ports in just a few clicks, making USB security simple and scalable.

AccessPatrol includes key features to prevent data leakage to portable drives:

  • Only allow trusted devices
  • Get alerts of potentially malicious activity such as attempts to use unauthorized removable storage devices
  • Integration with Active Directory
  • Control other devices such as Bluetooth, Firewire, SD/MM cards, and scanners.

Learn More: Which devices can I control with AccessPatrol?

Pros of a USB Blocker SoftwareCons of a USB Blocker Software
Scalable USB security. Solutions that allow for remote central policy management make managing the USB security policies of an entire business scalable. The solution is not free. While there may be some freeware solutions with limited functionality available, the best features for business use are found in paid USB lockdown software
Greater visibility. The best USB lockdown software tools will include a feature to monitor USB activities.

Timestamped reports of what devices are being used, which computer it was used on, and which user was logged in are incredibly valuable when investigating suspected data leaks. 
Requires a software agent. To control all the USB ports with usb lockdown software tools you need to install a software client on each machine you’d like to control. This limits your ability to control USB ports on equipment that is owned by the user.
Granular control. Rather than completely blocking peripheral ports you can selectively choose what devices are allowed and who is allowed to use them.

The best USB control software will allow you to selectively assign read-only, read/write, and no access to each device type. 

Ready to start blocking USB devices? Get started today with a free trial of AccessPatrol, CurrentWare’s USB control software.

Removable Media Policy

removable media policy template mockup

Removable Media
Policy Template

  • Set data security standards for portable storage
  • Define the acceptable use of removable media
  • Inform your users about their security responsibilities

Get started today—Download the FREE template and customize it to fit the needs of your organization.

A removable media policy is a type of information security policy that dictates the acceptable use of portable storage devices such as USB flash drives, external hard drives, and tape drives. 

These policies serve as a critical administrative security control for managing the risks of removable media. They establish the security responsibilities of users, explain the importance of following security standards, and provide guidelines for protecting sensitive data when transmitting confidential data to portable storage.

A USB blocker works in tandem with these administrative security controls to ensure your users avoid high-risk behavior such as using personal USB devices or stealing data for personal or professional gain.

Block USB Ports With Epoxy, Super Glue, etc

While this is an extreme form of removable device protection, it’s a surprisingly commonly suggested tool. After all, it does prevent the use of peripheral ports on a computer; albeit permanently.

If you desperately need a USB blocker while on a shoestring budget, it technically get the job done. As they say, “sometimes it’s best to just take control of the physical layer and call it a day.”

While using epoxy as a literal port blocker will certainly prevent the use of removable storage devices, there are several downsides…

Pros of this USB BlockerCons of this USB Blocker
It’s a permanent USB blocker. The ports are truly blocked, ensuring that no devices can be used. You can’t unblock peripheral ports. With no option to block and unblock USB access, the computer is permanently unable to accept any devices for the rest of its lifespan.
It’s cheap and easy! No need to purchase USB blocking software or spend time in the BIOS on each computer. Applying epoxy is as simple as pressing a plunger.It harms employee productivity. Modern day keyboards, mice, and other peripherals need a USB port to function. A permanent USB blocker prevents the use of legitimate devices.
It’s unnecessarily destructive. The device immediately loses any value for resale/refurbishment. Reliably getting epoxy out of the ports simply isn’t worth the risk and labour.
It’s not scalable. While this might not take too much time for a few devices, it quickly becomes too much of a hassle for an entire fleet. 
It lacks flexibility. Physical USB blocking can only block or unblock the USB port. It lacks granular device control such as only blocking unauthorized storage devices.

USB Blocker Hardware for USB Ports

USB flash drive next to laptop

Sticking with the physical layer, you could try a USB port blocker. A hardware USB blocker works similarly to the epoxy method, but using a reversible lock-and-key system. 

While it will require a greater initial investment than epoxy, the ability to protect your ports from permanent damage is more than worth it. Since the USB ports are completely blocked, physical port locking with USB blocker hardware offers protection against all USB devices.

Pros of this USB BlockerCons of this USB Blocker
It’s a functional USB blocker. The USB ports are truly blocked, ensuring that no devices can be used. It’s not scalable. While this might not take too much time for a few computers, it quickly becomes too much of a hassle for an entire fleet. 

With a dedicated USB blocker software you can block or unblock unlimited USB ports in just a few clicks.
It’s cheap and easy! No need to purchase USB blocking software or spend time in the BIOS on each computer. It’s inconvenient. Any time a USB device needs to be allowed an authorized user needs to physically come up to the computer and remove the USB lock to unblock the port.  
Layered security. A physical USB blocker serves as an added layer of device control. When combined with USB blocker software a company will have full device control.It lacks flexibility. Physical USB blocking can only block or unblock the individual port. It lacks granular device control such as only blocking unauthorized USB storage devices.
Platform agnostic. A physical USB lock works regardless of the operating system of the computer, though you’ll need to have unique USB blockers for each USB connection type.

USB Security Hardware

USB converter

With so many security risks it can be risky to support allowing even trusted users to use their USB ports. USB security hardware such as a USB data blocker (“USB condom”) can allow charging via USB without enabling data transfer.

A USB firewall such as the USG can further protect against rogue USB devices by acting as an interface between a USB device and the user’s computer, limiting the USB device’s capabilities to only a few safe commands.

Pros of this USB BlockerCons of this USB Blocker
Layered security. USB security hardware serves as an added layer of device control. When combined with USB blocker software a company will have full device control.It’s not reliable. These devices are great for providing another layer of security, but it’s not a reliable standalone tool. All it would take is a user neglecting to use the provided protection to introduce malware.
It’s great for third-party USB drives. For edge-cases where unauthorized devices may need to interface with the network, a USB firewall offers excellent protection against malware.It’s inconvenient. With this tool the user needs to remember to bring a physical USB block with them. Should they lose the tool they’ll simply be tempted to use their port anyway.

Disable USB Ports on Each Computer

USB device trying to connect to a USB port. "Forbidden" symbol overlayed.

If you do not need a USB blocker solution that allows you to easily unblock USB ports as-needed, you could completely disable USB ports. On Windows devices this can be accomplished using the BIOS, by modifying Registry keys, disabling USB root hubs in Device Manager, or physically removing the USB ports altogether. 

While this may be feasible in environments that genuinely have no use for USB ports, when you block USB ports in this way you also prevent the use of modern day keyboards and mice, among other USB devices that are essential for business use. 

If you choose to leave any USB ports enabled it completely defeats the purpose of using a USB blocker in the first place. A user only needs one port to use unauthorized hardware to transfer files. With a USB hub they can easily connect multiple devices to any enabled ports. 

Pros of this USB BlockerCons of this USB Blocker
It’s inexpensive. There’s no need to purchase software, all you need is time. It harms employee productivity. Modern day keyboards, mice, and other peripherals need a USB port to function. Completely disabling the ports prevents the use of legitimate devices.
It lacks flexibility. Fully disabling ports blocks access to all devices, including those related to the business’ legitimate needs.
No visibility. If any ports are left enabled there is no way to monitor their use to ensure that unauthorized devices aren’t being used.

Looking for even more protection? Your cybersecurity risk management program needs to extend far beyond a USB block. Download the full CurrentWare Suite for enhanced control and visibility over your endpoints: Block dangerous websites, monitor employee computer activity, and restrict peripheral devices—all from the same central console. 

Prevent Data Leaks Today—Get Started With AccessPatrol USB Blocker Software

Hey everyone, this is Dale here. I am the Digital Marketing Manager for CurrentWare.

In today’s video, I’d like to show off the new USB activity dashboards introduced to AccessPatrol in version 7.0.

These dashboards provide a convenient overview of the peripheral device usage of your entire workforce as well as specific groups or users—all from the convenience of a web browser.

They work in tandem with AccessPatrol’s device control features and USB activity reports to protect sensitive data against the security risks of portable storage devices.

Today’s video is just a sneak peek of what AccessPatrol is capable of; as time goes on you can expect to see further enhancements and data points added to these dashboards.

At this time, AccessPatrol can track activities from the following peripherals:

  1. Portable storage devices such as USB flash drives, external hard drives, optical discs, tape drives, and SD cards
  2. and Mobile devices including smartphones, PDAs, and tablets

This device usage data is used to populate various graphs across AccessPatrol’s dashboards. You can further refine how granular this data is by limiting the time frame, selecting only specific groups, and even investigating individual users.

Having these metrics available at a glance makes detecting potential insider threats far more efficient as your organization scales. 

Any groups or users that need to be reviewed further can be investigated using the more granular dashboards and AccessPatrol’s device activity reports.

For a more proactive approach to insider threat management you can set up targeted alerts that will notify designated staff members when these high-risk activities occur. 

For the most up-to-date information on AccessPatrol’s activity tracking and data loss prevention capabilities, visit our knowledge base at CurrentWare.com/Support or visit the AccessPatrol product page at CurrentWare.com/AccessPatrol

 In the overview dashboard you can review the following metrics:

  • File Operations that happened over the selected time period, including the number of files that have been copied/created, the number of files that have been deleted, and the number of files that have been renamed/saved as.
  • Overall Device Activities, with a breakdown of how many of the peripherals were authorized and how many were blocked from use.
  • The Top 5 File Types graph shows the most common file types that are copied/created or deleted to and from portable storage devices
  • The Top 5 Device Types graph shows the most common classes of peripheral devices that are blocked and allowed
  • The Top 5 Files Operations graph shows which groups or users have the greatest number of files that have been Copied/Created and Deleted to and from portable storage devices
  • The Top 5 Devices Activities graph shows which groups or users have the greatest number of Blocked and Allowed devices.
  • And finally, The Activity Log provides access to the raw data, with controls to show and hide certain columns, filter and sort data, conduct searches, and export the data to an Excel spreadsheet or PDF. Each dashboard has their own Activity Log with columns that are relevant to that specific dashboard.

Moving on to the Files Dashboard you will see…

  • A timeline of file operations that shows the relationship between the various operations over the course of the selected time period. This can be used to search for patterns in anomalous device usage, such as peaks in file transfers outside of regular operating hours.
  • You will also see graphs with the Top File Types Copied/Created to internal hard drives and external devices
  • Below that, we have graphs that show the users or groups that have Copied/Created or Deleted the most files
  • And, just like the overview dashboard, there is an Activity Log with the raw data.

Finally, we have the Devices Dashboard

In this dashboard, we have…

  • A device activities graph that shows a timeline with the number of allowed and blocked devices each day. This can be further refined to show an hourly breakdown of a specific day so you can find out what time your users were attempting to use blocked devices. 
  • Next, we have graphs with the users or groups that have the most allowed and blocked devices activity over the selected time period. 
  • Scrolling down to the Activity Log, we can use the sorting controls to take a closer look at the users that have been attempting to use unauthorized peripherals.

As you can see, we have specific users that are repeatedly trying to use devices that have not been approved for use by the organization.

While this could just be an accidental oversight on the user’s part, there’s a risk that it’s something much more serious. 

For example, what if this is actually a disgruntled employee trying to steal trade secrets or sensitive customer data so they can bring it to a competitor, or worse, sell it to cybercriminals on the dark web.

Between the costs associated with a damaged reputation, fines, loss of competitive advantage, and remediation, a data breach like this could completely ruin a company.

Before we confront this employee or send them for retraining, let’s investigate this incident further so we can make an informed decision.

Clicking on this user, we’ll be taken to a dashboard that focuses exclusively on their activity. 

Looking at the Devices graph we can see that they have made multiple attempts to use blocked devices. 

Scrolling down, we can see that they’ve been trying to use unauthorized portable storage devices.

Since AccessPatrol is currently blocking any devices that are not explicitly allowed, I know that the only way sensitive data is leaving through a USB drive is if it’s a device that we’ve allowed before. So, let’s take a closer look at how they’ve been using their approved devices.

As you can see here, the types of files that they are transferring are more than capable of containing sensitive data; let’s take a look at the file names for more details.

With the Activity Log we can use the filters, sorting, and column options to isolate our view to the entries we’re the most interested in. 

Once we find something that looks off, we have more than enough information to confront this employee and take any necessary corrective actions.

Ready to protect your sensitive data against theft to USB portable storage devices? Block and monitor peripheral device usage today with a free trial of AccessPatrol, CurrentWare’s USB control software.

Simply visit CurrentWare.com/Download to get started instantly, or get in touch with us at CurrentWare.com/Contact to book a demo with one of our team members. See you next time!

Ready to stop data theft to USB devices? Get started today with a free trial of AccessPatrol, CurrentWare’s USB blocking software. Use AccessPatrol on a Windows PC or in a Citrix VDI deployment for free to test its USB blocking capabilities in your environment.

  • Block USB: Prevent the use of unauthorized USB devices on your Windows computers. The restrictions remain enforced on the device even without an internet connection
  • Granular Controls: Selectively block and unblock specific peripherals such as flash drives, external hard drives, SD/MM cards, Bluetooth, and WiFi. Assign unique security policies to each group of endpoints and users.
  • Monitor USB Activity: Get reports and alerts of removable storage device use. Find out what devices are being used, get auditable reports of file activity to portable storage, and get alerted when unauthorized devices are used.
  • Limit Data Transfer: Prevent authorized devices from stealing sensitive data by selectively restricting file transfers based on file name and extension.
  • Central Console: Access the password-protected web console from the convenience of a web browser to manage the solution and configure policies for your entire workforce.
Sai Kit Chu
Sai Kit Chu
Sai Kit Chu is a Product Manager with CurrentWare. He enjoys helping businesses improve their employee productivity & data loss prevention efforts through the deployment of the CurrentWare solutions.