Block unauthorized Human Interface Devices

What does this do?

Allows specific Human Interface Devices (HID), such as company-authorized keyboards and mice, and blocks all other keyboards and mice.  This allows control of keyboards and other input devices that may pose a security risk.


What types of devices are covered?

Only external HIDs using the USB port are covered, including wireless devices that connect through a USB dongle.  It does not include wireless devices that connect using Bluetooth, nor devices that connect using other types of cables (e.g. PS/2).

This feature distinguishes between two categories of HID:

  • Keyboards and Mice
    • These are the keyboards used for typing text input into the computer, and mice used to control the UI
    • Other devices may also fall into this category if they identify as being in the same class as keyboards or mice due to compatibility or plug-and-play functionality. 
      Example: a barcode scanner that “types” the barcode data into the current application, or a graphics tablet and pen that works like a mouse.
  • Other HID
    • This covers most other input devices that identify themselves to the OS as input-type devices using the USB port, or the input functionality portion of devices.
      Example: game controllers, the media controller buttons of some audio headsets

Note: due to the vast number of device types and manufacturers, it is not possible to cover all the unique aspects of all input devices.  Keyboards and mice generally follow OS standards; however, other uncommon devices may implement custom methods and classifications which won’t be managed by AccessPatrol.


How to set this up

Before enabling any blocking functionality in AccessPatrol, it is highly recommended to consider the following points:

  • What is the impact if a user is blocked from using this device?
  • Do there need to be separate policies for different groups of users?
  • How can a user request to have their new device unblocked?

Based on the considerations above, the features relating to HID blocking can be utilized to provide a good user experience.

Setting up an allowed list of HID Devices

  1. Each computer or user group can have their own allowed list
  2. Select the group that you would like to manage the allowed list of
  3. Select the Allowed List button
    • This shows the current Allowed List of the selected group.
  4. Click on the red “Add from Available Devices” button on the left-hand side.

Available Devices List

For keyboards and mice, ensure the “Show HID” button is enabled.


This shows the devices that have most recently connected to the client PCs.  Select the ones you wish to add to the Allowed List and click “Add to Allowed List”.

The dialog that appears allows you to add the selected devices to the Allowed List of multiple groups if you wish.  Clicking “Add to Allowed List” will complete the action for the selected groups.


Enable Blocking for Human Interface Devices

Once there are sufficient devices added to the Allowed List, the HID blocking can be enabled. This will deny the use of HIDs that are not on the Allowed List.


Other HIDs

This category generally covers Human Interface Devices that are not classified as Keyboard and Mouse.  The classification is dependent on the individual device manufacturer’s reported specifications.  Consequently, some devices are classified under an unexpected category due to their capabilities or for compatibility reasons.  For example, a barcode scanner may be classified under Keyboard, as it is able to “type” the barcode information directly into the active application.

Devices may appear under multiple device classes

Some devices may appear under multiple device classes as they have functionality that can be categorized under each of those categories.  For example, an audio headset has media capabilities, but may also have extra buttons for controlling playback or macro functionality, and these appear under Input classes.

AccessPatrol can control USB Input class devices (which are under Human Interface Devices in Windows Device Manager).  Only the input-type functionality will appear in dashboards and reports.
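The scope and category rules described above can be previewed against a Windows device inventory before blocking is enabled. The following is an added example, not CurrentWare code and not AccessPatrol's own logic: it assumes the usual Windows instance-ID patterns (USB-attached nodes carry VID_xxxx&PID_xxxx, PS/2 devices enumerate under ACPI, Bluetooth HID nodes carry a service GUID), and the sample inventory and the function names classify and multi_class_devices are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: (Windows device setup class, device instance ID) pairs.
# IDs are illustrative, not taken from a real machine.
SAMPLE = [
    ("Keyboard", r"HID\VID_046D&PID_C31C&MI_00\7&1A2B3C4D&0&0000"),
    ("HIDClass", r"HID\VID_046D&PID_C31C&MI_01&COL01\7&2B3C4D5E&0&0000"),
    ("Mouse",    r"HID\VID_045E&PID_0745&MI_01&COL01\8&3C4D5E6F&0&0000"),
    ("Keyboard", r"HID\VID_05E0&PID_1200\6&4D5E6F70&0&0000"),       # barcode scanner
    ("MEDIA",    r"USB\VID_0B0E&PID_0305&MI_00\6&5E6F7081&0&0000"), # headset audio
    ("HIDClass", r"HID\VID_0B0E&PID_0305&MI_03\7&6F708192&0&0000"), # headset buttons
    ("Keyboard", r"ACPI\PNP0303\4&708192A3&0"),                     # PS/2 keyboard
    ("Mouse",    r"HID\{00001124-0000-1000-8000-00805F9B34FB}"
                 r"_VID&0002046D_PID&B342\9&8192A3B4&0&0000"),      # Bluetooth mouse
]

# The page's two categories, keyed by Windows setup class.
CATEGORY = {"Keyboard": "keyboard/mouse", "Mouse": "keyboard/mouse",
            "HIDClass": "other HID"}
# USB-attached nodes carry VID_xxxx&PID_xxxx right after the enumerator name.
USB_ID = re.compile(r"^(?:USB|HID)\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.I)

def classify(dev_class, instance_id):
    """Return (category, 'VID:PID' or None) for one device node."""
    m = USB_ID.match(instance_id)
    vidpid = f"{m[1]}:{m[2]}".upper() if m else None
    if dev_class not in CATEGORY:
        return "not an input function", vidpid
    if vidpid is None:
        return "input, not USB (out of scope)", None
    return CATEGORY[dev_class], vidpid

def multi_class_devices(inventory):
    """Device models (by VID:PID) whose functions span several setup classes.
    Two units of the same model share a VID:PID and are merged here."""
    classes = defaultdict(set)
    for dev_class, instance_id in inventory:
        _, vidpid = classify(dev_class, instance_id)
        if vidpid:
            classes[vidpid].add(dev_class)
    return {k: sorted(v) for k, v in classes.items() if len(v) > 1}

if __name__ == "__main__":
    for dev_class, instance_id in SAMPLE:
        print(classify(dev_class, instance_id), instance_id)
    print(multi_class_devices(SAMPLE))
```

A real inventory in the same shape can be taken from the Class and InstanceId properties returned by the PowerShell cmdlet Get-PnpDevice -PresentOnly.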


Tips for making the most of the feature

Alerts

By setting up email alerts, you can be notified when a user has attempted to use any blocked device.  For full details on this feature, see Setting up Email Alerts with File and Device Activities.

Warning message

If you would like to display a warning message to users when a device is blocked, see How to setup device blocking.


FAQs

What types of Human Interface Devices does this support?

This feature works on USB keyboards, mice, most game controllers, graphics tablets, barcode scanners, and many other devices that connect through the standard USB port (either wired or wirelessly).

What happens when a device is blocked?

Once the CurrentWare client running on a user’s PC has received a policy relating to blocking devices, it disables the devices through the OS drivers, and prevents them from being re-enabled by the user.  The device will cease functioning as if it was not connected to the PC.

How can a user return the blocked device to a working condition?

They will need to inform a CurrentWare administrator / operator to add the device to the Allowed List.  By providing their username or PC name and the device name, an administrator can determine the device in question from the dashboard and available devices list, and add the device to the Allowed List.  The user must be connected to the network for the new policy to be sent to their PC.

How can a user request access to a device if they are not connected to the network?

They can request temporary access using the Access Code feature; see How do I temporarily allow device access?

Does this handle Rubber Ducky, BadUSB and similar devices?

These devices are specifically designed to trick the OS into believing that the device is something else (for example a standard keyboard), to subvert the usual defenses.

Currently, AccessPatrol does not have the ability to override the OS functionality, and cannot detect usage of these types of devices.


If you have further issues with your CurrentWare Solutions, contact our technical support team.

