The Device Lock feature gives IT managers a way to further secure a thin client workplace by disabling specific models or entire classes of USB devices.
USB device ID (VID and PID) and USB class
Each USB device is characterized by a specific Vendor ID (VID) and Product ID (PID), which depend on the chipset it integrates.
Furthermore, USB devices are divided into classes on the basis of their specific application and features, regardless of the device manufacturer. Each USB device is characterized by a Class (also known as "Base Class" in some USB-IF documentation), a Subclass and a Protocol ID. For more information about USB device VID, PID, Class, Subclass and Protocol ID, see https://www.usb.org/defined-class-codes .
In this way it is possible to identify both a specific USB device model from a specific vendor (using VID and PID) and a whole class of USB devices (using Class, Subclass and Protocol) from any manufacturer.
VID, Class, Subclass and Protocol ID are defined by USB-IF, the USB Implementers Forum, Inc. For more information, see https://www.usb.org .
Devices of different brands may actually have the same VID and PID because they integrate the same chipset. Likewise, a vendor may manufacture the same device model with different chipsets, so that two distinct items of the same model may present different VID and PID.
Resolving USB device VID and PID
To resolve the VID and PID of a specific USB device, open Windows Device Manager (on Windows 10, right-click the Start menu and select Device Manager), select the device, right-click it and open its properties.
Now open the Details tab and select the property "Hardware IDs". In most cases the device VID and PID are displayed in the values box. If they are not present under this property, look for the VID and PID in the other properties listed in the Property drop-down list.
Device Lock management panel
Access the USB Device Lock feature by selecting the "Device Lock" tab in the left sidebar menu.
The Device Lock feature lets you define a set of rules to lock USB devices. Once a device has been added to the Lock List, it is no longer accessible to, or visible from, the operating system. In other words, when a USB device is defined as "locked" it is also hidden, and therefore it is no longer listed in the Windows resource list.
Before starting any USB Device Lock configuration, the Unified Write Filter (UWF) has to be disabled. Praim Agile checks this constraint for you and displays a warning message in a red box at the top of the window, reminding you to disable the Unified Write Filter (UWF).
To disable the Unified Write Filter (UWF), refer to Using the Write Filter in this guide.
No USB Device Lock rule management is allowed while the Unified Write Filter (UWF) is enabled.
Add USB Locking Rule
The first time you access the Device Lock section, you will find the rules list empty and the service disabled (i.e. "Enable device block" unchecked).
In this condition you can click the "+ ADD RULE" button at the top right and begin adding USB locking rules.
Otherwise, if you have already added at least one USB device locking rule and the USB lock feature is enabled, you have to disable it by unchecking the top-left box before you are allowed to access the rules list or add any rule.
Clicking "+ ADD RULE" opens the "New rule" window. It is divided into two sections: the upper one is dedicated to USB device locks, whereas the lower one is for USB class locks.
A rule is defined by only one of them: in a rule you can specify either a USB device or a USB class to lock, never both.
ADD USB Device Locking Rule
If you want to lock a USB device that is already connected to the system (thin client or PC), open the list of available USB devices by clicking the downward arrow on the right of the "Available device" combo box.
The system lists all connected USB devices. Select the device you want to lock and confirm with OK. The system automatically creates a USB device locking rule characterized by the device name, VID and PID displayed in the available device list, so you do not have to supply any further parameter.
USB devices list refresh
Please note that if you connect a USB device after you have opened the "New rule" window, the device is not reported in the USB devices drop-down list. To refresh the list of connected USB devices, close the "New rule" window by clicking "Cancel" and reopen it. The most recently connected device is now displayed correctly in the list.
When connected, the keyboard and mouse are also reported in the USB Available devices list, as is the internal USB hub that usually serves all front USB sockets. Consider carefully whether you really want to lock these devices. If you have accidentally locked the keyboard and/or mouse, you have to replace it temporarily with different hardware (the VID or PID has to be different from the locked ones) or manage the system remotely with the Praim ThinMan management software to remove the locking rules. If, instead, you have accidentally locked the internal USB hub, use a USB socket connected directly to the motherboard to connect the keyboard or mouse and remove the locking rules.
If you need to add a locking rule without connecting the device to the system, you can type the VID and PID values directly into the rule input form, ignoring the "Available device" list. After you click OK, a locking rule is created with only the VID and PID pair as device identifier, without any further description.
The picture above shows the difference between a locking rule created by selecting the device from the "Available devices" list and a locking rule created by typing the VID and PID directly: the first one reports the meaningful USB type description as device identifier, whereas the second one reports only its VID and PID as identifier.
ADD USB Class Locking Rule
You can lock a whole USB device class with a single locking rule. The easiest way is to select a class from the "Device Classes" drop-down list in the lower section of the "New rule" form.
The listed classes are the official ones defined by the USB Implementers Forum (USB-IF). When you select a USB class, the system automatically fills in the "Class" parameter and, if defined, the Subclass and Protocol too. In practice these last two parameters are preset only for the Keyboard and Mouse classes. The Subclass and Protocol rule parameters remain editable if you need to configure them.
Although changing it is allowed, we suggest leaving the Class ID assigned by default for the selected USB class unchanged.
It is possible to create a USB class locking rule without choosing an official USB class from the drop-down list. In this case, select the first entry in the classes drop-down list (i.e. "---------") and then fill in the Class parameter and, if defined, the Subclass and Protocol too. A rule created in this way has the description "---------" and reports the Class, Subclass and Protocol parameters as details.
The picture above shows how USB class locking rules created in the two different ways are listed differently, i.e. by selecting a USB class from the list or by creating a USB class locking rule "from scratch".
Arranging the USB Locking Rules List
Once you have created more than one USB locking rule, you can arrange their order in the list. The order of the rules has no effect on the USB lock: all locking rules are applied regardless. Rule ordering is intended only for logical and practical grouping or sorting. To sort the rules list, simply drag a rule with the mouse and drop it in the new position.
Enabling and disabling USB Locking Rules
For the USB locking rules to take effect, you have to check the "Enable devices block" checkbox at the top left of the "Device lock" form.
Before activating the USB locking rules, the system checks whether you have created any device or class locking rule involving the keyboard and/or mouse; if so, it notifies you and requires your confirmation.
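The Hardware IDs lookup and the keyboard/mouse check described above can be rehearsed offline against a planned rule list. The following is an added example, not Praim code: it parses ID strings as Device Manager shows them (class codes are read from the "Compatible IDs" property) and reports which devices a rule list would lock. The `Rule` model, the matching semantics and all sample values are assumptions or constructed.

```python
import re
from collections import namedtuple

VIDPID = re.compile(r"VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.I)
# The leading backslash keeps this from matching inside "DevClass_".
CLASS = re.compile(
    r"\\Class_([0-9A-F]{2})(?:&SubClass_([0-9A-F]{2}))?(?:&Prot_([0-9A-F]{2}))?", re.I)
# USB-IF codes: HID boot keyboard 03/01/01, HID boot mouse 03/01/02, hub class 09.
INPUT_ROLES = {(3, 1, 1): "keyboard", (3, 1, 2): "mouse"}
# Hypothetical model of one rule: set vid+pid OR cls, never both.
Rule = namedtuple("Rule", "vid pid cls sub proto", defaults=(None,) * 5)

def parse_ids(id_strings):
    """Return (vid, pid, (cls, sub, proto)), keeping the most specific class string."""
    vid, pid, triple = None, None, (None, None, None)
    for s in id_strings:
        m = VIDPID.search(s)
        if m and vid is None:
            vid, pid = int(m.group(1), 16), int(m.group(2), 16)
        m = CLASS.search(s)
        if m:
            found = tuple(int(g, 16) if g else None for g in m.groups())
            if sum(v is not None for v in found) > sum(v is not None for v in triple):
                triple = found
    return vid, pid, triple

def rule_matches(rule, vid, pid, triple):
    """Assumed semantics: an unset Subclass/Protocol in a class rule matches any."""
    if rule.cls is None:
        return rule.vid is not None and (rule.vid, rule.pid) == (vid, pid)
    return all(w is None or w == have for w, have in zip(rule[2:], triple))

def review(rules, devices):
    """Map each device name to 'allowed', 'locked' or 'locked: <critical role>'."""
    report = {}
    for name, ids in devices.items():
        vid, pid, triple = parse_ids(ids)
        role = "hub" if triple[0] == 9 else INPUT_ROLES.get(triple)
        locked = any(rule_matches(r, vid, pid, triple) for r in rules)
        report[name] = ("locked: " + role if role else "locked") if locked else "allowed"
    return report

# Constructed sample IDs in the format Device Manager displays.
DEVICES = {
    "keyboard": ["USB\\VID_1234&PID_0001&REV_0100", "USB\\Class_03&SubClass_01&Prot_01"],
    "flash drive": ["USB\\VID_1234&PID_0002", "USB\\Class_08&SubClass_06&Prot_50"],
    "card reader": ["USB\\VID_ABCD&PID_0003", "USB\\Class_0B&SubClass_00&Prot_00"],
}
RULES = [Rule(cls=0x03), Rule(vid=0x1234, pid=0x0002)]
```

Calling `review(RULES, DEVICES)` shows that a class rule with only Class 03 set also locks the keyboard, which is the situation the confirmation prompt exists to catch.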
Locking rules protection
After enabling the locking rules, we suggest activating the Unified Write Filter (UWF) option to prevent unwanted changes to, or deletion of, the rules.
Once the Unified Write Filter (UWF) has been disabled, disabling all USB locking rules only requires unchecking the "Disable devices block" control at the top left of the Device Lock panel. In this way you can temporarily suspend all USB locking rules without deleting them.
Disabling the Unified Write Filter
Enabling, disabling or managing any USB locking rule requires the Unified Write Filter (UWF) to be disabled. The system reminds you of this with a specific warning at the top of the Device Lock panel. Please remember that enabling or disabling the UWF always requires a system reboot.
Modify USB Lock Rule
There is no way to modify a USB locking rule. If you want to change a rule, you have to open the rule list and delete the unwanted rule by clicking the red bin icon that appears on the right of the rule item when the mouse is moved over it.
After you click the red bin, the rule is deleted immediately, without any further confirmation request!
After you have deleted the rule, you can create a new one with the desired parameters.
Delete USB Lock Rule
To delete a locking rule, click the red bin icon that appears on the right of the rule item when the mouse is moved over it. See the picture above.
After you click the red bin, the rule is deleted immediately, without any further confirmation request!