Advanced permissions apply when
you grant limited permissions to most storage devices. The permission can be any of
the
following:
-
Modify
-
Read and execute
-
Read
-
List device content only
You can keep the permissions limited but grant advanced
permissions to certain programs on the storage devices and on the local endpoint.
To define programs, configure the following program lists.
Program Lists
|
Description
|
Valid Inputs
|
|
|
Programs with read and write access to devices
|
This list contains local programs and programs on
storage devices that have read and write access to the devices.
An example of a local program is Microsoft Word
(
winword.exe), which is usually found in C:\Program
Files\Microsoft Office\Office. If the permission for USB storage devices is
"List device content only" but "C:\Program Files\Microsoft
Office\Office\winword.exe" is included in this list:
|
Program path and name
For details, see Wildcard Support for the Device Control Allowed Programs List.
|
|
Programs on devices that are allowed to execute
|
This list contains programs on storage devices that
users or the system can execute.
For example, if you want to allow users to install
software from a CD, add the installation program path and name, such as
"
E:\Installer\Setup.exe", to this list. |
Program path and name or Digital Signature Provider
|
There are instances when you need to add a program to both
lists. Consider the data lock feature in a USB storage device, which, if enabled,
prompts users
for a valid user name and password before the device can be unlocked. The data lock
feature uses
a program on the device called "
Password.exe", which must be allowed to
execute so that users can unlock the device successfully. "Password.exe"
must also have read and write access to the device so that users can change the user
name or
password. Each program list on the user interface can contain up to 100 programs.
If you want to add more programs to a program list, you will need to add them to the
ofcscan.ini file, which can accommodate up to 1,000 programs. For instructions
on adding programs to the ofcscan.ini file, see Adding Programs to the Device Control Lists Using
ofcscan.ini. |
WARNINGPrograms added to the
ofcscan.ini file will be deployed to the root domain
and will overwrite programs on individual domains and agents. |