Secure Access Service Edge: Protect data security by managing peripheral devices

Last Updated: Jun 20, 2026

To prevent employees from using peripheral devices (such as USB drives or Bluetooth) to transfer sensitive files and cause significant business loss, use the Office Data Protection feature (DLP) in SASE to control peripheral devices. This enables real-time monitoring of sensitive data transfers and helps track data breach risks. This topic describes how to configure control policies, view detection results for sensitive behaviors, and set up a peripheral device whitelist.

Supported peripheral devices

| Operating system | Supported peripheral devices and interfaces | Description |
| --- | --- | --- |
| Windows | Supported peripheral devices: USB Drive, Printer, portable devices, Card Reader, Optical Drive. Supported device interfaces: Bluetooth. | Only USB Drive supports the following access permissions: Prohibited, Read/Write, and Read-only. All other devices and interfaces support only the Prohibited option. Selecting this option prevents employees from using the corresponding device or interface to transfer data. If you set USB Drive to Read/Write, transferring internal files via USB drives or USB storage triggers sensitive behavior detection. |
| macOS | Supported peripheral devices: USB Drive. Supported device interfaces: Bluetooth, AirDrop. | |

Prerequisites

Configure peripheral device control policies

  1. Log on to the Secure Access Service Edge console.

  2. In the left navigation pane, choose Data Protection > Policy Center.

  3. Select the Peripheral Management tab, then click Create Policy.

  4. In the Create Policy panel, configure the settings based on the following table.

    | Configuration item | Description |
    | --- | --- |
    | Policy Name | The name of the policy. It must be 2 to 32 characters long and can contain letters, digits, hyphens (-), underscores (_), and Chinese characters. |
    | Policy Description | A description of the policy. |
    | Status | The policy status: enabled or disabled. The policy takes effect only when it is enabled. |
    | Priority | The priority of the policy. Priority values range from 1 to 10. A lower number means higher priority. |
    | Applicable User | The users or user groups affected by the policy. |
    | Windows | Supported peripheral devices: USB Drive, Printer, portable devices, Card Reader, Optical Drive. Supported device interfaces: Bluetooth. Only USB Drive supports the following access permissions: Prohibited, Read/Write, and Read-only. All other devices and interfaces support only the Prohibited option. Selecting this option prevents employees from using the corresponding device or interface to transfer data. |
    | macOS | Supported peripheral devices: USB Drive. Supported device interfaces: Bluetooth, AirDrop. Only USB Drive supports the following access permissions: Prohibited, Read/Write, and Read-only. All other devices and interfaces support only the Prohibited option. Selecting this option prevents employees from using the corresponding device or interface to transfer data. |
    | Approval Process Configuration | If a peripheral device poses a security risk, you can choose whether to allow employees to report it. If you enable employee reporting, select an appropriate approval flow. For more information about creating approval flows, see Configure approval flows. |
    | Prompt Display Configuration | Set the message shown when access to a peripheral device is blocked. You can set messages in both Chinese and English. |

  5. Click OK.

    After creation, your policy appears in the policy list. The Office Data Protection feature controls peripheral devices based on your configuration.

View sensitive behavior detection results

If you set USB Drive to Read/Write, transferring internal files via USB drives or USB storage triggers sensitive behavior detection. Based on the detection results, the system analyzes data from the last 30 days, 7 days, or 24 hours.

  1. In the left navigation pane, choose Data Protection > Sensitive Behavior Detection.

  2. On the Sensitive Behavior Detection page, view statistics on sensitive files sent via USB drives and USB storage during a specified time period.

  3. In the list of employees involved in sending sensitive files, click Details to view specific information about the employee's file transfer.

  4. Click Details in the Actions column for a specific file to view its sensitive message, matched policy, office endpoint, and transfer method.

Configure a peripheral device whitelist

To exempt certain employees from peripheral device auditing and control, configure a peripheral device whitelist in Office Data Protection. SASE applies a permissive allow policy to whitelisted employees.

  1. On the Peripheral Management page, click Peripheral Whitelist.

  2. On the Whitelist tab, add employees to the whitelist.

    In the Peripheral control whitelist box, enter whitelist entries separated by commas. Press Enter to confirm.

  3. Click Submit.

Adjust policy priority

To adjust the priority of a peripheral device control policy, click the Edit icon and change the number. Priority values range from 1 to 10. A lower number indicates higher priority.
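
The policy settings, whitelist and priority rules described above can be checked offline before policies are entered in the console. The Python below is an added example, not part of SASE or its documentation: the `Policy` record, `lint` and `effective_mode` are hypothetical names, the character ranges used for policy names are assumptions, and the rule that the lowest-numbered enabled matching policy wins is an assumption about how priorities resolve.

```python
import re
from dataclasses import dataclass, field

# Devices and interfaces per OS, copied from the table on this page.
SUPPORTED = {
    "Windows": {"USB Drive", "Printer", "portable devices", "Card Reader", "Optical Drive", "Bluetooth"},
    "macOS": {"USB Drive", "Bluetooth", "AirDrop"},
}
USB_MODES = {"Prohibited", "Read/Write", "Read-only"}
# Assumption: "letters" = ASCII letters, "Chinese characters" = U+4E00..U+9FFF.
NAME_RE = re.compile(r"[A-Za-z0-9_\-\u4e00-\u9fff]{2,32}")

@dataclass
class Policy:  # hypothetical record mirroring the Create Policy panel
    name: str
    priority: int
    enabled: bool
    users: set
    controls: dict = field(default_factory=dict)  # {(os, device): mode}

def lint(p):
    """Return the rule violations for one planned policy (empty list = OK)."""
    errs = []
    if not NAME_RE.fullmatch(p.name):
        errs.append("name: 2-32 letters, digits, '-', '_' or Chinese characters")
    if not 1 <= p.priority <= 10:
        errs.append("priority: must be 1 to 10")
    for (os_name, device), mode in p.controls.items():
        if device not in SUPPORTED.get(os_name, set()):
            errs.append(f"{os_name}/{device}: unsupported device or interface")
        elif mode not in (USB_MODES if device == "USB Drive" else {"Prohibited"}):
            errs.append(f"{os_name}/{device}: mode {mode!r} is not available")
    return errs

def effective_mode(policies, whitelist, user, os_name, device):
    """Mode applied to a user, or None if whitelisted or no policy matches."""
    if user in whitelist:  # whitelisted employees are not audited or controlled
        return None
    hits = [p for p in policies
            if p.enabled and user in p.users and (os_name, device) in p.controls]
    # Assumption: the matching policy with the lowest priority number wins.
    return min(hits, key=lambda p: p.priority).controls[(os_name, device)] if hits else None

# Constructed sample data, not taken from a real tenant.
POLICIES = [
    Policy("usb-readonly", 5, True, {"alice", "bob"}, {("Windows", "USB Drive"): "Read-only"}),
    Policy("usb-block", 1, True, {"bob"}, {("Windows", "USB Drive"): "Prohibited"}),
    Policy("airdrop-off", 3, False, {"alice"}, {("macOS", "AirDrop"): "Prohibited"}),
]
WHITELIST = {"carol"}
```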

Disable a policy

If you no longer need the policy for current operations, disable the Policy Status. The policy settings remain saved. When needed again, simply enable the Policy Status.

Delete a policy

If you no longer need the policy for future operations, click Delete to remove it.

Important

Deleted policies cannot be recovered. Proceed with caution.
