To prevent employees from using peripheral devices (such as USB drives or Bluetooth) to transfer sensitive files and cause significant business loss, use the Office Data Protection (DLP) feature in SASE to control peripheral devices. This enables real-time monitoring of sensitive data transfers and helps you track data breach risks. This topic describes how to configure control policies, view detection results for sensitive behaviors, and set up a peripheral device whitelist.
Supported peripheral devices

| Operating system | Supported peripheral devices and interfaces | Description |
| --- | --- | --- |
| Windows | Peripheral devices: USB Drive, Printer, portable devices, Card Reader, Optical Drive. Device interfaces: Bluetooth. | Only USB Drive supports the access permissions Prohibited, Read/Write, and Read-only. All other devices and interfaces support only Prohibited, which prevents employees from using the corresponding device or interface to transfer data. If you set USB Drive to Read/Write, transferring internal files via USB drives or USB storage triggers sensitive behavior detection. |
| macOS | Peripheral devices: USB Drive. Device interfaces: Bluetooth, AirDrop. | Same permission model as Windows: only USB Drive supports Prohibited, Read/Write, and Read-only; Bluetooth and AirDrop support only Prohibited. |
Prerequisites

- You have purchased the Office Data Protection edition of SASE Internet Access Security. For more information, see Secure Access Service Edge Billing overview and Purchase Secure Access Service Edge.
- You have added users and user groups. For more information, see Connect LDAP identity sources and Set user groups.
Configure peripheral device control policies

- Log on to the Secure Access Service Edge console.
- In the left navigation pane, choose .
- Select the Peripheral Management tab, then click Create Policy.
- In the Create Policy panel, configure the settings based on the following table.
| Configuration item | Description |
| --- | --- |
| Policy Name | The name of the policy. It must be 2 to 32 characters long and can contain letters, digits, hyphens (-), underscores (_), and Chinese characters. |
| Policy Description | A description of the policy. |
| Status | The policy status: enabled or disabled. The policy takes effect only when it is enabled. |
| Priority | The priority of the policy. Priority values range from 1 to 10. A lower number means higher priority. |
| Applicable User | The users or user groups affected by the policy. |
| Windows | Supported peripheral devices: USB Drive, Printer, portable devices, Card Reader, Optical Drive. Supported device interfaces: Bluetooth. Only USB Drive supports the access permissions Prohibited, Read/Write, and Read-only. All other devices and interfaces support only Prohibited, which prevents employees from using the corresponding device or interface to transfer data. |
| macOS | Supported peripheral devices: USB Drive. Supported device interfaces: Bluetooth, AirDrop. Only USB Drive supports the access permissions Prohibited, Read/Write, and Read-only. All other devices and interfaces support only Prohibited, which prevents employees from using the corresponding device or interface to transfer data. |
| Approval Process Configuration | If a peripheral device poses a security risk, you can choose whether to allow employees to report it. If you enable employee reporting, select an appropriate approval flow. For more information about creating approval flows, see Configure approval flows. |
| Prompt Display Configuration | The message shown when access to a peripheral device is blocked. You can set messages in both Chinese and English. |

- Click OK.
After creation, your policy appears in the policy list. The Office Data Protection feature controls peripheral devices based on your configuration.
View sensitive behavior detection results

If you set USB Drive to Read/Write, transferring internal files via USB drives or USB storage triggers sensitive behavior detection. You can analyze the detection results for the last 30 days, 7 days, or 24 hours.

- In the left navigation pane, choose .
- On the Sensitive Behavior Detection page, view statistics on sensitive files sent via USB drives and USB storage during the selected time period.
- In the list of employees involved in sending sensitive files, click Details to view specific information about that employee's file transfers.
- Click Details in the Actions column for a specific file to view its sensitive content, matched policy, office endpoint, and transfer method.
Configure a peripheral device whitelist

If you want SASE to exclude certain employees from auditing and controlling their peripheral device usage, configure a peripheral device whitelist in Office Data Protection to apply a permissive allow policy for those employees.

- On the Peripheral Management page, click Peripheral Whitelist.
- On the Whitelist tab, add employees to the whitelist. In the Peripheral control whitelist box, enter whitelist entries separated by commas. Press Enter to confirm.
- Click Submit.
Adjust policy priority

To adjust the priority of a peripheral device control policy, click the icon and change the number. Priority values range from 1 to 10. A lower number indicates higher priority.
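The configuration table, the whitelist section and the priority rule above together describe a small policy model: per-OS device permissions with a USB-only Read/Write and Read-only option, a 1 to 10 priority where a lower number wins, an enabled flag, and a whitelist that exempts named employees. The following Python script is an added example that models that resolution logic so you can check what a given user would actually be allowed to do before rolling a policy out; it is not SASE's own code. The policy names, user names and the `effective_permission` tie-break rules (whitelist exempts every policy; the enabled matching policy with the lowest priority number wins; a device no matching policy mentions stays uncontrolled) are assumptions, as is treating Applicable User as a flat set of user names rather than resolving user groups.

```python
import re
from dataclasses import dataclass

# Constructed model of the page's configuration items (not SASE's own code).
# Policy Name rule from the page: 2-32 chars of letters, digits, '-', '_' or Chinese characters.
NAME_RE = re.compile(r"^[A-Za-z0-9_\-\u4e00-\u9fff]{2,32}$")

# Devices and interfaces the page lists as controllable per operating system.
SUPPORTED = {
    "Windows": {"USB Drive", "Printer", "portable devices", "Card Reader", "Optical Drive", "Bluetooth"},
    "macOS": {"USB Drive", "Bluetooth", "AirDrop"},
}
# Only USB Drive offers all three permissions; everything else supports Prohibited only.
USB_PERMISSIONS = {"Prohibited", "Read/Write", "Read-only"}


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int       # 1..10, lower number = higher priority
    enabled: bool       # Status: the policy takes effect only when enabled
    users: frozenset    # Applicable User (assumed to be already-resolved user names)
    rules: dict         # {os_name: {device_or_interface: permission}}


def validate_policy(policy: Policy) -> list:
    """Return the list of constraint violations from the configuration table (empty if valid)."""
    errors = []
    if not NAME_RE.match(policy.name):
        errors.append("name must be 2-32 letters, digits, '-', '_' or Chinese characters")
    if not 1 <= policy.priority <= 10:
        errors.append("priority must be between 1 and 10")
    for os_name, devices in policy.rules.items():
        allowed = SUPPORTED.get(os_name)
        if allowed is None:
            errors.append(f"unsupported operating system {os_name!r}")
            continue
        for device, permission in devices.items():
            if device not in allowed:
                errors.append(f"{device!r} is not controllable on {os_name}")
            elif device == "USB Drive":
                if permission not in USB_PERMISSIONS:
                    errors.append(f"USB Drive permission {permission!r} is invalid")
            elif permission != "Prohibited":
                errors.append(f"{device!r} supports only 'Prohibited'")
    return errors


def effective_permission(policies, whitelist, user, os_name, device) -> str:
    """Resolve the permission one user gets for one device on one OS.

    Assumed resolution order (not spelled out on the page): a whitelisted user is
    exempt from every policy; otherwise the enabled policy that applies to the
    user and mentions the device with the lowest priority number wins; a device
    that no matching policy mentions is left uncontrolled, i.e. "Read/Write".
    """
    if user in whitelist:
        return "Read/Write"
    matching = [
        p for p in policies
        if p.enabled and user in p.users and device in p.rules.get(os_name, {})
    ]
    if not matching:
        return "Read/Write"
    winner = min(matching, key=lambda p: p.priority)
    return winner.rules[os_name][device]


def triggers_sensitive_detection(permission: str, device: str) -> bool:
    """Per the page, only USB Drive set to Read/Write feeds sensitive behavior detection."""
    return device == "USB Drive" and permission == "Read/Write"


# Constructed sample policies and whitelist for a dry run.
SAMPLE_POLICIES = [
    Policy("finance-usb-readonly", 2, True, frozenset({"alice", "bob"}),
           {"Windows": {"USB Drive": "Read-only", "Bluetooth": "Prohibited"}}),
    Policy("all-staff-default", 8, True, frozenset({"alice", "bob", "carol"}),
           {"Windows": {"USB Drive": "Read/Write"}, "macOS": {"AirDrop": "Prohibited"}}),
    # Disabled: kept on file but must not influence resolution.
    Policy("legacy-block-usb", 1, False, frozenset({"alice"}),
           {"Windows": {"USB Drive": "Prohibited"}}),
]
SAMPLE_WHITELIST = {"dave"}

if __name__ == "__main__":
    for p in SAMPLE_POLICIES:
        print(p.name, "valid" if not validate_policy(p) else validate_policy(p))
    for user, os_name, device in [("alice", "Windows", "USB Drive"), ("carol", "Windows", "USB Drive"),
                                  ("bob", "Windows", "Bluetooth"), ("dave", "macOS", "AirDrop")]:
        perm = effective_permission(SAMPLE_POLICIES, SAMPLE_WHITELIST, user, os_name, device)
        print(f"{user:6} {os_name:8} {device:10} -> {perm}"
              f"{'  (sensitive behavior detection applies)' if triggers_sensitive_detection(perm, device) else ''}")
```

Running the dry run shows the interaction the page describes: alice gets Read-only on Windows USB drives because the priority-2 finance policy beats the priority-8 default, the disabled priority-1 policy is ignored entirely, carol falls through to the default and therefore has her USB transfers fed into sensitive behavior detection, and dave is exempt from all of it through the whitelist.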
Disable a policy

If you no longer need the policy for current operations, disable the Policy Status. The policy settings remain saved. When needed again, simply enable the Policy Status.

Delete a policy

If you no longer need the policy for future operations, click Delete to remove it. Deleted policies cannot be recovered. Proceed with caution.
References

- To view and trace logs of sent sensitive files, see Sensitive file detection logs.
- To protect data security by detecting files sent by employees, see Protect data security by detecting outbound files.
- To protect data security by managing screen and print watermarks for employees, see Protect data security by managing watermarks.