Skip to main content
  • EN

AD_4nXfbWZVesBfi_fSunFRDHy--Exzj-aMKP2eskLxYkq8DXycO7ImvLlDdurA7IkQuH5EXWDKVssHKmzHK8ntiWIEcXgYz4M1HHusOnVE9Szps0SIJppD3nhpUqTcEobMZmWuzEZRt6Im4nCqaAV1pjGF9-jgzkPvSHjMI5Cr1BWS2hCV3nIl_Xg?key=ikvR2VI2_b_1VTPjoZnd2w

Netskope Global Technical Success (GTS)

EPDLP - Device Control: USB Storage Devices

 

Netskope Cloud Version - 118

 

Objective

Netskope's current abilities to regulate access to USB storage devices

 

Prerequisite

Netskope Endpoint DLP license is required

 

Context

In this knowledge base article, we'll explore Netskope's capabilities regarding Endpoint DLP. We'll go through a use case to provide insights into both its capabilities and constraints.

 

Do You Know?

Endpoint DLP allows you to manage and govern endpoints to prevent sensitive content from being transferred to USB storage devices or printers. You can:

  • Govern endpoint devices by creating device control, content control, and file origin policies.
  • Monitor endpoint activities and block or trigger alerts when users insert or remove USB storage devices, transfer sensitive files to USB storage devices, set up and configure printers, and print documents.
  • Respond to incidents and alert the user of their actions.
  • Coach the user through custom notification messages by allowing them to justify their actions or cancel them.

 

Use Case 1 Block all Device Storage Accees

Step 1:

Path: Netskope Tenant UI >>> Settings >>> Security Cloud Platform >>> Client Configuration >>> Select The client configuration where you want to enable Endpoint DLP >>> go to Endpoint DLP >>> Check the Endpoint DLP Checkbox and Save.

AD_4nXfrh-P_ozg5iTKFzijIzsShW36JBIYdienYSOeGZdE-pZSH0HcaJyPQA5dSqIR2Xt0Xtr9FfLWPs0n_oiO007DWNsdiH9N9BlhHnHOl_G66Do7ZRvQEKPc_gCe5M82EnT0cJhGUGA1IYwyl2vHEkD44frBa1minLXW0UsR1?key=ikvR2VI2_b_1VTPjoZnd2w

Note: make sure to restart the device after the EPDLP activation.

 

Step 2:

Path: Netskope Tenant UI >» Policies >>> Endpoint Protection >>> Select Device Control

AD_4nXdCtBQFt67wr1OSdq6PVePhmLcwzMMw0K7XtqVoRknLXZwESHkBqyPZevgW9LReWmRvYxAzyN9rZxqAnjzSViQo8DE6u-KJOCjic8viZT1WTYzg4dy2tMxkYC9McyEyPWjDGnJa-2DXMr4NsxDfPgRsK_8pOLduMrGzUFEETA?key=ikvR2VI2_b_1VTPjoZnd2w

 

On Devices, select USB Storage Devices, On USB Storage Devices select Any and select action Block click Save.

AD_4nXdG0REqIMPU1fpuDRe4rSJLzm2JrHV7_HejCRulJjbz75walG6T8AmH6n2btMA-gfFt-StX_IqQ__pv3RH0F4G5WGk5fR2btcb2HC20kVs2MXBD2dpluhZoyRMnLygMFKEng-Z49S1zNicAVIED-_MlNMgyVoxY8ZZ98lRy5g?key=ikvR2VI2_b_1VTPjoZnd2w

 

AD_4nXdSBdQTnRTyrSXudGY1SHoYBW5R5vCenLz0d78ls_z3rrkdel6TCvZ43RhiwuuxgwAj-FSaf-won9QySgVNWyQZ3BcgEf2pHWlwP0Hb6bDFYQD98OmVdPm5Jbx7EXAwf6Hl7Cv698qaeEd6WO643rDjHj0089rabs9UmYHZ?key=ikvR2VI2_b_1VTPjoZnd2w

 

Verification

Insert any USB storage device and a blocking message will appear.

AD_4nXeOYzzc6k11NuFlx_Hd8E3J3dmRK25XFhIYqWvz7hOlflstzmAohngG1zLo4Xxp-Yc5Zcq1X15oSNRhB1gqvtPXx7f-OZNGqWRAW7oDGM_rYlMH2W0ib8lC9jgqzHkd5DCEz8uB5uCLWbbsrv868me_-txQeZ4K41Aqo1S4Cg?key=ikvR2VI2_b_1VTPjoZnd2w

 

Path: Netskope Tenant UI >>> SkopeIT >>> Endpoint Events and confirm the block is logged.

AD_4nXcanKde_AItY5jj0pqDdqsVYdFGIUp3xzp6vd5pJ4wdgTj3ZS1TCpW9IwmMwXwXPhIhUgyImtUG3_jxnQ_nxKL87l96StYLXdyKY6_HQ2cOoS5-zrUWQCxW1N8zKhmvQ_1K7SC-PzfYRQVCRKI8VTx8hPgbRNqko24lkMYQ?key=ikvR2VI2_b_1VTPjoZnd2w

 

Question: How can I confirm the block action in NSlogs?

Answer: After downloading the NS logs, you will notice a file named “epdlp-diagnostics.zip.log.” Please remove the “.log” part, and the file will now appear as a zip file. Once you unzip the file, you will find a log folder inside, and the logs are located in the “epdlp_sys_log.txt” file.

 

Sample

2024/08/22 15:17:04.781 PolicyWorker.cpp:1456 7816 24792 cinfo] PolicyWorker 7: evaluated event 60ceb07f-3a1b-4b9d-880b-a4ec433b8a3f with result "match" with action "block" for rule "USB storage Block" 

AD_4nXe0ZFXn-KHWVKLbAmglbhE_ut7Q8d0Q5pEf5q1A857pbZG_J1NJ756rQxzaWGGfGwB5lVHjWN-R_ONJKg-p1-TNyD_RJw60qp3FxF5uFymh3cmgIsKDTv09fBUdWlZrdauuBRbdt4eOd4qItgo4fAojX4f7PCLU2CbeSF_Xhg?key=ikvR2VI2_b_1VTPjoZnd2w

 

Use Case 2 Make Read-Only 

Follow Use Case 1 Step 1 and Step 2 but on step 2 change the USB storage device Action to Make Read-Only

AD_4nXfOdjxqzHfo_u1bt9ZV0jAah_fU9ycvauFiupoSqb7zjW5Xjb6-IfQtEnPJysdQukO5a05KidVnLBpFcIGWvxu7oLNNPxGav_wxXDOMx7a5RXhco6bKkW80W-uzhHONOWfpm_4aXQu0f30QDhvKWlN4Grigw-ixiWtynxKIuQ?key=ikvR2VI2_b_1VTPjoZnd2w

 

Note: WPD/phone devices do not support Read-Only policy actions. These devices will be blocked.

 

Verification

Path: Netskope Tenant UI >>> Skope IT >>> Endpoint Events and confirm the Read only events are logged.

AD_4nXcLcYRzlMq1HOTfUcmCtis14OYnAL3uz5ubH48x6_KookCD6T3SuhYUuNfJ3w5ivMXzqhFySA7cCKD3WXd9QtchfMhBwjbifBswuDEdU9iVYJkPj5ZPuGjeH0LAgcupMNM_eYqFUEO-gXtwZyOCMpFknLw2h2x-JUQ_2NmhQQ?key=ikvR2VI2_b_1VTPjoZnd2w

 

Note: Read Only prevents modify the USB content or add content to the USB, Its allowed extract from content from the USB to your device.

 

Questions: How can I confirm the block action in NSlogs?

Answer: After downloading the NS logs, you will notice a file named “epdlp-diagnostics.zip.log.” Please remove the “.log” part, and the file will now appear as a zip file. Once you unzip the file, you will find a log folder inside, and the logs are located in the “epdlp_sys_log.txt” file.

 

Sample

2024/08/22 16:49:44.429 PolicyWorker.cpp:1456 7460 11716 /info] PolicyWorker 0: evaluated event a289ce88-6911-4984-93f8-ae07babad753 with result "match" with action "readonly" for rule "USB storage Make-Read-Only"

AD_4nXdPLPkEmXC2STMMEGIdlWA-D9U4NyJo6bC-kcEoElReUGCdf71_K-3j7wzsL9Qj_QYt-yT2pMV1nUGAja5ZsJyZRcWkLAi9-YZ2y_WrhMeJUR0x3D-HogvSEyqlXFmq56-M_whn2ipLId7uZA3xMX8NBnnoCBJWlLttqR3h?key=ikvR2VI2_b_1VTPjoZnd2w

 

Constraints

In the Netskope UI, go to Policies > Profiles > Constraint and select the USB Device tab >> In the USB Storage Device tab, click New Device Constraint Profile

AD_4nXfb_DevXCM5g0ACZieEBqTYeE7uFMh5cj0kpJtagBawKEcJ4AKzFRNi3gfi4F9-HMXMkVjbIfc29emmRCQ9R6A3J1OxjQjty5cbM61HPTYnvaWRuiP_FRMCEUJBJou3Ii7wU6ibHcRqoRp4o2d528sK-RH9d7V1_lGHv6XJ?key=ikvR2VI2_b_1VTPjoZnd2w

 

In the New USB Device Constraint Profile window, enter a profile name.

AD_4nXfxTDGKIEf5BCrZNvsL22gB-5jwmtzmbdcytLr69tvyDzu3s7Ey6dNqH0lSt25GjoazPjQ5eUlzK0rp-1YQ8_fhKk2mdqS1guCXNxtAOgNJHP-fomKczzGtcNMLUHCXutg-AmxjAGn4vpvlSiOUln2-TiFsEz2OZeBgTPxDyA?key=ikvR2VI2_b_1VTPjoZnd2w

Provide the list of USB storage device manufacturers, IDs, models, and serial numbers. Select each tab and enter the values or upload a list as a CSV file. You can upload a maximum file size of 6 MB in each tab. Ensure the following:

Manufacturer and Model are partial matches. For example, enter “Sandisk” as the manufacturer to match USB device names such as “Sandisk”, “ Sandisk USB”, “Sandisk Electronics, INC”, etc.

The ID must be in the format idVendor+idProductiSerialNumber.

Serial_Number and ID are exact match fields.

 

Note: Device Control, policies are prioritized first, followed by Content Control. For example, when it comes to USB devices, if Device Control determines that a device is not allowed on an endpoint, it will block the device. This means the filesystem is never mounted, and the user has no opportunity to copy files to the device, effectively preventing any data transfer.

 

Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.

 

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.

 

Terms & ConditionsCookie settings