In the past, you were able to choose from the following two policies to manage removable storage:
- Disable CD & DVD read access: disables the device’s read access to CD and DVD drives.
- Disable USB Storage: prevents users from mounting any USB mass storage device, such as flash and USB drives.
A new policy called Removable Storage replaces these two policies. This policy is powerful enough to disable any combination of the following removable storage classes with an associated level of access:
Policy Option | Block Read | Block Write | Block Run | Allow Remote Access |
---|---|---|---|---|
CD & DVD | ✔️ | ✔️ | ✔️ | |
Floppy drives | ✔️ | ✔️ | ✔️ | |
Removable disks | ✔️ | ✔️ | ✔️ | |
Tape drives | ✔️ | ✔️ | ✔️ | |
Windows Portable Devices (WPDs) | ✔️ | ✔️ | | |
All Classes | ✔️ | ✔️ | ✔️ | ✔️ |
The new Removable Storage policy also corrects any issues you may have occasionally seen when you applied both legacy policies to a device.
Considerations:
- If you created either of the legacy policies, Disable CD & DVD read access or Disable USB Storage, they’re still in effect. However, if you want to use the new Windows Removable Storage policy, you must delete any legacy policies first.
If you don't remove legacy policies and also create the new Windows Removable Storage policy, there's a chance that none of the removable storage policies will work and your devices may be vulnerable to data theft and the introduction of malware.
Deleting Legacy Policies
If you created either of the legacy policies, Disable CD & DVD read access or Disable USB Storage, they're still in effect. This means you can manage them like any other policy. However, if you want to use the new Windows Removable Storage policy instead, you must delete any of these legacy policies first.
If you don't remove legacy policies and also create the new Windows Removable Storage policy, there's a chance that none of the removable storage policies will work and your devices may be vulnerable to data theft and the introduction of malware.
- If you remove either of these legacy policies, you can’t recreate them. These legacy policies are no longer available in the Admin Portal. You must use the new Windows Removable Storage policy instead, which is recommended.
- If you delete legacy policies and don’t replace them with the new Windows Removable Storage policy, users can access removable media, which poses risks, including data theft and the introduction of malware.
- If you aren’t using either of the legacy policies, Disable CD & DVD read access or Disable USB Storage, you don’t need to follow these steps before using the new Windows Removable Storage policy.
To delete legacy Windows removable storage policies:
- Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
- Go to DEVICE MANAGEMENT > Policy Management.
- Select Disable USB Storage or the name you gave to this policy.
- Select Disable CD & DVD read access, or the name you gave to this policy.
- Click delete.
- On the Delete policy confirmation screen, click continue.
You will see confirmation that the policies have been deleted.
Creating a Windows Removable Storage Policy
When managing removable storage on Windows, you used to have to create two separate policies - one for CD/DVD, and the other for USB. Now you can use one policy to prevent users from mounting any combination of the following removable storage classes:
- CD & DVD
- Floppy drives
- Removable disks
- Tape drives
- Windows Portable Devices (WPD)
The policy takes effect after you create it, apply it to a device, and reboot the device. When a user attaches a type of removable storage that your policy blocks, the device won't respond. This means the storage won't appear on the user's desktop or be listed in Device Manager.
- If you created either of the legacy policies, Disable CD & DVD read access or Disable USB Storage, they’re still in effect. If you want to use the new Windows Removable Storage policy, you must delete any legacy policies first.
- If you don’t remove legacy policies and also create the new Removable Storage policy, there’s a chance that none of the removable storage policies will work and your systems may be vulnerable to data theft and the introduction of malware.
- To apply a policy to a device, it must be running on a supported OS. Before you assign a policy, you can follow the instructions in Assign a Policy to a Device.
- To apply a policy to a group of devices, you must define device groups. Before you assign a policy, you can follow the instructions in Create a Device Group.
To create a Windows removable storage policy:
- Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
- Go to DEVICE MANAGEMENT > Policy Management.
- Click ( + ).
- On the Configure New Policy panel, select Windows.
- Scroll down to find Removable Storage, click configure.
- In POLICY NAME you can type in a new title if necessary.
- In Settings, select the options that apply to your fleet needs.
- To apply the policy to one or more devices, select the Devices tab. Next to Device Name, select the options for all the devices where you want to apply this policy.
- To apply the policy to a defined group of devices, select the Device Groups tab. Next to Device Group Name, select the options for all the groups where you want to apply this policy.
- Click save policy.
- Restart all devices where you applied the removable storage policy.
Viewing the Windows Policy Status
After a policy is created and saved, it may take a few minutes for the policy to be enforced on the device. When the policy is running, you can view its status to determine if the policy has been successfully applied or if it requires your attention.
To view the policy status:
- Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
- Go to DEVICE MANAGEMENT > Policy Management.
- Click the Removable Storage policy that you just created.
- Click Status.
- To see the last Result Log for a device where this policy is applied, in the results list next to a device, click View.
If any errors occur, they are listed in Exit Status. If you have an Exit Status of 0, no errors have occurred when applying or enforcing this policy.
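To cross-check the portal status on the endpoint itself after the restart, the following added example (not JumpCloud code) reads the Windows Group Policy "Removable Storage Access" registry values for each storage class in this article. It assumes the policy is enforced through those standard Windows values; the function name and output columns are illustrative.

```powershell
# Added example, not JumpCloud code. Assumption: the policy is enforced through the
# standard Windows Group Policy "Removable Storage Access" registry values below.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device class GUIDs that Windows uses for each storage class named in this article.
$Classes = [ordered]@{
    'CD & DVD'                 = @('{53f56308-b6bf-11d0-94f2-00a0c91efb8b}')
    'Floppy drives'            = @('{53f56311-b6bf-11d0-94f2-00a0c91efb8b}')
    'Removable disks'          = @('{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}')
    'Tape drives'              = @('{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}')
    'Windows Portable Devices' = @('{6AC27878-A6FA-4155-BA85-F98F491D4F33}',
                                   '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}')
}

function Get-RemovableStoragePolicyState {
    param([string]$Root = $Base)

    # Read one DWORD policy value; $null means the value is not configured.
    function Read-Flag([string]$Key, [string]$Name) {
        $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return [int]$item.$Name
    }

    foreach ($label in $Classes.Keys) {
        foreach ($guid in $Classes[$label]) {
            $key = Join-Path $Root $guid
            [pscustomobject]@{
                Class       = $label
                DenyRead    = Read-Flag $key 'Deny_Read'
                DenyWrite   = Read-Flag $key 'Deny_Write'
                DenyExecute = Read-Flag $key 'Deny_Execute'   # Windows defines none for WPD
                DenyAll     = $null
                AllowRemote = $null
            }
        }
    }
    # The "All Classes" settings live directly under the root key.
    [pscustomobject]@{
        Class = 'All Classes'; DenyRead = $null; DenyWrite = $null; DenyExecute = $null
        DenyAll     = Read-Flag $Root 'Deny_All'
        AllowRemote = Read-Flag $Root 'AllowRemoteDASD'
    }
}

$state = @(Get-RemovableStoragePolicyState)
$state | Format-Table -AutoSize
# Nothing set anywhere means no removable storage restriction is present on this device.
$set = $state | Where-Object { $_.DenyRead -or $_.DenyWrite -or $_.DenyExecute -or $_.DenyAll }
if (-not $set) { Write-Warning 'No removable storage deny values are configured.' }
```

A value of 1 means the restriction is set and an empty cell means it is not configured. If every cell is empty on a device that the portal shows as covered, check for leftover legacy policies before relying on the block.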
Deleting a Windows Removable Storage Policy
There are several ways you can permit users to access removable storage devices after creating a policy to block access:
- If you want to allow users on a specific device to access storage devices, you can remove that device from the policy without removing the policy itself.
- You can also remove groups of devices from the policy without removing the policy itself.
- To allow all Windows devices managed by JumpCloud to access removable storage devices, you can remove the policy completely.
Remember that allowing users access to removable media poses risks, including data theft and the introduction of malware.
To allow access to Windows removable storage:
- Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
- Go to DEVICE MANAGEMENT > Policy Management.
- If you want to remove devices from the policy, click Removable Storage or the name that you gave this policy.
- Go to DEVICE MANAGEMENT > Devices. Clear the options for all devices that you want to remove. Click save policy.
- If you want to remove groups from the policy, click Removable Storage or the name that you gave this policy. Select the Device Groups tab. Clear the options for all groups that you want to remove. Click save policy.
- If you want to completely remove the policy, select Removable Storage, or the name you gave to this policy. Click delete. On the Delete Policy confirmation screen, click continue.