How to Create USB Policy Rules

Default Policy

The following are the default policy configuration:

DENY: class=09 # Hub devicesDENY: class=03 subclass=01 # HID Boot device (keyboards and mice)DENY: class=0b # SmartcardDENY: class=e0 # Wireless ControllersDENY: class=02 # Communications and CDC ControlDENY: class=0a # CDC DataALLOW: # Ultimate fallback: allow everything else

How It Works

When a user plugs in a simple USB device, the host device checks it against each policy rule consecutively until a match is found. The first match for any device is considered definitive. If the first match is an Allow rule, the device is redirected to the virtual desktop. If the first match is a Deny rule, the device is available only to the local desktop (that is its not redirected). If no match is found, default rules are used.

User-added image
When a user plugs in a composite USB device (a device with multiple functions (interfaces) for example audio headset with speaker, mic and HID button) the host device checks for all functions (interfaces) against each policy rule. If the first match for any function(interface) is a Deny rule, the rule is considered definitive for the composite device and device is denied. If the first match for a function (interface) is an Allow rule, the host device continues to match the rules against next function (interface). The composite device is allowed if no function (interface) is denied by a policy rule. If definitive match for composite device is a Deny Rule, the device is available only to the local desktop otherwise the device is remoted to the virtual desktop. If no match is found, default rules are used.

User-added image

Creating New USB Policy Rules

Refer to the Citrix Receiver for Windows documentation for information on Updating the List of USB Devices Available for Remoting.

Tip: When creating new policy rules, refer to the USB Class Codes , available from the USB web site.

Policy rules take the format {Allow:|Deny:} followed by a set of tag=value expressions separated by whitespace. The following tags are supported:

Tag Description
VID Vendor ID from the device descriptor
PID Product ID from the device descriptor
REL Release ID from the device descriptor
Class Class from either the device descriptor or an interface descriptor
SubClass Subclass from either the device descriptor or an interface descriptor
Prot Protocol from either the device descriptor or an interface descriptor

When creating new policy rules, consider the following:

  • Rules are case-insensitive.

  • Rules might have an optional comment at the end, introduced by #. A delimiter is not required and the comment is ignored for matching purposes.

  • Blank and pure comment lines are ignored.

  • Whitespace is used as a separator, but cannot appear in the middle of a number or identifier, for example, Deny: Class = 08 SubClass=05 is a valid rule; Deny: Class=0 Sub Class=05 is not.

  • Tags must use the matching operator =. For example, VID=1230.

  • Each rule must start on a new line or form part of a semicolon separated list.

Important! If you are using the Administrative (ADM) template, you must create rules on a single line, as a semicolon-separated list.

For example a set of administrator-defined USB policy rules:

Allow: VID=1230 PID=0007 # ANOther Industries, ANOther Flash Drive

Deny: Class=08 SubClass=05 # Mass Storage

Related:

  • No Related Posts

Leave a Reply