Creating USB Policy Rules

RoyATokeshi
February 23, 2009 8:32 am

Creating USB Policy Rules

Document ID: CTX119722 / Created On: Feb 6, 2009 / Updated On: Feb 6, 2009
Average Rating: not yet rated
View products this document applies to

Summary

This document describes the default USB policy rules in XenDesktop 3.0, and their semantics.

Default Policy

The default policy configuration is as follows:

DENY: class=09 # Hub devices
DENY: class=03 subclass=01 # HID Boot device (keyboards
and mice)
DENY: class=0b # Smartcard
DENY: class=e0 # Wireless Controllers
DENY: class=02 # Communications and CDC Control
DENY: class=0a # CDC Data
ALLOW: # Ultimate fallback: allow everything else

How It Works

When a user plugs in a USB device, it is checked against each policy rule in turn until a match is found. The first match for any device is considered definitive. If the first match is an Allow rule, the device is remoted to the virtual desktop. If the first match is a Deny rule, the device is available only to the local desktop.

Creating New USB Policy Rules

The XenDesktop Administrator’s Guide describes how to update the list of USB devices available for remoting in “Updating the List of USB Devices Available for Remoting”.

Tip: When creating new policy rules, refer to the USB Class Codes, available from the USB Web site at http://www.usb.org/

Policy rules take the format {Allow:|Deny:} followed by a set of tag=value expressions separated by whitespace. The following tags are supported:

Tag

Description

VID

Vendor ID from the device descriptor

PID

Product ID from the device descriptor

REL

Release ID from the device descriptor

Class

Class from either the device descriptor or an interface descriptor

SubClass

Subclass from either the device descriptor or an interface descriptor

Prot

Protocol from either the device descriptor or an interface descriptor

When creating new policy rules, be aware of the following:

• Rules are case-insensitive.

• Rules may have an optional comment at the end, introduced by #. A delimiter is not required and the comment is ignored for matching purposes.

• Blank and pure comment lines are ignored.

• Whitespace is used as a separator, but cannot appear in the middle of a number or identifier. For example, Deny: Class = 08 SubClass=05 is a valid rule; Deny: Class=0 Sub Class=05 is not.

• Tags must use the matching operator =. For example, VID=1230.

• Each rule must start on a new line or form part of a semicolon separated list.

Important: If you are using the Administrative (ADM) template, you must create rules on a single line, as a semicolon separated list.

Example

This example shows a set of administrator-defined USB policy rules.

Allow: VID=1230 PID=0007 # ANOther Industries, ANOther Flash Drive
Deny: Class=08 SubClass=05 # Mass Storage

More Information

For more information about XenDesktop 3.0 and USB device support, see the XenDesktop Administrator’s Guide.

This document applies to:

XenDesktop 3.0 x32
Exit Print View



Primary links

Custom Search

User login

Who's new

  • Preatercelepe
  • Kxtuzjgv
  • Maitacewwisat
  • abnonsoks
  • themopoty

Who's online

There are currently 0 users and 4 guests online.

KrissysCorner.com RuthSwensonLaw.com CreativeLizardProductions.com

DISCLAIMER:

None of this has anything to do with us, someone else is responsible for the entire thing, and we have no idea who or why. We do not know anything about it. It may be alien life forms for all we know: we haven't a clue. You cannot blame us for anything that may result from your visit. That was entirely your own personal choice, made by you of your own volition, and without our knowledge. We do not, after all, have any control over you and cannot by any stretch of the imagination be expected to accept or acknowledge, be it legally or morally, any accountability for decisions made by you on an independent basis, utilizing your own free will, and without our intervention. We are therefore in no way, shape, or form answerable to anyone for any consequences arising from the aforementioned or indeed any other actions, similar or otherwise, because it was not us that did, or did not do anything. It is not even remotely our fault, and we are in no way prepared or willing to accept any liability, not even slightly, ever. We are, in fact completely and utterly blameless, in that it is definitely not our concern, and no blame can possibly be laid at our doorstep, even if we had one, the possession of which we hereby reserve as being entirely our own free choice. The onus is not on us at all, and furthermore, never has been. The entire matter is wholly beyond our control, and completely out of our hands, each of which are washed scrupulously clean of the whole business. We are not accountable for anything at all, and we hereby categorically deny all responsibility for all that has ever, or will ever happen. Our innocence is therefore wholly beyond doubt and absolutely unimpeachable, and so cannot, under even the remotest or unlikeliest circumstances, be brought into question. By clicking either on a link on this site, clicking on a link that leads to this site, or by arriving at this site by natural or supernatural means, you are in effect accepting responsibility for the fact that it is all entirely your own fault, down to the most miniscule detail, and that you are wholly accountable for whatever outcome may arise as a consequence of the aforementioned action or actions insofar as they were undertaken personally by you on an entirely voluntary basis and without any persuasion, coercion or influence from any party or parties other than yourself. Don't come sniveling to us, we are only figments of your imagination. I also agree that if I am ever with a contributor to this website during mealtimes I agree to pay for any super-sizing of their meal, or at least a nice dessert or one of those foo-foo drinks with an umbrella or a monkey. By admitting to have seen the worthless spineless drivel on this website (also known as content)

I Agree Wholeheartedly and Without Reservation to the above. (Except maybe for that part about the monkey.)

All Your Base Are Belong To Us.

Soylent Green Is People!

Never make a bet with a Sicilian when Death is on the Line!

No. Really, I do agree.