Allow only specific USB disks using VMware Workspace ONE

At one of my customers, we ran into a requirement that states that only certain USB disks should be allowed on Workspace ONE managed Windows laptop devices. There are multiple policy settings that can be used for allowing or preventing access to USB devices, and it can be a real puzzle to get the right combination of policies to make things work as expected. This short blog post describes how baseline policies in Workspace ONE can be used to allow access to only specific USB disks, while still allowing the use of all other USB devices.

Configuring the baseline policy

In the Workspace ONE UEM console, click Resources.

Click Profiles & Baselines.

Click Baselines.

In the Baselines section, click New.

Select Create your own and click Next.

Specify a Baseline Name and click Next.

Select a Windows version from which you want to apply a policy.

In the search field, type apply layered and click the policy that is presented: Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria.

Configure the policy to be Enabled.

In the search field, type allow installation of devices and click the policy Allow installation of devices that match any of these device instance IDs.

Configure the policy to be Enabled.

Click Show.

In the Value field, type the device instance ID that represents the USB disk that you want to allow.

One of the ways of finding the device instance ID for a USB disk is to use Device Manager (devmgmt.msc) in Windows. Look up your device, open its properties and select the Details tab. There, select Device instance path as the property and use that value in the Value field of the policy mentioned above.

In the search field, type prevent installation of devices and click the policy Prevent installation of devices using drivers that match these device setup classes.

Configure the policy to be Enabled.

Click Show.

In the Value field, type the device setup class GUID that represents disk drives: {4d36e967-e325-11ce-bfc1-08002be10318} (include the curly brackets!).

Microsoft uses well-known device setup classes for each device type; they are listed in Microsoft's documentation on system-defined device setup classes.

Click Next.

Click Save & Assign.

Select one or more Smart Groups and click Publish.
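The steps above are performed in the UEM console; as an added example (not part of the original post), the following PowerShell script, run on a managed device, lists the device instance paths of connected USB disks that belong in the allow list and checks that the three policy settings configured above have arrived on the device. It assumes the baseline lands in the standard Windows Device Installation Restrictions registry key, as the equivalent group policy does.

```powershell
# Added example, not from the original post: report USB disk instance paths and
# verify the Device Installation Restrictions policy state on a Windows device.
# Assumption: the baseline writes the same registry values as the group policy.
$DiskClassGuid = '{4d36e967-e325-11ce-bfc1-08002be10318}'   # Disk drives setup class (from the post)
$PolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-UsbDiskInstanceId {
    # Same value Device Manager shows as "Device instance path" (USBSTOR\DISK&VEN_...)
    Get-PnpDevice -Class DiskDrive -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        Select-Object FriendlyName, Status, InstanceId
}

function Get-PolicyList([string]$SubKey) {
    # The list policies store their entries as numbered string values under a subkey
    if (-not (Test-Path "$PolicyKey\$SubKey")) { return @() }
    (Get-ItemProperty "$PolicyKey\$SubKey").PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
}

function Test-UsbDiskRestrictionPolicy {
    param([string[]]$ExpectedInstanceIds)
    if (-not (Test-Path $PolicyKey)) {
        Write-Warning "No DeviceInstall restriction policy found at $PolicyKey"
        return
    }
    $p       = Get-ItemProperty -Path $PolicyKey
    $allowed = @(Get-PolicyList 'AllowDeviceInstanceIDs')
    $denied  = @(Get-PolicyList 'DenyDeviceClasses')

    [pscustomobject]@{
        # Policy 1: layered evaluation, so the instance-ID allow list wins over the class deny
        LayeredEvaluationEnabled = ($p.AllowDenyLayered -eq 1)
        # Policy 3: disk drives class is denied
        DiskClassDenied          = ($p.DenyDeviceClasses -eq 1) -and ($denied -contains $DiskClassGuid)
        # Policy 2: allow list enabled and containing the expected disks
        AllowListEnabled         = ($p.AllowDeviceInstanceIDs -eq 1)
        AllowedInstanceIds       = $allowed
        MissingFromAllowList     = @($ExpectedInstanceIds | Where-Object { $allowed -notcontains $_ })
    }
}

# Show the instance paths to paste into the baseline, then check the applied policy
Get-UsbDiskInstanceId | Format-Table -AutoSize
Test-UsbDiskRestrictionPolicy -ExpectedInstanceIds (Get-UsbDiskInstanceId).InstanceId | Format-List
```

A result with LayeredEvaluationEnabled, DiskClassDenied and AllowListEnabled all True and an empty MissingFromAllowList means the device has received the configuration described above.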

Windows device behavior after applying the baseline

Now that we have applied the baseline policy to our device, let’s have a look at how Windows behaves when inserting an allowed USB disk and a disallowed USB disk.

Let’s start with the USB disk that we allowed in the baseline policy. You can see that the DT Elite 3.0 USB disk is connected and allowed (there’s no message saying that it’s blocked). And we are able to browse the USB disk (E:\).

Now let’s insert another USB disk that’s not on the allow list in the baseline policy. You will receive a popup saying that the device is blocked. You can also see the blocked status underneath the device in the Devices overview, and the USB drive (letter) is not available in Windows Explorer.

I hope that this blog post was informative. Please contact me via Twitter or LinkedIn if you have any questions.

1 Response

  1. August 4, 2023

    […] Ivan Demes: Allow only specific USB disks using VMware Workspace ONE […]