USB Control

USB control lets you decide which removable devices are allowed on managed PCs. This guide explains the device-class model and how to use it for data-loss prevention.

Device-class allow and deny

Rather than a single all-or-nothing switch for USB storage, CtrlOne can allow or deny by device class. That means you can permit input devices like keyboards and mice while blocking mass-storage devices that could be used to exfiltrate data.

Data-loss prevention

Blocking removable mass storage is a core DLP control for shared, kiosk, and high-sensitivity PCs. Combine it with the other restriction surfaces to close common data-exit paths while keeping the machine usable for its job.

Rolling it out

Add USB control to a policy, pilot it on a representative machine to confirm required peripherals still work, then apply it to the group. Because the control is reversible, you can adjust the allowed classes if a legitimate device is affected.

Frequently asked questions

Can I allow keyboards but block USB drives?

Yes - that's the point of per-class control. Permit input-device classes while denying removable mass storage.

Does blocking USB storage remove drivers?

No. Enforcement is policy-only, so removing the restriction returns the device behaviour to normal.

Round out your lockdown

Pair USB control with application blocking and browser restrictions for a complete data-exit posture.