If a user transfers sensitive files outbound by using peripherals such as USB flash drives and Bluetooth at work, major business loss may occur. To prevent such issues, you can use the data loss prevention (DLP) feature of Secure Access Service Edge (SASE). This feature allows you to manage peripherals, monitor outbound transfers of sensitive files in real time, and monitor data leaks. This topic describes how to configure peripheral control policies, view the results of sensitive behavior detection, and configure the user-specific peripheral whitelist.
Supported peripherals
| Operating system | Supported peripheral and device port | Description |
| --- | --- | --- |
| Windows | Peripherals: USB Flash Drive and USB Storage, Printer, Portable Device, Card Reader, and Optical Drive. Device port: Bluetooth. | The following options are available for USB flash drives and USB storage devices: Disable Use, Read/Write, and Read-only. The only option available for other peripherals and device ports is Disable Use. If you select Disable Use for a peripheral or device port, users cannot use it to transmit data. If you set USB Flash Drive and USB Storage to Read/Write, sensitive behavior detection is triggered when a user transfers internal files by using a USB flash drive or USB storage device. |
| macOS | Peripheral: USB Flash Drive and USB Storage. Device ports: Bluetooth and AirDrop. | The following options are available for USB flash drives and USB storage devices: Disable Use, Read/Write, and Read-only. The only option available for other peripherals and device ports is Disable Use. If you select Disable Use for a peripheral or device port, users cannot use it to transmit data. |
Prerequisites
Internet Access DLP Edition of SASE is purchased. For more information, see Billing overview and Service purchase.
Users are added, and user groups are created. For more information, see Connect an LDAP IdP to SASE and Configure a user group.
Configure a peripheral control policy
Log on to the SASE console.
In the left-side navigation pane, choose .
On the Peripheral Management page, click Create Policy.
In the Create Policy panel, configure parameters. The following table describes the parameters.
| Parameter | Description |
| --- | --- |
| Policy Name | The name of the policy. The name must be 2 to 32 characters in length and can contain letters, digits, hyphens (-), and underscores (_). |
| Policy Description | The description of the policy. |
| Status | The status of the policy. Turn the switch on or off to enable or disable the policy. The policy takes effect only if the switch is turned on. |
| Priority | The priority of the policy. Valid values: 1 to 10. A smaller value indicates a higher priority. |
| Applicable User | The users or user groups to which the policy is applied. |
| Windows | Valid values for Peripheral: USB Flash Drive and USB Storage, Printer, Portable Device, Card Reader, and Optical Drive. Valid value for Device Port: Bluetooth. The following options are available for USB flash drives and USB storage devices: Disable Use, Read/Write, and Read-only. The only option available for other peripherals and device ports is Disable Use. If you select Disable Use for a peripheral or device port, users cannot use it to transmit data. |
| macOS | Valid value for Peripheral: USB Flash Drive and USB Storage. Valid values for Device Port: Bluetooth and AirDrop. The following options are available for USB flash drives and USB storage devices: Disable Use, Read/Write, and Read-only. The only option available for other peripherals and device ports is Disable Use. If you select Disable Use for a peripheral or device port, users cannot use it to transmit data. |
| Approval Process Configuration | Specify whether users can submit an application for approval when they want to use an at-risk peripheral. If you select Users can submit an application for approval, you must also select an approval workflow. For more information, see Create an approval workflow. |
| Prompt Display Configuration | Configure the prompt message that appears in the dialog box when users want to use an at-risk peripheral. You can specify the message in Chinese or English. |
Click OK.
After the policy is created, the policy is displayed in the policy list. DLP manages peripherals based on the policy.
View the results of sensitive behavior detection
If you set USB Flash Drive and USB Storage to Read/Write, sensitive behavior detection is triggered when a user transfers internal files by using a USB flash drive or USB storage device. DLP then aggregates the detection results for the last 30 days, 7 days, or 24 hours, and you can view the statistics for any of these periods.
In the left-side navigation pane, choose .
On the Sensitive Behavior Detection page, view the statistics about outbound transfers of sensitive files that are performed by using USB flash drives or USB storage devices within the specified period of time.
In the lower part of the page, view the list of users who performed outbound transfers of sensitive files. Then, find a user and click Details in the Actions column to view more information.
Find a file and click Details in the Actions column to view more information about the file. The information includes Sensitive Message, Hit Policy, Office Terminal, and Outbound Transfer Channel.
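The following Python script is an example added to this topic, not part of SASE or its console, that reproduces the view described above over a handful of constructed detection records: counts of sensitive files and users within the 24-hour, 7-day and 30-day windows, and the per-file details (Sensitive Message, Hit Policy, Office Terminal, Outbound Transfer Channel) for one user. The record layout and the fixed reference time are assumptions; the console's own export format is not documented here.

```python
"""Summarize sensitive behavior detection records by time window and by user.
Example code added to the topic; the record layout is constructed, not SASE's."""
from collections import Counter
from datetime import datetime, timedelta

# Fixed "now" so the windows are deterministic (assumption for the example).
NOW = datetime(2024, 6, 30, 12, 0)
USB = "USB Flash Drive and USB Storage"

# Constructed sample records; field names follow the Details view in the console.
RECORDS = [
    {"time": NOW - timedelta(hours=2), "user": "alice", "file": "q2-forecast.xlsx",
     "sensitive_message": "bank card number", "hit_policy": "finance-pii",
     "office_terminal": "WIN-ALICE-01", "channel": USB},
    {"time": NOW - timedelta(days=3), "user": "bob", "file": "customer-list.csv",
     "sensitive_message": "phone number", "hit_policy": "customer-data",
     "office_terminal": "WIN-BOB-02", "channel": USB},
    {"time": NOW - timedelta(days=20), "user": "alice", "file": "payroll.pdf",
     "sensitive_message": "ID card number", "hit_policy": "hr-pii",
     "office_terminal": "WIN-ALICE-01", "channel": USB},
    {"time": NOW - timedelta(days=45), "user": "dave", "file": "old-contract.docx",
     "sensitive_message": "contract keyword", "hit_policy": "legal",
     "office_terminal": "MAC-DAVE-01", "channel": USB},   # older than every window
]

# The three periods the Sensitive Behavior Detection page offers.
WINDOWS = {"24h": timedelta(hours=24), "7d": timedelta(days=7), "30d": timedelta(days=30)}
DETAIL_FIELDS = ("file", "sensitive_message", "hit_policy", "office_terminal", "channel")


def in_window(records, window, now=NOW):
    """Records whose timestamp falls inside the selected period, inclusive of both ends."""
    cutoff = now - WINDOWS[window]
    return [r for r in records if cutoff <= r["time"] <= now]


def summary(records, window, now=NOW):
    """Statistics for the period: files transferred, distinct users, and per-user counts."""
    hits = in_window(records, window, now)
    return {
        "files": len(hits),
        "users": len({r["user"] for r in hits}),
        "by_user": dict(Counter(r["user"] for r in hits)),
    }


def user_details(records, window, user, now=NOW):
    """Per-file details a reviewer sees after clicking Details for one user."""
    return [{k: r[k] for k in DETAIL_FIELDS}
            for r in in_window(records, window, now) if r["user"] == user]


if __name__ == "__main__":
    for w in WINDOWS:
        print(w, summary(RECORDS, w))
    for row in user_details(RECORDS, "30d", "alice"):
        print(row)
```

Swap the constructed `RECORDS` for rows pulled from your own log export and the same functions give a quick offline cross-check of what the console reports for a period.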
Configure the peripheral whitelist
If you do not want SASE to audit or manage outbound transfers for specific users in your enterprise, add those users to the peripheral whitelist in DLP. Whitelisted users are exempt from peripheral control.
On the Peripheral Management page, click Peripheral Whitelist.
On the Whitelist tab, add users to the whitelist based on your business requirements.
Click Submit.
Change the priority of a policy
If you want to change the priority of a peripheral control policy, click the icon and enter a different priority value. Valid values: 1 to 10. A smaller value indicates a higher priority.
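The following Python script is an example added to this topic, not part of SASE, that models the policy parameters described in the parameter table, the whitelist, and the priority rule: it validates a policy against the stated constraints (name of 2 to 32 letters, digits, hyphens or underscores; priority 1 to 10; per-OS peripherals and device ports; Read/Write and Read-only only for USB storage) and then decides which policy applies to a user. The combined evaluation order (whitelist first, then the enabled policy with the smallest priority value that matches the user, OS and peripheral) and the absence of a default action when no policy matches are assumptions; the topic states the pieces but not how the console combines them. User groups are modelled as already-expanded sets of users.

```python
"""Model of DLP peripheral control policies: parameter validation and an assumed
resolution of which policy decides for a user. Example code added to the topic."""
import re
from dataclasses import dataclass

NAME_RE = re.compile(r"[A-Za-z0-9_-]{2,32}")   # 2-32 chars: letters, digits, hyphens, underscores
PRIORITY_MIN, PRIORITY_MAX = 1, 10               # smaller value = higher priority

USB = "USB Flash Drive and USB Storage"
# Peripherals and device ports per operating system, as listed in the parameter table.
TARGETS = {
    "Windows": {USB, "Printer", "Portable Device", "Card Reader", "Optical Drive", "Bluetooth"},
    "macOS": {USB, "Bluetooth", "AirDrop"},
}
USB_ACTIONS = {"Disable Use", "Read/Write", "Read-only"}
OTHER_ACTIONS = {"Disable Use"}


@dataclass
class PeripheralPolicy:
    name: str
    priority: int
    os: str                      # "Windows" or "macOS"
    applicable_users: frozenset  # users (groups assumed expanded to users)
    rules: dict                  # target -> action, e.g. {USB: "Read-only"}
    enabled: bool = True         # the Status switch


def validate_policy(p):
    """Return a list of validation errors; an empty list means the policy is well-formed."""
    errors = []
    if not NAME_RE.fullmatch(p.name):
        errors.append(f"name {p.name!r}: must be 2-32 letters, digits, hyphens or underscores")
    if not PRIORITY_MIN <= p.priority <= PRIORITY_MAX:
        errors.append(f"priority {p.priority}: valid values are {PRIORITY_MIN} to {PRIORITY_MAX}")
    if p.os not in TARGETS:
        errors.append(f"os {p.os!r}: must be Windows or macOS")
        return errors
    for target, action in p.rules.items():
        if target not in TARGETS[p.os]:
            errors.append(f"{target!r} is not a supported peripheral or device port on {p.os}")
            continue
        allowed = USB_ACTIONS if target == USB else OTHER_ACTIONS
        if action not in allowed:
            errors.append(f"{target!r}: action {action!r} not in {sorted(allowed)}")
    return errors


def resolve(policies, whitelist, user, os_name, target):
    """Decide what a user may do with a peripheral or device port.

    Assumed order: whitelisted users are neither audited nor managed; otherwise, among
    enabled policies that apply to the user and OS and carry a rule for the target,
    the smallest priority value wins (ties broken by name).
    Returns (action, deciding_policy_name, detection_triggered)."""
    if user in whitelist:
        return ("Allow (whitelisted)", None, False)
    candidates = [p for p in policies
                  if p.enabled and p.os == os_name
                  and user in p.applicable_users and target in p.rules]
    if not candidates:
        return ("Unmanaged (no matching policy)", None, False)  # assumption: no default deny
    winner = min(candidates, key=lambda p: (p.priority, p.name))
    action = winner.rules[target]
    # Sensitive behavior detection runs only when USB storage is left at Read/Write.
    detection = target == USB and action == "Read/Write"
    return (action, winner.name, detection)


# Constructed sample: a strict policy for one user, a broader lower-priority one, a whitelist.
POLICIES = [
    PeripheralPolicy("finance-lockdown", 1, "Windows", frozenset({"alice"}),
                     {USB: "Disable Use", "Bluetooth": "Disable Use"}),
    PeripheralPolicy("default-audit", 5, "Windows", frozenset({"alice", "bob"}),
                     {USB: "Read/Write", "Printer": "Disable Use"}),
]
WHITELIST = {"carol"}


def demo():
    """Resolve a few representative cases over the constructed data."""
    return {
        "alice_usb": resolve(POLICIES, WHITELIST, "alice", "Windows", USB),
        "bob_usb": resolve(POLICIES, WHITELIST, "bob", "Windows", USB),
        "carol_usb": resolve(POLICIES, WHITELIST, "carol", "Windows", USB),
        "bob_bluetooth": resolve(POLICIES, WHITELIST, "bob", "Windows", "Bluetooth"),
    }


if __name__ == "__main__":
    for p in POLICIES:
        print(p.name, validate_policy(p) or "ok")
    for case, result in demo().items():
        print(case, result)
```

The useful check is the third tuple element: a user who lands on a Read/Write USB rule is the one whose transfers show up under Sensitive Behavior Detection, while a whitelisted user produces nothing there at all, which is worth remembering before adding anyone to the whitelist.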
Disable a policy
If you do not require a peripheral control policy, you can find the policy and turn off the switch in the Policy Status column to disable the policy. After the policy is disabled, the policy is retained. You can turn on the switch in the Policy Status column to enable the policy again.
Delete a policy
If you no longer require a peripheral control policy, you can find the policy and click Delete in the Actions column.
After a policy is deleted, it cannot be restored. Proceed with caution.
References
For more information about how to view and trace the logs of outbound transfers of sensitive files, see Sensitive file detection.
For more information about how to detect files transferred outbound, see Monitor outbound file transfers to ensure data security.
For more information about how to manage screen watermarks and printer watermarks, see Manage watermarks to ensure data security.