HP Client Security Commercial Managed IT Software Technical whitepaper
HP Client Security Technical Whitepaper 
August 2016 
747889-002 
© Copyright 2016 HP Development Company, L.P. 
12 HP Device Access Manager (HPDAM) 
HP Device Access Manager speaks to HP’s strong commitment to security and its ability to respond to customer needs with 
innovative solutions. A common assumption with today’s PC usage model is that users who are authorized to log on to a 
personal computer and access sensitive data are also able to copy that information. In reality, this is not always the case. 
Companies may need to allow users to view sensitive data, but restrict their ability to copy that data. HP Device Access 
Manager solves that problem. In doing so, it enables a new usage model for personal computing devices. 
Through the combination of a Windows service, a custom filter driver and Windows ACLs, HPDAM enforces the defined device
access control policy, which sets each user's and group's access to devices on the PC to “Allow” or “Deny”.
HPDAM protects against data leaving the PC, whether by accident or intentionally (maliciously or otherwise), and mitigates
the introduction of malware to the PC.
12.1.1 Accessing Devices 
Device Access Manager’s true power lies in configuring device access profiles. PC administrators can create device and 
peripheral usage profiles based on the individual user, user type, individual device, or device class. Configuring device 
classes or devices will create policies to implement complex security requirements, as well as complex business processes. 
12.1.2 Define a policy 
Once the administrator authenticates, using the “Change” button, the “Groups on this PC,” “Device Classes,” “Access” and 
“Duration” (see Just In Time Authentication (JITA) Configuration on page 25) can be modified to create a policy. This level of 
configurability enables new client policies, as described in the scenarios below: 
• Scenario 1 – In a call center environment, call takers have full access to sensitive product and pricing information. The
company wants to protect this data and ensure that it is not removed from the premises. This can be accomplished by
creating a Device Access Manager policy that prevents removable storage devices such as USB keys and writeable optical
drives from being used by unauthorized users.
• Scenario 2 – A company is making sensitive financial information available to an auditor and wants to protect this
information from being copied or removed from the notebook. Device Access Manager supports a policy in which this user
is denied access to any removable storage devices.
Separate policies can be defined for Administrators and Users. Only Administrators are allowed to change the device access 
control policy on a machine. Users have a read-only view of the policy that applies to them. 
For most device classes, the device access policy is a simple “Allow” or “Deny”. The following common device classes within 
Device Access Manager are supported: 
• Removable Storage (any attached storage device that Windows assigns a drive letter to access)
• Optical drives
• Bluetooth
• IEEE 1394 Bus Host Controllers
• Ports (COM & LPT)
• The following are examples of the additional devices supported:
○  Biometric devices
○  Network Adapters
○  Imaging Devices (e.g. Webcam)
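
Before writing an “Allow”/“Deny” policy, it helps to know which devices on a given PC fall into each class listed above. The following PowerShell inventory is an added example, not part of the HP whitepaper or of HPDAM; the mapping from the whitepaper's class names to Windows device setup class names and the use of `Win32_LogicalDisk` for removable storage are assumptions of this example.

```powershell
# Added example. The mapping from the whitepaper's device classes to Windows
# device setup class names is an assumption of this example, not HPDAM's own.
$classMap = [ordered]@{
    'Optical drives'                 = @('CDROM')
    'Bluetooth'                      = @('Bluetooth')
    'IEEE 1394 Bus Host Controllers' = @('1394')
    'Ports (COM & LPT)'              = @('Ports')
    'Biometric devices'              = @('Biometric')
    'Network Adapters'               = @('Net')
    'Imaging Devices'                = @('Image', 'Camera')
}

# Present (currently attached) devices for each mapped class.
# Classes with no matching device are skipped silently.
$report = @(foreach ($entry in $classMap.GetEnumerator()) {
    Get-PnpDevice -Class $entry.Value -PresentOnly -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                PolicyClass = $entry.Key
                Device      = $_.FriendlyName
                Status      = $_.Status
                Identifier  = $_.InstanceId
            }
        }
})

# Removable storage: logical disks with a drive letter that Windows reports
# as removable (DriveType 2). External disks that Windows reports as fixed
# (DriveType 3) are not listed here and need to be reviewed separately.
$report += @(Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
    ForEach-Object {
        [pscustomobject]@{
            PolicyClass = 'Removable Storage'
            Device      = $_.VolumeName
            Status      = 'Present'
            Identifier  = $_.DeviceID
        }
    })

$report | Sort-Object PolicyClass, Device | Format-Table -AutoSize
```

Run it on a representative machine for each user role; the classes that return devices are the ones where a “Deny” entry will change what that role can do.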










