USB Device Management – Block Storage

Overview

This test case validates a critical security feature for any regulated environment: granular USB  Device control. The goal is to confirm that an administrator can enforce a common security policy that allows essential Human Interface Devices (HID) like keyboards and mice, while explicitly blocking all USB mass storage devices (e.g., thumb drives, external hard drives).

Successfully passing this test demonstrates the ability to prevent unauthorized data transfer and reduce the risk of malware introduction via removable media, which is a key compliance requirement for industries like finance, healthcare, and government.

zTC/zMAN Configuration

The policy to block mass storage devices can be set centrally from zMAN or configured on a local zTC device.

Method 1: Centralized Configuration via zMAN (Recommended)

(Note: The provided zMAN documentation confirms that settings can be centrally managed and will override local configurations. While the guide does not show a specific screenshot of the USB Configuration menu in zMAN, this procedure is based on the capabilities confirmed to exist on the zTC client.)

1. Log into zMAN Director: Access the zMAN management UI.
2. Create a New Settings Configuration:
   • Navigate to Device Settings -> USB Management.
   • Click ADD SETTINGS.
3. Configure the USB Policy:
   • Give the configuration a descriptive name, such as Block-USB-Storage-Policy.
   • In the USB Device Class (Priority – 3) section, locate the toggle switch for Mass Storage
   • Click the toggle to switch it to the disabled (off) position, which signifies “Block.”
   • Ensure other necessary classes like Audio and Video remain enabled.
   • Save the settings configuration.
4. Apply the Policy:
   • Navigate to Device Management -> zTC Clients -> LIST.
   • Select the target zTC device(s) and apply the Block-USB-Storage-Policy to them.

Method 2: Local Configuration on zTC

1. Navigate to USB Configuration:
   • On the zTC desktop, go to the Start menu -> Preference -> Settings.
   • From the left pane of the Settings window, click on USB Configuration.
2. Block the Mass Storage Device Class:
   • In the USB Device Class (Priority – 3) section, locate the toggle switch for Mass Storage.
   • Click the toggle to switch it to the disabled (off) position, which signifies “Block.”
   • Ensure other necessary classes like Audio and Video remain enabled.
3. Apply the Policy:
   • Click the Apply button at the bottom of the window to save the changes. The policy will take effect immediately.

3rd Party Setup (VDI Environment)

No specific backend VDI configuration is required for this test. A standard, accessible virtual desktop session (Citrix, VMware, or AVD) is sufficient to verify that the blocking policy is enforced for in-session device redirection.

Execution

1. Prepare Peripherals: Have the following devices ready for testing:
   • A standard USB keyboard and mouse (HID).
   • A USB thumb drive (Mass Storage).
   • (Optional) A USB headset (Audio).
2. Verify HID Functionality: With the policy applied, confirm that the USB keyboard and mouse are working correctly on the local SnapOS desktop.
3. Test Mass Storage Block (Local):
   • Insert the USB thumb drive into a USB port on the zTC.
   • Observe the system’s behavior. The device should not be recognized or mounted by SnapOS. No new drive icon should appear.
4. Launch a VDI Session: Log in to any available virtual desktop.
5. Verify HID Functionality (In-Session): Once the virtual desktop is loaded, confirm that your keyboard and mouse are passed through and working correctly within the session.
6. Test Mass Storage Block (In-Session):
   • Open File Explorer inside the virtual desktop.
   • The USB thumb drive should not appear as a redirected drive or be accessible in any way.
7. (Optional) Verify Allowed Class: Connect the USB headset. Verify that it is recognized by SnapOS and that audio is correctly passed into the VDI session, confirming that the “Audio” class was not blocked by the policy.

Verification

• Policy Application (Pass/Fail):
  • PASS: The USB configuration policy set either locally or from zMAN is successfully applied to the zTC. The settings are persistent and remain active after the device is rebooted.
  • FAIL: The policy fails to apply, does not block the specified device class, or reverts to a default “allow all” state after a reboot.
• Mass Storage Blocking (Pass/Fail):
  • PASS: When the USB thumb drive is connected, it is completely ignored by both the local SnapOS and the remote VDI session. It cannot be used for any data transfer.
  • FAIL: The USB thumb drive is mounted locally or is successfully redirected into the VDI session, which would represent a major security policy failure.
• HID and Allowed Peripheral Functionality (Pass/Fail):
  • PASS: Standard HID peripherals (keyboard, mouse) and any other device classes explicitly set to “Allow” (like Audio) continue to function perfectly on both the local OS and within the VDI session, without any impact from the blocking policy.
  • FAIL: The policy incorrectly blocks or interferes with the functionality of HID or other allowed peripherals, rendering the thin client difficult or impossible to use.