Matrix42 Self-Service Help Center

XML import format

You can import user and computer management settings (Access Control access rights, product activations) from an XML file. To do so, define the respective rights in an XML file and import that file into the Console. For details, see Importing settings via XML file.

XML file format for importing access rights

The basic structure of the XML files with which you can import settings is as follows:

<?xml version="1.0"?>
<xml>
    <header></header>
    <body>
        <schema>1</schema>
    </body>
</xml>

Below the <schema> element (inside the <body>), define the access rights or the settings for the product activation that you want to import.

Definition of access rights

Access rights for Access Control are defined on several levels. First determine the device or port to which the rights apply, then assign rights for this device to specific users and/or computers. Example: an XML file that assigns access rights looks as follows:

<?xml version="1.0"?>
<xml>
    <header></header>
    <body>
        <schema>1</schema>
        <DC id="7" name="Bluetooth">
            <SD prf="0">
                <ACE guid="d0acaf5d1e474b3cb047f313ba2c5e60" ar="0"></ACE>
            </SD>
        </DC>
    </body>
</xml>
  • First, the device or port for which rights are to be assigned is addressed (in the example via the <DC> element (device class) with id="7", i.e. Bluetooth).
  • Then a security descriptor (element <SD>) follows, which contains the entries for the access rights (element <ACE>).
  • The <SD> element carries the attribute prf="0", which means the access rights apply to the online profile of the device.
  • The <ACE> element carries the attribute guid, which identifies the object to which the rights of this entry apply; the predefined guid values stand for the default rights for new users, new computers or unknown users.
  • In the example, the value guid="d0acaf5d1e474b3cb047f313ba2c5e60" assigns the default rights for all new computers. The <ACE> element also has the attribute ar="0", which specifies the actual access rights of the user/computer for the respective device. The value 0 stands for no access.
  • To see all elements and attributes for the definition of access rights, see Elements and attributes.

Definition of product activations

In addition to defining access rights, you can also use XML to activate products for specific users and/or computers. The example code for this looks as follows:

<?xml version="1.0"?>
<xml>
  <header></header>
  <body>
      <schema>1</schema>
      <ACCNT name="PC-NAME" addons="256"></ACCNT>
  </body>
</xml>
  • The settings for the product activation are defined in the <ACCNT> element.
  • Specify the directory service object for which the products are to be activated (in the example, the computer is addressed via the attribute name="PC-NAME").
  • Then enter a value in the addons attribute that corresponds to the products to be activated (in the example, the value 256 stands for the Green IT product).
  • You can also store a number of optional settings via attributes in the <ACCNT> element.

To see all elements and attributes for the definition of product activation, click on Elements and attributes.

Elements and attributes

Elements for device definition

Access rights for a device or a port are defined via the element that corresponds to it. Depending on the device and application, the following elements are available:

Element / Description / Attributes

DP (device port)

Defines access rights for a specific port type. You can find the available port types under User management | Control or Computer management | Control.

DC (device class)

Defines access rights for a specific device type. You can find the available device types under User management | Control or Computer management | Control.

DM (device model)

Adds certain device groups under Permitted devices | Permitted device models to the whitelist.

  • hwid: Windows hardware identifier of the device. The wildcards * and ? can be used to turn this field into a mask.
  • cert: marks the device as certified (whitelisted); value 1
  • port (optional): device port
  • class (optional): device class
  • name (optional): device group name

DN (device node)

Adds individual devices under Permitted devices | Individual device permissions to the whitelist.

  • instanceid: unique Windows device instance identifier (hardware ID + serial number)
  • name: device name
  • port (optional): device port
  • class (optional): device class

Available port types and device classes

To address a device or a port via the elements <DC> / <DP>, the attribute id (for device classes) or type (for port types) must be assigned to it. The individual device classes and port types have certain IDs, which can be used to assign them during import. The following tables give an overview of the values of the type and id attributes that you must assign to the respective elements:

type   Port type (<DP>)
3      Parallel port
4      Serial port
9      FireWire
10     PCMCIA
14     USB (without keyboards, mice, etc.)
29     Thunderbolt

id     Device class (<DC>)
0      Unknown
1      CD / DVD
2      Floppy disk
5      External storage
6      Infrared
7      Bluetooth
8      WiFi
11     Scanners
12     TV Tuner
13     Local printers
15     Portable devices (Android, PDA, Windows Mobile, MTP & PTP devices)
16     Blackberry
17     Modem
18     ISDN cards
19     Sound, video and game controllers
20     Fixed disk
21     Thin client storage
22     Network share
23     Apple (iPhone, iPad etc.)
24     Smart card readers
27     USB network adapter
28     Cameras
30     NFC

Elements for defining access rights

Element / Description / Attributes

SD (security descriptor)

Container for the access rights of a device/port; contains one or more ACE elements.

  • prf: defines whether the rights apply to the online (value 0) or the offline (value 1) profile

ACE (access control entry)

Contains the access rights for a specific directory service object or default rights for new/unknown users or computers.

  • sid: Windows SID (security identifier).
  • guid: unique object identifier from Active Directory (guid is not used when importing permitted device models and individual device permissions; use the object's sid or name instead).
  • name: fully qualified host name of the directory service object (used only if there is no sid/guid attribute).
  • ar: access rights; see the next table.
  • host (optional): computer on which the rights apply to the specified user/group.
  • del (optional): value 1 removes the corresponding access rights entry (e.g. from a whitelist).

The value of the ar attribute within an <ACE> element defines the access rights. The values for the different access types are the following:

Access right                                                Attribute
No access                                                   ar="0"
Read access                                                 ar="1"
Print access (printers only)                                ar="1"
Playback access (Sound, video and game controllers only)    ar="1"
Block virtual adapters (Bluetooth only)                     ar="1"
Write access                                                ar="2"
Full access                                                 ar="3"
Not controlled                                              ar="8"

The attributes guid or sid within an <ACE> element can not only be used to address individual users or computers, but also all objects in the directory using special, predefined values. In addition, default rights for new users/computers in the directory or for unknown users can also be defined in this way. The attributes and values for this are the following:

Description                        Attribute
All computers/users                sid="S-1-1-0"
Default rights for new user        guid="9a20eff0a9d74646aa1ccc4d91354b31"
Default rights for new computer    guid="d0acaf5d1e474b3cb047f313ba2c5e60"
Default rights for unknown user    guid="4f691245707843EC91aace235478c647"

sid="S-1-1-0" is the value used when adding devices under Permitted devices | Permitted device models and under Permitted devices | Individual device permissions.

Elements for activating products

To activate products for certain users and / or computers, use the <ACCNT> element. Make all the settings using attributes within this element.

Element / Description / Attributes

ACCNT

Contains the settings for activating products for a specific directory object.

  • sid: ID assigned by Windows (for users and groups)
  • name: object name (for computers)
  • addons: decimal sum of the values of the products to activate; see the table below
  • further optional settings; see Optional attributes for <ACCNT> elements

To determine the correct value of the addons attribute, add the values for all products that you want to activate from the following table:

Product                          Value for the addons attribute
Secure Audit                     1
Removable Device Encryption      2
Shadowcopy                       4
Cloud Storage Encryption         8
Application Control              16
Local Folder Encryption          32
Full Disk Encryption             64
Access Control                   128
Green IT                         256
Secure Erase                     512
BitLocker Management             1024
EgoSecure Antivirus              2048
MDM                              4096
Insight Analysis                 8192
Inventory                        16384
Network Share Encryption         32768
Permanent Encryption             65536
Password Manager                 131072
IntellAct Automation             262144
DLP Data in Use                  1048576
DLP Data at Rest                 2097152
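
As an added example (not Matrix42's code), the following Python script decodes an import file with the id/type, ar, predefined guid/sid and addons tables on this page, so the effect of every <ACE> and <ACCNT> entry can be reviewed before the file is imported. It matches element and attribute names case-insensitively because the page's own examples use both spellings (id/Id, guid/GUID, sid/Sid); the sample file, its SIDs and the host name are constructed placeholders.

```python
import xml.etree.ElementTree as ET
# Lookup tables copied from this page; an unlisted id, type, ar value or addons bit is reported as unknown.
DEVICE_CLASS = {0: "Unknown", 1: "CD / DVD", 2: "Floppy disk", 5: "External storage", 6: "Infrared",
    7: "Bluetooth", 8: "WiFi", 11: "Scanners", 12: "TV Tuner", 13: "Local printers", 15: "Portable devices",
    16: "Blackberry", 17: "Modem", 18: "ISDN cards", 19: "Sound, video and game controllers", 20: "Fixed disk",
    21: "Thin client storage", 22: "Network share", 23: "Apple", 24: "Smart card readers",
    27: "USB network adapter", 28: "Cameras", 30: "NFC"}
PORT_TYPE = {3: "Parallel port", 4: "Serial port", 9: "FireWire", 10: "PCMCIA", 14: "USB", 29: "Thunderbolt"}
ACCESS = {"0": "no access", "1": "read", "2": "write", "3": "full access", "8": "not controlled"}
PRINCIPALS = {"s-1-1-0": "all computers/users", "9a20eff0a9d74646aa1ccc4d91354b31": "default new user",
    "d0acaf5d1e474b3cb047f313ba2c5e60": "default new computer", "4f691245707843ec91aace235478c647": "default unknown user"}
ADDONS = {1: "Secure Audit", 2: "Removable Device Encryption", 4: "Shadowcopy", 8: "Cloud Storage Encryption",
    16: "Application Control", 32: "Local Folder Encryption", 64: "Full Disk Encryption", 128: "Access Control",
    256: "Green IT", 512: "Secure Erase", 1024: "BitLocker Management", 2048: "EgoSecure Antivirus", 4096: "MDM",
    8192: "Insight Analysis", 16384: "Inventory", 32768: "Network Share Encryption", 65536: "Permanent Encryption",
    131072: "Password Manager", 262144: "IntellAct Automation", 1048576: "DLP Data in Use", 2097152: "DLP Data at Rest"}

def _attr(el, name):
    """Case-insensitive attribute lookup: the page's examples mix id/Id, guid/GUID, sid/Sid."""
    return next((v for k, v in el.attrib.items() if k.lower() == name), None)

def decode_addons(value):
    """Split an addons sum into product names plus any bits that match no listed product."""
    n = int(value)
    return [name for bit, name in ADDONS.items() if n & bit], n & ~sum(ADDONS)

def audit(xml_text):
    """One 'target: subject -> effect' line per <ACE> under <DC>/<DP> and per <ACCNT>."""
    lines = []
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.lower()
        if tag == "accnt":
            names, unknown = decode_addons(_attr(el, "addons") or "0")
            extra = f" (unknown bits {unknown})" if unknown else ""
            lines.append(f"account {_attr(el, 'sid') or _attr(el, 'name')}: activates {', '.join(names) or 'nothing'}{extra}")
        elif tag in ("dc", "dp"):
            key, table = ("id", DEVICE_CLASS) if tag == "dc" else ("type", PORT_TYPE)
            target = f"{tag.upper()} {key}={_attr(el, key)} ({table.get(int(_attr(el, key) or -1), 'unknown')})"
            for ace in [a for a in el.iter() if a.tag.lower() == "ace"]:
                who = _attr(ace, "sid") or _attr(ace, "guid") or _attr(ace, "name") or "?"
                ar = _attr(ace, "ar")
                lines.append(f"{target}: {PRINCIPALS.get(who.lower(), who)} -> {ACCESS.get(ar, f'unknown ar={ar}')}")
    return lines

# Constructed sample modelled on the page's examples; the SIDs are placeholders, not from a real system.
SAMPLE = """<?xml version="1.0"?>
<Xml><Header></Header><Body><Schema>1</Schema>
  <DC Id="7" Name="Bluetooth"><SD prf="0"><ACE sid="S-1-1-0" ar="3"></ACE></SD></DC>
  <DP Type="14" Name="USB"><SD><ACE sid="S-1-5-21-1-2-3-1003" ar="1"></ACE></SD></DP>
  <ACCNT Sid="S-1-5-21-1-2-3-1003" Addons="129"></ACCNT>
</Body></Xml>"""
```

Running audit(SAMPLE) shows that the first entry grants full Bluetooth access to all computers/users, which is the kind of line worth a second look before the file is imported.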

Optional attributes for <ACCNT> elements

In addition to the addons attribute, you can assign other optional attributes to the <ACCNT> element that define certain settings for clients and users. For each of these attributes, assign the value 1 to activate the respective option or the value 0 to deactivate it. You can also assign the value inherit, which takes priority over the values 0 and 1 within one section.

E.g.: allowThinClientControl="1" allowHddFullControl="inherit" results in enabling the inheritance for the section Computer management | Settings | Client settings.

Settings type / Attributes

Client settings

  • allowPrinterControl
  • allowNetworkSharesControl
  • allowThinClientControl
  • allowHddFullControl
  • denyLowLevelDiskAccess
  • denyStorageExecuteAccess
  • restrictKbdAccess
  • restrictMouseAccess
  • checkAccountExpiration
  • agentWindowsLog
  • agentSyslog
  • enablePRESENSE
  • autoKbdRegister
  • agentPollingMode (0 – disable, 1 – enable, 2 – auto)

User settings

  • disableFileDownloads
  • disableClipboard
  • allowAdditionalKeyboards
  • askAccessByEachConnection
  • archivesScanning
  • officeFilesScanning

Examples

Setting user access rights for three device classes

<?xml version="1.0"?>
<Xml>
      <Header></Header>
      <Body>
            <Schema>1</Schema>
            <DC Id="1" Name="CD / DVD">
            <SD>
                  <ACE sid="S-1-5-21-3757206099-4223034928-3177353085-1003" ar="0"></ACE>
            </SD>
            </DC>
            <DC Id="5" Name="External Storage">
            <SD>
                  <ACE sid="S-1-5-21-3757206099-4223034928-3177353085-1003" ar="1"></ACE>
            </SD>
            </DC>
            <DC Id="8" Name="WiFi">
            <SD>
                  <ACE sid="S-1-5-21-3757206099-4223034928-3177353085-1003" ar="3"></ACE>
            </SD>
            </DC>
      </Body>
</Xml>

Setting default user rights for three device classes

<?xml version="1.0"?>
<Xml>
      <Header></Header>
      <Body>
            <Schema>1</Schema>
            <DC Id="1" Name="CD / DVD">
            <SD>
                  <ACE GUID="9a20eff0a9d74646aa1ccc4d91354b31" ar="0"></ACE>
            </SD>
            </DC>
            <DC Id="5" Name="External Storage">
            <SD>
                  <ACE GUID="9a20eff0a9d74646aa1ccc4d91354b31" ar="1"></ACE>
            </SD>
            </DC>
            <DC Id="8" Name="WiFi">
            <SD>
                  <ACE GUID="9a20eff0a9d74646aa1ccc4d91354b31" ar="3"></ACE>
            </SD>
            </DC>
      </Body>
</Xml>

Setting user and computer access rights for device port

<?xml version="1.0"?>
<Xml>
      <Header></Header>
      <Body>
            <Schema>1</Schema>
            <DP Type="14" Name="USB">
            <SD>
                  <ACE host="computer.damain.in" sid="S-1-5-21-3757206099-4223034928-3177353085-1003" ar="3"></ACE>
            </SD>
            </DP>
      </Body>
</Xml>

Setting computer access rights for two device ports and two device classes

<?xml version="1.0"?>
<Xml>
      <Header></Header>
      <Body>
            <Schema>1</Schema>
            <DP Type="9" Name="FireWire">
            <SD>
                  <ACE host="hostname.domain.at" ar="0"></ACE>
            </SD>
            </DP>
            <DP Type="10" Name="PCMCIA">
            <SD>
                  <ACE host="hostname.domain.at" ar="3"></ACE>
            </SD>
            </DP>
            <DC Id="7" Name="Bluetooth">
            <SD>
                  <ACE host="hostname.domain.at" ar="0"></ACE>
            </SD>
            </DC>
            <DC Id="8" Name="WiFi">
            <SD>
                  <ACE host="hostname.domain.at" ar="3"></ACE>
            </SD>
            </DC>
      </Body>
</Xml>

Adding two device models of different device classes into whitelist

<?xml version="1.0"?>
<Xml>
      <Header></Header>
      <Body>
            <Schema>1</Schema>
            <DM Class="1" Cert="1" HwId="IDE\\CDROMLITE-ON_DVDRW_SHM-165P6S________________MS0F____"></DM>
            <DM Port="14" Class="5" Cert="1" HwId="USB\\VID_0835&amp;PID_0835"></DM>
      </Body>
</Xml>

Adding an external storage device to the Console under Permitted devices | Individual device permissions for a user and computer with read-only rights

<?xml version="1.0"?>
<Xml>
      <Header></Header>
      <Body>
            <Schema>1</Schema>
            <DN Port="14" Class="5" InstanceId="USB\\VID_08EC&amp;PID_0020\\0DE0F8613363AA02&amp;0" Name="Intuix U3 USB Device">
            <SD>
                  <ACE host="comp1" sid="S-1-5-21-3757206099-4223034928-3177353085-1003" ar="1"></ACE>
            </SD>
            </DN>
      </Body>
</Xml>

Adding an external storage device to the Console globally under Permitted devices | Individual device permissions

<?xml version="1.0"?>
<Xml>
      <Header></Header>
      <Body>
            <Schema>1</Schema>
            <DN Port="14" Class="15" InstanceId="USB\\VID_0BB4&amp;PID_0BCE\\5&amp;1C5E86F8&amp;0&amp;1" Name="Windows Mobile-based Device">
            <SD>
                  <ACE sid="S-1-1-0" ar="3"></ACE>
            </SD>
            </DN>
      </Body>
</Xml>

Removing one user from the CD security descriptor in the Console under Permitted devices | Individual device permissions

<?xml version="1.0"?>
<Xml>
      <Header></Header>
      <Body>
            <Schema>1</Schema>
            <DN InstanceId="IDE\\CDROMLITE-ON_DVDRW_SHW-16H5S_________________LS0N____\\5&amp;23126E32&amp;0&amp;0.1.0" Name="LITE-ON DVDRW SHW-16H5S">
            <SD>
                  <ACE Del="1" sid="S-1-5-21-3757206099-4223034928-3177353085-1003"></ACE>
            </SD>
            </DN>
      </Body>
</Xml>

Activating products 'Access Control' and 'Secure Audit' for the user with SID="S-1-5-21-760337890-188976374-1171351706-1000"

<?xml version="1.0"?>
<Xml>
      <Header></Header>
      <Body>
            <Schema>1</Schema>
                  <ACCNT Sid="S-1-5-21-760337890-188976374-1171351706-1000" Addons="129"></ACCNT>
      </Body>
</Xml>

Activating 'Access Control' for the computer with Name="PC-NAME"

<?xml version="1.0"?>
<Xml>
      <Header></Header>
      <Body>
            <Schema>1</Schema>
                  <ACCNT Name="PC-NAME" Addons="128"></ACCNT>
      </Body>
</Xml>

Activating network share control and printer control, and disabling the control of hard disks as external media, for the default rights

<?xml version="1.0"?>
<Xml>
      <Header></Header>
      <Body>
            <Schema>1</Schema>
                  <ACCNT Guid = "d0acaf5d1e474b3cb047f313ba2c5e60">
                  <ClientSettings allowNetworkSharesControl="1" allowHddFullControl="0" allowPrinterControl="1">
                  </ClientSettings>
                  </ACCNT>
      </Body>
</Xml>

Restricting access to one keyboard and allowing printer control for the computer with Name = "PC-NAME"

<?xml version="1.0"?>
<Xml>
      <Header></Header>
      <Body>
            <Schema>1</Schema>
                  <ACCNT Name = "PC-NAME" >
                  <ClientSettings restrictKbdAccess="1" allowPrinterControl="1">
                  </ClientSettings>
                  </ACCNT>
      </Body>
</Xml>

Enabling the inheritance of settings for the computer with Name = "PC-NAME"

<?xml version="1.0"?>
<Xml>
      <Header></Header>
      <Body>
            <Schema>1</Schema>
                  <ACCNT Name = "PC-NAME" >
                  <ClientSettings inheritSettings="1" >
                  </ClientSettings>
                  </ACCNT>
      </Body>
</Xml>

Disabling file downloads and the clipboard for the user with Sid = "S-1-5-21-2024135453-3835937584-2321026569-1000"

<?xml version="1.0"?>
<Xml>
      <Header></Header>
      <Body>
            <Schema>1</Schema>
                  <ACCNT Sid = "S-1-5-21-2024135453-3835937584-2321026569-1000">
                  <UserSettings disableFileDownloads="1" disableClipboard="1">
                  </UserSettings>
                  </ACCNT>
      </Body>
</Xml>
