When attempting to exempt a device (e.g., a USB flash pen device) using its 'Device ID', the unique identifier is not shown in the Enterprise Console 'Device Control - Event Viewer'.
As a result, you cannot exempt this particular device from a device control policy in the console.
First seen in Sophos Endpoint Security and Control 9.5
A device ID is only returned to the Enterprise Console Event Viewer (by Sophos Endpoint Security and Control running on the client computer) when the device has a unique ID across all computers. In order to prevent unexpected behavior, a device ID is not sent to the console if it cannot be blocked across all computers. This is by design.
You need to check whether the operating system sees the device as a unique device.
If the CM_DEVCAP_UNIQUEID value is present for a device, the operating system sees that device as unique and you should expect a device ID to be present in the device control event viewer, under the 'Device ID' column. You will also be able to select the option 'Exempt: This device only' from your central device control policy.
If the device does not have the CM_DEVCAP_UNIQUEID value, the device ID is purposely withheld from the event viewer because the code returned will not allow you to block the device across all endpoint computers. As a result, you are only able to select the option 'All devices of this model' from the central policy.
If you are unsure why this ability has not been included in the device, please contact the manufacturer.
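One way to run the check described above on a client computer, as an added example that is not Sophos code: it reads each present USB device's PnP capabilities bitmask and tests the CM_DEVCAP_UNIQUEID bit. The function name `Get-UniqueIdCapability` and the instance ID filter are hypothetical, and it assumes the capability Sophos evaluates is the one Windows exposes as `DEVPKEY_Device_Capabilities`.

```powershell
# Added example (not Sophos code). Requires the PnpDevice module
# (Windows 10 / Windows Server 2016 or later).

# CM_DEVCAP_* bit values as defined in the Windows SDK header cfgmgr32.h
$CM_DEVCAP_REMOVABLE = 0x04
$CM_DEVCAP_UNIQUEID  = 0x10

function Get-UniqueIdCapability {   # hypothetical helper name
    param(
        # Regex on the PnP instance ID; USB\ and USBSTOR\ cover flash drives (assumed filter)
        [string]$InstanceIdPattern = '^USB(STOR)?\\'
    )

    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -match $InstanceIdPattern } |
        ForEach-Object {
            $prop = Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                        -KeyName 'DEVPKEY_Device_Capabilities' `
                        -ErrorAction SilentlyContinue
            # Skip devices that report no capabilities value at all
            if ($null -eq $prop -or $null -eq $prop.Data) { return }

            $caps   = [uint32]$prop.Data
            $unique = ($caps -band $CM_DEVCAP_UNIQUEID) -ne 0

            [pscustomobject]@{
                FriendlyName = $_.FriendlyName
                InstanceId   = $_.InstanceId
                Capabilities = '0x{0:X8}' -f $caps
                Removable    = ($caps -band $CM_DEVCAP_REMOVABLE) -ne 0
                UniqueId     = $unique
                # Exemption scope the article says to expect in the central policy
                ExpectedExemption = if ($unique) {
                    'Exempt: This device only (Device ID reported)'
                } else {
                    'All devices of this model (Device ID withheld)'
                }
            }
        }
}

# Plug in the device first, then list results with non-unique devices at the top
Get-UniqueIdCapability |
    Sort-Object UniqueId, FriendlyName |
    Format-Table FriendlyName, Capabilities, UniqueId, ExpectedExemption -AutoSize -Wrap
```

Run it on the computer where the device is plugged in; a device listed with `UniqueId` False is one for which the console is expected to show no 'Device ID'.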