Introducing the New Linux USB Policy V2 | Help Center

Overview

The new Linux USB Policy (LINUX_USB_POLICY_V2) provides advanced control over USB device access on Ubuntu LTS 24 systems. This update replaces the older, category-based policy with a more flexible, rule-based approach, allowing organizations to precisely manage which USB devices can be used on managed Linux endpoints.

Key Features

1. Rule-Based USB Control

Policies are now defined as a set of rules, each specifying actions, device levels, device codes, and optional vendor/product IDs.

Example rule structure:

{
  "policyName": "LINUX_USB_POLICY_V2",
  "policyType": "LINUX_USB_POLICY_V2",
  "policy": {
    "rules": [
      {
        "actions": ["add", "bind", "change"],
        "level": "usb_device",
        "devCode": "00", // Use class information in the Interface Descriptors
        "authorize": true,
        "vendorId": "XXXX" // Optional: restrict to specific vendor
      }
    ]
  }
}

2. Granular Device Authorization

Control USB access at the device or interface level.
Authorize or block devices based on class codes, vendor IDs, and product IDs.
Easily allow or deny specific USB devices (e.g., only allow company-issued USB drives).

3. Dynamic Policy Updates

Policies can be updated or removed at any time.
When a policy is deleted, the corresponding udev rule file (/etc/udev/rules.d/99-swifteam-block-usb.rules) is also removed, restoring normal USB functionality.

4. Compatibility and Migration

Existing customers do not need to migrate immediately; the old policy format is still supported.
The option to disable all external USB drives remains available.

5. Improved Troubleshooting and Testing

Clear test steps for verifying USB policy enforcement, including checking device authorization status and udev rule file presence.
Supports both scenarios where the VM can or cannot detect USB devices.

How to Use

Assigning a Policy

Identify the USB device’s Vendor ID and Product ID using lsusb and cat /sys/bus/usb/devices/<device>/idVendor.
Create a policy rule specifying the desired actions, device level, and authorization status.
Apply the policy to the target device(s).

Example: Block All USB Devices

{
  "policyName": "LINUX_USB_POLICY_V2",
  "policyType": "LINUX_USB_POLICY_V2",
  "policy": {
    "rules": [
      {
        "actions": ["add", "bind", "change"],
        "level": "usb_device",
        "devCode": "00",
        "authorize": false
      }
    ]
  }
}

Example: Allow Only Specific Vendor

{
  "policyName": "LINUX_USB_POLICY_V2",
  "policyType": "LINUX_USB_POLICY_V2",
  "policy": {
    "rules": [
      {
        "actions": ["add", "bind", "change"],
        "level": "usb_device",
        "devCode": "00",
        "authorize": true,
        "vendorId": "XXXX"
      }
    ]
  }
}

Removing a Policy

When the policy is removed, the system automatically deletes the udev rule file, restoring USB access.

Notes and Limitations

If a USB device is plugged in before the policy is applied, the policy may not take effect until the device is reconnected.
Removing the policy now correctly removes the udev profile.
The new policy format supports all previous device categories via devCode mapping.

Troubleshooting

To check if a device is authorized:
cat /sys/bus/usb/devices/<device>/authorized
- 1 means authorized, 0 means blocked.
To verify policy removal, check that /etc/udev/rules.d/99-swifteam-block-usb.rules no longer exists.

Additional Resources

For more details on USB class codes and advanced configuration, refer to the official Linux USB documentation.
For support, contact your IT administrator or Swif.ai support.

Scheduled Device Restart Policy (Cron Policy) in Swif

Configuring a Policy for RADIUS Wi-Fi on Linux

Configuring a Login Message Policy for Linux

Android Password Policy

Android USB Policy