Skip to main content

Linux Bluetooth Policy

Updated today

The Linux Bluetooth Policy allows administrators to control Bluetooth functionality and restrict which Bluetooth devices can connect to managed Linux endpoints.
This policy can be applied to both BYOD and company-owned Linux devices enrolled in Swif.ai.

It provides two powerful security controls:

  1. Block or allow all Bluetooth functionality

  2. Restrict Bluetooth pairing to approved MAC addresses

  3. Block specific disallowed MAC addresses

This policy is often used in high-security environments to prevent unauthorized peripherals such as headphones, keyboards, mice, storage bridges, or proximity devices.

Requirements

  • Linux device enrolled in Swif.ai
    (Compatible with major distributions such as Ubuntu, Fedora, Debian, CentOS, Rocky Linux, etc.)

Configuration Settings

1. Bluetooth Block

This setting determines whether Bluetooth functionality is allowed or blocked on the device.

Options include:

  • True → Completely disables Bluetooth

  • False → Allows Bluetooth functionality

  • NA → No change (default system behavior)

When Bluetooth is blocked:

  • Existing Bluetooth connections are terminated.

  • New Bluetooth pairing attempts are rejected.

2. Disallowed Device List

Bluetooth connections with MAC addresses on this list will be blocked and disabled.

Use this list to explicitly prevent certain devices from connecting, even if Bluetooth is enabled.

Example Use Cases

  • Blocking personal headphones

  • Blocking unauthorized keyboards or mice

  • Preventing malicious or unknown MAC-based attempts

  • Enforcing a "deny known-bad devices" policy

Example Entries

00:1A:7D:DA:71:13 F4:5C:89:3E:2A:10 B8:27:EB:45:22:AC

Swif.ai will:

  • Terminate existing connections with these MAC addresses

  • Prevent pairing attempts

  • Log a blocking event

3. Allowed Device List

Only Bluetooth connections that match the MAC addresses on this list will be permitted. All others will be disabled.

This setting enforces a strict allowlist model—ideal for secure or compliance-driven environments.

When an allowlist is configured:

  • Devices not on the list are automatically rejected

  • Only devices whose MAC addresses match an entry in the list may connect

  • This overrides all other Bluetooth permissions

Example Use Cases

  • Allowing only company-issued headsets

  • Restricting Bluetooth to official peripherals

  • Enforcing Zero Trust peripheral policies

  • Preventing data exfiltration via rogue devices

Example Entries

34:88:5D:AB:93:F2 (Company headset) 00:18:09:EF:13:11 (Corp keyboard) 50:F1:4A:10:22:9C (Approved mouse)

How the Evaluation Order Works

The policy evaluates in this order:

  1. Bluetooth Block
    If set to True, ALL Bluetooth functionality is disabled and allowlists/disallowlists are ignored.

  2. Allowed Device List
    If the allowlist is populated, only those devices can connect, regardless of the disallowed list.

  3. Disallowed Device List
    If Bluetooth is enabled and not restricted by an allowlist:

    • Devices in this list are blocked

    • All other devices may connect

This ensures safe, predictable behavior.

Best Practices

✔ Use Allowed Device List for High Security

If protecting sensitive environments (R&D, finance, healthcare), allowlisting is the recommended approach.

✔ Add MAC Addresses Before Deploying

Make sure to collect and document the MAC addresses of authorized peripherals to avoid accidental lockout.

✔ Monitor Bluetooth Events

Combine with Linux Tracking Policy to view:

  • Bluetooth connect/disconnect events

  • Blocked device attempts

  • Suspicious MAC addressing patterns

✔ Use in combination with company-issued peripherals

This ensures seamless user experience while maintaining strict security.

Troubleshooting

Bluetooth still works after setting Block = True

  • Confirm that the device has synced the latest policy

  • Ensure no OS-level Bluetooth services override the enforcement

  • Restart Bluetooth services or reboot if needed

Allowed devices cannot connect

  • Verify MAC address formatting (uppercase/lowercase doesn't matter, but punctuation must be correct)

  • Confirm the device is not accidentally listed in the disallowed list

  • Ensure Bluetooth is not globally blocked

Unexpected devices still connect

  • The allowlist may be empty (NA → wildcard allow)

  • Verify the MAC address of the connecting device—it may be using a dynamic randomized MAC address

  • Some devices rotate addresses; use allowlist mode to prevent this

Summary

The Linux Bluetooth Policy provides granular control over Bluetooth functionality on Linux devices.
It allows you to:

  • Fully disable or allow Bluetooth

  • Block specific MAC addresses

  • Restrict connections only to approved MAC addresses

This makes the policy highly flexible for both general IT management and strict security environments.

Related Articles
Linux-specific MDM policies available in Swif
Android Bluetooth Policy
Apple Bluetooth Policy
Linux Application Block Policy
Linux WiFi Policy
Did this answer your question?