Overview

Device Control policies manage USB and Bluetooth device access on endpoints. These policies allow you to prevent data exfiltration and unauthorized device usage by controlling which types of devices can connect to your systems.
Required API Scope: Device control policies: Read (for read operations) or Device control policies: Write (for write operations)

Get Device Control Policies

Search for and retrieve Falcon Device Control policies.
Get-FalconDeviceControlPolicy
Get-FalconDeviceControlPolicy [[-Filter] <string>] [[-Sort] <string>] [[-Limit] <int>] [[-Include] <string[]>] [[-Offset] <int>] [-Detailed] [-All] [-Total]

Parameters

Id
string[]
Policy identifier(s). Pattern: ^[a-fA-F0-9]{32}$
Filter
string
Falcon Query Language (FQL) expression to limit results
Example: platform_name:'Windows'+enabled:true
Sort
string
Property and direction to sort results
Valid values: created_by.asc, created_by.desc, created_timestamp.asc, created_timestamp.desc, enabled.asc, enabled.desc, modified_by.asc, modified_by.desc, modified_timestamp.asc, modified_timestamp.desc, name.asc, name.desc, platform_name.asc, platform_name.desc, precedence.asc, precedence.desc
Limit
int32
Maximum number of results per request (1-5000)
Include
string[]
Include additional properties
Valid values: members
Offset
int32
Position to begin retrieving results
Detailed
switch
Retrieve detailed information
All
switch
Repeat requests until all available results are retrieved
Total
switch
Display total result count instead of results

Examples

Get-FalconDeviceControlPolicy -All -Detailed

Create Device Control Policy

Create new Falcon Device Control policies.
New-FalconDeviceControlPolicy
New-FalconDeviceControlPolicy -Name <string> -PlatformName <string> [[-Description] <string>] [[-UsbSetting] <object>] [[-BluetoothSetting] <object>]

Parameters

Name
string
required
Policy name
PlatformName
string
required
Operating system platform
Valid values: Windows, Mac, Linux
Description
string
Policy description
UsbSetting
object
USB settings configuration
Default values will be supplied if omitted
BluetoothSetting
object
Bluetooth settings configuration
Default values will be supplied if omitted
InputObject
object[]
One or more policies to create in a single request (for batch operations)

Examples

$UsbSettings = @{
    enforcement_mode = 'BLOCK'
    classes = @(
        @{ class = 'mass_storage'; action = 'BLOCK' }
    )
}
New-FalconDeviceControlPolicy -Name 'Restrict USB Storage' -PlatformName 'Windows' -Description 'Block USB storage devices' -UsbSetting $UsbSettings

Edit Device Control Policy

Modify existing Falcon Device Control policies.
Edit-FalconDeviceControlPolicy
Edit-FalconDeviceControlPolicy -Id <string> [[-Name] <string>] [[-Description] <string>] [[-UsbSetting] <object>] [[-BluetoothSetting] <object>] [[-Propagated] <boolean>]

Parameters

Id
string
required
Policy identifier. Pattern: ^[a-fA-F0-9]{32}$
Name
string
Policy name
Description
string
Policy description
UsbSetting
object
USB settings to update
BluetoothSetting
object
Bluetooth settings to update
Propagated
boolean
Propagate policy to child environments
InputObject
object[]
One or more policies to modify in a single request (for batch operations, max 100 per request)

Examples

Edit-FalconDeviceControlPolicy -Id <policy_id> -Name 'Updated Policy Name'

Remove Device Control Policy

Remove Falcon Device Control policies.
Remove-FalconDeviceControlPolicy
Remove-FalconDeviceControlPolicy -Id <string[]>

Parameters

Id
string[]
required
Policy identifier(s) to remove. Pattern: ^[a-fA-F0-9]{32}$

Example

Remove-FalconDeviceControlPolicy -Id <policy_id>

Policy Actions

Perform actions on Falcon Device Control policies such as enabling/disabling or assigning to host groups.
Invoke-FalconDeviceControlPolicyAction
Invoke-FalconDeviceControlPolicyAction -Name <string> [[-GroupId] <string>] -Id <string>

Parameters

Name
string
required
Action to perform
Valid values: add-host-group, disable, enable, remove-host-group
GroupId
string
Host group identifier. Pattern: ^[a-fA-F0-9]{32}$
Required for: add-host-group, remove-host-group
Id
string
required
Policy identifier. Pattern: ^[a-fA-F0-9]{32}$

Examples

Invoke-FalconDeviceControlPolicyAction -Name enable -Id <policy_id>

Get Policy Members

Search for members (hosts) assigned to Device Control policies.
Get-FalconDeviceControlPolicyMember
Get-FalconDeviceControlPolicyMember [[-Id] <string>] [[-Filter] <string>] [[-Sort] <string>] [[-Limit] <int>] [[-Offset] <int>] [-Detailed] [-All] [-Total]

Parameters

Id
string
Policy identifier. Pattern: ^[a-fA-F0-9]{32}$
Filter
string
Falcon Query Language expression to limit results
Sort
string
Property and direction to sort results
Limit
int32
Maximum number of results per request (1-5000)
Offset
int32
Position to begin retrieving results
Detailed
switch
Retrieve detailed information
All
switch
Repeat requests until all available results are retrieved
Total
switch
Display total result count instead of results

Example

Get-FalconDeviceControlPolicyMember -Id <policy_id> -Detailed -All

Set Policy Precedence

Set Falcon Device Control policy precedence order for a specific platform.
Set-FalconDeviceControlPrecedence
Set-FalconDeviceControlPrecedence -PlatformName <string> -Id <string[]>

Parameters

PlatformName
string
required
Operating system platform
Valid values: Windows, Mac, Linux
Id
string[]
required
Policy identifiers in desired precedence order (highest to lowest priority). Pattern: ^[a-fA-F0-9]{32}$
All policy identifiers must be supplied in order, with the exception of the platform_default policy.

Example

$PolicyOrder = @('<policy_id_1>', '<policy_id_2>', '<policy_id_3>')
Set-FalconDeviceControlPrecedence -PlatformName 'Windows' -Id $PolicyOrder
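
Because every policy identifier except platform_default must be submitted, a precedence change is safest when the list is built from the current policy set rather than typed by hand. The following is an added example, not part of the original documentation or the PSFalcon project; the function name is hypothetical, and it assumes policy objects expose id, name and precedence properties and that the default policy is named platform_default.

```powershell
function Get-PromotedPrecedenceOrder {
    [CmdletBinding()]
    param(
        # Policy objects; assumed to expose 'id', 'name' and 'precedence' properties
        [Parameter(Mandatory)] [object[]] $Policy,
        # Identifier of the policy that should be evaluated first
        [Parameter(Mandatory)] [ValidatePattern('^[a-fA-F0-9]{32}$')] [string] $PromoteId
    )
    # platform_default is never submitted; assumed identifiable by its name
    $Custom = @($Policy | Where-Object { $_.name -ne 'platform_default' } | Sort-Object precedence)
    if ($Custom.id -notcontains $PromoteId) {
        throw "Policy $PromoteId is not a custom policy for this platform."
    }
    # Promoted id first, then every other id in its existing relative order
    $Rest = @($Custom | Where-Object { $_.id -ne $PromoteId } | ForEach-Object { $_.id })
    $Order = @($PromoteId) + $Rest
    # Refuse to return a partial or duplicated list
    if (@($Order | Select-Object -Unique).Count -ne $Custom.Count) {
        throw 'Precedence list is incomplete or contains duplicates.'
    }
    return $Order
}

# Constructed sample data (not real policy identifiers)
$Sample = @(
    [pscustomobject]@{ id = ('a' * 32); name = 'Kiosks';               precedence = 1 }
    [pscustomobject]@{ id = ('b' * 32); name = 'Engineering';          precedence = 2 }
    [pscustomobject]@{ id = ('c' * 32); name = 'Restrict USB Storage'; precedence = 3 }
    [pscustomobject]@{ id = ('d' * 32); name = 'platform_default';     precedence = 4 }
)
$PolicyOrder = Get-PromotedPrecedenceOrder -Policy $Sample -PromoteId ('c' * 32)
$PolicyOrder

# Against a live tenant (requires PSFalcon and an authenticated session):
# $Policies = Get-FalconDeviceControlPolicy -Filter "platform_name:'Windows'" -Detailed -All
# $PolicyOrder = Get-PromotedPrecedenceOrder -Policy $Policies -PromoteId '<policy_id>'
# Set-FalconDeviceControlPrecedence -PlatformName 'Windows' -Id $PolicyOrder
```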

Manage Device Classes

Modify Device Control policy classes to control specific device types.
Edit-FalconDeviceControlClass
Edit-FalconDeviceControlClass -Id <string> [[-BluetoothClass] <object>] [[-UsbClass] <object>]

Parameters

Id
string
required
Policy identifier. Pattern: ^[a-fA-F0-9]{32}$
BluetoothClass
object
Bluetooth class modifications and exceptions
UsbClass
object
USB class modifications and exceptions
InputObject
object[]
One or more policy identifiers and class objects to modify in a single request (for batch operations, max 100 per request)

Example

$UsbClasses = @{
    classes = @(
        @{ class = 'mass_storage'; action = 'BLOCK' },
        @{ class = 'imaging'; action = 'ALLOW' }
    )
    exceptions = @(
        @{ vendor_id = '0x1234'; product_id = '0x5678'; action = 'ALLOW' }
    )
}
Edit-FalconDeviceControlClass -Id <policy_id> -UsbClass $UsbClasses

Manage Default Notifications

Modify default Device Control notification settings displayed to users.
Get-FalconDeviceControlNotification
Get-FalconDeviceControlNotification
Edit-FalconDeviceControlNotification
Edit-FalconDeviceControlNotification -Bluetooth <object> -Usb <object>

Parameters for Edit

Bluetooth
object
required
Bluetooth custom notification settings
Contains: blocked_notification with use_custom and custom_message properties
Usb
object
required
USB custom notification settings
Contains: blocked_notification and restricted_notification, each with use_custom and custom_message properties

Examples

Get-FalconDeviceControlNotification

Device Control Enforcement Modes

Device Control policies support different enforcement modes:
  • BLOCK: Completely prevents device connections of specified types
  • MONITOR: Allows connections but logs device usage for visibility
  • ALLOW: Explicitly permits device types (used with exceptions)

Common USB Device Classes

USB flash drives, external hard drives, and other storage devices. Often blocked to prevent data exfiltration.
Cameras, scanners, and webcams. May be restricted in secure environments.
Wireless keyboards, mice, and other input devices. Sometimes blocked due to keystroke injection risks.
Mobile phones and tablets connected via USB. Can be restricted to prevent unauthorized data transfer.
USB printers. May be controlled in environments with print security requirements.

Best Practices

Before deploying restrictive Device Control policies, ensure you:
  • Identify legitimate business needs for USB and Bluetooth devices
  • Create exceptions for approved devices using vendor/product IDs
  • Test policies in monitor mode before switching to block mode
  • Communicate policy changes to end users

Recommended rollout sequence:
  1. Start with Monitor Mode: Deploy policies in monitor mode to understand device usage patterns without disrupting users
  2. Analyze Device Usage: Review logs to identify which devices are being used and by whom
  3. Create Exceptions: Add exceptions for approved devices before enforcing blocking
  4. Enable Block Mode: Switch to block mode and monitor for issues
  5. Refine Policies: Continuously adjust policies based on business needs and security requirements
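
The monitor-first rollout described above, written out with the cmdlets documented on this page. This is an added example, not part of the original documentation or the PSFalcon project. It requires the PSFalcon module and an authenticated session, '<host_group_id>' is a placeholder, the object shapes follow this page's examples, and the id property on returned objects and the partial UsbSetting update in step 4 are assumptions.

```powershell
# 1. Start in monitor mode on a pilot host group
$UsbSettings = @{
    enforcement_mode = 'MONITOR'
    classes = @(
        @{ class = 'mass_storage'; action = 'BLOCK' }
    )
}
$Policy = New-FalconDeviceControlPolicy -Name 'Restrict USB Storage' -PlatformName 'Windows' -Description 'Pilot: monitor USB storage' -UsbSetting $UsbSettings
$PolicyId = $Policy.id  # assumption: the created policy is returned with an 'id' property
Invoke-FalconDeviceControlPolicyAction -Name add-host-group -GroupId '<host_group_id>' -Id $PolicyId
Invoke-FalconDeviceControlPolicyAction -Name enable -Id $PolicyId

# 2. Confirm the pilot hosts picked up the policy, then review device usage logs
Get-FalconDeviceControlPolicyMember -Id $PolicyId -Total

# 3. Add exceptions for approved devices, rejecting malformed IDs before submitting
$Approved = @(
    @{ vendor_id = '0x1234'; product_id = '0x5678'; action = 'ALLOW' }  # constructed sample
)
foreach ($Device in $Approved) {
    foreach ($Key in 'vendor_id', 'product_id') {
        # assumption: IDs are 16-bit hex strings, formatted as in this page's example
        if ($Device[$Key] -notmatch '^0x[0-9a-fA-F]{4}$') {
            throw "Invalid $Key '$($Device[$Key])'"
        }
    }
}
Edit-FalconDeviceControlClass -Id $PolicyId -UsbClass @{
    classes    = $UsbSettings.classes
    exceptions = $Approved
}

# 4. Enforce: switch the enforcement mode to BLOCK
#    (assumption: only the supplied settings are updated)
Edit-FalconDeviceControlPolicy -Id $PolicyId -UsbSetting @{ enforcement_mode = 'BLOCK' }

# 5. Read the policy back to confirm the mode changed and the exceptions are still present
Get-FalconDeviceControlPolicy -Id $PolicyId -Detailed
```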
