Best Device Control Software and Tools

The critical facility that enables data loss prevention systems to block data theft is device control

“Device” is one of those words that can have multiple meanings in IT. For example, endpoints are often referred to as devices, and peripherals to endpoints are also called devices. However, in the world of data loss prevention, “device” refers to the peripherals.

Here is our list of the best device control software: 

  1. Endpoint Protector Device Control EDITOR’S CHOICE This package accesses each endpoint across the network and takes control of its USB and peripheral ports. The system identifies each device as it connects and selectively allows or blocks its use, which can be linked to a specific user account. Implemented as a cloud service or as a virtual appliance. Access the free demo.
  2. ManageEngine Device Control Plus (FREE TRIAL) This on-premises package will manage the peripheral devices on multiple endpoints across the network for data loss prevention. Runs on Windows Server. Start a 30-day free trial.
  3. CrowdStrike Falcon Device Control A cloud-based system that operates through agents for Windows and macOS to assess and control USB devices attached to corporate desktops.
  4. Digital Guardian DLP This cloud platform includes monitors endpoints and networks to control data movements, and it is also able to enroll cloud services into its protection system. In addition, it contains peripheral devices, including USB ports, emails, printers, faxes, and file transfer utilities to manage authorized data movements. Agents are available for Windows, macOS, and Linux.
  5. Teramind DLP This cloud package offers threat detection and employee performance tracking as well as data loss prevention. In addition, the system includes controls over data exfiltration points through its endpoint agents.

You can read more about each of these options in the following sections.

Device control doesn’t just involve blocking all data movements onto those peripherals or disabling the interfaces – although those are two strategies that you could take. Instead, sophisticated device control lets some people move certain data types onto peripheral devices—the rules over who can move which data can be a complicated matrix of user groups and classes.

The foundations of device control

Device control doesn’t operate in isolation. That matrix of who can move what data has to be set up. Systems that include device control software also include automated methods to help build up that rule base, known as “security policies.”

A business can operate just one security policy. However, that is rare. So instead, the device control rule base is made up of a list of security policies.

To define a security policy, you need a user group from the access rights management system operating on the protected system and a list of data types.

The purpose of device control

Data loss prevention systems and their device control mechanisms are needed to prevent data theft. All of the data you hold on your system is necessary – otherwise, it would be deleted. Not only is that helpful information, but it has value. Although it might just be working data for your business that enables the enterprise to make money through its products, that data itself can earn money by itself for other people.

Many data thieves already have a high-paying buyer in mind – your company. News of the loss of data can severely damage the reputation of a business and lose sales and contracts. Paying thieves to keep quiet about the disclosure is often the cheapest way to deal with a data loss event.

If your business stores information on private individuals, called personally identifiable information (PII), it must comply with data privacy standards. Failure to protect PII can lead to fines, and it also exposes the business to litigation from those individuals to whom the stolen data relates.

Businesses that hold PII have to ensure that their suppliers that might need to process or store their PII are compliant with the relevant standard. Thus, if a data theft occurs and knowledge of that slip becomes public, your business would lose all of its contracts with companies following data privacy standards.

There are industry-wide standards in force in the USA and elsewhere that your company might need to follow. Examples of these are the Payment Card Industry Data Security Standard (PCI DSS) for the credit card payment processors and the Health Insurance Portability and Accountability Act (HIPAA), which pertains to the healthcare sector.

There are also location-specific standards. Examples of these are the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). In these cases, there are also rules to follow over the location where data is stored and the location where those accessing the information are situated.

Creating security policies

The security policies that dictate how device controls should behave require a list of data instances that are deemed to be sensitive and a clean set of access permissions. Therefore, it is necessary to use an eDiscovery service to discover all data locations and then sort out which instances are sensitive, need to be protected, and do not need to be included in the program.

Implementing device controls over data also requires a more acceptable grade of access rights. Existing user groups in your access rights management system need to be split out so that users can be given access to just a specific type of sensitive data and possibly also just in one particular location. This access rights organizing task requires an auditing function.

Implementing device controls

The main focus of device controls is those peripherals that connect directly to the computer via a port. These days, USB connectors tend to dominate, and so USB devices are particularly of interest. Naturally, this category of devices includes memory sticks. In addition, however, some consumer products have a memory card and can connect via a USB port, such as digital cameras.

Peripheral devices don’t always have to connect directly to the computer by a cable. It is also possible to network these devices so that they can be shared among several computers. Devices in this category include printers and fax machines.

Typically, device controls extend to complete control of all data exfiltration channels. So, these tools also scan email attachments and chat apps. In addition, they will also constantly monitor network traffic for file transfer protocols, such as FTP and the secure versions, SFTP and FTPS. Unfortunately, secure transfer protocols protect the contents of the transfers with encryption, so the actual data payload of this traffic cannot be read. However, data loss protection systems can control access to the interfaces that launch these transfer systems.

The Best Device Control Software

It is rare to install a standalone device control tool because the groundwork that enables these systems to function is also required. Packages that include device control and all research functions that build up security policies are called data loss prevention systems.

Our methodology for selecting device control software

We reviewed the market for data loss prevention systems and analyzed tools based on the following criteria:

  • A function that will scan all data exfiltration channels
  • A supporting system of continuous sensitive data discovery and classification
  • An auditor that reorganizes access rights management structures
  • A library of pre-set controls for specific data privacy standards compliance
  • Endpoint agents for all the major operating systems
  • A no-cost assessment opportunity through a free trial or a demo system
  • Value for money that provides a fully functional device control system as part of a data loss prevention package

We have created a list of suitable protection systems for sensitive data with these selection criteria in mind.

1. Endpoint Protector (GET DEMO)

Endpoint Protector

Endpoint Protector combines threat detection with data loss prevention (DLP). The core of the DLP system is device control. The controls are implemented through the access rights manager operating on the protected system and an eDiscovery system.

Key Features:

  • Blocks All Peripheral Devices: A default ban on devices
  • Allowlisting: An administrator can permit a specific device, identified by its serial number
  • Multi-Level Approval: Choose to permit a device for use on a specific device or any device
  • Managed Through Endpoint Agents: Available for Windows, macOS, and Linux
  • Central Control Dashboard: Hosted in the cloud

Why do we recommend it?

Endpoint Protector Device Control blocks all USB ports on all protected endpoints and then allows an administrator to permit specific devices to connect. That permission can relate to all computers, to a specific computer, or only for use by a specified user on all or on a specific computer.

The Endpoint Protector system is controlled from a central server and implemented through endpoint agents. These agents are available for Windows, macOS, and Linux. They can continue controls on peripherals and other data-related activity even when the endpoint is offline and uncontactable by the Endpoint Protector server.

The user accesses the dashboard for the DLP and sets up security policies, and it is possible to specify settings that implement specific data privacy standards by selecting a template. The server audits the on-site access rights manager and creates user groups that coordinate with the sensitive data categories that Endpoint Protector uses.

With these foundations in place, the Endpoint Protector server searches the network and discovers all endpoints. It then installs the agent programs and scans the devices for peripheral ports. If any devices are connected, they are logged. However, the agent will continue to watch and will spot new devices when they attach. The system will also monitor email and chat systems, file transfer utilities, and connections to printers and faxes.

The agents scan for data and identify those instances that are sensitive. These are then categorized for controls. With this task completed, data protection can begin. The data discovery cycle continues to operate, logging all new instances for protection.

Endpoint Protector is a good choice for a device control tool. It combines a local module for immediate controls, even offline, with a central coordinating server that spreads security policies across the enterprise. In addition, this system offers a range of deployment options from SaaS to cloud service and virtual appliance. Endpoint agents for Windows, macOS, and Linux cover all office systems.

Who is it recommended for?

This tool requires an agent on each computer but it operates as a remote management tool. Therefore, it can be used to control all computers in an organization even across sites. This system is part of a wider platform of malware protection. Any size of business could use this system.


  • Controls Peripheral Devices Attached to Endpoints: Also manages networked printers and faxes
  • Monitors Data Movements: Scans emails, chat apps, and file transfer utilities
  • Includes a Discovery and Classification System: Protection for sensitive data
  • Audits Access Rights Permissions: A USB can be approved for use by a specific user
  • Offers Templates for Standards Compliance Security Policies: For PCI DSS, HIPAA, NIST, ISO 9001, and GDPR


  • Would be Beneficial to Have Data Throughput Throttling: Or limits per device or per user

Endpoint Protector is offered as a hosted SaaS platform and is also available as a service on AWS, GCP, and Azure. Alternatively, you can install the software package on-site over a VM. You can assess Endpoint Protector by accessing a free demo.


Endpoint Protector Device Control is our top pick for a device control tool because it provides an administrator with a central console to manage the ports on all endpoints. The system gives you control over USB ports and other sockets for peripheral devices, such as printers. The service is able to apply your DLP data access policies, allowing only specific users to deploy specific USBs on specific devices. Alternatively, you can approve a USB device by serial number for use on any device on the network.

Official Site:

OS: AWS, Azure, GCP, SaaS, or VM

2. ManageEngine Device Control Plus (FREE TRIAL)

ManageEngine Device Control Plus

ManageEngine Device Control Plus is a networked solution that can manage USB devices and other peripherals on a fleet of endpoints from a central console. This system scans all endpoints constantly and knows when a new device attaches. The software controls the ports on an endpoint and will block any device that hasn’t been approved. The administrator can approve a device from the central console but the endpoint user doesn’t have that power.

Key Features:

  • Role-Based Access Controls: Allow a specific peripheral to be deployed by a group of users
  • Malware Protection: Blocks executables from running from a USB
  • File Type Controls: Blocks specific file types from being copied off a peripheral device
  • Activity Logging: Scan for insider threats

Why do we recommend it?

ManageEngine Device Control Plus is a similar system to Endpoint Protector Device Control. This tool creates a permissions structure that relates to the handling of data by users on devices. This is because it is intended for use as part of a sensitive data protection system.

For the purposes of controls, the definition of a device is anything that connects directly to an endpoint. So, a printer that is connected to an endpoint would be controlled by this tool but a printer that is networked and treated as an independent endpoint would not. This is because networked devices can be controlled through typical network security processes but directly tethered equipment cannot. The device control system needs to access the port controls of the endpoint in order to supervise activities.

The main purpose of Device Control Plus is to manage data access. The biggest issue in a modern office lies with users transferring data onto a USB memory stick. This action might be a valid procedure and part of the business’s working practices, so Device Control Plus can be tuned to allow certain actions as long as they are performed by authorized users. So, there is a user account privilege section in the dashboard for Device Control Plus that lets you define user accounts and groups of users and specify their security clearances.

Who is it recommended for?

This system is designed for use by companies that manage sensitive data. It is suitable for businesses of all sizes and small companies will be pleased to learn that there is a Free edition that will manage USB slots on 25 computers. This is an on-premises package that will operate across a network.


  • Granular Data Movement Controls: Block, allow and log, or allow
  • A Process for Defining Allowed Devices: All are blocked by default
  • Operates Through an Endpoint Agent: Available for Windows and macOS


  • No Sensitive Data Discovery and Classification Process: Partner the tool with ManageEngine Endpoint DLP Plus for that

ManageEngine Device Control Plus runs on Windows Server and it will check on the peripheral connected to endpoints running Windows and macOS. There is a Free edition that will monitor 25 endpoints. You can get a 30-day free trial of the paid version, which is called the Professional Edition.

ManageEngine Device Control Plus Start 30-day FREE Trial

3. CrowdStrike Falcon Device Control

CrowdStrike Falcon Device Control Prevent

CrowdStrike Falcon Device Control operates from the cloud but it installs a device agent on each endpoint that is enrolled in the protection system. These arents are available for Windows and macOS. The tool can be used individually or in combination with Falcon Insight, which is a coordinated, endpoint detection and response system. Users of Falcon Insight get better visibility across all devices that reaches all the way down to individual USB slots.

Key Features:

  • Central Cloud-Based Dashboard: Provides an administration console
  • Insider Threat Detection: Examines each user’s activities
  • Sensitive Data Tagging: Uses Microsoft sensitivity labels

Why do we recommend it?

CrowdStrike Falcon Device Control is designed to implement a data loss prevention strategy. This is an extension to the Falcon suite of antimalware and threat detection systems. Falcon is packaged in bundles of tools with the base service being its on-device anti-virus system, called Falcon Prevent.

The first action of the tool is to scan all USB slots and register in the dashboard any USB devices that get connected. The Device Control system scans the attached device and extracts its specifications.

The administrator needs to set up a policy for USB devices, which can be applied differently per endpoint or can be allocated to a group of endpoints, or all endpoints. The options available within a policy are to block all devices, allow read-only access, read, and write, or read, write, and execute.

Once the Falcon Device Control system is operating for an endpoint, the tool will log all events related to USB devices, noting the date and time, the device serial number, and the action that occurred.

If you also subscribe to CrowdStrike Falcon Insight, the screens for the Device Control module are integrated into the Insight console. The package of both tools will also unify live status statistics and activity reporting.

Who is it recommended for?

In order to use the Device Control unit, you must also have the Falcon Prevent system installed on each device. The Device Control system is an add-on rather than a standalone package. It can also be integrated into the Falcon Insight XDR, which provides threat detection and automated response.


  • Multi-Level Controls: Options to apply a policy per endpoint, for a group, or for all endpoints
  • Operates Through Endpoint Agents: Available for Windows and macOS
  • Logs All USB-Related Activity: Useful for compliance auditing


  • Doesn’t Include its Own Sensitive Data Discovery System: Relies on third-party tools

4. Digital Guardian DLP

Digital Guardian Endpoint DLP

Digital Guardian DLP is a cloud-based service that provides all of the elements of data loss prevention, including device control. As with the classic DLP strategy, rules are applied according to security policies formulated regarding access rights and sensitive data classification. In addition, the package performs both access rights auditing and continuous data discovery and classification service to support these requirements.

Key Features:

  • Device Control: Part of a wider data loss prevention package
  • SaaS Platform: Also available as a managed service
  • Access Rights Auditing: Spots abandoned accounts and overgenerous permissions

Why do we recommend it?

Digital Guardian DLP is a coordinator of third-party tools. The system doesn’t implement threat hunting but instead, relies on an external SIEM, to which the Digital Guardian system channels activity assessments from its endpoint agents. The service also operates through a proprietary network device. Endpoint agents report on USB port activity.

This service can unify the security monitoring of multiple sites and cloud resources. On-site devices are controlled by endpoint agents, which are available for Windows, macOS, and Linux. The Digital Guardian DLP system also implements network monitoring to catch unauthorized data transfers through email and file transfer services. This system aims to protect intellectual property as well as PII.

The service monitors USB ports, detecting whenever devices are connected. It will also scan connections to printers and faxes. Digital Guardian also includes a threat detection system that identifies insider threats and accounts takeover. You can assess the platform with a demo account.

Who is it recommended for?

Digital Guardian’s power lies in its endpoint agents and network device for activity monitoring. It can be used to impose a corporate security policy across all devices, including removable storage. The service requires the presence of a third-party SIEM for threat hunting and so this is a solution for larger businesses.


  • Operates Through Endpoint Agents: Available for Windows, Linux, and macOS
  • Data Discovery and Classification: Built into the package
  • Offers a Library of Security Policy Templates: These can implement compliance with specific data privacy standards


  • The Price is Kept Secret: You need to contact the company to get a quote

5. Teramind DLP

Teramind DLP

Teramind DLP offers three stages of protection. The data loss prevention system of Teramind is available in its highest plan. The lower plans are the Starter package, which provides user monitoring, and UAM, a user activity monitor looking for insider threats and account takeover. Each higher program includes the services of all lower editions, so you get user activity monitoring and user assessments in with the DLP plan.

Key Features:

  • Monitors User Activities: Services to track employee productivity
  • Track All File Movements: Including copying onto USBs
  • Compliance Management: For GDPR, HIPAA, ISO 27001, and PCI DSS

Why do we recommend it?

Teramind DLP focuses on user activity tracking. The base package of Teramind just tracks users and higher plans add on data protection security policy management. This system will track all fine activity, including transfers onto USB devices. Those actions can be automatically blocked and only allowed for specified users with files containing a particular category of data.

The DLP system is suitable for businesses that comply with GDPR, HIPAA, ISO 27001, and PCI DSS. The service scans for instances of sensitive data and then categorizes them. This is the basis for the service’s security policies implemented through file integrity monitoring and device controls.

Teramind takes an inside-out approach to data controls because it tracks all users’ activities as its base process. It looks for abnormal behavior and applies those detection rules to the use of data in the system. In addition, the service includes a risk assessor and a data analysis service that helps you work out how you can better organize your security policies and data storage systems to improve efficiency while tightening security.

Teramind is a cloud service, and it also has an on-premises version. The SaaS package requires an endpoint agent to be installed on-site. These are available for Windows and macOS but not for Linux. However, the endpoint programs can run on VM. The on-premises version operates as a virtual appliance.  You can assess the Teramind DLP system with a 14-day free trial.

Who is it recommended for?

Teramind is focused on user activity and has specialized modules for tracking remote users. So, distributed companies that operate virtual offices will particularly benefit from this package. The DLP service is designed for use by businesses that manage sensitive data. The system is available as a SaaS package or for on-premises installation.


  • Deployment Options: SaaS platform or on-premises installation
  • Includes a Sensitive Data Discovery and Classification Service: Focuses activity logging on important files
  • Risk Assessors: Enables incident analysis


  • No Software for Linux: The on-premises software package is available for Windows and macOS