Skip to content

Devices Egress Tests (DM-DEVICE)

Validate that device-based egress channels (printers, removable storage/USB, camera, microphone, Bluetooth/NFC) cannot exfiltrate data when policy denies it.

Objectives

  • Enforce device deny posture for sensitive environments.
  • Verify optional watermarking/attribution when printing is permitted.

Controls Under Test

  • Device controls (printers, removable media, camera/mic, Bluetooth/NFC).

Canonical Tests

IDThreat / ScenarioUniversal ProcedureExpected Outcome & Audit
DM-DEVICE-01Print to Local/Virtual PDFInitiate print of a sensitive document to a local/virtual PDF device from an app inside the Sandbox.Pass: Print is blocked (or watermarked per policy).
Audit: category: "device", device.type: "printer", action: "deny" (or process with watermarkTemplateUsed), rule.id, integrity.hash.
DM-DEVICE-02USB Mass Storage Write/ExportConnect a removable USB mass storage device. Inside the Sandbox, attempt to export or write a file to the device.Pass: Access is denied; no data is written.
Audit: category: "device", device.type: "storage", device.class: "usbMassStorage", action: "deny", bytesWritten: 0, rule.id, integrity.hash.
DM-DEVICE-03Camera/Microphone StreamingAttempt to start camera/mic in an app that can record/stream.Pass: Device access denied unless explicitly allowed.
Audit: category: "device", `device.type: "camera"
DM-DEVICE-04Bluetooth/NFC TransferAttempt to transfer/beaming a file via Bluetooth/NFC from inside the Sandbox.Pass: Operation blocked.
Audit: category: "device", `device.type: "bluetooth"
DM-DEVICE-05Removable Storage Attach (Enumeration Denied)Attach a USB removable storage device while the policy denies removable storage. Validate whether the device enumerates inside the Sandbox.Pass: Attach is blocked or not exposed to the Sandbox; device is not enumerated/mounted inside the container.
Audit: category: "device", device.type: "storage", device.class: "usbMassStorage", eventType: "attach", action: "deny" (or exposure suppressed), vendorId, productId, serial (when available), rule.id, integrity.hash.
DM-DEVICE-06Removable Storage Detach (Cleanup/Safe Removal)Safely eject or physically remove the USB device after attempted use. Verify Sandbox handle cleanup and absence of dangling mounts.Pass: Cleanup completes; no open handles or mounts remain; no residual access after detach.
Audit: category: "device", device.type: "storage", device.class: "usbMassStorage", eventType: "detach", action: "process", cleanup: "success", bytesWritten: 0, openHandles: 0, rule.id, integrity.hash.
DM-DEVICE-PRINT-01Printer Enumeration BlockedWith device-level printer restrictions enabled, open a print dialog in a simple app (for example, Notepad).Pass: No printers are enumerated/available inside the Sandbox.
Audit: category: "device", device.type: "printer", action: "deny" (or exposure suppressed), rule.id, integrity.hash.
DM-DEVICE-PRINT-02Print Job DeniedWith restrictions enabled, attempt to print any document to a local/virtual device.Pass: Print job is denied; no spooled output.
Audit: category: "device", device.type: "printer", action: "deny", bytesWritten: 0, rule.id, integrity.hash.

Evidence Requirements

  • Include the Golden Fields: category, action, rule.id, integrity.hash.
  • For removable storage, prefer: device.type ("storage"), device.class ("usbMassStorage"), eventType (attach/detach), and identifiers (vendorId, productId, serial) when available.

Troubleshooting

  • Validate device enumeration inside the Sandbox reflects policy (for example, printers list is empty when blocked; removable storage does not appear as a mount or drive).
  • Confirm runtime/device settings are applied via policy flags; ensure no per-app overrides enable devices.
  • For USB tests, verify host policies do not mask Sandbox behavior (host OS-level blocks vs Sandbox denies).

Known Limitations & Negative Space

  • Optical print to paper cannot be technically prevented; use watermarking and physical controls as compensating measures.
  • Some virtual devices can masquerade as allowed classes; keep allowlists minimal and validate device identifiers.