By default in Trusted Extensions, devices are protected by device allocation requirements. Users cannot use a device without being given explicit authorization to allocate devices, and an allocated device cannot be used by another user. A device in use at one label cannot be used at another label until it is deallocated from the first label and allocated at the second label.
To use a device, see How to Allocate a Device in Trusted Extensions.