I am currently looking into allowing a single device for a certain set of people.
My current setup is as follows:
Device Definition named "All Devices" which uses the Bus Type parameter with USB selected.
Device Definition named "USB Microscope" which uses the Compatible ID of a USB Microscope I want to allow (note: I have used this compatible ID in a Whitelisted Plug and Play Definition and it was unblocked for all users successfully).
User Assignment group called "Microscope Users" which includes the members of an Active Directory Group of the same name.
User Assignment group called "All Users" which excludes the "Microscope Users" group.
Device Rule called "Block All" which includes both of the above Device Definitions to block and monitor, and is applied to the All Users assignment group.
Device Rule called "Block All ex Microscopes" which includes the "All Devices" definition to block and monitor but excludes the "USB Microscope" definition, and is applied to the "Microscope Users" assignment group.
I was hoping this would mean that anyone in the Microscope Users group will be allowed to use the Microscope, however the device remains blocked, and I have uploaded the events from my test PC to the EPO DLP Incident Manager and can see that it is being blocked by the Block All rule.
Now I'm stumped - my test user shouldn't have the Block All rule applied to it as it is a member of the Microscope Users group.
Have I completely misunderstood how this works, and am I trying to use DLP in a way it wasn't designed for? If so, how on earth do I do this? I simply want to allow a specific device (or devices as new ones are bought) for a list of users and nobody else.