DLP 9.3 desktop/laptop policy difference

Hi, we have DLP 9.3 installed and would like to do this: for user X we would like for USB ports to be disabled on desktop machine but enabled on laptop machine. Is there a way to do this?

Regards,

3 Replies

McAfee Employee hhoang
Message 2 of 4

Re: DLP 9.3 desktop/laptop policy difference

You can either create an Active Directory security group, assign your laptop users to this group, and use that group as a user group assignment for DLP -or- use computer assignment groups and apply that policy to systems that have a 'laptop' tag. You can create a system tree tag based on the 'isLaptop' value that is reported to EPO. McAfee agent 5.x and later should use battery power being present to determine whether or not a system is a laptop.

Re: DLP 9.3 desktop/laptop policy difference

Hi,

This part would interest me: "use computer assignment groups and apply that policy to systems that have a 'laptop' tag.  You can create a system tree tag based on the 'isLaptop' value that is reported to EPO.  McAfee agent 5.x and later should use battery power being present to determine whether or not a system is a laptop." But I haven't found a guide anywhere. Could you please (please, please) describe how to do this?

Thank you, regards

McAfee Employee hhoang
Message 4 of 4 (Accepted Solution)

Re: DLP 9.3 desktop/laptop policy difference

To clarify, computer assignment group policies (CAG) will take precedence over user assignment groups (UAG). So, if you have a need for user-specific reactions on laptops, this may not be the best solution for you.

To set up the tag: Menu > tag catalog

Follow along with the tag creation wizard; it should be pretty straightforward. When you get to the criteria tab, there will be an 'is laptop' value you can select from the left pane and set that to 'equals yes'. The evaluation tab determines when the tag analysis would be done - you would probably want this at every agent-to-server communication.

Configure your CAG: Menu > Policy catalog > DLP > Computer assignment group (edit)

Select all your rules that you want the policy to apply.

Apply the policy based on tag: Menu > Policy assignment rules > New assignment rule > Select 'system based rule' > select your DLP CAG policy to be applied > select the tag you created as the criteria
