Hi all, I'm hoping someone can shed some light on how best to add device control exceptions to a rule-set.
We currently have a rule-set in place which will make all removable media Read-Only except for devices which are covered by a device definition. The current device definition is a Device Template and uses the Device Friendly Name as the identifier. All works as intended. I now have to add another device definition to the same policy. Both definitions encompass devices from the same manufacturer however the most recent batch of devices do not have a property set for the Device Friendly Name. So at this point I've looked at using some of the alternative properties but struggling to find a suitable alternative. None of the alternative properties look to be particularly specific to this batch of removable media i.e. The Device Description value is USB Mass Storage Device which is not suitable.
Struggling to understand the purpose of a Device Class as it seems as if I cannot specify one within an exception.
Would anyone be able to shed some light on how best to manage multiple device definitions? What properties are others using? Could I configure this in an alternative way to make this easier?
Let me know if any further information is required.
Device classes are used for plug and play device rules which sounds like you are using a removable storage device rule and why it is not available for criteria.
As far as your new device definition for the exclusion goes it sounds like you already have an incident for the device you want to exclude - if that is the case the easiest way is:
1) Open incident manager
2) Select the incident that blocked the device you want to exclude (i.e. put a check mark in the box next to it)
3) Select Actions
4) Create device template
5) Removable storage device
It will auto populate a device definition for you. You can remove some of the criteria to make it more generic but hard to say what you should do without seeing your existing configuration and the device information being reported.
Note: The above steps were part of a feature enhancement added in DLPe 10.x but I don't recall specifically which version.
Hi Hhoang, many thanks for your response.
Good to know that I am able to create the exclusion based off of an existing incident - this is very handy to know.
Whilst looking at this a little further last night I noticed that I can specify a vendor ID and Product ID which will provide a relatively generic exclusion and I feel this would be considered suitable.
I am however hoping that we can begin pairing a device with a particular user (a decision for the business to make). This would be ideal as it enforces the device -> owner relationship that is recorded in our CMDB.