This is going to be hard to explain fully but I will try, as McAfee are struggling to find a resolution.
We are running a DLP/EERM solution on USB sticks to essentially make them read only unless they are our own purchased sticks which we will distribute. I have set up rules in DLP based on the Product Number "and" volume label we have assigned to the sticks we use. Only sticks that match both are allowed through, all others are read only. Once they are passed through DLP EERM picks them up and they are encrypted.
I have successfully tested this on 4 users where it works seamlessly.
I was requested to set it up on the IT Director's laptop so he could see it working before we fine-tuned the policies etc. and rolled out the solution.... However....
When installed on the IT Director's machine, none of the USB sticks (all the same model) would initialize in EERM (initialization failed). On further investigation in the DLP monitor, the sticks were not being picked up in exactly the same way. Where it lists the specific information about the USB stick, the product number information was not listed when logged in as the IT Director, therefore the USB stick was being marked as read only and hence not able to initialize.
Again, what else is strange is that I can log onto the IT Director's machine as myself and all works OK. If I log onto my test machine (which works fine as me) as the IT Director, it again fails for the same reason.
He is in the same groups and has the same policies applied.
Does anyone have any ideas??
All of the software used is at the latest version, as we have had nothing but problems with the whole solution and each time we are told to upgrade first by McAfee support. That includes ePO, DLP, EERM and the Endpoint management console.
EERM-wise there's one thing I can suggest here, as far as the DLP-policies go, I have no clue.
Check to see if you and your director both get another AD Policy assigned. I've seen a customer reporting that if the Security policy "Device --> Allow formatting/ejecting of removable media" was set to Administrators only, it could not initialize. Myself I was not able to reproduce this here (still waiting for a VM to do so) but apparently changing this setting to allowing normal users to do this also, worked for them.
Might be worth giving a shot?
I don't think it's EERM related, as once something gets through the DLP it works OK.
It's up to tier III support now but based on their emails so far it looks like they don't have a clue......
I believe if you're logged in as an admin, you get to see the device ID, whereas as a general user you don't.
Windows prevents more info in the former case, so you'll need to define rules which encompass both situations.
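To narrow down the two suggestions above (the "Allowed to format and eject removable media" security option, and the admin-versus-standard-user difference in what device information is visible), it helps to capture the same facts from both accounts and diff the output. The script below is an added example written for this thread; it is not McAfee's tooling and not code from any of the posters. It assumes Windows PowerShell 3.0 or later, and it assumes the Security Options setting is stored in the AllocateDASD value under the Winlogon key with the Microsoft-documented mapping (0 = Administrators, 1 = Administrators and Power Users, 2 = Administrators and Interactive Users). Run it once as the user for whom the sticks initialize and once as the IT Director, with the same stick plugged in, and compare the policy line, the admin flag, and whether the USBSTOR path, serial and volume label are all populated.

```powershell
# Added example, not from the thread or from McAfee. Shows, for the current account,
# the format/eject policy and what Windows reports about attached USB disks so the
# DLP rule inputs (product identity and volume label) can be checked per user.

# Assumed mapping of the "Devices: Allowed to format and eject removable media"
# security option to the AllocateDASD registry value (per Microsoft's documentation).
$allocateDasd = (Get-ItemProperty `
    -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    -Name 'AllocateDASD' -ErrorAction SilentlyContinue).AllocateDASD

$policyMeaning = switch ("$allocateDasd") {
    '0'     { 'Administrators only' }
    '1'     { 'Administrators and Power Users' }
    '2'     { 'Administrators and Interactive Users' }
    default { 'Not set (defaults to Administrators only)' }
}

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

"Running as         : $($identity.Name)"
"Format/eject policy: $policyMeaning (AllocateDASD = '$allocateDasd')"
"Token is admin     : $isAdmin"

# Enumerate USB-attached disks and join each one to its logical volumes, so the
# hardware identity (USBSTOR instance path, model, serial) sits next to the
# volume label that the DLP rule also keys on.
$usbDisks = Get-CimInstance Win32_DiskDrive | Where-Object { $_.InterfaceType -eq 'USB' }
foreach ($disk in $usbDisks) {
    # WQL requires backslashes in the DeviceID (e.g. \\.\PHYSICALDRIVE1) to be escaped.
    $diskId = $disk.DeviceID.Replace('\', '\\')
    $partitions = Get-CimInstance -Query "ASSOCIATORS OF {Win32_DiskDrive.DeviceID='$diskId'} WHERE AssocClass=Win32_DiskDriveToDiskPartition"
    foreach ($part in $partitions) {
        $volumes = Get-CimInstance -Query "ASSOCIATORS OF {Win32_DiskPartition.DeviceID='$($part.DeviceID)'} WHERE AssocClass=Win32_LogicalDiskToPartition"
        foreach ($vol in $volumes) {
            [pscustomobject]@{
                Drive       = $vol.DeviceID
                VolumeLabel = $vol.VolumeName
                Model       = $disk.Model
                Serial      = $disk.SerialNumber
                PnPDeviceID = $disk.PNPDeviceID
            }
        }
    }
}
```

If the policy line differs between the two accounts, the AD/GPO setting mentioned above is the first thing to align. If the policy is identical but the serial or PnP path is blank only for the standard user, that supports the last reply's point, and the DLP rule needs a second match clause that works with the fields a non-admin session can actually see.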