
DLP USB block exceptions applied to Groups

Hello,

I have set a rule to block all USB devices and now I'm working on exceptions. I need to allow specific groups to access specific devices, but apparently it only lets me select user/s.
I absolutely need to select AD Groups as I have thousands of users in my environment.
I also tried to create a rule set for everyone and it actually blocks USB devices, but when I specify a device serial number in the exceptions it allows all the USB devices. If I use only one rule set and a specific user in the exceptions next to the device serial number, it works. If I select a group, it doesn't.

Working but need to add any single user:

https://ibb.co/bZYsa7

https://ibb.co/buu12n

 

Not Working:

https://ibb.co/jmfVv7

9 Replies
Daniel_S
Message 2 of 10

Re: DLP USB block exceptions applied to Groups

As for your first problem:
Why don't you create new user groups in your AD that are used to define whether a user is blocked for something or not, and then put the users in the corresponding groups? Then you can refer to these groups under the "Condition" tab instead of the "Exception" tab.

As for your 2nd question, I think you need to create device templates containing your serial numbers instead. Without knowing it, I would guess you used "Exclude Serial Number & User Pairs"?

Best regards
Dan

Re: DLP USB block exceptions applied to Groups

As a normal condition I need to block all USB devices for all the users, then I'll permit only specific devices to be used by specific users of specific groups. Yes, I used "Exclude Serial Number & User Pairs", but it only works for specific users, I guess, right?

Daniel_S
Message 4 of 10

Re: DLP USB block exceptions applied to Groups

You would need to create several rules that include your groups and the corresponding serial numbers and do nothing as action.

You would need to have as many groups in your AD as you would have different rules for different serial numbers, though.

Best regards
Dan

Re: DLP USB block exceptions applied to Groups

You mean that I need to create a rule denying access to USB devices and then another rule for each group to allow a specific serial number, selecting allow as the reaction?

Could you provide a practical example, please? I need to figure out how to organize the rule sets.

Re: DLP USB block exceptions applied to Groups

If I create a rule for each group allowing a specific device, it doesn't block all the others. If I create a policy which blocks all USB devices and another policy which allows a specific USB device, the first policy wins and it blocks all USB devices anyway.

Daniel_S
Message 7 of 10

Re: DLP USB block exceptions applied to Groups

I just had a look to verify and you seem to be right.

They are lacking the feature of saying "is not" in the definitions or exclusions. This is **bleep** **bleep**ty.

The problem here is to exclude certain devices only for certain people. If it was global exclusions it would work.

Maybe you want to open a case with the support?

Best regards
Dan

Re: DLP USB block exceptions applied to Groups

I probably solved the issue: I created a rule for each group saying block all USB devices and enabled Exceptions Device Definitions > Device serial number, and it's working correctly.

Daniel_S
Message 9 of 10

Re: DLP USB block exceptions applied to Groups

Perfect then.

But a lot of manual work.

Best regards
Dan

Re: DLP USB block exceptions applied to Groups

Yes, you basically need to create a record in device definition for each single device and a rule for each single group or single user, but I don't see any other way.
