I have set a rule to block all USB devices and now I'm working on exceptions. I need to allow specific groups to access specific devices, but apparently it only lets me select user/s.
I absolutely need to select AD groups as I have thousands of users in my environment.
I also tried to create a rule set for everyone and it actually blocks USB devices, but when I specify a device serial number in the exceptions it allows all the USB devices. If I use only one rule set and a specific user in the exceptions next to the device serial number, it works. If I select a group, it doesn't.
Working but need to add any single user:
As for your first problem:
Why don't you create new user groups in your AD that are used to define if a user is blocked for something or not, and then put the users in the corresponding groups? So you can refer to these groups under the "Condition" tab instead of the "Exception" tab.
As for your 2nd question, I think you need to create device templates containing your serial numbers instead. Without knowing it, I would guess you used "Exclude Serial Number & User Pairs"?
As the normal condition I need to block all USB devices for all the users, then I'll permit only specific devices to be used by specific users of specific groups. Yes, I used "Exclude Serial Number & User Pairs", but it only works for specific users, I guess, right?
You would need to create several rules that include your groups and the corresponding serial numbers and do nothing as action.
You would need to have as many groups in your AD as you would have different rules for different serial numbers, though.
You mean that I need to create a rule denying access to USB devices and then another rule for each group to allow a specific serial number, selecting allow as the reaction?
Could you provide a practical example please? I need to figure out how to organize the rule sets.
If I create a rule for each group allowing a specific device, it doesn't block all the others. If I create a policy which blocks all USB devices and another policy which allows a specific USB device, the first policy wins and it blocks all USB devices anyway.
I just had a look to verify and you seem to be right.
They are lacking the feature of saying "is not" in the definitions or exclusions. This is **bleep** **bleep**ty.
The problem here is to exclude certain devices only for certain people. If it were global exclusions, it would work.
Maybe you want to open a case with the support?
I probably solved the issue. I created a rule for each group saying block all USB devices and enabled Exceptions > Device Definitions > Device serial number, and it's working correctly.
Yes, you basically need to create a record in device definitions for each single device and a rule for each single group or single user, but I don't see any other way.