Showing results for 
Search instead for 
Did you mean: 
Level 11
Report Inappropriate Content
Message 1 of 2

DLP USB blocking

Hi All,

We are trying the achieve the following using Host DLP create a OU group in Active directory which contains (called GROUP_ENG for the 140 engineers).  After which, we turn off GPO on those users and let DLP to take over the USB control

Use cases:

Can you please confirm if DLP can have the concept of groups.  Group 1: Only MBed/EVkits allow( USB kits used by our engineers internally) Group 2: MBed/EVkits + all USB access allow.  Group 3: No USB access

Can this be achieved ? Your suggestion/help will be much appreciated.


1 Reply

Re: DLP USB blocking

You could do this many ways but one way is as follows using your DLP defined user groups:

Ruleset 1 containing:

     Rule 1 - Block USB for all users. Exceptions for Device Definition for MBed/EVKits and Group 2 Users

     Rule 2 - Block Device Definition for MBed/EVKits for all users except for Group 1 Users and Group 2 Users

In tab form this gives you

RuleMbed/EVKits Group 1
MBed/EVKits + All USB Group 2USB Blocked Group 3
Can access non MBed/EVkits USB DevicesFalse (rule 1)True (rule 1)False (rule 1)
Can access MBed/EVKitsTrue (Combination rule 1 & 2)True (rule 2)False (Combination rule 1/rule 2)**

** Rule 1 allows access but Rule 2 blocks.

Least privilege wins in this case so blocked.

Obviously I cannot test but should do what you are looking for. Hopefully there's no glaringly obvious logic flaws (but I'm sure someone will point out if so!)