We are trying to achieve the following using Host DLP: create an OU group in Active Directory (called GROUP_ENG) which contains the 140 engineers. After that, we turn off GPO on those users and let DLP take over the USB control.
Can you please confirm whether DLP can have the concept of groups?
Group 1: Only MBed/EVkits allowed (USB kits used by our engineers internally).
Group 2: MBed/EVkits + all USB access allowed.
Group 3: No USB access.
Can this be achieved? Your suggestion/help will be much appreciated.
You could do this many ways but one way is as follows using your DLP defined user groups:
Ruleset 1 containing:
Rule 1 - Block USB for all users. Exceptions for Device Definition for MBed/EVKits and Group 2 Users
Rule 2 - Block Device Definition for MBed/EVKits for all users except for Group 1 Users and Group 2 Users
In tab form this gives you:

| Rule | MBed/EVKits Group 1 | MBed/EVKits + All USB Group 2 | USB Blocked Group 3 |
|---|---|---|---|
| Can access non MBed/EVkits USB Devices | False (rule 1) | True (rule 1) | False (rule 1) |
| Can access MBed/EVKits | True (Combination rule 1 & 2) | True (rule 2) | False (Combination rule 1/rule 2)** |

** Rule 1 allows access but Rule 2 blocks.
Least privilege wins in this case so blocked.
Obviously I cannot test, but this should do what you are looking for. Hopefully there are no glaringly obvious logic flaws (but I'm sure someone will point it out if so!)
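
The ruleset above can be checked on paper before it is built in the console. The following is an added example, not part of the original thread and not the DLP product's own evaluation logic: it models the two block rules with their exceptions and assumes that any matching block rule wins. The group names, device labels and function names are hypothetical.

```python
from dataclasses import dataclass

MBED = "mbed_evkit"   # hypothetical label: matches the MBed/EVKits device definition
OTHER = "other_usb"   # hypothetical label: any other USB device
GROUPS = ("group1", "group2", "group3")


@dataclass(frozen=True)
class BlockRule:
    name: str
    devices: frozenset          # device classes the rule applies to
    exempt_devices: frozenset   # device-definition exceptions
    exempt_groups: frozenset    # user-group exceptions

    def blocks(self, group, device):
        """True if this rule blocks `device` for a user in `group`."""
        if device not in self.devices:
            return False
        return not (device in self.exempt_devices or group in self.exempt_groups)


# Rule 1: block USB for all users, except the MBed/EVKits definition and Group 2.
# Rule 2: block MBed/EVKits for all users, except Group 1 and Group 2.
RULESET = (
    BlockRule("rule 1", frozenset({MBED, OTHER}), frozenset({MBED}), frozenset({"group2"})),
    BlockRule("rule 2", frozenset({MBED}), frozenset(), frozenset({"group1", "group2"})),
)


def evaluate(group, device, rules=RULESET):
    """Return (allowed, blocking_rule_names); a single block is enough to deny."""
    hits = [r.name for r in rules if r.blocks(group, device)]
    return (not hits, hits)


def access_matrix(rules=RULESET):
    """Access decision for every group/device pair, as in the table above."""
    return {(g, d): evaluate(g, d, rules) for g in GROUPS for d in (OTHER, MBED)}


if __name__ == "__main__":
    for (group, device), (allowed, hits) in access_matrix().items():
        verdict = "allow" if allowed else "block by " + ", ".join(hits)
        print(f"{group:7} {device:11} {verdict}")
    # Without rule 2, rule 1's device exception would let Group 3 use the kits.
    print("group3 kit access with rule 1 only:", evaluate("group3", MBED, RULESET[:1])[0])
```

A user who is in none of the three groups gets the same result as Group 3 in this model, since neither exception applies.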