
DLP USB blocking

Hi All,

We are trying to achieve the following using Host DLP: create an OU group in Active Directory which contains the 140 engineers (called GROUP_ENG). After which, we turn off GPO on those users and let DLP take over the USB control.

Use cases:

Can you please confirm if DLP can have the concept of groups?

Group 1: Only MBed/EVkits allowed (USB kits used by our engineers internally)

Group 2: MBed/EVkits + all USB access allowed

Group 3: No USB access

Can this be achieved? Your suggestion/help will be much appreciated.


1 Reply
Reliable Contributor chrisnlc

Re: DLP USB blocking

You could do this many ways but one way is as follows using your DLP defined user groups:

Ruleset 1 containing:

     Rule 1 - Block USB for all users. Exceptions for Device Definition for MBed/EVKits and Group 2 Users

     Rule 2 - Block Device Definition for MBed/EVKits for all users except for Group 1 Users and Group 2 Users

In tab form this gives you

| Rule | Mbed/EVKits Group 1 | MBed/EVKits + All USB Group 2 | USB Blocked Group 3 |
| --- | --- | --- | --- |
| Can access non MBed/EVkits USB Devices | False (rule 1) | True (rule 1) | False (rule 1) |
| Can access MBed/EVKits | True (Combination rule 1 & 2) | True (rule 2) | False (Combination rule 1/rule 2)** |

** Rule 1 allows access but Rule 2 blocks.

Least privilege wins in this case so blocked.

Obviously I cannot test but should do what you are looking for. Hopefully there's no glaringly obvious logic flaws (but I'm sure someone will point out if so!)
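
The ruleset in the reply above can be checked on paper with a small model. This is an added example, not part of the original reply and not McAfee DLP code; it assumes a block rule applies unless one of its exceptions matches and that a device is usable only when no rule blocks it, and the names `BlockRule`, `RULESET`, `can_access` and the "other USB" label are hypothetical.

```python
# Added illustration: a toy model of the two-rule ruleset, not McAfee DLP code.
# Assumption: a block rule applies unless one of its exceptions matches, and a
# device is usable only when no rule blocks it ("block wins").
from dataclasses import dataclass

KIT = "MBed/EVKits"      # device definition named in the reply
OTHER = "other USB"      # constructed label for any non-kit USB device


@dataclass(frozen=True)
class BlockRule:
    name: str
    devices: frozenset          # device classes the rule targets
    exempt_devices: frozenset   # device-definition exceptions
    exempt_groups: frozenset    # user-group exceptions

    def blocks(self, group, device):
        if device not in self.devices:
            return False
        if device in self.exempt_devices or group in self.exempt_groups:
            return False
        return True


RULESET = [
    BlockRule("Rule 1", frozenset({KIT, OTHER}), frozenset({KIT}), frozenset({"Group 2"})),
    BlockRule("Rule 2", frozenset({KIT}), frozenset(), frozenset({"Group 1", "Group 2"})),
]


def blocking_rules(group, device):
    """Names of the rules that block this group/device pair."""
    return [r.name for r in RULESET if r.blocks(group, device)]


def can_access(group, device):
    return not blocking_rules(group, device)


def access_matrix():
    groups = ("Group 1", "Group 2", "Group 3")
    return {(g, d): can_access(g, d) for g in groups for d in (OTHER, KIT)}


if __name__ == "__main__":
    for (group, device), allowed in access_matrix().items():
        verdict = "allow" if allowed else "block by " + ", ".join(blocking_rules(group, device))
        print(f"{group:8} {device:12} {verdict}")
```

Under these assumptions a user who is in neither Group 1 nor Group 2 is treated exactly like Group 3, so an engineer missing from the group definitions ends up blocked rather than allowed.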


