The device definitions were defined in the Device Definitions category in Device Management; similarly, the Device Rules were defined in the Device Definition category in Device Management.
Device definitions were defined as follows: Bus type and CD/DVD drives were chosen as the selected parameters. Only USB was selected in the Bus type parameter.
Device Definitions were defined as follows. Step 1: The device definition rules from above were included. Step 2: Block (online\offline), Monitor (online\offline) and Notify user (online\offline) were selected. Step 3: Was left blank initially, with just the privileged user set up by user account. The drives were not being blocked. A User Assignment group was then set up and used; it was set up by group as defined in Active Directory.
Basically, the mistake with McAfee DLP is the method of enforcement. You need to decide which one is more effective for you: computer or user/group enforcement. If you try to use both, the result is a conflict and the policy does not work. My advice: start from the beginning. Delete the device rules and assignment groups. Recreate the rules.
1. For computer enforcement, leave "Assignment groups" empty (skip it) and create a policy for the DLP agent in the policy catalog. Select the created rules and apply the policy to the selected computers or group.
2. For AD user/group enforcement, select "Assignment group" in the Device rule creation wizard, click the apply button in the DLP management interface and do NOT change the policy for the DLP Agent.
3. Send a wakeup to the clients.
PS: Changes made in "Agent Global configuration" are enforced just after a client reboot.