
Device Control 9.1 multiple rules headache

Hi All,


Just when you think you have mastered the product another issue arises !!

I have a rule that says block everything USB for 'Everyone' unless you are in one of the following groups

Allowed_External_CD_Read/Write

Allowed_External_Hard drive

Allowed_External_Card reader

I have several other groups but the above are examples.

I then have another rule for External Hard drives that says Block all, excluding certain approved hard drives, if you are in 'Allowed_External_Hard drive'.

This works a treat. We drop users into the 'Allowed_External_CD_Read/Write' and they are allowed to use any of the approved CD burners.

But what happens when a user has an external hard drive AND a Card Reader?

If I put them in both groups Device Control is not clever enough to realise this. The Block all from the Card reader rule blocks the external hard drive and vice versa...

You see what I mean ? 🙂

What can I do to allow people to have more than one item to exclude? I want to be as granular as possible so do not want to merge too many products together.

Many thanks for reading


Superhoops

7 Replies
RacerX
Level 9
Message 2 of 8

Re: Device Control 9.1 multiple rules headache

I'm going to run into the same problem in the near future.  What happens if you have one "block all" rule with all external device groups excluded?

Re: Device Control 9.1 multiple rules headache

Hi,

Does anyone have an answer to this? I've got a similar problem, where users are members of more than one group it creates conflicts and blocks everything. Everyone I've spoken to at McAfee or the reseller says "that doesn't sound right" but no-one has been able to explain how to get around it. Seems that if there was a rule hierarchy it would all work fine!

Thanks

Chris.

JoeyMc
Level 10
Message 4 of 8

Re: Device Control 9.1 multiple rules headache

Sounds like maybe another group:

Allowed_External_HDD_and_CR and a separate rule?

Exclude that group from your other assignment groups.

Kind of messy but it should work.

Joey

Re: Device Control 9.1 multiple rules headache

That is what I had to do in the end. I had McAfee support and Professional services in and that is what we had to settle on. It's mad!

I now have lots of rules for example ..

allow cd write but block everything else

allow camera but block everything else

when a user wants both devices I create a new rule called

Allow cd write and camera but block everything else

I then also create a new AD group called allowed cd write and camera to assign to this rule

I then make sure that group is excluded from the main block all rule.

The trouble I have now is I have a user who wants three different device types! I am not sure when it's going to end 😞

JoeyMc
Level 10
Message 6 of 8

Re: Device Control 9.1 multiple rules headache

On a side note... I recently realized that Apple iPad/iPhone get recognized as Imaging Device... If you want to block them you have to make a rule for imaging devices.

Re: Device Control 9.1 multiple rules headache

Thanks for the responses.

I think we're going to end up creating a hierarchy of devices, for example, level zero users get nothing. Level one users get digital cameras. Level two get digital cameras and USB memory sticks. Level three get digital cameras, USB memory sticks and USB hard drives. That way we just need to make sure that no-one is in more than one group, and we're controlling access by serial number of these devices anyway, so even if someone has digital camera access they won't be able to use it without the actual camera that is allowed.

Does this seem realistic to anyone who has actually done it?

Cheers

Chris


Re: Device Control 9.1 multiple rules headache

You need to exclude the allowed users from the block everyone rule and create new rules for them.  DLP will always perform the most restrictive action.  In this case that would be to block everyone.
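The behaviour described in this thread, modelled as an added example (not McAfee's code and not written by any poster): it assumes every rule that applies to a user is evaluated and a single blocking rule wins, as the last reply states. The device-class labels and the names `Rule`, `is_allowed`, `build_policy` and `combination_groups` are hypothetical; the subset count generalizes the combined-group workaround beyond the two-device case.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Rule:
    name: str
    applies_to: frozenset              # groups the rule is assigned to
    excluded: frozenset = frozenset()  # groups exempted from the rule
    allowed: frozenset = frozenset()   # device classes the rule does not block

def is_allowed(rules, user_groups, device):
    """Assumed semantics: every rule that applies to the user is evaluated,
    and a single blocking rule is enough to block the device."""
    groups = frozenset(user_groups)
    applicable = [r for r in rules
                  if r.applies_to & groups and not r.excluded & groups]
    return all(device in r.allowed for r in applicable)

def build_policy(grants):
    """grants maps a group name to the device classes that group may use."""
    block_all = Rule("Block all", frozenset({"Everyone"}),
                     excluded=frozenset(grants))
    per_group = [Rule(f"Allow only {sorted(devs)}", frozenset({group}),
                      allowed=frozenset(devs))
                 for group, devs in grants.items()]
    return [block_all] + per_group

def combination_groups(device_classes):
    """Every non-empty subset needs its own group and rule: 2**n - 1 in total."""
    classes = sorted(device_classes)
    return [set(c) for k in range(1, len(classes) + 1)
            for c in combinations(classes, k)]

# Group names are taken from the thread; device-class labels are constructed.
HDD, CR = "Allowed_External_Hard drive", "Allowed_External_Card reader"
COMBO = "Allowed_External_HDD_and_CR"
SEPARATE = build_policy({HDD: {"hdd"}, CR: {"card_reader"}})
COMBINED = build_policy({HDD: {"hdd"}, CR: {"card_reader"},
                         COMBO: {"hdd", "card_reader"}})

if __name__ == "__main__":
    both = {"Everyone", HDD, CR}
    print("two groups, hdd:", is_allowed(SEPARATE, both, "hdd"))
    print("two groups, card reader:", is_allowed(SEPARATE, both, "card_reader"))
    print("combined group, hdd:", is_allowed(COMBINED, {"Everyone", COMBO}, "hdd"))
    print("groups needed for 3 classes:",
          len(combination_groups({"hdd", "card_reader", "cd_write"})))
```

In this model the user placed in both single-device groups is blocked on both devices, while a user placed only in the combined group is allowed both, at the cost of one group and rule per device combination.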
