Just when you think you have mastered the product another issue arises !!
I have a rule that says block everything USB for 'Everyone' unless you are in one of the following groups
I have several other groups but the above are examples.
I then has another rule for External Hard drives that says Block all , Excluding certain approved hard drives, if you are in 'Allowed_External_Hard drive'.
This works a treat. We drop users into the 'Allowed_External_CD_Read/Write' and they are allowed to use any of the approved CD burners.
But what happens when a user has an external hard drive AND a Card Reader.
If I put them in both groups Device Control is not clever enough to realise this. The Block all from he Card reader rule blocks the external hard drive and visa versa......
You see what I mean ? :-)
What can I do to allow people to have more then one item to exclude? I want to be as granular as possible so do not want to merge too many products together.
Many thanks for reading
I'm going to run into the same problem in the near future. What happens if you have one "block all" rule with all external device groups excluded?
does anyone have an answer to this? I've got a similar problem, where users are members of more than one group it creates conflicts and blocks everything. Everyone I've spoken to at Mcafee or the reseller says "that doesn't sound right" but no-one has been able to explain how to get around it. Seems that if there was a rule hierarchy it would all work fine!
Sounds like maybe another group:
Allowed_External_HDD_and_CR and a seperate rule?
Exclude that group from your other assignment groups.
Kind of messy but it should work.
that is what I had to do in the end. I had McAfee support and Professional services in and that is what we had to setlle on. It's mad !
I now have lots of rules for example ..
allow cd write but block everything else
allow camera but block everything else
when a user wants both devices I create a new rule called
Allow cd write and camera but block everything else
I then also create a new AD group called allowed cd write and camera to assign to this rule
I then make sure that group is exluded from the main block all rule.
The trouble I have now is I have user who wnats three different device types ! I am not sure when it's going to end :-(
On a side note... I recently realized that Apple ipad/iphone get recognized as Imaging Device... If you want to block them you have to make a rule for imaging devices.
Thanks for the responses.
I think we're going to end up creating a hierarchy of devices, for example, level zero users get nothing. Level one users get digital cameras. Level two get digital cameras and USB memory sticks. Level three get digital cameras, USB memory sticks and USB hard drives. That way we just need to make sure that no-one is in more than one group, and we're controlling access by serial number of these devices anyway, so even if someone has digital camera access they won't be able to use it without the actual camera that is allowed.
Does this seem realistic to anyone who has actually done it?
You need to excluded the allowed users from the block everyone rule and create new rules for them. DLP will always perform the most restrictive action. In this case that would be to block everyone.