amunoz
Level 7

Device Control - Exclude Computers from Policy


Greetings. I am testing the Device Control piece of DLP 9.3. Here is what I am trying to do: I want to make CD\DVD drives read-only for all users, with one exception: we have a set of computers that need to be able to read and write CD\DVDs no matter which user is logged in.

Here is what I have done so far:

I created a Device Definition that looks for CD\DVD drives, then I created a Device Rule that performs the following actions: "Monitor, Notify User, and Read Only". I assigned this rule to a user assignment group that points to an AD group containing some AD users that I am testing with. This rule works fine; it does make the CD\DVD drives read-only.

The part that I need help with is how to exclude computers from this policy. Here is what I have done to test this piece. I created a new policy in the Policy Catalog under 'Data Loss Prevention 9.3.0.0:Policies' and made it a 'Computers Assignment Group'. In the settings of the policy I selected a Device Rule that I created that allows read-write access to CD\DVD drives. I then manually applied this policy to a PC that I am testing with. But when I log in to this PC with a user that has the read-only User Assignment Policy applied, it makes the CD\DVD drive read-only. It appears that it is not reading the Computer Assignment Group policy.

The install guide has the following regarding computer assignment groups:

"Computer assignment groups specify which computers are assigned which policies. You can use this feature to apply different policies to groups of computers in your network. When a computer group is assigned specific policies, those policies are enforced on the named computers, and user assignment groups in McAfee DLP Endpoint rules are lost.

Computer assignment groups is a feature of ePolicy Orchestrator. It is being described here because of the effect on McAfee DLP Endpoint rules. Computer assignment groups are accessed from the Policy Catalog by specifying the Computer Assignment Group Category."

I am not sure what I am doing wrong. Any help would be appreciated.


Accepted Solutions
vimalnavis
Level 13

Re: Device Control - Exclude Computers from Policy


Why would you allow ALL users to be able to write CD/DVDs on one machine? The exceptions always need to be user based and not computer based.

You are creating a security gap by allowing ALL users unrestricted access to CD/DVDs on one machine. My recommendation is to use user based exceptions and not computer based exceptions.

If you still want Device Rules not to apply on one computer while still being able to use User Assignment Groups, create a new Agent Configuration and disable the Device Blocking module under Miscellaneous. Assign this Agent Config only to that one computer.

This will ensure that none of the Device Rules work on that one computer.

Tristan
Level 15

Re: Device Control - Exclude Computers from Policy


If you edit the new CAG, have you unticked the 'logged in user' and 'local user' fields for all other rules except your newly created 'allow CD/DVD' device rule?

amunoz
Level 7

Re: Device Control - Exclude Computers from Policy


Yes, only the "Allow Write CD\DVD Drive" rule has the 'logged in user' and 'local user' checked. Thanks for your suggestion.

amunoz
Level 7

Re: Device Control - Exclude Computers from Policy


We have one department (Medical Records) that is allowed to write CD/DVDs. So my thought was we either allow all the computers in that department to write CD/DVDs or we allow the users in that department. I did not want a user to have the option to go to a computer outside of the department and be able to write CD\DVDs, so I thought it would be better to allow the computers. But it is getting complicated to do computer based exceptions. I think I am going to do user based exceptions. Thanks for your advice.
