JKBH1
Message 1 of 5

Efficient way to exempt a list of MacOSX users or devices in a DLP data rule

Hello,

Is there a way to efficiently exempt a list of MacOSX users or devices in a DLP data rule? 

For Windows users or devices, this is pretty easy because a definition can be created for this list of users (through a distribution list or security groups) via Active Directory. Once this is set, just create an exception for users pointing to this distribution list within the DLP data rule set.

As designed, MacOSX users or devices do not go to Active Directory. So one idea is to create a tag (DO_NOT_INSTALL_DLP), create a server task with an action to import a list of MacOSX users or devices, then a subtask to query for these devices. Tag them with DO_NOT_INSTALL_DLP, then remove the DLP package.

However, as the list is static, this is not sustainable from a manageability perspective. We will have to re-import the list again and again in the server task should it get updated in the future.

Please advise what is the best way to approach this scenario. Thank you.

4 Replies
JaganA McAfee Employee
Message 2 of 5

Re: Efficient way to exempt a list of MacOSX users or devices in a DLP data rule

@JKBH1 Thanks for choosing Support Community.

Though I am not very certain about your query, I will try my best to answer.

1. Do you want to deploy DLP for Mac to some systems and exclude a few systems? If yes, then create a sub system group in ePO -> system tree called "DLP deployed" and assign a deployment task. Even policy can be managed effectively with this group.

2. Do you want to exclude all MacOSx systems from DLP deployment task? If yes, then very simple, don't create a deployment task for MacOSx. The deployment task created with Windows platform / package is not applicable for MacOSx systems. 

Let me know if my understanding is different from what you said.

JaganA
McAfee Employee


JKBH1
Message 3 of 5

Re: Efficient way to exempt a list of MacOSX users or devices in a DLP data rule

Jagan, thanks for the reply. We will only deploy the data protection rules to a few Mac users, so recommendation #1 should work for our environment.

JKBH1
Message 4 of 5

Re: Efficient way to exempt a list of MacOSX users or devices in a DLP data rule

I want to revisit this topic. As I understand it, DLPe has 2 components/modules: data protection and device control.

If it's not deploying the entire DLP suite to these Mac users, then it's really easy: tag them and exclude them so they do not have any DLP installed. The two scenarios given by JaganA would work.

The requirement for this use case scenario is to have only certain Mac users exempted from data protection rules, but these same Mac users are not exempted from the device control policies.

How do I go about this? As Mac users do not go through Active Directory but Enterprise Connect, how do I exclude these users in the data protection rules in the Exceptions tab? 

1.) Is there a way to define these Mac users in "is any local user or non-LDAP user", "belongs to one end-user groups", or "belongs to all following end-users group"?  The end-user group definition goes to identify the user, users, groups through LDAP. How will this work with Mac users who don't go through LDAP but Enterprise Connect? 

2.) What is that "is any local user or non-LDAP user" option? Can I use this for excluding Mac users? If so, how do I define this?

Or will a Policy Assignment Rule with the right tagging and data protection rule set assigned to it make this use case work?

McAfee ePolicy Orchestrator 

JKBH1
Message 5 of 5

Re: Efficient way to exempt a list of MacOSX users or devices in a DLP data rule

After much overthinking, it is really a simple solution.

The best way to handle this sort of use case scenario is to have a DLP policy that is configured only for device control. Then assign the Mac endpoints that are to be excluded from the data rule to this device-control-only ruleset.

Problem solved. Thanks everyone for your recommendations.
