cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

Exclusion for having evidence for groups

Jump to solution

Hi ,

We are going to deploy Device Control in our organisation. We are using ePO 5.0 with DLP version 9.3. I am creating two Protection rulewhich are:

  • Monitor only files copied to USB > applied to IT groups
  • Monitor and Store evidence files copied to USB > applied to Domain Users with IT Group exclusion

Unfortunattely when users in IT Group copying data to USB it still got stored in the evidence.

Am I doing the exclusion properly?

1 Solution

Accepted Solutions
Highlighted

Re: Exclusion for having evidence for groups

Jump to solution

I cross checked the policy. All the rules and UAGs are OK. Based on the policy and confirmation from your screenshot (showing the unexpected rule applied) I am sure that your ID is not part of the AD group.

If you recently added your ID to the AD Group wait up to 8 hours for the change to be in effect (This has nothing to do with DLPe. All AD)

You may speed up the replication by connecting the computer to the network using a wired connection and then logging out and logging back in.

View solution in original post

8 Replies
Highlighted

Re: Exclusion for having evidence for groups

Jump to solution

Can you share screenshots of your rules and user assignment groups?

Highlighted

Re: Exclusion for having evidence for groups

Jump to solution

I created Store Evidence Group for Domain User and deny IT user as Follow:

store.JPGstorerule.JPG

storerule1.JPG

And I created not store evidence group for the IT user as follow:

notstore.JPGnotstoreprot.JPG

notstorerule.JPG

Highlighted

Re: Exclusion for having evidence for groups

Jump to solution

The rules and UAG look good. Check whether the machines where the IT team logs in shows only the correct rule applied. Check this in System Properties -> DLP User Sessions section.

Highlighted

Re: Exclusion for having evidence for groups

Jump to solution


I am geting Monitor/Store Evidence - Files copied to USB as figure below:

Capture.JPG

Eventhough I am in IT group

Highlighted

Re: Exclusion for having evidence for groups

Jump to solution

If you can, could you share the 3 .opg files in a private message? I'll review it as I find time.

Highlighted

Re: Exclusion for having evidence for groups

Jump to solution

I cross checked the policy. All the rules and UAGs are OK. Based on the policy and confirmation from your screenshot (showing the unexpected rule applied) I am sure that your ID is not part of the AD group.

If you recently added your ID to the AD Group wait up to 8 hours for the change to be in effect (This has nothing to do with DLPe. All AD)

You may speed up the replication by connecting the computer to the network using a wired connection and then logging out and logging back in.

View solution in original post

Highlighted

Re: Exclusion for having evidence for groups

Jump to solution

After double checking the group, I found out that I am using a distribution group instead of security group

Re: Exclusion for having evidence for groups

Jump to solution

Well, that's why

Distribution Lists do not allow the use of SID which is why it does not work.

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community