We have a rule that blocks all Removable Storage devices for all domain users.
How do we configure HDLP (or Device Control) in order to allow the use of removable storage media on a specific workstation regardless of whoever is logged in?
Using 'only' computer assignment groups would not be helpful in this case as we are using the UAG to exclude admin users from the blocking rule already.
You can use a mixed mode of both CAG and UAG in the environment. Have your standard rules you have set now assigned through UAG and create a new rule for your CAG assignment.
The new removable device rule would include all removable storage, set to monitor and/or notify only and assign no user groups. Assign that rule to a new policy in the policy catalog and then assign the policy in the system tree to the machine you want to exclude blocking on.
That was the first thing we had tried.
McAfee HDLP applies a union of all assigned rules. Therefore, when a domain user logs on to the specific workstation with the monitor-only rule applied through CAG, the blocking rule assigned through UAG still kicks in and disallows the use of removable media.
It's almost unbelievable such a simple use-case would not be addressed by McAfee product development.
We definitely have this requirement in our environment and are unable to provide it using McAfee HDLP at the moment.
Can you not just add your admins to privileged users within DLP which will negate the need to have them use a UAG policy?

Message was edited by: jontownsend on 04/05/12 03:28:58 CDT
Privileged users have only two strategies: Override All or Monitor Only.
Even our admins are restricted to certain devices that they could use in the network. So giving them "override all" or "monitor only" rights will not address our requirements.
Moreover, there are also other user groups that have an operational need to use a specific external device for jumping "air gap".
The previous device / port control solution we were using allowed all of this to be configured easily. I hope McAfee could fix this in future releases.
From the DLP 9.2 guide:
Computer assignment groups
Computer assignment groups specify which computers are assigned which policies. You can use this feature to apply different policies to groups of computers in your network. When a computer group is assigned specific policies, those policies are enforced on the named computers, and user assignment groups in McAfee DLP Endpoint rules are lost.
Computer assignment groups is a feature of ePolicy Orchestrator. It is being described here because of the effect on McAfee DLP Endpoint rules. Computer assignment groups are accessed from the Policy Catalog by specifying the Computer Assignment Group Category.
If, for example, you have assigned Marketing computers to a group, and then select an email protection rule and a web post protection rule in the computer assignment group definition, those DLP rules are applied to all users in the Marketing computer group, and not according to any User Assignment Groups defined in the DLP protection rule. Any rules not included in the computer assignment group (for example, a removable storage protection rule) are applied according to the User Assignment Group definition in the rule.
Clear as mud.
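To make the semantics in the quoted guide text and the "union of all assigned rules" behaviour concrete, here is an added model (not McAfee code, and not from anyone in this thread) of how CAG and UAG assignment combine. Rule names, group names and the workstation are constructed for the scenario described above; it shows why a monitor-only rule added through a CAG does not lift a blocking rule that is still assigned through a UAG.

```python
from dataclasses import dataclass

BLOCK, MONITOR, ALLOW = "block", "monitor", "allow"


@dataclass(frozen=True)
class Rule:
    """A device rule with its User Assignment Group (UAG) membership."""
    name: str
    action: str                              # BLOCK or MONITOR
    uag_include: frozenset = frozenset()     # groups the rule targets
    uag_exclude: frozenset = frozenset()     # groups carved out of it

    def applies_by_uag(self, user_groups: frozenset) -> bool:
        return bool(self.uag_include & user_groups) and not (self.uag_exclude & user_groups)


def applicable_rules(rules, cag_rules: frozenset, user_groups: frozenset):
    """Rules that fire for a user on a computer whose CAG contains `cag_rules`.
    Modelled on the guide text quoted in the thread: a rule placed in the
    computer's CAG applies to every user on that computer (its UAG is lost);
    any other rule applies according to its own UAG."""
    return [r for r in rules
            if r.name in cag_rules or r.applies_by_uag(user_groups)]


def effective_action(rules, cag_rules: frozenset, user_groups: frozenset) -> str:
    """Union of all applicable rules, as described in the thread: a single
    blocking rule is enough to block; otherwise monitor; otherwise allow."""
    fired = applicable_rules(rules, cag_rules, user_groups)
    if any(r.action == BLOCK for r in fired):
        return BLOCK
    return MONITOR if fired else ALLOW


# Constructed scenario mirroring the thread (all names are illustrative).
RULES = [
    Rule("Block removable storage", BLOCK,
         uag_include=frozenset({"Domain Users"}),
         uag_exclude=frozenset({"Domain Admins"})),   # admins excluded via UAG
    Rule("Monitor removable storage", MONITOR),       # no UAG; CAG-only rule
]
USB_WORKSTATION = frozenset({"Monitor removable storage"})  # CAG of the USB machine
ORDINARY_PC = frozenset()                                   # no CAG rules at all
STANDARD_USER = frozenset({"Domain Users"})
ADMIN_USER = frozenset({"Domain Users", "Domain Admins"})

if __name__ == "__main__":
    for who, groups in (("standard user", STANDARD_USER), ("admin", ADMIN_USER)):
        print(f"{who} on USB workstation: {effective_action(RULES, USB_WORKSTATION, groups)}")
        print(f"{who} on ordinary PC:     {effective_action(RULES, ORDINARY_PC, groups)}")
```

A standard user on the USB workstation still gets "block", because the UAG-assigned blocking rule is not in the CAG and therefore fires alongside the CAG monitor rule; only the admin (excluded by the UAG) ends up monitor-only there.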
The only workaround we have been able to find is Policy Injection:
It's really a dirty way to do it but it allows you to inject a unique policy to a specific computer. In our case, having only a few workstations to configure as USB transfer machines made it possible to implement.
Tough luck when we need to apply this to a greater number of machines...
Bad programming McAfee!!!