I am having problems with some device rules that I have configured. I am using DLP 220.127.116.113 and ePo 4.5
I have some Device Definitions - Allowed devices, Ignored devices etc. containing devices defined by USB serial number, Device Name.
In both Plug and Play and Removable Storage I want to set up rules to monitor everything that is not in my Device Definitions, eventually changing the rule to block unknown devices.
The rules I have set up INCLUDE all bus types, but EXCLUDE devices that are defined in my device definitions.
The problem is, devices are still being reported, even though they are in the excluded device definitions.
This seems to be a logical approach (at leat I think so), so can anyone point me in the direction of some documentation / instuctions on how to acheive this?
Eastleigh Borough Council
What's your main objective here for the rule? Are you monitoring all the the devices (with file system/without file system) or only concerned about the devices with a file system for data loss? From your mail I am also observing - you have chosen all bus types...!!
Rather than selecting all - see if the rules work for USB types first...if yes then go on adding other bus types. I would always advise to keep the rules simple and separate like USB rules, CD/DVD rules, Bluetooth rules....etc...Also check you have the right user assignment group!
Let me know!
Eventually, we would like to block or make read-only ALL devices - memory sticks, cameras, phones, cd writers etc. EXCEPT ones that are authorised.
At the moment we have set up rules to monitor devices that are unauthorised, so that we know "what is out there" and can contact people to determine if we authorise the device or not. After we have done this for a few weeks we anticipate that the only devices that get monitored will be unauthorised devices and we can switch from MONITOR to BLOCK.
A specific problem that we have is-
We have a Plug and Play device rule set to monitor. It is set to INCLUDE all USB Plug and Play devices, but EXCLUDE the device class of imaging devices. However, Imaging Devices are still appearing in the monitor.
I thought that policy rules could be set to monitor all devices except those specifically excluded - with exclusions taking priority over inclusions?
Maybe we need to do this in "chunks", with separate definitions and rules for different types of device/interface to see what is going on?
Eastleigh Borough Council
Message was edited by: adrianlodge on 6/17/10 2:54:16 AM CDTMessage was edited by: adrianlodge on 6/17/10 2:58:24 AM CDT
Let me explain what I understand from your mail.
Your objective here is just to block devices those are not authorized in addition to devices which can actually help in data loss - is that correct? Let me give an example - if you try to block all devices with USB bus, that will block even the devices like a USB mouse if you don't allow specifically those devices in your exclude list. The problem with that approach I can see - going forward the way most of the devices are embracing USB or other medium, you have to create a ton of excluded devices definiton.
If you really want to protect data from leaking you need to only block those devices which have a file systems. That way you don't bother about a wireless keyboard which doesn't have a file system so that users are happy (productivity issue) and you are not allowing an iPOD (which has a USB bus and a FS) to assist in data loss...!!
Try to use removable storage device definitions rather that PnP. PnP rules are used when you are very specific which type of USB or other device you want to block or allow ( like bus 0, 1, 2 etc.)
Create 1 RSD definiton - select req. bus type (USB, bluetooth etc.) + File system type (NTFS, FAT etc) for ALL DEVICE TYPE
Rest individual RSD defintion should be for your allowed device - You can just connect your allowed devices and collect log - go to DLP monitor - right click and export configuration - open DLP manager - Device defintion - Create device defintion using exported config (not sure the exact wording..)
Once you have your definitions:
Create the rule by including the ALL device type and excluding your allowed devices. Ensure you have the right assignment groups. That set!
Hope I was helpful. Thank you!
That all sounds logical. We started using the PnP rule for some reason - but we can't remember why!
We'll amend our rules and see how we get on.
Using your suggestion, can we also define cd/dvd drives and cameras as read only?
Eastleigh Borough Council
Create your CD/DVD as a single separate rule..
You just have to create a defintion with option CD/DVD (optional file type - CDFS, UDFS - in case your rule won't work with that single option) -> Create the rule
Cameras will be protected by your USB filesystem rules.
Apologies for tagging this onto someone elses thread, but could I ask something in relation to the P&P devices?
I've had very similiar issues to Adrian here and have found that using the RSD rules allow us to use the product very well. The problem I am facing at the moment is with regards to PDA's. We are wanting to block all PDA's apart from those specifically allowed (Blackberries and other selected devices in this case), however, from what I can see in the monitor they are mostly presented as P&P devices. Blocking all USB devices at the P&P side over rides the RSD rules and blocks all USB sticks etc, although still doesn't block all PDA's
Does anyone have any experience with blocking and using PDA's with DLP? (v 3.0 as we are only using device management atm)
At the moment I can see no way of being able enforce the rule of "No PDA's unless specified" and being 100% confident all non-specified PDA's are blocked.
MMessage was edited by: Matt Ford on 30/06/10 06:08:31 CDT