I have tested DLP to block mass storage devices and it works really fine. What I want to do is to generally block mass storage devices for all users except domain admins and allow specific devices on specific PCs for specific users only, for example the BlackBerry on the laptop of the CIO only for the CIO.
The base rule to block all devices was no problem, it works. I also can make exceptions in this rule to allow specific devices on all hosts and for specific users or groups on all hosts, that is no problem. I also can allow specific devices only on one PC for all users.
But what is a possible procedure to let this base rule take place and additionally allow a specific device for a specific user on a specific PC? Can anyone help me with that?
Best regards, Jochen
I assume the CIO isn't logged into multiple machines without logging off?
Since the rule is applied to the user logged into the machine and not the machine itself, the rules you are trying to set up just need to follow these guidelines.
Block everything - Include Everyone, exclude CIO, exclude domain admins
Block everything, exclude Blackberry device ID - Include CIO
Hope that helps
The CIO was only an example... Some other users are indeed logged into multiple machines, specifically my project managers (and they also use BBs).
Your rules are defined on a general basis, I think, meaning they are not pinned to specific machines? If so, this would be a solution to allow the BB on all machines, I think. Isn't it?
I'll try anyway...
PS: our CIO has also logged on to multiple machines already ;-)
Under assigned user, you can create a special user group by pulling the users from the Domain. Then, create a device rule to use that user group, then assign the rule to the computer or group of computers. It can be done. However, the hard part is that when you try to create the user group, you have to browse the Domain to locate the users. That will be very time consuming. I did that in a lab where I have a Domain with less than 50 accounts. The ePO server is joined to the Domain and the user account used to manage ePO/DLP policy has Domain Admin rights.