I have an EEFF Removable Media Policy that forces encryption of USB before write is permitted for all workstations in the ePO group container.
I want to allow exceptions to write to unencrypted USB. I can create a new ePO group container that doesn't have the Removable Media Policy enforcing encryption, but then any user who logs on to one of these workstations will be able to write to unencrypted USB. Is there any way I can allow these exceptions based on user ID or AD group?
Many thanks for any advice
Yes, use Policy Assignment Rules to assign policies to the users that you want to grant exceptions.
If "system policies" and "user policies" are conflicting in nature, "user based policies" will take precedence. So this should solve your use case.
For information regarding EEFF policy assignments: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24643/en_US/...
Page 25 onwards: "System Tree Assignment" through which you can assign policies to systems
Page 27 onwards: "Policy Assignment Rules" through which you can assign policies to either users or systems
Hope this helps, let me know if you need more information.
I've now created my Policy Assignment Rule, which assigns a more permissive EEFF Removable Media Policy that allows the user to encrypt removable media as opposed to enforcing encryption. The Policy Assignment Rule uses an AD group of which my account is a member. Have forced updates to the client workstation, restarted and logged on with the user account which is in the group but I still get the more restrictive policy that the other workstations in the ePO group container are getting.
Any ideas what I could be doing wrong?
Can you do a "force policy sync" either from the client or from ePO, then check the policy enforced on the client via the McAfee Tray Icon -> Manage Features -> Endpoint Encryption for Files and Folders; it should be the more permissive EEFF Removable Media Policy that you have assigned through the PAR.
From ePO, I've done "Wake up agents" with "Force Policy and tasks update", also from the workstation "Status Monitor" I've done "Check for new policies" and "Enforce policies". I've also been to the server tasks and performed an Ldap synch which appeared to synchronise my AD group successfully. Unfortunately I'm still getting my more restrictive Removable Media Policy that's assigned to the group container as opposed to the less restrictive policy from the PAR.
Any other things you think I should check?
You still see the restrictive policy when you check the enforced policy on the client via McAfee Tray Icon -> Manage Features -> Endpoint Encryption for Files and Folders?
Just an update on this thread - it turned out to be an Ldap synch issue that was preventing the Policy Assignment Rule from deploying to members of the AD group.
Hugh
Message was edited by: howardmp on 26/02/14 05:07:12 CST
Thanks Hugh, were you able to achieve the use case that you had in mind?
Message was edited by: nchakrap on 2/26/14 9:01:13 AM CST