2 Replies Latest reply on Jan 27, 2011 7:13 PM by JayMan

    DLP Device Rule via AD Groups


      I'm testing McAfee Device Control/DLP before deploying to the business & just trying to get my head around how this works... At the moment I have a couple device rules based on groups in Active Directory.


      To start my testing I have blocked myself USB access... This works as expected...

      I have now added myself to the 'USB Allowed' group in Active Directory, logged off from my computer & logged back in (to pick up the new group membership)... however I am still being blocked access...


      Does something within the ePO need to be 'synced' with AD after making changes to groups? (and then new policy pushed to agents?)



        • 1. Re: DLP Device Rule via AD Groups

          Hmm, I've just rebooted and this also didn't help...


          Maybe it's the way my rules/groups are set up...


          I have 2 user assignment groups, "USB Allowed" and "USB Blocked"...


          USB Blocked has "Everyone" and "Local Users" included, and "AD_USB Allowed (domain.com)" excluded.

          USB Allowed has "AD_USB Allowed (domain.com)" included.


          I then have a device rule set to Block, Monitor & Notify all Removable Storage devices assigned to the USB Blocked user assignment group.

          And a device rule set to Monitor & Notify all removable storage devices assigned to the USB Allowed user assignment group.


          Would this be the correct way to have this set up?



          • 2. Re: DLP Device Rule via AD Groups

            Never mind... Turns out someone had ticked options under the Computer Assignment Group in the Policy Catalog which was overwriting the user settings.


            I've got USB removable media rules working as expected now... On to working on optical drive access now.