I'm going to run into the same problem in the near future. What happens if you have one "block all" rule with all external device groups excluded?
Does anyone have an answer to this? I've got a similar problem, where users are members of more than one group it creates conflicts and blocks everything. Everyone I've spoken to at McAfee or the reseller says "that doesn't sound right" but no-one has been able to explain how to get around it. Seems that if there was a rule hierarchy it would all work fine!
Sounds like maybe another group:
Allowed_External_HDD_and_CR and a separate rule?
Exclude that group from your other assignment groups.
Kind of messy but it should work.
That is what I had to do in the end. I had McAfee support and Professional services in and that is what we had to settle on. It's mad!
I now have lots of rules, for example:
allow cd write but block everything else
allow camera but block everything else
when a user wants both devices I create a new rule called
Allow cd write and camera but block everything else
I then also create a new AD group called allowed cd write and camera to assign to this rule
I then make sure that group is excluded from the main block all rule.
The trouble I have now is I have a user who wants three different device types! I am not sure when it's going to end :-(
On a side note... I recently realized that Apple iPad/iPhone get recognized as Imaging Device... If you want to block them you have to make a rule for imaging devices.
Thanks for the responses.
I think we're going to end up creating a hierarchy of devices, for example, level zero users get nothing. Level one users get digital cameras. Level two get digital cameras and USB memory sticks. Level three get digital cameras, USB memory sticks and USB hard drives. That way we just need to make sure that no-one is in more than one group, and we're controlling access by serial number of these devices anyway, so even if someone has digital camera access they won't be able to use it without the actual camera that is allowed.
Does this seem realistic to anyone who has actually done it?
You need to exclude the allowed users from the block everyone rule and create new rules for them. DLP will always perform the most restrictive action. In this case that would be to block everyone.
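
A small model of the conflict discussed in this thread, added here as an example; it is not part of any post above and not McAfee's rule engine. It assumes only what the thread states (every applicable rule is evaluated and the most restrictive action wins), and the group names, device classes and users are constructed.

```python
# Simplified model of the behaviour described in the thread (an assumption, not
# McAfee DLP's engine): every applicable rule is evaluated and a block always wins.
from dataclasses import dataclass, field

DEVICE_CLASSES = {"cd_write", "camera", "usb_stick", "usb_hdd"}  # constructed
ALLOW_GROUPS = {"Allow_CD", "Allow_Camera", "Allow_CD_Camera"}   # hypothetical AD groups

@dataclass
class Rule:
    name: str
    allowed: set                                  # device classes the rule lets through
    assigned: set                                 # AD groups the rule is assigned to
    excluded: set = field(default_factory=set)    # AD groups exempt from the rule

    def applies_to(self, groups):
        return bool(self.assigned & groups) and not (self.excluded & groups)

RULES = [
    Rule("block all", set(), {"Domain Users"}, excluded=ALLOW_GROUPS),
    Rule("allow cd write, block everything else", {"cd_write"}, {"Allow_CD"}),
    Rule("allow camera, block everything else", {"camera"}, {"Allow_Camera"}),
    Rule("allow cd write and camera, block everything else",
         {"cd_write", "camera"}, {"Allow_CD_Camera"}),
]

def effective_access(groups, rules=RULES):
    """Device classes still usable once every applicable rule has blocked its share."""
    usable = set(DEVICE_CLASSES)
    for rule in rules:
        if rule.applies_to(groups):
            usable &= rule.allowed
    return usable

def multi_group_users(memberships, allow_groups=ALLOW_GROUPS):
    """Users in more than one allow group, i.e. the conflict case."""
    return {user: sorted(groups & allow_groups)
            for user, groups in memberships.items()
            if len(groups & allow_groups) > 1}

MEMBERSHIPS = {  # constructed sample data
    "alice": {"Domain Users", "Allow_CD"},
    "bob": {"Domain Users", "Allow_CD", "Allow_Camera"},   # in two allow groups
    "carol": {"Domain Users", "Allow_CD_Camera"},          # single combined group
    "dave": {"Domain Users"},
}

if __name__ == "__main__":
    for user, groups in sorted(MEMBERSHIPS.items()):
        print(user, sorted(effective_access(groups)))
    print("conflicts:", multi_group_users(MEMBERSHIPS))
```

Running `multi_group_users` over an export of real group memberships before assigning rules shows which accounts would end up fully blocked under this model.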