7 Replies Latest reply on Dec 21, 2011 10:30 AM by Firewall-Joe

    Device Control 9.1 multiple rules headache

    Superhoop

      Hi All,

      Just when you think you have mastered the product another issue arises !!

      I have a rule that says block everything USB for 'Everyone' unless you are in one of the following groups:

      Allowed_External_CD_Read/Write

      Allowed_External_Hard drive

      Allowed_External_Card reader

      I have several other groups but the above are examples.

      I then have another rule for External Hard drives that says Block all, Excluding certain approved hard drives, if you are in 'Allowed_External_Hard drive'.

      This works a treat. We drop users into the 'Allowed_External_CD_Read/Write' and they are allowed to use any of the approved CD burners.

      But what happens when a user has an external hard drive AND a Card Reader?

      If I put them in both groups Device Control is not clever enough to realise this. The Block all from the Card reader rule blocks the external hard drive and vice versa......

      You see what I mean ? :-)

      What can I do to allow people to have more than one item to exclude? I want to be as granular as possible so do not want to merge too many products together.

      Many thanks for reading

      Superhoops

        • 1. Re: Device Control 9.1 multiple rules headache

          I'm going to run into the same problem in the near future.  What happens if you have one "block all" rule with all external device groups excluded?

          • 2. Re: Device Control 9.1 multiple rules headache
            chrismills

            Hi,

            does anyone have an answer to this? I've got a similar problem, where users are members of more than one group it creates conflicts and blocks everything. Everyone I've spoken to at McAfee or the reseller says "that doesn't sound right" but no-one has been able to explain how to get around it. Seems that if there was a rule hierarchy it would all work fine!

            Thanks

            Chris.

            • 3. Re: Device Control 9.1 multiple rules headache
              JoeyMc

              Sounds like maybe another group:

              Allowed_External_HDD_and_CR and a separate rule?

              Exclude that group from your other assignment groups.

              Kind of messy but it should work.

              Joey

              • 4. Re: Device Control 9.1 multiple rules headache
                Superhoop

                That is what I had to do in the end. I had McAfee support and Professional Services in and that is what we had to settle on. It's mad !

                I now have lots of rules, for example ..

                allow cd write but block everything else

                allow camera but block everything else

                when a user wants both devices I create a new rule called

                Allow cd write and camera but block everything else

                I then also create a new AD group called allowed cd write and camera to assign to this rule.

                I then make sure that group is excluded from the main block all rule.

                The trouble I have now is I have a user who wants three different device types ! I am not sure when it's going to end :-(

                • 5. Re: Device Control 9.1 multiple rules headache
                  JoeyMc

                  On a side note... I recently realized that Apple iPad/iPhone get recognized as Imaging Device... If you want to block them you have to make a rule for imaging devices.

                  • 6. Re: Device Control 9.1 multiple rules headache
                    chrismills

                    Thanks for the responses.

                    I think we're going to end up creating a hierarchy of devices, for example, level zero users get nothing. Level one users get digital cameras. Level two get digital cameras and USB memory sticks. Level three get digital cameras, USB memory sticks and USB hard drives. That way we just need to make sure that no-one is in more than one group, and we're controlling access by serial number of these devices anyway, so even if someone has digital camera access they won't be able to use it without the actual camera that is allowed.

                    Does this seem realistic to anyone who has actually done it?

                    Cheers

                    Chris

                    • 7. Re: Device Control 9.1 multiple rules headache

                      You need to exclude the allowed users from the block everyone rule and create new rules for them.  DLP will always perform the most restrictive action.  In this case that would be to block everyone.
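The evaluation behaviour stated in this last reply (every matching rule fires, and the most restrictive action wins) is enough to reproduce the original poster's problem and to show why the combined-group workaround from reply 3 works. The evaluator below is an added illustration written for this thread; it is not McAfee's code and only models the two facts the thread states. The device classes, serial numbers and the third group name `Allowed_External_HDD_and_CR` are constructed, and "Everyone" is modelled as matching every user.

```python
from dataclasses import dataclass, replace

# Constructed toy model of overlapping device-control rules, not McAfee's engine.
# It encodes only what the thread states: a rule fires for a user/device if it
# covers the device class, the user is in an assigned group and in no excluded
# group; when several rules fire, the most restrictive action wins.
SEVERITY = {"allow": 0, "block": 1}
EVERYONE = "Everyone"

@dataclass(frozen=True)
class Rule:
    name: str
    device_class: str                          # "*" = any device class
    action: str                                # "allow" or "block"
    assigned: frozenset                        # groups the rule is assigned to
    excluded: frozenset = frozenset()          # groups exempt from the rule
    approved_serials: frozenset = frozenset()  # devices exempt from a block rule

def rule_applies(rule, user_groups, device_class):
    if rule.device_class not in ("*", device_class):
        return False
    if rule.excluded & user_groups:            # exclusion beats assignment
        return False
    return EVERYONE in rule.assigned or bool(rule.assigned & user_groups)

def effective_action(rules, user_groups, device_class, serial):
    """Resolve all firing rules to one action: the most restrictive one wins."""
    user_groups = frozenset(user_groups)
    outcomes = []
    for rule in rules:
        if not rule_applies(rule, user_groups, device_class):
            continue
        if rule.action == "block" and serial in rule.approved_serials:
            outcomes.append("allow")           # approved device, exempt from this block
        else:
            outcomes.append(rule.action)
    if not outcomes:
        return "allow"                         # no rule matched, so nothing blocks
    return max(outcomes, key=SEVERITY.__getitem__)

# Group names follow the thread; the combined group and serials are constructed.
G_HDD = "Allowed_External_Hard drive"
G_CR = "Allowed_External_Card reader"
G_BOTH = "Allowed_External_HDD_and_CR"
HDD_SERIAL, CR_SERIAL = "HDD-APPROVED-001", "CR-APPROVED-001"

def per_group_policy():
    """Original layout: block-all for Everyone, plus one block-all-except-approved rule per group."""
    return [
        Rule("Block all USB for Everyone", "*", "block",
             frozenset({EVERYONE}), excluded=frozenset({G_HDD, G_CR})),
        Rule("HDD group: block all except approved HDDs", "*", "block",
             frozenset({G_HDD}), approved_serials=frozenset({HDD_SERIAL})),
        Rule("Card reader group: block all except approved readers", "*", "block",
             frozenset({G_CR}), approved_serials=frozenset({CR_SERIAL})),
    ]

def combined_group_policy():
    """Reply 3's workaround: a third group with its own rule, excluded from every other rule."""
    everyone, hdd, cr = per_group_policy()
    return [
        replace(everyone, excluded=everyone.excluded | {G_BOTH}),
        replace(hdd, excluded=frozenset({G_BOTH})),
        replace(cr, excluded=frozenset({G_BOTH})),
        Rule("HDD+CR group: block all except approved HDDs and readers", "*", "block",
             frozenset({G_BOTH}), approved_serials=frozenset({HDD_SERIAL, CR_SERIAL})),
    ]

def demo():
    """Return the outcomes for the situations described in the thread."""
    single = per_group_policy()
    combined = combined_group_policy()
    return {
        # one group, its own approved device: works a treat
        "hdd_user_hdd": effective_action(single, {G_HDD}, "hdd", HDD_SERIAL),
        # user in both groups: each group's block-all rule blocks the other device
        "both_groups_hdd": effective_action(single, {G_HDD, G_CR}, "hdd", HDD_SERIAL),
        "both_groups_cr": effective_action(single, {G_HDD, G_CR}, "card_reader", CR_SERIAL),
        # nobody special: block-all for Everyone applies
        "plain_user_hdd": effective_action(single, set(), "hdd", HDD_SERIAL),
        # combined group with its own rule: both approved devices work
        "combined_hdd": effective_action(combined, {G_BOTH}, "hdd", HDD_SERIAL),
        "combined_cr": effective_action(combined, {G_BOTH}, "card_reader", CR_SERIAL),
        # an unapproved device is still blocked for the combined group
        "combined_unknown": effective_action(combined, {G_BOTH}, "hdd", "UNKNOWN-SERIAL"),
        # leftover single-group memberships do no harm once the combined group is excluded from them
        "combined_plus_old_groups": effective_action(combined, {G_BOTH, G_HDD, G_CR}, "card_reader", CR_SERIAL),
    }

if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case:28s} {action}")
```

The two `both_groups_*` cases are the headache from the first post: the block-all rule assigned to the card reader group fires against the hard drive, the hard drive group's rule fires against the card reader, and "most restrictive wins" turns two allows into two blocks. The combined policy only works because the new group is excluded from all three earlier rules, which is the "exclude that group from your other assignment groups" step in reply 3; `combined_plus_old_groups` shows that with those exclusions in place a user left in the old groups is still fine.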