You can manually assign people to an exclude group you create or just add them manually to the rule and select "exclude" for that user or user group.
You can create a User Assignment Group that consists of all Domain Users (or whatever group you have that encompasses all users) set to included, with the AD Group "McAfee Exclusion USB" being excluded. Any rules configured to use this User Group will only apply to people that are in the Domain Users group, but not in the McAfee Exclusion USB group. If necessary, you can also exclude individual users from this group as well, not just AD Groups.
Thanks Tonw and dgriner.
For some reason I thought this wasn't possible... just tested and it works fine!
This doesn't seem to be the case for me, during my testing using 126.96.36.199.
I have one device rule which blocks cd/dvd drives and notifies. The user assignment group included in this rule has the AD Domain Users group included and my own user account excluded.
I have another device rule which just monitors and notifies on cd/dvd drives. The user assignment group included in this rule has AD domain users group excluded and my own user account included.
However, when I log in the blocking rule is always applied even though I have an exclusion specific to the username that I'm logging in with. So how can it be working for people in this thread?
Make sure you have applied the rule in the DLP Policy manager and performed a collect and send props on the machine.
Also there is no need to exclude AD domain users from your second rule. The first rule you had to exclude yourself since you're a part of the AD domain user group. Including yourself in the second rule will not include all domain users so there's no reason to exclude them there.
The rule is applied; every time I update the policy I make sure the workstation gets it. I even double-check by looking at the policy version currently applied, viewing the machine from the system details view.
In my first attempt I did not include all domain users in the second monitoring rule; that was done out of desperation to get this working. I initially only had domain users included in the blocking rule and my own account excluded. The second monitor rule initially had only my own account included, with no exclusions. But I was still being blocked.
Also when looking at the monitor log that has the event in which I was blocked, both rules show as being applied. The monitor rule first, followed by blocking rule.
As seen here:
Event Generated Time (Endpoint): 12/8/2011 10:51:51 AM
Event Generated Time (UTC): 12/8/2011 2:51:51 PM
Associated Rules: 6. Monitor DVD/CD drives, 5. Block DVD/CD drives
Agent Action(s): Block, Monitor, Notify User
Agent Version: 188.8.131.52
Policy Name: DLP Security Policy
Policy Time (UTC): 12/8/2011 2:48:44 PM
Connection State: Online
Device Class GUID:
Device Class Name: DVD/CD-ROM drives
Device Name: ASUS DVD-E616A3T
Device Compatible ID: GenCdRom
Device Instance ID: IDE\CDROMASUS_DVD-E616A3T________________________BP08____\5&20960AC&0&0.0.0
Bus Type: IDE
Device File-System Access: Read - Only
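One way to triage an event like the one pasted above, as an added example that is not part of this thread or of the McAfee DLP product: parse the `Key: value` lines, list the rules in the `Associated Rules` field, and flag events where more than one rule fired and the resulting agent action was a block. The sample event is constructed from a subset of the fields shown above.

```python
import re

# Constructed sample: a subset of the fields from the monitor event pasted above.
SAMPLE_EVENT = """\
Event Generated Time (UTC): 12/8/2011 2:51:51 PM
Associated Rules: 6. Monitor DVD/CD drives, 5. Block DVD/CD drives
Agent Action(s): Block, Monitor, Notify User
Policy Name: DLP Security Policy
Device Class Name: DVD/CD-ROM drives
Device Name: ASUS DVD-E616A3T
"""

# "<number>. <rule name>" as it appears in the Associated Rules field
RULE_RE = re.compile(r"\s*(\d+)\.\s*(.+?)\s*$")


def parse_event(text: str) -> dict:
    """Turn 'Key: value' lines into a dict; keys keep their exact spelling."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def associated_rules(fields: dict) -> list:
    """Return (number, name) tuples from the 'Associated Rules' field."""
    rules = []
    for part in fields.get("Associated Rules", "").split(","):
        m = RULE_RE.match(part)
        if m:
            rules.append((int(m.group(1)), m.group(2)))
    return rules


def agent_actions(fields: dict) -> set:
    """Return the set of actions listed in 'Agent Action(s)'."""
    return {a.strip() for a in fields.get("Agent Action(s)", "").split(",") if a.strip()}


def overlapping_block(fields: dict) -> bool:
    """True when several rules fired on one event and the outcome was a block."""
    return len(associated_rules(fields)) > 1 and "Block" in agent_actions(fields)


def triage(text: str) -> dict:
    """Summarise one event: which rules hit, the effective action, and overlap."""
    f = parse_event(text)
    blocked = "Block" in agent_actions(f)
    return {"user_facing_action": "Block" if blocked else "Monitor",
            "rules": [name for _, name in associated_rules(f)],
            "overlap": overlapping_block(f)}
```

Running `triage(SAMPLE_EVENT)` on the pasted event reports both rules and `overlap: True`, which is the case to look at when an exclusion appears not to take effect.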
I think there is a missing piece from this thread that is very important. It appears that if an account is, say, part of "Domain Users" (normally anyone with logon rights is a part of this group), and also part of the exclusion group/user/OU you create, then the most restrictive rule applies even if you have your group excluded to avoid the rule.
I saw this thread in which the person speaking about advice from support which contradicts what is mentioned as an answer in this thread.
So I contacted support, and I was told this method probably would not work because the most restrictive policy of setting the CD/DVD drive to read only would take effect when a user was in multiple user assignments.
So there doesn't seem to be a practical way to apply these DLP rules, in which you're not managing a large amount of AD groups and the users in them.
This does work successfully for me, but I am only currently dealing with a single USB block rule and its exceptions. I never tested this with more than one rule as that's not what I needed, sorry!