8 Replies Latest reply on Dec 9, 2011 2:53 AM by pierce

    HDLP 9.1.100 how to assign policy to everybody and exclude a few people?

    pierce

      Hi All,

       

      I currently have HDLP 9.1.100 checked in and the end points are slowly upgrading from 3.1 and 9.1.0 to 9.1.100.

       

      Originally I just had DLP installed on the end users that needed their USBs blocked. Now security have decided this is not sufficient (obviously...) and DLP should be deployed to all end points.

       

      So now I will have DLP deployed to all end points and I have a current policy that applies to 'everyone' to block their USBs. Is there a way to add an exception group? For example, have this policy apply to everyone apart from users in this Active Directory 'McAfee Exclusion USB' group? Looking around, it seems I need to create a group and stick every single user from Active Directory in there... which seems like an absolute nightmare to manage.

       

      I'm curious how people have got this running in their organisation, as this must come up quite a lot with helpdesk staff etc...

       

      many thanks for any help you can provide!

       

      Pierce

        • 1. Re: HDLP 9.1.100 how to assign policy to everybody and exclude a few people?
          tonyw

          You can manually assign people to an exclude group you create or just add them manually to the rule and select "exclude" for that user or user group.

          • 2. Re: HDLP 9.1.100 how to assign policy to everybody and exclude a few people?

            You can create a User Assignment Group that consists of all Domain Users (or whatever group you have that encompasses all users) set to included, with the AD group "McAfee Exclusion USB" being excluded.  Any rules configured to use this User Group will only apply to people that are in the Domain Users group, but not in the McAfee Exclusion USB group.  If necessary, you can also exclude individual users from this group as well, not just AD groups.

            • 3. Re: HDLP 9.1.100 how to assign policy to everybody and exclude a few people?
              pierce

              Thanks tonyw and dgriner.

               

              For some reason I thought this wasn't possible.... just tested and it works fine!

              • 4. Re: HDLP 9.1.100 how to assign policy to everybody and exclude a few people?

                This doesn't seem to be the case for me, during my testing using 9.1.100.1.

                 

                 

                I have one device rule which blocks cd/dvd drives and notifies. The user assignment group included in this rule has the AD Domain Users group included and my own user account excluded.

                 

                I have another device rule which just monitors and notifies on cd/dvd drives. The user assignment group included in this rule has AD domain users group excluded and my own user account included.

                 

                 

                However, when I log in the blocking rule is always applied, even though I have an exclusion specific to the username that I'm logging in with. So how can it be working for people in this thread?

                • 5. Re: HDLP 9.1.100 how to assign policy to everybody and exclude a few people?
                  tonyw

                  Make sure you have applied the rule in the DLP Policy manager and performed a collect and send props on the machine.

                   

                  Also there is no need to exclude AD domain users from your second rule.  The first rule you had to exclude yourself since you're a part of the AD domain user group.  Including yourself in the second rule will not include all domain users so there's no reason to exclude them there.

                  • 6. Re: HDLP 9.1.100 how to assign policy to everybody and exclude a few people?

                    The rule is applied; every time I update the policy I make sure the workstation gets it. I even double-check by looking at the policy version currently applied, viewing the machine from the system details view.

                     

                    In my first attempt I did not include all domain users in the second monitoring rule; that was done out of desperation to get this working. I initially only had domain users included in the blocking rule and my own account excluded. The second monitor rule initially only had my own account included, with no exclusions. But I was being blocked.

                     

                    Also when looking at the monitor log that has the event in which I was blocked, both rules show as being applied. The monitor rule first, followed by blocking rule.

                     

                    as seen here:

                     

                    Event Generated Time (Endpoint):   12/8/2011 10:51:51 AM

                    Event Generated Time (UTC):   12/8/2011 2:51:51 PM

                    User Name: 

                    Associated Rules:   6. Monitor DVD/CD drives, 5. Block DVD/CD drives

                    Computer Name:  

                    Agent Action(s):   Block, Monitor, Notify User

                    Agent Version:   9.1.100.1

                    Policy Name:   DLP Security Policy

                    Policy Time (UTC):   12/8/2011 2:48:44 PM

                    Connection State:   Online

                    Device Class GUID:  

                    Device Class Name:   DVD/CD-ROM drives

                    Device Name:   ASUS DVD-E616A3T

                    Device Compatible ID:   GenCdRom

                    Device Instance ID:   IDE\CDROMASUS_DVD-E616A3T________________________BP08____\5&20960AC&0&0.0.0

                    Bus Type:   IDE

                    Device File-System Access:   Read - Only

                     

                    Message was edited by: Moniker on 12/8/11 9:08:19 AM CST
                    • 7. Re: HDLP 9.1.100 how to assign policy to everybody and exclude a few people?

                      I think there is a missing piece from this thread that is very important. It appears that if an account is, say, part of "Domain Users" (normally anyone with logon rights is a part of this group), and also part of the exclusion group/user/OU you create, then the most restrictive rule applies even if you have your group excluded to avoid the rule.

                       

                      I saw this thread in which the person speaks about advice from support which contradicts what is mentioned as an answer in this thread.

                       

                      see - https://community.mcafee.com/message/173095#173095

                       

                      quote: "so I contacted support, I was told this method probably would not work because the most restrictive policy of setting the CD/DVD drive to read only would take effect when a user was in multiple user assignments."

                       

                      So there doesn't seem to be a practical way to apply these DLP rules, in which you're not managing a large amount of AD groups and the users in them.
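                      Added here as a worked example (not McAfee code and not from any poster): a small Python model of the two behaviours argued about in this thread. An assignment group matches a user who is in at least one included principal and no excluded one; when several device rules match, the most restrictive agent action wins, as the support quote describes. The `honour_exclude` switch is an assumption of the model, used to reproduce Moniker's log in which both rule 5 and rule 6 fired despite the exclusion.

```python
from dataclasses import dataclass, field

# Restrictiveness ranking assumed by this model (higher wins when several rules match).
ACTION_RANK = {"Monitor": 0, "Read-Only": 1, "Block": 2}


@dataclass
class AssignmentGroup:
    """User Assignment Group: included and excluded principals (user names or AD groups)."""
    name: str
    include: set
    exclude: set = field(default_factory=set)

    def matches(self, principals, honour_exclude=True):
        # principals = the user name plus every AD group the user belongs to.
        if not principals & self.include:
            return False
        return not (honour_exclude and principals & self.exclude)


@dataclass
class DeviceRule:
    name: str
    action: str
    group: AssignmentGroup


def effective_action(rules, user, ad_groups, honour_exclude=True):
    """Return (action, [matching rule names]) for `user`, or (None, []) if nothing matches.
    With several matches the most restrictive action applies (the support quote above)."""
    principals = {user} | set(ad_groups)
    hits = [r for r in rules if r.group.matches(principals, honour_exclude)]
    if not hits:
        return None, []
    worst = max(ACTION_RANK[r.action] for r in hits)
    action = next(a for a, rank in ACTION_RANK.items() if rank == worst)
    return action, [r.name for r in hits]


# Constructed policies mirroring the thread: pierce's single USB rule, and Moniker's two
# CD/DVD rules (rule 5 excludes the user "moniker", rule 6 includes only that user).
USB_POLICY = [
    DeviceRule("Block USB", "Block",
               AssignmentGroup("Everyone minus exclusion", {"Domain Users"}, {"McAfee Exclusion USB"})),
]
CD_POLICY = [
    DeviceRule("5. Block DVD/CD drives", "Block",
               AssignmentGroup("Domain Users minus moniker", {"Domain Users"}, {"moniker"})),
    DeviceRule("6. Monitor DVD/CD drives", "Monitor",
               AssignmentGroup("moniker only", {"moniker"})),
]
```

With exclusions honoured the model gives pierce's result (excluded users get no rule) and a Monitor-only outcome for Moniker; with exclusions ignored it gives the Block plus Monitor pair seen in Moniker's event log.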

                      • 8. Re: HDLP 9.1.100 how to assign policy to everybody and exclude a few people?
                        pierce

                        Hey Moniker,

                         

                        This does work successfully for me, but I am only currently dealing with a single USB block rule and its exceptions. I never tested this with more than one rule, as that's not what I needed, sorry!