I have the same scenario.
Let's assume everyone is Group A. Group A maps to an OU in Active Directory that all users are under.
I have one group of users who use card readers for handheld equipment. Let's call them Group B (mapped to an OU in my structure).
What I do is have 2 different user groups:
Group A includes all users and excludes Group B.
Group B includes just the OU of users who need readers.
You could also map to AD groups instead of OUs, but I do it this way.
You then have to make a device definition for your card reader (by VID/PID).
Make 2 rules: one that is assigned to your "Everyone" Group which blocks all devices except your approved keys.
Another rule is the exact same but excludes the Device definition you set up for the card readers and is assigned to Group B.
The only downfall I have is I now have to maintain 2 rules.
There may be a better way, but this is how I do it.
Thanks for your reply.
I already have what you have described set up at the moment, but I want to lock it down further so they can only delete image files from the SD card, which I can partially do with a Protection Rule.
I am assigning this Rule to the computer rather than the user to lock it down further.