We have a requirement to use McAfee DLP on our Virtual Estate. They have USB functionality in the form of a USB hub.
We already have it successfully installed across the estate so I know the policy works fine.
For dedicated VDI desktops DLP works as expected. For Pooled it does not.
Does anyone know if DLP SHOULD be able to work here on pooled VDIs?
Sorry, of course.
I have a basic rule to block removable storage. I also have a rule to monitor plug n play at the moment and removable storage for the domain these VDIs are on.
Pooled VDIs do not generate any events of any type and all devices can be used.
These VDIs use a USB hub called '52 Technology Link'.
With the dedicated VDIs the removable storage devices are blocked and plug n play detected.
The times I've come across the situation in the past, the VM isn't mounting the drive as a true removable storage device.
With a simple PNP monitor rule for USB and no other definition, does it trigger?
What do the plugged devices show up as when using a program like USBDeview?
It boils down again to how the VM is mounting the drives. If it's mounting in a way that DLP should be able to recognize it, DLP should be able to take action against it.
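
An added example, not part of the original thread: a PowerShell inventory of how the guest OS presents attached storage, to run inside both a dedicated and a pooled desktop and compare. Treating `InterfaceType` of `USB` or a `USBSTOR\` PnP ID as "true removable storage" is an assumption made here for triage, not McAfee's documented matching logic.

```powershell
# Added example: show how Windows inside the VDI guest sees attached storage.
# Run with the USB device plugged in, on a dedicated and on a pooled desktop.

$driveTypeNames = @{ 2 = 'Removable'; 3 = 'Fixed'; 4 = 'Network'; 5 = 'CD-ROM' }

# 1. Physical disks as the guest sees them, mapped to their drive letters.
$disks = foreach ($disk in Get-CimInstance -ClassName Win32_DiskDrive) {
    $letters = Get-CimAssociatedInstance -InputObject $disk -ResultClassName Win32_DiskPartition |
        ForEach-Object { Get-CimAssociatedInstance -InputObject $_ -ResultClassName Win32_LogicalDisk } |
        Select-Object -ExpandProperty DeviceID

    [pscustomobject]@{
        Model         = $disk.Model
        InterfaceType = $disk.InterfaceType   # 'USB', 'SCSI', 'IDE', ...
        MediaType     = $disk.MediaType       # e.g. 'Removable Media'
        DriveLetters  = ($letters -join ',')
        PnpDeviceId   = $disk.PNPDeviceID
        # Assumption: this heuristic stands in for "mounted as real USB storage".
        LooksLikeUsbStorage = ($disk.InterfaceType -eq 'USB' -or
                               $disk.PNPDeviceID -like 'USBSTOR\*')
    }
}
$disks | Format-Table -AutoSize -Wrap

# 2. Volumes that are not fixed disks. A redirected drive that appears here as
#    'Network' (or with no matching row in step 1) is not a local USB disk.
Get-CimInstance -ClassName Win32_LogicalDisk |
    Where-Object { $_.DriveType -ne 3 } |
    Select-Object DeviceID,
                  @{ n = 'DriveType'; e = { $driveTypeNames[[int]$_.DriveType] } },
                  ProviderName, VolumeName |
    Format-Table -AutoSize

# 3. Plug and Play view: which device classes and instance IDs exist at all.
#    If nothing USB-related shows up here, a PnP monitor rule has nothing to see.
Get-PnpDevice -PresentOnly |
    Where-Object { $_.Class -in 'USB', 'DiskDrive', 'WPD' -or $_.InstanceId -like 'USB*' } |
    Sort-Object Class |
    Select-Object Class, FriendlyName, Status, InstanceId |
    Format-Table -AutoSize -Wrap
```

A difference between the two desktop types in step 1 or step 3 (for example, a `USBSTOR\` disk on dedicated but only a network volume on pooled) points at the mounting method rather than the DLP policy.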