4 Replies. Latest reply: Aug 28, 2013 8:28 AM by amunoz

    Device Control - Exclude Computers from Policy


      Greetings - I am testing the Device Control piece of DLP 9.3. Here is what I am trying to do. I want to make CD\DVD drives read-only for All Users, with one exception: we have a set of computers that need to be able to read and write CD\DVDs no matter which user is logged in.


      Here is what I have done so far:


      I created a Device Definition that looks for CD\DVD Drives, then I created a Device Rule that performs the following actions: "Monitor, Notify User, and Read Only". I assigned this rule to a user assignment group that points to an AD group where I have some AD users that I am testing with. This rule works fine; it does make the CD\DVD Drives Read-Only.


      The part that I need help with is how to exclude computers from applying this policy. Here is what I have done to test this piece. I created a new policy in the Policy Catalog under 'Data Loss Prevention' and made it a 'Computers Assignment Group'. In the settings of the policy I selected a Device Rule that I created that Allows Read-Write access to CD\DVD Drives. I then manually applied this policy to a PC that I am testing with. But when I log in to this PC with a user that has the Read-Only User Assignment Policy applied, it makes the CD\DVD Drive Read-Only. It appears that it is not reading the Computer Assignment Group policy.


      In the install guide it has the following regarding computer assignment groups:

      "Computer assignment groups specify which computers are assigned which policies. You can use this feature to apply different policies to groups of computers in your network. When a computer group is assigned specific policies, those policies are enforced on the named computers, and user assignment groups in McAfee DLP Endpoint rules are lost.

      Computer assignment groups is a feature of ePolicy Orchestrator. It is being described here because of the effect on McAfee DLP Endpoint rules. Computer assignment groups are accessed from the Policy Catalog by specifying the Computer Assignment Group Category."


      I am not sure what I am doing wrong. Any help would be appreciated.

        • 1. Re: Device Control - Exclude Computers from Policy

          If you edit the new CAG, have you unticked the 'logged in user' and 'local user' fields for all other rules except your newly created 'allow CD/DVD' device rule?

          • 2. Re: Device Control - Exclude Computers from Policy

            Yes, only the "Allow Write CD\DVD Drive" rule has the 'logged in user' and 'local user' checked. Thanks for your suggestion.

            • 3. Re: Device Control - Exclude Computers from Policy

              Why would you allow ALL users to be able to write CD/DVDs on one machine? The exceptions always need to be user based and not computer based.

              You are creating a security gap by allowing ALL users unrestricted access to CD/DVDs on one machine. My recommendation is to use user based exceptions and not computer based exceptions.


              If you still want Device rules not to work on one computer, and still be able to use User Assignment Groups, create a new Agent Configuration and disable the Device Blocking module under Miscellaneous. Assign this Agent Config only to that one computer.

              This will ensure that none of the Device Rules work on that one computer.

              • 4. Re: Device Control - Exclude Computers from Policy

                We have one department (Medical Records) that is allowed to write CD/DVDs. So my thought was we either allow all the computers in that department to write CD/DVDs or we allow the users in that department. I did not want a user to have the option to go to a computer outside of the department and be able to write CD\DVDs, so I thought it would be better to allow the computers. But it is getting complicated to do computer based exceptions. I think I am going to do user based exceptions. Thanks for your advice.