980 Views 4 Replies Latest reply: Aug 28, 2013 8:28 AM by amunoz
amunoz Newcomer 6 posts since
Nov 27, 2012

Aug 27, 2013 9:35 AM

Device Control - Exclude Computers from Policy

Greetings - I am testing the Device Control piece of DLP 9.3. Here is what I am trying to do. I want to make CD\DVD drives read-only for All Users, with one exception: we have a set of computers that need to be able to read and write CD\DVDs no matter which user is logged in.

Here is what I have done so far

I created a Device Definition that looks for CD\DVD Drives, then I created a Device Rule that performs the following actions: "Monitor, Notify User, and Read Only". I assigned this rule to a user assignment group that points to an AD group where I have some AD users that I am testing with. This rule works fine; it does make the CD\DVD Drives Read-Only.

The part that I need help with is how to exclude computers from applying this policy. Here is what I have done to test this piece. I created a new policy in the Policy Catalog under 'Data Loss Prevention 9.3.0.0:Policies' and made it a 'Computers Assignment Group'. In the settings of the policy I selected a Device Rule that I created that allows Read-Write access to CD\DVD Drives. I then manually applied this policy to a PC that I am testing with. But when I log in to this PC with a user that has the Read-Only User Assignment Policy applied, it makes the CD\DVD Drive Read-Only; it appears that it is not reading the Computer Assignment Group policy.

In the install guide it has the following regarding computer assignment groups:

"Computer assignment groups specify which computers are assigned which policies. You can use this feature to apply different policies to groups of computers in your network. When a computer group is assigned specific policies, those policies are enforced on the named computers, and user assignment groups in McAfee DLP Endpoint rules are lost.

Computer assignment groups is a feature of ePolicy Orchestrator. It is being described here because of the effect on McAfee DLP Endpoint rules. Computer assignment groups are accessed from the Policy Catalog by specifying the Computer Assignment Group Category."

I am not sure what I am doing wrong. Any help would be appreciated.

  • Tristan Veteran 794 posts since
    Dec 8, 2009
    1. Aug 27, 2013 10:42 AM (in response to amunoz)
    Re: Device Control - Exclude Computers from Policy

    If you edit the new CAG, have you unticked the 'logged in user' and 'local user' fields for all other rules except your newly created 'allow CD/DVD' device rule?

  • vimalnavis McAfee SME 207 posts since
    Feb 23, 2010
    3. Aug 27, 2013 1:34 PM (in response to amunoz)
    Re: Device Control - Exclude Computers from Policy

    Why would you allow ALL users to be able to write CD/DVDs on one machine? The exceptions always need to be user based and not computer based.

    You are creating a security gap by allowing ALL users unrestricted access to CD/DVDs on one machine. My recommendation is to use user based exceptions and not computer based exceptions.

    If you still want Device rules not to work on one computer, while still being able to use User Assignment Groups, create a new Agent Configuration and disable the Device Blocking module under Miscellaneous. Assign this Agent Config only to that one computer.

    This will ensure that none of the Device Rules work on that one computer.
