We are about to let ourcustomer know the pros and cons between administrating policies with ADmanagement or manually from ePO in order to restrict computers from usingdevices with McAfee Device Control and we need to gather some info.
¿Ideas? Thank you.
This depends on what you need but this can help:
Do you need a specific computer to never have an USB device connected by anyone or do you need a specific user not to use USB devices on any computer?
For the first option you'll need computer-based policy and for the second option you need user-based policy
Hello Las, thanks forpaying attempt ion to my question.
Well the main question is¿What can it be won/lost by administrating policies by ePO adding the machinesmanually and what can be won/lost by adding the machines automatically with anActive Directory sync?.
When you say "and forthe second option ('a specific user not to use USB devices on any computer')you need user-based policy", ¿is that possible without sync ePO with AD?
There are two different things.
First one is that there's no difference adding computers manually or by an AD sync, it only create computer objects under system tree so it's up to you how you want to add them. If your AD computer groups are up-to-date then an AD sync will add all your computers (if you want to) so you know you are managing all of them.
The second thing is the user policy assignement. This one can only be achieved defining an AD server under Registered Servers and an automated server task that will cache AD users (If I'm right) periodically. The example I posted before was just to make you understand that if (for example) I don't want Mr. Smith to connect a pendrive on a computer then I usually don't want him to connect a pendrive to ANY computer and that's why I need to create a user-basd policy instead of a computer-based policy
Edit: For products like VirusScan (for example) you won't usually need a user-based policy but a computer-based policy
El mensaje fue editado por: ulyses31 on 4/10/13 11:25:46 CEST
We use Ad synch for our computer objects and also synch the OU. When you have a lot of computers and and distributed organization, it makes management a lot easier.
One plus of synching from AD is the ability to know about computers before they are managed in ePO. You could potentially push the agent to those unmanaged devices.