    DLP User Assignment vs Computer Assignment


      I have a basic DLP user assignment vs computer assignment question that I am kind of stuck on.


      I understand how to go into the DLP console in ePO, create the user groups and assign policies to them.


      I understand that I can duplicate a policy and assign rules to it, then select a computer or section of the system tree, and now it's a computer-based assignment.


      During some training that I had, they said that user assignment group rules in DLP are lost if computer assignment is used.


      The part I am trying to wrap my head around: if I want to make sure I am using user assignment group rules only, then do I just assign the "McAfee Default Computer Assignment Group" to the My Org node of the system tree? Is it once I duplicate it and assign it to a system or section in the system tree that it becomes a computer-based rule?


      I think what I am trying to ask is: once I start ticking those boxes in the computer assignment group policy, is that when it becomes a computer policy vs a user group policy?



      I hope the question makes sense.


            I'm currently working on the same issue, I guess, with some success.

            Basically, what I have done is one general policy for all users, deployed at the default location of the system tree. This is for the Agent Configuration and for the Computer Assignment Group, and I'm just looking at storage device rules. Then I created another policy for a particular computer group within the system tree where I want to block devices. All that is saved and uploaded to ePO.

            In ePO, I duplicated the Agent Configuration and the Computer Assignment Group policies and assigned them within the system tree to the group of computers. When you click the policy within the Policy Catalog of ePO, you can select which assignment rules you want to drive.

            It works to some extent but I'm still trying to figure out how to exclude user groups from the restrictions.


              From what I understand, once you copy the policy, start selecting the device rules and apply it to a group of computers, it automatically ignores the user assignment groups (UAG) and only applies the rule set to the selected computers.


              That is how I understood it; I was looking for someone to validate my understanding.


              So from your screenshot, it will apply the Removable Storage Device rule to all computers within your section of the system tree and ignore the user assignments you have attached to that rule.

                So is this intended, or is it a bug? When I hover over the computer assignment group, it still gives me the popup text clearly indicating that this will be applied to the user assignment group of ...


                  User and Computer assignments are two different ways to assign rules. You may use either or both.

                  DLPe always enforces the most restrictive rule.


                  For the most part there is no need to use computer-based assignment. It is typically used if the company does not have an AD infrastructure or certain machines need to be locked down irrespective of the logged-in user.

                    If you assign a policy using a computer assignment group, doesn't it override the UAG?

                      Well, we do have a mixed environment where we want to observe all devices in general (USB, CD-ROM, whatever), but for one department we would like to block USB, as there is a specific application running on some of the workstations, no matter who is logged in. Of course we want to have exceptions to this as well, preferably driven by AD user groups. Currently we control most of it using GPO, but we had the idea to move away from it, as we see that device control is more powerful and not that easy to bypass.

                      Adding different policies to sub-OUs of the system tree, specifying the user groups on top of the computer OU, would solve that issue, but it does not seem to work that way.

                        I get that, and you can use computer assignment for those and UAGs for others.


                        The question I am trying to verify is whether, if computer assignment is used, it overrides any UAG policy that is set in ePO.

                          Found this in the Help Portal:

                          "Computer assignment groups specify which computers are assigned which policies. You can use this feature to apply different policies to groups of computers in your network. When a computer group is assigned specific policies, those policies are enforced on the named computers, and user assignment groups in McAfee DLP Endpoint rules are lost."

