15 Replies Latest reply on Nov 7, 2014 1:40 AM by ninjaneer68

    DLP 9.3 CD/DVD rules


      I am trying to configure DLP rules to allow only a certain AD group to burn CD/DVDs and everyone else in AD will have read only CD/DVD access.  It seems like the only access I am getting is either everyone can burn or everyone is only read access.  Can someone please provide an example of what I may need to do or where to start?


      Thank you

        • 1. Re: DLP 9.3 CD/DVD rules

          Silverss05, you would need 2 user groups and 2 rules to perform this.


          Assume you want to make all users read only except the IT admins group.

          Group 1:

          Include Everyone, exclude IT Admins


          Group 2:

          Include IT Admins


          Your 2 rules are:

          Include CD/DVD, Action - read only, Action - monitor, include Group 1


          Include CD/DVD, Action - monitor, include Group 2


          copied from tonyw

          • 2. Re: DLP 9.3 CD/DVD rules

            Thanks ninjaneer68.


            I want to allow "domain users" read only access, and allow another group "MediaBurners" the ability to burn.

            Group 1: Domain Users

            Include Domain Users, exclude MediaBurners


            Group 2: MediaBurners

            Include MediaBurners




            Read-Only CD/DVD, Action - read only & monitor, include Group 1


            Allow CD/DVD Burning, Action - monitor, include group 2 (MediaBurners)


            Does this sound correct? 

            • 3. Re: DLP 9.3 CD/DVD rules

              That is correct.

              • 4. Re: DLP 9.3 CD/DVD rules

                Yes, that does sound correct. And do you have your device definition for the rule set to DVD/CD?

                • 5. Re: DLP 9.3 CD/DVD rules

                  FYI, there was one thing I noticed lately and haven't had time to look it up to see if it's just me or not.

                  I had a security group that was domain local. When I put it into a UAG it didn't apply a policy against the people in the security group. I am not sure why. But if you want to see if the people you have in the UAG have the policy applied against them:

                  Find the system then click on the products tab then select DLP. Scroll down and see if you see the policy rule name applied against that system that has someone logged into it.

                  I was one of the people in this security group I was testing, then I added my username directly inside the same UAG, then it was being applied to my system.

                  • 6. Re: DLP 9.3 CD/DVD rules

                    I have a similar issue to this as well.  I have set up Domain Admins group as a privileged user group and set to override all.  The settings don't seem to be applying to the group, but if I add a user from within the domain admin group individually the settings apply...

                    • 7. Re: DLP 9.3 CD/DVD rules

                      You might want to check to see if the end user's machine is showing the correct SID for the domain admin group you've applied it to by using gpresult or whoami commands.  KB75675 linked below provides some outlines for this.


                      McAfee KnowledgeBase - Changes to User Assignment Groups for Data Loss Prevention Endpoint 9.x in ePO 4.x are not enforc…

                      • 8. Re: DLP 9.3 CD/DVD rules

                        tonyw, I am not sure how the user's system SID would matter when using UAGs (User Assignment Groups)??

                        ooo wait, after reading your link, you mean if they were just added to the group they would need to log off then back in..... right, following you there



                        silverss05 I will test more this week, but so far I have only noticed it if the security group is DOMAIN LOCAL.

                        • 9. Re: DLP 9.3 CD/DVD rules

                          The "gpresult" command will list the AD groups for the machine while the "whoami /groups" will list the AD groups and their corresponding SID.


                          Under the UAG definition, you are provided the option to Identify LDAP objects using either SID or Name.  SID is the default.  In some environments I've seen user groups in AD not assign properly so the assigned UAG will never enforce.  Gpresult and whoami will show if the local machine has the AD assignment.
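                          A way to script the check tonyw describes (run on the endpoint as the logged-on user), as an added example that is not part of this thread or of the DLP product; the group name is hypothetical and the scope check assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example, not from the thread. Confirms that the logged-on user's token
# carries the AD group a DLP UAG points at, matched by SID (the UAG default),
# and reports the group's scope, since Domain Local groups were reported above
# as not enforcing. Usage: .\Check-UagGroup.ps1 -GroupName 'CONTOSO\MediaBurners'
param(
    [Parameter(Mandatory)] [string]$GroupName   # hypothetical group name
)

# Resolve the group name to its SID, the value the UAG keys on when "Identify by SID" is used.
$sid = ([System.Security.Principal.NTAccount]$GroupName).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# whoami /groups /fo csv yields columns "Group Name","Type","SID","Attributes".
$tokenGroups = whoami /groups /fo csv | ConvertFrom-Csv

$match = $tokenGroups | Where-Object { $_.SID -eq $sid }
if ($match) {
    "OK: current token contains $GroupName ($sid) as type '$($match.Type)'"
} else {
    "MISSING: $GroupName ($sid) is not in the current token; " +
    "if membership was just changed, log off and back on so the token is rebuilt"
}

# Group scope check (assumes RSAT ActiveDirectory module; skipped if absent).
if (Get-Command Get-ADGroup -ErrorAction SilentlyContinue) {
    $scope = (Get-ADGroup -Identity $sid).GroupScope
    if ($scope -eq 'DomainLocal') {
        "Scope: $scope (this scope was reported above as not enforcing in a UAG)"
    } else {
        "Scope: $scope"
    }
}
```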
