This is by design. If one rule blocks a device, the device is blocked. If you want to manage one or more specific devices in detail, you have to configure one rule for them.
But in your scenario, it works as expected: one block rule matches and blocks the device.
If a rule that is configured to take no action is blocking devices, then yes, you have a potential bug. Easy way to test: if you disable the rule to take no action, does it continue to block CD/DVD or whatever device you expect to be allowed?
Alternatively, if you have the rules configured to generate incidents and the device is being blocked it should tell you explicitly which rule applied the block to the device. With that information you can tweak whichever rule to correctly exclude the device.
I have the same problem with an Integral encrypted USB stick. It presents itself as a CD drive so you can run the password input program to unlock the drive.
I find the Device Control configuration so arcane that I cannot for the life of me figure out how to whitelist this device when it presents itself as a CD drive, but still block all other USB CD drives. All the obvious attempts just do not work, or end up with Device Control giving up and not blocking anything.
Is there an implementable solution to this one which doesn't require a brain the size of the universe?
It's hard to say how you will need to configure your rule without looking at how it is currently configured. Can you provide a screenshot of the incident you receive when the encrypted USB drive is being blocked? If you are willing, you can provide an export of your DLP policy and we can take a look, or alternatively screenshots of the rule configuration on the policy that is currently blocking the encrypted USB.
No, I can't post anything useful because I haven't got a clue what would be useful...
The product documentation is dire.
The ePO help file doesn't help at all.
The YouTube tutorials are not printable or useful in any way.
The product has been designed by people who have no clue about end-user (i.e. sysadmin) usability.
Despite being of well-above-average intelligence and long experience in IT (including assembly language programming) this product has me totally flummoxed.
Got it mostly working but the product still lacks obvious capabilities.
e.g. exceptions for a device which is used by members of a group.
You can make an exception for a device, or for a group of users, but not the combination.
Might be able to work around by multiple rules, but even the group membership rules don't allow for "not a member of this active directory group", or am I missing something?
Before we get into what the product is, or is not, capable of doing we should probably start with what version of DLPe you are running. Features and limitations can differ drastically between product versions.
Later versions of DLPe have the option to exclude devices based on device definition and user group OR a device serial number / user ID pair (note this is an individual user ID and not a group). Excluding a single specific device is dependent on the device drivers actually providing a serial number for us to use in the DLP rules. If one is not available you can potentially use a volume serial number though that will change if the drive is formatted. You can achieve the same end result on older versions though the configuration is slightly more roundabout.
The product is reliant on what information is provided by the OS - so, if a device utilizes a driver that loads as a CD drive and then mounts a separate 'removable storage' volume after the fact it would unfortunately require two separate definitions to either block/allow whichever portions you want/don't want the user to protect. I know that historically Ironkey encrypted USB drives have used this method.