3 Replies Latest reply on Oct 6, 2016 11:36 AM by hhoang

    DLP 9.3 desktop/laptop policy difference

    bothari

      Hi, we have DLP 9.3 installed and would like to do this: for user X, we would like USB ports to be disabled on the desktop machine but enabled on the laptop machine. Is there a way to do this?

       

      Regards,

        • 1. Re: DLP 9.3 desktop/laptop policy difference
          hhoang

          You can either create an Active Directory security group, assign your laptop users to this group, and use that group as a user group assignment for DLP, or use computer assignment groups and apply that policy to systems that have a 'laptop' tag. You can create a system tree tag based on the 'isLaptop' value that is reported to EPO. McAfee agent 5.x and later should use battery power being present to determine whether or not a system is a laptop.

          • 2. Re: DLP 9.3 desktop/laptop policy difference
            bothari

            Hi,

             

            This part would interest me: "use computer assignment groups and apply that policy to systems that have a 'laptop' tag.  You can create a system tree tag based on the 'isLaptop' value that is reported to EPO.  McAfee agent 5.x and later should use battery power being present to determine whether or not a system is a laptop." But I haven't found a guide anywhere. Could you please (please, please) describe how to do this?

             

            Thank you, regards

            • 3. Re: DLP 9.3 desktop/laptop policy difference
              hhoang

              To clarify, computer assignment group (CAG) policies will take precedence over user assignment groups (UAG). So, if you have a need for user-specific reactions on laptops, this may not be the best solution for you.

               

              To set up the tag: Menu > Tag Catalog

              Follow along with the tag creation wizard; it should be pretty straightforward. When you get to the criteria tab, there will be an 'is laptop' value you can select from the left pane and set to 'equals yes'. The evaluation tab determines when the tag analysis would be done. You would probably want this at every agent-to-server communication.

               

              Configure your CAG: Menu > Policy catalog > DLP > Computer assignment group (edit)

              Select all the rules that you want the policy to apply.

               

              Apply the policy based on tag:  Menu > Policy assignment rules > New assignment rule > Select 'system based rule' > select your DLP CAG policy to be applied > select the tag you created as the criteria