I have created a policy for Windows endpoint products to block external USB devices. In the policy there are 2 rules, in order (top to bottom):
First - allow RW access to USB storage devices for a specific AD group
Second - block access to USB storage devices outright
The AD group has been added via the synced groups from AD into ESMC.
The questions (TL;DR):
What resolves the security context for a user belonging to an AD group for ESET Device Management?
What actions does an admin need to perform after adding a user to the AD exceptions group to force the workstation to allow the user to access USB?
There are seemingly 3 options:
1. ESMC server - after a server task syncing that group (i.e. there is a cache as to who belongs to that group).
2. ESMC server - by request of the Endpoint product (unlikely IMO).
3. ESET Endpoint product (or Agent) - via the currently loaded security context.
After some tests it seems like option 3 is most likely.
I definitely did not touch the server sync task in ESMC, which only triggers once a day. After a combination of logging off/logging in and sending wake-up calls to the workstation via ESMC, the USB storage permissions were updated per the changes in the AD group. I just can't seem to narrow down exactly what forces the security context update for ESET Endpoint Antivirus's Device Control.
All testing was done applying the policy to a single domain-joined workstation and using the same domain account.
ESMC server version: 7.0.577.0
Endpoint product version: 7.1.2053.0
ESET management agent version: 7.0.577.0
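As an added example (not part of the original post, and not ESET's code), the following PowerShell compares the group SIDs present in the current Windows logon token with the AD group's membership as Directory Services currently reports it. Group SIDs in a logon token are fixed when the token is created at logon, so an AD membership change made after logon does not appear in that token until the user logs off and on again; whether ESET Device Control consults that token or something else is exactly the open question above, and this script only makes the token side observable. It assumes the RSAT ActiveDirectory module is installed on the workstation and uses a hypothetical group name 'USB-RW-Allowed' that should be replaced with the real exception group.

```powershell
# Added example, not from the original post or from ESET.
# Assumptions: ActiveDirectory module (RSAT) available; run in the session of
# the domain user being tested; 'USB-RW-Allowed' is a hypothetical group name.
$GroupName = 'USB-RW-Allowed'

# 1. Group SIDs in the current session's logon token. These are assigned at
#    logon and do not change for the life of the token.
$token       = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids   = $token.Groups | ForEach-Object { $_.Value }

# 2. Group membership as AD currently reports it (nested membership included).
Import-Module ActiveDirectory -ErrorAction Stop
$adGroup     = Get-ADGroup -Identity $GroupName
$adMembers   = Get-ADGroupMember -Identity $GroupName -Recursive |
               Select-Object -ExpandProperty SamAccountName

$inToken = $tokenSids -contains $adGroup.SID.Value
$inAD    = $adMembers  -contains $env:USERNAME

# A user who is in AD membership but not in the token has a stale logon token;
# a log off/log on (or a new token) is needed before Windows itself sees the change.
[pscustomobject]@{
    User           = $token.Name
    Group          = $adGroup.SamAccountName
    GroupSid       = $adGroup.SID.Value
    InLogonToken   = $inToken
    InADMembership = $inAD
    TokenIsStale   = ($inAD -and -not $inToken)
}
```

Running this before and after adding the account to the group, and again after a log off/log on, shows at which step the Windows token picked up the new SID. `whoami /groups` gives the same token view without PowerShell if the ActiveDirectory module is not installed; the AD-side check then has to be done from a machine that has it.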