leviu
Posted July 31, 2019 (edited)

I have created a policy for Windows endpoint products to block external USB devices. In the policy there are 2 rules in order (top to bottom):

1. Allows RW to USB storage device for a specific AD group
2. Block access to USB storage devices outright

The AD group has been added via the synced groups from AD into ESMC.

The questions (TL;DR):

- What resolves the security context for a user belonging to an AD group for ESET Device management?
- What actions does an admin need to perform after adding a user to the AD exceptions group to force the workstation to allow the user to access USB?

There are seemingly 3 options:

1. ESMC server - after a server task of syncing that group (i.e. there is a cache as to who belongs to that group).
2. ESMC server - by request of Endpoint Product (unlikely IMO).
3. ESET Endpoint product (or Agent) - via currently loaded security context.

After some tests it seems like option 3 is most likely. I definitely did not touch the server sync task in ESMC, which triggers every day only. After a combination of logging off/logging in and sending wake up calls to the workstation via ESMC, the USB storage permissions were updated per the changes in the AD group. I just can't seem to narrow down exactly what forces the security context update for ESET Endpoint Antivirus's Device Control.

All testing was done applying the policy to a single domain-joined workstation and using the same domain account.

ESMC server version: 7.0.577.0
Endpoint product version: 7.1.2053.0
ESET management agent version: 7.0.577.0

Edited July 31, 2019 by leviu (grammar)
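
One way to test option 3 from the post above, as an added example (not part of the original post and not ESET tooling): it compares the group SIDs in the current Windows logon token with the membership Active Directory reports right now. The group name `USB-Storage-Exceptions` is a placeholder, and whether Device Control evaluates the logged-on user's token is an assumption the post does not confirm.

```powershell
# Added diagnostic sketch; not ESET tooling. Run as the affected domain user
# on the domain-joined workstation.
param(
    [string]$GroupName = 'USB-Storage-Exceptions'   # placeholder, not from the post
)

$sidType = [System.Security.Principal.SecurityIdentifier]

# SID of the exception group, resolved against the user's domain.
$account  = [System.Security.Principal.NTAccount]"$env:USERDOMAIN\$GroupName"
$groupSid = $account.Translate($sidType).Value

# 1. Group SIDs in the access token of the current logon session.
#    Windows builds this list at logon; it does not follow later AD changes.
$tokenSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object { $_.Value }

# 2. Group SIDs the directory computes for the account right now.
#    tokenGroups is a constructed attribute, so it must be requested explicitly.
$searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
$result   = $searcher.FindOne()
if (-not $result) { throw "Account $env:USERNAME not found in the directory." }
$entry = $result.GetDirectoryEntry()
$entry.RefreshCache(@('tokenGroups'))
$adSids = $entry.Properties['tokenGroups'] | ForEach-Object {
    [System.Security.Principal.SecurityIdentifier]::new([byte[]]$_, 0).Value
}

# A mismatch means the logon session predates the AD group change.
$inToken = $tokenSids -contains $groupSid
$inAD    = $adSids -contains $groupSid
[pscustomobject]@{
    Group          = $GroupName
    InLogonToken   = $inToken
    InDirectoryNow = $inAD
    TokenIsStale   = ($inToken -ne $inAD)
}
```

Running it right after the group change and again after logging off and on shows whether the point at which USB access changes coincides with the token being rebuilt.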