helis

Device Control Policies


I'm trying to create a device control policy that is as follows:

1. All usb storage devices are blocked by default on the clients.

2. On some individual clients some particular usb storage devices (specified by their serial numbers) are allowed either for read-only or for full access.

3. On some individual clients all usb storage devices are allowed for full access.

 

When I tried doing it on a local machine with Endpoint 7 installed, I created multiple rules: one that blocks all usb storage devices and several others that allow certain devices. I placed the blocking rules at the bottom of the list and everything worked as intended.

But now that I'm trying to create a policy in ESMC, I've run into a strange issue. What I'm trying to do is block all devices via the policy and then allow certain devices on client machines individually. The settings on local machines are password-protected, so they won't be editable just by anyone. But as soon as I create a blocking rule, the setting becomes uneditable for clients. If I try to make it editable for clients, the rule vanishes and I get a warning:

> Important: entered values will be saved only for settings that are applied. Any values entered in settings that are not applied will be lost when saving the policy. Duplicate the policy to keep a copy of entered data.

I for the life of me can't understand what it's trying to convey. What does it mean, "applied"? Isn't that what I'm doing, applying settings?..

I'm at a bit of a loss, what to do here. Would someone help me out?

Edited by helis


The message means that you first added some Device Control rules but then clicked on the far left circle which effectively removed the setting and the already created rules from the policy.

In order for a specific setting to be applied by a policy, you must select the dot icon in the middle. In order to enforce a setting over other policies, select the flash icon on the right.

image.png

 

image.png


Thank you for your reply, Marcos, but as I said, what you're suggesting doesn't work either. I'll just illustrate what I'm doing:

1. Before I do anything:

hxxp://puu.sh/E8f9v/594d86f669.png

2. After I click "Edit":

hxxp://puu.sh/E8fcG/52cfbdde72.png

3. I add a rule

hxxp://puu.sh/E8fdi/28a413cbf1.png

hxxp://puu.sh/E8fdw/891ddd384a.png

4. I click "Save". Voila, the rules are not editable on clients

hxxp://puu.sh/E8fe3/f7408cc858.png

5. I click the icon you've marked as "2"

hxxp://puu.sh/E8ff3/ea3b2bc041.png

6. And then "OK" in the warning window

hxxp://puu.sh/E8fg4/eb1412ed21.png

7. The rule is still there if I press edit

hxxp://puu.sh/E8fjb/8cb2fdf26a.png

Ok, so I'm happy, I press "Finish", get a "Policy saved" message, hooray. However, if I try to edit it again, guess what, here's the rules window:

8. hxxp://puu.sh/E8fkw/eb3db2d2e3.png

 

And no, if I apply the policy for some client machine, even before step 8, the rules are not editable. That's why I'm kinda confused.


The thing is you must not click the icon marked as 2, otherwise any changes made in the rule editor will be lost when you save the policy and re-open it for editing.

Make sure it looks like this

image.png

or like this when you save the policy:

image.png


Yes, I got that, but I need the rules to be editable on clients, so what do I do then?

PS Sorry for the mess with the links, I was editing that out, but you've replied already, so there's no point I guess.

Edited by helis


Any settings set by a policy will not be editable on clients. Policy settings can be edited only by administrators on the ESMC server.

You can only append or prepend rules to existing ones on clients:

image.png

Replace means that the rules will be replaced on clients without an option for users to set up their own rules.

Policies can be overridden only temporarily on clients in a so-called override mode that must be first permitted and configured via a policy:

image.png


Ahhh, I think I finally get it. Instead of making settings on individual clients, I should create individual policies which would contain only this specific setting overriding that of the main policy. Is this how it's supposed to be done?


Yes, I would put those users into static groups and assign separate policies to them.


I see, gonna try doing that tomorrow. Thank you!

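A simplified model of the outcome of this thread, added here as an example and not part of any post or of ESET's code: a block-all base policy combined with per-group policies in prepend, append or replace mode. It assumes the merged list is checked top-down with the first match winning, which is consistent with the opening post's observation that the blocking rule works at the bottom of the list; group names, serial numbers and function names are made up.

```python
# Simplified model of rule-list merging and top-down evaluation; not ESET code.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                    # "block", "read_only" or "read_write" (model names)
    serial: Optional[str] = None   # None matches any USB storage device


def merge(base, extra, mode):
    """Combine a parent policy's rule list with a child policy's list."""
    if mode == "replace":
        return list(extra)
    if mode == "prepend":
        return list(extra) + list(base)
    if mode == "append":
        return list(base) + list(extra)
    raise ValueError(f"unknown merge mode: {mode}")


def decide(rules, serial, default="read_write"):
    """Return the action of the first rule that matches the device."""
    for rule in rules:
        if rule.serial is None or rule.serial == serial:
            return rule.action
    return default  # assumption: no matching rule leaves the device unrestricted


# Constructed sample data: serial numbers and group names are made up.
BASE = [Rule("block")]  # main policy: block all USB storage
GROUP_POLICIES = {
    "finance": ("prepend", [Rule("read_only", "SN-AAA111"),
                            Rule("read_write", "SN-BBB222")]),
    "it-admins": ("replace", [Rule("read_write")]),
    "misordered": ("append", [Rule("read_write", "SN-BBB222")]),
}


def effective_action(group, serial):
    """Action a client gets: base rules alone, or merged with its group policy."""
    if group not in GROUP_POLICIES:
        return decide(BASE, serial)
    mode, extra = GROUP_POLICIES[group]
    return decide(merge(BASE, extra, mode), serial)


if __name__ == "__main__":
    for group in (None, "finance", "it-admins", "misordered"):
        for serial in ("SN-AAA111", "SN-BBB222", "SN-ZZZ999"):
            print(f"{group!s:11} {serial}: {effective_action(group, serial)}")
```

The "misordered" group shows the failure mode to check for after assigning a group policy: an allow rule appended below the block-all rule is never reached in this model.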
