helis 0 Posted August 22, 2019 Share Posted August 22, 2019 (edited) I'm trying to create a device control policy that is as follows: 1. All usb storage devices are blocked by default on the clients. 2. On some individual clients some particular usb storage devices (specified by their serial numbers) are allowed either for read-only or for full access. 3. On some individual clients all usb storage devices are allowed for full access. When I tried doing it on a local machine with Endpoint 7 installed, I created multiple rules: one that blocks all usb storage devices and several others that allow certain devices. I placed the blocking rules at the bottom of the list and everything worked as intended. But now that I'm trying to create a policy in ESMC, I've run into strange issue. What I'm trying to do is block all devices via the policy and then allow certain devices on client machines individually. The settings on local machines are password-protected, so they won't be editable just by anyone. But as soon as I create a blocking rule, the setting becomes uneditable for clients. If I try to make it editable for clients, the rule vanishes and I get a warning: > Important: entered values will be saved only for settings that are applied. Any values entered in settings that are not applied will be lost when saving the policy. Duplicate the policy to keep a copy of entered data. < I for the life of me can't understand what it's trying to convey. What does it mean, "applied"? Isn't that what I'm doing, applying settings?.. I'm at a bit of a loss, what to do here. Would someone help me out? Edited August 22, 2019 by helis Link to comment Share on other sites More sharing options...
Administrators Marcos 5,070 Posted August 22, 2019 Administrators Share Posted August 22, 2019 The message means that you first added some Device Control rules but then clicked on the far left circle which effectively removed the setting and the already created rules from the policy. In order for a specific setting to be applied by a policy, you must select the dot icon in the middle. In order to enforce a setting over other policies, select the flash icon on the right. Link to comment Share on other sites More sharing options...
helis 0 Posted August 22, 2019 Author Share Posted August 22, 2019 Thank you for your reply, Marcos, but as I said, what you're suggesting doesn't work either. I'll just illustrate what I'm doing: 1. Before I do anything: hxxp://puu.sh/E8f9v/594d86f669.png 2. After I click "Edit": hxxp://puu.sh/E8fcG/52cfbdde72.png 3. I add a rule hxxp://puu.sh/E8fdi/28a413cbf1.png hxxp://puu.sh/E8fdw/891ddd384a.png 4. I click "Save". Voila, the rules are not editable on clients hxxp://puu.sh/E8fe3/f7408cc858.png 5. I click the icon you've marked as "2" hxxp://puu.sh/E8ff3/ea3b2bc041.png 6. And then "OK" in the warning window hxxp://puu.sh/E8fg4/eb1412ed21.png 7. The rule is still there if I press edit hxxp://puu.sh/E8fjb/8cb2fdf26a.png Ok, so I'm happy, I press "Finish", get "Policy saved" message, horray. However, if I try to edit it again, guess what, here's the rules window: 8. hxxp://puu.sh/E8fkw/eb3db2d2e3.png And no, if I apply the policy for some client machine, even before step 8, the rules are not editable. That's why I'm kinda confused. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,070 Posted August 22, 2019 Administrators Share Posted August 22, 2019 The thing is you must not click the icon marked as 2, otherwise any changes made in the rule editor will be lost when you save the policy and re-open it for editing. Make sure it looks like this or like this when you save the policy: Link to comment Share on other sites More sharing options...
helis 0 Posted August 22, 2019 Author Share Posted August 22, 2019 (edited) Yes, I got that, but I need the rules to be editable on clients, so what do I do then? PS Sorry for the mess with the links, I was editing that out, but you've replied already, so there's no point I guess. Edited August 22, 2019 by helis Link to comment Share on other sites More sharing options...
Administrators Marcos 5,070 Posted August 22, 2019 Administrators Share Posted August 22, 2019 Any settings set by a policy will not be editable on clients. Policy settings can be edited only by administrators on the ESMC server. You can only append or prepend rules to existing ones on cliets: Replace means that the rules will be replaced on clients without an option for users to set up their own rules. Policies can be overridden only temporarily on clients in a so-called override mode that must be first permitted and configured via a policy: Link to comment Share on other sites More sharing options...
helis 0 Posted August 22, 2019 Author Share Posted August 22, 2019 Ahhh, I think I finally get it. Instead of making settings on individual clients, I should create individual policies which would contain only this specific setting overriding that of the main policy. Is this how it's supposed to be done? Link to comment Share on other sites More sharing options...
Administrators Marcos 5,070 Posted August 22, 2019 Administrators Share Posted August 22, 2019 Yes, I would put those users into static groups and assign separate policies to them. Link to comment Share on other sites More sharing options...
helis 0 Posted August 22, 2019 Author Share Posted August 22, 2019 I see, gonna try doing that tomorrow. Thank you! Link to comment Share on other sites More sharing options...
Recommended Posts