
Device Control Policies



I'm trying to create a device control policy that is as follows:

1. All USB storage devices are blocked by default on the clients.

2. On some individual clients some particular USB storage devices (specified by their serial numbers) are allowed either for read-only or for full access.

3. On some individual clients all USB storage devices are allowed for full access.

 

When I tried doing it on a local machine with Endpoint 7 installed, I created multiple rules: one that blocks all USB storage devices and several others that allow certain devices. I placed the blocking rules at the bottom of the list and everything worked as intended.

But now that I'm trying to create a policy in ESMC, I've run into a strange issue. What I'm trying to do is block all devices via the policy and then allow certain devices on client machines individually. The settings on local machines are password-protected, so they won't be editable just by anyone. But as soon as I create a blocking rule, the setting becomes uneditable for clients. If I try to make it editable for clients, the rule vanishes and I get a warning:

> Important: entered values will be saved only for settings that are applied. Any values entered in settings that are not applied will be lost when saving the policy. Duplicate the policy to keep a copy of entered data.

I for the life of me can't understand what it's trying to convey. What does it mean, "applied"? Isn't that what I'm doing, applying settings?..

I'm at a bit of a loss as to what to do here. Would someone help me out?

Edited by helis
  • Administrators

The message means that you first added some Device Control rules but then clicked on the far left circle which effectively removed the setting and the already created rules from the policy.

In order for a specific setting to be applied by a policy, you must select the dot icon in the middle. In order to enforce a setting over other policies, select the flash icon on the right.

image.png

 

image.png


Thank you for your reply, Marcos, but as I said, what you're suggesting doesn't work either. I'll just illustrate what I'm doing:

1. Before I do anything:

hxxp://puu.sh/E8f9v/594d86f669.png

2. After I click "Edit":

hxxp://puu.sh/E8fcG/52cfbdde72.png

3. I add a rule

hxxp://puu.sh/E8fdi/28a413cbf1.png

hxxp://puu.sh/E8fdw/891ddd384a.png

4. I click "Save". Voila, the rules are not editable on clients

hxxp://puu.sh/E8fe3/f7408cc858.png

5. I click the icon you've marked as "2"

hxxp://puu.sh/E8ff3/ea3b2bc041.png

6. And then "OK" in the warning window

hxxp://puu.sh/E8fg4/eb1412ed21.png

7. The rule is still there if I press edit

hxxp://puu.sh/E8fjb/8cb2fdf26a.png

Ok, so I'm happy, I press "Finish", get a "Policy saved" message, hooray. However, if I try to edit it again, guess what, here's the rules window:

8. hxxp://puu.sh/E8fkw/eb3db2d2e3.png

 

And no, if I apply the policy for some client machine, even before step 8, the rules are not editable. That's why I'm kinda confused.

  • Administrators

The thing is you must not click the icon marked as 2, otherwise any changes made in the rule editor will be lost when you save the policy and re-open it for editing.

Make sure it looks like this

image.png

or like this when you save the policy:

image.png


Yes, I got that, but I need the rules to be editable on clients, so what do I do then?

PS Sorry for the mess with the links, I was editing that out, but you've replied already, so there's no point I guess.

Edited by helis
  • Administrators

Any settings set by a policy will not be editable on clients. Policy settings can be edited only by administrators on the ESMC server.

You can only append or prepend rules to existing ones on clients:

image.png

Replace means that the rules will be replaced on clients without an option for users to set up their own rules.

Policies can be overridden only temporarily on clients in a so-called override mode that must be first permitted and configured via a policy:

image.png


Ahhh, I think I finally get it. Instead of making settings on individual clients, I should create individual policies which would contain only this specific setting overriding that of the main policy. Is this how it's supposed to be done?
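
A simplified model of the arrangement this thread arrives at (a base policy that blocks everything, plus a small per-client policy whose rule list is merged in with append, prepend or replace), added here as an illustration; it is not ESET code and not part of any post above. It assumes rules are evaluated top-down with the first match winning, as the first post's note about placing the blocking rule last suggests, and that a device matching no rule is unrestricted; the `Rule` class, function names and serial numbers are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "block", "read_only" or "read_write"
    serial: Optional[str] = None  # None matches any USB storage device


def merge(base: List[Rule], local: List[Rule], mode: str) -> List[Rule]:
    """Combine the base policy's rule list with a more specific policy's list."""
    if mode == "prepend":   # specific rules end up above the base rules
        return local + base
    if mode == "append":    # specific rules end up below the base rules
        return base + local
    if mode == "replace":   # base rules are discarded entirely
        return list(local)
    raise ValueError(f"unknown merge mode: {mode}")


def decide(rules: List[Rule], serial: str) -> str:
    """Return the action of the first matching rule (assumed top-down order)."""
    for rule in rules:
        if rule.serial is None or rule.serial == serial:
            return rule.action
    return "read_write"  # assumption: no matching rule means no restriction


# Constructed sample policies mirroring the three requirements in the first post.
BASE = [Rule("block")]                                # 1. block all by default
PC_A = [Rule("read_only", "SN-CONSTRUCTED-0001"),     # 2. per-serial exceptions
        Rule("read_write", "SN-CONSTRUCTED-0002")]
PC_B = [Rule("read_write")]                           # 3. allow everything

if __name__ == "__main__":
    for mode in ("prepend", "append", "replace"):
        rules = merge(BASE, PC_A, mode)
        for serial in ("SN-CONSTRUCTED-0001", "SN-UNKNOWN"):
            print(f"{mode:8} {serial:20} -> {decide(rules, serial)}")
```

Under these assumptions only prepend gives the intended result: append leaves the exceptions shadowed by the block-all rule, and replace drops the block-all rule so unlisted devices are no longer blocked.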

This topic is now closed to further replies.