Device Control - Can it be performed back to front?

Hi

Bit of a weird one this.

We would like to make use of Device Control.  I have managed to get the policies working and I am quite happy with how it works in general.

I can currently block all USB Storage Devices and put exceptions in to allow individual devices.  This is great.

However

What I would like to do is use the policy in reverse.  I would like to allow all USB Storage Devices but be able to block individual USB devices. 

Has anyone tried this?  I have tried to set up the policy to do this, but when you allow everything the exception will only allow full control or read only, not block.

Any ideas?

Regards

Stuart

  • Hi Stuart,

    This isn't currently feasible. There is always a trade-off between policy complexity and functionality, and when we implemented the device control policy we thought that most customers would want to generically block and then authorize specific devices as opposed to the other way around. We've talked about adding a monitor-only action per device, and in principle it would then be possible to add an exception which then blocked specific devices - I think that would meet your need. I'll raise a feature request on your behalf anyway.

    Thanks,

    John

    PS: if this is a must-have requirement, one option is to look at SafeGuard Configuration Protection: http://www.sophos.com/products/enterprise/encryption/safeguard-enterprise/configuration-protection/
