Device Control - merging Device and User Policy

Hi Sven,

Thanks for reaching out to us.

Only 1 policy will be applied to the device at a time. Policy processing from Sophos Central will occur in a top-down fashion. You can block a device either based on:
Instance ID - Identifier for the specific peripheral
Model ID - Identifier for the model of peripheral

You could create 2 different policies, one device-based policy with the scanner allowed using Instance ID, then a second policy (user-based this time) higher in the list applied to the user in question with the USB allowed and scanner blocked.

The base policy can be changed to block the scanner on all devices.

When all other users log into the concerned device, if they don't have another Peripheral Control policy assigned to their user specifically, the device-based policy will take precedence. 
When the USB-user signs in to the concerned device, their user-based policy (top of the policy list) will apply first and as a result, allow the USB and prevent usage of the scanner. 

Let me know if this will work for you. 

Hi Sven,

Thanks for reaching out to us.

Only 1 policy will be applied to the device at a time. Policy processing from Sophos Central will occur in a top-down fashion. You can block a device either based on:
Instance ID - Identifier for the specific peripheral
Model ID - Identifier for the model of peripheral

You could create 2 different policies, one device-based policy with the scanner allowed using Instance ID, then a second policy (user-based this time) higher in the list applied to the user in question with the USB allowed and scanner blocked.

The base policy can be changed to block the scanner on all devices.

When all other users log into the concerned device, if they don't have another Peripheral Control policy assigned to their user specifically, the device-based policy will take precedence. 
When the USB-user signs in to the concerned device, their user-based policy (top of the policy list) will apply first and as a result, allow the USB and prevent usage of the scanner. 

Let me know if this will work for you. 

First I do not think Instance ID is peripheral and andpoint, it is only an option to allow one special device on all computers.

Model ID is all devices of same type.

Instance ID is this special device.

What customer need. Merging Device Control Policies.

All User allowed to use Scanner on on special Computer via Device Rule.

One User is allowed to use a special USB Stick.

When this user is using the Scanner Computer, he is not allowed to use the scanner or the USB stick, depending which rule comes first.

It is no option to add the scanner to the User rule, because then he is able to use it on every computer.

Sven

Thank you for correcting me there. I have edited my comment so that it is now accurate. 

Merging Device Control Policies is not possible, however, you can still define the same settings in Policy 2 as you have in Policy 1. Policy 2 will just have an exception for the USB stick. 

I will reach out to you via PM to inquire further, I believe the proposed solution in my original comment will still work.