Device Control - merging Device and User Policy

Hello,

is it possible to merge a Device Control Policy which is for a device, with a user policy.

Example.

There is a Computer with a Scanner, this Computer has a device policy and the scanner is allowed. Every User is able to use the scanner on this PC and nowhere else.

One User is allowed to use a USB Stick through a user policy.

When this User is using the Computer, he is able to use the USB Stick, but not the Scanner.

The Policies should be merged, is this possible?

Sven



replaced "add" with "merge" to make query clearer
[edited by: QC at 8:56 AM (GMT -7) on 5 Apr 2022]
Parents
  • Hi Sven,

    Thanks for reaching out to us.

    Only 1 policy will be applied to the device at a time. Policy processing from Sophos Central will occur in a top-down fashion. You can block a device either based on:
    Instance ID - Identifier for the specific peripheral
    Model ID - Identifier for the model of peripheral

    You could create 2 different policies, one device-based policy with the scanner allowed using Instance ID, then a second policy (user-based this time) higher in the list applied to the user in question with the USB allowed and scanner blocked.

    The base policy can be changed to block the scanner on all devices.

    When all other users log into the concerned device, if they don't have another Peripheral Control policy assigned to their user specifically, the device-based policy will take precedence. 
    When the USB-user signs in to the concerned device, their user-based policy (top of the policy list) will apply first and as a result, allow the USB and prevent usage of the scanner. 

    Let me know if this will work for you. 

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Reply
  • Hi Sven,

    Thanks for reaching out to us.

    Only 1 policy will be applied to the device at a time. Policy processing from Sophos Central will occur in a top-down fashion. You can block a device either based on:
    Instance ID - Identifier for the specific peripheral
    Model ID - Identifier for the model of peripheral

    You could create 2 different policies, one device-based policy with the scanner allowed using Instance ID, then a second policy (user-based this time) higher in the list applied to the user in question with the USB allowed and scanner blocked.

    The base policy can be changed to block the scanner on all devices.

    When all other users log into the concerned device, if they don't have another Peripheral Control policy assigned to their user specifically, the device-based policy will take precedence. 
    When the USB-user signs in to the concerned device, their user-based policy (top of the policy list) will apply first and as a result, allow the USB and prevent usage of the scanner. 

    Let me know if this will work for you. 

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Children
  • First I do not think Instance ID is peripheral and andpoint, it is only an option to allow one special device on all computers.

    Model ID is all devices of same type.

    Instance ID is this special device.

    What customer need. Merging Device Control Policies.

    All User allowed to use Scanner on on special Computer via Device Rule.

    One User is allowed to use a special USB Stick.

    When this user is using the Scanner Computer, he is not allowed to use the scanner or the USB stick, depending which rule comes first.

    It is no option to add the scanner to the User rule, because then he is able to use it on every computer.

    Sven

  • Thank you for correcting me there. I have edited my comment so that it is now accurate. 

    Merging Device Control Policies is not possible, however, you can still define the same settings in Policy 2 as you have in Policy 1. Policy 2 will just have an exception for the USB stick. 

    I will reach out to you via PM to inquire further, I believe the proposed solution in my original comment will still work.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids