Video Screencast Help
Protect Your POS Environment Against Retail Data Breaches. Learn More.

Allow Admins to Enable, Disable Device Control for temporary on client machine

Created: 04 Feb 2013 | 6 comments
Amir Mahook's picture

 

Dear all,

Is there is any solution to enable USB for temporary that is already blocked by using SEP - Device control component. The current workaround in mind is to create another group with different allowed policy and then move the client to the enabled USB group. Then admin need to return it back to blocked group manually.

So how can we have automation process?  

Discussion Filed Under:

Comments 6 CommentsJump to latest comment

.Brian's picture

How to block USB flash drives while allowing other USB devices.

Article:TECH104299  |  Created: 2008-01-28  |  Updated: 2012-02-21  |  Article URL http://www.symantec.com/docs/TECH104299

 

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Ajit Jha's picture

There is no as such option in SEPM to block USB or Allow USB on Temporary basis. All you can do is Allow certain USB and Block rest. Use the Device ID to create a different rule.

http://www.symantec.com/business/support/index?pag...

Regard's

Ajit Jha

Technical Consultant

ASC & STS

SebastianZ's picture

If the policy specifies the USB devices as blocked - there is no way to allow it temporarily. You would need either to move the selected machines to a different group with a policy that allows the devices - second possible way would be to create a new location with a differnt policy that allows the devices - but to do this the machines itself would need to change location (based on IP address, subnet and so on). 3rd way is to temporatily disable the policy itself for these clients.

 

Vikram Kumar-SAV to SEP's picture

If you are using SEP 12.1 then under Group- Policy tab..under location specific setting you can select the option to gives users option to enable disable ADC...

However in SEp 11.x there is no such option..at the max, user can stop the SMC service..but not advisable as people you stop SMC..after their work is done usually dont turn it back on.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

SMLatCST's picture

"Thumbs Up" to Vikram above.  It is entirely possible to disable Application and Device Control from the SEP Client console if need be.  If enabling this option this however, you might want to consider implementing password protection on accessing the client console.

http://www.symantec.com/docs/HOWTO55487

This isn't really temporary access however, as the checkbox will remain unchecked.  Any admin doing this must remember to re-enable A&DC on the client

Grandeco's picture

For me this would also be a usefull "feature".

Often users need access to their usb drive, for maybe 1 hour? half a day?

The admin then has to logon to the console, move the user to a group with more rights.
Have the user update their policy... let them use the usb drive...
and hopefully remember they moved the user afterwards

A "grant USB access for XX hours" option would be usefull, the admin then doesn't have to worry about this getting forgotten...

 

Kind regards,
Domien