
Configuring USB

Created: 18 Dec 2009 • Updated: 22 May 2010 | 9 comments
This issue has been solved. See solution.

How do I configure USB in Symantec Endpoint Protection so that it allows USB to work for a specific user (user1) and blocks it for anyone else who logs in on the computer?

Example

PC1
User1

User1 on PC1 = allow
User2 on PC1 = block

Please help, required urgently.


EdT's picture

Assuming the information is not in the product documentation, the quickest solution to an urgent requirement is to log a call with Symantec support.

If your issue has been solved, please use the "Mark as Solution" link on the most relevant thread.

Fatih Teke's picture

Hello Waqas300,
You can block USB by creating a group.
You can watch this video to see how to do it:
https://www-secure.symantec.com/connect/videos/how-block-flash-disk-application-and-device-policy

Thanks
Fatih

 Everything works better when everything works together.

Rafeeq's picture

You should install Symantec Endpoint Protection in user mode, so that policies are applied to users, not to computers.
By default, Symantec Endpoint Protection is installed in computer mode.
When you change that to user mode and put the two users in different groups, you can apply two different policies to those users:
user1 computer 1 to allow USB
user2 computer 2 block USB

sandip_sali's picture

computer and user mode.JPG

Thanks & Regards

Sandeep C Sali

waqas300's picture

Please note that there is only one computer, on which user A has access to USB, and if B logs in to that computer he will find it blocked.

AravindKM's picture

To achieve your goal you have to install your clients in user mode.
In SEPM you can install clients in two policy modes: user mode and computer mode.

Computer mode: SEP is installed on the computer, no matter who logs in.

User mode: Installed to the currently logged-in user.

This is from page 56 of the installation guide:

You can set up clients as users or computers, depending on how you want the policies to work. Clients that are set up as users are in user mode. Clients that are set up as computers are in computer mode. Clients that are set up as users are based on the name of the user who logs on to the network. Clients that are set up as computers are based on the computer that logs on to the network. You set up clients as users or computers by adding the users and computers to an existing group. After a user or a computer is added to a group, it assumes the policies that were assigned to the group.

The policies that are in force depend on the mode in which the client software runs:

| Mode | Description |
| --- | --- |
| Computer mode | The client protects the computer with the same policies, regardless of which user is logged on to the computer. The policy follows the group that the computer is in. Computer mode is the default setting. |
| User mode | The policies change, depending on which user is logged on to the client. The policy follows the user. |

If the client software runs in user mode, the client computer software gets the policies from the group of which the user is a member. If the client software runs in computer mode, the client gets the policies from the group of which the computer is a member.

After you add a computer, it defaults to computer mode. Computer mode always takes precedence over user mode. Users who log on to the computer are restricted to the policy that is applied to the group to which the computer belongs.

You have to create two groups. To the first group, attach user A and give it a policy which allows USB access; to the second group, attach user B and deny USB.

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

SOLUTION
AravindKM's picture

If you are not able to use user mode, in computer mode you can allow only some specific USB drives.
For more info, refer to the doc below:
How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection

These are the two possibilities.

Note: It is possible to switch clients from user mode to computer mode and vice versa in the SEPM console. There are also some tools available to do it in mass.


waqas300's picture

Thanks, it works, yahooooooo :-) So nice of you.

Nardoni's picture

AravindKM - You wrote:

"Note: It is possible to switch clients from user mode to computer mode and vice versa in the SEPM console. There are also some tools available to do it in mass."

What tools are you referring to?

I have 10,000 clients running in Computer Mode. I have to roll out our USB Blocking Policy based on Business Unit. For example, we tell HR Management that on this day, we are going to apply the policy to your employees' PCs. If they all had similarly named machines (based on floor or dept. abbreviation) I could just search with a wildcard on that, move them into their own group, and then apply policy - done. Unfortunately they are not named in any specific way to do that and even if they were, some departments have people scattered all over the place.

I am able to query LDAP based on a department ID attribute, and I do get a list of all those employees, but when I add them to a new group, nothing changes. I see them listed in the group under the default view, but none of their policies change. Is that because they already exist or their machine already exists in Computer Mode? I deleted a machine that my ID was attributed to after I had imported my user ID from LDAP. I even restarted my SEP Service. When I checked the client, it showed that I was now a member of the Default Group, even though my user ID was listed in another group that I created and imported my ID into. Understand what I'm saying?

I could solve my problems another way, if SEPM allowed me to move clients to a group, off of a text file.  I can easily get a list of computer names associated with employee ID's from Altiris.  It would be so easy then at that point to say, take this imported list of computer names, and move these computers to this group.

What about a SQL Backend trick?  Is there any way to do it from there?

Thanks.