Endpoint Protection - Device Control
I've been asked to set up Symantec Endpoint Protection 12.1 for a Windows 7 environment, with Device Control to be enabled for the blocking of USB Drives. The specific requirements for blocking these USB Drives are these:
- All Users/Computers to be blocked by default;
- Groups of users should be allowed to access USB Drives;
- Specific computers should be allowed access to USB Drives no matter what user (e.g. boardroom PCs)
How is this best achieved? I've thought about this and concluded I may have to do the following (based on importing objects - either OUs or Groups from Active Directory):
- For PCs that are meant to allow USB access – Symantec Client is installed in COMPUTER mode, and an “Allow USB Device” policy is assigned to the Active Directory OU where these PCs are.
- For all other PCs where USB access is denied by default – Symantec Client is installed in USER mode. Two AD Groups are imported into SEPM (“Allowed USB Device” & “Deny USB Device”), with equivalent policies then assigned to the appropriate group. All other policies (e.g. AV, Firewall, Exclusions etc.) are applied at this level, rather than computer.
I think I'd much prefer to go the "simpler" way of just using Active Directory, but I may not be allowed to do this (based on requirements). Would love some advice and direction.