
Endpoint Protection - Device Control

Created: 12 Sep 2012 • Updated: 13 Sep 2012 | 7 comments
This issue has been solved.


I've been asked to set up Symantec Endpoint Protection 12.1 for a Windows 7 environment, with Device Control to be enabled for the blocking of USB Drives.  The specific requirements for blocking these USB Drives are these:

  • All Users/Computers to be blocked by default;
  • Groups of users should be allowed to access USB Drives;
  • Specific computers should be allowed access to USB Drives no matter what user (e.g. boardroom PCs).

How is this best achieved?  I've thought about this and concluded I may have to do the following (based on importing objects, either OUs or Groups, from Active Directory):

  • For PCs that are meant to allow USB access: the Symantec Client is installed in COMPUTER mode, and an "Allow USB Device" policy is assigned to the Active Directory OU where these PCs are.
  • For all other PCs, where USB access is denied by default: the Symantec Client is installed in USER mode.  Two AD Groups are imported into SEPM ("Allowed USB Device" & "Deny USB Device"), with equivalent policies then assigned to the appropriate group.  All other policies (e.g. AV, Firewall, Exclusions etc.) are applied at this level, rather than at computer level.

I think I'd much prefer to go the "simpler" way of just using Active Directory, but I may not be allowed to do this (based on requirements).  Would love some advice and direction.



pete_4u2002:

Are the users in the exception using the same computer? If not, let me know if this helps:

Create a group where all the computers are blocked from accessing USB.

Create another group to which the computers that are allowed to access USB are added.

G-Train:

The users aren't guaranteed to be using the same computers that are allowed.  Essentially, an "allowed" user needs to be able to roam to any machine and use a USB.  As well, a selection of PCs need to be allowed for ALL users, e.g. attaching a USB to a laptop in a boardroom for a presentation.

But it almost sounds like you are stating what I was after.  Is there actually the ability to import an Active Directory group into "CLIENTS" and assign a policy to this?

G-Train:

I've already imported my Workstations OU.  I'm wanting to know if I can import Active Directory Security Groups?

SMLatCST:

I'm afraid there is no option to import AD Security groups in SEP.

Given your requirements though, I'd be more inclined to assign the policies using SEP Custom groups rather than AD imported ones (although this preference is based upon the fact that most AD structures I've encountered do not usually lend themselves to managing AV, which may not be the case with your structure).

Your proposed setup sounds solid though:

  • One group for the SEP Clients that allow USB access, working in Computer Mode
  • All other SEP Clients in User Mode
  • Users split into two groups: those that are blocked from USB devices, and those that have access

The only thing I can add is to look into the availability of your SEPM(s), and investigate Load-balancing/Fault-tolerance if not already implemented.  When in User mode, the SEP Client contacts the SEPM for the policies appropriate for the user when they log in.  If the SEPM is unavailable, then the SEP Client will revert to the policies applied by the previous user.

SameerU:

Agreed with pete
G-Train:

Thanks for the response.  I was pretty much expecting as such, but wanted to see if there was actually a "better" option, as this solution seems very high in management overhead.  Maybe I should look into doing USB drive restrictions in Group Policy instead.
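For the Group Policy alternative mentioned above, here is an added audit script (not from the thread and not Symantec's code) that reads the Windows "Removable Storage Access" policy values from both the machine and the user hive on a client, so a defender can verify how USB disk access actually resolves for a given PC and logged-on user. It assumes the standard policy registry paths and the documented "Removable Disks" device class GUID.

```powershell
# Added example: audit effective "Removable Storage Access" policy for removable disks.
# Assumption: standard policy paths under HKLM/HKCU and the "Removable Disks" class GUID.
$DiskClass = '{53f56307-b6bf-11d0-94f2-00a03e3a55f2}'
$Scopes = [ordered]@{
    'Computer' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    'User'     = 'HKCU:\Software\Policies\Microsoft\Windows\RemovableStorageDevices'
}

function Get-RemovableDiskPolicy {
    param([string]$Scope, [string]$Base)
    # Default to "not configured" (0) for every deny flag in this scope.
    $result = [ordered]@{ Scope = $Scope; DenyAll = 0; DenyRead = 0; DenyWrite = 0 }
    if (Test-Path $Base) {
        # "All Removable Storage classes: Deny all access" lives on the parent key.
        $all = Get-ItemProperty -Path $Base -ErrorAction SilentlyContinue
        if ($all.Deny_All) { $result.DenyAll = [int]$all.Deny_All }
        # Per-class deny read/write flags live under the class GUID subkey.
        $cls = Join-Path $Base $DiskClass
        if (Test-Path $cls) {
            $p = Get-ItemProperty -Path $cls -ErrorAction SilentlyContinue
            if ($p.Deny_Read)  { $result.DenyRead  = [int]$p.Deny_Read }
            if ($p.Deny_Write) { $result.DenyWrite = [int]$p.Deny_Write }
        }
    }
    [pscustomobject]$result
}

$report = foreach ($s in $Scopes.Keys) { Get-RemovableDiskPolicy -Scope $s -Base $Scopes[$s] }
$report | Format-Table -AutoSize

# A deny in either scope blocks the logged-on user. A machine-scope deny applies to every
# user of that PC, so the "allow on this PC regardless of user" case (the boardroom PCs)
# has to be achieved by not applying the machine-scope deny to that PC at all.
$blocked = [bool]($report | Where-Object { $_.DenyAll -or $_.DenyRead -or $_.DenyWrite })
"Removable disks blocked for current user on $($env:COMPUTERNAME): $blocked"
```

Run it as the user in question on a PC that has refreshed Group Policy (gpupdate) to confirm the intended combination of per-computer and per-user scoping before rolling it out.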