Endpoint Protection

  • 1.  Question - Device Control Policy - Computer Mode client but user based policy?

    Posted Apr 27, 2010 04:58 PM

    Hi,

    I've been looking at SEP for a customer and so far it is stacking up quite well. The customer however currently uses DeviceLock for restricting access to USB ports and devices. These restrictions are based on Active Directory user group memberships (i.e. User A on Computer A can access USB key drives, but User B on Computer A cannot). Ultimately, if we go with SEP, we would like to replace the DeviceLock functionality with SEP Proactive Threat Protection Device Control.

    From what I've read the SEP client can operate in "computer" or "user" mode but not both. It seems that generally computer mode is a better choice, with policies applying then to the computer, not the user. If I were to run my client in computer mode, is there any way to then apply device control policies by user (as per my example above)? Generally all policies we would apply would be suitable (and potentially preferable) to be computer based, other than the device control policy where we would like the policy to be user based.

    From the reading of the documentation it's not clear if this can be done other than the client being in user mode for everything, which I think we would like to avoid.

    Any advice / suggestions / pointers would be much appreciated.

    Cheers,


  • 2.  RE: Question - Device Control Policy - Computer Mode client but user based policy?

    Posted Apr 27, 2010 05:04 PM
    This cannot be done. Policy can be applied only in either Computer mode OR User mode. You cannot have a combination.

    You can apply all the policies in User Mode and then give a specific set of users the ability to disable SEP App and Dev Control.


  • 3.  RE: Question - Device Control Policy - Computer Mode client but user based policy?

    Posted Apr 28, 2010 08:56 AM

    Application and Device Control can only control operations that take place in user mode.


  • 4.  RE: Question - Device Control Policy - Computer Mode client but user based policy?

    Posted Apr 28, 2010 12:31 PM
    If you want to apply different policies based on user (such as group membership, for example), there is a workaround.

    Basically you create “locations” based on a registry key value (instead of based on network information). You would need a logon script that would evaluate the criteria you want to use to apply the policy (for example, domain group membership based on ADSI queries or whatever) and would set this registry key or keys.

    The SEP client would then automatically switch its “location” based on the registry values. You only have to apply different policies to the different “locations” in the SEPM console.
    For simple cases (for example, two groups, “Allow USB” and “Deny USB”) it can be useful. If it gets more complex than that, it will soon become unmanageable…

    Hope that helps.

    Alfredo
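    As an added example (not part of Alfredo's post or of Symantec's documentation), here is a PowerShell logon script implementing the registry-key step of the workaround above. The group name, registry path and value names are assumptions and must match the registry-key location condition you configure in the SEPM console.

    ```powershell
    # Added example for the "location switch by registry key" workaround.
    # Everything below is hypothetical: change the group, key path and value
    # names to match the location condition defined in SEPM.
    $AllowGroup = 'CONTOSO\SEP-Allow-USB'       # hypothetical AD security group
    $KeyPath    = 'HKLM:\SOFTWARE\Contoso\SEP'  # hypothetical key read by the SEPM location condition
    $ValueName  = 'UsbPolicy'                   # hypothetical REG_SZ value: "Allow" or "Deny"

    function Test-GroupMembership {
        param([string]$GroupName)
        # Use the logon token's group SIDs rather than a memberOf lookup on the
        # user object: the token already reflects nested group membership.
        $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        foreach ($sid in $identity.Groups) {
            try {
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                continue   # unresolvable SID (e.g. deleted group); skip it
            }
            if ($name -ieq $GroupName) { return $true }
        }
        return $false
    }

    # Default to the restrictive location: if the lookup fails for any reason,
    # the client must land in the "Deny USB" location, never in "Allow USB".
    $policy = 'Deny'
    if (Test-GroupMembership -GroupName $AllowGroup) { $policy = 'Allow' }

    # The script must run in a context that may write to $KeyPath; an HKLM key
    # needs an elevated logon/startup script context (assumption, see above).
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $policy -Type String

    $user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    Write-Output "SEP location value '$ValueName' set to '$policy' for $user"
    ```

    The SEP client picks up the new location on its next location check, so the policy change takes effect shortly after logon rather than instantly.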


  • 5.  RE: Question - Device Control Policy - Computer Mode client but user based policy?

    Posted Apr 28, 2010 04:58 PM

    Thanks for the replies everyone.

    It sounds like I would need to deploy my desktop computer SEP clients in user mode to fully achieve what I'd like.

    Am I correct in assuming that if I were to do this, I could have a global "catch all" client group for all users (i.e. one where any user that wasn't specifically contained in any other client group would get its security policy from) and then sub client groups which could contain the named users that I would like specific security policies to be applied to?

    i.e. I would only want to specifically name users and place them in client groups when they were to receive something other than the default security policy for the organisation.

    Cheers,

  • 6.  RE: Question - Device Control Policy - Computer Mode client but user based policy?

    Posted Aug 31, 2010 05:35 AM
    Will this (=user policies) also work in a terminal server (Citrix) environment?
    I can imagine one user has access to use a USB-key and another user on the same server hasn't.
    What if conflicting policies occur on a terminal server?


  • 7.  RE: Question - Device Control Policy - Computer Mode client but user based policy?

    Posted Aug 31, 2010 06:46 AM
    And one additional question about usermode.
    How can you define a scheduled scan during night hours when normally no user is logged on in user mode?
    I suppose the setting is only applied after the user logs on, so my question is in fact which policies are applicable to such a client.


  • 8.  RE: Question - Device Control Policy - Computer Mode client but user based policy?

    Posted Aug 31, 2010 06:58 AM
    The computer mode policy will take precedence over a user mode policy, in case of a conflict!!!!


  • 9.  RE: Question - Device Control Policy - Computer Mode client but user based policy?

    Posted Oct 05, 2010 05:44 AM

    I understand, but you need to have either a machine-based or a user-based policy.

    So if you define user-based policies, how do you achieve the scheduled scan at night when no user is logged on?

    And a second question: what about Citrix and user-based USB blocking? In our environment USB ports from the workstation/thin client are forwarded to the Citrix server. How do we block those ports selectively per user?