SEP11 Application & Device Control problem: USB set to Read Only w/ Write exemptions DOES NOT WORK
This is causing me a major headache. I have a call logged with Symantec and they are not getting very far with this either (ref. 414112147). I have 1500 clients that urgently require this functionality.
- USB devices must be set to read only.
- With certain device exceptions set to allow write using the VID/PID combination with wildcards.
It's really that simple.
I am aware of how to edit the Hardware Devices through Policy Components. I am using DevViewer to take the following and amend with the wildcard (yes, I have tried without the wildcard also):
I am also aware that the App & Dev Control component must be installed on the endpoint client - it is. It is also 32-bit Win XP SP3 (so fully compatible).
When editing the default "Make all removable drives read-only" rule in the Application Control element of the policy (all I need to do is add my exclusion to the "Do not apply to the following files and folders" rule section under the "Block writing to all files and folders" condition), the device is not exempted. Write access is blocked along with all other non-exempted devices, which contradicts what I have set.
I am able to make this work with the Device Control section of the policy. But I do not have options here to make the devices read only, only block all USB which I do not want to do.
Different devices with different VID/PID combinations have the same effect. My VID/PIDs are correct.
I can see the policy serial number in SEPM and the endpoint (they match).
Versions are SEPM 11.0.6005.562 / endpoint 11.0.6200.754 (so the endpoint is more up to date).
Can anybody assist?