We have been using SEPM App & Device Control (mainly the device control element) for some time now, with quite a good result.
Under our Device Control policy, we have blocked the use of all Storage Volumes, and as people require removable storage devices, we would manually add their device to the 'Excluded from Blocking' list.
But as more and more people are requiring storage devices, this doesn't seem to be the most efficient way of doing things.
So we were planning on changing the policy from Device Control, to Application Control (A.C.).
We were starting to use A.C. to block access to all Removable Devices, but allow some common file types (such as DOC, PDF, XLS, etc.) to have read-only access. For example, this would allow external contractors to have read-only access to Excel reports, but lock down the rest of the device. This part of the policy we could achieve correctly.
The problem has come down to excluding the multiple devices we had already approved for use for employees. I can't seem to add multiple device exceptions to an A.C. policy, without having to create a separate * wildcard item for each device, under the 'Do Not Apply to the following files and folders', using the field 'Only match files on the following device id type'.
Question: is there a way to block all read and write access to storage devices with the exception of some common file types like a Word document, but also be able to add multiple storage devices, that have been pre-approved, to an exception list that would allow full read/write access?
Apologies, I've tried to make this as clear as possible.
Thanks,
Rohan
Note: I have added our Application Control policy as an attachment for reference.