Endpoint Protection


SEPM Device Control policy not working

  • 1.  SEPM Device Control policy not working

    Posted Jul 31, 2013 05:48 AM

    My client has SEP running centrally on a workgroup (not AD), and has all the clients connected to SEPM.

    However, when he creates a device control policy to restrict flash/pen drives, assigns it, updates the client - it doesn't take.

    The client machine reads the flash/pen drive as storage device/volume - like how it would detect a hard disk. This is on all clients.

    How do I fix this?



  • 2.  RE: SEPM Device Control policy not working

    Posted Jul 31, 2013 05:53 AM

    Did you add the device ID to the hardware ID list and then block it? What components of SEP have you installed, just Antivirus and Antispyware?

    Check this document once.

    http://www.symantec.com/business/support/index?page=content&id=TECH175220



  • 3.  RE: SEPM Device Control policy not working

    Posted Jul 31, 2013 05:55 AM

    Have you checked whether the policy is getting applied on that client or not?

    Do the policy serial numbers of the server and clients match?

    How many clients are having the same issue?



  • 4.  RE: SEPM Device Control policy not working

    Posted Jul 31, 2013 06:10 AM

    The device ID it's showing is akin to that of HDDs. So if we block it it might mess with those.

    All components installed.



  • 5.  RE: SEPM Device Control policy not working

    Posted Jul 31, 2013 06:18 AM

    The policy is not getting assigned on the client side. Policy serials do not match.

    All clients have the issue.



  • 7.  RE: SEPM Device Control policy not working

    Posted Jul 31, 2013 06:29 AM

    Export the policy from SEPM and import it on the client. If that's working, we will know if the problem is from the client or from the policy. Here is the link:

    http://www.symantec.com/business/support/index?page=content&id=TECH190053



  • 9.  RE: SEPM Device Control policy not working

    Posted Jul 31, 2013 08:17 AM

    Right-click the SEP icon and select "Update Policy". This will force it to check in and get the updated policy.



  • 10.  RE: SEPM Device Control policy not working

    Posted Jul 31, 2013 08:42 AM

    Sorry, but this exports policies from a Symantec Endpoint Protection client with correct policies to another Symantec Endpoint Protection client. Not from SEPM to SEP client.

    Right now no SEP client has the correct policy.

    It is not possible to export a policy from a SEPM and import directly on a SEP client.



  • 11.  RE: SEPM Device Control policy not working

    Posted Jul 31, 2013 08:47 AM

    It is not possible to export a policy from a SEPM and import directly on a SEP client.



  • 12.  RE: SEPM Device Control policy not working

    Posted Jul 31, 2013 08:59 AM

    One more thing - when a pen/flash drive is plugged into the client machine, the message attached to the policy (USB Blocked) shows. But it still goes on to install and is readable on the clients.



  • 13.  RE: SEPM Device Control policy not working

    Posted Jul 31, 2013 09:44 AM

    The device ID will be unique; not sure how it's showing as the same as your HDD?

    Use DevViewer. It's included with SEP and is at the following location on CD2...

    CD2\Tools\NoSupport\DevViewer\DevViewer.exe

    then add it to the list.



  • 14.  RE: SEPM Device Control policy not working

    Posted Aug 05, 2013 07:30 AM

    Update:

    Please see attached the components installed and the info from device manager.

    SEPM policy still not applying to the clients.

    Attachment: SEP info.docx (265 KB)


  • 15.  RE: SEPM Device Control policy not working
    Best Answer

    Posted Aug 05, 2013 07:41 AM

    Gather the Device ID of device(s) using the DevViewer tool:

    1. Find the DevViewer.exe tool on the SEP 11.0.X CD2 in the CD2\Tools\NoSupport\DevViewer folder.

    2. Plug in the device you want to gather the GUID from.

    3. Run the DevViewer.exe tool and browse to find the device. (For example, for a thumb drive, look under Disk drives.)

    4. Select the device, and on the right you will see information about the device.

    5. Right-click the [GUID] and select Copy GUID.

    6. Exit the DevViewer Tool.

    Add the Hardware Device into Symantec Endpoint Protection Manager policy:

    1. In the SEPM, select the Policies view.

    2. In the upper left corner of the console, under the View Policies section, click on Policy Components to expand the sub-list.

    3. Under Policy Components, select Hardware Devices.

    4. Under Tasks, select Add a Hardware Device.

    5. Type in the Name you wish to call your device (example: Administrator's Thumbdrive).

    6. Select the class ID option, click in the text box and use CTRL-V to paste the Device ID you copied from the DevViewer tool.

    7. Click OK.

    Add Hardware Device to Blocking list:

    1. In the SEPM, under View Policies, select Application and Device Control.

    2. Right-click your Application and Device Control Policy and select Edit.

    3. Select the Device Control view.

    4. Under the Blocked Devices section, click Add, select the device you added in the previous section, click OK, and click OK again.
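
To cross-check what DevViewer reports in the steps above, the following PowerShell lists each disk drive's device instance ID and setup class GUID and marks USB-attached storage, which helps when a flash drive appears to share an ID with the internal HDDs. It is an added example, not part of the original post or a Symantec tool; it assumes Windows 8 / Server 2012 or later (for `Get-PnpDeviceProperty`), and the function name `Get-DiskDriveIdentity` is hypothetical.

```powershell
# Added example (not from the thread): enumerate disk drives so a USB flash drive
# can be told apart from internal disks before a device is added to a block list.
# Assumption: Windows 8 / Server 2012 or later, where the CIM and PnpDevice
# cmdlets are available. Run on the client with the flash drive plugged in.

function Get-DiskDriveIdentity {
    # Win32_DiskDrive returns every disk Windows has enumerated, internal or removable.
    Get-CimInstance -ClassName Win32_DiskDrive | ForEach-Object {
        $disk = $_

        # The setup class GUID is normally the same for internal and USB disks
        # (both are "disk drives"), so on its own it does not separate them.
        $classGuid = (Get-PnpDeviceProperty -InstanceId $disk.PNPDeviceID `
                        -KeyName 'DEVPKEY_Device_ClassGuid' `
                        -ErrorAction SilentlyContinue).Data

        [pscustomobject]@{
            Model         = $disk.Model
            InterfaceType = $disk.InterfaceType          # e.g. USB, IDE, SCSI
            # Instance IDs of USB mass-storage disks start with the USBSTOR enumerator.
            IsUsbStorage  = ($disk.PNPDeviceID -like 'USBSTOR\*') -or
                            ($disk.InterfaceType -eq 'USB')
            DeviceId      = $disk.PNPDeviceID            # per-device instance ID
            ClassGuid     = $classGuid                   # shared by the whole device class
        }
    }
}

# USB storage first, one property per line so long instance IDs are not truncated.
Get-DiskDriveIdentity |
    Sort-Object -Property IsUsbStorage -Descending |
    Format-List
```

Compare the `DeviceId` and `ClassGuid` values for the flash drive and the internal disks: if only `ClassGuid` matches, the two devices share a class but not an identity.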

     

     



  • 16.  RE: SEPM Device Control policy not working

    Posted Aug 09, 2013 01:21 PM

    Are all these clients online?

    What is the Heartbeat interval time you set?



  • 17.  RE: SEPM Device Control policy not working

    Posted Aug 28, 2013 02:41 AM

    Sorry for the silence. The set up is not in my country - will get results on this and get back to you on what has worked. Currently trying @Rafeeq's latest recommendation.