Endpoint Protection


Switch to location with condition based on hostgroup MAC addresses

  • 1.  Switch to location with condition based on hostgroup MAC addresses

    Posted Jul 03, 2013 09:38 AM

    Hi,

    I'm trying to block USB on some computers (not all) in a computer group.
    We don't want to create separate Active Directory OUs and/or give these computers a fixed IP address.

    So I created a new location called ethernet-specific and added the Application and Device control policy with block USB to this location.

    Created a hostgroup with all the MAC addresses and added a condition to the location ethernet-specific.

    It is allowed to create a condition on the computer's IP address and then add a hostgroup, in my case the hostgroup with MAC addresses.

    However the clients are not switching to this location.

    [Screenshot: Location condition.JPG]

    They only switch to this location when I add, for example, a condition based on an IP range to the default or another additional location.

    e.g. If client computer has one of the IP addresses listed below then select IP range and make sure the IP address of the computer of which you like to block the USB is not in that range. If you have more computers then multiple IP ranges are needed. Downside is that we don't want to create fixed IP addresses.

    [Screenshot: Location condition IP range.JPG]

    If we leave the default location blank (no condition) and temporarily add the IP address to the ethernet-specific location. Then wait till the client has switched to this location and remove the IP address again. This way the client won't switch back to the default location but it is tricky and not recommended because it is not a fixed IP address.

    Has anyone tried to use location switching based on hostgroup with MAC addresses?

    Should this work or is it a bug in SEPM12.1 RU1?

    Has anybody a solution to block USB on some computers in a group, preferably on hostname, but by registry is also fine?

    Thanks

    Rogier



  • 2.  RE: Switch to location with condition based on hostgroup MAC addresses

    Posted Jul 03, 2013 10:00 AM

    I think the problem is here that your host group is based on MAC addresses but in the location switch criteria you take the criteria type of: IP Address and add there a hostgroup of MAC addresses. This is a bit of a mix and probably won't work - you would need here to have a host group based on IP Address.

    Why not use another location criteria like Registry Key Name or Value - and check it if exists or not - you can add registry keys as needed to the target machines and this way group them for specific location - is maybe not the cleanest solution but should work in environment with dynamic IPs.



  • 3.  RE: Switch to location with condition based on hostgroup MAC addresses

    Posted Jul 03, 2013 10:07 AM

    Cannot add using MAC or Hostname. Conditions for location are:

    1) IP address range
    2) Subnet address and subnet mask
    3) No specific condition
    4) DNS server
    5) Client can resolve host name
    6) Client can connect to management server
    7) Network connection type


  • 4.  RE: Switch to location with condition based on hostgroup MAC addresses

    Posted Jul 03, 2013 12:10 PM

    Hi,

     

    Thanks for your response.

    I have also raised a call with Symantec Technical Support a couple of days ago but they are still working on this.

    They didn't tell me that it wasn't possible which makes me think.... Do they even know about the way I like to configure it?

    It is possible to select a host group as a location condition and SEPM knows the MAC addresses so it is really strange that it is not possible.

    There are articles like the one below where they talk about MAC addresses and switching location.

    http://www.symantec.com/business/support/index?page=content&id=TECH97369

     

    Nevertheless I have tried the registry key and registry key value condition but this is not working. Even created a Registry key with the computer name. HKEY_LOCAL_MACHINE\SYSTEM\Mycomputername

    The registry condition is having three options Registry Key, Registry Key Name and Registry Value. Unfortunately the last option is not looking for the Value Data but Value Name instead.

    Maybe I have made a mistake so do you know how to configure the condition so that it looks at the registry key (below) and if the Value Data Mycomputername in HostName exists?

    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink.  HostName=Mycomputername

    [Screenshot: reg hostname.JPG]

    Hope my answer and questions make sense.

     

    Rogier



  • 5.  RE: Switch to location with condition based on hostgroup MAC addresses

    Posted Jul 03, 2013 12:21 PM

    Hi,

    Thanks for your response.

    It is possible to select host groups and host group may contain MAC addresses.

    So in my opinion it is possible to add MAC addresses. The third option under specify location criteria is not talking about IP addresses but addresses in general.

    [Screenshot: Capture.JPG]

    It is obviously not working but there are many other conditions not working either so it might be a bug or an issue with SEPM. Please see my comments above.



  • 6.  RE: Switch to location with condition based on hostgroup MAC addresses
    Best Answer

    Posted Jul 03, 2013 12:32 PM

    The switching by regkey works fine for me.  Both SEPM and SEP client are running SEP12.1RU3 and client is running Win8.

    Using the Registry Value rule and the below hive:

    SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\HostName

    Value type is string and value itself is your machine name.  Does this match your attempts?



  • 7.  RE: Switch to location with condition based on hostgroup MAC addresses

    Posted Jul 04, 2013 12:47 AM

    Hi, 

    Have you checked any other conditions for location switching for testing purpose?

    Regards

    Ajin



  • 8.  RE: Switch to location with condition based on hostgroup MAC addresses

    Posted Jul 04, 2013 02:50 AM

    AFAIK host group will work in Firewall policy. Location switching will not work with MAC address condition.



  • 9.  RE: Switch to location with condition based on hostgroup MAC addresses
    Best Answer

    Posted Jul 04, 2013 03:21 AM

    Hi

    Thanks for the info.

     

    I did test the location switch with a registry key I created myself and the one you mentioned but it didn't work.

    It could be that I made a mistake because I tried a lot of options the last couple of days.

    Must say that it is good to hear that the registry key condition is working for you and will do some testing today.



  • 10.  RE: Switch to location with condition based on hostgroup MAC addresses

    Posted Jul 04, 2013 03:36 AM

    No worries, hope it works for you.

    Just FYI, the hive I posted is exactly as taken from my Location Awareness testing, and should cause it to look for a value inside the "Hostname" keyname for whatever machine name you pop in the regkey value field.

    I must admit, I've not tested if the rule is case sensitive, but can confirm it is not affected by tamper protection.



  • 11.  RE: Switch to location with condition based on hostgroup MAC addresses

    Posted Jul 04, 2013 03:52 AM

    Hi SMLatCST,

    It is working on registry key value!!

     

    So strange it didn't work a couple of days ago so I must have made a mistake somewhere?

     

    Thanks.



  • 12.  RE: Switch to location with condition based on hostgroup MAC addresses

    Posted Jul 04, 2013 04:00 AM

    I guess so.  Just so you know, to create the entry I exported the hive to file, then copy and pasted it into the SEPM.

    I'd recommend using that process going forward perhaps.

    I'm glad to hear it worked though.  As always, it'd be appreciated if you could mark any posts you find useful with a "Thumbs Up" or as the Solution.



  • 13.  RE: Switch to location with condition based on hostgroup MAC addresses

    Posted Jul 04, 2013 05:05 AM

    Hi SMLatCST,

     

    This is how the condition looks now. Just copy paste and changed the hostname in the value field.

    [Screenshot: registry value key on hostname.JPG]

    I have still a case open with Symantec technical support and if you like I can keep you informed.

    Thanks for your help!



  • 14.  RE: Switch to location with condition based on hostgroup MAC addresses

    Posted Jul 04, 2013 05:19 AM

    Hi Roog,

    Looks good to me.  And yes, please keep us informed of the progress of your case.

    #EDIT#

    Oh, and for the sake of clarity and consistent behaviour, you may want to explicitly exclude these machines from the other locations in the group that they may match with (other than default of course).



  • 15.  RE: Switch to location with condition based on hostgroup MAC addresses

    Posted Jul 04, 2013 05:36 AM

    Hi SMLatCST,

    Thanks, I will keep in mind to exclude machines.

    In this case it is not needed because the desktop group is only having two locations (1 default). 

    But for our laptop computer group we probably need to have exclusions because this group is having three locations.

    Btw, host name value is not case sensitive, just successfully tested this.

    (Hostname value in the client registry is upper case and the location condition is lower case.)



  • 16.  RE: Switch to location with condition based on hostgroup MAC addresses

    Posted Jul 04, 2013 05:40 AM

    Hi AjinBabu,

     

    Yes I have tested other conditions.

    Thanks to SMLatCST it is working now on registry key value. See comments in this post.

     

     



  • 17.  RE: Switch to location with condition based on hostgroup MAC addresses

    Posted Jul 10, 2013 07:56 AM

    This issue has been solved by using registry key value.

    Switch location by MAC address is still under investigation by Symantec Technical Support.
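
Added example, not part of any post in this thread: a read-only PowerShell check that reports whether a client carries the `HostName` value under the SyLink key named above, whether it is a string, and whether its data matches a list of machines meant for the USB-blocking location, compared case-insensitively as reported in the thread. The key path and value name are taken from the posts; the target host names are constructed placeholders, and the script only inspects the registry data the condition is described as testing, it does not query SEPM or the SEP client.

```powershell
# Added example (not from the thread). Requires PowerShell 3.0+ / .NET 4.
# Key path and value name come from the posts; host names are constructed.
$SubKey      = 'SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink'
$ValueName   = 'HostName'
$TargetHosts = @('desktop-usb-01', 'desktop-usb-02')   # constructed placeholders

function Get-SyLinkHostName {
    param([Microsoft.Win32.RegistryView]$View)
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($SubKey)          # read-only open
        if ($null -eq $key) { return }            # key absent in this view
        try {
            # Registry value names are case-insensitive, as is -contains
            if ($key.GetValueNames() -contains $ValueName) {
                [pscustomobject]@{
                    View = $View
                    Kind = $key.GetValueKind($ValueName)
                    Data = [string]$key.GetValue($ValueName)
                }
            }
        } finally { $key.Close() }
    } finally { $base.Close() }
}

# A 64-bit OS keeps separate 64-bit and 32-bit views of HKLM\SOFTWARE,
# so look in both rather than assuming where the client wrote the value.
$views = if ([Environment]::Is64BitOperatingSystem) {
    [Microsoft.Win32.RegistryView]::Registry64, [Microsoft.Win32.RegistryView]::Registry32
} else {
    [Microsoft.Win32.RegistryView]::Default
}

$found = @(foreach ($v in $views) { Get-SyLinkHostName -View $v })
if ($found.Count -eq 0) {
    Write-Warning "No '$ValueName' value found under HKLM\$SubKey"
} else {
    # IsString reflects the "value type is string" detail from the thread;
    # MatchesTarget uses -contains, which compares case-insensitively.
    $found | Select-Object View, Kind, Data,
        @{ n = 'IsString';      e = { $_.Kind -eq [Microsoft.Win32.RegistryValueKind]::String } },
        @{ n = 'MatchesTarget'; e = { $TargetHosts -contains $_.Data } }
}
```

A row with `IsString` and `MatchesTarget` both true means the client holds the data the Registry Value condition is looking for; a missing row or a non-string kind is the first thing to check when a client does not switch location.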