Endpoint Device control intermittently blocking Registered Devices

I am rolling out Device control to various departments and Branches over time. We are asking our employees to call in to register devices and have a vetting process to identify which devices will be registered under what conditions.

We are registering devices per device (not all devices of this type) and commenting the entry with the identity of the device known to the group of users. Our default approach is to block write access only. Read access is not blocked.

We are seeing problems with USB memory sticks that HAVE BEEN REGISTERED being blocked at the endpoint. When we use the console Events, Device Control Events... we can see the device, computer, and Status. Selecting the device from the list and clicking on Exempt Device... we see the device settings and comment we entered when we registered the device. Yet it has been blocked. Clicking OK will sometimes result in the device being allowed after they unplug it, then plug it back in. Sometimes it will still be blocked. It does not seem as if only a particular model of USB drive is intermittently blocked.

  • Hello tokind,

    using the Event Viewer for exemption affects all DC policies (including Default, which means the device will also be exempted in any new policy you create), which are subsequently automatically transferred to the clients, so I'd rule out that the device is not exempted at the endpoint (unless there's a problem with policy processing). I don't think all this is random though.

    Some thoughts:

    • If you can identify a particular device which is repeatedly not exempted, turn on DC verbose logging (on the client, using the SESC GUI). Also make sure the client is compliant with the DC policy. If the log doesn't show anything useful you should contact Support.
    • Are only certain devices affected - you say "It does not seem as if only a particular model is blocked", but do all instances of a model have this issue? - or certain computers (ones that might have something in common)?
    • How many exemptions do you have? I'm not aware of a limit but there might be a recommendation.
    • Are these "simple" USB devices, i.e. just appearing as one drive, or complex ones (more than one drive, special functions or software)?

    Again, it might be a good idea to contact Support directly.

    Christian
