Group Policy or Exclusion for Device Control
Best Answer
SuroopMC SonicWall Employee
@GThomas - Device Control rules are a combination of Global Rules and group-specific policies. However, group-specific rules only augment global rules and do not replace them. E.g. You block mass storage across all devices, and also block smartphones for some specific users.
Here's how you can achieve your use-cases:
1. Create a Threat Protection policy for the general mass of endpoints/users (who NEED NOT be excluded), and replicate your global Device Control rules within the Device Control tab of that policy. Then assign this to a new Capture Client Policy.
   - If you are using the Default policies for these endpoints, you can even modify the Default Threat Protection policy which is assigned to the Default Capture Client Policy.
2. Create another Threat Protection policy for the excluded endpoints/users (who need to be excluded), and leave the Device Control tab blank. Assign it to a new Capture Client Policy.
3. Make sure the Capture Client Policy created in Step 2 is higher in the list than the policy used in Step 1.
4. Create 2 groups: Group 1 for the general endpoints/users and Group 2 for the excluded endpoints/users, based on your criteria.
5. Assign the Capture Client Policy from Step 1 to Group 1, and assign the Capture Client Policy from Step 2 to Group 2.
This means that your general policy for USB devices is "Allow" while for a specific set of devices (which is actually the majority) the policy is customized to whatever you want it to be.
Hope that helps!
Answers
Hi @GThomas ,
Please check the link below:
Also attaching the admin guide for reference and more details:
I hope this helps.
Thanks
Nevyaditha P
Technical Support Advisor, Premier Services
Hello @GThomas ,
Unfortunately the Device control feature is completely a global setting at this time. Since it is granular enough to even block on the basis of Serial number it can be made very specific as to which USB devices are being blocked.
But I completely understand your concern. This is a perfect RFE candidate. I would request you to contact your Sales representative and open up an RFE for this option to be available on a policy level.
I hope that helps!
Thanks!!
Shipra Sahu
Technical Support Advisor, Premier Services
Hello @SuroopMC,
I have received similar concerns earlier as well. I am sure this is possible with the steps you mentioned, but wouldn't it be easier to achieve this if this is a policy based setting?
Even I was curious if we have any plans to add this section on the policy level?
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Perfect!
Shipra Sahu
Technical Support Advisor, Premier Services