USB Port Security: deny by default but allow IT dept

Hi, DA newbie here. We're trying to make the logic work in our environment and I could use some guidance from more experienced DA administrators.
By default, we would like to restrict all non-HID USB devices while allowing the IT team (in an OU and a security group) full access.
Individual users who are approved for specific uses - say, downloading pictures from a camera, or using a USB stick to transfer postal meter data - should be allowed to use ONLY that device and ONLY on the computer they are approved for.
I don't want a user to have access to USB mass storage except for an approved device. Recommendations on how to configure? The DA video on the support site is not very helpful and it's so tiny I can't see what settings are being applied.
Thanks in advance for any and all assistance.

  • Excellent information that was very helpful in understanding how all the moving parts work together. I had the Exceptions piece figured out, but struggled with the Allow when there was an explicit Deny for a much larger group.

    To facilitate IT access, I created a Permission set that sits at the top of the hierarchy and has the Advanced option "If this profile is validated during execution, do not process any subsequent profiles" enabled. This prevents any Deny permissions from being applied if other items match. This also obviated the need to create a special AD group that would need managing separately.

    Thanks to everyone for the help, the boss is happy and our devices are safe. Can't beat that.
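Added example, not from this thread and not a DA (Desktop Authority) setting: the same "deny everything, allow HID, allow one specific stick on one specific computer, let IT override" model expressed with Windows' own Device Installation Restrictions policy keys, written to the local machine with PowerShell. Run it elevated on the one computer the device is approved for (or deliver the same values with a GPO filtered to that computer). The instance ID in $ApprovedInstanceId is a placeholder; read the real one with Get-UsbStorageInstanceIds while the approved stick is plugged in. AllowDeviceInstanceIDs needs a recent Windows 10/11 build; older builds only have AllowDeviceIDs, which matches hardware IDs (the model) rather than the individual unit. The policy blocks installation of new devices, so a stick already installed on the machine keeps working until its driver is removed.

```powershell
# Added example (not DA configuration): deny-by-default USB with explicit allows,
# using the Device Installation Restrictions registry policy on one computer.

$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Setup classes that must stay allowed once "deny unspecified" is on; without
# them new keyboards, mice and even USB hubs are refused as well.
$AllowedClasses = @(
    '{745a17a0-74d3-11d0-b6fe-00a0c90f57da}'  # HIDClass
    '{4d36e96b-e325-11ce-bfc1-08002be10318}'  # Keyboard
    '{4d36e96f-e325-11ce-bfc1-08002be10318}'  # Mouse
    '{36fc9e60-c465-11cf-8056-444553540000}'  # USB (controllers, hubs)
)

# Placeholder (assumption): device instance path of the one approved stick.
$ApprovedInstanceId = 'USBSTOR\DISK&VEN_EXAMPLE&PROD_STICK&REV_1.00\SERIAL0000&0'

function Get-UsbStorageInstanceIds {
    # Lists USB mass-storage devices present right now; copy the InstanceId of
    # the approved stick into $ApprovedInstanceId.
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        Select-Object FriendlyName, Status, InstanceId
}

function Set-UsbAllowList {
    param([string[]]$ClassGuids, [string[]]$InstanceIds)

    New-Item -Path $Restrictions -Force | Out-Null

    # "Prevent installation of devices not described by other policy settings"
    Set-ItemProperty -Path $Restrictions -Name DenyUnspecified -Type DWord -Value 1

    # "Allow administrators to override Device Installation Restriction policies":
    # the IT escape hatch, comparable to an allow profile that wins over the deny.
    Set-ItemProperty -Path $Restrictions -Name AllowAdminInstall -Type DWord -Value 1

    # "Allow installation of devices using drivers that match these device setup classes"
    Set-ItemProperty -Path $Restrictions -Name AllowDeviceClasses -Type DWord -Value 1
    $classKey = New-Item -Path "$Restrictions\AllowDeviceClasses" -Force
    for ($i = 0; $i -lt $ClassGuids.Count; $i++) {
        Set-ItemProperty -Path $classKey.PSPath -Name "$($i + 1)" -Type String -Value $ClassGuids[$i]
    }

    # "Allow installation of devices that match any of these device instance IDs":
    # ties the allow to this exact unit, not every stick of that model.
    Set-ItemProperty -Path $Restrictions -Name AllowDeviceInstanceIDs -Type DWord -Value 1
    $instKey = New-Item -Path "$Restrictions\AllowDeviceInstanceIDs" -Force
    for ($i = 0; $i -lt $InstanceIds.Count; $i++) {
        Set-ItemProperty -Path $instKey.PSPath -Name "$($i + 1)" -Type String -Value $InstanceIds[$i]
    }
}

Get-UsbStorageInstanceIds
Set-UsbAllowList -ClassGuids $AllowedClasses -InstanceIds @($ApprovedInstanceId)
```

After applying, plug in an unapproved stick and check Device Manager (or Get-PnpDevice) for a device whose installation was blocked by policy; the approved stick should install normally, and an administrator can still override the block for a one-off installation.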