Hello,
Is there a way to efficiently exempt a list of macOS users or devices in a DLP data rule?
For Windows users or devices this is pretty easy, because a definition can be created for this list of users (through a distribution list or security groups) via Active Directory. Once this is set, just create an exception for users pointing to this distribution list within the DLP data rule set.
As designed, macOS users or devices do not go through Active Directory. So one idea is to create a tag (DO_NOT_INSTALL_DLP), create a server task with an action to import a list of macOS users or devices, then a subtask to query for these devices, tag them with DO_NOT_INSTALL_DLP, and then remove the DLP package.
However, as the list is static, this is not sustainable from a manageability perspective: we would have to re-import the list into the server task again and again whenever it gets updated in the future.
Please advise what is the best way to approach this scenario. Thank you.
@JKBH1 Thanks for choosing Support Community.
Though I am not very certain about your query, I will try my best to answer.
1. Do you want to deploy DLP for Mac to some systems and exclude a few systems? If yes, then create a sub-group in ePO -> System Tree called "DLP deployed" and assign a deployment task to it. Even policy can be managed effectively with these groups.
2. Do you want to exclude all macOS systems from the DLP deployment task? If yes, then it is very simple: don't create a deployment task for macOS. A deployment task created with the Windows platform/package is not applicable to macOS systems.
Let me know if my understanding is different from what you said.
Jagan, thanks for the reply. We will only deploy the data protection rules to a few Mac users, so the #1 recommendation should work for our environment.
I want to revisit this topic. As I understand it, DLPe has two components/modules: data protection and device control.
If it were a matter of not deploying the entire DLP suite to these Mac users, then it would be really easy: tag them and exclude them so they don't have any DLP installed. The two scenarios given by JaganA would work.
The requirement for this use case is to have only certain Mac users exempted from the data protection rules, while these same Mac users are not exempted from the device control policies.
How do I go about this? As Mac users do not go through Active Directory but Enterprise Connect, how do I exclude these users in the data protection rules in the Exceptions tab?
1.) Is there a way to define these Mac users in "is any local user or non-LDAP user", "belongs to one end-user groups", or "belongs to all following end-users group"? The end-user group definition identifies the user, users, or groups through LDAP. How will this work with Mac users who don't go through LDAP but Enterprise Connect?
2.) What is that "is any local user or non-LDAP user" option? Can I use this for excluding Mac users? If so, how do I define this?
Or will a Policy Assignment Rule with the right tagging and data protection rule set assigned to it make this use case work?
After much overthinking, it is really a simple solution.
The best way to handle this sort of use case is to have a DLP policy that is configured only for device control, then assign the Mac endpoints that are to be excluded from the data rule to this device-control-only rule set.
Problem solved. Thanks everyone for your recommendations.
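The manageability concern from the opening post (a static list that has to be re-imported into a server task every time it changes) can be handled outside the server task: keep the exemption list in a file, and have a small script reconcile an ePO tag against it, so the Policy Assignment Rule keyed on that tag routes the listed Macs to the device-control-only policy described in the final post. The script below is an added example and is not code from this thread or from the vendor. ePO's remote commands system.find, system.applyTag and system.clearTag are real, but the server URL, the API account, the tag name DLP_DC_ONLY, the list file, the "EPOComputerProperties.ComputerName" and "EPOLeafNode.Tags" field names in the system.find rows, and the sample hostnames are all assumptions for illustration; confirm the commands and output fields on your own server with https://<epo>:8443/remote/core.help before relying on them.

```python
"""Reconcile an ePO tag with a hostname list so a Policy Assignment Rule keyed
on the tag sends those Macs to the device-control-only DLP policy.

Added example, not from the thread or the vendor. system.find, system.applyTag
and system.clearTag are real ePO remote commands; the URL, account, tag name,
list file and row field names are assumptions (verify via /remote/core.help).
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request

TAG_NAME = "DLP_DC_ONLY"  # assumed tag name; the Policy Assignment Rule selects on it

# Constructed sample exemption list: one hostname per line, '#' starts a comment.
SAMPLE_LIST = """
# Macs that get device control only, no data protection rules
mac-design-01
mac-design-02   # shared design workstation
MAC-EXEC-07
"""


def parse_exemption_list(text):
    """Hostnames from the list, lowercased, blanks and comments dropped."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.add(line.lower())
    return names


def plan_tag_changes(desired, currently_tagged):
    """Diff the list against systems already carrying the tag.

    Editing the file and re-running replaces the static re-import: new names
    get the tag, names dropped from the list lose it (and so leave the rule).
    """
    current = {h.lower() for h in currently_tagged}
    return {"apply": sorted(desired - current), "clear": sorted(current - desired)}


class EpoClient:
    """Minimal ePO remote-command caller (HTTP Basic auth, JSON output)."""

    def __init__(self, base_url, user, password, ca_file):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}"}
        # Verify the ePO certificate against your CA; never disable TLS checks.
        self.ctx = ssl.create_default_context(cafile=ca_file)

    def call(self, command, **params):
        params[":output"] = "json"
        url = f"{self.base_url}/remote/{command}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            body = resp.read().decode()
        # ePO prefixes successful replies with "OK:"; failures arrive as HTTP 4xx.
        return json.loads(body[3:] if body.startswith("OK:") else body)


class FakeEpo:
    """Offline stand-in for EpoClient returning constructed system.find rows."""

    def __init__(self):
        self.calls = []

    def call(self, command, **params):
        self.calls.append((command, params))
        if command == "system.find":
            return [
                {"EPOComputerProperties.ComputerName": "MAC-DESIGN-01", "EPOLeafNode.Tags": "Mac, DLP_DC_ONLY"},
                {"EPOComputerProperties.ComputerName": "mac-old-03", "EPOLeafNode.Tags": "DLP_DC_ONLY"},
                {"EPOComputerProperties.ComputerName": "win-01", "EPOLeafNode.Tags": "Workstation"},
            ]
        return 1  # applyTag/clearTag report a count of affected systems


def list_tagged(client, tag_name):
    """Hostnames currently carrying tag_name (assumed row field names, see above)."""
    tagged = []
    for row in client.call("system.find", searchText=""):
        tags = {t.strip() for t in (row.get("EPOLeafNode.Tags") or "").split(",")}
        if tag_name in tags:
            tagged.append(row["EPOComputerProperties.ComputerName"])
    return tagged


def sync_tag(client, tag_name, list_text):
    """Apply/clear the tag so membership matches the list; returns the plan."""
    plan = plan_tag_changes(parse_exemption_list(list_text), list_tagged(client, tag_name))
    if plan["apply"]:
        client.call("system.applyTag", names=",".join(plan["apply"]), tagName=tag_name)
    if plan["clear"]:
        client.call("system.clearTag", names=",".join(plan["clear"]), tagName=tag_name)
    return plan


if __name__ == "__main__":
    # Dry run against the fake; for a real run use EpoClient(...) and open(list_file).read().
    print(sync_tag(FakeEpo(), TAG_NAME, SAMPLE_LIST))
```

The tag only drives the Policy Assignment Rule; the device-control-only rule set itself is still built in the DLP policy as the final post describes, and a Mac that loses the tag falls back to whatever policy its System Tree placement gives it, so review that fallback before clearing tags in bulk.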