Endpoint Protection

Hi

I am using SEPM version 11.0.6 and I have like 40 managed computers from Windows XP to Windows 7. I would like to create a separate group where If users try to plug in their USB storage devices like Memory Sticks,BB phones,Ipods etc into their systems they cannot access them or see them. I only want these devices blocked. They can use their USB mouse,keyboard and printers. How can I do this in SEPM? Any help would be appreciated.

Thanks

Carolin

How to use Application and Device Control to block all USB devices except those I specifically want to allow

http://www.symantec.com/business/support/index?page=content&id=TECH105770&actp=search&viewlocale=en_US&searchid=1334609914324

How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection.

http://www.symantec.com/business/support/index?page=content&id=TECH106304

How to Block or Allow Devices in Symantec Endpoint Protection

http://www.symantec.com/business/support/index?page=content&id=TECH175220

Application and Device Control whitepaper

http://www.symantec.com/avcenter/security/ADC/Configuring_Application_Control_1.1.pdf

Hello,

Here are the Steps to block the USB Drives -

1. First you have start and logon to “Symantec Endpoint Protection Manager”

2. In the main windows | tool bar select: “Policies” | Hardware Devices | right click and ADD

3. In Device Name write “USB Storage” and Device ID “USBSTOR*.*” | OK 

4. Then click inside “Application and Device Control” in the main menu and then right click inside “Application and Device Control” and Edit. 

5. Device Control | Blocked Devices and click Add

6. Select “USB Storage” and click OK

7. Active Notification: Mark: “Notify users when deviced is blocked”, click “Specify Message Text” ) | add messange | OK (c) and click OK.

8. To assign to the policy just click in “ASSIGN”

9. Select the group to be applied and click “Assign”

10. Done the policy will updated to all workstation member of this group.

Check these Articles:

How to Block or Allow Devices in Symantec Endpoint Protection

http://www.symantec.com/docs/TECH175220

How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection.

http://www.symantec.com/docs/TECH106304

How to block USB Keys with SEP

http://www.symantec.com/docs/TECH106361

Also, Check these Threads:

https://www-secure.symantec.com/connect/forums/how-block-usb-using-sepm-windows-7

https://www-secure.symantec.com/connect/forums/usb-device-control-2

https://www-secure.symantec.com/connect/forums/sepm-121-application-and-device-control

Hope that helps!!

Hi Carolin,

just as an addition to the previous posts: In SEP 11, Application and Device control, which is responsible for blocking USB devices, only runs on computers with 32-bit OS. E.g., if your Windows 7 computers are 64-bit, it won't work. In this case you have to update to SEP 12.1 (this is a good idea anyway).

Here is another whitepaper for Application and Device Control:

http://www.symantec.com/connect/sites/default/files/Application%20and%20Device%20Control_V1%202_4_0.pdf

HTH!

HI,

How to block or allow device's in Symantec Endpoint Protection

http://www.symantec.com/connect/articles/how-block-or-allow-devices-symantec-endpoint-protection

https://www-secure.symantec.com/connect/downloads/sep-policy-block-usb-and-exclude-keyboard-and-mouse

How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection.

http://www.symantec.com/business/support/index?page=content&id=TECH106304

 How to Block or Allow Devices in Symantec Endpoint Protection

http://www.symantec.com/business/support/index?page=content&id=TECH175220

https://www-secure.symantec.com/connect/downloads/sep-policy-block-usb-and-exclude-keyboard-and-mouse

Attachment(s)

Application and Device Control.pdf   1.82 MB 1 version

Hi Brian,

By following the instructions above, in order to whitelist (allow) then you need to manually get the USB drive type and model ?

devviewer tool will help to get the list of device id. yes, it is manual process.

Many thanks Pete for your repsonse :-)

Hi guys,

This is not working. Any ideas how to troubleshoot this issue?

Thanks

Hi

Seems as though the blocking of the USB pen drives and BB phones is working perfect for the Windows 7 32 bit computers. However it is not working for windows XP 32 bit and windows 7 64 bit computers. Any ideas would be appreciated.

Thanks

Do they have latest policy?

Are they in a different group from the ones that are working?

Hi,

Application and device control policy doesn't work on 64bit OS, you need SEP 12.1.

Symantec Endpoint Protection 11.0 compatibility with 64-bit platform

http://www.symantec.com/business/support/index?page=content&id=TECH102143

So in your case will have to check why it's not working on windows XP 32 bit only?

Check the policy serial number and also make sure same SEP features are installed on Windows xp machine compared to Windows 7 machines

I would also suggest to upgrade to the SEP 12.1 RU1 version.

You can directly upgrade from SEP 11.6 to SEP 12.1 RU1.It's a free upgrade.

Why upgrade is important?

Few differences between SEP 11.x and SEP 12.1 EE

https://www-secure.symantec.com/connect/articles/feature-differences-between-sep-11x-and-sep-121

thanks. How do I check the policy serial number? The same SEP features are installed on both Windows XP 32 bit and Windows 7 32bit.

Hi,

Screenshot is attached to the reference.Screenshot is taken from SEPM 11.x.

The client has the same policy serial number as the group they are assigned to.

Hi CHetan, how can we change the policy serial number ?

in one of the server environment, I saw that the policy is the same as my desktop and I don't want it to be treated like desktop.

Hi guys,

Really need some help with this urgently.

Thanks

HI,

Application and device control policy doesn't work on 64bit OS, you need SEP 12.1.

Symantec Endpoint Protection 11.0 compatibility with 64-bit platform

http://www.symantec.com/business/support/index?pag...

In Windows xp try to Create new SEPM group Apply ADC policy and export new package and install one sep client.

Check policy blocked aur not ?

Hi,

You should move them to the respective group.

Clients will take the policys which is assigned to their respective group.

If they are not taking assigned policy then further troubleshooting is required.

Hi,

Further troubleshooting can be done with the help of Sep Support tool logs.

Gather SEP Support Tool with WPP logging

How to enable Automatic Symantec Endpoint Protection (SEP) 12.1 Client Debugging, including WPP logs

http://www.symantec.com/docs/TECH171176

This issue is occurring on all Windows XP 32 bit machines? not on random machines?

Collect Sep support tool from affected clients machines. Collect it from at least 2 machines.

Hi

I am using 11.0.6. can this work?

Hi,

As I said earlier Application and device control policy won't work on 64bit machines.

Check this article to know more about it

Symantec Endpoint Protection 11.0 compatibility with 64-bit platform

http://www.symantec.com/business/support/index?pag...

If you are interested to upgrade then please go through the following article

SEP 11.x to SEP 12.1 Upgrade process graphical overview

http://bit.ly/sDogRu

Thanks for the update Chetan !