Working with Policy

(imported topic written by Shalva91)

Hi,

I have a requirement and I’m stuck trying to fulfill it.

I applied the permanent policy to Disable USB Storage access on all computers. I got stuck while managing the exceptions.

E.g., I’d disabled USB on 100 systems permanently. Out of these 100 systems I need to provide access to 10 systems due to business requirements.

Now, when I want to provide access to 10 systems (which are part of the Disable USB access policy), first I need to stop the previous action of the disable policy and take a new action to enable USB on only those 10 systems. It worked fine at the initial stages; however, as my client base increases, my exceptions also increase. Handling this consumes more manual work and leaves scope for human error. Does anyone have a solution to fulfill this requirement?

To be precise

I’m trying to achieve the following

  1. By default I need to disable USB storage on all 100 systems which are reporting to my console; if any new system comes into the console, USB should get disabled on that system too, and the policy should disable USB access if anybody fiddles with the settings locally or remotely at the endpoint.

  2. Out of the 100 systems reporting to the console, I need to enable USB on 10 systems for a specific time period (e.g., for 3 months from today).

  3. After 3 months, USB access should be disabled on all 10 systems automatically.

Do we have any option to achieve this?

Thanks,

Shalva Narayan

(imported comment written by Tim.Rice)

Couldn’t you use a Manual group to exclude systems?

(imported comment written by Shalva91)

I tried that one too… My main purpose in using TEM is to provide access for a particular time period; if I use the Manual group, again I need to track those systems and move them manually.

Is my understanding correct, or is there any scope for improvement?

(imported comment written by Tim.Rice)

I didn’t see any mention of time periods in the original posting. I assume that when you say “time period” you mean a range during the day. So, to make sure I understand what you are trying to do…

You want to …

  1. Disable the ability to add USB Storage to 100 computers by default.
  2. You need to have a ‘limited selection’ of computers (~10?) that will have it enabled during a defined period of the day (i.e. 8am-5pm?).

Is that correct?

If, on the other hand, you are dealing with a chaotic set of requests where the various systems have to be variously locked and unlocked with no particular pattern, it will be more difficult to automate it because there are no Rules to govern the behavior.

(imported comment written by Shalva91)

Hi Tim,

Thanks for the review.

You understood correctly; however, I modified my original post, so you may get more clarity on what I’m trying to do.

(imported comment written by Tim.Rice)

I think the easiest way to do this might be with a “Setting” on the client.

Something like a setting called “Enable USB”.

By default, the setting won’t exist on a computer where the USB is to be Disabled.

I don’t know if you need to use multiple expiration periods for the Enable USB setting or not. If you do, this will work fine for you, if not, I bet you can figure out how to modify the Task we’re going to create.

Let’s start by assuming that we will create a Setting “Enable USB” with a value equal to the number of days that USB should be enabled.

Next we’ll create a Task “Disable expired USB Permissions”.

Relevance for the Task will look something like …

(now - effective date of setting "Enable USB" of client) / day > (value of setting "Enable USB" of client as integer)

The Action for the task would be …

Setting Delete "Enable USB" on "{Now}" for client

You would also want to include the Action script that would disable the USB on the target computer to ensure that it gets disabled.

Another option is to take advantage of the fact that the Setting can be configured to self delete at some point in the future. You would need to have a task that looked for enabled USB without the setting existing, then have it disable the setting. This might be more secure, I don’t know. You might also have to make sure that the users don’t have modify access to the TEM Client Settings portion of the Registry.
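
A model of the expiry scheme in the comment above, added here as an example and not code from the thread or from TEM/BigFix: it mirrors the task relevance and action on a constructed fleet (hypothetical endpoint names and dates), and also covers the case the relevance itself cannot catch, a malformed setting value on which “as integer” fails so the task never becomes relevant.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Added example, not TEM/BigFix code: a model of the "Enable USB" client-setting
# scheme described in the thread, so the expiry rule can be checked off-console.
@dataclass
class Endpoint:
    name: str
    enable_usb_value: Optional[str] = None           # setting value: days allowed
    enable_usb_effective: Optional[datetime] = None  # None when setting is absent

def allowed_days(ep: Endpoint) -> Optional[int]:
    """Setting value 'as integer'; None if missing, malformed or negative. The
    relevance never fires on a malformed value, so policy must treat it as invalid."""
    if ep.enable_usb_value is None or ep.enable_usb_effective is None:
        return None
    try:
        days = int(ep.enable_usb_value)
    except ValueError:
        return None
    return days if days >= 0 else None

def exception_expired(ep: Endpoint, now: datetime) -> bool:
    """Task relevance: (now - effective date of setting) / day > value as integer.
    Strictly greater, so a value of 90 still permits USB on day 90 itself."""
    days = allowed_days(ep)
    if days is None:
        return False
    return (now - ep.enable_usb_effective) / timedelta(days=1) > days

def desired_usb_state(ep: Endpoint, now: datetime) -> str:
    # Baseline policy: disabled unless a valid, unexpired exception is present
    valid = allowed_days(ep) is not None and not exception_expired(ep, now)
    return "enabled" if valid else "disabled"

def run_expiry_task(fleet: list, now: datetime) -> list:
    """Task action: delete the setting on expired endpoints (they fall back to the
    default) and return their names so USB is re-disabled on exactly those."""
    expired = []
    for ep in fleet:
        if exception_expired(ep, now):
            ep.enable_usb_value = ep.enable_usb_effective = None
            expired.append(ep.name)
    return expired

NOW = datetime(2012, 4, 1)  # constructed evaluation date; fleet below is hypothetical
FLEET = [Endpoint("pc-01"),                                   # default: no setting
         Endpoint("pc-02", "90", datetime(2012, 1, 10)),     # 82 days: still valid
         Endpoint("pc-03", "90", datetime(2011, 12, 1)),     # 122 days: expired
         Endpoint("pc-04", "ninety", datetime(2012, 1, 10))]  # malformed value
```

Running the expiry task against FLEET returns only pc-03 and clears its setting, while pc-04 stays disabled under the baseline policy even though the relevance would never select it.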

(imported comment written by Shalva91)

Dear Tim,

Thanks for the answer, I can see there is some logical approach in this. However, I’m finding it may be a little complicated to configure on the console.