There may be some requirement to apply DLP Device Protection Policy to the endpoint machines like USB complete allow, USB complete block, USB Read only, etc. for one day or one week or one month. Currently there is no option in the DLP or McAfee Agent to create a DLP Policy for time based.
But the same can be implemented using System tags and Server task in the ePO. Below are the steps to be followed:
Create a tag with no criteria and apply to the machines.
Create a Policy Assignment Rules – With a rule stating that machines with the tag (newly created) should be applied with required DLP policy.
Create a Query – To identify the machines applied with Tag.
Create a Server task – Task to clear the tag in the machines at specified time.
Step 1: Create a tag with no criteria and apply to the machines.
- Created a new tag with no criteria selected. Named as – “USB Allow – 1 week”
- Applied to 5 machines in the system tree
Step 2: Create a Policy Assignment Rules – With a rule stating that machines with the tag (newly created) should be applied with required DLP policy.
- Select the Policy Assignment Rules from ePO Menu
- Name the Policy Assignment Rule as – “USB Allow – 1 Week”
- Assign the required policy in the rule – “McAfee Everything Allow”
- Give the Criteria as machines with Tag – “USB Allow – 1 week”
- Below rule will enable USB access to all the machines which are applied with the tag.
NOTE: Policy assignment through Policy Assignment Rules takes the priority against policy applied on system tree node level.
- There can be multiple rule created in Policy Assignment Rules with its own priority.
Step 3: Create a Query – To identify the machines applied with Tag.
- Create a Query in the Queries & Reports
Note: Chart type should be Table if other type is select it cannot be used in Server task.
- In Filter, Again give the criteria as machines with Tag – “USB Allow – 1 Week”
- Once you execute the query you will be able to see the machines with tag applied. In the example, 5 Machines will be showed in the output
Step 4: Create a Server task – Task to clear the tag in the machines at specified time.
- Create a new Server task.
- Name the Server task. – Clear Tag : Weekly
- In the action, select the Run Query in the first action and clear tag option in the sub-action.
- The motto of this server task: Machines with the tag will be enabled with the required DLP policy and the same should be disabled after 1 week. By this Server task the tag will be removed automatically after 1 week.
Above steps can be modified as per the requirement by changing the Tag name, Query name, and Server task name. For example, 3 different tag can be created like 1 day, 1 week and 1 month and server task for the same running accordingly like Clear tag : 1 day – deleting the tag daily, Clear tag : 1 week – deleting the tag weekly and Clear tag : 1 month – deleting the tag monthly.