VMware Horizon Community
MNCNE

Problem with McAfee DLP Device Control on WinXP virtual machines

Hello,

We are using View 4.5 and ESX 4.1.
We are using DLP 9.1 with ePO 4.5 and have the problem that USB sticks registered in DLP by serial number do not work through a zero client on a virtual machine.

We have configured rules in DLP Device Control so that only USB sticks which are content-encrypted and whose serial number is registered in DLP are allowed.


This works fine on normal physical laptops, but if I use the same USB stick on my zero client, which has a VMware virtual machine, the stick always gets blocked.
I also tried registering the stick by VID and PID instead of by serial number, but this had the same result: the stick got blocked.


If I disable all rules in Device Control, the stick gets mapped from the zero client to the virtual machine without problems.
Can you help us, or is there any well-known practice for using Device Control with virtual machines?

I was also in contact with McAfee, but they say this problem is related to VMware and that I should get in contact with VMware.


best regards
MS Heinze


Accepted Solutions
MNCNE

Hello,

so we found the problem.

We could not solve why there is no serial number of the stick in the virtual machine, but we are in contact with the zero client vendor Teradici about this.

The reason why the instance ID of the stick and the PID or VID were not working was a problem in the permission set for the users who applied the policy to ePO.

The DLP policy showed that it applied the rules, and also showed them later when you logged on, but it was only on the configuration screen that these rules were configured. When you use "Import configuration from EPO server" in the DLP policy, it loads the config which is really in use, and so we saw that when we configured the USB stick via VID, PID or device instance, it was never written to the ePO server and never applied to the virtual machine 🙂

Best regards, maybe this is helpful for somebody.

2 Replies
MNCNE

Hello,

I also checked the DLP Monitor, and this is what is quite strange to me: the serial number is not shown on the VM, so it is clear I cannot use it, but why is it not working with the VID or PID or with the device class?

In the McAfee log the PID and VID are not shown, neither for the physical machine nor for the VM, but with the tool "usbdeview" you see the same VID and PID numbers on both machines.

Here are some details of what the DLP log shows for the physical laptop and for the zero client; the same USB stick is used:

Log from Zeroclient

Device Class GUID:   4D36E967-E325-11CE-BFC1-08002BE10318

Device Class Name:   Disk drives

Device Name:   Kingston DataTraveler G3 USB Device

Device Compatible ID:   USBSTOR\Disk

Device Instance ID:   USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_G3&REV_1.00\001CC0EC303CFC70C59D2562&0

USB Serial Number:   PCoIPUSB_0001

Volume Serial Number:   3A84-8FD1

Log from Physical Client

Device Class GUID:   4D36E967-E325-11CE-BFC1-08002BE10318

Device Name:   Kingston DataTraveler G3 USB Device

Device Compatible ID:   USBSTOR\Disk

Device Instance ID:   USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_G3&REV_1.00\001CC0EC303CFC70C59D2562&0

USB Serial Number:   001CC0EC303CFC70C59D2562

USB Class:   08h - Mass Storage

Volume Serial Number:   3A84-8FD1

Best regards

0 Kudos
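Added example (not part of the original thread): a short Python script that parses the two DLP log excerpts from the post above and reports which fields are identical on the physical laptop and through the zero client, i.e. which attributes a Device Control rule could match on in both cases. The function names are hypothetical; the log text is copied from the post.

```python
# Field values below are copied from the two DLP log excerpts in the post.
ZERO_CLIENT_LOG = r"""
Device Class GUID:   4D36E967-E325-11CE-BFC1-08002BE10318
Device Class Name:   Disk drives
Device Name:   Kingston DataTraveler G3 USB Device
Device Compatible ID:   USBSTOR\Disk
Device Instance ID:   USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_G3&REV_1.00\001CC0EC303CFC70C59D2562&0
USB Serial Number:   PCoIPUSB_0001
Volume Serial Number:   3A84-8FD1
"""
PHYSICAL_LOG = r"""
Device Class GUID:   4D36E967-E325-11CE-BFC1-08002BE10318
Device Name:   Kingston DataTraveler G3 USB Device
Device Compatible ID:   USBSTOR\Disk
Device Instance ID:   USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_G3&REV_1.00\001CC0EC303CFC70C59D2562&0
USB Serial Number:   001CC0EC303CFC70C59D2562
USB Class:   08h - Mass Storage
Volume Serial Number:   3A84-8FD1
"""

def parse_record(text):
    """Parse 'Key:   value' lines into a dict, skipping blank lines."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record[key.strip()] = value.strip()
    return record

def compare(physical, redirected):
    """Classify each field as stable, changed, or missing on one side."""
    result = {"stable": [], "changed": [], "missing": []}
    for key in sorted(set(physical) | set(redirected)):
        if key not in physical or key not in redirected:
            result["missing"].append(key)
        elif physical[key] == redirected[key]:
            result["stable"].append(key)
        else:
            result["changed"].append(key)
    return result

def serial_from_instance_id(instance_id):
    """Return the last path segment of the instance ID without the '&<n>' suffix."""
    return instance_id.rsplit("\\", 1)[-1].split("&", 1)[0]

if __name__ == "__main__":
    phys, zero = parse_record(PHYSICAL_LOG), parse_record(ZERO_CLIENT_LOG)
    print(compare(phys, zero))
    print(serial_from_instance_id(zero["Device Instance ID"]), "vs", zero["USB Serial Number"])
```

On these two excerpts only the "USB Serial Number" field differs; the last segment of the Device Instance ID logged through the zero client equals the serial number logged on the physical laptop.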