Hello. LEM is still pretty new to us. We took a different approach to USB blocking. Instead of a white list, we created a black list and a list of allowed users based on an AD group. So the rule looks like this:
SystemStatus.EventInfo = *Attached*
SystemStatus.EventInfo Contains Banned USB Devices (LEM group which lists *USB Mass storage*, *iPhone, etc.)
SystemStatus.SourceAccount Does Not Contain \Allow USB Mass Storage (which is an AD group of users allowed to use USB storage devices)
This has been working perfectly for our needs, save for laptops, where the policy doesn't apply when they are not connected to the network. The solution, of course, is USB Local Policy. From what I understand, all I had to do was create a text file of the allowed users that are in the AD group. When I applied this list, all USB was blocked, including keyboards, mice, and tokens for software that requires it for licensing.
So, any ideas on how I can leverage USB Local Policy in my environment? Should the list be only the banned USB devices? I appreciate any ideas.
Thanks!