Setting up LEMSS DC Policy for the Wireless class 

Version 1

    Details

    Lumension Endpoint Management and Security Suite with the Device Control module (LEMSS DC), all supported versions

    BACKGROUND

    When you block access to the Wireless NIC class, you will not receive an "Access Denied" message when you try to use the wireless connection without permission, unlike with other device classes.  The computer may even connect to the access point and obtain an IP address, but no traffic will pass over the wireless link.  SK-NDIS is a filter driver, so it blocks the traffic rather than tearing down the connection.

    Because a wireless NIC is initialized before logon, you cannot assign this policy to individual users; use the ‘Everyone’ group instead.
    You can of course still target individual computers or computer groups via the regular DC policy assignment mechanism.

    PROCESS

    To provide a different level of access while users are connected to the wired LAN versus when they are not, create two sets of permissions and change the 'Online state definition' as described below. This example sets it up for all managed endpoints:

    1.   Under Tools > Options > Device Control > General Settings, set the 'Online state definition' option to Wired Connectivity.

    2.   Create a Wireless NIC class policy, let’s call it “Wireless NIC – Offline”
    •   Device Class: Wireless NIC
    •   Policy applied by this policy: select the "Permissions settings" check box
    •   Policy enforcement: Offline only
    •   Activation: Enable
    •   Permissions: select the radio button for "Allow the following permissions" and select the Read and Write check boxes
    •   Users: Built-in User and Groups > ‘Everyone’ > Add > Click the Finish button.

    3.   Create another Wireless NIC class policy, let’s call this one “Wireless NIC – Online”
    •   Device Class: Wireless NIC
    •   Policy applied by this policy: select the "Permissions settings" check box
    •   Policy enforcement: Online only
    •   Activation: Enable
    •   Permissions: select the radio button for "Block all access"
    •   Users: Built-in User and Groups > ‘Everyone’ > Add > Click the Finish button.

    Remember also to disable the “Default Policy for Wireless NIC”, so that only the two policies above apply to the class.

    With 'Online' defined as wired connectivity, this policy combination prevents users from using Wi-Fi while a network cable is plugged in, but allows Wi-Fi operation otherwise.
     

    When you unplug the network cable, the wireless connection will come alive after a few seconds. The Status window of the LES tray icon will display ‘Read/Write’ for the Wireless NIC class.
    Plug the network cable back in, wait a couple of seconds, and traffic will no longer flow over the wireless NIC. The Status window of the LES tray icon will display ‘None’ for the Wireless NIC class.

    As the Wi-Fi connection is not disabled but its traffic is blocked, as mentioned above, the connection may ‘appear’ open to the naked eye. If you wish to check which interface the data is actually travelling over, you can use something like Microsoft’s Netmon with two separate active network traces running (one for each NIC). You will then be able to see whether traffic is flowing or not over each interface.
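    An alternative to running two packet captures is to test the path from the endpoint itself, one adapter at a time. The PowerShell script below is an added example, not part of the original article or of the Lumension product; it assumes Windows 8 / Server 2012 or later (for the NetAdapter and NetTCPIP cmdlets) and a reachable TCP target (the host name and port are assumed values). It binds a TCP socket to each up adapter's own IPv4 address before connecting, so that Windows' default strong-host model sends the SYN out of that adapter rather than the best route, and reports whether the connection completed or timed out. Run it once with the cable plugged in and once with it unplugged.

```powershell
# Added example: per-adapter connectivity check to confirm the Wireless NIC
# policy is enforced. Not part of the original KB article.
# Assumes: Windows 8 / Server 2012 or later (Get-NetAdapter, Get-NetIPAddress).
# Save as Test-WirelessNicPolicy.ps1 and run from an elevated PowerShell prompt.

param(
    # Assumed test target: any host that answers on the given TCP port.
    # Prefer an IP address (e.g. your default gateway) so DNS is not a factor.
    [string]$TargetHost = 'www.microsoft.com',
    [int]$TargetPort    = 443,
    [int]$TimeoutMs     = 5000
)

function Test-AdapterPath {
    param([string]$LocalIp, [string]$RemoteHost, [int]$RemotePort, [int]$TimeoutMs)

    # Bind the client socket to the adapter's own address (port 0 = any) so the
    # outgoing SYN leaves through that adapter (strong-host send behaviour).
    $localEp = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Parse($LocalIp), 0)
    $client  = [System.Net.Sockets.TcpClient]::new($localEp)
    try {
        $async = $client.BeginConnect($RemoteHost, $RemotePort, $null, $null)
        # No SYN/ACK within the timeout: the filter driver (or the network) dropped it.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'BLOCKED/TIMEOUT' }
        $client.EndConnect($async)
        return 'TRAFFIC FLOWS'
    } catch {
        # e.g. SocketException when there is no route for this source address
        return "FAILED ($($_.Exception.GetType().Name))"
    } finally {
        $client.Close()
    }
}

# Physical adapters that are up; PhysicalMediaType distinguishes
# wired ('802.3') from Wi-Fi ('Native 802.11').
$adapters = Get-NetAdapter -Physical | Where-Object Status -eq 'Up'

foreach ($a in $adapters) {
    $ip = Get-NetIPAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
          Where-Object { $_.IPAddress -notlike '169.254.*' } |   # ignore APIPA addresses
          Select-Object -First 1 -ExpandProperty IPAddress

    if (-not $ip) {
        '{0,-20} {1,-14} {2}' -f $a.Name, $a.PhysicalMediaType, 'up, but no usable IPv4 address'
        continue
    }

    $result = Test-AdapterPath -LocalIp $ip -RemoteHost $TargetHost -RemotePort $TargetPort -TimeoutMs $TimeoutMs
    '{0,-20} {1,-14} {2,-16} {3}' -f $a.Name, $a.PhysicalMediaType, $ip, $result
}
```

    With the cable plugged in you should see the 802.3 adapter report 'TRAFFIC FLOWS' and the Native 802.11 adapter report 'BLOCKED/TIMEOUT' even though it holds a valid IP address; with the cable unplugged only the Wi-Fi adapter is listed and it should report 'TRAFFIC FLOWS'. Note that name resolution for $TargetHost is not bound to the test socket, so when the default route is the wired adapter the lookup still succeeds via that path; using an IP address as the target removes that ambiguity.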