We have a USB restriction policy applied to a dynamic device group for Windows devices. I created a separate USB exception policy and applied it directly to one Windows device, but USB is still blocked on that device. When I checked the device, both the USB restriction policy from the group and the USB exception policy are applied. Is there a way to allow USB only for this one device without affecting the other policies assigned through the dynamic group?
USB exception policy not working on Windows device in dynamic device group [Solved]
Replies (5)
Hello @ethan_ ,
When both a USB restriction policy and a USB exception or less restrictive USB policy are applied to the same device, the most restrictive configuration takes precedence. Because the device is still receiving the USB restriction policy through the dynamic device group, USB access remains blocked.
To allow USB on that specific device, the device must stop receiving the USB restriction policy. Since the restriction is applied through a dynamic device group, one option is to exclude the device from that group using the group criteria, for example:
- Go to Manage > Device Groups.
- Open the dynamic device group used for the USB restriction.
- Go to the Criteria tab.
- Add an exception for the specific device, such as Serial Number is <device_serial_number>.
- Save the group.
- Run Sync now from Actions > Scanning and Monitoring.
- Open the device and confirm that the USB restriction policy is no longer listed under its Policies tab.
However, excluding the device from the dynamic group removes all policies assigned through that group, not just the USB restriction policy.
Regards,
Simon Scott
Hexnode UEM
That is the part I’m worried about. The dynamic group has many other policies attached to it. If I remove the device from the group just to avoid the USB restriction, those other policies will also be removed. Is there any way to remove only the USB policy from one device while keeping the rest of the group policies?
No, a policy inherited from a dynamic device group cannot be removed from only one individual device while keeping that device inside the same group. If the device matches the dynamic group criteria, it receives all policies associated with that group.
For this scenario, the practical options are:
- Exclude the device from the dynamic group and then manually associate the required non-USB policies directly to that device.
- Remove the USB restriction policy from the broad dynamic group and apply that USB restriction policy only to the specific devices or a separate group of devices that should have USB blocked.
The second approach is usually easier to manage when USB access exceptions are needed for multiple devices, because it avoids disrupting unrelated policies assigned through the main device group.
Does the same policy behavior apply to macOS too? For example, if a Mac gets a restrictive policy from a dynamic group and another policy directly, will the restrictive one still win?
Yes. The same general behavior applies to macOS as well. If conflicting policies are applied to a device, the more restrictive configuration takes precedence. Also, if a policy is inherited through a dynamic device group, it cannot be selectively removed from only one device while that device continues to remain a member of the same group.
For both Windows and macOS, it is best to design dynamic groups and policy targets so that restrictive policies, such as USB restrictions, are applied only to devices that should actually receive them.