We're currently using Symantec Endpoint Protection for antivirus and are considering a switch to System Center Endpoint Protection. One feature of SEP that we would need to replace is Device Control Policies.
In SEP, we have configured it to block all USB devices by class, except for those we explicitly allow. We then add to the policy's exception list the hardware ID of any device we wish to allow. When a new USB device is plugged into a computer, if its hardware ID doesn't match one on the exception list, the device is disabled and the user sees a popup informing them of this.
This is great for cases when a user brings in a flash drive from home and plugs it into their computer. SEP disables the device and prevents access to the drive. Some users really do need flash drives though, so we issue encrypted flash drives to those users. Because we have set the policy to allow devices matching that specific hardware ID, when a user plugs in one of our encrypted flash drives the device is installed and operates normally.
I have been told that I can accomplish the same thing using group policy, but I'm not sure if that's correct. As I look at the description of the relevant policies, it appears that a Deny rule takes precedence over an Allow rule. That seems to prevent the "Block everything EXCEPT" method that we use currently.
Is there any way to achieve our goal using Group Policy?
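Added example, not part of the original post: a PowerShell script that lists the hardware IDs of attached USB devices (to build the allow list) and writes the registry values behind the Device Installation Restrictions policies in the "block everything except" form. The key and value names (DenyUnspecified, AllowDeviceIDs) are assumed from DeviceInstallation.admx and should be checked against your template version; in production the same values are delivered by the GPO rather than written locally.

```powershell
# Added example (not from the original post). Requires an elevated PowerShell
# on Windows 8 / Server 2012 or later (PnpDevice module).
# Assumption: value names match DeviceInstallation.admx; verify before use.

$RestrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-UsbHardwareIds {
    # Enumerate present USB and USBSTOR device nodes with their hardware IDs
    # (most specific first) so the ID of an issued encrypted drive can be copied
    # into the allow list. A USB drive exposes several nodes (the USB device,
    # the USBSTOR disk, the volume); under deny-all each must match an allow entry.
    Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -like 'USB*' } | ForEach-Object {
        $ids = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                    -KeyName 'DEVPKEY_Device_HardwareIds').Data
        [pscustomobject]@{ Name = $_.FriendlyName; InstanceId = $_.InstanceId; HardwareIds = $ids }
    }
}

function Set-DeviceInstallAllowList {
    param([Parameter(Mandatory)][string[]]$HardwareIds)
    # Registry equivalent of the two policy settings:
    #   "Prevent installation of devices not described by other policy settings" = Enabled
    #   "Allow installation of devices that match any of these device IDs"       = Enabled
    # Explicit Deny lists still take precedence over this Allow list, so leave
    # them unset when the intent is "deny everything except the listed IDs".
    $allowKey = Join-Path $RestrictionsKey 'AllowDeviceIDs'
    New-Item -Path $RestrictionsKey -Force | Out-Null
    Set-ItemProperty -Path $RestrictionsKey -Name 'DenyUnspecified' -Type DWord -Value 1
    Set-ItemProperty -Path $RestrictionsKey -Name 'AllowDeviceIDs'  -Type DWord -Value 1

    # Recreate the list subkey so stale entries do not linger, then number the
    # allowed IDs 1..n, which is how the policy editor stores them.
    Remove-Item -Path $allowKey -Recurse -Force -ErrorAction SilentlyContinue
    New-Item -Path $allowKey -Force | Out-Null
    $i = 1
    foreach ($id in $HardwareIds) {
        New-ItemProperty -Path $allowKey -Name ([string]$i) -PropertyType String -Value $id -Force | Out-Null
        $i++
    }
}

# Usage (constructed placeholder IDs; substitute the ones reported by Get-UsbHardwareIds):
# Get-UsbHardwareIds | Format-List
# Set-DeviceInstallAllowList -HardwareIds @('USB\VID_XXXX&PID_YYYY', 'USBSTOR\DiskVENDOR__ENCRYPTED_DRIVE')
```

After the values are in place, plug in a device that is not on the list and confirm in Device Manager that it is installed with an error status, while a listed encrypted drive installs normally.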