Allow CD-writers to be exempted when using read only policy
We want to have a read-only optical device policy to allow all CD-ROMs to be used but only allow CD-writers by exemption. When using the read-only mode, any attempted write events are not being reported on the client or to SEC/Central, so there are no device control events to select and exempt the CD-writer you want to authorise. The only workaround is to temporarily set the policy to the more restrictive 'blocked', at which point all previously blocked events are suddenly reported to SEC/Central, allowing it to be exempted, then the policy can be set back to read only. Clearly the events are being detected, but suppressed.
See support call #7327238 for more details, where the outcome from support was that this is an intentional design decision as the read only status can trigger an event even if the end user is not accessing the optical drive.
Even if that is the case, does it matter? If it blocks the write event (whether initiated by the user or not) then the policy is still doing its job properly, but at least if the events are reported then we have the option of whitelisting the device when we do need to allow writes by exception. The current workaround of temporarily blocking all devices for all users just to get the events reported is not really good enough. Alternatively there needs to be a different way of selecting and exempting optical devices in SEC/Central that doesn't rely on reported events.