diff --git a/docs/POSTINSTALL-README.md b/docs/POSTINSTALL-README.md
index 8edb8cc7e..ad1100d0e 100644
--- a/docs/POSTINSTALL-README.md
+++ b/docs/POSTINSTALL-README.md
@@ -98,6 +98,7 @@ When using a non-wheel user, you can add the user to other groups if you want. F
 - use libvirt: `libvirt`
 - use `adb` and `fastboot`: `plugdev`
 - use systemwide flatpaks: `flatpak`
+- use usbguard: `usbguard`
 
 > [!NOTE]
 > You don't need to login using your wheel user to use it for privileged operations. When logged in as your non-wheel user, polkit will prompt you to authenticate as your wheel user as needed, or when requested by calling `run0`.
diff --git a/files/justfiles/hardening.just b/files/justfiles/hardening.just
index 05ffb90e9..62c31f4f2 100644
--- a/files/justfiles/hardening.just
+++ b/files/justfiles/hardening.just
@@ -106,13 +106,14 @@ flatpak-permissions-lockdown:
 setup-usbguard:
     #!/usr/bin/bash
     echo "Notice: This will generate a policy based on your existing connected USB devices."
-    ACTIVE_USERNAME=$(whoami)
     run0 sh -c '
     mkdir -p /var/log/usbguard
     mkdir -p /etc/usbguard
     chmod 755 /etc/usbguard
     usbguard generate-policy > /etc/usbguard/rules.conf
+    sed -i "/IPCAllowedGroups=wheel/s/$/ usbguard/" /etc/usbguard/usbguard-daemon.conf
+    restorecon -vR /var/log/usbguard
     systemctl enable --now usbguard.service
     usbguard add-user $1
-    ' -- $ACTIVE_USERNAME
+    ' -- $USER
     systemctl enable --user --now usbguard-notifier.service
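Review bot: `' -- $USER` replaces the `whoami` lookup with an environment variable the recipe never validates; `USER` is whatever the environment carries rather than the caller's real uid, so an unset or stale value (e.g. inside `su` without a login shell) hands an empty or wrong name to `usbguard add-user $1`, and because the inner script has no `set -e` a failing `add-user` does not stop the remaining lines. Prefer `' -- "${USER:-$(id -un)}"` and quote the inner use as `usbguard add-user "$1"`. The added `sed -i "/IPCAllowedGroups=wheel/s/$/ usbguard/"` is also not idempotent — every rerun of `setup-usbguard` appends another ` usbguard` to the line — so guard it, e.g. `sed -i "/^IPCAllowedGroups=/{/usbguard/!s/$/ usbguard/}" /etc/usbguard/usbguard-daemon.conf`. Since membership in that group is what lets a non-wheel account change the USB policy through the daemon IPC, a one-line comment above the sed stating that intent, such as `# allow members of the usbguard group to talk to the daemon (see docs/POSTINSTALL-README.md)`, would make the privilege grant explicit; whether `/etc/usbguard` (also created here with `mkdir -p`) needs the same `restorecon` as `/var/log/usbguard` is worth confirming.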