1.5 Moving a Managed Device From One Zone to Another Zone

You can move a device to a zone where Full Disk Encryption is not active or to a zone where Full Disk Encryption is active.

1.5.1 Moving a Device to a Zone Where Full Disk Encryption Is Not Active

When you unregister a device from its zone, the Full Disk Encryption Agent continues to enforce the Disk Encryption policy. Encrypted volumes remain encrypted and the ZENworks PBA (if it is enabled in the policy) continues to provide pre-boot authentication.

If you then register the device in a zone where Full Disk Encryption is not active (or the Full Disk Encryption Agent is disabled or not installed), the Disk Encryption policy and the Full Disk Encryption Agent are removed from the device. Encrypted volumes are decrypted and the ZENworks PBA is removed.

To move a device:

  1. Unregister the device. See Unregistering a Device in the ZENworks Discovery, Deployment, and Retirement Reference.

    After the device is unregistered, the Full Disk Encryption Agent continues to enforce the Disk Encryption policy. Encrypted volumes remain encrypted and the ZENworks PBA (if it is enabled in the policy) continues to provide pre-boot authentication.

  2. Register the device in the new zone. See Manually Registering a Device in the ZENworks Discovery, Deployment, and Retirement Reference.

    After the device registers in the zone, the Disk Encryption policy is removed and the Full Disk Encryption Agent decrypts any encrypted volumes. The ZENworks Agent then uninstalls or disables the Full Disk Encryption Agent.

1.5.2 Moving a Device to a Zone Where Full Disk Encryption Is Active

When you unregister a device from its zone, the Full Disk Encryption Agent continues to enforce the Disk Encryption policy. Encrypted volumes remain encrypted and the ZENworks PBA (if it is enabled in the policy) continues to provide pre-boot authentication.

If you then register the device in another zone (or reregister it in the same zone) and assign a Disk Encryption policy to the device, the Full Disk Encryption Agent enforces the new policy. If the new policy uses the same encryption settings (algorithm, key length, and so forth) as the device’s current policy, no encryption changes take place. If the new policy has different encryption settings, any encrypted volumes are decrypted and then re-encrypted using the new encryption settings.

To move a device:

  1. Unregister the device. See Unregistering a Device in the ZENworks Discovery, Deployment, and Retirement Reference.

    After the device is unregistered, the Full Disk Encryption Agent continues to enforce the Disk Encryption policy. Encrypted volumes remain encrypted and the ZENworks PBA (if it is enabled in the policy) continues to provide pre-boot authentication.

  2. Register the device in the new zone. See Manually Registering a Device in the ZENworks Discovery, Deployment, and Retirement Reference.

    After the device registers in the zone, the Full Disk Encryption Agent continues to enforce the Disk Encryption policy. However, because the policy is not assigned to the device through the zone, you cannot modify the policy in ZENworks Control Center.

  3. (Optional) Assign a new Disk Encryption policy to the device.

    If you want to manage the Disk Encryption policy for the device, you need to assign a new policy that exists in the zone. To ensure that the device’s volumes are not decrypted and then encrypted again, make sure the new policy uses the same encryption settings (algorithm, key length, and so forth) as the device’s current policy.