As you configure Data Encryption policies and apply them to devices, be aware of the following:
The Data Encryption policy is a device-only policy. It cannot be assigned to users.
The Data Encryption policy does not support inheritance. The Data Encryption policy that is assigned closest to the device becomes the effective policy for the device. For example, if a Data Encryption policy is assigned to a device and to a group in which the device is a member, the device-assigned policy becomes the effective policy and the policy assigned to the device group is ignored.
The first time a Data Encryption policy is applied to a device, the device must be rebooted to enable the encryption drivers. Data encryption does not occur until after this reboot. Subsequent updates to the same policy do not require a reboot. In addition, if you remove the policy from a device and apply a new (different) Data Encryption policy before the device reboots, no reboot is required because the encryption drivers are still loaded. However, if a reboot occurs between removal of the first policy and application of the second policy, the encryption drivers are disabled and a reboot is required to enable the drivers again.
When facilitating the reboot, the Endpoint Security Agent applies the reboot behavior defined for the ZENworks Agent feature installation (ZENworks Control Center > Configuration > Management Zone Settings > Device Management > ZENworks Agent > Reboot Behavior). The one difference is that the forced reboot for a Data Encryption policy occurs after 2 minutes rather than after the 5 minutes stated for agent feature installation.
If you decide to remove a Data Encryption policy from a device, it is strongly recommended that the device’s user decrypt files prior to removal of the policy. For more information, see Removal Best Practices.
If the policy is removed from a device, the device must be rebooted to disable the encryption drivers. The reboot behavior is determined the same way as stated in list item 3 above.