5.3 Data Encryption Policy

The following instructions assume that you are on the Configure Data Encryption Settings for Removable Storage Devices pages in the Create New Data Encryption Policy Wizard (see Creating Security Policies) or that you are on the Details page for an existing Data Encryption policy (see Editing a Policy’s Details).

The Data Encryption policy lets you configure the data encryption settings applied to a device.

IMPORTANT: The Data Encryption policy is not supported on Windows 10 devices configured with UEFI BIOS or UEFI Secure Boot firmware. To encrypt removable storage data on devices that match this description, use the Microsoft Data Encryption policy.

Refer to the sections below for policy details:

5.3.1 General Information

As you configure Data Encryption policies and apply them to devices, be aware of the following:

  • The Data Encryption policy is a device-only policy. It cannot be assigned to users.

  • The Data Encryption policy does not support inheritance. The Data Encryption policy that is assigned closest to the device becomes the effective policy for the device. For example, if a Data Encryption policy is assigned to a device and to a group in which the device is a member, the device-assigned policy becomes the effective policy and the policy assigned to the device group is ignored.

  • The first time a Data Encryption policy is applied to a device, the device must be rebooted to enable the encryption drivers. Data encryption does not occur until after this reboot. Subsequent updates to the same policy do not require a reboot. In addition, if you remove the policy from a device and apply a new (different) Data Encryption policy before the device reboots, no reboot is required because the encryption drivers are still loaded. However, if a reboot occurs between removal of the first policy and application of the second policy, the encryption drivers are disabled and a reboot is required to enable the drivers again.

    When facilitating the reboot, the Endpoint Security Agent applies the reboot behavior defined for the ZENworks Agent feature installation (ZENworks Control Center > Configuration > Management Zone Settings > Device Management > ZENworks Agent > Reboot Behavior). The one difference is that the forced reboot for a Data Encryption policy occurs after 2 minutes rather than after the 5 minutes stated for agent feature installation.

  • If you decide to remove a Data Encryption policy from a device, it is strongly recommended that the device’s user decrypt files prior to removal of the policy. For more information, see Removal Best Practices.

  • If the policy is removed from a device, the device must be rebooted to disable the encryption drivers. The reboot behavior is determined the same way as stated in list item 3 above.

5.3.2 Enable Encryption for Removable Storage Devices

Select this option to enable data encryption on removable storage devices (RSDs). When the policy is applied to a device, the Endpoint Security Agent encrypts all data stored on any removable storage device connected to the device.

Removable storage devices include, but are not limited to, USB thumb drives, flash and PCMCIA memory cards, ZIP drives, floppy drives, external CDR drives, digital cameras, and MP3 players.

A device can access encrypted files on any removable storage devices encrypted by other devices in the same ZENworks Management Zone. This is because all devices within a zone receive all encryption keys for the zone. For example, if Laptop1 and Laptop2 are in the same zone, any files encrypted to a removable storage device on Laptop1 can be accessed on Laptop2.

After you enable encryption for removable storage devices, the following options are available:

  • Allow user to password-encrypt files: Files are always key-encrypted; key encryption enables the files to be read on any managed device within your ZENworks Management Zone. You can select this option to enable password encryption of the files as well. Each user supplies his or her own password to use for the encryption.

    The benefit of password-encrypting files is that the files can be read on non-managed devices (no Endpoint Security Agent installed) by using the ZENworks File Decryption utility and supplying the encryption password. To distribute the ZENworks File Decryption utility, you can have it automatically added to each removable storage device (see Copy standalone decryption tool to removable storage devices below).

    You can enable password encryption of all files added to a removable storage device, or you can specify that only files added to a specific folder are password encrypted. Select one of the following options:

    • Allow password-encrypted files anywhere on the device: All files saved to the removable storage device are required to be password encrypted.

    • Restrict password-encrypted files to this folder only: Only files saved to the specified folder are password encrypted. Specify the folder name without a drive letter (for example, EncryptedFiles). The specified folder is created on the root of the removable storage device. Folder paths are not supported (for example, documents\EncryptedFiles).

  • Require user to specify a strong encryption password: Select this option to force users to define an encryption password that meets the following requirements:

    • Seven or more characters

    • At least one of each of the four types of characters:

      • uppercase letters from A to Z

      • lowercase letters from a to z

      • numbers from 0 to 9

      • at least one special character from ~ ! @ # $ % ^ & * ( ) + { } [ ] : ; < > ? , . / - = | \ "

      For example: y9G@wb?

  • Prompt user for encryption password one time only: Select this option to allow users to provide an encryption password one time. The password is persisted across device restarts. If you don’t select this option, users are required to provide an encryption password each time the device restarts.

  • Copy standalone decryption tool to removable storage devices: The ZENworks File Decryption utility is required to decrypt the password-encrypted files on non-managed devices. Select this option to have the decryption utility copied to removable storage devices so that it is readily available to users.

  • Devices to Exclude from Encryption: Add the removable storage devices that you don’t want encrypted.

    • Create New: Click Add > Create New to manually define the device to be excluded. When the Add Device to Exclude from Encryption dialog box is displayed, click the Help icon in the upper-right corner of the dialog box for details about defining a device.

    • Copy Existing: Click Add > Copy Existing to copy excluded devices that are already defined in other Data Encryption policies. When you copy excluded devices from another policy, all devices are copied; after the copy is complete, you can remove any unwanted devices from the list.

    • Import: You can import devices from a policy export file or from a Device Scanner file. Only class 8 (Mass Storage) devices are imported; all other device classes are ignored.

      To import devices from a policy export file, click Add > Import, make sure that Existing Policy/Component is selected in the Select Source of Data list, then browse for and select the policy export file.

      To import devices from a Device Scanner file, click Add > Import, then select ZESM Device Scanner Tool in the Select Source of Data list. Browse for and select the Device Scanner file to import, then select the data fields you want imported. The recommended data fields are selected by default. You can deselect any recommended data fields and select any additional fields. The more data fields that you import, the more you limit the number of matches for a device. If you include all of the data fields for a scanned device, you can literally isolate a device definition to the specific USB port on the computer where the device was scanned.

    Device definitions are tested in the order they are listed, from top to bottom. Use the Move Up and Move Down options to reorder the list.
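The strong encryption password rules listed under Require user to specify a strong encryption password above, written out as a checker. This is an added example, not ZENworks code; the function name and the wording of the reported problems are my own, and the permitted special characters are copied from the list on this page.

```python
# Special characters the policy accepts, as listed in the strong-password requirements.
SPECIAL_CHARS = set('~!@#$%^&*()+{}[]:;<>?,./-=|\\"')


def check_strong_encryption_password(password: str) -> list[str]:
    """Return the requirements the password fails; an empty list means it qualifies.

    The four character classes and the seven-character minimum follow the policy text.
    Every failed rule is reported (not just the first) so a user can fix them all at once.
    """
    problems = []
    if len(password) < 7:
        problems.append("fewer than seven characters")
    if not any("A" <= c <= "Z" for c in password):
        problems.append("no uppercase letter A-Z")
    if not any("a" <= c <= "z" for c in password):
        problems.append("no lowercase letter a-z")
    if not any("0" <= c <= "9" for c in password):
        problems.append("no digit 0-9")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character from the permitted set")
    return problems


def is_strong_encryption_password(password: str) -> bool:
    """True when the password meets every requirement of the policy option."""
    return not check_strong_encryption_password(password)


if __name__ == "__main__":
    # Constructed sample passwords: the page's own example plus three that each miss one rule.
    for candidate in ["y9G@wb?", "y9G@wb", "password1!", "PASSWORD1!", "Passw0rd"]:
        failed = check_strong_encryption_password(candidate)
        print(f"{candidate!r}: {'OK' if not failed else ', '.join(failed)}")
```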