21.0 Removal Best Practices

The following sections provide a best practice approach to removing security policies that have been deployed to devices.

Practice 1: Remove policy assignments before deleting a policy

Deleting a policy automatically removes its policy assignments. However, we recommend that you remove the assignments before you delete the policy so that you can see whether removing the policy has any negative effects on the device. If it does, the policy is still available to reassign.

Practice 2: Decrypt files before removing a Data Encryption policy

When you remove a Data Encryption policy from a device, the encryption driver is disabled immediately but the decryption driver remains enabled until the device is rebooted. Users can continue to decrypt files until the device reboots, but no new files can be encrypted. Once the device reboots, encrypted files can no longer be decrypted.

The device is rebooted based on the reboot behavior defined for the ZENworks Adaptive Agent feature installation (ZENworks Control Center > Configuration > Management Zone Settings > Device Management > ZENworks Agent > Reboot Behavior). The one difference is that the forced reboot for a Data Encryption policy occurs after 2 minutes rather than after the 5 minutes stated for agent feature installation.

Before removing a Data Encryption policy from a device, we strongly recommend that you have the device’s user decrypt files. The user does this by moving the files from Safe Harbor folders and encrypted removable storage devices to non-Safe Harbor (unencrypted) folders on the computer.

If a user fails to decrypt files before the policy is removed and the device reboots, you can use the Administrator version of the File Decryption utility to decrypt the files. For information about the utility, see File Decryption Utility in the ZENworks 11 SP3 Endpoint Security Utilities Reference.