The File & Removable Media Protection product currently offers five “Protection Level” options for USB devices.
Please note that the below screenshot is taken from version 4.2 of the product.
For more information on the UI changes incorporated in v4.2, please refer to https://community.mcafee.com/docs/DOC-5175
Protection Level Option (1) : Allow Unprotected Access
If the Admin chooses this option, the product just silently logs the end user activities in the background.
For more information on the audit logs captured for Removable USB Media, please refer to https://community.mcafee.com/docs/DOC-5228
Protection Level Option (2) : Allow Encryption (with offsite access)
This option was formerly known as EERM (Endpoint Encryption for Removable Media). It allows end users to encrypt USB devices and to read those encrypted devices on machines that do not have the McAfee Encryption software installed. This is a “container based” encryption approach. The secure container that holds the data can be unlocked using either a password or a certificate.
There is an initial provisioning step where the container needs to be created. The screenshot below shows the UI for the device provisioning.
After the initial provisioning step, there are no additional steps for the end user. On inserting an encrypted USB stick, the end user only has to provide the authentication credentials; on successful authentication, the user can "Add", "Remove" or "Create" files in the secure container area of the device.
Protection Level Option (3) : Enforce Encryption (with offsite access)
This option was formerly known as EERM (Endpoint Encryption for Removable Media). It is essentially the same as the previous option, except that it ensures end users cannot copy data to the USB device unless the device is encrypted.
The screenshots below show some of the options that are available with Protection Level Options (2) and (3).
Protection Level Option (4) : Enforce Encryption (onsite access only)
This option was formerly known as “Regular Encryption”. This is a “file based” encryption approach. The Administrator can configure the key with which files copied to the USB device are encrypted. In this case, encryption is enforced, which ensures that all files copied to the USB device are automatically encrypted with the configured key.
In this case, the encrypted files can be read only on machines that have the client installed (and hold the necessary key). The end user does not have to configure anything when this option is selected.
With Protection Level Options (2), (3) or (4), when the device is inserted on a machine with the client, the end user sees a padlock icon on the USB device drive and on the files in the device, indicating that they are encrypted and in a protected state.
Protection Level Option (5) : Block Write Operations
This option restricts USB devices to a read-only state. Egress operations from the device are allowed, but no data can be copied to the USB device.