Hello, I have a particular situation.
We have a number of take-home laptops which are not on a domain but may connect to our office network from time to time. That becomes an issue because, by design, offline encryption will convert to "online" encryption once the machine is on the network and finds our EPO. Even though we advise users not to connect their offline-encrypted laptop to the network, they do it anyway. So we need to come up with a way so that even if they connect to the network, the offline-encrypted laptop can't find our EPO, and if we can do that successfully, the offline encryption will remain offline encryption.
So after some initial detective work, I figured out the ePo_Policy.xml file contains some reference to our EPO server (near the bottom of the file, with lines looking like this):
<EPOPolicyObject name="My Default" featureid="EEADMIN_1000" categoryid="Settings" serverid="XXXXXXXX" editflag="0" typeid="Settings">
<description></description><PolicySettings>My Default:ettings (6DFEC962-81C3-4D19-9EDE-9C36D8372DEF)</PolicySettings>
As you can see, I've replaced it with XXXXXXXXs. We are still testing whether this is enough to prevent machines from finding EPO and changing their encryption status from offline to online.
Does the second piece, FramePackage.exe, which is also generated from EPO, find its EPO? Is simply changing the XML file enough?
Thanks for your help.
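Before hand-editing the exported policy file, it helps to know every place the server identifier actually occurs in it, not just the serverid attribute quoted above. The following is an added example, not code from the thread or from the product: it walks an ePO policy XML and reports each attribute or text node that contains a given server id. The sample input is constructed from the two lines quoted in the post; the <EPOPolicies> wrapper element, the second EPOPolicyObject, and the placeholder server id "EPO-SRV-01" are assumptions made for the example.

```python
"""Scan an exported ePO policy XML for every place a given server id appears.

Added example, not from the thread. Only the EPOPolicyObject/PolicySettings
lines are modelled on the post; the <EPOPolicies> wrapper, the second policy
object and the server id "EPO-SRV-01" are constructed for this demonstration.
"""
import xml.etree.ElementTree as ET

# Constructed sample input modelled on the lines quoted in the post.
SAMPLE_XML = """<EPOPolicies>
  <EPOPolicyObject name="My Default" featureid="EEADMIN_1000" categoryid="Settings" serverid="EPO-SRV-01" editflag="0" typeid="Settings">
    <description></description><PolicySettings>My Default:Settings (6DFEC962-81C3-4D19-9EDE-9C36D8372DEF)</PolicySettings>
  </EPOPolicyObject>
  <EPOPolicyObject name="Already Masked" featureid="EEADMIN_1000" categoryid="Settings" serverid="XXXXXXXX" editflag="0" typeid="Settings">
    <description>Server id masked by hand</description><PolicySettings>EPO-SRV-01 still named in text</PolicySettings>
  </EPOPolicyObject>
</EPOPolicies>
"""


def find_server_references(xml_text, server_id):
    """Return a list of (element path, location) pairs where server_id appears.

    Both attribute values and element text are checked, because masking only
    the serverid attribute would miss a server name embedded in text content.
    The path includes the policy object's name attribute so hits are readable.
    """
    root = ET.fromstring(xml_text)
    hits = []

    def label(elem):
        name = elem.attrib.get("name")
        return elem.tag + (f"[{name}]" if name else "")

    def walk(elem, path):
        for attr, value in elem.attrib.items():
            if server_id in value:
                hits.append((path, "@" + attr))
        if elem.text and server_id in elem.text:
            hits.append((path, "text"))
        for child in elem:
            walk(child, path + "/" + label(child))

    walk(root, label(root))
    return hits


def count_masked(xml_text, mask="XXXXXXXX"):
    """Count serverid attributes that already carry the placeholder mask."""
    root = ET.fromstring(xml_text)
    return sum(1 for e in root.iter() if e.attrib.get("serverid") == mask)


if __name__ == "__main__":
    for path, where in find_server_references(SAMPLE_XML, "EPO-SRV-01"):
        print(f"{path} {where}")
    print(count_masked(SAMPLE_XML), "serverid attribute(s) already masked")
```

Run it against the real ePO_Policy.xml with your own server id to see whether the attribute you masked is the only occurrence; it only reports references in this one file and says nothing about what FramePackage.exe carries.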
Is there another way to encrypt at-home laptops without an "offline package" generated from EPO? I would like to encrypt a number of laptops but don't want to have anything to do with our EPO. Is there a standalone Encryption package installer that will simply encrypt a machine? I'm afraid that modifying that XML file may not be enough. I think framepackage.exe probably contains some reference to the parent EPO.
If you block the machine from talking to EPO, you won't be able to recover it if there's a problem. You also won't be able to track how many licences you are using, or prove any data protection/audit requirements.
It's not "offline encryption", it's offline activation. It's not meant to be a permanent situation.
Can you let us know what the problem with allowing the machines to connect is - what's the situation which means you don't want to see these in EPO?
Hi thanks for your response.
Yes, I'm fully aware of the tracking/licensing/recovery keys issue. Our IT group encrypts laptops for users, so they keep a list of users/licenses and store recovery keys.
Goal - encrypt machines without any EPO involvement.
I understand that offline activation is meant to be temporary and, as such, once on the network it will find EPO. Ideally we want people to keep these laptops at home/outside of the office network. If they do that, we are OK with offline activation, which will never find EPO and will never convert to online. However, users sometimes do bring their laptops to the office, they do connect to the network, and of course the agent finds EPO and converts to online. Because these standalone laptops were not part of a domain, no users were assigned for encryption. So if a reboot takes place, we are stuck on the pre-boot screen.
That is why we want to find out if we can break the communication by modifying some config file or something. Meaning even if they connect to the office network, we need to make sure it won't find EPO.
OR, if there is a package which we can use that will simply encrypt a machine, we would be OK with that.
Some other alternatives we may consider: set up a read-only domain controller which will be exposed to the outside network, or modify our wireless network (that's usually how laptops will connect to the network) so that EPO access can be blocked.
Hope my situation is clear. Thanks.
Are you setting these machines up with the pre-boot disabled? If so, you do realise (like every other product in this mode) that the encryption key is stored on the drive?