Your policy is set to encrypt removable media; make sure you don't have the "ignore existing content" option checked. You will also need to check the boxes "explicit encrypt" and "explicit decrypt", but keep in mind that when you explicitly decrypt ON the removable media, it will just re-encrypt it by policy. To decrypt something that was encrypted by way of moving it to removable media, you have to move the file off the removable media and then do a decrypt.
This is by design as we want to be policy driven, not user driven.
Where is my policy set to encrypt removable media? Are you referring to my CE policy or my DE policy? The only places in MEE at all that it mentions removable media are on the machine properties and the option I talked about in the original post.
I have the machine properties set to never encrypt removable media, and all the options you mentioned are set properly too. It just grays out the option to manually decrypt the drive unless I uncheck the option to "enable" removable media controls.
I guess the wording of the option is just a little tricky to me lol
Sorry, I had the wording wrong. I am referring to CE policy. You will not use the devices tab for CE, only the policies tab. You can't actually decrypt the "drive" under this CE policy, just the files on the drive. And yes, this will be greyed out. You need to move the file to your local disk and right click / decrypt.
I don't think what you want is permitted - if you set removable media encrypt on, it encrypts the removable media (thus giving you safe harbor protection).
If the user had the chance to store stuff on the stick unprotected, you wouldn't be able to claim safe harbor any more, as you wouldn't know if the data was protected or not.
If you need to be able to share secret data with third parties, why not use the option to create self-decrypting files instead?
I can see where you are coming from on this one SafeBoot.
In the past, we have had people who plug in their thumb drives and then it encrypts the files on the thumb drive, and then they would raise all kinds of havoc saying they needed their files, bla bla bla.
Management wouldn't let us disable the USB ports because people needed to use them, but at the same time wanted us to encrypt files that went off the laptop onto said thumb drives.
I guess management needs to understand that they can't have their cake and eat it too, huh? lol
I would set CE to encrypt new files pushed to the media, but ignore existing content. Any data they are taking off your corporate computers should therefore be considered company property. If they copy their kids' pictures to the USB while at home, then bring them into work, fine. If they start their college paper at home, then try to edit it at work, it should encrypt it. Any data created or edited from a corporate asset should then become property of the company.
At some point you have to tell your users to do their home stuff at home, because work time and resources are for cranking out work for the company. Once you get your upper management to agree to it and it is part of company policy, just forward that segment to anyone who cries about their encrypted homework or kids' pictures.
Don't forget there's a policy option to only encrypt new files, leaving existing stuff unprotected. You can also make the sticks read only if that helps.
If the company or organization has a mandate to encrypt and protect all data on removable media, and EE Files and Folders policies are implemented, I would set it up like this:
1. Set "Never encrypt" for Removable Devices under the Machine Group Properties.
2. Check "Allow creation of Self-Extractor" in the General properties of the EE Files and Folders Policy. No need to check "Allow explicit Encrypt (and Decrypt)"
3. In Removable Media properties check "Enable removable media encryption controls" and also check "Auto Create Self-Extractors of files put on media through the Explorer"
4. Leave the "Ignore Existing content on media" unchecked. The user will still have the option to make the existing files Self-Extracting.
Now you are faced with everything that is put on the removable media becoming a Self-Extractor. I suggest checking "Ask user if files put on media shall become Self-Extractors". This will give the user the option to create and set a password for the file to be shared on another PC, or the user can choose "No" and the file is put on the thumb drive encrypted.
Now the biggest problem I see is user error. They will forget the passwords they set on the files they wish to share. As stated in previous posts, users should just leave their personal stuff at home if possible. I agree with the statement that you cannot have your cake and eat it too.
I think it depends on whether the policy is "encrypt all stuff on removable media (for legal reasons)", or "give the user the choice to store stuff on removable media protected or unprotected, depending on how they are feeling".