1 Reply Latest reply on Jul 31, 2009 3:30 PM by SafeBoot

    Build 5701 FFE: restricted directories?

      Hi guys...

      Today I need your help on two questions:

      I have encountered a very hindering issue with the file & folder encryption today.
      We created a policy, telling the client to encrypt nsf files whenever notes.exe saves one.

      Well, it didn't.

      Everything inside the "program files" directory seems to have the encryption "enforced by a policy", which is stated in the respective directory's properties on the encryption tab.

      I... COULD... change the encryption key on the program files directory level, but that's not what I want.

      Moving the nsf file to the desktop, manually encrypting it and putting it back works fine, but I can't do that with hundreds of files.

      So are there any hardcoded directories in FFE and if so, how can I take influence on them?

      There are predefined "variables" in the Folder dropdown list, like [COMMON FILES], etc.
      Are these configurable?
      If I want to tell the policy to encrypt a local folder via UNC, how can I do that without creating a share?
      The string \\%COMPUTERNAME%\C$\folder resolves correctly from Windows Explorer, but the FFE policy doesn't seem to translate that.

        • 1. RE: Build 5701 FFE: restricted directories?
          1. Program files is hard excluded to stop Windows getting messed up - Microsoft have prohibited applications from storing data in the program files tree for many years - I'm surprised something as common as Notes still does so. It's meant to store data in the user profile, or applicationdata folders.

          I would speak to your account manager re getting a feature request raised if this is important.

          2. No, you can't add more - these are the ones again described by Microsoft. If you want to encrypt something on the C: drive, just use "c:\... " etc (why would you want to use a UNC for a local path?)

          If you must use a UNC, then it needs to be a real UNC, not one with an environment variable in (they are only handled by Explorer and a command window, and are not necessarily set in accounts other than the currently logged-in user).