Why would you want to block policy updates? It can be really important if your user is out of sync but needs to access some files...
I agree but this is because of unique business requirements.
So you are saying that this cannot be accomplished?
Not that I know without tinkering. Policy sync is an integral and necessary part of the product - I'm not sure I understand why you would want to stop the user doing it when they need to.
You could of course disable the tray manager, but then support won't be too happy if you log a ticket, and you won't be able to tell what's going on.
So, what are these unique requirements that mean for a user to update their policy is so bad?
Well, one requirement is the less user interaction the better. We are using EERM only and users need only to interact (authentication/recovery) with a protected removable device. I wish there was an option to force Files and Folders synchronization from the management console.
Not sure I get what the problem is - if the user syncs, nothing harmful is going to happen, in fact, nothing as far as the user is concerned is going to happen at all.
You said it was really important to remove this feature? If nothing's going to change for the user if they click the icon, why is it so important to get rid of it?
Files and Folders synchronization = Username and Password authentication.
We implement SSO and have it set to pass through to Files and Folders synchronization. We do not want users to authenticate again if they accidentally or intentionally perform a manual Files and Folders synchronization.
If we give non-technical users this much credit not to flub Files and Folders sync/authentication we are fooling ourselves. Fewer calls to the helpdesk the better.
I don't get it - you trust your users enough to use pre-boot authentication, and stick in their user name and password there, and I guess you must also have screen saver auth on (otherwise you won't be compliant with data protection regulations etc), but if the user clicks something and then gets presented with the same auth box, that's a problem? ;-)
As one ex-CTO of McAfee said, "security sucks", that's its nature unfortunately - you can't get protection, or even compliance without a teeny bit of change and effort.
But yes, you could hack the client tool tray manager out of the registry to remove the options, it's not supported, and not documented, but I'm sure you could work out how to do it. Not sure what it would break though, possibly nothing.
I guess you're not using any central recovery keys so you don't care about data recovery off the removable media? If your users really are that difficult, have you considered giving them hardware encrypted sticks - they are much simpler for people to operate. Just swipe your finger and you're in. No software to deploy at all.
I agree with you Safeboot. With great security comes great responsibility.
Thanks for the advice.