Select this option to enable data encryption on removable storage devices (RSDs). When the policy is applied to a device, the Endpoint Security Agent encrypts all data stored on any removable storage device connected to the device.
Removable storage devices include, but are not limited to, USB thumb drives, flash and PCMCIA memory cards, ZIP drives, floppy drives, external CDR drives, digital cameras, and MP3 players.
A device can access encrypted files on any removable storage devices encrypted by other devices in the same ZENworks Management Zone. This is because all devices within a zone receive all encryption keys for the zone. For example, if Laptop1 and Laptop2 are in the same zone, any files encrypted to a removable storage device on Laptop1 can be accessed on Laptop2.
After you enable encryption for removable storage devices, the following options are available:
Allow user to password-encrypt files: Files are always key-encrypted; key encryption enables the files to be read on any managed device within your ZENworks Management Zone. You can select this option to enable password encryption of the files as well. Each user supplies his or her own password to use for the encryption.
The benefit of password-encrypting files is that the files can be read on non-managed devices (no Endpoint Security Agent installed) by using the ZENworks File Decryption utility and supplying the encryption password. To distribute the ZENworks File Decryption utility, you can have it automatically added to each removable storage device (see Copy standalone decryption tool to removable storage devices below).
You can enable password encryption of all files added to a removable storage device, or you can specify that only files added to a specific folder are password encrypted. Select one of the following options:
Allow password-encrypted files anywhere on the device: All files saved to the removable storage device are required to be password encrypted.
Restrict password-encrypted files to this folder only: Only files saved to the specified folder are password encrypted. Specify the folder name without a drive letter (for example, EncryptedFiles). The specified folder is created on the root of the removable storage device. Folder paths are not supported (for example, documents\EncryptedFiles).
Require user to specify a strong encryption password: Select this option to force users to define an encryption password that meets the following requirements:
  Seven or more characters
  At least one of each of the four types of characters:
    uppercase letters from A to Z
    lowercase letters from a to z
    numbers from 0 to 9
    at least one special character ~ ! @ # $ % ^ & * ( ) + { } [ ] : ; < > ? , . / - = | \ ”
  For example: y9G@wb?
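The strong-password rules above, written as a check that reports which rule a candidate fails. This is an added example, not the Endpoint Security Agent's own code; the function names are hypothetical, and the typographic quote that ends the special-character list is treated as the ASCII double quote (an assumption).

```python
import string

MIN_LENGTH = 7
# Special characters as listed on the page. The list's final typographic
# quote is treated as the ASCII double quote (assumption).
SPECIALS = set('~!@#$%^&*()+{}[]:;<>?,./-=|\\"')

# The four character types, each of which must appear at least once.
CLASSES = {
    "uppercase letter A-Z": set(string.ascii_uppercase),
    "lowercase letter a-z": set(string.ascii_lowercase),
    "number 0-9": set(string.digits),
    "special character": SPECIALS,
}


def unmet_requirements(password):
    """Return the rules the password fails; an empty list means accepted."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"fewer than {MIN_LENGTH} characters")
    for name, allowed in CLASSES.items():
        if not any(ch in allowed for ch in password):
            failures.append(f"missing {name}")
    return failures


def is_strong(password):
    """True when every rule on the page is satisfied."""
    return not unmet_requirements(password)


if __name__ == "__main__":
    # Constructed candidates: the page's example plus three near misses.
    for candidate in ["y9G@wb?", "y9G@wb", "Passw0rd_", "passw0rd!"]:
        print(repr(candidate), unmet_requirements(candidate) or "accepted")
```

Under this reading of the list, characters that are not in it, such as the underscore, do not satisfy the special-character rule.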
Prompt user for encryption password one time only: Select this option to allow users to provide an encryption password one time. The password is persisted across device restarts. If you don’t select this option, users are required to provide an encryption password each time the device restarts.
Copy standalone decryption tool to removable storage devices: The ZENworks File Decryption utility is required to decrypt the password-encrypted files on non-managed devices. Select this option to have the decryption utility copied to removable storage devices so that it is readily available to users.
Devices to Exclude from Encryption: Add the removable storage devices that you don’t want encrypted.
Create New: Click Add > Create New to manually define the device to be excluded. When the Add Device to Exclude from Encryption dialog box is displayed, click the Help icon in the upper-right corner of the dialog box for details about defining a device.
Copy Existing: Click Add > Copy Existing to copy excluded devices that are already defined in other Data Encryption policies. When you copy excluded devices from another policy, all devices are copied; after the copy is complete, you can remove any unwanted devices from the list.
Import: You can import devices from a policy export file or from a Device Scanner file. Only class 8 (Mass Storage) devices are imported; all other device classes are ignored.
To import devices from a policy export file, click Add > Import, make sure that Existing Policy/Component is selected in the Select Source of Data list, then browse for and select the policy export file.
To import devices from a Device Scanner file, click Add > Import, then select ZESM Device Scanner Tool in the Select Source of Data list. Browse for and select the Device Scanner file to import, then select the data fields you want imported. The recommended data fields are selected by default. You can deselect any recommended data fields and select any additional fields. The more data fields that you import, the more you limit the number of matches for a device. If you include all of the data fields for a scanned device, you can literally isolate a device definition to the specific USB port on the computer where the device was scanned.
Device definitions are tested in the order they are listed, from top to bottom. Use the Move Up and Move Down options to reorder the list.
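The effect of field selection and list order on the exclusion list can be seen in a simplified model. This is an added example, not ZENworks code: the field names, the sample records, and the rule that a definition matches when every field it contains equals the device's value are assumptions made for illustration.

```python
MASS_STORAGE_CLASS = 8  # the page: only class 8 devices are imported

# Constructed scan records; field names and values are hypothetical.
SCAN = [
    {"name": "stick-A", "device_class": 8, "vendor_id": "0x1234",
     "product_id": "0x0001", "serial": "AAA111", "port": "hub1-port2"},
    {"name": "stick-B", "device_class": 8, "vendor_id": "0x1234",
     "product_id": "0x0001", "serial": "BBB222", "port": "hub1-port3"},
    {"name": "camera", "device_class": 6, "vendor_id": "0x5678",
     "product_id": "0x0002", "serial": "CCC333", "port": "hub1-port4"},
]

def importable(scanned):
    """Drop every record that is not class 8 (Mass Storage)."""
    return [d for d in scanned if d["device_class"] == MASS_STORAGE_CLASS]

def make_definition(device, fields):
    """Build an exclusion definition from the selected data fields."""
    return {f: device[f] for f in fields}

def matches(definition, device):
    """Assumed rule: every field in the definition must equal the device's."""
    return all(device.get(k) == v for k, v in definition.items())

def first_match(definitions, device):
    """Test definitions top to bottom; return the index of the first hit."""
    for index, definition in enumerate(definitions):
        if matches(definition, device):
            return index
    return None

def excluded_names(definitions, devices):
    """Names of devices that would be left unencrypted by the list."""
    return [d["name"] for d in devices
            if first_match(definitions, d) is not None]

if __name__ == "__main__":
    sticks = importable(SCAN)
    broad = make_definition(sticks[0], ["vendor_id", "product_id"])
    narrow = make_definition(sticks[0], ["vendor_id", "product_id", "serial"])
    pinned = make_definition(sticks[0], ["serial", "port"])
    moved = dict(sticks[0], port="hub1-port9")  # same stick, other port
    print("broad :", excluded_names([broad], sticks))
    print("narrow:", excluded_names([narrow], sticks))
    print("pinned:", excluded_names([pinned], sticks + [moved]))
```

In this model, a definition built from few fields exempts every device of the same model from encryption, so reviewing what each definition matches before deploying the policy is worthwhile.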