Nonportable Device Encryption Permission
Non-portable device encryption options can be assigned on a user or user group basis. Device permissions combined with specific device encryption default settings govern the behavior of the Encrypt Medium utility that runs on the client.
Prerequisites
You must have a properly configured and working Microsoft® Certificate Authority which can issues certificates to users for the purpose of encryption.
An administrator must set the device encryption default options and permissions to enable the Encrypt Medium utility option for non-portable device access. Non-portable device access encryption force users to encrypt devices for use only on computers running the Device Control client that are connected to the corporate network.
- In the Management Console select Tools > Default Options.
The Default Options dialog opens. - Select the Computer tab.
- In the Option column select the Microsoft CA Key Provider value.
- To allow a user to add other users to access the device, clear the Default setting check box in the Option Value panel.
- Select the Enabled value from the drop-down list.
This configuration setting requires that a Microsoft Certificate Authority is available.
- In the Management Console select View > Modules > Device Explorer.
- Right-click the Removable Storage Devices device class in the hierarchical structure at the Default settings (to activate decentralized encryption for all computers), Machine-specific settings level (to activate decentralized encryption for a specific computer), or at the individual computer group level.
- Click Add/Modify Permissions.
The Permissions dialog opens. See Managing Permissions for additional information about assigning permissions for encryption. - To create permissions that force a user to encrypt a removable storage device, click Add.
The Select Group, User, Local Group, Local User dialog opens. - Click Search or Browse and select a user or user group to assign user access permission rules, then click OK.
- From the Encryption panel, select the Unencrypted (Unencrypted or unknown encryption type) option.
Selection of this option forces a user or user group to encrypt all unencrypted devices attached to the client computer. - From the Permissions panel, select Encrypt.
- Click OK.
- From the Bus and Drive panels, select any options you want to apply.
For detailed information regarding Bus and Drive type options, see the Permissions Dialog. - To create permissions that allow the user to access the encrypted device, click Add.
- Click Search or Browse and select a user or user group to assign user access permission rules, then click OK.
- From the Encryption panel, select the Self Contained Encryption option.
- Create permissions that allow a user to access an encrypted removable storage medium. From the Permissions panel, select one or any combination of the following options: Read, Write, Decrypt.
- From the Bus and Drive panels, select any options you want to apply.
For detailed information regarding Bus and Drive type options, see the Permissions Dialog. - Click OK.
Important: You must deselect the Self Contained Encryption Encryption option.
To allow a user to save existing data stored on the removable storage device, you must add the Read permission.
Important: This step requires that you must add the same users a second time that you added in the previous steps. In the previous steps you created encryption permissions; in the following steps you are creating user access permissions for the device after encryption.
The Select Group, User, Local Group, Local User dialog opens.
Important: You must deselect the Encryption option Unencrypted (Unencrypted or unknown encryption type).
A user is forced to encrypt unencrypted devices before access to the device is allowed; no password is required for device access. After encrypting the device, the user can only access the device on computers running the client.
When a user attempts to access an unencrypted removable storage device, the Encrypt Medium utility launches and guides the user through the device encryption process.
Important: You may authorize additional users for the same type of device access using the Media Authorizer. For detailed information about using the Media Authorizer, see The Media Authorizer Window. Verify that additional users have Read and/or Write permissions for devices encrypted using Self Contained Encryption.