Portable Device Encryption Permission

Portable device encryption options can be assigned on a user or user group basis. Device permissions combined with specific device encryption default settings govern the behavior of the Encrypt Medium utility that runs on the client.

Prerequisites

You may set the Password Attempts Limit option for user password requirements, using the Tools > Default Options > Computer tab.

For detailed information about using default options, refer to Computer tab.

An administrator must set the device encryption default options and permissions to enable the Encrypt Medium utility option for portable device access. Using portable encryption options, encrypted devices can be accessed on any Microsoft Windows computer.

Computers that are served applications via Citrix XenApp (version 6 or higher) but do not have the Device Control Client installed can use the Secure Volume Browser (SVolBro) to encrypt devices on the unmanaged endpoint.

  • The Secure Volume Browser must already be installed on the computer or published to the user.
  • Only up to 2 GB of space can be used on a portable device encrypted using Citrix SVolBro.

  1. In the Management Console select Tools > Default Options.
    The Default Options dialog opens.
  2. Select the Computer tab.
  3. In the Option column select the Microsoft CA Key Provider value.
    1. To allow a user to add other users to access the device, clear the Default setting check box in the Option Value panel.
    2. Select the Disabled value from the drop-down list.
  4. In the Management Console select View > Modules > Device Explorer.
  5. Right-click the Removable Storage Devices device class in the hierarchical structure at the Default settings level (to activate decentralized encryption for all computers), the Machine-specific settings level (to activate decentralized encryption for a specific computer), or the individual computer group level.
  6. Click Add/Modify Permissions.
    The Permissions dialog opens. See Managing Permissions for additional information about assigning permissions for encryption.
  7. To create permissions that force a user to encrypt a removable storage device, click Add.
    The Select Group, User, Local Group, Local User dialog opens.
  8. Click Search or Browse and select a user or user group to assign user access permission rules, then click OK.
  9. From the Encryption panel, select the Unencrypted (Unencrypted or unknown encryption type) option.
    Selection of this option forces a user or user group to encrypt all unencrypted devices attached to the client computer.

    Important: You must deselect the Self Contained Encryption option.

  10. From the Permissions panel, select the following options:
    • Encrypt
    • Export to media

    Important: To allow a user to save existing data stored on the removable storage device, you must add the Read permission.

  11. From the Bus and Drive panels, select any options you want to apply.
    For detailed information regarding Bus and Drive type options, see the Permissions Dialog.
  12. Click OK.
  13. To create permissions that allow the user to access the encrypted device, click Add.

    Important: This step requires that you add the same users you added in the previous steps a second time. In the previous steps you created encryption permissions; in the following steps you are creating user access permissions for the device after encryption.

    The Select Group, User, Local Group, Local User dialog opens.

  14. Click Search or Browse and select a user or user group to assign user access permission rules, then click OK.
  15. From the Encryption panel, select the Self Contained Encryption option.

    Important: You must deselect the Unencrypted (Unencrypted or unknown encryption type) option.

  16. Create permissions that allow a user to access an encrypted removable storage medium. From the Permissions panel, select one or any combination of the following options:
    • Read
    • Write
    • Decrypt
  17. From the Bus and Drive panels, select any options you want to apply.
    For detailed information regarding Bus and Drive type options, see the Permissions Dialog.
  18. Click OK.

The Secure Volume Browser (SVolBro) is installed on the device during encryption. SVolBro runs on any supported Microsoft Windows computer and prompts the user for a password that allows device access, regardless of whether the machine runs the Device Control client or not. The password protects the encryption key, which is exported to the device during encryption.

When a user attempts to access an unencrypted removable storage device, the Encrypt Medium utility launches and guides the user through the device encryption process. The user will create a password for access to the encrypted device.

The following table shows the Encrypt Medium pages that the user can see based on the encryption options configuration.
