Portable and Non-portable Device Encryption Permission

Portable and non-portable device encryption options can be assigned on a user or user group basis. Device permissions combined with specific device encryption default settings govern the behavior of the Encrypt Medium utility that runs on the client.

Prerequisites

  • You must have a properly configured and working Microsoft® Certificate Authority which can issues certificates to users for the purpose of encryption.
  • You may set the Password Attempts Limit option for user password requirements, using the Tools > Default Options > Computer tab.

    For detailed information about using default options, refer to Computer tab.

An administrator must set the device encryption default options and permissions to enable the Encrypt Medium utility option for portable and non-portable device access.

  1. In the Management Console select Tools > Default Options.
    The Default Options dialog opens.
  2. Select the Computer tab.
  3. In the Option column select the Microsoft CA Key Provider value.
    1. To allow a user to add other users to access the device, clear the Default setting check box in the Option Value panel.
    2. Select the Enabled value from the drop-down list.
  4. In the Management Console select View > Modules > Device Explorer.
  5. Right-click the Removable Storage Devices device class in the hierarchical structure at the Default settings (to activate decentralized encryption for all computers), Machine-specific settings level (to activate decentralized encryption for a specific computer), or at the individual computer group level.
  6. Click Add/Modify Permissions.
    The Permissions dialog opens. See Managing Permissions for additional information about assigning permissions for encryption.
  7. To create permissions that force a user to encrypt a removable storage device, click Add.
    The Select Group, User, Local Group, Local User dialog opens.
  8. Click Search or Browse and select a user or user group to assign user access permission rules, then click OK.
  9. From the Encryption panel, select the Unencrypted (Unencrypted or unknown encryption type) option.
    Selection of this option forces a user or user group to encrypt all unencrypted devices attached to the client computer.

    Important: You must deselect the Self Contained Encryption Encryption option.

  10. From the Permissions panel, select the following options:
    • Encrypt
    • Export to Media

    To allow a user to save existing data stored on the removable storage device, you must add the Read permission.

  11. Click OK.
  12. From the Bus and Drive panels, select any options you want to apply.
    For detailed information regarding Bus and Drive type options, see the Permissions Dialog.
  13. To create permissions that allow the user to access the encrypted device, click Add.

    Important: This step requires that you must add the same users a second time that you added in the previous steps. In the previous steps you created encryption permissions; in the following steps you are creating user access permissions for the device after encryption.

    The Select Group, User, Local Group, Local User dialog opens.

  14. Click Search or Browse and select a user or user group to assign user access permission rules, then click OK.
  15. From the Encryption panel, select the Self Contained Encryption option.

    Important: You must deselect the Unencrypted (Unencrypted or unknown encryption type) Encryption options.

  16. Create permissions that allow a user to access an encrypted removable storage medium. From the Permissions panel, select one or any combination of the following options:
    • Read
    • Write
    • Decrypt
  17. From the Bus and Drive panels, select any options you want to apply.
    For detailed information regarding Bus and Drive type options, see the Permissions Dialog.
  18. Click OK.

When a user attempts to access an unencrypted removable storage device, the option Encrypt Medium utility launches and guides the user through the device encryption process.

  • If a user selects the Non-portable encryption option, then the user is forced to encrypt unencrypted devices before access to the device is allowed. After encrypting the device, the user can only access the device any computer running the Device Control client; no password is required for device access.

    Important: You may authorize additional users for the same type of device access using the Media Authorizer. For detailed information about using the Media Authorizer, see The Media Authorizer Window. Verify that additional users have Read and/or Write permissions for devices encrypted using Self Contained Encryption.

  • If a user selects the Portable encryption option, then the Secure Volume Browser (SVolBro) is installed on the device during encryption. SVolBro runs on any supported Microsoft Windows computer and prompts the user for a password that allows device access, regardless whether the computer runs the Device Control client. The password protects the encryption key, which is exported to the device during encryption.

Related Tasks