Configuration Options

Option	Description
General Settings
Agent status and update notifications	This setting controls if the end user can view their current accessibility permissions in the system tray.
Agent permission change notifications	This setting provides several options related to notifying end users of any Device Control policy updates you make. You can configure this notification to: Display a message every time you update a user's Device Control policy. This option is useful for informing users that you've updated their permissions. Display only when temporary permissions are assigned to the user. Disable the notification. For example, you might use this setting to prevent your user-base from spamming you questions related to the notifications.
Shadowing related options
Server shadow directory	The file path where the Endpoint Security Server stores uploaded copies of files that users transfer to and from devices. Depending on how widely you use full file shadowing, storage requirements can be demanding, so enter a file path with a safe amount of storage space. Changing the storage location in the future does not move your existing shadowed files to the new location.
When a user tries to write a CD in a format that doesn't support shadowing	This option determines Device Control behavior when it attempts to create a shadow file for a file copied to or from a CD or DVD. When burning a CD or DVD, files are not written directly to the media on a file-by-file basis. Instead, an intermediate file is created that represents the entire disc image, and that single file is used to create the disc. In some cases, Device Control cannot access the individual files stored in this image file. Therefore, Device Control cannot create individual shadow copies of the files stored on the disc. This option also determines what action Device Control takes when it cannot create a shadow file from a disc. Options include: Block the write operation so no data is written without being shadowed. Allow the write operation, but skip shadowing. You will have no record of what data was written to the disc. Allow the write operation, and create a shadow file of the entire disc. This option may consume excessive disk space if used frequently.
Encryption settings
Enforce Password Complexity	Forces users to use complex passwords when encrypting devices. Device Control uses the Microsoft Password Complexity Requirements.
Microsoft CA key provider	This option determines if user certificates issued by a Microsoft Certificate Authority (CA) can be used to encrypt devices. Disabled: Users must enter passwords to encrypt devices and cannot associate AD users with the device. Enabled (Decentralized): Users may add “Windows Users” to devices. When an added user connects the device, the certificate unlocks the device automatically. You must have a Microsoft Certificate Authority in your environment to use this option.
Unencrypted device connected prompt	This option allows you to enter text that displays to end users if: They connect an unencrypted device to the endpoint. Their permissions allow them (but does not force them) to encrypt the device. Use this option to remind users who are copying files to a device that they have an encryption option available. For example, you can enter a message of: "Do you wish to encrypt your device now?”
Automatically clear unused space	True: During the device encryption process, the user is forced to encrypt unused space. This option is more secure, but the encryption process takes longer. False: During the device encryption process, the user is prompted whether they want to encrypt unused space.
Retain data when encrypting device	During the device encryption process, you can configure Device Control to: Retain all data currently on the device and encrypt that data. Choose this option if users assume their data should be retained. Erase all data currently on the device and encrypt the empty device. Choose this option if you're concerned malware exists on devices connecting to your organizational endpoints. Prompt the user to choose from one of the previously mentioned options.

General Settings

Agent status and update notifications

This setting controls if the end user can view their current accessibility permissions in the system tray.

Agent permission change notifications

This setting provides several options related to notifying end users of any Device Control policy updates you make.

You can configure this notification to:

Display a message every time you update a user's Device Control policy.
This option is useful for informing users that you've updated their permissions.
Display only when temporary permissions are assigned to the user.
Disable the notification.
For example, you might use this setting to prevent your user-base from spamming you questions related to the notifications.

Shadowing related options

Server shadow directory

The file path where the Endpoint Security Server stores uploaded copies of files that users transfer to and from devices. Depending on how widely you use full file shadowing, storage requirements can be demanding, so enter a file path with a safe amount of storage space.

Changing the storage location in the future does not move your existing shadowed files to the new location.

When a user tries to write a CD in a format that doesn't support shadowing

This option determines Device Control behavior when it attempts to create a shadow file for a file copied to or from a CD or DVD.

When burning a CD or DVD, files are not written directly to the media on a file-by-file basis. Instead, an intermediate file is created that represents the entire disc image, and that single file is used to create the disc. In some cases, Device Control cannot access the individual files stored in this image file. Therefore, Device Control cannot create individual shadow copies of the files stored on the disc.

This option also determines what action Device Control takes when it cannot create a shadow file from a disc. Options include:

Block the write operation so no data is written without being shadowed.
Allow the write operation, but skip shadowing. You will have no record of what data was written to the disc.
Allow the write operation, and create a shadow file of the entire disc.

This option may consume excessive disk space if used frequently.

Encryption settings

Enforce Password Complexity

Forces users to use complex passwords when encrypting devices. Device Control uses the Microsoft Password Complexity Requirements.

Microsoft CA key provider

This option determines if user certificates issued by a Microsoft Certificate Authority (CA) can be used to encrypt devices.

Disabled: Users must enter passwords to encrypt devices and cannot associate AD users with the device.
Enabled (Decentralized): Users may add “Windows Users” to devices. When an added user connects the device, the certificate unlocks the device automatically.

You must have a Microsoft Certificate Authority in your environment to use this option.

Unencrypted device connected prompt

This option allows you to enter text that displays to end users if:

They connect an unencrypted device to the endpoint.
Their permissions allow them (but does not force them) to encrypt the device.

Use this option to remind users who are copying files to a device that they have an encryption option available.

For example, you can enter a message of: "Do you wish to encrypt your device now?”

Automatically clear unused space

True: During the device encryption process, the user is forced to encrypt unused space. This option is more secure, but the encryption process takes longer.
False: During the device encryption process, the user is prompted whether they want to encrypt unused space.

Retain data when encrypting device

During the device encryption process, you can configure Device Control to:

Retain all data currently on the device and encrypt that data. Choose this option if users assume their data should be retained.
Erase all data currently on the device and encrypt the empty device. Choose this option if you're concerned malware exists on devices connecting to your organizational endpoints.
Prompt the user to choose from one of the previously mentioned options.