Configuration Options

You can configure default settings for Device Control from the Tools > Options page.

Option

Description

General Settings

Agent status and update notifications

This setting controls whether end users can view their current device access permissions from the system tray.

Agent permission change notifications

This setting provides several options related to notifying end users of any Device Control policy updates you make.

You can configure this notification to:

  • Display a message every time you update a user's Device Control policy.
    This option is useful for informing users that you've updated their permissions.
  • Display only when temporary permissions are assigned to the user.
  • Disable the notification.
    For example, you might disable the notification to avoid a flood of user questions about permission changes.

Shadowing-related options

Server shadow directory

The file path where the Endpoint Security Server stores uploaded copies of files that users transfer to and from devices. Depending on how widely you use full file shadowing, storage requirements can be demanding, so enter a path on a volume with ample free space.

Changing the storage location in the future does not move your existing shadowed files to the new location.
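Because the shadow directory grows with every shadowed transfer and moving it later does not relocate existing files, it is worth sizing the volume up front and checking it on a schedule. The following administrator-side script is an added example, not part of the Endpoint Security Server or its documented configuration: it estimates the space a retention window will need from an assumed daily shadow volume, measures what the directory already holds, and compares both with the free space on the hosting volume. The path and the sizing figures are placeholders to replace with your own values.

```python
"""Capacity check for a Device Control server shadow directory (added example)."""
import os
import shutil
from dataclasses import dataclass


@dataclass
class ShadowCapacity:
    required_bytes: int     # space the retention window is expected to need
    used_bytes: int         # bytes currently stored under the shadow directory
    free_bytes: int         # free bytes on the volume holding the directory
    days_until_full: float  # projection at the assumed daily growth rate


def required_shadow_bytes(daily_bytes: int, retention_days: int, headroom: float = 0.25) -> int:
    """Size the shadow store for a retention window plus a safety margin."""
    return int(daily_bytes * retention_days * (1 + headroom))


def directory_size(path: str) -> int:
    """Total size of all regular files below path (0 if the path does not exist)."""
    total = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            try:
                total += os.path.getsize(os.path.join(root, name))
            except OSError:
                pass  # file removed while walking; skip it
    return total


def assess_shadow_directory(path: str, daily_bytes: int, retention_days: int,
                            headroom: float = 0.25) -> ShadowCapacity:
    """Measure the shadow directory and the free space on its volume."""
    required = required_shadow_bytes(daily_bytes, retention_days, headroom)
    used = directory_size(path)
    # disk_usage needs an existing path; if the directory has not been created
    # yet, probe the nearest existing parent on the same volume instead.
    probe = path
    while not os.path.exists(probe):
        parent = os.path.dirname(probe)
        if parent == probe:
            break
        probe = parent
    free = shutil.disk_usage(probe).free
    days = free / daily_bytes if daily_bytes else float("inf")
    return ShadowCapacity(required, used, free, days)


def shadow_directory_ok(cap: ShadowCapacity, warn_days: int = 14) -> bool:
    """True when the volume can hold the retention window and is not close to full."""
    return cap.free_bytes >= cap.required_bytes and cap.days_until_full > warn_days


if __name__ == "__main__":
    # Assumed values: a placeholder path and an estimate of 10 GiB shadowed per day,
    # retained for 90 days. Replace them with figures from your own environment.
    shadow_path = r"D:\ShadowStore"
    cap = assess_shadow_directory(shadow_path, daily_bytes=10 * 2**30, retention_days=90)
    print(f"required {cap.required_bytes / 2**30:.0f} GiB, used {cap.used_bytes / 2**30:.1f} GiB, "
          f"free {cap.free_bytes / 2**30:.0f} GiB, ~{cap.days_until_full:.0f} days until full")
    print("OK" if shadow_directory_ok(cap) else "WARNING: shadow volume under-provisioned")
```

Run it from a scheduled task on the server and alert on the warning line; the `days_until_full` projection is the figure that tells you when to add storage before shadowing starts failing for lack of space.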

When a user tries to write a CD in a format that doesn't support shadowing

This option determines how Device Control behaves when it attempts to create shadow files for files copied to or from a CD or DVD.

When burning a CD or DVD, files are not written directly to the media on a file-by-file basis. Instead, an intermediate file is created that represents the entire disc image, and that single file is used to create the disc. In some cases, Device Control cannot access the individual files stored in this image file. Therefore, Device Control cannot create individual shadow copies of the files stored on the disc.

When Device Control cannot create shadow files for the individual files on a disc, this option determines what action it takes:

  • Block the write operation so no data is written without being shadowed.
  • Allow the write operation, but skip shadowing. You will have no record of what data was written to the disc.
  • Allow the write operation, and create a shadow file of the entire disc.
    This option may consume excessive disk space if used frequently.

Encryption settings

Enforce Password Complexity

Forces users to use complex passwords when encrypting devices. Device Control uses the Microsoft Password Complexity Requirements.

Microsoft CA key provider

This option determines if user certificates issued by a Microsoft Certificate Authority (CA) can be used to encrypt devices.

  • Disabled: Users must enter passwords to encrypt devices and cannot associate AD users with the device.
  • Enabled (Decentralized): Users may add “Windows Users” to devices. When an added user connects the device, the certificate unlocks the device automatically.

You must have a Microsoft Certificate Authority in your environment to use this option.

Unencrypted device connected prompt

This option allows you to enter text that displays to end users if:

  • They connect an unencrypted device to the endpoint.
  • Their permissions allow them (but do not force them) to encrypt the device.

Use this option to remind users who are copying files to a device that they have an encryption option available.

For example, you can enter a message such as: "Do you wish to encrypt your device now?"

Automatically clear unused space

  • True: During the device encryption process, the user is forced to encrypt unused space. This option is more secure, but the encryption process takes longer.
  • False: During the device encryption process, the user is prompted whether they want to encrypt unused space.

Retain data when encrypting device

During the device encryption process, you can configure Device Control to:

  • Retain all data currently on the device and encrypt that data. Choose this option if users expect their data to be retained.
  • Erase all data currently on the device and encrypt the empty device. Choose this option if you're concerned malware exists on devices connecting to your organizational endpoints.
  • Prompt the user to choose one of the two options above.