Advanced Settings for Media Encryption

Authorization Scanning

In Advanced Settings > Authorization Scanning, you specify which file types the scan allows (authorized) and which it blocks (unauthorized). Scanning identifies a file by its extension or by its file signature (a byte pattern at a known offset), so an authorized or unauthorized list can be built from predefined file types and categories, or from file types that you define yourself.

To specify the file types:

  1. Select the scan mode:

    • Authorized

    • Unauthorized

  2. To add a file type:

    1. Click .

      The Add a File Type or Category window appears.

    2. From the drop down, select a file type or category.

    3. Click OK.

  3. To create a new file type:

    1. Click .

      The File type Add / Edit window appears.

    2. Enter the Name, Comments and File Extension.

    3. To add a File Signature:

      1. Click .

        The Add new file signature window appears.

      2. Select the Offset.

      3. In the Signature field, enter the file signature.

      4. Click OK.

      5. To delete a File Signature, select the file signature and click .

    4. Click OK.

  4. To edit a file, select the file and click .

  5. To delete a file, select the file and click .
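The procedure above defines file types by extension plus a file signature at an offset, and then applies them in either the authorized or the unauthorized scan mode. The following is an added example, not Check Point's code, that shows how those pieces fit together: a small signature table (constructed; the offsets and magic bytes are standard values, the ISO entry showing a signature that is not at offset 0), identification by signature first with the extension as a fallback, and the two scan modes. The type names, the `scan` function and the "extension does not match signature" flag are this example's own conventions.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class FileType:
    name: str
    extensions: Tuple[str, ...]                 # lowercase, including the dot
    signatures: Tuple[Tuple[int, bytes], ...]   # (offset, magic bytes); any one match identifies the type


# Constructed signature table for this example. The offset is where the magic
# bytes sit in the file; the ISO 9660 entry shows a signature that is not at offset 0.
KNOWN_TYPES = (
    FileType("PNG image", (".png",), ((0, b"\x89PNG\r\n\x1a\n"),)),
    FileType("PDF document", (".pdf",), ((0, b"%PDF-"),)),
    FileType("Windows executable", (".exe", ".dll"), ((0, b"MZ"),)),
    FileType("ISO 9660 image", (".iso",), ((0x8001, b"CD001"),)),
)


def identify(data: bytes) -> Optional[FileType]:
    """Return the first known type whose signature matches at its offset, else None."""
    for ft in KNOWN_TYPES:
        for offset, magic in ft.signatures:
            if data[offset:offset + len(magic)] == magic:
                return ft
    return None


def scan(filename: str, data: bytes, mode: str, listed: Set[str]) -> Tuple[bool, str]:
    """Apply the authorized or unauthorized list to one file.

    mode="authorized"   -> only the listed type names pass
    mode="unauthorized" -> the listed type names are blocked, everything else passes
    Returns (allowed, reason). Identification is by signature first; the extension
    is only used as a fallback for files that carry no known signature.
    """
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ft = identify(data)
    if ft is None:
        ft = next((t for t in KNOWN_TYPES if ext in t.extensions), None)
    name = ft.name if ft else "unknown"
    # A signature that disagrees with the extension is flagged; in authorized mode
    # such a file never passes, whatever its extension claims.
    mismatch = ft is not None and ext not in ft.extensions
    if mode == "authorized":
        allowed = name in listed and not mismatch
    elif mode == "unauthorized":
        allowed = name not in listed
    else:
        raise ValueError(f"unknown scan mode: {mode}")
    reason = name + (" (extension does not match signature)" if mismatch else "")
    return allowed, reason


if __name__ == "__main__":
    # Constructed sample files: a PNG header and an MZ header renamed to .png
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    exe = b"MZ" + b"\x90" * 62
    print(scan("photo.png", png, "authorized", {"PNG image"}))
    print(scan("photo.png", exe, "authorized", {"PNG image"}))
    print(scan("tool.exe", exe, "unauthorized", {"Windows executable"}))
```

Checking the signature before the extension is what makes the unauthorized list meaningful: a blocked type is still recognised when its extension has been changed, and a file whose content contradicts its extension is reported as such rather than silently accepted.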

UserCheck Messages

UserCheck for Media Encryption & Port Protection tells users about policy violations and shows them how to prevent unintentional data leakage. When a user tries to do an action that the policy does not allow, a message appears that explains the policy.

For example, you can optionally let users write to a storage device even though the policy does not allow them to do so. In this case, users are prompted to give justification for the policy exception. This justification is sent to the security administrator, who can monitor the activity.

Enabling the UserCheck messages

Select the checkbox to enable the UserCheck message:

  • Suggest to encrypt device when encryption is not mandatory

  • Suggest to encrypt device in order to get write access when inserting

  • Suggest to encrypt device in order to get write access when writing

  • Notify user that device has been blocked

  • Notify user that device has read only access

  • Notify when encrypting business related data

Customizing the UserCheck messages

You can customize UserCheck messages including the title, notification message, replacement text for the OK and Cancel buttons and also present them in multiple languages.

To customize the UserCheck messages:

  1. Click Edit for the particular UserCheck message you need to customize.

  2. Customize the message:

    • Message languages - Select multiple languages to add messages in different languages.

    • Edit language - Select the language to modify the message for the selected language.

      • Title - Edit the title of the notification.

      • Main text - Edit the text of the notification.

      • Body text - Edit the text of the notification.

      • OK button - Modify the UI text for the OK button.

      • Cancel button - Modify the UI text for the Cancel button.

      • More button - Modify the UI text for the More options button.

      Note -

      UserCheck messages asking justification for copying the files additionally include:

      • Check box - Modify the UI text for the check box.

      • Notes - Edit the text of notes.

      • Justification - Edit the text of the justification.

      • Warning - Edit the warning text.

  3. Click OK.

Advanced Encryption

  • Allow user to choose owner during encryption - Lets users manually define the device owner before encryption. This lets users create storage devices for other users. By default, the device owner is the user who is logged into the endpoint computer. The device owner must be an Active Directory user.

  • Allow user to change the size of encrypted media - Lets users change the percentage of a storage device that is encrypted. The percentage cannot be lower than Minimum percentage of media capacity used for encrypted storage or Default percentage of media capacity used for encrypted storage.

  • Allow users to remove encryption from media - Lets users decrypt storage devices.

  • When encrypting, unencrypted data will be - Select one of these actions for unencrypted data on a storage device upon encryption:

    • Copied to encrypted section - Unencrypted data is encrypted and moved to the encrypted section of the storage device. We recommend that you back up unencrypted data before encryption to prevent data loss if encryption fails, for example, because there is insufficient space on the device.

    • Deleted - Unencrypted data is deleted.

    • Untouched - Unencrypted data is not encrypted or moved.

  • Secure format media before encryption - Run a secure format before encrypting the storage device. Select the number of format passes to do before the encryption starts.

  • Change device name and icon after encryption - When selected, after the device is encrypted, the name of the non-encrypted drive changes to Non Business Data and the icon changes to an open lock. When cleared, the name of the non-encrypted drive and the icon do not change after the device is encrypted.

  • When encrypting media, file system should be:

    • As already formatted - According to the original format.

    • ExFAT

    • FAT32

    • NTFS

    Allow user to change the file system of the encrypted storage - After the storage device has been encrypted with a specific file system, the user can change it to another file system.

Site Configuration

Site Actions control whether to allow or prevent access to devices that were encrypted by a different Endpoint Security Management Server. Each Endpoint Security Management Server (known as a Site) has a Universally Unique Identifier (UUID). When you encrypt a storage device on an Endpoint Security client, the UUID of the Endpoint Security Management Server is written to the device. The Site action can prevent access to devices encrypted on a different Endpoint Security Management Server or by another organization. The Site action is enabled by default.

When a user attaches a storage device, Media Encryption & Port Protection checks that the UUID written on the device matches the UUID of the Endpoint Security Management Server, or of another trusted Endpoint Security Management Server. If the UUIDs match, the user can enter a password to access the device. If the UUID does not match, access to the device is blocked.

Allow access to storage devices encrypted at any site - Endpoint Security clients can access encrypted devices that were encrypted at any site.

Allow access to storage devices encrypted at current site only - Media Encryption Site (UUID) verification is enabled. Endpoint Security clients can only access encrypted devices that were encrypted by the same Endpoint Security Management Server.
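The two Site actions above decide whether the UUID check runs before the password prompt. The following added example, which is not Check Point's code and does not reflect the product's real on-disk format, models that decision: a simulated marker that encryption writes to the device (the `MEPP` tag and the 16-byte UUID layout are this example's own assumptions), the read-back with a check for a missing or truncated marker, and the policy choice between any site and the current site only. The current-site-only branch also accepts a set of trusted site UUIDs, as described in the paragraph above; the site identifiers used in the demonstration run are constructed.

```python
import uuid
from typing import FrozenSet, Optional, Tuple

# Constructed header tag for this example; the product's real device layout is not public here.
SITE_MARKER = b"MEPP"


def write_site_marker(site_uuid: uuid.UUID) -> bytes:
    """Simulate what encryption leaves on the device: the marker followed by the site's UUID."""
    return SITE_MARKER + site_uuid.bytes


def read_site_marker(header: bytes) -> Optional[uuid.UUID]:
    """Recover the encrypting site's UUID, or None if the marker is absent or truncated."""
    if len(header) < len(SITE_MARKER) + 16 or not header.startswith(SITE_MARKER):
        return None
    return uuid.UUID(bytes=header[len(SITE_MARKER):len(SITE_MARKER) + 16])


def site_allows_access(header: bytes, policy: str, this_site: uuid.UUID,
                       trusted_sites: FrozenSet[uuid.UUID] = frozenset()) -> Tuple[bool, str]:
    """Apply one of the two Site actions.

    policy="any_site"          -> no UUID verification; go straight to the password prompt
    policy="current_site_only" -> only this site's UUID (or a trusted site's) may proceed
    Returns (may_prompt_for_password, reason).
    """
    device_site = read_site_marker(header)
    if device_site is None:
        # Not a device this check can reason about; treat as not verified.
        return False, "no site marker found on device"
    if policy == "any_site":
        return True, "site verification disabled; prompt for password"
    if policy == "current_site_only":
        if device_site == this_site or device_site in trusted_sites:
            return True, "site UUID verified; prompt for password"
        return False, f"encrypted at foreign site {device_site}; access blocked"
    raise ValueError(f"unknown site policy: {policy}")


# Constructed site identifiers for a demonstration run
THIS_SITE = uuid.UUID("11111111-1111-4111-8111-111111111111")
PARTNER_SITE = uuid.UUID("22222222-2222-4222-8222-222222222222")
FOREIGN_SITE = uuid.UUID("33333333-3333-4333-8333-333333333333")

if __name__ == "__main__":
    header = write_site_marker(FOREIGN_SITE)
    print(site_allows_access(header, "any_site", THIS_SITE))
    print(site_allows_access(header, "current_site_only", THIS_SITE))
    print(site_allows_access(write_site_marker(PARTNER_SITE), "current_site_only",
                             THIS_SITE, frozenset({PARTNER_SITE})))
```

The point worth noticing is the order of checks: with current-site-only enabled, a device from a foreign site is refused before any password is requested, so a correct password for a device encrypted elsewhere does not by itself grant access on this site's clients.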

Lockout Settings

You can configure Media Encryption & Port Protection in the Lockout Settings to lock a device after a specified number of unsuccessful login attempts.

To configure lockout settings:

  1. Select Lock storage device after failed authentication attempts.

  2. To lock the storage device temporarily:

    1. Select Temporarily lock device.

    2. In the Temporarily lock device after authentication failed field, enter the number of failed login attempts after which the system locks the device.

    Notes:

    • If a device is locked temporarily, users can try to authenticate again after the specified time.

    • A temporary lock only occurs when its value is less than the permanent lock.

  3. To lock the storage device permanently:

    1. Select Permanently lock device.

    2. In the Permanently lock device after authentication failed field, enter the number of failed login attempts after which the system permanently locks the device. This value must be greater than the value in the Temporarily lock device after authentication failed field.

      Note - If the device is locked permanently, users can request to unlock it through Remote Help. For more information, see Media Encryption Remote Help.

  4. In the Duration for temporary storage device lock field, enter how long after the failed login attempts the system keeps the device locked before the user can try again.
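The lockout procedure above combines three values: the temporary threshold, the permanent threshold (which must be higher), and the duration of a temporary lock. The following added example, not Check Point's code, walks one device through those settings so the interaction between them is visible: a policy object that rejects a temporary threshold that is not lower than the permanent one (the note above says a temporary lock only takes effect in that case), and an attempt handler that returns what the user would see. One behaviour is this example's own assumption and is marked as such: the failure count keeps accumulating across temporary locks, so the device re-locks on each further failure until the permanent threshold is reached.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LockoutPolicy:
    temp_after: Optional[int]   # failed attempts before a temporary lock (None = not enabled)
    perm_after: Optional[int]   # failed attempts before a permanent lock (None = not enabled)
    temp_duration_s: int        # Duration for temporary storage device lock, in seconds

    def __post_init__(self) -> None:
        # A temporary lock only takes effect when its threshold is lower than the
        # permanent one, so this example rejects any other combination outright.
        if (self.temp_after is not None and self.perm_after is not None
                and self.temp_after >= self.perm_after):
            raise ValueError("temporary lock threshold must be lower than the permanent one")


@dataclass
class DeviceAuthState:
    failures: int = 0
    locked_until: Optional[float] = None   # epoch seconds; None when no temporary lock is active
    permanently_locked: bool = False


def attempt_login(state: DeviceAuthState, policy: LockoutPolicy,
                  password_ok: bool, now: float) -> str:
    """Process one authentication attempt at time `now` and return the outcome:
    "ok", "wrong_password", "temporarily_locked" or "permanently_locked"."""
    if state.permanently_locked:
        return "permanently_locked"           # only Remote Help can clear this state
    if state.locked_until is not None:
        if now < state.locked_until:
            # Inside the lock duration the password is not even evaluated.
            return "temporarily_locked"
        state.locked_until = None             # duration elapsed; the user may try again
    if password_ok:
        state.failures = 0
        return "ok"
    state.failures += 1
    if policy.perm_after is not None and state.failures >= policy.perm_after:
        state.permanently_locked = True
        return "permanently_locked"
    if policy.temp_after is not None and state.failures >= policy.temp_after:
        # Assumption of this example: failures accumulate across temporary locks, so
        # every further failure re-locks the device until the permanent threshold.
        state.locked_until = now + policy.temp_duration_s
        return "temporarily_locked"
    return "wrong_password"


if __name__ == "__main__":
    policy = LockoutPolicy(temp_after=3, perm_after=5, temp_duration_s=600)
    state = DeviceAuthState()
    # Constructed sequence: three failures, a correct password during the lock,
    # another failure after the lock expires, then the fifth failure.
    for ok, t in [(False, 0), (False, 1), (False, 2), (True, 3), (False, 700), (False, 1400)]:
        print(t, attempt_login(state, policy, ok, t))
```

Note the fourth step of the demonstration run: a correct password entered while the temporary lock is active is still refused, which is the behaviour the duration field controls.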

Offline Access

Password protect media for access in offline mode - Lets users assign a password to access a storage device from a computer that is not connected to an Endpoint Security Management Server. Users can also access the storage device with this password from a non-protected computer.

Allow user to recover their password using remote help - Lets users recover passwords using remote help.

Copy utility to media to enable media access in non-protected environments - Copies the Explorer utility to the storage device. This utility lets users access the device from computers that are not connected to an Endpoint Security Management Server.

Password Constraints

You can specify the password requirements for users to follow to log in to the device.

To configure the password constraints, select one of these:

  • Use Windows Complexity Requirements

  • Use Custom Requirements

    • Consecutive identical characters are not allowed

    • Require special characters

    • Require digits

    • Require lower case characters

    • Require upper case characters

    • Password must not contain user name or full name

    • In the Minimum length of password field, enter the number of characters required in the password. The minimum supported length is four characters.
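The custom requirements above are individually simple, but a practitioner usually wants to see them applied together and to see every failing rule reported at once. The following is an added example, not Check Point's code: one function that checks each custom requirement and returns the names of those the password fails. The rule names are this example's own labels. It also enforces the four-character floor on the Minimum length of password field. One detail goes beyond the page and is marked as an assumption: besides the user name and the full name, each word of the full name of three or more characters is also treated as a forbidden substring, so a password that embeds only the surname is still rejected.

```python
import re
from typing import List

MIN_SUPPORTED_LENGTH = 4   # the minimum supported value of the Minimum length of password field


def name_tokens(user_name: str, full_name: str) -> List[str]:
    """Lowercased strings the password must not contain: the user name, the full name
    and (an assumption of this example) each word of the full name with 3+ characters."""
    tokens = {user_name, full_name}
    tokens.update(t for t in re.split(r"[\s,.\-_]+", full_name) if len(t) >= 3)
    return [t.lower() for t in tokens if t]


def failed_requirements(password: str, user_name: str, full_name: str,
                        min_length: int = 8) -> List[str]:
    """Return the names of the custom requirements the password fails (empty = accepted).
    Every rule is evaluated so the user sees all problems in one pass."""
    if min_length < MIN_SUPPORTED_LENGTH:
        raise ValueError(f"minimum length must be at least {MIN_SUPPORTED_LENGTH}")
    failed: List[str] = []
    # Consecutive identical characters are not allowed
    if any(a == b for a, b in zip(password, password[1:])):
        failed.append("consecutive_identical")
    # Require special characters (anything that is not a letter or digit counts here)
    if not any(not c.isalnum() for c in password):
        failed.append("require_special")
    # Require digits
    if not any(c.isdigit() for c in password):
        failed.append("require_digits")
    # Require lower case characters
    if not any(c.islower() for c in password):
        failed.append("require_lower")
    # Require upper case characters
    if not any(c.isupper() for c in password):
        failed.append("require_upper")
    # Password must not contain user name or full name (case-insensitive)
    lowered = password.lower()
    if any(t in lowered for t in name_tokens(user_name, full_name)):
        failed.append("contains_user_or_full_name")
    # Minimum length of password
    if len(password) < min_length:
        failed.append("min_length")
    return failed


if __name__ == "__main__":
    # Constructed account and candidate passwords
    for candidate in ("Tr0ub4dor&3", "aabbcc", "JaneDoe!1x"):
        print(candidate, failed_requirements(candidate, "jdoe", "Jane Doe"))
```

Returning the full list rather than stopping at the first failure is the choice a user-facing check should make; a single "password rejected" message tends to produce several more rejected attempts, which matters when lockout settings are also in force.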