Encryption Settings

Offline Access Actions

You can select one of these predefined actions to define encryption behavior for storage devices:

Allow offline access to encrypted media - Users can enter a password to access storage devices on protected computers not connected to an Endpoint Security Management Server (Offline). Users can also use their password to access storage devices on a non-protected computer.
Do not allow offline access to encrypted media - Users cannot access storage devices on protected computers that are not connected to an Endpoint Security Management Server or on non-protected computers.

You can change the settings of these predefined actions and create new custom Offline Access to Media action.

Custom Offline Access Settings

You can define custom offline access actions that include these settings:

Encryption Settings

Setting	Description
Allow user to choose owner during encryption	Lets users manually define the device owner before encryption. This lets users create storage devices for other users. By default, the device owner is the user who is logged into the endpoint computer. The device owner must be an Active Directory user.
Allow user to change size of encrypted media	Lets users change the percentage of a storage device that is encrypted, not to be lower than Minimum percentage of media capacity used for encrypted storage or Default percentage of media capacity used for encrypted storage. Also see Configuring Encryption Container Settings.
Allow users to remove encryption from media	Lets users decrypt storage devices.
Allow user to upgrade from legacy drives	Lets users upgrade storage devices that were encrypted by File Encryption version R73.
When encrypting, Non-Business Related Data will be:	Select one of these actions for existing data on a storage device upon encryption: Copied to encrypted section - Non-Business Related data is encrypted and moved to the Business Related (encrypted) storage device. We recommend that you back up Non-Business Related data before encryption to prevent data loss if the encryption fails. For example, this can occur if there is insufficient space on the device. Deleted - Non-Business related data is deleted. Untouched - Non-Business Related data is not encrypted or moved.
Secure format media before encryption	Run a secure format before encrypting the storage device. Select the number of format passes to do before the encryption starts.
Change device name and icon after encryption	When selected, after the device is encrypted, the name of the non-encrypted drive changes to Non Business Data and the icon changes to an open lock. When cleared, the name of the non-encrypted drive and the icon do not change after the device is encrypted.

Offline Access Settings

Setting	Description
Password protect media for access in offline mode	Lets users assign a password to access a storage device from a computer that is not connected to an Endpoint Security Management Server. Users can also access the storage device with this password from a non-protected computer
Allow user to recover their password using remote help	Lets user recover passwords using remote help.
Copy utility to media to enable media access in non-protected environments	Copies the Explorer utility to the storage device. This utility lets users access the device from computers that are not connected to an Endpoint Security Management Server.
Protect media with password for read-only access in offline mode	Lets users assign a different password that gives read-only access to a storage device.
Allow user to change read-only password	Lets users change a previously defined read-only password.

Configuring Encryption Container Settings

Configure options for setting the encrypted space on storage devices.

To configure encryption settings for users on storage devices:

In the SmartEndpoint Policy tab, select a Media Encryption & Port Protection rule.
Clone the Offline access to encrypted storage devices action.
in the cloned action, under Allow offline access to encrypted storage devices, select Allow user to change the size of encrypted media.
Set the Minimum percentage and Default percentage of free space- how much of the device's free space can be used
Or set the Minimum percentage and Default percentage of media capacity - how much of the device's total capacity can be used.

To force encryption of all media:

Do not select Allow user to change the size of encrypted media.
Set the Minimum percentage and Default percentage of media capacity to 100.

Password Constraints for Offline Access

In the Properties of the Offline Access action, click Configure password constraints to set the requirements for password used to access encrypted devices.

These Actions define the requirements for user passwords for Media Encryption & Port Protection:

Action	Description
Use Windows password complexity	The standard Windows password requirements are enforced: The password must: Have at least six characters Have characters from at least 3 of these categories: uppercase, lowercase, numeric characters, symbols.
Use custom password complexity	If you select this, select the requirements for which type of characters the password must contain or not contain.

Action

Description

Use Windows password complexity

The standard Windows password requirements are enforced:

The password must:

Have at least six characters
Have characters from at least 3 of these categories: uppercase, lowercase, numeric characters, symbols.

Use custom password complexity

If you select this, select the requirements for which type of characters the password must contain or not contain.

Double-click an action to edit the properties:

Option	Description
Use custom requirements	If you select this, select the requirements for which type of characters the password must contain or not contain: Consecutive identical characters, for example, aa or 33 Require special characters. These can be: ! " # $ % & ' ( ) * + , - . / : < = > ? @ { Require digits, for example 8 or 4. Require lower case characters, for example g or t. Require upper case characters, for example F or G. Password must not contain user name or full name.
Minimum length of password	Enter the minimum number of characters for a valid password.
Password can be changed only after	Enter the minimum number of days that a password must be valid before the user can change it.
Password expires after	Enter the maximum number of days that a password can be valid before the user must change it.
Number of passwords	Enter the minimum number of password changes needed before a previously used password can be used again.

Media Lockout Settings

You can configure Media Encryption & Port Protection to lock a device after a specified number of unsuccessful login attempts:

Temporarily - If a device is locked temporarily, users can try to authenticate again after a specified time.
Permanently - If the device is locked permanently, it stays locked until an administrator unlocks it.

Select one of these Actions to define if and when user accounts are locked:

Action	Description
Do not lock out storage device upon failed authentication.	Users are not locked out of a device if they try to log on unsuccessfully. This setting is not recommended.
Temporarily lock storage device upon failed authentication attempts	After a configured amount of failed log on attempts (the default is 5), the device is temporarily locked.
Permanently lock storage device upon failed authentication attempts	After a configured amount of failed log on attempts (the default is 10), the device is permanently locked.

Right-click an Action to edit the properties. You can also create custom device Lock actions.