Media Encryption Site Actions

Site Actions control when to allow or prevent access to encrypted devices that were encrypted by different Endpoint Security Management Servers. Each Endpoint Security Management Server (known as a Site) has a Universally Unique Identifier (UUID). When you encrypt a storage device on an Endpoint Security client, the Endpoint Security Management Server UUID is written to the device. The Site action can prevent access to devices encrypted on a different Endpoint Security Management Server or from another organization. The Site action is enabled by default.

When a user attaches a storage device, Media Encryption & Port Protection makes sure that the UUID on the device matches the UUID of the Endpoint Security Management Server or of another trusted Endpoint Security Management Server. If the UUIDs match, the user can enter a password to access the device. If the UUID does not match, access to the device is blocked.

This table shows what occurs when you insert an encrypted device into a client that is connected to an Endpoint Security Management Server and the policy allows read access. The Endpoint Security Management Server that the device was encrypted with is referred to as "the encrypting Endpoint Security Management Server".

| The client is connected to: | Action |
|---|---|
| The encrypting Endpoint Security Management Server | User can access automatically or enter a password for access. |
| A different trusted Endpoint Security Management Server | User can enter a password for access. |
| A non-trusted Endpoint Security Management Server | User cannot access the device. |

Configuring Media Encryption Site Actions

Media Encryption Site actions are part of the Media Encryption & Port Protection Policy. This predefined action is enabled by default. You can change this action or create your own custom actions.

| Action | Description |
|---|---|
| Allow access to media encrypted at current site only | Media Encryption Site (UUID) verification is enabled. Endpoint Security clients can only access encrypted devices that were encrypted by the same Endpoint Security Management Server. If you add Endpoint Security Management Servers to the table below, they are considered trusted and devices encrypted on those servers are allowed also. |

To allow access to devices encrypted on other trusted Endpoint Security Management Servers:

  1. Right-click a Media Encryption Site action and select Edit.
  2. Select Endpoint client will allow access only to encrypted media that was encrypted by an Endpoint client connected to one of the following management servers.
  3. Click Add > New.
  4. In the New Management Server window, enter:
    • Name - A descriptive name for the trusted server.
    • Comments - Optionally add free text comments.
    • Server UUID - The trusted Endpoint Security Management Server UUID.
  5. Click OK.

To allow access to devices encrypted on this Endpoint Security Management Server from other Endpoint Security Management Servers:

  1. Right-click a Media Encryption Site action and select Edit.
  2. The Edit Properties window opens.
  3. Select Endpoint client will allow access to encrypted media that was encrypted by an endpoint client connected to any management server.
  4. Click Copy to Clipboard and then save the current Endpoint Security Management Server UUID to a text file.
  5. Add the current Endpoint Security Management Server, using the saved UUID, to the Media Encryption Site action on each trusted Endpoint Security Management Server.

To disable Media Encryption sites:

  1. Right-click the Allow access to media encrypted at current site only action.
  2. Select Edit.
  3. In the Select Action field, select New.

    This creates a new site action.

  4. In the Policy Action Single Page Form window, give the policy a different name and description.
  5. Click OK.
  6. Select Endpoint Client will allow access to encrypted media which was encrypted by an endpoint client connected to any management server.
  7. Click OK.

When Media Encryption Sites is disabled, Endpoint Security clients can access storage devices that were encrypted by all Endpoint Security Management Servers.
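
The site check and trust lists described above can be modeled to review a multi-server deployment before changing the policy. This is an added example, not Check Point code: the `Site` class, the `access` and `audit` functions, the outcome labels and the sample UUIDs are all hypothetical or constructed. It assumes you have collected each server's UUID and trusted-server list by hand.

```python
import uuid
from dataclasses import dataclass, field

def norm(u):
    """Canonical UUID text; raises ValueError on a malformed value."""
    return str(uuid.UUID(u))

@dataclass
class Site:                      # hypothetical model of one management server
    name: str
    server_uuid: str
    trusted: set = field(default_factory=set)  # UUIDs added to its Site action
    verify: bool = True          # False = "any management server" selected

    def trusts(self, device_uuid):
        return norm(device_uuid) in {norm(t) for t in self.trusted}

def access(client_site, device_uuid):
    """Outcome when a device carrying device_uuid is attached to a client of client_site."""
    if norm(device_uuid) == norm(client_site.server_uuid):
        return "own-site"             # automatic or password access
    if not client_site.verify:
        return "site-check-disabled"  # media from any server is accepted
    if client_site.trusts(device_uuid):
        return "trusted-site"         # password access
    return "blocked"

def audit(sites):
    """Report disabled site checks, unknown trusted UUIDs and one-way trust."""
    by_uuid = {norm(s.server_uuid): s for s in sites}
    findings = []
    for s in sites:
        if not s.verify:
            findings.append((s.name, "site verification disabled"))
        for t in sorted(norm(t) for t in s.trusted):
            peer = by_uuid.get(t)
            if peer is None:
                findings.append((s.name, f"trusts unknown UUID {t}"))
            elif peer.verify and not peer.trusts(s.server_uuid):
                findings.append((s.name, f"one-way trust: {peer.name} does not trust {s.name}"))
    return findings

# Constructed sample sites and UUIDs, not real server identifiers.
HQ = Site("HQ", "11111111-1111-4111-8111-111111111111",
          trusted={"{22222222-2222-4222-8222-22222222222A}"})
BRANCH = Site("Branch", "22222222-2222-4222-8222-22222222222a")
LAB = Site("Lab", "33333333-3333-4333-8333-333333333333", verify=False)

if __name__ == "__main__":
    for finding in audit([HQ, BRANCH, LAB]):
        print(finding)
```

The one-way trust finding shows why the second procedure matters: adding a server to your own trusted list does not let that server's clients read media encrypted at your site.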