Reference Guide

Manage Policies
when logged on to any encrypted device, regardless of the Dell Server the
user activated against. The user cannot work with encrypted data using
any unencrypted device.
EMS Device Whitelist
String - Maximum of 150 devices with a maximum of 500 characters per
PNPDeviceID. Maximum of 2048 total characters allowed. "Space" and
"Enter" characters count in the total characters used.
This policy allows the specification of removable media devices to exclude
from encryption [using the device's Plug and Play device identifier
(PNPDeviceID)], thereby allowing users full access to the specified
removable media devices.
This policy is available on an Enterprise, Domain, Group, and User level.
Note that local settings override inherited settings. If a user is in more than
one group, all EMS Device Whitelist entries, across all Groups, apply.
This policy is particularly useful when using removable media devices
which provide hardware encryption. However, this policy should be used
with caution. This policy does not check whether external media devices
on this list provide hardware encryption. Whitelisted removable storage
devices that do not have hardware encryption do not have enforced
security and are not protected.
For example, the Kingston® DataTraveler® Vault Privacy model enforces
that encryption is enabled to use the device. However, the Kingston
DataTraveler Vault model has an unsecured partition and a secured
partition. Because it is the same physical removable media device with only
one PNPDeviceID, the two partitions cannot be distinguished, meaning that
whitelisting this particular device would allow unencrypted data to leave
the endpoint.
Additionally, if a removable media device is encrypted and is subsequently
added to the EMS Device Whitelist policy, it remains encrypted and requires
a reformat of the device to remove encryption.
The following is an example of a PNPDeviceID, which contains the
manufacturer identifier, product identifier, revision, and hardware serial
number:
To whitelist a removable media device, provide a string value that matches
portions of the device’s PNPDeviceID. Multiple device PNPDeviceIDs are
allowed.
For example, to whitelist all Kingston DataTraveler Vault Privacy models,
input the string:
To whitelist both models of Kingston DataTraveler, the Vault and Vault
Privacy models, input the string:
Space characters are considered part of the substring to match to a
PNPDeviceID. Using the previous PNPDeviceID as an example, a space
before and after the semicolon would cause neither of the substrings to be
matched, because the space character is not part of the PNPDeviceID.
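The limits and matching rules above, as an added example (not Dell code): a check that splits a policy string on semicolons without trimming, applies the stated limits, and lists which device IDs each entry would exclude from encryption. The device IDs and policy strings are constructed; case-sensitive matching, the semicolon as the only separator, and reading the 500-character limit as per entry are assumptions.

```python
# Added example: checks an EMS Device Whitelist string before deployment.
MAX_ENTRIES = 150        # "Maximum of 150 devices"
MAX_ENTRY_CHARS = 500    # "500 characters per PNPDeviceID" (assumed: per entry)
MAX_TOTAL_CHARS = 2048   # total, with space and Enter characters counted

# Constructed PNPDeviceIDs (vendor, product, revision, serial); not real devices.
DEVICES = [
    r"USBSTOR\DISK&VEN_KINGSTON&PROD_DT_VAULT_PRIVACY&REV_1.00\EXAMPLESERIAL0001&0",
    r"USBSTOR\DISK&VEN_KINGSTON&PROD_DT_VAULT&REV_1.00\EXAMPLESERIAL0002&0",
    r"USBSTOR\DISK&VEN_EXAMPLE&PROD_FLASH_DISK&REV_2.00\EXAMPLESERIAL0003&0",
]


def check_whitelist(policy, device_ids):
    """Return (problems, matches) for a semicolon-separated whitelist string.

    matches maps each entry to the device IDs it would exclude from encryption.
    Assumption: an entry matches by case-sensitive substring comparison.
    """
    problems = []
    if len(policy) > MAX_TOTAL_CHARS:
        problems.append(f"total length {len(policy)} exceeds {MAX_TOTAL_CHARS}")
    entries = policy.split(";")  # deliberately not trimmed: spaces are matched
    if len(entries) > MAX_ENTRIES:
        problems.append(f"{len(entries)} entries exceeds {MAX_ENTRIES}")
    matches = {}
    for entry in entries:
        if not entry:
            problems.append("empty entry")
            continue
        if len(entry) > MAX_ENTRY_CHARS:
            problems.append(f"entry of {len(entry)} chars exceeds {MAX_ENTRY_CHARS}")
        if entry != entry.strip():
            problems.append(f"entry {entry!r} has leading or trailing whitespace")
        matches[entry] = [d for d in device_ids if entry in d]
    return problems, matches


if __name__ == "__main__":
    for policy in (
        "VEN_KINGSTON&PROD_DT_VAULT_PRIVACY",       # one model only
        "VEN_KINGSTON&PROD_DT_VAULT",               # broader: both models
        "PROD_DT_VAULT_PRIVACY ; PROD_FLASH_DISK",  # spaces around ';'
    ):
        problems, matches = check_whitelist(policy, DEVICES)
        print(repr(policy), problems)
        for entry, hits in matches.items():
            print(f"  {entry!r} -> {len(hits)} device(s)")
```

An entry that matches more devices than intended, like the second policy here, is the case the text warns about, so review the match list before the string goes into the policy.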
Instructions...
To find the PNPDeviceID for removable media:
1. Insert the removable media device into an encrypted computer.
2. Open the EMSService.log in C:\Programdata\Dell\Dell Data Protection\Encryption\EMS.
3. Find PNPDeviceID=
For example:
14.03.18 18:50:06.834 [I] [Volume "F:\"] PnPDeviceID =