Reference Guide
Manage Policies
308
to Encryption External Media, Roaming Automatic Authentication allows Dell-encrypted media to be automatically authenticated when it is inserted in any Dell-encrypted computer the media owner is logged into. When automatic authentication is disabled, users must always manually authenticate to access Dell-encrypted media.
Disabling Roaming Authentication helps to prevent users from forgetting their
password when they take the media home or share it with a colleague. Disabling
Roaming Authentication also promotes a sense of awareness from a security
perspective for users that the data being written to that media is protected.
EMS Access Encrypted Data on unShielded Device
Selected
Selected allows the user to access encrypted data on removable storage whether
the endpoint is encrypted or not.
When this policy is Not Selected, the user can work with encrypted data when
logged on to any encrypted endpoint. The user cannot work with encrypted data
using any unencrypted device.
EMS Device Whitelist
String - Maximum of 150 devices with a maximum of 500 characters per
PNPDeviceID. Maximum of 2048 total characters allowed. "Space" and "Enter"
characters count in the total characters used.
This policy specifies removable media devices, identified by their Plug and Play device identifier (PNPDeviceID), that are excluded from encryption, giving users full access to the specified removable media devices.
This policy is available on an Enterprise, Domain, Group, and User level. Local
settings override inherited settings. If a user is in more than one group, all EMS
Device Whitelist entries, across all Groups, apply.
This policy is particularly useful when using removable media devices that provide hardware encryption. However, this policy should be used with caution. This policy does not check whether external media devices on this list provide hardware encryption. Whitelisted removable storage devices that do not have hardware encryption have no enforced security and are not protected.
For example, the Kingston® DataTraveler® Vault Privacy model requires encryption to be enabled before the device can be used. However, the Kingston DataTraveler Vault model has an unsecured partition and a secured partition. Because both partitions belong to the same physical removable media device with only one PNPDeviceID, the two partitions cannot be distinguished, meaning that whitelisting this particular device would allow unencrypted data to leave the endpoint.
Additionally, if a removable media device is encrypted and is subsequently added
to the EMS Device Whitelist policy, it remains encrypted and requires a reformat of
the device to remove encryption.
The following is an example of a PNPDeviceID, which contains the manufacturer
identifier, product identifier, revision, and hardware serial number:
To whitelist a removable media device, provide a string value that matches
portions of the device’s PNPDeviceID. Multiple device PNPDeviceIDs are allowed.
For example, to whitelist all Kingston DataTraveler Vault Privacy models, input the
string:
To whitelist both models of Kingston DataTraveler, the Vault and Vault Privacy
models, input the string:
Space characters are considered part of the substring to match to a PNPDeviceID.
Using the previous PNPDeviceID as an example, a space before and after the
semicolon would cause neither of the substrings to be matched, because the
space character is not part of the PNPDeviceID.
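The substring-matching and length rules described for the EMS Device Whitelist can be modelled to check a policy string before it is deployed. The following is an added example, not Dell's code; it assumes that whitelist entries are separated by semicolons (implied by the note about spaces around the semicolon), that an entry matches when it is a case-sensitive substring of the device's PNPDeviceID, and that the PNPDeviceID values used are constructed for illustration only.

```python
"""
Added example modelling the EMS Device Whitelist rules from the policy text.
Not Dell's code. Assumptions not stated on the page:
  * entries are separated by semicolons;
  * an entry matches when it is a case-sensitive substring of the PNPDeviceID.
The PNPDeviceID strings below are constructed for illustration only.
"""
from typing import List

MAX_DEVICES = 150           # "Maximum of 150 devices"
MAX_CHARS_PER_ENTRY = 500   # "maximum of 500 characters per PNPDeviceID"
MAX_TOTAL_CHARS = 2048      # "Maximum of 2048 total characters allowed"
SEPARATOR = ";"             # assumption, see module docstring

# Constructed PNPDeviceIDs in the Windows USBSTOR layout: vendor, product,
# revision and serial number. Product strings are made up for this example.
SAMPLE_VAULT_PRIVACY_ID = (
    r"USBSTOR\DISK&VEN_KINGSTON&PROD_DT_VAULT_PRIVACY&REV_1.00\0123456789ABCDEF&0"
)
SAMPLE_VAULT_ID = (
    r"USBSTOR\DISK&VEN_KINGSTON&PROD_DT_VAULT&REV_1.00\FEDCBA9876543210&0"
)


def split_entries(policy: str) -> List[str]:
    """Split the policy string into entries WITHOUT trimming whitespace:
    the policy text says space characters are part of the substring to match."""
    return [entry for entry in policy.split(SEPARATOR) if entry != ""]


def validate_policy(policy: str) -> List[str]:
    """Return a list of problems with the policy string (empty list = acceptable).
    Spaces and newlines count toward the total length, as the policy text states."""
    problems = []
    if len(policy) > MAX_TOTAL_CHARS:
        problems.append(f"total length {len(policy)} exceeds {MAX_TOTAL_CHARS}")
    entries = split_entries(policy)
    if len(entries) > MAX_DEVICES:
        problems.append(f"{len(entries)} entries exceed the {MAX_DEVICES}-device limit")
    for entry in entries:
        if len(entry) > MAX_CHARS_PER_ENTRY:
            problems.append(f"entry starting {entry[:20]!r} exceeds {MAX_CHARS_PER_ENTRY} characters")
        if entry != entry.strip():
            # A leading or trailing space becomes part of the substring and a
            # PNPDeviceID contains no spaces, so such an entry can never match.
            problems.append(f"entry {entry!r} has surrounding whitespace and will never match")
    return problems


def is_whitelisted(pnp_device_id: str, policy: str) -> bool:
    """A device is excluded from encryption when any entry is a substring of its PNPDeviceID."""
    return any(entry in pnp_device_id for entry in split_entries(policy))


if __name__ == "__main__":
    # "PROD_DT_VAULT" is a substring of "PROD_DT_VAULT_PRIVACY", so the shorter
    # entry whitelists both models; the longer entry matches only one.
    for policy in (
        "VEN_KINGSTON&PROD_DT_VAULT_PRIVACY",
        "VEN_KINGSTON&PROD_DT_VAULT",
        " VEN_KINGSTON&PROD_DT_VAULT ; VEN_KINGSTON&PROD_DT_VAULT_PRIVACY ",
    ):
        print(repr(policy), validate_policy(policy))
        for dev in (SAMPLE_VAULT_PRIVACY_ID, SAMPLE_VAULT_ID):
            print("   ", dev, "->", is_whitelisted(dev, policy))
```

Running the script shows the point the policy text makes twice over: an entry for the Vault model also matches the Vault Privacy model because one product string is a prefix of the other, and adding spaces around the semicolon makes both entries fail to match anything, since a PNPDeviceID contains no space characters.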
Instructions...
1. Insert removable media.
2. Open System Profiler.
3. Under Hardware, select the device and find the Product ID and Vendor