Reference Guide

Manage Policies
EMS Exclude CD/DVD Encryption
Not Selected
False encrypts CD/DVD devices.
EMS Allow Read-access to unShielded Media (5.4.x Only)
Selected
This policy applies to 5.4.x Windows Encryption clients only.
If a user chooses not to encrypt media and this policy is set to True, they are able
to read or delete existing files on the media that are not encrypted, but the client
does not allow any files to be edited on or added to the media unless it is Dell-
encrypted.
EMS Encryption Algorithm
AES256
AES 256, AES 128, 3DES
Encryption algorithm used to encrypt removable media.
Encryption algorithms in order of speed, fastest first, are AES 128, AES 256, 3DES.
EMS Data Encryption Key
User Roaming
Common, User, User Roaming
Choose a key to be used by the Encryption client to encrypt all data encrypted by
the Encryption External Media.
You cannot save a policy where this policy has the same value as either the User
Data Encryption Key policy or the Application Data Encryption Key policy. The
error message "Policy Constraint Violation: The value for EMS Data Encryption Key
conflicts with User Data Encryption Key and/or Application Data Encryption Key"
displays.
EMS Automatic Authentication
Disabled
Disabled, Local, Roaming
Local automatic authentication allows the encrypted media to be automatically
authenticated when inserted in the originally encrypting computer when the
owner of that media is logged in. When automatic authentication is Disabled,
users must always manually authenticate to access encrypted media.
Not selecting Roaming automatic authentication helps to prevent users from
forgetting their password when they take the media home or share it with a
colleague. Not selecting Roaming automatic authentication also promotes a sense
of awareness from a security perspective for users that the data being written to
that media is protected.
EMS Access Encrypted Data on unShielded Device
Selected
Selected allows the user to access encrypted data on removable media whether
the endpoint is Dell-encrypted or not.
When this policy is False, the user can work with encrypted data when logged on
to any Dell-encrypted endpoint. The user cannot work with encrypted data using
any device that is not Dell-encrypted.
EMS Device Whitelist
String - Maximum of 150 devices with a maximum of 500 characters per
PNPDeviceID. Maximum of 2048 total characters allowed. "Space" and "Enter"
characters count in the total characters used.
This policy allows the specification of removable media devices to exclude from
encryption [using the device's Plug and Play device identifier (PNPDeviceID)],
thereby allowing users full access to the specified removable media devices.
This policy is available on an Enterprise, Domain, Group, and User level. Local
settings override inherited settings. If a user is in more than one group, all EMS
Device Whitelist entries, across all Groups, apply.
This policy is particularly useful when using removable media devices which
provide hardware encryption. However, this policy should be used with caution.
This policy does not check whether external media devices on this list provide
hardware encryption. Whitelisted removable storage devices that do not have
hardware encryption do not have enforced security and are not protected.
For example, the Kingston® DataTraveler® Vault Privacy model enforces that
encryption is enabled to use the device. However, the Kingston DataTraveler Vault
model has an unsecured partition and a secured partition. Because it is the same
physical removable media device with only one PNPDeviceID, the two partitions
cannot be distinguished, meaning that whitelisting this particular device would
allow unencrypted data to leave the endpoint.
Additionally, if a removable media device is encrypted and is subsequently added
to the EMS Device Whitelist policy, it remains encrypted and requires a reformat of
the device to remove encryption.
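The size limits stated for EMS Device Whitelist can be checked before a value is entered in the policy. The following is an added example, not part of the Dell guide or product: it assumes entries are separated by spaces or line breaks, treats IDs that differ only in case as duplicates, and uses constructed PNPDeviceIDs. The names check_whitelist and constructed_ids are hypothetical.

```python
# Limits quoted from the EMS Device Whitelist policy description.
MAX_DEVICES = 150        # entries per policy value
MAX_ID_CHARS = 500       # characters per PNPDeviceID
MAX_TOTAL_CHARS = 2048   # whole value, separators included


def check_whitelist(value):
    """Return a list of problems in a proposed EMS Device Whitelist value.

    Assumption (not stated in the guide): entries are separated by
    whitespace, i.e. spaces or line breaks.
    """
    problems = []
    # "Space" and "Enter" count toward the total, so measure the raw string.
    if len(value) > MAX_TOTAL_CHARS:
        problems.append(f"total length {len(value)} exceeds {MAX_TOTAL_CHARS}")
    entries = value.split()
    if len(entries) > MAX_DEVICES:
        problems.append(f"{len(entries)} entries exceeds {MAX_DEVICES}")
    seen = set()
    for number, entry in enumerate(entries, start=1):
        if len(entry) > MAX_ID_CHARS:
            problems.append(
                f"entry {number} is {len(entry)} characters, limit {MAX_ID_CHARS}")
        # Assumption: IDs differing only in letter case name the same device.
        key = entry.upper()
        if key in seen:
            problems.append(f"entry {number} duplicates an earlier entry")
        seen.add(key)
    return problems


def constructed_ids(count):
    """Constructed sample IDs (68 characters each); not real devices."""
    return [
        rf"USBSTOR\DISK&VEN_EXAMPLE&PROD_SECUREDRIVE&REV_1.00\CONSTRUCTED{n:04d}&0"
        for n in range(1, count + 1)
    ]


if __name__ == "__main__":
    for count in (29, 30):
        value = "\n".join(constructed_ids(count))
        print(count, "entries,", len(value), "characters:",
              check_whitelist(value) or "ok")
```

With IDs of this length, the 2048-character total is reached at the 30th entry, well before the 150-device limit.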
The following is an example of a PNPDeviceID, which contains the manufacturer
identifier, product identifier, revision, and hardware serial number: