Reference Guide
Manage Policies
authentication is Disabled, users must always manually authenticate to
access encrypted media.
Not selecting Roaming automatic authentication helps to prevent users
from forgetting their password when they take the media home or share
it with a colleague. Not selecting Roaming automatic authentication
also makes users aware, from a security perspective, that the data
being written to that media is protected.
EMS Access Encrypted Data on unShielded Device
Selected
Selected allows the user to access encrypted data on removable media
whether the endpoint is Dell-encrypted or not.
When this policy is False, the user can work with encrypted data when
logged on to any Dell-encrypted endpoint. The user cannot work with
encrypted data using any device that is not Dell-encrypted.
EMS Device Whitelist
String - Maximum of 150 devices with a maximum of 500 characters per
PNPDeviceID. Maximum of 2048 total characters allowed. "Space" and
"Enter" characters count in the total characters used.
This policy allows the specification of removable media devices to
exclude from encryption [using the device's Plug and Play device
identifier (PNPDeviceID)], thereby allowing users full access to the
specified removable media devices.
This policy is available on an Enterprise, Domain, Group, and User
level. Local settings override inherited settings. If a user is in
more than one group, all EMS Device Whitelist entries, across all
Groups, apply.
This policy is particularly useful when using removable media devices
which provide hardware encryption. However, this policy should be used
with caution. This policy does not check whether external media
devices on this list provide hardware encryption. Whitelisted
removable storage devices that do not have hardware encryption have no
enforced security and are not protected.
For example, the Kingston® DataTraveler® Vault Privacy model enforces
that encryption is enabled to use the device. However, the Kingston
DataTraveler Vault model has an unsecured partition and a secured
partition. Because it is the same physical removable media device with
only one PNPDeviceID, the two partitions cannot be distinguished,
meaning that whitelisting this particular device would allow
unencrypted data to leave the endpoint.
Additionally, if a removable media device is encrypted and is
subsequently added to the EMS Device Whitelist policy, it remains
encrypted and requires a reformat of the device to remove encryption.
The following is an example of a PNPDeviceID, which contains the
manufacturer identifier, product identifier, revision, and hardware
serial number:
To whitelist a removable media device, provide a string value that
matches portions of the device’s PNPDeviceID. Multiple device
PNPDeviceIDs are allowed.
For example, to whitelist all Kingston DataTraveler Vault Privacy
models, input the string:
To whitelist
both models of Kingston DataTraveler, the Vault and Vault
Privacy models, input the string:
Space characters are considered part of the substring to match to a
PNPDeviceID. Using the previous PNPDeviceID as an example, a space
before and after the semicolon would cause neither of the substrings
to be matched, because the space character is not part of the
PNPDeviceID.
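The following is an added example (not part of the Dell guide) that an administrator could use to sanity-check an EMS Device Whitelist string against the stated limits and to preview which devices each entry would match. It assumes that entries are separated by semicolons and compared as plain case-sensitive substrings of the PNPDeviceID, and the PNPDeviceIDs below are constructed placeholders, not real device identifiers.

```python
from typing import Dict, List

# Limits stated in the policy description.
MAX_DEVICES = 150
MAX_CHARS_PER_ID = 500
MAX_TOTAL_CHARS = 2048

# Constructed sample PNPDeviceIDs (placeholders, not real vendor/product values).
SAMPLE_IDS: Dict[str, str] = {
    "vault_privacy": r"USBSTOR\DISK&VEN_EXAMPLEVENDOR&PROD_EXAMPLE_VAULT_PRIVACY&REV_1.00\SERIAL0001&0",
    "vault": r"USBSTOR\DISK&VEN_EXAMPLEVENDOR&PROD_EXAMPLE_VAULT&REV_1.00\SERIAL0002&0",
    "other": r"USBSTOR\DISK&VEN_OTHERVENDOR&PROD_PLAIN_STICK&REV_1.00\SERIAL0003&0",
}


def split_entries(whitelist: str) -> List[str]:
    """Split on ';' WITHOUT stripping: spaces and newlines stay part of each substring,
    exactly as the guide warns. Empty entries are dropped (assumption)."""
    return [entry for entry in whitelist.split(";") if entry != ""]


def validate_whitelist(whitelist: str) -> List[str]:
    """Return a list of problems; an empty list means the string is within limits
    and no entry carries stray whitespace that would silently prevent a match."""
    problems: List[str] = []
    if len(whitelist) > MAX_TOTAL_CHARS:
        problems.append(f"total length {len(whitelist)} exceeds {MAX_TOTAL_CHARS}")
    entries = split_entries(whitelist)
    if len(entries) > MAX_DEVICES:
        problems.append(f"{len(entries)} entries exceed the maximum of {MAX_DEVICES}")
    for index, entry in enumerate(entries):
        if len(entry) > MAX_CHARS_PER_ID:
            problems.append(f"entry {index} is {len(entry)} chars, limit {MAX_CHARS_PER_ID}")
        if entry != entry.strip():
            problems.append(f"entry {index!r} has surrounding whitespace and will not match")
    return problems


def matching_entries(whitelist: str, pnp_device_id: str) -> List[str]:
    """Entries that are substrings of the given PNPDeviceID (case-sensitive, assumption)."""
    return [entry for entry in split_entries(whitelist) if entry in pnp_device_id]


def preview(whitelist: str, device_ids: Dict[str, str]) -> Dict[str, bool]:
    """For each sample device, would the whitelist exclude it from encryption?"""
    return {name: bool(matching_entries(whitelist, pid)) for name, pid in device_ids.items()}


if __name__ == "__main__":
    for candidate in ("PROD_EXAMPLE_VAULT_PRIVACY", "PROD_EXAMPLE_VAULT",
                      "PROD_EXAMPLE_VAULT_PRIVACY ; PROD_EXAMPLE_VAULT"):
        print(repr(candidate), validate_whitelist(candidate), preview(candidate, SAMPLE_IDS))
```

The third candidate shows the guide's caveat in action: the spaces around the semicolon become part of both substrings, so neither sample device is whitelisted, and the validator flags both entries.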
Instructions...
To find the PNPDeviceID for removable media: