Reference Guide
Security Management Server Virtual v10.2.11 AdminHelp
awareness from a security perspective for users that the data
being written to that media is protected.
When set to Roaming, the owner of the removable media is
automatically authenticated when logged in to a computer other
than the one where the media was encrypted, provided that
computer is running either the full Encryption client or the
EMS Service.
EMS Scan
External Media
Not Selected
Selected allows removable media to be scanned every time it is
inserted.
When this policy is Not Selected and the EMS Encrypt External
Media policy is Selected, only new and changed files are
encrypted.
See EMS Encryption Rules before changing this policy to
Selected.
Do not enable this policy without also applying EMS Encryption
Rules.
More...
A scan occurs at every insertion so that any files added to
the removable media without authenticating can be caught.
Files can be added to the media if authentication is declined,
but encrypted data cannot be accessed. Files added in this way
are not encrypted, so the next time the media is
authenticated (to work with encrypted data), any files that
were added are scanned and encrypted.
EMS Access
Encrypted Data
on unShielded
Device
Selected
Selected allows the user to access encrypted data on removable
media whether the endpoint is encrypted or not.
More...
When this policy is Not Selected, the user can work with
encrypted data when logged on to any encrypted device,
regardless of the Dell Server the user activated against. The
user cannot work with encrypted data using any unencrypted
device.
EMS Device
Whitelist
String - Maximum of 150 devices with a maximum of 500
characters per PNPDeviceID. Maximum of 2048 total characters
allowed. "Space" and "Enter" characters count in the total
characters used.
This policy allows the specification of removable media
devices to exclude from encryption [using the device's Plug
and Play device identifier (PNPDeviceID)], thereby allowing
users full access to the specified removable media devices.
More...
This policy is available on an Enterprise, Domain, Group, and
User level. Note that local settings override inherited
settings. If a user is in more than one group, all EMS Device
Whitelist entries, across all Groups, apply.
This policy is particularly useful when using removable media
devices that provide hardware encryption. However, this
policy should be used with caution. The policy does not check
whether the external media devices on the list actually provide
hardware encryption. Whitelisted removable storage devices that
do not have hardware encryption have no enforced security and
are not protected.
For example, the Kingston® DataTraveler® Vault Privacy model
enforces that encryption is enabled to use the device.
However, the Kingston DataTraveler Vault model has an
unsecured partition and a secured partition. Because it is the
same physical removable media device with only one
PNPDeviceID, the two partitions cannot be distinguished,
meaning that whitelisting this particular device would allow
unencrypted data to leave the endpoint.
Additionally, if a removable media device is encrypted and is
subsequently added to the EMS Device Whitelist policy, it
remains encrypted and requires a reformat of the device to
remove encryption.
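As an added example (not part of Dell's documentation or product code), the following PowerShell enumerates the PNPDeviceID of each USB disk on a Windows endpoint, flags disks that expose more than one partition behind a single PNPDeviceID (the situation the Kingston DataTraveler Vault example describes), and checks a candidate whitelist against the limits stated above (150 devices, 500 characters per PNPDeviceID, 2048 characters in total with whitespace counted). The function names, the use of a newline as the separator between entries, and the sample PNPDeviceIDs are assumptions for illustration; this page does not state which separator the policy field uses.

```powershell
# Added example, not Dell's code. Assumes one PNPDeviceID per line in the
# policy value; the separator is an assumption, not stated on the page.

function Get-UsbDiskPnpInfo {
    # Each physical disk has exactly one PNPDeviceID. All partitions on that
    # disk share it, so a device with a secured and an unsecured partition
    # cannot be whitelisted without also whitelisting the unsecured partition.
    Get-CimInstance -ClassName Win32_DiskDrive |
        Where-Object { $_.InterfaceType -eq 'USB' } |
        ForEach-Object {
            $parts = @(Get-Partition -DiskNumber $_.Index -ErrorAction SilentlyContinue)
            [pscustomobject]@{
                Model          = $_.Model
                PNPDeviceID    = $_.PNPDeviceID
                PartitionCount = $parts.Count
                Warning        = if ($parts.Count -gt 1) {
                                     'multiple partitions share this PNPDeviceID; do not whitelist unless every partition is hardware encrypted'
                                 } else { '' }
            }
        }
}

function Test-EmsDeviceWhitelist {
    # Checks a list of PNPDeviceIDs against the limits in the policy description
    # and returns the joined value that would be pasted into the policy field.
    param([Parameter(Mandatory)][string[]]$PnpDeviceIds)

    $problems = New-Object System.Collections.Generic.List[string]

    if ($PnpDeviceIds.Count -gt 150) {
        $problems.Add("Too many devices: $($PnpDeviceIds.Count) (maximum 150)")
    }

    foreach ($id in $PnpDeviceIds) {
        if ($id.Length -gt 500) {
            $problems.Add("PNPDeviceID exceeds 500 characters: $($id.Substring(0, 40))...")
        }
    }

    $duplicates = $PnpDeviceIds | Group-Object | Where-Object { $_.Count -gt 1 }
    foreach ($d in $duplicates) {
        $problems.Add("Duplicate entry: $($d.Name)")
    }

    # Join with the assumed separator. The separator characters count toward
    # the 2048-character total, as the policy description states for Enter.
    $joined = $PnpDeviceIds -join "`r`n"
    if ($joined.Length -gt 2048) {
        $problems.Add("Total length $($joined.Length) exceeds 2048 characters")
    }

    [pscustomobject]@{
        Valid       = ($problems.Count -eq 0)
        DeviceCount = $PnpDeviceIds.Count
        TotalLength = $joined.Length
        Problems    = $problems
        PolicyValue = $joined
    }
}

# Constructed sample entries (not real devices) so the check runs offline.
$sample = @(
    'USBSTOR\DISK&VEN_EXAMPLE&PROD_HWENC_DRIVE&REV_1.00\0000000000000001&0',
    'USBSTOR\DISK&VEN_EXAMPLE&PROD_HWENC_DRIVE&REV_1.00\0000000000000002&0'
)
Test-EmsDeviceWhitelist -PnpDeviceIds $sample | Format-List

# Live use: review the enumeration and its Warning column first, then build
# the whitelist only from devices verified to enforce hardware encryption.
Get-UsbDiskPnpInfo | Format-Table -AutoSize
```

Run the enumeration on an endpoint with the candidate devices inserted, confirm from the vendor documentation (not from the PNPDeviceID, which carries no such information) that each device enforces hardware encryption on every partition, and only then paste the PolicyValue output into the policy.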
The following is an example of a PNPDeviceID, which contains