Reference Guide
Manage Policies
forgetting their password when they take the media home or share it
with a colleague. Disabling Roaming Authentication also promotes a
sense of awareness from a security perspective for users that the data
being written to that media is protected.
EMS Access Encrypted Data on unShielded Device
Selected
Selected allows the user to access encrypted data on removable storage
whether the endpoint is encrypted or not.
When this policy is Not Selected, the user can work with encrypted
data when logged on to any encrypted endpoint. The user cannot work
with encrypted data using any unencrypted device.
EMS Device Whitelist
String - Maximum of 150 devices with a maximum of 500 characters per
PNPDeviceID. Maximum of 2048 total characters allowed. "Space" and
"Enter" characters count in the total characters used.
This policy allows the specification of removable media devices to
exclude from encryption [using the device's Plug and Play device
identifier (PNPDeviceID)], thereby allowing users full access to the
specified removable media devices.
This policy is available on an Enterprise, Domain, Group, and User
level. Local settings override inherited settings. If a user is in
more than one group, all EMS Device Whitelist entries, across all
Groups, apply.
This policy is particularly useful when using removable media devices
which provide hardware encryption. However, this policy should be used
with caution. This policy does not check whether external media
devices on this list provide hardware encryption. Whitelisted
removable storage devices that do not have hardware encryption have
no enforced security and are not protected.
For example, the Kingston® DataTraveler® Vault Privacy model enforces
that encryption is enabled to use the device. However, the Kingston
DataTraveler Vault model has an unsecured partition and a secured
partition. Because it is the same physical removable media device with
only one PNPDeviceID, the two partitions cannot be distinguished,
meaning that whitelisting this particular device would allow
unencrypted data to leave the endpoint.
Additionally, if a removable media device is encrypted and is
subsequently added to the EMS Device Whitelist policy, it remains
encrypted and requires a reformat of the device to remove encryption.
The following is an example of a PNPDeviceID, which contains the
manufacturer identifier, product identifier, revision, and hardware
serial number:
To whitelist a removable media device, provide a string value that
matches portions of the device’s PNPDeviceID. Multiple device
PNPDeviceIDs are allowed.
For example, to whitelist all Kingston DataTraveler Vault Privacy
models, input the string:
To whitelist both models of Kingston DataTraveler, the Vault and Vault
Privacy models, input the string:
Space characters are considered part of the substring to match to a
PNPDeviceID. Using the previous PNPDeviceID as an example, a space
before and after the semicolon would cause neither of the substrings
to be matched, because the space character is not part of the
PNPDeviceID.
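As an added example, not taken from the guide or the product, the following Python models the whitelist matching described above: entries separated by semicolons, each matched as an exact substring of the device's PNPDeviceID with spaces significant, and the whole value checked against the stated limits (150 devices, 500 characters per entry, 2048 characters total). The PNPDeviceID strings are constructed in the Windows USBSTOR layout, and exact case-sensitive matching and the rejection of empty entries are assumptions.

```python
MAX_DEVICES = 150        # stated limit: entries per whitelist
MAX_ENTRY_CHARS = 500    # stated limit: characters per PNPDeviceID entry
MAX_TOTAL_CHARS = 2048   # stated limit: total characters, spaces and newlines included

# Constructed PNPDeviceIDs (vendor, product, revision, serial); not real device values.
VAULT_PRIVACY = r"USBSTOR\DISK&VEN_KINGSTON&PROD_DT_VAULT_PRIVACY&REV_1.00\0013720000000000&0"
VAULT = r"USBSTOR\DISK&VEN_KINGSTON&PROD_DT_VAULT&REV_1.00\0013720000000001&0"
OTHER = r"USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER&REV_1.26\4C530000000000000000&0"


def validate_whitelist(policy_value):
    """Return a list of problems; an empty list means the value is within the documented limits."""
    problems = []
    if len(policy_value) > MAX_TOTAL_CHARS:
        problems.append(f"total length {len(policy_value)} exceeds {MAX_TOTAL_CHARS}")
    entries = policy_value.split(";")  # no trimming: spaces are part of each substring
    if len(entries) > MAX_DEVICES:
        problems.append(f"{len(entries)} entries exceed the limit of {MAX_DEVICES}")
    for i, entry in enumerate(entries):
        if entry == "":
            # Assumption: an empty substring would match every device, so reject it.
            problems.append(f"entry {i} is empty and would match every device")
        elif len(entry) > MAX_ENTRY_CHARS:
            problems.append(f"entry {i} is {len(entry)} characters, limit {MAX_ENTRY_CHARS}")
        elif entry != entry.strip():
            problems.append(f"entry {entry!r} has surrounding spaces that no PNPDeviceID contains")
    return problems


def whitelisted_entries(policy_value, pnp_device_id):
    """Entries that match the device as exact substrings; an empty list means it stays encrypted."""
    return [e for e in policy_value.split(";") if e and e in pnp_device_id]


if __name__ == "__main__":
    for value in ("PROD_DT_VAULT_PRIVACY",              # Vault Privacy only
                  "PROD_DT_VAULT",                      # substring of both models
                  "PROD_DT_VAULT_PRIVACY ; PROD_DT_VAULT"):  # spaces break both matches
        print(f"policy {value!r}: problems={validate_whitelist(value)}")
        for name, dev in (("Vault Privacy", VAULT_PRIVACY), ("Vault", VAULT), ("other", OTHER)):
            print(f"  {name}: matched by {whitelisted_entries(value, dev)}")
```

Note that the broader substring also whitelists the plain Vault model, whose unsecured partition shares the device's single PNPDeviceID, which is the risk the guide warns about.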
Instructions...
1. Insert removable media.
2. Open System Profiler.
3. Under Hardware, select the device and find the Product ID and
Vendor ID, as follows:
Capacity:2.06 GB (2,055,019,008 bytes)