Reference Guide
Manage Policies
EMS Device Whitelist
String - Maximum of 150 devices with a maximum of 500 characters per
PNPDeviceID. Maximum of 2048 total characters allowed. "Space" and
"Enter" characters count in the total characters used.
This policy allows the specification of removable media devices to
exclude from encryption [using the device's Plug and Play device
identifier (PNPDeviceID)], thereby allowing users full access to the
specified removable media devices.
This policy is available on an Enterprise, Domain, Group, and User
level. Local settings override inherited settings. If a user is in
more than one group, all EMS Device Whitelist entries, across all
Groups, apply.
This policy is particularly useful when using removable media devices
which provide hardware encryption. However, this policy should be used
with caution. This policy does not check whether external media
devices on this list provide hardware encryption. Whitelisted
removable storage devices that do not have hardware encryption do not
have enforced security and are not protected.
For example, the Kingston® DataTraveler® Vault Privacy model enforces
that encryption is enabled to use the device. However, the Kingston
DataTraveler Vault model has an unsecured partition and a secured
partition. Because it is the same physical removable media device with
only one PNPDeviceID, the two partitions cannot be distinguished,
meaning that whitelisting this particular device would allow
unencrypted data to leave the endpoint.
Additionally, if a removable media device is encrypted and is
subsequently added to the EMS Device Whitelist policy, it remains
encrypted and requires a reformat of the device to remove encryption.
The following is an example of a PNPDeviceID, which contains the
manufacturer identifier, product identifier, revision, and hardware
serial number:
To whitelist a removable media device, provide a string value that
matches portions of the device’s PNPDeviceID. Multiple device
PNPDeviceIDs are allowed.
For example, to whitelist all Kingston DataTraveler Vault Privacy
models, input the string:
To whitelist both models of Kingston DataTraveler, the Vault and Vault
Privacy models, input the string:
Space characters are considered part of the substring to match to a
PNPDeviceID. Using the previous PNPDeviceID as an example, a space
before and after the semicolon would cause neither of the substrings
to be matched, because the space character is not part of the
PNPDeviceID.
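The limit and matching rules above, as an added example (not Dell's code): a
Python audit that checks a policy string against the stated limits, flags
entries that whitespace has made unmatchable, and lists which devices seen in
EMSService.log the policy would exempt from encryption. It assumes entries are
separated by semicolons and matched case-sensitively; the function names, the
second log line and both policy strings are constructed for illustration.

```python
import re

# Limits stated in the policy description above.
MAX_ENTRIES, MAX_ENTRY_LEN, MAX_TOTAL_LEN = 150, 500, 2048
PNP_RE = re.compile(r"PnPDeviceID\s*=\s*(\S+)", re.I)  # shape of the EMSService.log line

def pnp_ids_from_log(lines):
    """Return each PnPDeviceID value found in EMSService.log lines."""
    return [m.group(1) for m in map(PNP_RE.search, lines) if m]

def check_whitelist(value):
    """Split a policy string into entries and list problems with it."""
    problems = []
    if len(value) > MAX_TOTAL_LEN:  # spaces and newlines count toward the total
        problems.append(f"total length {len(value)} > {MAX_TOTAL_LEN}")
    entries = [e for e in value.split(";") if e]  # assumption: ';' separates entries
    if len(entries) > MAX_ENTRIES:
        problems.append(f"{len(entries)} entries > {MAX_ENTRIES}")
    for e in entries:
        if len(e) > MAX_ENTRY_LEN:
            problems.append(f"entry longer than {MAX_ENTRY_LEN}: {e[:40]!r}...")
        if e != e.strip():  # whitespace is matched literally, so this entry is dead
            problems.append(f"whitespace around entry {e!r}")
    return entries, problems

def exempted(value, pnp_ids):
    """Map each device ID to the whitelist entries it contains as a substring."""
    entries, _ = check_whitelist(value)
    hits = {d: [e for e in entries if e in d] for d in pnp_ids}  # assumed case-sensitive
    return {d: es for d, es in hits.items() if es}

# First log line is this page's example; the second line and both policies are constructed.
SAMPLE_LOG = [
    r'14.03.18 18:50:06.834 [I] [Volume "F:\"] PnPDeviceID = USBSTOR\DISK&VEN_SEAGATE&PROD_USB&REV_0409\2HC015KJ&0',
    r'14.03.18 18:52:11.102 [I] [Volume "G:\"] PnPDeviceID = USBSTOR\DISK&VEN_EXAMPLE&PROD_PLAIN&REV_0001\CONSTRUCTED01&0',
]
TIGHT = "VEN_SEAGATE&PROD_USB;VEN_EXAMPLE&PROD_SECURE"
SPACED = "VEN_SEAGATE&PROD_USB ; VEN_EXAMPLE&PROD_SECURE"

if __name__ == "__main__":
    ids = pnp_ids_from_log(SAMPLE_LOG)
    for name, policy in (("TIGHT", TIGHT), ("SPACED", SPACED)):
        print(name, check_whitelist(policy)[1], exempted(policy, ids))
```

Running the same audit over every PnPDeviceID in the log shows how broad a
short entry is: a vendor-only substring exempts every model from that vendor,
including ones without hardware encryption.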
Instructions...
To find the PNPDeviceID for removable media:
1. Insert the removable media device into an encrypted computer.
2. Open the EMSService.log in C:\Programdata\Dell\Dell Data
Protection\Encryption\EMS.
3. Find PNPDeviceID=
For example:
14.03.18 18:50:06.834 [I] [Volume "F:\"] PnPDeviceID =
USBSTOR\DISK&VEN_SEAGATE&PROD_USB&REV_0409\2HC015KJ&0
VEN=Vendor; Green highlighted text is for the vendor to be
excluded
PROD=Product/Model Name; Adding text highlighted blue also