Reference Guide

Security Management Server Virtual - AdminHelp v9.8
269
colleague. Not selecting Roaming automatic authentication also reinforces
users' awareness, from a security perspective, that the data being written to
that media is protected.
EMS Access Encrypted Data on unShielded Device
Default: Selected
Selected allows the user to access encrypted data on removable storage
whether the endpoint is Dell-encrypted or not.
More...
When this policy is not selected (False), the user can work with encrypted
data only when logged on to an encrypted endpoint, regardless of the Security
Management Server the user activated against. The user cannot work with
encrypted data on any device that is not Dell-encrypted.
EMS Device Whitelist
String. Maximum of 300 devices, with a maximum of 500 characters per
PNPDeviceID and a maximum of 4096 total characters. Space and Enter
characters count toward the total.
This policy specifies removable storage devices to exclude from Encryption
External Media encryption, identified by the removable storage device's Plug
and Play device identifier (PNPDeviceID), thereby allowing users full access to
the specified removable storage devices.
More...
This policy is available on an Enterprise, Domain, Group, and User level. Note
that local settings override inherited settings. If a user is in more than one
group, all EMS Device Whitelist entries, across all Groups, apply.
Note: This policy is particularly useful for removable storage devices that
provide hardware encryption. However, use it with caution: the policy does not
check whether a whitelisted device actually provides hardware encryption. Data
written to a whitelisted device that lacks hardware encryption is not encrypted
by EMS and is not protected.
For example, the Kingston® DataTraveler® Vault Privacy model enforces that
encryption is enabled in order to use the device. The Kingston DataTraveler
Vault model, however, has an unsecured partition and a secured partition.
Because both partitions belong to the same physical removable storage device,
which has only one PNPDeviceID, they cannot be distinguished; whitelisting this
particular device would therefore allow unencrypted data written to the
unsecured partition to leave the endpoint.
Additionally, if a removable storage device is already protected by EMS and is
subsequently added to the EMS Device Whitelist policy, it remains encrypted;
removing the encryption requires reformatting the removable storage device.
The following is an example of a PNPDeviceID, which contains the manufacturer
identifier, product identifier, revision, and hardware serial number:
To whitelist a removable storage device, provide a string value which matches
portions of the device’s PNPDeviceID. Multiple device PNPDeviceIDs are
allowed.
For example, to whitelist all Kingston DataTraveler Vault Privacy models, input
the string:
To whitelist both models of Kingston DataTraveler, the Vault and Vault Privacy
models, input the string:
Note that space characters are treated as part of the substring matched
against the PNPDeviceID. Using the previous PNPDeviceID as an example, a space
before or after the semicolon separating two entries would cause neither
substring to match, because a PNPDeviceID contains no space characters.
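The following is an added example, not Dell's code, that models the matching and limit rules described above so a candidate whitelist string can be checked before it is pasted into the policy. It assumes that entries are separated by ";" (the note above refers to a semicolon between substrings), that each entry is matched as a case-sensitive substring of the device's PNPDeviceID, and that the limits are the ones quoted for the policy. The PNPDeviceIDs it uses are constructed samples in the usual Windows USBSTOR layout, not the real Kingston identifiers.

```python
"""Checker for an EMS Device Whitelist string (added example, not Dell code).

Assumptions, labelled: entries are ';'-separated, each entry is a
case-sensitive substring match against the PNPDeviceID, and the limits are
those quoted for the policy. Sample PNPDeviceIDs below are constructed.
"""

MAX_DEVICES = 300        # "Maximum of 300 devices"
MAX_ENTRY_CHARS = 500    # "maximum of 500 characters per PNPDeviceID"
MAX_TOTAL_CHARS = 4096   # "Maximum of 4096 total characters allowed"
SEPARATOR = ";"          # assumption: entries are ';'-separated

# Constructed sample PNPDeviceIDs (vendor, product and serial values made up).
SAMPLE_PNP_IDS = [
    r"USBSTOR\DISK&VEN_KINGSTON&PROD_DT_VAULT_PRIVACY&REV_1.00\0011223344556677&0",
    r"USBSTOR\DISK&VEN_KINGSTON&PROD_DT_VAULT&REV_1.00\8899AABBCCDDEEFF&0",
    r"USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\1234567890ABCDEF&0",
]


def split_entries(whitelist):
    """Split the policy string into entries without stripping anything:
    the policy counts spaces and newlines and matches them literally."""
    return [e for e in whitelist.split(SEPARATOR) if e != ""]


def validate(whitelist):
    """Return the list of limit/whitespace problems; an empty list means OK."""
    problems = []
    if len(whitelist) > MAX_TOTAL_CHARS:
        problems.append(f"total length {len(whitelist)} exceeds {MAX_TOTAL_CHARS}")
    entries = split_entries(whitelist)
    if len(entries) > MAX_DEVICES:
        problems.append(f"{len(entries)} entries exceed the {MAX_DEVICES}-device limit")
    for i, entry in enumerate(entries):
        if len(entry) > MAX_ENTRY_CHARS:
            problems.append(f"entry {i} is {len(entry)} chars, limit {MAX_ENTRY_CHARS}")
        if entry != entry.strip():
            # Surrounding whitespace becomes part of the substring, and a
            # PNPDeviceID contains no spaces, so such an entry never matches.
            problems.append(f"entry {i} has surrounding whitespace: {entry!r}")
    return problems


def matching_devices(whitelist, pnp_ids):
    """Map each entry to the PNPDeviceIDs it matches as a substring.
    No match usually means a typo; more matches than intended is the
    over-match caveat (one entry covering several products or partitions)."""
    return {e: [p for p in pnp_ids if e in p] for e in split_entries(whitelist)}


def is_whitelisted(pnp_id, whitelist):
    """True if any whitelist entry is a substring of the device's PNPDeviceID."""
    return any(e in pnp_id for e in split_entries(whitelist))


def effective_whitelist(group_whitelists):
    """Union of entries across all groups a user belongs to, in first-seen
    order (the text says entries from all of a user's Groups apply)."""
    merged = []
    for wl in group_whitelists:
        for e in split_entries(wl):
            if e not in merged:
                merged.append(e)
    return SEPARATOR.join(merged)


if __name__ == "__main__":
    # A product string that is a prefix of another product string matches both.
    for candidate in ("PROD_DT_VAULT_PRIVACY", "PROD_DT_VAULT", " PROD_DT_VAULT"):
        print(f"{candidate!r}: problems={validate(candidate)}")
        for entry, hits in matching_devices(candidate, SAMPLE_PNP_IDS).items():
            print(f"  {entry!r} matches {len(hits)} device(s)")
```

Under these substring semantics an entry such as "PROD_DT_VAULT" also matches the constructed "PROD_DT_VAULT_PRIVACY" identifier; including the delimiter that follows the product field ("PROD_DT_VAULT&") narrows the match to the intended model. Run matching_devices against the PNPDeviceIDs taken from EMSService.log on a test endpoint before deploying the string.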
Instructions...
To find and edit the PNPDeviceID for removable storage:
1. Insert the removable storage device into an encrypted computer.
2. Open the EMSService.log in C:\Programdata\Dell\Dell Data