Reference Guide
Security Management Server Virtual - AdminHelp v9.8
275
EMS Automatic Authentication
Default setting: Local
Options: Disabled, Enable Local, Enable Roaming
Local automatic authentication allows Dell-encrypted media to be authenticated
automatically when it is inserted in the computer that originally encrypted it,
provided the owner of that media is logged in. When the User Roaming key is
applied to Encryption External Media, Roaming automatic authentication allows
Dell-encrypted media to be authenticated automatically when it is inserted in
any Dell-encrypted computer the media owner is logged in to. When automatic
authentication is disabled, users must always authenticate manually to access
Dell-encrypted media.
Disabling Roaming authentication helps prevent users from forgetting their
password when they take the media home or share it with a colleague. It also
reinforces users' awareness that the data being written to that media is
protected, since they are prompted for the password on every computer other
than the one that encrypted the media.
EMS Access Encrypted Data on unShielded Device
Default setting: Selected
Selected allows the user to access encrypted data on removable storage whether
or not the endpoint is encrypted.
When this policy is Not Selected, the user can work with encrypted data only
when logged on to an encrypted endpoint (regardless of the Dell Server the user
activated against). The user cannot work with encrypted data on any unencrypted
device.
EMS Device Whitelist
Type: String. Maximum of 150 devices, with a maximum of 500 characters per
PNPDeviceID and a maximum of 2048 total characters. "Space" and "Enter"
characters count toward the total.
This policy specifies removable storage devices to exclude from encryption,
identified by the device's Plug and Play device identifier (PNPDeviceID),
thereby giving users full access to the specified removable storage devices
without encryption.
This policy is available on an Enterprise, Domain, Group, and User level. Note
that local settings override inherited settings. If a user is in more than one
group, all EMS Device Whitelist entries, across all Groups, apply.
Note: This policy is particularly useful for removable storage devices that
provide their own hardware encryption. Use it with caution, however: the policy
does not check whether the devices on the list actually provide hardware
encryption. A whitelisted device that lacks hardware encryption has no
enforced protection, and data written to it leaves the endpoint unprotected.
For example, the Kingston® DataTraveler® Vault Privacy model enforces that
encryption is enabled to use the device. However, the Kingston DataTraveler
Vault model has an unsecured partition and a secured partition. Because it is
the same physical removable storage device with only one PNPDeviceID, the
two partitions cannot be distinguished, meaning that whitelisting this
particular removable storage device would allow unencrypted data to leave
the endpoint.
Additionally, if a removable storage device is encrypted and is subsequently
added to the EMS Device Whitelist policy, it remains encrypted and requires a
reformat of the removable storage device to remove encryption.
The following is an example of a PNPDeviceID, which contains the manufacturer
identifier, product identifier, revision, and hardware serial number:
To whitelist a removable storage device, provide a string value which matches
portions of the device’s PNPDeviceID. Multiple device PNPDeviceIDs are
allowed.
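Because each whitelist entry is matched as a substring of the PNPDeviceID, the width of an entry decides how many devices it exempts, and an entry that is too short exempts devices that were never meant to bypass encryption. The model below is an added example for testing candidate entries against an inventory of PNPDeviceIDs before the policy is deployed; it is not Dell's code and does not describe how the Dell client implements the match. It assumes entries are one per line, that an entry matches when it is a plain case-sensitive substring of the PNPDeviceID, and that spaces are part of the entry. The PNPDeviceIDs and the "enforces hardware encryption" flags are constructed sample data in the Windows USBSTOR format, not identifiers from the page or from real devices.

```python
# Added example (not Dell's code): a model of EMS Device Whitelist matching,
# used to check what a candidate policy string would exempt from encryption.
#
# Assumptions not stated on the page: entries are one per line, an entry
# whitelists a device when it is a plain, case-sensitive substring of the
# device's PNPDeviceID, and leading/trailing spaces are part of the entry.

MAX_DEVICES = 150          # limits quoted in the policy description
MAX_CHARS_PER_ENTRY = 500
MAX_TOTAL_CHARS = 2048

# Constructed inventory: PNPDeviceID -> does the drive enforce hardware encryption?
# (Two serials of the same product show that one entry covers every unit.)
INVENTORY = {
    r"USBSTOR\DISK&VEN_KINGSTON&PROD_DT_VAULT_PRIVACY&REV_PMAP\0019E06B4A8E0001&0": True,
    r"USBSTOR\DISK&VEN_KINGSTON&PROD_DT_VAULT_PRIVACY&REV_PMAP\0019E06B4A8E0002&0": True,
    # Has an unsecured partition, so encryption is not enforced on all data.
    r"USBSTOR\DISK&VEN_KINGSTON&PROD_DT_VAULT&REV_PMAP\0019E06B4A8E0003&0": False,
    # Ordinary flash drive with no hardware encryption at all.
    r"USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_3.0&REV_PMAP\0019E06B4A8E0004&0": False,
    r"USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_GLIDE&REV_1.00\4C530001230405060708&0": False,
}


def parse_whitelist(policy_value: str) -> list[str]:
    """Split the policy string into entries and enforce the documented limits.

    The total-length check runs on the raw value because spaces and line
    breaks count toward the 2048-character total.
    """
    if len(policy_value) > MAX_TOTAL_CHARS:
        raise ValueError(f"whitelist exceeds {MAX_TOTAL_CHARS} characters")
    entries = [e for e in policy_value.split("\n") if e]  # blank lines are not devices
    if len(entries) > MAX_DEVICES:
        raise ValueError(f"more than {MAX_DEVICES} whitelist entries")
    for e in entries:
        if len(e) > MAX_CHARS_PER_ENTRY:
            raise ValueError(f"entry exceeds {MAX_CHARS_PER_ENTRY} characters: {e[:40]}...")
    return entries


def matching_entries(pnp_device_id: str, entries: list[str]) -> list[str]:
    """Return the whitelist entries that occur as substrings of this PNPDeviceID."""
    return [e for e in entries if e in pnp_device_id]


def is_whitelisted(pnp_device_id: str, entries: list[str]) -> bool:
    """A device is excluded from encryption when any entry matches."""
    return bool(matching_entries(pnp_device_id, entries))


def exempted_unprotected(policy_value: str, inventory: dict[str, bool]) -> dict[str, list[str]]:
    """Pre-deployment check: which inventory devices WITHOUT enforced hardware
    encryption would this policy exempt, and which entries are responsible?

    Anything returned here is media that could carry plaintext off the
    endpoint, which is the failure mode the policy note warns about.
    """
    entries = parse_whitelist(policy_value)
    return {
        dev: matching_entries(dev, entries)
        for dev, hw_encrypted in inventory.items()
        if not hw_encrypted and is_whitelisted(dev, entries)
    }


if __name__ == "__main__":
    narrow = "VEN_KINGSTON&PROD_DT_VAULT_PRIVACY"  # one product, every serial
    both = "VEN_KINGSTON&PROD_DT_VAULT"            # prefix shared by Vault and Vault Privacy
    broad = "VEN_KINGSTON"                         # every Kingston device, encrypted or not

    for label, policy in (("narrow", narrow), ("both models", both), ("vendor only", broad)):
        leaks = exempted_unprotected(policy, INVENTORY)
        print(f"{label:12s} -> {len(leaks)} unprotected device(s) exempted")
        for dev, hits in leaks.items():
            print("    ", dev, "via", hits)

    # Spaces are significant: a stray trailing space defeats the match entirely.
    first_device = next(iter(INVENTORY))
    print("entry with trailing space matches:", is_whitelisted(first_device, [narrow + " "]))
```

Run against a real inventory (for example, PNPDeviceIDs exported from endpoint hardware reports), the "vendor only" case is the one to look for: it exempts every device from that vendor, including drives with no hardware encryption, while the narrow entry exempts only the product family it names.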
For example, to whitelist all Kingston DataTraveler Vault Privacy models, input
the string:
To whitelist both models of Kingston DataTraveler, the Vault and Vault Privacy
models, input the string:
Note that space characters are considered part of the substring to match to a