Reference Guide
Security Management Server v10.2.7 AdminHelp
175
(WPD): Storage
Full Access: Port does not have read/write data restrictions applied.
Read Only: Allows read capability. Write data is disabled.
Blocked: Port is blocked from read/write capability.
Class: Human
Interface Device
(HID)
Enabled
Control access to all Human Interface Devices (keyboards, mice).
Note: USB port-level blocking and HID class-level blocking is only honored
if we can identify the computer chassis as a laptop/notebook form-factor.
We rely on the computer's BIOS for the identification of the chassis.
Class: Other
Enabled
Control access to all devices not covered by other Classes.
EMS Encrypt
External Media
Not Selected
This policy must be selected to use all other removable media policies. Not
Selected means that no encryption of removable media takes place,
regardless of other removable media policy values.
EMS Exclude
CD/DVD Encryption
Not Selected Not Selected encrypts CD/DVD devices.
EMS Access to
unShielded Media
Read Only
Block, Read Only, Full Access
Note that this policy interacts with the Storage > Subclass Storage: Externa
l
Drive Control policy. If you intend to set this policy to Full Access, ensure
that Subclass Storage: External Drive Control is not set to Read Only or
Blocked.
More...
When this policy is set to Block Access, you have no access to removable
media unless it is encrypted.
Choosing either Read-Only or Full Access allows you to decide what
removable media to encrypt.
If you choose not to encrypt removable media and this policy is set to Full
Access, you have full read/write access to removable media.
If you choose not to encrypt removable media and this policy is set to
Read-
Only, you can read or delete existing files on the unencrypted media,
but files cannot be edited on, or added to, the media .
EMS Encryption
Algorithm
AES256
AES 256, AES 128, 3DES
Encryption algorithm used to encrypt removable media.
Encryption algorithms in order of speed, fastest first, are AES 128, AES 256,
3DES.
EMS Automatic
Authentication
Disabled
Disabled, Local, Roaming
Local automatic authentication allows the encrypted media to be
automatically authenticated when inserted in the originally encrypting
computer when the owner of that media is logged in. When local
automatic authentication is disabled, users must always manually
authenticate to access encrypted media.
Not selecting roaming automatic authentication helps to prevent users
from forgetting their password when they take the media home or share it
with a colleague. Not selecting roaming automatic authentication also
promotes a sense of awareness from a security perspective for users that
the data being written to that media is protected.
EMS Scan External
Media
Not Selected
Selected allows removable media to be scanned every time it is inserted.
When this policy is Not Selected and the EMS Encrypt External Media
policy is Selected, only new and changed files are encrypted.
See EMS Encryption Rules
if changing this policy to Selected. Do not enable
this policy without applying EMS Encryption Rules also.
More...
A scan occurs at every insertion so that any files added to the removable
media without authenticating can be caught. Files can be added to the
media if authentication is declined, but encrypted data cannot be
accessed. The files added are not encrypted in this case, so the next time
the media is authenticated (to work with encrypted data), any files that
may have been added are scanned and encrypted.
EMS Access
Encrypted Data on
unShielded Device
Selected
Selected allows the user to access encrypted data on removable media
whether the endpoint is encrypted or not.
More...
When this policy is Not Selected, the user can work with encrypted data