Overview
Deployed Protection policy with encryption enabled is not encrypting the device.
Environment
- GFI EndPointSecurity
- All supported platforms
Root Cause
The device must match the encryption policy to have encryption enabled. The mismatch can occur when:
- There are not enough permissions for the user to access the device category/connectivity ports.
- Volume encryption is not set in the policy.
- The device is detected with a category that is not listed in the policy.
Resolution
To resolve this issue, perform the steps below:
- Verify under which Device Category the attached device is discovered by performing the following steps:
  - Open the GFI EndPointSecurity console.
  - Go to Configuration > Computers.
  - Under the Scanning tab, select a computer and click Target Scan.
    After the scan is completed, make sure that the Device Category detected by the scan is selected/enabled under Controlled Device Categories in the Deployed Protection policy.
- Verify the required Deployed Protection policy settings for encrypting the device by performing the following steps:
  - Enable Volume Encryption under Configuration > Protection Policies > Encryption.
  - Set the Recovery Password in the Volume Encryption window.
  - Enforce encryption of the device on the Users tab of the Volume Encryption window.
  - To make the encrypted data in your domain accessible on a device without an agent deployed, enter the Username on the Traveler tab of the Volume Encryption window.
- Verify the required Deployed Protection policy settings for decrypting the device.
  When EndPointSecurity Volume Encryption is used, any user who is granted access to the Device Category under which the Target Scan option discovers the encrypted device can decrypt the device or remove the encryption by entering the password.
- (Optional) For storage devices encrypted using Windows BitLocker To Go encryption, ensure the following:
  - Enable detection of encrypted devices under Configuration > Protection Policies > Encryption.
  - Select the users/groups who have access to the Windows BitLocker encrypted device, and enable them to decrypt the device on the Permissions tab of the BitLocker Encryption window.
  - On the File-type Filter tab of the BitLocker Encryption window, enter the file types that are allowed or blocked from being decrypted, or use the same filters for non-encrypted devices.