This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Encrypting of USB Memory Stick


I am fairly new to Sophos SafeGuard and wondered if someone can point me in the right direction of encrypting a USB Memory Stick using the Sophos SafeGuard Console?

Thanks and kind regards,

Dan Petford

This thread was automatically locked due to age.
  • Hi Dan - I think the VERY first step is Business Change. Any drastic change to policy (if you currently allow "free-reign") will have to be communicated to everyone. You will not be the most popular man at the party if you "accidently" encrypted Vera's France holiday photos, or the bosses PowerPoint presentation. 

    Second step I would create a test group of PC's and apply the policy to these only. You'll have to test this a great deal to be 100% confident in it.

    Third step - The policy creation. Best to go for Synchronised Encryption for USB rather than location based, especially if you have the existing hard drive/SSD encrypted.

    Are you wanting to encrypt the whole stick or files on it?

  • Thanks Michael,

    I want to encrypt the whole stick before we issue them out.

    I have made a Test Policy Item and a Test Policy Group, how do I now assign myself to it as a test?

    Kind regards, Dan Petford

  • Well done - good start!

    Once you've made the group (I was just going to advise you created a group rather than individually assigning!) you need to apply it either to the OU/container you're working with or the root of the OU. I use the root here for one of my policies so that'll it can apply to any object within the tree.

    Go to the root (or the OU you want to apply the policy/policy group to) - use the Policies tab. 

    Drag in the policy OR the policy group.

    Automatically it'll be applied to all users and computers in the bottom half. This will NOT be desired for your policy. 

    Click on Authenticated Users and remove it.

    Click on Authenticated Computers - remove this.

    On the bottom right - drag in yourself as a user/group.

    Click Save.


    Find your PC - Use your RSOP Tab and put in YOUR username/group. Click search to confirm the policy IS being applied to you AND/OR your PC.


    Refresh your client on your PC to get the new policy. You should see "New policies received" on the client.


    Hope this helps?

  • What is the difference between adding the Policy Item or the Policy Group?

  • Nothing really! One policy is just one, but a group could be a group of policies like "encrypt USB" policy combined with "Encrypt secondary drives" sort of thing. 


    I would always create a group - even if there's just one thing in there for now, as it makes it much easier to add/modify later.


    I would (in your case) perhaps add a secondary policy to include different legal text notification that appears on their welcome screen to indicate that USB encryption IS activated. That way they'll be reminded of this every time they log in. Useful for "well you didn't tell me" type argument that is almost guaranteed from some users! You can set this under "Specific Machine Settings policy" and add this to your group? You can set the text you want to display under "Texts" in Policies.

  • Thanks for that, one more question, I am trying to add a device to the White List, but when I save it then disappears.

    I only have a Hardware ID and no Vendor or Product, does that make a difference?

  • Are you importing XML or creating it manually?

  • Hi Michael,

    Just wondered if you had anymore thoughts on this?

    Kind regards, Dan

Reply Children
No Data