Enforce Data Exchange (only) on USB Removable Media for all users of a PC

Hi there,

We're having some problems with a basic setup and wonder if more experienced users could point us in the right direction.

We have SafeGuard Management Center 7, but a mix of 6 and 7 clients, used previously to encrypt laptops so all working fine.

Our new objectives:

For most desktop Win 7 PCs we now wish to enforce encryption of USB removable media;

We want the policy to apply to any user of that PC, as almost any of our PCs can be used by any of our users;

We do not want POA, or volume encryption, only Data Exchange, and that to only apply to removable media, so file-based not volume-based;

We have enabled generation of Group Keys as we wish to use Group Keys so users in-house can seamlessly exchange USB devices and files;

SGPortable can be used for external recipients.

We have no problem getting the PreInstall, Client, and the Config onto the PCs.

The problem:

How to assign all our users to a PC or ideally to an OU?  It seems only possible to assign individual users to a PC.  If I create a group of users and assign that group, the users are individually enumerated in the assignment.

Then when attempting to save the configuration after adding the users, I get an error such as attached,

"You have already assigned a max of 0 user(s).  Please remove 110 object(s)"

We have 250 available DE licences, so even if the license is per user, this doesn't make sense.  (Although we thought the license was per device?). 

After going round in circles with this one for some days now, I'm getting confused between AD groups, Safeguard groups, group keys, OUs etc...

All we want to do is assign everybody to each configured PC in the simplest possible way (i.e. groups) all using the same group key.

If someone could point out where we are going wrong, this would be much appreciated.  Thanks in advance,

Dave T

  • Hi David,

    there is no need to distribute every single user to every single machine. The users auto enroll themselves during the first logon to the SafeGuard Data Exchange computers:

    In a scenario where SafeGuard Device Encryption (incl. POA) is used, the first user to log on in Windows is automatically registered in the SafeGuard POA. At first, no other Windows user can log on at the SafeGuard POA. Further users must be imported with the assistance of the first user.

    When the Device Encryption (incl. POA) is not installed, the registration process for new Users changes slightly:

    To allow new user registrations for every user (w/o the registered owner being present), change the policy "Specific Machine Settings | User Machine Assignment (UMA) | Allow registration of new SGN Users for" from "Owner" to "Everybody".

    Policy hint: Defines who is able to import another SGN user into the SafeGuard POA and/or UMA (by disabling the pass-through to the operating system).

    Note: For endpoints that do not have the Device Encryption module installed, the "Allow registration of new SGN users for" setting must be set to "Everybody" if it should be possible on the endpoint to add more than one user to the UMA with access to their key ring. Otherwise users can only be added in the Management Center.

    After changing the policy and synchronizing the changes to the Clients, Users that log in to a SafeGuard Data Exchange Client for the first time will be automatically listed as a "SafeGuard User" and have access to their encryption keys if the Client version is 6.10 or 7.0.

    Hope that helps,

    ChrisD
