The primary form of protection that Endpoint Encryption delivers is prevention of unauthorized user access to encrypted endpoints and devices. Correctly configuring Endpoint Encryption devices, users, and policy groups mitigates the risk of data loss through accidental information release or deliberate sabotage.

Devices

Endpoint Encryption counts the number of consecutive unsuccessful logon attempts on a given device and tracks how long the device has gone without communicating with PolicyServer. If a device violates either policy criterion, Endpoint Encryption can reset, lock, or erase the disk.

Users

In addition to checking authentication attempts on a device, Endpoint Encryption also counts the number of consecutive unsuccessful logon attempts by a particular user account. If that user violates the policy criteria, Endpoint Encryption can reset, lock, or erase the disk.

Groups

Groups are containers of users for policy management. Administrators and authenticators assigned to a group have those special privileges only within that group, whereas unassigned administrators and authenticators hold that role throughout the Enterprise.

For a complete list of the configurable methods to authenticate users and devices, see Authentication Methods.

Devices

Endpoint Encryption devices are Endpoint Encryption agents that have registered with PolicyServer. Installing any Endpoint Encryption agent automatically registers the endpoint with PolicyServer as a new Endpoint Encryption device. Since multiple Endpoint Encryption agents may protect a given endpoint, a single endpoint may appear as more than one Endpoint Encryption device on PolicyServer.

Depending on the policy settings, Endpoint Encryption takes one of the following actions when a user makes consecutive unsuccessful logon attempts on that device:

  • Delay the next authentication attempt

  • Lock the device

  • Erase all data on the device
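The following Python model illustrates how the device-level and user-level rules described above interact: two consecutive-failure counters (one per device, one per user account that follows the account across devices), a time-since-last-PolicyServer-contact check, and one configured action (delay, lock, or erase) on violation. This is an added example, not Trend Micro's code; the class names, field names, threshold values, and action names are assumptions made for the illustration, not product defaults.

```python
"""Simplified model of the device- and user-level lockout rules described above.

Added illustration, not Trend Micro's code: class names, field names,
thresholds and action names are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Policy:
    """Constructed sample policy; thresholds are illustrative, not product defaults."""
    device_max_failures: int = 5      # consecutive failures counted per device
    user_max_failures: int = 3        # consecutive failures counted per user account
    action: str = "lock"              # what a violation triggers: delay | lock | erase
    delay_seconds: int = 60
    max_offline: timedelta = timedelta(days=30)   # longest allowed silence to PolicyServer
    offline_action: str = "lock"      # lock | erase


@dataclass
class Device:
    device_id: str
    last_policyserver_contact: datetime
    failures: int = 0
    state: str = "active"             # active | locked | erased
    delay_until: Optional[datetime] = None


@dataclass
class User:
    username: str
    failures: int = 0                 # follows the account across devices


def check_offline(policy: Policy, device: Device, now: datetime) -> str:
    """Time-based rule: a device out of contact for too long is locked or erased."""
    if device.state == "active" and now - device.last_policyserver_contact > policy.max_offline:
        device.state = "locked" if policy.offline_action == "lock" else "erased"
    return device.state


def apply_action(policy: Policy, device: Device, now: datetime) -> str:
    """Apply the configured violation action to the device and report it."""
    if policy.action == "delay":
        device.delay_until = now + timedelta(seconds=policy.delay_seconds)
    elif policy.action == "lock":
        device.state = "locked"
    elif policy.action == "erase":
        device.state = "erased"
    else:
        raise ValueError(f"unknown action {policy.action!r}")
    return policy.action


def logon(policy: Policy, device: Device, user: User, password_ok: bool, now: datetime) -> str:
    """Evaluate one logon attempt and return the outcome."""
    check_offline(policy, device, now)
    if device.state != "active":
        return "denied:" + device.state
    if device.delay_until is not None and now < device.delay_until:
        return "delayed"                 # attempt refused, counters unchanged
    if password_ok:
        device.failures = 0              # a success resets both consecutive counters
        user.failures = 0
        device.delay_until = None
        return "allowed"
    device.failures += 1
    user.failures += 1
    if device.failures >= policy.device_max_failures or user.failures >= policy.user_max_failures:
        return apply_action(policy, device, now)
    return "denied:bad_password"


def scenario_user_counter_spans_devices():
    """Constructed scenario: the user-level counter trips on a second device."""
    policy = Policy(device_max_failures=5, user_max_failures=3, action="lock")
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    laptop_a = Device("laptop-a", last_policyserver_contact=t0)
    laptop_b = Device("laptop-b", last_policyserver_contact=t0)
    alice = User("alice")
    results = [
        logon(policy, laptop_a, alice, False, t0),
        logon(policy, laptop_a, alice, False, t0 + timedelta(seconds=5)),
        logon(policy, laptop_b, alice, False, t0 + timedelta(seconds=10)),  # 3rd user failure
        logon(policy, laptop_b, alice, True, t0 + timedelta(seconds=15)),   # device already locked
    ]
    return results, laptop_a.state, laptop_b.state


def scenario_offline_device():
    """Constructed scenario: a device silent for 31 days under a 30-day limit."""
    policy = Policy(max_offline=timedelta(days=30), offline_action="erase")
    last = datetime(2024, 1, 1)
    kiosk = Device("kiosk-1", last_policyserver_contact=last)
    return logon(policy, kiosk, User("bob"), True, last + timedelta(days=31))


def scenario_delay():
    """Constructed scenario: the delay action refuses attempts until it expires."""
    policy = Policy(device_max_failures=3, user_max_failures=10, action="delay", delay_seconds=60)
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    dev = Device("desktop-7", last_policyserver_contact=t0)
    carol = User("carol")
    return [
        logon(policy, dev, carol, False, t0),
        logon(policy, dev, carol, False, t0 + timedelta(seconds=1)),
        logon(policy, dev, carol, False, t0 + timedelta(seconds=2)),   # 3rd failure: delay set
        logon(policy, dev, carol, True, t0 + timedelta(seconds=30)),   # inside the delay window
        logon(policy, dev, carol, True, t0 + timedelta(seconds=90)),   # window has expired
    ]


if __name__ == "__main__":
    print(scenario_user_counter_spans_devices())
    print(scenario_offline_device())
    print(scenario_delay())
```

The first scenario is the one worth studying: the user-level counter is what locks the second laptop, even though that device has seen only one bad password, which is why a per-device threshold alone does not describe the policy. The offline scenario shows that the time rule is evaluated before the password is even considered, so a correct password on a device that has been silent too long is still refused.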

Note:

To configure Endpoint Encryption devices, use the Endpoint Encryption Devices widget. See Endpoint Encryption Devices.

Users

Endpoint Encryption users are any user accounts manually added to PolicyServer or synchronized from Active Directory.

Endpoint Encryption has several account roles and authentication methods for comprehensive identity-based authentication and management. Using Control Manager or PolicyServer MMC, you can add or import user accounts, control authentication, synchronize with Active Directory, and manage policy group membership, as needed.

The following table describes the Endpoint Encryption user roles:

Role

Description

Administrator

Administrators may access the management consoles and perform any configuration within their domain. The rights of this role depend on the level at which the administrator role is assigned:

  • Enterprise administrator: These administrators have control over all policies, groups, users, and devices in the enterprise.

  • Group administrator: These administrators have control over users and devices that authenticate within a specific group. Control Manager makes a group for each policy, so these administrators may also be known as "policy administrators".

Authenticator

Authenticators provide remote assistance when users forget their Endpoint Encryption passwords or have technical problems. The rights of this role depend on the level at which the authenticator role is assigned:

  • Enterprise authenticator: These authenticators can assist any users in the enterprise.

  • Group authenticator: These authenticators can assist any users within a specific group. Control Manager makes a group for each policy, so these authenticators may also be known as "policy authenticators".

User

Basic end users have no special privileges. The user role may not log on to the Endpoint Encryption management consoles. Unless allowed by PolicyServer, the user role also may not use recovery tools.

Note:

To configure Endpoint Encryption users, use the Endpoint Encryption Users widget. See Endpoint Encryption Users.

Groups

Endpoint Encryption manages policies by user groups. Group management differs between PolicyServer MMC and Control Manager. After policies and groups are modified, PolicyServer synchronizes groups across both consoles.

Important:

Control Manager always takes precedence over PolicyServer MMC for policy and group assignment. Any modifications to the group assignment in PolicyServer MMC are automatically overwritten the next time that Control Manager synchronizes with PolicyServer.

Console

Group Management

Control Manager

Endpoint Encryption automatically creates a group each time a policy with specific targets is deployed. After deployment, modify the groups a user is in from the Endpoint Encryption Users widget, and modify the users in the policy from the Policy Management screen.

PolicyServer MMC

Add and modify groups directly from the left pane of PolicyServer MMC. Groups in PolicyServer MMC can be assigned as follows:

  • Top Group: Top Groups are the highest level of groups under the Enterprise. Each Top Group has a unique node underneath the Enterprise.

  • Subgroup: Subgroups are created within Top Groups. Subgroups inherit the policies of the Top Group on creation, but do not inherit changes made to the Top Group. Subgroups may not be more permissive than the Top Group.

    Note:

    You must manually assign devices and users to each subgroup. Adding Endpoint Encryption users to a subgroup does not automatically add the users to the Top Group. However, you can add users to both the Top Group and subgroup.
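The Python model below illustrates two rules from this page together: the Top Group / subgroup relationship (a subgroup copies the Top Group policy at creation, does not pick up later Top Group changes, and may not be more permissive than the Top Group), and the role scoping described under Users and Groups (administrators and authenticators assigned to a group act only within it, while unassigned ones act enterprise-wide). This is an added example, not Trend Micro's code. The setting names, the direction in which each setting counts as "more permissive", and the assumption that a group-level role covers exactly its named group are constructed for the illustration; the page does not say whether PolicyServer itself flags the drift that the last check reports.

```python
"""Model of Top Group / subgroup policy inheritance and of group-scoped roles.

Added illustration, not Trend Micro's code. Setting names, the "more
permissive" direction of each setting, and the assumption that a group-level
role covers exactly its named group are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed settings. True: a larger value is the MORE permissive one.
HIGHER_IS_MORE_PERMISSIVE = {
    "max_failed_logons": True,
    "min_password_length": False,
    "max_offline_days": True,
}


@dataclass
class Group:
    name: str
    policy: Dict[str, int]
    parent: Optional["Group"] = None      # None for a Top Group
    subgroups: List["Group"] = field(default_factory=list)


def create_subgroup(top: Group, name: str) -> Group:
    """A subgroup copies the Top Group policy once, at creation (no live link)."""
    sub = Group(name, policy=dict(top.policy), parent=top)
    top.subgroups.append(sub)
    return sub


def is_more_permissive(key: str, value: int, reference: int) -> bool:
    return value > reference if HIGHER_IS_MORE_PERMISSIVE[key] else value < reference


def set_subgroup_policy(sub: Group, key: str, value: int) -> None:
    """Reject a subgroup change that would be looser than its Top Group."""
    if is_more_permissive(key, value, sub.parent.policy[key]):
        raise ValueError(f"{sub.name}: {key}={value} is more permissive than {sub.parent.name}")
    sub.policy[key] = value


def drifted_settings(sub: Group) -> List[str]:
    """Settings where a subgroup's creation-time copy is now looser than its Top Group.

    Subgroups do not inherit later Top Group changes, so tightening the Top
    Group leaves existing subgroups where they were; this finds those settings.
    """
    return [k for k in HIGHER_IS_MORE_PERMISSIVE
            if is_more_permissive(k, sub.policy[k], sub.parent.policy[k])]


@dataclass
class Account:
    username: str
    role: str                          # administrator | authenticator | user
    group: Optional[str] = None        # None = unassigned, i.e. enterprise-wide


def in_scope(acct: Account, group: Group) -> bool:
    # Assumption for this model: a group-level role covers exactly its named group.
    return acct.group is None or acct.group == group.name


def can_manage(acct: Account, group: Group) -> bool:
    """Administrators configure policies, users and devices within their scope."""
    return acct.role == "administrator" and in_scope(acct, group)


def can_assist(acct: Account, group: Group) -> bool:
    """Authenticators help users (e.g. forgotten passwords) within their scope."""
    return acct.role == "authenticator" and in_scope(acct, group)


def demo() -> dict:
    finance = Group("Finance", {"max_failed_logons": 5, "min_password_length": 8, "max_offline_days": 30})
    hr = Group("HR", dict(finance.policy))
    audit = create_subgroup(finance, "Finance-Audit")

    # The Top Group is tightened later; the subgroup keeps its creation-time copy.
    finance.policy["min_password_length"] = 12

    set_subgroup_policy(audit, "max_failed_logons", 3)        # stricter: accepted
    try:
        set_subgroup_policy(audit, "max_offline_days", 60)    # looser: rejected
        looser_rejected = False
    except ValueError:
        looser_rejected = True

    ent_admin = Account("ent-admin", "administrator")               # unassigned: enterprise-wide
    fin_admin = Account("fin-admin", "administrator", group="Finance")
    fin_auth = Account("fin-helpdesk", "authenticator", group="Finance")
    end_user = Account("alice", "user", group="Finance")

    return {
        "audit_min_password_length": audit.policy["min_password_length"],
        "audit_max_failed_logons": audit.policy["max_failed_logons"],
        "audit_max_offline_days": audit.policy["max_offline_days"],
        "looser_rejected": looser_rejected,
        "drift": drifted_settings(audit),
        "ent_admin_manages_hr": can_manage(ent_admin, hr),
        "fin_admin_manages_finance": can_manage(fin_admin, finance),
        "fin_admin_manages_hr": can_manage(fin_admin, hr),
        "fin_auth_manages_finance": can_manage(fin_auth, finance),
        "fin_auth_assists_finance": can_assist(fin_auth, finance),
        "end_user_manages_finance": can_manage(end_user, finance),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical point of `drifted_settings` is the one administrators tend to miss: because a subgroup only copies the Top Group at creation, raising the Top Group's password length afterwards leaves `Finance-Audit` at the old value, and nothing in the inheritance rule itself pulls it back in line. Reviewing subgroups after every Top Group change is the defensive habit this model is meant to suggest.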

Note:

To configure the users within a policy group on Control Manager, use the Endpoint Encryption Users widget. See Endpoint Encryption Users.

To configure users within a policy group on PolicyServer MMC, see the Endpoint Encryption PolicyServer MMC Guide.