How to enforce encryption for removable storage devices in LEMSS

Version 1

    Details

    Lumension Endpoint Management and Security Suite (LEMSS) 7.1 and higher

    To enforce encryption for removable storage devices, you need to create 2 separate policies: one policy for unencrypted devices and another for encrypted devices.

    Policy for Unencrypted devices.

         
    1. In the LEMSS Web Console, navigate to Manage > Device Control Policies.
    2. Click Create > Device class policy.
    3. Specify a Policy name and select ‘Removable Storage Devices’ from the Device class selection drop-down menu.
    4. Check the ‘Permission settings’ checkbox under the Settings applied by this Policy section.
    5. Set Policy enforcement to Always.
    6. Set Activation to ‘Enable’ and click Next.
    7. Check ‘Allow the following permissions’ and select the following options:
        • Encrypt (required)
        • Export to file (only needed if you plan on exporting the key to a file)
        • Export to media (automatically selected when you select 'Encrypt')
        • Read Access (optional)
    8. Under the Connections section, select ‘All’ or the types of connections you want this policy to control.
    9. Under the Drives section, check ‘Non hard drives only’.
    10. Select only ‘Unencrypted/Unknown encryption type’ under the Encryption section and click Next.
    11. Choose whether you want to assign this policy to everyone, a particular endpoint/machine, or a group of endpoints, and click OK.

    Policy for Encrypted devices.

         
    1. In the LEMSS Web Console, navigate to Manage > Device Control Policies.
    2. Click Create > Device class policy.
    3. Specify a Policy name and select ‘Removable Storage Devices’ from the Device class selection drop-down menu.
    4. Check the ‘Permission settings’ checkbox under the Settings applied by this Policy section.
    5. Set Policy enforcement to Always.
    6. Set Activation to ‘Enable’ and click Next.
    7. Check ‘Allow the following permissions’ and select the following options:
        • Read (required)
        • Write (required)
        • Decrypt (optional, but required if you want users to be able to decrypt). NOTE: Data is not retained when you decrypt.
        • Encrypt (due to a product limitation, you must select 'Encrypt' in order to have the option to select 'Export to Media')
    8. Under the Connections section, select ‘All’ or the types of connections you want this policy to control.
    9. Under the Drives section, check ‘Non hard drives only’.
    10. Select only ‘Self contained encryption’ under the Encryption section and click Next.
    11. Assign this policy the same way as the policy for unencrypted devices and click OK.