Encryption: Device Encryption

Device Encryption allows you to manage BitLocker Drive Encryption on Windows computers and FileVault on Macs. Encrypting hard disks keeps data safe, even when a device is lost or stolen.

You set up encryption as follows:

  1. The Device Encryption agent is installed on Windows computers automatically when you use the standard Windows agent installer (if you have the required license). You must manually install the Device Encryption agent on Macs.
  2. Edit a Device Encryption base policy and apply the policy to users as described below.
  3. Computers are encrypted when those users log in.
    Note FileVault encryption is user-based; every user of an endpoint must have encryption turned on.

For full details of how computers are encrypted, see the Device Encryption administrator guide.

Note You can apply device encryption to boot volumes and fixed data volumes, but not to removable media.

To set up a policy:

  • Edit a Device Encryption base policy
  • Open the policy's Settings tab and configure it as described below.

Settings

Device Encryption is on/off: A computer is encrypted as soon as one of the users the policy applies to logs in.

A Windows endpoint stays encrypted even if a different user who isn't included in the policy logs in.

Warning You must apply an encryption policy to all users of a specific macOS endpoint to ensure that it is fully protected.

Encrypt boot volume only: This option allows you to encrypt the boot volume only. Data volumes are ignored.

Advanced Windows settings

Require startup authentication: This option is turned on by default. It enforces authentication via TPM+PIN, passphrase, or USB key. If you turn it off, TPM-only logon protection is installed on supported computers. For more information on authentication methods, see the Device Encryption administrator guide.

Require new authentication password/PIN from users: This option is turned off by default. It forces a change of the BitLocker password or PIN after the specified time. An event is logged when users change their password or PIN.

Note On the endpoint, the feature is only available in Central Device Encryption 2.0 or later.

If users close the dialog without entering a new password or PIN, the dialog is shown again after 30 seconds, until they enter a new one. After users have closed the dialog five times without changing the password or PIN, an alert is logged.

Encrypt used space only:This option is turned off by default. It allows you to encrypt used space only instead of encrypting the whole drive. You can use it to make initial encryption (when the policy is first applied to a computer) much faster.

Warning If you encrypt used space only, deleted data on the computer might not be encrypted, so you should only do this for newly set up computers.
Note This option does not affect Windows 7 endpoints.

Password protect files for secure sharing (Windows only)

Note On the endpoint, the feature is only available in Central Device Encryption 2.0 or later.

You can protect files up to 50Mb.

Enable right-click context menu: If you turn on this option, a Create password-protected file option is added to the right-click menu of files. Users can attach password-protected files to emails when sending sensitive data to recipients outside your corporate network. Files are wrapped in a new HTML file with encrypted content.

Recipients can open the file by double-clicking it and entering the password. They can send the received file back and protect it with the same or a new password, or they can create a new password-protected file.

Enable Outlook add-in: This option adds encryption of email attachments to Outlook. Users can protect attachments by selecting Protect Attachments on the Outlook ribbon. All unprotected attachments are wrapped in a new HTML attachment with encrypted content, and the email is sent.

Always ask how to proceed with attached files: If you turn on this option, users must choose how to send attachments whenever the message contains one. They can send them password protected or unprotected.

You can enter excluded domains for which the Always ask how to proceed with attached files option does not apply. For example, your organization's domain. If recipients belong to such a domain, the senders aren't asked how they want to handle attachments.

Enter only complete domain names and separate them by commas.