Create policies for application-based file encryption

  1. In the Policies navigation area, create a new policy of the type File Encryption.
    The File Encryption tab is displayed.
  2. Select Application-based (Synchronized Encryption) from the Encryption type drop-down list.
    Application list and Encryption scope options are displayed.
    Note: For the encryption type No Encryption, see Policies of type No encryption.
  3. From the drop-down list, select the Application list you created beforehand.
  4. From the Encryption scope drop-down list, select one of the following:
    • Everywhere: Encryption is applied on local drives, removables, cloud storage and network drives. You can define exemptions where no application-based file encryption is applied.
      Note: For OS X, Everywhere means that all files in some predefined locations will be encrypted and can therefore only be used by the applications in your application list. These locations are:
      • folder <Desktop>
      • folder <Documents>
      • folder <Downloads>
      • folder <Music>
      • folder <Pictures>
      • folder <Videos>
      • all network shares
      • all removable devices
      • all supported cloud storage providers
      • temporary folders where Microsoft Outlook and Apple Mail store mail attachments
      Important: Applying Synchronized Encryption to network shares can cause issues for some users. If files on network shares have been encrypted by users who have the Synchronized Encryption key in their key ring, users without that key will not be able to decrypt them. To avoid this, you can first exclude network shares from encryption and remove the exemption after you are sure that all users have the Synchronized Encryption key. Users receive their key when a Synchronized Encryption policy is applied to their endpoint, or you can manually assign the keys in the Management Center.
    • Defined locations: Lets you specify paths where encryption is applied. Placeholders for path definitions are provided. You can select to include or to exclude a path in/from encryption.
  5. Depending on your selection for the Encryption scope, you can define paths where application-based encryption is applied (Defined Locations) or exemptions to application-based encryption (Everywhere).
    Note: You can define paths for Windows and Mac OS X in the same policy. Placeholders for the different systems are available from the Path drop-down list. The System column indicates for which operating system the path is valid (All systems, Windows, Mac OS X). By hovering your cursor over the Cloud Storage placeholders, you can display tooltips telling you for which operating system you can use the placeholder.
  6. In the Path column, set the path to be handled by Application-based (Synchronized Encryption) file encryption:
    • Click the drop-down button and select a folder name placeholder from the list of available placeholders.
      Note: By hovering your cursor over the list entries, you can display tooltips telling you how a placeholder is typically presented on an endpoint. You can only enter valid placeholders for each operating system. For a description of all available placeholders, see Placeholders for paths in application-based File Encryption rules.
      Important: Encrypting the whole user profile with the placeholder <User Profile> may result in an unstable Windows desktop on the endpoint.
    • Click the Browse button to browse the file system and select the required folder.
    • Alternatively, just enter a path name.
  7. Select the encryption Mode:
    • For Encryption scope - Defined Locations, select Encrypt to let applications from the application list encrypt their files under this path, or Exclude if these applications should not encrypt their files under this path. For example, you can specify to encrypt D:\Documents and exclude D:\Documents\Plain.
    • For Encryption scope - Everywhere, you can only Exclude paths from encryption.
  8. Add further paths as required.
  9. Specify settings for Initial encryption. Select the locations whose existing files are encrypted according to the specified paths (Stored on local disks, Stored on removable devices, Stored with automatically detected cloud storage providers). Initial encryption starts when the policy is applied on the endpoint or when a removable device is connected.
  10. Save your changes.
    Note: When you leave the File encryption tab, the system prompts you to save your changes.
  11. Go to Users and Computers and assign the new policy to your user groups.
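The following is an added illustrative model of how the Encryption scope and the Encrypt/Exclude path rules from steps 4 to 7 combine; it is not the product's own code. It assumes a constructed placeholder table for one Windows user and, since the page does not state a precedence rule, that the most specific matching path wins (which is what the D:\Documents / D:\Documents\Plain example implies).

```python
from pathlib import PureWindowsPath

# Constructed expansion of placeholders for one endpoint user (assumption: the
# product resolves these per endpoint; only two placeholders are modelled here).
PLACEHOLDERS = {
    "<User Profile>": r"C:\Users\alice",
    "<Documents>": r"C:\Users\alice\Documents",
}

def expand(path: str) -> PureWindowsPath:
    """Replace placeholders and normalise case (Windows paths are case-insensitive)."""
    for name, value in PLACEHOLDERS.items():
        path = path.replace(name, value)
    return PureWindowsPath(path.lower())

def match_depth(file_path: PureWindowsPath, rule_path: PureWindowsPath):
    """Number of path components matched if file_path lies under rule_path, else None."""
    if file_path == rule_path or rule_path in file_path.parents:
        return len(rule_path.parts)
    return None

def should_encrypt(scope: str, rules, file_path: str) -> bool:
    """Decide whether a file falls under application-based encryption.

    scope: "Everywhere" or "Defined locations".
    rules: list of (path, mode) pairs, mode being "Encrypt" or "Exclude";
           with scope "Everywhere" only "Exclude" rules are allowed, as on the page.
    Assumption (not stated on the page): the most specific matching rule wins.
    """
    target = expand(file_path)
    winner = None  # (depth, mode) of the deepest matching rule
    for rule_path, mode in rules:
        if scope == "Everywhere" and mode != "Exclude":
            raise ValueError("Everywhere scope only accepts Exclude rules")
        depth = match_depth(target, expand(rule_path))
        if depth is not None and (winner is None or depth > winner[0]):
            winner = (depth, mode)
    if scope == "Everywhere":
        return winner is None          # encrypt unless an exemption applies
    if scope == "Defined locations":
        return winner is not None and winner[1] == "Encrypt"
    raise ValueError(f"unknown scope {scope!r}")

# The page's own example: encrypt D:\Documents but leave D:\Documents\Plain in clear.
DEFINED_RULES = [(r"D:\Documents", "Encrypt"), (r"D:\Documents\Plain", "Exclude")]
# Constructed exemption for the network-share caveat in step 4: exclude a share
# until all users hold the Synchronized Encryption key.
EVERYWHERE_RULES = [(r"\\fileserver\share", "Exclude")]
```

Running should_encrypt over a sample of endpoint paths before rolling a policy out is a quick way to check that an exemption such as the network-share one actually covers the paths you intend.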