Create read-only policy for Windows endpoints

  1. In the Management Center, go to Policies.
  2. Right-click Policy Items, then click New and then File Encryption.
  3. Enter a name for the new policy and click OK.
  4. On the File encryption tab, select Application-based (Synchronized Encryption) from the Encryption type drop-down list.
    Application list and Encryption scope options are displayed.
  5. Select the Application list you have previously created from the drop-down list.
  6. From the Encryption scope drop-down list, select Defined locations.
  7. When you leave the File encryption tab, the system prompts you to save your changes.
  8. Click Yes.
  9. Go to Users and Computers and assign and activate the new policy for Windows endpoints users who should be able to read encrypted data but not encrypt data.
    Note: This policy must not be assigned to Mac OS X endpoints. This can be easily achieved by activating the policy only for .Authenticated Computers since Mac OS X endpoints only interpret user settings. To do so, drag the .Authenticated Users group from the policies activation area to the Available Groups list.