Restrictions

Note the following restrictions for managed endpoints:

  • Restrictions for initial encryption:

    Initial configuration of managed endpoints may involve creating encryption policies, which can be distributed to the SafeGuard Enterprise protected endpoints inside a configuration package. However, if the endpoint is temporarily offline and does not connect to a SafeGuard Enterprise Server immediately after the configuration package is installed, only encryption policies with the following specific settings become active immediately:

    Volume-based full disk encryption that uses the Defined Machine Key as encryption key.

    For all other policies involving encryption with user-defined keys to become active on the SafeGuard Enterprise protected endpoint, the respective configuration package has to be reassigned to the endpoint's organizational unit as well. The user-defined keys are then only created after the endpoint is connected to SafeGuard Enterprise Server again.

    This is because the Defined Machine Key is created directly on the SafeGuard Enterprise protected endpoint at the first restart after installation, whereas user-defined keys can only be created after the endpoint has been registered at the SafeGuard Enterprise Server.

  • Restrictions for BitLocker Drive Encryption support:

    Either SafeGuard Enterprise volume-based encryption or BitLocker Drive Encryption can be used, but not both simultaneously. If you want to change the encryption type, you must first decrypt all encrypted drives, uninstall the SafeGuard Enterprise encryption software, and then reinstall it with the features you want to use. The installer prevents the deployment of both features at the same time. Uninstallation and reinstallation are necessary even if no configuration package intended to trigger encryption has been installed.