Data is the digital lifeblood of organizations. Unfortunately, worrying about whether or not that data is secure can slowly drain the life from many IT endpoint administrators! And each lost or stolen endpoint only heightens that concern and intensifies the drain.
Over the years, ZENworks has helped protect the sensitive and private data on Windows endpoints through encryption of whole fixed disks (full disk encryption) as well as encryption of removable drives.
Beginning with #ZENworks2020, we’ve added fixed-disk folder encryption to complement the existing full disk encryption. Now you have the choice to encrypt files in targeted folders or on the entire fixed disk. If you want, you can even use both together. But for now, let me introduce you to the new folder encryption capabilities.
Folder encryption is provided as a part of ZENworks Endpoint Security Management. It enables you to designate folders, such as the Documents folder, as encrypted folders. When encryption is applied to the folder, all of its files and subfolder files are encrypted. Likewise, when a file is added to an encrypted folder, the file becomes encrypted.
ZENworks uses native Microsoft Windows Encrypting File System (EFS) technology so that no additional encryption drivers are needed. However, we’ve enhanced the native EFS capabilities to provide better:
Folder encryption is applied to endpoints via the Microsoft Data Encryption policy. This ZENworks security policy can optionally be configured to also enable removable drive encryption (which uses BitLocker technology).
The following options are provided to configure the folder encryption:
Administrator Recovery Password: Required. Enables the administrator to recover encrypted folders on ZENworks-managed endpoints.
Default Encrypted Folders: Defines the folders that will be encrypted. You can use absolute folder paths or environment variables. Take the Documents folder as an example. The Documents folder path depends on the logged-in user and therefore requires the use of an environment variable. If a defined folder does not exist on the device, it is created.
Show Encrypted Folders/Files in Color: Displays the names of encrypted folders and files in green text. This is in addition to a lock overlay applied to the folder and file icons.
Secondary Authentication: Requires an additional password to be defined by the user and then entered after Windows login to gain access to the encrypted folders/files.
When the Microsoft Data Encryption policy is applied to a device, the policy-defined folders are encrypted along with their subfolders and files. In the following example, the Documents folder is encrypted.
In addition, if the policy is configured to require a secondary authentication password, the user is informed that folder encryption has been enabled and is prompted to define the unlock password. The user can provide an optional password hint to help if the password is forgotten. Each time the user logs in after defining the password, he is prompted for the password before the encrypted folders are unlocked and made accessible.
When a user moves or saves a file to an encrypted folder, the file becomes encrypted.
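To check that a policy-defined folder, its subfolders and any files later dropped into it really carry the EFS Encrypted attribute, the following PowerShell audit (an added example, not ZENworks code) expands the policy's environment-variable paths and reports every item under them that is still in the clear; the folder list is constructed and should be replaced with the paths from your own Microsoft Data Encryption policy.

```powershell
# Added example (not ZENworks code): audit the EFS Encrypted attribute under
# each policy-defined folder. The folder list is constructed; use absolute
# paths or environment variables exactly as entered in the policy.
$PolicyFolders = @('%USERPROFILE%\Documents', 'C:\Finance')

function Test-FolderEncryption {
    param([string[]]$Folders)
    foreach ($entry in $Folders) {
        # Resolve environment variables the same way a per-user path is resolved
        $path = [Environment]::ExpandEnvironmentVariables($entry)
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Folder = $path; Status = 'MISSING'; Unencrypted = @() }
            continue
        }
        # Include the folder itself plus everything beneath it (hidden items too)
        $items = @(Get-Item -LiteralPath $path) +
                 @(Get-ChildItem -LiteralPath $path -Recurse -Force -ErrorAction SilentlyContinue)
        # EFS sets the Encrypted attribute per file and per directory
        $plain = @($items | Where-Object {
            -not ($_.Attributes -band [IO.FileAttributes]::Encrypted)
        } | Select-Object -ExpandProperty FullName)
        [pscustomobject]@{
            Folder      = $path
            Status      = if ($plain.Count -eq 0) { 'OK' } else { 'UNENCRYPTED ITEMS' }
            Unencrypted = $plain
        }
    }
}

# Print one line per folder, then any offending paths indented beneath it
Test-FolderEncryption -Folders $PolicyFolders | ForEach-Object {
    '{0}: {1}' -f $_.Folder, $_.Status
    $_.Unencrypted | ForEach-Object { "    $_" }
}
```

Run it in the context of the logged-in user so that %USERPROFILE% expands to the same Documents folder the policy targets.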
In addition to using the policy-defined folders, a user can encrypt folders of their own choosing by right-clicking the folder and selecting ZENworks folder encryption. And, of course, they can also decrypt folders they’ve encrypted.
Typically, the encryption actions available from the context menu will be all that a user needs. However, ZENworks also provides a Folder Encryption Management dialog that lets the user see all of the policy- and user-defined folders, add and remove user-defined folders, and reset the secondary authentication password. The Folder Encryption Management dialog is available by right-clicking any folder and selecting ZENworks folder encryption.
In some cases, such as a user forgetting his secondary authentication password or leaving the organization, it might be necessary to recover encrypted files from an endpoint. To accomplish this, an administrator can log in to the endpoint through a Windows administrator account and use the Administrator Decryption Tool available in the Folder Encryption Management dialog. To ensure that only authorized administrators can access the encrypted files, the tool requires the administrator to enter the Administrator Recovery Password from the policy applied to the endpoint.
If the policy is no longer applied to the endpoint, causing the Folder Encryption Management dialog to no longer be available, the administrator can download the standalone ZENworks Folder Decryption Tool from ZENworks Control Center and use the device’s encryption certificate to decrypt the files. An encryption certificate (PFX) is uploaded to the ZENworks server any time the encrypted folders on the device change. In addition to using the encryption certificate with the ZENworks Folder Decryption Tool, you can also use it with the native Microsoft certificate tools used to manage EFS-encrypted folders.
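The native-tools route mentioned above, as an added example that is not ZENworks code: the PFX downloaded from ZENworks Control Center is imported into the Personal store of the recovering account, cipher /c is used to confirm that its thumbprint is among the keys able to decrypt the files, and the folder tree is then decrypted in place. The PFX path and target folder are placeholders, and the script assumes the PFX contains the private key and is used on the device that holds the files.

```powershell
# Added example (not ZENworks code): recover EFS-encrypted files with the
# device's encryption certificate using only built-in Windows tools.
# Assumptions: $PfxPath is the certificate downloaded from ZENworks Control
# Center (with private key); $TargetDir is the folder to recover on this device.
$PfxPath   = 'C:\Recovery\device-efs.pfx'      # placeholder
$TargetDir = 'C:\Users\jdoe\Documents'          # placeholder

# 1. Import the certificate and private key into the current user's Personal
#    store. The PFX password is prompted for rather than embedded in the script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword

# 2. Verify the key matches: cipher /c lists, per file, the thumbprints of the
#    certificates that can decrypt it, printed in space-separated groups of four.
$groupedThumb = $cert.Thumbprint -replace '(.{4})(?=.)', '$1 '
$matches = cipher /c "$TargetDir\*" | Select-String -SimpleMatch -Pattern $groupedThumb
if (-not $matches) {
    Write-Warning "No file under $TargetDir lists thumbprint $($cert.Thumbprint); stopping."
    return
}

# 3. Decrypt the folder, its subfolders (/s) and the files within them (/a).
cipher /d /s:"$TargetDir" /a

# 4. Remove the imported key from this device once recovery is complete so the
#    recovery material does not remain on the endpoint.
Remove-Item -LiteralPath "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
```

Drop the /d switch in step 3 to only list encryption state without changing anything, and keep step 4 so that the recovery key does not outlive the recovery.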
If you have licensed ZENworks 2020 Endpoint Security Management, the Encrypting Devices page in the new Security Getting Started in ZENworks Control Center can help you configure and enforce the Microsoft Data Encryption policy on endpoints.
If you don’t have ZENworks 2020 Endpoint Security licensed, you can use the 60-day evaluation to check out the folder encryption capabilities and all of the other Endpoint Security capabilities. The Security Getting Started in ZCC steps you through everything you need to do to set up Endpoint Security and use the policies.
Have a great day and stay encrypted and safe!
Darrin VandenBos (@DarrinVandenBos)
Product Manager, Endpoint Management