Idea ID: 2783367

Implement an additional Failsafe for ZCM FDE decryption

Status: Delivered
over 5 years ago
Implement an option requiring entry of the admin password to enable a device to decrypt. Customer never wants a device to auto-decrypt under any circumstances. If the policy is lost for any reason [as occurred with bug 932058], we would like an extra step to physically decrypt the device. This would provide a failsafe.

  • This was added in the ZENworks 2017 release as an "Encryption Lockdown" option in the Disk Encryption policy. As mentioned in my previous post, when the option is enabled, a device will only be decrypted if the administrator initiates the decryption 1) locally on the device or 2) remotely through a ZCC Quick Task. Anything that causes the loss of the policy (for example, accidentally unassigning the policy) will not initiate decryption.
    Darrin VandenBos, ZENworks Product Manager
  • Absolutely! I would rather have to deal with a bricked drive than have to explain why there are devices which have decrypted unexpectedly.
  • For ZENworks 2017, we have planned a new feature called "Encryption Lockdown." When enabled, a device will only be decrypted if the administrator initiates the decryption 1) locally on the device or 2) remotely through a ZCC Quick Task. Anything that causes the loss of the policy (for example, accidentally unassigning the policy) will not initiate decryption.