bawise Absent Member.

FDE policies not allowed to be assigned to groups.

Hi,
I was wondering if there was a design reason behind why Full Disk Encryption cannot be assigned to groups.

We use PowerShell scripts that offer a menu selection of all of our locations here at my company during the initial configuration phase post-imaging. The PowerShell scripts utilize registration keys during the ZENworks registration process to assign computers to the appropriate groups and folders within ZENworks. This removes the need for technicians to manually place a device into the appropriate folder or group in ZENworks.

Our folders are based on location in our company. Right now, we have broad-based locations and inside of those locations we have laptop folders. When a laptop is dropped into the laptop folder via registration key or manually, it immediately gets the full disk encryption policy. We do this to make sure our technicians do not forget to assign the full disk encryption policy to the laptop.

We would like to get more granular with our location folders so that we can apply more specific policies to certain areas and do not want to create a laptop folder in each of the locations.

Our choices are:
1) Keep our broad-based location folders and use groups to specify more specific locations. This solution makes it easy to forget to add a device to a group membership versus dropping a device into a folder.
2) Apply encryption policies to our entire infrastructure and get more granular with the folders.
3) Manually assign encryption policies to computers.

Ideally, we could have an encryption group that gets assigned to laptops during the registration process or manually. But, this functionality is not allowed.

Thanks,
Brandon
8 Replies
Micro Focus Expert

Re: FDE policies not allowed to be assigned to groups.

The given reason is to avoid issues where a device may receive more than one FDE policy due to multiple group assignments with conflicting FDE policies.
Best thing to do would be to enter an Enhancement Request on the Portal Page.

If FDE is only deployed on Laptops, you could create a SysReq on the FDE policy that would only apply it to laptops.
This would remove the need for a specific laptop folder.

Mind you, that would not fully cover every possible reason for wanting to use groups.
bawise Absent Member.

Re: FDE policies not allowed to be assigned to groups.

CRAIGDWILSON;2473796 wrote:
The given reason is to avoid issues where a device may receive more than one FDE policy due to multiple group assignments with conflicting FDE policies.
Best thing to do would be to enter an Enhancement Request on the Portal Page.

If FDE is only deployed on Laptops, you could create a SysReq on the FDE policy that would only apply it to laptops.
This would remove the need for a specific laptop folder.

Mind you, that would not fully cover every possible reason for wanting to use groups.
What is the best way to do that? I am not seeing anything that stands out to me.
Micro Focus Expert

Re: FDE policies not allowed to be assigned to groups.

Ping this thread if I don't answer that later..........
I have been meaning to chat about this topic..........
bawise Absent Member.

Re: FDE policies not allowed to be assigned to groups.

CRAIGDWILSON;2474033 wrote:
Ping this thread if I don't answer that later..........
I have been meaning to chat about this topic..........
Hey, just pinging this thread...
bawise Absent Member.

Re: FDE policies not allowed to be assigned to groups.

Hey Craig,
I am very interested in how you would accomplish this.

It sounded like you wanted to publish a detailed blog/article in regards to this. But if you didn't mind sending me a private message with the basics, I would greatly appreciate it.

Thank you!
Micro Focus Expert

Re: FDE policies not allowed to be assigned to groups.

What I did in the past was use Registry Keys that set any possibly needed info about a PC in the registry.
Then used System Requirements for bundles and other stuff.

This could include stuff such as
DATE_IMAGE_CREATED
DATE_IMAGE_APPLIED

WMI scripts can be called that will populate other details such as

MAKE, Model, Vendor, BIOS Version, Etc...

Desktop vs Laptop can be determined by collecting BatteryInfo.
Note: Tablets would be categorized as laptops in this case....

Chassis Type can also be queried, which is also populated by most vendors.
This could differentiate between laptop and tablet.

I have not gotten around to re-creating sample scripts yet.....
bawise Absent Member.

Re: FDE policies not allowed to be assigned to groups.

CRAIGDWILSON;2475145 wrote:
What I did in the past was use Registry Keys that set any possibly needed info about a PC in the registry.
Then used System Requirements for bundles and other stuff.

This could include stuff such as
DATE_IMAGE_CREATED
DATE_IMAGE_APPLIED

WMI scripts can be called that will populate other details such as

MAKE, Model, Vendor, BIOS Version, Etc...

Desktop vs Laptop can be determined by collecting BatteryInfo.
Note: Tablets would be categorized as laptops in this case....

Chassis Type can also be queried, which is also populated by most vendors.
This could differentiate between laptop and tablet.

I have not gotten around to re-creating sample scripts yet.....
Thanks for sharing those tips.

Are there any plans to add that into the builtin requirements? Based on inventory data?

I think one of the frustrating pieces of ZENworks is having to use all of these workarounds for features that should be builtin and constantly having to manipulate registry settings on thousands of computers that might be offsite, etc.

One of the things that definitely should be in ZENworks, is the ability to select groups for the requirement. There is the option of selecting "specified devices" but that forces you to select individual devices each time and then update the policy/bundle to a new version.

ZENworks should also have an area to disable policy inheritance all together on a folder. I know that you can override a policy by directly assigning a policy to a specific device/user, but having the option to disable inheritance in the relationship would be cleaner.
bawise Absent Member.

Re: FDE policies not allowed to be assigned to groups.

Based on the tips that you shared with me, I was able to add requirements that filter out by model and agent version.

But I am not able to apply multiple FDE policies to the same ZENworks folder. Is there any way around that?

This is what I am trying to accomplish:
Move computers into more specific location folders and move away from using groups for this.
Apply two different FDE policies to the folders based on different FDE agent types. (11.4.1 versus 17.1)
Filter devices by model (laptops)
Exclude specialty devices with Bitlocker on them.
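Added example (not code from this thread, from Micro Focus, or from ZENworks) that implements the approach Craig describes above and the filtering Brandon lists in his last post: it collects make, model, BIOS version, chassis type, battery presence and the BitLocker state of the system drive, classifies the device as Desktop, Laptop or Tablet, and stages the results as registry values that a ZENworks System Requirement can test. The registry path, the value names and the `-Commit` switch are assumptions chosen for illustration; the WMI classes and the SMBIOS chassis codes are standard Windows ones.

```powershell
<#
  Added example: stage device facts in the registry for a ZENworks
  System Requirement. Not part of the thread or of ZENworks.
  The key path and value names below are assumptions for illustration.
  Run elevated: writing HKLM and reading the BitLocker WMI namespace
  both need administrator rights.
#>
[CmdletBinding()]
param(
    # Without -Commit the script only reports what it would write.
    [switch]$Commit,
    [string]$RegPath = 'HKLM:\SOFTWARE\ExampleCorp\DeviceInfo'   # hypothetical key
)

# SMBIOS chassis codes (Win32_SystemEnclosure.ChassisTypes) grouped into
# the three classes the thread cares about. Convertibles (31) count as
# laptops; detachables (32) as tablets.
$ChassisClass = @{
    3 = 'Desktop'; 4 = 'Desktop'; 5 = 'Desktop'; 6 = 'Desktop'; 7 = 'Desktop'
    13 = 'Desktop'; 15 = 'Desktop'; 24 = 'Desktop'
    8 = 'Laptop'; 9 = 'Laptop'; 10 = 'Laptop'; 14 = 'Laptop'; 31 = 'Laptop'
    30 = 'Tablet'; 32 = 'Tablet'
}

function Get-DeviceClass {
    # Some vendors report more than one enclosure; flatten every code.
    $codes = @(Get-CimInstance -ClassName Win32_SystemEnclosure |
               ForEach-Object { $_.ChassisTypes } |
               ForEach-Object { [int]$_ })
    $hasBattery = $null -ne (Get-CimInstance -ClassName Win32_Battery -ErrorAction SilentlyContinue)

    $class = 'Unknown'
    foreach ($code in $codes) {
        if ($ChassisClass.ContainsKey($code)) { $class = $ChassisClass[$code]; break }
    }
    # Chassis left as Other(1)/Unknown(2): fall back to battery presence.
    # Anything with a battery is treated as a laptop so that the FDE
    # policy applies by default (fail closed on encryption).
    if ($class -eq 'Unknown') { $class = if ($hasBattery) { 'Laptop' } else { 'Desktop' } }

    [pscustomobject]@{ Class = $class; ChassisCodes = ($codes -join ','); HasBattery = $hasBattery }
}

function Get-SystemDriveBitLockerState {
    # Win32_EncryptableVolume lives in a security namespace; admin only.
    try {
        $vol = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                   -ClassName Win32_EncryptableVolume -ErrorAction Stop |
               Where-Object { $_.DriveLetter -eq $env:SystemDrive }
        if ($null -eq $vol) { return 'NoVolume' }
        # ProtectionStatus: 0 = off, 1 = on, 2 = unknown
        switch ([int]$vol.ProtectionStatus) { 1 { 'On' } 0 { 'Off' } default { 'Unknown' } }
    } catch { 'Unavailable' }   # BitLocker feature absent or access denied
}

function Get-DeviceInfo {
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $dev  = Get-DeviceClass
    [ordered]@{
        MAKE               = $cs.Manufacturer
        MODEL              = $cs.Model
        BIOS_VERSION       = $bios.SMBIOSBIOSVersion
        DEVICE_CLASS       = $dev.Class
        CHASSIS_TYPES      = $dev.ChassisCodes
        HAS_BATTERY        = [int]$dev.HasBattery
        BITLOCKER_SYSDRIVE = Get-SystemDriveBitLockerState
    }
}

function Write-DeviceInfo([System.Collections.IDictionary]$Info, [string]$Path) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($name in $Info.Keys) {
        New-ItemProperty -Path $Path -Name $name -Value ([string]$Info[$name]) `
            -PropertyType String -Force | Out-Null
    }
    # DATE_IMAGE_APPLIED is written only once, on the first run after imaging.
    if (-not (Get-ItemProperty -Path $Path -Name DATE_IMAGE_APPLIED -ErrorAction SilentlyContinue)) {
        New-ItemProperty -Path $Path -Name DATE_IMAGE_APPLIED `
            -Value (Get-Date -Format 'yyyy-MM-dd') -PropertyType String | Out-Null
    }
}

$info = Get-DeviceInfo
$info.GetEnumerator() | ForEach-Object { '{0,-20} {1}' -f $_.Key, $_.Value }
if ($Commit) { Write-DeviceInfo -Info $info -Path $RegPath; "Written to $RegPath" }
else { 'Dry run; re-run with -Commit to write the values.' }
```

With the values in place, the FDE policy's System Requirement can test `DEVICE_CLASS` equals `Laptop` and `BITLOCKER_SYSDRIVE` not equal to `On`, which covers both the laptop-only deployment and the exclusion of devices already protected by BitLocker. Two caveats worth keeping in mind: the classification deliberately defaults to Laptop when the chassis code is unusable, so a device with a vendor that left ChassisTypes as Other or Unknown is encrypted rather than missed; and the values live under HKLM, where any local administrator can change them, so a requirement keyed on them is a placement aid against technicians forgetting a step, not a control against a user who wants to avoid encryption.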