
    Force USB encryption Windows and Mac

    • ObsolesceO
      Obsolesce
      last edited by Obsolesce

      Late to the party here, but...

      To me, it sounds like they don't want data going from the computer, into a portable storage device, that isn't encrypted... which could be stolen or data taken off by anyone somewhere else.

      There are policies to make it so that you cannot write to a USB storage device that isn't encrypted. It will be read-only. This seems exactly what they want, and super easily doable with group policy and BitLocker.

      • JaredBuschJ
        JaredBusch @Obsolesce
        last edited by

        @Obsolesce said in Force USB encryption Windows and Mac:

        There are policies to make it so that you cannot write to a USB storage device that isn't encrypted.

        No there are not.

        There are policies to make it so that you cannot write to a USB storage device that isn't encrypted with BitLocker. That is not the same thing.

        But that matters not since this is a mixed environment of macOS & Windows.

        • ObsolesceO
          Obsolesce @JaredBusch
          last edited by Obsolesce

          @JaredBusch said in Force USB encryption Windows and Mac:

          No there are not.

          ... Yes.

          Bitlocker IS encryption. You can prevent write access to USB drives that are not encrypted with Bitlocker. That fits the requirements for Windows as a solution 100%.

          Another solution for Macs will be required. It's not uncommon to have multiple solutions in place to cover different platforms...

          Screenshot_20190824-082044_Edge.jpg

          • JaredBuschJ
            JaredBusch @Obsolesce
            last edited by JaredBusch

            @Obsolesce said in Force USB encryption Windows and Mac:

            @JaredBusch said in Force USB encryption Windows and Mac:

            No there are not.

            ... Yes.

            Bitlocker IS encryption. You can prevent write access to USB drives that are not encrypted with Bitlocker. That fits the requirements for Windows as a solution 100%.

            No, there are not. Read the English again.

            There is no possible way to have a policy that can know if a drive is encrypted. Yes, there is a policy that lets you know if a drive is encrypted specifically with bitlocker. But it does not and cannot know if a drive is encrypted in another method, because it is encrypted obviously.

            • JaredBuschJ
              JaredBusch @Obsolesce
              last edited by

              @Obsolesce said in Force USB encryption Windows and Mac:

              Another solution for Macs will be required. It's not uncommon to have multiple solutions in place to cover different platforms

              That is useless as it means the encrypted media is useless between macOS and Windows.

              • ObsolesceO
                Obsolesce @JaredBusch
                last edited by

                @JaredBusch said in Force USB encryption Windows and Mac:

                @Obsolesce said in Force USB encryption Windows and Mac:

                @JaredBusch said in Force USB encryption Windows and Mac:

                No there are not.

                ... Yes.

                Bitlocker IS encryption. You can prevent write access to USB drives that are not encrypted with Bitlocker. That fits the requirements for Windows as a solution 100%.

                No, there are not. Read the English again.

                There is no possible way to have a policy that can know if a drive is encrypted. Yes, there is a policy that lets you know if a drive is encrypted specifically with bitlocker. But it does not and cannot know if a drive is encrypted in another method, because it is encrypted obviously.

                Pay attention here...

                If the drive is not encrypted with BitLocker, write access is denied. That's what the policy says. If the drive is encrypted with something else, great, that also meets the requirement. If the device is not encrypted, write access is denied. So it doesn't matter if it's encrypted by something other than BitLocker.

                • ObsolesceO
                  Obsolesce @JaredBusch
                  last edited by

                  @JaredBusch said in Force USB encryption Windows and Mac:

                  @Obsolesce said in Force USB encryption Windows and Mac:

                  Another solution for Macs will be required. It's not uncommon to have multiple solutions in place to cover different platforms

                  That is useless as it means the encrypted media is useless between macOS and Windows.

                  That's not an issue. There is no requirement to transport data between Mac and Windows devices on USB drives.

                  • JaredBuschJ
                    JaredBusch @Obsolesce
                    last edited by

                    @Obsolesce said in Force USB encryption Windows and Mac:

                    @JaredBusch said in Force USB encryption Windows and Mac:

                    @Obsolesce said in Force USB encryption Windows and Mac:

                    @JaredBusch said in Force USB encryption Windows and Mac:

                    No there are not.

                    ... Yes.

                    Bitlocker IS encryption. You can prevent write access to USB drives that are not encrypted with Bitlocker. That fits the requirements for Windows as a solution 100%.

                    No, there are not. Read the English again.

                    There is no possible way to have a policy that can know if a drive is encrypted. Yes, there is a policy that lets you know if a drive is encrypted specifically with bitlocker. But it does not and cannot know if a drive is encrypted in another method, because it is encrypted obviously.

                    Pay attention here...

                    If the drive is not encrypted with BitLocker, write access is denied. That's what the policy says. If the drive is encrypted with something else, great, that also meets the requirement. If the device is not encrypted, write access is denied. So it doesn't matter if it's encrypted by something other than BitLocker.

                    No it does not say with something else. It says another organization. Meaning bitlocker from a different environment. It is not possible to know if it was encrypted with anything other than bitlocker.

                    • JaredBuschJ
                      JaredBusch @Obsolesce
                      last edited by

                      @Obsolesce said in Force USB encryption Windows and Mac:

                      @JaredBusch said in Force USB encryption Windows and Mac:

                      @Obsolesce said in Force USB encryption Windows and Mac:

                      Another solution for Macs will be required. It's not uncommon to have multiple solutions in place to cover different platforms

                      That is useless as it means the encrypted media is useless between macOS and Windows.

                      That's not an issue. There is no requirement to transport data between Mac and Windows devices on USB drives.

                      The point of wanting to use USB media is for portability. Otherwise, you simply disable it.

                      • SmithErickS
                        SmithErick
                        last edited by

                        Beachhead does this

                        • ObsolesceO
                          Obsolesce @JaredBusch
                          last edited by

                          @JaredBusch said in Force USB encryption Windows and Mac:

                          @Obsolesce said in Force USB encryption Windows and Mac:

                          @JaredBusch said in Force USB encryption Windows and Mac:

                          @Obsolesce said in Force USB encryption Windows and Mac:

                          @JaredBusch said in Force USB encryption Windows and Mac:

                          No there are not.

                          ... Yes.

                          Bitlocker IS encryption. You can prevent write access to USB drives that are not encrypted with Bitlocker. That fits the requirements for Windows as a solution 100%.

                          No, there are not. Read the English again.

                          There is no possible way to have a policy that can know if a drive is encrypted. Yes, there is a policy that lets you know if a drive is encrypted specifically with bitlocker. But it does not and cannot know if a drive is encrypted in another method, because it is encrypted obviously.

                          Pay attention here...

                          If the drive is not encrypted with BitLocker, write access is denied. That's what the policy says. If the drive is encrypted with something else, great, that also meets the requirement. If the device is not encrypted, write access is denied. So it doesn't matter if it's encrypted by something other than BitLocker.

                          No it does not say with something else. It says another organization. Meaning bitlocker from a different environment. It is not possible to know if it was encrypted with anything other than bitlocker.

                          There were two policies in that picture, only the first one was relevant. The irrelevant one mentioned "another organization".

                          Don't know why you read what I wrote so incorrectly.

                          They simply do not want data going from a managed computer to an unencrypted USB drive.

                          To meet this requirement for Windows, enable the policy to block write access to any USB drive that is not Bitlocker encrypted.

                          Yes, this means all USB drives will need to be bitlocker encrypted for data writability to them from Windows 10 computers with that policy applied. That's what you want.

                          Now, any USB drive that is not bitlocker encrypted or encrypted by something else will not be writable from managed Win10 devices. Anything not encrypted with Bitlocker will be mounted as read-only. Again, this is what you want.

                          As for the other requirement, I do not know if you can set bitlocker to automatically encrypt a non-encrypted USB drive. I think that requirement was not thought out. But the user can receive a message that they cannot write to it unless they encrypt it first with BitLocker.

                          For Mac, another solution will be needed, but they can be used on Macs with Bitlocker-to-go.

                          1 Reply Last reply Reply Quote 0
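
An audit sketch for the Windows policy discussed in the post above, added here as an example and not posted by anyone in the thread. It assumes an elevated PowerShell session on the managed machine; the registry value names `RDVDenyWriteAccess` and `RDVDenyCrossOrg` are taken from the policy's ADMX definition, not from the thread.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Policy: "Deny write access to removable drives not protected by BitLocker".
# Registry locations are assumptions taken from the policy's ADMX definition.
$policyKey   = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'
$crossOrgKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$denyWrite = (Get-PolicyValue $policyKey 'RDVDenyWriteAccess') -eq 1
$crossOrg  = (Get-PolicyValue $crossOrgKey 'RDVDenyCrossOrg') -eq 1

"Deny write to non-BitLocker removable drives : $denyWrite"
"Also deny drives from another organization   : $crossOrg"

# Report each mounted removable volume and how the policy treats it.
Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } | ForEach-Object {
    $mount = "$($_.DriveLetter):"
    $blv   = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue

    # The check is for BitLocker protection only. A drive encrypted with any
    # other tool looks unprotected to Windows and is handled like a plain drive.
    if (-not $blv) {
        $state = 'unknown (query failed)'
    } elseif ($blv.LockStatus -eq 'Locked') {
        $state = 'BitLocker, locked'
    } elseif ($blv.ProtectionStatus -eq 'On') {
        $state = 'BitLocker, unlocked'
    } else {
        $state = 'not BitLocker-protected'
    }

    [pscustomobject]@{
        Drive               = $mount
        FileSystem          = $_.FileSystem
        State               = $state
        WriteDeniedByPolicy = ($denyWrite -and $state -eq 'not BitLocker-protected')
    }
}
```

A removable drive reported as `not BitLocker-protected` with `WriteDeniedByPolicy` true is the read-only case described in the thread.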
                          • ObsolesceO
                            Obsolesce @JaredBusch
                            last edited by

                            @JaredBusch said in Force USB encryption Windows and Mac:

                            @Obsolesce said in Force USB encryption Windows and Mac:

                            @JaredBusch said in Force USB encryption Windows and Mac:

                            @Obsolesce said in Force USB encryption Windows and Mac:

                            Another solution for Macs will be required. It's not uncommon to have multiple solutions in place to cover different platforms

                            That is useless as it means the encrypted media is useless between macOS and Windows.

                            That's not an issue. There is no requirement to transport data between Mac and Windows devices on USB drives.

                            The point of wanting to use USB media is for portability. Otherwise, you simply disable it.

                            I don't know how many users are sticking data on a USB drive from a Mac, then giving it to someone else or marching it over to a Windows device, or vice versa, but if that's the case, there are ways to make it work.
                            https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-to-go-faq
