Force USB encryption Windows and Mac
-
Late to the party here, but...
To me, it sounds like they don't want data going from the computer, into a portable storage device, that isn't encrypted... which could be stolen or data taken off by anyone somewhere else.
There are policies to make it so that you cannot write to a USB storage device that isn't encrypted. It will be readonly. This seems exactly what they want, and super easily doable with group policy and bitlocker.
-
@Obsolesce said in Force USB encryption Windows and Mac:
There are policies to make it so that you cannot write to a USB storage device that isn't encrypted.
No there are not.
There are policies to make it so that you cannot write to a USB storage device that isn't encrypted with BitLocker. That is not the same thing.
But the matters not since this is a mixed environment of macOS & Windows.
-
@JaredBusch said in Force USB encryption Windows and Mac:
No there are not.
... Yes.
Bitlocker IS encryption. You can prevent write access to USB drives that are not encrypted with Bitlocker. That fits the requirements for Windows as a solution 100%.
Another solution for Macs will be required. It's not uncommon to have multiple solutions in place to cover different platforms...
-
@Obsolesce said in Force USB encryption Windows and Mac:
@JaredBusch said in Force USB encryption Windows and Mac:
No there are not.
... Yes.
Bitlocker IS encryption. You can prevent write access to USB drives that are not encrypted with Bitlocker. That fits the requirements for Windows as a solution 100%.
No, there are not. Read the English again.
There is no possible way to have a policy that can know if a drive is encrypted. Yes, there is a policy that lets you know if a drive is encrypted specifically with bitlocker. But it does not and cannot know if a drive is encrypted in another method, because it is encrypted obviously.
-
@Obsolesce said in Force USB encryption Windows and Mac:
Another solution for Macs will be required. It's not uncommon to have multiple solutions in place to cover different platforms
That is useless as it means the encrypted media is useless between macOS and Windows.
-
@JaredBusch said in Force USB encryption Windows and Mac:
@Obsolesce said in Force USB encryption Windows and Mac:
@JaredBusch said in Force USB encryption Windows and Mac:
No there are not.
... Yes.
Bitlocker IS encryption. You can prevent write access to USB drives that are not encrypted with Bitlocker. That fits the requirements for Windows as a solution 100%.
No, there are not. Read the English again.
There is no possible way to have a policy that can know if a drive is encrypted. Yes, there is a policy that lets you know if a drive is encrypted specifically with bitlocker. But it does not and cannot know if a drive is encrypted in another method, because it is encrypted obviously.
Pay attention here...
If the drive is not encrypted with BitLocker, write access is denied. That's what the policy says. If the drive is encrypted with something else, great, that also meets the requirement. If the device is not encrypted, write access is denied. So it doesn't matter if it's encrypted by something other than BitLocker.
-
@JaredBusch said in Force USB encryption Windows and Mac:
@Obsolesce said in Force USB encryption Windows and Mac:
Another solution for Macs will be required. It's not uncommon to have multiple solutions in place to cover different platforms
That is useless as it means the encrypted media is useless between macOS and Windows.
That's not an issue. There is no requirement to transport data between Mac and Windows devices on USB drives.
-
@Obsolesce said in Force USB encryption Windows and Mac:
@JaredBusch said in Force USB encryption Windows and Mac:
@Obsolesce said in Force USB encryption Windows and Mac:
@JaredBusch said in Force USB encryption Windows and Mac:
No there are not.
... Yes.
Bitlocker IS encryption. You can prevent write access to USB drives that are not encrypted with Bitlocker. That fits the requirements for Windows as a solution 100%.
No, there are not. Read the English again.
There is no possible way to have a policy that can know if a drive is encrypted. Yes, there is a policy that lets you know if a drive is encrypted specifically with bitlocker. But it does not and cannot know if a drive is encrypted in another method, because it is encrypted obviously.
Pay attention here...
If the drive is not encrypted with BitLocker, write access is denied. That's what the policy says. If the drive is encrypted with something else, great, that also meets the requirement. If the device is not encrypted, write access is denied. So it doesn't matter if it's encrypted by something other than BitLocker.
No it does not say with something else. It says another organization. Meaning bitlocker from a different environment. It is not possible to know if it was encrypted with anything other than bitlocker.
-
@Obsolesce said in Force USB encryption Windows and Mac:
@JaredBusch said in Force USB encryption Windows and Mac:
@Obsolesce said in Force USB encryption Windows and Mac:
Another solution for Macs will be required. It's not uncommon to have multiple solutions in place to cover different platforms
That is useless as it means the encrypted media is useless between macOS and Windows.
That's not an issue. There is no requirement to transport data between Mac and Windows devices on USB drives.
The point of wanting to use USB media is for portability. Otherwise, you simply disable it.
-
Beachhead does this
-
@JaredBusch said in Force USB encryption Windows and Mac:
@Obsolesce said in Force USB encryption Windows and Mac:
@JaredBusch said in Force USB encryption Windows and Mac:
@Obsolesce said in Force USB encryption Windows and Mac:
@JaredBusch said in Force USB encryption Windows and Mac:
No there are not.
... Yes.
Bitlocker IS encryption. You can prevent write access to USB drives that are not encrypted with Bitlocker. That fits the requirements for Windows as a solution 100%.
No, there are not. Read the English again.
There is no possible way to have a policy that can know if a drive is encrypted. Yes, there is a policy that lets you know if a drive is encrypted specifically with bitlocker. But it does not and cannot know if a drive is encrypted in another method, because it is encrypted obviously.
Pay attention here...
If the drive is not encrypted with BitLocker, write access is denied. That's what the policy says. If the drive is encrypted with something else, great, that also meets the requirement. If the device is not encrypted, write access is denied. So it doesn't matter if it's encrypted by something other than BitLocker.
No it does not say with something else. It says another organization. Meaning bitlocker from a different environment. It is not possible to know if it was encrypted with anything other than bitlocker.
There were two policies in that picture, only the first one was relevant. The irrelevant one mentioned "another organization".
Don't know why you read what I wrote so incorrectly.
They simply do not want data going from a managed computer to an unencrypted USB drive.
To meet this requirement for Windows, enable the policy to block write access to any USB drive that is not Bitlocker encrypted.
Yes, this means all USB drives will need to be bitlocker encrypted for data writability to them from Windows 10 computers with that policy applied. That's what you want.
Now, any USB drive that is not bitlocker encrypted or encrypted by something else will not be writable from managed Win10 devices. Anything not encrypted with Bitlocker will be mounted as read-only. Again, this is what you want.
As for the other requirement, I do not know if you can set bitlocker to automatically encrypt a non-encrypted USB drive. I think that requirement was not thought out. But the user can receive a message that they cannot write to it unless they encrypt it first with BitLocker.
For Mac, another solution will be needed, but they can be used on Macs with Bitlocker-to-go.
-
@JaredBusch said in Force USB encryption Windows and Mac:
@Obsolesce said in Force USB encryption Windows and Mac:
@JaredBusch said in Force USB encryption Windows and Mac:
@Obsolesce said in Force USB encryption Windows and Mac:
Another solution for Macs will be required. It's not uncommon to have multiple solutions in place to cover different platforms
That is useless as it means the encrypted media is useless between macOS and Windows.
That's not an issue. There is no requirement to transport data between Mac and Windows devices on USB drives.
The point of wanting to use USB media is for portability. Otherwise, you simply disable it.
I don't know how many users are sticking data on a USB drive from a Mac, then giving it to someone else or marching it over to a Windows device, or vice versa, but if that's the case, there are ways to make it work.
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-to-go-faq
