Encryption at edge site with no network access

Good Afternoon Everyone,

I have just finished rolling out 100+ computers with SafeGuard Enterprise encryption successfully. So far they have been using volume-based policies and require use of the POA. I guess what I'm looking for are suggestions from anyone else who may have had to do something like this?

They have expressed interest in also encrypting some computers at edge sites where they have no access to the corporate network. There are no local servers. They don't use VPN clients. They don't use the same apps that the rest of the company uses. They get corporate email via Outlook Anywhere. Yet they still express interest in volume-based encryption for these PCs.

I'll be honest, I was thinking of taking advantage of something like the Sophos free file-based encryption tool. TrueCrypt has crossed my mind also, but I figured since they have already purchased licenses and have SafeGuard Enterprise in action, they should take advantage of it if they can.

Has anyone ever done anything like this? I'm not sure where to start to create a custom policy. I'm not even sure how it would do an initial user setup if it never reaches back to the console to begin with.

I'm still quite the newbie when it comes to the Safeguard suite so I was hoping maybe someone with more experience could give me ideas!

Thank you. Any help is greatly appreciated,

Justin

This thread was automatically locked due to age.

Hi Justin,

You probably already have a default hard disk encryption policy, where the Device Protection target is Mass Storage. If not, you might want to create one for these stand-alone machines. Just the default settings for Volume Based encryption are needed: AES of the desired length, and the Machine Key.

Next you create a policy group, called e.g. standalone, to which you add this hard disk encryption policy.

The third step is to create a standalone package (e.g. sgstandalone.msi) to which this policy group is linked.

You need to send the MSI files (preinstall, sgnclient and this self-created one) to those offline machines, by means of USB, CD, SD or whatever is possible for them to read and install from. These MSIs (keep in mind there's also a 64-bit version) need to be installed in the correct order, and you want to make sure they do not install the DX, CP, FS or CS modules (let me know if you want them to encrypt data on USB, and I'll get into DX on standalone). After the installation, backup files are created on the client, and they need to send those to you so you can help in case of forgotten passwords or broken MBRs.

You can also use this as a reason to go on-site, if the site is somewhere in the Caribbean.

Last step for you is to make sure you have backup files for all of the machines, and keep them in a safe place, and properly backed up. If you also make sure you have a backup plan for your SafeGuard Database and your MSO key file, you will always be able to help them log back in, or do data recovery (except if the disk is really toast).

You can extend this policy group with policy items for e.g. password settings, authentication settings, and, also very helpful, Local Self Help settings. You can then make a new standalone MSI and deploy that to new and existing machines.

Doesn't seem that hard, right? Good luck!

John

PS: alternatively you could link an SGN server to the outside world (via Web Application Firewall / reverse proxy), and have such clients be serviced directly via the internet.

“First things first, but not necessarily in that order” – Doctor Who
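Added example, not code from either post or from Sophos: a PowerShell script for the offline install John describes, run from the removable media on the edge PC. It installs the three MSIs in order, aborts if any package returns a failure so nothing is installed out of sequence, and afterwards copies the client's backup files back onto the media for return to the administrator. Because the media passes through non-IT hands, each MSI is checked against a SHA-256 manifest before msiexec is invoked. The package file names, the manifest layout, the backup folder, and the ADDLOCAL feature list used to leave out the DX/CP/FS/CS modules are assumptions; take the real values from the SafeGuard documentation and from the console that built sgstandalone.msi.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not Sophos code): unattended, ordered install of the SafeGuard
  Enterprise standalone client from removable media on a PC with no corporate
  network, then collection of the client-side backup files for the administrator.
  ASSUMPTIONS: package file names, manifest format ("<sha256>  <file>" per line,
  as written by Get-FileHash), the backup folder, and the ADDLOCAL feature list.
#>
param(
    [string]$MediaRoot    = "E:\sgn",                                   # assumed: the USB/CD the MSIs ship on
    [string]$Manifest     = (Join-Path $MediaRoot "sha256sums.txt"),    # assumed: hash manifest made by the admin
    [string]$BackupSource = "C:\SGN-Backup",                            # assumed: folder the client writes its backup files to
    [string]$Features     = "",   # ADDLOCAL list from the SafeGuard docs that omits DX/CP/FS/CS; "" = MSI default
    [switch]$CollectOnly          # re-run after the reboot just to copy the backup files
)

$Arch = if ([Environment]::Is64BitOperatingSystem) { "_x64" } else { "" }
# Install order matters: preinstall, then the client, then the configuration package. Names are assumed.
$Packages = @(
    "SGxClientPreinstall.msi",
    "SGNClient$Arch.msi",
    "sgstandalone.msi"          # the standalone configuration package exported from the console
)

function Read-Manifest {
    param([string]$Path)
    $map = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*([0-9A-Fa-f]{64})\s+\*?(.+?)\s*$') { $map[$Matches[2]] = $Matches[1] }
    }
    if ($map.Count -eq 0) { throw "Manifest $Path contains no usable entries" }
    return $map
}

function Test-PackageHash {
    param([string]$Path, [hashtable]$Expected)
    $name = Split-Path -Leaf $Path
    if (-not $Expected.ContainsKey($name)) { throw "No expected hash for $name in manifest" }
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    if ($actual -ne $Expected[$name].ToLowerInvariant()) {
        throw "Hash mismatch for $name (expected $($Expected[$name]), got $actual); refusing to install"
    }
}

function Install-Package {
    param([string]$Path, [string]$LogPath, [string]$Props)
    $argList = @("/i", "`"$Path`"", "/qn", "/norestart", "/L*v", "`"$LogPath`"")
    if ($Props) { $argList += $Props }
    $proc = Start-Process -FilePath "msiexec.exe" -ArgumentList $argList -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { return $false }   # installed, no reboot needed
        3010    { return $true }    # installed, reboot required (ERROR_SUCCESS_REBOOT_REQUIRED)
        default { throw "msiexec returned $($proc.ExitCode) for $Path; see $LogPath. Stopping so later packages are not installed out of order." }
    }
}

function Copy-BackupFiles {
    param([string]$Source, [string]$Dest)
    if (-not (Test-Path $Source)) {
        Write-Warning "$Source not found yet; re-run with -CollectOnly once the client has initialised"
        return
    }
    New-Item -ItemType Directory -Force -Path $Dest | Out-Null
    Copy-Item -Path (Join-Path $Source "*") -Destination $Dest -Recurse -Force
    # Hash the returned files too, so the admin can tell a damaged copy from a good one.
    Get-ChildItem -Path $Dest -Recurse -File | Get-FileHash -Algorithm SHA256 |
        ForEach-Object { "{0}  {1}" -f $_.Hash.ToLowerInvariant(), (Split-Path -Leaf $_.Path) } |
        Set-Content -Path (Join-Path $Dest "sha256sums.txt")
}

$LogDir = Join-Path $env:ProgramData "sgn-install"
New-Item -ItemType Directory -Force -Path $LogDir | Out-Null
$BackupDest = Join-Path $MediaRoot ("backup\" + $env:COMPUTERNAME)

if (-not $CollectOnly) {
    $expected = Read-Manifest -Path $Manifest
    $paths = $Packages | ForEach-Object { Join-Path $MediaRoot $_ }
    # Verify every package before touching msiexec, so one tampered file aborts the whole run.
    foreach ($p in $paths) { Test-PackageHash -Path $p -Expected $expected }

    $needReboot = $false
    foreach ($p in $paths) {
        $log = Join-Path $LogDir ((Split-Path -Leaf $p) + ".log")
        # The module restriction applies to the client MSI only; preinstall and config packages get no ADDLOCAL.
        $props = if ($Features -and $p -like "*SGNClient*") { "ADDLOCAL=$Features" } else { "" }
        $needReboot = (Install-Package -Path $p -LogPath $log -Props $props) -or $needReboot
    }
    if ($needReboot) { Write-Host "Install finished; reboot, then run again with -CollectOnly to copy the backup files." }
}

Copy-BackupFiles -Source $BackupSource -Dest $BackupDest
```

Two caveats on the checks. A manifest that travels on the same stick as the MSIs only detects corruption, not substitution, since whoever swaps the packages can swap the manifest as well; send the hashes by a separate channel (or embed them in this script and deliver the script separately). And the returned backup files are exactly what lets you recover a forgotten password or broken MBR, so treat the stick on its way back as sensitive material and store the files with the same care John recommends for the SafeGuard database and MSO key file.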
