Encryption Guidelines and Procedures

MDP machines

BitLocker will be enabled on all new MDP installations by default. Instructions are on the IS wiki. The plan is to encrypt existing MDP machines at a later date.

Desktops should be installed first and BitLocker enabled afterwards. This is done by selecting BitLocker in the Software Centre. Encryption takes a couple of hours. After installation, the PC will ask for the recovery key after every reboot unless this fix is applied.

The keys are available from IS but I managed to persuade them to give me access.

Self-managed Windows

IS recommend BitLocker, but it is only available on Windows 7 Enterprise. Instructions for installing BitLocker are on the IS website. Their pages suggest that you can still use TrueCrypt on Windows 7 Pro, but our experience is that it only works on Enterprise. A little more clarification from Angus: The BitLocker confusion is because Windows 7 and 8 are different. On 7 it is Enterprise and Ultimate; on 8 it's Enterprise and Professional. As any new laptops won't be coming with 7, and any that are rebuilt into 7 should have Enterprise, it's probably not worth mentioning Ultimate.

All admin staff laptops have already been encrypted by support. We should perhaps use the new mobile device supported desktop for any future admin laptops. This could be extended to ALL Windows laptops but may meet with some resistance.

For non-admin staff, should this be done by us (which would mean we would have to perform the initial set-up completely), or should we ask the end user to sign something saying that they will encrypt the machine themselves as part of the set-up? Particularly with Windows desktops, the end user is quite likely to re-install with their preferred version of Linux, which wastes our effort and still does not guarantee that the machine remains encrypted. We need to keep a record of which machines have been encrypted by us.

Self-managed Macs

Full disk encryption is to be enabled before the device is handed to the end user. FileVault is recommended; see the IS pages for instructions. This involves creating an admin account and an account for the end user. Upon selecting Turn On FileVault, you will be asked to identify the user accounts that will be allowed to unlock the encrypted drive. Once the disk has been encrypted, the admin account should be deleted.
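An added audit helper (not from the original page or from IS) for checking a handed-over Mac against the two points above, that FileVault is on and that the temporary admin account can no longer unlock the disk, and for emitting one line for the "which machines have been encrypted by us" record. It assumes the output formats of macOS fdesetup(8) ("FileVault is On." from fdesetup status, one "username,UUID" line per enabled user from fdesetup list) and uses an assumed name, itsetup, for the temporary admin account.

```shell
#!/bin/sh
# Added example, not part of the original wiki page. Assumes macOS fdesetup(8)
# output formats. SETUP_ADMIN is an assumed name for the temporary admin
# account created before hand-over; override it with the name your site uses.
SETUP_ADMIN="${SETUP_ADMIN:-itsetup}"

# filevault_on STATUS_TEXT -> 0 if the "fdesetup status" text reports On
filevault_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On'
}

# leftover_admin LIST_TEXT ADMIN -> 0 if ADMIN is still a FileVault-enabled
# user in the "fdesetup list" text (i.e. it was not deleted after encryption)
leftover_admin() {
    printf '%s\n' "$1" | cut -d, -f1 | grep -qxF "$2"
}

# record_line HOST SERIAL STATUS_TEXT LIST_TEXT -> one CSV line for the
# encryption record: host,serial,date,filevault_on,setup_admin_removed
record_line() {
    host=$1; serial=$2; status=$3; list=$4
    fv=NO; admin_removed=YES
    filevault_on "$status" && fv=YES
    leftover_admin "$list" "$SETUP_ADMIN" && admin_removed=NO
    printf '%s,%s,%s,%s,%s\n' "$host" "$serial" "$(date +%Y-%m-%d)" "$fv" "$admin_removed"
}

# audit_this_mac: run as root on the Mac itself; prints the record line and
# returns 1 if FileVault is off or the setup admin can still unlock the disk.
audit_this_mac() {
    status=$(fdesetup status 2>/dev/null) || { echo "fdesetup unavailable" >&2; return 2; }
    list=$(fdesetup list 2>/dev/null)
    serial=$(ioreg -c IOPlatformExpertDevice -d 2 | awk -F'"' '/IOPlatformSerialNumber/ {print $4}')
    line=$(record_line "$(hostname -s)" "$serial" "$status" "$list")
    echo "$line"
    case $line in *,YES,YES) return 0 ;; *) return 1 ;; esac
}
```

Append the printed line to the shared record (for example, `audit_this_mac >> encrypted-macs.csv`) so the record is generated from the machine rather than typed by hand.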

iOS tablets

A PIN is to be set before the device is handed over to the end user.

Android tablets

TBC

-- AlisonDownie - 23 Sep 2015

Topic revision: r8 - 11 Jan 2016 - 12:10:02 - LindseyBrown