Smartcrypt Assignments provide an easy-to-deploy set for tasks to control client end points. Where traditional Lockers control folders and directories on specific devices, Assignments organize users (or Active Directory Security Groups) by platform.  A Smartcrypt Assignment enables mass deployments because of their generic scope of assigning users.

Types of Assignments:

  • Encryption
  • Decryption
  • Discovery

Understanding Differences between Lockers and Assignments

Below is a table highlighting some of the major differences between Smartcrypt Lockers and Smartcrypt Assignments.

Lockers and AssignmentsLockers OnlyAssignments
  • Supports Encryption Folder
  • Support Windows, Mac, Linux
  • Supports Discovery*
  • Supports Re-Encryption
  • Setup Per Device
  • Requires Windows Service but no interactive Windows session
  • Supports Single Location
  • No Support for Decryption Folder
  • No Support for Prioritized List of Smartkeys
  • Community, User Created Smartkeys
  • Support Mass Deployments
  • Only Runs During Active Windows Interactive Session
  • Supports Multiple Locations
  • Support Decryption Folder
  • Support for Prioritized List of Smartkeys
  • Community or Personal (non sharable) Smartkeys Only

Viewing Existing Assignments

When you browse to the Assignments tab, the default view will display all assignments defined in your Smartcypt ecosystem. The main view displays:

  • Name of the assignment
  • Scope of the Users set up to receive the assignment
  • The platform/operating system of the devices setup to receive the assignment
  • The Mode, which is the type of assignment (Encrypt, Decrypt, Discovery)
  • Locations to be protected on the end points
  • Prioritized Smartkeys list defined to be used to protect the paths defined
  • Re-Encryption Flag to display if data should be attempted to be re-encrypted to match the assigned Smartkey.
  • Whether the Assignment location(s) are valid and able to be encrypted. Click the number in the Compliant or Not Compliant column to see details about the Assignment.

Assignment Compliance

The Compliant and Not Compliant columns in the Assignments list indicate if the agent has received the latest policy changes from the Smartcrypt Enterperise Manager.

Viewing the Status of Existing Assignments

Click Status to view additional details about the selected Assignment.

ComplianceOffers a quick visual identification of problems. The green circle indicates the agent has received the the latest policy changes from the Smartcrypt Enterprise Manager. The red circle indicates the agent has not received the latest policy changes from the Smartcrypt Enterprise Manager. 

This field identifies any issues that may occur from the agent. Possible issues include an invalid configuration or path/location. Click Back, then Edit to fix the problem.

If the field is green, and data is coming into the  Assignment folder, this field will read Up to date.

PathLocation to be protected on the end points.
DeviceThe name of the device (phone, computer) hosting this assignment.
OwnerThe Smartcrypt user of this device.
SizeTotal size of protected file(s) and folder(s) on this device.
FilesA count of protected files.
FoldersA count of protected folders
PlaintextA count of un-encrypted text files in the protected Path.
EncryptedA count of encrypted files in the protected Path.
Sensitive(Discovery assignments only) A count of sensitive files in the protected Path.
Reported AtDate and time of this status report.

Adding a New Assignment

Click Add Assignment to display this Configuration page:

Complete the form to set up a new assignment. This page also appears when you click Edit on an existing assignment.

NameThe human defined name for a Smartcrypt Assignment. Can be anything, but should be defined to be useful for maintenance of the system.
PlatformAvailable options are Windows, Linux, & OSX

Encrypt: All files that are found in the defined Location(s) will be encrypted.

Decrypt: All encrypted that are found in the defined Location(s) will decrypted if the user has access to decrypt the files.

Discovery: All files are scanned by the Smartcrypt Discovery filter and only files that meet the defined criteria are acted upon.

Users/GroupsList of Active Directory users and groups for which this assignment should apply. Note: A user can be defined in more than one assignments, the first one in the Assignment Processing list control the action on a location(s) on a device.
Local Path(s)

The path(s) is the exact folder path on all the remote devices that this assignment applies. You may use a Universal Naming Convention (UNC) path, or a mapped network drive to define this path. If the path doesn't exist on the specified device, the Smartcrypt client will try to create the path. If the path is invalid (for example, by referring to a path without permissions to access) no assignment will be created. This path is relative to the Smartcrypt client, so if there is a mounted drive on the remote device, it can be referenced through the drive letter.

Variables can be used to reference user/device specific locations as well. The full array of system variables is available by wrapping the commands in curly braces ${VARNAME}.

Example: ${USERPROFILE}\Desktop\Secure will result in a folder on the user's desktop called Secure.

If many of the users in the scope of the assignment can see the same remote drive, issues can occur. When using remote paths, locking the scope down to one device is better.

Do not place an Assignment in the same path as a Locker! This can lead to a variety of behaviors.

Community Key(s)

Select a Smartkey from the drop-down menu to encrypt the Assignment's files. Since we are creating an assignment that can reach thousands of users, the Smartkey list will be narrowed to only display Community Smartkeys. As a Smartcrypt Administrator, you can define many Smartkeys to use to create a prioritized list of Smartkeys for the assignment to try to use.

Let's describe how this works with a sample scenario:

Name: Assignment A

Scope: User PKWARE1, User PKWARE2

Mode: Encrypt

Path: H:\SecureData

Smartkeys: CommunityKey1, CommunityKey2, CommunityKey3

User PKWARE1 is not a member of any of the assigned Smartkeys of the assignment. Therefore, instead of NOT encrypting any data, the user will encrypt data with their Personal Smartkey. This is a builtin assumption that if a User doesn't have access to any of the defined Smartkeys, they will fallback to their Personal Smartkey.

User PKWARE2 is a member of CommunityKey2, and CommunityKey3. Since the user has access to CommunityKey2, all encryptions will occur with that Smartkey, but CommunityKey1 will be skipped in the prioritized list because the user is not a member of the Smartkey.


(Optional) By default, Smartcrypt will process every file placed in the Assignment. With the White List, you can restrict the number and type of files processed in the folder. For example, if you only want to process spreadsheets in this assignment, type *.xls* in the white list. All other files placed in this assignment will remain unprocessed. Files/extensions are separated by semicolons.

If a white list is defined, ONLY the extensions matching the white list will be processed.

The blacklist is a semicolon separated list of files/extensions to filter out.  


The system is set to automatically black list the following files and patterns:

.dropbox, desktop.ini, thumbs.db, ~.*,

Sweep Interval (seconds)

The Sweep Interval is a secondary scan that runs to ensure all files are being processed. It is possible that a system under extremely high load will not expose the correct file system event to Smartcrypt, which will result in a file not being processed. This interval is the timer for how often the secondary scan should run.


On Solaris, AIX and HP-UX systems, there are no system event notifications for Smartcrypt to capture. To process any files in an assignment, you must define a Sweep Interval.

Report Compliance and StatusThe Assignment Path will communicate its status to the Smartcrypt Enterprise Manager.
Exclude Hidden FilesBy default, an assignment will not encrypt hidden files. If you want to encrypt hidden files located in the assignment's path, uncheck this option.
Exclude System Files

By default, an assignment will not encrypt Windows system files. If you want to encrypt system files located in the path of the assignment, uncheck this option. You can verify system files by looking at the attributes of a file to confirm if it is deemed a system file.


This protection only exists on Windows-based operating systems.

Report Encryption FailuresAn assignment might fail to encrypt or decrypt a file on the initial attempt. This might be caused by the file being locked open, or some other environmental issue. The Smartcrypt assignment will attempt to encrypt\decrypt the file again, but if your organization is interested in the failures being reported, enable this option.
Report Successful EncryptionsIf Data Security Intelligence is enabled on the Basics page, each event in the assignment will be reported in the audit log. Uncheck this option If your organization is not interested in the encryption/decryption events that will be generated by the assignment(s).

Enable Re-encryption for an Encryption Assignment

Re-encryption within an Assignment allows the Smartcrypt Agent the ability to change the encryption key protecting the archive file. The user running the Smartcrypt Agent and Assignment needs to have access to the existing key and the new key for re-encryption to work properly.

Discovery Assignments

Discovery Assignments use Smartcrypt Discovery to scan the contents of un-encrypted documents to determine if they should be encrypted. To learn more about how to setup Smartcrypt Discovery, see Discovery.

Smart Filter BundlesThe list of Discovery Filters to be used to scan data for matches on sensitive data.

An action can occur when a Smart Filter Bundle has a positive hit on data it finds.

  • Report: Send a DSI event to the Smartcrypt Manager with details of the discovery filter and filename
  • Encrypt: Encrypt the file with the selectedSmartkey
  • Delete: Delete the file from the system. (Note: This is removed from the system, not just put into trash)

Pre-processing command to run on the targeted file(s).

Smartcrypt will substitute any instances of `%FULLPATH%` `%DIRECTORY%`, `%FILENAME%`, and '%BASEDIR%'   in single-line commands with the respective details of the file being processed when processing Pre and Post commands.

These four variables are passed as parameters In multi-line commands, in the order listed above.

Command (post encryption)

Post-processing command to run on the targeted encrypted file.

Smartcrypt will substitute any instances of `%FULLPATH%` `%DIRECTORY%`, `%FILENAME%`, and '%BASEDIR%'   in single-line commands with the respective details of the file being processed when processing Pre and Post commands.

These four variables are passed as parameters In multi-line commands, in the order listed above.