Assignments

Description

Smartcrypt Assignments provide an easy-to-deploy set of tasks to control client endpoints. Where traditional Lockers control folders and directories on specific devices, Assignments organize users (or Active Directory Security Groups) by platform. A Smartcrypt Assignment enables mass deployments because it assigns users through a generic scope.

Types of Assignments:

  • Encryption
  • Discovery

Understanding Differences between Lockers and Assignments

Below is a table highlighting some of the major differences between Smartcrypt Lockers and Smartcrypt Assignments.

Lockers and Assignments:

  • Supports Encryption Folder
  • Support Windows, Mac, Linux
  • Supports Discovery*
  • Supports Re-Encryption

Lockers Only:

  • Setup Per Device
  • Requires Windows Service but no interactive Windows session
  • Supports Single Location
  • No Support for Decryption Folder
  • No Support for Prioritized List of Smartkeys
  • Community, User Created Smartkeys

Assignments:

  • Support Mass Deployments
  • Only Runs During Active Windows Interactive Session
  • Supports Multiple Locations
  • Support Decryption Folder
  • Support for Prioritized List of Smartkeys
  • Community or Personal (non sharable) Smartkeys Only

Viewing Existing Assignments

When you browse to the Assignment tab, the default view displays all assignments defined in your Smartcrypt ecosystem. The main view displays:

  • Name of the assignment
  • Scope of the users and groups set up to receive the assignment
  • The platform/operating system of the devices set up to receive the assignment
  • The Mode, which is the type of assignment (Encrypt or Discovery)
  • Location(s) to be protected on the endpoints
  • Re-Encryption flag, which shows whether the agent should attempt to re-encrypt data to match the assigned Smartkey
  • The Compliant and Not Compliant columns indicate if the agent has received the latest policy changes from the Smartcrypt Enterprise Manager
  • Click Status to display the locations where this assignment applies
  • To temporarily make this Assignment Scan-Only (see following table), click Disable.

Adding a New Assignment

Click Add to add an Assignment.

Common Attributes

Field
Description

Name

The human-defined name for a Smartcrypt Assignment. It can be anything, but choose a name that is useful for maintaining the system.

Platform

Available options are Windows, Linux, & OSX.

Mode

Encrypt - All files that are found in the defined Location(s) will be encrypted. This is the default setting.

Discovery - All files are scanned by the Smartcrypt Discovery filter and only files that meet the defined criteria are acted upon.

Users/Groups

List of Active Directory users and groups to which this assignment should apply. You can also use Advanced Definitions. Note: A user can be defined in more than one assignment; the first one in the Assignment Processing list controls the action on the location(s) on a device.

Local Path(s)

The exact folder path, on all the remote devices, that this assignment applies to. You may use a Universal Naming Convention (UNC) path or a mapped network drive to define this path. If the path doesn't exist on the specified device, the Smartcrypt client will try to create the path. If the path is invalid (for example, because it refers to a path without permissions to access), no assignment will be created. This path is relative to the Smartcrypt client, so if there is a mounted drive on the remote device, it can be referenced through the drive letter.

Variables can be used to reference user/device-specific locations as well. The full array of system variables is available by wrapping the variable name in curly braces, as in ${VARNAME}.

Example: ${USERPROFILE}\Desktop\Secure will result in a folder on the user's desktop called "Secure".

Note: If many of the users in the scope of the assignment can see the same remote drive, issues can occur. When using remote paths, locking the scope down to one device is better.

File Filter

Select from the drop-down list of available file filters created in the Discovery File Filters page. The file filter selected here applies only to the base functionality of Encryption, Decryption, and Discovery. For more information on file filters, see the "File Filter" section in the discovery page; for the discovery functionality of multiple remediations with file filters, see further below on this page.

Sweep Interval

The Sweep Interval is a secondary scan that runs to ensure all files are being processed. It is possible that a system under extremely high load will not expose the correct file system event to Smartcrypt, which will result in a file not being processed. This interval is the timer for how often the secondary scan should run. The default setting is 86,400 seconds (24 hours). 

On Solaris, AIX and HP-UX systems, there are no system event notifications for Smartcrypt to capture. To process any files in an assignment, you must define a Sweep Interval.

Scan-Only Mode

Check this box to assess the size of a potential remediation project. The assignment will scan the target system and provide you, the admin, with progress information (in % form) as the scan continues.

Report Compliance and Status

The Assignment Path will communicate its status to the Smartcrypt Enterprise Manager, generating a report if the agent has received the latest policy changes.

Report Advanced File Attributes

Exclude Hidden Files

By default, an assignment will not encrypt hidden files. If you want to encrypt hidden files located in the assignment's path, uncheck this option. This feature is turned on by default. Click the box to turn it off.

Exclude System Files

By default, an assignment will not encrypt Windows system files. If you want to encrypt system files located in the path of the assignment, uncheck this option. You can verify system files by looking at the attributes of a file to confirm if it is deemed a system file. This feature is turned on by default. Click the box to turn it off.

 

This protection only exists on Windows-based operating systems.

Advanced Definitions of Users and Groups

Admins can use Boolean expressions to identify people and groups that expand beyond the limits of standard Active Directory Groups. You can select multiple users and groups, exclude some users with the NOT operator, and add other users.

In this example, the LargeData Marketing group is the Group that this assignment applies to, but the group excludes user mig1@qanet.com.

To generate this result:

  1. Click [icon] in the Users/Groups field to display your options. The icon changes to [icon].
  2. Start typing the name of the User or Group to make this assignment to. Smartcrypt Enterprise Manager will display a list you can select from.
  3. Click Add Row.
  4. In the left-most field, change to User.
  5. To exclude a user, change the second field to not equal.
  6. Start typing the user name and select the user you want to exclude from this assignment.
  7. At the top, change the Boolean operator. By default, the OR operator is selected. Change this to AND.
  8. Click outside the box to confirm the changes.
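Why step 7 matters, as an added illustration that is not Smartcrypt code: the sketch below evaluates the two rows from the example under both operators. The row model, the evaluation semantics and the sample directory (including the users ana and bob) are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Row:
    kind: str    # "Group" or "User" (the left-most field)
    equal: bool  # True = "equal", False = "not equal"
    value: str

def row_matches(row, user, groups):
    # A Group row tests membership; a User row tests identity.
    hit = (row.value in groups) if row.kind == "Group" else (row.value == user)
    return hit if row.equal else not hit

def in_scope(rows, operator, user, groups):
    # Assumed semantics: all rows are joined by the single operator at the top.
    results = [row_matches(r, user, groups) for r in rows]
    return all(results) if operator == "AND" else any(results)

def scope(rows, operator, directory):
    # Every user in the directory who would receive the assignment.
    return sorted(u for u, g in directory.items()
                  if in_scope(rows, operator, u, g))

# Constructed directory: user -> group memberships.
DIRECTORY = {
    "mig1@qanet.com": {"LargeData Marketing"},
    "ana@qanet.com": {"LargeData Marketing"},
    "bob@qanet.com": {"Finance"},
}
# The two rows built in steps 2 to 6.
ROWS = [
    Row("Group", True, "LargeData Marketing"),
    Row("User", False, "mig1@qanet.com"),
]

if __name__ == "__main__":
    print("AND:", scope(ROWS, "AND", DIRECTORY))
    print("OR: ", scope(ROWS, "OR", DIRECTORY))
```

With the default OR, the "not equal" row matches every other user and the group row still matches mig1@qanet.com, so the whole directory is in scope; only AND yields the group minus the excluded user.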

Encrypt Mode Settings

When you click Encrypt as the Mode, these fields appear in addition to the items above.

Field
Description
Community Key(s)

Select a Smartkey from the drop-down menu to encrypt the locker's files. Since we are creating an assignment that can reach thousands of users, the Smartkey list will be narrowed to only display Community Smartkeys. As a Smartcrypt Administrator, you can define many Smartkeys to use to create a prioritized list of Smartkeys for the assignment to try to use.

Let's describe how this works with a sample scenario:

Name: Assignment A

Scope: User PKWARE1, User PKWARE2

Mode: Encrypt

Path: H:\SecureData

Smartkeys: CommunityKey1, CommunityKey2, CommunityKey3

User PKWARE1 is not a member of any of the assigned Smartkeys of the assignment. Therefore, instead of NOT encrypting any data, the user will encrypt data with their Personal Smartkey. This is a built-in assumption: if a user doesn't have access to any of the defined Smartkeys, they will fall back to their Personal Smartkey.

User PKWARE2 is a member of CommunityKey2 and CommunityKey3. Since the user has access to CommunityKey2, all encryptions will occur with that Smartkey; CommunityKey1 will be skipped in the prioritized list because the user is not a member of that Smartkey.

Report Encryption Failures

An assignment might fail to encrypt or decrypt a file on the initial attempt. This might be caused by the file being locked open, or some other environmental issue. The Smartcrypt assignment will attempt to encrypt/decrypt the file again, but if your organization is interested in the failures being reported, enable this option. This feature is turned on by default. Click the box to turn it off.

Report Successful Encryptions

If Data Security Intelligence is enabled on the Basics page, each event in the assignment will be reported in the audit log. Uncheck this option if your organization is not interested in the encryption/decryption events that will be generated by the assignment(s). This feature is turned on by default. Click the box to turn it off.

Enable Re-Encryption

Re-encryption within an Assignment allows the Smartcrypt Agent to change the encryption key protecting the archive file. The user running the Smartcrypt Agent and Assignment needs to have access to the existing key and the new key for re-encryption to work properly. This feature is not activated by default. Click the box to turn it on.

Report Successful Re-Encryptions

If this box is checked, any triggered successful re-encryption events will be reported to the Smartcrypt Enterprise Manager. This feature is not activated by default. Click the box to turn it on.

Report Re-Encryption Failures

If this box is checked, any triggered re-encryption event that resulted in a failure or error will be reported to the Smartcrypt Enterprise Manager. This feature is not activated by default. Click the box to turn it on.
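The Assignment A scenario under Community Key(s), worked as an added example that is not Smartcrypt code: it resolves the Smartkey each scoped user will encrypt with and lists who in the same scope cannot open the result. It assumes that opening a file requires membership in the Smartkey that encrypted it; the function names are hypothetical.

```python
PERSONAL = "Personal Smartkey"  # fallback; non-sharable per the comparison above

def select_smartkey(priority, memberships):
    # First key in the prioritized list that the user is a member of.
    for key in priority:
        if key in memberships:
            return key
    # No match: the agent still encrypts, with the user's Personal Smartkey.
    return PERSONAL

def resolve_keys(priority, users):
    # user -> Smartkey the assignment will use for that user
    return {u: select_smartkey(priority, m) for u, m in users.items()}

def read_gaps(plan, users):
    # For each writer, the other scoped users who cannot open that writer's
    # files (assumption: reading requires membership in the encrypting key).
    gaps = {}
    for writer, key in plan.items():
        blocked = sorted(
            reader for reader, m in users.items()
            if reader != writer and (key == PERSONAL or key not in m)
        )
        if blocked:
            gaps[writer] = blocked
    return gaps

# Values from the scenario in the text.
PRIORITY = ["CommunityKey1", "CommunityKey2", "CommunityKey3"]
USERS = {
    "PKWARE1": set(),
    "PKWARE2": {"CommunityKey2", "CommunityKey3"},
}

if __name__ == "__main__":
    plan = resolve_keys(PRIORITY, USERS)
    for user, key in plan.items():
        print(f"{user}: encrypts with {key}")
    for writer, blocked in read_gaps(plan, USERS).items():
        print(f"files written by {writer} are not readable by {blocked}")
```

Run against an export of the real scope and Smartkey memberships, an empty `read_gaps` result means every scoped user resolves to a key the others can also use.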

Discovery 

Discovery Assignments use Smartcrypt Discovery to scan the contents of unencrypted documents to determine if they should be encrypted. To learn more about how to set up Smartcrypt Discovery, see Discovery.

When you click Discovery as the Mode, these fields appear in addition to the items above.

Field
Description
Smart Filter Bundles

The list of Discovery Filters to be used to scan data for matches on sensitive data. You can use Advanced Options to define combinations of Smart Filter Bundles.

File Filter

Select from the drop-down list of available file filters created in the Discovery File Filters page. The file filter selected here will only be applicable to the corresponding smart filter bundle and remediation in the same row. For more information on file filters, see the "File Filter" section in the discovery page.

Remediation Actions

Remediation actions, defined in this table, are responsible for configuring the order of smart filter bundle(s) that are tied to specific remediation options.

Remediation action order is important; the client agent processes the remediation actions list from the top down. The agent uses the first one that applies to its particular discovered action. Each row has a defined smart filter bundle that correlates to a remediation action defined in the discovery page.

For example, a Smartcrypt assignment has two remediation actions. The first remediation action, at the top, looks for “Secret” and remediates by encrypting and moving the file. The second remediation action, below the first, looks for “Secret”+“Sensitive” and remediates by deleting the files. If an assigned client finds “Secret”, it will apply only the first remediation action at the top of the list, encrypting and moving the file. If an assigned client finds “Sensitive”, it will apply only the second remediation action in the list, moving the file.

If a Smartcrypt client older than 15.60.0046 is given an assignment with multiple remediation actions, the client will default to only using the top remediation action.
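The top-down, first-match processing described under Remediation Actions, modelled as an added example that is not Smartcrypt code. It assumes a row applies when any of its bundles matched, labels the second row's action "delete" as that row is defined in the text, and uses a constructed older client version (15.50.0001).

```python
MULTI_ACTION_MIN = (15, 60, 46)  # 15.60.0046, the client version named in the text

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def resolve(rows, found, client_version):
    # Older clients only ever consider the top row.
    if parse_version(client_version) < MULTI_ACTION_MIN:
        rows = rows[:1]
    # Top-down: the first row with a matching bundle wins; later rows are ignored.
    for bundles, action in rows:
        if found & bundles:
            return action
    return None  # no remediation action applies

def shadowed(rows):
    # Indexes of rows that can never be chosen, because every bundle they
    # list already appears in a row above them.
    seen, dead = set(), []
    for index, (bundles, _action) in enumerate(rows):
        if bundles <= seen:
            dead.append(index)
        seen |= bundles
    return dead

# The two rows from the example in the text.
ROWS = [
    (frozenset({"Secret"}), "encrypt and move"),
    (frozenset({"Secret", "Sensitive"}), "delete"),
]

if __name__ == "__main__":
    for version in ("15.60.0046", "15.50.0001"):
        for found in ({"Secret"}, {"Sensitive"}, {"Secret", "Sensitive"}):
            print(version, sorted(found), "->", resolve(ROWS, found, version))
    print("unreachable rows if the order is reversed:", shadowed(ROWS[::-1]))
```

On the older client a file that matches only “Sensitive” gets no remediation at all, so the top row should carry the action that must not be skipped.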




