PK Protect Assignments provide an easy-to-deploy set of tasks to control client endpoints. Where traditional Lockers control folders and directories on specific devices, Assignments organize users (or Active Directory Security Groups) by platform. PK Protect Assignments enable mass deployments because users are assigned through a generic scope rather than per device.
Types of Assignments:
Encryption
Discovery
Understanding Differences between Lockers and Assignments
Below is a table highlighting some of the major differences between PK Protect Lockers and PK Protect Assignments.
Lockers and Assignments:
Supports Encryption Folder
Support Windows, Mac, Linux
Supports Discovery*
Supports Re-Encryption

Lockers Only:
Setup Per Device
Requires Windows Service but no interactive Windows session
Supports Single Location
No Support for Decryption Folder
No Support for Prioritized List of Smartkeys
Community, User Created Smartkeys

Assignments:
Support Mass Deployments
Only Runs During Active Windows Interactive Session
Supports Multiple Locations
Support Decryption Folder
Support for Prioritized List of Smartkeys
Community or Personal (non sharable) Smartkeys Only

Viewing Existing Assignments
When you browse to the Assignment tab, the default view displays all assignments defined in your Smartcrypt ecosystem. The main view displays:
Name of the assignment
Scope of the users and groups set up to receive the assignment
The platform/operating system of the devices set up to receive the assignment
The Mode, which is the type of assignment (Encrypt or Discovery)
Location(s) to be protected on the endpoints
Re-Encryption flag, which shows whether the agent should attempt to re-encrypt data to match the assigned Smartkey
The Compliant and Not Compliant columns indicate whether the agent has received the latest policy changes from the PK Endpoint Manager
Click Status to display the locations where this assignment applies
To temporarily make this Assignment Scan-Only (see following table), click Disable.
Adding a New Assignment
Click Add to add an Assignment
Common Attributes
Field
Description
Name
The human-defined name for a PK Protect Assignment. It can be anything, but should be chosen to be useful for maintenance of the system.
Platform
Available options are Windows, Linux, & OSX.
Comments
Specify any additional information for the assignment in this field.
Mode
Encrypt - All files that are found in the defined Location(s) will be encrypted. This is the default setting.
Discovery - All files are scanned by the PK Protect Discovery filter and only files that meet the defined criteria are acted upon.
Users/Groups
List of Active Directory users and groups for which this assignment should apply. You can also use 7362108. Note: A user can be defined in more than one assignment; the first one in the Assignment Processing list controls the action on the location(s) on a device.
Local Path(s)
The exact folder path, on all the remote devices, to which this assignment applies. You may use a Universal Naming Convention (UNC) path or a mapped network drive to define this path. If the path doesn't exist on the specified device, the PK Protect client will try to create the path. If the path is invalid (for example, by referring to a path without permissions to access), no assignment will be created. This path is relative to the PK Protect client, so if there is a mounted drive on the remote device, it can be referenced through the drive letter.
Variables can be used to reference user/device-specific locations as well. The full array of system variables is available by wrapping the variable name in curly braces: ${VARNAME}.
Example: ${USERPROFILE}\Desktop\Secure will result in a folder on the user's desktop called "Secure".
Note: If many of the users in the scope of the assignment can see the same remote drive, issues can occur. When using remote paths, locking the scope down to one device is better.
File Filter
Select from the drop-down of available file filters created in the Discovery File Filters page. The file filter selected here applies only to the base functionality of Encryption, Decryption, and Discovery. For more information on file filters, see the "File Filter" section in the discovery page, and see further below on this page for the discovery functionality of multiple remediations with file filters.
Sweep Interval
The Sweep Interval is a secondary scan that runs to ensure all files are being processed. It is possible that a system under extremely high load will not expose the correct file system event to PK Protect, which will result in a file not being processed. This interval is the timer for how often the secondary scan should run. The default setting is 86,400 seconds (24 hours).
On Solaris, AIX and HP-UX systems, there are no system event notifications for PK Protect to capture. To process any files in an assignment, you must define a Sweep Interval.
Compress
This option only appears when the "Mode" is set to "Encrypt". Check this box to allow users within scope to compress files. If a file is triggered, the file will be compressed before encryption.
Uncheck this box to not allow users within scope to compress files. If a file is triggered, the file will not be compressed before encryption. This could lead to faster encryption times for end users.
Scan-Only Mode
Check this box to assess the size of a potential remediation project. The assignment will scan the target system and provide you, the admin, with progress information (in % form) as the scan continues.
Report Compliance and Status
The Assignment Path will communicate its status to the PK Endpoint Manager, generating a report of whether the agent has received the latest policy changes.
Report Advanced File Attributes
Checking this box will provide more details on specific file types that are discovered: File Created Date, File Author (creator), Last Saved Date, Last Author. File types supported: doc/docx, xls/xlsx, ppt/pptx, .vsd/.vsdx, .one
Image Discovery
Checking this box will allow agents to discover sensitive information within supported image file types.
Exclude Hidden Files
By default, an assignment will not encrypt hidden files. If you want to encrypt hidden files located in the assignment's path, uncheck this option. This feature is turned on by default. Click the box to turn it off.
Exclude System Files
By default, an assignment will not encrypt Windows system files. If you want to encrypt system files located in the path of the assignment, uncheck this option. You can verify system files by looking at the attributes of a file to confirm if it is deemed a system file. This feature is turned on by default. Click the box to turn it off.
This protection only exists on Windows-based operating systems.
Advanced Definitions of Users and Groups
Admins can use Boolean expressions to identify people and groups that expand beyond the limits of standard Active Directory Groups. You can select multiple users and groups, exclude some users with the NOT operator, and add other users.
In this example, the LargeData Marketing group is the Group that this assignment applies to, but the group excludes user mig1@qanet.com.
To generate this result:
Click in the Users/Groups field to display your options. The icon changes to .
Start typing the name of the User or Group to make this assignment to. PK Endpoint Manager will display a list you can select from.
Click Add Row.
In the left-most field, change to User.
To exclude a user, change the second field to not equal.
Start typing the user name and select the user you want to exclude from this assignment.
At the top, change the Boolean operator. By default, the OR operator is selected. Change this to AND.
Click outside the box to confirm the changes.
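Why step 9 matters, as an added example that is not PK Endpoint Manager code: a simplified evaluator for the two rows built above, run with both Boolean operators. The directory contents (other than mig1@qanet.com and the LargeData Marketing group) and the evaluation semantics are assumptions made for illustration.

```python
# Added illustration: simplified model of an assignment scope expression.
# The evaluator is an assumption about semantics, not vendor code.

# Constructed sample directory: user -> set of groups.
DIRECTORY = {
    "ana@qanet.com": {"LargeData Marketing"},
    "mig1@qanet.com": {"LargeData Marketing"},
    "raj@qanet.com": {"Finance"},
}

# One tuple per row added with "Add Row": (kind, comparison, value).
ROWS = [
    ("Group", "equal", "LargeData Marketing"),
    ("User", "not equal", "mig1@qanet.com"),
]


def row_matches(row, user, groups):
    """Evaluate a single row against one user."""
    kind, comparison, value = row
    hit = (value in groups) if kind == "Group" else (user == value)
    return hit if comparison == "equal" else not hit


def in_scope(user, rows, operator):
    """Combine all rows with the operator chosen at the top of the box."""
    results = [row_matches(row, user, DIRECTORY[user]) for row in rows]
    return all(results) if operator == "AND" else any(results)


def scope(rows, operator):
    """Return the sorted list of users the assignment would apply to."""
    return sorted(u for u in DIRECTORY if in_scope(u, rows, operator))


if __name__ == "__main__":
    # AND: group members minus the excluded user.
    print("AND:", scope(ROWS, "AND"))
    # OR (the default): the "not equal" row matches almost everyone,
    # and the excluded user still matches through the group row.
    print("OR: ", scope(ROWS, "OR"))
```

With the default OR operator left in place, the exclusion row widens the scope instead of narrowing it, so the assignment reaches users outside the group as well as the user meant to be excluded.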
Scheduling Options
Check the box to enable scheduling for an assignment. Select the "Start Time" and "Pause Time" based on the local agent's time for the period an assignment should be run in. Passive mode queues files to be processed even when outside of the schedule. Note: Agents earlier than 16.60 do not support scheduling.
Archive Options
Check the box to enable archive remediations for an assignment.
Item
Description
Extensions
Archive file types that would be discovered and/or remediated on
Depth
The number of archive levels deep the assignment should execute in. If a file is within an archive that is within the top level archive, it would be placed at a depth of 2.
Preserve Signatures
Preserving the original signatures of an archive when the assignment discovers or remediates on the file
Extract Single File Archives Modified By Remediation Actions
If checked, the underlying file from an archive is remediated and extracted onto disk, and the original zip file is deleted. If this checkbox is left unchecked, the file will remain in the archive and be remediated.
Process Encrypted
If checked, the agent will scan encrypted files within the archive. If this box is checked and a remediation action modifies the file, the file will remain decrypted unless the 'encrypt' action is selected as part of the remediation action.
Discovery
Discovery Assignments use PK Protect Discovery to scan the contents of unencrypted documents to determine if they should be encrypted. To learn more about how to set up PK Protect Discovery, see Discovery.
When you click Discovery as the Mode, these fields appear in addition to the items above.
Field
Description
Smart Filter Bundles
The list of Discovery Filters to be used to scan data for matches on sensitive data. You can use 7362108 to define combinations of Smart Filter Bundles.
MIP Label
Discover on a specific MIP label by selecting a label from the drop-down list.
File Filter
Select from the drop-down of available file filters created in the Discovery File Filters page. The file filter selected here applies only to the corresponding smart filter bundle and remediation in the same row. For more information on file filters, see the "File Filter" section in the discovery page.
Remediation Actions
Remediation actions, defined in this table, are responsible for configuring the order of smart filter bundle(s) that are tied to specific remediation options.
Remediation action order is important; the client agent processes the remediation actions list from the top down. The agent uses the first one that applies to its particular discovered action. Each row has a defined smart filter bundle that correlates to a remediation action defined in the discovery page.
For example, a PK Protect assignment has two remediation actions. The first remediation action, at the top, looks for “Secret” and has a remediation action to encrypt and move the file. The second remediation action, below the first, looks for “Secret”+“Sensitive” and remediates by deleting the files. If an assigned client finds “Secret”, it will apply only the first remediation action at the top of the list, encrypting and moving the file. If an assigned client finds “Sensitive”, it will apply only the second remediation action in the list by moving the file.
If a PK Protect client older than 15.60.0046 is given an assignment with multiple remediation actions, the client will default to only using the top remediation action.
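The top-down, first-match behaviour described above, as an added example that is not the agent's own code: it selects the action for a set of discovered bundles and audits the list for rows that can never fire. It assumes a row matches when any of its bundles is found (which is how the page's example behaves), and the third row and the function names are constructed for illustration.

```python
# Added illustration: first-match selection over an ordered
# Remediation Actions table. Semantics are an assumption, not vendor code.

# Each row: (smart filter bundles, remediation action), top row first.
ACTIONS = [
    ({"Secret"}, "encrypt and move"),
    ({"Secret", "Sensitive"}, "delete"),
    ({"Secret"}, "report only"),  # constructed row, never reachable
]


def select_action(found, actions, legacy_client=False):
    """Return (row index, action) for the first matching row, else None.

    legacy_client models agents older than 15.60.0046, which only use
    the top remediation action.
    """
    if legacy_client:
        actions = actions[:1]
    for index, (bundles, action) in enumerate(actions):
        if bundles & found:  # assumption: any bundle hit matches the row
            return index, action
    return None


def shadowed_rows(actions):
    """List rows whose bundles are all covered by earlier rows.

    Such a row can never be chosen, because an earlier row always
    matches first.
    """
    seen, dead = set(), []
    for index, (bundles, _action) in enumerate(actions):
        if bundles <= seen:
            dead.append(index)
        seen |= bundles
    return dead


if __name__ == "__main__":
    for found in ({"Secret"}, {"Sensitive"}, {"Secret", "Sensitive"}):
        print(sorted(found), "->", select_action(found, ACTIONS))
    print("legacy, Sensitive ->",
          select_action({"Sensitive"}, ACTIONS, legacy_client=True))
    print("shadowed rows:", shadowed_rows(ACTIONS))
```

A file containing both bundles is handled by the top row only, and on a legacy client a file matching only a lower row receives no remediation at all, so the most important action belongs at the top of the list.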