Skip to main content

Email Policy

PK Protect has been enhanced to support an Outlook Add-In, which can be used to create security policies to protect sensitive information in email messages. The Email page under Archive allows you to configure policy workflows for email. This page also provides the facility to set some basic email configuration settings which are applicable to users or groups of users.

Email Settings

The Email Settings table is a place where you can view, set, and edit some email configurations, so that you can establish some basic rules for email usage across the board, regardless of the policy implemented.

The below table describes the email configuration settings:

Name

Description

Internal Domains

Admins can specify the domains internal to their organization.

External Recipients Warning

Enabling this checkbox will warn the end user when the email is being sent outside the organization.

External Recipient Prompt

Enter the message for the prompt that you want to display to the end user when the email is being sent to external recipients.

Enable Recents

Enable this checkbox to enable Recents mode. If checked, users can select ‘Recents...’ from the PKWARE tray icon in the Windows operating system. It shows a dialog where the users can see recently sent messages.

Add Header Tag

Enabling this checkbox will add PKWARE tag to the x-header information of the email.

Include Unzip Instructions

Enabling this checkbox will allow PK Protect to include a non-encrypted document with instructions on how to decrypt the attachment.

File Includes

Specify the file extensions that will be considered by the PK Protect Add-In while performing discovery and remediation actions.

File Excludes

Specify the file extensions that will be neglected by the PK Protect Add-In while performing discovery and remediation actions.

Unzip Instructions

Text specified in this field will be provided in a text file that is sent out automatically when a user sends an encrypted attachment. This text can be plain text or HTML formatted. 

Message Body Replacement

This field is the place where admin can craft customized instructions for how to access encrypted information in an email message body. This field work in combination with the Include unzip instructions. If that is selected to be Yes, then the instructions created in the ‘Message Body Replacement’ field are displayed to the recipient when they receive a message with an encrypted message body.

Default Zip Name

PK Protect gives the same generic name to all ZIP file attachments that contain multiple files. In this field, specify the generic name to use. By default, the given name is ‘PK Protect Attachments’.  

Default Zip Extension

This field allows you to define an alternate three-character extension for ZIP file attachments. By default, the value is set to ‘.zip’.

Image DiscoverySelecting this option allows agents to discover the sensitive information in the supported image file types.
Support URL

This field allows user to define a custom URL for the support icon shown within the PK Secure Email prompt at the bottom left corner. Using this feature, customer can redirect the employees or user to the support site mentioned in this field.

If nothing has been specified, support icon will not appear in PK Secure Email.

Agent Connectivity Error

This action is performed when PK Secure Emails fails to connect with the PK Protect agent within the specified time limit of 5 seconds. By default, the value is set to Warn with Prompt. Following are the options:

  1. Ignore and Send – this will ignore the agent connectivity issue and automatically send the email.
  2. Warn with Prompt – this will warn the user about the agent connectivity issue, but they can still send an email.
  3. Block with Prompt – this will block the user from sending the email if any agent connectivity issue is found.
Action Failures

This action is performed when PK Secure Email fails to perform discovery or remediation action  on the email. By default, the value is set to Warn with Prompt.

Following are the options:

  1. Ignore and Send – this will ignore any action failures (remediation or discovery) and automatically send the email.
  2. Warn with Prompt – this will warn the user about the action failures, if occurred, but they can still send an email.
  3. Block with Prompt – this will block the user from sending email if any action failure occurred.
Unkown Errors

Set the value in this field to enable PK Secure Email prompt when unknown errors are occurred. By default, the value is set to Warn with Prompt. Following are the options:

  1. Ignore and Send – this will ignore the errors, if generated, and automatically sends the email.
  2. Warn with Prompt – this will warn the user about the potential error, but they can still send the email.
  3. Block with Prompt – this will block the user from the sending the email.
Sensitive Subject Encryption

Set the value in this field to enable the PK Secure Email prompt when sensitive data is detected in the email subject and encryption remediation is applied. Encrypting the subject is not supported function in PEM Administrator. By default, the value is set to Block with Prompt.

Following are the options:

  1. Ignore and Send – this will ignore the email subject containing any sensitive information from being encrypted and automatically send the email.
  2. Warn with Prompt – if you opt for this option, this will warn the user that their email subject contains sensitive information by giving a prompt, but they can still proceed further by sending an email without encryption.
  3. Block with Prompt – if you opt for this option, this will block the email from being sent if the subject contains sensitive data and encryption remediation is attempted to be applied in the Outlook messages.
Live Monitoring 

Set the value in this field to enable and control the behaviour of sensitive data detection while composing an email. This feature starts scanning the content of email such as body, attachments, and subjects after every 5 seconds to detect sensitive information. Following are the options:

  1. Do Nothing - this will display no notification in the infobar if the email body, attachment, or subject consist of sensitive data. By default, Do Nothing option is opted.
  2. Infobar Notification - this will display notifications in the inforbar if a sensitive information is detected in the email content. 
Caching Duration

This field displays the amount of time in minutes or number of days the policy can be cached for on a machine. If the policy cache duration is exceeded and a new policy cannot be retrieved, PK Secure Email prompt is based on the Agent Connectivity Error prompt value. This could be the result of the agent not being logged in or not being able to connect to PEM MDS.  

If the value is set to 0, policy will not get cached, and agent must be on and logged in the process email. The caching duration for a policy can be set in Days as well as in Hours. By default, the value is set to 1 Day.

Save

Click the Save button to save the provided values.

Cancel

Click the Cancel button if you want to discard the provided values.


Email Policies

The Email Policies table displays the list of policy workflows defined specifically for email. This table is a place to view, add, edit, delete, and download policies for email. 

The order of the policies in the Email page is important. The PEM Agent processes the policy list from top to bottom. Each policy has a defined scope of users that it applies to. The agent uses the first one that applies to its particular user. You can change the policy order by dragging them up and down. If no policy is defined for users, site-wide default policy is assigned to them.


Defining an Email Policy

Perform the following steps to add a new policy for email in the system:



The attachments in Outlook are ran through Protection Policies independently and Actions are only applied if an Outlook attachment triggers a protection policy row. It is recommended that to create highest sensitivity protection policies first followed by the lower priority protection policies.


Click the Add button to view the Add Email Policy screen to define a policy. Provide values for the following fields:

  1. Name: Enter the name of the policy in the Name.
  2. Users and Groups: List the Active Directory users and groups to whom you want to assign this policy. You can also use Boolean expressions to include or exclude multiple users and groups by using AND, OR, and NOT operators.


    In the above example, the LargeData Marketing group is the Group to whom this policy applies, but the group excludes user mig1@qanet.comTo generate this result, perform the following steps:
    1. Click </> icon in the Users and Groups field to view the options. The icon will change to
      .
    2. Type the name of the group in the first row. For example, Large Data Marketing. PEM Administrator will display a list from which you can select the option.
    3. Click Add row.
    4. In the left-most drop-down, select User.
    5. To exclude a user, select not equal in the second drop-down.
    6. Type the username that you want to exclude from this policy. PEM Administrator will display a list from which you can select the option.
    7. At the top, change the Boolean operator to AND. By default, the OR operator is selected.
    8. Click anywhere outside the dialog box to confirm the changes.

  3. Re-encrypt Attachments: Check this checkbox if you want to re-encrypt the attachments to match the assigned SmartKey.
  4. Re-name Attachment Extension: Check this checkbox if you want to change the extension of the attachments in outlook.
  5. Protection Policies: Perform the following steps:
    1. Click the Add button and provide values for the following fields:
    2. Filter Bundles: Select the Smart Filter Bundles from the drop down that the PEM Agent will look for, in order to discover sensitive data in the outgoing email messages.
    3. MIP Azure Label: Select the MIP label from the drop-down that you want to discover for. 
    4. Recipients: Specify the email recipients (internal or external) to whom you want to send an email and apply this protection policy.
    5. Remediation: Select the specific remediation from the drop down that will trigger the policy.

  6. After providing values in the Protection Policies field, click Save. Otherwise, click Close.
  7. Click Save to save the provided values. Otherwise, click Cancel.

Outlook Add-In Deployment

Before you can use the Outlook Add-in, the PKWARE Client Agent, the PKWARE Outlook Add-in and a TLS Certificate must be deployed and installed on the client system. The software components can be deployed in different ways depending on an organization’s policies and preferred methods for distributing software.

Distributing and installing the PKWARE Client Agent

The software components can be deployed in different ways depending on an organization’s policies and preferred methods for distributing software. As part of the installation process, a command can be used to automatically generate the TLS Certificate when the Client Agent is installed. The TLS Certificate is used to facilitate encrypted information exchange between the Client Agent and the Outlook Add-in.

Package Management Tool

If the Client Agent software is distributed to and installed on the client system using a package management tool, please follow the instructions for that particular application. If you desire to create the TLS certificate as part of the installation process, you can add a parameter (GENCERT=1) to the msi command line and PKWARE will generate the required TLS certificate as part of the installation parameters.

Using the PKWARE Deployments feature

You can distribute and install the PKWARE Client Agent software and generate the TLS Certificate by executing the following steps:

  1. Download the ‘deployments JSON’ file from PKWARE (supplied by PKWARE support)
  2. Modify the json to include the parameter "parameters" : "GENCERT=1", and save the file
  3. From the Archive > Deployments page, browse to the deployments json file on your computer.
  4. Select Save and execute the deployment.

In all cases a TLS Certificate is required. If desired, you may use your own TLS Certificate; in this case the certificate must be issued to localhost and trusted on the device. If the GENCERT=1 command is run, but finds a valid existing certificate, it will not create a new one; but instead, will allow the agent to use the existing certificate. 

How to Manually add the PK Protect Outlook Add-In?

Perform the following steps:

  1. In Outlook, click Get Add-ins from the Home tab on the ribbon. This will open the Add-Ins dialog box. If Get Add-Ins button is not available, login to Outlook 365 via web browser and navigate to https://aka.ms/olksideload to display the Add-ins dialog box.
  2. Click My add-ins on the left side of the dialog box and scroll down to Custom Addins.
  3. Download the appropriate version of PK Protect Secure Email manifest file on your local filesystem, for example, https://addin.pkware.com/v1.4/manifest.xml.
  4. Select Add from File from the + Add a custom add-in drop-down and upload the downloaded manifest file.
  5. Click OK. The installed add-in will appear on the Outlook message screen.

Note: The PEM Agent must be installed with an active user. In order to make this functionality to work, PEM Agent and Outlook application must be running on the same machine. It is not necessary for the user to login to PEM Agent and Outlook with the same email address. 


Email Policy Template

The Email Policy Template allows an administrator to create a clone of an existing email policy. It reduces the configuration time as it clones the exact information of the template.

There are four email policy templates.

  1. Redact Credit Cards
  2. Redact SSNs
  3. Smartkey Encrypt Credit Cards
  4. Smartkey Encrypt SSNs

Following actions can be performed on the policy templates:

  1. View: This allows you to view the details of pre-defined templates.
  2. Clone: This allows you to copy the configuration of an existing remediation action, which can be edited without impacting the original remediation action.


JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.