Skip to main content


The Assignments provide an easy way for deploying set of instructions for tasks, to control client end points. An Assignment enables mass deployments because of their generic scope of assigning users. To access this screen, go to Archive > Assignments.

Difference between Assignments and Lockers

There are some major differences between Assignments and Lockers:

AssignmentsLockersAssignments & Lockers (Similarities)
Assignment supports mass deployments because of their scope.Lockers are setup per device.Both support creation of encryption folder.
The assignments run during active windows interactive session.It requires windows service but no interactive session.Both can be operated on all three types of platforms i.e., Windows, Linux and MacOS.
Multiple locations can be added in assignments.Only one location can be added or supports single location.Both supports Discovery.
Supports the creation of Decryption folder.A decryption folder cannot be created.Both supports re-encryption process.

Provides support for prioritized list of Smartkeys.

There is no support for prioritized list of Smartkeys.
Use of only Community or Personal Smartkeys.You can use only Community or User created Smartkeys. 

Adding a new Assignment

There are three types of assignments that can be defined:

  1. Discovery
  2. Decrypt
  3. Encrypt

To define a new assignment, click Add button and configure the following settings:

Common Attributes

There are few common attributes that need to be configured for creating a new assignment.



Enter the name of the assignment. The name must be descriptive.
CommentEnter any additional information in this field, if required.
CommentThere are different platforms on which assignments are supported i.e., Windows, Linux, OSX, etc.

There are three types of assignments i.e., Discovery, Decrypt, and Encrypt.

  • Discovery – All files are scanned, and action is taken only on those files which meet the defined criteria.
  • Decrypt – All files that are found in defined location will be decrypted.
  • Encrypt – All files that are found in defined location(s) will be encrypted. This is the default option.

This field displays the list of Active Directory users and groups. To search users, you can make use of Advanced Definitions feature.


A user can be defined in more than one assignment, the first one in the assignment processing list controls the action on a location(s) of a device.
Local Path(s)

This field contains the exact path of the folder where the files are kept for discovery, encryption, or decryption. You can use the Universal Naming Convention (UNC) path or can map a network drive to define this path.

If path does not exist on the specified device, then PK Protect Agent will create a path. If path is invalid, no assignment will be created. This path is relative to PK Protect Agent, if mounted drive exists on the remote device, it can be referenced through drive letter.

You can use variables for referencing user or device specific locations. The format for referencing a location is ‘${Variable}’.


If any users in the scope of the assignment can see the same remote drive, issues can arrive. When using remote path, scope must be locked down to one device. 

File FilterSelect the file filters from the drop-down. The file filters are created in the File Filters tab that can be accessed through Advanced > File Filters. To know more, refer File Filters.
AlgorithmThis field displays the list of algorithms which is applied on the data that need to be encrypted. This field is visible when Encrypt is selected in the Mode drop-down.
Community Key(s)This field allows you to add Smartkeys defined by user and administrators. This field is visible when Encrypt is selected in the Mode drop-down.
CompressThis option compresses a file if you fall within a scope. The file is compressed before encryption process takes places. The file does not get compressed if this option is not selected. This encrypts the data much faster.
Enable Scan-Only ModeThis option scans the target system and provides the admin with progress information (in %) as scan continues.
Sweep Interval

This option is a secondary scan which runs to ensure that all the files are processed. Sometimes there is a possibility that system under extremely high load will not expose the correct file system event to PK Protect. Due to this reason, the file will not get processed.

The time interval specifies how often a secondary scan should run. The default setting is 84, 600 second i.e., Day.


On Solaris, AIX and HP-UX systems, there are no system event notifications for PK Protect.

Report Compliance and Status

The assignment path communicates its status to the PK Endpoint Manager (PEM), which in turn generates a report whether the PK Protect Agent has received latest policy change or not.

Report Advanced File Attributes

If you want to provide more details on specific file type on when the discovery task is triggered, opt for this option. This option is visible when Windows is opted as a Platform.

Supported file types are: docx, xls, xlsx, ppt, pptx, vsd, one.

Image Discovery

Selecting this option will allow agents to discover the sensitive information in the supported image file types. 

Encryption Events

This option is visible on screen when Encrypt is selected in the Mode drop-down. Following settings are available:

  • Report Successful Encryption - Select this option, if you want to report any successful encryption events to PEM.
  • Report Encryption Failures – Select this option, if you want to report any encryption failure events to PEM.
Decryption Events

This option is visible on screen when Decrypt is selected in the Mode drop-down. Following settings are available:

  • Report Successful Decryptions - Select this option if you want to report any successful decryption events to PEM.
  • Report Decryption Failures – Select this option if you want to report any decryption failure events to PEM.


To enable scheduling for an assignment, check Enable Scheduling option. On enabling, it displays following options:


Agents earlier than 16.60 do not support scheduling feature.

Start Time and Pause TimeSelect the time in Start Time and Pause Time field. The time must be selected as per agent’s local time for an assignment to run in that specified time range.
Passive ModeThis feature queues the files to be processed even when outside of the scheduling.


To enable re-encryption for an assignment, check the Enable Re-Encryption option. This setting is visible when you select Encrypt in the Mode drop-down. On enabling, it displays following options:

Report Successful Re-encryption

Select this option if you want to report any successful re-encryption events to PEM Administrator. 

Report Re-encryption FailuresSelect this option if you want to report any re-encryption failure events to PEM Administrator.

Archive Options

To enable the archive remediations for an assignment, check the Enable Advanced Archive Options option. This setting is visible when Discovery is opted in the Mode drop-down. On enabling, it displays following options:

Fields Description
ExtensionsThis field displays the file extensions that would be discovered or remediated.
DepthThe number of archive levels deep the assignment should execute in.

E.g., If a file is within an archive i.e., at the top-level archive. The depth level is defined as 2.

Preserve SignaturesThis preserves the original signatures of an archive when the assignment discovers or remediates file.
Extract Single File Archives Modified by Remediation Actions

If checked, the underlying file from an archive is remediated, extracted on disk and the original zip file is deleted.

If unchecked, the file remains intact and is remediated.

Process Encrypted

If checked, the agent will scan encrypted files within the archive. With this box checked and there is a remediation action that modifies the file, the file will remain decrypted unless the 'encrypt' action is selected as part of the remediation action.

File Remediation Actions

The Assignments use the Discovery feature to scan the content of document to determine whether it should be encrypted or not. When Discovery is selected in the Mode drop-down, the content of file can be remediated as per the action specified in the File Remediation Actions. To know more, refer

To add multiple filter bundles in the File Remediation Actions panel, click Add button. Similarly, you can delete a filter bundle by clicking Delete button.

When Discovery is selected, following fields get visible:

Filter Bundles

This field lists down all the filter bundles defined in the Discovery screen. These bundles are used for scanning the sensitive data within a document or file.

You can make use of Advanced Definition feature for searching filter bundles.

MIP Azure Label

This field lists down all the MIP labels defined in the MIP screen. This feature discovers a specific MIP label based on the selection.

File Filter

This drop-down displays the list of all the file filters defined in the File Filters screen that can be accessed via Advanced > File Filters.

This feature allows you to scan only those file extensions and paths which are specified in the filter. To know more, refer File Filter.

File Remediation Action

This field displays list of all remediation actions that can be applied on the filter bundle. The order of remediation action is important as PK Protect Agent processes the remediation actions list from top to down.

E.g., if an assignment has two remediation actions, the first remediation action at the top looks for ‘Secret’ and has a remediation action that will encrypt and move the file. The second remediation action looks for, ‘Secret’ + ‘Sensitive’, and takes a remediation action by deleting the files.

If agent finds ‘Secret’, it will only apply the first remediation action i.e, encrypting and moving the file. If agent finds ‘Sensitive’, it will only apply the second remediation action i.e., deleting the file.

Once you’ve configured all the settings, click Save button to make the changes effective else click Cancel.

Viewing Existing Assignments

On clicking Assignment in the navigation panel under the Archive, the default screen appears. It displays list of all assignments. Following is the description of the columns:


This field displays the name of the assignment. 

Users/GroupsThis field displays the list of users and groups. It defines the scope of an assignment.
PlatformThis field displays the operating system of the device.

It displays the type of assignment i.e., Discovery, Decrypt or Encrypt.

LocationIt displays the scan locations on the end points.
Compliant and Non – CompliantThese fields indicate whether agent has received then latest policy changes from PEM. If agent has communicated with PEM post latest policy changes, then value in Compliant field changes to 1 else the value in Non-Compliant field changes to 1.

Within this screen, you can perform some actions on every assignment:

  1. Status – Click this button if you want to view the status of the assignment. On clicking, it displays Locations of Assignment This panel displays details such as the size of the file that needs to be scanned, encrypt of decrypt, any number of files or folders scanned, were there any plaintext in the file, any error occurred while performing an operation, etc.
  2. Convert – Click this button to convert the assignment into a target. When clicked, a message will be displayed that asks a user to convert an Assignment to Target. Upon clicking Convert, the assignment is converted to a new File Protection Policy and Target containing the same set of information. Currently the conversion of IBM AIX and HP-UX platforms are not supported.


    Upgrade agents to 17.6 or later to enable this feature. 

  3. Edit – Click this button if you want to update the details.
  4. Clone – Click this button to create a replica of an existing assignment with exact details.
  5. Delete – Click this button if you want to delete an assignment.
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.