Technical Articles ID: KB85876
Last Modified: 2023-06-19 08:54:07 Etc/GMT
Environment
File and Removable Media Protection (FRP) 5.x
Summary
This article is a consolidated list of common questions and answers. It's intended for users who are new to the product, but can be of use to all users.
Recent updates to this article:
June 19, 2023: Minor formatting updates; no content changes.
Contents:
What are the broad use cases that FRP addresses?
FRP protects data on local drives, network shares, and removable media devices. Specifically, it offers options to:
Encrypt files and folders on local drives.
Encrypt files and folders on network shares.
Encrypt files and folders synced to Cloud Storage services.
Encrypt removable media devices, with either of two behaviors:
Restrict use of encrypted removable media devices to the company's environment (onsite access only).
Allow encrypted devices to be read on systems that don't have any of our Encryption software installed.
Encrypt email attachments.
What does the persistent encryption feature mean?
Persistent encryption is the ability to maintain the encryption state of files for operations performed through Windows File Explorer.
Is the process of encrypting files and folders on local drives or network shares policy-driven or user-driven?
It can be both. The administrator can take the policy-driven approach and configure policies to encrypt either:
Files based on applications using the Application-based Protection policy.
Files and folders based on location, which can be either a local drive or a network share, using the Location-based Protection policy.
The administrator can also enable the Explicit Encrypt and Explicit Decrypt options. These options allow users to selectively encrypt or decrypt files and folders.
Does FRP support USB 3.0 devices?
Yes.
Does FRP support embedded SD cards?
No. FRP isn't compatible with SATA readers, but removable SD cards are supported.
Does FRP 5.0.x support a Virtual Desktop Infrastructure (VDI) environment?
Yes. FRP 5.0.x offers support for certain selected modes of Citrix XenDesktop 7.1 and later.
VDI information:
Supported VDI mode - Remote PC Access option (Existing VMs and Physical systems) under Operating System and Hardware (Create Machine Catalog).
VDI environment that isn’t supported - If you need support for other platforms in a VDI environment, submit a product idea. For details about submitting a product idea, see the Related Information section of this article. We’ll consider support for more versions or platforms of VDI environments for future releases.
Does FRP support the Advanced Format Drives that have a 4-KB hard disk sector size?
FRP doesn’t currently support the 4-KB native drives because the current Microsoft operating systems don’t support this format. But, FRP products do support Microsoft operating systems that support drives that use the Advanced Format of 4 KB physical and 512-byte logical sector size. The drives in this mode emulate 512-byte sectors, so no issues are expected. For details, see KB71582 - Support for the Advanced Format Drives that have a 4-KB hard disk sector.
Does FRP support governmental regulations, for example, HIPAA or FISMA, for records retention or retrieval?
Our encryption products can help address many of the compliance requirements.
NOTE: Use of our Endpoint Encryption solutions doesn't automatically guarantee or certify compliance. Customers must enlist the services of third-party compliance auditing services.
Is FRP Common Criteria Evaluation Assurance Level certified?
Yes. FRP 4.3.1 was the first version to be certified at the EAL2+ level of assurance through the Canadian Common Criteria Evaluation and Certification Scheme (CCS).
What burning software does FRP support with CD/DVD Encryption (Onsite Access Only)?
FRP supports Windows Burner (Mastered Format), Nero, and Roxio Creator.
Is FRP compatible with the Microsoft Encrypted File System (EFS)?
No. Because EFS and FRP are file encryption products and work at the same file system level, there would be a driver conflict.
Is FRP compatible with the Microsoft Extended File Allocation Table (ExFAT)?
Yes, for the container-based model of encrypting USB devices. The base file system doesn't matter because FRP creates a secure FAT32-based container on top of it, and this container is independent of the base file system.
Does FRP encrypt the Windows system page file?
Yes. FRP always encrypts the page file, which is why the page dump file is also encrypted. Not encrypting the Windows page file would be a security loophole.
Are the Microsoft Windows system files encrypted with FRP?
No. System files are excluded from encryption as a safety precaution.
Does FRP support encryption of files uploaded on a SharePoint server?
FRP can't communicate directly with Microsoft SharePoint Portal Server because it’s a web-based document management system.
SharePoint uses socket communication for all file operations instead of Windows I/O file operations. Thus, the FRP file system filter driver isn’t invoked in SharePoint file operations. And, the encrypted data is uploaded in plain text.
What about third-party encryption compatibility?
We don't recommend installing any other third-party file-based encryption products that operate at the same file system level. It would result in a driver conflict.
Does FRP work in Microsoft Windows Safe Mode?
FRP works for Safe Mode with networking. FRP doesn’t work for Safe Mode without networking.
Encrypted USB media can be read on Windows systems without having to install any FRP software - do I have the same flexibility with Mac OS X?
Yes. Offsite support on Mac OS X clients is a new feature introduced in FRP 4.3.
Is FRP installation supported on Mac computers?
Yes. Support for USB Media protection (container-based option) was introduced with FRP 5.0. The option enables users to initialize (create encrypted containers) on Mac systems.
The following protection level options are supported with this release:
Allow Unprotected Access (Report).
Allow Encryption (with offsite access).
Block Write Operations.
NOTE: If Enforce Encryption (with offsite access) is selected, the fallback on OS X systems is to the 'Allow' protection level.
How is an iPhone handled by Removable Media?
The iPhone doesn’t present itself as a USB storage device when connected to a Windows operating system. With the iPhone, Removable Media doesn’t try to create an encrypted container.
NOTE: You can exempt devices from Removable Media by using the Exempted Device IDs option. To find the Device ID for a removable media device, see the FRP Product Guide.
Can I use 'User personal keys' in a DLP Endpoint policy?
Yes. You can use 'User personal keys' with Host DLP 11 and later.
Can I Use User Directory accounts to assign keys?
Current restrictions in the Trellix Agent (formerly McAfee Agent) mean that User Directory can't be used in FRP key assignment.
Does FRP work with Drive Encryption (DE) or Management of Native Encryption (MNE)/BitLocker?
Yes. They’re different products that operate at different levels. DE/MNE (BitLocker) works at the sector level, and FRP works at the file level.
Do I have to restart a client when I install FRP, as I did with Endpoint Encryption for Files and Folders (EEFF)?
Yes. You must restart the client after you install FRP.
What does a user see if a non-Trellix encrypted drive is plugged into a Removable Media client? Is the user prompted to encrypt?
You might be prompted to perform encryption. This prompt occurs because Removable Media Protection options, with offsite access, might not recognize the drive as encrypted.
We advise you to include non-Trellix encrypted devices in the Exempted Device IDs list. The reason is because choosing to create an encrypted container on an already encrypted drive might result in unexpected behavior. Sometimes it can lead to loss of data. The message shown to users can also be customized as appropriate.
Is Removable Media functionality installed as a separate package?
Removable Media functionality is automatically installed with FRP.
Can I install FRP in FIPS mode?
Yes. FRP uses our Core Cryptographic Module (CCM), which has been validated at FIPS 140-2 Level 1. For more information about how to install FRP in FIPS mode via ePO, see the relevant FRP Product Guide for your release.
Also, see:
NOTE: Deployment of FRP in FIPS mode on a Mac operating system isn’t currently supported.
More FIPS information:
Running ePO in FIPS mode: You must review your overall configuration with the appropriate auditor to determine whether you have to run ePO in FIPS mode. Discussions with your auditor determine whether you have to operate client and server in FIPS mode or just the client. There are restrictions, such as ePO can only manage FIPS-certified products when operating in FIPS mode. For more information, see the relevant ePO Product Guide for your release on our Product Documentation site.
Running the Microsoft Windows system on which the FRP client is installed in FIPS mode: To determine, review your overall configuration with the appropriate auditor.
Upgrading from an existing version of EEFF 4.3.x to FRP 5.x (FIPS mode) is only supported if you installed and ran the previous version of FRP 4.3.x in FIPS mode. Otherwise, only clean installations are supported. You can't move from a non-FIPS installation of EEFF to a FIPS installation of FRP, because the keys have previously been generated in non-FIPS mode. The result is the inability to claim FIPS-certified status for your installation.
Clients that run FRP in FIPS mode. These versions can read files, folders, and removable media devices encrypted by the previous versions of EEFF installed in non-FIPS mode.
On systems where FRP is installed in non-FIPS mode, performance benefits offered by CCM are retained. FRP operating in non-FIPS mode also uses the CCM cryptographic module and can use performance benefits available by CCM using AES-NI.
I want to upgrade the product extension to FRP when some of my clients are still on EEFF. Can I still manage these clients with the FRP extension?
Yes. The extension is backward compatible, which allows the EEFF/FRP clients to remain manageable by the FRP extension. But, any new FRP functionality doesn’t work until the EEFF/FRP client has been upgraded.
When I initialize a large 500-GB USB device, and need to copy the existing data to the encrypted container, how much free space do I need on the FRP client?
When you initialize a large capacity USB device, you see a warning that asks whether you need to back up the data.
Example: If you connect a 500-GB drive full of data and choose to back up the data, you need that same amount of free space on the computer to complete the transfer.
How can I perform an FRP client upgrade using a third-party tool, when I can't uninstall FRP via Add/Remove Programs?
You must first uninstall the current version.
To uninstall FRP, run the following command at a command prompt:
On 32-bit systems, type: msiexec /x eeff32.msi
On 64-bit systems, type: msiexec /x eeff64.msi
When prompted to confirm that you want to uninstall the product, click Yes.
When prompted to restart the system, click No.
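The uninstall steps above, scripted for an unattended run from a third-party deployment tool, as an added example that is not part of this article. It assumes the eeff32.msi and eeff64.msi packages named above are available in a folder you supply ($MsiFolder is a placeholder); the /qn and /norestart switches stand in for the two interactive prompts.

```powershell
# Added example (not from the KB article): unattended FRP uninstall.
# Assumes the MSI packages named in the article are present in $MsiFolder.
param(
    [string]$MsiFolder = "C:\Deploy\FRP"   # placeholder; point at your package share
)

# Choose the package for the OS architecture, matching the article's two commands.
$msi = if ([Environment]::Is64BitOperatingSystem) { "eeff64.msi" } else { "eeff32.msi" }
$msiPath = Join-Path $MsiFolder $msi

if (-not (Test-Path $msiPath)) {
    throw "Package not found: $msiPath"
}

# /qn suppresses the confirmation prompt (the article's "click Yes").
# /norestart defers the restart (the article's "click No") so the new
# version can be installed first; a verbose log is kept for troubleshooting.
$log  = Join-Path $env:TEMP "frp-uninstall.log"
$proc = Start-Process -FilePath "msiexec.exe" `
    -ArgumentList @("/x", "`"$msiPath`"", "/qn", "/norestart", "/l*v", "`"$log`"") `
    -Wait -PassThru

# Standard Windows Installer exit codes: 0 success, 3010 restart required,
# 1605 product not installed.
switch ($proc.ExitCode) {
    0       { Write-Host "Uninstall completed; no restart pending." }
    3010    { Write-Host "Uninstall completed; restart deferred until after the new version is installed." }
    1605    { Write-Host "FRP is not installed on this system; nothing to do." }
    default { throw "msiexec failed with exit code $($proc.ExitCode); see $log" }
}
```

Run it with the same elevated rights your deployment tool normally uses for MSI operations; exit code 3010 means the restart the article calls for is still outstanding.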
Now, install an updated version of the product with either of the following methods:
After I upgrade from FRP 4.x to 5.x, what happens to the recovery key set as Key recovery on the removable media?
When the recovery for FRP 4.3.x removable media is set to recovery by key, the recovery method and the key set is used for the auto-unlock feature in FRP 5.x. The conversion happens automatically during an upgrade.
Do I have to uninstall the trial version of FRP and install the production version?
No.
What are the encryption options available for Protected Area for FRP?
The following encryption options are available on FRP with 'Allow Encryption (with offsite access)' and 'Enforce Encryption (with offsite access)':
Entire Device.
User Managed, which is the option that allows you to choose the size of the encryption part of the device.
What is the maximum recommended device size for 'Allow encryption (with offsite access)' or 'Enforce encryption (with offsite access)' options for USB Media?
We have tested and support devices on:
FRP 5.4.0 and later, up to 16 TB (only on Windows) and up to 8 TB (on Mac)
FRP 5.1.0 to 5.3.x, up to 8 TB
FRP 4.3.x and 5.0.x, up to 2 TB
When connecting a USB device, the encrypted area is shown in gigabytes (GB); can this value be shown as a percentage?
No. To have this kind of functionality in a future release, submit a product idea; see the Related Information section for details.
What is the basis on which the new policy pages for CD/DVD and Removable Media categories have been organized?
The original policy pages for both CD/DVD, and Removable Media referred to the Encryption Options and Encryption Method respectively. They now both focus on the Protection Level. On selecting the Protection Level, the associated Protection Options are available to be configured.
The main difference in behavior between the file-based and container-based encryption technologies is that file-based encryption constrains device usage to systems with FRP installed (onsite access only). Container-based encryption allows access on systems without our Encryption software installed, via the offsite browser (with offsite access). This behavioral difference is the main theme of the new UI for both policy categories.
What CD/DVD Protection Level options are available?
Allow Unprotected Access
Allow Encryption (with offsite access)
Enforce Encryption (with offsite access)
Enforce Encryption (onsite access only)
Block Write Operations
What are the Protection Level options available for Removable Media?
The Removable Media policy is organized into two tabs:
USB Media
Floppy Disk Media
Options available for USB Media:
Allow Unprotected Access
Allow Encryption (with offsite access)
Enforce Encryption (with offsite access)
Enforce Encryption (onsite access only)
Block Write Operations
Options available for Floppy Disk Media:
Allow Unprotected Access
Block Write Operations
What access does the user have on a USB drive, when a policy is set to 'Allow/Enforce Encryption with offsite access'?
With Enforce Encryption (with offsite access), if the user chooses not to encrypt, the whole device is made read-only. In this situation, the user can't write to any part of the device.
With Allow Encryption (with offsite access), if the user chooses not to encrypt, the device remains writeable, and any files written to the device remain unencrypted.
The following access applies when a USB Media Protection Level is set to one of the following, a device is already initialized, and a user-managed area of the device is available:
USB Media Protection Level | User-Managed area (Encrypted area) | Unencrypted area ("Unprotected Files" folder)
Enforce Encryption (with offsite access) | User has Read and Write access | User has read-only access
Allow Encryption (with offsite access) | User has Read and Write access | User has Read and Write access
Will the Block Write Operations protection level offered for USB Media block copy operations from the USB device as well?
No. Only copy operations to the USB device are restricted with this feature.
What is the default Protection Level option for Optical Media, Removable USB Media and Floppy Disk Media?
Protection Level options are:
Optical Media - Enforce Encryption (with offsite access)
Removable USB Media - Enforce Encryption (with offsite access)
Floppy Disk Media - Block Write Operations
Do the preceding Protection Level options use a file-based encryption or container-based encryption approach?
Allow Encryption (with offsite access) and Enforce Encryption (with offsite access) use the container-based approach.
Enforce Encryption (onsite access only) uses the file-based encryption approach.
What are the authentication options available for USB devices with the preceding options selected?
Authentication can be password-based, certificate-based, or key-based. Only password authentication is supported on the OS X FRP client.
Can I force a user to use a password as the authentication mechanism for Removable USB Media?
Yes. You can configure the authentication options available to the user via the Removable Media policy.
Where can I change the Removable Media password complexity?
It’s possible to configure the FRP Removable Media password complexity via the Password Policy Rules page in ePO.
An administrator can configure the following:
Minimum length of the password
Minimum number of uppercase characters
Minimum number of lowercase characters
Minimum number of alphabetical characters
Minimum number of numeric characters
Minimum number of special characters.
NOTE: The same password quality rules are applicable for FRP Authentication, Removable Media, Self-extractors, and User Local Keys.
Can I use a wildcard with the FRP Removable Media option Exempted Device IDs?
No. You can only exempt a device by using the Device ID. For details, see:
Can I configure the FRP Removable Media to exempt devices by serial number?
No. To have this kind of functionality in a future release, submit a product idea; see the Related Information section for details.
What is the maximum number of devices that can be inputted into the Removable Media FRP policy Exempted Device IDs field?
There’s a character limitation of 3072 characters for the Device Exemptions field. So, optimize entries in the field based on the guidance documented in KB81519 - How to configure Removable Media Protection to exempt devices.
Can I customize the UI text that appears when a removable USB Media is inserted?
Yes. The administrator can configure this text via the Removable Media policy. The text can be up to 300 characters in length.
What location is used by FRP Removable Media to temporarily store the data when the encryption container is being created?
When FRP Removable Media encrypts a USB device, the original data is moved to your local hard disk under: %<Users temp folder>%\McafeeEERMFormat\Format*
Can I change the temporary location FRP Removable Media uses when encrypting a USB device?
No. To have this kind of functionality in a future release, submit a product idea; see the Related Information section for details.
When is FRP Removable Media configured to delete the files backed up on the local hard disk?
The data isn't deleted until you respond to a dialog box, which appears either when you exit or when you reopen FRP Removable Media. This behavior is implemented to protect the original data in case the encryption process is interrupted.
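Because the original, unencrypted data stays in the staging folder named above until the user responds, a defender may want to know how much of it is sitting on client disks. The following added check (not part of this article) reports each Format* staging folder under the user's temp folder; it only reports and never deletes, since FRP removes the copies itself and deleting early could lose data from an interrupted encryption. The age threshold is an assumption.

```powershell
# Added example (not from the KB article): report FRP Removable Media staging
# folders retained under %TEMP%\McafeeEERMFormat\Format* (path from the article).
param(
    [int]$StaleAfterHours = 24   # assumed threshold; adjust to your environment
)

$stagingRoot = Join-Path $env:TEMP "McafeeEERMFormat"
if (-not (Test-Path $stagingRoot)) {
    Write-Host "No staging folder at $stagingRoot; no backed-up data retained."
    return
}

# One Format* folder per initialization that has not yet been acknowledged.
Get-ChildItem -Path $stagingRoot -Directory -Filter "Format*" | ForEach-Object {
    $files = @(Get-ChildItem -Path $_.FullName -File -Recurse -ErrorAction SilentlyContinue)
    $bytes = 0
    if ($files.Count -gt 0) {
        $bytes = ($files | Measure-Object -Property Length -Sum).Sum
    }
    $age = (Get-Date) - $_.LastWriteTime

    # Stale folders indicate a user who never answered the FRP dialog, or an
    # interrupted initialization whose originals were never cleaned up.
    [pscustomobject]@{
        Folder   = $_.FullName
        Files    = $files.Count
        SizeMB   = [math]::Round($bytes / 1MB, 1)
        AgeHours = [math]::Round($age.TotalHours, 1)
        Stale    = ($age.TotalHours -gt $StaleAfterHours)
    }
} | Format-Table -AutoSize
```

Run it in the affected user's session, because $env:TEMP resolves to that user's temp folder.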
Can I configure FRP Removable Media to have a policy where only removable media devices under a certain size are encrypted?
Yes, but only as an upper limit: you can specify the maximum USB drive size that FRP Removable Media initializes. The following FRP Removable Media encryption options are available:
Entire Device
User Managed
NOTE: Selecting the User Managed option lets the user choose the size of the encrypted part of the device.
When using the 'Send To, Mail Recipient' Windows context menu option to transfer an encrypted file, is it possible to prevent the files from being decrypted?
No. When you use the Windows context menu option Send to, files always attach as a decrypted file. Files are attached decrypted regardless of policy settings. Windows Explorer handles the file attachment process.
Is it possible to generate a list of all encrypted files?
Yes, but only locally on the client. FRP provides the Enable search encrypted option, located under the General policy, that allows searching for encrypted files. After this option is enabled, the user at the client has a right-click context menu option to search for encrypted files. NOTE: There's no current option for administrators to gather this information remotely. To have this kind of functionality in a future release, submit a product idea; see the Related Information section for details.
Is it possible to import/export an Exempted Device IDs list via the ePO console?
No. To have this kind of functionality in a future release, submit a product idea; see the Related Information section for details.
Can I encrypt files and send via Bluetooth?
No. To have this kind of functionality in a future release, submit a product idea; see the Related Information section for details.
What is the configurable Key Cache expiry feature?
The Key Cache expiry feature is a software-based, policy-driven feature. It gives the administrator the capability to configure how long the Key Cache is available locally on the FRP client before it’s removed because of non-connectivity to the ePO server.
Other Key Cache facts:
When the FRP client doesn't connect to the ePO server for the time period specified by the administrator, the Key Cache (containing the keys) is unloaded from the FRP client. In this scenario, users can't perform any operations that require the availability of keys, such as:
Reading encrypted files or folders on the local computer or network share
Initializing or encrypting removable USB media with the options Allow Encryption (with offsite access) or Enforce Encryption (with offsite access), where a key has been configured for key-based recovery of removable USB media
Encrypting CD/DVDs or USB media with the option Enforce Encryption (onsite access only)
Keys, which are unloaded because of non-connectivity to the ePO server, are reloaded after communication with the ePO server.
The minimum agent requirement for the Key Cache feature is McAfee Agent 5.0 or later.
Two options are available with Key Cache policy:
Enable Key Cache expiry
When selected, enables the automatic removal of keys from the Key Cache if the client system fails to connect to the ePO server in the configured period.
Key Cache expiry period
Specifies the number of days after which Key Cache is unloaded. Actioned when Enable Key Cache expiry is selected, and the client system hasn’t connected to the ePO server. NOTES:
The default Key Cache value is 90 days.
By default, the Key Cache expiry period feature is disabled.
The minimum value that can be configured for Key Cache expiry period is one day.
All types of keys are unloaded on the FRP client when the specified time period elapses (Regular, User Personal Keys, and User Local Keys).
When a key expires the files aren’t decrypted automatically, and access to those encrypted files is denied as long as the key remains expired.
When a key assigned to a user has been revoked or has expired, it isn’t possible to automate the process of renewing a key. You must access the FRP Keys page via the ePO console and activate the key manually.
Are large files (> 4 GB) now supported with 'Allow/Enforce Encryption with offsite access' options (formerly EERM)?
Yes. You can copy files larger than 4 GB to USB devices in a secure manner. Also, you can access them on systems without having to install any of our encryption software.
Other large file facts:
Files larger than 4 GB weren’t supported previously with offsite access options. The reason was because a FAT 32 file system was used for the secure encrypted container. This file system placed a maximum file size restriction of 4 GB.
Files larger than 4 GB are now supported because we have made improvements to the existing FAT32 container implementation to support files larger than 4 GB.
Files larger than 4 GB can be read/copied even on systems without FRP installed (offsite access) and applies to both Windows and Mac OS X.
For devices less than or equal to 4 GB, those devices continue to retain the old container format. Updating the container format doesn’t serve any purpose in this case because you can't copy files larger than 4 GB to these USB devices.
The max file size supported that can be placed in the encrypted container is, theoretically, up to 256 GB.
Devices that are initialized through the User-Managed mode with a container size of less than 4 GB continue to retain the old container format.
If the file system of the device is already NTFS, users don't have to format the USB drive to FAT before using it with the Removable Media Protection solution. The base file system of the USB device can be either FAT or NTFS; the Removable Media Protection solution creates a secure FAT32-based container on top of it.
An NTFS file system can't be used for the removable media encrypted container. NTFS is proprietary to Microsoft and isn't natively supported on platforms such as OS X. There are no public NTFS driver implementations available for FRP Removable Media to create the encrypted container in NTFS. Also, you would have to install a driver on the host platform, which requires local administrator permissions. Doing so defeats the whole purpose of having FRP Removable Media installed. We could use NTFS for the encrypted containers if we were allowed to install a driver or had those rights. But, without these abilities, it's impossible to provide an NTFS file system. Instead, FRP Removable Media containers must use FAT32. NOTE: Although the file system of the USB device can be either FAT or NTFS, the file system of the FRP Removable Media encrypted containers can only be FAT32. Thus, only the storage area that isn't assigned to be an encrypted container can be NTFS.
I have devices initialized with previous versions of FRP (EEFF) and I want to use the new functionality and place files of size > 4 GB. How do I do it?
You don't need to format or reinitialize the USB drives. With the new Allow large file support (> 4 GB) policy option enabled, the container format is automatically updated to support large files. The update takes place the first time the older-format USB device is inserted into an FRP 4.3 or 5.0 client.
Other upgrade container facts:
The 'Allow large file support (>4 GB)' option is for new installs, and is enabled by default. For upgrades, it’s disabled.
An event is generated and captured on the client for the container upgrade process. The event is sent back to ePO for Audit and Reporting purposes. The event helps the administrator track upgrade trends and hot spots for remediation.
The container upgrade process takes only a few seconds to complete.
Users don’t have to move the data out of the device before the container upgrade process. It’s a seamless in-place upgrade process with zero user interaction requirements.
During the container upgrade process, users see a pop-up message advising them not to eject the device or perform any operations during the upgrade process.
Sometimes users see the upgrade message twice during the container upgrade process. FRP must resize the container in addition to changing its format. In this scenario, users are notified that the container upgrade procedure is a two-step process.
The container format remains the same as before, and users aren’t able to copy files larger than 4 GB under the following conditions:
Device is initialized with a previous version of FRP and is inserted into a computer running FRP 4.3 or 5.0.
The option to allow large file support (> 4 GB) hasn't been selected.
If the option to allow large file support (> 4 GB) hasn't been selected for devices newly initialized with FRP 4.3/5.0, those devices have the older container format. The old format places the file size restriction of 4 GB.
Even when the policy option to allow large file support (> 4 GB) isn't selected, you still see an upgrade message when the USB device is being upgraded to provision the Mac offsite application. If you select the Allow large file support (> 4 GB) option, the container upgrade and Mac offsite application provisioning occur simultaneously.
If you have a mixture of FRP 4.3.x and 5.0.x clients in your environment, users can't read USB devices that have the new container format on computers that run previous versions. Computers running the previous versions of FRP aren't able to detect the new container format. Although files on the encrypted device can be read on these computers using the offsite application, it isn't advisable.
Does FRP encrypt temporary and work files generated by programs?
FRP doesn’t encrypt any files or folders that aren’t specified in the File/Folder encryption policy.
What is our Core Cryptographic Module (CCM)?
CCM is a cross-platform, cross-product, cryptographic module developed by us, which is used in upcoming releases of all our Endpoint Encryption products. CCM provides performance benefits and, in particular, uses Intel Advanced Encryption Standard Instructions (AES-NI). CCM results in other performance improvements on systems with AES-NI support.
Other CCM information:
FRP uses CCM (user) and CCM (kernel).
The current certification status of CCM module is that the FIPS 140-2 validation process for our Core Cryptographic Module has been successfully completed. The Cryptographic Module Validation Program (CMVP) awarded certificate number 2239 to our Core Cryptographic Module (user) in October 2014; which is posted on the NIST website. The companion Core Cryptographic Module (kernel) FIPS 140-2 validation was announced in August 2014 and has certificate number 2223. These cryptographic modules have been validated at FIPS 140-2 Level 1.
What cryptographic algorithms does FRP use?
FRP uses AES-256, accelerated by AES-NI where the processor supports it.
Which FRP encryption rule takes precedence?
Here's an example. Consider that a file extension encryption policy is set to encrypt, for example, PDF files with Key A. A Folder Encryption policy is set to encrypt files in folder X with Key B. Which key is used to encrypt a PDF file put into folder X? The answer is that it’s encrypted with Key B because Folder Encryption always overrides File Extension Encryption.
Can I block a process?
Yes. The main purpose of blocking a process is to prevent encrypted data being unintentionally exposed in plain text. The feature isn’t designed to share encrypted data via, for example, webmail or the internet.
Processes that are OK to block:
FTP processes
File-sharing processes
File backup processes
Processes that are risky to block:
Internet browser processes
Email client processes
Processes that must never be blocked:
Data compression applications like WinZip
Windows Explorer
Windows processes
EEFF client processes
Scanning processes or processes for our other products
Can I use a command line or script to decrypt a file that has been encrypted on a network share?
No. Decryption can only take place via the UI.
Can I read an FRP Removable Media-encrypted USB device on a Windows/Mac OS X computer that doesn’t have FRP?
Yes. A key reason to use FRP Removable Media is to have a File Explorer application that resides on the USB media. This arrangement negates the need for any computer to have FRP Removable Media installed to authenticate and access the data in the FRP Removable Media container.
Can I decrypt the data encrypted on a Removable Media device when I want?
No. First back up the data on the encrypted removable media device, then format the device to remove the encrypted containers. To request enhancement of this feature in a future release of the product, you can submit a product idea. See the Related Information section for details.
NOTE: For Offsite Access, first you need to authenticate the removable media device before following the steps above.
Can I make a USB drive bootable after installing FRP Removable Media?
Yes. When you use FRP Removable Media, there’s both a private and public area. You can set up the USB drive as a bootable device. But, the files needed to boot the system are in the public area, and aren’t encrypted.
Can users stop the FRP Removable Media services to disable the encryption policy?
No. You can only disable the encryption policy via the FRP Removable Media policy at the ePO server.
Do I have to enable the Autorun option for the FRP Removable Media password/encryption prompt to be displayed?
Yes. But, even with Autorun disabled, you can still log on to the FRP Removable Media drive by opening the drive and running the FRP Removable Media application.
Does FRP Removable Media install any software on the computer?
No. Nothing is installed on the local computer. MfeEERM.exe or the Removable Media App for OS X, which resides on the USB device, decrypts the encrypted container (.dsk). The FRP standalone application prompts the user for a password before decrypting.
Can FRP keep a log of the files that are written to an initialized removable USB media?
This ability isn’t a feature in the current releases. To request enhancement of this feature in a future version of the product, you can submit a product idea. See the Related Information section for details.
Can an encrypted FRP file be emailed, either inside or outside of the company?
Yes. But, other security policies that your company applies might constrain or prohibit this action.
Do I have to take any manual actions to decrypt the file before emailing?
Encrypted files are automatically decrypted when attached to an email, provided the user has access to the right encryption key. When an email application sends a file, the mail doesn’t pass through Windows file I/O and the FRP filter driver; the mail and its attachment leave via a socket connection in plain text. In brief, encrypted files are attached in plain text when sent as email attachments.
NOTE: You can allow encrypted attachments with FRP in Windows Explorer. Right-click the file to be attached and select one of the Attach Encrypted options:
Context Menu Option: Description
Attach encrypted to E-mail: This option requires that the FRP client is installed so the file can be read. So, use this option for internal emailing.
Attach as Self-Extractor to E-mail: This option only requires the encryption password to open it. So, use this option for external emailing.
NOTE: Both these right-click options are subject to policy control. If used, a call is made to the default email application and an email opens with the encrypted attachment, based on what the user selected.
Can I block encrypted files from being attached in plain text?
Yes. Use the FRP Blocked processes feature.
NOTE: With this feature enabled, encrypted files are attached still encrypted and are therefore unreadable outside the organization. But, this feature isn’t the way to share encrypted attachments via email. Blocked Processes is just a method to prevent encrypted files from being accessed in plain text.
Are User Local Keys backed up on the ePO server similar to User Personal Keys?
No. The reason for User Local Keys is to keep them local.
Do User Local Keys move with the user if the user has two computers?
Yes. If you’re using Roaming Profiles, or if you create the keys on a removable drive, the keys move with the user.
Why can't I see User Local Keys on the FRP 5.4.1 Management Console after a restart, a sign out, or a user switch?
For FRP 5.4.1 and later: User Local Keys are displayed on the FRP console only after the user has used that key for an operation, for example opening an encrypted file, or encrypting or decrypting a file.
For FRP 5.4.0 and earlier: User Local keys are displayed on the FRP Management Console, even before any kind of operation.
Which key applies when a policy encrypts a subfolder with a different key from its parent folder?
If you encrypt a subfolder with a different key from its parent folder, you only require the key for the subfolder to access the contents of that folder. Example scenario:
A policy exists that encrypts Folder A in the path C:\FolderA with a specific key.
A newer policy is created that encrypts Folder B in the path C:\FolderA\FolderB with a different key.
You only require the key for Folder B to access the contents of Folder B. Any other items in Folder A remain encrypted.
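A small resolver that models the two precedence rules stated above (a folder policy overrides a file extension policy, and the deepest matching folder policy overrides its parents), as an added Go example with its own hypothetical Policy type; it is not FRP code and not FRP's policy format.

```go
package main

import "strings"

// Hypothetical policy model for the two precedence rules the article states:
// any folder policy beats an extension policy, and the deepest matching folder
// policy beats its parents. Names and layout are this example's own, not FRP's.
type Policy struct {
	Folder    string // e.g. `C:\FolderA`; empty for an extension rule
	Extension string // e.g. ".pdf"; empty for a folder rule
	Key       string
}
// normalize lowercases and strips a trailing separator, so matching is
// case-insensitive and unaffected by how the folder path was typed.
func normalize(p string) string {
	return strings.TrimRight(strings.ToLower(strings.ReplaceAll(p, "/", `\`)), `\`)
}
// isWithin requires a separator after the folder, so C:\FolderAB is never
// mistaken for a child of C:\FolderA.
func isWithin(file, folder string) bool {
	return file == folder || strings.HasPrefix(file, folder+`\`)
}
// ext returns the extension of the last path component without relying on the host OS separator.
func ext(file string) string {
	base := file[strings.LastIndex(file, `\`)+1:]
	if i := strings.LastIndex(base, "."); i >= 0 {
		return base[i:]
	}
	return ""
}
// keyFor returns the key a file would be encrypted with, or "" if no policy applies.
func keyFor(file string, policies []Policy) string {
	file = normalize(file)
	bestKey, bestLen := "", -1
	for _, p := range policies {
		if f := normalize(p.Folder); p.Folder != "" && isWithin(file, f) && len(f) > bestLen {
			bestKey, bestLen = p.Key, len(f) // deepest matching folder wins
		}
	}
	if bestLen >= 0 {
		return bestKey // a folder match overrides every extension rule
	}
	for _, p := range policies {
		if p.Extension != "" && strings.EqualFold(ext(file), p.Extension) {
			return p.Key
		}
	}
	return ""
}
```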
Must I delete or remove the User Local Keys created on the client?
No. These keys aren’t automatically deleted because they can be accessed again if you reinstall the FRP client. You can only manually delete User Local Keys.
Does FRP encrypt the file or folder with a symmetric or an asymmetric key?
Symmetric.
Can I share FRP encryption keys between ePO servers?
No. The only way to share keys between ePO servers is to export the keys from one ePO server and import them to another.
If a user has multiple USB drives, do the drives share the recovery key on both the same or different computers?
Yes. Multiple USB drives share the recovery key on multiple computers.
IMPORTANT: If you use two USB devices on two different computers, you can have a different recovery key if the FRP administrator has set a different recovery key for different computers.
Are user-based policies manageable via an Active Directory (AD) Group Membership or Organization Unit affiliation?
Yes. You can manage user-based policies via AD Group Membership.
Can I apply multiple policies to a user account and if so, how does policy precedence work?
There are two ways in which a user account can have multiple policies:
No Policy Assignment Rule is set for the user account (for the required policy). The user gets the policies that apply to the computer they are logged on to.
For example, if a user logs on to Computer1, they get the Explicit Encryption context menu option if it has been enabled in the Computer1 FRP General Policy. If the same user logs on to Computer2, they might not have the Explicit Encryption context menu option, because it might have been disabled in the Computer2 FRP General Policy.
A Policy Assignment Rule has been set for the user account. In this case, precedence is determined by the priority set for the Policy Assignment Rules.
What is the purpose of the Self-Extractor?
To share encrypted data with users that don’t have FRP installed on their computers. For example, if you want to hand over the input material for your financial statements to a third party.
Other Self-Extractor file facts:
The algorithm used when creating an FRP Self-Extractor file: When you click Save to disk, the Self-Extractor is saved to the user-specified location (for example, to a USB flash memory drive). When you’re prompted to select the password used to encrypt the Self-Extractor, the key is derived according to the Password-Based Cryptography Standard, PKCS#5. The encryption key is derived from the password, and that key is then used to encrypt the Self-Extractor. The encryption algorithm is AES 256.
The largest recommended input data size when creating a self-extractor file is 10 MB because it’s optimized for email attachments. You can use a larger input data size, but we don’t recommend using larger files. Any issues found when using larger files aren’t supported.
FRP Self-Extractor files aren’t readable on macOS, because the FRP Self-Extractor creates a Windows executable. To request enhancement of this feature in a future version of the product, you can submit a product idea. See the Related Information section for details.
FRP doesn’t compress files that are encrypted with regular encryption. Compression is only performed on FRP self-extracting files.
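To make the Self-Extractor key handling concrete, an added Go example (not FRP's code) derives an AES-256 key from a password with PKCS#5 PBKDF2 and uses it to encrypt and then decrypt a payload, so that a wrong password is rejected by the tag check. The hash function, salt size, iteration count and AES mode are assumptions, because the article names only PKCS#5 and AES 256.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
// Assumed here (the article names only PKCS#5 and AES-256): PBKDF2-HMAC-SHA256, a 16-byte salt, 200000 iterations, AES-256-GCM.
const iterations, saltLen, nonceLen = 200000, 16, 12
// deriveKey is PKCS#5 v2 PBKDF2 for one 32-byte block, i.e. exactly one AES-256 key.
func deriveKey(password, salt []byte) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian block index
	u := mac.Sum(nil)
	dk := append([]byte(nil), u...) // copy: u is replaced each round, dk accumulates
	for i := 1; i < iterations; i++ { // T1 = U1 xor U2 xor ... xor Uc
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range dk {
			dk[j] ^= u[j]
		}
	}
	return dk
}
// aeadFor wraps the derived key in AES-256-GCM; both calls are infallible for a 32-byte key.
func aeadFor(password, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(deriveKey(password, salt))
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// seal returns salt || nonce || ciphertext || tag; the salt is also bound as associated data, so a wrong password or any tampering makes the tag check in open fail.
func seal(password, plaintext []byte) []byte {
	hdr := make([]byte, saltLen+nonceLen)
	rand.Read(hdr) // crypto/rand.Read never returns an error as of Go 1.24
	return aeadFor(password, hdr[:saltLen]).Seal(hdr, hdr[saltLen:], plaintext, hdr[:saltLen])
}
// open reverses seal; its error is the only signal that the password was wrong.
func open(password, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	salt, nonce := blob[:saltLen], blob[saltLen:saltLen+nonceLen]
	return aeadFor(password, salt).Open(nil, nonce, blob[saltLen+nonceLen:], salt)
}
```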
What is the temporary location for the encrypted container that holds the selected data to be burned to CD/DVD, or streamed out as an ISO image?
The Windows API is used to return the temporary path where FRP then creates a subfolder. For Windows 7 and later, the temporary path by default is C:\Program Data\. You can reconfigure this path from within Windows.
Other CD/DVD/ISO facts:
Users don’t have to select the files and folders to be written to CD/DVD/ISO each time. The feature allows the user to define and save a project file (.emo extension) that contains metadata about the source location and content. If changes have been made to the source structure or content since the project was last saved, the tool highlights the changes.
Users can use this CD/DVD/ISO project file to back up the same source content on a periodic basis. The project file saves metadata about the source folders and content. You can set up a project file to capture the files and folders to be included in the backup. You can then open the project file and use it to define the content to be archived to CD/DVD/ISO.
The structures on the CD/DVD/ISO don’t have to be the same as in the source location. The project file provides a mapping between the source files and folders and the structure used in the CD/DVD/ISO image. You can move, rename, and create folders within the project file, and you can move and rename files. The structure created on the CD/DVD/ISO reflects the structure defined.
What ISO standard does FRP use (Offsite Access protection)?
FRP uses the native Windows API (Microsoft Windows Image Mastering API v2.0) for burning, and uses Level 2. For details, see the Disc Formats Microsoft article.
Is the support for selected modes for Citrix XenDesktop 5.6 and 7.1 with FRP applicable to the entire product functionality?
Yes. File and folder encryption and also the Removable Media Encryption functionality are supported in a VDI environment.
Is there anything different that I have to do if I provision FRP in a Citrix XenDesktop environment?
No. The workflow remains the same.
Can I recover a USB drive that is NTFS formatted on a Mac?
No. Although FAT32 formatted devices can be recovered on a Mac, NTFS formatted devices can't. The limitation is in macOS, which can read but not write to NTFS devices. Trying to recover an NTFS formatted device on a Mac results in the error "Password Update Failed."
Why was the Recovery Password option removed in FRP 5.0 and later?
A Challenge Response Help Desk recovery feature (similar to Drive Encryption) for USB devices was added in FRP 5.0. To minimize the changes, the existing fields previously used for Recovery Password were reused.
The decision was based on feedback that if users can't remember the primary authentication password, they are unlikely to remember the recovery password either.
NOTE: USB drives previously initialized with Recovery Password can still be recovered.