almahoro
Explorer

Harmony Endpoint BitLocker behavior

Hello Everyone,

I recently implemented Harmony Endpoint in my customer's environment and I noticed strange behavior with BitLocker Encryption.

The laptop we tested the solution on was encrypted with BitLocker prior to installation of Harmony Endpoint Client. Before the installation, we enabled Full Disk Encryption on the relevant Deployment policy, as well as on the relevant Data protection policy.

As expected, Harmony showed the endpoint as encrypted and didn't attempt to encrypt it again. We tried disabling Full Disk Encryption on the Deployment policy, but not on the Data protection policy and Harmony immediately started decrypting the disk. It made no particular sense to us, however, it might be for security reasons, so that the endpoint wouldn't stay encrypted without the ability to decrypt it since Full disk encryption is now disabled on Deployment policy.

Could someone please confirm if this is the reason for the described behavior?

In addition to the aforementioned, the strangest part about this feature was: when we disabled encryption on the Data protection policy and then enabled it on the Deployment policy, we expected the feature to be visible on the Endpoint Client, but the encryption to be turned off, however, as soon as we upgraded the client and installed the policy, Harmony Endpoint started Encrypting the disk.

What could be the reason for this behavior?

Thank you all in advance.

0 Kudos
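The thread turns on a volume that was already BitLocker-encrypted being silently decrypted after a policy change. As an added example (not code from the thread or from Check Point), the following PowerShell snippet records a BitLocker baseline before the Harmony Endpoint client or a policy change is rolled out and flags the transitions described in the post afterwards: a FullyEncrypted volume moving to DecryptionInProgress/FullyDecrypted, protectors being suspended, or the set of key protectors changing. It uses the built-in BitLocker module (Get-BitLockerVolume) and must run elevated; the baseline path is an assumption.

```powershell
# Added example (not from the thread or Check Point): snapshot BitLocker state
# before and after a Harmony Endpoint policy change and flag unexpected transitions.
# Requires the Windows BitLocker PowerShell module; run from an elevated session.
$BaselinePath = 'C:\ProgramData\BitLockerBaseline.json'   # assumed location for the baseline

function Get-BitLockerSnapshot {
    # One flat record per volume, using only properties exposed by Get-BitLockerVolume.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint           = $_.MountPoint
            VolumeStatus         = [string]$_.VolumeStatus      # FullyEncrypted, DecryptionInProgress, ...
            ProtectionStatus     = [string]$_.ProtectionStatus  # On / Off
            EncryptionPercentage = $_.EncryptionPercentage
            EncryptionMethod     = [string]$_.EncryptionMethod
            KeyProtectorTypes    = ($_.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType }) -join ','
        }
    }
}

function Save-BitLockerBaseline {
    # Run this BEFORE installing the client or changing the Deployment / Data Protection policy.
    Get-BitLockerSnapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
}

function Compare-BitLockerBaseline {
    # Run this AFTER the policy has been installed on the endpoint.
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    foreach ($now in Get-BitLockerSnapshot) {
        $was = $baseline | Where-Object { $_.MountPoint -eq $now.MountPoint }
        if (-not $was) {
            Write-Warning "New volume $($now.MountPoint): $($now.VolumeStatus)"
            continue
        }
        # The behaviour from the thread: an encrypted disk starts decrypting after a policy change.
        if ($was.VolumeStatus -eq 'FullyEncrypted' -and
            $now.VolumeStatus -in @('DecryptionInProgress', 'FullyDecrypted')) {
            Write-Warning "$($now.MountPoint): was FullyEncrypted, now $($now.VolumeStatus) ($($now.EncryptionPercentage)% encrypted)"
        }
        # Protectors suspended (disk still encrypted, but the clear key is exposed on disk).
        if ($was.ProtectionStatus -eq 'On' -and $now.ProtectionStatus -eq 'Off') {
            Write-Warning "$($now.MountPoint): protection suspended (ProtectionStatus Off)"
        }
        # Protector set changed, e.g. a TPM protector replaced or a recovery password added/removed.
        if ($was.KeyProtectorTypes -ne $now.KeyProtectorTypes) {
            Write-Warning "$($now.MountPoint): key protectors changed: '$($was.KeyProtectorTypes)' -> '$($now.KeyProtectorTypes)'"
        }
    }
    # Always print the current state so a ticket can quote it.
    Get-BitLockerSnapshot | Format-Table -AutoSize
}

# Usage: Save-BitLockerBaseline on the pilot laptop, install/upgrade the client and
# push the policy, then Compare-BitLockerBaseline once the client reports policy applied.
```

Running the comparison a few minutes after the policy lands (and again after a reboot) catches the decryption described above while it is still in progress, which is also the point at which it is cheapest to revert the policy and let the volume re-encrypt.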
1 Solution

6 Replies
_Val_
Admin
Admin

I am sorry to ask, but what part of the behavior seems not okay to you? Your Deployment policy originally required that the disk be encrypted upon deployment. Since there already was encryption in place, it did not do anything. When you disabled this requirement, the client decrypted the disk, as you asked. When you re-enabled it, it encrypted again.

For the data protection, it is to verify that additional media is encrypted when copying the files out, as I remember.

All you described seems to be by design. 

0 Kudos
almahoro
Explorer

Hello,

Thank you very much for your reply. The part of the behavior that concerns me is the part where Full Disk Encryption is installed on the Client (by enabling it in Deployment Policy > Software Deployment) but Encryption is OFF (turned off in Data Protection > General) (please find the screenshots attached).

To my understanding, the policy described above should ensure that the encryption feature is installed on the client, but that it should not start encrypting the disk until the type of encryption is chosen in Data Protection policy (Check Point Encryption or BitLocker).

Thanks again,

Br.

0 Kudos
_Val_
Admin
Admin

This is not exactly correct.

Please review encryption settings for both Deployment Policy and Data Protection Policy in the admin guide. You can start here: https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Harmony-Endpoint-Admin-Guide/...

0 Kudos
almahoro
Explorer

Thanks again.

I believe I already read most of the documentation there is about Harmony Endpoint 🙂

It just doesn't make sense to me that there is an OFF option in the policy if it doesn't do anything.

Thanks again,

Br.

0 Kudos
_Val_
Admin
Admin

In your case, there are two conflicting rules. The Deployment Policy requires FDE at the deployment stage. The Data Protection policy does not.

The most restrictive rule prevails. If you do not want FDE to initiate during the deployment stage, uncheck the deployment policy FDE rule. 

0 Kudos
almahoro
Explorer

I wasn't aware that Deployment policy works like that and could be in conflict with the rest of the rules.

I guess it makes sense if you put it like that.

Again, thank you very much for the clarification.

0 Kudos