Policy Rules Guide

Explore this glossary to discover various rules that may be incorporated into a policy.

PreviousUser Policies NextUser Applications

Last updated 1 month ago

Was this helpful?

Policy Rules Guide

Explore this glossary to discover various rules that may be incorporated into a policy.

Protected folders

Protected folders are fundamental in FenixPyre, defining specific folder locations accessible to designated users and groups. These folders allow users and groups within your organization to access and consume encrypted content using FenixPyre. Notably, encrypted files can only be accessed within these protected folders, whether via FenixPyre's Windows agent or cloud integrations. Examples of protected folder paths include common user directories, on-premises network drives, and cloud-based document sharing services.

Windows Desktop Agent Paths

You can specify folders commonly used by users on their desktop for storing sensitive files. If you're unclear on the usernames of your users, we support wildcard based folder paths. Few examples of Windows Desktop agents are

eg: 
C:\Users\%username%\Desktop\SensitiveFiles
C:\Users\%username%\HR_Files

Note: Files in Windows desktop folders marked as protected folders will be encrypted automatically by the FenixPyre Windows agent.

Network Drive Paths

You can also add protected folders to provide access using DFS, UNC, and Mapped Drive paths.

To set a folder named "secrets" as protected, located in a shared folder "documents" on the server "server1," use the UNC path:

\\server1\documents\secrets

The double backslash (\\) indicates a UNC path, followed by the server name and shared folder name.

UNC Path Syntax:

\\server_name\share_name\file_path

A UNC (Universal Naming Convention) path specifies the location of files or folders within a network, using the server name or IP address, and the share name.

After completing the steps above, Anchor will protect your folder. You can access the folder using DFS, UNC, and Mapped Drive paths. However, you cannot access the files using the local server path.

Note: Files in Network Drive folders marked as protected folders will be encrypted automatically by the FenixPyre Windows agent.

SharePoint/OneDrive Web Paths

Add Sharepoint or OneDrive folder as protected folders by selecting the OneDrive path from the drop down and then adding the path in the following format

\\<sharepoint or onedrive domain>\sites\<siteDomain>\<folderPath>

You can also copy the sharepoint or onedrive web url to the input box and then we will convert it to the above format too

Egnyte Web Paths

Box Web Paths

User Permissions

The following permission decide what type of actions can be performed by the user or group on FenixPyre.

Permission

FenixPyre Windows Agent

FenixShare (SharePoint, OneDrive and other cloud integrations)

Can Encrypt

This permission determines whether a user can encrypt files

Can Decrypt

This permission determines whether a user can decrypt files and remove protection.

This permission determines whether a user can decrypt files

Can Share

This permission determines whether you can share a file via outlook or right-click option via FenixShare.

The permission determines whether you can share a file from SharePoint, OneDrive, Egnyte or Box Drive using FenixShare.

Can View Audit Logs

This permission determines whether a user can view audit logs form the right-click option

Thiis permission determines whether a user can view audit logs .

Can Open

Rolling out soon

Can Edit

Rolling out soon

Can Add Protection

Rolling out soon

Can Delete

Rolling out soon

User Applications

With FenixPyre installed on Windows Desktops, you can control which applications can access encrypted files and how they do so.

There are a number of configurations that you can manage for an application while adding them to a policy.

Enable opening files from non-protected folders

Enable saving files to non-protected folders

This option determines the application encrypts all the files saved irrespective of the folder it's saved to. This setting will be useful to enforce a stricter encryption policy and not worry about defining protected folders.

Enable compliance mode

Enable real-time file block

Enable this option to have FenixPyre automatically close the application and files when access rules are violated or a user

Enable returning original file size

Enable this option to have FenixPyre return decrypted (original) file size or encrypted file size when applications request file information using the windows directory listing api call. Recommended value: Enabled

Prevent opening protected and unprotected files together

When this option is enabled, the users will not be able to open encrypted and non-encrypted files at the same time. This is to prevent accidental sharing of sensitive data

Endpoint Settings

Automatic Encryption Service

Automatic encryption service is a windows endpoint feature that FenixPyre offers in which it encrypts any file that has been newly added to or created within an a protected folder.

Managing Automatic Encryption Disruptions

The suggested delay is 5,000 ms. We recommend keeping the delay value below 60,000 ms (or 1 minute).

Anchor's automatic encryption service may disrupt workflows by encrypting new files in protected folders immediately. This encryption can cause application conflicts, such as interrupting an SFTP file transfer, depending on how files are created in the folder. To address these issues, we have introduced a delay setting to allow more flexible handling of such cases.

Limitations

Sequential Processing: When adding multiple files to a protected folder, the encryption service processes each file one at a time. Each file is subject to a delay, regardless of any accumulated delay.
Placeholder Files: The service does not encrypt placeholder files.
Active File Usage: Files may not be encrypted if they are in use by another application or process.
Zero-byte Files: Files with zero bytes are not encrypted.

If you are looking for a solution for encryption files on cloud - SharePoint/OneDrive, Egnyte or Box we suggest you learn about Auto-Encryption on FenixShare

Periodic Encryption Service

FenixPyre offers a Windows feature called the Periodic Encryption Service, which regularly scans protected folders and encrypts any unencrypted files. You can set the scan frequency between 30 minutes (recommended) and 1440 minutes (every 24 hours).

Recommended value: 30 mins

Limitations

Placeholder files in OneDrive or SharePoint folders will remain unencrypted.
Network shared folders are excluded from scans, except for Egnyte Connected Folders.

Offline Mode

Offline mode allows offline access to encrypted files, enabling users to work without an internet connection. Administrators can determine which users have offline access and set a time limit of up to 90 days. While an internet connection is typically needed for accessing Anchored files, offline mode balances offline functionality with maintaining control and protection of Fenixpyre encrypted files

Recommended period: 15 days

Allowed Extensions

By default, any file whose extension is listed under Allowed Extensions is encrypted automatically by the Automatic Encryption Service and the Periodic Encryption Service on the FenixPyre Windows agent.

File Settings

Preserve File Timestamps

By default, FenixPyre preserves original file timestamps when encrypting or decrypting. This means the "last modified date," "last access date," and "last write date" stay the same even after files are processed. If you want these timestamps to reflect the time of encryption or decryption instead, you can change this default behavior.

Recommended Value: Enabled

Preserve File Security Info

You can keep a file’s security details, like its Discretionary Access Control List (DACL), even after encrypting or decrypting. A DACL controls who can access files and folders in a computer system.

Recommended Value: Enabled

File Access Rules

Access Rules define the conditions that must be met before encrypted data can be opened. They are automatically applied to new and existing files, which makes managing access controls much easier.

Default Rule (Organization): The device must belong to the data-owning organization. All files are given this global default rule upon encryption.
Geo-Fencing: Currently only supports the US, so files can only be opened if accessed from within the United States. This is verified using geolocation, IP addresses, or both.

Office Add In Settings

The FenixPyre Office Add-In offers various settings that help Data Loss Prevention (DLP) in Office 365. These settings disable any features that could compromise data security, ensuring your sensitive information remains protected.

Setting Name

Description

Recommended Value

Can Lock Files

FenixPyre automatically handles file locking for Office files synced from OneDrive or SharePoint. It ensures encrypted files are edited by only one user or device at a time, preventing conflicts and maintaining data security.

enabled

Can Share

Enable or Disable Share Options in Microsoft Office

disabled

Can View Info

Enable or Disable View Info Option in Microsoft Office

disabled

Can Transform

Enable or Disable Transform Option in Microsoft Office

disabled

Can Export

Enable or Disable Export Option in Microsoft Office

disabled

Can Publish

Enable or Disable Publish Option in Microsoft Office

disabled

Can Print

Enable or Disable Print Option in Microsoft Office

disabled

Can Custom Preview

Enable or Disable Custom Preview Option in Microsoft Office

disabled

Can Save to Non-Protected Folders

disabled

Advanced Settings

Setting Name

Description

Recommended Value

User Policy Update Interval

The Windows agent updates user policies at regular intervals. By default, these updates occur every 60 seconds.

60 seconds

Access Control Heartbeat Interval

Frequency at which FenixPyre verifies user status and ensures compliance with file access rules.

15 seconds

PreviousUser Policies NextUser Applications

Last updated 1 month ago

Was this helpful?