# Policy Rules Guide

## Protected folders

<figure><img src="https://3947089720-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOuMyGdeUQs2m5OYPFuwT%2Fuploads%2FjS3ieWnwy0QGXGhNg3DE%2FFenixPyre%20Admin%20Dashboard%20Concept%201.jpg?alt=media&#x26;token=15b4c443-e64e-4806-894d-8aeb9de32ce8" alt=""><figcaption><p>Concept of Protected Folders</p></figcaption></figure>

Protected folders are fundamental in FenixPyre, defining specific folder locations accessible to designated users and groups. These folders allow users and groups within your organization to access and consume encrypted content using FenixPyre. Notably, encrypted files can only be accessed within these protected folders, whether via FenixPyre's Windows agent or cloud integrations. Examples of protected folder paths include common user directories, on-premises network drives, and cloud-based document sharing services.

### Supported Path Types

#### 1. Windows Local Paths

Local paths are used for protecting folders on users' Windows machines.

<figure><img src="https://3947089720-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOuMyGdeUQs2m5OYPFuwT%2Fuploads%2FSIOoDP8iizhLqar10dBB%2Fimage.png?alt=media&#x26;token=4850231a-eb84-4f6d-a21d-3d4b0c4775ec" alt=""><figcaption></figcaption></figure>

**Syntax**

```
C:\Users\%username%\path\to\folder
```

**Key Features**

* Supports `%username%` variable for dynamic user paths
* Case-insensitive
* Backslashes (`\`) required as separators
* Drive letter (e.g., `C:`) must be specified

**Examples**

```
C:\Users\%username%\Desktop\Confidential
C:\Users\%username%\Documents\HR_Files
C:\Program Files\Company\Secure
```

**Best Practices**

* Use `%username%` for paths that should work across different user profiles
* Avoid spaces in folder names when possible
* Use consistent casing for better readability
* Verify the path exists before adding

#### 2. Network Paths

Network paths allow protection of shared folders on network drives. UNC, DFS, and mapped drive paths are supported.

<figure><img src="https://3947089720-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOuMyGdeUQs2m5OYPFuwT%2Fuploads%2FcJyi3U3RFTktbL3tzpLf%2Fimage.png?alt=media&#x26;token=34f8f47d-a0f4-4faa-81a6-13fca3880eb0" alt=""><figcaption></figcaption></figure>

**UNC Path Syntax**

```
\\server_name\share_name\folder_path
```

**DFS Path Syntax**

```
\\domain\dfs_root\folder_path
```

**Key Features**

* Double backslashes (`\\`) required at start
* Server/domain name must be specified
* Supports both IP addresses and hostnames

**Examples**

```
\\fileserver\shared\Finance
\\192.168.1.100\documents\Legal
\\domain.local\dfs\Department\HR
```

**Best Practices**

* Use UNC paths instead of mapped drives for reliability
* Verify network connectivity before adding
* Ensure proper network share permissions
* Consider using DFS for location independence

#### 3. SharePoint/OneDrive Paths

Cloud paths for protecting content in Microsoft 365 environments.

<figure><img src="https://3947089720-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOuMyGdeUQs2m5OYPFuwT%2Fuploads%2FmJ0E9r6ClacvxwoxBEW8%2Fimage.png?alt=media&#x26;token=c318ae22-be10-45fd-9a85-9f0500d74839" alt=""><figcaption></figcaption></figure>

**Syntax**

```
\\<sharepoint_domain>\sites\<site_name>\<folder_path>
```

**Features**

* Automatic conversion from web URLs
* Supports both SharePoint and OneDrive locations

**Examples**

```
\\company.sharepoint.com\sites\HR\Confidential
\\company-my.sharepoint.com\personal\user_company_com\Documents
```

**Automatic URL to Path Conversion**

Web URLs are automatically converted to the correct format. You can paste any SharePoint or OneDrive link and it will be converted to the required format:

```
https://company.sharepoint.com/sites/HR/Confidential
→ \\company.sharepoint.com\sites\HR\Confidential
```

#### 4. Egnyte Paths

For organizations using Egnyte cloud storage.

<figure><img src="https://3947089720-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOuMyGdeUQs2m5OYPFuwT%2Fuploads%2FvjX7aTeCkqJ06uavJGgb%2Fimage.png?alt=media&#x26;token=08eaa8e9-4ea9-44a8-afa5-e7c2c5a64e80" alt=""><figcaption></figcaption></figure>

**Syntax**

```
\\<domain>.egnyte.com\<folder_path>
```

**Examples**

```
\\company.egnyte.com\Shared\Finance
\\company.egnyte.com\Private\HR
```

#### 5. Box Paths

For organizations using Box cloud storage.

<figure><img src="https://3947089720-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOuMyGdeUQs2m5OYPFuwT%2Fuploads%2FNU3JmPt5GyIfkDZ2GGbu%2Fimage.png?alt=media&#x26;token=6715c284-3bfd-4bbc-ac9f-964fef4dcb63" alt=""><figcaption></figcaption></figure>

**Syntax**

```
\\<enterprise ID>@app.box.com\<folder path>
```

**Examples**

```
\\1174000000@app.box.com\New Folder\test
\\1174000000@app.box.com\All Files\Shared\Lab Folders
```
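The syntax rules listed under Supported Path Types, together with the URL conversion shown for SharePoint, can be checked before a path is entered in the dashboard. The following is an added example, not FenixPyre code: `classify`, `url_to_path` and the regular expressions are hypothetical names, and the handling of query strings and percent-encoding is an assumption, since the page documents only one URL mapping.

```python
import re
from urllib.parse import urlsplit, unquote

# Patterns follow the syntax rules stated on this page. The dashboard's own
# validation is not documented here, so treat these as assumptions.
LOCAL = re.compile(r"^[A-Za-z]:\\.+$")            # drive letter + backslash
UNC = re.compile(r"^\\\\(?P<host>[^\\/]+)\\.+$")  # \\host\share...
BOX_HOST = re.compile(r"^\d+@app\.box\.com$")
ONE_PROFILE = re.compile(r"(?i)^[a-z]:\\users\\(?!%username%(\\|$))")


def url_to_path(url):
    # Mirrors the one documented mapping: https://host/a/b becomes \\host\a\b.
    # Dropping the query string and percent-decoding are assumptions.
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an https:// URL")
    segments = [unquote(s) for s in parts.path.split("/") if s]
    return "\\\\" + "\\".join([parts.hostname] + segments)


def classify(path):
    """Return (path_type, warnings) for one candidate protected-folder path."""
    if path.lower().startswith("https://"):
        path = url_to_path(path)
    if "/" in path:
        return "invalid", ["use backslashes as separators"]
    warnings = []
    if LOCAL.match(path):
        kind = "local"  # a mapped network drive looks the same offline
        if ONE_PROFILE.match(path):
            warnings.append("names one profile; %username% covers all users")
    else:
        m = UNC.match(path)
        if not m:
            return "invalid", ["needs a drive letter or a leading \\\\server"]
        host = m.group("host").lower()
        if host.endswith(".sharepoint.com"):
            kind = "sharepoint/onedrive"
        elif host.endswith(".egnyte.com"):
            kind = "egnyte"
        elif BOX_HOST.match(host):
            kind = "box"
        else:
            kind = "network"
    if " " in path:
        warnings.append("contains spaces")
    return kind, warnings
```

Running `classify` over a planned list of protected folders surfaces forward slashes, missing drive letters and hard-coded profile names before they become a folder that silently protects nothing.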

## User Permissions

The following permissions decide what types of actions a user or group can perform in FenixPyre.

<table><thead><tr><th width="128">Permission</th><th width="230">FenixPyre Windows Agent</th><th>FenixShare (SharePoint, OneDrive and other cloud integrations)</th></tr></thead><tbody><tr><td>Can Encrypt</td><td>This permission determines whether a user can encrypt files.</td><td>This permission determines whether a user can encrypt files.</td></tr><tr><td>Can Decrypt</td><td>This permission determines whether a user can decrypt files and remove protection.</td><td>This permission determines whether a user can decrypt files.</td></tr><tr><td>Can Share</td><td>This permission determines whether you can share a file via Outlook or the right-click option via FenixShare.</td><td>This permission determines whether you can share a file from SharePoint, OneDrive, Egnyte or Box Drive using FenixShare.</td></tr><tr><td>Can View Audit Logs</td><td>This permission determines whether a user can view audit logs from the right-click option.</td><td>This permission determines whether a user can view audit logs.</td></tr><tr><td>Can Open</td><td>Rolling out soon</td><td>Rolling out soon</td></tr><tr><td>Can Edit</td><td>Rolling out soon</td><td>Rolling out soon</td></tr><tr><td>Can Add Protection</td><td>Rolling out soon</td><td>Rolling out soon</td></tr><tr><td>Can Delete</td><td>Rolling out soon</td><td>Rolling out soon</td></tr></tbody></table>

## User Applications

{% hint style="info" %}
All admin-approved and FenixPyre-approved applications are displayed on the policy page. [Learn how to add a new application](https://docs.fenixpyre.com/fenixpyre-for-admins/admin-dashboard/user-applications).
{% endhint %}

With FenixPyre installed on Windows Desktops, you can control which applications can access encrypted files and how they do so.

<figure><img src="https://3947089720-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOuMyGdeUQs2m5OYPFuwT%2Fuploads%2FCc04ifRSCyerUJT2jiGr%2FProject%202025-01-22%20at%2020.53.25.gif?alt=media&#x26;token=45bee69c-8b8c-41dc-b93d-ffa03584af07" alt=""><figcaption><p>Enabling an application for a policy</p></figcaption></figure>

You can manage a number of settings for an application when adding it to a policy.

<figure><img src="https://3947089720-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOuMyGdeUQs2m5OYPFuwT%2Fuploads%2F9pvKSBDEgGvEqs0HfBb7%2FScreenshot%202025-01-22%20at%208.59.03%E2%80%AFPM.png?alt=media&#x26;token=39d8eb10-49e7-4f1c-9ff3-9ce25ad9999c" alt=""><figcaption><p>User application configuration</p></figcaption></figure>

{% stepper %}
{% step %}

#### Enable opening files from non-protected folders

This option determines whether the application can open encrypted files stored outside of [protected folders](#protected-folders).
{% endstep %}

{% step %}

#### Enable saving files to non-protected folders

This option determines whether the application encrypts every file it saves, irrespective of the folder the file is saved to. This setting is useful for enforcing a stricter encryption policy without having to define protected folders.
{% endstep %}

{% step %}

#### Enable compliance mode

Read this [article](https://docs.fenixpyre.com/fenixpyre-features/compliance-mode) for more details.
{% endstep %}

{% step %}

#### Enable real-time file block

Enable this option to have FenixPyre automatically close the application and files when access rules are violated or a user
{% endstep %}

{% step %}

#### Enable returning original file size

This option controls whether FenixPyre returns the decrypted (original) file size or the encrypted file size when applications request file information using the Windows directory listing API call. Recommended value: Enabled
{% endstep %}

{% step %}

#### Prevent opening protected and unprotected files together

When this option is enabled, users will not be able to open encrypted and non-encrypted files at the same time. This is to prevent accidental sharing of sensitive data.
{% endstep %}
{% endstepper %}

## Endpoint Settings

### Automatic Encryption Service

The Automatic Encryption Service is a FenixPyre Windows endpoint feature that encrypts any file newly added to or created within a protected folder.

**Managing Automatic Encryption Disruptions**

The suggested delay is 5,000 ms. We recommend keeping the delay value below 60,000 ms (or 1 minute).

Anchor's automatic encryption service may disrupt workflows by encrypting new files in protected folders immediately. This encryption can cause application conflicts, such as interrupting an SFTP file transfer, depending on how files are created in the folder. To address these issues, we have introduced a delay setting to allow more flexible handling of such cases.

{% hint style="info" %}
Limitations

* **Sequential Processing**: When adding multiple files to a protected folder, the encryption service processes each file one at a time. Each file is subject to a delay, regardless of any accumulated delay.
* **Placeholder Files**: The service does not encrypt placeholder files.
* **Active File Usage**: Files may not be encrypted if they are in use by another application or process.
* **Zero-byte Files**: Files with zero bytes are not encrypted.
  {% endhint %}

{% hint style="success" %}
Learn more about [Automatic Encryption Service](https://docs.fenixpyre.com/fenixpyre-features/automatic-encryption-service)<br>

If you are looking for a way to encrypt files in the cloud (SharePoint/OneDrive, Egnyte or Box), we suggest you learn about Auto-Encryption on FenixShare.
{% endhint %}

### Periodic Encryption Service

FenixPyre offers a Windows feature called the Periodic Encryption Service, which regularly scans protected folders and encrypts any unencrypted files. You can set the scan frequency between 30 minutes (recommended) and 1440 minutes (every 24 hours).

Recommended value: 30 mins

{% hint style="info" %}
Limitations

* Placeholder files in OneDrive or SharePoint folders will remain unencrypted.
* Network shared folders are excluded from scans, except for Egnyte Connected Folders.
  {% endhint %}

{% hint style="success" %}
Learn more about [Periodic Encryption Service](https://docs.fenixpyre.com/fenixpyre-features/periodic-encryption-service)
{% endhint %}

### Offline Mode

Offline mode allows offline access to encrypted files, enabling users to work without an internet connection. Administrators can determine which users have offline access and set a time limit of up to 90 days. While an internet connection is typically needed for accessing Anchored files, offline mode balances offline functionality with maintaining control and protection of FenixPyre-encrypted files.

Recommended period: 15 days

{% hint style="success" %}
Learn more about [Offline mode](https://docs.fenixpyre.com/fenixpyre-features/offline-mode)
{% endhint %}

### Allowed Extensions

By default, any file whose extension is listed under *Allowed Extensions* is encrypted automatically by the Automatic Encryption Service and the Periodic Encryption Service on the FenixPyre Windows agent.

{% hint style="info" %}
If you want to change how applications encrypt files on your system, visit [User Applications.](https://docs.fenixpyre.com/fenixpyre-for-admins/admin-dashboard/user-applications)
{% endhint %}

For FenixPyre cloud integrations, encrypting, decrypting, opening, and sharing files on [FenixShare](https://docs.fenixpyre.com/fenixpyre-for-users/fenixpyre-sharing) is limited to these *Allowed Extensions*. This serves as a protective measure, ensuring only authorized users can access the encrypted files.

## File Settings

### Preserve File Timestamps

By default, FenixPyre preserves original file timestamps when encrypting or decrypting. This means the "last modified date," "last access date," and "last write date" stay the same even after files are processed. If you want these timestamps to reflect the time of encryption or decryption instead, you can change this default behavior.

Recommended Value: Enabled

### Preserve File Security Info

You can keep a file’s security details, like its Discretionary Access Control List (DACL), even after encrypting or decrypting. A DACL controls who can access files and folders in a computer system.

Recommended Value: Enabled

### File Access Rules

Access Rules define the conditions that must be met before encrypted data can be opened. They are automatically applied to new and existing files, which makes managing access controls much easier.

<figure><img src="https://3947089720-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOuMyGdeUQs2m5OYPFuwT%2Fuploads%2FTr4QW8sSEikJaKTLHGwJ%2FScreenshot%202025-01-27%20at%201.12.19%E2%80%AFPM.png?alt=media&#x26;token=8a936dc5-fee3-4d5e-8b7b-eaace42bb799" alt=""><figcaption><p>Adding File Access Rules with IPs and Geo location</p></figcaption></figure>

* **Default Rule (Organization)**: The device must belong to the data-owning organization. All files are given this global default rule upon encryption.
* **IP Address**: Limit access to selected public IP ranges (supports multiple IPs and [CIDR notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing)).
* **Geo-Fencing**: Currently only supports the US, so files can only be opened if accessed from within the United States. This is verified using geolocation, IP addresses, or both.
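Because the IP Address rule accepts multiple IPs and CIDR ranges, it is worth auditing a planned allowlist before it gates access to encrypted files. This is an added example, not FenixPyre code and not a description of how FenixPyre evaluates the rule: `audit_allowlist`, `is_allowed` and the `/16` review threshold are assumptions, and the sample entries are constructed from documentation address ranges.

```python
import ipaddress

# Ranges that are never a site's public egress address: RFC 1918, CGNAT,
# loopback and link-local.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]


def audit_allowlist(entries, min_prefix=16):
    """Return (networks, findings) for a list of IP / CIDR strings."""
    networks, findings = [], []
    for raw in entries:
        try:
            # A bare IP becomes a /32 (or /128) network.
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            findings.append((raw, "not a valid IP or CIDR"))
            continue
        if any(net.overlaps(n) for n in NON_PUBLIC):
            findings.append((raw, "includes non-public address space"))
        if net.version == 4 and net.prefixlen < min_prefix:
            findings.append((raw, "wider than /%d" % min_prefix))
        if any(net.version == seen.version and net.subnet_of(seen)
               for seen in networks):
            findings.append((raw, "already covered by an earlier entry"))
        networks.append(net)
    return networks, findings


def is_allowed(client_ip, networks):
    """True if client_ip falls inside any parsed allowlist network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)


# Constructed sample: two sound entries followed by four that need review.
SAMPLE = ["198.51.100.0/24", "203.0.113.7", "192.168.1.0/24",
          "0.0.0.0/0", "198.51.100.128/25", "203.0.113.300"]
```

An entry such as `0.0.0.0/0` parses cleanly and makes `is_allowed` return true for every address, which is why the audit reports width and address space separately from syntax.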

## Office Add In Settings

The FenixPyre Office Add-In offers various settings that support Data Loss Prevention (DLP) in Office 365. These settings disable features that could compromise data security, ensuring your sensitive information remains protected.

| Setting Name                      | Description                                                                                                                                                                                                                       | Recommended Value |
| --------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- |
| Can Lock Files                    | FenixPyre automatically handles file locking for Office files synced from OneDrive or SharePoint. It ensures encrypted files are edited by only one user or device at a time, preventing conflicts and maintaining data security. | enabled           |
| Can Share                         | Enable or Disable Share Options in Microsoft Office                                                                                                                                                                               | disabled          |
| Can View Info                     | Enable or Disable View Info Option in Microsoft Office                                                                                                                                                                            | disabled          |
| Can Transform                     | Enable or Disable Transform Option in Microsoft Office                                                                                                                                                                            | disabled          |
| Can Export                        | Enable or Disable Export Option in Microsoft Office                                                                                                                                                                               | disabled          |
| Can Publish                       | Enable or Disable Publish Option in Microsoft Office                                                                                                                                                                              | disabled          |
| Can Print                         | Enable or Disable Print Option in Microsoft Office                                                                                                                                                                                | disabled          |
| Can Custom Preview                | Enable or Disable Custom Preview Option in Microsoft Office                                                                                                                                                                       | disabled          |
| Can Save to Non-Protected Folders | This setting controls the ability to save files to non-protected folders. It overrides the similar setting in [User applications](#user-applications), including Microsoft Word, Excel, and PowerPoint.                           | disabled          |

## Advanced Settings

| Setting Name                      | Description                                                                                                     | Recommended Value |
| --------------------------------- | --------------------------------------------------------------------------------------------------------------- | ----------------- |
| User Policy Update Interval       | The Windows agent updates user policies at regular intervals. By default, these updates occur every 60 seconds. | 60 seconds        |
| Access Control Heartbeat Interval | Frequency at which FenixPyre verifies user status and ensures compliance with file access rules.                | 15 seconds        |
