Policy Rules Guide

Explore this glossary to discover various rules that may be incorporated into a policy.

Protected folders

Concept of Protected Folders

Protected folders are fundamental in FenixPyre, defining specific folder locations accessible to designated users and groups. These folders allow users and groups within your organization to access and consume encrypted content using FenixPyre. Notably, encrypted files can only be accessed within these protected folders, whether via FenixPyre's Windows agent or cloud integrations. Examples of protected folder paths include common user directories, on-premises network drives, and cloud-based document sharing services.

Supported Path Types

1. Windows Local Paths

Local paths are used for protecting folders on users' Windows machines.

Syntax

C:\Users\%username%\path\to\folder

Key Features

  • Supports %username% variable for dynamic user paths

  • Case-insensitive

  • Backslashes (\) required as separators

  • Drive letter (e.g., C:) must be specified

Examples

C:\Users\%username%\Desktop\Confidential
C:\Users\%username%\Documents\HR_Files
C:\Program Files\Company\Secure

Best Practices

  • Use %username% for paths that should work across different user profiles

  • Avoid spaces in folder names when possible

  • Use consistent casing for better readability

  • Verify the path exists before adding

2. Network Paths

Network paths allow protection of shared folders on network drives. Supports UNC, DFS, and mapped drive paths.

UNC Path Syntax

\\server_name\share_name\folder_path

DFS Path Syntax

\\domain\dfs_root\folder_path

Key Features

  • Double backslashes (\\) required at start

  • Server/domain name must be specified

  • Supports both IP addresses and hostnames

Examples

\\fileserver\shared\Finance
\\192.168.1.100\documents\Legal
\\domain.local\dfs\Department\HR

Best Practices

  • Use UNC paths instead of mapped drives for reliability

  • Verify network connectivity before adding

  • Ensure proper network share permissions

  • Consider using DFS for location independence

3. SharePoint/OneDrive Paths

Cloud paths for protecting content in Microsoft 365 environments.

Syntax

\\<sharepoint_domain>\sites\<site_name>\<folder_path>

Features

  • Automatic conversion from web URLs

  • Supports both SharePoint and OneDrive locations

Examples

\\company.sharepoint.com\sites\HR\Confidential
\\company-my.sharepoint.com\personal\user_company_com\Documents

Automatic URL to Path Conversion

Web URLs are automatically converted to the correct format. Paste any SharePoint or OneDrive link and it is converted to the required path format:

https://company.sharepoint.com/sites/HR/Confidential
→ \\company.sharepoint.com\sites\HR\Confidential

4. Egnyte Paths

For organizations using Egnyte cloud storage.

Syntax

\\<domain>.egnyte.com\<folder_path>

Examples

\\company.egnyte.com\Shared\Finance
\\company.egnyte.com\Private\HR

5. Box Paths

For organizations using Box cloud storage.

Syntax

\\<enterprise ID>@app.box.com\<folder path>

Examples

\\[email protected]\New Folder\test
\\[email protected]\All Files\Shared\Lab Folders
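
The path rules above can be checked before entries are pasted into a policy. The following is an added example, not FenixPyre's own code: the function names are hypothetical, the patterns are derived only from the syntax rules in this guide, and the URL handling covers plain https folder URLs (decoding percent-encoded characters is an assumption).

```python
import re
from urllib.parse import unquote, urlsplit

# Added example with hypothetical names; not FenixPyre's own code.
# Patterns follow the syntax rules in this guide. Cloud forms are tested
# first because they are also syntactically valid UNC paths.
RULES = [
    ("sharepoint", re.compile(r"\\\\[\w.-]+\.sharepoint\.com\\(sites|personal)\\.+", re.I)),
    ("egnyte", re.compile(r"\\\\[\w-]+\.egnyte\.com\\.+", re.I)),
    ("box", re.compile(r"\\\\[^\\@]+@app\.box\.com\\.+", re.I)),
    ("network", re.compile(r"\\\\[\w.-]+\\[^\\]+(\\.*)?")),
    ("local", re.compile(r"[A-Za-z]:\\.*")),
]
HARDCODED_PROFILE = re.compile(r"[A-Za-z]:\\Users\\(?!%username%(\\|$))[^\\]+", re.I)


def to_policy_path(entry: str) -> str:
    """Rewrite a plain https folder URL in UNC form; pass other entries through."""
    entry = entry.strip()
    if entry.lower().startswith(("http://", "https://")):
        url = urlsplit(entry)
        # Assumption: percent-encoded characters such as %20 are decoded.
        segments = [unquote(s) for s in url.path.split("/") if s]
        return "\\\\" + "\\".join([url.hostname, *segments])
    return entry


def check_entry(entry: str):
    """Return (kind, normalized_path, problems) for one protected-folder entry."""
    path = to_policy_path(entry)
    problems = []
    if "/" in path:
        problems.append("backslashes are required as separators")
    kind = next((k for k, rx in RULES if rx.fullmatch(path)), None)
    if kind is None:
        problems.append("no drive letter or leading \\\\server found")
    elif kind == "local" and HARDCODED_PROFILE.match(path):
        problems.append("hard-coded profile name; use %username%")
    return kind, path, problems


if __name__ == "__main__":
    # Constructed sample entries, including deliberately malformed ones.
    for sample in [
        "https://company.sharepoint.com/sites/HR/Confidential",
        r"C:\Users\jsmith\Desktop\Confidential",
        r"Users\%username%\Documents",
    ]:
        print(check_entry(sample))
```
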

User Permissions

The following permissions decide which actions a user or group can perform in FenixPyre.

Each permission is described for the FenixPyre Windows Agent and for FenixShare (SharePoint, OneDrive and other cloud integrations).

Can Encrypt

  • FenixPyre Windows Agent: This permission determines whether a user can encrypt files.

  • FenixShare: This permission determines whether a user can encrypt files.

Can Decrypt

  • FenixPyre Windows Agent: This permission determines whether a user can decrypt files and remove protection.

  • FenixShare: This permission determines whether a user can decrypt files.

Can Share

  • FenixPyre Windows Agent: This permission determines whether you can share a file via Outlook or the right-click option via FenixShare.

  • FenixShare: This permission determines whether you can share a file from SharePoint, OneDrive, Egnyte or Box Drive using FenixShare.

Can View Audit Logs

  • FenixPyre Windows Agent: This permission determines whether a user can view audit logs from the right-click option.

  • FenixShare: This permission determines whether a user can view audit logs.

Can Open

  • FenixPyre Windows Agent: Rolling out soon

  • FenixShare: Rolling out soon

Can Edit

  • FenixPyre Windows Agent: Rolling out soon

  • FenixShare: Rolling out soon

Can Add Protection

  • FenixPyre Windows Agent: Rolling out soon

  • FenixShare: Rolling out soon

Can Delete

  • FenixPyre Windows Agent: Rolling out soon

  • FenixShare: Rolling out soon

User Applications

All admin-approved and FenixPyre-approved applications are displayed on the policy page. Learn how to add a new application

With FenixPyre installed on Windows Desktops, you can control which applications can access encrypted files and how they do so.

Enabling an application for a policy

There are a number of configurations that you can manage for an application while adding them to a policy.

User application configuration

1. Enable opening files from non-protected folders

This option determines whether the application can open encrypted files stored outside of protected folders.

2. Enable saving files to non-protected folders

This option determines whether the application encrypts every file it saves, irrespective of the folder the file is saved to. This setting is useful for enforcing a stricter encryption policy without having to define protected folders.

3. Enable compliance mode

Read this article for more details

4. Enable real-time file block

Enable this option to have FenixPyre automatically close the application and files when access rules are violated or a user

5. Enable returning original file size

Enable this option to have FenixPyre return decrypted (original) file size or encrypted file size when applications request file information using the Windows directory listing API call. Recommended value: Enabled

6. Prevent opening protected and unprotected files together

When this option is enabled, users cannot open encrypted and non-encrypted files at the same time. This prevents accidental sharing of sensitive data.

Endpoint Settings

Automatic Encryption Service

The Automatic Encryption Service is a Windows endpoint feature of FenixPyre that encrypts any file newly added to or created within a protected folder.

Managing Automatic Encryption Disruptions

The suggested delay is 5,000 ms. We recommend keeping the delay value below 60,000 ms (or 1 minute).

Anchor's automatic encryption service may disrupt workflows by encrypting new files in protected folders immediately. This encryption can cause application conflicts, such as interrupting an SFTP file transfer, depending on how files are created in the folder. To address these issues, we have introduced a delay setting to allow more flexible handling of such cases.

Limitations

  • Sequential Processing: When adding multiple files to a protected folder, the encryption service processes each file one at a time. Each file is subject to a delay, regardless of any accumulated delay.

  • Placeholder Files: The service does not encrypt placeholder files.

  • Active File Usage: Files may not be encrypted if they are in use by another application or process.

  • Zero-byte Files: Files with zero bytes are not encrypted.

Periodic Encryption Service

FenixPyre offers a Windows feature called the Periodic Encryption Service, which regularly scans protected folders and encrypts any unencrypted files. You can set the scan frequency between 30 minutes (recommended) and 1440 minutes (every 24 hours).

Recommended value: 30 mins

Limitations

  • Placeholder files in OneDrive or SharePoint folders will remain unencrypted.

  • Network shared folders are excluded from scans, except for Egnyte Connected Folders.

Offline Mode

Offline mode allows offline access to encrypted files, enabling users to work without an internet connection. Administrators can determine which users have offline access and set a time limit of up to 90 days. While an internet connection is typically needed for accessing Anchored files, offline mode balances offline functionality with maintaining control and protection of FenixPyre-encrypted files.

Recommended period: 15 days

Allowed Extensions

By default, any file whose extension is listed under Allowed Extensions is encrypted automatically by the Automatic Encryption Service and the Periodic Encryption Service on the FenixPyre Windows agent.

If you want to change how applications encrypt files on your system, visit User Applications.

For FenixPyre cloud integrations, encrypting, decrypting, opening, and sharing files on FenixShare is limited to these Allowed Extensions. This serves as a protective measure, ensuring only authorized users can access the encrypted files.

File Settings

Preserve File Timestamps

By default, FenixPyre preserves original file timestamps when encrypting or decrypting. This means the "last modified date," "last access date," and "last write date" stay the same even after files are processed. If you want these timestamps to reflect the time of encryption or decryption instead, you can change this default behavior.

Recommended Value: Enabled

Preserve File Security Info

You can keep a file’s security details, like its Discretionary Access Control List (DACL), even after encrypting or decrypting. A DACL controls who can access files and folders in a computer system.

Recommended Value: Enabled

File Access Rules

Access Rules define the conditions that must be met before encrypted data can be opened. They are automatically applied to new and existing files, which makes managing access controls much easier.

Adding File Access Rules with IPs and Geo location
  • Default Rule (Organization): The device must belong to the data-owning organization. All files are given this global default rule upon encryption.

  • IP Address: Limit access to selected public IP ranges (supports multiple IPs and CIDR notation).

  • Geo-Fencing: Currently only supports the US, so files can only be opened if accessed from within the United States. This is verified using geolocation, IP addresses, or both.
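
An allowlist for the IP Address rule can be linted before it is saved. This is an added example, not FenixPyre's own code: the function names and the list of non-public ranges are assumptions, and the sample addresses in the usage are constructed from documentation ranges. Because the rule takes public IP ranges, entries that overlap private or otherwise non-routable space are rejected rather than silently accepted.

```python
import ipaddress

# Added example with hypothetical names; not FenixPyre's own code.
# Ranges that never appear as a public source address (RFC 1918, CGNAT,
# loopback, link-local, IPv6 unique-local).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def parse_allowlist(entries):
    """Split rule entries into usable networks and rejected (entry, reason) pairs."""
    networks, rejected = [], []
    for raw in entries:
        try:
            # strict=False accepts "192.0.2.77/28" and masks the host bits.
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            rejected.append((raw, "not an IP address or CIDR range"))
            continue
        if any(net.overlaps(block) for block in NON_PUBLIC):
            rejected.append((raw, "overlaps a non-public range"))
        else:
            networks.append(net)
    return networks, rejected


def ip_rule_allows(client_ip, networks):
    """True when the client's public IP falls inside any allowed network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    # Constructed entries: two valid, one private, one malformed.
    nets, bad = parse_allowlist(
        ["203.0.113.0/24", "198.51.100.7", "10.1.2.0/24", "198.51.100.300"]
    )
    print(nets, bad, ip_rule_allows("203.0.113.9", nets))
```
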

Office Add In Settings

The FenixPyre Office Add-In offers various settings that help Data Loss Prevention (DLP) in Office 365. These settings disable any features that could compromise data security, ensuring your sensitive information remains protected.

Each setting is listed with its description and recommended value.

Can Lock Files

  • Description: FenixPyre automatically handles file locking for Office files synced from OneDrive or SharePoint. It ensures encrypted files are edited by only one user or device at a time, preventing conflicts and maintaining data security.

  • Recommended value: enabled

Can Share

  • Description: Enable or disable the Share options in Microsoft Office.

  • Recommended value: disabled

Can View Info

  • Description: Enable or disable the View Info option in Microsoft Office.

  • Recommended value: disabled

Can Transform

  • Description: Enable or disable the Transform option in Microsoft Office.

  • Recommended value: disabled

Can Export

  • Description: Enable or disable the Export option in Microsoft Office.

  • Recommended value: disabled

Can Publish

  • Description: Enable or disable the Publish option in Microsoft Office.

  • Recommended value: disabled

Can Print

  • Description: Enable or disable the Print option in Microsoft Office.

  • Recommended value: disabled

Can Custom Preview

  • Description: Enable or disable the Custom Preview option in Microsoft Office.

  • Recommended value: disabled

Can Save to Non-Protected Folders

  • Description: This setting controls the ability to save files to non-protected folders. It overrides the similar setting in User Applications, including Microsoft Word, Excel, and PowerPoint.

  • Recommended value: disabled

Advanced Settings

Each setting is listed with its description and recommended value.

User Policy Update Interval

  • Description: The Windows agent updates user policies at regular intervals. By default, these updates occur every 60 seconds.

  • Recommended value: 60 seconds

Access Control Heartbeat Interval

  • Description: Frequency at which FenixPyre verifies user status and ensures compliance with file access rules.

  • Recommended value: 15 seconds
