PGP SDA Policy not working

Created: 12 Feb 2013 | 10 comments

We are using PGP Universal Server 3.1.2/PGP Desktop 10.1.2 and would like
to restrict users from creating a PGP SDA via the PGP Desktop. We have
policy set on the PGP Universal Server to disable conventional encryption and
SDA and it works fine with PGP Desktop 9.9.1; however, when we installed PGP
10.1.2 on a Windows 7 desktop, the conventional decryption is disabled, but
the SDA function is there for all users. We would like to restrict this
because of the ability to encrypt without the enforcement of the ADK.

Is there a way that we can disable the SDA capability in PGP desktop
10.1.2, either by adding something to the prefs file or disabling it in the
context menu? Any assistance that you can provide will be greatly
appreciated. Thanks in advance for your help.

Alex_CST

There is an option for this inside the Universal Server:

Consumers > Consumer Policy > "Effective Policy name" > Desktop > Zip & Shredder

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

skinsfan1161

The option works with PGP Desktop 9.9.1, but when I upgraded to 10.1.2, users cannot do conventional encryption but now get the ability to do the SDA?

Alex_CST

So even with that effective policy applied they still can do shredder?

skinsfan1161

Sorry, if we uncheck the PGP Zip check box, users do not get any options (other than the ability to shred) in the PGP context menu when they right-click on a file. The policy is set as follows:

Consumers > Consumer Policy > "Effective Policy name" > Desktop > General: The allow conventional encryption and self decrypting archives box is UNCHECKED

Consumers > Consumer Policy > "Effective Policy name" > Desktop > File Encryption: Only the PGP Shredder box is checked.

Just to clarify: when using PGP Desktop 9.9.1, when a user right-clicks on a file, the Create Self Decrypting Archive and Secure with passphrase options are grayed out. In PGP Desktop 10.1.2 using the same policy, all options are available to the user, including the Self Decrypting Archive. Users can create SDAs but they are prevented from using the Secure with passphrase option.

Is there any way to prevent the ability to do SDAs and conventional encryption, but still present the other options (Encrypt to key, master key, shredder, etc.) when the user right-clicks on a file and selects PGP Desktop? Thanks

Alex_CST

The context menu handlers are in:

HKEY_CLASSES_ROOT\*\ShellEx\ContextMenuHandlers

HKEY_CLASSES_ROOT\FOLDER\ShellEx\ContextMenuHandlers 

You could remove the SDA option for that?

skinsfan1161

One additional piece of information...  When creating a PGP Zip through PGP Desktop, the SDA and passphrase options are grayed out and appear to work correctly, it's only when you right click on a file, select PGP desktop that the user will get the option to create an SDA...  

skinsfan1161

Removing the PGP contextmenuhandler removes the PGP Desktop option including all of the options; I only want to remove the option for SDA and keep the other options.

Alex_CST

Inside the GUIDs in those reg keys are default strings with the names in. One of those should say PGP Zip; remove that one.

skinsfan1161

I can delete the entire "PGP Desktop" context menu, but I cannot specifically pick and choose which items to delete within the PGP desktop context menu.  If I can do that, it would be great and if you have specific instructions on how to do that, I would be extremely grateful.

skinsfan1161

My guess is that the PGPmn.dll is not handling policy correctly.  Especially since encrypting through the PGP desktop application appears to work correctly.   Can someone verify if this is a bug and/or if there is a fix to the PGPmn.dll?
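
To see what is actually registered under the two ContextMenuHandlers keys named in this thread, and which DLL implements each entry, a read-only PowerShell listing can be used. This is an added example, not part of the original posts or Symantec's tooling; the function name Get-ContextMenuHandler is hypothetical, and the labels and DLL paths it prints are whatever is registered on the machine it runs on.

```powershell
# Added example: read-only listing of shell context menu handlers.
# Get-ContextMenuHandler is a hypothetical helper name, not a PGP or Windows cmdlet.
function Get-ContextMenuHandler {
    param(
        [string[]]$Roots = @(
            'Registry::HKEY_CLASSES_ROOT\*\ShellEx\ContextMenuHandlers',
            'Registry::HKEY_CLASSES_ROOT\FOLDER\ShellEx\ContextMenuHandlers'
        )
    )
    $guidPattern = '^\{[0-9A-Fa-f-]{36}\}$'
    foreach ($root in $Roots) {
        # -LiteralPath is required: the "*" in the first key is a literal key name, not a wildcard.
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $name    = $key.PSChildName
            $default = [string]$key.GetValue('')   # default value of the subkey

            # A handler is registered either as <Name> = {CLSID} or as {CLSID} = <Name>.
            if     ($default -match $guidPattern) { $clsid = $default; $label = $name }
            elseif ($name -match $guidPattern)    { $clsid = $name;    $label = $default }
            else                                  { $clsid = $null;    $label = $name }

            # Resolve the CLSID to the in-process server DLL that implements the handler.
            $dll = $null
            if ($clsid) {
                $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
                if (Test-Path -LiteralPath $inproc) {
                    $dll = [string](Get-Item -LiteralPath $inproc).GetValue('')
                }
            }
            [pscustomobject]@{
                Root  = $root -replace '^Registry::', ''
                Label = $label
                Clsid = $clsid
                Dll   = $dll
            }
        }
    }
}

# Nothing is modified; the output only shows which DLL backs each registered handler.
Get-ContextMenuHandler | Sort-Object Dll, Label | Format-Table -AutoSize -Wrap
```

A context menu handler adds its menu items in code (through IContextMenu::QueryContextMenu), so the individual items inside one handler's submenu do not appear as separate registry entries in this listing.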