PGP SDA Policy not working
We are using PGP Universal Server 3.1.2/PGP Desktop 10.1.2 and would like
to restrict users from creating a PGP SDA via PGP Desktop. We have a
policy set on the PGP Universal Server to disable conventional encryption and
SDA, and it works fine with PGP Desktop 9.9.1. However, when we installed PGP
10.1.2 on a Windows 7 desktop, the conventional decryption is disabled, but
the SDA function is there for all users. We would like to restrict this
because of the ability to encrypt without the enforcement of the ADK.
Is there a way that we can disable the SDA capability in PGP Desktop
10.1.2, either by adding something to the prefs file or disabling it in the
context menu? Any assistance that you can provide will be greatly
appreciated. Thanks in advance for your help.
There is an option for this inside the Universal Server:
Consumers > Consumer Policy > "Effective Policy name" > Desktop > Zip & Shredder
http://www.cstl.com
The option works with PGP Desktop 9.9.1, but when I upgraded to 10.1.2, users cannot do conventional encryption but now get the ability to do the SDA?
So even with that effective policy applied they still can do shredder?
http://www.cstl.com
Sorry, if we uncheck the PGP Zip check box, users do not get any options (other than the ability to shred) in the PGP context menu when they right-click on a file. The policy is set as follows:
Consumers > Consumer Policy > "Effective Policy name" > Desktop > General: The allow conventional encryption and self decrypting archives box is UNCHECKED
Consumers > Consumer Policy > "Effective Policy name" > Desktop > File Encryption: Only the PGP Shredder box is checked.
Just to clarify: when using PGP Desktop 9.9.1, when a user right-clicks on a file, the Create Self Decrypting Archive and Secure with passphrase options are grayed out. In PGP Desktop 10.1.2 using the same policy, all options are available to the user, including the Self Decrypting Archive. Users can create SDAs but they are prevented from using the Secure with passphrase option.
Is there any way to prevent the ability to do SDAs and conventional encryption, but still present the other options (Encrypt to key, master key, shredder, etc.) when the user right-clicks on a file and selects PGP Desktop? Thanks
The context menu handlers are in:
HKEY_CLASSES_ROOT\*\ShellEx\ContextMenuHandlers
HKEY_CLASSES_ROOT\FOLDER\ShellEx\ContextMenuHandlers
You could remove the SDA option for that?
http://www.cstl.com
One additional piece of information... When creating a PGP Zip through PGP Desktop, the SDA and passphrase options are grayed out and appear to work correctly. It's only when you right-click on a file and select PGP Desktop that the user will get the option to create an SDA...
Removing the PGP contextmenuhandler removes the PGP Desktop option including all of the options. I only want to remove the option for SDA and keep the other options.
Inside the GUIDs in those reg keys are default strings with the names in. One of those should say PGP Zip; remove that one.
http://www.cstl.com
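A read-only way to see what is registered under the two keys named in this thread, added here as an example and not posted by any participant: it lists each context menu handler, its CLSID, and the module that implements it. The function name `Get-ContextMenuHandler` is hypothetical; nothing is modified.

```powershell
# Added example: read-only audit of shell context menu handlers.
# The two registry paths are the ones named in the thread.
$roots = @(
    'Registry::HKEY_CLASSES_ROOT\*\ShellEx\ContextMenuHandlers',
    'Registry::HKEY_CLASSES_ROOT\FOLDER\ShellEx\ContextMenuHandlers'
)
$guidPattern = '^\{[0-9A-Fa-f-]{36}\}$'

function Get-ContextMenuHandler {   # hypothetical helper name
    param([string[]]$Path)
    foreach ($root in $Path) {
        # -LiteralPath is required: the '*' key name is otherwise a wildcard.
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $name    = $key.PSChildName
            $default = [string]$key.GetValue('')   # '' reads the (Default) value
            # A handler is registered either as Name -> {CLSID} in the default
            # value, or with the {CLSID} itself as the subkey name.
            $clsid = $null
            if ($default -match $guidPattern) { $clsid = $default }
            elseif ($name -match $guidPattern) { $clsid = $name }
            # Resolve the CLSID to the in-process server (the handler DLL).
            $module = $null
            if ($clsid) {
                $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
                if (Test-Path -LiteralPath $inproc) {
                    $module = [string](Get-Item -LiteralPath $inproc).GetValue('')
                }
            }
            [pscustomobject]@{
                Root         = $root -replace '^Registry::', ''
                Handler      = $name
                DefaultValue = $default
                Clsid        = $clsid
                Module       = $module
            }
        }
    }
}

Get-ContextMenuHandler -Path $roots |
    Sort-Object Root, Handler |
    Format-Table -AutoSize -Wrap
```

Run it from a 64-bit PowerShell session on 64-bit Windows so the registry view matches the one Explorer uses.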
I can delete the entire "PGP Desktop" context menu, but I cannot specifically pick and choose which items to delete within the PGP desktop context menu. If I can do that, it would be great and if you have specific instructions on how to do that, I would be extremely grateful.
My guess is that the PGPmn.dll is not handling policy correctly. Especially since encrypting through the PGP desktop application appears to work correctly. Can someone verify if this is a bug and/or if there is a fix to the PGPmn.dll?