Revoke Access to Work Files on Compromised Computers
With the latest release of WSE WorkFolders you can now revoke access to the work files stored on your Windows 8.1 or greater network computers when they have been lost or stolen, when they are no longer being managed by your organization, or when they have been otherwise compromised.
A special type of encryption called Selective Wipe is used to protect the work files stored within Work Folders. You can instruct Selective Wipe to block access to the work files that are stored on a network computer by remotely revoking its encryption key as follows:
Open the server Dashboard and click on the “WORK FOLDERS” item in the navigation pane.
Click on the “Computers” subtab, select the compromised computer in the list of “Allowed Computers“, and click the “Revoke access to work files” task.
NOTE: If any users of the compromised computer are no longer part of your organization, then you should also stop them from being able to access Work Folders by clicking on the “Users” subtab, selecting the users in the list of “Allowed Users“, and clicking on the “Do not allow access to Work Folders” task. Additionally, you shouldn’t remove the computer (via the Dashboard’s “DEVICES” page) until such time as its wipe status is shown as “Confirmed” over on the “Computers” subtab.
The next time any user logs on to the compromised computer, its encryption key will be revoked, and the wipe status of the computer will be shown as “Confirmed” over on the “Computers” subtab. Thereafter, whenever a user attempts to open any of the work files that are stored on the computer, they will receive an access denied error. Additionally, the user will see the following message in the Work Folders Control Panel applet:
Limitations
• Only Windows 8.1 and Windows 10 or later computers that have been connected to your Essentials network (both domain-joined and non domain-joined) can be revoked using this feature of WSE WorkFolders. Additionally, the computers must have the client-side components of WSE WorkFolders installed on them (see the ReadMe.txt file for detailed information on installing WSE WorkFolders on both the server and on the computers on the network).
• Windows 7 computers do not support the use of Selective Wipe, and so they cannot be revoked using this feature of WSE WorkFolders.
• Android and iOS devices are not supported by this feature of WSE WorkFolders. Revoking access to mobile devices requires the use of a (subscription-based) Mobile Device Management solution such as Intune.
Restore Access to Work Files on Revoked Computers
If the revoked computer has been found/returned/recovered, is once again being managed by your organization, or is otherwise no longer compromised, then you can restore access to the work files on the computer by selecting the computer in the “Revoked Computers” list, and clicking on the “Allow access to work files” task.
To regain access to Work Folders on the computer, the user will need to open the Work Folders Control Panel applet, click “Stop using Work Folders” to remove the existing sync partnership, and then Set up Work Folders again in a new folder.
NOTE: Work Folders must be set up in a completely new folder, or the folder currently used by Work Folders must be renamed or deleted (don’t delete the folder if you want to recover files that haven’t synced to other PCs and devices). Otherwise, the user will receive the following error when attempting to set up Work Folders again:
Conclusion
That sums up the new “revoke access” feature of WSE WorkFolders. I look forward to hearing your feedback on this new feature (and as always, both positive and negative feedback is more than welcome).
— MIKE (The Office Maven)