Exclusions for disk encryption
Problem
As a Fleet admin, I'd like the ability to exclude certain hosts on a team from having disk encryption enabled. Currently, enabling disk encryption on a team applies it to all hosts with no options for exclusion.
What have you tried?
The customer looked for a way to use labels to exclude certain hosts from having disk encryption enabled, like they are able to do for custom settings today. This option does not exist in Fleet.
The customer is currently putting these hosts in a separate team that does not have disk encryption enabled. Since disk encryption is the only difference in configuration, it creates extra work to maintain 2 teams with otherwise identical configurations.
Potential solutions
Having a way to use labels to exclude certain hosts on a team from having disk encryption enabled could be a good solution. This would mirror the method we have today to exclude hosts from having custom settings applied.
What is the expected workflow as a result of your proposal?
A customer would create a label in Fleet to identify certain hosts that should not have disk encryption enabled. They would add the host to a team that has the appropriate configuration for that device (profiles, scripts, software, etc.). They would then go to Controls > Disk encryption and apply labels to exclude the disk encryption settings.
Similar to #20805
certain hosts that should not have disk encryption enabled.
@ddribeiro what kind of hosts are these? How are they used by the business? And how does that differ from a normal workstation?
Potential use cases:
- Workstations on which the end user uses all web based tools (nothing local on the device). No need to encrypt.
@ddribeiro we would like to bring this in for consideration but are out of capacity for the next design sprint. Can you please bring it back on the next prioritization call?
Hey @noahtalerman, this came up on our call with numa yesterday. They have virtual Windows hosts that should not have disk encryption enabled, but otherwise have the same configuration as the physical Windows hosts. Their desired workflow is to keep the physical and virtual hosts on the same team and use a label that contains the virtual hosts to exclude them from the disk encryption. For the time being, numa is ok with our best practice of enrolling the virtual hosts into a separate team.
It looks like this issue was created before we started doing "Unpacking the why" calls, so I'm going to add it back to the drafting board so we can do that with this one.