I'm curious how others in the IT field handle multi-user encryption access for things like laptops and how remote management is handled.
What we (my company and I) would like is the ability to have full disk encryption on our portable systems while also allowing multiple users to be able to log in AND, if possible, have some means of remote management.
Basically we do a lot of work with the healthcare field and they seem to be moving toward laptops. In order to stay in compliance, laptop encryption is necessary, but some of these people who are getting computers are pretty damn computer illiterate. If you add an extra day to their weekend, they forget everything, which makes remote management for encrypted computers a headache.
In the past we've used TrueCrypt, but with the need for multiple users to log in it probably won't suffice unless we give out a single password to everyone to unlock the encryption, but if one person quits or gets fired you essentially have to change every machine's encryption header. More recently we've used HP ProtectTools, which allows you to enroll a domain user into the encryption software, but you need to have your hands physically on the machine to un-enroll them.
So what might be the standard operating procedure for things like this?