The File storage and data control DLP Policy controls the use of file storage inside Venn. Enabling a file storage system assigns its desktop app and maps its location inside the operating system's native file manager. Organizations can choose a single file system or use multiple file systems simultaneously. All unspecified file systems are readable but cannot be written to. This policy also prevents data movement to locations outside of Venn. This article provides details about the policy, its use, and its limitations.
Overview
The File storage and data control DLP Policy is accessible from within the DLP Policy admin. This policy governs:
- Which file system is authorized for use inside Venn
- Assignment of the corresponding 3rd party file system app for use within Venn
- Mapping of the virtual drive folder inside of Venn Disk (read more about Venn Disk here)
- The default location for downloads
- The default save location for files
- Auto-start of corresponding 3rd party file system app when Venn starts
- Prevention of data movement to locations not defined in the policy
Configuring a File System
When a file system is enabled, it must be configured for use in Venn. Most file systems will have similar options, while some may have additional configuration requirements.
OneDrive
Enablement
- From the DLP Policy admin page locate Files and Account Access.
- Click Change.
- From the policy editor that appears locate OneDrive and toggle it On. This will reveal required configuration options.
Note: Venn Disk will be set as the default location for downloads and the default save location if a file system is not specified.
In order to use OneDrive within the Secure Enclave, you must specify a default tenant ID. You can obtain your organization tenant ID by following the instructions here. To add the tenant ID:
- Click in the Tenant ID box
- Type or paste in your ID.
In addition to authorizing the file system for use in the Secure Enclave and mapping the virtual drive as a folder inside of Venn Disk, the policy will assign the corresponding application to the user/group the policy applies to (e.g. OneDrive desktop app). It is not necessary to assign the application from the admin All apps page.
Auto-launch
The application can be configured to start automatically when a user logs in to Venn, similar to how apps can be set to run automatically when you log into a computer. For file systems, it is recommended to always set this option for the primary file system the user will need to access. To set the option:
- Below the Tenant ID box, check the box titled Launch automatically when logging in to Venn.
- Click Apply in the bottom right of the window if you have completed configuration.
Setting the default save and download location
The File storage and data control DLP Policy enables the default download location and the default file save location to be configured independently. Both locations are set to Venn Disk if another location has not been specified. Follow the steps below to set OneDrive as the default save location.
- Scroll to the section titled Data control
- To the left of the options, click the radio button next to OneDrive
- Click Apply in the bottom right of the window if you have completed configuration.
Google Drive
Enablement
- From the DLP Policy admin page locate Files and Account Access.
- Click Change.
- From the policy editor that appears locate the desired file system and toggle it On. This will reveal required configuration options.
Note: Venn Disk will be set as the default location for downloads and the default save location if a file system is not specified.
Auto-start
Google Drive can be configured to start automatically when a user logs in to Venn, similar to how apps can be set to run automatically when you log into a computer. For file systems, it is recommended to always set this option for the primary file system the user will need to access. To set the option:
- Under General Settings for Google Drive, locate Launch automatically when logging into Venn.
- To the left of the option, click into the check box.
- Click Apply in the bottom right of the window if you have completed configuration.
Setting the default save and download location
The Files and Account Access policy enables you to configure the default download location and the default file save location independently. Both locations are set to Venn Disk if another location has not been specified. Follow the steps below to set Google Drive as the default save location.
- Under General Settings for OneDrive, locate Set as default save and download.
- To the left of the option, click into the check box.
- Click Apply in the bottom right of the window if you have completed configuration.
Account Access Control
To finalize configuration of a file system for use in the Secure Enclave, you need to define the domain(s) that are authorized for use, or choose to allow access to Google Drive and all other Google Workspace resources with any account. It is highly recommended to restrict logins to Google Drive and Google Workspace resources by specific domain(s). This ensures that only accounts associated with your organization's domains can be used to log in to Google Workspace resources, including Google Drive. To configure this option:
- Locate Account access beneath the Google Drive configuration.
- Ensure the radio button Only allow access with specific business accounts is selected.
- In the input field below, input the desired domain and press enter.
- Click Apply in the bottom right of the window if you have completed configuration.
If you want to allow access with any account to Google Workspace resources, including Google Drive, select the Allow access with any account radio button.
Restricting Data to the Secure Enclave
By default, data is not allowed to be saved or moved outside of Venn. This means that once a file system has been specified for use in the Secure Enclave, copying or moving data from the specified file system to any location not specified is prohibited. This does not restrict the movement of data from file locations outside of the enclave to locations authorized for use inside. Changing this setting is not advised, as data can then be moved to unauthorized locations. To change this setting:
- Click Change next to Files and Account Access for the target policy.
- At the bottom of the window under Data control, uncheck Do not allow data to be saved or moved out of Venn.
- Click Apply.
Configuration to restrict access to data outside of the Secure Enclave
Preventing data from being accessed from outside of the Secure Enclave requires three components.
- Specifying the file system for use via the Files and Data policy.
- Ensuring the option Do not allow data to be saved or moved out of Venn is checked for the policy.
- Locking down access within the service provider to only the Private Company Gateway IP.
Depending on the file system, the steps to lock down access within the service provider may vary. See Restricting Applications to Venn for available instructions.
Disabling a File System
If a file system is no longer needed for the user/group it is assigned to, it can easily be disabled from the Files and Account Access policy. To disable a file system:
- Click Change next to Files and Data for the target policy.
- In the File Storage list locate the file system.
- Set the toggle to OFF.
- Click Apply.
Note: The default download and save location will be changed to Venn Disk.