Policies are applied to all users and Hubs that are assigned to a Tenancy. To implement more than one policy set, multiple Tenancies should be used. Users with the Tenant admin role are able to modify policies.
DekkoSecure typically engages clients in a consultative process to determine the best policy settings for their use case(s). For clients with policy requirements that vary depending on their use cases, multiple tenancies can be set up. Below is the standard tenancy policy configuration:
Minimum password length
Disable Public Hub
Invite message appendix
External File Verification
Enhanced Zero Knowledge
Limit users who can create hubs
Step(s) / Notes
Set minimum password length
Enter the specific character count, then press the "Update policies" button. Note: password length requirements are not applied to SSO users.
Set session timeout
Enter the required session duration in minutes, then press the "Update policies" button. Note: session timeout is not applied to SSO users.
Set file retention
Enter the required retention duration in days, then press the "Update policies" button.Note: file retention is applied to versioned files (not current files).
Note: 2FA enforcement is not applied to SSO users.
Note: the trusted user function is not applied to SSO users. A user must log at least once after the policy is applied to be able to reset their password.
When ON, users in all Hubs that belong to this Tenancy will be able to add a status from the specified list to files and folders. To specify tags, press the manage tags button, then add a tag. The default tag colour is dark grey, but can be adjusted from the standard colours list. Tags selection will appear in the same order as the tag management list - drag the ⋮⋮ marker to re-order your tags. See notes for examples of status tags in use.
Disable Public Hub
When OFF, users that are members of any Hubs that belong to this Tenancy will be able to access the Public Hub. The Public Hub does not belong to this Tenancy, and no Policies are applied to it. When ON users that are members of any Hubs that belong to this Tenancy will not be able to access the Public Hub.
Invite message appendix
Enable by ticking the policy, then enter your appendix content. Appendix content will be applied to all future invites. See notes for example invite with appendix.
Enhanced zero knowledge
Note: this setting controls whether users in Hubs associated with the selected tenancy are able to share files and send messages with unregistered users. Policy OFF: users can share files with/send messages to unregistered users. The file/message key is stored securely by DekkoSecure until the recipient registers. All interactions after this point are zero knowledge. In-app viewing and editing for Office (DOCX, XLSX, PPTX) files is enabled - refer to security/compliance notes below for more information. Policy ON: users cannot share files with/send messages to unregistered users. Users must invite recipients and wait for them to register. Following registration, files/messages can be sent. File/message keys are never stored by DekkoSecure. In-app viewing and editing for Office (DOCX, XLSX, PPTX) files is disabled.
Limit users who can create Hubs
This policy controls who in your Tenancy (i.e., users who belong to Hubs which are assigned to your Tenancy). This policy if OFF by default, meaning that all users who are already in your Tenancy are able to create new Hubs.To limit Hub creation, add a rule or rules to the policy. There are two possible rules: - Individual users - Users with a shared domain To set an individual user, enter their ID (email address, i.e., firstname.lastname@example.org) and then press 'Add'. To set a domain, use a wildcard (*), for example *@yourdomain.com, then press 'Add'. You can add as many users and/or domains as required. Current limits will be displayed under the limit field, and can be removed at any time. Note: users with the Tenant admin role are able to create Hubs regardless of any rules set in Hub creation limitation.
An invite appendix adds text to the end of all invite messages sent from Hubs that belong to a Tenancy. This policy is typically used for legal disclaimers or branding purposes.
Adding and managing tags:
Note: if you remove a tag from the tag manager that is in use, it will be removed from all associated files.
Tag use example:
Tags can be added to files that you own (uploaded) or of which files you are an administrator (shared with full permissions). Tags set on shared content will be displayed for all users that have access to the file/folder.
Tag changes are also shown in the audit log -
Enforced Zero Knowledge
Turning this policy ON disables the share-and-invite feature.
When files are shared with an unregistered address, the file and file key is stored securely by the DekkoSecure system and then passed to the recipient user when they complete registration - This is called “share-and-invite”. After this exchange has taken place, all future interactions between the sender and newly registered user is end-to-end encrypted.
If Enforce Zero Knowledge is ON, Files can only be shared with existing DekkoSecure users, meaning all users must register via an invite, then receive files after they register, meaning all content accessed by them is secured using end-to-end encryption by way of an asymmetric key exchange.
Enforced Zero Knowledge (office file viewing/editing):
Turning this policy ON disables in-app Office file viewing and editing.
Office document viewing and live editing in DekkoSecure is enabled by utilising a facility on a virtual machine in the DekkoSecure PROTECTED Cloud which renders the file, facilitates live editing, and presents the content to users within the web application.
During this rendering and manipulation process, temporary access to the document is granted to the processing appliance via a specifically generated encryption key, which is removed immediately after rendering is complete (when the user exits the file).
This capability is part of the IRAP-PROTECTED assessment undertaken by DekkoSecure.
Disabling access to this feature via a Tenancy policy is provided in order to maintain DekkoSecure’s zero-knowledge capability should this be strictly required for use of the service.