Client Configuration Policy Best Practices
  • 18 Oct 2020
  • 2 Minutes To Read
  • Print
  • Share
  • Dark
    Light

Client Configuration Policy Best Practices

  • Print
  • Share
  • Dark
    Light

Client Configuration Policies allow SecureCircle administrators to define Circle-specific device configuration settings. A single Client Configuration Policy may be applied to multiple Circles. The following are best practices when creating Client Configuration Policies.

Set Caching TTLs to the Longest Possible that Meets Security Requirements

Increasing client cache TTLs to the longest times will increase client performance and decrease load on the SecureCircle Server. This is especially important if users are using applications that interface with a large number of files in a short amount of time (e.g., applications that quickly access large repositories of small files, such as IDEs that access and index source code). The longer the TTL, the longer it may take access control changes to take effect, so it is important to determine a realistic expectation for the time between when an administrative access control change takes place, such as a Directory Policy being updated on a Circle, and the time when the access change takes effect on a user's device. In many cases, it is acceptable to allow this TTL to be many minutes, or even many hours.

Best practices for each TTL setting are as follows.

Client Configuration Default Best Practices
Online Cache TTL (sec) 15 The longest possible that fits into realistic expectations for the time between an access policy change and the change going into effect on a device. Consider 10 minutes (600 sec) up to an hour (3600 sec).
Offline Cache TTL (sec) 86400 The longest that users should be reasonably able to access data on their devices without coming online (e.g., in airplane mode). Consider 1 day (86400 sec) up to 1 week (604800 sec)
Key Cache TTL (sec) 2147483647 The highest number possible (2147483647 sec) unless the organization has a specific compliance requirement governing how long per-file encryption keys can be cached on user endpoints.
Information

With Active Directory installations, it is important to note that the various TTL settings apply to when the endpoint was last connected to a network that had access to your Active Directory server. Being connected to a Guest network or travelling around without tunneling through VPN will result in the Offline Cache TTL going into effect.

Leave File Tagging Disabled, Unless Specifically Required

File tagging allows for application-level metadata to be added to supported file types. This is almost always unnecessary and is not able to be used in conjunction with Derivative Works Protection.

Leave Derivative Works Protection Enabled, Unless Specifically Not Required

Derivative Works Protection will protect existing or newly-written data that matches data (with the given % threshold) already protected in a Circle. This provides significant protection in most cases, but may be unnecessary in certain cases, such as when data is moving as part of a contained data pipeline.

Was This Article Helpful?