Connecticut State Colleges & Universities
IT Support Center

Protective Enclave FAQ

The following are answers to questions that you may have when using the Protective Enclave.

NOTE: Because the Protective Enclave uses MFA to authenticate, check the MFA FAQ if your question relates to authentication.

Answers:

  •  Once logged in, can I stay logged in all day?
  • Yes, typically, you can log in at the beginning of your work day and minimize the Protective Enclave Virtual desktop window when you are not using it throughout your day. You will only use your NetID and password to unlock the Protective Enclave Virtual desktop if the screensaver kicks in - you won't need to reauthenticate each time using MFA. At the end of your work day, remember to sign out of the Protective Enclave Virtual desktop before you log out of your local workstation.

  •  How do I change the default browser in the PE?
  • Since some applications work better in other browsers, you may find it necessary to change your default browser. Here are the steps:

    • Click the Windows Icon in the bottom left-hand corner of the Enclave's desktop.
    • Type "PC Settings", then click PC Settings.
    • Click "Search and Apps".
    • Click "Defaults".
    • Click the current default browser (e.g. Internet Explorer) under "Web Browser".
    • Select the new browser you want to set as the default.
  •  When using Core-CT, what activities must be done from inside the Protective Enclave?
  • Work completed by anyone maintaining employee records in Core-CT (e.g. Workforce Administration, benefits, Time and Labor, and Payroll) must be done within the Protective Enclave. Restricting access to Core-CT to the Protective Enclave for employee administration purposes will mitigate the exposure of sensitive DCL3 data.

    Employees maintaining their own personal information, entering time, or approving time can access Core-CT outside of the Enclave.

  •  I have a file that McAfee DLP is stating contains DCL3 data and is preventing me from accessing it from outside the enclave. I've reviewed the data and it does not contain DCL3 data. What needs to be done to allow access to this file from outside the enclave?
  • There can be several reasons your file is being flagged as containing DCL3 data even though it doesn't appear to be:

    • Once a file has been encrypted, even if you move the file out of your Enclave-Transfer library and remove DCL3 data or DCL3 keywords from the file and re-save the file, the file will remain encrypted and will not be allowed to be accessed from outside the enclave. You need to remove the DCL3 data prior to saving the file in your Enclave-Transfer library.
    • Banner Student Data: If the report is from a Banner extract that involves student data, it may contain the "Comments field" which is known to contain DCL3 keywords that are used to identify unformatted SSNs, Passports or Driver's Licenses. If you do not need the information found in the "Comments field" for the work you are doing outside the enclave, make sure you remove the "Comments" field (and any other fields not needed), prior to saving it in your Enclave-Transfer library.
    • False positives: Other files can contain data that appears to be DCL3 data (e.g. barcodes, 9-digit numbers, 4 sets of 4-digit numbers) that may result in the file being flagged as if it contained DCL3 data. Sometimes, the McAfee DLP product cannot differentiate between real DCL3 data and unformatted numbers that resemble DCL3 data. The product is designed to accept the least risk and therefore it will encrypt the file to prevent DCL3 data from being allowed out of the enclave. You will need to work with your local IT department, identifying the name of the file and the time/date you were working on the file, in order to determine if this file can be accessed outside the enclave.
  •  Why am I seeing a timeout message appear after logging into the Protective Enclave?
  • Once logged into the Protective Enclave Virtual Desktop, you can simply close the browser window connected to the Citrix Receiver to avoid seeing the session timeout warning. If you don't close it, it will warn you that it will be timing out soon, and then it will time out due to inactivity.

    You can either let it time out or close the browser window once you are connected to the Protective Enclave.


    NOTE: If you log out of the Citrix session (using Log Off), you will disconnect from the Protective Enclave Desktop.

  •  I accidentally clicked the X in the upper-right hand corner of the Protective Enclave Desktop window. Did I lose what I was working on?
  • If you accidentally click the X in the upper-right hand corner of the Protective Enclave Desktop, it may show you a popup.

    It is recommended that you do not enable the "Don't ask me again" option. If you accidentally clicked the X to close the window, the popup will alert you that you are about to disconnect from the Protective Enclave Virtual Desktop. If you do disconnect, in order to not lose any unsaved work, you must reconnect to the Protective Enclave Desktop within 10 minutes. Reconnecting after 10 minutes will result in losing any unsaved work.

    NOTE: Disconnecting by clicking the X is not the proper way to close your Protective Enclave Desktop. Instead, when you are done for the day, save any unfinished work and Sign Out.

  •  I thought all files were shredded in the Enclave-Transfer library nightly. Why are some files still there the next day?
  • There are a few reasons files may be left in the Enclave-Transfer library:

    • The file was locked because an application had the file open and it was not closed before the end of the day. Please make sure you close applications that have files located in the Enclave-Transfer library open.
    • You have the file selected in a File Explorer window (yellow folder icon) and it is being displayed in the Preview Pane. Please make sure you close any File Explorer windows browsing the Enclave-Transfer library, or disable the Preview Pane.
    • The file is larger than the maximum file size that can be shredded. These files will remain in the Enclave-Transfer library until either they are deleted by the user or administrative steps are taken to shred these large files.
  •  My Protective Enclave Desktop just disappeared for no reason even though I was actively working in it. Why?
  • There are two common situations where an active Protective Enclave Desktop would disappear:

    • During the scheduled, weekly maintenance window: Sunday 2 AM - 4 AM. Note that any work that was being done may be lost.
    • When the same account that was used to connect to the Protective Enclave is used to open another Protective Enclave Desktop (for example it is launched from another workstation). There can only be one Protective Enclave Desktop open at a time per user, therefore if a second one is launched, the first one will disconnect without any error, popup or warning. Since it's the same user launching the Protective Enclave Desktop, whatever application was being worked on from the first Protective Enclave Desktop will be right where it was left off when the first Protective Enclave Desktop "disappeared".
  •  What happens when I am logged on to a machine and start a new session on another machine?
  • There can only be one Protective Enclave Desktop open at a time per user, therefore if a second one is launched on another workstation by the same user, the first one will disconnect without any error, popup or warning. Since it's the same user launching the Protective Enclave Desktop, whatever application was being worked on from the first Protective Enclave Desktop will be right where it was left off when the first Protective Enclave Desktop "disappeared".

  •  What is Request DLP bypass on the Data Loss Prevention pop-up?
  • When a file is flagged as containing DCL3, the McAfee Data Loss Prevention popup has a 'Request DLP bypass' link.

    Currently, the 'Request DLP bypass' link is not used by CSCU. If a file is flagged as containing DCL3 and is a false positive, work with your local IT department to have the file allowed out of the Protective Enclave.

  •  How do I access the Enclave Transfer area remotely?
  • Where warranted, certain Connecticut Community Colleges (CCC) internal resources may be remotely accessible for those employees who perform CCC business from a remote location, such as home or when traveling. While measures have been taken to secure this type of connection, remote access is inherently a security risk. Consequently, policy, standards and procedures are required to minimize this risk.

    This procedure details how to work remotely with the Enclave-Transfer folder that is part of the Protective Enclave. To access the Enclave Transfer folder remotely, request Citrix RIS access and explicitly state in the request that access to the Enclave Transfer area is required. Once in RIS, files in the Enclave Transfer area can be accessed via a number of services.

  •  How do I request an application or a site be added in the PE?
  • Requests are only accepted by one of your college's PE Authorized Contacts. Contact your college IT department.

    College department chairs/heads will work directly with their college's PE Authorized Contact to request additional sites or applications that need to be accessed from within the Protective Enclave. Then, the college's PE Authorized Contact will fill out a request form that will submit a ticket to the Service Desk to have the site or application added.

    These are the two types of sites that are considered when being added as an Approved Site or Application:

    • Sites that transmit or have a data entry component for DCL3 data. All of these sites should have secure logins and are not generally used by the public without login credentials.
    • Sites that are used frequently when working with the above sites and would often also be accessed while using them.
This FAQ was last updated: Monday, August 23, 2021