SGFE for Mac - policy vs. interface
Some attention to the interface would seem necessary to address perceived "shortcomings" in the product regarding external media (thumb drives...)
Policy set to always encrypt. Dialog box pops up asking if user wants to encrypt.
No encryption takes place until the dialog box is addressed even though policy is to always encrypt.
This leaves a window of opportunity for the user to not encrypt the drive/data. Arguably that is nice, in the event the drive is not yours, and it would be problematic to encrypt data on a drive that is from a user outside of the organization...
But the dialog box alone is insufficient to address the options, and instead leads to confusion for the user, possibly leading to leaked unsecured data.
Policy overrides dialog box at the instant an external drive is inserted, or
Dialog box makes clear the option of ejecting the drive (like, perhaps, an eject button :) ) to prevent encrypting someone else's drive.
Alternatively, any unencrypted media is mounted read only until the user chooses to encrypt.