Open ddribeiro opened 2 months ago
Similar to #20805
certain hosts that should not have disk encryption enabled.
@ddribeiro what kind of hosts are these? How are they used by the business? And how does that differ from a normal workstation?
Potential use cases:
@ddribeiro we would like to bring this in for consideration but are out of capacity for the next design sprint. Can you please bring it back on the next prioritization call?
Problem
As a Fleet admin, I'd like the ability to exclude certain hosts on a team from having disk encryption enabled. Currently, enabling disk encryption on a team applies it to all hosts with no options for exclusion.
What have you tried?
The customer looked for a way to use labels to exclude certain hosts from having disk encryption enabled, like they are able to do for custom settings today. This option does not exist in Fleet.
The customer is currently putting these hosts in a separate team that does not have disk encryption enabled. Since disk encryption is the only difference in configuration, it creates extra work to maintain 2 teams with otherwise identical configurations.
Potential solutions
Having a way to use labels to exclude certain hosts on a team from having disk encryption enabled could be a good solution. This would mirror the method we have today to exclude hosts from having custom settings applied.
What is the expected workflow as a result of your proposal?
A customer would create a label in Fleet to identify certain hosts that should not have disk encryption enabled. They would add the host to a team that has the appropriate configuration for that device (profiles, scripts, software, etc.). They would then go to Controls > Disk encryption and apply labels to exclude the disk encryption settings.