Dell Data Protection | Security Tools Installation Guide
© 2014 Dell Inc. Registered trademarks and trademarks used in the DDP|E, DDP|ST, and DDP|CE suite of documents: Dell™ and the Dell logo, Dell Precision™, OptiPlex™, ControlVault™, Latitude™, XPS®, and KACE™ are trademarks of Dell Inc. Intel®, Pentium®, Intel Core Inside Duo®, Itanium®, and Xeon® are registered trademarks of Intel Corporation in the U.S. and other countries. Adobe®, Acrobat®, and Flash® are registered trademarks of Adobe Systems Incorporated.
Contents
1 Introduction
Overview
2 Requirements
Drivers
Use Old Password
Password Change
Password Manager Page
Introduction
Dell Data Protection | Security Tools (DDP|ST) provides security and identity protection to Dell computer administrators and end users. DDP|ST is pre-installed on all Dell Latitude, OptiPlex, and Precision computers and on select Dell XPS notebooks. Should you need to reinstall DDP|ST, follow the instructions in this guide. For additional support, see www.dell.com/support > Endpoint Security Solutions.
Installation Guide
Requirements
• DDP|ST is pre-installed on all Dell Latitude, OptiPlex, and Precision computers and on select Dell XPS notebooks, and meets the following minimum requirements. Should you need to reinstall DDP|ST, ensure that your computer still meets these requirements. See www.dell.com/support > Endpoint Security Solutions for more information.
• Windows 8.1 should not be installed on drive 1 on self-encrypting drives. This operating system configuration is not supported because Windows 8.
Windows Operating Systems
The following lists the supported software.
Windows Operating Systems (32- and 64-bit)
• Microsoft Windows 7 SP0-SP1
- Enterprise
- Professional
• Microsoft Windows 8
- Enterprise
- Pro
- Windows 8 (Consumer)
• Microsoft Windows 8.1
- Enterprise Edition
- Pro Edition
Hardware
The following lists the supported hardware.
Fingerprint Readers
• Validity VFS495 in Secure Mode
• Broadcom Control Vault Swipe Reader
• UPEK TCS1 FIPS 201 Secure Reader 1.6.3.
Language Support
DDP|ST is Multilingual User Interface (MUI) compliant and supports the following languages.
NOTE: PBA localization is not supported in Russian, Traditional Chinese, or Simplified Chinese.
Interoperability
Deprovision and Uninstall Dell Data Protection | Access
If DDP|A is installed now or has been installed in the past on your computer, you must deprovision the DDP|A-managed hardware and then uninstall DDP|A before installing Security Tools. If DDP|A has not been used, you may simply uninstall DDP|A and restart the installation process. The DDP|A-managed hardware to deprovision includes the fingerprint reader, smart card reader, BIOS passwords, TPM, and the self-encrypting drive.
Uninstall DDP|A
Once the authentication hardware is deprovisioned, uninstall DDP|A.
1 Launch DDP|A and perform a Reset System. This removes all DDP|A-managed credentials and passwords and clears the Trusted Platform Module (TPM).
2 Click Uninstall to launch the installer.
3 When the uninstall finishes, click Yes to restart.
NOTE: Removing DDP|A also unlocks the SED and removes Preboot Authentication.
Initialize the TPM
1. Follow the instructions located at http://technet.microsoft.
Installation and Configuration Tasks
To install DDP|ST, you must be at least a local Admin user.
Install DDP|ST
This section details installing DDP|ST on the local computer.
1 Locate the installation file in the DDP|ST installation media and copy it to the local computer.
NOTE: The installation media can be located at www.dell.com/support > Endpoint Security Solutions.
2 Double-click the file to launch the installer.
3 Select the appropriate language and click OK.
8 Select Next on the Select Feature screen.
9 Depending upon your operating system, a dialog may display to indicate that Security Tools will now be managing your authentication credentials. Click Continue to accept Security Tools as the manager of your authentication credentials, or click Cancel to stop the installation and retain Windows as your authentication credentials manager.
10 Click Install to begin the installation, or click Cancel to continue using the Microsoft operating system to manage your credentials.
11 Once the installation is complete, a computer restart is required. Select Yes to restart and then click Finish. Installation is complete.
Configure DDP|ST
To begin using the features of DDP|ST, they must first be configured.
Configure Features in the Administrator Console
• Launch the Administrator Console from the Desktop shortcut.
NOTE: If logged in as a regular user (using a standard Windows account), the Administrator Console requires UAC elevation to launch.
• Before beginning configuration tasks, you must create a password to be used with DDP|ST. This password is needed any time you log on to the Administrator Console.
• To change your password, from the Home tab, click Administrator Settings.
• To navigate through the Administrator Console, you can either select items from the top menu “tabs” or click the “tiles” in the body of the page. Either method takes you to the same page.
Configure Authentication for Users
1 Click the Authentication tab.
2 Click Preboot Authentication to configure Preboot Authentication.
a This page is visible only if a self-encrypting drive is present on the computer. Change or confirm the following values.
Logon Policies
Non-Cached User Login Attempts Allowed - How many times an unknown user (a user who has not logged in to the computer before, so no credentials have been cached) can attempt to log in.
Cached User Login Attempts Allowed - How many times a known user can attempt to log in.
Question/Answer Attempts Allowed - Number of times the user can attempt to enter the correct answer.
Click Apply when finished.
3 Click Users to manage users and user status.
a New Windows users are automatically added when they log on to Windows or enroll credentials. Click Add to add an existing Windows user. When the Select Users dialog displays, select the Object Type and Location. Enter the object name and click Check Names. Click OK when finished. Select a User and click Enroll to launch the Attended Enrollment Wizard.
Click Delete to remove the Windows user from accessing the Security Console enrollment options.
4 Click Authentication Policy to define how users log in.
a The Logon Policy allows you to configure how Administrators and Users log in to the Windows operating system and system hardware. Double-click one of the logon options or click Add to specify combinations of credentials to use for logon. The Session Policy allows you to configure how Administrators and Users access password-protected software applications and Internet logins.
Functionality During the Grace Period
During a specified Grace Period, after every logon, the Additional Credentials notification displays when the user has not yet enrolled the minimum credentials required to satisfy a changed logon policy. The message content is: Additional credentials are available for enrollment. If additional credentials are available but are not required, the message displays only once after the policy has been changed.
5 Click Credentials to define credential restrictions.
a Click Recovery Questions. Select at least three pre-defined Recovery Questions to be presented to users during Recovery Question Setup in the Security Console. You can also define whether a user is allowed to type their own passphrase. Additionally, you can add up to three custom questions to the list that the user selects from.
Click Apply when finished.
b Click Fingerprints. From the Enrollment tab, set the minimum and maximum number of fingers to enroll. Click Clear all data to clear all fingerprint data from the reader. Click Apply when finished.
From the Sensitivity tab, adjust the False Acceptance Rate (FAR) if desired. The False Accept Rate is the probability of receiving a false acceptance decision when comparing fingerprints scanned from different fingers. The higher the setting, the lower the chance of receiving a false acceptance. However, at the High setting, the system may reject legitimate fingerprints. Click Apply when finished.
6 Click Advanced to modify advanced end user options.
a Under Self-Enrollment, you can optionally allow users to self-enroll credentials or optionally allow users to modify their enrolled credentials.
Allow users to enroll their credentials themselves - The default for this setting is selected. Users are permitted to enroll credentials without intervention by an Administrator.
Under One-Step Logon, optionally enable single sign-on for PBA, if applicable. Click Apply when finished.
Configure Encryption for Users
1 Click the Encryption tab.
2 Click Self-Encrypting Drives to configure self-encrypting drive policies.
a The Self-Encrypting Drives page is visible only if a self-encrypting drive is present on the computer. At least one user is required, although additional users can be added at any time.
Toggle Self-Encrypting Drive Management from OFF to ON to enable encryption for all Windows users on this computer. Recovery data is automatically backed up to your specified location, if available. If the location is not available (for instance, if your backup USB drive is not inserted), DDP|ST prompts you for a location to back up your recovery data. Encryption does not begin until recovery data is saved to a location that is not on this computer. Click Apply when finished.
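The Sensitivity tab described under step 5b moves a matcher's decision threshold, and the guide states the resulting trade-off in words: a higher setting lowers the False Accept Rate but may reject legitimate fingers. The following added example (not Dell's code, and not how the reader's firmware computes anything) makes that trade-off concrete by computing FAR and the complementary False Reject Rate (FRR) over constructed match-score distributions. The Low/Medium/High threshold values and the score distributions are assumptions for illustration only.

```python
"""Added example (not Dell's code): how a fingerprint matcher's decision threshold
trades False Accept Rate (FAR) against False Reject Rate (FRR).

The Sensitivity setting in the Administrator Console moves this threshold; the
Low/Medium/High threshold values below are assumptions for illustration, and the
match-score distributions are constructed, not measured on any reader."""
import random

random.seed(7)  # constructed, reproducible data


def _clamp(x):
    return min(100.0, max(0.0, x))


# Constructed match scores on a 0..100 scale: genuine comparisons (same finger)
# cluster high, impostor comparisons (different fingers) cluster low.
GENUINE = [_clamp(random.gauss(75, 10)) for _ in range(2000)]
IMPOSTOR = [_clamp(random.gauss(35, 10)) for _ in range(2000)]

# Assumed threshold per Sensitivity setting (higher setting = stricter match).
SENSITIVITY = {"Low": 45, "Medium": 55, "High": 65}


def far(threshold, impostor_scores=IMPOSTOR):
    """False Accept Rate: fraction of impostor comparisons scoring at or above the threshold."""
    return sum(1 for s in impostor_scores if s >= threshold) / len(impostor_scores)


def frr(threshold, genuine_scores=GENUINE):
    """False Reject Rate: fraction of genuine comparisons scoring below the threshold."""
    return sum(1 for s in genuine_scores if s < threshold) / len(genuine_scores)


def tradeoff(settings=SENSITIVITY):
    """FAR and FRR for each Sensitivity setting: raising the setting lowers FAR
    but raises FRR, i.e. legitimate fingers start to be rejected."""
    return {name: (far(t), frr(t)) for name, t in settings.items()}


def threshold_for_far(target_far, impostor_scores=IMPOSTOR):
    """Lowest integer threshold whose FAR is at or below the target, so the
    setting can be chosen from an acceptable FAR rather than guessed."""
    for t in range(0, 101):
        if far(t, impostor_scores) <= target_far:
            return t
    return 100


if __name__ == "__main__":
    for name, (fa, fr) in tradeoff().items():
        print(f"{name:6s} threshold={SENSITIVITY[name]:3d}  FAR={fa:.3%}  FRR={fr:.3%}")
    t = threshold_for_far(0.001)
    print(f"threshold for FAR <= 0.1%: {t} (FRR there = {frr(t):.3%})")
```

Running the block prints one row per setting; the useful observation is that FRR at the High setting is the cost paid for its low FAR, which is exactly the caveat the guide gives. A real reader does not expose raw match scores, so the numbers cannot be reproduced on hardware; the point of the example is the shape of the trade-off, not the values.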
Configure Features in the Security Console
• The Security Console provides users with an easy way to enroll their authentication credentials, manage their logons to websites, programs and network resources, back up and restore program data, and monitor encryption status. The Security Console contains three tabs: Setup, Authentication, and Encryption.
1 Launch the Security Console from the Start Menu or the System Tray.
2 When the Security Console launches, the Setup tab displays. The user clicks Setup to launch the DDP|ST Setup wizard.
3 The user clicks Next at the Welcome page.
4 Verify Your Identity
The user enters their Windows password to verify their identity and clicks Next.
5 Recovery Questions
DDP|ST provides a question-and-answer-based method for users to access their Windows account if other credentials are unavailable (for example, if they forgot their password). The user selects pre-defined questions from the drop-down menu and then enters and confirms their answers. The user may also click Skip recovery questions setup to bypass this page at this time.
6 Choose Credentials
On the Choose Credentials page, the user can select which additional credentials to enroll at this time. By default, all credentials permitted by the Administrator and supported by the computer’s hardware and software are listed on this page. Disconnected peripherals are not displayed until they are reconnected. The user clicks Next to continue to enroll the selected credentials.
NOTE: Credentials may be enrolled at any time by re-launching the Setup Wizard.
NOTE: The minimum and maximum number of fingerprints to enroll is configured by the Administrator. The number of swipes needed to complete fingerprint enrollment depends on the quality of the fingerprint scan.
You must enroll a minimum number of fingerprints before you can move to the next screen. To delete an enrolled fingerprint, click the highlighted fingerprint. A confirmation dialog displays, which ensures that the user intends to delete the fingerprint.
b Card Enrollment
To set up a built-in contactless card, place the card very close to the reader. Once the contactless card communicates with the reader, the user is prompted to verify their identity. The user is prompted to Save the credential information after authentication of the card.
c Enrollment summary
A summary of the credentials enrolled is shown after enrollment of required credentials. The user clicks Finish to close the wizard.
8 The Encryption tab displays the protection status of the computer. Once provisioned (encrypted), the status changes to Protected.
Use the DDP|ST Authentication Applications
The Security Console provides access to three applications through the tiles located on the Authentication tab. The applications are:
• Credentials
• Backup and Restore
• Password Manager
Credentials
The Credentials application provides a way to enroll end user credentials. By default, end users enroll and modify their own credentials. However, Administrators may limit the ability of the end user to enroll or manage credentials. If you have prohibited modification of credentials, the following message displays: No credentials allowed for modification. Please contact your system administrator. The end user clicks OK to dismiss the dialog.
Windows Password
The Windows Password page allows end users to easily change their Windows password from within the Security Console. Password changes are effective immediately after clicking Change.
Recovery Questions
The Recovery Questions page is as described in the Setup Wizard. See Recovery Questions.
Fingerprints
Fingerprint enrollment is as described in the Setup Wizard. See Fingerprint Enrollment. You can grant permission to end users to enroll or modify fingerprint credentials in the Remote Management Console.
Cards
Card enrollment is as described in the Setup Wizard. See Card Enrollment.
Back up Data
1 Click Back up data to launch the Backup and Restore Wizard. The first page of the wizard allows the end user to select the application data to back up. By default, Password Manager is selected.
2 The end user clicks Next.
3 On the second page of the wizard, the end user types the location and name of the file to be created or navigates to the desired location by clicking Browse.
6 The end user clicks Next.
7 The final page of the wizard informs the end user that the backup has been completed and lists the applications that have had their data backed up. The end user clicks View Details to view a text log of the backup operations performed.
8 The end user clicks Finish to close the dialog.
Restore Data
1 Click Restore data to launch the Backup and Restore Wizard and restore the data that was previously backed up using Back up Data.
2 The end user enters the name and location of the backup file or clicks Browse to navigate to the file, and then enters the password for the file. The end user clicks Next.
3 On the next page of the wizard, the end user is asked to select the data to restore. By default, all data that is managed is restored.
5 The end user clicks Finish to close the dialog.
Password Manager
Password Manager allows an end user to automatically fill in and submit data required to log on to websites, Windows applications, and network resources. Password Manager also provides the capability for an end user to change their logon passwords through the application, ensuring that logon passwords maintained by Password Manager are kept in sync with those of the targeted resource.
Website and Application Logon Training
• To train new website and application logons, an end user launches the logon screen (a web page or program) to train. An icon displays when the software detects the logon screen. Alternatively, the end user can click Add Logon and then navigate to the web page or program logon screen.
• The Password Manager icon in the upper left area of a screen indicates that this screen can be trained with the software.
• After performing one of the above-listed actions, the Add Logon to Password Manager dialog displays.
Add Logon
• The end user adds their logon information for the website or program in the Add Logon dialog.
• The end user can add or remove logon fields or edit the field labels through the More fields button.
• For password fields, a password strength indicator is shown below the password field in the dialog. The indicator bar changes from red (weak) to yellow (medium) to green (strong).
NOTE: If there are several editable fields on the logon screen, the software may not choose the desired editable fields automatically. To specify which fields to include, the end user can click the More fields button. The More Fields dialog box is displayed and the end user can specify the desired fields. When the end user navigates to a field in the More Fields dialog, the corresponding field on the logon screen is highlighted.
• For application logons, the Submit control changes: a drop-down list of available options displays.
• When saving the entered logon data, the end user is required to authenticate according to the Session Authentication policy in force (configured in the Remote Management Console).
• The Add Logon dialog box can also be launched by clicking the Password Manager icon on the white arrow of the blue circle and selecting the first menu item.
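The Add Logon dialog's red/yellow/green bar is described above but the guide does not say how it scores a password. The following added example (not Dell's code, and not Password Manager's actual scoring) shows one defensible way to build such an indicator: estimate character-set entropy, then override it with a check against common passwords so that a dictionary word with a digit and a symbol appended does not score green. The bit thresholds and the short list of common passwords are assumptions for illustration.

```python
"""Added example (not Dell's code): a password strength indicator of the kind the
Add Logon dialog shows as a red/yellow/green bar. The estimate is character-set
entropy combined with a check against a small constructed list of common
passwords; the bit thresholds and the list are assumptions for illustration."""
import math

# Constructed sample of very common passwords; a real indicator uses a large list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin", "iloveyou"}

# Bits of estimated entropy at which the indicator turns yellow and green (assumed).
MEDIUM_BITS = 40
STRONG_BITS = 60


def charset_size(password):
    """Size of the smallest conventional alphabet containing every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and space
    return size or 95  # anything else (e.g. non-Latin letters): assume full printable ASCII


def entropy_bits(password):
    """Entropy of a uniformly random string over the inferred alphabet. This is an
    upper bound on the real entropy: human-chosen passwords are far from uniform."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def _base_word(password):
    """Strip the trailing digits/punctuation people append to a dictionary word
    ('Password1!' -> 'password') so such variants are still caught as common."""
    return password.lower().rstrip("0123456789!@#$%^&*.?_-")


def strength(password):
    """Return 'weak' (red), 'medium' (yellow) or 'strong' (green)."""
    if password.lower() in COMMON_PASSWORDS or _base_word(password) in COMMON_PASSWORDS:
        return "weak"
    bits = entropy_bits(password)
    if bits < MEDIUM_BITS:
        return "weak"
    if bits < STRONG_BITS:
        return "medium"
    return "strong"


if __name__ == "__main__":
    for pw in ["hello", "Password1!", "abc12345", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{pw!r:32} {entropy_bits(pw):6.1f} bits -> {strength(pw)}")
```

The instructive case is "Password1!": by character-set entropy alone it exceeds the green threshold, which is why an indicator that only counts character classes misleads users; the common-password check is what turns it red. The entropy figure is an upper bound, so the indicator errs toward optimism for anything not on the list, which is the usual limitation of client-side strength bars.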
Web Domain Support
• If an end user has trained a logon screen for a specific web domain but then wants to access their account on that web domain from a different logon screen, the end user can navigate to the new logon screen. The end user is then prompted to use an existing logon or to add a new one to Password Manager.
• If the end user clicks Use logon, they are logged on to the previously created account.
• The end user must authenticate according to the Session Logon authentication policy in force, which is configurable in the Remote Management Console. Upon a successful authentication, the logon data is filled in on the logon screen. The end user is prompted to choose the account to use if more than one logon for the logon screen exists.
• Additional options are available through the context menu upon successful authentication.
For the password, the end user can use their Windows password. All options above are hard-coded and cannot be modified.
Use Old Password
• It is possible that an end user may modify a password in Password Manager and then have the password rejected by the application. In this case, the application allows the end user to use a previous password (a password previously entered for this logon page) instead of the most recent one.
Password Change
• Password Manager provides a change password function that helps the end user create stronger passwords. When the application detects a password change screen, a dedicated Password Manager icon is shown on the password screen.
• Upon authentication, the end user can change their password from a dedicated change password dialog. Generate password functionality is supported. The end user can also choose the complexity criteria to be used in generating a password.
Password Manager Page
• The Password Manager page allows an end user to launch their trained logons and to add, remove, and edit logon data. Until the end user has created a logon, instructional text is shown on the user interface to help the end user understand the password management functionality offered by the program. After the end user has created a logon, the regular user interface displays.
• Logons are grouped by domain. If an end user has multiple logons for the same web domain, the logons are listed, indented, under their domain.
• If the end user clicks the Manage command next to a logon, a drop-down menu shows a subset of the following commands, depending on whether a domain or a logon is selected:
- Open (default; also triggered if the end user double-clicks the logon)
- Edit
- Add
- Delete
• The logons show a password strength indicator bar for each account added.
• If the end user clicks Add category, the Add Category dialog displays.
Settings Page
• On the Settings page, the end user can configure the following:
- The display of the Password Manager icon on the logon screens that can be trained for automatic data fill-in.
- The key combination that can be pressed to display the Logons menu. The default key combination is “Ctl+Alt+H”.
Turning off Password Manager
To turn off Password Manager, follow these steps:
1 Close the web browser, if it is open.
Uninstallation Tasks
• To uninstall DDP|ST, you must be at least a local Admin user.
Uninstall DDP|ST
If you have a computer with a self-encrypting drive, follow these instructions to uninstall:
1 Deprovision the SED. From the Administrator Console > Encryption tab, toggle SED management from ON to OFF. Once the SED is deprovisioned, reboot the computer.
2 Go to Uninstall a Program in the Windows Control Panel (Start > Control Panel > Programs and Features > Uninstall a Program).
Recovery
Self-Recovery, OS Logon
This workflow enables an end user to log on with provisioned recovery questions. Once the user's Recovery Questions have been set up, and if the Allow recovery questions for Windows logon setting is selected on the Recovery Questions page in the Administrator Console, the option to use the recovery questions for Windows logon is available from the Windows Start screen.
1 The end user clicks Can't access your account? to use the Recovery Questions.
2 Clicking the link displays the questions selected by the end user during their initial setup in the Security Console. The end user enters the answers and clicks OK.
3 Upon successful entry of the answers to the questions, the end user is in Access Recovery mode.
The end user selects one option and clicks Next.
NOTE: If none of the options are selected within the Windows timeout period, the end user is automatically logged into Windows without further action.
Self-Recovery, PBA
This workflow enables end users to log on with provisioned recovery questions. Once the end user's recovery questions have been set up, the option to use the recovery questions for PBA self-recovery is available.
1 At the PBA login screen, the end user enters their user name and clicks the gear in the lower left.
2 The end user selects Forgot Password.
3 The end user enters the correct answers to the recovery questions and clicks Finish.
Assisted Recovery, PBA
• For PBA recovery, log on to www.dell.com/support > Endpoint Security Solutions and enter your service tag number, which is located on the bottom of your computer. After entering your service tag number, follow the instructions to contact Dell Support for recovery assistance and to obtain the necessary files.
• Assisted recovery is needed if you need to bypass the PBA login for any reason.
Glossary
Deprovision - Deprovisioning removes the PBA database and deactivates the PBA. Deprovisioning requires a shutdown to take effect.
Preboot Authentication (PBA) - Preboot Authentication (PBA) serves as an extension of the BIOS or boot firmware and guarantees a secure, tamper-proof environment external to the operating system as a trusted authentication layer.