Dell Data Protection | Encryption Personal Edition Installation Guide
© 2014 Dell Inc. Registered trademarks and trademarks used in the DDP|E, DDP|ST, and DDP|CE suite of documents: Dell™ and the Dell logo, Dell Precision™, OptiPlex™, ControlVault™, Latitude™, XPS®, and KACE™ are trademarks of Dell Inc. Intel®, Pentium®, Intel Core Inside Duo®, Itanium®, and Xeon® are registered trademarks of Intel Corporation in the U.S. and other countries. Adobe®, Acrobat®, and Flash® are registered trademarks of Adobe Systems Incorporated.
Contents
1 Overview
   Personal Edition
   Security Tools
2 Requirements
   Interoperability
7 Use the Security Tools Authentication Applications
   Credentials
   Password Manager
   Icon Context Menu
10 About Personal Edition Policies and Templates
   Policies
   Template Descriptions
Appendix A
Installation Guide
1 Overview
This guide assumes that Security Tools will be installed with Personal Edition.
Personal Edition
The purpose of Personal Edition is to protect data on your computer, even if the computer is lost or stolen. To ensure the security of your confidential data, the Shield for Windows encrypts the data on your Windows computer. You can always access the data when logged into the computer, but unauthorized users will not have access to this protected data.
2 Requirements
• The user account performing the installation and activation must be a local or domain Admin user.
• Internet connectivity is required to activate.
• To successfully install, Dell Data Protection | Personal Edition requires an entitlement. The entitlement is supplied when you purchase DDP|PE. Depending on how you purchase Personal Edition, you may need to manually install the entitlement. If so, follow the simple instructions that accompany the entitlement.
Hardware Requirements
The following table details supported hardware.
Windows Hardware
• Intel Pentium-class or AMD processor
• 512 MB-1 GB RAM
• +-110 MB of free disk space plus 250 MB free space in Preboot Authentication partition
Optional Embedded Hardware
• Trusted Platform Module (TPM) chipset with TCG Software Stack (TSS) version 1.2.1.42
NOTE: TSS is a component that interfaces with the Trusted Platform Module (TPM).
Windows Hardware
Precision M4800, Precision M6800, Precision T3600, Precision T3610, Precision T5600, Precision T5610, Precision T7600, Precision T7610, Precision T1650, Precision T1700, OptiPlex 9010 AIO, OptiPlex 9010, OptiPlex 7010, OptiPlex 7020, OptiPlex XE2, OptiPlex 9020 AIO, OptiPlex 9020, OptiPlex 9020 Micro, OptiPlex 9030 AIO
Authentication Hardware Support
The following table details supported authentication hardware.
Operating Systems
The following table details supported operating systems.
NOTE: The Encryption client does not support dual boot configurations, as it is possible to encrypt system files of the other operating system, which would interfere with its operation. XP Mode is not compatible with the Encryption client, which is designed to run natively on Microsoft Windows 7 or later.
Operating Systems Supported to Access EMS-Protected Media (32- and 64-bit)
• Microsoft Windows 8.1 - Windows 8.1 Update 1
   - Enterprise Edition
   - Pro Edition
Language Support
The Encryption client and Security Tools are Multilingual User Interface (MUI) compliant and support the following languages.
NOTE: If running DDP|E encryption products, stop or pause an encryption sweep. If running Microsoft BitLocker, suspend the encryption policy. Once DDP|A is uninstalled and Microsoft BitLocker policy is unsuspended, initialize the TPM by following the instructions located at http://technet.microsoft.com/en-us/library/cc753140.aspx.
Deprovision DDP|A-Managed Hardware
1 Launch DDP|A and click the Advanced tab.
2 Select Reset System.
3 Pre-Installation Configuration to Enable HCA
If the computer targeted for encryption is equipped with an HCA card and you intend to use HCA policies, you must first set up and activate the TPM. Follow the instructions in this section to configure HCA prior to Personal Edition installation.
NOTE: The features available as of v8.3 with Enterprise PBA are supported on legacy BIOS non-UEFI computers. If running Windows 8 or Windows 8.
Computer            BIOS Needed
Optiplex 9020 AIO   A06
Optiplex XE2        A05
Precision T1700     A06
e Select Get drivers and downloads in the left menu.
f Click View All Drivers.
g Scroll down to Refine your results and expand the BIOS drop-down. Download and install the updated BIOS, following the prompts in the BIOS installer package. The following example displays a Latitude E7440.
5 Install the product using the DDPSetup.exe file. Using DDPSetup.exe installs Personal Edition and Security Tools.
HCA Pre-Installation BIOS Configuration
If the following hardware and BIOS instructions are not completed, are inaccurate or are otherwise not met, Personal Edition ignores HCA policies and software encryption is implemented.
1 Boot into the BIOS Configuration:
— Press F2 or F12 continuously during boot until a message in the upper right screen says something similar to “preparing to enter setup” (F2) or “preparing one-time boot menu” (F12). Enter the BIOS Administrator password if prompted.
4 Installation Tasks
• To install and activate Personal Edition, you must be a local or domain Admin user.
• If upgrading, Dell recommends upgrading when no encryption sweep is running. Performing an upgrade during an encryption sweep may prevent the client from restarting normally after the installation finishes. If this occurs, a computer restart corrects the issue.
• If running Windows 8.
Best Practices
Dell recommends that IT best practices are followed during the deployment of Personal Edition. We recommend at least the following:
1 Create a Windows Password - It is highly recommended that a Windows password be created (if one does not already exist) to protect access to your encrypted data. Creating a password for your computer prevents others from logging on to your user account without your password.
a Go to the Windows Control Panel (Start > Control Panel).
Install Personal Edition
You can install Personal Edition using the master installer (highly recommended), or alone by extracting the child installer out of the master installer. Either way, Personal Edition can be installed by user interface, command line or scripts, and using any push technology available to your organization. To successfully install, Dell Data Protection | Personal Edition requires an entitlement. The entitlement is supplied when you purchase DDP|PE.
Dialogs display that alert you to the status of installing the prerequisites. This may take several minutes.
4 Click Next when the Welcome screen displays.
5 Read the license agreement, agree to the terms, and click Next.
6 Click Next to install Personal Edition in the default location of C:\Program Files\Dell\Dell Data Protection\.
7 Dell Data Protection | Security Tools is installed by default and cannot be deselected. This is listed as Dell Data Protection | Security Framework in the installer.
8 Click Next.
9 Click Install to begin the installation. A status window displays. This may take several minutes.
10 Select Yes, I want to restart my computer now and click Finish when the InstallShield Wizard Complete screen displays.
11 Once the computer restarts, authenticate to Windows. Installation of Personal Edition + Security Tools is complete. The Security Tools Administrator Console launches immediately after restart and authentication.
The rest of this section explains how to install Personal Edition + Security Tools using the master installer command line and may be skipped.
Parameters
The following table details the parameters available for the installation.
Parameter       Meaning
InstallPath=    path to alternate installation location
FEATURES=PE
Example Command Line Installation
Although the reboot is suppressed in these examples, an eventual reboot is required. Encryption cannot begin until the computer has rebooted. Be sure to enclose a value that contains one or more special characters, such as a blank space, in escaped quotation marks. Command lines are case-sensitive.
The extracted child installers are located at C:\extracted\.
Command Line Installation
For a command line installation, the switches must be specified first. The /v switch is required, and takes an argument. Other parameters go inside an argument that is passed to the /v switch.
Switches
The following table details the switches available for the installation.
Switch   Meaning
/v       Pass variables to the .
Display Options The following table details the display options that can be specified at the end of the argument passed to the /v switch, to achieve your expected behavior.
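The quoting rules above (switches first, everything else inside the single argument given to /v, values containing a blank space wrapped in escaped quotation marks) are easy to get wrong by hand. The following PowerShell function is an added example, not a script from Dell or from this guide: it assembles the command line from a property list so the escaping is done mechanically. The /s silent switch and the /qn and /norestart display options are assumptions based on standard InstallShield and msiexec behaviour (this page's own display-option table is not reproduced here), and the paths are constructed for illustration.

```powershell
# Added example (not Dell's own script): builds a DDPSetup.exe command line
# in which the MSI properties and display options are passed as a single
# argument to the /v switch, as the guide requires. Values containing a blank
# space (or other shell-special characters) are wrapped in escaped quotation
# marks. Assumptions not stated on this page: /s is the InstallShield silent
# switch, /qn and /norestart are the standard msiexec display options, and
# the paths below are constructed for illustration.
function New-DdpInstallCommandLine {
    param(
        [string]$SetupPath = 'C:\extracted\DDPSetup.exe',                      # constructed
        [System.Collections.IDictionary]$Properties = ([ordered]@{ FEATURES = 'PE' }),
        [string[]]$DisplayOptions = @('/qn', '/norestart'),                     # assumption
        [switch]$Silent
    )

    # Property names are passed through unchanged: command lines are case-sensitive.
    $inner = foreach ($name in $Properties.Keys) {
        $value = [string]$Properties[$name]
        if ($value -match '[\s"&|<>^]') {
            # Escaped quotes (\") survive the outer /v"..." quoting.
            "$name=\`"$value\`""
        } else {
            "$name=$value"
        }
    }

    # Switches come first; the display options go at the end of the /v argument.
    $switches = @()
    if ($Silent) { $switches += '/s' }
    $switches += '/v"' + ((@($inner) + $DisplayOptions) -join ' ') + '"'

    return ('"{0}" {1}' -f $SetupPath, ($switches -join ' '))
}

# Builds (but does not run) the line so it can be reviewed first, then handed
# to cmd.exe or a deployment tool. A reboot is still required before
# encryption can begin.
$cmd = New-DdpInstallCommandLine -Silent -Properties ([ordered]@{
    InstallPath = 'D:\Dell Data Protection'   # constructed path containing a space
    FEATURES    = 'PE'
})
$cmd
```

With the constructed inputs above the function returns a line of the form "C:\extracted\DDPSetup.exe" /s /v"InstallPath=\"D:\Dell Data Protection\" FEATURES=PE /qn /norestart": only the value with the blank space receives the escaped quotation marks, FEATURES=PE is passed bare, and the property names keep their original case.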
Then:
Dell ControlVault - C:\extracted\UshCvReset (Dell ControlVault Software Update) Child Installer
• The following example installs Dell ControlVault software driver and firmware updates used by Security Tools (silent installation, no reboot, log file at the specified location, installed in the default location of C:\Program Files\Dell\Dell Data Protection). If the target computer is not equipped with Dell ControlVault, installing this software is not harmful and will have no effect.
5 Configuration Tasks for Administrators
Configure Features in the Security Tools Administrator Console
To begin using the features of Security Tools, they must first be configured.
• Launch the Administrator Console from the Desktop shortcut.
NOTE: If logged in as a regular user (using a standard Windows account), the Administrator Console requires UAC elevation to launch.
• Before beginning configuration tasks, you must create a password to be used with Security Tools.
• To change your password, from the Home tab, click Administrator Settings. • To navigate through the Administrator Console, you can either select items from the top menu “tabs” or click the “tiles” in the body of the page. Either method takes you to the same page.
Configure Authentication for Users
1 Click the Authentication tab.
2 Click Preboot Authentication to configure Preboot Authentication. For preboot authentication, the computer must be equipped with an HCA card, running an enterprise BIOS, and running Personal Edition v8.3 or later.
a This page is visible only if PBA is present on the computer. Change or confirm the following values.
Enter the Crypto Erase Password - A word or code of up to 100 characters used as a failsafe security mechanism. Entering this word or code in the user name or password field during PBA authentication wipes the device permanently. Not entering text in this field results in no crypto erase password being available in case of emergency.
Click Apply when finished.
b This page is visible only if PBA is present on the computer. Change or confirm the following values.
Legal Notice Text - This text displays before being allowed to log on to the device. For example: “By clicking OK, you agree to abide by the acceptable computer use policy.” Not entering text in this field results in no text or OK/Cancel buttons being displayed. Text wrapping occurs at the word level, not the character level. For instance, if you have a single word that is more than approximately 50 characters in length, it will not wrap and no scroll bar will be present, therefore the text will be cut off.
a New Windows users are automatically added when they log on to Windows or enroll credentials. Click Add to add an existing Windows user. When the Select Users dialog displays, select the Object Type and Location. Enter the object name and click Check Names. Click OK when finished. Select a User and click Enroll to launch the Attended Enrollment Wizard. On the Choose Credentials page, select which credentials are to be enrolled for the selected user.
4 Click Authentication Policy to define how users log in.
a The Logon Policy allows you to configure how Administrators and Users log in to the Windows operating system and system hardware. Double-click one of the logon options or click Add to specify combinations of credentials to use for logon. The Session Policy allows you to configure how Administrators and Users access password-protected software applications and Internet logins.
Functionality During the Grace Period During a specified Grace Period, after every log on, the Additional Credentials notification displays when the user has not yet enrolled the minimum credentials required to satisfy a changed logon policy. The message content is: Additional credentials are available for enrollment. If additional credentials are available, but are not required, the message displays only once after the policy has been changed.
5 Click Credentials to define credential restrictions.
a Click Recovery Questions. Select at least three pre-defined Recovery Questions to be presented to users during Recovery Question Setup in the Security Console. You can also define whether a user is allowed to type their own passphrase. Additionally, you can add up to three custom questions to the list that the user selects from.
Click Apply when finished.
b Click Fingerprints. From the Enrollment tab, set the minimum and maximum number of fingers to enroll. Click Clear all data to clear all fingerprint data from the Reader. Click Apply when finished.
From the Sensitivity tab, adjust the False Acceptance Rate (FAR) if desired. The False Accept Rate is the probability of receiving a false acceptance decision when comparing fingerprints scanned from different fingers. The higher the setting, the lower the chance of receiving a false acceptance. However, at the High setting, the system may reject legitimate fingerprints. Click Apply when finished.
6 Click Advanced to modify advanced end user options.
a Under Self-Enrollment, you can optionally allow users to self-enroll credentials or optionally allow users to modify their enrolled credentials.
Allow users to enroll their credentials themselves - The default for this setting is selected. Users are permitted to enroll credentials without intervention by an Administrator.
Click Apply when finished.
7 Close the Administrator Console.
8 A computer shutdown is required to complete the activation process. When prompted, click Shutdown. Turn the computer back on after a complete power-down. Users will now log in through the PBA using their Windows password.
Personal Edition Setup Wizard
1 The Security Tools PBA interface displays. Log on with your Windows username and password. You will be seamlessly passed through to Windows.
2 A dialog displays that states that an application needs elevated privileges to launch. Click Yes to launch the Personal Edition Setup Wizard. If the dialog does not display, open the Encryption Console from the DDP icon in the system tray to launch the Personal Edition Setup Wizard.
View Current Settings
Current settings are the encryption policies in effect for the currently logged on user. Current settings include any policy template overrides made. To access current settings:
1 Click the Advanced tab.
2 Click Reporting in the main menu.
3 Click Current Settings.
6 Configuration Tasks for End Users
Configure Features in the Security Tools Security Console
• The Security Console provides users with an easy way to enroll their authentication credentials, manage their logons to websites, programs and network resources, back up and restore program data, and monitor encryption status. The Security Console contains three tabs: Setup, Authentication, and Encryption.
1 Launch the Security Console from the Start Menu or the System Tray.
2 When the Security Console launches, the Setup tab displays. The user clicks Setup to launch the Security Tools Setup Wizard. 3 The user clicks Next at the Welcome page.
4 Verify Your Identity The user enters their Windows password to verify their identity and clicks Next. 5 Recovery Questions Security Tools provides a question and answer-based method for users to access their Windows account if other credentials are unavailable (for example, if they forgot their password). The user selects pre-defined questions from the drop-down menu and then enters and confirms their answers. The user may also click Skip recovery questions setup to bypass this page at this time.
6 Choose Credentials
On the Choose Credentials page, the user can select which additional credentials to enroll at this time. By default, all credentials permitted by the Administrator and supported by the computer’s hardware and software are listed on this page. Disconnected peripherals are not displayed until they are reconnected. The user clicks Next to continue to enroll the selected credentials.
NOTE: Credentials may be enrolled at any time by re-launching the Setup Wizard.
7 Enroll Credentials During the process of enrolling the credentials selected in the previous step, a series of pages are presented to the user to enroll their credentials. The actual pages shown will vary, depending on the credentials selected by the user. a Fingerprint Enrollment The user enrolls their fingerprint credential on the Choose Credentials page. The user clicks the desired finger to enroll and clicks Save. The user may also click Skip fingerprint enrollment to bypass this page at this time.
The number of swipes needed to complete fingerprint enrollment depends on the quality of the fingerprint scan. The user clicks Save when finished with each finger. To delete an enrolled fingerprint, click the highlighted fingerprint. A confirmation dialog displays, which ensures that the user intends to delete the fingerprint. The user clicks Save when finished.
b Card Enrollment To set up a built-in contactless card, place the card very close to the reader. Once the contactless card communicates with the reader, the user is prompted to verify their identity. The user enters their Windows password and clicks Authenticate. The user is prompted to Save the credential information after authentication of the card.
c Enrollment summary A summary of the credentials enrolled is shown after enrollment of required credentials is complete. The user clicks Finish to close the wizard. 8 The Encryption tab displays the protection status of the computer. Once provisioned (encrypted), the status updates to Protected.
7 Use the Security Tools Authentication Applications
The Security Console provides access to three applications through the tiles located on the Authentication tab. The applications are:
• Credentials
• Backup and Restore
• Password Manager
Credentials
The Credentials application provides a way to enroll end user credentials. By default, end users enroll and modify their own credentials. However, Administrators may limit the ability of the end user to enroll or manage credentials.
However, if the Administrator has prohibited end users from enrolling their credentials, the navigation to the end users’ credentials is hidden. The following message displays on the page: No credentials allowed for setup. Please contact your administrator. If the Administrator has prohibited modification of credentials, the following message displays: No credentials allowed for modification. Please contact your system administrator. The end user clicks OK to dismiss the dialog.
Windows Password The Windows Password page allows end users to easily change their Windows password from within the Security Console. Password changes are effective immediately after clicking Change. IMPORTANT: End users should be instructed to change their Windows password only in the Security Console, rather than in Windows. If the Windows password is changed outside of the Security Console, a password mismatch will occur, requiring a recovery operation.
3 End users can also view a text log of backup and restore operations performed on this computer by clicking View Backup and Restore log at the bottom of the Backup and Restore page.
NOTE: The data backed up does not include Windows or PBA logon credentials or credential-specific information, such as the end user's fingerprints.
Back up Data
1 Click Back up data to launch the Backup and Restore Wizard. The first page of the wizard allows the end user to select the application data to back up.
2 The end user clicks Next. 3 On the second page of the wizard, the end user types the location and name of the file to be created or navigates to the desired location by clicking Browse. If the end user attempts to back up the data to the same drive as the original data, a warning displays a recommendation to back up the data to portable storage or a network drive. 4 The end user clicks Next.
6 The end user clicks Next. 7 The final page of the wizard informs the end user that the backup has been completed and lists the applications that have had their data backed up. The end user clicks View Details to view a text log of the backup operations performed. 8 The end user clicks Finish to close the dialog.
Restore Data 1 Click Restore data to launch the Backup and Restore Wizard and to restore the data that was previously backed up using Back up Data. 2 The end user enters the name and location of the backup file or clicks Browse to navigate to the file and then enters the password for the file. The end user clicks Next. 3 On the next page of the wizard, the end user is asked to select the data to restore. By default, all data that is managed is restored.
5 The end user clicks Finish to close the dialog.
Password Manager
• Due to the ever-changing structure of web logon screens, the software may not be able to support all websites at all times.
• On Dell Venue tablets, touch capability for Password Manager icons is not available.
• If running on Firefox or Chrome, you must install and register the Password Manager extension. For instructions on installing extensions:
   • in Mozilla Firefox, see https://support.mozilla.org/.
   • in Google Chrome, see https://support.google.com/chrome/.
• The Password Manager icon in the upper left area of a screen indicates that this screen can be trained with the software.
• To start training a logon screen, an end user can perform any of the following actions:
a Scan enrolled credentials. An end user with an enrolled fingerprint or contactless smart card can touch the fingerprint reader with an enrolled fingerprint or present an enrolled card to the card reader.
Add Logon • The end user adds their logon information for the website or program in the Add Logon dialog. • The end user can add or subtract logon fields or edit the field labels through the More fields button. • For password fields, a password strength indicator is shown below the password field in the dialog. The indicator bar changes from red (weak) to yellow (medium) to green (strong). To accommodate color blindness, the length of the strength bar grows as the password becomes stronger.
• An end user can edit field labels by clicking on the item in the fields list. • For logon to applications, Submit changes. A drop-down list of available options displays. • When saving the entered logon data, the end user is required to authenticate according to the Session Authentication policy in force. • The Add logon dialog box can also be launched by clicking the Password Manager icon on the white arrow of the blue circle and selecting the first menu item.
Icon Context Menu The context menu displays the following options: • Add to Password Manager - launches the Add logon dialog. • Open Password Manager - launches the Password Manager page in the Security Console. • Icon Settings - Allows the end user to configure the display of the Password Manager icon on trainable logon pages. NOTE: The Exclude this screen option is not reversible for the specific logon screen for the current user.
Logging on to Trained Logon Screens • If the end user directly navigates to a web or application logon, the application detects whether this screen was trained and shows the Password Manager icon in the upper left corner of the screen. • The first three times the end user accesses a trained logon, an information balloon is shown to guide the end user. • To start the logon process, an end user can perform any of the following actions: a Scan enrolled credentials.
Open Password Manager - The Security Console is opened to the Password Manager page. Filling in with Windows Credentials • The application allows the end user to use their Windows credentials for web and application logon. Instead of typing the username and password, the end user can choose their Windows credentials from the drop-down menus available in the Add Logon and Edit Logon dialogs.
Use Old Password • It is possible that an end user may modify a password in Password Manager and then have the password rejected by the application. In this case, the application allows the end user to use a previous password (a password previously entered for this logon page) instead of the most recent one. • If the end user selects Use previous password, then after authentication, the end user is prompted to choose an old password from the Password Manager list.
Password Change • Password Manager provides a change password functionality that helps the end user create stronger passwords. When the application detects a password change screen, a dedicated Password Manager icon is shown on the password screen. • Upon authentication, the end user can change their password from a dedicated change password dialog. Generate password functionality is supported. The end user can also choose the complexity criteria to be used in generating a password.
Password Manager Page • The Password Manager page allows an end user to launch their trained logons and to add, remove, and edit logon data. Until the end user has created a logon, instructional text is shown on the user interface to help the end user understand the password management functionality offered by the program. After the end user has created a logon, the regular user interface displays.
• Logons are grouped by domain. If an end user has multiple logons for the same web domain, the logons will be listed, indented, under their domain.
• If the end user clicks the Manage command next to a logon, a drop-down menu shows a subset of the following commands, depending on whether a domain or a logon is selected:
   Open (default - also triggered if the end user double-clicks the logon)
   Edit
   Add
   Delete
• The logons show a password strength indicator bar for each account added.
• If the end user clicks the Add category, the Add Category dialog displays.
Settings Page
• On the Settings page, the end user can configure the following:
   • The display of the Password Manager icon on the logon screens that can be trained for automatic data fill-in.
   • The key combination that can be pressed to display the Logons menu. The default key combination is “Ctl+Alt+H”.
Turning off Password Manager
To turn off Password Manager, follow these steps:
1 Close the web browser, if it is open.
8 Decryption and Uninstallation Tasks
The user performing decryption and uninstallation must be a local or domain Admin user. When using System Data Encryption (SDE), User, or Common encryption, file decryption optionally occurs at uninstallation if you choose to install the Encryption Removal Agent, enabling you to decide whether or not to decrypt files. When using HCA encryption, all HCA-encrypted drives must be decrypted prior to uninstallation.
5 Name the key LogVerbosity.
6 Double-click the key to open it.
7 Enter 0, 1, 2, 3, or 5 in the Value Data: field.
   LogVerbosity 0: no logging
   LogVerbosity 1: logs errors that prevent the Service from running
   LogVerbosity 2: logs errors that prevent complete data decryption (recommended logging level)
   LogVerbosity 3: logs information about all decrypting volumes and files
   LogVerbosity 5: logs debugging information
8 Select Hexadecimal in the Base section.
9 Click OK to save and close the key.
4 At the Encryption Removal Agent Installation screen, select either:
NOTE: The second option is enabled by default. If you wish to decrypt files, be sure you change the selection to option one.
• Encryption Removal Agent - Import Keys from a File
   For SDE, User, or Common encryption, this option decrypts encrypted files and uninstalls Personal Edition. This is the recommended selection.
• Do not install Encryption Removal Agent
   This option uninstalls Personal Edition but does not decrypt encrypted files.
• An error occurred during the decryption sweep.
In all cases, a log file is created (if logging is configured) when LogVerbosity=2 (or higher) is set. To troubleshoot, set the log verbosity to 2 and restart the Encryption Removal Agent Service to force another decryption sweep.
Complete – The decryption sweep is complete. The Service, the executable, the driver, and the driver executable are all scheduled for deletion on the next restart.
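The LogVerbosity steps above and the troubleshooting advice (set verbosity to 2, restart the Service, let it sweep again) are manual Registry Editor and Services console actions. The PowerShell below is an added example, not a script from Dell or from this guide, that performs the same two actions with a check that only the documented levels (0, 1, 2, 3, 5) are accepted and that the value written is actually what is read back. This page does not name the registry key that holds LogVerbosity or the Encryption Removal Agent service, so $KeyPath and $ServiceName are placeholders that must be replaced with the values given in the guide's preceding steps.

```powershell
# Added example (not Dell's own script) for the LogVerbosity steps and the
# "set verbosity to 2 and restart the Service" troubleshooting advice.
# Placeholders: this page does not name the registry key or the service, so
# $KeyPath and $ServiceName below MUST be replaced with the values given in the
# guide's preceding steps before use.
$LogVerbosityLevels = [ordered]@{
    0 = 'no logging'
    1 = 'errors that prevent the Service from running'
    2 = 'errors that prevent complete data decryption (recommended)'
    3 = 'information about all decrypting volumes and files'
    5 = 'debugging information'
}

function Set-RemovalAgentLogVerbosity {
    param(
        [Parameter(Mandatory)][int]$Level,
        [string]$KeyPath = 'HKLM:\SOFTWARE\PLACEHOLDER\Encryption Removal Agent'   # placeholder
    )
    # Only the documented levels are accepted (4 is not one of them).
    if (-not $LogVerbosityLevels.Contains($Level)) {
        throw "LogVerbosity $Level is not documented; use one of: $($LogVerbosityLevels.Keys -join ', ')"
    }
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # REG_DWORD corresponds to the Hexadecimal-base value the guide has you create.
    New-ItemProperty -LiteralPath $KeyPath -Name 'LogVerbosity' -Value $Level `
        -PropertyType DWord -Force | Out-Null
    # Read the value back and verify it rather than trusting the write.
    $actual = (Get-ItemProperty -LiteralPath $KeyPath -Name 'LogVerbosity').LogVerbosity
    if ($actual -ne $Level) { throw "Read-back mismatch: wrote $Level, found $actual" }
    return $actual
}

function Invoke-RemovalAgentDecryptionRetry {
    param(
        [string]$KeyPath = 'HKLM:\SOFTWARE\PLACEHOLDER\Encryption Removal Agent',   # placeholder
        [string]$ServiceName = 'PLACEHOLDER_REMOVAL_AGENT_SERVICE'                  # placeholder
    )
    # Level 2 records the errors that prevent complete decryption, which is the
    # level the troubleshooting step asks for; restarting the Service forces a
    # new decryption sweep.
    Set-RemovalAgentLogVerbosity -Level 2 -KeyPath $KeyPath | Out-Null
    Restart-Service -Name $ServiceName -ErrorAction Stop
    Get-Service -Name $ServiceName
}
```

Run from an elevated PowerShell session, since both the HKLM write and the service restart require Administrator rights. Calling Set-RemovalAgentLogVerbosity -Level 4 throws instead of silently writing an undocumented level, and Invoke-RemovalAgentDecryptionRetry returns the service object so the caller can confirm the Status is Running before looking for the new log file.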
9 Data Recovery
Personal Edition
Situations such as operating system failure or hardware failure may cause encrypted data to become inaccessible. Data recovery allows you to regain access to encrypted data on computers encrypted by Personal Edition. There are two data recovery methods:
• Recover Data Using Current Computer - If the target computer is still bootable, data recovery can be accomplished in-place.
• Recover Data using the Recovery .
6 Enter the password associated with this file. 7 A dialog displays notifying you which disk is being recovered. Click Recover. 8 A dialog displays notifying you that recovery was completed successfully. Click Finish. 9 Restart the computer when prompted and re-authenticate to Windows. Data recovery is complete and you may use your computer as usual. If recovery fails, refer to Troubleshooting Recovery for assistance.
2 The end user selects Forgot Password. 3 The end user enters the correct answers to the recovery questions and clicks Finish.
Security Tools Self-Recovery, OS Logon This workflow enables an end user to log on with provisioned recovery questions. Once the user's Recovery Questions have been set up, and if the Allow recovery questions for Windows logon setting is selected on the Recovery Questions page in the Security Tools Administrator Console, then the option to use the recovery questions for Windows logon is available from the Windows Start screen. 1 The end user clicks Can't access your account? to use the Recovery Questions.
2 Clicking the link displays the questions selected by the end user during their initial setup in the Security Console. The end user enters the answers and clicks OK.
3 Upon successful entry of the answers to the questions, the end user is in Access Recovery mode. The following options are available to end users: • Change their Windows password • Re-enroll their credentials • Go directly into Windows The end user selects one option and clicks Next. NOTE: If none of the options are selected within the Windows timeout period, the end user is automatically logged into Windows without further action.
10 About Personal Edition Policies and Templates

A word about types of encryption: SDE is designed to encrypt the operating system and program files. To do this, SDE must be able to open its key while the operating system is booting, without the user entering a password. Its intent is to prevent alteration of, or offline attacks on, the operating system by an attacker. Because the key is released without user authentication, SDE protects against offline tampering only; it does not protect files from anyone who can boot and log on to the computer, which is why SDE is not intended for user data.
The policy table below has one column per template, in this order: Aggressive Protection for All Fixed Drives and External Drives; PCI Regulation Targeted; Data Breach Regulation Targeted; HIPAA Regulation Targeted; Basic Protection for All Fixed Drives and External Drives (Default); Basic Protection for All Fixed Drives; Basic Protection for System Drive Only; Basic Protection for External Drives; Encryption Disabled; followed by the policy Description.

Hardware Crypto Accelerator
This policy is the “master policy” for all other Hardware Crypto Accelerator (HCA) policies. If this policy is False, no HCA encryption takes place, regardless of other policy values.
Application Data Encryption List
Default: winword.exe, excel.exe, powerpnt.exe, msaccess.exe, winproj.exe, outlook.exe, acrobat.exe, visio.exe, mspub.exe, notepad.exe, wordpad.exe, winzip.exe, winrar.exe, onenote.exe, onenotem.exe
String - maximum of 100 entries of 500 characters each. We do not recommend adding explorer.exe or iexplore.exe (Internet Explorer) to the ADE list, as unexpected or unintended results may occur.

Application Data Encryption Key
Selects the key used for data covered by the Application Data Encryption List.

Encrypt Outlook Personal Folders: True

Encrypt Temp Files: True
Encrypt Temp Internet Files: True
True encrypts the folder identified by the shell folder constant CSIDL_INTERNET_CACHE (the Internet Explorer cache; this is a Windows shell folder identifier, not an environment variable) with the User Data Encryption Key. To reduce encryption sweep time, the client clears the contents of that folder at initial encryption, as well as on updates to this policy. This policy is applicable when using Microsoft Internet Explorer only.
User Encryption Algorithm (User Data Encryption Key policy)
Values: AES 256, Rijndael 256, AES 128, Rijndael 128, 3DES
Encryption algorithm used to encrypt data at the individual user level. You can specify different values for different users of the same endpoint. Prefer AES 256 where there is no compatibility reason not to: 3DES is a legacy algorithm with a 64-bit block size that is slower and weaker than AES, and the Rijndael 256/128 options are the non-standardized Rijndael block-size variants rather than FIPS 197 AES.
EMS Scan External Media: True
True allows EMS to scan removable storage every time removable storage is inserted. When this policy is False and the EMS Encrypt External Media policy is True, EMS only encrypts new and changed files. A scan occurs at every insertion so that EMS can catch any files added to the removable storage without authenticating: you can add files to the removable storage if you decline to authenticate, but you cannot access encrypted data.
EMS Encryption Rules
Encryption rules to be used to encrypt or not encrypt certain drives, directories, and folders. A total of 2048 characters is allowed. “Space” and “Enter” characters used to add lines between rows count as characters used. Any rules exceeding the 2048 limit are ignored. Storage devices which incorporate multi-interface connections, such as FireWire, USB, eSATA, etc., may require the use of both EMS and encryption rules to ensure the device is encrypted on every interface.
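The two limits above are easy to get wrong when a policy value is edited by hand: the Application Data Encryption List is capped at 100 entries of 500 characters each, and the EMS Encryption Rules value is capped at 2048 characters with the spaces and line breaks between rows counted, so a rule near the end can be silently ignored. The following checker is an added example written for this guide, not Dell code; it does not read or write the product's policies. It assumes that each non-empty line of the EMS value is one rule (the rule syntax itself is not parsed) and that CRLF line breaks are counted the same as LF; the sample inputs are constructed here, with the default ADE list copied from the policy table.

```python
"""Offline checker for two Personal Edition policy strings whose limits the
guide states: the Application Data Encryption (ADE) List (at most 100 entries
of at most 500 characters each; explorer.exe and iexplore.exe discouraged)
and EMS Encryption Rules (2048 characters in total, spaces and line breaks
between rows included, rules past the limit ignored).

Added example for this guide, not Dell code; it does not touch the product.
Assumptions: each non-empty line of the EMS value is one rule (syntax is not
parsed), and CRLF is counted like LF.
"""

from dataclasses import dataclass, field

ADE_MAX_ENTRIES = 100
ADE_MAX_ENTRY_LEN = 500
EMS_RULES_MAX_CHARS = 2048
ADE_DISCOURAGED = {"explorer.exe", "iexplore.exe"}  # per the policy description

# Default ADE list from the policy table (constructed here as sample input).
DEFAULT_ADE_LIST = [
    "winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe", "winproj.exe",
    "outlook.exe", "acrobat.exe", "visio.exe", "mspub.exe", "notepad.exe",
    "wordpad.exe", "winzip.exe", "winrar.exe", "onenote.exe", "onenotem.exe",
]


@dataclass
class CheckResult:
    accepted: list = field(default_factory=list)   # entries/rules that take effect
    rejected: list = field(default_factory=list)   # (position, text, reason)
    warnings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.rejected


def check_ade_list(entries):
    """Apply the ADE List limits.  Empty or over-long entries are rejected,
    entries beyond the 100th accepted one are rejected, and the two discouraged
    executables are accepted with a warning (the guide only advises against them)."""
    result = CheckResult()
    for index, raw in enumerate(entries):
        entry = raw.strip()
        if not entry:
            result.rejected.append((index, raw, "empty entry"))
        elif len(entry) > ADE_MAX_ENTRY_LEN:
            result.rejected.append((index, raw, f"longer than {ADE_MAX_ENTRY_LEN} characters"))
        elif len(result.accepted) >= ADE_MAX_ENTRIES:
            result.rejected.append((index, raw, f"more than {ADE_MAX_ENTRIES} entries"))
        else:
            result.accepted.append(entry)
            if entry.lower() in ADE_DISCOURAGED:
                result.warnings.append(f"{entry}: not recommended in the ADE list")
    return result


def check_ems_rules(text):
    """Apply the EMS Encryption Rules limit.  Every character of the value,
    including the newline between rows, is counted; a rule is ignored when its
    last character lies past position 2048, so a rule that merely starts inside
    the limit can still be dropped.  CRLF is normalised to LF before counting."""
    result = CheckResult()
    value = text.replace("\r\n", "\n")
    start = 0  # offset of the current rule's first character
    for line in value.split("\n"):
        end = start + len(line)  # offset just past the rule's last character
        if line.strip():
            if end <= EMS_RULES_MAX_CHARS:
                result.accepted.append(line)
            else:
                result.rejected.append((start, line, f"ends past character {EMS_RULES_MAX_CHARS}; ignored"))
        start = end + 1  # the newline separating rows counts too
    if len(value) > EMS_RULES_MAX_CHARS:
        result.warnings.append(f"value is {len(value)} characters, limit is {EMS_RULES_MAX_CHARS}")
    return result


if __name__ == "__main__":
    ade = check_ade_list(DEFAULT_ADE_LIST + ["explorer.exe"])
    print("ADE ok:", ade.ok, "warnings:", ade.warnings)
    # 33 placeholder rows of 63 characters: rows 1-32 fit, row 33 starts at offset 2048.
    rules = "\n".join(f"rule{n:02d}".ljust(63, ".") for n in range(1, 34))
    ems = check_ems_rules(rules)
    print("EMS accepted:", len(ems.accepted), "ignored at offsets:", [r[0] for r in ems.rejected])
```

Running the checker on a proposed value before applying it shows which rows would be dropped; the offset in each rejected tuple tells you where to split or shorten the rule set so that the rules you care about stay inside the first 2048 characters.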
Port: USB
Enabled. Enable, Disable, or Bypass port access to external USB ports.
Note: USB port-level blocking and HID class-level blocking are only honored if the client can identify the computer chassis as a laptop/notebook form factor. The client relies on the computer's BIOS for identification of the chassis, so before depending on this policy on a given model, confirm what chassis type the BIOS reports (in Windows, the ChassisTypes property of the Win32_SystemEnclosure WMI class exposes the SMBIOS value).

Port: eSATA
Enabled. Enable, Disable, or Bypass port access to external SATA ports.

Port: PCMCIA
Enabled. Enable, Disable, or Bypass port access to PCMCIA ports.
Class: Windows Portable Device (WPD)
Enabled. PARENT of the next policy. Set this policy to Enabled to use the Subclass Windows Portable Device (WPD): Storage policy. Setting this policy to Disabled disables the Subclass Windows Portable Device (WPD): Storage policy, no matter what its value. Controls access to all Windows Portable Devices.

Subclass Windows Portable Device (WPD): Storage
Enabled. CHILD of Class: Windows Portable Device (WPD), which must be set to Enabled to use this policy. Full Access: the port does not have read/write data restrictions applied.
PCI Regulation Targeted
Payment Card Industry Data Security Standard (PCI DSS) is a multi-faceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. This comprehensive standard is intended to set the guidelines for organizations to proactively protect customer account data. This policy template:
• provides protection of the System Drive and all Fixed Drives.
• provides Hardware Crypto Accelerator encryption (when a compatible Hardware Crypto Accelerator is detected on the client computer).
• prompts users to encrypt Removable Storage devices.
• provides the ability to write only UDF CD/DVDs. Port control configuration allows read access to all optical drives.
Appendix A

Change Secure Boot/UEFI to Legacy Boot Mode in BIOS
The HCA features available as of v8.3 are supported on legacy BIOS (non-UEFI) systems. If running Windows 8 or Windows 8.1, follow these instructions prior to client installation.
1 Turn on the power to your Dell computer. If the computer is already running, reboot it.
5 In Settings > Secure Boot > Secure Boot Enable, ensure that Secure Boot Enable is set to Disabled.
6 Apply the changes.
7 Now that the computer BIOS has been changed to legacy boot mode, the computer must be re-imaged: a Windows installation made for UEFI boots from a GPT system disk that will not boot in legacy mode.
Note that with Secure Boot disabled, the firmware no longer verifies the boot loader's signature before running it; that check is given up on these systems in order to use HCA, so the remaining protection of the boot chain comes from the encryption product rather than from the firmware.
Glossary

Common Encryption – The Common key makes files accessible to all managed users on the device where they were created.

Encryption Administrator Password (EAP) – The EAP is an administrative password that is unique to each computer. Most configuration changes made in the Local Management Console require this password. This password is also the same password that is required if you have to use your LSARecovery_[hostname].exe file to recover your data. Record and save this password in a safe place.

Trusted Platform Module (TPM) – This Trusted Computing Group specification deals with the storage of encryption keys, platform integrity, authentication of hardware devices and other security functions. It is also used as the general name of implementations of that specification, as in “TPM chip” or “TPM Security Device”.

User Encryption – The User key makes files accessible only to the user who created them, only on the device where they were created.