Theft Deterrent
Contents
1. Values Language en US English pt BR Portuguese tr TR Turkish es MX Spanish After installation completes the client is opened automatically 10 3 Pre set server address and address modify protection password The server address can be preset in master image so all the client will have the server address before it shipped out to end customer A password to protect the server address being changed can be preset in the master image as well This password will be reset to the protection password in server setting once after the client connects with the server Item Windows method Linux method Android method Server address In Master image edit the address and A file named as tdip txt Save under sdcard Address protection Set during install 1 Generate a password encryption file password process passwordPro ini E gt TDPasswordGen exe 2X12 23 Version 0 9293 Generate password file success 2 Copy the passwordPro ini under the client install path 10 4 Open Theft Deterrent client The client and guardian are loaded automatically at system start up You can open the client from either the client tray icon or the shortcut according to your operating system For more information on how to use the client see the Intel Education Theft Deterrent client User Manual 10 4 1 Open Theft Deterrent client on Windows If your operating system is Windows 7 you can open the client with eit2. This chapter introduces the procedures to deploy the server on Windows The deployment steps install the download feature as part of the web service by default If you want to use a seperate download server complete the following deployment steps and then configure the server to use the third party download server with the steps in chapter 9 6 1 Install Theft Deterrent server Copy the server installation package Theft_Deterrent_server_v4 0 10000 version zip to the local disk and then extract the installation package into a temporary folder In the temporary folder right click setup exe and select Run as administrator to open the installation wizard Follow these steps to deploy the server 1 Select a language of your choice and then click OK 2 Accept the license agreement and then click Next 3 Select Local Database and then click Next Figure 11 Database Location ie Intel R Education Theft Deterrent Server InstallShield Wizard a x Database Location Select the location of the database a Please select the location of the database server Local Database The database server and the web server will be installed on the same computer This option is recommended for small scale deployment C Separate Database The database server and the web server will be installed on different computers separately This option is recommended for large scale deployment 4 Seta password for the database server and
3. Education Theft Deterrent Deployment Guide Revision 1 6 Figure 26 Activate Server 1 Activate Theft Deterrent server x Step 1 Register the information of the Theft Deterrent server to the Central Server and get the activation code Server name East High School Server Location East Lake Contact person support admin E mail admin school com Phone number 022 1995554444 Central Server address 192 168 1 158 online registration vB Only skip this step if you want to reactivate the server When your request is approved by the central server admin you will receive an activation code The approval process might take a while and you can log out of the server during this period After you receive the activation code log in the server and click Register Server on the Activate Theft Deterrent server page Step 1 You can skip this step if you did not log out the server On the Activate Theft Deterrent server page Step 2 input the activation code and the IP address of the central server Then click Activate Server Figure 27 Activate Server 2 Activate Theft Deterrent server x Step2 Enter the activation code received from the Central Server to activate the Theft Deterrent server Activation Code 7777777T 9999 44d7 ba99 0e00eec00 Central Server Address 192 168 1 158 online activation lt Back Activate Server When you see the activation success message click OK 8 1 2 Reactivate Theft Deterrent ser
4. Enable Server Name URL Delete EJ TD Download server http 192 168 1 100 tdupdate 300 200 KB s Add Server Cancel For more information on how to configure the separate download server contact your local TME for support 43 Intel Education Theft Deterrent Deployment Guide Revision 1 10 Manually Deploy Theft Deterrent client and guardian The client and the Theft Deterrent guardian guardian are Theft Deterrent components that run on devices The client can lock and unlock devices based on the certificates received from the Theft Deterrent server while the guardian is a client protection application that restores the client if it is uninstalled or disabled Both components support the following operating systems e Windows 7 or 8 e Debian 7 32 bits e Debian 7 64 bits e Android The client and guardian are usually preloaded in factory during the manufactory of the devices If your device is not preloaded with a client or guardian you can deploy the components manually As a best practise the client should be kept running at all times Therefore for each client deployed you must deploy a guardian on the same device This chapter introduces the steps to deploy the client and guardian on devices running the Windows or Debian operating system For all devices running the Android operating system the client and guardian are always preloaded and thus would not require manual deployment Note The device s TPM
5. Figure 7 Database Location Setting Select the location of the database Local database 2 Separate database 4 Seta password for the database server Select Next and then press Enter Select a server support mode of your choice and then select Next Press Enter 6 If you choose to install the Stand alone mode select the Root Public Key type for you deployment on the next page g Figure 8 Select Root Public Key Type Stand alone Mode Settings 1 Select the Root Public Key Muse your own Root Public Key f 2 Use Intel Root Public Key L lt Previous gt 7 Ifyou choose to deploy the server with your own Root Public Key you must import the Root Public Key file with the extension pubkey or bin by copying the key to your local machine and then inputting the location of the key in the following window e g opt CmpcRoot pubkey 16 Intel Education Theft Deterrent Deployment Guide Revision 1 Figure 9 Import Root Public Key Stand alone Mode Regional Root CA Directories Files i i aie bashre aptitude profile rnd tdsinststatus lt Next gt Previous oO Note In the install wizard use Tab or arrow keys to move between the windows Within the directory or filename windows use the up or down arrow keys to scroll the current selection Use the Space bar to confirm the selection 8 On the next step set a password and email f
6. N wy Note The protection password must be 6 to 30 characters in length and must contain at least one uppercase letter A Z one lowercase letter a z one number 0 9 and one special character If you set up the protection password during the installation the password is required when you change the client settings or uninstall the client The protection password can be reset by the server admin To install the guardian with the install wizard follow these steps 1 Extract the installation package Theft_Deterrent_client_guardian_ version zip into a temporary folder 2 Inthe temporary folder open the guardian folder under bin right click setup exe and select Run as administrator to open the installation wizard 3 Select a language of your choice and then click OK 4 Click Next on the welcome page 45 Intel Education Theft Deterrent Deployment Guide Revision 1 5 Set the protection password for the client and then click Next If you do not want to set the password leave the password field blank click Next and then click OK on the confirmation window 6 Click Next to start the installation This might take a few minutes When the installation completes click Finish 8 Click Yes on the popup window to reboot the system Oo Note The protection password must be 6 to 30 characters in length and must contain at least one uppercase letter A Z one lowercase letter a z one number 0 9 and one
7. default key for server 4 x when migration completes If both server 3 x and 4 x have existing clients before the migration one of these client group will download and update the server Public Key if their current keys are not set as the default key Database Whether to merge the database of the old server with that of the new server Database Because the server 3 x and 4 x both contain an admin account created by Account default during server deployment you will need to decide whether to overwrite the admin account of the server 4 x with that of the server 3 x You will see this option only if you choose to merge the database Once you understand the options the next section will give you the details of running the tool 7 2 Migrate to server on a different machine 7 2 1 Pre migration Check 1 Install a server 4 x on a different server machine See chapter 5 or 6 for detailed installation steps 2 Make sure that the server 3 x is running correctly 3 Run the following command on the server 3 x to check the Java version Make sure that the version is Sun Java 6 or above java version Figure 21 Check Java Version java version 1 7 0 17 Java TM SE Runtime Environment build 1 7 0 17 b 2 Java HotSpot TM 64 Bit Server VM build 23 7 b01 mixed mode 4 If the server 3 x is installed on Windows download and install vcredist_x64 exe from the Microsoft official website 7 2 2 Mi
8. intel Education Intel Education Theft Deterrent Deployment Guide December 2014 Intel Education Theft Deterrent Deployment Guide Revision 1 Legal Notices Information in this document is provided in connection with Intel products No license express or implied by estoppels or otherwise to any intellectual property rights is granted by this document Except as provided in Intel s Terms and Conditions of Sale for such products Intel assumes no liability whatsoever and Intel disclaims any express or implied warranty relating to sale and or use of Intel products including liability or warranties relating to fitness for a particular purpose merchantability or infringement of any patent copyright or other intellectual property right Intel products are not intended for use in medical life saving or life sustaining applications Intel may make changes to specifications and product descriptions at any time without notice The API and software may contain design defects or errors known as errata which may cause the product to deviate from published specifications Current characterized errata are available on request This document and the software described in it are furnished under license and may only be used or copied in accordance with the terms of the license The information in this document is furnished for informational use only is subject to change without notice and should not be construed as a commitment by I
9. must be initialized in manufactory line before you deploy the client and guardian or the components will report error 10 1 Deploy Theft Deterrent client and guardian on Windows For devices running the Windows operating system the installation package Theft Deterrent client guardian version zip supports two deployment methods e Command line which Installs client and guardian together e Install wizards which Install client and guardian separately For large deployments it is recommended that you use the command line to install the client and guardian Such deployment provides efficiency because the two components are deployed together while no user interaction is required during the process If you are deploying on a single device you can use the install wizards which are more user friendly 10 1 1 Prerequisite Before you install the client you must install Net 3 5 SP1 on the Windows operating system if not already installed e For Windows 7 you can install Net 3 5 SP1 either by turning on the feature in Windows Feature or by downloading and installing the package from Microsoft website e For Windows 8 download and install Net 3 5 SP1 from Microsoft website AA Intel Education Theft Deterrent Deployment Guide Revision 1 10 1 2 Install with Command Line To install the client and guardian with command line follow these steps 1 Extract the installation package Theft_Deterrent_client_guardian_ v
10. not found Installer files are missing Installer is missing or incorrect Failed to write in installer file Installer file copying failed Installer file removing failed Deploying failed SSL key creating failed Webserver register failed Database register failed Broadcast register failed Database setting failed Your installation package might be corrupted Please contact the designated support personnel Socket Connecting failed Please make sure that no database management tool is connected to the database Disconnect any database management tool from the database server For more details about the installation error check the log files in the following location e On Debian var log theftdeterrentserver install e OnWindows systemdrive log theftdeterrentserver install 51 Intel Education Theft Deterrent Deployment Guide Revision 1 12 FAQ 1 How do I start stop and restart the server as well as check server status Answer The steps differ according to the server operating system e Windows Click Start menu gt All Programs gt Intel Education Software gt Theft Deterrent server gt click Start Server Stop Server or Check Server Status e Debian Run the following commands with root privilege service theftdeterrentserver start service theftdeterrentserver stop service theftdeterrentserver restart service theftdeterr
11. special character This protection password will replace the password set during the client installation 10 2 Deploy Theft Deterrent client and guardian on Debian 10 2 1 Install Dependency You must install dbus on your Debian 7 operating system if not already installed To install dbus follow these steps oO Note Connect the machine to the Internet or use the Debian CD 1 Change to root account with the following command Input password when needed su 2 Install dbus with the following command apt get install dbus wireless tools 10 2 2 Install Theft Deterrent client and guardian Copy the server installation packages Theft Deterrent client guardian version tar gz to any folder in the local disk Go to the folder and then run the following commands with root privilege 1 Change to root account with the following command Input password when needed SU 2 Extract the installation package into a temporary folder for example tmp with a command such as the following tar zxvf install tar gz C tmp 3 Goto the bin folder in the temporary folder cd tmp bin 4 Run the installation script chmod a x install sh install sh Language Replace language with one of the following values to assign a display language for the client The default display language is English 46 Intel Education Theft Deterrent Deployment Guide Revision 1
12. the server 13 3 How to Understand the Network Stability You can understand the network stability through the network latency Connect a test machine to the network to stand for the server and ping a URL or IP address such as a device IP with the following command ping URL The result should include a series of numbers representing the communication delay which looks as follows Figure 36 Check Network Latency Pinging 192 168 1 2 with 32 bytes of data Reply from 192 168 1 2 bytes 32 time 41ms TTL 128 Reply from 192 168 1 2 bytes 32 time 2ms TTL 128 Reply from 192 168 1 2 bytes 32 time 3ms TTL 128 Reply from 192 168 1 2 bytes 32 time 2ms TTL 128 Ping statistics for 192 168 1 2 Packets Sent 4 Received 4 Lost 0 0 loss Approximate round trip times in milli seconds Minimum 2ms Maximum 41ms Average 12ms Find the average round trip times which is an approximate value for the network latency Usage the latency should be smaller than 100ms If the network latency always bigger than 300ms it mean your network is quite stable 56 Intel Education Theft Deterrent Deployment Guide Revision 1 13 4 How to Calculate the Required Network Bandwidth Once powered on devices will send heartbeat requests to the server regularly 10 minutes by default In general the device will send 2 5K bytes to the server and receive more than 3 3K bytes from the server during each heartbeat Howeve
13. this website to the zone Websites about internet http update microsoft com http windowsupdate com http windowsupdate microsoft com zi baten tien mm mm an I Require server verification https for all sites in this zone oe Click Yes on the confirmation window Click Close Make sure that the security level for Trusted sites is Medium and then click OK 24 Intel Education Theft Deterrent Deployment Guide Revision 1 Figure 19 Configure Security Level General Security Privacy Content Connections Programs Advanced Select a zone to view or change security settings Internet Trusted sites This zone contains websites that you trust not to damage your computer or your files You have websites in this zone Security level for this zone Allowed levels for this zone All Medium ts before downloading potentially unsafe content T Unsigned ActiveX controls will not be downloaded I Enable Protected Mode requires restarting Internet Explorer Custom level Default level Reset all zones to default level 6 2 2 Tune the Performance The default configuration of the server has limited the resource assignment which could be a bottleneck for the server performance To improve the performance of the server you can tune the database service web service log and download service with the perfconfig tool If your server
14. time of the device is earlier than that on the server the CA certificate cannot be installed correctly and the client will keep receiving the install message To solve the issue synchronize the system time between the device and the server 52 Intel Education Theft Deterrent Deployment Guide Revision 1 5 What is the broadcast service Answer The broadcast service is the server component that performs the Automatic Server Broadcast which functions only on LAN In the current version of the server the web service and the broadcast service are always installed on the same machine and no configuration is required for the broadcast service during deployment Therefore this service is not mentioned in the server overview 6 Will I lose all server data when I uninstall the server Answer When you uninstall the server with the steps in chapter 5 5 or 6 4 all the data and settings of the server are not removed from the machine Therefore you can restore the data and settings with the upgrade steps when you install a new server on the machine 7 Can I upgrade from my server 3 x to a server 4 x in another language For example from a server 3 x in Spanish to a server 4 x in English Answer Yes By following the upgrade steps in chapter 7 you can upgrade your server 3 x to server 4 x regardless of the server display language The server 4 x supports 4 displays languages English Spanish Portuguese and Turkish You can chang
15. to the table below 31 Intel Education Theft Deterrent Deployment Guide Revision 1 Figure 23 Migration Options on the New Server 2 Espafiol N A 3 Portugu s N A 4 T rk e N A Input 1 2 3 4 default 1 1 Are the old server and the new server installed on the same machine 1 Yes 2 No Input 1 2 default 2 2 Which server is installed on this machine 1 Old server 2 New server Input 1 2 default 1 2 Input the location of the restore zip package Input root restorize zip Input package password gt The key store was saved successfully lt Do you want to migrate both the keystore and the database 1 Key store only 2 Key store and database Input 1 2 default 2 2 Initializing database please wait Do you want to set the keys from the old server keystore as the default keys 1 Yes 2 No Input 1 2 default 1 2 Do you want to overwrite the data of the admin account 1 Yes 2 No Input 1 2 default 2 1 Migrating for test now please wait Information gt Migration testing was successful lt 2 No Input 1 2 default 2 1 Migrating now please walt Information gt Migration testing was successful lt 2 device s migrated device s not migrated 10 track s migrated track s not migrated 1 account s migrated account s not migrated gt The operation will take effect after you restart the web server l
16. using the server make sure that you follow these rules 40 Intel Education Theft Deterrent Deployment Guide Revision 1 e On both Windows and Debian do not change the access permission to the installation directories e On Windows do not access the installation directories with a standard user account by inputting the administrator password when prompted by Windows User Account Control The installation directories of the server are as follows Windows e SystemDrive Program Files Intel Education Software Theft Deterrent server e 6 SystemDrive ProgramData TheftDeterrent2 Debian e opt TheftDeterrentserver e etc TheftDeterrent2 The location of the binary files and log files are as follows Operating Linux Windows System Shortcut usr local theftdeterrentserver Start menu gt Intel Education Software gt Theft Deterrent server Log folder var log theftdeterrentserver asystemdrives log theftdeterren opt TheftDeterrentserver Site tserver logs A1 Intel Education Theft Deterrent Deployment Guide Revision 1 9 Use Separate Download Server To use a separate download server for your server you must first complete the deployment steps in chapter 5 or 6 and the pre configuration steps in chapter 8 Then configure the server to use the separate download server You can either set up a separate download server or use an existing download services provided by a CDN op
17. EEES 22 6 2 2 TUM E the PerrormanC Esos ekna doe ae ee aaa i n e Eosi 25 6 3 Upgrade Theft Deterrent ServVef ssessssssssesssrrrrsesrrrerrsseerrerrssrnssrrrersnssrerrtennssenrrernesrnsrereeenessee 25 6 4 Repair or Re install Theft Deterrent Server sesssssesssesssererssssrerrerssssesrrereessesrrerensresreerrereessee 26 6 5 Uninstall Theft Deterrent Server srrnnrenrnnrnvrrvnrrnrrersennnnerserrenesnnrseseennenseserrensennrsessennrsessenseeenne 26 7 Migrate to Theft Deterrent server 4 X rnnnnannrarrrennrnnersrreneennrneseennnnssssrsvnsennrsssrennesennrseseennrssssenneneene 28 Ai Migration TOON maa ras dcpiecsnvceteanducssdenanesccundveoduenncdsdebneedcaddaecessecesdesvantectediuenvesnceaecedeevendesenes 28 7 1 1 Migr tion Requirements 2essssasrsrs skadde ad chessies asasads km egdeedsd ende uke sddnnnan bade iae aiaa 28 7 1 2 Migration OPTIONS cccscccesccvsesiovevsuessevocsencevectensavcinenvavesdeassveiuen tavetueesavedkentavesdeassvedventevente 29 7 2 Migrate to server on a different machine rrrnnnrrrnrnrononnnnrrrnrnnnrnnsnnrrnnnnnsnnnsnnrnnnnnnsnnnannvnnsnnsnnn 29 7 2 1 Pr migration CHECK a ccs cass evdovennvctivantoeroncedsvcotventcsancesadian terdead eededadartccastvedsdastbebeenstereance 29 7 2 2 Migration StepS iunum mtnnanssmmikeike mettes EN EETAS E EE Eae ai i Er riS 29 7 3 Migrate to server on the same machine rrrrnnnnrorrrnnnnnnannnnrrnnrnnnnnnannrsnnrnnsnnnannrnnnnnssnnnannrnnsensnne 34 7 3 1 Pre migr
18. Start menu gt Control Panel gt Hardware gt Device 1 manager 23 Intel Education Theft Deterrent Deployment Guide Revision 1 2 Double click Disk drivers in the Device Manager window 3 Right click the hard disk device where the server is installed and select Properties 4 On the popup window click on the Polices tab and check Enable write caching on the device Then click OK Figure 17 Configure Performance 3 Write caching policy F Enable write caching on the device Improves system performance by enabling write caching on the device but a power outage or equipment failure might result in data loss or comuption E Tum off Windows write cache buffer flushing on the device To prevent data loss do not select this check box unless the device has a separate power supply that allows the device to flush its buffer in case of power failure More information about write caching settings Add the server URL to Trusted sites with the following steps On Internet Explorer click Tools gt Internet Options gt Security Tab On the Security page select Trusted Sites and click the Sites button Policies Volumes Driver Details On the popup window input https localhost and then click the Add button Figure 18 Add Trusted Sites Trusted sites xj You can add and remove websites from this zone All websites in this zone will use the zone s security settings Add
19. ailed 12 gt FAQa users eee OEE 13 Anpendikesestis Re 55 13 1 CHOOSE ROOT KEY Pall EE chug dievcoedasedactie swore art dete E cual Cree edsesuerdore de 55 13 2 Choose Server Support Mode rrrrnnnrrrnrrnnssnnnnrrnnnnnsnnnsnnrsnnsnnsnnnsnnrnnsnnssnnnannrnnsensssnnannnnnsensnne 55 13 3 How to Understand the Network Stability cccccssscccccecsessssscecececeeseaeeeeeesseeseeeeeeeesees 56 13 4 How to Calculate the Required Network Bandwidth rrrrnnnnrornrnnsnonnnnrrrnrnnsonnsnnrrnvnnnsnnnnnn 57 13 5 How to Improve the Download Performance 13 6 How to Back up Theft Deterrent Server arnrrrnraranannrnrvrnrrrnnonnnnnsnr 13 7 How to offline Transfer Devices to Theft Deterrent server 4 X mrrnnnannrrnnrennrrnrrrrnrnsersrreseernr 58 Intel Education Theft Deterrent Deployment Guide Revision 1 List of Figures Figure 1 Theft Deterrent architecture ccccccccccccesssssssecececeeseseeeeseeececseseseeseescecsesesseseesceseeseeaeseeseseeesees 3 Figure 2 Centralized Architecture c cccccccccccssscccececesssssscecececeesseeseceescecseaeeeseeecseseeeaeseeeeessesasaeseeseseeesees 6 Figure 3 Decentralized Architecture ccccsscccccccsssessssecececeesesesesececeeseaessesececeesesesaeseeseesseseeaeseesesesesees 7 Figure 4 gt Hj rarchized ArchiteCtune ies sccciscscasscescccceaveerssaseeceedvaanvens cceececedssnetensaaavecskenecesedisesveadeaaeeessaveaedes Figure 5 Theft Deter
20. ation CHECK onccecccsceceoreddecasconsoetatecdeneslentedadiecseduchuccdcedsedsedastuctededaweestenleehecesnerences 34 7 3 2 IM SPATIOMESTO IS yi vsa sics snne ss nnsa osaan Ee AEEA E RE E EAA RENET 34 Intel Education Theft Deterrent Deployment Guide Revision 1 7 4 Theft Deterrent Client Migration Options cccccccccccecsssssececececsesssaeseeececsessaseeeeesceeseaaeees 35 7 4 1 SUPPORTER F aturesananaluseder tanken Nanesan teori eet 35 8 Theft Deterrent server Pre configurations rrrnnnrrnnrrnananannrvrvrnnsnnnannrnnvrnnsnnnannvnnrnnsssnsnnrnnsnnnsennnnn 37 8 1 First Time Config yrat ONS aara a a E Rae E a A aE a EE aeaa ian 37 8 1 1 Activate Theft Deterrent server rrmrrsnnrnrannrrvnrennrrnsrennensenerreneennrnessernenssnnrsvseennrssssennessene 37 8 1 2 Reactivate Theft Deterrent SCrvelr ccsecccecssececssceceeseececeeeeeceeseeeecseueeeseeaeecesneeeeeeeaaes 38 8 1 3 Set up Server Name amp Address cccccccccssssscccccecsessaeseeccecsesesaeseecescseeeaeseeeesceeseaeaeeeeeees 39 8 1 4 Set up E mail Notification Service ccccccccccecsesssseseeececsesesaeseeececsesseaeseseesceeseaeaeeeeeees 39 8 2 Modify the Server Log LeV a a E e E sere 40 8 3 Server Installation Directories and Log Files rrrrrrnrnnanannnnrvnnrnnnnnnnnnrrnnrnnsnnnsnnrnnsrnssnnnannrnnsnnsnnn 40 9 Use Separate Download Server ccccccccecssssssccececeesessssececccseseseeeeseeecsesesesaesecscesesaeseeeesceesesasseeeesees 42 9 1 Config
21. e Revision 1 Windows 7 or 8 Client C Program Files x86 Intel Education 64 bits Software Theft Deterrent client Guardian C Program Files x86 Intel Education Software Theft Deterrent guardian Debian 7 Client opt TheftDeterrentclient client Guardian opt TheftDeterrentclient guardian Android Client data data com intel cmpc td agent Guardian data data com intel cmpc td guardian service The location of the log files are as follows Operating system Log Windows 7 or 8 C ProgramData Intel TheftDeterrent Debian 7 var theftdeterrent opt TheftDeterrentclient client Theft_Deterrent_clie nt autorun log Android data data com intel cmpc td agent agent log Oo Note For devices running Android it is recommended that you install the Android Debug Bridge adb to access the log files For example you can copy the log files to another directory with the following command adb pull data data com intel cmpc td agent agent log For more information about adb see Android Debug Bridge 50 Intel Education Theft Deterrent Deployment Guide Revision 1 11 Troubleshooting 11 1 Theft Deterrent server Installation Failed If the installation of the server failed the install wizard displays an error message Follow the solutions in this table according to the error message displayed Error message Solution Environment variables
22. e URL the location of the upgrade packages in the download server which must be in HTTP scheme For example if you use another Theft Deterrent server as the download server the URL is http DownloadServer URL tdupdate Note This URL is provided to clients for downloading upgrade packages when the Smart Client Upgrade function is enabled However you must copy the upgrade packages to your download server manually e Concurrent Download Limitation the maximum number of devices that can download the upgrade packages at the same time 42 Intel Education Theft Deterrent Deployment Guide Revision 1 e Client Speed Limitation the maximum network speed for a device to download the upgrade packages 4 Click the Save Button You can configure multiple download servers However it is recommended that you keep the maximum number of download servers below 15 You can select one or multiple download servers to implement the download function at the same time The local server is the local download feature provided by default Note When you add edit or delete a download server the configuration takes effect only after you click the Save button Figure 30 Configure Download Server Configure Download Server Click Add Server and fill in the information to add a download server Click a table cell to edit the information Concurrent Download Client Speed Limitation Limitation shwde6433 Local Address 100
23. e client tray manual from the client tray icon and click About The client version number is displayed on the popup window 54 Intel Education Theft Deterrent Deployment Guide Revision 1 13 Appendix 13 1 Choose Root Key Pair Although Intel hosts a root CA server for external usage it is strongly recommended that you deploy your own root CA server which can support a central server for your Theft Deterrent solution Also by running your own root CA server you will have full control of your Theft Deterrent solution You will be responsible for the management of your own root CA server instead of interacting with the Intel root CA server admin 13 2 Choose Server Support Mode The server supports two modes e Stand alone mode e Central Server supported mode While the Stand alone mode contains two options e Deploy with your own Root Public Key Import the Root Public Key to the server during deployment e Deploy with the Intel Root Public Key No importing step required Note The Root Public Key is generated by the root CA server For more information see the Intel Education Theft Deterrent Root CA Server User Manual See the following table for more information about the server modes Server Root Public Key Theft Deterrent Descriptions Support Components Mode Stand alone Deploy with Intel root CA e No server activation is required the Intel Root server after the instal
24. e devices are protected by the Theft Deterrent solution only after activation completes e Guarantee that the devices can check in with the server Note It is highly recommended that you do not install any unrelated software on the server machine 4 3 4 Other Requirements Also if you have installed a server earlier than version 3 x including 3 x on the system it is highly recommended that you uninstall this server and its dependencies Tomcat and PostgreSQL before installing the current server to avoid port conflict However if you want to keep the earlier version of the server you must stop its dependency Tomcat while installing and running the current server 14 Intel Education Theft Deterrent Deployment Guide Revision 1 5 Deploy Theft Deterrent server on Debian This chapter introduces the procedures to deploy the server on Debian The deployment steps install the download feature as part of the web service by default If you want to use a separate download server complete the following deployment steps and then configure the server to use the separate download server with the steps in chapter 9 5 1 Install Dependencies You must install the following dependencies on your Debian system before installing the server Dependency Version sudo gt 1 7 ufw gt 0 2 python gt 2 6 dialog gt 1 0 To install the dependencies follow these steps Note Connect the machine to the In
25. e the display language on server 4 x webpage according to your needs 8 How do I find out the server support mode of my server Answer During the deployment of the server either of following server support mode is selected Stand alone or Central Server supported mode To find out the server support mode open the Advanced page under Settings and check the Central Server Support area e Stand alone mode with Intel Root Public Key the webpage does not contain such an area e Stand alone mode with your own Root Public Key the Activate Server button is displayed as follows Central Server Support You can upgrade the server to Central Server Supported Mode This will enable more features on the server such as device transfer and server backup through the Central Server Complete the activation process to upgrade to Central Server Supported Mode Activate Server If you want to recover the server activation you can reactivate the server e Central Server supported mode the Update button is displayed as follows Central Server Support The server is linked with the Central Server 192 168 0 122 Update the server information registered on the Central Server 9 How do I find the version of the server Answer The server version number is displayed at the button of the server webpage 53 Intel Education Theft Deterrent Deployment Guide Revision 1 10 How do I find the version of the client Answer Open th
26. eaesecececsesseaeseeeeseseseeaeaeeeeeees Figure 23 Migration Options on the New SePvel cccscccccceceesssssceceeececsesseaecececessesssaeseeeeecsesesaeeeeeesens Figure 24 Migration Result On Different Server Machine cc cccccssccccsssscceessececsesseeecessseceeseseceeaaes 34 Figure 25 Migration Result On the Same Server Machine c ccccssccccsssscceessesecessseeecssseeeseseseeseaaes 35 Figure 26 Activate Server 1 cccccccsscccssssececsssseceesececsssseceesssseceesaeeecsssececsssseceesaesecseaaececsssececsaeeeceeaaes Figure 27 Activate Server 2 ccc sscsiisssocccsasaccecsasasceaves5aledavececoaancicvodaadasedsenseass dasees chsed suynea adasshcansbans daveanens Figure 28 Set up E mail Notification Service oo cecccccssssecccecsesessssecececeeseseeaesecececseesaeseeseeceeseeasaeeeeeces Figure 29 Server Tab cccccccccccsssssseseeeceessstsaeees Figure 30 Configure Download Server 00 Figure 31 Client Inactive Tray Icon Windows Figure 32 Client Inactive Tray ICOM ccccsssscccecessssseeseceeecseseeaseeceeessessaeeaeseceesssesaeeeseceesesssneasseeeeseas Figure 33 Shortcut on GNOME ccccccccccccsessssesecccecsesesaesecececeeseeeeecececeeeeseseeseeececseseaaeseesescseeaasaeeeesees Figure 34 Shortcut on GNOME ClaSSIC ccccccccccecsessssececececeeseeeeececececseseeseeececessesnsaeseeeesseesesaeaeeeeeees Figure 35 Choose Server Support MOdEC cccs
27. eeeeeeeeeeeeeseneeses 4 3 2 Domain Name Requirement ranannnrnrnrnrnrnrnrnrnrnrnrnrnrnrnrnrnrnrnrnrnrnrnrnrnrnrnrnrnrnrnrnrnrnrnrnrnrnrnre 4 3 3 Security Guidelin amp uLmuuuunranmoraneieuokannGun nemne inudie 4 3 4 Other Requirements 5 Deploy Theft Deterrent server on Debian SI Inst llDep ndenaes sus seccdnsanscdendsnedsebschadaadcansescnaddsadentacsnaah ses E E Ea Eai 5 2 Install Theft Deterrent Servet ic ccicisecscecisstieeceecsseestcoaisssnonsacestsctsvececensnesedeaivetnnsssessttesseedesssines s 5 3 Best Practice of Performance TUNING cccccccsssssssesccccecsesessesecececsesesaeeeeeeeceesesaseeeeesceeseaeaaees 5 4 Upgrade Theft Deterrent SCrver ccccccscssssccccecssssceseeececsesnseeseeececeesesaeseeeesceeseaeeeeeeseeeseeeaeees 5 5 Repair or Re install Theft Deterrent S rver cccecccccccecsesssesecececseseaeseeececeeseaseeeeescesseseaeees 5 6 Uninstall Theft Deterrent Server cccccccececssnceceseececeeseeeeceeeeeceeaeeecseaaeeeceeeeecessaeeeceeueeeseeneeess 6 Deploy Theft Deterrent server on Windows rrrrrrarsrnvnnennrvvreennnnenserrenernnrreseennnnsensrreseennrsvssennesenne 20 6 1 Install Theft Deterrent SErver mmsrrrmrrrvrrerrrrerrerrrrerrenrenesserrenesnsrreseennensessrrensennrsessennrssssenseeenne 20 6 2 Best Practice of Performance Tuning rerrrnrrrnasnnrorvrnrrnnnannnnrrnnrnnnnnnannrsnnnnnsnnnannrnnnenssennannvnnsenssee 22 6 2 1 Common Configuratie uses ea aa a ri arra ean Ea a E aA rE EE aaea
28. endix 4 2 2 Requirements for Download Server You can either set up a separate download server or use an existing download services provided by a Content Delivery Network CDN operator a cloud based download server etc The download server you choose will affect the download performance For information on how to improve the download performance see Appendix oO Note The download feature you use must support HTTP download If you choose to use an existing download service make sure that the service provider offers stable download functions and you can skip this chapter If you want to set up your own download server make sure that the following requirements are met Online Requirement Recommended configuration Minimal configuration devices lt 10K CPU 1 x Intel Xeon 2 cores CPU 1 x Intel Xeon 2 cores Hardware Memory 4 GB Memory 4 GB OS Linux or Windows Linux or Windows Network bandwidth 6 3 Mbps 10 50K CPU 1 x Intel Xeon 2 cores CPU 1 x Intel Xeon 2 cores Hardware Memory 4 GB Memory 4 GB Os Linux or Windows Linux or Windows Network bandwidth 26 13 Mbps 50 CPU 1 x Intel Xeon 4 cores CPU 1 x Intel Xeon 2 cores Hardware 100K Memory 8 GB Memory 8 GB OS Linux Linux Network bandwidth 43 21 Mbps 100 CPU 1 x Intel Xeon 4 cores CPU 1 x Intel Xeon 4 cores Hardware 200K Memory 12 GB Memory 8 GB 12 I
29. entserver status Note In Windows if the server is running you can restart the server by clicking the Start Server option If the server is installed with a separate database make sure that you run the command on both the web server and the database server 2 What do do if the server webpages are distorted Answer First of all make sure that you are using a web browser supported by the server e Firefox e Chrome e Internet Explorer 8 or above Also it is recommended that you clear the cache cookies and history in your browser regularly 3 Why does the client version 2 x keeps rebooting the device after connecting with the server Answer The issue might be caused by either of the following reasons e The client is connected with and approved by a wrong server To solve the issue modify the URL in the client connection settings to connect the client to its related server e The system time on the device is earlier than that on the server To solve the issue synchronize the system time between the device and the server delete the CMPC TDS SN xxxxx certificate in your web browser and connect the device with the server again 4 Why does the client version 2 x keeps receiving a message asking to install SSL certificate Answer For clients with version earlier than 4 x user must first install the CA certificate by accepting the install message before the client can be activated by the server However if the system
30. equirements are displayed in the following table If your network latency gt 300ms contact your local TME for support Online Requirement Recommended configuration Minimal configuration devices lt 10K Hardware CPU 1 x Intel Xeon 4 cores CPU 1 x Intel Xeon 2 cores Memory 4 GB Memory 4 GB Os Linux or Windows Linux or Windows Network bandwidth 2 1 Mbps 10 50K Hardware CPU 1 x Intel Xeon 4 cores CPU 1x Intel Xeon 4 cores with hyper thread Memory 8 GB Memory 8 GB Os Linux or Windows Linux or Windows Network bandwidth 9 4 Mbps 50 100K Hardware CPU 2 x Intel Xeon 4 cores CPU 2 x Intel Xeon 4 cores for each with hyper thread for each with hyper thread Memory 16 GB Memory 12 GB OS Linux Linux Network bandwidth 18 9 Mbps 100 CPU 2 x Intel Xeon 6 cores CPU 2 x Intel Xeon 4 cores 200K Hardware for each with hyper thread for each with hyper thread Memory 24 GB Memory 16 GB OS Linux Linux Network 35 18 bandwidth 11 Intel Education Theft Deterrent Deployment Guide Revision 1 Mbps The minimum hard disk space required is 2GB However the recommended hard disk space for the server is 30 GB and above Note The network bandwidths recommended above are estimated according to the device numbers in four ranges To calculate the network requirement for your specific device number see App
31. erator a cloud based download server etc If you want to set up your own download server see Configure Download Server 9 1 Configure Download Server The deployment or configuration steps of the third party download server are beyond the scope of this document You can contact your third party server provider for support However if you have not decided which third party download server to use you can install another Theft Deterrent server to function as a download server with the following steps 1 Install another Theft Deterrent server on a machine that meets the download server requirements 2 Copy the client upgrade packages to the following location manually according to your operating system e Windows C Program Files Intel Education Software Theft Deterrent server Site webapps tdupdate e Debian opt TheftDeterrentserver Site webapps tdupdate oO Note To obtain a client upgrade package which ranges from 2MB to 10MB in size contact the Intel local TME 3 Connect this download server to the same network as the server 9 2 Configure Download Feature on Theft Deterrent server When the download server is ready configure the server to use the download server with the following steps 1 Login the server and open the Advanced page under Settings 2 Click the Configure download server s link in the Smart Client Upgrade area 3 Input the following information e Server Name the name of the download server
32. ersion zip into a temporary folder for example C TD 2 Click the Start menu gt Accessories gt right click Command Prompt gt select Run as administrator 3 Goto the bin folder in the temporary folder with a command such as the following cd c TD bin 4 Run install bat install bat The device will restart automatically once the installation completes The client displays the language of the operating system If the display language of the operating system is English Portuguese Turkish or Spanish the client follows the same display language Otherwise the client is displayed in English 10 1 3 Install with Install Wizard To install the client with the install wizard follow these steps 1 Extract the installation package Theft_Deterrent_client_guardian_ version zip into a temporary folder 2 In the temporary folder open the agent folder under bin right click setup exe and select Run as administrator to open the installation wizard 3 Select a language of your choice and then click OK 4 Click Next on the welcome page 5 Set the protection password for the client and then click Next If you do not want to set the password leave the password field blank click Next and then click OK on the confirmation window 6 Click Next to start the installation This might take a few minutes When the installation completes click Finish 8 Click Yes on the popup window to reboot the system
33. erver 1 Login the new server and click Export on the Security page under Settings to export the server Public Key Pub_Key bin to a USB disk On the old server 58 Intel Education Theft Deterrent Deployment Guide Revision 1 2 Create a temporary folder named KeyMigrate Copy the Public Key exported in step 1 and the KeyManagement tool to the folder 3 Go to the folder and run the following command with root privilege and a pre activated package named tcopp 200000000000000000X 200000000000000000xx Din will be generated in the folder java jar KeyManagement jar a b Pub Key bin Figure 38 Run KeyManagement Tool root debian home matrix Desktop cd KeyMigrate root debian home matrix Desktop KeyMigrate java jar KeyManagement jar a b Pub Key bin Pre activated packet saved in file tcopp_lc6f6adca5f1d56886d6_c641laf 646f 9aa64c67a6 bin On the new server 4 Log in the new server and open the Security page under Settings Browse to the pre activated package and click Import Figure 39 Import Pre activated Package Import pre activated package Select file On the devices 5 Right click the client tray icon and select Settings 6 On the client window click Edit gt input password if required gt change Theft Deterrent Server Address to the address of the new server gt click OK On the new server 7 After a while a Pending Approvals tab appears under Inventory Select t
34. erver 3 x and 4 x use different server keys you must decide which key to set as the default key for server 4 x when migration completes If both server 3 x and 4 x have existing clients before the migration one of these client group will download and update the server Public Key if their current keys are not set as the default key Therefore to minimize the download and update action required select this option if the device records migrated from the server 3 x outnumber the existing device records on the server 4 x Select this option if the existing device records on the server 4 x outnumber the device records migrated from server 3 x 1 Yes Do you want to overwrite the data of the admin account If you want to replace the admin account of server 4 x with that of server 3 x select 1 Yes If you want to keep the admin account of server 4 x select 2 No 1 Yes 2 No Confirm the settings to start the migration Make sure that all the device records and accounts are migrated to server 4 x as shown in Figure 23 If you see any devices or accounts that cannot be migrated you will be prompted with the following options e Skip these devices or accounts 33 Intel Education Theft Deterrent Deployment Guide Revision 1 e Orcancel the whole migration process Figure 24 Migration Result On Different Server Machine gt Migration testing was successful lt 2 device s
35. erver in the centralized architecture This architecture deploys the server on the Internet at region or country level Therefore the general deployment scenario assumes that the number of devices to be managed is more than 5K First of all the following requirements must be met e The server must be protected against network DDoS attack e All the schools and students at home must be able to access the server with enough bandwidth and network latency which should be less than 300ms in both directions It is recommended that you deploy the server with the following modes Local database 10 Intel Education Theft Deterrent Deployment Guide Revision 1 Unless your deployment plan specifies otherwise deploy the server with the local database which supports the general deployment scenarios that manage less than 200K devices Separate download server It is recommended that you use a third party download server Also do not share the download bandwidth with the web server bandwidth Otherwise the downloading might use too much bandwidth and cause network congest which will prevent devices from connecting with the server 4 2 1 Requirements for Theft Deterrent server The requirements for the server differ according to the network latency which will cause time delay when data transmits between the server and the clients To estimate the latency of your network see Appendix If your network latency lt 300ms the server r
36. es No nput lt 1i2 gt default 11 1 s the key store file lt TCServer keystore gt stored at the default location I il V I Do you need to manually set the database information Exit lt Convert key store only Input lt 1i2i3 gt default 21 2 Cloning database please wait Set a password for the package Input Information gt Packaging was successful and saved to file E restore zip lt Prompts Descriptions Select Option Select language Select the display language of the migration 1 English tool Are the old server and the Specify whether the old server and the new 2 No new server installed on server are installed on the same machine the same machine because the migration steps for the two cases are different Which server is installed Specify whether this machine is the old 1 Old on this machine server or the new server server Is the key store file The migration tool backs up the old server TCServer keystore keystore in the default location 30 Intel Education Theft Deterrent Deployment Guide Revision 1 stored at the default location e Windows C VCMPC e Debian etc theftdeterrent If you have manually changed this keystore location for your current server you will need to input the new location in the migration tool Otherwise select 1 Yes Do you need to manually set the database information The migration tool acc
37. esses the old server database with the default configurations If you have manually changed the database configurations such as username password or database tool location you will need to input the information in the migration tool Otherwise select 2 No Set a password for the package The migration tool will create a package containing the keystore and database copied from the old server It is recommended that you set a password for the package However you can leave the field blank if you do not want a password A package named restore zip will be created in the same folder as the migration tool On the server 4 x 6 Copy restore zip from the old server to the new server e g root restore zip 7 Run the following command with root or admin privilege according to your operating system to start the migration tool e Debian usr local theftdeterrentserver migrate lt Max memory size gt e Windows cd C Program Files Intel Education Software Theft Deterrent server bin call migrate bat lt Max memory size gt lt Max memory size gt a value unit as M for the Java max memory size If the parameter is empty system will allocate max 1 4 of the system memory for Java For 200K devices records the system memory must bigger than 4G and the lt Max memory size gt parameter suggest to be 4000 You will be prompted for inputs shown in Figure 22 Select the options according
38. gration steps Then follow these steps to migrate the keystore and database of your old server to the new server On the server 4 x 1 Find the migration tool migrate jar at the following location according to your operating system and copy the tool to a removable device OS Migration Tool Location Debian opt TheftDeterrentserver Tools libs migrate jar Windows C Program Files Intel Education Software Theft Deterrent 29 Intel Education Theft Deterrent Deployment Guide Revision 1 server Tools libs migrate jar On the server 3 x 2 Copy migrate jar from server 4 x to the old server e g root migrate jar 3 Go to the folder that contains the migration tool For example cd root chmod a x migrat jar 4 Run the migration tool with root or admin privilege java jar migrate jar 5 You will be prompted for inputs shown in Figure 21 Select the options according to the table below Figure 22 Migration Options on the Old Server Copyright lt c gt Intel Corporation All rights reserved Select language 1 English 2 Espatol lt N A gt 3 Portugufls lt N A gt 4 T rkte lt N A gt Input 1121314 gt default 1 1 Are the old server and the new server installed on the same machine A Yes 2 No Input lt 1i2 gt default 21 2 Which server is installed on this machine 1 Old server 2 New server Input lt 1i2 gt default 11 1 Y
39. he devices and click Approve Device Note The device records are displayed in orange to notify users that the devices are installed with a client of earlier versions 8 After the devices reboot and connect to the server again the device records are moved to the Device Management page under Inventory You can now manage the devices with the new server 59
40. her of the following methods e Click the Theft Deterrent client application icon 8 on the desktop e Right click the client tray icon and select Open Theft Deterrent client If your operating system is Windows 8 you can open the client with one of the following methods 47 Intel Education Theft Deterrent Deployment Guide Revision 1 e Click the Theft Deterrent client application icon 8 on the Start screen e Click the Theft Deterrent client application icon on the desktop e Right click the client tray icon on the desktop and select Open Theft Deterrent client If the client is in Inactive status right click the client tray icon on the desktop and select Help for instructions on how to activate the client Figure 31 Client Inactive Tray Icon Windows P Inactive Cannot connect with the server 10 4 2 Open Theft Deterrent client on Debian If your operating system is Debian 7 you can open the client by clicking the client tray icon on the upper right corner of the desktop If the client is in Inactive status right click the tray icon and select Help for instructions on how to activate the client Figure 32 Client Inactive Tray Icon amp Cannot connect with the server Open Theft Deterrent client Help About Log in Theft Deterrent server oO Note The client tray icon is only supported in GNOME 3 4 or above Also if your Debian 7 displays the GNOME desktop you can open the c
41. hool transfer Server performance Kill pill out of school This architecture requires that the region or country has stable Internet connection The deployment options selected for this architecture is as follows Deployment Configurations Configured Settings Root key pair Your own root key pair Central server No central server Server support mode Stand alone mode with your own Root Public Key 3 1 2 Decentralized Architecture The server is hosted at individual school level in decentralized architecture Select this architecture in either of the following cases e Deploying a test or demo server e The schools or devices do not have stable Internet connection For example the network latency of your school network is larger than 300ms Intel Education Theft Deterrent Deployment Guide Revision 1 Figure 3 Decentralized Architecture Theft Deterrent Server Running at school IT Admin Pro Se Easy to admin Hard to manage device s school transfer Simple infrastructure without internet Requires local IT administrator Easy to implement No centralized server backup Ideal for small deployment No kill pill outside of school network The network required for this architecture is LAN The deployment options selected for this architecture is as follows Deployment Configurations Configured Settings Root key pair Intel root key pair Central server No central server Serve
42. igrated JO device s not migrated 10 track s migrated Jo track s not migrated 1 account s migrated account s not migrated Restart the server after migration completes 7 4 Theft Deterrent Client Migration Options After you complete the server migration steps the server 4 x is ready to manage the clients from the old server Since server 4 x is backward compatible with clients 2 x you have the following client migration options e Upgrade the client by uninstalling the client v2 x and then install client and guardian v4 x e Keep the existing client v2 x However some server features might not be supported In both options you might need to configure the client network settings if the server 4 x does not have the same URL as server 3 x For more information see the Intel Education Theft Deterrent client User Manual For new devices deployed with client v4 x all server features are supported For more information about client first time setup see the Intel Education Theft Deterrent client User Manual 7 4 1 Supported Features For client version older than 2 x including 2 x you can manage the clients with the latest server but not all features are supported 35 Intel Education Theft Deterrent Deployment Guide Revision 1 Function Client v4 x Client v2 x Client Activation Yes Yes Download and apply One time Boot Yes Yes Certificate Loc
43. il service to send user account and server information to users via e mail Input the following information e E mail username the e mail address of your e mail account e E mail password the password of your e mail account e SMTP server the hostname of the SMTP server e Port the port number of the SMTP server e Security Mode select a security mode Figure 28 Set up E mail Notification Service Set up E mail Server Set up the e mail server for the Theft Deterrent Server to send user account information and server notifications to users You can skip this step and set up the e mail server later in Server Settings E mail username E mail password SMTP server Port Security mode 9 None SSL support Test After the email service is configured correctly the following cases lt Back TSL support Next gt server will send out e mails in the When to send e mails Admin creates new user accounts Recipient The new user Admin resets user passwords The user 39 Intel Education Theft Deterrent Deployment Guide Revision 1 Someone forgets his her password and requests The person him herself password reset Someone sets up the E mail Notification function The e mail addresses that this person configured for the function After you complete the first login settings you will see the server Home page You can also open the Inventory Groups amp Account
44. is deployed on LAN and manages less than 5K online devices no tuning step is required and you can skip this chapter Otherwise improve server performance with the following steps 1 Run the following commands with admin privilege to start the perfconfig tool cd C Program Files Intel Education Software Theft Deterrent server bin call perfconfig bat 2 Select a language of your choice Select the number of online devices that your server will manage 4 You might also need to configure the following settings g e Is your server deployed on LAN or the Internet e Input the default download speed limit KB s Set a download limit for the local download feature This setting will not affect any separate download server 5 Input 1 and press ENTER to restart the server 6 3 Upgrade Theft Deterrent server If upgrade failed the current server may be corrupted You can repair the server with the current installation package Before repair or re install it is recommended that you back up the server To upgrade a server follow these steps 25 Intel Education Theft Deterrent Deployment Guide Revision 1 1 Copy the latest server upgrade package named as Theft Deterrent server upgrade v4 0 3010X version zip to the local disk then extract the installation package into a temporary folder In the temporary folder right click setup exe and select Run as administrator to open the installation wizard 2 Se
45. k Yes Yes Unlock with Unlock Code Yes Yes Download and apply Global Certificate Yes Yes Unlock with crash recovery package Yes Yes Student log in to server Yes Yes Automatic Server Broadcast Auto discovery Yes Yes Sync up client status with server Yes Yes Configure Check in Interval Yes Yes Modification Warning Days and Times Yes Yes Smart Client Upgrade Yes Yes Transfer device online Yes Partially supported Password Protection Yes Yes Online help menu Yes No Assign device to group Yes No Remote unlock through network for Yes No Android only The function is supported only if it is used in the 2 x client before the migration For more information about the server features see the Intel Education Theft Deterrent server User Manual 36 Intel Education Theft Deterrent Deployment Guide Revision 1 8 Theft Deterrent server Pre configurations After server installation completes you can use the server functionalities by accessing the server webpage with the following URL where serverURL is the IP address or hostname of the server e https serverURL TheftDeterrent To log in the server with the master admin account use the following credentials e The username is admin e The password is the one set during the installation process 8 1 First Time Configurations When you log in the server for the first time you must complete certain settings before accessing the server functionalitie
46. lation Public Key e Cannot upgrade to other modes Deploy with Your own root CA e You can use the server without your own Root server amp activation Public Key Optional central e You can activate the server server The server is transformed to the Central Server supported mode Central Your own root CA e You must activate the server Server server amp central after the installation supported server Note Server activation is the process of registering the server information on the central server to enhance the server function 55 Intel Education Theft Deterrent Deployment Guide Revision 1 You must choose a mode for your server during deployment according to the deployment scenario of your Theft Deterrent solution Figure 35 Choose Server Support Mode our own or Intel roo CA server Intel root CA Your own root CA server server eed central server o not y Deploy central Do not deploy server central server Deploy the server with Stand alone mode with Intel Root Public Key Deploy the server with Deploy the server e Central Server supported mode with Stand alone or Stand alone mode with your mode with your own own Root Public Key Root Public Key Once deployment completes you cannot change the Root Public Key used in the Theft Deterrent solution Make sure that you deployed the server with the correct mode before you connect any device to
47. lect a language of your choice and accept the license agreement 3 Then wait for the wizard to complete the installation 4 Clear cache of your browser before login to server again Note The browser will cache old server and make the webpage display maybe distort after server upgrade 6 4 Repair or Re install Theft Deterrent server If upgrade failed the current server may be corrupted You can repair the server with the current installation package And you can reinstall the server to remove the server data settings and key files Before repair or re install it is recommended that you back up the server To repair or re install a server follow these steps 1 Copy the latest server upgrade package named as Theft Deterrent server v4 0 3010X version J zip to the local disk then extract the installation package into a temporary folder In the temporary folder right click setup exe and select Run as administrator to open the installation wizard 2 Select a language of your choice and accept the license agreement 3 Select Upgrade or Repair to keep all data and Re install to remove all data of your current server Figure 20 Repair or re install Theft Deterrent server i Intel R Education Theft Deterrent server InstallShield Wizard Keep Previous Settings Please select an installation type Upgrade or Repair All the data settings and key files of the previously installed server will be kept C Re ins
48. lient by clicking Applications gt All gt the Theft Deterrent client icon 48 Intel Education Theft Deterrent Deployment Guide Revision 1 Figure 33 Shortcut on GNOME Activities Sa Shotwell Simple Scan Software Settings m Startup Applicat Sudoku Swell Foop pdate Soi m XX I EA Synaptic Packag System Monitor System Settings Terminal Tetravex JE Theft Deterrent Time Tracking O Ww If your Debian 7 displays the GNOME Classic desktop you can open the client by clicking Applications gt System Tools gt Theft Deterrent client Figure 34 Shortcut on GNOME Classic Applications Places Fri Jun 7 1 04 PM fi Accessories ah Games Graphics Internet Ww Office FB sound amp Video 9 Universal Access gt Yee Preferences re Add Remove Software Q dconf Editor amp Disk Usage Analyzer 2 GDebi Package Installer p Log File Viewer Rij Power Statistics Reportbug amp Software Update m System Monitor BE Theft Deterrent client The installation directories of the client and guardian are as follows Operating system Component Installation Directory Windows 7 or 8 Client C Program Files Intel Education Software Theft 32 bits Deterrent client Guardian C Program Files Intel Education Software Theft Deterrent guardian 49 Intel Education Theft Deterrent Deployment Guid
49. ll a server follow these steps 1 Copy the latest serve install package Theft_Deterrent_server_v4 0 3010X version to the local disk 2 Open the installation wizard by following the steps in chapter 5 2 Theft_Deterrent_server_v4 3010X verstion install 2 Select a language of your choice and accept the license agreement 4 Onthe next page select Upgrade or Repair to keep all data and Re install to remove all data of your current server Figure 10 Repair or Re install Theft Deterrent server Settings gt Select an installation type Upgrade or Repair 2 Re install lt ext gt lt Exit gt 18 Intel Education Theft Deterrent Deployment Guide Revision 1 5 Follow the installation wizard to complete the installation 5 6 Uninstall Theft Deterrent server If you want to uninstall the server it is recommended that you back up the server before the action Note Make sure that no device is managed by the server any more Otherwise the devices might be locked within a certain period of time To uninstall the server follow these steps 1 Goto the directory that contains the server installation package 2 Run the following command with root privilege to uninstall the server Theft Deterrent server v4 9 391 X version remove 19 Intel Education Theft Deterrent Deployment Guide Revision 1 6 Deploy Theft Deterrent server on Windows
50. migrated JO device s not migrated 10 track s migrated Jo track s not migrated 1 account s migrated account s not migrated oO Note The tracks are the device IP history records that you can view on the server webpage Restart the server after migration completes 7 3 Migrate to server on the same machine It is recommended that you install the latest server on a different server machine However if no extra machine is available you can install the new server on the same machine as the old server for upgrade 7 3 1 Pre migration Check 1 On server 3 x stop Tomcat but make sure that the database is running correctly Run the script ControlTomcat6 sh to stop the TDv1 tomcat and remove it from the auto startup list su chmod a x ControlTomcat6 sh ControlTomcat6 sh remove Note If you want to restore the TDv1 server in this machine you can uninstall the TDv2 server then run the script ControlTomcat6 sh restore A manual system restart is necessary before restore the TDv1 service 2 Install a server 4 x on the current server machine See chapter 5 or 6 for detailed installation steps 7 3 2 Migration steps Then follow these steps to migrate the keystore and database of your old server to the new server 1 Run the following command with root or admin privilege according to your operating system to start the migration tool e Debian usr local theftdeterrentserver migrate lt Max me
51. mory size gt e Windows cd C Program Files Intel Education Software Theft Deterrent server bin call migrate bat lt Max memory size gt 2 You will be prompted for several inputs If the keystore and database of the old server have not been manually configured after server installation completed select the 34 Intel Education Theft Deterrent Deployment Guide Revision 1 default options as listed in the table below Otherwise you might need to locate the key store file or set the database information manually Choice Input Select language 1 English Are the old server and the new server installed on the same machine 2 Yes Is the key store file TCServer keystore stored at the default location 1 Yes Do you want to set the keys from the old server keystore as the default Reference keys the table above Do you want to overwrite the data of the admin account Reference the table above Do you need to manually set the database information Reference the table above Confirm the settings to start the migration Make sure that all the device records and accounts are migrated to server 4 x as shown in Figure 24 If you see any devices or accounts that cannot be migrated you can either skip these devices or accounts or cancel the whole migration process Figure 25 Migration Result On the Same Server Machine gt Migration testing was successful lt 2 device s m
52. n server Theft Deterrent server client Theft Deterrent client 1 2 2 Terms Term Description device online devices Intel classmate PC or Intel Education Tablet The devices that are connected with the server network and their clients are activated and communicating with the server 1 3 Revision History Revision Date 0 61 2013 9 Comment Add usage for server upgrade package and add re install server section Update the migrate tool usage 1 4 Reference Document Document Date Intel Education Theft Deterrent server User Manual 2013 04 Intel Education Theft Deterrent Deployment Guide Revision 1 Intel Education Theft Deterrent client User Manual 2013 02 Intel Education Theft Deterrent Root CA Server Deployment Guide 2013 04 Intel Education Theft Deterrent Central Server Deployment Guide 2013 07 Intel Education Theft Deterrent Deployment Guide Revision 1 2 Theft Deterrent Overview As part of the Intel Education Software suite Theft Deterrent provides a complete physical security management solution for your Intel Education Tablet and Intel classmate PC Note The term device is used throughout this document to refer to Intel Education Tablet and Intel classmate PC To be successful with Theft Deterrent you must first thoroughly plan and test the management features before you use Theft Deter
53. nstall security patches regularly e Close all the services not necessary for the server or restrict the services to be available only to internal IP For example the remote desktop VNC Operating System administrator security e Secure the admin root account of the operating system e Do not change the access permissions of the configuration files and keystore files which are set to read only and accessible by admin root account only by default e Do not add unnecessary account to the operating system or open guest accounts 13 Intel Education Theft Deterrent Deployment Guide Revision 1 Theft Deterrent account security e Keep the passwords of the database server account and the database administrator account secure e If the database server is deployed on a separated machine keep the machine in the internal network and configure the database server to be accessible by the web server only e Keep the user account passwords of the server secure For example require users to change their passwords frequently and never share their passwords with anyone General security e The server admin and other users should not log in the server from a public or shared computer Also it is recommended that you close all other websites when logged in the server e The server admin and other users must not misuse the server Device security activation and check in e It is recommended that you activate the devices in factory Th
54. nt 3 1 Choose Theft Deterrent Solution Architecture 3 1 1 Centralized Architecture cccccssssssssecssecssssessecscessessnensesececsessnassesecessesseasseseesssesseaes 6 3 1 2 Decentralized Archit cture cccccsccccccessesssseceeececeeseaeseeeescseseeaeeesecsceesesaeeeseeseeeseaeaeees 6 3 1 3 Hierarchized Architecture siasa aeaaea AE caus ena suunesasaesoavbeceandss 7 3 2 Choose Database and Download Server LOCAatIONS cccsccccccessesssseeeeececsesesaeseeeeecsesseasseeeesens 8 3 2 1 Choose Database HOSting ccccccccsssssssecececsesesessecececeeseesseseesceeseseeaeseescsseesesaeseeseeeeeeees 9 3 2 2 Choose Download Feature Hosting rrrrrnnnnrnnnnrnrrrnnrornannrnvvnnsnnnnnnnrnvsnnssnnnannnnnsnnssnssenannnsnn 9 4 Theft Deterrent server Requirements sssi innnan aeiae aE n a ia ai iia 4 1 Requirements for Decentralized or Hierarchized Architecture 4 2 Requirements for deploying Centralized Architecture cccccccccceceesssssceceeecsesssssaeseeeeesseees 4 2 1 Requirements for Theft Deterrent server cccccccccccssssssssecececeesseeeseseeeceeseseeseeeeseseeees 4 2 2 Requirements for Download Server cceceseessssececececeeseeececececeeseaseesececeeseesaeseesesseegees 4 3 General Requirements ccccccccessssesecececseseeassecescseesseseeececeeseaeeseeeesceeseseseeseesceesesesaeseesceeeegees 4 3 1 Operating System REQUIFEMENKS cccccccccccccecececececeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
55. ntel Education Theft Deterrent Deployment Guide Revision 1 OS Linux Linux Network bandwidth 74 37 Mbps Oo Note The network bandwidths recommended above are estimated according to the device numbers in four ranges To calculate the network requirement for your specific device number see Appendix 4 3 General Requirements 4 3 1 Operating System Requirements The server supports the following operating systems e Windows Windows Server 2008 R2 64 bits e Linux Debian 6 0 3 64 bits and above You can find this operating system from the Debian official website 4 3 2 Domain Name Requirement For centralized and hierarchized architecture the servers or the central server are hosted on the Internet Therefore it is recommended that you configure a static domain name for the servers 4 3 3 Security Guideline The server is the root of trust for all devices in the Theft Deterrent solution Once deployed it is the responsibility of the IT admin to protect the server against unauthorized use or online attacks Therefore it is strongly recommended that you follow these guidelines to protect the server Physical security e Lock the machine in the cabinet and deny unauthorized personnel from physically accessing the server Network security e Install firewall IPS etc Operating system security e Configure the security settings of the operating system e Update the operating system and i
56. ntel Corporation Intel Corporation assumes no responsibility or liability for any errors or inaccuracies that may appear in this document or any software that may be provided in association with this document Except as permitted by such license no part of this document may be reproduced stored in a retrieval system or transmitted in any form or by any means without the express written consent of Intel Corporation Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order Copyright 2011 Intel Corporation Third party names and brands may be claimed as the property of others Intel Education Theft Deterrent Deployment Guide Revision 1 Table of Contents 1 Introduetion e AAE E EE N TAA S E AEE AE E AE E 1 1 1 Document purpose and SCOPE seiretan iii nanka n EEE Erai idani aeea oiai 1 TD TErMINOlO BY eieaa a a Ee E e a E Ea aea a EAE EE A E O EEEE EO eT 1 1 2 1 Abbreviations ressesie eirias adsain i EE a E Ea A EE EE ASEE ASEE NEEESE 1 1 2 2 E A E ee E 1 1 3 Revision HIStOTV Ac cihecicccste Rhee arante ninan aran EEA aN a VANE aTa AERE EAEE EEA ANENE AVANE EA Eaa E aE EEEE 1 14 Reference DOCUMEN ects ei eaaa an e e aE n aa aiaa aa a aa AE SEER S 1 2 Theft Deterrent OVErViCW ccccccccccccessessssssecececsesesaeseeececsesesesseseeeceeseaesaesecececsesesaeseesesceesueaeaeeeesens 2 1 Deployment Workflow 3 Plan Theft Deterrent server Deployme
57. onal 3 Deploy Theft Deterrent server This component can be deployed at school district or country level 4 Deploy Theft Deterrent clients The remainder of this document focuses on the deployment of the server and the client To deploy the root CA server see the Intel Education Theft Deterrent Root CA Server Deployment Guide To deploy the central server see the Intel Education Theft Deterrent Central Server Deployment Guide Intel Education Theft Deterrent Deployment Guide Revision 1 3 Plan Theft Deterrent server Deployment The server can be deployed in different scenarios to meet different customers needs Therefore it is necessary to understand the options available and decide which option is appropriate for your environment e Choose Theft Deterrent solution architecture centralized decentralized or hierarchized e Choose the locations of the server database and download server local or separate For example you can refer to the following options for a typical deployment scenario Deployment Options Recommended Option Architecture Centralized Deploy server with your own root key pair No central server Deploy server with the Stand alone mode with your own Root Public Key Database hosting Local database Download feature hosting Separate download server For detailed information on how to choose these deployment options see the following chapters 3 1 Choose Theft Dete
58. ontain at least one lowercase letter a z uppercase letter A Z number 0 9 and special character It must not contain sequences of the same character e g aa 33 or numbers that are longer than 5 characters e g 12345 67890 To deploy the server with separate database contact the Intel local TME for support 6 2 Best Practice of Performance Tuning If your server is deployed on LAN no tuning step is required and you can skip this chapter If your server is deployed on the Internet improve the performance of your server with the following steps because the default configuration of the server has limited the resource assignment which could be a performance bottleneck 6 2 1 Common Configuration Configure the performance options in Windows with the following steps 1 From Windows desktop click the Start menu gt Control Panel gt System and Security gt System gt Advanced system settings 2 On the popup window switch to the Advanced tab and click Settings in the Performance area 3 Inthe Visual Effects tab select the Adjust for best performance option as shown below and then click Apply 22 Intel Education Theft Deterrent Deployment Guide Revision 1 4 Figure 15 Configure Performance 1 Advanced Data Execution Prevention Select the settings you want to use for the appearance and performance of Windows on this computer Let Windows choose what s best fo
59. or the master admin account Select Next and then press Enter 9 Confirm the settings and then select OK Press Enter 10 Wait for the installation to complete vw Note The password must be 8 to 30 characters in length and must contain at least one lowercase letter a z uppercase letter A Z number 0 9 and special character It must not contain sequences of the same character e g aa 33 or numbers that are longer than 5 characters e g 12345 67890 To deploy the server with a separate database contact the Intel local TME for support 5 3 Best Practice of Performance Tuning The default configuration of the server has limited the resource assignment which could be a bottleneck for the server performance To improve the performance of the server you can tune the database service web service log and download service with the perfconfig tool If your server is deployed on LAN and manages less than 5K online devices no tuning step is required and you can skip this chapter Otherwise improve server performance with the following steps 1 Run the following commands with root privilege to start the perfconfig tool cd usr local theftdeterrentserver perfconfig 2 Select a language of your choice Select the number of online devices that your server will manage 4 You might also need to configure the following settings e Is your server deployed on LAN or the Internet e Input the defaul
60. ows 6 5 100000 8 oebe og e In general the more devices the more valid bandwidth usage It is recommended that set devices to complete the download in 7 to 14 days 13 5 How to Improve the Download Performance The download server sends upgrade packages to devices to fix bugs or update client features The upgrade packages are generally larger than 6 5MB and therefore the download server will require large bandwidth for many devices to download the packages simultaneously You can improve the download performance of your server with one or several of the following methods to reduce the bandwidth requirements e Set up several download servers For example if devices use two ISPs A and B to connect with the server it would be too costly to put the download server into an Internet data centers IDC that has good connection to both ISPs In such cases you can set up download servers in both ISP A and ISP B 57 Intel Education Theft Deterrent Deployment Guide Revision 1 e Use Content Delivery Network CDN or cloud based download server Because client upgrade occurs only occasionally you can use a CDN service or cloud based download server instead of setting up your own download server For more information please contract CDN or cloud service provider e Set the HTTP proxy in the school If the schools have HTTP proxy you can configure the devices to use the proxy which saves download bandwidth and time 13 6 How
61. r because the devices will not send heartbeat requests simultaneously you must estimate the peak times of the heartbeat requests to calculate the required network bandwidth e Peak times peak requests average requests In general the minimal peak times is 2 but it is recommend that you use 4 The network bandwidth required at school for devices to connect with the server online devices e Download bandwidth Mbps er device download rate peak times 8 online devices F e Upload bandwidth Mbps hountbeatinterval device upload rate peak times 8 You can set device download rate 3 3K bytes s and device upload rate 2 5K bytes s The network bandwidth required for the web server online devices e Download bandwidth Mbps erre e Upload bandwidth Mbps online devices __ server upload rate peak times 8 server download rate peak times 8 heartbeat interval You can set server download rate 2 5K bytes s and server upload rate 3 3K bytes s The network bandwidth required for the download server Network bandwidth Mbps upgrade file x number of devices 8 i i pene 3600 download hours per day download days valid bandwidth usage For example the upgrade file for the client is about 6 5MB in general If the devices are powered on 8 hours a day 100K devices try to download the upgrade file in 7 days and only 60 bandwidth usage is valid then the required network bandwidth is as foll
62. r my computer Adjust for best appearance Adjust for best performance Custom Animate controls and elements inside windows Animate windows when minimizing and maximizing Animations in the taskbar and Start Menu Enable Aero Peek Enable desktop composition Enable transparent glass Fade or slide menus into view Fade or slide ToolTips into view Fade out menu items after clicking Save taskbar thumbnail previews Show shadows under mouse pointer Show shadows under windows Show thumbnails instead of icons Show translucent selection rectangle Show window contents while dragging Slide open combo boxes Smooth edges of screen fonts Smooth scroll list boxes Cc Lena Switch to the Advanced tab select Background services in the Processor scheduling area and then click OK Figure 16 Configure Performance 2 Visual Effects Advanced Data Execution Prevention Processor scheduling Choose how to allocate processor resources Adjust for best performance of Programs Background services Virtual memory A paging file is an area on the hard disk that Windows uses as ifit were RAM Total paging file size for all drives 3891 MB Enable Write caching for hard disks with the following steps From Windows desktop click the
63. r support mode Stand alone mode with the Intel Root Public Key 3 1 3 Hierarchized Architecture The server is hosted at individual school level in the hierarchized architecture This architecture requires a central server Figure 4 Hierarchized Architecture TD Server Running at school A N I Running at school B Pro Lon 0 w Distributed structure Infrastructure complex Manage local server backup recovery Internet connectivity Simplified school transfer process IT skillset Scale to country level deployment Intel Education Theft Deterrent Deployment Guide Revision 1 LAN is required for each school hosting the server while stable Internet connection is required for each school server to communicate with the central server hosted at country level The deployment options selected for this architecture is as follows Deployment Configurations Configured Settings Root key pair Your own root key pair Central server Deploy central server Server support mode Stand alone mode with your own Root Public Key or Central Server Supported mode Note If you choose to deploy the servers with Central Server Supported mode make sure that the central server is accessible to the servers for server activation For more information about the server support modes see Appendix 3 2 Choose Database and Download Server Locations Once you determine the options for the Theft Dete
64. reboot the system 27 Intel Education Theft Deterrent Deployment Guide Revision 1 7 Migrate to Theft Deterrent server 4 x To take advantage of the latest features you can upgrade server from version 3 x to version 4 x and this chapter helps you plan for the upgrade Since server 4 x is backward compatible with clients 2 x upgrading the client to 4 x is not required but reconfiguration is so that the client 2 x can be managed by the latest server Note To grade server 4 x to a higher version follow the upgrade steps in chapter 5 4 or 6 3 according to your operating system You can upgrade the server 3 x with either of the following methods e Migrate to server 4 x installed on a different server machine e Migrate to server 4 x installed on the same server machine The first approach is recommended since it minimizes the impact of the current server system in production For information on the requirements of the server machine see chapter 4 Regardless of the choice above you must back up and migrate the current keystore and database to the new server to preserve the configuration and setting in place e Keystore contains the server keys and security certificates e Database contains an organized collection of the server data which includes o Device records o Device Tracking history o Accounts 7 1 Migration Tool The keystore and database are not migrated automatically but server 4 x includes a migration
65. rent in a production environment As a powerful management application Theft Deterrent can potentially affect every computer in your organization When you deploy and manage Theft Deterrent with careful planning and consideration of your business requirements Theft Deterrent can reduce your administrative overhead and total cost of ownership Figure 1 Theft Deterrent architecture Central server Root CA server optional 4 Theft Deterrent server Prior to deployment it is necessary to understand the different components of Theft Deterrent e Root CA server Each Theft Deterrent solution must contain one root CA server This server generates and manages the root key pair trusted by every Theft Deterrent client that it manages e Central server An optional component of the Theft Deterrent solution that enables device transfer among schools e Theft Deterrent server It manages the devices installed with the Theft Deterrent clients The functions of this server include provision certificates lock and unlock devices etc e Theft Deterrent client client This component runs on devices and can lock and unlock devices based on the certificates received from the Theft Deterrent server Intel Education Theft Deterrent Deployment Guide Revision 1 2 1 Deployment Workflow In general a new deployment of the Theft Deterrent solution follows this order 1 Deploy root CA server 2 Deploy central server This step is opti
66. rent server Options Figure 6 Local or Separate Download Feature Figure 7 Database Location ccccccecccceecsesseseceeeeessessseeeeeeesens Figure 8 Select Root Public Key Type Stand alone Mode Figure 9 Import Root Public Key Stand alone MOde c cccccssscecsecececssscececseeeecessseeecseeeeeesaeeeeseaaes Figure 10 Repair or Re install Theft Deterrent Server ccccccessscececececsesseaesececessesesaeseeeeeceeseaseeeeeeees Figure 17 D tab se Location orosenie ennea eenaa a ea a EEEa EEEE E EE e EEE EEan Figure 12 Server Support Mode cc cccccccecsessssesecececsesseesecececeeseseeeecececeeseseeseseeececseseaaeseesescseseaaeaeseeeees Figure 13 Stand alone Mode w cccecccccccccecssssaececececeeseeaesecececeesesaeeeeeesceeseseeaesececessesesueseeeessseseeaeaeeeesees Figure 14 Import Root Public Key Stand alone MOde cccscccccsssececsssceceesececsesaececsssseceeseseceeaaes Figure 15 Configure Performance 1 Figure 16 Configure Performance 2 Figure 17 Configure Performance 3 Figure 18 Add Trusted Sites Figure 19 Configure Security Level Figure 20 Repair or re install Theft Deterrent Server rrrrrrnsnnrnrrrnnananannrnrrrnrrrnnanannrsrnennsnsnannrsnnesssnsnnnn Figure 21 Check Java VErSiOMsssvecsassokneancaccnassasckndcaccuas aranea aa ai aE EAE AE E EiS Figure 22 Migration Options on the Old Server ccccscccccecessessececeeececsese
67. rrent Solution Architecture You can deploy the Theft Deterrent solution with one of the following architectures e Centralized e Decentralized e Hierarchized Each architecture requires different network settings and different sets of deployment configurations Please refer to the table below for the deployment configurations Deployment Configurations Descriptions Root key pair Root CA server generates root key pair trusted by every client that it manages You can choose to deploy your own root CA server to generate your own root key pair or use the key pair from Intel Central server Central server enables additional functions such as school transfer and server backup restore You can choose whether these are needed in your environment Server support mode Stand alone or Central Server Supported mode See the following chapters for detailed information about the three architectures For more information about the root key pair and server support modes see Appendix Intel Education Theft Deterrent Deployment Guide Revision 1 3 1 1 Centralized Architecture The server is hosted at region or country level in centralized architecture This architecture is recommended in general Figure 2 Centralized Architecture Better service availability Highly depend on internet connectivity Scalability to cover more schools Requiring additional service Call center Better manageability for sc
68. rrent architecture you can consider having a separate database server or download server for better performance or scalability of your server Deployment Options Descriptions Database hosting Database is created during server installation You can choose to have the database created in the same server machine or ona different machine Download feature hosting Download server stores client software packages that can be downloaded by clients version 4 x or above You can choose to have the download server installed in the same server machine or on a different machine Please see process map below for guidance Figure 5 Theft Deterrent server Options Device number To manage less than 5K online devices Local Database Local download server To manage less than 200K online devices l Local Database l Separate download server Intel Education Theft Deterrent Deployment Guide Revision 1 Note If you want to deploy a server to manage more than 200K devices contact the local Intel TME for support See the following chapters for detailed information on how to choose the locations for the database and download servers 3 2 1 Choose Database Hosting The server consists of database and web service components which come with the server installation package These components can be installed on a single machine or on differen
69. s The settings differ according to the server support mode which is set during the installation of the server Server Support Mode First login settings Stand alone e Setup Server Name amp Address e Setup Email Server Central Server supported e Activate the server or reactivate the server e Set up Server Name amp Address e Set up Email Server 8 1 1 Activate Theft Deterrent server If the server is installed with the Central Server supported mode you must activate or reactivate the server with the central server during first login You can skip this chapter if the server is installed with the Stand alone mode By activating the server with the central server you achieve the following functionalities e Register the school information of the server on the central server e Back up the keystore and database information of the server on the central server e Enable the server to manage the devices pre activated in factory e Enable the server to transfer devices via the central server to other servers Make sure that the server is connected with the central server If the server has never been registered or activated on the central server follow these steps to activate the server 1 On the Activate Theft Deterrent server page Step 1 input all server information and the IP address of the central server 2 Click Register Server and your activation request will be sent to the central server 37 Intel
70. s and Settings pages to access different functions Figure 29 Server Tabs intel Theft Deterrent Server Education Inventory Groups amp Accounts Settings 8 2 Modify the Server Log Level By default the server is set with the DEBUG log level to log all precise contexts concerning its running status in case any error occurs and requires debugging The log levels affect the server performance as follows Log Level Server Performance Information Detail DEBUG Low High INFO Medium Medium WARN High Low If you are experiencing slow server performance it is recommended that you lower the server log level with the following steps Otherwise you can skip this chapter 1 Open the log configure file e Debian opt TheftDeterrentserver Site webapps TheftDeterrent WEB INF classes log4j properties e Windows SystemDrive Program Files Intel Education Software Theft Deterrent server Site webapps TheftDeterrent WEB INF classes log4j properties 2 Set the log level to INFO or WARN by changing a line in the configure file as follows log4j logger com intel INFO or log4j logger com intel WARN 3 Restart the server e Debian run the following command service theftdeterrentserver restart e Windows click the Start menu gt All Programs gt Intel Education Software gt Theft Deterrent server gt Start Server 8 3 Server Installation Directories and Log Files While
71. scccccecssssssssecececeeseseseesecscecseeeaeseescecsesesaeseeeescsesesaeseeeesees Figure 36 Check Network Latency r rrrrrarnnnnnrvrnrnnnnonnnnrnnvennsrnnsnnnnnsnnssnnnnnnnnnsnnssnsnanannnsnnssnssnnannnnnnssssnnnnn Figure 37 Back up the Server sesiis niasin en iiaii Aaea a NASER a iE iia as aaa EEEa n iaaa Figure 38 Run KeyManagement Tool cccccssccccecsesessesecececeeseeesececscecseeeaesecececseesaeseeeescsesesasaeeeeeees Figure 39 Import Pre activated Package cccccccccccssssssssecececeeseesesecececeeseeeaesecececsessaeseeeeseseseeaeeeeeesees Intel Education Theft Deterrent Deployment Guide Revision 1 1 Introduction 1 1 Document purpose and scope This document introduces the procedures to deploy Intel Education Theft Deterrent solution for version 4 x The document contains the following information e Introduction to the Theft Deterrent solution e Requirements of the Theft Deterrent server depending on the deployment scenarios e Deployment steps for the Theft Deterrent server e Steps to migrate from earlier versions of the Theft Deterrent server to version 4 x e Pre configuration steps of the Theft Deterrent server e Configuration steps to enable the Theft Deterrent server to use a separate download server e Deployment steps for the Theft Deterrent client and guardian 4 x e Troubleshooting and FAQ 1 2 Terminology 1 2 1 Abbreviations Abbreviation Descriptio
72. server User Manual Intel Education Theft Deterrent Deployment Guide Revision 1 4 Theft Deterrent server Requirements The requirements of the server vary between the Theft Deterrent architectures centralized decentralized or hierarchized Configure your hardware software and network to meet the requirements specific to your architecture and then follow the general requirements 4 1 Requirements for Decentralized or Hierarchized Architecture This section introduces the requirements for deploying the server in the decentralized or hierarchized architecture Both architectures deploy the server on LAN in schools and the general deployment scenario assumes that the number of devices to be managed is less than 5K It is recommended that you deploy the server with the following modes e Local database e Local download feature The hardware and network requirements for the server are as follows Online Requirement Recommended configuration Minimal configuration devices lt 5K CPU 1 x Intel Xeon 4 cores CPU 1 x Intel Xeon 2 cores Hardware Memory 4 GB Memory 4 GB OS Linux or Windows Linux or Windows Network bandwidth 10 4 Mbps The minimum hard disk space required is 2GB However the recommended hard disk space for the server is 30 GB and above 4 2 Requirements for deploying Centralized Architecture This section introduces the requirements for deploying the s
73. t The operation takes effect after the Theft Deterrent server restarts Do you want to restart now 1 Yes 2 No Input 1 2 default 1 1 Restart now Done Prompts Descriptions Select Option Select language Select the display language of the migration 1 English tool 32 Intel Education Theft Deterrent Deployment Guide Revision 1 Are the old server and the new server installed on the same machine Specify whether the old server and the new server are installed on the same machine Which server is installed on this machine Specify whether this machine is the old server or the new server 2 New server Input the location of the restore zip package e g root restore zip Input package password The password set in the steps above Do you want to migrate both the keystore and the database You can choose to migrate only the keystore if the new server is a test server for temporary usage the server 3 x does not contain any device records or accounts or you do not want to migrate any device records or accounts to the new server In general it is recommended that you migrate both the keystore and database so that you can manage the old devices with the new server without further action required 1 keystore only 2 keystore and database Do you want to set the keys from the old server keystore as the default keys Since the s
74. t machines for better performance and scalability In general it is recommended that you deploy the server with a local database unless your server is required to manage more than 200K online devices in which case contact the Intel local TME for support 3 2 2 Choose Download Feature Hosting The server includes a Smart Client Upgrade function which provides clients with upgrade packages through HTTP download The download performance is dependent on how you deploy the server download feature You can deploy the feature with either of the following methods e Local Deploy the download feature as a feature of the web service e Separate Use a third party download server to provide the download feature Figure 6 Local or Separate Download Feature Local Download Feature Separate Download Feature oO o Theft Deterrent Theft Deterrent Separate server server download server Web Web Download Service Database Service Database Service Download Service In general it is recommended that you deploy the server on the Internet with a separate download server if the number of online devices it manages is larger than 5K You can configure the server to specify the location where clients should download the packages according to the location of the download feature chosen Detailed configuration steps are introduced in chapter 9 For more information about the Smart Client Upgrade function see the Intel Education Theft Deterrent
75. t download speed limit KB s Set a download limit for the local download feature This setting will not affect any separate download server 17 Intel Education Theft Deterrent Deployment Guide Revision 1 5 Input 1 and press ENTER to restart the web service 5 4 Upgrade Theft Deterrent server You can upgrade the server from version 4 x to a higher version All the data and settings of the server are kept after the upgrade Before upgrading it is recommended that you back up the server To upgrade a server follow these steps 1 Copy the latest server upgrade package named as Theft Deterrent server upgrade v4 0 3010X version to the local disk 2 Open the installation wizard by following the steps Theft Deterrent server upgrade v4 0 391 X version install 3 Select a language of your choice and accept the license agreement Then wait for the wizard to complete the installation 5 Clear cache of your browser before login to server again Note The browser will cache old server and make the webpage display maybe distort after server upgrade 5 5 Repair or Re install Theft Deterrent server If upgrade failed the current server may be corrupted You can repair the server with the current installation package And you can reinstall the server to remove the server data settings and key files Before repair or re install it is recommended that you back up the server To repair or re insta
76. tall All the data settings and key files of the previously installed server will be removed Note Please make sure that the settings and database files of the previous server are not deleted if you choose to upgrade or repair the server 4 Follow the installation wizard to complete the installation 6 5 Uninstall Theft Deterrent server If you want to uninstall the server it is recommended that you back up the server before the action vw Note Make sure that no device is managed by the server any more Otherwise the 26 Intel Education Theft Deterrent Deployment Guide Revision 1 devices might be locked within a certain period of time You can uninstall the server by using either the installation package or the Control Panel To uninstall the server with the installation package follow these steps 1 2 TB Open the folder that contains the installation package In the folder right click setup exe and select Run as administrator to open the uninstall wizard Click Next on the welcome page Click Next Click Remove to uninstall the server Wait for the process to complete and then click Finish Reboot the system To uninstall the server from the Control Panel follow these steps PWN Click the Start menu gt Control Panel gt Programs gt Programs and Features Right click Intel R Education Theft Deterrent server and select Uninstall Click Yes to confirm the action Click Yes to
77. ternet or use the Debian CD to install the dependencies 1 Change to root account with the following command Input password when needed SU 2 Open the sources list located at etc apt sources list and add the following lines Replace release with the Debian release version deb http cdn debian net debian release main deb src http cdn debian net debian release main 3 Update the sources list with the following command apt get update 4 Install python ufw dialog and sudo with the following command apt get install python ufw dialog sudo 5 2 Install Theft Deterrent server Copy the server installation package Theft_Deterrent_server_v4 0 3010X version to any folder in the local disk Go to the folder and then run the following commands 1 Change to root account and input password when needed SU 2 Change the file permission of the installation package 15 Intel Education Theft Deterrent Deployment Guide Revision 1 chmod x Theft_Deterrent_server_v4 3010X version 3 Run the installation package to open the install wizard Theft_Deterrent_server_v4 3010X version install Follow these steps to deploy the server 1 Select the language of your choice and then select Next Press Enter 2 Press Enter to accept the license agreement 3 Select the Local database option and then select Next Press Enter
78. then click Next 5 Select a server support mode of your choice and then click Next 20 Intel Education Theft Deterrent Deployment Guide Revision 1 Figure 12 Server Support Mode j Intel R Education Theft Deterrent server InstallShield Wizard Server Support Mode 6 If you choose to install the Stand alone mode select the Root Public Key type for you deployment on the next page Figure 13 Stand alone Mode j Intel R Education Theft Deterrent server InstallShield Wizard 7 If you choose to deploy the server with your own Root Public Key you must import the Root Public Key file with the extension pubkey or bin by copying the key to your local machine and then browse to the location of the key e g C CmpcRoot pubkey 21 Intel Education Theft Deterrent Deployment Guide Revision 1 Figure 14 Import Root Public Key Stand alone Mode i Intel R Education Theft Deterrent server InstallShield Wizard x Stand alone Mode Import the Root Public Key of your region Select the Root Public Key file of your region which is also the Root Public Key file used by the Central Server some 8 On the next step set a password and email for the master admin account and then click Next 9 Confirm the settings and then click Install 10 The installation will be completed in about 20 minutes vw Note The password must be 8 to 30 characters in length and must c
79. to Back up Theft Deterrent server To back up the server follow these steps 1 Logon the server and open the Advanced page under Settings Note You must complete the pre configuration steps before you can access the Advanced page Click the Back up button To protect the backup files with password select the option and input a password To save a copy of the backup file to local disk select the option Click Back up If you chose to save a copy select a location and save the file NE GID oO Note The password must be 6 to 30 characters in length This password will be required when you restore the server Figure 37 Back up the server a OTS 1 Back up Server Server name Server IP address URL Click Back up to back up server data Save Backup file name backup 20130322 Central Server Support 7 Protect the backup file with password The server is linked with the overser Show characters Update the server information Download a copy to local disk Server Backup Back up Cancel You can back up server data Back up server data manually Backup Manage Backup 13 7 How to offline Transfer Devices to Theft Deterrent server 4 x To offline transfer devices from an old server version earlier than 3 x including 3 x to a new server version 4 x without central server obtain the KeyManagement tool from your local TME and then follow these steps On the new s
80. tool migrate jar in the installation directory to help you simplify the migration The tool enables admin to copy the keystore and database from the server 3 x and merge them with the keystore and database in the latest server By doing so the clients that were managed by the server 3 x can be managed by the latest server 7 1 1 Migration Requirements The migration tool supports the following operating systems e Windows 2008 R2 64 bits e Debian 6 or above 64 bits You can migrate the server keystore and database across platforms but make sure that the server 3 x and 4 x run on the supported operating system Note You can migrate between servers in different languages because the keystore and database are not language dependent Also make sure the current server keystore and database are securely backed up before the migration The keystore and database migrated from the previous server will merge with that in server 4 x Therefore it is recommended that you also back up the keystore and database in server 4 x if it contains any existing device records or accounts 28 Intel Education Theft Deterrent Deployment Guide Revision 1 7 1 2 Migration Options Prior to running the tool you need to understand the following options with regard to how you want to migrate the keystore and database Data Options Keystore Because the server 3 x and 4 x use different server keys you must decide which key to set as the
81. ure Download Server ccccccccccecssssssececccecesessececececsesesaeseeecscseaaeseeeesceesesasseeeesceeseaaaeees 42 9 2 Configure Download Feature on Theft Deterrent SCrVer cccccccccecssssscecececeesssesseeeesceessseeaeees 42 10 Manually Deploy Theft Deterrent client and QUArIAN c cccccccecesssssececececsesesaeeeeeeecsesesaseeeeeeees 44 10 1 Deploy Theft Deterrent client and guardian on Windows csccccccccsssessseceeecessestsaeeeeees 44 TOLL Prerequisitesin tdninarsear eee val irettesatt 10 1 2 Install with Command Line 10 1 3 Install with Install Wizard 10 2 Deploy Theft Deterrent client and guardian on Debian 10 2 1 Install Dependency rrrrnrrnnnonnrorvrnsnnnsnnrrnvvnnsrnnnnn 10 2 2 Install Theft Deterrent client and guardian 10 3 Pre set server address and address modify protection password 10 4 Open Theft Deterrent client s ccccccc ccceereleasccscveeceesedcesecveventuedisdeSeeecddnct edad ce cuedeste theses deseenndeeede 10 4 1 Open Theft Deterrent client on Windows rrnnrorrnnrnnanannnnrsnnsnnsnennnnrsnnssnssnnsnnrnnnenssnnnnne 10 4 2 Open Theft Deterrent client ON Debian rrrrnnrorrrnrananonnnnrvrnrnnsnonsnnrsrnrnnsnrnsnnrsnsrnnsennnnn 10 5 Installation Directories and Log Fil S cccecsccccccecsessssececececseseaesecececeeseasseeeesesesseasaeeeesees 11 Tr ubleshootingisnssssdedsseektksea dre Ea aa a aaae ibe cob cveanss aaa 11 1 Theft Deterrent server Installation F
82. ver If you had already activated a server that later crashed and its key pair are lost permanently you can replace the crashed server by installing a new server with the Central Server supported mode Then follow these steps to reactivate the server 1 2 3 Contact central server admin offline to request an activation code for reactivation On the Activate Theft Deterrent server page Step 1 click Skip On the Activate Theft Deterrent server page Step 2 input the activation code and the IP address of the central server Then click Reactivate Server 38 Intel Education Theft Deterrent Deployment Guide Revision 1 4 When you see the reactivation success message click OK When reactivation completes you can manage the devices that were manage by the crashed server when the devices connect with this server For more information about server activation see the Intel Education Central Server User Manual 8 1 3 Set up Server Name amp Address Server name e Server name must be less than 128 characters in length e If the server is installed with the Central Server supported mode the server name is already set during the activation process Server IP address URL e Server address is the IP address or URL of the server machine e This server address will be broadcasted to the clients when the Automatic Server Broadcast function is turned on 8 1 4 Set up E mail Notification Service You can set up the e ma
Download Pdf Manuals
Related Search