Dell Data Protection

Contents

1. If your DDP Server is v7 7 or later DDPE XXbit setup exe s v EME 1 SERVERHOSTNAME server organization com POLICY PROXYHOSTNAME rgk organization com DEVICESERVERURL https server organization com 8443 xapi MANAGEDDOMAIN ORGANIZATION norestart 1 v EMEinstall log qn T NOTE Although the About box in the client displays software version number information it does not display whether a full client is installed or EME only To locate this information go to C ProgramData Dell Dell Data Protection Encryption CMGShield log on an XP the path is C Documents and Settings All Users Application Data Dell Dell Data Protection Encryption CMGShield log and locate the following entry lt date timestamp gt Devicelnfo lt gt Shield Information SM External Media Only SB DELL UNF FQUN last sweep 0 0 Convert External Media Edition to Enterprise Edition e Runa command line similar to the following If your DDP Server is pre v7 7 DDPE XXbit setup exe s v SERVERHOSTNAME server organization com POLICYPROXYHOSTNAME rgk organization com MANAGEDDOMAIN ORGANI ZATION DEVICESERVERURL https server organization com 8081 xapi REINSTALL ALL EME 0 REINSTALLMODE vemus gn If your DDP Server is v7 7 or later DDPE XXbit setup exe s v SERVERHOSTNAME server organization com POLIC
2. Then Dell ControlVault C extracted UshCvReset Dell ControlVault Software Update Child Installer The following example installs Dell Control Vault software updates used by Security Tools silent installation no reboot log file at the specified location installed in the default location of C Program Files Dell Dell Data Protection If the target computer is not equipped with Dell ControlVault installing this software is not harmful and will have no effect Dell CV SW Update xXX exe s v norestart 1 v CVinstall log qn 40 Enterprise Edition Administrator Guide Then DDPJE Encryption Client ClextractedlEncryption The following example installs the client with default parameters encryption client Encrypt for Sharing CREDActivate no dialogue no progress bar no restart logs at the specified location installed in the default location of C Program File DellDell Data Protection If your DDP Server is pre v7 7 DDPE XXbit setup exe s v SERVERHOSTNAME server organization com POLICYPROXYHOSTNAME rgk organization com MANAGEDDOMAIN ORGANIZATION DEVICESERVERURL https server organization com 8081 xapi norestart l v Shieldinstall log qn If your DDP Server is v7 7 or later DDPE XXbit setup exe s v SERVERHOSTNAME server organization com POLICYPROXYHOSTNAME rgk organization com MANAGEDDOMAIN ORGANIZATION DEVICESERVERURL https server organization com 8443 xapi n
3. BitLocker Manager External Media Edition and Cloud Edition See Cloud Edition Activation and User Experience to learn how to use Cloud Edition BitLocker Manager Client C extracted Security Tools The following example installs BitLocker Manager silent installation no reboot log file at the specified location no entry in the Control Panel Programs list installed in the default location of C Program Files DellDell Data Protection EMAgent XXbit setup exe s v CM EDITION 1 SERVERHOST server organization com ERVERPORT 8888 SECURITYSERVERHOST securityserver organization com T S SECURITYSERVERPORT 8443 ARPSYSTEMCOMPONENT 1 ADDLOCAL DI ELL Security Tools BITLOCKER FEATURE BLM 1 v Bitlockerinstall gn log norestart Then DDPJE Encryption Client C extracted Encryption The following example installs EME only silent installation no reboot log file at the specified location installed in the default location of C Program Files Dell Dell Data Protection Enterprise Edition Administrator Guide 45 If your DDP Server is pre v7 7 DDPE XXbit setup exe s v EME 1 SERVERHOSTNAME server organization com POLICY PROXYHOSTNAME rgk organization com DEVICESERVERURL https server organization com 8081 xapi MANAGEDDOMAIN ORGANIZATION norestart 1 v EMEinstall log qn If your DDP Serv
4. Command Line Uninstallation For a command line uninstallation the switches must be specified first The v switch is required and takes an argument Other parameters go inside an argument that is passed to the v switch Switches The following table details the switches available for the uninstallation Switch Meaning lv Pass variables to the msi inside the exe files required a Administrative installation Ix Uninstall mode s Silent mode Parameters The following table details the parameters available for the uninstallation Log File Parameters A fullpath filename log CM_EDITION 1 lt remote management gt INSTALLDIR lt change the installation destination gt SERVERHOST lt coreserver organization com gt SERVERPORT 8888 SECURITYSERVERHOST lt securityserver organization com gt SECURITYSERVERPORT 8443 ARPSYSTEMCOMPONENT 1 lt no entry in the Control Panel Programs list gt Options The following table details the display options that can be specified at the end of the argument passed to the v switch to achieve your expected behavior Options Meaning q No Progress dialog restarts itself after process completion qb Progress dialog with Cancel button prompts for Restart qb Progress dialog with Cancel button restarts itself after process completion qb Progress dialog without Cancel button prompts for restart qb Progress dialog wit
5. Command Line Installation For a command line installation the switches must be specified first The v switch is required and takes an argument Other parameters go inside an argument that is passed to the v switch Switches The following table details the switches available for the installation Switch Meaning lv Pass variables to the msi inside the setup exe s Silent mode Parameters The following table details the parameters available for the installation NOTE The I v parameter is not needed A log is generated at temp DellDriverlnstaller log Parameters SUPPRESSREBOOT 1 INSTALLPATH lt change the installation destination gt ARPSYSTEMCOMPONENT 1 lt no entry in the Control Panel Programs list gt Enterprise Edition Administrator Guide 63 64 Options The following table details the display options that can be specified at the end of the argument passed to the v switch to achieve your expected behavior Option Meaning q No Progress dialog restarts itself after process completion qb Progress dialog with Cancel button prompts for restart qb Progress dialog with Cancel button restarts itself after process completion qb Progress dialog without Cancel button prompts for restart qb Progress dialog without Cancel button restarts itself after process completion qn No user interface NOTE Do not use both q and qn in the same command line Only us
6. For Windows XP, the log file path is C:\Documents and Settings\All Users\Application Data\Dell\Dell Data Protection\Encryption. For Windows 7, Windows 8, and Windows 8.1, the log file path is C:\ProgramData\Dell\Dell Data Protection\Encryption. The Encryption Removal Agent log file is not created until after the Encryption Removal Agent Service runs, which does not happen until the computer is restarted. Once the client is successfully uninstalled and the computer is fully decrypted, the log file is permanently deleted. Check Encryption Removal Agent Status: When the Encryption Removal Agent runs, its status displays in the description of the Windows Service panel (Start > Run > services.msc > OK) as follows: Waiting for Deactivation: DDP|E is still installed, is still configured, or both. Decryption does not start until DDP|E is uninstalled. Initial sweep: The Service is making an initial sweep, calculating the number of encrypted files and bytes. The initial sweep occurs one time. Decryption sweep: The Service is decrypting files and possibly requesting to decrypt locked files. Decrypt on Reboot (partial): The decryption sweep is complete and some locked files (but not all) are to be decrypted on the next restart. Decrypt on Reboot: The decryption sweep is complete and all locked files are to be decrypted on the next restart. All files could not be decrypted The
7. Manager SSL trust validation is now turned off. DDP Enterprise Server VE: If a self-signed certificate is used on VE for SED or BitLocker Manager, SSL trust validation must be disabled on the client computer. On the VE Server, SSL trust validation is disabled by default. On the client computer, add the following registry entry: HKLM\System\CurrentControlSet\Services\CredMgmtAgent\Parameters DisableSSLCertTrust=DWORD (32-bit) Value: 1. NOTE: Disabling trust validation lessens security, but allows you to use a self-signed certificate for pilots, POCs, etc. Dell does not recommend the use of self-signed certificates for a production environment. Manager SSL trust validation is now turned off. How to Use the Initial Access Code Policy: This policy is used to log on to a computer when network access is unavailable, meaning access to the DDP Server and AD are both unavailable. Only use the Initial Access Code policy if absolutely necessary. Dell does not recommend this method to log in. Using the Initial Access Code policy does not provide the same level of security as the usual method of logging in using User Name, Domain, and Password. In addition to being a less secure method of logging in, if an end user is activated using the Initial Access Code, then there is no record on the DDP Server of that user activating on this computer. In turn there is
9. Enterprise Edition Administrator Guide 53 Install DDP E Interactively e Use these instructions to install DDP Enterprise Edition interactively This method can be used to install the Enterprise Edition suite of products on one computer at a time This installer includes the components you need for either software encryption or hardware encryption for computers equipped with Hardware Crypto Accelerator HCA Locate DDPSetup exe in the Dell installation media Copy it to the local computer 2 Double click DDPSetup exe to launch the installer Dialogs display that alert you to the status of the installing the prerequisites This may take several minutes Dell Data Protection InstallShield Wizard 4 Dell Data Protection Installer Setup is preparing the InstallShield Wizard which will guide you through the program setup process Please wait Extracting Dell Data Protection Installer msi cancel Installing Prerequisites please wait Click Next when the Welcome screen displays Read the license agreement agree to the terms and click Next 5 Select Enterprise Edition on the Choose Edition screen If you intend to install External Media Edition on y select the External Media Edition only check box 54 Enterprise Edition Administrator Guide 6 Click Next Choose Edition Enter the edition you w ant to Install Personal Edition Data is managed by the Local Management Console 9 Enterp
10. Install DDP E Interactively spa kaal A 54 Install DDP E Using the Command Line 59 Uninstallation Process 60 4 Enterprise Edition Administrator Guide Section II EES a O NI as mt De 61 Drivers Installation Tasks 63 Install Drivers arc ri A a les bad 63 Command Line Installation 63 Section Ill DDPIJE Encryption Client 65 Encryption Client Installation Tasks 67 Best Practices 0 45 bets a in Bw Det ARS De eee nue 67 Install Encryption Client 22 o ta Bad a ewe wate fut 67 Command Line Installation 68 Install External Media Edition EME 69 Convert External Media Edition to Enterprise Edition 70 Create a Custom Transform File 70 Encryption Client Uninstallation and Decryption Tasks 73 BeSt Practices 3 35 atu oo oak eee ek ee ee ee ee eee 73 Piereg isites na hake woe kha ee ESS oe RE Bee das 73 Uninstall Encryption Client iii ey Pe ko ps Be eS ue 74 Command Line Uninstallation 74 Uninstall External Media Edition 76 How to Create an Encryption Removal Agent Log File Optional 11 Check Encryption Removal Agent St
11. log in to the Remote Management Console In the left pane click Protect amp Manage gt Endpoints Select the appropriate Endpoint Type Select Show gt Visible Hidden or All If you know the Hostname of the computer enter it in the Hostname field wildcarding is supported You may leave the field blank to display all computers Click Search a FF WwW N If you do not know the Hostname scroll through the list of available computers to locate the computer A computer or list of computers displays based on your search filter Select the Details icon of the desired computer Click Security Policies on the top menu From the Policy Category drop down menu select Self Encrypting Drives oo N oo Expand the SED Administration area and change the Enable SED Management and Activate PBA policies from True to False 10 Click Save 11 In the left pane click Actions gt Commit Policies 12 Click Apply Changes Wait for the policy to propagate from the DDP Server to the computer targeted for deactivation After the PBA is deactivated you may uninstall the clients Enterprise Edition Administrator Guide 99 Uninstall SED Client e The uninstallation is performed using the EMAgent XAbit setup exe DP_XXbit_setup exe and Dell_CV_SW_Update_xXX exe files located in the C lextracted Security Tools C lextracted Security ToolslAuthentication and C lextracted UshCvReset Dell ControlVault Software Update Child Installer folders
12. 0n with SEDs is that RAID requires access to the disk to read and write RAID related data at a high sector not available on a locked SED from start and cannot wait to read this data until after the user is logged on Change the SATA operation in the BIOS from RAID On to AHCI to resolve the issue If the operating system does not have the AHCI controller drivers pre installed the operating system will blue screen when switched from RAID On to AHCI Drivers Intel Rapid Storage Technology Driver http wwwdell com support drivers us en 19 DriverDetails Product latitude e6440 laptop driverld 1 KX2H amp osCode W764 amp fileld 3356216042 amp languageCode en amp categoryld SA Enterprise Edition Administrator Guide 17 Client Prerequisites The installer installs these components if not already installed on the computer Prerequisites e Microsoft Visual C 2012 Update 3 or later Redistributable Package x86 and x64 e Microsoft NET Framework v4 0 BEST PRACTICE Potential installation problems can be avoided if Microsoft NET Framework is installed on the target computer prior to client installation Opal Compliant SEDs Drives with X are supported for SED management but are not qualified for or shipped in Dell systems Drive Availability Standard Seagate ST320LT009 FIPS Julius Y Opal 1 Seagate ST500LT015 Yarra 1D FIPS 500 Y Opal 2 eDrive Seagate
13. Cloud Edition on an iOS device 176 Cloud Edition on an Android device 176 Share Files With External Users 177 Administrator Tasks 177 External User Tasks 177 Cloud Edition Frequently Asked Questions FAQs 178 Administrator FAUS orador a Mid dite t 178 Folder Management FAQs 179 Dropbox FAQS occas a anal dues ue de ner ue 180 Box Syne Client FAQS 2 4 go oo a ar AA a ent AURA un 180 Miscellaneous FAQs 181 Appendix A Change Secure Boot UEFI to Legacy Boot Mode in BIOS 183 A O LE ARS a mia a AR De En Mer nt 185 10 Enterprise Edition Administrator Guide Introduction This guide details how to install and configure the DDP E encryption client SED management client Advanced Authentication and its drivers BitLocker Manager and Cloud Edition You can install all the clients together using the master installer user interface or individually by extracting the child installers out of the master installer and then installing them by command line or user interface The clients can be installed using any push technology available to your organization Generally the best practice is to follow this order 1 Install the Dell Enterprise Server or DDP Ente
14. Dell CV SW Update xXX exe to install Dell ControlVault software updates used by Security Tools using a scripted installation using batch files or any other push technology available to your organization Enterprise Edition Administrator Guide 95 Command Line Installation For a command line installation the switches must be specified first The v switch is required and takes an argument Other parameters go inside an argument that is passed to the v switch Switches The following table details the switches available for the installation Switch Meaning lv Pass variables to the msi inside the exe files required a Administrative installation Ix Uninstall mode s Silent mode Parameters The following table details the parameters available for the installation Log File Parameters A v fullpath filename log CM_EDITION 1 lt remote management gt INSTALLDIR lt change the installation destination gt SERVERHOST lt coreserver organization com gt SERVERPORT 8888 SECURITYSERVERHOST lt securityserver organization com gt SECURITYSERVERPORT 8443 ARPSYSTEMCOMPONENT lt no entry in the Control Panel Programs list gt Options The following table details the display options that can be specified at the end of the argument passed to the v switch to achieve your expected behavior Options Meaning q No Progress dialog restarts itself after process com
15. Do not install Encryption Removal Agent. CMGSILENTMODE: Property for silent uninstallation: 1 = Silent, 0 = Not Silent. Required Properties: DA_SERVER: FQHN for the DDP Enterprise Server hosting the negotiate session. DA_PORT: Port on the DDP Enterprise Server for request (default is 8050). SVCPN: Username in UPN format that the Dell Key Server service is logged on as on the DDP Enterprise Server. DA_RUNAS: Username in SAM compatible format under whose context the key fetch request will be made. This user must be in the Key Server list in the DDP Enterprise Server. DA_RUNASPWD: Password for the runas user. FORENSIC_ADMIN: The Forensic administrator account on the DDP Enterprise Server VE. This account is used only when the Server is a DDP Enterprise Server VE. FORENSIC_ADMIN_PWD: The password for the Forensic administrator account. This account is used only when the Server is a DDP Enterprise Server VE. Optional Properties: SVCLOGONUN: Username in UPN format for Encryption Removal Agent service logon as parameter. SVCLOGONPWD: Password for logon as user. NOTE: The Forensic administrator account is created in the VE Remote Management Console. Use the Forensic administrator's credentials only when the client to be uninstalled is activated against a DDP Enterprise Server VE. When the Server is a non-VE Server, use the DA_PORT and SVCPN parameters. Options: The following table details th
16. Encryption Removal Agent Status for information on how to check decryption status following uninstallation. NOTE: If performing a silent uninstall of a client that is activated against a DDP Enterprise Server VE, and using a password on the command line is a security concern, Dell recommends that the administrator: 1. Create a Forensic Administrator account in the VE Remote Management Console for the purpose of performing the silent uninstallation. 2. Use a temporary password for that account that is unique to that account and time period. 3. After the silent uninstallation has been completed, remove the temporary account from the list of administrators or change its password. Command Line Uninstallation: For a command line uninstallation, the switches must be specified first. The /v switch is required and takes an argument. Other parameters go inside an argument that is passed to the /v switch. Switches: The following table details the switches available upon the uninstallation. Switch and Meaning: /v: Pass variables to the .msi inside the DDPE_xxbit_setup.exe. /a: Administrative uninstallation. /x: Uninstall mode. /s: Silent mode. Parameters: The following table details the parameters available for the uninstallation. Parameter and Selection: CMG_DECRYPT: Property for selecting the type of Encryption Removal Agent installation: 1 = Download keys from the DDP Server, 0
17. HCA True This step causes the PBA partition to be created The computer will restart to complete the process Enterprise Edition Administrator Guide 49 50 Enterprise Edition Administrator Guide Section Enterprise Edition Administrator Guide Dell Data Protection Installer Master Installer 52 Enterprise Edition Administrator Guide Dell Data Protection Master Installer The Dell Data Protection Master Installer is commonly known as the Master Installer as it installs the Enterprise Edition suite of products The master installer does not support upgrades from pre v8 0 components For upgrade needs extract the appropriate child installer from the master installer See Extract the Child Installers from the Master Installer for extraction instructions You will be securing access to this computer using advanced authentication credentials that are managed and enrolled using Dell Data Protection Security Tools DDP ST is now the primary manager of your authentication credentials for Windows Sign in including Windows password fingerprints and smart cards Picture password PIN and fingerprint credentials enrolled using the Microsoft Operating System will not be recognized at Windows Sign in To continue using the Microsoft Operating System to manage your credentials uninstall DDP ST The default location of log files is C ProgramData Dell Dell Data Protection If yo
18. HCA policy has been set to True (HCA). If you must switch to a different authentication method, you must either: Remove all the users from the PBA and then re-enroll the users, or Deactivate the PBA (SED) or set the HCA policy to False (HCA), change the authentication method, and then re-activate the PBA (SED) or set the HCA policy to True (HCA). On computers equipped with a Hardware Crypto Accelerator or a self-encrypting drive, to use smart cards with Preboot Authentication, the following registry value must be set on the client computer: HKLM\SOFTWARE\DigitalPersona\Policies\Default\SmartCards MSSmartcardSupport=dword:1 (0 or no key = Smart Card Support Off, 1 = Smart Card Support On). DDP|E Client and Advanced Authentication: See Configure Credentials in the Security Console and Use the Authentication Applications to learn how to use the features of Advanced Authentication. NOTE: Drivers are needed for Advanced Authentication if installing on Dell hardware. These are the drivers for the various smart cards and fingerprint readers for which Dell supplies drivers. Installing these drivers should be omitted if using Advanced Authentication on non-Dell hardware, as they may interfere with other vendor's drivers. Drivers are also needed if installing the encryption client. Additional drivers and software stack are required for supporting Hardware Crypto Accelerator (HCA). This includes the H
19. If Cloud Edition is installed it can be uninstalled independently without uninstalling the clients listed above Cloud Edition Cloud_xxbit_setup exe 4 When all clients are uninstalled run the master installer s DDPSetup exe to uninstall the master installer 60 Enterprise Edition Administrator Guide Section Il Enterprise Edition Administrator Guide Drivers 62 Enterprise Edition Administrator Guide Drivers Installation Tasks Drivers are needed for Advanced Authentication if installing on Dell hardware These are the drivers for the various smart cards and fingerprint readers for which Dell supplies drivers Installing these drivers should be omitted if using Advanced Authentication on non Dell hardware as they may interfere with other vendor s drivers Drivers are also needed if installing the encryption client Additional drivers and software stack are required for supporting Hardware Crypto Accelerator HCA This includes the HCA driver and the Trusted Software Stack TSS for TPM e Ifyou have not extracted the individual installer yet follow the procedure in Extract the Child Installers from the Master Installer The drivers can be installed by command line using any push technology available to your organization Install Drivers Drivers locate the installer at C extracted Drivers e Use setup exe to install using a scripted installation batch files or any other push technology available to your organization
20. Install a Cloud Sync Client NOTE The installation steps will prompt you for the Server Name that this computer will communicate with such as server domain com This information is supplied by your Administrator The best practice is to select and install just one sync client to work with Cloud Edition If applicable use your company s preferred cloud sync client 1 Click one of the following to install a sync client e Dropbox if your company allows business and personal accounts this is the personal account see https www dropbox com install Dropbox for Business If your company has Dropbox for Business your Administrator will provide you with a link for downloading and installing it Your enterprise will determine if internal users can have a business account only or if they can use both business and personal folders If you install Dropbox for Business see Authenticate Dropbox for Business e Box see https Avww box com platform e OneDrive see https onedrive live com about en us download 2 Inthe sync client create a shared folder or accept an existing one from another person or group in your company If you are running one of the following you can access a sync client folder from the system tray Dropbox Dropbox for Business Click the Dropbox icon and select Dropbox Folder Box Right click the Box icon and select Open Box Sync folder e OneDrive Click the OneDrive icon and select Open your OneDrive fold
21. Latitude E6430 ATG v Latitude E5430 v Latitude E5530 y Latitude E7240 v v Latitude E7440 v v Latitude E6440 v v Latitude E6540 v v Precision M4600 Y Precision M6600 y Precision M4700 y 14 Enterprise Edition Administrator Guide Windows Hardware Operating Systems The following table details supported operating systems Precision M6700 Precision M4800 y Precision M6800 v Precision T3600 Precision T3610 y Precision T5600 Precision T5610 y Precision T7600 Precision T7610 y Precision T1650 Precision T1700 y OptiPlex 9010 AIO OptiPlex 9010 OptiPlex 7010 v OptiPlex 7020 v OptiPlex XE2 Y OptiPlex 9020 AIO v OptiPlex 9020 y OptiPlex 9020 Micro y OptiPlex 9030 AIO v NOTE The Encryption client does not support dual boot configurations as it is possible to encrypt system files of the other operating system which would interfere with its operation XP Mode is not compatible with the Encryption client it is designed to run Microsoft Windows 7 or later natively Windows Operating Systems 32 and 64 bit e Microsoft Windows XP SP3 Professional Edition NOTE Software encryption only is supported on Microsoft Windows XP SP3 Enterprise Edition Administrator Guide e Microsoft Windows 7 SP0 SP1 Enterprise Professional Ultimate 15 Windows Operating Systems 32 and 64 bit e Microsoft Windows 8 Enterprise Pro e
22. SED Client: The user account performing the installation must be a local or domain Admin user, which can be temporarily assigned by a deployment tool such as Microsoft SMS or KACE. To successfully install SED management, the computer must have network connectivity. Be prepared to shut down and restart the computer after you apply policies and are ready to begin enforcing them. Windows 8.1 should not be installed on drive 1 on self-encrypting drives. This operating system configuration is not supported because Windows 8.1 creates a recovery partition on drive 0 which, in turn, breaks Preboot Authentication. Instead, either install Windows 8.1 on the drive configured as drive 0 or restore Windows 8.1 as an image to any of the drives. The SED management client does not support UEFI Secure Boot with self-encrypting drives on Windows 8 or Windows 8.1. For more information about UEFI, see http://en.community.dell.com/techcenter/extras/m/white_papers/20278835.aspx. Supported Opal compliant SEDs require updated Intel Rapid Storage Technology Drivers, located at http://www.dell.com/support/drivers/us/en/19/DriverDetails/Product/latitude-e6440-laptop?driverId=1KX2H&osCode=W764&fileId=3356216042&languageCode=en&categoryId=SA. NOTE: IPv6 is not supported. IMPORTANT: Due to the nature of RAID and SEDs, SED management supports RAID only with the Intel Rapid Storage Technology Driver configured to use a single disk. The issue with RAID
23. SED Management and Advanced Authentication 95 Command Line Installation 96 SED and Advanced Authentication Deactivation and Uninstallation L SSP Sine et Bi oaas den ke a a va a 99 Prerequisites 99 Deactivate the PBA 99 6 Enterprise Edition Administrator Guide Uninstall SED Client 100 Command Line Uninstallation 100 SED and US Recovery ses memassossrpussiorusessinsnesrst 103 Selt Recovery OS LOTO it aa ARAS 103 Self Recovery PBA 106 Assisted Recovery PBA 108 Prerequisites 23 tut t e Dh due kuvand du 108 Retrieve the Recovery Bundle 108 How to Turn Off Manager SSL Trust Validation 109 How to Use the Initial Access Code Policy 111 How to Create a PBA Log File for Troubleshooting 112 Section V User Experience Credential Management and Authentication Applications ts Oe US cath Ode sor eg bs 113 Configure Credentials in the Security Console 115 Use the Authentication Applications 0 123 GredentldlS seu sta ce mena Oy tenn Wat oe Eee esi ee anes 124 Enrollment Status era Si ant aa Shae ote o 124 Backup and R
24. Support On. Use these instructions to install software encryption, or hardware encryption for computers equipped with an HCA card. Best Practices: IT best practices should be followed during deployment. This includes, but is not limited to, controlled test environments for initial tests and staggered deployments to users. Back up any important data. To reduce encryption time, run the Windows Disk Cleanup Wizard to remove temporary files and any other unnecessary data. Turn off sleep mode to prevent an unattended computer from going to sleep. Encryption cannot occur on a sleeping computer. In environments where systems are installed with images, it is strongly recommended to install the Encryption client after image installation. If it is necessary to incorporate the Encryption client in an image, it should be done in an unencrypted state. Should you have questions or concerns, contact Dell Pro Support. When upgrading, Dell recommends doing so when no encryption sweep is running. Performing an upgrade during an encryption sweep may prevent the client from restarting normally after the installation finishes. If this occurs, a computer restart corrects the issue. Install Encryption Client: DDP|E Encryption Client: locate the installer at C:\extracted\Encryption. Use DDPE_XXbit_setup.exe to install or upgrade using a scripted installation, using batch files, or any other push technology available to your organization. NO
25. Traditional Taiwan, PT-BR Portuguese Brazilian, PT-PT Portuguese Portugal (Iberian), RU Russian, ES Spanish, JA Japanese. BitLocker Manager Client: If Windows BitLocker is not yet deployed in your environment, consider reviewing BitLocker requirements. The user account performing the installation must be a local or domain Admin user, which can be temporarily assigned by a deployment tool such as Microsoft SMS or KACE. Ensure that the PBA partition is already set up. If BitLocker Manager is installed before the PBA partition is set up, BitLocker cannot be enabled and BitLocker Manager will not be operational. See Pre-Installation Configuration to Set Up a BitLocker PBA Partition. Turn on and enable the TPM. BitLocker Manager will take ownership of the TPM and will not require a reboot. However, if TPM ownership already exists, BitLocker Manager will begin the encryption setup process (no restart is required). The point is that the TPM must be owned and enabled. The keyboard, mouse, and video components must be directly connected to the computer. Do not use a KVM switch to manage peripherals, as the KVM switch can interfere with the computer's ability to properly identify hardware. Client Prerequisites: The installer installs this component if not already installed on the computer. Prerequisites: Microsoft .NET Framework v4.0. BEST PRACT
26. Win H After the end user has created a logon the regular user interface displays Current User Tech Security Console Dell Data Protection Security Tools Setup Authentication Encryption Password Manager Password Manager Settings Manage your logons to websites and programs Access accounts without having to remember passwords To place a logon in a category drag and drop the logon on the category Categories Your Logons All accounts google com Manage Y E mail someone2 gmail com Manage Y Banking login yahoo com Manage Y News someone yahoo com Manage Y Enterprise Edition Administrator Guide 139 Logons are grouped by domain If an end user has multiple logons for the same web domain the logons will be listed indented under their domain accounts google com nobody gmail comm login yahoo com Windows User Name online citibank com someone citibank com someone citibank com someone citibank com Ifthe end user clicks the Manage command next to a logon a drop down menu shows a subset of the following commands depending on whether a domain or a logon is selected Open default also triggered if the end user double clicks the logon Edit Add Delete e The logons show a password strength indicator bar for each account added The indicator bar changes from red weak to yellow medium to green strong To accommodate color blindness the length of the stre
27. any commands or policies and you need to bypass the PBA login. Some examples include: You need to remove SED management because it is malfunctioning, and you need to get to the Windows login screen. You need to deactivate the computer but cannot because a PBA failure has occurred. The operating system has been accidentally re-imaged, so there effectively is not an SED client. Prerequisites: Ensure that the following prerequisites are met before beginning the recovery process. Ensure that you have physical access to the drive to be recovered. Ensure that you have USB media or a network drive available to save the recovery file downloaded from the Remote Management Console. Ensure that you have access to the Dell installation media. The files in the Windows Recovery Kit folder contain the files needed for this process. Be prepared to create a WinPE image. All instructions and special drivers that are needed to create a WinPE image and recover the computer are included in the Windows Recovery Kit folder. Retrieve the Recovery Bundle: This section details part of the steps to take when data recovery is needed for an SED. 1. As a Dell Administrator, log in to the Remote Management Console. 2. In the left pane, click Actions > Recover Data. 3. Click the SED tab on the top menu. 4. In the Recover SED Endpoint area, enter the Host Name of the computer and click Create Recovery File. The Host Name is typically the fully
28. correct user authentication. The newest release of DDP|E offers enhanced Preboot Authentication (PBA) for the Dell HCA. The enhanced PBA uses a separate preboot partition to provide encryption of the full Windows volume and optional secondary partitions. Enhanced PBA provides features equivalent to PBA for self-encrypting drives, such as network authentication, multi-user support, and network unlock. When HCA policies are in play, System Data Encryption (SDE) policies are ignored. Legacy Hardware Crypto Accelerator (HCA): Computers equipped with legacy HCA use a BIOS password to emulate preboot authentication. The BIOS of most of these computers can be upgraded to take advantage of the newest HCA features used by DDP|E v8.3 and later. If the BIOS cannot be upgraded, DDP|E can be installed and run, but the computer will not have access to the newest features of HCA. See Also: Hardware Crypto Accelerator (HCA). Preboot Authentication (PBA): Preboot Authentication (PBA) serves as an extension of the BIOS or boot firmware and guarantees a secure, tamper-proof environment external to the operating system as a trusted authentication layer. The PBA prevents anything being read from the hard disk, such as the operating system, until the user has confirmed they have the correct credentials. Protected: For SED, a computer is protected once it has been activated and the PBA is deployed. System Data Encrypt
29. data to launch the Backup and Restore Wizard 3 End users can also view a text log of backup and restore operations performed on this computer by clicking View Backup and Restore log at the bottom of the Backup and Restore page NOTE The data backed up does not include operating system or PBA logon credentials or credential specific information such as the end user s fingerprints Current User eu Security Console Dell Data Protection Security Tools Setup Authentication Encryption Backup and Restore Backup and Restore Dell Data Protection Security Tools Backup and Restore Wizard helps you to securely back up data managed by Dell Data Protection Security Tools applications This data can be restored on any computer protected by Dell Data Protection Security Tools Credentials such as fingerprint data are not backed up Choose what you would like to do Back up data Restore data 126 Enterprise Edition Administrator Guide Back up Data 1 Click Back up data to launch the Backup and Restore Wizard The first page of the wizard allows the end user to select the application data to back up By default Password Manager is selected 2 The end user clicks Next Current User eu Security Console Dell Data Protection Setup Authentication Choose data to back up Backup and Re You can back up the data managed by the Dell Data Protection Security Tools applications listed below MO Pas
30. e You must have a local or domain Administrator account to uninstall BitLocker Manager e Use the same EMAgent_XXbit_setup exe file to uninstall that was used to install Uninstall BitLocker Manager Command Line Uninstallation For a command line uninstallation the switches must be specified first The v switch is required and takes an argument Other parameters go inside an argument that is passed to the v switch Switches The following table details the switches available for the uninstallation Switch Meaning Iv Pass variables to the msi inside the EMAgent_XXbit_setup exe required a Administrative installation Ix Uninstall mode s Silent mode Parameters The following table details the parameters available for the uninstallation Log File Parameters A fullpath filename log CM_EDITION 1 lt remote management gt INSTALLDIR lt change the installation destination gt SERVERHOST lt coreserver organization com gt SERVERPORT 8888 SECURITYSERVERHOST lt securityserver organization com gt SECURITYSERVERPORT 8443 ADDLOCAL DELL Security Tools ARPSYSTEMCOMPONENT 1 lt no entry in the Control Panel Programs list gt Enterprise Edition Administrator Guide 147 Options The following table details the display options that can be specified at the end of the argument passed to the v switch to achieve your expected behavior Options Meaning
31. is not equipped with Dell ControlVault installing this software is not harmful and will have no effect Dell CV SW Update xXX exe s v norestart 1 v CVinstall log qn 48 Enterprise Edition Administrator Guide Then DDPJE Encryption Client ClextractedlEncryption The following example installs the client with default parameters encryption client Encrypt for Sharing CREDActivate no dialogue no progress bar no restart logs at the specified location installed in the default location of C Program File DellDell Data Protection If your DDP Server is pre v7 7 DDPE XXbit setup exe s v SERVERHOSTNAME server organization com POLICYPROXYHOSTNAME rgk organization com MANAGEDDOMAIN ORGANIZATION DEVICESERVERURL https server organization com 8081 xapi norestart l v Shieldinstall log qn If your DDP Server is v7 7 or later DDPE XXbit setup exe s v SERVERHOSTNAME server organization com POLICYPROXYHOSTNAME rgk organization com MANAGEDDOMAIN ORGANIZATION DEVICESERVERURL https server organization com 8443 xapi norestart l v Shieldinstall log qn Then e Configure user credentials and recovery questions in the Security Console See Configure Credentials in the Security Console and Use the Authentication Applications to learn how to use the features of Advanced Authentication Then Enable hardware based encryption by issuing a policy of Hardware Crypto Accelerator
32. no reboot log file at the specified location no entry in the Control Panel Programs list installed in the default location of C Program Files Dell Dell Data Protection EMAgent XXbit setup exe s v CM EDITION 1 SERVERHOST server organization com ERVERPORT 8888 SECURITYSERVERHOST securityserver organization com T S SECURITYSERVERPORT 8443 ARPSYSTEMCOMPONENT 1 ADDLOCAL DI ELL Security Tools BITLOCKER FEATURE BLM 1 v Bitlockerinstall gn log norestart Then DDP E Encryption Client C extracted Encryption The following example installs EME only silent installation no reboot log file at the specified location installed in the default location of C Program Files Dell Dell Data Protection If your DDP Server is pre v7 7 DDPE XXbit setup exe s v EME 1 SERVERHOSTNAME server organization com POLICY PROXYHOSTNAME rgk organization com DEVICESERVERURL https server organization com 8081 xapi MANAGEDDOMAIN ORGANIZATION norestart 1 v EMEinstall log qn If your DDP Server is v7 7 or later DDPE XXbit setup exe s v EME 1 SERVERHOSTNAME server organization com POLICY PROXYHOSTNAME rgk organization com DEVICESERVERURL https server organization com 8443 xapi MANAGEDDOMAIN ORGANIZATION norestart 1 v EMEinstall log qn T
33. organization com lt Allow gt Allows this specific user to register with the DDP Server. lt Allow gt Ggmail com lt Allow gt Allows all Gmail users to register with the DDP Server. Blacklist: The blacklist prevents specific users or groups of users from registering with the DDP Server and using Cloud Edition. This list does not prevent users who are already registered from using Cloud Edition. Users whose email addresses are entered in the blacklist receive a message stating that they cannot register for Cloud Edition. You can use the blacklist to exclude specific users who are members of approved groups on the whitelist. Additionally, using the wildcard, entire domains can be placed on the blacklist, which will prevent anyone with an email address in that domain from registering. See the following examples: lt deny gt Corganization com lt deny gt Prevents all organization com email addresses from registering with the DDP Server. lt deny gt jdoe organization com lt deny gt Prevents this specific user from registering this email address with the DDP Server. lt deny gt gmail com lt deny gt Prevents all Gmail users from registering with the DDP Server. To modify the whitelist/blacklist, follow the instructions below. 1. Go to lt Security Server install dir gt conf. 2. Open registration access xml with a text editor. 3. Allow or deny users based on the above information and the following example: lt xml version
34. preparing to enter setup F2 or preparing one time boot menu F12 Enter BIOS Administrator password if prompted NOTE Typically you will not see this prompt if this is a new computer since the BIOS password has not yet been configured 2 If the computer is equipped with legacy HCA follow this step Otherwise skip to step Define the BIOS Administrator Password if not already configured Under Settings click the plus sign next to Security and then click Admin Password You must complete this step before you can create a System Preboot password Enter your new Admin password information and click Apply If the computer is equipped with legacy HCA follow this step Otherwise skip to step Define a System Preboot Password if not already configured Click System Password in the same menu Enter your new System Password information and click Apply IMPORTANT Before performing Steps 4 and 5 understand that you should never clear TPM or DDP HCA ownership after HCA policies have 4 5 been implemented If you ignore the BIOS warning and clear the TPM or HCA after policies have been implemented you will lose access to the encrypted hard drive and must complete a recovery process to regain access Clear and activate the TPM Click TPM Security in the same menu Select the Clear option and click Apply Select the Activate option and click Apply Clear HCA ownership C
35. q No Progress dialog restarts itself after process completion qb Progress dialog with Cancel button prompts for Restart qb Progress dialog with Cancel button restarts itself after process completion qb Progress dialog without Cancel button prompts for restart qb Progress dialog without Cancel button restarts itself after process completion qn No user interface NOTE Do not use both q and qn in the same command line Only use and after qb Example Command Line Uninstallation e The uninstallation is performed using the EMAgent XAbit setup exe file located in the C extracted Security Tools folder NOTE Be sure to enclose a value that contains one or more special characters such as a blank space in escaped quotation marks To specify a log location other than the default location where the executable is located provide the complete path in the command For example I C Logs will create install logs in a CALogs folder EMAgent XXbit setup exe x s v l Uninstall log qn Reboot the computer when prompted BitLocker Manager is uninstalled 148 Enterprise Edition Administrator Guide BitLocker Manager Recovery To recover data you obtain a recovery password or key package from the Remote Management Console which then allows you to unlock data on the computer Recover Data 1 2 3 4 As a Dell Administrator log in to the Remote Management Console In the left pane click Action
36. qualified host name. If not, you can find the Host Name on the Endpoint Detail page in the Endpoint Detail section. It is listed as the Unique ID. 5. When prompted, save this file to USB media or a network drive. Dell suggests using the default naming convention of hostname.dat. 6. Go to the Dell installation media and locate the Windows Recovery Kit folder. Open Instructions for building the WinPe.txt and follow the instructions to create the WinPE image that will be used to recover the computer. How to Turn Off Manager SSL Trust Validation: When using SED or BitLocker Manager and you want to turn off Manager SSL trust validation, follow the steps below. Dell Enterprise Server: NOTE: The Server Configuration Tool and the Remote Management Console cannot run simultaneously. Close the Remote Management Console before opening the Server Configuration Tool. 1. In the Server Configuration Tool, on the Settings tab, check the box for Disable Trust Chain Check. Save your changes and close the Server Configuration Tool. On the client computer, add the following registry entry: HKLM\System\CurrentControlSet\Service\CredMgmtAgent\Parameters, DisableSSLCertTrust, DWORD (32-bit) Value: 1. NOTE: Disabling trust validation lessens security but allows you to use a self-signed certificate for pilots, POCs, etc. Dell does not recommend the use of self-signed certificates for a production environment.
37. the end user Log on with Password Manager Click the Password Manager icon or authenticate to log on e To start the logon process an end user can perform any of the following actions a Scan enrolled credentials An end user with an enrolled fingerprint or contactless smart card can touch the fingerprint reader with an enrolled fingerprint or present an enrolled card to the card reader b Double click the active area of the Password Manager icon arrow or click the active area and select the appropriate item from the context menu c Press the Password Manager hot key combination user configurable the default is Ctrl Win H Enterprise Edition Administrator Guide 135 The end user must authenticate according to the Session Logon authentication policy in force which is configurable in the Remote Management Console Upon a successful authentication the logon data is filled in on the logon screen The end user is prompted to choose the account to use if more than one logon for the logon screen exists Select Logon Data There is more than one set of logon data for this screen in Password Manager Choose the logon data you wantto submit E online citibank com 83 online citibank com someone1 citibank com 23 online citibank com someone2 citibank com Additional options are available through the context menu upon successful authentication Fill in logon data If the end user selects i in logon da
38. to Password Manager Click this icon on logon screens Press Ctrl Win H Add Logon The Password Manager icon in the upper left area of a screen indicates that this screen can be trained with the software e To start training a logon screen an end user can perform any of the following actions Scan enrolled credentials An end user with an enrolled fingerprint or contactless smart card can touch the fingerprint reader with an enrolled fingerprint or present an enrolled card to the card reader Double click the active area of the Password Manager icon arrow or click the active area and select the appropriate item from the context menu Press the Password Manager hot key combination user configurable The default is Ctrl Win H Enterprise Edition Administrator Guide 131 After performing one of the above listed actions the Add Logon to Password Manager dialog displays accounts google com Account information The following logon fields for this website or program have been detected Type the information that you want Dell Data Protection Security Tools to fill in automatically Email name gmail com n or Submit account data Add Logon 132 The end user adds their logon information for the website or program in the Add Logon dialog The end user can add or subtract logon fields or edit the field labels through the More fields button For password fields a password strength ind
39. website or program have been detected Type the information that you want Dell Data Protection Security Tools to fill in automatically Windows User Name Windows User Principal Name Windows Domain User Name Windows Domain Use Old Password e It is possible that an end user may modify a password in Password Manager and then have the password rejected by the application In this case the application allows the end user to use a previous password a password previously entered for this logon page instead of the most recent one User name bd Password Windows User Password Use previous password Show password More fields If the end user selects Use previous password then after authentication the end user is prompted to choose an old password from the Password Manager list The list includes seven passwords and can be deleted permanently by clicking Clear list Choose Password Te e To use a previous password instead of your current one i selectthe password and click OK Old passwords password Enterprise Edition Administrator Guide 137 Password Change e Password Manager provides a change password functionality that helps the end user create stronger passwords When the application detects a password change screen a dedicated Password Manager icon is shown on the password screen F Upon authentication the end user can change their
40. 1 0 encoding UTF 8 gt lt access gt lt whitelist gt lt allow gt userl organization com lt allow gt lt allow gt organization com lt allow gt gt lt allow gt lt allow gt lt whitelist gt lt blacklist gt lt All addresses not specifically allowed are denied lt deny gt lt deny gt gt lt blacklist gt lt access gt 4 Save and close the file An email is automatically sent as configured in the Server Configuration Tool s SMTP tab to the users added to the whitelist directing them to https yoursecurityservername domain com 8443 cloudweb register Enterprise Edition Administrator Guide 157 Use Dropbox for Business Cloud Edition with Dropbox for Business offers additional functionality Remote Wipe a Team Member Account e With a DDP Enterprise Server Virtual Edition v8 4 or later you can set policies to control how business and personal Dropbox folders are protected If your enterprise allows both business and personal accounts end users should understand encryption of each type of account See Policy for Business and Personal Accounts Policy for Business and Personal Accounts Your enterprise may have guidelines on whether team members can use business and personal accounts Also the enterprise may allow only certain users to have both business and personal accounts NOTE If your enterprise allows both business and personal accounts and an end user chooses to use both the user must
41. A with the UPN user format. Insert the USB drive into the computer that the logs are to be collected from during this step. After inserting the USB drive, wait for 5-10 seconds, then remove the drive. A credpbaenv.tgz file is created in the CredantSED folder that contains the needed log files. Section V: User Experience, Credential Management and Authentication Applications. Configure Credentials in the Security Console: The Security Console is the centralized user interface for all end users of the computer. The Security Console is used to set up and manage users' credentials, view the enrollment status of their credentials, back up and restore program data as well as Password Manager logons and credentials for Windows. The Security Console provides a wizard-driven user interface to enable end users to configure their credentials and self-recovery questions. The Security Console provides end users with an easy way to enroll their authentication credentials, manage their logons to websites, programs, and network resources, back up and restore program data, and monitor encryption status. The Security Console contains three tabs: Setup, Authentication, and Encryption. 1. Instruct end users to launch the Security Console from the Start Menu or the System Tray. 2. When the Security Console launches the
42. CA driver and the Trusted Software Stack TSS for TPM The ControlVault driver and firmware update is installed as part of this scenario Drivers C extracted Drivers The following example installs the drivers at the specified location does not create an entry in the Control Panel Programs list and suppresses the reboot setup exe S z InstallPath lt c location gt ARPSYSTEMCOMPONENT 1 SUPPRESSREBOOT 1 Then SED Client C extracted Security Tools The following example installs remotely managed SED silent installation no reboot log file at the specified location no entry in the Control Panel Programs list and is installed in the default location of C Program Files Dell Dell Data Protection EMAgent XXbit setup exe S v CM EDITION 1 SERVERHOST server organization com SERVERPORT 8888 SECURITYSERVERHOST securityserver organization com SECURITYSERVERPORT 8443 ARPSYSTEMCOMPONENT 1 1 v SEDinstall log norestart qn NOTE The SED clientis required for Advanced Authentication in v8 x Then Advanced Authentication Client C extracted Security Tools Authentication The following example installs Advanced Authentication silent installation no reboot log file at the specified location installed in the default location of C Program Files Dell Dell Data Protection DP XXbit setup exe s v norestart l v DPinstall log qn
43. CON 1 HIDEOVERLAYICONS 1 REBOOT ReallySuppress qn E Install External Media Edition EME The following example installs EME only silent installation no progress bar automatic restart installed in the default location of C Program File DellDell Data Protection If your DDP Server is pre v7 7 DDPE XXbit setup exe s v SERVERHOSTNAME server organization com POLICY PROXYHOSTNAME rgk organization com MANAGEDDOMAIN ORGANI ZATION DEVICESERVERURL https server organization com 8081 xapi EME 1 qn If your DDP Server is v7 7 or later DDPE XXbit setup exe s v SERVERHOSTNAME server organization com POLICY PROXYHOSTNAME rgk organization com MANAGEDDOMAIN ORGANI ZATION DEVICESERVERURL https server organization com 8443 xapi EME 1 qn Enterprise Edition Administrator Guide 69 The following example installs EME only silent installation no reboot with logs at the specified location installed in the default location of C Program Files Dell Dell Data Protection If your DDP Server is pre v7 7 DDPE XXbit setup exe s v EME 1 SERVERHOSTNAME server organization com POLICY PROXYHOSTNAME rgk organization com DEVICESERVERURL https server organization com 8081 xapi MANAGEDDOMAIN ORGANIZATION norestart 1 v EMEinstall log qn
44. DDP Enterprise Server VE e When using the option Encryption Removal Agent Import Keys from a file you must use the CMGAd utility prior to launching the Encryption Removal Agent to obtain the encryption key bundle The CMGAd utility and its instructions are located in the Dell installation media Dell Offline Admin XXbit 8 x x xxx zip Enterprise Edition Administrator Guide 73 Optionally create an Encryption Removal Agent log file to aid in troubleshooting See How to Create an Encryption Removal Agent Log File Optional If you do not intend to decrypt SDE User or Common encrypted files during the uninstall process you do not need to create an Encryption Removal Agent log file You must have a local or domain Admin user account to perform the uninstallation Dell ControlVault is typically not uninstalled as it is a driver for your fingerprint reader Uninstall Encryption Client Before you begin ensure the following items are complete If the uninstallation target device is activated against a DDP Enterprise Server ensure that a domain account is configured for the Logon As in the Dell Key Server service If the uninstallation target device is activated against a DDP Enterprise Server ensure that the DA_RUNAS user is in the Key Server list in the Remote Management Console See How to Create an Encryption Removal Agent Log File Optional for instructions on how to create an Encryption Removal Agent log file See Check
45. Dell Data Protection EMAgent XXbit setup exe S v CM EDITION 1 SERVERHOST server organization com SERVERPORT 8888 SECURITYSERVERHOST securityserver organization com SECURITYSERVERPORT 8443 ARPSYSTEMCOMPONENT 1 1 v SEDinstall log norestart gn Enterprise Edition Administrator Guide 41 Then Advanced Authentication Client C extracted Security Tools Authentication The following example installs Advanced Authentication silent installation no reboot log file at the specified location installed in the default location of C Program Files Dell Dell Data Protection DP XXbit setup exe s v norestart l v DPinstall log qn Then Dell ControlVault C extracted UshCvReset Dell ControlVault Software Update Child Installer The following example installs Dell Control Vault software updates used by Security Tools silent installation no reboot log file at the specified location installed in the default location of C Program Files Dell Dell Data Protection If the target computer is not equipped with Dell ControlVault installing this software is not harmful and will have no effect Dell CV SW Update xXX exe s v norestart 1 v CVinstall log qn Then DDPJE Encryption Client C extracted Encryption e The following example installs EME only silent installation no reboot log file at the specified location installed in the default locatio
46. Dell Data Protection Encryption Enterprise Edition Administrator Guide DDP E Encryption Client SED Advanced Authentication BitLocker Manager and Cloud Edition O 2014 Dell Inc Registered trademarks and trademarks used in the DDP E E DDP ST and DDP CE suite of documents Del and t the Dell logo Dell Precision OptiPlex ControlVault Latitude XPS and KACE are trademarks of Dell Inc Intel Pentium Intel Core Inside Duo Itanium and Xeon are registered trademarks of Intel Corporation i m the U S and other countries Adobe Acrobat and Flash are registered trademarks of Adobe Systems Incorporated Authen Tee and Fikon are registered trademarks of Authen Tec AMD is E registered trademark of Advanced Micro Devices Inc Microsoft Windows and Windows Server Internet Explorer M5 DOS Windows Vista MSN ActiveX Active Directory Access ActiveSync BitLocker BitLocker To Go Excel Hyper ve Silverlight Outlook PowerPoint OneDrive SOL Server and Visual C are either trademarks or registered trademarks of Microsoft Corporation i in the United States and or other countries VMware is a registered trademark or trademark of VMware Inc in the United States or other countries Box is a registered trademark of Box Dropbox is a service mark of Dropbox Inc Google Android Google Chrome Gmail YouTube and Goo
47. Enterprise Server restarts Ifusing superadmin in Step 3 and the superadmin password is not changeit it must be changed here Save and close the file Sample Configuration File lt xml version 1 0 encoding utf 8 gt lt configuration gt lt appSettings gt lt add key port value 8050 gt TCP port the Dell Key Server will listen to Default is 8050 lt add key maxConnections value 2000 gt number of active socket connections the Dell Key Server will allow lt add key url value https keyserver domain com 8443 xapi gt Dell Device Server URL the format is 8081 xapi for a pre v7 7 DDP Enterprise Server lt add key verifyCertificate value false gt true verifies certs set to false to not verify or if using self signed certs lt add key user value superadmin gt User name used to communicate with the Dell Device Server This user must have the Administrator role selected in the Remote Management Console The superadmin format can be any method that can authenticate to the DDP Enterprise Server The SAM account name UPN or domain username is acceptable Any method that can authenticate to the DDP Enterprise Server is acceptable because validation is required for that user account for authorization against Active Directory For example in a multi domain environment only entering a SAM account name such as jdoe will likely will fail because the DDP Enterprise Server
48. ICE Potential installation problems can be avoided if Microsoft NET Framework is installed on the target computer prior to client installation Hardware The following table details supported hardware Hardware e Intel Pentium class processors Operating Systems The following table details supported operating systems Windows Operating Systems e Microsoft Windows 7 SP0 SP1 32 and 64 bit Enterprise Ultimate e Microsoft Windows 8 64 bit Enterprise Fdition e Microsoft Windows 8 1 64 bit Enterprise Edition Pro Edition e Microsoft Windows Server 2008 R2 64 bit Standard Edition Enterprise Edition Enterprise Edition Administrator Guide 21 Language Support BitLocker Manager is Multilingual User Interface MUI compliant and supports the following languages Language Support EN English JA Japanese e ES Spanish e KO Korean FR French PT BR Portuguese Brazilian e IT Italian PT PT Portuguese Portugal Iberian e DE German Cloud Edition Client The user account performing the installation must be a local or domain Admin user which can be temporarily assigned by a deployment tool such as Microsoft SMS or KACE e Cloud Edition can be used with DDP E v7 2 4 or later Ensure that target devices have connectivity to https yoursecurityservername domain com 8443 cloudweb register and https yoursecurityservername domain com 8443
49. IIS As a Dell administrator login to the Dell Remote Management Console In the left pane click Protect amp Manage gt Enterprise Click Security Policies on the top menu Select the Policy Category Cloud Storage from the drop down list Expand the Policy grouping 2 to show Cloud Storage Settings Scroll to the Software Update Server URL policy and enter https lt YOUR HOST URL gt CloudUpdate NOTE CloudUpdate is only an example to match the example above 14 15 16 Click Save to store the policy modification in the queue to commit Click Actions gt Commit Policies Click Apply Changes Allow Deny Users on Whitelist Blacklist The whitelist and blacklist entries determine which users can register with the DDP Server to use Cloud Edition For adequate security be sure to carefully set up and manage these lists 156 Enterprise Edition Administrator Guide Whitelist The whitelist allows specific users or groups of users to register with the DDP Server and to use Cloud Edition To allow external users they must be placed on the whitelist to allow registration However in order for the blacklist to be used if you have used a wildcard in the whitelist it must be removed See the following examples lt Allow gt organization com lt Allow gt Allows all organization com email addresses to register with the DDP Server lt Allow gt lt Allow gt All users are allowed to register DDP Server lt Allow gt jdoe
50. Icon Settings: Configure the Password Manager icon. Prompt to add logons for logon screens. Exclude this screen: Do not prompt to add logons for logon screens. Web Domain Support: If an end user has trained a logon screen for a specific web domain but then wants to access his account on that web domain from a different logon screen, the end user can navigate to the new logon screen. The end user is then prompted to use an existing logon or to add a new one to Password Manager. [Screenshot: Logon with Password Manager dialog, with Add logon, Use logon and Cancel buttons] If the end user clicks Use logon, they are logged on to the previously created account. The next time the end user tries to access that account from the new logon screen, they can access it without the prompt. If the end user clicks Add logon, the Add logon dialog is shown. Logging on to Trained Logon Screens: If the end user directly navigates to a web or application logon, the application detects whether this screen was trained and shows the Password Manager icon in the upper left corner of the screen. The first three times the end user accesses a trained logon, an information balloon is shown to guide
51. Microsoft Windows 8.1 - Windows 8.1 Update 1: Enterprise Edition, Pro Edition; Windows Embedded 8.1 Industry Enterprise; VMware Workstation 5.5 and higher; Windows Embedded Standard 7 in Application Compatibility Mode. Operating Systems for External Media Edition (EME): The following table details the operating systems supported when accessing media protected by EME. NOTE: To host External Media Shield (EMS), removable storage must have approximately 55MB available, plus open space on the media that is equal to the largest file to be encrypted. Operating Systems Supported to Access EMS-Protected Media (32- and 64-bit): Microsoft Windows XP SP3: Professional Edition, Home Edition, Media Center Edition (NOTE: Software encryption only is supported on Microsoft Windows XP SP3); Microsoft Windows 7 SP0-SP1: Enterprise, Professional, Ultimate, Home Premium; Microsoft Windows 8: Enterprise, Pro, Windows 8 (Consumer); Microsoft Windows 8.1 - Windows 8.1 Update 1: Enterprise Edition, Pro Edition. Language Support: The Encryption client is Multilingual User Interface (MUI) compliant and supports the following languages: EN (English), JA (Japanese), ES (Spanish), KO (Korean), FR (French), PT-BR (Portuguese, Brazilian), IT (Italian), PT-PT (Portuguese, Portugal/Iberian), DE (German)
52. Policy > Dropbox Encrypt Personal Folders. Each time the user logs in. When the user creates or adds a new file or folder to a personal Dropbox account. If you set the Dropbox Encrypt Personal Folders policy to False for an Endpoint or Endpoint Group, personal accounts of all users on those endpoints will remain unencrypted. Business and Personal Folders: If your enterprise has Dropbox for Business and you allow end users to have both business and personal folders, you may want to run reports to ensure that all business files have the .xen file extension, in case an end user copies a sensitive, unprotected file into a business folder. See Run Reports. Remote Wipe a Team Member Account: If your enterprise has Dropbox for Business, you can remotely remove a team member from the corporate Dropbox for Business team account if, for example, a user leaves the company. Files and folders associated with the team member's account will be removed from all devices used by the account. This revokes that user's access to those files. Prerequisites: NOTE: Before you perform this procedure, you must back up any files or folders from the team member account that might be needed by the enterprise or other Dropbox for Business team members. Only a Dropbox for Business Administrator can remote wipe a Dropbox for Business account. The end user must have activated Cloud Edition and connected to Dropbox
53. Questions 2. Clicking the link displays the questions selected by the end user during their initial setup in the Security Console. The end user enters the answers and clicks OK. 3. Upon successful entry of the answers to the questions, the end user is in Access Recovery mode. The following options are available to end users: Change their Windows password; Re-enroll their credentials; Go directly into Windows. The end user selects one option and clicks Next. NOTE: If none of the options are selected within the Windows timeout period, the end user is automatically logged into Windows without further action. Self-Recovery, PBA: This workflow enables end users to log on with provisioned recovery questions. Once the end user's recovery questions have been set up, the option to use the recovery questions for PBA self-recovery is available. 1. At the PBA login screen, the end user enters their user name and clicks the gear in the lower left. 2. The end user selects Forgot Password. 3. The end user enters the correct answers to the recovery questions and clicks Finish. Assisted Recovery, PBA: Assisted recovery will be needed if you cannot gain access to the computer using
54. ST500LT012 Yarra 1D non-FIPS 500 X Opal 2 eDrive; Seagate ST500LM020 Kahuna V FIPS Y Opal 2; Travelstar 5K750 series X Opal; Travelstar 7K750 series X Opal; Travelstar Z5K320 series X Opal; MKxx61GSYD series X; MKxx61GSYG series X; Samsung SM841 OPAL SSD Y Opal 2; Samsung SM841N OPAL SSD 7 Opal 2; LiteOn LIM OPAL SSD Model LMT 256L9M 41 A Opal 2; LiteOn M3 series SSD Y Opal 1; LiteOn M6 series SSD Y Opal 2; Micron RealSSD C400 SSD X Opal 1. Operating Systems: The following table details the supported operating systems. Windows Operating Systems (32- and 64-bit): Microsoft Windows 7 SP0-SP1: Enterprise, Professional; Microsoft Windows 8: Enterprise, Professional, Windows 8 (Consumer); Microsoft Windows 8.1: Enterprise Edition, Pro Edition. Language Support: The SED client is Multilingual User Interface (MUI) compliant and supports the following languages. NOTE: PBA localization is not supported in Russian, Traditional Chinese, or Simplified Chinese. Language Support: EN (English), KO (Korean), FR (French), ZH-CN (Chinese, Simplified), IT (Italian), ZH-TW (Chinese, Traditional/Taiwan), DE (German), PT-BR (Portuguese, Brazilian), ES (Spanish), PT-PT (Portuguese, Portugal/Iberian), JA (Japanese), RU (Russian). Advanced Authentication Client Hardware: The following table details supported Dell hardware. Drivers for fing
55. Setup tab displays. The end user clicks Setup to launch the Setup wizard. [Screenshot: Security Console, Setup tab] 3. The end user clicks Next at the Welcome page. 4. Verify Your Identity: The end user enters their Windows password to verify their identity and clicks Next. [Screenshot: Security Console, Verify Your Identity page] 5. Recovery Questions: A question-and-answer-based method of authentication is provided for end users to access their Windows account if other credentials are unavailable (for example, if they forgot their password). The end user selects the Administrator's pre-defined questions (these questions were selected when policies were set up in the Remote Management Console) from the drop-down menu and then enters an
56. TE Drivers are needed if installing the encryption client. Additional drivers and software stack are required for supporting Hardware Crypto Accelerator (HCA). This includes the HCA driver and the Trusted Software Stack (TSS) for TPM. Command Line Installation: For a command line installation, the switches must be specified first. The /v switch is required and takes an argument. Other parameters go inside an argument that is passed to the /v switch. Switches: The following table details the switches available for the installation. Switch / Meaning: /v: Pass variables to the .msi inside the DDPE_XXbit_setup.exe; /a: Administrative installation; /s: Silent mode. Parameters: The following table details the parameters available for the installation. Command Line Parameters: SERVERHOSTNAME=<ServerName>, POLICYPROXYHOSTNAME=<RGKName>, MANAGEDDOMAIN=<MyDomain>, DEVICESERVERURL=<ServerName>, GKPORT=<NewGKPort>, MACHINEID=<MachineName>, RECOVERYID=<RecoveryID>, REBOOT=ReallySuppress, HIDEOVERLAYICONS=1, HIDESYSTRAYICON=1, EME=1. Component / Log File: All: /l*v [fullpath][filename].log. NOTE: Although the reboot can be suppressed, an eventual reboot is required. Encryption cannot begin until the computer has rebooted. Options: The following table details the display options that can be specified at the end of t
57. User or Common encrypted files during the uninstall process, you do not need to create an Encryption Removal Agent log file. Best Practices: 1. Back up all data. 2. To reduce decryption time, run the Windows Disk Cleanup Wizard to remove temporary files and other unneeded data. 3. Disable UAC. UAC may prevent uninstallation of the Encryption client. 4. Plan to decrypt overnight, if possible. 5. Turn off sleep mode to prevent an unattended computer from going to sleep. Decryption cannot occur on a sleeping computer. 6. Ensure that you have the correct version of the DDPE_XXbit_setup.exe file. Use the same version to uninstall as was used to install. 7. Shut down all processes and applications to minimize decryption failures because of locked files. 8. Follow your existing process for decrypting data, such as issuing a policy update. 9. Before performing a restart, run WSScan to ensure that all data is decrypted. See Use WSScan for instructions. 10. Disable all network connectivity. Otherwise, new policies may be acquired that would re-enable encryption. 11. Periodically Check Encryption Removal Agent Status. If the Encryption Removal Agent Service exists, then data decryption is still in process. Prerequisites: When using the option Encryption Removal Agent - Download Keys from Server, you must first configure the Dell Key Server and DDP Enterprise Server. See Configure Dell Key Server for instructions. The Dell Key Server is not used with the
58. Windows If the HCA card was unowned prior to recovery, then the recovery process takes ownership of the HCA and escrows the HCA Critical Data to the server. When the computer restarts, it downloads the updated HCA Critical Data to complete the recovery. It will attempt to download the HCA Critical Data on every login until it succeeds in obtaining the new data. Once this has happened, the drive's device icon should be green again in the console. After the escrow takes place, the local console requests the updated data from the server the next time anyone logs in. If recovery fails, refer to Troubleshooting HCA Recovery for assistance. Troubleshooting HCA Recovery: Check the Recovery Log File: The recovery log file is located in C:\ProgramData\Dell\Dell Data Protection\Encryption\LSARecovery.log. If you are booted into WinPE, the recovery log file path defaults to drive X:\ProgramData\Dell\Dell Data Protection\Encryption\LSARecovery.log. Drive X is in memory and will disappear after you restart the computer. If you want to have the log file to examine later, save the log file to a permanent location. When Escrow Cannot Be Completed during the WinPE Recovery (HCA): If escrow cannot be completed during the WinPE recovery, the recovery saves a new copy of the backup file to the recovery directory specified after clicking Recover. Use the extracted LSARecovery file and the following command line options t
59. YPROXYHOSTNAME=rgk.organization.com MANAGEDDOMAIN=ORGANIZATION DEVICESERVERURL=https://server.organization.com:8443/xapi/ REINSTALL=ALL EME=0 REINSTALLMODE=vemus /qn NOTE: A decrypt operation is not needed when converting External Media Edition to Enterprise Edition. Create a Custom Transform File: The DDPE_XXbit_setup.exe file provides the ability to create custom transform files. Dell Pro Support is provided for issues relating to the use of the DDPE_XXbit_setup.exe file or the extraction of the .msi file. Creating transforms requires specialized knowledge of the tool used to create the transform and of the environment in which the transform will be deployed. Dell Pro Support cannot provide support for third-party tools. Once the transform file is created, issues related to troubleshooting or deployment should be handled by your in-house subject matter expert. NOTE: Be sure to enclose a value that contains one or more special characters, such as a blank space, in escaped quotation marks. Do not run the extracted MSI. There is a high risk of installing components in the wrong order or missing an installation step. Run DDPE_XXbit_setup.exe for installation. Follow the steps below to extract the necessary client files to create a custom transform file: 1. Enter the following command to create an administrative installation package: DDPE_XXbit_setup.exe /a
60. allation settings, click Back. Click Cancel to exit the wizard. A status window displays. This may take several minutes. 13. Select Yes, I want to restart my computer now and click Finish when the InstallShield Wizard Complete dialog displays. [Screenshot: InstallShield Wizard Complete dialog] Installation of the selected products is complete. Install DDP|E Using the Command Line: Command line options are case-sensitive. Switches: The following table describes the switches that can be used with the master installer. Switch / Meaning: -y -gm2: Pre-extraction of master installer. The -y and -gm2 switches must be used together. Do not separate the switches. /S: Silent installation. /z: Pass variables to the .msi inside the DDPSetup.exe. Parameters: The following table describes the parameters that can be used with the master installer. Parameter / Description: SUPPRESSREBOOT (Silent mode): Suppresses the
61. ansparently with your cloud sync client. Before using Cloud Edition, be sure to learn about the cloud storage provider: Dropbox support at https://www.dropbox.com/help; Box support at https://support.box.com/home; OneDrive support at http://windows.microsoft.com/en-us/onedrive/onedrive-help#onedrive=other. Pre-existing Folders with Unencrypted Files: When you install DDP|CE and have pre-existing folders that are now being synced by a sync client, DDP|CE will not encrypt them. Using Windows Explorer, one person within the group that shares that folder must move the files out of the sync client's folder to a temporary location outside of the sync client's folder. When the sync client folder indicates that it has completed syncing the changes, move the files back into the original folder, or: For large content, request permission to have the Manage Folders option. Select that folder. Access a Cloud Storage Provider: Dropbox: In the system tray, click the Dropbox icon and select Dropbox.com. NOTE: If you use Chrome or Firefox to open Dropbox.com, be sure to close it after you finish working with files and folders. Even if you open another tab in the browser, the content will be encrypted. This could include email, an attachment, or uploads using the browser. Box: In the system tray, right-click the Box icon and select Open Box web site. OneDrive: In the system tray, right-click the OneD
62. ardware Crypto Accelerator (HCA). This includes the HCA driver and the Trusted Software Stack (TSS) for TPM. Drivers (C:\extracted\Drivers): The following example installs the drivers at the specified location, does not create an entry in the Control Panel Programs list, and suppresses the reboot: setup.exe /S /z"\"InstallPath=<c:\location>, ARPSYSTEMCOMPONENT=1, SUPPRESSREBOOT=1\"" Then: SED Client (C:\extracted\Security Tools): The following example installs remotely managed SED (silent installation, no reboot, log file at the specified location, no entry in the Control Panel Programs list, installed in the default location of C:\Program Files\Dell\Dell Data Protection): EMAgent_XXbit_setup.exe /s /v"CM_EDITION=1 SERVERHOST=server.organization.com SERVERPORT=8888 SECURITYSERVERHOST=securityserver.organization.com SECURITYSERVERPORT=8443 ARPSYSTEMCOMPONENT=1 /l*v SEDinstall.log /norestart /qn" Then: Advanced Authentication Client (C:\extracted\Security Tools\Authentication): The following example installs Advanced Authentication (silent installation, no reboot, log file at the specified location, installed in the default location of C:\Program Files\Dell\Dell Data Protection): DP_XXbit_setup.exe /s /v"/norestart /l*v DPinstall.log /qn" Then: Dell ControlVault (C:\extracted\UshCvReset): Dell C
63. assed to the /v switch to achieve your expected behavior. Options / Meaning: /q: No Progress dialog, restarts itself after process completion; /qb: Progress dialog with Cancel button, prompts for Restart; /qb-: Progress dialog with Cancel button, restarts itself after process completion; /qb!: Progress dialog without Cancel button, prompts for restart; /qb!-: Progress dialog without Cancel button, restarts itself after process completion; /qn: No user interface. NOTE: Do not use both /q and /qn in the same command line. Only use ! and - after /qb. Example Command Line Installation: The installation is performed using the Cloud_XXbit_setup.exe file, located in the C:\extracted\Cloud folder. NOTE: Be sure to enclose a value that contains one or more special characters, such as a blank space, in escaped quotation marks. To specify a log location other than the default location where the executable is located, provide the complete path in the command. For example, /l*v C:\Logs will create install logs in a C:\Logs folder. The following example installs Cloud Edition (silent installation, no reboot, log file at the specified location, installed in the default location of C:\Program Files\Dell\Dell Data Protection): Cloud_XXbit_setup.exe /s /v"SERVER=securityserver.organization.com /norestart /l*v Cloudinstall.log /qn" Reboot the computer and authenticate to Windows. Installation of Cloud Edition is compl
64. atus. Encryption Client Data Recovery: Prerequisites; Retrieve the Recovery Bundle; Recover Data. Troubleshooting HCA Recovery: Check the Recovery Log File; When Escrow Cannot Be Completed during the WinPE Recovery (HCA); Reset TPM Security (HCA). Recover User Access to a Computer Equipped with HCA: Self Recovery; Recover Access using Challenge Response Codes; Assisted Recovery. Configure Dell Key Server: Windows Service Instructions; Key Server Config File Instructions; Sample Configuration File; Windows Service Instructions; Remote Management Console Instructions. Section IV: SED Management and Advanced Authentication. SED Management and Advanced Authentication Installation Tasks: Best Practices; Install
65. automatic reboot after the installation completes. SERVER (UI mode): Specifies the URL of the Dell Enterprise Server or Enterprise Server VE. InstallPath (Silent mode): Specifies the path for the installation. NOTE: Although the reboot can be suppressed, an eventual reboot is required. Encryption cannot begin until the computer has rebooted. Examples of Command Line Installation: This example installs DDP|E using silent installation and installs it in the specified location of C:\Program Files\Dell\My_Directory: DDPSetup.exe -y -gm2 /S /z"\"InstallPath=C:\Program Files\Dell\My_Directory\"" This example installs DDP|E and configures it to use the specified Server: DDPSetup.exe -y -gm2 /S /z"\"SERVER=server.organization.com\"" This example suppresses rebooting at the end of an installation: DDPSetup.exe -y -gm2 /S /z"\"SUPPRESSREBOOT=1\"" Uninstallation Process: To uninstall, each product must be uninstalled separately, in a specific order. 1. Extract the child installers, following the process in Extract the Child Installers from the Master Installer. 2. When complete, go to C:\extracted to obtain each client installed on the computer. 3. Uninstall the clients in the following order: DDP|E (DDPE_xxbit_setup.exe); Security Framework (EMAgent_xxbit_setup.exe); DDP Authentication (DP_xxbit_setup.exe)
66. ay This is a policy setting that takes effect on new folders only. Enhanced Details Screen: While pressing <Ctrl><Shift>, click the Dell Data Protection | Cloud Edition system tray icon and then select Details. In addition to Files and Folders, the following display: Security: Lists the key, key type, and state. Audit: Lists modules, user ID, and event type. Information is in queue in this audit log and then sent to the server at specified intervals. The Administrator can use Compliance Reporter to create reports for auditing. See Compliance Reporter Help. Policy: Lists the policy names and values for your enterprise. To view log files, from the bottom left corner of the Details screen, click View Log. NOTE: Log files can also be found at C:\ProgramData\Dell\Dell Data Protection\Cloud Edition. If needed, Administrators can increase logging levels to aid in troubleshooting, as follows: Create or modify the registry setting HKLM\SOFTWARE\Dell\Dell Data Protection\Cloud Edition\LogVerbosity (DWORD), value 0x1f (31). By default, the logging level is set to 0xf (15). Available values: Off: 0x0 (0); Critical: 0x1 (1); Error: 0x3 (3); Warning: 0x7 (7); Information: 0xf (15); Debug: 0x1f (31). Cloud Edition Policy Settings: To view the policy setting for your enterprise: 1. Press <Ctrl><Shift>. 2. In the system tray, click the Cloud Edition icon and then select D
67. bers 4. At the confirmation for Remote Wipe, click Yes. The User Detail page lists the date the remote wipe is performed. 5. In your Dropbox for Business Administrator Console Members page, refresh the list of Team Members. The user is removed from the list. You can select the Removed Members tab to view which users have been removed. Run Reports: Reports about your Cloud Edition environment are available through Dell Compliance Reporter, a component of the Dell Enterprise Server and DDP Enterprise Server - VE. For example, you can run reports that detail the following: User activations; Applied policy on a device; Actions performed on encrypted files; Dropbox for Business file encryption status. For more information on running reports, see Compliance Reporter Help. Essential Steps: You can run reports to confirm that all internal users have completed some essential steps. For example: End users must activate Cloud Edition. If your enterprise uses Dropbox for Business, the end user must connect to it through Cloud Edition. Otherwise, you won't have the ability to use the Dropbox for Business Remote Wipe option. Provide Temporary Folder Management Rights: If users uploaded files before you installed Cloud Edition, you can provide temporary Folder Management rights to some users. 1. Set the Folder Management Enabled policy for specific endpoints to True. 2. Instruct the user to manuall
68. ce Starter GPO and click OK. [Screenshot: New GPO dialog] 4. Right-click the GPO that was created and select Edit. [Screenshot: Group Policy Management console] 5. The Group Policy Management Editor loads. Access Computer Configuration > Preferences > Windows Settings > Registry. [Screenshot: Group Policy Management Editor] 6. Right-click the Registry and select New > Registry Item. Complete the following: Action: Create; Hive: HKEY_LOCAL_MACHINE; Key Path: SOFTWARE\Dell\Dell Data Protection; Value name: Server; Value type: REG_SZ; Value data: <IP address of Server>. 7. Click OK. 8. Log out and then back into the workstation, or run gpupdate /forc
69. /cloudweb. Before deploying Cloud Edition, it is best if the target devices do not yet have Dropbox, Box, or OneDrive accounts set up. This is not essential, but it prevents problems with data ownership. Should end users decide to keep their existing accounts, they should ensure that any files that are to remain unencrypted are moved out of Dropbox, Box, or OneDrive before installing Cloud Edition. End users should be prepared to restart Windows computers after the client is installed. Cloud Edition does not interfere with the behavior of Dropbox, Box, or OneDrive. Therefore, Administrators and end users should familiarize themselves with how these applications work prior to deploying Cloud Edition. For more information, see Box support at https://support.box.com/home, Dropbox support at https://www.dropbox.com/help, or OneDrive support at http://windows.microsoft.com/en-us/onedrive/onedrive-help#onedrive=other. NOTE: IPv6 is not supported. Client Prerequisites: The installer installs these components if not already installed on the computer. Prerequisites: Microsoft Visual C++ 2010 SP1 Redistributable Package (x86 and x64); Microsoft .NET Framework 4.0 Client Profile. Cloud Sync Clients: The following table details the latest tested sync clients. Sync clients release updates fairly frequently; later released versions may work properly with DDP|CE but should be tested prior to ro
70. d and takes an argument. Other parameters go inside an argument that is passed to the /v switch. Switches: The following table details the switches available for the installation. Switch / Meaning: /v: Pass variables to the .msi inside the EMAgent_XXbit_setup.exe (required); /a: Administrative installation; /x: Uninstall mode; /s: Silent mode. Parameters: The following table details the parameters available for the installation. Log File: /l*v [fullpath][filename].log. Parameters: CM_EDITION=1 <remote management>; INSTALLDIR=<change the installation destination>; SERVERHOST=<coreserver.organization.com>; SERVERPORT=8888; SECURITYSERVERHOST=<securityserver.organization.com>; SECURITYSERVERPORT=8443; ADDLOCAL=DELL Security Tools; ARPSYSTEMCOMPONENT=1 <no entry in the Control Panel Programs list>. Options: The following table details the display options that can be specified at the end of the argument passed to the /v switch to achieve your expected behavior. Options / Meaning: /q: No Progress dialog, restarts itself after process completion; /qb: Progress dialog with Cancel button, prompts for Restart; /qb-: Progress dialog with Cancel button, restarts itself after process completion; /qb!: Progress dialog without Cancel button, prompts for restart; /qb!-: Progress dialog without Cancel button, restarts it
71. d Client (C:\extracted\Cloud): The following example installs Cloud Edition (silent installation, no reboot, log file at the specified location, installed in the default location of C:\Program Files\Dell\Dell Data Protection): Cloud_XXbit_setup.exe /s /v"SERVER=securityserver.organization.com /norestart /l*v Cloudinstall.log /qn" DDP|E Client and Advanced Authentication for Computers with HCA: NOTE: Drivers are needed for Advanced Authentication if installing on Dell hardware. These are the drivers for the various smart cards and fingerprint readers for which Dell supplies drivers. Installing these drivers should be omitted if using Advanced Authentication on non-Dell hardware, as they may interfere with other vendors' drivers. Drivers are also needed if installing the encryption client. Additional drivers and software stack are required for supporting Hardware Crypto Accelerator (HCA). This includes the HCA driver and the Trusted Software Stack (TSS) for TPM. The ControlVault driver and firmware update is installed as part of the following scenario. BIOS Configuration: Complete the instructions in DDP|HCA Pre-Installation BIOS Configuration. Then: Drivers (C:\extracted\Drivers): The following example installs the drivers at the specified location, does not create an entry in the Control Panel Programs list, and suppresses the reboot: setup.exe /S /z"\"InstallPath=<c:\locati
72. d at any time by re-launching the Setup Wizard. [Screenshot: Security Console, Choose Credentials page listing Windows Password, Fingerprints, and Contactless Card] 7. Enroll Credentials: During the process of enrolling the credentials selected in the previous step, a series of pages are presented to the end user to enroll their credentials. The actual pages shown will vary depending on the credentials selected by the end user. a. Fingerprint Enrollment: The end user enrolls their fingerprint credential on the Choose Credentials page. The end user clicks the desired finger to enroll and clicks Save. The end user may also click Skip fingerprint enrollment to bypass this page at this time. NOTE: The minimum and maximum number of fingerprints to enroll is Administrator-configured in the Remote Management Console. [Screenshot: Security Console, fingerprint enrollment page]
73. d by the client that a computer shutdown and restart is required. End users will log in to the computer through the PBA using their Windows password. The drive is now managed by the DDP Server. IMPORTANT: Dell recommends that you do not change the authentication method after Preboot Authentication has been activated (SED) or HCA policy has been set to True (HCA). If you must switch to a different authentication method, you must either: Remove all the users from the PBA and then re-enroll the users, or: Deactivate the PBA (SED) or set the HCA policy to False (HCA), change the authentication method, and then re-activate the PBA (SED) or set the HCA policy to True (HCA). SED and Advanced Authentication Deactivation and Uninstallation Tasks: These instructions detail the process of: Deactivating the PBA, which removes all PBA data from the computer and unlocks the SED key; Uninstalling the SED client software; Uninstalling the Advanced Authentication client software. Prerequisites: You must have an Administrator account to perform the uninstallation. Network connection to the DDP Server is required for PBA deactivation. The PBA must be deactivated on the computer before uninstallation. Use the same EMAgent_XXbit_setup.exe and DP_XXbit_setup.exe files to uninstall that were used to install. Deactivate the PBA: As a Dell Administrator
74. d confirms their answers The end user may also click Skip recovery questions setup to bypass this page at this time The end user clicks Next when finished NOTE After Recovery Questions have been set up this page no longer displays the Recovery Questions Instead links to the Ae enrol Recovery Questions page and Delete Recovery Questions page display Current User tech user 2 eu Security Console Dell Data Protection Security Tools Setup Authentication Encryption Verify Your Identity Y i Recovery guestions will be presented if you are unable to authenticate using a Recovery Ouestions credential like a password fingerprint or smartcard To continue without creating your Recovery guestions click the Skip link below Enroll Credentials Summary Choose your guestion Answer Choose your question Answer Confirm O Choose your question Answer Confirm M Hide Answers Skip Recovery questions setup Bask 116 Enterprise Edition Administrator Guide 6 Choose Credentials On the Choose Credentials page the end user can select which additional credentials to enroll at this time By default all credentials permitted by the Administrator and supported by the computer s hardware and software are listed on this page Disconnected peripherals are not displayed until they are reconnected The end user clicks Next to continue to enroll the selected credentials NOTE Credentials may be enrolle
75. d personal files are encrypted or e Only business files and folders are encrypted Personal files remain unencrypted For security your enterprise may have an auditing policy File names in the personal folder are logged and sent to the Dell Data Protection Server If you use business and personal Dropbox accounts do not store business files in your personal Dropbox folder Decrypting Folders in a Personal Account If a personal folder is accidentally encrypted navigate to the Cloud Edition system tray icon gt Manage Folders and deselect folders that should be unencrypted Also you can remove folders from syncing by unlinking the account or unsyncing personal folders that should remain unencrypted Enterprise Edition Administrator Guide 173 Understand the Cloud Edition System Tray Menu Items Details Screen You can use the Details screen for troubleshooting or support issues For example e Ifa user creates a folder but it s not encrypting select Details gt Files gt Folder State e Check Cloud Edition Policy Settings e View logs for troubleshooting The Details screen has a basic view and an enhanced view with additional details Basic Details Screen Click the Cloud Edition system tray icon and then click Details The upper left corner of the Details screen displays the following information Service Status Status of the Cloud Edition Service Values are Stopped Start Pending Stop Pending Running Continue Pendin
76. de Legacy HCA Computers; Requirements; Upgrade Legacy HCA Computers; DDP|HCA Pre-Installation BIOS Configuration; Reset System Password; Pre-Installation Configuration to Set Up a BitLocker PBA Partition; Set GPO on Domain Controller to Enable Entitlements; Extract the Child Installers from the Master Installer; Commonly Used Scenarios; DDP|E Client and Advanced Authentication; SED Client (including Advanced Authentication) and External Media Edition; SED Client (including Advanced Authentication), External Media Edition, and Cloud Edition; DDP|E Client and Cloud Edition; BitLocker Manager and External Media Edition; BitLocker Manager, External Media Edition, and Cloud Edition; SED Client (including Advanced Authentication), DDP|E Client, and Cloud Edition; DDP|E Client and Advanced Authentication for Computers with HCA; Section Dell Data Protection Installer Master Installer; Dell Data Protection Master Installer
77. decryption sweep is complete but all files could not be decrypted. This status means one of the following occurred: The locked files could not be scheduled for decryption because they were too big, or an error occurred while making the request to unlock them. An input/output error occurred while decrypting files. The files could not be decrypted by policy. The files are marked as should be encrypted. An error occurred during the decryption sweep. In all cases, a log file is created (if logging is configured) when LogVerbosity=2 (or higher) is set. To troubleshoot, set the log verbosity to 2 and restart the Encryption Removal Agent Service to force another decryption sweep. See How to Create an Encryption Removal Agent Log File (Optional) for instructions. Complete: The decryption sweep is complete. The Service, the executable, the driver, and the driver executable are all scheduled for deletion on the next restart. Periodically refresh the Service (highlight the Service > right-click > Refresh) to update its status. Encryption Client Data Recovery. Situations such as operating system failure or hardware failure may cause encrypted data to become inaccessible. Data recovery allows you to regain access to encrypted data on computers encrypted by DDP|E software encryption or HCA encryption. Prerequisites: A recovery bundle is needed to recover data. The bundle is a recov
78. default. For more options available for the BdeHdCfg command, see Microsoft's BdeHdCfg.exe Parameter Reference. NOTE: You may need to partition the disk manually. See Microsoft's Description of the BitLocker Drive Preparation Tool for further instructions. Before installing BitLocker Manager, turn on and activate the TPM. BitLocker Manager will take ownership of the TPM and will not require a reboot. However, if TPM ownership already exists, BitLocker Manager will begin the encryption setup process. The point is that the TPM must be owned. Set GPO on Domain Controller to Enable Entitlements. If your clients will be entitled from the factory, or you purchase licenses from the factory, follow these instructions to set the GPO on the domain controller to enable entitlements (this may not be the same server running Enterprise Edition). The workstation must be a member of the OU where the GPO is applied. NOTE: Ensure that outbound port 443 is available to communicate with the Server. If port 443 is blocked for any reason, the entitlement functionality will not work. 1. On the Domain Controller to manage the clients, click Start > Administrative Tools > Group Policy Management. 2. Right-click the OU where the policy should be applied and select Create a GPO in this domain, and Link it here. 3. Enter a name for the new GPO, select none for Sour
79. dentials is complete The end user clicks Finish to close the wizard Current User tech user 2 eu Security Console Dell Data Protection Security Tools Setup Authentication Verify Your Identity Recovery Questions Encryption You completed the Dell Data Protection Security Tools Setup Wizard Choose Credentials You successfully enrolled the following credentials Enroll Credentials Summary Windows Password Recovery Questions Fingerprints Contactless Card Enterprise Edition Administrator Guide 8 The Encryption tab displays the protection status of the computer Once provisioned encrypted the status updates to Protected Security Console Dell Data Protection Security Tools Setup Authentication Encryption Protect your data The encryption dashboard allows you to view the protection status of the computer Drive 0 Partition 0 238 47 GB 140 82 GB 000 Unprotected nn 1000 piot gore Partition 1 97 66 GB Unprotected Account tech user 2 Status is Unprotected Drive 1 Partition 0 958 8 MB 958 8 MB ESE Unprotected Enterprise Edition Administrator Guide Current User tech user 2 Disk C os 140 82 GB total 104 56 GB free 74 available Unprotected Disk D Images 97 66 GB total 88 98 GB free 91 available Unprotected Disk F 958 5 MB total 91 6 MB free 9 available Unprotected 121 122 Enterprise Edition Administrator Guide Use the Authe
80. e and after qb. Example Command Line Installation: The installation is performed using the setup.exe file located in the C:\extracted\Drivers folder. NOTE: Be sure to enclose a value that contains one or more special characters, such as a blank space, in escaped quotation marks. The following example installs the drivers at the specified location, does not create an entry in the Control Panel Programs list, and suppresses the reboot: setup.exe /S /z"\"InstallPath=<c:\location>, ARPSYSTEMCOMPONENT=1, SUPPRESSREBOOT=1\"" Section III: DDP|E Encryption Client. Encryption Client Installation Tasks. You can install the Encryption client by itself by extracting the child installer out of the master installer. If you have not extracted the individual installer yet, follow the procedure in Extract the Child Installers from the Master Installer. The Encryption client can be installed using the user interface or by command line using any push technology available to your organization. On computers equipped with a Hardware Crypto Accelerator, to use smart cards with Preboot Authentication, the following registry value must be set on the client computer: HKLM\SOFTWARE\DigitalPersona\Policies\Default\SmartCards, "MSSmartcardSupport"=dword:1. 0 or no key = Smart Card Support Off; 1 = Smart Card
81. e display options that can be specified at the end of the argument passed to the /v switch to achieve your expected behavior. Option: Meaning. /q: No Progress dialog, restarts itself after process completion. /qb: Progress dialog with Cancel button, prompts for restart. /qb-: Progress dialog with Cancel button, restarts itself after process completion. /qb!: Progress dialog without Cancel button, prompts for restart. /qb!-: Progress dialog without Cancel button, restarts itself after process completion. /qn: No user interface. NOTE: Do not use both /q and /qn in the same command line. Only use ! and - after /qb. Example Command Line Uninstallation: The uninstallation is performed using the DDPE_XXbit_setup.exe file located in the C:\extracted\Encryption folder. NOTE: Be sure to enclose a value that contains one or more special characters, such as a blank space, in escaped quotation marks. To specify a log location other than the default location where the executable is located, provide the complete path in the command. For example, /l C:\Logs will create install logs in a C:\Logs folder. Dell does not recommend using verbose logging in a command line uninstallation, as the username/password is recorded in the log file. Should you decide to use verbose logging, ensure that the log file is deleted and the recycle bin is emptied. The DA_Server URL is case sensitive. The f
82. e to apply the group policy. Extract the Child Installers from the Master Installer. To install each client individually, first extract the child executable files from the master installer. 1. From the Dell installation media, copy the master installer's DDPSetup.exe file to the local computer. 2. Open a command prompt in the same location as the DDPSetup.exe file and enter: DDPSetup.exe /z"\"EXTRACT_INSTALLERS=C:\extracted\"" The extracted child installers are located at C:\extracted\. [Screenshot: Windows Explorer view of C:\extracted showing the folders Cloud, Drivers, Encryption, Security Tools, and UshCvReset (Dell ControlVault Software Update Child Installer), and the file DellMasterInstaller.log.] Commonly Used Scenarios. To install each cli
83. e you do this or valuable data may become unprotected in the cloud or possibly deleted Question Is there a reason that DDP CE does not download unobfuscated files in a managed session Answer DDP CE transforms everything that the browser sees into xen files This includes the clear text downloads after the file has been created You should encourage end users to protect all files in a managed cloud website 178 Enterprise Edition Administrator Guide Folder Management FAQs NOTE To use the Manage Folders option you may need to request permission from your Administrator Question Thave a folder with files that I have shared with another user In the system tray I used the Cloud Edition gt Manage Folders utility to unprotect that folder s contents Recently my files have become encrypted in the cloud again That folder no longer displays in the Manage Folders utility so I can no longer get those files to become unprotected in the cloud Answer An encryption key ID is associated with a folder based on the first user who adds a file to that folder If one user creates a folder and does not add any files their key is not associated with that folder The user whose encryption key ID has been set on the folder is the only one who can view the folder in the Manage Folders utility If the user who sees the folder deselects the folder in the Manage Folders utility and they share that folder with another DDP CE user the second user
84. ecify settings for Password Manager Open Password Manager with Ctrl Win H Y Prompt to add logons for logon screens URLs and captions where the Password Manager icon is hidden Deselect to redisplay Hide URL Window Caption Restore Defaults 141 142 Enterprise Edition Administrator Guide Section VI BitLocker Manager Enterprise Edition Administrator Guide 144 Enterprise Edition Administrator Guide BitLocker Manager Installation Tasks e You can install BitLocker Manager by itself by extracting the child installer out of the master installer If you have not extracted the individual installer yet follow the procedure in Extract the Child Installers from the Master Installer BitLocker Manager can be installed by command line using any push technology available to your organization Best Practices IT best practices should be followed during deployment This includes but is not limited to controlled test environments for initial tests and staggered deployments to users Install BitLocker Manager BitLocker Manager Client locate the installer at C extracted Security Tools Use EMAgent XAbit setup exe to install BitLocker Manager using a scripted installation using batch files or any other gent_ _setup 8 8 P 8 push technology available to your organization Command Line Installation For a command line installation the switches must be specified first The v switch is require
85. eld is used the selection in the drop down box is ignored If you do not want to write WSScan output to a file clear the Output to File check box If desired change the default path and filename in Path If you do not want to overwrite any existing WSScan output files select Add to Existing File Choose your output format as follows e Select Report Format for a report style list of scanned output This is the default format e Select Value Delimited File for output that can be imported into a spreadsheet application The default delimiter is although it can be changed to up to 9 alphanumeric space or keyboard punctuation characters e Select the Quoted Values option to enclose each value in double quotation marks e Select Fixed Width File for non delimited output containing a continuous line of fixed length information about each encrypted file Click Search To stop your search click Stop Searching To clear displayed messages click Clear Enterprise Edition Administrator Guide 91 WSScan Output WSScan information about encrypted files contains the following information Example Output 2010 07 28 07 52 33 SysData 7vdlxrsb _SDENCR_ c temp Dell test log is still AES256 encrypted Output Date time stamp The date and time the file was scanned Encryption type The type of encryption used to encrypt the file SysData SDE Encryption Key User User Encryption Key Common Common Encr
86. emark of Seagate Technology LLC in the United States and or other countries Travelstar is a registered trademark of HGST Inc in the United States and other countries UNIX is a registered trademark of The Open Group VALIDITY is a trademark of Validity Sensors Inc in the United States and other countries VeriSign and other related marks are the trademarks or registered trademarks of VeriSign Inc or its affiliates or subsidiaries in the U S and other countries and licensed to Symantec Corporation KVM on IP is a registered trademark of Video Products Yahoo is a registered trademark of Yahoo Inc This product uses parts of the 7 Zip program The source code can be found at www 7 zip org Licensing is under the GNU LGPL license unRAR restrictions www 7 zip org license txt 2014 08 Protected by one or more U S Patents including Number 7665125 Number 7437752 and Number 7665118 Information in this document is subject to change without notice Contents Introduction oireena oo a te oa DON e ee o o 11 REQUIFESMBENTS 225 cs oor sno ote AI eee ee eet Stee 13 Encryption Ghent a eae edhe ae Rae oe 13 SED CHICANE se sais 8 ache trade ete LEAS evo ae 17 Advanced Authentication Client 19 BitLocker Manager Client iaa tad poh A eee 21 Cloud Edition GNOME Le Me i cade ne arta rea cda e 22 Interoperability socias lit 25 Pre Installation Configuration to Enable DDP HCA 21 Upgra
87. ent individually the child executable files must first be extracted from the master installer as shown in Extract the Child Installers from the Master Installer The default location of log files is CAProgramData Dell Dell Data Protection If your computer has DDP JA installed now or has had it installed in the past be sure to follow the steps in Interoperability before you continue The computer restart has been suppressed in these examples but is eventually required for completion of the installation process You will be securing access to this computer using advanced authentication credentials that are managed and enrolled using Dell Data Protection Security Tools DDP ST is now the primary manager of your authentication credentials for Windows Sign in including Windows password fingerprints and smart cards Picture password PIN and fingerprint credentials enrolled using the Microsoft Operating System will not be recognized at Windows Sign in To continue using the Microsoft Operating System to manage your credentials uninstall DDP ST If the computer targeted for encryption is equipped with a Hardware Crypto Accelerator or a self encrypting drive ensure that the Active Directory option User Must Change Password at Next Logon is disabled Preboot Authentication does not support this Active Directory option Dell recommends that you do not change the authentication method after Preboot Authentication has been activated SED or
88. er 3 In Windows Explorer you can use the sync client to create folders and upload files NOTE You can upload files using the browser However the best practice is to upload files through the sync client in Windows Explorer For more information see Sync Folders Enterprise Edition Administrator Guide 169 Authenticate Dropbox for Business If you install Dropbox for Business Cloud Edition prompts for authentication 1 After you install Cloud Edition an Authentication window may open or click the Cloud Edition icon and then select Dropbox gt Connect The Authentication window notifies you that Cloud Edition must have access to your Dropbox account and may give instructions about business and personal accounts At the Authentication window click Next If a Network Threat Protection window opens click Yes In the Authentication window enter your domain email and Dropbox password oa BR N If you have linked your Dropbox business and personal accounts you will be prompted to select one now You must select your business account o At the next window click Allow 7 Click Finish or wait for the window to close Sync Folders Select the instructions for one sync client Dropbox for Business To sync folders 1 In the system tray click the Dropbox for Business icon Click the Settings icon and select Preferences Click the Account tab then click Selective Sync Select only folders or subfolders that you will s
89. er is v7 7 or later DDPE XXbit setup exe s v EME 1 SERVERHOSTNAME server organization com POLICY PROXYHOSTNAME rgk organization com DEVICESERVERURL https server organization com 8443 xapi MANAGEDDOMAIN ORGANIZATION norestart 1 v EMEinstall log qn T Then Cloud Client C extracted Cloud The following example installs Cloud Edition silent installation no reboot log file at the specified location installed in the default location of C Program Files Dell Dell Data Protection Cloud XXbit setup exe s v SERVER securityserver organization com norestart 1 v Cloudinstall log qn SED Client including Advanced Authentication DDP E Client and Cloud Edition See Cloud Edition Activation and User Experience to learn how to use Cloud Edition See Configure Credentials in the Security Console and Use the Authentication Applications to learn how to use the features of Advanced Authentication NOTE Drivers are needed for Advanced Authentication if installing on Dell hardware These are the drivers for the various smart cards and fingerprint readers for which Dell supplies drivers Installing these drivers should be omitted if using Advanced Authentication on non Dell hardware as they may interfere with other vendor s drivers Drivers are also needed if installing the encryption client Additional drivers and software stack are required for supporting H
90. erprint readers and smart cards are located in the client installation package Other hardware vendors may require their own drivers Fingerprint and Smart Card Readers e Validity VFS495 in Secure Mode e Broadcom ControlVault Swipe Reader e UPEK TCS FIPS 201 Secure Reader 1 6 3 379 e Authentec Eikon and Eikon To Go USB Readers Enterprise Edition Administrator Guide 19 Smart Cards e PKCS 11 Smart Cards using the Actividentity client NOTE The Actividentity client is not pre loaded and must be installed separately e CSP Cards e Common Access Cards CACs NOTE With CACs that have more than one certificate at logon the user selects the correct certificate from a list Contactless Cards Contactless Cards using Contactless Card Readers built in to Dell laptops Operating Systems The following table details supported operating systems Windows Operating Systems 32 and 64 bit e Microsoft Windows 7 SP0 SP1 Enterprise Professional Ultimate e Microsoft Windows 8 Enterprise Pro e Microsoft Windows 8 1 Windows 8 1 Update 1 Enterprise Edition Pro Edition Language Support The Advanced Authentication client is Multilingual User Interface MUI compliant and supports the following languages Language Support e KO Korean e ZH CN Chinese Simplified EN English e FR French e IT Italian e DE German e ZH TW Chinese
91. erver Configuration Tool, on the Settings tab, check the box for Disable Trust Chain Check. Save your changes and close the Server Configuration Tool. On the client computer, add the following registry entry: HKLM\System\CurrentControlSet\Services\CredMgmtAgent\Parameters, DisableSSLCertTrust = DWORD (32-bit) Value 1. NOTE: Disabling trust validation lessens security, but allows you to use a self-signed certificate for pilots, POCs, etc. Dell does not recommend the use of self-signed certificates for a production environment. Manager SSL trust validation is now turned off. DDP Enterprise Server VE: If a self-signed certificate is used on VE for SED or BitLocker Manager, SSL trust validation must be disabled on the client computer. On the VE Server, SSL trust validation is disabled by default. On the client computer, add the following registry entry: HKLM\System\CurrentControlSet\Services\CredMgmtAgent\Parameters, DisableSSLCertTrust = DWORD (32-bit) Value 1. NOTE: Disabling trust validation lessens security, but allows you to use a self-signed certificate for pilots, POCs, etc. Dell does not recommend the use of self-signed certificates for a production environment. Manager SSL trust validation is now turned off. Section VII: Cloud Edition. Cloud Edition Insta
92. erver is pre v7 7 DDPE XXbit setup exe s v SERVERHOSTNAME server organization com POLICYPROXYHOSTNAME rgk organization com MANAGEDDOMAIN ORGANIZATION DEVICESERVERURL https server organization com 8081 xapi 1 v Shieldinstall log qn If your DDP Server is v7 7 or later DDPE XXbit setup exe s v SERVERHOSTNAME server organization com POLICY PROXYHOSTNAMEF rgk organization com MANAGEDDOMAIN ORGANI ZATION DEVICESERVERURL https server organization com 8443 xapi l v Shieldinstall log qn e The following example installs the encryption client Encrypt for Sharing and CREDActivate hides the DDP E system tray icon hides the overlay icons no dialogue no progress bar suppresses restart installed in the default location of C Program Files Dell Dell Data Protection If your DDP Server is pre v7 7 DDPE XXbit setup exe s v SERVERHOSTNAME server organization com POLICYPROXYHOSTNAME rgk organization com MANAGEDDOMAIN ORGANI ZATION DEVICESERVERURL https server organization com 8081 xapi HIDESYSTRAYICON 1 HIDEOVERLAYICONS 1 REBOOT ReallySuppress qn T If your DDP Server is v7 7 or later DDPE XXbit setup exe s v SERVERHOSTNAME server organization com POLICYPROXYHOSTNAME rgk organization com MANAGEDDOMAIN ORGANIZATION DEVICESERVERURL https server organization com 8443 xapi HIDESYSTRAYI
93. ery program that must be run with Administrative rights on the drive that it is recovering. In Windows XP, the user account under which the recovery program is run must at least be a member of the Administrator Group. In Windows 7, Windows 8, and Windows 8.1, the recovery program must be Run as Administrator. If the target computer is not bootable, data recovery must be performed on the computer booted into a pre-installed environment or a slaved drive. Instructions to create pre-installed environments are located in the Dell installation media in Windows Recovery Kit. Several sets of instructions are included for HCA, SED, and File/Folder Encryption (FFE). Once you have created your pre-installed environment and followed all instructions, return to this document. Retrieve the Recovery Bundle: To perform data recovery, a recovery program containing the disk's encryption keys must first be retrieved from the Remote Management Console. 1. As a Dell Administrator, log in to the Remote Management Console. 2. In the left pane, click Actions > Recover Endpoint. 3. Select the appropriate Endpoint Type. 4. Enter the fully qualified Host Name of the computer, such as username organization com. You can find the Host Name on the Endpoint Detail page in the Endpoint Detail section. It is listed as the Unique ID. 5. Click Download. 6. When prompted, create a Recovery Password for this computer and click Save. 7. When prompted, save the file
94. estare 126 Backup Data Cie Latin ee Sk ee e Be A rene 127 Restore Data sn stunt RA ne Oe ans 2 eels 129 Password Manager 131 Website and Application Logon Training 131 Add LogoM erineda oies soute Aen ae Leona de ua he eae he BASES 132 Icon Context Menu 4 4 EE AE AEE A AS Re RAT Bee 2 eo a 134 Web Domain Support 135 Enterprise Edition Administrator Guide Section VI Section VII Logging on to Trained Logon Screens 135 Filling in with Windows Credentials 136 Use DId PaSSWordi1482 Arbi o s nat 137 Password Change 5 iia has ao ks ain c ARS ns 138 Password Manager Page 139 Settings Pages sue dm due mens as nb eme be Nek ae oe es 141 BitLocker Manager a 34424 hate dass tnt ee 143 BitLocker Manager Installation Tasks 145 Best PractCes ss lt 3 03h sek CREME AR RNA a o a SS ET 145 Install BitLocker Manager 145 Command Line Installation 145 BitLocker Manager Uninstallation Tasks 147 PREREQUISITES ista A iio A Dado dy Mn des 147 Uninstall BitLocker Manager 147 Command Line Uninstallation 147 BitLocker Mana
95. etails 3 Click the Policy tab 4 Look at the Value column for the Cloud Storage Protection Enabled policy True the client encrypts and protects all files and folders e False the client encrypts and protects all files and folders in the business account but the user can create a personal folder in which the contents are not encrypted When set to False the system displays a message each time the user logs in or reboots reminding them not to add business files to a personal folder since those files won t be protected Cloud Edition Manage Folders Menu Based on policy your Administrator grants access to this screen This feature is allowed or denied by policy and enables the management of encryption on a folder by folder basis within the sync client folders To access the Manage Folders screen click the Cloud Edition system tray icon and select Manage Folders If this feature is not enabled by policy Manage Folders does not display in the menu Additionally when the policy is enabled the menu item does not display until the end user has created a folder added files and those files are encrypted up to the cloud A hierarchical view of cloud synchronized folders on the computer displays for each sync client All folders are selected by default although the end user can clear folders they do not want to encrypt Enterprise Edition Administrator Guide 175 Using Cloud Edition with iOS or Android This section describes basic infor
96. ete Notify End Users Cloud Edition users must perform the following tasks in order for files and folders in their cloud sync clients to be protected e Activate Cloud Edition Download a cloud storage provider If your enterprise has a provider preference specify that If your enterprise uses Dropbox for Business provide users with a link for downloading and installing it NOTE Dropbox for Business users must connect to Dropbox for Business through Cloud Edition Also if your enterprise has previously blocked access to cloud storage you will need to change that setting Activate Cloud Edition and Install a Cloud Sync Client For information about Cloud Edition user tasks see Cloud Edition Activation and User Experience 162 Enterprise Edition Administrator Guide Cloud Edition Uninstallation Tasks If an end user has a local Administrator account they can uninstall Cloud Edition themselves See Cloud Edition User Guide This section describes the Administrator process for uninstalling Cloud Edition These instructions detail the process of e Removing protected files e Uninstalling Cloud Edition client software Prerequisites e You must have a local or domain Administrator account to perform the uninstallation e Use the same Cloud XXbit setup exe file to uninstall that was used to install Remove Protected Files All encrypted documents on the device must be removed locally Choose one of the following methods to rem
97. ew folder locally and added some files The sync client appears to be working but nothing has been created in the cloud Answer The Box sync client may require some time to collect information about new folders and files The process can take several minutes compared to other sync clients Be sure to wait for several minutes for the sync client to complete before creating new folders and files Question I am using the Box sync client I ran out of room on my primary partition so I moved it to another drive Now the My Box Files folder has one or more folders created and named New Folder Answer Currently when files are being synced between two machines to the same file share if one person moves that folder to another location then any new folders that other people create in that file share will create an empty folder named New Folder Solution Delete the New Folder directly from the cloud It will be removed from all systems that are sharing that folder 180 Enterprise Edition Administrator Guide Miscellaneous FAOs Question I moved the cloud provider s sync folder to Program Files and now I cannot decrypt the files that are being downloaded to my sync folder from the cloud Answer By design the Program Files folder or other excluded folders are unprotected based on policy DDP CE will not decrypt any files downloaded to this folder or its subfolders Solution Unlink or uninstall the syne client and move the s
98. field labels by clicking on the item in the fe ds list Add Logon to Password Manager More Fields Selectthe fields that are required for logon emt Y Password Stay signed in Enterprise Edition Administrator Guide 133 e For logon to applications Submit changes A drop down list of available options displays e When saving the entered logon data the end user is required to authenticate according to the Session Authentication policy in force configured in the Remote Management Console e The Add logon dialog box can also be launched by clicking the Password Manager icon on the white arrow of the blue circle and selecting the first menu item Fill in logon data Edit logon Add logon Open Password Manager Help Icon Context Menu The context menu displays the following options e Add lt domain gt to Password Manager launches the Add logon dialog e Open Password Manager launches the Password Manager page in the Security Console e Icon Settings Allows the end user to configure the display of the Password Manager icon on trainable logon pages NOTE The xc ude this screen option is not reversible for the specific logon screen for the current user The Prompt to add or Do not prompt to add options can be changed on the Settings page of the Password Manager application e Once trained the web or application logon displays in Password Manager p
99. for Business Register in Remote Management Console: Only one Dropbox for Business Administrator needs to register. 1. In the Remote Management Console, select Settings in the left pane. 2. Click the Cloud tab. 3. Click Register. The browser opens to the Dropbox for Business site. If prompted, log in to Dropbox with your Dropbox for Business Administrator account. To allow access to Cloud Edition, click Allow. A confirmation page displays to indicate Dropbox authorization is granted to the DDP Enterprise Server VE. 6. In the Remote Management Console, return to Settings > Cloud and refresh the page. The Administrator name displays. NOTE: Generally, the best practice is not to de-register. However, to withdraw the privileges of the Dropbox for Business Administrator for removing team members from the Dropbox for Business team, click De-register. Remote Wipe a Team Member Account. NOTE: The Remote Wipe option is available only for enrolled Dropbox for Business team member accounts. If the Remote Wipe option does not display for a user account, the user has not enrolled a Dropbox for Business account. 1. In the Remote Management Console, select Users in the left pane. 2. Access the User Detail page. In the Command column, click Remote Wipe. The remote wipe is performed. NOTE: Before you select Remote Wipe, you must back up any files or folders from the team member account that might be needed by the enterprise or other Dropbox for Business team mem
100. g Pause Pending Paused. Run State: The device activation state. Values are Active, Reactivating, Suspended, Suspending. User Mode: Internal user, a user within this domain address; External user, a user outside of this domain address. Registration Email: For Internal users, this is the domain email address. For External users, this is the email they registered under. Server URL: DDP Server that communicates with this client. Policy Last Modified: Date and timestamp of when the policy was last modified and consumed by the client. Policy Version: Policy version generated by the DDP Server. The Files and Folders areas of the Details screen display the following information. Name: Name of the file or folder. Key: Key ID assigned to that folder; new files use that key for encryption. Sync Client: The last sync client to sync that folder (Dropbox, Box, or OneDrive). FolderOwnership: This value indicates who the folder is owned by. Value is determined by the Key ID. FolderState: The folder state is typically d e unless a sync client is working on a folder, in which case it would be Enumerating. Obfuscation Type: A set on each folder indicating what type of xen files will be created in the cloud. This is a policy set by your Administrator. If your Administrator selects Extension only, the actual filename with the xen extension will be displayed. If your Administrator selects Guid, a scrambled filename with the xen extension will displ
101. ge Secure Boot UEFI to Legacy Boot Mode in BIOS prior to client installation. Windows 8.1 should not be installed on drive 1 on HCA-enabled computers. This operating system configuration is not supported because Windows 8.1 creates a recovery partition on drive 0, which in turn breaks Preboot Authentication. Instead, either install Windows 8.1 on the drive configured as drive 0 or restore Windows 8.1 as an image to any of the drives. Non-UEFI computers can have up to four primary partitions. When the PBA is installed on a client computer, it needs to create and use one of the four partitions for the startup partition, also called the Preboot Authentication (PBA) partition. If all four partitions are already in use on a client computer, then the HCA card will fail to activate on it. Before configuring Preboot Authentication (PBA) on a computer equipped with an HCA card, ensure that the computer has a network connection to the DDP Server. HCA features for v8.3 and later do not support RAID configuration. Legacy HCA features (pre-v8.3) can be configured using RAID. Client Prerequisites: The installer installs these components if not already installed on the computer. Prerequisites: Microsoft Visual C++ 2012 Update 3 or later Redistributable Package (x86 and x64); Microsoft SQL Server Compact 3.5 SP2 (x86 and x64); Microsoft .NET Framework v4.0. BEST PRACTICE: Potential installation problems can be avoided if Microsoft NET Framewor
102. ger Recovery; Recover Data; How to Turn Off Manager SSL Trust Validation; Cloud Edition; Cloud Edition Installation Tasks; DDP Server Tasks; Configure DDP Enterprise Server VE for Cloud Edition; Configure Dell Enterprise Server for Cloud Edition; Allow Deny Users on Whitelist Blacklist; Use Dropbox for Business; R Reports; Provide Temporary Folder Management Rights; Update Cloud Edition Policy; Client Tasks; Before Installing; Best Practices; Install Cloud Edition; Notify End Users; Activate Cloud Edition and Install a Cloud Sync Client; Cloud Edition Uninstallation Tasks; Prerequisites; Remove Protected Files; Dropbox; Box; OneDrive; Uninstall Cl
103. gers are Recovery Questions v enrolled Choose Credentials v Enroll Credentials Select a finger to begin the enrollment process Summary It is required that you enroll a minimum of two fingerprints ozs D X Skip fingerprint enrollment Back The number of swipes needed to complete fingerprint enrollment depends on the quality of the fingerprint scan The end user clicks Save when finished with each finger Current User tech user 2 eu Security Console Dell Data Protection Security Tools Setup Authentication Encryption Verify Your Identit y i y Enroll your right index fingerprint Recovery Questions Enrolling a fingerprint means you are creating a composite image of your fingerprint Deriving Choose Credentials the composite image requires several good swipes Enroll Credentials Summary Scan your right index finger until enrollment is complete Skip fingerprint enrollment Enterprise Edition Administrator Guide To delete an enrolled fingerprint click the highlighted fingerprint A confirmation dialog displays which ensures that the end user intends to delete the fingerprint The end user clicks Save when finished Current User tech user 2 7 0X eu Security Console Dell Data Protection Security Tools Setup Authentication Encryption Enrollment Status Fingerprints Windows Password x Fingerprints provide a secure and convenient way to verify your identity Hig
104. gle Play are either trademarks or registered trademarks of Google Inc. in the United States and other countries. Apple, Aperture, App Store, Apple Remote Desktop, Apple TV, Boot Camp, FileVault, iCloud, iPad, iPhone, iPhoto, iTunes Music Store, Macintosh, Safari, and Siri are either servicemarks, trademarks, or registered trademarks of Apple Inc. in the United States and/or other countries. GO ID, RSA, and SecurID are registered trademarks of EMC Corporation. EnCase and Guidance Software are either trademarks or registered trademarks of Guidance Software. Entrust is a registered trademark of Entrust Inc. in the United States and other countries. InstallShield is a registered trademark of Flexera Software in the United States, China, European Community, Hong Kong, Japan, Taiwan, and United Kingdom. Micron and RealSSD are registered trademarks of Micron Technology Inc. in the United States and other countries. Mozilla Firefox is a registered trademark of Mozilla Foundation in the United States and/or other countries. iOS is a trademark or registered trademark of Cisco Systems Inc. in the United States and certain other countries and is used under license. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. SAMSUNG is a trademark of SAMSUNG in the United States or other countries. Seagate is a registered trad
105. hare. Click Update. On the Update confirmation dialog, click OK. On the Dropbox Preferences window, click OK. A pop-up displays in the system tray that folders are being synced. Box: To sync folders: 1. In the system tray, right-click the Box icon and select Open Box web site. In the cloud, right-click a folder and select Sync Folder to Computer. In the Sync folder window, click Sync Folder. The system tray icon indicates settings are being applied. This may take several minutes. When complete, navigate to Windows Explorer > Box Sync. The synced folders display with a check mark. OneDrive: To sync folders: 1. In the system tray, right-click the OneDrive icon and click Settings. Select the Choose Folders tab and then click Choose Folders. Next, select Choose folders to sync. A list of folders displays. Select or clear check boxes to sync those folders. Click OK. Click OK. The system tray icon indicates settings are being applied. This may take several minutes. When complete, navigate to Windows Explorer > OneDrive. The synced folders display with a check mark. Work with Folders and Files: You can continue to use Dropbox, Box, or OneDrive to sync and continue working on files as you normally would. Depending on policy settings, when files are synced into the cloud, they are encrypted. Cloud Storage Provider Help: Cloud Edition works tr
106. hat was used when creating the PBA user. Thus, if you used the format username@domain.com, you must enter username@domain.com for the Username. 10. Respond to the Question and Answer prompts. Click the blue arrow. 11. Click OK when the Legal Notice screen displays. Windows now launches and the computer can be used as usual. How to Create a PBA Log File for Troubleshooting: There may be cases when a PBA log file is needed for troubleshooting PBA issues, such as: You are unable to see the network connection icon, yet you know there is network connectivity. The log file contains DHCP information to track down the issue. You are unable to see the Server connection icon. The log file contains information to help diagnose Server connectivity issues. Authentication fails even when entering correct credentials. The log file used with the Server logs can help diagnose the issue. Follow these steps to capture logs when booting into the PBA: 1. Create a folder on a USB drive and name it CredantSED at the root level of the USB drive. 2. Create a file named actions.txt and place it in the CredantSED folder. 3. In actions.txt, add the line: get environment 4. Save and close the file. NOTE: Do not insert the USB drive when the computer is powered down. If the USB drive is already inserted during the shutdown state, remove the USB drive. 5. Power on the computer and log in to the PB
107. he Recover SED User Access area, enter the Host Name of the computer to recover. Enter the Host Name as a fully qualified host name. You can find the Host Name on the Endpoint Detail page in the Endpoint Detail section. It is listed as the Unique ID. Click Search. When the host is found, select the user name from the list. Enter the challenge code obtained from the endpoint and click Generate Response. Instruct the user to enter the response code on his computer. Assisted Recovery: Assisted recovery will be needed if you need to bypass the PBA login for any reason. Prerequisites: When contacting Dell Support for recovery assistance, ensure that the following prerequisites are met: Ensure that you have physical access to the drive to be recovered. Ensure that you have the recovery keys. Your recovery keys are saved on a network drive or on removable media. Log on to www.dell.com/support > Endpoint Security Solutions and enter the Dell service tag number, which is located on the bottom of the computer. After entering the service tag number, follow the instructions to contact Dell Support for recovery assistance and to obtain the necessary files. Configure Dell Key Server: This section explains how to configure components for use with Kerberos Authentication/Authorization when using a DDP Enterprise Server. The DDP Enterprise Server VE does not use the Key Server. Dell Key Server is a Se
108. he argument passed to the v switch to achieve your expected behavior Option Meaning q No Progress dialog restarts itself after process completion qb Progress dialog with Cancel button prompts for restart qb Progress dialog with Cancel button restarts itself after process completion qb Progress dialog without Cancel button prompts for restart qb Progress dialog without Cancel button restarts itself after process completion qn No user interface NOTE Do not use both q and qn in the same command line Only use and after gb 68 Enterprise Edition Administrator Guide Example Command Line Installation e The installation is performed using the DDPE_XXbit_setup exe file located in the C lextracted Encryption folder NOTE Be sure to enclose a value that contains one or more special characters such as a blank space in escaped quotation marks To specify a log location other than the default location where the executable is located provide the complete path in the command For example I v CALogs will create install logs in a C Logs folder The Dell Device Server URL is case sensitive The following example installs the client with default parameters encryption client Encrypt for Sharing CREDActivate no dialogue no progress bar automatic restart logs at the specified location installed in the default location of C Program Files Dell Dell Data Protection If your DDP S
109. he only parameter needed in the command line is the Dell Device Server's URL. If the recovery is occurring on a computer equipped with an HCA card, as the recovery runs, it escrows the new HCA Critical Data back to the Dell Device Server. NOTE: If the HCA card is already owned, no escrow step is performed unless recovery generates new data. A dialog displays prompting you to select the scenario that best describes your problem. 3. Select the appropriate option: For SDE Recovery, select "My system fails to boot and displays a message asking me to perform SDE recovery" and click Next. For HCA Decryption, select "I want to decrypt my HCA encrypted drive" and click Next. For HCA Recovery, select "I want to restore access to my HCA encrypted drive" and click Next. 4. Click Next when the Backup Recovery Information screen displays. Select the disk to decrypt or recover and click Next. Enter the recovery password. This is the recovery password defined when the recovery bundle was retrieved from the Remote Management Console. A dialog displays notifying you of the disk that is being recovered. 7. Click Recover. A dialog displays notifying you that recovery was completed successfully. Click Finish. Restart the computer when prompted and log in to Windows. HCA NOTES: At the end of an HCA decryption process, if an HCA card is detected, the HCA recovery process changes the boot order of the disk, bypassing the PBA so that the system boots directly to
110. hlighted fingers are enrolled Recovery Questions Fingerprints Select a finger to begin the enrollment process aa Select a highlighted finger to delete the enrollment associated with that finger ards It is required that you enroll a minimum of two fingerprints Enterprise Edition Administrator Guide 119 120 b Card Enrollment To set up a built in contactless card place the card very close to the reader Once the contactless card communicates with the reader the end user is prompted to verify their identity The end user enters their Windows password and clicks Authenticate If authenticating with a CAC that has more than one certificate the user selects the correct certificate from a list The end user is prompted to Save the credential information after authentication of the card Current User tech user 2 7 0 X eu Security Console Dell Data Protection Security Tools Setup Current User tech user 2 ar eu Security Console Dell Data Protection Security Tools Recove Choose Enroll C Summa Verify Your Identity Recovery Questions Choose Credentials Enroll Credentials Summary c Enrollment summary Setup Authentication Encryption Verify your identity with Windows password This prevents other users from setting up Dell Data Protection Security Tools under your account Skip card setup A summary of the credentials enrolled is shown after enrollment of required cre
111. hout Cancel button restarts itself after process completion; qn No user interface. NOTE: Do not use both q and qn in the same command line. Only use and after qb. Example Command Line Uninstallation. NOTE: Be sure to enclose a value that contains one or more special characters, such as a blank space, in escaped quotation marks. To specify a log location other than the default location where the executable is located, provide the complete path in the command. For example I C Logs will create install logs in a CALogs folder. EMAgent XXbit setup exe x s v l Uninstall log qn Shut down and restart the computer. Then: DP XXbit setup exe x s v 1 DPuninstall log qn Then: Dell CV SW Update xXX exe x s v l CVuninstall log qn Reboot the computer. The SED client and Advanced Authentication clients are uninstalled. SED and OS Recovery. Self Recovery, OS Logon: This workflow enables an end user to log on with provisioned recovery questions. Once the end user's recovery questions have been set up, and if the Allow recovery questions for Windows logon setting is allowed by policy, then the option to use the recovery questions for Windows logon is available from the Windows Start screen. 1. The end user clicks Can't access your account to use the Recovery
112. icator is shown below the password field in the dialog. The indicator bar changes from red (weak) to yellow (medium) to green (strong). To accommodate color blindness, the length of the strength bar grows as the password becomes stronger. A message is shown to alert the end user of the password strength. Because this is training an existing logon, the end user can only create a stronger password by going to the change password screen of the website or application. NOTE: If there are several editable fields on the logon screen, the software may not choose the desired editable fields automatically. To specify which fields to include, the end user can click the More fields button. The More Fields dialog box is displayed and the end user can specify the desired fields. When the end user navigates to a field in the More Fields dialog, the corresponding field on the logon screen is highlighted. [Screenshot: Add logon dialog. Account Name: accounts google com. Account information: The following logon fields for this website or program have been detected. Type the information that you want Dell Data Protection Security Tools to fill in automatically. Email: name gmail com. Password. Password Strength: For strong password it is recommended to have a length of at least 8 characters and mix of 2 characters from each group: Alphabet, Number and Symbol. Submit account data.] An end user can edit
113. ick the Box icon and select Open Box web site. In the Box web site, right-click a file or folder and select Synced > Unsync. In the Disable Sync window, click Unsync Folder. The system tray icon indicates settings are being applied. This may take several minutes. When complete, navigate to Windows Explorer > Box. If any files or folders were not removed, manually delete them. OneDrive: 1. In the system tray, right-click the OneDrive icon and click Settings. Select the Choose Folders tab and then click Choose Folders. Then select Choose folders to sync. When the list of folders displays, clear the check boxes to remove syncing and click OK. Click OK. The system tray icon indicates settings are being applied. This may take several minutes. When complete, navigate to Windows Explorer > OneDrive. If any files or folders were not removed, manually delete them. Uninstall Cloud Edition. Command Line Uninstallation: For a command line uninstallation, the switches must be specified first. The /v switch is required and takes an argument. Other parameters go inside an argument that is passed to the /v switch. Switches: The following table details the switches available for the uninstallation. Switch: Meaning. /v: Pass variables to the msi inside the Cloud XXbit setup exe (required). /a: Administrative installation. /x: Uninstall mode. /s: Silent mode. Parameters: The following table details the
114. iles are still being protected by DDP CE even though that sync client is no longer there. Solution: To remove the old sync client option from the Manage Folders utility, delete the folder that houses those protected files. The best practice is to move any wanted folders/files out of the default Sync folder prior to deleting it. After you remove it, that file or folder is no longer listed in the Folder Management utility. Dropbox FAQs. Question: My Dropbox account has many conflicted files. When I delete them from the cloud, they keep being created. Answer: Sometimes when a folder has already been shared and then multiple Cloud Edition accounts are activated at the same time, these files are seen as being created at the same time. In an effort to preserve the original, Dropbox will create multiple files of the same name and type and place them into the cloud. Therefore, Cloud Edition will allow all the files to be created without interfering. Solution: 1. Everyone who is sharing that file must collaborate on deselecting that folder for sync from the Dropbox application. See Dropbox for Business. 2. After all the files and the folder have been removed from each local machine, one person must access the cloud and delete the duplicate files. Then each person can use the selective sync to re-add the folder to be synced. Box Sync Client FAQs. Question: I am using the Box sync client. I created a n
115. ion SDE: SDE policies encrypt the System Drive, the Fixed Drives, or both, depending on the policy template chosen. SDE policies do not encrypt the files needed by the operating system to start the boot process. SDE policies do not require preboot authentication or interfere with the Master Boot Record in any way. When the computer starts, the encrypted files are available before user login to enable patch management, SMS, backup, and recovery tools. SDE is designed to encrypt the operating system and program files. In order to accomplish this purpose, SDE must be able to open its key while the operating system is booting, without intervention of a password by the user. Its intent is to prevent alteration or offline attacks on the operating system by an attacker. SDE is not intended for user data. Common and User key encryption are intended for sensitive user data because they require a user password in order to unlock encryption keys. Trusted Platform Module (TPM): TPM is a security chip with three major functions: secure storage, measurement, and attestation. DDP E uses TPM for its secure storage function. The TPM can also provide encrypted containers for the DDP E software vault and to protect the DDP E HCA encryption key. Dell recommends provisioning the TPM. The TPM is required for use with DDP E HCA. User Encryption: The User key makes files accessible only to the user who created them, only on the device where they were created.
116. ironment must have network connectivity to the Dell Device Server. Establish HCA Card Ownership: When the HCA card is already owned, the recovery process can still be successful. The recovery process will try to use the existing backup of the HCA Critical Data and password to establish and maintain the HCA ownership of an already owned HCA card. If this attempt fails, then the recovery operation fails. When it fails, reboot and clear the HCA card's ownership. When Installing an HCA Card from Another Computer, you must clear HCA ownership on the swapped HCA card and establish new ownership. Since the HCA card from the other computer was previously owned, recovery cannot succeed until the HCA owner is cleared in the BIOS. See DDP HCA Pre-Installation BIOS Configuration for instructions on clearing HCA ownership. CAUTION: Drives encrypted by HCA will become inaccessible if ownership is cleared. The user will need to perform an HCA recovery or an HCA decrypt in order to restore access. Set up a System Password (Legacy HCA only): Recovery of a computer equipped with legacy HCA requires a system password to be validated prior to recovery. If no system password is set, you will be prompted to go into the BIOS and set up a password. See DDP HCA Pre-Installation BIOS Configuration for instructions on setting up the system password. Extract the Recovery File (optional): Running the recovery program at the command line with parameters gives you a litt
117. ition Administrator Guide 43 Cloud Client C extracted Cloud The following example installs Cloud Edition silent installation no reboot log file at the specified location installed in the default location of C Program Files DellDell Data Protection Cloud XXbit setup exe s v SERVER securityserver organization com norestart 1 w Cloudinstall log qn DDPJE Client and Cloud Edition See Cloud Edition Activation and User Experience to learn how to use Cloud Edition NOTE Drivers are needed for Advanced Authentication if installing on Dell hardware These are the drivers for the various smart cards and fingerprint readers for which Dell supplies drivers Installing these drivers should be omitted if using Advanced Authentication on non Dell hardware as they may interfere with other vendor s drivers Drivers are also needed if installing the encryption client Additional drivers and software stack are required for supporting Hardware Crypto Accelerator HCA This includes the HCA driver and the Trusted Software Stack TSS for TPM Drivers C extracted Drivers The following example installs the drivers at the specified location does not create an entry in the Control Panel Programs list and suppresses the reboot setup exe S z InstallPath lt c location gt ARPSYSTEMCOMPONENT 1 SUPPRESSREBOOT 1 Then DDPJE Encryption Client C extracted Encryption The following example i
118. k is installed on the target computer prior to client installation Enterprise Edition Administrator Guide 13 Hardware Requirements The following table details supported hardware Windows Hardware e Intel Pentium class or AMD processor e 512 MB 1GB RAM e 110 MB of free disk space plus 250 MB free space in Preboot Authentication partition Optional Embedded Hardware e Trusted Platform Module TPM chipset with TCG Software Stack TSS version 1 2 1 42 NOTE TSS is a component that interfaces with the Trusted Platform Module TPM To find the TSS version go to default location C Program Files Dell Dell Data Protection Drivers TSS bin gt tesd_win32 exe Right click the file and select Properties Verify the file version on the Details tab e Dell Data Protection Hardware Crypto Accelerator NOTE Enterprise PBA is supported on Microsoft Windows 7 Microsoft Windows 8 and Microsoft Windows 8 1 on Dell X5 and X4 computers model numbers listed below Legacy PBA is not supported on Microsoft Windows 8 or Microsoft Windows 8 1 Legacy PBA is supported on Microsoft Windows 7 only on Dell X4 computers model numbers listed below Model Name Enterprise PBA Legacy PBA Latitude E6420 ATG v Latitude E6420 XFR v Latitude XT3 y Latitude E6430u Latitude E6530 Y Latitude E6230 y Latitude E6330 v Latitude E6430s v Latitude E6430 v
119. [Screenshot: Dell Product Support downloads page for the Dell Latitude 7440, listing categories including BIOS, Dell Data Protection, and Drivers for OS Deployment] 5. Install the product using the DDPSetup exe file. Using DDPSetup exe installs the Encryption client and Advanced Authentication. 6. Re-apply HCA policies and apply the change. DDP HCA Pre-Installation BIOS Configuration: If the following hardware and BIOS instructions are not completed, are inaccurate, or are otherwise not met, the Encryption client ignores HCA policies and software encryption is implemented. 1. Boot into the BIOS Configuration: Press F2 or F12 continuously during boot until a message in the upper right screen is similar to
120. le Instructions: If needed, log on to the Remote Management Console. Click Domains and click the Detail icon. Click Key Server. In the Key Server account list, add the user that will be performing the Admin activities. The format is Domain username. Click Add Account. Click Users in the left menu. In the search box, search for the username added in Step 4. Click Search. Once the correct user is located, click the Detail icon. Select Admin. Click Update. The components are now configured for Kerberos Authentication/Authorization. Use WSScan: When uninstalling the Encryption client, follow your existing process for decrypting data, such as issuing a policy update. After decrypting data, but before performing a restart in preparation for uninstall, run WSScan to ensure that all data is decrypted. Administrator privileges are required to run this utility. 1. From the Dell installation media, copy WSScan.exe to the Windows device to scan. 2. Launch a command line at the location above. 3. At the command prompt, enter wsscan.exe. 4. Click Advanced >>. 5. From the drop-down box, select the type of drive to scan: A Drives, Fixed Drives, Removable Drives, or CDROMs DVDROMs, or To only scan a particular folder, go to Scan Settings and enter the folder path in the Search Path field. If this fi
121. le more control over the process and outcome. Because the compressed recovery bundle that you downloaded from the Server does not respond to command line switches, the LSARecovery file must be extracted from the bundle. Follow these steps to obtain the LSARecovery file: 1. Locate the downloaded recovery file. 2. Right-click it and select Run as administrator. The recovery program runs and displays a dialog box. 3. In Windows Explorer, check the directory where the recovery file is located to find a file called LSARecovery_machinename_domain.com.exe. 4. Copy the LSARecovery file to another location to save it. 5. Cancel the recovery dialog box. Now you can use the LSARecovery file to run the recovery from a command line. Recover the Data: 1. Locate the recovery file downloaded from the Remote Management Console. 2. Right-click the recovery file and select Run as administrator. Or, if you extracted the recovery file in the previous procedure, run the LSARecovery executable from a command prompt: x LSARecovery ex server https my Dell Enterprise Server com Or: LSARecovery ex server IP address of the Dell Enterprise Server NOTE: The Dell Enterprise Server can either be specified in the command line as the URL or as the IP address, or by creating the servlet URL registry entry that the Shield uses. If the recovery is an SDE or HCA decryption recovery, no escrow takes place and t
122. lick Dell Encryption in the same menu. Select the Clear Owner check box. Click Yes at the warning dialog and then click Apply. Click Exit. NOTE: If the check box is grayed out, it is Owned. If the HCA ownership check box will not clear, select Load Default and then Exit. 6. If the computer is equipped with legacy HCA, enter the System Preboot Password. After exiting the BIOS configuration, you will be prompted for the System Preboot password defined in step 3. DDP HCA pre-installation configuration is complete. Log in to Windows Log in with local or domain Admin credentials when the computer boots to Windows. Reset System Password If the computer is equipped with legacy HCA and you forget your System password, log in with the BIOS Admin password and assign a new System password as described in DDP HCA Pre-Installation BIOS Configuration. If the BIOS password is also unknown, you must contact Dell support to reset the passwords (refer to your Welcome Letter for contact information). Pre-Installation Configuration to Set Up a BitLocker PBA Partition You must create the PBA partition before installing BitLocker Manager. Use the BdeHdCfg.exe command to create the PBA partition. The default parameter indicates that the command line tool will follow the same process as the BitLocker Setup Wizard. BdeHdCfg target
123. ll the clients individually, see Extract the Child Installers from the Master Installer, and then select the client or clients to deploy: Encryption Client Installation Tasks; Drivers Installation Tasks (required if using Advanced Authentication on Dell hardware or if installing the encryption client); SED Management and Advanced Authentication Installation Tasks; BitLocker Manager Installation Tasks; Cloud Edition Installation Tasks. If you already understand the products and want to work with a list of our most commonly used scenarios, see Commonly Used Scenarios. Requirements Encryption Client The user account performing the installation must be a local or domain Admin user, which can be temporarily assigned by a deployment tool such as Microsoft SMS or KACE. A non-Admin user that has elevated privileges is not supported. To successfully install DDP E, the computer must have network connectivity. If you intend to use Hardware Crypto Accelerator (HCA) policies, you must first set up the Trusted Platform Module (TPM) and, if setting up a computer with legacy HCA, create a System password. Follow the instructions detailed in Pre-Installation Configuration to Enable DDP HCA prior to DDP E installation. The features available as of v8.3 with HCA are supported on legacy BIOS (non-UEFI) computers. If running Windows 8 or Windows 8.1, follow the instructions detailed in Chan
124. llation Tasks Before you begin installing Cloud Edition, you must first complete a few tasks on the DDP Server. DDP Server Tasks Configure DDP Enterprise Server VE for Cloud Edition To configure VE to support Cloud Edition, in the VE Remote Management Console, set the Cloud Storage Protection Enabled protection policy to True. Configure Dell Enterprise Server for Cloud Edition To configure Dell Enterprise Server to support Cloud Edition, in the Remote Management Console, set the Cloud Storage Protection Enabled protection policy to True, then Set Up the Dell Security Server to Allow Cloud Client Downloads. Set Up the Dell Security Server to Allow Cloud Client Downloads This section details the steps needed to allow end users to download the Windows Cloud client from your Dell Security Server. 1. On the Dell Enterprise Server, go to <Security Server install dir>\webapps\cloudweb\brand\dell\resources and open the messages.properties file with a text editor. 2. Ensure that the entries are as follows: download.deviceWin.mode=remote download.deviceWin.local.filename.32=cloud32.exe download.deviceWin.local.filename.64=cloud64.exe download.deviceWin.remote.link.32=https://<YOUR HOST URL>:<PORT>/cloudweb/download/cloud32.exe download.deviceWin.remote.link.64=https://<YOUR HOST URL>:<PORT>/cloudweb/download/cloud64.exe Save and close the file. Go to <Security Server install dir> and create a new folder u
125. lling out in a production environment. Cloud Sync Clients: Dropbox 2.4 - 2.12 (Dropbox for Business requires Dropbox version 2.8 or later, plus the DDP Enterprise Server Virtual Edition (VE) v8.4 or later. NOTE: With a pre-v8.4 VE Server or a Dell Enterprise Server, the client protects all files and folders. With VE v8.4 or later, a user can upload files to a personal Dropbox account; based on policy, those files can remain unprotected.); Box 3.4 - 4.0; OneDrive 17.0. Hardware The following table details supported hardware for the Windows client. Windows Hardware: Intel Pentium-class or AMD processor; 512 MB - 2 GB RAM, depending on operating system; 15 GB - 20 GB free disk space, depending on operating system; 10/100/1000 or Wi-Fi network interface card; TCP/IP installed and activated. Operating Systems The following table details supported operating systems. Windows Operating Systems (32-bit and 64-bit): Microsoft Windows 7 SP0-SP1; Microsoft Windows 8; Microsoft Windows 8.1 (Box and Dropbox only). Android Operating Systems: 4.0 Ice Cream Sandwich; 4.1 - 4.3 Jelly Bean; 4.4 KitKat. iOS Operating Systems: iOS 5.x; iOS 6.x; iOS 7.x. Interoperability Deprovision and Uninstall Dell Data Protection Access If DDP A is installed now
126. ly in the Security Console rather than in Windows. If the Windows password is changed outside of the Security Console, a password mismatch will occur, requiring a recovery operation. Recovery Questions The Recovery Questions page is as described in the Setup Wizard. See Recovery Questions. Fingerprints Fingerprint enrollment is as described in the Setup Wizard. See Fingerprint Enrollment. You can grant permission to end users to enroll or modify fingerprint credentials in the Remote Management Console. Cards Card enrollment is as described in the Setup Wizard. See Card Enrollment. If authenticating with a CAC that has more than one certificate, the user selects the correct certificate from a list. Backup and Restore The Backup and Restore Wizard helps end users securely back up passwords managed by Password Manager. This data can be restored on any computer protected by Password Manager. 1. Click the Backup and Restore tile on the Authentication page. 2. Click either Back up data or Restore
127. mation on installing Cloud Edition on iOS or Android devices, as well as a few tips. When using Cloud Edition on an iOS or Android client, if you open files directly through Dropbox, Box, or OneDrive, the file names and file contents are encrypted and unreadable. NOTE: Be aware that Windows has more options for sync clients than some other devices. For example, on some mobile devices, you can open and view Dropbox, Box, and OneDrive files, but you cannot upload a change. Prerequisite Before you install DDP CE, you need the name of your enterprise's Dell Data Protection Server, such as server.domain.com. Cloud Edition on an iOS device Install on an iOS device 1. On your device, tap App Store and search for Dell Data or Cloud Edition. 2. Select and install the Dell Data Protection Cloud Edition app. 3. For the Server field at the login screen, enter the name of your company's Dell Data Protection Server, such as server.domain.com. 4. Select a cloud storage provider: Dropbox, Box, or OneDrive. Cloud Edition on an Android device Install on an Android device 1. On your device, access Google Play and search for DDP. 2. Select and install the DDP Cloud Edition app. 3. For the Server field at the login screen, enter the name of your company's Dell Data Protection Server, such as server.domain.com. Enter your user name and password and click Login. Select a cloud storage provider: Dropbox, Box, or OneDrive.
128. n 1. Select Windows or a device on which to install Cloud Edition. 2. When prompted for the server name, use the name at the top of the Download page. Cloud Edition Frequently Asked Questions (FAQs) Administrator FAQs Question: I changed the Obfuscate Filenames cloud policy from GUID to Extension only. However, the folders I had previously been syncing are still encrypting those files to the other format, with GUID filenames. Answer: When a policy is changed on the DDP Server, DDP CE maintains the previous policy for that folder. Any new folders created will have the new policy applied and will encrypt to the Extension only format. Solution: To reapply the Extension only format to the old files, cut and paste them to a new folder that has the new policy applied. Question: I installed and activated DDP CE, but a new domain was stood up. I disjoined the old domain and joined it to the new domain. DDP CE is still showing as active, but it is not getting any policy updates and no encryption occurs. Answer: Currently, the DDP Server only recognizes the endpoint against which you originally activated. If you change the endpoint name, the DDP Server will not recognize that endpoint in order to send policy, and DDP CE will not perform as expected. Solution: 1. Uninstall DDP CE and then reinstall. 2. Activate the same user again. NOTE: Ensure that you stop syncing files to the local computer befor
129. n User Must Change Password at Next Logon is disabled. Preboot Authentication does not support this Active Directory option. A self-encrypting drive must be configured as the boot drive (drive 0) for Preboot Authentication to function properly. To use smart cards with Preboot Authentication, the following registry value must be set on the client computer: HKLM\SOFTWARE\DigitalPersona\Policies\Default\SmartCards "MSSmartcardSupport"=dword:1 (0 or no key = Smart Card Support Off, 1 = Smart Card Support On). Best Practices IT best practices should be followed during deployment. This includes, but is not limited to, controlled test environments for initial tests and staggered deployments to users. Install SED Management and Advanced Authentication NOTE: The SED client is required for Advanced Authentication in v8.x. SED Client: locate the installer at C:\extracted\Security Tools. Advanced Authentication Client: locate the installer at C:\extracted\Security Tools\Authentication. Dell ControlVault Client: locate the installer at C:\extracted\UshCvReset Dell ControlVault Software Update Child Installer. Use EMAgent_XXbit_setup.exe to install SED management using a scripted installation, using batch files, or any other push technology available to your organization. Use DP_XXbit_setup.exe to install Advanced Authentication using a scripted installation, using batch files, or any other push technology available to your organization. Use
130. n of C:\Program Files\Dell\Dell Data Protection. If your DDP Server is pre-v7.7: DDPE_XXbit_setup.exe /s /v"EME=1 SERVERHOSTNAME=server.organization.com POLICYPROXYHOSTNAME=rgk.organization.com DEVICESERVERURL=https://server.organization.com:8081/xapi MANAGEDDOMAIN=ORGANIZATION /norestart /l*v EMEinstall.log /qn" If your DDP Server is v7.7 or later: DDPE_XXbit_setup.exe /s /v"EME=1 SERVERHOSTNAME=server.organization.com POLICYPROXYHOSTNAME=rgk.organization.com DEVICESERVERURL=https://server.organization.com:8443/xapi MANAGEDDOMAIN=ORGANIZATION /norestart /l*v EMEinstall.log /qn" SED Client (including Advanced Authentication), External Media Edition, and Cloud Edition See Cloud Edition Activation and User Experience to learn how to use Cloud Edition. See Configure Credentials in the Security Console and Use the Authentication Applications to learn how to use the features of Advanced Authentication. NOTE: Drivers are needed for Advanced Authentication if installing on Dell hardware. These are the drivers for the various smart cards and fingerprint readers for which Dell supplies drivers. Installing these drivers should be omitted if using Advanced Authentication on non-Dell hardware, as they may interfere with other vendor's drivers. Drivers are also needed if installing the encryption client. Additional drivers and sof
131. nd Authentication are installed by default and cannot be deselected. This is listed as Dell Data Protection Security Framework in the installer. Drivers are installed by default and cannot be deselected. Drivers installs smart card, fingerprint reader, and other necessary drivers. Optionally, select the check box for Dell Data Protection Encryption to install the encryption client for Windows computers. Optionally, select the check box for Dell Data Protection Cloud Edition to install the Cloud client. Optionally, select the check box for BitLocker Management to install the BitLocker Manager client. 11. Click Next. 12. Click Install to begin the installation.
132. nd user clicks Finish to close the dialog. Password Manager Password Manager allows an end user to automatically fill in and submit data required to log on to websites, Windows applications, and network resources. Password Manager also provides the capability for an end user to change their logon passwords through the application, ensuring that logon passwords maintained by Password Manager are kept in sync with those of the targeted resource. NOTE: Due to the ever-changing structure of web logon screens, the software may not be able to support all websites at all times. Website and Application Logon Training To train new website and application logons, an end user launches the logon screen (a web page or program) to train. An icon displays when the software detects the logon screen. Alternatively, the end user can click Add Logon and then navigate to the web page or program logon screen.
133. nder it named Download (Security Server\Download). Within the Download folder, create another new folder and name it Cloudweb (Security Server\Download\Cloudweb). Add the 64-bit and the 32-bit setup files for Cloud Edition to the Cloudweb folder and rename them to cloud64.exe and cloud32.exe, respectively. Set Up the Server for Automatic Downloads of the Windows Cloud Client (Optional) 1. On the server hosting your Dell Enterprise Server, go to C:\inetpub\wwwroot. NOTE: This web server must have a trusted certificate. 2. Create a folder under wwwroot named CloudUpdate (C:\inetpub\wwwroot\CloudUpdate). NOTE: CloudUpdate is used in this example, but you can choose any name. Place the updated executables in the CloudUpdate folder. Place the updated versions.xml file in the CloudUpdate folder. Open versions.xml with a text editor and verify the filename path is correct for your environment. Sample: <?xml version="1.0"?> <VERSIONS> <VERSION channel="release" brand="1" arch="x86" version="1.0.0.1814" filename="Cloud32.exe"/> <VERSION channel="release" brand="1" arch="x64" version="1.0.0.1814" filename="Cloud64.exe"/> </VERSIONS> Version: File version of the updated executables. Filename: Path from the end of the URL above (CloudUpdate) to the actual executables. Save and close the file. Restart
134. nged to a legacy boot mode, the computer must be re-imaged. Glossary Activate d: Activation occurs when the computer has been registered with the Server and has received at least an initial set of policies. Active Directory (AD): A directory service created by Microsoft for Windows domain networks. Cached Credentials: Cached credentials are credentials that are added to the PBA database when a user successfully authenticates with Active Directory. This information about the user is retained so that a user can log in when they do not have a connection to Active Directory (for example, when taking their laptop home). Common Encryption: The Common key makes files accessible to all managed users on the device where they were created. Deactivate d: Deactivation occurs when SED management is turned to FALSE in the Server. Once the computer is deactivated, the PBA database is deleted and there is no longer any record of cached users. External Users: Users outside the organization's domain address. Likewise, Internal Users are users inside the organization's domain address. Hardware Crypto Accelerator (HCA): HCA cards enable hardware-based encryption and provide advanced security. During setup, the HCA card is locked to the motherboard and a unique key is created, encrypted, signed, and stored. Thereafter, access to your encrypted data is allowed only on that specific computer and only with the
135. ngth bar grows as the password is stronger. If the end user clicks the Add category, the Add Category dialog displays. Type the name of the new category. To place a logon in a category, drag and drop the logon on the category. Settings Page On the Settings page, the end user can configure the following: The display of the Password Manager icon on the logon screens that can be trained for automatic data fill-in. Clearing the Prompt to add logons for logon screens check box disables the Password Manager. The key combination that can be pressed to display the Logons menu. The default key combination is Ctrl+Alt+H.
136. In the Setup window, specify the network location where you want to store the extracted files and click Install. Consult the documentation of your specific transform tool to create the transform file to be used in the next step. 4. Use a command line similar to the following to pass the transform file to the DDPE_XXbit_setup.exe installer: DDPE_XXbit_setup.exe /v"PROPERTY1=\"value with spaces\" PROPERTY2=ValueWithoutSpaces INSTALLDIR=\"D:\Program Files\Destination\" TRANSFORMS=NewTransform1.mst /qn" Encryption Client Uninstallation and Decryption Tasks When using System Data Encryption (SDE), User, or Common encryption, file decryption optionally occurs at uninstallation if you choose to install the Encryption Removal Agent. This enables you to decide whether or not to decrypt files. When using HCA encryption, all HCA-encrypted drives must be decrypted prior to uninstallation. The Encryption Removal Agent does not decrypt HCA-encrypted drives. To decrypt HCA-encrypted drives, publish the policy Hardware Crypto Accelerator = False, allow the decryption process to complete, and then initiate the uninstall process. Before beginning the uninstall process, see How to Create an Encryption Removal Agent Log File (Optional). This log file is useful for troubleshooting an uninstall/decryption operation. If you do not intend to decrypt SDE
137. no way to generate a Response Code from the DDP Server for the end user if they fail password and self-help questions. The Initial Access Code can only be used one time, immediately after activation. After an end user has logged in, the Initial Access Code will not be available again. The first domain login that occurs after the Initial Access Code is entered will be cached, and the Initial Access Code entry field will not be displayed again. The Initial Access Code will only display under the following circumstances: A user has never activated inside the PBA. The client has no connectivity to the network or DDP Server. Set a value for the Initial Access Code policy in the Remote Management Console. Save and commit the policy. Start the local computer. Enter the Initial Access Code when the Access Code screen displays. Click the blue arrow. Click OK when the Legal Notice screen displays. Log in to Windows with the user credentials for this computer. These credentials must be part of the domain. After logging in, open the Security Console and verify that the PBA user was successfully created. Click Log in the top menu and look for the message Created PBA user for <domain\username>, which indicates the process was successful. Shut down and restart the computer. At the login screen, enter the User Name, Domain, and Password that was previously used to log in to Windows. NOTE: You must match the UPN format t
138. nstalls the client with default parameters (encryption client, Encrypt for Sharing, CREDActivate, no dialogue, no progress bar, no restart, logs at the specified location, installed in the default location of C:\Program Files\Dell\Dell Data Protection). If your DDP Server is pre-v7.7: DDPE_XXbit_setup.exe /s /v"SERVERHOSTNAME=server.organization.com POLICYPROXYHOSTNAME=rgk.organization.com MANAGEDDOMAIN=ORGANIZATION DEVICESERVERURL=https://server.organization.com:8081/xapi /norestart /l*v Shieldinstall.log /qn" If your DDP Server is v7.7 or later: DDPE_XXbit_setup.exe /s /v"SERVERHOSTNAME=server.organization.com POLICYPROXYHOSTNAME=rgk.organization.com MANAGEDDOMAIN=ORGANIZATION DEVICESERVERURL=https://server.organization.com:8443/xapi /norestart /l*v Shieldinstall.log /qn" Then: Cloud Client (C:\extracted\Cloud) The following example installs Cloud Edition (silent installation, no reboot, log file at the specified location, installed in the default location of C:\Program Files\Dell\Dell Data Protection): Cloud_XXbit_setup.exe /s /v"SERVER=securityserver.organization.com /norestart /l*v Cloudinstall.log /qn" BitLocker Manager and External Media Edition BitLocker Manager Client (C:\extracted\Security Tools) The following example installs BitLocker Manager silent installation
139. ntication Applications The Security Console provides access to three applications through the tiles located on the Authentication tab. The applications are: Credentials, Backup and Restore, and Password Manager. Credentials The Credentials application provides a way to enroll end user credentials. By default, end users enroll and modify their own credentials. However, Administrators may limit the ability of the end user to enroll or manage credentials. Enrollment Status The Enrollment Status page is the default page shown when you click the Credentials tile. This page displays a list of all supported credentials and specifies their status: Required, Optional, or Disabled. End users can access details about each credential by clicking the credential in the status list or through the navigation on the left menu. However, if you have prohibited end users from en
140. o escrow the data to the server from any Windows computer that has network connectivity to the server: LSARecovery ex scrowAll server https my server com 8443 xapi Reset TPM Security (HCA) If there is a problem with the TPM, recovery can fail. When this occurs, you need to reset TPM ownership. TPM security must also be reset when a computer's motherboard is replaced. See DDP HCA Pre-Installation BIOS Configuration for instructions. Recover User Access to a Computer Equipped with HCA Self-Recovery This workflow enables end users to log on with provisioned recovery questions. Once the end user's recovery questions have been configured in the Security Console, the option to use the recovery questions for self-recovery is available. See Configure Credentials in the Security Console for instructions on configuring recovery questions. 1. At the PBA login screen, the end user enters their user name and clicks the gear in lower left. 2. The end user selects Forgot Password. 3. The end user enters the correct answers to the recovery questions and clicks Finish. Recover Access using Challenge/Response Codes As a Dell Administrator, open the Remote Management Console. In the left pane, click Actions > Recover Data. Select the SED tab on the top menu. In t
141. ollowing example downloads the keys from the DDP Enterprise Server: DDPE_XXbit_setup.exe /s /x /v"CMG_DECRYPT=1 CMGSILENTMODE=1 DA_SERVER=server.organization.com DA_PORT=8050 SVCPN=administrator@organization.com DA_RUNAS=ORGANIZATION\UserInKeyServerList DA_RUNASPWD=password /qn" Allow the Encryption Removal Agent to run and check its status as needed (see Check Encryption Removal Agent Status for information). The following example uses a temporary Forensic Administrator account to uninstall DDP EE when activated against DDP Enterprise Server VE: DDPE_XXbit_setup.exe /s /x /v"CMG_DECRYPT=1 CMGSILENTMODE=1 FORENSIC_ADMIN=tempsuperadmin FORENSIC_ADMIN_PWD=tempchangeit /qn /l c:\ddpe_uninstall.log" Uninstall External Media Edition Run a command line similar to the following: DDPE_XXbit_setup.exe /s /x /v"/qn /l c:\ddpe_uninstall.log" Allow the Encryption Removal Agent to run and check its status as needed (see Check Encryption Removal Agent Status for information). NOTE: Windows and EME Shields update the DDP Server to change the status to Unprotected at the beginning of a Shield uninstall process. However, in the event that the client cannot contact the DDP Server, regardless of the reason, the status cannot be updated. In this case, you will need to manually Remove Endpoint in the Remote Management Console. If your organization uses this
142. omputer when prompted. Cloud Edition is uninstalled. OR Override Protection Check for Synchronized Files You can uninstall files without stopping synchronization. However, if you use this option and protected files are currently synchronizing, these files could enter the cloud unencrypted. Use this option with caution. To override the check for synchronized files and perform a silent uninstall, enter the following command: Cloud_XXbit_setup.exe /x /s /v"PROTECTIONCHECK=0 /qn" Reboot the computer when prompted. Cloud Edition is uninstalled. Section VIII User Experience: Cloud Edition Cloud Edition Activation and User Experience Activate Cloud Edition After Dell Data Protection Cloud Edition is installed and the computer reboots, follow these steps: 1. Log in to Windows. 2. From the Cloud Edition system tray icon, select User Activation. 3. Enter your domain email address and domain password and click Activate. After activation finishes, a green check displays on the Cloud Edition system tray icon. Confirm your user mode status Click the Cloud Edition system tray icon and select Details. At the top, confirm User Mode. Internal: A user with an email address within the company's domain. External: A user with a non-domain email address
143. on> ARPSYSTEMCOMPONENT=1 SUPPRESSREBOOT=1 Then: SED Client (C:\extracted\Security Tools) The following example installs remotely managed SED (silent installation, no reboot, log file at the specified location, no entry in the Control Panel Programs list, and is installed in the default location of C:\Program Files\Dell\Dell Data Protection): EMAgent_XXbit_setup.exe /s /v"CM_EDITION=1 SERVERHOST=server.organization.com SERVERPORT=8888 SECURITYSERVERHOST=securityserver.organization.com SECURITYSERVERPORT=8443 ARPSYSTEMCOMPONENT=1 /l*v SEDinstall.log /norestart /qn" NOTE: The SED client is required for Advanced Authentication in v8.x. Then: Advanced Authentication Client (C:\extracted\Security Tools\Authentication) The following example installs Advanced Authentication (silent installation, no reboot, log file at the specified location, installed in the default location of C:\Program Files\Dell\Dell Data Protection): DP_XXbit_setup.exe /s /v"/norestart /l*v DPinstall.log /qn" Then: Dell ControlVault C:\extracted\UshCvReset Dell ControlVault Software Update Child Installer The following example installs Dell ControlVault software updates used by Security Tools (silent installation, no reboot, log file at the specified location, installed in the default location of C:\Program Files\Dell\Dell Data Protection). If the target computer
144. ontrolVault C:\extracted\UshCvReset Dell ControlVault Software Update Child Installer The following example installs Dell ControlVault software updates used by Security Tools (silent installation, no reboot, log file at the specified location, installed in the default location of C:\Program Files\Dell\Dell Data Protection). If the target computer is not equipped with Dell ControlVault, installing this software is not harmful and will have no effect. Dell_CV_SW_Update_xXX.exe /s /v"/norestart /l*v CVinstall.log /qn" Then: DDP E Encryption Client (C:\extracted\Encryption) The following example installs EME only (silent installation, no reboot, log file at the specified location, installed in the default location of C:\Program Files\Dell\Dell Data Protection). If your DDP Server is pre-v7.7: DDPE_XXbit_setup.exe /s /v"EME=1 SERVERHOSTNAME=server.organization.com POLICYPROXYHOSTNAME=rgk.organization.com DEVICESERVERURL=https://server.organization.com:8081/xapi MANAGEDDOMAIN=ORGANIZATION /norestart /l*v EMEinstall.log /qn" If your DDP Server is v7.7 or later: DDPE_XXbit_setup.exe /s /v"EME=1 SERVERHOSTNAME=server.organization.com POLICYPROXYHOSTNAME=rgk.organization.com DEVICESERVERURL=https://server.organization.com:8443/xapi MANAGEDDOMAIN=ORGANIZATION /norestart /l*v EMEinstall.log /qn" Then
145. ontrolVault Software Update Child Installer The following example installs Dell ControlVault software updates used by Security Tools (silent installation, no reboot, log file at the specified location, installed in the default location of C:\Program Files\Dell\Dell Data Protection). If the target computer is not equipped with Dell ControlVault, installing this software is not harmful and will have no effect. Dell_CV_SW_Update_xXX.exe /s /v"/norestart /l*v CVinstall.log /qn" Then: DDP E Encryption Client (C:\extracted\Encryption) The following example installs the client with default parameters (encryption client, Encrypt for Sharing, CREDActivate, no dialogue, no progress bar, no restart, logs at the specified location, installed in the default location of C:\Program Files\Dell\Dell Data Protection). If your DDP Server is pre-v7.7: DDPE_XXbit_setup.exe /s /v"SERVERHOSTNAME=server.organization.com POLICYPROXYHOSTNAME=rgk.organization.com MANAGEDDOMAIN=ORGANIZATION DEVICESERVERURL=https://server.organization.com:8081/xapi /norestart /l*v Shieldinstall.log /qn" If your DDP Server is v7.7 or later: DDPE_XXbit_setup.exe /s /v"SERVERHOSTNAME=server.organization.com POLICYPROXYHOSTNAME=rgk.organization.com MANAGEDDOMAIN=ORGANIZATION DEVICESERVERURL=https://server.organization.com:8443/xapi /norestart /l*v Shieldinstall.log /qn" Then Clou
146. or further operation. 6. Navigate to <Key Server install dir>\log.txt to verify that the Service started properly. Key Server Config File Instructions: 1. Navigate to <Key Server install dir>. 2. Open Credant.KeyServer.exe.config with a text editor. 3. Go to <add key="user" value="superadmin" /> and change the "superadmin" value to the name of the appropriate user (you may also leave as "superadmin"). The "superadmin" format can be any method that can authenticate to the DDP Enterprise Server. The SAM account name, UPN, or domain\username is acceptable. Any method that can authenticate to the DDP Enterprise Server is acceptable because validation is required for that user account for authorization against Active Directory. For example, in a multi-domain environment, only entering a SAM account name such as "jdoe" will likely fail because the DDP Enterprise Server will not be able to authenticate "jdoe" because it cannot find "jdoe". In a multi-domain environment, the UPN is recommended, although the domain\username format is acceptable. In a single domain environment, the SAM account name is acceptable. 4. Go to <add key="epw" value="<encrypted value of the password>" /> and change "epw" to "password". Then change "<encrypted value of the password>" to the password of the user from Step 3. This password is re-encrypted when the DDP
147. or has been installed in the past on your computer, before installing the Encryption client, SED, or Advanced Authentication, you must deprovision the DDP|A-managed hardware and then uninstall DDP|A. If DDP|A has not been used, you may simply uninstall DDP|A and restart the installation process. Deprovisioning DDP|A-managed hardware includes the fingerprint reader, smart card reader, BIOS passwords, TPM, and the Self-Encrypting Drive. NOTE: If running DDP|E encryption products, stop or pause an encryption sweep. If running Microsoft BitLocker, suspend the encryption policy. Once DDP|A is uninstalled and Microsoft BitLocker policy is unsuspended, initialize the TPM by following the instructions located at http://technet.microsoft.com/en-us/library/cc753140.aspx. Deprovision DDP|A-Managed Hardware: 1. Launch DDP|A and click the Advanced tab. 2. Select Reset System. This will require that you enter any provisioned credentials to verify your identity. After DDP|A verifies the credentials, DDP|A will perform the following actions: remove all provisioned credentials from Dell ControlVault (if present); remove Dell ControlVault owner password (if present); remove all provisioned fingerprints from integrated fingerprint reader (if present); remove all BIOS passwords (BIOS System, BIOS Admin, and HDD passwords); clear the Trusted Platform Module; remove the DDP|A Credential Provider. Once the computer is deprovisioned, DDP|A reboots the comp
148. orestart /l*v Shieldinstall.log /qn" SED Client (including Advanced Authentication) and External Media Edition: See Configure Credentials in the Security Console and Use the Authentication Applications to learn how to use the features of Advanced Authentication. NOTE: Drivers are needed for Advanced Authentication if installing on Dell hardware. These are the drivers for the various smart cards and fingerprint readers for which Dell supplies drivers. Installing these drivers should be omitted if using Advanced Authentication on non-Dell hardware, as they may interfere with other vendors' drivers. Drivers are also needed if installing the encryption client. Additional drivers and software stack are required for supporting Hardware Crypto Accelerator (HCA). This includes the HCA driver and the Trusted Software Stack (TSS) for TPM. Drivers (C:\extracted\Drivers): The following example installs the drivers at the specified location, does not create an entry in the Control Panel Programs list, and suppresses the reboot. setup.exe /S /z"\"InstallPath=<c:\location>, ARPSYSTEMCOMPONENT=1, SUPPRESSREBOOT=1\"" Then SED Client (C:\extracted\Security Tools): The following example installs remotely managed SED (silent installation, no reboot, log file at the specified location, no entry in the Control Panel Programs list, installed in the default location of C:\Program Files\Dell
149. other than the default location where the executable is located, provide the complete path in the command. For example, /l*v C:\Logs will create install logs in a C:\Logs folder. The following example installs remotely managed SED (silent installation, no reboot, log file at the specified location, no entry in the Control Panel Programs list, installed in the default location of C:\Program Files\Dell\Dell Data Protection). EMAgent_XXbit_setup.exe /s /v"CM_EDITION=1 SERVERHOST=server.organization.com SERVERPORT=8888 SECURITYSERVERHOST=securityserver.organization.com SECURITYSERVERPORT=8443 ARPSYSTEMCOMPONENT=1 /l*v SEDinstall.log /norestart /qn" Then: The following example installs Dell ControlVault software updates used by Security Tools (silent installation, no reboot, log file at the specified location, installed in the default location of C:\Program Files\Dell\Dell Data Protection). If the target computer is not equipped with Dell ControlVault, installing this software is not harmful and will have no effect. Dell CV SW Update xXX.exe /s /v"/norestart /l*v CVinstall.log /qn" Then: The following example installs Advanced Authentication (silent installation, no reboot, log file at the specified location). DP_XXbit_setup.exe /s /v"/norestart /l*v DPinstall.log /qn" Once policies are applied at the endpoint and are ready to be enforced, the end user will be notifie
150. oud Edition; Command Line Uninstallation; Section VIII User Experience Cloud Edition; Cloud Edition Activation and User Experience; Activate Cloud Edition; Install a Cloud Sync Client; Authenticate Dropbox for Business; Dropbox for Business; Box; OneDrive; Work with Folders and Files; Cloud Storage Provider Help; Pre-existing Folders with Unencrypted Files; Access a Cloud Storage Provider; Dropbox for Business; Connect Cloud Edition and Dropbox; Use Dropbox for Business Context Menu; Use Business and Personal Dropbox Accounts; Understand the Cloud Edition System Tray Menu Items; Details Screen; Cloud Edition Manage Folders Menu; Using Cloud Edition with iOS or Android; Prerequisite
151. ove protected files Recommended method Turn off syncing from the sync folders All folders and files will remain in the cloud but will be removed from the local device e Delete the files directly from the cloud and allow syncing to occur The cloud service will show there are no files on the device and when syncing occurs the local device will remove all data from the shared folder e Delete the files directly from the local sync folder The sync client will observe the change and remove all files from the cloud service e The installer offers the option to override its protection check for synchronized files For more information see Override Protection Check for Synchronized Files Dropbox 1 In the system tray select the Dropbox icon and click the Settings icon In Preferences click the Account tab and then Selective Sync Click Update At the confirmation dialog click OK The folders will be removed from Dropbox on the computer but are still available on the web and other devices 2 3 Deselect folders to remove syncing 4 5 oo At the Dropbox Preferences window click OK The system tray icon indicates settings are being applied This may take several minutes 8 When the Dropbox icon indicates that remove syncing is complete navigate to Windows Explorer gt Dropbox If any files or folders were not removed manually delete them Enterprise Edition Administrator Guide 163 Box In the system tray right cl
152. parameters available for the uninstallation Log File Parameters A fullpath filename log SERVER lt securityserver organization com gt Options The following table details the display options that can be specified at the end of the argument passed to the v switch to achieve your expected behavior Options Meaning q No Progress dialog restarts itself after process completion 164 Enterprise Edition Administrator Guide Options Meaning qb Progress dialog with Cancel button prompts for Restart qb Progress dialog with Cancel button restarts itself after process completion qb Progress dialog without Cancel button prompts for restart qb Progress dialog without Cancel button restarts itself after process completion qn No user interface NOTE Do not use both q and qn in the same command line Only use and after qb Example Command Line Uninstallation The uninstallation is performed using the Cloud_XXbit_setup exe file located in the C extracted Cloud folder NOTE Be sure to enclose a value that contains one or more special characters such as a blank space in escaped quotation marks To specify a log location other than the default location where the executable is located provide the complete path in the command For example I C Logs will create install logs in a CALogs folder Cloud XXbit setup exe x s v 1 Uninstall log gn Reboot the c
153. password from a dedicated change password dialog. Generate password functionality is supported. The end user can also choose the complexity criteria to be used in generating a password. [Screenshot: Change password dialog] Password Manager Page: The Password Manager page allows an end user to launch their trained logons and to add, remove, and edit logon data. Until the end user has created a logon, instructional text is shown on the user interface to help the end user understand the password management functionality offered by the program. [Screenshot: Security Console, Password Manager page]
154. pletion. /qb: Progress dialog with Cancel button, prompts for restart. /qb-: Progress dialog with Cancel button, restarts itself after process completion. /qb!: Progress dialog without Cancel button, prompts for restart. /qb!-: Progress dialog without Cancel button, restarts itself after process completion. /qn: No user interface. NOTE: Do not use both /q and /qn in the same command line. Only use ! and - after /qb. Example Command Line Installation: Special drivers are needed for Advanced Authentication if installing on Dell hardware. These are the drivers for the various smart cards and fingerprint readers for which Dell supplies drivers. Installing these drivers should be omitted if using Advanced Authentication on non-Dell hardware, as they may interfere with other vendors' drivers. Additional drivers and software stack are required for supporting Hardware Crypto Accelerator (HCA). This includes the HCA driver and the Trusted Software Stack (TSS) for TPM. The installation is performed using the EMAgent_XXbit_setup.exe, DP_XXbit_setup.exe, and Dell CV SW Update xXX.exe files located in the C:\extracted\Security Tools, C:\extracted\Security Tools\Authentication, and C:\extracted\UshCvReset\Dell ControlVault Software Update Child Installer folders. NOTE: Be sure to enclose a value that contains one or more special characters, such as a blank space, in escaped quotation marks. To specify a log location
155. protected in the cloud or possibly deleted. Question: On suspended Windows devices, when I try to upload files into the cloud, nothing happens. When I close the windows that were already opened, an error message states Access Denied. Answer: The error message is not from DDP|CE. You can access the files locally but will not get future updates to the files. Change Secure Boot/UEFI to Legacy Boot Mode in BIOS: The features available as of v8.3 with HCA are supported on legacy BIOS (non-UEFI) systems. If running Windows 8 or Windows 8.1, follow these instructions prior to client installation. 1. Turn on the power to your Dell computer. If the computer is already running, reboot it. 2. Press F2 or F12 continuously during boot until a message in the upper right screen says something similar to "preparing to enter setup" (F2) or "preparing one-time boot menu" (F12). This launches the system BIOS. 3. In Settings > General > Boot Sequence, ensure that the Legacy Boot List Option is selected. 4. In Settings > General > Advanced Boot Options, ensure that the Enable Legacy Option ROMs check box is selected. 5. In Settings > Secure Boot > Secure Boot Enable, ensure that the Secure Boot Enable selection is Disabled. 6. Apply the changes. 7. Now that the computer BIOS has been cha
156. r problem: "My system fails to boot and displays a message asking me to perform SDE recovery"; "My system does not allow me to access encrypted data, edit policies, or is being reinstalled"; "I want to decrypt my HCA encrypted drive"; "I want to restore access to my HCA encrypted drive". Select the second option, "My system does not allow me to access encrypted data, edit policies, or is being reinstalled", and click Next. Click Next at the Backup Recovery Information screen. Select the disk to recover and click Next. Enter the recovery password associated with this file. This is the Recovery Password defined when the recovery bundle was retrieved from the Remote Management Console. A dialog displays, notifying you of the disk that is being recovered. Click Recover. A dialog displays, notifying you that recovery was completed successfully. Click Finish. When recovery is finished, close the console. The self-extracting file will delete the extracted files. Recover Data using a Pre-Installed Environment or a Slaved Drive: This procedure covers these three scenarios (Type of Recovery: Description). SDE recovery: My system fails to boot and displays a message asking me to perform SDE recovery. HCA decryption: I want to decrypt my HCA encrypted drive. HCA recovery: I want to restore access to my HCA encrypted drive. Prerequisites: Ensure that the following prerequisites are met before beginning the recovery process.
157. rise Edition Data is managed by the Remote Management Console External Media Edition Only InstallShield 7. In the Dell Enterprise Server Name field, enter the fully qualified host name of the DDP Server that will manage the target user, such as server.organization.com. In the Dell Device Server URL field, enter the URL of the Device Server that the client will communicate with. If your DDP Server is pre-v7.7, the format is https://server.organization.com:8081/xapi. If your DDP Server is v7.7 or later, the format is https://server.organization.com:8443/xapi/ (including the trailing forward slash). 8. Click Next. [Screenshot: Dell Enterprise Server Setup dialog] 9. Click Next to install the products in the default location of C:\Program Files\Dell\Dell Data Protection. 10. Self-Encrypting Drive management: your SED must be supported by Dell to be managed a
158. rive icon and select Go to OneDrive.com. Dropbox for Business: Dropbox for Business has specific requirements. See Cloud Sync Clients. Connect Cloud Edition and Dropbox: If your company uses Dropbox for Business, you must allow Cloud Edition to stay connected. To connect: 1. In the system tray, click the Cloud Edition icon and then select Dropbox > Connect. 2. At the Dropbox Authentication window, read the information and then click Next. 3. If you have linked your Dropbox business and personal accounts, you will be prompted to select one now. You must select your business account. At the prompt to allow Cloud Edition to access your Dropbox files and folders, click Allow. Click Finish. Use Dropbox for Business Context Menu: In Windows Explorer, when Cloud Edition is installed, Dropbox for Business has an additional context menu. NOTE: You must connect Cloud Edition to Dropbox. To access the context menu, in Windows Explorer, open a Dropbox folder and right-click a file. The cloud icon has these options: Share Secure Dropbox link; View on Dropbox.com; View previous versions. Use Business and Personal Dropbox Accounts: If your company has Dropbox for Business and also allows you to link a personal Dropbox account with your business account, be sure to understand the policies set by your administrator for those accounts. For example, a company can set the following policies: Both business an
159. rolling their credentials, the navigation to the end user's credentials is hidden. The following message displays on the page: "No credentials allowed for setup. Please contact your administrator." If you have prohibited modification of credentials, the following message displays: "<type of credential> No credentials allowed for modification. Please contact your system administrator." The end user clicks OK to dismiss the dialog. [Screenshot: Security Console, Enrollment Status page] Windows Password: The Windows Password page allows end users to easily change their Windows password from within the Security Console. Password changes are effective immediately after clicking Change. NOTE: End users should be instructed to change their Windows password on
160. Restore Data: 1. Click Restore data to launch the Backup and Restore Wizard and to restore the data that was previously backed up using Back up Data. 2. The end user enters the name and location of the backup file, or clicks Browse to navigate to the file, and then enters the password for the file. The end user clicks Next. [Screenshot: Backup and Restore wizard, Specify file to restore] 3. On the next page of the wizard, the end user is asked to select the data to restore. By default, all data that is managed is restored. The end user can deselect specific applications that they do not want to have restored at this time. The end user clicks Next. [Screenshot: Choose data to restore] 4. The final page of the wizard informs the end user that the restore has been completed and lists the applications that have had their data restored. The end user clicks View Details to view a text log of the backup operations performed. The e
161. rprise Server VE (Virtual Edition) before deploying clients. If you have not yet installed the Server, locate the appropriate guide as shown below, follow the instructions, and then return to this guide. DDP Enterprise Server Installation and Migration Guide: After Server installation, either apply a policy template at the Enterprise level or apply policies individually, as appropriate, to specific domains, user groups, endpoint groups, users, or endpoints. DDP Enterprise Server Virtual Edition Quick Start Guide and Installation Guide: After Server installation, verify that policies are set as desired for Enterprise, domains, user groups, endpoint groups, users, and endpoint levels. 2. Access the AdminHelp in the Remote Management Console. From the Table of Contents, go to Manage Policies to learn about platforms and how to use each policy. [Screenshot: AdminHelp table of contents] Deploy the appropriate client or clients to end users. Learn how to monitor your Enterprise and issue commands. From the AdminHelp Table of Contents, go to Navigate the En
162. rvice that listens for clients to connect on a socket. Once a client connects, a secure connection is negotiated, authenticated, and encrypted using Kerberos APIs (if a secure connection cannot be negotiated, the client is disconnected). The Dell Key Server then checks with the Dell Device Server to see if the user running the client is allowed to access keys. This access is granted on the Remote Management Console via individual domains. NOTE: If Kerberos Authentication/Authorization is to be used, then the server that contains the Dell Key Server component will need to be part of the affected domain. NOTE: The DDP Enterprise Server VE does not use the Dell Key Server, which affects how the Encryption client is uninstalled. Uninstallation uses standard forensic key retrieval through the Dell Security Server instead of the Key Server's Kerberos method. For available parameters, see Parameters. Windows Service Instructions: 1. Navigate to the Windows Service panel (Start > Run > services.msc > OK). 2. Right-click Dell Key Server and select Properties. 3. Go to the Log On tab and select the This account option button. 4. In the This account field, add the desired domain user. This domain user must have at least local Admin rights to the Key Server folder (must be able to write to the Key Server config file, as well as the ability to write to the log.txt file). 5. Click OK. Restart the Service (leave the Windows Service panel open f
163. s DDP|CE will re-encrypt the contents. Solution: 1. Create a new folder. 2. Move all the files to be protected to the new folder. 3. In the system tray, use the Cloud Edition > Manage Folders utility again to decrypt those files. NOTE: If you unprotect the contents of a folder that are shared with other users who have DDP|CE, the other user's DDP|CE will enforce the policy to encrypt them. You can use the Manage Folders utility to unprotect files that are unshared with other DDP|CE users. The best practice is to unprotect only unshared folders. Question: I am syncing to a decrypted folder that I had deselected using the Manage Folders utility. However, when I try to upload it through the web browser, I can only upload encrypted files. Answer: DDP|CE is not designed to actively search for folders in the cloud. With unencrypted folders, DDP|CE can sync through the sync client because it is controlling that environment. Files going through the web browser are required to be protected. Solution: Add files to the sync folder. Question: I recently uninstalled my cloud-based file sharing system (Dropbox, Box, or OneDrive) from my computer, but when I opened the Manage Folders utility, Dropbox was still listed as an option. Answer: DDP|CE does not monitor installation or uninstallation of third-party software. Those options are still listed because, by design, when these clients are uninstalled they do not remove your existing files. Those f
164. s > Recover Data. Click the Manager tab. For BitLocker: Enter the Recovery ID received from BitLocker. Click Get Recovery Password or Create Key Package. Depending on how you want to recover, you will use this recovery password or key package to recover data. For TPM: Enter the Recovery ID received from BitLocker. Click Get Recovery Password or Create Key Package. Depending on how you want to recover, you will use this recovery password or key package to recover data. 5. To complete the recovery, see Microsoft's Instructions for Recovery. NOTE: If BitLocker Manager does not own the TPM, the TPM password and key package are not available in the Dell database. You will receive an error message stating that Dell cannot find the key, which is the expected behavior. To recover a TPM that is owned by an entity other than BitLocker Manager, you should follow the process to recover the TPM from that specific owner or follow your existing process for TPM recovery. How to Turn Off Manager SSL Trust Validation: When using SED or BitLocker Manager and you want to turn off Manager SSL trust validation, follow the steps below. Dell Enterprise Server. NOTE: The Server Configuration Tool and the Remote Management Console cannot run simultaneously. Close the Remote Management Console before opening the Server Configuration Tool. 1. In the S
165. self after process completion qn No user interface NOTE Do not use both q and gn in the same command line Only use and after qb Example Command Line Installation The installation is performed using the EMAgent_XXbit_setup exe file located in the C extracted Security Tools folder NOTE Be sure to enclose a value that contains one or more special characters such as a blank space in escaped quotation marks To specify a log location other than the default location where the executable is located provide the complete path in the command For example I v CALogs will create install logs in a C Logs folder The following example installs BitLocker Manager silent installation no reboot log file at the specified location no entry in the Control Panel Programs list installed in the default location of C Program Files Dell Dell Data Protection MAgent XXbit setup exe s v CM EDITION 1 SERV bd ERHOST server organization com ERVERPORT 8888 SECURITYSERVERHOST securityserver organization com ECURITYSERVERPORT 8443 ARPSYSTEMCOMPONENT 1 ADDLOCAI ELL Security Tools BITLOCKER FEATURE B an L M 1 v Bitlockerinstall log norestart NUNN fd 146 Enterprise Edition Administrator Guide BitLocker Manager Uninstallation Tasks These instructions detail the process of uninstalling BitLocker Manager client software Prerequisites
166. sure that you have physical access to the drive to be recovered. Ensure that you have access to the Dell installation media. The files in the Windows Recovery Kit folder contain the files needed for this process. Be prepared to create a WinPE image. All instructions and special drivers that are needed to create a WinPE image and recover the computer are included in the Windows Recovery Kit folder. Prepare the Environment or Slaved Drive. SDE Environment Prerequisite: The computer must be booted into the appropriate recovery image or a slaved drive. HCA Decryption Environment Prerequisites: The computer must be booted into any Windows-based alternate operating system environment on the computer to recover, with the hard drive you are trying to recover attached. This can be accomplished by booting to the appropriate recovery image or by booting from another drive or helper partition that has another version of Windows installed but not HCA encrypted. This can be done on any computer running a compatible operating system, as long as the drive to be decrypted is attached and accessible. HCA Recovery Environment Prerequisites: An HCA encrypted drive must be attached. The computer must be booted to the appropriate recovery image (the WinPE HCA recovery environment) that has HCA drivers and other required components. HCA recovery outside of this environment will not work. The booted env
167. sword Manager 3. On the second page of the wizard, the end user types the location and name of the file to be created or navigates to the desired location by clicking Browse. If the end user attempts to back up the data to the same drive as the original data, a warning displays a recommendation to back up the data to portable storage or a network drive. 4. The end user clicks Next. [Screenshot: Specify backup file] 5. On the third page of the wizard, the end user must enter and confirm a password to protect the data in the backup file. 6. The end user clicks Next. [Screenshot: Protect backup file] 7. The final page of the wizard informs the end user that the backup has been completed and lists the applications that have had their data backed up. The end user clicks View Details to view a text log of the backup operations performed. The end user clicks Finish to close the dialog. [Screenshot: Backup completed]
168. ta or double clicks the active area of the icon, the logon data populates the logon screen. Using the context menu or pressing the Password Manager hot key combination (default is Ctrl+Win+H) are the only actions available to fill in logon data if password is the only authentication credential available (no Fingerprint, no Contactless or Smart card). Edit logon: Clicking the Edit Logon menu item opens the Edit Logon dialog. The caption is Edit Logon. The text is the same as in the Add Logon dialog. Add logon: opens the Add Logon dialog. Open Password Manager: The Security Console is opened to the Password Manager page. [Screenshot: Password Manager context menu: Fill in logon data, Edit logon, Add logon, Open Password Manager, Help] Filling in with Windows Credentials: The application allows the end user to use their Windows credentials for web and application logon. Instead of typing the username and password, the end user can choose their Windows credentials from the drop-down menus available in the Add Logon and Edit Logon dialogs. For the username, the end user can choose between the following types: Windows User Name; Windows User Principal Name; Windows Domain User Name; Windows Domain. For the password, the end user can use their Windows password. All options above are hard coded and cannot be modified. [Screenshot: logon account information dialog]
169. ted Files e Be prepared to restart the computer after Cloud Edition client is installed If applicable notify users of the timeframe during which their computers will be rebooted Best Practices IT best practices should be followed during deployment This includes but is not limited to controlled test environments for initial tests and staggered deployments to users Install Cloud Edition Cloud Edition Client locate the installer at C extracted Cloud e Use Cloud_XAbit_setup exe to install or upgrade using a scripted installation using batch files or any other push technology available to your organization Command Line Installation For a command line installation the switches must be specified first The v switch is required and takes an argument Other parameters go inside an argument that is passed to the v switch Switches The following table details the switches available for the installation Switch Meaning lv Pass variables to the msi inside the Cloud_XXbit_setup exe required a Administrative installation x Uninstall mode s Silent mode Parameters The following table details the parameters available for the installation Log File Parameters A v fullpath filename log SERVER lt securityserver organization com gt Enterprise Edition Administrator Guide 161 Options The following table details the display options that can be specified at the end of the argument p
170. terprise Server gt Monitor gt Dashboard gt Dashboard Tab gt Protection Status gt Endpoint Protection Status Endpoints By Platform Protected Not Protected and Total Endpoint Protection Status Endpoints By Platform Protected Not Protected and Total From the Dashboard click an endpoint platform link to display the Protection Status page On the Protection Status page you can view details for each endpoint in the list Each endpoint that is Protected will display a check mark in the Protected column ual endpoint details Endpoint Detail Windows Be sure to periodically check www dell com support for updated documentation Use this guide in the following order Requirements If needed see Pre Installation Configuration to Enable DDP HCA If needed see Pre Installation Configuration to Set Up a BitLocker PBA Partition If your clients will be entitled from the Dell factory or if you purchase licenses from the Dell factory see Set GPO on Domain Controller to Enable Entitlements NOTE If your clients will be entitled from the Dell factory or if you purchase licenses from the Dell factory ensure that outbound port 443 is 12 available to communicate with the Server If port 443 is blocked for any reason the entitlement functionality will not work If you intend to install the clients together from the master installer user interface see Dell Data Protection Master Installer If you intend to insta
171. to a convenient and accessible location You may now use this recovery bundle to Recover Data Recover Data There are two methods to recover data Recover Data using Current Computer If the target computer is still bootable data recovery can be accomplished in place e Recover Data using a Pre Installed Environment or a Slaved Drive If the target computer is not bootable data recovery must be accomplished on the computer booted into the pre installed environment or a slaved drive Instructions to create a pre installed environment are located in the Dell installation media in the Windows Recovery Kit folder Enterprise Edition Administrator Guide 79 Recover Data using Current Computer These instructions restore access to encrypted files by forcing DDP E to re acquire its keys from the server Follow these instructions when the computer is bootable but you are having problems accessing encrypted files 1 2 3 10 Locate the recovery bundle downloaded from the Remote Management Console Copy the recovery bundle to the target computer the computer to recover data Right click the file and select Run as Administrator to launch the recovery utility The recovery bundle that you downloaded from the Server is in a compressed self extracting format The compressed recovery file extracts to the same location as the compressed file and executes A dialog displays prompting you to select the scenario that best describes you
172. trator Guide Share Files With External Users An external user is one with a non domain email address If an internal user wants to work on or share files protected by Cloud Edition with an external user they must coordinate this with the Administrator Administrator Tasks The enterprise determines the extent to which internal users can share business sensitive files and folders with external users For example An internal user can send a request to any external user to register with and install Cloud Edition or e Best practice The enterprise blacklists any user not within the enterprise email domain Internal users must first request that the Administrator add an external user to the whitelist The Administrator can control this through policies and the whitelist blacklist See Allow Deny Users on Whitelist Blacklist External User Tasks The external user must have Administrator rights on their computer in order to install Dell Data Protection Cloud Edition DDP CE Register Cloud Edition The external user must do the following 1 When you receive a registration email click the link 2 At the Registration web page enter your email address and password Confirm your password and click Register 3 A confirmation email will be sent to you Follow the link in the email 4 Log in using the same email address and password you used to register Registration is complete A Cloud Edition download page opens Download Cloud Editio
173. tware stack are required for supporting Hardware Crypto Accelerator HCA This includes the HCA driver and the Trusted Software Stack TSS for TPM 42 Enterprise Edition Administrator Guide Drivers C extracted Drivers e The following example installs the drivers at the specified location does not create an entry in the Control Panel Programs list and suppresses the reboot setup exe S z InstallPath lt c location gt ARPSYSTEMCOMPONENT 1 SUPPRESSREBOOT 1 Then SED Client C extracted Security Tools e The following example installs remotely managed SED silent installation no reboot log file at the specified location no entry in the Control Panel Programs list installed in the default location of C Program Files Dell Dell Data Protection EMAgent XXbit setup exe S v CM EDITION 1 SERVERHOST server organization com SERVERPORT 8888 SECURITYSERVERHOST securityserver organization com SECURITYSERVERPORT 8443 ARPSYSTEMCOMPONENT 1 1 v SEDinstall log norestart qn Then Advanced Authentication Client C extracted Security Tools Authentication The following example installs Advanced Authentication silent installation no reboot log file at the specified location installed in the default location of C Program Files Dell Dell Data Protection DP XXbit setup exe s v norestart l v DPinstall log qn Then Dell C
174. understand folder management of both account types The following table describes encryption based on your DDP Server and policy Encryption DDP Server and Policy Deployment Considerations Encrypt all business and personal files and DDP Enterprise Server VE pre v8 4 or Before Cloud Edition is deployed users folders Dell Enterprise Server should back up pre existing business files that are in cloud storage sync folders to or locations outside the sync folders DDP Enterprise Server VE v8 4 or later la Users with personal files that should with remain unencrypted must move the files Policy gt Dropbox Encrypt Personal Folders out of sync folders or unlink personal gt set to True accounts from business sync clients True is the default After Cloud Edition is deployed cloud files and folders can be viewed only on computers or devices running Cloud Edition If a personal folder becomes unintentionally encrypted see Decrypting Folders in a Personal Account Encrypt all business account files and DDP Enterprise Server VE v8 4 or later You can use the optional Dropbox Encrypt folders Personal Folders Message policy to display a ge policy to display Allow personal account files and folders to customized message to remind users not to remain unencrypted store business files in personal accounts i gt set to False since those files won t be protected The message is displayed at these times with
175. ur computer has DDP JA installed now or has had it installed in the past be sure to follow the steps in Interoperability before you continue If the computer targeted for encryption is equipped with a Hardware Crypto Accelerator or a self encrypting drive ensure that the Active Directory option User Must Change Password at Next Logon is disabled Preboot Authentication PBA does not support this Active Directory option Dell recommends that you do not change the authentication method after Preboot Authentication has been activated SED or HCA policy has been set to True HCA If you must switch to a different authentication method you must either e Remove all the users from the PBA and then re enroll the users Or e Deactivate the PBA SED or set the HCA policy to False HCA change the authentication method and then re activate the PBA SED or set the HCA policy to True HCA On computers equipped with a Hardware Crypto Accelerator or a self encrypting drive to use smart cards with Preboot Authentication the following registry value must be set on the client computer HKLM SOFTWARE DigitalPersona Policies Default SmartCards MSSmartcardSupport dword 1 0 or no key Smart Card Support Off 1 Smart Card Support On There are two methods available to install Dell Data Protection Encryption using the master installer Choose one of the following methods Install DDP E Interactively Install DDP E Using the Command Line
176. uter to restore the Windows default credential provider Uninstall DDP A Once the authentication hardware is deprovisioned uninstall DDP A 1 Launch DDP A and perform a Reset System This will remove all DDP A managed credentials and passwords and will clear the Trusted Platform Module TPM 2 Click Uninstall to launch the installer 3 When the uninstall finishes click Yes to restart NOTE If using a self encrypting drive removing DDP A will also unlock the SED and remove the Preboot Authentication Initialize the TPM 1 Follow the instructions located at http technet microsoft com en us library cc7 53 140 aspx Enterprise Edition Administrator Guide 25 26 Enterprise Edition Administrator Guide Pre Installation Configuration to Enable DDP HCA If the computer targeted for encryption is equipped with a Dell Data Protection Hardware Crypto Accelerator HCA and you intend to use Hardware Crypto Accelerator HCA policies you must first set up and activate the TPM If using legacy HCA you need to set up a System password Follow the instructions detailed in this section to configure DDP HCA prior to the Encryption client installation NOTE The features available as of v8 3 with Enterprise PBA are supported on legacy BIOS non UEFI computers If running Windows 8 or Windows 8 1 follow the instructions detailed in Change Secure Boot UEFI to Legacy Boot Mode in BIOS prior to performing these steps Upgrade Legacy HCA Comp
177. uters Requirements e Computers running legacy BIOS must upgrade to an enterprise BIOS The computer must have at least one partition free to accommodate the Preboot Authentication PBA partition Upgrade Legacy HCA Computers To upgrade legacy HCA computers follow these steps 1 Disable HCA policies and apply the policy change 2 Wait for hard drives to be decrypted 3 Uninstall the Encryption client and Security Tools if needed 4 Upgrade the BIOS a Close all applications b Go to support dell com c In General support gt Select a product click Laptops if Latitude or Desktops amp All in Ones if Precision or Optiplex d Select your model TIP The following computers need the updated BIOS versions to run Enterprise PBA Computer BIOS Needed Latitude E6440 A05 Latitude E6540 A08 Latitude E7240 A08 Latitude E7440 A08 OptiPlex 7010 A16 OptiPlex 9020 A05 OptiPlex 9020 AIO A06 Enterprise Edition Administrator Guide 27 Computer BIOS Needed OptiPlex XE2 A05 Precision M4800 A07 Precision M6800 A07 Precision T1700 A06 e Select Get drivers and downloads in the left menu f Click View All Drivers g Scroll down to Refine your results and expand the BIOS drop down Download and install the updated BIOS following the prompts in the BIOS installer package The following example displays a Latitude E7440 Drivers amp Downloads Change Product Enter Service Tag Additiona
178. will not be able to authenticate jdoe because it cannot find jdoe In a multi domain environment the UPN is recommended although the domain username format is acceptable In a single domain environment the SAM account name is acceptable lt add key cacheExpiration value 30 gt How often in seconds the Service should check to see who is allowed to ask for keys The Service keeps a cache and keeps track of how old it is Once the cache is older than the value it gets a new list When a user connects the Dell Key Server needs to download authorized users from the Dell Device Server If there is no cache of these users or the list has not been downloaded in the last x seconds it will be downloaded again There is no polling but this value configures how stale the list can become before it is refreshed when it is needed lt add key epw value encrypted value of the password gt Password used to communicate with the Dell Device Server If the superadmin password has been changed it must be changed here lt appSettings gt lt configuration gt Windows Service Instructions 1 2 3 4 Go back to the Windows Service panel Start gt Run gt services msc gt OK Restart the Dell Key Server service Navigate to lt Key Server install dir gt log txt to verify that the Service started properly Close the Windows Service panel Enterprise Edition Administrator Guide Remote Management Conso
179. workflow for compliance purposes Dell recommends that you verify that Unprotected has been set as expected either in the Remote Management Console or Compliance Reporter Enterprise Edition Administrator Guide How to Create an Encryption Removal Agent Log File Optional Before beginning the uninstall process you can optionally create an Encryption Removal Agent log file This log file is useful for troubleshooting an uninstall decryption operation If you do not intend to decrypt files during the uninstall process you do not need to create an Encryption Removal Agent log file Create the following Windows Registry entry on the computer targeted for decryption to create an Encryption Removal Agent log file 1 Click All Programs gt Run from the Windows Start menu Enter regedit in the Open field Go to HKLM Software Credant DecryptionAgent Right click in the right pane and select New gt DWORD Value Name the key LogVerbosity Double click the key to open it Enter 0 1 2 3 or 5 in the Value Data field LogVerbosity 0 no logging LogVerbosity 1 logs errors that prevent the Service from running LogVerbosity 2 logs errors that prevent complete data decryption recommended logging level LogVerbosity 3 logs information about all decrypting volumes and files LogVerbosity 5 logs debugging information 8 Select Hexadecimal in the Base section 9 Click OK to save and close the key 10 Close the Registry Editor
180. y turn on encryption for the pre existing folder The files will be encrypted when the files sync to the cloud 3 After the folders are encrypted set the Folder Management Enabled policy for those end points to False Update Cloud Edition Policy The Server Polling Period policy determines how often the client checks for policy updates If you modify a policy that internal end users need to implement before that time interval be sure to inform end users to check for the update 160 Enterprise Edition Administrator Guide Client Tasks You can install the Cloud Edition client by itself by extracting the child installer out of the master installer If you have not extracted the individual installer yet follow the procedure in Extract the Child Installers from the Master Installer The Cloud Edition client can be installed using the user interface or by command line using any push technology available to your organization Activation by the end user is still required Before Installing As a best practice deploy Cloud Edition before users set up cloud storage accounts and store files in them If end users decide to keep existing cloud storage accounts on computers where Cloud Edition will be installed they must use the settings in the cloud storage application to deselect any folders that are to remain unencrypted before you install Cloud Edition Otherwise their existing personal data might be encrypted For more information see Remove Protec
181. ync folder back to its default location or to an alternate managed location NOTE For a list of managed and unmanaged locations contact your Administrator Question I had some archived xen files and I copied them to my desktop Some of them decrypted but others did not Answer During a sync DDP CE is designed to decrypt directly to the Sync folder or decrypt when downloading through a web browser For files that have been copied from another location use Windows Explorer and move the xen file into the sync client folder to be decrypted In the system tray click the Cloud Edition icon and then select Details Locate the xen file and its key to determine if that provides any information Solution Move the xen files into the Sync folder to have them uploaded into the cloud Then they will be decrypted locally Question I renamed my computer Now I am not getting any policy updates and I am not encrypting into the cloud Answer Currently the Server only recognizes the endpoint against which you originally activated If you change the endpoint name the Server will not recognize the location for sending the policy and DDP CE will not perform as expected Solution 1 Uninstall DDP CE and then reinstall You must have Administrator rights to uninstall 2 Activate the same user again NOTE Ensure that you stop syncing files to the local computer before you do this or you will run the risk of having valuable data become un
182. yption Key WSScan does not report files encrypted using Encrypt for Sharing DCID The Device ID As shown in the example above 7vdlxrsb If you are scanning a mapped network drive the scanning report does not return a DCID UCID The User ID As shown in the example above SDENCR The UCID is shared by all the users of that computer File The path of the encrypted file As shown in the example above c temp Dell test log Algorithm 92 The encryption algorithm being used to encrypt the file As shown in the example above is still AES256 encrypted RIJNDAEL 128 RIJNDAEL 256 AES 128 AES 256 3DES Enterprise Edition Administrator Guide Section IV SED Management and Advanced Authentication Enterprise Edition Administrator Guide 93 94 Enterprise Edition Administrator Guide SED Management and Advanced Authentication Installation Tasks e You can install the SED management client and Advanced Authentication clients by themselves by extracting the child installers out of the master installer If you have not extracted the individual installers yet follow the procedure in Extract the Child Installers from the Master Installer The SED management client and Advanced Authentication client can be installed using the user interfaces or by command line using any push technology available to your organization Before You Begin Ensure that the Active Directory optio
