27 April, 2010
More Information
The latest version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=10527
For additional technical information about Check Point visit Check Point Support Center
(http://supportcenter.checkpoint.com).
Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your
comments to us (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Endpoint Security
Full Disk Encryption for Mac 3.2 Administration Guide).
Contents
Preface.....................................................................................................................5
Who should read this guide? ............................................................................... 5
Related Documentation ....................................................................................... 5
Data Security Types ............................................................................................ 6
File Encryption ................................................................................................ 6
Full Disk Encryption ........................................................................................ 6
Full Disk Encryption Features and Benefits ......................................................... 7
Benefits for Administrators .............................................................................. 7
Deploying Full Disk Encryption on One or Many ............................................. 7
User Account Acquisition ................................................................................ 8
Deployment Overview ......................................................................................... 8
Getting Started .................................................................................................... 9
Full Disk Encryption Terminology .................................................................... 9
Roadmap ........................................................................................................ 9
An Administration Overview ................................................................................11
Authority Levels ..................................................................................................11
Administrator .................................................................................................11
User ...............................................................................................................12
Permissions for Roles ....................................................................................12
Overview of the Full Disk Encryption Management Console ..........................13
Full Disk Encryption Management Console Dialog Box..................................13
Configuring System Settings ...............................................................................14
Accessing Local Settings ....................................................................................14
Status Information..........................................................................................15
Editing Local Settings .........................................................................................15
Install Settings ...............................................................................................16
Mount Points ..................................................................................................17
System Passwords Policy ..............................................................................19
User Account Acquisition ...............................................................................20
Wake on LAN ................................................................................................21
Logon ............................................................................................................23
Configuring Group and User Account Settings ..................................................24
Local Settings for Groups and User Accounts ....................................................24
System Settings for Groups ................................................................................25
Group Settings ...............................................................................................26
Creating Group and User Accounts ....................................................................35
Group and User Account Basics .........................................................................35
Creating Group Accounts ...................................................................................35
Default Values and How the Effective Values of Settings are Determined .....37
Adding a User Account to a Group .....................................................................38
Password Authentication ...............................................................................41
Dynamic Token Authentication ......................................................................42
Moving User Accounts........................................................................................44
Working with Configuration Sets.........................................................................45
Set Basics ..........................................................................................................45
Root Directory Path ............................................................................................45
Directories .....................................................................................................45
Creating a New Set ............................................................................................46
Set Management ................................................................................................49
Working with Installation and Update Profiles ...................................................51
Working with Profiles - an Overview ..................................................51
Full Disk Encryption Profile Basics .....................................................................52
Chapter 1
Preface
This preface contains background information on Endpoint Security Full Disk Encryption for Mac benefits
and features, as well as a general discussion of how the product is designed and how it should be deployed.
Endpoint Security Full Disk Encryption for Mac is also referred to as Full Disk Encryption or FDE throughout
this document.
In This Chapter
Who should read this guide? 5
Related Documentation 5
Data Security Types 6
Full Disk Encryption Features and Benefits 7
Deployment Overview 8
Getting Started 9
Related Documentation
This release includes the following documentation:
Table 1-1 Endpoint Security Full Disk Encryption for Mac Documentation
[Table not recovered from the page; it lists each document title with a description, including system requirements and current information about the product.]
File Encryption
File encryption enables users to protect vital data. Organizations often find file encryption insufficient,
however, because it is subject to user discretion regarding what to secure and the willingness of users to
consistently follow security procedures.
Secure Remote Help for users who have forgotten their passwords
With Full Disk Encryption, all logical partitions/volumes are boot protected and encrypted, even if the disk is
removed and loaded into a controlled machine.
The integration of boot protection and automatic encryption provides a high degree of security with minimal
impact on users. This allows an organization to determine the security level instead of leaving it up to the
user to encrypt information.
Boot protection prevents subversion of the operating system or the introduction of rogue programs, while
sector-by-sector encryption makes it impossible to copy individual files for brute force attacks.
Full Disk Encryption guarantees that unauthorized users cannot access or manipulate information on a
protected computer, from either available, erased or temporary files. Full Disk Encryption safeguards the
operating system and the important system files (which often contain clues to passwords), shared devices,
and the network.
The Full Disk Encryption installation on the user's Mac contains all the necessary user account information,
keys, and other data to protect the Mac. This means there is no central user database or key repository to
manage.
Installation, modification and removal of Full Disk Encryption on users' Macs in the network.
Configuration and deployment of a wide range of security and policy settings on users' Macs.
Modification of security policy settings to suit the needs of the entire user population, selected groups of
users, or individual users.
create a new user name and password. This deletes the temporary account, and the user is established as
a normal user in the system.
User account acquisition is transparent to the user, who continues to use the same user credentials he
had before Full Disk Encryption was deployed.
With user account acquisition, the administrator does not need to convey a generic username and
password to the users and then rely on them to create their own credentials, as is the case with
temporary user accounts.
When user account acquisition and single sign-on are both enabled, passwords can be managed
centrally, and users log on one time with one password to gain access to the Mac, Full Disk Encryption,
and network resources.
For instructions on enabling user account acquisition, see "User Account Acquisition" on page 20. For
instructions on enabling single sign-on, see "Single Sign-On (SSO) Settings" on page 31.
Deployment Overview
You can think of Full Disk Encryption deployment in three major steps:
1. The Full Disk Encryption program is first installed and configured on a Full Disk Encryption
administrator's workstation. This is called the master installation.
2. The administrator then configures a Full Disk Encryption installation profile containing all the information
and software necessary to install and manage Full Disk Encryption on the Macs in the network.
3. The administrator uses the installation profile to deploy Full Disk Encryption to users.
The following graphic provides an overview of the deployment process via profiles:
Each of the three major steps is broken down in more detail in this guide. The following is a more
detailed overview of the steps you take to deploy Full Disk Encryption.
Getting Started
The following information is intended to prepare you to begin working with Full Disk Encryption.
Group
A group is a collection of user accounts. Each user account must belong to a group.
Fact: The System group is created automatically when you install Full Disk Encryption. You must create at
least one other group, however, to store user accounts you create that do not belong to the System group.
Set
A set is a share point from which you carry out your remote management tasks for groups and users. Such
tasks are carried out via profiles, which are collected in the set. Sets help to keep you organized by allowing
you to create separate sets for each type of configuration profile. For instance, you can create a set named
Accounting which can be the share point for configuration profiles you want to deploy to the Accounting
department.
Profile
A profile contains all the settings, account information, and software to install Full Disk Encryption on a
client Mac, update settings on a machine with Full Disk Encryption already installed, or uninstall Full Disk
Encryption. Profiles must belong to a set.
Fact: You must create a set before you create profiles.
Roadmap
This summary provides a bird's-eye view of installing, configuring, deploying, and managing Full Disk
Encryption.
A group is a collection of users. Every user must belong to a group. Therefore, you must create a group or
groups before you create user accounts.
Best practice is to create a temporary user account for every group you create. This generic account
facilitates large-scale deployment by allowing Full Disk Encryption to be deployed to many users without the
need to create user accounts for each user prior to deployment. After Full Disk Encryption is installed on the
user's machine, the user simply logs on to the temporary account, at which time he or she is forced to
change the user name and password, thus creating his or her own user account. See "Creating Group and
User Accounts" on page 35.
Chapter 2
An Administration Overview
Full Disk Encryption is managed from the Full Disk Encryption Management Console on any computer that
has Full Disk Encryption installed. This gives administrators control over and easy access to higher-level
functionality without being tied to any one machine.
This chapter explains authority levels, how to access administration functions from any computer, and how
to establish the initial system settings.
In This Chapter
Authority Levels 11
Authority Levels
There are two authority levels in Full Disk Encryption: the administrator, who has full authority, and the user,
whose authority is limited to logging on, viewing his or her settings, and receiving Remote Help. The user
can also change his or her password if the administrator has allowed it.
Administrator
Administrators have centralized control of the creation of the profiles that are used to install, update, and
uninstall Full Disk Encryption on client computers while simultaneously allowing local control of the
deployment of those profiles.
In the example below, administrators can perform the following tasks:
Give Remote Help to users who are locked out or have forgotten their passwords.
At least two competent individuals must be designated as administrators to manage Full Disk Encryption
and the security of the information it contains.
It is imperative that Full Disk Encryption administrators receive adequate training and are not careless,
willfully negligent, or hostile. Full Disk Encryption administrative personnel should follow the instructions
provided in this guide and keep their authentication data private.
User
Users have limited authority, according to what has been defined by the administrator in the system settings.
Each user is assigned an account with a unique user identity and password that together authorize access
to the entire hard disk.
Authorized Full Disk Encryption users must keep their authentication data private.
Table 2-4 Privileged Permissions
[Table not fully recovered from the page; its columns are Permissions, User and Administrators, and its rows include Authority Level and Change Password, with the Administrator entry marked X for both.]
A user can change his own password if the Change Password setting for his account is set to Yes. The
administrator can change authentication for every user.
For more information, see "Configuring Group and User Account Settings" on page 24.
[A second permissions table, with columns Permissions and Description, lists Local Installation, Remote Installation and Remote Help; its descriptions were not recovered from the page.]
Chapter 3
Configuring System Settings
System settings are related to aspects of the product such as installation, logon, and required path
specifications. You use system settings to configure Full Disk Encryption.
Other settings - those for Groups and User Accounts - are relevant for volume access, logging on,
authentication, permissions, and Remote Help. These settings are described in "Configuring Group and
User Account Settings" on page 24.
In This Chapter
Accessing Local Settings 14
Editing Local Settings 15
Status Information
The following Status information is displayed in the main panel (the Status field and Explanation table was not recovered from the page).
Install Settings
Install contains the following settings (the Setting and Description table was not recovered from the page; only the example below survived):
Example: The UVP on the admin machine is changed to B. The admin machine deploys an update profile to the
clients. This update profile is saved on the admin machine after the UVP is changed to B (the profile must be
saved if the UVP in the profile is to be updated to the current UVP of the admin machine). This profile
actually contains both UVPs A and B, and when clients pull the profile, they accept it because it contains A.
In addition, they recognize that the UVP is set to B in this profile, so they change their UVPs to B.
Now, if a client changed its UVP to C and this client deploys a profile (containing UVPs B and C) to all other
clients, the clients that pull the profile will have UVP C. After they have UVP C, none of these clients will
accept an update profile deployed from the admin machine that still has UVP B.
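The UVP chaining in the example above, modelled in Python as an added illustration (this is not code from Check Point or from this guide; the Profile and Client names, the save_profile helper and the stranded_clients pre-publish check are assumptions built from the example's wording, and the acceptance rule is the one the example states):

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Profile:
    """An update profile as the example describes it (assumed model, not the
    product's file format): it carries the UVPs it was saved with (previous
    and current) and the UVP that clients adopt once they accept it."""
    accepted_uvps: FrozenSet[str]
    target_uvp: str


@dataclass
class Client:
    """A Full Disk Encryption client with its current UVP (assumed model)."""
    name: str
    uvp: str
    history: List[str] = field(default_factory=list)

    def pull(self, profile: Profile) -> bool:
        """Acceptance rule from the example: a client accepts a profile only if
        the profile contains the client's current UVP; after accepting it the
        client changes its UVP to the profile's UVP."""
        if self.uvp not in profile.accepted_uvps:
            self.history.append(f"rejected profile for UVP {profile.target_uvp}")
            return False
        self.history.append(f"{self.uvp} -> {profile.target_uvp}")
        self.uvp = profile.target_uvp
        return True


def save_profile(current_uvp: str, previous_uvp: str) -> Profile:
    """Saving a profile after the machine's UVP changed embeds both the previous
    and the current UVP, which is why clients still on the old UVP accept it."""
    return Profile(frozenset({previous_uvp, current_uvp}), current_uvp)


def stranded_clients(fleet: List[Client], profile: Profile) -> List[str]:
    """Pre-publish check for the failure mode in the example: names of clients
    whose current UVP is not carried by the profile, so they would reject it."""
    return [c.name for c in fleet if c.uvp not in profile.accepted_uvps]


def scenario() -> Dict[str, object]:
    """Replays the example: the admin moves A -> B, then a client moves the fleet
    to C, after which the admin machine (still at B) can no longer update it."""
    fleet = [Client("mac1", "A"), Client("mac2", "A"), Client("mac3", "A")]
    admin_update = save_profile(current_uvp="B", previous_uvp="A")
    first_round = [c.pull(admin_update) for c in fleet]
    # One client changes its own UVP to C and deploys a profile carrying B and C.
    fleet[2].uvp = "C"
    client_update = save_profile(current_uvp="C", previous_uvp="B")
    for c in fleet[:2]:
        c.pull(client_update)
    # The admin machine is still at B and deploys another update profile.
    later_admin_update = save_profile(current_uvp="B", previous_uvp="A")
    stranded = stranded_clients(fleet, later_admin_update)
    second_round = [c.pull(later_admin_update) for c in fleet]
    return {
        "first_round": first_round,
        "final_uvps": {c.name: c.uvp for c in fleet},
        "stranded": stranded,
        "second_round": second_round,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Running stranded_clients against the fleet before publishing shows which clients a profile saved on the admin machine can no longer reach.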
Other Install settings listed on the page: Product License and Encrypt everything (their descriptions were not recovered).
Mount Points
Mount Points contains the following settings:
You can click on a drive in the Mount Points folder to obtain information about how a drive is encrypted and
the status of the encryption process.
If no drives are encrypted, no drives are listed in the Mount Points folder and the Mount Points settings are not
visible.
Settings and descriptions (the descriptions of Algorithm, Key Length, Device name, and Mount point were not recovered from the page):
Algorithm
Key Length
Device name
Mount point
Volume
The volume name is always displayed, for example, /.
GUID
If the volume is encrypted by Full Disk Encryption, the GUID for the volume is displayed. If the volume is not
encrypted, this information is not displayed.
Status
The attribute Status displays the current action (Encrypted, Encrypting, Decrypting, Decrypted) and its
percentage of completion for FDE-encrypted volumes.
If you set Enable User Account Acquisition to Yes, you must select a Full Disk Encryption group in which to
place the Full Disk Encryption user accounts that are created through the user account acquisition function.
See "Select Group" on page 21 for instructions.
Select Group
Select Group contains the following setting: Select Group (its description was not recovered from the page).
Wake on LAN
Full Disk Encryption can be used together with Wake-on-LAN (WOL) network cards, which can be
configured to start the system in Wake-on-LAN mode. The FDE Wake-on-LAN functionality will
automatically log on to the computer after the computer has booted with the help of WOL network cards.
This allows the operating system to start and remote updates to be performed.
Logon
The Logon settings apply to the Full Disk Encryption preboot logon. The Logon settings are located under
Full Disk Encryption > System Settings > Logon. The following settings are available for Logon:
Set Max Failed Logons Before Reboot
Sets the maximum number of failed logons allowed before a reboot is invoked, or disables this function.
Chapter 4
Configuring Group and User Account
Settings
This chapter introduces the configurable settings for both groups and user accounts, which you will create
later. These settings are related to logging on, authentication, and permissions.
Each setting has a default value, but a value that you set (specify) always overrides a default value. Thus,
for certain important settings, for example, those related to password policy, you may want to set the values
rather than relying on the defaults.
In This Chapter
Local Settings for Groups and User Accounts 24
System Settings for Groups 25
2. Click Edit Settings to display the Local folder tree in the left panel.
These settings can be specified for both groups and user accounts.
3. Do one of the following:
The settings displayed include GUID and Expiration Date (their descriptions were not recovered from the page).
Group Settings
Click Group Settings.
The folders containing group settings are displayed:
Logon Settings
Click Logon under Group Settings.
The following settings are displayed:
Authentication Settings
Fixed Password
Click Fixed Password.
The Fixed Password settings displayed include Allow Consecutive, Identical Characters, Allow Password of
Adjoining Characters, and Password History (their descriptions were not recovered from the page). One of
the password rules reads: make sure the password does not include any word that can be found in a
dictionary; you can use parts of words.
Dynamic Token
Full Disk Encryption supports dynamic tokens.
Click Dynamic Token.
The Dynamic Token settings displayed include Challenge length and Response length, and the group settings
also include Authority Level (descriptions not recovered from the page).
Permissions Settings
Click Permissions.
The following settings are displayed; they include Change Password (the settings table was not recovered from the page).
usual. Full Disk Encryption stores this information securely and uses it on subsequent logons where SSO
has been enabled. When the option is not selected, no credentials are passed to the network. This permits a
different network account to be used.
When SSO is turned off, no network credentials are recorded or used, and the chain is broken. When SSO
is turned back on, the previous credentials must be specified again for SSO to function.
Single Sign-On
Click Single Sign-On.
The following setting is displayed: Enable SSO (its description was not recovered from the page).
Remote Help
Click Remote Help.
The following settings are displayed:
Note - For Remote Help to function, both the user account of the
Remote Help provider and of the Remote Help recipient must exist on
the computer. Note also that the Remote Help provider's group
authority level must be equal to or higher than the group authority level
of the Remote Help recipient.
Chapter 5
Creating Group and User Accounts
This chapter explains how to create and manage Full Disk Encryption groups and user accounts on the
computer on which you installed Full Disk Encryption.
In This Chapter
Group and User Account Basics 35
Creating Group Accounts 35
Adding a User Account to a Group 38
Moving User Accounts 44
2. Click the New Group button and enter a group name in the New Group dialog box:
3. Click OK. The new group is now listed in the tree under Groups (in this example, it is ABC Group).
There are currently no user accounts in the User Accounts folder in ABC Group:
4. In the Group Settings folder for the new group you created, configure the relevant group settings. See
"Configuring Group and User Account Settings" on page 24.
5. Click on the group name (in this example, it is ABC Group), to display the following setting:
Expiration Date (its description was not recovered from the page).
6. Expand the Group Settings folder tree for the new group, and you see the folders as described in
"Configuring Group and User Account Settings" on page 24:
[Default-values table not recovered from the page. The settings it lists include Allow Special Characters,
Allow Consecutive, Identical Characters, Allow Leading or Trailing Space Characters, and under Password
Settings, Allow Password of Adjoining Characters and Password History, as well as Authority Level; the
recovered cell values are Enabled, Disabled, Six characters, Default, and Administrator.]
Under the System group folder is a tree of User Accounts where you find the two user accounts you
defined during installation.
These two users are assigned administrator privileges; that is, Privileged Permissions is set to
Administrator and the Permissions are set to Yes. Almost all other user accounts you define are assigned
significantly more restricted privileges than those of an administrator.
Normal
A regular user account is usually created for users of the computer on which you are working. This account
can also be used as an administrator account and be included in a profile when you deploy Full Disk
Encryption.
Temporary
This account is used in a profile to create user accounts for large-scale deployment of Full Disk Encryption,
without the need to create individual user accounts manually.
3. Choose the authentication method: Password or Dynamic Token.
After specifying the logon name, type, and password authentication method, click OK.
A temporary user account is defined in the same way as a normal user account.
Password Authentication
1. Fill in the password details:
Password protection
The password must meet the criteria you specified for fixed passwords in Group Settings. While you enter
the password and confirm it in the Confirm Password text box, the label Password Match displays a red icon
until the password is matched. The red icon displays until the password meets all the configured criteria for
passwords. When criteria are met, a green icon displays.
Confirm Password
Force change of password at next logon
Password Rules
(The descriptions of the last three fields were not recovered from the page.)
2. Click Next, and after viewing the result do one of the following:
If you want to make changes, click Back, make the changes and click Finish.
Use the above procedure to define any other user accounts that will use password authentication.
2. Click Next.
Enter the token key you received with the token from Check Point.
The remaining token settings are Challenge Length, Response Length, Challenge Format, and Response
Format (their descriptions were not recovered from the page).
If you want to make changes, click Back, make the changes and click Finish.
Use the above procedure to define any other user accounts that will use dynamic token authentication.
Chapter 6
Working with Configuration Sets
This chapter explains configuration sets and how to create, use, and manage them.
In This Chapter
Set Basics 45
Root Directory Path 45
Creating a New Set 46
Set Management 49
Set Basics
Configuration sets, hereafter referred to as sets, are share (or collection) points where you store the profiles
you use to carry out your remote management tasks. Typical remote management tasks include installing
(and uninstalling) Full Disk Encryption on remote clients and updating the configuration on remote clients,
and so on.
Best practice is to create sets to collect logical groupings of profiles. For example, you can create
Set_Accounting to house the profiles for the Accounting department, Set_Development for profiles
belonging to the Development department, and so on.
Directories
Storage
The Storage directory is where you store profiles while you edit them in the Full Disk Encryption
Management Console prior to publishing them. As long as the profiles are in this directory, they cannot be
pulled by clients. It is a dedicated share for profile development.
Install
The Install directory is where you publish installation packages, installation profiles, and other configuration
files that clients need to access to install Full Disk Encryption, for example, the Full Disk Encryption
Install.pkg file.
Recovery
The Recovery directory is where Full Disk Encryption stores recovery files and serves as the target directory
for clients' recovery files. Recovery files contain information required to decrypt the Full Disk
Encryption-protected computer. You normally create the recovery path during the master installation. For
more information on recovery, see "Recovery Media" on page 75.
In a profile, this path is referred to as the Recovery Path. Set it by editing the profile and specifying the path
to use in System Settings > Install > Set Recovery Path.
Update
The Update Profile directory is where update and uninstall profiles are published so they can be pulled by
the clients.
In a profile, this path is referred to as the Update Profile Path. Set it by editing the profile and specifying the
path to use in System Settings > Install > Set Update Profile Path.
3. Enter a name that makes clear what the configurations and profiles belong to, for example
"Set_Accounting" for a set that contains the configuration and profiles for the accounting department,
"Set_Development", etc.
You can select Automatically create a directory structure if you want Full Disk Encryption to create
folders. This requires that you have previously configured a root directory on which to create the
directory structure. This root directory must be a shared folder on the network, for example:
/var/share/
You must also have the required permissions to create the directories. If these conditions are met, and
you specify the shared folder under Enter the root directory in which the directories will be created,
the Full Disk Encryption Management Console automatically creates the following subfolders in the
shared folder and displays them in the relevant fields of the wizard:
<shared folder>\storage
<shared folder>\install
<shared folder>\recovery
<shared folder>\update
4. Click Next.
The Name dialog box opens:
5. Specify a storage path, the path to a directory that holds the profiles while you edit them.
The profiles you are working on are stored in this directory until you publish them. As long as they are in
the storage directory, you can edit them, and they cannot be pulled by remote clients. You must click
Add for the path to be included in the set.
7. Specify an Install path, the path to a directory containing the Full Disk Encryption installation package.
You must click Add for the path to be included in the set.
8. Specify the recovery path, the path to the directory where the set's recovery files are located and to
which clients copy their recovery files.
This path must also be set in the profiles that are put in this directory; in the profile, this path is referred
to as the Recovery Path, and is set by editing the profile and setting this path in System Settings >
Install > Recovery Path. You must click Add for the path to be included in the set.
The set is created. The set configuration is saved when the set is created.
Set Management
After you create a set, Full Disk Encryption provides a dialog box where you can manage the set and view
information about it.
To manage a set:
Click the set name in the Full Disk Encryption Management Console.
The following dialog box is displayed:
The dialog box lists the following labels and descriptions (the descriptions of Set name and Created were not
recovered from the page):
Set name
Created
Update Profiles
Path(s)
Installation Profiles
Path(s)
Actions
The links in the Action section allow you to edit set properties and open wizards to help you to create a new
profile, publish a new profile, and create recovery media.
Last Published Profile
Publication date and time of the profile most recently published to this set.
Notes
A free text area where you can enter information or notes about the set.
Chapter 7
Working with Installation and Update
Profiles
This chapter explains how to create Full Disk Encryption profiles that you can use to:
Install Full Disk Encryption on the computers (client machines) in your networks
Manage the user accounts, groups and other settings on client machines
In This Chapter
Working with Profiles - an Overview 51
Full Disk Encryption Profile Basics 52
Creating Installation Profiles 53
Working With Update Profiles 59
Deploying Profiles 61
Updating Full Disk Encryption Software 63
What's in a Profile?
All profiles contain system settings. They can also contain group settings and user account settings; these
settings are optional, however.
System Information
System information includes paths to the central server where recovery files, update profiles and software
updates are stored. It also includes settings related to, for example, installation and Remote Help.
In addition, installation profiles also contain information on which disk volumes are to be protected by Full
Disk Encryption, the encryption algorithms to be used, and the type of security (encryption and boot
protection, or boot protection only) to be used.
Group Information
Group information contains the system settings for local groups and their authorization rights, including the
user's right to receive Remote Help and security settings. Group information also contains the privileges for
administrators and user accounts at the group level.
Profile Types
There are three types of Full Disk Encryption profiles:
Installation profiles
Update profiles
Uninstall profiles
Installation Profiles
An installation profile, which is called an install profile in Full Disk Encryption Management Console,
contains the group and user account information and system settings you configured. You deploy the install
profile together with the Full Disk Encryption Install.pkg file to install Full Disk Encryption on one
or many clients.
You can deploy an installation profile in the following ways:
Interactive installation: You create and save an install profile on a secure workstation. You then move the
install profile and the .pkg file to the install directory, a secure shared directory on the network. The install
profile can be started from any device that can map a drive and install a .pkg file from that location. The
installation proceeds in much the same way as a master installation, except the client user is not prompted
to create administrator accounts or insert the Check Point license. See "Publishing an Install Profile" on
page 61.
Silent installation: You write a command that causes Full Disk Encryption to be installed on the client
without any interaction with the user. See "Deploying an Install Profile Silently" on page 62 for details.
Update Profiles
As changes in security requirements and personnel occur, you deploy update profiles, which contain new or
changed settings, to Full Disk Encryption-protected computers.
You do this by creating and placing an update profile in the Update directory on the designated file server.
Full Disk Encryption-protected computers regularly check this directory for new update profiles. When they
find a new update profile they download it automatically and implement the changes. For more information,
see "Creating an Update Profile" on page 59.
Uninstall Profiles
An uninstall profile contains the settings needed to remove Full Disk Encryption from a Mac. If, for any
reason, you need to remove Full Disk Encryption from computers in your network, you can do so by placing
an uninstall profile in the Update directory. See "Removing Full Disk Encryption" on page 70 for more
information.
An existing profile, or
The local settings of the computer on which you create the profile.
When you base a new profile on local settings or an existing profile, you can select which settings you want
to use (if you do not choose to base it on Group Settings, the User Account Settings choice is grayed out
and cannot be selected).
Deploying the profile to computers in the network; see "Deploying Profiles" on page 61.
Note - Before you can create any profiles, ensure the Update
Validation Password (Local > Edit Settings > System Settings >
Install) is set.
In addition, you should already have the appropriate set or sets in
place. For the purposes of the following instructions, we created three
sets: Set Accounting, Set Development and Set Sales. See "Working
with Configuration Sets" on page 45 for instructions on creating sets.
2. Click Next.
3. Select the set in which you want to include the installation profile, and click Next:
5. Enter the name of the new profile (in this example, it is install_accounting).
Note - The / character is not allowed in profile names. For example,
update profile.upp is a valid profile name, but update
profile/admin.upp is not.
6. Enter and confirm the password, which is required when you edit the profile.
Note - The password policy applied to the password specified here is
the default policy for the profiles. It consists of the three rules shown in
the Password Rules section of the New Profile dialog box.
7. Click Next:
8. Select Existing profile or local settings to base the profile on the local settings of the computer on
which you are creating the profile or on an existing profile:
9. You can either click Next or select to base the profile on Existing profile or local settings, and then
click Next.
If you click Next without choosing to base the profile on an existing profile or local settings, the profile is
based on default system settings only.
10. If you select to base the profile on Existing profile or local settings, you must then either browse to an
existing profile, or
Double-click on a set that contains a profile you want to base the new profile on and then select the
profile, or
Specify which local settings the new profile is to be based on (System, Group, or User Account).
11. Make your choice, and click Next.
12. View the information and, if satisfied, complete the creation of the profile by clicking Finish:
The installation profile created in this example is displayed under Set Accounting:
Sanity Checks
The profile you just created contains system settings that are installed on the client machines when you
deploy the profile.
When you click OK, Full Disk Encryption performs a number of sanity checks on the profile before you can
save it. The Settings That Might Have Undesirable Effects window displays the results of the sanity
checks, for example:
You must fix the problems listed in the sanity check dialog box before the profile can be created.
The following sanity checks are performed on the profile:
Are there any accounts in the profile for which no type of authentication has been defined?
This warning occurs only when you create a profile based on local settings. You must manually set the
authentication:
Do at least two user accounts in the profile have authority level set to administrator?
Recovery media cannot be created, and the system cannot be recovered unless at least two user
accounts have administrator authority on the machine on which Full Disk Encryption is installed with this
profile.
You cannot remove Full Disk Encryption from the machine on which it has been installed with this profile
unless the profile contains at least two user accounts that have administrator authority.
Has an expiration date been set for each temp user account in the profile?
You should define an expiration date for each temp user account. If you do not, you are warned about
each temp user account that does not have an expiration date defined.
To make changes to settings that have caused a warning in the Settings That Might Have
Undesirable Effects window:
Click OK to acknowledge the sanity check dialog box and then alter the relevant setting or settings.
Each time you make corrections and click OK to create the profile, the sanity checks are performed, and
any warnings of problematic settings are displayed. If none of the sanity checks produce a warning, the
profile is created.
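The three sanity checks listed above are rules over the accounts a profile carries. The following is an added example, not Check Point's code and not the console's own implementation: it models the checks as a function you can run over a profile description before attempting to create it. The dict layout and the field names (`accounts`, `auth`, `authority`, `temporary`, `expires`) are assumptions made for this illustration; the Management Console uses its own profile format.

```python
"""Added example (not Check Point's code): a pre-flight model of the three
profile sanity checks, run over a constructed profile representation.
Field names are assumptions for this illustration only."""
from datetime import date


def profile_sanity_checks(profile):
    """Return a list of warning strings; an empty list means the profile passes."""
    warnings = []
    accounts = profile.get("accounts", [])

    # Check 1: every account needs an authentication type (password or dynamic
    # token). The guide notes this only arises for profiles based on local settings.
    for acct in accounts:
        if not acct.get("auth"):
            warnings.append(f"account '{acct['name']}' has no authentication type defined")

    # Check 2: at least two accounts with administrator authority, otherwise
    # recovery media cannot be created and FDE cannot be removed from the client.
    admins = [a for a in accounts if a.get("authority") == "administrator"]
    if len(admins) < 2:
        warnings.append(f"only {len(admins)} administrator account(s); at least two are required")

    # Check 3: every temporary user account should carry an expiration date.
    for acct in accounts:
        if acct.get("temporary") and acct.get("expires") is None:
            warnings.append(f"temporary account '{acct['name']}' has no expiration date")
    return warnings


# Constructed sample profile, loosely mirroring the install_accounting example above.
SAMPLE_PROFILE = {
    "name": "install_accounting",
    "accounts": [
        {"name": "Admin_A", "authority": "administrator", "auth": "password"},
        {"name": "Admin_B", "authority": "administrator", "auth": "dynamic_token"},
        {"name": "temp_setup", "authority": "user", "auth": "password",
         "temporary": True, "expires": date(2010, 6, 30)},
        # Imported from local settings with no authentication type set (constructed).
        {"name": "alice", "authority": "user", "auth": None},
    ],
}

if __name__ == "__main__":
    for w in profile_sanity_checks(SAMPLE_PROFILE):
        print("WARNING:", w)
```

Running the block reports the one problem in the constructed profile (the `alice` account with no authentication type); fix the flagged settings and re-run until the list is empty, which is the same loop the console enforces with the Settings That Might Have Undesirable Effects dialog.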
The new profile is prepopulated with the local System Settings of the machine on which the profile was
created. If any of these values have not been set on the local machine, the Full Disk Encryption default
values are used. It is good practice to examine the System Settings in the profile and make any required
changes.
3. Examine the default settings in the installation profile and decide if they are to your satisfaction:
System Settings: If necessary, change the settings to the desired values. See "Configuring System
Settings" on page 14 for a description of these settings.
Group settings for the Administrator group: Set the permissions for the group that contains the
administrators. Administrators usually have stricter rules for passwords than normal user accounts.
See "Configuring Group and User Account Settings" on page 24 for a description of these settings.
Note - Basing the update profile on an existing profile can cut down on
configuration time.
An update profile applies all settings from the user account and group settings to the target installation(s).
2. Follow the rest of the procedure "Creating Installation Profiles" on page 53 to complete the update
profile.
If you wish to base the update profile on an existing profile, select the appropriate option in the wizard
when prompted.
Remove user account: Remove user account deletes all data regarding the user or group from the profile. If
you deploy this profile, it does not affect the users or groups you just removed, because no information
about these users or groups is left in the profile.
Because Remove user account simply removes data from the profile, it is a way to edit the contents of a
profile. You might have five groups, and want to update a setting for only one of the groups. In this case, you
could remove the four groups you do not want to affect, leaving only the group you want to change in the
profile.
Mark for removal: When marking a group or user account for removal, the group or user remains in the
profile and acts as a container for sending the information to remove the group or user on the machine(s)
the profile is deployed to.
Mark for Removal is used to remove data at remote machines; in other words, all the information about the
user or group is in the profile because it has to be sent to the client(s) where it removes the user or group.
The information must be sent to the client, so it is designated as "Mark for Removal" to signify to the admin
that this user or group is to be removed on the client machine(s).
Alternative 2
Deploying Profiles
Note - Do not place the profile in the shared Update Profile directory
because this causes the deletion of all user accounts created with the
temporary user account.
Note - All computers on which you want to deploy Full Disk Encryption
profiles must have read and execute permissions to the applicable
directory, that is, the Profile, Update, or Install directories.
The Update Profile paths that have been configured in the set are displayed as selectable choices under
Publish profile.
2. Select the configured update profile path you want.
The profile is automatically copied to the selected path.
3. Place the Full Disk Encryption Install.pkg file in the same directory as the profile.
The install profile is published. You are now ready to deploy the install profile interactively (see
"Deploying an Install Profile Interactively" on page 62), or silently (see "Deploying an Install Profile
Silently" on page 62).
Note - Full Disk Encryption can take several hours to encrypt the disk.
During this time, the user can continue to work. It is also possible to
initiate an uninstallation of Full Disk Encryption while it is encrypting
the disk. If you do so, Full Disk Encryption will finish encrypting, and
then decrypt the disk again before it uninstalls Full Disk Encryption.
Check the recovery (.rec) files found in the predefined Recovery directory/directories on the file share(s).
The number of recovery files should correspond to the number of clients deployed; that is, there should be
200 recovery files in the directory/directories if Full Disk Encryption was deployed to 200 clients. Each
recovery file is identified with the client machines name and the computer serial number in the file name, for
example:
<computer name>_<computer serial number>.rec
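The deployment check above is easy to script. The following is an added example, not Check Point's code: it counts the .rec files in a Recovery directory, parses the documented `<computer name>_<computer serial number>.rec` naming convention, and reports how many clients are unaccounted for, which file names do not follow the convention, and which serial numbers appear more than once. The directory path and the sample file names are constructed for this illustration.

```python
"""Added example (not Check Point's code): audit a Recovery directory after a
Full Disk Encryption deployment using the documented .rec naming convention.
Sample directory contents below are constructed."""
import os
import tempfile
from collections import Counter


def parse_recovery_name(filename):
    """Split 'name_serial.rec' into (name, serial); None if the name is malformed.
    Computer names may themselves contain underscores, so split on the last one."""
    if not filename.endswith(".rec"):
        return None
    stem = filename[:-4]
    name, sep, serial = stem.rpartition("_")
    if not sep or not name or not serial:
        return None
    return name, serial


def audit_recovery_files(filenames, expected_clients):
    """Return a report dict: well-formed file count, expected count, number of clients
    with no recovery file, malformed names, and serials that appear more than once
    (two files for one serial usually means a client wrote a second recovery file)."""
    parsed = [(f, parse_recovery_name(f)) for f in filenames]
    malformed = sorted(f for f, p in parsed if p is None)
    serials = Counter(p[1] for _, p in parsed if p is not None)
    return {
        "found": len(filenames) - len(malformed),
        "expected": expected_clients,
        "missing": max(expected_clients - len(serials), 0),
        "malformed": malformed,
        "duplicate_serials": sorted(s for s, n in serials.items() if n > 1),
    }


def audit_recovery_dir(path, expected_clients):
    """Run the audit over the .rec files actually present in a directory."""
    names = [f for f in os.listdir(path) if f.endswith(".rec")]
    return audit_recovery_files(names, expected_clients)


if __name__ == "__main__":
    # Constructed sample directory standing in for the file share's Recovery directory.
    with tempfile.TemporaryDirectory() as recdir:
        for f in ["acct-mac01_W8012ABC1.rec", "acct-mac02_W8012ABC2.rec",
                  "sales_mac_03_W8012ABC3.rec", "stray.rec"]:
            open(os.path.join(recdir, f), "w").close()
        print(audit_recovery_dir(recdir, expected_clients=4))
```

Point `audit_recovery_dir` at each configured Recovery directory and pass the number of clients the profile was deployed to; a non-zero `missing` count or any `malformed` entry is the cue to investigate those clients before relying on the recovery files.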
Description Specifications
Banner.jpg 447w * 87h
Desktop.jpg
Scrsvr.jpg 260w * 128h
Chapter 8
Remote Help
Full Disk Encryption users may be denied access to their workstations for a number of reasons. For
example, they might have entered an incorrect password too many times or forgotten their password or, in a
worst case scenario, a hacker may have tried to break into their workstation.
Full Disk Encryption Remote Help is designed to assist users in these types of situations. A user simply calls
his/her designated Remote Help administrator and follows the Remote Help procedure.
In This Chapter
webRH or Full Disk Encryption Management Console? 65
Implementing a Remote Help Procedure 65
Types of Remote Help 67
Verifying Users 67
Providing Remote Help 67
Create designated administrator account(s) for Remote Help. The number of accounts you should
create depends on your organization.
After you create the accounts, assign them to the people providing Remote Help.
Inform users whom they should call when they need Remote Help.
Note - For Remote Help to function, both the user account of the
Remote Help provider and of the Remote Help recipient must exist on
the computer.
The Remote Help provider's group authority level must be equal to or
higher than the group authority level of the Remote Help recipient.
Description
Provide Remote Password Change
Receive Remote Password Change
Provide One-Time Logon
Receive One-Time Logon
One-Time Logon
For users who have forgotten or lost their dynamic tokens.
Verifying Users
Before you provide Remote Help to a user, you must be sure that the user is actually authorized to access
the workstation. You can do this in a number of ways, for example:
Use predetermined questions and answers that only legitimate users know
Keep a list of sample questions to ask, such as the user's name and favorite color, wife's maiden name,
brand of car, etc. Some of the questions could have randomized, fixed answers; for example, when
asked about his/her favorite pet, the user could answer "clouds" instead of "cat".
Store the questions and answers in a separate database that is accessible to all Remote Help
administrators.
2. Using an account with Remote Help privileges, start the Full Disk Encryption Management Console and
open the Remote Help screen:
Field/option: Information/action
STEP 1: Type of end-user assistance to be provided
One-Time Logon: If the user does not have access to her dynamic token.
STEP 2: Type of helper authentication
Password: For a fixed password.
Dynamic Token: For a dynamic token.
Field/option: Information/action
Response One
STEP 3: Helper Password
Response Two
The user is now forced to set a new password or is given one-time access to the workstation, depending
on the type of Remote Help you provided.
Chapter 9
Removing Full Disk Encryption
You can remove Full Disk Encryption by:
Creating and deploying an uninstall profile, which allows for easy removal from many computers; see
"Uninstall Profiles" on page 70.
Allowing a user to remove Full Disk Encryption and decrypt their computer using Remote Help; see
"Remote Help" on page 65.
In This Chapter
Uninstall Profiles 70
Removing Full Disk Encryption Management Console 72
Uninstall Profiles
To complete the creation of the uninstall profile, Full Disk Encryption prompts for the authentication of two
system administrators. Therefore, the machine on which you create the uninstallation profile must contain at
least two system administrator accounts that are also on the clients you want to uninstall.
Note - An uninstallation profile cannot be edited.
The following sections explain how to create and deploy an uninstall profile.
3. Click Next and select the set name, (in this example, Set Accounting), and click Next:
Example
Let us say that you manually install Full Disk Encryption on what is called the admin machine. You define
two administrator user accounts, let us call them Admin_A and Admin_B.
Admin_A and Admin_B, two administrators who are unknown to the target machine (which knows of only
Admin_C and Admin_D). For this reason, the profile is not activated on the target machine.
You might think that you can define Admin_A and Admin_B on the target machine via an update profile.
However, this results in the creation of two user accounts named Admin_A and Admin_B on the target
machine. Although these accounts have the same names as the accounts on the admin machine, the
accounts on the target machine have GUIDs that are different from those of the Admin_A and Admin_B
accounts on the admin machine.
Move the uninstall profile from wherever it is stored to the Publish directory you specified.
Note - When the decryption process is finished, the Mac is no longer
protected.
One Full Disk Encryption administrator with the right to remove Full Disk Encryption,
and
One Full Disk Encryption user (who could also be an administrator) with the right to remove Full Disk
Encryption
Removal Procedure
To remove Full Disk Encryption:
1. Open the Full Disk Encryption Management Console and select File > Uninstall.
2. Enter the user account name of the first user account that has administrator authority level in Full Disk
Encryption and click OK.
The following dialog box opens:
3. Enter the user account password of the first user account that has administrator authority level in Full
Disk Encryption and click OK.
The following dialog box opens:
4. Enter the user account name of the second user account that has administrator authority level in Full
Disk Encryption, and click OK.
5. Enter the user account password of the second user account that is authorized to uninstall Full Disk
Encryption, and click OK.
You are notified that the uninstallation process is activated.
6. Click OK.
A dialog box opens, displaying the volumes protected by Full Disk Encryption.
7. Restart the computer.
When the computer has restarted and logon is successful, background decryption starts in the Mac OS.
When this is completed and the computer restarts, boot protection and the Full Disk Encryption
Management Console are removed.
Note - It can take several hours to decrypt the disk. If you shut down
the Mac during uninstallation, decryption continues when you restart
the Mac. Full Disk Encryption is not removed until the disk is fully
unencrypted and you reboot the Mac.
Chapter 10
Recovery Media
This chapter discusses how to recover encrypted information.
In This Chapter
Full Disk Encryption Recovery File 75
If the Recovery File Path is Not Found 75
Creating a Recovery Media 75
Creating the Recovery Media with the Wizard 76
Creating the Recovery Media Manually 78
Using a Recovery Media to Decrypt Volumes, Uninstall FDE, and Recover Information 78
Mounting Encrypted Volumes 79
A change in the machine's encryption state (for example, if the state changes from 'Encryption' to
'Encrypted')
3. Choose either Find recovery file via a configuration set or Browse file system for recovery file. In
the example below we select the former:
4. Select the set that contains the recovery file from Available Configuration Sets, and click Next:
5. Select the recovery file from Available Recovery Files, and click Next:
6. Click Finish to launch the recovery tool for the recovery file displayed in the Finish Recovery Wizard:
The path to the recovery file (and the recovery file name)
Note - Do not, under any circumstances, press the power button while
performing a recovery. Doing so renders all data on the disk
unrecoverable.
Ensure that the Mac is connected to a reliable power source when
performing a recovery. Do not perform a recovery on battery power.
The script works only on volumes that are fully encrypted (not
during bg-encryption or decryption).
Boot the machine while holding down T and connect to the other machine using FireWire (TDM).
OR
Boot machine with Netboot (including root volume mounted from the network)
1. Run /Volumes/<RECIMG>/recovery/attachslave.command
Where <RECIMG> is the name of the recovery image volume. The attachslave.command script asks for the
username/password of the user in the recovery image (for example, admin).
You can open the Terminal and run attachslave.command from the command line, or double-click it in
Finder.
The encrypted volume should appear (auto-mounted) under /Volumes (that is, as it would normally appear
when not encrypted).
Chapter 11
Authenticating to Full Disk Encryption
This appendix discusses how users use fixed passwords and dynamic tokens to authenticate themselves to
access their Full Disk Encryption-protected computer.
Note - Full Disk Encryption administrators should distribute this
information, as deemed appropriate, to users before users access
their Full Disk Encryption-protected computers for the first time.
In This Chapter
About Authentication 81
Authenticating for the First Time 82
What if I forget my password? 84
What if I don't have access to my token? 85
About Authentication
Being authenticated means being verified by Full Disk Encryption as someone who is authorized to use a
specific computer. When you switch on or restart a Full Disk Encryption-protected computer, the User
Account Identification dialog box opens:
Here you must enter a valid user account name and password. Full Disk Encryption verifies that you are
authorized to access the computer and allows the computer to start.
Navigating
You can use a mouse to navigate in the Full Disk Encryption user identification boxes and to select options.
You can also move around in the dialog boxes by pressing TAB and ENTER, and you can select options
using the space bar.
2. To ensure that your computer has not been tampered with, press CTRL+Command+Power.
Your computer restarts and Full Disk Encryption re-displays the User Identification dialog box.
3. In the Username field, enter the username you received from your administrator and press the TAB key
to move to the Password field:
4. Enter the password you received from your administrator. The password is obscured with asterisks (*)
when entered. Click OK.
Full Disk Encryption confirms that you entered a valid username and password.
Depending upon how the administrator configured your Full Disk Encryption installation, the SSO Active
checkbox may be enabled. If you want to log in only to the Mac OS X without being automatically logged
in to other applications, you must disable single sign-on temporarily. See the next step for instructions.
5. To disable single sign-on temporarily while logging into preboot, clear the checkbox before continuing to
boot up in the Mac OS X.
6. Click OK to close the message box.
The following dialog box opens only if you are logging in with a temporary user account. If you do not
have a temporary user account, go to step 8.
8. Enter and confirm the password you want to use and click OK.
Note - If you are not logging in with a temporary user account, this
dialog box may not display, depending upon how Full Disk Encryption
is configured.
Full Disk Encryption confirms that you successfully accessed the computer for the first time using your
FDE Admin credentials:
2. To ensure that your computer has not been tampered with, press CTRL+Command+Power.
Your computer restarts and Full Disk Encryption re-displays the User Identification dialog box.
3. In the User account name field, enter the user account name you received from your administrator and
click OK.
Full Disk Encryption recognizes that you will use a dynamic token to authenticate yourself and displays
the following dialog box:
4. In the dynamic token, enter the Full Disk Encryption challenge to generate a response. Enter the
response in the Response field and click OK.
Full Disk Encryption confirms that you successfully accessed the computer for the first time using your
FDEAdmin credentials:
3. Call your Full Disk Encryption administrator or helpdesk to be guided through the password change
process.
3. Call your Full Disk Encryption administrator or helpdesk to guide you through the one-time logon
process.
Language Support
The languages supported in Full Disk Encryption for Mac are described here.
For the languages FDE supports in the FDEMC, see "Languages Supported in the FDE Management
Console" on page 86. For the languages available on FDE clients, see "Languages Supported on Clients"
on page 86.
English (US)
Japanese
Chinese (Simplified)
Chinese (Taiwan)
English
French
German
Italian
Japanese
Spanish
In the tray, you can change the language used in the client's preboot interface, system tray, and recovery
utility. To do this, double-click or right-click the Full Disk Encryption icon and navigate to the language
selection. The Select Language drop-down menu contains the languages you can choose.
Chapter 12
Keyboard Layouts
In This Chapter
Introduction 88
The Default Keyboard Layout 88
Changing the Keyboard Layout 88
Keyboard Layouts Supported in Preboot 89
Introduction
This appendix contains information on the available keyboard layouts in Full Disk Encryption and how to
change the keyboard layout.
Keyboard Layout    Locale code
English (Canada)    en-CA
English (Ireland)    en-IE
    en-GB
    en-US
Danish (Denmark)    da-DK
Dutch (Netherlands)    nl-NL
Estonian (Estonia)    et-EE
Finnish (Finland)    fi-FI
French (Belgium)    fr-BE
French (France)    fr-FR
French (Switzerland)    fr-CH
French (Canada)    fr-CA
German (Austria)    de-AT
German (Germany)    de-DE
German (Switzerland)    de-CH
Greek (Greece)    el-GR
Hebrew (Israel)    he-IL
Icelandic (Iceland)    is-IS
Italian (Italy)    it-IT
Japanese (Japan)    ja-JP
Latvian (Latvia)    lv-LV
Lithuanian (Lithuania)    lt-LT
    nb-NO
Portuguese (Brazil)    pt-BR
Portuguese (Portugal)    pt-PT
Slovak (Slovakia)    sk-SK
Spanish (Spain)    es-ES
Swedish (Sweden)    sv-SE
Polish (Poland)    pl-PL
Hungarian (Hungary)    hu-HU
Czech (Czech Republic)    cs-CZ
Thai (Thailand)    th-TH
Turkish (Turkey)    tr-TR
Index
A
About Authentication 81
Accessing Local Settings 14
Adding a User Account to a Group 38
Administrator 11
Alternative 1 60
Alternative 2 60
An Administration Overview 11
Authenticating for the First Time 82
Authenticating to Full Disk Encryption 81
Authentication Settings 27
Authority Levels 11
B
Basing a New Profile on Another Profile or Local Settings 53
Before You Create a Recovery Media 76
Before You Remove Full Disk Encryption Management Console 72
Benefits for Administrators 7
C
Changing the Graphic Images Displayed in Preboot 63
Changing the Keyboard Layout 88
Commonly Used Configurations in Update Profiles 59
Configuring Group and User Account Settings 24
Configuring System Settings 14
Configuring Update Profiles 59
Create Configuration Sets 53
Creating a New Set 46
Creating a Recovery Media 75
Creating an Uninstall Profile 70
Creating an Update Profile 59
Creating Group Accounts 35
Creating Group and User Accounts 35
Creating Groups and User Accounts in the Profile 58
Creating Installation Profiles 53
Creating the Recovery Media Manually 78
Creating the Recovery Media with the Wizard 76
D
Data Security Types 6
Default Values and How the Effective Values of Settings are Determined 37
Deleting user accounts created with a temporary user account 60
Deploying an Install Profile 61
Deploying an Install Profile Interactively 62
Deploying an Install Profile Silently 62
Deploying an Uninstall Profile 72
Deploying Full Disk Encryption on One or Many 7
Deploying Profiles 61
F
File Encryption 6
Fixed Password 27
Full Disk Encryption 6
Full Disk Encryption Features and Benefits 7
Full Disk Encryption Management Console Dialog Box 13
Full Disk Encryption Profile Basics 52
Full Disk Encryption Recovery File 75
Full Disk Encryption Terminology 9
G
Getting Started 9
Group 9
Group and User Account Basics 35
Group Information 52
Group Settings 26
GUID 18
H
How Update Profiles Affect Logged-On Users and Administrators 63
I
If the Recovery File Path is Not Found 75
Implementing a Remote Help Procedure 65
Install 45
Install Full Disk Encryption on Client Machines 10
Install Settings 16
Installation Profiles 52
Introduction 88
K
Keyboard Layouts 88
Keyboard Layouts Supported in Preboot 89
L
Language Support 86
Languages Supported in the FDE Management Console 86
M
Mount Points 17
Mounting Encrypted Volumes 79
Moving User Accounts 44
N
Navigating 81
O
Overview of the Full Disk Encryption Management Console 13
P
Password Authentication 41
Perform Administration Tasks 10
Permissions for Roles 12
Permissions Settings 30
Preface 5
Prepare the Master Installation 9
Prepare to Install FDE on Client Machines 10
Prepare Your Groups and User Accounts 9
Prepare Your Remote Administration Points (Sets) 10
Preparing to Work With Profiles 53
Privileged Permissions Settings 30
Profile 9
Profile Types 52
Providing Remote Help 67
Publishing an Install Profile 61
R
Recovery 45
Recovery Media 75
Related Documentation 5
Remote Help 32, 65
Remote Help Settings 66
Removal Procedure 73
Remove User Account and Mark for Removal 59
Removing Full Disk Encryption 70
Removing Full Disk Encryption Management Console 72
Roadmap 9
Root Directory Path 45
S
Sanity Checks 57
Select Group 21
Set 9
Set Basics 45
Set Management 49
Sets and Profiles Must be Deleted Manually 72
Setting the Language Used on the Client 87
Single Sign-On 32
Single Sign-On (SSO) Settings 31
Single Sign-On and Mac Password Changes 32
U
Uninstall Profiles 53, 70
Update 46
Update Profiles 53
Updating Full Disk Encryption Software 63
User 12
User Account Acquisition 8, 20
User Account Information 52
Using a Dynamic Token 83
Using a Fixed Password 82
Using a Recovery Media to Decrypt Volumes, Uninstall FDE, and Recover Information 78
V
Verifying a Full Disk Encryption Deployment 62
Verifying Users 67
Volume 18
W
Wake on LAN 21
webRH or Full Disk Encryption Management Console? 65
What if I don't have access to my token? 85
What if I forget my password? 84
What's in a Profile? 52
Who should read this guide? 5
Why Full Disk Encryption is not uninstalled 71
Working with Configuration Sets 45
Working with Installation and Update Profiles 51
Working with Profiles: an Overview 51
Working With Update Profiles 58