Endpoint Security Full Disk Encryption for Mac 3.2
Administration Guide

27 April, 2010

More Information
The latest version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=10527
For additional technical information about Check Point visit Check Point Support Center
(http://supportcenter.checkpoint.com).

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to us (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Endpoint Security Full Disk Encryption for Mac 3.2 Administration Guide).

© 2010 Check Point Software Technologies Ltd.


All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Please refer to our Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Please refer to our Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a
list of relevant copyrights.

Contents
Preface.....................................................................................................................5
Who should read this guide? ............................................................................... 5
Related Documentation ....................................................................................... 5
Data Security Types ............................................................................................ 6
File Encryption ................................................................................................ 6
Full Disk Encryption ........................................................................................ 6
Full Disk Encryption Features and Benefits ......................................................... 7
Benefits for Administrators .............................................................................. 7
Deploying Full Disk Encryption on One or Many ............................................. 7
User Account Acquisition ................................................................................ 8
Deployment Overview ......................................................................................... 8
Getting Started .................................................................................................... 9
Full Disk Encryption Terminology .................................................................... 9
Roadmap ........................................................................................................ 9
An Administration Overview ................................................................................11
Authority Levels ..................................................................................................11
Administrator .................................................................................................11
User ...............................................................................................................12
Permissions for Roles ....................................................................................12
Overview of the Full Disk Encryption Management Console ..........................13
Full Disk Encryption Management Console Dialog Box..................................13
Configuring System Settings ...............................................................................14
Accessing Local Settings ....................................................................................14
Status Information..........................................................................................15
Editing Local Settings .........................................................................................15
Install Settings ...............................................................................................16
Mount Points ..................................................................................................17
System Passwords Policy ..............................................................................19
User Account Acquisition ...............................................................................20
Wake on LAN ................................................................................................21
Logon ............................................................................................................23
Configuring Group and User Account Settings ..................................................24
Local Settings for Groups and User Accounts ....................................................24
System Settings for Groups ................................................................................25
Group Settings ...............................................................................................26
Creating Group and User Accounts ....................................................................35
Group and User Account Basics .........................................................................35
Creating Group Accounts ...................................................................................35
Default Values and How the Effective Values of Settings are Determined .....37
Adding a User Account to a Group .....................................................................38
Password Authentication ...............................................................................41
Dynamic Token Authentication ......................................................................42
Moving User Accounts........................................................................................44
Working with Configuration Sets.........................................................................45
Set Basics ..........................................................................................................45
Root Directory Path ............................................................................................45
Directories .....................................................................................................45
Creating a New Set ............................................................................................46
Set Management ................................................................................................49
Working with Installation and Update Profiles ...................................................51
Working with Profiles: an Overview ..................................................................51
Full Disk Encryption Profile Basics .....................................................................52
What's in a Profile? ........................................................................................52
Profile Types ..................................................................................................52
Preparing to Work With Profiles .....................................................................53
Basing a New Profile on Another Profile or Local Settings .............................53
Creating Installation Profiles ...............................................................................53
Sanity Checks ................................................................................................57
Working With Update Profiles .............................................................................59
Creating an Update Profile .............................................................................59
Configuring Update Profiles ...........................................................................59
Deploying Profiles ..............................................................................................61
Deploying an Install Profile.............................................................................61
Deploying Update Profiles .............................................................................63
Updating Full Disk Encryption Software ..............................................................63
Changing the Graphic Images Displayed in Preboot ......................................63
Remote Help ..........................................................................................................65
webRH or Full Disk Encryption Management Console? ......................................65
Implementing a Remote Help Procedure ............................................................65
Remote Help Settings ....................................................................................66
Types of Remote Help ........................................................................................67
Verifying Users ...................................................................................................67
Providing Remote Help .......................................................................................67
Removing Full Disk Encryption ...........................................................................70
Uninstall Profiles .................................................................................................70
Creating an Uninstall Profile...........................................................................70
Deploying an Uninstall Profile ........................................................................72
Removing Full Disk Encryption Management Console .......................................72
Before You Remove Full Disk Encryption Management Console ...................72
Removal Procedure .......................................................................................73
Recovery Media ....................................................................................................75
Full Disk Encryption Recovery File .....................................................................75
If the Recovery File Path is Not Found ...............................................................75
Creating a Recovery Media ................................................................................75
Before You Create a Recovery Media ............................................................76
Creating the Recovery Media with the Wizard ....................................................76
Creating the Recovery Media Manually ..............................................................78
Using a Recovery Media to Decrypt Volumes, Uninstall FDE, and Recover Information ..........78
Mounting Encrypted Volumes .............................................................................79
Authenticating to Full Disk Encryption ...............................................................81
About Authentication ..........................................................................................81
Navigating......................................................................................................81
Authenticating for the First Time .........................................................................82
Using a Fixed Password ................................................................................82
Using a Dynamic Token .................................................................................83
What if I forget my password? ............................................................................84
What if I don't have access to my token? ............................................................85
Language Support ................................................................................................86
Languages Supported in the FDE Management Console ...................................86
Languages Supported on Clients........................................................................86
Specifying the Language Used in the FDEMC ....................................................87
Setting the Language Used on the Client ...........................................................87
Keyboard Layouts.................................................................................................88
Introduction ........................................................................................................88
The Default Keyboard Layout .............................................................................88
Changing the Keyboard Layout ..........................................................................88
Keyboard Layouts Supported in Preboot ............................................................89
Index ......................................................................................................................91

Chapter 1
Preface
This preface contains background information on Endpoint Security Full Disk Encryption for Mac benefits
and features, as well as a general discussion of how the product is designed and how it should be deployed.
Endpoint Security Full Disk Encryption for Mac is also referred to as Full Disk Encryption or FDE throughout
this document.
In This Chapter
Who should read this guide? ..... 5
Related Documentation ..... 5
Data Security Types ..... 6
Full Disk Encryption Features and Benefits ..... 7
Deployment Overview ..... 8
Getting Started ..... 9

Who should read this guide?
Administrators who deploy and administer Full Disk Encryption and provide Remote Help within their
organization should read this guide.

Related Documentation
This release includes the following documentation:
Table 1-1 Endpoint Security Full Disk Encryption for Mac Documentation

Title: Endpoint Security Full Disk Encryption for Mac Installation Guide
This document contains: Instructions and information on how to install Full Disk Encryption for the first
time, the so-called master installation.

Title: Endpoint Security Full Disk Encryption for Mac Administration Guide (this document)
This document contains: Instructions and information on how to configure, deploy, and administer Full Disk
Encryption.

Title: Endpoint Security Full Disk Encryption for Mac Release Notes
This document contains: Current information about the product, such as:
• System requirements
• New features and functions in the current release
• Problems that have been fixed since the previous release
• Any known issues about the current release

Page 5

Data Security Types

There are two general types of protection for data at rest: file encryption and full disk encryption.
The following graphic illustrates the difference between unprotected data, standard file encryption, and Full
Disk Encryption protection:

File Encryption
File encryption enables users to protect vital data. Organizations often find file encryption insufficient,
however, because it is subject to user discretion regarding what to secure and the willingness of users to
consistently follow security procedures.

Full Disk Encryption
Unlike file encryption, which leaves security holes, Full Disk Encryption provides boot protection and
sector-by-sector disk encryption.
Boot protection means authenticating users before a computer is booted.
Full Disk Encryption uses the user's credentials to derive a user key, which is used to encrypt the disk
volume keys. The disk volume keys encrypt the Mac disk volumes.
This prevents unauthorized persons from accessing the operating system, whether by running authentication
bypass tools at the operating system level or by booting from alternative media to bypass boot protection.
Disk encryption includes the system files, temp files, and even deleted files. Encryption is user-transparent
and automatic, so there is no need for user intervention or user training. There is no user downtime because
encryption occurs in the background without noticeable performance loss. This provides enforceable
security that users cannot bypass. Because the data on the disk is encrypted, it is inaccessible to any
unauthorized person.
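The key hierarchy described above (credentials derive a user key, the user key encrypts the volume key, the volume key encrypts the volume) as an added Go model. It is not part of this guide and not the Check Point product's code: it assumes PBKDF2-HMAC-SHA256 as the credential KDF and AES-256-GCM for both the key wrap and the volume data, and the names Enroll, Unlock and ChangePassword are the example's own; the product's actual algorithms and parameters are not documented here. The model shows why the layering matters: wrong credentials fail at the unwrap step before any volume data is touched, and a password change only re-wraps the volume key, leaving the encrypted volume untouched.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// The KDF, cipher mode and parameters below are assumptions for this model, not the product's documented choices.
const kdfIterations = 20000

// deriveUserKey: PBKDF2-HMAC-SHA256, one 32-byte output block, written out so only the standard library is needed.
func deriveUserKey(password, salt []byte) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := prf.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < kdfIterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// seal encrypts and authenticates with AES-256-GCM; the random nonce is prepended.
func seal(key, plaintext []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// unseal reverses seal; a wrong key fails the tag check instead of yielding garbage.
func unseal(key, blob []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// ProtectedVolume is the on-disk state: the wrapped volume key plus the encrypted contents.
type ProtectedVolume struct {
	Salt       []byte
	WrappedKey []byte // volume key, encrypted under the user key
	Data       []byte // volume contents, encrypted under the volume key
}

// Enroll generates a fresh volume key, encrypts the contents under it, and wraps the volume key under the user key.
func Enroll(password string, data []byte) *ProtectedVolume {
	volumeKey, salt := randomBytes(32), randomBytes(16)
	return &ProtectedVolume{
		Salt:       salt,
		WrappedKey: seal(deriveUserKey([]byte(password), salt), volumeKey),
		Data:       seal(volumeKey, data),
	}
}

// Unlock is the preboot step: derive the user key and unwrap the volume key. With wrong
// credentials the unwrap fails and the volume contents are never decrypted.
func Unlock(pv *ProtectedVolume, password string) ([]byte, error) {
	volumeKey, err := unseal(deriveUserKey([]byte(password), pv.Salt), pv.WrappedKey)
	if err != nil {
		return nil, errors.New("authentication failed")
	}
	return unseal(volumeKey, pv.Data)
}

// ChangePassword re-wraps the volume key under the new user key. Data is untouched,
// which is why changing credentials never requires re-encrypting the disk.
func ChangePassword(pv *ProtectedVolume, oldPassword, newPassword string) error {
	volumeKey, err := unseal(deriveUserKey([]byte(oldPassword), pv.Salt), pv.WrappedKey)
	if err != nil {
		return errors.New("authentication failed")
	}
	salt := randomBytes(16)
	pv.Salt, pv.WrappedKey = salt, seal(deriveUserKey([]byte(newPassword), salt), volumeKey)
	return nil
}
```

To exercise the model, call Enroll with some constructed volume contents, then Unlock with a wrong password (fails at the unwrap step), ChangePassword, and Unlock again with the new password; comparing the Data field before and after the change shows that only the wrapped key was rewritten.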

Full Disk Encryption Features and Benefits

Full Disk Encryption secures desktop and laptop computers from unauthorized physical access by using
both boot protection and full disk encryption. Full Disk Encryption provides the following security functions:

• Strong user authentication
• Support for user identification using dynamic tokens
• Secure Remote Help for users who have forgotten their passwords
• Central configuration and administration
• Keyboard lock and screen saver
• Limited number of failed logon attempts with automatic locking
• Audit logging of events such as successful and failed logon attempts

With Full Disk Encryption, all logical partitions/volumes are boot protected and encrypted, even if the disk is
removed and loaded into a controlled machine.
The integration of boot protection and automatic encryption provides a high degree of security with minimal
impact on users. This allows an organization to determine the security level instead of leaving it up to the
user to encrypt information.
Boot protection prevents subversion of the operating system or the introduction of rogue programs, while
sector-by-sector encryption makes it impossible to copy individual files for brute force attacks.
Full Disk Encryption guarantees that unauthorized users cannot access or manipulate information on a
protected computer, from either available, erased or temporary files. Full Disk Encryption safeguards the
operating system and the important system files (which often contain clues to passwords), shared devices,
and the network.
The Full Disk Encryption installation on the user's Mac contains all the necessary user account information,
keys, and other data to protect the Mac. This means there is no central user database or key repository to
manage.

Benefits for Administrators
As a Full Disk Encryption administrator, you have centralized control of a decentralized system where you
can perform:
• Installation, modification and removal of Full Disk Encryption on users' Macs in the network.
• Configuration and deployment of a wide range of security and policy settings on users' Macs.
• Modification of security policy settings to suit the needs of the entire user population, selected groups of
users, or individual users.
• The daily administration of the system.

Deploying Full Disk Encryption on One or Many
Using just one installation profile, you can deploy Full Disk Encryption to anywhere from one to thousands of
users from a central location.
You do not need to know the details of which users are using which computers when you deploy Full Disk
Encryption, that is, you do not need to create individual user accounts manually or migrate user accounts to
a central database. User accounts, no matter how many, are established without your intervention on the
individual Macs to which Full Disk Encryption is deployed.
Full Disk Encryption has two methods for creating user accounts for large-scale deployments: Temporary
User Accounts and User Account Acquisition.

Temporary User Accounts
Users receive the installation profile via a generic temporary user account. The user logs on for the first time
to this account using generic user credentials provided by the administrator. The user is then forced to
create a new user name and password. This deletes the temporary account, and the user is established as
a normal user in the system.

User Account Acquisition
User account acquisition is an alternative and preferred method of creating user accounts.
The administrator deploys a profile to targeted groups of users. The first time the user logs on to the
machine to which the profile is deployed, the user's Mac username and password are acquired for use as
Full Disk Encryption credentials.
When a profile with user account acquisition enabled is deployed, the machine goes directly to the Mac OS X
logon dialog box after the first reboot. The user then enters his Mac user credentials. When the machine is
booted again, the Full Disk Encryption preboot logon dialog box displays, and the user can log on using the
same Mac user credentials.
This method has several advantages over using temporary user accounts to create Full Disk Encryption
users:
• User account acquisition is transparent to the user, who continues to use the same user credentials he
had before Full Disk Encryption was deployed.
• With user account acquisition, the administrator does not need to convey a generic username and
password to the users and then rely on them to create their own credentials, as is the case with
temporary user accounts.
• When user account acquisition and single sign-on are both enabled, passwords can be managed
centrally, and users log on one time with one password to gain access to the Mac, Full Disk Encryption,
and network resources.

For instructions on enabling user account acquisition, see "User Account Acquisition" on page 20. For
instructions on enabling single sign-on, see "Single Sign-On (SSO) Settings" on page 31.

Deployment Overview
You can think of Full Disk Encryption deployment in three major steps:
1. The Full Disk Encryption program is first installed and configured on a Full Disk Encryption
administrator's workstation. This is called the master installation.
2. The administrator then configures a Full Disk Encryption installation profile containing all the information
and software necessary to install and manage Full Disk Encryption on the Macs in the network.
3. The administrator uses the installation profile to deploy Full Disk Encryption to users.
The following graphic provides an overview of the deployment process via profiles:

Each of the three major steps is broken down in more detail in this guide. The following is a more
detailed overview of the steps you take to deploy Full Disk Encryption.

Getting Started
The following information is intended to prepare you to begin working with Full Disk Encryption.

Full Disk Encryption Terminology
You may find it helpful to familiarize yourself with the following Full Disk Encryption terms.

Group
A group is a collection of user accounts. Each user account must belong to a group.
Fact: The System group is created automatically when you install Full Disk Encryption. You must create at
least one other group, however, to store user accounts you create that do not belong to the System group.

Set
A set is a share point from which you carry out your remote management tasks for groups and users. Such
tasks are carried out via profiles, which are collected in the set. Sets help to keep you organized by allowing
you to create separate sets for each type of configuration profile. For instance, you can create a set named
Accounting which can be the share point for configuration profiles you want to deploy to the Accounting
department.

Profile
A profile contains all the settings, account information, and software to install Full Disk Encryption on a
client Mac, update settings on a machine with Full Disk Encryption already installed, or uninstall Full Disk
Encryption. Profiles must belong to a set.
Fact: You must create a set before you create profiles.

Roadmap
This summary provides a bird's-eye view of installing, configuring, deploying, and managing Full Disk
Encryption.

Prepare the Master Installation
Install Full Disk Encryption on your workstation
See the Endpoint Security Full Disk Encryption for Mac Installation Guide, which describes how to perform a
first-time FDE installation, the so-called master installation, on your Mac.
Configure Full Disk Encryption system settings on your workstation
Configure the settings for your FDE installation. See "An Administration Overview" on page 11 and
"Configuring System Settings" on page 14.

Prepare Your Groups and User Accounts
Configure settings
Configure the settings that control authentication and permission rights for the group and user accounts you
create. See "Configuring Group and User Account Settings" on page 24.
Create group and user accounts
A group is a collection of users. Every user must belong to a group. Therefore, you must create a group or
groups before you create user accounts.
Best practice is to create a temporary user account for every group you create. This generic account
facilitates large-scale deployment by allowing Full Disk Encryption to be deployed to many users without the
need to create user accounts for each user prior to deployment. After Full Disk Encryption is installed on the
user's machine, the user simply logs on to the temporary account, at which time he or she is forced to
change the user name and password, thus creating his or her own user account. See "Creating Group and
User Accounts" on page 35.

Prepare Your Remote Administration Points (Sets)
Create Configuration Sets
A configuration set is a distribution point and storage place from which you carry out your remote
management tasks for groups and users in the Full Disk Encryption system. Remote management tasks
include installing/uninstalling Full Disk Encryption on remote clients and updating configuration on remote
clients. See "Working with Configuration Sets" on page 45.

Prepare to Install FDE on Client Machines
Create installation profiles
A profile contains all the settings and account information that you configured for groups and users, as well
as the software to install Full Disk Encryption on a client machine. You also use profiles to update settings or
remove Full Disk Encryption on machines where Full Disk Encryption is already installed. Profiles can exist
only in a set. See "Working with Installation and Update Profiles" on page 51.

Install Full Disk Encryption on Client Machines
Deploy the installation profile to install Full Disk Encryption on client Macs and create user accounts. See
"Working with Installation and Update Profiles" on page 51.

Perform Administration Tasks
Once you install Full Disk Encryption on client Macs, you can perform administration tasks, such as:
• Configuring and deploying update profiles. See "Working with Installation and Update Profiles" on page
51.
• Providing Remote Help to locked out users. See "Remote Help" on page 65.
• Uninstalling Full Disk Encryption. See "Removing Full Disk Encryption" on page 70.
• Recovering a Full Disk Encryption Mac. See "Recovery Media" on page 75.

Chapter 2
An Administration Overview
Full Disk Encryption is managed from the Full Disk Encryption Management Console on any computer that
has Full Disk Encryption installed. This gives administrators control over and easy access to higher-level
functionality without being tied to any one machine.
This chapter explains authority levels, how to access administration functions from any computer, and how
to establish the initial system settings.
In This Chapter
Authority Levels ..... 11

Authority Levels
There are two authority levels in Full Disk Encryption: an administrator, who has full authority, and users,
whose authority is limited to logging on, viewing their own settings, and receiving Remote Help. A user
can also change his or her password if the administrator has allowed it.

Administrator
Administrators have centralized control of the creation of the profiles that are used to install, update, and
uninstall Full Disk Encryption on client computers while simultaneously allowing local control of the
deployment of those profiles.
Administrators can perform the following tasks:
• Create and manage profiles
• Configure system settings
• Add and remove user accounts
• Configure settings for user accounts
• Give Remote Help to users who are locked out or have forgotten their passwords.

At least two competent individuals must be designated as administrators to manage Full Disk Encryption
and the security of the information it contains.
It is imperative that Full Disk Encryption administrators receive adequate training and are not careless,
willfully negligent, or hostile. Full Disk Encryption administrative personnel should follow the instructions
provided in this guide and keep their authentication data private.

User
Users have limited authority, according to what has been defined by the administrator in the system settings.
Each user is assigned an account with a unique user identity and password that together authorize access
to the entire hard disk.
Authorized Full Disk Encryption users must keep their authentication data private.

Permissions for Roles
The following tables list the Privileged Permissions, Permissions, and Remote Help settings
structure for Full Disk Encryption user accounts and administrators.

Table 2-2 Privileged Permissions
Privileged Permissions    User    Administrator
Authority Level                   X

Table 2-3 Permissions
Permissions               User    Administrator
Change Password                   X

A user can change his own password if the Change Password setting for his account is set to Yes. The
administrator can change authentication for every user.

Table 2-4 Privileged Permissions
Permissions                         User    Administrators
Provide 'Remote Password Change'
Provide 'One Time Logon'
Receive 'Remote Password Change'
Receive 'One Time Logon'

For more information, see "Configuring Group and User Account Settings" on page 24.

Overview of the Full Disk Encryption Management Console
The Full Disk Encryption Management Console gives you quick and easy access to all Full Disk Encryption
functions.
To start the Full Disk Encryption Management Console:
Click Applications, navigate to the FDEMC icon and double-click it.
The Full Disk Encryption Management Console program starts:

Full Disk Encryption Management Console Dialog Box
In the Full Disk Encryption Management Console dialog box, you can select an option either in the folder
tree to the left or by clicking the active link in the relevant dialog box image in the pane to the right, for
example, Go to Local.
The Full Disk Encryption Management Console dialog box contains the following options:

Option                 Description
Local Installation     Select to manage the local installation of Full Disk Encryption.
Remote Installation    Select to manage profiles, sets, and recovery files for remote installations.
Remote Help            Select to help locked-out users change the account password or temporarily log on.

Chapter 3
Configuring System Settings
System settings are related to aspects of the product such as installation, logon, and required path
specifications. You use system settings to configure Full Disk Encryption.
Other settings - those for Groups and User Accounts - are relevant for volume access, logging on,
authentication, permissions, and Remote Help. These settings are described in "Configuring Group and
User Account Settings" on page 24.
In This Chapter
Accessing Local Settings ..... 14
Editing Local Settings ..... 15

Accessing Local Settings


The Full Disk Encryption Management Console, shown below, allows you to work with system, local, and
remote settings. It provides wizards for defining, among other things, sets, groups, and users accounts.
Local settings are settings for the machine on which you are logged on, usually the machine on which Full
Disk Encryption is first installed and from which the installation of Full Disk Encryption is deployed to all
clients.
To access the local settings:
Start Full Disk Encryption and select one of the following:
- Local in the folder tree to the left
- Go To Local under Local Installation in the main panel


The Local dialog box is displayed:

Status Information
The following Status information is displayed in the main panel:

Table 3-5 Status Information

Locally installed version
  The version of Full Disk Encryption currently installed on this machine.

Full Disk Encryption User
  The name of the user account currently logged on to Full Disk Encryption Management Console.

Editing Local Settings


To edit Local settings:
1. In the main panel under Actions, click Edit Settings.
The folder tree is displayed in the left panel.
2. Click the folder for the settings you wish to edit.
See the following for descriptions and editing details of the various system settings.


Install Settings
Install contains the following settings:

Set Update Validation Password
  The administrator uses Set Update Validation Password to set the password clients use to validate
  update profiles they pull from a shared folder. This password is crucial to the update or uninstall
  process and has a maximum length of 31 bytes.
  The update validation password (UVP) on the client is initially set by the installation profile, or
  manually on the client machine via System Settings > Install > Set Update Validation Password.
  Example:
  The UVP on the admin machine, previously A, is changed to B. The admin machine deploys an update
  profile to the clients. This update profile is saved on the admin machine after the UVP is changed to
  B (the profile must be saved if the UVP in the profile is to be updated to the current UVP of the
  admin machine).
  This profile actually contains both UVPs A and B, and when clients pull the profile, they accept it
  because it contains A. In addition, they recognize that the UVP is set to B in this profile, so they
  change their UVPs to B.
  Now, if a client changed its UVP to C and this client deploys an update profile (containing UVPs B
  and C) to all other clients, the clients that pull the profile will have UVP C. After they have UVP
  C, none of these clients will accept an update profile deployed from the admin machine that still
  has UVP B.

Product License
  Check Point license for the Full Disk Encryption product. If necessary, this can be changed by
  clicking on the Check Point license. A dialog opens where you can click the Browse button to import
  a Check Point license (.lic) file.
  Note - Full Disk Encryption supports only one single license, not multiple licenses.

Set Update Profile Path
  Path to the directory or directories from which the installation downloads update profiles. Enter
  the path(s) to the directory or directories where Full Disk Encryption is to look for update
  profiles to use when updating system and user information. Best practice is to specify the path in
  the format /var/share.
  Full Disk Encryption downloads these profiles according to the predefined update interval. Default
  is every third hour or at the next restart, i.e. when the Full Disk Encryption Dock program is
  loaded next. See "Working with Installation and Update Profiles" on page 51 for more information.

Set Recovery Path
  Path to the directory or directories in which the installation stores recovery data. Best practice
  is to specify the path in the format /var/share/.

Encrypt everything
  Set Encrypt everything to Yes when you want to encrypt the entire disk of the client Macs on which
  an install profile is deployed. This setting is displayed only when you are configuring settings in
  an install profile.
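The UVP acceptance rule behind the Set Update Validation Password example above, replayed as an added Python model (not Check Point code): the profile layout, the machine names and the behaviour of save_profile are assumptions made for the illustration.

```python
"""Model of update validation password (UVP) propagation between an admin machine and
its clients.  Added example, not Check Point code: it implements only the acceptance
rule the guide describes (a client accepts an update profile if the profile carries the
client's current UVP, and then adopts the UVP the profile sets)."""
from dataclasses import dataclass, field

UVP_MAX_BYTES = 31  # maximum UVP length stated in the guide


@dataclass(frozen=True)
class UpdateProfile:
    """A saved profile carries the UVP in force before the change and the new one."""
    previous_uvp: str
    new_uvp: str

    def carries(self, uvp: str) -> bool:
        return uvp in (self.previous_uvp, self.new_uvp)


@dataclass
class Machine:
    name: str
    uvp: str
    log: list[str] = field(default_factory=list)

    def set_uvp(self, new_uvp: str) -> UpdateProfile:
        """Change this machine's UVP and save a profile carrying both old and new UVP."""
        if len(new_uvp.encode("utf-8")) > UVP_MAX_BYTES:
            raise ValueError(f"UVP longer than {UVP_MAX_BYTES} bytes")
        profile = UpdateProfile(previous_uvp=self.uvp, new_uvp=new_uvp)
        self.uvp = new_uvp
        return profile

    def save_profile(self) -> UpdateProfile:
        """Save a profile without changing the UVP (assumption: it then carries only
        the current UVP, which is what makes the admin's profile stale below)."""
        return UpdateProfile(previous_uvp=self.uvp, new_uvp=self.uvp)

    def pull(self, profile: UpdateProfile) -> bool:
        """Validate a pulled profile; on success adopt the UVP it sets."""
        if not profile.carries(self.uvp):
            self.log.append(f"{self.name}: rejected profile "
                            f"{profile.previous_uvp}->{profile.new_uvp}, my UVP is {self.uvp}")
            return False
        self.uvp = profile.new_uvp
        self.log.append(f"{self.name}: accepted profile, UVP now {self.uvp}")
        return True


def run_guide_scenario() -> dict[str, tuple[str, bool]]:
    """Replay the guide's example: admin A->B, one client B->C, then a stale admin profile.
    Returns, per client, its final UVP and whether it accepted the admin's last profile."""
    admin = Machine("admin", "A")
    clients = [Machine(f"client{i}", "A") for i in range(3)]

    # Admin changes A->B and deploys; every client still holds A, so all accept and move to B.
    profile_b = admin.set_uvp("B")
    for client in clients:
        client.pull(profile_b)

    # One client changes B->C and deploys its own profile (carrying B and C);
    # the other clients hold B, so they accept it and move to C as well.
    stray = clients[0]
    profile_c = stray.set_uvp("C")
    for client in clients[1:]:
        client.pull(profile_c)

    # Admin, still on B, deploys again; nothing it sends carries C, so every client
    # rejects it.  One way back is the manual setting the guide names: System Settings >
    # Install > Set Update Validation Password on the client.
    stale = admin.save_profile()
    return {client.name: (client.uvp, client.pull(stale)) for client in clients}


if __name__ == "__main__":
    for name, (uvp, accepted) in run_guide_scenario().items():
        print(f"{name}: UVP={uvp} accepted_admin_profile={accepted}")
```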

Mount Points
Mount Points contains the following settings.

You can click on a drive in the Mount Points folder to obtain information about how a drive is encrypted and
the status of the encryption process.
If drives are encrypted, no drives are listed in the Mount Points folder and the Mount Points settings are not
visible.

Table 3-6 Mount Points

Algorithm
  Algorithm used to encrypt the drive.

Key Length
  Strength of the key used to encrypt the drive.

Device name
  Identification information of the drive.

Mount point
  Name of the mount point.

Device encryption status
  Status of the encryption process. In the example above, this field shows that the device is
  encrypting. You can also view encryption progress by either:
  - rolling your mouse over the Full Disk Encryption icon in the upper taskbar, or
  - clicking the Full Disk Encryption icon and selecting Encryption status, or
  - running the remote status indication command line utility. See "External Status Indication
    Command Line Utility" on page 18 for instructions.

Device encryption progress
  Shows how far along encryption is in percent.

External Status Indication Command Line Utility


The External Status Indication Command Line Utility retrieves encryption status from each mounted volume
for the attributes Volume, GUID, and Status.

Volume
The volume name is always displayed, for example, /.

GUID
If the volume is encrypted by Full Disk Encryption, the GUID for the volume is displayed. If the volume is not
encrypted, this information is not displayed.

Status
The attribute Status displays the current action (Encrypted, Encrypting, Decrypting, Decrypted) and its
percentage of completion for FDE-encrypted volumes.

Example of output for an FDE-encrypted volume:

Volume: / GUID: XXXXXXX-XXXX-XXXX-XXXX-XXXXXXX Status: Encrypted 100.00

Example of output for a non FDE-encrypted volume:

Volume: /Volumes/prodop Status: Volume is not encrypted with Check Point Endpoint Security.

To run the External Status Indication Command Line Utility:
1. Open a terminal.
2. Run the command
   cd /usr/local/ppc-<VERSION_NUMBER>-<BUILD_NUMBER>/bin/
3. Run the command ./FDEEncStatus.
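An added parser for the two output formats shown above, of the kind a fleet compliance check would feed the utility's output into (example code, not part of the product). It assumes each volume is reported on a single line; the sample lines and GUIDs embedded in it are constructed placeholders.

```python
"""Parser for the per-volume lines FDEEncStatus prints.  Added example, not Check Point
code; it assumes each volume is reported on one line in one of the two documented formats."""
import os
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

ENCRYPTED_LINE = re.compile(
    r"^Volume: (?P<volume>.+?) GUID: (?P<guid>\S+) "
    r"Status: (?P<action>Encrypted|Encrypting|Decrypting|Decrypted) "
    r"(?P<percent>\d+(?:\.\d+)?)$"
)
UNENCRYPTED_LINE = re.compile(
    r"^Volume: (?P<volume>.+?) Status: Volume is not encrypted with Check Point Endpoint Security\.$"
)

# Constructed sample output; the GUIDs are placeholders, not real volume GUIDs.
SAMPLE_OUTPUT = """\
Volume: / GUID: 11111111-2222-3333-4444-555555555555 Status: Encrypting 42.50
Volume: /Volumes/Data GUID: 66666666-7777-8888-9999-000000000000 Status: Encrypted 100.00
Volume: /Volumes/prodop Status: Volume is not encrypted with Check Point Endpoint Security.
"""


@dataclass(frozen=True)
class VolumeStatus:
    volume: str
    guid: Optional[str]       # None when the volume is not FDE-encrypted
    action: Optional[str]     # Encrypted, Encrypting, Decrypting, Decrypted, or None
    percent: Optional[float]  # completion of the current action

    @property
    def protected(self) -> bool:
        """True only when the volume is fully encrypted and no decryption is running."""
        return self.action == "Encrypted" and self.percent == 100.0


def parse_status_output(text: str) -> list[VolumeStatus]:
    """Parse FDEEncStatus output.  A line in neither documented format raises, so a
    changed output format is noticed instead of silently reporting an empty fleet."""
    statuses = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENCRYPTED_LINE.match(line)
        if m:
            statuses.append(VolumeStatus(m["volume"], m["guid"], m["action"], float(m["percent"])))
            continue
        m = UNENCRYPTED_LINE.match(line)
        if m:
            statuses.append(VolumeStatus(m["volume"], None, None, None))
            continue
        raise ValueError(f"unrecognised FDEEncStatus line: {line!r}")
    return statuses


def unprotected_volumes(statuses: list[VolumeStatus]) -> list[str]:
    """Volumes a compliance report should flag: not FDE-encrypted, or not yet at 100%."""
    return [s.volume for s in statuses if not s.protected]


def collect_status(bin_dir: str) -> list[VolumeStatus]:
    """Run the utility from its bin directory, as the guide's procedure does, and parse it.
    bin_dir is the /usr/local/ppc-<VERSION_NUMBER>-<BUILD_NUMBER>/bin/ path of the install."""
    result = subprocess.run([os.path.join(bin_dir, "FDEEncStatus")], cwd=bin_dir,
                            capture_output=True, text=True, check=True)
    return parse_status_output(result.stdout)


if __name__ == "__main__":
    parsed = parse_status_output(SAMPLE_OUTPUT)
    for status in parsed:
        print(status)
    print("needs attention:", unprotected_volumes(parsed))
```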


System Passwords Policy
System Passwords Policy contains the following settings:

Table 3-7 System Passwords Policy

Require Letters and Digits
  If set to Yes, both letters and digits must be used in passwords.

Enable Case Sensitivity
  Accept uppercase and lowercase letters in passwords. If the check box is cleared, all letters are
  interpreted as uppercase regardless of their case when entered. This setting cannot be changed if
  the setting Require Upper and Lower Case is set to Yes.

Allow Special Characters
  Allow the use of the following special characters in passwords:
  !"#$%&()*+,-./:;<=>?@{}

Allow Consecutive, Identical Characters
  Accept passwords having more than two consecutive, identical characters.

Require Upper and Lower Case
  Passwords must contain both upper- and lowercase characters. This setting cannot be changed if the
  setting Enable Case Sensitivity is set to Yes.

Allow Embedded Space Characters
  Passwords may contain embedded space characters.

Allow Leading or Trailing Characters
  Passwords may contain leading or trailing characters, or both.

Allow Password of Adjoining Characters
  Passwords may consist of a series of characters from adjoining keys on a keyboard.

Set Minimum Length
  Set the minimum length for passwords. Setting this value to 0 means there is no minimum length
  restriction.


User Account Acquisition
User Account Acquisition contains the following setting:

Table 3-8 User Account Acquisition

Enable User Account Acquisition
  Enables Full Disk Encryption to automatically acquire Macintosh user accounts and use them to set up
  Full Disk Encryption user accounts.
  Note - The first user who logs on to a machine on which user account acquisition is enabled is the
  user whose Mac credentials are acquired for use as Full Disk Encryption credentials. If the user
  already exists in Full Disk Encryption, then User Account Acquisition is disabled on that machine
  when the user logs on.
  The user account acquisition functionality is an alternative and preferred method of creating user
  accounts. For an explanation of the two methods of user account creation, temporary user accounts
  and user account acquisition, see Deploying Full Disk Encryption to One or Many.
  For maximum transparency for the user, enable both the User Account Acquisition setting and Single
  Sign-On. See "Single Sign-On (SSO) Settings" on page 31.

If you set Enable User Account Acquisition to Yes, you must select a Full Disk Encryption group in which to
place the Full Disk Encryption user accounts that are created through the user account acquisition function.
See "Select Group" on page 21 for instructions.


Select Group
Select Group contains the following setting:

Select Group
  Here you select the group of users whose Mac user accounts you want to acquire to make Full Disk
  Encryption user accounts.

Wake on LAN
Full Disk Encryption can be used together with Wake-on-LAN (WOL) network cards, which can be
configured to start the system in Wake-on-LAN mode. The FDE Wake-on-LAN functionality will
automatically log on to the computer after the computer has booted with the help of WOL network cards.
This allows the operating system to start and remote updates to be performed.

Wake on LAN Example


The following is an example of working with Full Disk Encryption WOL. In this example, the number of
permitted WOL logons is five.
1. The Full Disk Encryption profile is deployed to the Full Disk Encryption-protected computer and the WOL
settings are implemented.
2. The computer is booted, and WOL logs on and boots the machine. The WOL logon process is now
started, and WOL will log on as many times as specified in the profile.
3. The computer is rebooted four times, and WOL logs on and boots the computer.
4. The computer is rebooted. Now, all the WOL logons specified have been used and WOL is disabled on
the computer.
The Wake-on-LAN settings are located under Full Disk Encryption > System Settings > Wake on LAN.
The following settings are available for Wake on LAN:

Enable Wake on LAN
  Enables Wake-on-LAN functionality. This setting will cause the computer to automatically boot the
  operating system.
  Note - On a machine on which Wake on LAN is enabled, successfully logging on to the management
  console will disable Wake on LAN. After being disabled, Wake on LAN must again be enabled via this
  setting. An example of this is when an administrator is deploying updates to remote machines,
  updates that require reboot and restart, and thus require that Wake on LAN be enabled. But a logon
  to the management console indicates that a user is currently using the machine, so Wake on LAN is
  automatically disabled so the user can carry on working and not be disrupted by the update. To
  re-enable Wake on LAN, use this setting.

Set Max Number of Logons Allowed
  Sets the maximum number of Wake-on-LAN logons allowed, if any.
  Note - This setting and Set Expiration Date must be specified for Wake on LAN to start.

Set Expiration Date
  Sets the date on which the Wake-on-LAN functionality will be disabled.
  Note - This setting and Set Max Number of Logons Allowed must be specified for Wake on LAN to start.


Logon
The Logon settings apply to the Full Disk Encryption preboot logon. The Logon settings are located under
Full Disk Encryption > System Settings > Logon. The following settings are available for Logon:

Set Logon Verification Time
  Sets the number of seconds that the verification text for a successful logon is displayed, or
  disables the display of the logon verification text.

Set Max Failed Logons Before Reboot
  Sets the maximum number of failed logons allowed before a reboot is invoked, or disables this
  function.


Chapter 4
Configuring Group and User Account
Settings
This chapter introduces the configurable settings for both groups and user accounts, which you will create
later. These settings are related to logging on, authentication, and permissions.
Each setting has a default value, but a value that you set (specify) always overrides a default value. Thus,
for certain important settings, for example, those related to password policy, you may want to set the values
rather than relying on the defaults.
In This Chapter
Local Settings for Groups and User Accounts ............................. 24
System Settings for Groups .............................................. 25

Local Settings for Groups and User Accounts
To open the Local Settings:
1. Start Full Disk Encryption and select one of the following:
   - Local in the folder tree to the left
   - Go To Local under Local Installation in the main panel

   The Local dialog box is displayed:

2. Click Edit Settings to display the Local folder tree in the left panel.
   These settings can be specified for both groups and user accounts.
3. Do one of the following:
   - For group settings: Under Groups, expand the System folder to see the folders that contain
     Group Settings.
   - For user account settings: Under User Accounts, expand the tree for a user (admin1 in the
     example below) and then expand the Account Settings folder that is displayed. You see the
     folders containing the account settings.
   Notice that the same settings exist for both groups and user accounts:

System Settings for Groups
Click System under Groups.


The following settings are displayed:

Table 4-9 System Settings for Groups

GUID
  (Globally Unique Identifier) The GUID is a unique reference number that identifies each group and
  user account. GUIDs are used internally by Full Disk Encryption to guarantee each group's and user
  account's uniqueness.

Expiration Date
  This is where you specify an expiry date for user accounts.

Group Settings
Click Group Settings.
The folders containing group settings are displayed:


Logon Settings
Click Logon under Group Settings.
The following settings are displayed:

Table 4-10 Logon Settings

Set Max Failed Logons
  Set the maximum number of failed logons allowed before the account is locked.

Authentication Settings
Fixed Password
Click Fixed Password.


The following settings are displayed:

Table 4-11 Fixed Password Settings

Require Letters and Digits
  If set to Yes, both letters and digits must be used in passwords.

Enable Case Sensitivity
  Accept uppercase and lowercase letters in passwords. If the check box is cleared, all letters are
  interpreted as uppercase regardless of their case when entered.

Allow Special Characters
  Allow the use of the following special characters in passwords:
  !"#$%&()*+,-./:;<=>?@{}

Allow Consecutive, Identical Characters
  Accept passwords having more than two consecutive, identical characters.

Require Upper and Lower Case
  Passwords must contain both upper- and lowercase characters.

Allow Embedded Space Characters
  Passwords may contain embedded space characters.

Allow Leading or Trailing Characters
  Passwords may contain leading or trailing characters, or both.

Allow Password of Adjoining Characters
  Passwords may consist of a series of characters from adjoining keys on a keyboard.

Set Minimum Length
  Set the minimum length for passwords.

Set Maximum Age
  Set the maximum allowed age of a password in days.
  Note - If you specified a maximum age at the group level, and later decide you want it set at the
  user account level, do the following: to clear the setting, set the value to 0 (unlimited). (Do not
  use "Disable", which disables only this feature.)

Password History
  Number of passwords that must be used before a previously used password may be used again. If
  password settings are changed in Fixed Password, the changes appear the next time the password is
  changed in Full Disk Encryption Management Console.

Note - If you specify that a group of accounts must use fixed passwords, you must ensure that the
settings for the passwords meet strict security standards:
- Always specify complex passwords that require letters, numbers, special characters and spaces. Do
  not include repeating characters.
- Use a mix of uppercase and lowercase letters.
- Use non-alphanumeric symbols such as the dollar sign ($) and percentage symbol (%).
- Make sure the password does not include any word that can be found in a dictionary; you can use
  parts of words.
- Make sure the password can be remembered without having to be written down.
- When deploying Full Disk Encryption, create a policy to go with the password, including end-user
  education and enforcement as well as a procedure for action if someone forgets their password or
  simply cannot get it to work.
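A checker for the fixed-password settings of Table 3-7 (system passwords policy) and Table 4-11 (group fixed-password settings), added here as an example and not the product's own validation. Two readings are assumptions: "leading or trailing characters" is taken to mean space characters, as Table 5-18 names the setting, and "adjoining keys" is judged against the QWERTY rows declared in the code.

```python
"""Checker for the fixed-password settings in Tables 3-7 and 4-11.  Added example, not
Check Point code; the product's own checks may differ in detail.  Assumptions: "leading or
trailing characters" means space characters, and "adjoining keys" is judged against the
QWERTY rows below."""
from dataclasses import dataclass

# Special characters the guide lists for Allow Special Characters.
SPECIAL_CHARACTERS = frozenset('!"#$%&()*+,-./:;<=>?@{}')

# Assumed keyboard model for Allow Password of Adjoining Characters.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


@dataclass(frozen=True)
class FixedPasswordPolicy:
    """One field per setting; the defaults match Table 5-18 (six characters, all else off)."""
    require_letters_and_digits: bool = False
    case_sensitive: bool = False
    allow_special_characters: bool = False
    allow_consecutive_identical: bool = False
    require_upper_and_lower: bool = False
    allow_embedded_spaces: bool = False
    allow_leading_or_trailing_spaces: bool = False
    allow_adjoining_characters: bool = False
    minimum_length: int = 6   # 0 means no minimum length restriction
    history: int = 0          # 0 means Password History is disabled


def is_adjoining_key_sequence(password: str) -> bool:
    """True when the whole password runs along one keyboard row, forwards or backwards."""
    s = password.lower()
    return len(s) >= 2 and any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def has_run_longer_than(s: str, limit: int) -> bool:
    """True when some character repeats more than `limit` times in a row."""
    run, last = 0, None
    for ch in s:
        run = run + 1 if ch == last else 1
        last = ch
        if run > limit:
            return True
    return False


def check_password(password: str, policy: FixedPasswordPolicy,
                   previous_passwords: tuple[str, ...] = ()) -> list[str]:
    """Return the names of the settings the password violates (an empty list means accepted)."""
    # With case sensitivity off the product treats every letter as uppercase, which is why
    # Require Upper and Lower Case can never be satisfied in that mode.
    pw = password if policy.case_sensitive else password.upper()
    violations = []
    if policy.minimum_length and len(pw) < policy.minimum_length:
        violations.append("Set Minimum Length")
    if policy.require_letters_and_digits and not (
            any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        violations.append("Require Letters and Digits")
    if not policy.allow_special_characters and any(c in SPECIAL_CHARACTERS for c in pw):
        violations.append("Allow Special Characters")
    if not policy.allow_consecutive_identical and has_run_longer_than(pw, 2):
        violations.append("Allow Consecutive, Identical Characters")
    if policy.require_upper_and_lower and not (
            any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        violations.append("Require Upper and Lower Case")
    if not policy.allow_leading_or_trailing_spaces and pw != pw.strip(" "):
        violations.append("Allow Leading or Trailing Characters")
    if not policy.allow_embedded_spaces and " " in pw.strip(" "):
        violations.append("Allow Embedded Space Characters")
    if not policy.allow_adjoining_characters and is_adjoining_key_sequence(pw):
        violations.append("Allow Password of Adjoining Characters")
    # Password History: the new password may not repeat any of the last N passwords.
    recent = previous_passwords[-policy.history:] if policy.history else ()
    if any((p if policy.case_sensitive else p.upper()) == pw for p in recent):
        violations.append("Password History")
    return violations


if __name__ == "__main__":
    strict = FixedPasswordPolicy(require_letters_and_digits=True, case_sensitive=True,
                                 allow_special_characters=True, require_upper_and_lower=True,
                                 minimum_length=8, history=3)
    for candidate in ("Tr0ub4dor&3", "Abc123", "qwerty"):
        print(candidate, "->", check_password(candidate, strict) or "accepted")
```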

Dynamic Token
Full Disk Encryption supports dynamic tokens.
Click Dynamic Token.

The following settings are displayed:

Table 4-12 Dynamic Token Settings

Challenge length
  Set the number of digits contained in the challenge.

Response length
  Set the number of digits contained in the response.

Privileged Permissions Settings
Click Privileged Permissions.
The following settings are displayed:

Table 4-13 Privileged Permissions Settings

Authority Level
  Specify the authority level of the account to Administrator or User.

Permissions Settings
Click Permissions.
The following settings are displayed:

Table 4-14 Permissions Settings

Change Password
  Set whether the account(s) are allowed to change their own fixed passwords and/or credentials.

Change Single Sign-On
  When set to Yes, the SSO Active checkbox is activated in the preboot logon dialog box. This allows
  the user to choose to disable SSO temporarily while logging into preboot by clearing the checkbox
  before continuing to boot up in Mac OS X.

Single Sign-On (SSO) Settings
When single sign-on (SSO) is enabled for a Full Disk Encryption user account, the user must authenticate
only during preboot. The user is then logged in automatically to Mac OS X. For SSO to work, the user
account name and password used to authenticate in preboot must be the username and password used in
Mac OS X. (Thus, when a temp user account is used to create an FDE for Mac user account that will use
SSO, the user must specify his/her Mac OS X username. Otherwise, SSO will be disabled for that user.)
To enable SSO, select Yes in the Enable SSO dialog box in the FDEMC (Group Settings > Single
Sign-On > Enable SSO).
After enabling SSO for a Full Disk Encryption account on a computer, Full Disk Encryption learns the
account's network credentials. At the first logon after SSO is enabled, the user logs on to the network as
usual. Full Disk Encryption stores this information securely and uses it on subsequent logons where SSO
has been enabled. When the option is not selected, no credentials are passed to the network. This permits a
different network account to be used.
When SSO is turned off, no network credentials are recorded or used, and the chain is broken. When SSO
is turned back on, the previous credentials must be specified again for SSO to function.

Note - When Remote Help is used to authenticate a user account that uses single sign-on (SSO), the
recorded SSO credentials for that user account are invalidated. This is to prevent a Remote Help
administrator from leveraging SSO to impersonate a user.

Single Sign-On and Network Password Changes
Periodically, it is necessary to change the account's network password. Full Disk Encryption looks for
Change Password dialog boxes to record the changes. At the next reboot, SSO works as usual because
the new password has already been stored.

Single Sign-On and Mac Password Changes
SSO ensures that the Full Disk Encryption password is always set to the Mac password. After they are
synchronized, changing the Mac password automatically changes the Full Disk Encryption password to the
new Mac password.

Single Sign-On
Click Single Sign-On.
The following setting is displayed:

Table 4-15 Single Sign-On Setting

Enable SSO
  Set whether single sign-on functionality is to be enabled for the account(s).


Remote Help
Click Remote Help.
The following settings are displayed:

Note - For Remote Help to function, both the user account of the Remote Help provider and that of the
Remote Help recipient must exist on the computer. Note also that the Remote Help provider's group
authority level must be equal to or higher than the group authority level of the Remote Help recipient.

Table 4-16 Remote Help Settings

Provide Remote Password Change
  Set whether or not the account(s) are allowed to provide Remote Password Change for other user
  accounts. For a user account to be able to provide Remote Help, this option must be selected in the
  provider's user account settings and the Receive Remote Password Change setting must be enabled in
  the receiver's user account settings.

Receive Remote Password Change
  Set whether or not the account(s) are allowed to receive Remote Password Change. For a user account
  to be able to receive Remote Help, this option must be selected in the receiver's user account
  settings and the Provide Remote Password Change setting must be enabled in the provider's user
  account settings.

Provide One-Time Logon
  Set whether or not the account(s) are allowed to provide One-Time Logon for other user accounts.
  For a user account to be able to provide One-Time Logon, this option must be selected in the
  provider's user account settings and the Receive One-Time Logon setting must be enabled in the
  receiver's user account settings.

Receive One-Time Logon
  Set whether or not the account(s) are allowed to receive One-Time Logon. For a user account to be
  able to receive One-Time Logon, this option must be selected in the receiver's user account settings
  and the Provide One-Time Logon setting must be enabled in the provider's user account settings.


Chapter 5
Creating Group and User Accounts
This chapter explains how to create and manage Full Disk Encryption groups and user accounts on the
computer on which you installed Full Disk Encryption.
In This Chapter
Group and User Account Basics ........................................... 35
Creating Group Accounts ................................................. 35
Adding a User Account to a Group ........................................ 38
Moving User Accounts .................................................... 44

Group and User Account Basics
In Full Disk Encryption, a user account always belongs to one (and only one) group. This means that before
you create any user accounts, you must first create one or more groups to contain user accounts.
Best practice is to create groups that contain user accounts with similar rights, access needs, and controls.
Each group you create can have completely different settings than other groups. For example, you can
create a group called Accounting, where all user accounts in the Accounting department reside. This group
can have different settings than a group you might create for Development.

Creating Group Accounts
After Full Disk Encryption is installed and you have opened the Full Disk Encryption Management Console,
you can see that a group called System has already been created. Under the System group folder, there is
a tree of User Accounts where you find the two users you defined during installation (in this example,
admin1 and admin2).
You can now create new group accounts.

To create a new group account:
1. Secondary click Groups.


The New Group button is displayed:

2. Click the New Group button and enter a group name in the New Group dialog box:

3. Click OK. The new group is now listed in the tree under Groups (in this example, it is ABC Group).
There are currently no user accounts in the User Accounts folder in ABC Group:

4. In the Group Settings folder for the new group you created, configure the relevant group settings. See
"Configuring Group and User Account Settings" on page 24.

5. Click on the group name (in this example, it is ABC Group), to display the following setting:


Table 5-17 Group Settings

Expiration Date
  Date this group expires.

6. Expand the Group Settings folder tree for the new group, and you see the folders as described in
"Configuring Group and User Account Settings" on page 24:

Default Values and How the Effective Values of Settings are Determined
If no value has been specified for a setting in either the group or user account, the default value for that
setting prevails. See the Default column in the tables below.
When the values set for a group and a user account in that group differ, Full Disk Encryption sets an
effective value, which is the most secure value for the setting. The tables below list the effective values.

Table 5-18 Password Effective Values and Default Settings

Password Settings                           Effective Value if Group and User Account Differ   Default (if no value specified)
Require Letters and Digits                  Enabled                                            Disabled
Enable Case Sensitivity                     Disabled                                           Disabled
Allow Special Characters                    Enabled                                            Disabled
Allow Consecutive, Identical Characters     Disabled                                           Disabled
Require Upper and Lower Case                Enabled                                            Disabled
Allow Embedded Space Characters             Disabled                                           Disabled
Allow Leading or Trailing Space Characters  Disabled                                           Disabled
Allow Password of Adjoining Characters      Disabled                                           Disabled
Set Minimum Length                          The larger of the two values                       Six characters
Set Maximum Age                             The smaller of the two values                      Disabled
Password History                            The larger of the two values                       Disabled

Table 5-19 Logon Effective Values and Default Settings

Logon Settings                              Effective Value if Group and User Account Differ   Default
Set Max Failed Logons                       The smaller of the two values                      Disabled

Table 5-20 Privileged Permissions Effective Values and Default Settings

Privileged Permissions Settings             Effective Value if Group and User Account Differ   Default
Authority Level                             Administrator                                      Administrator

Table 5-21 Remote Help Effective Values and Default Settings

Remote Help Settings                        Effective Value if Group and User Account Differ   Default
Provide Reset Password                      Disabled                                           Disabled
Provide One-Time Logon                      Disabled                                           Disabled
Receive Reset Password                      Disabled                                           Disabled
Receive One-Time Logon                      Disabled                                           Disabled
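The effective-value rules of Tables 5-18 to 5-21, written out as an added resolver (example code, not Check Point's). It encodes the three cases the section describes: neither side set, one side set, and both set but different. Treating 0 as Disabled/unlimited for the numeric settings, so that a real limit beats "no limit" under a "smaller of the two values" rule, is an assumption.

```python
"""Resolver for the effective value of a group/user-account setting per Tables 5-18 to
5-21.  Added example, not Check Point code.  Assumption: numeric settings use 0 for
Disabled/unlimited, so under a "smaller of the two values" rule a 0 is treated as no
limit and the other value wins."""
from dataclasses import dataclass
from typing import Optional, Union

Value = Union[str, int]


@dataclass(frozen=True)
class Rule:
    combine: str     # "max"/"min": numeric; any other string is the value that wins outright
    default: Value   # applies when neither the group nor the user account sets the value


RULES: dict[str, Rule] = {
    # Table 5-18, password settings
    "Require Letters and Digits": Rule("Enabled", "Disabled"),
    "Enable Case Sensitivity": Rule("Disabled", "Disabled"),
    "Allow Special Characters": Rule("Enabled", "Disabled"),
    "Allow Consecutive, Identical Characters": Rule("Disabled", "Disabled"),
    "Require Upper and Lower Case": Rule("Enabled", "Disabled"),
    "Allow Embedded Space Characters": Rule("Disabled", "Disabled"),
    "Allow Leading or Trailing Space Characters": Rule("Disabled", "Disabled"),
    "Allow Password of Adjoining Characters": Rule("Disabled", "Disabled"),
    "Set Minimum Length": Rule("max", 6),
    "Set Maximum Age": Rule("min", 0),
    "Password History": Rule("max", 0),
    # Table 5-19, logon settings
    "Set Max Failed Logons": Rule("min", 0),
    # Table 5-20, privileged permissions
    "Authority Level": Rule("Administrator", "Administrator"),
    # Table 5-21, remote help settings
    "Provide Reset Password": Rule("Disabled", "Disabled"),
    "Provide One-Time Logon": Rule("Disabled", "Disabled"),
    "Receive Reset Password": Rule("Disabled", "Disabled"),
    "Receive One-Time Logon": Rule("Disabled", "Disabled"),
}


def effective_value(setting: str, group: Optional[Value], account: Optional[Value]) -> Value:
    """Combine a group value and a user-account value (None means not specified)."""
    rule = RULES[setting]
    if group is None and account is None:
        return rule.default                  # neither side set it: the default prevails
    if group is None or account is None or group == account:
        return account if group is None else group   # a set value always overrides a default
    if rule.combine == "max":
        return max(group, account)           # e.g. the longer minimum length
    if rule.combine == "min":
        limited = [v for v in (group, account) if v]   # 0 = unlimited (assumption)
        return min(limited) if limited else 0
    return rule.combine                      # the value the table names wins outright


def resolve_all(group_settings: dict[str, Value],
                account_settings: dict[str, Value]) -> dict[str, Value]:
    """Effective value for every setting in the tables, given what each side specified."""
    return {name: effective_value(name, group_settings.get(name), account_settings.get(name))
            for name in RULES}


if __name__ == "__main__":
    for name, value in resolve_all({"Set Minimum Length": 10, "Set Maximum Age": 90},
                                   {"Set Minimum Length": 8, "Set Maximum Age": 0}).items():
        print(f"{name}: {value}")
```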

Adding a User Account to a Group
When you open the Full Disk Encryption Management Console, you can see that a group called System has
already been created. Under the System group folder is a tree of User Accounts where you find the two user
accounts you defined during installation.

These two users are assigned administrator privileges, that is, Privileged Permissions is set to
Administrator and the Permissions are set to Yes. Almost all other user accounts you define are assigned
significantly more restricted privileges than those of an administrator.

To add another user account to the group:


1. Secondary click User Accounts.
The Add User Account button becomes active:

2. Click Add User Account to activate the User Account wizard:


Table 5-22 User Account Dialog Fields

User account name
  The name must be 1-31 characters long. See Endpoint Security Full Disk Encryption for Mac Release
  Notes for the keyboards (locale codes) supported.

Type of user account
  The type of user account can be:
  - Normal: A regular user account is usually created for users of the computer on which you are
    working. This account can also be used as an administrator account and be included in a profile
    when you deploy Full Disk Encryption.
  - Temporary: This account is used in a profile to create user accounts for large-scale deployment
    of Full Disk Encryption, without the need to create individual user accounts manually.
  When someone logs in using a temporary user account when Full Disk Encryption is deployed to a
  computer, she is prompted for a new user account name and password. Based on the new user account
  name and password, Full Disk Encryption creates a new user account and deletes the temporary
  account. This makes large-scale deployment of Full Disk Encryption easy, as one Full Disk Encryption
  profile can be used for all computers and you do not need to know exactly which user is on what
  computer.
  A temporary account can also be created to limit the time the user can access the computer.
  For more information on profiles, see "Working with Installation and Update Profiles" on page 51.
  Note - As an alternative and preferred method to creating new user accounts with a temporary user
  account, you can use the User Account Acquisition setting. This setting enables Full Disk Encryption
  to acquire Macintosh user accounts automatically and use them to set up Full Disk Encryption user
  accounts. For more information, see "User Account Acquisition" on page 20.

Authentication method
  Authentication for this user account is done via:
  - Password
  - Dynamic Token

3. After specifying the logon name, type and password authentication method, click OK.
A temporary user account is defined in the same way as a normal user account.


Password Authentication
1. Fill in the password details:

Table 5-23 Password Fields

Password protection
  The password must meet the criteria you specified for fixed passwords in Group Settings. While you
  enter the password and confirm it in the Confirm Password text box, the label Password Match
  displays a red icon until the password is matched. The red icon displays until the password meets
  all the configured criteria for passwords. When criteria are met, a green icon displays.

Confirm Password
  Enter the password you entered in the Password text box.

Force change of password at next logon
  Selecting this option forces the user to specify a new user account password at the next logon.

Password Rules
  Password rules shown here are according to the password policy set for the user account. If the
  user account is new, that is, not an existing account that you are editing, the following default
  password rules apply:
  - Length
  - Adjoining Characters
  - Retype Match
  A red icon displays next to each of the labels until a password meeting all password criteria is
  entered. The icons then turn green and the user can proceed to the next page.

2. Click Next, and after viewing the result do one of the following:

If you are satisfied, click Finish.

If you want to make changes, click Back, make the changes and click Finish.

Use the above procedure to define any other user accounts that will use password authentication.

Dynamic Token Authentication


To use dynamic token authentication:
1. Enter logon name and type of account, and select Dynamic Token:

2. Click Next.

3. Enter the required information:

Table 5-24 Dynamic Token Dialog Fields

Dynamic Token Key: Enter the token key you received with the token from Check Point.

Challenge Length: Must be 4 or 8 characters in length.

Response Length: Must be 4 or 8 characters in length.

Challenge Format: Choose either Hexadecimal or Ascii.

Response Format: Choose either Friendly or Decimal.

4. Click Next, and do one of the following:

If you are satisfied, click Finish.

If you want to make changes, click Back, make the changes and click Finish.

Use the above procedure to define any other user accounts that will use dynamic token authentication.

Moving User Accounts


You cannot move a user account from one group to another. You must delete the user account from its
current group and then redefine it in the other group.

Chapter 6
Working with Configuration Sets
This chapter explains configuration sets and how to create, use, and manage them.
In This Chapter
Set Basics ........................................................................ 45
Root Directory Path ......................................................... 45
Creating a New Set .......................................................... 46
Set Management .............................................................. 49

Set Basics
Configuration sets, hereafter referred to as sets, are share (or collection) points where you store the profiles
you use to carry out your remote management tasks. Typical remote management tasks include installing
(and uninstalling) Full Disk Encryption on remote clients and updating the configuration on remote clients,
and so on.
Best practice is to create sets to collect logical groupings of profiles. For example, you can create
Set_Accounting to house the profiles for the Accounting department, Set_Development for profiles
belonging to the Development department, and so on.

Root Directory Path


When you define a set, one of the things you do is specify a root directory path, for example, /var/share/fde.
This path serves as the central repository for the Full Disk Encryption deployment. The root directory path
points to shared directories on a server. The shared directories are created automatically when you create a
set, but you may have already created the recovery directory manually when you performed the master
installation. These directories are described below.

Directories
Storage
The Storage directory is where you store profiles while you edit them in the Full Disk Encryption
Management Console prior to publishing them. As long as the profiles are in this directory, they cannot be
pulled by clients. It is a dedicated share for profile development.

Install
The Install directory is where you publish installation packages, installation profiles, and other configuration
files that clients need to access to install Full Disk Encryption, for example, the Full Disk Encryption
Install.pkg file.

Recovery
The Recovery directory is where Full Disk Encryption stores recovery files and serves as the target directory
for clients' recovery files. Recovery files contain information required to decrypt the Full Disk
Encryption-protected computer. You normally create the recovery path during the master installation. For
more information on recovery, see "Recovery Media" on page 75.
In a profile, this path is referred to as the Recovery Path. Set it by editing the profile and specifying the path to
use in System Settings > Install > Set Recovery Path.

Update
The Update Profile directory is where update and uninstall profiles are published so they can be pulled by
the clients.
In a profile, this path is referred to as the Update Profile Path. Set it by editing the profile and specifying the
path to use in System Settings > Install > Set Update Profile Path.

Creating a New Set


Note - Profiles in a storage directory display in all sets that share that
same profile storage directory. Therefore, to keep your profiles
organized, define a separate profile storage directory for each set.

To create a new set:


1. Start the Full Disk Encryption Management Console (FDEMC) and select Remote:

2. Click New Set.


The Create New Set Wizard opens:

3. Enter a name that makes clear what the configurations and profiles belong to, for example
"Set_Accounting" for a set that contains the configuration and profiles for the accounting department,
"Set_Development", etc.
You can select Automatically create a directory structure if you want Full Disk Encryption to create
folders. This requires that you have previously configured a root directory on which to create the
directory structure. This root directory must be a shared folder on the network, for example:
/var/share/
You must also have the required permissions to create the directories. If these conditions are met, and
you specify the shared folder under Enter the root directory in which the directories will be created,
the Full Disk Encryption Management Console automatically creates the following subfolders in the
shared folder and displays them in the relevant fields of the wizard:
<shared folder>\storage
<shared folder>\install
<shared folder>\recovery
<shared folder>\update

4. Click Next.
The Name dialog box opens:

5. Specify a storage path, the path to a directory that holds the profiles while you edit them.
The profiles you are working on are stored in this directory until you publish them. As long as they are in
the storage directory, you can edit them, and they cannot be pulled by remote clients. You must click
Add for the path to be included in the set.

6. When no more paths are to be added, click Next:

7. Specify an Install path, the path to a directory containing the Full Disk Encryption installation package.
You must click Add for the path to be included in the set.

8. Specify the recovery path, the path to the directory where the set's recovery files are located and to
which clients copy their recovery files.
This path must also be set in the profiles that are put in this directory; in the profile, this path is referred
to as the Recovery Path, and is set by editing the profile and setting this path in System Settings >
Install > Recovery Path. You must click Add for the path to be included in the set.

9. Create the set by clicking Finish.

The set is created. The set configuration is saved when the set is created.
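The following is an added example and not Check Point's own tooling: a POSIX shell script that creates the four subdirectories the wizard expects under a root directory such as /var/share/fde, and then audits their permissions so that unpublished profiles in the storage directory cannot be read by clients while the install, update and recovery directories remain reachable. The mode values, and the assumption that the share root is a local path on the file server, are ours; the guide only states that clients need read and execute permission to the published directories and that clients copy recovery files into the recovery directory.

```shell
#!/bin/sh
# Added example (not part of the guide). Creates and audits the directory
# layout of a Full Disk Encryption configuration set. Assumptions: the share
# root is a local path on the file server, and the permission modes below
# are our choices, not values the guide prescribes.

# Create <root>/storage, <root>/install, <root>/recovery and <root>/update.
create_set_dirs() {
    root="$1"
    mkdir -p "$root/storage" "$root/install" "$root/recovery" "$root/update" || return 1
    # Unpublished profiles must not be pulled by clients: administrators only.
    chmod 700 "$root/storage"
    # Clients need read and execute permission to pull packages and profiles.
    chmod 755 "$root/install" "$root/update"
    # Clients copy their .rec files here, so they need write and execute;
    # the sticky bit stops one client deleting another client's file.
    chmod 1773 "$root/recovery"
    return 0
}

# Audit an existing set root. Prints one line per problem; returns 0 only
# when every directory exists with the expected "others" permission.
audit_set_dirs() {
    root="$1"
    problems=0
    for d in storage install recovery update; do
        if [ ! -d "$root/$d" ]; then
            echo "missing directory: $root/$d"
            problems=$((problems + 1))
            continue
        fi
        # Octal mode (GNU stat first, BSD/macOS stat as fallback); the last
        # digit is the "others" permission, which is what clients get when
        # the share is exported to every Mac.
        mode=$(stat -c %a "$root/$d" 2>/dev/null || stat -f %Lp "$root/$d")
        others=${mode#"${mode%?}"}
        case "$d:$others" in
            storage:0) ;;
            storage:*)
                echo "storage is readable by clients: $root/$d (mode $mode)"
                problems=$((problems + 1)) ;;
            install:5|install:7|update:5|update:7) ;;
            install:*|update:*)
                echo "clients cannot read/execute: $root/$d (mode $mode)"
                problems=$((problems + 1)) ;;
            recovery:3|recovery:7) ;;
            recovery:*)
                echo "clients cannot write recovery files: $root/$d (mode $mode)"
                problems=$((problems + 1)) ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# Usage: sh set_dirs.sh /var/share/fde
if [ -n "${1:-}" ]; then
    create_set_dirs "$1" && audit_set_dirs "$1"
fi
```

Run the audit again after the share has been exported and mounted on a client; if the export maps client users to a group rather than to "others", adjust the digit the script inspects accordingly.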

Set Management
After you create a set, Full Disk Encryption provides a dialog box where you can manage the set and view
information about it.

To manage a set:
Click the set name in the Full Disk Encryption Management Console.
The following dialog box is displayed:

Table 6-25 Set Management Dialog Box

Set name: Name of the set you selected.

Created: Date and time the set was created.

Profile Storage Path: Path where profiles for this set are stored.

Update Profiles Path(s): Path where update profiles for this set are stored.

Installation Profiles Path(s): Path where installation profiles for this set are stored.

Actions: The links in the Action section allow you to edit set properties and open wizards to help you to create a new profile, publish a new profile, and create recovery media.

Last Published Profile: Publication date and time of the profile most recently published to this set.

Notes: A free text area where you can enter information or notes about the set.

Chapter 7
Working with Installation and Update
Profiles
This chapter explains how to create Full Disk Encryption profiles that you can use to:

Install Full Disk Encryption on the computers (client machines) in your networks

Uninstall/remove Full Disk Encryption from client machines

Manage the user accounts, groups and other settings on client machines
In This Chapter
Working with Profiles: an Overview ............................ 51
Full Disk Encryption Profile Basics ............................. 52
Creating Installation Profiles ....................................... 53
Working With Update Profiles ...................................... 59
Deploying Profiles .......................................................... 61
Updating Full Disk Encryption Software ........................ 63

Working with Profiles: an Overview

The following graphic provides a bird's-eye view of working with Full Disk Encryption profiles. The
administrator creates a profile and, depending upon the deployment method, either places it in a directory
where users can access it or sends it out to users silently or interactively.

Full Disk Encryption Profile Basics


Full Disk Encryption profiles contain user and group account information, the settings which control which
volumes are to be encrypted, who can access the drives, privilege levels, and update settings.

What's in a Profile?
All profiles contain system settings. They can also contain group settings and user account settings;
however, these settings are optional.

System Information
System information includes paths to the central server where recovery files, update profiles and software
updates are stored. It also includes settings related to, for example, installation and Remote Help.
In addition, installation profiles also contain information on which disk volumes are to be protected by Full
Disk Encryption, the encryption algorithms to be used, and the type of security (encryption and boot
protection, or boot protection only) to be used.

Group Information
Group information contains the system settings for local groups and their authorization rights, including the
user's right to receive Remote Help and security settings. Group information also contains the privileges for
administrators and user accounts at the group level.

User Account Information


User account information contains settings for individual user accounts, including the account's authorization
for different volumes, Remote Help and security settings. User account information also contains the
privileges for administrators and user accounts.

Profile Types
There are three types of Full Disk Encryption profiles:

Installation profiles

Update profiles

Uninstall profiles

Installation Profiles
An installation profile, which is called an install profile in Full Disk Encryption Management Console,
contains the group and user account information and system settings you configured. You deploy the install
profile together with the Full Disk Encryption Install.pkg file to install Full Disk Encryption on one
or many clients.
You can deploy an installation profile in the following ways:
Interactive installation: You create and save an install profile on a secure workstation. You then move the
install profile and the .pkg file to the install directory, a secure shared directory on the network. The install
profile can be started from any device that can map a drive and install a .pkg file from that location. The
installation proceeds in much the same way as a master installation, except the client user is not prompted
to create administrator accounts or insert the Check Point license. See "Publishing an Install Profile" on
page 61.
Silent installation: You write a command that causes Full Disk Encryption to be installed on the client
without any interaction with the user. See "Deploying an Install Profile Silently" on page 62 for details.

Update Profiles
As changes in security requirements and personnel occur, you deploy update profiles, which contain new or
changed settings, to Full Disk Encryption-protected computers.
You do this by creating and placing an update profile in the Update directory on the designated file server.
Full Disk Encryption-protected computers regularly check this directory for new update profiles. When they
find a new update profile they download it automatically and implement the changes. For more information,
see "Creating an Update Profile" on page 59.

Uninstall Profiles
An uninstall profile contains the settings needed to remove Full Disk Encryption from a Mac. If, for any
reason, you need to remove Full Disk Encryption from computers in your network, you can do so by placing
an uninstall profile in the Update directory. See "Removing Full Disk Encryption" on page 70 for more
information.

Preparing to Work With Profiles


Create Configuration Sets
Each profile must belong to a set, which helps you locate and organize your profiles. Therefore, you must first
create a set or sets before you create profiles. For example, you might want to have a set for each
department's profiles if they differ.
See "Working with Configuration Sets" on page 45 for more information.

Basing a New Profile on Another Profile or Local Settings


To make it easier to specify system settings, group settings, and user account settings in a new profile, you
can base the new profile on

An existing profile, or

The local settings of the computer on which you create the profile.

When you base a new profile on local settings or an existing profile, you can select which settings you want
to use (if you do not choose to base it on Group Settings, the User Account Settings choice is grayed out
and cannot be selected).

Note - A new installation or upgrade profile inherits the Check Point
license number of the computer on which it is created even if Base
new profile on Existing profile or existing settings is not selected.

Creating Installation Profiles


The process of creating and deploying an installation profile involves:

Creating the profile.

Adding group and user accounts.

Configuring the profile settings.

Deploying the profile to computers in the network; see "Deploying Profiles" on page 61.

Note - Before you can create any profiles, ensure the Update
Validation Password (Local > Edit Settings > System Settings >
Install) is set.
In addition, you should already have the appropriate set or sets in
place. For the purposes of the following instructions, we created three
sets: Set Accounting, Set Development and Set Sales. See "Working
with Configuration Sets" on page 45 for instructions on creating sets.

To create an installation profile:


1. Start the Full Disk Encryption Management Console and do one of the following:

Click Remote > <setname> > New Profile

Click Remote > New Profile:

The New Profile Wizard is displayed:

2. Click Next.

3. Select the set in which you want to include the installation profile, and click Next:

4. Select Install, and click Next:

5. Enter the name of the new profile (in this example, it is install_accounting).
Note - The / character is not allowed in profile names. For example,
update profile.upp is a valid profile name, but update
profile/admin.upp is not.
6. Enter and confirm the password, which is required when you edit the profile.
Note - The password policy applied to the password specified here is
the default policy for the profiles. It consists of the three rules shown in
the Password Rules section of the New Profile dialog box.
7. Click Next:

8. Select Existing profile or local settings to base the profile on the local settings of the computer on
which you are creating the profile or on an existing profile:

9. You can either click Next or select to base the profile on Existing profile or local settings, and then
click Next.
If you click Next without choosing to base the profile on an existing profile or local settings, the profile is
based on default system settings only.
10. If you select to base the profile on Existing profile or local settings, you must then either browse to an
existing profile, or

Double-click on a set that contains a profile you want to base the new profile on and then select the
profile, or

Specify which local settings the new profile is to be based on (System, Group, or User Account).
11. Make your choice, and click Next.

12. View the information and, if satisfied, complete the creation of the profile by clicking Finish:

You are returned to the Full Disk Encryption Management Console.


13. Click the OK button at the lower right of the console.

The installation profile created in this example is displayed under Set Accounting:

Sanity Checks
The profile you just created contains system settings that are installed on the client machines when you
deploy the profile.
When you click OK, Full Disk Encryption performs a number of sanity checks on the profile before you can
save it. The Settings That Might Have Undesirable Effects window displays the results of the sanity
checks, for example:

You must fix the problems listed in the sanity check dialog box before the profile can be created.
The following sanity checks are performed on the profile:

Are there any accounts in the profile for which no type of authentication has been defined?
This warning occurs only when you create a profile based on local settings. You must manually set the
authentication:
1. Secondary click each user in the tree structure.
2. Select Name and Authentication.
3. Define the authentication details.

Is at least one user account defined in this installation profile?


If no user accounts are defined in the profile, no user account can log on to the machine on which Full
Disk Encryption is installed with this profile.

Do at least two user accounts in the profile have authority level set to administrator?
Recovery media cannot be created, and the system cannot be recovered unless at least two user
accounts have administrator authority on the machine on which Full Disk Encryption is installed with this
profile.
You cannot remove Full Disk Encryption from the machine on which it has been installed with this profile
unless the profile contains at least two user accounts that have administrator authority.

Has an expiration date been set for each temp user account in the profile?
You should define an expiration date for each temp user account. If you do not, you are warned about
each temp user account that does not have an expiration date defined.

To make changes to settings that have caused a warning in the Settings That Might Have
Undesirable Effects window:

Click OK to acknowledge the sanity check dialog box and then alter the relevant setting or settings.
Each time you make corrections and click OK to create the profile, the sanity checks are performed, and
any warnings of problematic settings are displayed. If none of the sanity checks produce a warning, the
profile is created.

The new profile is prepopulated with the local System Settings of the machine on which the profile was
created. If any of these values have not been set on the local machine, the Full Disk Encryption default
values are used. It is good practice to examine the System Settings in the profile and make any required
changes.

Creating Groups and User Accounts in the Profile


The next step is to create groups and user accounts in the profile you created.

To create groups and user accounts:


1. In FDEMC Remote, double-click the profile symbol and create groups and user accounts.
2. Define a group that contains at least two administrator user accounts.
Note - Best practice: Create another group in which you define a
temporary user account. It is preferable to work with group settings
rather than with individual user account settings.
There are two reasons a specific group should be created for the
temporary user:

The settings should be completely separate from those of the
administrator accounts.

This group can be used to delete user accounts created with a
temporary user account. For instructions on doing this, see
"Deleting user accounts created with a temporary user
account" on page 61.

3. Examine the default settings in the installation profile and decide if they are to your satisfaction:

System Settings: If necessary, change the settings to the desired values. See "Configuring System
Settings" on page 14 for a description of these settings.

Group settings for the Administrator group: Set the permissions for the group that contains the
administrators. Administrators usually have stricter rules for passwords than normal user accounts.
See "Configuring Group and User Account Settings" on page 24 for a description of these settings.

Group settings for the group containing the temp user.


The profile is now ready for deployment. See "Deploying Profiles" on page 61 for instructions.

Working With Update Profiles


You can update security settings on Full Disk Encryption-protected computers easily by creating and
deploying an update profile.
You can either create an update profile from scratch or base it on an already existing installation or update
profile.

Note - Basing the update profile on an existing profile can cut down on
configuration time.
An update profile applies all settings from the user account and group settings to the target installation(s).

Creating an Update Profile


To create an update profile:
1. Follow the same procedure as for "Creating Installation Profiles" on page 53, however, in step 4, select
Update instead of Install:

2. Follow the rest of the procedure "Creating Installation Profiles" on page 53 to complete the update
profile.
If you wish to base the update profile on an existing profile, select the appropriate option in the wizard
when prompted.

Configuring Update Profiles


You can add, edit, and delete group and user accounts on a Full Disk Encryption-protected computer by
configuring accounts in an update profile. These tasks are done in the update profiles the same as for
installation profiles. See "Configuring Group and User Account Settings" on page 24 and "Creating Group
and User Accounts" on page 35.

Commonly Used Configurations in Update Profiles


The following is explanatory information for certain settings that are commonly used in update profiles.

Remove User Account and Mark for Removal


Judging from their names, these two settings may seem similar. They have different functions, however, and
it is important that you employ the right one for the task you want to accomplish with the update profile.
To view these settings, secondary click on the user account you want to work with in the update profile.

Remove user account: Remove user account deletes all data regarding the user or group in the profile. If
you deploy this profile, it does not affect the users or groups you just removed, because no information
about these users or groups is left in the profile.
Because Remove user account simply removes data from the profile, it is a way to edit the contents of a
profile. You might have five groups, and want to update a setting for only one of the groups. In this case, you
could remove the four groups you do not want to affect, leaving only the group you want to change in the
profile.
Mark for removal: When marking a group or user account for removal, the group or user remains in the
profile and acts as a container for sending the information to remove the group or user on the machine(s)
the profile is deployed to.
Mark for Removal is used to remove data at remote machines; in other words, all the information about the
user or group is in the profile because it has to be sent to the client(s) where it removes the user or group.
The information must be sent to the client, so it is designated as "Mark for Removal" to signify to the admin
that this user or group is to be removed on the client machine(s).

Ensuring that the Required User Accounts are in Place


To get the relevant user accounts on the machines that require them:
Alternative 1
1. Install Full Disk Encryption on the admin machine.
2. Create the installation profile to install Full Disk Encryption on the client machines.
3. Create an update profile based on the installation profile used to install on the client machines, including
Admin_A and Admin_B in this update profile. Thus, Admin_A, Admin_B, Admin_C, and Admin_D
will be on the admin machine and Admin_C and Admin_D will be on the client machines.
4. Update the admin machine using the update profile created in the previous step.

Alternative 2
1. Install Full Disk Encryption on the admin machine.
2. Create the installation profile to install Full Disk Encryption on the client machines.
3. Uninstall Full Disk Encryption from the admin machine.
4. Use the installation profile created above to install Full Disk Encryption on the admin machine after
adding Admin_A and Admin_B to the profile. Now Admin_A, Admin_B, Admin_C, and Admin_D are
on the admin machine and Admin_C and Admin_D are on the client machines.

Deleting user accounts created with a temporary user account


To delete user accounts created with a temporary user account:
1. Create an update profile based on the install profile containing the temporary user account, based only
on Groups.
2. Open the update profile for editing and remove all groups except the one that contains the temporary
user.
3. Mark the only remaining group for removal.
4. Save the profile by clicking OK.
5. Place this profile in the Update folder on the client machine from which you want to remove the user
account.

Note - Do not place the profile in the shared Update Profile directory
because this causes the deletion of all user accounts created with the
temporary user account.

Deploying Profiles
Note - All computers on which you want to deploy Full Disk Encryption
profiles must have read and execute permissions to the applicable
directory, that is, the Profile, Update, or Install directories.

Deploying an Install Profile


Deploying an install profile causes Full Disk Encryption, with the settings you configured, to be installed on
the clients to which it is deployed.
You can deploy an installation profile interactively or silently.
Both types of deployment are carried out in two stages: First, you publish the profile, second, the profile is
installed either interactively or silently on the client Mac.
Note - Consider the security implications when selecting the
deployment method:

With interactive deployment, users must cooperate with the
installation by clicking on the .pkg file. If they do not, Full Disk
Encryption is not installed.

With silent deployment, installation is fully automated and centrally
enforced. The user cannot choose whether to install Full Disk
Encryption.

Therefore, silent deployment is the preferred option if you want to be
sure the Macs you want to protect with Full Disk Encryption are in fact
protected.

Publishing an Install Profile


To publish an install profile:
1. Secondary click the profile.

The Update Profile paths that have been configured in the set are displayed as selectable choices under
Publish profile.
2. Select the configured update profile path you want.
The profile is automatically copied to the selected path.

3. Place the Full Disk Encryption Install.pkg file in the same directory as the profile.
The install profile is published. You are now ready to deploy the install profile interactively (see
"Deploying an Install Profile Interactively" on page 62), or silently (see "Deploying an Install Profile
Silently" on page 62).

Deploying an Install Profile Interactively


To deploy an install profile interactively:
1. Perform the procedure "Publishing an Install Profile" on page 61.
2. Tell the users the location of the directory where you published the profile, and instruct them to
double-click on the .pkg file to start the installation.
The installation runs in view of the user, however, the user is not prompted to create administrator
accounts nor to insert license information.
3. The user is prompted to reboot the system to complete the installation.

Deploying an Install Profile Silently


To deploy an install profile silently:
1. Perform the procedure "Publishing an Install Profile" on page 61.
2. Ensure that the client machines are configured to automatically mount the network share where you
published the install profile and the .pkg file.
3. Use the following command line to run the silent installation on the client machines:
sudo installer -pkg ./<package name> -target / <enter>
Full Disk Encryption is installed on the client Macs silently, that is, without interaction with users; and,
after a client's first reboot, FDE starts encrypting the disk.

Note - Full Disk Encryption can take several hours to encrypt the disk.
During this time, the user can continue to work. It is also possible to
initiate an uninstallation of Full Disk Encryption while it is encrypting
the disk. If you do so, Full Disk Encryption will finish encrypting, and
then decrypt the disk again before it uninstalls Full Disk Encryption.

Verifying a Full Disk Encryption Deployment


After you deploy Full Disk Encryption on the clients, it is important to verify that Full Disk Encryption is
installed and that the clients' volumes are encrypted.

Check the recovery (.rec) files found in the predefined Recovery directory/directories on the file share(s).
The number of recovery files should correspond to the number of clients deployed; that is, there should be
200 recovery files in the directory/directories if Full Disk Encryption was deployed to 200 clients. Each
recovery file is identified with the client machine's name and the computer serial number in the file name, for
example:
<computer name>_<computer serial number>.rec
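Counting files is a weak check on its own: a stale file from a decommissioned Mac inflates the count while a client that never reported stays hidden. The following added example, which is not part of the guide and not Check Point tooling, reconciles the .rec files in a Recovery directory against an inventory of the Macs the install profile was deployed to, using the <computer name>_<computer serial number>.rec naming pattern the guide describes. The inventory format (one "name serial" pair per line) and the sample machine names and serials are our own constructed assumptions.

```shell
#!/bin/sh
# Added example (not part of the guide): reconcile recovery files against
# an inventory. File names follow the guide's <name>_<serial>.rec pattern;
# the inventory format ("name serial" per line) is an assumption of ours.

# Count the .rec files in a Recovery directory.
count_rec_files() {
    n=0
    for f in "$1"/*.rec; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Print the inventory names that have no <name>_<serial>.rec in the
# directory; return 1 if any client has not reported a recovery file.
missing_recovery_files() {
    dir="$1"; inventory="$2"; missing=0
    while read -r name serial; do
        [ -z "$name" ] && continue
        if [ ! -f "$dir/${name}_${serial}.rec" ]; then
            echo "$name"
            missing=$((missing + 1))
        fi
    done < "$inventory"
    [ "$missing" -eq 0 ]
}

# Print .rec files that do not follow <name>_<serial>.rec or whose serial
# is not in the inventory (stray files, or a Mac nobody tracked);
# return 1 if any are found.
unexpected_recovery_files() {
    dir="$1"; inventory="$2"; count=0
    for f in "$dir"/*.rec; do
        [ -f "$f" ] || continue
        base=${f##*/}; base=${base%.rec}
        serial=${base##*_}
        if [ "$serial" = "$base" ] || ! grep -q -- " ${serial}\$" "$inventory"; then
            echo "${f##*/}"
            count=$((count + 1))
        fi
    done
    [ "$count" -eq 0 ]
}

# Constructed demo data: three Macs in the inventory, two recovery files
# present plus one stray file, so one client is missing.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "mac-finance-01 C02ABC001" "mac-finance-02 C02ABC002" \
                  "mac-finance-03 C02ABC003" > "$tmp/inventory.txt"
    mkdir "$tmp/recovery"
    : > "$tmp/recovery/mac-finance-01_C02ABC001.rec"
    : > "$tmp/recovery/mac-finance-02_C02ABC002.rec"
    : > "$tmp/recovery/oldlaptop.rec"
    expected=$(wc -l < "$tmp/inventory.txt" | tr -d ' ')
    echo "expected $expected clients, found $(count_rec_files "$tmp/recovery") recovery files"
    missing_recovery_files "$tmp/recovery" "$tmp/inventory.txt" \
        || echo "the clients above have not reported a recovery file"
    unexpected_recovery_files "$tmp/recovery" "$tmp/inventory.txt" \
        || echo "the files above do not belong to an inventoried client"
    rm -rf "$tmp"
}

demo
```

Run the reconciliation from the file server against the real Recovery path and an export of your asset inventory; a missing name is a Mac that either did not install or cannot write to the recovery share, and both cases mean that computer cannot be recovered.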

Deploying Update Profiles


Full Disk Encryption-protected computers check for update profiles every three hours, or if the computer is
not connected to the network, the next time the user logs on to the network.

To publish an update profile in the profile list:


1. Secondary click the profile.
The update paths that have been configured in the set are displayed as selectable choices under
Publish profile.
2. Select the configured update path you want.
The update profile is automatically copied to the selected path.

How Update Profiles Affect Logged-On Users and Administrators


Update profiles that affect the normal logged-on user: Settings are implemented the next time the user
reboots the computer.
Update profiles that affect a logged-on administrator: Updates that affect administrator rights in the local
FDEMC take effect immediately.

Updating Full Disk Encryption Software


Whenever a new version of Full Disk Encryption becomes available, you can easily deploy it to computers in
your network. Place the new .pkg file in the install directory, and tell the users where to find it. Users can
then click on the .pkg file to install it on their Macs.
Note - Users on computers on which you are updating Full Disk
Encryption must have read and execute permissions to this directory.

Changing the Graphic Images Displayed in Preboot


Before you update Full Disk Encryption, you can change the following Full Disk Encryption graphic images
to, for example, your company's logo:

Banner displayed in preboot

Background image displayed in preboot

Preboot screen saver image

Note - Do not use jpg images created with Photoshop 3.0.

To change the graphics displayed in preboot authentication:


1. Create a folder named oemvar in the folder that contains the Full Disk Encryption Install.pkg
file.
2. Add the relevant files (described below) to the oemvar folder.
During the upgrade, the files that have been added to this folder are registered as the files to be
displayed during preboot.


Table 7-26 Files to add to the oemvar folder

Filename      Description                              Specifications
Banner.jpg    Banner displayed in preboot              447w * 87h
Desktop.jpg   Background image displayed in preboot    1440w * 900h (The graphic is automatically scaled
                                                       to the native screen resolution.)
Scrsvr.jpg    Preboot screen saver image               260w * 128h
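A pre-upgrade check for the oemvar folder, added here as an example (it is not Check Point code): it reads the SOF header of each JPEG to obtain its pixel size and compares it with the sizes in Table 7-26. The sample JPEG headers are constructed inline (header only, not complete images); `make_jpeg_header` and `check_oemvar_image` are names chosen for this example.

```python
"""Check the images placed in the oemvar folder against Table 7-26.

Added example, not Check Point code. Only the JPEG frame header is parsed,
so the check works on any JPEG without decoding pixel data.
"""
import struct

# Expected (width, height) per file, from Table 7-26.
OEMVAR_SPECS = {
    "Banner.jpg": (447, 87),
    "Desktop.jpg": (1440, 900),
    "Scrsvr.jpg": (260, 128),
}

# Start Of Frame markers that carry the image dimensions (SOF0..SOF15,
# excluding DHT 0xC4, JPG 0xC8 and DAC 0xCC, which share the range).
_SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
                0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}


def jpeg_dimensions(data):
    """Return (width, height) of a JPEG, or raise ValueError if malformed."""
    if len(data) < 4 or data[0:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte, skip it
            pos += 1
            continue
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2                            # standalone markers, no length
            continue
        if marker == 0xD9:
            break                               # EOI without a frame header
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker in _SOF_MARKERS:
            if pos + 9 > len(data):
                raise ValueError("truncated SOF segment")
            # SOF layout: length(2) precision(1) height(2) width(2) ...
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return width, height
        pos += 2 + seg_len
    raise ValueError("no SOF marker found")


def check_oemvar_image(filename, data):
    """Compare a file's dimensions with OEMVAR_SPECS. Returns (ok, message)."""
    if filename not in OEMVAR_SPECS:
        return False, "%s: not one of the recognised oemvar files" % filename
    try:
        width, height = jpeg_dimensions(data)
    except ValueError as exc:
        return False, "%s: %s" % (filename, exc)
    want_w, want_h = OEMVAR_SPECS[filename]
    if (width, height) != (want_w, want_h):
        return False, "%s: is %dw * %dh, expected %dw * %dh" % (
            filename, width, height, want_w, want_h)
    return True, "%s: %dw * %dh OK" % (filename, width, height)


def make_jpeg_header(width, height):
    """Constructed minimal JPEG prefix: SOI, APP0 (JFIF) and a baseline SOF0."""
    app0 = (b"\xff\xe0" + struct.pack(">H", 16)
            + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    sof0 = (b"\xff\xc0" + struct.pack(">HBHHB", 17, 8, height, width, 3)
            + b"\x01\x22\x00\x02\x11\x01\x03\x11\x01")
    return b"\xff\xd8" + app0 + sof0


if __name__ == "__main__":
    # Constructed sample set: two correct files and one with the wrong height.
    samples = {
        "Banner.jpg": make_jpeg_header(447, 87),
        "Desktop.jpg": make_jpeg_header(1440, 900),
        "Scrsvr.jpg": make_jpeg_header(260, 120),
    }
    for name, blob in samples.items():
        print(check_oemvar_image(name, blob)[1])
```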


Chapter 8
Remote Help
Full Disk Encryption users may be denied access to their workstations for a number of reasons. For
example, they might have entered an incorrect password too many times or forgotten their password or, in a
worst case scenario, a hacker may have tried to break into their workstation.
Full Disk Encryption Remote Help is designed to assist users in these types of situations. A user simply calls
his/her designated Remote Help administrator and follows the Remote Help procedure.
In This Chapter
webRH or Full Disk Encryption Management Console? ..... 65
Implementing a Remote Help Procedure ..... 65
Types of Remote Help ..... 67
Verifying Users ..... 67
Providing Remote Help ..... 67

webRH or Full Disk Encryption Management Console?
This document describes how to use Full Disk Encryption Management Console to provide users with
Remote Help.
If you have Endpoint Security webRH, a separate Check Point product, you can provide users with Remote
Help using webRH instead of the Full Disk Encryption Management Console. For information on using
Endpoint Security webRH, see the Endpoint Security webRH Administrator's Guide. Note that the webRH
for FDE for Windows module and profiles are used to provide webRH Remote Help for FDE for Mac;
currently there is no separate webRH module for FDE for Mac.

Implementing a Remote Help Procedure


Organizations implement Remote Help procedures to suit their individual needs and resources. One method
of implementing Remote Help is as follows:

Create designated administrator account(s) for Remote Help. The number of accounts you should
create depends on your organization.

After you create the accounts, assign them to the people providing Remote Help.

Inform users whom they should call when they need Remote Help.

Note - For Remote Help to function, both the user account of the
Remote Help provider and that of the Remote Help recipient must exist on
the computer.
The Remote Help provider's group authority level must be equal to or
higher than the group authority level of the Remote Help recipient.


Remote Help Settings


To access Remote Help settings:
Start Full Disk Encryption and select Local > Edit Settings > Groups > Group Settings > Permissions >
Remote Help.

Table 8-27 Remote Help Settings

Setting
    Description

Provide Remote Password Change
    Set whether or not the account(s) are allowed to provide Remote Password Change for other user
    accounts.
    For a user account to be able to provide Remote Help, this option must be selected in the provider's
    user account settings and the Receive Remote Password Change setting must be enabled in the
    receiver's user account settings.

Receive Remote Password Change
    Set whether or not the account(s) are allowed to receive Remote Password Change.
    For a user account to be able to receive Remote Help, this option must be selected in the receiver's
    user account settings and the Provide Remote Password Change setting must be enabled in the
    provider's user account settings.

Provide One-Time Logon
    Set whether or not the account(s) are allowed to provide One-Time Logon for other user accounts.
    For a user account to be able to provide One-Time Logon, this option must be selected in the
    provider's user account settings and the Receive One-Time Logon setting must be enabled in the
    receiver's user account settings.

Receive One-Time Logon
    Set whether or not the account(s) are allowed to receive One-Time Logon.
    For a user account to be able to receive One-Time Logon, this option must be selected in the
    receiver's user account settings and the Provide One-Time Logon setting must be enabled in the
    provider's user account settings.


Types of Remote Help


Full Disk Encryption provides two types of Remote Help for users who are denied access to their
workstations:

Remote Password Change


For users who use fixed passwords and have forgotten them. This type of Remote Help is not applicable
to users who use a dynamic token for authentication.

One-Time Logon
For users who have forgotten or lost their dynamic tokens.

Note - In cases where the Remote Help recipient is an administrator


who is trying to regain access to the FDEMC, the only type of Remote
Help that can be provided is One-Time Logon. Remote Password
Change is not available in this case, and results in an error message if
attempted.

Verifying Users
Before you provide Remote Help to a user, you must be sure that the user is actually authorized to access
the workstation. You can do this in a number of ways, for example:

Use predetermined questions and answers that only legitimate users know
Keep a list of sample questions to ask, such as the user's name and favorite color, wife's maiden name,
brand of car, etc. Some of the questions could have randomized, fixed answers; for example, when
asked about his/her favorite pet, the user could answer clouds instead of cat.
Store the questions and answers in a separate database that is accessible to all Remote Help
administrators.

Use voice verification software
Use security software to extract unique vocal characteristics of the caller and compare them with the Full
Disk Encryption user's reference voiceprint.

Providing Remote Help


The following section describes how to access the Remote Help screen and how to help users change fixed
passwords and give one-time access to workstations.

To provide Remote Help:


1. Verify that the user who needs Remote Help is legitimate. See "Verifying Users" on page 67 for details.


2. Using an account with Remote Help privileges, start the Full Disk Encryption Management Console and
open the Remote Help screen:

3. Enter the following information:


Table 8-28 Remote Help Screen Information

Field/option
    Information/action

STEP 1

Type of end-user assistance to be provided
    Select the type of Remote Help the user needs:
    One-Time Logon - If the user does not have access to her dynamic token.
    Remote password change - If the user has forgotten his password.

End-User Account Name
    Enter the name of the end-user account.

Helper Account Name
    Enter the name of the account you are using to provide Remote Help.

Generate Response One to end user
    Click Generate to generate Response One.
    Read Response One to the user who enters it in the Response field.
    Tell the user to press the TAB key to generate a challenge.

STEP 2

Type of helper authentication
    Select the type of authentication used by the account you are using to provide Remote Help:
    Password - For a fixed password.
    Dynamic Token - For a dynamic token.

Response One
    This is the first response you read to the user.

Challenge from end user
    Enter the challenge the user receives from Full Disk Encryption after entering Response One and
    pressing the TAB key.

STEP 3

Helper Password
    Enter the fixed password or dynamically generated password for the account you are using to provide
    Remote Help.

Generate Response Two to end user
    Click Generate to generate Response Two.
    Read Response Two to the user who enters it in the Response field.
    Tell the user to click OK.

Response Two
    This is the second response you read to the user.

The user is now forced to set a new password or is given one-time access to the workstation, depending
on the type of Remote Help you provided.


Chapter 9
Removing Full Disk Encryption
You can remove Full Disk Encryption by:

Creating and deploying an uninstall profile, which allows for easy removal from many computers; see
"Uninstall Profiles" on page 70.

Allowing a user to remove Full Disk Encryption and decrypt their computer using Remote Help; see
"Remote Help" on page 65.
In This Chapter
Uninstall Profiles ..... 70
Removing Full Disk Encryption Management Console ..... 72

Uninstall Profiles
To complete the creation of the uninstall profile, Full Disk Encryption prompts for the authentication of two
system administrators. Therefore, the machine on which you create the uninstallation profile must contain at
least two system administrator accounts that are also on the clients you want to uninstall.
Note - An uninstallation profile cannot be edited.
The following sections explain how to create and deploy an uninstall profile.

Creating an Uninstall Profile


An uninstall profile enables you to remove Full Disk Encryption remotely from multiple machines within your
organization without having to visit each machine.
You can use an uninstall profile in a variety of scenarios, for example:

An employee is no longer with the company

An employee is traveling to a country where strong disk encryption is illegal

To create an uninstall profile:


1. Open Full Disk Encryption Management Console and click the Remote button.
2. Click New Profile to launch the profile wizard.


3. Click Next and select the set name (in this example, Set Accounting), and click Next:

4. Select Uninstall, click Next and enter the profile name.


5. Click Next and then Finish.
6. Enter the user account name and password of the first user account that is authorized to uninstall Full
Disk Encryption and click OK.
7. Enter the user account name and password of the second user account that is authorized to uninstall
Full Disk Encryption and click OK.
The uninstallation profile is created.

Ensuring that Administrator Accounts Exist on Both the Admin Machine and all Client Machines
If you define a user account with the same name on two different machines, the accounts have unique
GUIDs. This means they are unique user accounts. (In Full Disk Encryption, a GUID is the internal user
account ID.)
Keeping track of which administrator accounts are defined on which machines can be of critical importance
when uninstalling Full Disk Encryption with an uninstall profile.
This is illustrated in the following example of a scenario in which you install Full Disk Encryption and
subsequently attempt to uninstall it from a machine using an uninstall profile.

Example
Let us say that you manually install Full Disk Encryption on what is called the admin machine. You define
two administrator user accounts, let us call them Admin_A and Admin_B.

To create an installation profile:


1. On the admin machine, create an installation profile, which you use to deploy Full Disk Encryption to 100
client machines.
2. In the installation profile, define two administrator user accounts, Admin_C and Admin_D.
These administrators are authorized to authenticate the uninstallation of any of the 100 clients that have
Full Disk Encryption installed on them via this installation profile.
3. Deploy the installation profile to the 100 client machines, and assume that Full Disk Encryption is
installed on the 100 client machines.
4. Create an uninstallation profile to remove Full Disk Encryption from one machine.
In the process of creating the profile, the two administrator accounts on the admin machine, Admin_A
and Admin_B, must authenticate the uninstall profile.
5. Deploy the uninstallation profile to the machine from which you want to uninstall Full Disk Encryption.
However, Full Disk Encryption is not uninstalled from the machine.

Why Full Disk Encryption is not uninstalled


Full Disk Encryption is not uninstalled from the target machine because the client machines were installed
with an installation profile that included Admin_C and Admin_D. When the target machine checks the
uninstallation profile, which was created on the admin machine, it finds that the profile was authenticated by
Admin_A and Admin_B, two administrators who are unknown to the target machine (which knows of only
Admin_C and Admin_D). For this reason, the profile is not activated on the target machine.
You might think that you can define Admin_A and Admin_B on the target machine via an update profile.
However, this results in the creation of two user accounts named Admin_A and Admin_B on the target
machine. Although these accounts have the same names as the accounts on the admin machine, the
accounts on the target machine have GUIDs that are different from those of the Admin_A and Admin_B
accounts on the admin machine, so they still do not match the administrators who authenticated the profile.

Deploying an Uninstall Profile


Note - If you want to deploy an uninstall profile directly after installing
Full Disk Encryption, check first that the installation and encryption
process is complete. An uninstall profile can be deployed only when
Full Disk Encryption is fully installed on the computer.
The logged-on account on the computer from which you want to
remove Full Disk Encryption must have read and execute permissions
to the Update directory.
The logged-on account must also have access to all volumes on the
computer in order to remove Full Disk Encryption.
After you configure the uninstall profile, you are ready to deploy it.

To deploy an uninstall profile:

Move the uninstall profile from wherever it is stored to the Publish directory you specified.
Note - When the decryption process is finished, the Mac is no longer
protected.

Removing Full Disk Encryption Management Console
Before You Remove Full Disk Encryption Management Console
Sets and Profiles Must be Deleted Manually
When you uninstall Full Disk Encryption Management Console, sets and profiles are not uninstalled from
the Mac. If you reinstall Full Disk Encryption on the same Mac, the sets and profiles from the previous
installation display in the file structure of the new installation.
Delete the set and profile files manually if you no longer need them.

Ensure Authorized Administrators are Authenticated


Before the removal process can start, the following people must be authenticated:

One Full Disk Encryption administrator with the right to remove Full Disk Encryption,
and

One Full Disk Encryption user (who could also be an administrator) with the right to remove Full Disk
Encryption

This ensures that users cannot remove Full Disk Encryption.


Removal Procedure
To remove Full Disk Encryption:
1. Open the Full Disk Encryption Management Console and select File > Uninstall.

The following dialog box opens:

2. Enter the user account name of the first user account that has administrator authority level in Full Disk
Encryption and click OK.
The following dialog box opens:

3. Enter the user account password of the first user account that has administrator authority level in Full
Disk Encryption and click OK.
The following dialog box opens:

4. Enter the user account name of the second user account that has administrator authority level in Full
Disk Encryption, and click OK.


The following dialog box opens:

5. Enter the user account password of the second user account that is authorized to uninstall Full Disk
Encryption, and click OK.
You are notified that the uninstallation process is activated.

6. Click OK.
A dialog box opens, displaying the volumes protected by Full Disk Encryption.
7. Restart the computer.
When the computer has restarted and logon is successful, background decryption starts in the Mac OS.
When this is completed and the computer restarts, boot protection and Full Disk Encryption
Management Console is removed.

Note - It can take several hours to decrypt the disk. If you shut down
the Mac during uninstallation, decryption continues when you restart
the Mac. Full Disk Encryption is not removed until the disk is fully
unencrypted and you reboot the Mac.


Chapter 10
Recovery Media
This chapter discusses how to recover encrypted information.
In This Chapter
Full Disk Encryption Recovery File ..... 75
If the Recovery File Path is Not Found ..... 75
Creating a Recovery Media ..... 75
Creating the Recovery Media with the Wizard ..... 76
Creating the Recovery Media Manually ..... 78
Using a Recovery Media to Decrypt Volumes, Uninstall FDE, and Recover Information ..... 78
Mounting Encrypted Volumes ..... 79

Full Disk Encryption Recovery File


Full Disk Encryption stores the recovery file locally in the directory /var/fde/local/recovery. By
default, all users have full permissions to this directory. If you experience problems writing or accessing the
recovery file, ensure that the default permissions have not been changed.
Full Disk Encryption transfers the recovery file from the local directory to the directory specified in the Full
Disk Encryption Management Console under Local > Edit Settings > Full Disk Encryption > System
Settings > Install > Set Recovery Path. The transfer is triggered by:

A change in the machine's encryption state (for example, if the state changes from 'Encryption' to
'Encrypted')

An update profile being applied to the machine

If the Recovery File Path is Not Found


If no valid recovery path can be found when Full Disk Encryption is trying to write to the recovery file, an
error message is displayed. In this case, encryption does not start until Full Disk Encryption has ascertained
that it is possible to carry out a recovery later. Until then, the Mac is left unprotected.

Creating a Recovery Media


Click Create Recovery Media to create a recovery media on a USB memory stick via the Create Recovery
Media wizard, see "Creating the Recovery Media with the Wizard" on page 76. The only media that can be
used is USB memory sticks that are in Mac OS Extended Format (HFS+ format).
Note - The Create Recovery Media wizard will not complete if it does
not detect a supported USB memory stick on the system.


Before You Create a Recovery Media


Note - The USB memory stick you use for the recovery media must be
HFS+ formatted. Any information saved on the media will be destroyed
when the recovery media is created.
USB devices containing recovery information must be handled
securely. Create them only when required and ensure that they are
securely destroyed when no longer needed.
When performing the procedure "Creating the Recovery Media with the Wizard" on page 76, ensure that you
use the correct recovery file for the computer you wish to recover. There is no risk to data or the computer if
you select the wrong file because the recovery simply will not work.
Recovery file names contain the host name and the serial number of the computer:
<hostname>_<serialnumber>.rec
If the host name is not unique to the computer you want to recover, you must use the computer's serial
number to identify the correct recovery file.
For instructions on how to find the serial number for the computer, see the article MacBook: How to find the
Serial Number (article number 303720): http://docs.info.apple.com/article.html?artnum=303720
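The following script, added here as an example and not part of the Check Point product, covers two tasks from this guide: the deployment check in "Verifying a Full Disk Encryption Deployment" (the count of .rec files should match the number of deployed clients) and the selection of the right recovery file by serial number described above when host names are not unique. File names and serial numbers below are constructed sample data; the function names are chosen for this example.

```python
"""Audit a Full Disk Encryption recovery directory.

Added example, not Check Point code. Recovery files are named
<hostname>_<serialnumber>.rec; host names may repeat, serial numbers do not.
"""
import os
import tempfile
from collections import defaultdict


def parse_recovery_filename(filename):
    """Split '<hostname>_<serial>.rec' into (hostname, serial).

    Host names may themselves contain underscores, so the split is taken at
    the last one. Returns None for names that do not follow the pattern.
    """
    if not filename.endswith(".rec"):
        return None
    stem = filename[:-len(".rec")]
    hostname, sep, serial = stem.rpartition("_")
    if not sep or not hostname or not serial:
        return None
    return hostname, serial


def audit_recovery_files(filenames, expected_clients):
    """Compare a list of file names with the number of deployed clients.

    Returns the count of well-formed recovery files, the shortfall against
    expected_clients, names that do not match the pattern, and host names
    that occur more than once (those must be told apart by serial number).
    """
    by_host = defaultdict(list)
    malformed = []
    for name in filenames:
        parsed = parse_recovery_filename(name)
        if parsed is None:
            malformed.append(name)
            continue
        hostname, serial = parsed
        by_host[hostname].append(serial)
    valid = sum(len(serials) for serials in by_host.values())
    return {
        "recovery_files": valid,
        "missing": max(expected_clients - valid, 0),
        "malformed": sorted(malformed),
        "duplicate_hostnames": {h: sorted(s) for h, s in by_host.items()
                                if len(s) > 1},
    }


def audit_recovery_dir(path, expected_clients):
    """Run audit_recovery_files over the .rec files found in a directory."""
    names = [n for n in os.listdir(path) if n.endswith(".rec")]
    return audit_recovery_files(names, expected_clients)


def find_recovery_file(filenames, hostname, serial):
    """Return the recovery file for a host name and serial number, or None.

    The serial number is the deciding key because host names need not be
    unique across the fleet.
    """
    for name in filenames:
        if parse_recovery_filename(name) == (hostname, serial):
            return name
    return None


# Constructed sample: 4 clients deployed, one recovery file never arrived,
# two clients share a host name, and one stray .rec file is misnamed.
SAMPLE_FILES = [
    "mac-eng-01_SERIAL0001.rec",
    "mac-eng-02_SERIAL0002.rec",
    "mac-eng-02_SERIAL0003.rec",   # same host name, different serial
    "orphan.rec",                  # no '_': does not match the pattern
]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name in SAMPLE_FILES:
            open(os.path.join(tmp, name), "w").close()
        print(audit_recovery_dir(tmp, expected_clients=4))
    print(find_recovery_file(SAMPLE_FILES, "mac-eng-02", "SERIAL0003"))
```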

Creating the Recovery Media with the Wizard
Read the section "Before You Create a Recovery Media" on page 76 before beginning this procedure.

To create a recovery media:


1. On the Full Disk Encryption system administrators workstation, click Remote.
2. Under Recovery, click Create Recovery Media:


The Recovery wizard opens:

3. Choose either Find recovery file via a configuration set or Browse file system for recovery file. In
the example below we select the former:

4. Select the set that contains the recovery file from Available Configuration Sets, and click Next:


5. Select the recovery file from Available Recovery Files, and click Next:

6. Click Finish to launch the recovery tool for the recovery file displayed in the Finish Recovery Wizard:

Creating the Recovery Media Manually


If you want to create the recovery media manually, you can run mkrecovery.command, which is
located here:
/usr/local/ppc-3.2.0-<build number>/sbin/mkrecovery.command
This command requires the following parameters:

The path to the recovery file (including the recovery file name)

The path to the USB memory stick

Using a Recovery Media to Decrypt Volumes, Uninstall FDE, and Recover Information

Note - Do not, under any circumstances, press the power button while
performing a recovery. Doing so renders all data on the disk
unrecoverable.
Ensure that the Mac is connected to a reliable power source when
performing a recovery. Do not perform a recovery on battery power.

To use a recovery media to recover encrypted data:


1. Insert the recovery media (the USB memory stick) into the Mac you want to recover.
2. Reboot the Mac by pressing and holding down the OPTION (ALT) key.
The Graphical Boot Manager opens and displays the following options:
Check Point FDE
Check Point FDE Recovery
3. Click Check Point FDE Recovery.
The system boots from the recovery media.
4. When the authentication dialog box displays, log on as an administrator.
The Recovery dialog box opens and displays volumes available for recovery.
5. Click Recover All.
The recovery process begins, and the disk is decrypted. Remember, do not power off the Mac during
this process. If you do so, the data on your disk will be lost.
6. When recovery is complete, you are prompted to reboot.
7. Full Disk Encryption is uninstalled from the Mac, and you can access the now unencrypted volumes.

Mounting Encrypted Volumes


When you create a recovery media, it contains the directory /recovery. The /recovery directory
contains a script called attachslave.command.
You can use this script to mount the encrypted volumes either when booting from a Mac OS X installation
DVD or, for example, when mounting over FireWire using Target Disk Mode (TDM).
Note - The script has the following limitations:

The script works only on volumes that are fully encrypted (not
during bg-encryption or decryption).

This is a command line tool only.

To mount encrypted volumes using attachslave.command:

1. Create the USB recovery media. See "Creating the Recovery Media with the Wizard" on page 76 for
instructions.
2. Boot from the Mac OS X installation DVD.
OR
Boot the machine while holding down T and connect to the other machine using FireWire (TDM).
OR
Boot the machine with Netboot (including the root volume mounted from the network).
3. Run /Volumes/<RECIMG>/recovery/attachslave.command
where <RECIMG> is the name of the recovery image volume. The attachslave.command script asks for the
username/password of the user in the recovery image (for example, admin).
You can open the terminal and run attachslave.command on the command line, or double-click it in
Finder.
The encrypted volume should appear (auto-mounted) under /Volumes (that is, as it would normally appear
when not encrypted).


Troubleshooting and recovering files using the attachslave.command


You can use a working machine with Full Disk Encryption installed (a so-called master machine) to access
the hard disk of another machine with Full Disk Encryption installed (a so-called slave machine) that you
cannot or do not want to boot up. Information on the slave machine is decrypted as you view it, and you can
copy files to the master machine as required.

To access the hard disk of a slave machine:


1. Connect a second machine via FireWire.
2. Run the following from the master machine:
/usr/local/ppc-[FDE for Mac version number]/sbin/attachslave.command
The script initiates an authentication process against the database on the slave. After the username and
password have been entered, the encrypted volume should appear (auto-mounted) under /Volumes
(as it would normally appear when not encrypted).


Chapter 11
Authenticating to Full Disk
Encryption
This appendix discusses how users use fixed passwords and dynamic tokens to authenticate themselves to
access their Full Disk Encryption-protected computer.
Note - Full Disk Encryption administrators should distribute this
information, as deemed appropriate, to users before users access
their Full Disk Encryption-protected computers for the first time.

In This Chapter
About Authentication ..... 81
Authenticating for the First Time ..... 82
What if I forget my password? ..... 84
What if I don't have access to my token? ..... 85

About Authentication
Being authenticated means being verified by Full Disk Encryption as someone who is authorized to use a
specific computer. When you switch on or restart a Full Disk Encryption-protected computer, the User
Account Identification dialog box opens:

Here you must enter a valid user account name and password. Full Disk Encryption verifies that you are
authorized to access the computer and allows the computer to start.

Navigating
You can use a mouse to navigate in the Full Disk Encryption user identification boxes and to select options.
You can also move around in the dialog boxes by pressing TAB and ENTER, and you can select options
using the space bar.


Authenticating for the First Time


Depending upon how the administrator has configured your Full Disk Encryption configuration, you may use
a temporary username and password the first time Full Disk Encryption authenticates you. After you
successfully enter the name and password, Full Disk Encryption prompts you to change them to the user
account name and password you will use in the future.
If you do not use a temporary username and password for your first login, you may be asked to change your
password, depending upon how your Full Disk Encryption installation is configured.

Using a Fixed Password


A fixed password is a private string of characters, known only to you and Full Disk Encryption, which you
use each time you want to access the computer.
Note - Your Full Disk Encryption administrator provides a username
and password to use the first time you access the Full Disk
Encryption-protected computer.

To authenticate yourself using a fixed password:


1. Start your Full Disk Encryption-protected computer.
The User Identification dialog box opens:

2. To ensure that your computer has not been tampered with, press CTRL+Command+Power.
Your computer restarts and Full Disk Encryption re-displays the User Identification dialog box.
3. In the Username field, enter the username you received from your administrator and press the TAB key
to move to the Password field:

4. Enter the password you received from your administrator. The password is obscured with asterisks (*)
when entered. Click OK.
Full Disk Encryption confirms that you entered a valid username and password.
Depending upon how the administrator configured your Full Disk Encryption installation, the SSO Active
checkbox may be enabled. If you want to log in only to the Mac OS X without being automatically logged
in to other applications, you must disable single sign-on temporarily. See the next step for instructions.
5. To disable single sign-on temporarily while logging into preboot, clear the checkbox before continuing to
boot up in the Mac OS X.
6. Click OK to close the message box.

The following dialog box opens only if you are logging in with a temporary user account. If you do not
have a temporary user account, go to step 8.

7. Enter your username and click OK.


The following dialog box opens:

8. Enter and confirm the password you want to use and click OK.
Note - If you are not logging in with a temporary user account, this
dialog box may not display, depending upon how Full Disk Encryption
is configured.
Full Disk Encryption confirms that you successfully accessed the computer for the first time using your
FDE Admin credentials:

9. Click Continue to close the dialog box.


Full Disk Encryption now allows the Mac OS to start.

Using a Dynamic Token


If you use a dynamic token to authenticate to Full Disk Encryption, follow the steps below.
Note - Your Full Disk Encryption administrator provides you with a
dynamic token, the information you need to use it, and a user account
name.

To authenticate using a dynamic token:


1. Start your Full Disk Encryption-protected computer.


The User Account Identification dialog box opens:

2. To ensure that your computer has not been tampered with, press CTRL+Command+Power.
Your computer restarts and Full Disk Encryption re-displays the User Identification dialog box.
3. In the User account name field, enter the user account name you received from your administrator and
click OK.
Full Disk Encryption recognizes that you will use a dynamic token to authenticate yourself and displays
the following dialog box:

4. In the dynamic token, enter the Full Disk Encryption challenge to generate a response. Enter the
response in the Response field and click OK.
Full Disk Encryption confirms that you successfully accessed the computer for the first time using your
FDE Admin credentials:

5. Click Continue to close the dialog box.


Full Disk Encryption now allows your computer to start.

What if I forget my password?


If you forget your password, you can use Full Disk Encryption's Remote Password Change option.

To change your password:


1. Start your Full Disk Encryption-protected computer.


The User Account Identification dialog box opens:

2. Enter your username and select Remote Help.


The following dialog box opens:

3. Call your Full Disk Encryption administrator or helpdesk to be guided through the password change
process.

What if I don't have access to my token?


If you do not have access to your dynamic token, you can use Full Disk Encryption's One-time logon
option.

To use the One-time logon option:


1. Start your Full Disk Encryption-protected computer.
The User Account Identification dialog box opens:

2. Enter your user account name and select Remote Help.


The following dialog box opens:

3. Call your Full Disk Encryption administrator or helpdesk to guide you through the one-time logon
process.

Language Support
The languages supported in Full Disk Encryption for Mac are described here.
For the languages FDE supports in the FDEMC, see "Languages Supported in the FDE Management
Console" on page 86. For the languages available on FDE clients, see "Languages Supported on Clients"
on page 86.

Languages Supported in the FDE Management Console
The languages supported on the FDE Management Console (FDEMC) are:

English (US)

Japanese

Languages Supported on Clients


The languages supported on Full Disk Encryption clients are:

Chinese (Simplified)

Chinese (Taiwan)

English

French

German

Italian

Japanese

Spanish

Specifying the Language Used in the FDEMC
The administrator selects which language is used in the Full Disk Encryption Management Console
(FDEMC) with the Language option on the FDEMC menu bar. The administrator can choose one of the
supported languages, or can choose Operating System, which sets the FDEMC language to the language
of the Mac operating system.
To select the language, open the Language option on the FDEMC menu bar and choose an entry. See
"Languages Supported in the FDE Management Console" on page 86 for the languages that are
supported.

Setting the Language Used on the Client


The administrator configures which of the supported languages is used on a client in the client's preboot
interface, system tray, and recovery utility. This is set initially via Local > Edit Settings > Install >
Select Language:

On the client, you can change the language used in the preboot interface, system tray, and recovery
utility from the tray: double-click or right-click the Full Disk Encryption icon and navigate to the language
selection. The Select Language drop-down menu contains the languages you can choose.


Chapter 12
Keyboard Layouts
In This Chapter
Introduction 88
The Default Keyboard Layout 88
Changing the Keyboard Layout 88
Keyboard Layouts Supported in Preboot 89

Introduction
This chapter contains information on the keyboard layouts available in Full Disk Encryption and how to
change the keyboard layout.

The Default Keyboard Layout


The first time the preboot authentication dialog box is displayed after installation, Full Disk Encryption, by
default, uses the keyboard layout that is the default in the Mac operating system.

Changing the Keyboard Layout


If other keyboard layouts are available in your Mac installation (and supported by Full Disk Encryption), you
can scroll through the available layouts by repeatedly clicking the icon in the lower left corner of the
dialog box, or by repeatedly pressing COMMAND + SPACE or CONTROL + SPACE.
The active keyboard layout is the layout whose language identification tag is displayed in the icon in the
lower left corner of the figure below. Check the tag before you type a password that contains characters
whose position differs between layouts: the same keystrokes under a different layout produce a different
password, and the logon fails.
After selecting a keyboard layout and successfully logging on to Full Disk Encryption, the selected layout
remains active the next time the preboot authentication dialog box is displayed.

Keyboard Layouts Supported in Preboot


The keyboard layouts available in preboot are determined from the list of layouts enabled in Mac OS X on
each client machine where Full Disk Encryption is installed. Full Disk Encryption implements a subset of the
available layouts as shown in Table B-1.
You can view the enabled layouts under System Preferences > International > Input Menu.
The currently selected keyboard layout in preboot is the layout currently selected in Mac OS X.

Note - The synchronization of available/selected layouts in preboot is available only in Mac OS X 10.5
(Leopard) and above. In Mac OS X 10.4 (Tiger), all the supported layouts are enabled as available in
preboot, and the currently selected layout after installation is US English.
The following table shows the keyboard layouts supported by Full Disk Encryption that are currently
implemented in preboot:

Keyboard Layout                    Language Identification Tag
English (Canada)                   en-CA
English (Ireland)                  en-IE
English (United Kingdom)           en-GB
English (United States)            en-US
Danish (Denmark)                   da-DK
Dutch (Netherlands)                nl-NL
Estonian (Estonia)                 et-EE
Finnish (Finland)                  fi-FI
French (Belgium)                   fr-BE
French (France)                    fr-FR
French (Switzerland)               fr-CH
French (Canada)                    fr-CA
German (Austria)                   de-AT
German (Germany)                   de-DE
German (Switzerland)               de-CH
Greek (Greece)                     el-GR
Hebrew (Israel)                    he-IL
Icelandic (Iceland)                is-IS
Italian (Italy)                    it-IT
Japanese (Japan)                   ja-JP
Latvian (Latvia)                   lv-LV
Lithuanian (Lithuania)             lt-LT
Norwegian (Bokmål) (Norway)        nb-NO
Portuguese (Brazil)                pt-BR
Portuguese (Portugal)              pt-PT
Slovak (Slovakia)                  sk-SK
Spanish (Spain)                    es-ES
Swedish (Sweden)                   sv-SE
Polish (Poland)                    pl-PL
Hungarian (Hungary)                hu-HU
Czech (Czech Republic)             cs-CZ
Thai (Thailand)                    th-TH
Turkish (Turkey)                   tr-TR


Index

A
About Authentication 81
Accessing Local Settings 14
Adding a User Account to a Group 38
Administrator 11
Alternative 1 60
Alternative 2 60
An Administration Overview 11
Authenticating for the First Time 82
Authenticating to Full Disk Encryption 81
Authentication Settings 27
Authority Levels 11

B
Basing a New Profile on Another Profile or Local Settings 53
Before You Create a Recovery Media 76
Before You Remove Full Disk Encryption Management Console 72
Benefits for Administrators 7

C
Changing the Graphic Images Displayed in Preboot 63
Changing the Keyboard Layout 88
Commonly Used Configurations in Update Profiles 59
Configuring Group and User Account Settings 24
Configuring System Settings 14
Configuring Update Profiles 59
Create Configuration Sets 53
Creating a New Set 46
Creating a Recovery Media 75
Creating an Uninstall Profile 70
Creating an Update Profile 59
Creating Group Accounts 35
Creating Group and User Accounts 35
Creating Groups and User Accounts in the Profile 58
Creating Installation Profiles 53
Creating the Recovery Media Manually 78
Creating the Recovery Media with the Wizard 76

D
Data Security Types 6
Default Values and How the Effective Values of Settings are Determined 37
Deleting user accounts created with a temporary user account 60
Deploying an Install Profile 61
Deploying an Install Profile Interactively 62
Deploying an Install Profile Silently 62
Deploying an Uninstall Profile 72
Deploying Full Disk Encryption on One or Many 7
Deploying Profiles 61
Deploying Update Profiles 63
Deployment Overview 8
Directories 45
Dynamic Token 29
Dynamic Token Authentication 42

E
Editing Local Settings 15
Ensure Authorized Administrators are Authenticated 72
Ensuring that Administrator Accounts Exist on Both the Admin Machine and all Client Machines 71
Ensuring that the Required User Accounts are in Place 60
Example 71
Example of output for a non FDE-encrypted volume 18
Example of output for an FDE-encrypted volume 18
External Status Indication Command Line Utility 18

F
File Encryption 6
Fixed Password 27
Full Disk Encryption 6
Full Disk Encryption Features and Benefits 7
Full Disk Encryption Management Console Dialog Box 13
Full Disk Encryption Profile Basics 52
Full Disk Encryption Recovery File 75
Full Disk Encryption Terminology 9

G
Getting Started 9
Group 9
Group and User Account Basics 35
Group Information 52
Group Settings 26
GUID 18

H
How Update Profiles Affect Logged-On Users and Administrators 63

I
If the Recovery File Path is Not Found 75
Implementing a Remote Help Procedure 65
Install 45
Install Full Disk Encryption on Client Machines 10
Install Settings 16
Installation Profiles 52
Introduction 88

K
Keyboard Layouts 88
Keyboard Layouts Supported in Preboot 89

L
Language Support 86
Languages Supported in the FDE Management Console 86
Languages Supported on Clients 86
Local Settings for Groups and User Accounts 24
Logon 22
Logon Settings 27

M
Mount Points 17
Mounting Encrypted Volumes 79
Moving User Accounts 44

N
Navigating 81

O
Overview of the Full Disk Encryption Management Console 13

P
Password Authentication 41
Perform Administration Tasks 10
Permissions for Roles 12
Permissions Settings 30
Preface 5
Prepare the Master Installation 9
Prepare to Install FDE on Client Machines 10
Prepare Your Groups and User Accounts 9
Prepare Your Remote Administration Points (Sets) 10
Preparing to Work With Profiles 53
Privileged Permissions Settings 30
Profile 9
Profile Types 52
Providing Remote Help 67
Publishing an Install Profile 61

R
Recovery 45
Recovery Media 75
Related Documentation 5
Remote Help 32, 65
Remote Help Settings 66
Removal Procedure 73
Remove User Account and Mark for Removal 59
Removing Full Disk Encryption 70
Removing Full Disk Encryption Management Console 72
Roadmap 9
Root Directory Path 45

S
Sanity Checks 57
Select Group 21
Set 9
Set Basics 45
Set Management 49
Sets and Profiles Must be Deleted Manually 72
Setting the Language Used on the Client 87
Single Sign-On 32
Single Sign-On (SSO) Settings 31
Single Sign-On and Mac Password Changes 32
Single Sign-On and Network Password Changes 32
Specifying the Language Used in the FDEMC 87
Status 18
Status Information 15
Storage 45
System Information 52
System Passwords Policy 19
System Settings for Groups 25

T
Temporary User Accounts 7
The Default Keyboard Layout 88
Types of Remote Help 67

U
Uninstall Profiles 53, 70
Update 46
Update Profiles 53
Updating Full Disk Encryption Software 63
User 12
User Account Acquisition 8, 20
User Account Information 52
Using a Dynamic Token 83
Using a Fixed Password 82
Using a Recovery Media to Decrypt Volumes, Uninstall FDE, and Recover Information 78

V
Verifying a Full Disk Encryption Deployment 62
Verifying Users 67
Volume 18

W
Wake on LAN 21
webRH or Full Disk Encryption Management Console? 65
What if I don't have access to my token? 85
What if I forget my password? 84
What's in a Profile? 52
Who should read this guide? 5
Why Full Disk Encryption is not uninstalled 71
Working with Configuration Sets 45
Working with Installation and Update Profiles 51
Working with Profiles: an Overview 51
Working With Update Profiles 58