Full Disk Encryption Policies - Online Help Home - Trend Micro

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files, release notes, and/or the latest version of the applicable documentation, which are available from the Trend Micro website at:
http://docs.trendmicro.com/en-us/enterprise/endpoint-encryption.aspx

Trend Micro, the Trend Micro t-ball logo, Endpoint Encryption, PolicyServer, Full Disk Encryption, FileArmor, and KeyArmor are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Copyright © 2012. Trend Micro Incorporated. All rights reserved.
Document Part No.: APEM35670/120920
Release Date: Dec 2012
Protected by U.S. Patent No.: Patents pending.

This documentation introduces the main features of the product and/or provides installation instructions for a production environment. Read through the documentation before installing or using the product.

Detailed information about how to use specific features within the product may be available in the Trend Micro Online Help and/or the Trend Micro Knowledge Base at the Trend Micro website.

Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at docs@trendmicro.com.

Evaluate this documentation on the following site:
http://www.trendmicro.com/download/documentation/rating.asp

Table of Contents

Preface
  Preface
  Product Document Set
  Document Conventions
  Intended Audience
  Terminology
  About Trend Micro

Chapter 1: Understanding Trend Micro Endpoint Encryption
  About Endpoint Encryption
    Endpoint Encryption Components
    System Requirements
  Key Features & Benefits
  Understanding Encryption
    File Encryption
    Full Disk Encryption
    Key Management
    About FIPS
  Management and Integration
  Account Roles and Authentication
    Account Roles
    Access Control by Application
    Authentication Options by Application
    Security Options
    Authentication Methods
  New Features in Endpoint Encryption 3.1.3
    Multi-language Support
    Active Directory Synchronization
    PolicyServer 3.1.3 Enhancements
    Full Disk Encryption 3.1.3 Enhancements

Chapter 2: Getting Started with PolicyServer
  Authenticating for the First Time
  Introducing PolicyServer
    PolicyServer MMC Interface
  Working with Groups and Users
    Defining Users and Groups
    Adding a Top Group
    Adding a New User to a Group
    Adding a New Enterprise User
    Adding an Existing User to a Group
  Understanding Policy Controls
    Visual Indicators for Policies
    Policy Fields and Buttons
    Modifying Policies
  Enabling Applications

Chapter 3: Understanding Policies
  Working with Policies
  Policy Management
    Selecting a Policy for Modification
    Editing Policies with Ranges
    Editing Policies with True/False or Yes/No Responses
    Editing Policies with Multiple-choice / Single-selection
    Editing Policies with Text String Arguments
    Editing Policies with Multiple Options
  PolicyServer Policies
    Admin Console Policies
    Administrator Policies
    Authenticator Policies
    Log Alert Policies
    PDA Policies
    Service Pack Download Policies
    Welcome Message Policies
  Full Disk Encryption Policies
    Common Policies
    PC Policies
    PPC Policies
  FileArmor Policies
    Computer Policies
    Encryption Policies
    Login Policies
    Password Policies
  MobileSentinel Policies
    Common Policies
    PPC Policies
  KeyArmor Policies
    Antivirus Policies
    KeyArmor Security Policies
    Login Policies
    Notice Message Policies
    PolicyServer Connection Policies
  DriveArmor Policies
    Authentication Policies
    Communications Policies
    Device Policies
  Common Policies
    Agent Policy
    Authentication Policies

Chapter 4: Working with Groups, Users, and Devices
  Working with Groups
    Adding a Top Group
    Adding a Subgroup
    Modifying a Group
    Removing a Group
  Working with Offline Groups
    Creating an Offline Group
    Updating an Offline Group
  Working with Users
    Add Users to PolicyServer
    Finding a User
    Modifying a User
    Viewing a User's Group Membership
    Adding a New User to a Group
    Adding an Existing User to a Group
    Changing a User’s Default Group
    Allowing User to Install to a Group
    Removing Individual Users From a Group
    Removing All Users From a Group
    Restoring a Deleted User
    Working with Passwords
  Working with Devices
    Adding a Device to a Group
    Removing a Device from a Group
    Removing a Device from the Enterprise
    Viewing Directory Contents
    Viewing Device Attributes
    Viewing Directory Listing
    Killing a Device
    Locking a Device
    Rebooting a Device
    Restoring a Deleted Device

Chapter 5: Working with Full Disk Encryption
  Endpoint Encryption Tools
  Full Disk Encryption Preboot Authentication
    Menu Options
    Network Connectivity
    On-Screen Keyboard
    Changing the Keyboard Layout
    Changing Authentication Methods
    Changing Passwords
    Remote Help
    Smart Card
    Self Help
  Full Disk Encryption Connectivity
    Updating Full Disk Encryption Clients
  Full Disk Encryption Recovery Console
    Accessing Recovery Console
    Accessing Recovery Console from Windows
    Using Decrypt Disk
    Mount Partitions
    Restore Boot
    Manage Full Disk Encryption Users
    Manage Policies
    View Logs
    Network Setup
  Full Disk Encryption Recovery Methods
  Repair CD
    Recovering Data with Repair CD

Chapter 6: Working with FileArmor
  FileArmor Authentication
    FileArmor First-time Authentication
    FileArmor Domain Authentication
    FileArmor Smart Card Authentication
    FileArmor ColorCode Authentication
    FileArmor PIN Authentication
    Changing Password in FileArmor
    Forced Password Reset
  FileArmor System Tray Icon Menu
    Syncing with PolicyServer
    Syncing with PolicyServer Offline Files
    Changing PolicyServer
  FileArmor Encryption
    FileArmor Local Key Encryption
    FileArmor Shared Key Encryption
    FileArmor Fixed Password Encryption
    FileArmor Digital Certificate Encryption
  FileArmor Archive and Burn
    Burning an Archive with a Fixed Password
    Burning an Archive with a Certificate
  FileArmor Secure Delete

Chapter 7: Working with KeyArmor
  KeyArmor Authentication
    Authenticating to KeyArmor for the First Time
    Changing Authentication Methods
    Fixed Password
  KeyArmor Features
    Device Components
    Protecting Files with KeyArmor
    No Information Left Behind
    KeyArmor Antivirus Updates and Activity
    KeyArmor Check Disk Notification
  Using KeyArmor
    Warning About Unencrypted Devices
    KeyArmor Taskbar
    KeyArmor Menu
    Protecting Files with KeyArmor
    KeyArmor Activity Logging
    Safely Removing KeyArmor
    KeyArmor Full Scan
    Reassigning a KeyArmor Device to Another User
    Adding a Deleted KeyArmor Back to the Enterprise

Chapter 8: Working with Logs and Reports
  Log Events
    Managing Log Events
    Alerts
    Setting PolicyServer Alerts
    Enabling PolicyServer to relay SMS and Email Delivery
  Reports
    Report Options
    Report Icons
    Report Types
    Displaying Reports
    Scheduling Reports
    Displaying Report Errors

Chapter 9: Getting Support
  Trend Community
  Support Portal
  Contacting Technical Support
    Resolving Issues Faster
  TrendLabs

Appendix A: PolicyServer Message IDs

Index
  Index

Preface

Welcome to the Trend Micro Endpoint Encryption Administrator’s Guide. This guide explains the major aspects of Endpoint Encryption: security architecture, encryption, authentication, and endpoint management. Topics include how to use server and endpoint client applications to support security objectives, how to provision users, groups and devices to implement policies, and how to use reports and logs to analyze enterprise security. This guide also includes information about troubleshooting configurations, using tools, and resolving issues.

This preface covers the following topics:
• Product Document Set
• Document Conventions
• Intended Audience
• Terminology
• About Trend Micro

Product Document Set

The documentation set for Trend Micro Endpoint Encryption includes the following:

TABLE 1. Product Documentation
DOCUMENT: DESCRIPTION
Installation Guide: The Installation Guide explains system requirements and contains detailed instructions about how to deploy, install, migrate, and upgrade PolicyServer and endpoint clients.
Administrator’s Guide: The Administrator’s Guide explains product concepts, features and detailed instructions about how to configure and manage PolicyServer and endpoint clients.
Readme file: The Readme file contains late-breaking product information that is not found in the online or printed documentation. Topics include a description of new features, known issues, and product release history.
Knowledge Base: An online database of problem-solving and troubleshooting information. It provides the latest information about known product issues. To access the Knowledge Base, go to the following website: http://esupport.trendmicro.com

Note
All documentation is accessible from: docs.trendmicro.com

Document Conventions

The documentation uses the following conventions:
TABLE 2. Document Conventions
CONVENTION: DESCRIPTION
UPPER CASE: Acronyms, abbreviations, and names of certain commands and keys on the keyboard
Bold: Menus and menu commands, command buttons, tabs, and options
Italics: References to other documents
Monospace: Sample command lines, program code, web URLs, file names, and program output
Navigation > Path: The navigation path to reach a particular screen. For example, File > Save means, click File and then click Save on the interface.
Note: Configuration notes
Tip: Recommendations or suggestions
Important: Information regarding required or default configuration settings and product limitations
WARNING!: Critical actions and configuration options

Intended Audience

This guide is for IT Administrators deploying Trend Micro Endpoint Encryption in medium to large enterprises and Help Desk personnel who manage users, groups, policies, and devices. The documentation assumes basic device, networking and security knowledge, including:
• Device hardware setup and configuration
• Hard drive partitioning, formatting, and maintenance
• Client-server architecture
Terminology<br />
The following table provides terminology used throughout the documentation:<br />
TABLE 3. Endpoint <strong>Encryption</strong> Terminology<br />
TERM DESCRIPTION<br />
Authentication The process of identifying a user.<br />
ColorCode A color-sequence password.<br />
Command Line <strong>Help</strong>er Create encrypted values to secure credentials when creating<br />
an installation script.<br />
Command Line Installer<br />
<strong>Help</strong>er<br />
Create encrypted values to secure credentials when<br />
generating scripts for automated installations.<br />
Device Computer, laptop, or removal media (external drive, USB<br />
drive) hardware.<br />
Domain authentication Single sign-on (SSO) using Active Directory.<br />
DriveTrust Hardware-based encryption technology by Seagate.<br />
Endpoint client Any device with an Endpoint <strong>Encryption</strong> application installed.<br />
FileArmor The Endpoint <strong>Encryption</strong> client for file and folder encryption<br />
on local drives and removable media.<br />
FIPS Federal Information Processing Standard. United States<br />
federal government computing standards.<br />
Fixed password A standard user password consisting of letters and/or<br />
numbers and/or special characters.<br />
<strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> The Endpoint <strong>Encryption</strong> client for hardware and software<br />
encryption with preboot authentication.
TERM DESCRIPTION<br />
KeyArmor The Endpoint <strong>Encryption</strong> client for a password-protected,<br />
encrypted USB drive.<br />
OCSP The <strong>Online</strong> Certificate Status Protocol (OCSP) is an Internet<br />
protocol used for X.509 digital certificates.<br />
OPAL Trusted Computing Group's Security Subsystem Class for<br />
client devices.<br />
Password Any type of authentication data, such as fixed, PIN, and<br />
ColorCode.<br />
PolicyServer The central management server that deploys encryption and<br />
authentication policies to the endpoint clients (<strong>Full</strong> <strong>Disk</strong><br />
<strong>Encryption</strong>, FileArmor, KeyArmor).<br />
SED Secure Encrypted Device. A hard drive, or other device,<br />
which is encrypted.<br />
Smart card A physical card used in conjunction with a PIN or fixed<br />
password.<br />
PIN A Personal Identification Number, commonly used for ATM<br />
transactions.<br />
Recovery Console Recover a device in the event of primary OS failure,<br />
troubleshoot network issues, and manage users, policies,<br />
and logs.<br />
Remote <strong>Help</strong> Interactive authentication for users who forget their<br />
credentials or devices that have not synchronized policies<br />
within a pre-determined amount of time.<br />
Repair CD Use this bootable CD to decrypt drive before removing <strong>Full</strong><br />
<strong>Disk</strong> <strong>Encryption</strong> in the event that the disk becomes corrupted,<br />
RSA SecurID A mechanism for performing two-factor authentication for a<br />
user to a network resource.<br />
Self <strong>Help</strong> Question and answer combinations that allow users to reset<br />
a forgotten password without contacting Support.<br />
<strong>Trend</strong> <strong>Micro</strong> Endpoint <strong>Encryption</strong> 3.1.3 Administrator's Guide<br />
About <strong>Trend</strong> <strong>Micro</strong><br />
As a global leader in cloud security, <strong>Trend</strong> <strong>Micro</strong> develops Internet content security and<br />
threat management solutions that make the world safe for businesses and consumers to<br />
exchange digital information. With over 20 years of experience, <strong>Trend</strong> <strong>Micro</strong> provides<br />
top-ranked client, server, and cloud-based solutions that stop threats faster and protect<br />
data in physical, virtualized, and cloud environments.<br />
As new threats and vulnerabilities emerge, <strong>Trend</strong> <strong>Micro</strong> remains committed to helping<br />
customers secure data, ensure compliance, reduce costs, and safeguard business<br />
integrity. For more information, visit:<br />
http://www.trendmicro.com<br />
<strong>Trend</strong> <strong>Micro</strong> and the <strong>Trend</strong> <strong>Micro</strong> t-ball logo are trademarks of <strong>Trend</strong> <strong>Micro</strong><br />
Incorporated and are registered in some jurisdictions. All other marks are the trademarks<br />
or registered trademarks of their respective companies.
Chapter 1<br />
Understanding <strong>Trend</strong> <strong>Micro</strong> Endpoint <strong>Encryption</strong><br />
<strong>Trend</strong> <strong>Micro</strong> Endpoint <strong>Encryption</strong> provides robust data protection and device<br />
control for a wide range of devices, including laptops, desktops, tablets, CDs, DVDs,<br />
USB drives, and other removable media.<br />
This chapter covers the following topics:<br />
• About Endpoint <strong>Encryption</strong><br />
• Key Features & Benefits<br />
• Understanding <strong>Encryption</strong><br />
• System Requirements<br />
• Account Roles and Authentication<br />
• New Features in Endpoint <strong>Encryption</strong> 3.1.3<br />
About Endpoint <strong>Encryption</strong><br />
<strong>Trend</strong> <strong>Micro</strong> Endpoint <strong>Encryption</strong> is a fully integrated hardware-based and software-based<br />
encryption solution to protect laptops and desktops, files and folders, removable<br />
media, and encrypted USB drives with embedded anti-malware/antivirus protection.<br />
With Endpoint <strong>Encryption</strong>, Administrators can use a single management console to<br />
flexibly manage a combination of hardware and software-based encryption with full<br />
transparency for end-users.<br />
<strong>Trend</strong> <strong>Micro</strong> Endpoint <strong>Encryption</strong> ensures end-to-end data protection by providing<br />
FIPS 140-2 encryption of the data residing on the management server; all data<br />
transmitted to/from the server; all data stored on the endpoint device; and, all locally<br />
stored client logs.<br />
Using FIPS 140-2 accredited cryptography, Endpoint <strong>Encryption</strong> offers the following<br />
benefits:<br />
• Comprehensive data protection through fully integrated full disk, file, folder, USB<br />
drives, and removable media encryption.<br />
• Centralized policy administration and key management through a single<br />
management server and console.<br />
• Device management through device-specific information gathering and remote<br />
lock, reset, and the capability to wipe all endpoint data.<br />
• Advanced real-time reporting and auditing to ensure security compliance.<br />
Endpoint <strong>Encryption</strong> Components<br />
Endpoint <strong>Encryption</strong> consists of one central management server (PolicyServer Web<br />
Service) that manages the policy and log databases (MobileArmor DB), LDAP<br />
authentication with Active Directory, and all client-server activity. Endpoint <strong>Encryption</strong><br />
clients cannot interface directly with PolicyServer and must connect through the Client<br />
Web Service. For an illustration of this architecture, see Figure 1-1: Endpoint <strong>Encryption</strong><br />
Client-Server Architecture on page 1-3.
Note<br />
The port settings for all HTTP traffic are configurable at the time of installation or through<br />
settings on the Endpoint <strong>Encryption</strong> client.<br />
FIGURE 1-1. Endpoint <strong>Encryption</strong> Client-Server Architecture<br />
The following table describes these components.<br />
TABLE 1-1. Endpoint <strong>Encryption</strong> Components<br />
COMPONENT DESCRIPTION<br />
PolicyServer Web Service The IIS web service that provides central management of<br />
policy administration, authentication, and reporting.<br />
PolicyServer MMC The PolicyServer <strong>Micro</strong>soft Management Console (MMC)<br />
is the interface used to control PolicyServer.<br />
Endpoint <strong>Encryption</strong> client An Endpoint <strong>Encryption</strong> client is any device with either <strong>Full</strong><br />
<strong>Disk</strong> <strong>Encryption</strong>, FileArmor, or KeyArmor installed.<br />
• <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> provides hardware and software full<br />
disk encryption, and preboot authentication.<br />
• FileArmor provides file and folder encryption for content<br />
on local drives and removable media.<br />
• KeyArmor is a hardened, encrypted USB drive with<br />
integrated antivirus protection.<br />
MobileArmorDB The <strong>Micro</strong>soft SQL Server database storing all user, policy,<br />
and log details.<br />
Active Directory The PolicyServer Web Service synchronizes user account<br />
information by communicating with Active Directory using<br />
LDAP. Account information is cached locally in the<br />
MobileArmorDB.<br />
Note<br />
Active Directory is optional.<br />
Client Web Service The IIS web service that Endpoint <strong>Encryption</strong> clients use to<br />
communicate with the PolicyServer Web Service.<br />
System Requirements<br />
The tables below outline the system requirements for Endpoint <strong>Encryption</strong>.
TABLE 1-2. PolicyServer Hardware Requirements<br />
SEPARATE HOSTS<br />
PolicyServer Host (3,000 Users)<br />
• 2GHz Dual Quad Core Core2 Intel Xeon Processors<br />
• 4GB RAM<br />
• 40GB hard disk space<br />
SQL Server Host (3,000 Users)<br />
• 2GHz Dual Quad Core Core2 Intel Xeon Processors<br />
• 8GB RAM<br />
• 100GB hard disk space<br />
SINGLE HOST<br />
PolicyServer and SQL Server (1,500 Users)<br />
• 2GHz Quad Core Core2 Intel Xeon Processors<br />
• 8GB RAM<br />
• 120GB hard disk space<br />
TABLE 1-3. PolicyServer Minimum Software Requirements<br />
FUNCTION REQUIREMENT<br />
Operating System • Windows Server 2003 SP2 32/64-bit<br />
• Windows Server 2008 or 2008 R2 64-bit<br />
Applications and Settings • Application Server<br />
• IIS<br />
• Allow Active Server pages<br />
• Allow ASP.NET<br />
• .Net Framework 2.0 SP2<br />
Note<br />
PolicyServer 3.1.3 requires two IIS locations.<br />
The PolicyServer Administration Interface and<br />
the Client Application Interface should be<br />
installed on different IIS locations.<br />
Database • <strong>Micro</strong>soft SQL 2005/2008/2008 R2<br />
• <strong>Micro</strong>soft SQL Express 2005(SP3)/2008<br />
• Mixed Mode Authentication (SA password)<br />
installed<br />
• Reporting services installed<br />
TABLE 1-4. <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> System Requirements<br />
ITEM REQUIREMENT<br />
Processor Intel Core 2 or compatible processor.<br />
Memory • Minimum: 1GB<br />
<strong>Disk</strong> space • Minimum: 30GB<br />
• Required: 20% free disk space<br />
• Required: 256MB contiguous free space<br />
Network connectivity Communication with PolicyServer 3.1.3 required for managed<br />
installations<br />
Operating Systems • Windows 8 (32/64-bit)<br />
• Windows 7 (32/64-bit)<br />
• Windows Vista with SP1 (32/64-bit)<br />
• Windows XP with SP3 (32-bit)<br />
Other software Additional requirements for Windows 8:<br />
• <strong>Micro</strong>soft .NET Framework 3.5 is enabled<br />
• For devices with UEFI, see the Endpoint <strong>Encryption</strong><br />
Installation Guide for instructions to change the boot<br />
priority.<br />
Additional requirements for Windows XP:<br />
• <strong>Micro</strong>soft .NET Framework 2.0 SP1 or later<br />
• <strong>Micro</strong>soft Windows Installer 3.1<br />
Hard disk • Seagate DriveTrust drives<br />
• Seagate OPAL and OPAL 2 drives<br />
Note<br />
• RAID and SCSI disks are not supported.<br />
• <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> for Windows 8 does not<br />
support RAID, SCSI, eDrive, or OPAL 2 drives.
Other hardware ATA, AHCI, or IRRT hard disk controller<br />
TABLE 1-5. FileArmor System Requirements<br />
ITEM REQUIREMENT<br />
Processor Intel Core2 or compatible processor.<br />
Memory • Minimum: 512MB<br />
• Recommended: 1GB<br />
<strong>Disk</strong> space • Minimum: 2GB<br />
• Required: 20% free disk space<br />
Network connectivity Communication with PolicyServer required for managed<br />
installations<br />
Operating Systems • Windows 8 (32/64-bit)<br />
• Windows 7 (32/64-bit)<br />
• Windows Vista with SP1 (32/64-bit)<br />
• Windows XP with SP3 (32-bit)<br />
Other software Additional requirements for Windows 8:<br />
• <strong>Micro</strong>soft .NET Framework 3.5 is enabled<br />
• For devices with UEFI, see the Endpoint <strong>Encryption</strong><br />
Installation Guide for instructions to change the boot<br />
priority.<br />
Additional requirements for Windows XP:<br />
• <strong>Micro</strong>soft .NET Framework 2.0 SP1 or later<br />
• <strong>Micro</strong>soft Windows Installer 3.1<br />
TABLE 1-6. KeyArmor System Requirements<br />
ITEM REQUIREMENT<br />
Hardware USB 2.0 port<br />
Network connectivity Communication with PolicyServer required for managed<br />
installations<br />
Operating Systems • Windows 7 (32/64-bit)<br />
• Windows Vista with SP1 (32/64-bit)<br />
• Windows XP with SP3 (32-bit)<br />
Other software Additional software required when installing on Windows<br />
XP:<br />
• <strong>Micro</strong>soft .NET Framework 2.0 SP1 or later<br />
Key Features & Benefits<br />
Endpoint <strong>Encryption</strong> includes the following key features and benefits:<br />
TABLE 1-7. Endpoint <strong>Encryption</strong> Key Features<br />
FEATURE BENEFITS<br />
<strong>Encryption</strong> • Protection for the full disk, including the master boot record<br />
(MBR), operating system, and all system files.<br />
• Hardware-based and software-based encryption for mixed<br />
environments.<br />
Authentication • Flexible authentication methods, including both single and<br />
multi-factor.<br />
• Policy updates before authentication and system boot.<br />
• Configurable actions on failed password attempt threshold.<br />
Device management • <strong>Policies</strong> to protect data on PCs, laptops, tablets, USB<br />
drives, CDs, and DVDs.<br />
• Ability to remotely lock, wipe, or kill a device.
Central administration • <strong>Full</strong> control over encryption, monitoring, and data<br />
protection.<br />
• Automated policy enforcement with remediation of security<br />
events.<br />
Record keeping, reports, and auditing • Analyze usage statistics with scheduled reports and alert<br />
notifications.<br />
Understanding <strong>Encryption</strong><br />
<strong>Encryption</strong> is the process of making data unreadable unless there is access to the<br />
encryption key. <strong>Encryption</strong> can be performed via software or hardware (or a<br />
combination of the two) to ensure that data is protected locally on a device, on<br />
removable media, on specific files and folders, and on data in transit across networks or<br />
the Internet. Endpoint encryption is the most important way to assure data security and<br />
to ensure that regulatory compliance mandates for data protection are met.<br />
File <strong>Encryption</strong><br />
FileArmor protects individual files and folders on local hard drives, and removable<br />
media devices (USB drives). Administrators can set policies specifying which folders and<br />
drives are encrypted on the device and policies about encrypted data on removable<br />
media. File and folder encryption is performed after authentication takes place.<br />
FileArmor can also protect different files with different keys, allowing Administrators to<br />
set access policies to a device and separate policies for access to certain files. This is<br />
useful in environments where multiple users access one endpoint.<br />
<strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong><br />
<strong>Full</strong> disk encryption is the most common encryption solution deployed to endpoints<br />
today because it protects all drive data, including operating system, program, temporary,<br />
and end-user files. Many full disk encryption applications also enhance operating system<br />
security by requiring the user to authenticate before booting/unlocking the drive and<br />
providing access to the operating system.<br />
As an encryption solution, <strong>Trend</strong> <strong>Micro</strong> <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> offers both software-based<br />
and hardware-based encryption. While hardware-based encryption is simpler to<br />
deploy on new hardware, easier to maintain, and offers a higher level of performance,<br />
software-based encryption does not require any hardware and is cheaper to deploy to<br />
existing endpoints. <strong>Trend</strong> <strong>Micro</strong> PolicyServer is able to centrally administer <strong>Full</strong> <strong>Disk</strong><br />
<strong>Encryption</strong>, providing organizations with flexibility to use either software-based or<br />
hardware-based encrypted devices as needed.<br />
Unique to Endpoint <strong>Encryption</strong> is a network-aware feature that updates policies in real-time<br />
prior to allowing authentication. Endpoint <strong>Encryption</strong> also enables administrators<br />
to lock or wipe a drive before the operating system (and any sensitive data) can be<br />
accessed.<br />
Key Management<br />
Unmanaged encryption products require Administrators or users to keep track of the<br />
encryption key on a USB device. Endpoint <strong>Encryption</strong> secures and escrows encryption<br />
keys transparently while enabling an Administrator to use a key to log on to the protected<br />
device to recover protected data.<br />
KeyArmor USB drives secure data with always-on hardware encryption and embedded<br />
antivirus/anti-malware protection to meet regulatory compliance requirements and<br />
stringent government mandates. With KeyArmor, Administrators have complete<br />
visibility and control of who, when, where, and how USB drives are used in their<br />
organization.<br />
About FIPS<br />
The Federal Information Processing Standard (FIPS) Publication 140-2 is a United States<br />
government device security standard that specifies the security requirements for<br />
encryption modules. FIPS 140-2 includes four levels of security:
TABLE 1-8. FIPS 140-2 Security Levels<br />
LEVEL DESCRIPTION<br />
Level 1 Requires all encryption components to be production grade, and absent<br />
of obvious security holes.<br />
Level 2 Includes level 1 requirements and adds physical tamper-evidence and<br />
role-based authentication.<br />
Level 3 Includes level 2 requirements and adds physical tamper-resistance and<br />
identity-based authentication.<br />
Level 4 Includes level 3 requirements and adds additional physical security<br />
requirements.<br />
Endpoint <strong>Encryption</strong> ensures end-to-end data protection by providing FIPS 140-2 level<br />
encryption of data residing on the PolicyServer; all data transmitted between<br />
PolicyServer and endpoint clients; all data stored on the endpoint device; and, all locally<br />
stored client logs.<br />
Management and Integration<br />
When end-users require fortified data protection on multiple types of devices, which<br />
may require different encryption types, a centrally managed and integrated Endpoint<br />
<strong>Encryption</strong> solution reduces administration and maintenance costs. Endpoint<br />
<strong>Encryption</strong> is a centrally managed solution enabling the following data protection<br />
features:<br />
• Centrally and transparently update the Endpoint <strong>Encryption</strong> clients when new<br />
versions are released<br />
• Administer and leverage security policies to individuals and groups from a single<br />
policy server<br />
• Control password strength and regularity for password changes<br />
• Update security policies in real-time, before authentication, to revoke user<br />
credentials before booting the operating system<br />
Account Roles and Authentication<br />
<strong>Trend</strong> <strong>Micro</strong> Endpoint <strong>Encryption</strong> offers Administrators a number of account roles and<br />
authentication methods depending on their specific needs, including multi-factor<br />
authentication.<br />
Account Roles<br />
Endpoint <strong>Encryption</strong> includes several different account types intended for different<br />
roles within the enterprise. These roles determine how accounts access and perform<br />
various tasks.<br />
TABLE 1-9. Endpoint <strong>Encryption</strong> Account Roles<br />
ROLES DESCRIPTION<br />
Enterprise Administrator Controls entire enterprise and has administrative rights to<br />
all groups, users, devices, and policies regardless of<br />
where they reside within the enterprise.<br />
Group Administrator Administrative rights over any group and its subgroups that<br />
they are assigned.<br />
Note<br />
Rights do not apply to parent groups, groups at the<br />
same level in the hierarchy or their subgroups.<br />
Enterprise Authenticator Intended for <strong>Help</strong> Desk personnel to provide remote<br />
assistance. This can occur when a user must call the help<br />
desk because they forgot their password or have a technical<br />
problem. Enterprise Authenticators have configurable<br />
privileges over the entire enterprise.<br />
Group Authenticator Similar to Enterprise Authenticator, but limited to the group<br />
level only.<br />
User For end-users who make use of the endpoint clients, but<br />
are not assigned administrative or authenticator<br />
responsibilities.
Access Control by Application<br />
Authentication and access control are important in any enterprise. <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong><br />
limits system access at boot up and file and folder access once the user is logged on the<br />
operating system. FileArmor, KeyArmor, and PolicyServer provide the same level of<br />
security and access control by enabling two-factor authentication.<br />
Each Endpoint <strong>Encryption</strong> application offers unique characteristics and levels of<br />
control.<br />
TABLE 1-10. Authentication Control by Application<br />
APPLICATION CONTROL<br />
PolicyServer Application access to the management console.<br />
<strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Authentication control before booting into Windows.<br />
FileArmor File and folder-level access control once in the operating<br />
system.<br />
KeyArmor Device control for access to encrypted content on removable<br />
devices.<br />
Authentication Options by Application<br />
TABLE 1-11. Authentication Options Available to Endpoint Clients<br />
PRODUCT | FIXED PASSWORD | DOMAIN PASSWORD | SMART CARD | PIN | RSA | COLORCODE<br />
PolicyServer | Yes | Yes | Yes | No | No | No<br />
<strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> | Yes | Yes | Yes | Yes | No | Yes<br />
FileArmor | Yes | Yes | Yes | Yes | No | Yes<br />
KeyArmor | Yes | No | Yes | Yes | Yes | Yes<br />
Security Options<br />
If a user is unable to authenticate, he/she is prompted to re-enter the credentials.<br />
Depending on policy settings, too many consecutive unsuccessful authentication<br />
attempts will delay the next logon attempt, lock the device, or erase all data from the endpoint.<br />
TABLE 1-12. Authentication Security Options<br />
SECURITY OPTION DESCRIPTION<br />
Time delay The device is locked and no authentication attempts can be<br />
made until the lockout time is passed.<br />
• Ensure that the credentials are correct.<br />
• Use Self <strong>Help</strong> (if available) to avoid waiting for the time<br />
delay period.<br />
Remote authentication required The device is locked.<br />
• Ensure that the credentials are correct.<br />
• Contact the Administrator to use Remote <strong>Help</strong> and<br />
unlock the device. For details, see Remote <strong>Help</strong> on page<br />
1-18.<br />
Erase the device All data is removed from the device.<br />
Authentication Methods<br />
Endpoint <strong>Encryption</strong> offers several authentication methods. The specific methods<br />
available to the endpoint client are determined by PolicyServer.<br />
TABLE 1-13. Supported Authentication Methods<br />
AUTHENTICATION TYPE DESCRIPTION<br />
Domain authentication Single sign-on (SSO) using Active Directory.<br />
Fixed password A string of characters, numbers, and symbols.<br />
PIN A standard personal identification number.<br />
ColorCode Use a sequence of colors as a password.
Smart card A physical card used in conjunction with a PIN or fixed<br />
password.<br />
Self <strong>Help</strong> Question and answer combinations that allow users to reset<br />
a forgotten password without contacting Support.<br />
Remote <strong>Help</strong> Interactive authentication for users who forget their<br />
credentials or devices that have not synchronized policies<br />
within a pre-determined amount of time.<br />
Domain Authentication<br />
Domain authentication using Active Directory permits single sign-on (SSO). Users only<br />
need to provide credentials once to authenticate to <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong>, log on to<br />
Windows, and access FileArmor.<br />
Prerequisites<br />
For seamless integration, ensure the following requirements are met:<br />
• All devices are on the same domain as PolicyServer.<br />
• The user name configured in Active Directory exactly matches the one in<br />
PolicyServer, including case.<br />
• The user name is located within a PolicyServer group and the Domain<br />
Authentication policy is set to Yes.<br />
• Common > Network Login policies (Host Name, Domain Name) are configured<br />
correctly based on the LDAP or Active Directory server settings.<br />
Note<br />
For details about configuring LDAP and Active Directory settings, see Active Directory<br />
Synchronization on page 1-19.<br />
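The prerequisites above can be checked before enabling SSO. The following is an added example, not code from Trend Micro or from this guide: it compares a list of Active Directory account names with PolicyServer user records and reports each user that fails the exact-match (including case), group membership, or Domain Authentication policy requirement. The record layout, the function name, and all sample values are assumptions constructed for illustration; how the two lists are exported is not covered here.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PolicyServerUser:
    """Hypothetical export record; field names are assumptions, not a product schema."""
    name: str
    group: Optional[str]       # None = user is not placed in any PolicyServer group
    domain_auth_policy: str    # effective Domain Authentication policy value for that group


def sso_findings(ad_names, ps_users):
    """Return {PolicyServer user name: [problems]} for users failing a prerequisite."""
    exact = set(ad_names)
    # Case-insensitive index, used only to tell a case mismatch apart
    # from an account that does not exist at all.
    folded = {}
    for ad_name in ad_names:
        folded.setdefault(ad_name.casefold(), []).append(ad_name)

    findings = {}
    for user in ps_users:
        problems = []
        if user.name not in exact:
            near = folded.get(user.name.casefold())
            if near:
                problems.append(
                    f"case mismatch with Active Directory name {near[0]!r}")
            else:
                problems.append("no Active Directory account with this name")
        if user.group is None:
            problems.append("not in a PolicyServer group")
        elif user.domain_auth_policy != "Yes":
            problems.append(
                f"Domain Authentication policy is {user.domain_auth_policy!r} "
                f"in group {user.group!r}")
        if problems:
            findings[user.name] = problems
    return findings


# Constructed sample data (not taken from any real directory).
AD_NAMES = ["jsmith", "MGarcia", "akhan", "lchen"]
PS_USERS = [
    PolicyServerUser("jsmith", "Sales", "Yes"),        # meets all prerequisites
    PolicyServerUser("mgarcia", "Sales", "Yes"),       # differs from AD only by case
    PolicyServerUser("akhan", None, "Yes"),            # not in a group
    PolicyServerUser("lchen", "Contractors", "No"),    # policy not set to Yes
    PolicyServerUser("tnguyen", "Sales", "Yes"),       # no AD account
]

if __name__ == "__main__":
    for name, problems in sso_findings(AD_NAMES, PS_USERS).items():
        print(f"{name}: {'; '.join(problems)}")
```
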
Fixed Passwords<br />
Fixed passwords are the most common authentication method. A fixed password is<br />
created by the user and can be almost anything. Administrators can place restrictions on<br />
fixed passwords to ensure that they are not easily compromised.<br />
PIN<br />
A Personal Identification Number (PIN) is another common identification method.<br />
Similar to a fixed password, a PIN is created by the user and can be almost anything.<br />
Like fixed passwords, Administrators may place restrictions on the PIN combination.<br />
ColorCode<br />
ColorCode is a unique authentication method designed to be easily remembered and<br />
quickly provided. Instead of using numbers or letters for a password, ColorCode<br />
authentication consists of a user-created sequence of colors (for example: red, red, blue,<br />
yellow, blue, green).<br />
FIGURE 1-2. ColorCode Logon<br />
Smart Card<br />
Smart card authentication requires both a PIN and a physical card when confirming a<br />
user's identity. Insert the smart card before providing a PIN.<br />
Important<br />
To allow smart card authentication for all Endpoint <strong>Encryption</strong> clients, enable the<br />
following policy: <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> > PC > Login > Token Authentication.<br />
Self <strong>Help</strong><br />
Use Self <strong>Help</strong> to authenticate when users have forgotten their credentials. Self <strong>Help</strong><br />
requires users to respond with answers to predefined personal challenge questions. Self<br />
<strong>Help</strong> can also be used instead of fixed password or other authentication methods.<br />
Important<br />
PolicyServer must be configured to allow Self <strong>Help</strong> authentication. For more information,<br />
see Understanding <strong>Policies</strong> on page 3-1.<br />
WARNING!<br />
A maximum of six questions can display to endpoint clients. Do not create more than six<br />
questions in PolicyServer, or users will be unable to log on.<br />
Remote <strong>Help</strong><br />
Use Remote <strong>Help</strong> when a user is locked out of an endpoint client after too many failed<br />
logon attempts or when too much time has passed since the last PolicyServer<br />
synchronization.<br />
Within each application’s policies, set the action to Remote Authentication.<br />
TABLE 1-14. <strong>Policies</strong> Affecting Remote <strong>Help</strong> Authentication<br />
POLICY DESCRIPTION<br />
Login > Account Lockout Period The number of days that a device cannot<br />
communicate with PolicyServer before<br />
Account Lockout Action is called.<br />
Login > Account Lockout Action The action taken when the length of time in<br />
Account Lockout Actions include: erase,<br />
remote authentication.<br />
Login > Failed Login Attempts Allowed The number of failed login attempts allowed<br />
before executing the action defined in Device<br />
Locked
Login > Device Locked Action The action taken when the Failed Attempts<br />
Allowed policy value has been exceeded.<br />
Actions include: time delay, erase, remote<br />
authentication.<br />
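To see how the four policies in Table 1-14 interact across a fleet, the following added example models them and forecasts which devices would hit a time delay, need Remote Help, or be erased. It is an illustration written for this section, not PolicyServer code: the class and function names, the rule that the more severe action wins when both thresholds are crossed, the treatment of the lockout period as reached once that many days have elapsed, and all sample devices are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import IntEnum


class Action(IntEnum):
    """Outcomes named in Tables 1-12 and 1-14; the severity order is an assumption."""
    NONE = 0          # logon attempt proceeds normally
    TIME_DELAY = 1
    REMOTE_AUTH = 2   # device stays locked until Remote Help is used
    ERASE = 3


# Actions each policy accepts, as listed in Table 1-14.
ACCOUNT_LOCKOUT_ACTIONS = {Action.ERASE, Action.REMOTE_AUTH}
DEVICE_LOCKED_ACTIONS = {Action.TIME_DELAY, Action.ERASE, Action.REMOTE_AUTH}


@dataclass(frozen=True)
class LoginPolicy:
    account_lockout_period_days: int     # Login > Account Lockout Period
    account_lockout_action: Action       # Login > Account Lockout Action
    failed_login_attempts_allowed: int   # Login > Failed Login Attempts Allowed
    device_locked_action: Action         # Login > Device Locked Action

    def __post_init__(self):
        if self.account_lockout_action not in ACCOUNT_LOCKOUT_ACTIONS:
            raise ValueError(
                "Account Lockout Action must be erase or remote authentication")
        if self.device_locked_action not in DEVICE_LOCKED_ACTIONS:
            raise ValueError(
                "Device Locked Action must be time delay, erase or remote authentication")


@dataclass(frozen=True)
class DeviceState:
    name: str
    failed_attempts: int    # consecutive failed logon attempts
    last_sync: datetime     # last successful PolicyServer synchronization


def evaluate(policy, device, now):
    """Return the action this model predicts for one device."""
    triggered = [Action.NONE]
    # Assumption: the period counts as reached once that many days have elapsed.
    if now - device.last_sync >= timedelta(days=policy.account_lockout_period_days):
        triggered.append(policy.account_lockout_action)
    # Table 1-14: Device Locked Action applies when the allowed value is exceeded.
    if device.failed_attempts > policy.failed_login_attempts_allowed:
        triggered.append(policy.device_locked_action)
    return max(triggered)   # assumption: the more severe action wins


def forecast(policy, devices, now):
    """Group device names by predicted action, e.g. to size Remote Help demand."""
    result = {action: [] for action in Action}
    for device in devices:
        result[evaluate(policy, device, now)].append(device.name)
    return result


# Constructed sample data.
NOW = datetime(2012, 12, 1, 9, 0)
DEVICES = [
    DeviceState("LAPTOP-01", 0, NOW - timedelta(days=2)),
    DeviceState("LAPTOP-02", 6, NOW - timedelta(days=1)),
    DeviceState("LAPTOP-03", 5, NOW - timedelta(days=45)),
    DeviceState("LAPTOP-04", 9, NOW - timedelta(days=60)),
]
BASELINE = LoginPolicy(30, Action.REMOTE_AUTH, 5, Action.TIME_DELAY)
STRICT = LoginPolicy(30, Action.ERASE, 5, Action.REMOTE_AUTH)

if __name__ == "__main__":
    for label, policy in (("baseline", BASELINE), ("strict", STRICT)):
        print(label)
        for action, names in forecast(policy, DEVICES, NOW).items():
            print(f"  {action.name}: {', '.join(names) or '-'}")
```

Running the forecast against a candidate policy before deploying it shows how many devices an erase action would affect, which matters because a device that has simply been offline longer than the Account Lockout Period is treated the same as one that is lost.
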
New Features in Endpoint <strong>Encryption</strong> 3.1.3<br />
<strong>Trend</strong> <strong>Micro</strong> Endpoint <strong>Encryption</strong> 3.1.3 includes the following enhancements:<br />
Multi-language Support<br />
Endpoint <strong>Encryption</strong> now offers support for the following languages:<br />
TABLE 1-15. Supported Languages<br />
PRODUCT | SPANISH | FRENCH | GERMAN<br />
<strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> | Yes | Yes | Yes<br />
FileArmor | Yes | Yes | Yes<br />
PolicyServer | Yes | Yes | Yes<br />
KeyArmor | No | No | No<br />
Active Directory Synchronization<br />
Endpoint <strong>Encryption</strong> now supports account synchronization between Active Directory<br />
and PolicyServer. Active Directory can be leveraged for single-sign-on across all<br />
endpoint client applications.<br />
See the Endpoint <strong>Encryption</strong> Installation Guide for detailed instructions about how to<br />
configure PolicyServer for AD synchronization. The Installation Guide is available at:<br />
http://docs.trendmicro.com/en-us/enterprise/endpoint-encryption.aspx<br />
PolicyServer 3.1.3 Enhancements<br />
• The PolicyServer installer now allows for a trial license that expires after 30 days.<br />
The Enterprise name and Enterprise Administrator account are configured at time<br />
of installation.<br />
• The port number for web services can now be set during installation.<br />
• To improve security, PolicyServer now has a Client Web Service that allows all<br />
clients to connect to PolicyServer using this new interface.<br />
• Improved policy lookup and naming.<br />
• Improved audit logs.<br />
• A new Recycle Bin node allows Administrators to recover deleted users and<br />
devices.<br />
• Global policies now allow for policy changes to easily push to subgroups from the<br />
parent level.<br />
<strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> 3.1.3 Enhancements<br />
New Features<br />
• OPAL 2 is now supported<br />
• Windows 8 is now supported on non-UEFI devices<br />
• <strong>Policies</strong> now automatically synchronize with PolicyServer when a device loads the<br />
preboot logon<br />
• Password sharing between devices in the same PolicyServer group (for password<br />
sharing devices) is now supported<br />
• Unmanaged installations now fully support hardware and software based<br />
encryption<br />
• Console-based preboot now works for unsupported display configurations
Easier Installation<br />
• There is now one installer for software and hardware based encryption (Seagate<br />
OPAL and DriveTrust). This same installer also supports 32 and 64-Bit OS<br />
installations<br />
• Improved pre-install check and error/log reporting<br />
• <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> can now install without encrypting and without a preboot<br />
(via policy setting). This provides better control of phased roll-out to distribute<br />
software, enable preboot authentication, and turn on encryption<br />
Improved Management and Administration<br />
• Recovery Console access in Windows and preboot<br />
• Easily update the PolicyServer information and re-assign a device to the original<br />
PolicyServer or a new PolicyServer<br />
• More Robust Repair CD<br />
• Scripted Uninstalls<br />
Chapter 2<br />
Getting Started with PolicyServer<br />
Before configuring PolicyServer to centrally manage endpoint clients, PolicyServer<br />
services, databases, and PolicyServer MMC should already be installed. See the Endpoint<br />
<strong>Encryption</strong> Installation Guide for detailed instructions about setting up PolicyServer<br />
services, databases, and PolicyServer MMC. The Installation Guide is available at:<br />
http://docs.trendmicro.com/en-us/enterprise/endpoint-encryption.aspx<br />
This chapter covers the following topics:<br />
• Authenticating for the First Time<br />
• Introducing PolicyServer<br />
• Working with Groups and Users<br />
• Understanding Policy Controls<br />
• Enabling Applications<br />
Authenticating for the First Time<br />
The Enterprise name and Enterprise Administrator account were configured at the time<br />
of installation. PolicyServer functions normally with all client applications, unlimited<br />
devices, and 100 users available for a 30-day trial period. After 30 days, contact<br />
Technical Support to receive a license file. Users/devices can still log on after the trial<br />
period expires.<br />
This task explains how to import the license file and then log on to PolicyServer. The<br />
license file is usually provided as a text file.<br />
Procedure<br />
1. Open PolicyServer MMC.<br />
2. Go to File > Import License.<br />
3. Provide the license file unlock code.<br />
4. Browse to the license file and then click Update.<br />
5. Provide the enterprise, user name, password and the PolicyServer IP address or<br />
hostname specified in the license file.<br />
6. Click Login.<br />
Introducing PolicyServer<br />
PolicyServer utilizes a <strong>Micro</strong>soft Management Console (MMC). PolicyServer has a<br />
hierarchical structure that distributes administrative responsibility while maintaining<br />
centralized control when:<br />
• Defining security policy parameters<br />
• Managing users, devices, and groups (including offline groups)<br />
• Enabling/Disabling endpoint applications
Use PolicyServer MMC auditing and reporting functions to monitor the security<br />
infrastructure and meet compliance requirements.<br />
PolicyServer MMC Interface<br />
PolicyServer MMC interface contains the following panes:<br />
TABLE 2-1. PolicyServer MMC Interface<br />
WINDOW | DESCRIPTION<br />
Left pane (1) | Use the left pane to view users, groups, policies, devices, and applications. Expand the top level to manage nested elements within the tree structure. Open items will update the content in the results window.<br />
Right pane (2) | Use the right pane to modify policies, user information, and group information. The currently selected tree item is displayed in the results window. The exact format of the information shown in the results window depends on the item selected in the tree.<br />
FIGURE 2-1. PolicyServer MMC Interface<br />
Within the left pane tree structure, there are a number of different nodes. The following<br />
table describes each node:<br />
TABLE 2-2. PolicyServer MMC Tree Structure Hierarchy<br />
NODE | PURPOSE<br />
Enterprise users | View all Administrators, authenticators and users within the entire enterprise. To see group affiliation, open the group and click Users.<br />
Enterprise devices | View all instances of endpoint clients and which device they are connecting from. To see group affiliation, open the group and click Devices.<br />
Enterprise policies | Control whether endpoint applications can connect to PolicyServer. Also, manage all enterprise policies. Group policies override enterprise policies.<br />
Enterprise log events | View all log entries for the enterprise.<br />
Enterprise reports | Manage various reports and alerts. No group-only reports are available.<br />
Enterprise maintenance | Manage PolicyServer MMC application plug-ins.<br />
Recycle bin | View deleted users and devices.<br />
Groups | Manage users, devices, policies and log events for a collection of users.<br />
Working with Groups and Users<br />
This section explains how to get started with Endpoint <strong>Encryption</strong> groups and users.<br />
First define the users and groups, and then assign users to groups. It is also possible to<br />
add new users directly to a group. At least one Top Group is required.<br />
User and group structure recommendations:<br />
• Follow the Active Directory structure when configuring a group structure.
• Create a new group whenever there is a policy difference between groups of users.<br />
If one group requires domain authentication and another requires fixed password,<br />
then two separate policy groups are required.<br />
• Create multiple groups to minimize access to devices within a group. All members<br />
of a group are allowed access to any device in that group.<br />
Defining Users and Groups<br />
Define all roles and group affiliations before adding any users or groups to PolicyServer.<br />
1. Identify Enterprise Administrators/Authenticators.<br />
2. Create Enterprise Administrators/Authenticators.<br />
3. Identify groups.<br />
4. Create groups.<br />
5. Identify Group Administrators/Authenticators.<br />
6. Create Group Administrators/Authenticators.<br />
7. Identify users to be assigned to each group.<br />
8. Import or create new users for each group.<br />
Adding a Top Group<br />
Groups simplify managing enabled applications, users, policies, subgroups, and devices.<br />
A Top Group is the highest level group.<br />
Note<br />
Enterprise Administrator/Authenticator accounts cannot be added to groups. To create a<br />
Group Administrator, add a user and change his/her permissions within the group.<br />
Procedure<br />
1. Right-click the enterprise name in the left pane, and click Add Top Group.<br />
FIGURE 2-2. Adding a Top Group<br />
The Add New Group screen appears.<br />
2. Provide the name and a description for the group.<br />
3. Only select Support Legacy Devices if using legacy devices that do not support<br />
Unicode encoding. Some legacy devices may not be able to communicate with<br />
PolicyServer using Unicode. Assign Unicode and legacy devices to different groups.
FIGURE 2-3. Add New Group<br />
4. Click Apply.<br />
5. At the confirmation message, click OK.<br />
The new group is added to the tree structure in the left pane.<br />
Adding a New User to a Group<br />
Note<br />
• Adding a user to the enterprise does not assign the user to any groups.<br />
• Adding a user to a group adds the user to the group and to the enterprise.<br />
Procedure<br />
1. Expand the Group and open Users.<br />
2. Right-click whitespace in the right pane and select Add New User.<br />
The Add New User screen appears.<br />
FIGURE 2-4. Add New User Screen<br />
3. Specify user information. User name, first name, and last name are required.<br />
4. Only select Freeze if the account should be temporarily disabled. While frozen, the<br />
user is unable to log on to devices.<br />
5. Use the Group User Type field to set the privileges of the new account.<br />
Enterprise Administrators and Authenticators cannot be added to groups.<br />
6. Select One Group to prevent the user from being a member of multiple groups.<br />
7. Select the Authentication Method.<br />
Note<br />
The default authentication method for users is None.<br />
8. Click OK.<br />
The new user is added to the selected group and to the Enterprise. The user can<br />
now log on to a device.<br />
Adding a New Enterprise User<br />
Note<br />
• Adding a user to the enterprise does not assign the user to any groups.<br />
• Adding a user to a group adds the user to the group and to the enterprise.<br />
Procedure<br />
1. Expand the Enterprise and open Users.<br />
2. Right-click whitespace in the right pane and select Add User.<br />
The Add New User screen displays.<br />
FIGURE 2-5. Add New User Screen<br />
3. Specify user information. User name, first name, and last name are required.<br />
4. Only select Freeze if the account should be temporarily disabled. While frozen, the<br />
user is unable to log on to devices.<br />
5. Use the User Type field to set the privileges of the new account. Enterprise<br />
Administrators and Authenticators cannot be added to groups.<br />
6. Select One Group to prevent the user from being a member of multiple groups.<br />
7. Select the Authentication Method.<br />
Note<br />
The default authentication method for users is None.<br />
8. Click OK.<br />
The new user is added to this PolicyServer Enterprise. The user cannot log on to a<br />
device until he/she is added to a group.<br />
Adding an Existing User to a Group<br />
A user can be added to numerous groups.<br />
Procedure<br />
1. Expand the group in the left pane and then click Users.<br />
2. Right-click whitespace in the right pane, and select Add Existing User.<br />
The Add Users To Group screen appears.<br />
FIGURE 2-6. Add Existing Users To Group Screen<br />
3. Specify user details and then click Search.<br />
If there is a match, the Source field populates with accounts.<br />
4. Select user accounts from the list and click the blue arrow to add them. See<br />
Table 2-3: Icons to Add/Remove Users on page 2-12 for additional controls.<br />
TABLE 2-3. Icons to Add/Remove Users<br />
CENTER ICONS | DESCRIPTION<br />
[icon] | Add a single selected user to the Destination field.<br />
[icon] | Add all found users based on search criteria to the Destination field.<br />
[icon] | Delete a single selected user from the Destination field.<br />
[icon] | Delete all users from the Destination field.<br />
5. To change a user’s password:<br />
a. In the Destination field, highlight the user.<br />
b. Click Enter User Password located at the bottom of the window.<br />
c. In the window that appears, specify the user’s authentication method.<br />
d. Click Apply.<br />
6. Click Apply.<br />
The user is added to the group. If this is the only group that the user belongs to,<br />
then the user is now able to log on to the endpoint client.<br />
Understanding Policy Controls<br />
After setting up all users and groups in the enterprise, set policies for the enterprise or<br />
group. Each group in the left pane tree structure (whether a Top Group or subgroup)<br />
contains one or more endpoint application policy folders.<br />
For details about the PolicyServer interface, see PolicyServer MMC Interface on page 2-3.<br />
Note<br />
<strong>Policies</strong> can be enabled or disabled at the enterprise or group level. See Working with <strong>Policies</strong><br />
on page 3-2.<br />
Visual Indicators for <strong>Policies</strong><br />
Colored circles beside each policy indicate the state of the policy.<br />
TABLE 2-4. Policy Indicators<br />
INDICATOR | DESCRIPTION<br />
[indicator] | The policy value is inherited from the parent group or the Enterprise.<br />
[indicator] | A policy is modified for the group.<br />
[indicator] | The policy may have multiple arrays of values.<br />
[indicator] | The policy has one or more sub-policies.<br />
Policy Fields and Buttons<br />
Use the fields and buttons shown below to control policy elements. All modified values<br />
are propagated to a group's subgroups. Depending on what the policy controls, certain<br />
fields are not present.<br />
TABLE 2-5. Policy Fields and Buttons<br />
FIELD/BUTTON | DESCRIPTION | CHANGEABLE?<br />
OK | Saves changes to the selected policy | N/A<br />
Description | Explains the selected policy | No<br />
Policy Range | Displays the value range that the selected policy can fall between | Yes<br />
Policy Value | Depending on the policy, displays the actual value of the selected policy, whether it contains a string, number, or series of entries | Yes<br />
Policy Multiple Value | Specifies whether this policy can be used multiple times for different settings (multiple “if found” strings) | No<br />
Policy Name | Displays the name of the selected policy | No<br />
Policy Type | Specifies the category for the selected policy | No<br />
Enterprise controlled | Makes this policy mirror changes to the same policy at the Enterprise level | Yes<br />
Save to subgroups | Pushes policy settings to the same policy in all subgroups | Yes<br />
Modifying Policies<br />
PolicyServer has a common set of windows to modify policies. Different types of input<br />
are available depending on what the policy controls and which parameters are required.<br />
The steps required to edit one policy differ from those required to modify another. This task<br />
gives a general overview about editing a policy.<br />
For more details about modifying policies, including explanations about configuring<br />
different policy types, see Policy Management on page 3-2.<br />
Procedure<br />
1. Expand the Enterprise.<br />
2. Choose which policy level to modify:<br />
a. For enterprise-level policies, expand Enterprise Policies.<br />
b. For group-level policies, expand the Group Name and then expand Policies.<br />
3. Open the specific application or select Common.<br />
The policy list displays in the results window.<br />
FIGURE 2-7. Modifying a Policy<br />
4. Go to a policy and double-click to open the editor window. For this example,<br />
Console Timeout is used.
FIGURE 2-8. Console Timeout Policy Editor Window<br />
5. Specify changes appropriate for the policy, and then click OK.<br />
Enabling Applications<br />
Important<br />
To ensure proper communication and policy synchronization, the Endpoint Encryption<br />
application must be enabled in PolicyServer before installation.<br />
Procedure<br />
1. Log on to PolicyServer MMC.<br />
2. Click Enterprise <strong>Policies</strong>.<br />
All applications appear in the right pane.<br />
FIGURE 2-9. Enable Applications<br />
3. Right-click the application and then select Enable.<br />
Note<br />
In order to use <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong>, both <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> and MobileSentinel<br />
applications must be enabled.<br />
The application is enabled and managed by PolicyServer.
Chapter 3<br />
Understanding Policies<br />
This chapter explains how to use policies and provides detailed information about<br />
individual policy setting values. For information about managing users, groups, and<br />
devices, see Working with Groups, Users, and Devices on page 4-1.<br />
This chapter explains the following topics:<br />
• Working with Policies<br />
• Policy Management<br />
• PolicyServer Policies<br />
• Full Disk Encryption Policies<br />
• FileArmor Policies<br />
• MobileSentinel Policies<br />
• KeyArmor Policies<br />
• DriveArmor Policies<br />
• Common Policies<br />
Working with Policies<br />
This section explains how to use various windows to change a policy, but does not<br />
explain the process to modify every policy. All policies have default values. PolicyServer<br />
MMC has a common set of windows to use when modifying a policy. One policy will<br />
have an editor window available to edit the numbers, ranges and values associated with<br />
the policy while another policy will have a window to modify text strings.<br />
When managing policies, note the following:<br />
• <strong>Policies</strong> are configurable by application within each group.<br />
• Policy inheritance only occurs when a subgroup is created. For details about group<br />
permissions, see Working with Groups on page 4-2.<br />
Policy Management<br />
Every group in the left pane tree structure (whether a Top Group or subgroup) contains<br />
one or more endpoint application policy folders.<br />
The results window in the right pane displays controls to:<br />
• Display a list of policies and their values.<br />
• Modify a policy using the editor window.<br />
• Run reports and other log events.<br />
• Run enterprise maintenance.<br />
For a detailed explanation of the interface, see PolicyServer MMC Interface on page 2-3.
FIGURE 3-1. PolicyServer MMC Window<br />
Selecting a Policy for Modification<br />
Procedure<br />
1. Go to Group Name > <strong>Policies</strong> > Application Name.<br />
Example: Group1 > <strong>Policies</strong> > <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong>.<br />
2. Go to the specific policy.<br />
Example: Common > Client > Allow User to Uninstall.<br />
3. Right-click the policy and select Properties.<br />
Editing Policies with Ranges<br />
An example of editing policies with ranges is the Failed Login Attempts Allowed<br />
policy. Failed Login Attempts Allowed controls whether a device is locked when a<br />
user exceeds the number of failed authentication attempts allowed.<br />
FIGURE 3-2. Policy with Ranges Window<br />
Using the parameters defined in the Policy Range fields, an Administrator can indicate<br />
the number of failed authentication attempts allowed per user in the Policy Value field.<br />
Procedure<br />
1. Right-click the policy to be modified and then click Properties.
2. In the Policy Range Minimum field, specify the lowest number of failed<br />
authentication attempts that can be made by a user in this group before the device<br />
is locked.<br />
Note<br />
The minimum and maximum values for the policy range can be the same as the<br />
parent's range, or they can be modified. The minimum and maximum values cannot<br />
be extended.<br />
3. In the Policy Range Maximum field, specify the highest number of<br />
authentication attempts that can be made by a user in this group before<br />
authentication fails and the device is locked.<br />
4. In the Policy Value field, specify the number of failed authentication attempts<br />
allowed for a user in this group before the device is locked.<br />
5. Click OK to save any changes to this window.<br />
The policy change is activated once the endpoint client synchronizes with<br />
PolicyServer.<br />
Editing Policies with True/False or Yes/No Responses<br />
Some policies only have True/False or Yes/No options. For this example, Preboot<br />
Bypass is used.<br />
A Group Administrator can define whether the <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot should<br />
display. If the Parent Group allows Yes and No, then the subgroup Authenticators have<br />
the right to set the range to Yes and No, just Yes, or just No. If the Parent Group has<br />
set the range to either Yes or No, then the subgroup Administrator can only select that<br />
same range.<br />
FIGURE 3-3. Policy with Yes/No Values<br />
Procedure<br />
1. Right-click the policy to be modified and then click Properties.<br />
2. The Policy Value field sets whether the policy is turned on.<br />
3. The Range field sets whether this policy is available to other users or groups. For<br />
example, if this policy is set to No by an Enterprise Administrator in Enterprise<br />
<strong>Policies</strong>, then the policy will not be available to set to yes by other groups.<br />
4. Click OK to save any changes to this window.
The policy change is activated once the endpoint client synchronizes with<br />
PolicyServer.<br />
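The range rules described above for ranged and Yes/No policies (a subgroup can keep or narrow its parent's range but cannot extend it, and the Policy Value must fall inside the group's own range) can be checked mechanically over a group tree. The following Python is an added example, not Trend Micro code: the data model, the group names other than Group1, and all sample values are constructed, and it assumes that a group which does not list a policy uses its parent's setting.<br />

```python
"""Model of policy range inheritance across a group tree (illustrative only)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union


@dataclass
class NumericPolicy:
    minimum: int  # Policy Range Minimum
    maximum: int  # Policy Range Maximum
    value: int    # Policy Value


@dataclass
class ChoicePolicy:
    allowed: frozenset  # Policy Range: the options offered to this group
    value: str          # Policy Value: the option currently selected


Policy = Union[NumericPolicy, ChoicePolicy]


@dataclass
class Group:
    name: str
    policies: Dict[str, Policy]
    subgroups: List["Group"] = field(default_factory=list)


def check_policy(policy: Policy, parent: Optional[Policy]) -> List[str]:
    """Return the rule violations for one policy, given the parent's setting (or None)."""
    problems = []
    if isinstance(policy, NumericPolicy):
        if policy.minimum > policy.maximum:
            problems.append("range minimum is above range maximum")
        if not policy.minimum <= policy.value <= policy.maximum:
            problems.append(
                f"value {policy.value} is outside range {policy.minimum}-{policy.maximum}")
        # A subgroup may keep or narrow the parent's range, never extend it.
        if isinstance(parent, NumericPolicy) and (
                policy.minimum < parent.minimum or policy.maximum > parent.maximum):
            problems.append(
                f"range {policy.minimum}-{policy.maximum} extends parent range "
                f"{parent.minimum}-{parent.maximum}")
    else:
        if policy.value not in policy.allowed:
            problems.append(f"value {policy.value!r} is not an allowed option")
        # If the parent offers only "No", the subgroup cannot offer "Yes".
        if isinstance(parent, ChoicePolicy) and not policy.allowed <= parent.allowed:
            extra = ", ".join(sorted(policy.allowed - parent.allowed))
            problems.append(f"range adds option(s) the parent does not allow: {extra}")
    return problems


def audit(group: Group, parent_policies: Optional[Dict[str, Policy]] = None,
          path: str = "") -> List[Tuple[str, str, str]]:
    """Walk the tree and return (group path, policy name, problem) tuples."""
    parent_policies = parent_policies or {}
    here = f"{path} > {group.name}" if path else group.name
    findings = []
    for name, policy in group.policies.items():
        for problem in check_policy(policy, parent_policies.get(name)):
            findings.append((here, name, problem))
    # Assumption of this model: an unlisted policy keeps the parent's setting.
    effective = {**parent_policies, **group.policies}
    for sub in group.subgroups:
        findings.extend(audit(sub, effective, here))
    return findings


YES_NO = frozenset({"Yes", "No"})

# Constructed sample tree; values are illustrative, not product defaults.
SAMPLE_ENTERPRISE = Group("Enterprise", {
    "Failed Login Attempts Allowed": NumericPolicy(0, 100, 5),
    "Preboot Bypass": ChoicePolicy(YES_NO, "No"),
}, [
    Group("Group1", {
        "Failed Login Attempts Allowed": NumericPolicy(3, 10, 5),   # narrowed: allowed
        "Preboot Bypass": ChoicePolicy(frozenset({"No"}), "No"),    # narrowed: allowed
    }, [
        Group("Kiosks", {
            "Failed Login Attempts Allowed": NumericPolicy(3, 20, 15),  # extends 3-10
            "Preboot Bypass": ChoicePolicy(YES_NO, "Yes"),              # re-adds "Yes"
        }),
    ]),
    Group("Group2", {
        "Failed Login Attempts Allowed": NumericPolicy(0, 100, 150),  # value out of range
    }),
])

if __name__ == "__main__":
    for where, policy_name, problem in audit(SAMPLE_ENTERPRISE):
        print(f"{where}: {policy_name}: {problem}")
```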
Editing <strong>Policies</strong> with Multiple-choice / Single-selection<br />
Some policies have multiple options available. The Device Locked Action policy is<br />
edited in a multiple-choice/single-selection window. Administrators can only select one<br />
Policy Value. In this example, the Group Administrator must define the action to take<br />
when a user exceeds the allowed number of authentication attempts.<br />
FIGURE 3-4. Policy with Multiple Choice/Single Selection<br />
Procedure<br />
1. Right-click the policy to be modified and then click Properties.<br />
2. Select the desired default setting for the Policy Value drop-down.<br />
3. Select the available options for the Policy Range area.<br />
Note<br />
Removing an option removes the value from the Policy Value drop-down.<br />
4. Click OK to save changes.<br />
The policy change is activated once the endpoint client synchronizes with<br />
PolicyServer.
Editing <strong>Policies</strong> with Text String Arguments<br />
Some policies have an editable text string for single array arguments. The Dead Man<br />
Switch policy is an example of a policy that provides the capability to specify a string of<br />
text.<br />
FIGURE 3-5. Policy with Text String Argument<br />
Procedure<br />
1. Right-click the policy to be modified and then click Properties.<br />
2. For the Policy Value field, specify the sequence of characters for this policy.<br />
3. Click OK to save any changes to this window.<br />
The policy change is activated once the endpoint client synchronizes with<br />
PolicyServer.<br />
Editing <strong>Policies</strong> with Multiple Options<br />
Some policies can have multiple options stored in sub-policies affecting that policy.<br />
Multiple option policies are designed to create separate lines in a text string; each sub-policy<br />
is a new line in the string. For example, the If Found policy displays how to<br />
return a found device. A normal address format displays the name, street address, and<br />
city/state/zip on three separate lines.<br />
Note<br />
The number of sub-policies is limited by endpoint application capabilities, which is<br />
generally no greater than six lines of text.<br />
Procedure<br />
1. Right-click the policy to be modified and then click Add.<br />
FIGURE 3-6. If Found Policy: Adding a New Option<br />
2. In the policy window that displays, specify details in the Policy Value field.<br />
Note<br />
Depending on the policy, a new policy might be added and then modified by<br />
right-clicking and selecting Properties.<br />
3. Click OK to save any changes to this window and repeat if necessary.<br />
FIGURE 3-7. If Found Policy: Results After Adding Multiple Options<br />
4. To make changes, right-click the child policy and then select Properties.<br />
The policy change is activated once the endpoint client synchronizes with<br />
PolicyServer.<br />
PolicyServer Policies<br />
This section explains the configurable options for all enterprise policies affecting<br />
PolicyServer.<br />
Admin Console <strong>Policies</strong><br />
<strong>Policies</strong> governing the administration tools like Enterprise Security Manager and<br />
PolicyServer MMC.<br />
TABLE 3-1. PolicyServer Admin Console <strong>Policies</strong><br />
POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT<br />
Console Timeout | Exit the administration tool after the Timeout (minutes) has expired with no activity. | 1-60; Default: 20<br />
Failed Login Attempts Allowed | Lockout the admin logon after this number of consecutive failed log on attempts. | 0-100; Default: 0<br />
Legal Notice | Contains the legal notice that must be displayed before the Administrator or Authenticator can use the administration tools. | 1-1024 chars; Default: N/A<br />
Administrator Policies<br />
Policies governing PolicyServer group Administrator privileges.<br />
TABLE 3-2. PolicyServer Administrator Policies<br />
POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT<br />
Add Devices | Specify whether group administrators are allowed to add devices. | Yes, No; Default: Yes<br />
Add Users | Specify whether group administrators are allowed to add new users. | Yes, No; Default: Yes<br />
Add Users to Enterprise | Specify whether group administrators are allowed to add new users to the enterprise. | Yes, No; Default: No<br />
Add/Modify Groups | Specify whether group administrators are allowed to add/modify subgroups. | Yes, No; Default: Yes<br />
Change Policies | Specify whether group administrators are allowed to change policies. | Yes, No; Default: Yes<br />
Copy/Paste Groups | Specify whether group administrators are allowed to copy and paste subgroups. | Yes, No; Default: Yes<br />
Remove Devices | Specify whether group administrators are allowed to remove devices. | Yes, No; Default: Yes<br />
Remove Groups | Specify whether group administrators are allowed to remove subgroups. | Yes, No; Default: Yes<br />
Remove Users | Specify whether group administrators are allowed to remove users. | Yes, No; Default: Yes<br />
Remove Users from Enterprise | Specify whether group administrators are allowed to remove users from the enterprise. | Yes, No; Default: No<br />
Authenticator Policies<br />
Policies governing enterprise and group authenticator rights and privileges.<br />
TABLE 3-3. PolicyServer Authenticator Policies<br />
POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT<br />
Add Devices | Specify whether authenticators are allowed to add devices. | Yes, No; Default: No<br />
Add Users | Specify whether authenticators are allowed to add new users. | Yes, No; Default: No<br />
Add Users to Enterprise | Specify whether authenticators are allowed to add new users to the enterprise. | Yes, No; Default: No<br />
Add/Modify Groups | Specify whether authenticators are allowed to add/modify subgroups. | Yes, No; Default: No<br />
Copy/Paste Groups | Specify whether authenticators are allowed to copy and paste subgroups. | Yes, No; Default: No<br />
Remove Devices | Specify whether authenticators are allowed to remove devices. | Yes, No; Default: No<br />
Remove Groups | Specify whether authenticators are allowed to remove subgroups. | Yes, No; Default: No<br />
Remove Users | Specify whether authenticators are allowed to remove users. | Yes, No; Default: No<br />
Remove Users from Enterprise | Specify whether authenticators are allowed to remove users from the enterprise. | Yes, No; Default: No<br />
Log Alert Policies<br />
<strong>Policies</strong> governing email messages sent for important PolicyServer log events.<br />
TABLE 3-4. PolicyServer Log Alerts <strong>Policies</strong><br />
POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT<br />
From Email Address | Specify the email address that is used as the source email address for the alerts email message. | 1-255 characters; Default: N/A<br />
SMTP Server Name | Specify the SMTP server responsible for sending alert email messages. | 1-255 characters; Default: N/A<br />
PDA <strong>Policies</strong><br />
<strong>Policies</strong> governing how PDA devices can communicate with PolicyServer.<br />
TABLE 3-5. PolicyServer PDA <strong>Policies</strong><br />
CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT<br />
PDA | Cell Phone PDA | Specify whether cell phone PDA devices are notified via SMS or Email the installation message. | SMS, Email, None; Default: None<br />
PDA | Email | Email settings used to send installation notification to the user. | <br />
PDA > Email | SMTP Server Name | Specify the SMTP server responsible for sending email messages. | 1-255 characters<br />
PDA > Email | Subject | Specify the subject text that is displayed to the user in the Subject Line of the email. | 1-255 characters<br />
PDA | SMS | Specify whether devices are notified via SMS if policy/user settings have changed. | Enable, Disable; Default: Disable<br />
PDA > SMS | Email Domain | Specify the target email domain. | 1-255 characters<br />
PDA > SMS | SMTP Server Name | Specify the SMTP server responsible for sending SMS notifications. | 1-255 characters<br />
PDA > SMS | Source Email | Specify the email address that SMS and email notifications are sent from. | 1-255 characters<br />
PDA | Tethered PDA | Specify whether wireless, BlueTooth, cradled, or cell phone PDA devices are notified via Email the installation message. | Email, None; Default: None<br />
PDA | Welcome Message | Contains the welcome message file whose contents are displayed to the user during the download process. | <br />
Service Pack Download Policies<br />
<strong>Policies</strong> governing automatic client service pack download times.<br />
TABLE 3-6. PolicyServer Service Pack Download <strong>Policies</strong><br />
POLICY NAME DESCRIPTION<br />
Service Pack Download<br />
Begin Hour<br />
Service Pack Download<br />
End Hour<br />
Welcome Message <strong>Policies</strong><br />
VALUE RANGE AND<br />
DEFAULT<br />
1-1024<br />
characters<br />
VALUE RANGE<br />
AND DEFAULT<br />
Set the time to download service packs. 0-23<br />
Default: 0<br />
Set the time to stop downloading any<br />
service pack.<br />
0-23<br />
Default: 0<br />
Policies governing whether to send a welcome message to users when they have been added to a group.<br />
TABLE 3-7. PolicyServer Welcome Message Policies<br />
| POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |<br />
| Message | Contains the welcome message file. | 1-1024 characters. Default: N/A |<br />
| SMTP Server Name | Specify the SMTP server responsible for sending welcome email messages. | 1-255 characters. Default: N/A |<br />
| Source Email | Specify the email address that is used as the source email address for welcome email message. | 1-255 characters. Default: N/A |<br />
| Subject | The Welcome message subject line. | 1-255 characters. Default: N/A |<br />
Full Disk Encryption Policies<br />
This section explains the configurable options for all policies affecting Full Disk Encryption clients.<br />
Common Policies<br />
Common policies affecting Full Disk Encryption, including logging in, uninstalling Full Disk Encryption, and locking devices.<br />
TABLE 3-8. Full Disk Encryption Common Policies<br />
| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |<br />
| Client | Allow User to Uninstall | Specify whether user can uninstall Full Disk Encryption. | Yes, No. Default: No |<br />
| Login | Account Lockout Action | Specify the action to be taken when the device has failed to communicate with the PolicyServer as specified in the policy Account Lockout Period. • Erase: All content on the device is wiped. • Remote Authentication: Require user to perform remote authentication. | Erase, Remote Authentication. Default: Remote Authentication |<br />
| Login | Account Lockout Period | Specify the number of days that the client may be out of communication with the PolicyServer. | 0-999. Default: 360 |<br />
| Login | Dead Man Switch | Specify a sequence of characters that, when entered, will erase all contents on the device. | 1-255 characters. Default: N/A |<br />
| Login | Device Locked Action | Specify the action to be taken when the device locks. • Time Delay: The amount of time that must elapse before the user can retry logging on. • Erase: All content on the device is wiped. • Remote Authentication: Require user to perform remote authentication. | Time Delay, Erase, Remote Authentication. Default: Time Delay |<br />
| Login | Failed Login Attempts Allowed | Specify the number of failed Login attempts before using Lock Device Time Delay. | 0-100. Default: 5 |<br />
| Login > If Found | If Found | Specify information to be displayed. | 1-255 characters. Default: N/A |<br />
| Login | Legal Notice | Specify whether a legal notice should be displayed. | Enable/Disable. Default: Disabled |<br />
| Login > Legal Notice | Legal Notice Display Time | Specify when the configured legal notice should be displayed to the user. | Installation, Startup. Default: Startup |<br />
| Login > Legal Notice | Legal Notice Text | Specify the body of the legal notice. | Insert File. Default: N/A |<br />
| Login | Lock Device Time Display | Lock device for X minutes if user exceeds Failed Attempts Allowed. | 1-999,999. Default: 1 |<br />
| Login | Preboot Bypass | Specify if the preboot should be bypassed. | Yes, No. Default: No |<br />
| Login > Support Info | Support Info | Display Help Desk information or administrator contact. | Default: N/A |<br />
PC Policies<br />
Policies governing devices or laptops running Full Disk Encryption.<br />
TABLE 3-9. Full Disk Encryption PC Policies<br />
| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |<br />
| Client | Allow User Recovery | Specify if users are allowed to access system recovery utilities on the device. | Yes, No. Default: No |<br />
| Encryption | Encrypt Device | Specify whether the device should be encrypted. | Yes, No. Default: Yes |<br />
| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |<br />
| Login | Token Authentication | Policy related to physical tokens including smart cards and USB tokens. All sub-policies are visible only when Token Authentication is enabled. | Enable, Disable. Default: Disable |<br />
| Login > Token Authentication | OCSP Validation | Verifying certificates via OCSP allows for the revocation of invalid certificates via the CA. Note: All sub-policies are visible only when OCSP Validation is Enabled. | Enable, Disable. Default: Disable |<br />
| Login > Token Authentication > OCSP Validation | OCSP CA Certificates | Certificate Authority certificates. | 0-1024 bytes. Default: N/A |<br />
| Login > Token Authentication > OCSP Validation | OCSP Expired Certificate Status Action | Defines the action to take if the OCSP certificate status is expired. | Time Delay, Erase, Remote Authentication, Denial of Login, Allow Access. Default: Denial of Login |<br />
| Login > Token Authentication > OCSP Validation | OCSP Grace | A grace period in days that allows authentication to occur even if the OCSP server has not verified the certificate in this number of days. | 0-365. Default: 7 |<br />
| Login > Token Authentication > OCSP Validation | OCSP Responders | Certificate Authority certificates. | Yes, No. Default: Yes |<br />
| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |<br />
| Login > Token Authentication > OCSP Validation > OCSP Responders | OCSP Responder Certificate | Certificate Authority Certificate | 0-1024 bytes. Default: N/A |<br />
| Login > Token Authentication > OCSP Validation > OCSP Responders | OCSP Responder URL | Certificate Authority certificates. | 0-1024 bytes. Default: N/A |<br />
| Login > Token Authentication > OCSP Validation | OCSP Revoked Certificate Status Action | Defines the action to take if the OCSP certificate status is revoked. | Time Delay, Erase, Remote Authentication, Denial of Login, Allow Access. Default: Denial of Login |<br />
| Login > Token Authentication > OCSP Validation | OCSP Show Success | Whether success of OCSP reply should be displayed. | Yes, No. Default: Yes |<br />
| Login > Token Authentication > OCSP Validation | OCSP Unknown Certificate Status Action | Specify the action when an OCSP certificate status is unknown. | Time Delay, Erase, Remote Authentication, Denial of Login, Allow Access. Default: Denial of Login |<br />
| Login | Token Passthru | Pass the token to the desktop GINA for further processing during the boot process. | Yes, No. Default: No |<br />
| Password | Authentication Methods Allowed | Specify the allowed type(s) of authentication methods that can be used. | Fixed, ColorCode, Pin, Remote, RSA. Default: Fixed |<br />
PPC Policies<br />
Policies governing pocket Full Disk Encryption PPC devices.<br />
TABLE 3-10. Full Disk Encryption PPC Policies<br />
| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |<br />
| Encryption | PPC Encrypt Appointments | Specify whether the Appointments database should be encrypted on the PPC device. | Yes, No. Default: Yes |<br />
| Encryption | PPC Encrypt Contacts | Specify whether the Contacts database should be encrypted on the PPC device. | Yes, No. Default: Yes |<br />
| Encryption | PPC Encrypt Device | Specify whether all external media and internal storage on the PPC device is encrypted. | Yes, No. Default: Yes |<br />
| Encryption | PPC Encrypt Email | Specify whether the Email database is encrypted on the PPC device. | Yes, No. Default: Yes |<br />
| Encryption | PPC Encrypt Other Databases | Specify a list of databases to be encrypted on the PPC device. | 1-255 characters. Default: N/A |<br />
| Encryption > PPC Encrypt Other Databases | PPC Encrypt Tasks | Specify whether the Tasks database should be encrypted on the PPC device. | Yes, No. Default: Yes |<br />
| PPC | Logging | Policies defining the log file on the PPC device. | |<br />
| Logging | PPC Log File Size | Specify the size of the log file on the PPC device (measured in kilobytes). | 5-512. Default: 512 |<br />
| Login | Allow Emergency Call | Specify whether the user may make emergency phone calls from their device. | Yes, No. Default: No |<br />
| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |<br />
| Login | PPC Account Lockout Action | Specify the action to be taken when the device has failed to communicate with the PolicyServer as specified in the policy Account Lockout Period. Actions are: • Erase: All content on the device is wiped. • Remote Authentication: Require user to perform remote authentication. | Erase, Remote Authentication. Default: Remote Authentication |<br />
| Login | PPC Device Timeout | Specify the number of minutes that the authentication screen appears while inactive. | 0-60. Default: 1 |<br />
| Login | PPC Launch After logon | Specify an application to be launched on the device after a successful authentication. | 1-255 characters. Default: N/A |<br />
| Password | PPC Authentication Methods | Specify the allowed authentication methods on the PPC device. | Fixed, Colorcode, Pin, Remote. Default: Fixed |<br />
| PPC | PPC Erase Media on Wipe | Device wipe erases data on mounted media. | Yes, No. Default: No |<br />
FileArmor Policies<br />
This section explains the configurable options for all enterprise policies affecting FileArmor clients.<br />
Computer Policies<br />
Policies governing installation privileges on devices with FileArmor installed.<br />
TABLE 3-11. FileArmor Computer Policies<br />
| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |<br />
| Computer | Allow User to Uninstall | This policy specifies whether a user other than an Administrator can uninstall the endpoint application. | Yes, No. Default: Yes |<br />
Encryption Policies<br />
Policies governing how encryption is handled on FileArmor devices.<br />
TABLE 3-12. FileArmor Encryption Policies<br />
| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |<br />
| | Allow Secure Delete | Specify whether to allow the user to delete files. | Yes, No. Default: Yes |<br />
| | Disable Optical Drive | Disable access to CD or DVD drives. | Yes, No. Default: No |<br />
| | Encryption Key Used | • User Key: choose a key unique to the user. • Group Key: choose a key unique to the group, so all users in the group will also have access to files. • Enterprise Key: choose a key unique to the enterprise, so all users in the enterprise will also have access to files. | User Key, Group Key, Enterprise Key. Default: Group Key |<br />
| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |<br />
| | Encryption Method Allowed | Choose which ways to encrypt files are allowed: 1. User Key 2. Group Key 3. User-created password 4. Digital Certificates | User’s Unique Key, Group Unique Key, Encrypt With Static Password, Encrypt With Certificate. Default: All |<br />
| Removable Media | Fully Encrypt Device | Specify whether all files/folders on removable media are encrypted. | Yes, No. Default: No |<br />
| Removable Media | Allow USB Devices | Specify permitted USB devices. | Any, KeyArmor. Default: Any |<br />
| Removable Media | Disable USB Drive | Disable the USB drive when not logged in, always disable, and never disable drive. | Always, Logged Out, Never. Default: Logged Out |<br />
| Removable Media | Folders to Encrypt on Removable Media | The drive letter is given and the policy value corresponds to a valid removable media device. Nonexistent folders are created. If no drive letter is given then all removable media devices attached to the device at login will use the policy values. | 1-255 characters. Default: N/A |<br />
| Removable Media | Fully Encrypt Device | Specify whether all files/folders on removable media are encrypted. | Yes, No. Default: No |<br />
| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |<br />
| | Specify Folders to Encrypt | List the folders that will be encrypted on the hard drive. Nonexistent folders are created. A valid drive letter to the hard drive must also be supplied. A valid policy value is: C:\EncryptedFolder. | 1-255 characters. Default: %DESKTOP%\FileArmor Encrypted |<br />
Login Policies<br />
Security policies governing logging on FileArmor.<br />
TABLE 3-13. FileArmor Login Policies<br />
| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |<br />
| | Authentication Methods Allowed | Specify the allowed type(s) of authentication that can be used. | Fixed, ColorCode, Pin, Smart Card, RSA. Default: Fixed |<br />
| | Device Locked Action | Action to be taken when the device is locked. | Time Delay, Remote Authentication. Default: Time Delay |<br />
| | Failed Login Attempts Allowed | Number of failed logon attempts before using Lock Device Time Delay. 0 allows for unlimited attempts. | 0-100. Default: 5 |<br />
| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |<br />
| Legal Notice | Legal Notice Display Time | Specify when the configured legal notice is displayed to the user. Note: Policy is only available for PolicyServer 3.1.3 (or newer) and a legal notice will not display to endpoints running FileArmor 3.1.3 or earlier. | Installation, Startup. Default: Startup |<br />
| Legal Notice | Legal Notice Text | Specify the body of the legal notice. Note: Policy is only available for PolicyServer 3.1.3 (or newer) and a legal notice will not display to endpoints running FileArmor 3.1.3 or earlier. | Insert File. Default: N/A |<br />
| | Lock Device Time Delay | Lock device for X minutes if user exceeds Failed Attempts Allowed. | 0-999,999. Default: 1 |<br />
Password Policies<br />
Policies governing FileArmor passwords.<br />
TABLE 3-14. FileArmor Password Policies<br />
| POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |<br />
| Force Talking to Server | Makes FileArmor talk to the server after X amount of days. 0 will make FileArmor standalone. | 0-999. Default: 360 |<br />
| POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |<br />
| Physical Token Required | Make users use a physical token (smart cards) to log on. | Yes, No. Default: No |<br />
MobileSentinel Policies<br />
This section explains the configurable options for MobileSentinel. Full Disk Encryption uses MobileSentinel policies.<br />
Common Policies<br />
Policies for all devices using MobileSentinel.<br />
TABLE 3-15. MobileSentinel Common Policies<br />
| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |<br />
| Common | Compliance | Compliance policies for all devices. | |<br />
| Common > Compliance | Synchronization Timeout | Specify the number of days that allows a wireless device not to synchronize with the PolicyServer. The device will be forced to communicate to the PolicyServer for synchronization when the specified number of days has been reached. | 0-65,535 days. Default: 1 |<br />
| Common | Network Compliance | Specify access to corporate network resources by ensuring that devices comply with company policy. | |<br />
| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |<br />
| Common > Network Compliance | Compliance Network Address | Specify the IP address of the network that allows the device to resynchronize with PolicyServer when out of compliance. When a device is out of compliance this will be the only network that the device can access until the device has been brought back into compliance. | 1-225 characters. Default: N/A |<br />
| Common > Network Compliance | Compliance Network NetMask | Specify the netmask address for the compliance network address (Compliance Network Address policy). This mask and the address will be used to limit devices from accessing network resources outside of the entered values until the device has been brought into compliance. | 1-225 characters. Default: N/A |<br />
| Common > Network Compliance | Compliance Server Address | Specify the address of the PolicyServer that will be used as the host for the wireless devices in this group. The server address for wireless devices is the server that devices call back; when a synchronization request is received by the device or when the device detects that it must synchronize with the server to ensure that policies have been updated. | 1-225 characters. Default: N/A |<br />
PPC Policies<br />
Policies specific to the MobileSentinel PC device.<br />
TABLE 3-16. MobileSentinel PPC Policies<br />
| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |<br />
| PPC | Compliance | Specific policies for the PPC device. | |<br />
| PPC > Compliance | PPC Compliance Object List | Specify objects required on the PPC device. Network routing will be limited to the compliance network if these objects are not present on the device. | |<br />
| PPC > PPC Compliance Object List | PPC Compliance Network Restriction | Determines whether to restrict network access if the device is found to be out of compliance. | Enable, Disable. Default: Disable |<br />
| PPC > PPC Compliance Object List | PPC Object Auto-Restore | Set policy value to Yes for automatic restoration of the object that is missing on the device. Set policy value to No to direct the user to the URL address specified in the policy PPC Remediation URL. | Yes, No. Default: Yes |<br />
| PPC > PPC Compliance Object List > PPC Object Auto-Restore | PPC Auto-Restore Object | Specify the object to be restored to the PPC device if the policy PPC Auto Restore has been enabled. | |<br />
| PPC > PPC Compliance Object List > PPC Object Auto-Restore | PPC Auto-Restore Object Run Flag | Specify the actions to be taken on the remediation object. | Copy, Run. Default: Copy |<br />
| PPC > PPC Compliance Object List | PPC Object Compliance Info | Specify information for users if the specified object is found to be out of compliance. | 1-255 characters. Default: N/A |<br />
| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |<br />
| PPC > PPC Compliance Object List | PPC Object Name | Specify the fully qualified path name for the compliance object. | 1-255 characters. Default: N/A |<br />
| PPC > PPC Compliance Object List | PPC Object Version | Specify the minimum version number for the compliance object. If this policy value is left blank, the object version will not be checked for compliance. | 1-255 characters. Default: N/A |<br />
| PPC > PPC Compliance Object List | PPC Remediation URL | Specify the Remediation URL address to be shown if the policy PPC Object Auto Restore is set to false. | 1-255 characters. Default: N/A |<br />
| PPC | Device Management | Policies specific to collecting device data. | |<br />
| PPC > Device Management | Collect Device Attributes Interval | Collect key pieces of information on hardware and software every X days; 0 = off. | 0-365 days. Default: 30 |<br />
| PPC > Device Management | Collect Directory Info Interval | Perform a snapshot of files and directories every X days; 0 = off. | 0-365 days. Default: 7 |<br />
| PPC | Disable Bluetooth | Disable/enable use of the BlueTooth radio. | Yes, No. Default: No |<br />
| PPC | PPC Disable New Applications | Disable/enable the addition of new applications via Windows Mobile installers. | Yes, No. Default: No |<br />
| PPC | PPC Disable New Applications | Disable/enable the addition of new applications via Windows Mobile installers. | Yes, No. Default: No |<br />
| PPC | PPC Disable OBEX | Disable/enable incoming Object Exchange via IR and BlueTooth. | Yes, No. Default: No |<br />
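The three Network Compliance policies in Table 3-15 depend on each other: an out-of-compliance device can reach only the network given by Compliance Network Address and Compliance Network NetMask, so the Compliance Server Address has to fall inside that network or the device cannot resynchronize. The Python check below is an added example, not Trend Micro code; it assumes IPv4 values, and its function names and finding codes are hypothetical.<br />

```python
import ipaddress


def prefix_from_netmask(netmask: str) -> int:
    """Return the prefix length of a contiguous IPv4 netmask.

    Raises ValueError for malformed or non-contiguous masks. Wildcard
    (host) masks such as 0.0.0.255 are rejected too, because the ipaddress
    module would otherwise silently read them as a /24.
    """
    mask = int(ipaddress.IPv4Address(netmask))
    inverted = ~mask & 0xFFFFFFFF
    # A valid mask is ones followed by zeros, so its inverse is 2**k - 1.
    if inverted & (inverted + 1):
        raise ValueError(f"non-contiguous netmask: {netmask}")
    return 32 - inverted.bit_length()


def quarantine_network(address: str, netmask: str) -> ipaddress.IPv4Network:
    """Network an out-of-compliance device stays limited to.

    Assumption: the product combines the two policy values as a plain
    address/netmask pair; the page does not document its parsing rules.
    """
    prefix = prefix_from_netmask(netmask)
    return ipaddress.IPv4Network(f"{address}/{prefix}", strict=False)


def audit_network_compliance(address: str, netmask: str, server: str) -> list:
    """Return hypothetical finding codes for one set of policy values.

    address -> Compliance Network Address
    netmask -> Compliance Network NetMask
    server  -> Compliance Server Address
    """
    try:
        network = quarantine_network(address, netmask)
    except ValueError:
        return ["INVALID_ADDRESS_OR_NETMASK"]

    findings = []
    if network.network_address != ipaddress.IPv4Address(address):
        # The address is a host inside the network, not the network itself.
        findings.append("HOST_BITS_SET")
    if network.prefixlen == 0:
        # A 0.0.0.0 mask matches every destination: nothing is restricted.
        findings.append("NO_RESTRICTION")
    try:
        server_ip = ipaddress.IPv4Address(server)
    except ValueError:
        # Host name: cannot be checked offline, and name resolution must
        # also work from inside the compliance network.
        findings.append("SERVER_NOT_IP_LITERAL")
    else:
        if server_ip not in network:
            # The device could never reach PolicyServer to resynchronize.
            findings.append("SERVER_OUTSIDE_NETWORK")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    samples = [
        ("10.20.30.0", "255.255.255.0", "10.20.30.5"),
        ("10.20.30.0", "255.255.255.0", "10.20.31.5"),
        ("10.20.30.0", "0.0.0.255", "10.20.30.5"),
    ]
    for address, netmask, server in samples:
        print(address, netmask, server, audit_network_compliance(address, netmask, server))
```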
KeyArmor Policies<br />
This section explains the configurable options for all enterprise policies governing KeyArmor devices.<br />
Antivirus Policies<br />
Security policies for antivirus control on KeyArmor devices.<br />
TABLE 3-17. KeyArmor Antivirus Policies<br />
| POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |<br />
| Infected File Action | Indicates what remediation action to take with any infected file found. | Delete File, Kill Device. Default: Delete File |<br />
| Repair Infected File First | Indicates whether or not to attempt to repair any infected files found before taking the action dictated by the Infected File Action policy. | Yes, No. Default: Yes |<br />
| Update Frequency | Sets the antivirus update frequency, in hours. A value of 0 means that updates will never be requested. | 0-9,999 hours. Default: 1 |<br />
| Update Source | A list of vendor server URLs to contact for updates, specified in order. If the list is empty, then the application-defined default location will be used. | 1-255 characters. Default: N/A |<br />
KeyArmor Security Policies<br />
Security policies to control KeyArmor.<br />
TABLE 3-18. KeyArmor policies<br />
| POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |<br />
| Dead Man Switch | Specify a sequence of characters which will erase all contents of the device when entered. | 1-255 characters. Default: N/A |<br />
| Inactivity Timeout | If the KeyArmor device is not accessed within X minutes, then log out of device. | 1-999. Default: 15 |<br />
Login Policies<br />
Security policies governing logging on KeyArmor.<br />
TABLE 3-19. KeyArmor Login Policies<br />
| POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |<br />
| Allow Only One User Per Device | This policy determines whether a single user or multiple users may access a device. A policy value of YES dictates only one user may have access to the device at a given time. Note: This policy does not impact Administrator or Authenticator roles. | Yes, No. Default: No |<br />
| Authentication Methods Allowed | Specify the allowed type(s) of authentication that can be used. | Fixed, ColorCode, Pin, Smart Card, RSA. Default: Fixed |<br />
| POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |<br />
| Device Locked Action | Specify the action to be taken when the device has failed to communicate with the PolicyServer as specified in the policy Lock Device Time Delay. | Erase, Remote Authentication, Time Delay. Default: Remote Authentication |<br />
| Failed Login Attempts Allowed | Number of failed logon attempts before using Lock Device Time Delay. 0 allows for unlimited attempts. | 0-100. Default: 5 |<br />
| Lock Device Time Delay | Lock device for X minutes if user exceeds Failed Attempts Allowed. | 1-999,999. Default: 5 |<br />
| Password Synchronization | This policy determines whether users of a group may establish a password and use it on other devices without the need to register via a one-time password. This policy only impacts passwords of type Fixed, PIN, ColorCode, and Certificates. Third party password schemas such as Microsoft Windows domain passwords and RSA SecurID are not affected. | Yes, No. Default: No |<br />
Notice Message Policies<br />
Messages to be displayed to KeyArmor device users.<br />
TABLE 3-20. KeyArmor Notice Messages Policies<br />
| POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |<br />
| If Found | Specify information to be displayed on the device during the device lock out. | 1-4096 characters. Default: N/A |<br />
| Legal Notice | Legal Notice(s) to display to user. | Insert File with 1-255 characters. Default: N/A |<br />
POLICY NAME DESCRIPTION<br />
Show Legal Notice<br />
on Insertion<br />
Select whether a notice is displayed<br />
to the user as the first screen when<br />
the KeyArmor device is inserted in a<br />
device.<br />
Support Info Display <strong>Help</strong> Desk information or<br />
Administrator contact information.<br />
PolicyServer Connection <strong>Policies</strong><br />
<strong>Policies</strong> for connecting to PolicyServer with KeyArmor devices.<br />
TABLE 3-21. PolicyServer Connection <strong>Policies</strong><br />
POLICY NAME DESCRIPTION<br />
Action Due to No<br />
Contract<br />
Must Be Connected<br />
to PolicyServer<br />
Offline Time Before<br />
Forced Connection<br />
Secondary Action<br />
Due to No Contract<br />
Secondary Action<br />
Period<br />
Action to perform when KeyArmor device<br />
has not connected to the PolicyServer<br />
within the time specified by Offline Time<br />
Before Forced Connection.<br />
Force User to Connect to PolicyServer to<br />
access files on USB.<br />
The amount of time in days before user<br />
must connect to PolicyServer. 0 indicates<br />
KeyArmor device does not need to<br />
connect to the PolicyServer.<br />
Action to perform when KeyArmor device<br />
has not authenticated against the<br />
PolicyServer and has passed the<br />
Secondary Action Period.<br />
Secondary Time Period in X amount of<br />
Days, before the Secondary Action is<br />
Enforced.<br />
Understanding <strong>Policies</strong><br />
VALUE RANGE AND<br />
Yes, No<br />
Default: No<br />
DEFAULT<br />
1 - 4096 characters<br />
Default: N/A<br />
VALUE RANGE AND<br />
DEFAULT<br />
Time Delay, Remote<br />
Authentication, Wipe<br />
Default: Remote<br />
Authentication<br />
Yes, No<br />
Default: No<br />
0 - 999<br />
Default: 360<br />
Wipe, Remote<br />
Authentication, None<br />
Default: None<br />
0 - 999<br />
Default: 0<br />
3-35
DriveArmor <strong>Policies</strong><br />
This section explains the configurable options for all enterprise policies affecting <strong>Full</strong><br />
<strong>Disk</strong> <strong>Encryption</strong> clients.<br />
Important<br />
DriveArmor policies are only available in PolicyServer 3.1.3 if PolicyServer was upgraded<br />
from a previous version which had DriveArmor policies configured.<br />
Authentication <strong>Policies</strong><br />
<strong>Policies</strong> that govern authentication on DriveArmor devices.<br />
TABLE 3-22. DriveArmor Authentication <strong>Policies</strong><br />
CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT<br />
Local Login | Allowed Authentication Methods | Specify the allowed type(s) of authentication methods that can be used. | Fixed, Colorcode, PIN. Default: All<br />
Local Login | Device Locked Action | Specify the action to be taken when the device locks. Actions are: Erase (all content on the device is wiped); Remote Authentication (require user to perform a remote authentication); Time Delay (take the Lock Device Time Delay policy action). | Time Delay, Erase, Remote Authentication. Default: Time Delay<br />
Local Login | Failed Attempts Allowed | Specify the number of failed logon attempts before using Lock Device Time Delay. | 0-255. Default: 10<br />
Local Login | Lock Device Time Delay | Lock device for X minutes if user exceeds Failed Attempts Allowed policy rules. | 1-1000000. Default: 1<br />
Authentication | Network Login | Specify policies regarding Authentication to the device that may include the network. |<br />
Network Login | RSA Authentication | Specify if users will be verified against an RSA ACE server using SecurID. | Yes, No. Default: No<br />
Authentication | Token Authentication | Verifying certificates via OCSP allows for the revocation of invalid certificates via the CA. Sub-policies are only visible when this policy is enabled. | Yes, No. Default: N/A<br />
Token Authentication | OCSP Validation | Verifying certificates via OCSP allows for the revocation of invalid certificates via the CA. Sub-policies are only visible when this policy is enabled. | Yes, No. Default: N/A<br />
Token Authentication > OCSP Validation | OCSP CA Certificates | Certificate Authority certificates. | 0-1024. Default: N/A<br />
Token Authentication > OCSP Validation | OCSP Responders | Certificate Authority certificates. | Yes, No. Default: Yes<br />
OCSP Validation > OCSP Responders | OCSP Responder Certificate | Certificate Authority certificates. | 0-1024. Default: N/A<br />
OCSP Validation > OCSP Responders | OCSP Responder URL | Certificate Authority certificates. | 0-1024. Default: N/A<br />
Token Authentication | Token Passthru | Pass the token to the desktop GINA for further processing during the boot process. | Yes, No. Default: No<br />
Note<br />
OCSP stands for <strong>Online</strong> Certificate Status Protocol.<br />
Communications <strong>Policies</strong><br />
Specify policies that govern DriveArmor communication and information.<br />
TABLE 3-23. DriveArmor Communications <strong>Policies</strong><br />
CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT<br />
Communications | Account Lockout Action | Specify the action to be taken when the device has failed to communicate with the PolicyServer as specified in the policy Account Lockout Period. Actions are: Erase (all contents on the device will be wiped); Remote Authentication (require the user to perform a remote authentication); Ignore (do not take any action). | Erase, Remote Authentication, Ignore. Default: Ignore<br />
Communications | Account Lockout Period | Specify the number of days that the client may be out of communication with the PolicyServer. | 0-1000000. Default: 360<br />
Communications | Information | Specify policies that provide information to the user. |<br />
Information | IF Found | Specify information to be displayed on the device during the device lock out. | 1-1024 characters. Default: N/A<br />
Information | Legal Notice | Specify whether a legal notice should be displayed. |<br />
Information > Legal Notice | Legal Notice Display Time | Specify when the configured legal notice should be displayed to the user. | Installation, Startup. Default: Startup<br />
Information > Legal Notice | Legal Notice Text | Specify the body of the legal notice. | Insert File. Default: N/A<br />
Information | Support Info | Display <strong>Help</strong> Desk information or Administrator contact information. | 1-1024 characters. Default: N/A<br />
Communications | Sync Interval | Specify how often (in minutes) DriveArmor attempts to communicate to the PolicyServer from the device to receive updated information. | 0-1000000. Default: 120<br />
Device <strong>Policies</strong><br />
Specify policies that govern generic actions to the device with DriveArmor installed.<br />
TABLE 3-24. DriveArmor Device <strong>Policies</strong><br />
POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT<br />
Allow User Administration Access | Specify if users are allowed to access system administration utilities on the device. | Yes, No. Default: No<br />
Allow User To Uninstall | Specify whether a standard DriveArmor user can uninstall DriveArmor. | Yes, No. Default: No<br />
Dead Man Switch | Specify a sequence of characters that, when entered, will destroy the device. | 1-255 characters. Default: N/A<br />
Preboot Bypass | Specify if the preboot should be bypassed. | Yes, No. Default: No<br />
Common <strong>Policies</strong><br />
This section explains the configurable options for all enterprise policies affecting all<br />
Endpoint <strong>Encryption</strong> products.<br />
Agent Policy<br />
TABLE 3-25. Common Agent <strong>Policies</strong><br />
POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT<br />
Sync Interval | Specify how often (in minutes) the application communicates to PolicyServer from the device to receive updated information. | 1-1440. Default: 30<br />
Authentication <strong>Policies</strong><br />
Specify policies that govern authentication on devices from all Endpoint <strong>Encryption</strong><br />
applications.<br />
TABLE 3-26. Common Authentication <strong>Policies</strong><br />
CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT<br />
Local Login | Admin Password | Specify policies regarding Authentication local to the device only. |<br />
Local Login > Admin Password | Allowed Character Types | Specify whether passwords can contain alpha, numeric, special or a combination. | Alpha, Numeric, Special. Default: All<br />
Local Login > Admin Password | Can Contain User Name | Specify if the user name can be contained in the password. | Yes, No. Default: Yes<br />
Local Login > Admin Password | Consecutive Characters Allowed | Specify the number of consecutive characters allowed in a password. | 0-255. Default: 3<br />
Local Login > Admin Password | Minimum Length | Specify the minimum length allowed for passwords. | 0-255. Default: 6<br />
Local Login > Admin Password | Password History Retention | Specify the number of past passwords the user is not allowed to use. | 0-255. Default: 0<br />
Local Login > Admin Password | Require How Many Characters | Specify the number of alpha characters that must be used in a password. | 0-255. Default: 0<br />
Local Login > Admin Password | Require How Many Lower Case Characters | Specify the number of lower case characters that must be used in a password. | 0-255. Default: 0<br />
Local Login > Admin Password | Require How Many Numbers | Specify the number of numeric characters that must be used in a password. | 0-255. Default: 0<br />
Local Login > Admin Password | Require How Many Special Characters | Specify the number of special characters that must be used in a password. | 0-255. Default: 0<br />
Local Login > Admin Password | Require How Many Upper Case Characters | Specify the number of upper case characters that must be used in a password. | 0-255. Default: 0<br />
Local Login | Self <strong>Help</strong> | Specify the policies that are used for Self <strong>Help</strong>. |<br />
Local Login > Self <strong>Help</strong> | Number of Questions | Specify the number of questions required to be answered correctly to authenticate the user. | 1-6. Default: 1<br />
Local Login > Self <strong>Help</strong> | Personal Challenge | Specify the personal challenge question(s) used for Self <strong>Help</strong>. | 1-1024. Default: N/A<br />
Local Login | User Password | Specify the policies that are used for User Passwords. |<br />
Local Login > User Password | Allow Offline Password Change | Specify if users can change their password when not connected to the PolicyServer. | Yes, No. Default: No<br />
Local Login > User Password | Allowed Character Types | Specify whether passwords can contain alpha, numeric, special or a combination. | Alpha, Numeric, Special. Default: All<br />
Local Login > User Password | Can Contain User Name | Specify if the user name can be contained in the password. | Yes, No. Default: Yes<br />
Local Login > User Password | Change Password Every | Specify (in days) when to force a user to change their password. | 1-1000000. Default: 60<br />
Local Login > User Password | Consecutive Characters Allowed | Specify the number of consecutive characters allowed in a password. | 0-255. Default: 3<br />
Local Login > User Password | Minimum Length | Specify the minimum length allowed for passwords. | 0-255. Default: 6<br />
Local Login > User Password | Password History Retention | Specify the number of past passwords the user is not allowed to use. | 0-255. Default: 0<br />
Local Login > User Password | Require How Many Characters | Specify the number of alpha characters that must be used in a password. | 0-255. Default: 0<br />
Local Login > User Password | Require How Many Lower Case Characters | Specify the number of lower case characters that must be used in a password. | 0-255. Default: 0<br />
Local Login > User Password | Require How Many Numbers | Specify the number of numeric characters that must be used in a password. | 0-255. Default: 0<br />
Local Login > User Password | Require How Many Special Characters | Specify the number of special characters that must be used in a password. | 0-255. Default: 0<br />
Local Login > User Password | Require How Many Upper Case Characters | Specify the number of upper case characters that must be used in a password. | 0-255. Default: 0<br />
Local Login > User Password | User Name Case Sensitive | Specify if the user name is case sensitive. | Yes, No. Default: No<br />
Network Login | Distinguished Name | Optional: Specify the distinguished name of the authentication server. If no Distinguished Name is specified, this will default to the LDAP server Default Naming Convention. | 1-255. Default: N/A<br />
Network Login | Domain Authentication | Specifies if the Windows credentials should be used to authenticate. | Yes, No. Default: No<br />
Network Login | Domain Name | NetBIOS name of the domain for Single Sign On. Default is NetBIOS value used by the PolicyServer. | 1-255. Default: N/A<br />
Network Login | Host Name | Specify the hostname. The hostname can be a domain name. | 1-255. Default: N/A<br />
Network Login | Port Number | Optional: 0 = use default. Specifies the port to be used for the connection. If no port number is specified, the LDAP provider uses the default port number. | 0-65535. Default: 0<br />
Network Login | Server Type | Type of server used to authenticate client user requests. | LDAP, LDAProxy. Default: LDAP<br />
Authentication | Remember User Between Login | Remember last used user name and display it in the authentication screen. | Yes, No. Default: Yes<br />
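The User Password rows of Table 3-26 act as a checklist that each candidate password must pass. The following Python model is an added example, not PolicyServer code: it uses the table's defaults, and it assumes that Consecutive Characters Allowed caps the longest run of one repeated character (0 meaning no cap), that "special" means any character that is neither a letter nor a digit, and that the user-name check ignores case.<br />

```python
from dataclasses import dataclass

# Added example: a model of the Table 3-26 "Local Login > User Password"
# composition policies. Field defaults are the defaults listed in the table.
# Assumptions (not stated in the guide): "special" is any character that is
# neither a letter nor a digit; Consecutive Characters Allowed is the longest
# permitted run of one repeated character, with 0 meaning no limit; the
# user-name check ignores case. Password History Retention is not modeled.


@dataclass(frozen=True)
class UserPasswordPolicy:
    allowed_character_types: frozenset = frozenset({"alpha", "numeric", "special"})
    can_contain_user_name: bool = True
    consecutive_characters_allowed: int = 3
    minimum_length: int = 6
    require_characters: int = 0   # "Require How Many Characters" (alpha)
    require_lower_case: int = 0
    require_numbers: int = 0
    require_special: int = 0
    require_upper_case: int = 0


def char_type(ch):
    if ch.isalpha():
        return "alpha"
    if ch.isdigit():
        return "numeric"
    return "special"


def longest_run(text):
    """Length of the longest run of one repeated character."""
    best = run = 0
    previous = None
    for ch in text:
        run = run + 1 if ch == previous else 1
        best = max(best, run)
        previous = ch
    return best


def violations(password, user_name, policy):
    """Return the names of the policies that the candidate password breaks."""
    counts = {"alpha": 0, "numeric": 0, "special": 0}
    for ch in password:
        counts[char_type(ch)] += 1
    lower = sum(ch.islower() for ch in password)
    upper = sum(ch.isupper() for ch in password)

    broken = []
    if any(n and kind not in policy.allowed_character_types
           for kind, n in counts.items()):
        broken.append("Allowed Character Types")
    if (not policy.can_contain_user_name and user_name
            and user_name.casefold() in password.casefold()):
        broken.append("Can Contain User Name")
    limit = policy.consecutive_characters_allowed
    if limit and longest_run(password) > limit:
        broken.append("Consecutive Characters Allowed")
    if len(password) < policy.minimum_length:
        broken.append("Minimum Length")
    minimums = [
        ("Require How Many Characters", counts["alpha"], policy.require_characters),
        ("Require How Many Lower Case Characters", lower, policy.require_lower_case),
        ("Require How Many Numbers", counts["numeric"], policy.require_numbers),
        ("Require How Many Special Characters", counts["special"], policy.require_special),
        ("Require How Many Upper Case Characters", upper, policy.require_upper_case),
    ]
    broken.extend(name for name, have, need in minimums if have < need)
    return broken


DEFAULTS = UserPasswordPolicy()
# A tightened policy chosen for illustration; the values are not from the guide.
STRICTER = UserPasswordPolicy(can_contain_user_name=False, minimum_length=12,
                              require_numbers=1, require_special=1,
                              require_upper_case=1)

if __name__ == "__main__":
    # Constructed candidates, evaluated against both policies.
    for candidate in ("aaabbb", "aaaab1", "jsmith2024"):
        print(candidate, violations(candidate, "JSmith", DEFAULTS),
              violations(candidate, "JSmith", STRICTER))
```

Running the same candidates through both policies shows which table settings actually change the outcome when the defaults are tightened.<br />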
Chapter 4<br />
Working with Groups, Users, and<br />
Devices<br />
Endpoint <strong>Encryption</strong> utilizes both role-based and identity-based authentication to<br />
secure the data on endpoints. Configuring users, groups, and devices correctly ensures<br />
that data remains encrypted for unauthorized users, reducing the risk of data loss from<br />
accidental information release or deliberate sabotage.<br />
This chapter covers the following topics:<br />
• Working with Groups<br />
• Working with Offline Groups<br />
• Working with Users<br />
• Working with Passwords<br />
• Working with Devices<br />
Working with Groups<br />
Groups are managed in the PolicyServer MMC, and consist of the following types:<br />
TABLE 4-1. PolicyServer Group Types<br />
GROUP | DESCRIPTION<br />
Top Groups | The highest level of groups under the enterprise. Each top group has a unique node underneath the enterprise.<br />
Subgroups | Groups created within a top group. A subgroup will inherit the policies of its parent group.<br />
Note<br />
• Policy inheritance only occurs when a subgroup is created.<br />
• Policy changes to a top level group do not filter down to existing subgroups.<br />
• Subgroup policies cannot be more permissive than the parent group's.<br />
• Subgroups inherit all existing policies of the parent group. However, Administrators<br />
must add users and devices separately.<br />
• Adding a user to a subgroup does not automatically add the user to the top group.<br />
However, you can add a user to both the top group and subgroup.<br />
Adding a Top Group<br />
Groups simplify managing enabled applications, users, policies, subgroups, and devices.<br />
A Top Group is the highest level group.<br />
Note<br />
Enterprise Administrator/Authenticator accounts cannot be added to groups. To create a<br />
Group Administrator, add a user and change his/her permissions within the group.<br />
Procedure<br />
1. Right-click the enterprise name in the left pane, and click Add Top Group.<br />
FIGURE 4-1. Adding a Top Group<br />
The Add New Group screen appears.<br />
2. Provide the name and a description for the group.<br />
3. Only select Support Legacy Devices if using legacy devices that do not support<br />
Unicode encoding. Some legacy devices may not be able to communicate with<br />
PolicyServer using Unicode. Assign Unicode and legacy devices to different groups.<br />
FIGURE 4-2. Add New Group<br />
4. Click Apply.<br />
5. At the confirmation message, click OK.<br />
The new group is added to the tree structure in the left pane.<br />
Adding a Subgroup<br />
Subgroups inherit all existing policies of the parent group. However, Administrators<br />
must add users and devices separately.<br />
Procedure<br />
1. Right-click a group in the left pane tree structure, and then click Add.<br />
The Add New Group window appears.<br />
2. Follow the steps in Adding a Top Group on page 2-5, but in the first step.<br />
The new group is added to the tree structure inside the Top Group’s hierarchy.<br />
Modifying a Group<br />
Procedure<br />
1. Right-click a group in the left pane tree structure, and then click Modify.<br />
The Modify Group screen appears.<br />
2. Specify changes and click Apply.<br />
Removing a Group<br />
Use the tree structure to remove a group. Removing a Top Group will also remove all<br />
subgroups.<br />
Procedure<br />
1. Right-click a group in the left pane tree structure, and then click Remove.<br />
A PolicyServer Warning message appears.<br />
2. Click Yes to remove the group.<br />
The selected group no longer appears in the tree structure.<br />
Working with Offline Groups<br />
An offline group is a group of endpoint clients that did not connect to PolicyServer<br />
during installation. The group’s policies, users, and devices can be exported to a file and<br />
delivered to the offline clients. When the group requires changes, the changes must be<br />
exported to a new file and again delivered to the offline endpoint client.<br />
<strong>Policies</strong> are automatically updated when an offline endpoint client connects to<br />
PolicyServer.<br />
WARNING!<br />
For <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> clients that will never connect to PolicyServer, perform an<br />
unmanaged installation instead. No offline group is required because policies are managed<br />
using Recovery Console.<br />
Creating an Offline Group<br />
Groups can be exported to allow for <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> and FileArmor installation<br />
on devices that do not need to or cannot communicate with PolicyServer. The client<br />
application installation files must be available from the server on which PolicyServer is<br />
installed.<br />
Note<br />
Exported groups must contain at least one user. The group name must also be<br />
alphanumeric only.<br />
WARNING!<br />
Offline groups only work for DataArmor SP7 and below. For <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> clients<br />
that will not connect to PolicyServer, perform an unmanaged installation instead. <strong>Policies</strong><br />
are managed using Recovery Console.<br />
Procedure<br />
1. From the left pane, right-click the group and then select Export.<br />
The PolicyServer Export Group Wizard appears.<br />
FIGURE 4-3. PolicyServer Exporting Group Wizard<br />
2. Select Create off-line devices, specify export location and export password, and<br />
then click Next.<br />
Note<br />
The export password is used to authenticate the executable on the endpoint client.<br />
3. Click Add... to browse to and upload Endpoint <strong>Encryption</strong> client installers.<br />
TABLE 4-2. Endpoint <strong>Encryption</strong> Installation Filenames<br />
INSTALLATION FILE | PURPOSE<br />
DataArmorInstaller.exe | Installs older versions of <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> client application: DataArmor. DataArmor 3.0.12.861 or below will work with off-line groups. For details about managed installations, see the Installation Guide.<br />
TMFDEInstall.exe | Installs the <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> client application. This will not work for off-line devices. For details about managed installations, see the Installation Guide.<br />
FASetup.msi | Installs the FileArmor client application for 32-bit operating systems.<br />
FASetup(x64).msi | FileArmor client application for 64-bit operating systems.<br />
Add as many installers as needed. For example, a group might require both <strong>Full</strong><br />
<strong>Disk</strong> <strong>Encryption</strong> and FileArmor.<br />
4. Click Next.<br />
5. Depending on the license type, specify the number of devices to be installed on.<br />
The number of available licenses is reduced with every device.<br />
6. Optionally specify a Device Name Prefix. PolicyServer uses the device prefix<br />
number to generate a unique Device ID and device encryption key for each device<br />
in this group.<br />
7. Click Next.<br />
The offline group build begins.<br />
8. Click Done to generate the export file at the specified location.<br />
A generated executable file named Export is created on the desktop. Use this to<br />
distribute group changes to offline clients.<br />
Updating an Offline Group<br />
Follow these steps to create an update for an offline group.<br />
WARNING!<br />
For <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> clients that will not connect to PolicyServer, perform an<br />
unmanaged installation instead. <strong>Policies</strong> are managed using Recovery Console.<br />
Procedure<br />
1. From the left pane, right-click the group, and then select Export.<br />
The PolicyServer Export Group Wizard displays.<br />
2. Select Create off-line devices.<br />
3. Specify the export password.<br />
Note<br />
The export password is used to authenticate the executable on the endpoint client.<br />
4. Click Browse to specify a location to store the<br />
5. Click Next.<br />
The offline group build begins.<br />
6. Click Done.<br />
The export file is generated at the specified location.<br />
7. Install the software on the device using the generated executable or script. For<br />
details, see the Endpoint <strong>Encryption</strong> Installation Guide.<br />
Working with Users<br />
To provide identity-based authentication, Endpoint <strong>Encryption</strong> offers a number of<br />
different user levels and supports adding or importing users, assigning users to groups,<br />
managing users, and removing users.<br />
Add Users to PolicyServer<br />
Use the following methods to add users to Endpoint <strong>Encryption</strong>:<br />
• Add users manually, one at a time<br />
• Bulk import numerous users with a CSV file<br />
• Use an External Directory Browser with Active Directory<br />
Adding a New Enterprise User<br />
Note<br />
• Adding a user to the enterprise does not assign the user to any groups.<br />
• Adding a user to a group adds the user to the group and to the enterprise.<br />
Procedure<br />
1. Expand the Enterprise and open Users.<br />
2. Right-click whitespace in the right pane and select Add User.<br />
The Add New User screen displays.<br />
FIGURE 4-4. Add New User Screen<br />
3. Specify user information. User name, first name, and last name are required.<br />
4. Only select Freeze if the account should be temporarily disabled. While frozen, the<br />
user is unable to log on to devices.<br />
5. Use the User Type field to set the privileges of the new account. Enterprise<br />
Administrators and Authenticators cannot be added to groups.<br />
6. Select One Group to prevent the user from belonging to multiple groups.<br />
7. Select the Authentication Method.<br />
Note<br />
The default authentication method for users is None.<br />
8. Click OK.<br />
The new user is added to this PolicyServer Enterprise. The user cannot log on to a<br />
device until he/she is added to a group.<br />
Importing Users from a CSV File<br />
Use a Comma Separated Values (CSV) file to import multiple users simultaneously.<br />
Use the following format:<br />
user name (required), first name, last name, employee ID, email<br />
address.<br />
Include a comma for fields with no data.<br />
Note<br />
When using the Bulk Import Users function, all users in the file are added to the same<br />
group. Create a file for each group of users to import.<br />
Procedure<br />
1. Expand the group in the left pane and then click Users.<br />
2. Right-click whitespace in the right pane, and select Bulk Import Add Users.<br />
The open file window appears.<br />
3. Go to the CSV file and click Open.<br />
4. At the confirmation, click OK.<br />
The users in your file are added to the group and the Enterprise.<br />
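A pre-import check for the CSV layout described above, as an added Python example that is not part of PolicyServer: it verifies that every record has the five fields in the stated order, that the required user name is present, and that no user name repeats. The sample data is constructed, and treating user names that differ only by case as duplicates is an assumption.<br />

```python
import csv
import io

# Field order given in "Importing Users from a CSV File"; only the user name
# is marked as required there.
FIELDS = ("user name", "first name", "last name", "employee ID", "email address")

# Constructed sample data (not from the guide).
SAMPLE = """\
jsmith,John,Smith,1001,jsmith@example.com
mlee,,,,
akhan,Aisha,Khan,1003
,Pat,Jones,1004,pjones@example.com
JSmith,Jane,Smith,1005,jane.smith@example.com
"""


def validate_import(text):
    """Return (accepted, problems) for the text of a bulk-import CSV file.

    accepted is a list of dicts keyed by FIELDS; problems is a list of
    (line number, message) pairs for records that should be fixed first.
    """
    accepted, problems = [], []
    first_seen = {}  # case-folded user name -> line where it first appeared
    reader = csv.reader(io.StringIO(text))
    for record in reader:
        line = reader.line_num
        if not record:  # blank line
            continue
        fields = [value.strip() for value in record]
        if len(fields) != len(FIELDS):
            # Usually a missing placeholder comma for a field with no data.
            problems.append(
                (line, f"expected {len(FIELDS)} fields, found {len(fields)}"))
            continue
        user_name = fields[0]
        if not user_name:
            problems.append((line, "user name is required"))
            continue
        # Assumption: user names that differ only by case are the same account.
        key = user_name.casefold()
        if key in first_seen:
            problems.append(
                (line, f"user name already used on line {first_seen[key]}"))
            continue
        first_seen[key] = line
        accepted.append(dict(zip(FIELDS, fields)))
    return accepted, problems


if __name__ == "__main__":
    accepted, problems = validate_import(SAMPLE)
    for line, message in problems:
        print(f"line {line}: {message}")
    print(f"{len(accepted)} record(s) ready to import")
```

Because every user in a file lands in the same group, run the check once per group file before opening it in the import dialog.<br />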
Importing Active Directory Users<br />
Add Active Directory users to existing PolicyServer groups using the External Directory<br />
Browser. PolicyServer maintains a user directory separate from the Active Directory<br />
database. This allows PolicyServer to provide absolute security over access to all devices,<br />
user rights, and authentication methods.<br />
For information about configuring Active Directory integration, see the Endpoint<br />
<strong>Encryption</strong> Installation Guide.<br />
Procedure<br />
1. From the left pane, open Enterprise Users, right-click the right pane (whitespace)<br />
and then select External Directory Browser.<br />
The Active Directory User Import window displays.<br />
2. Click Edit > Connect to Domain.<br />
3. Specify the Active Directory LDAP server hostname.<br />
4. Specify a user name and password with access to the Active Directory domain.<br />
5. Click OK.<br />
The user accounts load in the right pane.<br />
6. Click File and then select Add to Enterprise or Add to Group, depending on<br />
where the users are to be added.<br />
7. Click OK to add the users to the specified location.<br />
A confirmation window displays.<br />
8. Click OK to confirm.<br />
An import status message displays.<br />
9. Click OK.<br />
Finding a User<br />
Searching for users at the group level is faster, but the search does not cover the<br />
entire enterprise.<br />
Procedure<br />
1. From the left pane, click Enterprise Users or expand the group and click Users.<br />
2. At the upper corner of the right pane, click Search.<br />
The User Search Filter window appears.<br />
FIGURE 4-5. User Search Filter window<br />
3. Specify search details and then click Search.<br />
All accounts matching the search criteria display.<br />
Note<br />
If there are many users, use Page Counter to go from one page to another or click<br />
Clear to remove all results.<br />
Modifying a User<br />
Any Group Administrator can change a user's profile information.<br />
Note<br />
• Enterprise-level changes are applied to the user universally, but group-level changes<br />
apply only to that group.<br />
Procedure<br />
1. Open Enterprise Users.<br />
2. In the right pane, right-click the user and select Modify User.<br />
The Modify User screen appears.<br />
3. Make the necessary changes. If the authentication method changes to Fixed<br />
Password, provide the default user password.<br />
4. Click OK.<br />
5. At the confirmation message, click OK.<br />
Viewing a User's Group Membership<br />
If a user belongs to multiple groups, Administrators can view the user's group memberships.<br />
Procedure<br />
1. Open Enterprise Users.<br />
2. Right-click the user and select List Groups.<br />
The Group Membership list appears.<br />
Adding a New User to a Group<br />
Note<br />
• Adding a user to the enterprise does not assign the user to any groups.<br />
• Adding a user to a group adds the user to the group and to the enterprise.<br />
Procedure<br />
1. Expand the Group and open Users.<br />
2. Right-click whitespace in the right pane and select Add New User.<br />
The Add New User screen appears.<br />
FIGURE 4-6. Add New User Screen<br />
3. Specify user information. User name, first name, and last name are required.
4. Only select Freeze if the account should be temporarily disabled. While frozen, the<br />
user is unable to log on to devices.<br />
5. Use the Group User Type field to set the privileges of the new account.<br />
Enterprise Administrators and Authenticators cannot be added to groups.<br />
6. Select One Group to prevent the user from belonging to multiple groups.<br />
7. Select the Authentication Method.<br />
Note<br />
The default authentication method for users is None.<br />
8. Click OK.<br />
The new user is added to the selected group and to the Enterprise. The user can<br />
now log on to a device.<br />
Adding an Existing User to a Group<br />
A user can be added to numerous groups.<br />
Procedure<br />
1. Expand the group in the left pane and then click Users.<br />
2. Right-click whitespace in the right pane, and select Add Existing User.<br />
The Add Users To Group screen appears.<br />
FIGURE 4-7. Add Existing Users To Group Screen<br />
3. Specify user details and then click Search.<br />
If there is a match, the Source field populates with accounts.<br />
4. Select user accounts from the list and click the blue arrow to add them. See<br />
Chapter 2, Table 2-3: Icons to Add/Remove Users on page 2-12 for additional controls.<br />
TABLE 4-3. Icons to Add/Remove Users<br />
CENTER ICONS DESCRIPTION<br />
Add a single selected user to Destination field.<br />
Add all found users based on search criteria to Destination field.<br />
Delete a single selected user from Destination field.<br />
Delete all users from Destination field.<br />
5. To change a user’s password:<br />
a. In the Destination field, highlight the user.<br />
b. Click Enter User Password located at the bottom of the window.<br />
c. In the window that appears, specify the user’s authentication method.<br />
d. Click Apply.<br />
6. Click Apply.<br />
The user is added to the group. If this is the only group that the user belongs to,<br />
then the user is now able to log on to the endpoint client.<br />
Changing a User’s Default Group<br />
The first group listed is the default group for the user.<br />
Note<br />
The user must be allowed to install to their default group. For details, see Allowing User to<br />
Install to a Group on page 4-20.<br />
Procedure<br />
1. Open Enterprise Users.<br />
2. Right-click the user and then select List Groups.<br />
The Group Membership list appears.<br />
3. Right-click the user and then select Move to top.<br />
The user’s default group is changed.<br />
Allowing User to Install to a Group<br />
This option allows users to install Endpoint <strong>Encryption</strong> devices to a group that they are<br />
a member of, without requiring Administrator approval.<br />
Note<br />
The default setting is Disallow User To Install To This Group.<br />
Procedure<br />
1. Open Enterprise Users.<br />
2. Right-click the user and then select List Groups.<br />
The Group Membership list appears.<br />
3. Right-click the user and then select Allow User To Install To This Group.<br />
The user can now install devices to this group.
Removing Individual Users From a Group<br />
WARNING!<br />
Before removing a Group Administrator or authenticator account, reassign this role to<br />
another user. Otherwise, only enterprise-level Administrators or authenticators can make<br />
group-level changes.<br />
Procedure<br />
1. Expand the group and click Users.<br />
2. In the right pane, right-click the user and select Remove User.<br />
A warning message displays.<br />
3. To remove the user from the enterprise as well, enable Remove from Enterprise.<br />
Note<br />
Removing a user from the enterprise also removes that user from all groups and<br />
subgroups.<br />
4. Click Yes.<br />
The user is removed.<br />
Removing All Users From a Group<br />
WARNING!<br />
Before removing a Group Administrator or Authenticator account, reassign this role to<br />
another user. Otherwise, only Enterprise Administrators/Authenticators can make<br />
group-level changes.<br />
Procedure<br />
1. Expand the group and then click Users.<br />
2. In the right pane, right-click the user and select Remove All Users.<br />
A warning message displays.<br />
3. To remove all users from the enterprise as well, enable Remove from Enterprise.<br />
Note<br />
Removing a user from the enterprise also removes that user from all groups and<br />
subgroups.<br />
4. Click Yes.<br />
Restoring a Deleted User<br />
All deleted users are stored in the Recycle Bin at the Enterprise level. Groups do not<br />
have a Recycle Bin. Restoring a user does not add the user back to previously assigned<br />
groups.<br />
Procedure<br />
1. Expand the Recycle Bin.<br />
2. Open Deleted Users.<br />
The right pane loads all deleted users.<br />
3. Right-click the user and select Restore User.<br />
The user is added back to the Enterprise, but does not belong to any groups.<br />
Working with Passwords<br />
When a user forgets his/her password or misplaces a device, the user's password can be<br />
reset using methods defined by enterprise or group policies. The following<br />
password reset methods are available:<br />
• <strong>Micro</strong>soft Windows Active Directory
• PolicyServer MMC<br />
• Remote <strong>Help</strong><br />
• Self <strong>Help</strong><br />
All of these options involve setting the policy at the enterprise level and then at the<br />
group level whenever necessary. Use the Support Information policy to provide<br />
support-related information to users about password resets.<br />
Resetting an Enterprise Administrator/Authenticator Password<br />
Only Enterprise Administrators can reset an Enterprise Administrator password. An<br />
Authenticator with the same group permissions or higher can reset an Administrator<br />
or Authenticator password within that group.<br />
Tip<br />
Trend Micro recommends having at least three Enterprise Administrator accounts at all<br />
times as a safeguard against password loss. If an Enterprise Administrator account<br />
password is lost, it is possible to reset the password by using Self Help.<br />
Procedure<br />
1. Log on PolicyServer MMC using an Enterprise Administrator account.<br />
2. Open Enterprise Users.<br />
3. Right-click the Enterprise Administrator or Authenticator account with the lost<br />
password, and then select Change Password.<br />
The Change Password window appears.<br />
4. Select an authentication method.<br />
5. Specify the password (if requested).<br />
6. Click Apply.<br />
The account password is reset.<br />
Note<br />
The User must change password at next logon option is only available after the<br />
endpoint client updates policies.<br />
Resetting a Group Administrator/Authenticator Password<br />
All password changes are for the group only. If an Administrator wants to have just<br />
one password, then he/she should only belong to one Top Group.<br />
Procedure<br />
1. Log on PolicyServer MMC using a Group Administrator account.<br />
2. Expand the group and open Users.<br />
3. Right-click the Group Administrator or Authenticator account with the lost<br />
password, and then select Change Password.<br />
The Change Password window appears.<br />
4. Select an authentication method.<br />
5. Specify and confirm the password (if requested).<br />
6. Click Apply.<br />
The account password is reset.<br />
Note<br />
The User must change password at next logon option is only available after the<br />
client updates.<br />
Resetting a User's Password<br />
When resetting a user’s password, select the User must change password at next<br />
logon check box to require a user to change his/her password at next log on. Once the
user logs on and changes the password, he/she must also change the password for all<br />
devices.<br />
Note<br />
<strong>Trend</strong> <strong>Micro</strong> recommends using the domain authentication.<br />
Resetting to a Fixed Password<br />
Procedure<br />
1. Open Enterprise Users or expand the group and open Users.<br />
2. Select users from the right pane.<br />
Hold SHIFT to select multiple users. Multiple selection is only available at the<br />
group level.<br />
3. Right-click and select Change Password.<br />
The Change Password window appears.<br />
4. For the Authentication Method, select Fixed Password.<br />
5. Specify and confirm the password.<br />
6. Click Apply.<br />
The user is required to change his/her password at the next logon.<br />
Resetting a User Password with Active Directory<br />
<strong>Trend</strong> <strong>Micro</strong> recommends using Active Directory to reset the user password, especially<br />
if the user has access to the company <strong>Help</strong> Desk, has network connectivity, or if<br />
Windows Single Sign-on (SSO) is enabled.<br />
Refer to the appropriate Windows Operating System Guide for more information about<br />
resetting a domain user password using Active Directory.<br />
Using Self <strong>Help</strong> Password Support<br />
This task explains how to configure policies for Self <strong>Help</strong>. Users who have forgotten<br />
their passwords can use Self <strong>Help</strong> to authenticate without <strong>Help</strong> Desk assistance. Use the<br />
Number of Questions and the Personal Challenge policies to set the number of personal<br />
challenge questions and the questions that the user must answer, respectively. Self <strong>Help</strong><br />
questions are answered during the initial user authentication and when users change<br />
their passwords.<br />
For details about using Self <strong>Help</strong>, see Self <strong>Help</strong> on page 1-18.<br />
Note<br />
Self Help requires network connectivity to PolicyServer.<br />
Procedure<br />
1. Expand Enterprise <strong>Policies</strong> or expand the group and then expand <strong>Policies</strong>.<br />
2. Go to Common > Authentication > Local Login > Self <strong>Help</strong>.<br />
FIGURE 4-8. Self <strong>Help</strong> Policy<br />
3. Open Number of Questions to set the required number of questions that users<br />
must answer.
WARNING!<br />
Do not set Number of Questions greater than six. Otherwise, users will be unable<br />
to log on.<br />
4. Right-click Personal Challenge and select Add to set a question that the user<br />
must answer. Repeat until all personal challenge questions are defined.<br />
The next time users log on, they will be prompted to set their personal challenge<br />
question answers.<br />
Remote <strong>Help</strong> Password Support<br />
Reset forgotten passwords with Remote <strong>Help</strong>. A user who has a locked account or<br />
forgets their password has to reset their password before logging in with the new<br />
password. Remote <strong>Help</strong> requires that the user contact the <strong>Help</strong> Desk for a Challenge<br />
Response. Remote Help does not require network connectivity to PolicyServer.<br />
Procedure<br />
1. Log on PolicyServer MMC with an Enterprise Administrator account or a Group<br />
Administrator/Authenticator account within the same policy group as the user.<br />
2. Ask the user to click <strong>Help</strong> > Remote <strong>Help</strong> from his/her endpoint client.<br />
3. Ask the user for the Device ID displayed.<br />
FIGURE 4-9. Remote <strong>Help</strong> Assistance<br />
4. In PolicyServer MMC, open Enterprise Devices or expand the user’s group and<br />
open Devices.<br />
5. In the right pane, right-click the user device and then select Soft Token.<br />
The Software Token window appears.<br />
6. Ask the user to read the 16-digit Challenge field, and type it into the Challenge<br />
field of the Software Token window.<br />
7. Click Get Response.
The Response field loads with an 8-character string.<br />
8. Tell the user the 8-character string from the Response field.<br />
9. The user inputs the string in the Response field on the endpoint and clicks Login.<br />
10. The user is prompted to provide a new password.<br />
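The Remote Help exchange in this procedure, sketched as an added example; it is not Trend Micro's code, and the product's actual algorithm is not described in this guide. It shows why the exchange can work without network connectivity: the endpoint and the help desk console derive the same 8-character response from a 16-digit challenge. Assumptions: a per-device secret known to both sides, an HMAC-SHA256 derivation, an attempt limit, and the hypothetical names `LockedDevice`, `HelpDeskConsole`, and `compute_response`.

```python
import base64
import hashlib
import hmac
import secrets

CHALLENGE_DIGITS = 16  # the guide's Challenge field holds 16 digits
RESPONSE_CHARS = 8     # the guide's Response field holds 8 characters


def normalize(code: str) -> str:
    """Codes are read over the phone: drop separators and ignore case."""
    return "".join(ch for ch in code if ch.isalnum()).upper()


def compute_response(device_key: bytes, device_id: str, challenge: str) -> str:
    """Assumed derivation: truncated HMAC-SHA256 over Device ID and challenge."""
    message = f"{normalize(device_id)}|{normalize(challenge)}".encode()
    mac = hmac.new(device_key, message, hashlib.sha256).digest()
    # Base32 uses only A-Z and 2-7, so the response survives case changes.
    return base64.b32encode(mac).decode("ascii")[:RESPONSE_CHARS]


class HelpDeskConsole:
    """Server side: maps each Device ID to its key (hypothetical key store)."""

    def __init__(self, device_keys: dict):
        self._keys = device_keys

    def get_response(self, device_id: str, challenge: str) -> str:
        challenge = normalize(challenge)
        is_digits = challenge.isascii() and challenge.isdigit()
        if len(challenge) != CHALLENGE_DIGITS or not is_digits:
            raise ValueError("challenge must be exactly 16 digits")
        return compute_response(self._keys[device_id], device_id, challenge)


class LockedDevice:
    """Endpoint side: verifies offline because it holds the same device key."""

    def __init__(self, device_id: str, device_key: bytes, max_attempts: int = 3):
        self.device_id = device_id
        self._key = device_key
        self._attempts_left = max_attempts  # persists across restarts
        self.restart()

    def restart(self) -> None:
        """A restart issues a fresh challenge, so older responses stop working."""
        self.challenge = "".join(
            secrets.choice("0123456789") for _ in range(CHALLENGE_DIGITS)
        )
        self.unlocked = False

    def submit_response(self, response: str) -> bool:
        if self.challenge is None or self._attempts_left == 0:
            return False  # challenge already used, or too many wrong guesses
        expected = compute_response(self._key, self.device_id, self.challenge)
        supplied = normalize(response).encode()
        # Constant-time comparison avoids leaking how many characters matched.
        if hmac.compare_digest(supplied, expected.encode()):
            self.unlocked = True
            self.challenge = None  # single use: the response cannot be replayed
            return True
        self._attempts_left -= 1
        return False


def demo():
    key = secrets.token_bytes(32)           # constructed sample key
    device = LockedDevice("DEV-0001", key)  # constructed Device ID
    desk = HelpDeskConsole({"DEV-0001": key})
    stale = desk.get_response(device.device_id, device.challenge)
    device.restart()  # the user reboots before typing the response
    rejected = device.submit_response(stale)
    fresh = desk.get_response(device.device_id, device.challenge)
    accepted = device.submit_response(fresh.lower())  # typed in lower case
    return rejected, accepted


if __name__ == "__main__":
    print(demo())
```

An 8-character Base32 response carries 40 bits, which is why the sketch pairs it with an attempt limit and a single-use challenge.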
Support Information Setup<br />
The Support Information policy specifies information about an organization’s Support<br />
<strong>Help</strong> Desk. The Support Information policy can be configured uniquely for each group.<br />
Procedure<br />
1. Log on PolicyServer MMC with either an Enterprise Administrator account or a<br />
Group Administrator/Authenticator account within the same policy group as the<br />
user.<br />
2. Expand the user’s group and go to <strong>Policies</strong> > <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> > Common<br />
> Login.<br />
3. Right-click the Support Info policy and select Add.<br />
4. Specify support information (phone number, location).<br />
5. Click OK.<br />
Working with Devices<br />
Devices are computers, laptops, smartphones, and any other endpoint with <strong>Full</strong> <strong>Disk</strong><br />
<strong>Encryption</strong>, FileArmor, or KeyArmor installed. Devices are automatically added to the<br />
Enterprise when any Endpoint <strong>Encryption</strong> application is installed.<br />
Note<br />
Each device can only be a part of one group.<br />
Adding a Device to a Group<br />
Procedure<br />
1. In the left pane, expand the desired policy group and click Devices.<br />
2. In the right pane, right-click the whitespace and select Add Device.
The Add Devices to Group screen appears.<br />
FIGURE 4-10. Add Devices to Group Screen<br />
3. Type the device details and then click Search.<br />
If there is a match, the Source field populates with accounts.<br />
4. Select the device from the list and click the blue arrow to add it. See Table 4-4 for<br />
additional controls.<br />
TABLE 4-4. Icons to Add/Remove Devices<br />
CENTER ICONS DESCRIPTION<br />
Add a single selected device to Destination field.<br />
Add all found devices based on search criteria to Destination field.<br />
Delete a single selected device from Destination field.<br />
Delete all devices from Destination field.<br />
5. Click Apply to add the device to the selected group.<br />
The device is added to the group.<br />
Removing a Device from a Group<br />
Removing a device from a group removes the device from the selected group only.<br />
WARNING!<br />
To remove a device from all groups, remove it from the Enterprise. Before deleting a<br />
device from the Enterprise, verify that the device has been unencrypted and all Trend<br />
Micro products were uninstalled. Failure to do so may result in irreversible data loss.<br />
Procedure<br />
1. Expand the group and open Devices.<br />
2. In the right pane, right-click the device and select Remove Device.<br />
A warning message appears.<br />
3. Click Yes.<br />
The device is removed.
Removing a Device from the Enterprise<br />
Deleting a device from the Enterprise removes the device from all groups and the<br />
Enterprise. The device will continue to function as long as connectivity and password<br />
policies are current on the device. Files cannot be recovered if the device fails in this<br />
state. To mitigate this risk, decrypt the device immediately, uninstall <strong>Full</strong> <strong>Disk</strong><br />
<strong>Encryption</strong>, and then reinstall <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> as an unmanaged client.<br />
WARNING!<br />
Verify that the device has been unencrypted and all <strong>Trend</strong> <strong>Micro</strong> applications are<br />
uninstalled before deleting a device from the Enterprise. Failure to do so may result in<br />
irreversible data loss.<br />
For information about removing a device from a specific group, but not the Enterprise,<br />
see Removing a Device from a Group on page 4-32.<br />
Note<br />
Go to the Recycle Bin to add a removed device back to the Enterprise.<br />
Procedure<br />
1. Uninstall the endpoint client application from the device. For information about<br />
endpoint client uninstallation, see the Endpoint <strong>Encryption</strong> Installation Guide.<br />
2. Open Enterprise Devices.<br />
3. In the right pane, right-click the device and select Remove Device. Locate and<br />
click on the selected device.<br />
A warning message displays.<br />
4. Click Yes.<br />
The device is removed.<br />
Viewing Directory Contents<br />
Use the directory listing option to view a snapshot of all applications downloaded to the<br />
selected device.<br />
Procedure<br />
1. Open Enterprise Devices or expand a group and open Devices.<br />
2. In the right pane, right-click the device and select Directory Listing.<br />
The Device Directory Snapshot window displays all applications downloaded to<br />
the device.<br />
Viewing Device Attributes<br />
Use the Device Attributes option to view a current snapshot of the selected device<br />
(memory, operating system, battery life, etc.).<br />
Procedure<br />
1. Open Enterprise Devices or expand a group and open Devices.<br />
2. In the right pane, right-click the device and select Directory Listing.
The Device Attributes window displays.<br />
FIGURE 4-11. Device Attributes List<br />
Viewing Directory Listing<br />
Use directory listing to view the directory structure of KeyArmor devices only.<br />
Procedure<br />
1. Open Enterprise Devices or expand a group and open Devices.<br />
2. In the right pane, right-click the device and select Directory Listing.<br />
The Device Directory Snapshot window displays.<br />
Killing a Device<br />
Killing a device completely deletes all data. For DriveArmor, <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong>, and<br />
KeyArmor, the kill command is issued when the device communicates with<br />
PolicyServer.<br />
WARNING!<br />
Killing a device cannot be undone. Back up all the data before performing this action.<br />
Procedure<br />
1. Open Enterprise Devices or expand a group and open Devices.<br />
2. In the right pane, right-click the device and select Kill Device.<br />
3. At the warning message, click Yes.<br />
4. At the confirmation message, click OK.<br />
Locking a Device<br />
Locking a device reboots the device and forces it into a state that requires Remote <strong>Help</strong>.<br />
For DriveArmor, <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong>, and KeyArmor, the lock command is issued<br />
when the device communicates with the PolicyServer.<br />
Lock a device to prevent a user from authenticating to the device until a successful<br />
Remote <strong>Help</strong> authentication is performed.<br />
Procedure<br />
1. Open Enterprise Devices or expand a group and open Devices.<br />
2. In the right pane, right-click the device and select Lock Device.<br />
3. At the warning message, click Yes.<br />
4. At the confirmation message, click OK.<br />
Rebooting a Device<br />
Use Soft Reset to reboot a device. For DriveArmor, <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> and<br />
KeyArmor, the soft reset command is issued when the device communicates with<br />
PolicyServer.
Procedure<br />
1. Open Enterprise Devices or expand a group and open Devices.<br />
2. In the right pane, right-click the device and select Soft Reset.<br />
3. At the warning message, click Yes.<br />
4. At the confirmation message, click OK.<br />
Restoring a Deleted Device<br />
All deleted devices are stored in the Recycle Bin at the Enterprise level. Groups do not<br />
have a Recycle Bin. Restoring a device does not add the device back to previously<br />
assigned groups.<br />
Procedure<br />
1. Expand the Recycle Bin.<br />
2. Open Deleted Devices.<br />
The right pane loads all deleted users.<br />
3. Right-click the device and select Restore Device.<br />
The device is added back to the Enterprise, but does not belong to any groups.<br />
Chapter 5<br />
Working with <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong><br />
<strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> provides comprehensive endpoint data security using mandatory<br />
strong authentication and full disk encryption. <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> secures not only the<br />
data files, but also all applications, registry settings, temporary files, swap files, print<br />
spoolers, and deleted files. Until the user is validated, strong preboot authentication<br />
restricts access to the vulnerable host operating system.<br />
This chapter covers the following topics:<br />
• Endpoint <strong>Encryption</strong> Tools on page 5-2<br />
• <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot Authentication on page 5-2<br />
• <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Connectivity on page 5-13<br />
• <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Recovery Console on page 5-15<br />
• <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Recovery Methods on page 5-24<br />
• Repair CD on page 5-25<br />
Endpoint <strong>Encryption</strong> Tools<br />
TABLE 5-1. Endpoint Encryption Tools<br />
TOOL: PURPOSE<br />
Recovery Console:<br />
• Recover a device in the event of primary OS failure.<br />
• Troubleshoot network issues.<br />
• Manage users and logs.<br />
Command Line Helper:<br />
• Create encrypted values to secure credentials when creating an installation script.<br />
Command Line Installer Helper:<br />
• Generate scripts for automatic installations.<br />
• Create encrypted values to secure credentials when creating an installation script.<br />
DAAutoLogin:<br />
• Used for Windows patching. DAAutoLogin allows for a one-time bypass of Endpoint Encryption Preboot.<br />
Repair CD:<br />
• Use this bootable CD to decrypt the drive before removing Full Disk Encryption in the event that the disk becomes corrupted.<br />
• Only use the Repair CD if standard removal methods are not possible. A typical symptom of a corrupted disk is a black screen.<br />
<strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot Authentication<br />
After installing <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong>, <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot now appears before<br />
Windows loads. <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot plays an important role in ensuring only<br />
authorized users are able to access devices, and for updating local security policies when<br />
connected to PolicyServer. From this screen, you can perform a number of tasks:<br />
• Authenticating to an endpoint<br />
• Changing passwords<br />
• Logging on to the Recovery Console
FIGURE 5-1. The <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot screen<br />
Menu Options<br />
There are several options available in the top-left menu of <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong><br />
Preboot.<br />
TABLE 5-2. Full Disk Encryption Preboot Menu Options<br />
MENU ITEM: DESCRIPTION<br />
Authentication: Change the authentication method used to log on.<br />
Communication: Manually synchronize with PolicyServer. Note: Unmanaged endpoints display a null value.<br />
Computer: View information about Full Disk Encryption, change the keyboard layout, access the on-screen keyboard, or restart/shutdown the device.<br />
Network Connectivity<br />
The network connection icon appears in the top-right corner when Full Disk<br />
<strong>Encryption</strong> is installed as a managed client. The icon is only highlighted when the device<br />
is connected to the network and has communication with PolicyServer. When <strong>Full</strong> <strong>Disk</strong><br />
<strong>Encryption</strong> is unmanaged, the network icon never displays.<br />
On-Screen Keyboard<br />
Access the on-screen keyboard from <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot by navigating to:<br />
Menu > Computer > On-Screen Keyboard<br />
To insert the cursor in the desired field when the keyboard is displayed, click Focus on<br />
the bottom-right corner of the keyboard.<br />
Changing the Keyboard Layout<br />
Changing the keyboard layout affects both keystrokes and the on-screen keyboard. Once<br />
Windows boots, the keyboard layout is set by the Windows operating system.<br />
Procedure<br />
1. Navigate to Menu > Computer > Change Keyboard Layout.<br />
The Select the keyboard language (layout) screen appears.<br />
2. Select a keyboard layout.<br />
3. Click OK.<br />
Changing Authentication Methods<br />
Procedure<br />
1. At <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot, select Change Password After Login.
2. Specify the user name and password.<br />
3. Click Login.<br />
The Change Password window appears.<br />
4. From the top-left menu, select Authentication, and choose the desired<br />
authentication method.<br />
The New Password window for the chosen authentication method appears.<br />
5. Provide and confirm the new password, and then click Next.<br />
The device boots into Windows.<br />
Changing Passwords<br />
Procedure<br />
1. At <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot, select Change Password After Login.<br />
2. Specify the user name and password.<br />
3. Click Login.<br />
The Change Password window appears.<br />
4. Provide and confirm the new password, and click Next.<br />
The device boots into Windows.<br />
ColorCode<br />
ColorCode is a unique authentication method designed to be easily remembered and<br />
quickly provided. Instead of using numbers or letters for a password, ColorCode<br />
authentication consists of a user-created sequence of colors (for example: red, red, blue,<br />
yellow, blue, green).<br />
FIGURE 5-2. ColorCode Logon<br />
Creating a ColorCode Password<br />
The total count (total number of steps in the ColorCode) is defined by PolicyServer. The<br />
default count is six.<br />
Procedure<br />
1. Change the authentication method to ColorCode.
Note<br />
For details about changing authentication methods, see Changing Authentication Methods<br />
on page 5-4.<br />
The ColorCode Change Password screen appears.<br />
FIGURE 5-3. ColorCode Change Password Screen<br />
2. Choose the first color by clicking it using the square to the left.<br />
The count increases by one.<br />
3. Click additional colors in the sequence.<br />
Tip<br />
If there was a mistake, click Back to delete the last color clicked, or click Clear to<br />
start over.<br />
4. After the sequence is complete, confirm the ColorCode password using the square<br />
to the right.<br />
5. Click Next to finish.<br />
Remote <strong>Help</strong><br />
Use Remote Help when a user is locked out of an endpoint client after too many failed<br />
logon attempts or when too much time has passed since the last PolicyServer<br />
synchronization.<br />
Within each application’s policies, set the action to Remote Authentication.<br />
TABLE 5-3. Policies Affecting Remote Help Authentication<br />
POLICY: DESCRIPTION<br />
Login > Account Lockout Period: The number of days that a device cannot communicate with PolicyServer before Account Lockout Action is called.<br />
Login > Account Lockout Action: The action taken when the length of time in Account Lockout Actions include: erase, remote authentication.<br />
Login > Failed Login Attempts Allowed: The number of failed login attempts allowed before executing the action defined in Device Locked<br />
Login > Device Locked Action: The action taken when the Failed Attempts Allowed policy value has been exceeded. Actions include: time delay, erase, remote authentication.<br />
Using Remote <strong>Help</strong> to Unlock <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong><br />
Procedure<br />
Important<br />
• Restarting the endpoint device resets the challenge code.<br />
• Manually synchronizing policies with PolicyServer also resets the challenge code.<br />
• The Challenge Code and Response Code are not case sensitive.<br />
1. From <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot, go to Menu > Authentication > Remote<br />
<strong>Help</strong>.<br />
2. Provide the Challenge Code to the PolicyServer Administrator.<br />
3. Type the Response Code provided by the PolicyServer Administrator.<br />
4. Click Login.<br />
The Change Password window appears.<br />
Note<br />
If the account uses domain authentication, the device will boot directly into<br />
Windows.<br />
5. Specify and confirm the new password, then click Next.<br />
The device boots into Windows.<br />
Smart Card<br />
Smart card authentication requires both a PIN and a physical card when confirming a<br />
user's identity. Insert the smart card before providing a PIN.<br />
Important<br />
To allow smart card authentication for all Endpoint <strong>Encryption</strong> clients, enable the<br />
following policy: <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> > PC > Login > Token Authentication.<br />
Supported Smart Cards<br />
CARD MANUFACTURER | PRODUCT NAME | LASER ENGRAVING ON BACK OF CARD<br />
Axalto | Axalto Cyberflex Access 64k v1 soft mask 4 version 1 | Axalto Access 64KV2<br />
 | Axalto Cyberflex Access 64k v1 soft mask 4 version 2 | Axalto Access 64KV2<br />
Gemalto | Cyberflex Access v2c 64K | Gemalto Access 64KV2<br />
 | Gemalto GemCombiXpresso R4 dual interface | Gemalto GCX4 72K DI<br />
 | Gemalto TOP DL GX4 144K | Gemalto TOP DL GX4 144K<br />
Gemplus | GemXpresso (GXP) PRO 64 K | Gemplus GXP3 64V2N<br />
Oberthur | CosmopollC v4 32K | Oberthur CosmopollC v4<br />
 | Galactic v1 32K | OCS Gal 2.1<br />
 | ID-One Cosmo v5.2D 64k | Oberthur C.S. Cosmo64 V5.2D<br />
 | ID-One Cosmo v5.2 72k | Oberthur ID One V5.2<br />
 | ID-One Cosmo v5.2D 72k | Oberthur ID One V5.2 Dual<br />
RSA | RSA 5100 |<br />
 | RSA 5200 |<br />
 | RSA 6100 |<br />
 | RSA SID 800 |<br />
Schlumberger (Axalto) | Cyberflex 32k v2 card with Softmask 7 Version 2 | Schlumberger Access 32K V2<br />
Authenticating with a Smart Card<br />
Procedure<br />
1. Insert the smart card in the reader.<br />
2. Connect the reader to the device.<br />
3. Provide the user name and fixed password.<br />
4. Click Continue.<br />
A message window appears.<br />
5. Click Continue.<br />
6. At the Register Token window:<br />
a. Type the new PIN provided by the Administrator.<br />
b. Confirm the new PIN.<br />
c. Select the smart card type from the Token drop-down list.<br />
d. Click Continue to finish registering the token, and access the PC.<br />
Self <strong>Help</strong><br />
Use Self <strong>Help</strong> to authenticate when users have forgotten their credentials. Self <strong>Help</strong><br />
requires users to respond with answers to predefined personal challenge questions. Self<br />
<strong>Help</strong> can also be used instead of fixed password or other authentication methods.<br />
Important<br />
PolicyServer must be configured to allow Self <strong>Help</strong> authentication. For more information,<br />
see Understanding <strong>Policies</strong> on page 3-1.<br />
WARNING!<br />
A maximum of six questions can display to endpoint clients. Do not create more than six<br />
questions in PolicyServer, or users will be unable to log on.<br />
Setting Up Self <strong>Help</strong><br />
If the Self <strong>Help</strong> policy is enabled, the user is prompted to define answers for the Self<br />
<strong>Help</strong> questions after his/her first login. If the user changes their password, they must<br />
define Self <strong>Help</strong> question answers again.<br />
Note<br />
Self <strong>Help</strong> answers are stored on the device. If a user logs on to another <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong><br />
device, the user must define Self <strong>Help</strong> answers for that device.<br />
Procedure<br />
1. Provide the user name and password.<br />
2. Click Login.<br />
The Self <strong>Help</strong> window appears.<br />
3. Define answers for all of the Self <strong>Help</strong> questions.<br />
4. Click Next.<br />
The device boots into Windows.
Using Self <strong>Help</strong><br />
Procedure<br />
1. From the top-left menu of <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot, go to Menu ><br />
Authentication > Self <strong>Help</strong>.<br />
The Self <strong>Help</strong> window appears.<br />
2. Answer all of the Self <strong>Help</strong> questions.<br />
3. Click Login.<br />
4. Define a new password, and then click Next.<br />
The device boots into Windows.<br />
Changing Self <strong>Help</strong> Answers<br />
Procedure<br />
1. At <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot, provide your credentials, select Change<br />
Password After Login, then click Login.<br />
The Change Password window appears.<br />
2. Provide and confirm the new password, and then click Next.<br />
The Self <strong>Help</strong> window appears.<br />
3. Define new answers for all of the Self <strong>Help</strong> questions, and then click Next.<br />
The device boots into Windows.<br />
<strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Connectivity<br />
Endpoint <strong>Encryption</strong> uses a FIPS 140-2 approved encryption process for data passed<br />
between <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot and PolicyServer. <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> clients<br />
that have network connectivity to PolicyServer can receive policy updates and upload<br />
audit data from the endpoint client. All client-server communications are internally<br />
encrypted and can be sent over insecure connections such as the Internet.<br />
System Administrators have flexibility in determining connectivity options for their<br />
organization. Administrators can place PolicyServer within a DMZ (Demilitarized Zone)<br />
for access to both internal networks and the Internet.<br />
TABLE 5-4. <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Connectivity Requirements<br />
RESOURCE | FUNCTION<br />
PolicyServer | Updated security policies from PolicyServer can be sent to <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot or using connectivity established within Windows, LAN, VPN, etc.<br />
TCP/IP Access | Network connectivity for PC devices requires full TCP/IP network access; dial-up or telephone access cannot be used to provide connectivity with PolicyServer during preboot authentication.<br />
Port 80 | <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> communications use port 80 by default. To change the default port number, go to Recovery Console and update the PolicyServer.<br />
Updating <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Clients<br />
<strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> clients automatically receive policy updates from PolicyServer at<br />
intervals determined by policy. Do the following to manually synchronize policies:<br />
Procedure<br />
1. From the top-left menu of <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot, go to Communications<br />
> Synchronize policies.<br />
2. Go to Computer > About <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong>. The timestamp of the latest<br />
PolicyServer policy synchronization displays.
<strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Recovery Console<br />
Recovery Console helps Administrators recover a device in the event of primary OS<br />
failure, troubleshoot network connectivity issues, and manage policies for unmanaged<br />
clients.<br />
WARNING!<br />
Use Recovery Console before running standard Windows diagnostic and repair utilities.<br />
TABLE 5-5. Recovery Console Functions<br />
CONSOLE ITEM | DESCRIPTION<br />
Decrypt <strong>Disk</strong> | Remove encryption from the disk drive. Use the <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot Recovery Console to access Decrypt <strong>Disk</strong>.<br />
Mount Partitions | Provide access to the encrypted partitions for file management. Use the <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot Recovery Console to access Mount Partitions. Note: Mount Partitions is only accessible on devices with software encryption. This option is grayed-out if a device has hardware encryption.<br />
Restore Boot | Roll back the MBR to a state before <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> installation. Use the <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot Recovery Console to access Restore Boot. Note: Restore Boot is only accessible on devices with software encryption. This option is grayed-out if a device has hardware encryption.<br />
Manage Users | Add or remove users from the device when not connected to PolicyServer.<br />
Manage <strong>Policies</strong> | Modify policies for devices that are either not managed by PolicyServer or are managed but are temporarily not connected to PolicyServer. If the device is managed, policy changes are overwritten the next time that the device communicates with PolicyServer.<br />
View Logs | View and search the various <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> logs. Note: Logs are available only when the Recovery Console is accessed from Windows.<br />
Network Setup | Verify, test, and modify network settings.<br />
Exit | Exit the Recovery Console.<br />
Accessing Recovery Console<br />
Only Group Administrator/Authenticator accounts can access Recovery Console. To<br />
allow users to access Recovery Console, set PC > Client > Allow User Recovery to<br />
Yes.<br />
Procedure<br />
1. Reboot the device.<br />
2. When <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot appears, provide the user name and password.<br />
3. Select the Recovery Console option, and then log on.<br />
Recovery Console displays.
Accessing Recovery Console from Windows<br />
Procedure<br />
1. In Windows, go to the <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> installation directory. The default<br />
location is C:\Program Files\Trend Micro\Full Disk Encryption\<br />
2. Open RecoveryConsole.exe.<br />
The Recovery Console window appears.<br />
3. Provide the user name and password, and then click Login.<br />
Recovery Console opens to the Decrypt <strong>Disk</strong> page.<br />
Using Decrypt <strong>Disk</strong><br />
Selecting Decrypt <strong>Disk</strong> decrypts an encrypted <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> hard disk, but does<br />
not remove any of the encryption drivers. If using Decrypt Drive, disable DrAService<br />
before booting into Windows.<br />
Procedure<br />
WARNING!<br />
Read this procedure before using Decrypt <strong>Disk</strong>. Data loss can occur if performed<br />
incorrectly. Do not use Decrypt <strong>Disk</strong> to remove <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> from a device that is<br />
functioning normally. Use TMFDEUninstall.exe instead.<br />
1. At <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot, select Recovery Console, provide credentials,<br />
and then click Login.<br />
Recovery Console opens to the Decrypt <strong>Disk</strong> page.<br />
2. Click Decrypt to begin decrypting the drive.<br />
Decryption begins immediately and the Decrypt <strong>Disk</strong> page displays the decryption<br />
progress.<br />
3. When decryption is finished, click Exit to reboot the device.<br />
4. If booting a repair tool CD, DVD, or USB key:<br />
a. After exiting <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong>, press F12 (or the appropriate button to<br />
enter the boot options).<br />
b. Insert the repair tool CD / DVD and select CD/DVD drive from the boot<br />
options screen.<br />
c. Proceed with established recovery actions.<br />
5. If booting into Windows:<br />
a. Hold F8 and select Safe Mode before the system begins booting into Windows.<br />
WARNING!<br />
If the Windows boot options screen is missed, immediately turn off the device.<br />
If Windows boots normally (not in Safe Mode), DrAService will immediately<br />
start encrypting the drive again. Any recovery actions taken at this point will<br />
risk irreparable damage to data on the drive.<br />
6. Open Device Management and navigate to Services and Applications ><br />
Services.<br />
The Device Management window appears.<br />
7. Locate and double-click DrAService to open the DrAService Properties window.<br />
8. On the General tab, change Startup type to Disabled.<br />
9. Click Apply, and then click OK.<br />
10. Reboot the device.<br />
11. Log on <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot, and then Windows.<br />
What to do next<br />
After all recovery actions are complete, set DrAService to Automatic. The device<br />
automatically re-encrypts the hard disk after the next reboot.
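The DrAService steps above can be checked from an elevated PowerShell prompt before the reboot. This is an added example, not part of the Trend Micro guide: the function names are hypothetical, and it assumes the service's registry key name is DrAService (the guide shows only the name listed in Services).<br />

```powershell
# Added example (not from the Trend Micro guide).
# Assumption: the service key name is "DrAService", matching the name shown in Services.

# Standard meaning of the Start value under HKLM\SYSTEM\CurrentControlSet\Services\<name>.
$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-DrAServiceStartup {
    param([string]$ServiceName = 'DrAService')

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path -Path $key)) {
        throw "Service key '$key' not found. Confirm the service name before continuing."
    }
    # Read the startup type straight from the registry so the check does not
    # depend on the service being able to start.
    $start = (Get-ItemProperty -Path $key -Name Start).Start
    [pscustomobject]@{
        Service     = $ServiceName
        StartValue  = $start
        StartupType = $StartNames[[int]$start]
    }
}

function Set-DrAServiceStartup {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Disabled', 'Automatic')]
        [string]$StartupType,
        [string]$ServiceName = 'DrAService'
    )

    Set-Service -Name $ServiceName -StartupType $StartupType -ErrorAction Stop

    # Re-read the value and stop if the change did not take effect.
    $now = Get-DrAServiceStartup -ServiceName $ServiceName
    if ($now.StartupType -ne $StartupType) {
        throw "Startup type is '$($now.StartupType)', expected '$StartupType'. Do not reboot yet."
    }
    $now
}

# During recovery (steps 6 to 9): disable the service and confirm before rebooting.
#   Set-DrAServiceStartup -StartupType Disabled
# After all recovery actions are complete: restore automatic start.
#   Set-DrAServiceStartup -StartupType Automatic

# Read-only check of the current setting.
Get-DrAServiceStartup
```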
Mount Partitions<br />
Use Mount Partitions to copy files between the encrypted hard disk and a storage device<br />
before imaging or reformatting the drive. The encrypted contents on the drive are<br />
displayed in the left pane and an unencrypted device can be mounted in the right pane.<br />
Use copy and paste to move files between panes. Files copied to the encrypted drive will<br />
be encrypted. Files copied out of the encrypted drive will be unencrypted.<br />
Restore Boot<br />
The Restore Boot option restores the original boot on the device when the device is<br />
fully decrypted, and is only available from <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot.<br />
Decrypt the disk before restoring the Master Boot Record (MBR).<br />
Procedure<br />
WARNING!<br />
Do not use Decrypt <strong>Disk</strong> before reading through the instructions. Data loss can occur.<br />
1. Log on Recovery Console.<br />
2. Click Decrypt <strong>Disk</strong> and then click Decrypt.<br />
3. Switch to the Restore Boot option.<br />
A Replace MBR confirmation window displays.<br />
4. Click Yes to replace the MBR.<br />
A message confirming the MBR replacement displays.<br />
5. Click Exit.<br />
The device boots into Windows.<br />
Manage <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Users<br />
Add or remove users from the preboot cache, or change a user's cached password.<br />
This option is useful when <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> cannot connect to PolicyServer. Both<br />
the <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot and Windows Recovery Console can use this option.<br />
Note<br />
• Manage Users is only available when not connected to PolicyServer.<br />
• Changes made to users through Recovery Console are overridden when <strong>Full</strong> <strong>Disk</strong><br />
<strong>Encryption</strong> connects to PolicyServer.<br />
Some considerations for passwords:<br />
• Assigned passwords, whether on a new account or for an existing one, are fixed<br />
passwords.<br />
• The user password expiration can be specified directly using the Password<br />
Expiration calendar.<br />
• The default setting for a new user is the date as determined by the Change<br />
Password Every policy located at: Common > Authentication > User<br />
Password.<br />
Note<br />
Set the date to the current date or older to force an immediate password change,<br />
while setting it to the future will specify a change on that date.<br />
Editing Users<br />
Editing users in the Recovery Console follows the same rules as in PolicyServer. For details about<br />
rules, see Add Users to PolicyServer on page 4-10.<br />
Procedure<br />
1. Select the user from the user list.
2. Update the desired information.<br />
3. Select the user type: Administrator, authenticator, or user.<br />
4. Set the password expiration date.<br />
5. Click Save.<br />
The user is updated.<br />
Adding Users<br />
Procedure<br />
1. Click Add User.<br />
2. Provide the user name and password, and confirm the password.<br />
3. Select the authentication method from the Authentication Type drop-down list.<br />
4. Set the password expiration date.<br />
5. Click Save.<br />
The new user appears in the User List. A confirmation window appears.<br />
6. Click OK to close the confirmation window.<br />
The new user is added.<br />
Deleting Users<br />
Procedure<br />
1. Select a user from the user list.<br />
2. Click Delete User.<br />
A delete user confirmation window appears.<br />
3. Click Yes.<br />
The user is deleted from the user list.<br />
Manage <strong>Policies</strong><br />
Use Manage <strong>Policies</strong> to set various policies for <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Recovery Console.<br />
For an explanation of these policies, see Understanding <strong>Policies</strong> on page 3-1.<br />
Note<br />
The Manage <strong>Policies</strong> option is only available when not connected to PolicyServer and any<br />
changes will be overridden the next time <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> connects to PolicyServer.<br />
View Logs<br />
View Logs provides the capability for an Administrator to search for and display logs<br />
based on specific criteria. View Logs is only available from Recovery Console using<br />
Windows. It is unavailable from the <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot.<br />
For information about viewing <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> logs, see Accessing Recovery Console<br />
from Windows on page 5-17.<br />
Network Setup<br />
Use Network Setup to verify, test, and/or change the network settings that are used by<br />
<strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot. There are three tabs: IPv4, IPv6, and PolicyServer.<br />
Note<br />
New in <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> 3.1.3 is the ability to change PolicyServer or Enterprise<br />
without having to remove and reinstall <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong>.
Managing Network Configuration<br />
By default, Get setting from Windows is selected for both IPv4 and IPv6. Deselect<br />
this control to manually configure the network settings.<br />
• Choosing DHCP (IPv4) or Automatically get address (IPv6) uses the<br />
dynamically assigned IP address.<br />
• Choosing Static IP enables all fields in that section.<br />
• In the IPv6 tab, choosing Static IP when the IP Address field is empty creates a<br />
unique IP address based on the hardware address of the machine.<br />
Managing PolicyServer Settings<br />
Procedure<br />
1. Open the PolicyServer tab. There are two text fields: Current Server and Current<br />
Enterprise.<br />
• To change the current enterprise:<br />
a. Click Change Enterprise.<br />
b. When the warning message appears, click Yes.<br />
c. Specify the new server user name, password, enterprise and server name,<br />
then click Save.<br />
WARNING!<br />
Changing the enterprise requires configuring policies again and recreating<br />
groups, and deletes any cached passwords, password history, and audit<br />
logs.<br />
• To change the current server:<br />
a. Click Change Server.<br />
b. At the warning message, click Yes.<br />
c. Specify the new server address and click Save.<br />
2. Click Cancel to return to the Recovery Console menu options screen.<br />
<strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Recovery Methods<br />
Once a device is fully encrypted with <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong>, scenarios may exist where<br />
an Administrator needs to accomplish system restore actions:<br />
• The local Administrator password is lost<br />
• The Windows environment is corrupted<br />
Important<br />
For software encryption, standard data recovery tools (Windows Recovery <strong>Disk</strong>, ERD<br />
Commander, UBCD) cannot access a <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> 3.1.3 encrypted system;<br />
therefore, the system must be decrypted before any recovery actions are performed.<br />
Data recovery methods are available to Endpoint <strong>Encryption</strong> Administrators/<br />
Authenticators to recover data when the device is not functioning properly. <strong>Full</strong> <strong>Disk</strong><br />
<strong>Encryption</strong> must be installed.<br />
TABLE 5-6. Recovery Methods for <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong>-protected devices<br />
RECOVERY METHOD | DESCRIPTION | WHEN TO USE<br />
<strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Uninstall | <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Uninstall removes <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> from the device. Once the uninstall is complete, you may proceed with established recovery action within Windows. | Windows environment is working normally.<br />
Recovery Console | Selecting the <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Recovery Console > Decrypt <strong>Disk</strong> option allows Administrators to decrypt the selected hard disk on-the-fly or save the image of the decrypted hard disk to removable media. Note: This method is not recommended if Windows is functioning normally. | <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot loads, but Windows does not.<br />
Repair CD | The Repair CD is a bootable CD that is used to decrypt a corrupt drive when the device cannot be booted to <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong>. A typical symptom of a corrupted disk is a black screen. WARNING! Do not use if Windows is functioning normally. | • <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot does not load. • <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> cannot authenticate.<br />
Note<br />
To decrypt drive, the user must have Endpoint <strong>Encryption</strong> Enterprise or Group<br />
Administrator rights and Windows Administrator rights.<br />
Repair CD<br />
The <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Repair CD is a bootable disk used to fully decrypt a device if<br />
the device is unable to boot.<br />
Note<br />
• If physical damage (bad sectors) has occurred to the hard disk drive, the drive may not<br />
decrypt completely or may become unusable.<br />
• Verify that the hard-disk drive cable is properly connected.<br />
Several options are available after booting from Repair CD:<br />
TABLE 5-7. Repair CD Options<br />
OPTION | DESCRIPTION<br />
Recovery | Launches Recovery Console.<br />
Unlock | Unlock a device that has been locked because: • too many unsuccessful login attempts • no communication with PolicyServer for a specified duration. Note: Unlock option is only available when the policy Remote Authentication is set to Lock Out.<br />
Reboot | Restarts the device.<br />
Advanced Options | Provides access to advanced options: • Remove <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot • Erase • Force Decryption<br />
TABLE 5-8. Repair CD Advanced Options<br />
ADVANCED OPTION | DESCRIPTION<br />
Remove <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot | Removes the <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot authentication screen from the device. WARNING! This action cannot be undone, and does not decrypt the drive. Use the Decrypt <strong>Disk</strong> to remove encryption.<br />
Erase | Removes all data from the drive.<br />
Return to the Main | Return to the standard CD options.<br />
Force Decryption | Allows an Administrator to decrypt the drive when <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> will not boot.<br />
WARNING!<br />
Data loss can occur if the Advanced Options are used incorrectly.<br />
Recovering Data with Repair CD<br />
Use Repair CD to attempt to recover data from an encrypted device. However, there are<br />
a number of considerations to keep in mind before trying to decrypt the disk:<br />
• Only use Repair CD if the device is encrypted, or has begun encryption.<br />
• If the device contains important data, make a backup image before continuing. For<br />
instructions, go to http://esupport.trendmicro.com/solution/en-us/1059802.aspx.<br />
• Do not attempt to decrypt a laptop unless it is connected to AC power.<br />
• If the Repair CD does not boot, verify that the device has the latest BIOS version<br />
installed. Upgrade the system BIOS if necessary.<br />
• Drive decryption using this method takes at least as long as the initial encryption<br />
process.<br />
• If a bad sector is encountered, visible progress may slow down. Allow the CD to<br />
continue decryption and contact <strong>Trend</strong> <strong>Micro</strong> Support before interrupting the<br />
process.<br />
WARNING!<br />
Do not interrupt the process once you initiate decryption from the Repair CD. Otherwise,<br />
irreversible data loss may occur.<br />
Decrypting a <strong>Disk</strong> using the Repair CD<br />
Procedure<br />
1. Power on the networked system.<br />
a. Immediately press F12 (or the appropriate button to enter the boot options).<br />
b. Insert the Repair CD and select the CD/DVD drive from the boot options<br />
screen.<br />
The device boots into the Repair CD environment.<br />
2. At <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot, select Recovery Console.<br />
3. Provide the user name and password.<br />
4. Click Login.<br />
Recovery Console displays.<br />
5. Select Decrypt <strong>Disk</strong>(s) to begin fully decrypting the device.<br />
6. When decryption completes, click Exit to return to Repair CD menu.<br />
7. Click Reboot to restart the device.<br />
Note<br />
Remove the CD in order to start the device normally.<br />
8. Log on <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Preboot.
9. Log on Windows and proceed with the preferred recovery method.<br />
Cleaning Up <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong> Files<br />
Decrypting a drive removes MBR changes and other essential elements used to protect<br />
the device. For software encryption, decrypt the disk completely before uninstalling <strong>Full</strong><br />
<strong>Disk</strong> <strong>Encryption</strong>. Otherwise, the OS may crash.<br />
Procedure<br />
WARNING!<br />
If the MSI is executed to uninstall on a non-DriveTrust machine, the OS will not be found<br />
after the client is restarted.<br />
1. From a command line:<br />
a. Run msiexec.exe /X{17BACE08-76BD-4FF5-9A06-5F2FA9EBDDEA}<br />
2. From Windows:<br />
a. Open regedit within Windows and browse to the following key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{17BACE08-76BD-4FF5-9A06-5F2FA9EBDDEA}.<br />
b. Browse to the UninstallString key: msiexec.exe /x {17BACE08-76BD-4FF5-9A06-5F2FA9EBDDEA}.<br />
c. Copy the string.<br />
d. Open Run... and paste the string in the Open field.<br />
e. Click OK.<br />
The Windows Installer window appears.<br />
f. At the uninstall confirmation, click Yes.<br />
Note<br />
If the User Account Control window appears, click Allow.<br />
g. When prompted to turn off the DrAService, select the second radio button<br />
option Do not close applications, and then click OK.<br />
3. If prompted to reboot the device, click Yes. Otherwise, restart the device manually.
Chapter 6<br />
Working with FileArmor<br />
FileArmor protects individual files and folders on local hard drives, and removable<br />
media devices (USB drives). Administrators can set policies specifying which folders and<br />
drives are encrypted on the device and policies about encrypted data on removable<br />
media. <strong>Encryption</strong> is performed after authentication takes place.<br />
FileArmor can also protect different files with different keys, allowing Administrators to<br />
set access policies to a device and separate policies for access to certain files. This is<br />
useful in environments where multiple users access one endpoint.<br />
This chapter covers the following topics:<br />
• FileArmor System Tray Icon Menu<br />
• FileArmor Authentication<br />
• FileArmor Encryption<br />
• FileArmor Secure Delete<br />
FileArmor Authentication<br />
This section explains how to authenticate using FileArmor and aspects particular to<br />
using FileArmor. All authentication methods for Endpoint <strong>Encryption</strong> are available in<br />
FileArmor. See Account Roles and Authentication on page 1-12 for details about<br />
authentication methods.<br />
FileArmor First-time Authentication<br />
When FileArmor is launched for the first time, an initial registration is required to<br />
identify PolicyServer. The fixed password authentication method is default. Other<br />
options are available depending on policy settings.<br />
Procedure<br />
1. Right-click the FileArmor tray icon, and then select Register.<br />
2. Provide the user name and password.<br />
3. Specify the PolicyServer IP address (or host name) and the PolicyServer enterprise.<br />
4. Click OK.<br />
The Change Password screen appears.<br />
5. Select the desired authentication method from the drop-down.<br />
6. Specify and confirm the new password, and then click OK.<br />
Note<br />
Without authenticating to FileArmor, access to files and removable media is denied.<br />
FileArmor Domain Authentication<br />
For seamless integration and use of the FileArmor domain authentication/Single Sign-On<br />
(SSO) process, ensure the following requirements are met:<br />
• The user belongs to a group with the policy Common > Authentication ><br />
Domain Authentication set to Yes<br />
• At the group level, go to Common > Authentication > Network Login policies<br />
and set Host Name and Domain Name.<br />
• PolicyServer and all devices using domain authentication are on the same domain.<br />
• The user account is configured in both Active Directory and PolicyServer. The user<br />
name is case sensitive and must match exactly.<br />
Note<br />
FileArmor SSO requires the following policy enabled: Common > Authentication ><br />
Network Login > Domain Authentication.<br />
Authenticating with Domain Authentication<br />
Enable domain authentication at:<br />
Group Name > <strong>Policies</strong> > Common > Authentication > Network Login ><br />
Domain Authentication.<br />
Procedure<br />
1. Choose Domain Authentication as the authentication type.<br />
2. Provide the user name and password for the domain account.<br />
3. Click OK.<br />
Note<br />
• Changing passwords is not available for domain users and FileArmor cannot<br />
change a Windows domain password. That functionality is controlled by Active<br />
Directory.<br />
• Domain authentication cannot be used with a Smart Card PIN.<br />
• Remote <strong>Help</strong> is available to domain users. However, the domain password must<br />
be reset in Active Directory if it is forgotten.<br />
FileArmor Smart Card Authentication<br />
To use smart card authentication, ensure that the following requirements are met:<br />
• FileArmor policy Login > Password > Physical Token Required = Yes.<br />
• The smart card reader is connected and the smart card is inserted.<br />
Note<br />
FileArmor only supports CASC and PIC smart cards<br />
• ActivClient 6.1 with all service packs and updates must be installed.<br />
• Specify the smart card PIN in the password field.<br />
WARNING!<br />
Failure to provide a correct password will send a password error and can result in<br />
locking the smart card.<br />
Authenticating with a Smart Card<br />
FileArmor smart card authentication is only available if enabled by policy. In<br />
PolicyServer, mark Smart Card as an authentication option in FileArmor > Login ><br />
Authentication Methods Allowed.
Procedure<br />
1. Open FileArmor and select Smart Card from the authentication<br />
drop-down.<br />
2. Provide the user name.<br />
3. Provide the smart card PIN or fixed password (if applicable).<br />
4. Click OK.<br />
FileArmor ColorCode Authentication<br />
FileArmor ColorCode authentication is only available if enabled by policy. The policy is<br />
available at: Group Name > <strong>Policies</strong> > FileArmor > Login > Authentication<br />
Methods Allowed<br />
Procedure<br />
1. Select ColorCode from the authentication drop-down.<br />
2. Input unique ColorCode combination.<br />
3. Click OK.<br />
FileArmor PIN Authentication<br />
FileArmor PIN authentication is only available if enabled by policy. The policy is<br />
available at: Group Name > <strong>Policies</strong> > FileArmor > Login > Authentication<br />
Methods Allowed.<br />
Procedure<br />
1. Select PIN from the authentication drop-down.<br />
2. Specify the PIN combination.<br />
3. Click OK.<br />
Changing Password in FileArmor<br />
To change the password, a user must authenticate to FileArmor with a User account.<br />
Administrator and Authenticator accounts cannot change the password. The password can<br />
be changed to any method that is allowed by PolicyServer policies.<br />
Procedure<br />
1. Right-click the FileArmor tray icon, and then select Change Password.<br />
2. Specify the password, and then click Next.<br />
3. Select any available authentication method, provide and confirm the new password,<br />
and then click OK.<br />
The new password is updated and a confirmation displays.<br />
Forced Password Reset<br />
FileArmor prevents unauthorized access to encrypted files and folders by locking<br />
protected files if there are too many invalid authentication attempts or if the endpoint<br />
has not communicated with PolicyServer for a specified duration. Depending on a<br />
policy, FileArmor locks a user from access or enacts a time delay before authentication<br />
attempts can be made.<br />
Unlocking a Device<br />
If a user has exceeded the number of authentication attempts and policies are set to<br />
enact Remote Authentication, FileArmor locks Endpoint <strong>Encryption</strong> folders and<br />
notifies the user that Remote <strong>Help</strong> is required. Remote <strong>Help</strong> is used to unlock<br />
FileArmor and requires Enterprise/Group Authenticator assistance.
Procedure<br />
1. Right-click the FileArmor tray icon and select Remote <strong>Help</strong>.<br />
The Remote <strong>Help</strong> window appears.<br />
FIGURE 6-1. FileArmor Remote <strong>Help</strong><br />
2. Specify the user name.<br />
3. Click Get Challenge.<br />
4. Type the Response provided by the Enterprise/Group Authenticator.<br />
5. Click Log In.<br />
The user is authenticated to FileArmor and a notification displays.<br />
Time Delay<br />
If a user exceeds the number of authentication attempts and the policy is set to enact a<br />
time delay, FileArmor imposes a temporary delay that cannot be bypassed and must expire<br />
before authentication is permitted.<br />
After exceeding the allowed number of failed authentication attempts, FileArmor locks<br />
the device and notifies the user that the device is locked. The ability to log on or reset<br />
the password is disabled during the time delay. The duration of the time delay is<br />
determined by policy. Once the time delay has elapsed, the user may authenticate.<br />
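The lockout rules from Forced Password Reset, Unlocking a Device and Time Delay, modelled as a small state machine. This is an added example, not FileArmor code; the class names, status strings, the counter reset when the delay expires and the offline-timer restart after Remote Help are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class LockAction(Enum):
    REMOTE_AUTH = "remote_auth"  # locked until an Authenticator unlocks it via Remote Help
    TIME_DELAY = "time_delay"    # locked until the policy-defined delay has expired


@dataclass(frozen=True)
class LockoutPolicy:
    max_failed_attempts: int
    action: LockAction
    delay_seconds: int = 0
    max_offline_seconds: int = 0  # 0 disables the "no contact with the server" lock


def _derive(password: str, salt: bytes) -> bytes:
    # Keep a salted, stretched verifier rather than the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class EndpointClient:
    """Conceptual model of the lockout rules. Time is passed in as seconds."""

    def __init__(self, policy, password, now, salt=b"constructed-salt"):
        self.policy = policy
        self._salt = salt
        self._verifier = _derive(password, salt)
        self.failed = 0
        self.locked_at = None   # time at which the attempt limit was reached
        self.last_sync = now    # last contact with the policy server

    def sync(self, now):
        self.last_sync = now

    def status(self, now):
        """Return 'open', 'time_delay' or 'remote_help_required'."""
        p = self.policy
        if p.max_offline_seconds and now - self.last_sync > p.max_offline_seconds:
            return "remote_help_required"
        if self.locked_at is None:
            return "open"
        if p.action is LockAction.REMOTE_AUTH:
            return "remote_help_required"
        if now - self.locked_at >= p.delay_seconds:
            # Assumption: the failure counter starts over once the delay expires.
            self.locked_at, self.failed = None, 0
            return "open"
        return "time_delay"

    def login(self, password, now):
        """Return 'ok', 'denied', or the lock status that blocked the attempt."""
        status = self.status(now)
        if status != "open":
            return status       # while locked, the password is not even evaluated
        if hmac.compare_digest(_derive(password, self._salt), self._verifier):
            self.failed = 0
            return "ok"
        self.failed += 1
        if self.failed >= self.policy.max_failed_attempts:
            self.locked_at = now
            return self.status(now)
        return "denied"

    def change_password(self, old, new, now):
        """Password reset is disabled for as long as the device is locked."""
        if self.login(old, now) != "ok":
            return False
        self._verifier = _derive(new, self._salt)
        return True

    def remote_help_unlock(self, now):
        """Call only after the Authenticator's response has been verified."""
        self.locked_at, self.failed = None, 0
        # Assumption: a successful Remote Help session restarts the offline timer.
        self.last_sync = now
```

With the TIME_DELAY action even the correct password is refused until the delay has expired, which is what makes the delay impossible to bypass.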
FileArmor System Tray Icon Menu<br />
After FileArmor is installed, an icon is displayed in the system tray. The icon<br />
provides access to numerous FileArmor functions. Right-click the icon to display the<br />
menu items.<br />
TABLE 6-1. FileArmor system tray icon options<br />
MENU ITEM | FUNCTION<br />
Register | First-time user registration of FileArmor with the PolicyServer. For details, see FileArmor First-time Authentication on page 6-2.<br />
Log In / Log Out | Authenticate with PolicyServer.<br />
Change Password | Permits non-domain authenticated users to change their password. For details, see Changing Password in FileArmor on page 6-6.<br />
Remote Help | Unlock FileArmor using Remote Help to authenticate if the password is forgotten, there were too many failed authentication attempts, or the device has not communicated with the PolicyServer for a specified duration. For details, see Forced Password Reset on page 6-6.<br />
Sync with PolicyServer | Manually download policy updates from PolicyServer. Useful for testing connectivity to PolicyServer. For details, see Syncing with PolicyServer on page 6-9.<br />
Sync with PolicyServer Offline Files | See Syncing with PolicyServer Offline Files on page 6-9 for details.<br />
Hide Notification | Silences all FileArmor notifications.<br />
About FileArmor | Displays FileArmor information including version, last sync time, and authenticated user. For details, see FileArmor System Tray Icon Menu on page 6-8.<br />
Close Tray | Temporarily removes the FileArmor tray icon.<br />
Syncing with PolicyServer<br />
Endpoint clients can manually download new FileArmor policies by opening the<br />
FileArmor tray icon and selecting Sync with PolicyServer.<br />
Note<br />
• Clients do not need to be authenticated to synchronize policies.<br />
• If a network connection or PolicyServer is unavailable, a Failed to sync with server<br />
error displays.<br />
Syncing with PolicyServer Offline Files<br />
Offline updates work with FileArmor 3.0.13.2447 or higher and now work on x64<br />
installs of FileArmor. If the update is generated, the offline update will replace any<br />
existing user password with the new fixed password.<br />
Synchronized passwords will not replace a user password on update to maintain the<br />
same functionality of managed devices.<br />
A fixed password is required to add a user to an offline endpoint client. The offline<br />
process will generate two files:<br />
• The first file with the .exe extension is used for updating existing <strong>Full</strong> <strong>Disk</strong><br />
<strong>Encryption</strong> devices<br />
• The second file with the policy update extension is used to update FileArmor.<br />
Note<br />
Blackberry policies are removed from all new offline installs where Blackberry was not<br />
enabled by the license file. This will significantly decrease the size of the file.<br />
Changing PolicyServer<br />
The PolicyServer that FileArmor connects to can be updated from the About window.<br />
Procedure<br />
1. Right-click the FileArmor tray icon and select About FileArmor.<br />
The About window displays.<br />
2. Click Edit PolicyServer.<br />
3. Specify the new PolicyServer hostname or IP address.<br />
4. Click OK.<br />
FileArmor is now managed by the new PolicyServer.<br />
FileArmor <strong>Encryption</strong><br />
Files can be encrypted with FileArmor policies defined locally or from policies defined<br />
by PolicyServer. The method used depends on enterprise and endpoint user needs for<br />
file access and the level of security desired.<br />
Files can be encrypted automatically by saving files in several locations:<br />
• A folder on the device<br />
• A folder that resides on removable media<br />
• A fully encrypted removable media device
Files can also be encrypted by right-clicking the file and selecting one of the following<br />
from the FileArmor context menu:<br />
TABLE 6-2. FileArmor context menu items<br />
MENU ITEM | DESCRIPTION<br />
Archive | Create an encrypted copy of the specified file.<br />
Archive and Burn | Create an encrypted copy of the specified file and write it to CD/DVD.<br />
FileArmor Local Key <strong>Encryption</strong><br />
Selecting the Local Key function allows a user to encrypt files so that they can be viewed<br />
only by that user.<br />
Note<br />
• Set FileArmor > <strong>Encryption</strong> > <strong>Encryption</strong> Method Allowed to User’s Unique<br />
Key.<br />
• Local Key files can only be accessed on a FileArmor device by the user who created<br />
them.<br />
• When a file is encrypted, FileArmor creates a new file. The original file remains<br />
unencrypted in its original location.<br />
WARNING!<br />
Depending on the Windows operating system a user may view folder contents if switching<br />
from one user to a separate user without restarting Windows. While file names and folder<br />
content may be viewed, the file contents are not available. This is due to Windows<br />
operating system caching the file structure for quick search capability.<br />
Creating a Local Key<br />
Procedure<br />
1. Right-click the desired file and select FileArmor > Archive > Local Key.<br />
The original files or folders are unchanged and can be kept or deleted.<br />
FileArmor Shared Key <strong>Encryption</strong><br />
Files can be encrypted strictly for viewing by members of a policy group using the<br />
Shared Key function.<br />
• Local Key files can only be accessed on a FileArmor device by the user who<br />
created them.<br />
• Set two policies: Allowed <strong>Encryption</strong> Methods to Group Unique Key and<br />
<strong>Encryption</strong> Key Used to Group Key.<br />
• To allow encrypted files to be viewed by a FileArmor user within the PolicyServer<br />
Enterprise, set Encryption Key Used to Enterprise Key.<br />
• When a file is encrypted, FileArmor creates a new file. The original file is left in its<br />
original location unencrypted.<br />
WARNING!<br />
Depending on how Windows permissions are configured, a user can view encrypted folder<br />
contents if switching between users without restarting Windows. While the file names and<br />
folder content may be viewed, the file contents are not available. This is due to Windows<br />
Operating system caching the file structure for quick search capability.<br />
Creating a Shared Key<br />
Right-click the desired file and select FileArmor > Archive > Shared Key. The original<br />
files or folders are unchanged and can be kept or deleted.<br />
FileArmor Fixed Password <strong>Encryption</strong><br />
FileArmor can create encrypted files using a fixed password. The encrypted file can<br />
optionally be self-extracting, meaning that the recipient does not need FileArmor to<br />
decrypt the file. Note the following:
• There is no functionality available for password recovery with self-extracting files.<br />
If a password is forgotten, the encrypted file cannot be recovered.<br />
• Due to a Windows limitation, executable (self-extracting) files cannot be larger than<br />
2GB.<br />
Creating a Fixed Password Key<br />
Procedure<br />
1. Right-click the desired file and then select FileArmor > Archive > Fixed<br />
Password.<br />
2. Provide the fixed password and confirm.<br />
Note<br />
Mark Output encrypted data as a self-extracting archive if necessary.<br />
3. Click OK.<br />
The file is encrypted.<br />
4. To unencrypt the file, double-click the file, provide the archive password, and then<br />
click OK.<br />
5. For self-extracting archives, double-click the file, provide the archive password,<br />
choose the extraction location, choose whether to open destination after extraction<br />
or to overwrite existing files, and then click Continue.<br />
The original files or folders are unchanged and can be kept or deleted.<br />
FileArmor Digital Certificate <strong>Encryption</strong><br />
FileArmor can encrypt files with digital certificates (smart cards) from the Windows<br />
certificate store.<br />
Creating a Digital Certificate Key<br />
Procedure<br />
1. Right-click the desired file and select FileArmor > Archive > Certificate.<br />
2. Select a Certificate Store and then click Gather Certificates.<br />
3. Select one or more certificates and then click OK.<br />
Note<br />
Certificates are gathered from the Windows certificate store.<br />
4. Select an optical drive with a blank CD/DVD inserted in the drive.<br />
5. Click OK.<br />
The original files or folders are unchanged and can be kept or deleted.<br />
FileArmor Archive and Burn<br />
The FileArmor Archive and Burn function can be used to write encrypted files to CD/<br />
DVD. Files are self-extracting and can be encrypted using a Fixed Password or Digital<br />
Certificate.<br />
Burning an Archive with a Fixed Password<br />
Procedure<br />
1. Right-click the file and select FileArmor > Archive and Burn > Fixed<br />
Password from the FileArmor context menu.<br />
2. Provide a password and confirm.<br />
3. Select a drive with a writeable disk inserted in the drive.<br />
4. Click OK.
The self-extracting file is burned to CD/DVD.<br />
Burning an Archive with a Certificate<br />
Procedure<br />
1. Right-click the file and select FileArmor > Archive and Burn ><br />
Certificate from the FileArmor context menu.<br />
2. Select a Certificate Store and click Gather Certificates.<br />
3. Select one or more certificates and click OK.<br />
4. Select an optical drive with a blank CD/DVD inserted.<br />
5. Click OK.<br />
The self-extracting file is burned to CD/DVD.<br />
FileArmor Secure Delete<br />
FileArmor provides a secure delete function that wipes, erases, and cleans the selected<br />
files and the file history from your device.<br />
Procedure<br />
1. Right-click the file and go to FileArmor > Secure Delete.<br />
2. Click Yes to permanently delete the file.<br />
Chapter 7<br />
Working with KeyArmor<br />
KeyArmor USB drives secure data with always-on hardware encryption and embedded<br />
antivirus/anti-malware protection to meet regulatory compliance requirements and<br />
stringent government mandates. With KeyArmor, Administrators have complete<br />
visibility and control of who, when, where, and how USB drives are used in their<br />
organization.<br />
This chapter covers the following topics:<br />
• KeyArmor Features<br />
• KeyArmor Authentication<br />
• Using KeyArmor<br />
KeyArmor Authentication<br />
KeyArmor Authentication has the capability to provide users with a variety of<br />
identification methods. These choices offer flexibility that can be targeted to meet the<br />
security requirements of the enterprise. A successful authentication allows a user access<br />
to the device.<br />
For details about Endpoint <strong>Encryption</strong> authentication, see Account Roles and<br />
Authentication on page 1-12.<br />
Authenticating to KeyArmor for the First Time<br />
Procedure<br />
1. Insert the KeyArmor flash device into a USB port to launch the software.<br />
• If KeyArmor auto launches, the status bar displays and the KeyArmor icon is<br />
added to the tray.<br />
• If KeyArmor does not auto launch, go to My Device and open the KeyArmor<br />
drive.<br />
2. Specify the user name and password.<br />
3. Specify the PolicyServer in the Host Name or IP Address field.<br />
4. Specify the enterprise name in the Enterprise Name field.<br />
5. Click Login.
Changing Authentication Methods<br />
Note<br />
• Only one authentication method is valid for any particular user at any given time.<br />
• A user can change his/her authentication method only after successfully logging on a<br />
KeyArmor device.<br />
Procedure<br />
1. Right-click the KeyArmor icon from the tray and select Change Password.<br />
The Loading window appears and is followed by the Change Password screen<br />
for the user’s current authentication method.<br />
2. Click Authentication.<br />
3. Select a new authentication method.<br />
4. Specify current password.<br />
5. Click Change to display new authentication method screens.<br />
The Completed Authentication Method Change screen appears.<br />
Fixed Password<br />
Fixed passwords are the most common user identification method. The password is<br />
chosen by the user. To configure policy restrictions on passwords, go to KeyArmor ><br />
Login at the group or Enterprise level.<br />
Note<br />
Fixed password is always used as the initial authentication to KeyArmor.<br />
Procedure<br />
1. Specify and confirm the new fixed password.<br />
2. Do one of the following:<br />
• To complete the password change, click Change.<br />
• To remove any content from the fields, click Clear.<br />
The user is authenticated to KeyArmor and can now save data to the SECURE<br />
DATA folder; the KeyArmor icon displays in the system tray.<br />
KeyArmor Features<br />
This section explains the key features of KeyArmor.<br />
Device Components<br />
KeyArmor mounts two drives when the device is inserted in a USB port.<br />
FIGURE 7-1. KeyArmor Devices<br />
• KeyArmor (E:) contains the KeyArmor program files.<br />
• SECURE DATA (F:) is KeyArmor user storage. KeyArmor encrypts all files<br />
stored in this drive.
Protecting Files with KeyArmor<br />
To safeguard files using KeyArmor, copy or drag the selected folder, file, or document<br />
to the KeyArmor SECURE DATA drive.<br />
Files saved to KeyArmor are automatically encrypted and accessible with valid Endpoint<br />
<strong>Encryption</strong> credentials. Files remain encrypted as long as they are stored on KeyArmor.<br />
Note<br />
To ensure current antivirus definitions, do not copy any files to the KeyArmor device until<br />
the initial antivirus updates complete.<br />
No Information Left Behind<br />
There are several ways that KeyArmor avoids leaving any information on the local<br />
device:<br />
• Browsing files on the KeyArmor device copies no data to the host device.<br />
• Opening and editing documents using applications on the host device may store<br />
temporary or recovery file data on the host device.<br />
• Most software applications can be configured to store their temporary or recovery<br />
file data on the KeyArmor device.<br />
KeyArmor Antivirus Updates and Activity<br />
After authenticating, KeyArmor antivirus definitions will attempt to update. KeyArmor<br />
presents warnings about antivirus update activity.<br />
WARNING!<br />
Do not log off or remove a KeyArmor device from the endpoint client while the antivirus<br />
update is in process.<br />
Copying files or opening files from KeyArmor is an end-user initiated activity. Files are<br />
scanned as they are saved or copied to KeyArmor. If a virus is found, the system<br />
Administrator controls the resulting action including an attempt to repair or delete the<br />
file; or to wipe the KeyArmor device completely. Users may have the ability to initiate a<br />
full scan of their KeyArmor device once authenticated.<br />
KeyArmor Check <strong>Disk</strong> Notification<br />
Improperly removing a KeyArmor device without safe removal can cause file system<br />
corruption. Always log off KeyArmor before physically removing the device. In the<br />
event of an improper shutdown, unsafe removal, or other unforeseen circumstance, you<br />
may be prompted to check the disk next time the key is inserted. It is safe to ignore and<br />
move past this prompt; KeyArmor will check the disk for you and correct any errors.<br />
Using KeyArmor<br />
This section explains how to use KeyArmor.<br />
Warning About Unencrypted Devices<br />
• KeyArmor users should follow their organization's policy related to transporting<br />
data beyond an individual's assigned work device.<br />
• KeyArmor encrypts all files stored to it.<br />
• KeyArmor software runs from the device and at no time does the KeyArmor<br />
software copy data to the host device.<br />
• Browsing files on the device also does not copy data to the host device.<br />
• Copying files to a host device is a user initiated action which can only be executed<br />
after proper authentication to a device.<br />
• Some software applications running on the host may store temporary or recovery<br />
file data on the host device.
• Most software applications can be configured to store temporary or recovery file<br />
data on the KeyArmor device. This action is recommended if the device will be<br />
permitted to travel outside the boundaries of the trusted/secure network.<br />
KeyArmor Taskbar<br />
Several options are available when opening KeyArmor from the taskbar:<br />
TABLE 7-1. KeyArmor Taskbar<br />
MENU ITEM | FUNCTION<br />
Start Full Scan | Scans the KeyArmor device for threats.<br />
Download Policy Updates | Downloads the most current policy updates. For example, if the Administrator makes a change to add an authentication method and removes the existing authentication methods, the user might be directed to download policy updates and immediately begin using the new authentication method.<br />
Change Password | Permits non-domain authenticated users to change their password.<br />
Open Secure Data | Opens the SECURE DATA drive.<br />
About KeyArmor | Displays KeyArmor information including version, last sync time, and authenticated user.<br />
Logout | Logs off KeyArmor.<br />
KeyArmor Menu<br />
Several options are available by opening the KeyArmor menu:<br />
TABLE 7-2. KeyArmor menu items<br />
MENU ITEM | DESCRIPTION<br />
Authentication | See KeyArmor Authentication on page 7-2 for details.<br />
Download Policy Updates | Download the most current policy updates. For example, if the Administrator makes a change to add an authentication method and removes the existing authentication methods, the user might be directed to download policy updates and immediately begin using the new authentication method.<br />
Help | See KeyArmor Menu Help on page 7-8 for details.<br />
KeyArmor Menu <strong>Help</strong><br />
The KeyArmor <strong>Help</strong> menu has several user-assistance options.<br />
If Found<br />
When a KeyArmor device is lost and then found by a person other than the device<br />
owner, the If Found option provides contact information that will assist the finder in<br />
returning the device to its rightful owner. This option can be accessed by anyone<br />
without entering the proper credentials.<br />
The If Found message is created as a policy in the PolicyServer.<br />
Procedure<br />
1. To create an If Found message, go to KeyArmor > Notice Messages.<br />
2. Right-click If Found and then select Properties.
The Edit Policy Value window appears.<br />
FIGURE 7-2. Editing If Found Policy<br />
3. Specify the If Found message in the Policy Value field.<br />
4. Click Apply.<br />
Q/A Password Reset<br />
Self <strong>Help</strong> allows users to respond to one or more predefined questions. The Self <strong>Help</strong><br />
questions are created as policies in the PolicyServer.<br />
To define the questions:<br />
Procedure<br />
1. Go to Common > Authentication > Local Login > Self <strong>Help</strong>.<br />
2. Right-click Number Of Questions and select Properties.<br />
3. In the Policy Value field, specify the number of questions that must be answered<br />
correctly.<br />
4. Click Apply.<br />
5. Right-click Personal Challenge and click Add.<br />
6. Open the Personal Challenge policy that displays and specify one question in the<br />
Policy Value field, and then click Apply.<br />
Note<br />
Any user assigned to the group where the questions are created will be prompted to<br />
provide a response to each question the first time the user logs in subsequent to the<br />
new policy setting.<br />
Remote Password Reset<br />
Remote <strong>Help</strong> is a process that allows a user who has forgotten their password to have it<br />
reset remotely. When using Remote <strong>Help</strong>, the user must be able to (1) contact his/her<br />
<strong>Help</strong> Desk and (2) have access to the Remote Password Reset option in the KeyArmor<br />
<strong>Help</strong> menu.<br />
Procedure<br />
1. The user selects Remote Password Reset from the <strong>Help</strong> menu.
2. The user contacts the PolicyServer Administrator.<br />
3. The user reads the Device ID to the support person.<br />
4. Support locates the Device ID in the PolicyServer MMC and right-clicks the<br />
device to display the menu options and then selects Soft Token.<br />
5. The user reads the Challenge to the Administrator.<br />
6. The Administrator enters the challenge in the Challenge field, clicks Get<br />
Response and reads the Response to the user.<br />
7. The user types the response in the Response field, and then clicks Login.<br />
The user is presented with a Change Password screen based on the current<br />
authentication method.<br />
8. The user must specify and confirm the new password.<br />
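The guide does not say how PolicyServer derives the Response from the Challenge, so the sketch below is an added illustration and not Trend Micro's algorithm. It models the Remote Password Reset steps above (the same Get Challenge / Response pattern as FileArmor Remote Help) with a generic HMAC construction; the per-device shared key, the 8-digit codes and all class and function names are assumptions.

```python
import hashlib
import hmac
import secrets

DIGITS = 8  # assumed code length: short enough to read out over the phone


def _code(key: bytes, device_id: str, challenge: str) -> str:
    """Decimal code bound to one device and one challenge (HOTP-style truncation)."""
    msg = device_id.encode() + b"\x00" + challenge.encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**DIGITS:0{DIGITS}d}"


class HelpDesk:
    """Authenticator side: looks the device up by ID and computes the response."""

    def __init__(self):
        self._keys = {}

    def enroll(self, device_id: str) -> bytes:
        key = secrets.token_bytes(32)  # assumed per-device secret set at registration
        self._keys[device_id] = key
        return key

    def get_response(self, device_id: str, challenge: str) -> str:
        if device_id not in self._keys:
            raise KeyError(f"unknown device {device_id!r}")
        return _code(self._keys[device_id], device_id, challenge)


class LockedDevice:
    """User side: issues a one-time challenge and checks the typed response."""

    def __init__(self, device_id: str, key: bytes, max_tries: int = 3):
        self.device_id = device_id
        self._key = key
        self._challenge = None
        self._tries_left = 0
        self._max_tries = max_tries
        self.unlocked = False

    def get_challenge(self) -> str:
        self._challenge = f"{secrets.randbelow(10**DIGITS):0{DIGITS}d}"
        self._tries_left = self._max_tries
        return self._challenge

    def submit_response(self, response: str) -> bool:
        if self._challenge is None:
            return False  # no outstanding challenge: replayed or stale response
        expected = _code(self._key, self.device_id, self._challenge)
        ok = hmac.compare_digest(expected.encode(), response.strip().encode())
        self._tries_left -= 1
        if ok or self._tries_left == 0:
            self._challenge = None  # single use, and a bounded number of guesses
        self.unlocked = self.unlocked or ok
        return ok


def run_exchange(device_id: str = "DEVICE-0001"):
    """Walk through the steps; the device ID is a constructed sample value."""
    desk = HelpDesk()
    device = LockedDevice(device_id, desk.enroll(device_id))
    challenge = device.get_challenge()                   # user reads ID and challenge
    response = desk.get_response(device_id, challenge)   # Authenticator reads it back
    accepted = device.submit_response(response)
    replayed = device.submit_response(response)          # the same code again is refused
    return accepted, replayed
```

Binding the code to both the Device ID and a fresh challenge means a response overheard on one call is useless for another device or a later lockout.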
Support Information<br />
The Support Information screen generally provides the contact information for the<br />
company <strong>Help</strong> Desk.<br />
About KeyArmor<br />
The KeyArmor About screen is automatically populated and provides the following<br />
information:<br />
• Software version<br />
• User name<br />
• PolicyServer address<br />
• Enterprise<br />
• Device name<br />
• Last policy synchronization<br />
• FIPS version<br />
Protecting Files with KeyArmor<br />
Safeguarding your files is easy with KeyArmor: copy or drag the selected<br />
file or document to the KeyArmor drive. Any files or folders saved to KeyArmor are<br />
automatically encrypted and are accessible only to a person who logs on to the device with a<br />
valid user name and password.<br />
• All files and folders saved to KeyArmor are automatically encrypted.<br />
• Files remain encrypted as long as they are stored on KeyArmor.<br />
FIGURE 7-3. Copying Files to KeyArmor<br />
KeyArmor Activity Logging<br />
All KeyArmor activity is logged and transparently uploaded to PolicyServer over the<br />
network. The PolicyServer MMC provides access to standard reports and detailed log<br />
activity. Administrators can drill down to a specific device, file, and end-user activity. For<br />
details about KeyArmor policies, see KeyArmor <strong>Policies</strong> on page 3-32.
Safely Removing KeyArmor<br />
As with any USB storage device, safely remove a KeyArmor device before unplugging it<br />
from the USB port.<br />
WARNING!<br />
Data and/or device corruption can occur if KeyArmor is improperly removed from a<br />
machine.<br />
Select one of the following options to safely remove an authenticated KeyArmor device.<br />
• Choosing Log out from the KeyArmor interface (either the application window or<br />
the tray right-click menu) safely ejects the device.<br />
• Right-click the KeyArmor tray icon and select Log out.<br />
After logging off, KeyArmor is no longer listed in the Windows Safely<br />
Remove Hardware application, and it is safe to remove the device from the PC's USB port.<br />
To safely eject an unauthenticated KeyArmor device, close the authentication dialog box<br />
before submitting credentials.<br />
KeyArmor <strong>Full</strong> Scan<br />
After authenticating, KeyArmor attempts to update antivirus definitions. KeyArmor<br />
presents warnings about antivirus update activity. Do not log off or remove a KeyArmor<br />
device from your host PC while the antivirus update is in progress. As files are saved or<br />
copied to KeyArmor, they are scanned for viruses.<br />
If a virus is found, PolicyServer policies control the resulting action, which can be an attempt<br />
to repair or delete the file, or a complete wipe of the KeyArmor device. The client can<br />
also initiate a full scan of the KeyArmor device.<br />
TABLE 7-3. FileArmor Antivirus Activities<br />
ACTIVITY | DESCRIPTION<br />
Antivirus Updates | After antivirus definitions are loaded, KeyArmor updates definitions as defined by policy.<br />
File Scanning Activity | Files are scanned for viruses as they are copied to KeyArmor. Files with viruses are not copied to the protected device.<br />
Full Device Scanning | A full scan can be initiated from the KeyArmor Icon in the system tray by navigating to KeyArmor > Start Full Scan.<br />
Changing Default Antivirus Update Location<br />
Aside from the default update source, you can set another HTTP or FTP location where<br />
KeyArmor can download updates for its antivirus components.<br />
Note<br />
• By default, KeyArmor policy is configured to obtain updates automatically from the<br />
following location: FTP://download.trendmicro.com/products/pattern/<br />
• Administrators may opt to change this policy to have KeyArmor obtain antivirus<br />
updates from other remote host locations or from a local source using the HTTP or FTP<br />
conventions detailed below.<br />
Procedure<br />
1. To set an HTTP source:<br />
a. From the <strong>Trend</strong> <strong>Micro</strong> FTP server, copy any .zip files that begin with the<br />
characters “LPT” and the “opr.ini” file to the HTTP host location you<br />
have selected.<br />
b. Direct your KeyArmor devices to download the antivirus definitions from<br />
your HTTP web folder by specifying the full URL for the updates in the<br />
KeyArmor > Antivirus > Update Source policy value.<br />
For example, host these files on your PolicyServer machine by placing them in<br />
the main web directory: c:\inetpub\wwwroot\mawebservice2\
2. To set an FTP source:<br />
a. Install the <strong>Micro</strong>soft IIS FTP Service or other FTP server software and<br />
configure an FTP folder for use by network clients.<br />
b. Copy any .zip files that begin with “lpt” and the opr.ini file from the<br />
<strong>Trend</strong> <strong>Micro</strong> download location to the configured FTP server directory (for<br />
example c:\inetpub\ftpsvc\).<br />
c. Direct your KeyArmor devices to download the antivirus definitions from<br />
your FTP folder by specifying the full URL in the KeyArmor > Antivirus ><br />
Update Source policy value.<br />
What to do next<br />
<strong>Trend</strong> <strong>Micro</strong> recommends testing this configuration change by synchronizing policies on<br />
a registered KeyArmor device and verifying whether:<br />
1. Antivirus updates complete successfully.<br />
2. Antivirus definitions are updated on the key.<br />
3. PolicyServer log entries are made showing the new policy defined URL.<br />
Reassigning a KeyArmor Device to Another User<br />
KeyArmor can be configured to allow all users in a group or a single user to access a<br />
device. To change this policy, set KeyArmor > Login > Allow Only One User Per<br />
Device. When set to Yes, only one user can access the device at a given time.<br />
Note<br />
This policy does not affect Administrator or Authenticator roles.<br />
Procedure<br />
1. Log on to PolicyServer MMC and go to the group to which the device is assigned.<br />
2. Remove the device by right-clicking the Device ID and selecting Remove Device.<br />
Note<br />
• Do not remove the KeyArmor Device ID from your Enterprise - doing so will<br />
make the device unmanageable.<br />
• Security provisions are in place to prevent re-binding KeyArmor to an<br />
Enterprise once it has been tied to your Enterprise.<br />
• This same logic prevents re-adding KeyArmor to your enterprise should you<br />
inadvertently delete the Device ID from your PolicyServer.<br />
3. Insert the KeyArmor device into a PC and sync policies.<br />
4. Return to the MMC and add the device to the required group.<br />
5. Ensure the new user is a member of the required group.<br />
6. Assign the new user a fixed password.<br />
7. Distribute the device to the new user and provide them with their user name and<br />
password.<br />
8. The device will now be tied to the new individual.<br />
WARNING!<br />
Any data that remained on the device from the previous user will be accessible to the<br />
new user. Administrators should follow their internal guidelines for reformatting or<br />
re-provisioning a device prior to assigning KeyArmor to a new user.<br />
Adding a Deleted KeyArmor Back to the Enterprise<br />
If a device is mistakenly deleted, it can be re-added to the enterprise in one of two ways:<br />
Procedure<br />
1. Automatically - when a user is logged into a device connected to PolicyServer, it<br />
will automatically be added back to the enterprise during the next device<br />
synchronization.
a. An Enterprise Administrator must still manually move the device into the<br />
correct group to ensure ongoing user access to the device.<br />
Note<br />
• Best practice recommends locking or erasing a device prior to deletion.<br />
• A device deleted from the enterprise will lock if policies require communication<br />
with PolicyServer.<br />
2. Manually - an Administrator may complete the following:<br />
Note<br />
Connectivity to the new Enterprise PolicyServer is required.<br />
a. Log on to the device with a valid Enterprise Administrator ID and password.<br />
b. Right-click the KeyArmor icon in the tray menu and select About<br />
KeyArmor.<br />
c. Click Edit next to the Enterprise name box.<br />
d. Verify the Enterprise name is correct.<br />
e. Select OK.<br />
f. Select Close.<br />
g. The Enterprise Administrator will now need to add the device back into a<br />
group to make the device available for users.<br />
Chapter 8<br />
Working with Logs and Reports<br />
Endpoint <strong>Encryption</strong> keeps comprehensive logs and generates reports about events and<br />
updates. Use these logs and reports to assess your organization's policies and to verify<br />
that component updates were successful.<br />
This chapter covers the following topics:<br />
• Log Events on page 8-2<br />
• Reports on page 8-5<br />
Log Events<br />
PolicyServer records log events using predefined criteria that are built into the system<br />
such as access attempts, system errors, modifications to users or groups, policy changes,<br />
and compliance issues. This powerful tool can be used to report all aspects of server and<br />
client security. Managing log events allows a Group or Enterprise Administrator to<br />
select specific search criteria and then display the information on the screen.<br />
Managing Log Events<br />
Only messages within the last 7 days are displayed automatically. Use the filter function<br />
to view older messages. It is useful to search the logs using the Message ID. For<br />
example, searching for the Message ID 400008 will display all “Device <strong>Encryption</strong><br />
Complete” messages. See PolicyServer Message IDs on page A-1 for more details.<br />
Procedure<br />
1. There are two levels of log events:<br />
• For enterprise-level logs, expand Enterprise Log Events.<br />
• For group-level logs, go to Group Name > Log Events.<br />
The log window appears. All log events for the past 7 days are automatically<br />
displayed.<br />
2. Double-click any log to view details.<br />
3. Click Filter to search the log file:<br />
a. Provide the search criteria.<br />
b. Select the date range.<br />
c. Click Search.<br />
4. Click Refresh to update log data.<br />
5. Click Previous or Next to navigate through log data.
Alerts<br />
Administrators can customize alert criteria using predefined security levels to help<br />
categorize alerts. Send log events to individual or multiple email recipients by setting<br />
alerts at the enterprise or group level.<br />
Note<br />
For details about message IDs, see PolicyServer Message IDs on page A-1.<br />
Setting PolicyServer Alerts<br />
Procedure<br />
1. From the PolicyServer MMC select Enterprise (or group) Log Events from the<br />
left hand navigation screen.<br />
2. Click Alerts.<br />
3. Right-click and select Add.<br />
The Edit Alert window appears.<br />
4. Provide an Alert Name.<br />
5. Select the severity of logs that trigger alerts.<br />
6. Select the message IDs that trigger alerts.<br />
7. Provide the email addresses to receive alerts, one per line.<br />
8. Choose whether to send alerts based on the number of events in a set time.<br />
9. Click Done.<br />
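The count-in-a-set-time rule from step 8, applied offline to log events, as an added example that is not Trend Micro code.<br />
The CSV layout, the sample rows and the 3-in-10-minutes threshold are constructed assumptions; the message IDs come from the PolicyServer Message IDs table.<br />

```python
import csv
import io
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Message IDs and descriptions as listed in the PolicyServer Message IDs table.
FAILED_ADMIN_LOGON = {
    "100056",  # Admin Authentication Failed
    "700030",  # Administrator Failed log In Using One Time Password
    "700031",  # Administrator Failed log In Using Fixed Password
    "700032",  # Administrator Failed log In using Smart Card
    "700035",  # Administrator Failed log In Using Remote Authentication
}
ALWAYS_ALERT = {
    "100049": "Admin User locked due to too many failed logins",
    "100052": "Policy Value Integrity Check Failed",
}

Alert = namedtuple("Alert", "time device rule detail")

# Constructed sample data. The column layout is an assumption made for this
# example, not a documented PolicyServer export format.
SAMPLE_EXPORT = """\
timestamp,message_id,device,user
2012-12-03T09:00:05,100055,LAPTOP-01,admin1
2012-12-03T09:14:10,100056,LAPTOP-07,admin2
2012-12-03T09:15:02,700031,LAPTOP-07,admin2
2012-12-03T09:19:40,100056,LAPTOP-07,admin2
2012-12-03T09:20:00,100049,LAPTOP-07,admin2
2012-12-03T10:30:00,100056,LAPTOP-03,admin1
2012-12-03T11:45:00,100056,LAPTOP-03,admin1
2012-12-03T12:00:00,100052,PS-SERVER,system
"""


def find_alerts(export_text, threshold=3, window=timedelta(minutes=10)):
    """Apply a count-in-a-set-time rule per device, plus always-alert IDs."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    rows.sort(key=lambda r: datetime.fromisoformat(r["timestamp"]))
    recent = defaultdict(deque)  # device -> timestamps of recent failures
    alerts = []
    for row in rows:
        when = datetime.fromisoformat(row["timestamp"])
        message_id = row["message_id"].strip()
        device = row["device"].strip()
        if message_id in ALWAYS_ALERT:
            alerts.append(Alert(when, device, "immediate", ALWAYS_ALERT[message_id]))
        elif message_id in FAILED_ADMIN_LOGON:
            failures = recent[device]
            failures.append(when)
            # Drop failures that have aged out of the sliding window.
            while when - failures[0] > window:
                failures.popleft()
            if len(failures) >= threshold:
                detail = f"{len(failures)} failed administrator logons"
                alerts.append(Alert(when, device, "threshold", detail))
                failures.clear()  # one alert per burst, then start counting again
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EXPORT):
        print(alert.time.isoformat(), alert.device, alert.rule, alert.detail)
```

The two isolated failures on LAPTOP-03 stay below the threshold because they are 75 minutes apart, which is the behaviour the event-count and time settings in the alert are meant to give.<br />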
Enabling PolicyServer to relay SMS and Email Delivery<br />
This function only works for PolicyServers running on Windows Server 2008 or<br />
Windows Server 2008 R2.<br />
Procedure<br />
1. Open Server Manager.<br />
2. Go to Features > Add Features.<br />
3. Mark SMTP Server.<br />
The Add role services and features required for SMTP Server window appears.<br />
4. Click Add Required Role Services.<br />
5. Click Next, Next, and then Install.<br />
Web Server (IIS) and SMTP Server are installed.<br />
6. Click Close.<br />
7. Go to Start > Administrative Tools > Internet Information Services (IIS) 6.0<br />
Manager.<br />
IIS 6.0 Manager opens.<br />
8. Expand ServerName (local device).<br />
9. Right-click [SMTP Virtual Server #1] and click Properties.<br />
Note<br />
Mark Enable logging for future troubleshooting.<br />
10. Go to Access > Connection... and select Only the list below, and then click<br />
Add....<br />
11. Specify 127.0.0.1 for IP address and click OK.<br />
Note<br />
Repeat to specify all IP addresses on the local server.<br />
12. Click OK.<br />
13. Go to Delivery > Advanced... and specify the Masquerade domain in the<br />
following format: psproxy...
14. Click OK twice to close the SMTP Virtual Server #1 Properties window.<br />
15. Go to Enterprise <strong>Policies</strong> > PolicyServer > PDA > Email.<br />
16. Open SMTP ServerName, specify 127.0.0.1, and then click Apply.<br />
Configuring Advanced Premise<br />
For best results, create a Sender Policy Framework (SPF) DNS entry. To create an SPF<br />
record in other DNS Servers (BIND), consult the vendor documentation.<br />
Procedure<br />
1. On a Windows DNS Server, open DNS Management Console.<br />
2. Right-click the forward lookup zone for the domain, and select Other New Records.<br />
3. Scroll down and select TEXT (TXT).<br />
4. Leave Record Name blank, and specify:<br />
v=spf1 ip4: -all<br />
5. Click OK.<br />
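The record form from step 4, checked the way a receiving mail server evaluates it, as an added example that is not Trend Micro code.<br />
It handles only the ip4 and all mechanisms; the function names are hypothetical, and the RFC 5737 documentation addresses stand in for the mail relay's real public IP.<br />

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate sender_ip against a record built only from ip4 and all."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    mechanisms = []
    # Parse the whole record first: a syntax error anywhere invalidates it.
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if term.lower() == "all":
            mechanisms.append((qualifier, None))
        elif name.lower() == "ip4":
            try:
                network = ipaddress.IPv4Network(value, strict=False)
            except ValueError:
                return "permerror"  # for example "ip4:" with the address left out
            mechanisms.append((qualifier, network))
        else:
            return "unsupported"  # a, mx, include and modifiers are out of scope
    sender = ipaddress.IPv4Address(sender_ip)
    # Mechanisms are tested left to right; the first match decides the result.
    for qualifier, network in mechanisms:
        if network is None or sender in network:
            return QUALIFIERS[qualifier]
    return "neutral"


def audit_relay_record(record, relay_ip, outsider_ip="192.0.2.1"):
    """Return findings; an empty list means the relay passes and others hard-fail."""
    findings = []
    relay_result = evaluate_spf(record, relay_ip)
    if relay_result != "pass":
        findings.append(f"relay {relay_ip} evaluates to {relay_result}, expected pass")
    outsider_result = evaluate_spf(record, outsider_ip)
    if outsider_result != "fail":
        findings.append(f"other senders evaluate to {outsider_result}, expected fail")
    return findings


if __name__ == "__main__":
    relay = "203.0.113.10"  # constructed address for the mail relay
    for candidate in (
        "v=spf1 ip4:203.0.113.10 -all",  # address filled in, hard fail for others
        "v=spf1 ip4: -all",              # address left out of the ip4 mechanism
        "v=spf1 ip4:203.0.113.10 ~all",  # soft fail instead of -all
        "v=spf1 -all ip4:203.0.113.10",  # -all placed before the ip4 mechanism
    ):
        print(candidate, "->", audit_relay_record(candidate, relay) or "OK")
```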
Reports<br />
PolicyServer records system activities (changes made to policies, successful<br />
authentication attempts, devices locked due to too many unsuccessful logon attempts)<br />
and maintains those records as log events. Administrators can generate reports on an as-needed<br />
or scheduled basis.<br />
PolicyServer has a variety of built-in reports to verify device encryption status, user/<br />
device activity, and PolicyServer integrity.<br />
Note<br />
Only Enterprise Administrators can use reports.<br />
Report Options<br />
Different reports have different options. Right-click a report for options.<br />
TABLE 8-1. Options for reports<br />
REPORT OPTION | OPTION DESCRIPTION<br />
Clear | Removes all information displayed in the results window; it does not delete the information.<br />
Display Error | View a description of the error causing the report to be invalid; available to Administrators only.<br />
Display Report | View the report; available to Administrators only.<br />
Next Page | Move to the next page of the search items.<br />
Previous Page | Return to the previous page of the search items.<br />
Refresh | Update the status of a submitted report.<br />
Remove Report | Deletes the report.<br />
Schedule Report | Set up a schedule for the report to be run on a specific day or time.<br />
Submit Report | Generate the selected report.<br />
Report Icons<br />
TABLE 8-2. Report icons<br />
ICON | DESCRIPTION<br />
(icon) | Standard reports can be submitted on an as-needed basis to view statistics and other usage metrics.<br />
(icon) | Alert reports are used to notify Administrators of potential security issues.<br />
Report Types<br />
Reports are designed to make information about logs easily understood.<br />
Running Standard Reports<br />
Standard reports can be submitted on an as-needed basis. Reporting functions are only<br />
available to Enterprise Administrators.<br />
Procedure<br />
1. Right-click the desired report and select Submit Report.<br />
2. Specify report parameters if required and then click Apply.<br />
3. To view the report, go to Enterprise Reports > Enterprise Submitted Reports.<br />
Standard Reports<br />
TABLE 8-3. List of Standard Reports<br />
REPORT NAME | DESCRIPTION<br />
Device Encryption Status | Reports the encryption status for all devices in the enterprise.<br />
Device Operating System Count | Reports all device operating systems and the count for each.<br />
Device Version Count | Reports all Full Disk Encryption versions and the count for each.<br />
Devices By Last Sync Date | Reports all devices that synchronized with PolicyServer in the last x amount of days.<br />
Devices Not Communicating | Reports the devices that have not communicated in the last x days.<br />
Devices with Last Logged in User | Reports all devices and the last user to have authenticated to it.<br />
Enterprise Available License | Reports the days left in the license, available devices and users, and count of used devices and users.<br />
Enterprise User Activity | Reports total devices, total users, and the MMC user count along with device activity.<br />
Full Disk Encryption Device Not 100% Encrypted | Reports all devices in the last x days that started encrypting but did not finish.<br />
User Activity By Day | Reports the user activity within x amount of days for the given user.<br />
Users Added | Reports all users added within the last x days.<br />
Users Never Logged into a Device | Reports all users that have never authenticated to any device.<br />
Running Alert Reports<br />
Reporting functions are only available to Enterprise Administrators.<br />
To view the report, go to Enterprise Reports > Enterprise Submitted Reports.<br />
Procedure<br />
1. Right-click the desired alert report and select Configure Alerts.<br />
The Alerts Configuration window appears.<br />
2. Provide the SMTP Server Address and the Sender that will process the outgoing<br />
email.
3. Click Apply.<br />
4. Right-click the desired report and select Submit Alert.<br />
Alert Reports<br />
TABLE 8-4. List of Alert Reports<br />
ALERT NAME | DESCRIPTION<br />
Consecutive Failed Logon Attempts on a Single Device | An alert is sent when multiple, consecutive authentication attempts to an individual device have all failed.<br />
Log Integrity | An alert is sent when there is an indication that the PolicyServer logs have been tampered with.<br />
Policy Tampering | An alert is sent when PolicyServer detects that policies have been tampered with.<br />
Primary and Secondary Action Enforced | An alert is sent when the PolicyServer has had no connection, and the primary or secondary action has been enforced.<br />
Displaying Reports<br />
Reporting functions are only available to Enterprise Administrators.<br />
Procedure<br />
1. Go to Enterprise Reports > Enterprise Submitted Reports.<br />
2. Right-click the desired report and select Display Report....<br />
The report displays.<br />
Note<br />
To export the report, click the Save icon and select Excel or Acrobat (PDF) file.<br />
Scheduling Reports<br />
These steps allow reports to be run at any specific date and time.<br />
Procedure<br />
1. Open Enterprise Reports.<br />
2. Right-click the desired report and select Schedule Report.<br />
The Report Parameters window displays.<br />
3. Specify report parameters and click Apply.<br />
The Report Scheduler displays.<br />
4. Specify the report interval, date and time, and then click Apply.<br />
To view scheduled reports:<br />
5. Go to Enterprise Reports > Enterprise Scheduled Reports.<br />
Displaying Report Errors<br />
Sometimes an error prevents a report from running correctly. Follow these steps to view<br />
the error.<br />
Procedure<br />
1. Go to Enterprise Reports > Enterprise Submitted Reports.<br />
2. Right-click the report with an error and select Display Error....<br />
The report error message displays.
Chapter 9<br />
Getting Support<br />
Depending on the type of support needed, there are various places to get help.<br />
This chapter covers the following topics:<br />
• <strong>Trend</strong> Community on page 9-2<br />
• Support Portal on page 9-2<br />
• Contacting Technical Support on page 9-3<br />
• <strong>Trend</strong>Labs on page 9-4<br />
<strong>Trend</strong> Community<br />
Get help, share experiences, ask questions, and discuss security concerns with<br />
fellow users, enthusiasts, and security experts.<br />
http://community.trendmicro.com/<br />
Support Portal<br />
The <strong>Trend</strong> <strong>Micro</strong> Support Portal is a 24x7 online resource that contains thousands of<br />
helpful and easy to use technical support procedures for <strong>Trend</strong> <strong>Micro</strong> products and<br />
services. New solutions are added daily.<br />
Procedure<br />
1. Go to http://esupport.trendmicro.com.<br />
2. Select a product or service from the appropriate drop-down menu and specify any<br />
other related information, if prompted.<br />
The Technical Support product page displays.<br />
3. Specify any search criteria, for example an error message, and then click the search<br />
icon.<br />
A list of solutions displays.<br />
4. If the solution cannot be found, submit a case and a <strong>Trend</strong> <strong>Micro</strong> support engineer<br />
will investigate the issue. Response time is typically 24 hours or less.<br />
Submit a support case online at:<br />
http://esupport.trendmicro.com/srf/SRFMain.aspx
Contacting Technical Support<br />
Technical support, pattern downloads, and product/service updates are available for one<br />
year with all product licenses. After one year, renew the license to continue receiving<br />
<strong>Trend</strong> <strong>Micro</strong> support.<br />
In the United States, reach <strong>Trend</strong> <strong>Micro</strong> representatives by phone, fax, or email:<br />
Address <strong>Trend</strong> <strong>Micro</strong>, Inc. 10101 North De Anza Blvd., Cupertino, CA 95014<br />
Phone Toll free: +1 (800) 228-5651 (sales)<br />
Voice: +1 (408) 257-1500 (main)<br />
Fax +1 (408) 257-2003<br />
Website http://www.trendmicro.com<br />
Email address support@trendmicro.com<br />
• Get a list of the worldwide support offices at:<br />
http://www.trendmicro.com/us/about-us/contact/index.html<br />
• Get the latest <strong>Trend</strong> <strong>Micro</strong> documentation at:<br />
http://docs.trendmicro.com<br />
Resolving Issues Faster<br />
To speed up problem resolution, have the following information available:<br />
• Steps to reproduce the problem<br />
• Appliance or network information<br />
• Computer brand, model, and any additional hardware connected to the endpoint<br />
• Amount of memory and free hard disk space<br />
• Operating system and service pack version<br />
• Endpoint client version<br />
• Serial number or activation code<br />
• Detailed description of install environment<br />
• Exact text of any error message received<br />
<strong>Trend</strong>Labs<br />
<strong>Trend</strong>Labs is a global network of research, development, and action centers committed<br />
to 24/7 threat surveillance, attack prevention, and timely and seamless solutions<br />
delivery. Serving as the backbone of the <strong>Trend</strong> <strong>Micro</strong> service infrastructure, <strong>Trend</strong>Labs<br />
is staffed by a team of several hundred engineers and certified support personnel that<br />
provide a wide range of product and technical support services.<br />
<strong>Trend</strong>Labs monitors the worldwide threat landscape to deliver effective security<br />
measures designed to detect, preempt, and eliminate attacks. The daily culmination of<br />
these efforts is shared with customers through frequent virus pattern file updates and<br />
scan engine refinements.<br />
Learn more about <strong>Trend</strong>Labs at:<br />
http://cloudsecurity.trendmicro.com/us/technology-innovation/experts/index.html#trendlabs
Appendix A<br />
PolicyServer Message IDs<br />
This appendix lists the different PolicyServer message IDs and their meaning.<br />
TABLE A-1. PolicyServer Message IDs<br />
CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS<br />
Administrator Alerts | 100002 | Identifying Device | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Administrator Alerts | 100003 | Security Violation | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Administrator Alerts | 100007 | Critical Severity | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Administrator Alerts | 100019 | Policy Change Unsuccessful | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Administrator Alerts | 100045 | Unsupported configuration | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Administrator Alerts | 100046 | Enterprise Pool created | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Administrator Alerts | 100047 | Enterprise Pool deleted | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Administrator Alerts | 100048 | Enterprise Pool modified | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Administrator Alerts | 100049 | Admin User locked due to too many failed logins. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Administrator Alerts | 100052 | Policy Value Integrity Check Failed | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Administrator Alerts | 100053 | Policy request aborted due to failed policy integrity check. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Administrator Alerts | 100054 | File request aborted due to failed policy integrity check. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Administrator Alerts | 100055 | Admin Authentication Succeeded | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Administrator Alerts | 100056 | Admin Authentication Failed | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Administrator Alerts | 100062 | Admin Password Reset | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Administrator Alerts | 100463 | Unable to remove user. Try again. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Administrator Alerts | 100464 | Unable to unable user. Try again. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Administrator Alerts | 100470 | Unable to change Self Help password. A response to one of the personal challenge questions was incorrect. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Administrator Alerts | 102000 | Enterprise Added | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Administrator Alerts | 102001 | Enterprise Deleted | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Administrator Alerts | 102002 | Enterprise Modified | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Administrator Alerts | 102003 | The number of users has exceeded the maximum allowed by this license. Reduce the number of existing users to restore this user account. | PolicyServer<br />
Administrator Alerts | 200000 | Administrator updated policy | PolicyServer<br />
Administrator Alerts | 200001 | Administrator added policy | PolicyServer<br />
Administrator Alerts | 200002 | Administrator deleted policy | PolicyServer<br />
Administrator Alerts | 200003 | Administrator enabled application | PolicyServer<br />
Administrator Alerts | 200004 | Administrator disabled application | PolicyServer<br />
Administrator Alerts | 200100 | Administrator added user | PolicyServer<br />
Administrator Alerts | 200101 | Administrator deleted user | PolicyServer<br />
Administrator Alerts | 200102 | Administrator updated user | PolicyServer<br />
Administrator Alerts | 200103 | Administrator added user to group | PolicyServer<br />
Administrator Alerts | 200104 | Administrator removed user from group | PolicyServer<br />
Administrator Alerts | 200200 | User added | PolicyServer<br />
Administrator Alerts | 200201 | User deleted | PolicyServer<br />
Administrator Alerts | 200202 | User added to group | PolicyServer<br />
Administrator Alerts | 200203 | User removed from group | PolicyServer<br />
Administrator Alerts | 200204 | User updated | PolicyServer<br />
Administrator Alerts | 200300 | Administrator deleted device | PolicyServer<br />
Administrator Alerts | 200301 | Administrator added device to group | PolicyServer<br />
Administrator Alerts | 200302 | Administrator removed device from group | PolicyServer<br />
Administrator Alerts | 200500 | Administrator added group | PolicyServer<br />
Administrator Alerts | 200501 | Administrator deleted group | PolicyServer<br />
Administrator Alerts | 200502 | Administrator updated group | PolicyServer<br />
Administrator Alerts | 200503 | Administrator copy/pasted group | PolicyServer<br />
Administrator Alerts | 200600 | PolicyServer update applied. | PolicyServer<br />
Administrator Alerts | 200602 | User added to device | PolicyServer<br />
Administrator Alerts | 200603 | User removed from device | PolicyServer<br />
Administrator Alerts | 200700 | Event executed successfully | PolicyServer<br />
Administrator Alerts | 200701 | Failed event execution | PolicyServer<br />
Administrator Alerts | 200800 | Event installed successfully | PolicyServer<br />
Administrator Alerts | 200801 | Failed to install event | PolicyServer<br />
Administrator Alerts | 700012 | Administrator Logged In Using One Time Password | FileArmor SP6 or Earlier<br />
Administrator Alerts | 700013 | Administrator Logged In Using Fixed Password | FileArmor SP6 or Earlier<br />
Administrator Alerts | 700014 | Administrator Logged In using Smart Card | FileArmor SP6 or Earlier<br />
Administrator Alerts | 700017 | Administrator Logged In Using Remote Authentication | FileArmor SP6 or Earlier<br />
Administrator Alerts | 700030 | Administrator Failed log In Using One Time Password | FileArmor SP6 or Earlier<br />
Administrator Alerts | 700031 | Administrator Failed log In Using Fixed Password | FileArmor SP6 or Earlier<br />
Administrator Alerts | 700032 | Administrator Failed log In using Smart Card | FileArmor SP6 or Earlier<br />
Administrator Alerts | 700035 | Administrator Failed log In Using Remote Authentication | FileArmor SP6 or Earlier<br />
Administrator Alerts | 900100 | Administrator logged in using onetime password. | KeyArmor<br />
Administrator Alerts | 900101 | Administrator logged in using fixed password. | KeyArmor<br />
Administrator Alerts | 900102 | Administrator logged in using Smart Card. | KeyArmor<br />
Administrator Alerts | 900103 | Administrator logged in using domain authentication. | KeyArmor<br />
Administrator Alerts | 900104 | Administrator logged in using remote authentication. | KeyArmor<br />
Administrator Alerts | 900105 | Administrator logged in using ColorCode authentication. | KeyArmor<br />
Administrator Alerts | 900106 | Administrator logged in using PIN. | KeyArmor<br />
Administrator Alerts | 900107 | Administrator logged in using OCSP. | KeyArmor<br />
Administrator Alerts | 900250 | Administrator Failed To Login Using One Time Password | KeyArmor<br />
Administrator Alerts | 900251 | Administrator Failed To Login Using Fixed Password | KeyArmor<br />
Administrator Alerts | 900252 | Administrator Failed To Login Using Smart Card | KeyArmor<br />
Administrator Alerts | 900253 | Administrator failed to login using domain authentication. | KeyArmor<br />
Administrator Alerts | 900254 | Administrator Failed To Login Using Remote Authentication | KeyArmor<br />
Administrator Alerts | 900255 | Administrator failed to login using ColorCode authentication. | KeyArmor<br />
Administrator Alerts | 900256 | Administrator failed to login using PIN. | KeyArmor<br />
Administrator Alerts | 900257 | Administrator Failed To Login Using OCSP | KeyArmor<br />
Administrator Alerts | 900300 | Administrator Failed log In Using Remote Authentication | KeyArmor<br />
Administrator Alerts | 901000 | Administrator Renamed A File | KeyArmor<br />
Administrator Alerts | 901001 | Administrator Changed A File | KeyArmor<br />
Administrator Alerts | 901002 | Administrator Deleted A File | KeyArmor<br />
Administrator Alerts | 901003 | Administrator Created A File | KeyArmor<br />
Audit Log Alerts | 100015 | Log Message | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Audit Log Alerts | 103000 | Audit Log Connection Opened | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Audit Log Alerts | 103001 | Audit Log Connection Closed | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Audit Log Alerts | 103100 | Audit Log Record Missing | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Audit Log Alerts | 103101 | Audit Log Record Integrity Missing | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Audit Log Alerts | 103102 | Audit Log Record Integrity Compromised | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Audit Log Alerts | 103103 | Audit Log Record Integrity Validation Started | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Audit Log Alerts | 104003 | Authentication method set to SmartCard. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Audit Log Alerts | 904008 | Unable To Send Log Alert | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Authenticator Alerts | 700006 | Authenticator Logged In Using One Time Password | FileArmor SP6 or Earlier<br />
Authenticator Alerts | 700007 | Authenticator Logged In Using Fixed Password | FileArmor SP6 or Earlier<br />
Authenticator Alerts | 700008 | Authenticator Logged In using Smart Card | FileArmor SP6 or Earlier<br />
Authenticator Alerts | 700009 | Authenticator Logged In using Windows Credentials | FileArmor SP6 or Earlier<br />
Authenticator Alerts | 700011 | Authenticator Logged In Using Remote Authentication | FileArmor SP6 or Earlier<br />
Authenticator Alerts | 700024 | Authenticator Failed log In Using One Time Password | FileArmor SP6 or Earlier<br />
Authenticator Alerts | 700025 | Authenticator Failed log In Using Fixed Password | FileArmor SP6 or Earlier<br />
Authenticator Alerts | 700026 | Authenticator Failed log In using Smart Card | FileArmor SP6 or Earlier<br />
Authenticator Alerts | 700027 | Authenticator Failed log In using Windows Credentials | FileArmor SP6 or Earlier<br />
Authenticator Alerts | 700029 | Authenticator Failed log In Using Remote Authentication | FileArmor SP6 or Earlier<br />
Authenticator Alerts | 900050 | Authenticator logged in using onetime password. | KeyArmor<br />
Authenticator Alerts | 900051 | Authenticator logged in using fixed password. | KeyArmor<br />
Authenticator Alerts | 900052 | Authenticator logged in using Smart Card. | KeyArmor<br />
Authenticator Alerts | 900053 | Authenticator logged in using domain authentication. | KeyArmor<br />
Authenticator Alerts | 900054 | Authenticator logged in using remote authentication. | KeyArmor<br />
Authenticator Alerts | 900055 | Authenticator logged in using ColorCode authentication. | KeyArmor<br />
Authenticator Alerts | 900056 | Authenticator logged in using PIN. | KeyArmor<br />
Authenticator Alerts | 900057 | Authenticator logged in using OCSP. | KeyArmor<br />
Authenticator Alerts | 900161 | User Failed To Login Using Self Help | KeyArmor<br />
Authenticator Alerts | 900200 | Authenticator Failed To Login Using One Time Password | KeyArmor<br />
Authenticator Alerts | 900201 | Authenticator Failed To Login Using Fixed Password | KeyArmor<br />
Authenticator Alerts | 900202 | Authenticator Failed To Login Using Smart Card | KeyArmor<br />
Authenticator Alerts | 900203 | Authenticator failed to login using domain authentication. | KeyArmor<br />
Authenticator Alerts | 900204 | Authenticator Failed To Login Using Remote Authentication | KeyArmor<br />
Authenticator Alerts | 900205 | Authenticator failed to login using ColorCode authentication. | KeyArmor<br />
Authenticator Alerts | 900206 | Authenticator failed to login using PIN. | KeyArmor<br />
Authenticator Alerts | 900207 | Authenticator Failed To Login Using OCSP | KeyArmor<br />
Authenticator Alerts | 902000 | Authenticator Renamed A File | KeyArmor<br />
Authenticator Alerts | 902001 | Authenticator Changed A File | KeyArmor<br />
Authenticator Alerts | 902002 | Authenticator Deleted A File | KeyArmor<br />
Authenticator Alerts | 902003 | Authenticator Created A File | KeyArmor<br />
Certificate Alerts | 104008 | Certificate expired. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Device Alerts | 100001 | PDA to Desktop Sync Authentication was unsuccessful. There was no device ID for this PDA found. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Device Alerts | 100012 | Device is not in its own Password Authentication File. PAF corrupted? | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Device Alerts | 100044 | Lock Device Action Received | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Device Alerts | 100071 | Device Kill Confirmed | KeyArmor<br />
Device Alerts | 100072 | Device Lock Confirmed | KeyArmor<br />
Device Alerts | 100100 | Install Started | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor<br />
Device Alerts | 100101 | Install Completed | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor<br />
Device Alerts | 100462 | Unable to connect to PolicyServer. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Device Alerts | 101001 | The network connection is not working. Unable to get policy files from PolicyServer. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Device Alerts | 101002 | Corrupted PAF (DAFolder.xml) file | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Device Alerts | 105000 | Unable to synchronize policies with client. Verify that there is a network connection and try again. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Device Alerts | 200400 | Device added | PolicyServer<br />
Device Alerts | 200401 | Device deleted | PolicyServer<br />
Device Alerts | 200402 | Device added to group | PolicyServer<br />
Device Alerts | 200403 | Device removed from group | PolicyServer<br />
Device Alerts | 200404 | Device modified | PolicyServer<br />
Device Alerts | 200405 | Device status updated | PolicyServer<br />
Device Alerts | 200406 | Device status reset | PolicyServer<br />
Device Alerts | 200407 | Device Kill Issued | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Device Alerts | 200408 | Device Lock Issued | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Device Alerts | 200409 | Device Synchronized | PolicyServer<br />
Device Alerts | 904012 | User Not Allowed To Register New Device | PolicyServer<br />
Device Alerts | 1000052 | Uninstall of product | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor<br />
Device Alerts | 1000053 | Product Uninstall Denied By Policy | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor<br />
Error Alerts | 100005 | General Error | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Error Alerts | 100006 | Application Error | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
FileArmor Activity Alerts | 700000 | User Logged In Using One Time Password | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 700001 | User Logged In Using Fixed Password | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 700002 | User Logged In using Smart Card | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 700003 | User Logged In using Windows Credentials | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 700005 | User Logged In Using Remote Authentication | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 700015 | Administrator Logged In using Windows Credentials | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 700018 | User Failed log In Using One Time Password | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 700019 | User Failed log In Using Fixed Password | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 700020 | User Failed log In using Smart Card | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 700021 | User Failed log In using Windows Credentials | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 700023 | User Could not log In Using Remote Authentication | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 700033 | Administrator Failed log In using Windows Credentials | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 700036 | Failed Login Attempts Exceeded | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 701000 | Encrypted File Using User Key | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 701001 | Encrypted File Using Group Key | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 701002 | Encrypted File Using Static Password | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 701003 | Self-extracting encrypted file created using a static password. | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 701004 | Encrypted File Using Cert | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 701005 | Self-extracting encrypted file created using certificate. | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 701006 | Encrypted File Using CD/DVD Burning | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 701007 | Encrypted Directory Using Group Key | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 701008 | Encrypted Directory Using Static Password | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 701009 | Self-extracting encrypted directory created using a static password. | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 701010 | Encrypted Directory Using Cert | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 701011 | Self-extracting encrypted directory created using certificate. | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 701012 | Encrypted Directory Using CD/DVD Burning | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 701015 | Removable Media was fully encrypted | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 701016 | Removable Media Blocked | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 701017 | Removable Media Created and Covered Folders | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 701018 | File encrypted and moved to removable media. | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 701019 | File deleted from removable media. | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 703000 | File Armor Encrypted Folder Was Created | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 703001 | Folder Was Created and Covered | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 703002 | File Armor Encrypted Folder Was Deleted | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 703004 | Removable Media Folder was Created and Covered | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 703005 | Removable Media Device Was Fully Encrypted | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 703006 | File In Folder Was Created | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 703007 | File in Folder Was Deleted | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 703008 | File in Folder Was Changed | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 703009 | File in Folder Was Accessed | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 703010 | File in Folder Was Last Written | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 703011 | File Size Changed in Folder | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 703015 | Folder Encryption Started | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 703016 | Folder Decryption Started | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 703017 | Folder Encryption Complete | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 703018 | Folder Decryption Complete | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 703019 | Folder Decryption In progress | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 703020 | Folder Encryption In progress | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 704000 | FileArmor Service Started | FileArmor SP6 or Earlier<br />
FileArmor Activity Alerts | 704001 | FileArmor Service Shutdown | FileArmor SP6 or Earlier<br />
Full Disk Encryption Activity Alerts | 300700 | Device log maximum size limit reached, event log truncated. | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 400001 | User has successfully logged in. | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 400002 | User login failed. | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 400003 | Device decryption started. | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 400004 | Device Encryption Started. | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 400005 | Mounted encrypted partition. | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 400006 | Restored native OS MBR. | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 400007 | Restored Application MBR. | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 400008 | Device encryption complete | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 400009 | Device Decryption Completed | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 400010 | Device Encryption In Progress | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 400011 | System MBR Corrupt | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 400012 | System Pre-boot Kernel Deleted | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401000 | Recovery Console accessed | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401009 | Recovery Console error | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401010 | Decryption in place started | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401011 | Decryption in place stopped | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401012 | Decryption in place complete | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401013 | Decryption of removable device started | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401014 | Decryption to removable device stopped | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401015 | Decryption to removable device complete | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401018 | Decryption in place error | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401019 | Decryption to removable device error | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401020 | Encrypted files accessed | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401021 | Encrypted files modified | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401022 | Encrypted files copied to removable device | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401029 | Encrypted files access error | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401030 | Network administration accessed | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401031 | PolicyServer address changed | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401032 | PolicyServer port number changed | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401033 | Switched to IPv6 | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401034 | Switched to IPv4 | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401035 | Switched to dynamic IP configuration | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401036 | Switched to static IP configuration | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401037 | DHCP port number changed | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401038 | IP address changed | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401039 | NetMask changed | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401040 | Broadcast address changed | Full Disk Encryption or MobileSentinel<br />
CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS<br />
Full Disk Encryption Activity Alerts | 401041 | Gateway changed | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401042 | Domain name changed | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401043 | Domain name servers changed | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401049 | Network administration error | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401050 | User administration accessed | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401051 | User added | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401052 | User removed | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401053 | User modified | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401069 | User administration error | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401070 | Locally stored logs accessed | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401079 | Locally stored logs access error | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401080 | Original MBR restored | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401089 | Original MBR restoration error | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401090 | Default theme restored | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 401099 | Default theme restoration error | Full Disk Encryption or MobileSentinel<br />
PolicyServer Message IDs<br />
Full Disk Encryption Activity Alerts | 402000 | Application Startup | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 402001 | Application Shutdown | Full Disk Encryption or MobileSentinel<br />
Full Disk Encryption Activity Alerts | 600001 | Update was successful in the Pre-boot. | Full Disk Encryption<br />
Full Disk Encryption Activity Alerts | 600002 | Pre-boot Update failed | Full Disk Encryption<br />
Installation Alerts | 100004 | Install Error | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Installation Alerts | 100020 | Successful Installation | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Installation Alerts | 700037 | Installation of FileArmor was successful | FileArmor SP6 or Earlier<br />
Installation Alerts | 700038 | Installation of FileArmor was unsuccessful: Enterprise name is not valid. | FileArmor SP6 or Earlier<br />
Installation Alerts | 700039 | Installation of FileArmor was unsuccessful: Username or password is incorrect. | FileArmor SP6 or Earlier<br />
KeyArmor Activity Alerts | 100034 | Invalid Registry Setting Detected | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
KeyArmor Activity Alerts | 500000 | VirusDefense | KeyArmor<br />
KeyArmor Activity Alerts | 500001 | Object Cleaned | KeyArmor<br />
KeyArmor Activity Alerts | 500002 | Object Disinfected | KeyArmor<br />
KeyArmor Activity Alerts | 500003 | Object Quarantined | KeyArmor<br />
KeyArmor Activity Alerts | 500004 | Object Deleted | KeyArmor<br />
KeyArmor Activity Alerts | 500005 | Virus Detected | KeyArmor<br />
KeyArmor Activity Alerts | 500006 | Full Scan Started | KeyArmor<br />
KeyArmor Activity Alerts | 500007 | Full Scan Completed | KeyArmor<br />
KeyArmor Activity Alerts | 500008 | Object Suspicious | KeyArmor<br />
KeyArmor Activity Alerts | 500009 | Object Scan Completed | KeyArmor<br />
KeyArmor Activity Alerts | 500010 | Removable Media Scan Requested | KeyArmor<br />
KeyArmor Activity Alerts | 500011 | Removable Media Scan Completed | KeyArmor<br />
KeyArmor Activity Alerts | 500012 | Folder Scan Requested | KeyArmor<br />
KeyArmor Activity Alerts | 500013 | Folder Scan Completed | KeyArmor<br />
KeyArmor Activity Alerts | 500014 | Access Denied To Object | KeyArmor<br />
KeyArmor Activity Alerts | 500015 | Object Corrupt | KeyArmor<br />
KeyArmor Activity Alerts | 500016 | Object Clean | KeyArmor<br />
KeyArmor Activity Alerts | 500017 | Full Scan Cancelled | KeyArmor<br />
KeyArmor Activity Alerts | 500018 | Object Scan Cancelled | KeyArmor<br />
KeyArmor Activity Alerts | 500019 | Removable Media Scan Cancelled | KeyArmor<br />
KeyArmor Activity Alerts | 500020 | Folder Scan Cancelled | KeyArmor<br />
KeyArmor Activity Alerts | 500021 | Update Started | KeyArmor<br />
KeyArmor Activity Alerts | 500022 | The update was unsuccessful. Try again. | KeyArmor<br />
KeyArmor Activity Alerts | 500023 | Update Cancelled | KeyArmor<br />
KeyArmor Activity Alerts | 500024 | Update Successful. | KeyArmor<br />
KeyArmor Activity Alerts | 500025 | VirusDefense Up To Date | KeyArmor<br />
KeyArmor Activity Alerts | 500026 | PalmVirusDefense | KeyArmor<br />
KeyArmor Activity Alerts | 500027 | Object Scan Requested | KeyArmor<br />
KeyArmor Activity Alerts | 500028 | PPCVirusDefense | KeyArmor<br />
KeyArmor Activity Alerts | 900000 | User logged in using one-time password. | KeyArmor<br />
KeyArmor Activity Alerts | 900001 | User logged in using fixed password. | KeyArmor<br />
KeyArmor Activity Alerts | 900002 | User logged in using Smart Card. | KeyArmor<br />
KeyArmor Activity Alerts | 900003 | User logged in using domain authentication. | KeyArmor<br />
KeyArmor Activity Alerts | 900004 | User logged in using remote authentication. | KeyArmor<br />
KeyArmor Activity Alerts | 900005 | User logged in using ColorCode authentication. | KeyArmor<br />
KeyArmor Activity Alerts | 900006 | User logged in using PIN. | KeyArmor<br />
KeyArmor Activity Alerts | 900007 | User logged in using OCSP | KeyArmor<br />
KeyArmor Activity Alerts | 900008 | User logged in using Self Help. | KeyArmor<br />
KeyArmor Activity Alerts | 900009 | User logged in using RSA | KeyArmor<br />
KeyArmor Activity Alerts | 900150 | User Failed To Login Using One Time Password | KeyArmor<br />
KeyArmor Activity Alerts | 900151 | User Failed To Login Using Fixed Password | KeyArmor<br />
KeyArmor Activity Alerts | 900152 | User Failed To Login Using Smart Card | KeyArmor<br />
KeyArmor Activity Alerts | 900153 | User failed to login using domain authentication. | KeyArmor<br />
KeyArmor Activity Alerts | 900154 | User Failed To Login Using Remote Authentication | KeyArmor<br />
KeyArmor Activity Alerts | 900155 | User failed to login using ColorCode authentication. | KeyArmor<br />
KeyArmor Activity Alerts | 900156 | User failed to login using PIN. | KeyArmor<br />
KeyArmor Activity Alerts | 900157 | User Failed To Login Using OCSP | KeyArmor<br />
KeyArmor Activity Alerts | 900158 | User locked out after too many failed login attempts. | KeyArmor<br />
KeyArmor Activity Alerts | 900301 | Failed Login Attempts Exceeded | KeyArmor<br />
KeyArmor Activity Alerts | 900350 | Key Wiped | KeyArmor<br />
KeyArmor Activity Alerts | 903000 | User Renamed A File | KeyArmor<br />
KeyArmor Activity Alerts | 903001 | User Changed A File | KeyArmor<br />
KeyArmor Activity Alerts | 903002 | User Deleted A File | KeyArmor<br />
KeyArmor Activity Alerts | 903003 | User Created A File | KeyArmor<br />
KeyArmor Activity Alerts | 903100 | Primary action enforced due to no PolicyServer connection. | KeyArmor<br />
KeyArmor Activity Alerts | 903101 | Secondary action enforced due to no PolicyServer connection. | KeyArmor<br />
KeyArmor Activity Alerts | 903102 | Policy updates applied | KeyArmor<br />
KeyArmor Activity Alerts | 904000 | Repaired infected file | KeyArmor<br />
KeyArmor Activity Alerts | 904001 | Unable to repair infected file. | KeyArmor<br />
KeyArmor Activity Alerts | 904002 | Skipping infected file, repair unsupported | KeyArmor<br />
KeyArmor Activity Alerts | 904003 | Deleted infected file | KeyArmor<br />
KeyArmor Activity Alerts | 904004 | Unable to delete infected file. | KeyArmor<br />
KeyArmor Activity Alerts | 904005 | Killing device due to infected file | KeyArmor<br />
KeyArmor Activity Alerts | 904006 | Error killing device due to infected file | KeyArmor<br />
KeyArmor Activity Alerts | 904007 | Invoking infected file fall-back action | KeyArmor<br />
KeyArmor Activity Alerts | 904010 | AntiVirus files updated | KeyArmor<br />
KeyArmor Activity Alerts | 904011 | Unable to update antivirus files. | KeyArmor<br />
Login / Logout Alerts | 100013 | Failed Login Attempt | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 100014 | Successful Login | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 100016 | Unable to log in. Use Remote Authentication to provide the PolicyServer Administrator with a challenge code. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 100021 | Unsuccessful ColorCode Login | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 100022 | Unsuccessful Fixed Password Login | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 100023 | Unsuccessful PIN Login | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 100024 | Unsuccessful X99 Login | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 100028 | Successful ColorCode Login | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 100031 | Successful X9.9 Login | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 100032 | Successful Remote Login | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 100035 | Successful WebToken Login | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 100036 | Unsuccessful WebToken Login | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 100050 | Fixed Password login blocked due to lockout. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 100051 | User Login Successfully Unlocked | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 100057 | LDAP User Authentication Succeeded | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 100058 | LDAP User Authentication Failed | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 100059 | LDAP User Password Change Succeeded | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 100060 | LDAP User Password Change Failed | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 100061 | Access request aborted due to failed policy integrity check. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 100070 | Successful Logout | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 100433 | The ColorCodes do not match. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 100434 | Unable to change ColorCode. The new ColorCode must be different than the current one. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 100435 | Unable to change ColorCode. The new ColorCode must meet the minimum length requirements defined by PolicyServer. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 100436 | Unable to change ColorCode. The new ColorCode must be different than any previous ColorCode used. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 100437 | ColorCode Change Failure - Internal Error | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 100459 | X9.9 Password Change Failure - Can Not Connect to PolicyServer Host | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 100460 | X9.9 Password Change Failure - Empty Serial Number | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 100461 | X9.9 Password Change Failure - Internal Error | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 101004 | Unable to reset locked device. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 104000 | Smart Card login successful. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Login / Logout Alerts | 104001 | Smart Card login unsuccessful. Check that the card is seated properly and that the Smart Card PIN is valid. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Mobile Device Alert | 100037 | Palm Policy Database is missing | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Mobile Device Alert | 100038 | Palm Encryption Error | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Mobile Device Alert | 100039 | PPC Device Encryption Changed | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Mobile Device Alert | 100040 | PPC Encryption Error | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
MobileFirewall Activity Alerts | 300000 | MobileFirewall | MobileFirewall<br />
MobileFirewall Activity Alerts | 300001 | DenialOfServiceAttack | MobileFirewall<br />
OCSP Alerts | 104005 | OCSP certificate status good. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
OCSP Alerts | 104006 | OCSP certificate status revoked. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
OCSP Alerts | 104007 | OCSP certificate status unknown. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
OTA Alerts | 100041 | OTA Object Missing or Corrupt. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
OTA Alerts | 100042 | OTA Sync Successful | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
OTA Alerts | 100043 | OTA Device Killed | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Password Alerts | 100017 | Change Password Error | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Password Alerts | 100018 | Password Attempts Exceeded | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Password Alerts | 100025 | Password Reset to ColorCode | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Password Alerts | 100026 | Password Reset to Fixed | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Password Alerts | 100027 | Password Reset to PIN | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Password Alerts | 100029 | Successful Fixed Password Login | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Password Alerts | 100030 | Successful PIN Password Login | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Password Alerts | 100033 | Unable to Reset Password | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Password Alerts | 100432 | Unable to change password. The new password must be different than the current password. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Password Alerts | 100439 | Unable to change password. The passwords do not match. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Password Alerts | 100441 | Unable to change password. The password field cannot be empty. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Password Alerts | 100442 | Unable to change password. The password does not meet the minimum length requirements defined by PolicyServer. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Password Alerts | 100443 | Unable to change password. Numbers are not permitted. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Password Alerts | 100444 | Unable to change password. Letters are not permitted. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Password Alerts | 100445 | Unable to change password. Special characters are not permitted. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Password Alerts | 100446 | Unable to change password. The password cannot contain the user name. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Password Alerts | 100447 | Unable to change password. The password does not contain enough special characters. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Password Alerts | 100448 | Unable to change password. The password does not contain enough numbers. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Password Alerts | 100449 | Unable to change password. The password does not contain enough characters. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Password Alerts | 100450 | Unable to change password. The password contains too many consecutive characters. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Password Alerts | 100451 | Unable to change password. The new password must be different than any previous password used. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Password Alerts | 100452 | Password Change Failure - Internal Error | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Password Alerts | 101003 | Successfully changed Fixed Password. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Password Alerts | 700100 | Password reset to Fixed Password. | FileArmor SP6 or Earlier<br />
Password Alerts | 700101 | Password reset to Smart Card | FileArmor SP6 or Earlier<br />
Password Alerts | 700102 | Password reset to Domain Authentication. | FileArmor SP6 or Earlier<br />
Password Alerts | 900159 | Unable to change password. | KeyArmor<br />
Password Alerts | 900160 | Password changed successfully. | KeyArmor<br />
Password Alerts | 900302 | Password reset to fixed password. | KeyArmor<br />
Password Alerts | 900303 | Password reset To Smart Card | KeyArmor<br />
Password Alerts | 900304 | Password reset to domain authentication. | KeyArmor<br />
PIN Change Alerts | 100438 | Unable to change PIN. The PINs do not match. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
PIN Change Alerts | 100440 | Unable to change PIN. One of the fields are empty. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
PIN Change Alerts | 100453 | Unable to change PIN. The PINs do not match. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
PIN Change Alerts | 100454 | Unable to change PIN. The new PIN cannot be the same as the old PIN. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
PIN Change Alerts | 100455 | Unable to change PIN. The new PIN does not meet the minimum length requirements defined by PolicyServer. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
PIN Change Alerts | 100456 | Unable to change PIN. The PIN cannot contain the user name. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
PIN Change Alerts | 100457 | Unable to change PIN. The new PIN must be different than any previous PIN used. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
PIN Change Alerts | 100458 | PIN Change Failure - Internal Error | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
Smart Card Alerts | 104002 | Registered SmartCard. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or PolicyServer<br />
PolicyServer Message IDs<br />
CATEGORY MESSAGE ID DESCRIPTION PRODUCTS<br />
Smart Card Alerts 104004 Unable to register<br />
Smart Card. Check<br />
that the card is<br />
seated properly and<br />
that the Smart Card<br />
PIN is valid.<br />
<strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong>,<br />
FileArmor,<br />
DriveArmor,<br />
KeyArmor, or<br />
PolicyServer<br />
Windows Mobile Alerts 800000 OTA Install started <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong><br />
for Windows Mobile<br />
Windows Mobile Alerts 800001 OTA Install<br />
completed<br />
Windows Mobile Alerts 800100 OTA SMS message<br />
sent<br />
Windows Mobile Alerts 800200 OTA Directory<br />
Listing Received<br />
Windows Mobile Alerts 800300 OTA Device<br />
Attributes Received<br />
<strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong><br />
for Windows Mobile<br />
<strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong><br />
for Windows Mobile<br />
<strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong><br />
for Windows Mobile<br />
<strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong><br />
for Windows Mobile<br />
Windows Mobile Alerts 800400 OTA Device Backup <strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong><br />
for Windows Mobile<br />
Windows Mobile Alerts 800500 OTA Device<br />
Restore<br />
<strong>Full</strong> <strong>Disk</strong> <strong>Encryption</strong><br />
for Windows Mobile<br />
A-43