Full Disk Encryption Policies - Online Help Home - Trend Micro

Trend Micro Incorporated reserves the right to make changes to this document and to 

the product described herein without notice. Before installing and using the product, 

please review the readme files, release notes, and/or the latest version of the applicable 

documentation, which are available from the Trend Micro website at: 

http://docs.trendmicro.com/en-us/enterprise/endpoint-encryption.aspx 

Trend Micro, the Trend Micro t-ball logo, Endpoint Encryption, PolicyServer, Full Disk 

Encryption, FileArmor, and KeyArmor are trademarks or registered trademarks of 

Trend Micro Incorporated. All other product or company names may be trademarks or 

registered trademarks of their owners. 

Copyright © 2012. Trend Micro Incorporated. All rights reserved. 

Document Part No.: APEM35670/120920 

Release Date: Dec 2012 

Protected by U.S. Patent No.: Patents pending.

This documentation introduces the main features of the product and/or provides 

installation instructions for a production environment. Read through the documentation 

before installing or using the product. 

Detailed information about how to use specific features within the product may be 

available in the Trend Micro Online Help and/or the Trend Micro Knowledge Base at 

the Trend Micro website. 

Trend Micro always seeks to improve its documentation. If you have questions, 

comments, or suggestions about this or any Trend Micro document, please contact us at 

docs@trendmicro.com. 

Evaluate this documentation on the following site: 

http://www.trendmicro.com/download/documentation/rating.asp

Table of Contents 

Preface 

Preface ................................................................................................................. ix 

Product Document Set ...................................................................................... x 

Document Conventions .................................................................................... x 

Intended Audience ............................................................................................ xi 

Terminology ...................................................................................................... xii 

About Trend Micro ........................................................................................ xiv 

Chapter 1: Understanding Trend Micro Endpoint Encryption 

About Endpoint Encryption ......................................................................... 1-2 

Endpoint Encryption Components ..................................................... 1-2 

System Requirements ............................................................................. 1-4 

Key Features & Benefits ................................................................................ 1-8 

Understanding Encryption ............................................................................ 1-9 

File Encryption ....................................................................................... 1-9 

Full Disk Encryption ............................................................................. 1-9 

Key Management .................................................................................. 1-10 

About FIPS ........................................................................................... 1-10 

Management and Integration ...................................................................... 1-11 

Account Roles and Authentication ............................................................ 1-12 

Account Roles ....................................................................................... 1-12 

Access Control by Application ........................................................... 1-13 

Authentication Options by Application ........................................... 1-13 

Security Options ................................................................................... 1-14 

Authentication Methods ...................................................................... 1-14 

New Features in Endpoint Encryption 3.1.3 ........................................... 1-19 

Multi-language Support ....................................................................... 1-19 

Active Directory Synchronization ..................................................... 1-19 

PolicyServer 3.1.3 Enhancements ...................................................... 1-20 

i

Trend Micro Endpoint Encryption 3.1.3 Administrator's Guide 

ii 

Full Disk Encryption 3.1.3 Enhancements ...................................... 1-20 

Chapter 2: Getting Started with PolicyServer 

Authenticating for the First Time ................................................................ 2-2 

Introducing PolicyServer ............................................................................... 2-2 

PolicyServer MMC Interface ................................................................ 2-3 

Working with Groups and Users ................................................................. 2-4 

Defining Users and Groups .................................................................. 2-5 

Adding a Top Group ............................................................................. 2-5 

Adding a New User to a Group ........................................................... 2-7 

Adding a New Enterprise User ............................................................ 2-9 

Adding an Existing User to a Group ................................................ 2-11 

Understanding Policy Controls .................................................................. 2-13 

Visual Indicators for Policies .............................................................. 2-14 

Policy Fields and Buttons .................................................................... 2-14 

Modifying Policies ................................................................................ 2-15 

Enabling Applications .................................................................................. 2-17 

Chapter 3: Understanding Policies 

Working with Policies .................................................................................... 3-2 

Policy Management ........................................................................................ 3-2 

Selecting a Policy for Modification ...................................................... 3-3 

Editing Policies with Ranges ................................................................ 3-4 

Editing Polices with True/False or Yes/ No Responses ................. 3-5 

Editing Policies with Multiple-choice / Single-selection ................. 3-7 

Editing Policies with Text String Arguments ..................................... 3-9 

Editing Policies with Multiple Options ............................................ 3-10 

PolicyServer Policies .................................................................................... 3-12 

Admin Console Policies ...................................................................... 3-12 

Administrator Policies ......................................................................... 3-12 

Authenticator Policies .......................................................................... 3-13 

Log Alert Policies ................................................................................. 3-14 

PDA Policies ......................................................................................... 3-15 

Service Pack Download Policies ........................................................ 3-16


Welcome Message Policies ................................................................. 3-16 

Full Disk Encryption Policies ..................................................................... 3-17 

Common Policies ................................................................................. 3-17 

PC Policies ............................................................................................. 3-19 

PPC Policies .......................................................................................... 3-22 

FileArmor Policies ........................................................................................ 3-23 

Computer Policies ................................................................................ 3-23 

Encryption Policies .............................................................................. 3-24 

Login Policies ........................................................................................ 3-26 

Password Policies ................................................................................. 3-27 

MobileSentinel Policies ................................................................................ 3-28 

Common Policies ................................................................................. 3-28 

PPC Policies .......................................................................................... 3-29 

KeyArmor Policies ....................................................................................... 3-32 

Antivirus Policies .................................................................................. 3-32 

KeyArmor Security Policies ................................................................ 3-32 

Login Policies ........................................................................................ 3-33 

Notice Message Policies ...................................................................... 3-34 

PolicyServer Connection Policies ...................................................... 3-35 

DriveArmor Policies .................................................................................... 3-36 

Authentication Policies ........................................................................ 3-36 

Communications Policies .................................................................... 3-38 

Device Policies ...................................................................................... 3-39 

Common Policies ......................................................................................... 3-40 

Agent Policy .......................................................................................... 3-40 

Authentication Policies ........................................................................ 3-41 

Chapter 4: Working with Groups, Users, and Devices 

Working with Groups .................................................................................... 4-2 

Adding a Top Group ............................................................................. 4-2 

Adding a Subgroup ................................................................................ 4-4 

Modifying a Group ................................................................................. 4-5 

Removing a Group ................................................................................. 4-5 

Working with Offline Groups ...................................................................... 4-5 

Creating an Offline Group .................................................................... 4-6 

iii


iv 

Updating an Offline Group .................................................................. 4-9 

Working with Users ..................................................................................... 4-10 

Add Users to PolicyServer .................................................................. 4-10 

Finding a User ....................................................................................... 4-13 

Modifying a User .................................................................................. 4-14 

Viewing a User's Group Membership ............................................... 4-15 

Adding a New User to a Group ......................................................... 4-16 

Adding an Existing User to a Group ................................................ 4-17 

Changing a User’s Default Group ..................................................... 4-19 

Allowing User to Install to a Group .................................................. 4-20 

Removing Individual Users From a Group ..................................... 4-21 

Removing All Users From a Group .................................................. 4-21 

Restoring a Deleted User .................................................................... 4-22 

Working with Passwords ..................................................................... 4-22 

Working with Devices ................................................................................. 4-30 

Adding a Device to a Group .............................................................. 4-30 

Removing a Device from a Group .................................................... 4-32 

Removing a Device from the Enterprise .......................................... 4-33 

Viewing Directory Contents ............................................................... 4-34 

Viewing Device Attributes .................................................................. 4-34 

Viewing Directory Listing ................................................................... 4-35 

Killing a Device .................................................................................... 4-35 

Locking a Device .................................................................................. 4-36 

Rebooting a Device .............................................................................. 4-36 

Restoring a Deleted Device ................................................................ 4-37 

Chapter 5: Working with Full Disk Encryption 

Endpoint Encryption Tools .......................................................................... 5-2 

Full Disk Encryption Preboot Authentication ........................................... 5-2 

Menu Options ......................................................................................... 5-3 

Network Connectivity ........................................................................... 5-4 

On-Screen Keyboard ............................................................................. 5-4 

Changing the Keyboard Layout ........................................................... 5-4 

Changing Authentication Methods ...................................................... 5-4 

Changing Passwords .............................................................................. 5-5 

Remote Help ........................................................................................... 5-8


Smart Card ............................................................................................... 5-9 

Self Help ................................................................................................ 5-11 

Full Disk Encryption Connectivity ............................................................ 5-13 

Updating Full Disk Encryption Clients ............................................ 5-14 

Full Disk Encryption Recovery Console .................................................. 5-15 

Accessing Recovery Console .............................................................. 5-16 

Accessing Recovery Console from Windows .................................. 5-17 

Using Decrypt Disk ............................................................................. 5-17 

Mount Partitions ................................................................................... 5-19 

Restore Boot ......................................................................................... 5-19 

Manage Full Disk Encryption Users ................................................. 5-20 

Manage Policies .................................................................................... 5-22 

View Logs .............................................................................................. 5-22 

Network Setup ...................................................................................... 5-22 

Full Disk Encryption Recovery Methods ................................................. 5-24 

Repair CD ...................................................................................................... 5-25 

Recovering Data with Repair CD ...................................................... 5-27 

Chapter 6: Working with FileArmor 

FileArmor Authentication ............................................................................. 6-2 

FileArmor First-time Authentication .................................................. 6-2 

FileArmor Domain Authentication ..................................................... 6-2 

FileArmor Smart Card Authentication ................................................ 6-4 

FileArmor ColorCode Authentication ................................................ 6-5 

FileArmor PIN Authentication ............................................................ 6-5 

Changing Password in FileArmor ........................................................ 6-6 

Forced Password Reset .......................................................................... 6-6 

FileArmor System Tray Icon Menu ............................................................. 6-8 

Syncing with PolicyServer ..................................................................... 6-9 

Syncing with PolicyServer Offline Files .............................................. 6-9 

Changing PolicyServer ......................................................................... 6-10 

FileArmor Encryption ................................................................................. 6-10 

FileArmor Local Key Encryption ...................................................... 6-11 

FileArmor Shared Key Encryption ................................................... 6-12 

FileArmor Fixed Password Encryption ............................................ 6-12 

v


vi 

FileArmor Digital Certificate Encryption ......................................... 6-13 

FileArmor Archive and Burn ...................................................................... 6-14 

Burning an Archive with a Fixed Password ..................................... 6-14 

Burning an Archive with a Certificate ............................................... 6-15 

FileArmor Secure Delete ............................................................................. 6-15 

Chapter 7: Working with KeyArmor 

KeyArmor Authentication ............................................................................ 7-2 

Authenticating to KeyArmor for the First Time ............................... 7-2 

Changing Authentication Methods ...................................................... 7-3 

Fixed Password ....................................................................................... 7-3 

KeyArmor Features ........................................................................................ 7-4 

Device Components .............................................................................. 7-4 

Protecting Files with KeyArmor .......................................................... 7-5 

No Information Left Behind ................................................................ 7-5 

KeyArmor Antivirus Updates and Activity ........................................ 7-5 

KeyArmor Check Disk Notification ................................................... 7-6 

Using KeyArmor ............................................................................................ 7-6 

Warning About Unencrypted Devices ................................................ 7-6 

KeyArmor Taskbar ................................................................................ 7-7 

KeyArmor Menu .................................................................................... 7-7 

Protecting Files with KeyArmor ........................................................ 7-12 

KeyArmor Activity Logging ............................................................... 7-12 

Safely Removing KeyArmor ............................................................... 7-13 

KeyArmor Full Scan ............................................................................ 7-13 

Reassigning a KeyArmor Device to Another User ......................... 7-15 

Adding a Deleted KeyArmor Back to the Enterprise .................... 7-16 

Chapter 8: Working with Logs and Reports 

Log Events ....................................................................................................... 8-2 

Managing Log Events ............................................................................ 8-2 

Alerts ........................................................................................................ 8-3 

Setting PolicyServer Alerts .................................................................... 8-3 

Enabling PolicyServer to relay SMS and Email Delivery ................. 8-3


Reports ............................................................................................................. 8-5 

Report Options ....................................................................................... 8-6 

Report Icons ............................................................................................ 8-6 

Report Types ........................................................................................... 8-7 

Displaying Reports ................................................................................. 8-9 

Scheduling Reports .............................................................................. 8-10 

Displaying Report Errors .................................................................... 8-10 

Chapter 9: Getting Support 

Trend Community .......................................................................................... 9-2 

Support Portal ................................................................................................. 9-2 

Contacting Technical Support ...................................................................... 9-3 

Resolving Issues Faster .......................................................................... 9-3 

TrendLabs ........................................................................................................ 9-4 

Appendix A: PolicyServer Message IDs 

Index 

Index .............................................................................................................. IN-1 

vii

Preface 

Preface 

Welcome to the Trend Micro Endpoint Encryption Administrator’s Guide. This 

guide explains the major aspects of Endpoint Encryption: security architecture, 

encryption, authentication, and endpoint management. Topics include how to use server 

and endpoint client applications to support security objectives, how to provision users, 

groups and devices to implement policies, and how to use reports and logs to analyze 

enterprise security. This guide also includes information about troubleshooting 

configurations, using tools, and resolving issues. 

This preface covers the following topics: 

• Product Document Set on page x 

• Document Conventions on page x 

• Intended Audience on page xi 

• Terminology on page xii 

• About Trend Micro on page xiv 

ix


Product Document Set 

x 

The documentation set for Trend Micro Endpoint Encryption includes the following: 

TABLE 1. Product Documentation 

DOCUMENT DESCRIPTION 

Installation Guide The Installation Guide explains system requirements and 

contains detailed instructions about how to deploy, install, 

migrate, and upgrade PolicyServer and endpoint clients. 

Administrator’s Guide The Administrator’s Guide explains product concepts, 

features and detailed instructions about how to configure and 

manage PolicyServer and endpoint clients. 

Readme file The Readme file contains late-breaking product information 

that is not found in the online or printed documentation. 

Topics include a description of new features, known issues, 

and product release history. 

Knowledge Base An online database of problem-solving and troubleshooting 

information. It provides the latest information about known 

product issues. To access the Knowledge Base, go to the 

following website: 

Note 

All documentation is accessible from: 

docs.trendmicro.com 

Document Conventions 

http://esupport.trendmicro.com 

The documentation uses the following conventions:

TABLE 2. Document Conventions 

CONVENTION DESCRIPTION 

UPPER CASE Acronyms, abbreviations, and names of certain 

commands and keys on the keyboard 

Bold Menus and menu commands, command buttons, tabs, 

and options 

Italics References to other documents 

Monospace Sample command lines, program code, web URLs, file 

names, and program output 

Navigation > Path The navigation path to reach a particular screen 

Note 

Tip 

Important 

WARNING! 

Intended Audience 

Preface 

For example, File > Save means, click File and then click 

Save on the interface 

Configuration notes 

Recommendations or suggestions 

Information regarding required or default configuration 

settings and product limitations 

Critical actions and configuration options 

This guide is for IT Administrators deploying Trend Micro Endpoint Encryption in 

medium to large enterprises and Help Desk personnel who manage users, groups, 

policies, and devices. The documentation assumes basic device, networking and security 

knowledge, including: 

• Device hardware setup and configuration 

xi


xii 

• Hard drive partitioning, formatting, and maintenance 

• Client-server architecture 

Terminology 

The following table provides terminology used throughout the documentation: 

TABLE 3. Endpoint Encryption Terminology 

TERM DESCRIPTION 

Authentication The process of identifying a user. 

ColorCode A color-sequence password. 

Command Line Helper Create encrypted values to secure credentials when creating 

an installation script. 

Command Line Installer 

Helper 

Create encrypted values to secure credentials when 

generating scripts for automated installations. 

Device Computer, laptop, or removal media (external drive, USB 

drive) hardware. 

Domain authentication Single sign-on (SSO) using Active Directory. 

DriveTrust Hardware-based encryption technology by Seagate. 

Endpoint client Any device with an Endpoint Encryption application installed. 

FileArmor The Endpoint Encryption client for file and folder encryption 

on local drives and removable media. 

FIPS Federal Information Processing Standard. United States 

federal government computing standards. 

Fixed password A standard user password consisting of letters and/or 

numbers and/or special characters. 

Full Disk Encryption The Endpoint Encryption client for hardware and software 

encryption with preboot authentication.

TERM DESCRIPTION 

KeyArmor The Endpoint Encryption client for a password-protected, 

encrypted USB drive. 

OCSP The Online Certificate Status Protocol (OCSP) is an Internet 

protocol used for X.509 digital certificates. 

OPAL Trusted Computing Group's Security Subsystem Class for 

client devices. 

Password Any type of authentication data, such as fixed, PIN, and 

ColorCode. 

Preface 

PolicyServer The central management server that deploys encryption and 

authentication policies to the endpoint clients (Full Disk 

Encryption, FileArmor, KeyArmor). 

SED Secure Encrypted Device. A hard drive, or other device, 

which is encrypted. 

Smart card A physical card used in conjunction with a PIN or fixed 

password. 

PIN A Personal Identification Number, commonly used for ATM 

transactions. 

Recovery Console Recover a device in the event of primary OS failure, 

troubleshoot network issues, and manage users, policies, 

and logs. 

Remote Help Interactive authentication for users who forget their 

credentials or devices that have not synchronized policies 

within a pre-determined amount of time. 

Repair CD Use this bootable CD to decrypt drive before removing Full 

Disk Encryption in the event that the disk becomes corrupted, 

RSA SecurID A mechanism for performing two-factor authentication for a 

user to a network resource. 

Self Help Question and answer combinations that allow users to reset 

a forgotten password without contacting Support. 

xiii


About Trend Micro 

xiv 

As a global leader in cloud security, Trend Micro develops Internet content security and 

threat management solutions that make the world safe for businesses and consumers to 

exchange digital information. With over 20 years of experience, Trend Micro provides 

top-ranked client, server, and cloud-based solutions that stop threats faster and protect 

data in physical, virtualized, and cloud environments. 

As new threats and vulnerabilities emerge, Trend Micro remains committed to helping 

customers secure data, ensure compliance, reduce costs, and safeguard business 

integrity. For more information, visit: 

http://www.trendmicro.com 

Trend Micro and the Trend Micro t-ball logo are trademarks of Trend Micro 

Incorporated and are registered in some jurisdictions. All other marks are the trademarks 

or registered trademarks of their respective companies.

Chapter 1 

Understanding Trend Micro Endpoint 

Encryption 

Trend Micro Endpoint Encryption provides robust data protection and device 

control for a wide range of devices, including laptops, desktops, tablets, CDs, DVDs, 

USB drives, and other removable media. 

This chapter covers the following topics: 

• About Endpoint Encryption on page 1-2 

• Key Features & Benefits on page 1-8 

• Understanding Encryption on page 1-9 

• System Requirements on page 1-4 

• Account Roles and Authentication on page 1-12 

• New Features in Endpoint Encryption 3.1.3 on page 1-19 

1-1


About Endpoint Encryption 

1-2 

Trend Micro Endpoint Encryption is a fully integrated hardware-based and softwarebased 

encryption solution to protect laptops and desktops, files and folders, removable 

media, and encrypted USB drives with embedded anti-malware/antivirus protection. 

With Endpoint Encryption, Administrators can use a single management console to 

flexibly manage a combination of hardware and software-based encryption with full 

transparency for end-users. 

Trend Micro Endpoint Encryption ensures end-to-end data protection by providing 

FIPS 140-2 encryption of the data residing on the management server; all data 

transmitted to/from the server; all data stored on the endpoint device; and, all locally 

stored client logs. 

Using FIPS 140-2 accredited cryptography, Endpoint Encryption offers the following 

benefits: 

• Comprehensive data protection through fully integrated full disk, file, folder, USB 

drives, and removable media encryption. 

• Centralized policy administration and key management through a single 

management server and console. 

• Device management through device-specific information gathering and remote 

lock, reset, and the capability to wipe all endpoint data. 

• Advanced real-time reporting and auditing to ensure security compliance. 

Endpoint Encryption Components 

Endpoint Encryption consists of one central management server (PolicyServer Web 

Service) that manages the policy and log databases (MobileArmor DB), LDAP 

authentication with Active Directory, and all client-server activity. Endpoint Encryption 

clients cannot interface directly with PolicyServer and must connect through the Client 

Web Service. For an illustration of this architecture, see Figure 1-1: Endpoint Encryption 

Client-Server Architecture on page 1-3.

Note 

Understanding Trend Micro Endpoint Encryption 

The port settings for all HTTP traffic is configurable at time of installation or through 

settings on the Endpoint Encryption client. 

FIGURE 1-1. Endpoint Encryption Client-Server Architecture 

The following table describes these components. 

1-3


1-4 

TABLE 1-1. Endpoint Encryption Components 

COMPONENT DESCRIPTION 

PolicyServer Web 

Service 

The IIS web service that provides central management of 

policy administration, authentication, and reporting. 

PolicyServer MMC The PolicyServer Microsoft Management Console (MMC) 

is the interface used to control PolicyServer. 

Endpoint Encryption 

client 

An Endpoint Encryption client is any device with either Full 

Disk Encryption, FileArmor, or KeyArmor installed. 

• Full Disk Encryption provides hardware and software full 

disk encryption, and preboot authentication. 

• FileArmor provides file and folder encryption for content 

on local drives and removable media. 

• KeyArmor is a hardened, encrypted USB drive with 

integrated antivirus protection. 

MobileArmorDB The Microsoft SQL Server database storing all user, policy, 

and log details. 

Active Directory The PolicyServer Web Service synchronizes user account 

information by communicating with Active Directory using 

LDAP. Account information is cached locally in the 

MobileArmorDB. 

Note 

Active Directory is optional. 

Client Web Service The IIS web service that Endpoint Encryption clients use to 

communicate with the PolicyServer Web Service. 

System Requirements 

The tables below outline the system requirements for Endpoint Encryption.

TABLE 1-2. PolicyServer Hardware Requirements 

PolicyServer Host (3,000 

Users) 

• 2GHz Dual Quad Core 

Core2 Intel Xeon 

Processors 

• 4GB RAM 

• 40GB hard disk space 


SEPARATE HOSTS SINGLE HOST 

SQL Server Host (3,000 

Users) 

• 2GHz Dual Quad Core 


Processors 

• 8GB RAM 


TABLE 1-3. PolicyServer Minimum Software Requirements 

FUNCTION REQUIREMENT 

PolicyServer and SQL 

Server (1,500 Users) 

• 2GHz Quad Core 


Processors 

• 8GB RAM 

Operating System • Windows Server 2003 SP2 32/64-bit 


• Windows Server 2008 or 2008 R2 64-bit 

Applications and Settings • Application Server 

• IIS 

• Allow Active Server pages 

• Allow ASP.NET 

• .Net Framework 2.0 SP2 

Note 

PolicyServer 3.1.3 requires two IIS locations. 

The PolicyServer Administration Interface and 

the Client Application Interface should be 

installed on different IIS locations. 

Database • Microsoft SQL 2005/2008/2008 R2 

• Microsoft SQL Express 2005(SP3)/2008 

• Mixed Mode Authentication (SA password) 

installed 

• Reporting services installed 

1-5


1-6 

TABLE 1-4. Full Disk Encryption System Requirements 

ITEM REQUIREMENT 

Processor Intel Core 2 or compatible processor. 

Memory • Minimum: 1GB 

Disk space • Minimum: 30GB 

• Required: 20% free disk space 

• Required: 256MB contiguous free space 

Network connectivity Communication with PolicyServer 3.1.3 required for managed 

installations 

Operating Systems • Windows 8 (32/64-bit) 

• Windows 7 (32/64-bit) 

• Windows Vista with SP1 (32/64-bit) 

• Windows XP with SP3 (32-bit) 

Other software Additional requirements Windows 8: 

• Microsoft .NET Framework 3.5 is enabled 

• For devices with UEFI, see the Endpoint Encryption 

Installation Guide for instructions to change the boot 

priority. 

Additional requirements for Windows XP: 

• Microsoft .NET Framework 2.0 SP1 or later 

• Microsoft Windows Installer 3.1 

Hard disk • Seagate DriveTrust drives 

• Seagate OPAL and OPAL 2 drives 

Note 

• RAID and SCSI disks are not supported. 

• Full Disk Encryption for Windows 8 does not 

support RAID, SCSI, eDrive, or OPAL 2 drives.


Other hardware ATA, AHCI, or IRRT hard disk controller 

TABLE 1-5. FileArmor System Requirements 


Processor Intel Core2 or compatible processor. 

Memory • Minimum: 512MB 

• Recommended: 1GB 

Disk space • Minimum: 2GB 

• Required: 20% free disk space 


Network connectivity Communication with PolicyServer required for managed 

installations 


• Windows 7 (32/64-bit) 



Other software Additional requirements for Windows 8: 

• Microsoft .NET Framework 3.5 is enabled 

• For devices with UEFI, see the Endpoint Encryption 

Installation Guide for instructions to change the boot 

priority. 

Additional requirements for Windows XP: 


• Microsoft Windows Installer 3.1 

TABLE 1-6. KeyArmor System Requirements 


Hardware USB 2.0 port 

1-7


1-8 


Network connectivity Communication with PolicyServer required for managed 

installations 




Other software Additional software required when installing on Windows 

XP: 

Key Features & Benefits 


Endpoint Encryption includes the following key features and benefits: 

TABLE 1-7. Endpoint Encryption Key Features 

FEATURE BENEFITS 

Encryption • Protection for the full disk, including the master boot record 

(MBR), operating system, and all system files. 

• Hardware-based and software-based encryption for mixed 

environments. 

Authentication • Flexible authentication methods, including both single and 

multi-factor. 

• Policy updates before authentication and system boot. 

• Configurable actions on failed password attempt threshold. 

Device management • Policies to protect data on PCs, laptops, tablets, USB 

drives, CDs, and DVDs. 

• Ability to remotely lock, wipe, or kill a device.

FEATURE BENEFITS 


Central administration • Full control over encryption, monitoring, and data 

protection. 

Record keeping, 

reports, and auditing 

Understanding Encryption 

• Automated policy enforcement with remediation of security 

events. 

• Analyze usage statistics with scheduled reports and alert 

notifications. 

Encryption is the process of making data unreadable unless there is access to the 

encryption key. Encryption can be performed via software or hardware (or a 

combination of the two) to ensure that data is protected locally on a device, on 

removable media, on specific files and folders, and on data in transit across networks or 

the Internet. Endpoint encryption is the most important way to assure data security and 

to ensure that regulatory compliance mandates for data protection are met. 

File Encryption 

FileArmor protects individual files and folders on local hard drives, and removable 

media devices (USB drives). Administrators can set policies specifying which folders and 

drives are encrypted on the device and policies about encrypted data on removable 

media. File and folder encryption is performed after authentication takes place. 

FileArmor can also protect different files with different keys, allowing Administrators to 

set access policies to a device and separate policies for access to certain files. This is 

useful in environments where multiple users access one endpoint. 

Full Disk Encryption 

Full disk encryption is the most common encryption solution deployed to endpoints 

today because it protects all drive data, including operating system, program, temporary, 

and end-user files. Many full disk encryption applications also enhance operating system 

1-9


1-10 

security by requiring the user to authenticate before booting/unlocking the drive and 

providing access to the operating system. 

As an encryption solution, Trend Micro Full Disk Encryption offers both softwarebased 

and hardware-based encryption. While hardware-based encryption is simpler to 

deploy on new hardware, easier to maintain, and offers a higher level of performance, 

software-based encryption does not require any hardware and is cheaper to deploy to 

existing endpoints. Trend Micro PolicyServer is able to centrally administer Full Disk 

Encryption, providing organizations with flexibility to use either software-based or 

hardware-based encrypted devices as needed. 

Unique to Endpoint Encryption is a network-aware feature that updates policies in realtime 

prior to allowing authentication. Endpoint Encryption also enables administrators 

to lock or wipe a drive before the operating system (and any sensitive data) can be 

accessed. 

Key Management 

Unmanaged encryption products require Administrators or users to keep track of the 

encryption key on a USB device. Endpoint Encryption secures and escrows encryption 

keys transparently while enabling an Administrator to use a key to log on the protected 

device to recover protected data. 

KeyArmor USB drives secures data with always-on hardware encryption and embedded 

antivirus/anti-malware protection to meet regulatory compliance requirements and 

stringent government mandates. With KeyArmor, Administrators have complete 

visibility and control of who, when, where, and how USB drives are used in their 

organization. 

About FIPS 

The Federal Information Processing Standard (FIPS) Publication 140-2 is a United States 

government device security standard that specifies the security requirements for 

encryption modules. FIPS 140-2 includes four levels of security:

TABLE 1-8. FIPS 140-2 Security Levels 

LEVEL DESCRIPTION 


Level 1 Requires all encryption components to be production grade, and absent 

of obvious security holes. 

Level 2 Includes level 1 requirements and adds physical tamper-evidence and 

role-based authentication. 

Level 3 Includes level 2 requirements and adds physical tamper-resistance and 

identity-based authentication. 

Level 4 Includes level 3 requirements and adds additional physical security 

requirements. 

Endpoint Encryption ensures end-to-end data protection by providing FIPS 140-2 level 

encryption of data residing on the PolicyServer; all data transmitted between 

PolicyServer and endpoint clients; all data stored on the endpoint device; and, all locally 

stored client logs. 

Management and Integration 

When end-users require fortified data protection on multiple types of devices, which 

may require different encryption types, a centrally managed and integrated Endpoint 

Encryption solution reduces administration and maintenance costs. Endpoint 

Encryption is a centrally managed solution enabling the following data protection 

features: 

• Centrally and transparently update the Endpoint Encryption clients when new 

versions are released 

• Administer and leverage security policies to individuals and groups from a single 

policy server 

• Control password strength and regularity for password changes 

• Update security policies in real-time, before authentication, to revoke user 

credentials before booting the operating system 

1-11


Account Roles and Authentication 

1-12 

Trend Micro Endpoint Encryption offers Administrators a number of account roles and 

authentication methods depending on their specific needs, including multi-factor 

authentication. 

Account Roles 

Endpoint Encryption includes several different account types intended for different 

roles within the enterprise. These roles determine how accounts access and perform 

various tasks. 

TABLE 1-9. Endpoint Encryption Account Roles 

ROLES DESCRIPTION 

Enterprise Administrator Controls entire enterprise and has administrative rights to 

all groups, users, devices, and policies regardless of 

where they reside within the enterprise. 

Group Administrator Administrative rights over any group and its subgroups that 

they are assigned. 

Note 

Rights do not apply to parent groups, groups at the 

same level in the hierarchy or their subgroups. 

Enterprise Authenticator Intended for Help Desk personnel to provide remote 

assistance. This can occur when a user must call the help 

desk because they forgot their password or have technical 

problem. Enterprise Authenticators have configurable 

privileges over the entire enterprise. 

Group Authenticator Similar to Enterprise Authenticator, but limited to the group 

level only. 

User For end-users who make use of the endpoint clients, but 

are not assigned administrative or authenticator 

responsibilities.

Access Control by Application 


Authentication and access control are important in any enterprise. Full Disk Encryption 

limits system access at boot up and file and folder access once the user is logged on the 

operating system. FileArmor, KeyArmor, and PolicyServer provide the same level of 

security and access control by enabling two-factor authentication. 

Each Endpoint Encryption application offers unique characteristics and levels of 

control. 

TABLE 1-10. Authentication Control by Application 

APPLICATION CONTROL 

PolicyServer Application access to the management console. 

Full Disk Encryption Authentication control before booting into Windows. 

FileArmor File and folder-level access control once in the operating 

system. 

KeyArmor Device control for access to encrypted content on removable 

devices. 

Authentication Options by Application 

TABLE 1-11. Authentication Options Available to Endpoint Clients 

PRODUCT 

FIXED 

PASSWORD 

DOMAIN 

PASSWORD 

AUTHENTICATION OPTIONS 

SMART 

CARD 

PIN RSA COLORCODE 

PolicyServer Yes Yes Yes No No No 

Full Disk 


Yes Yes Yes Yes No Yes 

FileArmor Yes Yes Yes Yes No Yes 

KeyArmor Yes No Yes Yes Yes Yes 

1-13


Security Options 

1-14 

If a user is unable to authenticate, he/she is prompted to re-enter the credentials. 

Depending on policy settings, too many consecutive unsuccessful authentication 

attempts will delay the next log on attempt, lock, or erase all data from the endpoint. 

TABLE 1-12. Authentication Security Options 

SECURITY OPTION DESCRIPTION 

Time delay The device is locked and no authentication attempts can be 

made until the lockout time is passed. 

Remote authentication 

required 

• Ensure that the credentials are correct 

• Use Self Help (if available) to avoid waiting for the time 

delay period. 

The device is locked. 

• Ensure that the credentials are correct. 

• Contact the Administrator to use Remote Help and 

unlock the device. For details, see Remote Help on page 

1-18. 

Erase the device All data is removed from the device. 

Authentication Methods 

Endpoint Encryption offers several authentication methods. The specific methods 

available to the endpoint client are determined by PolicyServer. 

TABLE 1-13. Supported Authentication Methods 

AUTHENTICATION TYPE DESCRIPTION 

Domain authentication Single sign-on (SSO) using Active Directory. 

Fixed password A string of characters, numbers, and symbols. 

PIN A standard personal identification number. 

ColorCode Use a sequence of colors as a password.

AUTHENTICATION TYPE DESCRIPTION 


Smart card A physical card used in conjunction with a PIN or fixed 

password. 

Self Help Question and answer combinations that allow users to reset 

a forgotten password without contacting Support. 

Remote Help Interactive authentication for users who forget their 

credentials or devices that have not synchronized policies 

within a pre-determined amount of time. 

Domain Authentication 

Domain authentication using Active Directory permits single sign-on (SSO). Users only 

need to provide credentials once to authenticate to Full Disk Encryption, log on 

Windows, and access FileArmor. 

Prerequisites 

For seamless integration, ensure the following requirements are met: 

• All devices are on the same domain as PolicyServer. 

• The user name configured in Active Directory exactly matches the one in 

PolicyServer, including case. 

• The user name is located within a PolicyServer group and the Domain 

Authentication policy is set to Yes. 

• Common > Network Login policies (Host Name, Domain Name) are configured 

correctly based on the LDAP or Active Directory server settings. 

Note 

For details about configuring LDAP and Active Directory settings, see Active Directory 

Synchronization on page 1-19. 

1-15


1-16 

Fixed Passwords 

Fixed passwords are the most common authentication method. A fixed password is 

created by the user and can be almost anything. Administrators can place restrictions on 

fixed passwords to ensure that they are not easily compromised. 

PIN 

A Personal Identification Number (PIN) is another common identification method. 

Similar to a fixed password, a PIN is created by the user and can be almost anything. 

Like fixed passwords, Administrators may place restrictions on the PIN combination. 

ColorCode 

ColorCode is a unique authentication method designed to easily remembered and 

quickly provide. Instead of using numbers or letters for a password, ColorCode


authentication consists of a user-created sequence of colors (for example: red, red, blue, 

yellow, blue, green). 

FIGURE 1-2. ColorCode Logon 

Smart Card 

Smart card authentication requires both a PIN and a physical card when confirming a 

user's identity. Insert the smart card before providing a PIN. 

Important 

To allow smart card authentication for all Endpoint Encryption clients, enable the 

following policy: Full Disk Encryption > PC > Login > Token Authentication. 

1-17


1-18 

Self Help 

Use Self Help to authenticate when users have forgotten their credentials. Self Help 

requires users to respond with answers to predefined personal challenge questions. Self 

Help can also be used instead of fixed password or other authentication methods. 

Important 

PolicyServer must be configured to allow Self Help authentication. For more information, 

see Understanding Policies on page 3-1. 

WARNING! 

A maximum of six questions can display to endpoint clients. Do not create more than six 

questions in PolicyServer, or users will be unable to log on. 

Remote Help 

Use Remote Help when a user is locked out of an endpoint client after too many failed 

logon attempts or when the period between the last PolicyServer synchronization has 

been too long. 

Within each application’s policies, set the action to Remote Authentication. 

TABLE 1-14. Policies Affecting Remote Help Authentication 

POLICY DESCRIPTION 

Login > Account Lockout Period The number of days that a device can not 

communicate with PolicyServer before 

Account Lockout Action is called. 

Login > Account Lockout Action The action taken when the length of time in 

Account Lockout Actions include: erase, 

remote authentication. 

Login > Failed Login Attempts 

Allowed 

The number of failed login attempts allowed 

before executing the action defined in Device 

Locked



Login > Device Locked Action The action taken when the Failed Attempts 

Allowed policy value has been exceeded. 

Actions include: time delay, erase, remote 


New Features in Endpoint Encryption 3.1.3 

Trend Micro Endpoint Encryption 3.1.3 includes the following enhancements: 

Multi-language Support 

Endpoint Encryption now offers support for the following languages: 

TABLE 1-15. Supported Languages 

PRODUCT 

LANGUAGES 

SPANISH FRENCH GERMAN 

Full Disk Encryption Yes Yes Yes 

FileArmor Yes Yes Yes 

PolicyServer Yes Yes Yes 

KeyArmor No No No 

Active Directory Synchronization 

Endpoint Encryption now supports account synchronization between Active Directory 

and PolicyServer. Active Directory can be leveraged for single-sign-on across all 

endpoint client applications. 

See the Endpoint Encryption Installation Guide for detailed instructions about how to 

configure PolicyServer for AD synchronization. The Installation Guide is available at: 

1-19


1-20 


PolicyServer 3.1.3 Enhancements 

• The PolicyServer installer now allows for a trial license that expires after 30 days. 

The Enterprise name and Enterprise Administrator account are configured at time 

of installation. 

• The port number for web services can now be set during installation. 

• To improve security, PolicyServer now has a Client Web Service that allows all 

clients to connect to PolicyServer using this new interface. 

• Improved policy lookup and naming. 

• Improved audit logs. 

• A new Recycle Bin node allows Administrators to recover deleted users and 

devices. 

• Global policies now allow for policy changes to easily push to subgroups from the 

parent level. 

Full Disk Encryption 3.1.3 Enhancements 

New Features 

• OPAL 2 is now supported 

• Windows 8 is now supported on non-UEFI devices 

• Policies now automatically synchronize with PolicyServer when a device loads the 

preboot logon 

• Password sharing between devices in the same PolicyServer group (for password 

sharing devices) is now supported 

• Unmanaged installations now fully support hardware and software based 

encryption 

• Console-based preboot now works for unsupported display configurations

Easier Installation 


• There is now one installer for software and hardware based encryption (Seagate 

OPAL and DriveTrust). This same installer also supports 32 and 64-Bit OS 

installations 

• Improved pre-install check and error/log reporting 

• Full Disk Encryption can now install without encrypting and without a preboot 

(via policy setting). This provides better control of phased roll-out to distribute 

software, enable preboot authentication, and turn on encryption 

Improved Management and Administration 

• Recovery Console access in Windows and preboot 

• Easily update the PolicyServer information and re-assign a device to the original 

PolicyServer or a new PolicyServer 

• More Robust Repair CD 

• Scripted Uninstalls 

1-21

Chapter 2 

Getting Started with PolicyServer 

Before configuring PolicyServer to centrally manage endpoint clients, PolicyServer 

services, databases, and PolicyServer MMC should already be installed. See the Endpoint 

Encryption Installation Guide for detailed instructions about setting up PolicyServer 

services, databases, and PolicyServer MMC. The Installation Guide is available at: 



• Authenticating for the First Time on page 2-2 

• Introducing PolicyServer on page 2-2 

• Working with Groups and Users on page 2-4 

• Understanding Policy Controls on page 2-13 

• Enabling Applications on page 2-17 

2-1


Authenticating for the First Time 

2-2 

The Enterprise name and Enterprise Administrator account were configured at the time 

of installation. PolicyServer functions normally with all client applications, unlimited 

devices, and 100 users available for a 30-day trial period. After 30 days, contact 

Technical Support to receive a license file. Users/devices can still log on after the trial 

period expires. 

This task explains how to import the license file and then log on PolicyServer. It is 

usually provided as a text file 

Procedure 

1. Open PolicyServer MMC. 

2. Go to File > Import License. 

3. Provide the license file unlock code. 

4. Browse to the license file and then click Update. 

5. Provide the enterprise, user name, password and the PolicyServer IP address or 

hostname specified in the license file. 

6. Click Login. 

Introducing PolicyServer 

PolicyServer utilizes a Microsoft Management Console (MMC). PolicyServer has a 

hierarchical structure that distributes administrative responsibility while maintaining 

centralized control when: 

• Defining security policy parameters 

• Managing users, devices, and groups (including offline groups) 

• Enabling/Disabling endpoint applications


Use PolicyServer MMC auditing and reporting functions to monitor the security 

infrastructure and meet compliance requirements. 

PolicyServer MMC Interface 

PolicyServer MMC interface contains the following panes: 

TABLE 2-1. PolicyServer MMC Interface 

WINDOW DESCRIPTION 

Left pane (1) Use the left pane to view users, groups, policies, devices, and 

applications. Expand the top level to manage nested elements 

within the tree structure. Open items will update the content in the 

results window. 

Right pane (2) Use the right pane to modify policies, user information, and group 

information. The currently selected tree item is displayed in the 

results window. The exact format of the information shown in the 

results window depends on the item selected in the tree. 

FIGURE 2-1. PolicyServer MMC Interface 

2-3


2-4 

Within the left pane tree structure, there are a number of different nodes. The following 

table describes each node: 

TABLE 2-2. PolicyServer MMC Tree Structure Hierarchy 

NODE PURPOSE 

Enterprise users View all Administrators, authenticators and users within the 

entire enterprise. To see group affiliation, open the group and 

click Users. 

Enterprise devices View all instances of endpoint clients and which device they 

are connecting from. To see group affiliation, open the group 

and click Devices. 

Enterprise policies Control whether endpoint applications can connect to 

PolicyServer. Also, manage all enterprise policies. Group 

policies override enterprise policies. 

Enterprise log events View all log entries for the enterprise. 

Enterprise reports Manage various reports and alerts. No group-only reports are 

available. 

Enterprise maintenance Manage PolicyServer MMC application plug-ins. 

Recycle bin View deleted users and devices. 

Groups Manage users, devices, policies and log events for a collection 

of users. 

Working with Groups and Users 

This section explains how to get started with Endpoint Encryption groups and users. 

First define the users and groups, and then assign users to groups. It is also possible to 

add new users directly to a group. At least one Top Group is required. 

User and group structure recommendations: 

• Follow the Active Directory structure when configuring a group structure.


• Create a new group whenever there is a policy difference between groups of users. 

If one group requires domain authentication and another requires fixed password, 

then two separate policy groups are required. 

• Create multiple groups to minimize access to devices within a group. All members 

of a group are allowed access to any device in that group. 

Defining Users and Groups 

Define all roles and group affiliations before adding any users or groups to PolicyServer. 

1. Identify Enterprise Administrators/Authenticators. 

2. Create Enterprise Administrators/Authenticators. 

3. Identify groups. 

4. Create groups. 

5. Identify Group Administrators/Authenticators. 

6. Create Group Administrators/Authenticators. 

7. Identify users to be assigned to each group. 

8. Import or create new users each group. 

Adding a Top Group 

Groups simplify managing enabled applications, users, policies, subgroups, and devices. 

A Top Group is the highest level group. 

Note 

Procedure 

Enterprise Administrator/Authenticator accounts cannot be added to groups. To create a 

Group Administrator, add a user and change his/her permissions within the group. 

1. Right-click the enterprise name in the left pane, and click Add Top Group. 

2-5


2-6 

FIGURE 2-2. Adding a Top Group 

The Add New Group screen appears. 

2. Provide the name and a description for the group. 

3. Only select Support Legacy Devices if using legacy devices that do not support 

Unicode encoding. Some legacy devices may not be able to communicate with 

PolicyServer using Unicode. Assign Unicode and legacy devices to different groups.

FIGURE 2-3. Add New Group 

4. Click Apply. 

5. At the confirmation message, click OK. 

The new group is added to the tree structure in the left pane. 

Adding a New User to a Group 

Note 

Procedure 

• Adding a user to the enterprise does not assign the user to any groups. 


• Adding a user to a group adds the user to the group and to the enterprise. 

1. Expand the Group and open Users. 

2. Right-click whitespace in the right pane and select Add New User. 

2-7


2-8 

The Add New User screen appears. 

FIGURE 2-4. Add New User Screen 

3. Specify user information. User name, first name, and last name are required. 

4. Only select Freeze if the account should be temporarily disabled. While frozen, the 

user is unable to log on devices. 

5. Use the Group User Type field to set the privileges of the new account. 

Enterprise Administrators and Authenticators cannot be added to groups. 

6. Select One Group to disable the user from multiple groups membership. 

7. Select the Authentication Method. 

Note 

8. Click OK. 

The default authentication method for users is None.


The new user is added to the selected group and to the Enterprise. The user can 

now log on a device. 

Adding a New Enterprise User 

Note 

Procedure 



1. Expand the Enterprise and open Users. 

2. Right-click whitespace in the right pane and select Add User. 

The Add New User screen displays. 

2-9


2-10 





5. Use the User Type field to set the privileges of the new account. Enterprise 

Administrators and Authenticators cannot be added to groups. 



Note 

8. Click OK. 

The default authentication method for users is None.


The new user is added this PolicyServer Enterprise. The user cannot log on a 

device until he/she is added to a group. 

Adding an Existing User to a Group 

A user can be added to numerous groups. 

Procedure 

1. Expand the group in the left pane and then click Users. 

2. Right-click whitespace in the right pane, and select Add Existing User. 

The Add Users To Group screen appears. 

2-11


2-12 

FIGURE 2-6. Add Existing Users To Group Screen 

3. Specify user details and then click Search. 

If there is a match, the Source field populates with accounts. 

4. Select user accounts from the list and click the blue arrow to add them. See 

Table 2-3: Icons to Add/Remove Users on page 2-12 for additional controls. 

TABLE 2-3. Icons to Add/Remove Users 

CENTER ICONS DESCRIPTION 

Add a single selected user to Destination field.


5. To change a user’s password: 


Add all found users based on search criteria to Destination field. 

Delete a single select user from Destination field. 

Delete all users from Destination field. 

a. In the Destination field, highlight the user. 

b. Click Enter User Password located at the bottom of the window. 

c. In the window that appears, specify the user’s authentication method. 

d. Click Apply. 


The user is added to the group. If this is the only group that the user belongs to, 

then the user is now able to log on to the endpoint client. 

Understanding Policy Controls 

After setting up all users and groups in the enterprise, set policies for the enterprise or 

group. Each group in the left pane tree structure (whether a Top Group or subgroup) 

contains one or more endpoint application policy folders. 

For details about the PolicyServer interface, see PolicyServer MMC Interface on page 2-3. 

2-13


2-14 

Note 

Policies can be enabled or disabled at the enterprise or group level. See Working with Policies 

on page 3-2. 

Visual Indicators for Policies 

Colored circles beside each policy indicate the state of the policy. 

TABLE 2-4. Policy Indicators 

INDICATOR DESCRIPTION 

The policy value is inherited from the parent group or the Enterprise. 

A policy is modified for the group. 

Policy Fields and Buttons 

The policy may have multiple arrays of values. 

The policy has one or more sub-policies. 

Use the fields and buttons shown below to control policy elements. All modified values 

are propagated to a group's subgroups. Depending on what the policy controls, certain 

fields are not present. 

TABLE 2-5. Policy Fields and Buttons 

FIELD/BUTTON DESCRIPTION CHANGEABLE? 

OK Saves changes to the selected policy N/A 

Description Explains the selected policy No 

Policy Range Displays the value range that the selected 

policy can fall between 

Yes


FIELD/BUTTON DESCRIPTION CHANGEABLE? 

Policy Value Depending on the policy, displays the actual 

value of the selected policy, whether it 

contains a string, number, or series of entries 

Policy Multiple Value Specifies whether this policy can be used 

multiple times for different settings (multiple “if 

found” strings) 

Policy Name Displays the name of the selected policy No 

Policy Type Specifies the category for the selected policy No 

Enterprise controlled Makes this policy mirror changes to the same 

policy at the Enterprise level 

Save to subgroups Pushes policy settings to the same policy in all 

subgroups 

Modifying Policies 

PolicyServer has a common set of windows to modify policies. Different types of input 

is available depending on what the policy controls and which parameters are required. 

The steps required to edit one policy are different to modify another policy. This task 

gives a general overview about editing a policy. 

For more details about modifying policies, including explanations about configuring 

different policy types, see Policy Management on page 3-2. 

Procedure 

1. Expand the Enterprise. 

2. Choose which policy level to modify: 

a. For enterprise-level policies, expand Enterprise Policies. 

b. For group-level policies, expand the Group Name and then expand Policies. 

3. Open the specific application or select Common. 

The policy list displays in the results windows. 

Yes 

No 

Yes 

Yes 

2-15


2-16 

FIGURE 2-7. Modifying a Policy 

4. Go to a policy and double-click to open the editor window. For this example, 

Console Timeout is used.

FIGURE 2-8. Console Timeout Policy Editor Window 

5. Specify changes appropriate for the policy, and then click OK. 

Enabling Applications 

Procedure 

Important 


To ensure proper communication and policy synchronization, the Endpoint Encryption 

application must be enabled in PolicyServer before installation. 

1. Log on PolicyServer MMC. 

2-17


2-18 

2. Click Enterprise Policies. 

All applications appear in the right pane 

FIGURE 2-9. Enable Applications 

3. Right-click the application and then select Enable. 

Note 

In order to use Full Disk Encryption, both Full Disk Encryption and MobileSentinel 

applications must be enabled. 

The application is enabled and managed by PolicyServer.

Understanding Policies 

Chapter 3 

This chapter explains how to use policies and provides detailed information about 

individual policy setting values. For information about managing users, groups, and 

devices, see Working with Groups, Users, and Devices on page 4-1. 

This chapter explains the following topics: 

• Working with Policies on page 3-2 

• Policy Management on page 3-2 

• PolicyServer Policies on page 3-12 

• Full Disk Encryption Policies on page 3-17 

• FileArmor Policies on page 3-23 

• MobileSentinel Policies on page 3-28 

• KeyArmor Policies on page 3-32 

• DriveArmor Policies on page 3-36 

• Common Policies on page 3-40 

3-1


Working with Policies 

3-2 

This section explains how to use various windows to change a policy, but does not 

explain the process to modify every policy. All policies have default values. PolicyServer 

MMC has a common set of windows to use when modifying a policy. One policy will 

have an editor window available to edit the numbers, ranges and values associated with 

the policy while another policy will have a window to modify text strings. 

When managing policies, note the following: 

• Policies are configurable by application within each group. 

• Policy inheritance only occurs when a subgroup is created. For details about group 

permissions, see Working with Groups on page 4-2. 

Policy Management 

Every group in the left pane tree structure (whether a Top Group or subgroup) contains 

one or more endpoint application policy folders. 

The results window in the right pane displays controls to: 

• Display a list of policies and their values. 

• Modify a policy using the editor window. 

• Run reports and other log events. 

• Run enterprise maintenance. 

For a detailed explanation of the interface, see PolicyServer MMC Interface on page 2-3.

FIGURE 3-1. PolicyServer MMC Window 

Selecting a Policy for Modification 

Procedure 

1. Go to Group Name > Policies > Application Name. 

Example: Group1 > Policies > Full Disk Encryption. 

2. Go to the specific policy. 

Example: Common > Client > Allow User to Uninstall. 

3. Right-click the policy and select Properties. 


3-3


Editing Policies with Ranges 

3-4 

An example of editing policies with ranges is the Failed Login Attempts Allowed 

policy. Failed Login Attempts Allowed controls whether a device is locked when a 

user exceeds the number of failed authentication attempts allowed. 

FIGURE 3-2. Policy with Ranges Window 

Using the parameters defined in the Policy Range fields, an Administrator can indicate 

the number of failed authentication attempts allowed per user in the Policy Value field. 

Procedure 

1. Right-click the policy to be modified and then click Properties.


2. In the Policy Range Minimum field, specify the lowest number of failed 

authentication attempts that can be made by a user in this group before the device 

is locked. 

Note 

The minimum and maximum values for the policy range can be the same as the 

parent's range, or they can be modified. The minimum and maximum values cannot 

be extended. 

3. In the Policy Range Maximum field, specify the highest number of 

authentication attempts that can be made by a user in this group before 

authentication fails and the device is locked. 

4. In the Policy Value field, specify the number of failed authentication attempts 

allowed for a user in this group before the device is locked. 

5. Click OK to save any changes to this window. 

The policy change is activated once the endpoint client synchronizes with 

PolicyServer. 

Editing Polices with True/False or Yes/ No Responses 

Some policies only have True/False or Yes/No options. For this example, Preboot 

Bypass is used. 

A Group Administrator can define whether the Full Disk Encryption Preboot should 

display. If the Parent Group allows Yes and No, then the subgroup Authenticators have 

the right to set the range to Yes and No, just Yes, or just No. If the Parent Group has 

3-5


3-6 

set the range to either Yes or No, then the subgroup Administrator can only select that 

same range. 

FIGURE 3-3. Policy with Yes/No Values 

Procedure 

1. Right-click the policy to be modified and then click Properties. 

2. The Policy Value field sets whether the policy is turned on. 

3. The Range field sets whether this policy is available to other users or groups. For 

example, if this policy is set to No by an Enterprise Administrator in Enterprise 

Policies, then the policy will not be available to set to yes by other groups. 

4. Click OK to save any changes to this window.


PolicyServer. 


Editing Policies with Multiple-choice / Single-selection 

Some policies have multiple options available. The Device Locked Action policy is 

edited in a multiple-choice/single-selection window. Administrators can only select one 

Policy Value. In this example, the Group Administrator must define the action to take 

when a user exceeds the allowed number of authentication attempts. 

FIGURE 3-4. Policy with Multiple Choice/Single Selection 

3-7


3-8 

Procedure 


2. Select the desired default setting for the Policy Value drop-down. 

3. Select the available options for the Policy Range area. 

Note 

Removing an option removes the value from the Policy Value drop-down. 

4. Click OK to save changes. 


PolicyServer.

Editing Policies with Text String Arguments 


Some policies have an editable text string for single array arguments. The Dead Man 

Switch policy is an example of a policy that provides the capability to specify a string of 

text. 

FIGURE 3-5. Policy with Text String Argument 

Procedure 


3-9


3-10 

2. For the Policy Value field, specify the sequence of characters for this policy. 

3. Click OK to save any changes to this window. 


PolicyServer. 

Editing Policies with Multiple Options 

Some policies can have multiple options stored in sub-policies affecting that policy. 

Multiple option policies are designed to create separate lines in a text string; each subpolicy 

is a new line in the string. For example, the IF Found policy displays how to 

return a found device. A normal address format displays the name, street address, and 

city/state/zip on three separate lines. 

Note 

Procedure 

The number of sub-policies is limited to endpoint application capabilities — which is 

generally no greater than six lines of text. 

1. Right-click the policy to be modified and then click Add.

FIGURE 3-6. If Found Policy: Adding a New Option 


2. In the policy window that displays, specify details in the Policy Value field. 

Note 

Depending on the policy, a new policy might be added and then modified by rightclicking 

and selecting Properties. 

3. Click OK to save any changes to this window and repeat if necessary. 

FIGURE 3-7. If Found Policy: Results After Adding Multiple Options 

4. To make changes, right-click the child policy and then select Properties. 


PolicyServer. 

3-11


PolicyServer Policies 

3-12 

This section explains the configurable options for all enterprise policies affecting 

PolicyServer. 

Admin Console Policies 

Policies governing the administration tools like Enterprise Security Manager and 

PolicyServer MMC. 

TABLE 3-1. PolicyServer Admin Console Policies 

POLICY NAME DESCRIPTION 

Console Timeout Exit the administration tool after the Timeout 

(minutes) has expired with no activity. 

Failed Login 

Attempts Allowed 

Lockout the admin logon after this number of 

consecutive failed log on attempts. 

Legal Notice Contains the legal notice that must be displayed 

before the Administrator or Authenticator can use 

the administration tools. 

Administrator Policies 

Policies governing PolicyServer group Administrator privileges. 

TABLE 3-2. PolicyServer Administrator Policies 


Add Devices Specify whether group administrators are 

allowed to add devices. 

Add Users Specify whether group administrators are 

allowed to add new users. 

VALUE RANGE 

AND DEFAULT 

1-60 

Default: 20 

0-100 

Default: 0 

1-1024 chars 

Default: N/A 

VALUE RANGE 

AND DEFAULT 

Yes, No 

Default: Yes 

Yes, No 

Default: Yes


Add Users to 

Enterprise 

Specify whether group administrators are 

allowed to add new users to the enterprise. 

Add/Modify Groups Specify whether group administrators are 

allowed to add/modify subgroups. 

Change Policies Specify whether group administrators are 

allowed to change policies. 

Copy/Paste Groups Specify whether group administrators are 

allowed to copy and paste subgroups. 

Remove Devices Specify whether group administrators are 

allowed to remove devices. 

Remove Groups Specify whether group administrators are 

allowed to remove subgroups. 

Remove Users Specify whether group administrators are 

allowed to remove users. 

Remove Users from 

Enterprise 

Authenticator Policies 

Specify whether group administrators are 

allowed to remove users from the enterprise. 

Policies governing enterprise and group authenticator rights and privileges. 

TABLE 3-3. PolicyServer Authenticator Policies 


Add Devices Specify whether authenticators are allowed to 

add devices. 

Add Users Specify whether authenticators are allowed to 

add new users. 


VALUE RANGE 

AND DEFAULT 

Yes, No 

Default: No 

Yes, No 

Default: Yes 

Yes, No 

Default: Yes 

Yes, No 

Default: Yes 

Yes, No 

Default: Yes 

Yes, No 

Default: Yes 

Yes, No 

Default: Yes 

Yes, No 

Default: No 

VALUE RANGE 

AND DEFAULT 

Yes, No 

Default: No 

Yes, No 

Default: No 

3-13


3-14 


Add Users to 

Enterprise 

Specify whether authenticators are allowed to 

add new users to the enterprise. 

Add/Modify Groups Specify whether authenticators are allowed to 

add/modify subgroups. 

Copy/Paste 

Groups 


copy and paste subgroups. 

Remove Devices Specify whether authenticators are allowed to 

remove devices. 

Remove Groups Specify whether authenticators are allowed to 

remove subgroups. 

Remove Users Specify whether authenticators are allowed to 

remove users. 

Remove Users 

from Enterprise 

Log Alert Policies 


remove users from the enterprise. 

VALUE RANGE 

AND DEFAULT 

Yes, No 

Default: No 

Yes, No 

Default: No 

Yes, No 

Default: No 

Yes, No 

Default: No 

Yes, No 

Default: No 

Yes, No 

Default: No 

Yes, No 

Default: No 

Policies governing email messages sent for important PolicyServer log events. 

TABLE 3-4. PolicyServer Log Alerts Policies 


From Email Address Specify the email address that is used as the 

source email address for the alerts email 

message. 

SMTP Server Name Specify the SMTP server responsible for 

sending alert email messages. 

VALUE RANGE 

AND DEFAULT 

1-255 

characters 

Default: N/A 

1-255 

characters 

Default: N/A

PDA Policies 

Policies governing how PDA devices can communicate with PolicyServer. 

TABLE 3-5. PolicyServer PDA Policies 

CATEGORY POLICY NAME DESCRIPTION 

PDA Cell Phone 

PDA 

Specify whether cell phone PDA 

devices are notified via SMS or 

Email the installation message. 

PDA Email Email settings used to send 

installation notification to the user. 

PDA > 

Email 

PDA > 

Email 

SMTP Server 

Name 

Specify the SMTP server 

responsible for sending email 

messages. 

Subject Specify the subject text that is 

displayed to the user in the Subject 

Line of the email. 

PDA SMS Specify whether devices are 

notified via SMS if policy/user 

settings have changed. 


VALUE RANGE AND 

DEFAULT 

SMS, Email, 

None 

Default: None 

1-255 characters 


Enable, Disable 

Default: Disable 

PDA > SMS Email Domain Specify the target email domain. 1-255 characters 

PDA > SMS SMTP Server 

Name 

Specify the SMTP server 

responsible for sending SMS 

notifications. 

PDA > SMS Source Email Specify the email address that 

SMS and email notifications are 

sent from. 

PDA Tethered PDA Specify whether wireless, 

BlueTooth, cradled, or cell phone 

PDA devices are notified via Email 

the installation message. 



Email, None 

Default: None 

3-15


3-16 


PDA Welcome 

Message 

Service Pack Download Policies 

Contains the welcome message 

file whose contents are displayed 

to the user during the download 

process. 

Policies governing automatic client service pack download times. 

TABLE 3-6. PolicyServer Service Pack Download Policies 


Service Pack Download 

Begin Hour 

Service Pack Download 

End Hour 

Welcome Message Policies 


DEFAULT 

1-1024 

characters 

VALUE RANGE 

AND DEFAULT 

Set the time to download service packs. 0-23 

Default: 0 

Set the time to stop downloading any 

service pack. 

0-23 

Default: 0 

Policies governing whether to send a welcome message to users when they have been 

added to a group. 

TABLE 3-7. PolicyServer Welcome Message Policies 


VALUE RANGE 

AND DEFAULT 

Message Contains the welcome message file. 1-1024 

characters 

Default: N/A 

SMTP Server Name Specify the SMTP server responsible for 

sending welcome email messages. 

1-255 

characters 

Default: N/A


Source Email Specify the email address that is used as the 

source email address for welcome email 

message. 


VALUE RANGE 

AND DEFAULT 

1-255 

characters 

Default: N/A 

Subject The Welcome message subject line. 1-255 

characters 

Default: N/A 

Full Disk Encryption Policies 

This section explains the configurable options for all policies affecting Full Disk 

Encryption clients. 

Common Policies 

Common policies affecting Full Disk Encryption, including logging in, uninstalling Full 

Disk Encryption, and locking devices. 

TABLE 3-8. Full Disk Encryption Common Policies 


Client Allow User to 

Uninstall 

Specify whether user can 

uninstall Full Disk Encryption. 

VALUE RANGE 

AND DEFAULT 

Yes, No 

Default: No 

3-17


3-18 


Login Account 

Lockout Action 

Login Account 

Lockout Period 

Login Dead Man 

Switch 

Login Device Locked 

Action 

Login Failed Login 

Attempts 

Allowed 

Login > If 

Found 

Specify the action to be taken 

when the device has failed to 

communicate with the 

PolicyServer as specified in the 

policy Account Lockout Period. 

• Erase: All content on the 

device is wiped. 

• Remote Authentication: 

Require user to perform 


Specify the number of days that 

the client may be out of 

communication with the 

PolicyServer. 

Specify a sequence of characters, 

when entered will erase all 

contents on the device. 


when the device locks. 

• Time Delay: The amount of 

time that must elapse before 

the user can retry logging on. 






Specify the number of failed Login 

attempts before using Lock 

Device Time Delay. 

If Found Specify information to be 

displayed. 

VALUE RANGE 

AND DEFAULT 

Erase, Remote 

Authentication 

Default: 

Remote 


0-999 

Default: 360 

1-255 

characters 

Default: N/A 

Time Delay, 

Erase, Remote 


Default: Time 

Delay 

0-100 

Default: 5 

1-255 

characters 

Default: N/A


Login Legal Notice Specify whether a legal notice 

should be displayed. 

Login > Legal 

Notice 

Login > Legal 

Notice 

Legal Notice 

Display Time 

Legal Notice 

Text 

Login Lock Device 

Time Display 

Specify when the configured legal 

notice should be displayed to the 

user. 

Specify the body of the legal 

notice. 

Lock device for X minutes if user 

exceeds Failed Attempts Allowed. 

Login Preboot Bypass Specify if the preboot should be 

bypassed. 

Login > 

Support Info 

PC Policies 

Support Info Display Help Desk information or 

administrator contact. 

Policies governing devices or laptops running Full Disk Encryption. 

TABLE 3-9. Full Disk Encryption PC Policies 


Client Allow User 

Recovery 

Encryption Encrypt 

Device 

Specify if users are allowed to 

access system recovery 

utilities on the device. 

Specify whether the device 

should be encrypted. 


VALUE RANGE 

AND DEFAULT 

Enable/Disable 

Default: 

Disabled 

Installation, 

Startup 

Default: Startup 

Insert File 

Default: N/A 

1-999,999 

Default: 1 

Yes, No 

Default: No 

Default: N/A 

VALUE RANGE 

AND DEFAULT 

Yes, No 

Default: No 

Yes, No 

Default: Yes 

3-19


3-20 


Login Token 


Login > Token 


Login > Token 

Authentication > 

OCSP Validation 

Login > Token 



Login > Token 



Login > Token 



OCSP 

Validation 

OCSP CA 

Certificates 

OCSP Expired 

Certificate 

Status Action 

Policy related to physical 

tokens including smart cards 

and USB tokens. All subpolicies 

are visible only when 

Token Authentication is 

enabled. 

Verifying certificates via 

OCSP allows for the 

revocation of invalid 

certificates via the CA. 

Note 

All sub-policies are 

visible only when OCSP 

Validation is Enabled. 

Certificate Authority 

certificates. 

Defines the action to take if 

the OCSP certificate status is 

expired. 

OCSP Grace A grace period in days that 

allows authentication to occur 

even if the OCSP server has 

not verified the certificate in 

this number of days. 

OCSP 

Responders 


certificates. 

VALUE RANGE 

AND DEFAULT 





0-1024 bytes 

Default: N/A 

Time Delay, 

Erase, Remote 

Authentication, 

Denial of Login, 

Allow Access 

Default: Denial 

of Login 

0-365 

Default: 7 

Yes, No 

Default: Yes


Login > Token 



> OCSP 

Responders 

Login > Token 



> OCSP 

Responders 

Login > Token 



Login > Token 



Login > Token 



OCSP 

Responder 

Certificate 

OCSP 

Responder 

URL 

OCSP 

Revoked 

Certificate 

Status Action 

OCSP Show 

Success 

OCSP 

Unknown 

Certificate 

Status Action 

Login Token 

Passthru 

Password Authentication 

Methods 

Allowed 


VALUE RANGE 

AND DEFAULT 

Certificate Authority Certificate 0-1024 bytes 

Default: N/A 


certificates. 

Defines the action to take if 

the OCSP certificate status is 

revoked. 

Whether success of OCSP 

reply should be displayed. 

Specify the action when an 

OCSP certificate status is 

unknown. 

Pass the token to the desktop 

GINA for further processing 

during the boot process. 

Specify the allowed type(s) of 

authentication methods that 

can be used. 

0-1024 bytes 

Default: N/A 

Time Delay, 

Erase, Remote 



Allow Access 


of Login 

Yes, No 

Default: Yes 

Time Delay, 

Erase, Remote 



Allow Access 


of Login 

Yes, No 

Default: No 

Fixed, 

ColorCode, Pin, 

Remote, RSA 

Default: Fixed 

3-21


PPC Policies 

3-22 

Policies governing pocket Full Disk Encryption PPC devices. 

TABLE 3-10. Full Disk Encryption PPC Policies 


Encryption PPC Encrypt 

Appointments 


Contacts 


Device 


Email 


Other 

Databases 

Encryption > 

PPC Encrypt 

Other 

Databases 

PPC Encrypt 

Tasks 

Specify whether the 

Appointments database should 

be encrypted on the PPC 

device. 

Specify whether the Contacts 

database should be encrypted 

on the PPC device. 

Specify whether all external 

media and internal storage on 

the PPC device is encrypted. 

Specify whether the Email 

database is encrypted on the 

PPC device. 

Specify a list of databases to be 

encrypted on the PPC device. 

Specify whether the Tasks 

database should be encrypted 

on the PPC device. 

PPC Logging Policies defining the log file on 

the PPC device. 

Logging PPC Log File 

Size 

Login Allow 

Emergency Call 

Specify the size of the log file 

on the PPC device (measured 

in kilobytes). 

Specify whether the user may 

make emergency phone calls 

from their device. 


DEFAULT 

Yes, No 

Default: Yes 

Yes, No 

Default: Yes 

Yes, No 

Default: Yes 

Yes, No 

Default: Yes 


Default: N/A 

Yes, No 

Default: Yes 

5-512 

Default: 512 

Yes, No 

Default: No


Login PPC Account 


Login PPC Device 

Timeout 

Login PPC Launch 

After logon 

Password PPC 


Methods 

PPC PPC Erase 

Media on Wipe 

FileArmor Policies 






Actions are: 






Specify the number of minutes 

that the authentication screen 

appears while inactive. 

Specify an application to be 

launched on the device after a 

successful authentication. 

Specify the allowed 

authentication methods on the 

PPC device. 

Device wipe erases data on 

mounted media. 



DEFAULT 

Erase, Remote 


Default: Remote 


0-60 

Default: 1 


Default: N/A 

Fixed, Colorcode, 

Pin, Remote 


Yes, No 

Default: No 

This section explains the configurable options for all enterprise policies affecting 

FileArmor clients. 

Computer Policies 

Policies governing installation privileges on devices with FileArmor installed. 

3-23


3-24 

TABLE 3-11. FileArmor Computer Policies 


Computer Allow User to 

Uninstall 

Encryption Policies 

This policy specifies whether a user 

other than an Administrator can 

uninstall the endpoint application. 

Polices governing how encryption is handled on FileArmor devices. 

TABLE 3-12. FileArmor Encryption Policies 


Allow Secure 

Delete 

Disable Optical 

Drive 

Encryption Key 

Used 

Specify whether to allow the user to 

delete files. 

Disable access to CD or DVD 

drives. 

• User Key: choose a key unique 

to the user. 

• Group Key: choose a key 

unique to the group, so all 

users in the group will also 

have access to files. 

• Enterprise Key: choose a key 

unique to the enterprise, so all 

users in the enterprise will also 

have access to files. 

VALUE RANGE 

AND DEFAULT 

Yes, No 

Default: Yes 

VALUE RANGE 

AND DEFAULT 

Yes, No 

Default: Yes 

Yes, No 

Default: No 

User Key, 

Group Key, 

Enterprise 

Key 

Default: 

Group Key


Removable 

Media 

Removable 

Media 

Removable 

Media 

Removable 

Media 

Removable 

Media 


Method Allowed 

Fully Encrypt 

Device 

Allow USB 

Devices 

Disable USB 

Drive 

Folders to 

Encrypt on 

Removable 

Media 

Fully Encrypt 

Device 

Choose which allowable ways to 

encrypt files are allowed: 

1. User Key 

2. Group Key 

3. User-created password 

4. Digital Certificates 

Specify whether all files/folders on 

removable media are encrypted. 


VALUE RANGE 

AND DEFAULT 

User’s Unique 

Key, Group 

Unique Key, 

Encrypt With 

Static 

Password, 

Encrypt With 

Certificate 

Default: All 

Yes, No 

Default: No 

Specify permitted USB devices. Any, 

KeyArmor 

Disable the USB drive when not 

logged in, always disable, and never 

disable drive. 

The drive letter is given and the 

policy value corresponds to a valid 

removable media device. Nonexistent 

folders are created. If no 

drive letter is given then all 

removable media devices attached 

to the device at login will use the 

policy values. 

Specify whether all files/folders on 

removable media are encrypted 

Default: Any 

Always, 

Logged Out, 

Never 

Default: 

Logged Out 

1-255 

characters 

Default: N/A 

Yes, No 

Default: No 

3-25


3-26 


Login Policies 

Specify Folders 

to Encrypt 

Security policies governing logging on FileArmor. 

TABLE 3-13. FileArmor Login Policies 

List the folders that will be 

encrypted on the hard drive. Nonexistent 

folders are created. A valid 

drive letter to the hard drive must 

also be supplied. A valid policy 

value is: C:\EncryptedFolder. 



Methods 

Allowed 

Device Locked 

Action 

Failed Login 

Attempts 

Allowed 


authentication that can be used 

Action to be taken when the device 

is locked. 

Number of failed logon attempts 

before using Lock Device Time 

Delay. 0 allows for unlimited 

attempts. 

VALUE RANGE 

AND DEFAULT 

1-255 

characters 

Default: 

%DESKTOP%\ 

FileArmor 

Encrypted 

VALUE RANGE 

AND DEFAULT 

Fixed, 

ColorCode, 

Pin, Smart 

Card, RSA 


Time Delay, 

Remote 


Default: Time 

Delay 

0-100 

Default: 5


Legal 

Notice 

Legal 

Notice 

Legal Notice 

Display Time 

Legal Notice 

Text 

Lock Device 

Time Delay 

Password Policies 

Policies governing FileArmor passwords. 

TABLE 3-14. FileArmor Password Policies 

Specify when the configured legal 

notice is displayed to the user. 

Note 

Policy is only available for 

PolicyServer 3.1.3 (or newer) 

and a legal notice will not 

display to endpoints running 

FileArmor 3.1.3 or earlier. 

Specify the body of the legal notice. 

Note 


Force Talking to 

Server 

Policy is only available for 

PolicyServer 3.1.3 (or newer) 

and a legal notice will not 

display to endpoints running 

FileArmor 3.1.3 or earlier. 


exceeds Failed Attempts Allowed. 

Makes FileArmor talk to the server after X 

amount of days. 0 will make FileArmor 

standalone 


VALUE RANGE 

AND DEFAULT 

Installation, 

Startup 

Default: 

Startup 

Insert File 

Default: N/A 

0-999,999 

Default: 1 


0-999 

DEFAULT 

Default: 360 

3-27


3-28 


Physical Token 

Required 

MobileSentinel Policies 

Make users use a physical token (smart cards) 

to log on. 


DEFAULT 

Yes, No 

Default: No 

This section explains the configurable options for MobileSentinel. Full Disk Encryption 

uses MobileSentinel policies. 


Policies for all devices using MobileSentinel. 

TABLE 3-15. MobileSentinel Common Policies 


Common Compliance Compliance policies for all devices. 

Common > 

Compliance 

Synchronization 

Timeout 

Common Network 

Compliance 


allows a wireless device not to 

synchronize with the PolicyServer. 

The device will be forced to 

communicate to the PolicyServer for 

synchronization when the specified 

number of days has been reached. 

Specify access to corporate network 

resources by ensuring that devices 

comply with company policy. 

VALUE RANGE 

AND DEFAULT 

0-65,535 days 

Default: 1


Common > 

Network 

Compliance 

Common > 

Network 

Compliance 

Common > 

Network 

Compliance 

PPC Policies 

Compliance 

Network 

Address 

Compliance 

Network 

NetMask 

Compliance 

Server Address 

Policies specific to the MobileSentinel PC device. 

Specify the IP address of the 

network that allows the device to resynchronize 

with PolicyServer when 

out of compliance. When a device is 

out of compliance this will be the 

only network that the device can 

access until the device has been 

brought back into compliance. 

Specify the netmask address for the 

compliance network address 

(Compliance Network Address 

policy). This mask and the address 

will be used to limit devices from 

accessing network resources 

outside of the entered values until 

the device has been brought into 

compliance. 

Specify the address of the 

PolicyServer that will be used as the 

host for the wireless devices in this 

group. The server address for 

wireless devices is the server that 

devices call back; when a 

synchronization request is received 

by the device or when the device 

detects that it must synchronize with 

the server to ensure that policies 

have been updated. 


VALUE RANGE 

AND DEFAULT 

1-225 

characters 

Default: N/A 

1-225 

characters 

Default: N/A 

1-225 

characters 

Default: N/A 

3-29


3-30 

TABLE 3-16. MobileSentinel PPC Policies 


PPC Compliance Specific policies for the PPC 

device. 

PPC > 

Compliance 

PPC > PPC 

Compliance 

Object List 

PPC > PPC 

Compliance 

Object List 

PPC > PPC 

Compliance 

Object List > 

PPC Object 

Auto-Restore 

PPC > PPC 

Compliance 

Object List > 

PPC Object 

Auto-Restore 

PPC > PPC 

Compliance 

Object List 

PPC 

Compliance 

Object List 

PPC 

Compliance 

Network 

Restriction 

PPC Object 

Auto-Restore 

PPC Auto- 

Restore 

Object 

PPC Auto- 

Restore 

Object Run 

Flag 

PPC Object 

Compliance 

Info 

Specify objects required on the 

PPC device. Network routing will 

be limited to the compliance 

network if these objects are not 

present on the device. 

Determines whether to restrict 

network access if the device is 

found to be out of compliance. 

Set policy value to Yes for 

automatic restoration of the object 

that is missing on the device. Set 

policy value to No to direct the 

user to the URL address specified 

in the policy PPC Remediation 

URL. 

Specify the object to be restored 

to the PPC device if the policy 

PPC Auto Restore has been 

enabled. 

Specify the actions to be taken on 

the remediation object. 

Specify information for users if the 

specified object is found to be out 

of compliance. 

VALUE RANGE 

AND DEFAULT 



Yes, No 

Default: Yes 

Copy, Run 

Default: Copy 

1-255 

characters 

Default: N/A


PPC > PPC 

Compliance 

Object List 

PPC > PPC 

Compliance 

Object List 

PPC > PPC 

Compliance 

Object List 

PPC Object 

Name 

PPC Object 

Version 

PPC 

Remediation 

URL 

PPC Device 

Management 

PPC > Device 

Management 

PPC > Device 

Management 

Collect 

Device 

Attributes 

Interval 

Collect 

Directory Info 

Interval 

PPC Disable 

Bluetooth 

PPC PPC Disable 

New 

Applications 


New 

Applications 


OBEX 

Specify the fully qualified path 

name for the compliance object. 

Specify the minimum version 

number for the compliance object. 

If this policy value is left blank, the 

object version will not be checked 

for compliance. 

Specify the Remediation URL 

address to be shown if the policy 

PPC Object Auto Restore is set to 

false. 

Policies specific to collecting 

device data. 

Collect key pieces of information 

on hardware and software every X 

days; 0 = off 

Perform a snapshot of files and 

directories every X days; 0 = off. 

Disable/enable use of the 

BlueTooth radio. 

Disable /enable the addition of 

new applications via Windows 

Mobile installers. 

Disable/enable the addition of new 

applications via Windows Mobile 

installers. 

Disable/enable incoming Object 

Exchange via IR and BlueTooth. 


VALUE RANGE 

AND DEFAULT 

1-255 

characters 

Default: N/A 

1-255 

characters 

Default: N/A 

1-255 

characters 

Default: N/A 

0-365 days 

Default: 30 

0-365 days 

Default: 7 

Yes, No 

Default: No 

Yes, No 

Default: No 

Yes, No 

Default: No 

Yes, No 

Default: No 

3-31


KeyArmor Policies 

3-32 

This section explains the configurable options for all enterprise policies governing 

KeyArmor devices. 

Antivirus Policies 

Security policies for antivirus control on KeyArmor devices. 

TABLE 3-17. KeyArmor Antivirus Policies 


Infected File Action Indicates what remediation action to 

take with any infected file found. 

Repair Infected File First Indicates whether or not to attempt to 

repair any infected files found before 

taking the action dictated by the 

Infected File Action policy. 

Update Frequency Sets the antivirus update frequency, 

in hours. A value of 0 means that 

updates will never be requested. 

Update Source A list of vendor server URLs to 

contact for updates, specified in 

order. If the list is empty, then the 

application-defined default location 

will be used. 

KeyArmor Security Policies 

Security policies to control KeyArmor. 


DEFAULT 

Delete File, Kill 

Device 

Default: Delete File 

Yes, No 

Default: Yes 

0 - 9,999 hours 

Default: 1 

1 - 255 characters 

Default: N/A

TABLE 3-18. KeyArmor policies 


Dead Man Switch Specify a sequence of characters 

which will erase all contents of the 

device when entered. 

Inactivity Timeout If the KeyArmor device is not 

accessed within X minutes, then log 

out of device. 

Login Policies 

Security policies governing logging on KeyArmor. 

TABLE 3-19. KeyArmor Login Policies 


Allow Only One 

User Per Device 


Methods Allowed 



DEFAULT 


Default: N/A 

1 - 999 

Default:15 

This policy determines whether a single user or 

multiple users may access a device. A policy 

value of YES dictates only one user may have 

access to the device at a given time. 

Note 

This policy does not impact Administrator 

or Authenticator roles. 

Specify the allowed type(s) of authentication that 

can be used. 

VALUE RANGE 

AND DEFAULT 

Yes, No 

Default: No 

Fixed, 

ColorCode, 

Pin, Smart 

Card, RSA 


3-33


3-34 


Device Locked 

Action 

Failed Login 

Attempts Allowed 

Lock Device Time 

Delay 

Password 

Synchronization 

Notice Message Policies 

Specify the action to be taken when the device 

has failed to communicate with the PolicyServer 

as specified in the policy Lock Device Time 

Delay. 

Number of failed logon attempts before using 

Lock Device Time Delay. 0 allows for unlimited 

attempts. 

Lock device for X minutes if user exceeds Failed 

Attempts Allowed. 

This policy determines whether users of a group 

may establish a password and use it on other 

devices without the need to register via an one 

time password. This policy only impacts 

passwords of type Fixed, PIN, ColorCode, and 

Certificates. Third party password schemas such 

as Microsoft Windows domain passwords and 

RSA SecurID are not affected. 

Messages to be displayed to KeyArmor device users. 

TABLE 3-20. KeyArmor Notice Messages Policies 


If Found Specify information to be displayed 

on the device during the device lock 

out. 

VALUE RANGE 

AND DEFAULT 

Erase, Remote 


Time Delay 

Default: 

Remote 


0 - 100 

Default: 5 

1 -999,999 

Default: 5 

Yes, No 

Default: No 


DEFAULT 


Default: N/A 

Legal Notice Legal Notice(s) to display to user. Insert File with 1 - 255 

characters 

Default: N/A


Show Legal Notice 

on Insertion 

Select whether a notice is displayed 

to the user as the first screen when 

the KeyArmor device is inserted in a 

device. 

Support Info Display Help Desk information or 

Administrator contact information. 

PolicyServer Connection Policies 

Policies for connecting to PolicyServer with KeyArmor devices. 

TABLE 3-21. PolicyServer Connection Policies 


Action Due to No 

Contract 

Must Be Connected 

to PolicyServer 

Offline Time Before 

Forced Connection 

Secondary Action 

Due to No Contract 

Secondary Action 

Period 

Action to perform when KeyArmor device 

has not connected to the PolicyServer 

within the time specified by Offline Time 

Before Forced Connection. 

Force User to Connect to PolicyServer to 

access files on USB. 

The amount of time in days before user 

must connect to PolicyServer. 0 indicates 

KeyArmor device does not need to 

connect to the PolicyServer. 

Action to perform when KeyArmor device 

has not authenticated against the 

PolicyServer and has passed the 

Secondary Action Period. 

Secondary Time Period in X amount of 

Days, before the Secondary Action is 

Enforced. 



Yes, No 

Default: No 

DEFAULT 


Default: N/A 


DEFAULT 

Time Delay, Remote 

Authentication, Wipe 

Default: Remote 


Yes, No 

Default: No 

0 - 999 

Default: 360 

Wipe, Remote 

Authentication, None 

Default: None 

0 - 999 

Default: 0 

3-35


DriveArmor Policies 

3-36 

This section explains the configurable options for all enterprise policies affecting Full 

Disk Encryption clients. 

Important 

DriveArmor policies are only available in PolicyServer 3.1.3 if PolicyServer was upgraded 

from a previous version which had DriveArmor policies configured. 

Authentication Policies 

Policies that govern authentication on DriveArmor devices. 

TABLE 3-22. DriveArmor Authentication Policies 


Local Login Allowed 


Methods 

Local Login Device Locked 

Action 

Local Login Failed 

Attempts 

Allowed 


authentication methods that can 

be used. 


when the device locks. Actions 

are: 




require user to perform a 


• Time Delay: take the Lock 

Device Time Delay policy 

action. 

Specify the number of failed 

logon attempts before using 

Lock Device Time Delay. 


DEFAULT 

Fixed, Colorcode, 

PIN 

Default: All 

Time Delay, 

Erase, Remote 


Default: Time 

Delay 

0-255 

Default: 10


Local Login Lock Device 

Time Delay 


exceeds Failed Attempts 

Allowed policy rules. 

Authentication Network Login Specify policies regarding 

Authentication to the device that 

may include the network. 

Network Login RSA 


Authentication Token 


Token 


Token 


> OCSP 

Validation 

Token 


> OCSP 

Validation 

OCSP 

Validation > 

OCSP 

Responders 

OCSP 

Validation 

OCSP CA 

Certificates 

OCSP 

Responders 

OCSP 

Responder 

Certificate 

Specify if users will be verified 

against an RSA ACE server 

using SecurID. 

Verifying certificates via OCSP 

allows for the revocation of 

invalid certificates via the CA. 

sub-policies are only visible 

when this policy is enabled. 

Verifying certificates via OCSP 

allows for the revocation of 

invalid certificates via the CA. 

sub-policies are only visible 

when this policy is enabled. 



DEFAULT 

1-1000000 

Default: 1 

Yes, No 

Default: No 

Yes, No 

Default: N/A 

Yes, No 

Default: N/A 

Certificate Authority certificates. 0-1024 

Default: N/A 

Certificate Authority certificates. Yes, No 

Default: Yes 

Certificate Authority certificates. 0-1024 

Default: N/A 

3-37


3-38 


OCSP 

Validation > 

OCSP 

Responders 

Token 


Note 

OCSP 

Responder 

URL 

Token 

Passthru 


DEFAULT 

Certificate Authority certificates. 0- 1024 

Default: N/A 

Pass the token to the desktop 

GINA for further processing 

during the boot process. 

OCSP stands for Online Certificate Status Protocol. 

Communications Policies 

Yes, No 

Specify policies that govern DriveArmor communication and information. 

TABLE 3-23. DriveArmor Communications Policies 


Communications Account 







• Erase: all contents on the 

device will be wiped 


require the user to perform 

a remote authentication 

• Ignore: do not take any 

action 

Default: No 

VALUE RANGE 

AND DEFAULT 

Erase, Remote 


Ignore 

Default: Ignore


Communications Account 

Lockout Period 


the client may be out of 

communication with the 

PolicyServer. 

Communications Information Specify policies that provide 

information to the user. 

Information IF Found Specify information to be 

displayed on the device during 

the device lock out. 

Information Legal Notice Specify whether a legal notice 

should be displayed. 

Information > 

Legal Notice 

Information > 

Legal Notice 

Legal Notice 

Display Time 

Legal Notice 

Text 

Specify when the configured 

legal notice should be displayed 

to the user. 

Specify the body of the legal 

notice. 

Information Support Info Display Help Desk information 

or Administrator contact 

information. 

Communications Sync Interval Specify how often (in minutes) 

DriveArmor attempts to 

communicate to the 

PolicyServer from the device to 

receive updated information. 

Device Policies 


VALUE RANGE 

AND DEFAULT 

0-1000000 

Default: 360 

1-1024 

characters 

Default: N/A 

Installation, 

Startup 

Default: Startup 

Insert File 

Default: N/A 

1-1024 

characters 

Default: N/A 

0-1000000 

Default: 120 

Specify policies that govern generic actions to the device with DriveArmor installed. 

3-39


3-40 

TABLE 3-24. DriveArmor Device Policies 


Allow User Administration 

Access 

Specify if users are allowed to access 

system administration utilities on the 

device. 

Allow User To Uninstall Specify whether a standard 

DriveArmor user can uninstall 

DriveArmor. 

Dead Man Switch Specify a sequence of characters, 

when entered will destroy the device. 

Preboot Bypass Specify if the preboot should be 

bypassed. 


VALUE RANGE 

AND DEFAULT 

Yes, No 

Default: No 

Yes, No 

Default: No 

1-255 

characters 

Default: N/A 

Yes, No 

Default: No 

This section explains the configurable options for all enterprise policies affecting all 

Endpoint Encryption products. 

Agent Policy 

TABLE 3-25. Common Agent Policies 


Sync Interval Specify how often (in minutes) the application 

communicates to PolicyServer from the 

device to receive updated information. 

VALUE RANGE 

AND DEFAULT 

1-1440 

Default: 30

Authentication Policies 


Specify policies that govern authentication on devices from all Endpoint Encryption 

applications. 

TABLE 3-26. Common Authentication Policies 


Local Login Admin 

Password 

Local Login > 

Admin 

Password 

Local Login > 

Admin 

Password 

Local Login > 

Admin 

Password 

Local Login > 

Admin 

Password 

Local Login > 

Admin 

Password 

Local Login > 

Admin 

Password 

Local Login > 

Admin 

Password 

Allowed 

Character Types 

Can Contain 

User Name 

Consecutive 

Characters 

Allowed 

Specify policies regarding 

Authentication local to the 

device only. 

Specify whether passwords 

can contain alpha, numeric, 

special or a combination. 

Specify if the user name can 

be contained in the password. 

Specify the number of 

consecutive characters allowed 

in a password. 

Minimum Length Specify the minimum length 

allowed for passwords. 

Password 

History 

Retention 

Require How 

Many 

Characters 

Require How 

Many Lower 

Case 

Characters 

Specify the number of past 

passwords the user is not 

allowed to use. 

Specify the number of alpha 

characters that must be used 


Specify the number of lower 

case characters that must be 

used in a password. 

VALUE RANGE 

AND DEFAULT 

Alpha, 

Numeric, 

Special 

Default: All 

Yes, No 

Default: Yes 

0-255 

Default: 3 

0-255 

Default: 6 

0-255 

Default: 0 

0-255 

Default: 0 

0-255 

Default: 0 

3-41


3-42 


Local Login > 

Admin 

Password 

Local Login > 

Admin 

Password 

Local Login > 

Admin 

Password 

Require How 

Many Numbers 

Require How 

Many Special 

Characters 

Require How 

Many Upper 

Case 

Characters 

Specify the number of numeric 



Specify the number of special 



Specify the number of upper 



Local Login Self Help Specify the policies that are 

used for Self Help. 

Local Login > 


Local Login > 


Number of 

Questions 

Personal 

Challenge 


questions required to be 

answered correctly to 

authenticate the user. 

Specify the personal challenge 

question(s) used for Self Help. 

Local Login User Password Specify the policies that are 

used for User Passwords. 

Local Login > 

User Password 

Local Login > 

User Password 

Local Login > 

User Password 

Local Login > 

User Password 

Allow Offline 

Password 

Change 

Allowed 

Character Types 

Can Contain 

User Name 

Change 

Password Every 

Specify if users can change 

their password when not 

connected to the PolicyServer. 

Specify whether passwords 

can contain alpha, numeric, 

special or a combination. 

Specify if the user name can 

be contained in the password. 

Specify (in days) when to force 

a user to change their 

password. 

VALUE RANGE 

AND DEFAULT 

0-255 

Default: 0 

0-255 

Default: 0 

0-255 

Default: 0 

1-6 

Default: 1 

1-1024 

Default: N/A 

Yes, No 

Default: No 

Alpha, 

Numeric, 

Special 

Default: All 

Yes, No 

Default: Yes 

1-1000000 

Default: 60


Local Login > 

User Password 

Local Login > 

User Password 

Local Login > 

User Password 

Local Login > 

User Password 

Local Login > 

User Password 

Local Login > 

User Password 

Local Login > 

User Password 

Local Login > 

User Password 

Local Login > 

User Password 

Consecutive 

Characters 

Allowed 


consecutive characters allowed 


Minimum Length Specify the minimum length 

allowed for passwords. 

Password 

History 

Retention 

Require How 

Many 

Characters 

Require How 

Many Lower 

Case 

Characters 

Require How 

Many Numbers 

Require How 

Many Special 

Characters 

Require How 

Many Upper 

Case 

Characters 

User Name 

Case Sensitive 

Specify the number of past 

passwords the user is not 

allowed to use. 

Specify the number of alpha 



Specify the number of lower 



Specify the number of numeric 



Specify the number of special 



Specify the number of upper 



Specify if the user name is 

case sensitive 


VALUE RANGE 

AND DEFAULT 

0-255 

Default: 3 

0-255 

Default: 6 

0-255 

Default: 0 

0-255 

Default: 0 

0-255 

Default: 0 

0-255 

Default: 0 

0-255 

Default: 0 

0-255 

Default: 0 

Yes, No 

Default: No 

3-43


3-44 


Network Login Distinguished 

Name 

Network Login Domain 


Optional: Specify the 

distinguished name of the 

authentication server. If no 

Distinguished Name is 

specified, this will default to the 

LDAP server Default Naming 

Convention. 

Specifies if the Windows 

credentials should be used to 

authenticate. 

Network Login Domain Name NetBIOS name of the domain 

for Single Sign On. Default is 

NetBIOS value used by the 

PolicyServer. 

Network Login Host Name Specify the hostname. The 

hostname can be a domain 

name. 

Network Login Port Number Optional: 0 = use default. 

Specifies the port to be used 

for the connection. If no port 

number is specified, the LDAP 

provider uses the default port 

number. 

Network Login Server Type Type of server used to 

authenticate client user 

requests. 

Authentication Remember User 

Between Login 

Remember last used user 

name and display it in the 

authentication screen. 

VALUE RANGE 

AND DEFAULT 

1-255 

Default: N/A 

Yes, No 

Default: No 

1-255 

Default: N/A 

1-255 

Default: N/A 

0-65535 

Default: 0 

LDAP, 

LDAProxy 

Default: LDAP 

Yes, No 

Default: Yes

Chapter 4 

Working with Groups, Users, and 

Devices 

Endpoint Encryption utilizes both role-based and identity-based authentication to 

secure the data on endpoints. Configuring users, groups, and devices correctly ensures 

that data remains encrypted for unauthorized users, thus preventing data loss risk from 

accidental information release or deliberate sabotage. 


• Working with Groups on page 4-2 

• Working with Offline Groups on page 4-5 

• Working with Users on page 4-10 

• Working with Passwords on page 4-22 

• Working with Devices on page 4-30 

4-1


Working with Groups 

4-2 

Groups are managed in the PolicyServer MMC, and consist of the following types: 

TABLE 4-1. PolicyServer Group Types 

GROUP DESCRIPTION 

Top Groups The highest level of groups under the enterprise. Each top 

group has a unique node underneath the enterprise. 

Subgroups Groups created within a top group. A subgroup will inherit the 

policies of its parent group. 

Note 

• Policy inheritance only occurs when a subgroup is 

created. 

• Policy changes to a top level group do not filter down to 

existing subgroups. 

• Subgroup policies cannot be more permissive than the 

parent groups. 

• Subgroups inherit all existing policies of the parent group. However, Administrators 

must add users and devices separately. 

• Adding a user to a subgroup does not automatically add the user to the top group. 

However, you can add a user to both the top group and subgroup. 

Adding a Top Group 

Groups simplify managing enabled applications, users, policies, subgroups, and devices. 

A Top Group is the highest level group. 

Note 

Enterprise Administrator/Authenticator accounts cannot be added to groups. To create a 

Group Administrator, add a user and change his/her permissions within the group.

Procedure 

Working with Groups, Users, and Devices 

1. Right-click the enterprise name in the left pane, and click Add Top Group. 

FIGURE 4-1. Adding a Top Group 

The Add New Group screen appears. 

2. Provide the name and a description for the group. 

3. Only select Support Legacy Devices if using legacy devices that do not support 

Unicode encoding. Some legacy devices may not be able to communicate with 

PolicyServer using Unicode. Assign Unicode and legacy devices to different groups. 

4-3


4-4 

FIGURE 4-2. Add New Group 



The new group is added to the tree structure in the left pane. 

Adding a Subgroup 

Subgroups inherit all existing policies of the parent group. However, Administrators 

must add users and devices separately. 

Procedure 

1. Right-click a group in the left pane tree structure, and then click Add. 

The Add New Group window appears. 

2. Follow the steps in Adding a Top Group on page 2-5, but in the first step.


The new group is added to the tree structure inside the Top Group’s hierarchy. 

Modifying a Group 

Procedure 

1. Right-click a group in the left pane tree structure, and then click Modify. 

The Modify Group screen appears. 

2. Specify changes and click Apply. 

Removing a Group 

Use the tree structure to remove a group. Removing a Top Group will also remove all 

subgroups. 

Procedure 

1. Right-click a group in the left pane tree structure, and then click Remove. 

A PolicyServer Warning message appears. 

2. Click Yes to remove the group. 

The selected group no longer appears in the tree structure. 

Working with Offline Groups 

An offline group is a group of endpoint clients that did not connect to PolicyServer 

during installation. The group’s policies, users, and devices can be exported to a file and 

delivered to the offline clients. When the group requires changes, the changes must be 

exported to a new file and again delivered to the offline endpoint client. 

4-5


4-6 

Policies are automatically updated when an offline endpoint client connects to 

PolicyServer. 

WARNING! 

For Full Disk Encryption clients that will never connect to PolicyServer, perform an 

unmanaged installation instead. No offline group is required because policies are managed 

using Recovery Console. 

Creating an Offline Group 

Groups can be exported to allow for Full Disk Encryption and FileArmor installation 

on devices that do not need to or cannot communicate with PolicyServer. The client 

application installation files must be available from the server that PolicyServer is 

installed. 

Note 

Procedure 

Exported groups must contain at least one user. The group name must also be 

alphanumeric only. 

WARNING! 

Offline groups only work for DataArmor SP7 and below. For Full Disk Encryption clients 

that will not connect to PolicyServer, perform an unmanaged installation instead. Policies 

are managed using Recovery Console. 

1. From the left pane, right-click the group and then select Export. 

The PolicyServer Export Group Wizard appears.

FIGURE 4-3. PolicyServer Exporting Group Wizard 


2. Select Create off-line devices, specify export location and export password, and 

then click Next. 

Note 

The export password is used to authenticate the executable on the endpoint client. 

3. Click Add... to browse to and upload Endpoint Encryption client installers. 

4-7


4-8 

TABLE 4-2. Endpoint Encryption Installation Filenames 

INSTALLATION FILE PURPOSE 

DataArmorInstaller.exe Installs older versions of Full Disk Encryption client 

application: DataArmor. DataArmor 3.0.12.861 or 

below will work with off-line groups. For details 

about managed installations, see the Installation 

Guide. 

TMFDEInstall.exe Installs the Full Disk Encryption client application. 

This will not work for off-line devices. For details 

about managed installations, see the Installation 

Guide. 

FASetup.msi Installs the FileArmor client application for 32-bit 

operating systems. 

FASetup(x64).msi FileArmor client application for 64-bit operating 

systems. 

Add as many installers as needed. For example, a group might require both Full 

Disk Encryption and FileArmor. 

4. Click Next. 

5. Depending on the license type, specify the number of devices to be installed on. 

The number of license available is reduced with every device. 

6. Optionally specify a Device Name Prefix. PolicyServer uses the device prefix 

number to generate a unique Device ID and device encryption key for each device 

in this group. 


The offline group build begins. 

8. Click Done to generate the export file at the specified location. 

A generated executable file named Export is created on the desktop. Use this to 

distribute group changes to offline clients.

Updating an Offline Group 

Follow these steps to create an update for an offline group. 

Procedure 

WARNING! 


For Full Disk Encryption clients that will not connect to PolicyServer, perform an 

unmanaged installation instead. Policies are managed using Recovery Console. 

1. From the left pane, right-click the group, and then select Export. 

The PolicyServer Export Group Wizard displays. 

2. Select Create off-line devices. 

3. Specify the export password. 

Note 

The export password is used to authenticate the executable on the endpoint client. 

4. Click Browse to specify a location to store the 

5. Click Next 

The offline group build begins. 

6. Click Done. 

The export file is generated at the specified location. 

7. Install the software on the device using the generated executable or script. For 

details, see the Endpoint Encryption Installation Guide. 

4-9


Working with Users 

4-10 

To provide identity-based authentication, Endpoint Encryption offers a number of 

different user levels, adding or importing users, assigning users to groups, managing 

users, and removing users. 

Add Users to PolicyServer 

Use the following methods to add users to Endpoint Encryption: 

• Add users manually, one at a time 

• Bulk import numerous users with a CSV file 

• Use an External Directory Browser with Active Directory 

Adding a New Enterprise User 

Note 

Procedure 



1. Expand the Enterprise and open Users. 

2. Right-click whitespace in the right pane and select Add User. 

The Add New User screen displays.






5. Use the User Type field to set the privileges of the new account. Enterprise 

Administrators and Authenticators cannot be added to groups. 



Note 

8. Click OK. 

The default authentication method for users is None. 

4-11


4-12 

The new user is added this PolicyServer Enterprise. The user cannot log on a 

device until he/she is added to a group. 

Importing Users from a CSV File 

Use a Comma Separated Values (CSV) file to import multiple users simultaneously. 

Use the following format: 

user name (required), first name, last name, employee ID, email 

address. 

Include a comma for fields with no data. 

Note 

Procedure 

When using the Bulk Import Users function, all users in the file are added to the same 

group. Create a file for each group of users to import. 


2. Right-click whitespace in the right pane, and select Bulk Import Add Users. 

The open file window appears. 

3. Go to the CSV file and click Open. 

4. At the confirmation, click OK. 

The users in your file are added to the group and the Enterprise. 

Importing Active Directory Users 

Add Active Directory users to existing PolicyServer groups using the External Directory 

Browser. PolicyServer maintains a user directory separate from the Active Directory 

database. This allows PolicyServer to provide absolute security over access to all devices, 

user rights, and authentication methods.


For information about configuring Active Directory integration, see the Endpoint 

Encryption Installation Guide. 

Procedure 

1. From the left pane, open Enterprise Users, right-click the right pane (whitespace) 

and then select External Directory Browser. 

The Active Directory User Import window displays. 

2. Click Edit > Connect to Domain. 

3. Specify the Active Directory LDAP server hostname. 

4. Specify a user name and password with access to the Active Directory domain. 

5. Click OK. 

The user accounts load in the right pane. 

6. Click File and then select Add to Enterprise or Add to Group, depending on 

where the users are to be added. 

7. Click OK to add the users to the specified location. 

A confirmation window displays. 

8. Click OK to confirm. 

An import status message displays. 

9. Click OK. 

Finding a User 

It is faster to search for users at the group level; however, this is at the cost of searching 

the entire enterprise. 

Procedure 

1. From the left pane, click Enterprise Users or expand the group and click Users. 

4-13


4-14 

2. At the upper corner of right pane, click Search. 

The User Search Filter window appears. 

FIGURE 4-5. User Search Filter window 

3. Specify search details and then click Search. 

All accounts matching the search criteria display. 

Note 

Modifying a User 

If there are many users, use Page Counter to go from one page to another or click 

Clear to remove all results. 

Any Group Administrator can change a user's profile information.

Note 

Procedure 


• Enterprise-level changes are applied to the user universally, but group-level changes 

apply only to that group. 

1. Open Enterprise Users. 

2. In the right pane, right-click the user and select Modify User. 

The Modify User screen appears. 

3. Make the necessary changes. If the authentication method changes to Fixed 

Password, provide the default user password. 

4. Click OK. 


Viewing a User's Group Membership 

Administrators can view a user's groups - if the user belongs to multiple groups. 

Procedure 


2. Right-click the user and select List Groups. 

The Group Membership list appears. 

4-15


Adding a New User to a Group 

4-16 

Note 

Procedure 



1. Expand the Group and open Users. 

2. Right-click whitespace in the right pane and select Add New User. 

The Add New User screen appears. 


3. Specify user information. User name, first name, and last name are required.




5. Use the Group User Type field to set the privileges of the new account. 

Enterprise Administrators and Authenticators cannot be added to groups. 



Note 

8. Click OK. 

The default authentication method for users is None. 

The new user is added to the selected group and to the Enterprise. The user can 

now log on a device. 

Adding an Existing User to a Group 

A user can be added to numerous groups. 

Procedure 


2. Right-click whitespace in the right pane, and select Add Existing User. 

The Add Users To Group screen appears. 

4-17


4-18 

FIGURE 4-7. Add Existing Users To Group Screen 

3. Specify user details and then click Search. 


4. Select user accounts from the list and click the blue arrow to add them. See 

Chapter 2, Table 2-3: Icons to Add/Remove Users on page 2-12 for additional controls. 

TABLE 4-3. Icons to Add/Remove Users 


Add a single selected user to Destination field.


5. To change a user’s password: 


Add all found users based on search criteria to Destination field. 

Delete a single select user from Destination field. 

Delete all users from Destination field. 

a. In the Destination field, highlight the user. 

b. Click Enter User Password located at the bottom of the window. 

c. In the window that appears, specify the user’s authentication method. 

d. Click Apply. 


The user is added to the group. If this is the only group that the user belongs to, 

then the user is now able to log on to the endpoint client. 

Changing a User’s Default Group 

The first group listed is the default group for the user. 

Note 

The user must be allowed to install to their default group. For details, see Allowing User to 

Install to a Group on page 4-20 

. 

4-19


4-20 

Procedure 


2. Right-click the user and then select List Groups. 


3. Right-click the user and then select Move to top. 

The User’s default groups has been changed. 

Allowing User to Install to a Group 

This option allows users to install Endpoint Encryption devices to a group that they are 

a member of, without requiring Administrator approval. 

Note 

Procedure 

The default setting is Disallow User To Install To This Group. 


2. Right-click the user and then select List Groups. 


3. Right-click the user and then select Allow User To Install To This Group. 

The user can now install devices to this group.

Removing Individual Users From a Group 

Procedure 

WARNING! 


Before removing a Group Administrator or authenticator account, reassign this role to 

another user. Otherwise, only enterprise-level Administrators or authenticators can make 

group-level changes. 

1. Expand the group and click Users. 

2. In the right pane, right-click the user and select Remove User. 

A warning message displays. 

3. To remove the user from the enterprise as well, enable Remove from Enterprise. 

Note 

4. Click Yes. 

Removing a user from the enterprise also removes that user from all groups and 

subgroups. 

The user is removed. 

Removing All Users From a Group 

Procedure 

WARNING! 

Before removing a Group Administrator or Authenticator account, reassign this role to 

another user. Otherwise, only Enterprise Administrators/Authenticators can make grouplevel 

changes. 

1. Expand the group and then click Users. 

4-21


4-22 

2. In the right pane, right-click the user and select Remove All Users. 


3. To remove all users from the enterprise as well, enable Remove from Enterprise. 

Note 

4. Click Yes. 

Removing a user from the enterprise also removes that user from all groups and 

subgroups. 

Restoring a Deleted User 

All deleted users are stored in the Recycle Bin at the Enterprise level. Groups do not 

have a Recycle Bin. Restoring a user does not add the user back to previously assigned 

groups. 

Procedure 

1. Expand the Recycle Bin. 

2. Open Deleted Users. 

The right pane load all deleted users. 

3. Right-click the user and select Restore User. 

The user is added back the Enterprise, but does not belong to any groups. 

Working with Passwords 

When an user forgets his/her password or misplaces a device, the user can be reset their 

password using methods defined by enterprise or group policies. The following 

password reset methods are available: 

• Microsoft Windows Active Directory

• PolicyServer MMC 

• Remote Help 

• Self Help 


All of these options involve setting the policy at the enterprise level and then at the 

group level whenever necessary. Use the Support Information policy to provide 

support-related information to users about password resets. 

Resetting an Enterprise Administrator/Authenticator 

Password 

Only Enterprise Administrators can reset an Enterprise Administrator passwords. An 

Authenticator within the same group permissions or higher, can reset an Administrator 

or Authenticator password within that group. 

Tip 

Procedure 

Trend Micro recommends having at least three Enterprise Administrator accounts at all 

times as a safeguard against password loss. If an Enterprise Administrator account 

password is lost, it is possible to reset the password by using Self Help. 

1. Log on PolicyServer MMC using an Enterprise Administrator account. 


3. Right-click the Enterprise Administrator or Authenticator account with the lost 

password, and then select Change Password. 

The Change Password window appears. 

4. Select an authentication method. 

5. Specify the password (if requested). 


The account password is reset. 

4-23


4-24 

Note 

The User must change password at next logon option is only available after the 

endpoint client updates policies. 

Resetting a Group Administrator/Authenticator Password 

All passwords changes are for the group only. If an Administrator wants to have just 

one password, then he/she should only belong to one Top Group. 

Procedure 

1. Log on PolicyServer MMC using an Group Administrator account. 

2. Expand the group and open Users. 

3. Right-click the Group Administrator or Authenticator account with the lost 

password, and then select Change Password. 


4. Select an authentication method. 

5. Specify and confirm the password (if requested). 


The account password is reset. 

Note 

The User must change password at next logon option is only available after the 

client updates. 

Resetting a User's Password 

When resetting a user’s password, select the User must change password at next 

logon check box to require a user to change his/her password at next log on. Once the


user logs on and changes the password, he/she must also change the password for all 

devices. 

Note 

Trend Micro recommends using the domain authentication. 

Resetting to a Fixed Password 

Procedure 

1. Open Enterprise Users or expand the group and open Users. 

2. Select users from the right pane. 

Hold SHIFT to select multiple users. Multiple selection is only available at the 

group level. 

3. Right-click and select Change Password. 


4. For the Authentication Method, select Fixed Password. 

5. Specify and confirm the password. 


The user is required to change his/her password at next time log on. 

Resetting a User Password with Active Directory 

Trend Micro recommends using Active Directory to reset the user password, especially 

if the user has access to the company Help Desk, has network connectivity, or if 

Windows Single Sign-on (SSO) is enabled. 

Refer to the appropriate Windows Operating System Guide for more information about 

resetting a domain user password using Active Directory. 

4-25


4-26 

Using Self Help Password Support 

This task explains how to configure policies for Self Help. Users who have forgotten 

their passwords can use Self Help to authenticate without Help Desk assistance. Use the 

Number of Questions and the Personal Challenge policies to set the number of personal 

challenge questions and the questions that the user must answer, respectively. Self Help 

questions are answered during the initial user authentication and when users change 

their passwords. 

For details about using Self Help, see Self Help on page 1-18. 

Note 

Procedure 

Self Help requires network connectivity to PolicyServer. 

1. Expand Enterprise Policies or expand the group and then expand Policies. 

2. Go to Common > Authentication > Local Login > Self Help. 

FIGURE 4-8. Self Help Policy 

3. Open Number of Questions to set the required number of questions that users 

must answer.

WARNING! 


Do not set Number of Questions greater than six. Otherwise, users will be unable 

to log on. 

4. Right-click Personal Challenge and select Add to set a question that the user 

must answer. Repeat until all personal challenge questions are defined. 

The next time users log on, they will be prompted to set their personal challenge 

question answers. 

Remote Help Password Support 

Reset forgotten passwords with Remote Help. A user who has a locked account or 

forgets their password has to reset their password before logging in with the new 

password. Remote Help requires that the user contact the Help Desk for a Challenge 

Response. Remote help does not require network connectivity to PolicyServer. 

Procedure 

1. Log on PolicyServer MMC with an Enterprise Administrator account or a Group 

Administrator/Authenticator account within the same policy group as the user. 

2. Ask the user to click Help > Remote Help from his/her endpoint client. 

3. Ask the user for the Device ID displayed. 

4-27


4-28 

FIGURE 4-9. Remote Help Assistance 

4. In PolicyServer MMC, open Enterprise Devices or expand the user’s group and 

open Devices, icon in the user's group. 

5. In the right pane, right-click the user device and then select Soft Token. 

The Software Token window appears. 

6. Ask the user to read the16-digit Challenge field, and type it into the Challenge 

field of the Software Token window. 

7. Click Get Response.

The Response field loads with an 8-character string. 

8. Tell the user the 8-character string from the Response field. 


9. The user inputs the string in the Response field on the endpoint and clicks Login. 

10. The user is prompted to provide a new password. 

Support Information Setup 

The Support Information policy specifies information about an organization’s Support 

Help Desk. The Support Information policy can be configured uniquely for each group. 

Procedure 

1. Log on PolicyServer MMC with either an Enterprise Administrator account or a 

Group Administrator/Authenticator account within the same policy group as the 

user. 

2. Expand the user’s group and go to Policies > Full Disk Encryption > Common 

> Login. 

3. Right-click the Support Info policy and select Add. 

4. Specify support information (phone number, location). 

4-29


4-30 

5. Click OK. 

Working with Devices 

Devices are computers, laptops, smartphones, and any other endpoint with Full Disk 

Encryption, FileArmor, or KeyArmor installed. Devices are automatically added to the 

Enterprise when any Endpoint Encryption application is installed. 

Note 

Each device can only be a part of one group. 

Adding a Device to a Group 

Procedure 

1. In the left pane, expand the desired policy group and click Devices. 

2. In the right pane, right-click the whitespace and select Add Device.

The Add Devices to Group screen appears. 

FIGURE 4-10. Add Devices to Group Screen 

3. Type the device details and then click Search. 



4. Select the device from the list and click the blue arrow to add them. See table for 

additional controls. 

TABLE 4-4. Icons to Add/Remove Devices 


Add a single selected device to Destination field. 

Add all found devices based on search criteria to Destination field. 

4-31


4-32 


Delete a single selected device from Destination field. 

Delete all devices from Destination field. 

5. Click Apply to add the device to the selected group. 

The device is added to the group. 

Removing a Device from a Group 

Removing a device from a group removes the device from the selected group only. 

Procedure 

WARNING! 

To remove a device from all groups, remove it from the Enterprise. Before deleting a 

device from the Enterprise, verify that the device has been unencrypted and all Trend 

Microproducts were uninstalled. Failure to do so may result in irreversible data loss. 

1. Expand the group and open Devices. 

2. In the right pane, right-click the device and select Remove Device. 

A warning message appears. 

3. Click Yes. 

The device is removed.

Removing a Device from the Enterprise 


Deleting a device from the Enterprise removes the device from all groups and the 

Enterprise. The device will continue to function as long as connectivity and password 

policies are current on the device. Files cannot be recovered if the device fails in this 

state. To mitigate this risk, decrypt the device immediately, uninstall Full Disk 

Encryption, and then reinstall Full Disk Encryption as an unmanaged client. 

WARNING! 

Verify that the device has been unencrypted and all Trend Micro applications are 

uninstalled before deleting a device from the Enterprise. Failure to do so may result in 

irreversible data loss. 

For information about removing a device from a specific group, but not the Enterprise, 

see Removing a Device from a Group on page 4-32. 

Note 

Procedure 

Go to the Recycle Bin to add a removed device back to the Enterprise again. 

1. Uninstall the endpoint client application from the device. For information about 

endpoint client uninstallation, see the Endpoint Encryption Installation Guide. 

2. Open Enterprise Devices. 

3. In the right pane, right-click the device and select Remove Device. Locate and 

click on the selected device. 


4. Click Yes. 

The device is removed. 

4-33


Viewing Directory Contents 

4-34 

Use the directory listing option to view a snapshot of all applications downloaded to the 

selected device. 

Procedure 

1. Open Enterprise Devices or expand a group and open Devices. 

2. In the right pane, right-click the device and select Directory Listing. 

The Device Directory Snapshot window displays all applications downloaded to 

the device. 

Viewing Device Attributes 

Use Device Attributes (memory, operating system, battery life, etc.) option to view a 

current snapshot of the selected device. 

Procedure 


2. In the right pane, right-click the device and select Directory Listing.

The Device Attributes window displays. 

FIGURE 4-11. Device Attributes List 

Viewing Directory Listing 


Use directory listing to view the directory structure of KeyArmor devices only. 

Procedure 


2. In the right pane, right-click the device and select Directory Listing. 

The Device Directory Snapshot window displays. 

Killing a Device 

Killing a device completely deletes all data. For DriveArmor, Full Disk Encryption, and 

KeyArmor, the kill command is issued when the device communicates with 

PolicyServer. 

4-35


4-36 

Procedure 

WARNING! 

Killing a device cannot be undone. Back up all the data before performing this action. 


2. In the right pane, right-click the device and select Kill Device. 

3. At the warning message, click Yes. 


Locking a Device 

Locking a device reboots the device and forces it into a state that requires Remote Help. 

For DriveArmor, Full Disk Encryption, and KeyArmor, the lock command is issued 

when the device communicates with the PolicyServer. 

Lock a device to prevent a user from authenticating to the device until a successful 

Remote Help authentication is performed. 

Procedure 


2. In the right pane, right-click the device and select Lock Device. 



Rebooting a Device 

Use Soft Reset to reboot a device. For DriveArmor, Full Disk Encryption and 

KeyArmor, the soft reset command is issued when the device communicates with 

PolicyServer.

Procedure 


2. In the right pane, right-click the device and select Soft Reset. 



Restoring a Deleted Device 


All deleted devices are stored in the Recycle Bin at the Enterprise level. Groups do not 

have a Recycle Bin. Restoring a device does not add the device back to previously 

assigned groups. 

Procedure 

1. Expand the Recycle Bin. 

2. Open Deleted Devices. 

The right pane load all deleted users. 

3. Right-click the device and select Restore Device. 

The device is added back the Enterprise, but does not belong to any groups. 

4-37

Chapter 5 

Working with Full Disk Encryption 

Full Disk Encryption provides comprehensive endpoint data security using mandatory 

strong authentication and full disk encryption. Full Disk Encryption secures not only the 

data files, but also all applications, registry settings, temporary files, swap files, print 

spoolers, and deleted files. Until the user is validated, strong preboot authentication 

restricts access to the vulnerable host operating system. 


• Endpoint Encryption Tools on page 5-2 

• Full Disk Encryption Preboot Authentication on page 5-2 

• Full Disk Encryption Connectivity on page 5-13 

• Full Disk Encryption Recovery Console on page 5-15 

• Full Disk Encryption Recovery Methods on page 5-24 

• Repair CD on page 5-25 

5-1


Endpoint Encryption Tools 

5-2 

TABLE 5-1. Endpoint Encryption Tools 

TOOL PURPOSE 

Recovery Console • Recover a device in the event of primary OS failure. 

• Troubleshoot network issues. 

• Manage users and logs. 

Command Line Helper • Create encrypted values to secure credentials when 

creating an installation script. 

Command Line Installer 

Helper 

• Generate scripts for automatic installations. 

• Create encrypted values to secure credentials when 

creating an installation script. 

DAAutoLogin • Used for Windows patching. DAAutoLogin allows for a 

one-time bypass of Endpoint Encryption Preboot. 

Repair CD • Use this bootable CD to decrypt drive before removing 

Full Disk Encryption in the event that the disk becomes 

corrupted, 

• Only use the Repair CD if standard removal methods are 

not possible. A typical symptom of a corrupted disk is a 

black screen. 

Full Disk Encryption Preboot Authentication 

After installing Full Disk Encryption, Full Disk Encryption Preboot now appears before 

Windows loads. Full Disk Encryption Preboot plays an important role in ensuring only 

authorized users are able to access devices, and for updating local security policies when 

connected to PolicyServer. From this screen, you can perform a number of tasks: 

• Authenticating to an endpoint 

• Changing passwords 

• Logging on to the Recovery Console

FIGURE 5-1. The Full Disk Encryption Preboot screen 

Menu Options 


There are several options available in the top-left menu of Full Disk Encryption 

Preboot. 

TABLE 5-2. Full Disk Encryption Preboot Menu Options 

MENU ITEM DESCRIPTION 

Authentication Change the authentication method used to log on. 

Communication Manually synchronize with PolicyServer. 

Note 

Unmanaged endpoints display a null value. 

Computer View information about Full Disk Encryption, change the keyboard 

layout, access the on-screen keyboard, or restart/shutdown the 

device. 

5-3


Network Connectivity 

5-4 

The network connection icon ( ) appears in the top-right corner when Full Disk 

Encryption is installed as a managed client. The icon is only highlighted when the device 

is connected to the network and has communication with PolicyServer. When Full Disk 

Encryption is unmanaged, the network icon never displays. 

On-Screen Keyboard 

Access the on-screen keyboard from Full Disk Encryption Preboot by navigating to: 

Menu > Computer > On-Screen Keyboard 

To insert the cursor in the desired field when the keyboard is displayed, click Focus on 

the bottom-right corner of the keyboard. 

Changing the Keyboard Layout 

Changing the keyboard layout affects both keystrokes and the on-screen keyboard. Once 

Windows boots, the keyboard layout is set by the Windows operating system. 

Procedure 

1. Navigate to Menu > Computer > Change Keyboard Layout. 

The Select the keyboard language (layout) screen appears. 

2. Select a keyboard layout. 

3. Click OK. 

Changing Authentication Methods 

Procedure 

1. At Full Disk Encryption Preboot, select Change Password After Login.

2. Specify the user name and password. 




4. From the top-left menu, select Authentication, and choose the desired 

authentication method. 

The New Password window for the chosen authentication method appears. 

5. Provide and confirm the new password, and then click Next. 

The device boots into Windows. 

Changing Passwords 

Procedure 

1. At Full Disk Encryption Preboot, select Change Password After Login. 

2. Specify the user name and password 



4. Provide and confirm the new password, and click Next. 


ColorCode 

ColorCode is a unique authentication method designed to easily remembered and 

quickly provide. Instead of using numbers or letters for a password, ColorCode 

5-5


5-6 

authentication consists of a user-created sequence of colors (for example: red, red, blue, 

yellow, blue, green). 

FIGURE 5-2. ColorCode Logon 

Creating a ColorCode Password 

The total count (total number of steps in the ColorCode) is defined by PolicyServer. The 

default count is six. 

Procedure 

1. Change the authentication method to ColorCode.

Note 


For details about changing authentication methods, see Changing Authentication Methods 

on page 5-4. 

The ColorCode Change Password screen appears. 

FIGURE 5-3. ColorCode Change Password Screen 

2. Choose the first color by clicking it using the square to the left. 

The count increases by one. 

3. Click additional colors in the sequence. 

Tip 

If there was a mistake, click Back to delete the last color clicked, or click Clear to 

start over. 

5-7


5-8 

4. After the sequence is complete, confirm the ColorCode password using the square 

to the right. 

5. Click Next to finish. 

Remote Help 

Use Remote Help when a user is locked out of an endpoint client after too many failed 

logon attempts or when the period between the last PolicyServer synchronization has 

been too long. 

Within each application’s policies, set the action to Remote Authentication. 

TABLE 5-3. Policies Affecting Remote Help Authentication 


Login > Account Lockout Period The number of days that a device can not 

communicate with PolicyServer before 

Account Lockout Action is called. 

Login > Account Lockout Action The action taken when the length of time in 

Account Lockout Actions include: erase, 


Login > Failed Login Attempts 

Allowed 

The number of failed login attempts allowed 

before executing the action defined in Device 

Locked 

Login > Device Locked Action The action taken when the Failed Attempts 

Allowed policy value has been exceeded. 

Actions include: time delay, erase, remote 

authentication.

Using Remote Help to Unlock Full Disk Encryption 

Procedure 

Important 

• Restarting the endpoint device resets the challenge code. 


• Manually synchronizing policies with PolicyServer also resets the challenge code. 

• The Challenge Code and Response Code are case not sensitive. 

1. From Full Disk Encryption Preboot, go to Menu > Authentication > Remote 

Help. 

2. Provide the Challenge Code to the PolicyServer Administrator. 

3. Type the Response Code provided by the PolicyServer Administrator. 



Note 

If the account uses domain authentication, the device will boot directly into 

Windows. 

5. Specify and confirm new password, then click Next. 

Smart Card 


Smart card authentication requires both a PIN and a physical card when confirming a 

user's identity. Insert the smart card before providing a PIN. 

5-9


5-10 

Important 

To allow smart card authentication for all Endpoint Encryption clients, enable the 

following policy: Full Disk Encryption > PC > Login > Token Authentication. 

Supported Smart Cards 

CARD 

MANUFACTURER 

PRODUCT NAME 

Axalto Axalto Cyberflex Access 64k v1 

soft mask 4 version 1 

Axalto Cyberflex Access 64k v1 

soft mask 4 version 2 

LASER ENGRAVING ON BACK OF 

CARD 

Axalto Access 64KV2 

Axalto Access 64KV2 

Gemalto Cyberflex Access v2c 64K Gemalto Access 64KV2 

GemaltoGemCombiXpresso R4 

dual interface 

Gemalto GCX4 72K DI 

Gemalto TOP DL GX4 144K Gemalto TOP DL GX4 144K 

Gemplus GemXpresso (GXP) PRO 64 K Gemplus GXP3 64V2N 

Oberthur CosmopollC v4 32K Oberthur CosmopollC v4 

RSA RSA 5100 

Galactic v1 32K OCS Gal 2.1 

ID-One Cosmo v5.2D 64k Oberthur C.S. Cosmo64 V5.2D 

ID-One Cosmo v5.2 72k Oberthur ID One V5.2 

ID-One Cosmo v5.2D 72k Oberthur ID One V5.2 Dual 

RSA 5200 

RSA 6100 

RSA SID 800

CARD 

MANUFACTURER 

Schlumberger 

(Axalto) 

PRODUCT NAME 

Cyberflex 32k v2 card with 

Softmask 7 Version 2 

Authenticating with a Smart Card 

Procedure 

1. Insert the smart card in the reader. 

2. Connect the reader to the device. 

3. Provide the user name and fixed password,. 

4. Click Continue 

A message window appears. 

5. Click Continue. 

6. At the Register Token window: 


a. Type the new PIN provided by the Administrator. 

b. Confirm the new PIN. 

c. Select the smart card type from the Token drop-down list. 


LASER ENGRAVING ON BACK OF 

CARD 

Schlumberger Access 32K V2 

d. Click Continue to finish registering the token, and access the PC. 

Use Self Help to authenticate when users have forgotten their credentials. Self Help 

requires users to respond with answers to predefined personal challenge questions. Self 

Help can also be used instead of fixed password or other authentication methods. 

5-11


5-12 

Important 

PolicyServer must be configured to allow Self Help authentication. For more information, 

see Understanding Policies on page 3-1. 

WARNING! 

A maximum of six questions can display to endpoint clients. Do not create more than six 

questions in PolicyServer, or users will be unable to log on. 

Setting Up Self Help 

If the Self Help policy is enabled, the user is prompted to define answers for the Self 

Help questions after his/her first login. If the user changes their password, they must 

define Self Help question answers again. 

Note 

Procedure 

Self Help answers are stored on the device. If a user logs on another Full Disk Encryption 

device, the user must define Self Help answers for that device. 

1. Provide the user name and password. 


The Self Help window appears. 

3. Define answers for all of the Self Help questions. 


The device boots into Windows.

Using Self Help 

Procedure 


1. From the top-left menu of Full Disk Encryption Preboot, go to Menu > 

Authentication > Self Help. 


2. Answer all of the Self Help questions. 


4. Define a new password, and then click Next. 


Changing Self Help Answers 

Procedure 

1. At Full Disk Encryption Preboot, provide your credentials, select Change 

Password After Login, then click Login. 


2. Provide and confirm the new password, and then click Next. 


3. Define new answers for all of the Self Help questions, and then click Next. 


Full Disk Encryption Connectivity 

Endpoint Encryption uses a FIPS 140-2 approved encryption process for data passed 

between Full Disk Encryption Preboot and PolicyServer. Full Disk Encryption clients 

5-13


5-14 

that have network connectivity to PolicyServer can receive policy updates and upload 

audit data from the endpoint client. All client-server communications are internally 

encrypted and can be sent over insecure connections such as the Internet. 

System Administrators have flexibility in determining connectivity options for their 

organization. Administrators can place PolicyServer within a DMZ (Demilitarized Zone) 

for access to both internal networks and the Internet. 

TABLE 5-4. Full Disk Encryption Connectivity Requirements 

RESOURCE FUNCTION 

PolicyServer Updated security policies from PolicyServer can be sent 

to Full Disk Encryption Preboot or using connectivity 

established within Windows, LAN, VPN, etc. 

TCP/IP Access Network connectivity for PC devices requires full TCP/IP 

network access; dial-up or telephone access cannot be 

used to provide connectivity with PolicyServer during 

preboot authentication. 

Port 80 Full Disk Encryption communications use port 80 by 

default. To change the default port number, go to 

Recovery Console and update the PolicyServer. 

Updating Full Disk Encryption Clients 

Full Disk Encryption clients automatically receive policy updated from PolicyServer at 

intervals determined by policy. Do the following to manually synchronize policies: 

Procedure 

1. From the top-left menu of Full Disk Encryption Preboot, go to Communications 

> Synchronize policies. 

2. Go to Computer > About Full Disk Encryption. The timestamp of the latest 

PolicyServer policy synchronization displays.

Full Disk Encryption Recovery Console 


Recovery Console helps Administrators recover a device in the event of primary OS 

failure, troubleshoot network connectivity issues, and manage policies for unmanaged 

clients. 

WARNING! 

Use Recovery Console before running standard Windows diagnostic and repair utilities. 

TABLE 5-5. Recovery Console Functions 

CONSOLE ITEM DESCRIPTION 

Decrypt Disk Remove encryption from the disk drive. Use the Full Disk 

Encryption Preboot Recovery Console to access Decrypt Disk. 

Mount Partitions Provide access to the encrypted partitions for file management. Use 

the Full Disk Encryption Preboot Recovery Console to access 

Mount Partitions. 

Note 

Mount Partitions is only accessible on devices with software 

encryption. This option is grayed-out if a device has hardware 

encryption. 

Restore Boot Roll back the MBR to a state before Full Disk Encryption 

installation. Use the Full Disk Encryption Preboot Recovery Console 

to access Restore Boot. 

Note 

Restore Boot is only accessible on devices with software 

encryption. This option is grayed-out if a device has hardware 

encryption. 

Manage Users Add or remove users from the device when not connected to 

PolicyServer. 

5-15


5-16 

CONSOLE ITEM DESCRIPTION 

Manage Policies Modify policies for devices that are either not managed by 

PolicyServer or are managed but are temporarily not connected to 

PolicyServer. If the device is managed, policy changes are 

overwritten the next time that the device communicates with 

PolicyServer. 

View Logs View and search the various Full Disk Encryption logs. 

Note 

Logs are available only when the Recovery Console is 

accessed from Windows. 

Network Setup Verify, test, and modify network settings. 

Exit Exit the Recovery Console. 

Accessing Recovery Console 

Only Group Administrator/Authenticator accounts can access Recovery Console. To 

allow users to access Recovery Console, set PC > Client > Allow User Recovery to 

Yes. 

Procedure 

1. Reboot the device. 

2. When Full Disk Encryption Preboot appears, provide the user name and password. 

3. Select the Recovery Console option, and then log on. 

Recovery Console displays.

Accessing Recovery Console from Windows 

Procedure 


1. In Windows, go to the Full Disk Encryption installation directory. The default 

location is C:\Program Files\Trend Micro\Full Disk Encryption\ 

2. Open RecoveryConsole.exe. 

The Recovery Console window appears. 

3. Provide the user name and password, and then click Login. 

Recovery Console opens to the Decrypt Disk page. 

Using Decrypt Disk 

Selecting Decrypt Disk decrypts an encrypted Full Disk Encryption hard disk, but does 

not remove any of the encryption drivers. If using Decrypt Drive, disable DrAService 

before booting into Windows. 

Procedure 

WARNING! 

Read this procedure before using Decrypt Disk. Data loss can occur if performed 

incorrectly. Do not use Decrypt Disk to remove Full Disk Encryption from a device that is 

functioning normally. Use TMFDEUninstall.exe instead. 

1. At Full Disk Encryption Preboot, select Recovery Console, provide credentials, 

and then click Login. 

Recovery Console opens to the Decrypt Disk page. 

2. Click Decrypt to begin decrypting the drive. 

Decryption begins immediately and the Decrypt Disk page displays the decryption 

progress. 

5-17


5-18 

3. When decryption is finished, click Exit to reboot the device. 

4. If booting a repair tool CD, DVD, or USB key: 

a. After exiting Full Disk Encryption, press F12 (or the appropriate button to 

enter the boot options). 

b. Insert the repair tool CD / DVD and select CD/DVD drive from the boot 

options screen. 

c. Proceed with established recovery actions. 

5. If booting into Windows: 

a. Hold F8 and select Safe Mode before system begins booting into Windows. 

WARNING! 

If the Windows boot options screen is missed, immediately turn off the device. 

If Windows boots normally (not in Safe Mode), DrAService will immediately 

start encrypting the drive again. Any recovery actions taken at this point will 

risk irreparable damage to data on the drive. 

6. Open Device Management and navigate to Services and Applications > 

Services. 

The Device Management window appears. 

7. Locate and double-click DrAService to open the DrAService Properties window. 

8. On the General tab, change Startup type to Disabled. 

9. Click Apply, and then click OK. 

10. Reboot the device. 

11. Log on Full Disk Encryption Preboot, and then Windows. 

What to do next 

After all recovery actions are complete, set DrAService to Automatic. The device 

automatically re-encrypts the hard disk after the next reboot.

Mount Partitions 


Use Mount Partitions to copy files between the encrypted hard disk and a storage device 

before imaging or reformatting the drive. The encrypted contents on the drive are 

displayed in the left pane and an unencrypted device can be mounted in the right pane. 

Use copy and past to move file between panes. Files copied to the encrypted drive will 

be encrypted. Files copied out of the encrypted drive will be unencrypted. 

Restore Boot 

The Restore Boot option restores the original boot on the device, when the device is 

fully decrypted and is only available from Full Disk Encryption Preboot. 

Decrypt the disk before restoring the Master Boot Record (MBR). 

Procedure 

WARNING! 

Do not use Decrypt Disk before reading through the instructions. Data loss can occur. 

1. Log on Recovery Console. 

2. Click Decrypt Disk and then click Decrypt. 

3. Switch to the Restore Boot option. 

A Replace MBR confirmation window displays. 

4. Click Yes to replace the MBR. 

A message confirming the MBR replacement displays. 

5. Click Exit. 


5-19


Manage Full Disk Encryption Users 

5-20 

Add or remove users from the preboot cache or to change a user's cached password. 

This option is useful when Full Disk Encryption cannot connect to PolicyServer. Both 

the Full Disk Encryption Preboot and Windows Recovery Console can use this option. 

Note 

• Manage Users is only available when not connected to PolicyServer. 

• Changes made to users through Recovery Console are overridden when Full Disk 

Encryption connects to PolicyServer. 

Some considerations for passwords: 

• Assigned passwords, whether on a new account or for an existing one, are fixed 

password. 

• The user password expiration can be specified directly using the Password 

Expiration calendar. 

• The default setting for a new user is the date as determined by the Change 

Password Every policy located at: Common > Authentication > User 

Password. 

Note 

Editing Users 

Set the date to the current date or older to force an immediate password change, 

while setting it to the future will specify a change on that date. 

Editing users in the Recovery Console has all rules as in PolicyServer. For details about 

rules, see Add Users to PolicyServer on page 4-10. 

Procedure 

1. Select the user from the user list.

2. Update the desired information. 

3. Select the user type: Administrator, authenticator, or user. 

4. Set the password expiration date. 

5. Click Save. 

The user is updated. 

Adding Users 

Procedure 

1. Click Add User. 

2. Provide the user name and password, and confirm the password. 


3. Select the authentication method from the Authentication Type drop-down list. 

4. Set the password expiration date. 

5. Click Save. 

The new user appears in the User List. A confirmation window appears. 

6. Click OK to close the confirmation window. 

The new user is added. 

Deleting Users 

Procedure 

1. Select a user from the user list. 

2. Click Delete User. 

A delete user confirmation window appears. 

5-21


5-22 

3. Click Yes. 

The user is deleted from the user list. 

Manage Policies 

Use Manage Policies to set various policies for Full Disk Encryption Recovery Console. 

For an explanation of these polices, see Understanding Policies on page 3-1 for details. 

Note 

View Logs 

The Manage Policies option is only available when not connected to PolicyServer and any 

changes will be overridden the next time Full Disk Encryption connects to PolicyServer. 

View Logs provides the capability for an Administrator to search for and display logs 

based on specific criteria. View Logs is only available from Recovery Console using 

Windows. It is unavailable from the Full Disk Encryption Preboot. 

For information about viewing Full Disk Encryption logs, see Accessing Recovery Console 

from Windows on page 5-17. 

Network Setup 

Use Network Setup to verify, test, and/or change the network settings that are used by 

Full Disk Encryption Preboot. There are three tabs: IPv4, IPv6, and PolicyServer. 

Note 

New in Full Disk Encryption 3.1.3 is the ability to change PolicyServer or Enterprise 

without having to remove and reinstall Full Disk Encryption.

Managing Network Configuration 


By default, Get setting from Windows is selected for both IPv4 and IPv6. Deselect 

this control to manually configure the network settings. 

• Choosing DHCP (IPv4) or Automatically get address (IPv6) uses the 

dynamically assigned IP address. 

• Choosing Static IP enables all fields in that section. 

• In the IPv6 tab, choosing Static IP when the IP Address field is empty creates a 

unique IP address based on the hardware address of the machine. 

Managing PolicyServer Settings 

Procedure 

1. Open the PolicyServer tab. There are two text fields: Current Server and Current 

Enterprise. 

• To change the current enterprise: 

a. Click Change Enterprise. 

b. At the warning message appears, click Yes. 

c. Specify the new server user name, password, enterprise and server name, 

then click Save. 

WARNING! 

Changing the enterprise requires configuring policies again, recreating 

groups, and deletes any cached passwords, password history, and audit 

logs. 

• To change the current server: 

a. Click Change Server. 

b. At the warning message, click Yes. 

c. Specify the new server address and click Save. 

5-23


5-24 

2. Click Cancel to return to the Recovery Console menu options screen. 

Full Disk Encryption Recovery Methods 

Once a device is fully encrypted with Full Disk Encryption, scenarios may exist where 

an Administrator needs to accomplish system restore actions: 

• The local Administrator password is lost 

• The Windows environment is corrupted 

Important 

For software encryption, standard data recovery tools (Windows Recovery Disk, ERD 

Commander, UBCD) cannot access a Full Disk Encryption 3.1.3 encrypted system; 

therefore, the system must be decrypted before any recovery actions are performed. 

Data recovery methods are available to Endpoint Encryption Administrators/ 

Authenticators to recover data when the device is not functioning properly. Full Disk 

Encryption must be installed. 

TABLE 5-6. Recovery Methods for Full Disk Encryption-protected devices 

RECOVERY METHOD DESCRIPTION WHEN TO USE 


Uninstall 

Full Disk Encryption Uninstall 

removes Full Disk Encryption 

from the device. Once the 

uninstall is complete, you may 

proceed with established 

recovery action within Windows. 

Windows environment is 

working normally.


RECOVERY METHOD DESCRIPTION WHEN TO USE 

Recovery Console Selecting the Full Disk 

Encryption Recovery Console > 

Decrypt Disk option allows 

Administrators to decrypt the 

selected hard disk on-the-fly or 

save the image of the decrypted 

hard disk to removable media. 

Note 

This method is not 

recommended if Windows 

is functioning normally. 

Repair CD The Repair CD is a bootable CD 

that is used to decrypt a corrupt 

drive when the device cannot be 

booted to Full Disk Encryption. A 

typical symptom of a corrupted 

disk is a black screen. 

Note 

Repair CD 

WARNING! 

Do not use if Windows is 

functioning normally. 

Full Disk Encryption Preboot 

loads, but Windows does not. 

• Full Disk Encryption 

Preboot does not load. 

• Full Disk Encryption 

cannot authenticate. 

To decrypt drive, the user must have Endpoint Encryption Enterprise or Group 

Administrator rights and Windows Administrator rights. 

The Full Disk Encryption Repair CD is a bootable disk used to fully decrypt a device if 

the device is unable to boot. 

5-25


5-26 

Note 

• If physical damage (bad sectors) has occurred to the hard disk drive, the drive may not 

decrypt completely or may become unusable. 

• Verify that the hard-disk drive cable is properly connected. 

Several options are available after booting from Repair CD: 

TABLE 5-7. Repair CD Options 

OPTION DESCRIPTION 

Recovery Launches Recovery Console. 

Unlock Unlock a device that has been locked because: 

• too many unsuccessful login attempts 

• no communication with PolicyServer for a specified duration 

Note 

Reboot Restarts the device. 

Unlock option is only available when the policy Remote 

Authentication is set to Lock Out. 

Advanced Options Provides access to advanced options: 

• Remove Full Disk Encryption Preboot 

• Erase 

• Force Decryption

TABLE 5-8. Repair CD Advanced Options 

ADVANCED OPTION DESCRIPTION 

Remove Full Disk Encryption 

Preboot 

Removes the Full Disk Encryption Preboot 

authentication screen from the device. 

WARNING! 


This action cannot be undone, and does not 

decrypt the drive. Use the Decrypt Disk to 

remove encryption. 

Erase Removes all data from the drive. 

Return to the Main Return to the standard CD options. 

Force Decryption Allows an Administrator to decrypt the drive when Full 

Disk Encryption will not boot. 

WARNING! 

Data loss can occur if the Advanced Options are used incorrectly. 

Recovering Data with Repair CD 

Use Repair CD to attempt to recover data from an encrypted device. However, there are 

a number of considerations to keep in mind before trying to decrypt the disk: 

• Only use Repair CD if the device is encrypted, or has begun encryption. 

• If the device contains important data, make a backup image before continuing. For 

instructions, go to http://esupport.trendmicro.com/solution/en-us/1059802.aspx. 

• Do not attempt to decrypt a laptop unless it is connected to AC power. 

• If the Repair CD does not boot, verify that the device has the latest BIOS version 

installed. Upgrade the system BIOS if necessary. 

• Drive decryption using this method takes at least as long as the initial encryption 

process. 

5-27


5-28 

• If a bad sector is encountered, visible progress may slow down. Allow the CD to 

continue decryption and contact Trend Micro Support before interrupting the 

process. 

WARNING! 

Do not interrupt the process once you initiate decryption from the Repair CD. Otherwise, 

irreversible data loss may occur. 

Decrypting a Disk using the Repair CD 

Procedure 

1. Power on the networked system. 

a. Immediately press F12 (or the appropriate button to enter the boot options). 

b. Insert the Repair CD and select the CD/DVD drive from the boot options 

screen. 

The device boots into the Repair CD environment. 

2. At Full Disk Encryption Preboot, select Recovery Console. 



Recovery Console displays. 

5. Select Decrypt Disk(s) to begin fully decrypting the device. 

6. When decryption completes, click Exit to return to Repair CD menu. 

7. Click Reboot to restart the device. 

Note 

Remove the CD in order to start the device normally. 

8. Log on Full Disk Encryption Preboot.

9. Log on Windows and proceed with the preferred recovery method. 

Cleaning Up Full Disk Encryption Files 


Decrypting a drive removes MBR changes and other essential elements used to protect 

the device. For software encryption, decrypt the disk completely before uninstalling Full 

Disk Encryption. Otherwise, the OS may crash. 

Procedure 

WARNING! 

If the MSI is executed to uninstall on non-DriveTrust machine, the OS will not be found 

after the client is restarted. 

1. From a command line: 

a. Run msiexec.exe /X{17BACE08-76BD-4FF5-9A06-5F2FA9EBDDEA} 

2. From Windows: 

a. Open regedit within Windows and browse to the following key: HKLM 

\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ 

\{17BACE08-76BD-4FF5-9A06-5F2FA9EBDDEA}. 

b. Browse to the UninstallString key: msiexec.exe /x 

{17BACE08-76BD-4FF5-9A06-5F2FA9EBDDEA}. 

c. Copy the string. 

d. Open Run... and paste the string in the Open field. 

e. Click OK. 

The Windows Installer window appears. 

f. At the uninstall confirmation, click Yes. 

Note 

If the User Account Control window appears, click Allow. 

5-29


5-30 

g. When prompted to turn off the DrAService, select the second radio button 

option Do not close applications, and then click OK. 

3. If prompted to reboot the device, click Yes. Otherwise, restart the device manually.

Working with FileArmor 

Chapter 6 

FileArmor protects individual files and folders on local hard drives, and removable 

media devices (USB drives). Administrators can set policies specifying which folders and 

drives are encrypted on the device and policies about encrypted data on removable 

media. Encryption is performed after authentication takes place. 

FileArmor can also protect different files with different keys, allowing Administrators to 

set access policies to a device and separate policies for access to certain files. This is 

useful in environments where multiple users access one endpoint. 


• FileArmor System Tray Icon Menu on page 6-8 

• FileArmor Authentication on page 6-2 

• FileArmor Encryption on page 6-10 

• FileArmor Secure Delete on page 6-15 

6-1


FileArmor Authentication 

6-2 

This section explains how to authenticate using FileArmor and aspects particular to 

using FileArmor. All authentication methods for Endpoint Encryption are available in 

FileArmor. See Account Roles and Authentication on page 1-12 for details about 

authentication methods. 

FileArmor First-time Authentication 

When FileArmor is launched for the first time, an initial registration is required to 

identify PolicyServer. The fixed password authentication method is default. Other 

options are available depending on policy settings. 

Procedure 

1. Right-click the FileArmor tray icon, and then select Register. 


3. Specify the PolicyServer IP address (or host name) and the PolicyServer enterprise. 

4. Click OK 

The Change Password screen appears 

5. Select desired authentication from the drop-down. 

6. Specify and confirm new password, and then click OK. 

Note 

Without authenticating to FileArmor, access to files and removable media is denied. 

FileArmor Domain Authentication 

For seamless integration and use of the FileArmor domain authentication/Single Sign- 

On (SSO) process, ensure the following requirements are met:


• The user belongs to a group with the policy Common > Authentication > 

Domain Authentication set to Yes 

• At the group level, go to Common > Authentication > Network Login policies 

and set Host Name and Domain Name. 

• PolicyServer and all devices using domain authentication are on the same domain. 

• The user account is configured in both Active Directory and PolicyServer. The user 

name is case sensitive and must match exactly. 

Note 

FileArmor SSO requires the following policy enabled: Common > Authentication > 

Network Login > Domain Authentication. 

Authenticating with Domain Authentication 

Enable domain authentication at: 

Group Name > Policies > Common > Authentication > Network Login > 

Domain Authentication. 

Procedure 

1. Choose Domain Authentication as the authentication type. 

2. Provide the user name and password for the domain account. 

3. Click OK. 

6-3


6-4 

Note 

• Changing passwords is not available for domain users and FileArmor cannot 

change a Windows domain password. That functionality is controlled by Active 

Directory. 

• Domain authentication cannot be used with a Smart Card PIN. 

• Remote Help is available to domain users. However, the domain password must 

be reset in Active Directory if it is forgotten. 

FileArmor Smart Card Authentication 

To use smart card authentication, ensure that the following requirements are met: 

• FileArmor policy Login > Password > Physical Token Required = Yes. 

• The smart card reader is connected and the smart card is inserted. 

Note 

FileArmor only supports CASC and PIC smart cards 

• ActivClient 6.1 with all service packs and updates must be installed. 

• Specify the smart card PIN in the password field. 

WARNING! 

Failure to provide a correct password will send a password error and can result in 

locking the smart card. 

Authenticating with a Smart Card 

FileArmor smart card authentication is only available if enabled by policy. In 

PolicyServer, mark Smart Card as an authentication option in FileArmor > Login > 

Authentication Methods Allowed.

Procedure 


1. In FileArmor, open FileArmor and select Smart Card from the authentication 

drop-down. 

2. Provide the user name. 

3. Provide the smart card PIN or fixed password (if applicable). 

4. Click OK. 

FileArmor ColorCode Authentication 

FileArmor ColorCode authentication is only available if enabled by policy. The policy is 

available at: Group Name > Policies > FileArmor > Login > Authentication 

Methods Allowed 

Procedure 

1. Select ColorCode from the authentication drop-down. 

2. Input unique ColorCode combination. 

3. Click OK. 

FileArmor PIN Authentication 

FileArmor PIN authentication is only available if enabled by policy. The policy is 

available at: Group Name > Policies > FileArmor > Login > Authentication 

Methods Allowed. 

Procedure 

1. Select PIN from the authentication drop-down. 

2. Specify the PIN combination. 

6-5


6-6 

3. Click OK. 

Changing Password in FileArmor 

To change the password, a user must authenticate to FileArmor with a User account. 

Administrator and Authenticator accounts cannot change password. The password can 

be changed to any method that is allowed by PolicyServer policies. 

Procedure 

1. Right-click the FileArmor tray icon and then select Change Password 

2. Specify the password and then click Next 

3. Select any available authentication method, provide and confirm the new password, 

and then click OK. 

The new password is updated and a confirmation displays. 

Forced Password Reset 

FileArmor prevents unauthorized access to encrypted files and folders by locking 

protected files if there are too many invalid authentication attempts or if the endpoint 

has not communicated with PolicyServer for a specified duration. Depending on a 

policy, FileArmor locks a user from access or enacts a time delay before authentication 

attempts can be made. 

Unlocking a Device 

If a user has exceeded the number of authentication attempts and policies are set to 

enact Remote Authentication, FileArmor locks Endpoint Encryption folders and 

notifies the user that Remote Help is required. Remote Help is used to unlock 

FileArmor and requires Enterprise/Group Authenticator assistance.

Procedure 

1. Right-click the FileArmor tray icon and select Remote Help. 

The Remote Help window appears. 

FIGURE 6-1. FileArmor Remote Help 

2. Specify the user name. 

3. Click Get Challenge. 

4. Type the Response provided by the Enterprise/Group Authenticator. 

5. Click Log In. 

The user is authenticated to FileArmor and a notification displays. 


6-7


6-8 

Time Delay 

If a user exceeds the number of authentication attempts and the policy is set to enact a 

temporary time delay that cannot be bypassed and must expire before authentication is 

permitted. 

After exceeding the allowed number of failed authentication attempts, FileArmor locks 

the device and notifies the user that the device is locked. The ability to log on or reset 

the password is disabled during the time delay. The duration of the time delay is 

determined by policy. Once the time delay has elapsed, the user may authenticate. 

FileArmor System Tray Icon Menu 

After FileArmor is installed, an icon ( ) is displayed in the system tray. The icon 

provides access to numerous FileArmor functions. Right-click the icon to display the 

menu items. 

TABLE 6-1. FileArmor system tray icon options 

MENU ITEM FUNCTION 

Register First-time user registration of FileArmor with the PolicyServer. 

For details, see FileArmor First-time Authentication on page 

6-2. 

Log In / Log Out Authenticate with PolicyServer. 

Change Password Permits non-domain authenticated users to change their 

password. For details, see Changing Password in FileArmor 

on page 6-6. 

Remote Help Unlock FileArmor using Remote Help to authenticate if the 

password is forgotten, there were too many failed 

authentication attempts, or the device has not communicated 

with the PolicyServer for a specified duration. For details, see 

Forced Password Reset on page 6-6. 

Sync with PolicyServer Manually download policy updates from PolicyServer. Useful 

for testing connectivity to PolicyServer. For details, see 

Syncing with PolicyServer on page 6-9.


Sync with PolicyServer 

Offline Files 


See Syncing with PolicyServer Offline Files on page 6-9 

for details. 

Hide Notification Silences all FileArmor notifications. 

About FileArmor Displays FileArmor information including version, last sync 

time, and authenticated user. For details, see FileArmor 

System Tray Icon Menu on page 6-8. 

Close Tray Temporarily removes the FileArmor tray icon. 

Syncing with PolicyServer 

Endpoint clients can manually download new FileArmor policies by opening the 

FileArmor tray icon and selecting Sync with PolicyServer. 

Note 

• Clients do not need to be authenticated to synchronize policies. 

• If a network connection or PolicyServer is unavailable, a Failed to sync with server 

error displays. 

Syncing with PolicyServer Offline Files 

Offline updates work with the FileArmor 3.0.13.2447 or higher and now work on x64 

installs of FileArmor. If the update is generated, the offline update will replace any 

existing user password with the new fixed password. 

Synchronized passwords will not replace a user password on update to maintain the 

same functionality of managed devices. 

A fixed password is required to add a user to an offline endpoint client. The offline 

process will generate two files: 

• The first file with the .exe extension is used for updating existing Full Disk 

Encryption devices 

6-9


6-10 

• The second file with the policy update extension is used to update FileArmor. 

Note 

Blackberry policies are removed from all new offline installs where Blackberry was not 

enabled by the license file. This will significantly decrease the size of the file. 

Changing PolicyServer 

The PolicyServer that FileArmor connects to can be updated from the About window. 

Procedure 

1. Right-click the FileArmor tray icon and select About FileArmor. 

The About windows displays. 

2. Click Edit PolicyServer. 

3. Specify the new PolicyServer hostname or IP address. 

4. Click OK. 

FileArmor is now managed by the new PolicyServer. 

FileArmor Encryption 

Files can be encrypted with FileArmor policies defined locally or from policies defined 

by PolicyServer. The method used depends on enterprise and endpoint user needs for 

file access and the level of security desired. 

Files can be encrypted automatically by saving files in several locations: 

• A folder on the device 

• A folder that resides on removable media 

• A fully encrypted removable media device


Files can also be encrypted by right-clicking the file and selecting one of the following 

from the FileArmor context menu: 

TABLE 6-2. FileArmor context menu items 


Archive Create an encrypted copy of the specified file. 

Archive and Burn Create an encrypted copy of the specified file and write it to 

CD/DVD. 

FileArmor Local Key Encryption 

Selecting the Local Key function allows a user to encrypt files for view strictly by that 

user. 

Note 

• Set FileArmor > Encryption > Encryption Method Allowed to User’s Unique 

Key. 

• Local Key files can only be accessed on a FileArmor device by the user who created 

them. 

• When a file is encrypted, FileArmor creates a new file. The original file remains 

unencrypted in its original location. 

WARNING! 

Depending on the Windows operating system a user may view folder contents if switching 

from one user to a separate user without restarting Windows. While file names and folder 

content may be viewed, the file contents are not available. This is due to Windows 

operating system caching the file structure for quick search capability. 

Creating a Local Key 

Procedure 

1. Right-click the desired file and select FileArmor > Archive > Local Key. 

6-11


6-12 

The original files or folders are unchanged and can be kept or deleted. 

FileArmor Shared Key Encryption 

Files can be encrypted strictly for viewing by members of a policy group using the 

Shared Key function. 

• Local Key files can only be accessed on a FileArmor device by the user who 

created them. 

• Set two policies: Allowed Encryption Methods to Group Unique Key and 

Encryption Key Used to Group Key. 

• To allow encrypted files to viewed by an FileArmor user within the PolicyServer 

Enterprise, set Encryption Key Used to Enterprise Key. 

• When a file is encrypted, FileArmor creates a new file. The original file is left in its 

original location unencrypted. 

WARNING! 

Depending on how Windows permissions are configured, a user can view encrypted folder 

contents if switching between users without restarting Windows. While the file names and 

folder content may be viewed, the file contents are not available. This is due to Windows 

Operating system caching the file structure for quick search capability. 

Creating a Shared Key 

Right-click the desired file and select FileArmor > Archive > Shared Key. The original 

files or folders are unchanged and can be kept or deleted. 

FileArmor Fixed Password Encryption 

FileArmor can create encrypted files using a fixed password. The encrypted file can 

optionally be self-extracting, meaning that the recipient does not need FileArmor to 

decrypt the file. Note the following:


• There is no functionality available for password recovery with self-extracting files. 

If a password is forgotten, the encrypted file cannot be recovered. 

• Due to a Windows limitation, executable (self-extracting) files cannot be larger than 

2GB. 

Creating a Fixed Password Key 

Procedure 

1. Right-click the desired file and then select FileArmor > Archive > Fixed 

Password. 

2. Provide the fixed password and confirm. 

Note 

3. Click OK. 

Mark Output encrypted data as a self-extracting archive if necessary. 

The file is encrypted. 

4. To unencrypt the file, double-click the file, provide the archive password, and then 

click OK. 

5. For self-extracting archives, double-click the file, provide the archive password, 

choose the extraction location, choose whether to open destination after extraction 

or to overwrite existing files, and then click Continue. 


FileArmor Digital Certificate Encryption 

FileArmor can encrypt files with digital certificates (smart cards) from the Windows 

certificate store. 

6-13


6-14 

Creating a Digital Certificate Key 

Procedure 

1. Right-click the desired file and select FileArmor > Archive > Certificate. 

2. Select a Certificate Store and then click Gather Certificates. 

3. Select one or more certificates and then click OK. 

Note 

Certificates are gathered from the Windows certificate store. 

4. Select an optical drive with a blank CD/DVD inserted in the drive. 

5. Click OK. 


FileArmor Archive and Burn 

The FileArmor Archive and Burn function can be used to write encrypted files to CD/ 

DVD. Files are self-extracting and can be encrypted using a Fixed Password or Digital 

Certificate. 

Burning an Archive with a Fixed Password 

Procedure 

1. Right-click the file to select and select FileArmor > Archive and Burn > Fixed 

Password from the FileArmor context menu. 

2. Provide a password and confirm. 

3. Select a drive with a writeable disk inserted in the drive. 

4. Click OK.

The self-extracting file is burned to CD/DVD. 

Burning an Archive with a Certificate 

Procedure 

1. Right-click the file to select and select FileArmor > Archive and Burn > 

Certificate from the FileArmor context menu 

2. Select a Certificate Store and click Gather Certificates. 

3. Select one or more certificates and click OK. 

4. Select an optical drive with a black CD/DVD inserted. 

5. Click OK. 

The self-extracting file is burned to CD/DVD. 

FileArmor Secure Delete 


FileArmor provides a secure delete function that wipes, erases, and cleans the selected 

files and the file history from your device. 

Procedure 

1. Right-click the file and go to FileArmor > Secure Delete. 

2. Click Yes to permanently delete the file. 

6-15

Working with KeyArmor 

Chapter 7 

KeyArmor USB drives secure data with always-on hardware encryption and embedded 

antivirus/anti-malware protection to meet regulatory compliance requirements and 

stringent government mandates. With KeyArmor, Administrators have complete 

visibility and control of who, when, where, and how USB drives are used in their 

organization. 


• KeyArmor Features on page 7-4 

• KeyArmor Authentication on page 7-2 

• Using KeyArmor on page 7-6 

7-1


KeyArmor Authentication 

7-2 

KeyArmor Authentication has the capability to provide users with a variety of 

identification methods. These choices offer flexibility that can be targeted to meet the 

security requirements of the enterprise. A successful authentication allows a user access 

to the device. 

For details about Endpoint Encryption authentication, see Account Roles and 

Authentication on page 1-12. 

Authenticating to KeyArmor for the First Time 

Procedure 

1. Insert the KeyArmor flash device into a USB port to launch the software. 

• If KeyArmor auto launches, the status bar displays and the KeyArmor icon is 

added to the tray. 

• If KeyArmor does not auto launch, go to My Device and open the KeyArmor 

drive. 

2. Specify the user name and password. 

3. Specify the PolicyServer in the Host Name or IP Address field. 

4. Specify the enterprise name in the Enterprise Name field. 

5. Click Login.

Changing Authentication Methods 

Note 

Procedure 


• Only one authentication method is valid for any particular user at any given time. 

• A user can change his/her authentication method only after successfully logging on a 

KeyArmor device. 

1. Right-click the KeyArmor icon from the tray and select Change Password. 

The Loading window appears and is followed by the Change Password screen 

for the user’s current authentication method. 

2. Click Authentication. 

3. Select a new authentication method. 

4. Specify current password. 

5. Click Change to display new authentication method screens. 

The Completed Authentication Method Change screen appears. 

Fixed Password 

Fixed passwords are the most common user identification method. The password is 

chosen by the user. To configure policy restrictions on passwords, go to KeyArmor > 

Login at the group or Enterprise level. 

Note 

Fixed password is always used as the initial authentication to KeyArmor. 

7-3


7-4 

Procedure 

1. Specify and confirm the new fixed password. 

2. Do one of the following: 

• To complete the password change, Click Change. 

• To remove any content from the fields, click Clear. 

The user is authenticated to KeyArmor and can now save data to the SECURE 

DATA folder; the KeyArmor icon displays in the system tray. 

KeyArmor Features 

This section explains the key features of KeyArmor. 

Device Components 

KeyArmor mounts two drives when the device is inserted in a USB port. 

FIGURE 7-1. KeyArmor Devices 

• KeyArmor (E:) contains the KeyArmor program files. 

• SECURE DATA (F:) is KeyArmor user storage. KeyArmor encrypts all files 

stored in this drive.

Protecting Files with KeyArmor 


To safeguard files using KeyArmor, copy or drag the selected folder, file, or document 

to the KeyArmor SECURE DATA drive. 

Files saved to KeyArmor are automatically encrypted and accessible with valid Endpoint 

Encryption credentials. Files remain encrypted as long as they are stored on KeyArmor. 

Note 

To ensure current antivirus definitions, do not copy any files to the KeyArmor device until 

the initial antivirus updates complete. 

No Information Left Behind 

There are several ways that KeyArmor avoids leaving any information on the local 

device: 

• Browsing files on the KeyArmor device copies no data to the host device. 

• Opening and editing documents using applications on the host device may store 

temporary or recovery file data on the host device. 

• Most software applications can be configured to store their temporary or recovery 

file data on the KeyArmor device. 

KeyArmor Antivirus Updates and Activity 

After authenticating, KeyArmor antivirus definitions will attempt to update. KeyArmor 

presents warnings about antivirus update activity. 

WARNING! 

Do not log off or remove a KeyArmor device from the endpoint client while the antivirus 

update is in process. 

Copying files or opening files from KeyArmor is an end-user initiated activity. Files are 

scanned as they are saved or copied to KeyArmor. If a virus is found, the system 

7-5


7-6 

Administrator controls the resulting action including an attempt to repair or delete the 

file; or to wipe the KeyArmor device completely. Users may have the ability to initiate a 

full scan of their KeyArmor device once authenticated. 

KeyArmor Check Disk Notification 

Improperly removing a KeyArmor device without safe removal can cause file system 

corruption. Always log off KeyArmor before physically removing the device. In the 

event of an improper shutdown, unsafe removal, or other unforeseen circumstance, you 

may be prompted to check the disk next time the key is inserted. It is safe to ignore and 

move past this prompt; KeyArmor will check the disk for you and correct any errors. 

Using KeyArmor 

This section explains how to use KeyArmor. 

Warning About Unencrypted Devices 

• KeyArmor users should follow their organization's policy related to transporting 

data beyond an individual's assigned work device. 

• KeyArmor encrypts all files stored to it. 

• KeyArmor software runs from the device and at no time does the KeyArmor 

software copy data to the host device. 

• Browsing files on the device also does not copy data to the host device. 

• Copying files to a host device is a user initiated action which can only be executed 

after proper authentication to a device. 

• Some software applications running on the host may store temporary or recovery 

file data on the host device.


• Most software applications can be configured to store temporary or recovery file 

data on the KeyArmor device. This action is recommended if the device will be 

permitted to travel outside the boundaries of the trusted/secure network. 

KeyArmor Taskbar 

Several options are available from opening KeyArmor from the taskbar: 

TABLE 7-1. KeyArmor Taskbar 


Start Full Scan Scans the KeyArmor device for threats. 

Download Policy 

Updates 

Downloads the most current policy updates. For example, if 

the Administrator makes a change to add an authentication 

method and removes the existing authentication methods, 

the user might be directed to download policy updates and 

immediately begin using the new authentication method. 

Change Password Permits non-domain authenticated users to change their 

password. 

Open Secure Data Opens the SECURE DATA drive. 

About KeyArmor Displays KeyArmor information including version, last sync 

time, and authenticated user. 

Logout Logs off KeyArmor. 

KeyArmor Menu 

Several options are available by opening the KeyArmor menu: 

TABLE 7-2. KeyArmor menu items 


Authentication See KeyArmor Authentication on page 7-2 for details. 

7-7


7-8 


Download Policy 

Updates 

Download the most current policy updates. For example, if 

the Administrator makes a change to add an authentication 

method and removes the existing authentication methods, 

the user might be directed to download policy updates and 

immediately begin using the new authentication method. 

Help See KeyArmor Menu Help on page 7-8 for details. 

KeyArmor Menu Help 

The KeyArmor Help menu has several user-assistance options. 

If Found 

When a KeyArmor device is lost and then found by a person other than the device 

owner, the If Found option provides contact information that will assist the finder in 

returning the device to its rightful owner. This option can be accessed by anyone 

without entering the proper credentials. 

The If Found message is created as a policy in the PolicyServer. 

Procedure 

1. To create an If Found message, go to KeyArmor > Notice Messages. 

2. Right-click If Found and then select Properties.

The Edit Policy Value window appears. 

FIGURE 7-2. Editing If Found Policy 

3. Specify the If Found message in the Policy Value field. 



7-9


7-10 

Q/A Password Reset 

Self Help allows users to respond to one or more predefined questions. The Self Help 

questions are created as policies in the PolicyServer. 

To define the questions: 

Procedure 

1. Go to Common > Authentication > Local Login > Self Help. 

2. Right-click Number Of Questions and select Properties. 

3. In the Policy Value field, specify the number of questions that must be answered 

correctly. 


5. Right-click Personal Challenge and click Add. 

6. Open the Personal Challenge policy that displays and specify one question in the 

Policy Value field, and then click Apply. 

Note 

Any user assigned to the group where the questions are created will be prompted to 

provide a response to each question the first time the user logs in subsequent to the 

new policy setting. 

Remote Password Reset 

Remote Help is a process that allows a user who has forgotten their password to have it 

reset remotely. When using Remote Help, the user must be able to (1) contact his/her 

Help Desk and (2) have access to the Remote Password Reset option in the KeyArmor 

Help menu. 

Procedure 

1. The user selects Remote Password Reset from the Help menu.

2. The user contacts the PolicyServer Administrator. 

3. The user reads the Device ID to the support person. 


4. Support locates the Device ID in the PolicyServer MMC and right-clicks the 

device to display the menu options and then selects Soft Token. 

5. The user reads the Challenge to the Administrator. 

6. The Administrator enters the challenge in the Challenge field, clicks Get 

Response and reads the Response to the user. 

7. The user types the response in the Response field, and then clicks Login. 

The user is presented with a Change Password screen based on the current 

authentication method. 

8. The user must specify and confirm the new password. 

Support Information 

The Support Information screen generally provides the contact information for the 

company Help Desk. 

About KeyArmor 

The KeyArmor About screen is automatically populated and provides the following 

information: 

• Software version 

• User name 

• PolicyServer address 

• Enterprise 

• Device name 

• Last policy synchronization 

• FIPS version 

7-11


Protecting Files with KeyArmor 

7-12 

Safeguarding your files is easy with KeyArmor. All you do is copy or drag the selected 

file/document to the KeyArmor drive. Any files or folders saved to KeyArmor is 

automatically encrypted and is accessible only by a person who logs on the device with a 

valid user name and password. 

• All files and folders saved to KeyArmor are automatically encrypted. 

• Files remain encrypted as long as they are stored on KeyArmor. 

FIGURE 7-3. Copying Files to KeyArmor 

KeyArmor Activity Logging 

All KeyArmor activity is logged and transparently uploaded to PolicyServer over the 

network. The PolicyServer MMC provides access to standard reports and detailed log 

activity. Administrators can drill to a specific device, file and end-user activity. For 

details about KeyArmor policies, see KeyArmor Policies on page 3-32.

Safely Removing KeyArmor 


As with any USB storage device, safely remove a KeyArmor device before unplugging it 

from the USB port 

WARNING! 

Data and/or device corruption can occur if KeyArmor is improperly removed from a 

machine. 

Select one of the following options to safely remove an authenticated KeyArmor device. 

• Choosing Log out from either the KeyArmor interface (application window or 

right-click the tray) safely ejects the device. 

• Right-click the KeyArmor tray icon and select Log out. 

After logging off, KeyArmor will no longer be available from the Windows Safely 

Remove Hardware application and it is safe to remove the device from PC USB port. 

To safely eject an unauthenticated KeyArmor device, close the authentication dialog box 

before submitting credentials. 

KeyArmor Full Scan 

After authenticating, KeyArmor attempts to update antivirus definitions. KeyArmor 

presents warnings about antivirus update activity. Do not log off or remove a KeyArmor 

device from your host PC while the antivirus update is in progress. As files are saved or 

copied to KeyArmor, they are scanned for viruses. 

If a virus is found, PolicyServer policies control the resulting action including an attempt 

to repair or delete the file; or to wipe the KeyArmor device completely. The client also 

has the ability to initiate a full scan of their KeyArmor device. 

7-13


7-14 

TABLE 7-3. FileArmor Antivirus Activities 

ACTIVITY DESCRIPTION 

Antivirus Updates After antivirus definitions are loaded, KeyArmor updates 

definitions as defined by policy. 

File Scanning Activity Files are scanned for viruses as they are copied to 

KeyArmor. Files with viruses are not copied to the protected 

device. 

Full Device Scanning A full scan can be initiated from the KeyArmor Icon in the 

system tray by navigating to KeyArmor > Start Full Scan. 

Changing Default Antivirus Update Location 

Aside from the default update source, you can set another HTTP or FTP location where 

KeyArmor can download update for its antivirus components. 

Note 

Procedure 

• By default, KeyArmor policy is configured to obtain updates automatically from the 

following location: FTP://download.trendmicro.com/products/pattern/ 

• Administrators may opt to change this policy to have KeyArmor obtain antivirus 

updates from other remote host locations or from a local source using HTTP or FTP 

conventions detailed below. 

1. To set an HTTP source: 

a. From the Trend Micro FTP server, copy any .zip files that begin with the 

characters “LPT” and the “opr.ini” file to the HTTP host location you 

have selected. 

b. Direct your KeyArmor devices to download the antivirus definitions from 

your HTTP web folder by specifying the full URL for the updates in the 

KeyArmor > Antivirus > Update Source policy value. 

For example, host these files on your PolicyServer machine by placing them in 

the main web directory: c:\inetpub\wwwroot\mawebservice2\

2. To set an FTP source: 


a. Install the Microsoft IIS FTP Service or other FTP server software and 

configure an FTP folder for use by network clients. 

b. Copy any .zip files that begin with “lpt” and the opr.ini file from the 

Trend Micro download location to the configured FTP server directory (for 

example c:\inetpub\ftpsvc\) 

c. Direct your KeyArmor devices to download the antivirus definitions from 

your FTP folder by specifying the full URL in the KeyArmor > Antivirus > 

Update Source policy value. 

What to do next 

Trend Micro recommends testing this configuration change by synchronizing policies on 

a registered KeyArmor device and verifying whether: 

1. Antivirus updates complete successfully. 

2. Antivirus definitions are updated on the key. 

3. PolicyServer log entries are made showing the new policy defined URL. 

Reassigning a KeyArmor Device to Another User 

KeyArmor can be configured to allow all users in a group or a single user to access a 

device. To change this policy, set KeyArmor > Login > Allow Only One User Per 

Device. When set to Yes, only one user can access the device at a given time. 

Note 

Procedure 

This policy does not affect Administrator or Authenticator roles. 

1. Log on PolicyServer MMC and go to the group that the device is assigned. 

2. Remove the device by right-clicking the Device ID and selecting Remove Device. 

7-15


7-16 

Note 

• Do not remove the KeyArmor Device ID from your Enterprise - doing so will 

make the device unmanageable. 

• Security provisions are in place to prevent re-binding KeyArmor to an 

Enterprise once it has been tied to your Enterprise. 

• This same logic prevents re-adding KeyArmor to your enterprise should you 

inadvertently delete the Device ID from your PolicyServer. 

3. Insert the KeyArmor device into a PC and sync policies. 

4. Return to the MMC and add the device to the required group. 

5. Ensure the new user is a member of the required group. 

6. Assign the new user a fixed password. 

7. Distribute the device to the new user and provide him/her their user name and 

password. 

8. The device will now be tied to the new individual. 

WARNING! 

Any data that remained on the device from the previous user will be accessible to the 

new user. Administrators should follow their internal guidelines for reformatting or 

re-provisioning a device prior to assigning KeyArmor to a new user. 

Adding a Deleted KeyArmor Back to the Enterprise 

If a device is mistakenly deleted, it can be re-added to the enterprise in one of two ways: 

Procedure 

1. Automatically - when a user is logged into a device connected to PolicyServer, it 

will automatically be added back to the enterprise during the next device 

synchronization.


a. An Enterprise Administrator must still manually move the device into the 

correct group to ensure ongoing user access to the device. 

Note 

• Best practice recommends locking or erasing a device prior to deletion. 

• A device deleted from the enterprise will lock if policies require communication 

with PolicyServer. 

2. Manually - an Administrator may complete the following: 

Note 

Connectivity to the new Enterprise PolicyServer is required. 

a. Log on the device with a valid Enterprise Administrator ID and password. 

b. Right click the KeyArmor icon from the tray menu and select About 

KeyArmor. 

c. Click Edit next to the Enterprise name box. 

d. Verify the Enterprise name is correct. 

e. Select OK. 

f. Select Close. 

g. The Enterprise Administrator will now need to add the device back into a 

group to make the device available for users. 

7-17

Chapter 8 

Working with Logs and Reports 

Endpoint Encryption keeps comprehensive logs and generates reports about events and 

updates. Use these logs and reports to assess your organization's policies and to verify 

that component updates were successful. 


• Log Events on page 8-2 

• Reports on page 8-5 

8-1


Log Events 

8-2 

PolicyServer records log events using predefined criteria that are built into the system 

such as access attempts, system errors, modifications to users or groups, policy changes, 

and compliance issues. This powerful tool can be used to report all aspects of server and 

client security. Managing log events allows a Group or Enterprise Administrator to 

select specific search criteria and then display the information on the screen. 

Managing Log Events 

Only messages within the last 7 days are displayed automatically. Use the filter function 

to view older messages. It is useful to search the logs using the Message ID. For 

example, searching for the Message ID 400008 will display all “Device Encryption 

Complete” messages. See PolicyServer Message IDs on page A-1 for more details. 

Procedure 

1. There are two levels of log events: 

• For enterprise-level logs, expand Enterprise Log Events. 

• For group-level logs, go to Group Name > Log Events. 

The log window appears. All log events for the past 7 days are automatically 

displayed. 

2. Double-click any log to view details. 

3. Click Filter to search the log file: 

a. Provide the search criteria. 

b. Select the date range. 

c. Click Search. 

4. Click Refresh to update log data. 

5. Click Previous or Next to navigate through log data.

Alerts 


Administrators can customize alert criteria using predefined security levels to help 

categorize alerts. Send log events to individual or multiple email recipients by setting 

alerts at the enterprise or group. 

Note 

For details about message IDs, see PolicyServer Message IDs on page A-1. 

Setting PolicyServer Alerts 

Procedure 

1. From the PolicyServer MMC select Enterprise (or group) Log Events from the 

left hand navigation screen. 

2. Click Alerts. 

3. Right-click and select Add. 

The Edit Alert window appears. 

4. Provide an Alert Name. 

5. Select the severity of logs that trigger alerts. 

6. Select the message IDs trigger alerts. 

7. Provide an email address receive alerts, one per line. 

8. Choose whether to send alerts based on the number of events in a set time. 

9. Click Done. 

Enabling PolicyServer to relay SMS and Email Delivery 

This function only works for PolicyServers running on Windows Server 2008 or 

Windows Server 2008 R2. 

8-3


8-4 

Procedure 

1. Open Server Manager. 

2. Go to Features > Add Features. 

3. Mark SMTP Server. 

The Add role services and features required for SMTP Server window appears. 

4. Click Add Required Role Services. 

5. Click Next, Next, and then Install. 

The web Server IIS and SMTP Server installs 

6. Click Close. 

7. Go to Start > Administrative Tools > Internet Information Services (IIS) 6.0 

Manager. 

IIS 6.0 Manager opens 

8. Expand ServerName (local device). 

9. Right-click [SMTP Virtual Server #1] and click Properties. 

Note 

Mark Enable logging for future troubleshooting. 

10. Go to Access > Connection... and select Only the list below, and then click 

Add.... 

11. Specify 127.0.0.1 for IP address and click OK. 

Note 

12. Click OK. 

Repeat to specify all IP addresses on local server 

13. Go to Delivery > Advanced... and specify the Masquerade domain in the 

following format: psproxy...


14. Click OK twice to close the SMTP Virtual Server #1 Properties window. 

15. Go to Enterprise Policies > PolicyServer > PDA > Email. 

16. Open SMTP ServerName, specify 127.0.0.1, and then click Apply. 

Configuring Advanced Premise 

For best results, create a Sender Policy Framework (SPF) DNS entry. To create an SPF 

record in other DNS Servers (BIND), consult the vendor documentation. 

Procedure 

1. On a Windows DNS Server, open DNS Management Console. 

2. Right-click the forward lookup zone for domain, and select Other New Records. 

3. Scroll down and select TEXT (TXT). 

4. Leave Record Name blank, and specify: 

v=spf1 ip4: -all 

5. Click OK. 

Reports 

PolicyServer records system activities (changes made to policies, successful 

authentication attempts, devices locked due to too many unsuccessful logon attempts) 

and maintains those records as log events. Administrators can generate reports on an asneeded 

or scheduled basis. 

PolicyServer has a variety of built-in reports to verify device encryption status, user/ 

device activity, and PolicyServer integrity. 

8-5


8-6 

Note 

Only Enterprise Administrators can use reports. 

Report Options 

Different reports have different options. Right-click a report for options. 

TABLE 8-1. Options for reports 

REPORT OPTION OPTION DESCRIPTION 

Clear Removes all information displayed in the results window; it does 

not delete the information. 

Display Error View a description of the error causing the report to be invalid; 

available to Administrators only. 

Display Report View the report; available to Administrators only. 

Next Page Move to the next page of the search items. 

Previous Page Return to the previous page of the search items. 

Refresh Update the status of a submitted report. 

Remove Report Deletes the report. 

Schedule Report Set up a schedule for the report to be run on a specific day or 

time. 

Submit Report Generate the selected report. 

Report Icons 

TABLE 8-2. Report icons 

ICON DESCRIPTION 

Standard reports can be submitted on an as-needed basis to view statistics and 

other usage metrics.

ICON DESCRIPTION 

Report Types 


Alert reports are used to notify Administrators of potential security issues. 

Reports are designed to make information about logs easily understood. 

Running Standard Reports 

Standard reports can be submitted on an as-needed basis. Reporting functions are only 

available to Enterprise Administrators. 

Procedure 

1. Right-click the desired report and select Submit Report. 

2. Specify report parameters if required and then click Apply. 

3. To view the report, go to Enterprise Reports > Enterprise Submitted Reports. 

Standard Reports 

TABLE 8-3. List of Standard Reports 

REPORT NAME DESCRIPTION 

Device Encryption Status Reports the encryption status for all devices in 

the enterprise. 

Device Operating System Count Reports all device operating systems and the 

count for each. 

Device Version Count Reports all Full Disk Encryption versions and the 

count for each. 

8-7


8-8 

REPORT NAME DESCRIPTION 

Devices By Last Sync Date Reports all devices that synchronized with 

PolicyServer in the last x amount of days. 

Devices Not Communicating Reports the devices that have not 

communicated in the last x days. 

Devices with Last Logged in User Reports all devices and the last user to have 

authenticated to it. 

Enterprise Available License Reports the days left in the license, available 

devices and users, and count of used devices 

and users. 

Enterprise User Activity Reports total devices, total users, and the MMC 

user count along with device activity. 

Full Disk Encryption Device Not 

100% Encrypted 

Reports all devices in the last x days that started 

encrypting but did not finish. 

User Activity By Day Reports the user activity within x amount of days 

for the given user. 

Users Added Reports all users added within the last x days. 

Users Never Logged into a Device Reports all users that have never authenticated 

to any device. 

Running Alert Reports 

Reporting functions are only available to Enterprise Administrators. 

To view the report, go to Enterprise Reports > Enterprise Submitted Reports. 

Procedure 

1. Right-click the desired alert report and select Configure Alerts. 

The Alerts Configuration window appears. 

2. Provide the SMTP Server Address and the Sender that will process the outgoing 

email.


4. Right-click the desired report and select Submit Alert 

Alert Reports 

TABLE 8-4. List of Alert Reports 

ALERT NAME DESCRIPTION 

Consecutive Failed Logon Attempts 

on a Single Device 


An alert is sent when multiple, consecutive 

authentication attempts to an individual device 

have all failed. 

Log Integrity An alert is sent when there is an indication that the 

PolicyServer logs have been tampered with. 

Policy Tampering An alert is sent when PolicyServer detects that 

policies have been tampered with. 

Primary and Secondary Action 

Enforced 

Displaying Reports 

An alert is sent when the PolicyServer has had no 

connection, and the primary or secondary action 

has been enforced. 

Reporting functions are only available to Enterprise Administrators. 

Procedure 

1. Go to Enterprise Reports > Enterprise Submitted Reports 

2. Right-click desired report and select Display Report.... 

The report displays. 

Note 

To export the report, click the Save icon and select Excel or Acrobat (PDF) file. 

8-9


Scheduling Reports 

8-10 

These steps allow reports to be run at any specific date and time. 

Procedure 

1. Open Enterprise Reports. 

2. Right-click the desired report and select Schedule Report. 

The Report Parameters window displays. 

3. Specify report parameters and click Apply . 

The Report Scheduler displays. 

4. Specify the report interval, date and time, and then click Apply. 

To view scheduled reports: 

5. Go to Enterprise Reports > Enterprise Scheduled Reports. 

Displaying Report Errors 

Sometimes an error prevents a report from running correctly. Follow these steps to view 

the error. 

Procedure 

1. Go to Enterprise Reports > Enterprise Submitted Reports. 

2. Right-click the report with an error and select Display Error.... 

The report error message displays.

Getting Support 

Chapter 9 

Depending on the type of support needed, there are various places to get help. 


• Trend Community on page 9-2 

• Support Portal on page 9-2 

• Contacting Technical Support on page 9-3 

• TrendLabs on page 9-4 

9-1


Trend Community 

9-2 

Get help, share experiences, ask questions, and discuss security concerns with other 

fellow users, enthusiasts, and security experts. 

http://community.trendmicro.com/ 

Support Portal 

The Trend Micro Support Portal is a 24x7 online resource that contains thousands of 

helpful and easy to use technical support procedures for Trend Micro products and 

services. New solutions are added daily. 

Procedure 

1. Go to http://esupport.trendmicro.com. 

2. Select a product or service from the appropriate drop-down menu and specify any 

other related information, if prompted. 

The Technical Support product page displays. 

3. Specify any search criteria, for example an error message, and then click the search 

icon. 

A list of solutions displays. 

4. If the solution cannot be found, submit a case and a Trend Micro support engineer 

will investigate the issue. Response time is typically 24 hours or less. 

Submit a support case online at: 

http://esupport.trendmicro.com/srf/SRFMain.aspx

Contacting Technical Support 

Getting Support 

Technical support, pattern downloads, and product/service updates are available for one 

year with all product licenses. After one year, renew the license to continue receiving 

Trend Micro support. 

In the United States, reach Trend Micro representatives by phone, fax, or email: 

Address Trend Micro, Inc. 10101 North De Anza Blvd., Cupertino, CA 95014 

Phone Toll free: +1 (800) 228-5651 (sales) 

Voice: +1 (408) 257-1500 (main) 

Fax +1 (408) 257-2003 

Website http://www.trendmicro.com 

Email address support@trendmicro.com 

• Get a list of the worldwide support offices at: 

http://www.trendmicro.com/us/about-us/contact/index.html 

• Get the latest Trend Micro documentation at: 

http://docs.trendmicro.com 

Resolving Issues Faster 

To speed up problem resolution, have the following information available: 

• Steps to reproduce the problem 

• Appliance or network information 

• Computer brand, model, and any additional hardware connected to the endpoint 

• Amount of memory and free hard disk space 

• Operating system and service pack version 

• Endpoint client version 

• Serial number or activation code 

9-3


9-4 

• Detailed description of install environment 

• Exact text of any error message received 

TrendLabs 

TrendLabs is a global network of research, development, and action centers committed 

to 24/7 threat surveillance, attack prevention, and timely and seamless solutions 

delivery. Serving as the backbone of the Trend Micro service infrastructure, TrendLabs 

is staffed by a team of several hundred engineers and certified support personnel that 

provide a wide range of product and technical support services. 

TrendLabs monitors the worldwide threat landscape to deliver effective security 

measures designed to detect, preempt, and eliminate attacks. The daily culmination of 

these efforts are shared with customers through frequent virus pattern file updates and 

scan engine refinements. 

Learn more about TrendLabs at: 

http://cloudsecurity.trendmicro.com/us/technology-innovation/experts/ 

index.html#trendlabs

PolicyServer Message IDs 

Appendix A 

This appendix lists the different PolicyServer message IDs and their meaning. 

TABLE A-1. PolicyServer Message IDs 

CATEGORY MESSAGE ID DESCRIPTION PRODUCTS 

Administrator Alerts 100002 Identifying Device Full Disk Encryption, 

FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

Administrator Alerts 100003 Security Violation Full Disk Encryption, 

FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

Administrator Alerts 100007 Critical Severity Full Disk Encryption, 

FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

A-1


A-2 


Administrator Alerts 100019 Policy Change 

Unsuccessful 

Administrator Alerts 100045 Unsupported 

configuration 

Administrator Alerts 100046 Enterprise Pool 

created 


deleted 


modified 

Administrator Alerts 100049 Admin User locked 

due to too many 

failed logins. 

Administrator Alerts 100052 Policy Value 

Integrity Check 

Failed 

Full Disk Encryption, 

FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer



Administrator Alerts 100053 Policy request 

aborted due to 

failed policy integrity 

check. 

Administrator Alerts 100054 File request aborted 

due to failed policy 

integrity check. 

Administrator Alerts 100055 Admin 


Succeeded 

Administrator Alerts 100056 Admin 


Failed 

Administrator Alerts 100062 Admin Password 

Reset 

Administrator Alerts 100463 Unable to remove 

user. Try again. 

Administrator Alerts 100464 Unable to unable 

user. Try again. 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

A-3


A-4 


Administrator Alerts 100470 Unable to change 

Self Help password. 

A response to one 

of the personal 

challenge questions 

was incorrect. 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

Administrator Alerts 102000 Enterprise Added Full Disk Encryption, 

FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

Administrator Alerts 102001 Enterprise Deleted Full Disk Encryption, 

FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

Administrator Alerts 102002 Enterprise Modified Full Disk Encryption, 

FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

Administrator Alerts 102003 The number of 

users has exceeded 

the maximum 

allowed by this 

license. Reduce the 

number of existing 

users to restore this 

user account. 

Administrator Alerts 200000 Administrator 

updated policy 

Administrator Alerts 200001 Administrator added 

policy 


deleted policy 

PolicyServer 

PolicyServer 

PolicyServer 

PolicyServer




enabled application 


disabled application 


user 


deleted user 


updated user 


user to group 


removed user from 

group 

PolicyServer 

PolicyServer 

PolicyServer 

PolicyServer 

PolicyServer 

PolicyServer 

PolicyServer 

Administrator Alerts 200200 User added PolicyServer 

Administrator Alerts 200201 User deleted PolicyServer 

Administrator Alerts 200202 User added to 

group 

Administrator Alerts 200203 User removed from 

group 

PolicyServer 

PolicyServer 

Administrator Alerts 200204 User updated PolicyServer 


deleted device 


device to group 


removed device 

from group 

PolicyServer 

PolicyServer 

PolicyServer 

A-5


A-6 



group 


deleted group 


updated group 

Administrator Alerts 200503 Administrator copy/ 

pasted group 

Administrator Alerts 200600 PolicyServer update 

applied. 

Administrator Alerts 200602 User added to 

device 

Administrator Alerts 200603 User removed from 

device 

Administrator Alerts 200700 Event executed 

successfully 

Administrator Alerts 200701 Failed event 

execution 

Administrator Alerts 200800 Event installed 

successfully 

Administrator Alerts 200801 Failed to install 

event 


Logged In Using 

One Time Password 




PolicyServer 

PolicyServer 

PolicyServer 

PolicyServer 

PolicyServer 

PolicyServer 

PolicyServer 

PolicyServer 

PolicyServer 

PolicyServer 

PolicyServer 

FileArmor SP6 or 

Earlier 


Earlier




Logged In using 

Smart Card 



Remote 


Administrator Alerts 700030 Administrator Failed 

log In Using One 

Time Password 


log In Using Fixed 

Password 


log In using Smart 

Card 


log In Using Remote 



logged in using onetime 

password. 


logged in using 

fixed password. 



Smart Card. 



domain 



Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

A-7


A-8 




remote 




ColorCode 



logged in using PIN. 



OCSP. 


To Login Using One 

Time Password 


To Login Using 




Smart Card 

Administrator Alerts 900253 Administrator failed 

to login using 

domain 




Remote 




ColorCode 


KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor




to login using PIN. 



OCSP 





Renamed A File 


Changed A File 


Deleted A File 


Created A File 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

Audit Log Alerts 100015 Log Message Full Disk Encryption, 

FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

Audit Log Alerts 103000 Audit Log 

Connection Opened 

Audit Log Alerts 103001 Audit Log 

Connection Closed 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

A-9


A-10 


Audit Log Alerts 103100 Audit Log Record 

Missing 


Integrity Missing 


Integrity 

Compromised 


Integrity Validation 

Started 

Audit Log Alerts 104003 Authentication 

method set to 

SmartCard. 

Audit Log Alerts 904008 Unable To Send 

Log Alert 

Authenticator Alerts 700006 Authenticator 


One Time Password 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


Earlier








Smart Card 



Windows 

Credentials 



Remote 


Authenticator Alerts 700024 Authenticator Failed 

log In Using One 

Time Password 


log In Using Fixed 

Password 


log In using Smart 

Card 


log In using 

Windows 

Credentials 





logged in using onetime 

password. 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 

KeyArmor 

A-11


A-12 







Smart Card. 



domain 




remote 




ColorCode 



logged in using PIN. 



OCSP. 

Authenticator Alerts 900161 User Failed To 

Login Using Self 

Help 


To Login Using One 

Time Password 




KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor





Smart Card 

Authenticator Alerts 900203 Authencticator failed 


domain 




Remote 


Authenticator Alerts 900205 Authenticator failed 


ColorCode 


Authenticator Alerts 900206 Authenticator failed 

to login using PIN. 



OCSP 


Renamed A File 


Changed A File 


Deleted A File 


Created A File 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

Certificate Alerts 104008 Certificate expired. Full Disk Encryption, 

FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

A-13


A-14 


Device Alerts 100001 PDA to Desktop 

Sync Authentication 

was unsuccessful. 

There was no 

device ID for this 

PDA found. 

Device Alerts 100012 Device is not in its 

own Password 

Authentication File. 

PAF corrupted? 

Device Alerts 100044 Lock Device Action 

Received 

Device Alerts 100071 Device Kill 

Confirmed 

Device Alerts 100072 Device Lock 

Confirmed 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

KeyArmor 

KeyArmor 

Device Alerts 100100 Install Started Full Disk Encryption, 

FileArmor, 

DriveArmor, 

KeyArmor 

Device Alerts 100101 Install Completed Full Disk Encryption, 

FileArmor, 

DriveArmor, 

KeyArmor 

Device Alerts 100462 Unable to connect 

to PolicyServer. 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer



Device Alerts 101001 The network 

connection is not 

working. Unable to 

get policy files from 

PolicyServer. 

Device Alerts 101002 Corrupted PAF 

(DAFolder.xml) file 

Device Alerts 105000 Unable to 

synchronize policies 

with client. Verify 

that there is a 

network connection 

and try again. 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

Device Alerts 200400 Device added PolicyServer 

Device Alerts 200401 Device deleted PolicyServer 

Device Alerts 200402 Device added to 

group 

Device Alerts 200403 Device removed 

from group 

PolicyServer 

PolicyServer 

Device Alerts 200404 Device modified PolicyServer 

Device Alerts 200405 Device status 

updated 

PolicyServer 

Device Alerts 200406 Device status reset PolicyServer 

Device Alerts 200407 Device Kill Issued Full Disk Encryption, 

FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

A-15


A-16 


Device Alerts 200408 Device Lock Issued Full Disk Encryption, 

FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

Device Alerts 200409 Device 

Synchronized 

Device Alerts 904012 User Not Allowed 

To Register New 

Device 

PolicyServer 

PolicyServer 

Device Alerts 1000052 Uninstall of product Full Disk Encryption, 

FileArmor, 

DriveArmor, 

KeyArmor 

Device Alerts 1000053 Product Uninstall 

Denied By Policy 


FileArmor, 

DriveArmor, 

KeyArmor 

Error Alerts 100005 General Error Full Disk Encryption, 

FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

Error Alerts 100006 Application Error Full Disk Encryption, 

FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

FileArmor Activity Alerts 700000 User Logged In 

Using One Time 

Password 


Using Fixed 

Password 


Earlier 


Earlier




using Smart Card 


using Windows 

Credentials 


Using Remote 


FileArmor Activity Alerts 700015 Administrator 


Windows 

Credentials 

FileArmor Activity Alerts 700018 User Failed log In 

Using One Time 

Password 


Using Fixed 

Password 


using Smart Card 


using Windows 

Credentials 

FileArmor Activity Alerts 700023 User Could not log 

In Using Remote 


FileArmor Activity Alerts 700033 Administrator Failed 

log In using 

Windows 

Credentials 

FileArmor Activity Alerts 700036 Failed Login 

Attempts Exceeded 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 

A-17


A-18 


FileArmor Activity Alerts 701000 Encrypted File 

Using User Key 


Using Group Key 


Using Static 

Password 

FileArmor Activity Alerts 701003 Self-extracting 

encypted file 

created using a 

static password. 


Using Cert 


encrypted file 

created using 

certificate. 


Using CD/DVD 

Burning 

FileArmor Activity Alerts 701007 Encrypted Directory 

Using Group Key 


Using Static 

Password 


encypted directory 

created using a 

static password. 


Using Cert 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier




encrypted directory 

created using 

certificate. 


Using CD/DVD 

Burning 

FileArmor Activity Alerts 701015 Removable Media 

was fully encrypted 


Blocked 


Created and 

Covered Folders 

FileArmor Activity Alerts 701018 File encrypted and 

moved to removable 

media. 

FileArmor Activity Alerts 701019 File deleted from 

removable media. 

FileArmor Activity Alerts 703000 File Armor 

Encrypted Folder 

Was Created 

FileArmor Activity Alerts 703001 Folder Was Created 

and Covered 

FileArmor Activity Alerts 703002 File Armor 

Encrypted Folder 

Was Deleted 


Folder was Created 

and Covered 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 

A-19


A-20 



Device Was Fully 

Encrypted 

FileArmor Activity Alerts 703006 File In Folder Was 

Created 

FileArmor Activity Alerts 703007 File in Folder Was 

Deleted 


Changed 


Accessed 


Last Written 

FileArmor Activity Alerts 703011 File Size Changed 

in Folder 

FileArmor Activity Alerts 703015 Folder Encryption 

Started 

FileArmor Activity Alerts 703016 Folder Decryption 

Started 

FileArmor Activity Alerts 703017 Folder Encryption 

Complete 

FileArmor Activity Alerts 703018 Folder Decryption 

Complete 

FileArmor Activity Alerts 703019 Folder Decryption In 

progress 

FileArmor Activity Alerts 703020 Folder Encryption In 

progress 

FileArmor Activity Alerts 704000 FileArmor Service 

Started 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier 


Earlier



FileArmor Activity Alerts 704001 FileArmor Service 

Shutdown 


Activity Alerts 























300700 Device log 

maximum size limit 

reached, event log 

truncated. 

400001 User has 

successfully logged 

in. 


Earlier 


or MobileSentinel 



400002 User login failed. Full Disk Encryption 


400003 Device decryption 

started. 

400004 Device Encryption 

Started. 

400005 Mounted encrypted 

partition. 

400006 Restored native OS 

MBR. 

400007 Restored 

Application MBR. 

400008 Device encryption 

complete 

400009 Device Decryption 

Completed 

400010 Device Encryption 

In Progress 

400011 System MBR 

Corrupt 



















A-21


A-22 




























400012 System Pre-boot 

Kernel Deleted 

401000 Recovery Console 

accessed 

401009 Recovery Console 

error 

401010 Decryption in place 

started 


stopped 


complete 

401013 Decryption of 

removable device 

started 

401014 Decryption to 


stopped 



complete 


error 



error 

401020 Encrypted files 

accessed 


modified 


























or MobileSentinel






























copied to removable 

device 


access error 

401030 Network 

administration 

accessed 

401031 PolicyServer 

address changed 

401032 PolicyServer port 

number changed 











401033 Switched to IPv6 Full Disk Encryption 


401034 Switched to IPv4 Full Disk Encryption 


401035 Switched to 

dynamic IP 

configuration 

401036 Switched to static IP 

configuration 

401037 DHCP port number 

changed 







401038 IP address changed Full Disk Encryption 


401039 NetMask changed Full Disk Encryption 


401040 Broadcast address 

changed 



A-23


A-24 
































401041 Gateway changed Full Disk Encryption 


401042 Domain name 

changed 

401043 Domain name 

servers changed 

401049 Network 

administration error 

401050 User administration 

accessed 









401051 User added Full Disk Encryption 


401052 User removed Full Disk Encryption 


401053 User modified Full Disk Encryption 


401069 User administration 

error 

401070 Locally stored logs 

accessed 

401079 Locally stored logs 

access error 

401080 Original MBR 

restored 

401089 Original MBR 

restoration error 

401090 Default theme 

restored 

401099 Default theme 

restoration error 














or MobileSentinel











402000 Application Startup Full Disk Encryption 


402001 Application 

Shutdown 

600001 Update was 

successful in the 

Pre-boot. 

600002 Pre-boot Update 

failed 





Installation Alerts 100004 Install Error Full Disk Encryption, 

FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

Installation Alerts 100020 Successful 

Installation 

Installation Alerts 700037 Installation of 

FileArmor was 

successful 


FileArmor was 

unsuccessful: 

Enterprise name is 

not valid. 


FileArmor was 

unsuccessful: 

Username or 

password is 

incorrect. 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


Earlier 


Earlier 


Earlier 

A-25


A-26 


KeyArmor Activity 

Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 

100034 Invalid Registry 

Setting Detected 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

500000 VirusDefense KeyArmor 

500001 Object Cleaned KeyArmor 

500002 Object Disinfected KeyArmor 

500003 Object Quarantined KeyArmor 

500004 Object Deleted KeyArmor 

500005 Virus Detected KeyArmor 

500006 Full Scan Started KeyArmor 

500007 Full Scan 

Completed 

KeyArmor 

500008 Object Suspicious KeyArmor 

500009 Object Scan 

Completed 

500010 Removable Media 

Scan Requested 


Scan Completed 

KeyArmor 

KeyArmor 

KeyArmor




Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 

500012 Folder Scan 

Requested 


Completed 

500014 Access Denied To 

Object 

KeyArmor 

KeyArmor 

KeyArmor 

500015 Object Corrupt KeyArmor 

500016 Object Clean KeyArmor 

500017 Full Scan Cancelled KeyArmor 


Cancelled 


Scan Cancelled 


Cancelled 

KeyArmor 

KeyArmor 

KeyArmor 

500021 Update Started KeyArmor 

500022 The update was 

unsuccessful. Try 

again. 

KeyArmor 

500023 Update Cancelled KeyArmor 

500024 Update Successful. KeyArmor 

500025 VirusDefense Up To 

Date 

KeyArmor 

A-27


A-28 



Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 

500026 PalmVirusDefense KeyArmor 


Requested 

KeyArmor 

500028 PPCVirusDefense KeyArmor 

900000 User logged in 

using one-time 

password. 


using fixed 

password. 


using Smart Card. 


using domain 



using remote 



using ColorCode 



using PIN. 


using OCSP 


using Self Help. 


using RSA 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor




Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 

900150 User Failed To 

Login Using One 

Time Password 


Login Using Fixed 

Password 


Login Using Smart 

Card 

900153 User failed to login 

using domain 



Login Using Remote 



using ColorCode 



using PIN. 


Login Using OCSP 

900158 User locked out 

after too many failed 

login attempts. 

900301 Failed Login 

Attempts Exceeded 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

900350 Key Wiped KeyArmor 

903000 User Renamed A 

File 

KeyArmor 

A-29


A-30 



Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 


Alerts 

903001 User Changed A 

File 

KeyArmor 

903002 User Deleted A File KeyArmor 

903003 User Created A File KeyArmor 

903100 Primary action 

enforced due to no 

PolicyServer 

connection. 

903101 Secondary action 

enforced due to no 

PolicyServer 

connection. 

903102 Policy updates 

applied 

904000 Repaired infected 

file 

904001 Unable to repair 

infected file. 

904002 Skipping infected 

file, repair 

unsupported 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

904003 Deleted infected file KeyArmor 

904004 Unable to delete 

infected file. 

904005 Killing device due to 

infected file 

904006 Error killing device 

due to infected file 

KeyArmor 

KeyArmor 

KeyArmor




Alerts 


Alerts 


Alerts 

904007 Invoking infected file 

fall-back action 

904010 AntiVirus files 

updated 

904011 Unable to update 

antivirus files. 

Login / Logout Alerts 100013 Failed Login 

Attempt 

KeyArmor 

KeyArmor 

KeyArmor 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

Login / Logout Alerts 100014 Successful Login Full Disk Encryption, 

FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

Login / Logout Alerts 100016 Unable to log in. 

Use Remote 

Authentication to 

provide the 

PolicyServer 

Administrator with a 

challenge code. 

Login / Logout Alerts 100021 Unsuccessful 

ColorCode Login 

Login / Logout Alerts 100022 Unsuccessful Fixed 

Password Login 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

A-31


A-32 


Login / Logout Alerts 100023 Unsuccessful PIN 

Login 

Login / Logout Alerts 100024 Unsuccessful X99 

Login 

Login / Logout Alerts 100028 Successful 

ColorCode Login 

Login / Logout Alerts 100031 Successful X9.9 

Login 

Login / Logout Alerts 100032 Successful Remote 

Login 

Login / Logout Alerts 100035 Successful 

WebToken Login 

Login / Logout Alerts 100036 Unsuccessful 

WebToken Login 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer



Login / Logout Alerts 100050 Fixed Password 

login blocked due to 

lockout. 

Login / Logout Alerts 100051 User Login 

Successfully 

Unlocked 

Login / Logout Alerts 100057 LDAP User 


Succeeded 



Failed 


Password Change 

Succeeded 


Password Change 

Failed 

Login / Logout Alerts 100061 Access request 

aborted due to 

failed policy integrity 

check. 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

A-33


A-34 


Login / Logout Alerts 100070 Successful Logout Full Disk Encryption, 

FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

Login / Logout Alerts 100433 The ColorCodes do 

not match. 

Login / Logout Alerts 100434 Unable to change 

ColorCode. The 

new ColorCode 

must be different 

than the current 

one. 



new ColorCode 

must meet the 

minimum length 

requirements 

defined by 

PolicyServer. 



new ColorCode 


than any previous 

ColorCode used. 

Login / Logout Alerts 100437 ColorCode Change 

Failure - Internal 

Error 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer



Login / Logout Alerts 100459 X9.9 Password 

Change Failure - 

Can Not Connect 

toPolicyServer Host 



Empty Serial 

Number 



Internal Error 

Login / Logout Alerts 101004 Unable to reset 

locked device. 

Login / Logout Alerts 104000 Smart Card login 

successful. 

Login / Logout Alerts 104001 Smart Card login 

unsuccessful. 

Check that the card 

is seated properly 

and that the Smart 

Card PIN is valid. 

Mobile Device Alert 100037 Palm Policy 

Database is missing 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

A-35


A-36 


Mobile Device Alert 100038 Palm Encryption 

Error 

Mobile Device Alert 100039 PPC Device 

Encryption Changed 

Mobile Device Alert 100040 PPC Encryption 

Error 

MobileFirewall Activity 

Alerts 

MobileFirewall Activity 

Alerts 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

300000 MobileFirewall MobileFirewall 

300001 DenialOfServiceAtta 

ck 

OCSP Alerts 104005 OCSP certificate 

status good. 


status revoked. 


status unknown. 

MobileFirewall 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer



OTA Alerts 100041 OTA Object Missing 

or Corrupt. 

OTA Alerts 100042 OTA Sync 

Successful 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

OTA Alerts 100043 OTA Device Killed Full Disk Encryption, 

FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

Password Alerts 100017 Change Password 

Error 

Password Alerts 100018 Password Attempts 

Exceeded 

Password Alerts 100025 Password Reset to 

ColorCode 


Fixed 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

A-37


A-38 



PIN 

Password Alerts 100029 Successful Fixed 


Password Alerts 100030 Successful PIN 


Password Alerts 100033 Unable to Reset 

Password 

Password Alerts 100432 Unable to change 

password. The new 

password must be 

different than the 

current password. 


password. The 

passwords do not 

match. 


password. The 

password field 

cannot be empty. 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer




password. The 

password does not 

meet the minimum 

length requirements 

defined by 

PolicyServer. 


password. Numbers 

are not permitted. 


password. Letters 

are not permitted. 


password. Special 

characters are not 

permitted. 


password. The 

password cannot 

contain the user 

name. 


password. The 


contain enough 

special characters. 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

A-39


A-40 



password. The 



numbers. 


password. The 



characters. 


password. The 

password contains 

too many 

consecutive 

characters. 


password. The new 

password must be 

different than any 

previous password 

used. 

Password Alerts 100452 Password Change 

Failure - Internal 

Error 

Password Alerts 101003 Successfully 

changed Fixed 

Password. 

Password Alerts 700100 Password reset to 

Fixed Password. 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


Earlier




Smart Card 


Domain 

Authentication. 


password. 

Password Alerts 900160 Password changed 

successfully. 



Password Alerts 900303 Password reset To 

Smart Card 


domain 


PIN Change Alerts 100438 Unable to change 

PIN. The PINs do 

not match. 


PIN. One of the 

fields are empty. 


PIN. The PINs do 

not match. 


Earlier 


Earlier 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 

KeyArmor 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

A-41


A-42 


PIN Change Alerts 100454 able to change PIN. 

The new PIN cannot 

be the same as the 

old PIN. 


PIN. The new PIN 

does not meet the 

minimum length 

requirements 

defined by 

PolicyServer. 


PIN. The PIN 

cannot contain the 

user name. 


PIN. The new PIN 


than any previous 

PIN used. 

PIN Change Alerts 100458 PIN Change Failure 

- Internal Error 

Smart Card Alerts 104002 Registered 

SmartCard. 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer



Smart Card Alerts 104004 Unable to register 

Smart Card. Check 

that the card is 

seated properly and 

that the Smart Card 

PIN is valid. 


FileArmor, 

DriveArmor, 

KeyArmor, or 

PolicyServer 

Windows Mobile Alerts 800000 OTA Install started Full Disk Encryption 

for Windows Mobile 

Windows Mobile Alerts 800001 OTA Install 

completed 

Windows Mobile Alerts 800100 OTA SMS message 

sent 

Windows Mobile Alerts 800200 OTA Directory 

Listing Received 

Windows Mobile Alerts 800300 OTA Device 

Attributes Received 









Windows Mobile Alerts 800400 OTA Device Backup Full Disk Encryption 


Windows Mobile Alerts 800500 OTA Device 

Restore 



A-43

Index 

A 

about 

account types, 1-12 

client-server architecture, 1-2 

Endpoint Encryption, 1-2 

FileArmor, 6-1 

KeyArmor, 7-1 

PolicyServer, 2-1, 2-2 

users and groups, 2-4 

Accessibility 

on-screen keyboard, 5-4 

accounts 

types, 1-12 

Active Directory, 1-15, 1-19, 4-22 

resetting password, 4-25 

alerts, 8-3 

authentication, 1-8 

about, 1-12 

access control, 1-13 

account types, 1-12 

application comparision, 1-13 

change method, 5-4, 5-6 

changing password, 6-6 

ColorCode, 1-14, 1-16, 5-5, 6-5 

create ColorCode, 5-6 

domain, 1-15 

domain authentication, 1-14 


first-time, 6-2 

fixed password, 1-14, 1-16, 7-3 

Full Disk Encryption Preboot, 5-2 

KeyArmor, 7-2 

first time, 7-2 

LDAP, 1-15 

methods, 1-14 

options, 1-13 

PIN, 1-14, 1-16, 6-5 

prerequisites, 1-15 

remote help, 1-14, 5-9 

Remote Help, 1-18, 5-8 

security options, 1-14 

self help 

using, 5-13 

Self Help, 1-14, 1-18, 4-26, 5-11 

answers, 5-13 

setup requirements, 1-15 

single sign-on, 6-2 

smart card, 1-17, 5-9, 6-4 

B 

burning discs, 6-14 

C 

central administration, 1-8 

central management, 1-11 

changing passwords, 5-5 

changing PolicyServers, 5-23 

client-server architecture, 1-2 

ColorCode, 1-16, 5-5 

Command Line Helper, 5-2 

Command Line Helper Installer, 5-2 

community, 9-2 

cryptography, 1-2 

csv, 4-12 

D 

DAAutoLogin, 5-2 

database requirements, 1-5 

data protection, 1-2 

IN-1


data recovery, 5-27 

Decrypt Disk, 5-17 

decryption 

Recovery Console, 5-17 

demilitarized zone, 5-14 

device management, 1-8 

devices, 4-1, 4-30 

add to group, 4-30 

directory listing, 4-35 

kill command, 4-35 

locking, 4-36 

reboot, 4-36 

remove from group, 4-32 

view attributes, 4-34 

view directory, 4-34 

domain authentication, 1-15 


E 

encryption, 1-9, 3-24 

archiving, 6-14 

digital certificate, 6-13 

features, 1-8 

file and folder, 1-9 

FileArmor 

archive and burn, 6-10 

file encryption, 6-1 

FIPS, 1-10, 7-11 

fixed password key, 6-12 

full disk, 1-9 

hardware-based, 1-9 

KeyArmor, 7-5 

keys 

shared, 6-12 

local key, 6-11 

self-extracting, 6-12 

software-based, 1-9 

IN-2 

Endpoint Encryption 

about, 1-2 

tools, 5-2 

error messages 


F 



archive, 6-10 

archive and burn, 6-10, 6-14 


domain, 6-3 

options, 1-13 

PIN, 6-5 

burn archive with certificate, 6-15 

burn archive with fixed password, 6-14 

change PolicyServer, 6-10 


changing PolicyServer, 6-10 

ColorCode, 6-5 

digital certificate, 6-13 

creating, 6-14 

encryption, 6-10 


first-time use, 6-2 

fixed password key 


local key, 6-11 

PolicyServer sync, 6-8 

Remote Help, 6-6, 6-8 

reset password, 6-6, 6-8 

secure delete, 6-15 

shared key, 6-12 


single sign-on, 6-2 

smart cards, 6-4

supported operating systems, 1-7 

syncing with PolicyServer, 6-9 

sync offile files, 6-9 

system requirements, 1-7 

system tray icon, 6-8 

time delay, 6-8 

tray icon 

about, 6-8 

unlock device, 6-6 

FIPS, 1-2 

about, 1-10 

FIPS 140-2, 1-2, 1-10 

KeyArmor, 7-11 

security levels, 1-10 

FIPS 140-2, 1-2 

fixed password, 1-16 

Full Disk Encryption, 5-1 

3.1.3 enhancements, 1-20 


authentication, 1-18, 5-11 


options, 1-13 

change enterprise, 5-23 

change PolicyServer, 5-23 

clean up files, 5-29 

connectivity, 5-13 


manage policies, 5-22 

manage users, 5-20 

menu options, 5-3 

network configuration, 5-23 

network setup, 5-22 

PolicyServer settings, 5-13 

port settings, 5-13 


Windows, 5-17 

recovery methods, 5-24 

remote help, 5-9 

remove device, 4-33 

Self Help, 5-12 

smart cards, 1-17, 5-9 

supported operating systems, 1-6 

synchronize policies, 5-14 


TCP/IP access, 5-13 

tools, 5-2 

uninstall, 5-24 

unmanaged install 

users, 5-20 

Full Disk Encryption Preboot, 5-2 


keyboard layout, 5-4 

menu options, 5-3 

network connectivity, 5-4 


G 

groups, 4-1 

creating offline groups, 4-6 

install to group, 4-20 

modifying, 4-5 

offline groups, 4-5 

remove device, 4-32, 4-33 

removing, 4-5 

subgroups, 4-2 

types, 4-2 

H 

hardware based encryption, 1-6 

help desk policies, 4-29 

I 

importing users, 4-12 

Index 

IN-3


K 

KeyArmor, 7-1 

about, 7-7 


activity logging, 7-12 

antivirus, 7-13 

change update location, 7-14 

antivirus updates, 7-5 


first time, 7-2 

fixed password, 7-3 

methods, 7-3 

options, 1-13 

cached files, 7-6 

change password, 7-7 

check disk, 7-6 

deleted device, 7-16 

device components, 7-4 


FIPS, 7-11 

full scan, 7-13 

help 

if found, 7-8 

Remote Password Reset, 7-10 


Support Info, 7-11 

key management, 1-10 

log off, 7-7 

menu, 7-7 

menu help, 7-8 

no information left behind, 7-5 

PolicyServer, 7-12 

policy updates, 7-7 

protecting files, 7-12 

reassign, 7-15 

safe removal, 7-6, 7-13 

IN-4 

secure data, 7-7 

SECURE DRIVE, 7-4 


taskbar, 7-7 

temporary, 7-6 

unencrypted devices, 7-6 

using, 7-6 

warning, 7-6 

key features, 1-8 


L 

LDAP, 1-15 

LDAP Proxy, 1-19, 4-10 

log events, 8-2 

logs, 5-22, 8-1 

alerts, 8-3 

managing events, 8-2 

setting alerts, 8-3 

M 

managing groups, 2-4 

managing users, 2-4 

MBR 

replacing, 5-19 

Mount Partitions, 5-19 

N 

Network Setup, 5-22 

O 

online 

community, 9-2 


OPAL, 1-6 

P 

password


passwords, 1-11, 4-22 

Remote Help, 4-27 

resetting, 4-24 

resetting Active Directory password, 

4-25 

resetting Admin/Authenticator, 4-23 

resetting enterprise authenticator 

password, 4-23 

resetting group Admin/Authenticator, 

4-24 

resetting to fixed password, 4-25 

resetting user password, 4-24 

Personal Identification Number (PIN), 1-16 

policies, 1-11 

allow user recovery, 5-16 

common, 3-40 

agent, 3-40 


DriveArmor, 3-36 


communications, 3-38 

device, 3-39 

FileArmor 

computer, 3-23 


password, 3-27 


common, 3-17 

PC, 3-19 

PPC, 3-22 


antivirus, 3-32 

login, 3-33 

notice message, 3-34 

PolicyServer connection, 3-35 

security, 3-32 

MobileSentinel, 3-28 

common, 3-28 

PPC, 3-29 


admin console, 3-12 

Administrator, 3-12 

Authenticator, 3-13, 3-14 

log alerts, 3-14 

PDA, 3-15 

service pack download, 3-16 

welcome message, 3-16 


synchronization, 1-9 

synchronizing clients, 5-14 

policy control, 1-9, 6-1 

PolicyServer 

3.1.3 enhancements, 1-20 


add enterprise user, 2-9, 4-10 

add top group, 2-5, 4-2 

advanced premise, 8-5 


options, 1-13 

changing, 5-23 

client web service, 1-2 

devices, 4-30 

enabling applications, 2-17 

enhancements, 1-19 

fields and buttons, 2-14 

first time use, 2-2 

getting started, 2-1 

groups, 2-4 

adding users, 2-7, 4-16 

interface, 2-3 

introduction, 2-2 

Index 

IN-5


IN-6 

license file, 2-2 

log events, 8-2 

logs, 8-1 

MMC hierarchy, 2-4 

MMC window, 3-2 

modifying policies, 2-15 

offline groups, 4-5 

creating, 4-6 

updating, 4-9 

policies, 2-13, 3-1, 3-2 

Common, 3-40 

DriveArmor, 3-36 

editing, 3-3 

multiple choice, 3-7 

multiple option, 3-10 

policies with ranges, 3-4 

text string, 3-9 

True/False, Yes/No, 3-5 




MobileSentinel, 3-28 

PolicyServer policies, 3-12 


relay SMS/email delivery, 8-3 

Remote Help, 4-27 

reports, 8-1, 8-5 

requirements 

SQL, 1-5 

setting log alerts, 8-3 

software requirements, 1-5 

SQL requirements, 1-5 

subgroups, 4-4 


system requirements 

hardware, 1-5 

users, 2-4, 4-10 

add enterprise user, 2-7, 4-16 

add to group, 2-7, 2-11, 4-16, 4-17 


web service, 1-2 

PolicyServer MMC, 1-2 

product components, 1-2 

product definitions, xii, xiii 

R 

recovery 

clean up files, 5-29 

recovery console 

log on, 5-17 


access, 5-16 

Windows, 5-17 

changing enterprise or server, 5-23 


functions, 5-15 

log on, 5-16 

manage policies, 5-22 

manage users, 5-20 

Mount Partitions, 5-19 

network configuration, 5-23 

Network Setup, 5-22 


repair cd, 5-28 

Restore Boot, 5-19 

users 

add, 5-21 

delete, 5-21 

edit, 5-20 

view logs, 5-22 


Remote Help, 1-18, 4-22, 4-27, 4-36, 5-8 

Repair CD, 5-2, 5-24, 5-25

data recovery, 5-27 

decryption, 5-28 

reporting, 1-2, 1-8 

reports, 8-1, 8-5 

alert, 8-8, 8-9 

display errors, 8-10 

displaying reports, 8-9 

icons, 8-6, 8-7 

options, 8-6 

schedue reports, 8-10 

standard, 8-7, 8-8 

types of, 8-7 

Restore Boot, 5-19 

S 

Seagate DriveTrust drives, 1-6 

security 

account lock, 1-18, 5-8 

account lockout action, 1-18, 5-8 

account lockout period, 1-18, 5-8 

anti-malware/antivirus protection, 1-2 

device lock, 1-18, 5-8 

erase device, 1-14 

failed login attempts allowed, 1-18, 5-8 

remote authentication required, 1-14 

time delay, 1-14 

Self Help, 1-18, 4-22, 5-11 

answers, 5-13 

defining answers, 5-12 

password support, 4-26 

smart card, 1-17, 5-9 

software, 1-5 

support 

knowledge base, 9-2 

resolve issues faster, 9-3 

TrendLabs, 9-4 

supported languages, 1-19 

synchronization 


synchronizing policies, 5-14 

system architecture, 1-2 

system requirements 



KeyArmor, 1-7 


system tray icon, 6-8 

T 

terminology, xii, xiii 

tokens, 5-11 

tools 

Repair CD, 5-25 

top group, 2-5, 4-2 

TrendLabs, 9-4 

Index 

U 

understanding 

Endpoint Encryption, 1-1 


FIPS, 1-10 

full disk encryption, 1-9 


users, 4-1, 4-10 

Active Directory passwords, 4-25 

adding, 4-10 

adding existing user to group, 2-11, 4-17 

adding new user to group, 2-7, 4-16 

add new enterprise user, 2-9, 4-10 

change default group, 4-19 

external directory browser, 4-12 

finding, 4-13 

group membership, 4-15 

group vs enterprise changes, 4-14 

IN-7


importing AD users, 4-12 

importing with CSV, 4-12 

install to group, 4-20 

modifying, 4-14 

passwords, 4-22 

remove from group, 4-21 


V 

VMware Virtual Infrastructure, 1-5 

W 

Windows 8, 1-6 

Windows Server 2008 considerations, 1-5 

IN-8

Full Disk Encryption Policies - Online Help Home - Trend Micro

Create successful ePaper yourself

Delete template?

Save as template?