Dell Data Protection | Encryption Enterprise Edition Administrator Guide DDP|E Encryption Client, SED, Advanced Authentication, BitLocker Manager, and Cloud Edition
© 2014 Dell Inc. Registered trademarks and trademarks used in the DDP|E, DDP|ST, and DDP|CE suite of documents: Dell™ and the Dell logo, Dell Precision™, OptiPlex™, ControlVault™, Latitude™, XPS®, and KACE™ are trademarks of Dell Inc. Intel®, Pentium®, Intel Core Inside Duo®, Itanium®, and Xeon® are registered trademarks of Intel Corporation in the U.S. and other countries. Adobe®, Acrobat®, and Flash® are registered trademarks of Adobe Systems Incorporated.
Contents
Introduction
Requirements
Encryption Client
SED Client
Advanced Authentication Client
Extract the Child Installers from the Master Installer
Commonly Used Scenarios
DDP|E Client and Advanced Authentication
SED Client (including Advanced Authentication) and External Media Edition
SED Client (including Advanced Authentication), External Media Edition, and Cloud Edition
Section II. Drivers
Drivers Installation Tasks
Install Drivers
Command Line Installation
Section III. DDP|E Encryption Client
Troubleshooting HCA Recovery
Check the Recovery Log File
When Escrow Cannot Be Completed during the WinPE Recovery (HCA)
Reset TPM Security (HCA)
Recover User Access to a Computer Equipped with HCA
Self-Recovery
Uninstall SED Client
Command Line Uninstallation
SED and OS Recovery
Self-Recovery, OS Logon
Self-Recovery, PBA
Logging on to Trained Logon Screens
Filling in with Windows Credentials
Use Old Password
Password Change
Password Manager Page
Settings Page
Section VI.
Use Dropbox for Business
Run Reports
Provide Temporary Folder Management Rights
Pre-existing Folders with Unencrypted Files
Access a Cloud Storage Provider
Dropbox for Business
Connect Cloud Edition and Dropbox
Use Dropbox for Business Context Menu
Introduction
This guide details how to install and configure the DDP|E encryption client, SED management client, Advanced Authentication (and its drivers), BitLocker Manager, and Cloud Edition. You can install all the clients together using the master installer user interface or individually by extracting the child installers out of the master installer and then installing them by command line (or user interface). The clients can be installed using any push technology available to your organization.
3 Deploy the appropriate client (or clients) to end users.
4 Learn how to monitor your Enterprise and issue commands. From the AdminHelp Table of Contents, go to Navigate the Enterprise Server > Monitor > Dashboard > Dashboard Tab > Protection Status > Endpoint Protection Status - Endpoints By Platform, Protected, Not Protected, and Total.
Be sure to periodically check www.dell.com/support for updated documentation.
Requirements
Encryption Client
• The user account performing the installation must be a local or domain Admin user, which can be temporarily assigned by a deployment tool such as Microsoft SMS or KACE. A non-Admin user that has elevated privileges is not supported.
• To successfully install DDP|E, the computer must have network connectivity.
Hardware Requirements
The following table details supported hardware.
Windows Hardware
• Intel Pentium-class or AMD processor
• 512 MB-1GB RAM
• +-110 MB of free disk space plus •250 MB free space in Preboot Authentication partition
Optional Embedded Hardware
• Trusted Platform Module (TPM) chipset with TCG Software Stack (TSS) version 1.2.1.42
NOTE: TSS is a component that interfaces with the Trusted Platform Module (TPM).
Windows Hardware
• Precision M6700
• Precision M4800
• Precision M6800
• Precision T3600
• Precision T3610
• Precision T5600
• Precision T5610
• Precision T7600
• Precision T7610
• Precision T1650
• Precision T1700
• OptiPlex 9010 AIO
• OptiPlex 9010
• OptiPlex 7010
• OptiPlex 7020
• OptiPlex XE2
• OptiPlex 9020 AIO
• OptiPlex 9020
• OptiPlex 9020 Micro
• OptiPlex 9030 AIO
Operating Systems
The following table details supported operating systems.
Windows Operating Systems (32- and 64-bit)
• Microsoft Windows 8
  - Enterprise
  - Pro
• Microsoft Windows 8.1
  - Windows 8.1 Update 1
  - Enterprise Edition
  - Pro Edition
• Windows Embedded 8.1
  - Industry Enterprise
• VMware Workstation 5.5 and higher
• Windows Embedded Standard 7 in Application Compatibility Mode
Operating Systems for External Media Edition (EME)
The following table details the operating systems supported when accessing media protected by EME.
Language Support
The Encryption client is Multilingual User Interface (MUI) compliant and supports the following languages.
Language Support
• EN - English
• JA - Japanese
• ES - Spanish
• KO - Korean
• FR - French
• PT-BR - Portuguese, Brazilian
• IT - Italian
• PT-PT - Portuguese, Portugal (Iberian)
• DE - German
SED Client
• The user account performing the installation must be a local or domain Admin user, which can be temporarily assigned by a deployment tool such as Microsoft SMS or KACE.
Client Prerequisites
The installer installs these components if not already installed on the computer.
Prerequisites
• Microsoft Visual C++ 2012 Update 3 or later Redistributable Package (x86 and x64)
• Microsoft .NET Framework v4.0
BEST PRACTICE: Potential installation problems can be avoided if Microsoft .NET Framework is installed on the target computer prior to client installation.
Operating Systems
The following table details the supported operating system.
Windows Operating Systems (32- and 64-bit)
• Microsoft Windows 7 SP0-SP1
  - Enterprise
  - Professional
• Microsoft Windows 8
  - Enterprise
  - Professional
  - Windows 8 (Consumer)
• Microsoft Windows 8.1
  - Enterprise Edition
  - Pro Edition
Language Support
The SED client is Multilingual User Interface (MUI) compliant and supports the following languages.
Smart Cards
• PKCS #11 Smart Cards using the ActivIdentity client
NOTE: The ActivIdentity client is not pre-loaded and must be installed separately.
• CSP Cards
• Common Access Cards (CACs)
NOTE: With CACs that have more than one certificate, at logon, the user selects the correct certificate from a list.
Contactless Cards
• Contactless Cards using Contactless Card Readers built in to Dell laptops
Operating Systems
The following table details supported operating systems.
BitLocker Manager Client
• If Windows BitLocker is not yet deployed in your environment, consider reviewing BitLocker requirements.
• The user account performing the installation must be a local or domain Admin user, which can be temporarily assigned by a deployment tool such as Microsoft SMS or KACE.
• Ensure that the PBA partition is already set up. If BitLocker Manager is installed before the PBA partition is set up, BitLocker cannot be enabled and BitLocker Manager will not be operational.
Language Support
BitLocker Manager is Multilingual User Interface (MUI) compliant and supports the following languages.
Cloud Sync Clients
The following table details the latest tested sync clients. Sync clients release updates fairly frequently; later released versions may work properly with DDP|CE, but should be tested prior to rolling out in a production environment.
Cloud Sync Clients
• Dropbox 2.4-2.12
  - Dropbox for Business requires Dropbox version 2.8 or later plus the DDP Enterprise Server - Virtual Edition (VE) v8.4 or later
NOTE: With a pre-v8.
Operating Systems
The following table details supported operating systems.
Windows Operating Systems (32-bit and 64-bit)
• Microsoft Windows 7 SP0-SP1
• Microsoft Windows 8
• Microsoft Windows 8.1 (Box and Dropbox only)
Android Operating Systems
• 4.0 Ice Cream Sandwich
• 4.1 - 4.3 Jelly Bean
• 4.4 KitKat
iOS Operating Systems
• iOS 5.x
• iOS 6.x
• iOS 7.
Interoperability
Deprovision and Uninstall Dell Data Protection | Access
If DDP|A is installed now or has been installed in the past on your computer, before installing the Encryption client, SED, or Advanced Authentication, you must deprovision the DDP|A-managed hardware and then uninstall DDP|A. If DDP|A has not been used, you may simply uninstall DDP|A and restart the installation process.
Enterprise Edition Administrator Guide
Pre-Installation Configuration to Enable DDP|HCA
If the computer targeted for encryption is equipped with a Dell Data Protection | Hardware Crypto Accelerator (HCA) and you intend to use Hardware Crypto Accelerator (HCA) policies, you must first set up and activate the TPM. If using legacy HCA, you need to set up a System password. Follow the instructions detailed in this section to configure DDP|HCA prior to the Encryption client installation.
NOTE: The features available as of v8.
Computer          BIOS Needed
OptiPlex XE2      A05
Precision M4800   A07
Precision M6800   A07
Precision T1700   A06
e Select Get drivers and downloads in the left menu.
f Click View All Drivers.
g Scroll down to Refine your results and expand the BIOS drop-down. Download and install the updated BIOS, following the prompts in the BIOS installer package. The following example displays a Latitude E7440.
5 Install the product using the DDPSetup.exe file. Using DDPSetup.
DDP|HCA Pre-Installation BIOS Configuration
If the following hardware and BIOS instructions are not completed, are inaccurate, or are otherwise not met, the Encryption client ignores HCA policies and software encryption is implemented.
1 Boot into the BIOS Configuration:
— Press F2 or F12 continuously during boot until a message in the upper right screen is similar to “preparing to enter setup” (F2) or “preparing one-time boot menu” (F12). Enter BIOS Administrator password if prompted.
Reset System Password
If the computer is equipped with legacy HCA, and you forget your System password, log in with the BIOS Admin password and assign a new System password as described in DDP|HCA Pre-Installation BIOS Configuration. If the BIOS password is also unknown, you must contact Dell support to reset the passwords (refer to your Welcome Letter for contact information).
Pre-Installation Configuration to Set Up a BitLocker PBA Partition
• You must create the PBA partition before installing BitLocker Manager.
• Use the BdeHdCfg.exe command to create the PBA partition. The default parameter indicates that the command line tool will follow the same process as the BitLocker Setup Wizard:
BdeHdCfg -target default
For more options available for the BdeHdCfg command, see Microsoft’s BdeHdCfg.exe Parameter Reference.
NOTE: You may need to partition the disk manually.
Set GPO on Domain Controller to Enable Entitlements
• If your clients will be entitled from the factory or you purchase licenses from the factory, follow these instructions to set the GPO on the domain controller to enable entitlements (this may not be the same server running Enterprise Edition).
• The workstation must be a member of the OU where the GPO is applied.
NOTE: Ensure that outbound port 443 is available to communicate with the Server.
5 The Group Policy Management Editor loads. Access Computer Configuration > Preferences > Windows Settings > Registry.
6 Right-click the Registry and select New \ Registry Item.
7 Click OK.
8 Log out and then back into the workstation, or run gpupdate /force to apply the group policy.
Extract the Child Installers from the Master Installer
To install each client individually, first extract the child executable files from the master installer.
1 From the Dell installation media, copy the master installer’s DDPSetup.exe file to the local computer.
2 Open a command prompt in the same location as the DDPSetup.exe file and enter:
DDPSetup.exe /z"\"EXTRACT_INSTALLERS=C:\extracted\""
The extracted child installers are located at C:\extracted\.
Commonly Used Scenarios
• To install each client individually, the child executable files must first be extracted from the master installer, as shown in Extract the Child Installers from the Master Installer.
• The default location of log files is: C:\ProgramData\Dell\Dell Data Protection.
• If your computer has DDP|A installed now or has had it installed in the past, be sure to follow the steps in Interoperability before you continue.
DDP|E Client and Advanced Authentication
See Configure Credentials in the Security Console and Use the Authentication Applications to learn how to use the features of Advanced Authentication.
NOTE: Drivers are needed for Advanced Authentication if installing on Dell hardware. These are the drivers for the various smart cards and fingerprint readers for which Dell supplies drivers.
Then:
DDP|E Encryption Client - C:\extracted\Encryption
• The following example installs the client with default parameters (encryption client, Encrypt for Sharing, CREDActivate, no dialogue, no progress bar, no restart, logs at the specified location, installed in the default location of C:\Program Files\Dell\Dell Data Protection).
If your DDP Server is pre-v7.7:
DDPE_XXbit_setup.exe /s /v"SERVERHOSTNAME=server.organization.com POLICYPROXYHOSTNAME=rgk.organization.
Then:
Advanced Authentication Client - C:\extracted\Security Tools\Authentication
• The following example installs Advanced Authentication (silent installation, no reboot, log file at the specified location, installed in the default location of C:\Program Files\Dell\Dell Data Protection).
DP_XXbit_setup.exe /s /v"/norestart /l*v DPinstall.
Drivers - C:\extracted\Drivers
• The following example installs the drivers at the specified location, does not create an entry in the Control Panel Programs list, and suppresses the reboot.
setup.
Cloud Client - C:\extracted\Cloud
• The following example installs Cloud Edition (silent installation, no reboot, log file at the specified location, installed in the default location of C:\Program Files\Dell\Dell Data Protection).
Cloud_XXbit_setup.exe /s /v"SERVER=securityserver.organization.com /norestart /l*v Cloudinstall.log /qn"
DDP|E Client and Cloud Edition
See Cloud Edition Activation and User Experience to learn how to use Cloud Edition.
BitLocker Manager and External Media Edition
BitLocker Manager Client - C:\extracted\Security Tools
• The following example installs BitLocker Manager (silent installation, no reboot, log file at the specified location, no entry in the Control Panel Programs list, installed in the default location of C:\Program Files\Dell\Dell Data Protection).
EMAgent_XXbit_setup.exe /s /v"CM_EDITION=1 SERVERHOST=server.organization.com SERVERPORT=8888 SECURITYSERVERHOST=securityserver.organization.
If your DDP Server is pre-v7.7:
DDPE_XXbit_setup.exe /s /v"EME=1 SERVERHOSTNAME=server.organization.com POLICYPROXYHOSTNAME=rgk.organization.com DEVICESERVERURL=https://server.organization.com:8081/xapi MANAGEDDOMAIN=ORGANIZATION /norestart /l*v EMEinstall.log /qn"
If your DDP Server is v7.7 or later:
DDPE_XXbit_setup.exe /s /v"EME=1 SERVERHOSTNAME=server.organization.com POLICYPROXYHOSTNAME=rgk.organization.com DEVICESERVERURL=https://server.organization.
EMAgent_XXbit_setup.exe /S /v"CM_EDITION=1 SERVERHOST=server.organization.com SERVERPORT=8888 SECURITYSERVERHOST=securityserver.organization.com SECURITYSERVERPORT=8443 ARPSYSTEMCOMPONENT=1 /l*v SEDinstall.
DDP|E Client and Advanced Authentication for Computers with HCA
NOTE: Drivers are needed for Advanced Authentication if installing on Dell hardware. These are the drivers for the various smart cards and fingerprint readers for which Dell supplies drivers. Installing these drivers should be omitted if using Advanced Authentication on non-Dell hardware, as they may interfere with other vendors’ drivers. Drivers are also needed if installing the encryption client.
Then:
DDP|E Encryption Client - C:\extracted\Encryption
• The following example installs the client with default parameters (encryption client, Encrypt for Sharing, CREDActivate, no dialogue, no progress bar, no restart, logs at the specified location, installed in the default location of C:\Program Files\Dell\Dell Data Protection).
If your DDP Server is pre-v7.7:
DDPE_XXbit_setup.exe /s /v"SERVERHOSTNAME=server.organization.com POLICYPROXYHOSTNAME=rgk.organization.
Section I.
Dell Data Protection Master Installer
• The Dell Data Protection Master Installer is commonly known as the Master Installer, as it installs the Enterprise Edition suite of products.
• The master installer does not support upgrades from pre-v8.0 components. For upgrade needs, extract the appropriate child installer from the master installer. See Extract the Child Installers from the Master Installer for extraction instructions.
Install DDP|E Interactively
• Use these instructions to install DDP|Enterprise Edition interactively. This method can be used to install the Enterprise Edition suite of products on one computer at a time. This installer includes the components you need for either software encryption or hardware encryption for computers equipped with Hardware Crypto Accelerator (HCA).
1 Locate DDPSetup.exe in the Dell installation media. Copy it to the local computer.
2 Double-click DDPSetup.exe to launch the installer.
6 Click Next.
7 In the Dell Enterprise Server Name field, enter the fully qualified host name of the DDP Server that will manage the target user, such as server.organization.com. In the Dell Device Server URL field, enter the URL of the Device Server that the client will communicate with. If your DDP Server is pre-v7.7, the format is https://server.organization.com:8081/xapi. If your DDP Server is v7.7 or later, the format is https://server.organization.
8 Click Next.
9 Click Next to install the products in the default location of C:\Program Files\Dell\Dell Data Protection\.
10 Self-Encrypting Drive management (your SED must be supported by Dell to be managed) and Authentication are installed by default and cannot be deselected. This is listed as Dell Data Protection | Security Framework in the installer. Drivers are installed by default and cannot be deselected. Drivers installs smart card, fingerprint reader, and other necessary drivers.
11 Click Next.
12 Click Install to begin the installation.
A status window displays. This may take several minutes.
13 Select Yes, I want to restart my computer now and click Finish when the InstallShield Wizard Complete dialog displays.
Installation of the selected products is complete.
Install DDP|E Using the Command Line
• Command line options are case-sensitive.
Switches
The following table describes the switches that can be used with the master installer.
Switch      Meaning
-y -gm2     Pre-extraction of master installer. The -y and -gm2 switches must be used together. Do not separate the switches.
/S          Silent installation
/z          Pass variables to the .msi inside the DDPSetup.exe
Parameters
The following table describes the parameters that can be used with the master installer.
Uninstallation Process
To uninstall, each product must be uninstalled separately, in a specific order.
1 Extract the child installers, following the process in Extract the Child Installers from the Master Installer.
2 When complete, go to C:\extracted\ to obtain each client installed on the computer.
3 Uninstall the clients in the following order:
DDP|E (DDPE_xxbit_setup.exe)
Security Framework (EMAgent_xxbit_setup.exe)
DDP|Authentication (DP_xxbit_setup.
Section II.
Drivers Installation Tasks
• Drivers are needed for Advanced Authentication if installing on Dell hardware. These are the drivers for the various smart cards and fingerprint readers for which Dell supplies drivers. Installing these drivers should be omitted if using Advanced Authentication on non-Dell hardware, as they may interfere with other vendors’ drivers. Drivers are also needed if installing the encryption client.
Options
The following table details the display options that can be specified at the end of the argument passed to the /v switch, to achieve your expected behavior.
Section III.
Encryption Client Installation Tasks
• You can install the Encryption client by itself by extracting the child installer out of the master installer. If you have not extracted the individual installer yet, follow the procedure in Extract the Child Installers from the Master Installer. The Encryption client can be installed using the user interface or by command line using any push technology available to your organization.
Command Line Installation
For a command line installation, the switches must be specified first. The /v switch is required and takes an argument. Other parameters go inside an argument that is passed to the /v switch.
Switches
The following table details the switches available for the installation.
Switch      Meaning
/v          Pass variables to the .msi inside the DDPE_XXbit_setup.
Example Command Line Installation
• The installation is performed using the DDPE_XXbit_setup.exe file located in the C:\extracted\Encryption folder.
NOTE: Be sure to enclose a value that contains one or more special characters, such as a blank space, in escaped quotation marks.
To specify a log location other than the default location where the executable is located, provide the complete path in the command. For example, “/l*v C:\Logs” will create install logs in a “C:\Logs” folder.
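The quoting rule in the NOTE above, as an added Python example (not Dell's code): it builds the /v argument for a child installer and wraps any value containing a space or other special character in escaped quotation marks, so the value cannot be split into extra switches. The function names, the safe-character set and the upper-case check on property names are assumptions of this example; the sample values are the guide's own placeholders.

```python
import re

# Assumption: property names follow the Windows Installer rule for public
# properties (upper case only), which matches every property in this guide.
PROPERTY_NAME = re.compile(r"[A-Z_][A-Z0-9_.]*")
# Assumption: characters that are safe to leave unquoted inside /v"...".
SAFE_VALUE = re.compile(r"[A-Za-z0-9._:/\\-]+")


def format_property(name, value):
    """Return NAME=value, adding escaped quotes when the value needs them."""
    value = str(value)
    if not PROPERTY_NAME.fullmatch(name):
        raise ValueError(f"property name must be upper case: {name!r}")
    if any(ch in value for ch in '"\r\n'):
        # A quotation mark or line break would end the /v argument early.
        raise ValueError(f"{name}: value contains a quote or line break")
    if SAFE_VALUE.fullmatch(value):
        return f"{name}={value}"
    if value.endswith("\\"):
        # A trailing backslash would swallow the closing escaped quote.
        raise ValueError(f"{name}: quoted value must not end with a backslash")
    return f'{name}=\\"{value}\\"'


def build_command(installer, properties, msi_options=(), silent=True):
    """Assemble: installer [/s] /v"PROP=value ... <msi options>"."""
    inner = [format_property(k, v) for k, v in properties.items()]
    for option in msi_options:
        if '"' in option:
            raise ValueError(f"unexpected quote in option: {option!r}")
        inner.append(option)
    switches = "/s " if silent else ""
    # No space between /v and the opening quotation mark.
    return f"{installer} {switches}/v\"" + " ".join(inner) + '"'


# Placeholder values taken from the guide's pre-v7.7 EME-only example.
EME_PROPERTIES = {
    "EME": 1,
    "SERVERHOSTNAME": "server.organization.com",
    "POLICYPROXYHOSTNAME": "rgk.organization.com",
    "DEVICESERVERURL": "https://server.organization.com:8081/xapi",
    "MANAGEDDOMAIN": "ORGANIZATION",
}


def example_command():
    return build_command(
        "DDPE_XXbit_setup.exe",
        EME_PROPERTIES,
        ["/norestart", "/l*v EMEinstall.log", "/qn"],
    )


if __name__ == "__main__":
    print(example_command())
    # A value with a blank space stays one value instead of becoming a switch.
    print(format_property("MANAGEDDOMAIN", "ORGANIZATION /qb"))
```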
• The following example installs EME only (silent installation, no reboot, with logs at the specified location, installed in the default location of C:\Program Files\Dell\Dell Data Protection)
If your DDP Server is pre-v7.7:
DDPE_XXbit_setup.exe /s /v"EME=1 SERVERHOSTNAME=server.organization.com POLICYPROXYHOSTNAME=rgk.organization.com DEVICESERVERURL=https://server.organization.com:8081/xapi MANAGEDDOMAIN=ORGANIZATION /norestart /l*v EMEinstall.log /qn"
If your DDP Server is v7.
2 In the Setup window, specify the network location where you want to store the extracted files, and click Install.
3 Consult the documentation of your specific transform tool to create the transform file to be used in the next step.
4 Use a command line similar to the following to pass the transform file to the DDPE_XXbit_setup.exe installer.
DDPE_XXbit_setup.exe /v"PROPERTY1=\"value with spaces\" PROPERTY2=ValueWithoutSpaces INSTALLDIR=D:\Program Files\Destination TRANSFORMS=NewTransform1.
Encryption Client Uninstallation and Decryption Tasks
When using System Data Encryption (SDE), User, or Common encryption, file decryption optionally occurs at uninstallation if you choose to install the Encryption Removal Agent. This enables you to decide whether or not to decrypt files. When using HCA encryption, all HCA-encrypted drives must be decrypted prior to uninstallation. The Encryption Removal Agent does not decrypt HCA encrypted drives.
• Optionally create an Encryption Removal Agent log file to aid in troubleshooting. See How to Create an Encryption Removal Agent Log File (Optional). If you do not intend to decrypt SDE, User, or Common encrypted files during the uninstall process, you do not need to create an Encryption Removal Agent log file.
• You must have a local or domain Admin user account to perform the uninstallation.
• Dell ControlVault is typically not uninstalled, as it is a driver for your fingerprint reader.
Parameters
The following table details the parameters available for the uninstallation.
Parameter: CMG_DECRYPT - Property for selecting the type of Encryption Removal Agent installation
Selection:
1 - Download keys from the DDP Server
0 - Do not install Encryption Removal Agent
Parameter: CMGSILENTMODE - Property for silent uninstallation.
Example Command Line Uninstallation
• The uninstallation is performed using the DDPE_XXbit_setup.exe file located in the C:\extracted\Encryption folder.
NOTE: Be sure to enclose a value that contains one or more special characters, such as a blank space, in escaped quotation marks.
To specify a log location other than the default location where the executable is located, provide the complete path in the command. For example, “/l C:\Logs” will create install logs in a “C:\Logs” folder.
How to Create an Encryption Removal Agent Log File (Optional)
Before beginning the uninstall process, you can optionally create an Encryption Removal Agent log file. This log file is useful for troubleshooting an uninstall/decryption operation. If you do not intend to decrypt files during the uninstall process, you do not need to create an Encryption Removal Agent log file. Create the following Windows Registry entry on the computer targeted for decryption to create an Encryption Removal Agent log file.
All files could not be decrypted – The decryption sweep is complete, but all files could not be decrypted. This status means one of the following occurred:
• The locked files could not be scheduled for decryption because they were too big, or an error occurred while making the request to unlock them.
• An input/output error occurred while decrypting files.
• The files could not be decrypted by policy.
• The files are marked as should be encrypted.
• An error occurred during the decryption sweep.
Encryption Client Data Recovery
Situations such as operating system failure or hardware failure may cause encrypted data to become inaccessible. Data recovery allows you to regain access to encrypted data on computers encrypted by DDP|E software encryption or HCA encryption.
Prerequisites
• A recovery bundle is needed to recover data. The bundle is a recovery program that must be run with Administrative rights on the drive that it is recovering.
Recover Data using Current Computer
These instructions restore access to encrypted files by forcing DDP|E to re-acquire its keys from the server. Follow these instructions when the computer is bootable, but you are having problems accessing encrypted files.
1 Locate the recovery bundle downloaded from the Remote Management Console.
2 Copy the recovery bundle to the target computer (the computer to recover data).
3 Right-click the file and select Run as Administrator to launch the recovery utility.
Prepare the Environment (or Slaved Drive)
SDE Environment Prerequisite
The computer must be booted into the appropriate recovery image or a slaved drive.
HCA Decryption Environment Prerequisites
The computer must be booted into any Windows-based alternate operating system environment on the computer to recover, with the hard drive you are trying to recover attached.
5 Cancel the recovery dialog box. Now you can use the LSARecovery file to run the recovery from a command line.
Recover the Data
1 Locate the recovery file downloaded from the Remote Management Console.
2 Right-click the recovery file and select Run as administrator.
Or (if you extracted the recovery file in the previous procedure)
Run the LSARecovery executable from a command prompt:
LSARecovery.exe –server [https://my.Dell Enterprise Server.com] *
Or
LSARecovery.
When the computer restarts, it downloads the updated HCA Critical Data to complete the recovery. It will attempt to download the HCA Critical Data on every login until it succeeds in obtaining the new data. Once this has happened, the drive’s device icon should be green again in the console. After the escrow takes place, the local console requests the updated data from the server the next time anyone logs in. If recovery fails, refer to Troubleshooting HCA Recovery for assistance.
Recover User Access to a Computer Equipped with HCA
Self-Recovery
This workflow enables end users to log on with provisioned recovery questions. Once the end user's recovery questions have been configured in the Security Console, then the option to use the recovery questions for self-recovery is available. See Configure Credentials in the Security Console for instructions on configuring recovery questions.
1 At the PBA login screen, the end user enters their user name and clicks the gear in lower left.
3 The end user enters the correct answers to the recovery questions and clicks Finish.
Recover Access using Challenge/Response Codes
1 As a Dell Administrator, open the Remote Management Console.
2 In the left pane, click Actions > Recover Data.
3 Select the SED tab on the top menu.
4 In the Recover SED User Access area, enter the Host Name of the computer to recover. Enter the Host Name as a fully qualified host name. You can find the Host Name on the Endpoint Detail page in the Endpoint Detail section. It is listed as the Unique ID.
5 Click Search.
Configure Dell Key Server
This section explains how to configure components for use with Kerberos Authentication/Authorization when using a DDP Enterprise Server. The DDP Enterprise Server - VE does not use the Key Server. Dell Key Server is a Service that listens for clients to connect on a socket. Once a client connects, a secure connection is negotiated, authenticated, and encrypted using Kerberos APIs (if a secure connection cannot be negotiated, the client is disconnected).
4 Go to and change “epw” to “password”. Then change "" to the password of the user from Step 3. This password is re-encrypted when the DDP Enterprise Server restarts. If using “superadmin” in Step 3, and the superadmin password is not “changeit”, it must be changed here. Save and close the file.
Sample Configuration File
Remote Management Console Instructions
1 If needed, log on to the Remote Management Console.
2 Click Domains and click the Detail icon.
3 Click Key Server.
4 In the Key Server account list, add the user that will be performing the Admin activities. The format is Domain\username. Click Add Account.
5 Click Users in the left menu. In the search box, search for the username added in Step 4. Click Search.
6 Once the correct user is located, click the Detail icon.
7 Select Admin. Click Update.
Enterprise Edition Administrator Guide
Use WSScan
When uninstalling the Encryption client, follow your existing process for decrypting data, such as issuing a policy update. After decrypting data, but before performing a restart in preparation for uninstall, run WSScan to ensure that all data is decrypted. Administrator privileges are required to run this utility.
1 From the Dell installation media, copy WSScan.exe to the Windows device to scan.
2 Launch a command line at the location above.
3 At the command prompt, enter wsscan.exe.
WSScan Output
WSScan information about encrypted files contains the following information.
Example Output:
[2010-07-28 07:52:33] SysData.7vdlxrsb._SDENCR_: “c:\temp\Dell - test.log” is still AES256 encrypted

Output            Meaning
Date/time stamp   The date and time the file was scanned.
Encryption type   The type of encryption used to encrypt the file. SysData: SDE Encryption Key. User: User Encryption Key. Common: Common Encryption Key.

WSScan does not report files encrypted using Encrypt for Sharing.
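The pre-uninstall check above can be automated by parsing saved WSScan output and refusing to proceed while any file is still reported as encrypted. The following Python script is an added example, not part of the Dell guide or its tooling; it assumes every finding follows the shape of the single example line shown above, and all sample lines other than that first one are constructed.

```python
"""Summarize saved WSScan output before uninstalling the Encryption client."""
import re
from collections import Counter
from datetime import datetime

# Key-type prefixes listed in the guide's WSScan Output table.
KEY_TYPES = {
    "SysData": "SDE Encryption Key",
    "User": "User Encryption Key",
    "Common": "Common Encryption Key",
}

# Assumed line shape, taken from the guide's single example line:
#   [timestamp] <KeyType>.<detail>: "<path>" is still <algorithm> encrypted
# Straight and typographic quotes around the path are both accepted.
LINE_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]\s+'
    r'(?P<key_type>[^.\s]+)\.(?P<key_detail>\S+?):\s+'
    r'[“"](?P<path>.+?)[”"]\s+is still\s+(?P<algorithm>\S+)\s+encrypted\s*$'
)


def parse_line(line):
    """Return one finding as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "scanned_at": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "key_type": m["key_type"],
        "key_name": KEY_TYPES.get(m["key_type"], "unknown key type"),
        "key_detail": m["key_detail"],  # kept verbatim, not interpreted
        "path": m["path"],
        "algorithm": m["algorithm"],
    }


def summarize(lines):
    """Split non-blank lines into parsed findings and unparsed leftovers."""
    findings, unparsed = [], []
    for raw in lines:
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry is None:
            unparsed.append(raw.strip())
        else:
            findings.append(entry)
    return {
        "findings": findings,
        "by_key_type": Counter(f["key_type"] for f in findings),
        "unparsed": unparsed,
    }


def fully_decrypted(report):
    """True only if nothing is reported encrypted, parsed or not.

    An unparsed line that still mentions "encrypted" blocks the result so a
    format change cannot silently hide a finding. Per the guide, files
    protected with Encrypt for Sharing never appear in WSScan output, so a
    True result says nothing about them.
    """
    leftover = [u for u in report["unparsed"] if "encrypted" in u.lower()]
    return not report["findings"] and not leftover


# First line is the guide's example; the rest are constructed test input.
SAMPLE_LOG = """\
[2010-07-28 07:52:33] SysData.7vdlxrsb._SDENCR_: “c:\\temp\\Dell - test.log” is still AES256 encrypted
[2010-07-28 07:52:34] User.aaaaaaaa._SDENCR_: "c:\\users\\example\\notes.txt" is still AES256 encrypted
[2010-07-28 07:52:35] Common.bbbbbbbb._SDENCR_: "c:\\shared\\plan.docx" is still AES256 encrypted

c:\\temp\\broken entry is still AES256 encrypted
""".splitlines()


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for f in report["findings"]:
        print(f"{f['scanned_at']:%Y-%m-%d %H:%M:%S}  {f['key_name']:<22} {f['path']}")
    for key_type, count in sorted(report["by_key_type"].items()):
        print(f"{key_type}: {count} file(s) still encrypted")
    for line in report["unparsed"]:
        print(f"REVIEW (unparsed): {line}")
    print("Safe to proceed with uninstall:", fully_decrypted(report))
```
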
Section IV.
SED Management and Advanced Authentication Installation Tasks • You can install the SED management client and Advanced Authentication clients by themselves by extracting the child installers out of the master installer. If you have not extracted the individual installers yet, follow the procedure in Extract the Child Installers from the Master Installer.
Command Line Installation For a command line installation, the switches must be specified first. The /v switch is required and takes an argument. Other parameters go inside an argument that is passed to the /v switch. Switches The following table details the switches available for the installation. Switch Meaning /v Pass variables to the .
Example Command Line Installation • Special drivers are needed for Advanced Authentication if installing on Dell hardware. These are the drivers for the various smart cards and fingerprint readers for which Dell supplies drivers. Installing these drivers should be omitted if using Advanced Authentication on non-Dell hardware, as they may interfere with other vendor’s drivers. • Additional drivers and software stack are required for supporting Hardware Crypto Accelerator (HCA).
SED and Advanced Authentication Deactivation and Uninstallation Tasks These instructions detail the process of: • Deactivating the PBA, which removes all PBA data from the computer and unlocks the SED key. • Uninstalling the SED client software. • Uninstalling the Advanced Authentication client software. Prerequisites • You must have an Administrator account to perform the uninstallation. • Network connection to the DDP Server is required for PBA deactivation.
Uninstall SED Client • The uninstallation is performed using the EMAgent_XXbit_setup.exe, DP_XXbit_setup.exe, and Dell_CV_SW_Update_xXX.exe files located in the C:\extracted\Security Tools, C:\extracted\Security Tools\Authentication, and C:\extracted\UshCvReset (Dell ControlVault Software Update) Child Installer folders. Command Line Uninstallation For a command line uninstallation, the switches must be specified first. The /v switch is required and takes an argument.
Example Command Line Uninstallation
NOTE: Be sure to enclose a value that contains one or more special characters, such as a blank space, in escaped quotation marks. To specify a log location other than the default location where the executable is located, provide the complete path in the command. For example, “/l C:\Logs” will create install logs in a “C:\Logs” folder.
EMAgent_XXbit_setup.exe /x /s /v"/l Uninstall.log /qn"
Shut down and restart the computer. Then:
DP_XXbit_setup.
SED and OS Recovery Self-Recovery, OS Logon This workflow enables an end user to log on with provisioned recovery questions. Once the end user's recovery questions have been set up, and if the Allow recovery questions for Windows logon setting is allowed by policy, then the option to use the recovery questions for Windows logon is available from the Windows Start screen. 1 The end user clicks Can't access your account? to use the Recovery Questions.
2 Clicking the link displays the questions selected by the end user during their initial setup in the Security Console. The end user enters the answers and clicks OK. 3 Upon successful entry of the answers to the questions, the end user is in Access Recovery mode.
The end user selects one option and clicks Next. NOTE: If none of the options are selected within the Windows timeout period, the end user is automatically logged into Windows without further action.
Self-Recovery, PBA This workflow enables end users to log on with provisioned recovery questions. Once the end user's recovery questions have been set up, then the option to use the recovery questions for PBA self-recovery is available. 1 At the PBA login screen, the end user enters their user name and clicks the gear in lower left. 2 The end user selects Forgot Password.
3 The end user enters the correct answers to the recovery questions and clicks Finish.
Assisted Recovery, PBA • Assisted recovery will be needed if you cannot gain access to the computer using any commands or policies and you need to bypass the PBA login. Some examples include: — You need to remove SED management because it is malfunctioning and you need to get to the Windows login screen. — You need to deactivate the computer, but cannot because: a PBA failure has occurred. the operating system has been accidentally re-imaged so there effectively is not an SED client.
How to Turn Off Manager SSL Trust Validation When using SED or BitLocker Manager and you want to turn off Manager SSL trust validation, follow the steps below. Dell Enterprise Server NOTE: The Server Configuration Tool and the Remote Management Console cannot run simultaneously. Close the Remote Management Console before opening the Server Configuration Tool. 1 In the Server Configuration Tool on the Settings tab, check the box for Disable Trust Chain Check.
How to Use the Initial Access Code Policy This policy is used to log on to a computer when network access is unavailable. Meaning, access to the DDP Server and AD are both unavailable. Only use the Initial Access Code policy if absolutely necessary. Dell does not recommend this method to log in. Using the Initial Access Code policy does not provide the same level of security as the usual method of logging in using User Name, Domain, and Password.
How to Create a PBA Log File for Troubleshooting There may be cases when a PBA log file is needed for troubleshooting PBA issues, such as: • You are unable to see the network connection icon, yet you know there is network connectivity. The log file contains DHCP information to track down the issue. • You are unable to see the Server connection icon. The log file contains information to help diagnose Server connectivity issues. • Authentication fails even when entering correct credentials.
Section V.
Configure Credentials in the Security Console • The Security Console is the centralized user interface for all end users of the computer. The Security Console is used to set up and manage users’ credentials, view the enrollment status of their credentials, back up and restore program data as well as Password Manager logons and credentials for Windows. The Security Console provides a wizard-driven user interface to enable end users to configure their credentials and self-recovery questions.
The end user enters their Windows password to verify their identity and clicks Next. 5 Recovery Questions A question and answer-based method of authentication is provided for end users to access their Windows account if other credentials are unavailable (for example, if they forgot their password).
6 Choose Credentials On the Choose Credentials page, the end user can select which additional credentials to enroll at this time. By default, all credentials permitted by the Administrator and supported by the computer’s hardware and software are listed on this page. Disconnected peripherals are not displayed until they are reconnected. The end user clicks Next to continue to enroll the selected credentials. NOTE: Credentials may be enrolled at any time by re-launching the Setup Wizard.
The end user clicks the desired finger to enroll and clicks Save. The end user may also click Skip fingerprint enrollment to bypass this page at this time. NOTE: The minimum and maximum number fingerprints to enroll is Administrator-configured in the Remote Management Console. The number of swipes needed to complete fingerprint enrollment depends on the quality of the fingerprint scan. The end user clicks Save when finished with each finger.
To delete an enrolled fingerprint, click the highlighted fingerprint. A confirmation dialog displays, which ensures that the end user intends to delete the fingerprint. The end user clicks Save when finished.
b Card Enrollment To set up a built-in contactless card, place the card very close to the reader. Once the contactless card communicates with the reader, the end user is prompted to verify their identity. The end user enters their Windows password and clicks Authenticate. If authenticating with a CAC that has more than one certificate, the user selects the correct certificate from a list. The end user is prompted to Save the credential information after authentication of the card.
8 The Encryption tab displays the protection status of the computer. Once provisioned (encrypted), the status updates to Protected.
Use the Authentication Applications The Security Console provides access to three applications through the tiles located on the Authentication tab.
Credentials The Credentials application provides a way to enroll end user credentials. By default, end users enroll and modify their own credentials. However, Administrators may limit the ability of the end user to enroll or manage credentials. Enrollment Status The Enrollment Status page is the default page shown when you click the Credentials tile. This page displays a list of all supported credentials and specifies their status: Required, Optional, or Disabled.
Windows Password The Windows Password page allows end users to easily change their Windows password from within the Security Console. Password changes are effective immediately after clicking Change. NOTE: End users should be instructed to change their Windows password only in the Security Console, rather than in Windows. If the Windows password is changed outside of the Security Console, a password mismatch will occur, requiring a recovery operation.
Backup and Restore
The Backup and Restore Wizard helps end users securely back up passwords managed by Password Manager. This data can be restored on any computer protected by Password Manager.
1 Click the Backup and Restore tile on the Authentication page.
2 Click either Back up data or Restore data to launch the Backup and Restore Wizard.
Back up Data
1 Click Back up data to launch the Backup and Restore Wizard. The first page of the wizard allows the end user to select the application data to back up. By default, Password Manager is selected.
2 The end user clicks Next.
3 On the second page of the wizard, the end user types the location and name of the file to be created or navigates to the desired location by clicking Browse.
5 On the third page of the wizard, the end user must enter and confirm a password to protect the data in the backup file.
6 The end user clicks Next.
7 The final page of the wizard informs the end user that the backup has been completed and lists the applications that have had their data backed up. The end user clicks View Details to view a text log of the backup operations performed. The end user clicks Finish to close the dialog.
Restore Data
1 Click Restore data to launch the Backup and Restore Wizard and to restore the data that was previously backed up using Back up Data.
2 The end user enters the name and location of the backup file or clicks Browse to navigate to the file and then enters the password for the file. The end user clicks Next.
3 On the next page of the wizard, the end user is asked to select the data to restore. By default, all data that is managed is restored.
The end user clicks Finish to close the dialog.
Password Manager Password Manager allows an end user to automatically fill in and submit data required to log on to websites, Windows applications, and network resources. Password Manager also provides the capability for an end user to change their logon passwords through the application, ensuring that logon passwords maintained by Password Manager are kept in sync with those of the targeted resource.
• After performing one of the above-listed actions, the Add Logon to Password Manager dialog displays. Add Logon • The end user adds their logon information for the website or program in the Add Logon dialog. • The end user can add or subtract logon fields or edit the field labels through the More fields button. • For password fields, a password strength indicator is shown below the password field in the dialog. The indicator bar changes from red (weak) to yellow (medium) to green (strong).
NOTE: If there are several editable fields on the logon screen, the software may not choose the desired editable fields automatically. To specify which fields to include, the end user can click the More fields button. The More Fields dialog box is displayed and the end user can specify the desired fields. When the end user navigates to a field in the More Fields dialog, the corresponding field on the logon screen is highlighted.
• For logon to applications, Submit changes. A drop-down list of available options displays. • When saving the entered logon data, the end user is required to authenticate according to the Session Authentication policy in force (configured in the Remote Management Console). • The Add logon dialog box can also be launched by clicking the Password Manager icon on the white arrow of the blue circle and selecting the first menu item.
Web Domain Support • If an end user has trained a logon screen for a specific web domain but then wants to access his account on that web domain from a different logon screen, the end user can navigate to the new logon screen. The end user is then prompted to use an existing logon or to add a new one to Password Manager. • If the end user clicks Use logon, they are logged on to the previously created account.
• The end user must authenticate according to the Session Logon authentication policy in force, which is configurable in the Remote Management Console. Upon a successful authentication, the logon data is filled in on the logon screen. The end user is prompted to choose the account to use if more than one logon for the logon screen exists. • Additional options are available through the context menu upon successful authentication.
For the password, the end user can use their Windows password. All options above are hard-coded and cannot be modified. Use Old Password • It is possible that an end user may modify a password in Password Manager and then have the password rejected by the application. In this case, the application allows the end user to use a previous password (a password previously entered for this logon page) instead of the most recent one.
Password Change • Password Manager provides a change password functionality that helps the end user create stronger passwords. When the application detects a password change screen, a dedicated Password Manager icon is shown on the password screen. • Upon authentication, the end user can change their password from a dedicated change password dialog. Generate password functionality is supported. The end user can also choose the complexity criteria to be used in generating a password.
Password Manager Page • The Password Manager page allows an end user to launch their trained logons and to add, remove, and edit logon data. Until the end user has created a logon, instructional text is shown on the user interface to help the end user understand the password management functionality offered by the program. After the end user has created a logon, the regular user interface displays.
• Logons are grouped by domain. If an end user has multiple logons for the same web domain, the logons will be listed, indented, under their domain.
• If the end user clicks the Manage command next to a logon, a drop-down menu shows a subset of the following commands, depending on whether a domain or a logon is selected.
Open (default - also triggered if the end user double-clicks the logon)
Edit
Add
Delete
• The logons show a password strength indicator bar for each account added.
• If the end user clicks the Add category, the Add Category dialog displays. Settings Page • On the Settings page, the end user can configure the following: • The display of the Password Manager icon on the logon screens that can be trained for automatic data fill in. Clearing the Prompt to add logons for logon screens check box disables the Password Manager. • The key combination that can be pressed to display the Logons menu. The default key combination is “Ctl+Alt+H”.
Section VI.
BitLocker Manager Installation Tasks • You can install BitLocker Manager by itself by extracting the child installer out of the master installer. If you have not extracted the individual installer yet, follow the procedure in Extract the Child Installers from the Master Installer. BitLocker Manager can be installed by command line using any push technology available to your organization. Best Practices IT best practices should be followed during deployment.
Parameters The following table details the parameters available for the installation. Log File Parameters /l*v [fullpath][filename].log CM_EDITION=1 INSTALLDIR= SERVERHOST= SERVERPORT=8888 SECURITYSERVERHOST=
BitLocker Manager Uninstallation Tasks These instructions detail the process of uninstalling BitLocker Manager client software. Prerequisites • You must have a local or domain Administrator account to uninstall BitLocker Manager. • Use the same EMAgent_XXbit_setup.exe file to uninstall that was used to install. Uninstall BitLocker Manager Command Line Uninstallation For a command line uninstallation, the switches must be specified first. The /v switch is required, and takes an argument.
Options The following table details the display options that can be specified at the end of the argument passed to the /v switch, to achieve your expected behavior.
BitLocker Manager Recovery
To recover data, you obtain a recovery password or key package from the Remote Management Console, which then allows you to unlock data on the computer.
Recover Data
1 As a Dell Administrator, log in to the Remote Management Console.
2 In the left pane, click Actions > Recover Data.
3 Click the Manager tab.
4 For BitLocker: Enter the Recovery ID received from BitLocker. Click Get Recovery Password or Create Key Package.
How to Turn Off Manager SSL Trust Validation When using SED or BitLocker Manager and you want to turn off Manager SSL trust validation, follow the steps below. Dell Enterprise Server NOTE: The Server Configuration Tool and the Remote Management Console cannot run simultaneously. Close the Remote Management Console before opening the Server Configuration Tool. 1 In the Server Configuration Tool on the Settings tab, check the box for Disable Trust Chain Check.
Section VII.
Cloud Edition Installation Tasks Before you begin installing Cloud Edition, you must first complete a few tasks on the DDP Server. DDP Server Tasks Configure DDP Enterprise Server - VE for Cloud Edition To configure VE to support Cloud Edition, in the VE Remote Management Console, set the Cloud Storage Protection Enabled protection policy to True.
Set Up the Server for Automatic Downloads of the Windows Cloud Client (Optional)
1 On the server hosting your Dell Enterprise Server, go to C:\inetpub\wwwroot\.
NOTE: This web server must have a trusted certificate.
2 Create a folder under wwwroot named CloudUpdate (C:\inetpub\wwwroot\CloudUpdate).
NOTE: CloudUpdate is used in this example, but you can choose any name.
3 Place the updated executables in the CloudUpdate folder.
4 Place the updated versions.xml file in the CloudUpdate folder.
Whitelist The whitelist allows specific users or groups of users to register with the DDP Server and to use Cloud Edition. To allow external users, they must be placed on the whitelist to allow registration. However, in order for the blacklist to be used, if you have used a wildcard in the whitelist, it must be removed. See the following examples: *@organization.com Allows all organization.com email addresses to register with the DDP Server.
Use Dropbox for Business Cloud Edition with Dropbox for Business offers additional functionality: • Remote Wipe a Team Member Account • With a DDP Enterprise Server - Virtual Edition v8.4 or later, you can set policies to control how business and personal Dropbox folders are protected. If your enterprise allows both business and personal accounts, end users should understand encryption of each type of account. See Policy for Business and Personal Accounts.
Remote Wipe a Team Member Account If your enterprise has Dropbox for Business, you can remotely remove a team member from the corporate Dropbox for Business team account if, for example, a user leaves the company. Files and folders associated with the team member's account will be removed from all devices used by the account. This revokes that user’s access to those files.
Run Reports Reports about your Cloud Edition environment are available through Dell Compliance Reporter, a component of the Dell Enterprise Server and DDP Enterprise Server - VE. For example, you can run reports that detail the following: • User activations • Applied policy on a device • Actions performed on encrypted files • Dropbox for Business file encryption status For more information on running reports, see Compliance Reporter Help.
Client Tasks You can install the Cloud Edition client by itself by extracting the child installer out of the master installer. If you have not extracted the individual installer yet, follow the procedure in Extract the Child Installers from the Master Installer. The Cloud Edition client can be installed using the user interface or by command line using any push technology available to your organization. Activation by the end user is still required.
Options The following table details the display options that can be specified at the end of the argument passed to the /v switch, to achieve your expected behavior.
Cloud Edition Uninstallation Tasks If an end user has a local Administrator account, they can uninstall Cloud Edition themselves. See Cloud Edition User Guide. This section describes the Administrator process for uninstalling Cloud Edition. These instructions detail the process of: • Removing protected files • Uninstalling Cloud Edition client software. Prerequisites • You must have a local or domain Administrator account to perform the uninstallation. • Use the same Cloud_XXbit_setup.
Box
1 In the system tray, right-click the Box icon and select Open Box web site.
2 In the Box web site, right-click a file or folder and select Synced > Unsync.
3 In the Disable Sync window, click Unsync Folder.
4 The system tray icon indicates settings are being applied. This may take several minutes.
5 When complete, navigate to Windows Explorer > Box. If any files or folders were not removed, manually delete them.
OneDrive
1 In the system tray, right-click the OneDrive icon, and click Settings.
Options   Meaning
/qb       Progress dialog with Cancel button, prompts for Restart
/qb-      Progress dialog with Cancel button, restarts itself after process completion
/qb!      Progress dialog without Cancel button, prompts for restart
/qb!-     Progress dialog without Cancel button, restarts itself after process completion
/qn       No user interface
NOTE: Do not use both /q and /qn in the same command line. Only use ! and - after /qb.
Section VIII.
Cloud Edition Activation and User Experience
Activate Cloud Edition
After Dell Data Protection | Cloud Edition is installed and the computer reboots, follow these steps:
1 Log in to Windows.
2 From the Cloud Edition system tray icon, select User Activation.
3 Enter your domain email address and domain password, and click Activate. After activation finishes, a green check displays on the Cloud Edition system tray icon.
4 Confirm your user mode status.
Authenticate Dropbox for Business If you install Dropbox for Business, Cloud Edition prompts for authentication. 1 After you install Cloud Edition, an Authentication window may open, or click the Cloud Edition icon and then select Dropbox > Connect. The Authentication window notifies you that Cloud Edition must have access to your Dropbox account and may give instructions about business and personal accounts. 2 At the Authentication window, click Next.
Box
To sync folders:
1 In the system tray, right-click the Box icon and select Open Box web site.
2 In the cloud, right-click a folder and select Sync Folder to Computer.
3 In the Sync folder window, click Sync Folder.
4 The system tray icon indicates settings are being applied. This may take several minutes.
5 When complete, navigate to Windows Explorer > Box Sync. The synced folders display with a check mark.
Access a Cloud Storage Provider Dropbox In the system tray, click the Dropbox icon and select Dropbox.com. NOTE: If you use Chrome or Firefox to open Dropbox.com, be sure to close it after you finish working with files and folders. Even if you open another tab in the browser, the content will be encrypted. This could include email, an attachment, or uploads using the browser. Box In the system tray, right-click the Box icon and select Open Box web site.
Dropbox for Business
Dropbox for Business has specific requirements. See Cloud Sync Clients.
Connect Cloud Edition and Dropbox
If your company uses Dropbox for Business, you must allow Cloud Edition to stay connected. To connect:
1 In the system tray, click the Cloud Edition icon and then select Dropbox > Connect.
2 At the Dropbox Authentication window, read the information and then click Next.
3 If you have linked your Dropbox business and personal accounts, you will be prompted to select one now.
Understand the Cloud Edition System Tray Menu Items Details Screen You can use the Details screen for troubleshooting or support issues. For example: • If a user creates a folder but it's not encrypting, select Details > Files > Folder State. • Check Cloud Edition Policy Settings. • View logs for troubleshooting. The Details screen has a basic view and an enhanced view with additional details. Basic Details Screen Click the Cloud Edition system tray icon, and then click Details...
Audit: Lists modules, user ID, and event type. Information is in queue in this audit log and then sent to the server at specified intervals. The Administrator can use Compliance Reporter to create reports for auditing. See Compliance Reporter Help.
Policy: Lists the policy names and values for your enterprise.
To view log files, from the bottom-left corner of the Details screen, click View Log.
NOTE: Log files can also be found at C:\ProgramData\Dell\Dell Data Protection\Cloud Edition.
Using Cloud Edition with iOS or Android This section describes basic information on installing Cloud Edition on iOS or Android devices as well as a few tips. When using Cloud Edition on an iOS or Android client, if you open files directly through Dropbox, Box, or OneDrive, the file names and file contents are encrypted and unreadable. NOTE: Be aware that Windows has more options for sync clients than some other devices.
Share Files With External Users An external user is one with a non-domain email address. If an internal user wants to work on or share files protected by Cloud Edition with an external user, they must coordinate this with the Administrator. Administrator Tasks The enterprise determines the extent to which internal users can share business-sensitive files and folders with external users. For example: • An internal user can send a request to any external user to register with and install Cloud Edition.
Cloud Edition Frequently Asked Questions (FAQs) Administrator FAQs Question I changed the Obfuscate Filenames cloud policy from GUID to Extension only. However, the folders I had previously been syncing are still encrypting those files to the other format with GUID filenames. Answer When a policy is changed on the DDP Server, DDP|CE maintains the previous policy for that folder. Any new folders created will have the new policy applied and will encrypt to the Extension only format.
Folder Management FAQs NOTE: To use the Manage Folders option, you may need to request permission from your Administrator. Question I have a folder with files that I have shared with another user. In the system tray, I used the Cloud Edition > Manage Folders utility to unprotect that folder's contents. Recently, my files have become encrypted in the cloud again. That folder no longer displays in the Manage Folders utility, so I can no longer get those files to become unprotected in the cloud.
Solution To remove the old sync client option from the Manage Folders utility, delete the folder that houses those protected files. The best practice is to move any wanted folders/files out of the default Sync folder prior to deleting it. After you remove it, that file or folder is no longer listed in the Folder Management utility. Dropbox FAQs Question My Dropbox account has many conflicted files. When I delete them from the cloud, they keep being created.
Miscellaneous FAQs Question I moved the cloud provider’s sync folder to Program Files, and now I cannot decrypt the files that are being downloaded to my sync folder from the cloud. Answer By design, the Program Files folder or other excluded folders are unprotected, based on policy. DDP|CE will not decrypt any files downloaded to this folder or its subfolders. Solution Unlink or uninstall the sync client and move the sync folder back to its default location or to an alternate managed location.
A Change Secure Boot/UEFI to Legacy Boot Mode in BIOS
The features available as of v8.3 with HCA are supported on legacy BIOS non-UEFI systems. If running Windows 8 or Windows 8.1, follow these instructions prior to client installation.
1 Turn on the power to your Dell computer. If the computer is already running, reboot it.
2 Press F2 or F12 continuously during boot until a message in the upper right screen says something similar to “preparing to enter setup” (F2) or “preparing one-time boot menu” (F12).
5 In Settings > Secure Boot > Secure Boot Enable, ensure that the Secure Boot Enable selection is Disabled.
6 Apply the changes.
7 Now that the computer BIOS has been changed to a legacy boot mode, the computer must be re-imaged.
Glossary Activate(d) - Activation occurs when the computer has been registered with the Server and has received at least an initial set of policies. Active Directory (AD) - A directory service created by Microsoft for Windows domain networks. Cached Credentials - Cached credentials are credentials that are added to the PBA database when a user successfully authenticates with Active Directory.
System Data Encryption (SDE) – SDE policies encrypt the System Drive, the Fixed Drives, or both - depending on the policy template chosen. SDE policies do not encrypt the files needed by the operating system to start the boot process. SDE policies do not require preboot authentication or interfere with the Master Boot Record in any way. When the computer starts, the encrypted files are available before user login (to enable patch management, SMS, backup and recovery tools).