Install Guide

Glossary
Activate - Activation occurs when the computer has been registered with the Dell Server and has received at least an initial set
of policies.
Active Directory (AD) - A directory service created by Microsoft for Windows domain networks.
Advanced Threat Prevention - The Advanced Threat Prevention product is next-generation antivirus protection that uses
algorithmic science and machine learning to identify, classify, and prevent both known and unknown cyberthreats from
executing or harming endpoints. The optional Client Firewall feature monitors communication between the computer and
resources on the network and the Internet and intercepts potentially malicious communications. The optional Web Protection
feature blocks unsafe websites and downloads from those websites during online browsing and searching, based on safety
ratings and reports for websites.
Application Data Encryption - Application Data Encryption encrypts any file written by a protected application, using a category
2 override. This means that any directory that has a category 2 protection or better, or any location that has specific extensions
protected with category 2 or better, causes ADE to not encrypt those files.
BitLocker Manager - Windows BitLocker is designed to help protect Windows computers by encrypting both data and operating
system files. To improve the security of BitLocker deployments and to simplify and reduce the cost of ownership, Dell provides a
single, central management console that addresses many security concerns and offers an integrated approach to managing
encryption across other non-BitLocker platforms, whether physical, virtual, or cloud-based. BitLocker Manager supports
BitLocker encryption for operating systems, fixed drives, and BitLocker To Go. BitLocker Manager enables you to seamlessly
integrate BitLocker into your existing encryption needs and to manage BitLocker with the minimum effort while streamlining
security and compliance. BitLocker Manager provides integrated management for key recovery, policy management and
enforcement, automated TPM management, FIPS compliance, and compliance reporting.
Cached Credentials - Cached credentials are credentials that are added to the PBA database when a user successfully
authenticates with Active Directory. This information about the user is retained so that a user can log in when they do not have
a connection to Active Directory (for example, when taking their laptop home).
Common Encryption - The Common key makes encrypted files accessible to all managed users on the device where they were
created.
Deactivate - Deactivation occurs when SED Manager is turned OFF in the Management Console. Once the computer is
deactivated, the PBA database is deleted and there is no longer any record of cached users.
Encryption External Media - This service within Encryption protects removable media and external storage devices.
Encryption External Media Access Code - This service allows for recovery of Encryption External Media protected devices
where the user forgets their password and can no longer log in. Completing this process allows the user to reset the password
set on the media.
Encryption - On-device component that enforces security policies, whether an endpoint is connected to the network,
disconnected from the network, lost, or stolen. Creating a trusted computing environment for endpoints, Encryption operates as
a layer on top of the device operating system, and provides consistently-enforced authentication, encryption, and authorization
to maximize the protection of sensitive information.
Endpoint - Depending on context, a computer, mobile device, or external media.
Encryption Keys - In most cases, the Encryption client uses the User key plus two additional encryption keys. However, there
are exceptions: All SDE policies and the Secure Windows Credentials policy use the SDE key. The Encrypt Windows Paging File
policy and Secure Windows Hibernation File policy use their own key, the General Purpose Key (GPK). The Common key makes
files accessible to all managed users on the device where they were created. The User key makes files accessible only to the
user who created them, only on the device where they were created. The User Roaming key makes files accessible only to the
user who created them, on any Shielded Windows (or Mac) device.
Encryption sweep - The process of scanning folders to be encrypted to ensure the contained files are in the proper encryption
state. Ordinary file creation and rename operations do not trigger an encryption sweep. It is important to understand when an
encryption sweep may happen and what may affect the resulting sweep times, as follows:
- An encryption sweep occurs upon initial receipt of a policy that has encryption enabled. This can occur immediately after
activation if your policy has encryption enabled.
- If the Scan Workstation on Logon policy is enabled, folders specified for encryption are swept on each user logon.
- A sweep can be re-triggered under certain subsequent policy changes. Any policy change related to the definition of the
encryption folders, encryption algorithms, or encryption key usage (common versus user) triggers a sweep. In addition, toggling
between encryption enabled and disabled triggers an encryption sweep.