
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files, release notes, and/or the latest version of the applicable documentation, which are available from the Trend Micro website at:

Trend Micro, the Trend Micro t-ball logo, Endpoint Encryption,, Full Disk Encryption, FileArmor, and KeyArmor are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Copyright Trend Micro Incorporated. All rights reserved.

Document Part No.: APEM35670/
Release Date: Dec 2012
Protected by U.S. Patent No.: Patents pending.

This documentation introduces the main features of the product and/or provides installation instructions for a production environment. Read through the documentation before installing or using the product.

Detailed information about how to use specific features within the product may be available in the Trend Micro Online Help and/or the Trend Micro Knowledge Base at the Trend Micro website.

Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at [email protected]. Evaluate this documentation on the following site:


Trend Micro Endpoint Encryption Administrator's Guide

Table of Contents

Preface
  Product Document Set
  Document Conventions
  Intended Audience
  Terminology
  About Trend Micro

Chapter 1: Understanding Trend Micro Endpoint Encryption
  About Endpoint Encryption
  Endpoint Encryption Components
  System Requirements
  Key Features & Benefits
  Understanding Encryption
  File Encryption
  Full Disk Encryption
  Key Management
  About FIPS
  Management and Integration
  Account Roles and Authentication
  Account Roles
  Access Control by Application
  Authentication Options by Application
  Security Options
  Authentication Methods
  New Features in Endpoint Encryption
  Multi-language Support
  Active Directory Synchronization
  Enhancements
  Full Disk Encryption Enhancements

Chapter 2: Getting Started with
  Authenticating for the First Time
  Introducing MMC Interface
  Working with Groups and Users
  Defining Users and Groups
  Adding a Top Group
  Adding a New User to a Group
  Adding a New Enterprise User
  Adding an Existing User to a Group
  Understanding Policy Controls
  Visual Indicators for Policies
  Policy Fields and Buttons
  Modifying Policies
  Enabling Applications

Chapter 3: Understanding Policies
  Working with Policies
  Policy Management
  Selecting a Policy for Modification
  Editing Policies with Ranges
  Editing Policies with True/False or Yes/No Responses
  Editing Policies with Multiple-choice / Single-selection
  Editing Policies with Text String Arguments
  Editing Policies with Multiple Options
  Policies
  Admin Console Policies
  Administrator Policies
  Authenticator Policies
  Log Alert Policies
  PDA Policies
  Service Pack Download Policies
  Welcome Message Policies
  Full Disk Encryption Policies
  Common Policies
  PC Policies
  PPC Policies
  FileArmor Policies
  Computer Policies
  Encryption Policies
  Login Policies
  Password Policies
  MobileSentinel Policies
  Common Policies
  PPC Policies
  KeyArmor Policies
  Antivirus Policies
  KeyArmor Security Policies
  Login Policies
  Notice Message Policies
  Connection Policies
  DriveArmor Policies
  Authentication Policies
  Communications Policies
  Device Policies
  Common Policies
  Agent Policy
  Authentication Policies

Chapter 4: Working with Groups, Users, and Devices
  Working with Groups
  Adding a Top Group
  Adding a Subgroup
  Modifying a Group
  Removing a Group
  Working with Offline Groups
  Creating an Offline Group
  Updating an Offline Group
  Working with Users
  Add Users to
  Finding a User
  Modifying a User
  Viewing a User's Group Membership
  Adding a New User to a Group
  Adding an Existing User to a Group
  Changing a User's Default Group
  Allowing User to Install to a Group
  Removing Individual Users From a Group
  Removing All Users From a Group
  Restoring a Deleted User
  Working with Passwords
  Working with Devices
  Adding a Device to a Group
  Removing a Device from a Group
  Removing a Device from the Enterprise
  Viewing Directory Contents
  Viewing Device Attributes
  Viewing Directory Listing
  Killing a Device
  Locking a Device
  Rebooting a Device
  Restoring a Deleted Device

Chapter 5: Working with Full Disk Encryption
  Endpoint Encryption Tools
  Full Disk Encryption Preboot Authentication
  Menu Options
  Network Connectivity
  On-Screen Keyboard
  Changing the Keyboard Layout
  Changing Authentication Methods
  Changing Passwords
  Remote Help
  Smart Card
  Self Help
  Full Disk Encryption Connectivity
  Updating Full Disk Encryption Clients
  Full Disk Encryption Recovery Console
  Accessing Recovery Console
  Accessing Recovery Console from Windows
  Using Decrypt Disk
  Mount Partitions
  Restore Boot
  Manage Full Disk Encryption Users
  Manage Policies
  View Logs
  Network Setup
  Full Disk Encryption Recovery Methods
  Repair CD
  Recovering Data with Repair CD

Chapter 6: Working with FileArmor
  FileArmor Authentication
  FileArmor First-time Authentication
  FileArmor Domain Authentication
  FileArmor Smart Card Authentication
  FileArmor ColorCode Authentication
  FileArmor PIN Authentication
  Changing Password in FileArmor
  Forced Password Reset
  FileArmor System Tray Icon Menu
  Syncing with
  Syncing with Offline Files
  Changing
  FileArmor Encryption
  FileArmor Local Key Encryption
  FileArmor Shared Key Encryption
  FileArmor Fixed Password Encryption
  FileArmor Digital Certificate Encryption
  FileArmor Archive and Burn
  Burning an Archive with a Fixed Password
  Burning an Archive with a Certificate
  FileArmor Secure Delete

Chapter 7: Working with KeyArmor
  KeyArmor Authentication
  Authenticating to KeyArmor for the First Time
  Changing Authentication Methods
  Fixed Password
  KeyArmor Features
  Device Components
  Protecting Files with KeyArmor
  No Information Left Behind
  KeyArmor Antivirus Updates and Activity
  KeyArmor Check Disk Notification
  Using KeyArmor
  Warning About Unencrypted Devices
  KeyArmor Taskbar
  KeyArmor Menu
  Protecting Files with KeyArmor
  KeyArmor Activity Logging
  Safely Removing KeyArmor
  KeyArmor Full Scan
  Reassigning a KeyArmor Device to Another User
  Adding a Deleted KeyArmor Back to the Enterprise

Chapter 8: Working with Logs and Reports
  Log Events
  Managing Log Events
  Alerts
  Setting Alerts
  Enabling to relay SMS and Delivery
  Reports
  Report Options
  Report Icons
  Report Types
  Displaying Reports
  Scheduling Reports
  Displaying Report Errors

Chapter 9: Getting Support
  Trend Community
  Support Portal
  Contacting Technical Support
  Resolving Issues Faster
  TrendLabs

Appendix A: Message IDs

Index


Preface

Welcome to the Trend Micro Endpoint Encryption Administrator's Guide. This guide explains the major aspects of Endpoint Encryption: security architecture, encryption, authentication, and endpoint management. Topics include how to use server and endpoint client applications to support security objectives, how to provision users, groups and devices to implement policies, and how to use reports and logs to analyze enterprise security. This guide also includes information about troubleshooting configurations, using tools, and resolving issues.

This preface covers the following topics:

- Product Document Set
- Document Conventions
- Intended Audience
- Terminology
- About Trend Micro

Product Document Set

The documentation set for Trend Micro Endpoint Encryption includes the following:

TABLE 1. Product Documentation

| DOCUMENT | DESCRIPTION |
|---|---|
| Installation Guide | The Installation Guide explains system requirements and contains detailed instructions about how to deploy, install, migrate, and upgrade and endpoint clients. |
| Administrator's Guide | The Administrator's Guide explains product concepts, features and detailed instructions about how to configure and manage and endpoint clients. |
| Readme file | The Readme file contains late-breaking product information that is not found in the online or printed documentation. Topics include a description of new features, known issues, and product release history. |
| Knowledge Base | An online database of problem-solving and troubleshooting information. It provides the latest information about known product issues. To access the Knowledge Base, go to the following website: |

Note: All documentation is accessible from: docs.trendmicro.com

Document Conventions

The documentation uses the following conventions:

TABLE 2. Document Conventions

| CONVENTION | DESCRIPTION |
|---|---|
| UPPER CASE | Acronyms, abbreviations, and names of certain commands and keys on the keyboard |
| Bold | Menus and menu commands, command buttons, tabs, and options |
| Italics | References to other documents |
| Monospace | Sample command lines, program code, web URLs, file names, and program output |
| Navigation > Path | The navigation path to reach a particular screen. For example, File > Save means, click File and then click Save on the interface |
| Note | Configuration notes |
| Tip | Recommendations or suggestions |
| Important | Information regarding required or default configuration settings and product limitations |
| WARNING! | Critical actions and configuration options |

Intended Audience

This guide is for IT Administrators deploying Trend Micro Endpoint Encryption in medium to large enterprises and Help Desk personnel who manage users, groups, policies, and devices. The documentation assumes basic device, networking and security knowledge, including:

- Device hardware setup and configuration
- Hard drive partitioning, formatting, and maintenance
- Client-server architecture

Terminology

The following table provides terminology used throughout the documentation:

TABLE 3. Endpoint Encryption Terminology

| TERM | DESCRIPTION |
|---|---|
| Authentication | The process of identifying a user. |
| ColorCode | A color-sequence password. |
| Command Line Helper | Create encrypted values to secure credentials when creating an installation script. |
| Command Line Installer Helper | Create encrypted values to secure credentials when generating scripts for automated installations. |
| Device | Computer, laptop, or removable media (external drive, USB drive) hardware. |
| Domain authentication | Single sign-on (SSO) using Active Directory. |
| DriveTrust | Hardware-based encryption technology by Seagate. |
| Endpoint client | Any device with an Endpoint Encryption application installed. |
| FileArmor | The Endpoint Encryption client for file and folder encryption on local drives and removable media. |
| FIPS | Federal Information Processing Standard. United States federal government computing standards. |
| Fixed password | A standard user password consisting of letters and/or numbers and/or special characters. |
| Full Disk Encryption | The Endpoint Encryption client for hardware and software encryption with preboot authentication. |
| KeyArmor | The Endpoint Encryption client for a password-protected, encrypted USB drive. |
| OCSP | The Online Certificate Status Protocol (OCSP) is an Internet protocol used for X.509 digital certificates. |
| OPAL | Trusted Computing Group's Security Subsystem Class for client devices. |
| Password | Any type of authentication data, such as fixed, PIN, and ColorCode. |
| | The central management server that deploys encryption and authentication policies to the endpoint clients (Full Disk Encryption, FileArmor, KeyArmor). |
| SED | Secure Encrypted Device. A hard drive, or other device, which is encrypted. |
| Smart card | A physical card used in conjunction with a PIN or fixed password. |
| PIN | A Personal Identification Number, commonly used for ATM transactions. |
| Recovery Console | Recover a device in the event of primary OS failure, troubleshoot network issues, and manage users, policies, and logs. |
| Remote Help | Interactive authentication for users who forget their credentials or devices that have not synchronized policies within a pre-determined amount of time. |
| Repair CD | Use this bootable CD to decrypt the drive before removing Full Disk Encryption in the event that the disk becomes corrupted. |
| RSA SecurID | A mechanism for performing two-factor authentication for a user to a network resource. |
| Self Help | Question and answer combinations that allow users to reset a forgotten password without contacting Support. |

About Trend Micro

As a global leader in cloud security, Trend Micro develops Internet content security and threat management solutions that make the world safe for businesses and consumers to exchange digital information. With over 20 years of experience, Trend Micro provides top-ranked client, server, and cloud-based solutions that stop threats faster and protect data in physical, virtualized, and cloud environments.

As new threats and vulnerabilities emerge, Trend Micro remains committed to helping customers secure data, ensure compliance, reduce costs, and safeguard business integrity. For more information, visit:

Trend Micro and the Trend Micro t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies.

Chapter 1

Understanding Trend Micro Endpoint Encryption

Trend Micro Endpoint Encryption provides robust data protection and device control for a wide range of devices, including laptops, desktops, tablets, CDs, DVDs, USB drives, and other removable media.

This chapter covers the following topics:

- About Endpoint Encryption
- Key Features & Benefits
- Understanding Encryption
- System Requirements
- Account Roles and Authentication
- New Features in Endpoint Encryption

About Endpoint Encryption

Trend Micro Endpoint Encryption is a fully integrated hardware-based and software-based encryption solution to protect laptops and desktops, files and folders, removable media, and encrypted USB drives with embedded anti-malware/antivirus protection. With Endpoint Encryption, Administrators can use a single management console to flexibly manage a combination of hardware and software-based encryption with full transparency for end-users.

Trend Micro Endpoint Encryption ensures end-to-end data protection by providing FIPS encryption of the data residing on the management server; all data transmitted to/from the server; all data stored on the endpoint device; and, all locally stored client logs.

Using FIPS accredited cryptography, Endpoint Encryption offers the following benefits:

- Comprehensive data protection through fully integrated full disk, file, folder, USB drives, and removable media encryption.
- Centralized policy administration and key management through a single management server and console.
- Device management through device-specific information gathering and remote lock, reset, and the capability to wipe all endpoint data.
- Advanced real-time reporting and auditing to ensure security compliance.

Endpoint Encryption Components

Endpoint Encryption consists of one central management server (Web Service) that manages the policy and log databases (MobileArmor DB), LDAP authentication with Active Directory, and all client-server activity. Endpoint Encryption clients cannot interface directly with and must connect through the Client Web Service. For an illustration of this architecture, see Figure 1-1: Endpoint Encryption Client-Server Architecture.

Note: The port settings for all HTTP traffic are configurable at time of installation or through settings on the Endpoint Encryption client.

FIGURE 1-1. Endpoint Encryption Client-Server Architecture

The following table describes these components.

TABLE 1-1. Endpoint Encryption Components

| COMPONENT | DESCRIPTION |
|---|---|
| Web Service | The IIS web service that provides central management of policy administration, authentication, and reporting. |
| MMC | The Microsoft Management Console (MMC) is the interface used to control. |
| Endpoint Encryption client | An Endpoint Encryption client is any device with either Full Disk Encryption, FileArmor, or KeyArmor installed. Full Disk Encryption provides hardware and software full disk encryption, and preboot authentication. FileArmor provides file and folder encryption for content on local drives and removable media. KeyArmor is a hardened, encrypted USB drive with integrated antivirus protection. |
| MobileArmorDB | The Microsoft SQL Server database storing all user, policy, and log details. |
| Active Directory | The Web Service synchronizes user account information by communicating with Active Directory using LDAP. Account information is cached locally in the MobileArmorDB. Note: Active Directory is optional. |
| Client Web Service | The IIS web service that Endpoint Encryption clients use to communicate with the Web Service. |

System Requirements

The tables below outline the system requirements for Endpoint Encryption.

TABLE 1-2. Hardware Requirements

| SEPARATE HOSTS | SINGLE HOST |
|---|---|
| Host (3,000 Users): 2GHz Dual Quad Core Core2 Intel Xeon Processors; 4GB RAM; 40GB hard disk space | and SQL Server (1,500 Users): 2GHz Quad Core Core2 Intel Xeon Processors; 8GB RAM; 120GB hard disk space |
| SQL Server Host (3,000 Users): 2GHz Dual Quad Core Core2 Intel Xeon Processors; 8GB RAM; 100GB hard disk space | |

TABLE 1-3. Minimum Software Requirements

| FUNCTION | REQUIREMENT |
|---|---|
| Operating System | Windows Server 2003 SP2 32/64-bit; Windows Server 2008 or 2008 R2 64-bit |
| Applications and Settings | Application Server; IIS; Allow Active Server pages; Allow ASP.NET; .Net Framework 2.0 SP2. Note: requires two IIS locations. The Administration Interface and the Client Application Interface should be installed on different IIS locations. |
| Database | Microsoft SQL 2005/2008/2008 R2; Microsoft SQL Express 2005(SP3)/2008; Mixed Mode Authentication (SA password) installed; Reporting services installed |

TABLE 1-4. Full Disk Encryption System Requirements

| ITEM | REQUIREMENT |
|---|---|
| Processor | Intel Core 2 or compatible processor. |
| Memory | Minimum: 1GB |
| Disk space | Minimum: 30GB; Required: 20% free disk space; Required: 256MB contiguous free space |
| Network connectivity | Communication with required for managed installations |
| Operating Systems | Windows 8 (32/64-bit); Windows 7 (32/64-bit); Windows Vista with SP1 (32/64-bit); Windows XP with SP3 (32-bit) |
| Other software | Additional requirements for Windows 8: Microsoft .NET Framework 3.5 is enabled; for devices with UEFI, see the Endpoint Encryption Installation Guide for instructions to change the boot priority. Additional requirements for Windows XP: Microsoft .NET Framework 2.0 SP1 or later; Microsoft Windows Installer 3.1 |
| Hard disk | Seagate DriveTrust drives; Seagate OPAL and OPAL 2 drives. Note: RAID and SCSI disks are not supported. Full Disk Encryption for Windows 8 does not support RAID, SCSI, edrive, or OPAL 2 drives. |
| Other hardware | ATA, AHCI, or IRRT hard disk controller |

TABLE 1-5. FileArmor System Requirements

| ITEM | REQUIREMENT |
|---|---|
| Processor | Intel Core 2 or compatible processor. |
| Memory | Minimum: 512MB; Recommended: 1GB |
| Disk space | Minimum: 2GB; Required: 20% free disk space |
| Network connectivity | Communication with required for managed installations |
| Operating Systems | Windows 8 (32/64-bit); Windows 7 (32/64-bit); Windows Vista with SP1 (32/64-bit); Windows XP with SP3 (32-bit) |
| Other software | Additional requirements for Windows 8: Microsoft .NET Framework 3.5 is enabled; for devices with UEFI, see the Endpoint Encryption Installation Guide for instructions to change the boot priority. Additional requirements for Windows XP: Microsoft .NET Framework 2.0 SP1 or later; Microsoft Windows Installer 3.1 |

TABLE 1-6. KeyArmor System Requirements

| ITEM | REQUIREMENT |
|---|---|
| Hardware | USB 2.0 port |
| Network connectivity | Communication with required for managed installations |
| Operating Systems | Windows 7 (32/64-bit); Windows Vista with SP1 (32/64-bit); Windows XP with SP3 (32-bit) |
| Other software | Additional software required when installing on Windows XP: Microsoft .NET Framework 2.0 SP1 or later |

Key Features & Benefits

Endpoint Encryption includes the following key features and benefits:

TABLE 1-7. Endpoint Encryption Key Features

| FEATURE | BENEFITS |
|---|---|
| Encryption | Protection for the full disk, including the master boot record (MBR), operating system, and all system files. Hardware-based and software-based encryption for mixed environments. |
| Authentication | Flexible authentication methods, including both single and multi-factor. Policy updates before authentication and system boot. Configurable actions on failed password attempt threshold. |
| Device management | Policies to protect data on PCs, laptops, tablets, USB drives, CDs, and DVDs. Ability to remotely lock, wipe, or kill a device. |
| Central administration | Full control over encryption, monitoring, and data protection. Automated policy enforcement with remediation of security events. |
| Record keeping, reports, and auditing | Analyze usage statistics with scheduled reports and alert notifications. |

Understanding Encryption

Encryption is the process of making data unreadable unless there is access to the encryption key. Encryption can be performed via software or hardware (or a combination of the two) to ensure that data is protected locally on a device, on removable media, on specific files and folders, and on data in transit across networks or the Internet. Endpoint encryption is the most important way to assure data security and to ensure that regulatory compliance mandates for data protection are met.

File Encryption

FileArmor protects individual files and folders on local hard drives, and removable media devices (USB drives). Administrators can set policies specifying which folders and drives are encrypted on the device and policies about encrypted data on removable media. File and folder encryption is performed after authentication takes place.

FileArmor can also protect different files with different keys, allowing Administrators to set access policies to a device and separate policies for access to certain files. This is useful in environments where multiple users access one endpoint.

Full Disk Encryption

Full disk encryption is the most common encryption solution deployed to endpoints today because it protects all drive data, including operating system, program, temporary, and end-user files. Many full disk encryption applications also enhance operating system security by requiring the user to authenticate before booting/unlocking the drive and providing access to the operating system.

As an encryption solution, Trend Micro Full Disk Encryption offers both software-based and hardware-based encryption. While hardware-based encryption is simpler to deploy on new hardware, easier to maintain, and offers a higher level of performance, software-based encryption does not require any hardware and is cheaper to deploy to existing endpoints. Trend Micro is able to centrally administer Full Disk Encryption, providing organizations with flexibility to use either software-based or hardware-based encrypted devices as needed.

Unique to Endpoint Encryption is a network-aware feature that updates policies in real-time prior to allowing authentication. Endpoint Encryption also enables administrators to lock or wipe a drive before the operating system (and any sensitive data) can be accessed.

Key Management

Unmanaged encryption products require Administrators or users to keep track of the encryption key on a USB device. Endpoint Encryption secures and escrows encryption keys transparently while enabling an Administrator to use a key to log on the protected device to recover protected data.

KeyArmor USB drives secure data with always-on hardware encryption and embedded antivirus/anti-malware protection to meet regulatory compliance requirements and stringent government mandates. With KeyArmor, Administrators have complete visibility and control of who, when, where, and how USB drives are used in their organization.

About FIPS

The Federal Information Processing Standard (FIPS) Publication is a United States government device security standard that specifies the security requirements for encryption modules. FIPS includes four levels of security:

TABLE 1-8. FIPS Security Levels

| LEVEL | DESCRIPTION |
|---|---|
| Level 1 | Requires all encryption components to be production grade, and absent of obvious security holes. |
| Level 2 | Includes level 1 requirements and adds physical tamper-evidence and role-based authentication. |
| Level 3 | Includes level 2 requirements and adds physical tamper-resistance and identity-based authentication. |
| Level 4 | Includes level 3 requirements and adds additional physical security requirements. |

Endpoint Encryption ensures end-to-end data protection by providing FIPS level encryption of data residing on the ; all data transmitted between and endpoint clients; all data stored on the endpoint device; and, all locally stored client logs.

Management and Integration

When end-users require fortified data protection on multiple types of devices, which may require different encryption types, a centrally managed and integrated Endpoint Encryption solution reduces administration and maintenance costs. Endpoint Encryption is a centrally managed solution enabling the following data protection features:

- Centrally and transparently update the Endpoint Encryption clients when new versions are released
- Administer and leverage security policies to individuals and groups from a single policy server
- Control password strength and regularity for password changes
- Update security policies in real-time, before authentication, to revoke user credentials before booting the operating system

Account Roles and Authentication

Trend Micro Endpoint Encryption offers Administrators a number of account roles and authentication methods depending on their specific needs, including multi-factor authentication.

Account Roles

Endpoint Encryption includes several different account types intended for different roles within the enterprise. These roles determine how accounts access and perform various tasks.

TABLE 1-9. Endpoint Encryption Account Roles

| ROLES | DESCRIPTION |
|---|---|
| Enterprise Administrator | Controls entire enterprise and has administrative rights to all groups, users, devices, and policies regardless of where they reside within the enterprise. |
| Group Administrator | Administrative rights over any group and its subgroups that they are assigned. Note: Rights do not apply to parent groups, groups at the same level in the hierarchy or their subgroups. |
| Enterprise Authenticator | Intended for Help Desk personnel to provide remote assistance. This can occur when a user must call the help desk because they forgot their password or have a technical problem. Enterprise Authenticators have configurable privileges over the entire enterprise. |
| Group Authenticator | Similar to Enterprise Authenticator, but limited to the group level only. |
| User | For end-users who make use of the endpoint clients, but are not assigned administrative or authenticator responsibilities. |

Access Control by Application

Authentication and access control are important in any enterprise. Full Disk Encryption limits system access at boot up and file and folder access once the user is logged on the operating system. FileArmor, KeyArmor, and provide the same level of security and access control by enabling two-factor authentication. Each Endpoint Encryption application offers unique characteristics and levels of control.

TABLE Authentication Control by Application

| APPLICATION | CONTROL |
|---|---|
| | Application access to the management console. |
| Full Disk Encryption | Authentication control before booting into Windows. |
| FileArmor | File and folder-level access control once in the operating system. |
| KeyArmor | Device control for access to encrypted content on removable devices. |

Authentication Options by Application

TABLE Authentication Options Available to Endpoint Clients

| PRODUCT | FIXED PASSWORD | DOMAIN PASSWORD | SMART CARD | PIN | RSA | COLORCODE |
|---|---|---|---|---|---|---|
| | Yes | Yes | Yes | No | No | No |
| Full Disk Encryption | Yes | Yes | Yes | Yes | No | Yes |
| FileArmor | Yes | Yes | Yes | Yes | No | Yes |
| KeyArmor | Yes | No | Yes | Yes | Yes | Yes |

Security Options

If a user is unable to authenticate, he/she is prompted to re-enter the credentials. Depending on policy settings, too many consecutive unsuccessful authentication attempts will delay the next log on attempt, lock, or erase all data from the endpoint.

TABLE Authentication Security Options

| SECURITY OPTION | DESCRIPTION |
|---|---|
| Time delay | The device is locked and no authentication attempts can be made until the lockout time is passed. Ensure that the credentials are correct. Use Self Help (if available) to avoid waiting for the time delay period. |
| Remote authentication required | The device is locked. Ensure that the credentials are correct. Contact the Administrator to use Remote Help and unlock the device. For details, see Remote Help. |
| Erase the device | All data is removed from the device. |

Authentication Methods

Endpoint Encryption offers several authentication methods. The specific methods available to the endpoint client are determined by.

TABLE Supported Authentication Methods

| AUTHENTICATION TYPE | DESCRIPTION |
|---|---|
| Domain authentication | Single sign-on (SSO) using Active Directory. |
| Fixed password | A string of characters, numbers, and symbols. |
| PIN | A standard personal identification number. |
| ColorCode | Use a sequence of colors as a password. |
| Smart card | A physical card used in conjunction with a PIN or fixed password. |
| Self Help | Question and answer combinations that allow users to reset a forgotten password without contacting Support. |
| Remote Help | Interactive authentication for users who forget their credentials or devices that have not synchronized policies within a pre-determined amount of time. |

Domain Authentication

Domain authentication using Active Directory permits single sign-on (SSO). Users only need to provide credentials once to authenticate to Full Disk Encryption, log on Windows, and access FileArmor.

Prerequisites

For seamless integration, ensure the following requirements are met:

- All devices are on the same domain as.
- The user name configured in Active Directory exactly matches the one in, including case.
- The user name is located within a group and the Domain Authentication policy is set to Yes.
- Common > Network Login policies (Host Name, Domain Name) are configured correctly based on the LDAP or Active Directory server settings.

Note: For details about configuring LDAP and Active Directory settings, see Active Directory Synchronization.

34 Trend Micro Endpoint Encryption Administrator's Guide Fixed Passwords Fixed passwords are the most common authentication method. A fixed password is created by the user and can be almost anything. Administrators can place restrictions on fixed passwords to ensure that they are not easily compromised. PIN A Personal Identification Number (PIN) is another common identification method. Similar to a fixed password, a PIN is created by the user and can be almost anything. Like fixed passwords, Administrators may place restrictions on the PIN combination. ColorCode ColorCode is a unique authentication method designed to easily remembered and quickly provide. Instead of using numbers or letters for a password, ColorCode 1-16

35
authentication consists of a user-created sequence of colors (for example: red, red, blue, yellow, blue, green).

FIGURE 1-2. ColorCode Logon

Smart Card

Smart card authentication requires both a PIN and a physical card when confirming a user's identity. Insert the smart card before providing a PIN.

Important
To allow smart card authentication for all Endpoint Encryption clients, enable the following policy: Full Disk Encryption > PC > Login > Token Authentication.

1-17

36

Self Help

Use Self Help to authenticate when users have forgotten their credentials. Self Help requires users to respond with answers to predefined personal challenge questions. Self Help can also be used instead of fixed password or other authentication methods.

Important
must be configured to allow Self Help authentication. For more information, see Understanding Policies on page 3-1.

WARNING!
A maximum of six questions can display to endpoint clients. Do not create more than six questions in, or users will be unable to log on.

Remote Help

Use Remote Help when a user is locked out of an endpoint client after too many failed logon attempts or when too much time has passed since the last synchronization. Within each application's policies, set the action to Remote Authentication.

TABLE Policies Affecting Remote Help Authentication

POLICY | DESCRIPTION
Login > Account Lockout Period | The number of days that a device cannot communicate with before Account Lockout Action is called.
Login > Account Lockout Action | The action taken when the length of time in Account Lockout Actions include: erase, remote authentication.
Login > Failed Login Attempts Allowed | The number of failed login attempts allowed before executing the action defined in Device Locked

1-18

37

POLICY | DESCRIPTION
Login > Device Locked Action | The action taken when the Failed Attempts Allowed policy value has been exceeded. Actions include: time delay, erase, remote authentication.

New Features in Endpoint Encryption

Trend Micro Endpoint Encryption includes the following enhancements:

Multi-language Support

Endpoint Encryption now offers support for the following languages:

TABLE Supported Languages

PRODUCT | LANGUAGES: SPANISH | FRENCH | GERMAN
Full Disk Encryption | Yes | Yes | Yes
FileArmor | Yes | Yes | Yes
 | Yes | Yes | Yes
KeyArmor | No | No | No

Active Directory Synchronization

Endpoint Encryption now supports account synchronization between Active Directory and. Active Directory can be leveraged for single-sign-on across all endpoint client applications. See the Endpoint Encryption Installation Guide for detailed instructions about how to configure for AD synchronization. The Installation Guide is available at:

1-19

38

Enhancements

- The installer now allows for a trial license that expires after 30 days.
- The Enterprise name and Enterprise Administrator account are configured at time of installation.
- The port number for web services can now be set during installation.
- To improve security, now has a Client Web Service that allows all clients to connect to using this new interface.
- Improved policy lookup and naming.
- Improved audit logs.
- A new Recycle Bin node allows Administrators to recover deleted users and devices.
- Global policies now allow for policy changes to easily push to subgroups from the parent level.

Full Disk Encryption Enhancements

New Features

- OPAL 2 is now supported
- Windows 8 is now supported on non-UEFI devices
- Policies now automatically synchronize with when a device loads the preboot logon
- Password sharing between devices in the same group (for password sharing devices) is now supported
- Unmanaged installations now fully support hardware and software based encryption
- Console-based preboot now works for unsupported display configurations

1-20

39

Easier Installation

- There is now one installer for software and hardware based encryption (Seagate OPAL and DriveTrust). This same installer also supports 32 and 64-Bit OS installations
- Improved pre-install check and error/log reporting
- Full Disk Encryption can now install without encrypting and without a preboot (via policy setting). This provides better control of phased roll-out to distribute software, enable preboot authentication, and turn on encryption

Improved Management and Administration

- Recovery Console access in Windows and preboot
- Easily update the information and re-assign a device to the original or a new
- More Robust Repair CD
- Scripted Uninstalls

1-21

40

41

Chapter 2
Getting Started with

Before configuring to centrally manage endpoint clients, services, databases, and MMC should already be installed. See the Endpoint Encryption Installation Guide for detailed instructions about setting up services, databases, and MMC. The Installation Guide is available at:

This chapter covers the following topics:

- Authenticating for the First Time on page 2-2
- Introducing on page 2-2
- Working with Groups and Users on page 2-4
- Understanding Policy Controls on page 2-13
- Enabling Applications on page

42

Authenticating for the First Time

The Enterprise name and Enterprise Administrator account were configured at the time of installation. functions normally with all client applications, unlimited devices, and 100 users available for a 30-day trial period. After 30 days, contact Technical Support to receive a license file. Users/devices can still log on after the trial period expires.

This task explains how to import the license file and then log on. It is usually provided as a text file.

Procedure

1. Open MMC.
2. Go to File > Import License.
3. Provide the license file unlock code.
4. Browse to the license file and then click Update.
5. Provide the enterprise, user name, password and the IP address or hostname specified in the license file.
6. Click Login.

Introducing

utilizes a Microsoft Management Console (MMC). has a hierarchical structure that distributes administrative responsibility while maintaining centralized control when:

- Defining security policy parameters
- Managing users, devices, and groups (including offline groups)
- Enabling/Disabling endpoint applications

2-2

43

Use MMC auditing and reporting functions to monitor the security infrastructure and meet compliance requirements.

MMC Interface

MMC interface contains the following panes:

TABLE 2-1. MMC Interface

WINDOW | DESCRIPTION
Left pane (1) | Use the left pane to view users, groups, policies, devices, and applications. Expand the top level to manage nested elements within the tree structure. Open items will update the content in the results window.
Right pane (2) | Use the right pane to modify policies, user information, and group information. The currently selected tree item is displayed in the results window. The exact format of the information shown in the results window depends on the item selected in the tree.

FIGURE 2-1. MMC Interface

2-3

44

Within the left pane tree structure, there are a number of different nodes. The following table describes each node:

TABLE 2-2. MMC Tree Structure Hierarchy

NODE | PURPOSE
Enterprise users | View all Administrators, authenticators and users within the entire enterprise. To see group affiliation, open the group and click Users.
Enterprise devices | View all instances of endpoint clients and which device they are connecting from. To see group affiliation, open the group and click Devices.
Enterprise policies | Control whether endpoint applications can connect to. Also, manage all enterprise policies. Group policies override enterprise policies.
Enterprise log events | View all log entries for the enterprise.
Enterprise reports | Manage various reports and alerts. No group-only reports are available.
Enterprise maintenance | Manage MMC application plug-ins.
Recycle bin | View deleted users and devices.
Groups | Manage users, devices, policies and log events for a collection of users.

Working with Groups and Users

This section explains how to get started with Endpoint Encryption groups and users. First define the users and groups, and then assign users to groups. It is also possible to add new users directly to a group. At least one Top Group is required.

User and group structure recommendations:

- Follow the Active Directory structure when configuring a group structure.

2-4

45

- Create a new group whenever there is a policy difference between groups of users. If one group requires domain authentication and another requires fixed password, then two separate policy groups are required.
- Create multiple groups to minimize access to devices within a group. All members of a group are allowed access to any device in that group.

Defining Users and Groups

Define all roles and group affiliations before adding any users or groups to.

1. Identify Enterprise Administrators/Authenticators.
2. Create Enterprise Administrators/Authenticators.
3. Identify groups.
4. Create groups.
5. Identify Group Administrators/Authenticators.
6. Create Group Administrators/Authenticators.
7. Identify users to be assigned to each group.
8. Import or create new users for each group.

Adding a Top Group

Groups simplify managing enabled applications, users, policies, subgroups, and devices. A Top Group is the highest level group.

Note
Enterprise Administrator/Authenticator accounts cannot be added to groups. To create a Group Administrator, add a user and change his/her permissions within the group.

Procedure

1. Right-click the enterprise name in the left pane, and click Add Top Group.

2-5

46

FIGURE 2-2. Adding a Top Group

The Add New Group screen appears.

2. Provide the name and a description for the group.
3. Only select Support Legacy Devices if using legacy devices that do not support Unicode encoding. Some legacy devices may not be able to communicate with using Unicode. Assign Unicode and legacy devices to different groups.

2-6

47

FIGURE 2-3. Add New Group

4. Click Apply.
5. At the confirmation message, click OK.

The new group is added to the tree structure in the left pane.

Adding a New User to a Group

Note
Adding a user to the enterprise does not assign the user to any groups. Adding a user to a group adds the user to the group and to the enterprise.

Procedure

1. Expand the Group and open Users.
2. Right-click whitespace in the right pane and select Add New User.

2-7

48

The Add New User screen appears.

FIGURE 2-4. Add New User Screen

3. Specify user information. User name, first name, and last name are required.
4. Only select Freeze if the account should be temporarily disabled. While frozen, the user is unable to log on devices.
5. Use the Group User Type field to set the privileges of the new account. Enterprise Administrators and Authenticators cannot be added to groups.
6. Select One Group to prevent the user from belonging to multiple groups.
7. Select the Authentication Method.

Note
The default authentication method for users is None.

8. Click OK.

2-8

49

The new user is added to the selected group and to the Enterprise. The user can now log on a device.

Adding a New Enterprise User

Note
Adding a user to the enterprise does not assign the user to any groups. Adding a user to a group adds the user to the group and to the enterprise.

Procedure

1. Expand the Enterprise and open Users.
2. Right-click whitespace in the right pane and select Add User.

The Add New User screen displays.

2-9

50

FIGURE 2-5. Add New User Screen

3. Specify user information. User name, first name, and last name are required.
4. Only select Freeze if the account should be temporarily disabled. While frozen, the user is unable to log on devices.
5. Use the User Type field to set the privileges of the new account. Enterprise Administrators and Authenticators cannot be added to groups.
6. Select One Group to prevent the user from belonging to multiple groups.
7. Select the Authentication Method.

Note
The default authentication method for users is None.

8. Click OK.

2-10

51

The new user is added to this Enterprise. The user cannot log on a device until he/she is added to a group.

Adding an Existing User to a Group

A user can be added to numerous groups.

Procedure

1. Expand the group in the left pane and then click Users.
2. Right-click whitespace in the right pane, and select Add Existing User.

The Add Users To Group screen appears.

2-11

52

FIGURE 2-6. Add Existing Users To Group Screen

3. Specify user details and then click Search. If there is a match, the Source field populates with accounts.
4. Select user accounts from the list and click the blue arrow to add them. See Table 2-3: Icons to Add/Remove Users on page 2-12 for additional controls.

TABLE 2-3. Icons to Add/Remove Users

CENTER ICONS | DESCRIPTION
[icon] | Add a single selected user to Destination field.

2-12

53

CENTER ICONS | DESCRIPTION
[icon] | Add all found users based on search criteria to Destination field.
[icon] | Delete a single selected user from Destination field.
[icon] | Delete all users from Destination field.

5. To change a user's password:
   a. In the Destination field, highlight the user.
   b. Click Enter User Password located at the bottom of the window.
   c. In the window that appears, specify the user's authentication method.
   d. Click Apply.
6. Click Apply.

The user is added to the group. If this is the only group that the user belongs to, then the user is now able to log on to the endpoint client.

Understanding Policy Controls

After setting up all users and groups in the enterprise, set policies for the enterprise or group. Each group in the left pane tree structure (whether a Top Group or subgroup) contains one or more endpoint application policy folders. For details about the interface, see MMC Interface on page

54

Note
Policies can be enabled or disabled at the enterprise or group level. See Working with Policies on page 3-2.

Visual Indicators for Policies

Colored circles beside each policy indicate the state of the policy.

TABLE 2-4. Policy Indicators

INDICATOR | DESCRIPTION
[icon] | The policy value is inherited from the parent group or the Enterprise.
[icon] | A policy is modified for the group.
[icon] | The policy may have multiple arrays of values.
[icon] | The policy has one or more sub-policies.

Policy Fields and Buttons

Use the fields and buttons shown below to control policy elements. All modified values are propagated to a group's subgroups. Depending on what the policy controls, certain fields are not present.

TABLE 2-5. Policy Fields and Buttons

FIELD/BUTTON | DESCRIPTION | CHANGEABLE?
OK | Saves changes to the selected policy | N/A
Description | Explains the selected policy | No
Policy Range | Displays the value range that the selected policy can fall between | Yes

2-14

55

FIELD/BUTTON | DESCRIPTION | CHANGEABLE?
Policy Value | Depending on the policy, displays the actual value of the selected policy, whether it contains a string, number, or series of entries | Yes
Policy Multiple Value | Specifies whether this policy can be used multiple times for different settings (multiple if found strings) | No
Policy Name | Displays the name of the selected policy | No
Policy Type | Specifies the category for the selected policy | No
Enterprise controlled | Makes this policy mirror changes to the same policy at the Enterprise level | Yes
Save to subgroups | Pushes policy settings to the same policy in all subgroups | Yes

Modifying Policies

has a common set of windows to modify policies. Different types of input are available depending on what the policy controls and which parameters are required. The steps required to edit one policy differ from those required to modify another. This task gives a general overview about editing a policy. For more details about modifying policies, including explanations about configuring different policy types, see Policy Management on page 3-2.

Procedure

1. Expand the Enterprise.
2. Choose which policy level to modify:
   a. For enterprise-level policies, expand Enterprise Policies.
   b. For group-level policies, expand the Group Name and then expand Policies.
3. Open the specific application or select Common.

The policy list displays in the results window.

2-15

56

FIGURE 2-7. Modifying a Policy

4. Go to a policy and double-click to open the editor window. For this example, Console Timeout is used.

2-16

57

FIGURE 2-8. Console Timeout Policy Editor Window

5. Specify changes appropriate for the policy, and then click OK.

Enabling Applications

Important
To ensure proper communication and policy synchronization, the Endpoint Encryption application must be enabled in before installation.

Procedure

1. Log on MMC.

2-17

58

2. Click Enterprise Policies.

All applications appear in the right pane.

FIGURE 2-9. Enable Applications

3. Right-click the application and then select Enable.

Note
In order to use Full Disk Encryption, both Full Disk Encryption and MobileSentinel applications must be enabled.

The application is enabled and managed by.

2-18

59

Chapter 3
Understanding Policies

This chapter explains how to use policies and provides detailed information about individual policy setting values. For information about managing users, groups, and devices, see Working with Groups, Users, and Devices on page 4-1.

This chapter explains the following topics:

- Working with Policies on page 3-2
- Policy Management on page 3-2
- Policies on page 3-12
- Full Disk Encryption Policies on page 3-17
- FileArmor Policies on page 3-23
- MobileSentinel Policies on page 3-28
- KeyArmor Policies on page 3-32
- DriveArmor Policies on page 3-36
- Common Policies on page

60

Working with Policies

This section explains how to use various windows to change a policy, but does not explain the process to modify every policy. All policies have default values. MMC has a common set of windows to use when modifying a policy. One policy will have an editor window available to edit the numbers, ranges and values associated with the policy while another policy will have a window to modify text strings.

When managing policies, note the following:

- Policies are configurable by application within each group.
- Policy inheritance only occurs when a subgroup is created. For details about group permissions, see Working with Groups on page 4-2.

Policy Management

Every group in the left pane tree structure (whether a Top Group or subgroup) contains one or more endpoint application policy folders. The results window in the right pane displays controls to:

- Display a list of policies and their values.
- Modify a policy using the editor window.
- Run reports and other log events.
- Run enterprise maintenance.

For a detailed explanation of the interface, see MMC Interface on page

61

FIGURE 3-1. MMC Window

Selecting a Policy for Modification

Procedure

1. Go to Group Name > Policies > Application Name. Example: Group1 > Policies > Full Disk Encryption.
2. Go to the specific policy. Example: Common > Client > Allow User to Uninstall.
3. Right-click the policy and select Properties.

3-3

62

Editing Policies with Ranges

An example of editing policies with ranges is the Failed Login Attempts Allowed policy. Failed Login Attempts Allowed controls whether a device is locked when a user exceeds the number of failed authentication attempts allowed.

FIGURE 3-2. Policy with Ranges Window

Using the parameters defined in the Policy Range fields, an Administrator can indicate the number of failed authentication attempts allowed per user in the Policy Value field.

Procedure

1. Right-click the policy to be modified and then click Properties.

3-4

63

2. In the Policy Range Minimum field, specify the lowest number of failed authentication attempts that can be made by a user in this group before the device is locked.

   Note
   The minimum and maximum values for the policy range can be the same as the parent's range, or they can be modified. The minimum and maximum values cannot be extended.

3. In the Policy Range Maximum field, specify the highest number of authentication attempts that can be made by a user in this group before authentication fails and the device is locked.
4. In the Policy Value field, specify the number of failed authentication attempts allowed for a user in this group before the device is locked.
5. Click OK to save any changes to this window.

The policy change is activated once the endpoint client synchronizes with.

Editing Policies with True/False or Yes/No Responses

Some policies only have True/False or Yes/No options. For this example, Preboot Bypass is used. A Group Administrator can define whether the Full Disk Encryption Preboot should display. If the Parent Group allows Yes and No, then the subgroup Authenticators have the right to set the range to Yes and No, just Yes, or just No. If the Parent Group has

3-5

64
set the range to either Yes or No, then the subgroup Administrator can only select that same range.

FIGURE 3-3. Policy with Yes/No Values

Procedure

1. Right-click the policy to be modified and then click Properties.
2. The Policy Value field sets whether the policy is turned on.
3. The Range field sets whether this policy is available to other users or groups. For example, if this policy is set to No by an Enterprise Administrator in Enterprise Policies, then the policy will not be available to set to Yes by other groups.
4. Click OK to save any changes to this window.

3-6

65

The policy change is activated once the endpoint client synchronizes with.

Editing Policies with Multiple-choice / Single-selection

Some policies have multiple options available. The Device Locked Action policy is edited in a multiple-choice/single-selection window. Administrators can only select one Policy Value. In this example, the Group Administrator must define the action to take when a user exceeds the allowed number of authentication attempts.

FIGURE 3-4. Policy with Multiple Choice/Single Selection

3-7

66

Procedure

1. Right-click the policy to be modified and then click Properties.
2. Select the desired default setting for the Policy Value drop-down.
3. Select the available options for the Policy Range area.

   Note
   Removing an option removes the value from the Policy Value drop-down.

4. Click OK to save changes.

The policy change is activated once the endpoint client synchronizes with.

3-8
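The inheritance rules from the three editing procedures above (a subgroup may narrow a parent's range or option set but never extend it, and the Policy Value must fall inside the group's own range) can be checked mechanically. The following Python model is an added illustration, not product code: the class and function names are hypothetical, and the sample ranges are constructed; only the policy names come from this guide.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Union


@dataclass(frozen=True)
class RangePolicy:
    """Numeric policy edited with Policy Range Minimum/Maximum and Policy Value."""
    name: str
    minimum: int
    maximum: int
    value: int


@dataclass(frozen=True)
class ChoicePolicy:
    """Yes/No or multiple-choice policy: a set of allowed options plus one value."""
    name: str
    allowed: FrozenSet[str]   # options left selected in the Policy Range area
    value: str                # single selection in the Policy Value drop-down


Policy = Union[RangePolicy, ChoicePolicy]


def check_policy(parent: Policy, child: Policy) -> List[str]:
    """Return the rule violations for one subgroup policy (empty list = valid)."""
    if type(parent) is not type(child) or parent.name != child.name:
        return [f"{child.name}: no matching parent policy of the same type"]
    problems: List[str] = []
    if isinstance(child, RangePolicy):
        if child.minimum > child.maximum:
            problems.append(f"{child.name}: minimum is above maximum")
        # A subgroup range may equal or narrow the parent's range, never extend it.
        if child.minimum < parent.minimum or child.maximum > parent.maximum:
            problems.append(
                f"{child.name}: range {child.minimum}-{child.maximum} extends "
                f"parent range {parent.minimum}-{parent.maximum}")
        if not child.minimum <= child.value <= child.maximum:
            problems.append(f"{child.name}: value {child.value} is outside the range")
    else:
        extra = sorted(child.allowed - parent.allowed)
        if extra:
            problems.append(f"{child.name}: options {extra} are not offered by the parent")
        # Removing an option from the range removes it as a selectable value.
        if child.value not in child.allowed:
            problems.append(f"{child.name}: value {child.value!r} is not in the Policy Range")
    return problems


def check_group(parent: Dict[str, Policy], child: Dict[str, Policy]) -> Dict[str, List[str]]:
    """Check every policy a subgroup defines; report only those with problems."""
    report: Dict[str, List[str]] = {}
    for name, policy in child.items():
        if name not in parent:
            report[name] = [f"{name}: not defined in the parent group"]
            continue
        problems = check_policy(parent[name], policy)
        if problems:
            report[name] = problems
    return report


def choice(name: str, allowed: List[str], value: str) -> ChoicePolicy:
    return ChoicePolicy(name, frozenset(allowed), value)


# Constructed sample data: the numeric ranges and group contents are invented.
ACTIONS = ["Time Delay", "Erase", "Remote Authentication"]
PARENT = {
    "Failed Login Attempts Allowed": RangePolicy("Failed Login Attempts Allowed", 1, 10, 5),
    "Device Locked Action": choice("Device Locked Action", ACTIONS, "Time Delay"),
    "Preboot Bypass": choice("Preboot Bypass", ["No"], "No"),
}
SUBGROUP_OK = {
    "Failed Login Attempts Allowed": RangePolicy("Failed Login Attempts Allowed", 3, 5, 3),
    "Device Locked Action": choice(
        "Device Locked Action", ["Time Delay", "Remote Authentication"], "Remote Authentication"),
    "Preboot Bypass": choice("Preboot Bypass", ["No"], "No"),
}
SUBGROUP_BAD = {
    "Failed Login Attempts Allowed": RangePolicy("Failed Login Attempts Allowed", 1, 20, 15),
    "Device Locked Action": choice(
        "Device Locked Action", ["Time Delay", "Remote Authentication"], "Erase"),
    "Preboot Bypass": choice("Preboot Bypass", ["Yes", "No"], "Yes"),
}

if __name__ == "__main__":
    for label, group in (("SUBGROUP_OK", SUBGROUP_OK), ("SUBGROUP_BAD", SUBGROUP_BAD)):
        print(label, check_group(PARENT, group) or "valid")
```
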

67

Editing Policies with Text String Arguments

Some policies have an editable text string for single array arguments. The Dead Man Switch policy is an example of a policy that provides the capability to specify a string of text.

FIGURE 3-5. Policy with Text String Argument

Procedure

1. Right-click the policy to be modified and then click Properties.

3-9

68

2. For the Policy Value field, specify the sequence of characters for this policy.
3. Click OK to save any changes to this window.

The policy change is activated once the endpoint client synchronizes with.

Editing Policies with Multiple Options

Some policies can have multiple options stored in sub-policies affecting that policy. Multiple option policies are designed to create separate lines in a text string; each sub-policy is a new line in the string. For example, the If Found policy displays how to return a found device. A normal address format displays the name, street address, and city/state/zip on three separate lines.

Note
The number of sub-policies is limited by endpoint application capabilities, generally to no more than six lines of text.

Procedure

1. Right-click the policy to be modified and then click Add.

3-10

69

FIGURE 3-6. If Found Policy: Adding a New Option

2. In the policy window that displays, specify details in the Policy Value field.

   Note
   Depending on the policy, a new policy might be added and then modified by right-clicking and selecting Properties.

3. Click OK to save any changes to this window and repeat if necessary.

FIGURE 3-7. If Found Policy: Results After Adding Multiple Options

4. To make changes, right-click the child policy and then select Properties.

The policy change is activated once the endpoint client synchronizes with.

3-11

70

Policies

This section explains the configurable options for all enterprise policies affecting.

Admin Console Policies

Policies governing the administration tools like Enterprise Security Manager and MMC.

TABLE 3-1. Admin Console Policies

POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT
Console Timeout | Exit the administration tool after the Timeout (minutes) has expired with no activity. | 1-60 Default:
Failed Login Attempts Allowed | Lockout the admin logon after this number of consecutive failed log on attempts. | Default:
Legal Notice | Contains the legal notice that must be displayed before the Administrator or Authenticator can use the administration tools. | chars Default: N/A

Administrator Policies

Policies governing group Administrator privileges.

TABLE 3-2. Administrator Policies

POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT
Add Devices | Specify whether group administrators are allowed to add devices. | Yes, No Default: Yes
Add Users | Specify whether group administrators are allowed to add new users. | Yes, No Default: Yes

3-12

71

POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT
Add Users to Enterprise | Specify whether group administrators are allowed to add new users to the enterprise. | Yes, No Default: No
Add/Modify Groups | Specify whether group administrators are allowed to add/modify subgroups. | Yes, No Default: Yes
Change Policies | Specify whether group administrators are allowed to change policies. | Yes, No Default: Yes
Copy/Paste Groups | Specify whether group administrators are allowed to copy and paste subgroups. | Yes, No Default: Yes
Remove Devices | Specify whether group administrators are allowed to remove devices. | Yes, No Default: Yes
Remove Groups | Specify whether group administrators are allowed to remove subgroups. | Yes, No Default: Yes
Remove Users | Specify whether group administrators are allowed to remove users. | Yes, No Default: Yes
Remove Users from Enterprise | Specify whether group administrators are allowed to remove users from the enterprise. | Yes, No Default: No

Authenticator Policies

Policies governing enterprise and group authenticator rights and privileges.

TABLE 3-3. Authenticator Policies

POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT
Add Devices | Specify whether authenticators are allowed to add devices. | Yes, No Default: No
Add Users | Specify whether authenticators are allowed to add new users. | Yes, No Default: No

3-13

72

POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT
Add Users to Enterprise | Specify whether authenticators are allowed to add new users to the enterprise. | Yes, No Default: No
Add/Modify Groups | Specify whether authenticators are allowed to add/modify subgroups. | Yes, No Default: No
Copy/Paste Groups | Specify whether authenticators are allowed to copy and paste subgroups. | Yes, No Default: No
Remove Devices | Specify whether authenticators are allowed to remove devices. | Yes, No Default: No
Remove Groups | Specify whether authenticators are allowed to remove subgroups. | Yes, No Default: No
Remove Users | Specify whether authenticators are allowed to remove users. | Yes, No Default: No
Remove Users from Enterprise | Specify whether authenticators are allowed to remove users from the enterprise. | Yes, No Default: No

Log Alert Policies

Policies governing messages sent for important log events.

TABLE 3-4. Log Alerts Policies

POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT
From Address | Specify the address that is used as the source address for the alerts message. | characters Default: N/A
SMTP Server Name | Specify the SMTP server responsible for sending alert messages. | characters Default: N/A

3-14

73

PDA Policies

Policies governing how PDA devices can communicate with.

TABLE 3-5. PDA Policies

CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT
PDA | Cell Phone PDA | Specify whether cell phone PDA devices are notified via SMS or the installation message. | SMS, , None Default: None
PDA | | settings used to send installation notification to the user. |
PDA > | SMTP Server Name | Specify the SMTP server responsible for sending messages | characters
PDA > | Subject | Specify the subject text that is displayed to the user in the Subject Line of the | characters
PDA | SMS | Specify whether devices are notified via SMS if policy/user settings have changed. | Enable, Disable Default: Disable
PDA > SMS | Domain | Specify the target domain | characters
PDA > SMS | SMTP Server Name | Specify the SMTP server responsible for sending SMS notifications | characters
PDA > SMS | Source | Specify the address that SMS and notifications are sent from. | characters
PDA | Tethered PDA | Specify whether wireless, Bluetooth, cradled, or cell phone PDA devices are notified via the installation message | , None Default: None

3-15

74

CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT
PDA | Welcome Message | Contains the welcome message file whose contents are displayed to the user during the download process | characters

Service Pack Download Policies

Policies governing automatic client service pack download times.

TABLE 3-6. Service Pack Download Policies

POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT
Service Pack Download Begin Hour | Set the time to download service packs | Default: 0
Service Pack Download End Hour | Set the time to stop downloading any service pack | Default: 0

Welcome Message Policies

Policies governing whether to send a welcome message to users when they have been added to a group.

TABLE 3-7. Welcome Message Policies

POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT
Message | Contains the welcome message file | characters Default: N/A
SMTP Server Name | Specify the SMTP server responsible for sending welcome messages | characters Default: N/A

3-16

75

POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT
Source | Specify the address that is used as the source address for welcome message. | characters Default: N/A
Subject | The Welcome message subject line | characters Default: N/A

Full Disk Encryption Policies

This section explains the configurable options for all policies affecting Full Disk Encryption clients.

Common Policies

Common policies affecting Full Disk Encryption, including logging in, uninstalling Full Disk Encryption, and locking devices.

TABLE 3-8. Full Disk Encryption Common Policies

CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT
Client | Allow User to Uninstall | Specify whether user can uninstall Full Disk Encryption. | Yes, No Default: No

3-17

76

CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT
Login | Account Lockout Action | Specify the action to be taken when the device has failed to communicate with the as specified in the policy Account Lockout Period. Erase: All content on the device is wiped. Remote Authentication: Require user to perform remote authentication. | Erase, Remote Authentication Default: Remote Authentication
Login | Account Lockout Period | Specify the number of days that the client may be out of communication with the | Default: 360
Login | Dead Man Switch | Specify a sequence of characters, when entered will erase all contents on the device | characters Default: N/A
Login | Device Locked Action | Specify the action to be taken when the device locks. Time Delay: The amount of time that must elapse before the user can retry logging on. Erase: All content on the device is wiped. Remote Authentication: Require user to perform remote authentication. | Time Delay, Erase, Remote Authentication Default: Time Delay
Login | Failed Login Attempts Allowed | Specify the number of failed Login attempts before using Lock Device Time Delay | Default: 5
Login > If Found | If Found | Specify information to be displayed | characters Default: N/A

3-18

| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|---|
| Login | Legal Notice | Specify whether a legal notice should be displayed. | Enable/Disable. Default: Disabled |
| Login > Legal Notice | Legal Notice Display Time | Specify when the configured legal notice should be displayed to the user. | Installation, Startup. Default: Startup |
| Login > Legal Notice | Legal Notice Text | Specify the body of the legal notice. | Insert File. Default: N/A |
| Login | Lock Device Time Display | Lock device for X minutes if user exceeds Failed Attempts Allowed | ,999. Default: 1 |
| Login | Preboot Bypass | Specify if the preboot should be bypassed. | Yes, No. Default: No |
| Login > Support Info | Support Info | Display Help Desk information or administrator contact. | Default: N/A |

PC Policies

Policies governing devices or laptops running Full Disk Encryption.

TABLE 3-9. Full Disk Encryption PC Policies

| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|---|
| Client | Allow User Recovery | Specify if users are allowed to access system recovery utilities on the device. | Yes, No. Default: No |
| Encryption | Encrypt Device | Specify whether the device should be encrypted. | Yes, No. Default: Yes |

| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|---|
| Login | Token Authentication | Policy related to physical tokens including smart cards and USB tokens. All subpolicies are visible only when Token Authentication is enabled. | Enable, Disable. Default: Disable |
| Login > Token Authentication | OCSP Validation | Verifying certificates via OCSP allows for the revocation of invalid certificates via the CA. Note: All sub-policies are visible only when OCSP Validation is Enabled. | Enable, Disable. Default: Disable |
| Login > Token Authentication > OCSP Validation | OCSP CA Certificates | Certificate Authority certificates | bytes. Default: N/A |
| Login > Token Authentication > OCSP Validation | OCSP Expired Certificate Status Action | Defines the action to take if the OCSP certificate status is expired. | Time Delay, Erase, Remote Authentication, Denial of Login, Allow Access. Default: Denial of Login |
| Login > Token Authentication > OCSP Validation | OCSP Grace | A grace period in days that allows authentication to occur even if the OCSP server has not verified the certificate in this number of days | Default: 7 |
| Login > Token Authentication > OCSP Validation | OCSP Responders | Certificate Authority certificates. | Yes, No. Default: Yes |

| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|---|
| Login > Token Authentication > OCSP Validation > OCSP Responders | OCSP Responder Certificate | Certificate Authority Certificate | bytes. Default: N/A |
| Login > Token Authentication > OCSP Validation > OCSP Responders | OCSP Responder URL | Certificate Authority certificates | bytes. Default: N/A |
| Login > Token Authentication > OCSP Validation | OCSP Revoked Certificate Status Action | Defines the action to take if the OCSP certificate status is revoked. | Time Delay, Erase, Remote Authentication, Denial of Login, Allow Access. Default: Denial of Login |
| Login > Token Authentication > OCSP Validation | OCSP Show Success | Whether success of OCSP reply should be displayed. | Yes, No. Default: Yes |
| Login > Token Authentication > OCSP Validation | OCSP Unknown Certificate Status Action | Specify the action when an OCSP certificate status is unknown. | Time Delay, Erase, Remote Authentication, Denial of Login, Allow Access. Default: Denial of Login |
| Login | Token Passthru | Pass the token to the desktop GINA for further processing during the boot process. | Yes, No. Default: No |
| Password | Authentication Methods Allowed | Specify the allowed type(s) of authentication methods that can be used. | Fixed, ColorCode, Pin, Remote, RSA. Default: Fixed |

PPC Policies

Policies governing pocket Full Disk Encryption PPC devices.

TABLE Full Disk Encryption PPC Policies

| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|---|
| Encryption | PPC Encrypt Appointments | Specify whether the Appointments database should be encrypted on the PPC device. | Yes, No. Default: Yes |
| Encryption | PPC Encrypt Contacts | Specify whether the Contacts database should be encrypted on the PPC device. | Yes, No. Default: Yes |
| Encryption | PPC Encrypt Device | Specify whether all external media and internal storage on the PPC device is encrypted. | Yes, No. Default: Yes |
| Encryption | PPC Encrypt | Specify whether the database is encrypted on the PPC device. | Yes, No. Default: Yes |
| Encryption | PPC Encrypt Other Databases | Specify a list of databases to be encrypted on the PPC device | characters. Default: N/A |
| Encryption > PPC Encrypt Other Databases | PPC Encrypt Tasks | Specify whether the Tasks database should be encrypted on the PPC device. | Yes, No. Default: Yes |
| PPC | Logging | Policies defining the log file on the PPC device. | |
| Logging | PPC Log File Size | Specify the size of the log file on the PPC device (measured in kilobytes) | Default: 512 |
| Login | Allow Emergency Call | Specify whether the user may make emergency phone calls from their device. | Yes, No. Default: No |

| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|---|
| Login | PPC Account Lockout Action | Specify the action to be taken when the device has failed to communicate with the as specified in the policy Account Lockout Period. Actions are: Erase: All content on the device is wiped. Remote Authentication: Require user to perform remote authentication. | Erase, Remote Authentication. Default: Remote Authentication |
| Login | PPC Device Timeout | Specify the number of minutes that the authentication screen appears while inactive | Default: 1 |
| Login | PPC Launch After logon | Specify an application to be launched on the device after a successful authentication | characters. Default: N/A |
| Password | PPC Authentication Methods | Specify the allowed authentication methods on the PPC device. | Fixed, Colorcode, Pin, Remote. Default: Fixed |
| PPC | PPC Erase Media on Wipe | Device wipe erases data on mounted media. | Yes, No. Default: No |

FileArmor Policies

This section explains the configurable options for all enterprise policies affecting FileArmor clients.

Computer Policies

Policies governing installation privileges on devices with FileArmor installed.

TABLE FileArmor Computer Policies

| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|---|
| Computer | Allow User to Uninstall | This policy specifies whether a user other than an Administrator can uninstall the endpoint application. | Yes, No. Default: Yes |

Encryption Policies

Policies governing how encryption is handled on FileArmor devices.

TABLE FileArmor Encryption Policies

| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|---|
| | Allow Secure Delete | Specify whether to allow the user to delete files. | Yes, No. Default: Yes |
| | Disable Optical Drive | Disable access to CD or DVD drives. | Yes, No. Default: No |
| | Encryption Key Used | User Key: choose a key unique to the user. Group Key: choose a key unique to the group, so all users in the group will also have access to files. Enterprise Key: choose a key unique to the enterprise, so all users in the enterprise will also have access to files. | User Key, Group Key, Enterprise Key. Default: Group Key |

| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|---|
| | Encryption Method Allowed | Choose which allowable ways to encrypt files are allowed: 1. User Key 2. Group Key 3. User-created password 4. Digital Certificates | User's Unique Key, Group Unique Key, Encrypt With Static Password, Encrypt With Certificate. Default: All |
| Removable Media | Fully Encrypt Device | Specify whether all files/folders on removable media are encrypted. | Yes, No. Default: No |
| Removable Media | Allow USB Devices | Specify permitted USB devices. | Any, KeyArmor. Default: Any |
| Removable Media | Disable USB Drive | Disable the USB drive when not logged in, always disable, and never disable drive. | Always, Logged Out, Never. Default: Logged Out |
| Removable Media | Folders to Encrypt on Removable Media | The drive letter is given and the policy value corresponds to a valid removable media device. Nonexistent folders are created. If no drive letter is given then all removable media devices attached to the device at login will use the policy values | characters. Default: N/A |

| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|---|
| | Specify Folders to Encrypt | List the folders that will be encrypted on the hard drive. Nonexistent folders are created. A valid drive letter to the hard drive must also be supplied. A valid policy value is: C:\EncryptedFolder | characters. Default: %DESKTOP%\FileArmor Encrypted |

Login Policies

Security policies governing logging on FileArmor.

TABLE FileArmor Login Policies

| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|---|
| | Authentication Methods Allowed | Specify the allowed type(s) of authentication that can be used | Fixed, ColorCode, Pin, Smart Card, RSA. Default: Fixed |
| | Device Locked Action | Action to be taken when the device is locked. | Time Delay, Remote Authentication. Default: Time Delay |
| | Failed Login Attempts Allowed | Number of failed logon attempts before using Lock Device Time Delay. 0 allows for unlimited attempts. | Default: |

| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|---|
| Legal Notice | Legal Notice Display Time | Specify when the configured legal notice is displayed to the user. Note: Policy is only available for (or newer) and a legal notice will not display to endpoints running FileArmor or earlier. | Installation, Startup. Default: Startup |
| Legal Notice | Legal Notice Text | Specify the body of the legal notice. Note: Policy is only available for (or newer) and a legal notice will not display to endpoints running FileArmor or earlier. | Insert File. Default: N/A |
| | Lock Device Time Delay | Lock device for X minutes if user exceeds Failed Attempts Allowed | ,999. Default: 1 |

Password Policies

Policies governing FileArmor passwords.

TABLE FileArmor Password Policies

| POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|
| Force Talking to Server | Makes FileArmor talk to the server after X amount of days. 0 will make FileArmor standalone | Default: |

| POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|
| Physical Token Required | Make users use a physical token (smart cards) to log on. | Yes, No. Default: No |

MobileSentinel Policies

This section explains the configurable options for MobileSentinel. Full Disk Encryption uses MobileSentinel policies.

Common Policies

Policies for all devices using MobileSentinel.

TABLE MobileSentinel Common Policies

| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|---|
| Common | Compliance | Compliance policies for all devices. | |
| Common > Compliance | Synchronization Timeout | Specify the number of days that allows a wireless device not to synchronize with the. The device will be forced to communicate to the for synchronization when the specified number of days has been reached. | 0-65,535 days. Default: 1 |
| Common | Network Compliance | Specify access to corporate network resources by ensuring that devices comply with company policy. | |

| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|---|
| Common > Network Compliance | Compliance Network Address | Specify the IP address of the network that allows the device to resynchronize with when out of compliance. When a device is out of compliance this will be the only network that the device can access until the device has been brought back into compliance | characters. Default: N/A |
| Common > Network Compliance | Compliance Network NetMask | Specify the netmask address for the compliance network address (Compliance Network Address policy). This mask and the address will be used to limit devices from accessing network resources outside of the entered values until the device has been brought into compliance | characters. Default: N/A |
| Common > Network Compliance | Compliance Server Address | Specify the address of the that will be used as the host for the wireless devices in this group. The server address for wireless devices is the server that devices call back; when a synchronization request is received by the device or when the device detects that it must synchronize with the server to ensure that policies have been updated | characters. Default: N/A |

PPC Policies

Policies specific to the MobileSentinel PC device.

TABLE MobileSentinel PPC Policies

| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|---|
| PPC | Compliance | Specific policies for the PPC device. | |
| PPC > Compliance | PPC Compliance Object List | Specify objects required on the PPC device. Network routing will be limited to the compliance network if these objects are not present on the device. | Enable, Disable. Default: Disable |
| PPC > PPC Compliance Object List | PPC Compliance Network Restriction | Determines whether to restrict network access if the device is found to be out of compliance. | Yes, No. Default: Yes |
| PPC > PPC Compliance Object List | PPC Object Auto-Restore | Set policy value to Yes for automatic restoration of the object that is missing on the device. Set policy value to No to direct the user to the URL address specified in the policy PPC Remediation URL. | |
| PPC > PPC Compliance Object List > PPC Object Auto-Restore | PPC Auto-Restore Object | Specify the object to be restored to the PPC device if the policy PPC Auto Restore has been enabled. | |
| PPC > PPC Compliance Object List > PPC Object Auto-Restore | PPC Auto-Restore Object Run Flag | Specify the actions to be taken on the remediation object. | Copy, Run. Default: Copy |
| PPC > PPC Compliance Object List | PPC Object Compliance Info | Specify information for users if the specified object is found to be out of compliance | characters. Default: N/A |

| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|---|
| PPC > PPC Compliance Object List | PPC Object Name | Specify the fully qualified path name for the compliance object | characters. Default: N/A |
| PPC > PPC Compliance Object List | PPC Object Version | Specify the minimum version number for the compliance object. If this policy value is left blank, the object version will not be checked for compliance | characters. Default: N/A |
| PPC > PPC Compliance Object List | PPC Remediation URL | Specify the Remediation URL address to be shown if the policy PPC Object Auto Restore is set to false | characters. Default: N/A |
| PPC | Device Management | Policies specific to collecting device data. | |
| PPC > Device Management | Collect Device Attributes Interval | Collect key pieces of information on hardware and software every X days; 0 = off | days. Default: 30 |
| PPC > Device Management | Collect Directory Info Interval | Perform a snapshot of files and directories every X days; 0 = off | days. Default: 7 |
| PPC | Disable Bluetooth | Disable/enable use of the BlueTooth radio. | Yes, No. Default: No |
| PPC | PPC Disable New Applications | Disable/enable the addition of new applications via Windows Mobile installers. | Yes, No. Default: No |
| PPC | PPC Disable OBEX | Disable/enable incoming Object Exchange via IR and BlueTooth. | Yes, No. Default: No |

KeyArmor Policies

This section explains the configurable options for all enterprise policies governing KeyArmor devices.

Antivirus Policies

Security policies for antivirus control on KeyArmor devices.

TABLE KeyArmor Antivirus Policies

| POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|
| Infected File Action | Indicates what remediation action to take with any infected file found. | Delete File, Kill Device. Default: Delete File |
| Repair Infected File First | Indicates whether or not to attempt to repair any infected files found before taking the action dictated by the Infected File Action policy. | Yes, No. Default: Yes |
| Update Frequency | Sets the antivirus update frequency, in hours. A value of 0 means that updates will never be requested. | 0-9,999 hours. Default: |
| Update Source | A list of vendor server URLs to contact for updates, specified in order. If the list is empty, then the application-defined default location will be used. | characters. Default: N/A |

KeyArmor Security Policies

Security policies to control KeyArmor.

TABLE KeyArmor policies

| POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|
| Dead Man Switch | Specify a sequence of characters which will erase all contents of the device when entered. | characters. Default: N/A |
| Inactivity Timeout | If the KeyArmor device is not accessed within X minutes, then log out of device | Default: 15 |

Login Policies

Security policies governing logging on KeyArmor.

TABLE KeyArmor Login Policies

| POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|
| Allow Only One User Per Device | This policy determines whether a single user or multiple users may access a device. A policy value of YES dictates only one user may have access to the device at a given time. Note: This policy does not impact Administrator or Authenticator roles. | Yes, No. Default: No |
| Authentication Methods Allowed | Specify the allowed type(s) of authentication that can be used. | Fixed, ColorCode, Pin, Smart Card, RSA. Default: Fixed |

| POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|
| Device Locked Action | Specify the action to be taken when the device has failed to communicate with the as specified in the policy Lock Device Time Delay. | Erase, Remote Authentication, Time Delay. Default: Remote Authentication |
| Failed Login Attempts Allowed | Number of failed logon attempts before using Lock Device Time Delay. 0 allows for unlimited attempts. | Default: |
| Lock Device Time Delay | Lock device for X minutes if user exceeds Failed Attempts Allowed. | ,999. Default: 5 |
| Password Synchronization | This policy determines whether users of a group may establish a password and use it on other devices without the need to register via a one-time password. This policy only impacts passwords of type Fixed, PIN, ColorCode, and Certificates. Third party password schemas such as Microsoft Windows domain passwords and RSA SecurID are not affected. | Yes, No. Default: No |

Notice Message Policies

Messages to be displayed to KeyArmor device users.

TABLE KeyArmor Notice Messages Policies

| POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|
| If Found | Specify information to be displayed on the device during the device lock out. | characters. Default: N/A |
| Legal Notice | Legal Notice(s) to display to user. | Insert File with characters. Default: N/A |

| POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|
| Show Legal Notice on Insertion | Select whether a notice is displayed to the user as the first screen when the KeyArmor device is inserted in a device. | Yes, No. Default: No |
| Support Info | Display Help Desk information or Administrator contact information. | characters. Default: N/A |

Connection Policies

Policies for connecting to with KeyArmor devices.

TABLE Connection Policies

| POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|
| Action Due to No Contract | Action to perform when KeyArmor device has not connected to the within the time specified by Offline Time Before Forced Connection. | Time Delay, Remote Authentication, Wipe. Default: Remote Authentication |
| Must Be Connected to | Force User to Connect to to access files on USB. | Yes, No. Default: No |
| Offline Time Before Forced Connection | The amount of time in days before user must connect to. 0 indicates KeyArmor device does not need to connect to the. | Default: 360 |
| Secondary Action Due to No Contract | Action to perform when KeyArmor device has not authenticated against the and has passed the Secondary Action Period. | Wipe, Remote Authentication, None. Default: None |
| Secondary Action Period | Secondary Time Period in X amount of Days, before the Secondary Action is Enforced. | Default: |

DriveArmor Policies

This section explains the configurable options for all enterprise policies affecting Full Disk Encryption clients.

Important: DriveArmor policies are only available in if was upgraded from a previous version which had DriveArmor policies configured.

Authentication Policies

Policies that govern authentication on DriveArmor devices.

TABLE DriveArmor Authentication Policies

| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|---|
| Local Login | Allowed Authentication Methods | Specify the allowed type(s) of authentication methods that can be used. | Fixed, Colorcode, PIN. Default: All |
| Local Login | Device Locked Action | Specify the action to be taken when the device locks. Actions are: Erase: All content on the device is wiped. Remote Authentication: require user to perform a remote authentication. Time Delay: take the Lock Device Time Delay policy action. | Time Delay, Erase, Remote Authentication. Default: Time Delay |
| Local Login | Failed Attempts Allowed | Specify the number of failed logon attempts before using Lock Device Time Delay | Default: |

| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|---|
| Local Login | Lock Device Time Delay | Lock device for X minutes if user exceeds Failed Attempts Allowed policy rules | Default: 1 |
| Authentication | Network Login | Specify policies regarding Authentication to the device that may include the network. | |
| Network Login | RSA Authentication | Specify if users will be verified against an RSA ACE server using SecurID. | Yes, No. Default: No |
| Authentication | Token Authentication | Verifying certificates via OCSP allows for the revocation of invalid certificates via the CA. Sub-policies are only visible when this policy is enabled. | Yes, No. Default: N/A |
| Token Authentication | OCSP Validation | Verifying certificates via OCSP allows for the revocation of invalid certificates via the CA. Sub-policies are only visible when this policy is enabled. | Yes, No. Default: N/A |
| Token Authentication > OCSP Validation | OCSP CA Certificates | Certificate Authority certificates | Default: N/A |
| Token Authentication > OCSP Validation | OCSP Responders | Certificate Authority certificates. | Yes, No. Default: Yes |
| OCSP Validation > OCSP Responders | OCSP Responder Certificate | Certificate Authority certificates | Default: N/A |

| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|---|
| OCSP Validation > OCSP Responders | OCSP Responder URL | Certificate Authority certificates | Default: N/A |
| Token Authentication | Token Passthru | Pass the token to the desktop GINA for further processing during the boot process. | Yes, No. Default: No |

Note: OCSP stands for Online Certificate Status Protocol.

Communications Policies

Specify policies that govern DriveArmor communication and information.

TABLE DriveArmor Communications Policies

| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|---|
| Communications | Account Lockout Action | Specify the action to be taken when the device has failed to communicate with the as specified in the policy Account Lockout Period. Erase: all contents on the device will be wiped. Remote Authentication: require the user to perform a remote authentication. Ignore: do not take any action. | Erase, Remote Authentication, Ignore. Default: Ignore |

| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|---|
| Communications | Account Lockout Period | Specify the number of days that the client may be out of communication with the | Default: 360 |
| Communications | Information | Specify policies that provide information to the user. | |
| Information | IF Found | Specify information to be displayed on the device during the device lock out | characters. Default: N/A |
| Information | Legal Notice | Specify whether a legal notice should be displayed. | |
| Information > Legal Notice | Legal Notice Display Time | Specify when the configured legal notice should be displayed to the user. | Installation, Startup. Default: Startup |
| Information > Legal Notice | Legal Notice Text | Specify the body of the legal notice. | Insert File. Default: N/A |
| Information | Support Info | Display Help Desk information or Administrator contact information. | characters. Default: N/A |
| Communications | Sync Interval | Specify how often (in minutes) DriveArmor attempts to communicate to the from the device to receive updated information | Default: 120 |

Device Policies

Specify policies that govern generic actions to the device with DriveArmor installed.

TABLE DriveArmor Device Policies

| POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|
| Allow User Administration Access | Specify if users are allowed to access system administration utilities on the device. | Yes, No. Default: No |
| Allow User To Uninstall | Specify whether a standard DriveArmor user can uninstall DriveArmor. | Yes, No. Default: No |
| Dead Man Switch | Specify a sequence of characters, when entered will destroy the device. | characters. Default: N/A |
| Preboot Bypass | Specify if the preboot should be bypassed. | Yes, No. Default: No |

Common Policies

This section explains the configurable options for all enterprise policies affecting all Endpoint Encryption products.

Agent Policy

TABLE Common Agent Policies

| POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|
| Sync Interval | Specify how often (in minutes) the application communicates to from the device to receive updated information. | Default: |

Authentication Policies

Specify policies that govern authentication on devices from all Endpoint Encryption applications.

TABLE Common Authentication Policies

| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|---|
| Local Login | Admin Password | Specify policies regarding Authentication local to the device only. | |
| Local Login > Admin Password | Allowed Character Types | Specify whether passwords can contain alpha, numeric, special or a combination. | Alpha, Numeric, Special. Default: All |
| Local Login > Admin Password | Can Contain User Name | Specify if the user name can be contained in the password. | Yes, No. Default: Yes |
| Local Login > Admin Password | Consecutive Characters Allowed | Specify the number of consecutive characters allowed in a password | Default: 3 |
| Local Login > Admin Password | Minimum Length | Specify the minimum length allowed for passwords | Default: 6 |
| Local Login > Admin Password | Password History Retention | Specify the number of past passwords the user is not allowed to use | Default: 0 |
| Local Login > Admin Password | Require How Many Characters | Specify the number of alpha characters that must be used in a password | Default: 0 |
| Local Login > Admin Password | Require How Many Lower Case Characters | Specify the number of lower case characters that must be used in a password | Default: |

| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|---|
| Local Login > Admin Password | Require How Many Numbers | Specify the number of numeric characters that must be used in a password | Default: 0 |
| Local Login > Admin Password | Require How Many Special Characters | Specify the number of special characters that must be used in a password | Default: 0 |
| Local Login > Admin Password | Require How Many Upper Case Characters | Specify the number of upper case characters that must be used in a password | Default: 0 |
| Local Login | Self Help | Specify the policies that are used for Self Help. | |
| Local Login > Self Help | Number of Questions | Specify the number of questions required to be answered correctly to authenticate the user. | 1-6. Default: 1 |
| Local Login > Self Help | Personal Challenge | Specify the personal challenge question(s) used for Self Help | Default: N/A |
| Local Login | User Password | Specify the policies that are used for User Passwords. | |
| Local Login > User Password | Allow Offline Password Change | Specify if users can change their password when not connected to the. | Yes, No. Default: No |
| Local Login > User Password | Allowed Character Types | Specify whether passwords can contain alpha, numeric, special or a combination. | Alpha, Numeric, Special. Default: All |
| Local Login > User Password | Can Contain User Name | Specify if the user name can be contained in the password. | Yes, No. Default: Yes |
| Local Login > User Password | Change Password Every | Specify (in days) when to force a user to change their password | Default: |

| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|---|
| Local Login > User Password | Consecutive Characters Allowed | Specify the number of consecutive characters allowed in a password | Default: 3 |
| Local Login > User Password | Minimum Length | Specify the minimum length allowed for passwords | Default: 6 |
| Local Login > User Password | Password History Retention | Specify the number of past passwords the user is not allowed to use | Default: 0 |
| Local Login > User Password | Require How Many Characters | Specify the number of alpha characters that must be used in a password | Default: 0 |
| Local Login > User Password | Require How Many Lower Case Characters | Specify the number of lower case characters that must be used in a password | Default: 0 |
| Local Login > User Password | Require How Many Numbers | Specify the number of numeric characters that must be used in a password | Default: 0 |
| Local Login > User Password | Require How Many Special Characters | Specify the number of special characters that must be used in a password | Default: 0 |
| Local Login > User Password | Require How Many Upper Case Characters | Specify the number of upper case characters that must be used in a password | Default: 0 |
| Local Login > User Password | User Name Case Sensitive | Specify if the user name is case sensitive | Yes, No. Default: No |

| CATEGORY | POLICY NAME | DESCRIPTION | VALUE RANGE AND DEFAULT |
|---|---|---|---|
| Network Login | Distinguished Name | Optional: Specify the distinguished name of the authentication server. If no Distinguished Name is specified, this will default to the LDAP server Default Naming Convention | Default: N/A |
| Network Login | Domain Authentication | Specifies if the Windows credentials should be used to authenticate. | Yes, No. Default: No |
| Network Login | Domain Name | NetBIOS name of the domain for Single Sign On. Default is NetBIOS value used by the. | Default: N/A |
| Network Login | Host Name | Specify the hostname. The hostname can be a domain name. | Default: N/A |
| Network Login | Port Number | Optional: 0 = use default. Specifies the port to be used for the connection. If no port number is specified, the LDAP provider uses the default port number. | Default: 0 |
| Network Login | Server Type | Type of server used to authenticate client user requests | LDAP, LDAProxy. Default: LDAP |
| Authentication | Remember User Between Login | Remember last used user name and display it in the authentication screen. | Yes, No. Default: Yes |
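How the Local Login > User Password policies in the Common Authentication Policies table combine into a single acceptance check, as an added Python example (not Trend Micro code). It assumes that Consecutive Characters Allowed limits a run of one repeated character and that the user-name comparison ignores case; the HARDENED values and sample passwords are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Local Login > User Password settings; defaults are those printed in the table."""
    allowed_types: frozenset = frozenset({"alpha", "numeric", "special"})  # Default: All
    can_contain_user_name: bool = True   # Default: Yes
    consecutive_allowed: int = 3         # Default: 3
    minimum_length: int = 6              # Default: 6
    require_alpha: int = 0               # "Require How Many Characters"
    require_lower: int = 0
    require_numbers: int = 0
    require_special: int = 0
    require_upper: int = 0


def char_type(ch):
    """Map a character to one of the three Allowed Character Types."""
    if ch.isalpha():
        return "alpha"
    if ch.isdigit():
        return "numeric"
    return "special"


def longest_run(password):
    """Length of the longest run of one repeated character (assumed meaning)."""
    best = run = 0
    prev = None
    for ch in password:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def check_password(password, user_name, policy):
    """Return the names of the violated policies; an empty list means accepted."""
    violations = []
    if len(password) < policy.minimum_length:
        violations.append("Minimum Length")
    if any(char_type(c) not in policy.allowed_types for c in password):
        violations.append("Allowed Character Types")
    if longest_run(password) > policy.consecutive_allowed:
        violations.append("Consecutive Characters Allowed")
    # (policy name, characters present, characters required), in table order
    counts = [
        ("Require How Many Characters",
         sum(c.isalpha() for c in password), policy.require_alpha),
        ("Require How Many Lower Case Characters",
         sum(c.islower() for c in password), policy.require_lower),
        ("Require How Many Numbers",
         sum(c.isdigit() for c in password), policy.require_numbers),
        ("Require How Many Special Characters",
         sum(char_type(c) == "special" for c in password), policy.require_special),
        ("Require How Many Upper Case Characters",
         sum(c.isupper() for c in password), policy.require_upper),
    ]
    for name, have, need in counts:
        if have < need:
            violations.append(name)
    # Assumption: containment is checked without regard to case.
    if (not policy.can_contain_user_name and user_name
            and user_name.casefold() in password.casefold()):
        violations.append("Can Contain User Name")
    return violations


DEFAULTS = PasswordPolicy()
# Constructed, tighter settings used only to show the difference from the defaults.
HARDENED = PasswordPolicy(can_contain_user_name=False, consecutive_allowed=2,
                          minimum_length=12, require_lower=1, require_numbers=1,
                          require_special=1, require_upper=1)

if __name__ == "__main__":
    # Constructed sample passwords for a constructed user "jsmith".
    for pw in ("jsmith", "Tr1ck-JSmith-aaa9", "Vq7!mLw2#xRd"):
        print(pw, check_password(pw, "jsmith", DEFAULTS),
              check_password(pw, "jsmith", HARDENED))
```

With the printed defaults the user's own name passes as a password, which is why the Can Contain User Name and Require How Many settings are worth reviewing before deployment.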

Chapter 4

Working with Groups, Users, and Devices

Endpoint Encryption utilizes both role-based and identity-based authentication to secure the data on endpoints. Configuring users, groups, and devices correctly ensures that data remains encrypted for unauthorized users, thus preventing data loss risk from accidental information release or deliberate sabotage.

This chapter covers the following topics:

- Working with Groups on page 4-2
- Working with Offline Groups on page 4-5
- Working with Users on page 4-10
- Working with Passwords on page 4-22
- Working with Devices on page

Working with Groups

Groups are managed in the MMC, and consist of the following types:

TABLE 4-1. Group Types

| GROUP | DESCRIPTION |
|---|---|
| Top Groups | The highest level of groups under the enterprise. Each top group has a unique node underneath the enterprise. |
| Subgroups | Groups created within a top group. A subgroup will inherit the policies of its parent group. Policy inheritance only occurs when a subgroup is created. Policy changes to a top level group do not filter down to existing subgroups. Subgroup policies cannot be more permissive than the parent groups. |

Note: Subgroups inherit all existing policies of the parent group. However, Administrators must add users and devices separately. Adding a user to a subgroup does not automatically add the user to the top group. However, you can add a user to both the top group and subgroup.

Adding a Top Group

Groups simplify managing enabled applications, users, policies, subgroups, and devices. A Top Group is the highest level group.

Note: Enterprise Administrator/Authenticator accounts cannot be added to groups. To create a Group Administrator, add a user and change his/her permissions within the group.

Procedure

1. Right-click the enterprise name in the left pane, and click Add Top Group.

FIGURE 4-1. Adding a Top Group

The Add New Group screen appears.

2. Provide the name and a description for the group.
3. Only select Support Legacy Devices if using legacy devices that do not support Unicode encoding. Some legacy devices may not be able to communicate with using Unicode. Assign Unicode and legacy devices to different groups.

FIGURE 4-2. Add New Group

4. Click Apply.
5. At the confirmation message, click OK.

The new group is added to the tree structure in the left pane.

Adding a Subgroup

Subgroups inherit all existing policies of the parent group. However, Administrators must add users and devices separately.

Procedure

1. Right-click a group in the left pane tree structure, and then click Add. The Add New Group window appears.
2. Follow the steps in Adding a Top Group on page 2-5, but in the first step.

The new group is added to the tree structure inside the Top Group's hierarchy.

Modifying a Group

Procedure

1. Right-click a group in the left pane tree structure, and then click Modify. The Modify Group screen appears.
2. Specify changes and click Apply.

Removing a Group

Use the tree structure to remove a group. Removing a Top Group will also remove all subgroups.

Procedure

1. Right-click a group in the left pane tree structure, and then click Remove. A Warning message appears.
2. Click Yes to remove the group.

The selected group no longer appears in the tree structure.

Working with Offline Groups

An offline group is a group of endpoint clients that did not connect to during installation. The group's policies, users, and devices can be exported to a file and delivered to the offline clients. When the group requires changes, the changes must be exported to a new file and again delivered to the offline endpoint client.

Policies are automatically updated when an offline endpoint client connects to.

WARNING! For Full Disk Encryption clients that will never connect to, perform an unmanaged installation instead. No offline group is required because policies are managed using Recovery Console.

Creating an Offline Group

Groups can be exported to allow for Full Disk Encryption and FileArmor installation on devices that do not need to or cannot communicate with. The client application installation files must be available from the server that is installed.

Note: Exported groups must contain at least one user. The group name must also be alphanumeric only.

WARNING! Offline groups only work for DataArmor SP7 and below. For Full Disk Encryption clients that will not connect to, perform an unmanaged installation instead. Policies are managed using Recovery Console.

Procedure

1. From the left pane, right-click the group and then select Export. The Export Group Wizard appears.

FIGURE 4-3. Exporting Group Wizard

2. Select Create off-line devices, specify export location and export password, and then click Next.

Note: The export password is used to authenticate the executable on the endpoint client.

3. Click Add... to browse to and upload Endpoint Encryption client installers.

TABLE 4-2. Endpoint Encryption Installation Filenames
INSTALLATION FILE | PURPOSE
DataArmorInstaller.exe | Installs older versions of Full Disk Encryption client application: DataArmor. DataArmor or below will work with off-line groups. For details about managed installations, see the Installation Guide.
TMFDEInstall.exe | Installs the Full Disk Encryption client application. This will not work for off-line devices. For details about managed installations, see the Installation Guide.
FASetup.msi | Installs the FileArmor client application for 32-bit operating systems.
FASetup(x64).msi | FileArmor client application for 64-bit operating systems.

Add as many installers as needed. For example, a group might require both Full Disk Encryption and FileArmor.

4. Click Next.
5. Depending on the license type, specify the number of devices to be installed on. The number of licenses available is reduced with every device.
6. Optionally specify a Device Name Prefix. uses the device prefix number to generate a unique Device ID and device encryption key for each device in this group.
7. Click Next. The offline group build begins.
8. Click Done to generate the export file at the specified location.

A generated executable file named Export is created on the desktop. Use this to distribute group changes to offline clients.

Updating an Offline Group

Follow these steps to create an update for an offline group.

WARNING! For Full Disk Encryption clients that will not connect to, perform an unmanaged installation instead. Policies are managed using Recovery Console.

Procedure

1. From the left pane, right-click the group, and then select Export. The Export Group Wizard displays.
2. Select Create off-line devices.
3. Specify the export password.

Note: The export password is used to authenticate the executable on the endpoint client.

4. Click Browse to specify a location to store the
5. Click Next. The offline group build begins.
6. Click Done. The export file is generated at the specified location.
7. Install the software on the device using the generated executable or script. For details, see the Endpoint Encryption Installation Guide.

Working with Users

To provide identity-based authentication, Endpoint Encryption offers a number of different user levels, adding or importing users, assigning users to groups, managing users, and removing users.

Add Users to

Use the following methods to add users to Endpoint Encryption:
- Add users manually, one at a time
- Bulk import numerous users with a CSV file
- Use an External Directory Browser with Active Directory

Adding a New Enterprise User

Note: Adding a user to the enterprise does not assign the user to any groups. Adding a user to a group adds the user to the group and to the enterprise.

Procedure

1. Expand the Enterprise and open Users.
2. Right-click whitespace in the right pane and select Add User. The Add New User screen displays.

FIGURE 4-4. Add New User Screen

3. Specify user information. User name, first name, and last name are required.
4. Only select Freeze if the account should be temporarily disabled. While frozen, the user is unable to log on devices.
5. Use the User Type field to set the privileges of the new account. Enterprise Administrators and Authenticators cannot be added to groups.
6. Select One Group to disable the user from multiple groups membership.
7. Select the Authentication Method.

Note: The default authentication method for users is None.

8. Click OK.

The new user is added to the Enterprise. The user cannot log on a device until he/she is added to a group.

Importing Users from a CSV File

Use a Comma Separated Values (CSV) file to import multiple users simultaneously. Use the following format: user name (required), first name, last name, employee ID, address. Include a comma for fields with no data.

Note: When using the Bulk Import Users function, all users in the file are added to the same group. Create a file for each group of users to import.

Procedure

1. Expand the group in the left pane and then click Users.
2. Right-click whitespace in the right pane, and select Bulk Import Add Users. The open file window appears.
3. Go to the CSV file and click Open.
4. At the confirmation, click OK.

The users in your file are added to the group and the Enterprise.

Importing Active Directory Users

Add Active Directory users to existing groups using the External Directory Browser.

maintains a user directory separate from the Active Directory database. This allows to provide absolute security over access to all devices, user rights, and authentication methods.
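For the bulk import format described under Importing Users from a CSV File, a file can be checked before it is handed to the import dialog. The following Python sketch is an added example, not part of the guide or the product; the function names, the whitespace, control-character and duplicate checks, and the sample data are assumptions of this example.

```python
import csv
import io

# Field order the guide gives for a bulk import file.
FIELDS = ("user name", "first name", "last name", "employee ID", "address")


def validate_import_csv(text):
    """Check one bulk import file; return (rows, problems).

    rows:     dicts keyed by FIELDS for lines that passed every check
    problems: (line_number, message) tuples for lines that did not
    """
    rows, problems, seen = [], [], {}
    reader = csv.reader(io.StringIO(text, newline=""))
    for record in reader:
        line_no = reader.line_num
        if not record:  # blank line: nothing to import
            continue
        # Empty fields still need their comma, so every row has 5 cells.
        if len(record) != len(FIELDS):
            problems.append((line_no, "expected %d fields, found %d"
                             % (len(FIELDS), len(record))))
            continue
        if any(not ch.isprintable() for cell in record for ch in cell):
            problems.append((line_no, "control character in field"))
            continue
        user = record[0]
        if not user.strip():
            problems.append((line_no, "user name is required"))
            continue
        if user != user.strip():
            problems.append((line_no, "user name has surrounding whitespace"))
            continue
        # Assumption of this pre-check, not documented product behaviour:
        # names differing only by case are treated as the same account.
        key = user.lower()
        if key in seen:
            problems.append((line_no,
                             "duplicate of user on line %d" % seen[key]))
            continue
        seen[key] = line_no
        rows.append(dict(zip(FIELDS, (cell.strip() for cell in record))))
    return rows, problems


def build_group_files(records):
    """Split (group, user-dict) pairs into one CSV text per group.

    The import adds every user in a file to the same group, so each
    group gets its own file. Missing fields are written as empty cells,
    which keeps the comma for fields with no data.
    """
    buffers = {}
    for group, user in records:
        buf = buffers.setdefault(group, io.StringIO(newline=""))
        csv.writer(buf, lineterminator="\n").writerow(
            [user.get(name, "") for name in FIELDS])
    return {group: buf.getvalue() for group, buf in buffers.items()}


# Constructed sample data (not from the guide).
SAMPLE_FILE = (
    "jdoe,John,Doe,1001,\n"
    "asmith,,,,\n"
    ",Nameless,User,1003,\n"
    "bwong,Bea,Wong\n"
    "JDoe,Jon,Doe,1005,\n"
)
SAMPLE_RECORDS = [
    ("Sales", {"user name": "jdoe", "first name": "John", "last name": "Doe"}),
    ("Engineering", {"user name": "bwong", "employee ID": "1004"}),
    ("Sales", {"user name": "asmith"}),
]

if __name__ == "__main__":
    accepted, rejected = validate_import_csv(SAMPLE_FILE)
    print("accepted:", [row["user name"] for row in accepted])
    for line_no, message in rejected:
        print("line %d: %s" % (line_no, message))
    for group, text in build_group_files(SAMPLE_RECORDS).items():
        print("--- %s ---\n%s" % (group, text), end="")
```

Rows reported as problems are left out of the accepted list, so a file can be corrected and re-checked before any account is created.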

For information about configuring Active Directory integration, see the Endpoint Encryption Installation Guide.

Procedure

1. From the left pane, open Enterprise Users, right-click the right pane (whitespace) and then select External Directory Browser. The Active Directory User Import window displays.
2. Click Edit > Connect to Domain.
3. Specify the Active Directory LDAP server hostname.
4. Specify a user name and password with access to the Active Directory domain.
5. Click OK. The user accounts load in the right pane.
6. Click File and then select Add to Enterprise or Add to Group, depending on where the users are to be added.
7. Click OK to add the users to the specified location. A confirmation window displays.
8. Click OK to confirm. An import status message displays.
9. Click OK.

Finding a User

It is faster to search for users at the group level; however, this is at the cost of searching the entire enterprise.

Procedure

1. From the left pane, click Enterprise Users or expand the group and click Users.

2. At the upper corner of right pane, click Search. The User Search Filter window appears.

FIGURE 4-5. User Search Filter window

3. Specify search details and then click Search. All accounts matching the search criteria display.

Note: If there are many users, use Page Counter to go from one page to another or click Clear to remove all results.

Modifying a User

Any Group Administrator can change a user's profile information.

Note: Enterprise-level changes are applied to the user universally, but group-level changes apply only to that group.

Procedure

1. Open Enterprise Users.
2. In the right pane, right-click the user and select Modify User. The Modify User screen appears.
3. Make the necessary changes. If the authentication method changes to Fixed Password, provide the default user password.
4. Click OK.
5. At the confirmation message, click OK.

Viewing a User's Group Membership

Administrators can view a user's groups - if the user belongs to multiple groups.

Procedure

1. Open Enterprise Users.
2. Right-click the user and select List Groups. The Group Membership list appears.

Adding a New User to a Group

Note: Adding a user to the enterprise does not assign the user to any groups. Adding a user to a group adds the user to the group and to the enterprise.

Procedure

1. Expand the Group and open Users.
2. Right-click whitespace in the right pane and select Add New User. The Add New User screen appears.

FIGURE 4-6. Add New User Screen

3. Specify user information. User name, first name, and last name are required.

4. Only select Freeze if the account should be temporarily disabled. While frozen, the user is unable to log on devices.
5. Use the Group User Type field to set the privileges of the new account. Enterprise Administrators and Authenticators cannot be added to groups.
6. Select One Group to disable the user from multiple groups membership.
7. Select the Authentication Method.

Note: The default authentication method for users is None.

8. Click OK.

The new user is added to the selected group and to the Enterprise. The user can now log on a device.

Adding an Existing User to a Group

A user can be added to numerous groups.

Procedure

1. Expand the group in the left pane and then click Users.
2. Right-click whitespace in the right pane, and select Add Existing User. The Add Users To Group screen appears.

FIGURE 4-7. Add Existing Users To Group Screen

3. Specify user details and then click Search. If there is a match, the Source field populates with accounts.
4. Select user accounts from the list and click the blue arrow to add them. See Chapter 2, Table 2-3: Icons to Add/Remove Users on page 2-12 for additional controls.

TABLE 4-3. Icons to Add/Remove Users
CENTER ICONS | DESCRIPTION
 | Add a single selected user to Destination field.
 | Add all found users based on search criteria to Destination field.
 | Delete a single selected user from Destination field.
 | Delete all users from Destination field.

5. To change a user's password:
   a. In the Destination field, highlight the user.
   b. Click Enter User Password located at the bottom of the window.
   c. In the window that appears, specify the user's authentication method.
   d. Click Apply.
6. Click Apply.

The user is added to the group. If this is the only group that the user belongs to, then the user is now able to log on to the endpoint client.

Changing a User's Default Group

The first group listed is the default group for the user.

Note: The user must be allowed to install to their default group. For details, see Allowing User to Install to a Group on page

Procedure

1. Open Enterprise Users.
2. Right-click the user and then select List Groups. The Group Membership list appears.
3. Right-click the user and then select Move to top.

The user's default group has been changed.

Allowing User to Install to a Group

This option allows users to install Endpoint Encryption devices to a group that they are a member of, without requiring Administrator approval.

Note: The default setting is Disallow User To Install To This Group.

Procedure

1. Open Enterprise Users.
2. Right-click the user and then select List Groups. The Group Membership list appears.
3. Right-click the user and then select Allow User To Install To This Group.

The user can now install devices to this group.

Removing Individual Users From a Group

WARNING! Before removing a Group Administrator or authenticator account, reassign this role to another user. Otherwise, only enterprise-level Administrators or authenticators can make group-level changes.

Procedure

1. Expand the group and click Users.
2. In the right pane, right-click the user and select Remove User. A warning message displays.
3. To remove the user from the enterprise as well, enable Remove from Enterprise.

Note: Removing a user from the enterprise also removes that user from all groups and subgroups.

4. Click Yes.

The user is removed.

Removing All Users From a Group

WARNING! Before removing a Group Administrator or Authenticator account, reassign this role to another user. Otherwise, only Enterprise Administrators/Authenticators can make group-level changes.

Procedure

1. Expand the group and then click Users.

2. In the right pane, right-click the user and select Remove All Users. A warning message displays.
3. To remove all users from the enterprise as well, enable Remove from Enterprise.

Note: Removing a user from the enterprise also removes that user from all groups and subgroups.

4. Click Yes.

Restoring a Deleted User

All deleted users are stored in the Recycle Bin at the Enterprise level. Groups do not have a Recycle Bin. Restoring a user does not add the user back to previously assigned groups.

Procedure

1. Expand the Recycle Bin.
2. Open Deleted Users. The right pane loads all deleted users.
3. Right-click the user and select Restore User.

The user is added back to the Enterprise, but does not belong to any groups.

Working with Passwords

When a user forgets his/her password or misplaces a device, the user can reset their password using methods defined by enterprise or group policies. The following password reset methods are available:
- Microsoft Windows Active Directory

- MMC
- Remote Help
- Self Help

All of these options involve setting the policy at the enterprise level and then at the group level whenever necessary. Use the Support Information policy to provide support-related information to users about password resets.

Resetting an Enterprise Administrator/Authenticator Password

Only Enterprise Administrators can reset an Enterprise Administrator password. An Authenticator with the same group permissions or higher can reset an Administrator or Authenticator password within that group.

Tip: Trend Micro recommends having at least three Enterprise Administrator accounts at all times as a safeguard against password loss. If an Enterprise Administrator account password is lost, it is possible to reset the password by using Self Help.

Procedure

1. Log on MMC using an Enterprise Administrator account.
2. Open Enterprise Users.
3. Right-click the Enterprise Administrator or Authenticator account with the lost password, and then select Change Password. The Change Password window appears.
4. Select an authentication method.
5. Specify the password (if requested).
6. Click Apply.

The account password is reset.

Note: The User must change password at next logon option is only available after the endpoint client updates policies.

Resetting a Group Administrator/Authenticator Password

All password changes are for the group only. If an Administrator wants to have just one password, then he/she should only belong to one Top Group.

Procedure

1. Log on MMC using a Group Administrator account.
2. Expand the group and open Users.
3. Right-click the Group Administrator or Authenticator account with the lost password, and then select Change Password. The Change Password window appears.
4. Select an authentication method.
5. Specify and confirm the password (if requested).
6. Click Apply.

The account password is reset.

Note: The User must change password at next logon option is only available after the client updates.

Resetting a User's Password

When resetting a user's password, select the User must change password at next logon check box to require a user to change his/her password at next logon. Once the user logs on and changes the password, he/she must also change the password for all devices.

Note: Trend Micro recommends using the domain authentication.

Resetting to a Fixed Password

Procedure

1. Open Enterprise Users or expand the group and open Users.
2. Select users from the right pane. Hold SHIFT to select multiple users. Multiple selection is only available at the group level.
3. Right-click and select Change Password. The Change Password window appears.
4. For the Authentication Method, select Fixed Password.
5. Specify and confirm the password.
6. Click Apply.

The user is required to change his/her password at the next logon.

Resetting a User Password with Active Directory

Trend Micro recommends using Active Directory to reset the user password, especially if the user has access to the company Help Desk, has network connectivity, or if Windows Single Sign-on (SSO) is enabled. Refer to the appropriate Windows Operating System Guide for more information about resetting a domain user password using Active Directory.

Using Self Help Password Support

This task explains how to configure policies for Self Help. Users who have forgotten their passwords can use Self Help to authenticate without Help Desk assistance. Use the Number of Questions and the Personal Challenge policies to set the number of personal challenge questions and the questions that the user must answer, respectively. Self Help questions are answered during the initial user authentication and when users change their passwords. For details about using Self Help, see Self Help on page

Note: Self Help requires network connectivity to.

Procedure

1. Expand Enterprise Policies or expand the group and then expand Policies.
2. Go to Common > Authentication > Local Login > Self Help.

FIGURE 4-8. Self Help Policy

3. Open Number of Questions to set the required number of questions that users must answer.

WARNING! Do not set Number of Questions greater than six. Otherwise, users will be unable to log on.

4. Right-click Personal Challenge and select Add to set a question that the user must answer. Repeat until all personal challenge questions are defined.

The next time users log on, they will be prompted to set their personal challenge question answers.

Remote Help Password Support

Reset forgotten passwords with Remote Help. A user who has a locked account or forgets their password has to reset their password before logging in with the new password. Remote Help requires that the user contact the Help Desk for a Challenge Response. Remote help does not require network connectivity to.

Procedure

1. Log on MMC with an Enterprise Administrator account or a Group Administrator/Authenticator account within the same policy group as the user.
2. Ask the user to click Help > Remote Help from his/her endpoint client.
3. Ask the user for the Device ID displayed.

FIGURE 4-9. Remote Help Assistance

4. In MMC, open Enterprise Devices or expand the user's group and open Devices, icon in the user's group.
5. In the right pane, right-click the user device and then select Soft Token. The Software Token window appears.
6. Ask the user to read the 16-digit Challenge field, and type it into the Challenge field of the Software Token window.
7. Click Get Response.

The Response field loads with an 8-character string.

8. Tell the user the 8-character string from the Response field.
9. The user inputs the string in the Response field on the endpoint and clicks Login.
10. The user is prompted to provide a new password.

Support Information Setup

The Support Information policy specifies information about an organization's Support Help Desk. The Support Information policy can be configured uniquely for each group.

Procedure

1. Log on MMC with either an Enterprise Administrator account or a Group Administrator/Authenticator account within the same policy group as the user.
2. Expand the user's group and go to Policies > Full Disk Encryption > Common > Login.
3. Right-click the Support Info policy and select Add.
4. Specify support information (phone number, location).

5. Click OK.

Working with Devices

Devices are computers, laptops, smartphones, and any other endpoint with Full Disk Encryption, FileArmor, or KeyArmor installed. Devices are automatically added to the Enterprise when any Endpoint Encryption application is installed.

Note: Each device can only be a part of one group.

Adding a Device to a Group

Procedure

1. In the left pane, expand the desired policy group and click Devices.
2. In the right pane, right-click the whitespace and select Add Device.

The Add Devices to Group screen appears.

FIGURE Add Devices to Group Screen

3. Type the device details and then click Search. If there is a match, the Source field populates with accounts.
4. Select the device from the list and click the blue arrow to add them. See table for additional controls.

TABLE 4-4. Icons to Add/Remove Devices
CENTER ICONS | DESCRIPTION
 | Add a single selected device to Destination field.
 | Add all found devices based on search criteria to Destination field.
 | Delete a single selected device from Destination field.
 | Delete all devices from Destination field.

5. Click Apply to add the device to the selected group.

The device is added to the group.

Removing a Device from a Group

Removing a device from a group removes the device from the selected group only.

WARNING! To remove a device from all groups, remove it from the Enterprise. Before deleting a device from the Enterprise, verify that the device has been unencrypted and all Trend Micro products were uninstalled. Failure to do so may result in irreversible data loss.

Procedure

1. Expand the group and open Devices.
2. In the right pane, right-click the device and select Remove Device. A warning message appears.
3. Click Yes.

The device is removed.

Removing a Device from the Enterprise

Deleting a device from the Enterprise removes the device from all groups and the Enterprise. The device will continue to function as long as connectivity and password policies are current on the device. Files cannot be recovered if the device fails in this state. To mitigate this risk, decrypt the device immediately, uninstall Full Disk Encryption, and then reinstall Full Disk Encryption as an unmanaged client.

WARNING! Verify that the device has been unencrypted and all Trend Micro applications are uninstalled before deleting a device from the Enterprise. Failure to do so may result in irreversible data loss.

For information about removing a device from a specific group, but not the Enterprise, see Removing a Device from a Group on page

Note: Go to the Recycle Bin to add a removed device back to the Enterprise again.

Procedure

1. Uninstall the endpoint client application from the device. For information about endpoint client uninstallation, see the Endpoint Encryption Installation Guide.
2. Open Enterprise Devices.
3. In the right pane, right-click the device and select Remove Device. Locate and click on the selected device. A warning message displays.
4. Click Yes.

The device is removed.

Viewing Directory Contents

Use the directory listing option to view a snapshot of all applications downloaded to the selected device.

Procedure

1. Open Enterprise Devices or expand a group and open Devices.
2. In the right pane, right-click the device and select Directory Listing.

The Device Directory Snapshot window displays all applications downloaded to the device.

Viewing Device Attributes

Use Device Attributes (memory, operating system, battery life, etc.) option to view a current snapshot of the selected device.

Procedure

1. Open Enterprise Devices or expand a group and open Devices.
2. In the right pane, right-click the device and select Directory Listing.

The Device Attributes window displays.

FIGURE Device Attributes List

Viewing Directory Listing

Use directory listing to view the directory structure of KeyArmor devices only.

Procedure

1. Open Enterprise Devices or expand a group and open Devices.
2. In the right pane, right-click the device and select Directory Listing.

The Device Directory Snapshot window displays.

Killing a Device

Killing a device completely deletes all data. For DriveArmor, Full Disk Encryption, and KeyArmor, the kill command is issued when the device communicates with.

WARNING! Killing a device cannot be undone. Back up all the data before performing this action.

Procedure

1. Open Enterprise Devices or expand a group and open Devices.
2. In the right pane, right-click the device and select Kill Device.
3. At the warning message, click Yes.
4. At the confirmation message, click OK.

Locking a Device

Locking a device reboots the device and forces it into a state that requires Remote Help. For DriveArmor, Full Disk Encryption, and KeyArmor, the lock command is issued when the device communicates with the. Lock a device to prevent a user from authenticating to the device until a successful Remote Help authentication is performed.

Procedure

1. Open Enterprise Devices or expand a group and open Devices.
2. In the right pane, right-click the device and select Lock Device.
3. At the warning message, click Yes.
4. At the confirmation message, click OK.

Rebooting a Device

Use Soft Reset to reboot a device. For DriveArmor, Full Disk Encryption and KeyArmor, the soft reset command is issued when the device communicates with.

Procedure

1. Open Enterprise Devices or expand a group and open Devices.
2. In the right pane, right-click the device and select Soft Reset.
3. At the warning message, click Yes.
4. At the confirmation message, click OK.

Restoring a Deleted Device

All deleted devices are stored in the Recycle Bin at the Enterprise level. Groups do not have a Recycle Bin. Restoring a device does not add the device back to previously assigned groups.

Procedure

1. Expand the Recycle Bin.
2. Open Deleted Devices. The right pane loads all deleted users.
3. Right-click the device and select Restore Device.

The device is added back to the Enterprise, but does not belong to any groups.


Chapter 5

Working with Full Disk Encryption

Full Disk Encryption provides comprehensive endpoint data security using mandatory strong authentication and full disk encryption. Full Disk Encryption secures not only the data files, but also all applications, registry settings, temporary files, swap files, print spoolers, and deleted files. Until the user is validated, strong preboot authentication restricts access to the vulnerable host operating system.

This chapter covers the following topics:
- Endpoint Encryption Tools on page 5-2
- Full Disk Encryption Preboot Authentication on page 5-2
- Full Disk Encryption Connectivity on page 5-13
- Full Disk Encryption Recovery Console on page 5-15
- Full Disk Encryption Recovery Methods on page 5-24
- Repair CD on page

Endpoint Encryption Tools

TABLE 5-1. Endpoint Encryption Tools
TOOL | PURPOSE
Recovery Console | Recover a device in the event of primary OS failure. Troubleshoot network issues. Manage users and logs.
Command Line Helper | Create encrypted values to secure credentials when creating an installation script.
Command Line Installer Helper | Generate scripts for automatic installations. Create encrypted values to secure credentials when creating an installation script.
DAAutoLogin | Used for Windows patching. DAAutoLogin allows for a one-time bypass of Endpoint Encryption Preboot.
Repair CD | Use this bootable CD to decrypt drive before removing Full Disk Encryption in the event that the disk becomes corrupted. Only use the Repair CD if standard removal methods are not possible. A typical symptom of a corrupted disk is a black screen.

Full Disk Encryption Preboot Authentication

After installing Full Disk Encryption, Full Disk Encryption Preboot now appears before Windows loads. Full Disk Encryption Preboot plays an important role in ensuring only authorized users are able to access devices, and for updating local security policies when connected to. From this screen, you can perform a number of tasks:
- Authenticating to an endpoint
- Changing passwords
- Logging on to the Recovery Console

FIGURE 5-1. The Full Disk Encryption Preboot screen

Menu Options

There are several options available in the top-left menu of Full Disk Encryption Preboot.

TABLE 5-2. Full Disk Encryption Preboot Menu Options
MENU ITEM | DESCRIPTION
Authentication | Change the authentication method used to log on.
Communication | Manually synchronize with. Note: Unmanaged endpoints display a null value.
Computer | View information about Full Disk Encryption, change the keyboard layout, access the on-screen keyboard, or restart/shutdown the device.

Network Connectivity

The network connection icon ( ) appears in the top-right corner when Full Disk Encryption is installed as a managed client. The icon is only highlighted when the device is connected to the network and has communication with. When Full Disk Encryption is unmanaged, the network icon never displays.

On-Screen Keyboard

Access the on-screen keyboard from Full Disk Encryption Preboot by navigating to: Menu > Computer > On-Screen Keyboard

To insert the cursor in the desired field when the keyboard is displayed, click Focus on the bottom-right corner of the keyboard.

Changing the Keyboard Layout

Changing the keyboard layout affects both keystrokes and the on-screen keyboard. Once Windows boots, the keyboard layout is set by the Windows operating system.

Procedure

1. Navigate to Menu > Computer > Change Keyboard Layout. The Select the keyboard language (layout) screen appears.
2. Select a keyboard layout.
3. Click OK.

Changing Authentication Methods

Procedure

1. At Full Disk Encryption Preboot, select Change Password After Login.

2. Specify the user name and password.
3. Click Login. The Change Password window appears.
4. From the top-left menu, select Authentication, and choose the desired authentication method. The New Password window for the chosen authentication method appears.
5. Provide and confirm the new password, and then click Next. The device boots into Windows.

Changing Passwords

Procedure
1. At Full Disk Encryption Preboot, select Change Password After Login.
2. Specify the user name and password.
3. Click Login. The Change Password window appears.
4. Provide and confirm the new password, and click Next. The device boots into Windows.

ColorCode

ColorCode is a unique authentication method designed to be easily remembered and quickly provided. Instead of using numbers or letters for a password, ColorCode authentication consists of a user-created sequence of colors (for example: red, red, blue, yellow, blue, green).

FIGURE 5-2. ColorCode Logon

Creating a ColorCode Password

The total count (total number of steps in the ColorCode) is defined by. The default count is six.

Procedure
1. Change the authentication method to ColorCode.

Note: For details about changing authentication methods, see Changing Authentication Methods on page 5-4.

The ColorCode Change Password screen appears.

FIGURE 5-3. ColorCode Change Password Screen

2. Choose the first color by clicking it using the square to the left. The count increases by one.
3. Click additional colors in the sequence.

Tip: If there was a mistake, click Back to delete the last color clicked, or click Clear to start over.

4. After the sequence is complete, confirm the ColorCode password using the square to the right.
5. Click Next to finish.

Remote Help

Use Remote Help when a user is locked out of an endpoint client after too many failed logon attempts or when the period since the last synchronization has been too long. Within each application's policies, set the action to Remote Authentication.

TABLE 5-3. Policies Affecting Remote Help Authentication
POLICY | DESCRIPTION
Login > Account Lockout Period | The number of days that a device can not communicate with before Account Lockout Action is called.
Login > Account Lockout Action | The action taken when the length of time in Account Lockout Actions include: erase, remote authentication.
Login > Failed Login Attempts Allowed | The number of failed login attempts allowed before executing the action defined in Device Locked
Login > Device Locked Action | The action taken when the Failed Attempts Allowed policy value has been exceeded. Actions include: time delay, erase, remote authentication.

Using Remote Help to Unlock Full Disk Encryption

Important: Restarting the endpoint device resets the challenge code. Manually synchronizing policies with also resets the challenge code. The Challenge Code and Response Code are not case sensitive.

Procedure
1. From Full Disk Encryption Preboot, go to Menu > Authentication > Remote Help.
2. Provide the Challenge Code to the Administrator.
3. Type the Response Code provided by the Administrator.
4. Click Login. The Change Password window appears.
   Note: If the account uses domain authentication, the device will boot directly into Windows.
5. Specify and confirm the new password, then click Next. The device boots into Windows.

Smart Card

Smart card authentication requires both a PIN and a physical card when confirming a user's identity. Insert the smart card before providing a PIN.

Important: To allow smart card authentication for all Endpoint Encryption clients, enable the following policy: Full Disk Encryption > PC > Login > Token Authentication.

Supported Smart Cards

CARD MANUFACTURER | PRODUCT NAME | LASER ENGRAVING ON BACK OF CARD
Axalto Axalto Cyberflex Access 64k v1 soft mask 4 version 1 Axalto Cyberflex Access 64k v1 soft mask 4 version 2 Axalto Access 64KV2 Axalto Access 64KV2 Gemalto Cyberflex Access v2c 64K Gemalto Access 64KV2 GemaltoGemCombiXpresso R4 dual interface Gemalto TOP DL GX4 144K Gemalto GCX4 72K DI Gemalto TOP DL GX4 144K Gemplus GemXpresso (GXP) PRO 64 K Gemplus GXP3 64V2N Oberthur CosmopollC v4 32K Oberthur CosmopollC v4 Galactic v1 32K OCS Gal 2.1 ID-One Cosmo v5.2d 64k Oberthur C.S. Cosmo64 V5.2D ID-One Cosmo v5.2 72k Oberthur ID One V5.2 ID-One Cosmo v5.2d 72k Oberthur ID One V5.2 Dual RSA RSA 5100 RSA 5200 RSA 6100 RSA SID

CARD MANUFACTURER | PRODUCT NAME | LASER ENGRAVING ON BACK OF CARD
Schlumberger (Axalto) | Cyberflex 32k v2 card with Softmask 7 Version 2 | Schlumberger Access 32K V2

Authenticating with a Smart Card

Procedure
1. Insert the smart card in the reader.
2. Connect the reader to the device.
3. Provide the user name and fixed password.
4. Click Continue. A message window appears.
5. Click Continue.
6. At the Register Token window:
   a. Type the new PIN provided by the Administrator.
   b. Confirm the new PIN.
   c. Select the smart card type from the Token drop-down list.
   d. Click Continue to finish registering the token, and access the PC.

Self Help

Use Self Help to authenticate when users have forgotten their credentials. Self Help requires users to respond with answers to predefined personal challenge questions. Self Help can also be used instead of fixed password or other authentication methods.

Important: must be configured to allow Self Help authentication. For more information, see Understanding Policies on page 3-1.

WARNING! A maximum of six questions can display to endpoint clients. Do not create more than six questions in, or users will be unable to log on.

Setting Up Self Help

If the Self Help policy is enabled, the user is prompted to define answers for the Self Help questions after his/her first login. If the user changes their password, they must define Self Help question answers again.

Note: Self Help answers are stored on the device. If a user logs on another Full Disk Encryption device, the user must define Self Help answers for that device.

Procedure
1. Provide the user name and password.
2. Click Login. The Self Help window appears.
3. Define answers for all of the Self Help questions.
4. Click Next. The device boots into Windows.

Using Self Help

Procedure
1. From the top-left menu of Full Disk Encryption Preboot, go to Menu > Authentication > Self Help. The Self Help window appears.
2. Answer all of the Self Help questions.
3. Click Login.
4. Define a new password, and then click Next. The device boots into Windows.

Changing Self Help Answers

Procedure
1. At Full Disk Encryption Preboot, provide your credentials, select Change Password After Login, then click Login. The Change Password window appears.
2. Provide and confirm the new password, and then click Next. The Self Help window appears.
3. Define new answers for all of the Self Help questions, and then click Next. The device boots into Windows.

Full Disk Encryption Connectivity

Endpoint Encryption uses a FIPS approved encryption process for data passed between Full Disk Encryption Preboot and. Full Disk Encryption clients that have network connectivity to can receive policy updates and upload audit data from the endpoint client. All client-server communications are internally encrypted and can be sent over insecure connections such as the Internet. System Administrators have flexibility in determining connectivity options for their organization. Administrators can place within a DMZ (Demilitarized Zone) for access to both internal networks and the Internet.

TABLE 5-4. Full Disk Encryption Connectivity Requirements
RESOURCE | FUNCTION
 | Updated security policies from can be sent to Full Disk Encryption Preboot or using connectivity established within Windows, LAN, VPN, etc.
TCP/IP Access | Network connectivity for PC devices requires full TCP/IP network access; dial-up or telephone access cannot be used to provide connectivity with during preboot authentication.
Port 80 | Full Disk Encryption communications use port 80 by default. To change the default port number, go to Recovery Console and update the.

Updating Full Disk Encryption Clients

Full Disk Encryption clients automatically receive policy updates from at intervals determined by policy. Do the following to manually synchronize policies:

Procedure
1. From the top-left menu of Full Disk Encryption Preboot, go to Communications > Synchronize policies.
2. Go to Computer > About Full Disk Encryption. The timestamp of the latest policy synchronization displays.

Full Disk Encryption Recovery Console

Recovery Console helps Administrators recover a device in the event of primary OS failure, troubleshoot network connectivity issues, and manage policies for unmanaged clients.

WARNING! Use Recovery Console before running standard Windows diagnostic and repair utilities.

TABLE 5-5. Recovery Console Functions
CONSOLE ITEM | DESCRIPTION
Decrypt Disk | Remove encryption from the disk drive. Use the Full Disk Encryption Preboot Recovery Console to access Decrypt Disk.
Mount Partitions | Provide access to the encrypted partitions for file management. Use the Full Disk Encryption Preboot Recovery Console to access Mount Partitions. Note: Mount Partitions is only accessible on devices with software encryption. This option is grayed-out if a device has hardware encryption.
Restore Boot | Roll back the MBR to a state before Full Disk Encryption installation. Use the Full Disk Encryption Preboot Recovery Console to access Restore Boot. Note: Restore Boot is only accessible on devices with software encryption. This option is grayed-out if a device has hardware encryption.
Manage Users | Add or remove users from the device when not connected to.
Manage Policies | Modify policies for devices that are either not managed by or are managed but are temporarily not connected to. If the device is managed, policy changes are overwritten the next time that the device communicates with.
View Logs | View and search the various Full Disk Encryption logs. Note: Logs are available only when the Recovery Console is accessed from Windows.
Network Setup | Verify, test, and modify network settings.
Exit | Exit the Recovery Console.

Accessing Recovery Console

Only Group Administrator/Authenticator accounts can access Recovery Console. To allow users to access Recovery Console, set PC > Client > Allow User Recovery to Yes.

Procedure
1. Reboot the device.
2. When Full Disk Encryption Preboot appears, provide the user name and password.
3. Select the Recovery Console option, and then log on. Recovery Console displays.

Accessing Recovery Console from Windows

Procedure
1. In Windows, go to the Full Disk Encryption installation directory. The default location is C:\Program Files\Trend Micro\Full Disk Encryption\
2. Open RecoveryConsole.exe. The Recovery Console window appears.
3. Provide the user name and password, and then click Login. Recovery Console opens to the Decrypt Disk page.

Using Decrypt Disk

Selecting Decrypt Disk decrypts an encrypted Full Disk Encryption hard disk, but does not remove any of the encryption drivers. If using Decrypt Drive, disable DrAService before booting into Windows.

WARNING! Read this procedure before using Decrypt Disk. Data loss can occur if performed incorrectly. Do not use Decrypt Disk to remove Full Disk Encryption from a device that is functioning normally. Use TMFDEUninstall.exe instead.

Procedure
1. At Full Disk Encryption Preboot, select Recovery Console, provide credentials, and then click Login. Recovery Console opens to the Decrypt Disk page.
2. Click Decrypt to begin decrypting the drive. Decryption begins immediately and the Decrypt Disk page displays the decryption progress.

3. When decryption is finished, click Exit to reboot the device.
4. If booting a repair tool CD, DVD, or USB key:
   a. After exiting Full Disk Encryption, press F12 (or the appropriate button to enter the boot options).
   b. Insert the repair tool CD / DVD and select CD/DVD drive from the boot options screen.
   c. Proceed with established recovery actions.
5. If booting into Windows:
   a. Hold F8 and select Safe Mode before the system begins booting into Windows.

   WARNING! If the Windows boot options screen is missed, immediately turn off the device. If Windows boots normally (not in Safe Mode), DrAService will immediately start encrypting the drive again. Any recovery actions taken at this point will risk irreparable damage to data on the drive.

6. Open Device Management and navigate to Services and Applications > Services. The Device Management window appears.
7. Locate and double-click DrAService to open the DrAService Properties window.
8. On the General tab, change Startup type to Disabled.
9. Click Apply, and then click OK.
10. Reboot the device.
11. Log on Full Disk Encryption Preboot, and then Windows.

What to do next

After all recovery actions are complete, set DrAService to Automatic. The device automatically re-encrypts the hard disk after the next reboot.
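The startup-type change in steps 6 to 9 and the later restore under "What to do next" can also be made and verified from an elevated PowerShell prompt. This is an added example, not part of the guide or Trend Micro tooling: the service name DrAService comes from the procedure above, the function names are hypothetical, and it assumes PowerShell is available in the session where the guide's GUI steps would be performed.

```powershell
# Added example (not Trend Micro code). Service name taken from the guide;
# function names are hypothetical. Run from an elevated PowerShell session.

$ServiceName = 'DrAService'

# Registry "Start" values and the startup types they correspond to in the Services console.
$StartModes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-DrAServiceStartMode {
    # Read the configured startup type straight from the service's registry key,
    # so the check does not depend on the service being running.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path -LiteralPath $key)) {
        throw "Service '$ServiceName' is not registered on this device."
    }
    $start = [int](Get-ItemProperty -LiteralPath $key -Name Start).Start
    if ($StartModes.ContainsKey($start)) { return $StartModes[$start] }
    return "Unknown ($start)"
}

function Set-DrAServiceStartMode {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disabled', 'Automatic')]
        [string]$Mode
    )
    $before = Get-DrAServiceStartMode
    Set-Service -Name $ServiceName -StartupType $Mode -ErrorAction Stop

    # Verify the change took effect before the operator reboots: a normal boot with the
    # service still set to start is the case the guide's warning describes.
    $after = Get-DrAServiceStartMode
    if ($after -ne $Mode) {
        throw "Startup type is '$after', expected '$Mode'. Do not reboot until this is resolved."
    }
    [pscustomobject]@{ Service = $ServiceName; Before = $before; After = $after }
}

# Steps 6-9 of the procedure (in Safe Mode, before any recovery work):
#   Set-DrAServiceStartMode -Mode Disabled
# "What to do next" (after all recovery actions are complete):
#   Set-DrAServiceStartMode -Mode Automatic
```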

Mount Partitions

Use Mount Partitions to copy files between the encrypted hard disk and a storage device before imaging or reformatting the drive. The encrypted contents on the drive are displayed in the left pane and an unencrypted device can be mounted in the right pane. Use copy and paste to move files between panes. Files copied to the encrypted drive will be encrypted. Files copied out of the encrypted drive will be unencrypted.

Restore Boot

The Restore Boot option restores the original boot on the device when the device is fully decrypted. It is only available from Full Disk Encryption Preboot. Decrypt the disk before restoring the Master Boot Record (MBR).

WARNING! Do not use Decrypt Disk before reading through the instructions. Data loss can occur.

Procedure
1. Log on Recovery Console.
2. Click Decrypt Disk and then click Decrypt.
3. Switch to the Restore Boot option. A Replace MBR confirmation window displays.
4. Click Yes to replace the MBR. A message confirming the MBR replacement displays.
5. Click Exit. The device boots into Windows.

Manage Full Disk Encryption Users

Use this option to add or remove users from the preboot cache or to change a user's cached password. This option is useful when Full Disk Encryption cannot connect to. Both the Full Disk Encryption Preboot and Windows Recovery Console can use this option.

Note: Manage Users is only available when not connected to. Changes made to users through Recovery Console are overridden when Full Disk Encryption connects to.

Some considerations for passwords:

- Assigned passwords, whether on a new account or for an existing one, are fixed passwords.
- The user password expiration can be specified directly using the Password Expiration calendar.
- The default setting for a new user is the date as determined by the Change Password Every policy located at: Common > Authentication > User Password.

Note: Set the date to the current date or older to force an immediate password change, while setting it to the future will specify a change on that date.

Editing Users

Editing users in the Recovery Console follows the same rules as in. For details about rules, see Add Users to on page

Procedure
1. Select the user from the user list.

2. Update the desired information.
3. Select the user type: Administrator, authenticator, or user.
4. Set the password expiration date.
5. Click Save. The user is updated.

Adding Users

Procedure
1. Click Add User.
2. Provide the user name and password, and confirm the password.
3. Select the authentication method from the Authentication Type drop-down list.
4. Set the password expiration date.
5. Click Save. The new user appears in the User List. A confirmation window appears.
6. Click OK to close the confirmation window. The new user is added.

Deleting Users

Procedure
1. Select a user from the user list.
2. Click Delete User. A delete user confirmation window appears.

3. Click Yes. The user is deleted from the user list.

Manage Policies

Use Manage Policies to set various policies for Full Disk Encryption Recovery Console. For an explanation of these policies, see Understanding Policies on page 3-1.

Note: The Manage Policies option is only available when not connected to and any changes will be overridden the next time Full Disk Encryption connects to.

View Logs

View Logs provides the capability for an Administrator to search for and display logs based on specific criteria. View Logs is only available from Recovery Console using Windows. It is unavailable from the Full Disk Encryption Preboot. For information about viewing Full Disk Encryption logs, see Accessing Recovery Console from Windows on page

Network Setup

Use Network Setup to verify, test, and/or change the network settings that are used by Full Disk Encryption Preboot. There are three tabs: IPv4, IPv6, and.

Note: New in Full Disk Encryption is the ability to change or Enterprise without having to remove and reinstall Full Disk Encryption.

Managing Network Configuration

By default, Get setting from Windows is selected for both IPv4 and IPv6. Deselect this control to manually configure the network settings.

- Choosing DHCP (IPv4) or Automatically get address (IPv6) uses the dynamically assigned IP address.
- Choosing Static IP enables all fields in that section.
- In the IPv6 tab, choosing Static IP when the IP Address field is empty creates a unique IP address based on the hardware address of the machine.

Managing Settings

Procedure
1. Open the tab. There are two text fields: Current Server and Current Enterprise.

   To change the current enterprise:
   a. Click Change Enterprise.
   b. When the warning message appears, click Yes.
   c. Specify the new server user name, password, enterprise and server name, then click Save.

   WARNING! Changing the enterprise requires configuring policies again and recreating groups, and deletes any cached passwords, password history, and audit logs.

   To change the current server:
   a. Click Change Server.
   b. At the warning message, click Yes.
   c. Specify the new server address and click Save.

2. Click Cancel to return to the Recovery Console menu options screen.

Full Disk Encryption Recovery Methods

Once a device is fully encrypted with Full Disk Encryption, scenarios may exist where an Administrator needs to accomplish system restore actions:

- The local Administrator password is lost
- The Windows environment is corrupted

Important: For software encryption, standard data recovery tools (Windows Recovery Disk, ERD Commander, UBCD) cannot access a Full Disk Encryption encrypted system; therefore, the system must be decrypted before any recovery actions are performed.

Data recovery methods are available to Endpoint Encryption Administrators/Authenticators to recover data when the device is not functioning properly. Full Disk Encryption must be installed.

TABLE 5-6. Recovery Methods for Full Disk Encryption-protected devices
RECOVERY METHOD | DESCRIPTION | WHEN TO USE
Full Disk Encryption Uninstall | Full Disk Encryption Uninstall removes Full Disk Encryption from the device. Once the uninstall is complete, you may proceed with established recovery action within Windows. | Windows environment is working normally.
Recovery Console | Selecting the Full Disk Encryption Recovery Console > Decrypt Disk option allows Administrators to decrypt the selected hard disk on-the-fly or save the image of the decrypted hard disk to removable media. | Full Disk Encryption Preboot loads, but Windows does not.
Repair CD | Note: This method is not recommended if Windows is functioning normally. The Repair CD is a bootable CD that is used to decrypt a corrupt drive when the device cannot be booted to Full Disk Encryption. A typical symptom of a corrupted disk is a black screen. WARNING! Do not use if Windows is functioning normally. | Full Disk Encryption Preboot does not load. Full Disk Encryption cannot authenticate.

Note: To decrypt the drive, the user must have Endpoint Encryption Enterprise or Group Administrator rights and Windows Administrator rights.

Repair CD

The Full Disk Encryption Repair CD is a bootable disk used to fully decrypt a device if the device is unable to boot.

Note: If physical damage (bad sectors) has occurred to the hard disk drive, the drive may not decrypt completely or may become unusable. Verify that the hard-disk drive cable is properly connected.

Several options are available after booting from Repair CD:

TABLE 5-7. Repair CD Options
OPTION | DESCRIPTION
Recovery | Launches Recovery Console.
Unlock | Unlock a device that has been locked because: too many unsuccessful login attempts; no communication with for a specified duration. Note: Unlock option is only available when the policy Remote Authentication is set to Lock Out.
Reboot | Restarts the device.
Advanced Options | Provides access to advanced options: Remove Full Disk Encryption Preboot; Erase; Force Decryption.

TABLE 5-8. Repair CD Advanced Options
ADVANCED OPTION | DESCRIPTION
Remove Full Disk Encryption Preboot | Removes the Full Disk Encryption Preboot authentication screen from the device. WARNING! This action cannot be undone, and does not decrypt the drive. Use the Decrypt Disk to remove encryption.
Erase | Removes all data from the drive.
Return to the Main | Return to the standard CD options.
Force Decryption | Allows an Administrator to decrypt the drive when Full Disk Encryption will not boot.

WARNING! Data loss can occur if the Advanced Options are used incorrectly.

Recovering Data with Repair CD

Use Repair CD to attempt to recover data from an encrypted device. However, there are a number of considerations to keep in mind before trying to decrypt the disk:

- Only use Repair CD if the device is encrypted, or has begun encryption.
- If the device contains important data, make a backup image before continuing. For instructions, go to
- Do not attempt to decrypt a laptop unless it is connected to AC power.
- If the Repair CD does not boot, verify that the device has the latest BIOS version installed. Upgrade the system BIOS if necessary.
- Drive decryption using this method takes at least as long as the initial encryption process.

- If a bad sector is encountered, visible progress may slow down. Allow the CD to continue decryption and contact Trend Micro Support before interrupting the process.

WARNING! Do not interrupt the process once you initiate decryption from the Repair CD. Otherwise, irreversible data loss may occur.

Decrypting a Disk using the Repair CD

Procedure
1. Power on the networked system.
   a. Immediately press F12 (or the appropriate button to enter the boot options).
   b. Insert the Repair CD and select the CD/DVD drive from the boot options screen. The device boots into the Repair CD environment.
2. At Full Disk Encryption Preboot, select Recovery Console.
3. Provide the user name and password.
4. Click Login. Recovery Console displays.
5. Select Decrypt Disk(s) to begin fully decrypting the device.
6. When decryption completes, click Exit to return to the Repair CD menu.
7. Click Reboot to restart the device.
   Note: Remove the CD in order to start the device normally.
8. Log on Full Disk Encryption Preboot.

9. Log on Windows and proceed with the preferred recovery method.

Cleaning Up Full Disk Encryption Files

Decrypting a drive removes MBR changes and other essential elements used to protect the device. For software encryption, decrypt the disk completely before uninstalling Full Disk Encryption. Otherwise, the OS may crash.

WARNING! If the MSI is executed to uninstall on a non-DriveTrust machine, the OS will not be found after the client is restarted.

Procedure
1. From a command line:
   a. Run msiexec.exe /X{17BACE08-76BD-4FF5-9A06-5F2FA9EBDDEA}
2. From Windows:
   a. Open regedit within Windows and browse to the following key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{17BACE08-76BD-4FF5-9A06-5F2FA9EBDDEA}.
   b. Browse to the UninstallString key: msiexec.exe /x {17BACE08-76BD-4FF5-9A06-5F2FA9EBDDEA}.
   c. Copy the string.
   d. Open Run... and paste the string in the Open field.
   e. Click OK. The Windows Installer window appears.
   f. At the uninstall confirmation, click Yes.
      Note: If the User Account Control window appears, click Allow.

   g. When prompted to turn off the DrAService, select the second radio button option Do not close applications, and then click OK.
3. If prompted to reboot the device, click Yes. Otherwise, restart the device manually.
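Before pasting an uninstall string by hand, the registry lookup in step 2 can be done read-only from PowerShell to confirm that the entry exists and that its UninstallString targets the product code given above. This is an added example, not part of the guide: the product code and the native registry path are taken from the procedure, while the WOW6432Node path and the function name are assumptions added for 32-bit installs on 64-bit Windows.

```powershell
# Added example (not Trend Micro code). Read-only: it looks up and prints the uninstall
# entry and never starts msiexec. The guide requires the disk to be fully decrypted
# before uninstalling; this script cannot verify that.

$ProductCode = '{17BACE08-76BD-4FF5-9A06-5F2FA9EBDDEA}'   # from the guide

$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',              # from the guide
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'   # assumption
)

function Get-FdeUninstallEntry {
    # Return the first uninstall entry registered under the product code, or $null.
    foreach ($root in $UninstallRoots) {
        $key = Join-Path -Path $root -ChildPath $ProductCode
        if (Test-Path -LiteralPath $key) {
            $props = Get-ItemProperty -LiteralPath $key
            return [pscustomobject]@{
                RegistryKey     = $key
                DisplayName     = $props.DisplayName
                DisplayVersion  = $props.DisplayVersion
                UninstallString = $props.UninstallString
            }
        }
    }
    return $null
}

$entry = Get-FdeUninstallEntry
if ($null -eq $entry) {
    Write-Output "No uninstall entry found for ${ProductCode}."
}
elseif ($entry.UninstallString -notmatch [regex]::Escape($ProductCode)) {
    # An UninstallString that points at a different product code should be investigated,
    # not executed.
    Write-Warning "UninstallString does not reference ${ProductCode}: $($entry.UninstallString)"
}
else {
    $entry | Format-List
    Write-Output 'Entry matches the product code in the guide. Run the string manually after the disk is fully decrypted.'
}
```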

Chapter 6

Working with FileArmor

FileArmor protects individual files and folders on local hard drives, and removable media devices (USB drives). Administrators can set policies specifying which folders and drives are encrypted on the device and policies about encrypted data on removable media. Encryption is performed after authentication takes place.

FileArmor can also protect different files with different keys, allowing Administrators to set access policies to a device and separate policies for access to certain files. This is useful in environments where multiple users access one endpoint.

This chapter covers the following topics:

- FileArmor System Tray Icon Menu on page 6-8
- FileArmor Authentication on page 6-2
- FileArmor Encryption on page 6-10
- FileArmor Secure Delete on page

FileArmor Authentication

This section explains how to authenticate using FileArmor and aspects particular to using FileArmor. All authentication methods for Endpoint Encryption are available in FileArmor. See Account Roles and Authentication on page 1-12 for details about authentication methods.

FileArmor First-time Authentication

When FileArmor is launched for the first time, an initial registration is required to identify. The fixed password authentication method is default. Other options are available depending on policy settings.

Procedure
1. Right-click the FileArmor tray icon, and then select Register.
2. Provide the user name and password.
3. Specify the IP address (or host name) and the enterprise.
4. Click OK. The Change Password screen appears.
5. Select the desired authentication method from the drop-down.
6. Specify and confirm the new password, and then click OK.

Note: Without authenticating to FileArmor, access to files and removable media is denied.

FileArmor Domain Authentication

For seamless integration and use of the FileArmor domain authentication/Single Sign-On (SSO) process, ensure the following requirements are met:

- The user belongs to a group with the policy Common > Authentication > Domain Authentication set to Yes
- At the group level, go to Common > Authentication > Network Login policies and set Host Name and Domain Name.
- and all devices using domain authentication are on the same domain.
- The user account is configured in both Active Directory and. The user name is case sensitive and must match exactly.

Note: FileArmor SSO requires the following policy enabled: Common > Authentication > Network Login > Domain Authentication.

Authenticating with Domain Authentication

Enable domain authentication at: Group Name > Policies > Common > Authentication > Network Login > Domain Authentication.

Procedure
1. Choose Domain Authentication as the authentication type.
2. Provide the user name and password for the domain account.
3. Click OK.

Note:
- Changing passwords is not available for domain users and FileArmor cannot change a Windows domain password. That functionality is controlled by Active Directory.
- Domain authentication cannot be used with a Smart Card PIN.
- Remote Help is available to domain users. However, the domain password must be reset in Active Directory if it is forgotten.

FileArmor Smart Card Authentication

To use smart card authentication, ensure that the following requirements are met:

- FileArmor policy Login > Password > Physical Token Required = Yes.
- The smart card reader is connected and the smart card is inserted.
  Note: FileArmor only supports CASC and PIC smart cards
- ActivClient 6.1 with all service packs and updates must be installed.
- Specify the smart card PIN in the password field.

WARNING! Failure to provide a correct password will send a password error and can result in locking the smart card.

Authenticating with a Smart Card

FileArmor smart card authentication is only available if enabled by policy. In, mark Smart Card as an authentication option in FileArmor > Login > Authentication Methods Allowed.

Procedure
1. In FileArmor, open FileArmor and select Smart Card from the authentication drop-down.
2. Provide the user name.
3. Provide the smart card PIN or fixed password (if applicable).
4. Click OK.

FileArmor ColorCode Authentication

FileArmor ColorCode authentication is only available if enabled by policy. The policy is available at: Group Name > Policies > FileArmor > Login > Authentication Methods Allowed

Procedure
1. Select ColorCode from the authentication drop-down.
2. Input the unique ColorCode combination.
3. Click OK.

FileArmor PIN Authentication

FileArmor PIN authentication is only available if enabled by policy. The policy is available at: Group Name > Policies > FileArmor > Login > Authentication Methods Allowed.

Procedure
1. Select PIN from the authentication drop-down.
2. Specify the PIN combination.

3. Click OK.

Changing Password in FileArmor

To change the password, a user must authenticate to FileArmor with a User account. Administrator and Authenticator accounts cannot change passwords. The password can be changed to any method that is allowed by policies.

Procedure
1. Right-click the FileArmor tray icon and then select Change Password.
2. Specify the password and then click Next.
3. Select any available authentication method, provide and confirm the new password, and then click OK. The new password is updated and a confirmation displays.

Forced Password Reset

FileArmor prevents unauthorized access to encrypted files and folders by locking protected files if there are too many invalid authentication attempts or if the endpoint has not communicated with for a specified duration. Depending on policy, FileArmor locks a user from access or enacts a time delay before authentication attempts can be made.

Unlocking a Device

If a user has exceeded the number of authentication attempts and policies are set to enact Remote Authentication, FileArmor locks Endpoint Encryption folders and notifies the user that Remote Help is required. Remote Help is used to unlock FileArmor and requires Enterprise/Group Authenticator assistance.

Procedure
1. Right-click the FileArmor tray icon and select Remote Help. The Remote Help window appears.

   FIGURE 6-1. FileArmor Remote Help

2. Specify the user name.
3. Click Get Challenge.
4. Type the Response provided by the Enterprise/Group Authenticator.
5. Click Log In. The user is authenticated to FileArmor and a notification displays.

Time Delay

If a user exceeds the number of authentication attempts and the policy is set to enact a time delay, FileArmor enforces a temporary time delay that cannot be bypassed and must expire before authentication is permitted. After exceeding the allowed number of failed authentication attempts, FileArmor locks the device and notifies the user that the device is locked. The ability to log on or reset the password is disabled during the time delay. The duration of the time delay is determined by policy. Once the time delay has elapsed, the user may authenticate.

FileArmor System Tray Icon Menu

After FileArmor is installed, an icon is displayed in the system tray. The icon provides access to numerous FileArmor functions. Right-click the icon to display the menu items.

TABLE 6-1. FileArmor system tray icon options

MENU ITEM | FUNCTION
Register | First-time user registration of FileArmor with the. For details, see FileArmor First-time Authentication on page 6-2.
Log In / Log Out | Authenticate with.
Change Password | Permits non-domain authenticated users to change their password. For details, see Changing Password in FileArmor on page 6-6.
Remote Help | Unlock FileArmor using Remote Help to authenticate if the password is forgotten, there were too many failed authentication attempts, or the device has not communicated with the for a specified duration. For details, see Forced Password Reset on page 6-6.
Sync with | Manually download policy updates from. Useful for testing connectivity to. For details, see Syncing with on page

Sync with Offline Files | See Syncing with Offline Files on page 6-9 for details.
Hide Notification | Silences all FileArmor notifications.
About FileArmor | Displays FileArmor information including version, last sync time, and authenticated user. For details, see FileArmor System Tray Icon Menu on page 6-8.
Close Tray | Temporarily removes the FileArmor tray icon.

Syncing with

Endpoint clients can manually download new FileArmor policies by opening the FileArmor tray icon and selecting Sync with.

Note: Clients do not need to be authenticated to synchronize policies. If a network connection or is unavailable, a Failed to sync with server error displays.

Syncing with Offline Files

Offline updates work with the FileArmor or higher and now work on x64 installs of FileArmor. If the update is generated, the offline update will replace any existing user password with the new fixed password. Synchronized passwords will not replace a user password on update to maintain the same functionality of managed devices. A fixed password is required to add a user to an offline endpoint client.

The offline process will generate two files:

- The first file with the .exe extension is used for updating existing Full Disk Encryption devices.

- The second file with the policy update extension is used to update FileArmor.

Note: Blackberry policies are removed from all new offline installs where Blackberry was not enabled by the license file. This will significantly decrease the size of the file.

Changing

The that FileArmor connects to can be updated from the About window.

Procedure

1. Right-click the FileArmor tray icon and select About FileArmor.
   The About window displays.
2. Click Edit.
3. Specify the new hostname or IP address.
4. Click OK.

FileArmor is now managed by the new.

FileArmor Encryption

Files can be encrypted with FileArmor policies defined locally or from policies defined by. The method used depends on enterprise and endpoint user needs for file access and the level of security desired.

Files can be encrypted automatically by saving files in several locations:

- A folder on the device
- A folder that resides on removable media
- A fully encrypted removable media device

Files can also be encrypted by right-clicking the file and selecting one of the following from the FileArmor context menu:

TABLE 6-2. FileArmor context menu items

MENU ITEM | DESCRIPTION
Archive | Create an encrypted copy of the specified file.
Archive and Burn | Create an encrypted copy of the specified file and write it to CD/DVD.

FileArmor Local Key Encryption

Selecting the Local Key function allows a user to encrypt files for viewing strictly by that user.

Note: Set FileArmor > Encryption > Encryption Method Allowed to User's Unique Key.

Local Key files can only be accessed on a FileArmor device by the user who created them. When a file is encrypted, FileArmor creates a new file. The original file remains unencrypted in its original location.

WARNING! Depending on the Windows operating system, a user may view folder contents if switching from one user to a separate user without restarting Windows. While file names and folder content may be viewed, the file contents are not available. This is due to the Windows operating system caching the file structure for quick search capability.

Creating a Local Key

Procedure

1. Right-click the desired file and select FileArmor > Archive > Local Key.

The original files or folders are unchanged and can be kept or deleted.

FileArmor Shared Key Encryption

Files can be encrypted strictly for viewing by members of a policy group using the Shared Key function. Local Key files can only be accessed on a FileArmor device by the user who created them.

Set two policies: Allowed Encryption Methods to Group Unique Key and Encryption Key Used to Group Key. To allow encrypted files to be viewed by any FileArmor user within the Enterprise, set Encryption Key Used to Enterprise Key.

When a file is encrypted, FileArmor creates a new file. The original file is left in its original location unencrypted.

WARNING! Depending on how Windows permissions are configured, a user can view encrypted folder contents if switching between users without restarting Windows. While the file names and folder content may be viewed, the file contents are not available. This is due to the Windows operating system caching the file structure for quick search capability.

Creating a Shared Key

Right-click the desired file and select FileArmor > Archive > Shared Key.

The original files or folders are unchanged and can be kept or deleted.

FileArmor Fixed Password Encryption

FileArmor can create encrypted files using a fixed password. The encrypted file can optionally be self-extracting, meaning that the recipient does not need FileArmor to decrypt the file. Note the following:

- There is no functionality available for password recovery with self-extracting files. If a password is forgotten, the encrypted file cannot be recovered.
- Due to a Windows limitation, executable (self-extracting) files cannot be larger than 2GB.

Creating a Fixed Password Key

Procedure

1. Right-click the desired file and then select FileArmor > Archive > Fixed Password.
2. Provide the fixed password and confirm.
   Note: Mark Output encrypted data as a self-extracting archive if necessary.
3. Click OK.
   The file is encrypted.
4. To unencrypt the file, double-click the file, provide the archive password, and then click OK.
5. For self-extracting archives, double-click the file, provide the archive password, choose the extraction location, choose whether to open destination after extraction or to overwrite existing files, and then click Continue.

The original files or folders are unchanged and can be kept or deleted.

FileArmor Digital Certificate Encryption

FileArmor can encrypt files with digital certificates (smart cards) from the Windows certificate store.

Creating a Digital Certificate Key

Procedure

1. Right-click the desired file and select FileArmor > Archive > Certificate.
2. Select a Certificate Store and then click Gather Certificates.
3. Select one or more certificates and then click OK.
   Note: Certificates are gathered from the Windows certificate store.
4. Select an optical drive with a blank CD/DVD inserted in the drive.
5. Click OK.

The original files or folders are unchanged and can be kept or deleted.

FileArmor Archive and Burn

The FileArmor Archive and Burn function can be used to write encrypted files to CD/DVD. Files are self-extracting and can be encrypted using a Fixed Password or Digital Certificate.

Burning an Archive with a Fixed Password

Procedure

1. Right-click the file and select FileArmor > Archive and Burn > Fixed Password from the FileArmor context menu.
2. Provide a password and confirm.
3. Select a drive with a writeable disk inserted in the drive.
4. Click OK.

The self-extracting file is burned to CD/DVD.

Burning an Archive with a Certificate

Procedure

1. Right-click the file and select FileArmor > Archive and Burn > Certificate from the FileArmor context menu.
2. Select a Certificate Store and click Gather Certificates.
3. Select one or more certificates and click OK.
4. Select an optical drive with a blank CD/DVD inserted.
5. Click OK.

The self-extracting file is burned to CD/DVD.

FileArmor Secure Delete

FileArmor provides a secure delete function that wipes, erases, and cleans the selected files and the file history from your device.

Procedure

1. Right-click the file and go to FileArmor > Secure Delete.
2. Click Yes to permanently delete the file.


Chapter 7

Working with KeyArmor

KeyArmor USB drives secure data with always-on hardware encryption and embedded antivirus/anti-malware protection to meet regulatory compliance requirements and stringent government mandates. With KeyArmor, Administrators have complete visibility and control of who, when, where, and how USB drives are used in their organization.

This chapter covers the following topics:

- KeyArmor Features
- KeyArmor Authentication
- Using KeyArmor

KeyArmor Authentication

KeyArmor Authentication has the capability to provide users with a variety of identification methods. These choices offer flexibility that can be targeted to meet the security requirements of the enterprise. A successful authentication allows a user access to the device. For details about Endpoint Encryption authentication, see Account Roles and Authentication on page

Authenticating to KeyArmor for the First Time

Procedure

1. Insert the KeyArmor flash device into a USB port to launch the software.
   - If KeyArmor auto launches, the status bar displays and the KeyArmor icon is added to the tray.
   - If KeyArmor does not auto launch, go to My Device and open the KeyArmor drive.
2. Specify the user name and password.
3. Specify the in the Host Name or IP Address field.
4. Specify the enterprise name in the Enterprise Name field.
5. Click Login.

Changing Authentication Methods

Note: Only one authentication method is valid for any particular user at any given time. A user can change his/her authentication method only after successfully logging on a KeyArmor device.

Procedure

1. Right-click the KeyArmor icon from the tray and select Change Password.
   The Loading window appears and is followed by the Change Password screen for the user's current authentication method.
2. Click Authentication.
3. Select a new authentication method.
4. Specify current password.
5. Click Change to display new authentication method screens.

The Completed Authentication Method Change screen appears.

Fixed Password

Fixed passwords are the most common user identification method. The password is chosen by the user. To configure policy restrictions on passwords, go to KeyArmor > Login at the group or Enterprise level.

Note: Fixed password is always used as the initial authentication to KeyArmor.

Procedure

1. Specify and confirm the new fixed password.
2. Do one of the following:
   - To complete the password change, click Change.
   - To remove any content from the fields, click Clear.

The user is authenticated to KeyArmor and can now save data to the SECURE DATA folder; the KeyArmor icon displays in the system tray.

KeyArmor Features

This section explains the key features of KeyArmor.

Device Components

KeyArmor mounts two drives when the device is inserted in a USB port.

FIGURE 7-1. KeyArmor Devices

- KeyArmor (E:) contains the KeyArmor program files.
- SECURE DATA (F:) is KeyArmor user storage. KeyArmor encrypts all files stored in this drive.

Protecting Files with KeyArmor

To safeguard files using KeyArmor, copy or drag the selected folder, file, or document to the KeyArmor SECURE DATA drive. Files saved to KeyArmor are automatically encrypted and accessible with valid Endpoint Encryption credentials. Files remain encrypted as long as they are stored on KeyArmor.

Note: To ensure current antivirus definitions, do not copy any files to the KeyArmor device until the initial antivirus updates complete.

No Information Left Behind

There are several ways that KeyArmor avoids leaving any information on the local device:

- Browsing files on the KeyArmor device copies no data to the host device.
- Opening and editing documents using applications on the host device may store temporary or recovery file data on the host device.
- Most software applications can be configured to store their temporary or recovery file data on the KeyArmor device.

KeyArmor Antivirus Updates and Activity

After authenticating, KeyArmor antivirus definitions will attempt to update. KeyArmor presents warnings about antivirus update activity.

WARNING! Do not log off or remove a KeyArmor device from the endpoint client while the antivirus update is in process.

Copying files or opening files from KeyArmor is an end-user initiated activity. Files are scanned as they are saved or copied to KeyArmor. If a virus is found, the system

Administrator controls the resulting action including an attempt to repair or delete the file; or to wipe the KeyArmor device completely. Users may have the ability to initiate a full scan of their KeyArmor device once authenticated.

KeyArmor Check Disk Notification

Improperly removing a KeyArmor device without safe removal can cause file system corruption. Always log off KeyArmor before physically removing the device. In the event of an improper shutdown, unsafe removal, or other unforeseen circumstance, you may be prompted to check the disk next time the key is inserted. It is safe to ignore and move past this prompt; KeyArmor will check the disk for you and correct any errors.

Using KeyArmor

This section explains how to use KeyArmor.

Warning About Unencrypted Devices

KeyArmor users should follow their organization's policy related to transporting data beyond an individual's assigned work device.

- KeyArmor encrypts all files stored to it.
- KeyArmor software runs from the device and at no time does the KeyArmor software copy data to the host device.
- Browsing files on the device also does not copy data to the host device.
- Copying files to a host device is a user initiated action which can only be executed after proper authentication to a device.
- Some software applications running on the host may store temporary or recovery file data on the host device.

- Most software applications can be configured to store temporary or recovery file data on the KeyArmor device. This action is recommended if the device will be permitted to travel outside the boundaries of the trusted/secure network.

KeyArmor Taskbar

Several options are available from opening KeyArmor from the taskbar:

TABLE 7-1. KeyArmor Taskbar

MENU ITEM | FUNCTION
Start Full Scan | Scans the KeyArmor device for threats.
Download Policy Updates | Downloads the most current policy updates. For example, if the Administrator makes a change to add an authentication method and removes the existing authentication methods, the user might be directed to download policy updates and immediately begin using the new authentication method.
Change Password | Permits non-domain authenticated users to change their password.
Open Secure Data | Opens the SECURE DATA drive.
About KeyArmor | Displays KeyArmor information including version, last sync time, and authenticated user.
Logout | Logs off KeyArmor.

KeyArmor Menu

Several options are available by opening the KeyArmor menu:

TABLE 7-2. KeyArmor menu items

MENU ITEM | DESCRIPTION
Authentication | See KeyArmor Authentication on page 7-2 for details.

Download Policy Updates | Download the most current policy updates. For example, if the Administrator makes a change to add an authentication method and removes the existing authentication methods, the user might be directed to download policy updates and immediately begin using the new authentication method.
Help | See KeyArmor Menu Help on page 7-8 for details.

KeyArmor Menu Help

The KeyArmor Help menu has several user-assistance options.

If Found

When a KeyArmor device is lost and then found by a person other than the device owner, the If Found option provides contact information that will assist the finder in returning the device to its rightful owner. This option can be accessed by anyone without entering the proper credentials. The If Found message is created as a policy in the.

Procedure

1. To create an If Found message, go to KeyArmor > Notice Messages.
2. Right-click If Found and then select Properties.

   The Edit Policy Value window appears.
   FIGURE 7-2. Editing If Found Policy
3. Specify the If Found message in the Policy Value field.
4. Click Apply.

Q/A Password Reset

Self Help allows users to respond to one or more predefined questions. The Self Help questions are created as policies in the. To define the questions:

Procedure

1. Go to Common > Authentication > Local Login > Self Help.
2. Right-click Number Of Questions and select Properties.
3. In the Policy Value field, specify the number of questions that must be answered correctly.
4. Click Apply.
5. Right-click Personal Challenge and click Add.
6. Open the Personal Challenge policy that displays and specify one question in the Policy Value field, and then click Apply.

Note: Any user assigned to the group where the questions are created will be prompted to provide a response to each question the first time the user logs in subsequent to the new policy setting.

Remote Password Reset

Remote Help is a process that allows a user who has forgotten their password to have it reset remotely. When using Remote Help, the user must be able to (1) contact his/her Help Desk and (2) have access to the Remote Password Reset option in the KeyArmor Help menu.

Procedure

1. The user selects Remote Password Reset from the Help menu.

2. The user contacts the Administrator.
3. The user reads the Device ID to the support person.
4. Support locates the Device ID in the MMC and right-clicks the device to display the menu options and then selects Soft Token.
5. The user reads the Challenge to the Administrator.
6. The Administrator enters the challenge in the Challenge field, clicks Get Response and reads the Response to the user.
7. The user types the response in the Response field, and then clicks Login.
   The user is presented with a Change Password screen based on the current authentication method.
8. The user must specify and confirm the new password.

Support Information

The Support Information screen generally provides the contact information for the company Help Desk.

About KeyArmor

The KeyArmor About screen is automatically populated and provides the following information:

- Software version
- User name
- address
- Enterprise
- Device name
- Last policy synchronization
- FIPS version

Protecting Files with KeyArmor

Safeguarding your files is easy with KeyArmor. All you do is copy or drag the selected file/document to the KeyArmor drive. Any files or folders saved to KeyArmor are automatically encrypted and are accessible only by a person who logs on the device with a valid user name and password.

All files and folders saved to KeyArmor are automatically encrypted. Files remain encrypted as long as they are stored on KeyArmor.

FIGURE 7-3. Copying Files to KeyArmor

KeyArmor Activity Logging

All KeyArmor activity is logged and transparently uploaded to over the network. The MMC provides access to standard reports and detailed log activity. Administrators can drill to a specific device, file and end-user activity. For details about KeyArmor policies, see KeyArmor Policies on page

Safely Removing KeyArmor

As with any USB storage device, safely remove a KeyArmor device before unplugging it from the USB port.

WARNING! Data and/or device corruption can occur if KeyArmor is improperly removed from a machine.

Select one of the following options to safely remove an authenticated KeyArmor device.

- Choosing Log out from either the KeyArmor interface (application window or right-click the tray) safely ejects the device.
- Right-click the KeyArmor tray icon and select Log out.

After logging off, KeyArmor will no longer be available from the Windows Safely Remove Hardware application and it is safe to remove the device from the PC USB port.

To safely eject an unauthenticated KeyArmor device, close the authentication dialog box before submitting credentials.

KeyArmor Full Scan

After authenticating, KeyArmor attempts to update antivirus definitions. KeyArmor presents warnings about antivirus update activity. Do not log off or remove a KeyArmor device from your host PC while the antivirus update is in progress.

As files are saved or copied to KeyArmor, they are scanned for viruses. If a virus is found, policies control the resulting action including an attempt to repair or delete the file; or to wipe the KeyArmor device completely. The client also has the ability to initiate a full scan of their KeyArmor device.

TABLE 7-3. FileArmor Antivirus Activities

ACTIVITY | DESCRIPTION
Antivirus Updates | After antivirus definitions are loaded, KeyArmor updates definitions as defined by policy.
File Scanning Activity | Files are scanned for viruses as they are copied to KeyArmor. Files with viruses are not copied to the protected device.
Full Device Scanning | A full scan can be initiated from the KeyArmor Icon in the system tray by navigating to KeyArmor > Start Full Scan.

Changing Default Antivirus Update Location

Aside from the default update source, you can set another HTTP or FTP location where KeyArmor can download updates for its antivirus components.

Note: By default, KeyArmor policy is configured to obtain updates automatically from the following location: FTP://download.trendmicro.com/products/pattern/

Administrators may opt to change this policy to have KeyArmor obtain antivirus updates from other remote host locations or from a local source using HTTP or FTP conventions detailed below.

Procedure

1. To set an HTTP source:
   a. From the Trend Micro FTP server, copy any .zip files that begin with the characters LPT and the opr.ini file to the HTTP host location you have selected.
   b. Direct your KeyArmor devices to download the antivirus definitions from your HTTP web folder by specifying the full URL for the updates in the KeyArmor > Antivirus > Update Source policy value. For example, host these files on your machine by placing them in the main web directory: c:\inetpub\wwwroot\mawebservice2\

2. To set an FTP source:
   a. Install the Microsoft IIS FTP Service or other FTP server software and configure an FTP folder for use by network clients.
   b. Copy any .zip files that begin with lpt and the opr.ini file from the Trend Micro download location to the configured FTP server directory (for example c:\inetpub\ftpsvc\).
   c. Direct your KeyArmor devices to download the antivirus definitions from your FTP folder by specifying the full URL in the KeyArmor > Antivirus > Update Source policy value.

What to do next

Trend Micro recommends testing this configuration change by synchronizing policies on a registered KeyArmor device and verifying whether:

1. Antivirus updates complete successfully.
2. Antivirus definitions are updated on the key.
3. log entries are made showing the new policy defined URL.

Reassigning a KeyArmor Device to Another User

KeyArmor can be configured to allow all users in a group or a single user to access a device. To change this policy, set KeyArmor > Login > Allow Only One User Per Device. When set to Yes, only one user can access the device at a given time.

Note: This policy does not affect Administrator or Authenticator roles.

Procedure

1. Log on MMC and go to the group that the device is assigned.
2. Remove the device by right-clicking the Device ID and selecting Remove Device.

   Note: Do not remove the KeyArmor Device ID from your Enterprise; doing so will make the device unmanageable. Security provisions are in place to prevent re-binding KeyArmor to an Enterprise once it has been tied to your Enterprise. This same logic prevents re-adding KeyArmor to your enterprise should you inadvertently delete the Device ID from your.
3. Insert the KeyArmor device into a PC and sync policies.
4. Return to the MMC and add the device to the required group.
5. Ensure the new user is a member of the required group.
6. Assign the new user a fixed password.
7. Distribute the device to the new user and provide him/her their user name and password.
8. The device will now be tied to the new individual.

WARNING! Any data that remained on the device from the previous user will be accessible to the new user. Administrators should follow their internal guidelines for reformatting or re-provisioning a device prior to assigning KeyArmor to a new user.

Adding a Deleted KeyArmor Back to the Enterprise

If a device is mistakenly deleted, it can be re-added to the enterprise in one of two ways:

Procedure

1. Automatically: when a user is logged into a device connected to, it will automatically be added back to the enterprise during the next device synchronization.

   a. An Enterprise Administrator must still manually move the device into the correct group to ensure ongoing user access to the device.
   Note: Best practice recommends locking or erasing a device prior to deletion. A device deleted from the enterprise will lock if policies require communication with.
2. Manually: an Administrator may complete the following:
   Note: Connectivity to the new Enterprise is required.
   a. Log on the device with a valid Enterprise Administrator ID and password.
   b. Right-click the KeyArmor icon from the tray menu and select About KeyArmor.
   c. Click Edit next to the Enterprise name box.
   d. Verify the Enterprise name is correct.
   e. Select OK.
   f. Select Close.
   g. The Enterprise Administrator will now need to add the device back into a group to make the device available for users.
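For the Changing Default Antivirus Update Location procedure earlier in this chapter: plain HTTP and FTP do not authenticate what they serve, so it is worth confirming that the local update folder holds exactly the files that were copied from the Trend Micro download location. The following is an added example, not part of the Trend Micro guide; the function names, folder layout and sample file names are assumptions, and the file contents are constructed dummies.

```python
import fnmatch
import hashlib
import tempfile
from pathlib import Path


def update_files(directory):
    """Return {lowercase name: path} for the files the procedure says to copy:
    opr.ini and every .zip whose name begins with LPT. The guide writes both
    'LPT' and 'lpt', so names are compared case-insensitively."""
    selected = {}
    for path in Path(directory).iterdir():
        name = path.name.lower()
        if path.is_file() and (name == "opr.ini"
                               or fnmatch.fnmatchcase(name, "lpt*.zip")):
            selected[name] = path
    return selected


def sha256(path):
    """Hash a file in chunks so large pattern archives are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_mirror(reference_dir, mirror_dir):
    """Compare the folder served to KeyArmor devices (mirror_dir) against a
    trusted copy fetched from the vendor location (reference_dir).
    Returns a list of findings; an empty list means the two sets match."""
    reference = update_files(reference_dir)
    mirror = update_files(mirror_dir)
    if "opr.ini" not in reference or len(reference) < 2:
        raise ValueError("reference copy lacks opr.ini or any LPT*.zip file")

    findings = []
    for name in sorted(reference.keys() - mirror.keys()):
        findings.append(f"missing: {name}")       # never copied, or deleted
    for name in sorted(mirror.keys() - reference.keys()):
        findings.append(f"unexpected: {name}")    # stale or foreign file
    for name in sorted(reference.keys() & mirror.keys()):
        if sha256(reference[name]) != sha256(mirror[name]):
            findings.append(f"modified: {name}")  # corrupted or altered
    return findings


def demo():
    """Build two constructed sample folders and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, mirror = Path(tmp, "reference"), Path(tmp, "mirror")
        ref.mkdir()
        mirror.mkdir()
        # Constructed reference set (dummy contents, hypothetical names).
        (ref / "opr.ini").write_bytes(b"[constructed]\n")
        (ref / "LPT001.zip").write_bytes(b"pattern-1")
        (ref / "lpt002.zip").write_bytes(b"pattern-2")
        (ref / "readme.txt").write_bytes(b"not part of the update set")
        # Constructed mirror: one altered archive, one stale, one missing.
        (mirror / "opr.ini").write_bytes(b"[constructed]\n")
        (mirror / "lpt001.zip").write_bytes(b"pattern-1 altered")
        (mirror / "lpt000.zip").write_bytes(b"stale pattern")
        return audit_mirror(ref, mirror)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run the audit after each copy and before pointing the KeyArmor > Antivirus > Update Source policy at the folder.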


Chapter 8

Working with Logs and Reports

Endpoint Encryption keeps comprehensive logs and generates reports about events and updates. Use these logs and reports to assess your organization's policies and to verify that component updates were successful.

This chapter covers the following topics:

- Log Events
- Reports

Log Events

records log events using predefined criteria that are built into the system such as access attempts, system errors, modifications to users or groups, policy changes, and compliance issues. This powerful tool can be used to report all aspects of server and client security. Managing log events allows a Group or Enterprise Administrator to select specific search criteria and then display the information on the screen.

Managing Log Events

Only messages within the last 7 days are displayed automatically. Use the filter function to view older messages. It is useful to search the logs using the Message ID. For example, searching for the Message ID will display all Device Encryption Complete messages. See Message IDs on page A-1 for more details.

Procedure

1. There are two levels of log events:
   - For enterprise-level logs, expand Enterprise Log Events.
   - For group-level logs, go to Group Name > Log Events.
   The log window appears. All log events for the past 7 days are automatically displayed.
2. Double-click any log to view details.
3. Click Filter to search the log file:
   a. Provide the search criteria.
   b. Select the date range.
   c. Click Search.
4. Click Refresh to update log data.
5. Click Previous or Next to navigate through log data.

Alerts

Administrators can customize alert criteria using predefined security levels to help categorize alerts. Send log events to individual or multiple recipients by setting alerts at the enterprise or group.

Note: For details about message IDs, see Message IDs on page A-1.

Setting Alerts

Procedure

1. From the MMC select Enterprise (or group) Log Events from the left hand navigation screen.
2. Click Alerts.
3. Right-click and select Add.
   The Edit Alert window appears.
4. Provide an Alert Name.
5. Select the severity of logs that trigger alerts.
6. Select the message IDs that trigger alerts.
7. Provide an address to receive alerts, one per line.
8. Choose whether to send alerts based on the number of events in a set time.
9. Click Done.

Enabling to relay SMS and Delivery

This function only works for s running on Windows Server 2008 or Windows Server 2008 R2.

Procedure

1. Open Server Manager.
2. Go to Features > Add Features.
3. Mark SMTP Server.
   The Add role services and features required for SMTP Server window appears.
4. Click Add Required Role Services.
5. Click Next, Next, and then Install.
   The web Server IIS and SMTP Server installs.
6. Click Close.
7. Go to Start > Administrative Tools > Internet Information Services (IIS) 6.0 Manager.
   IIS 6.0 Manager opens.
8. Expand ServerName (local device).
9. Right-click [SMTP Virtual Server #1] and click Properties.
   Note: Mark Enable logging for future troubleshooting.
10. Go to Access > Connection... and select Only the list below, and then click Add.
11. Specify for IP address and click OK.
   Note: Repeat to specify all IP addresses on local server.
12. Click OK.
13. Go to Delivery > Advanced... and specify the Masquerade domain in the following format: psproxy.<yourdomain>.<com/org>.

14. Click OK twice to close the SMTP Virtual Server #1 Properties window.
15. Go to Enterprise Policies > > PDA > Open SMTP ServerName, specify , and then click Apply.

Configuring Advanced Premise

For best results, create a Sender Policy Framework (SPF) DNS entry. To create an SPF record in other DNS Servers (BIND), consult the vendor documentation.

Procedure

1. On a Windows DNS Server, open DNS Management Console.
2. Right-click the forward lookup zone for domain, and select Other New Records.
3. Scroll down and select TEXT (TXT).
4. Leave Record Name blank, and specify: v=spf1 ip4:<your external IP> -all
5. Click OK.

Reports

records system activities (changes made to policies, successful authentication attempts, devices locked due to too many unsuccessful logon attempts) and maintains those records as log events. Administrators can generate reports on an as-needed or scheduled basis. has a variety of built-in reports to verify device encryption status, user/device activity, and integrity.
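The SPF record from the Configuring Advanced Premise procedure above authorises one sending address and hard-fails every other sender. The following added example (not part of the Trend Micro guide) evaluates such a record offline, handling only the ip4, ip6 and all terms, and flags records that weaken it; 203.0.113.10 is a constructed stand-in for <your external IP> and the function names are hypothetical.

```python
import ipaddress

# Constructed sample values: 203.0.113.0/24 and 198.51.100.0/24 are ranges
# reserved for documentation; RELAY_IP stands in for <your external IP>.
RELAY_IP = "203.0.113.10"
PAGE_RECORD = f"v=spf1 ip4:{RELAY_IP} -all"

# SPF qualifiers and the result each one produces when its term matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: it must start with v=spf1")
    terms = []
    for part in parts[1:]:
        qualifier = "+"                      # default when none is written
        if part[0] in QUALIFIERS:
            qualifier, part = part[0], part[1:]
        name, _, value = part.partition(":")
        terms.append((qualifier, name.lower(), value))
    return terms


def evaluate(record, sender_ip):
    """Return the SPF result for sender_ip: terms are tried left to right
    and the first one that matches decides the outcome."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, value in parse_spf(record):
        if name == "all":                    # matches every sender
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        else:
            # a, mx, include, redirect ... need DNS lookups.
            raise ValueError(f"term {name!r} needs DNS; not handled here")
    return "neutral"                         # nothing matched, no 'all' term


def lint(record, relay_ip):
    """Return findings for a record meant to authorise only relay_ip."""
    findings = []
    terms = parse_spf(record)
    alls = [q for q, name, _ in terms if name == "all"]
    if not alls:
        findings.append("no 'all' term: unlisted senders are not failed")
    elif alls[0] != "-":
        findings.append(f"'{alls[0]}all' does not hard-fail unlisted senders")
    if alls and terms[-1][1] != "all":
        findings.append("terms placed after 'all' are never evaluated")
    if evaluate(record, relay_ip) != "pass":
        findings.append(f"relay {relay_ip} is not authorised by this record")
    return findings


if __name__ == "__main__":
    for sender in (RELAY_IP, "198.51.100.7"):
        print(sender, "->", evaluate(PAGE_RECORD, sender))
    for candidate in (PAGE_RECORD,
                      f"v=spf1 ip4:{RELAY_IP} ~all",
                      f"v=spf1 ip4:{RELAY_IP}"):
        print(candidate, "->", lint(candidate, RELAY_IP) or "ok")
```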

Note: Only Enterprise Administrators can use reports.

Report Options

Different reports have different options. Right-click a report for options.

TABLE 8-1. Options for reports

REPORT OPTION | OPTION DESCRIPTION
Clear | Removes all information displayed in the results window; it does not delete the information.
Display Error | View a description of the error causing the report to be invalid; available to Administrators only.
Display Report | View the report; available to Administrators only.
Next Page | Move to the next page of the search items.
Previous Page | Return to the previous page of the search items.
Refresh | Update the status of a submitted report.
Remove Report | Deletes the report.
Schedule Report | Set up a schedule for the report to be run on a specific day or time.
Submit Report | Generate the selected report.

Report Icons

TABLE 8-2. Report icons

ICON | DESCRIPTION
[icon] | Standard reports can be submitted on an as-needed basis to view statistics and other usage metrics.

| ICON | DESCRIPTION |
|---|---|
| | Alert reports are used to notify Administrators of potential security issues. |

Report Types

Reports are designed to make information about logs easily understood.

Running Standard Reports

Standard reports can be submitted on an as-needed basis. Reporting functions are only available to Enterprise Administrators.

Procedure
1. Right-click the desired report and select Submit Report.
2. Specify report parameters if required and then click Apply.
3. To view the report, go to Enterprise Reports > Enterprise Submitted Reports.

Standard Reports

TABLE 8-3. List of Standard Reports

| REPORT NAME | DESCRIPTION |
|---|---|
| Device Encryption Status | Reports the encryption status for all devices in the enterprise. |
| Device Operating System Count | Reports all device operating systems and the count for each. |
| Device Version Count | Reports all Full Disk Encryption versions and the count for each. |

| REPORT NAME | DESCRIPTION |
|---|---|
| Devices By Last Sync Date | Reports all devices that synchronized with in the last x amount of days. |
| Devices Not Communicating | Reports the devices that have not communicated in the last x days. |
| Devices with Last Logged in User | Reports all devices and the last user to have authenticated to it. |
| Enterprise Available License | Reports the days left in the license, available devices and users, and count of used devices and users. |
| Enterprise User Activity | Reports total devices, total users, and the MMC user count along with device activity. |
| Full Disk Encryption Device Not 100% Encrypted | Reports all devices in the last x days that started encrypting but did not finish. |
| User Activity By Day | Reports the user activity within x amount of days for the given user. |
| Users Added | Reports all users added within the last x days. |
| Users Never Logged into a Device | Reports all users that have never authenticated to any device. |

Running Alert Reports

Reporting functions are only available to Enterprise Administrators. To view the report, go to Enterprise Reports > Enterprise Submitted Reports.

Procedure
1. Right-click the desired alert report and select Configure Alerts. The Alerts Configuration window appears.
2. Provide the SMTP Server Address and the Sender that will process the outgoing

3. Click Apply.
4. Right-click the desired report and select Submit Alert.

Alert Reports

TABLE 8-4. List of Alert Reports

| ALERT NAME | DESCRIPTION |
|---|---|
| Consecutive Failed Logon Attempts on a Single Device | An alert is sent when multiple, consecutive authentication attempts to an individual device have all failed. |
| Log Integrity | An alert is sent when there is an indication that the logs have been tampered with. |
| Policy Tampering | An alert is sent when detects that policies have been tampered with. |
| Primary and Secondary Action Enforced | An alert is sent when the has had no connection, and the primary or secondary action has been enforced. |

Displaying Reports

Reporting functions are only available to Enterprise Administrators.

Procedure
1. Go to Enterprise Reports > Enterprise Submitted Reports.
2. Right-click the desired report and select Display Report... The report displays.

Note: To export the report, click the Save icon and select Excel or Acrobat (PDF) file.

Scheduling Reports

These steps allow reports to be run at any specific date and time.

Procedure
1. Open Enterprise Reports.
2. Right-click the desired report and select Schedule Report. The Report Parameters window displays.
3. Specify report parameters and click Apply. The Report Scheduler displays.
4. Specify the report interval, date and time, and then click Apply.

To view scheduled reports:
5. Go to Enterprise Reports > Enterprise Scheduled Reports.

Displaying Report Errors

Sometimes an error prevents a report from running correctly. Follow these steps to view the error.

Procedure
1. Go to Enterprise Reports > Enterprise Submitted Reports.
2. Right-click the report with an error and select Display Error... The report error message displays.

Chapter 9

Getting Support

Depending on the type of support needed, there are various places to get help.

This chapter covers the following topics:
- Trend Community
- Support Portal
- Contacting Technical Support
- TrendLabs

Trend Community

Get help, share experiences, ask questions, and discuss security concerns with other fellow users, enthusiasts, and security experts.

Support Portal

The Trend Micro Support Portal is a 24x7 online resource that contains thousands of helpful and easy to use technical support procedures for Trend Micro products and services. New solutions are added daily.

Procedure
1. Go to
2. Select a product or service from the appropriate drop-down menu and specify any other related information, if prompted. The Technical Support product page displays.
3. Specify any search criteria, for example an error message, and then click the search icon. A list of solutions displays.
4. If the solution cannot be found, submit a case and a Trend Micro support engineer will investigate the issue. Response time is typically 24 hours or less.

Submit a support case online at:

Contacting Technical Support

Technical support, pattern downloads, and product/service updates are available for one year with all product licenses. After one year, renew the license to continue receiving Trend Micro support.

In the United States, reach Trend Micro representatives by phone, fax, or

Address: Trend Micro, Inc North De Anza Blvd., Cupertino, CA
Phone: Toll free: +1 (800) (sales); Voice: +1 (408) (main)
Fax: +1 (408)
Website:
address:

Get a list of the worldwide support offices at:

Get the latest Trend Micro documentation at:

Resolving Issues Faster

To speed up problem resolution, have the following information available:
- Steps to reproduce the problem
- Appliance or network information
- Computer brand, model, and any additional hardware connected to the endpoint
- Amount of memory and free hard disk space
- Operating system and service pack version
- Endpoint client version
- Serial number or activation code

- Detailed description of install environment
- Exact text of any error message received

TrendLabs

TrendLabs is a global network of research, development, and action centers committed to 24/7 threat surveillance, attack prevention, and timely and seamless solutions delivery. Serving as the backbone of the Trend Micro service infrastructure, TrendLabs is staffed by a team of several hundred engineers and certified support personnel that provide a wide range of product and technical support services.

TrendLabs monitors the worldwide threat landscape to deliver effective security measures designed to detect, preempt, and eliminate attacks. The daily culmination of these efforts is shared with customers through frequent virus pattern file updates and scan engine refinements.

Learn more about TrendLabs at: index.html#trendlabs

Appendix A

Message IDs

This appendix lists the different message IDs and their meaning.

TABLE A-1. Message IDs

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Administrator Alerts | | Identifying Device | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Administrator Alerts | | Security Violation | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Administrator Alerts | | Critical Severity | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Administrator Alerts | | Policy Change Unsuccessful | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Administrator Alerts | | Unsupported configuration | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Administrator Alerts | | Enterprise Pool created | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Administrator Alerts | | Enterprise Pool deleted | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Administrator Alerts | | Enterprise Pool modified | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Administrator Alerts | | Admin User locked due to too many failed logins. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Administrator Alerts | | Policy Value Integrity Check Failed | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Administrator Alerts | | Policy request aborted due to failed policy integrity check. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Administrator Alerts | | File request aborted due to failed policy integrity check. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Administrator Alerts | | Admin Authentication Succeeded | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Administrator Alerts | | Admin Authentication Failed | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Administrator Alerts | | Admin Password Reset | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Administrator Alerts | | Unable to remove user. Try again. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Administrator Alerts | | Unable to unable user. Try again. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Administrator Alerts | | Unable to change Self Help password. A response to one of the personal challenge questions was incorrect. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Administrator Alerts | | Enterprise Added | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Administrator Alerts | | Enterprise Deleted | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Administrator Alerts | | Enterprise Modified | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Administrator Alerts | | The number of users has exceeded the maximum allowed by this license. Reduce the number of existing users to restore this user account. | |
| Administrator Alerts | | Administrator updated policy | |
| Administrator Alerts | | Administrator added policy | |
| Administrator Alerts | | Administrator deleted policy | |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Administrator Alerts | | Administrator enabled application | |
| Administrator Alerts | | Administrator disabled application | |
| Administrator Alerts | | Administrator added user | |
| Administrator Alerts | | Administrator deleted user | |
| Administrator Alerts | | Administrator updated user | |
| Administrator Alerts | | Administrator added user to group | |
| Administrator Alerts | | Administrator removed user from group | |
| Administrator Alerts | | User added | |
| Administrator Alerts | | User deleted | |
| Administrator Alerts | | User added to group | |
| Administrator Alerts | | User removed from group | |
| Administrator Alerts | | User updated | |
| Administrator Alerts | | Administrator deleted device | |
| Administrator Alerts | | Administrator added device to group | |
| Administrator Alerts | | Administrator removed device from group | |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Administrator Alerts | | Administrator added group | |
| Administrator Alerts | | Administrator deleted group | |
| Administrator Alerts | | Administrator updated group | |
| Administrator Alerts | | Administrator copy/pasted group | |
| Administrator Alerts | | update applied. | |
| Administrator Alerts | | User added to device | |
| Administrator Alerts | | User removed from device | |
| Administrator Alerts | | Event executed successfully | |
| Administrator Alerts | | Failed event execution | |
| Administrator Alerts | | Event installed successfully | |
| Administrator Alerts | | Failed to install event | |
| Administrator Alerts | | Administrator Logged In Using One Time Password | FileArmor SP6 or Earlier |
| Administrator Alerts | | Administrator Logged In Using Fixed Password | FileArmor SP6 or Earlier |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Administrator Alerts | | Administrator Logged In using Smart Card | FileArmor SP6 or Earlier |
| Administrator Alerts | | Administrator Logged In Using Remote Authentication | FileArmor SP6 or Earlier |
| Administrator Alerts | | Administrator Failed log In Using One Time Password | FileArmor SP6 or Earlier |
| Administrator Alerts | | Administrator Failed log In Using Fixed Password | FileArmor SP6 or Earlier |
| Administrator Alerts | | Administrator Failed log In using Smart Card | FileArmor SP6 or Earlier |
| Administrator Alerts | | Administrator Failed log In Using Remote Authentication | FileArmor SP6 or Earlier |
| Administrator Alerts | | Administrator logged in using one-time password. | KeyArmor |
| Administrator Alerts | | Administrator logged in using fixed password. | KeyArmor |
| Administrator Alerts | | Administrator logged in using Smart Card. | KeyArmor |
| Administrator Alerts | | Administrator logged in using domain authentication. | KeyArmor |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Administrator Alerts | | Administrator logged in using remote authentication. | KeyArmor |
| Administrator Alerts | | Administrator logged in using ColorCode authentication. | KeyArmor |
| Administrator Alerts | | Administrator logged in using PIN. | KeyArmor |
| Administrator Alerts | | Administrator logged in using OCSP. | KeyArmor |
| Administrator Alerts | | Administrator Failed To Login Using One Time Password | KeyArmor |
| Administrator Alerts | | Administrator Failed To Login Using Fixed Password | KeyArmor |
| Administrator Alerts | | Administrator Failed To Login Using Smart Card | KeyArmor |
| Administrator Alerts | | Administrator failed to login using domain authentication. | KeyArmor |
| Administrator Alerts | | Administrator Failed To Login Using Remote Authentication | KeyArmor |
| Administrator Alerts | | Administrator failed to login using ColorCode authentication. | KeyArmor |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Administrator Alerts | | Administrator failed to login using PIN. | KeyArmor |
| Administrator Alerts | | Administrator Failed To Login Using OCSP | KeyArmor |
| Administrator Alerts | | Administrator Failed log In Using Remote Authentication | KeyArmor |
| Administrator Alerts | | Administrator Renamed A File | KeyArmor |
| Administrator Alerts | | Administrator Changed A File | KeyArmor |
| Administrator Alerts | | Administrator Deleted A File | KeyArmor |
| Administrator Alerts | | Administrator Created A File | KeyArmor |
| Audit Log Alerts | | Log Message | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Audit Log Alerts | | Audit Log Connection Opened | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Audit Log Alerts | | Audit Log Connection Closed | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Audit Log Alerts | | Audit Log Record Missing | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Audit Log Alerts | | Audit Log Record Integrity Missing | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Audit Log Alerts | | Audit Log Record Integrity Compromised | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Audit Log Alerts | | Audit Log Record Integrity Validation Started | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Audit Log Alerts | | Authentication method set to SmartCard. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Audit Log Alerts | | Unable To Send Log Alert | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Authenticator Alerts | | Authenticator Logged In Using One Time Password | FileArmor SP6 or Earlier |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Authenticator Alerts | | Authenticator Logged In Using Fixed Password | FileArmor SP6 or Earlier |
| Authenticator Alerts | | Authenticator Logged In using Smart Card | FileArmor SP6 or Earlier |
| Authenticator Alerts | | Authenticator Logged In using Windows Credentials | FileArmor SP6 or Earlier |
| Authenticator Alerts | | Authenticator Logged In Using Remote Authentication | FileArmor SP6 or Earlier |
| Authenticator Alerts | | Authenticator Failed log In Using One Time Password | FileArmor SP6 or Earlier |
| Authenticator Alerts | | Authenticator Failed log In Using Fixed Password | FileArmor SP6 or Earlier |
| Authenticator Alerts | | Authenticator Failed log In using Smart Card | FileArmor SP6 or Earlier |
| Authenticator Alerts | | Authenticator Failed log In using Windows Credentials | FileArmor SP6 or Earlier |
| Authenticator Alerts | | Authenticator Failed log In Using Remote Authentication | FileArmor SP6 or Earlier |
| Authenticator Alerts | | Authenticator logged in using one-time password. | KeyArmor |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Authenticator Alerts | | Authenticator logged in using fixed password. | KeyArmor |
| Authenticator Alerts | | Authenticator logged in using Smart Card. | KeyArmor |
| Authenticator Alerts | | Authenticator logged in using domain authentication. | KeyArmor |
| Authenticator Alerts | | Authenticator logged in using remote authentication. | KeyArmor |
| Authenticator Alerts | | Authenticator logged in using ColorCode authentication. | KeyArmor |
| Authenticator Alerts | | Authenticator logged in using PIN. | KeyArmor |
| Authenticator Alerts | | Authenticator logged in using OCSP. | KeyArmor |
| Authenticator Alerts | | User Failed To Login Using Self Help | KeyArmor |
| Authenticator Alerts | | Authenticator Failed To Login Using One Time Password | KeyArmor |
| Authenticator Alerts | | Authenticator Failed To Login Using Fixed Password | KeyArmor |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Authenticator Alerts | | Authenticator Failed To Login Using Smart Card | KeyArmor |
| Authenticator Alerts | | Authencticator failed to login using domain authentication. | KeyArmor |
| Authenticator Alerts | | Authenticator Failed To Login Using Remote Authentication | KeyArmor |
| Authenticator Alerts | | Authenticator failed to login using ColorCode authentication. | KeyArmor |
| Authenticator Alerts | | Authenticator failed to login using PIN. | KeyArmor |
| Authenticator Alerts | | Authenticator Failed To Login Using OCSP | KeyArmor |
| Authenticator Alerts | | Authenticator Renamed A File | KeyArmor |
| Authenticator Alerts | | Authenticator Changed A File | KeyArmor |
| Authenticator Alerts | | Authenticator Deleted A File | KeyArmor |
| Authenticator Alerts | | Authenticator Created A File | KeyArmor |
| Certificate Alerts | | Certificate expired. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Device Alerts | | PDA to Desktop Sync Authentication was unsuccessful. There was no device ID for this PDA found. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Device Alerts | | Device is not in its own Password Authentication File. PAF corrupted? | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Device Alerts | | Lock Device Action Received | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Device Alerts | | Device Kill Confirmed | KeyArmor |
| Device Alerts | | Device Lock Confirmed | KeyArmor |
| Device Alerts | | Install Started | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor |
| Device Alerts | | Install Completed | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor |
| Device Alerts | | Unable to connect to. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Device Alerts | | The network connection is not working. Unable to get policy files from. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Device Alerts | | Corrupted PAF (DAFolder.xml) file | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Device Alerts | | Unable to synchronize policies with client. Verify that there is a network connection and try again. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Device Alerts | | Device added | |
| Device Alerts | | Device deleted | |
| Device Alerts | | Device added to group | |
| Device Alerts | | Device removed from group | |
| Device Alerts | | Device modified | |
| Device Alerts | | Device status updated | |
| Device Alerts | | Device status reset | |
| Device Alerts | | Device Kill Issued | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Device Alerts | | Device Lock Issued | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Device Alerts | | Device Synchronized | |
| Device Alerts | | User Not Allowed To Register New Device | |
| Device Alerts | | Uninstall of product | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor |
| Device Alerts | | Product Uninstall Denied By Policy | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor |
| Error Alerts | | General Error | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Error Alerts | | Application Error | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| FileArmor Activity Alerts | | User Logged In Using One Time Password | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | User Logged In Using Fixed Password | FileArmor SP6 or Earlier |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| FileArmor Activity Alerts | | User Logged In using Smart Card | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | User Logged In using Windows Credentials | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | User Logged In Using Remote Authentication | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | Administrator Logged In using Windows Credentials | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | User Failed log In Using One Time Password | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | User Failed log In Using Fixed Password | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | User Failed log In using Smart Card | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | User Failed log In using Windows Credentials | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | User Could not log In Using Remote Authentication | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | Administrator Failed log In using Windows Credentials | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | Failed Login Attempts Exceeded | FileArmor SP6 or Earlier |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| FileArmor Activity Alerts | | Encrypted File Using User Key | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | Encrypted File Using Group Key | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | Encrypted File Using Static Password | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | Self-extracting encypted file created using a static password. | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | Encrypted File Using Cert | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | Self-extracting encrypted file created using certificate. | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | Encrypted File Using CD/DVD Burning | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | Encrypted Directory Using Group Key | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | Encrypted Directory Using Static Password | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | Self-extracting encypted directory created using a static password. | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | Encrypted Directory Using Cert | FileArmor SP6 or Earlier |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| FileArmor Activity Alerts | | Self-extracting encrypted directory created using certificate. | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | Encrypted Directory Using CD/DVD Burning | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | Removable Media was fully encrypted | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | Removable Media Blocked | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | Removable Media Created and Covered Folders | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | File encrypted and moved to removable media. | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | File deleted from removable media. | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | File Armor Encrypted Folder Was Created | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | Folder Was Created and Covered | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | File Armor Encrypted Folder Was Deleted | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | Removable Media Folder was Created and Covered | FileArmor SP6 or Earlier |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| FileArmor Activity Alerts | | Removable Media Device Was Fully Encrypted | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | File In Folder Was Created | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | File in Folder Was Deleted | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | File in Folder Was Changed | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | File in Folder Was Accessed | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | File in Folder Was Last Written | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | File Size Changed in Folder | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | Folder Encryption Started | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | Folder Decryption Started | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | Folder Encryption Complete | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | Folder Decryption Complete | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | Folder Decryption In progress | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | Folder Encryption In progress | FileArmor SP6 or Earlier |
| FileArmor Activity Alerts | | FileArmor Service Started | FileArmor SP6 or Earlier |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| FileArmor Activity Alerts | | FileArmor Service Shutdown | FileArmor SP6 or Earlier |
| Full Disk Encryption Activity Alerts | | Device log maximum size limit reached, event log truncated | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | User has successfully logged in. | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | User login failed. | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Device decryption started | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Device Encryption Started | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Mounted encrypted partition | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Restored native OS MBR | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Restored Application MBR | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Device encryption complete | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Device Decryption Completed | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Device Encryption In Progress | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | System MBR Corrupt | Full Disk Encryption or MobileSentinel |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Full Disk Encryption Activity Alerts | | System Pre-boot Kernel Deleted | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Recovery Console accessed | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Recovery Console error | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Decryption in place started | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Decryption in place stopped | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Decryption in place complete | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Decryption of removable device started | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Decryption to removable device stopped | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Decryption to removable device complete | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Decryption in place error | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Decryption to removable device error | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Encrypted files accessed | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Encrypted files modified | Full Disk Encryption or MobileSentinel |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Full Disk Encryption Activity Alerts | | Encrypted files copied to removable device | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Encrypted files access error | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Network administration accessed | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | address changed | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | port number changed | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Switched to IPv6 | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Switched to IPv4 | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Switched to dynamic IP configuration | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Switched to static IP configuration | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | DHCP port number changed | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | IP address changed | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | NetMask changed | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Broadcast address changed | Full Disk Encryption or MobileSentinel |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Full Disk Encryption Activity Alerts | | Gateway changed | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Domain name changed | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Domain name servers changed | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Network administration error | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | User administration accessed | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | User added | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | User removed | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | User modified | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | User administration error | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Locally stored logs accessed | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Locally stored logs access error | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Original MBR restored | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Original MBR restoration error | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Default theme restored | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Default theme restoration error | Full Disk Encryption or MobileSentinel |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Full Disk Encryption Activity Alerts | | Application Startup | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Application Shutdown | Full Disk Encryption or MobileSentinel |
| Full Disk Encryption Activity Alerts | | Update was successful in the Pre-boot | Full Disk Encryption |
| Full Disk Encryption Activity Alerts | | Pre-boot Update failed | Full Disk Encryption |
| Installation Alerts | | Install Error | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Installation Alerts | | Successful Installation | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Installation Alerts | | Installation of FileArmor was successful | FileArmor SP6 or Earlier |
| Installation Alerts | | Installation of FileArmor was unsuccessful: Enterprise name is not valid. | FileArmor SP6 or Earlier |
| Installation Alerts | | Installation of FileArmor was unsuccessful: Username or password is incorrect. | FileArmor SP6 or Earlier |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| KeyArmor Activity Alerts | | Invalid Registry Setting Detected | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| KeyArmor Activity Alerts | | VirusDefense | KeyArmor |
| KeyArmor Activity Alerts | | Object Cleaned | KeyArmor |
| KeyArmor Activity Alerts | | Object Disinfected | KeyArmor |
| KeyArmor Activity Alerts | | Object Quarantined | KeyArmor |
| KeyArmor Activity Alerts | | Object Deleted | KeyArmor |
| KeyArmor Activity Alerts | | Virus Detected | KeyArmor |
| KeyArmor Activity Alerts | | Full Scan Started | KeyArmor |
| KeyArmor Activity Alerts | | Full Scan Completed | KeyArmor |
| KeyArmor Activity Alerts | | Object Suspicious | KeyArmor |
| KeyArmor Activity Alerts | | Object Scan Completed | KeyArmor |
| KeyArmor Activity Alerts | | Removable Media Scan Requested | KeyArmor |
| KeyArmor Activity Alerts | | Removable Media Scan Completed | KeyArmor |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| KeyArmor Activity Alerts | | Folder Scan Requested | KeyArmor |
| KeyArmor Activity Alerts | | Folder Scan Completed | KeyArmor |
| KeyArmor Activity Alerts | | Access Denied To Object | KeyArmor |
| KeyArmor Activity Alerts | | Object Corrupt | KeyArmor |
| KeyArmor Activity Alerts | | Object Clean | KeyArmor |
| KeyArmor Activity Alerts | | Full Scan Cancelled | KeyArmor |
| KeyArmor Activity Alerts | | Object Scan Cancelled | KeyArmor |
| KeyArmor Activity Alerts | | Removable Media Scan Cancelled | KeyArmor |
| KeyArmor Activity Alerts | | Folder Scan Cancelled | KeyArmor |
| KeyArmor Activity Alerts | | Update Started | KeyArmor |
| KeyArmor Activity Alerts | | The update was unsuccessful. Try again. | KeyArmor |
| KeyArmor Activity Alerts | | Update Cancelled | KeyArmor |
| KeyArmor Activity Alerts | | Update Successful. | KeyArmor |
| KeyArmor Activity Alerts | | VirusDefense Up To Date | KeyArmor |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| KeyArmor Activity Alerts | | PalmVirusDefense | KeyArmor |
| KeyArmor Activity Alerts | | Object Scan Requested | KeyArmor |
| KeyArmor Activity Alerts | | PPCVirusDefense | KeyArmor |
| KeyArmor Activity Alerts | | User logged in using one-time password | KeyArmor |
| KeyArmor Activity Alerts | | User logged in using fixed password | KeyArmor |
| KeyArmor Activity Alerts | | User logged in using Smart Card | KeyArmor |
| KeyArmor Activity Alerts | | User logged in using domain authentication | KeyArmor |
| KeyArmor Activity Alerts | | User logged in using remote authentication | KeyArmor |
| KeyArmor Activity Alerts | | User logged in using ColorCode authentication | KeyArmor |
| KeyArmor Activity Alerts | | User logged in using PIN | KeyArmor |
| KeyArmor Activity Alerts | | User logged in using OCSP | KeyArmor |
| KeyArmor Activity Alerts | | User logged in using Self Help | KeyArmor |
| KeyArmor Activity Alerts | | User logged in using RSA | KeyArmor |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| KeyArmor Activity Alerts | | User Failed To Login Using One Time Password | KeyArmor |
| KeyArmor Activity Alerts | | User Failed To Login Using Fixed Password | KeyArmor |
| KeyArmor Activity Alerts | | User Failed To Login Using Smart Card | KeyArmor |
| KeyArmor Activity Alerts | | User failed to login using domain authentication | KeyArmor |
| KeyArmor Activity Alerts | | User Failed To Login Using Remote Authentication | KeyArmor |
| KeyArmor Activity Alerts | | User failed to login using ColorCode authentication | KeyArmor |
| KeyArmor Activity Alerts | | User failed to login using PIN | KeyArmor |
| KeyArmor Activity Alerts | | User Failed To Login Using OCSP | KeyArmor |
| KeyArmor Activity Alerts | | User locked out after too many failed login attempts | KeyArmor |
| KeyArmor Activity Alerts | | Failed Login Attempts Exceeded | KeyArmor |
| KeyArmor Activity Alerts | | Key Wiped | KeyArmor |
| KeyArmor Activity Alerts | | User Renamed A File | KeyArmor |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| KeyArmor Activity Alerts | | User Changed A File | KeyArmor |
| KeyArmor Activity Alerts | | User Deleted A File | KeyArmor |
| KeyArmor Activity Alerts | | User Created A File | KeyArmor |
| KeyArmor Activity Alerts | | Primary action enforced due to no connection | KeyArmor |
| KeyArmor Activity Alerts | | Secondary action enforced due to no connection | KeyArmor |
| KeyArmor Activity Alerts | | Policy updates applied | KeyArmor |
| KeyArmor Activity Alerts | | Repaired infected file | KeyArmor |
| KeyArmor Activity Alerts | | Unable to repair infected file | KeyArmor |
| KeyArmor Activity Alerts | | Skipping infected file, repair unsupported | KeyArmor |
| KeyArmor Activity Alerts | | Deleted infected file | KeyArmor |
| KeyArmor Activity Alerts | | Unable to delete infected file | KeyArmor |
| KeyArmor Activity Alerts | | Killing device due to infected file | KeyArmor |
| KeyArmor Activity Alerts | | Error killing device due to infected file | KeyArmor |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| KeyArmor Activity Alerts | | Invoking infected file fall-back action | KeyArmor |
| KeyArmor Activity Alerts | | AntiVirus files updated | KeyArmor |
| KeyArmor Activity Alerts | | Unable to update antivirus files. | KeyArmor |
| Login / Logout Alerts | | Failed Login Attempt | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Login / Logout Alerts | | Successful Login | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Login / Logout Alerts | | Unable to log in. Use Remote Authentication to provide the Administrator with a challenge code. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Login / Logout Alerts | | Unsuccessful ColorCode Login | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Login / Logout Alerts | | Unsuccessful Fixed Password Login | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Login / Logout Alerts | | Unsuccessful PIN Login | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Login / Logout Alerts | | Unsuccessful X99 Login | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Login / Logout Alerts | | Successful ColorCode Login | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Login / Logout Alerts | | Successful X9.9 Login | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Login / Logout Alerts | | Successful Remote Login | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Login / Logout Alerts | | Successful WebToken Login | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Login / Logout Alerts | | Unsuccessful WebToken Login | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Login / Logout Alerts | | Fixed Password login blocked due to lockout. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Login / Logout Alerts | | User Login Successfully Unlocked | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Login / Logout Alerts | | LDAP User Authentication Succeeded | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Login / Logout Alerts | | LDAP User Authentication Failed | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Login / Logout Alerts | | LDAP User Password Change Succeeded | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Login / Logout Alerts | | LDAP User Password Change Failed | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Login / Logout Alerts | | Access request aborted due to failed policy integrity check. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Login / Logout Alerts | | Successful Logout | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Login / Logout Alerts | | The ColorCodes do not match. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Login / Logout Alerts | | Unable to change ColorCode. The new ColorCode must be different than the current one. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Login / Logout Alerts | | Unable to change ColorCode. The new ColorCode must meet the minimum length requirements defined by. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Login / Logout Alerts | | Unable to change ColorCode. The new ColorCode must be different than any previous ColorCode used. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Login / Logout Alerts | | ColorCode Change Failure - Internal Error | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Login / Logout Alerts | | X9.9 Password Change Failure - Can Not Connect to Host | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Login / Logout Alerts | | X9.9 Password Change Failure - Empty Serial Number | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Login / Logout Alerts | | X9.9 Password Change Failure - Internal Error | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Login / Logout Alerts | | Unable to reset locked device. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Login / Logout Alerts | | Smart Card login successful. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Login / Logout Alerts | | Smart Card login unsuccessful. Check that the card is seated properly and that the Smart Card PIN is valid. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Mobile Device Alert | | Palm Policy Database is missing | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Mobile Device Alert | | Palm Encryption Error | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Mobile Device Alert | | PPC Device Encryption Changed | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Mobile Device Alert | | PPC Encryption Error | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| MobileFirewall Activity Alerts | | MobileFirewall | MobileFirewall |
| MobileFirewall Activity Alerts | | DenialOfServiceAttack | MobileFirewall |
| OCSP Alerts | | OCSP certificate status good. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| OCSP Alerts | | OCSP certificate status revoked. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| OCSP Alerts | | OCSP certificate status unknown. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| OTA Alerts | | OTA Object Missing or Corrupt. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| OTA Alerts | | OTA Sync Successful | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| OTA Alerts | | OTA Device Killed | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Password Alerts | | Change Password Error | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Password Alerts | | Password Attempts Exceeded | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Password Alerts | | Password Reset to ColorCode | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Password Alerts | | Password Reset to Fixed | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Password Alerts | | Password Reset to PIN | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Password Alerts | | Successful Fixed Password Login | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Password Alerts | | Successful PIN Password Login | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Password Alerts | | Unable to Reset Password | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Password Alerts | | Unable to change password. The new password must be different than the current password. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Password Alerts | | Unable to change password. The passwords do not match. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Password Alerts | | Unable to change password. The password field cannot be empty. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Password Alerts | | Unable to change password. The password does not meet the minimum length requirements defined by. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Password Alerts | | Unable to change password. Numbers are not permitted. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Password Alerts | | Unable to change password. Letters are not permitted. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Password Alerts | | Unable to change password. Special characters are not permitted. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Password Alerts | | Unable to change password. The password cannot contain the user name. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Password Alerts | | Unable to change password. The password does not contain enough special characters. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Password Alerts | | Unable to change password. The password does not contain enough numbers. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Password Alerts | | Unable to change password. The password does not contain enough characters. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Password Alerts | | Unable to change password. The password contains too many consecutive characters. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Password Alerts | | Unable to change password. The new password must be different than any previous password used. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Password Alerts | | Password Change Failure - Internal Error | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Password Alerts | | Successfully changed Fixed Password. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Password Alerts | | Password reset to Fixed Password. | FileArmor SP6 or Earlier |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Password Alerts | | Password reset to Smart Card | FileArmor SP6 or Earlier |
| Password Alerts | | Password reset to Domain Authentication. | FileArmor SP6 or Earlier |
| Password Alerts | | Unable to change password. | KeyArmor |
| Password Alerts | | Password changed successfully. | KeyArmor |
| Password Alerts | | Password reset to fixed password. | KeyArmor |
| Password Alerts | | Password reset To Smart Card | KeyArmor |
| Password Alerts | | Password reset to domain authentication. | KeyArmor |
| PIN Change Alerts | | Unable to change PIN. The PINs do not match. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| PIN Change Alerts | | Unable to change PIN. One of the fields are empty. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| PIN Change Alerts | | Unable to change PIN. The PINs do not match. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| PIN Change Alerts | | Unable to change PIN. The new PIN cannot be the same as the old PIN. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| PIN Change Alerts | | Unable to change PIN. The new PIN does not meet the minimum length requirements defined by. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| PIN Change Alerts | | Unable to change PIN. The PIN cannot contain the user name. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| PIN Change Alerts | | Unable to change PIN. The new PIN must be different than any previous PIN used. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| PIN Change Alerts | | PIN Change Failure - Internal Error | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Smart Card Alerts | | Registered SmartCard. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |

| CATEGORY | MESSAGE ID | DESCRIPTION | PRODUCTS |
|---|---|---|---|
| Smart Card Alerts | | Unable to register Smart Card. Check that the card is seated properly and that the Smart Card PIN is valid. | Full Disk Encryption, FileArmor, DriveArmor, KeyArmor, or |
| Windows Mobile Alerts | | OTA Install started | Full Disk Encryption for Windows Mobile |
| Windows Mobile Alerts | | OTA Install completed | Full Disk Encryption for Windows Mobile |
| Windows Mobile Alerts | | OTA SMS message sent | Full Disk Encryption for Windows Mobile |
| Windows Mobile Alerts | | OTA Directory Listing Received | Full Disk Encryption for Windows Mobile |
| Windows Mobile Alerts | | OTA Device Attributes Received | Full Disk Encryption for Windows Mobile |
| Windows Mobile Alerts | | OTA Device Backup | Full Disk Encryption for Windows Mobile |
| Windows Mobile Alerts | | OTA Device Restore | Full Disk Encryption for Windows Mobile |



More information

Metalogix SharePoint Backup. Advanced Installation Guide. Publication Date: August 24, 2015

Metalogix SharePoint Backup. Advanced Installation Guide. Publication Date: August 24, 2015 Metalogix SharePoint Backup Publication Date: August 24, 2015 All Rights Reserved. This software is protected by copyright law and international treaties. Unauthorized reproduction or distribution of this

More information

Table of Contents. Introduction...9. Installation...17. Program Tour...31. The Program Components...10 Main Program Features...11

Table of Contents. Introduction...9. Installation...17. Program Tour...31. The Program Components...10 Main Program Features...11 2011 AdRem Software, Inc. This document is written by AdRem Software and represents the views and opinions of AdRem Software regarding its content, as of the date the document was issued. The information

More information

Full Disk Encryption Agent Reference

Full Disk Encryption Agent Reference www.novell.com/documentation Full Disk Encryption Agent Reference ZENworks 11 Support Pack 3 May 2014 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or

More information

AD Self-Service Suite for Active Directory

AD Self-Service Suite for Active Directory The Dot Net Factory AD Self-Service Suite for Active Directory Version 3.6 The Dot Net Factory, LLC. 2005-2011. All rights reserved. This guide contains proprietary information, which is protected by copyright.

More information

McAfee Endpoint Encryption for PC 7.0

McAfee Endpoint Encryption for PC 7.0 Migration Guide McAfee Endpoint Encryption for PC 7.0 For use with epolicy Orchestrator 4.6 Software COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee,

More information

RSA Authentication Agent 7.2 for Microsoft Windows Installation and Administration Guide

RSA Authentication Agent 7.2 for Microsoft Windows Installation and Administration Guide RSA Authentication Agent 7.2 for Microsoft Windows Installation and Administration Guide Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com

More information

LifeSize Control Installation Guide

LifeSize Control Installation Guide LifeSize Control Installation Guide April 2005 Part Number 132-00001-001, Version 1.0 Copyright Notice Copyright 2005 LifeSize Communications. All rights reserved. LifeSize Communications has made every

More information

Check Point FDE integration with Digipass Key devices

Check Point FDE integration with Digipass Key devices INTEGRATION GUIDE Check Point FDE integration with Digipass Key devices 1 VASCO Data Security Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document

More information

CTERA Agent for Windows

CTERA Agent for Windows User Guide CTERA Agent for Windows May 2012 Version 3.1 Copyright 2009-2012 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without written

More information

DriveLock and Windows 7

DriveLock and Windows 7 Why alone is not enough CenterTools Software GmbH 2011 Copyright Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise

More information

http://downloadcenter.trendmicro.com/

http://downloadcenter.trendmicro.com/ Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

WhatsUp Gold v16.2 Installation and Configuration Guide

WhatsUp Gold v16.2 Installation and Configuration Guide WhatsUp Gold v16.2 Installation and Configuration Guide Contents Installing and Configuring Ipswitch WhatsUp Gold v16.2 using WhatsUp Setup Installing WhatsUp Gold using WhatsUp Setup... 1 Security guidelines

More information

Getting Started. Symantec Client Security. About Symantec Client Security. How to get started

Getting Started. Symantec Client Security. About Symantec Client Security. How to get started Getting Started Symantec Client Security About Security Security provides scalable, cross-platform firewall, intrusion prevention, and antivirus protection for workstations and antivirus protection for

More information

SafeGuard Enterprise Web Helpdesk

SafeGuard Enterprise Web Helpdesk SafeGuard Enterprise Web Helpdesk Product version: 5.60 Document date: April 2011 Contents 1 SafeGuard web-based Challenge/Response...3 2 Installation...5 3 Authentication...8 4 Select the Web Help Desk

More information

Propalms TSE Deployment Guide

Propalms TSE Deployment Guide Propalms TSE Deployment Guide Version 7.0 Propalms Ltd. Published October 2013 Overview This guide provides instructions for deploying Propalms TSE in a production environment running Windows Server 2003,

More information

Symantec Endpoint Encryption Full Disk

Symantec Endpoint Encryption Full Disk Symantec Endpoint Encryption Full Disk Installation Guide Version 7.0 Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any

More information

WhatsUp Gold v16.1 Installation and Configuration Guide

WhatsUp Gold v16.1 Installation and Configuration Guide WhatsUp Gold v16.1 Installation and Configuration Guide Contents Installing and Configuring Ipswitch WhatsUp Gold v16.1 using WhatsUp Setup Installing WhatsUp Gold using WhatsUp Setup... 1 Security guidelines

More information

InventoryControl for use with QuoteWerks Quick Start Guide

InventoryControl for use with QuoteWerks Quick Start Guide InventoryControl for use with QuoteWerks Quick Start Guide Copyright 2013 Wasp Barcode Technologies 1400 10 th St. Plano, TX 75074 All Rights Reserved STATEMENTS IN THIS DOCUMENT REGARDING THIRD PARTY

More information

POLICY PATROL MFT. Manual

POLICY PATROL MFT. Manual POLICY PATROL MFT Manual MANUAL Policy Patrol MFT This manual, and the software described in this manual, are copyrighted. No part of this manual or the described software may be copied, reproduced, translated

More information

BorderGuard Client. Version 4.4. November 2013

BorderGuard Client. Version 4.4. November 2013 BorderGuard Client Version 4.4 November 2013 Blue Ridge Networks 14120 Parke Long Court, Suite 103 Chantilly, Virginia 20151 703-631-0700 WWW.BLUERIDGENETWORKS.COM All Products are provided with RESTRICTED

More information

safend a w a v e s y s t e m s c o m p a n y

safend a w a v e s y s t e m s c o m p a n y safend a w a v e s y s t e m s c o m p a n y SAFEND Data Protection Suite Installation Guide Version 3.4.5 Important Notice This guide is delivered subject to the following conditions and restrictions:

More information

Sophos Cloud Migration Tool Help. Product version: 1.0

Sophos Cloud Migration Tool Help. Product version: 1.0 Sophos Cloud Migration Tool Help Product version: 1.0 Document date: June 2015 Contents 1 About the Sophos Cloud Migration Tool...4 2 How does Sophos Cloud differ from on-premise management?...5 3 How

More information

Manual POLICY PATROL SECURE FILE TRANSFER

Manual POLICY PATROL SECURE FILE TRANSFER Manual POLICY PATROL SECURE FILE TRANSFER MANUAL Policy Patrol Secure File Transfer This manual, and the software described in this manual, are copyrighted. No part of this manual or the described software

More information

SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide

SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide Copyright and Trademark Statements 2014 ViewSonic Computer Corp. All rights reserved. This document contains proprietary information that

More information

Trend Micro Email Encryption Gateway 5

Trend Micro Email Encryption Gateway 5 Trend Micro Email Encryption Gateway 5 Secured by Private Post Quick Installation Guide m Messaging Security Trend Micro Incorporated reserves the right to make changes to this document and to the products

More information

Quick Start Guide for VMware and Windows 7

Quick Start Guide for VMware and Windows 7 PROPALMS VDI Version 2.1 Quick Start Guide for VMware and Windows 7 Rev. 1.1 Published: JULY-2011 1999-2011 Propalms Ltd. All rights reserved. The information contained in this document represents the

More information

Citrix Access Gateway Plug-in for Windows User Guide

Citrix Access Gateway Plug-in for Windows User Guide Citrix Access Gateway Plug-in for Windows User Guide Access Gateway 9.2, Enterprise Edition Copyright and Trademark Notice Use of the product documented in this guide is subject to your prior acceptance

More information

NETWRIX ACCOUNT LOCKOUT EXAMINER

NETWRIX ACCOUNT LOCKOUT EXAMINER NETWRIX ACCOUNT LOCKOUT EXAMINER ADMINISTRATOR S GUIDE Product Version: 4.1 July 2014. Legal Notice The information in this publication is furnished for information use only, and does not constitute a

More information

Sophos SafeGuard Native Device Encryption for Mac Administrator help. Product version: 7

Sophos SafeGuard Native Device Encryption for Mac Administrator help. Product version: 7 Sophos SafeGuard Native Device Encryption for Mac Administrator help Product version: 7 Document date: December 2014 Contents 1 About SafeGuard Native Device Encryption for Mac...3 1.1 About this document...3

More information

GoldKey Software. User s Manual. Revision 7.12. WideBand Corporation www.goldkey.com. Copyright 2007-2014 WideBand Corporation. All Rights Reserved.

GoldKey Software. User s Manual. Revision 7.12. WideBand Corporation www.goldkey.com. Copyright 2007-2014 WideBand Corporation. All Rights Reserved. GoldKey Software User s Manual Revision 7.12 WideBand Corporation www.goldkey.com 1 Table of Contents GoldKey Installation and Quick Start... 5 Initial Personalization... 5 Creating a Primary Secure Drive...

More information

Getting started. Symantec AntiVirus Corporate Edition 8.1 for Workstations and Network Servers

Getting started. Symantec AntiVirus Corporate Edition 8.1 for Workstations and Network Servers Getting started Symantec AntiVirus Corporate Edition 8.1 for Workstations and Network Servers Copyright 2003 Symantec Corporation. All rights reserved. Printed in the U.S.A. 03/03 Symantec and the Symantec

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

How To Set Up Safetica Insight 9 (Safetica) For A Safetrica Management Service (Sms) For An Ipad Or Ipad (Smb) (Sbc) (For A Safetaica) (

How To Set Up Safetica Insight 9 (Safetica) For A Safetrica Management Service (Sms) For An Ipad Or Ipad (Smb) (Sbc) (For A Safetaica) ( SAFETICA INSIGHT INSTALLATION MANUAL SAFETICA INSIGHT INSTALLATION MANUAL for Safetica Insight version 6.1.2 Author: Safetica Technologies s.r.o. Safetica Insight was developed by Safetica Technologies

More information

Centran Version 4 Getting Started Guide KABA MAS. Table Of Contents

Centran Version 4 Getting Started Guide KABA MAS. Table Of Contents Page 1 Centran Version 4 Getting Started Guide KABA MAS Kaba Mas Welcome Kaba Mas, part of the world-wide Kaba group, is the world's leading manufacturer and supplier of high security, electronic safe

More information

Jetico Central Manager. Administrator Guide

Jetico Central Manager. Administrator Guide Jetico Central Manager Administrator Guide Introduction Deployment, updating and control of client software can be a time consuming and expensive task for companies and organizations because of the number

More information

SafeGuard Enterprise Web Helpdesk. Product version: 6.1

SafeGuard Enterprise Web Helpdesk. Product version: 6.1 SafeGuard Enterprise Web Helpdesk Product version: 6.1 Document date: February 2014 Contents 1 SafeGuard web-based Challenge/Response...3 2 Scope of Web Helpdesk...4 3 Installation...5 4 Allow Web Helpdesk

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

VMware Mirage Web Manager Guide

VMware Mirage Web Manager Guide Mirage 5.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document,

More information

Installing and Configuring vcenter Multi-Hypervisor Manager

Installing and Configuring vcenter Multi-Hypervisor Manager Installing and Configuring vcenter Multi-Hypervisor Manager vcenter Server 5.1 vcenter Multi-Hypervisor Manager 1.1 This document supports the version of each product listed and supports all subsequent

More information

SOS Suite Installation Guide

SOS Suite Installation Guide SOS Suite Installation Guide rev. 8/31/2010 Contents Overview Upgrading from SOS 2009 and Older Pre-Installation Recommendations Network Installations System Requirements Preparing for Installation Installing

More information

Table of Contents. Preface. Chapter 1: Getting Started with Endpoint Application Control. Chapter 2: Updating Components

Table of Contents. Preface. Chapter 1: Getting Started with Endpoint Application Control. Chapter 2: Updating Components Table of Contents Preface Preface... v Endpoint Application Control Documentation... vi Audience... vi Document Conventions... vii Terminology... viii Chapter 1: Getting Started with Endpoint Application

More information

Bitrix Site Manager ASP.NET. Installation Guide

Bitrix Site Manager ASP.NET. Installation Guide Bitrix Site Manager ASP.NET Installation Guide Contents Introduction... 4 Chapter 1. Checking for IIS Installation... 5 Chapter 2. Using An Archive File to Install Bitrix Site Manager ASP.NET... 7 Preliminary

More information

Sharp Remote Device Manager (SRDM) Server Software Setup Guide

Sharp Remote Device Manager (SRDM) Server Software Setup Guide Sharp Remote Device Manager (SRDM) Server Software Setup Guide This Guide explains how to install the software which is required in order to use Sharp Remote Device Manager (SRDM). SRDM is a web-based

More information

Quick Install Guide. Lumension Endpoint Management and Security Suite 7.1

Quick Install Guide. Lumension Endpoint Management and Security Suite 7.1 Quick Install Guide Lumension Endpoint Management and Security Suite 7.1 Lumension Endpoint Management and Security Suite - 2 - Notices Version Information Lumension Endpoint Management and Security Suite

More information

MGC WebCommander Web Server Manager

MGC WebCommander Web Server Manager MGC WebCommander Web Server Manager Installation and Configuration Guide Version 8.0 Copyright 2006 Polycom, Inc. All Rights Reserved Catalog No. DOC2138B Version 8.0 Proprietary and Confidential The information

More information

1. System Requirements

1. System Requirements BounceBack Data Transfer 14.2 User Guide This guide presents you with information on how to use BounceBack Data Transfer 14.2. Contents 1. System Requirements 2. Attaching Your New Hard Drive To The Data

More information

Getting started. Symantec AntiVirus Corporate Edition. About Symantec AntiVirus. How to get started

Getting started. Symantec AntiVirus Corporate Edition. About Symantec AntiVirus. How to get started Getting started Corporate Edition Copyright 2005 Corporation. All rights reserved. Printed in the U.S.A. 03/05 PN: 10362873 and the logo are U.S. registered trademarks of Corporation. is a trademark of

More information

HP ProtectTools User Guide

HP ProtectTools User Guide HP ProtectTools User Guide Copyright 2007 Hewlett-Packard Development Company, L.P. Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation. Intel is a trademark or registered trademark

More information

Pre-Installation Checks Installation Creating Users and Quick Setup Usage Examples and Settings Appendix

Pre-Installation Checks Installation Creating Users and Quick Setup Usage Examples and Settings Appendix Standard Setup Guide 1 2 3 4 5 Pre-Installation Checks Installation Creating Users and Quick Setup Usage Examples and Settings Appendix Read this manual carefully before you use this product and keep it

More information

Virtual CD v10. Network Management Server Manual. H+H Software GmbH

Virtual CD v10. Network Management Server Manual. H+H Software GmbH Virtual CD v10 Network Management Server Manual H+H Software GmbH Table of Contents Table of Contents Introduction 1 Legal Notices... 2 What Virtual CD NMS can do for you... 3 New Features in Virtual

More information

VERITAS Backup Exec TM 10.0 for Windows Servers

VERITAS Backup Exec TM 10.0 for Windows Servers VERITAS Backup Exec TM 10.0 for Windows Servers Quick Installation Guide N134418 July 2004 Disclaimer The information contained in this publication is subject to change without notice. VERITAS Software

More information

CLOUD SECURITY FOR ENDPOINTS POWERED BY GRAVITYZONE

CLOUD SECURITY FOR ENDPOINTS POWERED BY GRAVITYZONE CLOUD SECURITY FOR ENDPOINTS POWERED BY GRAVITYZONE Quick Start Guide for Partners Cloud Security for Endpoints powered by GravityZone Quick Start Guide for Partners Publication date 2013.10.28 Copyright

More information

DameWare Server. Administrator Guide

DameWare Server. Administrator Guide DameWare Server Administrator Guide About DameWare Contact Information Team Contact Information Sales 1.866.270.1449 General Support Technical Support Customer Service User Forums http://www.dameware.com/customers.aspx

More information

http://docs.trendmicro.com

http://docs.trendmicro.com Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Installing CaseMap Server User Guide

Installing CaseMap Server User Guide Installing CaseMap Server User Guide CaseMap Server, Version 1.8 System Requirements Installing CaseMap Server Installing the CaseMap Admin Console Installing the CaseMap SQL Import Utility Testing Installation

More information

Installation Guide for Pulse on Windows Server 2008R2

Installation Guide for Pulse on Windows Server 2008R2 MadCap Software Installation Guide for Pulse on Windows Server 2008R2 Pulse Copyright 2014 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software

More information

Administration GUIDE. SharePoint Server idataagent. Published On: 11/19/2013 V10 Service Pack 4A Page 1 of 201

Administration GUIDE. SharePoint Server idataagent. Published On: 11/19/2013 V10 Service Pack 4A Page 1 of 201 Administration GUIDE SharePoint Server idataagent Published On: 11/19/2013 V10 Service Pack 4A Page 1 of 201 Getting Started - SharePoint Server idataagent Overview Deployment Configuration Decision Table

More information

Lenovo Online Data Backup User Guide Version 1.8.14

Lenovo Online Data Backup User Guide Version 1.8.14 Lenovo Online Data Backup User Guide Version 1.8.14 Contents Chapter 1: Installing Lenovo Online Data Backup...5 Downloading the Lenovo Online Data Backup Client...5 Installing the Lenovo Online Data

More information

RSA Authentication Agent 7.1 for Microsoft Windows Installation and Administration Guide

RSA Authentication Agent 7.1 for Microsoft Windows Installation and Administration Guide RSA Authentication Agent 7.1 for Microsoft Windows Installation and Administration Guide Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com

More information

Desktop Surveillance Help

Desktop Surveillance Help Desktop Surveillance Help Table of Contents About... 9 What s New... 10 System Requirements... 11 Updating from Desktop Surveillance 2.6 to Desktop Surveillance 3.2... 13 Program Structure... 14 Getting

More information

SecureDoc for Mac v6.1. User Manual

SecureDoc for Mac v6.1. User Manual SecureDoc for Mac v6.1 User Manual Copyright 1997-2012 by WinMagic Inc. All rights reserved. Printed in Canada Many products, software and technologies are subject to export control for both Canada and

More information

Getting started. Symantec AntiVirus Business Pack. About Symantec AntiVirus. Where to find information

Getting started. Symantec AntiVirus Business Pack. About Symantec AntiVirus. Where to find information Getting started Symantec AntiVirus Business Pack Copyright 2004 Symantec Corporation. All rights reserved. Printed in the U.S.A. 03/04 Symantec and the Symantec logo are U.S. registered trademarks of Symantec

More information

Symantec Backup Exec 12.5 for Windows Servers. Quick Installation Guide

Symantec Backup Exec 12.5 for Windows Servers. Quick Installation Guide Symantec Backup Exec 12.5 for Windows Servers Quick Installation Guide 13897290 Installing Backup Exec This document includes the following topics: System requirements Before you install About the Backup

More information

Diamond II v2.3 Service Pack 4 Installation Manual

Diamond II v2.3 Service Pack 4 Installation Manual Diamond II v2.3 Service Pack 4 Installation Manual P/N 460987001B ISS 26APR11 Copyright Disclaimer Trademarks and patents Intended use Software license agreement FCC compliance Certification and compliance

More information

CTERA Agent for Windows

CTERA Agent for Windows User Guide CTERA Agent for Windows September 2013 Version 4.0 Copyright 2009-2013 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without

More information

Installing and Configuring WhatsUp Gold

Installing and Configuring WhatsUp Gold Installing and Configuring WhatsUp Gold This guide provides information about installing and configuring WhatsUp Gold v14.2, including instructions on how to run the WhatsUp web interface through an Internet

More information

Pcounter Web Report 3.x Installation Guide - v2014-11-30. Pcounter Web Report Installation Guide Version 3.4

Pcounter Web Report 3.x Installation Guide - v2014-11-30. Pcounter Web Report Installation Guide Version 3.4 Pcounter Web Report 3.x Installation Guide - v2014-11-30 Pcounter Web Report Installation Guide Version 3.4 Table of Contents Table of Contents... 2 Installation Overview... 3 Installation Prerequisites

More information

NETWRIX EVENT LOG MANAGER

NETWRIX EVENT LOG MANAGER NETWRIX EVENT LOG MANAGER QUICK-START GUIDE FOR THE ENTERPRISE EDITION Product Version: 4.0 July/2012. Legal Notice The information in this publication is furnished for information use only, and does not

More information

Server Installation Guide ZENworks Patch Management 6.4 SP2

Server Installation Guide ZENworks Patch Management 6.4 SP2 Server Installation Guide ZENworks Patch Management 6.4 SP2 02_016N 6.4SP2 Server Installation Guide - 2 - Notices Version Information ZENworks Patch Management Server Installation Guide - ZENworks Patch

More information

DriveLock and Windows 8

DriveLock and Windows 8 Why alone is not enough CenterTools Software GmbH 2013 Copyright Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise

More information

Installation Guide for Pulse on Windows Server 2012

Installation Guide for Pulse on Windows Server 2012 MadCap Software Installation Guide for Pulse on Windows Server 2012 Pulse Copyright 2014 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software

More information

Symantec Backup Exec TM 11d for Windows Servers. Quick Installation Guide

Symantec Backup Exec TM 11d for Windows Servers. Quick Installation Guide Symantec Backup Exec TM 11d for Windows Servers Quick Installation Guide September 2006 Symantec Legal Notice Copyright 2006 Symantec Corporation. All rights reserved. Symantec, Backup Exec, and the Symantec

More information

Portions of this product were created using LEADTOOLS 1991-2009 LEAD Technologies, Inc. ALL RIGHTS RESERVED.

Portions of this product were created using LEADTOOLS 1991-2009 LEAD Technologies, Inc. ALL RIGHTS RESERVED. Installation Guide Lenel OnGuard 2009 Installation Guide, product version 6.3. This guide is item number DOC-110, revision 1.038, May 2009 Copyright 1992-2009 Lenel Systems International, Inc. Information

More information

NetWrix Account Lockout Examiner Version 4.0 Administrator Guide

NetWrix Account Lockout Examiner Version 4.0 Administrator Guide NetWrix Account Lockout Examiner Version 4.0 Administrator Guide Table of Contents Concepts... 1 Product Architecture... 1 Product Settings... 2 List of Managed Domains and Domain Controllers... 2 Email

More information