Admin Guide IronKey Enterprise Management Service
Thank you for choosing IronKey. IronKey is committed to creating and developing the best security technologies and making them simple-to-use, affordable, and available to everyone. Years of research and millions of dollars of development have gone into bringing this technology to you in the IronKey. We are very open to user feedback and would greatly appreciate hearing about your comments, suggestions, and experiences with the IronKey.

Standard Feedback: feedback@ironkey.com
Anonymous Feedback: https://www.ironkey.com/feedback
User Forum: https://forum.ironkey.com
CONTENTS

Overview
Meet IronKey Enterprise
IronKey Enterprise Administrative Features
Setup and Deployment
Getting Started
Creating Your IronKey Enterprise Account
Activation and Initialization
Adding Users to the Enterprise Account
Activating IronKey Enterprise for Basic Users
Deploying IronKey Enterprise
Deployment Method 1: Automated Distributed Deployment
Deployment Method 2: Distributed Deployment
Deployment Method 3: Manual Deployment
Updating Device Software
Best Practices for a Smooth Rollout
Deployment Checklist
Using IronKey Enterprise
System Elements and Terminology
IronKey Users
IronKey Devices
IronKey Policies
Events and System Auditability
Understanding the Silver Bullet Service
Understanding Password Assistance
Using the Admin Console
Accessing the Admin Console
The Enterprise Dashboard
Managing Users
Managing Devices
Using the Silver Bullet Service
Using Password Assistance
Managing Policies
Managing Licenses
Enterprise Support Page
Using the Admin Tools
Accessing the Admin Tools
Using Secure Device Recovery
Promoting a Standard User to be an Admin
Recommissioning Devices
Importing Authentication Credentials
Importing RSA SecurID Tokens
Importing a Digital Certificate into the IronKey
Administering the IronKey Anti-Malware Service
Interpreting IronKey Malware Scanner Reports
Common Tasks
Adding New Users
Activating Devices for a User
Adding New Admins
Adding New Devices to Users
Disabling Lost Devices
Helping a User with Password Assistance
Using Non-Administrative Features
Known Issues
Enterprise Support
Product Specifications
Contact Information
Overview

Meet IronKey Enterprise

The IronKey Enterprise Secure Flash Drive, designed to be the world's most secure USB flash drive, tightly integrates with the IronKey Enterprise Management Service to give you control over protecting your organization's data, ensuring that security policies are enforced, and remotely managing IronKey devices.

IronKey Enterprise consists of three interrelated elements that provide a robust solution to USB flash drive security and device management:

» The IronKey Secure Flash Drive hardware
» Applications bundled on the IronKey (based on policy configuration)
» The IronKey's secure online services, which provide centralized administrative capabilities to IronKey Enterprise Admins

This guide informs you about how to get the most out of IronKey Enterprise, as well as best practices for deploying and managing IronKeys in your enterprise environment.
IronKey Enterprise Administrative Features

The Admin Console: Centralized Online Device Management
IronKey Enterprise includes a centralized management console for managing tens, hundreds or thousands of devices, reducing overall deployment times and maintenance requirements.

IronKey Policies: Enforcing Corporate Security Policies
IronKey Enterprise allows you to configure policies for device password strength, self-destruction settings, and enabling specific IronKey applications, services and more. Policies are downloaded to a device during activation, and changes to policies are automatically updated on affected devices after each device is unlocked.

Silver Bullet Service: Protecting Against Malicious Users
IronKey's Silver Bullet Service will confirm that IronKey devices are authorized before allowing them to be unlocked. This real-time service allows Admins to completely disable and even remotely detonate devices, extending the control needed to protect important data. It also supports users who are not always online by allowing a predetermined number of unlock attempts before disabling the device.

When enabled, each IronKey will quickly check with the Silver Bullet Service immediately after the user tries to unlock the device, but prior to allowing the device to be unlocked. Active users will be able to unlock their IronKeys and continue as normal. Disabled users will receive a Deny command preventing them from unlocking the device, while lost or stolen devices that have been marked for detonation will receive a Destroy command and will initiate a self-destruct sequence on the device.

Admin Tools: Onboard each Administrator's IronKey
Admins have additional functionality enabled in their IronKey's Control Panel, including Secure Device Recovery, Admin Approval, and Device Recommissioning.
Secure Device Recovery: Securely Unlocking Users' Devices
Secure Device Recovery is IronKey's patent-pending PKI mechanism for Admins to unlock another user's IronKey device, such as in the case of employee termination, regulatory compliance, or forensic investigations. Unlike many other solutions, there is no central database of back-door passwords.

Device Recommissioning: Securely Repurposing Users' Devices
When employees leave the organization, their IronKeys can be safely recommissioned to new users. This process requires Admin authentication and authorization using IronKey Enterprise's secure online services.

Admin Approval: Securely Promoting Users to Become Admins
When a new Admin is created, or a user is promoted to become an Admin, a verification procedure occurs not only on the service, but also on an existing Admin's IronKey device. This ensures that the new user is cryptographically approved and able to become an Admin for your Enterprise Account.
Setup and Deployment

Getting Started

IMPORTANT BEFORE YOU BEGIN

IronKey Enterprise is designed to protect your organization from the risks of data loss and data leakage by delivering world-class security. However, it is important to follow a few best practices when setting up your Enterprise Account to ensure that the proper levels of security and usability are met:

» Make sure the person setting up the Enterprise Account has a thorough knowledge of your organization's security policies and is authorized to be the System Admin for all of your organization's IronKey devices. That person will define the default policy for IronKey devices.
» Make sure there are multiple System Admins. To ensure the highest security, even IronKey is unable to intervene in your Enterprise Account in the event that a lone System Admin leaves the organization, loses his only IronKey device, or forgets that device's password. Have multiple System Admins at all times, each with multiple active devices.
» Please review the Best Practices section in this document for a smooth deployment.

CREATING YOUR IRONKEY ENTERPRISE ACCOUNT

Before you can begin deploying and managing IronKey Enterprise drives for end-users, you must create your IronKey Enterprise Account. To set up the account, you need:

» A PC running Microsoft Windows 2000 (SP4), XP (SP2), or Vista
» A USB 2.0 port for high-speed data transfer
» An Internet connection
» The email you received from IronKey with your Enterprise Account Number
1. Enter your Account Number at https://my.ironkey.com/enterprise
   This can also be done by clicking the link in the email you received from IronKey regarding setting up your IronKey Enterprise Account.

2. You must confirm that you are the appropriate authority for setting up your organization's IronKey Enterprise Account.
   Select the checkbox and click Continue.

3. The next several steps allow you to establish security policies for your drives. To start, select the number of failed password attempts that a user may enter before the IronKey self-destructs and all the data on the IronKey is lost. All policy items can be changed later.

4. Set the password policy options, including minimum password length allowed, the minimum number of required characters, and requirements for backing up device passwords.
5. Configure the set of software applications and services that your users will have on their IronKeys. Putting the mouse over the help icon for each item shows a brief description of what that item is. See the section on Policy Items later in this document for more information.

6. Define a Lost and Found message that appears on the IronKey Unlocker screen when each device is plugged in. For example, this may include contact information in case a lost device is found, or department information for easily distinguishing devices. You may optionally choose to leave this blank or to allow users to define their own Lost and Found message.

7. The next several steps guide you through creating your own my.ironkey.com account for how you individually will access your organization's Enterprise Account. This involves creating a username and password, confirming your email address, answering Secret Questions, and choosing a Secret Image and Phrase for anti-phishing protection.
ACTIVATION AND INITIALIZATION

After confirming your information, an email is sent to you containing the Activation Code for your first IronKey Enterprise Secure Flash Drive.

1. Plug in any unactivated IronKey drive from the set you purchased.
   Your IronKey must be activated on a Windows (2000, XP, or Vista) or Mac computer. To use the full speed of the IronKey, plug it into a USB 2.0 port.

2. The Activate Your IronKey screen appears.
   The IronKey autoruns as a virtual CD-ROM.
   Windows: This screen might not appear if your computer does not allow devices to autorun. You can start it manually by double-clicking the IronKey Unlocker drive in My Computer and double-clicking the IronKey.exe file.
   Mac: Double-click the IronKey drive on your desktop, and double-click the IronKey file.
   NOTE: You can install the IronKey Auto-Launch Assistant, which automatically opens the IronKey Unlocker when you plug in an IronKey. See Preferences in IronKey Control Panel Settings. (Mac only)

3. Retrieve the email with your Activation Code. Copy and paste the code into the IronKey window. Click Continue when you are ready.
   Enter your email address and your Activation Code into the fields provided on the IronKey window. If your IronKey cannot connect to the Internet, click Edit Proxy Settings to adjust its network settings.

4. Create a device password and a nickname for your IronKey.
   Because you can have multiple IronKeys associated with one IronKey account, the nickname helps you distinguish between different IronKey devices. Your password is case-sensitive and must match your organization's password policy.

5. Back up your password online to your my.ironkey.com account.
   If enabled, you have the option to back up your password online to your my.ironkey.com account. That way, if you ever forget your password, you can safely log into https://my.ironkey.com and recover it.

6. The IronKey initializes.
   During this process, it generates the AES encryption keys, creates the file system for the secure volume, copies secure applications and files to the secure volume, and configures the onboard Firefox browser. Depending on your configuration, this might take several minutes.

After this device has been initialized, use the same steps to activate a second System Admin's device. IronKey Enterprise is ready for use.

IMPORTANT: Label this drive now as the administrator drive or leave it unmarked based on your security preferences. Keep this drive in a safe place. It is essential for maintaining your IronKey Enterprise Account.
ADDING USERS TO THE ENTERPRISE ACCOUNT

You can now begin adding users to your Enterprise Account.

1. Click the my.ironkey.com icon in the IronKey Control Panel to access the Admin Console.

2. Click Manage Users in the sidebar of the Admin Console tab.

3. Click the Add button in the top right.

4a. To add a single user, enter the user's name (optional), email (optional), role, policy for the user's device, and whether you want the system to send the user an email with the Activation Code for setting up his IronKey device (this requires that an email address be supplied). Then click Submit. The user will then be added to the Enterprise Account.
4b. To add a list of multiple users, click the Add Multiple Users button at the top right.

5. Copy and paste a CSV file's contents into the textbox provided and click Continue.
   Use this format:
   Name,Email,Role,Policy
   The Role can be one of the following:
   » System Admin
   » Admin User
   » Auditor
   » Standard User
   Up to 100 users can be added in a single import.
   An example of a row might be:
   John Doe,John_Doe@Organization.com,Auditor,IT Policy
   where the user's name is John Doe, email address is John_Doe@Organization.com, he will be an Auditor, and his device will use a policy with the name IT Policy.
   NOTE: All fields are optional and default to an anonymous Standard User with the Default Policy if not specified. Unless you are a System Admin, you can only add Standard Users.

6. You will be required to fix any errors before the data can be submitted. Once all data is verified and correct you will be allowed to submit it. Once all errors are fixed, click Submit, and the users will be added to the Enterprise Account.

Watch the online demonstration for more information.

ACTIVATING IRONKEY ENTERPRISE FOR BASIC USERS

To remotely manage users with IronKey Basic devices, you can ask them to activate IronKey Enterprise on their devices:

1. Add a new user in the Admin Console.
2. Send an activation code for the user to enter in the IronKey Basic Control Panel.
3. The user confirms the organization and its system administrator.

The device binds to the organization's Enterprise account, receiving the Enterprise device policy.
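A pre-flight check for the multi-user CSV import described under Adding Users to the Enterprise Account, added here as an example (it is not IronKey code). It applies the rules the guide states: the four role names, 100 rows per import, the defaults for blank fields, and the System Admin restriction. The function name preflight, the duplicate-email check, the quoted-field handling and the case-sensitive role match are assumptions.

```python
import csv
import io

# Role names and limits as listed in the guide's import instructions.
ROLES = ("System Admin", "Admin User", "Auditor", "Standard User")
MAX_ROWS = 100
FIELDS = ("Name", "Email", "Role", "Policy")


def preflight(text, importer_is_system_admin=False):
    """Check pasted import text; return (rows, errors, warnings).

    rows is a list of dicts with the guide's defaults filled in (Standard
    User, Default Policy). Quoted-field handling and exact, case-sensitive
    role matching are assumptions of this example.
    """
    rows, errors, warnings = [], [], []
    seen_emails = {}
    # csv.reader yields [] for an empty line; ",,," is kept as an anonymous user.
    records = [r for r in csv.reader(io.StringIO(text)) if r]
    if len(records) > MAX_ROWS:
        errors.append(f"{len(records)} rows; a single import takes up to {MAX_ROWS}")
    for n, rec in enumerate(records, start=1):
        if len(rec) > len(FIELDS):
            errors.append(f"row {n}: {len(rec)} fields, expected {','.join(FIELDS)}")
            continue
        cells = [c.strip() for c in rec] + [""] * (len(FIELDS) - len(rec))
        row = dict(zip(FIELDS, cells))
        row["Role"] = row["Role"] or "Standard User"
        row["Policy"] = row["Policy"] or "Default Policy"
        if row["Role"] not in ROLES:
            errors.append(f"row {n}: unknown role {row['Role']!r}")
        elif row["Role"] != "Standard User":
            if not importer_is_system_admin:
                errors.append(f"row {n}: role {row['Role']} needs a System Admin importer")
            else:
                # Any Admin Console role deserves a second look before submit.
                warnings.append(f"row {n}: grants {row['Role']}; confirm before submitting")
        email = row["Email"].lower()
        if not email:
            warnings.append(f"row {n}: no email, so no Activation Code can be mailed")
        elif email.count("@") != 1 or email.startswith("@") or email.endswith("@"):
            errors.append(f"row {n}: malformed email {row['Email']!r}")
        elif email in seen_emails:
            errors.append(f"row {n}: email repeats row {seen_emails[email]}")
        else:
            seen_emails[email] = n
        rows.append(row)
    return rows, errors, warnings


# Constructed sample input; the first row is the guide's own example row.
SAMPLE = """\
John Doe,John_Doe@Organization.com,Auditor,IT Policy
Jane Roe,jane_roe@organization.example,,
,,,
Sam Poe,john_doe@organization.com,Superuser,IT Policy
"""

if __name__ == "__main__":
    rows, errors, warnings = preflight(SAMPLE, importer_is_system_admin=True)
    for line in errors:
        print("ERROR  ", line)
    for line in warnings:
        print("WARNING", line)
    print(f"{len(rows)} rows parsed")
```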
Deploying IronKey Enterprise

You are now ready to distribute IronKey Secure Flash Drives to your users. Inside the packaging is an IronKey device, a Quick Start Guide, and a lanyard. There are three basic ways of deploying IronKeys to your organization. You can decide which one is right for your organization based on your security, privacy, and IT considerations.

DEPLOYMENT METHOD 1: AUTOMATED DISTRIBUTED DEPLOYMENT

The simplest and most cost-effective way to deploy IronKeys to your userbase is to add users to the Enterprise Account and then hand them an IronKey device. IronKey Enterprise will take care of the rest.

1. Add a user to the Enterprise Account. Review the detailed instructions elsewhere in this document for more information.
   Make sure to provide the user's email address and select the checkbox that will send the user an email with his Activation Code. Mass imports of up to 50 users will also have the users' Activation Codes automatically emailed to them.

2. Give the user an IronKey Enterprise Secure Flash Drive.
   Any purchased or recommissioned device will work.

3. Have the user retrieve the email with his Activation Code and copy and paste it into the IronKey.
   Instructions for this step are provided to the user in the Quick Start Guide and in the email. (NOTE: Requires a Windows or Mac computer.)

The user is now active in the Enterprise Account.

DEPLOYMENT METHOD 2: DISTRIBUTED DEPLOYMENT

If you have a very large userbase, want to customize the invitation email, or your corporate privacy policy is such that you will not import your users' email addresses into the Enterprise Account, you can import your users first and then email their setup information yourself.

1. Add users to the Enterprise Account. Review the detailed instructions elsewhere in this document for more information.
   Make sure to clear the checkbox that would send the user an email with his Activation Code.
   IMPORTANT: Even if you are performing a mass import and do not want the users emailed, we strongly recommend providing their email addresses to avoid problems during activation and online account setup.

2. The setup information for that user's device is presented on the screen (or in the case of a mass import, in a downloadable CSV file).

3. Email each user his IronKey setup information.
   This can be done manually for small numbers of users.

4. Give the user an IronKey Enterprise Secure Flash Drive.
   Any purchased or recommissioned device will work.

5. Have the user retrieve the email with his Activation Code and copy and paste it into the IronKey.
   Instructions for this step are provided to the user in the Quick Start Guide and in the email.

DEPLOYMENT METHOD 3: MANUAL DEPLOYMENT

If you do not want your users to be involved in the activation process, you can manually set up each IronKey and then hand it to the user. This method is simpler for the end-users, though it requires a little more effort from those deploying the devices.

1. Add a user to the Enterprise Account. Review the detailed instruction earlier in this document for more information.
   Make sure to clear the checkbox that would send the user an email with his Activation Code.
   IMPORTANT: Even if you do not want the user emailed, we strongly recommend providing their email address to avoid problems during activation and online account setup.

2. The setup information for that user's device is presented on the screen (or if for a mass import, in a downloadable CSV file).

3. Activate an IronKey Enterprise Secure Flash Drive, but stop before creating the device password.
   Any purchased or recommissioned device will do. Enter your email address and the Activation Code. (NOTE: Your email address will not be associated with the device after Activation.) When you get to the next screen, where you can create the device password, exit the setup process and unplug the device.

4. Give the device to the appropriate user.
   Make sure not to mix up your users' devices. Use the serial number on the back of the device as a reference.
Updating Device Software

You can get software updates for devices via download.

1. In the IronKey Control Panel, click Settings and then click the Check for Updates button.
   The IronKey can securely update its software and firmware through signed updates that are verified in hardware. This allows users to keep their devices up-to-date and protect themselves from future malware and online threats.

2. Click the Download Update button to download the updates and install them on the device.
   Windows: If an update is available, you can download and install it by clicking the Download Update button.
   Mac: You can check for and download policy updates. However, you must download software updates on a Windows computer.

3. After the installation is completed, you can check that the device is updated to the latest version:
   a. Lock and unplug the device, and then reinsert it.
   b. In the IronKey Control Panel, click Settings and then click About IronKey to view version information.
   You can view details about your device, including model number, serial number, software and firmware version, secure files drive, and OS. You can also click the copy button (CTRL+C) to copy device details to the clipboard for your forum posting or support request; visit the website (CTRL+W); or view legal notices (CTRL+N) and certifications (CTRL+?).
Best Practices for a Smooth Rollout

UPDATE PASSWORD POLICIES ONLY WHEN NEEDED
When you update the password policy items in a policy, devices with that policy will update to the latest version. However, since the password policy has changed, users will be required to change their password so it conforms to the new password policy. Change the password policy items only when needed so users do not have to excessively change their device passwords.

CREATE A SEPARATE POLICY FOR LINUX USERS
If you plan to leverage IronKey's Silver Bullet Service, create a separate policy for Linux users that does not include Silver Bullet or that includes a large number of Silver Bullet attempts. The Silver Bullet Service is not available for Linux systems. On Linux computers, device usage is disabled.

HAVE USERS BACK UP THEIR PASSWORDS FOR PASSWORD ASSISTANCE
You can mandate through policy that each user back up his/her device password online. This will allow Admins to use Password Assistance to email users a temporary link that reminds them of their password in case they ever forget it. If your policy is to not have users back up their device password, you can use Secure Device Recovery to change their password for them.

BACK UP YOUR DATA REGULARLY
Encourage users to use the onboard Secure Backup software for backing up their onboard data. In the case that an IronKey is lost or stolen, that data can later be recovered to a new IronKey.

KEEP ADMIN AND USER DEVICES UP-TO-DATE
Ensure that Admin devices have the latest IronKey software. You can do this by clicking the Check for Updates button in the IronKey Control Panel (under "Settings"). To ensure that Windows XP users can update their devices, install the IronKey Assistant (see the IronKey Assistant Deployment Guide for details).

USE SILVER BULLET WISELY
It is recommended not to set the Silver Bullet policy too strict (e.g. deny if not online or from a specific IP address) for remote or travelling employees; otherwise, sometimes they might not be able to use their IronKey.

Deployment Checklist

» IronKey Enterprise Account successfully created and Default Policy defined
» First IronKey device activated - confirmed access to Admin Console
» Redundant System Admin added - confirmed access to Admin Console
» Users added/imported into Enterprise Account

Deployment Methods 1 and 2
» Emails with Activation Code sent
» IronKey devices distributed to users

Deployment Method 3
» IronKey devices manually activated
» IronKey devices distributed to users
Using IronKey Enterprise

System Elements and Terminology

IRONKEY USERS

Each member of your IronKey Enterprise Account is called a User. Only System Admins can add Admin users, delete users and change user roles.

User Roles
There are five separate user roles, differentiated by the user's privileges:

» System Admin: Can modify all users and system settings, including adding Admins, approving Admins, changing user roles, and deleting users.
» Admin User: Can manage users and add Standard Users
» Custom Admin: Has a mixture of privileges, such as policy management
» Auditor: Can view the Admin Console with read-only access
» Standard User: An IronKey user who cannot view the Admin Console

All Admins and Auditors will have online IronKey accounts, as this is needed to access the Admin Console. Standard Users do not have online IronKey accounts.
User Statuses
The current status of a user signifies what state his account is in. There are several user statuses, including:

» Pending: System is waiting for user to activate his IronKey
» Active: User has activated at least one IronKey and has set up his online IronKey account
» Active (without online account): User has activated at least one IronKey but does not have an online IronKey account
» Locked: User's account has been locked after three incorrect answers to challenge questions
» Disabled: User's account has been temporarily disabled by an Admin
» Disabled (without online account): A user who does not have an online IronKey account has been temporarily disabled by an Admin
» Deleted: User's name has been deleted by a System Admin, but can be re-used (NOTE: A user's online account name cannot be used twice even if the user is deleted.)

Other User Properties
For purposes of organization and smooth deployment, you can set a name and email address for each user. These fields are optional, and if left blank users will be displayed as User1, User2, User3... in the Admin Console.

IRONKEY DEVICES

Users can have more than one IronKey device

Every IronKey Enterprise Secure Flash Drive in your Enterprise Account is associated with a user. Users can have one or many IronKey devices.
Device Properties
IronKey devices include the following properties:

» Device Name, useful for inventorying the Case ID
» Device Status, similar to user statuses
» The capacity of the drive (in GB)
» The unique serial number of the IronKey Cryptochip inside the device
  Consistent, unique serial numbers for enhanced asset inventory management and endpoint security control are in these locations:
  - Lasered onto the device, including a barcode
  - Printed on the product packaging
  - On the About IronKey pane of the IronKey Control Panel
  - On the IronKey Admin Console, with the device's model number
  - Integrated into the USB standard field name, so that it is available to Windows and other operating systems for security whitelisting and inventory management by other products
  For large-scale deployments, you can export IronKey Admin Console information including the serial number to a .csv file for electronic transfer to another system.
» Product identification numbers (PIDs) for S200 and D200 models are useful for inventory management and security control (Basic: 0x0201; Personal: 0x0202; Enterprise: 0x0203).
» The policy to which this device is adhering
» The date on which this device was activated
» The date and user for when the device was created and last modified

Devices also include a comments section, in which you may write information as needed. For example, you could enter information regarding your own inventory data, the device's case serial ID, or information regarding the use or purpose of this device.

IRONKEY POLICIES

IronKey Enterprise devices comply with the policies you define in the Admin Console. Policy items you can control include:

PASSWORD SECURITY POLICIES

» The number of invalid password attempts before self-destruction
  After too many consecutive invalid password attempts, IronKey devices initiate a self-destruct sequence with advanced flash-trash technology. This hardware-level security protects against brute-force password attacks. Configure this feature with a balance of security and end-user convenience in mind.
  Range is from 2 to 200 attempts
  Default: 10 attempts
  Recommendation: 10 attempts

» The minimum password length for device passwords
  Only passwords with this many or more characters will be allowed.
  Range is from 4 to 20 characters
  Default: 4 characters
  Recommendation: Depends on self-destruct limit

» The minimum number of uppercase letters in device passwords
  Only passwords with this many or more uppercase letters will be allowed.
  Range is from 0 to 5 letters
  Default: 0

» The minimum number of lowercase letters in device passwords
  Only passwords with this many or more lowercase letters will be allowed.
  Range is from 0 to 5 letters
  Default: 0

» The minimum number of digits in device passwords
  Only passwords with this many or more digits will be allowed.
  Range is from 0 to 5 digits
  Default: 0
» The minimum number of special characters in device passwords
  Only passwords with this many or more special characters will be allowed.
  Range is from 0 to 5 characters
  Default: 0

» Whether whitespaces are allowed in device passwords
  This setting determines whether or not spaces are permitted in IronKey device passwords.
  Default: Yes
  Recommendation: Yes

APPLICATION POLICIES

» Whether Mozilla Firefox is available on the device
  If enabled, a Firefox web browser will be included onboard each IronKey device. This onboard browser is portable, so cookies, history files, bookmarks, add-ons and online passwords are not stored on the local computer.
  Default: Enabled

» Whether the IronKey Identity Manager is available on the device
  If enabled, the IronKey Identity Manager will be included on each IronKey device. It allows users to seamlessly log into their online accounts (using IE6, IE7, IE8 and the onboard Firefox) and most applications that require username and password credentials, as well as generate strong passwords and manage portable bookmarks. Not having to type out passwords provides added protection from keyloggers and other crimeware. Additionally, websites that support VeriSign Identity Protection (VIP) can be locked down to the IronKey for two-factor authentication. IronKey devices using a version prior to 1.3.5 are using the IronKey Password Manager. This policy is compatible with the IronKey Password Manager.
  Default: Enabled

» Whether IronKey's Secure Backup software is available on the device
  If enabled, IronKey's Secure Backup software will be included on each IronKey device. This software allows users to back up an encrypted copy of files from their IronKey device to their local computer. If the IronKey device is lost or stolen, backed up data can be restored to another IronKey.
  Default: Enabled
  Recommendation: Enabled

» Whether RSA SecurID is available on the device
  If enabled, each IronKey will include an application for generating RSA SecurID one-time passwords for strong authentication. A .stdid file will need to be imported to use this application.
  Default: Disabled

» Whether CRYPTOCard is available on the device
  If enabled, each IronKey will include an application for generating CRYPTOCard one-time passwords for strong authentication. A token file will need to be imported to use this application.
  Default: Disabled
» Whether the IronKey Malware Scanner is available on the device If purchased and enabled, each IronKey will include an application that scans the IronKey on each use, detecting and cleaning malware from the device. Default: Disabled SERVICE POLICIES» Whether the device automatically locks after a specified period of inactivity (i.e. without keyboard or mouse activity) Whether to force lock the device if open files cannot be closed Whether users can configure these settings The idle time-out ranges from 5 to 180 minutes» Whether the device must be authorized before being able to be unlocked (Silver Bullet Service) The Silver Bullet Service will confirm that IronKey devices are authorized and in good standing before allowing them to be unlocked. This real-time service allows Administrators to completely disable and even remotely detonate devices, extending the control needed to protect important data. This feature requires an Internet connection This feature is not available on Linux and disables Linux usage when enabled Default: Disabled» Whether the device may or may not be unlocked if it is not connected to the Internet or able to be authorized Since users are not always able to be online, this setting defines a predetermined number of unlock attempts ( Silver Bullet attempts ) before disabling the device. IronKeys will be able to be unlocked this many times when not able to connect to the service. Set this policy with a balance of security and user convenience in mind. This feature depends on Silver Bullet being enabled The number of times the device can be unlocked while not connected to the Internet ranges from 1 to 200 Default: Allow 10 times Recommendation: Allow 10 times» Trusted Networks: Whether the device may or may not be unlocked based on where the user is (i.e. which IP address the device is coming from) The Silver Bullet Service can be configured to allow or deny access to a device based on a Trusted Network IP address whitelist. 
  Users coming from an IP address on the whitelist (e.g. from the office) will be permitted to use their device, while users who are coming from an untrusted network (e.g. home) will be denied.
  WARNING: Set this policy with caution as being too restrictive may prevent trusted users from being able to access their data.
  This feature depends on Silver Bullet being enabled
  This feature does not apply to System Admins.
  Default: Disabled
  Examples of Valid Input (Internal IP Addresses should not be used):
  To allow a specific IP address, just enter it in:
    From: 192.168.0.1
  To allow a block of IP addresses, use the * character:
    From: 192.168.0.*
  To allow a range of IP addresses, use both the From and To fields:
    From: 192.168.0.1 To: 192.186.0.12
  To add additional IP addresses, click the Add More button. To delete an entry, click the X button next to that row.

» Whether the user may, must, or may not back up his device password online
  If enabled, users can back up their device password to their Online Security Vault. If users have access to their online account, they can recover their device password without Admin intervention by manually logging into Safe Mode and viewing their password in a CAPTCHA.
  Default: May
  Recommended: Must (to ensure availability of Password Assistance)

» Whether the user may or may not back up his Identity Manager data
  This setting allows users to back up their encrypted Identity Manager data to an Online Security Vault. That way, if their device is ever lost or stolen, they can restore their passwords to a new IronKey.
  This feature depends on the Identity Manager being enabled
  Default: Yes (may)
  Recommendation: Yes (may)

» Whether IronKey's Secure Sessions Service is available for the device
  If enabled, IronKey's Secure Sessions Service will create an encrypted tunnel directly from the user's IronKey out to a secured IronKey web server, where the traffic is then decrypted and sent out to the destination site. This security feature provides anti-phishing and anti-pharming protection (for example, IronKey does its own DNS checking), as well as enhanced privacy protection (for example, the IP address will not be available to other websites and ISPs).
  This feature depends on Mozilla Firefox being enabled
  Default: Enabled

» Whether Standard Users have an online my.ironkey.com account
  Having an online account gives a Standard User basic management capabilities of his IronKey devices.
  This setting controls whether or not users have an online IronKey account they can access. Administrators and Auditors must have online accounts to access the Admin Console. Disabling this feature will not prevent users from backing up data to their Online Security Vault, but it will prevent them from recovering their backed up device password without Administrator intervention.
  Default: Yes (have)
  Recommendation: Yes (to ensure availability of Password Self-Recovery)
» Automatically update device policy every time device is unlocked
  Once an IronKey is unlocked, it can automatically check for and download the latest policy for that device. This ensures that changes to security policies are enforced as soon as possible.
  Default: Enabled
  Recommendation: It is strongly recommended that this feature be enabled

OTHER POLICY ITEMS

» The Lost and Found Message that appears on device insertion
  This message will appear on the IronKey Unlocker screen whenever the device is plugged into a computer. In the event that the IronKey is lost, someone can return it to the contact information in the Lost and Found Message.
  Range is 0 to 255 characters and up to 6 lines of text
  Default: Blank

» Whether the user can modify the Lost and Found Message
  This setting determines whether or not users can edit or create their own Lost and Found Message.
  Default: No

Policy Properties

IronKey policies include the following properties:
» Policy Name, unique name that is non-editable
» Policy Status
» The user who created this policy
» The date on which this policy was created

The current status of a policy signifies if the policy is current and if devices are using that policy. There are several policy statuses, including:
» Active: Policy version is the most current version and available for use
» Out-of-date: Policy version is not current, but has devices still using it
» Retired: Policy version is not current and no devices are still using it

How Device Policies Work

Your organization can have an unlimited number of new policies. When a new policy is created, you must choose a unique name for that policy (e.g. Sales Policy, Classified, etc.) and the system will automatically generate an ordinal number for that policy (e.g. Policy 2.000, Policy 3.000, etc.).
Every time an existing policy is modified, a new version of that policy is created (e.g. Policy 2.001, Policy 2.002). All devices will update to the most current version of the policy assigned to that device. Checking for policy updates and downloading the latest policy happens automatically when the device is unlocked. Policy changes are then enforced the next time the device is unlocked. Clicking the Check for Updates button in the IronKey Control Panel will also check for policy updates.

For example, if the password requirements for the organization change, an Admin can update the appropriate items in an IronKey policy. The policy status for the affected devices is now in a pending state. The next time the affected devices are unlocked, they will check to see if they have the latest policy. In this case they do not, so they will automatically download the latest policy. The next time the device is unlocked, the new policy will be enforced. Since the password policy has changed, the user will be forced to change his device password before being able to access his files.

The Make-Up of Policy Numbers and Versions

Policy 4.012
  4: The policy number, used for distinguishing separate policies.
  012: The policy version, used to distinguish edits to an existing policy.
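The Trusted Networks policy item earlier in this section accepts three row shapes (a single address, a * block, and a From/To range) and warns that an overly restrictive list locks trusted users out. The following added example, which is not IronKey code, checks a list of rows before it is entered; the function names, the rule that * may only replace trailing octets, the 65536-address review threshold and the sample rows are assumptions made for illustration.

```python
import ipaddress

# Internal (RFC 1918) ranges. The guide says internal addresses should not be
# used, because the service sees the public address a device connects from.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LARGE_RANGE = 65536  # assumed review threshold, not a product limit


def parse_row(from_field, to_field=""):
    """Turn one whitelist row (From, optional To) into an inclusive (low, high) pair."""
    from_field, to_field = from_field.strip(), to_field.strip()
    if "*" in from_field:
        if to_field:
            raise ValueError("a * block cannot be combined with a To value")
        octets = from_field.split(".")
        if len(octets) != 4 or "*" not in octets:
            raise ValueError(f"malformed block {from_field!r}")
        first = octets.index("*")
        # Assumption: * stands for whole octets at the end of the address.
        if first == 0 or any(o != "*" for o in octets[first:]):
            raise ValueError(f"* must replace trailing octets only: {from_field!r}")
        fixed = octets[:first]
        low = ipaddress.IPv4Address(".".join(fixed + ["0"] * (4 - first)))
        high = ipaddress.IPv4Address(".".join(fixed + ["255"] * (4 - first)))
    else:
        low = ipaddress.IPv4Address(from_field)
        high = ipaddress.IPv4Address(to_field) if to_field else low
    if high < low:
        raise ValueError("To address is lower than From address")
    return low, high


def overlaps_internal(low, high):
    """True if any part of the range falls inside an RFC 1918 network."""
    return any(low <= net.broadcast_address and high >= net.network_address
               for net in RFC1918)


def review(rows):
    """Validate rows; return (usable ranges, warnings for the admin)."""
    ranges, warnings = [], []
    for number, (from_field, to_field) in enumerate(rows, start=1):
        try:
            low, high = parse_row(from_field, to_field)
        except ValueError as exc:  # AddressValueError is a ValueError
            warnings.append(f"row {number}: rejected ({exc})")
            continue
        if overlaps_internal(low, high):
            warnings.append(f"row {number}: includes internal (RFC 1918) addresses")
        size = int(high) - int(low) + 1
        if size > LARGE_RANGE:
            warnings.append(f"row {number}: covers {size} addresses, check for a mistyped octet")
        ranges.append((low, high))
    return ranges, warnings


def is_trusted(address, ranges):
    """Would a device connecting from this address match the whitelist?"""
    ip = ipaddress.IPv4Address(address)
    return any(low <= ip <= high for low, high in ranges)


# Constructed sample rows (documentation addresses, not real networks).
SAMPLE_ROWS = [
    ("203.0.113.10", ""),               # single address
    ("198.51.100.*", ""),               # block
    ("203.0.113.20", "203.0.113.40"),   # range
    ("192.168.0.*", ""),                # internal block: warned
    ("198.51.100.1", "198.61.100.12"),  # mistyped second octet: very large range
    ("203.0.113.300", ""),              # not an address: rejected
]

if __name__ == "__main__":
    ranges, warnings = review(SAMPLE_ROWS)
    for warning in warnings:
        print(warning)
    for probe in ("203.0.113.10", "203.0.113.41"):
        print(probe, "trusted" if is_trusted(probe, ranges) else "not trusted")
```

Running the office's known egress addresses through is_trusted before saving the policy shows whether trusted users would be denied.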
EVENTS AND SYSTEM AUDITABILITY

Important security events and user activities involving the Enterprise Management Service are logged into the system to provide a clear audit trail for compliance or investigations. Details such as which user, which device, when the event occurred, at which IP address, and a description of what occurred are provided for each event when applicable. Events are shown in the Enterprise Dashboard of the Admin Console.

Examples of some of the logged events include:
» When Secure Device Recovery is performed
» When a device is recommissioned
» When a policy is modified
» When a user is invited into the IronKey Enterprise Account
» When a device is added to a user
» When a user is deleted or device(s) disabled
» When a device has detonated using the Silver Bullet Service
» When a user or device profile has been modified
» When an Admin is approved
» Login activities, such as when Admins log into the Admin Console

UNDERSTANDING THE SILVER BULLET SERVICE

IronKey's Silver Bullet Service extends the control Admins need to remotely manage IronKey devices and protect critical data by requiring IronKeys to check for authorization prior to unlocking. The Silver Bullet Service works as follows:

» The Silver Bullet policy items are enabled via policy by an Admin User.
» When a user enters his device password and clicks Unlock on a device that has Silver Bullet enabled, the device will quickly check with IronKey's Silver Bullet Service to ensure that it is in good standing and coming from a Trusted Network IP address.
» If the device is active and in good standing, it will receive an Allow command, the device will unlock, and the user will continue his work.
» If the device or user has been disabled in the Admin Console, the device will receive a Deny command and will not unlock.
» If the device has been lost or stolen and the data must be protected at all costs, the Admin can mark the device for remote detonation.
  The device status will be Active (Pending Detonation), and the next time the device is used it will receive a Detonate command and immediately self-destruct. A detonated device cannot be used again.
» If the user is not connected to the Internet, the device will not be able to check for authorization. In this case, it will abide by the maximum threshold of permitted Silver Bullet attempts. This number, pre-defined in policy, may be 0 (Deny) through 200, meaning that the device would allow up to 200 unlock attempts before disabling itself until it can connect to the Internet and check for authorization.

UNDERSTANDING PASSWORD ASSISTANCE

A common helpdesk task is to assist users with forgotten passwords. IronKey Enterprise includes three ways Admins can assist users with forgotten passwords:

Method: Password Self-Recovery
  Users log into my.ironkey.com with email and online password
  Recommended For: Allowing users to recover passwords without helpdesk intervention.
  Requirements:
  » Users must have an online account
  » Device passwords must be backed up online
  » Admin intervention is NOT required
Method: Password Assistance
  One-time URL is emailed to user, linking to page displaying forgotten password
  Recommended For: Allowing Admins to assist users who may be remote or who would not use Password Self-Recovery
  Requirements:
  » Device passwords must be backed up online
  » Users must have valid email addresses in the system
  » Standard Users do NOT have to have an online account

Method: Secure Device Recovery
  Admin plugs in his and user's device, uses Admin Tools to unlock device or change password
  Recommended For: Ensuring the most secure procedures are used to recover devices and manage passwords.
  Requirements:
  » Admin must have physical possession of the user's device
  » Device passwords do NOT have to be backed up online
  » Standard Users do NOT have to have an online account

Admin Tools (Onboard Admin Devices)
  Access: Via IronKey Control Panel
  Availability: Approved Admins only
  Features:
  » Secure Device Recovery
      Unlocking users' devices
      Resetting users' passwords
  » Device Recommissioning
  » Admin Approval

Admin Console (Online at my.ironkey.com)
  Access: Via IronKey Control Panel
  Availability: Approved Admins only
  Features:
  » Managing users
  » Managing devices
  » Managing policies
  » Monitoring events
  » Enterprise Support materials
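The unlock decision described under UNDERSTANDING THE SILVER BULLET SERVICE can be written out as a small state model, which shows how the offline allowance bounds the period in which a Deny or Detonate has not yet reached a device. This is an added illustration, not IronKey's implementation: the class and function names, the precedence of Detonate over other checks, and the reset of the offline counter after an Allow are assumptions, and what a device remembers after a Deny is not described in this guide and is not modelled.

```python
from dataclasses import dataclass

ALLOW, DENY, DETONATE = "Allow", "Deny", "Detonate"  # commands named in the guide


@dataclass
class ServiceRecord:
    """What the Admin Console holds for one device (simplified)."""
    enabled: bool = True               # False once the device or user is disabled
    pending_detonation: bool = False   # status Active (Pending Detonation)


@dataclass
class Device:
    offline_limit: int                 # policy value: permitted Silver Bullet attempts
    offline_used: int = 0
    detonated: bool = False


def service_command(record, from_trusted_network=True):
    """Command the service returns when a device checks in."""
    # Assumption: a pending detonation takes precedence over every other check.
    if record.pending_detonation:
        return DETONATE
    if not record.enabled or not from_trusted_network:
        return DENY
    return ALLOW


def unlock(device, record, online, from_trusted_network=True):
    """Outcome of one unlock attempt made with the correct device password."""
    if device.detonated:
        return "unusable"
    if online:
        command = service_command(record, from_trusted_network)
        if command == DETONATE:
            device.detonated = True
            return "detonated"
        if command == DENY:
            return "denied"
        # Assumption: a successful check restores the full offline allowance.
        device.offline_used = 0
        return "unlocked"
    # Offline: the device cannot ask, so it falls back to the policy threshold.
    if device.offline_used < device.offline_limit:
        device.offline_used += 1
        return "unlocked offline"
    return "offline allowance used up"


def replay(device, record, connectivity):
    """Run a sequence of attempts; connectivity is a list of online flags."""
    return [unlock(device, record, online) for online in connectivity]


if __name__ == "__main__":
    # Constructed scenario: marked for detonation, offline limit of 3,
    # five offline attempts, then one attempt with Internet access.
    lost = Device(offline_limit=3)
    marked = ServiceRecord(pending_detonation=True)
    for outcome in replay(lost, marked, [False] * 5 + [True, False]):
        print(outcome)
```

In the constructed scenario the device still unlocks three times after being marked, because the Detonate command is only delivered when the device reaches the service; the offline attempts policy value is what limits that window.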
Using the Admin Console

ACCESSING THE ADMIN CONSOLE

The Admin Console is available for all approved Admins, and it can be accessed by clicking the my.ironkey.com button in the IronKey Control Panel. This will securely log you in with mutual authentication over a secure channel.

Step 1: Ensure that you have completed the Setup Process detailed elsewhere in this document.
  Description: Review the section on Getting Started for more information.
Step 2: Click the my.ironkey.com icon in the IronKey Control Panel.
  Description: This will securely log you in with mutual authentication over SSL. If you are using a proxy, you may need to update your IronKey's Network Settings so that it knows how to connect to the Internet.
Step 3: After your browser opens to the welcome page, click the Admin Console tab.

THE ENTERPRISE DASHBOARD

The Enterprise Dashboard shows you the latest security events and user activities in your Enterprise Account, statistics on how many active users and devices there currently are, as well as important notifications, such as lists of pending users and devices awaiting detonation (if any).
Details regarding the IronKey World Map and Events Table on the Enterprise Dashboard:
» Security events, such as remote detonation of devices, are marked in red
» Important events, such as Admin activities, are marked in yellow
» Common user events are marked in green
» You can select which events to view in the map by clicking the + menu icon on the right
» Hovering over an event will bring up details on the event
» Clicking an item in the table will center and zoom in on the event in the map, displaying additional data on the event
» You can zoom on the map by clicking the +/- icons on the left or dragging the zoom sidebar
» You can move the geographic areas being viewed by dragging the map with your mouse
» Columns can be sorted by clicking the column title
» You can change the time period for events using the View dropdown menu
» You can download the list of events by clicking the Download icon
» You can change the number of items listed per page and which page you are viewing
» If there are pending users in your Enterprise Account, a list of their information and Activation Codes can be downloaded using the Download List button

Details regarding the IronKey Charts on the Enterprise Dashboard:
» IronKey Charts use the Adobe Flash Player. If Flash Player is not installed on your computer, you will see text-based versions of the charts.
» You can download the data in the chart by clicking the Download icon
» Each chart is interactive. Moving your mouse over the chart will bring up contextual data.
» Right-click the chart for additional options, including viewing a Full Screen version of the chart and printing the chart.
» Chart data can be updated approximately every five minutes.

NOTE: To change the default time zone from GMT, click Account Settings in the left sidebar. You can also change time and date formats.
GENERAL STATISTICS

This chart displays a number of important general statistics about your Enterprise Account, including:
» Total current users by status
» Total current users by role
» Total devices by status
» Total devices by capacity

DEVICES BY VERSION

This chart displays the devices in your Enterprise Account (vertical axis) by the software version they are running (horizontal axis). This allows you to determine how many devices are running an out-of-date version of the IronKey software.

ADMIN ACTIVITIES

This chart displays a timeline of important Admin activities, including Secure Device Recovery, Password Assistance, and Admin Approval. The vertical axis is the frequency of events, while the horizontal axis is the timeline.

DEVICE ACTIVITIES

This chart displays how long it has been since:
» A device's password was last backed up
» The last recorded device activity

The vertical axis is the number of devices, while the horizontal axis is the number of weeks since the specific event has occurred for each device.
MANAGING USERS

Click Manage Users in the left sidebar to view your IronKey User List.

Details regarding the Manage Users page:
» You can change the list between current and all users via the View dropdown menu
» You can download the list of users by clicking the Download button
» To add a user, click the Add button
» To add a device to a user, select the checkbox in that user's row and click the Add Device button (Note: Only System Admins can add devices to Admin users)
» To delete a user, select the checkbox in that user's row and click the Delete User button (Note: Only System Admins can delete users)
» To find a user, enter a username or email address in the search box in the upper-right of the header, and click the search button. Suggested matches appear as you type. You can also click the options icon in the search box to include searching within comments fields or for deleted users.
User Profile Pages

Clicking a user will bring up the user's profile page.

Details regarding the User Profile page:
» To edit a user, click the Edit button
» To delete the user, click the Delete User button (available for System Admins only)
» To add a device to a user, click the Add Device button
» You can download the list of that user's service activities by clicking the Download button
» To view that user's devices in detail, click the device name in the IronKey Devices section
MANAGING DEVICES

Click Manage Devices in the left sidebar to view your IronKey Device List.

Details regarding the Manage Devices page:
» You can change the list between current and all devices using the View dropdown menu
» You can download the list of devices by clicking the Download button
» To edit multiple devices at once, select the checkbox in the appropriate devices' rows and click the Edit button
» To disable multiple devices at once, select the checkbox in the appropriate devices' rows and click the Disable Device button (Note: You cannot disable the device you are currently using)
» To find a device, enter a device name or serial number in the search box in the upper-right of the header, and click the search button. Suggested matches appear as you type. You can also click the options icon in the search box to include searching within comments fields or for deleted devices.
Device Profile Pages

Click a device to view the device's profile page.

Details regarding the Device Profile page:
» To disable/enable a device, click the Disable button
» To add comments for a device, click the Edit button in the Comments section
» You can download a list of that device's service activities by clicking the Download button
» To view that device's user in detail, click the user's name

USING THE SILVER BULLET SERVICE

» To disable a device that has Silver Bullet enabled, click the Disable button
» To detonate a device that has Silver Bullet enabled, click the Detonate button.
» A confirmation will appear, after which the device will be pending detonation
» You can cancel a pending detonation by clicking the Cancel Detonation button
» When the device has detonated, you can review a Silver Bullet Report on the device profile page, including where and when the device detonated
USING PASSWORD ASSISTANCE

To assist a user who has forgotten his device password, click the Send Password to User button. This button will only appear for users who have an email address and who have backed up their device password online. An email will automatically be sent to the user. In that email is a one-time URL that will take the user to a page that displays his password in a CAPTCHA. The user must click the link as soon as he gets the email, as the link expires in approximately 24 hours.

MANAGING POLICIES

Click Manage Policies in the left sidebar to view your IronKey Policies List.

Details regarding the Manage Policies page:
» You can change the list between current and all policies via the View dropdown menu
» You can add a new policy by clicking the Add Policy button
» You can download the list of policies by clicking the Download button
» Every time you create a new policy, a new ordinal policy number is automatically created
» Every time you modify a policy, a new version is created
» Service policy: During account setup, you can specify whether devices automatically lock after a specified period of inactivity (i.e. without keyboard or mouse activity).
  Whether to force lock the device if open files cannot be closed
  Whether users can configure these settings
  The idle time-out ranges from 5 to 180 minutes. A reminder appears 30 seconds before time-out, and the timer resets if activity occurs.
Policy Profile Pages

Click a policy to view the policy's profile page.

Details regarding the Policy Profile page:
» To view the description, default setting, value range, and supported device models and software versions for a policy, hover over the ? help button that follows each policy item.
» To edit the policy, click the Edit button. You can then edit the items in-line.
» Some items are dependent on others. Review the IronKey Policies section earlier in this document for more information.
» While in edit mode, clicking the Save Version button will save the policy as a new version
» While in edit mode, clicking the Save As New button will save the policy as a new policy
» While in edit mode, clicking the Cancel button will not save any changes to the policy
» Editing the Policy Name will require the policy to be saved as a new policy

MANAGING LICENSES

Click Manage Policies in the left sidebar. Below the IronKey Policy list, you can view your IronKey Licenses list. Services must be enabled for the list to appear.
» You can view a list of enabled services, number of available seats, and number of total seats
» If you try to add a new user or device that exceeds the number of licensed seats, or if your license has expired, a message prompts you to update or renew your license
» You can update your IronKey licenses by emailing the text from Box 1 to IronKey Customer Service, pasting the new license information from the reply email in Box 2, and then clicking the Enter button

NOTE: To use Anti-Malware Service, you must open port 443 on your firewall to allow outbound communication from your server and devices to McAfee.

ENTERPRISE SUPPORT PAGE

A number of online support resources are available for you on the Enterprise Support page, including video tutorials and product documentation. It also contains information for contacting IronKey Technical Support, including your Account Number.
Using the Admin Tools

ACCESSING THE ADMIN TOOLS

Some additional administrative functionality is available onboard each approved, active Admin's IronKey device. When you click the Admin Tools icon, the device will do a real-time check with your Enterprise Account to authenticate the Admin and ensure that the Admin is still authorized to use the Admin Tools. Revoked Admins, for example, will not be able to continue. You must be connected to the Internet to use the Admin Tools.

USING SECURE DEVICE RECOVERY

IronKey's Secure Device Recovery allows Admins to unlock your organization's IronKeys:
» Without knowing the user's device password
» Without using a password database
» Without using a backdoor/redundant password
» With admin authentication (protection against stolen admin devices)
» With admin authorization (protection against rogue admins)
» With a proper audit-trail of the event

Step 1: Click the Admin Tools icon in the IronKey Control Panel.
  Description: The device will perform real-time authentication and authorization.
Step 2: Insert the device that you want to access into the computer's USB port. Wait a few moments so the device can enumerate. Then click the Refresh Device List button.
  Description: The device will search for the other IronKey.
Step 3: You can either choose to unlock the user's device or change that device's password.
  Description: To unlock the device, click the Unlock Device button. A progress bar will appear and when the device is unlocked, Windows Explorer will auto-launch to that device's secure volume. To change the device's password, enter in the new password for that device, confirm it, and click the Change button. A progress bar will appear and then a confirmation that the password has been reset successfully.

NOTE: Recovering a device that is not from your Enterprise Account, not yet activated, or not an IronKey Enterprise Secure Flash Drive is not possible. If an error appears, check if this is the issue.

PROMOTING A STANDARD USER TO BE AN ADMIN

A System Admin can modify user roles and permissions in the Admin Console. When a user is invited to be an Admin, or when a Standard user is promoted to become an Admin, an existing Admin must approve the process using Admin Approval.

Step 1: In the Admin Tools sidebar, click Admin Approval.
Step 2: Click the Check for Admins button.
  Description: This will perform an online check for users awaiting Admin Approval. A table of devices that are awaiting approval will be displayed.
Step 3: Check all devices that you approve for having administrative functionality. Then click the Approve button.
Step 4: The next time that user clicks the my.ironkey.com button in the IronKey Control Panel, he receives administrative privileges and has access to the Admin Console.

RECOMMISSIONING DEVICES

When employees leave the organization, their IronKeys can be recommissioned to new users using IronKey secure online services for Admin authentication and authorization.

Step 1: In the Admin Tools sidebar, click Recommission Device.
Step 2: Insert the device that you want to recommission into the computer's USB port. Wait a few moments so the device can enumerate. Then click the Refresh Device List button.
  Description: The device will search for the other IronKey.
Step 3: Click the Recommission Device button.
  Description: A progress bar shows your progress throughout the recommissioning process. Selecting the Also delete user from the system checkbox will delete the user as well as the device. This feature is only available for System Admins.

NOTE: Recommissioning cannot be undone. All data on the device will be permanently lost.

Importing Authentication Credentials

IMPORTING RSA SECURID TOKENS

If enabled through your policy, your users' IronKey devices can provide additional strong authentication capabilities by generating RSA SecurID one-time passwords. You must provide a .stdid file to your users for importing tokens.

Step 1: Open the RSA SecurID application.
  Description: Click the icon in the IronKey Control Panel's application list on your user's device.
Step 2: Import a .stdid file. This may be exported by your RSA server. For information on that procedure, see your RSA SecurID server documentation.
  Description:
  1. Click the Options button.
  2. Click the Add button.
  3. Browse to the location of the .stdid file.
  4. A password might be required to unlock the file.
  The tokens will be added.
Step 3: If you prefer, you can rename the tokens.
  Description: Click the Rename button to create a name for the selected token.
Step 4: In the Options window you can also delete tokens by clicking the Delete or Delete All button.
  Description: Be careful when deleting tokens, as this operation cannot be undone.
IMPORTING A DIGITAL CERTIFICATE INTO THE IRONKEY

The IronKey Cryptochip includes a limited amount of extremely secure hardware storage space, which can be used for storing the private key associated with a digital certificate. This provides your users additional strong authentication capabilities. For example, you could store a self-signed certificate used for internal systems that will allow users to automatically log in when using the IronKey's onboard Firefox web browser.

The import process uses IronKey's PKCS#11 interface and requires Mozilla Firefox.

NOTE: Space for only one additional private key exists in the IronKey Cryptochip, though it will receive the benefits of the Cryptochip's tamperproof hardware and self-destruct mechanisms.

Step 1: Open the onboard Firefox.
  Description: Click the icon in the IronKey Control Panel's application list on your user's device.
Step 2: Open Firefox's Options menu to the Encryption tab.
  Description:
  1. Click Tools in the menu bar.
  2. Click Options.
  3. Click the Advanced icon.
  4. Click the Encryption tab.
Step 3: Click the View Certificates button.
  Description: This opens the Firefox Certificate Manager.
Step 4: IronKey's certificate is available here. Now you can add your own. Click the Import button.
Step 5: Browse to the PKCS#12-format certificate file and open it.
  Description: You will be prompted for the location of the PKCS#12-format certificate file (file extension will be .p12 in UNIX/Linux, .pfx in Windows).
Step 6: A window appears asking you to confirm where to store the certificate. Choose IronKey PKCS#11.
Step 7: Enter the password that was used to protect the certificate. If no password was used, simply leave the text field blank.
Step 8: Your certificate is now stored securely in the IronKey Cryptochip and is available for use in the onboard Mozilla Firefox.

NOTE: When deleting certificates, you must restart Firefox for the action to take effect. You cannot delete the IronKey certificate that was pre-packaged with your device.
Administering the IronKey Anti-Malware Service

If purchased and enabled, your organization can protect its IronKeys from the latest malware threats with the IronKey Anti-Malware Service and IronKey Malware Scanner. See the User Guide for more information on how the IronKey Malware Scanner works. As an Admin, you will want to be familiar with how to interpret Malware Scanner reports.

INTERPRETING IRONKEY MALWARE SCANNER REPORTS

The IronKey Malware Scanner on each user's device maintains detailed logging of important events, such as checking for updates, downloading updates, scanning for malware, and malware detections, as well as vital status information such as the version of the software and the signature file database being used. The location of this file is at:

  F:\IronKey-System-Files\Reports\IKMalwareScanner_Report.txt

Where F is the IronKey's Secure Files volume (where the user stores his data).

Malware Scanner Reports are written in Apache Common Log format with tab-delimited data:

  [ip address] [timestamp] [event] [status code] [data size or file count]

In the event of an infection, users are instructed to send the report to their administrator to diagnose and resolve the issue. Here are some details on interpreting important events:

EVENT: INFECTION
DESCRIPTION: Infection events include
  » The name of the malware
  » The type of malware (e.g. virus, trojan, etc.)
  » The location the malware was found
  » The result of trying to repair or delete the infected file. Usually the file will be repaired or deleted, though in rare cases the file cannot be altered and is left on the device. The status in that case is Unresolved.

EVENT: UPDATE
DESCRIPTION: The Malware Scanner will attempt to update before each scan. The most common failure is when the device cannot connect to the Internet. Some users may experience issues installing the update if they do not have enough space available on their IronKey. It is recommended that users allocate 135 MB of space for the signature file database.
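When a user sends in a Malware Scanner report, the first questions are whether any infection was left Unresolved and how the UPDATE attempts went. The added example below, which is not an IronKey tool, splits the five tab-delimited fields named above and summarises them; the layout of text inside the event field, the status code values and every sample line are constructed assumptions, so the code counts status codes without interpreting them.

```python
from collections import Counter

# The five tab-delimited fields listed in the guide, in order.
FIELDS = ("ip", "timestamp", "event", "status", "count")


def parse_report(text):
    """Split a report into records; return (records, numbers of malformed lines)."""
    records, malformed = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            malformed.append(number)  # keep for manual review, do not guess
            continue
        record = dict(zip(FIELDS, (part.strip() for part in parts)))
        record["line"] = number
        # Assumption: the event field starts with the event keyword
        # (INFECTION, UPDATE, ...) followed by free-text details.
        words = record["event"].split(None, 1)
        record["kind"] = words[0].upper() if words else ""
        records.append(record)
    return records, malformed


def triage(text):
    """Summarise what an admin needs to act on."""
    records, malformed = parse_report(text)
    infections = [r for r in records if r["kind"] == "INFECTION"]
    # The guide says a file that could not be repaired or deleted has the
    # status Unresolved; assumed here to appear in the event text.
    unresolved = [r for r in infections if "unresolved" in r["event"].lower()]
    update_codes = Counter(r["status"] for r in records if r["kind"] == "UPDATE")
    return {
        "infections": infections,
        "unresolved": unresolved,
        "update_status_codes": dict(update_codes),
        "malformed_lines": malformed,
    }


# Constructed sample report. Names, paths, codes and timestamps are made up.
SAMPLE_REPORT = "\n".join([
    "127.0.0.1\t[12/Mar/2010:09:14:02 -0800]\tUPDATE signature database\t200\t1048576",
    "127.0.0.1\t[12/Mar/2010:09:15:40 -0800]\tSCAN complete\t200\t412",
    "127.0.0.1\t[12/Mar/2010:09:15:41 -0800]\tINFECTION Example.Malware.A trojan "
    "F:\\docs\\invoice.exe Deleted\t200\t1",
    "127.0.0.1\t[13/Mar/2010:18:02:11 -0800]\tUPDATE signature database\t500\t0",
    "127.0.0.1\t[13/Mar/2010:18:03:27 -0800]\tINFECTION Example.Malware.B virus "
    "F:\\tools\\setup.exe Unresolved\t200\t1",
    "this line was truncated in transit",
])

if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print("infections:", len(summary["infections"]))
    for record in summary["unresolved"]:
        print("UNRESOLVED line", record["line"], "->", record["event"])
    print("UPDATE status codes:", summary["update_status_codes"])
    print("malformed lines:", summary["malformed_lines"])
```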
Common Tasks

ADDING NEW USERS

Step 1: Access the Admin Console by clicking the my.ironkey.com icon in the IronKey Control Panel.
Step 2: In the Manage Users page, click the Add button.
Step 3: In the box that appears, enter in the user's name (optional), email (optional), role, policy for the user's device, and if you want the system to send the user an email with the information for setting up his IronKey device (requires an email address). Then click Submit.
  Description: If a name is not provided, the system will default to an ordinal anonymous user naming scheme of User1, User2, User3, etc. If an email address is not supplied, then the Admin's email address should be used for the one-time device activation. Only System Admins can add new Admins.
Step 4: Information for setting up the user's IronKey device is displayed on the screen, namely the Activation Code and email address that should be entered into an IronKey Enterprise Secure Flash Drive.
  Description: The new user is now a part of your IronKey Enterprise Account and will be in a pending status until he activates his IronKey device.

ACTIVATING DEVICES FOR A USER

When you plug a new IronKey Enterprise Secure Flash Drive into your computer, it prompts you for an email address and an Activation Code. An Internet connection is required.

Step 1: Plug a new IronKey Enterprise Secure Flash Drive into your computer's USB port.
  Description: Your IronKey must be activated on a Windows (2000, XP, or Vista) or Mac computer. To use the full speed of the IronKey, plug it into a USB 2.0 port.
Step 2: The Activate Your IronKey screen appears. The IronKey autoruns as a virtual CD-ROM.
  Description:
  Windows: This screen might not appear if your computer does not allow devices to autorun. You can start it manually by double-clicking the IronKey Unlocker drive in My Computer and double-clicking the IronKey.exe file.
  Mac: Double-click the IronKey drive on your desktop, and double-click the IronKey file.
  NOTE: You can install the IronKey Auto-Launch Assistant, which automatically opens the IronKey Unlocker when you plug in an IronKey. See Preferences in IronKey Control Panel Settings. (Mac only)
Step 3: Retrieve the email with your Activation Code. Copy and paste it into the IronKey window. Click Continue when you are ready.
  Description: The information presented to you when you added the user in the Admin Console (and emailed to the user, if that checkbox was selected) is needed here. If you did not provide an email address for your user, you must enter your email address. This is used for authentication purposes and is not associated with the user after activation. If your IronKey cannot connect to the Internet, click Edit Proxy Settings to adjust its network settings.
Step 4: At this point, the device is ready to be initialized with a password and continue the setup process.
  Description: You can either continue with initialization, or hand the device to the user for him to complete the setup process.

ADDING NEW ADMINS

Step 1: Add the new user and set the role to be an administrative role.
  Description: This process can only be performed by a System Admin.
Step 2: An email will go out to the user (optional) with his setup information.
Step 3: The user activates a new IronKey Enterprise Secure Flash Drive.
Step 4: Once activated, the device must be approved by an Admin before it can access the Admin Console.
  Description: An email will be sent to the inviting System Admin as a reminder to perform the Admin Approval.
Step 5: The next time the new Admin clicks the my.ironkey.com icon in his IronKey Control Panel, he will receive administrative privileges.

ADDING NEW DEVICES TO USERS

When you add a user, a device will automatically be added to the system upon activation. To add additional devices to a user, follow the directions below.

Step 1: In the Admin Console, go to the user profile page for the user for whom you want to add an additional device.
  Description: See Using the Admin Console for more information.
Step 2: Click the Add Device button.
Step 3: A new device with a pending status is added. The Activation Code for that device appears.
DISABLING LOST DEVICES

When a device is lost or stolen, disable the device in the Admin Console. This will disable its services and ensure access control protection. For devices that are Silver Bullet-enabled, it will also prevent the user from unlocking the device.

1. In the Admin Console, go to the Manage Devices page.
2. Select the checkbox next to the device you want to disable.
3. Click the Disable Device button at the bottom of the page.

Unlike recommissioning devices, disabling devices can be undone. If the device is found, it can be re-enabled.

HELPING A USER WITH PASSWORD ASSISTANCE

When a user forgets his device password, he may call the helpdesk for assistance in unlocking his device. The simplest way to remotely help such a user is with Password Assistance.

1. In the Admin Console, go to the Manage Users page and select the user from the User List.
2. On the User's Profile page, select the device that the user wants to unlock.
3. Click the Password Assistance button on the Device Profile page. A confirmation message notifies you that an email was sent to the user.
   Description: An email is sent to the user with a one-time URL in it. That URL links to a webpage that reminds the user of his device password. If left unused, the URL expires in approximately 24 hours.

This feature requires that the user has backed up his password to my.ironkey.com. If he has not, then the button is not available.

Using Non-Administrative Features

For information on how to use the various features of the IronKey available to all of your users through policy (such as Secure Backup, the IronKey Password Manager, and Secure Sessions), review the IronKey Enterprise User Guide, available on the Enterprise Support page of the Admin Console and on the virtual CD of each IronKey Enterprise Secure Flash Drive.
Known Issues

Here are a few important caveats to be aware of while using IronKey Enterprise:

- The very first IronKey in your Enterprise Account cannot be recovered through Secure Device Recovery. That device should be put in a safe place for emergency access to the system.
- In approving Admins, the user to be approved must be active in the system (i.e., must have activated a device) before he can be approved. This is part of the underlying security technology.
- IronKeys that are not running the latest firmware and software may not be able to use the Silver Bullet Service or certain other new features. Updating old devices will allow them to use these features.
- Admins must update their older devices with the latest software to use Admin Tools to manage newer devices.
- In some cases, recommissioned devices will not auto-launch. They can be manually launched.
- Updating IronKeys on Windows 2000 (SP4) and Windows XP requires Windows administrative privileges. Windows administrative privileges are not required when updating an IronKey on Vista.
- Some users might have difficulty understanding that the IronKey mounts as two drives: a virtual CD that launches the IronKey Unlocker, and the secure files volume that mounts when the device is unlocked. Point users to IronKey's video tutorials at support.ironkey.com for visual instructions of the most common IronKey tasks.
- See the release notes at support.ironkey.com for known issues specific to a release.
Enterprise Support

IronKey is committed to providing world-class support to its enterprise customers. IronKey technical support solutions and resources are available around the clock through the IronKey Support website (located at https://support.ironkey.com). These resources include video tutorials, a Knowledgebase of frequently asked questions and technical notes, the IronKey Troubleshooter, product documentation, and the ability to submit your inquiries to the IronKey Support team. IronKey also maintains a customer forum (located at https://forum.ironkey.com) where our community members share their product knowledge, exchange ideas, help each other with problems they encounter, and interact with IronKey employees.

TECHNICAL SUPPORT FOR SYSTEM ADMINISTRATORS

The IronKey Support team is available to answer questions that IronKey Enterprise administrators may have about their product implementation. IronKey Support can be contacted by filing a support request (https://support.ironkey.com/supportrequest) or by emailing support@ironkey.com. Please always reference your Account Number when contacting us. It can be located on the Enterprise Support page of the Admin Console. Our support team is available to assist you Monday through Friday 6AM-5PM Pacific Time.

A number of materials, including a copy of this document, can be found on the Enterprise Support page of the Admin Console. There you will find the most specific information regarding using IronKey Enterprise.

Please have your Standard Users contact your help desk for assistance, or have them review the support materials on support.ironkey.com. Due to the customized nature of each IronKey Enterprise Account, technical support for IronKey's enterprise products and services is available for System Administrators only.
Product Specifications

For details about your device, see About IronKey in IronKey Control Panel Settings.

CAPACITY*: Up to 32GB, depending on the model
DIMENSIONS: 75mm X 19mm X 9mm
WEIGHT: 0.8 oz
WATERPROOF: MIL-STD-810F
OPERATING TEMPERATURE: 0°C, 70°C
OPERATING SHOCK: 16G rms
ENCRYPTION:
   Hardware: 256-bit AES (Models S200, D200), 128-bit AES (Model S100)
   Hashing: 256-bit SHA
   PKI: 2048-bit RSA
FIPS CERTIFICATIONS: See www.ironkey.com for details.
HARDWARE: USB 2.0 (High-Speed) port recommended, USB 1.1
OS COMPATIBILITY:
   Windows 2000 (SP4), XP (SP2+), Vista
   IronKey Unlocker for Linux (2.6+, x86)
   IronKey Unlocker for Mac (10.4+, Intel)

IronKey devices do not require any software or drivers to be installed.

* Advertised capacity is approximate and not all of it will be available for storage. Some space is required for onboard software.
Contact Information

Product Feedback: feedback@ironkey.com
Feature Requests: featurerequest@ironkey.com

IronKey Online:
   https://my.ironkey.com
   https://learn.ironkey.com
   https://support.ironkey.com
   https://forum.ironkey.com
   https://store.ironkey.com

Support:
   End-Users: please contact your Helpdesk or System Admin.
   Admins: email support@ironkey.com and reference your Enterprise Account Number

Note: IronKey is not liable for technical or editorial errors and/or omissions contained herein; nor for incidental or consequential damages resulting from the furnishing or use of this material. The information provided herein is subject to change without notice.

The information contained in this document represents the current view of IronKey on the issue discussed as of the date of publication. IronKey cannot guarantee the accuracy of any information presented after the date of publication. This document is for information purposes only. IronKey makes no warranties, expressed or implied, in this document. IronKey and the IronKey logo are trademarks of IronKey, Inc. in the United States and other countries. All other trademarks are the properties of their respective owners.

© 2009 IronKey, Inc. All rights reserved. IK0010680