
    27 April, 2010

    Administration Guide

    Endpoint Security Full Disk Encryption for Mac

    3.2

    More Information

    The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=10527

    For additional technical information about Check Point visit Check Point Support Center (http://supportcenter.checkpoint.com).

    Feedback

    Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to us (mailto:[email protected]?subject=Feedback on Endpoint Security Full Disk Encryption for Mac 3.2 Administration Guide).

    © 2010 Check Point Software Technologies Ltd.

    All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

    RESTRICTED RIGHTS LEGEND:

    Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

    TRADEMARKS:

    Please refer to our Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.

    Please refer to our Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights.

    Contents

    Preface 5
        Who should read this guide? 5
        Related Documentation 5
        Data Security Types 6
            File Encryption 6
            Full Disk Encryption 6
        Full Disk Encryption Features and Benefits 7
            Benefits for Administrators 7
            Deploying Full Disk Encryption on One or Many 7
            User Account Acquisition 8
        Deployment Overview 8
        Getting Started 9
            Full Disk Encryption Terminology 9
            Roadmap 9

    An Administration Overview 11
        Authority Levels 11
            Administrator 11
            User 12
            Permissions for Roles 12
            Overview of the Full Disk Encryption Management Console 13
            Full Disk Encryption Management Console Dialog Box 13

    Configuring System Settings 14
        Accessing Local Settings 14
            Status Information 15
        Editing Local Settings 15
            Install Settings 16
            Mount Points 17
            System Passwords Policy 19
            User Account Acquisition 20
            Wake on LAN 21
            Logon 23

    Configuring Group and User Account Settings 24
        Local Settings for Groups and User Accounts 24
        System Settings for Groups 25
            Group Settings 26

    Creating Group and User Accounts 35
        Group and User Account Basics 35
        Creating Group Accounts 35
            Default Values and How the Effective Values of Settings are Determined 37
        Adding a User Account to a Group 38
            Password Authentication 41
            Dynamic Token Authentication 42
        Moving User Accounts 44

    Working with Configuration Sets 45
        Set Basics 45
        Root Directory Path 45
            Directories 45
        Creating a New Set 46
        Set Management 49

    Working with Installation and Update Profiles 51
        Working with Profiles: an Overview 51
        Full Disk Encryption Profile Basics 52
            Profile Types 52
            Preparing to Work With Profiles 53
            Basing a New Profile on Another Profile or Local Settings 53
        Creating Installation Profiles 53
            Sanity Checks 57
        Working With Update Profiles 59
            Creating an Update Profile 59
            Configuring Update Profiles 59
        Deploying Profiles 61
            Deploying an Install Profile 61
            Deploying Update Profiles 63
        Updating Full Disk Encryption Software 63
            Changing the Graphic Images Displayed in Preboot 63

    Remote Help 65
        webRH or Full Disk Encryption Management Console? 65
        Implementing a Remote Help Procedure 65
            Remote Help Settings 66
        Types of Remote Help 67
        Verifying Users 67
        Providing Remote Help 67

    Removing Full Disk Encryption 70
        Uninstall Profiles 70
            Creating an Uninstall Profile 70
            Deploying an Uninstall Profile 72
        Removing Full Disk Encryption Management Console 72
            Before You Remove Full Disk Encryption Management Console 72
            Removal Procedure 73

    Recovery Media 75
        Full Disk Encryption Recovery File 75
        If the Recovery File Path is Not Found 75
        Creating a Recovery Media 75
            Before You Create a Recovery Media 76
        Creating the Recovery Media with the Wizard 76
        Creating the Recovery Media Manually 78
        Using a Recovery Media to Decrypt Volumes, Uninstall FDE, and Recover Information 78
        Mounting Encrypted Volumes 79

    Authenticating to Full Disk Encryption 81
        About Authentication 81
            Navigating 81
        Authenticating for the First Time 82
            Using a Fixed Password 82
            Using a Dynamic Token 83
        What if I forget my password? 84
        What if I don't have access to my token? 85

    Language Support 86
        Languages Supported in the FDE Management Console 86
        Languages Supported on Clients 86
        Specifying the Language Used in the FDEMC 87
        Setting the Language Used on the Client 87

    Keyboard Layouts 88
        Introduction 88
        The Default Keyboard Layout 88
        Changing the Keyboard Layout 88
        Keyboard Layouts Supported in Preboot 89

    Index 91

    Page 5

    Chapter 1

    Preface

    This preface contains background information on Endpoint Security Full Disk Encryption for Mac benefits and features, as well as a general discussion of how the product is designed and how it should be deployed.

    Endpoint Security Full Disk Encryption for Mac is also referred to as Full Disk Encryption or FDE throughout this document.

    In This Chapter

    Who should read this guide? 5

    Related Documentation 5

    Data Security Types 6

    Full Disk Encryption Features and Benefits 7

    Deployment Overview 8

    Getting Started 9

    Who should read this guide?

    Administrators who deploy and administer Full Disk Encryption and provide Remote Help within their organization should read this guide.

    Related Documentation

    This release includes the following documentation:

    Table 1-1 Endpoint Security Full Disk Encryption for Mac Documentation

    Title: Endpoint Security Full Disk Encryption for Mac Installation Guide
    This document contains: Instructions and information on how to install Full Disk Encryption for the first time, the so-called master installation.

    Title: Endpoint Security Full Disk Encryption for Mac Administration Guide (this document)
    This document contains: Instructions and information on how to configure, deploy, and administer Full Disk Encryption.

    Title: Endpoint Security Full Disk Encryption for Mac Release Notes
    This document contains: System requirements, and current information about the product, such as new features and functions in the current release, problems that have been fixed since the previous release, and any known issues about the current release.


    Data Security Types

    There are two general types of protection for data at rest: file encryption and full disk encryption.

    The following graphic illustrates the difference between unprotected data, standard file encryption, and Full Disk Encryption protection:

    File Encryption

    File encryption enables users to protect vital data. Organizations often find file encryption insufficient, however, because it is subject to user discretion regarding what to secure and the willingness of users to consistently follow security procedures.

    Full Disk Encryption

    Unlike file encryption, which leaves security holes, Full Disk Encryption provides boot protection and sector-by-sector disk encryption.

    Boot protection means authenticating users before a computer is booted.

    volume keys. The disk volume keys encrypt the Mac disk volumes.

    This prevents unauthorized persons from accessing the operating system using authentication bypass tools at the operating system level or alternative boot media to bypass boot protection.

    Disk encryption includes the system files, temp files, and even deleted files. Encryption is user-transparent and automatic, so there is no need for user intervention or user training. There is no user downtime because encryption occurs in the background without noticeable performance loss. This provides enforceable security that users cannot bypass. Because the data on the disk is encrypted, it is inaccessible to any unauthorized person.


    Full Disk Encryption Features and Benefits

    Full Disk Encryption secures desktop and laptop computers from unauthorized physical access by using both boot protection and full disk encryption. Full Disk Encryption provides the following security functions:

    Strong user authentication

    Support for user identification using dynamic tokens

    Secure Remote Help for users who have forgotten their passwords

    Central configuration and administration

    Keyboard lock and screen saver

    Limited number of failed logon attempts with automatic locking

    Audit logging of events such as successful and failed logon attempts

    With Full Disk Encryption, all logical partitions/volumes are boot protected and encrypted, even if the disk is removed and loaded into a controlled machine.

    The integration of boot protection and automatic encryption provides a high degree of security with minimal impact on users. This allows an organization to determine the security level instead of leaving it up to the user to encrypt information.

    Boot protection prevents subversion of the operating system or the introduction of rogue programs, while sector-by-sector encryption makes it impossible to copy individual files for brute force attacks.

    Full Disk Encryption guarantees that unauthorized users cannot access or manipulate information on a protected computer, from either available, erased or temporary files. Full Disk Encryption safeguards the operating system and the important system files (which often contain clues to passwords), shared devices, and the network.

    r account information, keys, and other data to protect the Mac. This means there is no central user database or key repository to manage.

    Benefits for Administrators

    As a Full Disk Encryption administrator, you have centralized control of a decentralized system where you can perform:

    Configuration and deployment of a wide range of security and policy settings.

    Modification of security policy settings to suit the needs of the entire user population, selected groups of users, or individual users.

    The daily administration of the system.

    Deploying Full Disk Encryption on One or Many

    Using just one installation profile, you can deploy Full Disk Encryption to anywhere from 1 to thousands of users from a central location.

    You do not need to know the details of which users are using which computers when you deploy Full Disk Encryption, that is, you do not need to create individual user accounts manually or migrate user accounts to a central database. User accounts, no matter how many, are established without your intervention on the individual Macs to which Full Disk Encryption is deployed.

    Full Disk Encryption has two methods for creating user accounts for large-scale deployments: Temporary User Accounts and User Account Acquisition.

    Temporary User Accounts

    Users receive the installation profile via a generic temporary user account. The user logs on for the first time to this account using generic user credentials provided by the administrator. The user is then forced to create a new user name and password. This deletes the temporary account, and the user is established as a normal user in the system.

    User Account Acquisition

    User account acquisition is an alternative and preferred method of creating user accounts.

    The administrator deploys a profile to targeted groups of users. The first time the user logs on to the machine tFull Disk Encryption credentials.

    When a profile with user account acquisition enabled is deployed, the machine goes directly to the Mac OS X logon dialog box after the first reboot. The user then enters his Mac user credentials. When the machine is booted again, the Full Disk Encryption preboot logon dialog box displays, and the user can log on using the same Mac user credentials.

    This method has several advantages over using temporary user accounts to create Full Disk Encryption users:

    User account acquisition is transparent to the user, who continues to use the same user credentials he had before Full Disk Encryption was deployed.

    With user account acquisition, the administrator does not need to convey a generic username and password to the users and then rely on them to create their own credentials, as is the case with temporary user accounts.

    When user account acquisition and single sign-on are both enabled, passwords can be managed centrally, and users log on one time with one password to gain access to the Mac, Full Disk Encryption, and network resources.

    For instructions on enabling user account acquisition, see "User Account Acquisition" on page 20. For instructions on enabling single sign-on, see "Single Sign-On (SSO) Settings" on page 31.

    Deployment Overview

    You can think of Full Disk Encryption deployment in three major steps:

    1. The Full Disk Encryption program is first installed and configured on a Full Disk Encryption s workstation. This is called the master installation.

    2. The administrator then configures a Full Disk Encryption installation profile containing all the information and software necessary to install and manage Full Disk Encryption on the Macs in the network.

    3. The administrator uses the installation profile to deploy Full Disk Encryption to users.

    The following graphic provides an overview of the deployment process via profiles:


    Each of the three major steps is broken down in more detail in this guide. The following is a more detailed overview of the steps you take to deploy Full Disk Encryption.

    Getting Started

    The following information is intended to prepare you to begin working with Full Disk Encryption.

    Full Disk Encryption Terminology

    You may find it helpful to familiarize yourself with the following Full Disk Encryption terms.

    Group

    A group is a collection of user accounts. Each user account must belong to a group.

    Fact: The System group is created automatically when you install Full Disk Encryption. You must create at least one other group, however, to store user accounts you create that do not belong to the System group.

    Set

    A set is a share point from which you carry out your remote management tasks for groups and users. Such tasks are carried out via profiles, which are collected in the set. Sets help to keep you organized by allowing you to create separate sets for each type of configuration profile. For instance, you can create a set named Accounting which can be the share point for configuration profiles you want to deploy to the Accounting department.

    Profile

    A profile contains all the settings, account information, and software to install Full Disk Encryption on a client Mac, update settings on a machine with Full Disk Encryption already installed, or uninstall Full Disk Encryption. Profiles must belong to a set.

    Fact: You must create a set before you create profiles.

    Roadmap

    This summary provides a birdEncryption.

    Prepare the Master Installation

    Install Full Disk Encryption on your workstation

    See the Endpoint Security Full Disk Encryption for Mac Installation Guide, which describes how to perform a first-time FDE installation, the so-called master installation, on your Mac.

    Configure Full Disk Encryption system settings on your workstation

    Configure the settings for your FDE installation. See "An Administration Overview" on page 11 and "Configuring System Settings" on page 14.

    Prepare Your Groups and User Accounts

    Configure settings

    Configure the settings that control authentication and permission rights for the group and user accounts you create. See "Configuring Group and User Account Settings" on page 24.

    Create group and user accounts


    A group is a collection of users. Every user must belong to a group. Therefore, you must create a group or groups before you create user accounts.

    Best practice is to create a temporary user account for every group you create. This generic account facilitates large-scale deployment by allowing Full Disk Encryption to be deployed to many users without the need to create user accounts for each user prior to deployment. After Full Disk Encryption is installed on the

    temporary account, at which time he or she is forced to change the user name and password, thus creating his or her own user account. See "Creating Group and User Accounts" on page 35.

    Prepare Your Remote Administration Points (Sets)

    Create Configuration Sets

    A configuration set is a distribution point and storage place from which you carry out your remote management tasks for groups and users in the Full Disk Encryption system. Remote management tasks include installing/uninstalling Full Disk Encryption on remote clients and updating configuration on remote clients. See "Working with Configuration Sets" on page 45.

    Prepare to Install FDE on Client Machines

    Create installation profiles

    A profile contains all the settings and account information that you configured for groups and users, as well as the software to install Full Disk Encryption on a client machine. You also use profiles to update settings or remove Full Disk Encryption on machines where Full Disk Encryption is already installed. Profiles can exist only in a set. See "Working with Installation and Update Profiles" on page 51.

    Install Full Disk Encryption on Client Machines

    Deploy the installation profile to install Full Disk Encryption on client Macs and create user accounts. See "Working with Installation and Update Profiles" on page 51.

    Perform Administration Tasks

    Once you install Full Disk Encryption on client Macs, you can perform administration tasks, such as:

    Configuring and deploying update profiles. See "Working with Installation and Update Profiles" on page 51.

    Providing Remote Help to locked out users. See "Remote Help" on page 65.

    Uninstalling Full Disk Encryption. See "Removing Full Disk Encryption" on page 70.

    Recovering a Full Disk Encryption Mac. See "Recovery Media" on page 75.


    Chapter 2

    An Administration Overview

    Full Disk Encryption is managed from the Full Disk Encryption Management Console on any computer that has Full Disk Encryption installed. This gives administrators control over and easy access to higher-level functionality without being tied to any one machine.

    This chapter explains authority levels, how to access administration functions from any computer, and how to establish the initial system settings.

    In This Chapter

    Authority Levels 11

    Authority Levels

    There are two authority levels in Full Disk Encryption: an administrator, who has full authority, and users, whose authority is limited to logging on, viewing their own settings, and receiving Remote Help. A user can also change his or her password if the administrator has allowed it.

    Administrator

    Administrators have centralized control of the creation of the profiles that are used to install, update, and uninstall Full Disk Encryption on client computers while simultaneously allowing local control of the deployment of those profiles.

    In the example below, administrators can perform the following tasks:

    Create and manage profiles

    Configure system settings

    Add and remove user accounts

    Configure settings for user accounts

    Give Remote Help to users who are locked out or have forgotten their passwords.


    At least two competent individuals must be designated as administrators to manage Full Disk Encryption and the security of the information it contains.

    It is imperative that Full Disk Encryption administrators receive adequate training and are not careless, willfully negligent, or hostile. Full Disk Encryption administrative personnel should follow the instructions provided in this guide and keep their authentication data private.

    User

    Users have limited authority, according to what has been defined by the administrator in the system settings. Each user is assigned an account with a unique user identity and password that together authorize access to the entire hard disk.

    Authorized Full Disk Encryption users must keep their authentication data private.

    Permissions for Roles

    The following tables list the Privileged Permissions, Permissions, and Remote Help settings structure for Full Disk Encryption user accounts and administrators. An X marks the role that holds the permission.

    Table 2-2 Privileged Permissions

    Privileged Permissions            User    Administrator
    Authority Level                           X

    Table 2-3 Permissions

    Permissions                       User    Administrator
    Change Password                   X

    A user can change his own password if the Change Password setting for his account is set to Yes. The administrator can change authentication for every user.

    Table 2-4 Privileged Permissions

    Permissions                               User    Administrators
    Provide 'Remote Password Change'                  X
    Provide 'One Time Logon'                          X
    Receive 'Remote Password Change'          X
    Receive 'One Time Logon'                  X

    For more information, see "Configuring Group and User Account Settings" on page 24.

    Overview of the Full Disk Encryption Management Console

    The Full Disk Encryption Management Console gives you quick and easy access to all Full Disk Encryption functions.

    To start the Full Disk Encryption Management Console:

    Click Applications, navigate to the FDEMC icon and double-click it.

    The Full Disk Encryption Management Console program starts:

    Full Disk Encryption Management Console Dialog Box

    In the Full Disk Encryption Management Console dialog box, you can select an option either in the folder tree to the left or by clicking the active link in the relevant dialog box image in the pane to the right, for example, Go to Local.

    The Full Disk Encryption Management Console dialog box contains the following options:

    Option Description

    Local Installation Select to manage the local installation of Full Disk Encryption.

    Remote Installation Select to manage profiles, sets, and recovery files for remote installations

    Remote Help Select to help locked-out users change the account password or temporarily log on.


    Chapter 3

    Configuring System Settings

    System settings are related to aspects of the product such as installation, logon, and required path specifications. You use system settings to configure Full Disk Encryption.

    Other settings - those for Groups and User Accounts - are relevant for volume access, logging on, authentication, permissions, and Remote Help. These settings are described in "Configuring Group and User Account Settings" on page 24.

    In This Chapter

    Accessing Local Settings 14

    Editing Local Settings 15

    Accessing Local Settings

    The Full Disk Encryption Management Console, shown below, allows you to work with system, local, and remote settings. It provides wizards for defining, among other things, sets, groups, and user accounts.

    Local settings are settings for the machine on which you are logged on, usually the machine on which Full Disk Encryption is first installed and from which the installation of Full Disk Encryption is deployed to all clients.

    To access the local settings:

    Start Full Disk Encryption and select one of the following:

    Local in the folder tree to the left

    Go To Local under Local Installation in the main panel


    The Local dialog box is displayed:

    Status Information

    The following Status information is displayed in the main panel:

    Table 3-5 Status Information

    Status field                  Explanation
    Locally installed version     The version of Full Disk Encryption currently installed on this machine.
    Full Disk Encryption User     The name of the user account currently logged on to Full Disk Encryption Management Console.

    Editing Local Settings

    To edit Local settings:

    1. In the main panel under Actions, click Edit Settings.

    The folder tree is displayed in the left panel.

    2. Click the folder for the settings you wish to edit.

    See the following for descriptions and editing details of the various system settings.


    Install Settings

    Install contains the following settings:

    Set Update Validation Password

        The administrator uses Set Update Validation Password to set the password clients use to validate update profiles they pull from a shared folder. This password is crucial to the update or uninstall process and has a maximum length of 31 bytes.

        The update validation password (UVP) on the client is initially set by the installation profile, or manually on the client machine via System Settings > Install > Set Update Validation Password.

        Example:

        The UVP on the admin machine is changed from A to B.

        The admin machine deploys an update profile to the clients. This update profile is saved on the admin machine after the UVP is changed to B (the profile must be saved if the UVP in the profile is to be updated to the current UVP of the admin machine).

        This profile actually contains both UVPs A and B, and when clients pull the profile, they accept it because it contains A.

        In addition, they recognize that the UVP is set to B in this profile, so they change their UVPs to B.

        Now, if a client changed its UVP to C and this client deploys an update profile (containing UVPs B and C) to all other clients, the clients that pull the profile will have UVP C.

        After they have UVP C, none of these clients will accept an update profile deployed from the admin machine that still has UVP B.

    Product License

        Check Point license for the Full Disk Encryption product.

        If necessary, this can be changed by clicking on the Check Point license. A dialog opens where you can click the Browse button to import a Check Point license (.lic) file.

        Note - Full Disk Encryption supports only one single license, not multiple licenses.


    Set Update Profile Path

        Path to the directory or directories from which the installation downloads update profiles.

        Enter the path(s) to the directory or directories where Full Disk Encryption is to look for update profiles to use when updating system and user information. Best practice is to specify the path in the format /var/share.

        Full Disk Encryption downloads these profiles according to the predefined update interval. The default is every third hour or at the next restart, i.e. when the Full Disk Encryption Dock program is loaded next. See "Working with Installation and Update Profiles" on page 51 for more information.

    Set Recovery Path

        Path to the directory or directories in which the installation stores recovery data. Best practice is to specify the path in the format /var/share/.

    Encrypt everything

        Set Encrypt everything to Yes when you want to encrypt the entire disk of the client Macs on which an install profile is deployed. This setting is displayed only when you are configuring settings in an install profile.
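    The Set Update Validation Password example above, replayed as an added simulation (not Check Point's code) of the acceptance rule it describes: a client accepts a profile only if its current UVP is among the UVPs the profile carries, then adopts the profile's current UVP. The class names, the machine names and the assumption that a profile re-saved on the admin machine still carries A and B are assumptions, not taken from the guide.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class UpdateProfile:
    """An update profile as the example describes it: saved on a machine whose
    UVP just changed, it carries both the previous and the current UVP."""
    previous_uvp: str
    current_uvp: str

    @property
    def uvps(self) -> Set[str]:
        return {self.previous_uvp, self.current_uvp}


@dataclass
class Client:
    name: str
    uvp: str
    log: List[str] = field(default_factory=list)


def apply_profile(client: Client, profile: UpdateProfile) -> bool:
    """Acceptance rule from the example: a client accepts a profile only if its
    own UVP is one of the UVPs the profile carries; it then adopts the
    profile's current UVP. Returns True when the profile was accepted."""
    if client.uvp not in profile.uvps:
        client.log.append(f"rejected profile carrying {sorted(profile.uvps)}")
        return False
    client.log.append(f"UVP {client.uvp} -> {profile.current_uvp}")
    client.uvp = profile.current_uvp
    return True


def clients_that_would_reject(fleet: List[Client], profile: UpdateProfile) -> List[str]:
    """Pre-deployment check: names of the clients that would reject this
    profile. A non-empty result means part of the fleet has drifted to a UVP
    the profile does not carry, as in the example's step with UVP C."""
    return [c.name for c in fleet if c.uvp not in profile.uvps]


def guide_scenario() -> Dict[str, object]:
    """Replay the A -> B -> C example; machine names are constructed."""
    fleet = [Client("mac1", "A"), Client("mac2", "A"), Client("mac3", "A")]

    # The admin machine changes its UVP from A to B and saves a profile, which
    # therefore carries A and B. Every client on A accepts it and moves to B.
    admin_profile = UpdateProfile(previous_uvp="A", current_uvp="B")
    first_accepted = [apply_profile(c, admin_profile) for c in fleet]

    # One client changes its own UVP to C and pushes a profile carrying B and C.
    # The other clients are on B, so they accept it and move to C.
    rogue = fleet[0]
    rogue_profile = UpdateProfile(previous_uvp=rogue.uvp, current_uvp="C")
    rogue.uvp = "C"
    for c in fleet[1:]:
        apply_profile(c, rogue_profile)

    # The admin machine is still on B. A profile it saves now carries B (and the
    # A it came from; assumption), never C, so every client rejects it.
    rejected_by = clients_that_would_reject(fleet, admin_profile)
    second_accepted = [apply_profile(c, admin_profile) for c in fleet]

    return {
        "final_uvps": {c.name: c.uvp for c in fleet},
        "first_deployment_accepted": first_accepted,
        "stale_profile_rejected_by": rejected_by,
        "second_deployment_accepted": second_accepted,
    }
```

    Running clients_that_would_reject against the current fleet before pushing a profile is the check that catches the drift the example warns about.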

    Mount Points

    Mount Points contains the following settings:

    You can click on a drive in the Mount Points folder to obtain information about how a drive is encrypted and the status of the encryption process.

    If drives are encrypted, no drives are listed in the Mount Points folder and the Mount Points settings are not visible.

    Table 3-6 Mount Points

    Setting                       Description
    Algorithm                     Algorithm used to encrypt the drive.


    Key Length                    Strength of the key used to encrypt the drive.
    Device name                   Identification information of the drive.
    Mount point                   Name of the mount point.
    Device encryption status      Status of the encryption process. In the example above, this field shows that the device is encrypting.

    You can also view encryption progress by doing one of the following:

    Rolling your mouse over the Full Disk Encryption icon in the upper taskbar

    Clicking the Full Disk Encryption icon and selecting Encryption status

    Running the remote status indication command line utility. See "External Status Indication Command Line Utility" on page 18 for instructions.

    Device encryption progress    Shows how far along encryption is in percent.

    External Status Indication Command Line Utility

    The External Status Indication Command Line Utility retrieves encryption status from each mounted volume for the attributes Volume, GUID, and Status.

    Volume

    The volume name is always displayed, for example, / .

    GUID

    If the volume is encrypted by Full Disk Encryption, the GUID for the volume is displayed. If the volume is not encrypted, this information is not displayed.

    Status

    The attribute Status displays the current action (Encrypted, Encrypting, Decrypting, Decrypted) and its percentage of completion for FDE-encrypted volumes.

    Example of output for an FDE-encrypted volume:

    Volume: / GUID: XXXXXXX - XXXX- XXXX- XXXX- XXXXXXX Status: Encrypted 100.00

    Example of output for a non FDE-encrypted volume:

    Volume: /Volumes/prodop Status: Volume is not encrypted with Check Point Endpoint Security.

    To run the External Status Indication Command Line Utility:

    1. Open a terminal.

    2. Run the command

    cd /usr/local/ppc - - /bin/

    3. Run the command ./FDEEncStatus
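    An added example (not part of the product) that parses the utility's output in both layouts shown above and lists the volumes that are not fully encrypted, which is the check an administrator would run on a fleet. The sample output is constructed, the GUIDs are placeholders, and the utility path is a placeholder to be replaced with the directory from step 2.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Placeholder: substitute the directory from step 2 of the procedure above.
FDEENCSTATUS = "/PATH/TO/FDEEncStatus"

# Constructed sample output in the two layouts the guide shows; not captured
# from a real run. GUIDs are made-up placeholders.
SAMPLE_MULTILINE = """\
Volume: /
GUID: 0a1b2c3d-1111-2222-3333-444455556666
Status: Encrypted 100.00
Volume: /Volumes/prodop
Status: Volume is not encrypted with Check Point Endpoint Security.
Volume: /Volumes/data
GUID: 0a1b2c3d-1111-2222-3333-777788889999
Status: Encrypting 42.50
"""
SAMPLE_ONE_LINE = "Volume: / GUID: XXXXXXX - XXXX- XXXX- XXXX- XXXXXXX Status: Encrypted 100.00"


@dataclass
class VolumeStatus:
    volume: str
    guid: Optional[str]   # None when the volume is not FDE-encrypted
    action: str           # Encrypted, Encrypting, Decrypting, Decrypted or "Not encrypted"
    percent: float

    @property
    def fully_encrypted(self) -> bool:
        return self.action == "Encrypted" and self.percent >= 100.0


_ACTION_RE = re.compile(r"(Encrypted|Encrypting|Decrypting|Decrypted)\s+(\d+(?:\.\d+)?)")


def parse_status(output: str) -> List[VolumeStatus]:
    """Parse FDEEncStatus output. Records are delimited by 'Volume:' markers,
    so both the one-line and the line-per-attribute layouts are accepted.
    Volume names containing spaces are not handled (assumption)."""
    results: List[VolumeStatus] = []
    for record in re.split(r"(?=Volume:)", output):
        record = record.strip()
        if not record.startswith("Volume:"):
            continue
        head, _, status_text = record.partition("Status:")
        m = re.match(r"Volume:\s*(\S+)", head)
        if not m:
            continue
        volume = m.group(1)
        guid = None
        g = re.search(r"GUID:\s*([^\n]+)", head)
        if g:
            # The guide's example prints the GUID with stray spaces; drop them.
            guid = re.sub(r"\s+", "", g.group(1))
        a = _ACTION_RE.search(status_text)
        if a:
            results.append(VolumeStatus(volume, guid, a.group(1), float(a.group(2))))
        else:
            results.append(VolumeStatus(volume, guid, "Not encrypted", 0.0))
    return results


def not_fully_encrypted(volumes: List[VolumeStatus]) -> List[VolumeStatus]:
    """Volumes to follow up on: unencrypted, still encrypting, or decrypting."""
    return [v for v in volumes if not v.fully_encrypted]


def query_local_status() -> List[VolumeStatus]:
    """Run the utility on this Mac and parse what it prints."""
    out = subprocess.run([FDEENCSTATUS], capture_output=True, text=True, check=True).stdout
    return parse_status(out)


if __name__ == "__main__":
    for v in not_fully_encrypted(query_local_status()):
        print(f"{v.volume}: {v.action} {v.percent:.2f}%")
```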


    System Passwords Policy

    System Passwords Policy contains the following settings:

    Table 3-7 System Passwords Policy

    Setting                                       Description
    Require Letters and Digits                    If set to Yes, both letters and digits must be used in passwords.
    Enable Case Sensitivity                       Accept uppercase and lowercase letters in passwords. If the check box is cleared, all letters are interpreted as uppercase regardless of their case when entered. This setting cannot be changed if the setting Require Upper and Lower Case is set to Yes.
    Allow Special Characters                      Allow the use of the following special characters in passwords: - . / : ; < = > ? @ { }
    Allow Consecutive, Identical Characters       Accept passwords having more than two consecutive, identical characters.
    Require Upper and Lower Case                  Passwords must contain both upper- and lowercase characters. This setting cannot be changed if the setting Enable Case Sensitivity is set to Yes.
    Allow Embedded Space Characters               Passwords may contain embedded space characters.
    Allow Leading or Trailing Space Characters    Passwords may contain leading or trailing space characters, or both.
    Allow Password of Adjoining Characters        Passwords may consist of a series of characters from adjoining keys on a keyboard.
    Set Minimum Length                            Set the minimum length for passwords. Setting this value to 0 means there is no minimum length restriction.


    User Account Acquisition

    User Account Acquisition contains the following setting:

    Table 3-8 User Account Acquisition

    Setting                             Description
    Enable User Account Acquisition     Enables Full Disk Encryption to automatically acquire Macintosh user accounts and use them to set up Full Disk Encryption user accounts.

    Note - The first user who logs on to a machine on which user account acquisition is enabled is the user whose Mac credentials are acquired for use as Full Disk Encryption credentials. If the user already exists in Full Disk Encryption, then User Account Acquisition is disabled on that machine when the user logs on.

    The user account acquisition functionality is an alternative and preferred method of creating user accounts. For an explanation of the two methods of user account creation, temporary user accounts and user account acquisition, see Deploying Full Disk Encryption to One or Many.

    For maximum transparency for the user, enable both the User Account Acquisition setting and Single Sign-On. See "Single Sign-On (SSO) Settings" on page 31.

    If you set Enable User Account Acquisition to Yes, you must select a Full Disk Encryption group in which to place the Full Disk Encryption user accounts that are created through the user account acquisition function. See "Select Group" on page 21 for instructions.


    Select Group

    Select Group contains the following setting:

    Setting         Description
    Select Group    Here you select the group of users whose Mac user accounts you want to acquire to make Full Disk Encryption user accounts.

    Wake on LAN

    Full Disk Encryption can be used together with Wake-on-LAN (WOL) network cards, which can be configured to start the system in Wake-on-LAN mode. The FDE Wake-on-LAN functionality will automatically log on to the computer after the computer has booted with the help of WOL network cards. This allows the operating system to start and remote updates to be performed.

    Wake on Lan Example

    The following is an example of working with Full Disk Encryption WOL. In this example, the number of permitted WOL logons is five.

    1. The Full Disk Encryption profile is deployed to the Full Disk Encryption-protected computer and the WOL settings are implemented.

    2. The computer is booted, and WOL logs on and boots the machine. The WOL logon process is now started, and WOL will log on as many times as specified in the profile.

    3. The computer is rebooted four times, and WOL logs on and boots the computer.

    4. The computer is rebooted. Now, all the WOL logons specified have been used and WOL is disabled on the computer.

    The Wake-on-LAN settings are located under Full Disk Encryption > System Settings > Wake on LAN. The following settings are available for Wake on LAN:


    Setting                             Description
    Enable Wake on LAN                  Enables Wake-on-LAN functionality. This setting causes the computer to automatically boot the operating system.

    Note - On a machine on which Wake on LAN is enabled, successfully logging on to the management console will disable Wake on LAN. After being disabled, Wake on LAN must again be enabled via this setting. An example of this is when an administrator is deploying updates to remote machines, updates that require reboot and restart, and thus require that Wake on LAN be enabled. But a logon to the management console indicates that a user is currently using the machine, so Wake on LAN is automatically disabled so the user can carry on working and not be disrupted by the update. To re-enable Wake on LAN, use this setting.

    Set Max Number of Logons Allowed    Sets the maximum number of Wake-on-LAN logons allowed, if any.

    Note - This setting and Set Expiration Date must be specified for Wake on LAN to start.

    Set Expiration Date                 Sets the date on which the Wake-on-LAN functionality will be disabled.

    Note - This setting and Set Max Number of Logons Allowed must be specified for Wake on LAN to start.


    Logon

    The Logon settings apply to the Full Disk Encryption preboot logon. The Logon settings are located under Full Disk Encryption > System Settings > Logon. The following settings are available for Logon:

    Setting                                Description
    Set Logon Verification Time            Sets the number of seconds that the verification text for a successful logon is displayed, or disables the display of the logon verification text.
    Set Max Failed Logons Before Reboot    Sets the maximum number of failed logons allowed before a reboot is invoked, or disables this function.


    Chapter 4

    Configuring Group and User Account Settings

    This chapter introduces the configurable settings for both groups and user accounts, which you will create later. These settings are related to logging on, authentication, and permissions.

    Each setting has a default value, but a value that you set (specify) always overrides a default value. Thus, for certain important settings, for example, those related to password policy, you may want to set the values rather than relying on the defaults.

    In This Chapter

    Local Settings for Groups and User Accounts 24

    System Settings for Groups 25

    Local Settings for Groups and User Accounts

    To open the Local Settings:

    1. Start Full Disk Encryption and select one of the following:

    Local in the folder tree to the left

    Go To Local under Local Installation in the main panel


    The Local dialog box is displayed:

    2. Click Edit Settings to display the Local folder tree in the left panel.

    These settings can be specified for both groups and user accounts.

    3. Do one of the following:

    For group settings Under Groups, expand the System folder to see the folders that contain Group Settings.

    For user account settings Under User Accounts, expand the tree for a user (admin1 in the example below) and then expand the Account Settings folder that is displayed. You see the folders containing the account settings. Notice that the same settings exist for both groups and user accounts:

    System Settings for Groups

    Click System under Groups.


    The following settings are displayed:

    Table 4-9 System Settings for Groups

    Setting                              Description
    GUID (Globally Unique Identifier)    The GUID is a unique reference number that identifies each group and user account. GUIDs are used internally by Full Disk Encryption to guarantee each group
    Expiration Date                      This is where you specify an expiry date for user accounts.

    Group Settings

    Click Group Settings.

    The folders containing group settings are displayed:


    Logon Settings

    Click Logon under Group Settings.

    The following settings are displayed:

    Table 4-10 Logon Settings

    Setting                  Description
    Set Max Failed Logons    Set the maximum number of failed logons allowed before the account is locked.

    Authentication Settings

    Fixed Password

    Click Fixed Password.


    The following settings are displayed:

    Table 4-11 Fixed Password Settings

    Setting                                       Description
    Require Letters and Digits                    If set to Yes, both letters and digits must be used in passwords.
    Enable Case Sensitivity                       Accept uppercase and lowercase letters in passwords. If the check box is cleared, all letters are interpreted as uppercase regardless of their case when entered.
    Allow Special Characters                      Allow the use of the following special characters in passwords: - . / : ; < = > ? @ { }
    Allow Consecutive, Identical Characters       Accept passwords having more than two consecutive, identical characters.
    Require Upper and Lower Case                  Passwords must contain both upper- and lowercase characters.
    Allow Embedded Space Characters               Passwords may contain embedded space characters.
    Allow Leading or Trailing Space Characters    Passwords may contain leading or trailing space characters, or both.
    Allow Password of Adjoining Characters        Passwords may consist of a series of characters from adjoining keys on a keyboard.
    Set Minimum Length                            Set the minimum length for passwords.


    Set Maximum Age                               Set the maximum allowed age of a password in days.

    Note - If you specified a maximum age at the group level, and later decide you want it set at the user account level, clear the setting by setting the value to 0 (unlimited). Do not use "Disable", which disables only this feature.

    Password History                              Number of passwords that must be used before a previously used password may be used again. If password settings are changed in Fixed Password, the changes appear the next time the password is changed in Full Disk Encryption Management Console.

    Note - If you specify that a group of accounts must use fixed passwords, you must ensure that the settings for the passwords meet strict security standards:

    Always specify complex passwords that require letters, numbers, special characters and spaces. Do not include repeating characters.

    Use a mix of uppercase and lowercase letters.

    Use non-alphanumeric symbols such as the dollar sign ($) and percentage symbol (%).

    Make sure the password does not include any word that can be found in a dictionary; you can use parts of words.

    Make sure the password can be remembered without having to be written down.

    When deploying Full Disk Encryption, create a policy to go with the password, including end-user education and enforcement as well as a procedure for action if someone forgets their password or simply cannot get it to work.
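    A checker for the password rules in Tables 3-7 and 4-11, added here as an example and not part of Check Point's software. The special-character set and the field defaults come from the tables (defaults from Table 5-18); the keyboard row map used for the adjoining-characters rule and the decision to treat every non-alphanumeric symbol as "special" are assumptions, since the guide does not publish the keyboard map FDE uses.

```python
from dataclasses import dataclass
from typing import List

# Special characters the Allow Special Characters setting admits (Tables 3-7 and 4-11).
ALLOWED_SPECIALS = frozenset("-./:;<=>?@{}")

# Constructed row map of a US keyboard for the Allow Password of Adjoining
# Characters rule; an assumption, the guide does not give FDE's keyboard map.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


@dataclass
class PasswordPolicy:
    """One field per setting in Table 3-7 / 4-11. The defaults mirror the
    'Default (if no value specified)' column of Table 5-18."""
    require_letters_and_digits: bool = False
    enable_case_sensitivity: bool = False
    allow_special_characters: bool = False
    allow_consecutive_identical: bool = False
    require_upper_and_lower: bool = False
    allow_embedded_spaces: bool = False
    allow_leading_trailing_spaces: bool = False
    allow_adjoining_characters: bool = False
    minimum_length: int = 6  # 0 = no minimum length restriction


def canonical_form(password: str, policy: PasswordPolicy) -> str:
    """How FDE interprets the entered password: with case sensitivity
    disabled every letter counts as uppercase."""
    return password if policy.enable_case_sensitivity else password.upper()


def _is_adjoining_run(password: str) -> bool:
    """True when the whole password is a straight run along one keyboard row,
    in either direction (e.g. 'qwerty' or '0987')."""
    s = password.lower()
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def _longest_identical_run(password: str) -> int:
    longest = run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        longest = max(longest, run)
    return longest


def validate(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the rules the password violates; an empty list means accepted."""
    violations: List[str] = []
    stripped = password.strip(" ")
    if policy.minimum_length and len(password) < policy.minimum_length:
        violations.append("minimum_length")
    if policy.require_letters_and_digits and not (
            any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        violations.append("letters_and_digits")
    if policy.require_upper_and_lower and not (
            any(c.islower() for c in password) and any(c.isupper() for c in password)):
        violations.append("upper_and_lower_case")
    # Anything that is not a letter, digit or space is treated as a special
    # character that needs Allow Special Characters (assumption for symbols
    # outside ALLOWED_SPECIALS; the listed ones are the documented set).
    if not policy.allow_special_characters and any(
            not c.isalnum() and c != " " for c in password):
        violations.append("special_characters")
    # "More than two consecutive, identical characters" means a run of 3 or more.
    if not policy.allow_consecutive_identical and _longest_identical_run(password) > 2:
        violations.append("consecutive_identical_characters")
    if not policy.allow_embedded_spaces and " " in stripped:
        violations.append("embedded_space_characters")
    if not policy.allow_leading_trailing_spaces and stripped != password:
        violations.append("leading_or_trailing_space_characters")
    if (not policy.allow_adjoining_characters and len(password) > 1
            and _is_adjoining_run(password)):
        violations.append("adjoining_characters")
    return violations
```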

    Dynamic Token

    Full Disk Encryption supports dynamic tokens.

    Click Dynamic Token.


    The following settings are displayed:

    Table 4-12 Dynamic Token Settings

    Setting             Description
    Challenge length    Set the number of digits contained in the challenge.
    Response length     Set the number of digits contained in the response.

    Privileged Permissions Settings

    Click Privileged Permissions.

    The following settings are displayed:


    Table 4-13 Privileged Permissions Settings

    Setting            Description
    Authority Level    Specify the authority level of the account to Administrator or User.

    Permissions Settings

    Click Permissions.

    The following settings are displayed:

    Table 4-14 Permissions Settings

    Setting                   Description
    Change Password           Set whether the account(s) are allowed to change their own fixed passwords and/or credentials.
    Change Single Sign-On     When set to Yes, the SSO Active checkbox is activated in the preboot logon dialog box. This allows the user to choose to disable SSO temporarily while logging into preboot by clearing the checkbox before continuing to boot up in the Mac OS X.

    Single Sign-On (SSO) Settings

    When single sign-on (SSO) is enabled for a Full Disk Encryption user account, the user must authenticate only during preboot. The user is then logged in automatically to the Mac OS X. For SSO to work, the user account name and password used to authenticate in preboot must be the username and password used in Mac OS X. (Thus, when a temp user account is used to create an FDE for Mac user account that will use SSO, the user must specify his/her Mac OS X username. Otherwise, SSO will be disabled for that user.)

    To enable SSO, select Yes in the Enable SSO dialog box in the FDEMC (Group Settings > Single Sign-On > Enable SSO).

    After enabling SSO for a Full Disk Encryption account on a computer, Full Disk Encryption learns the


    usual. Full Disk Encryption stores this information securely and uses it on subsequent logons where SSO has been enabled. When the option is not selected, no credentials are passed to the network. This permits a different network account to be used.

    When SSO is turned off, no network credentials are reis turned back on, the previous credentials must be specified again for SSO to function.

    Note - When Remote Help is used to authenticate a user account that uses single sign-on (SSO), the recorded SSO credentials for that user account are invalidated. This is to prevent a Remote Help administrator from leveragin

    Single Sign-On and Network Password Changes

    s network password. Full Disk Encryption looks for Change Password dialog boxes to record the changes. At the next reboot, SSO works as usual because the new password has already been stored.

    Single Sign-On and Mac Password Changes

    SSO ensures that the Full Disk Encryption password is always set to the Mac password. After they are synchronized, changing the Mac password automatically changes the Full Disk Encryption password to the new Mac password.

    Single Sign-On

    Click Single Sign-On.

    The following setting is displayed:

    Table 4-15 Single Sign-On Setting

    Setting       Description
    Enable SSO    Set whether single sign-on functionality is to be enabled for the account(s).


    Remote Help

    Click Remote Help.

    The following settings are displayed:

    Note - For Remote Help to function, both the user account of the Remote Help provider and of the Remote Help recipient must exist on

    authority level must be equal to or higher than the group authority level of the Remote Help recipient.

    Table 4-16 Remote Help Settings

    Setting                             Description
    Provide 'Remote Password Change'    Set whether or not the account(s) are allowed to provide Remote Password Change for other user accounts.
                                        For a user account to be able to provide Remote
                                        account settings and the setting must be enabled in the
    Receive 'Remote Password Change'    Set whether or not the account(s) are allowed to receive Remote Password Change.
                                        For a user account to be able to receive Remote
                                        account settings and the P setting must be enabled in the
    Provide 'One Time Logon'            Set whether or not the account(s) are allowed to provide One Time Logon for other user accounts.
                                        For a user account to be able to provide One-Time
                                        user account settings and the -Time
                                        user account settings.


    Receive 'One Time Logon'            Set whether or not the account(s) are allowed to receive One Time Logon.
                                        For a user account to be able to receive One-Time
                                        user account settings and the -Time
                                        user account settings.


    Chapter 5

    Creating Group and User Accounts

    This chapter explains how to create and manage Full Disk Encryption groups and user accounts on the computer on which you installed Full Disk Encryption.

    In This Chapter

    Group and User Account Basics 35

    Creating Group Accounts 35

    Adding a User Account to a Group 38

    Moving User Accounts 44

    Group and User Account Basics

    In Full Disk Encryption, a user account always belongs to one (and only one) group. This means that before you create any user accounts, you must first create one or more groups to contain user accounts.

    Best practice is to create groups that contain user accounts with similar rights, access needs, and controls. Each group you create can have completely different settings than other groups. For example, you can create a group called Accounting, where all user accounts in the Accounting department reside. This group can have different settings than a group you might create for Development.

    Creating Group Accounts

    After Full Disk Encryption is installed and you have opened the Full Disk Encryption Management Console, you can see that a group called System has already been created. Under the System group folder, there is a tree of User Accounts where you find the two users you defined during installation (in this example, admin1 and admin2).

    You can now create new group accounts.

    To create a new group account:

    1. Secondary click Groups.


    The New Group button is displayed:

    2. Click the New Group button and enter a group name in the New Group dialog box:

    3. Click OK. The new group is now listed in the tree under Groups (in this example, it is ABC Group).

    There are currently no user accounts in the User Accounts folder in ABC Group:

    4. In the Group Settings folder for the new group you created, configure the relevant group settings. See "Configuring Group and User Account Settings" on page 24.

    5. Click on the group name (in this example, it is ABC Group), to display the following setting:


    Table 5-17 Group Settings

    Setting            Description
    Expiration Date    Date this group expires.

    6. Expand the Group Settings folder tree for the new group, and you see the folders as described in "Configuring Group and User Account Settings" on page 24:

    Default Values and How the Effective Values of Settings are Determined

    If no value has been specified for a setting in either the group or user account, the default value for that setting prevails. See the Default column in the tables below.

    When the values set for a group and a user account in that group differ, Full Disk Encryption sets an effective value, which is the most secure value for the setting. The tables below list the effective values.

    Table 5-18 Password Effective Values and Default Settings

    Password Settings                             Effective Value if Group and User Account Differ    Default (if no value specified)
    Require Letters and Digits                    Enabled                                             Disabled
    Enable Case Sensitivity                       Disabled                                            Disabled
    Allow Special Characters                      Enabled                                             Disabled
    Allow Consecutive, Identical Characters       Disabled                                            Disabled
    Require Upper and Lower Case                  Enabled                                             Disabled
    Allow Embedded Space Characters               Disabled                                            Disabled
    Allow Leading or Trailing Space Characters    Disabled                                            Disabled


    Allow Password of Adjoining Characters        Disabled                                            Disabled
    Set Minimum Length                            The larger of the two values                        Six characters
    Set Maximum Age                               The smaller of the two values                       Disabled
    Password History                              The larger of the two values                        Disabled

    Table 5-19 Logon Effective Values and Default Settings

    Logon Settings                      Effective Value if Group and User Account Differ    Default
    Set Max Failed Logons               The smaller of the two values                       Disabled

    Table 5-20 Privileged Permissions Effective Values and Default Settings

    Privileged Permissions Settings     Effective Value if Group and User Account Differ    Default
    Authority Level                     Administrator                                       Administrator

    Table 5-21 Remote Help Effective Values and Default Settings

    Remote Help Settings                Effective Value if Group and User Account Differ    Default
    Provide 'Remote Password Change'    Disabled                                            Disabled
    Provide 'One Time Logon'            Disabled                                            Disabled
    Receive 'Remote Password Change'    Disabled                                            Disabled
    Receive 'One Time Logon'            Disabled                                            Disabled
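    The resolution rules of Tables 5-18 to 5-21, written out as an added example (not Check Point's code): the setting names, the "most secure" choice per setting and the defaults are taken from the tables. That a value specified on only one side is used as-is, and that "Disabled" on a numeric setting counts as not specified, are assumptions.

```python
from typing import Dict, Union

# "Enabled"/"Disabled", "User"/"Administrator", an integer, or None = not specified.
Value = Union[str, int, None]

# Boolean settings whose effective value is Enabled when group and user differ (Table 5-18).
ENABLED_WINS = {"Require Letters and Digits", "Allow Special Characters",
                "Require Upper and Lower Case"}
# Boolean settings whose effective value is Disabled when they differ (Tables 5-18, 5-21).
DISABLED_WINS = {"Enable Case Sensitivity", "Allow Consecutive, Identical Characters",
                 "Allow Embedded Space Characters", "Allow Leading or Trailing Space Characters",
                 "Allow Password of Adjoining Characters",
                 "Provide 'Remote Password Change'", "Provide 'One Time Logon'",
                 "Receive 'Remote Password Change'", "Receive 'One Time Logon'"}
# Numeric settings resolved to the larger or the smaller value (Tables 5-18, 5-19).
LARGER_WINS = {"Set Minimum Length", "Password History"}
SMALLER_WINS = {"Set Maximum Age", "Set Max Failed Logons"}

# "Default (if no value specified)" column of each table.
DEFAULTS: Dict[str, Value] = {
    **{s: "Disabled" for s in ENABLED_WINS | DISABLED_WINS},
    "Set Minimum Length": 6,
    "Set Maximum Age": "Disabled",
    "Password History": "Disabled",
    "Set Max Failed Logons": "Disabled",
    "Authority Level": "Administrator",   # Table 5-20
}


def _normalize(setting: str, value: Value) -> Value:
    # Assumption: "Disabled" on a numeric setting means no value is specified.
    if setting in LARGER_WINS | SMALLER_WINS and value == "Disabled":
        return None
    return value


def effective_value(setting: str, group_value: Value, user_value: Value) -> Value:
    """Effective value of one setting for a user account in a group."""
    if setting not in DEFAULTS:
        raise KeyError(f"unknown setting: {setting}")
    specified = [v for v in (_normalize(setting, group_value),
                             _normalize(setting, user_value)) if v is not None]
    if not specified:
        return DEFAULTS[setting]
    if len(specified) == 1 or specified[0] == specified[1]:
        return specified[0]   # assumption: a single specified value is used as-is
    g, u = specified
    if setting in ENABLED_WINS:
        return "Enabled"
    if setting in DISABLED_WINS:
        return "Disabled"
    if setting == "Authority Level":
        return "Administrator"
    if setting in LARGER_WINS:
        return max(g, u)
    return min(g, u)          # SMALLER_WINS


def resolve_account(group: Dict[str, Value], user: Dict[str, Value]) -> Dict[str, Value]:
    """Effective value for every setting, given the group's and the user
    account's specified values (missing keys count as not specified)."""
    return {s: effective_value(s, group.get(s), user.get(s)) for s in DEFAULTS}
```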

    Adding a User Account to a Group

    When you open the Full Disk Encryption Management Console, you can see that a group called System has already been created.


    Under the System group folder is a tree of User Accounts where you find the two user accounts you defined during installation.

    Their Privileged Permissions setting is Administrator and their Permissions are set to Yes. Almost all other user accounts you define are assigned significantly more restricted privileges than those of an administrator.

    To add another user account to the group:

    1. Secondary click User Accounts.

    The Add User Account button becomes active:

    2. Click Add User Account to activate the User Account wizard:


    Table 5-22 User Account Dialog Fields

    Field                    Description
    User account name        The name must be 1-31 characters long. See Endpoint Security Full Disk Encryption for Mac Release Notes for the keyboards (locale codes) supported.
    Type of user account     The type of user account can be:

        Normal       A regular user account is usually created for users of the computer on which you are working. This account can also be used as an administrator account and be included in a profile when you deploy Full Disk Encryption.

        Temporary    This account is used in a profile to create user accounts for large-scale deployment of Full Disk Encryption, without the need to create individual user accounts manually.

        When someone logs in using a temporary user account when Full Disk Encryption is deployed to a computer, she is prompted for a new user account name and password.

        Based on the new user account name and password, Full Disk Encryption creates a new user account and deletes the temporary account. This makes large-scale deployment of Full Disk Encryption easy, as one Full Disk Encryption profile can be used for all computers and you do not need to know exactly which user is on what computer.

        A temporary account can also be created to limit the time the user can access the computer.

        For more information on profiles, see "Working with Installation and Update Profiles" on page 51.

        Note - As an alternative and preferred method to creating new user accounts with a temporary user account, you can use the User Account Acquisition setting. This setting enables Full Disk Encryption to acquire Macintosh user accounts automatically and use them to set up Full Disk Encryption user accounts. For more information, see "User Account Acquisition" on page 20.

    Authentication method    Authentication for this user account is done via one of the following:

        Password

        Dynamic Token

3. After specifying the logon name, the account type and Password as the authentication method, click OK.

    A temporary user account is defined in the same way as a normal user account.


Password Authentication

1. Fill in the password details:

    Table 5-23 Password Fields

    Field Description

Password protection The password must meet the criteria you specified for fixed passwords in Group Settings. While you type the password and confirm it in the Confirm Password text box, the Password Match label shows a red icon until the two entries match and the password meets all the configured password criteria. When the criteria are met, the icon turns green.

Confirm Password Re-enter the password you typed in the Password text box.

    Force change of password at next logon

    Selecting this option forces the user to specify a new user account password at the next logon.

Password Rules The password rules shown here follow the password policy set for the user account. If the user account is new (not an existing account that you are editing), the following default password rules apply:

    Length -

    Adjoining Characters -

    Retype Match -

    A red icon displays next to each of the labels until a password meeting all password criteria is entered. The icons then turn green and the user can proceed to the next page.

    2. Click Next, and after viewing the result do one of the following:

    If you are satisfied, click Finish.


    If you want to make changes, click Back, make the changes and click Finish.

    Use the above procedure to define any other user accounts that will use password authentication.

Dynamic Token Authentication

To use dynamic token authentication:

    1. Enter logon name and type of account, and select Dynamic Token:

    2. Click Next.


    3. Enter the required information:

    Table 5-24 Dynamic Token Dialog Fields

    Field Description

    Dynamic Token Key Enter the token key you received with the token from Check Point.

    Challenge Length Must be 4 or 8 characters in length.

    Response Length Must be 4 or 8 characters in length.

    Challenge Format Choose either Hexadecimal or Ascii.

    Response Format Choose either Friendly or Decimal.

    4. Click Next, and do one of the following:

    If you are satisfied, click Finish.

    If you want to make changes, click Back, make the changes and click Finish.

    Use the above procedure to define any other user accounts that will use dynamic token authentication.
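The exchange that the fields in Table 5-24 configure, as an added example that is not part of the original guide and not Check Point's token implementation: the guide names the parameters (token key, challenge length and format, response length and format) but not the token algorithm, so HMAC-SHA256 over the challenge stands in for it, the Ascii alphabet is assumed to be upper-case letters and digits, and only the Decimal response format is modelled because the page does not describe Friendly. The token key below is constructed.

```python
"""Challenge/response logon modelled on the Dynamic Token settings.

Added illustration, not Check Point code.  HMAC-SHA256 over the challenge is
an ASSUMED stand-in for the token's real algorithm; the Ascii alphabet and
the Decimal reduction are assumptions as well.  "Friendly" responses are not
modelled because the guide does not describe that format.
"""
import hashlib
import hmac
import secrets
import string

CHALLENGE_ALPHABETS = {
    "Hexadecimal": "0123456789ABCDEF",
    "Ascii": string.ascii_uppercase + string.digits,   # assumption
}


def make_challenge(length, fmt, pick=secrets.choice):
    """Server side: generate a fresh one-time challenge of the configured
    Challenge Length (4 or 8) and Challenge Format.  `pick` is injectable
    so the function can be exercised deterministically."""
    if length not in (4, 8):
        raise ValueError("Challenge Length must be 4 or 8")
    alphabet = CHALLENGE_ALPHABETS[fmt]          # KeyError for unknown formats
    return "".join(pick(alphabet) for _ in range(length))


def token_response(token_key, challenge, length):
    """Token side: derive a Decimal response of Response Length digits from the
    shared token key and the challenge (assumed HMAC-SHA256 construction)."""
    if length not in (4, 8):
        raise ValueError("Response Length must be 4 or 8")
    mac = hmac.new(token_key, challenge.encode("ascii"), hashlib.sha256).digest()
    # Reduce the MAC to a fixed-width decimal string, as an OTP token would.
    value = int.from_bytes(mac, "big") % 10 ** length
    return f"{value:0{length}d}"


def verify_response(token_key, challenge, response, length):
    """Server side: recompute the expected response and compare in constant
    time.  The caller must discard `challenge` after one attempt so that a
    response observed once cannot be replayed."""
    expected = token_response(token_key, challenge, length)
    return hmac.compare_digest(expected, response)


def guess_probability(length):
    """Chance that one random Decimal response of this length is accepted."""
    return 1 / 10 ** length


if __name__ == "__main__":
    key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed
    challenge = make_challenge(8, "Hexadecimal")
    response = token_response(key, challenge, 8)
    print(challenge, response, verify_response(key, challenge, response, 8))
```

The server must issue a new challenge for every logon attempt and forget it once an answer has been checked; otherwise a response seen over the shoulder replays. guess_probability makes the length trade-off explicit: a 4-digit Decimal response is accepted by chance once in 10,000 attempts and an 8-digit one once in 100,000,000, so prefer Response Length 8 unless the token hardware only supports 4.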


Moving User Accounts

You cannot move a user account from one group to another. You must delete the user account from its current group and then redefine it in the other group.


    Chapter 6

Working with Configuration Sets

This chapter explains configuration sets and how to create, use, and manage them.

    In This Chapter

    Set Basics 45

    Root Directory Path 45

    Creating a New Set 46

    Set Management 49

Set Basics

Configuration sets, hereafter referred to as sets, are share (or collection) points where you store the profiles you use to carry out your remote management tasks. Typical remote management tasks include installing (and uninstalling) Full Disk Encryption on remote clients and updating the configuration on remote clients.

    Best practice is to create sets to collect logical groupings of profiles. For example, you can create Set_Accounting to house the profiles for the Accounting department, Set_Development for profiles belonging to the Development department, and so on.

Root Directory Path

When you define a set, one of the things you specify is a root directory path, for example, /var/share/fde. This path serves as the central repository for the Full Disk Encryption deployment. The root directory path points to shared directories on a server. The shared directories are created automatically when you create a set, but you may already have created the recovery directory manually when you performed the master installation. These directories are described below.

    Directories

    Storage

    The Storage directory is where you store profiles while you edit them in the Full Disk Encryption Management Console prior to publishing them. As long as the profiles are in this directory, they cannot be pulled by clients. It is a dedicated share for profile development.

    Install

The Install directory is where you publish installation packages, installation profiles, and other configuration files that clients need to access to install Full Disk Encryption, for example, the Full Disk Encryption Install.pkg file.

    Recovery

The Recovery directory is where Full Disk Encryption stores recovery files; it is the target directory to which recovery files are copied from each Full Disk Encryption-protected computer. You normally create the recovery path during the master installation. For more information on recovery, see "Recovery Media" on page 75.

In a profile, this path is referred to as the Recovery Path. Set it by editing the profile and specifying the path to use in System Settings > Install > Set Recovery Path.

    Update

    The Update Profile directory is where update and uninstall profiles are published so they can be pulled by the clients.

    In a profile, this path is referred to as the Update Profile Path. Set it by editing the profile and specifying the path to use in System Settings > Install > Set Update Profile Path.
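The four directories above, prepared ahead of the Create New Set Wizard with permissions that match their roles. This is an added example, not Check Point code: the guide only says that the shares must exist and that clients must not be able to pull from the storage directory. The POSIX modes, the write-only drop box with the sticky bit for recovery, and the scratch root are assumptions; on a real AFP/SMB share the server's export settings and ACLs decide the effective rights, so treat the audit as a check of the directory side only.

```python
"""Prepare and audit the root directory of a Full Disk Encryption set.

Added illustration, not Check Point code.  Layout (storage, install,
recovery, update) follows the Directories description; the permission
scheme is an ASSUMPTION about least privilege for these shares and the
file server's own export/ACL settings still apply on top of it.
"""
import os
import stat
import tempfile

# Directory name -> (POSIX mode, rationale).  Modes are assumptions.
SET_LAYOUT = {
    # Unpublished profiles: administrators only; clients must never pull here.
    "storage": (0o770, "admins only; not pullable by clients"),
    # Published install package and install profiles: clients read only.
    "install": (0o755, "world-readable, admin-writable"),
    # Published update/uninstall profiles: clients read only.
    "update": (0o755, "world-readable, admin-writable"),
    # Clients copy their recovery files here: write-only drop box; the sticky
    # bit stops one client from deleting or renaming another's file.
    "recovery": (0o1733, "drop box: clients write, cannot list or read"),
}


def create_set_layout(root):
    """Create the four subdirectories under root and apply the modes.
    Returns {name: absolute path}."""
    created = {}
    for name, (mode, _why) in SET_LAYOUT.items():
        path = os.path.join(root, name)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)          # explicit: os.makedirs honours umask
        created[name] = path
    return created


def audit_set_layout(root):
    """Return a list of problems: missing directories or modes that deviate
    from SET_LAYOUT (for example a storage share that clients can read)."""
    problems = []
    for name, (mode, why) in SET_LAYOUT.items():
        path = os.path.join(root, name)
        if not os.path.isdir(path):
            problems.append(f"{path}: missing")
            continue
        actual = stat.S_IMODE(os.stat(path).st_mode)
        if actual != mode:
            problems.append(f"{path}: mode {actual:o}, expected {mode:o} ({why})")
    return problems


def demo(root=None):
    """Build the layout (in a scratch directory unless a root is given), audit
    it, then loosen the storage share as a common mistake and audit again.
    Returns (paths, problems_after_create, problems_after_loosening)."""
    root = root or tempfile.mkdtemp(prefix="fde_set_")
    paths = create_set_layout(root)
    clean = audit_set_layout(root)
    os.chmod(paths["storage"], 0o775)   # world-readable storage: wrong
    loosened = audit_set_layout(root)
    return paths, clean, loosened


if __name__ == "__main__":
    paths, clean, loosened = demo()
    print("created:", paths)
    print("audit after create:", clean or "OK")
    print("audit after loosening storage:", loosened)
```

Call create_set_layout with the real root before running the wizard, and rerun audit_set_layout after the wizard has created the set: a storage directory that clients can read defeats the purpose of keeping unpublished profiles out of the install and update shares.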

    Creating a New Set

    Note - Profiles in a storage directory display in all sets that share that same profile storage directory. Therefore, to keep your profiles organized, define a separate profile storage directory for each set.

    To create a new set:

    1. Start the Full Disk Encryption Management Console (FDEMC) and select Remote:

    2. Click New Set.

    The Create New Set Wizard opens:


    3. Enter a name that makes clear what the configurations and profiles belong to, for example "Set_Accounting" for a set that contains the configuration and profiles for the accounting department, "Set_Development", etc.

    You can select Automatically create a directory structure if you want Full Disk Encryption to create folders. This requires that you have previously configured a root directory on which to create the directory structure. This root directory must be a shared folder on the network, for example: /var/share/

    You must also have the required permissions to create the directories. If these conditions are met, and you specify the shared folder under Enter the root directory in which the directories will be created, the Full Disk Encryption Management Console automatically creates the following subfolders in the shared folder and displays them in the relevant fields of the wizard:

storage

install

recovery

update

    4. Click Next.

    The Name dialog box opens:

    5. Specify a storage path, the path to a directory that holds the profiles while you edit them.

    The profiles you are working on are stored in this directory until you publish them. As long as they are in the storage directory, you can edit them, and they cannot be pulled by remote clients. You must click Add for the path to be included in the set.


    6. When no more paths are to be added, click Next:

    7. Specify an Install path, the path to a directory containing the Full Disk Encryption installation package.

    You must click Add for the path to be included in the set.

8. Specify the recovery path, the directory to which clients copy their recovery files.

This path must also be set in the profiles that use this directory; in the profile, this path is referred to as the Recovery Path, and is set by editing the profile and specifying the path in System Settings > Install > Set Recovery Path. You must click Add for the path to be included in the set.


    9. Create the set by clicking Finish.

The set is created and its configuration is saved.

Set Management

After you create a set, Full Disk Encryption provides a dialog box where you can manage the set and view information about it.

    To manage a set:

    Click the set name in the Full Disk Encryption Management Console.

    The following dialog box is displayed:

    Table 6-25 Set Management Dialog Box

    Label Description

    Set name Name of the set you selected.

    Created Date and time the set was created.

    Profile Storage Path Path where profiles for this set are stored.


    Update Profiles Path(s)

    Path where update profiles for this set are stored.

    Installation Profiles Path(s)

    Path where installation profiles for this set are stored.

Actions The links in the Actions section let you edit the set properties and open wizards that help you create a new profile, publish a profile, and create recovery media.

    Last Published Profile Publication date and time of the profile most recently published to this set.

    Notes A free text area where you can enter information or notes about the set.


    Chapter 7

    Working with Installation and Update Profiles

    This chapter explains how to create Full Disk Encryption profiles that you can use to:

    Install Full Disk Encryption on the computers (client machines) in your networks

    Uninstall/remove Full Disk Encryption from client machines

    Manage the user accounts, groups and other settings on client machines

    In This Chapter

Working with Profiles: An Overview 51

    Full Disk Encryption Profile Basics 52

    Creating Installation Profiles 53

    Working With Update Profiles 59

    Deploying Profiles 61

    Updating Full Disk Encryption Software 63

Working with Profiles: An Overview

    administrator creates a profile and, depending upon the deployment method, either places it in a directory where users can access it or sends it out to users silently or interactively.


Full Disk Encryption Profile Basics

Full Disk Encryption profiles contain user and group account information, the settings which control which volumes are to be encrypted, who can access the drives, privilege levels, and update settings.

    All profiles contain system settings. They can also contain group settings and user account settings, however, these settings are optional.

    System Information

    System information includes paths to the central server where recovery files, update profiles and software updates are stored. It also includes settings related to, for example, installation and Remote Help.

    In addition, installation profiles also contain information on which disk volumes are to be protected by Full Disk Encryption, the encryption algorithms to be used, and the type of security (encryption and boot protection, or boot protection only) to be used.

    Group Information

Group information contains the settings for local groups and their authorization rights, including the right to receive Remote Help, and security settings. Group information also contains the privileges for administrators and user accounts at the group level.

    User Account Information

    for different volumes, Remote Help and security settings. User account information also contains the privileges for administrators and user accounts.

Profile Types

There are three types of Full Disk Encryption profiles:

    Installation profiles

    Update profiles

    Uninstall profiles

Installation Profiles

An installation profile, which is called an install profile in the Full Disk Encryption Management Console, contains the group and user account information and system settings you configured. You deploy the install profile together with the Full Disk Encryption Install.pkg file to install Full Disk Encryption on one or many clients.

You can deploy an installation profile in the following ways:

Interactive installation: You create and save an install profile on a secure workstation. You then move the install profile and the .pkg file to the install directory, a secure shared directory on the network. The install profile can be started from any device that can map a drive and install a .pkg file from that location. The installation proceeds in much the same way as a master installation, except that the client user is not prompted to create administrator accounts or to enter the Check Point license. See "Publishing an Install Profile" on page 61.

    Silent installation: You write a command that causes Full Disk Encryption to be installed on the client without any interaction with the user. See "Deploying an Install Profile Silently" on page 62 for details.


    Update Profiles

    As changes in security requirements and personnel occur, you deploy update profiles, which contain new or changed settings, to Full Disk Encryption-protected computers.

    You do this by creating and placing an update profile in the Update directory on the designated file server.

    Full Disk Encryption-protected computers regularly check this directory for new update profiles. When they find a new update profile they download it automatically and implement the changes. For more information, see "Creating an Update Profile" on page 59.

    Uninstall Profiles

    An uninstall profile contains the settings needed to remove Full Disk Encryption from a Mac. If, for any reason, you need to remove Full Disk Encryption from computers in your network, you can do so by placing an uninstall profile in the Update directory. See "Removing Full Disk Encryption" on page 70 for more information.

    Preparing to Work With Profiles

    Create Configuration Sets

Each profile must belong to a set, which helps you locate and organize your profiles. Therefore, you must create a set or sets before you create profiles. For example, you might want to have a set for each

    See "Working with Configuration Sets" on page 45 for more information.

Basing a New Profile on Another Profile or Local Settings

To make it easier to specify system settings, group settings, and user account settings in a new profile, you can base the new profile on:

    An existing profile, or

    The local settings of the computer on which you create the profile.

    When you base a new profile on local settings or an existing profile, you can select which settings you want to use (if you do not choose to base it on Group Settings, the User Account Settings choice is grayed out and cannot be selected).

    Note - A new installation or upgrade profile inherits the Check Point license number of the computer on which it is created even if Base new profile on Existing profile or existing settings is not selected.

Creating Installation Profiles

The process of creating and deploying an installation profile involves:

    Creating the profile.

    Adding group and user accounts.

    Configuring the profile settings.

    Deploying the profile to computers in the network; see "Deploying Profiles" on page 61.


    Note - Before you can create any profiles, ensure the Update Validation Password (Local > Edit Settings > System Settings > Install) is set.

    In addition, you should already have the appropriate set or sets in place. For the purposes of the following instructions, we created three sets: Set Accounting, Set Development and Set Sales. See "Working with Configuration Sets" on page 45 for instructions on creating sets.

    To create an installation profile:

    1. Start the Full Disk Encryption Management Console and do one of the following:

    Click Remote > > New Profile

    Click Remote > New Profile:

    The New Profile Wizard is displayed:

    2. Click Next.


    3. Select the set in which you want to include the installation profile, and click Next:

    4. Select Install, and click Next:

    5. Enter the name of the new profile (in this example, it is install_accounting).

Note - Do not use the slash character (/) in profile names. For example, update profile.upp is a valid profile name, but update profile/admin.upp is not.

    6. Enter and confirm the password, which is required when you edit the profile.

    Note - The password policy applied to the password specified here is the default policy for the profiles. It consists of the three rules shown in the Password Rules section of the New Profile dialog box.

    7. Click Next:


8. To base the profile on the local settings of the computer on which you are creating it, or on an existing profile, select Existing profile or local settings. Otherwise, leave the option unselected:

9. Click Next.

    If you click Next without choosing to base the profile on an existing profile or local settings, the profile is based on default system settings only.

    10. If you select to base the profile on Existing profile or local settings, you must then either browse to an existing profile, or

    Double-click on a set that contains a profile you want to base the new profile on and then select the profile, or

    Specify which local settings the new profile is to be based on (System, Group, or User Account).

    11. Make your choice, and click Next.

    12. View the information and, if satisfied, complete the creation of the profile by clicking Finish:


    You are returned to the Full Disk Encryption Management Console.

    13. Click the OK button at the lower right of the console.

    The installation profile created in this example is displayed under Set Accounting:

Sanity Checks

The profile you just created contains system settings that are installed on the client machines when you deploy the profile.

When you click OK to save it, the Settings That Might Have Undesirable Effects window displays the results of the sanity checks, for example:


    You must fix the problems listed in the sanity check dialog box before the profile can be created.

    Are there any accounts in the profile for which no type of authentication has been defined?

This warning occurs if a user account has no authentication method defined. To define authentication:

1. Secondary-click each user in the tree structure.

    2. Select Name and Authentication.

    3. Define the authentication details.

    Is at least one user account defined in this installation profile?

    If no user accounts are defined in the profile, no user account can log on to the machine on which Full Disk Encryption is installed with this profile.

    Do at least two user accounts in the profile have authority level set to administrator?

    Recovery media cannot be created, and the system cannot be recovered unless at least two user accounts have administrator authority on the machine on which Full Disk Encryption is installed with this profile.

    You cannot remove Full Disk Encryption from the machine on which it has been installed with this profile unless the profile contains at least two user accounts that have administrator authority.

    Has an expiration date been set for each temp user account in the profile?

    You should define an expiration date for each temp user account. If you do not, you are warned about each temp user account that does not have an expiration date defined.

    To make changes to settings that have caused a warning in the Settings That Might Have Undesirable Effects window:

    Click OK to acknowledge the sanity check dialog box and then alter the relevant setting or settings.

    Each time you make corrections and click OK to create the profile, the sanity checks are performed, and any warnings of problematic settings are displayed. If none of the sanity checks produce a warning, the profile is created.

    The new profile is prepopulated with the local System Settings of the machine on which the profile was created. If any of these values have not been set on the local machine, the Full Disk Encryption default values are used. It is good practice to examine the System Settings in the profile and make any required changes.
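The four sanity checks above, as an added example in code rather than the console's own implementation: the profile is a constructed dictionary, and the field names (type, authority, authentication, expires) and the warning wording are assumptions, but each warning corresponds to one question in the Settings That Might Have Undesirable Effects window.

```python
"""Installation-profile sanity checks, as the guide describes them.

Added illustration, not Check Point code.  The profile structure and field
names below are ASSUMED; the constructed DRAFT_PROFILE stands in for a
profile edited in the console.
"""
from datetime import date


def run_sanity_checks(profile):
    """Return the list of warnings for an installation profile.  An empty
    list is the state in which the console creates the profile."""
    accounts = profile.get("accounts", [])
    warnings = []

    # 1. Every account needs an authentication method (Password or Dynamic Token).
    for acct in accounts:
        if acct.get("authentication") not in ("Password", "Dynamic Token"):
            warnings.append(f"no authentication defined for account '{acct['name']}'")

    # 2. With no account at all, nobody can log on to the protected machine.
    if not accounts:
        warnings.append("no user account defined in this installation profile")

    # 3. Recovery media, recovery and uninstall need two administrator accounts.
    admins = [a["name"] for a in accounts if a.get("authority") == "administrator"]
    if len(admins) < 2:
        warnings.append(f"only {len(admins)} administrator account(s); "
                        "at least two are required for recovery and removal")

    # 4. Every temporary account should carry an expiration date.
    for acct in accounts:
        if acct.get("type") == "Temporary" and acct.get("expires") is None:
            warnings.append(f"temporary account '{acct['name']}' has no expiration date")
    return warnings


# Constructed sample: a draft profile before corrections.
DRAFT_PROFILE = {
    "name": "install_accounting",
    "accounts": [
        {"name": "fde_admin1", "type": "Normal", "authority": "administrator",
         "authentication": "Password"},
        {"name": "fde_admin2", "type": "Normal", "authority": "administrator",
         "authentication": None},                      # forgotten
        {"name": "temp_user", "type": "Temporary", "authority": "user",
         "authentication": "Password", "expires": None},   # never expires
    ],
}


def corrected(profile):
    """Apply the fixes the guide prescribes: define authentication for every
    account and give each temporary account an expiration date."""
    fixed = {"name": profile["name"], "accounts": []}
    for acct in profile["accounts"]:
        acct = dict(acct)
        if acct.get("authentication") is None:
            acct["authentication"] = "Password"
        if acct["type"] == "Temporary" and acct.get("expires") is None:
            acct["expires"] = date(2010, 12, 31)        # constructed
        fixed["accounts"].append(acct)
    return fixed


if __name__ == "__main__":
    for warning in run_sanity_checks(DRAFT_PROFILE):
        print("warning:", warning)
    print("after corrections:", run_sanity_checks(corrected(DRAFT_PROFILE)))
```

On DRAFT_PROFILE the first run returns two warnings (an administrator without an authentication method and a temporary account without an expiration date); corrected applies the fixes and the second run returns an empty list. The administrator count is taken from the authority field alone, as on the page, so an administrator that cannot authenticate still satisfies check 3 while failing check 1.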

    Creating Groups and User Accounts in the Profile

    The next step is to create groups and user accounts in the profile you created.

    To create groups and user accounts:

1. In FDEMC Remote, double-click the profile symbol, and create the groups and user accounts.

    2. Define a group that contains at least two administrator user accounts.

Note - Best practice: Create another group in which you define a temporary user account. It is preferable to work with group settings rather than with individual user account settings.

    There are two reasons a specific group should be created for the temporary user:

    The settings should be completely separate from those of the administrator accounts.

    This group can be used to delete user accounts created with a temporary user account. For instructions on doing this, see "Deleting user accounts created with a temporary user account" on page 61.

    3. Examine the default settings in the installation profile and decide if they are to your satisfaction:

    System Settings: If necessary, change the settings to the desired values. See "Configuring System Settings" on page 14 for a description of these settings.


    Group settings for the Administrator group: Set the permissions for the group that contains the administrators. Administrators usually have stricter rules for passwords than normal user accounts. See "Configuring Group and User Account Settings" on page 24 for a description of these settings.

    Group settings for the group containing the temp user.

    The profile is now ready for deployment. See "Deploying Profiles" on page 61 for instructions.

Working With Update Profiles