ironkey enterprise admin guide

Admin Guide IronKey Enterprise Management Service Last Updated October 7, 2010


Thank you for choosing IronKey.

IronKey is committed to creating and developing the best security technologies and making them simple-to-use, affordable, and available to everyone. Years of research and millions of dollars of development have gone into bringing this technology to you in the IronKey.

We are very open to user feedback and would greatly appreciate hearing about your comments, suggestions, and experiences with the IronKey.

Standard Feedback: [email protected]

Anonymous Feedback: https://www.ironkey.com/feedback

User Forum: https://forum.ironkey.com


CONTENTS

Overview
    Meet IronKey Enterprise
    IronKey Enterprise Administrative Features

Setup and Deployment
    Getting Started
        Creating Your IronKey Enterprise Account
        Activation and Initialization of the 1st system Admin
        Adding Standard Users to the Enterprise Account
        Activating IronKey Enterprise for Basic Users
        Updating Device Software (Windows Only)
    Deploying IronKey Enterprise
        Deployment Method 1: Automated Distributed Deployment
        The user is now active in the Enterprise Account.
        Deployment Method 2: Distributed Deployment
        Deployment Method 3: Manual Deployment
    Best Practices for a Smooth Rollout
    Deployment Checklist

Using IronKey Enterprise
    System Elements and Terminology
        IronKey Users
        Groups
        IronKey Devices
        IronKey Policies
        Admin Console
        Admin Tools
        Events & System Auditability
        Silver Bullet Service
        Password Assistance
    Using the Admin Console
        Accessing the Admin Console
        The Enterprise Dashboard
        Managing Users
        Managing Devices
        Using the Silver Bullet Service
        Using Password Assistance
        Managing Policies
        Managing Licenses
        Enterprise Support Page
    Using the System Console
        Update Management
    Using the Admin Tools
        Accessing the Admin Tools
        Using Secure Device Recovery
        Promoting a Standard User to be an Admin
        Recommissioning Devices
    Importing Authentication Credentials
        Importing RSA SecurID Tokens
        Importing a Digital Certificate into the IronKey
    Administering the IronKey Anti-Malware Service
        Interpreting IronKey Malware Scanner Reports
    Common Tasks
        Adding New Users
        Activating Devices for a User
        Adding New Admins
        Adding New Devices to Users
        Disabling Lost Devices
        Helping a User with Password Assistance
    Using Non-Administrative Features
    Known Issues

Enterprise Support
    Technical Support for System Administrators
    Product Specifications
    Contact Information


Overview

Meet IronKey Enterprise

The IronKey Enterprise Management Service gives you control over protecting your organization’s data, ensuring that security policies are enforced, and remotely managing IronKey Enterprise Secure Drives, the world’s most secure USB flash drives.

IronKey Enterprise consists of three interrelated elements that provide overall USB flash drive security and device management:

» The IronKey Secure Flash Drive hardware

» Applications bundled on the IronKey (based on policy configuration)

» The IronKey’s secure online services, which provide centralized administrative capabilities to IronKey Enterprise Admins

This guide informs you about how to get the most out of IronKey Enterprise, as well as best practices for deploying and managing IronKey devices in your enterprise environment.


IronKey Enterprise Administrative Features

The Admin Console: Centralized Online Device Management

IronKey Enterprise includes a centralized management console for managing tens, hundreds or thousands of devices, reducing overall deployment times and maintenance requirements.

IronKey Policies: Enforcing Corporate Security Policies

Configure policies for device password strength, self-destruction settings, and enabling specific IronKey applications and services.

IronKey Groups: Organize Users Into Groups

Create groups to manage your users based on any criteria needed to keep you organized. Users can easily be added to and removed from Groups, and administrative tasks can be performed by group.

Silver Bullet Service: Protecting Against Malicious Users

IronKey’s Silver Bullet Service confirms that IronKey devices are authorized before allowing them to be unlocked. This real-time service allows Admins to completely disable and even remotely detonate devices, extending the control needed to protect important data.

Admin Tools: Onboard each Administrator’s IronKey

Admins have additional functionality enabled in their IronKey’s Control Panel, including Secure Device Recovery, Admin Approval, and Device Recommissioning.

Secure Device Recovery: Securely Unlocking Users’ Devices

Secure Device Recovery is IronKey’s patent-pending PKI mechanism for Admins to unlock another user’s IronKey device, such as in the case of employee termination, regulatory compliance, or forensic investigations. Unlike many other solutions, there is no central database of back-door passwords.

Admin Approval: Securely Promoting Users to Become Admins

When a new Admin is created, or a user is promoted to become an Admin, a verification procedure occurs not only on the service, but also on an existing Admin’s IronKey device. This ensures that the new user is cryptographically approved and able to become an Admin for your Enterprise Account.

Device Recommissioning: Securely Repurposing Users’ Devices

When employees leave the organization, their IronKey devices can be safely recommissioned to new users. This process requires Admin authentication and authorization using IronKey Enterprise’s secure online services.


Setup and Deployment

Getting Started

IMPORTANT—BEFORE YOU BEGIN

IronKey Enterprise is designed to protect your organization from the risks of data loss and data leakage by delivering world-class security. However, it is important to follow a few best practices when setting up your Enterprise Account to ensure that the proper levels of security and usability are met:

» Make sure the person setting up the Enterprise Account has a thorough knowledge of your organization’s security policies and is authorized to be the System Admin for all of your organization’s IronKey devices. That person will define the default policy for IronKey devices.

» Create more than one System Administrator. To ensure the highest security, even IronKey is unable to intervene in your Enterprise Account, in the event that a lone System Admin leaves the organization, loses his only IronKey device, or forgets that device’s password. Have multiple System Admins at all times, each with multiple active devices.

Please review “Deploying IronKey Enterprise” on page 15 for tips to ensure a smooth deployment.

CREATING YOUR IRONKEY ENTERPRISE ACCOUNT

Before you can begin deploying and managing IronKey Enterprise drives for end-users, you must create your IronKey Enterprise Account. To set up the account, you need:

» A computer running Microsoft Windows 2000 (SP4), XP (SP2), Vista, Windows 7, or Mac 10.4+.

» A USB 2.0 port for high-speed data transfer

» An Internet connection

» The email you received from IronKey with your Enterprise Account Number


Step Description

1 Enter your Account Number at:

https://my.ironkey.com/enterprise

This can also be done by clicking the link in the email you received from IronKey regarding setting up your IronKey Enterprise Account.

2

You must confirm that you are the appropriate authority for setting up your organization’s IronKey Enterprise Account.

Select the checkbox and click “Continue.”

3

The next several steps allow you to establish security policies for your drives.

To start, select the number of failed password attempts that a user may enter before the IronKey self-destructs and all the data on the IronKey is lost.

All policy items can be changed later.

4

Set the password policy options, including minimum password length allowed, the minimum number of required characters, and requirements for backing up device passwords.


5

Configure the set of software applications and services that your users will have on their IronKey devices.

Putting the mouse over the help icon for each item shows a brief description of what that item is.

See the section on Policy Items later in this document for more information.

6

Define a “Lost and Found” message that appears on the IronKey Unlocker screen when each device is plugged in.

For example, this may include contact information in case a lost device is found, or department information for easily distinguishing devices.

You may optionally choose to leave this blank or to allow users to define their own Lost and Found message.


7

Set up the 1st System Admin Online Account

The next three steps guide you through creating your own my.ironkey.com account for accessing and managing your organization’s Enterprise Account.

This involves creating a username and password, confirming your email address, answering Secret Questions, and choosing a Secret Image and Phrase for anti-phishing protection.

8

Invite the 2nd System Admin

Enter the username and email address of the 2nd System Admin.

This will automatically send an email with an Activation Code to that user.

ACTIVATION AND INITIALIZATION OF THE 1ST SYSTEM ADMIN

After confirming your information, an email is sent to you containing the Activation Code for your first IronKey Enterprise Secure Flash Drive.

Step Description

1 Plug in any unactivated IronKey drive from the set you purchased.

Your IronKey must be activated on a Windows (2000, XP, Vista, 7) or Mac computer. To use the full speed of the IronKey, plug it into a USB 2.0 port.


2 The “Activate Your IronKey” screen appears.

The IronKey autoruns as a virtual CD-ROM.

• Windows: This screen might not appear if your computer does not allow devices to autorun. You can start it manually by double-clicking the IronKey Unlocker drive in “My Computer” and double-clicking the “IronKey.exe” file.

• Mac: Double-click the IronKey drive on your desktop, and double-click the “IronKey” application.

NOTE: On a Mac you can install the IronKey Auto-Launch Assistant, which automatically opens the IronKey Unlocker when you plug in an IronKey. See “Preferences” in IronKey Control Panel Settings. (Mac only)

3 Retrieve the email with your Activation Code.

Enter your email address, then copy and paste your Activation Code into the fields provided on the IronKey window. Click “Continue” when you are ready.

If your IronKey cannot connect to the Internet, click “Edit Proxy Settings” to adjust its network settings.

4 Create a device password, then

Your password is case-sensitive and must match your organization’s password policy.

5

Back up your password online to your my.ironkey.com account

If enabled, you have the option to back up your password online to your my.ironkey.com account. That way, if you ever forget your password, you can safely recover it by logging into: https://my.ironkey.com


6 The IronKey initializes.

During this process, it generates the AES encryption keys, creates the file system for the secure volume, copies secure applications and files to the secure volume, and configures the device to the policy you defined. Depending on your configuration, this might take several minutes.

IMPORTANT: After this device has been initialized, it is very important that you activate a second System Admin device, otherwise there is no way to manage your Enterprise account if something happens to the 1st System Admin device.

NOTE: The process for activating the 2nd System Admin device and all additional Admin devices is slightly different from the process used to activate the 1st System Admin device.

ADDING STANDARD USERS TO THE ENTERPRISE ACCOUNT

You can now begin adding users to your Enterprise Account.

Step Description

1 Click the my.ironkey.com icon in the IronKey Control Panel to access the Admin Console.

2 Click “Manage Users” in the sidebar of the Admin Console tab.


3

Click the “Add” button in the top right and select:

“Add User” OR “Add Multiple Users”

4a

Add a single user

Enter user’s:
• Name (optional)
• Email (highly recommended)

Select:
• Role*
• Access Level Summary**
• Policy for the user’s device
• If Activation Code should be emailed to user

Click on the “Save” button. The user will then be added to the Enterprise Account.

* NOTE: Only System Admins can change Role. Default is Standard User.

** NOTE: When Role is set to “Custom Admin”, any combination of these privileges can be granted:

• Manage Standard Users
• Manage Policies
• User & Device Assistance


4b

Add multiple users

Copy and paste a CSV file’s contents into the textbox provided and click “Continue”.

Use this format: Name,Email,Group,Role,Policy

Role can be one of the following:
• System Admin
• Admin
• Help Desk
• Auditor
• Standard User

Up to 250 users can be added in a single import.

NOTE: All fields are optional and default to an anonymous Standard User with the Default Policy in the current selected group if not specified. Unless you are a System Admin, you can only add Standard Users.

Watch the online demonstration for more information.

An example of a row might be:

John Doe,[email protected],IT Group, Auditor,IT Policy

The resulting user would be:

User Name: “John Doe” Email Address: “[email protected]” Role: “Auditor” Device Policy: “IT Policy”.
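A pre-flight check for the "Add multiple users" text before it is pasted into the Admin Console, written for this page as an added example (it is not IronKey code). It uses the field order, role names and 250-user limit given above; the email syntax check, the whitespace trimming, the duplicate-email warning and the example.com sample rows are assumptions of the example.

```python
import csv
import io
import re

# Field order, role names and the row limit come from the guide's
# "Add multiple users" step.
FIELDS = ("Name", "Email", "Group", "Role", "Policy")
ALLOWED_ROLES = {"System Admin", "Admin", "Help Desk", "Auditor", "Standard User"}
DEFAULT_ROLE = "Standard User"
MAX_ROWS = 250

# Assumption: a deliberately loose syntax check; the service validates for itself.
EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")


def validate_import(text, importer_is_system_admin=False):
    """Check CSV text in Name,Email,Group,Role,Policy order.

    Returns (rows, findings); each finding is (line, level, message) with
    level "error", "warning" or "review". Line 0 means the import as a whole.
    """
    rows, findings, seen = [], [], {}
    for lineno, raw in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not raw:
            continue  # physical blank line, not a user
        if len(raw) > len(FIELDS):
            findings.append((lineno, "error",
                             f"{len(raw)} fields, expected at most {len(FIELDS)}"))
            continue
        # Assumption: surrounding spaces are not significant (the guide's own
        # sample row has " Auditor" and ends up with the Auditor role).
        cells = [c.strip() for c in raw] + [""] * (len(FIELDS) - len(raw))
        row = dict(zip(FIELDS, cells))
        row["Role"] = row["Role"] or DEFAULT_ROLE  # all fields are optional

        if row["Role"] not in ALLOWED_ROLES:
            findings.append((lineno, "error", f"unknown role {row['Role']!r}"))
        elif row["Role"] != DEFAULT_ROLE:
            if importer_is_system_admin:
                # Privileged rows are legal here but worth a second pair of eyes.
                who = row["Name"] or "anonymous user"
                findings.append((lineno, "review", f"grants {row['Role']} to {who}"))
            else:
                findings.append((lineno, "error",
                                 "only a System Admin can add non-Standard users"))

        email = row["Email"]
        if not email:
            findings.append((lineno, "warning", "no email address"))
        elif not EMAIL_RE.match(email):
            findings.append((lineno, "error", f"malformed email {email!r}"))
        elif email.lower() in seen:
            findings.append((lineno, "warning",
                             f"duplicate email, first on line {seen[email.lower()]}"))
        else:
            seen[email.lower()] = lineno
        rows.append(row)

    if len(rows) > MAX_ROWS:
        findings.append((0, "error",
                         f"{len(rows)} users exceeds the {MAX_ROWS}-user limit"))
    return rows, findings


# Constructed sample input (names and addresses are made up for this example).
SAMPLE = """\
John Doe,john.doe@example.com,IT Group, Auditor,IT Policy
Jane Roe,jane.roe@example.com,Finance,Standard User,
,,,,
Sam Poe,sam.poe@example,Finance,Superuser,Finance Policy
Ann Lee,JOHN.DOE@example.com,IT Group,System Admin,IT Policy
"""

if __name__ == "__main__":
    _, report = validate_import(SAMPLE, importer_is_system_admin=True)
    for line, level, message in report:
        print(f"line {line}: {level}: {message}")
```

Rows reported at the "review" level are the ones that hand out a role other than Standard User, so they can be confirmed against the intended Admin list before the import is submitted.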

ACTIVATING IRONKEY ENTERPRISE FOR BASIC USERS

To remotely manage users with IronKey Basic devices, you can ask them to activate IronKey Enterprise on their devices:

1a. Admin: If the User doesn’t have an Enterprise account, add them in the Admin Console and email them an Activation Code

1b. Admin: If the user has an Enterprise account, add a device to the user and email them an Activation Code

2. User: Insert and unlock the Basic device

3. User: In the IronKey Control Panel, go to “Settings: IronKey Enterprise”

4. User: Click the “Start Activation” button

5. User: Enter the Activation code, click “Continue”

6. User: Verifies the organization and system administrator information, then clicks “Continue”

7. User: Enters their password to complete Enterprise Activation.


UPDATING DEVICE SOFTWARE (WINDOWS ONLY)

You can update your IronKey through the IronKey Control Panel on Windows.

Step Description

1

In the IronKey Control Panel, click “Settings” and then click the “Check for Updates” button. The IronKey can securely update its software and firmware through signed updates that are verified in hardware. This allows users to keep their devices up-to-date and protect themselves from future malware and online threats.

2

Click the “Download Update” button to download the updates and install them on the device.

• Windows: If an update is available, you can download and install it by clicking the “Download Update” button

• Mac: You can check for and download policy updates. However, you must download software updates on a Windows computer.

3

After the installation is completed, you can check that the device is updated to the latest version:

8. Lock and unplug the device, and then reinsert it.

9. In the IronKey Control Panel, click “Settings” and then click “About IronKey” to view version information.

You can view details about your device, including model number, serial number, software and firmware version, secure files drive, and OS. You can also click the copy button (CTRL+C) to copy device details to the clipboard for your forum posting or support request; visit the website (CTRL+W); or view legal notices (CTRL+N) and certifications (CTRL+?).


Deploying IronKey Enterprise

You are now ready to distribute IronKey Secure Drives to your users. Inside the packaging is an IronKey device and a Quick Start Guide.

There are three basic ways of deploying IronKey devices to your organization. You can decide which one is right for your organization based on your security, privacy, and IT considerations.

DEPLOYMENT METHOD 1: AUTOMATED DISTRIBUTED DEPLOYMENT

The simplest and most cost-effective way to deploy IronKey devices is to add users to the Enterprise Account and then hand them an IronKey device. IronKey Enterprise will take care of the rest.

Step Description

1

Add a user to the Enterprise Account. Review the detailed instructions elsewhere in this document for more information.

Make sure to provide the user’s email address and select the checkbox that will send the user an email with his Activation Code.

Mass imports of up to 50 users at a time will also have the users’ Activation Codes automatically emailed to them.

2 Give the user an IronKey Enterprise Secure Drive.

Any purchased or recommissioned device will work.

3

Have the user retrieve the email with his Activation Code and copy and paste it into the IronKey.

Instructions for this step are provided to the user in the Quick Start Guide and in the email.

NOTE: Requires a Windows or Mac computer.

The user is now active in the Enterprise Account.

DEPLOYMENT METHOD 2: DISTRIBUTED DEPLOYMENT

If you have a very large user base, want to customize the invitation email, or your corporate privacy policy is such that you will not import your users’ email addresses into the Enterprise Account, you can import your users first and then email their setup information yourself.

Step Description

1

Add users to the Enterprise Account. Review the detailed instructions elsewhere in this document for more information.

Make sure to clear the checkbox that would send the user an email with his Activation Code.

IMPORTANT: Even if you are performing a mass import and do not want the users emailed, we strongly recommend providing their email addresses to avoid problems during activation and online account setup.


2

The setup information for that user’s device is presented on the screen (or in the case of a mass import, in a downloadable CSV file).

3 Email each user his IronKey setup information. This can be done manually for small numbers of users.

4 Give the user an IronKey Enterprise Secure Drive.

Any purchased or recommissioned device will work.

5 Have the user retrieve the email with his Activation Code and copy and paste it into the IronKey.

Instructions for this step are provided to the user in the Quick Start Guide and in the email.

DEPLOYMENT METHOD 3: MANUAL DEPLOYMENT

If you do not want your users to be involved in the activation process, you can manually set up each IronKey and then hand it to the user. This method is simpler for the end-users, though it requires a little more effort from those deploying the devices.

Step Description

1

Add a user to the Enterprise Account. Review the detailed instructions earlier in this document for more information.

Make sure to clear the checkbox that would send the user an email with his Activation Code.

IMPORTANT: Even if you do not want the user emailed, we strongly recommend providing their email address to avoid problems during activation and online account setup.

2

The setup information for that user’s device is presented on the screen (or if for a mass import, in a downloadable CSV file).

3 Activate an IronKey Enterprise Secure Drive, but stop before creating the device password.

Any purchased or recommissioned device will do. Enter your email address and the Activation Code.

NOTE: Your email address will not be associated with the device after Activation.

When you get to the next screen, where you can create the device password, exit the setup process and unplug the device.

4 Give the device to the appropriate user.

Make sure not to mix up your users’ devices. Use the serial number on the back of the device as a reference.


Best Practices for a Smooth Rollout

Update Password Policies Only When Needed

When you update the password policy items in a policy, devices with that policy will update to the latest version. However, since the password policy has changed, users will be required to change their password so it conforms to the new password policy. Change the password policy items only when needed so users do not have to excessively change their device passwords.

Create Separate Policy for Linux Users

If you plan to leverage IronKey’s Silver Bullet Service, create a separate policy for Linux users that does not include Silver Bullet or that includes a large number of Silver Bullet attempts. The Silver Bullet Service is not available for Linux systems and will result in disabling usage on Linux.

Encourage Users to Back Up Passwords for Password Assistance

You can mandate through policy that each user back up his device password online. This will allow Admins to use Password Assistance to email users a temporary link that reminds them of their password in case they ever forget it. If your policy is to not have users back up their device password, you can still use Secure Device Recovery to change their password for them.

Back Up Onboard Data Regularly

Encourage users to use the onboard Secure Backup software for backing up their onboard data. In the case that an IronKey is lost or stolen, that data can later be recovered to a new IronKey.

Keep Admin and User Devices Up-To-Date

Ensure that Admin devices have the latest IronKey software. You can do this by clicking the “Check for Updates” button in the IronKey Control Panel (under “Settings”). To ensure that Windows XP users can update their devices, install the IronKey Assistant (see the IronKey Assistant Deployment Guide for details).

Use Silver Bullet Wisely

It is recommended not to set the Silver Bullet policy too strictly (e.g. deny if not online or from a specific IP address) for remote or travelling employees; otherwise, sometimes they might not be able to use their IronKey devices.


Deployment Checklist

IronKey Enterprise Account activation email received by the 1st System Admin user

IronKey Enterprise Account successfully created and Default Policy defined

First IronKey device activated—confirmed access to Admin Console

Second System Admin added—confirmed access to Admin Console

Users added/imported into Enterprise Account

Deployment Methods 1 and 2

Emails with Activation Code sent

IronKey devices distributed to users

Deployment Method 3

IronKey devices manually activated

IronKey devices distributed to users


Using IronKey Enterprise

System Elements and Terminology

IRONKEY USERS

Each member of your IronKey Enterprise Account is called a “User”.

User Roles

There are six user roles, differentiated by the user’s privileges:

» System Admin: Can manage all users and system settings, including adding Admins, approving Admins, changing user roles, and deleting users.

» Custom Admin: Has assignable privileges, such as User or Policy management

» Admin: Can manage Standard Users

» Help Desk Admin: Can assist existing users with devices.

» Auditor: Can view the Admin Console with read-only access

» Standard User: A normal end user without administrative capabilities.

All Admins and Auditors will have online IronKey accounts, as this is needed to access the web-based Admin Console.

Only System Admins can add Admin users, delete users and change user roles.


User Privileges by Role in Admin Console

Columns: Privilege, System Admin, Custom Admin, Admin, Help Desk Admin, Auditor

Manage System Console
    Device Update Management    X

Manage Standard Users (Includes Groups, & Devices)
    Users: Add Single, Add Multiple, Rename, Edit, Enable, Disable    X * X
    Users: Delete    X
    Groups: Add, Rename, Move, Delete    X * X
    Devices: Add, Rename, Enable, Disable, Change Policy, Cancel Device Activation    X * X
    Devices: Silver Bullet, Detonate Device    X

Manage Admin Users
    All actions possible on Standard Users & Devices    X
    Set Role    X
    Set Custom Admin Privileges    X

Manage Policies
    Add New, Edit & Save Version    X *
    Delete    X

User & Device Assistance
    Email Device Password to User    X * X X
    Resend Activation Code to User    X * X X
    Regenerate Expired Activation Code    X * X X
    View Admin Console “Tab”    X X X X
    View Groups, User Profiles, Devices, Policies, History/Logs, Dashboards    X X X X X

* These privileges can be enabled for each Custom Admin user

User Privileges by Role in IronKey Control Panel Admin Tools

Columns: Privilege, System Admin, Custom Admin, Admin, Help Desk Admin, Auditor

Device Recovery: Unlock Devices & Change Device Password    X X X X
Recommission: Recommission Device    X * X X
Recommission: Delete User Account from Server during Device Recommission    X *
Admin Approval    X


User Status

The current status of a user signifies what state their account is in. There are several user statuses, including:

» Pending: System is waiting for user to activate their 1st IronKey device

» Active: User has activated at least one IronKey and has set up his online IronKey account

» Active (without online account): User has activated at least one IronKey but does not have an online IronKey account

» Locked: User’s online account has been locked after three incorrect answers to challenge questions

» Disabled: User’s account has been temporarily disabled by an Admin

» Disabled (without online account): A user who does not have an online IronKey account has been temporarily disabled by an Admin

» Deleted: User’s name has been deleted by a System Admin, but can be re-used

NOTE: A user’s online account username cannot be used twice even if the user is deleted.

Other User Properties

For purposes of organization and smooth deployment, you can set a name and email address for each user. These fields are optional; if left blank, users will be displayed as User1, User2, User3 in the Admin Console.

GROUPS

By default, all users are created as members of a single group. Admins can manage users more effectively by organizing users into different groups. Every user, including administrators, can be a member of only one group.

Groups are created using a tree-based structure, where every group has a parent / higher level group, and every group may have children / lower level groups. Every child group can have its own children. This enables delegated administration by creating sets of users that can be managed by specific admins.

Admins can manage Standard Users in their group and in any child Groups. Admins can also manage any child Groups.

System Admins can manage any Standard User or Admin User regardless of which Group the System Admin belongs to.


IRONKEY DEVICES

Every IronKey Enterprise Secure Drive in your Enterprise Account is associated with a user. Users can have one or more IronKey devices.

Device Properties

IronKey devices include the following properties that are visible in Admin Console:

» Device Name, useful for inventorying the Case ID

» Device Status, similar to user statuses

» The Policy the device is using

» The hardware model number of the device

» The capacity of the drive (in GB)

» The version of software it is running

» The serial number. For x200 devices and higher, this matches the barcode on the outer case of the IronKey device. It also appears as the USB serial number visible to host computer operating systems. For S100 devices, it displays the eight rightmost digits of the Cryptochip inside the device.

Consistent, unique serial numbers for enhanced asset inventory management and endpoint security control are in these locations:

» Laser etched onto the device, including a barcode

» Printed on the product packaging

» On the “About IronKey” pane of the IronKey Control Panel

» On the IronKey Admin Console, with the device’s model number

» Integrated into the USB standard field name, so that it is available to Windows and other operating systems for security white listing and inventory management by other products

For large-scale deployments, you can export IronKey Admin Console information including the serial number to a .CSV file for electronic transfer to another system.

» Product identification numbers (PIDs) for S200 and D200 models are useful for inventory management and security control (Basic: 0x0201; Personal: 0x0202; Enterprise: 0x0203).

» The policy to which this device is adhering

» The date on which this device was activated

» The date and user for when the device was created and last modified

Devices also include a comments section, in which you may write information as needed. For example, you could enter information regarding your own inventory data, the device’s case serial ID, or information regarding the use or purpose of this device.

Users can have more than one IronKey device


IRONKEY POLICIES

The behavior of IronKey Enterprise devices is managed through policies defined in the Admin Console. The following categories of items can be managed:

» IronKey hardware device settings (examples: Password Policy or Silver Bullet)

» IronKey software settings (examples: Unlock Screen Message or Automatic Locking)

» Software available on the IronKey device (examples: Identity Manager, Anti-Malware, RSA SecurID)

See “Managing Policies” on page 36 for additional information about IronKey Policies.

ADMIN CONSOLE

The Admin Console is a web-based interface for overall administration of the IronKey Enterprise Management Service (EMS).

Access: my.ironkey.com

Features:

» Managing users, groups, & devices

» Managing policies

» Managing updates

» Monitoring events

» Enterprise Support materials

ADMIN TOOLS

The Admin Tools enable Admin management of IronKey Enterprise devices:

Access: IronKey Control Panel: Admin Tools

Features:

» Admin Approval of new IronKey Administrators

» Secure Device Recovery

• Unlocking users’ devices

• Resetting users’ device passwords

» Device Recommissioning - Wipes a device so it can be transferred to a new user

NOTE: Using the Admin Tools requires a network connection to my.ironkey.com


EVENTS & SYSTEM AUDITABILITY

Important security events and user activities involving the Enterprise Management Service are logged into the system to provide a clear audit trail for compliance or investigations. Details such as which user, which device, when the event occurred, at which IP address, and a description of what occurred are provided for each event when applicable.

Events are shown in the Enterprise Dashboard of the Admin Console. Examples of some of the logged events include:

» When Secure Device Recovery is performed

» When a device is recommissioned

» When a policy is created or modified

» When a user is added into the IronKey Enterprise Account

» When a device is added to a user

» When a user is deleted or a device is disabled

» When a device has detonated using the Silver Bullet Service

» When a user or device profile has been modified

» When an Admin is approved

» Login activities, such as when Admins log into the Admin Console


SILVER BULLET SERVICE

IronKey’s Silver Bullet Service extends the control Admins need to remotely manage IronKey devices and protect critical data by requiring IronKey devices to check for authorization prior to unlocking.

The Silver Bullet Service works as follows:

» The Silver Bullet policy items are enabled via policy by an Admin User.

» When a user enters his device password and clicks “Unlock” on a device that has Silver Bullet enabled, the device will quickly check with IronKey’s Silver Bullet Service to ensure that it is in good standing and coming from a Trusted Network IP address.

» If the device is active and in good standing, it will receive an “Allow” command, the device will unlock, and the user will continue his work.

» If the device or user has been disabled in the Admin Console, the device will receive a “Deny” command and will not unlock.

» If the device has been lost or stolen and the data must be protected at all costs, the Admin can mark the device for remote detonation. The device status will be Active (Pending Detonation), and the next time the device is used it will receive a “Detonate” command and immediately self-destruct. A detonated device cannot be used again.

If the user is not connected to the Internet, the device will not be able to check for authorization. In this case, it will abide by the maximum threshold of permitted Silver Bullet attempts. This number, pre-defined in policy, may be 0 (Deny) through 200, meaning that the device would allow up to 200 unlock attempts before disabling itself until it can connect to the Internet and check for authorization.
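The unlock flow above, modelled as an added example; it is not IronKey code. The class fields, function names, the order of the checks and the counter reset after a successful online check are assumptions; the "Allow" / "Deny" / "Detonate" commands and the offline attempt threshold come from the text. It shows why the offline threshold matters: while a device stays offline, neither Deny nor Detonate can reach it.

```python
from dataclasses import dataclass

ALLOW, DENY, DETONATE = "Allow", "Deny", "Detonate"   # commands named in the guide


@dataclass
class Policy:
    silver_bullet: bool = True
    max_offline_unlocks: int = 10     # "Silver Bullet attempts"; 0 denies offline use


@dataclass
class Device:                         # hypothetical state, for illustration only
    enabled: bool = True              # device and its user are enabled in the Admin Console
    pending_detonation: bool = False  # status "Active (Pending Detonation)"
    detonated: bool = False
    offline_unlocks: int = 0          # unlocks since the last successful online check


def authorize_unlock(dev, pol, online, trusted_network=True):
    """Outcome of one unlock attempt made with the correct device password."""
    if dev.detonated:
        return DENY                   # a detonated device cannot be used again
    if not pol.silver_bullet:
        return ALLOW                  # policy does not require an authorization check
    if not online:
        # The service is unreachable, so Deny and Detonate cannot be delivered;
        # only the offline allowance limits further use of the device.
        if dev.offline_unlocks < pol.max_offline_unlocks:
            dev.offline_unlocks += 1
            return ALLOW
        return DENY                   # disabled until it can check in again
    if dev.pending_detonation:
        dev.detonated = True
        return DETONATE
    # trusted_network stays True when no Trusted Networks whitelist is configured
    if not dev.enabled or not trusted_network:
        return DENY
    dev.offline_unlocks = 0           # assumption: a successful check resets the count
    return ALLOW


def offline_exposure(pol, attempts):
    """Outcomes for a device marked for detonation that is only used offline."""
    dev = Device(pending_detonation=True)
    return [authorize_unlock(dev, pol, online=False) for _ in range(attempts)]


if __name__ == "__main__":
    for limit in (0, 2, 10):
        print(limit, offline_exposure(Policy(max_offline_unlocks=limit), 4))
```

With a threshold of 0 a lost device never unlocks offline; with the default of 10 it can still be unlocked ten times by someone who knows the password before it disables itself.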


PASSWORD ASSISTANCE

A common helpdesk task is to assist users with forgotten passwords. IronKey Enterprise includes three ways Admins can assist users with forgotten passwords:

PASSWORD SELF-RECOVERY

Method: Users log into my.ironkey.com with email and online password

Recommended for: Allowing users to recover passwords without helpdesk intervention.

Requirements:

• Users must have an online account

• Device passwords must be backed up online

• Admin intervention is NOT required

PASSWORD ASSISTANCE

Method: One-time URL is emailed to user, linking to page displaying forgotten password

Recommended for: Allowing Admins to assist users who may be remote or who would not use Password Self-Recovery

Requirements:

• Device passwords must be backed up online

• Users must have valid email addresses in the system

• Standard Users do NOT have to have an online account

SECURE DEVICE RECOVERY

Method: Admin plugs in his and user’s device, uses Admin Tools to unlock device or change password

Recommended for: Ensuring the most secure procedures are used to recover devices and manage passwords.

Requirements:

• Admin must have physical possession of the user’s device

• Device passwords do NOT have to be backed up online

• Standard Users do NOT have to have an online account


Using the Admin Console

ACCESSING THE ADMIN CONSOLE

The Admin Console is available for all approved Admins, and it can be accessed by clicking the my.ironkey.com button in the IronKey Control Panel. This will securely log you in with mutual authentication over a secure channel.

Step 1: Ensure that you have completed the Setup Process detailed elsewhere in this document. Review the section on Getting Started for more information.

Step 2: Click the my.ironkey.com icon in the IronKey Control Panel. This will securely log you in with mutual authentication over SSL. If you are using a proxy, you may need to update your IronKey’s Network Settings so that it knows how to connect to the Internet.

Step 3: After your browser opens to the welcome page, click the Admin Console tab.


THE ENTERPRISE DASHBOARD

The Enterprise Dashboard shows you the latest security events and user activities in your Enterprise Account, statistics on how many active users and devices there currently are, as well as important notifications, such as lists of pending users and devices awaiting detonation (if any).


DASHBOARD MAPS AND EVENTS

Details regarding the IronKey World Map and Events Table on the Enterprise Dashboard:

• Security events, such as remote detonation of devices, are marked in red

• Important events, such as Admin activities, are marked in yellow

• Common user events are marked in green

Additionally:

• You can select which events to view in the map by clicking the + menu icon on the right

• Hovering over an event will bring up details on the event

• Clicking an item in the table will center and zoom in on the event in the map, displaying additional data on the event

• You can zoom on the map by clicking the +/- icons on the left or dragging the zoom sidebar

• You can move the geographic areas being viewed by dragging the map with your mouse

• Columns can be sorted by clicking the column title

• You can change the time period for events using the “View” dropdown menu

• You can download the list of events by clicking the “Download” icon

• You can change the number of items listed per page and which page you are viewing

• If there are pending users in your Enterprise Account, a list of their information and Activation Codes can be downloaded using the “Download List” button

Dashboard Charts

Details regarding the IronKey Charts on the Enterprise Dashboard:

» IronKey Charts use the Adobe Flash Player. If Flash Player is not installed on your computer, you will see text-based versions of the charts.

» You can download the data in the chart by clicking the Download icon

» Each chart is interactive. Moving your mouse over the chart will bring up contextual data.

» Right-click the chart for additional options, including viewing a Full Screen version of the chart and printing the chart.

» Chart data can be updated approximately every five minutes.


GENERAL STATISTICS

This chart displays a number of important general statistics about your Enterprise Account, including:

• Total current users by status

• Total current users by role

• Total devices by status

• Total devices by capacity

DEVICES BY VERSION

This chart displays the devices in your Enterprise Account (vertical axis) by the software version they are running (horizontal axis). This allows you to determine how many devices are running an out-of-date version of the IronKey software.

ADMIN ACTIVITIES

This chart displays a timeline of important Admin activities, including Secure Device Recovery, Password Assistance, and Admin Approval. The vertical axis is the frequency of events, while the horizontal axis is the timeline.

DEVICE ACTIVITIES

This chart displays how long it has been since:

» A device’s password was last backed up

» The last recorded device activity

The vertical axis is the number of devices, while the horizontal axis is the number of weeks since the specific event has occurred for each device.

NOTE: To change the default time zone from GMT, click “Account Settings” in the left sidebar. You can also change time and date formats.


MANAGING USERS

The Managing Users screen can be viewed in two modes:

» IronKey Users by Group

» IronKey Users List

Toggle between Group and List view by clicking the Group or List Icons.

IronKey Users by Group

Click the Group icon to view your IronKey Users by Group.

Details about IronKey Users by Group:

» You can “Add”, “Rename”, and “Delete” groups (only empty Groups can be deleted)

» Add users to a group by dragging and dropping them on a group’s icon

» Organize the users into logical groups

» Left-click on the user name to select a user

» Right-click on the user name to perform actions on that user:

• Add Device (Note: Only System Admins can add devices to Admin users)

• Rename User

• View User Profile

• Enable/Disable User

• Delete User (Note: Only System Admins can delete users)

» Left-click on the expand button to view a user’s Device(s)

» Left-click on a device to perform actions on that device:

• Rename Device

• View Device Profile

• Enable/Disable Device

• Change Device Policy

• Cancel Device Activation


IronKey Users List

» Download the list of users by clicking the “Download” button

» To add a user, click the “Add” button

» To add a device to a user, select the checkbox in that user’s row and click the “Add Device” button (Note: Only System Admins can add devices to Admin users)

» To delete a user, select the checkbox in that user’s row and click the “Delete User” button (Note: Only System Admins can delete users)


Other User Management Actions

Search

» To find a user, enter a username or email address in the search box in the upper-right of the header, and click the search button. Suggested matches appear as you type.

» Click the options icon in the search box to include searching within comments fields or for deleted users.

View

» User Management displays only “Current” users, which filters out those whose Account Status is Disabled (Inactive) or Deleted. Filtering is not applied based on Device Status.

» To view Disabled and Deleted users, click on the User Options button and change the “View” pulldown menu to “All Users”.


User Profile Page

Clicking a user will bring up the User Profile page.

Details regarding the User Profile Page:

» To edit a user, click the “Edit” button

» To add a device to a user, click the “Add Device” button

» You can download the list of that user’s service activities by clicking the “Download” button

» To view that user’s devices in detail, click the device name in the IronKey Devices section

User Deletion

» To Delete the user, click the “Delete User” button (available for System Admins only)

» When a user is deleted, all of their devices are disabled; however, the devices can be Recommissioned and then activated by another user.

» The system maintains all the Account & Device activity of Deleted users for audit purposes.

IMPORTANT: Deletion of a user is not reversible.


MANAGING DEVICES

Click “Manage Devices” in the left sidebar to view the IronKey Device List.

Details regarding the Manage Devices page:

» You can change the list between “Current” and “All Devices” using the “View” dropdown menu. “Disabled” and “Recommissioned” devices are not displayed in the “Current” list.

» You can download the list of devices (.csv) by clicking the “Download” button

» To edit multiple devices at once, select the checkbox in the appropriate devices’ rows and click the “Edit” button. Currently, changing the device policy is supported.

» To disable multiple devices at once, select the checkbox in the appropriate devices’ rows and click the “Disable Device” button

NOTE: You cannot disable the device you are currently using

NOTE: Disabled devices can only be re-enabled from the “Device Profile” page.

» To find a device, enter a device name or serial number in the search box in the upper-right of the header, and click the search button. Suggested matches appear as you type. You can also click the options icon in the search box to include searching within comments fields or for deleted devices.

NOTE: You can also manage devices from the “Groups” view.

» Click a device to view the device’s profile page.


Details regarding the Device Profile page:

» To disable/enable a device, click the “Disable” button

» To add comments for a device, click the “Edit” button in the Comments section

» You can download a list of that device’s service activities by clicking the “Download” button

» To view that device’s user in detail, click the user’s name

USING THE SILVER BULLET SERVICE

» To disable/re-enable a device using Silver Bullet, click the “Disable” / “Re-Enable” button.

» To detonate and permanently destroy a device that has Silver Bullet enabled, click the “Detonate” button.

• A confirmation will appear, after which the device will be pending detonation

• You can cancel a pending detonation by clicking the “Cancel Detonation” button

» When the device has detonated, you can review a Silver Bullet Report on the device profile page, including where and when the device detonated.

NOTE: Only a System Admin can Detonate a device or cancel a pending detonation.

USING PASSWORD ASSISTANCE

» To assist a user who has forgotten his device password, click the “Send Password to User” button. This button will only appear for users who have an email address and who have backed up their device password online.

» An email will automatically be sent to the user. In that email is a one-time URL that will take the user to a page that displays his password in a CAPTCHA. The user must click the link as soon as he gets the email, as the link expires in approximately 24 hours,


MANAGING POLICIES

Policy Numbers & Versions

IronKey policies are identified by the following elements:

» Policy Name - A unique name you provide when you create a policy.

» Policy Number - The number is sequentially assigned to each policy created in an Enterprise account.

» Policy Version - The version is updated each time the policy is updated.

Your organization can have an unlimited number of new policies. When a new policy is created, you must choose a unique name for that policy (e.g. Sales Policy, Classified, etc.). The system will automatically assign the next available number to that policy (e.g. Policy 2.x, Policy 3.x, etc.)

Every time an existing policy is modified, a new version of that policy is created (e.g. Policy 2.001, Policy 2.002, Policy 2.003).

All devices will update to the most current version of the policy assigned to that device. Checking for policy updates and downloading the latest policy happens automatically shortly after the device is unlocked. Policy changes are then enforced the next time the device is unlocked. Clicking the “Check for Updates” button in the IronKey Control Panel will check for policy updates immediately.

For example, if the password requirements for the organization change, an Admin can update the appropriate items in an IronKey policy. The policy status for the affected devices is now in a pending state. The next time the affected devices are unlocked, they will check to see if they have the latest policy. In this case they do not, so they will automatically download the latest policy. The next time the device is unlocked, the new policy will be enforced. Since the password policy has changed, the user will be forced to change his device password before being able to access his files.

In the example below, the Default policy is assigned version number 1.000. The next policy created is named Sales and its version number is 2.000. The policy named Testing has been updated once. Notice that its version number is updated to 3.001.

Manage Policies Page

Click “Manage Policies” in the left sidebar to view the IronKey Policies List.


Details regarding the Manage Policies page:

» Add a new policy by clicking the “Add Policy” button.

» Every time a new policy is created, it is assigned a unique policy number, the leftmost digit.

» Clicking the Policy Name will bring up the “Edit Policy” page.

» Every time a policy is modified, a new Policy Version is created.

» Each Policy Version displays how many Active devices are using that Version.

» Creating a new Policy Version changes the previous version Status to “Out-of-date”.

» It’s possible for multiple “Out-of-date” Policy Versions to exist for the same Policy. This can occur when a device is either not being used at all or is being unlocked from a computer that is not connected to the internet.

» When devices update to the latest version of a policy and there are no Active devices using an “Out-of-date” version, its Status automatically changes to “Retired”. Retired Policy Versions are automatically removed from the Active Policies List.

» A Policy can be Deleted if none of the Policy Versions is being used by an Active device.

» The displayed list of policies can be changed between “Active Policies”, “Retired & Deleted Policies”, and “All Policies” via the “View” dropdown menu.

» Download the list of policies by clicking the “Download” button.
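The version lifecycle in the list above, as an added example that is not IronKey code: it derives each Policy Version's status from a device inventory and lists the devices still running an out-of-date version. The row layout (serial, policy version, device status), the serial numbers and the "Latest" label are constructed for illustration; "Out-of-date", "Retired", the Active-device rule and the number.version format come from the guide.

```python
from collections import defaultdict


def parse_version(text):
    """'3.001' -> (3, 1): (policy number, policy version) as integers."""
    number, _, version = text.strip().partition(".")
    if not (number.isdigit() and version.isdigit()):
        raise ValueError(f"not a policy version: {text!r}")
    return int(number), int(version)


def policy_report(versions, devices):
    """versions: version strings that exist; devices: (serial, version, status) rows."""
    latest = {}                              # policy number -> highest version seen
    for text in list(versions) + [v for _, v, _ in devices]:
        number, version = parse_version(text)
        latest[number] = max(latest.get(number, 0), version)

    active_on = defaultdict(list)            # (number, version) -> Active device serials
    for serial, text, status in devices:
        if status == "Active":
            active_on[parse_version(text)].append(serial)

    status = {}
    for text in versions:
        key = parse_version(text)
        if key[1] == latest[key[0]]:
            status[text] = "Latest"          # label used by this example only
        elif active_on.get(key):
            status[text] = "Out-of-date"     # an Active device has not updated yet
        else:
            status[text] = "Retired"         # superseded and no Active device uses it

    # Devices that will keep enforcing old settings until they next update.
    lagging = sorted(s for (n, v), serials in active_on.items()
                     if v < latest[n] for s in serials)
    # A policy can be deleted only if no Active device uses any of its versions.
    in_use = {n for (n, _), serials in active_on.items() if serials}
    deletable = sorted(n for n in latest if n not in in_use)
    return status, lagging, deletable


# Constructed sample data, not taken from a real Enterprise Account.
VERSIONS = ["1.000", "2.000", "3.000", "3.001", "3.002", "10.000"]
DEVICES = [
    ("SN-0001", "1.000", "Active"),
    ("SN-0002", "3.002", "Active"),
    ("SN-0003", "3.000", "Active"),      # has not picked up 3.001 or 3.002
    ("SN-0004", "3.001", "Disabled"),
    ("SN-0005", "2.000", "Disabled"),
]

if __name__ == "__main__":
    status, lagging, deletable = policy_report(VERSIONS, DEVICES)
    print(status, lagging, deletable, sep="\n")
```

Versions are compared as integer pairs, so policy 10.000 sorts after 9.000, which a string or float comparison would get wrong.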

Edit Policy Page

Details regarding the Edit Policy page:

» Some items are dependent on others. Review the IronKey Policies section below in this document for more information.

» Clicking the “Save Version” button will save the policy as a new version, if you have made changes to it.

» While in edit mode, clicking the “Save As New” button will save the policy as a new policy, if you change the policy name.

» While in edit mode, clicking the “Cancel” button will not save any changes to the policy

» Editing the Policy Name will require the policy to be saved as a new policy

» It is possible to delete a policy if it is not being used by any Active devices. Deleting a Policy cannot be undone, and deletes all Policy Versions. Deleted policies are still visible and can be viewed, but it is not possible to create a new Policy from a deleted Policy.

NOTE: Only a System Admin can delete a Policy.


General Settings - Edit Policy name, display version & status.

Password Policy - Set the number of failed password entry attempts before the device self-destructs. Configure password strength and syntax.

Onboard Software - Choose which software is available to users.

Silver Bullet Services - Remotely disable, enable, or destroy an IronKey. Also supports restricting unlocking to White Listed IP ranges.

Control Panel - Configure IronKey Control Panel behavior such as a custom Unlock Screen Message and Automatic Device Locking.

Advanced - Enable online accounts for all users, configure automatic or manual device policy updates.


Policy Item Description

GENERAL SETTINGS

• Edit Policy Name

The Policy Name can be edited. Doing so requires saving as a new policy and you will be unable to save as a Version.

Password Policy

Policy Item Description

PASSWORD POLICY

• Set the number of failed password entry attempts before the device self-destructs

• Configure password syntax options

The number of invalid password attempts before self-destruction

After too many consecutive invalid password attempts, IronKey devices initiate a self-destruct sequence with advanced “flash-trash” technology. This hardware-level security protects against brute-force password attacks. Configure this feature with a balance of security and end-user convenience in mind.

» Range is from 2 to 200 attempts

» Default: 10 attempts

» Recommendation: 10 attempts

The minimum password length for device passwords

Only passwords with this many or more characters will be allowed.

» Range is from 4 to 20 characters

» Default: 4 characters

» Recommendation: Depends on self-destruct limit


The minimum number of uppercase letters in device passwords

Only passwords with this many or more uppercase letters will be allowed.

» Range is from 0 to 5 letters

» Default: 0

The minimum number of lowercase letters in device passwords

Only passwords with this many or more lowercase letters will be allowed.

» Range is from 0 to 5 letters

» Default: 0

The minimum number of digits in device passwords

Only passwords with this many or more digits will be allowed.

» Range is from 0 to 5 digits

» Default: 0

The minimum number of special characters in device passwords

Only passwords with this many or more special characters will be allowed.

» Range is from 0 to 5 characters

» Default: 0

Determine if whitespace is allowed in device passwords

This setting determines whether or not spaces are permitted in IronKey device passwords.

» Default: Yes

» Recommendation: Yes

If the user may, must, or may not back up his device password online

If enabled, users can back up their device password to their Online Security Vault. If users have access to their online account, they can recover their device password without Admin intervention by manually logging into Safe Mode and viewing their password in a CAPTCHA.

» Default: May

» Recommended: Must (to ensure availability of Password Assistance)


Onboard Software Policies

Policy Item Description

ONBOARD SOFTWARE

Choose from the available onboard software applications.

Make Mozilla Firefox available on the device

If enabled, a Firefox web browser will be included onboard each IronKey device. This onboard browser is portable, so cookies, history files, bookmarks, add-ons and online passwords are not stored on the local computer.

» Default: Enabled

If IronKey’s Secure Sessions Service is available for the device

If enabled, IronKey’s Secure Sessions Service will create an encrypted tunnel directly from the user’s IronKey out to a secured IronKey web server, where the traffic is then decrypted and sent out to the destination site. This security feature provides anti-phishing and anti-pharming protection (for example, IronKey does its own DNS checking), as well as enhanced privacy protection (for example the IP address will not be available to other websites and ISPs).

» This feature depends on Mozilla Firefox being enabled

» Default: Enabled

If the IronKey Identity Manager is available on the device

If enabled, the IronKey Identity Manager will be included on each IronKey device. It allows users to easily log into their online accounts (using IE6, IE7, IE8 and the onboard Firefox) and most applications that require username and password credentials, as well as generate strong passwords and manage portable bookmarks. Not having to type out passwords provides added protection from keyloggers and other crimeware. Additionally, websites that support VeriSign Identity Protection (VIP) can be locked down to the IronKey for two-factor authentication.

» IronKey devices using a version prior to 1.3.5 are using the IronKey Password Manager. This policy is compatible with the IronKey Password Manager.

» Default: Enabled

If the user may or may not back up his Identity Manager data

This setting allows users to back up their encrypted Identity Manager data to an Online Security Vault. That way, if their device is ever lost or stolen, they can restore their passwords to a new IronKey.

» This feature depends on the Identity Manager being enabled

» Default: Yes (may)

» Recommendation: Yes (may)


Make IronKey Secure Backup software available on the device

If enabled, IronKey’s Secure Backup software will be included on each IronKey device. This software allows users to back up an encrypted copy of files from their IronKey device to their local computer. If the IronKey device is lost or stolen, backed up data can be restored to another IronKey.

» Default: Enabled

» Recommendation: Enabled

Make RSA SecurID available on the device

If enabled, each IronKey will include an application for generating RSA SecurID one-time passwords for strong authentication. Devices prior to IronKey Enterprise 2.0.6.0 require a .sdtid file to be imported to use this application, while devices with 2.0.6.0+ can use dynamic seed provisioning with the RSA Authentication Manager 7.1 (CT-KIP).

» Default: Disabled

Make CRYPTOCard available on the device

If enabled, each IronKey will include an application for generating CRYPTOCard one-time passwords for strong authentication. A token file will need to be imported to use this application.

» Default: Disabled

Make the IronKey Malware Scanner available on the device

If purchased and enabled, each IronKey will include an application that scans the IronKey on each use, detecting and cleaning malware from the device.

» Default: Disabled

Silver Bullet Access Controls

Policy Item Description

SILVER BULLET

Enables remote disabling / destruction of IronKey. Devices that have not contacted the server within a specified limit are automatically disabled until they connect. An IP whitelist can also be used to deny access to devices attempting to unlock on untrusted networks.

Whether the device must be authorized before being unlocked

The Silver Bullet Service will confirm that IronKey devices are authorized and in good standing before allowing them to be unlocked. This real-time service allows Administrators to completely disable and even remotely detonate devices, extending the control needed to protect important data.

» This feature requires an Internet connection

» This feature is not available on Linux and disables Linux usage when enabled

» Default: Disabled

Whether the device may be unlocked if it is not connected to the Internet or able to be authorized

Since users are not always able to be online, this setting defines a predetermined number of unlock attempts (“Silver Bullet attempts”) before disabling the device. IronKey devices are able to be unlocked this many times when not able to connect to the service. Set this policy with a balance of security and user convenience in mind.

» This feature depends on Silver Bullet being enabled

» The number of times the device can be unlocked while not connected to the Internet ranges from 1 to 200

» Default: Allow 10 times

» Recommendation: Allow 10 times

Trusted Networks: Whether the device may or may not be unlocked based on where the user is (i.e. which IP address the device is coming from)

The Silver Bullet Service can be configured to allow or deny access to a device based on a Trusted Network IP address whitelist. Users coming from an IP address on the whitelist (e.g. from the office) will be permitted to use their device, while users who are coming from an untrusted network (e.g. home) will be denied.

WARNING: Set this policy with caution as being too restrictive may prevent trusted users from being able to access their data.

» This feature depends on Silver Bullet being enabled

» This feature does not apply to System Admins.

» Default: Disabled

» Examples of Valid Input (Internal IP Addresses should not be used):

• To allow a specific IP address, just enter it in:

From: 192.168.0.1

• To allow a block of IP addresses, use the * character:

From: 192.168.0.*

• To allow a range of IP addresses, use both the From and To fields:

From: 192.168.0.1 To: 192.186.0.12

• To add additional IP addresses, click the “Add More” button.

• To delete an entry, click the “X” button next to that row.
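A pre-flight check for Trusted Network rows, added here as an example and not part of the IronKey guide or product: it models the three input forms above (single address, * block, From/To range) and flags rows that cover internal address space or an unexpectedly wide range before they are entered in the Admin Console. The matching semantics, the function names, the trailing-octet-only wildcard rule and the 65,536-address limit are assumptions; the sample rows are constructed from documentation address ranges.

```python
import ipaddress

# RFC 1918, loopback and link-local space. The guide says internal
# addresses should not be used as whitelist input.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

MAX_SPAN = 65536  # assumed sanity limit: warn when one row covers more than a /16


def parse_row(from_field, to_field=""):
    """Turn one From/To row into inclusive integer bounds (low, high)."""
    from_field, to_field = from_field.strip(), to_field.strip()
    if "*" in from_field:
        if to_field:
            raise ValueError("a '*' row must leave the To field empty")
        octets = from_field.split(".")
        first = next(i for i, o in enumerate(octets) if "*" in o)
        # Assumption: '*' stands for whole trailing octets only (192.0.2.*).
        if len(octets) != 4 or first == 0 or any(o != "*" for o in octets[first:]):
            raise ValueError("unsupported wildcard: %r" % from_field)
        low = ".".join("0" if o == "*" else o for o in octets)
        high = ".".join("255" if o == "*" else o for o in octets)
    else:
        low, high = from_field, to_field or from_field
    lo, hi = int(ipaddress.IPv4Address(low)), int(ipaddress.IPv4Address(high))
    if lo > hi:
        raise ValueError("From %s is higher than To %s" % (low, high))
    return lo, hi


def review_row(from_field, to_field=""):
    """Return warnings for one row; an empty list means nothing to flag."""
    lo, hi = parse_row(from_field, to_field)
    warnings = []
    for net in INTERNAL_NETS:
        if lo <= int(net.broadcast_address) and hi >= int(net.network_address):
            warnings.append("overlaps internal range %s" % net)
    if hi - lo + 1 > MAX_SPAN:
        warnings.append("spans %d addresses" % (hi - lo + 1))
    return warnings


def is_trusted(ip, rows):
    """True if ip falls inside any (From, To) row of the whitelist."""
    addr = int(ipaddress.IPv4Address(ip))
    return any(lo <= addr <= hi for lo, hi in (parse_row(f, t) for f, t in rows))


# Constructed sample whitelist (documentation address ranges, not real sites).
ROWS = [
    ("203.0.113.10", ""),         # a specific address
    ("198.51.100.*", ""),         # a block
    ("192.0.2.1", "192.0.2.12"),  # a range
]

if __name__ == "__main__":
    for row in ROWS + [("192.168.0.*", ""), ("192.0.2.1", "192.2.0.12")]:
        print(row, review_row(*row) or "ok")
    print("203.0.113.10 trusted:", is_trusted("203.0.113.10", ROWS))
```

A transposed octet in the To field shows up either as a rejected row (From higher than To) or as a range far wider than intended, which is the case most likely to let untrusted networks through.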

IronKey Control Panel

Policy Item Description

IK CONTROL PANEL

• Unlock Screen Message - Display a custom message on the IronKey Unlock screen.

• Automatic Locking - Lock the IronKey if it is idle for a period of time.

The Unlock Screen Message that appears on device insertion

This message will appear on the IronKey Unlocker screen whenever the device is plugged into a computer. In the event that the IronKey is lost, someone can return it to the contact information in the Unlock Screen Message.

» Range is 0 to 255 characters and up to six lines of text

» Default: Blank

If the user can modify the Lost and Found Message

This setting determines whether or not users can edit or create their own Lost and Found Message.

» Default: No

If the device automatically locks after a specified period of inactivity (i.e. without keyboard or mouse activity)

» Should force lock be enabled on the device if open files cannot be closed

» If users can configure these settings

» The idle time-out ranges from 5 to 180 minutes

Advanced Settings

If Standard Users have an online my.ironkey.com account

Having an online account gives a Standard User basic management capabilities of his IronKey devices. This setting controls whether or not users have an online IronKey account they can access. Administrators and Auditors must have online accounts to access the Admin Console. Disabling this feature will not prevent users from backing up data to their Online Security Vault, but it will prevent them from recovering their backed up device password without Administrator intervention.

» Default: Yes (have)

» Recommendation: Yes (to ensure availability of Password Self-Recovery)

Automatically update device policy every time device is unlocked

Once an IronKey is unlocked, it can automatically check for and download the latest policy for that device. This ensures that changes to security policies are enforced as soon as possible.

» Default: Enabled

» Recommendation: It is strongly recommended that this feature be enabled

MANAGING LICENSES

Click “Manage Policies” in the left sidebar. Below the IronKey Policy list, you can view your IronKey Licenses list. Services must be enabled for the list to appear.

» You can view a list of enabled services, number of available seats, and number of total seats

» If you try to add a new user or device that exceeds the number of licensed seats, or if your license has expired, a message prompts you to update or renew your license

ENTERPRISE SUPPORT PAGE

A number of online support resources are available for you on the Enterprise Support page, including video tutorials and product documentation. It also contains information for contacting IronKey Technical Support, including your Account Number.

Using the System Console

The System Console tab contains system-wide management features that are only available to System Admins.

UPDATE MANAGEMENT

Update Management enables a System Admin to approve which Device Update is available when a user checks for updates from the IronKey Control Panel. All device Updates available to Enterprise customers are listed on this page. As a convenience to admins, the release notes for each update are available inline.

Each IronKey device update may contain newer firmware and/or software run from an IronKey device’s CD-ROM volume.

The default settings make the most recent device update available to all users, which maintains the traditional behavior of the IronKey update capability.

» Different Device Update versions can be approved for Admins and Standard users, which allows administrators to be updated first so they can be prepared to answer questions.

» The Update Version approved for Admins must be greater than or equal to the version approved for Standard Users.

At some point the Approved Device Update may be removed from the server. If a Device Update is removed, it will still appear in the drop down list, with the suffix (No longer available). Users will no longer be able to update until a newer Device Update is selected as the Approved update.

It is possible to test the latest device update on a limited set of devices before generally approving it for all Standard or Admin Users. Testing can be accomplished by assigning a policy as the Update Testing policy. Any device using that policy, either Standard User or Admin User, bypasses the approval list and is able to update to the latest update.

Using the Admin Tools

ACCESSING THE ADMIN TOOLS

Some additional administrative functionality is available onboard each approved, active Admin’s IronKey device. When you click the Admin Tools icon, the device will do a real-time check with your Enterprise Account to authenticate the Admin and ensure that the Admin is still authorized to use the Admin Tools. Revoked Admins, for example, will not be able to continue. You must be connected to the Internet to use the Admin Tools.

USING SECURE DEVICE RECOVERY

IronKey’s Secure Device Recovery allows Admins to unlock your organization’s IronKey devices:

» Without knowing the user’s device password

» Without using a password database

» Without using a backdoor/redundant password

» With admin authentication (protection against stolen admin devices)

» With admin authorization (protection against rogue admins)

» With a proper audit-trail of the event

Step Description

1 Click the Admin Tools icon in the IronKey Control Panel.

The device will perform real-time authentication and authorization.

2 Insert the device that you want to access into the computer’s USB port. Wait a few moments so the device can enumerate.

Then click the “Refresh Device List” button.

The device will search for the other IronKey.

3 You can either choose to unlock the user’s device or change that device’s password.

To unlock the device, click the “Unlock Device” button. A progress bar will appear and when the device is unlocked, Windows Explorer will auto-launch to that device’s secure volume.

To change the device’s password, enter in the new password for that device, confirm it, and click the “Change” button. A progress bar will appear and then a confirmation that the password has been reset successfully.

NOTE: Recovering a device that is not from your Enterprise Account, not yet activated, or not an IronKey Enterprise Secure Drive is not possible. If an error appears, check if this is the issue.

PROMOTING A STANDARD USER TO BE AN ADMIN

A System Admin can modify user roles and permissions in the Admin Console. When a user is invited to be an Admin, or when a Standard user is promoted to become an Admin, an existing Admin must approve the process using Admin Approval.

Step Description

1 In the Admin Tools sidebar, click “Admin Approval.”

2 Click the “Check for Admins” button.

This will perform an online check for users awaiting Admin Approval.

3 Check all devices that you approve for having administrative functionality. Then click the “Approve” button.

A table of devices that are awaiting approval will be displayed.

4 The next time that user clicks the my.ironkey.com button in the IronKey Control Panel, he receives administrative privileges and has access to the Admin Console.

RECOMMISSIONING DEVICES

When employees leave the organization, their IronKey can be recommissioned to new users using IronKey secure online services for Admin authentication and authorization.

Step Description

1 In the Admin Tools sidebar, click “Recommission Device.”

2 Insert the device that you want to recommission into the computer’s USB port. Wait a few moments so the device can enumerate.

Then click the “Refresh Device List” button.

The device will search for the other IronKey.

3 Click the “Recommission Device” button. A progress bar shows your progress throughout the recommissioning process.

Selecting the “Also delete user from the system” checkbox will delete the user as well as the device. This feature is only available for System Admins.

NOTE: Recommissioning cannot be undone. All data on the device will be permanently lost.

Importing Authentication Credentials

IMPORTING RSA SECURID TOKENS

If enabled through your policy, your users’ IronKey devices can provide additional strong authentication capabilities by generating RSA SecurID one-time passwords. You must provide a .stdid file to your users for importing tokens.

Step Description

1 Open the RSA SecurID application.

Click the icon in the IronKey Control Panel’s application list on your user’s device.

2 Import a .stdid file. This may be exported by your RSA server. For information on that procedure, see your RSA SecurID server documentation.

1. Click the “Options” button.

2. Click the “Add” button.

3. Browse to the location of the .stdid file.

4. A password might be required to unlock the file.

The tokens will be added.

3 If you prefer, you can rename the tokens.

Click the “Rename” button to create a name for the selected token.

4 In the Options window you can also delete tokens by clicking the “Delete” or “Delete All” button.

Be careful when deleting tokens, as this operation cannot be undone.

IMPORTING A DIGITAL CERTIFICATE INTO THE IRONKEY

The IronKey Cryptochip includes a limited amount of extremely secure hardware storage space, which can be used for storing the private key associated with a digital certificate. This provides your users additional strong authentication capabilities. For example, you could store a self-signed certificate used for internal systems that will allow users to automatically log in when using the IronKey’s onboard Firefox web browser.

The import process uses IronKey’s PKCS#11 interface and requires Mozilla Firefox.

NOTE: Space for only one additional private key exists in the IronKey Cryptochip, though it will receive the benefits of the Cryptochip’s tamper proof hardware and self-destruct mechanisms.

Step Description

1 Open the onboard Firefox.

Click the icon in the IronKey Control Panel’s application list on your user’s device.

2 Open Firefox’s Options menu to the Encryption tab.

1. Click “Tools” in the menu bar.

2. Click “Options.”

3. Click the “Advanced” icon.

4. Click the “Encryption” tab.

3 Click the “View Certificates” button.

This opens the Firefox Certificate Manager.

4 IronKey’s certificate is available here. To add your own, click the “Import” button.

5 Browse to the PKCS#12-format certificate file and open it.

You will be prompted for the location of the PKCS#12-format certificate file (the file extension will be .p12 in UNIX/Linux, .pfx in Windows).

6 A window appears asking you to confirm where to store the certificate.

Choose “IronKey PKCS#11”

7 Enter the password that was used to protect the certificate.

If no password was used, simply leave the text field blank.

8 Your certificate is now stored securely in the IronKey Cryptochip and is available for use in the onboard Mozilla Firefox.

NOTE: When deleting certificates, you must restart Firefox for the action to take effect. You cannot delete the IronKey certificate that was pre-packaged with your device.

Administering the IronKey Anti-Malware Service

If purchased and enabled, your organization can protect its IronKey devices from the latest malware threats with the IronKey Anti-Malware Service and IronKey Malware Scanner. See the User Guide for more information on how the IronKey Malware Scanner works. As an Admin, you will want to be familiar with how to interpret Malware Scanner reports.

INTERPRETING IRONKEY MALWARE SCANNER REPORTS

The IronKey Malware Scanner on each user’s device maintains detailed logging of important events, such as checking for updates, downloading updates, scanning for malware, and malware detections, as well as vital status information such as the version of the software and the signature file database being used. The location of this file is at:

F:\IronKey-System-Files\Reports\IKMalwareScanner_Report.txt

Where “F” is the IronKey’s Secure Files volume (where the user stores his data). Malware Scanner Reports are written in Apache Common Log format with tab-delimited data:

[ip address] [timestamp] [event] [status code] [data size or file count]

In the event of an infection, users are instructed to send the report to their administrator to diagnose and resolve the issue. Here are some details on interpreting important events:

EVENT DESCRIPTION

INFECTION

Infection events include

» The name of the malware

» The type of malware (e.g. virus, trojan, etc.)

» The location the malware was found

» The result of trying to repair or delete the infected file. Usually the file will be repaired or deleted, though in rare cases the file cannot be altered and is left on the device. The status in that case is “Unresolved”.

UPDATE

» The Malware Scanner will attempt to update before each scan. The most common failure is when the device cannot connect to the Internet.

» Some users may experience issues installing the update if they do not have enough space available on their IronKey. It is recommended that users allocate 135 MB of space for the signature file database.
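A triage helper for reports that users send in, added here as an example and not IronKey's own tooling: it splits each line into the five tab-delimited fields named above and pulls out infections whose status is “Unresolved”. Everything beyond what the guide states is an assumption (the event keyword leading the event field, the status words other than “Unresolved”, the Common Log Format timestamp layout), and the sample report is constructed.

```python
import datetime as dt
from collections import Counter, namedtuple

# The five fields the guide lists, in order.
FIELDS = ("ip", "timestamp", "event", "status", "size")
Entry = namedtuple("Entry", FIELDS)

# Constructed sample report; a real report's field contents may differ.
SAMPLE_REPORT = "\n".join([
    "203.0.113.7\t[07/Oct/2010:09:14:02 -0700]\tUPDATE\tOK\t1048576",
    "203.0.113.7\t[07/Oct/2010:09:15:40 -0700]\tSCAN\tOK\t412",
    "203.0.113.7\t[07/Oct/2010:09:15:41 -0700]\t"
    "INFECTION EICAR-Test-File (virus) F:\\docs\\eicar.com\tDeleted\t1",
    "203.0.113.7\t[07/Oct/2010:09:15:43 -0700]\t"
    "INFECTION Sample.Trojan (trojan) F:\\tools\\setup.exe\tUnresolved\t1",
    "this line is truncated",
])


def parse_report(text):
    """Return (entries, malformed_line_numbers) for a report's text."""
    entries, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            malformed.append(lineno)  # keep for manual review, do not guess
            continue
        try:
            # Assumed Common Log Format timestamp: [dd/Mon/yyyy:HH:MM:SS +zzzz]
            when = dt.datetime.strptime(parts[1].strip("[]"),
                                        "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            malformed.append(lineno)
            continue
        entries.append(Entry(parts[0], when, parts[2], parts[3], parts[4]))
    return entries, malformed


def triage(entries):
    """Count events by keyword and list infections left on the device."""
    counts = Counter(e.event.split(None, 1)[0].upper()
                     for e in entries if e.event.strip())
    infections = [e for e in entries if e.event.upper().startswith("INFECTION")]
    unresolved = [e for e in infections
                  if e.status.strip().lower() == "unresolved"]
    return {"counts": dict(counts), "infections": infections,
            "unresolved": unresolved}


if __name__ == "__main__":
    parsed, bad_lines = parse_report(SAMPLE_REPORT)
    summary = triage(parsed)
    print("events:", summary["counts"], "malformed lines:", bad_lines)
    for e in summary["unresolved"]:
        print("UNRESOLVED", e.timestamp.isoformat(), e.event)
```

Unresolved entries are the ones that need an Admin's attention, since the infected file is still on the device; malformed lines are reported by number rather than dropped so a truncated report is noticed.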

Common Tasks

ADDING NEW USERS

Step Description

1 Access the Admin Console by clicking the my.ironkey.com icon in the IronKey Control Panel.

2 Navigate to the Manage Users page.

3 In the Manage Users page, click one of the following:

• Add User - Click “Add User” to add a single user.

• Add Multiple Users - Click “Add Multiple Users” to enter several users at one time.

Add Multiple Users

Use .csv format to add each user’s information as follows:

» Name

» Email address

» Group

» Role

» Policy

Add a User

Enter the following user information:

» Name

» Email

» Role

» Policy

Activate the checkbox to notify the user via email and activate the appropriate Access Level Checkbox.

Note: Only System Admins can add new Admins.

ACTIVATING DEVICES FOR A USER

When you plug a new IronKey Enterprise Secure Flash Drive into your computer, it prompts you for an email address and an Activation Code. An Internet connection is required.

Step Description

1 Plug a new IronKey Enterprise Secure Flash Drive into the computer USB port.

Your IronKey must be activated on a Windows (2000, XP, or Vista) or Mac computer. To use the full speed of the IronKey, plug it into a USB 2.0 port.

2 The “Activate Your IronKey” screen appears.

The IronKey autoruns as a virtual CD-ROM.

• Windows: This screen might not appear if your computer does not allow devices to autorun. You can start it manually by double-clicking the IronKey Unlocker drive in “My Computer” and double-clicking the “IronKey.exe” file.

• Mac: Double-click the IronKey drive on your desktop, and double-click the “IronKey” file.

NOTE: You can install the IronKey Auto-Launch Assistant, which automatically opens the IronKey Unlocker when you plug in an IronKey. See “Preferences” in IronKey Control Panel Settings. (Mac only)

3 Retrieve the email with your Activation Code. Copy and paste it into the IronKey window.

Click “Continue” when you are ready.

The information presented to you when you added the user in the Admin Console (and emailed to the user, if that checkbox was selected) is needed here.

• If you did not provide an email address for your user, you must enter your email address. This is used for authentication purposes and is not associated with the user after activation.

• If your IronKey cannot connect to the Internet, click “Edit Proxy Settings” to adjust its network settings.

4 At this point, the device is ready to be initialized with a password and continue the setup process.

You can either continue with initialization, or hand the device to the user for him to complete the setup process.

ADDING NEW ADMINS

Step Description

1 Add the new user and set the role to be an administrative role.

This process can only be performed by a System Admin.

2 An email will go out to the user (optional) with his setup information.

3 The user activates a new IronKey Enterprise Secure Flash Drive.

4 Once activated, the device must be approved by an Admin before it can access the Admin Console.

An email will be sent to the inviting System Admin as a reminder to perform the Admin Approval.

5 The next time the new Admin clicks the my.ironkey.com icon in his IronKey Control Panel, he will receive administrative privileges.

ADDING NEW DEVICES TO USERS

When you add a user, a device will automatically be added to the system upon activation. To add additional devices to a user, follow the directions below.

Step Description

1 In the Admin Console, go to the user profile page for the user for whom you want to add an additional device.

See “Using the Admin Console” for more information.

2 Click the “Add Device” button.

3 A new device with a pending status is added. The Activation Code for that device appears.

DISABLING LOST DEVICES

When a device is lost or stolen, disable the device in the Admin Console. This will disable its services and ensure access control protection. For devices that are Silver Bullet-enabled, it will also prevent the user from unlocking the device.

Step Description

1 In the Admin Console, go to the Manage Devices page.

2 Select the checkbox next to the device you want to disable.

3 Click the “Disable Device” button at the bottom of the page.

Unlike recommissioning devices, disabling devices can be undone. If the device is found, it can be re-enabled.

HELPING A USER WITH PASSWORD ASSISTANCE

When a user forgets his device password, he may call the helpdesk for assistance in unlocking his device. The simplest way to remotely help such a user is with Password Assistance.

Step Description

1 In the Admin Console, go to the Manage Users page and select the user from the User List.

2 On the User’s Profile page, select the device that the user wants to unlock.

3 Click the “Password Assistance” button on the Device Profile page. A confirmation message notifies you that an email was sent to the user.

An email is sent to the user with a one-time URL in it. That URL links to a web page that reminds the user of his device password. If left unused, the URL expires in approximately 24 hours.

This feature requires that the user has backed up his password to my.ironkey.com. If he has not, then the button is not available.

Using Non-Administrative Features

For information on how to use the various features of the IronKey available to all of your users through policy (such as Secure Backup, the IronKey Password Manager, and Secure Sessions), review the IronKey Enterprise User Guide, available on the Enterprise Support page of the Admin Console and on the virtual CD of each IronKey Enterprise Secure Flash Drive.

Known Issues

Here are a few important caveats to be aware of while using IronKey Enterprise:

» The very first IronKey in your Enterprise Account cannot be recovered through Secure Device Recovery. That device should be put in a safe place for emergency access to the system.

» In approving Admins, the user to be approved must be active in the system (i.e. activate a device) before being able to be approved. This is part of the underlying security technology.

» IronKey devices that are not running the latest firmware and software may not be able to use the Silver Bullet Service or certain other new features. Updating old devices will allow them to use these features.

» Admins must update their older devices with the latest software to use Admin Tools to manage newer devices.

» In some cases, recommissioned devices will not auto-launch. They can be manually launched.

» Updating an IronKey on Windows 2000 (SP4) and Windows XP requires Windows administrative privileges. Windows administrative privileges are not required when updating an IronKey on Vista.

» Some users might have difficulty understanding that the IronKey mounts as two drives: a virtual CD that launches the IronKey Unlocker, and the secure files volume that mounts when the device is unlocked. Point users to IronKey’s video tutorials at support.ironkey.com for visual instructions of the most common IronKey tasks.

» See the release notes at support.ironkey.com for known issues specific to a release.

Enterprise Support

IronKey is committed to providing world-class support to its enterprise customers.

IronKey technical support solutions and resources are available around the clock through the IronKey Support website (located at https://support.ironkey.com). These resources include video tutorials, a Knowledgebase of frequently asked questions and technical notes, the IronKey Troubleshooter, product documentation, and the ability to submit your inquiries to the IronKey Support team.

IronKey also maintains a customer forum (located at https://forum.ironkey.com) where our community members share their product knowledge, exchange ideas, help each other with encountered problems, and interact with IronKey employees.

TECHNICAL SUPPORT FOR SYSTEM ADMINISTRATORS

The IronKey Support team is available to answer questions that IronKey Enterprise administrators may have about their product implementation. IronKey Support can be contacted by filing a support request (https://support.ironkey.com/supportrequest) or by emailing [email protected]. Please always reference your Account Number when contacting us. It can be located on the Enterprise Support page of the Admin Console. Our support team is available to assist you Monday through Friday 6AM-5PM Pacific Time.

A number of materials, including a copy of this document, can be found on the Enterprise Support page of the Admin Console. There you will find the most specific information regarding using IronKey Enterprise. Please have your Standard Users contact your help desk for assistance, or have them review the support materials on support.ironkey.com. Due to the customized nature of each IronKey Enterprise Account, technical support for IronKey’s enterprise products and services is available for System Administrators only.

Product Specifications

For details about your device, see “About IronKey” in IronKey Control Panel Settings.

CAPACITY*
Up to 32GB, depending on the model

DIMENSIONS
75mm X 19mm X 9mm

WEIGHT
0.8 oz

WATERPROOF
MIL-STD-810F

OPERATING TEMPERATURE
0C, 70C

OPERATING SHOCK
16G rms

ENCRYPTION
Hardware: 256-bit AES (Models S200, D200), 128-bit AES (Model S100)
Hashing: 256-bit SHA
PKI: 2048-bit RSA

FIPS CERTIFICATIONS
See www.ironkey.com for details.

HARDWARE
USB 2.0 (High-Speed) port recommended, USB 1.1

OS COMPATIBILITY
Windows 2000 (SP4), XP (SP2+), Vista, or Windows 7
IronKey Unlocker for Linux (2.6+, x86)
IronKey Unlocker for Mac (10.4+, Intel)

Contact Information

Product Feedback Feature [email protected] [email protected]

IronKey Online Support

https://my.ironkey.com
https://support.ironkey.com
https://forum.ironkey.com
store.ironkey.com

End-Users: please contact your Helpdesk or System Admin.
Admins: email [email protected] and reference your Enterprise Account Number

Note: IronKey is not liable for technical or editorial errors and/or omissions contained herein; nor for incidental or consequential damages resulting from the furnishing or use of this material. The information provided herein is subject to change without notice.

The information contained in this document represents the current view of IronKey on the issue discussed as of the date of publication. IronKey cannot guarantee the accuracy of any information presented after the date of publication. This document is for information purposes only. IronKey makes no warranties, expressed or implied, in this document. IronKey and the IronKey logo are trademarks of IronKey, Inc. in the United States and other countries. All other trademarks are the properties of their respective owners. © 2010 IronKey, Inc. All rights reserved. IK0900196