Stand-alone client configuration of POA users

Hello everyone!
I need to use Safeguard encryption 5.60.3 on stand-alone clients.
The configuration shall be installed once on the computer. So it needs to be prepared before in a safeguard management environment.
Afterwards an Admin (without access to a safeguard management environment) shall be able to manage (create/modify) users on the computer.
Is there any possibility to add the newly created users to the POA for authentication even on stand-alone clients?
Or do they always have to be created in the management environment and afterwards installed on the stand-alone computer?
Eventually the users shall use smartcards for authentication but I am still stuck on this first part, because newly created users are always logged off automatically.
Maybe you can recommend a slightly different approach, if the desired solution is not possible.



This thread was automatically locked due to age.
  • FormerMember
    0 FormerMember

    Hello Florian,

    Is this SafeGuard Easy or a SafeGuard Enterprise client running in standalone mode?

    Depending on the policy settings / version of SafeGuard, any SafeGuard user (or just the owner of the machine) will be able to add new users.

    Is there a reason these machines will be running in standalone mode but still need administration?

  • Hello Toby,

    I know that the use case is not a standard one. But we have several standalone computers for which we try to build some kind of automatic setup (as far as possible). As the hardware is not high end and other software needs most of the resources, we did not want to install SQL Server and the Management Console.

    We use SafeGuard Enterprise 5.60.3 and installed it on one machine. There we generated the configuration setup.
    For the clients we have the preinstall (SGxClientPreinstall.msi), Client installer (SGNClient.msi) and generated Configuration, which are automatically installed with additional software. The encryption is started and then an administrator shall be able to configure the machine for the current needs, which is out of our scope.

    I tried to set the rule for import of new users to everyone, but the documentation in the management states that this only has an effect for managed clients.

  • FormerMember
    0 FormerMember in reply to FlorianOtt

    Hi Florian,

    SQL Server and the Management Console are the backbones of this system, so where did you get a configuration package from if these aren't installed?

  • SafeGuard Enterprise including SQL Server and the Management Console are installed on one machine, which only we use to create a configuration package. Then we create a setup, which installs and configures the basic settings for the machine, including encryption. This setup is provided to our customers.

    We do not have access to the stand-alone machines of our customers. An administrator starts the automatic setup and when this basic setup and configuration is finished, customizes the machines, e.g. creates new users.

    Now we have the following problems:

    1) new users, which are created, are not added to the POA. Import of new users only works for managed clients. Guest authentication is not sufficient as this only works for Windows and not the POA.

    2) we need to authenticate the users using smartcards with customer certificates. I think those certificates need to be part of the configuration package. So if the customer changes/updates certificates, a new configuration package must be provided.

    The other option is to somehow automatically install the Management Console, but this might be tricky and I am still not sure, if we can solve all our problems this way.

  • FormerMember
    0 FormerMember in reply to FlorianOtt

    Hello Florian,

    Many thanks for the clarification.

    Regarding the first point, where are the new users being imported from? Providing the new users already have a Windows account on the machine they need to be added to, you should just be able to grant them access to that machine. Just get a regular user of that machine to log in past POA without the "Passthrough to Windows" tickbox enabled. When you get to Windows, just click "Switch User" and there will be a login for "SafeGuard Other". The new user should be able to log in here and access the machine. As the user has now logged onto the machine, they'll be added to the UMA (User Machine Assignment); therefore, when the machine reboots, they'll be able to log in at POA and at Windows. There shouldn't be any difference if the machines are standalone, as this process happens locally.

    Regarding the second point, many tokens and certificates are assigned to users via the Management Console, not put in the Configuration Package.
    You could install a second copy of the Management Centre on a client machine and remotely point it to your server if that's of any use?

    In terms of supported smartcards I would take a look at the below for the one you want to use. If a smartcard or token is not listed in this information it has not been tested by QA and is therefore considered unsupported. However, a smartcard/token may work without being in the list (e.g. if it was supported in previous versions of the product or is working with one of the supported middlewares).

    Supported Middlewares

    Smartcard Middleware tested in SafeGuard Device Encryption

    Vendor           Middleware         Version                  Windows 7 32bit   Windows 7 64bit
    ActiveIdentity   ActivClient PKI    6.2                      x                 x
    Gemalto          IdGO 800           1.2.3                    x                 x
    Atos             CardOS API         5.3                      x                 x
    T-Systems        NetKey             1.7.0.8, PKCS11: 1.7.0   x                 x
    Nexus            Nexus Middleware   4.24.9                   x                 x

    Supported Smartcards

    Supported Smartcards in SafeGuard Device Encryption Power-on Authentication (POA) and SafeGuard Credential Provider

    Vendor         Card                   Version
    Nexus          CardOS                 5.0
    Gemalto        IDPrime                MD 3840
    Atos           CardOS                 5.0
    T-Systems      TCOS                   3.0.2
    Charismatics   Oberthur IDOne Cosmo   V7

    Supported Smartcard Readers

    Readers tested in SafeGuard Device Encryption Power-on Authentication (POA) and SafeGuard Credential Provider. USB-CCID readers are supported on USB 1.x, USB 2.0 and on standard USB 3.0 ports, which are backward compatible according to the specification.

    Card Reader                  Comment
    HP KCC-REM-E8H-KUS1206       card reader + keyboard
    Gemalto IDBridge CT30
    Identiv Cloud 2700
    Cherry Keyboard KC 1000 SC
    Cherry TC 1100
    Cherry TC 1300
    Omnikey 3021                 PID 3022
    SCM SDI010
    Alcor Micro 9540             e.g. in HP Probook
    Broadcom Smartcard Reader    e.g. in Dell Latitude
    HID 6121 V3
    HID 3121 V3

    By the way Florian, if more than one smartcard reader is present on a client, it is recommended to disable the ones that are not used to avoid unwanted side effects. For internal readers it can be necessary to disable the device in the BIOS.
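The reply above recommends disabling every smart card reader that is not in use so that only one reader is visible to the POA and the credential provider. As an added example (not part of the original thread or of the SafeGuard product), the following PowerShell script lists the readers Windows currently sees and disables all except the one you want to keep. It assumes the built-in PnpDevice cmdlets (Get-PnpDevice / Disable-PnpDevice), which exist on Windows 8.1 / Server 2012 R2 and later; on Windows 7 the same step has to be done in Device Manager, and for internal readers in the BIOS, as the reply says. The reader name in $keep is a hypothetical placeholder.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell.
# Assumption: PnpDevice module available (Windows 8.1 / Server 2012 R2 or newer).
# $keep is a placeholder: substitute the friendly name of the reader you use.
$keep = 'Gemalto IDBridge CT30'

# Enumerate readers in the SmartCardReader device setup class that are plugged in now.
$readers = Get-PnpDevice -Class 'SmartCardReader' -PresentOnly -ErrorAction Stop

Write-Host "Smart card readers present on this machine:"
$readers | Select-Object Status, FriendlyName, InstanceId | Format-Table -AutoSize

# Refuse to act if the reader we intend to keep is not present at all,
# otherwise we would leave the machine without any working reader.
if (-not ($readers | Where-Object { $_.FriendlyName -like "*$keep*" })) {
    Write-Warning "Reader '$keep' not found; no changes made."
    return
}

foreach ($r in $readers) {
    if ($r.FriendlyName -like "*$keep*") { continue }   # this is the one we keep
    if ($r.Status -eq 'OK') {                           # only touch enabled devices
        Write-Host "Disabling unused reader: $($r.FriendlyName)"
        Disable-PnpDevice -InstanceId $r.InstanceId -Confirm:$false
    }
}

# Re-list so the result can be verified before rebooting into POA.
Get-PnpDevice -Class 'SmartCardReader' -PresentOnly |
    Select-Object Status, FriendlyName | Format-Table -AutoSize
```

Disabled devices keep their driver and can be re-enabled with Enable-PnpDevice on the same InstanceId; the check that the reader to keep is actually present is there so the script never leaves a smartcard-only machine with no usable reader.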
