IronKey EMS Cloud Admin Guide
DataLocker Inc.
June, 2019

© Copyright DataLocker Inc.

Contents

About IronKey EMS Cloud
  What’s New?
  Support For IronKey D300SM
  New Activation Email Template Variable
  Release History
  Key Admin Concepts
  Supported Device Models
  Supported Web Browsers
  Product Specifications
  Product Overview
  IronKey EMS
  IronKey EMS Devices
  Enterprise Support
  Standard Users
  System Administrators
  To Access Resources On The Enterprise Support Page
  For More Information
  Licensing

Setting Up IronKey EMS Cloud
  Important - Before You Begin
  Creating The IronKey EMS Account
  To Create The Account
  Next Steps
  Activating The 1st And 2nd System Admin Online Account
  To Activate The Online Account
  Accessing The Admin Console
  To Access Admin Console Using Web-Based Login
  To Access Admin Console Using Device-based Login

Deploying Devices
  What’s Involved?
  Choosing A Deployment Strategy
  Questions To Ask Before Deploying Devices:
  Next Steps:
  Sample Deployment
  Requirements:
  The Deployment Solution
  Results
  Best Practices for a Smooth Rollout
  For The Administrator
  For The End User
  Common Administrator Tasks

Managing Policies
  Policy Numbers And Versions
  About Policy Settings
  User Policy Settings
  Device Policy Settings
  Adding Policies
  Editing Policies
  Deleting Policies
  Viewing Policies
  Updating Policies On Devices
  User Policies
  Device Policies

Managing Users And Groups
  Viewing Users And Groups
  Managing Users
  About Users
  Administrative Tasks By Category And Role
  Adding A User
  Editing The User Activation Email
  Adding Multiple Users
  Editing A User
  Changing The Role Of A User
  Deleting A User
  Viewing User Information
  Searching For A User
  Managing Groups
  About Groups
  Adding A Group
  Moving Users To A Group
  Deleting Groups

Managing Devices
  Viewing Device Information
  Downloading Device Information
  Activating Devices
  Editing The Device Activation Email
  Activating A Device For A User
  Adding New Devices To Users
  Editing Device Profiles
  Deleting Devices
  Searching For A Device
  Managing Devices Remotely With Silver Bullet
  Resetting A Device Password (Admin Initiated)
  Pairing A New Smart Card With A Device
  Recovering Devices
  Recommissioning Devices
  Disabling And Enabling Devices
  Detonating A Device
  Forcing Read-Only Mode
  Updating Devices
  Forcing A Software Update
  Selecting An Approved Update File
  Update Testing
  Update Removal
  Upgrading Basic Devices To Enterprise
  Importing Authentication Credentials
  Importing RSA SecurID Tokens
  Importing A Digital Certificate
  Managing S200 Or D200 Devices
  Admin Tools: Tasks According To User Role
  Assisting With Passwords
  Approving Admin Users
  Recommissioning Devices
  Activating Basic Devices
  EMS Device Migration

Managing Admin Accounts
  Managing Your Online Account
  Activating Your Online Account
  Resetting Your Password
  Unlocking Your Online Account
  Editing Device Nicknames
  Editing Your Online Account Settings
  Resetting An Administrator’s Account Password

Monitoring Security Events
  Using Enterprise Dashboard
  Dashboard Maps And Events Table
  Enterprise Dashboard Charts
  Setting Up Email Alerts For Events
  Interpreting Malware Scanner Reports

Glossary

About IronKey EMS Cloud

IronKey EMS Cloud is an advanced, cloud-based, management service that lets you protect your data, your mobile workforce, and your organization. You can quickly and easily establish a secure command center for administering and policing the use of encrypted Workspace and Storage drives.
This guide tells you how to set up, deploy, and manage devices in your enterprise environment.

What’s New?

Support For IronKey D300SM

IronKey EMS now supports the new IronKey D300SM device. Designed for business-grade security, the D300SM is an encrypted USB 3.0 drive that is FIPS 140-2 Level 3 certified and TAA compliant.

New Activation Email Template Variable

The “PolicyName” variable has been added to activation email templates. For more information on how to customize activation email templates, see Editing The Device Activation Email.

Release History

Email Notification For Events - The Alerts feature is now available for all accounts. It provides email notifications to administrator users about important events. Administrators can set up an alert to receive a daily message summarizing the events that have occurred in the last 24 hours or receive a selected report. For more information, see Setting Up Email Alerts For Events.

Support For Sentry ONE - IronKey EMS now supports the new DataLocker Sentry ONE device. Designed for business-grade security, Sentry ONE is an encrypted USB 3.0 drive that is FIPS 140-2 Level 3 certified and TAA-compliant.

Receive Downloaded Device And User Data By Email - When you configure your online account settings to enable this feature, device and/or user data will be available for download by email. For more information, see Editing Your Online Account Settings.

Two Default Activation Email Templates - There are now two device activation email templates, one for Storage devices and the other for Workspace devices. You can customize the content in these templates according to company requirements.

Support For IronKey D300M - IronKey EMS now supports the new IronKey D300M device. Designed for business-grade security, the D300M is an encrypted USB 3.0 drive that is FIPS 140-2 Level 3 certified and TAA compliant.

Web Login To Management Console Using Online Account (Admins Only) - Administrators can log in directly to the management console Web application with Username & Password only; no admin device is required.

Changes To User Profile Page - Recommissioned devices in the Devices list will be hidden by default.
The “View” list includes “Current Devices” (default setting) and “All Devices”. A current device still uses an active seat license and can be in one of the following states: Disabled, Pending recommission, Awaiting detonation. The “All Devices” view will also display Deleted, Recommissioned and Detonated devices.

Force Update Feature For S250/D250 Devices - A new Force Update feature is now available in Service for use with the latest release of the 250 device Series (version 3.5.0.0). Controlled by the device policy, you can now force users to update their devices to the latest approved software release. For information about new Force Update policy settings, see Device Policy Settings. For more information about using Force Update, see Updating Devices.

Support For H350 Enterprise And IronKey Workspace W700-SC Devices - H350 devices are FIPS 140-2 Level 3 certified, USB (Universal Serial Bus) 3.0 hard drives with built-in password security and data encryption. For more information about the device, see the DataLocker H300/H350 Enterprise User Guide.

IronKey Workspace W700-SC is a trusted, FIPS 140-2 Level 3 certified, secure USB flash drive that features XTS-AES 256-bit hardware encryption. Additionally, the W700-SC supports device authentication using a smart card. When paired with your device, you can securely unlock your workspace using your smart card and Personal Identification Number (PIN). Certified by Microsoft as a Windows To Go device, the W700-SC is a secure, personal workspace. It is capable of using all host system resources on host computers that are certified to run Microsoft Windows® 7.0 and higher, and qualified Mac computers.

Support For IronKey Workspace 4.3 - Admins are now able to use the device recovery Silver Bullet to unlock the secure operating system (OS) partition on the device. If a user experiences issues with the Windows OS, Administrators can now try to troubleshoot and repair these issues or recover files by accessing the OS partition. See “Recovering devices” on page 62.

A new device update is available to upgrade the device firmware and software on devices running IronKey Workspace version 4.2. Admins will also need to update the Control Panel application in Windows To Go.

IronKey Workspace 4.3 devices also include the following features:
• Device activation on a Mac operating system.
• Support for a multi-lingual keyboard layout in the Preboot environment when booting Windows To Go.
• Updates to the IronKey Workspace Startup Assistant to increase the number of host computers it can configure to boot from a USB device on startup. The application is available on the device (W500/W700) or as a standalone application (available as a download from datalocker.com).
• Support for DataLocker and IronKey secure storage devices in Windows To Go; for a complete list, see Supported Device Models. Users can save data to the secure storage drive while booted in Windows To Go. When using a storage device while booted in the secure Workspace, two Control Panel icons will display in the Windows system tray, one to manage the secure storage device and the other for the IronKey Workspace device.

Updates To The Admin Console
• Enterprise Dashboard Events table - The Enterprise Dashboard Events table now includes a column for Devices. Admins can sort by the Device column to view all events for a specific device. Also new is the custom date range filter. You can now filter which events display in the table based on a start and end date.
• Email Notification For Events - The Admin Console includes a new Alerts feature. If purchased and enabled for your EMS Account, this feature provides email notifications to Admin users about important events. Admins can set up an alert to receive a daily message summarizing the events that have occurred in the last 24 hours. See Setting Up Email Alerts For Events.
• New Group Selector When Adding A User - When you create a new user, you can now add the user to a group using the group selector. System Admin users can add the user to any group. Admin users can only add users to a group of which they are also a member. See Adding A User.

S1000 Support - IronKey EMS now supports the management of IronKey Enterprise S1000 devices. S1000 devices are secure USB (Universal Serial Bus) portable flash drives with built-in password security and data encryption.
For more information about the device, see the IronKey Enterprise S1000 User Guide.

H300 Support - IronKey EMS now supports the management of H300 devices. H300 devices are USB portable hard drives with built-in password security and data encryption. For more information about the device, see the DataLocker H300/H350 Enterprise User Guide.

IronKey Workspace Support - IronKey EMS now supports the management of IronKey Workspace Windows To Go devices (W500 and W700). IronKey Workspace devices provide the same secure hardware encryption available with other devices. W700 goes one step further and has FIPS 140-2 Level 3 certification.

Devices can be activated and managed in the same way as other devices. However, they must first be provisioned with a Windows To Go image and configured for management. For more information about IronKey Workspace devices or Windows To Go, [email protected].

S250 & D250 Release - The 250 series includes two new secure USB flash drives: S250 and D250. To manage these devices, IronKey EMS provides the following new features:
• Remote device management using Silver Bullet
  – Password Reset - Users can reset their passwords without administrator intervention. Administrators can also help users who have forgotten their passwords by remotely unlocking the device and forcing a password change.
  – Device Recovery - Administrators can remotely unlock devices that can no longer be accessed.
  – Device Recommissioning - Administrators can remotely reset a device so that device data is deleted and the device can be reused.
  – Force Read-only - Allows Administrators to force a device to open in read-only mode.
• One central management console - S250 and D250 devices are completely managed through the Admin Console. There is no Admin Tools application on S250 or D250 administrative devices.
• New device setup - Users and administrators can set up their devices with an easy-to-use workflow that activates the device, sets up the online account, and initializes the device.

Note: Devices that are not running the latest firmware and software may not be able to use the Silver Bullet Service or other new features.
Updating old devices will allow them to use these features. For information about updating devices, see Updating Devices.

Key Admin Concepts

The Admin Console: Centralized, Online Device And User Management - IronKey EMS includes a centralized management console for managing tens, hundreds or thousands of devices and users, reducing overall deployment times and maintenance requirements. When a System Admin adds administrators to the EMS account, they must specify how the administrator will authenticate to Admin Console, using either Web-based login (username & password) or Device-based login (device & password) using the secure link to Admin Console in the Control Panel application on the device.

IronKey EMS Policies: Enforcing Corporate Security Policies - Configure policies for device password strength, self-destruction settings, and enabling specific applications and services.

User Management: Organize Users Into Groups - Create groups to manage your users based on any criteria needed to keep you organized. Users can be easily added and removed from Groups and administrative tasks performed by group.

Silver Bullet Service: Protecting Against Malicious Users - The Silver Bullet Service confirms that devices are authorized before allowing them to be unlocked. This real-time service allows Admins to completely disable and even remotely detonate devices, extending the control needed to protect important data.

Password Reset: Allowing Users Device Access When They Forget Their Passwords - Allow users to securely reset their own passwords, reducing the number of Help Desk calls from users who cannot access their devices because they’ve forgotten their password.

Secure Device Recovery: Securely Unlocking Devices - Secure Device Recovery is a patented PKI mechanism that allows Admins to unlock another user’s device, for example, in the case of employee termination, regulatory compliance, or forensic investigations. Unlike many other solutions, there is no central database of back-door passwords.

Device Recommissioning: Securely Repurposing Devices - When employees leave the organization, their devices can be safely recommissioned to new users. This process requires Admin authentication and authorization using the secure online services in IronKey EMS.

Supported Device Models

IronKey EMS supports the following list of devices.
• S100
• 200 Series (includes S200 & D200) Note: The term “x200”, when used in the product or documentation, indicates that the feature or section applies to both device models in the series. Some special conditions apply to S100 and x200 devices in order to manage these devices using IronKey EMS. See Managing S200 Or D200 Devices.
• 250 Series (includes S250 & D250). Note: The term “x250”, when used in the product or documentation, indicates that the feature or section applies to both device models in the series.
• IronKey Workspace W500, IronKey Workspace W700, and IronKey Workspace W700-SC
• H300/H350
• S1000
• D300 (includes D300M & D300SM) Note: The term “D300”, when used in the product or documentation, indicates that the feature or section applies to both device models in the series.
• Sentry (includes Sentry ONE, Sentry ONE Managed, & Sentry EMS) Note: The term “Sentry”, when used in the product or documentation, indicates that the feature or section applies to all device models in the series.

Note: For more information about devices, see Managing Devices.

Supported Web Browsers

To increase browser security, SSL 3.0 is no longer supported. With this change, encrypted communications will now occur with TLS. Customers who are using Microsoft Internet Explorer v6.0 will need to enable TLS manually. All other browsers support this by default. Users or Administrators using a browser that does not support TLS, or has TLS disabled, will not be able to connect to IronKey EMS. If TLS has been disabled, it must be enabled so that users can access their online account and Administrators can access the Admin Console.

Product Specifications

For details about your device, see “Device Info” in the Control Panel settings. Product specifications are also included in the User Guide for the device.

Product Overview

IronKey EMS allows you to manage secure storage drives and IronKey Workspace drives using a cloud-based administrative service. Administrators can access the secure online services to manage policies, users, and devices; users can access their online accounts (if available) to view information about their devices and account settings, and reset their device password.

IronKey EMS
• The two management components of the service include:
  – Admin Console - Allows Admins to set policies, add users and groups, manage devices and more
  – System Console - Allows Admins to control device updates and automated messages that are sent to users through the service.
• The two user components of the service are:
  – My Devices - Stores information about a user’s devices
  – My Account - Contains online account information for the user.

The following image shows the management console and the user components of the online account. The Admin Console tab is selected. The other tabs, including My Devices, My Account, and System Console are also available. All users with an online account can access My Devices and My Account tabs. Only administrators (System Admin, Admin, Custom Admin, Help Desk, and Auditor) can access the Admin Console tab. Only System Admins can access the System Console tab. For more information about user roles, see Administrative Tasks By Category And Role.

IronKey EMS Devices

DataLocker Sentry ONE - Designed to be compatible with both IronKey EMS and DataLocker SafeConsole, the Sentry ONE is an encrypted USB 3.0 drive that is FIPS 140-2 Level 3 certified and TAA-compliant. For more information, see the User Guide for Sentry ONE.

DataLocker Sentry EMS - Designed for business-grade security, the Sentry EMS is an encrypted USB 3.0 drive that is FIPS 140-2 Level 3 certified and TAA-compliant. For more information, see the User Guide for Sentry EMS.

IronKey D300M & D300SM - Designed for business-grade security. An encrypted USB 3.0 drive that is FIPS 140-2 Level 3 certified and TAA-compliant. For more information, see the User Guide for IronKey D300M & D300SM.

IronKey S200 & D200, S250 & D250, S1000 - Designed to be the world’s most secure USB flash drives, IronKey EMS devices allow users to safely carry their files and data with them wherever they go. The Control Panel is the main application on the device that lets users access their data, open onboard applications, and modify device settings.

Note: For more information about IronKey EMS devices, see the User Guide.

IronKey Workspace W500, W700, W700-SC - Provide your users with an imaged and fully functional version of Windows 8.1 - one that delivers a fast, full Windows desktop and can be booted directly from a trusted IronKey Workspace drive. Distribute and manage mobile work environments that mirror your corporate desktop, and ensure employees, partners and contractors are using mobile workspaces created and managed by IT.

Note: For more information about IronKey Workspace devices, see the User Guides for IronKey Workspace W500, W700, or W700-SC.

DataLocker H300/H350 - Designed to provide a secure hard drive solution to users, the H300/H350 can be formatted with the FAT32 or NTFS file system. H350 devices are FIPS 140-2 Level 3 certified. For more information, see the User Guide.

Enterprise Support

DataLocker is committed to providing world-class support to its enterprise customers. DataLocker technical support solutions and resources are available through the DataLocker Support Website, located at support.datalocker.com. See For More Information.

Standard Users

Please have Standard Users contact your Helpdesk or System Administrator for assistance. Due to the customized nature of each IronKey EMS Account, technical support for IronKey EMS products and services is available for System Administrators only.

System Administrators

Administrators can contact DataLocker Support by:
• Filing a support request at support.datalocker.com.
• [email protected].

Important: Always reference your EMS Account Number. The Account Number is located on the Enterprise Support page of the Admin Console.

To Access Resources On The Enterprise Support Page

In the Admin Console, click Enterprise Support in the left sidebar.

Note: Resources available on this page include your Account number, video tutorials and product documentation, an announcement history file that logs all previous DataLocker announcements regarding IronKey EMS, and contact information for DataLocker Technical Support.

For More Information
• support.datalocker.com - Support information, knowledgebase and video tutorials
• [email protected]
• datalocker.com - General information

Licensing

If you have licensed services with your EMS Account, you can view a list of the licenses that are available with the service. To review the number of available license seats for your EMS Account, do the following:
• In the Admin Console, click Manage Policies in the left sidebar. Licenses are listed below the device policies and include the number of available seats, and number of total seats.

Note: If you exceed the number of licensed seats, or if your license has expired, a message prompts you to update or renew your license. You cannot add new users or devices until the license is renewed.