Dell Data Protection | Endpoint Security Suite Enterprise

[Pages:152]Dell Data Protection | Endpoint Security Suite Enterprise

Advanced Installation Guide v1.4

Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your product.

CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.

WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

? 2017 Dell Inc. All rights reserved.Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners. Registered trademarks and trademarks used in the Dell Data Protection Encryption, Endpoint Security Suite, Endpoint Security Suite Enterprise, and Dell Data Guardian suite of documents: DellTM and the Dell logo, Dell PrecisionTM, OptiPlexTM, ControlVaultTM, LatitudeTM, XPS?, and KACETM are trademarks of Dell Inc. Cylance?, CylancePROTECT, and the Cylance logo are registered trademarks of Cylance, Inc. in the U.S. and other countries. McAfee? and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. in the US and other countries. Intel?, Pentium?, Intel Core Inside Duo?, Itanium?, and Xeon? are registered trademarks of Intel Corporation in the U.S. and other countries. Adobe?, Acrobat?, and Flash? are registered trademarks of Adobe Systems Incorporated. Authen Tec? and Eikon? are registered trademarks of Authen Tec. AMD? is a registered trademark of Advanced Micro Devices, Inc. Microsoft?, Windows?, and Windows Server?, Internet Explorer?, MS-DOS?, Windows Vista?, MSN?, ActiveX?, Active Directory?, Access?, ActiveSync?, BitLocker?, BitLocker To Go?, Excel?, Hyper-V?, Silverlight?, Outlook?, PowerPoint?, OneDrive?, SQL Server?, and Visual C++? are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. VMware? is a registered trademark or trademark of VMware, Inc. in the United States or other countries. Box? is a registered trademark of Box. DropboxSM is a service mark of Dropbox, Inc. GoogleTM, AndroidTM, GoogleTM ChromeTM, GmailTM, YouTube?, and GoogleTM Play are either trademarks or registered trademarks of Google Inc. in the United States and other countries. Apple?, Aperture?, App StoreSM, Apple Remote DesktopTM, Apple TV?, Boot CampTM, FileVaultTM, iCloud?SM, iPad?, iPhone?, iPhoto?, iTunes Music Store?, Macintosh?, Safari?, and Siri? are either servicemarks, trademarks, or registered trademarks of Apple, Inc. in the United States and/or other countries. GO ID?, RSA?, and SecurID? are registered trademarks of Dell EMC. EnCaseTM and Guidance Software? are either trademarks or registered trademarks of Guidance Software. Entrust? is a registered trademark of Entrust?, Inc. in the United States and other countries. InstallShield? is a registered trademark of Flexera Software in the United States, China, European Community, Hong Kong, Japan, Taiwan, and United Kingdom. Micron? and RealSSD? are registered trademarks of Micron Technology, Inc. in the United States and other countries. Mozilla? Firefox? is a registered trademark of Mozilla Foundation in the United States and/or other countries. iOS? is a trademark or registered trademark of Cisco Systems, Inc. in the United States and certain other countries and is used under license. Oracle? and Java? are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. SAMSUNGTM is a trademark of SAMSUNG in the United States or other countries. Seagate? is a registered trademark of Seagate Technology LLC in the United States and/or other countries. Travelstar? is a registered trademark of HGST, Inc. in the United States and other countries. UNIX? is a registered trademark of The Open Group. VALIDITYTM is a trademark of Validity Sensors, Inc. in the United States and other countries. VeriSign? and other related marks are the trademarks or registered trademarks of VeriSign, Inc. or its affiliates or subsidiaries in the U.S. and other countries and licensed to Symantec Corporation. KVM on IP? is a registered trademark of Video Products. Yahoo!? is a registered trademark of Yahoo! Inc. This product uses parts of the 7-Zip program. The source code can be found at 7-. Licensing is under the GNU LGPL license + unRAR restrictions (license.txt).

Endpoint Security Suite Enterprise Advanced Installation Guide 2017 - 05

Rev. A02

Contents

1 Introduction....................................................................................................................................................7 Before You Begin................................................................................................................................................................ 7 Using This Guide................................................................................................................................................................ 8 Contact Dell ProSupport................................................................................................................................................... 8

2 Requirements............................................................................................................................................... 10 All Clients........................................................................................................................................................................... 10 All Clients - Prerequisites........................................................................................................................................... 10 All Clients - Hardware.................................................................................................................................................10 All Clients - Language Support.................................................................................................................................. 11 Encryption Client............................................................................................................................................................... 11 Encryption Client Prerequisites................................................................................................................................. 12 Encryption Client Hardware.......................................................................................................................................12 Encryption Client Operating Systems...................................................................................................................... 12 External Media Shield (EMS) Operating Systems..................................................................................................12 Server Encryption Client..................................................................................................................................................13 Server Encryption Client Prerequisites.................................................................................................................... 14 Server Encryption Client Hardware..........................................................................................................................14 Server Encryption Client Operating Systems..........................................................................................................14 External Media Shield (EMS) Operating Systems..................................................................................................15 Advanced Threat Prevention Client............................................................................................................................... 16 Advanced Threat Prevention Operating Systems.................................................................................................. 16 Advanced Threat Prevention Ports.......................................................................................................................... 16 BIOS Image Integrity Verification..............................................................................................................................16 SED Client..........................................................................................................................................................................17 OPAL Drivers............................................................................................................................................................... 17 SED Client Prerequisites............................................................................................................................................ 18 SED Client Hardware..................................................................................................................................................18 SED Client Operating Systems................................................................................................................................. 19 Advanced Authentication Client..................................................................................................................................... 19 Advanced Authentication Client Hardware.............................................................................................................20 Advanced Authentication Client Operating Systems............................................................................................ 20 BitLocker Manager Client................................................................................................................................................ 21 BitLocker Manager Client Prerequisites...................................................................................................................21 BitLocker Manager Client Operating Systems........................................................................................................21 Authentication Options................................................................................................................................................... 22 Encryption Client........................................................................................................................................................22 SED Client................................................................................................................................................................... 23 BitLocker Manager.....................................................................................................................................................24

3 Registry Settings......................................................................................................................................... 25 Encryption Client Registry Settings...............................................................................................................................25 Advanced Threat Prevention Client Registry Settings................................................................................................28

Dell Data Protection | Endpoint Security Suite Enterprise

3

Contents

SED Client Registry Settings..........................................................................................................................................29 Advanced Authentication Client Registry Settings...................................................................................................... 31 BitLocker Manager Client Registry Settings................................................................................................................. 31

4 Install Using the ESSE Master Installer........................................................................................................ 33 Install Interactively Using the ESSE Master Installer................................................................................................... 33 Install by Command Line Using the ESSE Master Installer.........................................................................................36

5 Uninstall Using the ESSE Master Installer....................................................................................................39 Uninstall the ESSE Master Installer............................................................................................................................... 39 Command Line Uninstallation................................................................................................................................... 39

6 Install Using the Child Installers................................................................................................................... 40 Install Drivers..................................................................................................................................................................... 41 Install Encryption Client................................................................................................................................................... 41 Command Line Installation.........................................................................................................................................41 Install Server Encryption Client...................................................................................................................................... 43 Install Server Encryption Interactively..................................................................................................................... 44 Install Server Encryption Using the Command Line.............................................................................................. 47 Activate Server Encryption.......................................................................................................................................49 Install Advanced Threat Prevention Client.....................................................................................................................51 Command Line Installation........................................................................................................................................52 Install Web Protection and Firewall................................................................................................................................53 Command Line Installation........................................................................................................................................53 Install SED Management and Advanced Authentication Clients............................................................................... 54 Command Line Installation........................................................................................................................................55 Install BitLocker Manager Client.................................................................................................................................... 55 Command Line Installation........................................................................................................................................55

7 Uninstall Using the Child Installers............................................................................................................... 57 Uninstall Web Protection and Firewall........................................................................................................................... 58 Command Line Uninstallation................................................................................................................................... 58 Uninstall Encryption and Server Encryption Client......................................................................................................58 Process........................................................................................................................................................................58 Command Line Uninstallation................................................................................................................................... 59 Uninstall Advanced Threat Prevention..........................................................................................................................60 Command Line Uninstallation...................................................................................................................................60 Uninstall SED and Advanced Authentication Clients...................................................................................................60 Process........................................................................................................................................................................ 61 Deactivate the PBA.................................................................................................................................................... 61 Uninstall SED Client and Advanced Authentication Clients...................................................................................61 Uninstall BitLocker Manager Client............................................................................................................................... 62 Command Line Uninstallation................................................................................................................................... 62

8 Commonly Used Scenarios.......................................................................................................................... 63 Encryption Client, Advanced Threat Prevention, and Advanced Authentication.................................................... 64 SED Client (including Advanced Authentication) and External Media Shield.......................................................... 65

4

Dell Data Protection | Endpoint Security Suite Enterprise

Contents

BitLocker Manager and External Media Shield............................................................................................................ 65 BitLocker Manager and Advanced Threat Prevention................................................................................................ 66

9 Provision a Tenant for Advanced Threat Prevention..................................................................................... 67 Provision a Tenant............................................................................................................................................................ 67

10 Configure Advanced Threat Prevention Agent Auto Update........................................................................ 71

11 Pre-Installation Configuration for One-time Password, SED UEFI, and BitLocker........................................72 Initialize the TPM..............................................................................................................................................................72 Pre-Installation Configuration for UEFI Computers..................................................................................................... 72 Enable Network Connectivity During UEFI Preboot Authentication................................................................... 72 Disable Legacy Option ROMs................................................................................................................................... 73 Pre-Installation Configuration to Set Up a BitLocker PBA Partition.......................................................................... 73

12 Set GPO on Domain Controller to Enable Entitlements............................................................................... 74

13 Extract the Child Installers from the ESSE Master Installer........................................................................ 77

14 Configure Key Server for Uninstallation of Encryption Client Activated Against EE Server.........................78 Services Panel - Add Domain Account User.................................................................................................................78 Key Server Config File - Add User for EE Server Communication............................................................................ 79 Sample Configuration File......................................................................................................................................... 80 Services Panel - Restart Key Server Service............................................................................................................... 80 Remote Management Console - Add Forensic Administrator....................................................................................80

15 Use the Administrative Download Utility (CMGAd).................................................................................... 82 Use the Administrative Download Utility in Forensic Mode........................................................................................82 Use the Administrative Download Utility in Admin Mode........................................................................................... 84

16 Configure Server Encryption...................................................................................................................... 86 Enable Server Encryption............................................................................................................................................... 86 Customize Activation Logon Dialog............................................................................................................................... 86 Set Server Encryption EMS Policies..............................................................................................................................87 Suspend an Encrypted Server Instance........................................................................................................................ 87

17 Troubleshooting.......................................................................................................................................... 89 All Clients - Troubleshooting........................................................................................................................................... 89 Encryption and Server Encryption Client Troubleshooting......................................................................................... 89 Upgrade to the Windows 10 Anniversary Update..................................................................................................89 Activation on a Server Operating System...............................................................................................................89 (Optional) Create an Encryption Removal Agent Log File.................................................................................... 92 Find TSS Version........................................................................................................................................................93 EMS and PCS Interactions....................................................................................................................................... 93 Use WSScan...............................................................................................................................................................93 Use WSProbe............................................................................................................................................................. 97 Check Encryption Removal Agent Status...............................................................................................................98 Advanced Threat Prevention Client Troubleshooting..................................................................................................99

Dell Data Protection | Endpoint Security Suite Enterprise

5

Contents

Find the Product Code with Windows PowerShell............................................................................................... 99 Advanced Threat Prevention Provisioning and Agent Communication.............................................................100 BIOS Image Integrity Verification Process............................................................................................................ 102 SED Client Troubleshooting...........................................................................................................................................103 Use the Initial Access Code Policy......................................................................................................................... 103 Create a PBA Log File for Troubleshooting........................................................................................................... 104 Dell ControlVault Drivers................................................................................................................................................105 Update Dell ControlVault Drivers and Firmware................................................................................................... 105 UEFI Computers.............................................................................................................................................................. 119 Troubleshoot Network Connection......................................................................................................................... 119 TPM and BitLocker......................................................................................................................................................... 119 TPM and BitLocker Error Codes............................................................................................................................. 119

18 Glossary....................................................................................................................................................150

6

Dell Data Protection | Endpoint Security Suite Enterprise

Contents

1

Introduction

This guide details how to install and configure Advanced Threat Prevention, the Encryption client, SED management client, Advanced Authentication, and BitLocker Manager. All policy information, and their descriptions are found in the AdminHelp.

Before You Begin

1 Install the EE Server/VE Server before deploying clients. Locate the correct guide as shown below, follow the instructions, and then return to this guide. ? DDP Enterprise Server Installation and Migration Guide ? DDP Enterprise Server - Virtual Edition Quick Start Guide and Installation Guide Verify that polices are set as desired. Browse through the AdminHelp, available from the ? at the far right of the screen. The AdminHelp is page-level help designed to help you set and modify policy and understand your options with your EE Server/VE Server.

Dell Data Protection | Endpoint Security Suite Enterprise

7

Introduction

2 Provision a Tenant for Advanced Threat Prevention. A tenant must be provisioned in the DDP Server before Advanced Threat Prevention enforcement of policies becomes active.

3 Thoroughly read the Requirements chapter of this document. 4 Deploy clients to end users.

Using This Guide

Use this guide in the following order.

? See Requirements for client prerequisites, computer hardware and software information, limitations, and special registry modifications needed for features.

? If needed, see Pre-Installation Configuration for One-time Password, SED UEFI, and BitLocker. ? If your clients will be entitled using Dell Digital Delivery (DDD), see Set GPO on Domain Controller to Enable Entitlements. ? If installing clients using the ESSE master installer, see:

? Install Interactively Using the ESSE Master Installer

or ? Install by Command Line Using the ESSE Master Installer ? If installing clients using the child installers, the child installer executable files must be extracted from the ESSE master installer. See Extract the Child Installers from the ESSE Master Installer, then return here.

? Install Child Installers by Command line:

? Install Drivers - Download the appropriate drivers and firmware based on your authentication hardware. ? Install Encryption Client - use these instructions to install the Encryption client, which is the component that enforces security

policy, whether a computer is connected to the network, disconnected from the network, lost, or stolen. ? Install Advanced Threat Prevention Client - use these instructions to install the Advanced Threat Prevention client, which is

next-generation antivirus protection that uses algorithmic science and machine learning to identify, classify, and prevent both known and unknown cyberthreats from executing or harming endpoints. ? Install Web Protection and Firewall - use these instructions to install the optional Web Protection and Firewall features. The Client Firewall is a stateful firewall that checks all incoming and outgoing traffic against its list of rules. Web Protection monitors web browsing and downloads to identify threats and enforce action set by policy when a threat is detected, based on ratings for websites. ? Install SED Management and Advanced Authentication Clients - use these instructions to install encryption software for SEDs. Although SEDs provide their own encryption, they lack a platform to manage their encryption and policies. With SED management, all policies, storage, and retrieval of encryption keys are available from a single console, reducing the risk that computers are unprotected in the event of loss or unauthorized access.

The Advanced Authentication client manages multiple authentication methods, including PBA for SEDs, Single Sign-on (SSO), and user credentials such as fingerprints and passwords. In addition, it provides Advanced Authentication capabilities to access websites and applications. ? Install BitLocker Manager Client - use these instructions to install the BitLocker Manager client, designed to improve the security of BitLocker deployments and to simplify and reduce the cost of ownership.

NOTE: Most child installers can be installed interactively, but installations are not described in this guide. However, the Advanced Threat Prevention client child installer can be installed by command line only.

? See Commonly Used Scenarios for scripts of our most commonly used scenarios.

Contact Dell ProSupport

Call 877-459-7304, extension 4310039 for 24x7 phone support for your Dell Data Protection product.

8

Dell Data Protection | Endpoint Security Suite Enterprise

Introduction

 ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download