IronKey™ EMS Cloud
Admin Guide
Last Updated March 2017
DataLocker is committed to creating and
developing the best security technologies and
making them simple-to-use and widely available.
Years of research and millions of dollars of
development have gone into bringing this
technology to you.
We are very open to user feedback and would
appreciate hearing about your comments,
suggestions, and experiences with this product.
Feedback:
support@datalocker.com
NOTE: DataLocker is not liable for technical or editorial errors and/or omissions contained herein; nor for incidental or
consequential damages resulting from the furnishing or use of this material. The information provided herein is subject to
change without notice.
The information contained in this document represents the current view of DataLocker on the issue discussed as of the date of publication. DataLocker
cannot guarantee the accuracy of any information presented after the date of publication. This document is for information purposes only. DataLocker makes
no warranties, expressed or implied, in this document. DataLocker, and the DataLocker logo are trademarks of DataLocker Inc. and its subsidiaries. All other
trademarks are the property of their respective owners. Ironkey™ is a registered trade mark of Kingston Technologies, used under permission of Kingston
Technologies. All rights reserved.
© 2017 DataLocker Inc. All rights reserved. IK-EMS-ADM01-5.3
PAGE 1IRONKEY EMS CLOUD ADMIN GUIDE
CONTENTS
About IronKey EMS Cloud...................................5
What’s New?...........................................................5
Release history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Key Admin Concepts ....................................................8
Supported Device Models ................................................9
System requirements ...................................................9
Product specications ..................................................10
Product Overview......................................................10
Enterprise Support .....................................................12
For more information ..................................................12
Licensing .............................................................13
Setting up IronKey EMS Cloud ..............................14
IMPORTANT—BEFORE YOU BEGIN ......................................14
Creating the IronKey EMS Account ........................................14
Accessing the Admin Console ............................................20
Deploying devices .........................................22
What’s involved? ......................................................22
Choosing a deployment strategy ..........................................22
Questions to ask before deploying devices:..................................23
Sample deployment.....................................................23
Requirements ........................................................24
The Deployment Solution ...............................................24
Results .............................................................25
Best practices for a smooth rollout ........................................25
For the Administrator ..................................................25
For the End-user......................................................26
Common administrator tasks.............................................27
Managing Policies .........................................28
Policy numbers and versions .............................................28
About policy settings ...................................................29
Policy Settings Table ...................................................29
Adding policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Editing policies ........................................................37
Deleting policies .......................................................37
PAGE 2IRONKEY EMS CLOUD ADMIN GUIDE
Viewing policies........................................................38
Updating policies on devices..............................................38
Managing Users and Groups ................................39
Viewing users and groups................................................39
Managing users ........................................................39
About Users .........................................................39
Administrative Tasks by Category and Role..................................40
Adding a user ........................................................42
Adding multiple users ..................................................43
Editing a user ........................................................45
Deleting a user.......................................................46
Viewing user information ...............................................46
Searching for a user ...................................................47
Managing groups .......................................................47
About groups ........................................................47
Adding a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Moving users to a group................................................49
Deleting groups ......................................................49
Managing Devices .........................................50
Viewing device information ..............................................50
Downloading device information..........................................51
Activating devices ......................................................51
Editing the Device Activation Email........................................52
Activating a device for a user ............................................53
Adding new devices to users .............................................54
Editing device proles...................................................54
Deleting devices .......................................................55
Searching for a device...................................................55
Managing devices remotely with Silver Bullet ................................56
Resetting a device password (Admin-initiated) ...............................56
Pairing a new smart card with a device ....................................57
Recovering devices ....................................................57
Recommissioning devices ...............................................58
Disabling and enabling devices...........................................58
Detonating a device ...................................................59
Forcing Read-Only mode ...............................................60
Updating devices ......................................................60
Forcing a software update ..............................................60
Selecting an approved update le ........................................61
Update testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
PAGE 3IRONKEY EMS CLOUD ADMIN GUIDE
Update removal ......................................................62
Upgrading Basic devices to Enterprise ......................................62
Importing authentication credentials .......................................63
Importing RSA SecurID tokens ...........................................63
Importing a digital certicate ............................................63
Managing S200 or D200 devices...........................................64
Admin Tools: Tasks according to User Role ..................................65
Assisting with passwords................................................65
Approving Admin users .................................................67
Recommissioning devices ...............................................67
Activating Basic devices ................................................68
Managing your admin account ..............................69
Managing your online account ............................................69
Editing device nicknames ...............................................69
Editing your online account settings .......................................69
Monitoring security events .................................71
Using Enterprise Dashboard..............................................71
Dashboard maps and events table........................................71
Enterprise Dashboard charts ............................................72
Setting up email alerts for events ..........................................73
Interpreting malware scanner reports ......................................74
Glossary.................................................75
Index ...................................................77
PAGE 4IRONKEY EMS CLOUD ADMIN GUIDE
About IronKey EMS Cloud
IronKey™ EMS Cloud is an advanced, cloud-based, management service that lets you protect
your data, your mobile workforce, and your organization. You can quickly and easily establish
a secure command center for administering and policing the use of encrypted Workspace and
Storage drives.
This guide tells you how to set up, deploy, and manage devices in your enterprise environment.
What’s New?
SUPPORT FOR SENTRY EMS
IronKey EMS now supports the new DataLocker Sentry EMS device. Designed for business-
grade security, Sentry EMS is an encrypted USB 3.0 drive that is FIPS 140-2 Level 3 certied and
TAA-compliant.
RECEIVE DOWNLOADED DEVICE AND USER DATA BY EMAIL
When you congure your online account settings to enable this feature, device and/or user data
will be available for download by email. For more information, see “Send downloaded data via
email” on page 70.
Release history
TWO DEFAULT ACTIVATION EMAIL TEMPLATES
There are now two device activation email templates, one for Storage devices and the other for
Workspace devices. You can customize the content in these templates according to company
requirements.
SUPPORT FOR IRONKEY D300M
IronKey EMS now supports the new IronKey D300M device. Designed for business-grade
security, the D300M is an encrypted USB 3.0 drive that is FIPS 140-2 Level 3 certied and TAA-
compliant.
PAGE 5IRONKEY EMS CLOUD ADMIN GUIDE
CHANGES TO USER PROFILE PAGE
Recommissioned devices in the Devices list will be hidden by default. The “View” list includes
“Current Devices” (default setting) and “All Devices”. A current device still uses an active seat
license and can be in one of the following states: Disabled, Pending recommission, Awaiting
detonation. The “All Devices” view will also display Deleted, Recommissioned and Detonated
devices.
FORCE UPDATE FEATURE FOR S250/D250 DEVICES
A new Force Update feature is now available in Service for use with the latest release of the
250 device Series (version 3.5.0.0). Controlled by the device policy, you can now force users to
update their devices to the latest approved software release. For information about new Force
Update policy settings, see “” on page 32. For more information about using Force Update,
see “Forcing a software update” on page 65.
SUPPORT FOR H350 ENTERPRISE AND IRONKEY WORKSPACE W700-SC
DEVICES
H350 devices are FIPS 140-2 Level 3 certied, USB (Universal Serial Bus) 3.0 hard drives with
built-in password security and data encryption. For more information about the device, see the
DataLocker H300/H350 Enterprise User Guide.
IronKey Workspace W700-SC is a trusted, FIPS 140-2 Level 3 certied, secure USB ash drive
that features XTS-AES 256-bit hardware encryption. Additionally, the W700-SC supports device
authentication using a smart card. When paired with your device, you can securely unlock
your workspace using your smart card and Personal Identication Number (PIN). Certied
by Microsoft as a Windows To Go device, the W700-SC is a secure, personal workspace. It is
capable of using all host system resources on host computers that are certied to run Microsoft
Windows® 7.0 and higher, and qualied Mac computers.
SUPPORT FOR IRONKEY WORKSPACE 4.3
Admins are now able to use the device recovery Silver Bullet to unlock the secure operating
system (OS) partition on the device. If a user experiences issues with the Windows OS,
Administrators can now try to troubleshoot and repair these issues or recover les by
accessing the OS partition. See “Recovering devices” on page 62.
A new device update is available to upgrade the device rmware and software on devices
running IronKey Workspace version 4.2. Admins will also need to update the Control Panel
application in Windows To Go.
IronKey Workspace 4.3 devices also include the following features:
» Device activation on a Mac operating system.
» Support for a multi-lingual keyboard layout in the Preboot environment when booting
Windows To Go.
» Updates to the IronKey Workspace Startup Assistant to increase the number of host
computers it can configure to boot from a USB device on startup. The application is available
on the device (W500/W700) or as a standalone application (available as a download from
the DataLocker Support site).
PAGE 6IRONKEY EMS CLOUD ADMIN GUIDE
» Support for DataLocker and IronKey secure storage devices in Windows To Go; for
a complete list, see “Supported Device Models” on page 9. Users can save data to
the secure storage drive while booted in Windows To Go. When using a storage device
while booted in the secure Workspace, two Control Panel icons will display in the
Windows system tray, one to manage the secure storage device and the other for the
IronKey Workspace device.
UPDATES TO THE ADMIN CONSOLE
Enterprise Dashboard Events table
The Enterprise Dashboard Events table now includes a column for Devices. Admins can sort by
the Device column to view all events for a specic device. Also new is the custom date range
lter. You can now lter which events display in the table based on a start and end date.
Email notication for events
The Admin Console includes a new Alerts feature. If purchased and enabled for your EMS
Account, this feature provides email notications to Admin users about important events.
Admins can set up an alert to receive a daily message summarizing the events that have
occurred in the last 24 hours. See “Setting up email alerts for events” on page 76.
New group selector when adding a user
When you create a new user, you can now add the user to a group using the group selector.
System Admin users can add the user to any group. Admin users can only add users to a group
to which they are also a member. See “Adding a user” on page 45.
S1000 SUPPORT
IronKey EMS now supports the management of IronKey Enterprise S1000 devices. S1000
devices are secure USB (Universal Serial Bus) portable ash drives with built-in password
security and data encryption. For more information about the device, see the IronKey Enterprise
S1000 User Guide.
H300 SUPPORT
IronKey EMS now supports the management of H300 devices. H300 devices are USB portable
hard drives with built-in password security and data encryption. For more information about the
device, see the DataLocker H300/H350 Enterprise User Guide.
IRONKEY WORKSPACE SUPPORT
IronKey EMS now supports the management of IronKey Workspace Windows To Go
devices (W500 and W700). IronKey Workspace devices provide the same secure hardware
encryption available with other devices. W700 goes one step further and has FIPS 140-2 Level 3
certication.
Devices can be activated and managed in the same way as other devices. However, they must
rst be provisioned with a Windows To Go image and congured for management. For more
PAGE 7IRONKEY EMS CLOUD ADMIN GUIDE
information about IronKey Workspace devices or Windows To Go, see the following guides,
available on the Support site:
» User guides for IronKey Workspace W500 or W700
» IronKey Workspace IT Administrator Handbook
S250 & D250 RELEASE
The 250 series includes two new secure USB ash drives: S250 and D250. To manage these
devices, IronKey EMS provides the following new features:
» Remote device management using Silver Bullet
• Password Reset—Users can reset their passwords without administrator intervention.
Administrators can also help users who have forgotten their passwords by remotely
unlocking the device and forcing a password change.
• Device Recovery—Administrators can remotely unlock devices that can no longer be
accessed.
• Device Recommissioning—Administrators can remotely reset a device so that device
data is deleted and the device can be reused.
• Force Read-only—Allows Administrators to force a device to open in read-only mode.
» One central management console—S250 and D250 devices are completely managed
through the Admin Console. There is no Admin Tools application on S250 or D250
administrative devices.
» New device setup—Users and administrators can set up their devices with an easy-to-use
workflow that activates the device, sets up the online account, and initializes the device.
NOTE: Devices that are not running the latest rmware and software may not be able to use
the Silver Bullet Service or other new features. Updating old devices will allow them to use
these features. For information about updating devices, see “Updating devices” on page 65.
Key Admin Concepts
The Admin Console: Centralized, Online Device and User Management
IronKey EMS includes a centralized management console for managing tens, hundreds
or thousands of devices and users, reducing overall deployment times and maintenance
requirements.
IronKey EMS Policies: Enforcing Corporate Security Policies
Congure policies for device password strength, self-destruction settings, and enabling specic
applications and services.
User Management: Organize Users Into Groups
Create groups to manage your users based on any criteria needed to keep you organized. Users
can be easily added and removed from Groups and administrative tasks performed by group.
PAGE 8IRONKEY EMS CLOUD ADMIN GUIDE
Silver Bullet Service: Protecting Against Malicious Users
The Silver Bullet Service conrms that devices are authorized before allowing them to be
unlocked. This real-time service allows Admins to completely disable and even remotely
detonate devices, extending the control needed to protect important data.
Password Reset: Allowing users device access when they forget their passwords
Allow users to securely reset their own passwords, reducing the number of Help Desk calls
from users who cannot access their devices because they’ve forgotten their password.
Secure Device Recovery: Securely Unlocking Devices
Secure Device Recovery is a patented PKI mechanism that allows Admins to unlock another
user’s device, for example, in the case of employee termination, regulatory compliance, or
forensic investigations. Unlike many other solutions, there is no central database of back-door
passwords.
Device Recommissioning: Securely Repurposing Devices
When employees leave the organization, their devices can be safely recommissioned to new
users. This process requires Admin authentication and authorization using the secure online
services in IronKey EMS.
Supported Device Models
IronKey EMS supports the following list of devices.
» S100
» 200 Series (includes S200 & D200) Note: The term “x200”, when used in the product or
documentation, indicates that the feature or section applies to both device models in the
series. Some special conditions apply to S100 and x200 devices in order to manage these
devices using IronKey EMS. See”Managing S200 or D200 devices” on page 69.
» 250 Series (includes S250 & D250). Note: The term “x250”, when used in the product or
documentation, indicates that the feature or section applies to both device models in the
series.
» IronKey Workspace W500, IronKey Workspace W700, and IronKey Workspace W700-SC
» H300/H350
» S1000
» D300M
» Sentry EMS
NOTE: For more information about devices, see “Managing Devices” on page 55.
SYSTEM REQUIREMENTS
» Windows
» Windows
®
8.1 or Windows® 10
®
8
PAGE 9IRONKEY EMS CLOUD ADMIN GUIDE
» Windows
» Windows
» Windows
» Mac OS
®
7
®
Vista
®
XP (SP2+)
®
X (10.5+)
» Linux (2.6+)
For Super Speed, use USB 3.0 ports with the following devices, W500/W700/W700-SC, H300/
H350, S1000, D300M, and Sentry EMS. The computer must have a minimum USB 2.0 port for
high-speed data transfer. A USB 1.1 port or powered hub will also work, but will be slower.
PRODUCT SPECIFICATIONS
For details about your device, see “Device Info” in the Control Panel settings. Product
specications are also included in the User Guide for the device.
Product Overview
IronKey EMS allows you to manage secure storage drives and IronKey Workspace drives using
a cloud-based administrative service. Administrators can access the secure online services to
manage policies, users, and devices; users can access their online accounts (if available) to view
information about their devices and account settings, and reset their device password.
IronKey EMS
» The two management components of the service include:
• Admin Console—Allows Admins to set policies, add users and groups, manage devices
and more
• System Console—Allows Admins to control device updates and automated messages
that are sent to users through the service.
» The two user components of the service are:
• My Devices—Stores information about a user’s devices
• My Account—Contains online account information for the user.
The following image shows the management console and the user components of the online
account. The Admin Console tab is selected. The other tabs, including My Devices, My Account,
and System Console are also available. All users with an online account can access My Devices
and My Account tabs. Only administrators (System Admin, Admin, Custom Admin, Help Desk,
and Auditor) can access the Admin Console tab. Only System Admins can access the System
Console tab. For more information about user roles, see “Administrative Tasks by Category and
Role” on page 40.
PAGE 10IRONKEY EMS CLOUD ADMIN GUIDE
IronKey EMS Devices
DataLocker Sentry EMS—Designed for business-grade security, the Sentry EMS is an encrypted
USB 3.0 drive that is FIPS 140-2 Level 3 certied and TAA-compliant. For more information, see
the User Guide for Sentry EMS.
IronKey D300M—Designed for business-grade security, the D300M is an encrypted USB 3.0
drive that is FIPS 140-2 Level 3 certied and TAA-compliant. For more information, see the User
Guide for IronKey D300M.
IronKey S200 & D200, S250 & D250, S1000—Designed to be the world’s most secure USB ash
drives, IronKey EMS devices allow users to safely carry their les and data with them wherever
they go. The Control Panel is the main application on the device that lets users access their data,
open onboard applications, and modify device settings.
For more information about IronKey EMS devices, see the User Guide.
IronKey Workspace W500, W700, W700-SC— Provide your users with an imaged and fully
functional version of Windows 8.1 – one that delivers a fast, full Windows desktop and can
be booted directly from a trusted IronKey Workspace drive. Distribute and manage mobile
work environments that mirror your corporate desktop, and ensure employees, partners and
contractors are using mobile workspaces created and managed by IT.
For more information about IronKey Workspace devices, see the User Guides for
IronKey Workspace W500, W700, or W700-SC.
PAGE 11IRONKEY EMS CLOUD ADMIN GUIDE
DataLocker H300/H350—Designed to provide a secure hard drive solution to users, the H300/
H350 can be formatted with the FAT32 or NTFS le system. H350 devices are FIPS 140-2 Level
3 certied. For more information, see the User Guide.
Enterprise Support
DataLocker is committed to providing world-class support to its enterprise customers.
DataLocker technical support solutions and resources are available through the DataLocker
Support Website, located at support.datalocker.com. See “For more information” on page 12.
Standard Users
Please have Standard Users contact your Help desk or System Administrator for assistance.
Due to the customized nature of each IronKey EMS Account, technical support for IronKey EMS
products and services is available for System Administrators only.
System Administrators
Administrators can contact DataLocker Support by:
» Filing a support request at http://support.datalocker.com.
» Sending an email to support@datalocker.com.
IMPORTANT: Always reference your EMS Account Number. The Account Number is located
on the Enterprise Support page of the Admin Console.
To access resources on the Enterprise Support page
• In the Admin Console, click Enterprise Support in the left sidebar.
NOTE: Resources available on this page include your Account number, video tutorials and
product documentation, an announcement history le that logs all previous DataLocker
announcements regarding IronKey EMS, and contact information for DataLocker Technical
Support.
FOR MORE INFORMATION
support.datalocker.com Support information, knowledge base and video tutorials
support@datalocker.com Product feedback and feature requests
http://www.datalocker.com General information
PAGE 12IRONKEY EMS CLOUD ADMIN GUIDE
Licensing
If you have licensed services with your EMS Account, you can view a list of the licenses that are
available with the service. To review the number of available license seats for your EMS Account,
do the following:
• In the Admin Console, click Manage Policies in the left sidebar.
Licenses are listed below the device policies and include the number of available seats, and
number of total seats.
NOTE: If you exceed the number of licensed seats, or if your license has expired, a message
prompts you to update or renew your license. You cannot add new users or devices until the
license is renewed.
PAGE 13IRONKEY EMS CLOUD ADMIN GUIDE
Setting up IronKey EMS Cloud
IMPORTANT—BEFORE YOU BEGIN
IronKey EMS Cloud is designed to protect your organization from the risks of data loss and data
leakage by delivering world-class security. However, it is important to follow a few best practices
when setting up your IronKey EMS Account to ensure that the proper levels of security and
usability are met:
» Make sure the person setting up the EMS Account has a thorough knowledge of your
organization’s security policies and is authorized to be the System Admin for all of your
organization’s devices. That person will define the default policy for these devices.
» Create more than one System Administrator. To ensure the highest security, even
DataLocker is unable to intervene in your EMS Account, in the event that a lone System
Admin leaves the organization, loses his only device, or forgets the device password. Have
multiple System Admins at all times, each with multiple active devices.
There are two main tasks involved in setting up your account:
» Creating the IronKey EMS Account
» “Next Steps” on page 20
After you’ve completed these tasks, review “Next Steps” on page 20. You can also read
“Deploying devices” on page 29 for tips on how to ensure a smooth deployment.
Creating the IronKey EMS Account
Before you can begin deploying and managing IronKey EMS Cloud devices for end-users, you
must create your IronKey EMS Cloud Account. Creating the account involves:
» Establishing a default security policy for devices—these include password settings, software and
services to load on the device, and controls for remotely managing devices.
» Setting up the online account for the first and second System Admin user
PAGE 14IRONKEY EMS CLOUD ADMIN GUIDE
Account setup pre-requisites:
• A computer running Microsoft Windows XP (SP2+), Windows Vista, Windows 7,
Windows 8 (or higher) , or Mac 10.5+.
• A USB 3.0 port (recommended), USB 2.0 port (minimum) for high-speed data transfer
• An Internet connection
• The email you received from DataLocker with your EMS Account Number.
To create the account
1. Go to the website https://my.ironkey.com/enterprise or click the link in the email you received
from DataLocker regarding setting up your IronKey EMS Cloud Account. On the Welcome
page, enter your Account Number.
2. Read the license agreement, select the check box to conrm that you are the appropriate
authority to set up your organization’s IronKey EMS Cloud Account, and then click
Continue.
3. On the Create an online account for the rst and second System Administrators
page, enter an email address and assign a user name for the rst and second System
Administrator. Click Continue. User names can contain letters, numbers, and underscore
characters.
PAGE 15IRONKEY EMS CLOUD ADMIN GUIDE
4. On the Create the Default Device Policy page, click Create Policy to open the policy
setup.
NOTE: The Default device policy will be applied to the 1st and 2nd System Admin devices
during device activation.
5. On the Default Device Policy page, scroll through and review each section. Congure the
settings and applications that you want to be included in the Default device policy for your
EMS Account. Each policy section displays the system default settings and lists the devices to
which these settings apply.
IMPORTANT: In the Password Policy section, under General Password Settings,
congure the Max Failed Unlock Attempts setting with a balance of security and end-
user convenience in mind. If the user exceeds the maximum, the device will “self-destruct”
and all data will be permanently lost. The drive can no longer be used. D300M and Sentry
EMS devices do not self-destruct but will reset to a factory state, erasing all onboard data.
PAGE 16IRONKEY EMS CLOUD ADMIN GUIDE
6. When you nish setting all device policy options, scroll to the end of the Default Device
Policy and click OK to continue with the EMS Account Setup.
7. On the Review Default Device Policy page, verify the policy settings and do one of the
following.
• If you are satisfied with the policy selections, click Finish to complete the EMS Account
Setup.
• If you need to change a setting, click Edit Policy.
PAGE 17IRONKEY EMS CLOUD ADMIN GUIDE
8. A conrmation message will indicate that your EMS Account has been successfully created.
Each System Admin will receive an email message with an Activation Code for their device,
sent to the address provided during the Account setup.
NOTE: It is recommended that you keep this conrmation page open until the System Admins
have received the conrmation email. If they do not receive it, you can resend it by clicking
Resend Activation Email.
Activating the 1st and 2nd System Admin device
After you set up the EMS Account, the rst and second System Admin users will receive an
email with the Activation Code that is used to activate the rst and second System Admin
devices. The username and email address for the rst and second System Admin users was
added during the Account Setup. Make sure that the users have received the email message
before continuing.
PAGE 18IRONKEY EMS CLOUD ADMIN GUIDE
You can use any of the following inactivated IronKey EMS Cloud devices from the set you
purchased as the 1st and 2nd System Admin device: 250 series, H300/H350, or S1000. If you
have a Basic device (H300/H350 or S1000), you must upgrade the device to Enterprise before
it can be used as a System Admin device. See “System requirements” on page 9 for details
about which operating systems are supported.
It is very important to set up a 2nd System Admin device; without a second System Admin
device, there is no way to manage your IronKey EMS account if anything happens to the 1st
System Admin device.
NOTE: W500, W700, or W700-SC devices cannot be used as the 1st or 2nd System Admin
device.
IMPORTANT: Always maintain multiple active System Admin devices for your EMS Account
as a precaution against loss. Keep all System Admin devices in safe places. They are essential
components for maintaining your EMS Account.
You must activate your device on a Windows or Mac computer. To use the full speed of the
device, plug it into a USB 2.0 port (USB 3.0 is recommended for H300, H350, and S1000
devices).
To activate the 1st System Admin device
1. Plug the inactivated device into your computer’s USB port. The Device Setup screen appears.
The setup software runs automatically from a virtual DVD (250 series). This screen may not
appear if your computer does not allow devices to autorun or if you are using an H300/
H350 or S1000 device, which mounts as a drive. You can start it manually by doing one of the
following:
• WINDOWS: In a file manager, open the IronKey or Unlocker drive and double-click
IronKey.exe or Unlocker.exe.
• MAC: In Finder, open the IronKey or Unlocker drive and double-click the IronKey or
Unlocker application.
2. Do the following:
• Copy and paste the Activation Code. You should have received the code in an email
message sent from DataLocker. If you did not receive an email, check your spam or bulk
mail folder.
• Select a default language preference and agree to the end-user license agreement.
• Click the Activate button. By default, IronKey EMS software will use the same language
as your computer’s operating system.
3. Type a device password and conrm it, and then click the Continue button.
Your password is case-sensitive and must comply with the password policy you set when you
created the Default device policy during EMS Account setup.
4. If using an S250, D250, H300/H350, or S1000, a message prompt will appear indicating that
an e-mail has been sent to you. Follow the instructions in the e-mail to set up your online
account; this includes setting up a “secret question” and “answer”. Your online account is
required for accessing the Admin Console and resetting a forgotten password. S250 and
PAGE 19IRONKEY EMS CLOUD ADMIN GUIDE
D250 devices also require the account for backing up Identity Manager. Once you set up
your online account, click OK in the message prompt to proceed with the device activation.
The device initializes. During this process, it generates the AES encryption key, creates the
le system for the secure volume, and copies secure applications and les to the secure
volume.
When the initialization is complete, the Control Panel appears. Your device is now ready to
protect your data and can be used on a Windows, Mac or Linux computer.
5. Log in to the Admin Console by clicking the Admin Console button on the Applications page
of the Control Panel.
6. A “Welcome Screen” will appear with some information about documentation, technical
support and Next Steps to get you started adding users to your EMS Account, customizing
email templates, and more.
It is also recommended that you read the chapter “Deploying devices” on page 29.
To activate the 2nd System Admin device
1. Retrieve the Activation Email that was sent during the Account setup.
2. Complete steps 1 through 7 in the previous procedure.
NEXT STEPS
Once you have created the account and activated System Admin devices, you are ready to
plan your deployment of devices to users. It is strongly recommended that you read the
chapter “Deploying devices” on page 29. This section provides an overview about important
deployment considerations before you begin including:
• Customizing email templates
• Creating user groups
• Adding users
Accessing the Admin Console
Admin Console is the Web-based interface that allows you to manage devices, users, and
policies. Most administrative tasks are performed using this interface. Once you complete the
setup process and successfully activate your Admin device, you can log in to the Admin Console.
To access Admin Console
1. Plug in and unlock your device.
PAGE 20IRONKEY EMS CLOUD ADMIN GUIDE
2. Do one of the following to securely log in to the Admin Console with mutual authentication
over SSL:
• If you have an S250, D250, H300/H350, or S1000 device, click the Applications button
on the menu bar of the Control Panel, and then click Admin Console.
• If you have a W500, W700, or W700-SC device, click the Settings button on the menu
bar, and then click Account from the left sidebar. Click the Manage Account Settings
button.
• If you have an S200 or D200 device, click Online Account on the main page of the
Control Panel, under Management.
3. If you are using a proxy, you may need to update the Network Settings for the device (S200
and D200 only) so that it knows how to connect to the Internet. Other devices use the
system settings.
4. Your browser will open to the Admin Console tab of IronKey EMS.
NOTE: Every administrator will need an IronKey EMS device to access the Admin Console.
NOTE: You cannot open Admin Console from a D300M or Sentry EMS device.
PAGE 21IRONKEY EMS CLOUD ADMIN GUIDE
Deploying devices
What’s involved?
By default, when a device is activated it is initialized with the applications and policy settings that
were dened in the “Default Device Policy” when you set up the IronKey EMS Account. You may
also want to create new policies before adding users to the system. For example, you can create
a separate policy for users who require a specic application, such as Identity Manager. You
should also create a separate policy for Linux users that disables Silver Bullet Services.
Before you can distribute devices to users, you must add users to the EMS Account. If you
have a large user base, you can import multiple users at once. To organize users, you can create
groups, for example by department or by role within the company.
Adding a user to IronKey EMS generates an Activation Code for that user. The code is required
to initialize the user’s device. You can choose to automatically email this code to users when
you add them or you can email or deliver it manually later. If necessary, you can customize the
default email template to add company-specic information.
Choosing a deployment strategy
The easiest and most cost-effective way to deploy devices is to:
1. Add users to the EMS Account,
2. Automatically email them the Activation Code and instructions, and then
3. Hand them an device.
IronKey EMS will take care of the rest.
NOTE: If you are deploying IronKey Workspace W500, W700, or W700-SC devices, you will
need to perform some additional steps to image devices with Windows To Go. For more
information, see the IronKey Workspace IT Administrators Handbook.
You must decide on a strategy that will best suit your organization. Often, companies use a
combination of methods based on security, privacy, and IT considerations. For example, to
minimize IT deployment time, you may want users to activate their own devices using the
PAGE 22IRONKEY EMS CLOUD ADMIN GUIDE
activation code in the automatic email you send them. However, for some users, you might
choose to manually activate their devices.
QUESTIONS TO ASK BEFORE DEPLOYING DEVICES:
Your answers to these questions will determine your next steps in deploying devices to users.
» Have I finalized the Default Device Policy to include new policy settings and created any new
policies that are needed for specific users or security requirements?
» How big is my user base? Do I want to add multiple users at once?
» Do I need to organize users by group?
» Do I need to ensure that some Admins cannot see the users and groups managed by other
Admins?
» Do I want all users to activate their own devices? Do I need to manually activate some
devices?
» Do I want to automatically email the Activation Code to users or will I email or give this
code to users manually after I create them?
» If sending an automatic email, do I want to customize the Default Activation Email templates?
» What operating systems will users typically be connecting their devices to? This is especially
important if you have users running the Linux operating system.
Next Steps:
If you want to... See...
Create new device policies or edit the
default policy
Customize the Default Activation Email • Editing the Device Activation Email
Create user groups • Adding a group
Add a user • Adding a user
Add multiple users • Adding multiple users
Manually activate devices for users • Activating a device for a user
Once you’ve successfully added the users and they have their Activation Codes, you can give
them devices. Users can then proceed with device set up.
• Adding policies
• Editing policies
Sample deployment
Company ABC, a medium-sized business with 50 employees who need secure storage drives.
Their task was to successfully deploy devices to all users in the company with minimal impact
on IT resources.
PAGE 23IRONKEY EMS CLOUD ADMIN GUIDE
REQUIREMENTS
» Number of users to add: 50 total
• General Knowledge Workers: 40
• Executive: 7
• IT Dept: 3
» Some departments needed different policies and applications on their devices to meet
corporate security requirements.
» General users were allowed to activate their own devices.
» Executive users were to receive devices activated by the IT person.
THE DEPLOYMENT SOLUTION
After considering their requirements, the IT department divided the task into the following
steps.
1. Created separate policies based on department requirements
• IT Policy—IT users needed access to all features, licensed services, and applications.
• Executive Policy—The company wanted a separate policy to allow increased security
features on some devices. Features included a higher self-destruct threshold, the AntiMalware Service and Identity Manager. This policy will be used only by Executives.
• Default Device Policy—General users were not required to have the Anti-malware
Service or Identity Manager so this policy did not include these items. New features, such
as Password Reset, were enabled. See “Adding policies” on page 38.
2. Customized the Default Email
The default template was modied to add Help Desk contact information that was specic
to Company ABC.
See “Editing the Device Activation Email” on page 57.
3. Created Groups for each geographic location
They did not need to limit the scope of which users and groups that Admins could view in
the Admin Console, so they structured their groups geographically for a logical organization
of users. Groups were created for Asia-Pacic, Europe, North America.
See “Adding a group” on page 54 for more information.
4. Imported General Users
The IT department added general users to IronKey EMS using a .CSV le with user data. The
IT manager assigned the administrator role to one person in each department group. The le
included the following information for each user:
Name, Email, Group, Role, Policy, Admin Code
See for more information.
5. Added Executive users
The IT manager added each executive to the system one user at a time. They did not send
an Activation email to these users. Instead, the IT person activated the devices for the users.
See “Activating a device for a user” on page 58 for more information.
6. Distributed devices to users
PAGE 24IRONKEY EMS CLOUD ADMIN GUIDE
Loading...