IronKey™ EMS Cloud
Admin Guide
Last Updated March 2017
DataLocker is committed to creating and
developing the best security technologies and
making them simple-to-use and widely available.
Years of research and millions of dollars of
development have gone into bringing this
technology to you.
We are very open to user feedback and would
appreciate hearing about your comments,
suggestions, and experiences with this product.
Feedback:
support@datalocker.com
NOTE: DataLocker is not liable for technical or editorial errors and/or omissions contained herein; nor for incidental or
consequential damages resulting from the furnishing or use of this material. The information provided herein is subject to
change without notice.
The information contained in this document represents the current view of DataLocker on the issue discussed as of the date of publication. DataLocker
cannot guarantee the accuracy of any information presented after the date of publication. This document is for information purposes only. DataLocker makes
no warranties, expressed or implied, in this document. DataLocker, and the DataLocker logo are trademarks of DataLocker Inc. and its subsidiaries. All other
trademarks are the property of their respective owners. Ironkey™ is a registered trade mark of Kingston Technologies, used under permission of Kingston
Technologies. All rights reserved.
© 2017 DataLocker Inc. All rights reserved. IK-EMS-ADM01-5.3
PAGE 1IRONKEY EMS CLOUD ADMIN GUIDE
CONTENTS
About IronKey EMS Cloud...................................5
What’s New?...........................................................5
Release history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Key Admin Concepts ....................................................8
Supported Device Models ................................................9
System requirements ..................................................10
Product specications ..................................................10
Product Overview......................................................10
Enterprise Support .....................................................12
For more information ..................................................12
Licensing .............................................................13
Setting up IronKey EMS Cloud ..............................14
IMPORTANT—BEFORE YOU BEGIN ......................................14
Creating the IronKey EMS Account ........................................14
Activating the 1st and 2nd System Admin online account.......................18
Accessing the Admin Console ............................................20
Deploying devices .........................................23
What’s involved? ......................................................23
Choosing a deployment strategy ..........................................23
Questions to ask before deploying devices:..................................24
Sample deployment.....................................................24
Requirements ........................................................25
The Deployment Solution ...............................................25
Results .............................................................26
Best practices for a smooth rollout ........................................26
For the Administrator ..................................................26
For the End-user......................................................27
Common administrator tasks.............................................28
Managing Policies .........................................29
Policy numbers and versions .............................................29
About policy settings ...................................................30
User Policy Settings ...................................................30
Device Policy Settings ..................................................32
Adding policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
PAGE 2IRONKEY EMS CLOUD ADMIN GUIDE
Editing policies ........................................................40
Deleting policies .......................................................40
Viewing policies........................................................41
Updating policies on devices..............................................41
User Policies .........................................................41
Device Policies .......................................................41
Managing Users and Groups ................................43
Viewing users and groups................................................43
Managing users ........................................................43
About Users .........................................................43
Administrative Tasks by Category and Role..................................44
Adding a user ........................................................46
Editing the User Activation Email .........................................48
Adding multiple users ..................................................49
Editing a user ........................................................51
Deleting a user.......................................................52
Viewing user information ...............................................52
Searching for a user ...................................................53
Managing groups .......................................................53
About groups ........................................................54
Adding a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Moving users to a group................................................55
Deleting groups ......................................................55
Managing Devices .........................................56
Viewing device information ..............................................56
Downloading device information..........................................57
Activating devices ......................................................57
Editing the Device Activation Email........................................58
Activating a device for a user ............................................59
Adding new devices to users .............................................60
Editing device proles...................................................60
Deleting devices .......................................................61
Searching for a device...................................................61
Managing devices remotely with Silver Bullet ................................62
Resetting a device password (Admin-initiated) ...............................62
Pairing a new smart card with a device ....................................63
Recovering devices ....................................................63
Recommissioning devices ...............................................64
Disabling and enabling devices...........................................64
Detonating a device ...................................................65
PAGE 3IRONKEY EMS CLOUD ADMIN GUIDE
Forcing Read-Only mode ...............................................66
Updating devices ......................................................66
Forcing a software update ..............................................66
Selecting an approved update le ........................................67
Update testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Update removal ......................................................68
Upgrading Basic devices to Enterprise ......................................68
Importing authentication credentials .......................................69
Importing RSA SecurID tokens ...........................................69
Importing a digital certicate ............................................69
Managing S200 or D200 devices...........................................70
Admin Tools: Tasks according to User Role ..................................71
Assisting with passwords................................................71
Approving Admin users .................................................73
Recommissioning devices ...............................................73
Activating Basic devices ................................................74
Managing admin accounts ..................................75
Managing your online account ............................................75
Activating your online account ...........................................75
Resetting your password................................................76
Unlocking your online account ...........................................76
Editing device nicknames ...............................................77
Editing your online account settings .......................................77
Resetting an administrator’s account password...............................78
Monitoring security events .................................79
Using Enterprise Dashboard..............................................79
Dashboard maps and events table........................................79
Enterprise Dashboard charts ............................................80
Setting up email alerts for events ..........................................81
Interpreting malware scanner reports ......................................82
Glossary.................................................83
Index ...................................................85
PAGE 4IRONKEY EMS CLOUD ADMIN GUIDE
About IronKey EMS Cloud
IronKey™ EMS Cloud is an advanced, cloud-based, management service that lets you protect
your data, your mobile workforce, and your organization. You can quickly and easily establish
a secure command center for administering and policing the use of encrypted Workspace and
Storage drives.
This guide tells you how to set up, deploy, and manage devices in your enterprise environment.
What’s New?
SUPPORT FOR SENTRY EMS
IronKey EMS now supports the new DataLocker Sentry EMS device. Designed for business-
grade security, Sentry EMS is an encrypted USB 3.0 drive that is FIPS 140-2 Level 3 certied and
TAA-compliant.
RECEIVE DOWNLOADED DEVICE AND USER DATA BY EMAIL
When you congure your online account settings to enable this feature, device and/or user data
will be available for download by email. For more information, see “Send downloaded data via
email” on page 77.
Release history
TWO DEFAULT ACTIVATION EMAIL TEMPLATES
There are now two device activation email templates, one for Storage devices and the other for
Workspace devices. You can customize the content in these templates according to company
requirements.
SUPPORT FOR IRONKEY D300M
IronKey EMS now supports the new IronKey D300M device. Designed for business-grade
security, the D300M is an encrypted USB 3.0 drive that is FIPS 140-2 Level 3 certied and TAA-
compliant.
PAGE 5IRONKEY EMS CLOUD ADMIN GUIDE
WEB LOGIN TO MANAGEMENT CONSOLE USING ONLINE ACCOUNT
(ADMINS ONLY)
Administrators can log in directly to the management console Web application with Username
& Password only, no admin device is required.
CHANGES TO USER PROFILE PAGE
Recommissioned devices in the Devices list will be hidden by default. The “View” list includes
“Current Devices” (default setting) and “All Devices”. A current device still uses an active seat
license and can be in one of the following states: Disabled, Pending recommission, Awaiting
detonation. The “All Devices” view will also display Deleted, Recommissioned and Detonated
devices.
FORCE UPDATE FEATURE FOR S250/D250 DEVICES
A new Force Update feature is now available in Service for use with the latest release of the
250 device Series (version 3.5.0.0). Controlled by the device policy, you can now force users to
update their devices to the latest approved software release. For information about new Force
Update policy settings, see “” on page 32. For more information about using Force Update,
see “Forcing a software update” on page 65.
SUPPORT FOR H350 ENTERPRISE AND IRONKEY WORKSPACE W700-SC
DEVICES
H350 devices are FIPS 140-2 Level 3 certied, USB (Universal Serial Bus) 3.0 hard drives with
built-in password security and data encryption. For more information about the device, see the
DataLocker H300/H350 Enterprise User Guide.
IronKey Workspace W700-SC is a trusted, FIPS 140-2 Level 3 certied, secure USB ash drive
that features XTS-AES 256-bit hardware encryption. Additionally, the W700-SC supports device
authentication using a smart card. When paired with your device, you can securely unlock
your workspace using your smart card and Personal Identication Number (PIN). Certied
by Microsoft as a Windows To Go device, the W700-SC is a secure, personal workspace. It is
capable of using all host system resources on host computers that are certied to run Microsoft
Windows® 7.0 and higher, and qualied Mac computers.
SUPPORT FOR IRONKEY WORKSPACE 4.3
Admins are now able to use the device recovery Silver Bullet to unlock the secure operating
system (OS) partition on the device. If a user experiences issues with the Windows OS,
Administrators can now try to troubleshoot and repair these issues or recover les by
accessing the OS partition. See “Recovering devices” on page 62.
A new device update is available to upgrade the device rmware and software on devices
running IronKey Workspace version 4.2. Admins will also need to update the Control Panel
application in Windows To Go.
IronKey Workspace 4.3 devices also include the following features:
» Device activation on a Mac operating system.
PAGE 6IRONKEY EMS CLOUD ADMIN GUIDE
» Support for a multi-lingual keyboard layout in the Preboot environment when booting
Windows To Go.
» Updates to the IronKey Workspace Startup Assistant to increase the number of host
computers it can configure to boot from a USB device on startup. The application is available
on the device (W500/W700) or as a standalone application (available as a download from
the DataLocker Support site).
» Support for DataLocker and IronKey secure storage devices in Windows To Go; for
a complete list, see “Supported Device Models” on page 9. Users can save data to
the secure storage drive while booted in Windows To Go. When using a storage device
while booted in the secure Workspace, two Control Panel icons will display in the
Windows system tray, one to manage the secure storage device and the other for the
IronKey Workspace device.
UPDATES TO THE ADMIN CONSOLE
Enterprise Dashboard Events table
The Enterprise Dashboard Events table now includes a column for Devices. Admins can sort by
the Device column to view all events for a specic device. Also new is the custom date range
lter. You can now lter which events display in the table based on a start and end date.
Email notication for events
The Admin Console includes a new Alerts feature. If purchased and enabled for your EMS
Account, this feature provides email notications to Admin users about important events.
Admins can set up an alert to receive a daily message summarizing the events that have
occurred in the last 24 hours. See “Setting up email alerts for events” on page 76.
New group selector when adding a user
When you create a new user, you can now add the user to a group using the group selector.
System Admin users can add the user to any group. Admin users can only add users to a group
to which they are also a member. See “Adding a user” on page 45.
S1000 SUPPORT
IronKey EMS now supports the management of IronKey Enterprise S1000 devices. S1000
devices are secure USB (Universal Serial Bus) portable ash drives with built-in password
security and data encryption. For more information about the device, see the IronKey Enterprise
S1000 User Guide.
H300 SUPPORT
IronKey EMS now supports the management of H300 devices. H300 devices are USB portable
hard drives with built-in password security and data encryption. For more information about the
device, see the DataLocker H300/H350 Enterprise User Guide.
IRONKEY WORKSPACE SUPPORT
IronKey EMS now supports the management of IronKey Workspace Windows To Go
devices (W500 and W700). IronKey Workspace devices provide the same secure hardware
PAGE 7IRONKEY EMS CLOUD ADMIN GUIDE
encryption available with other devices. W700 goes one step further and has FIPS 140-2 Level 3
certication.
Devices can be activated and managed in the same way as other devices. However, they must
rst be provisioned with a Windows To Go image and congured for management. For more
information about IronKey Workspace devices or Windows To Go, see the following guides,
available on the Support site:
» User guides for IronKey Workspace W500 or W700
» IronKey Workspace IT Administrator Handbook
S250 & D250 RELEASE
The 250 series includes two new secure USB ash drives: S250 and D250. To manage these
devices, IronKey EMS provides the following new features:
» Remote device management using Silver Bullet
• Password Reset—Users can reset their passwords without administrator intervention.
Administrators can also help users who have forgotten their passwords by remotely
unlocking the device and forcing a password change.
• Device Recovery—Administrators can remotely unlock devices that can no longer be
accessed.
• Device Recommissioning—Administrators can remotely reset a device so that device
data is deleted and the device can be reused.
• Force Read-only—Allows Administrators to force a device to open in read-only mode.
» One central management console—S250 and D250 devices are completely managed
through the Admin Console. There is no Admin Tools application on S250 or D250
administrative devices.
» New device setup—Users and administrators can set up their devices with an easy-to-use
workflow that activates the device, sets up the online account, and initializes the device.
NOTE: Devices that are not running the latest rmware and software may not be able to use
the Silver Bullet Service or other new features. Updating old devices will allow them to use
these features. For information about updating devices, see “Updating devices” on page 65.
Key Admin Concepts
The Admin Console: Centralized, Online Device and User Management
IronKey EMS includes a centralized management console for managing tens, hundreds
or thousands of devices and users, reducing overall deployment times and maintenance
requirements. When a System Admin adds administrators to the EMS account, they must
specify how the administrator will authenticate to Admin Console, using either Web-based login
(username & password) or Device-based login (device & password) using the secure link to
Admin Console in the Control Panel application on the device.
PAGE 8IRONKEY EMS CLOUD ADMIN GUIDE
IronKey EMS Policies: Enforcing Corporate Security Policies
Congure policies for device password strength, self-destruction settings, and enabling specic
applications and services.
User Management: Organize Users Into Groups
Create groups to manage your users based on any criteria needed to keep you organized. Users
can be easily added and removed from Groups and administrative tasks performed by group.
Silver Bullet Service: Protecting Against Malicious Users
The Silver Bullet Service conrms that devices are authorized before allowing them to be
unlocked. This real-time service allows Admins to completely disable and even remotely
detonate devices, extending the control needed to protect important data.
Password Reset: Allowing users device access when they forget their passwords
Allow users to securely reset their own passwords, reducing the number of Help Desk calls
from users who cannot access their devices because they’ve forgotten their password.
Secure Device Recovery: Securely Unlocking Devices
Secure Device Recovery is a patented PKI mechanism that allows Admins to unlock another
user’s device, for example, in the case of employee termination, regulatory compliance, or
forensic investigations. Unlike many other solutions, there is no central database of back-door
passwords.
Device Recommissioning: Securely Repurposing Devices
When employees leave the organization, their devices can be safely recommissioned to new
users. This process requires Admin authentication and authorization using the secure online
services in IronKey EMS.
Supported Device Models
IronKey EMS supports the following list of devices.
» S100
» 200 Series (includes S200 & D200) Note: The term “x200”, when used in the product or
documentation, indicates that the feature or section applies to both device models in the
series. Some special conditions apply to S100 and x200 devices in order to manage these
devices using IronKey EMS. See”Managing S200 or D200 devices” on page 69.
» 250 Series (includes S250 & D250). Note: The term “x250”, when used in the product or
documentation, indicates that the feature or section applies to both device models in the
series.
» IronKey Workspace W500, IronKey Workspace W700, and IronKey Workspace W700-SC
» H300/H350
» S1000
PAGE 9IRONKEY EMS CLOUD ADMIN GUIDE
» D300M
» Sentry EMS
NOTE: For more information about devices, see “Managing Devices” on page 55.
SYSTEM REQUIREMENTS
» Windows
» Windows
» Windows
» Windows
» Windows
» Mac OS
®
8.1 or Windows® 10
®
8
®
7
®
Vista
®
XP (SP2+)
®
X (10.5+)
» Linux (2.6+)
For Super Speed, use USB 3.0 ports with the following devices, W500/W700/W700-SC, H300/
H350, S1000, D300M, and Sentry EMS. The computer must have a minimum USB 2.0 port for
high-speed data transfer. A USB 1.1 port or powered hub will also work, but will be slower.
PRODUCT SPECIFICATIONS
For details about your device, see “Device Info” in the Control Panel settings. Product
specications are also included in the User Guide for the device.
Product Overview
IronKey EMS allows you to manage secure storage drives and IronKey Workspace drives using
a cloud-based administrative service. Administrators can access the secure online services to
manage policies, users, and devices; users can access their online accounts (if available) to view
information about their devices and account settings, and reset their device password.
IronKey EMS
» The two management components of the service include:
• Admin Console—Allows Admins to set policies, add users and groups, manage devices
and more
• System Console—Allows Admins to control device updates and automated messages
that are sent to users through the service.
» The two user components of the service are:
• My Devices—Stores information about a user’s devices
• My Account—Contains online account information for the user.
The following image shows the management console and the user components of the online
account. The Admin Console tab is selected. The other tabs, including My Devices, My Account,
and System Console are also available. All users with an online account can access My Devices
and My Account tabs. Only administrators (System Admin, Admin, Custom Admin, Help Desk,
and Auditor) can access the Admin Console tab. Only System Admins can access the System
PAGE 10IRONKEY EMS CLOUD ADMIN GUIDE
Console tab. For more information about user roles, see “Administrative Tasks by Category and
Role” on page 44.
IronKey EMS Devices
DataLocker Sentry EMS—Designed for business-grade security, the Sentry EMS is an encrypted
USB 3.0 drive that is FIPS 140-2 Level 3 certied and TAA-compliant. For more information, see
the User Guide for Sentry EMS.
IronKey D300M—Designed for business-grade security, the D300M is an encrypted USB 3.0
drive that is FIPS 140-2 Level 3 certied and TAA-compliant. For more information, see the User
Guide for IronKey D300M.
IronKey S200 & D200, S250 & D250, S1000—Designed to be the world’s most secure USB ash
drives, IronKey EMS devices allow users to safely carry their les and data with them wherever
they go. The Control Panel is the main application on the device that lets users access their data,
open onboard applications, and modify device settings.
For more information about IronKey EMS devices, see the User Guide.
IronKey Workspace W500, W700, W700-SC— Provide your users with an imaged and fully
functional version of Windows 8.1 – one that delivers a fast, full Windows desktop and can
be booted directly from a trusted IronKey Workspace drive. Distribute and manage mobile
work environments that mirror your corporate desktop, and ensure employees, partners and
contractors are using mobile workspaces created and managed by IT.
For more information about IronKey Workspace devices, see the User Guides for
IronKey Workspace W500, W700, or W700-SC.
PAGE 11IRONKEY EMS CLOUD ADMIN GUIDE
DataLocker H300/H350—Designed to provide a secure hard drive solution to users, the H300/
H350 can be formatted with the FAT32 or NTFS le system. H350 devices are FIPS 140-2 Level
3 certied. For more information, see the User Guide.
Enterprise Support
DataLocker is committed to providing world-class support to its enterprise customers.
DataLocker technical support solutions and resources are available through the DataLocker
Support Website, located at support.datalocker.com. See “For more information” on page 12.
Standard Users
Please have Standard Users contact your Help desk or System Administrator for assistance.
Due to the customized nature of each IronKey EMS Account, technical support for IronKey EMS
products and services is available for System Administrators only.
System Administrators
Administrators can contact DataLocker Support by:
» Filing a support request at http://support.datalocker.com.
» Sending an email to support@datalocker.com.
IMPORTANT: Always reference your EMS Account Number. The Account Number is located
on the Enterprise Support page of the Admin Console.
To access resources on the Enterprise Support page
• In the Admin Console, click Enterprise Support in the left sidebar.
NOTE: Resources available on this page include your Account number, video tutorials and
product documentation, an announcement history le that logs all previous DataLocker
announcements regarding IronKey EMS, and contact information for DataLocker Technical
Support.
FOR MORE INFORMATION
support.datalocker.com Support information, knowledge base and video tutorials
support@datalocker.com Product feedback and feature requests
http://www.datalocker.com General information
PAGE 12IRONKEY EMS CLOUD ADMIN GUIDE
Licensing
If you have licensed services with your EMS Account, you can view a list of the licenses that are
available with the service. To review the number of available license seats for your EMS Account,
do the following:
• In the Admin Console, click Manage Policies in the left sidebar.
Licenses are listed below the device policies and include the number of available seats, and
number of total seats.
NOTE: If you exceed the number of licensed seats, or if your license has expired, a message
prompts you to update or renew your license. You cannot add new users or devices until the
license is renewed.
PAGE 13IRONKEY EMS CLOUD ADMIN GUIDE
Setting up IronKey EMS Cloud
IMPORTANT—BEFORE YOU BEGIN
IronKey EMS Cloud is designed to protect your organization from the risks of data loss and data
leakage by delivering world-class security. However, it is important to follow a few best practices
when setting up your IronKey EMS Account to ensure that the proper levels of security and
usability are met:
» Make sure the person setting up the EMS Account has a thorough knowledge of your
organization’s security policies and is authorized to be the System Admin for all of your
organization’s devices. That person will define the default policy for these devices.
» Create more than one System Administrator. To ensure the highest security, even
DataLocker is unable to intervene in your EMS Account, in the event that a lone System
Admin leaves the organization. Have multiple System Admins at all times.
After you’ve completed these tasks, review “Next Steps” on page 18. You can also read
“Deploying devices” on page 29 for tips on how to ensure a smooth deployment.
Creating the IronKey EMS Account
During the account setup, you will congure settings for the default user policy and create the
rst two System Admin accounts. The user policy controls the password requirements and
access restrictions that will be applied to online accounts for Administrators.
To create the account
1. Go to the Website https://my.ironkey.com/enterprise or click the link in the email you received
from DataLocker regarding setting up your EMS Account. Enter your Account Number.
PAGE 14IRONKEY EMS CLOUD ADMIN GUIDE
2. Read the license agreement and select the check box to conrm that you are the
appropriate authority to set up the EMS Account, then click Continue.
3. On the Create an online account for the rst and second System Administrators
page, enter an email address and the First and Last name of the rst and second System
Administrator.
4. Click Continue.
5. On the Create the Default User Policy page, click Create Policy to open the policy
setup.
PAGE 15IRONKEY EMS CLOUD ADMIN GUIDE
NOTE: The Default User Policy will be applied to the 1st and 2nd System Admin when they
activate their online account.
6. On the Default User Policy page, scroll through and review each section. Congure the
settings that you want to be included in the Default User Policy for your EMS Account. Each
policy section displays the system default settings.
7. When you nish setting all user policy options, scroll to the end of the Default User Policy
and click OK to continue with the EMS Account setup.
PAGE 16IRONKEY EMS CLOUD ADMIN GUIDE
8. On the Review Default User Policy page, verify the policy settings and do one of the
following. If you are satised with the policy selections, click Finish to complete the EMS
Account Setup. If you need to change a setting, click Edit Policy.
9. A conrmation message will indicate that your EMS Account has been successfully created.
Each System Admin will receive an email message with instructions on how to activate their
online account.
PAGE 17IRONKEY EMS CLOUD ADMIN GUIDE
NOTE: It is recommended that you keep this conrmation page open until the System
Admin users have received the activation email. If they do not receive it, you can resend it by
clicking Resend Activation Email.
NEXT STEPS
It is strongly recommended that you read the chapter “Deploying devices” on page 29. This
section provides an overview about important deployment considerations before you begin
including:
• Customizing email templates
• Creating user groups
• Adding users
Activating the 1st and 2nd System Admin online account
After you set up the EMS Account, the rst and second System Admin users will receive an
email with instructions about how to activate their online account. The online account allows
administrators to log in to the management console to manage the IronKey EMS Account,
policies, users, and devices.
Activating an account involves creating login credentials for the management console. Make
sure that these users have received the activation email message before continuing. The email
addresses for the 1st and 2nd System Admin users were added during the EMS Account Setup.
After activating their online accounts, the rst System Admin to log in to the Admin Console
will automatically be prompted to create the Default Device Policy. The Default Device Policy
is the main policy that will be applied to managed devices upon device activation. The policy
determines the password requirements, applications, and other management options to apply to
a device.
To activate the online account
1. Open the activation email that was sent during the setup of the EMS Account. In the email
message, click the Activation link. See example below:
NOTE: If you did not receive an email, check your spam or bulk mail folder.
PAGE 18IRONKEY EMS CLOUD ADMIN GUIDE
The Online Account Setup page will open in a Web browser.
2. On the Online Account Setup page, do the following:
• In the Username text box, create a user name for your account.
• In the Password text box, create an account password and confirm the password.
Passwords are case-sensitive and must comply with the password policy defined during
the EMS Account setup.
• Select a question from the Secret Question list box or create your own secret
question.
• In the Answer to Secret Question text box, provide the response to the secret
question. The secret question will be used to verify your identity if you have to reset your
password.
3. Click the Create Account button.
A conrmation message will display to indicate that you have successfully activated your
online account.
4. Bookmark the Login page for quick access on subsequent logins.
5. Log in to Admin Console by typing your username and password in the elds provided and
click the Login button.
6. On the Access Code page, follow the instructions onscreen to retrieve and paste the
Access Code in the eld provided and click the Submit button.
A Welcome page will appear with information and instructions on next steps.
7. If you are the rst System Admin to activate your online account and access the Admin
Console, the Welcome page will prompt you to create the Default Device Policy. Click the
Create Default Device Policy button to continue.
PAGE 19IRONKEY EMS CLOUD ADMIN GUIDE
NOTE: If you are the second System Admin to activate your online account, you will not be
prompted to create the Default Device Policy. The management console will appear as soon
as you close the Welcome page.
8. On the Default Device Policy page, scroll through and review each section carefully.
Congure the settings and applications that you want to be included in the Default Device
Policy for your EMS Account.
Each policy section displays the system default settings and lists the devices to which these
settings apply.
IMPORTANT: In the Password Policy section, under General Password Settings,
congure the Max Failed Unlock Attempts setting with a balance of security and end-
user convenience in mind. If the user exceeds the maximum, the device will “self-destruct”
and all data will be permanently lost. The drive can no longer be used. D300M and Sentry
EMS devices do not self-destruct but will reset to a factory state, erasing all onboard data.
9. When you nish setting all device policy options, scroll to the end of the Default Device
Policy and click the Save button.
You will receive a notice that your Default Device Policy was added successfully.
Accessing the Admin Console
Admin Console is the Web-based interface that allows you to manage devices, users, and
policies. Most administrative tasks are performed using this interface. Once you complete
the setup process and successfully activate your online account, you can log in to the Admin
Console. If you have an activated device with IronKey EMS, you can also access the Admin
Console from the Control Panel (Admin Console is not available on D300M or Sentry EMS
devices). System Admins can specify how administrators access Admin Console when they add
new administrators to the EMS Account; either through Web-based login (username & password
authentication) or from their device (device & password authentication), or both. See “Adding a
user” on page 45.
PAGE 20IRONKEY EMS CLOUD ADMIN GUIDE
To access Admin Console using Web-based login
1. In a Web browser, open the URL for Admin Console page https://my.ironkey.com. You should
bookmark the page for quick reference.
2. On the IronKey EMS Credentials page, enter your username and password credentials
and click the Log in button.
3. An email with the Access Code is sent to the email address that is associated with your
online account. Open the email message and copy the Access Code. See the example below:
4. Return to the Access Code page. Paste the code in the box and click the Submit button.
The Access Code expires in 30 minutes. If you are unable to log in with the rst code, click
Request New Code to generate a new code.
To access Admin Console using Device-based login
1. Plug in and unlock your device.
PAGE 21IRONKEY EMS CLOUD ADMIN GUIDE
2. Do one of the following to securely log in to the Admin Console with mutual authentication
over SSL:
• If you have an S250, D250, H300/H350, or S1000 device, click the Applications button
on the menu bar of the Control Panel, and then click Admin Console.
• If you have a W500, W700, or W700-SC device, click the Settings button on the menu
bar, and then click Account from the left sidebar. Click the Manage Account Settings
button.
• If you have an S200 or D200 device, click Online Account on the main page of the
Control Panel, under Management.
3. If you are using a proxy, you may need to update the Network Settings for the device (S200
and D200 only) so that it knows how to connect to the Internet. Other devices use the
system settings.
4. Your browser will open to the Admin Console tab of IronKey EMS.
NOTE: You cannot open Admin Console from a D300M or Sentry EMS device. You must use
Web-based login to access the management console.
PAGE 22IRONKEY EMS CLOUD ADMIN GUIDE
Deploying devices
What’s involved?
By default, when a device is activated it is initialized with the applications and policy settings that
were dened in the “Default Device Policy” when you set up the IronKey EMS Account. You may
also want to create new policies before adding users to the system. For example, you can create
a separate policy for users who require a specic application, such as Identity Manager. You
should also create a separate policy for Linux users that disables Silver Bullet Services.
Before you can distribute devices to users, you must add users to the EMS Account. If you
have a large user base, you can import multiple users at once. To organize users, you can create
groups, for example by department or by role within the company.
Adding a user to IronKey EMS generates an Activation Code for that user. The code is required
to initialize the user’s device. You can choose to automatically email this code to users when
you add them or you can email or deliver it manually later. If necessary, you can customize the
default email template to add company-specic information.
Choosing a deployment strategy
The easiest and most cost-effective way to deploy devices is to:
1. Add users to the EMS Account,
2. Automatically email them the Activation Code and instructions, and then
3. Hand them an device.
IronKey EMS will take care of the rest.
NOTE: If you are deploying IronKey Workspace W500, W700, or W700-SC devices, you will
need to perform some additional steps to image devices with Windows To Go. For more
information, see the IronKey Workspace IT Administrators Handbook.
You must decide on a strategy that will best suit your organization. Often, companies use a
combination of methods based on security, privacy, and IT considerations. For example, to
minimize IT deployment time, you may want users to activate their own devices using the
PAGE 23IRONKEY EMS CLOUD ADMIN GUIDE
activation code in the automatic email you send them. However, for some users, you might
choose to manually activate their devices.
QUESTIONS TO ASK BEFORE DEPLOYING DEVICES:
Your answers to these questions will determine your next steps in deploying devices to users.
» Have I finalized the Default Device Policy to include new policy settings and created any new
policies that are needed for specific users or security requirements?
» How big is my user base? Do I want to add multiple users at once?
» Do I need to organize users by group?
» Do I need to ensure that some Admins cannot see the users and groups managed by other
Admins?
» Do I want all users to activate their own devices? Do I need to manually activate some
devices?
» Do I want to automatically email the Activation Code to users or will I email or give this
code to users manually after I create them?
» If sending an automatic email, do I want to customize the Default Activation Email templates?
» What operating systems will users typically be connecting their devices to? This is especially
important if you have users running the Linux operating system.
Next Steps:
If you want to... See...
Create new device policies or edit the
default policy
Customize the Default Activation Email • Editing the Device Activation Email
Create user groups • Adding a group
Add a user • Adding a user
Add multiple users • Adding multiple users
Manually activate devices for users • Activating a device for a user
Once you’ve successfully added the users and they have their Activation Codes, you can give
them devices. Users can then proceed with device set up.
• Adding policies
• Editing policies
Sample deployment
Company ABC, a medium-sized business with 50 employees who need secure storage drives.
Their task was to successfully deploy devices to all users in the company with minimal impact
on IT resources.
PAGE 24IRONKEY EMS CLOUD ADMIN GUIDE
REQUIREMENTS
» Number of users to add: 50 total
• General Knowledge Workers: 40
• Executive: 7
• IT Dept: 3
» Some departments needed different policies and applications on their devices to meet
corporate security requirements.
» General users were allowed to activate their own devices.
» Executive users were to receive devices activated by the IT person.
THE DEPLOYMENT SOLUTION
After considering their requirements, the IT department divided the task into the following
steps.
1. Created separate policies based on department requirements
• IT Policy—IT users needed access to all features, licensed services, and applications.
• Executive Policy—The company wanted a separate policy to allow increased security
features on some devices. Features included a higher self-destruct threshold, the AntiMalware Service and Identity Manager. This policy will be used only by Executives.
• Default Device Policy—General users were not required to have the Anti-malware
Service or Identity Manager so this policy did not include these items. New features, such
as Password Reset, were enabled. See “Adding policies” on page 38.
2. Customized the Default Email
The default template was modied to add Help Desk contact information that was specic
to Company ABC.
See “Editing the Device Activation Email” on page 57.
3. Created Groups for each geographic location
They did not need to limit the scope of which users and groups that Admins could view in
the Admin Console, so they structured their groups geographically for a logical organization
of users. Groups were created for Asia-Pacic, Europe, North America.
See “Adding a group” on page 54 for more information.
4. Imported General Users
The IT department added general users to IronKey EMS using a .CSV le with user data. The
IT manager assigned the administrator role to one person in each department group. The le
included the following information for each user:
Name, Email, Group, Role, Policy, Admin Code
See for more information.
5. Added Executive users
The IT manager added each executive to the system one user at a time. They did not send
an Activation email to these users. Instead, the IT person activated the devices for the users.
See “Activating a device for a user” on page 58 for more information.
6. Distributed devices to users
PAGE 25IRONKEY EMS CLOUD ADMIN GUIDE
• General users received their devices. They followed the setup procedure in the User
Guide to activate their devices and used the Activation Code that they received in an
email from the IT manager.
• Executive users received their activated devices. They were required to create a device
password and finish the device setup.
RESULTS
After following these steps, all users were successfully added to IronKey EMS, devices were
activated, and users were able to securely store data to their devices.
Best practices for a smooth rollout
This section provides suggestions about how to administer some features of IronKey EMS. It
also includes information to pass on to end users to ensure that they know how to properly
use their devices and where to go for help.
FOR THE ADMINISTRATOR
Use a 200 Series device to manage a mixed device environment
If administrators (System Admin or Admin) will be managing 200 Series devices (S200 or D200)
as well as other device types, they must use a 200 Series device. A 200 Series device can manage
all device types but can only be managed by another 200 Series device. Administrators who
use Web-based login can perform only those management tasks that are available with Admin
Console. For more information, see “Managing S200 or D200 devices” on page 69.
Use Silver Bullet Service Wisely
It is recommended not to set the Silver Bullet policy too strictly (e.g. deny if not online or from
a specic IP address) for remote or travelling employees; otherwise, they might not be able to
use their devices in some situations.
Create a Separate Policy for Linux Users
If you plan to leverage the Silver Bullet Service, create a separate policy for Linux users that
does not include Silver Bullet or that includes a large number of Silver Bullet attempts. The
Silver Bullet Service is not available for Linux systems and will result in disabling usage on Linux.
Password Reset by user
This feature, when enabled in the device or user policy, allows users to reset their passwords if
they forget them. If you do not want users to be able to reset a password, administrators can
still perform this function for devices that support using the Silver Bullet Remote Administrative
Controls policy option. For more information, see “Resetting a device password (Admininitiated)” on page 61.
PAGE 26IRONKEY EMS CLOUD ADMIN GUIDE
Update Password Policies Only When Needed
When you update the password settings in a policy, devices with that policy will update to the
latest version. However, since the password policy has changed, users will be required to change
their password so it conforms to the new password policy. Change the password policy items
only when needed so users do not have to change their device passwords too often.
Update devices
Ensure that all administrators update their devices with the latest rmware and software.
Admins who are not running the latest rmware and software may not be able to use the Silver
Bullet Service or other new features. Updating old devices allows them to use these features.
Request IronKey Assistance application—If you have users running Windows XP without Windows
administrative privileges, ask for the IronKey Assistance application from DataLocker Technical
Support to allow these users to update their devices.
FOR THE END-USER
Encouraging end users to follow these best practices will help them better understand the
product, prevent loss of data stored on the device, and keep their device up-to-date.
Review the User Guide
Encourage users to read the User Guide for their device. The guide explains how to use the
device and the features that are available (if enabled in policy), for example, backing up les,
resetting a forgotten password and more. The guide is located on the Applications page of the
Control Panel. Administrators can access the document from their device or on the Enterprise
Support page of the Admin Console.
NOTE: Ensure that users understand that storage devices (S200, D200, S250, D250, H300,
H350, S1000, D300, and Sentry EMS) mount as two drives. The rst one launches the Unlocker
and mounts as a virtual CD (200 Series), virtual DVD (250 Series, D300, Sentry EMS), or drive
(H300/H350, S1000). The second drive is the secure les volume (for storing data) and mounts
when the user unlocks the device. A W500, W700, or W700-SC device mounts as a drive when
used in the non-boot environment (that is, Windows To Go is not booted).
Back Up Onboard Data Regularly (applies to 200 and 250 Series of devices only)
Encourage users to use the onboard Secure Backup software for backing up their onboard data.
In the case that a device is lost or stolen, the data can later be recovered to a new device.
Update devices
Ensure that users have the latest software on their devices. For more information, see
“Downloading device information” on page 56. To ensure that Windows XP users can update
their devices, install the IronKey Assistant (see the IronKey Assistant Deployment Guide for
details).
PAGE 27IRONKEY EMS CLOUD ADMIN GUIDE
Common administrator tasks
Here is a list of common tasks that Help Desk operators and Administrators will be required to
complete.
» Adding a user
» Adding a group
» Activating a device for a user
» Resetting a device password (Admin-initiated)
» Adding new devices to users
» Managing devices remotely with Silver Bullet
» Editing policies
PAGE 28IRONKEY EMS CLOUD ADMIN GUIDE
Managing Policies
There are two types of policies: Device policies and User policies. Device policies control
how devices are congured during activation, including password requirements, software
to be loaded on the device, and device management settings. User policies apply only to
administrators who use Web-based login to access the management console; the policy is
applied to the online account of these administrators when they activate their account. User
policies control the password requirements for their login credentials and other account
management options, such as the ability to reset their online account password.
This chapter describes the following items:
» Policy identifiers
» Policy settings
» How to create, edit, and delete a policy
» How to update devices with new policies
Only the System Admin and Custom Admin (with policy privileges) role can manage policies. For
information about these roles, see “Administrative Tasks by Category and Role” on page 44.
Policy numbers and versions
Policies are identied by the following elements:
» Policy Name—A unique name you provide when you create a policy.
» Policy Number—The number is sequentially assigned to each policy created in IronKey
EMS.
» Policy Version—The version is updated each time the policy is updated.
You can create an unlimited number of new policies. Each new policy must have a unique
policy name, for example, Sales Policy, Classied, etc. The system automatically assigns the next
available number to that policy (for example, Policy 2.x, Policy 3.x, etc.). Every time you edit an
existing policy, a new version of that policy is created (for example, Policy 2.001, Policy 2.002,
Policy 2.003). The following screen shows several policies and policy versions.
PAGE 29IRONKEY EMS CLOUD ADMIN GUIDE
For information about versions and policy updates, see “Updating policies on devices” on page
41.
About policy settings
USER POLICY SETTINGS
The following categories are included in User policy settings.
» General Settings
» Password Policy
» Silver Bullet Services
For details about the policy settings in these categories, including which settings are active by
default when you create a new policy, see the following table.
POLICY CATEGORY DESCRIPTION
General Settings
General Settings (Required)
Policy Name Type a unique name in the text box.
Policy Type Allows you to choose whether the policy will be a Device or User
policy. Device policies apply to IronKey EMS devices. User policies apply
only to the online account of administrators who use Web-based login
(username & password) to access the management console. You cannot
change the policy type after you save the policy.
Default: Administrative Device
Password Policy (Required)
General Password Settings—Applies to the login credentials for an administrator’s online account.
Max Failed Unlock Attempts After too many consecutive invalid password attempts, the account will
become locked.
Range is from 2 to 200 attempts
Default: 3 attempts
Recommendation: 3 attempts
PAGE 30IRONKEY EMS CLOUD ADMIN GUIDE
POLICY CATEGORY DESCRIPTION
Minimum Password Length Only passwords with this many or more characters will be allowed.
• Range is from 4 to 20 characters
• Default: 8 characters
• Recommendation: 8
Required Lower Case Letters Only passwords with this many or more lowercase letters will be
allowed.
• Range is from 0 to 5 digits
• Default: 1
Required Upper Case Letters Only passwords with this many or more uppercase letters will be
allowed.
• Range is from 0 to 5 letters
• Default: 1
Required Numeric Characters Only passwords with this many or more numeric characters will be
allowed.
• Range is from 0 to 5 letters
• Default: 1
Required Special Characters Only passwords with this many or more special characters will be
allowed. The following are considered special characters:
` ~ ! @ # $ % ^ & * ( ) - _ = + [ { ] } \ | ; : ’ ” , < . > / ?
• Range is from 0 to 5 letters
• Default: 1
Whitespace in Password This setting determines whether or not spaces are permitted in online
account passwords.
• Default: Allowed
• Recommendation: Allowed
Password Reset Allows administrators with Web-based login privileges to reset the
password for their online account without System Admin or Help Desk
intervention.
• Default: Allowed
• Recommended: Allowed
Password Aging & Reuse (Inactive by default)
Password History Prevents administrators from setting their online account password to
the last “X” passwords, where X is the number you set.
Minimum Password Age Minimum time in minutes before the administrator can change the online
account password.
Maximum Password Age Maximum number of days that can elapse before the online account
password must be changed.
Silver Bullet Policy Services
Silver Bullet Access Controls (Inactive by default)
When active, allows you to use an IP whitelist to deny access to the management console when
administrators attempt to log in from an untrusted computer.
PAGE 31IRONKEY EMS CLOUD ADMIN GUIDE
POLICY CATEGORY DESCRIPTION
IP Address Restrictions Can allow or deny access to the management console based on a Trusted
Network IP address whitelist. Administrators who attempt to log in from
an IP address on the whitelist (e.g. from the ofce) will be granted access,
while administrators attempting to log in from an untrusted network,
(e.g. home) will be denied.
Warning: Set this policy with caution as being too restrictive may
prevent trusted administrators from accessing their the management
console and their online account.
• Silver Bullet Access Controls must be active
• Feature does not apply to System Admins
• Do not use internal IP addresses
Examples of valid input:
• To allow a specic IP address, type it in:
From: 192.168.0.1
• To allow a block of IP addresses, use the * character:
From: 192.168.0.*
• To allow a range of IP addresses, use both the From and To elds:
From: 192.168.0.1 To: 192.186.0.12
• To add more IP addresses, click the “Add More” button.
• To delete an entry, click the “X” button next to the row.
Silver Bullet Remote Administrative Controls (Active by default)
Allows System Admin and Help Desk admins to remotely reset an administrator’s online account
password.
Password Reset When a System Admin or Help Desk admin resets the online account
password, the administrator who is requesting the reset will receive
an email message. The message contains a URL that will take them to a
Change Password page so that they can reset their password and log in
to the management console.
• Default: Allowed
DEVICE POLICY SETTINGS
The following categories are part of the policy settings.
» Password Policy
» Onboard software
» Silver Bullet Policy Services
» Control Panel
» Advanced
For details about each policy setting, including which settings are active by default when you
create a new policy, see the following table.
PAGE 32IRONKEY EMS CLOUD ADMIN GUIDE
NOTE: The terms “x200” or “x250”, used in the following Policy Settings table, indicate that the
policy applies to all device models in the 200 or 250 series.
POLICY CATEGORY DESCRIPTION
General Settings
General Settings (Required)
Policy Name Type a unique name in the text box.
Policy Type Allows you to choose whether the policy will be an Administrative User
or Administrative Device policy. User policies apply only to the online
accounts of administrators who use Web-based login (username &
password) to access the management console. See “User Policy Settings”
on page 30. You cannot change the policy type after you save the policy.
Password Policy (Required)
General Password Settings—Applies to S100, x200, x250, W500 and W700, H300, H350, S1000,
D300M, Sentry EMS devices
Max Failed Unlock Attempts After too many consecutive invalid password attempts, devices
initiate a self-destruct sequence, which renders the device unusable.
This hardware-level security protects against brute-force password
attacks. Congure this feature with a balance of security and end-user
convenience in mind.
NOTE: This setting cannot be modied for D300M or Sentry EMS
devices. These devices are always set to 10 attempts. When a D300M or
Sentry EMS device reaches the 10th failed unlock attempt, it does not
initiate a self-destruct sequence. Instead, it resets to factory settings and
is left in an uninitialized state; all on-board data is lost.
Range is from 2 to 200 attempts
Default: 10 attempts
Recommendation: 10 attempts
Minimum Password Length Only passwords with this many or more characters will be allowed.
D300M and Sentry EMS devices have a minimum password length of 8
characters.
• Range is from 4 to 20 characters
• Default: 8 characters
• Recommendation: 8 characters
Required Lower Case Letters Only passwords with this many or more lowercase letters will be
allowed.
• Range is from 0 to 5 letters
• Default: 0
Required Upper Case Letters Only passwords with this many or more uppercase letters will be
allowed.
• Range is from 0 to 5 letters
• Default: 0
PAGE 33IRONKEY EMS CLOUD ADMIN GUIDE
POLICY CATEGORY DESCRIPTION
Required Numeric Characters Only passwords with this many or more numeric characters will be
allowed.
• Range is from 0 to 5 characters
• Default: 0
Required Special Characters Only passwords with this many or more special characters will be
allowed. The following are considered special characters:
` ~ ! @ # $ % ^ & * ( ) - _ = + [ { ] } \ | ; : ’ ” , < . > / ?
• Range is from 0 to 5 characters
• Default: 0
Whitespace in Password This setting determines whether or not spaces are permitted in device
passwords.
• Default: Allowed
• Recommendation: Allowed
Backup Device Password Applies to S100 and x200 devices only. Allows users to back up device
passwords to their online account to allow remote password recovery.
• Default: Allowed
• Recommended: Allowed
Password Reset (Active by default for new policies)—Applies to x250, W500, W700, H300,
H350, S1000, D300M, and Sentry EMS devices. Allows users to reset
a forgotten password without admin intervention using the user’s
email address and online account. The user will receive an email with a
one-time URL link. The link allows the user to verify their identity by
answering the Secret Question for their online account. If successful, the
user is able to reset the password. Note: For D300M and Sentry EMS
devices, a code is provided after answering the Secret Question. Once
they enter the code they can reset the device password. If necessary,
Admins can give the Password Recovery Code to a user.
• Default: Allowed
• Recommended: Allowed
Password Aging & Reuse (Inactive by default) —Applies to x200, x250, W500 and W700, H300, H350,
S1000, D300M, and Sentry EMS devices
Password History Prevents the user from setting their password to the last “X” passwords,
where X is the number you set. NOTE: Does not apply to D300M or Sentry
EMS devices.
Minimum Password Age Minimum time in minutes before a user can change the device password.
Maximum Password Age Maximum number of days that can elapse before the device password
must be changed.
Onboard Software
PAGE 34IRONKEY EMS CLOUD ADMIN GUIDE
POLICY CATEGORY DESCRIPTION
Mozilla Firefox (Active by default) —Applies to S100, x200, and x250 devices
When Active, a Firefox Web browser will be included onboard each device. This onboard browser is
portable, so cookies, history les, bookmarks, add-ons and online passwords are not stored on the
local computer.
Anti-Malware Service (Inactive by default) — Applies to S100, x200, x250, H300, H350, S1000, D300M,
and Sentry EMS devices
If purchased and active, each device has an application that scans the device on each use, detecting and
cleaning malware from the device.
Secure Backup (Active by default) — Applies to S100, x200, and x250 devices
When active, Secure Backup software will be included on each device to allow users to back up an
encrypted copy of les from their device to their local computer. If the device is lost or stolen, users
can restore backed up data to another device.
Identity Manager (Active by default) — Applies to S100, x200, and x250 devices
When active, Identity Manager will be included on each device. It allows users to log into their
online accounts (using Internet Explorer 6 or later, including Internet Explorer version 10 and 11,
and onboard Firefox) and most applications that require username and password credentials. It can
also generate strong passwords and manage portable bookmarks. Not having to type out passwords
provides added protection from keyloggers and other crimeware. Additionally, Websites that support
VeriSign Identity Protection (VIP) can be locked down to the device for two-factor authentication.
Note: S100 devices running 1.3.5 and below cannot be activated; they must be updated to 2.0.8.0 to
activate.
Back Up Identity Manager
Data
RSA SecurID One-Time Passwords (Inactive by default) — Applies to S100, x200, and x250 devices
When Active, each device will include an application for generating RSA SecurID one-time passwords
for strong authentication. This feature is not available with devices running version 3.5.1.0 or higher.
Devices prior to version 2.0.6.0 require an imported .stdid le to use this application, while devices
with 2.0.6.0+ can use dynamic seed provisioning with the RSA Authentication Manager 7.1 (CT-KIP).
For more information, see the RSA documentation on the Enterprise Support page.
CT-KIP Server URL Enter the URL of the RSA CT-KIP Server. Requires the RSA
CT-KIP Activation Code Automatically deploys token seeds when code is set to “1” and the RSA
CRYPTOCard One-Time Passwords (Inactive by default) — Applies to S100, x200, and x250 devices
When Active, each device will include an application for generating CRYPTOCard one-time passwords
for strong authentication. A token le will need to be imported to use this application.
Allows users to back up their encrypted Identity Manager data to an
Online Security Vault. If the device is lost or stolen, they can restore their
passwords to a new device.
Identity Manager must be active to back up Identity Manager data.
• Default: Allowed
• Recommendation: Allowed
Authentication Manager 7.1
Authentication Server is congured for automatic deployment.
PAGE 35IRONKEY EMS CLOUD ADMIN GUIDE
POLICY CATEGORY DESCRIPTION
Silver Bullet Policy Services
Allows Admins to protect critical data by requiring devices to check for authorization prior to unlocking and to
control devices by remote administrative settings.
• This feature requires an Internet connection
• This feature is not available on Linux and disables Linux usage when enabled
Silver Bullet Access Controls (Inactive by default) — Applies to S100, x200, x250, H300, H350, S1000,
D300M, and Sentry EMS devices
When active, devices that have not contacted IronKey EMS within a specied limit, are automatically
disabled until they connect. An IP whitelist can also be used to deny access to devices attempting to
unlock on untrusted networks.
• This feature must be active on S100 and x200 devices to use Silver Bullet remote detonation.
Max Unlocks Without
Connection
IP Address Restrictions Can allow or deny access to a device based on a Trusted Network IP
Determines the number of times the device can be unlocked when not
connected to the Internet. Since users cannot always be online, set this
policy with a balance of security and user convenience in mind.
• Silver Bullet Access Controls must be active
• Range is from 1 to 200
• Default: 10
• Recommendation: Allow 10 times
address whitelist. Users coming from an IP address on the whitelist (e.g.
from the ofce) will be permitted to use their device, while users who
are coming from an untrusted network, (e.g. home) will be denied.
Warning: Set this policy with caution as being too restrictive may
prevent trusted users from accessing their data.
• Silver Bullet Access Controls must be active
• Feature does not apply to System Admins
• Do not use internal IP addresses
Examples of Valid Input:
• To allow a specic IP address, type it in:
From: 192.168.0.1
• To allow a block of IP addresses, use the * character:
From: 192.168.0.*
• To allow a range of IP addresses, use both the From and To elds:
From: 192.168.0.1 To: 192.186.0.12
• To add more IP addresses, click the “Add More” button.
• To delete an entry, click the “X” button next to the row.
Silver Bullet Remote Administrative Controls (Active by default) — Applies to x250, W500, W700,
W700-SC, H300, H350, S1000 devices.
Allows Admins to remotely manage devices to recover devices, reset passwords (does not apply to
W700-SC), and detonate devices. Other Silver Bullet commands—enable/disable, force read-only
mode (x250, H300, H350, S1000, D300M, and Sentry EMS only) and recommission device—are not
controlled by this policy section and are always available.
PAGE 36IRONKEY EMS CLOUD ADMIN GUIDE
POLICY CATEGORY DESCRIPTION
Device Recovery Admins can unlock a device that can no longer be accessed, for example,
the user has left the organization.
• Default: Allowed
Password Reset Admins can help users when they forget their password by forcing the
user to create a new password the next time the device is plugged in.
This setting is not available with W700-SC devices.
• Default: Allowed
Remote Detonation System Admins can destroy lost or stolen devices. All data is lost and the
device can no longer be used.
• Default: Allowed
Control Panel
Unlock Screen Message (Active by default) — Applies to S100, x200, x250, W500, W700, W700-SC,
H300, H350, S1000, D300M, and Sentry EMS devices
Allows you to control the message that appears on the Unlocker screen when a device is plugged in.
Providing contact information on this screen tells someone where to return a lost device. You can also
allow users to modify this text.
User May Change Message If allowed, enables users to edit the text that appears on the Unlocker
screen for their device.
• Default: Disallowed
Message Allows the Admin to create text to display on the Unlock Device screen
each time the device is plugged in.
• Range is 0 to 255 characters
• For best formatting, limit message to 6 lines of 27 characters per line.
Automatic Locking (Inactive by default) — Applies to S100, x200, x250, W500, W700, W700-SC, H300,
H350, S1000, D300M, and Sentry EMS devices
This feature automatically locks the device if it is left idle for a pre-dened period of time. Auto-locking
the device helps to ensure that the device remains secure even if a user forgets to lock the device
or leaves it unattended. If auto-lock is not visible, your primary System Administrator should contact
support@datalocker.com and request to have it turned on for your organization’s EMS Account.
Note: Automatic locking applies to IronKey Workspace devices only when the device is unlocked in a
host operating system. This setting does not apply when booted into Windows To Go.
Idle time in mins Type the number of minutes before auto-locking the device. The idle
time-out ranges from 5 to 180 minutes
Default: 30 mins
Force lock If enabled, forces the device to lock even if open les on the device are
not closed. This feature is not supported on W500, W700, W700-SC
devices.
Default: Off
PAGE 37IRONKEY EMS CLOUD ADMIN GUIDE
POLICY CATEGORY DESCRIPTION
Users can congure these
settings
Allows users to congure these settings on their device.
Default: Disallowed
Advanced
Advanced Service Policies — Applies to S100, x200, x250, W500, W700, W700-SC H300, H350,
S1000 devices
Controls advanced service features including online account access. An online account gives Standard
Users basic management capabilities of their devices. This setting controls whether or not users will
have an online account that they can access. Administrators and Auditors must have online accounts to
access the Admin Console.
Online Account Access Controls if standard users have access to an online account. This feature
does not prevent users from backing up data or their device password to
their online security vault.
Note: D300M and Sentry EMS device users cannot access their online
account from the device. Also, administrators cannot access the Admin
Console from a D300M or Sentry EMS device.
• Default: All Users
• If set to “Admins Users Only”, administrator assistance is required for
password recovery.
Check for Device Updates (Requires devices running software version 2.5.0.0 or higher.)
Automatically checks for a new device update every seven days, two
minutes after the device is unlocked. When a new device update is
available, the Control Panel will display a dialog with a message indicating
that a device update is available. This dialog will be displayed for 60
minutes or until the user closes the window.
If the option “Check for Device Updates” is not visible, your primary
System Administrator should contact support@datalocker.com and
request to have it turned on for your organization’s account.
• Default: Enabled - Must be enabled to use Force Update feature.
• Recommendation: It is strongly recommended that this feature be enabled.
PAGE 38IRONKEY EMS CLOUD ADMIN GUIDE
POLICY CATEGORY DESCRIPTION
Force Update (Applies to x250 devices running version 3.5.0.0 or higher. The “Check For
Device Updates” setting must be set to “Automatic.”)
Forces users to update the device to the latest approved version after a
specied period of time (grace period). Users must have internet access
to download the update from IronKey EMS. The update can only be
installed from a host computer that is running Windows.
Default: Off
• Off: Force Update is not turned on. The device will automatically check
for updates according to the “Check For Device Updates” policy
setting, which checks for an update every seven days.
• Standard: When the grace period expires, users will have read-only
access to the les and applications on the secure partition until the
user updates the device. Users will have read-write access if they
are unable to update the device due to the following: 1) no internet
access to download the update, or 2) the operating system of the host
computer is not supported for device updates (such as Mac or Linux).
• Strong: When the grace period expires, access to the les and
applications on the secure partition will be read-only until the user
updates the device, regardless of internet access or the operating
system of the host computer.
You must also set the following parameters:
• Grace Period (in days): Range 0-100 days. Dened as the time period in
days beginning when the device rst detects an update and noties the
user, and ending when the time period has expired and the device must
be updated.
• Period Between Reminders: Range 0-100 days. The interval (in days) at
which users will receive a notication that reminds them to update
their device and indicates the number of days left in the grace period.
See also “Forcing a software update” on page 66 for more information.
Adding policies
Every time you create a new policy, it is assigned a unique policy number, the left-most digit. In
each policy section, device icons indicate which devices are supported by those policy settings.
1. In the Admin Console, click Manage Policies on the left sidebar.
2. In the Policy List menu bar, click the Add Policy button.
3. Type a name for the new policy in the Policy Name box under General Settings.
4. Select one of the following policy types from the list box:
• Administrative Device—Device policies control which settings and applications are
applied to and installed on devices.
PAGE 39IRONKEY EMS CLOUD ADMIN GUIDE
• Administrative User—User policies control settings for online accounts that are used
by Administrators to log in to the management console.
5. In the Password Policy section under General Password Settings, select the password
requirements.
6. If you want to add other items, such as onboard applications, Silver Bullet Services, and so
on, select them now. For more information about policy settings, see “About policy settings”
on page 30.
7. When you are nished choosing policy settings, click the Save As New button.
NOTE: Some policy items are dependent on others. Not all policy items are available with
every device.
Editing policies
Each time you edit a policy, a new Policy Version is created. You can save policy changes as a new
version of the same policy or as a new policy with a distinct policy name. Each Policy Version
displays the number of Active devices (for Device policies) or users (for User policies) currently
using that version. When you edit a policy, the status of the previous policy version changes to
“Out-of-date.”
NOTE: Multiple Out-of-date policy versions can exist for the same policy. For example, if
a Device policy changes several times while a device is not being used or while a device is
unlocked from a computer with no Internet access, there will be several out-of-date policies.
1. In the Admin Console, click Manage Policies on the left sidebar.
2. In the Policy List, click the name of the policy that you want to edit.
For example, if you want to edit the Default Device policy, click the name Default Device.
3. When the policy opens, edit the policy settings and do one of the following:
• Click the Save Version button to save a new version of the same policy.
• Click the Save As New button to save the version with a new policy name. You must
provide a new name for the policy.
• Click the Cancel button to discard any policy changes.
NOTE: When all devices have updated to the latest policy version, the status of the “Out-
of-date” policy automatically changes to “Retired”. A retired policy version is automatically
removed from the Active Policies List.
Deleting policies
You can only delete a policy if no Active devices or users are using the policy (or a version of it).
Deleting a policy cannot be reversed. All versions of the policy are deleted. You can view deleted
policies but you cannot create a new policy from a deleted one.
PAGE 40IRONKEY EMS CLOUD ADMIN GUIDE
NOTE: Only an administrator who has been granted privileges to “Manage Policies” can delete
a policy.
1. In the Admin Console, click Manage Policies on the left sidebar.
2. In the Policy List, click the name of the policy that you want to delete.
3. Click the Delete button in the bottom-left corner of the Policy screen.
NOTE: The policy number is permanently retired and cannot be reused.
Viewing policies
You can change which policies display in the list according to their status, for example “Active”.
You can also download a list of policies.
To change the policy list view
1. In the Admin Console, click Manage Policies on the left sidebar.
2. In the Policy List menu bar, select one of the following settings from the View list.
• Active Policies
• Retired & Deleted Policies
• All Policies
TIP: You can sort the policies by column heading. Click the column heading, for example “Policy
Name”, “Active Devices/Users”, or “Created On” date, to sort in ascending or descending order.
To download a list of policies
• In the Policy List menu bar, click the Download button.
Updating policies on devices
USER POLICIES
When you edit a User policy, the online accounts to which the policy is applied will be updated
automatically after the administrator logs in to the management console. If an administrator is
already logged in when the update is received, the policy change will be implemented at the next
login attempt. For example, if the password policy settings have changed and the administrator’s
password no longer meets the requirements, the admin will be required to change the account
password the next time they log in.
DEVICE POLICIES
All devices will update to the most current version of the policy assigned to that device.
Checking for policy updates and downloading the latest policy happens automatically shortly
PAGE 41IRONKEY EMS CLOUD ADMIN GUIDE
after the user unlocks the device. Policy changes are then enforced the next time the device is
unlocked.
For example, if company password requirements change, an Admin can update the appropriate
items in the policy. The policy status for the affected devices is now in a pending state. The next
time an affected device is unlocked, it will check to see if it has the latest policy. Since the policy
password requirements have changed, the device will automatically download the latest policy.
The next time the device is unlocked, the new policy password requirements will be enforced.
The user will be forced to change his device password before being able to access his les.
For information about updating device rmware and software, see “Updating devices” on page
66.
PAGE 42IRONKEY EMS CLOUD ADMIN GUIDE
Managing Users and Groups
Each member of your IronKey EMS Account is called a “User”. You can organize users by
creating groups. This chapter contains information about:
» Viewing users and groups
» Managing users
» Managing groups
Viewing users and groups
You can view users in the Admin Console in two ways:
» By Group
» By Users
1. In the Admin Console, click Manage Users in the left sidebar.
2. To switch views between Group and User List click the Group or List icons in the
Manage Users menu bar.
TIP: You can download the list of users by clicking the Options button in the Manage Users
menu bar, and clicking Download. To receive the download by email, you can change your
online account preferences. See “Send downloaded data via email” on page 77.
Managing users
ABOUT USERS
Users are organized according to roles. Roles are assigned to users when you add the user to
the system. There are six roles in IronKey EMS.
» System Admin: This is the only role that can manage all system settings for your EMS Account,
assign any of the six roles to a new user or change the role of an existing user, manage all
users (including all administrators) and policies, and provide user and device assistance to all
users.
PAGE 43IRONKEY EMS CLOUD ADMIN GUIDE
» Custom Admin: This role is configurable. Administrative privileges may be granted in any of the
following areas, managing Standard Users and devices, managing policies, and providing user
and device assistance to Standard Users.
» Admin: This role can only manage Standard Users and provide them with user and device
assistance.
» Help Desk Admin: Can provide user and device assistance. This role cannot manage users or
policies.
» Auditor: Can only view the Admin Console with read-only access.
» Standard User: Has no administrative capabilities.
Administrative tasks are organized into categories according to the type of access required
in Admin Console to complete the tasks. The table below outlines which categories are
permitted for each role. For a complete list of the administrative tasks in each category, see
“Administrative Tasks by Category and Role” on page 44.
Role Access Level Category
System Admin • Manage System Administration
• Manage Standard Users
• Manage Policies
• User & Device Assistance
• View Admin Console
Admin • Manage Standard Users
• User & Device Assistance
• View Admin Console
Custom Admin* • Manage Standard Users
• Manage Policies
• User & Device Assistance
• View Admin Console
Help Desk • User & Device Assistance
• View Admin Console
Auditor • View Admin Console (read-only access)
Standard User No administrative capabilities
* System Admins can select the categories to which a Custom Admin
requires access by editing the Access Level Summary list on the User
Prole page, see also “Editing a user” on page 51.
NOTE: All administrator roles (including Help Desk and Auditor) must have an online account
in order to access the Admin Console.
ADMINISTRATIVE TASKS BY CATEGORY AND ROLE
The following table lists the administrative tasks that are available with each Access Level
category. The table outlines which administrative roles can perform the tasks in each category.
PAGE 44IRONKEY EMS CLOUD ADMIN GUIDE
Tasks by Access Level Category System
Admin Custom
Admin
Manage System Administration
Manage all users and devices (including all
administrator roles and Standard Users)
System Console
Update Management: Approve and manage
device updates
Message Center: Add or Edit Activation Email
Templates, Edit Reply-To Address for activation
email messages
Manage Standard Users (includes groups and devices)
User
Add single, Add multiple, Rename, Enable/Disable,
Edit email address
Edit Role, Delete
Group
Add, Edit, Rename, Move, Delete
Device
Add, Rename, Enable/Disable, Change Device
Policy, Recommission, Reset Password, Pair New
Smart Card, Force Read-Only, Recover
Delete, Detonate
Manage Policies
Add New, Edit, Save Version, Delete
User & Device Assistance
(Note: Custom Admins and Admins can assist only the Standard Users that they manage)
Send Password to User (S100, S200 & D200)
Resend Activation Code to User
Regenerate Expired Activation Code
Resend Activation Email to administrator**
Reset Password for User
Recommission Device
Recover Device
View Admin Console
View Groups, User Proles, Devices, Policies,
History/Logs, Dashboards
•
•
•
• • •
•
• • •
• • •
•
• •
• • • •
• • • •
• • • •
• •
• • • •
• • • •
• • • •
• • • •
Admin*
Help
Desk
(Standard
Users
only)
(Standard
Users
only)
Auditor
•
(read-only)
PAGE 45IRONKEY EMS CLOUD ADMIN GUIDE
Tasks by Access Level Category System
Admin
* These privileges can be enabled for each Custom Admin user by editing the Access Level Summary list
on the User Prole page, see also “Editing a user” on page 51.
** Only applies to administrators who use Web-based login (username & password) to access Admin
Console.
Admin Custom
Admin*
Help
Desk
Auditor
ADDING A USER
When you add a user, you must set the options listed in the following table.
Option Description
Name Optional; Enter the rst and last name of the user.
Email The email address is required if you want to send an email message with the
device Activation Code or account Activation URL (for administrators who
use Web-based login); it is also required so the user can create an online
account and successfully activate a device.
Role Lets you specify the role of the user. Only System Admins can add
administrators. When you select a role, the “Access Level Summary” box lists
the privileges granted to that role. Privileges include:
• Manage System Administration
• Manage Standard Users*
• Manage Policies*
• User & Device Assistance*
• View Admin Console*
If you select specic privileges in the box, the corresponding role will change in
the list.
* The Custom Admin role may be granted any combination of these privileges.
For details about the tasks available with each privilege by Role, see
“Administrative Tasks by Category and Role” on page 44.
Authenticate to
management console
using
Policy Lets you choose the Device Policy to apply to the device during device
Applies to all roles except Standard Users. When adding an administrator
(System Admin, Admin, Custom Admin, Help Desk, or Auditor), this setting
determines how the administrator will log in to the management console.
• Device & password—This option requires the administrator to log in to
Admin Console using the application in the Control Panel on the device.
Note: Admin Console is not available on D300M or Sentry EMS devices.
• Username & Password—This option allows administrators to use a
Web-based login (URL) to access the Admin Console, no device is required.
activation. For administrators who use Web-based login to access the Admin
Console, this is the User Policy to apply to the user’s online account during
account activation. For more information, see “Device Policy Settings” on page
32 or “User Policy Settings” on page 30.
PAGE 46IRONKEY EMS CLOUD ADMIN GUIDE
Option Description
Group Type the name of the group to which you want to add the user. When you
start typing, a dynamic list of groups that begin with the letters typed will
display; you can select the group from this list. Admin and Custom Admin users
will see only those groups to which they belong; you must be a member of
the group in order to add a user to it. System Admins, or Admins who belong
to the main “Default Group” for your organization can see all groups and add
users to any group. To view the entire group tree, type a forward slash “/” after
the group name, for example “Default Group/”.
Select Device This section applies to device users only and allows you to select the device
type the user will receive: Secure Storage or Workspace.
You cannot select a device for administrators who will use Web-based login
to access the management console; if required, you can add a device for these
users after they activate their account.
Send Activation Email
to User
Determines whether to send an activation email to the user. For users
who will activate a device, the message contains the Activation Code for
their device. For administrators who will use Web-based login to access the
management console, the message contains the Activation URL for their online
account. To customize the activation email message, see “Editing the Device
Activation Email” on page 58 or “Editing the User Activation Email” on page
48.
You can choose not to send an automated email to device users. However, you
cannot disable this option for administrators using Web-based login. If you do
not send an automated email to device users, make sure that you give them
the device activation code either manually or through another email system, or
activate the device for the user. See “Activating a device for a user” on page
59.
To add a user
1. In the Admin Console, click Manage Users from the sidebar.
2. Click the Add button in the top right and click Add User.
If you want to add more than one user at once, see “Adding multiple users” on page 49.
3. Enter the following user information:
• Name
• Email
• Role
• Authenticate to Management Console using—Choose from the following options:
• Device & Password—Administrators can log in using only the Admin Console
link on the device. Note: Admin Console is not available on D300M or Sentry
EMS devices.
• Username & Password—Administrator can log in to the Admin Console
application from a Web URL. No device is required.
• Policy
• Group
4. Under Select device, choose the type of device the user will receive. You can only choose
PAGE 47IRONKEY EMS CLOUD ADMIN GUIDE
one device type. If required, you can add other devices after the user activates this device.
See “Adding new devices to users” on page 60.
• Secure Storage: S100, X200 (S200, D200), X250 (S250, D250), H300, H350,
S1000, D300M, Sentry EMS
• Workspace: W500, W700, W700-SC
• Type the Admin Code in the text box and then re-type to confirm the code in
the Confirm text box.
• This code must be the same as the code that is set by an Admin on the user’s
device during initialization. The code unlocks the operating system partition so
that an Admin can install Windows To Go. For more information about deploying
Workspace devices, see the IronKey Workspace IT Administrator Handbook.
5. Make sure the Send Activation Email to User check box is enabled and select the email
message template that you want the user to receive from the list.
6. Click the Save button. The user is added to the EMS Account and, if applicable, an automated
email with activation instructions is sent to the user.
TIP: If you are in Group mode, you can also add a user by right-clicking anywhere in the Group
Mode dialog box, and clicking Add User.
NOTE: For information about activating a device, see “Activating a device for a user” on page
59. For information about activating an online account, see “Activating your online account”
on page 75.
EDITING THE USER ACTIVATION EMAIL
IronKey EMS provides a Default User Activation Email template. The email is sent when you
add a new administrator with Web-based login access to the Admin Console. The message must
contain a verication URL that opens the online account activation page so administrators can
create their online account. Only System Admins can customize the message. For example,
you can include organization-specic support, help desk, and other information. Follow these
guidelines when editing the message:
» The message body supports 10,000 total characters. Refer to the counter that appears
under the message body to determine how many characters remain.
» Only text is supported; if you enter HTML-formatted source, recipients will see the message
as raw HTML source code.
» The “Insert Verfication URL” variable is mandatory.
You can also set the “reply to” address so end users can reply directly to the Admin who sent
them the email or to an alias, such as an IT help desk.
To edit the Default User Activation Email template
1. In the management console, click the System Console tab.
2. Click Message Center from the left sidebar.
3. From the Email Template Name list, select Default User Activation Email.
PAGE 48IRONKEY EMS CLOUD ADMIN GUIDE
If you want to create a new template, click Add Email Template.
4. Add your changes in the email and click Save.
• If you want to insert variables, such as User Name, Admin’s name and email address, place
the cursor where the variable should appear in the Subject or Body, click the Insert
Variable list and select the variable.
5. Click the Send Test Email to send yourself a test copy of the message.
TIP: You can reset the template to the default version by clicking the Revert to Default
button in the template.
NOTE: If the required variable is not part of the message body, an inline error message is
displayed. You cannot save the email message until you add the required variable.
NOTE: Changes to the Activation Email are effective immediately after you save the le. The
next Activation Email that is sent will use the updated message.
To set the “reply-to” address
1. In the management console, click the System Console tab.
2. Click Message Center from the left sidebar.
3. In the Message Center, click the Edit button under Email Settings.
4. In the Reply-To Address list, choose one of the following options:
• Admin’s Email (default address)
• Email Alias
• Do-Not-Reply
5. Click the Save button.
NOTE: For S200 and D200 devices, when you add a new Admin user, you must approve the
Admin before he will receive administrative privileges. Once the user activates the device, you
will receive a reminder by email to approve the new Admin user. For more information, see
“Approving Admin users” on page 73.
ADDING MULTIPLE USERS
You add multiple users by creating a comma-separated value (CSV) list that contains the
following user information:
» Name—user name
» Email—email address for user’s online account
» Group—must be an existing group name
» Role—System Admin, Admin, Help Desk, Auditor, Standard User
» Policy Name—must be an active policy
» Admin Code— applies only to Workspace devices (W500, W700, W700-SC) and must be
included or devices will not activate properly
You can add up to 250 users at a time. All users must have a device; you cannot add
administrators who use Web-based login (username & password) to authenticate to the Admin
Console. The CSV le must use this format:
PAGE 49IRONKEY EMS CLOUD ADMIN GUIDE
Name,Email,Group,Role,Policy Name,Admin Code
For example:
1. Adding a user with a Workspace device: W500, W700, or W700-SC device
John Doe,John_Doe@organization.com,IT Group,Auditor,IT Policy,
AC5sr83$s
The resulting user would be:
• User Name: “John Doe”
• Email Address: “John_Doe@organization.com”
• Group: “IT Group”
• Role: “Auditor”
• Device Policy: “IT Policy”
• Admin Code: “AC5sr83$s”
2. Adding a user with a Storage device: S200/D200, S250/D250, H300, H350, S1000, D300M, or
Sentry EMS device
Ann Jones,Ann_Jones@organization.com,Finance,Standard User,User
Policy
The resulting user would be:
• User Name: “Ann Jones”
• Email Address: “Ann_Jones@organization.com”
• Group: “Finance”
• Role: “Standard User”
• Device Policy: “User Policy”
NOTE: All elds are optional except the Admin Code (Workspace devices only). If a eld is
not specied, the following default values are used: Role—Standard User, Policy—Default Policy,
Group—currently selected group. Unless you are a System Admin, you can only add Standard
Users.
When you add users, you can also send them the device activation codes by email using one of
the Activation Email templates listed. There are two Default Activation Email templates, one for
Storage devices and one for Workspace devices. If the devices assigned to these users include
a mix of Storage and Workspace devices, choose the “Default By Device Type” option when
selecting which email template to use. This option will send the appropriate Default activation
email message according to the device type that is assigned to the user. For example, in the
above examples, John Doe will receive the Default Workspace Activation Email message because
he has been assigned a Workspace device. Similarly, Ann Jones will receive the Default Storage
Activation Email message because she has been assigned a Storage device.
To add multiple users
1. In the Admin Console, click Manage Users from the sidebar.
2. Click the Add button in the top right and choose Add Multiple Users.
3. Copy and paste the content of a CSV le into the text box provided.
PAGE 50IRONKEY EMS CLOUD ADMIN GUIDE
4. If you want to email activation codes to new users, make sure to enable the Send
Activation Email... check box. The CSV list must include email addresses for all users
listed in the le. Select an email template from the list. Choose the Default by device type
option to send either the Default Storage Activation Email template or Default Workspace
Activation Email template depending on the device type assigned to the user. For information
about how to edit the default templates, see “Editing the Device Activation Email” on page
58.
5. Click Continue.
6. If there are errors in the data you entered, correct them, and then click the Submit button.
7. If the user data is valid, click the Submit button to upload the information.
8. The users are added to the EMS Account and, if applicable, automated emails with device
activation instructions are sent to the users.
9. If you want to save a copy of the Activation codes, click the Download Activation Codes
button.
You can now distribute devices to these users.
IMPORTANT: Even if you do not want the users to receive an email, we strongly recommend
providing their email addresses to avoid problems during activation and online account setup.
NOTE: When adding 50 or more users at a time, you will be emailed a Perl script to send
the activation emails from your internal mail server. This ensures that all users receive their
activation codes.
EDITING A USER
When you edit a user, you can enable or disable the user, you can also change settings in the
user’s prole, such as the user’s Name, Email Address, Group, and Role (System Admins only).
NOTE: For information about adding a device for a user or deleting users, see “Adding new
devices to users” on page 60 and “Deleting a user” on page 52.
1. In the Admin Console, click Manage Users from the sidebar.
2. In List mode, click the check box for the user you want to edit.
3. Click the Edit button in the menu bar then choose one of the following actions:
• Rename—Type a name in the box
• View User Profile—Opens the User Profile page. Click the Edit button and then make
your changes to the user’s settings (Name, Email Address, Group, and Role).
• Enable/Disable—Blocks access to all of the user’s devices. For administrators who use
Web-based login to access the Admin Console, this operation will disable or enable their
online account.
• Change User Policy—Applies only to administrators who use Web-based login to
access the Admin Console.
TIP: If you are in Group mode, right-click the name of the user and choose the action from
the list. You can also click the user name and click the Edit button on the menu bar.
NOTE: Some actions may appear grayed out if they are not available for that user.
PAGE 51IRONKEY EMS CLOUD ADMIN GUIDE
Changing the role of a user
Only System Admins can edit the “Role” setting. When a System Admin promotes a Standard
User to an Admin, the following conditions apply:
» For S200 and D200 devices, a System Admin must first approve the role change. For more
information, see, “Approving Admin users” on page 73.
» Admin privileges take effect when the user unlocks the device and accesses their online
account from the Control Panel. The Admin Console or Admin Tools application (S200/D200
devices only) will appear in the Control Panel.
Note: Admin Console and online account access is not available with a D300M or Sentry
EMS device. The promoted administrator must activate another device to use as their Admin
device.
» Promoted administrators cannot use Web-based login to access the Admin Console and
must start the application from their device.
NOTE: If a Standard User does not have an online account when promoted to an Admin, you
must update the policy that is applied to the user’s device. Once the device is updated with the
new policy, the user can set up and access their online account. Not available with D300M or
Sentry EMS devices.
DELETING A USER
Only System Admins can delete users. When you delete users, all of their devices are disabled.
You can recommission a disabled device to activate it for another user. The system maintains all
the Account & Device activity of deleted users for auditing purposes. You cannot delete multiple
users if one of the users selected is a System Admin.
IMPORTANT: Deleting users is not reversible. There is no “Undo” operation.
1. In the Admin Console, click Manage Users from the sidebar.
2. In List mode, click the check box for the user to delete. To delete multiple users, select the
check box for each user to delete.
3. Click the Edit button in the menu bar then click Delete.
TIP: If you are in Group mode, right-click the name of the user and click Delete.
VIEWING USER INFORMATION
You can view information about each user in the Users List. As part of the user prole, a status
is associated with each user to indicate the state of their user account.
To view a user’s prole
1. In the Admin Console, click Manage Users from the sidebar.
2. Click the name of the user from the Name list.
PAGE 52IRONKEY EMS CLOUD ADMIN GUIDE
If you are in Group mode, right-click the name of the user and click View User Prole.
TIP: Click the Edit button to change user settings in the prole, such as the user’s Name, Email
address, Group, and Role (System Admins only), and Policy (applies to administrators who use
Web-based login). For more information, see “Editing a user” on page 51.
NOTE: Only System Admins and Help Desk admins can view the “Username” of administrators
who use Web-based login to access Admin Console. Admins and Custom Admins cannot view
this information on the “View User Prole” page.
User Status List
The following list describes possible user states.
» Pending: System is waiting for user to activate their device or online account if the user is an
administrator who does not have a device and uses Web-based login to access the Admin
Console.
» Active: User has activated at least one device and has set up the online account.
» Active (without online account): User has activated at least one device but does not have an
online account.
» Locked: User’s online account has been locked after three incorrect answers to challenge
questions. Does not apply to D300M or Sentry EMS devices.
» Disabled: User’s account has been temporarily disabled by an Admin.
» Disabled (without online account): A user who does not have an online account has been
temporarily disabled by an Admin.
» Deleted: User’s name has been deleted by a System Admin. Devices assigned to the user can
be recommissioned.
SEARCHING FOR A USER
You can search for a user name; suggested matches appear as you type.
• In the Admin Console, type the name of the user in the search box, located in the upperright corner of the header, and then click the Search button.
TIP: You can also click the Options icon in the search box to include searching comment elds
or deleted users.
Managing groups
By default, all users are created as members of a single group. Admins can manage users more
effectively by organizing users into different groups. Every user, including administrators, can be a
member of only one group.
NOTE: For information about switching between user and group mode, see “Viewing users and
groups” on page 43.
PAGE 53IRONKEY EMS CLOUD ADMIN GUIDE
ABOUT GROUPS
Groups are created using a tree-based structure, where every group has a parent or higher
level group, and every group may have children or lower level groups. Every child group can
have its own children. This enables delegated administration by creating sets of users that can be
managed by specic admins.
Admins can manage Standard Users in their group and in any child groups. Admins can also
manage any child groups within their group. System Admins can manage any Standard User or
Admin User regardless of the group to which the System Admin user belongs.
When you add a new user, you can also add them to a group. Admins can only add users to a
group to which the Admin is also a member.
Example
If your company uses a central Help desk to support a global user base, you should add the
Help desk admins to the Default Group (root) so that they can see all users. If other Admins are
responsible for a select group of users, you can add each Admin to a specic group of users; the
Admin can also manage any child groups within that group. The following diagram outlines a
sample group conguration.
» Company ABC created three main parent groups under the Default Group (root) group:
Asia-Pacific, Europe, and North America.
» Child groups were added to each parent group for countries in each region.
» A main Help desk Admin was added to the Default Group (root). This Admin can view and
add users to any child group under the Default Group (root).
» An administrator was added to each region group to manage the users and child groups in
that region. An administrator who belongs to a specific region group can only add new users
to that group. For example, an administrator from the group “Asia-Pacific” cannot add a new
user to the “Europe” group because the administrator is not a member of the “Europe”
group.
ADDING A GROUP
1. In the Admin Console, click Manage Users from the sidebar.
PAGE 54IRONKEY EMS CLOUD ADMIN GUIDE
2. In Group Mode, click the Add button in the menu bar and click Add Group.
3. Type a name for the group.
TIP: You can also add a group by right-clicking anywhere in the Group mode dialog box and
clicking Add Group.
TIP: You can rename a group by right-clicking the group name and clicking Rename Group.
MOVING USERS TO A GROUP
• In Group mode, select the users to move from the user list (right side of page) and drag
them to a group.
NOTE: All users (except System Admins) can be part of only one group.
DELETING GROUPS
You can only delete groups that do not have users.
• In Group mode, right-click the group to delete from the list of groups (left side of page) and
click Delete Group.
PAGE 55IRONKEY EMS CLOUD ADMIN GUIDE
Managing Devices
Users can have one or more devices. Device behavior is managed through policies that are
dened in the Admin Console. For more information about policies, see “Managing Policies” on
page 29.
Viewing device information
Devices include the following properties listed in Admin Console. You can also download this
information.
• In the Admin Console, click Manage Devices from the sidebar.
A list of devices will appear. If you want to see details about a specic device, click the device
name.
TIP: To change which devices display in the list, click the View list from the menu bar and
select either Current Devices or All Devices.
NOTE: “Disabled” and “Recommissioned” devices do not display in the Current list.
Property Description
Device Name Useful for taking inventory of the Case ID
User Name of user added to device
Status Similar to user status, describes actions that affect the device
Policy Name of policy associated with the device
Model Hardware model number of the device, for example D250
Capacity Amount of storage on the drive (in GB)
Version Version of software running on device
PAGE 56IRONKEY EMS CLOUD ADMIN GUIDE
Property Description
Serial number Consistent, unique serial numbers for enhanced asset inventory management
and endpoint security control. The device serial number is listed on the “Device
Prole” page in Admin Console or on the device in the “Device Info” section of
the Control Panel. Some devices also list the serial number in the one or more
of the following places:
• As a matching barcode on the outer case of the device
• As the USB serial number visible to the host computer operating system
(for security white listing and inventory management by other products)
• Laser etched onto the device with the barcode
• Printed on product packaging
For S100 devices only, it displays the eight right-most digits of the Cryptochip
inside the device.
Activated On Date on which device was activated.
DOWNLOADING DEVICE INFORMATION
For large-scale deployments, you can download information about all devices in the system to
a .CSV le for electronic transfer to another system. You can also download the activity history
for a specic device on the device’s prole page.
To download all device data
1. In the Admin Console, click Manage Devices from the sidebar.
2. On the Device List menu bar, click the Download button.
To download the activity history for a device
1. In the Admin Console, click Manage Devices from the sidebar.
2. Click the name of the device for which you want to review the activity history.
3. On the Device Prole page, under Activity History, click the Download button.
TIP: You can view events based on a specic time period by clicking the View list and selecting
the time frame.
TIP: To receive the download by email, you can change your online account preferences. See
“Editing your online account settings” on page 69.
Activating devices
Devices are typically activated by the end user using instructions they receive in an email
from an administrator. The email contains the Activation Code for the device. You can edit the
activation email that is sent to users. You can also manually activate a device for a user.
NOTE: Information about activating devices is also found in the device User Guide.
PAGE 57IRONKEY EMS CLOUD ADMIN GUIDE
EDITING THE DEVICE ACTIVATION EMAIL
IronKey EMS provides two Default Activation Email templates, one template for Storage
devices and one for Workspace devices. You can send an Activation Email when adding a new
user, adding a device to an existing user, or when a user has misplaced the original email. You
can customize the message to include organization-specic support, help desk, and other
information. Follow these guidelines when editing the Activation Email:
» The message body supports 10,000 total characters. Refer to the counter that appears
under the message body to determine how many characters remain.
» Only text is supported; if you enter HTML-formatted source, recipients will see the message
as raw HTML source code.
» Some variables, such as “Activation Code” and “User’s Email” (S200 and D200 only) are
mandatory.
You can also set the “reply to” address so end users can reply directly to the Admin who sent
them the email or to an alias, such as an IT help desk.
To edit the Default Device Activation Email template
1. Plug in and unlock your device.
2. Click the Applications button on the menu bar, and then click Admin Console.
3. After your online account opens, click the System Console tab and click Message
Center from the left sidebar.
4. From the Email Template Name list, select one of the following Default Activation Email
templates:
• Default Storage Activation Email
• Default Workspace Activation Email
If you want to create a new template, click Add Email Template.
5. Type your changes in the email and click Save.
• If you want to insert variables, such as User Name, Activation Code, Admin’s name and
email address, place the cursor where the variable should appear in the Subject or Body,
click the Insert Variable list and select the variable.
6. Click the Send Test Email to send yourself a test copy of the message.
TIP: You can revert back to the default template by clicking the Revert to Default button in
the template.
NOTE: If the required variables are not part of the message body, an inline error message is
displayed. You cannot save the email message until you add the required variables.
NOTE: Changes to the Activation Email are effective immediately after you save the le. The
next Activation Email that you send will use the changed message.
To set the “reply-to” address
1. Follow the rst three steps in the “To edit the Default Device Activation Email template”
procedure.
PAGE 58IRONKEY EMS CLOUD ADMIN GUIDE
2. In the Message Center, click the Edit button under Email Settings.
3. In the Reply-To Address list, choose one of the following options:
• Admin’s Email
• Email Alias
• Do-Not-Reply (default)
4. Click the Save button.
NOTE: The default address is set to Admin’s Email.
ACTIVATING A DEVICE FOR A USER
In some circumstances, you may not want users to be involved in device activation. You can
manually set up the devices for these users.
1. Add the user (see page 46) to IronKey EMS and make sure to clear the check box that
would send the user an activation email.
We strongly recommend that you add the email address even if you are not sending a
message to the user to avoid problems during account setup.
2. Capture the setup information when it is presented on the screen, including the Activation
Code for the user’s device.
3. Plug the device into your computer’s USB port. The Device Setup screen appears.
The setup software runs automatically from a virtual CD (200 Series), virtual DVD (250
Series, D300M, Sentry EMS). This screen may not appear if your computer does not allow
devices to autorun or if you are activating a W500, W700, W700-SC, H300, H350, S1000,
which mounts as a drive. You can start it manually by doing one of the following:
• WINDOWS: In a file manager, open the IronKey or Unlocker drive and double-click
IronKey.exe or Unlocker.exe.
• MAC: In Finder, open the IronKey or Unlocker drive and double-click the IronKey or
Unlocker application.
4. Copy and paste the Activation Code for the user.
5. If prompted, select a default language preference, agree to the end-user license agreement,
and then click the Activate button.
By default, device software will use the same language as your computer’s operating system.
6. When the device password screen (or smart card PIN screen for W700-SC devices) appears,
exit the setup process and unplug the device.
7. Give the device to the appropriate user. Make sure that you do not mix up devices. Use the
serial number on the back of the device as a reference.
NOTE: New Sentry EMS devices are, by default, unmanaged devices when rst set up. To
activate these devices with IronKey EMS, open the Control Panel on the device. In Tools, under
Device Management, click Manage with EMS. For more information, see the Sentry EMS
User Guide. Once a Sentry EMS device has been activated with IronKey EMS, any subsequent
activations, for example if the device is recommissioned and given to another user, will follow
the procedure described above for IronKey EMS devices.
PAGE 59IRONKEY EMS CLOUD ADMIN GUIDE
Adding new devices to users
Devices are automatically added to the system when they are activated for a new user. You can
add another device to a user. When you add the device, the device status is set to “pending”
until the device is activated. Only System Admins can add devices to Admin users.
1. In the Admin Console, click Manage Users from the sidebar.
2. In List Mode, click the name of the user from the Name column.
3. On the User Prole page, under Devices, click the Add Device button.
4. Select the device policy.
5. Under Select Device, choose the type of device the user will receive. Note: The term
“x200” or “x250” refers to all device models in the 200 or 250 series.
• Secure Storage: S100, X200 (S200, D200), X250 (S250, D250), H300, H350,
S1000, D300M, Sentry EMS
• Workspace: W500, W700, W700-SC
6. If you selected a Workspace device, type the Admin Code in the text box and then re-type
to conrm the code in the Conrm text box. This code must be the same as the code that is
set by an Admin on the user’s device during provisioning. For more information about W500,
W700, or W700-SC device deployment, see the IronKey Workspace IT Administrator Handbook.
7. If you want to send an automated Activation Code email to the user, click the Email
Activation Code to User check box and select the email template from the list.
8. Click the Submit button.
TIP: If you are in Groups Mode, select the group, and then select the user. Click the Add
button, and then click Add Device.
NOTE: For information about modifying Default Activation Email templates, see “Editing the
Device Activation Email” on page 58.
Editing device proles
You can change the device name and policy by editing the device prole. Devices also include
a comments section, where you can write information specic to that device. For example,
you can track inventory data, the serial ID, or information regarding the use or purpose of this
device.
To edit device prole data
1. In the Admin Console, click Manage Devices from the sidebar.
2. In the Device column, click the device name.
3. Click the Edit button on the Device Prole page and do one of the following:
• To change the device name—type a new name in the box
• To change the device policy—select a policy from the list
PAGE 60IRONKEY EMS CLOUD ADMIN GUIDE
TIP: You can edit the device policy for multiple devices at once. In the Device list on the
Manage Devices page, click the check box for the devices you want to edit and click the Edit
button.
To edit device comments
1. On the Device Prole page, in the Comments section, click the Edit button.
2. Type the comments in the text box and click the Save button.
Deleting devices
Only System Admins can delete devices. Once deleted, the device status in Admin Console
immediately changes to “Deleted” and the device no longer uses a device license. You
cannot undo a Delete operation. You can only recover the device (to retrieve data on it) or
recommission and activate it for another user.
If a user tries to unlock a deleted device (S100, S200/D200, S250/D250, H300, H350, S1000,
D300M, or Sentry EMS), IronKey EMS will permanently disable the device and prevent the
user from unlocking it. If the device cannot connect to IronKey EMS, for example the host
system has no Internet access, the device policy setting for Silver Bullet Access Controls (Max
Unlocks Without Connection) is applied. When a user exceeds the maximum number of unlock
attempts without connecting to IronKey EMS, the user is prevented from unlocking the device.
1. In the Admin Console, click Manage Devices from the sidebar.
2. In the Device column, click the device name.
3. Click the check box in the All column for the devices that you want to delete, and then click
the Delete Device button on the Action menu bar at the bottom of the list.
TIP: You can also delete a device from the Manage Users page. In Group Mode, expand the user,
right-click the device, and then click Delete. You can also select the device, click Edit and then
click Delete.
CAUTION: With W500, W700, or W700-SC devices, if the user is currently not using the
device, deleting a device will cause the operating system to stop responding the next time the
device contacts IronKey EMS.
Searching for a device
You can search for a device by name or serial number. Suggested matches appear as you type.
• In the Admin Console, type a device name or serial number in the search box, located in the
upper-right corner of the header, and then click the Search button.
TIP: You can also click the options icon in the search box to include searching within comments
elds or deleted devices.
PAGE 61IRONKEY EMS CLOUD ADMIN GUIDE
Managing devices remotely with Silver Bullet
The Silver Bullet Service provides two main areas of administrative control:
» Allows you to remotely manage devices by:
• Resetting a device password (Admin-initiated) (S250/D250, W500/W700, H300, H350,
and S1000 devices only)
• Pairing a new smart card with a device (W700-SC devices only)
• Recovering devices (S250/D250, W500/W700/W700-SC, H300, H350, and S1000 devices
only)
• Recommissioning devices (S250/D250, W500/W700/W700-SC, H300, H350, S1000,
D300M, and Sentry EMS devices only)
• Disabling and enabling devices
• Detonating a device (Not available for D300M or Sentry EMS devices)
• Forcing Read-Only mode (S250/D250, H300, H350, S1000, D300M, and Sentry EMS
devices only)
» Protects critical data by requiring devices to check for authorization prior to unlocking.
Applies to storage devices only (S100, S200/D200, S250/D250, H300, H350, S1000, D300M,
and Sentry EMS).
• When a user unlocks a device, the device quickly checks with the Silver Bullet Service to
ensure that the device is in good standing and coming from a Trusted Network IP address
(if enabled in policy).
• If the user is not connected to the Internet, the device cannot check for authorization.
The device policy controls how many unlock procedures it will allow before disabling the
device until contact to IronKey EMS is restored.
Devices that you want to manage using Silver Bullet Services must use a policy that has Silver
Bullet enabled. For more information about Silver Bullet policy settings, see “Silver Bullet Policy
Services” on page 31.
RESETTING A DEVICE PASSWORD (ADMIN-INITIATED)
If a user forgets the device password, Admins can remotely force a password reset. The user
cannot access les or applications until the password is changed. You must enable the Silver
Bullet Password Reset feature (available with S250/D250, W500/W700, H300, H350, and S1000
devices only) in the device policy to reset a user’s device password. For S200/D200 device users,
see “Assisting with passwords” on page 71.
Resetting a device password does not affect device policy settings or commands, such as the
Force Update policy setting or the Force Read-Only Mode command, that may force a device to
unlock in Read-Only mode. Once the user changes the password, devices that are required to
unlock in Read-Only mode will unlock with read-only access.
Password Reset (Admin-initiated) is not available with D300M or Sentry EMS devices; however,
if Password Reset (User-initated) is enabled in the password policy of the device, users can
reset their password. Admins can provide users with the Recovery Code (located on the Device
PAGE 62IRONKEY EMS CLOUD ADMIN GUIDE
Prole page of Admin Console) if necessary; the code is typically sent through email when a
user initiates a password reset procedure.
For more information about Silver Bullet policy settings, see “Silver Bullet Policy Services” on
page 31.
1. In the Admin Console, click Manage Devices from the sidebar.
2. In the Device column, click the device name. The Device Prole page opens.
3. In the Silver Bullet section, click the Reset Password button.
4. Read the message and click OK.
5. Plug the device into a computer within 30 minutes of initiating a Password Reset command.
TIP: If the policy allows, users can also reset their password by inserting the device and clicking
the Password Help button on the login screen.
PAIRING A NEW SMART CARD WITH A DEVICE
This applies to W700-SC devices only. You can force a user to pair a new smart card with the
device if the current smart card is expired, lost or stolen. The user will be prompted to pair a
new card on next use.
1. In the Admin Console, click Manage Devices from the sidebar.
2. In the Device column, click the W700-SC device name. The Device Prole page opens.
3. In the Silver Bullet section, click the Pair New Smart Card button.
4. Read the message and click OK.
5. Plug the device into a computer within 30 minutes of initiating the command.
RECOVERING DEVICES
You can remotely recover secure storage devices (S250/D250, H300, H350, or S1000) to access
critical les on the secure storage partition, for example if an employee has left the organization
or is under investigation and authorities need to audit the device, Trusted Computer, or
Network. Once the device receives the Silver Bullet, it will unlock the secure partition so that
you can access the data on it.
A recovered device will unlock with read-write access even if the device policy should enforce
Read-Only mode. For example, with Force Update, the device policy can force a device to
unlock in Read-Only mode if the grace period for updating the device has expired. If you
recover a device in this scenario, you will have read-write access to the device until you lock or
unplug the device. Read-Only mode will be enforced the next time the device is unlocked.
With Workspace devices (W500, W700, or W700-SC), the Recover command unlocks the
secure operating system (OS) partition on the device. This command should be used only when
other methods to recover or repair the OS have failed. Once unlocked, you must assign a drive
letter to the OS partition using the Microsoft Windows Disk Management Tool before you can
PAGE 63IRONKEY EMS CLOUD ADMIN GUIDE
attempt to repair or recover les on the drive. The device recovery operation is a one-time
event only. When you unplug the device, the OS partition will automatically lock.
1. In the Admin Console, click Manage Devices from the sidebar.
2. In the Device column, click the device name. The Device Prole page opens.
3. In the Silver Bullet section, click the Recover Device button.
If you have not already plugged in the device, do so now (there is a 30 minute time limit).
NOTE: You can recover S100, S200, or D200 devices using the Admin Tools on a 200 Series
administrative device. For more information, see “To recover an S200 or D200 device” on page
72.
RECOMMISSIONING DEVICES
Remotely recommissioning an S250/D250, W500, W700, W700-SC, H300, H350, S1000,
D300M, or Sentry EMS device permanently deletes all device data and returns the device to an
uninitialized state. The device status will change to ‘Recommissioned’ in Admin Console. You can
recommission a device to give to another user, for example, if an employee leaves the company.
The device status will change to “Active” when you re-activate a recommissioned device.
NOTE: With D300M and Sentry EMS devices, Admin Console will also list the device status as
“Recommissioned” if it has been re-activated from an uninitialized state. For example, if a user
enters the password incorrectly 10 times, the device will reset to an uninitialized state. Admin
Console will list the device status as “Active” until it is re-activated. Once re-activated, the
status of the old instance of the device will change to “Recommissioned”.
1. In the Admin Console, click Manage Devices from the sidebar.
2. In the Device column, click the device name. The Device Prole page opens.
3. In the Silver Bullet section, click the Recommission Device button.
4. Plug the device into a computer.
NOTE: You can recommission S100, S200, or D200 devices using the Admin Tools on a 200
Series administrative device. For more information, see “Recommissioning devices” on page
73.
CAUTION: With W500, W700, or W700-SC devices, if the device is currently booted in
Windows To Go, the user will receive a warning and then the device will stop responding.
DISABLING AND ENABLING DEVICES
When a device is lost or stolen, you can disable the device in the Admin Console. Disabling
a device deactivates its services and ensures access control protection. Using Silver Bullet
Services, when a device checks with IronKey EMS, it receives a “Deny” command and the user is
prevented from unlocking the device.
Unlike recommissioning or detonating devices, you can re-enable a device if the device is found.
PAGE 64IRONKEY EMS CLOUD ADMIN GUIDE
CAUTION: With W500, W700, or W700-SC devices, if a user is currently booted into the
Windows To Go operating system, disabling the device will cause the operating system to stop
responding when the device contacts IronKey EMS to receive the Silver Bullet. This could cause
permanent damage to the operating system and loss of data.
To disable a device
1. In the Admin Console, click Manage Devices from the left sidebar.
2. In the Device List, click the check box in the All column next to the device you want to
disable.
If you want to disable multiple devices at once, select the check boxes for each device that
you want to disable.
3. Click the Disable Device button in the Action menu bar at the bottom of the page.
TIP: You can also disable a device by clicking the device name. On the Device Prole page,
click the Disable Device button. If you are on the Manage Users page (in Group mode),
right-click the user’s device and click Disable Device or select the device, click the Edit
button, and then click Disable.
NOTE: You cannot disable the device you are currently using.
To enable a device
1. In the Admin Console, click Manage Devices from the left sidebar.
2. On the Manage Devices page, change the view to All Devices.
3. Locate the disabled device.
4. Click the device name to open the Device Prole page.
5. Click the Re-Enable button.
TIP: You can also enable a device from the Manage Users page (in Group Mode). Locate the
user with the disabled device. Right-click the device and click Enable Device.
DETONATING A DEVICE
If a device has been lost or stolen and the data must be protected at all costs, the Admin can
mark the device for remote detonation. The device status will be “Active (Pending Detonation)”.
The next time the device is plugged into a network-enabled computer, it will receive a
“Detonate” command and immediately self-destruct. A detonated device cannot be used again.
NOTE: D300M and Sentry EMS devices cannot be remotely detonated.
1. In the Admin Console, click Manage Devices from the sidebar.
2. In the Device column, click the device name. The Device Prole page opens.
3. In the Silver Bullet section, click the Detonate Device button.
NOTE: You can only cancel a Detonate device command if the device has not yet connected
to IronKey EMS.
PAGE 65IRONKEY EMS CLOUD ADMIN GUIDE
FORCING READ-ONLY MODE
If an employee is working in an untrusted environment you can remotely force the S250/D250,
H300, H350, S1000, D300M, or Sentry EMS device to open in Read-only mode.
1. In the Admin Console, click Manage Devices from the sidebar.
2. In the Device column, click the device name. The Device Prole page opens.
3. In the top right of the page, click the Force Read-Only button.
Updating devices
When set in policy, devices will automatically check for software updates after seven days, two
minutes after the device is unlocked. Users can also manually check for updates at any time
from the Control Panel. When a new update is detected, users are prompted to download and
install the update. If the policy is set to automatically check for updates, you can also force users
to update their devices by enabling the Force Update feature. See “Forcing a software update”
on page 66.
NOTE: Not available with D300M or Sentry EMS devices.
To check for and install updates immediately
1. Plug in and unlock the device then click the Check for Updates button in the Control
Panel. The device must have access to IronKey EMS to download the update.
2. Click Download and follow the instructions in the Device Updater.
NOTE: Updates can be performed in Windows only.
FORCING A SOFTWARE UPDATE
When set in policy by a System Admin, the Force Update feature forces users to update
their devices (S250 or D250 running version 3.5.0.0 or higher) to the latest approved
software version. The Force Update feature lets you to control the number of days, or grace
period, before users must update the device. You can also congure how often users will
receive reminders to update. Users must have internet access to download the update from
IronKey EMS. Updates must be installed from a host computer running Windows.
When users receive a reminder, they can choose to ignore the update request or install
the update. After the last reminder, when the grace period ends, the device will apply the
enforcement level that is set in the device policy, either Standard or Strong.
With Standard enforcement, once the grace period ends, users will have read-only access to les
and applications on the secure partition of the device until they update. Users will only have
read-write access if they cannot update the device due to the following:
1. No internet access to download the update.
PAGE 66IRONKEY EMS CLOUD ADMIN GUIDE
2. The operating system of the host computer is not supported for device updates (for
example Mac or Linux).
With Strong enforcement, once the grace period ends, users will have read-only access to les
and applications on the secure partition until they update the device.
After the grace period starts, if you remove the device update from IronKey EMS, the
countdown will reset to zero. If you post a new update during the grace period, the countdown
does not reset. When the user updates the device, it will download and install the latest version
approved in IronKey EMS. If you change the grace period in the policy after a device detects an
update and starts the countdown, the start date will not change; the device will adjust the end
date to adhere to the new policy settings.
Example:
A System Admin sets the Force Update feature in the device policy to Strong, the grace period
to 10 days and the period between reminders to 5 days. With these settings, users will receive
up to 3 notications during the grace period. The rst notication appears when the device
detects an update. This starts the grace period. If the user ignores the reminder, the second one
will appear on Day 5. If the user ignores the second reminder, the nal notication will appear
on Day 10, at which time the grace period is over. When the grace period ends, the reminder
will only allow the user to download the update. If the user locks or unplugs the device without
updating, the user will have read-only access to their les on any subsequent login until they
update the device.
SELECTING AN APPROVED UPDATE FILE
A System Admin must approve the update le that is available to users. Updates may contain
new rmware and/or software for the device. The default settings make the most recent device
update available to all users, which maintains the traditional behavior of the update capability.
» You can approve different Device Update versions for Admins and Standard users, so that
you can update administrators first to give them time to prepare for questions from users.
» The Update Version approved for Admins must be greater than or equal to the version
approved for Standard Users. All Admin devices should use the most recent version of
device firmware and/or software.
To select an approved device update le
1. In the System Console, click Update Management in the left sidebar.
2. In the Approved Device Updates section, click the Edit button.
3. Select the update version to apply to Admins and Standard Users for their devices.
TIP: As a convenience to admins, the release notes for each update are displayed.
NOTE: All device updates available to IronKey EMS customers are listed on this page.
NOTE: Updating a device on Windows XP (SP2+) requires Windows administrative privileges.
Users should install the IronKey Assistant to update a device in non-administrative mode.
PAGE 67IRONKEY EMS CLOUD ADMIN GUIDE
UPDATE TESTING
It is possible to test the latest device update on a limited set of devices before generally
approving it for all Standard or Admin Users. Testing can be accomplished by assigning a policy
as the Update Testing policy. Any device using that policy, either Standard User or Admin User
bypasses the approval list and is able to update to the last update.
1. In the System Console, click Update Management in the left sidebar.
2. In the Update Testing section, click the Edit button.
3. In the Policy for Update Testing list, select the policy and click the Save button.
4. Test the update on several devices and when you are satised that it meets approval, change
the Policy for Update Testing to None.
UPDATE REMOVAL
At some point the Approved Device Update may be removed from IronKey EMS. If a Device
Update is removed, it will still appear in the list with the sufx (No longer available). Users will
no longer be able to update until a newer Device Update is selected as the Approved update.
Upgrading Basic devices to Enterprise
H300/H350 Basic, S1000 Basic, and Sentry EMS devices can be upgraded to an Enterprise
device and managed with IronKey EMS. For information about changing an unmanaged IronKey
Workspace device to be managed by IronKey EMS, see the IronKey Workspace IT Administrator
Handbook. For information about upgrading Basic S200 and D200 devices, see “Activating Basic
devices” on page 74.
Before users can upgrade their devices, an administrator must generate an activation code for
the device and provide the code to the user. The activation code is required during the upgrade
process. The host computer used by the device (Windows or Macintosh only) must also have
network access to IronKey EMS.
To generate an activation code for a Basic device (Admin task)
1. In the Admin Console, do one of the following:
• If the user does not have an existing account, add an EMS user account for the user and
select the H300/H350/S1000/Sentry EMS device type. See “Adding a user” on page 46.
• If the user has an account in EMS, add an H300/H350/S1000/Sentry EMS device to the
user’s account. See “Adding new devices to users” on page 60.
2. Email the Activation Code to the user if IronKey EMS is not set up to send it automatically.
To upgrade a device from Basic to Enterprise (User task)
1. Once the activation code is received, insert and unlock the Basic device.
2. In the Control Panel, click the Settings button on the menu bar.
3. In the left sidebar, click Tools, and then click Upgrade to Enterprise.
PAGE 68IRONKEY EMS CLOUD ADMIN GUIDE
If you are activating a Sentry EMS device, click Tools and under Device Management, click
the Manage with EMS button.
4. Paste the Activation Code in the Enterprise Activation (Activation Code for Sentry
EMS devices) text box (Windows and Mac systems only).
5. Click the Activate button and then follow the on-screen instructions.
Importing authentication credentials
IMPORTING RSA SECURID TOKENS
If enabled through your policy, devices can provide additional strong authentication capabilities
for users by generating RSA SecurID one-time passwords. Devices prior to version 2.0.6.0
require an imported .stdid le to use this application, while devices with 2.0.6.0+ can use
dynamic seed provisioning with the RSA Authentication Manager 7.1 Server (CT-KIP). Dynamic
seed provisioning allows end-users to paste a URL and activation code to load a seed token on
the device. This prevents user issues and reduces the security risk associated with distributing
actual seed les for each user to manually import. For more information, see the RSA
documentation on the Enterprise Support page.
NOTE: Does not apply to Sentry EMS, D300M, S1000, H300, H350, W500, W700, or W700-SC
devices. This feature is not available with S250/D250 devices running version 3.5.1.0.
To import a token
1. Plug in the user’s device and unlock it.
2. Click the Applications button on the menu bar of the Control Panel and then click RSA
SecurID.
3. Click the Import from le link to browse to the location of the .stdid le. This may
be exported from your RSA Server. For more information, see the RSA SecurID server
documentation. You may require a password to unlock the le.
The tokens will be added to the device.
4. Alternatively, you can import the token from the Web by clicking Import from Web and
pasting the URL for RSA activation in the appropriate eld.
5. If you want to rename the tokens, select the token and click the Rename button.
6. If you need to delete a token, in the Options window, click the Delete or Delete All
button. Use caution when deleting tokens as this operation cannot be undone.
IMPORTING A DIGITAL CERTIFICATE
The Cryptochip includes a limited amount of extremely secure hardware storage space, which
can be used for storing the private key associated with a digital certicate. This provides your
users with additional strong authentication capabilities. For example, you can store a self-signed
PAGE 69IRONKEY EMS CLOUD ADMIN GUIDE
certicate used for internal systems that will allow users to automatically log in when using the
onboard Firefox Web browser.
The import process uses the IronKey PKCS#11 interface and requires Mozilla Firefox to be
enabled in policy.
NOTE: Does not apply to Sentry EMS, D300M, S1000, H300, H350, W500, W700, or W700-SC
devices.
NOTE: The Cryptochip has enough space for 5 additional private keys; these keys will receive
the security benets of the tamper-proof hardware and self-destruct mechanisms of the
Cryptochip.
1. Plug in and unlock the device.
2. Start onboard Firefox by clicking the Applications button on the menu bar of the Control
Panel, and then click the Mozilla Firefox application.
3. Click the Firefox menu, and then click Options.
4. In the Options window, click the Advanced icon, and then click the Encryption tab.
5. Click the View Certicates button to open the Firefox Certicate Manager.
6. The IronKey certicate is available here. To add your own, click the Import button.
7. Browse to the PKCS#12-format certicate le and open it.
You will be prompted for the location of the PKCS#12-format certicate le (the le
extension is .p12 in UNIX/Linux, .pfx in Windows).
8. A window appears asking you to conrm where to store the certicate. Choose IronKey
PKCS#11.
9. Enter the password that was used to protect the certicate. If no password was used, simply
leave the text eld blank.
10. Your certicate is now stored securely in the Cryptochip and is available for use in the
onboard Mozilla Firefox.
NOTE: When deleting certicates, you must restart Firefox for the action to take effect. You
cannot delete the IronKey certicate that was pre-packaged with the device.
Managing S200 or D200 devices
Managing an S200 or D200 device is done using the Admin Console. However, some additional
administrative functionality is onboard each approved, active Admin 200 Series device. The
Admin Tools feature on the 200 Series device allows you to:
» Recover a device
» Approve new Admin users
» Recommission a device
When you click the Admin Tools icon, the device will do a real-time check with your EMS
Account to authenticate the Admin and ensure that the Admin is still authorized to use the
PAGE 70IRONKEY EMS CLOUD ADMIN GUIDE
Admin Tools. Revoked Admins, for example, will not be able to continue. You must be connected
to the Internet to use the Admin Tools.
NOTE: Administrators who use Web-based login can manage S200/D200 using only the
management tasks that are available in Admin Console.
NOTE: This section also applies to S100 devices. You can manage S250/D250, H300, H350,
W500, W700, W700-SC, S1000, D300M, and Sentry EMS devices using the Admin Console
interface exclusively.
ADMIN TOOLS: TASKS ACCORDING TO USER ROLE
The tasks listed in the following table are performed using the Admin Tools on the device. Tasks
are available only to users with appropriate privileges as outlined below.
NOTE: The Admin Tools application is available only to Admin users with S200, D200, or S100
devices. All administrative tasks for S250/D250, H300, H350, W500, W700, W700-SC, S1000,
D300M, and Sentry EMS devices are performed using the Admin Console.
Task System
Admin
Device Recovery: Unlock Devices &
Change Device Password
Recommission: Recommission
device
Recommission: Delete User
Account from EMS during Device
Recommission
Admin Approval (200 Series of devices
only)
* Custom Admin, Admin, and Help Desk Admin roles can recover or recommission devices for
Standard users only. Only a System Admin user can recover/recommission devices for any user role,
including other System Admins.
X X* X* X*
X X* X* X*
X
X
Custom
Admin
Admin Help Desk
Admin
Auditor
ASSISTING WITH PASSWORDS
A common help desk task is to assist users with forgotten passwords. IronKey EMS includes
three ways Admins can assist users with S200 or D200 devices who have forgotten their
passwords:
1. User recovers the password without help desk intervention
• Users log into my.ironkey.com with email and online password.
• Users must have an online account.
• Device passwords must be backed up online
• Admin intervention is NOT required
2. Use Password Assistance to send password to user
PAGE 71IRONKEY EMS CLOUD ADMIN GUIDE
• One-time URL is emailed to user with a link to a page that displays the forgotten
password.
• Allows Admins to assist remote users or users who cannot use Password Self-Recovery.
• Device passwords must be backed up online.
• Users must have valid email addresses in the system.
• Standard Users do NOT have to have an online account.
3. Recover the device for the user
• Admin uses Admin Tools on the Admin device to unlock and change the password on the
user’s device. This method ensures that the most secure procedures are used to recover
devices and manage passwords.
• Admin must have physical possession of the user’s device.
• Device passwords do NOT have to be backed up online.
• Standard Users do NOT have to have an online account.
To use Password Assistance to send device password to user
1. In Admin Console, click Manage Users and select the name of the user who has forgotten
his password.
2. Under Devices, click the user’s device name, and then click the Send Password to User
button.
This button will only appear for users who have an email address and who have backed up
their device password online.
3. An email will automatically be sent to the user. In that email is a one-time URL that will take
the user to a page that displays his password in a CAPTCHA. The user must click the link as
soon as he gets the email, as the link expires in approximately 5 hours.
To recover an S200 or D200 device
Secure Device Recovery allows an Admin to unlock your organization’s devices:
• Without knowing the user’s device password
• Without using a password database
• Without using a backdoor/redundant password
• With admin authentication (protection against stolen admin devices)
• With admin authorization (protection against rogue admins)
• With a proper audit-trail of the event
You must use a 200 Series device with administrative privileges to recover another 200
Series device.
1. Click the Admin Tools icon in the Control Panel.
The device will perform real-time authentication and authorization.
2. Insert the device that you want to access into the computer’s USB port. Wait a few
moments so the device can enumerate then click the Refresh Device List button.
The Admin device will search for the other device.
3. Do one of the following actions:
4. If you want to unlock the user’s device, click the Unlock Device button; a progress bar will
appear when the device is unlocked and Windows Explorer will auto-launch to the device’s
secure volume.
PAGE 72IRONKEY EMS CLOUD ADMIN GUIDE
5. If you want to change the password on the device, type a new password, conrm it, and
then click the Change button; a progress bar will appear and then a conrmation that the
password has been reset successfully.
NOTE: Also, devices that are not part of the EMS Account, not yet activated and initialized, or
that are not a supported IronKey EMS secure drive cannot be recovered; an error message will
result.
APPROVING ADMIN USERS
With S200 and D200 devices, when you add a new Admin user or promote a Standard user
to an Admin, a System Admin must approve the change before the user will receive Admin
privileges. You can only approve active users (those with an activated device); this is part of the
underlying security technology. When a device is activated for a new Admin user, you will receive
a reminder by email to approve the Admin user.
NOTE: Administrators must use a 200 Series device to approve Admin users.
1. In the Admin Tools sidebar, click Admin Approval.
2. Click the Check for Admins button.
This will perform an online check for users awaiting Admin Approval.
3. Check all devices that you approve for administrative functionality, then click the Approve
button.
A table of devices that are awaiting approval will be displayed.
4. The next time the approved user unlocks the device and clicks the Online Account button
in the Control Panel, the user will receive administrative privileges and have access to the
Admin Console and Admin Tools.
NOTE: With S250/D250, W500, W700, W700-SC, H300, H350, S1000, D300M, and Sentry EMS
devices, no admin approval is required. System Admins simply add the new Admin user or edit
an existing user’s role to promote the user to an Admin. For more information, see “Changing
the role of a user” on page 52.
RECOMMISSIONING DEVICES
When employees leave the organization, you can recommission an S200 or D200 device to new
users using secure online services for Admin authentication and authorization.
NOTE: To recommission a 200 Series device, you must use another 200 Series device with
administrative privileges. You cannot recommission the rst System Admin device.
1. In the Admin Tools sidebar, click Recommission Device.
2. Insert the device that you want to recommission into the computer’s USB port. Wait a few
moments so the device can enumerate, then click the Refresh Device List button.
The device will search for the other device.
3. Click the Recommission Device button. A progress bar shows your progress throughout
the recommissioning process.
PAGE 73IRONKEY EMS CLOUD ADMIN GUIDE
4. Selecting the Also delete user from the system check box will delete the user as well as
the device. This feature is only available for System Admins.
NOTE: Recommissioning cannot be undone. All data on the device will be permanently lost.
ACTIVATING BASIC DEVICES
You can remotely manage users with IronKey Basic S200 or D200 devices by asking them to
activate their devices to IronKey EMS:
1. Admin: Do one of the following actions:
• If the User doesn’t have a user account in EMS, add them in the Admin Console and email
them an Activation Code.
• If the user has a user account, add a device to the user and email them an Activation
Code.
2. User: Insert and unlock the Basic device.
3. User: In the Control Panel, go to Settings: IronKey Enterprise.
4. User: Click the Start Activation button.
5. User: Enter the Activation code, click Continue.
6. User: Verify the organization and system administrator information, then click Continue.
7. User: Enter your password to complete IronKey EMS Activation.
PAGE 74IRONKEY EMS CLOUD ADMIN GUIDE
Managing admin accounts
This chapter provides information about managing your online account. It also describes how to
reset an account password for an administrator who cannot access their account or does not
have password reset privileges.
Managing your online account
This section describes how to activate and manage your online account. Your online account
gives you access to the management console: Admin Console (all administrators) and System
Console (System Admins only). Your account also has information about any devices activated
for your account.
ACTIVATING YOUR ONLINE ACCOUNT
Administrators with Web-based login authenticate to the management console Web application
using two factors: 1) username and password and 2) Access Code. You set up your username
and password when you activate your online account. The Access Code will change each time
you log in to your account. A new code will be sent by email.
You will receive an activation email with a link to the account setup page. Once set up, you
can manage your online account and credentials or reset your password. If you are the rst or
second System Admin, you activated and set up your online account as part of the EMS Account
setup.
NOTE: Some administrators may not have Web-based login privileges and must access Admin
Console from their device.
1. Open the activation email that was sent from your System Admin.
2. In the email message, click the Activation link. The Online Account Setup screen will
open in a Web browser.
3. On the Online Account Setup screen, do the following:
• In the Username text box, create a user name for your account.
• In the Password text box, create an account password and conrm the password.
Passwords are case-sensitive and must comply with the password policy dened in the
User policy applied to your account.
PAGE 75IRONKEY EMS CLOUD ADMIN GUIDE
• Select a question from the Secret Question list box or create your own secret
question.
• In the Answer to Secret Question text box, provide the response to the secret
question. The secret question will be used to verify your identity if you have to reset your
password.
4. Click Create Account.
A conrmation message will display to indicate that you have successfully created your
online account. Type your login credentials to log in to your online account and access Admin
Console.
TIP: For quick access, you should bookmark the URL for the Login page of your EMS Account.
RESETTING YOUR PASSWORD
You can reset a forgotten account password if the User policy for your account allows selfpassword reset. If you cannot reset your password, contact your System Admin to initiate a
password reset request.
1. On the Login page of your EMS Account, click Reset Your Password.
2. On the Reset Password page, type your username or email address for your online
account.
3. Enter the captcha text that you see on the screen and click Continue.
An email with a one-time URL will be sent to your email address.
4. Sign in to your email account and click the link in the Online Account Password Reset
email message.
5. On the Password Reset page, in the Answer to Secret Question text box, type the
correct response and click Continue.
6. On the Change Password page, type a new password and conrm it, and then click the
Change Password button.
Once you see the conrmation message that your password has been successfully changed,
you can log in to your account with your new password.
UNLOCKING YOUR ONLINE ACCOUNT
If you are an administrator with Web-based login, your account may become locked if you, or
another user trying to access your account, exceeds the number of unsuccessful login attempts
allowed. An email will be sent to you with an Unlock Code. The code will unlock your account
and allow you to log in with your password.
1. Sign in to your email account and copy the Unlock Code from the Your IronKey EMS
Account Has Been Locked message.
2. In a Web browser, open the Login page for your online account.
3. Type your username or email address in the text box.
4. Paste the Unlock Code in the text box and click the Unlock button.
PAGE 76IRONKEY EMS CLOUD ADMIN GUIDE
The account is now unlocked.
5. Enter your username/email address and account password and click the Log in button.
TIP: If you need to generate a new Unlock Code, click the Get a New Code button.
EDITING DEVICE NICKNAMES
Your online account lets you view the devices that are bound to your user account. If you have
multiple devices, you can create nicknames for each device. Names help you tell the devices
apart from each other when viewed online in the management console.
1. Log in to your online account.
2. Click the My Devices tab, and then click the Edit button beside the device whose
nickname you want to change.
3. Type a new nickname in the box and click the Save button.
EDITING YOUR ONLINE ACCOUNT SETTINGS
You can also view and/or edit online account settings, such as your account activity log, Secret
Question settings, and account prole. The following table describes tasks that you can perform
in your online account. Online account settings are on the “My Account” tab of the management
console.
Task Steps
Review account activity Click Account Dashboard to monitor recent events such as
login and failed password attempts.
Set up e-mail alerts Click Account Alerts, and then click the Edit button. Click
to enable e-mail alerts. An alert notice will be sent to you when
specic activities occur, such as an incorrect secret question
attempt.
Edit Secret Questions and Answers Click Account Settings, and then click the Edit button
to modify your responses to the Secret Question that you
answered during the setup of your online account. You can also
edit time zone data.
Send downloaded data via email Click Account Settings and in the section Send downloaded
data via email for, click the Edit button and click to select the
check box for the list you want to receive, for example Device
List. Click the Save button.
When you download data from IronKey EMS, you will receive an
email with a one-time URL link to the information for download.
You will be required to answer the Secret Question for your
online account. (If you are a System Admin with an x200 device,
you might be required to log in with a username and password
instead of answering a Secret Question.) Once successful, the
download will start automatically. The link to the download will
expire after 24 hours.
PAGE 77IRONKEY EMS CLOUD ADMIN GUIDE
Task Steps
Update Prole information Click Update Prole, and then click the Edit button to change
your prole information, such as your email address or online
account password.
Resetting an administrator’s account password
System Admins and Help Desk administrators can reset the online account password for an
administrator who uses Web-based login who has forgotten their password.
1. In Admin Console, click Manage Users from the sidebar.
2. In List mode, click the check box for the user you want to edit, and then click the Edit
button and select View User Prole.
If you are in Group mode, right-click the name of the user and click View Prole from the
list.
3. On the User Prole page, in the Silver Bullet section, click the Reset Password button.
4. Click OK to conrm the password reset request.
An email message will be sent to the user that includes a one-time password reset link.
When the user clicks the link, the user will be prompted to change the password. The user
must change the password within 30 minutes of sending the password reset request or the
request will be cancelled.
PAGE 78IRONKEY EMS CLOUD ADMIN GUIDE
Monitoring security events
Using Enterprise Dashboard
The Enterprise Dashboard shows you the latest security events and user activities in your
EMS Account, statistics on how many active users and devices there currently are, as well as
important notications, such as lists of pending users and devices awaiting detonation (if any). An
information banner at the top of the page will display when there are new announcements from
DataLocker regarding IronKey EMS.
DASHBOARD MAPS AND EVENTS TABLE
The World Map area and Events table in the Enterprise Dashboard tells you about:
Events table
» Security events, such as remote detonation of devices (marked in red)
» Important events, such as Admin activities, (marked in yellow)
» Common user events (marked in green)
Custom date
lter
Download
button
Page view
PAGE 79IRONKEY EMS CLOUD ADMIN GUIDE
The following table lists actions you can perform in the Map area and Events table:
Map area
To... Action required
Select events to view in the map • Click the + menu icon on the right
View event details • Hover over an event
Zoom on the map • Click the +/- icons on the left or drag the zoom sidebar
Move geographic areas in view • Drag the map
Zoom in on an event and view
additional event data
Events table
To . . Action required
Sort columns in ascending or
descending order
Filter the list based on time of the event • Click the View drop list and select a time period.
Create a custom lter for events within
a specic time period.
Download the list of events • Click the Download icon beside the View list.
Change the page view • Click the Page drop list to view a specic page.
Download “pending users” list (includes
user information and Activation Codes)
• Click an item in the table
• Click the column title. The arrows beside the column title
indicate which order by which the column is sorted. The
newly added Device column lets you lter the list to view
events by device name.
• Click the View drop list and choose Custom. Enter the
start and end date, or select the dates from the calendar, and
then click Submit.
• Click the Items Per Page drop list to set the number of
items on each page
Click the Download List button beside the Dashboard Charts
NOTE: To change the default time zone from GMT, click the My Accounts tab in IronKey EMS,
and then click Account Settings in the left sidebar. You can also change time and date formats.
ENTERPRISE DASHBOARD CHARTS
Charts use the Adobe Flash Player. If Flash Player is not installed on your computer, you will see
text-based versions of the charts.
The following table lists actions you can perform in the chart area:
To... Action required
Download data in the chart
View contextual data in the chart
Chart data is updated approximately every ve minutes.
• Click the Download icon beside the chart title.
• Move your mouse over the chart. Each chart is interactive.
General User Statistics
This chart displays important statistics about users in your EMS Account, including:
• Total current users by status
• Total current users by role
PAGE 80IRONKEY EMS CLOUD ADMIN GUIDE
General Device Statistics
This chart displays important statistics about devices in your EMS Account, including:
• Total devices by status
• Total devices by version—helps to identify devices running out-of-date IronKey EMS
software
• Total devices by size
Admin Activity
This chart displays a time line of important Admin activities, including Secure Device Recovery,
Password Assistance, and Recommissioning. The vertical axis is the frequency of events, while
the horizontal axis is the time line.
Device Activities
This chart displays how long it has been since:
• A device’s password was last backed up
• The last recorded device activity
The vertical axis is the number of devices, while the horizontal axis is the number of weeks
since the specic event has occurred for each device.
Setting up email alerts for events
The Alerts feature lets you know about important events even when you’re not logged into the
Admin Console. Administrators can now receive email notications about events, such as an
updated policy, successful device recovery, recommission, or detonation operations, and more.
When you create the alert, you can choose which events you would like notication about.
Alerts will be sent as a daily event log. System Admins, or Admins who are part of the main
Default Group (root), will receive alerts for all users in the organization. All other Admin users
will only see events for users who are in their group. The email notication will be sent to the
email address that is listed in your user account.
NOTE: This feature must be purchased separately and enabled by DataLocker Customer
Service for your EMS account.
To set up an alert
1. In the Admin Console, click Alerts from the left side-bar.
2. Click the Edit button.
3. Under Log Alerts, enable the Send Events by Email check box. Daily is enabled by de-
fault. The email notication will include a summary of the selected events that have occurred
in the last 24 hours. The email will go out at midnight (GMT). It includes events from 12 AM
to 11:59 PM.
4. Select the check boxes for all events for which you want to receive notication.
5. Click the Save button.
PAGE 81IRONKEY EMS CLOUD ADMIN GUIDE
Interpreting malware scanner reports
If purchased and enabled, your organization can protect its devices from the latest malware
threats with the Anti-Malware Service and Malware Scanner. See the Enterprise User Guide for
your device for more information about how the Malware Scanner operates. The Malware
Scanner is not available with IronKey Workspace (W500, W700, W700-SC) devices.
As an Admin, it is important to understand how to interpret Malware Scanner reports. The
Malware Scanner on each user’s device logs details about important events, such as checking for
updates, downloading updates, scanning for malware and malware detections. The log le also
includes vital status information, such as the software version and the signature le database
being used. The location of the log le is:
For S200 and D200 devices:
F:\IronKey-System-Files\Reports\IKMalwareScanner_Report.txt
For S250, D250, H300, H350, S1000, D300M, and Sentry EMS devices:
F:\Device-System-Files\Reports\IKMalwareScanner_Report.txt
NOTE: For H300/H350 devices running version 5.2.0.0 or higher, the lename of the malware
scanner report is named MalwareScanner_Report.txt.
Where “F” is the Secure Files volume on the device (where the user stores his data). Malware
Scanner Reports are written in Apache Common Log format with tab-delimited data:
[ip address] [timestamp] [event] [status code] [data size or le
count]
In the event of an infection on the device, users are instructed to send the report to their
administrator to diagnose and resolve the issue. Malware reports will display online for devices
with version 2.5.1.0 or greater. Below are details on how to interpret important events:
Event Description
Infection Infection events include
• The name of the malware
• The type of malware (for example, virus, trojan, etc.)
• The location where the malware was found
• The result of trying to repair or delete the infected le. Usually the le will be
repaired or deleted, though in rare cases the le cannot be altered and is left on
the device. The status in that case is “Unresolved”.
Update • The Malware Scanner will attempt to update before each scan. The most common
failure is when the device cannot connect to the Internet.
• Some users may experience issues installing the update if they do not have enough
space available on their device. It is recommended that users allocate 135 MBs of
space for the signature le database.
PAGE 82IRONKEY EMS CLOUD ADMIN GUIDE
Glossary
Accounts DAshboArD Allows
administrators to view events and control
account settings, such as changing the time zone.
ADmin A user who can manage Standard
Users, groups, and devices. See also, “Administrative
Tasks by Category and Role” on page 44.
ADmin console Central Web-based
management tool that lets administrators manage
users, policies, and devices.
ADmin tools Management tool for
administrators, available on S200 and D200
devices. This tool is required for managing
S200, D200, and S100 devices to recover and
recommission devices, and allow System Admins
to approve Admin users.
AuDitor A user who can access the Admin
Console in IronKey EMS for review and auditing
purposes. Has no editing privileges.
binDing The process of binding a user to an
online account in IronKey EMS. See online account.
DefAult user ActivAtion emAil
templAte A template email message that is
sent automatically to administrators who will
use Web-based login (username & password) to
access Admin Console. The template contains the
URL for the account activation page.
DefAult user policy A set of parameters
that determines the password and usage settings
to apply to the online accounts of administrators
who use Web-based login (username & password)
to access Admin Console.
grAce perioD Relates to updating device
software. Dened as the time period in days
beginning when the device rst detects an update
and noties the user, and ending when the time
period has expired and the device must be
updated.
help Desk ADmin A user who can reset
device or online account passwords for users
and re-send device activation codes or account
activation emails to users.
custom ADmin Can manage policies as well
as groups, Standard Users, and devices. See also
“Administrative Tasks by Category and Role” on page
44.
DAshboArD events Logs security events
and user activities to provide an audit trail
for compliance and investigations. See, “Using
Enterprise Dashboard” on page 79.
DefAult Device ActivAtion emAil
templAtes A template email message that
can be sent automatically to users when you add
them to the system or add a device to an existing
user. There are two default email templates, a
Storage device template and a Workspace device
template. You can customize the messages in each
of these templates.
DefAult Device policy A set of parameters
that determines the security settings, services,
and applications to be congured on the device
during device activation.
messAge center Part of System Console
where System Admins can customize the Default
Activation Email templates and set the “reply-to”
address.
my Account Contains online account
information for users and Admins. Administrators
can view the Account Dashboard which contains
information specic to their account.
my Devices Online storage location that
contains details about devices associated with
your username.
online Account An online account
is required by Standard Users to use some
applications and features, such as resetting a
password, updating device software and creating
online backups of Identity Manager data.
Administrators also require an online account to
access Admin Console.
pAssworD AssistAnce Feature that applies
to S200, D200, and S100 devices. Users can
PAGE 83IRONKEY EMS CLOUD ADMIN GUIDE
back up device passwords for self-recovery or
password recovery with administrative assistance.
pAssworD reset (user initiAteD) Feature
for S250/D250, W500/W700, H300/H350, S1000,
D300M, and Sentry EMS devices or for the online
account of administrators who use Web-based
login (username & password) to access Admin
Console. When enabled in policy, users can reset
a forgotten password without admin assistance.
pAssworD reset (ADmin initiAteD)
Feature for S250/D250, W500, W700, H300/H350,
and S1000 devices or for the online account
of administrators who use Web-based login
(username & password) to access Admin Console.
Admins can reset passwords for users.
pAir new smArt cArD W700-SC devices
can be paired with a new smart card when the
card has expired or is lost or stolen.
silver bullet service When enabled
in policy, allows System Admins to remotely
manage devices and automatically checks for
authorization before unlocking devices. Also
allows System Admins to reset the online account
password for administrators who use Web-based
login (username & password) to access Admin
Console.
stAnDArD user A general user in
IronKey EMS who has no administrative privileges.
system ADmin Top-level administrator with
management privileges for all system settings,
policies, groups, users, and devices. This is the only
user who can add administrators, delete users,
and change user roles.
system console Web-based interface in
IronKey EMS where System Admins can modify
the Default Activation Email templates and
approve device update les.
web-bAseD login Refers to administrators
who have Web-based login privileges to the
management console. These users do not require
an Admin device to access their online account
and perform administrative operations in Admin
Console.
PAGE 84IRONKEY EMS CLOUD ADMIN GUIDE
INDEX
Symbols
.CSV le 49
.stdid 69
A
account history 57
Accounts Dashboard
denition 83
activating devices
1st System Admin 18
Basic 200 series 74
for users 57
Activation Email 58
glossary denition 83
adding
devices to users 60
groups 54
policies 39
users to groups 55
address
setting reply-to 49
Admin
about 43
approving for 200 series 71
glossary denition 83
Admin Activity chart 81
Admin approval
200 series devices 73
Admin Console 20
accessing 20
Enterprise support 12
glossary term 83
tasks by user role 44
administrators
about 43
best deployment practices 26
common tasks 28
Admin Tools 70
glossary denition 83
tasks by role 71
Advanced Service Options
policy settings 38
Anti-Malware Service 35
applications
onboard device 34
approving Admin users with 200 series devices 73
Auditor
glossary denition 83
authentication credentials 69
automatic locking
policy option 37
B
Basic devices
activating 200 series for Enterprise 74
upgrading H300/H350, S1000, Sentry EMS to Enter-
prise 68
binding online account
glossary denition 83
C
certicates
importing 69
changing
default activation email templates 58
charts
Enterprise Dashboard 80
comments
editing for devices 61
creating
.CSV le 49
EMS Account 14
groups 54
multiple users 49
policies 39
users 46
CRYPTOCard One-Time Passwords 35
Cryptochip
storing private keys 69
CSV le 49
Custom Admin
about 43
glossary denition 83
customizing
PAGE 85IRONKEY EMS CLOUD ADMIN GUIDE
Default Activation Email templates 58
Default Policy 39
D
Dashboard
glossary denition 83
data
about devices 56
Default Activation Email 58
editing 58
glossary denition 83
Default Policy
editing 40
glossary denition 83
deleting
devices 61
device update le 68
groups 55
policies 40
users 52
deploying devices 23
Example 24
questions to ask 24
tasks involved 24
detonating a device 65
Device Activities chart 81
Device Recovery
Silver Bullet Services 36
devices
about activating 57
account history 57
activating 1st System Admin 18
activating for users 59
adding to users 60
deleting 61
deploying 23
detonating 65
downloading device info 57
editing proles 60
managing 200 series 70
product specications 10
recommissioning 64
recovering 63
resetting password 62
supported 9
testing update le 68
updating rmware 66
viewing information 56
Devices by Version chart 80
digital certicates 69
disabling
devices 64
users 51
downloading device info 57
E
editing
default activation email templates 58
device proles 60
policies 40
users 51
email
editing activation message 57
setting reply address 49
EMS Account
creating 14
enabling
devices 64
users 51
Enterprise Dashboard 79
charts 80
glossary denition 83
using map 80
Enterprise Support 12
erasing
groups 55
policies 40
users 52
events
download device activities 57
Enterprise Dashboard 79
F
nding
devices 61
users 53
Force software update 66
forcing read-only 66
G
generating
one-time passwords 69
Group mode 43
groups
about 54
PAGE 86IRONKEY EMS CLOUD ADMIN GUIDE
adding 54
deleting 55
viewing properties of 43
H
H300/H350 about 12
hardware storage 69
Help Desk Admin
about 43
glossary denition 83
I
Mozilla Firefox
include in policy 35
multiple users 49
My Account
glossary denition 83
My Devices
glossary denition 83
N
new devices
adding to users 60
Identity Manager
onboard software 35
importing
authentication credentials 69
digital certicates 69
information
about devices 56
IP Address Restrictions 32, 36
IronKey EMS
Administrative Features 8
licensing 13
setting up 14
What’s New 5
L
licensing 13
List mode 43
M
malware scanner
interpreting reports 82
managing
200 series devices 70
maps
Enterprise Dashboard 79
Message Center
glossary denition 83
mode 43
read-only 66
modifying
default activation email 58
users 51
moving
users to a group 55
O
onboard applications
Anti-Malware Service 35
CRYPTOCard One-Time Passwords 35
Identity Manager 35
policy options 34
RSA SecurID 35
one-time passwords
generating 69
online account
glossary denition 83
policy settings 38
online account binding
glossary denition 83
opening
Admin Console 20
P
password
aging and reuse policy option 31, 34
policy settings 30–31, 33–34
reset policy option 34
resetting for user 62
Password Assistance (S200, D200)
about 71
glossary denition 83
resending to users 72
Password Reset
glossary denition 84
Silver Bullet Services 36
PKCS#11 69
policies
about settings 30
adding to Enterprise system 39
Advanced Service Options 38
PAGE 87IRONKEY EMS CLOUD ADMIN GUIDE
check for updates option 38
Control Panel options 37
deleting 40
editing 40
enable Secure Backup 35
glossary denition 83
number and version 29
onboard software 34
online account access 38
Silver Bullet Service 31, 36
updating 41
viewing 41
private keys
storing 69
product specications 10
proles
editing for devices 60
promoting admins
200 series devices 73
R
read-only mode 66
recommissioning devices 64
S200 & D200 procedure 73
recovering devices
S200 & D200 procedure 72
Remote Detonation
Silver Bullet Services 36
removing update les
68
renaming users
51
reports
malware scanner 82
resetting
device password 62
device password 200 series 71
RSA SecurID
importing tokens 69
RSA SecurID One-Time Passwords
policy option 35
S
S200 and D200 devices
administrative tasks 71
managing 70
recommissioning devices 73
scanner reports 82
searching
for a user 53
for devices 61
Secure Backup 35
setting
device update le 66
reply-to address 49
Silver Bullet Services
about 9
Access Controls 31, 36
detonating devices 65
glossary denition 84
managing devices 62
policy settings 31, 36
read-only 66
remote administrative controls 36
software
Identity Manager 35
policy options 34
update 66
Standard User
glossary denition 84
starting
Admin Console 20
status
user 53
stolen device 65
supported devices 9
System Admin
about 43
activating device 1st System Admin 18
glossary denition 84
T
tasks
by user roles 44
Time zone 80
tokens
importing 69
U
Unlock Screen Message
policy settings 37
update le
removing 68
PAGE 88IRONKEY EMS CLOUD ADMIN GUIDE
selecting for devices 67
testing 68
updating
device rmware 66
device software 66
policies 41
upgrading Basic devices to Enterprise 68
users
about 43
activating a device for 59
adding multiple 49
adding single 46
deleting 52
editing 51
enabling/disabling 51
moving to a group 55
renaming 51
searching for 53
tasks by role 44
viewing information about 43
View User Prole 51
user status 53
V
version of policy 29
viewing
device information 56
User Prole 51
W
W500/W700 device 7, 47
W700-SC device 6
PAGE 89IRONKEY EMS CLOUD ADMIN GUIDE
Loading...