IronKey EMS-1R Quick Start Guide

IronKey™ EMS Cloud
Admin Guide
Last Updated March 2017
DataLocker is committed to creating and developing the best security technologies and making them simple-to-use and widely available. Years of research and millions of dollars of development have gone into bringing this technology to you.
We are very open to user feedback and would appreciate hearing about your comments, suggestions, and experiences with this product.
Feedback:
support@datalocker.com
NOTE: DataLocker is not liable for technical or editorial errors and/or omissions contained herein; nor for incidental or consequential damages resulting from the furnishing or use of this material. The information provided herein is subject to change without notice.
The information contained in this document represents the current view of DataLocker on the issue discussed as of the date of publication. DataLocker cannot guarantee the accuracy of any information presented after the date of publication. This document is for information purposes only. DataLocker makes no warranties, expressed or implied, in this document. DataLocker, and the DataLocker logo are trademarks of DataLocker Inc. and its subsidiaries. All other trademarks are the property of their respective owners. Ironkey™ is a registered trade mark of Kingston Technologies, used under permission of Kingston Technologies. All rights reserved.
© 2017 DataLocker Inc. All rights reserved. IK-EMS-ADM01-5.3
PAGE 1 IRONKEY EMS CLOUD ADMIN GUIDE
CONTENTS
About IronKey EMS Cloud
  What’s New?
  Release history
  Key Admin Concepts
  Supported Device Models
  System requirements
  Product specifications
  Product Overview
  Enterprise Support
  For more information
  Licensing
Setting up IronKey EMS Cloud
  IMPORTANT—BEFORE YOU BEGIN
  Creating the IronKey EMS Account
  Activating the 1st and 2nd System Admin online account
  Accessing the Admin Console
Deploying devices
  What’s involved?
  Choosing a deployment strategy
  Questions to ask before deploying devices:
  Sample deployment
  Requirements
  The Deployment Solution
  Results
  Best practices for a smooth rollout
  For the Administrator
  For the End-user
  Common administrator tasks
Managing Policies
  Policy numbers and versions
  About policy settings
  User Policy Settings
  Device Policy Settings
  Adding policies
  Editing policies
  Deleting policies
  Viewing policies
  Updating policies on devices
  User Policies
  Device Policies
Managing Users and Groups
  Viewing users and groups
  Managing users
  About Users
  Administrative Tasks by Category and Role
  Adding a user
  Editing the User Activation Email
  Adding multiple users
  Editing a user
  Deleting a user
  Viewing user information
  Searching for a user
  Managing groups
  About groups
  Adding a group
  Moving users to a group
  Deleting groups
Managing Devices
  Viewing device information
  Downloading device information
  Activating devices
  Editing the Device Activation Email
  Activating a device for a user
  Adding new devices to users
  Editing device profiles
  Deleting devices
  Searching for a device
  Managing devices remotely with Silver Bullet
  Resetting a device password (Admin-initiated)
  Pairing a new smart card with a device
  Recovering devices
  Recommissioning devices
  Disabling and enabling devices
  Detonating a device
  Forcing Read-Only mode
  Updating devices
  Forcing a software update
  Selecting an approved update file
  Update testing
  Update removal
  Upgrading Basic devices to Enterprise
  Importing authentication credentials
  Importing RSA SecurID tokens
  Importing a digital certificate
  Managing S200 or D200 devices
  Admin Tools: Tasks according to User Role
  Assisting with passwords
  Approving Admin users
  Recommissioning devices
  Activating Basic devices
Managing admin accounts
  Managing your online account
  Activating your online account
  Resetting your password
  Unlocking your online account
  Editing device nicknames
  Editing your online account settings
  Resetting an administrator’s account password
Monitoring security events
  Using Enterprise Dashboard
  Dashboard maps and events table
  Enterprise Dashboard charts
  Setting up email alerts for events
  Interpreting malware scanner reports
Glossary
Index

About IronKey EMS Cloud

IronKey™ EMS Cloud is an advanced, cloud-based, management service that lets you protect your data, your mobile workforce, and your organization. You can quickly and easily establish a secure command center for administering and policing the use of encrypted Workspace and Storage drives.
This guide tells you how to set up, deploy, and manage devices in your enterprise environment.

What’s New?

SUPPORT FOR SENTRY EMS
IronKey EMS now supports the new DataLocker Sentry EMS device. Designed for business-grade security, Sentry EMS is an encrypted USB 3.0 drive that is FIPS 140-2 Level 3 certified and TAA-compliant.
RECEIVE DOWNLOADED DEVICE AND USER DATA BY EMAIL
When you congure your online account settings to enable this feature, device and/or user data
will be available for download by email. For more information, see “Send downloaded data via email” on page 77.

Release history

TWO DEFAULT ACTIVATION EMAIL TEMPLATES
There are now two device activation email templates, one for Storage devices and the other for Workspace devices. You can customize the content in these templates according to company requirements.
SUPPORT FOR IRONKEY D300M
IronKey EMS now supports the new IronKey D300M device. Designed for business-grade security, the D300M is an encrypted USB 3.0 drive that is FIPS 140-2 Level 3 certified and TAA-compliant.
WEB LOGIN TO MANAGEMENT CONSOLE USING ONLINE ACCOUNT (ADMINS ONLY)
Administrators can log in directly to the management console Web application with Username & Password only; no admin device is required.
CHANGES TO USER PROFILE PAGE
Recommissioned devices in the Devices list will be hidden by default. The “View” list includes “Current Devices” (default setting) and “All Devices”. A current device still uses an active seat license and can be in one of the following states: Disabled, Pending recommission, Awaiting detonation. The “All Devices” view will also display Deleted, Recommissioned and Detonated devices.
FORCE UPDATE FEATURE FOR S250/D250 DEVICES
A new Force Update feature is now available in Service for use with the latest release of the 250 device Series (version 3.5.0.0). Controlled by the device policy, you can now force users to update their devices to the latest approved software release. For information about new Force Update policy settings, see “” on page 32. For more information about using Force Update, see “Forcing a software update” on page 65.
SUPPORT FOR H350 ENTERPRISE AND IRONKEY WORKSPACE W700-SC DEVICES
H350 devices are FIPS 140-2 Level 3 certified, USB (Universal Serial Bus) 3.0 hard drives with built-in password security and data encryption. For more information about the device, see the DataLocker H300/H350 Enterprise User Guide.
IronKey Workspace W700-SC is a trusted, FIPS 140-2 Level 3 certified, secure USB flash drive that features XTS-AES 256-bit hardware encryption. Additionally, the W700-SC supports device authentication using a smart card. When paired with your device, you can securely unlock your workspace using your smart card and Personal Identification Number (PIN). Certified by Microsoft as a Windows To Go device, the W700-SC is a secure, personal workspace. It is capable of using all host system resources on host computers that are certified to run Microsoft Windows® 7.0 and higher, and qualified Mac computers.
SUPPORT FOR IRONKEY WORKSPACE 4.3
Admins are now able to use the device recovery Silver Bullet to unlock the secure operating system (OS) partition on the device. If a user experiences issues with the Windows OS, Administrators can now try to troubleshoot and repair these issues or recover files by accessing the OS partition. See “Recovering devices” on page 62.
A new device update is available to upgrade the device firmware and software on devices running IronKey Workspace version 4.2. Admins will also need to update the Control Panel application in Windows To Go.
IronKey Workspace 4.3 devices also include the following features:
» Device activation on a Mac operating system.
» Support for a multi-lingual keyboard layout in the Preboot environment when booting
Windows To Go.
» Updates to the IronKey Workspace Startup Assistant to increase the number of host
computers it can configure to boot from a USB device on startup. The application is available
on the device (W500/W700) or as a standalone application (available as a download from
the DataLocker Support site).
» Support for DataLocker and IronKey secure storage devices in Windows To Go; for
a complete list, see “Supported Device Models” on page 9. Users can save data to the secure storage drive while booted in Windows To Go. When using a storage device while booted in the secure Workspace, two Control Panel icons will display in the Windows system tray, one to manage the secure storage device and the other for the IronKey Workspace device.
UPDATES TO THE ADMIN CONSOLE
Enterprise Dashboard Events table
The Enterprise Dashboard Events table now includes a column for Devices. Admins can sort by the Device column to view all events for a specific device. Also new is the custom date range filter. You can now filter which events display in the table based on a start and end date.
Email notification for events
The Admin Console includes a new Alerts feature. If purchased and enabled for your EMS Account, this feature provides email notifications to Admin users about important events. Admins can set up an alert to receive a daily message summarizing the events that have occurred in the last 24 hours. See “Setting up email alerts for events” on page 76.
New group selector when adding a user
When you create a new user, you can now add the user to a group using the group selector. System Admin users can add the user to any group. Admin users can only add users to a group to which they are also a member. See “Adding a user” on page 45.
S1000 SUPPORT
IronKey EMS now supports the management of IronKey Enterprise S1000 devices. S1000 devices are secure USB (Universal Serial Bus) portable flash drives with built-in password security and data encryption. For more information about the device, see the IronKey Enterprise S1000 User Guide.
H300 SUPPORT
IronKey EMS now supports the management of H300 devices. H300 devices are USB portable hard drives with built-in password security and data encryption. For more information about the device, see the DataLocker H300/H350 Enterprise User Guide.
IRONKEY WORKSPACE SUPPORT
IronKey EMS now supports the management of IronKey Workspace Windows To Go devices (W500 and W700). IronKey Workspace devices provide the same secure hardware encryption available with other devices. W700 goes one step further and has FIPS 140-2 Level 3 certification.
Devices can be activated and managed in the same way as other devices. However, they must first be provisioned with a Windows To Go image and configured for management. For more information about IronKey Workspace devices or Windows To Go, see the following guides, available on the Support site:
» User guides for IronKey Workspace W500 or W700
» IronKey Workspace IT Administrator Handbook
S250 & D250 RELEASE
The 250 series includes two new secure USB flash drives: S250 and D250. To manage these devices, IronKey EMS provides the following new features:
» Remote device management using Silver Bullet
  Password Reset—Users can reset their passwords without administrator intervention. Administrators can also help users who have forgotten their passwords by remotely unlocking the device and forcing a password change.
  Device Recovery—Administrators can remotely unlock devices that can no longer be accessed.
  Device Recommissioning—Administrators can remotely reset a device so that device data is deleted and the device can be reused.
  Force Read-only—Allows Administrators to force a device to open in read-only mode.
» One central management console—S250 and D250 devices are completely managed through the Admin Console. There is no Admin Tools application on S250 or D250 administrative devices.
» New device setup—Users and administrators can set up their devices with an easy-to-use workflow that activates the device, sets up the online account, and initializes the device.
NOTE: Devices that are not running the latest firmware and software may not be able to use the Silver Bullet Service or other new features. Updating old devices will allow them to use these features. For information about updating devices, see “Updating devices” on page 65.

Key Admin Concepts

The Admin Console: Centralized, Online Device and User Management
IronKey EMS includes a centralized management console for managing tens, hundreds or thousands of devices and users, reducing overall deployment times and maintenance requirements. When a System Admin adds administrators to the EMS account, they must specify how the administrator will authenticate to Admin Console, using either Web-based login (username & password) or Device-based login (device & password) using the secure link to Admin Console in the Control Panel application on the device.
IronKey EMS Policies: Enforcing Corporate Security Policies
Congure policies for device password strength, self-destruction settings, and enabling specic
applications and services.
User Management: Organize Users Into Groups
Create groups to manage your users based on any criteria needed to keep you organized. Users can be easily added and removed from Groups and administrative tasks performed by group.
Silver Bullet Service: Protecting Against Malicious Users
The Silver Bullet Service conrms that devices are authorized before allowing them to be
unlocked. This real-time service allows Admins to completely disable and even remotely detonate devices, extending the control needed to protect important data.
Password Reset: Allowing users device access when they forget their passwords
Allow users to securely reset their own passwords, reducing the number of Help Desk calls from users who cannot access their devices because they’ve forgotten their password.
Secure Device Recovery: Securely Unlocking Devices
Secure Device Recovery is a patented PKI mechanism that allows Admins to unlock another user’s device, for example, in the case of employee termination, regulatory compliance, or forensic investigations. Unlike many other solutions, there is no central database of back-door passwords.
Device Recommissioning: Securely Repurposing Devices
When employees leave the organization, their devices can be safely recommissioned to new users. This process requires Admin authentication and authorization using the secure online services in IronKey EMS.

Supported Device Models

IronKey EMS supports the following list of devices.
» S100
» 200 Series (includes S200 & D200). Note: The term “x200”, when used in the product or documentation, indicates that the feature or section applies to both device models in the series. Some special conditions apply to S100 and x200 devices in order to manage these devices using IronKey EMS. See “Managing S200 or D200 devices” on page 69.
» 250 Series (includes S250 & D250). Note: The term “x250”, when used in the product or documentation, indicates that the feature or section applies to both device models in the series.
» IronKey Workspace W500, IronKey Workspace W700, and IronKey Workspace W700-SC
» H300/H350
» S1000
» D300M
» Sentry EMS
NOTE: For more information about devices, see “Managing Devices” on page 55.

SYSTEM REQUIREMENTS

» Windows® 8.1 or Windows® 10
» Windows® 8
» Windows® 7
» Windows® Vista
» Windows® XP (SP2+)
» Mac OS® X (10.5+)
» Linux (2.6+)
For Super Speed, use USB 3.0 ports with the following devices: W500/W700/W700-SC, H300/H350, S1000, D300M, and Sentry EMS. The computer must have a minimum USB 2.0 port for high-speed data transfer. A USB 1.1 port or powered hub will also work, but will be slower.

PRODUCT SPECIFICATIONS

For details about your device, see “Device Info” in the Control Panel settings. Product specifications are also included in the User Guide for the device.

Product Overview

IronKey EMS allows you to manage secure storage drives and IronKey Workspace drives using a cloud-based administrative service. Administrators can access the secure online services to manage policies, users, and devices; users can access their online accounts (if available) to view information about their devices and account settings, and reset their device password.
IronKey EMS
» The two management components of the service include:
Admin Console—Allows Admins to set policies, add users and groups, manage devices
and more
System Console—Allows Admins to control device updates and automated messages
that are sent to users through the service.
» The two user components of the service are:
My Devices—Stores information about a user’s devices
My Account—Contains online account information for the user.
The following image shows the management console and the user components of the online account. The Admin Console tab is selected. The other tabs, including My Devices, My Account, and System Console are also available. All users with an online account can access My Devices and My Account tabs. Only administrators (System Admin, Admin, Custom Admin, Help Desk, and Auditor) can access the Admin Console tab. Only System Admins can access the System
Console tab. For more information about user roles, see “Administrative Tasks by Category and Role” on page 44.
IronKey EMS Devices
DataLocker Sentry EMS—Designed for business-grade security, the Sentry EMS is an encrypted USB 3.0 drive that is FIPS 140-2 Level 3 certified and TAA-compliant. For more information, see the User Guide for Sentry EMS.
IronKey D300M—Designed for business-grade security, the D300M is an encrypted USB 3.0 drive that is FIPS 140-2 Level 3 certified and TAA-compliant. For more information, see the User Guide for IronKey D300M.
IronKey S200 & D200, S250 & D250, S1000—Designed to be the world’s most secure USB flash drives, IronKey EMS devices allow users to safely carry their files and data with them wherever they go. The Control Panel is the main application on the device that lets users access their data, open onboard applications, and modify device settings.
For more information about IronKey EMS devices, see the User Guide.
IronKey Workspace W500, W700, W700-SC— Provide your users with an imaged and fully functional version of Windows 8.1 – one that delivers a fast, full Windows desktop and can be booted directly from a trusted IronKey Workspace drive. Distribute and manage mobile work environments that mirror your corporate desktop, and ensure employees, partners and contractors are using mobile workspaces created and managed by IT.
For more information about IronKey Workspace devices, see the User Guides for IronKey Workspace W500, W700, or W700-SC.
DataLocker H300/H350—Designed to provide a secure hard drive solution to users, the H300/H350 can be formatted with the FAT32 or NTFS file system. H350 devices are FIPS 140-2 Level 3 certified. For more information, see the User Guide.

Enterprise Support

DataLocker is committed to providing world-class support to its enterprise customers. DataLocker technical support solutions and resources are available through the DataLocker Support Website, located at support.datalocker.com. See “For more information” on page 12.
Standard Users
Please have Standard Users contact your Help desk or System Administrator for assistance. Due to the customized nature of each IronKey EMS Account, technical support for IronKey EMS products and services is available for System Administrators only.
System Administrators
Administrators can contact DataLocker Support by:
» Filing a support request at http://support.datalocker.com.
» Sending an email to support@datalocker.com.
IMPORTANT: Always reference your EMS Account Number. The Account Number is located
on the Enterprise Support page of the Admin Console.
To access resources on the Enterprise Support page
In the Admin Console, click Enterprise Support in the left sidebar.
NOTE: Resources available on this page include your Account number, video tutorials and product documentation, an announcement history file that logs all previous DataLocker announcements regarding IronKey EMS, and contact information for DataLocker Technical Support.

FOR MORE INFORMATION

support.datalocker.com: Support information, knowledge base and video tutorials
support@datalocker.com: Product feedback and feature requests
http://www.datalocker.com: General information

Licensing

If you have licensed services with your EMS Account, you can view a list of the licenses that are available with the service. To review the number of available license seats for your EMS Account, do the following:
In the Admin Console, click Manage Policies in the left sidebar.
Licenses are listed below the device policies and include the number of available seats, and number of total seats.
NOTE: If you exceed the number of licensed seats, or if your license has expired, a message
prompts you to update or renew your license. You cannot add new users or devices until the license is renewed.

Setting up IronKey EMS Cloud

IMPORTANT—BEFORE YOU BEGIN

IronKey EMS Cloud is designed to protect your organization from the risks of data loss and data leakage by delivering world-class security. However, it is important to follow a few best practices when setting up your IronKey EMS Account to ensure that the proper levels of security and usability are met:
» Make sure the person setting up the EMS Account has a thorough knowledge of your
organization’s security policies and is authorized to be the System Admin for all of your organization’s devices. That person will define the default policy for these devices.
» Create more than one System Administrator. To ensure the highest security, even
DataLocker is unable to intervene in your EMS Account, in the event that a lone System Admin leaves the organization. Have multiple System Admins at all times.
After you’ve completed these tasks, review “Next Steps” on page 18. You can also read “Deploying devices” on page 29 for tips on how to ensure a smooth deployment.

Creating the IronKey EMS Account

During the account setup, you will configure settings for the default user policy and create the first two System Admin accounts. The user policy controls the password requirements and access restrictions that will be applied to online accounts for Administrators.
To create the account
1. Go to the Website https://my.ironkey.com/enterprise or click the link in the email you received from DataLocker regarding setting up your EMS Account. Enter your Account Number.
2. Read the license agreement and select the check box to confirm that you are the appropriate authority to set up the EMS Account, then click Continue.
3. On the Create an online account for the first and second System Administrators page, enter an email address and the First and Last name of the first and second System Administrator.
4. Click Continue.
5. On the Create the Default User Policy page, click Create Policy to open the policy setup.
NOTE: The Default User Policy will be applied to the 1st and 2nd System Admin when they activate their online account.
6. On the Default User Policy page, scroll through and review each section. Configure the settings that you want to be included in the Default User Policy for your EMS Account. Each policy section displays the system default settings.
7. When you finish setting all user policy options, scroll to the end of the Default User Policy and click OK to continue with the EMS Account setup.
8. On the Review Default User Policy page, verify the policy settings and do one of the following. If you are satisfied with the policy selections, click Finish to complete the EMS Account Setup. If you need to change a setting, click Edit Policy.
9. A confirmation message will indicate that your EMS Account has been successfully created. Each System Admin will receive an email message with instructions on how to activate their online account.
NOTE: It is recommended that you keep this confirmation page open until the System Admin users have received the activation email. If they do not receive it, you can resend it by clicking Resend Activation Email.
NEXT STEPS
It is strongly recommended that you read the chapter “Deploying devices” on page 29. This section provides an overview of important deployment considerations before you begin, including:
Customizing email templates
Creating user groups
Adding users

Activating the 1st and 2nd System Admin online account

After you set up the EMS Account, the first and second System Admin users will receive an email with instructions about how to activate their online account. The online account allows administrators to log in to the management console to manage the IronKey EMS Account, policies, users, and devices.
Activating an account involves creating login credentials for the management console. Make sure that these users have received the activation email message before continuing. The email addresses for the 1st and 2nd System Admin users were added during the EMS Account Setup.
After activating their online accounts, the first System Admin to log in to the Admin Console will automatically be prompted to create the Default Device Policy. The Default Device Policy is the main policy that will be applied to managed devices upon device activation. The policy determines the password requirements, applications, and other management options to apply to a device.
To activate the online account
1. Open the activation email that was sent during the setup of the EMS Account. In the email message, click the Activation link. See example below:
NOTE: If you did not receive an email, check your spam or bulk mail folder.
The Online Account Setup page will open in a Web browser.
2. On the Online Account Setup page, do the following:
In the Username text box, create a user name for your account.
In the Password text box, create an account password and confirm the password.
Passwords are case-sensitive and must comply with the password policy defined during the EMS Account setup.
Select a question from the Secret Question list box or create your own secret question.
In the Answer to Secret Question text box, provide the response to the secret question. The secret question will be used to verify your identity if you have to reset your password.
3. Click the Create Account button.
A confirmation message will display to indicate that you have successfully activated your online account.
4. Bookmark the Login page for quick access on subsequent logins.
5. Log in to Admin Console by typing your username and password in the fields provided and click the Login button.
6. On the Access Code page, follow the instructions onscreen to retrieve and paste the Access Code in the field provided and click the Submit button.
A Welcome page will appear with information and instructions on next steps.
7. If you are the first System Admin to activate your online account and access the Admin Console, the Welcome page will prompt you to create the Default Device Policy. Click the Create Default Device Policy button to continue.
NOTE: If you are the second System Admin to activate your online account, you will not be prompted to create the Default Device Policy. The management console will appear as soon as you close the Welcome page.
8. On the Default Device Policy page, scroll through and review each section carefully. Configure the settings and applications that you want to be included in the Default Device Policy for your EMS Account. Each policy section displays the system default settings and lists the devices to which these settings apply.
IMPORTANT: In the Password Policy section, under General Password Settings, configure the Max Failed Unlock Attempts setting with a balance of security and end-user convenience in mind. If the user exceeds the maximum, the device will “self-destruct” and all data will be permanently lost. The drive can no longer be used. D300M and Sentry EMS devices do not self-destruct but will reset to a factory state, erasing all onboard data.
9. When you finish setting all device policy options, scroll to the end of the Default Device Policy and click the Save button.
You will receive a notice that your Default Device Policy was added successfully.

Accessing the Admin Console

Admin Console is the Web-based interface that allows you to manage devices, users, and policies. Most administrative tasks are performed using this interface. Once you complete the setup process and successfully activate your online account, you can log in to the Admin Console. If you have an activated device with IronKey EMS, you can also access the Admin Console from the Control Panel (Admin Console is not available on D300M or Sentry EMS devices). System Admins can specify how administrators access Admin Console when they add new administrators to the EMS Account; either through Web-based login (username & password authentication) or from their device (device & password authentication), or both. See “Adding a user” on page 45.
To access Admin Console using Web-based login
1. In a Web browser, open the URL for Admin Console page https://my.ironkey.com. You should bookmark the page for quick reference.
2. On the IronKey EMS Credentials page, enter your username and password credentials and click the Log in button.
3. An email with the Access Code is sent to the email address that is associated with your online account. Open the email message and copy the Access Code. See the example below:
4. Return to the Access Code page. Paste the code in the box and click the Submit button.
The Access Code expires in 30 minutes. If you are unable to log in with the first code, click Request New Code to generate a new code.
To access Admin Console using Device-based login
1. Plug in and unlock your device.
2. Do one of the following to securely log in to the Admin Console with mutual authentication over SSL:
If you have an S250, D250, H300/H350, or S1000 device, click the Applications button on the menu bar of the Control Panel, and then click Admin Console.
If you have a W500, W700, or W700-SC device, click the Settings button on the menu bar, and then click Account from the left sidebar. Click the Manage Account Settings button.
If you have an S200 or D200 device, click Online Account on the main page of the Control Panel, under Management.
3. If you are using a proxy, you may need to update the Network Settings for the device (S200 and D200 only) so that it knows how to connect to the Internet. Other devices use the system settings.
4. Your browser will open to the Admin Console tab of IronKey EMS.
NOTE: You cannot open Admin Console from a D300M or Sentry EMS device. You must use Web-based login to access the management console.

Deploying devices

What’s involved?

By default, when a device is activated it is initialized with the applications and policy settings that were defined in the “Default Device Policy” when you set up the IronKey EMS Account. You may also want to create new policies before adding users to the system. For example, you can create a separate policy for users who require a specific application, such as Identity Manager. You should also create a separate policy for Linux users that disables Silver Bullet Services.
Before you can distribute devices to users, you must add users to the EMS Account. If you have a large user base, you can import multiple users at once. To organize users, you can create groups, for example by department or by role within the company.
Adding a user to IronKey EMS generates an Activation Code for that user. The code is required to initialize the user’s device. You can choose to automatically email this code to users when you add them or you can email or deliver it manually later. If necessary, you can customize the default email template to add company-specific information.

Choosing a deployment strategy

The easiest and most cost-effective way to deploy devices is to:
1. Add users to the EMS Account,
2. Automatically email them the Activation Code and instructions, and then
3. Hand them a device.
IronKey EMS will take care of the rest.
NOTE: If you are deploying IronKey Workspace W500, W700, or W700-SC devices, you will need to perform some additional steps to image devices with Windows To Go. For more information, see the IronKey Workspace IT Administrators Handbook.
You must decide on a strategy that will best suit your organization. Often, companies use a combination of methods based on security, privacy, and IT considerations. For example, to minimize IT deployment time, you may want users to activate their own devices using the activation code in the automatic email you send them. However, for some users, you might choose to manually activate their devices.

QUESTIONS TO ASK BEFORE DEPLOYING DEVICES:

Your answers to these questions will determine your next steps in deploying devices to users.
» Have I finalized the Default Device Policy to include new policy settings and created any new policies that are needed for specific users or security requirements?
» How big is my user base? Do I want to add multiple users at once?
» Do I need to organize users by group?
» Do I need to ensure that some Admins cannot see the users and groups managed by other Admins?
» Do I want all users to activate their own devices? Do I need to manually activate some devices?
» Do I want to automatically email the Activation Code to users or will I email or give this code to users manually after I create them?
» If sending an automatic email, do I want to customize the Default Activation Email templates?
» What operating systems will users typically be connecting their devices to? This is especially important if you have users running the Linux operating system.
Next Steps:
If you want to... | See...
Create new device policies or edit the default policy | • Adding policies • Editing policies
Customize the Default Activation Email | • Editing the Device Activation Email
Create user groups | • Adding a group
Add a user | • Adding a user
Add multiple users | • Adding multiple users
Manually activate devices for users | • Activating a device for a user
Once you’ve successfully added the users and they have their Activation Codes, you can give them devices. Users can then proceed with device set up.

Sample deployment

Company ABC is a medium-sized business with 50 employees who need secure storage drives. Their task was to successfully deploy devices to all users in the company with minimal impact on IT resources.

REQUIREMENTS

» Number of users to add: 50 total
General Knowledge Workers: 40
Executive: 7
IT Dept: 3
» Some departments needed different policies and applications on their devices to meet corporate security requirements.
» General users were allowed to activate their own devices.
» Executive users were to receive devices activated by the IT person.

THE DEPLOYMENT SOLUTION

After considering their requirements, the IT department divided the task into the following steps.
1. Created separate policies based on department requirements
IT Policy—IT users needed access to all features, licensed services, and applications.
Executive Policy—The company wanted a separate policy to allow increased security features on some devices. Features included a higher self-destruct threshold, the Anti-Malware Service and Identity Manager. This policy will be used only by Executives.
Default Device Policy—General users were not required to have the Anti-malware Service or Identity Manager so this policy did not include these items. New features, such as Password Reset, were enabled. See “Adding policies” on page 38.
2. Customized the Default Email
The default template was modified to add Help Desk contact information that was specific to Company ABC. See “Editing the Device Activation Email” on page 57.
3. Created Groups for each geographic location
They did not need to limit the scope of which users and groups Admins could view in the Admin Console, so they structured their groups geographically for a logical organization of users. Groups were created for Asia-Pacific, Europe, and North America.
See “Adding a group” on page 54 for more information.
4. Imported General Users
The IT department added general users to IronKey EMS using a .CSV file with user data. The IT manager assigned the administrator role to one person in each department group. The file included the following information for each user:
Name, Email, Group, Role, Policy, Admin Code
See for more information.
5. Added Executive users
The IT manager added each executive to the system one user at a time. They did not send an Activation email to these users. Instead, the IT person activated the devices for the users.
See “Activating a device for a user” on page 58 for more information.
6. Distributed devices to users
General users received their devices. They followed the setup procedure in the User Guide to activate their devices and used the Activation Code that they received in an email from the IT manager.
Executive users received their activated devices. They were required to create a device password and finish the device setup.

RESULTS

After following these steps, all users were successfully added to IronKey EMS, devices were activated, and users were able to securely store data to their devices.
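A pre-import check for the .CSV file described in step 4 of the sample deployment, as an added example that is not part of the DataLocker guide. The column names come from the field list in that step; the header row, the role labels, the rule that Executive Policy users stay out of the bulk file, and every sample value are assumptions made for illustration, not the documented EMS import format.

```python
import csv
import io
import re
from collections import Counter

# Columns follow step 4's field list; header, roles and sample rows are assumed.
COLUMNS = ["Name", "Email", "Group", "Role", "Policy", "Admin Code"]
GROUPS = {"Asia-Pacific", "Europe", "North America"}
BULK_POLICIES = {"Default Device Policy", "IT Policy"}  # executives are added by hand
ROLES = {"Standard User", "Admin"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Constructed sample; Admin Code is left blank and not validated here.
SAMPLE = """Name,Email,Group,Role,Policy,Admin Code
Ana Lim,ana.lim@abc.example,Asia-Pacific,Admin,IT Policy,
Ben Ode,ben.ode@abc.example,Europe,Admin,Default Device Policy,
Di Voss,ANA.LIM@abc.example,Europe,Standard User,Default Device Policy,
Ed Roy,ed.roy@abc.example,Europe,Standard User,Executive Policy,
Flo Py,flo.py-at-abc.example,EMEA,Standard User,Default Device Policy,
"""

def lint_import(text):
    """Return (line, problem) pairs; line 0 marks a whole-file finding."""
    problems, seen, admins = [], {}, Counter()
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != COLUMNS:
        return [(1, "header does not match expected columns")]
    for row in reader:
        n = reader.line_num
        if None in row or None in row.values():  # too many or too few fields
            problems.append((n, "wrong number of fields"))
            continue
        rec = {k: v.strip() for k, v in row.items()}
        email = rec["Email"].lower()  # the Activation Code is mailed here
        first = seen.setdefault(email, n)
        if not EMAIL_RE.match(email):
            problems.append((n, "invalid email"))
        elif first != n:
            problems.append((n, f"duplicate email, first seen on line {first}"))
        if rec["Group"] not in GROUPS:
            problems.append((n, "unknown group"))
        if rec["Policy"] not in BULK_POLICIES:
            problems.append((n, "policy not allowed in bulk import"))
        if rec["Role"] not in ROLES:
            problems.append((n, "unknown role"))
        elif rec["Role"] == "Admin":
            admins[rec["Group"]] += 1
    for g in sorted(GROUPS):  # the plan assigns one administrator per group
        if admins[g] != 1:
            problems.append((0, f"group {g!r} has {admins[g]} admins, expected 1"))
    return problems
```

Running `lint_import(SAMPLE)` flags the address reused in a different case, the executive row that should have been activated by IT, the malformed address with its unknown group, and the group left without an administrator.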

Best practices for a smooth rollout

This section provides suggestions about how to administer some features of IronKey EMS. It also includes information to pass on to end users to ensure that they know how to properly use their devices and where to go for help.

FOR THE ADMINISTRATOR

Use a 200 Series device to manage a mixed device environment
If administrators (System Admin or Admin) will be managing 200 Series devices (S200 or D200) as well as other device types, they must use a 200 Series device. A 200 Series device can manage all device types but can only be managed by another 200 Series device. Administrators who use Web-based login can perform only those management tasks that are available with Admin Console. For more information, see “Managing S200 or D200 devices” on page 69.
Use Silver Bullet Service Wisely
It is recommended not to set the Silver Bullet policy too strictly (e.g. deny if not online or from a specific IP address) for remote or travelling employees; otherwise, they might not be able to use their devices in some situations.
Create a Separate Policy for Linux Users
If you plan to leverage the Silver Bullet Service, create a separate policy for Linux users that does not include Silver Bullet or that includes a large number of Silver Bullet attempts. The Silver Bullet Service is not available for Linux systems and will result in disabling usage on Linux.
Password Reset by user
This feature, when enabled in the device or user policy, allows users to reset their passwords if they forget them. If you do not want users to be able to reset a password, administrators can still perform this function for devices that support using the Silver Bullet Remote Administrative Controls policy option. For more information, see “Resetting a device password (Admin-initiated)” on page 61.