IronKey Workspace W700-SC User Manual

IRONKEY™ WORKSPACE W700-SC
User Guide
Copyright 2015 Imation Corp. All rights reserved.
Imation and Imation logo, IronKey and IronKey logo, and “PC on a Stick” are trademarks of Imation Corp. All other trademarks are the property of their respective owners.
Imation Enterprises Corp. 1 Imation Way Oakdale, MN 55128-3414 USA
www.imation.com
7/17/15
IK-W700SC-USR01-1.0
NOTE: Imation is not liable for technical or editorial errors and/or omissions contained herein; nor for incidental or consequential damages resulting from the furnishing or use of this material. The information provided herein is subject to change without notice.
The information contained in this document represents the current view of Imation on the issue discussed as of the date of publication. Imation cannot guarantee the accuracy of any information presented after the date of publication. This document is for information purposes only. Imation makes no warranties, expressed or implied, in this document.
FCC Information
This device complies with part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
• Consult the dealer or an experienced radio/ TV technician for help.
Note: Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.
Industry Canada
This Class B digital apparatus complies with Canadian ICES-003. This Class B digital device conforms to Canadian standard NMB-003.
CONTENTS
About my IronKey Workspace W700-SC device 4
Features and benefits 4
Host computer requirements 5
Device management 5
Device security 6
Device specifications 7
Recommended best practices 8
Other resources 9
About IronKey Control Panel 10
Starting IronKey Control Panel 11
Booting from a USB drive 14
Running the Startup Assistant 14
Manually configuring the host computer 16
Performing a one-time boot operation 17
Booting your device on a Macintosh 18
Using my W700-SC device 20
Activating a managed device on first-time use 20
Starting Windows from the device 23
Unplugging the device 24
Managing your Smart Card and PIN 24
Updating device software 26
Changing the Unlock message 27
Viewing device information 28
Troubleshooting 29
Resolving boot issues 30
Appendix 1: Imation support for Macintosh 34
IronKey Workspace applications 34
Level of support for Mac models 34
Moving between Mac models 36
Installing Boot Camp support drivers 37
Downloading Boot Camp Support Software 40
Appendix 2: Admin users 41
Activating a managed device on first-time use 41
Managing my online account (managed devices only) 43
IronKey Workspace W700-SC User Guide
3
ABOUT MY IRONKEY WORKSPACE W700-SC DEVICE
IronKey Workspace W700-SC is a trusted, FIPS 140-2 Level 3 certified, secure USB flash drive that features XTS-AES 256-bit hardware encryption. Certified by Microsoft as a Windows To Go device, your W700-SC is a secure, personal workspace. It is capable of using all host system resources on host computers that are certified to run Microsoft Windows® 7.0 and higher, and qualified Mac computers. Additionally, the W700-SC supports device authentication using a smart card. When paired with your device, you can securely unlock your workspace using your smart card and Personal Identification Number (PIN).
Figure 1: IronKey Workspace W700-SC device
Once you unlock your W700-SC device, you can safely boot a fully functional version of Microsoft Windows 8.1 Desktop. Use the Windows 8.1 workspace as you would any other Windows 8.1 computer. When your work is finished, shut down the Windows 8.1 operating system and remove the device from the host computer. You’re ready to bring your “PC on a Stick™” anywhere.
Use this guide to learn more about how to use your W700-SC device.
This chapter contains information about:
• Features and benefits
• Host computer requirements
• Device management
• Device security
• Device specifications
• Recommended best practices
• Other resources
FEATURES AND BENEFITS
FIPS 140-2 Level 3 certification—IronKey Workspace W700-SC is FIPS certified so you can feel confident that you’re complying with regulatory requirements.
Section 508 compliant—W700-SC devices are fully compliant with section 508 accessibility requirements.
Hardware Encryption—The IronKey Cryptochip protects your critical data, applications and networks by keeping encryption key management on the device, where it’s safe and protected.
Smart card/PIN-Protected—Only after logging in with an authorized smart card and PIN will the drive unlock the workspace so you can boot into Windows To Go. If a smart card is lost or expired, you can bind a new card to the device.
Waterproof and Tamper-Resistant—Designed to survive the extremes, IronKey Workspace W700-SC has a rugged metal encasing that is injected with an epoxy compound that makes it not only tamper-resistant, but waterproof to military specifications (MIL-STD-810F).
Device Management—Your device has built-in software that lets you manage device settings. Your company may also configure your device for centralized management with an IronKey Enterprise Management System, such as IronKey Enterprise Server or IronKey Enterprise Service. For more information, see “Device management” on page 5.
HOST COMPUTER REQUIREMENTS
The host computer must allow you to boot from a USB device. Computers that are certified for use with Windows 7 or higher can be configured to boot automatically from a USB device. Check with the hardware manufacturer if you are not sure whether your computer can boot from a USB device. For more information, see “Booting from a USB drive” on page 14.
• Windows computer that is certified to run Microsoft Windows® 7 or higher.
• Macintosh computer that supports Windows 8 or higher. Note: Your W700-SC device must also have Boot Camp Support Software installed in Windows To Go. Your administrator may have included this software when your device was provisioned. For more information, see “Booting your device on a Macintosh” on page 18.
• To use your W700-SC with a smart card, you must have HID Global’s ActiveID® ActivClient® software (version 6.2.0.50, 6.2.0.195, or 7.0.2.403) installed on the host computer so that it is available when you activate the device in non-boot mode.
• A USB 3.0 (Super-Speed) port is recommended, or a USB 2.0 port for high-speed data transfer. USB 3.0 ports are typically marked blue or display the “SS” (Super Speed) symbol. A USB 1.1 port or powered hub will also work, but will be slower.
DEVICE MANAGEMENT
There are two levels of device management: the administrative level and the user level. At the administrative level, your organization can implement a device management system to control the policy on your device and provide device updates as well as control access to the device. Devices controlled by an IronKey Enterprise Management System are called “managed devices”. Your administrator will tell you if you have a managed device.
User management refers to the device management options available to you, the user, to control your device. Each device includes the IronKey Control Panel, an application that lets you view device information, change device preferences, and run the Startup Assistant to configure the host computer.
Administrative management
An IronKey Enterprise Management System allows IT administrators to remotely manage your IronKey Workspace W700-SC device. If you have a managed device, you must first activate it before you start Windows To Go. Activation binds the device to your user account in the IronKey Enterprise Management System and applies a device policy. Once activated, your device can receive policy and software updates, and administrators can reset a forgotten PIN.
Figure 2: Devices managed by an IronKey Enterprise Management System (users with managed devices; administrators manage devices using the Admin Console in the IronKey Enterprise Management System)
User management
Use the IronKey Control Panel application to manage your device preferences. If your device is managed by an IronKey Enterprise Management System, the IronKey Control Panel allows the device to connect to the management system. Using the Control Panel, you can activate your device with the management system and download device software updates. For more information, see “About IronKey Control Panel” on page 10.
Figure 3: IronKey Control Panel application
DEVICE SECURITY
IronKey Workspace W700-SC devices have been designed from the ground up with security in mind. The device uses a combination of advanced security technologies to ensure that only you can access your data. Additionally, it is a physically secure device, to prevent hardware-level attacks and tampering, and to ensure the device is rugged and long-lasting.
The IronKey Workspace W700-SC adds an extra security factor when authenticating, a smart card. Instead of a device password like other IronKey Workspace devices, you can use your smart card to unlock the device. The encryption key from the smart card is paired with the device and bound to the device authentication method.
The IronKey Cryptochip is hardened against physical attacks such as power attacks and bus sniffing. It is physically impossible to tamper with its protected data or reset the password counter. If the Cryptochip detects a physical attack, it destroys itself, making the stored encrypted files inaccessible.
We strive to be very open about the security architecture and technology that we use in designing and building this product. We use established cryptographic algorithms, we develop threat models, and we perform security analyses (internal and third party) of our systems all the way through design, development and deployment.
Note: The W700-SC “device password” referred to in this section is the smart card encryption certificate that is protected by the smart card PIN.
Data Encryption Keys
• AES key generated by onboard Random Number Generator
• AES key is generated at initialization time and encrypted with a hash of the device password
• No back-doors: AES key cannot be decrypted without the device password
• AES key never leaves the hardware and is not stored in NAND flash
Data Protection
• Windows To Go partition is not accessible until the device password is verified in hardware
• Device password retry-counter implemented in tamper-resistant hardware
• If you exceed the smart card PIN retry-count, the smart card will lock and an administrator will have to unlock the card.
• Sensitive data and settings are stored in hardware
Device Password Protection
• USB command channel encryption to protect device communications
• Password-in-memory protection to protect against cold-boot and other attacks
The device password is hashed using salted SHA-256 before being transmitted to the device firmware over a secure USB channel. It is stored in an extremely inaccessible location in the protected Cryptochip hardware. The hashed password is validated in hardware (there is no “getPassword” function that can retrieve the hashed password), and only after the password is validated is the AES encryption key decrypted. The password try-counter is also implemented in hardware to prevent memory rewind attacks.
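As an added illustration (not code from this guide or from Imation), the following Python models the split the Data Encryption Keys and Device Password Protection sections describe: the host sends only a salted SHA-256 digest, the AES key exists only in wrapped form on the chip side, and the retry counter lives with the chip rather than in host memory. The retry limit, the verifier salt and the HMAC-based key wrap are assumptions standing in for the device's undocumented internals.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed model, not Imation firmware: the host/Cryptochip split described
# in the guide, so you can see what crosses the USB channel and what stays on-chip.
MAX_TRIES = 10  # assumption: the guide does not state the hardware retry limit
KEY_LEN = 32    # AES-256 data key


def host_hash_password(password: str, salt: bytes) -> bytes:
    """Host side: salted SHA-256 of the password. This digest, never the
    plaintext password, is what the host transmits to the device."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


class Cryptochip:
    """Hardware side: password verifier, wrapped AES key and retry counter all
    live here. There is deliberately no accessor that returns any of them."""

    def __init__(self, password_hash: bytes) -> None:
        self._verifier_salt = os.urandom(16)
        # Keep only a second salted hash for comparison; the transmitted hash
        # itself is not retained, so there is nothing for a "getPassword" to return.
        self._verifier = self._digest(password_hash)
        data_key = os.urandom(KEY_LEN)  # AES key from the on-board RNG
        # Store the AES key only in wrapped form, keyed by the password hash.
        self._wrapped_key = self._xor(self._wrap_stream(password_hash), data_key)
        self._tries = 0
        self.locked = False

    def _digest(self, password_hash: bytes) -> bytes:
        return hashlib.sha256(self._verifier_salt + password_hash).digest()

    @staticmethod
    def _wrap_stream(password_hash: bytes) -> bytes:
        # Stand-in for the chip's key-wrap cipher: an HMAC-SHA256 keystream
        # (model only; the real device uses its hardware AES).
        return hmac.new(password_hash, b"data-key-wrap", hashlib.sha256).digest()

    @staticmethod
    def _xor(a: bytes, b: bytes) -> bytes:
        return bytes(x ^ y for x, y in zip(a, b))

    def attempts_remaining(self) -> int:
        return MAX_TRIES - self._tries

    def unlock(self, password_hash: bytes) -> Optional[bytes]:
        """Validate the hash on the chip; only then unwrap the AES key.
        The counter is updated here, not in host memory, so rewinding the
        host process does not reset it."""
        if self.locked:
            return None
        if not hmac.compare_digest(self._digest(password_hash), self._verifier):
            self._tries += 1
            if self._tries >= MAX_TRIES:
                self.locked = True
                self._wrapped_key = bytes(KEY_LEN)  # key material discarded
            return None
        self._tries = 0
        return self._xor(self._wrap_stream(password_hash), self._wrapped_key)


if __name__ == "__main__":
    salt = os.urandom(16)
    chip = Cryptochip(host_hash_password("example-pin", salt))  # constructed
    print("wrong PIN unlocks:", chip.unlock(host_hash_password("bad", salt)) is not None)
    print("attempts remaining:", chip.attempts_remaining())
```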
DEVICE SPECIFICATIONS
The following table provides details about your W700-SC device.
Table 1: Device specifications
Specification / Details
Capacity*: 32GB, 64GB, 128GB
Dimensions: 82mm X 21.1mm X 9.1mm
Weight: 1.12 oz (32 grams)
Operating Temperature: 0C to 70C
Operating Shock: 16G rms
Certification: FIPS-140-2 Level 3
Hardware Encryption: Data: 256-bit AES (XTS mode); Hardware: 256-bit AES; Hashing: 256-bit SHA
Hardware: USB 3.0 (Super speed); Water-resistant MIL-STD-810F; Dust-resistant; Shock-resistant; Ruggedized
Host computer compatibility: PC certified to run Microsoft Windows 7 or higher operating systems; Mac computer that supports Windows 8.1
Accessibility: The IronKey Control Panel application is Section 508 compliant. Users with disabilities have keyboard navigation and screen reader support.
Designed and Assembled in the U.S.A.
* Some space is required for Windows To Go software. Windows 8.1 Enterprise is not included or preloaded on the device.
RECOMMENDED BEST PRACTICES
The following list provides tips on how to use your device to maximize safety and security.
• Never unplug the device when the LED is on or while booted in Windows To Go. This can result in loss of data or possibly cause irreparable damage to the operating system on the device.
• Never share your device smart card PIN.
• If Windows To Go is in Hibernate mode, do not unplug the device and move it to another computer. Windows To Go does not support roaming between computers using hibernate.
• Recovering data stored in Windows on a lost or damaged drive is difficult and often not possible. It is recommended that you store files and data using an alternate storage method. If your company has purchased IronKey secure storage devices, you can save your data to the IronKey storage device while booted in Windows To Go. You can also use folder redirection or offline files, or back up your data to a network drive or cloud-based storage space.
OTHER RESOURCES
IronKey devices
http://support.ironkey.com Support information, knowledge base and video tutorials
securityfeedback@imation.com Product feedback and feature requests
http://www.ironkey.com General information
Windows To Go
http://www.ironkey.com/en-US/windows-to-go-drives/windows-to-go.html
Reference documentation from Apple
The following table provides links to documentation from Apple about Boot Camp 5.1 and Windows 8 and 8.1 support on Mac computers.
Table 2: Reference information from Apple
Topic / Reference
Main Boot Camp Support page: http://www.apple.com/support/bootcamp/
Boot Camp 5.1: Frequently Asked Questions: http://support.apple.com/kb/HT5639
Boot Camp: Frequently Asked Questions about Installing Windows 8: http://support.apple.com/kb/HT5628
Boot Camp: System requirements for Microsoft Windows operating systems: http://support.apple.com/kb/HT5634
Boot Camp 5.1 download: http://support.apple.com/downloads/#macoscomponents
Note: Make sure you download the version that supports the Mac model that will be used to boot the device.
About Startup Manager: http://support.apple.com/kb/HT1310
Contact support
For support, please contact your Help desk or System Administrator.
ABOUT IRONKEY CONTROL PANEL
The IronKey Control Panel is software that lets you manage your device. You can run the Control Panel when you are booted into the host operating system or when booted in Windows To Go. The Control Panel lets you edit your device preferences and view device information, such as the software or firmware version. For managed devices, IronKey Control Panel also lets you activate the device (on first-time use) and download and install device software updates. Users with administrative privileges can also use the Control Panel to connect to the management console in the IronKey Enterprise Management System. If you are an Administrative User, see Appendix A for further information.
You can access the Control Panel when the host operating system is running (this is called non-boot mode) or when you boot into Windows To Go (this is called Windows To Go mode). Some tasks can only be completed when you run the Control Panel in non-boot mode, for example, installing device updates.
The following table outlines IronKey Control Panel operations available in non-boot and Windows To Go mode.
Table 3: IronKey Control Panel operations
IronKey Control Panel operation / Non-boot mode / Windows To Go mode
Pair device with new smart card: Non-boot mode Yes; Windows To Go mode no
Unlock/Lock the device: Non-boot mode Yes; Windows To Go mode no
Change unlock message, Auto-lock preferences, Activate the device (managed devices only): marked Yes (some with note 1) in the original table; which of the two modes each row applies to is not recoverable from this copy
Check for device updates (managed devices only): Non-boot mode Yes; Windows To Go mode Yes
Download and install device updates (managed devices only): Non-boot mode Yes; Windows To Go mode no
View device information: Non-boot mode Yes; Windows To Go mode Yes
Access online account (Admin users only): Non-boot mode Yes; Windows To Go mode Yes
1 For managed devices, this is only available if enabled in policy.
STARTING IRONKEY CONTROL PANEL
For managed devices, you can start IronKey Control Panel from the application partition in non-boot mode or from the taskbar when booted in Windows To Go.
Non-boot mode
Make sure that you have HID Global’s ActiveID® ActivClient® software installed on the host computer so that it is available when you start the Control Panel in non-boot mode. In non-boot mode, when the host operating system is running, IronKey Control Panel opens after you unlock the device. Entering the wrong PIN a consecutive number of times will lock the smart card.
You should always lock the device before you unplug it or if the device is not in use while working in non-boot mode. You can manually lock the device or set the device to automatically lock after a period of inactivity. For managed devices, auto-lock settings are available in IronKey Control Panel if enabled in the device policy. The device policy is applied to the device during activation.
For a list of operations that are available with IronKey Control Panel in non-boot mode, see “IronKey Control Panel operations” on page 10.
Note: If you have a managed device, the first time you start IronKey Control Panel in non-boot mode, you will be required to activate the device. See “Activating a managed device on first-time use” on page 20.
To start IronKey Control Panel in non-boot mode
1. Make sure that the host computer is turned on and the host operating system is running.
2. Insert the W700-SC device into the USB port of the host computer.
3. Insert your smart card into the card reader.
4. In a file manager, double-click the IronKey.exe file from the IronKey Workspace drive.
5. Type your SmartCard PIN and click Unlock.
The IronKey Control Panel will open automatically.
Note: If the device loses power, for example if it is unplugged from a USB hub, it will lock.
To lock the device
In IronKey Control Panel, click Lock from the bottom left corner of the application. You can also use the keyboard shortcut: CTRL + L.
Note: Once the device is locked, you can safely unplug it.
To set the device to automatically lock
1. In IronKey Control Panel, click the Settings button in the menu bar.
2. Click Preferences in the left sidebar.
3. Click the check box for auto-locking the device and set the time-out for either 5, 15, 30, 60, 120, or 180 minutes.
Note: For managed devices, if auto-lock preferences have been disabled by the administrator, you will not be able to modify this setting.
Windows To Go mode
In Windows To Go mode, IronKey Control Panel runs automatically when you boot Windows from the device. You do not have to unlock the device to start the application. The device unlocks when you authenticate in the IronKey Workspace Preboot environment. Locking the device does not apply in Windows To Go mode; instead, you must shut down the Windows operating system. For more information, see “Unplugging the device” on page 24.
To start IronKey Control Panel in Windows To Go
When booted in Windows, on the Windows taskbar, right-click the IronKey icon and choose IronKey Control Panel.
BOOTING FROM A USB DRIVE
It is recommended that you configure the host computer (PC) to always boot from a USB drive (if present). The IronKey Workspace Startup Assistant, available in the Control Panel on your device, will automatically configure a qualified host computer to boot from your device on startup. The tool sets the boot order of the host computer so that it will boot first from a USB drive if one is present.
If the host computer is not supported by the Startup Assistant, you will have to manually configure it to boot from a USB drive. If you do not want to configure the host computer, you can do a one-time boot procedure to start Windows To Go.
Important: Once configured, your computer will try to boot any USB device connected to it on startup, including malicious devices. Do not insert a bootable USB device unless you are sure the device is safe for use.
You cannot configure Mac computers to always boot from a USB drive. See “Booting your device on a Macintosh” on page 18.
This chapter contains information about:
• Running the Startup Assistant
• Manually configuring the host computer
• Performing a one-time boot operation
• Booting your device on a Macintosh
RUNNING THE STARTUP ASSISTANT
Run the IronKey Workspace Startup Assistant first before you try booting Windows To Go from the device. The Startup Assistant runs on Windows computers only and will not configure Mac systems. The tool can configure host computers with either a 32-bit or 64-bit processor architecture that also meet the following configurations:
• UEFI firmware and Windows 8 or Windows 8.1 operating system
• BIOS firmware from DELL and Windows operating system
• BIOS firmware from HP and Windows operating system
• BIOS firmware from Lenovo and Windows operating system
Other configurations are not supported. If your system is not supported, see “Manually configuring the host computer” on page 8. Once configured, you will have to manually edit the boot order in the BIOS settings if you want to remove USB as the first boot priority.
Tip: For the most up-to-date list of DELL, HP, and Lenovo systems that will work with the Startup Assistant, see the Startup Assistant page on the IronKey Support site.
Note: You cannot run the Startup Assistant if your system setup is protected with a password.