Lenovo A51 User Manual

Fingerprint Software Deployment Guide
Updated: September, 2010
Note: Before using this information and the product it supports, read the general information in Appendix B “Notices” on page 33.
First Edition (September 2010)
© Copyright Lenovo 2010.
LIMITED AND RESTRICTED RIGHTS NOTICE: If products, data, computer software, or services are delivered pursuant to a General Services Administration “GSA” contract, use, reproduction, or disclosure is subject to restrictions set forth in Contract No. GS-35F-05925.
Contents
Preface
Chapter 1. Overview
Chapter 2. Installation
  Installation procedures and command-line parameters
  Using msiexec.exe
  Standard Windows Installer public properties
  Installation examples
  Installing ThinkVantage Fingerprint Software
    Silent installation
    Options
  Installing Lenovo Fingerprint Software
    Silent installation
    Options
Chapter 3. Working with Fingerprint Software
  Management console tool
    User-specific commands
    Global settings commands
  Secure mode and convenient mode
    Secure mode - administrator
    Secure mode - limited user
    Convenient mode - administrator
    Convenient mode - limited user
Chapter 4. Working with ThinkVantage Fingerprint Software
  Using the RSA SecurID software token
    Provisioning the ThinkVantage Fingerprint Software for the RSA SecurID software token
    Generating an RSA SecurID token code
    Authenticating the RSA SecurID-protected applications
    Using the ThinkVantage Fingerprint Software with RSA SecurID Ready VPN clients
    Considerations for using the external fingerprint reader with the RSA SecurID software token
  Using ThinkVantage Fingerprint Software with Novell Netware Client
    Authenticating
    Configurable settings
  ThinkVantage Fingerprint Software service
Chapter 5. Working with Lenovo Fingerprint Software
  Active Directory support for Lenovo Fingerprint Software
  Considerations for using Lenovo Fingerprint Software
    Deploying the ghost image with Lenovo Fingerprint Software
    Erasing fingerprint data
  Lenovo Fingerprint Software service
Appendix A. Considerations for the Lenovo Fingerprint Keyboard
  Configuration and setup
  Pre-desktop authentication
  Windows logon
  Authentication with Client Security Solution
Appendix B. Notices
  Trademarks

Preface

Information presented in this guide is to support Lenovo® computers installed with either the ThinkVantage® or Lenovo Fingerprint Software program.
Note: In this deployment guide, Fingerprint Software refers to both ThinkVantage Fingerprint Software and Lenovo Fingerprint Software.
The goal of Fingerprint Software is to help customers address corporate IT regulatory compliance, reduce the costs associated with managing passwords, and enhance computing security.
The Fingerprint Software Deployment Guide provides the information required for installing Fingerprint Software on one or more computers, and also provides instructions and scenarios on the administrative tools that can be customized to support IT and corporate policies.
This guide is intended for IT administrators, or those responsible for deploying Fingerprint Software to computers throughout their organizations. If you have suggestions or comments, communicate with your Lenovo authorized representative. This guide is updated periodically, and you can check the latest publication on the Lenovo Web site at http://www-307.ibm.com/pc/support/site.wss/TVAN-ADMIN.html.
For questions and information about using the various components in Fingerprint Software workspaces, refer to the online help system and user guides that come with Fingerprint Software.

Chapter 1. Overview

The objective of biometric fingerprint technologies offered by Lenovo is to help customers address corporate IT regulatory compliance, reduce the costs associated with managing passwords, and enhance computing security. Fingerprint Software enables fingerprint authentication on individual computers and networks by working with the Lenovo fingerprint readers. It can be integrated with Client Security Solution 8.3 or Password Manager. For more information about the integration with the two programs, refer to the Client Security Solution 8.3 Deployment Guide. You can find out more about Lenovo fingerprint technologies and download Fingerprint Software from the Lenovo Web site at: http://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-73583.
Fingerprint Software offers these functions:
Client software capabilities
• Microsoft® Windows® password replacement: Replace your password with your fingerprint for easy, fast, and secure system access.
• BIOS password (also known as power-on password) and hard disk drive passwords replacement: Replace passwords with your fingerprint to enhance logon security and convenience.
• Pre-boot fingerprint authentication for SafeGuard Enterprise full-drive encryption: Utilize fingerprint authentication to decrypt your hard disk drive before starting the Windows operating system.
• Single swipe to access the BIOS and the Windows operating system: Swipe your fingerprint at startup to gain access to the BIOS and the Windows operating system.
• Single swipe to turn on the computer: Swipe your fingerprint to turn on the computer.
  Note: This feature has the dependency on the hardware; therefore, it is supported by certain computer models.
• Fingerprint Software sensor indicator: Indicate the working state of the sensor, and the success in swiping your fingerprint or not.
  Note: This feature has the dependency on the hardware; therefore, it is supported by certain computer models.
• Integration with Client Security Solution: Use with the Client Security Solution Password Manager and leverage the Trusted Platform Module. Users can swipe their finger to access Web sites and select applications.
Administrator features
• Security mode toggle: Allow an administrator to toggle between secure and convenient modes to modify access rights of limited users.
Security capabilities
• Software security: Protect user templates through strong encryption when stored on a system and when transferred from the reader to the software.
• Hardware security: Provide a security reader with a co-processor that stores and protects fingerprint templates, BIOS passwords, and encryption keys.

Chapter 2. Installation

This chapter contains instructions on installing Fingerprint Software.

Installation procedures and command-line parameters

The Microsoft Windows Installer provides several administrative functions through command-line parameters. The Windows Installer can perform an administrative installation of an application or product to a network for use by a workgroup or for customization. Command-line options that require a parameter must be specified with no space between the option and its parameter. For example:
setup.exe /s /v"/qn REBOOT="R""
is valid, while
setup.exe /s /v "/qn REBOOT="R""
is not.
Note: The default behavior of the installation when executed alone (running setup.exe without any parameters) is to prompt the user to reboot at the end of the installation. A reboot is required for the program to function properly. The reboot can be delayed through a command line parameter for a silent installation as documented in the preceding section and in the example section.
For the Fingerprint Software installation package, an administrative installation unpacks the installation source files to a specified location.
To run an administrative installation, run the setup package from the command line using the /a parameter:
setup.exe /a
An administrative installation presents a wizard that prompts the administrative user to specify the locations for unpacking the setup files. The default extract location is C:\. You can choose a new location that may include drives other than C:\ (for example, other local drives or mapped network drives). You can also create new directories during this step.
To run an administrative installation silently, you can set the public property TARGETDIR on the command line to specify the extract location:
setup.exe /a /s /v"/qn TARGETDIR=F:\TVTRR"
or
msiexec.exe /a "setup.msi" /qn TARGETDIR=F:\FPR
Note: If you are not using the latest version of Windows Installer, the setup.exe file will be configured to update the Windows Installer engine to the latest version. The update of the Windows Installer engine will prompt you to reboot the system even in an administrative extract installation. To prevent a reboot in this situation, you can use the REBOOT property of the Windows Installer. If the Windows Installer is the latest version, the setup.exe file will not attempt to update the Windows Installer engine.
Once an administrative installation has been completed, the administrative user can make customizations to the source files, such as adding settings to the registry.
The following parameters and descriptions are documented in the InstallShield developer help documentation. Parameters that do not apply to Basic MSI projects were removed.
Table 1. Parameters
Parameter: Description
/a: administrative installation
    The /a switch causes setup.exe to perform an administrative installation. An administrative installation copies (and uncompresses) your data files to a directory specified by the user, but does not create shortcuts, register COM servers, or create an uninstallation log.
/x: uninstalling mode
    The /x switch causes setup.exe to uninstall a previously installed product.
/s: silent mode
    The command setup.exe /s suppresses the setup.exe initialization window for a Basic MSI installation program, but does not read a response file. Basic MSI projects do not create or use a response file for silent installations. To run a Basic MSI product silently, run the command line setup.exe /s /v/qn. (To specify the values of public properties for a silent Basic MSI installation, you can use a command such as setup.exe /s /v"/qn INSTALLDIR=D:\Destination".)
/v: pass arguments to Msiexec
    The /v argument is used to pass command line switches and values of public properties through to Msiexec.
/L: setup language
    Users can use the /L switch with the decimal language ID to specify the language used by a multi-language installation program. For example, the command to specify German is setup.exe /L1031.
/w: wait
    For a Basic MSI project, the /w argument forces setup.exe to wait until the installation is complete before exiting. If you are using the /w option in a batch file, you may want to precede the entire setup.exe command line argument with start /WAIT. A properly formatted example of this usage is as follows:
    start /WAIT setup.exe /w

Using msiexec.exe

To install from the unpacked source after making customizations, the user calls msiexec.exe from the command line, passing the name of the unpacked *.MSI file. msiexec.exe is the executable program of the Windows Installer used to interpret installation packages and install products on target systems.
msiexec /i "C:\WindowsFolder\Profiles\UserName\Personal\MySetups\projectname\productconfiguration\releasename\DiskImages\Disk1\productname.msi"
Note: Enter the preceding command as a single line with no spaces following the slashes.
The following table describes the available command line parameters that can be used with msiexec.exe and examples of how to use it.
Table 2. Command line parameters
Parameter: Description
/I package or product code
    Use this format to install the product:
    Othello: msiexec /i "C:\WindowsFolder\Profiles\UserName\Personal\MySetups\Othello\TrialVersion\Release\DiskImages\Disk1\OthelloBeta.msi"
    Product code refers to the Globally Unique Identifier (GUID) that is automatically generated in the product code property of your product's project view.
/a package
    The /a option allows users with administrator privileges to install a product onto the network.
/x package or product code
    The /x option uninstalls a product.
/L [i|w|e|a|r|u|c|m|p|v|+] log file
    Building with the /L option specifies the path to the log file; these flags indicate which information to record in the log file:
    • i logs status messages
    • w logs non-fatal warning messages
    • e logs any error messages
    • a logs the commencement of action sequences
    • r logs action-specific records
    • u logs user requests
    • c logs initial user interface parameters
    • m logs out-of-memory messages
    • p logs terminal settings
    • v logs the verbose output setting
    • + appends to an existing file
    • * is a wildcard character that allows you to log all information (excluding the verbose output setting)
/q [n|b|r|f]
    The /q option is used to set the user interface level in conjunction with the following flags:
    • q or qn creates no user interface
    • qb creates a basic user interface
    The user interface settings below display a modal dialog box at the end of installation:
    • qr displays a reduced user interface
    • qf displays a full user interface
    • qn+ displays no user interface
    • qb+ displays a basic user interface
/? or /h
    Either command displays Windows Installer copyright information.
TRANSFORMS
    The TRANSFORMS command line parameter specifies any transforms that you would like applied to your base package.
    msiexec /i "C:\WindowsFolder\Profiles\UserName\Personal\MySetups\YourProjectName\TrialVersion\MyRelease-1\DiskImages\Disk1\ProductName.msi" TRANSFORMS="NewTransform1.mst"
    You can separate multiple transforms with a semicolon. Do not use semicolons in the name of your transform, as the Windows Installer service will interpret those incorrectly.
Properties
    All public properties can be set or modified from the command line. Public properties are distinguished from private properties and are all capital letters. For example, COMPANYNAME is a public property.
    To set a property from the command line, use the following syntax:
    PROPERTY=VALUE
    If you wanted to change the value of COMPANYNAME, you would enter the following:
    msiexec /i "C:\WindowsFolder\Profiles\UserName\Personal\MySetups\YourProjectName\TrialVersion\MyRelease-1\DiskImages\Disk1\ProductName.msi" COMPANYNAME="InstallShield"

Standard Windows Installer public properties

The Windows Installer has a set of standard built-in public properties that can be set on the command line to specify certain behavior during the installation. The following table provides the most common public properties used in the command line.
For additional information, refer to the Microsoft Web site at: http://msdn2.microsoft.com/en-us/library/aa367437.aspx.
The following table shows the commonly used Windows Installer properties:
Table 3. Windows Installer properties
Property: Description
TARGETDIR: Specifies the root destination directory for the installation. During an administrative installation this property is the location to copy the installation package.
ARPAUTHORIZEDCDFPREFIX: URL of the update channel for the application.
ARPCOMMENTS: Provides Comments for the Add or Remove Programs on Control Panel.
ARPCONTACT: Provides Contact for the Add or Remove Programs on Control Panel.
ARPINSTALLLOCATION: Fully qualified path to the application's primary folder.
ARPNOMODIFY: Disables functionality that would modify the product.
ARPNOREMOVE: Disables functionality that would remove the product.
ARPNOREPAIR: Disables the Repair button in the Programs wizard.
ARPPRODUCTICON: Specifies the primary icon for the installation package.
ARPREADME: Provides a ReadMe for the Add or Remove Programs on Control Panel.
ARPSIZE: Estimated size of the application in kilobytes.
ARPSYSTEMCOMPONENT: Prevents display of application in the Add or Remove Programs list.
ARPURLINFOABOUT: URL for an application's home page.
ARPURLUPDATEINFO: URL for application-update information.
REBOOT: The REBOOT property suppresses certain prompts for a reboot of the system. An administrator typically uses this property with a series of installations to install several products at the same time with only one reboot at the end. Set REBOOT="R" to disable any reboots at the end of an install.

Installation examples

The following table provides the installation examples using the setup.exe file.
Table 4. Installation examples using the setup.exe file
Description: Example
Silent installation with no reboot:
    setup.exe /s /v"/qn REBOOT="R""
Administrative installation:
    setup.exe /a
Silent administrative installation specifying the extract location:
    setup.exe /a /s /v"/qn TARGETDIR="F:\fpr""
Silent uninstallation:
    setup.exe /s /x /v/qn
The following table provides the installation examples using the setup.msi file.
Table 5. Installation examples using the setup.msi file
Description: Example
Installation:
    msiexec /i setup.msi
Silent installation with no reboot:
    msiexec /i setup.msi /qn REBOOT="R"
Silent uninstallation:
    msiexec /x setup.msi /qn

Installing ThinkVantage Fingerprint Software

The setup.exe file of the ThinkVantage Fingerprint Software program can be installed through the following methods:

Silent installation

To silently install ThinkVantage Fingerprint Software, run the setup.exe file located in the installation directory on your CD-ROM drive.
Use the following syntax:
Setup.exe PROPERTY=VALUE /q /i
where q is for silent installation and i is for installation. For example:
setup.exe INSTALLDIR="C:\Program Files\ThinkVantage fingerprint software" /q /i
To uninstall the software, use the /x parameter instead of /i:
setup.exe INSTALLDIR="C:\Program Files\ThinkVantage fingerprint software" /q /x

Options

The following options are supported by the ThinkVantage Fingerprint Software.
Table 6. Options supported by the ThinkVantage Fingerprint Software
Parameter: Description
OTP
    • 0 = Disable the RSA SecurID support feature.
    • 1 = Enable the RSA SecurID support feature.
    The default value is 0.
CTRLONCE
    Displays the Control Center only once. The default value is 0.
CTLCNTR
    • 0 = Do not display Control Center at startup.
    • 1 = Display Control Center at startup.
    The default value is 1.
DEFFUS
    • 0 = Do not use Fast User Switching (FUS) settings.
    • 1 = Use FUS settings.
    The default value is 0.
DEVICEBIO
    Configures the device type that will be used by the user.
    • DEVICEBIO=#3 - Use the device sensor to save the first enrollment.
    • DEVICEBIO=#0 - Use the hard disk drive to save the enrollment.
    • DEVICEBIO=#1 - Use the Companion Chip to save the enrollment.
INSTALLDIR
    Set the installation directory.
OEM
    • 0 = Install with support to server passports or server authentication.
    • 1 = Install only standalone-computer mode with local passports.
    The default value is 1.
PASSPORT
    Set the default passport type.
    • 1 = Local passport
    • 2 = Server passport
    The default value is 1.
POSSSO
    • 1 = Enable single sign-on.
    • 0 = Disable single sign-on.
    The default value is 1.
PSLOGON
    • 0 = Disable the fingerprint logon.
    • 1 = Enable the fingerprint logon.
    The default value is 0.
REBOOT
    Suppresses all reboots including prompts during installation by setting to ReallySuppress.
SECURITY
    • 1 = Install in the secure mode.
    • 0 = Install in the convenient mode.
SHORTCUT
    • 0 = Do not display Control Center shortcut at startup.
    • 1 = Enable the display of Control Center shortcut at startup.
    The default value is 0.
SHORTCUTFOLDER
    Set the default name of the shortcut folder in the Start menu.

Non-administrator user privileges
DELETESELF
    • 1 = Enable the fingerprint deletion.
    • 0 = Disable the fingerprint deletion.
    The default value is 1.
ENROLLSELF
    • 1 = Enable the fingerprint enrollment.
    • 0 = Disable the fingerprint enrollment.
    The default value is 1.
ENROLLTBX
    • 1 = Enable the selection of fingerprint for power-on.
    • 0 = Disable the selection of fingerprint for power-on.
    The default value is 1.
IMPORTSELF
    • 1 = Enable the fingerprint import/export for non-administrator users.
    • 0 = Disable the fingerprint import/export for non-administrator users.
    The default value is 1.
REVEALPWD
    • 1 = Enable the Windows password recovery.
    • 0 = Disable the Windows password recovery.
    The default value is 1.

Anti-hammering protection (Lockout Settings)
LOCKOUT
    • 1 = Enable the anti-hammering protection.
    • 0 = Disable the anti-hammering protection.
    The default value is 1.
LOCKOUTCOUNT
    Maximum retries. The default value is 5, and you can use any value.
LOCKOUTTIME
    Timeout in milliseconds. The default value is 120000, and you can use any value up to 360000.

Authentication timeout (Inactivity Settings)
GUITMENABLE
    • 1 = Enable the authentication timeout in milliseconds.
    • 0 = Disable the authentication timeout in milliseconds.
    The default value is 1.
GUITMTIME
    Authentication timeout duration. The default value is 120000, and you can use any value up to 360000.
PWDLOGON
    • 1 = Enable the fingerprint-only logon for non-administrator users.
    • 0 = Disable the fingerprint-only logon for non-administrator users.
    The default value is 1.
NOPOPPAPCHECK
    • 0 = Do not show the power-on security options.
    • 1 = Always show the power-on security options.
    The default value is 0.
CSS
    • 0 = Assume that Client Security Solution has not been installed.
    • 1 = Assume that Client Security Solution has been installed.
    The default value is 0.
Note: All options are optional.
To uninstall the Fingerprint Software, use the /x parameter instead of /i. During the standard uninstall from the user interface, dialogs for selecting whether to delete existing passports and disable the boot security feature are displayed. In the silent uninstall mode, you can use the DELPAS parameter. Set the DELPAS value to "1" to delete existing passports. If these options are not defined, or have any other value, passports are left on the computer and the boot security remains enabled. If you leave the boot security on, you will not be able to edit fingerprints in the boot security memory unless you re-install the product. For example, running the following syntax:
msiexec /x Setup.msi DELPAS="1" /q
would uninstall the product, delete all existing passports, and leave the boot security on the computer.

Installing Lenovo Fingerprint Software

The setup32.exe file of the Lenovo Fingerprint Software program can be installed by using the following procedure.

Silent installation

To silently install the Fingerprint Software, run the setup32.exe file located in the installation directory on your CD-ROM drive.
Use the following syntax:
setup32.exe /s /v"/qn REBOOT="R""
To uninstall the software, use the following syntax:
setup32.exe /x /s /v"/qn REBOOT="R""

Options

The following options are supported by Lenovo Fingerprint Software.
Table 7. Options supported by the Lenovo Fingerprint Software
Parameter: Description
SHORTCUT
    Displays Control Center shortcut in the Start menu.
    • 0 = Do not display the Control Center shortcut.
    • 1 = Display the Control Center shortcut.
    The default value is 0.
SWAUTOSTART
    • 0 = Do not start fingerprint software at startup.
    • 1 = Start fingerprint software at startup.
    The default value is 1.
SWFPLOGON
    • 0 = Do not use the fingerprint logon (GINA or Credential Provider).
    • 1 = Use the fingerprint logon (GINA or Credential Provider).
    The default value is 0.
SWPOPP
    • 0 = Disable power-on password protection.
    • 1 = Enable power-on password protection.
    The default value is 0.
SWSSO
    • 0 = Disable the single sign-on function.
    • 1 = Enable the single sign-on function.
    The default value is 0.
SWALLOWENROLL
    • 0 = Disable the fingerprint enrollment for non-administrator users.
    • 1 = Enable the fingerprint enrollment for non-administrator users.
    The default value is 1.
SWALLOWDELETE
    • 0 = Disable the fingerprint deletion for non-administrator users.
    • 1 = Enable the fingerprint deletion for non-administrator users.
    The default value is 1.
SWALLOWIMEXPORT
    • 0 = Disable the fingerprint import/export for non-administrator users.
    • 1 = Enable the fingerprint import/export for non-administrator users.
    The default value is 1.
SWALLOWSELECT
    • 0 = Disable the selection of using fingerprint to replace power-on password for non-administrator users.
    • 1 = Enable the selection of using fingerprint to replace power-on password for non-administrator users.
    The default value is 1.
SWALLOWPWRECOVERY
    • 0 = Disable the Windows password recovery.
    • 1 = Enable the Windows password recovery.
    The default value is 1.
SWANTIHAMMER
    • 0 = Disable the anti-hammering protection.
    • 1 = Enable the anti-hammering protection.
    The default value is 1.
SWANTIHAMMERRETRIES
    Specifies the maximum retries. The default value is 5.
    Note: This setting works only when SWANTIHAMMER is enabled.
SWANTIHAMMERTIMEOUT
    Specifies the timeout duration in seconds. The default value is 120.
    Note: This setting works only when SWANTIHAMMER is enabled.
SWAUTHTIMEOUT
    • 0 = Disable the authentication timeout.
    • 1 = Enable the authentication timeout.
    The default value is 1.
SWAUTHTIMEOUTVALUE
    Specifies the period of inactivity before authentication timeout in seconds. The default value is 120.
    Note: This setting works only when SWAUTHTIMEOUT is enabled.
SWNONADMIFPLOGONONLY
    • 0 = Disable the fingerprint-only logon for non-Administrator users.
    • 1 = Enable the fingerprint-only logon for non-Administrator users.
    The default value is 1.
SWSHOWPOWERON
    • 0 = Do not show the power-on security options.
    • 1 = Always show the power-on security options.
    The default value is 0.
CSS
    • 0 = Assume that Client Security Solution has not been installed.
    • 1 = Assume that Client Security Solution has been installed.
    The default value is 0.
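Table 6 and Table 7 express the same lockout and inactivity settings under different property names and in different units (milliseconds for ThinkVantage Fingerprint Software, seconds for Lenovo Fingerprint Software). The following is an added example, not code from Lenovo or from this guide, that renders one policy as the property set and silent-install command line for each product and flags likely unit mix-ups; the Policy class and the function names are assumptions made for the example.

```python
"""One lockout/timeout policy rendered as installer properties for both
products. Property names, defaults and units are taken from Table 6 and
Table 7; Policy and the function names are assumptions of this example."""
from dataclasses import dataclass

TV_MAX_MS = 360000  # Table 6: LOCKOUTTIME and GUITMTIME accept values up to 360000


@dataclass(frozen=True)
class Policy:
    # Defaults mirror the defaults documented in both tables.
    anti_hammering: bool = True
    max_retries: int = 5
    lockout_seconds: int = 120
    auth_timeout: bool = True
    auth_timeout_seconds: int = 120
    nonadmin_enroll: bool = True
    nonadmin_delete: bool = True
    nonadmin_import_export: bool = True
    password_recovery: bool = True
    nonadmin_fingerprint_only_logon: bool = True


def _check(p, max_seconds=None):
    if p.max_retries < 1:
        raise ValueError("max_retries must be at least 1")
    for field in ("lockout_seconds", "auth_timeout_seconds"):
        secs = getattr(p, field)
        if secs < 1:
            raise ValueError(f"{field} must be at least 1 second")
        if max_seconds is not None and secs > max_seconds:
            raise ValueError(f"{field}={secs} exceeds the {max_seconds} s limit")


def thinkvantage_properties(p):
    """Table 6 names. Both durations are written in milliseconds."""
    _check(p, max_seconds=TV_MAX_MS // 1000)
    return {
        "LOCKOUT": int(p.anti_hammering),
        "LOCKOUTCOUNT": p.max_retries,
        "LOCKOUTTIME": p.lockout_seconds * 1000,
        "GUITMENABLE": int(p.auth_timeout),
        "GUITMTIME": p.auth_timeout_seconds * 1000,
        "ENROLLSELF": int(p.nonadmin_enroll),
        "DELETESELF": int(p.nonadmin_delete),
        "IMPORTSELF": int(p.nonadmin_import_export),
        "REVEALPWD": int(p.password_recovery),
        "PWDLOGON": int(p.nonadmin_fingerprint_only_logon),
    }


def lenovo_properties(p):
    """Table 7 names. Both durations are written in seconds."""
    _check(p)  # Table 7 states no upper limit, so none is enforced here
    return {
        "SWANTIHAMMER": int(p.anti_hammering),
        "SWANTIHAMMERRETRIES": p.max_retries,
        "SWANTIHAMMERTIMEOUT": p.lockout_seconds,
        "SWAUTHTIMEOUT": int(p.auth_timeout),
        "SWAUTHTIMEOUTVALUE": p.auth_timeout_seconds,
        "SWALLOWENROLL": int(p.nonadmin_enroll),
        "SWALLOWDELETE": int(p.nonadmin_delete),
        "SWALLOWIMEXPORT": int(p.nonadmin_import_export),
        "SWALLOWPWRECOVERY": int(p.password_recovery),
        "SWNONADMIFPLOGONONLY": int(p.nonadmin_fingerprint_only_logon),
    }


def thinkvantage_command(p):
    props = " ".join(f"{k}={v}" for k, v in thinkvantage_properties(p).items())
    return f"setup.exe {props} /q /i"


def lenovo_command(p):
    props = " ".join(f"{k}={v}" for k, v in lenovo_properties(p).items())
    # /v and its quoted argument are written with no space between them.
    return f'setup32.exe /s /v"/qn REBOOT="R" {props}"'


def unit_warnings(product, props):
    """Heuristic review of an existing property set for unit mix-ups."""
    warnings = []
    if product == "thinkvantage":
        for name in ("LOCKOUTTIME", "GUITMTIME"):
            if name in props:
                value = int(props[name])
                if value < 1000:
                    warnings.append(f"{name}={value} is under one second; Table 6 expects milliseconds")
                elif value > TV_MAX_MS:
                    warnings.append(f"{name}={value} is above the documented maximum of {TV_MAX_MS}")
    elif product == "lenovo":
        for name in ("SWANTIHAMMERTIMEOUT", "SWAUTHTIMEOUTVALUE"):
            if name in props and int(props[name]) >= 1000:
                warnings.append(f"{name}={props[name]} looks like milliseconds; Table 7 expects seconds")
    else:
        raise ValueError(f"unknown product: {product}")
    return warnings
```

The thresholds in unit_warnings are a heuristic chosen for this example, not limits stated in the guide.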

Chapter 3. Working with Fingerprint Software

This chapter provides the information you will need to configure Fingerprint Software. Within this chapter, you may find the following topics:
“Management console tool” on page 15
“Secure mode and convenient mode” on page 17
ThinkVantage Fingerprint Software and Lenovo Fingerprint Software go with two different kinds of fingerprint readers. ThinkVantage Fingerprint Software 5.8.5.XXXX or 5.9.3.XXXX goes with the Upek fingerprint reader; Lenovo Fingerprint Software 3.3.2.XXXX goes with the Authentic fingerprint reader. You can check the fingerprint reader type in the Biometric section of Device Manager.
• For the detailed information about ThinkVantage Fingerprint Software, go to Chapter 4 “Working with ThinkVantage Fingerprint Software” on page 21.
• For the detailed information about Lenovo Fingerprint Software, go to Chapter 5 “Working with Lenovo Fingerprint Software” on page 27.

Management console tool

The management console tool is for the administrator to configure Fingerprint Software through command lines. This section provides information about user-specific commands and global setting commands.
Note: The Management console tool does not come with the installation package of Fingerprint Software. For any detailed information about the management console tool, contact Lenovo Support.

User-specific commands

To enroll or edit users, the USER section is used. When the current user does not have administrator rights, the console behavior depends on the security mode of the Fingerprint Software. Secure mode: no commands are allowed. Convenient mode: ADD, EDIT and DELETE commands are possible for standard user. However, the user can modify only his own passport (enrolled with his user name). The following is the syntax:
FPRCONSOLE USER command
where command is one of the following commands: ADD, EDIT, DELETE, LIST, IMPORT, EXPORT.
Table 8. User-specific commands
Command: Syntax: Description
Enroll new user
    Syntax: ADD [username [| domain\username]]
    Description: If the user name is not specified, then the current user name is used.
    Example:
    fprconsole user add domain0\testuser
    fprconsole user add testuser
Edit enrolled user
    Syntax: EDIT [username [| domain\username]]
    Description: If the user name is not specified, then the current user name is used.
    Note: The enrolled user must verify his fingerprint first.
    Example:
    fprconsole user edit domain0\testuser
    fprconsole user edit testuser
Delete a user
    Syntax: DELETE [username [| domain\username | /ALL]]
    Description: The /ALL flag will delete all users enrolled on this computer. If the user name is not specified then the current user name is used.
    Example:
    fprconsole user delete domain0\testuser
    fprconsole user delete testuser
    fprconsole user delete /ALL
Enumerate enrolled users
    Syntax: List
    Description: Lists the enrolled users.
Export enrolled user to a file
    Syntax: EXPORT username [| domain\username] file
    Description: This command will export an enrolled user to a file on the hard disk drive. The user then can be imported using the IMPORT command on other computer or on the same computer, if the user is deleted.
Import enrolled user
    Syntax: IMPORT file
    Description: The command will import the user from the specified file.
    Note: If the user in the file is already enrolled on the same computer using the same fingerprints then it is not guaranteed which user will have a precedence in the identification operation.

Global settings commands

The global settings of the Fingerprint Software can be changed by the SETTINGS section. All the commands in this section need administrator rights. The syntax is:
FPRCONSOLE SETTINGS command
where command is one of the following commands: SECUREMODE, LOGON, CAD, TBX, SSO.
Table 9. Global settings commands
Command: Syntax: Description
Security mode
    Syntax: SECUREMODE 0|1
    Description: This setting switches between Convenient and Secure mode of the Fingerprint Software.
    Example:
    To set to convenient mode: fprconsole settings securemode 0
Logon type
    Syntax: LOGON 0|1 [/FUS]
    Description: This setting enables (1) or disables (0) the logon application. If the /FUS parameter is used the logon is enabled in Fast User Switching mode if the computer configuration allows this.
CTRL+ALT+DEL message
    Syntax: CAD 0|1
    Description: This setting enables (1) or disables (0) the Press Ctrl+Alt+Delete text in logon.
Power-on security
    Syntax: TBX 0|1
    Description: This setting globally turns off (0) power-on security support in the fingerprint software. When the power-on security support is turned off no power-on security wizards or pages are shown and it does not matter what are the BIOS settings.
Power-on security single sign-on
    Syntax: SSO 0|1
    Description: This setting enables (1) or disables (0) the usage of fingerprint used in BIOS in logon to automatically logon user when the user was verified in BIOS.
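The access rules stated for the USER and SETTINGS sections can be checked before a script hands a command line to the console. The following is an added example, not part of the Lenovo tool or of this guide, that parses an FPRCONSOLE command line and decides whether the caller may run it; the function names, the user-name comparison rule and the treatment of administrators as unrestricted are assumptions made for the example.

```python
"""Pre-flight check for FPRCONSOLE command lines, modelled on the rules in
this section. Function and type names are assumptions made for this example."""
from typing import NamedTuple, Optional

USER_COMMANDS = {"ADD", "EDIT", "DELETE", "LIST", "IMPORT", "EXPORT"}
SETTINGS_COMMANDS = {"SECUREMODE", "LOGON", "CAD", "TBX", "SSO"}
SELF_SERVICE = {"ADD", "EDIT", "DELETE"}  # open to standard users in convenient mode


class Parsed(NamedTuple):
    section: str
    command: str
    target: Optional[str]  # user name, "/ALL", or None for the current user


def parse(line):
    tokens = line.split()
    if len(tokens) < 3 or tokens[0].upper() not in ("FPRCONSOLE", "FPRCONSOLE.EXE"):
        raise ValueError("expected: FPRCONSOLE USER|SETTINGS command ...")
    section, command = tokens[1].upper(), tokens[2].upper()
    known = {"USER": USER_COMMANDS, "SETTINGS": SETTINGS_COMMANDS}.get(section)
    if known is None or command not in known:
        raise ValueError(f"unknown command: {section} {command}")
    target = tokens[3] if section == "USER" and len(tokens) > 3 else None
    return Parsed(section, command, target)


def _same_user(target, current_user):
    # Assumption of this example: names compare case-insensitively and a bare
    # name refers to the current user's own domain.
    t, c = target.lower(), current_user.lower()
    if "\\" in t and "\\" in c:
        return t == c
    return t.rsplit("\\", 1)[-1] == c.rsplit("\\", 1)[-1]


def allowed(line, current_user, is_admin, secure_mode):
    """Return (decision, reason) for running `line` as `current_user`."""
    p = parse(line)
    if is_admin:
        # The section states no console restriction for administrators.
        return True, "administrator"
    if p.section == "SETTINGS":
        return False, "SETTINGS commands need administrator rights"
    if secure_mode:
        return False, "secure mode: no commands are allowed for standard users"
    if p.command not in SELF_SERVICE:
        return False, f"{p.command} is not available to standard users"
    if p.target is None:
        return True, "acts on the current user's own passport"
    if p.target.upper() == "/ALL":
        return False, "/ALL touches other users' passports"
    if _same_user(p.target, current_user):
        return True, "acts on the current user's own passport"
    return False, "standard users can modify only their own passport"
```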

Secure mode and convenient mode

Fingerprint Software can be run in two security modes, a secure mode and a convenient mode. The secure mode is intended for situations when you want to achieve higher security. Special functions are reserved for administrators only. Only administrators can log on using password without additional authentication.
The convenient mode is intended for home computers where a high security level is not so important. All the users can perform all operations, including editing passports of other users and possibility to log on to the system using password (without fingerprint authentication).
An administrator is any member of local administrators group. After you set the secure mode, only the administrator can toggle it back to the convenient mode.

Secure mode - administrator

To enhance security, if the wrong user name or password is typed at logon, the secure mode displays the following message: “Only administrators can log on this computer with user name and password.”
Table 10. Options for administrators in the secure mode
Fingerprints: Description
Create a new passport: Administrators can create their own passport and they can also create the passport of a limited user.
Edit Passports: Administrators can edit only their own passport.
Delete Passport: Administrators can delete all limited user and other administrator passports. If other users are using power-on security, the administrator will have the option to remove user templates from power-on security at this time.
Power-on Security: Administrators can delete Limited user and administrator fingerprints used in power-on. Note: There must at least be one fingerprint present when power-on mode is enabled.
Settings: Description
Logon settings: Administrators can make changes to all logon settings.
Protected screen saver: Administrators can access.
Passport type: Administrators can access - only relevant with server.
Security mode: Administrators can toggle between secure and convenient modes.
Pro Servers: Administrators can access - only relevant with server.

Secure mode - limited user

During a Windows logon, a limited user must use a fingerprint to log on. If the limited user fingerprint reader is not working, an administrator will need to change the fingerprint software setting to convenient mode to enable user name and password access.
Table 11. Options for limited users in the secure mode
Setting: Description
Create a new passport: Limited user cannot access.
Edit Passports: Limited user can edit only their own passport.
Delete Passport: Limited user can delete only their own passport.
Power-on Security: Limited user cannot access.
Logon settings: Limited user cannot modify logon settings.
Protected screen saver: Limited user can access.
Passport type: Limited user cannot access.
Security mode: Limited user cannot modify security modes.
Pro Servers: Limited user can access - only relevant with server.

Convenient mode - administrator

During a Windows logon, administrators can log on using either their user name and password or their fingerprint.
Table 12. Options for administrators in the convenient mode
Settings: Description
Create a new passport: Administrators can create only their own passport.
Edit Passports: Administrators can edit only their own passport.
Delete Passport: Administrators can delete only their own passport.
Power-on Security: Administrators can delete Limited user and administrator fingerprints used in power-on. Note: There must be at least one fingerprint present when power-on mode is enabled.
Logon settings: Administrators can make changes to all logon settings.
Protected screen saver: Administrators can access.
Passport type: Administrators can access - only relevant with server.
Security mode: Administrators can toggle between secure and convenient modes.
Pro Servers: Administrators can access - only relevant with server.

Convenient mode - limited user

During a Windows logon, limited users can log on using either their user name and password or their fingerprint.
Table 13. Options for limited users in the convenient mode
Settings: Description
Create a new passport: Limited users can create only their own password.
Edit Passports: Limited users can edit only their own passport.
Delete Passport: Limited users can delete only their own passport.
Power-on Security: Limited users can delete only their own fingerprints.
Logon settings: Limited users cannot modify logon settings.
Protected screen saver: Limited users can access.
Passport type: Limited users cannot access - only relevant with server.
Security mode: Limited users cannot modify security modes.
Pro Servers: Limited users can access - only relevant with server.
Chapter3.WorkingwithFingerprintSoftware19
Page 28
20FingerprintSoftwareDeploymentGuide
Page 29

Chapter 4. Working with ThinkVantage Fingerprint Software

The fingerprint console must be run from the ThinkVantage Fingerprint Software installation folder. The basic syntax is FPRCONSOLE [USER | SETTINGS]. The USER or SETTINGS command specifies which mode of operation will be used. The full command is then "fprconsole user add TestUser". When the command is not known or not all parameters are specified, the short command list is shown together with the parameters.
ThinkVantage Fingerprint Software, installation instructions, management console, and all related documentation are available at: http://www-307.ibm.com/pc/support/site.wss/TVAN-EAPFPR.html

Using the RSA SecurID software token

ThinkVantage Fingerprint Software provisioned with the RSA SecurID software token provides a strong authentication approach without sacrificing end user's convenience. When integrated into computers and computer peripherals, a user's fingerprint can be used as an additional authentication factor to secure access to devices, networks, and web-based applications and portals protected by the RSA SecurID software token.

Provisioning the ThinkVantage Fingerprint Software for the RSA SecurID software token

The ThinkVantage Fingerprint Software can be provisioned via the standard RSA SecurID software token file-based provisioning method, and there is no additional configuration required to inter-operate with your existing RSA SecurID infrastructure.
Note: The RSA SecurID software token version 2.0 is not supported for use with the ThinkVantage Fingerprint Software. Only the RSA SecurID software token version 3.0 is supported.
To set up the ThinkVantage Fingerprint Software and import the RSA SecurID software token, do the following:
1. Download the ThinkVantage Fingerprint Software version 5.9.3.XXXX (for the Windows 7 operating system) or version 5.8.5.XXXX (for the Windows Vista® or Windows XP operating system) at: http://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-73583.
2. Make sure you set OTP=1 at the command line to enable the RSA SecurID support feature during the installation. For example, you can run the following command:
msiexec -i setup.msi /qn OTP=1
3. After the installation process completes, restart your computer and enroll your fingerprints.
4. Launch the ThinkVantage Fingerprint Software, and click Security Tokens to import the RSA SecurID software token.
5. Click Add, and in the Token name field type a name for the token you are importing.
6. Click Browse to select the token file.
Note: If the token file is password-protected, enter the password first; if the file is a multi-token file, you will be asked to select the token to be imported.
7. Click Import. If the RSA SecurID software token has been successfully imported, the RSA SecurID icon will be displayed in the Your Security Tokens section.

Generating an RSA SecurID token code

When the ThinkVantage Fingerprint Software has been provisioned with an RSA SecurID software token, you will be able to generate an RSA SecurID token code from a biometric reader embedded in the computer or keyboard.
To generate an RSA SecurID token code, do the following:
1. Click Start > ThinkVantage > Tokencodes Generator.
2. The Swipe finger window is displayed to ask you to swipe your fingerprint.
3. Swipe your fingerprint to authenticate your account.
4. Select the token you want to use from the drop-down list box. If you have just one token, the token code will be generated automatically.
Note: A window will be displayed indicating the valid duration of the generated token code. The token code is time-based and it expires after a certain period of time (typically one minute). If this is a pinless token, then the token code can be copied, pasted or entered directly into any application dialogs.
5. If this is a pinful token, select Use PIN, enter your PIN, and click OK. You can also select Remember the PIN to have your PIN entered automatically.
6. The Tokencode field will display the RSA SecurID token code that can be used for authenticating the systems and applications protected by the RSA SecurID software token. If you are prompted to enter the Next Token mode, select Next to generate another token code.

Authenticating the RSA SecurID-protected applications

The following example shows how to use the RSA SecurID token code generated by the ThinkVantage Fingerprint Software to authenticate the RSA SecurID-protected applications.
1. Launch a Web-based application that is protected by the RSA SecurID software token, and the RSA SecurID login window is displayed.
2. Click Start > ThinkVantage > Tokencodes Generator, and swipe your fingerprint to authenticate your account.
3. Select the RSA SecurID software token that protects the application. If this is a pinful token, select User PIN, and enter the PIN.
4. Click Copy to copy the automatically generated token code.
5. Enter the user name in the User ID field, and paste the token code you just copied in the Passcode field.
6. Click Log in to start the authentication process.

Using the ThinkVantage Fingerprint Software with RSA SecurID Ready VPN clients

The ThinkVantage Fingerprint Software can be used with a number of RSA SecurID Ready VPN clients that have the RSA SecurID software token to provide enhanced usability. In this case, you are only required to enter the PIN for the RSA SecurID software token, and swipe your fingerprint to authorize the release of a token code to the VPN client. Then the VPN client can be successfully connected.
Before enabling the RSA SecurID Ready VPN clients, you need to install and configure the Checkpoint SecuRemote program as follows:
1. Download the Checkpoint SecuRemote program at: https://supportcenter.checkpoint.com/supportcenter/portal/user/anon/page/default.psml/media-type/html?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=10625, and install the program when the download process completes.
2. During the program installation process, select Install VPN-1 SecuRemote in the Desktop Security window.
3. Follow the instructions on the screen and restart the computer.
4. Right-click the SecuRemote icon in the Windows notification area, and select Connect. A message is displayed to remind you to create a new site. Click Yes.
5. The Site Wizard is displayed. Enter the server address or name in the Server Address or Name field, and click Next.
6. Select SecurID as the authentication method, and click Next.
7. Select Use SecurID Software token, and click Next.
8. Enter the user name and PIN associated with your RSA SecurID software token.
9. Select Standard, and click Next.
10. Follow the instructions on the screen to successfully configure the Checkpoint SecuRemote program.

Considerations for using the external fingerprint reader with the RSA SecurID software token

For security reasons, the imported RSA SecurID software token is always bound with a fingerprint reader. The following two scenarios exist:
• When you import the RSA SecurID software token, and only the internal fingerprint reader is present, then the imported token is always bound with the internal fingerprint reader.
• When you import the RSA SecurID software token, and both the internal and external fingerprint readers are present, then the imported token is bound with the fingerprint reader that is set as the preferred device in the BIOS.
In this case, when you want to access the RSA SecurID software token to generate a token code, you must connect the fingerprint reader with which the token is bound to the computer. If two fingerprint readers are present, you must set the fingerprint device with which the token is bound as the preferred device in the BIOS. Otherwise, you will fail to generate a token code.
For ThinkVantage Fingerprint Software 5.9.3.XXXX, if you connect the fingerprint device with which the imported RSA SecurID software token is bound to the computer, and the priority of the fingerprint device is set accordingly in the BIOS, then you can swipe your fingerprint on either the internal or external fingerprint reader to verify and generate a token code. However, for ThinkVantage Fingerprint Software 5.8.5.XXXX, you can swipe your fingerprint to verify and generate a token code only on the fingerprint reader that is set as the preferred device in the BIOS.

Using ThinkVantage Fingerprint Software with Novell Netware Client

To prevent conflicts, Fingerprint Software and Novell Netware Client user names and passwords must match. If you have Fingerprint Software installed on your computer and then install the Novell Netware Client, some items in the registry might be overwritten. If you encounter problems with Fingerprint Software logon, go to the logon settings screen and re-enable the Logon Protector.
If you have the Novell Netware Client installed on your computer but have not logged on to the client before installing Fingerprint Software, the Novell Logon screen will display. Provide the information requested by the screen.
Note: The information in this section is for ThinkVantage Fingerprint Software only.
To change Logon Protector Settings:
• Start the Control Center.
• Click Settings.
• Click Logon settings.
• Enable or disable Logon Protector. If you want to use fingerprint logon, check the Replace Windows logon with fingerprint-protected logon check box.
Note: Enabling and disabling Logon Protector requires a reboot.
• Enable or disable fast user switching, when supported by your system.
• (Optional feature) Enable or disable automatic logon for a user authenticated by power-on boot security.
• Set Novell logon settings. The following settings are available when logging on to a Novell network:
– Activated: Fingerprint Software automatically provides known credentials. If the Novell logon fails, the Novell Client logon screen is displayed along with a prompt to enter the correct data.
– Fingerprint Software displays the Novell Client logon screen and a prompt to enter the logon data.
– Disabled: Fingerprint Software does not attempt a Novell logon.

Authenticating

To pass Novell to Fingerprint Software, do the following:
1. Install Fingerprint Software.
2. Install the Novell Netware Client.
3. When prompted, click Yes to log on to the Novell Netware Client.
4. Restart the computer.
5. When prompted, click Yes to log on to Fingerprint Software.
6. Start the Novell Netware Client.
7. Authenticate to the server.
8. Log on to the Windows operating system.
9. Restart the computer.
Note: Your authentication ID and password for the Windows operating system and Novell Netware Client must be identical.
Congurablesettings
SomefeaturesofThinkVantageFingerprintSoftwarecanbeconguredthroughthefollowingregistry settings.
Prebootorpower-onsoftwareinterface:Themechanismforenablingngerprintprebootorpower-on supportandstoringngerprintsonthecompanionchipisnotnormallydisplayedinthengerprint softwareunlessthereareBIOSorharddrivepasswordssetonthesystem.Inordertooverridethis behaviorandforcetheseoptionstobeshownwithouttheexistenceofBIOSorharddrivepasswords, addoneofthefollowing,thatapplytoyourcomputermachinetype,totheregistry:
[HKEY_LOCAL_MACHINE\SOFTWARE\ProtectorSuiteQL\1.0]
REG_DWORD"BiosFeatures"=2
or,
[HKEY_LOCAL_MACHINE\SOFTWARE\ProtectorSuiteQL\1.0]
REG_DWORD"BiosFeatures"=4
24FingerprintSoftwareDeploymentGuide
Page 33
ThissettingisusefulwhenSafeGuardEasyisinstalledonasystemwithoutBIOSpasswordsandis utilizingngerprintauthenticationtodecrypttheharddrive.
Sounds:FingerprintSoftwarecanbeconguredtoplayasoundcontainedinaWAVleundervarious circumstanceduringthengerprintauthenticationprocess.Theregistrysettingsforthesesoundsare asfollows:
HKEY_LOCAL_MACHINE\SOFTWARE\ProtectorSuiteQL\1.0\settings]
'Success' REG_SZ"sndSuccess"=[pathtosoundle]
Theledesignatedwillplaywheneverasuccessfulswipeisregistered.
'Failure' REG_SZ"sndFailure"=[pathtosoundle]
Theledesignatedwillplaywheneveranunsuccessfulswipeisattempted.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\ngerprint
'Scan' REG_SZ"sndScan"=[pathtosoundle]
TheledesignatedwillplaywheneverthengerprintvericationdialogisdisplayedforClientSecurity Solution-relatedoperations.Ifthevalueisnotpresentorisemptythennosoundisplayed.
'Quality' REG_SZ"sndQuality"=[pathtosoundle]
Theledesignatedwillplaywheneveranunreadableswipehasoccurred.Ifthevalueisnotpresent orisemptythennosoundisplayed.
Passwordvalidationduringsystemunlock:Bydefault,thengerprintsoftwarevalidatesstored passwordduringsystemunlock.Thevalidationrequirescontactingthedomaincontrollerandmight causedelay.T oavoidthedelay,disablethepasswordvalidationduringsystemunlockandbyediting theregistryasfollows:
[HKEY_LOCAL_MACHINE\SOFTWARE\ProtectorSuiteQL\1.0\settings]
REG_DWORD"DoNotT estUnlock"=1
Thengerprintsoftwarewillcontinuetovalidatethepasswordatsystemlogon.
Note:Whentheaboveregistrykeyissetto1,ifthedomainadministratorchangestheuser'swhenthe user'ssystemislocked,thengerprintsoftwarewillhavetheoldpasswordstoreduntiltheuserlogs offandlogsonagain.
Unlocking the computer with fingerprint: By default, ThinkVantage Fingerprint Software is configured to authenticate the Windows logon account, and to unlock the computer. To disable its feature of authenticating the Windows logon account, edit the registry as follows:
[HKEY_LOCAL_MACHINE\SOFTWARE\ProtectorSuiteQL\1.0\settings\Provider]
[HKEY_LOCAL_MACHINE\SOFTWARE\ProtectorSuiteQL\1.0\settings\Provider\ProviderFilters]
"{18CBEEAA-6708-41A1-9379-D08915333CF2}"=dword:0000000d
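The registry settings listed under Configurable settings change how the software authenticates, so it helps to be able to read them back from a deployed client. The following PowerShell is an added example, not part of the Lenovo guide or its tooling; the function names and the Info/Warn/Review levels are assumptions of this example, while the key paths and value names are the ones given in this section.

```powershell
# Added example, not Lenovo code: read-only audit of the registry values this
# guide documents for ThinkVantage Fingerprint Software. Only the key paths
# given in the guide are checked. Function names and levels are hypothetical.

$Suite    = 'HKLM:\SOFTWARE\ProtectorSuiteQL\1.0'
$Settings = "$Suite\settings"
$Filters  = "$Settings\Provider\ProviderFilters"
$Policy   = 'HKLM:\SOFTWARE\Policies\fingerprint'
$LogonFilterName = '{18CBEEAA-6708-41A1-9379-D08915333CF2}'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when either the key or the value is absent.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    return (Get-Item -LiteralPath $Path).GetValue($Name)
}

function New-Finding {
    param([string]$Setting, $Value, [string]$Level, [string]$Note)
    New-Object PSObject -Property @{
        Setting = $Setting; Value = $Value; Level = $Level; Note = $Note
    }
}

function Get-FingerprintRegistryAudit {
    $findings = @()

    # BiosFeatures: the guide documents 2 or 4, depending on machine type.
    $bios = Get-RegValue $Suite 'BiosFeatures'
    if ($null -ne $bios) {
        if (@(2, 4) -contains $bios) { $level = 'Info' } else { $level = 'Review' }
        $note = 'Power-on options are shown even without BIOS or hard drive passwords.'
        $findings += New-Finding 'BiosFeatures' $bios $level $note
    }

    # DoNotTestUnlock=1 skips the domain controller check at unlock.
    $noTest = Get-RegValue $Settings 'DoNotTestUnlock'
    if ($noTest -eq 1) {
        $note = 'Stored password is not validated at unlock; after a domain password ' +
                'change on a locked system the old one is kept until logoff and logon.'
        $findings += New-Finding 'DoNotTestUnlock' $noTest 'Warn' $note
    }

    # Provider filter value 0xd: Windows logon account authentication is off.
    $filter = Get-RegValue $Filters $LogonFilterName
    if ($filter -eq 0xd) {
        $note = 'Fingerprint authentication of the Windows logon account is disabled.'
        $findings += New-Finding 'ProviderFilters' $filter 'Info' $note
    }

    # Sound settings: flag configured paths that do not point at a file.
    $sounds = @(
        @($Settings, 'sndSuccess'), @($Settings, 'sndFailure'),
        @($Policy, 'sndScan'), @($Policy, 'sndQuality')
    )
    foreach ($s in $sounds) {
        $wav = Get-RegValue $s[0] $s[1]
        if ([string]::IsNullOrEmpty($wav)) { continue }
        if (-not (Test-Path -LiteralPath $wav -PathType Leaf)) {
            $note = 'Configured sound file does not exist.'
            $findings += New-Finding $s[1] $wav 'Review' $note
        }
    }

    $findings
}

Get-FingerprintRegistryAudit |
    Select-Object Setting, Level, Value, Note |
    Format-List
```

The script only reads values; an empty result means none of the documented overrides are set on that machine.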

ThinkVantage Fingerprint Software service

The upeksvr.exe service is added to the system after the ThinkVantage fingerprint software is installed. It starts running at startup, and then runs all the time the user is logged on. The upeksvr.exe service is the core of the ThinkVantage Fingerprint Software and runs all the operations with the device and user's data. It also shows all the biometric verification GUI and provides secure access to the user's data.

Chapter 5. Working with Lenovo Fingerprint Software

The fingerprint console must be run from the Lenovo Fingerprint Software installation folder. The basic syntax is FPRCONSOLE [USER | SETTINGS]. The USER or SETTINGS command specifies what set of operation will be used. The full command is "fprconsole user add TestUser". When the command is not known or not all parameters are specified, the short command list is shown together with the parameters.
The Lenovo Fingerprint Software, installation instructions, management console and all related documentation are available on the Lenovo Web site at: http://www.lenovo.com/support

Active Directory support for Lenovo Fingerprint Software

The following table shows the policy settings for the Lenovo Fingerprint Software.

Table 14. Policy settings
Setting: Description
Enable/disable fingerprint logon: Specifies the use of fingerprints instead of Windows passwords to log in to the computer. If you enable this setting, there are two more options you can enable or disable:
• Disable CTRL+ALT+DEL dialog for logon interface: If you select this option, the message directing the user to press CTRL+ALT+DEL to log in is turned off. (Only available in Windows XP)
• Require non-administrator user logon with fingerprint authentication: If you select this option, users who are not administrators will only be able to log in using fingerprints.
Allow user to retrieve password through fingerprint authentication: If you enable this setting, users are able to view the Windows password for their account in the Lenovo Fingerprint Software after fingerprint authentication.
Always show power-on security options: If you enable this setting, users will be able to select using the Fingerprint Reader instead of power-on and hard disk drive passwords when the computer is turned on. In the Lenovo Fingerprint Software enrollment window, power-on fingerprint authentication can be enabled or disabled for each enrolled finger.
Use fingerprint authentication instead of power-on and HD passwords: If you enable this setting, the fingerprint authentication will be used instead of passwords for power-on and the hard drive.
Set number of failed attempts before lockout: Sets the number of failed attempts to log on allowed before the user is locked out, and also the duration (in seconds) the user is locked out.
Set inactive timeout: Sets the duration of system inactivity (in seconds) allowed before the user logs off.
Allow users to enroll fingerprints: If you enable this setting, the non-administrator users are able to enroll fingerprints using the Lenovo Fingerprint Software.
Allow users to delete fingerprints: If you enable this setting, the non-administrator users are able to delete previously enrolled fingerprints using the Lenovo Fingerprint Software.
Allow users to import/export fingerprints: If you enable this setting, the non-administrator users are able to import and export previously enrolled fingerprints using the Lenovo Fingerprint Software.
Show/Hide elements in setting tab of fingerprint software: If you enable this setting, the IT administrators are able to control fingerprint software setting GUI.

Considerations for using Lenovo Fingerprint Software

This section provides information about special considerations for working with Lenovo Fingerprint Software.

Deploying the ghost image with Lenovo Fingerprint Software

Fingerprint data is stored in the Lenovo Fingerprint Software reader, encrypted by AES128. When you create a ghost image for the Windows operating system, the fingerprint data stored in the sensor will not be migrated to the ghost image. To avoid this problem, use the export or import feature provided by Lenovo Fingerprint Software. For detailed information about the implementation of the import and export feature, refer to “Management console tool” on page 15.

Erasing fingerprint data

Once Lenovo Fingerprint Software is installed, the fingerprint data will be stored in the Lenovo Fingerprint Software reader. Each time you turn on the computer, the system will check whether the fingerprint data of Lenovo Fingerprint Software matches the data stored in the reader. When you migrate or restore the operating system installed with Lenovo Fingerprint Software to the target computer, Lenovo Fingerprint Software might not work correctly due to the mismatched data.
To fix this problem, you need to erase the fingerprint data stored in the sensor and re-install Lenovo Fingerprint Software.
To erase the fingerprint data, do the following:
1. Repeatedly press and release F1 during computer startup to enter the BIOS.
2. Select Security > Fingerprint > Erase Internal Fingerprint Data.
3. Click Yes. The fingerprint data is then erased from the fingerprint reader.

Lenovo Fingerprint Software service

Note: The Lenovo Fingerprint Software requires the terminal service on the system. If you turn off the terminal service, some unexpected results might occur in the Lenovo Fingerprint Software.
The following services are added to the system after the Lenovo Fingerprint Software is installed:
• ATService.exe (on by default): You must turn on the ATService.exe service to use the fingerprint system. This service manages requests from applications using the fingerprint sensor.
• Data Transfer Service (on by default): When Data Transfer Service or the ATService.exe service is abnormally terminated, Lenovo Fingerprint Software will not work as expected.
• ADMonitor.exe (off by default): You must turn on the ADMonitor.exe service to support Active Directory Administration. This service monitors the registry for changes propagated down from Active Directory and reflects the changes locally.

Appendix A. Considerations for the Lenovo Fingerprint Keyboard

The fingerprint device used in some ThinkPad® notebook models is different than the fingerprint device used in the Lenovo Fingerprint Keyboard. Special considerations might be required if the fingerprint keyboard is used on some ThinkPad notebook models.
For more information, go to the fingerprint software download page on the Lenovo Web site for a list of these ThinkPad notebook models.
Only the models listed for Lenovo Fingerprint Software require special consideration when used with the fingerprint keyboard. All other ThinkPad notebook models, which use ThinkVantage Fingerprint Software, use a fingerprint device that is compatible with the device included in the fingerprint keyboard, and do not require any special consideration.

Configuration and setup

Lenovo Fingerprint Software 2.0 or later must be installed for use with the fingerprint device used in the ThinkPad notebook. Users must enroll fingerprints with the Lenovo Fingerprint Software using the integrated fingerprint device.
ThinkVantage Fingerprint Software 5.8 or later must be installed for use with the Lenovo Fingerprint Keyboard. Users must also enroll fingerprints with the ThinkVantage Fingerprint Software using the fingerprint keyboard.
Note: Fingerprints registered with one device are not interchangeable with the other device.

Pre-desktop authentication

Either the built-in fingerprint device or the fingerprint keyboard will be used for pre-desktop authentication (replacing the system power-on or hard drive password with a fingerprint). The BIOS will determine which device to use when the system is powered on.
By default, the BIOS will only accept swipes on the fingerprint keyboard, if it is connected. Swipes on the integrated fingerprint device will be ignored for pre-desktop authentication if a fingerprint keyboard is connected. If the fingerprint keyboard is not connected, the integrated fingerprint device will be used for pre-desktop authentication.
The BIOS setting for Reader Priority can be changed to use the built-in fingerprint sensor. If the Reader Priority setting is set to Internal only, then the integrated fingerprint sensor can be used for pre-desktop authentication. Swipes on the fingerprint keyboard will be ignored in this case.

Windows logon

Both the Lenovo fingerprint keyboard and the fingerprint device used with the ThinkPad notebook computer models provide their own interface for users to log in to Windows with an enrolled fingerprint.
Important: Compatibility problems in the process of Windows logon might occur if the fingerprint logon interfaces are not configured correctly.
When the ThinkPad notebook computer model is equipped with both the Lenovo fingerprint keyboard and the integrated fingerprint device, and installed with the Client Security Solution program, there are two approaches to log in to the Windows 7 operating system using fingerprint authentication:
• Using the Fingerprint Software logon interface: The logon interfaces of both Lenovo Fingerprint Software and ThinkVantage Fingerprint Software must be enabled. When both fingerprint logon interfaces are enabled in the Windows 7 operating system, users can swipe their finger on either the fingerprint keyboard or the integrated fingerprint device to log in.
• Using the Client Security Solution logon interface: The Client Security Solution logon interface can be used instead of the Fingerprint Software logon interfaces. When using the Client Security Solution logon interface to log in to the Windows operating system with fingerprint authentication, the Fingerprint Software logon is disabled from the Settings option in the respective Fingerprint Software workspace, and the Client Security Solution logon interface is configured in the Manage security policies option from the Client Security Solution Advanced menu.
Notes:
1. The BIOS Reader Priority setting does not apply in this situation. Either device can be used for logon if both devices are available.
2. Only Client Security Solution 8.3 or later supports this function. For more information, see “Authentication with Client Security Solution” on page 32.

Authentication with Client Security Solution

Note: The following information applies only to Client Security Solution 8.3 and later. Previous versions of Client Security Solution do not support the use of the integrated fingerprint device with the fingerprint keyboard.
When performing an action with Client Security Solution that requires fingerprint authentication, such as auto-filling a password into a Web site with Password Manager, users must swipe a finger on the fingerprint keyboard, if it is connected, when prompted. Swipes on the built-in fingerprint device will be ignored if the fingerprint keyboard is connected. If the fingerprint keyboard is not connected, the integrated fingerprint sensor must be used.
A registry setting is available to require users to use the built-in fingerprint sensor for authenticating with Client Security Solution. If this registry entry is set, fingerprint authentication with Client Security Solution must be done with the built-in sensor, and swipes from the fingerprint keyboard will be ignored.
The registry entry is as below:
[HKLM\Software\Lenovo\TVTCommon\ClientSecuritySolution]
REG_DWORD "PreferInternalFPSensor"=1
The default value of the above registry entry is 0, in which case fingerprint authentication with Client Security Solution must be done with the fingerprint keyboard, and swipes on the built-in fingerprint device will be ignored.
This setting may also be changed by using the Client Security Solution Administrative Template file with group policies for Active Directory.
Notes:
1. When the BIOS Reader Priority setting is set to Internal only, it is recommended to set the registry entry value to 1. This will enable authentication with Client Security Solution to simulate the setting for BIOS pre-desktop authentication.
2. The BIOS setting and this registry setting are independent.

Appendix B. Notices

Lenovo may not offer the products, services, or features discussed in this document in all countries. Consult your local Lenovo representative for information on the products and services currently available in your area. Any reference to a Lenovo product, program, or service is not intended to state or imply that only that Lenovo product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any Lenovo intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any other product, program, or service.
Lenovo may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
Lenovo (United States), Inc
Morrisville, NC 27560
USA
Attention: Lenovo Director of Licensing
LENOVO PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. Lenovo may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
The products described in this document are not intended for use in implantation or other life support applications where malfunction may result in injury or death to persons. The information contained in this document does not affect or change Lenovo product specifications or warranties. Nothing in this document shall operate as an express or implied license or indemnity under the intellectual property rights of Lenovo or third parties. All information contained in this document was obtained in specific environments and is presented as an illustration. The result obtained in other operating environments may vary.
Lenovo may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Any references in this publication to non-Lenovo Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this Lenovo product, and use of those Web sites is at your own risk.
Any performance data contained herein was determined in a controlled environment. Therefore, the result in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Trademarks

The following terms are trademarks of Lenovo in the United States, other countries, or both:
Lenovo
ThinkCentre
ThinkPad
ThinkVantage
Microsoft, Windows, and Windows Vista are the trademarks of the Microsoft group of companies.
Other company, product, or service names may be trademarks or service marks of others.