Fingerprint Software Deployment Guide
Updated: September, 2010
Note: Before using this information and the product it supports, read the general information in Appendix B “Notices” on page 33.
First Edition (September 2010)
© Copyright Lenovo 2010.
LENOVO products, data, computer software, and services have been developed exclusively at private expense and are sold to governmental entities as commercial items as defined by 48 C.F.R. 2.101 with limited and restricted rights to use, reproduction and disclosure.
LIMITED AND RESTRICTED RIGHTS NOTICE: If products, data, computer software, or services are delivered pursuant to a General Services Administration “GSA” contract, use, reproduction, or disclosure is subject to restrictions set forth in Contract No. GS-35F-05925.
Contents
Preface
Chapter 1. Overview
Chapter 2. Installation
  Installation procedures and command-line parameters
  Using msiexec.exe
  Standard Windows Installer public properties
  Installation examples
  Installing ThinkVantage Fingerprint Software
    Silent installation
    Options
  Installing Lenovo Fingerprint Software
    Silent installation
    Options
Chapter 3. Working with Fingerprint Software
  Management console tool
    User-specific commands
    Global settings commands
  Secure mode and convenient mode
    Secure mode - administrator
    Secure mode - limited user
    Convenient mode - administrator
    Convenient mode - limited user
Chapter 4. Working with ThinkVantage Fingerprint Software
  Using the RSA SecurID software token
    Provisioning the ThinkVantage Fingerprint Software for the RSA SecurID software token
    Generating an RSA SecurID tokencode
    Authenticating the RSA SecurID-protected applications
    Using the ThinkVantage Fingerprint Software with RSA SecurID Ready VPN clients
    Considerations for using the external fingerprint reader with the RSA SecurID software token
  Using ThinkVantage Fingerprint Software with Novell Netware Client
    Authenticating
  Configurable settings
  ThinkVantage Fingerprint Software service
Chapter 5. Working with Lenovo Fingerprint Software
  Active Directory support for Lenovo Fingerprint Software
  Considerations for using Lenovo Fingerprint Software
    Deploying the ghost image with Lenovo Fingerprint Software
    Erasing fingerprint data
  Lenovo Fingerprint Software service
Appendix A. Considerations for the Lenovo Fingerprint Keyboard
  Configuration and setup
  Pre-desktop authentication
  Windows logon
  Authentication with Client Security Solution
Appendix B. Notices
  Trademarks
Information presented in this guide is to support Lenovo® computers installed with either the ThinkVantage® or Lenovo Fingerprint Software program.
Note: In this deployment guide, Fingerprint Software refers to both ThinkVantage Fingerprint Software and Lenovo Fingerprint Software.
The goal of Fingerprint Software is to help customers address corporate IT regulatory compliance, reduce the costs associated with managing passwords, and enhance computing security.
The Fingerprint Software Deployment Guide provides the information required for installing Fingerprint Software on one or more computers, and also provides instructions and scenarios on the administrative tools that can be customized to support IT and corporate policies.
This guide is intended for IT administrators, or those responsible for deploying Fingerprint Software to computers throughout their organizations. If you have suggestions or comments, communicate with your Lenovo authorized representative. This guide is updated periodically, and you can check the latest publication on the Lenovo Web site at http://www-307.ibm.com/pc/support/site.wss/TVAN-ADMIN.html.
For questions and information about using the various components in Fingerprint Software workspaces, refer to the online help system and user guides that come with Fingerprint Software.
The objective of biometric fingerprint technologies offered by Lenovo is to help customers address corporate IT regulatory compliance, reduce the costs associated with managing passwords, and enhance computing security. Fingerprint Software enables fingerprint authentication on individual computers and networks by working with the Lenovo fingerprint readers. It can be integrated with Client Security Solution 8.3 or Password Manager. For more information about the integration with the two programs, refer to the Client Security Solution 8.3 Deployment Guide. You can find out more about Lenovo fingerprint technologies and download Fingerprint Software from the Lenovo Web site at: http://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-73583.
Fingerprint Software offers these functions:
• Client software capabilities
  – Microsoft® Windows® password replacement: Replace your password with your fingerprint for easy, fast, and secure system access.
  – BIOS password (also known as power-on password) and hard disk drive password replacement: Replace passwords with your fingerprint to enhance logon security and convenience.
  – Pre-boot fingerprint authentication for SafeGuard Enterprise full-drive encryption: Use fingerprint authentication to decrypt your hard disk drive before starting the Windows operating system.
  – Single swipe to access the BIOS and the Windows operating system: Swipe your fingerprint at startup to gain access to the BIOS and the Windows operating system.
  – Single swipe to turn on the computer: Swipe your fingerprint to turn on the computer.
    Note: This feature depends on the hardware; therefore, it is supported on certain computer models.
  – Fingerprint Software sensor indicator: Indicates the working state of the sensor and whether the fingerprint swipe succeeded.
    Note: This feature depends on the hardware; therefore, it is supported on certain computer models.
  – Integration with Client Security Solution: Use with the Client Security Solution Password Manager and leverage the Trusted Platform Module. Users can swipe their finger to access Web sites and select applications.
• Administrator features
  – Security mode toggle: Allow an administrator to toggle between secure and convenient modes to modify access rights of limited users.
• Security capabilities
  – Software security: Protect user templates through strong encryption when stored on a system and when transferred from the reader to the software.
  – Hardware security: Provide a security reader with a co-processor that stores and protects fingerprint templates, BIOS passwords, and encryption keys.
This chapter contains instructions on installing Fingerprint Software.
The Microsoft Windows Installer provides several administrative functions through command-line parameters. The Windows Installer can perform an administrative installation of an application or product to a network for use by a workgroup or for customization. Command-line options that require a parameter must be specified with no space between the option and its parameter. For example:
setup.exe /s /v"/qn REBOOT="R"" is valid, while
setup.exe /s /v "/qn REBOOT="R"" is not.
Note: The default behavior of the installation when executed alone (running setup.exe without any parameters) is to prompt the user to reboot at the end of the installation. A reboot is required for the program to function properly. The reboot can be delayed through a command line parameter for a silent installation as documented in the preceding section and in the example section.
For the Fingerprint Software installation package, an administrative installation unpacks the installation source files to a specified location.
To run an administrative installation, run the setup package from the command line using the /a parameter:
setup.exe /a
An administrative installation presents a wizard that prompts the administrative user to specify the locations for unpacking the setup files. The default extract location is C:\. You can choose a new location that may include drives other than C:\ (for example, other local drives or mapped network drives). You can also create new directories during this step.
To run an administrative installation silently, you can set the public property TARGETDIR on the command line to specify the extract location:
setup.exe /s /v"/qn TARGETDIR=F:\TVTRR"
or
msiexec.exe /i "setup.msi" /qn TARGETDIR=F:\FPR
Note: If you are not using the latest version of Windows Installer, the setup.exe file will be configured to update the Windows Installer engine to the latest version. The update of the Windows Installer engine will prompt you to reboot the system even in an administrative extract installation. To prevent a reboot in this situation, you can use the REBOOT property of the Windows Installer. If the Windows Installer is the latest version, the setup.exe file will not attempt to update the Windows Installer engine.
Once an administrative installation has been completed, the administrative user can make customizations to the source files, such as adding settings to the registry.
The following parameters and descriptions are documented in the InstallShield developer help documentation. Parameters that do not apply to Basic MSI projects were removed.
Table 1. Parameters

Parameter: /a : administrative installation
Description: The /a switch causes setup.exe to perform an administrative installation. An administrative installation copies (and uncompresses) your data files to a directory specified by the user, but does not create shortcuts, register COM servers, or create an uninstallation log.

Parameter: /x : uninstalling mode
Description: The /x switch causes setup.exe to uninstall a previously installed product.

Parameter: /s : silent mode
Description: The command setup.exe /s suppresses the setup.exe initialization window for a Basic MSI installation program, but does not read a response file. Basic MSI projects do not create or use a response file for silent installations. To run a Basic MSI product silently, run the command line setup.exe /s /v/qn. (To specify the values of public properties for a silent Basic MSI installation, you can use a command such as setup.exe /s /v"/qn INSTALLDIR=D:\Destination".)

Parameter: /v : pass arguments to Msiexec
Description: The /v argument is used to pass command line switches and values of public properties through to Msiexec.

Parameter: /L : setup language
Description: Users can use the /L switch with the decimal language ID to specify the language used by a multi-language installation program. For example, the command to specify German is setup.exe /L1031.

Parameter: /w : wait
Description: For a Basic MSI project, the /w argument forces setup.exe to wait until the installation is complete before exiting. If you are using the /w option in a batch file, you may want to precede the entire setup.exe command line argument with start /WAIT. A properly formatted example of this usage is as follows:
start /WAIT setup.exe /w

To install from the unpacked source after making customizations, the user calls msiexec.exe from the command line, passing the name of the unpacked *.MSI file. msiexec.exe is the executable program of the Windows Installer used to interpret installation packages and install products on target systems.
msiexec /i "C:\WindowsFolder\Profiles\UserName\Personal\MySetups\project name\product configuration\release name\DiskImages\Disk1\product name.msi"
Note: Enter the preceding command as a single line with no spaces following the slashes.
The following table describes the available command line parameters that can be used with msiexec.exe and examples of how to use it.
Table 2. Command line parameters

Parameter: /I package or product code
Description: Use this format to install the product Othello:
msiexec /i "C:\WindowsFolder\Profiles\UserName\Personal\MySetups\Othello\Trial Version\Release\DiskImages\Disk1\Othello Beta.msi"
Product code refers to the Globally Unique Identifier (GUID) that is automatically generated in the product code property of your product's project view.

Parameter: /a package
Description: The /a option allows users with administrator privileges to install a product onto the network.

Parameter: /x package or product code
Description: The /x option uninstalls a product.

Parameter: /L [i|w|e|a|r|u|c|m|p|v|+] log file
Description: Building with the /L option specifies the path to the log file; these flags indicate which information to record in the log file:
• i logs status messages
• w logs non-fatal warning messages
• e logs any error messages
• a logs the commencement of action sequences
• r logs action-specific records
• u logs user requests
• c logs initial user interface parameters
• m logs out-of-memory messages
• p logs terminal settings
• v logs the verbose output setting
• + appends to an existing file
• * is a wildcard character that allows you to log all information (excluding the verbose output setting)

Parameter: /q [n|b|r|f]
Description: The /q option is used to set the user interface level in conjunction with the following flags:
• q or qn creates no user interface
• qb creates a basic user interface
The user interface settings below display a modal dialog box at the end of installation:
• qr displays a reduced user interface
• qf displays a full user interface
• qn+ displays no user interface
• qb+ displays a basic user interface

Parameter: /? or /h
Description: Either command displays Windows Installer copyright information.

Parameter: TRANSFORMS
Description: The TRANSFORMS command line parameter specifies any transforms that you would like applied to your base package.
msiexec /i "C:\WindowsFolder\Profiles\UserName\Personal\MySetups\Your Project Name\Trial Version\My Release-1\DiskImages\Disk1\ProductName.msi" TRANSFORMS="New Transform 1.mst"
You can separate multiple transforms with a semicolon. Do not use semicolons in the name of your transform, as the Windows Installer service will interpret those incorrectly.

Parameter: Properties
Description: All public properties can be set or modified from the command line. Public properties are distinguished from private properties and are all capital letters. For example, COMPANYNAME is a public property.
To set a property from the command line, use the following syntax:
PROPERTY=VALUE
If you wanted to change the value of COMPANYNAME, you would enter the following:
msiexec /i "C:\WindowsFolder\Profiles\UserName\Personal\MySetups\Your Project Name\Trial Version\My Release-1\DiskImages\Disk1\ProductName.msi" COMPANYNAME="InstallShield"
|