|Policy types and their fields of application|
|User may only boot from internal hard disk||
Note: This setting is only supported by endpoints with an earlier SafeGuard Enterprise version than 6.1 installed. It was used to enable recovery by allowing the user to start the endpoint from external media. As of version 6.1 this setting does not have any effect on endpoints. For the recovery scenario concerned, you can use recovery with Virtual Clients, see Challenge/Response using Virtual Clients.
Determines whether users may start the computer from the hard drive and/or another medium.
YES: Users can only boot from the hard disk. The SafeGuard POA does not offer the option to start the computer with a floppy disk or other external media.
NO: Users may start the computer from hard disk, floppy disk or external medium (USB, CD etc.).
|Logon mode||Determines how users need to authenticate themselves at the SafeGuard POA.
Note: Once this logon process has been selected, users can only log on using a previously issued token.
You can combine the settings User ID/Password and Token. To test whether logon using a token works, first select both settings. Only deselect the User ID/Password logon mode if authentication using the token was successful. To switch between logon modes, allow users to log on once while the two settings are combined; otherwise they might run into a logon deadlock. You must also combine the two settings if you want to allow Local Self Help for token logon.
|Display unsuccessful logons for this user||If this is set to Yes: After logon at the SafeGuard POA and Windows, a dialog is shown containing information on the last failed logon (user name/date/time).|
|Display last user logon||If this is set to Yes: After logon at the SafeGuard POA and Windows, a dialog is shown containing information on the
|Disable 'forced logoff' in workstation lock||
Note: This setting only takes effect on endpoints with Windows XP. Windows XP is no longer supported as of SafeGuard Enterprise 6.1. This policy setting is still available in the SafeGuard Management Center to support SafeGuard Enterprise 6 clients managed with a 7.0 Management Center.
If users wish to leave the endpoint for a short time only, they can click Block workstation to lock the computer for other users and unlock it with the user password.
No: The user who has locked the computer as well as an administrator can unlock it. If an administrator unlocks the computer, the currently logged on user is logged off automatically.
Yes: Changes this behavior. In this case, only the user can unlock the computer. The administrator cannot unlock it and the user will not be logged off automatically.
|Activate user/domain preselection||Yes: The SafeGuard POA saves the user name and domain of the last logged on user. Users therefore do not need to enter their user name every time they
No: The SafeGuard POA does not save the user name and the domain of the last logged on user.
|Service Account List||To prevent administrative operations on a SafeGuard Enterprise protected endpoint leading to an activation of the Power-on Authentication and the addition of rollout operators as users to the endpoint, SafeGuard Enterprise allows you to create service account lists for Windows logon at SafeGuard Enterprise endpoints. The users listed are treated as SafeGuard Enterprise guest users.
Before you select a list here you must first create the lists in the Policies navigation area under Service Account Lists.
|Pass through to Windows||
Note: For the user to be able to grant other users access to their computer, the user has to be permitted to deactivate logon passthrough to Windows.
|BitLocker Logon Mode for Boot Volumes||The following options are available:
|BitLocker Fallback Logon Mode for Boot Volumes||If the setting defined as BitLocker Logon Mode for Boot Volumes cannot be applied, SafeGuard Enterprise offers the following alternatives for logon:
|BitLocker Logon Mode for Non-Boot Volumes||For non-boot volumes (fixed data drives) the following options are available:
|BitLocker Fallback Logon Mode for Non-Boot Volumes||If the setting defined as BitLocker Logon Mode for Non-Boot Volumes cannot be applied, SafeGuard Enterprise offers the following alternatives:
|Maximum no. of failed logons||Determines how many times a user can attempt to log on using an invalid user name or password. For instance, after incorrectly entering a user name or password three times in a row, a fourth attempt will lock the computer.|
|Display "Logon failed" messages in POA||Defines the level of detail for messages on failed logons:
|Action if token logon status is lost||Defines behavior after removing the token from
Possible actions include:
|Allow unblocking of token||Determines whether the token may be unblocked at logon.|
|Lock screen after X minutes inactivity||Determines the time after which an unused desktop is automatically locked.
The default value is 0 minutes, and the desktop will not be locked if this value is not changed.
|Lock screen at token removal||Determines whether the screen is locked if a token is removed during a session.|
|Lock screen after resume||Determines whether the screen is locked if the computer is reactivated from standby mode.|