Service Account Lists for Windows logon

Note: Service accounts are only supported for Windows endpoints protected by SafeGuard Enterprise with SafeGuard Power-on Authentication.

In most implementations, a rollout team installs new computers in an environment and installs SafeGuard Enterprise on them as part of that work. For installation or verification reasons, rollout operators may log on to a computer before the end user receives it and is able to activate the SafeGuard Power-on Authentication (POA).

Thus, the scenario may be as follows:

  1. SafeGuard Enterprise is installed on an endpoint.

  2. After restarting the endpoint, the rollout operator logs on.

  3. The rollout operator is added to the SafeGuard POA and the POA becomes active. The rollout operator becomes the owner of the endpoint.

When the end user receives the endpoint, they cannot log on to the SafeGuard POA, because the POA is already active and only the rollout operator has been added to it. The user needs to perform a Challenge/Response procedure.

To prevent administrative operations on a SafeGuard Enterprise protected endpoint from activating the SafeGuard Power-on Authentication and from adding rollout operators to the endpoint as users and machine owners, SafeGuard Enterprise allows you to create service account lists for SafeGuard Enterprise protected endpoints. The users included in these lists are treated as SafeGuard Enterprise guest users.

With service accounts the scenario is as follows:

  1. SafeGuard Enterprise is installed on an endpoint.

  2. After restarting the endpoint, a rollout operator included on a service account list logs on (Windows logon).

  3. According to the service account list applied to the computer, the user is identified as a service account and is treated as a guest user.

The rollout operator is not added to the SafeGuard POA and the POA does not become active. The rollout operator does not become the owner of the endpoint. The end user can log on and activate the SafeGuard POA.

Note: Service account lists are assigned to endpoints in policies. They should be assigned in the first SafeGuard Enterprise configuration package you create for the configuration of endpoints.