User Machine Assignment in the SafeGuard Management Center

Users can be allocated to specific computers in the SafeGuard Management Center. If a user is assigned to a computer in the SafeGuard Management Center (or vice versa) this allocation is incorporated into the UMA. The user data (certificate, key, etc.) is replicated on this computer and the user can log on to this computer. When a user is removed from the UMA, all user data is automatically deleted from the SafeGuard POA. The user can no longer log on at the SafeGuard POA with their user name and password.

Note: In Users and Computers, to view the assignment of users and computers you need at least Read only access rights for one of the objects (user or computer) involved. To define or change the assignment, you need Full access rights for both of the objects involved. The UMA display showing available users/machines is filtered according to your access rights. In the UMA grid display, which shows the users assigned to computers and vice versa, objects for which you do not have the required access rights are shown for your information, but the assignment cannot be modified.

When you assign a user to a computer, you can also specify who can allow other users to log on to this computer.

Under Type, the SafeGuard Management Center indicates how the user was added to the SafeGuard Enterprise Database. Adopted means that the user was added to the UMA on an endpoint rather than in the SafeGuard Management Center.

Note: If no one is assigned in the SafeGuard Management Center and no user is specified as the owner, the first user to log on after the installation of SafeGuard Enterprise on the computer is entered as the owner. This user can allow further users to log on to this computer, see Register further SafeGuard Enterprise users. If users are assigned to this computer in the SafeGuard Management Center at a later date, they can log on at the SafeGuard Power-on Authentication. Nevertheless, such users must be full users (with existing certificate and key). The owner of the computer does not need to assign access entitlements in this case.

The following settings are used to specify who is allowed to add users to the UMA:

Example:

The following example shows how you can assign logon entitlements in the SafeGuard Management Center to just three users (User_a, User_b, User_c) for Computer_ABC.

First: Specify the behavior you require in the SafeGuard Management Center. SafeGuard Enterprise is installed on all endpoints during the night. In the morning, the users should be able to log on to the computer with their credentials.

  1. In the SafeGuard Management Center, assign User_a, User_b and User_c to Computer_ABC (Users and Computers -> Select Computer_ABC -> Assign user by drag-and-drop). By doing this, you have specified a UMA.

  2. In a policy of the type Specific Machine Settings, set Allow registration of new SGN users for to Nobody. Since User_a, User_b and User_c are not allowed to add new users, it is not necessary to specify a user as an owner.

  3. Assign the policy to the computer and/or to a point within the directory structure at which it will be active for the computer.

When the first user logs on to Computer_ABC, an autologon is performed at the SafeGuard POA. The computer policies are sent to the endpoint. Since User_a is included in the UMA, User_a becomes a full user when logging on to Windows: the user's policies, certificates and keys are sent to the endpoint, and the SafeGuard POA is activated.

Note: The user can check the status message in the SafeGuard System Tray Icon (balloon tool tip) when this process has completed.

User_a is now a full user in terms of SafeGuard Enterprise and after the first logon can authenticate at the SafeGuard POA and is automatically logged on.

User_a now leaves the computer and User_b wants to log on. As the SafeGuard POA is activated, there is no more autologon.

User_b and User_c have two options for gaining access to this computer.

In both cases, the Windows logon dialog is displayed.

User_b can enter their Windows credentials. The user's policies, certificates and keys are sent to the endpoint. The user is activated in the SafeGuard POA. User_b is now a full user in terms of SafeGuard Enterprise and after the first logon can authenticate themselves at the SafeGuard POA and will be automatically logged on.

While the computer policy specifies that no one can import users to this computer, since these users are already in the UMA, User_b and User_c nevertheless gain "full" user status at the Windows logon and are activated in the SafeGuard POA.

No other users will be added to the UMA or will ever be able to authenticate themselves at the SafeGuard Power-on Authentication. Any users logging on to Windows who are not User_a, User_b or User_c are excluded from the UMA in this scenario and will never be active in the SafeGuard POA.

Users can always be added later on in the SafeGuard Management Center. However, their key ring will not be available after the first logon, as synchronization is only triggered by this first logon. After logging on again, the key ring will be available and the users can access their computers according to the applicable policies. If they have never successfully logged on to an endpoint, they can be added as described above.

Note: If the last valid user certificate is removed from the UMA by an SO or MSO, any user can pass the SafeGuard POA of the corresponding computer. The same applies if the domain of the endpoint changes. Then only Windows credentials are necessary to log on to the computer, to reactivate the SafeGuard POA and to be added as the new owner.
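The following model is an added illustration written for this page, not SafeGuard Enterprise code: it encodes the UMA and POA rules described above (autologon until the first full user is activated, UMA members activated at Windows logon regardless of the registration policy, non-members excluded when registration is set to Nobody, first user becoming owner when nobody is assigned, and the note that the POA passes anyone once the last valid user is removed) and replays the Computer_ABC scenario. The policy values Owner and Everybody, the class and method names, and User_x are assumptions made here for the model.

```python
"""Illustrative model of the UMA / POA logon rules on this page (not SafeGuard code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Registration(Enum):
    """Values of 'Allow registration of new SGN users for'. The page names only
    Nobody; OWNER and EVERYBODY are assumed here to round out the model."""
    NOBODY = "Nobody"
    OWNER = "Owner"
    EVERYBODY = "Everybody"


@dataclass
class Endpoint:
    name: str
    registration: Registration
    uma: set = field(default_factory=set)        # users assigned to this computer
    owner: Optional[str] = None
    poa_active: bool = False                     # POA performs autologon until activated
    activated: set = field(default_factory=set)  # full users whose data is in the POA

    def poa_logon(self, user: str) -> bool:
        """Can `user` pass the SafeGuard Power-on Authentication?"""
        if not self.poa_active:
            return True          # autologon: no full user has been activated yet
        if not self.activated:
            return True          # last valid user removed from the UMA: anyone passes
        return user in self.activated

    def windows_logon(self, user: str, owner_permits: bool = False) -> str:
        """Windows logon of `user`; returns 'activated' or 'excluded'."""
        if user not in self.uma:
            if not self.uma and self.owner is None:
                self.owner = user                  # first logon, nobody assigned: becomes owner
            elif self.registration is Registration.EVERYBODY:
                pass
            elif self.registration is Registration.OWNER and owner_permits:
                pass
            else:
                return "excluded"                  # not added to the UMA, never active in POA
            self.uma.add(user)
        # UMA member: policies, certificate and key are sent, user is activated in the POA
        self.activated.add(user)
        self.poa_active = True
        return "activated"

    def remove_from_uma(self, user: str) -> None:
        """SO/MSO removes the user: all user data is deleted from the POA."""
        self.uma.discard(user)
        self.activated.discard(user)


def run_page_scenario() -> dict:
    """Replay the Computer_ABC example; User_x is a constructed unassigned user."""
    ep = Endpoint("Computer_ABC", Registration.NOBODY,
                  uma={"User_a", "User_b", "User_c"})
    log = {}
    log["a_poa"] = ep.poa_logon("User_a")           # True: autologon before activation
    log["a_win"] = ep.windows_logon("User_a")       # 'activated', POA is now active
    log["b_poa_before"] = ep.poa_logon("User_b")    # False: no more autologon
    log["b_win"] = ep.windows_logon("User_b")       # 'activated' although policy is Nobody
    log["b_poa_after"] = ep.poa_logon("User_b")     # True
    log["x_win"] = ep.windows_logon("User_x")       # 'excluded': not in the UMA
    log["x_poa"] = ep.poa_logon("User_x")           # False
    ep.remove_from_uma("User_a")
    ep.remove_from_uma("User_b")                    # last activated user gone
    log["x_poa_after_removal"] = ep.poa_logon("User_x")  # True: POA passes anyone
    return log


if __name__ == "__main__":
    for step, outcome in run_page_scenario().items():
        print(f"{step}: {outcome}")
```

The last two lines of the scenario are the point a defender should watch: an endpoint whose activated users are all removed (or whose domain changes) silently falls back to Windows-only authentication until a new owner is registered, so removals of the final UMA entry deserve the same review as a policy change.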