|SafeGuard Full Disk Encryption / User Machine Assignment|
Users can be allocated to specific computers in the SafeGuard Management Center. If a user is assigned to a computer in the SafeGuard Management Center (or vice versa) this allocation is incorporated into the UMA. The user data (certificate, key, etc.) is replicated on this computer and the user can log on to this computer. When a user is removed from the UMA, all user data is automatically deleted from the SafeGuard POA. The user can no longer log on at the SafeGuard POA with their user name and password.
When you assign a user to a computer, you can also specify who can allow other users to log on to this computer.
Under Type the SafeGuard Management Center indicates how the user was added to the SafeGuard Enterprise Database. Adopted means that the user has been added to the UMA on an endpoint.
The following settings are used to specify who is allowed to add users to the UMA:
Can Become Owner: If this setting is selected, the user can be registered as the owner of a computer.
User is Owner: This setting means that this user is entered in the UMA as the owner. Only one user per computer can be entered in the UMA as the owner.
The Allow registration of new SGN users for policy setting in policies of the type Specific Machine Settings determines who is allowed to add further users to the UMA. The Enable registration of SGN Windows users setting in Specific Machine Settings policies determines whether SGN Windows users may be registered on the endpoint and added to the UMA.
Allow registration of new SGN users for
  Nobody: Even the user entered as the owner cannot add more users to the UMA. The option for an owner to add further users is deactivated.
  Owner (default setting)
Enable registration of SGN Windows users
  Yes: If you select Yes, SGN Windows users can be registered on the endpoint. An SGN Windows user is not added to the SafeGuard POA, but has a key ring for accessing encrypted files, just as an SGN user does. If you select this setting, all users that would otherwise have become SGN guest users will become SGN Windows users. The users are added to the UMA as soon as they have logged on to Windows. SGN Windows users can be removed from the UMA automatically on managed endpoints and manually on unmanaged endpoints. For further information, see Specific machine settings - basic settings.
The following example shows how you can assign logon entitlements in the SafeGuard Management Center to just three users (User_a, User_b, User_c) for Computer_ABC.
First, define the required behavior in the SafeGuard Management Center. SafeGuard Enterprise is installed on all endpoints during the night. In the morning, the users should be able to log on to the computer with their credentials.
In the SafeGuard Management Center, assign User_a, User_b and User_c to Computer_ABC. (Users and Computers -> Select computer_ABC -> Assign user by drag-and-drop). By doing this, you have specified a UMA.
In a policy of the type Specific Machine Settings, set Allow registration of new SGN users for to Nobody. Since User_a, User_b and User_c are not allowed to add new users, it is not necessary to specify a user as an owner.
Assign the policy to the computer and/or to a point within the directory structure at which it will be active for the computer.
When the first user logs on to Computer_ABC, an autologon is implemented for the SafeGuard POA. The computer policies are sent to the endpoint. Since User_a is included in the UMA, User_a becomes a full user when logging on to Windows. The user's policies, certificates and keys are sent to the endpoint. The SafeGuard POA is activated.
User_a is now a full user in terms of SafeGuard Enterprise and after the first logon can authenticate at the SafeGuard POA and is automatically logged on.
User_a now leaves the computer and User_b wants to log on. As the SafeGuard POA is activated, there is no more autologon.
User_b and User_c have two options for gaining access to this computer.
User_a deactivates the Pass through to Windows option in the SafeGuard POA logon dialog and logs on.
User_b uses Challenge/Response to log on at the SafeGuard POA.
In both cases, the Windows logon dialog is displayed.
User_b can enter their Windows credentials. The user's policies, certificates and keys are sent to the endpoint. The user is activated in the SafeGuard POA. User_b is now a full user in terms of SafeGuard Enterprise and after the first logon can authenticate themselves at the SafeGuard POA and will be automatically logged on.
Although the computer policy specifies that no one can import users to this computer, User_b and User_c are already in the UMA, so they nevertheless gain "full" user status at the Windows logon and are activated in the SafeGuard POA.
No other users will be added to the UMA or will ever be able to authenticate themselves at the SafeGuard Power-on Authentication. Any users logging on to Windows who are not User_a, User_b or User_c are excluded from the UMA in this scenario and will never be active in the SafeGuard POA.
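The following is an added illustrative model of the UMA rules described on this page (the settings above and the Computer_ABC walk-through); it is not Sophos code and does not reproduce the product's implementation. Assumptions not taken from the page: the `admitted_by` parameter, which stands in for whatever mechanism the owner uses to let a further user through to the Windows logon; the constructed users User_x, User_y, User_w and the constructed computer name Computer_DEF; and the outcome label "SGN guest user" for a user who is neither in the UMA nor allowed to be added (the page mentions guest users only in passing).

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set


class Registration(Enum):
    """Values of 'Allow registration of new SGN users for' named on this page."""
    NOBODY = "Nobody"
    OWNER = "Owner"  # the page states that Owner is the default setting


@dataclass
class MachinePolicy:
    """The two Specific Machine Settings options modelled in this example."""
    allow_registration_for: Registration = Registration.OWNER
    enable_sgn_windows_users: bool = False


@dataclass
class Endpoint:
    name: str
    policy: MachinePolicy
    uma: Set[str] = field(default_factory=set)        # users assigned in the Management Center
    owner: Optional[str] = None                       # at most one owner per computer
    adopted: Set[str] = field(default_factory=set)    # UMA entries of type 'Adopted'
    poa_users: Set[str] = field(default_factory=set)  # full SGN users, active at the POA
    sgn_windows_users: Set[str] = field(default_factory=set)

    def windows_logon(self, user: str, admitted_by: Optional[str] = None) -> str:
        """Model what happens when `user` logs on to Windows on this endpoint.

        `admitted_by` is a modelling assumption (not from the page): the UMA
        member who let the new user through to the Windows logon dialog.
        """
        if user in self.uma:
            # Already in the UMA: policies, certificate and keys are replicated and
            # the user becomes a full SGN user who is activated at the POA.
            self.poa_users.add(user)
            return "SGN user"

        owner_may_add = (
            self.policy.allow_registration_for is Registration.OWNER
            and admitted_by is not None
            and admitted_by == self.owner
        )
        if owner_may_add:
            # Added on the endpoint, so the Management Center shows type 'Adopted'.
            self.uma.add(user)
            self.adopted.add(user)
            self.poa_users.add(user)
            return "SGN user"

        if self.policy.enable_sgn_windows_users:
            # Key ring for encrypted files, but no entry at the POA.
            self.uma.add(user)
            self.adopted.add(user)
            self.sgn_windows_users.add(user)
            return "SGN Windows user"

        # Not in the UMA and nobody may add them: excluded from the POA (assumed label).
        return "SGN guest user"

    def remove_from_uma(self, user: str) -> None:
        """Removing a user from the UMA deletes their user data from the POA."""
        for members in (self.uma, self.adopted, self.poa_users, self.sgn_windows_users):
            members.discard(user)

    def can_authenticate_at_poa(self, user: str) -> bool:
        return user in self.poa_users


def run_computer_abc_scenario() -> Dict[str, str]:
    """The page's Computer_ABC walk-through, plus constructed User_x to show the exclusion."""
    ep = Endpoint(
        "Computer_ABC",
        MachinePolicy(allow_registration_for=Registration.NOBODY),
        uma={"User_a", "User_b", "User_c"},
    )
    outcome = {u: ep.windows_logon(u) for u in ("User_a", "User_b", "User_c", "User_x")}
    # Under 'Nobody' even a UMA member such as User_a cannot bring User_x into the UMA.
    outcome["User_x via User_a"] = ep.windows_logon("User_x", admitted_by="User_a")
    return outcome


def run_owner_scenario() -> Dict[str, str]:
    """Default setting 'Owner' on constructed Computer_DEF: only the owner can add users."""
    ep = Endpoint("Computer_DEF", MachinePolicy(), uma={"User_a"}, owner="User_a")
    ep.windows_logon("User_a")
    return {
        "User_x via User_a": ep.windows_logon("User_x", admitted_by="User_a"),  # owner adds
        "User_y via User_b": ep.windows_logon("User_y", admitted_by="User_b"),  # not the owner
        "adopted": ",".join(sorted(ep.adopted)),
    }


if __name__ == "__main__":
    print(run_computer_abc_scenario())
    print(run_owner_scenario())
```

The point to check against a real policy is the difference between the two settings: with Nobody, membership in the UMA is fixed entirely by the assignments made in the Management Center, whereas with Owner the UMA can grow on the endpoint (entries of type Adopted), so an audit of who can authenticate at the POA must then look at the endpoint's UMA rather than only at the Management Center assignments.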