Resetting Groove Login Credentials for Managed Devices
A password or smart card login is associated with each Groove user account. In a managed environment, a password and smart card login private key created during domain creation by the server administrator enables the resetting of passwords or smart card logins. To allow resetting of any login credentials for users running Groove 3.0e or earlier, you must set a device security policy accordingly. Therefore, to service managed users running Groove 3.0e or earlier, data recovery requires Groove devices to be registered with a management domain.
However, versions 3.0f or later of the management server provide identity-based data recovery for managed users running Groove 3.0f or later; device management is not required in this case. See “Resetting Groove Login Credentials (for Groove 3.0f or later)” in the Managing Identity Policies section of this guide for information about setting up data recovery for managed identities with Groove 3.0f or later.
The following sections cover the administrative and client aspects of resetting a user password or smart card login:
• Administering Centralized Reset of Login Credentials
• Client Reset of User Login Credentials
Administering Centralized Reset of Login Credentials
To centrally control Groove user login credential reset, you configure the management server and Groove clients so that the necessary private key is available on the management server (or in a specified file from which you can upload it temporarily to the management server) when users need to reset their own passwords. When a domain member clicks the “Forgot your password?” link in the Groove Login window of Groove and notifies an administrator of this request, the administrator can use the management server’s Member Information page to grant the request.
Centrally managing the reset of Groove user passwords or smart card logins is an alternative to resetting login credentials locally on individual client devices, described in “Setting Up Data Recovery on Managed Devices”. While the centralized method is somewhat less secure than the data recovery method (because the management server holding the private key is typically in a DMZ with internet access), it is more convenient than restoring a password individually on a Groove client device.
Before you begin, be aware of the following requirements and considerations:
• If you use a management server version 3.0e or earlier, or you support users of Groove 3.0e or earlier, Groove login credential reset requires identities to be members of a management domain and devices to be registered with that domain, as described above in “Registering User Devices with the Management Server”.
• For users of Groove 3.0e or earlier, make sure to enable the device policy that enables password/smart card login reset, as described above in “Controlling Login Credential Reset and Data Recovery”.
• Verify that Groove users have accessed their managed account to activate the reset policy.
• Allowing reset of a forgotten Groove user password or smart card login involves the reset private key, generated during domain creation by the server administrator. Therefore, you need the password for the reset private key (and the private key file itself if it's not stored on the server), obtainable from your server administrator.
• If you want to review and customize the reset instructions that will be sent to users requesting the reset, do so from the Security Policies tab of any Device Policy template in the domain, as described below in “Customizing Reset Instructions for Managed Devices”.
• In a Role Based Access Control (RBAC) environment, you must have the role of Server, Domain, or Support Administrator to reset passwords or smart card logins.
To enable a managed user on a managed device to change a Groove password or smart card login, follow these steps:
1. When a domain member clicks the Reset Password or Smart Card Login button from Groove and notifies you of the request (by phone or other method), go to the management server administrative Web site and, in the navigation pane, click the domain group of which the user is a member. The Members tab appears with a list of group members. See “Client Reset of User Login Credentials” below for information about client actions.
2. From the Members tab, click the name of the member requesting the reset. The Member Information window appears.
3. From the Member Information window, click the Reset Password or Smartcard Login button (available when a member has clicked the Request Reset button from Groove). The Reset Password or Smart Card Login window appears that includes a Reset Access Code and a form for resetting the user password or smart card login.
If the reset private key (generated by the server administrator during domain creation) resides in a specified file (instead of on the management server), the Reset form includes a File location text box.
If the option to Remember private key login credentials has been enabled on the domain setup page and the private key is stored on the management server, a short form appears that does not involve using the reset private key.
4. If a File location text box appears, browse to the file location of the reset private key.
5. Confirm with the user that the Reset Access Code on the management server matches the Reset Access Code in Groove’s Request Reset window on the user’s device.
Note: Make sure to verify that the user who requested the password or smart card login reset is authorized to use the Groove account.
6. If the access code on the Reset Password page does not match the user's access code, press the Refresh Access Code button to check if a new access code is available. Note that refreshing the screen discards any unsaved changes to the user information or password reset form. Therefore, a pop-up message appears allowing you to click OK to proceed and refresh the screen, or Cancel to cancel the refresh.
7. Select the option, ‘I confirm I have verified the member’s identity and the password reset access code.’
8. Click OK. This action attempts to open the user’s secret key file using the private key password or smart card login that you entered. If the key is in a specified file, it is uploaded to the management server at this time. If the private key password or smart card login is valid, a Reset confirmation pop-up window appears. Otherwise, an error message window appears.
9. Click OK to accept the confirmation, or to accept the error and correct your entry.
The user’s screen automatically refreshes and displays a form that allows them to enter a new password or select new smart card login certificates. You can customize the text instructions in this form as described in “Customizing Reset Instructions for Managed Devices” below.
Client Reset of User Login Credentials
Managed users running Groove on managed devices in a domain are subject to administrative control over their password/smart card login reset capability. Once you set up the management environment to enable users to reset their Groove passwords, as described above in “Administering Centralized Reset of Login Credentials”, users must request permission to reset their password or smart card login (if they have forgotten it, for example).
Note: Users should be prepared to authenticate themselves out of band to the domain administrator when requesting a password/smart card login reset.
The Groove user request for password/smart card login reset permission involves the following steps:
1. A managed Groove user assigned to a device policy that has the reset password or reset smart card login policy enabled requests a password by clicking the ‘Forgot your password?’ or ‘Request Smartcard Login Reset’ link on the Groove login window. This displays a Request Password Reset or Request Smart Card Login Reset pop-up window that contains the user’s password reset or smart card login access code along with instructions to contact the administrator.
If the user defined a password hint and a hint pop-up window appears with a Request Reset button, the user, reminded by the hint, can try logging in again.
2. The user contacts the domain administrator (by phone, for example) and verifies identity to the domain administrator by citing the reset access code in the Request Reset window. This code should match what appears for the user in the administrator’s Member Information/Reset Password or Smart Card Login window on the management server.
3. The user presses the Request Reset button. Clicking Request Reset refreshes the Request Password/Smart Card Login Reset window, generates a ‘reset request’ entry in the management server audit log, and displays a Reset Password or Reset Smart Card Login button in the management server’s Member Information page for this user.
Clicking the Cancel button cancels the request and returns to the Groove login window.
4. The administrator responds to the reset request, as described in “Administering Centralized Reset of Login Credentials”.
5. If a New Password window appears on the client screen, along with instructions, the user enters a new password, confirms it, and clicks OK. Groove opens the user’s managed account.
If a New Smartcard Login window appears, along with instructions, the user selects new certificates and clicks OK. Groove opens the user’s managed account.
For information about customizing reset instructions, see “Customizing Reset Instructions for Managed Devices” below.
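The following is an added example, not Groove or management server code, that models the two procedures above (the administrator steps in “Administering Centralized Reset of Login Credentials” and the client steps in “Client Reset of User Login Credentials”) as one request/verify/grant exchange. It shows the checks that make the centralized reset safe: the grant is bound to the access code the user reads out of band, the administrator must confirm identity, the reset private key password must unlock the key, every step is written to an audit log, and a grant is single use. All class and function names (`ManagementServer`, `ResetRequest`, `hash_credential`, and so on) are hypothetical, and the stored credential hash is a constructed stand-in for the device-side key that Groove actually protects.

```python
"""Constructed model of a centralized login credential reset flow.

Hypothetical names throughout; this is not the Groove management server.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List


def hash_credential(secret: str) -> bytes:
    """Constructed stand-in for the credential check (Groove keeps the real key on the device)."""
    return hashlib.sha256(secret.encode("utf-8")).digest()


def _same(a: str, b: str) -> bool:
    """Constant-time string comparison so the access code check does not leak by timing."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class ResetRequest:
    """One outstanding 'Request Reset' from a client, tied to its access code."""

    def __init__(self, member: str, access_code: str) -> None:
        self.member = member
        self.access_code = access_code  # shown to the user in the Request Reset window
        self.granted = False            # set only by a successful administrator grant


class ManagementServer:
    """Hypothetical model of the server side of the reset exchange."""

    def __init__(self, reset_key_password: str, members: Dict[str, bytes]) -> None:
        # The reset private key is modelled only by the password that unlocks it
        # (in the guide that password comes from the server administrator).
        self._reset_key_password = reset_key_password
        self._members = dict(members)              # member -> credential hash (constructed)
        self._requests: Dict[str, ResetRequest] = {}
        self.audit_log: List[str] = []

    # ---- client side: Groove login window ----
    def request_reset(self, member: str) -> str:
        """'Request Reset': issue a fresh access code, log it, supersede any older request."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._requests[member] = ResetRequest(member, code)
        self.audit_log.append(f"reset request: member={member}")
        return code

    # ---- administrator side: Member Information page ----
    def grant_reset(self, member: str, code_from_user: str,
                    identity_confirmed: bool, key_password: str) -> str:
        """Grant only if the out-of-band code matches, identity was confirmed, and the key unlocks."""
        req = self._requests.get(member)
        if req is None:
            return "no pending request"
        if not _same(req.access_code, code_from_user):
            # Mirrors the guide: a stale code means the user re-requested; refresh and recheck.
            self.audit_log.append(f"reset denied (code mismatch): member={member}")
            return "access code mismatch"
        if not identity_confirmed:
            return "identity not confirmed"
        if not _same(self._reset_key_password, key_password):
            self.audit_log.append(f"reset denied (bad key password): member={member}")
            return "invalid private key password"
        req.granted = True
        self.audit_log.append(f"reset granted: member={member}")
        return "granted"

    # ---- client side: New Password window ----
    def complete_reset(self, member: str, new_secret: str) -> bool:
        """The user may set a new credential exactly once per granted request."""
        req = self._requests.get(member)
        if req is None or not req.granted:
            return False
        self._members[member] = hash_credential(new_secret)
        del self._requests[member]  # single use; another reset needs a new request
        self.audit_log.append(f"reset completed: member={member}")
        return True

    def verify_login(self, member: str, secret: str) -> bool:
        """Check a login against the stored (constructed) credential hash."""
        stored = self._members.get(member)
        return stored is not None and hmac.compare_digest(stored, hash_credential(secret))


if __name__ == "__main__":
    srv = ManagementServer("server-admin-key-pw", {"alice": hash_credential("old-pw")})
    code = srv.request_reset("alice")            # user clicks Request Reset, reads code by phone
    print(srv.grant_reset("alice", code, True, "server-admin-key-pw"))  # administrator grants
    print(srv.complete_reset("alice", "new-pw"))  # user fills in the New Password window
    print("\n".join(srv.audit_log))
```

The order of checks in `grant_reset` follows the guide's steps: the code comparison comes first because a mismatch usually means the user clicked Request Reset again and the administrator needs to refresh, and the private key password is only tried after the administrator has ticked the identity confirmation, so an unverified request never touches the key.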