
Admin Guide

IronKey Enterprise Management Service

Thank you for choosing IronKey.

IronKey is committed to creating and developing the best security technologies and making them simple-to-use, affordable, and available to everyone. Years of research and millions of dollars of development have gone into bringing this technology to you in the IronKey.

We are very open to user feedback and would greatly appreciate hearing about your comments, suggestions, and experiences with the IronKey.

Standard Feedback: feedback@ironkey.com
Anonymous Feedback: https://www.ironkey.com/feedback
User Forum: https://forum.ironkey.com

CONTENTS

Overview
  Meet IronKey Enterprise
  IronKey Enterprise Administrative Features
Setup and Deployment
  Getting Started
    Creating Your IronKey Enterprise Account
    Activation and Initialization
    Adding Users to the Enterprise Account
    Activating IronKey Enterprise for Basic Users
  Deploying IronKey Enterprise
    Deployment Method 1: Automated Distributed Deployment
    Deployment Method 2: Distributed Deployment
    Deployment Method 3: Manual Deployment
  Updating Device Software
  Best Practices for a Smooth Rollout
  Deployment Checklist
Using IronKey Enterprise
  System Elements and Terminology
    IronKey Users
    IronKey Devices
    IronKey Policies
    Events and System Auditability
    Understanding the Silver Bullet Service
    Understanding Password Assistance
  Using the Admin Console
    Accessing the Admin Console
    The Enterprise Dashboard
    Managing Users
    Managing Devices
    Using the Silver Bullet Service
    Using Password Assistance
    Managing Policies
    Managing Licenses
  Using the Admin Tools
    Accessing the Admin Tools
    Using Secure Device Recovery
    Promoting a Standard User to be an Admin
    Recommissioning Devices
  Importing Authentication Credentials
    Importing RSA SecurID Tokens
    Importing a Digital Certificate into the IronKey
  Administering the IronKey Anti-Malware Service
    Interpreting IronKey Malware Scanner Reports
  Common Tasks
    Adding New Users
    Activating Devices for a User
    Adding New Admins
    Adding New Devices to Users
    Disabling Lost Devices
    Helping a User with Password Assistance
    Using Non-Administrative Features
  Known Issues
Enterprise Support
Product Specifications

Overview

Meet IronKey Enterprise

The IronKey Enterprise Secure Flash Drive, designed to be the world’s most secure USB flash drive, tightly integrates with the IronKey Enterprise Management Service to give you control over protecting your organization’s data, ensuring that security policies are enforced, and remotely managing IronKey devices.

IronKey Enterprise consists of three interrelated elements that provide a robust solution to USB flash drive security and device management:

» The IronKey Secure Flash Drive hardware
» Applications bundled on the IronKey (based on policy configuration)
» The IronKey’s secure online services, which provide centralized administrative capabilities to IronKey Enterprise Admins

This guide informs you about how to get the most out of IronKey Enterprise, as well as best practices for deploying and managing IronKeys in your enterprise environment.


IronKey Enterprise Administrative Features

The Admin Console: Centralized Online Device Management

IronKey Enterprise includes a centralized management console for managing tens, hundreds or thousands of devices, reducing overall deployment times and maintenance requirements.

IronKey Policies: Enforcing Corporate Security Policies

IronKey Enterprise allows you to configure policies for device password strength, self-destruction settings, and enabling specific IronKey applications, services and more. Policies are downloaded to a device during activation, and changes to policies are automatically updated on affected devices after each device is unlocked.

Silver Bullet Service: Protecting Against Malicious Users

IronKey’s Silver Bullet Service will confirm that IronKey devices are authorized before allowing them to be unlocked. This real-time service allows Admins to completely disable and even remotely detonate devices, extending the control needed to protect important data. It also supports users who are not always online by allowing a predetermined number of unlock attempts before disabling the device.

When enabled, each IronKey will quickly check with the Silver Bullet Service immediately after the user tries to unlock the device, but prior to allowing the device to be unlocked. Active users will be able to unlock their IronKeys and continue as normal. Disabled users will receive a “Deny” command preventing them from unlocking the device, while lost or stolen devices that have been marked for detonation will receive a “Destroy” command and will initiate a self-destruct sequence on the device.

Admin Tools: Onboard each Administrator’s IronKey

Admins have additional functionality enabled in their IronKey’s Control Panel, including Secure Device Recovery, Admin Approval, and Device Recommissioning.

Secure Device Recovery: Securely Unlocking Users’ Devices

Secure Device Recovery is IronKey’s patent-pending PKI mechanism for Admins to unlock another user’s IronKey device, such as in the case of employee termination, regulatory compliance, or forensic investigations. Unlike many other solutions, there is no central database of back-door passwords.

Device Recommissioning: Securely Repurposing Users’ Devices

When employees leave the organization, their IronKeys can be safely recommissioned to new users. This process requires Admin authentication and authorization using IronKey Enterprise’s secure online services.

Admin Approval: Securely Promoting Users to Become Admins

When a new Admin is created, or a user is promoted to become an Admin, a verification procedure occurs not only on the service, but also on an existing Admin’s IronKey device. This ensures that the new user is cryptographically approved and able to become an Admin for your Enterprise Account.

Setup and Deployment

Getting Started

IMPORTANT—BEFORE YOU BEGIN

IronKey Enterprise is designed to protect your organization from the risks of data loss and data leakage by delivering world-class security. However, it is important to follow a few best practices when setting up your Enterprise Account to ensure that the proper levels of security and usability are met:

Make sure the person setting up the Enterprise Account has a thorough knowledge of your organization’s security policies and is authorized to be the System Admin for all of your organization’s IronKey devices. That person will define the default policy for IronKey devices.

Make sure there are multiple System Admins. To ensure the highest security, even IronKey is unable to intervene in your Enterprise Account in the event that a lone System Admin leaves the organization, loses his only IronKey device, or forgets that device’s password. Have multiple System Admins at all times, each with multiple active devices.

Please review the Best Practices section in this document for a smooth deployment.

CREATING YOUR IRONKEY ENTERPRISE ACCOUNT

Before you can begin deploying and managing IronKey Enterprise drives for end-users, you must create your IronKey Enterprise Account. To set up the account, you need:

» A PC running Microsoft Windows 2000 (SP4), XP (SP2), or Vista
» A USB 2.0 port for high-speed data transfer
» An Internet connection
» The email you received from IronKey with your Enterprise Account Number

1. Enter your Account Number at https://my.ironkey.com/enterprise
   This can also be done by clicking the link in the email you received from IronKey regarding setting up your IronKey Enterprise Account.

2. You must confirm that you are the appropriate authority for setting up your organization’s IronKey Enterprise Account. Select the checkbox and click “Continue.”

3. The next several steps allow you to establish security policies for your drives.
   To start, select the number of failed password attempts that a user may enter before the IronKey self-destructs and all the data on the IronKey is lost. All policy items can be changed later.

4. Set the password policy options, including minimum password length allowed, the minimum number of required characters, and requirements for backing up device passwords.

5. Configure the set of software applications and services that your users will have on their IronKeys.
   Putting the mouse over the help icon for each item shows a brief description of what that item is. See the section on Policy Items later in this document for more information.

6. Define a “Lost and Found” message that appears on the IronKey Unlocker screen when each device is plugged in. For example, this may include contact information in case a lost device is found, or department information for easily distinguishing devices.
   You may optionally choose to leave this blank or to allow users to define their own Lost and Found message.

7. The next several steps guide you through creating your own my.ironkey.com account for how you individually will access your organization’s Enterprise Account. This involves creating a username and password, confirming your email address, answering Secret Questions, and choosing a Secret Image and Phrase for

ACTIVATION AND INITIALIZATION

After confirming your information, an email is sent to you containing the Activation Code for your first IronKey Enterprise Secure Flash Drive.

1. Plug in any unactivated IronKey drive from the set you purchased.
   Your IronKey must be activated on a Windows (2000, XP, or Vista) or Mac computer. To use the full speed of the IronKey, plug it into a USB 2.0 port.

2. The “Activate Your IronKey” screen appears.
   The IronKey autoruns as a virtual CD-ROM.
   • Windows: This screen might not appear if your computer does not allow devices to autorun. You can start it manually by double-clicking the IronKey Unlocker drive in “My Computer” and double-clicking the “IronKey.exe” file.
   • Mac: Double-click the IronKey drive on your desktop, and double-click the “IronKey” file.
   NOTE: You can install the IronKey Auto-Launch Assistant, which automatically opens the IronKey Unlocker when you plug in an IronKey. See “Preferences” in IronKey Control Panel Settings. (Mac only)

3. Retrieve the email with your Activation Code. Copy and paste the code into the IronKey window. Click “Continue” when you are ready.
   Enter your email address and your Activation Code into the fields provided on the IronKey window.
   If your IronKey cannot connect to the Internet, click “Edit Proxy Settings” to adjust its network settings.

4. Create a device password and a nickname for your IronKey.
   Because you can have multiple IronKeys associated with one IronKey account, the nickname helps you distinguish between different IronKey devices.
   Your password is case-sensitive and must match your organization’s password policy.

5. Back up your password online to your my.ironkey.com account
   If enabled, you have the option to back up your password online to your my.ironkey.com account. That way, if you ever forget your password, you can safely log into https://my.ironkey.com and recover it.

6. The IronKey initializes.
   During this process, it generates the AES encryption keys, creates the file system for the secure volume, copies secure applications and files to the secure volume, and configures the onboard Firefox browser. Depending on your configuration, this might take several minutes.

After this device has been initialized, use the same steps to activate a second System Admin’s device. IronKey Enterprise is ready for use.

IMPORTANT: Label this drive now as the administrator drive or leave it unmarked based on your security preferences. Keep this drive in a safe place. It is essential for maintaining your IronKey Enterprise Account.

ADDING USERS TO THE ENTERPRISE ACCOUNT

You can now begin adding users to your Enterprise Account.

1. Click the my.ironkey.com icon in the IronKey Control Panel to access the Admin Console.

2. Click “Manage Users” in the sidebar of the Admin Console tab.

3. Click the “Add” button in the top right.

4a. To add a single user, enter the user’s name (optional), email (optional), role, policy for the user’s device, and whether you want the system to send the user an email with the Activation Code for setting up his IronKey device (this requires that an email address be supplied). Then click “Submit”.
   The user will then be added to the Enterprise Account.

4b. To add a list of multiple users, click the “Add Multiple Users” button at the top right.

5. Copy and paste a CSV file’s contents into the textbox provided and click “Continue”.
   • Use this format: Name,Email,Role,Policy
   • The Role can be one of the following:
     • System Admin
     • Admin User
     • Auditor
     • Standard User
   • Up to 100 users can be added in a single import.
   NOTE: All fields are optional and default to an anonymous Standard User with the Default Policy if not specified. Unless you are a System Admin, you can only add Standard Users.
   Watch the online demonstration for more information. An example of a row might be:
   John Doe,John_Doe@Organization.com,Auditor,IT Policy
   where the user’s name is “John Doe”, email address is “John_Doe@Organization.com”, he will be an Auditor, and his device will use a policy with the name “IT Policy”.

6. You will be required to fix any errors before the data can be submitted. Once all data is verified and correct you will be allowed to submit it.
   Once all errors are fixed, click “Submit”, and the users will be added to the Enterprise Account.
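The import rules from step 5 can be checked before anything is pasted into the Admin Console. The following is an added example, not IronKey code: the function names, the caller-supplied set of existing policy names, the email shape test and the duplicate-email check are assumptions, and the sample rows are constructed apart from the guide's own John Doe row.

```python
import csv
import io

ROLES = ("System Admin", "Admin User", "Auditor", "Standard User")  # roles the guide lists
MAX_ROWS = 100                      # "Up to 100 users can be added in a single import"
DEFAULT_ROLE = "Standard User"      # a blank Role falls back to this
DEFAULT_POLICY = "Default Policy"   # a blank Policy falls back to this


def check_import(text, importer_role, known_policies):
    """Validate CSV text in Name,Email,Role,Policy order.

    Returns (rows, errors): the rows that passed, with defaults filled in,
    and one message per problem found.
    """
    rows, errors = [], []
    seen = {}                                                   # email -> first row number
    records = [r for r in csv.reader(io.StringIO(text)) if r]   # skip blank lines
    if len(records) > MAX_ROWS:
        errors.append(f"{len(records)} rows exceed the {MAX_ROWS}-user limit")
    for n, rec in enumerate(records, start=1):
        before = len(errors)
        if len(rec) > 4:
            errors.append(f"row {n}: {len(rec)} fields (unquoted comma in a name?)")
            continue
        name, email, role, policy = [f.strip() for f in rec] + [""] * (4 - len(rec))
        role, policy = role or DEFAULT_ROLE, policy or DEFAULT_POLICY
        if role not in ROLES:
            errors.append(f"row {n}: unknown role {role!r}")
        elif role != "Standard User" and importer_role != "System Admin":
            errors.append(f"row {n}: only a System Admin can add a {role}")
        if policy not in known_policies:
            errors.append(f"row {n}: no policy named {policy!r}")
        if email:
            local, at, domain = email.partition("@")
            if not (local and at and "." in domain) or " " in email:
                errors.append(f"row {n}: malformed email {email!r}")
            elif email.lower() in seen:      # assumption: one email per imported user
                errors.append(f"row {n}: email repeats row {seen[email.lower()]}")
            else:
                seen[email.lower()] = n
        if len(errors) == before:
            rows.append({"name": name, "email": email, "role": role, "policy": policy})
    return rows, errors


def console_access(rows):
    """Rows that grant Admin Console access and deserve a second reviewer."""
    return [r for r in rows if r["role"] != "Standard User"]


# Constructed sample: the guide's example row, an all-default row, and two bad rows.
SAMPLE = """\
John Doe,John_Doe@Organization.com,Auditor,IT Policy
,,,
Jane Roe,jane.roe@example.com,Sysadmin,IT Policy
Sam Poe,sam.poe@example,Admin User,Lab Policy
"""
POLICIES = {"Default Policy", "IT Policy"}   # hypothetical policies already defined

if __name__ == "__main__":
    ok, problems = check_import(SAMPLE, "System Admin", POLICIES)
    for line in problems:
        print(line)
    print("rows granting console access:", console_access(ok))
```

Running the same file as an Admin User instead of a System Admin also rejects the Auditor and Admin User rows, which mirrors the restriction in the NOTE above.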

ACTIVATING IRONKEY ENTERPRISE FOR BASIC USERS

To remotely manage users with IronKey Basic devices, you can ask them to activate IronKey Enterprise on their devices:

1. Add a new user in the Admin Console.

2. Send an activation code for the user to enter in the IronKey Basic Control Panel.

3. The user confirms the organization and its system administrator.

The device binds to the organization’s Enterprise account, receiving the Enterprise device policy.


Deploying IronKey Enterprise

You are now ready to distribute IronKey Secure Flash Drives to your users. Inside the packaging is an IronKey device, a Quick Start Guide, and a lanyard.

There are three basic ways of deploying IronKeys to your organization. You can decide which one is right for your organization based on your security, privacy, and IT considerations.

DEPLOYMENT METHOD 1: AUTOMATED DISTRIBUTED DEPLOYMENT

The simplest and most cost-effective way to deploy IronKeys to your userbase is to add users to the Enterprise Account and then hand them an IronKey device. IronKey Enterprise will take care of the rest.

1. Add a user to the Enterprise Account.
   Review the detailed instructions elsewhere in this document for more information.
   Make sure to provide the user’s email address and select the checkbox that will send the user an email with his Activation Code.
   Mass imports of up to 50 users will also have the users’ Activation Codes automatically emailed to them.

2. Give the user an IronKey Enterprise Secure Flash Drive.
   Any purchased or recommissioned device will work.

3. Have the user retrieve the email with his Activation Code and copy and paste it into the IronKey.
   Instructions for this step are provided to the user in the Quick Start Guide and in the email.
   (NOTE: Requires a Windows or Mac computer.)

The user is now active in the Enterprise Account.

DEPLOYMENT METHOD 2: DISTRIBUTED DEPLOYMENT

If you have a very large userbase, want to customize the invitation email, or your corporate privacy policy is such that you will not import your users’ email addresses into the Enterprise Account, you can import your users first and then email their setup information yourself.

1. Add users to the Enterprise Account.
   Review the detailed instructions elsewhere in this document for more information.
   Make sure to clear the checkbox that would send the user an email with his Activation Code.
   IMPORTANT: Even if you are performing a mass import and do not want the users emailed, we strongly recommend providing their email addresses to avoid problems during activation and online account setup.

2. The setup information for that user’s device is presented on the screen (or in the case of a mass import, in a downloadable CSV file).

3. Email each user his IronKey setup information.
   This can be done manually for small numbers of users.

4. Give the user an IronKey Enterprise Secure Flash Drive.
   Any purchased or recommissioned device will work.

5. Have the user retrieve the email with his Activation Code and copy and paste it into the IronKey.
   Instructions for this step are provided to the user in the Quick Start Guide and in the email.

DEPLOYMENT METHOD 3: MANUAL DEPLOYMENT

If you do not want your users to be involved in the activation process, you can manually set up each IronKey and then hand it to the user. This method is simpler for end users, though it requires a little more effort from those deploying the devices.

1. Add a user to the Enterprise Account.
   Review the detailed instructions earlier in this document for more information.
   Make sure to clear the checkbox that would send the user an email with his Activation Code.
   IMPORTANT: Even if you do not want the user emailed, we strongly recommend providing their email address to avoid problems during activation and online account setup.

2. The setup information for that user’s device is presented on the screen (or, for a mass import, in a downloadable CSV file).

3. Activate an IronKey Enterprise Secure Flash Drive, but stop before creating the device password.
   Any purchased or recommissioned device will do. Enter your email address and the Activation Code. (NOTE: Your email address will not be associated with the device after Activation.)
   When you get to the next screen, where you can create the device password, exit the setup process and unplug the device.

4. Give the device to the

Updating Device Software

You can get software updates for devices via download.

1. In the IronKey Control Panel, click “Settings” and then click the “Check for Updates” button.
   The IronKey can securely update its software and firmware through signed updates that are verified in hardware. This allows users to keep their devices up-to-date and protect themselves from future malware and online threats.

2. Click the “Download Update” button to download the updates and install them on the device.
   • Windows: If an update is available, you can download and install it by clicking the “Download Update” button.
   • Mac: You can check for and download policy updates. However, you must download software updates on a Windows computer.

3. After the installation is completed, you can check that the device is updated to the latest version:
   a. Lock and unplug the device, and then reinsert it.
   b. In the IronKey Control Panel, click “Settings” and then click “About IronKey” to view version information.
   You can view details about your device, including model number, serial number, software and firmware version, secure files drive, and OS. You can also click the copy button (CTRL+C) to copy device details to the clipboard for your forum posting or support request; visit the website (CTRL+W); or view legal notices (CTRL+N) and certifications (CTRL+?).

Best Practices for a Smooth Rollout

UPDATE PASSWORD POLICIES ONLY WHEN NEEDED

When you update the password policy items in a policy, devices with that policy will update to the latest version. However, since the password policy has changed, users will be required to change their password so it conforms to the new password policy. Change the password policy items only when needed so users do not have to excessively change their device passwords.

CREATE A SEPARATE POLICY FOR LINUX USERS

If you plan to leverage IronKey’s Silver Bullet Service, create a separate policy for Linux users that does not include Silver Bullet or that includes a large number of Silver Bullet attempts.

The Silver Bullet Service is not available for Linux systems. On Linux computers, device usage is disabled.

HAVE USERS BACK UP THEIR PASSWORDS FOR PASSWORD ASSISTANCE

You can mandate through policy that each user back up his/her device password online. This will allow Admins to use Password Assistance to email users a temporary link that reminds them of their password in case they ever forget it. If your policy is to not have users back up their device password, you can use Secure Device Recovery to change their password for them.

BACK UP YOUR DATA REGULARLY

Encourage users to use the onboard Secure Backup software for backing up their onboard data. In the case that an IronKey is lost or stolen, that data can later be recovered to a new IronKey.

KEEP ADMIN AND USER DEVICES UP-TO-DATE

Ensure that Admin devices have the latest IronKey software. You can do this by clicking the “Check for Updates” button in the IronKey Control Panel (under “Settings”). To ensure that Windows XP users can update their devices, install the IronKey Assistant (see the IronKey Assistant Deployment Guide for details).

USE SILVER BULLET WISELY

Do not set the Silver Bullet policy too strictly (e.g. deny if not online or from a specific IP address) for remote or travelling employees; otherwise, they might sometimes be unable to use their IronKey.

Deployment Checklist

• IronKey Enterprise Account successfully created and Default Policy defined
• First IronKey device activated—confirmed access to Admin Console
• Redundant System Admin added—confirmed access to Admin Console
• Users added/imported into Enterprise Account

Deployment Methods 1 and 2
• Emails with Activation Code sent
• IronKey devices distributed to users

Deployment Method 3
• IronKey devices manually activated
• IronKey devices distributed to users

Using IronKey Enterprise

System Elements and Terminology

IRONKEY USERS

Each member of your IronKey Enterprise Account is called a “User”.

User Roles

There are five separate user roles, differentiated by the user’s privileges:

» System Admin: Can modify all users and system settings, including adding Admins, approving Admins, changing user roles, and deleting users.
» Admin User: Can manage users and add Standard Users
» Custom Admin: Has a mixture of privileges, such as policy management
» Auditor: Can view the Admin Console with read-only access
» Standard User: An IronKey user who cannot view the Admin Console

All Admins and Auditors will have online IronKey accounts, as this is needed to access the Admin Console. Standard Users do not have online IronKey accounts.

Only System Admins can add Admin users, delete users and change user roles.

User Statuses

The current status of a user signifies what state his account is in. There are several user statuses, including:

» Pending: System is waiting for user to activate his IronKey
» Active: User has activated at least one IronKey and has set up his online IronKey account
» Active (without online account): User has activated at least one IronKey but does not have an online IronKey account
» Locked: User’s account has been locked after three incorrect answers to challenge questions
» Disabled: User’s account has been temporarily disabled by an Admin
» Disabled (without online account): A user who does not have an online IronKey account has been temporarily disabled by an Admin
» Deleted: User’s name has been deleted by a System Admin, but can be re-used (NOTE: A user’s online account name cannot be used twice even if the user is deleted.)

Other User Properties

For purposes of organization and smooth deployment, you can set a name and email address for each user. These fields are optional, and if left blank users will be displayed as User1, User2, User3... in the Admin Console.

IRONKEY DEVICES

Every IronKey Enterprise Secure Flash Drive in your Enterprise Account is associated with a user. Users can have one or many IronKey devices.

Device Properties

IronKey devices include the following properties:

» Device Name, useful for inventorying the Case ID
» Device Status, similar to user statuses
» The capacity of the drive (in GB)
» The unique serial number of the IronKey Cryptochip inside the device
  Consistent, unique serial numbers for enhanced asset inventory management and endpoint security control are in these locations:
  • Lasered onto the device, including a barcode
  • Printed on the product packaging
  • On the “About IronKey” pane of the IronKey Control Panel
  • On the IronKey Admin Console, with the device’s model number
  • Integrated into the USB standard field name, so that it is available to Windows and other operating systems for security whitelisting and inventory management by other products
  For large-scale deployments, you can export IronKey Admin Console information including the serial number to a .CSV file for electronic transfer to another system.
» Product identification numbers (PIDs) for S200 and D200 models are useful for inventory management and security control (Basic: 0x0201; Personal: 0x0202; Enterprise: 0x0203).
» The policy to which this device is adhering
» The date on which this device was activated
» The date and user for when the device was created and last modified

Users can have more than one IronKey device

Devices also include a comments section, in which you may write information as needed. For example, you could enter information regarding your own inventory data, the device’s case serial ID, or information regarding the use or purpose of this device.

IRONKEY POLICIES

IronKey Enterprise devices comply with the policies you define in the Admin Console. Policy items you can control include:

PASSWORD SECURITY POLICIES

» The number of invalid password attempts before self-destruction
  After too many consecutive invalid password attempts, IronKey devices initiate a self-destruct sequence with advanced “flash-trash” technology. This hardware-level security protects against brute-force password attacks. Configure this feature with a balance of security and end-user convenience in mind.
  • Range is from 2 to 200 attempts
  • Default: 10 attempts
  • Recommendation: 10 attempts

» The minimum password length for device passwords
  Only passwords with this many or more characters will be allowed.
  • Range is from 4 to 20 characters
  • Default: 4 characters
  • Recommendation: Depends on self-destruct limit
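How the password items in this section interact, as an added example that is not IronKey code: it range-checks a policy against the limits listed here, tests candidate passwords against it, and puts a number on why the minimum-length recommendation depends on the self-destruct limit. The class and method names are hypothetical, a "special character" is assumed to be any character that is neither alphanumeric nor whitespace, and the guess figure assumes a uniformly random password.

```python
from dataclasses import dataclass
from fractions import Fraction

# (low, high) range of each policy item, as listed in this section of the guide.
RANGES = {
    "max_attempts": (2, 200),   # invalid attempts before self-destruct
    "min_length": (4, 20),
    "min_upper": (0, 5),
    "min_lower": (0, 5),
    "min_digits": (0, 5),
    "min_special": (0, 5),
}


@dataclass(frozen=True)
class PasswordPolicy:
    max_attempts: int = 10          # guide default
    min_length: int = 4             # guide default
    min_upper: int = 0
    min_lower: int = 0
    min_digits: int = 0
    min_special: int = 0
    allow_whitespace: bool = True   # guide default: Yes

    def range_errors(self):
        """Policy items that fall outside the ranges listed in the guide."""
        return [f"{name}={getattr(self, name)} outside {lo}..{hi}"
                for name, (lo, hi) in RANGES.items()
                if not lo <= getattr(self, name) <= hi]

    def effective_min_length(self):
        """Character-class minimums can force a longer password than min_length."""
        classes = self.min_upper + self.min_lower + self.min_digits + self.min_special
        return max(self.min_length, classes)

    def violations(self, password):
        """Reasons a candidate device password fails this policy (empty if it passes)."""
        counts = {
            "uppercase letters": (sum(c.isupper() for c in password), self.min_upper),
            "lowercase letters": (sum(c.islower() for c in password), self.min_lower),
            "digits": (sum(c.isdigit() for c in password), self.min_digits),
            # Assumption: "special" means neither alphanumeric nor whitespace.
            "special characters": (
                sum(not c.isalnum() and not c.isspace() for c in password),
                self.min_special),
        }
        out = []
        if len(password) < self.min_length:
            out.append(f"shorter than {self.min_length} characters")
        out += [f"needs at least {need} {label}"
                for label, (have, need) in counts.items() if have < need]
        if not self.allow_whitespace and any(c.isspace() for c in password):
            out.append("whitespace is not allowed")
        return out

    def best_case_guess_chance(self, alphabet_size):
        """Chance that max_attempts distinct guesses hit a uniformly random password
        of the shortest allowed length. Human-chosen passwords do worse than this."""
        keyspace = alphabet_size ** self.effective_min_length()
        return min(Fraction(1), Fraction(self.max_attempts, keyspace))


if __name__ == "__main__":
    default = PasswordPolicy()
    # Defaults with a digits-only password: 10 tries against 10**4 candidates.
    print("default policy, 4-digit PIN:", default.best_case_guess_chance(10))
    strict = PasswordPolicy(min_length=8, min_upper=1, min_digits=1)
    print("ironkey1 ->", strict.violations("ironkey1"))
    print("8 chars over 62 symbols:", float(strict.best_case_guess_chance(62)))
```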

» The minimum number of uppercase letters in device passwords
  Only passwords with this many or more uppercase letters will be allowed.
  • Range is from 0 to 5 letters
  • Default: 0

» The minimum number of lowercase letters in device passwords
  Only passwords with this many or more lowercase letters will be allowed.
  • Range is from 0 to 5 letters
  • Default: 0

» The minimum number of digits in device passwords
  Only passwords with this many or more digits will be allowed.
  • Range is from 0 to 5 digits
  • Default: 0

» The minimum number of special characters in device passwords
  Only passwords with this many or more special characters will be allowed.
  • Range is from 0 to 5 characters
  • Default: 0

» Whether whitespaces are allowed in device passwords
  This setting determines whether or not spaces are permitted in IronKey device passwords.
  • Default: Yes
  • Recommendation: Yes

APPLICATION POLICIES

» Whether Mozilla Firefox is available on the device
  If enabled, a Firefox web browser will be included onboard each IronKey device. This onboard browser is portable, so cookies, history files, bookmarks, add-ons and online passwords are not stored on the local computer.
  • Default: Enabled

» Whether the IronKey Identity Manager is available on the device
  If enabled, the IronKey Identity Manager will be included on each IronKey device. It allows users to seamlessly log into their online accounts (using IE6, IE7, IE8 and the onboard Firefox) and most applications that require username and password credentials, as well as generate strong passwords and manage portable bookmarks. Not having to type out passwords provides added protection from keyloggers and other crimeware. Additionally, websites that support VeriSign Identity Protection (VIP) can be locked down to the IronKey for two-factor authentication.
  • IronKey devices using a version prior to 1.3.5 are using the IronKey Password Manager. This policy is compatible with the IronKey Password Manager.
  • Default: Enabled

» Whether IronKey’s Secure Backup software is available on the device
  If enabled, IronKey’s Secure Backup software will be included on each IronKey device. This software allows users to back up an encrypted copy of files from their IronKey device to their local computer. If the IronKey device is lost or stolen, backed up data can be restored to another IronKey.
  • Default: Enabled
  • Recommendation: Enabled

» Whether RSA SecurID is available on the device
  If enabled, each IronKey will include an application for generating RSA SecurID one-time passwords for strong authentication. A .stdid file will need to be imported to use this application.
  • Default: Disabled

» Whether CRYPTOCard is available on the device
  If enabled, each IronKey will include an application for generating CRYPTOCard one-time passwords for strong authentication. A token file will need to be imported to use this

» Whether the IronKey Malware Scanner is available on the device
  If purchased and enabled, each IronKey will include an application that scans the IronKey on each use, detecting and cleaning malware from the device.
  • Default: Disabled

SERVICE POLICIES

» Whether the device automatically locks after a specified period of inactivity (i.e. without keyboard or mouse activity)
  • Whether to force lock the device if open files cannot be closed
  • Whether users can configure these settings
  • The idle time-out ranges from 5 to 180 minutes

» Whether the device must be authorized before being able to be unlocked (Silver Bullet Service)
  The Silver Bullet Service will confirm that IronKey devices are authorized and in good standing before allowing them to be unlocked. This real-time service allows Administrators to completely disable and even remotely detonate devices, extending the control needed to protect important data.
  • This feature requires an Internet connection
  • This feature is not available on Linux and disables Linux usage when enabled
  • Default: Disabled

» Whether the device may or may not be unlocked if it is not connected to the Internet or able to be authorized
  Since users are not always able to be online, this setting defines a predetermined number of unlock attempts (“Silver Bullet attempts”) before disabling the device. IronKeys will be able to be unlocked this many times when not able to connect to the service. Set this policy with a balance of security and user convenience in mind.
  • This feature depends on Silver Bullet being enabled
  • The number of times the device can be unlocked while not connected to the Internet ranges from 1 to 200
  • Default: Allow 10 times
  • Recommendation: Allow 10 times

» Trusted Networks: Whether the device may or may not be unlocked based on where the user is (i.e. which IP address the device is coming from)

The Silver Bullet Service can be configured to allow or deny access to a device based on a Trusted Network IP address whitelist. Users coming from an IP address on the whitelist (e.g. from the office) will be permitted to use their device, while users who are coming from an untrusted network (e.g. home) will be denied.

• WARNING: Set this policy with caution as being too restrictive may prevent trusted users from being able to access their data.

• This feature depends on Silver Bullet being enabled

• This feature does not apply to System Admins.

• Examples of Valid Input (Internal IP Addresses should not be used):

  • To allow a specific IP address, just enter it in:

    • From: 192.168.0.1

  • To allow a block of IP addresses, use the * character:

    • From: 192.168.0.*

  • To allow a range of IP addresses, use both the From and To fields:

    • From: 192.168.0.1 To: 192.186.0.12

• To add additional IP addresses, click the “Add More” button.

• To delete an entry, click the “X” button next to that row.
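A pre-deployment check for Trusted Network rows, as an added example that is not IronKey code: it parses the three input forms listed above, flags rows that overlap internal (RFC 1918) ranges, flags unusually wide rows, and reports expected source addresses that no row would allow. The trailing-wildcard rule, the 65,536-address threshold and the 203.0.113.x / 198.51.100.x office addresses are assumptions or constructed values.

```python
"""Lint Trusted Network whitelist rows before saving them in a policy.

Added example, not IronKey code. Row syntax follows the three forms in the
guide: a single address, a "*" block, and a From/To range.
"""
import ipaddress

# The guide says internal addresses should not be used; these are the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_SPAN = 65536  # assumption: a row wider than a /16 deserves a second look

# The three example rows from the guide, as (From, To) tuples.
GUIDE_ROWS = [("192.168.0.1",), ("192.168.0.*",), ("192.168.0.1", "192.186.0.12")]
# Constructed rows for a hypothetical office with public egress addresses.
OFFICE_ROWS = [("203.0.113.10",), ("203.0.113.*",),
               ("198.51.100.20", "198.51.100.29")]


def parse_row(from_field, to_field=""):
    """Return the inclusive (first, last) IPv4Address bounds of one row."""
    from_field, to_field = from_field.strip(), to_field.strip()
    if "*" in from_field:
        if to_field:
            raise ValueError("a * block does not take a To value")
        octets = from_field.split(".")
        if len(octets) != 4:
            raise ValueError("expected four dot-separated octets")
        stars = [o == "*" for o in octets]
        # Assumption: * replaces trailing octets only (the guide shows 192.168.0.*).
        if stars[0] or stars != sorted(stars):
            raise ValueError("* may only replace trailing octets")
        low = ".".join("0" if s else o for o, s in zip(octets, stars))
        high = ".".join("255" if s else o for o, s in zip(octets, stars))
        return ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)
    first = ipaddress.IPv4Address(from_field)
    last = ipaddress.IPv4Address(to_field) if to_field else first
    if last < first:
        raise ValueError("To address is below From address")
    return first, last


def lint_row(from_field, to_field=""):
    """Return a list of warnings for one row; an empty list means clean."""
    try:
        first, last = parse_row(from_field, to_field)
    except ValueError as exc:
        return [f"invalid: {exc}"]
    warnings = []
    for net in INTERNAL_NETS:
        # Two inclusive intervals overlap when each starts before the other ends.
        if first <= net.broadcast_address and last >= net.network_address:
            warnings.append(f"overlaps internal range {net}")
    span = int(last) - int(first) + 1
    if span > MAX_SPAN:
        warnings.append(f"covers {span} addresses; check for a mistyped octet")
    return warnings


def uncovered(rows, expected_sources):
    """Return the expected source addresses that no valid row would allow."""
    bounds = []
    for row in rows:
        try:
            bounds.append(parse_row(*row))
        except ValueError:
            continue  # invalid rows allow nothing
    missing = []
    for text in expected_sources:
        address = ipaddress.IPv4Address(text)
        if not any(low <= address <= high for low, high in bounds):
            missing.append(text)
    return missing


if __name__ == "__main__":
    for row in GUIDE_ROWS + OFFICE_ROWS:
        print(row, "->", lint_row(*row) or "ok")
    # Constructed check: would users behind these addresses be locked out?
    print("not covered:", uncovered(OFFICE_ROWS, ["203.0.113.77", "198.51.100.30"]))
```

The guide's range row, From 192.168.0.1 To 192.186.0.12, spans 1,179,660 addresses because the second octet differs between the two fields; review wide rows like this before saving the policy.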

» Whether the user may, must, or may not back up his device password online

If enabled, users can back up their device password to their Online Security Vault. If users have access to their online account, they can recover their device password without Admin intervention by manually logging into Safe Mode and viewing their password in a CAPTCHA.

• Default: May

• Recommended: Must (to ensure availability of Password Assistance)

» Whether the user may or may not back up his Identity Manager data

This setting allows users to back up their encrypted Identity Manager data to an Online Security Vault. That way, if their device is ever lost or stolen, they can restore their passwords to a new IronKey.

• This feature depends on the Identity Manager being enabled

• Default: Yes (may)

• Recommendation: Yes (may)

» Whether IronKey’s Secure Sessions Service is available for the device

If enabled, IronKey’s Secure Sessions Service will create an encrypted tunnel directly from the user’s IronKey out to a secured IronKey web server, where the traffic is then decrypted and sent out to the destination site. This security feature provides phishing and anti-pharming protection (for example, IronKey does its own DNS checking), as well as enhanced privacy protection (for example the IP address will not be available to other websites and ISPs).

• This feature depends on Mozilla Firefox being enabled

• Default: Enabled

» Whether Standard Users have an online my.ironkey.com account

Having an online account gives a Standard User basic management capabilities of his IronKey devices. This setting controls whether or not users have an online IronKey account they can access. Administrators and Auditors must have online accounts to access the Admin Console. Disabling this feature will not prevent users from backing up data to their Online Security Vault, but it will prevent them from recovering their backed up device password without Administrator intervention.

• Default: Yes (have)

» Automatically update device policy every time device is unlocked

Once an IronKey is unlocked, it can automatically check for and download the latest policy for that device. This ensures that changes to security policies are enforced as soon as possible.

• Default: Enabled

• Recommendation: It is strongly recommended that this feature be enabled

OTHER POLICY ITEMS

» The Lost and Found Message that appears on device insertion

This message will appear on the IronKey Unlocker screen whenever the device is plugged into a computer. In the event that the IronKey is lost, someone can return it to the contact information in the Lost and Found Message.

• Range is 0 to 255 characters and up to 6 lines of text

• Default: Blank

» Whether the user can modify the Lost and Found Message

This setting determines whether or not users can edit or create their own Lost and Found Message.

• Default: No

Policy Properties

IronKey policies include the following properties:

» Policy Name, unique name that is non-editable

» Policy Status

» The user who created this policy

» The date on which this policy was created

The current status of a policy signifies if the policy is current and if devices are using that policy. There are several policy statuses, including:

» Active: Policy version is the most current version and available for use

» Out-of-date: Policy version is not current, but has devices still using it

» Retired: Policy version is not current and no devices are still using it

How Device Policies Work

Your organization can have an unlimited number of new policies. When a new policy is created, you must choose a unique name for that policy (e.g. Sales Policy, Classified, etc.) and the system will automatically generate an

Every time an existing policy is modified, a new version of that policy is created (e.g. Policy 2.001, Policy 2.002). All devices will update to the most current version of the policy assigned to that device. Checking for policy updates and downloading the latest policy happens automatically when the device is unlocked. Policy changes are then enforced the next time the device is unlocked. Clicking the “Check for Updates” button in the IronKey Control Panel will also check for policy updates.

For example, if the password requirements for the organization change, an Admin can update the appropriate items in an IronKey policy. The policy status for the affected devices is now in a pending state. The next time the affected devices are unlocked, they will check to see if they have the latest policy. In this case they do not, so they will automatically download the latest policy. The next time the device is unlocked, the new policy will be enforced. Since the password policy has changed, the user will be forced to change his device password before being able to access his files.

The Make-Up of Policy Numbers and Versions

Policy 4.012

• 4: The policy number, used for distinguishing separate policies.

• 012: The policy version, used to distinguish edits to an existing policy.


EVENTS AND SYSTEM AUDITABILITY

Important security events and user activities involving the Enterprise Management Service are logged into the system to provide a clear audit trail for compliance or investigations. Details such as which user, which device, when the event occurred, at which IP address, and a description of what occurred are provided for each event when applicable.

Events are shown in the Enterprise Dashboard of the Admin Console. Examples of some of the logged events include:

» When Secure Device Recovery is performed

» When a device is recommissioned

» When a policy is modified

» When a user is invited into the IronKey Enterprise Account

» When a device is added to a user

» When a user is deleted or device(s) disabled

» When a device has detonated using the Silver Bullet Service

» When a user or device profile has been modified

» When an Admin is approved

» Login activities, such as when Admins log into the Admin Console

UNDERSTANDING THE SILVER BULLET SERVICE

IronKey’s Silver Bullet Service extends the control Admins need to remotely manage IronKey devices and protect critical data by requiring IronKeys to check for authorization prior to unlocking.

The Silver Bullet Service works as follows:

» The Silver Bullet policy items are enabled via policy by an Admin User.

» When a user enters his device password and clicks “Unlock” on a device that has Silver Bullet enabled, the device will quickly check with IronKey’s Silver Bullet Service to ensure that it is in good standing and coming from a Trusted Network IP address.

» If the device is active and in good standing, it will receive an “Allow” command, the device will unlock, and the user will continue his work.

» If the device or user has been disabled in the Admin Console, the device will receive a “Deny” command and will not unlock.

» If the device has been lost or stolen and the data must be protected at all costs, the Admin can mark the device for remote detonation. The device status will be Active (Pending Detonation), and the next time the device is used it will receive a “Detonate” command and immediately self-destruct. A detonated device cannot be used again.

If the user is not connected to the Internet, the device will not be able to check for authorization. In this case, it will abide by the maximum threshold of permitted Silver Bullet attempts. This number, pre-defined in policy, may be 0 (Deny) through 200, meaning that the device would allow up to 200 unlock attempts before disabling itself until it can connect to the Internet and check for authorization.

UNDERSTANDING PASSWORD ASSISTANCE

A common helpdesk task is to assist users with forgotten passwords. IronKey Enterprise includes three ways Admins can assist users with forgotten passwords:

Method: Password Self-Recovery. Users log into my.ironkey.com with email and online password

Recommended For: Allowing users to recover passwords without helpdesk intervention.

Requirements:

» Users must have an online account

» Device passwords must be backed up online

» Admin intervention is NOT required

Method: Password Assistance. One-time URL is emailed to user, linking to page displaying forgotten password

Recommended For: Allowing Admins to assist users who may be remote or who would not use Password Self-Recovery

Requirements:

» Device passwords must be backed up online

» Users must have valid email addresses in the system

» Standard Users do NOT have to have an online account

Method: Secure Device Recovery. Admin plugs in his and user’s device, uses Admin Tools to unlock device or change password

Recommended For: Ensuring the most secure procedures are used to recover devices and manage passwords.

Requirements:

» Admin must have physical possession of the user’s device

» Device passwords do NOT have to be backed up online

» Standard Users do NOT have to have an online account

Admin Tools

Onboard Admin Devices

Access: Via IronKey Control Panel

Availability: Approved Admins only

Features:

» Secure Device Recovery

• Unlocking users’ devices

• Resetting users’ passwords

» Device Recommissioning

» Admin Approval

Admin Console

Online at my.ironkey.com

Access: Via IronKey Control Panel

Availability: Approved Admins only

Features:

» Managing users

» Managing devices

» Managing policies

» Monitoring events

Using the Admin Console

ACCESSING THE ADMIN CONSOLE

The Admin Console is available for all approved Admins, and it can be accessed by clicking the my.ironkey.com button in the IronKey Control Panel. This will securely log you in with mutual authentication over a secure channel.

Step Description

1 Ensure that you have completed the Setup Process detailed elsewhere in this document. Review the section on Getting Started for more information.

2 Click the my.ironkey.com icon in the IronKey Control Panel. This will securely log you in with mutual authentication over SSL. If you are using a proxy, you may need to update your IronKey’s Network Settings so that it knows how to connect to the Internet.

3 After your browser opens to the welcome page, click the Admin Console tab.

THE ENTERPRISE DASHBOARD

The Enterprise Dashboard shows you the latest security events and user activities in your Enterprise Account, statistics on how many active users and devices there currently are, as well as important notifications, such as lists of pending users and devices awaiting detonation (if any).

Details regarding the IronKey World Map and Events Table on the Enterprise Dashboard:

» Security events, such as remote detonation of devices, are marked in red

» Important events, such as Admin activities, are marked in yellow

» Common user events are marked in green

» You can select which events to view in the map by clicking the + menu icon on the right

» Hovering over an event will bring up details on the event

» Clicking an item in the table will center and zoom in on the event in the map, displaying additional data on the event

» You can zoom on the map by clicking the +/- icons on the left or dragging the zoom sidebar

» You can move the geographic areas being viewed by dragging the map with your mouse

» Columns can be sorted by clicking the column title

» You can change the time period for events using the “View” dropdown menu

» You can download the list of events by clicking the “Download” icon

» You can change the number of items listed per page and which page you are viewing

» If there are pending users in your Enterprise Account, a list of their information and Activation Codes can be downloaded using the “Download List” button

Details regarding the IronKey Charts on the Enterprise Dashboard:

» IronKey Charts use the Adobe Flash Player. If Flash Player is not installed on your computer, you will see text-based versions of the charts.

» You can download the data in the chart by clicking the Download icon

» Each chart is interactive. Moving your mouse over the chart will bring up contextual data.

» Right-click the chart for additional options, including viewing a Full Screen version of the chart and printing the chart.

» Chart data can be updated approximately every five minutes.

NOTE: To change the default time zone from GMT, click “Account Settings” in the left sidebar. You can also change time and date formats.

GENERAL STATISTICS

This chart displays a number of important general statistics about your Enterprise Account, including:

» Total current users by status

» Total current users by role

» Total devices by status

» Total devices by capacity

DEVICES BY VERSION

This chart displays the devices in your Enterprise Account (vertical axis) by the software version they are running (horizontal axis). This allows you to determine how many devices are running an out-of-date version of the IronKey software.

ADMIN ACTIVITIES

This chart displays a timeline of important Admin activities, including Secure Device Recovery, Password Assistance, and Admin Approval. The vertical axis is the frequency of events, while the horizontal axis is the timeline.

DEVICE ACTIVITIES

This chart displays how long it has been since:

» A device’s password was last backed up

» The last recorded device activity

The vertical axis is the number of devices, while the horizontal axis is the number of weeks since

MANAGING USERS

Click “Manage Users” in the left sidebar to view your IronKey User List.

Details regarding the Manage Users page:

» You can change the list between current and all users via the “View” dropdown menu

» You can download the list of users by clicking the “Download” button

» To add a user, click the “Add” button

» To add a device to a user, select the checkbox in that user’s row and click the “Add Device” button (Note: Only System Admins can add devices to Admin users)

» To delete a user, select the checkbox in that user’s row and click the “Delete User” button (Note: Only System Admins can delete users)

» To find a user, enter a username or email address in the search box in the upper-right of the header, and click the search button. Suggested matches appear as you type. You can also click the options icon in the search box to include searching within comments fields or for deleted

User Profile Pages

Clicking a user will bring up the user’s profile page.

Details regarding the User Profile page:

» To edit a user, click the “Edit” button

» To delete the user, click the “Delete User” button (available for System Admins only)

» To add a device to a user, click the “Add Device” button

» You can download the list of that user’s service activities by clicking the “Download” button

MANAGING DEVICES

Click “Manage Devices” in the left sidebar to view your IronKey Device List.

Details regarding the Manage Devices page:

» You can change the list between current and all devices using the “View” dropdown menu

» You can download the list of devices by clicking the “Download” button

» To edit multiple devices at once, select the checkbox in the appropriate devices’ rows and click the “Edit” button

» To disable multiple devices at once, select the checkbox in the appropriate devices’ rows and click the “Disable Device” button (Note: You cannot disable the device you are currently using)

» To find a device, enter a device name or serial number in the search box in the upper-right of the header, and click the search button. Suggested matches appear as you type. You can also click the options icon in the search box to include searching within comments fields or for

Device Profile Pages

Click a device to view the device’s profile page.

Details regarding the Device Profile page:

» To disable/enable a device, click the “Disable” button

» To add comments for a device, click the “Edit” button in the Comments section

» You can download a list of that device’s service activities by clicking the “Download” button

» To view that device’s user in detail, click the user’s name

USING THE SILVER BULLET SERVICE

» To disable a device that has Silver Bullet enabled, click the “Disable” button

» To detonate a device that has Silver Bullet enabled, click the “Detonate” button.

» A confirmation will appear, after which the device will be pending detonation

» You can cancel a pending detonation by clicking the “Cancel Detonation” button

» When the device has detonated, you can review a Silver Bullet Report on the device profile

USING PASSWORD ASSISTANCE

» To assist a user who has forgotten his device password, click the “Send Password to User” button. This button will only appear for users who have an email address and who have backed up their device password online.

» An email will automatically be sent to the user. In that email is a one-time URL that will take the user to a page that displays his password in a CAPTCHA. The user must click the link as soon as he gets the email, as the link expires in approximately 24 hours.

MANAGING POLICIES

Click “Manage Policies” in the left sidebar to view your IronKey Policies List.

Details regarding the Manage Policies page:

» You can change the list between current and all policies via the “View” dropdown menu

» You can add a new policy by clicking the “Add Policy” button

» You can download the list of policies by clicking the “Download” button

» Every time you create a new policy, a new ordinal policy number is automatically created

» Every time you modify a policy, a new version is created

» Service policy: During account setup, you can specify whether devices automatically lock after a specified period of inactivity (i.e. without keyboard or mouse activity).

• Whether to force lock the device if open files cannot be closed

• Whether users can configure these settings

• The idle time-out ranges from 5 to 180 minutes. A reminder appears 30 seconds before

Policy Profile Pages

Click a policy to view the policy’s profile page.

Details regarding the Policy Profile page:

» To view the description, default setting, value range, and supported device models and software versions for a policy, hover over the “?” help button that follows each policy item.

» To edit the policy, click the “Edit” button. You can then edit the items in-line.

» Some items are dependent on others. Review the IronKey Policies section earlier in this document for more information.

» While in edit mode, clicking the “Save Version” button will save the policy as a new version

» While in edit mode, clicking the “Save As New” button will save the policy as a new policy

» While in edit mode, clicking the “Cancel” button will not save any changes to the policy

» Editing the Policy Name will require the policy to be saved as a new policy

MANAGING LICENSES

Click “Manage Policies” in the left sidebar. Below the IronKey Policy list, you can view your IronKey Licenses list. Services must be enabled for the list to appear.

» You can view a list of enabled services, number of available seats, and number of total seats

» If you try to add a new user or device that exceeds the number of licensed seats, or if your license has expired, a message prompts you to update or renew your license

» You can update your IronKey licenses by emailing the text from Box 1 to IronKey Customer Service, pasting the new license information from the reply email in Box 2, and then clicking the “Enter” button

NOTE: To use Anti-Malware Service, you must open port 443 on your firewall to allow outbound communication from your server and devices to McAfee.

ENTERPRISE SUPPORT PAGE

A number of online support resources are available for you on the Enterprise Support page, including video tutorials and product documentation. It also contains information for contacting IronKey Technical Support, including your Account Number.

Using the Admin Tools

ACCESSING THE ADMIN TOOLS

Some additional administrative functionality is available onboard each approved, active Admin’s IronKey device. When you click the Admin Tools icon, the device will do a real-time check with your Enterprise Account to authenticate the Admin and ensure that the Admin is still authorized to use the Admin Tools. Revoked Admins, for example, will not be able to continue. You must be connected to the Internet to use the Admin Tools.

USING SECURE DEVICE RECOVERY

IronKey’s Secure Device Recovery allows Admins to unlock your organization’s IronKeys:

» Without knowing the user’s device password

» Without using a password database

» Without using a backdoor/redundant password

» With admin authentication (protection against stolen admin devices)

» With admin authorization (protection against rogue admins)

» With a proper audit-trail of the event

Step Description

1 Click the Admin Tools icon in the IronKey Control Panel. The device will perform real-time authentication and authorization.

2 Insert the device that you want to access into the computer’s USB port. Wait a few moments so the device can enumerate. Then click the “Refresh Device List” button. The device will search for the other IronKey.

3 You can either choose to unlock the user’s device or change that device’s password.

To unlock the device, click the “Unlock Device” button. A progress bar will appear and when the device is unlocked, Windows Explorer will auto-launch to that device’s secure volume.

To change the device’s password, enter in the new password for that device, confirm it, and click the “Change” button. A progress bar will appear and then a confirmation that the password has been reset successfully.

NOTE: Recovering a device that is not from your Enterprise Account, not yet activated, or not an IronKey Enterprise Secure Flash Drive is not possible. If an error appears, check if this is the issue.

PROMOTING A STANDARD USER TO BE AN ADMIN

A System Admin can modify user roles and permissions in the Admin Console. When a user is invited to be an Admin, or when a Standard user is promoted to become an Admin, an existing Admin must approve the process using Admin Approval.

Step Description

1 In the Admin Tools sidebar, click “Admin Approval.”

2 Click the “Check for Admins” button. This will perform an online check for users awaiting Admin Approval.

3 Check all devices that you approve for having administrative functionality. Then click the “Approve” button. A table of devices that are awaiting approval will be displayed.

4 The next time that user clicks the my.ironkey.com button in the IronKey Control Panel, he receives administrative privileges and has access to the Admin Console.

RECOMMISSIONING DEVICES

When employees leave the organization, their IronKeys can be recommissioned to new users using IronKey secure online services for Admin authentication and authorization.

Step Description

1 In the Admin Tools sidebar, click “Recommission Device.”

2 Insert the device that you want to recommission into the computer’s USB port. Wait a few moments so the device can enumerate. Then click the “Refresh Device List” button. The device will search for the other IronKey.

3 Click the “Recommission Device” button. A progress bar shows your progress throughout the recommissioning process. Selecting the “Also delete user from the system” checkbox will delete the user as well as the device. This feature is only available for System Admins.

NOTE: Recommissioning cannot be undone. All data on the device will be permanently lost.

Importing Authentication Credentials

IMPORTING RSA SECURID TOKENS

If enabled through your policy, your users’ IronKey devices can provide additional strong authentication capabilities by generating RSA SecurID one-time passwords. You must provide a .stdid file to your users for importing tokens.

Step Description

1 Open the RSA SecurID application. Click the icon in the IronKey Control Panel’s application list on your user’s device.

2 Import a .stdid file. This may be exported by your RSA server. For information on that procedure, see your RSA SecurID server documentation.

  1. Click the “Options” button.

  2. Click the “Add” button.

  3. Browse to the location of the .stdid file.

  4. A password might be required to unlock the file.

  The tokens will be added.

3 If you prefer, you can rename the tokens. Click the “Rename” button to create a name for the selected token.

4 In the Options window you can also delete tokens by clicking the “Delete” or “Delete All” button. Be careful when deleting tokens, as this operation cannot be undone.

IMPORTING A DIGITAL CERTIFICATE INTO THE IRONKEY

The IronKey Cryptochip includes a limited amount of extremely secure hardware storage space, which can be used for storing the private key associated with a digital certificate. This provides your users additional strong authentication capabilities. For example, you could store a self-signed certificate used for internal systems that will allow users to automatically log in when using the IronKey’s onboard Firefox web browser.

The import process uses IronKey’s PKCS#11 interface and requires Mozilla Firefox.

NOTE: Space for only one additional private key exists in the IronKey Cryptochip, though it will receive the benefits of the Cryptochip’s tamperproof hardware and self-destruct mechanisms.

Step Description

1 Open the onboard Firefox. Click the icon in the IronKey Control Panel’s application list on your user’s device.

2 Open Firefox’s Options menu to the Encryption tab.

  1. Click “Tools” in the menu bar.

  2. Click “Options.”

  3. Click the “Advanced” icon.

  4. Click the “Encryption” tab.

3 Click the “View Certificates” button. This opens the Firefox

4 IronKey’s certificate is available here. Now you can add your own. Click the “Import” button.

5 Browse to the PKCS#12-format certificate file and open it. You will be prompted for the location of the PKCS#12-format certificate file (file extension will be .p12 in UNIX/Linux, .pfx in Windows).

6 A window appears asking you to confirm where to store the certificate. Choose “IronKey PKCS#11”

7 Enter the password that was used to protect the certificate. If no password was used, simply leave the text field blank.

8 Your certificate is now stored securely in the IronKey Cryptochip and is available for use in the onboard Mozilla Firefox.

NOTE: When deleting certificates, you must restart Firefox for the action to take effect. You cannot delete the IronKey certificate that was pre-packaged with your device.

Administering the IronKey Anti-Malware Service

If purchased and enabled, your organization can protect its IronKeys from the latest malware threats with the IronKey Anti-Malware Service and IronKey Malware Scanner. See the User Guide for more information on how the IronKey Malware Scanner works. As an Admin, you will want to be familiar with how to interpret Malware Scanner reports.

INTERPRETING IRONKEY MALWARE SCANNER REPORTS

The IronKey Malware Scanner on each user’s device maintains detailed logging of important events, such as checking for updates, downloading updates, scanning for malware, and malware detections, as well as vital status information such as the version of the software and the signature file database being used. The location of this file is at:

F:\IronKey-System-Files\Reports\IKMalwareScanner_Report.txt

Where “F” is the IronKey’s Secure Files volume (where the user stores his data). Malware Scanner Reports are written in Apache Common Log format with tab-delimited data:

[ip address] [timestamp] [event] [status code] [data size or file count]

In the event of an infection, users are instructed to send the report to their administrator to diagnose and resolve the issue. Here are some details on interpreting important events:

EVENT DESCRIPTION

INFECTION: Infection events include

» The name of the malware

» The type of malware (e.g. virus, trojan, etc.)

» The location the malware was found

» The result of trying to repair or delete the infected file. Usually the file will be repaired or deleted, though in rare cases the file cannot be altered and is left on the device. The status in that case is “Unresolved”.

UPDATE

» The Malware Scanner will attempt to update before each scan. The most common failure is when the device cannot connect to the Internet.

» Some users may experience issues installing the update if they do not have enough space available on their IronKey. It is recommended that users allocate 135 MBs of space for the signature file database.
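A triage script for a report a user sends in, as an added example that is not IronKey code: it splits each line into the five tab-delimited columns named above, keeps damaged lines for manual review, and lists INFECTION events whose result is “Unresolved”. The sample lines are constructed, and the timestamp style and the layout of details inside the event column are assumptions the guide does not specify.

```python
"""Triage an IKMalwareScanner_Report.txt for an admin.

Added example, not IronKey code. It relies only on what the guide states:
five tab-delimited columns, INFECTION and UPDATE events, and the word
"Unresolved" for infections that could not be repaired or deleted.
"""
from datetime import datetime

COLUMNS = ("ip", "timestamp", "event", "status", "size_or_count")
CLF_TIME = "[%d/%b/%Y:%H:%M:%S %z]"  # assumption: Apache Common Log timestamp style


def _row(*cols):
    """Join columns with tabs, as the report format does."""
    return "\t".join(cols)


# Constructed sample lines; every value is illustrative, not real scanner output.
SAMPLE_REPORT = "\n".join([
    _row("127.0.0.1", "[14/Mar/2011:09:02:11 +0000]", "UPDATE", "200", "1048576"),
    _row("127.0.0.1", "[14/Mar/2011:09:03:41 +0000]",
         r"INFECTION EICAR-Test-File virus F:\tools\eicar.com Repaired", "200", "1"),
    _row("127.0.0.1", "[15/Mar/2011:17:19:58 +0000]", "UPDATE", "200", "2048"),
    _row("127.0.0.1", "[15/Mar/2011:17:20:05 +0000]",
         r"INFECTION Example.Trojan trojan F:\docs\invoice.exe Unresolved", "200", "1"),
    "line damaged in transit, no tabs",
])


def parse_report(text):
    """Split a report into records and rejected (line_number, text) pairs."""
    records, rejects = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        cols = [c.strip() for c in line.split("\t")]
        if len(cols) != len(COLUMNS):
            rejects.append((number, line))  # keep damaged lines for manual review
            continue
        record = dict(zip(COLUMNS, cols))
        # Assumption: the event column starts with the event name, details follow.
        name, _, detail = record["event"].partition(" ")
        record["event_name"], record["detail"] = name.upper(), detail
        try:
            record["when"] = datetime.strptime(record["timestamp"], CLF_TIME)
        except ValueError:
            record["when"] = None  # unparsed timestamps do not reject the line
        records.append(record)
    return records, rejects


def triage(records):
    """Summarise what an admin needs first: counts, infections, unresolved ones."""
    counts = {}
    for record in records:
        counts[record["event_name"]] = counts.get(record["event_name"], 0) + 1
    infections = [r for r in records if r["event_name"] == "INFECTION"]
    # "Unresolved" is the status the guide names; look in both candidate columns.
    unresolved = [r for r in infections
                  if "unresolved" in (r["detail"] + " " + r["status"]).lower()]
    # The guide does not say how a failed update is marked, so this is the last
    # logged UPDATE event, not proof that the signature database is current.
    update_times = [r["when"] for r in records
                    if r["event_name"] == "UPDATE" and r["when"]]
    return {
        "counts": counts,
        "infections": infections,
        "unresolved": unresolved,
        "last_update_event": max(update_times) if update_times else None,
    }


if __name__ == "__main__":
    parsed, damaged = parse_report(SAMPLE_REPORT)
    summary = triage(parsed)
    print("events:", summary["counts"])
    for item in summary["unresolved"]:
        print("UNRESOLVED:", item["timestamp"], item["detail"])
    print("last UPDATE event:", summary["last_update_event"])
    print("lines needing manual review:", damaged)
```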

Common Tasks

ADDING NEW USERS

Step Description

1 Access the Admin Console by clicking the my.ironkey.com icon in the IronKey Control Panel.

2 In the Manage Users page, click the “Add” button.

3 In the box that appears, enter in the user’s name (optional), email (optional), role, policy for the user’s device, and if you want the system to send the user an email with the information for setting up his IronKey device (requires an email address). Then click “Submit.”

• If a name is not provided, the system will default to an ordinal anonymous user naming scheme of User1, User2, User3, etc.

• If an email address is not supplied, then the Admin’s email address should be used for the one-time device activation.

• Only System Admins can add new Admins.

4 Information for setting up the user’s IronKey device is displayed on the screen, namely the Activation Code and email address that should be entered into an IronKey Enterprise Secure Flash Drive. The new user is now a part of your IronKey Enterprise Account and will be in a pending status until he activates his IronKey device.

ACTIVATING DEVICES FOR A USER

When you plug a new IronKey Enterprise Secure Flash Drive into your computer, it prompts you for an email address and an Activation Code. An Internet connection is required.

Step Description

1 Plug a new IronKey Enterprise Secure Flash Drive into your computer’s USB port.

Your IronKey must be activated on a Windows (2000, XP, or Vista) or Mac computer. To use the full speed of the IronKey, plug it into a USB 2.0 port.

2 The “Activate Your IronKey”

screen appears. The IronKey autoruns as a virtual CD-ROM.

• Windows: This screen might not appear if your computer does not allow devices to autorun. You can start it manually by double-clicking the IronKey Unlocker drive in “My Computer” and

double-clicking the “IronKey.exe” file.

• Mac: Double-click the IronKey drive on your

desktop, and double-click the “IronKey” file.

NOTE: You can install the IronKey Auto-Launch

Assistant, which automatically opens the IronKey Unlocker when you plug in an IronKey. See “Preferences” in IronKey Control Panel Settings. (Mac only)


3 Retrieve the email with your Activation Code. Copy and paste it into the IronKey window. Click “Continue” when you are ready.

The information presented to you when you added the user in the Admin Console (and emailed to the user, if that checkbox was selected) is needed here.

• If you did not provide an email address for your user, you must enter your email address. This is used for authentication purposes and is not associated with the user after activation.

• If your IronKey cannot connect to the Internet, click “Edit Proxy Settings” to adjust its network settings.

4 At this point, the device is ready to be initialized with a password and continue the setup process.

You can either continue with initialization, or hand the device to the user for him to complete the setup process.

ADDING NEW ADMINS

Step Description

1 Add the new user and set the role to be an administrative role. This process can only be performed by a System Admin.

2 An email will go out to the user (optional) with his setup information.

3 The user activates a new IronKey Enterprise Secure Flash Drive.

4 Once activated, the device must be approved by an Admin before it can access the Admin Console.

An email will be sent to the inviting System Admin as a reminder to perform the Admin Approval.

5 The next time the new Admin clicks the my.ironkey.com icon in his IronKey Control Panel, he will receive administrative privileges.

ADDING NEW DEVICES TO USERS

When you add a user, a device will automatically be added to t
