This document contains the release notes for SecureDoc CloudVM v7.2.
System Requirements
System requirements and supported devices, including tokens and SmartCards, for SecureDoc v7.2 are listed here.
Note: It is strongly recommended to install the Full-Text Indexing feature (Full-Text Search) into the Database Engine before performing an SES installation. More information can be found here: msdn.microsoft.com/en-us/library/ms143786(v=sql.100).ASPX
If Full-Text Indexing has not been installed, a message indicating its absence will appear during the installation of SES. This message does not allow the user to stop the installation of SES, so Full-Text Indexing will then have to be retrofitted into the existing SQL Server.
Note: Use of the SES Console will require the user to have at least local admin rights on the server or client device (e.g. Admin desktop) on which it runs, in order for the console to function properly.
Important Note
The primary intent of this version of SecureDoc Enterprise Server is to provide the “early adopter” customers with new functionality that will permit the installation and management of SecureDoc on Cloud-hosted servers.
WinMagic’s recommendation is that this version be installed as a separate SES instance (with a separate database), specifically defined to handle and manage Cloud-hosted servers to be encrypted using SecureDoc.
Upgrade Instructions
- IMPORTANT: Customers currently running a “live” implementation of SecureDoc Enterprise Server should not upgrade their existing SES to this edition (whose focus is primarily on providing an early CloudVM-enabled management environment). Instead, they should install this edition on a separate Server, using a separate Database name.
- The use of the existing SES Server database’s Administrator Key File is recommended, so that the two databases are encrypted using the same Encryption Key, which may simplify merging information from the two environments into a single environment in a future version.
- This version of SecureDoc cannot be upgraded from the SecureDoc 7.1 SR2a version.
- This version of SecureDoc does NOT support client upgrades from previous versions (7.1 or earlier) of SecureDoc (although it can manage those client devices). However, previous versions of SecureDoc Enterprise Server (SES) can be upgraded to this current version (within the upgrade path mentioned above). The newly upgraded servers can communicate with the old client devices.
- This version of SecureDoc supports Windows Servers up to 2012R2 only.
- This version of SecureDoc is NOT tested on Apple Mac devices, so users are advised not to use this version to deploy installation packages to new Apple Mac devices.
New Features and Improvements
Reference | Description |
---|---|
SD-15136 | Support for Public and Private Cloud Providers: The SecureDoc CloudVM solution allows you to protect data in public, private and/or hybrid Clouds. SecureDoc offers a common and unified encryption strategy across any endpoint, and SecureDoc CloudVM now extends that protection into virtualized or Cloud IaaS environments. By providing a common platform for all endpoint and Cloud encryption needs, SecureDoc CloudVM increases security, ensures encryption compliance, and reduces complexity within your organization. SecureDoc CloudVM ensures that encryption and intelligent key management, plus key control / ownership, remain at all times within the full and exclusive control of your organization. |
SD-16863 | Ability to create SecureDoc Installation Packages for Windows client devices from SESWeb: SES administrators can now configure profile and installation / deployment settings, and create a download installation package for Windows client devices, from the SES Web console for cloud deployment, without relying on the Windows SES console. |
SD-15137 SD-16524 | Ability to import cloud instances (from Amazon Web Services and Microsoft Azure) and view their compliance status: The SES CloudVM administrator can import all VMs from public cloud providers (Amazon Web Services, Microsoft Azure) for management and also view all cloud instances, from a single pane of glass, with positive identification of which VMs are secured (SecureDoc installed on them). The Service Settings page in SES Web (under the Configuration option in the left navigation menu) allows SES Web administrators to input the configuration data (such as Subscription ID, Client ID, Access Key ID, etc.) for importing the cloud devices. The imported cloud instances can be viewed in the Cloud Devices tab in SESWeb. For more information on how to import cloud instances from the Cloud Providers, refer to the “Importing Cloud Devices from Cloud Providers” and “Viewing Imported Devices and their Compliance” sections in the SecureDoc CloudVM Quick Deployment Guide. |
SD-15662 | Ability for periodic/incremental sync of cloud devices: SecureDoc CloudVM has the capability to seamlessly sync cloud devices from the private and public cloud providers (AWS and Azure) at a desired interval. A “Sync interval” configuration option allows SES administrators to set the sync interval value (in hours) to update the cloud devices. |
SD-15160 | Option to choose a cloud-specific pre-boot environment: SES administrators have an option to configure a customized pre-boot environment. You can choose the PBLx64 option for Windows Servers or the Root Folder option for Windows Client Devices. This configuration option is available in the installation package settings (Installation Profile -> General -> CloudBootPath). For more information on how to configure the cloud boot path, refer to the “Configuring Installation Package Settings in SESWeb” section in the SecureDoc CloudVM Quick Deployment Guide. |
SD-14991 SD-16749 | Support for Auto-scaling (Amazon Web Services & Microsoft Azure): SecureDoc CloudVM extends support for Amazon Web Services (AWS) Auto-scaling functionality. Using SecureDoc CloudVM, IT administrators can automatically increase / decrease the number of Virtual Machines (while keeping them encrypted) and use them instantly during the Auto-scaling process. The child cloud instances will be registered in SES and will be displayed in the Devices tab in SESWeb. For more information on setting up Auto-Scaling, refer to the “Setting up Auto-Scaling for Amazon Web Services” and “Scaling Virtual Machine Scale Set (VMSS) in Azure” sections in the SecureDoc CloudVM Quick Deployment Guide. |
SD-15347 | Ability to crypto-erase a cloud device (Secure Delete): The SES administrators can shut down a registered cloud device using SESWeb crypto-erase functionality. Since crypto-erase wipes all vestiges of the key file(s) and the SecureDoc components necessary for authentication, the device cannot be accessed. For more information on how to crypto-erase a device, refer to the “Deleting a Cloud Device (Secure Delete)” section in the SecureDoc CloudVM Quick Deployment Guide. |
SD-15348 | Support for High Availability (HA) for private and public cloud providers (AWS, Azure, Xen and Hyper-V): SecureDoc CloudVM supports High Availability deployment for High Availability Virtual Machines (VMs). These VMs will remain encrypted and functional even after failures, so that IT administrators can securely ensure an agreed level of operational performance. |
SD-15349 | Support for live migration of the encrypted Virtual Machines on private clouds (Xen and Hyper-V): SecureDoc CloudVM offers support for the live migration of virtual machines. The encrypted virtual machines can be transitioned between different physical machines keeping the encryption options intact. |
Known Limitations
Note: For the Known Limitations other than the ones mentioned below, refer to the “Known Limitations” section in the SecureDoc Release Notes v7.1 SR1.
Reference | Description |
---|---|
SD-15253 | SecureDoc CloudVM does not support Generation 2 (UEFI) Virtual Machines Limitation: Work-around: |
SD-17067 | Users’ Key Files are sent down to a device when manually assigning users to device(s) Limitation: Clarification: The use of local key files should be avoided, as it constitutes a reduced level of security when considered in the Cloud context. Work-around: |
SD-17217 | Microsoft Windows Server 2012 vSphere with EFI displays black screen after the pre-boot install Limitation: Work-around: |
SD-17264 SD-17403 | Mobile Device Management–related services are NOT supported in SESWeb Limitation: Work-around: |
SD-17308 | Devices still auto-boot into Windows when moved (using SES Console) from a "PBN Autoboot Enabled" policy folder to a "No PBN Autoboot Enabled" folder that has no policy linked Limitation: Work-around: |
SD-17341 | Azure Running instances reported as “ReadyRole” Limitation: Work-around: |
SD-17381 | SecureDoc CloudVM: Duplicate names are created in SES when moving an Organizational Unit (OU) to a different parent Organizational Unit Limitation: Work-around: |
SD-17352 | Installation packages cannot be created and prepared in an environment where SES Console and SDConnex are installed on physically separate instances (VMs or real hardware) Limitation: Work-around: |
SD-17545 | Encryption progress bar is NOT displayed on some Azure RM Virtual Machines with Standard A1 & A0 size Limitation: Work-around: |
SD-17572 | Microsoft Azure Classic VMs are not removed to Recycle Bin upon termination from Azure management console Limitation: Work-around: |
SD-17581 | The added disk / volume is automatically encrypted with the "Thorough" instead of "Standard" encrypting mode Limitation: Work-around: |
SD-17595 | Microsoft Azure Scale Set VMs are not detected in the Cloud Devices tab in SESWeb Limitation: Work-around: |
SD-17658 | Child Virtual Machines fail registration if the parent machine is permanently deleted from SES Limitation: Work-around: |
SD-17670 | Administrators cannot modify/assign the profiles for the devices registered using SESWeb package Limitation: Work-around: |
SD-17535 | Self-Help warning messages are prompted when deploying SecureDoc package from SESWeb Limitation: Work-around: |
SD-17602 | The remote command “Lock Device” does NOT work Limitation: Work-around: |
SD-17642 | Microsoft Azure RM Instances cannot be encrypted using "Initial Conversion - Thorough" mode option Limitation: Work-around: |
SD-17639 | BitLocker encryption for Azure RM cloud instances does not support “Full Encryption” Limitation: Work-around: |
SD-17746 | The “Prevent KF from being saved locally on machine at deployment” option does NOT prevent certain KF push operations Limitation: Work-around: |
SD-17815 | Virtual Machines (XEN/Hyper-V) running Windows client-based 7, 8.1 and 10 Operating Systems (OS) are NOT supported in the legacy (PBU) mode Limitation: Work-around: |
SD-17908 | New clones cannot be created from the crypto-erased parent machines Limitation: Work-around: |
SD-17663 | The newly added hard-drives are not encrypted even though the “Encrypt all disk” option is selected Limitation: Work-around: |
SD-17922 | Azure Auto-Scaling cannot be correctly executed if a parent Virtual Machine is destroyed in the process of VMSS creation Limitation: Work-around: |
SD-17929 | When cloud instances are auto-scaled up/down within a 3-hour interval, the terminated cloud instances are not moved to Recycle Bin Limitation: Work-around: |
SD-18049 | The partial encryption option is not available on SESWeb Limitation: Work-around: |
SD-17772 | SESWeb does NOT support Windows accounts feature for the CloudVM package deployment Limitation: Work-around: |
SD-18078 | Recovery information may not be available for BitLocker encrypted disks on vSphere Private CloudVMs Limitation: Work-around: |
SD-18093 | Disable the “Password Sync” functionality while enabling the “Prevent key file from being stored on device during deployment” option for Active Directory (AD) users Limitation: Work-around: |
SD-18103 | Error message "Please contact WinMagic Technical Support (0x6210)" is displayed when logging into boot logon after the recovery from emergency disk created on SES Limitation: Work-around: |

Please note that WinMagic is deprecating SecureDoc V4 Pre-Boot Authentication (PBA) support for SEDs in favor of the fuller-function, more capable V5 Pre-Boot Linux (PBL). The existing V4 support for SEDs will remain in the product for the time being but will not be maintained or enhanced. We recommend that customers migrate to V5 PBL over the course of the next year.