SecureDoc v7.2 Release Notes

Support for Public and Private Cloud Providers

SecureDoc CloudVM solution allows you to protect data in public, private and/or hybrid Clouds. SecureDoc offers a common and unified encryption strategy across any endpoint and now SecureDoc CloudVM extends that protection into virtualized or Cloud IaaS environment. By providing a common platform for all the endpoints and Cloud encryption needs, SecureDoc CloudVM increases security, ensures encryption compliance, reduces complexity within your organization. SecureDoc CloudVM ensures that encryption & intelligent key management plus key control / ownership remain all the time within the full and exclusive control of your organization.

Ability to create SecureDoc Installation Packages for Windows client devices from SESWeb

Now, SES administrators can configure profile, installation / deployment settings, and create download installation package for Windows client devices from SES Web console for cloud deployment without relying on the Windows SES console.

Note: Since the installation packages created from the SES Web are only for cloud deployment, a few profile options are restricted for Windows client OS.
Note: When an installation package is created all the required y-mode and other settings will automatically be applied For more information on how to create installation packages from SESWeb, refer to the “Creating Installation Package Settings in SESWEb” section in the SecureDoc CloudVM Quick Deployment Guide.

SD-15137

SD-16524

Ability to import cloud instances (from Amazon Web Services and Microsoft Azure) and view their compliance status

The SES CloudVM administrator can import all VMs from public cloud providers (Amazon Web Services, Microsoft Azure) for management and also view all cloud instances - from a single pane of glass - with positive identification of which VMs are secured (SecureDoc installed on them). The Service Settings (under the Configuration option in the left navigation menu) page in SES Web allows SES Web administrators to input the configuration data (such as Subscription ID, Client ID, Access Key ID, etc.) for importing the cloud devices. The imported cloud instances can be viewed in the Cloud Devices tab in SESWeb. For more information on how to import cloud instances from the Cloud Providers, refer to the “Importing Cloud Devices from Cloud Providers” and “Viewing Imported Devices and their Compliance” section in the SecureDoc CloudVM Quick Deployment Guide.

Ability for periodic/incremental sync of cloud devices

SecureDoc CloudVM has the capability to seamlessly sync cloud devices from the private and public cloud providers (AWS and Azure) at a desired interval. A “Sync interval” configuration option allows SES administrators to set the sync interval value (in hours) to update the cloud devices.

Option to choose a cloud-specific pre-boot environment

SES administrators have an option to configure the customized pre-boot environment. You can choose the PBLx64 option for Windows Servers or the Root Folder option for Windows Client Devices. This configuration option is available in the installation package settings (Installation Profile -> General ->CloudBootPath ). For more information on how to configure the cloud boot path, refer to the “Configuring Installation Package Settings in SESWeb” section in the SecureDoc CloudVM Quick Deployment Guide.

SD-14991

SD-16749

Support for Auto-scaling (Amazon Web Services & Microsoft Azure)

SecureDoc CloudVM extends support for Amazon Web Services (AWS) Auto-scaling functionality. Using SecureDoc CloudVM, IT administrators can automatically increase / decrease the number of Virtual Machines (while keeping them encrypted) and use them instantly during the Auto-scaling process. The child cloud instances will be registered in SES and will be displayed in the Devices tab in SESWeb.

For more information on setting up Auto-Scaling, refer to the “Setting up Auto-Scaling for Amazon Web Services” and “Scaling Virtual Machine Scale Set (VMSS) in Azure” sections in the SecureDoc CloudVM Quick Deployment Guide.

Ability to crypto-erase a cloud device (Secure Delete)

The SES administrators can shut down a registered cloud device using SESWeb crypto-erase functionality. Since crypto-erase wipes all vestiges of the key file(s) and the SecureDoc components necessary for authentication, the device cannot be accessed.

Note: At this phase, the SESWeb crypto-erase functionality does not delete a cloud device (move it to the recycle bin) and the license key will not be released. Also, SES administrators can only shut down, but cannot terminate a cloud device using crypto-erase functionality.

For more information on how to crypto-erase a device, refer to the “Deleting a Cloud Device (Secure Delete)” section in the SecureDoc CloudVM Quick Deployment Guide.

Support for High Availability (HA) for private and public cloud providers (AWS, Azure, Xen and Hyper-V)

SecureDoc CloudVM supports the High Availability deployment for the High Availability Virtual Machines (VMs). These VMs will remain encrypted and functional ever after failures so that the IT administrators can securely ensure an agreed level of operational performance.

Support for live migration of the encrypted Virtual Machines on private clouds (Xen and Hyper-V)

SecureDoc CloudVM offers support for the live migration of virtual machines. The encrypted virtual machines can be transitioned between different physical machines keeping the encryption options intact.

SecureDoc CloudVM does not support Generation 2 (UEFI) Virtual Machines

Limitation:
The SecureDoc pre-boot functionality does not work on the Generation 2 with UEFI virtual machines. Therefore, these Generation 2 VMs cannot be encrypted using SecureDoc CloudVM.

Work-around:
None - Do not use this version of SecureDoc CloudVM to encrypt Generation 2 UEFI virtual machines.

Users’ Key File are sent down to a device when manually assigning users to device(s)

Limitation:
When a user is manually assigned to a device in SES Web, the users’ key file is sent down to the device, even if the option “Prevent key file from being stored on device during deployment” option was enabled in SESWeb.

Clarification:
This option prevents key files from being added to the machine ONLY during initial deployment of the machine – it does not prevent key files from subsequently being sent to the machine. For security purposes, the ideal scenario is to have CloudVM machines to only boot through PBConnex-brokered Auto-Boot, such that they must reach out to the SDConnex Server in order to receive a key file dynamically over the network.

The use of local key files should be avoided, as it constitutes a reduced level of security when considered in the Cloud context.

Work-around:
None - As a recommended best-practice, do not add users or user-level Key Files to CloudVM client devices.

Microsoft Windows Server 2012 vSphere with EFI displays black screen after the pre-boot install

Limitation:
SecureDoc installation packages created and deployed from SESWeb do not support Windows VSphere UEFI-based servers.

Work-around:
None - Do not install this version of SecureDoc CloudVM client encryption on Windows Server 2012 UEFI devices hosted inside vSphere.

Mobile Device Management–related services are NOT supported in SESWEb

Limitation:
The Mobile Device Management (MDM)-related services (e.g. Reports) have been removed from SESWeb. SESWeb administrators can no longer configure the MDM-related services using SESWeb.

Work-around:
None

Devices still auto-boot into Windows when moved (using SES Console) from a "PBN Autoboot Enabled" policy folder to a "No PBN Autoboot Enabled" folder that has no policy linked

Limitation:
This issue occurs when moving an "auto-boot enabled" folder using SES Console. When a device is moved from a folder that is linked with "Enable PBNAutoboot" policy option to a folder that has the “Enable PBNAutoboot” option disabled, the moved devices still auto-boot into Windows.

Work-around:

1. Perform folder movement only from SESWeb if you have assigned policies.
2. If you are managing devices using SES Console, use the PBN group property to give PBN Auto-Boot permissions.

Azure Running instances reported as “ReadyRole”

Limitation:
Please be advised that SecureDoc CloudVM extends only limited support for Azure Classic VMs. When Azure Classic VMs are synced into SES Web, their instance state will be reported as “ReadyRole” instead of “Running”.

Work-around:
None - ReadyRole” actually means the same as a status of “Running” for other devices. This is because the Classic instances, unlike the RM instances, have a different system state label.

SecureDoc CloudVM: Duplicate names are created in SES when moving an Organizational Unit (OU) to a different parent Organizational Unit

Limitation:
SecureDoc CloudVM does not support moving of parent folders between two different Organizational Units (OU’s) in the Active Directory. If any parent folder is moved from one OU to a different OU, then duplicate OU names are created in the SecureDoc Enterprise Sever (SES).

Work-around:
None - Users should avoid the movement of parent folders between Organization units, if at all possible.

Installation packages cannot be created and prepared in an environment where SES Console and SDConnex are installed on physically separate instances (VM’s or real hardware)

Limitation:
The SecureDoc installation package creation fails if SES administrators use a different server to host SDConnex than the one that hosts SESWeb’s IIS Service (i.e. SDConnex is configured on a different server using the key file and Database from the other server) for creation of web installer packages.

Work-around:
None - Users are recommended to ensure that the SES Web (IIS) Server also has been installed with SDConnex and the SES Console (which can be in a non-used state, but it brings to the server the Installer executables required for creating installation packages within SESWeb).
In case of multiple SDConnex setups for the SecureDoc CloudVM product to function, make sure that there is at least one SDConnex instance running on the server where SES CloudVM is installed.

Encryption progress bar is NOT displayed on some Azure RM Virtual Machines with Standard A1 & A0 size

Limitation:
When a SESWeb package is created and deployed with the "Hide Encryption Progress from User" option set to NO, the encryption progress bar is not visible after the device restart.

Work-around:
None - Users are advised to expect (in this version) that they may in some circumstances not see the Encryption Progress panel on Azure RM Virtual machines with Standard A1 and A0 sizes, even if the installation package was configured to display it.

Microsoft Azure Classic VMs are not removed to Recycle Bin upon termination from Azuremanagement console

Limitation:
When the Azure Classic VMs are terminated from the Azure management GUI, they are still visible on the Devices tab in SESWeb, and are not moved to the Recycle Bin. Further, the SecureDoc CloudVM license count remains unaffected.

Work-around:
None - If it is confirmed that an Azure Classic VM has been terminated, the SES Administrator should manually delete that VM, sending it to the Recycle Bin.

The added disk / volume is automatically encrypted with the "Thorough" instead of "Standard" encrypting mode

Limitation:
When a SESWeb package is created and deployed with both the "Encrypt All Disks", "Data Only (Faster)" and the "No Recovery" options enabled, then when a second (or subsequent) hard disk is added to the device, that disk is encrypted using a different encryption mode (it will be encrypted using “Thorough" mode).

Work-around:
None - Users should expect that initial encryption of disk drives added to an existing, previously encrypted Cloud Server will be performed using thorough-mode, with attendant additional time required to complete that initial encryption (compared to standard-mode).

Microsoft Azure Scale Set VMs are not detected in the Cloud Devices tab in SESWeb

Limitation:
Azure Scale Set VM’s (VMSS) cannot be imported. The cloned Azure (RM) VMs are not visible in the Cloud Devices tab in SESWeb.

Work-around:
None - In this version of SES, Azure Scale Set Virtual machines will not appear in the Cloud Devices tab in SESWeb, and therefore the termination of these scaled instances will not be possible.

Child Virtual Machines fail registration if the parent machine is permanently deleted from SES

Limitation:
If a parent virtual machine is permanently removed from SecureDoc Enterprise Sever, then the child virtual machines fail registration.

Work-around:
None - The parent virtual devices should either be active or present in the Recycle Bin.

Administrators cannot modify/assign the profiles for the devices registered using SESWeb package

Limitation:
The deployed installation packages (which contains the profile options) created using the SESWeb cannot be modified.

Work-around:
NA

Self-Help warning messages are prompted when deploying SecureDoc package from SESWeb

Limitation:
Self-Help warning messages, such as “Self-Help questions must be answered before continuing” and “Self-Help recover is not available for this user. Please contact your administrator” are prompted after users log into SecureDoc Control Center (SDCC).

Work-around:
None - At this stage, if a different profile behavior is required for a given device, the device should be decrypted, SecureDoc should be uninstalled, a new profile/package deployed to the device and the device re-encrypted.

The remote command “Lock Device” does NOT work

Limitation:
The client devices fail to lock when SES administrators attempt to lock a selected client device by sending a remote “Lock Device” command from SESWeb, the device fails to lock.

Work-around:
None - In this version, if it is desired to lock the device, Administrators are recommended to seize control of the device’s desktop remotely, and then send it to screen lock.

Microsoft Azure RM Instances cannot be encrypted using "Initial Conversion - Thorough" mode option

Limitation:
Using the 'Initial conversion Thorough' mode for all disk encryption in Microsoft Azure RM VMs does NOT completely encrypt the VM even after a significant amount of time.

Work-around:
None - For Azure RM devices, it is recommended to use Standard Mode option.

BitLocker encryption for Azure RM cloud instances does not support “Full Encryption”

Limitation:
When a SecureDoc CloudVM package is created and deployed with BitLocker Conversion option “Full Encryption” enabled in the SES Console, then device encryption fails.
BitLocker drive encryption only supports “Used Space Only” encryption.

Work-around:
If using BitLocker drive encryption, ensure that the option to encrypt “Used Space Only” is selected. This may require a specific profile and installation package combination for these Cloud-hosted device types.

The “Prevent KF from being saved locally on machine at deployment” option does NOT prevent certain KF push operations

Limitation:
When the “Prevent KF from being saved locally on machine at deployment” option in the SESWeb installation package settings is set to Yes, still the key files will be pushed down to:

• Users assigned to a package
• Windows accounts, if enabled
• Users assigned to a folder where a device is moved

Work-around:
It is strongly recommended not to enable this option. If you want to push a key file to a device, manually push them by assigning user to a device.

Note: This issue has similarities to the earlier issue: SD-17067 Users’ Key File are sent down to a device when manually assigning users to device(s), and the same best practice recommendation applies to reduce or eliminate other User Key Files if possible for Cloud-hosted Virtual Machines, if possible.

Virtual Machines (XEN/Hyper-V) running Windows client-based 7, 8.1 and 10 Operating Systems (OS) are NOT supported in the legacy (PBU) mode

Limitation:
When a SecureDoc CloudVM package is created with the Native UEFI pre-boot environment boot loader option in the Boot Configuration Settings and deployed it to the client-based Virtual Machines that are running Windows 7, 8.1 or 10 Operating System, a blue screen is displayed and the users won’t be able to log into Windows.

Work-around:
None - Users are cautioned to avoid any attempt to encrypt Xen/Hyper-V Windows 7, 8.1 and 10 virtual Client devices until this limitation is removed in a future version.

New clones cannot be created from the crypto-erased parent machines

Limitation:
If a Master virtual machine is crypto-erased, the new child instances using that master image will also be crypto-erased.

Work-around:
Do not crypto-erase a parent virtual machine if you want to create new clones from its image.

The newly added hard-drives are not encrypted even though the “Encrypt all disk” option is selected

Limitation:
When a new hard-disk is added to an already encrypted client device, SecureDoc fails to start encrypting this disk.

Work-around:
None - Users are advised to send an Admin-level Key File to the device, log into the SecureDoc Client Control Center using that Key File and manually initiate encryption of the newly-added disk. Recommended that once this has completed, the additional Key File should be removed from the Virtual Client.

Azure Auto-Scaling cannot be correctly executed if a parent Virtual Machine is destroyed in the process on VMSS creation

Limitation:
During the VMSS creation, a parent VM is automatically moved to Recycle Bin during the sync process. If an administrator accidentally deletes this parent VM, the auto-scaling instances fail to register.

Work-around:

1. Create a Parent image.
2. Copy the image to a new storage account before creating the VMSS in the newly created storage account.

When cloud instances are auto-Scaled up/down within 3-hour interval, the terminated cloud instances are not moved to Recycle Bin

Limitation:
When the cloud instances are auto-scaled up and then down within a span of 3-hour period, the auto-scaled down (terminated) devices do not get moved from the Devices tab to Recycle Bin. Since these devices still exist in the Devices tab, their licenses are not freed up.

Work-around:
Manually move the terminated (auto-scaled down) devices to Recycle Bin to free up the licenses consumed by these terminated auto-scale devices.

The partial encryption option is not available on SESWeb

Limitation:
SESWeb does NOT support partial encryption. The "Encrypt partition only option" has been removed from SESWEb. SecureDoc CloudVM installation packages cannot be created with the “encrypt partition only” option.

Work-around:
None

SESWeb does NOT support Windows accounts feature for the CloudVM package deployment

Limitation:
Windows Account feature has been disabled in SESWeb. When a SecureDoc CloudVM package is created and deployed with the “Prevent key file from being stored on device during deployment” option is set to “Yes” and if the administrator has enabled the Windows account feature, then the key file will be sent down to that device.

Work-around:
If Windows Accounts are required, use the SES console to add the necessary additional Users to the device, after which those key files will be transmitted to the device during the next communication with the device.

Note: As a security “best practice”, normally it is desirable to limit the use of local key files on Cloud-hosted Virtual Machines.

Recovery information may not be available for BitLocker encrypted disks on VSphere Private CloudVMs

Limitation:
When a SecureDoc CloudVM package is created and deployed on vSphere Private CloudVMs from SESWeb with the BitLocker encryption option enabled, the encrypted drive is not populated in the Associated Disks group box in the Edit Device Information window in the SES Console.

Work-around:
Use SecureDoc encryption for VSphere Private CloudVMs instead of BitLocker until this limitation is removed in a future version.

Disable the “Password Sync” functionality while enabling the “Prevent key file from being stored on device during deployment” option for Active Directory (AD) users

Limitation:
While creating and deploying SecureDoc CluodVM package with ADSync configured, if the “Password Sync” functionality in the SES Console is not disabled, then the client registration fails.

Work-around:
None - Users should ensure that the Password Sync functionality in the SES Console is disabled if the “Prevent key file from being stored on device during deployment” option is enabled.

Error message "Please contact WinMagic Technical Support (0x6210)" is displayed when logging into boot logon after the recovery from emergency disk created on SES

Limitation:
The boot log on recovery option with emergency disk does not work with SecureDoc CloudVM Preboot (PBLx64). Administrators can use WinPE and emergency disk to recover the files, but cannot use it to recover pre-boot.

Work-around:
None