SecureDoc v6.1 Release Notes


New Features

SES Web Console and Mobile Device Management (MDM)

SecureDoc v6.1 now includes the SES web console, a web-based interface for SecureDoc Enterprise Server. The SES web console supports the daily administration features provided by the SecureDoc Enterprise Server, including user management, device management and recovery, pre-boot networking, and report management. It also includes a Mobile Device Management (MDM) server component; this component allows an enterprise to manage the deployment of Android® and iOS® devices and also to ensure that the appropriate security and password policies are enforced on these devices.

UEFI and Windows 8 support

SecureDoc v6.1 offers limited support for UEFI. Although UEFI is a common standard, each hardware vendor adds their own proprietary changes to the pre-boot environment. Therefore WinMagic cannot guarantee that SecureDoc works with every vendor device shipping with UEFI until that device has been tested and certified by WinMagic.

UEFI is supported on the specific Lenovo laptops listed below. These laptops have been tested and certified with Lenovo.

  • Lenovo ThinkPad T430: BIOS version G1ET71WW(2.07)
  • Lenovo ThinkPad T430s: BIOS version G7ET60WW(2.02)
  • Lenovo ThinkPad T530: BIOS version G4ET63WW(2.05)
  • Lenovo ThinkPad W530: BIOS version G5ET61WW(2.03)
  • Lenovo ThinkPad X230: BIOS version G2ET83WW(2.03)
  • Lenovo ThinkPad X230t: BIOS version GCET62WW(2.02)
  • Lenovo ThinkPad X1 Carbon

WinMagic will continue to test additional vendor devices; tested and certified devices will be added to the compatibility matrix: www.winmagic.com/device-compatibility

In the meantime, SecureDoc v6.1 supports Windows 8 in two separate ways:

  • For Lenovo laptops with WinMagic tested/certified UEFI, SecureDoc v6.1 supports unaltered pre-boot into Windows 8;
  • For all other devices, UEFI must be set to BIOS Compatibility Mode in order to support Windows 8.

It is also important to note that UEFI imposes several limitations on the SecureDoc 6.1 pre-boot environment. The following features may not work:

  • PBConnex (our pre-boot network-based authentication method);
  • Intel Anti-Theft authentication;
  • Multi-factor authentication (Fingerprint, Token or SmartCard authentication);
  • Password hint;
  • Non-English keyboard layouts.
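
A pre-deployment check built from the certified list and the UEFI limitations above, as an added example that is not part of the WinMagic release notes. The inventory schema, feature labels, action names and sample rows are assumptions constructed for illustration, and the check assumes certification applies only to the BIOS version listed for each model.

```python
import csv
import io

# Certified UEFI models and BIOS versions, copied from the list above.
# None means the notes list no BIOS version for that model.
CERTIFIED_UEFI = {
    "ThinkPad T430": "G1ET71WW(2.07)", "ThinkPad T430s": "G7ET60WW(2.02)",
    "ThinkPad T530": "G4ET63WW(2.05)", "ThinkPad W530": "G5ET61WW(2.03)",
    "ThinkPad X230": "G2ET83WW(2.03)", "ThinkPad X230t": "GCET62WW(2.02)",
    "ThinkPad X1 Carbon": None,
}
# Hypothetical labels for the features the notes say may not work under UEFI.
UEFI_LIMITED = {"pbconnex", "intel-at", "multi-factor", "password-hint",
                "non-english-keyboard"}

def assess(row):
    """Return (action, warnings) for one inventory row (hypothetical schema)."""
    model = row["model"].replace("Lenovo ", "").strip()
    bios = row["bios"].replace(" ", "")
    features = {f for f in row["features"].split(";") if f}
    if row["boot_mode"].lower() != "uefi":
        return "ok-legacy-bios", []           # UEFI limitations do not apply
    if model not in CERTIFIED_UEFI:
        return "set-bios-compatibility-mode", []
    warnings = []
    expected = CERTIFIED_UEFI[model]
    if expected is not None and bios != expected:
        warnings.append(f"BIOS {bios} differs from certified {expected}")
    blocked = sorted(features & UEFI_LIMITED)
    if blocked:
        warnings.append("may not work under UEFI: " + ", ".join(blocked))
    return "uefi-native", warnings

# Constructed sample inventory (BIOS strings for rows 2-5 are made up).
SAMPLE = """model,bios,boot_mode,features
Lenovo ThinkPad T430,G1ET71WW (2.07),UEFI,pbconnex;password-hint
Lenovo ThinkPad X230,G2ET00WW(0.00),UEFI,
Dell E6410,X00,UEFI,multi-factor
Lenovo ThinkPad X1 Carbon,XXET00WW(0.00),UEFI,
HP EliteBook 8460p,X.00,Legacy,intel-at
"""

def assess_inventory(text):
    """Assess every row of a CSV inventory; returns (model, action, warnings)."""
    return [(r["model"], *assess(r)) for r in csv.DictReader(io.StringIO(text))]

if __name__ == "__main__":
    for model, action, warnings in assess_inventory(SAMPLE):
        print(f"{model}: {action}", *warnings, sep="\n    ")
```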

FileVault 2 support

SecureDoc v6.1 now integrates seamlessly with FileVault 2, the native encryption engine on Mac OS X clients. SES gives businesses the flexibility of using either SecureDoc or FileVault 2 encryption, while still providing the ability to manage all their devices through SES's central management console.

OSA support

  • added support for localized keyboard layouts;
  • support for multiple users per device;
  • user administration through SES;
  • synchronization with Active Directory passwords.

Conversion with "no recovery"

This package option prevents SecureDoc from creating recovery data in order to speed up the encryption process. This option is useful if you need to quickly encrypt a new drive. Do not use this feature if the drive contains critical data.

Other new features

  • SecureDoc v6.1 now supports Intel AT 4.0;
  • support for static IP addresses on client devices in the pre-boot environment;
  • SecureDoc v6.1 now supports a new licensing model;
  • can now deploy SecureDoc with the use of an initial password (silent deployment) - the user does not see boot logon during installation or conversion;
  • improvements to FFE (File Folder Encryption).

 

Bug Fixes and Improvements

Reference

Description

SD-57

SES installer does not check for .Net 3.51

Installing SES on a server on which the .NET 3.51 runtime has not previously been installed would cause the ADSync Configuration utility to not work correctly.

Corrected: In Version 6.1, the installer now checks for the .NET Framework 3.5 SP1 on Windows 7/Windows 2008 R2 and, if needed, prompts the installing user with the message: "Please install DotNet Framework 3.5 SP1 to proceed with the installation. To install DotNet Framework 3.5 SP1 on Windows 7/Windows 2008 R2 turn this feature ON from Windows Features". On Windows 7/Windows 2008 R2 the .NET Framework can only be installed from the Windows Features administration panel; if the user tries to install it using the downloaded installer, it will not install.

NOTE: If the operating system is something other than Windows 7/Windows 2008 R2, the installer will prompt a Prerequisites dialog for installing DotNet Framework 3.5 SP1.

SD-141

Support for password synchronization in Mac OS X client

Support has been added in V6.1 for the Mac OS client to automate synchronization of User Credentials (Password-sync) with those of the same Mac OS user. This feature had been limited in the past to Windows users, and now is accessible to Mac users.

SD-181

Port control error with Pocket Wifi GP-02 router

In a previous release, inserting a Pocket Wifi GP-02 (Japanese model) adapter (presumed equivalent to the Huawei E587 model) into the USB slot would incorrectly trigger the SecureDoc Client to present a "port control policy error 10" error message, even when Port Control was not used in the profile in effect on the affected computer.

This has been corrected in Version 6.1, permitting the Pocket Wifi GP-02 device type to be used on SecureDoc-protected devices.

SD-184

Unable to activate Intel AT (Intel AT 4.0) on [HP] EliteBook 8770w

SecureDoc 6.1 supports Intel Anti Theft (AT) v4.0.

SD-186

[HP] Alcor built-in smartcard fails to work with built-in reader in HP EliteBook 8460p

In 5.3 SR2, pre-boot authentication using the Alcor built-in smart card with the built-in reader in HP EliteBook 8460 would not work. This has been fixed in 6.1.

SD-330

OSA - unlocking a hard drive

By default OSA requires a re-boot when transitioning from the pre-boot environment after unlocking the hard drive.

SD-333 and SD-372

Error 0x51 when using PBN on Dell E6410

In a previous version, when using PBConnex authentication on Dell E6410 or E6400 machines having a Seagate Self-Encrypting Drive (SED) it was not possible for users other than the original user to log into the machine until after the original user had successfully logged in at the SecureDoc pre-boot.

This has been corrected in v6.1: any user with legitimate domain credentials (assuming membership in any appropriate groups defining login rights within PBConnex) can now log in at pre-boot on Dell E6410 or E6400 machines having a Seagate Self-Encrypting Drive (SED).

SD-341

Lenovo W520 laptop fails to resume from hibernation

This occurred because of a corrupt hibernation file and affected SecureDoc v5.3 SR1.

This issue is now fixed and the laptop is able to hibernate and resume without any issues when SecureDoc's preboot component is installed.

SD-359

Missing backspace key in on-screen keyboard for Windows tablet

Under the SecureDoc V4 Boot loader, if a user needed to perform Challenge-Response recovery on a Windows Tablet computer, an abbreviated on-screen keyboard would be shown offering the characters 0-9, a-f (Hexadecimal) to permit the user to enter the recovery string. This abbreviated keyboard did not include a backspace key. The incorrect entry of any characters would require the device to be rebooted so the user could re-try recovery.

This version corrects this issue; a backspace key has been added to the abbreviated virtual keyboard under the V4 boot loader.

SD-519

Cannot use SDXC card slot after encrypting with SecureDoc

In SecureDoc v5.3 SR2, the SDXC card slot in Mac OSX 10.7.3 computers became unusable after encryption.

The issue is now fixed in SecureDoc 6.1. The user will now be able to use the SDXC card slot on Mac OSX 10.7.3 computers after encryption.

SD-549

Support for Broadcom BCM57XX & Realtek RTL81XX NICs in PBL

Support for Broadcom BCM57xx-series and Realtek RTL81xx-series Wireless Network Interface Cards (NICs) has been improved in SecureDoc V6.1's Wireless Pre-Boot Authentication (PBConnex).

SD-595

Mac OS X - cannot use SDXC card slot after encrypting with SecureDoc

This has been fixed in v6.1.

SD-638

Tablet PC support in PBL

The following Motion Computing Tablets are supported with their onscreen keyboards in SecureDoc v6.1:

- F5V Touch: Pen only

- J3500: Pen and Touch

- F5t non-touch: Pen only

SD-724

Password synchronization issues on SES-managed Mac client

Platform: Mac - SES Client.

In an earlier version of the SecureDoc Enterprise client for Mac OS X, with Password Synchronization and Single Sign-on options enabled in the profile, the following issue could occur: Having completed initial encryption, the user authenticates at Pre-Boot for the first time using the one-time initial password. The Mac OS starts, and the SecureDoc client agent prompts the user to enter his Mac account password. If the device was then rebooted, rather than using the presumed-synchronized Mac OS password at pre-boot, the user would be obliged to re-enter the one-time initial password again. Only following this second login at Pre-Boot, and upon logging into the OS with his Mac OS password, would SecureDoc synchronize the Pre-Boot password to the user's Mac OS X password, after which the user could log in at Pre-Boot using his Mac OS password, as expected.

This issue has been corrected and the requirement for the second login has been removed. Now, upon first logging into the Mac OS with his Mac OS credentials, the user will be presented with a panel into which he will enter and confirm his OS X password; in this way Password Synchronization will take effect from the first post-encryption login, as intended.

SD-761

Error 0x12 shown after switching from password to token protection

In a prior release, where the SES Admin had changed a device to use DATEV Smart Card token support (and certain other tokens) as authentication factors, a user attempting Challenge Response recovery (which should change the affected key file to password-protected) would instead be shown Error ID 0x12, followed by a recommendation to contact the Administrator.

This has been corrected in V6.1, and the user's key file is correctly changed to being password-protected.

SD-962

Error when using PBConnex with Intel AT

In a prior version, having defined both the use of: a) PBConnex (option "Get Keyfile via PBConnex") with the automation of storing a local key file on the device (option "Save Keyfile to client machine"), and b) Intel Anti-Theft (AT) functionality, it was determined that while devices could authenticate cleanly while connected to the network, it was not possible to authenticate to the device using the local key file (while it was offline).

This issue has been corrected, and devices running the above-specified combination of settings will now be able to authenticate both online and offline.

SD-1090

Intel AT 3.0 - lock-out feature not working when maximum number of failed login attempts reached

An issue was identified where, using Intel Anti-Theft features in the profile, the device would not correctly lock up if the user exceeded the maximum number of failed login attempts. This has now been corrected and the device will correctly lock up after the user has exceeded the maximum failed login attempts.

SD-1101

Conformance with SP 800-132

The SecureDoc keyfile concept now complies with the NIST Special Publication 800-132 standard, as documented here:

http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf

SD-1277

Cannot add new printer

Under an earlier release, installation of the SecureDoc client could impede the user's ability to define a new printer definition/connection to a network printer. Following SecureDoc Client installation, the Add Network Printer option would be inaccessible.

This issue has been resolved in V6.1, and users can now correctly define new connections to Network Printers on a SecureDoc-protected device.

SD-1314

Installation problem on OPAL drive on Toshiba machine

Toshiba HDD Accelerator is not compatible with SecureDoc when used on Toshiba machines with OPAL SEDs. The user is required to uninstall Toshiba HDD Accelerator before installing SecureDoc.

SD-1319

XP Token Lock feature causes BSOD

In an issue discovered to affect SecureDoc v5.3SR4, inserting a token into the USB reader as the device is starting to enter stand-by mode or hibernation, or as it is beginning to emerge from stand-by or hibernation, can result in a Blue Screen stop error.

This issue has been resolved, and the SecureDoc client will accept the insertion of the token at any point.

SD-1360

Unable to login after pushing a new key file for recovery

An issue appeared in v5.3SR4 in that, following the upgrade of a Standalone Mac SecureDoc client to an SES-managed Mac Client, the user would be unable to log in at the SD Mac pre-boot after a new keyfile had been transmitted to the upgraded device.

This issue has been fixed in SecureDoc v6.1.

SD-1544

Package error - users not being installed in correct boot slot

Where new users were defined at the package level (typically administrator-level users) and those users were to be installed into a specific Boot Slot, those users were not being added to the specified boot slot but were being added into the next available Boot Slot, or even occasionally into the default Boot Slot.

This issue has been resolved in V6.1, and such users will now be added correctly to the Boot Slot defined by the SES Administrator.

SD-1871

Lenovo 20-series and 30-series laptops - BSOD when hardware passwords are renewed through SES policy

User encounters a system failure (BSOD) when opening the HPM client software and running the renew vault command after the HPM administrator has already initiated the renew vault command from the SES console (by assigning a profile).

Workaround: When the HPM administrator is managing the user's HPM vault, the user must be told not to open the HPM client software.

SD-1915

Error 8123 after hardware encryption on Samsung SSD SED

The following SSD SED from Samsung - model MZ-7TD2560/0L7 - might fail hardware encryption (with the error code 8123). If this occurs, the user will need to update the Samsung firmware to DXT01L64 in order for hardware encryption to work.
