SecureDoc v7.1 SR5 HF1 Release Notes


Product/Feature Deprecation Pre-Notice

Please note that WinMagic is deprecating SecureDoc V4 PreBoot Authentication (PBA) support for SEDs in favor of the fuller-function, more capable V5 PreBoot Linux (PBL). The existing V4 support for SEDs will remain in the product for the time being but will not be maintained or enhanced. We recommend that customers migrate to V5 PBL over the course of the next year.

 

Important Note

WinMagic has done extensive work to improve, streamline and augment the security surrounding the initial deployment of Key Files during the process of installing the SecureDoc Client software, bearing in mind that many customers have widely divergent requirements relating to how devices are used during and after initial installation. Some customers install SecureDoc while the primary device user is on or will be on the machine, while others may need to protect new devices before the end-users of those devices have been defined, as well as other scenarios.

Please refer to the “When SecureDoc server is upgraded to version 7.1SR5 HF1 from previous versions (6.5 or earlier)” and “Device Provisioning Rules” sections under the “Creating Installation Packages for Windows” chapter in the SES User Manual to understand how these new settings work and to inform your own use of these new features, particularly as they operate in a way that cannot be easily migrated from the previous methodology to the new methodology. Upon upgrading from an earlier version, you will need to adjust each of your existing Installation Packages to reflect the deployment methodology that will meet your security design.

 

System Requirements

System requirements and supported devices, including tokens and SmartCards, for SecureDoc v7.1 SR5 HF1 are listed here.

Note: It is strongly recommended to install the Full-Text Indexing feature (Full-Text Search) into the Database Engine before performing an SES installation. More information can be found here: http://msdn.microsoft.com/en-us/library/ms143786(v=sql.100).ASPX

During the installation of SES, if Full-Text Indexing has not been installed, a message will appear indicating its absence. This message does not allow the user to stop the installation of SES, so Full-Text Indexing will then have to be retrofitted into the existing SQL Server.

Note: Use of the SES Console will require the user to have at least local admin rights on the server or client device (e.g. Admin desktop) on which it runs, in order for the console to function properly.

 

Resolved Issues

Reference | Description
SD-18776

The built-in Smartcard Reader on the HP EliteBook Folio 1040 G1 device type was producing errors at Pre-boot and could not be used for SmartCard-based authentication.

This issue has been resolved. The user can now authenticate at Pre-boot with built-in smartcard reader for the HP EliteBook Folio 1040 G1 device.

SD-18809

MacFileVault2 – Unable to log in where certain special characters were defined in User passwords

Issue: Certain special characters were not supported in user passwords for authenticating to FileVault 2-protected devices managed by SecureDoc. The result was that these characters could be used to define passwords, but the resulting passwords containing those characters could not be used to authenticate. The user would receive a “password is incorrect” error.

The special characters affected were:

!, \, |, ', ", `, $, #, %, &, (, ), {, }, * and a “space” in between password characters.

These characters are now supported. A Mac client user is able to create passwords with these characters, including special characters for MacFileVault2.

Note: The dash ‘-’ is still an unsupported character, as is the use of a “space” at the beginning or end of a password.

SD-20175

SecureDoc Web Console (SESWeb) display error: Fewer devices would appear in Reports than would appear under the Devices tab.

This issue has now been resolved.

SD-20193

Lenovo ThinkPad T440 devices randomly experience issues returning from hibernation, error 0x000009a appears

This issue has been resolved. After T440 devices are encrypted with SecureDoc, waking up from hibernation will not affect the device. It will resume without any issues.

SD-20427

Touch screen and stylus pen are now supported on Panasonic CF-20 and FZ-G1 (MK4) devices

SecureDoc now supports the touch screen and stylus pen on Panasonic CF-20 and FZ-G1 devices in Pre-Boot Linux (PBL) and Pre-Boot Linux for UEFI devices (PBLU) modes.

NOTE: Native UEFI mode Pre-boot (PBU) mode does not support the touch and pen controls on these devices.

SD-20506

Support has been added for the Gemalto IDPrime MD830 Smart Cards

SecureDoc now supports the Gemalto IDPrime MD830 Smart card for smart card-based Pre-Boot Authentication.

SD-20587

Support has been added for HID Crescendo C1150 Smart Cards

SecureDoc now supports the HID Crescendo C1100 and C1150 Smart Cards

Limitation: The C1100 and C1150 smart cards are only supported with PIV-configured profiles (PIV stands for Personal Identity Verification). To configure PIV profiles on smart cards, use the advanced diagnostic features of ActivClient middleware.

SecureDoc does not support C1100 and C1150 smart cards that have non-PIV profiles loaded on the cards.

NOTE: The Crescendo C1300 is not supported in 7.1 SR5 HF1.

SD-20634

The challenge and response input fields at Boot Logon were misaligned on the screen when using a custom background image with PBU

This issue is now resolved. The Input fields are correctly positioned on the PreBoot for UEFI devices (native mode) screen.

SD-20646

MS Surface Pro 4 – The on-screen keyboard appeared and was functional at the Boot Logon screen – even though it was not activated

This issue is now resolved. The on-screen keyboard can only be used when it is activated by the user, whereupon it is displayed on the Boot Logon screen.

SD-20657

PBConnex is unable to connect with a valid 802.1x network connection when the device has multiple NICs attached

This issue is now resolved. PBConnex can now properly detect the NIC having the valid 802.1x network connection and connect and authenticate to the server.

SD-20691

Windows RME - Improvements to the existing RME logging feature

RME (Removable Media Encryption) logging now tracks the source and destination paths of files being copied to and from removable media. Supported on Windows RME only, the file actions that will be audited include: bi-directional copy, move, create, delete of any file or folder. The source and destination paths include files that are copied to and from: local drives and partitions, network paths/UNC, and external removable media.

Limitations:

1. WinMagic cannot guarantee that all externally connected devices will be handled, as there are many ways a connected external storage device can present itself to a Windows computer. There are no problems when a device is connected as a drive letter, but it can instead be attached as a WPD (Windows Portable Device) or similar, which does not result in a drive letter being defined for it. Such devices are mapped as an extension to Windows Explorer’s folder system. An example would be copying data to an iPhone from the iTunes application. The storage on the iPhone would not be detected (nor would it have a drive letter assigned) in Windows Explorer, thus data copied to the iPhone cannot be intercepted and logged by SecureDoc. The write would be captured successfully if the destination is a removable media.

2. SecureDoc cannot handle the case where a user opens a file on a removable media and then uses “Save As” to save it to a different location. In this case there is no relation between the source document and the destination one. The same is true of opening a file on a local drive and using the “Save As” function to save the file to removable media. The source will be missing in this case too. When copying in the opposite direction, the read will be captured. The limitation concerns only the detection of the complementary source/destination of the file. One way to handle such cases is by installing an on-client DLP (Data Loss Protection) system/application which will prevent data leaking from a removable media to other locations.

3. SecureDoc’s logic supports file copy operations based on file names. In the vast majority of cases a file copied from one location to another will retain its name, but cases where a file is copied to/from removable media under a different name will not be handled. In the opposite direction the read will be captured. The limitation concerns only the detection of the complementary source/destination of the file.

4. WinMagic may not support 3rd party network locations based on custom/3rd party extensions, such as Citrix network redirector.

SD-21099

SecureDoc clients were encountering difficulties connecting the Linux-based Pre-Boot environment (PBL) with 802.1x wired network.

Cause: SecureDoc clients were unable to get the Trusted Root CA Certificate, causing the Linux-based Pre-Boot (PBL) to be unable to successfully establish an 802.1x wired connection. This issue was observed in clients running V7.1 and later.

This issue is now resolved.

SD-21204

SecureDoc “on top” of FileVault2 (SD FV2) - During the deployment, FileVault2 is enabled and the encryption process starts before the users have an opportunity to define their passwords

This issue has been resolved. During the deployment on the device, the user must authenticate with a valid password before FV2 is enabled, after which the initial encryption starts.

SD-21218

SD FV2 – The Default Recovery password length is reverted back to 24 characters.

SD FV2 now allows a password length of up to 24 characters for the Recovery Account. These can be comprised of upper cases, letters and numbers.

SD-21430

SD FV2 – Unable to use certain special characters in the User password after the Account Password Reset has been performed

Issue: Certain special characters were not supported in user passwords for authenticating to FileVault 2-protected devices managed by SecureDoc after the user performs the SecureDoc account password reset.

The special characters affected were: ", \, $, and `.

\, $, and ` are now supported on all OSX platforms except for Mavericks 10.9.5. A Mac client user is able to create passwords with these characters, including special characters for SD FV2 after account password reset.

Note: The double quotes special character (") is currently not supported on any OSX platforms, nor is the use of a “space” at the beginning or end of passwords.

SD-21476, SD-21477

SD FV2 – Users with complex password are unable to be added to the Unlock List

Issue: Certain special characters were not supported in user passwords that were added to the Unlock List to FileVault 2 protected devices managed by SecureDoc.

The special characters affected were: \, $, and `.

These characters are now supported. A Mac client user can now be added to the Unlock List with these characters.

Note: The double quotes special character (") is currently not supported on any OSX platforms, nor is the use of a “space” at the beginning or end of passwords.

SD-21539

MacFileVault2 – Remote password reset unsuccessful if there are certain special characters in the password

Issue: This limitation applies only to OSX 10.9.5, when a remote password reset initiated from SES contains unsupported special characters. In this case, the process to reset the password for the SecureDoc client cannot be completed.

Note: The double quotes special character (") is currently not supported on any OSX platforms.

SD-21558

SD FV2 – After changing the user password locally, the SD FV2 password does not sync

Suggested Work-around: This is not a problem with SDFV2. We suggest that users changing their passwords locally follow these steps:

 Modify the password from SES and send down the remote command
 Use the WinMagic Recovery Account to log in and reset the password

Improvements

Reference | Description
N/A

SD Mac V7.1SR5 HF1 Supports Mac OS 10.12.3

PER-130

Support has been added for the Windows 10 Education edition operating system

The SecureDoc installation now supports Windows 10 Education edition.

 

Limitations

Reference | Description
SD-14762, SD-21212

LIMITATION: SecureDoc’s RMCE Viewer is presently not able to display files and folders from within a container-encrypted Western Digital Element 3TB HDD when this drive is connected to machines that do not have SecureDoc installed

RMCE Viewer does not display files and folders from Western Digital Element 3TB HDD on machines without SecureDoc installed

Limitation: The RMCE Viewer does not properly display folders and files on the Western Digital Element 3TB portable HDD when attached to a non-SecureDoc device. It is recommended that RMCE only be used on this make/model of Hard Disk Drive (HDD) when sharing encrypted files among devices that have been installed with the SecureDoc client software.

Work-around: N/A.

SD-20432

Devices that have been configured with Native SecureDoc Pre-Boot for UEFI devices on Panasonic FZ-G1 and CF-20 devices may find that the Touch screen and stylus pen controls are unresponsive at Boot Logon after returning from hibernation

Limitation: The touch screen is not responsive after the device wakes up from Hibernation when PBU is enabled. WinMagic is currently working with Panasonic to address limitations with their UEFI BIOS.

Work-around: It’s recommended to use PBL (Linux-based Pre-Boot) or PBLU (Linux-based Pre-Boot for UEFI devices) on Panasonic tablets until a full resolution is provided.

SD-21129, SD-21438

Samsung 900X3G is unable to boot with Hardware Encryption

Limitation: Samsung BIOS firmware does not support the required protocols for SED (hardware encryption). Therefore, SecureDoc pre-boot fails to unlock Opal Self-Encrypting Drives (SEDs) at pre-boot on these devices.

Work-around: It is recommended to “force” software encryption on the Self Encrypting Drives (SEDs) for this device type until a resolution has been provided.

SD-21590

LIMITATION: The SecureDoc client installer (for a given version) cannot be run multiple times on the same device

Limitation: Although it is possible to upgrade a device’s version of SecureDoc (for example, from one version to the next, or to upgrade from the StandAlone Silver version to the Gold version within the same overall version number) - it is not possible to run the same-version SecureDoc Client Installer more than once on a given device.

SD-21171, SD-21454

A black screen (with a blinking cursor in the top left corner) may randomly appear upon resuming from Hybrid Sleep on devices equipped with Self Encrypting Drives (SEDs)

Randomly a black screen appears after the system resumes from Hybrid Sleep on a device using an SED

Limitation: In some cases, a black screen has appeared on a system returning from Hybrid Sleep on a device using an SED.

Workaround – Enable Sleep/Hibernation in the power settings – or fully power off the system and log back into Boot Login

Note:
 This issue does NOT occur on SWE
 This issue only occurs on Hybrid sleep and not Sleep/Hibernate

SD-21412

Unresponsive Touch screen and stylus pen controls at Boot Logon after returning from hibernation on Panasonic FZ-G1 and CF-20 devices (only in PBU mode)

Limitation: The touch screen is not responsive after the device wakes up from Hibernation when PBU is enabled. WinMagic is currently working with Panasonic to address limitations with their UEFI BIOS.

Work-around: It’s recommended to use PBL or PBLU on Panasonic tablets until a full resolution is provided.
