Dell Data Protection | Enterprise Edition for Mac Administrator Guide
© 2013 Dell Inc. Registered trademarks and trademarks used in the DDP|E, DDP|ST, and DDP|CE suite of documents: Dell™ and the Dell logo, Dell Precision™, OptiPlex™, ControlVault™, Latitude™, XPS®, and KACE™ are trademarks of Dell Inc. Intel®, Pentium®, Intel Core Inside Duo®, Itanium®, and Xeon® are registered trademarks of Intel Corporation in the U.S. and other countries. Adobe®, Acrobat®, and Flash® are registered trademarks of Adobe Systems Incorporated.
Contents
1 Introduction: Overview, Customer Support
2 Requirements: Hardware, Software
3 Tasks: Prerequisites
Appendix A: About Optional Firmware Password Protection
Appendix B: How to Enable Mac OS X Boot Camp
Appendix C
1 Introduction
The Dell Data Protection | Enterprise Edition for Mac Administrator Guide provides the information needed to deploy and install the client software.
Overview
Dell enables an enterprise to support a mobile workforce with the peace of mind that sensitive information is secure.
Administrator Guide
2 Requirements
Client hardware and software requirements are provided in this chapter. Ensure that the deployment environment meets the requirements before continuing with deployment tasks.
Hardware
The following table details supported hardware.
NOTE: The system disk must be partitioned with the GUID Partition Table (GPT) partition scheme and have a Mac OS X Extended (Journaled) format.
Windows Operating Systems (32- and 64-bit) Supported to Access Encrypted Media
• Microsoft Windows 7 SP0-SP1
  - Enterprise
  - Professional
  - Ultimate
  - Home Premium
• Microsoft Windows 8
  - Enterprise
  - Pro
  - Windows 8 (Consumer)
Mac Operating Systems (32- and 64-bit kernels) Supported to Access Encrypted Media
• Mac OS X Lion 10.7.5
• Mac OS X Mountain Lion 10.8.3, 10.8.4, and 10.8.5
• Mac OS X Mavericks 10.
3 Tasks
Install/Upgrade Dell Data Protection | Enterprise Edition for Mac
This section guides you through the Dell Data Protection | Enterprise Edition for Mac installation/upgrade and activation process. There are two methods to install/upgrade Dell Data Protection | Enterprise Edition for Mac. Select one of the following:
• Interactive Installation/Upgrade and Activation - This method is the easiest method to install or upgrade the client software package.
Interactive Installation/Upgrade and Activation
To install/upgrade and activate the client software, follow the steps below. You must have an administrator account to perform these steps.
NOTE: Before you begin, save the user’s work and close other applications; immediately after the installation is complete, the computer will need to restart.
1 Open the Dell-Data-Protection-.dmg file located in the Dell installation media and open the installer.
Activate Dell Data Protection | Enterprise Edition for Mac
The activation process associates network user accounts in the Dell Enterprise Server to the Mac computer and retrieves each account’s security policies, sends inventory and status updates, enables recovery workflows, and provides comprehensive compliance reporting. The client software performs the activation process for each user account it finds on the computer as each user logs in to his user account.
Command Line Installation/Upgrade
To install the client software using the command line, follow the steps below. If you intend to use Boot Camp on encrypted Mac computers or intend to use a version of the operating system that is not yet fully supported by Dell, you must configure your installation to not use firmware password protection (you must modify the com.dell.ddp.plist as shown in step 3 below).
1 Open the Dell-Data-Protection-.dmg file located in the Dell installation media.
Domains
DisplayName COMPANY
Domain department.organization.com [Replace this value with the Domain URL that users will activate against]
FirmwarePasswordMode Required [If using Boot Camp, this value must be Optional. For more information, see About Optional Firmware Password Protection.]
PolicyProxies
Host policyproxy.organization.
8 Enter the user name and password managed by Active Directory, select the Domain to log on to, and click Activate.
If policies have already been set in the Dell Remote Management Console and you have Encrypt Using FileVault for Mac=True, the following prompts will display. If policies have not yet been set in the Dell Remote Management Console, these prompts will display when the endpoint receives the Encrypt Using FileVault for Mac=True policy.
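A pre-deployment check for the com.dell.ddp.plist edited in step 3 of the command line installation, as an added example that is not part of the Dell guide or the product. The key names come from the guide; the nesting (arrays of dictionaries), the sample PolicyProxies host name and the function name `lint_ddp_plist` are assumptions.

```python
import plistlib

# Constructed sample. Key names are from the guide; the nesting (arrays of
# dicts) and the PolicyProxies host name are assumptions for illustration.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Domains</key>
  <array><dict>
    <key>DisplayName</key><string>COMPANY</string>
    <key>Domain</key><string>department.organization.com</string>
  </dict></array>
  <key>FirmwarePasswordMode</key><string>Required</string>
  <key>PolicyProxies</key>
  <array><dict>
    <key>Host</key><string>policyproxy.example.test</string>
  </dict></array>
</dict></plist>"""

TEMPLATE_DOMAIN = "department.organization.com"  # the guide says to replace this
VALID_MODES = ("Required", "Optional")           # the two values the guide shows


def lint_ddp_plist(raw, uses_boot_camp=False):
    """Return a list of findings for a com.dell.ddp.plist payload (bytes)."""
    try:
        cfg = plistlib.loads(raw)
    except Exception as exc:  # malformed XML or unknown plist format
        return [f"not a valid plist: {exc}"]
    if not isinstance(cfg, dict):
        return ["plist root is not a dictionary"]
    findings = []
    mode = cfg.get("FirmwarePasswordMode")
    if mode not in VALID_MODES:
        findings.append(f"FirmwarePasswordMode is {mode!r}, expected one of {VALID_MODES}")
    elif uses_boot_camp and mode != "Optional":
        findings.append("Boot Camp planned but FirmwarePasswordMode is not Optional")
    domains = cfg.get("Domains") or []
    if not domains:
        findings.append("no Domains entry for users to activate against")
    for entry in domains:
        if not entry.get("DisplayName"):
            findings.append("Domains entry has an empty DisplayName")
        if entry.get("Domain") in (None, "", TEMPLATE_DOMAIN):
            findings.append(f"Domain still unset or template value: {entry.get('Domain')!r}")
    if not any(p.get("Host") for p in cfg.get("PolicyProxies") or []):
        findings.append("no PolicyProxies Host configured")
    return findings
```

Run against the sample with `uses_boot_camp=True`, it reports both the Required/Boot Camp conflict and the unreplaced template domain.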
Enable Encryption
NOTE: Only Mac OS X Extended (Journaled) volumes and system disks that are partitioned with the GUID Partition Table (GPT) partition scheme are supported for encryption.
Use this process to enable encryption on a client computer if encryption was not enabled prior to activation. This process enables encryption only for a single computer. You can choose to enable encryption for all Mac computers at the Enterprise policy level if desired.
View Encryption Policy and Status
You can view the encryption policy and status on the local computer or in the Dell Remote Management Console.
View Policy and Status on the Local Computer
To view encryption policy and encryption status on the local computer, follow the steps below.
1 Launch System Preferences and click Dell Data Protection.
2 Click Policies to view the current policy set for this computer. Use this view to confirm the specific encryption policies in effect for this computer.
Removable Storage
EMS Encrypt External Media - True or False
This is the “master policy” for all other Removable Storage policies. This policy must be set to True for any other Removable Storage policies to be applied. True means that all Removable Storage encryption policies are enabled. False means that no encryption of removable storage takes place, regardless of other policy values.
EMS Device Whitelist - See the AdminHelp for instructions on how to use this policy.
This policy allows the specification of removable storage devices to exclude from EMS encryption, thereby allowing users full access to the specified removable storage devices. This policy is available on an Enterprise, Domain, Group, and Endpoint level. Local settings override inherited settings. If a device is in more than one group, all EMS Device Whitelist entries across all Groups apply.
EMS Access and Device Code Length - 8, 16, or 32
Number of characters Access and Device Codes have. 32 characters is the most secure, while 8 is the easiest to enter.
EMS Cooldown Time Delay - 0-5000 seconds
Number of seconds the user must wait between the first and second rounds of Access Code entry attempts.
EMS Cooldown Time Increment - 0-5000 seconds
Incremental time to add to the previous cooldown time after each unsuccessful round of Access Code entry attempts.
User Experience
Force Restart on Policy Updates - True or False
True forces a computer restart after the specified delay upon receiving a policy update requiring a restart. The delay is specified by the Length of Each Restart Delay and Number of Restart Delays Allowed policies. False neither forces nor prompts for a restart. The policy requiring the restart will take effect the next time the user restarts their computer.
Color - Description
Green - Encrypted portion
Red - Not encrypted portion
Yellow - Portion being re-encrypted. For example, by a change in encryption algorithms. The data is still secure. It is just transitioning to a different type of encryption.
The Encryption pane includes all volumes attached to the computer residing on GUID Partition Table (GPT) formatted disks. The volumes can have one of five configurations described below.
Icon - Volume Type and Status
The currently booted Mac OS X system volume.
To view effective policies, in the Actions area, click View Effective Policies.
7 Click the Security Policies tab. The following tasks can be completed from this tab: Expand the types of policies as desired. Change individual policies as desired. When finished, click Save. In the left pane, click Actions > Commit Policies. Click Apply Changes.
8 Click the Users tab. This area displays a list of users activated on this Mac computer.
Mount Volume
Prerequisites
• An unencrypted external recovery volume or computer that will be running the recovery utility
• A FireWire cable
• The Device ID/Unique ID of the computer targeted for recovery
  - In most cases, you can find the computer targeted for recovery in the Dell Remote Management Console by searching for the owner’s user name and viewing the devices encrypted for that user. The format of the Unique ID/Device ID is “John Doe's MacBook.Z4291LK58RH”.
10 Select the volume or drive that needs recovery and click Continue. Selecting the drive will recover all volumes on the drive at once. The file selector window displays.
11 Select the recovery bundle (saved in step 4) and click Open. The Select Recovery Operation dialog displays.
12 Select the Mount Volume option.
13 Click Continue to confirm the Mount Volume. The Mount Volume Successful dialog displays.
14 Click Close.
Boot the computer targeted for recovery into Target Disk Mode. You can accomplish this by either launching the Startup Disk pane in System Preferences and clicking Target Disk Mode, or by holding down the T key while you restart this computer. NOTE: Firmware password protection blocks the ability to use the T key at startup to enter Target Disk Mode. More information about Target Disk Mode is available from Apple at http://support.apple.com/kb/HT1661.
Process
1 As a Dell Administrator, log in to the Dell Remote Management Console.
2 In the left pane, click Actions > Recover Endpoint.
3 When the Recover Endpoint page displays, select the Endpoint type as Mac from the drop-down menu and enter the Unique ID.
TIP: You can access the Unique ID by clicking Endpoints in the left pane and clicking Search. Select the correct device and click the Device Details icon. The Unique ID displays. Write the Unique ID or type it into TextEdit.
Uninstall Dell Data Protection | Enterprise Edition for Mac
The client software may be uninstalled by running the Uninstall Dell Data Protection application. To uninstall the client software, follow the steps below.
NOTE: Before running the uninstall application, the disk must be fully decrypted.
1 If the disk is currently encrypted, set the computer's Encryption Enabled policy to False in the Dell Remote Management Console and commit the policy.
4 Activation as Administrator
The Client Tool offers the administrator new methods for activating the client software on a Mac computer and examining the client software. Two methods of activation are available:
• Activation using Administrator credentials
• Temporary activation that emulates the user without leaving footprints on that computer.
Both methods can be used directly through a shell, or in a script.
Appendix A
About Optional Firmware Password Protection
NOTE: More recent Mac computers do not support Firmware Password Protection.
Firmware Password Protection is supported for the following models:
• iMac11.*
• Macmini4.*
• MacBook7.*
• MacBookAir2.*
• MacBookPro7.*
• MacPro5.*
• XServe3.*
For example, iMac11.1 and iMac11.2 will support Optional Firmware Password Protection (as indicated by the *), but iMac12.1 or later will not.
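The model patterns above can be applied to a hardware inventory before choosing a FirmwarePasswordMode per machine. This is an added example, not code from the Dell guide or the product; the function names and the inventory rows are constructed, and it accepts both the guide's dotted form (iMac11.1) and the comma form (iMac11,1) in which macOS reports model identifiers.

```python
import re

# Patterns listed in Appendix A: model family plus major number, any minor.
SUPPORTED_PATTERNS = ["iMac11.*", "Macmini4.*", "MacBook7.*", "MacBookAir2.*",
                      "MacBookPro7.*", "MacPro5.*", "XServe3.*"]

_PATTERN_RE = re.compile(r"^([A-Za-z]+)(\d+)\.\*$")
_MODEL_RE = re.compile(r"^([A-Za-z]+)(\d+)[.,](\d+)$")

# (family, major) pairs, lower-cased so "XServe" and "Xserve" compare equal.
_SUPPORTED = {(m.group(1).lower(), int(m.group(2)))
              for m in map(_PATTERN_RE.match, SUPPORTED_PATTERNS)}


def supports_firmware_password(model_id):
    """True if model_id matches an Appendix A pattern.

    The whole family name is compared, so "MacBookPro11,3" is not mistaken
    for "MacBook7.*". Raises ValueError for anything unparseable, so a
    malformed inventory row is never silently classified either way.
    """
    m = _MODEL_RE.match(model_id.strip())
    if m is None:
        raise ValueError(f"unrecognised model identifier: {model_id!r}")
    return (m.group(1).lower(), int(m.group(2))) in _SUPPORTED


def partition_fleet(model_ids):
    """Split inventory rows into supported, unsupported and unparseable."""
    result = {"supported": [], "unsupported": [], "unparseable": []}
    for model_id in model_ids:
        try:
            key = "supported" if supports_firmware_password(model_id) else "unsupported"
        except ValueError:
            key = "unparseable"
        result[key].append(model_id)
    return result


# Constructed inventory rows, not from the guide.
FLEET = ["iMac11,2", "iMac12.1", "MacBookPro7,1", "MacBook7.1",
         "MacBookPro11,3", "Xserve3,1", "unknown"]
```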
Appendix B
How to Enable Mac OS X Boot Camp
NOTE: When using Boot Camp, the Windows operating system cannot be encrypted.
Boot Camp is a utility included with Mac OS X that assists you in installing Windows on Mac computers in a dual-boot configuration.
Appendix C
How to Retrieve a Firmware Password
Even if the client computer is configured for firmware password enforcement, it may not be needed for recovery. If the computer to recover is bootable, set the boot target in the Startup Disk system preferences pane. In the case where the firmware password is needed to accomplish recovery (if the computer is not bootable and firmware password protection is enforced), follow the steps below.
Appendix D
Client Tool
The Client Tool is a shell command that runs on a Mac endpoint. It is used to activate the client from a remote location or to run a script through a remote management utility. As administrator, you can activate a client and do the following:
• Activate as administrator
• Activate temporarily
• Retrieve information from the Mac client
To use the Client Tool manually, open an ssh session and enter the desired command on the command line.
Client Tool Commands
Command: Server
Purpose: Polls the server for updated policies on behalf of the Mac client
Syntax: -s
Results: 0 = Success. Any other value indicates that either the server or Mac client software was busy or not responding.
NOTE: The poll can take several minutes to complete.
E Glossary
Dell Device Server - The Dell Device Server is used for client activations. The Dell Device Server is a component of the Dell Enterprise Server.
Dell Enterprise Server - The Dell Enterprise Server is made up of a collection of components. When referring to the Server-side of the product as a whole, it is collectively known as the Dell Enterprise Server.
Dell Policy Proxy - The Dell Policy Proxy is used to distribute policies to Dell Data Protection | Enterprise Edition for Mac client software.