Note: Encryption Management for Apple FileVault and Encryption Management for Microsoft BitLocker do not require authentication and are not affected by authentication policies. Client, login, password, and authentication policies, and the policy allowing the user to uninstall the Endpoint Encryption agent software, affect only the Full Disk Encryption and File Encryption agents.

| Policy Name | Description | Value Range and Default |
|---|---|---|
| Account Lockout Action | Specify the action to be taken when the device has failed to communicate with the PolicyServer as specified in the policy Account Lockout Period. | Erase, Remote Authentication. Default: Remote Authentication |
| Account Lockout Period | Specify the number of days that the client may be out of communication with the PolicyServer. | 0-999. Default: 360 |
| Dead Man Switch | Specify a sequence of characters that, when entered, will erase all contents on the device. | 1-255 characters. Default: N/A |
| Device Locked Action | Specify the action to be taken when the device locks. | Time Delay, Erase, Remote Authentication. Default: Time Delay |
| Failed Login Attempts Allowed | Specify the number of failed login attempts before using Lock Device Time Delay. | 0-100. Default: 5 |
| If Found | Specify information to be displayed. | 1-255 characters. Default: N/A |
| Legal Notice | Specify whether a legal notice should be displayed. | Enable/Disable. Default: Disabled |
| Legal Notice Display Time | Specify when the configured legal notice should be displayed to the user. | Installation, Startup. Default: Startup |
| Legal Notice Text | Specify the body of the legal notice. | Insert File. Default: N/A |
| Lock Device Time Display | Lock device for X minutes if the user exceeds Failed Attempts Allowed. | 1-999,999 minutes. Default: 1 |
| Preboot Bypass | Specify whether the preboot should be bypassed. | Yes, No. Default: No |
| Support Info | Display Help Desk information or Administrator contact. | Default: N/A |
| Token Authentication | Policy related to physical tokens, including smart cards and USB tokens. All sub-policies are visible only when Token Authentication is enabled. | Enable, Disable. Default: Disable |
| OCSP Validation | Verifying certificates via OCSP allows for the revocation of invalid certificates via the CA. | Enable, Disable. Default: Disable |
| OCSP CA Certificates | Certificate Authority certificates. | 0-1024 characters. Default: N/A |
| OCSP Expired Certificate Status Action | Defines the action to take if the OCSP certificate status is expired. | Time Delay, Erase, Remote Authentication, Denial of Login, Allow Access. Default: Denial of Login |
| OCSP Grace | A grace period in days that allows authentication to occur even if the OCSP server has not verified the certificate in this number of days. | 0-365. Default: 7 |
| OCSP Responders | Certificate Authority certificates. | Yes, No. Default: Yes |
| OCSP Responder Certificate | Certificate Authority certificate. | 0-1024 characters. Default: N/A |
| OCSP Responder URL | Certificate Authority certificates. | 0-1024 characters. Default: N/A |
| OCSP Revoked Certificate Status Action | Defines the action to take if the OCSP certificate status is revoked. | Time Delay, Erase, Remote Authentication, Denial of Login, Allow Access. Default: Denial of Login |
| OCSP Show Success | Specify whether success of the OCSP reply should be displayed. | Yes, No. Default: Yes |
| OCSP Unknown Certificate Status Action | Specify the action when an OCSP certificate status is unknown. This is a sub-policy of OCSP Responders. | Time Delay, Erase, Remote Authentication, Denial of Login, Allow Access. Default: Denial of Login |
| Token Passthru | Pass the token to the desktop GINA for further processing during the boot process. This is a sub-policy of OCSP Responders. | Yes, No. Default: No |