Views:
The following table explains the policies that govern logging on to the Full Disk Encryption agent.
Note
Note
Encryption Management for Apple FileVault and Encryption Management for Microsoft BitLocker do not require authentication and are not affected by authentication policies. Client, login, password, and authentication policies, or allowing the user to uninstall the Endpoint Encryption agent software only affects the Full Disk Encryption and File Encryption agents.

Full Disk Encryption Login Policy Descriptions

Policy Name
Description
Value Range and Default
Account Lockout Action
Specify the action to be taken when the device has failed to communicate with the PolicyServer as specified in the policy Account Lockout Period.
  • Erase: All content on the device is wiped.
  • Remote Authentication: Require user to perform remote authentication.
Erase, Remote Authentication
Default: Remote Authentication
Account Lockout Period
Specify the number of days that the client may be out of communication with the PolicyServer.
0-999
Default: 360
Dead Man Switch
Specify a sequence of characters, when entered will erase all contents on the device.
1-255 characters
Default: N/A
Device Locked Action
Specify the action to be taken when the device locks.
  • Time Delay: The amount of time that must elapse before the user can retry logging on.
  • Erase: All content on the device is wiped.
  • Remote Authentication: Require user to perform remote authentication.
Time Delay, Erase, Remote Authentication
Default: Time Delay
Failed Login Attempts Allowed
Specify the number of failed Login attempts before using Lock Device Time Delay.
0-100
Default: 5
If Found
Specify information to be displayed.
1-255 characters
Default: N/A
Legal Notice
Specify whether a legal notice should be displayed.
Enable/Disable
Default: Disabled
Legal Notice Display Time
Specify when the configured legal notice should be displayed to the user.
Installation, Startup
Default: Startup
Legal Notice Text
Specify the body of the legal notice.
Insert File
Default: N/A
Lock Device Time Display
Lock device for X minutes if user exceeds Failed Attempts Allowed.
1-999,999 minutes
Default: 1
Preboot Bypass
Specify if the preboot should be bypassed.
Yes, No
Default: No
Logon Background Color
Specify the background color during logon.
Enable, Disable
Default: Disable
Logon Background ColorBlue Value
Specify the blue value of the RGB color code.
0-255
Default: 63
Logon Background ColorGreen Value
Specify the green value of the RGB color code.
0-255
Default: 59
Logon Background ColorRed Value
Specify the red value of the RGB color code.
0-255
Default: 57
Logon Banner
Specify if a banner image should be shown during logon.
Enable, Disable
Default: Disable
Logon BannerLogon Banner Image
Specify the logon banner image.
Maximum size: 128 KB
Resolution: 512 x 64 pixels
File formats: PNG with transparency (recommended), JPG and GIF
Support Info
Display Help Desk information or Administrator contact.
Default: N/A
Token Authentication
Policy related to physical tokens including smart cards and USB tokens. All sub-policies are visible only when Token Authentication is enabled.
Enable, Disable
Default: Disable
OCSP Validation
Verifying certificates via OCSP allows for the revocation of invalid certificates via the CA.
Note
Note
All sub-policies are visible only when OCSP Validation is Enabled.
Enable, Disable
Default: Disable
OCSP CA Certificates
Certificate Authority certificates.
Note
Note
This is a sub-policy of OCSP Validation.
0-1024 characters
Default: N/A
OCSP Expired Certificate Status Action
Defines the action to take if the OCSP certificate status is expired.
Note
Note
This is a sub-policy of OCSP Validation.
Time Delay, Erase, Remote Authentication, Denial of Login, Allow Access
Default: Denial of Login
OCSP Grace
A grace period in days that allows authentication to occur even if the OCSP server has not verified the certificate in this number of days.
Note
Note
This is a sub-policy of OCSP Validation.
0-365
Default: 7
OCSP Responders
Certificate Authority certificates.
Note
Note
This is a sub-policy of OCSP Validation.
Yes, No
Default: Yes
OCSP Responder Certificate
Certificate Authority Certificate
Note
Note
This is a sub-policy of OCSP Responders.
0-1024 characters
Default: N/A
OCSP Responder URL
Certificate Authority certificates.
Note
Note
This is a sub-policy of OCSP Responders.
0-1024 characters
Default: N/A
OCSP Revoked Certificate Status Action
Defines the action to take if the OCSP certificate status is revoked.
Note
Note
This is a sub-policy of OCSP Responders.
Time Delay, Erase, Remote Authentication, Denial of Login, Allow Access
Default: Denial of Login
OCSP Show Success
Whether success of OCSP reply should be displayed.
Note
Note
This is a sub-policy of OCSP Responders.
Yes, No
Default: Yes
OCSP Unknown Certificate Status Action
Specify the action when an OCSP certificate status is unknown.
This is sub-policy of OCSP Responders.
Time Delay, Erase, Remote Authentication, Denial of Login, Allow Access
Default: Denial of Login
Token Passthru
Pass the token to the desktop GINA for further processing during the boot process.
This is sub-policy of OCSP Responders.
Yes, No
Default: No
Keywords: login