The following table explains the policies that govern logging on to the Full Disk Encryption agent.

Note:

Encryption Management for Apple FileVault and Encryption Management for Microsoft BitLocker do not require authentication and are not affected by authentication policies. Client, login, password, and authentication policies, and the policy that allows the user to uninstall the Endpoint Encryption agent software, affect only the Full Disk Encryption and File Encryption agents.

Table 1. Full Disk Encryption Login Policy Descriptions

| Policy Name | Description | Value Range and Default |
|---|---|---|
| Account Lockout Action | Specify the action to take when the device has been out of communication with the PolicyServer for longer than the number of days set in the Account Lockout Period policy. Erase: all content on the device is wiped. Remote Authentication: the user must perform remote authentication. | Erase, Remote Authentication. Default: Remote Authentication |
| Account Lockout Period | Specify the number of days that the client may be out of communication with the PolicyServer. | 0-999. Default: 360 |
| Dead Man Switch | Specify a sequence of characters that, when entered, erases all content on the device. | 1-255 characters. Default: N/A |
| Device Locked Action | Specify the action to take when the device locks. Time Delay: the amount of time that must elapse before the user can retry logging on. Erase: all content on the device is wiped. Remote Authentication: the user must perform remote authentication. | Time Delay, Erase, Remote Authentication. Default: Time Delay |
| Failed Login Attempts Allowed | Specify the number of failed logon attempts allowed before the Lock Device Time Delay is applied. | 0-100. Default: 5 |
| If Found | Specify the information to be displayed. | 1-255 characters. Default: N/A |
| Legal Notice | Specify whether a legal notice is displayed. | Enable/Disable. Default: Disabled |
| Legal Notice Display Time | Specify when the configured legal notice is displayed to the user. | Installation, Startup. Default: Startup |
| Legal Notice Text | Specify the body of the legal notice. | Insert File. Default: N/A |
| Lock Device Time Delay | Lock the device for the specified number of minutes when the user exceeds Failed Login Attempts Allowed. | 1-999,999 minutes. Default: 1 |
| Preboot Bypass | Specify whether the preboot is bypassed. | Yes, No. Default: No |
| Logon Background Color | Specify whether a custom background color is used during logon. | Enable, Disable. Default: Disable |
| Logon Background Color > Blue Value | Specify the blue value of the RGB color code. | 0-255. Default: 63 |
| Logon Background Color > Green Value | Specify the green value of the RGB color code. | 0-255. Default: 59 |
| Logon Background Color > Red Value | Specify the red value of the RGB color code. | 0-255. Default: 57 |
| Logon Banner | Specify whether a banner image is shown during logon. | Enable, Disable. Default: Disable |
| Logon Banner > Logon Banner Image | Specify the logon banner image. | Maximum size: 128 KB. Resolution: 512 x 64 pixels. File formats: PNG with transparency (recommended), JPG, and GIF |
| Support Info | Display Help Desk information or Administrator contact details. | Default: N/A |
| Token Authentication | Policies related to physical tokens, including smart cards and USB tokens. All sub-policies are visible only when Token Authentication is enabled. | Enable, Disable. Default: Disable |
| OCSP Validation | Verifying certificates via OCSP lets the agent check with the CA whether a certificate has been revoked. Note: all sub-policies are visible only when OCSP Validation is Enabled. | Enable, Disable. Default: Disable |
| OCSP CA Certificates | Certificate Authority certificates. Note: this is a sub-policy of OCSP Validation. | 0-1024 characters. Default: N/A |
| OCSP Expired Certificate Status Action | Specify the action to take if the OCSP certificate status is expired. Note: this is a sub-policy of OCSP Validation. | Time Delay, Erase, Remote Authentication, Denial of Login, Allow Access. Default: Denial of Login |
| OCSP Grace | A grace period, in days, during which authentication is still allowed even if the OCSP server has not verified the certificate within that number of days. Note: this is a sub-policy of OCSP Validation. | 0-365. Default: 7 |
| OCSP Responders | Certificate Authority certificates. Note: this is a sub-policy of OCSP Validation. | Yes, No. Default: Yes |
| OCSP Responder Certificate | Certificate Authority certificate. Note: this is a sub-policy of OCSP Responders. | 0-1024 characters. Default: N/A |
| OCSP Responder URL | Certificate Authority certificates. Note: this is a sub-policy of OCSP Responders. | 0-1024 characters. Default: N/A |
| OCSP Revoked Certificate Status Action | Specify the action to take if the OCSP certificate status is revoked. Note: this is a sub-policy of OCSP Responders. | Time Delay, Erase, Remote Authentication, Denial of Login, Allow Access. Default: Denial of Login |
| OCSP Show Success | Specify whether a successful OCSP reply is displayed. Note: this is a sub-policy of OCSP Responders. | Yes, No. Default: Yes |
| OCSP Unknown Certificate Status Action | Specify the action to take when the OCSP certificate status is unknown. Note: this is a sub-policy of OCSP Responders. | Time Delay, Erase, Remote Authentication, Denial of Login, Allow Access. Default: Denial of Login |
| Token Passthru | Pass the token to the desktop GINA for further processing during the boot process. Note: this is a sub-policy of OCSP Responders. | Yes, No. Default: No |
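The lockout, device-lock and OCSP policies above interact at pre-boot logon, and the table lists them one at a time. The following Python model is an added example, not code from Endpoint Encryption or its documentation; it encodes the documented value ranges and defaults and shows how a logon decision falls out of them. The evaluation order (PolicyServer contact age first, then failed-attempt count, then OCSP status), the `LogonState` inputs, and the treatment of a missing OCSP reply as the case the OCSP Grace period covers are assumptions of this model, not documented product behaviour.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Action names exactly as they appear in Table 1.
ERASE = "Erase"
REMOTE_AUTH = "Remote Authentication"
TIME_DELAY = "Time Delay"
DENIAL = "Denial of Login"
ALLOW = "Allow Access"


@dataclass
class LoginPolicy:
    """Field defaults match the 'Default:' column of Table 1."""
    failed_login_attempts_allowed: int = 5        # 0-100
    lock_device_time_delay_minutes: int = 1       # 1-999,999
    device_locked_action: str = TIME_DELAY        # Time Delay, Erase, Remote Authentication
    account_lockout_period_days: int = 360        # 0-999
    account_lockout_action: str = REMOTE_AUTH     # Erase, Remote Authentication
    ocsp_validation: bool = False
    ocsp_grace_days: int = 7                      # 0-365
    ocsp_expired_action: str = DENIAL
    ocsp_revoked_action: str = DENIAL
    ocsp_unknown_action: str = DENIAL


@dataclass
class LogonState:
    """What the agent knows at pre-boot logon (hypothetical inputs for this model)."""
    failed_attempts: int = 0                  # consecutive failed logons on this device
    days_since_policyserver_contact: int = 0
    ocsp_status: Optional[str] = None         # "good", "revoked", "expired", "unknown"; None = no reply
    days_since_ocsp_verified: int = 0         # age of the last successful OCSP verification


def validate_policy(p: LoginPolicy) -> List[str]:
    """Return the documented value-range violations in a policy (empty list = valid)."""
    errors = []
    if not 0 <= p.failed_login_attempts_allowed <= 100:
        errors.append("Failed Login Attempts Allowed must be 0-100")
    if not 1 <= p.lock_device_time_delay_minutes <= 999_999:
        errors.append("Lock Device Time Delay must be 1-999,999 minutes")
    if not 0 <= p.account_lockout_period_days <= 999:
        errors.append("Account Lockout Period must be 0-999 days")
    if not 0 <= p.ocsp_grace_days <= 365:
        errors.append("OCSP Grace must be 0-365 days")
    if p.device_locked_action not in (TIME_DELAY, ERASE, REMOTE_AUTH):
        errors.append("Device Locked Action must be Time Delay, Erase or Remote Authentication")
    if p.account_lockout_action not in (ERASE, REMOTE_AUTH):
        errors.append("Account Lockout Action must be Erase or Remote Authentication")
    status_actions = (TIME_DELAY, ERASE, REMOTE_AUTH, DENIAL, ALLOW)
    for name, value in (("Expired", p.ocsp_expired_action),
                        ("Revoked", p.ocsp_revoked_action),
                        ("Unknown", p.ocsp_unknown_action)):
        if value not in status_actions:
            errors.append(f"OCSP {name} Certificate Status Action has an invalid value")
    return errors


def evaluate_logon(p: LoginPolicy, s: LogonState) -> Tuple[str, str]:
    """Return (action, reason) for one logon attempt. The ordering below is an assumption."""
    # 1. Account lockout: the device has been out of contact with the PolicyServer too long.
    if s.days_since_policyserver_contact > p.account_lockout_period_days:
        return p.account_lockout_action, (
            f"no PolicyServer contact for {s.days_since_policyserver_contact} day(s), "
            f"limit {p.account_lockout_period_days}")
    # 2. Device lock: too many failed attempts. The table does not say how a value of 0 is
    #    treated; this model simply compares the counts.
    if s.failed_attempts >= p.failed_login_attempts_allowed:
        if p.device_locked_action == TIME_DELAY:
            return TIME_DELAY, f"device locked for {p.lock_device_time_delay_minutes} minute(s)"
        return p.device_locked_action, "failed logon attempt limit reached"
    # 3. OCSP: only consulted when OCSP Validation is enabled.
    if p.ocsp_validation:
        if s.ocsp_status == "good":
            return ALLOW, "OCSP reports the certificate as good"
        if s.ocsp_status is None:
            # No reply from the responder: OCSP Grace decides whether to proceed.
            if s.days_since_ocsp_verified <= p.ocsp_grace_days:
                return ALLOW, (f"no OCSP reply; last verified {s.days_since_ocsp_verified} day(s) "
                               f"ago, within grace of {p.ocsp_grace_days}")
            return p.ocsp_unknown_action, "no OCSP reply and grace period exceeded"
        action = {"revoked": p.ocsp_revoked_action,
                  "expired": p.ocsp_expired_action,
                  "unknown": p.ocsp_unknown_action}[s.ocsp_status]
        return action, f"OCSP status is {s.ocsp_status}"
    return ALLOW, "credentials accepted"


if __name__ == "__main__":
    policy = LoginPolicy(ocsp_validation=True)
    print(validate_policy(policy))
    print(evaluate_logon(policy, LogonState(failed_attempts=5)))
    print(evaluate_logon(policy, LogonState(days_since_ocsp_verified=8)))
```

Running the model with the defaults makes the lockout relationships concrete: a fifth consecutive failure triggers the one-minute Time Delay rather than an erase, a device silent for 361 days (one past the default Account Lockout Period) is forced to Remote Authentication, and with OCSP Validation enabled a responder outage is tolerated for the seven-day OCSP Grace window before the Unknown Certificate Status Action (Denial of Login by default) applies. The actions are returned as names only; nothing here wipes or locks anything.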