cynapspro endpoint data protection - user guide


Last Update: May 25, 2010

cynapspro Endpoint Data Protection 2010 User Guide

Cynapspro Endpoint Data Protection

DevicePro prevents data loss by controlling all kinds of ports and external storage devices.

CryptionPro protects your company data by efficiently encrypting data stored on external devices.

CryptionPro HDD protects confidential data through automatic and efficient HDD encryption.

ApplicationPro controls the use of applications based on a white list or black list.

ErasePro ensures that files are securely and permanently deleted.

PowerPro cuts energy costs and reports suspicious activity.


Table of Contents

General Information..................................................................................................... 6

The cynapspro Management Console: ......................................................................... 6

Change Hostname/ Port ......................................................................................... 6

Change Language .................................................................................................. 6

cynapspro Admin Tool ............................................................................................... 7

Database Settings ................................................................................................. 7

Directory Service Settings ...................................................................................... 7

cynapspro Server Settings ...................................................................................... 7

Log Level ............................................................................................................. 7

Server Management ................................................................................................. 7

Server Relocation .................................................................................................. 8

Database Maintenance .............................................................................................. 9

Merging of Two Databases ...................................................................................... 9

License Management .............................................................................................. 10

Log File Management .............................................................................................. 10

Log Files of the cynapspro Agent ........................................................................... 10

Audit Logs .......................................................................................................... 11

cynapspro Client .................................................................................................... 12

General Information ............................................................................................ 12

Generate an MSI Packet for the Client .................................................................... 12

Installation/ Update of the Agents ......................................................................... 12

Ticket System ........................................................................................................ 14

Custom Error Messages ........................................................................................... 14

Directory Service Structure ......................................................................................... 16

Active Directory/ NDS Synchronization ...................................................................... 16

Active Directory Synchronization – Scheduler .......................................................... 17

Management of Domain Controller ......................................................................... 17

Manage your own Directory ...................................................................... 18

Inheritance of Group Rights ..................................................................................... 18

Integration of Third Party Systems .............................................................................. 20

Administration .......................................................................................................... 21

Change Requests.................................................................................................... 21

Mail Notifications .................................................................................................... 21

Administrative Roles ............................................................................................... 22

Administrators and Access Scope ............................................................................. 23

DevicePro ................................................................................................................. 25

Rights Management ................................................................................................ 25

Access Management ............................................................................................ 25

Activate/Deactivate Users or Computers ................................................................. 27

User Information ................................................................................................. 27


Import Permissions .............................................................................................. 28

Combining Computers and Users ........................................................................... 28

Computer Rights ................................................................................................. 29

Precedence in case of Conflicting Rights ................................................................. 30

Device White List .................................................................................................... 31

White listing Device Types .................................................................................... 31

White listing Individual Devices ............................................................................. 31

Media Release ..................................................................................................... 34

Challenge Response to obtain Access to Individual Devices ....................................... 35

Content Header Filter .............................................................................................. 36

Reporting & Analysis ............................................................................................... 37

Access Rights Changes Not Yet Transmitted ............................................................ 37

Active/Inactive Users ........................................................................................... 37

Analysis of Rights Changes ................................................................................... 37

Access Rights Analysis ......................................................................................... 37

Access Rights Overview - Details ........................................................................... 37

Access Rights Overview - Summary ....................................................................... 38

Deviations from Default Rights .............................................................................. 38

One-Time or Temporary Permissions ..................................................................... 38

Audit Log............................................................................................................... 38

Blocked Access .................................................................................................... 38

Access Statistics .................................................................................................. 39

cynapspro Agent .................................................................................................... 40

User Rights/ Currently Connected Devices .............................................................. 41

Request Access Rights ......................................................................................... 41

Challenge Response for the Release of Individual Devices ......................................... 42

Enter Unblocking Code ......................................................................................... 43

Login As ............................................................................................................. 43

Import Access Rights ........................................................................................... 44

Solution Scenarios .................................................................................................. 44

No Connection to the Server ................................................................................. 44

Getting Started after the Installation ..................................................................... 44

View Already Installed Computers ......................................................................... 45

Restrict Access to Company-Owned Devices ........................................................... 45

Assign Specific Devices to Selected Users ............................................................... 46

Blocking File Types .............................................................................................. 47

Change Access Permissions Offline ........................................................................ 47

File Access Log .................................................................................................... 48

Administrator with different Access Levels .............................................................. 48

ApplicationPro ........................................................................................................... 49

Introduction ........................................................................................................... 49


Rights Management ................................................................................................ 49

Learning Mode ....................................................................................................... 50

Managing ApplicationPro with the Learning Mode ..................................................... 50

Management of Programs ..................................................................................... 51

Management of Roles ........................................................................................... 51

ApplicationPro Settings ........................................................................................... 52

Trusted Objects ................................................................................................... 52

Solution Scenarios for ApplicationPro ........................................................................ 52

Quick White Listing of Applications ........................................................................ 52

White Listing Many Programs for Many Users .......................................................... 53

CryptionPro .............................................................................................................. 54

Overview ............................................................................................................... 54

Encryption Options ................................................................................................. 54

Key Management ................................................................................................... 55

CryptionPro Group Management ............................................................................... 56

CryptionPro Mobile (global settings) .......................................................................... 56

Device Blacklist ...................................................................................................... 56

Unencrypted File Transfer ........................................................................................ 56

User Configuration .................................................................................................. 57

CryptionPro Mobile (Client Software) ......................................................................... 57

Solution Scenarios for (CryptionPro) ......................................................................... 58

Automatic Encryption for All Users ......................................................................... 58

Save Without Encryption ...................................................................................... 59

CryptionPro HDD 2010 ............................................................................................... 60

Default Settings ..................................................................................................... 60

Pre-Boot Authentication ....................................................................................... 60

PBA Settings ....................................................................................................... 61

Full Disk Encryption ............................................................................................. 61

Installation Settings ............................................................................................. 62

Installation and Management ................................................................................ 63

ErasePro................................................................................................................... 65

User Management .................................................................................................. 65

Secure Deletion of Files ........................................................................................... 66

PowerPro .................................................................................................................. 67

Profile Management ................................................................................................ 67

Computer Settings .................................................................................................. 67

Scheduler .............................................................................................................. 68

Exceptions for Important Programs ........................................................................... 68

User Rights ............................................................................................................ 68

Settings ................................................................................................................ 69

Appendix .................................................................................................................. 70


Components for the Creation of a cynapspro Rights File .............................................. 70

Change Device Port ............................................................................................. 70

Change Device Type ............................................................................................ 70

White Listed Device Types .................................................................................... 71

Component for White Listing a Unique Device ............................................................ 72

White List a PDA for All Users: .............................................................................. 72

Use Cases ............................................................................................................. 73

Define User or Computer Rights for a Port .............................................................. 73

Change access rights of a Computer for 2 Ports and 2 Device Types .......................... 73

Add 2 Devices of Different Device Types to the white list of Device Models ................. 74

Remove Device from the Device Model White List .................................................... 74

Add a PDA to the Global White List ........................................................................ 74

Remove a User from a Unique Device White List...................................................... 74

Useful Command Lines ............................................................................................ 75

Start AD/NDS/LDAP Synchronization...................................................................... 75

Automatically Activate All Users ............................................................................ 75

Change License File ............................................................................................. 75

Define the First Network Drive Letter ..................................................................... 75

Client Rollout using the cynapspro Server ............................................................... 75

Client Update using the cynapspro Server .............................................................. 75

Automatic Deletion of Log Files ............................................................................. 75

Changing the Domain Controller Information .......................................................... 76

Changing the Path for the XML Interface ................................................................ 76

Import and Export Settings from Server to Server ................................................... 76

Copyright ................................................................................................................. 77


General Information

For the administration of the cynapspro Server, there are two tools available:

The cynapspro Management Console:

The cynapspro Management Console is the central interface for controlling all cynapspro functions. The Management Console can be accessed from any location, i.e. each administrator can run it from his workstation.

The cynapspro 2010 Management Console can be accessed via the start menu:

> All Programs > cynapspro GmbH

Change Hostname/ Port

You can run the Management Console from any workstation. Just copy the exe file to a network drive or directly to your computer. Enter the hostname and the port when prompted.

To log on to a different server and/or change the settings, go to the toolbar and select File > cynapspro server.

Change Language

To change the language of the Management Console, go to Tools > Options in the toolbar menu. Two languages are offered: German and English.


cynapspro Admin Tool

The cynapspro Admin Tool is used to configure or check the server settings. After successful installation of the cynapspro server, you can use the Admin Tool to verify and change server or database settings.

By default, the tool is installed at

C:\Program Files\cynapspro GmbH\DevicePro 2010\

and can be accessed using

> All Programs > DevicePro 2010.

Database Settings

Click on the button Validate to test the connection to the specified database. cynapspro solutions need a user with database administrator rights (DB Owner) to access the database.

Directory Service Settings

A prerequisite for the synchronization of the directory structure is that the specified user holds the necessary access rights (List Contents, Read All Properties). Enter the hostname of the directory service server in the field Domain Controller. Click on the button Validate to test the connection.

cynapspro Server Settings

Two ports are used by default for the communication between the cynapspro server and the client components. Define the client-server XmlRpcPort and the server-client Notification port.

The client-server XmlRpcPort is used by clients to connect to the server (default: 6005). The server-client Notification port is used by the server to notify the clients about changes made to their rights on the server (default: 6006).

Log Level

The server services as well as the agent permanently log all activities. The level of detail can be defined with the following options:

- Operating Mode: errors only
- Administration Mode: detailed
- Debug Mode: very detailed

Server Management

You can run multiple cynapspro servers, for example to safeguard against failure. When installing an additional server, specify the same database in the installation routine. You will then see all cynapspro servers under Server Management. You can now define whether the client should randomly select a server to sign on to or whether a specific sequence should be applied.

Server Management is also recommended when you plan to move the cynapspro server.


Before uninstalling the old cynapspro server, just assign a higher priority to the new cynapspro server to ensure uninterrupted service.

Server Relocation

You have bought new hardware, or other circumstances require that you move the cynapspro server to a new machine. This is no problem at all if the current IP address and/or the server name will also be used for the new server: the cynapspro agents will then automatically find the new server. If the IP address and server name will be different, you can move the cynapspro server component as follows.

You can use one of the following two methods to relocate the cynapspro server:

1) Install the new cynapspro server with access to the old/new database (you define the SQL server during the installation or afterwards via the Admin Tool). Now open the Management Console on the old server and go to Administration > Server Management. You can now give the new server a higher priority than the old one. All clients will now log on to the new server.

2) Install the new cynapspro server with access to the old/new database (you define the SQL server during the installation or afterwards via the Admin Tool). Start the new server, go to Administration > Generate MSI package for the clients and generate a new MSI package (do not forget to define the default settings for clients). Use "Open folder" to go directly to the directory. Copy the new MSI package into the MSI directory of the old server and run an update of the agents from the old server. The old server now distributes the server information of the new server to the clients, which will then all log on to the new server.

In both cases, it is possible that not all clients are online and receive the update; they would then still report to the old server. It is best to leave the old server running for about two weeks to be sure that all clients have received the update. Use "Update of the Agents" on the old server and look under "Inactive" to see how many and which clients have been offline and have therefore not received the update.

Database Maintenance

If you use cynapspro Endpoint Data Protection solutions over a prolonged period of time or in larger environments, the DevicePro database stored in your SQL Server can grow significantly in volume. To keep the database volume low, you can archive the data generated through logging and auditing, or delete duplicate records.

To evaluate duplicates, click on Analyze. You can now see how many duplicate records have been entered under logging and auditing. You can Delete these duplicates to shrink the database without losing data.

If the volume of the database is still too large, you can archive old records into files that can still be evaluated later. Select the time period that should be covered by each file, define the path to the archive and whether the archiving should be done automatically or manually.

Merging of Two Databases

If you have installed several cynapspro servers in different environments and you now want to bring them together, proceed as follows.

Connect to the cynapspro server that you want to eliminate. Export the database information into a file (txt format) with the following command from the command line:

<Installation Path>\DpAdmin Tool.exe /exportACL "<path>\<filename>.txt"

Then connect to the cynapspro server you want to keep.


Import the information using the following command line:

<Installation Path>\DpAdmin Tool.exe /importACL "<Path>\<filename>.txt"

The user information is tied to the user name (e.g. the AD account name). Thus, no complications arise if the SID has changed.

License Management

Here you can see the number of licenses you have purchased, the actual number of active users, as well as all add-ons that have been activated with your license.

If you want to activate additional licenses or add-ons, such as logging, ApplicationPro, CryptionPro, etc., you only need a new Lic file. Open it with the Browse button and click Confirm. The new licenses and add-ons will be activated immediately.

Log File Management

By default, cynapspro saves its log files in the LOG folder of the installation directory. You can change the path of the log files as you see fit.

You can also change the degree of detail of the logs by selecting one of three radio buttons. The operation mode provides very basic logging, the administration mode creates a fairly detailed log file and the debug mode provides very detailed logging.

You also have the option to compress log files. If you need support, these compressed files are very helpful to our support staff. Select the time period as well as the components, then click on Compress and open the folder. Send this file along with the error description to our support ([email protected]).

Log Files of the cynapspro Agent

To check the log file of a user's agent, go to Rights Management. Right-click on the corresponding user. The context menu has the menu option Log files of the agent, which offers three choices. Choice number One: you can view the latest log by clicking on Current. The current file opens in the editor in log format.


If you would like to access an older log file or open multiple logs of that user, select choice number Two: you can now select the desired log file(s) from a list. After clicking on the selected log file, it will open in Notepad. You can now check the activities of the user.

You can also Delete older or all log files in the cynapspro Management Console.

Audit Logs

Go to the audit administration to enable or disable audit logs.


If not all administrators should be allowed to access the logging of all users, or if access should only be possible together with a representative of the workers' council or the management, you can restrict access by depositing up to two passwords. Access to the audit logs will then only be granted if both passwords have been entered.

cynapspro Client

General Information

By installing the cynapspro client component, a kernel filter driver is installed on the Windows system. The task of the kernel filter driver is to monitor the rights that have been allocated to the user or computer.

The use of the kernel filter driver has the advantage that all rights remain valid and effective when the computer is offline. Furthermore, the kernel filter driver provides much higher security and prevents incompatibilities and problems.

The cynapspro client component should be installed on each workstation.

Generate an MSI Packet for the Client

Here you can generate an MSI package for the installation of the cynapspro 2010 agents. The settings for the package are automatically copied from the current cynapspro 2010 Server.

Optionally, you can generate the MSI package so that the tray icon is hidden in Windows. To ensure optimal offline support, we recommend not hiding the tray icon.

By activating the checkbox Prevent Service Stop, the MSI package will be generated in such a way that even users with administrative rights can no longer stop the service that is used for communication between server and client. The password protection for the uninstall is designed to prevent users with administrative rights from removing the cynapspro 2010 agent.

If you have low bandwidth in your network, you can increase the Timeout on the client. By default, a timeout of 12 seconds is defined.

If you have computers connected to the corporate network over WLAN or UMTS/GPRS, you can use Rights for communication devices to specify that a radio connection will not be blocked until the computer is restarted.

Installation/ Update of the Agents

To help you manage version updates, you can update or install cynapspro agents directly from the Management Console. For the installation you need to define under Settings - Installation a domain user with the appropriate privileges for the installation (e.g. [email protected]). Under Settings – Update, you have two options: you can initiate the update manually or have the update run automatically each time the server is updated.


In order to start a manual update or an installation from the Console, go to Administration > Installation > Update of the agents, select the desired systems and click on Install/Update.

An automatic update is started if you go to Download Settings, activate Automatically and then confirm the setting. You can also have the updates rolled out according to a time schedule by activating Schedule.

If you want to rename the MSI file, activate Allow name changes. This setting is recommended if the installation is done with the help of a software distribution solution or from a network drive.

To obtain an overview of all clients that have not yet been equipped with the cynapspro agent, select Only computers without an Agent under View.

If the installation has not been carried out properly via the Management Console, check whether the MSI was transferred to the client under C:\Temp. If this is not the case, check your firewall settings. If the MSI is located under C:\Temp but could not be executed remotely, you need to make the following Group Policy changes:

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound remote administration exception

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow inbound remote administration exception


Ticket System

Cynapspro offers a ticket system which enables users to send access rights requests to the administrator.

If you do not want users to use this feature, you can deactivate the checkbox Allow access change requests in the client settings. Users can then no longer apply for any access changes using the ticket system.

You can also specify the network drive letter assignment, which specifies from which drive letter onwards external storage devices can be expected. If you set the first network drive letter, you prevent an external storage device from having the same drive letter as a network drive.

One click is enough to avoid one of the most common support cases in companies.

Custom Error Messages

Custom error messages allow you to create your own message to the user in case an access violation is prevented. The message appears as a popup above the system clock.

Go to Administration > Client Management > Custom error Messages. Start by choosing one of the two languages offered: German or English. To change the default message to your liking, just double-click on the access violation. For example, click on no access, enter the appropriate message and press OK. Optionally you can add the parameter #DeviceType at any point in your message if you want the user to know which device type is locked.

If you want to allow users access to external storage but also draw attention to the dangers of these devices, you can use security warnings.


When a mass storage device is accessed for the first time, the warning you have defined appears. The user needs to confirm once that he has read and understood the warning. Only after confirmation of the security warning is access to the external storage devices allowed.

The process is registered in the log file.


Directory Service Structure

Active Directory/ NDS Synchronization

Active Directory / NDS synchronization allows you to copy users and groups from your existing directory service into the cynapspro database. The synchronization of the cynapspro server with the directory service reads the complete structure from the directory and copies it to the cynapspro database.

There are no schema extensions or other modifications in the directory service. All relevant data is only copied.

Before you start the first synchronization, you can set default permissions for users. This is useful, as you then do not need to manually define rights for every new user. Go to Rights Management > Specific Users > Default Rights (New user).

To start the synchronization, go to AD and NDS synchronization and click the Start button.

If you have enabled some groups and want new users of these groups to be activated immediately, just activate the checkbox Automatically activate new users.

You can choose the OUs or groups you want to synchronize in the left window. Thus you do not need to synchronize the entire directory service every time.


Active Directory Synchronization – Scheduler

Users and groups are frequently created or deleted. So that the directory service does not have to be synchronized manually with every change, there is an automatic synchronization function. The scheduler enables you to activate such automatic synchronization of the directory structure.

You can set the times and days of the week as well as time intervals. Click Confirm to activate your settings.

Management of Domain Controllers

If you have multiple domain controllers (DCs) and want to synchronize all OUs, groups and users of these DCs, you can enter additional DCs.

The primary domain controller was specified during the installation.

Go to Secondary Domain Controllers and add additional DCs by clicking on Insert and entering the required data. Then click Confirm.


Synchronization Log

The synchronization log tells you whether a synchronization was successful or whether it has failed.

Users that No Longer Exist in the Directory Service

If users, computers, groups or OUs are deleted from the directory service, you will see them after the synchronization under Not Available Users. In order to remove them from the database, just make your selection and click Delete.

The audit record of past user activities will, however, not be deleted.

Manage your own Directory

You can also manage users in cynapspro without Active Directory or Novell eDirectory.

As soon as an MSI package is installed on a computer, you can find the computer and all registered users under Unordered.

For a better overview, you can create your own OUs. Just click on the domain / workgroup and select Insert Organizational Unit.

Users can then be moved to the previously created OUs. Select the user you want to move, press the right mouse button and choose Move To.

Inheritance of Group Rights

Managing users through groups reduces your administrative overhead.

By default, all users are excluded from inheritance. If you want users to automatically inherit permissions, go to rights management and activate the checkbox in the column IA (inheritance active). You can also activate inheritance in the context menu of the user by selecting Activate Inheritance.


The user initially has the default rights that you have defined under Specific Users. If you want the user to automatically have the rights of the parent group, go to AD synchronization and define the inheritance settings. This is where you determine how the inheritance rules are applied.

You can create your own groups in the cynapspro Management Console so that you do not have to create groups in AD / NDS. Go to DevicePro group management.

In the directory service tree, select the parent OU and pull up the context menu with the right mouse button. Select Insert DevicePro group. Then rename the group you have just created and assign the respective users using group members (right panel).


Integration of Third Party Systems

Do you already have a system where you manage all user or rights changes, and do you want these changes to be transferred automatically to the cynapspro database? To support our customers, we have developed rights management via third party software. All your changes can be saved as an XML file that is automatically read by our web service and triggers the respective changes in the cynapspro database.

Just define in the cynapspro Management Console the path where you want to store the XML files. Go to Administration > Integration with other systems. Define the path to your XML files under Folder for data import. The other two paths are created automatically. However, if you want to use a different folder, just click Browse.

If you now place an XML file in the folder for data import, the file is processed immediately.

If the file was read successfully, it is automatically moved to the folder \Success. If the XML file contains errors, it is automatically moved to the folder \Fail.

In addition to the folder structure, the cynapspro server informs you about the status of the import process. If the XML file was processed successfully, you will see that this XML file has the status "Success". If the XML command cannot be read, you receive the message "Failed" and a return value "error text" with the error message status = "Failed", which is again written into this XML file. The third party system thus receives feedback confirming success or an indication of why the import failed.

Please refer to the components listed in the appendix that explain how to create a cynapspro rights file.


Administration

Change Requests

The ticketing system enables you to record change requests from users and to directly apply the requested changes with a right mouse-click.

The user just needs to right-click the tray icon to open the function Request Changes. The window cynapspro - Request access rights opens. The user can select the required device from a drop-down list and add the desired access scope. He transfers his selection with Insert to the List of Access Rights Requests. The user can then add an explanation or comment to justify his request before he submits the list to the administrator.

The administrator immediately receives a message in the Management Console about the change request. He can then immediately assign the requested rights or go to rights management in order to review the user's current rights.

This allows you to determine whether the requested changes are accepted or need to be adjusted. Any changes become effective immediately for the user.

Mail Notifications

Under Mail Notifications, you can define one or more email addresses for receiving alerts via the Management Console or emails with change requests from users.


Go to Administration > Administrator – Tools > Mail notifications. Here you can enable email notifications and enter one or more email addresses that will receive a notification in case of change requests.

Click on Insert, select the event that shall trigger an email and enter the corresponding email address.

Next, you can enter the name of the default sender, the SMTP server and the SMTP server port (default: 25).

The settings become effective after you have clicked on Confirm.

Administrative Roles

cynapspro 2010 allows administrators to assign different admin rights to administrators by using a role model.

For the administrative roles, you can define the respective global and scope-specific operations that administrators can execute.

The global roles specify whether the administrator can see or change the following operations:

- Default Rights

- Content Header Filter

- Audit Log

- Create MSI Packets for the Client

- Manage Log Files

- Administrative Roles

- Administrators & Areas


- License Management

- Client Settings

- Change Requests

- ApplicationPro

- Synchronization

- Scheduler

All these functions are global and cannot be limited to individual users or groups.

In the scope-specific roles, you can assign the following administrator rights:

- Rights Management

- Revision

- Release of device types

- Administrative Release

- User-defined release

- Logging

- ApplicationPro (Rights Management & Learning Mode)

- Reports (Rights that have not been updated, Rights Management Analysis, Rights Analysis, Rights Overview, Audit Logs)

You can assign these rights according to your requirements to OUs, groups or a specific user.

Administrators and Access Scope

Supervisors generally have all rights.

Administrators have specific roles and areas assigned.

Go to the Administrators tab and click on a user to see which administrative roles have been allocated to him.

There are two tabs, called Global and Scope-specific.

- Under Scope-specific, you can assign to the administrator all administrative roles with a scope ranging from the entire infrastructure down to the user level. Thus department heads may manage the rights of their employees.

- Under Global, you can assign to the administrator the previously created global roles.


In the administrators' area, all OUs, groups and users are shown in three different colors:

- Red: The administrator does not have administrative roles in these OUs, groups and users.

- Grey: Some elements of the directory are managed by this administrator.

- Green: All child OUs, groups and users are managed by this administrator.


DevicePro

Rights Management

Access Management

Access management is based on your directory service.

On the left side you see the OUs, groups and folders. Click on an OU, and you will see the groups and users contained in it in the upper right window.

First select the respective users, computers or groups manually or use the search function in the directory service structure. In the lower part of the right window you can now manage their access. All devices and ports are displayed here. Select the desired device and activate the selection by pressing the right mouse button.

The following access settings are available:

- No Access

- Read Access

- Full Access

- Scheduled Access

After making a selection, you assign the changes with Save. The amended access rights become effective immediately. Neither a reboot nor a new logon of the user is required.

If the computer with the client component is not online, the change is assigned at the next logon.


The permission changes can be reviewed by selecting the Revision tab. Here you can see whether and which rights were assigned when, to whom and by whom, and which assignment process was used.

By pressing the Emergency button, all user rights are set to "No access".

Time Segment Scheme – Scheduled Access Permissions

Assign access rights for days of the week and hours of the day.

One-Time Access Permission

You can assign temporary access rights using One-Off Access Permissions. When the assigned time has elapsed, permissions are reset to their previous state.

Generate Unblocking Code

This feature allows you to support a user who is offline. The unblocking code can be used to assign access rights.

Access permission for entire device types

To generate an unblocking code for an entire device type, go to the appropriate user and right-click the desired device type. Select Generate Unblocking Code from the context menu. Select the access scope and, where appropriate, the access period, and then click on Generate.

The generated code can now be entered directly by the user via the tray icon of the client component using the function Enter activation code. This code is only valid for the user it has been generated for and it can only be used once.


If the user needs access to a device that is currently not on the white list (released devices), this can be bypassed by activating the checkbox "ignore white list".

Activate/Deactivate Users or Computers

Access permissions only apply to users / computers set to active. Once the user or computer is set to inactive, neither the rights from access management nor the device release apply. To activate or deactivate a user or group, use a right mouse-click to pull up the context menu.

A license is only consumed after activation of a user or computer for the corresponding module (DevicePro, ApplicationPro or CryptionPro).

You can activate or deactivate all modules at once using Activate All or Deactivate All.

User Information

The button User Info takes you to a complete overview of all rights and settings for the selected user.


Go to rights management, select a user and click on User Info, or go directly to the appropriate user and use a right mouse-click to select User Info. A window opens with the privileges and settings of the user. You now have the option of printing these rights or saving them as a csv file for analysis.

Import Permissions

If you are currently working on a computer that is not connected to the company network but you still want to change user permissions, you can export the user rights from the Management Console and import them into the agent.

First, configure the permissions of the corresponding user. Then right-click the user in the cynapspro Management Console. Select Export rights and save the dpa file.

After you have made the dpa file available to the user, he can right-click the cynapspro tray icon and select the option Import rights. He can now select his dpa file. After saving, the changed rights are effective.

Combining Computers and Users

If you want a user to have different rights on one or more computers, you can make the appropriate adjustments under rights management. Right-click the corresponding user. The context menu shows the option Assign computer.


Now you can see the directory service structure of your computers.

Select the desired computer and move it to the right window. Confirm your selection with OK.

Now you can see that there is a computer assigned to the user.

Under user management, you can see all users that have computers assigned.

Select one of these computers and assign the appropriate rights under access management.

You can assign several computers to a user, with each computer having different access permissions.

Computer Rights

You can also assign access rights to one or more computers, regardless of which users are logged on.


Go to the directory service tree under rights management. Navigate to the tab Computers and select the desired computer.

Use the right mouse button to activate the machine for DevicePro, ApplicationPro or logging. Then you can assign the requested rights under access management.

cynapspro first checks the rights of the computer. If there are no restrictions, it checks the restrictions for the combination of computer and user. If there are no such restrictions, the access rights of the user apply.

Precedence in case of Conflicting Rights

You may wonder which rights take precedence if you have assigned different rights for the computer and the user.

DevicePro first checks the computer rights. If there are no rights restrictions, DevicePro next checks the rights restrictions for the combination of computer and user. If there are no restrictions there, the user rights apply.
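As an added illustration of this precedence order (not cynapspro's own code), the following Python model resolves a device access request by checking the computer rights, then the computer/user combination, then the user rights. The three rule tables and their sample entries are constructed for the example; treating a missing entry as "no restriction" at that level is an assumption.

```python
"""Worked model of DevicePro's precedence rules for conflicting rights.

Illustrative code added for this page; it is not cynapspro's own implementation.
Assumptions: rights are kept per device type in three tables (computer,
computer+user combination, user), a missing entry means "no restriction" at
that level, and the default rights for new users apply when no user entry exists.
"""
from enum import Enum
from typing import Dict, Tuple


class Access(str, Enum):
    """The access settings the guide lists (Scheduled Access is omitted here)."""
    NO_ACCESS = "No Access"
    READ = "Read Access"
    FULL = "Full Access"


# Rule tables; the device type is always the last key component.
ComputerRules = Dict[Tuple[str, str], Access]        # (computer, device type)
ComboRules = Dict[Tuple[str, str, str], Access]      # (computer, user, device type)
UserRules = Dict[Tuple[str, str], Access]            # (user, device type)
DefaultRights = Dict[str, Access]                    # device type -> default for new users


def effective_access(computer: str, user: str, device_type: str,
                     computer_rules: ComputerRules, combo_rules: ComboRules,
                     user_rules: UserRules, default_rights: DefaultRights
                     ) -> Tuple[Access, str]:
    """Return the access level that applies and which level decided it.

    The order mirrors the guide: computer first, then the computer/user
    combination, then the user. A level only decides when it has an entry.
    """
    level = computer_rules.get((computer, device_type))
    if level is not None:
        return level, "computer"
    level = combo_rules.get((computer, user, device_type))
    if level is not None:
        return level, "computer+user"
    level = user_rules.get((user, device_type))
    if level is not None:
        return level, "user"
    # No entry anywhere: the default rights defined for new users apply.
    return default_rights.get(device_type, Access.NO_ACCESS), "default rights"


# Constructed sample policy (not taken from any real installation).
COMPUTER_RULES: ComputerRules = {
    ("KIOSK-01", "USB mass storage"): Access.NO_ACCESS,   # locked-down shared machine
}
COMBO_RULES: ComboRules = {
    ("WS-042", "alice", "USB mass storage"): Access.READ,  # alice on WS-042 only reads
}
USER_RULES: UserRules = {
    ("alice", "USB mass storage"): Access.FULL,
    ("bob", "CD / DVD"): Access.READ,
}
DEFAULT_RIGHTS: DefaultRights = {
    "USB mass storage": Access.NO_ACCESS,
    "CD / DVD": Access.READ,
}


def resolve(computer: str, user: str, device_type: str) -> Tuple[Access, str]:
    """Resolve a request against the sample policy above."""
    return effective_access(computer, user, device_type, COMPUTER_RULES,
                            COMBO_RULES, USER_RULES, DEFAULT_RIGHTS)


if __name__ == "__main__":
    # alice has Full Access as a user, but the kiosk's own rule still wins.
    for case in [("KIOSK-01", "alice", "USB mass storage"),
                 ("WS-042", "alice", "USB mass storage"),
                 ("WS-007", "alice", "USB mass storage"),
                 ("WS-007", "bob", "USB mass storage")]:
        level, decided_by = resolve(*case)
        print(f"{case[1]}@{case[0]} {case[2]}: {level.value} (decided by {decided_by})")
```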


Device White List

For the management of device white lists, DevicePro differentiates between device types. The following options are available:

- White listed Device Types

o Only listed device types can be used. All other device types will be blocked.

- White list of individual Devices

o White listing individual devices allows access to devices with a specific serial number, regardless of what rights have been assigned to the user.

- Media Release

o The media release allows access to specific CDs or DVDs.

White listing Device Types

This is the vendor-specific device type which you can share on your network. All devices of this model (e.g. Kingston Data Traveler Model X) and the respective device type (USB mass storage) will be authorized.

This device white list complements the access management of the individual user.

Once a device model has been white listed for a device type, all other device models of that device type will be blocked.

You can add any device that is currently connected or has been connected at some time to the list of approved devices. Select the one or several clients to which the desired device(s) has/have been connected.

The clients can be filtered by the host name or the name of the user who is logged on to the workstation.

If you have made your selection, press the Insert button at the top. A window with a selection of devices appears. These can now be added to the white list.

By deactivating the checkbox Only show available devices, the list shows all devices that have ever been connected. Select any desired device and use Insert to add it to the device white list.

Use the comment field to better organize the white listed devices and their origin.

White listing Individual Devices

External devices that appear in the white list of individual devices always have the desired access rights, regardless of the access permissions of the logged on user.

Go to the device white list and click on Individual Device. You can set access permissions for individual devices for users and / or computers.


When you have selected the computer, click on Insert and the window Insert New Device opens. You will now see all devices that are connected at the moment. If you want to add a device that is not currently connected but had previously been connected, just deactivate the checkbox Only show available devices. Select one or more devices from the list.

In the window Insert New Device, there is a column labeled Unique. If you activate the checkbox, the device has the same serial number on all ports. It can then be connected without any problems at all ports and you always have full access to it. If the manufacturer has not assigned a unique serial number to the device, you can connect the device to multiple ports to register and enable the respective serial numbers.

By default, you register devices in the white list with the Hardware ID and the serial number of the manufacturer. In a few cases, the manufacturer has not assigned consistent serial numbers to its devices. Each time one of these devices is plugged in, Windows generates a serial number. For these devices, we recommend registering the device for the white list using the Volume ID.

If you want to register a device model, you can do so using the Hardware ID or the name of that device model.

You can define whether you want to register a device using the Hardware ID + serial number, Hardware ID, Volume ID or the name.


Once the white list has been saved, all devices of the specified device model can immediately be used by all users.

You have the following three options to register a specific device.

If you want to register this device for individual users, go to the access management for users and click Insert. You can thus define that a user always has read or write access to this specific USB stick, no matter where he logs on.


If you want to register this device for a computer, go to the access management for computers and click Insert. Select the desired computer and confirm with OK. The access level can then be changed under Rights. Each user on that computer now has read access or full access to the specified device.

You can also register a device for a user-computer combination. Go to the registered device, select the desired user and continue with Assign computer. Select the respective computer and click OK. The access level can then be changed under Rights.

Media Release

With the media release, you register a certain CD / DVD for the company, an OU or a single employee. The media is identified by a hash value that is calculated in the background.

The media release can be found in the menu under white list > media. Select from the List of cynapspro agents a computer that is running the CD / DVD. Click on Insert and select the disk that you want to share. If you want to share a disk that is currently not connected, just deactivate Only show available devices. Click on Insert to confirm your selection.


Click on Save to register the CD / DVD for all users. If you want to register the media for specific OUs or users only, or only in combination with specific computers, go to access management > Insert and select the desired OUs or users. To assign a user-computer combination, select the user, click on Assign computer and confirm your selection with OK.

Challenge Response to obtain Access to Individual Devices

The Challenge Response method allows you to grant an offline user access to individual devices. This is done in cooperation with the user. The user opens his cynapspro agent.

Under Actual Devices, the user sees a list of all devices currently connected to his computer. He now right-clicks the desired device and selects Generate request code.

The administrator now enters the request code in the Management Console. He goes to the user and selects Device Release / Challenge Response Release. Information about the requested device is displayed. Select the access scope and a time period (optional) and click on Generate.


The generated code can now be entered directly by the user in the tray icon of his client component using the function Enter activation code. This code applies only to that individual user and can only be used once.

Content Header Filter

Content Header Filters are used to prevent the reading, writing or copying of certain files or file types on external devices. Files with the specified name, extension or size are blocked when the black list option is used. Alternatively, you can manage the Content Header Filter list as a white list. In this case, only the files and file types you have specified can be accessed.

You can use the Content Header Filter globally for the whole company or for specific users only. For a global deployment, just activate the checkbox in the column global. If you want to use the filter for individual users or groups, select the object under rights management administrative rights and insert the filter in the tab Content Filter.

For example, you can create a filter which generally blocks all mp3 files with more than 100 bytes and the file Joke.exe. You only need to perform the following steps:

- Insert a new filter in the filter definition window. By double-clicking on the filter, you can rename it. If you want the filter to apply to all users, just click on Global.

- Now click on Insert under rule definition to create a new rule.

- Under Name, enter * (anything). Under Extension, enter mp3; under Size Min (smallest size) enter 100 bytes. Now all mp3 files with more than 100 bytes are blocked on external devices.

- For locking Joke.exe, you simply enter under Name the word joke and under Extension you enter exe.
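The filter from the example above, evaluated in code: an added Python illustration (not cynapspro's own implementation) of how black list and white list mode decide on a file given rules with Name, Extension and Size Min. Wildcard name matching, case-insensitive comparison and treating Size Min as an inclusive lower bound are assumptions; the sample file list is constructed.

```python
"""Evaluate Content Header Filter rules as the guide describes them.

Illustrative code added for this page, not cynapspro's own implementation.
Assumptions: Name and Extension use shell-style wildcards ("*" = anything) and
match case-insensitively; Size Min is an inclusive lower bound in bytes.
"""
import os
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str = "*"                 # file name without extension
    extension: str = "*"            # extension without the leading dot
    size_min: Optional[int] = None  # smallest size (bytes) the rule applies to

    def matches(self, filename: str, size: int) -> bool:
        stem, ext = os.path.splitext(os.path.basename(filename))
        ext = ext[1:]  # "mp3" rather than ".mp3"
        if not fnmatchcase(stem.lower(), self.name.lower()):
            return False
        if not fnmatchcase(ext.lower(), self.extension.lower()):
            return False
        if self.size_min is not None and size < self.size_min:
            return False
        return True


@dataclass
class ContentFilter:
    name: str
    rules: List[Rule] = field(default_factory=list)
    whitelist: bool = False  # False: black list (block matches); True: allow only matches

    def decide(self, filename: str, size: int) -> Tuple[bool, Optional[Rule]]:
        """Return (allowed, matching rule). The first matching rule decides."""
        for rule in self.rules:
            if rule.matches(filename, size):
                # A match means "block" on a black list and "allow" on a white list.
                return self.whitelist, rule
        # No rule matched: a black list lets the file through, a white list blocks it.
        return (not self.whitelist), None


def guide_filter(whitelist: bool = False) -> ContentFilter:
    """The two rules from the guide's example: mp3 files from 100 bytes, and joke.exe."""
    return ContentFilter("Example filter", [
        Rule(name="*", extension="mp3", size_min=100),
        Rule(name="joke", extension="exe"),
    ], whitelist=whitelist)


def evaluate(flt: ContentFilter, files: List[Tuple[str, int]]) -> Dict[str, bool]:
    """Map each (filename, size) to True if the filter allows access to it."""
    return {name: flt.decide(name, size)[0] for name, size in files}


# Constructed sample of files on an external device: (name, size in bytes).
SAMPLE_FILES = [
    ("song.mp3", 4096),     # covered by the mp3 rule
    ("beep.mp3", 50),       # below Size Min, so not covered by the rule
    ("Joke.exe", 12000),    # covered by the name/extension rule (case-insensitive)
    ("report.docx", 9000),  # no rule matches
]

if __name__ == "__main__":
    for mode in (False, True):
        flt = guide_filter(whitelist=mode)
        print("white list" if mode else "black list", evaluate(flt, SAMPLE_FILES))
```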


Reporting & Analysis

You have several reporting options to obtain an overview of user access rights.

The scope of all reports can be adjusted to show either the complete directory structure or only a specific part of it.

If you are looking for information from a specific OU or group only, select it from the tree before calling up the report.

Activate Display immediately if you want all query results to be displayed automatically. You then do not need to click on Display every time.

Access Rights Changes Not Yet Transmitted

Sometimes a user has not registered on the network for some time. If his permissions have been changed during that time, the changes will not have been transmitted. This report shows all users for whom this is the case.

Active/Inactive Users

You can check here which users have already been activated and which users are not yet protected by cynapspro.

Analysis of Rights Changes

Here you can check which administrator has assigned which rights, when and to whom.

Access Rights Analysis

If you want to verify which users have certain rights to a device type, just right-click the device type in the rights analysis and select the access type. Click on Display. You can now see all users that have the default access rights for these devices. You may also combine several device types in this report.

Access Rights Overview - Details

This overview report shows which access permissions have been assigned to which users. Click on the desired device type and click on Display. You will see an overview of all users and their access permissions for this device type.


Access Rights Overview - Summary

The Rights Overview - Summary shows the distribution of access permissions in percentages. Select the Device and the desired View and click on Display. You now have an overview of how often the various levels of access have been assigned in your network for the device type you have selected.

You can choose between the following views:

- Table

- Pie Chart

- Bar Chart

Deviations from Default Rights

This report shows users with access rights that deviate from those of a new user. It thus shows which users have been customized.

One-Time or Temporary Permissions

This report shows which users currently have temporarily amended rights.

Audit Log

The audit log records when and where users have read, copied, written or deleted files.

Blocked Access

Under blocked access, you have an overview of all blocked access attempts, i.e. you can track which users could not access a device, when and why.


Access Statistics

The access statistics show at what time users accessed an external storage device.


cynapspro Agent

The cynapspro tray icon allows you to call up various functions with a double-click.


User Rights/ Currently Connected Devices

The client component enables the user to check his various access rights. Furthermore, the user sees all currently connected devices and the related rights under Actual Devices.

Request Access Rights

The user can request additional access rights using the function Access query in the cynapspro agent menu.


The user can select the desired device type from a drop-down list and send an access request. The user can request several types of access at the same time. He selects the device type and clicks on Insert to add the device to his List of access rights to request. The user can then add an explanation or comment before sending this list off to the administrator using the Send button.

The administrator will immediately get a message about this change request in the Management Console under Administration or by email.

Challenge Response for the Release of Individual Devices

The Challenge Response method allows you to grant an offline user access to individual devices. This is done in cooperation with the user. The user opens his cynapspro agent. Under Actual Devices, the user sees a list of all devices currently connected to his computer. He now right-clicks on the desired device and selects Generate request code.

The administrator now enters the request code in the Management Console. He goes to the user and selects Device Release / Challenge Response Release. Information about the requested device will be displayed. Select the access scope and a time period (optional) and click on Generate.

The generated code can now be entered directly by the user in the tray icon of his client component using the function Enter activation code. This code applies only to that individual user and can only be used once.

Enter Unblocking Code

If an employee is not working within the company network, but wants to have his rights changed, then this is possible using an activation code.

Under rights management, you can generate an unblocking code for users or groups to unlock devices. The employee can then enter this code in his cynapspro agent and will immediately have the appropriate permissions assigned.

Login As

If you want to do some work on a computer where another user is already logged on, e.g. to perform some administrative functions, you can log in using the cynapspro agent and you will immediately have your usual access rights. There is no need for the other Windows user to log off.

To use the Login As function, just double-click on the cynapspro tray icon. Go to Change rights and select Login as… and a login window will appear. Enter the appropriate username and password. The rights of that user will now apply on this machine.

To hand back to the currently logged on Windows user so that his access rights apply again, just use the context menu of the cynapspro tray icon to log out.


Import Access Rights

If you are currently working on a computer that is not connected to the company network, but you want to change the user rights anyway, you can export the user rights from the Management Console and import them using the cynapspro agent.

In a first step, you configure the permissions of the corresponding user. Then right-click on the user in the cynapspro Management Console. Select Export rights and save the dpa-file.

To import the dpa-file, double-click on the cynapspro tray icon. Go to the menu item Change rights and select Import rights... Select the dpa-file of the user. After saving, the changed rights are immediately valid.

Solution Scenarios

No Connection to the Server

The installation was completed without problems. However, the Management Console cannot "Connect" to the server.

Make sure all settings are stored properly by checking them in the cynapspro Admin Tool. If all settings are correct, please check the firewall settings and change the authentication method.

Instructions

The cynapspro Admin Tool can be found in the start menu at Start > Program Files > CynapsPro GmbH > DevicePro 2010.

Test all database settings, as well as the directory service settings, by using the button Check Validate. If necessary, adjust the settings that were made.

If it is still not possible to "Connect" to the server, please check whether the specified ports are open in your firewall.

If the connection still fails, change the authentication method and / or check whether the specified user has the required rights.

Getting Started after the Installation

You have completed the installation successfully and want to use cynapspro to manage your endpoints. The first users or groups from your Active Directory / NDS shall now be provided with certain access privileges.

In a first step you configure the default permissions, and then you start the synchronization of AD / NDS. Next you activate the first users or groups. Then you create the MSI client package and install it on the workstations.

Instructions

Open the Management Console and go to rights management. In the specific user group, you will see the menu item default rights (new users). Open this window to define the default permissions for new users. Right-click on a device type and define the access level. Then click on Confirm.

When you have configured all device types, you can start the synchronization from AD / NDS. Go to the menu item AD synchronization. Click on the Start button to start the synchronization. All users and groups are copied from the existing AD / NDS into the cynapspro database.


If you want to synchronize the directory on a scheduled basis, you need to create a synchronization job in the Scheduler. If you want to immediately activate newly created users, you need to enable Automatically activate new users in the active groups.

If you have not enabled Automatically activate new users in the active groups before the first synchronization, the default permissions will not apply to any of the users. Navigate to rights management and activate the desired users and groups with a right mouse-click for the access permissions to become effective.

After activating users and groups, you should install the cynapspro agent on the workstations. Go to administration. Under client management you will see the menu item Generate MSI package for the client. Select the path where you want to save the package and click Generate.

If you don't want users to be able to see their access rights, to request access rights or to enter an unblocking code when offline, you should activate Hide tray icon. If you want to prevent users from stopping the cynapspro service, you should activate the corresponding checkbox.

After generating the package, you run the MSI file on the workstations. You will find three Bat-files at the location you have specified. You install the software agent by running DBAgentSetup.msi or by starting the install.bat file. If you prefer to install the agent using the command line, type in the following command:

msiexec /i C:\Devicepro\MSI\DBAgentSetup.msi

View Already Installed Computers

You would like to know which machines have already been equipped with the cynapspro agent.

Go to Update of the Agents to view all clients that have already been installed or filter for clients without an agent.

Instructions

Go to Administration / Update of the Agents and use the selection next to View. Select only computers without an agent to view all computers not yet equipped with a cynapspro agent. If you want to see all previously installed agents, select All Agents and click on Inactive in order to see computers that are turned off.

Restrict Access to Company-Owned Devices

You have successfully assigned all rights and have complete control over who can use which external devices. You now want to make sure that only company-owned and approved devices are used. Employees should certainly be able to work with company USB sticks, but they should not be allowed to bring their private devices. The same goes for digital cameras.

Usually there is only a limited number of device models in circulation in a company. You can now create a white list of manufacturers and models which may be used in the company. All other device models will be blocked, even if the employee has the rights to use this device type.


Instructions

Go to the Management Console and select the menu item Device White List. You can select from 3 types of device releases:

- White list of Device Models

- Unique Devices

- Media

Select the item White list of Device Models. In the right hand window, you see all white listed device types. The name is taken from Windows and corresponds to the name in the Device Manager.

If you want to add more device models, you do not need to do this manually. It is sufficient for a device of the desired model to be connected to a computer in the network. Select this computer. If there are many computers online, use the filter to limit the selection.

Once the computer has been selected, click on Insert. The computer will be scanned and all connected devices will be grouped by device type. Select all the device types that you want to white list and confirm with OK. The selected device types are added to the list and once you have saved the changes, they can be used by all users.

Changes are immediately distributed to all computers that are online using a push method. All other computers will receive the latest white list the next time they are started.

When selecting a computer in order to insert its devices, you can choose between devices that are currently connected or any devices that have ever been connected to this computer. You can also select multiple or all computers that are online. You will then see all the devices used in the company. This saves time and you even get a mini-inventory.

Assign Specific Devices to Selected Users

In case allowing in-house devices is not considered safe enough, you may want to specify exactly which person can use which devices.

You can control not only device models, but also the rights to individual devices. These can be distinguished by serial numbers, if the manufacturer has assigned a unique serial number. Then you can allow user X to use a specific camera or USB stick; all other devices will be blocked, even if they are of the same model and the same manufacturer.

Instructions

Go to the Management Console and select the menu item Device White List. Select Unique Devices. Select the desired workstation from the list of cynapspro agents. In a larger infrastructure, you can use the filter to search for the desired computer.

Once the computer has been selected, click on Insert and select the devices you want to have white listed. Next you specify the users and groups which should have access to the white listed devices only.
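As an added illustration (not the product's own code) of how the two white list layers described above combine with the device type rights, the following Python sketch models the decision an agent has to make: the user needs a right for the device type, a model white list blocks every model not on it, and a Unique Devices entry restricts one serial number to the users it was assigned to. It also shows the effect of an unlocking code generated with Ignore white list checked. The access level names, the precedence of unique devices over the model list, and all sample devices, serial numbers and users are constructed assumptions of the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Device:
    """A connected device as the agent would report it (constructed sample data)."""
    device_type: str   # e.g. "USB storage"
    model: str         # name as shown in the Windows Device Manager
    serial: str = ""   # manufacturer serial number, empty if none was assigned


@dataclass
class DevicePolicy:
    # user -> device type -> access level; "none" blocks (level names are constructed)
    type_rights: dict = field(default_factory=dict)
    # device type -> set of model names (White list of Device Models)
    model_whitelist: dict = field(default_factory=dict)
    # (model, serial) -> set of users allowed to use exactly this device (Unique Devices)
    unique_devices: dict = field(default_factory=dict)
    # user -> device types unlocked with "Ignore white list" checked
    whitelist_ignored: dict = field(default_factory=dict)

    def set_right(self, user, device_type, level):
        self.type_rights.setdefault(user, {})[device_type] = level

    def whitelist_model(self, device_type, model):
        self.model_whitelist.setdefault(device_type, set()).add(model)

    def assign_unique_device(self, model, serial, users):
        self.unique_devices[(model, serial)] = set(users)

    def apply_unlock_code(self, user, device_type, level, ignore_whitelist=False):
        """Effect of an unlocking code entered in the agent (assumed model of the feature)."""
        self.set_right(user, device_type, level)
        if ignore_whitelist:
            self.whitelist_ignored.setdefault(user, set()).add(device_type)

    def access_level(self, user, dev):
        """Effective access level of user for dev, or "none" if the device is blocked."""
        level = self.type_rights.get(user, {}).get(dev.device_type, "none")
        if level == "none":
            return "none"                                  # no right for this device type
        if dev.device_type in self.whitelist_ignored.get(user, set()):
            return level                                   # code generated with Ignore white list
        # Unique Devices: once a model has serial-specific entries, only the listed serials
        # are usable, and only by the users assigned to them (assumed precedence).
        serial_bound_models = {model for (model, _serial) in self.unique_devices}
        if dev.model in serial_bound_models:
            owners = self.unique_devices.get((dev.model, dev.serial), set())
            return level if user in owners else "none"
        # White list of Device Models: if one exists for this device type, the model must
        # be on it, even though the user holds a right for the device type.
        allowed_models = self.model_whitelist.get(dev.device_type)
        if allowed_models is not None and dev.model not in allowed_models:
            return "none"
        return level


def demo():
    """Constructed scenario: one approved stick model, one camera bound to a serial."""
    p = DevicePolicy()
    p.set_right("alice", "USB storage", "full")
    p.set_right("alice", "Digital camera", "read")
    p.set_right("bob", "USB storage", "read")
    p.whitelist_model("USB storage", "ACME Stick 8GB")
    p.assign_unique_device("ACME Camera X", "SN-0001", ["alice"])
    company = Device("USB storage", "ACME Stick 8GB", "K-12")
    private = Device("USB storage", "Other Stick", "P-99")
    cam = Device("Digital camera", "ACME Camera X", "SN-0001")
    twin = Device("Digital camera", "ACME Camera X", "SN-0002")
    result = {
        "alice_company": p.access_level("alice", company),  # "full"
        "bob_company": p.access_level("bob", company),      # "read"
        "bob_private": p.access_level("bob", private),      # "none": model not white listed
        "carol_company": p.access_level("carol", company),  # "none": no right for the type
        "alice_cam": p.access_level("alice", cam),          # "read"
        "alice_twin": p.access_level("alice", twin),        # "none": same model, other serial
    }
    # Offline unlocking code for bob, generated with Ignore white list checked
    p.apply_unlock_code("bob", "USB storage", "read", ignore_whitelist=True)
    result["bob_private_unlocked"] = p.access_level("bob", private)  # "read"
    return result


if __name__ == "__main__":
    for name, level in demo().items():
        print(f"{name}: {level}")
```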

Blocking File Types

Your staff should not be allowed to open just any files. You can block all files of a specific type or only allow files with a limited amount of data.

The Content Header Filter allows you to determine exactly which file types and sizes users should be allowed to access. This is where you define rules that can be assigned to users.

Instructions

Go to the Management Console > Administration and select the menu item Advanced Settings. This is where you define rules for the Content Header Filter.

To create a new filter, click on the button Insert next to filter definition. A filter called New Filter is created.

To add new file types to the New Filter, go to rule definition and click on Insert. Give the new rule a name and type the file extension (e.g. *.exe) in the extension column. The columns Size min and Size max can be used to specify the minimum and maximum size of the blocked file type.

Click on Global in the filter definition if you want this rule to be effective for all users. If you want to assign this rule to certain users or groups only, then go to rights management and select the respective users or groups. Under the tab Content Header Filter you can then assign the rule by clicking on Insert.
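As an added example (not the product's own code) of how the rule definitions described above would be evaluated, this Python sketch models a filter as a list of rules with an extension pattern and optional Size min / Size max, applied either globally or only to users who have the filter assigned under the Content Header Filter tab. The filter names, users and file sizes are constructed; the page does not describe how the product itself inspects file headers, so the example matches on the extension pattern only.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    name: str
    extension: str                  # pattern as typed in the extension column, e.g. "*.exe"
    size_min: Optional[int] = None  # Size min in bytes; None = no lower bound
    size_max: Optional[int] = None  # Size max in bytes; None = no upper bound

    def matches(self, filename: str, size: int) -> bool:
        """True if the file is blocked by this rule (pattern and size range both match)."""
        if not fnmatch.fnmatchcase(filename.lower(), self.extension.lower()):
            return False
        if self.size_min is not None and size < self.size_min:
            return False
        if self.size_max is not None and size > self.size_max:
            return False
        return True


@dataclass
class Filter:
    name: str
    rules: list = field(default_factory=list)
    is_global: bool = False         # "Global" in the filter definition: applies to everyone


class ContentHeaderFilterPolicy:
    def __init__(self):
        self.filters = {}   # filter name -> Filter
        self.assigned = {}  # user -> set of filter names assigned under rights management

    def add_filter(self, f: Filter):
        self.filters[f.name] = f

    def assign(self, user: str, filter_name: str):
        self.assigned.setdefault(user, set()).add(filter_name)

    def blocking_rule(self, user: str, filename: str, size: int) -> Optional[str]:
        """Return "filter/rule" of the first rule that blocks the file, or None if allowed."""
        for f in self.filters.values():
            if not (f.is_global or f.name in self.assigned.get(user, set())):
                continue
            for r in f.rules:
                if r.matches(filename, size):
                    return f"{f.name}/{r.name}"
        return None


if __name__ == "__main__":
    pol = ContentHeaderFilterPolicy()
    pol.add_filter(Filter("Executables", [Rule("exe", "*.exe")], is_global=True))
    pol.add_filter(Filter("Large archives", [Rule("big zip", "*.zip", size_min=10 * 1024 * 1024)]))
    pol.assign("alice", "Large archives")
    print(pol.blocking_rule("bob", "setup.EXE", 1000))             # Executables/exe
    print(pol.blocking_rule("alice", "backup.zip", 50 * 1024 * 1024))  # Large archives/big zip
```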

Change Access Permissions Offline

If an employee is working outside the company network and needs his access rights changed, then this is possible via an activation code.

Go to rights management and create a code to unblock devices for the user or group. The user will then enter the code in his cynapspro agent to have the new access rights assigned. Changes will be effective immediately.

Instructions

Go to rights management in the Management Console. Go to the group or user and right-click on the desired device type. In the context menu select Generate unlocking code. Define the access level and its validity (temporary or permanent). Then click on the button Generate.

If a white list has been generated for this device model and the desired device is not on the white list, you need to check Ignore white list.

Transmit the generated code to the user. He can then enter the code using the cynapspro agent. For this he right-clicks on the cynapspro tray icon, goes to the menu item Change rights and selects Enter unblocking code. Once the code has been successfully entered, the new rights will be effective immediately.


File Access Log

Suppose a virus has infiltrated your corporate network or confidential data was passed on to third parties. You now want to understand or prove who is responsible.

The log file includes records of who accessed which file at what time. You can filter the data by defining a time period or file name.

Instructions

Go to the Management Console and select Audit from the Summary menu. Select the desired group or user or the whole tree. Then define the filter rules.

You now have access to all logged activities in your company network. If you have the shadow box activated, you need to enter the required passwords before you can check up on user activities.

Administrators with Different Access Levels

You have multiple locations or departments and you do not want all administrators to have access to all levels or settings.

There are two types of administrators for cynapspro solutions:

- Supervisors (all administrative rights)

- Administrators (allocated administrative rights)

Create administrative roles and assign them to the administrators for certain areas (OUs, groups, users).

Instructions

Go to the Management Console > Administration and you will see two menu items: Administrative Roles and Administrators & Scopes.

First, you define the administrative roles. Click on Global if you want to create roles for the management of the cynapspro server. If you want to create roles for managing users and groups, click on Scope-specific. Add a role and determine what information an administrator with this role may see and what kind of changes he may make.

Then go to the menu item Administrators & Scopes. Click on the administrators tab and assign the role to one of the administrators listed. Under Scope-specific you can even select groups or individual users for which the administrator should be responsible.

In the administrators' area, all OUs, groups and users are shown in three different colors:

- Red: The administrator does not have administrative roles in these OUs, groups and users.

- Grey: Some elements of the directory are managed by this administrator.

- Green: All child OUs, groups and users are managed by this administrator.


ApplicationPro

Introduction

ApplicationPro protects your clients with an application access control that uses the black list or white list method. You determine which user gets access to selected applications - all other programs are blocked.

ApplicationPro automatically assigns a hash value to a program. Thus, a user can log on to all computers of the company and always get the same program permissions. Thanks to this technology, users cannot obtain unauthorized access to programs by renaming files.

This ensures, for example, that no unauthorized software (e.g. viruses, Trojans, games, joke programs ...) can be installed or run on company computers.

The management of ApplicationPro is greatly facilitated by the learning mode. This function records all programs an employee or group uses during their daily routine. Those applications can then be reviewed and white listed.

Rights Management

Before you start with the user management of ApplicationPro, you should activate this product. Just right-click on the user, then click Activate / Deactivate and select ApplicationPro.

If a user is deactivated, he will be allowed to use all programs. Once a user is activated, he will have programs assigned and all other applications will be blocked.

After installation or upgrade of the client component, it is recommended to restart the computer. If you haven't assigned a program package to the user, he will be able to access all programs.

Go to access management and look for the tab ApplicationPro. This tab contains the following options:

Save

Confirm the settings you have just made. The rights changes will be immediately pushed to the agent.

Insert Role

Assign a previously created role definition to a user. Roles may contain several program packages and are used for simplification and clarity.

Insert Package

Assign a previously created package to a user. Packages consist of one or more selected applications.

Delete

Remove roles and packages from a user or group.

Role Definition

Link that takes you to the role administration.

Start Learning Mode

Recording of programs accessed by a user or group of users.

User Programs

Result list of the learning mode. Recorded applications can easily be assigned to packages.


Learning Mode

The learning mode is a so-called "non-blocking mode." This means that all programs can be started during the time period in which the learning mode is activated.

The learning mode records all programs that are accessed by the user and applies not only to the user-facing applications, but also to the programs running in the background. A hash value is created, which can be used to add certain applications to a custom package. These packages can then be assigned to one or more users.

Managing ApplicationPro with the Learning Mode

To start recording the programs accessed by a user, mark the user in the top part of the right window and click on Start learning mode in the window below. Select the time period for the learning mode. The learning mode can be started and ended manually or you can use a scheduler.

After completion of the learning mode, you will see under user programs all applications that have been executed by the user, whether consciously in the foreground or hidden in the background. You will see in the results which path had been used to run an application.


Select one or more programs you want to assign to a package and click on save. If you have already created packages, you can add the selected programs to them. You can also create a new package for these applications. Confirm the settings with OK. You can now create additional packages or close the results window.

In order to assign the software package to a user, click on Insert package. Select the appropriate package and click OK. Save your changes and the cynapspro agent will immediately be notified and put them into effect.

From now on, all unauthorized applications will be blocked. If an application has been overlooked during the recording process, you can start the learning mode again to release all programs for its duration. Add the newly recorded program to an existing package or to a new one and assign it to the user.

Management of Programs

In the navigation pane of the Management Console, you will find the ApplicationPro program management. Here you can create and edit software packages.

To create a package, go to New Package. You can add programs from your computer to the package definition. When you add an application, its hash value will immediately be calculated. This hash value is identical for this program on every workstation.

Individual packages can be grouped in folders. They can be assigned to a folder or only linked to it using the button New Link. Thus a program may be part of several packages, even though it is stored only once.

Management of Roles

Under ApplicationPro you will see the menu item Role Management. Here you can combine software packages and package folders into roles. Using roles helps maintain clarity and facilitates an efficient management of ApplicationPro.


To create a new role, click New Role. Name the role and assign the appropriate programs and roles using the buttons Add Program / Insert role.

Note: If you insert a role, the parent role will include all the programs of the child role.

ApplicationPro Settings

In the ApplicationPro settings, you can decide whether you want to use the white list or the black list method. The white list method ensures that users can only access those programs that have been explicitly assigned to them. The black list method only blocks those programs that have been assigned to the user. All other programs are allowed.

Trusted Objects

Here you can define various directories as trusted objects. Users are allowed to run all applications they contain, regardless of any blocking rules defined under application control.
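The following Python sketch is an added example (not the product's own code) that ties together the mechanisms described in this chapter: identifying a program by a content hash that survives renaming, packages and nested roles (a parent role includes its child roles' programs), white list versus black list mode, trusted object directories, and a non-blocking learning mode that records program starts. The hash algorithm (SHA-256), the sample programs written to a temporary directory and all user, package and role names are assumptions of the example; the page does not say which hash function the product uses.

```python
import hashlib
import tempfile
from pathlib import Path


def program_hash(path):
    """Hash of the file contents (assumed: SHA-256). The same binary yields the same value
    on every workstation, and the value does not change when the file is renamed or moved."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class ApplicationControl:
    def __init__(self, mode="whitelist", trusted_dirs=()):
        self.mode = mode                                               # ApplicationPro Settings
        self.trusted_dirs = [Path(d).resolve() for d in trusted_dirs]  # Trusted Objects
        self.packages = {}      # package name -> set of program hashes
        self.roles = {}         # role name -> {"packages": set, "roles": set}
        self.assignments = {}   # user -> {"packages": set, "roles": set}
        self.learning = {}      # user -> list of (path, hash) recorded in learning mode

    def add_program(self, package, path):
        self.packages.setdefault(package, set()).add(program_hash(path))

    def define_role(self, role, packages=(), roles=()):
        self.roles[role] = {"packages": set(packages), "roles": set(roles)}

    def assign(self, user, packages=(), roles=()):
        a = self.assignments.setdefault(user, {"packages": set(), "roles": set()})
        a["packages"] |= set(packages)
        a["roles"] |= set(roles)

    def _hashes(self, packages, roles, seen):
        """Union of package hashes; a parent role includes all programs of its child roles."""
        hashes = set()
        for pkg in packages:
            hashes |= self.packages.get(pkg, set())
        for role in roles - seen:
            seen.add(role)
            hashes |= self._hashes(self.roles[role]["packages"], self.roles[role]["roles"], seen)
        return hashes

    def assigned_hashes(self, user):
        a = self.assignments.get(user, {"packages": set(), "roles": set()})
        return self._hashes(a["packages"], a["roles"], set())

    def start_learning(self, user):
        self.learning[user] = []

    def stop_learning(self, user):
        """End the learning mode; the recorded starts are what User Programs would list."""
        return self.learning.pop(user, [])

    def may_start(self, user, path):
        """Decision on a program start: (allowed, reason)."""
        p = Path(path).resolve()
        if any(d == p or d in p.parents for d in self.trusted_dirs):
            return True, "trusted object"
        h = program_hash(p)
        if user in self.learning:                      # non-blocking: record, never block
            self.learning[user].append((str(p), h))
            return True, "learning mode"
        if user not in self.assignments:               # nothing assigned: all programs allowed
            return True, "no package assigned"
        listed = h in self.assigned_hashes(user)
        if self.mode == "whitelist":
            return listed, ("white listed" if listed else "not white listed")
        return (not listed), ("black listed" if listed else "not black listed")


def demo():
    """Constructed scenario in a temporary directory; returns the agent's decisions."""
    tmp = Path(tempfile.mkdtemp())
    files = {"apps/editor.exe": b"editor-binary-v1", "apps/game.exe": b"game-binary",
             "apps/notepad.exe": b"game-binary", "trusted/tool.exe": b"tool-binary"}
    for rel, content in files.items():                 # notepad.exe is the game, renamed
        (tmp / rel).parent.mkdir(exist_ok=True)
        (tmp / rel).write_bytes(content)
    apps, trusted = tmp / "apps", tmp / "trusted"
    ac = ApplicationControl("whitelist", trusted_dirs=[trusted])
    ac.add_program("Office", apps / "editor.exe")
    ac.define_role("Sales", packages=["Office"])
    ac.define_role("Sales management", roles=["Sales"])  # parent role includes child role
    ac.assign("alice", roles=["Sales management"])
    ac.start_learning("bob")
    ac.may_start("bob", apps / "game.exe")
    learned = ac.stop_learning("bob")
    return {
        "alice_editor": ac.may_start("alice", apps / "editor.exe")[0],        # True
        "alice_game": ac.may_start("alice", apps / "game.exe")[0],            # False
        "alice_renamed_game": ac.may_start("alice", apps / "notepad.exe")[0], # False
        "alice_trusted_tool": ac.may_start("alice", trusted / "tool.exe")[0], # True
        "carol_game": ac.may_start("carol", apps / "game.exe")[0],            # True
        "bob_learned_starts": len(learned),                                   # 1
        "same_hash_after_rename": program_hash(apps / "game.exe")
                                  == program_hash(apps / "notepad.exe"),      # True
    }
```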

Solution Scenarios for ApplicationPro

Quick White Listing of Applications

You have assigned selected applications to a user. The user gets back to you and asks to be granted access to another program as soon as possible.

Start the learning mode. While the learning mode is running, all applications are immediately released. You can then stop the learning mode and add the appropriate program to the user's package.


Instructions

You will find the learning mode under Rights Management. Go to the user and select the tab ApplicationPro. You will see the button Start Learning Mode. Define the duration of the learning mode. During this time the user has access to all applications.

After the user has run his programs, stop the learning mode by clicking on the button Stop Learning Mode.

Note: Only program starts are recorded by the learning mode. If applications are already running when the learning mode is started, they will not be recorded.

If you want to allow the user to continue using the program, click on the button user programs. Select the appropriate program and add it to one of the packages assigned to the user.

White Listing Many Programs for Many Users

You have already created several software packages and want every user of a division to be able to access these same applications. Of course you want to do this with as little effort as possible.

Specify roles that include multiple packages or other roles. These roles can be assigned to the users.

Instructions

Go to the Management Console and select ApplicationPro from the left hand navigation. There you select the roles. Create a new role with the button New role. This role can, for example, be named after a department. Then you can use Insert package to assign software packages to this role. If you have already defined subordinate roles, you can add them to the new role using Insert role. Assign the newly created role to the users under rights management, where you select the tab ApplicationPro.



CryptionPro

Overview

CryptionPro ensures that...

- unauthorized persons cannot read your data.

- the loss of an external storage device is not a security risk.

- data stored on external devices is automatically encrypted in the background.

- you can access your encrypted data anytime and everywhere.

CryptionPro encrypts your data in the background. For all read and write operations on external storage media, files are automatically encrypted or decrypted without requiring any user activity.

Users continue to work as before and all data remain readable throughout the company, no matter which user logs on to which computer. If someone tries to read the data from the external storage when it is connected to a computer without the CryptionPro client or to a computer outside of the company network, the files will not be readable, and thus the damage caused by the loss of an external storage device is limited to the hardware costs.

Optionally, you can also save unencrypted data to an external storage medium, for example if you want to give it to a customer.

Encryption Options

The preconditions for the use of CryptionPro are a valid license and an installed cynapspro server and client.

Go to the menu item Encryption > Encryption Options and Activate encryption. You then select the functions that should be made available to users:

- Without encryption

Users are allowed to copy files without encryption to disks. Under Settings for unencrypted file transfer, you write a security message that will be displayed after the user has activated the unencrypted file transfer. This message appears as a popup after the activation via the cynapspro agent. Activate Unencrypted files auditing as a security measure. This allows you to review under Unencrypted file transfer all non-encrypted files that were copied to external storage media. You also need to specify after which time interval without activity the encryption should be automatically reactivated. This option is an assurance against employees forgetting to reactivate encryption after they have completed their unencrypted file transfer.

- Common encryption

On all computers in your company with a cynapspro agent, all files can always be read and written by each employee; the decryption takes place in the background.

- Group encryption

Create group affiliations under CryptionPro Group management. If a user is in the same group as the employee who created a file, or in the parent group, the file will be automatically decrypted in the background. All other users of your directory service will not be able to decrypt the file. Exception: Files can be decrypted with the appropriate password using CryptionPro Mobile.

- Individual encryption

Only the user who encrypts a file can decrypt it again. All other users cannot decrypt this file. Exception: Files can be decrypted with the appropriate password using CryptionPro Mobile.

- Mobile encryption

Allows the use of CryptionPro Mobile. If this option is assigned to a user, the activation of CryptionPro Mobile via the cynapspro agent facilitates the decryption of files outside the company network. An .exe-file is automatically copied to the USB stick, which decrypts files on any computer if the appropriate password is provided. In addition, CryptionPro Mobile can also encrypt files outside the company network.

Furthermore, you can decide which encryption method you want to use. There are currently two methods available: Triple-DES and AES.

Unfortunately, encryption with AES is not available on Windows 2000 computers. If you have this operating system in use, the Triple DES method will be the right choice for you. For all companies using Windows XP, Windows Vista or Windows 7, AES is recommended as the better and safer method.

Key Management

For each installation, a new key is created for CryptionPro. To ensure that you can still access data encrypted with the old key even after a server crash, you should export the key under key management. After a server crash you can import the key once the new installation has been completed.

Furthermore, you have the option to generate a master key. The master key makes it possible to decrypt files which cannot be decrypted by the client. Please note that this information must be stored securely and must be protected from unauthorized access.


CryptionPro Group Management

Create group affiliations under CryptionPro Group management. If a user is in the same group as the employee who created a file, or in the parent group, the file will be automatically decrypted in the background. All other users of your directory service will not be able to decrypt the file. Exception: Files can be decrypted with the appropriate password using CryptionPro Mobile.

CryptionPro Mobile (global settings)

Define your password policy, which will be taken into account when creating the password via the cynapspro agent.

Determine whether all unencrypted data stored on the hard disk should automatically be deleted or only deleted after confirmation when you close CryptionPro Mobile. Define whether a file can be decrypted on the same and / or other storage media. Define whether the source file may be permanently decrypted, or whether a copy can be created.

Device Blacklist

You can exclude certain devices from the encryption. These devices can be stored on the blacklist of devices.

Unencrypted File Transfer

Activate Unencrypted files auditing as a security measure. This allows you to review under Unencrypted file transfer all non-encrypted files that were copied to external storage media.


User Configuration

Next, you activate the product for the employees who will use CryptionPro.

Go to rights management and use a right mouse-click on the user, then click Activate / Deactivate and select CryptionPro. A green check mark in the column CP signals the activation of the product.

You can decide for every user which encryption options should be available to him:

- Without encryption

Allows the user to copy files to disks without encryption.

Under Settings for unencrypted file transfer, you write a security message that will be displayed after the user has activated the unencrypted file transfer. This message appears as a popup after the activation via the cynapspro agent. Activate Unencrypted files auditing as a security measure. This allows you to review, under Unencrypted file transfer, all non-encrypted files that were copied to external storage media. You also need to specify after which time interval without activity the encryption should be automatically reactivated. This option is an assurance against employees forgetting to reactivate encryption after they have completed their unencrypted file transfer.

- Common encryption

On all computers in your company with a cynapspro agent, all files can always be read and written by each employee; the decryption takes place in the background.

- Group encryption

Create group affiliations under CryptionPro Group management. If a user is in the same group as the employee who created a file, or in the parent group, the file will be automatically decrypted in the background. All other users of your directory service will not be able to decrypt the file. Exception: Files can be decrypted with the appropriate password using CryptionPro Mobile.

- Individual encryption

Only the user who encrypts a file can decrypt it again. All other users cannot decrypt this file. Exception: Files can be decrypted with the appropriate password using CryptionPro Mobile.

- Mobile encryption

Allows the use of CryptionPro Mobile. If this option is assigned to a user, the activation of CryptionPro Mobile via the cynapspro agent facilitates the decryption of files outside the company network. An .exe file is automatically copied to the USB stick, which decrypts files on any computer if the appropriate password is provided. In addition, CryptionPro Mobile can also encrypt files outside the company network.

If only one option has been activated for a user, it will be applied automatically. If several options have been activated, he may decide via the tray icon whether the next file should be encrypted or not. To do so, he double-clicks on the tray icon and selects the menu item Encryption.

Important: Even if a user has both the options "Common Encryption" and "Without Encryption" activated, he will be able to read both encrypted and unencrypted files. This setting only has an effect if he wants to save or copy data to an external storage medium.

If CryptionPro was not activated for the user, he will not be able to read encrypted files. However, as soon as he is activated for CryptionPro, he will be able to edit all the "common" encrypted files as normal.

CryptionPro Mobile (Client Software)

If the option mobile encryption is activated for a user, the user can decrypt and encrypt files outside the company network. To do so, he double-clicks on the tray icon and selects the menu item Encryption. He then activates mobile encryption and enters the password to be used for CryptionPro Mobile.

From that moment on, the file cryptionpromobile.exe will automatically be copied to any USB device to which data is saved or copied.

Users just need to start CryptionPro Mobile on the USB device and enter a password. They can now decrypt and encrypt files anywhere and anytime.

Depending on the settings that were made in the Management Console, you will receive a message when closing CryptionPro Mobile asking you if you want to encrypt the unencrypted files, or if you want to delete the local copies of files.

If you choose Yes, CryptionPro Mobile encrypts the current file and displays the next.

If you choose Yes for all, CryptionPro Mobile will go through the whole USB device to encrypt the remaining unencrypted files before exiting.

If you choose No, CryptionPro Mobile leaves the current file unencrypted and displays the next.

If you choose No for all, CryptionPro Mobile will not encrypt any data and exits. If you don't want to exit the program yet, select Cancel.

If you want to delete decrypted data from the computer hard disk while working (if you open a file on an external hard disk, Windows automatically creates a temporary copy of the file on the computer), just answer the following question with Yes. If you select No, the data will remain in the temp folder on the computer's hard disk.

Solution Scenarios (CryptionPro)

Automatic Encryption for All Users

You want to make sure that all files are always encrypted, but can be read and edited everywhere in the company. There is no reason to leave any data unencrypted. But it is also important that users don't have to be trained and that their work is not negatively impacted.

Activate CryptionPro for all users and enable the option "Common encryption" only.

Instructions

Go to the Management Console > rights management. Select the desired user, group or OU, and all users assigned to this group or OU will appear in the top part of the right hand window. Use a right mouse-click on the user(s), then click Activate / Deactivate and select CryptionPro.

In the window below, activate the checkbox Common encryption and save your changes.

From now on, everything the user writes or copies to external storage devices will automatically be encrypted, without him needing to do anything. When accessed, the files are automatically decrypted in the background and can be read everywhere in the company.

Save Without Encryption

You want to ensure that a user, who is used to providing data to customers on a USB device, can continue doing so. He needs to be able to write or copy data without encryption, without being trained and without additional effort.

Activate CryptionPro for this user and enable the option "Without encryption" only.

Instructions

Go to the Management Console > rights management. Select the desired user and use a right mouse-click. Click on Activate / Deactivate and select CryptionPro.

In the window below, activate the checkbox Without encryption and save your changes.

From now on, everything the user writes or copies to external storage media will automatically be saved without encryption. The files can be accessed and read everywhere, both within the company and outside. Although the user only has the option Without encryption activated, he is able to read all encrypted files in the company network.


CryptionPro HDD 2010

CryptionPro HDD facilitates the centrally controlled management of hard disk encryption and PreBoot authentication. To install the client component, follow the instructions outlined in the installation guide.

Default Settings

We recommend defining the standard settings for CryptionPro HDD before initializing PreBoot Authentication (PBA) and Full Disk Encryption (FDE) for every computer.

Go to the Management Console > Encryption > CryptionPro HDD settings. Before you can make any adjustments, you must enter the administrator password that you specified during the installation of CryptionPro HDD.

Next, enter the password for the Emergency Recovery and define the location for the Emergency Recovery Information (ERI file fixed). This file is important in case you forget your password and cannot log on.

Pre-Boot Authentication

In the next tab, you specify the settings for the Pre-Boot Authentication (PBA). If you select self-initialization by the user, the next user who successfully logs on will automatically be initialized at the respective client. The PBA will be skipped this one time when the system is started up.


If Single-Sign-On is enabled, you don't need to log on twice, since the data of the pre-boot authentication is passed on to the Windows logon. The step Confirm Windows Logon corresponds to the confirmation of "Ctrl+Alt+Del". If you are using a smart card, the settings can be defined to work in exactly the same way.

PBA Settings

Under the tab PBA settings, you see the Helpdesk, Locking and Other settings. The help desk will help you unlock a locked computer (computers can be locked accidentally, for example, by entering the wrong password several times).

Under Locking, you define a time penalty or the blocking of the logon process if the wrong password was entered several times.

Use Other Settings to select a wallpaper and the language for the keyboard.

Full Disk Encryption

In the next tab, you define the settings for the Full Disk Encryption (FDE). You have the option to either encrypt the complete hard disk (all sectors) or only the data. If you encrypt only the data, the first encryption runs much faster. You can also choose the encryption algorithm and define a password, which is required in order to take the further steps.

Installation Settings

In order to install the client component of CryptionPro HDD, you first define the directory where the installation file for CryptionPro HDD (f9u.msi) is stored. Then you need to store the correct user name and password of the user who has access to the specified path.

Installation and Management

If you want to change settings for the individual computers, go to the menu item Installation and management, which you will find in the left hand panel under Hard Disk Encryption.

Select in the directory tree the OU or folder with the computers on which you want to install and manage CryptionPro HDD. Use a right mouse-click on the appropriate computer and activate the computer. Click again on the computer to install CryptionPro HDD. After you have installed CryptionPro HDD on this computer, you can make further settings for this machine. When this is done, you can initialize the Full Disk Encryption.

For the initialization, simply select a computer, use a right mouse-click and select initialize FDE or PBA. A script then runs which executes the changes on the client.

Once the client has been initialized, further settings are applied after pressing Save for the functions accept PBA settings or accept FDE settings. You can also assign an individual administrator password. By activating the option Encrypt all, all hard disks of the client will be completely encrypted.

If you would like to deactivate FDE or PBA on a client, simply click on uninitialize or, if necessary, remove.

ErasePro

ErasePro allows the central management of data destruction for files, folders and partitions. To install the client component, follow the instructions outlined in the installation guide.

User Management

The user management for ErasePro is located in the Management Console under the menu item Power and Data Destruction Management.

The navigation is divided into Power Management and Data Destruction Management.

To manage ErasePro, please go to the menu item Users Management under Data Destruction Management.

To manage your users, go to the directory service structure and select the appropriate OU or group.

Users assigned to this group or OU will appear in the top part of the right hand window.

Use a right mouse-click on the user(s), then click Activate / Deactivate and select ErasePro.

Now you can decide which methods you want to put at your employees' disposal for data destruction.

The following data destruction or secure deletion options are available: Overwrite with random numbers, 3 times overwrite (DOD method), 6 times overwrite (DOD II method), 7 times overwrite BSI Standard (VSITR method) and 35 times overwrite (Peter Gutmann method).

All changes are immediately transferred to the client.

Secure Deletion of Files

If you have activated the user in the Management Console and defined the deletion method(s), users can securely delete data using the common context menu.

The employees simply use a right mouse-click on the partition, folder or file that is to be destroyed. The context menu will have the option Secure Delete.

If the employee chooses the option Secure Delete, this object is immediately destroyed.

It is also possible to securely delete empty sectors (not allocated to the file system).
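The ErasePro options listed above differ only in how many overwrite passes are written and with which pattern. The Python script below is an added illustration of such a multi-pass overwrite and is not ErasePro's code: the pass schedules are constructed for the example and are not claimed to reproduce the DoD, DoD II, BSI VSITR or Gutmann patterns the guide names, and the sample file it destroys is created in a temporary directory.

```python
"""Multi-pass overwrite before unlink: an added illustration of what the ErasePro
overwrite options mean (constructed pass schedules, not ErasePro's own code)."""
import os
import secrets
import tempfile
from typing import Dict, List, Optional

Pattern = Optional[int]   # None = fresh random bytes, otherwise one fixed byte value

# Pass schedules constructed for this example; they are not claimed to reproduce
# the DoD, DoD II, BSI VSITR or Gutmann patterns named in the guide.
SCHEDULES: Dict[str, List[Pattern]] = {
    "random": [None],                                   # single random pass
    "three_pass": [0x00, 0xFF, None],                   # fixed, complement, random
    "seven_pass": [0x00, 0xFF, 0x00, 0xFF, 0x00, 0xFF, 0xAA],
}


def overwrite_file(path: str, schedule: List[Pattern], chunk: int = 1 << 16) -> int:
    """Overwrite every byte of `path` once per schedule entry; return bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:
        for value in schedule:
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                block = secrets.token_bytes(n) if value is None else bytes([value]) * n
                written += fh.write(block)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())   # force each pass to the device, not just the cache
    return written


def secure_delete(path: str, method: str = "three_pass") -> int:
    """Overwrite `path` with the named schedule, truncate it, then unlink it."""
    written = overwrite_file(path, SCHEDULES[method])
    with open(path, "r+b") as fh:
        fh.truncate(0)              # also hide the original length
    os.remove(path)
    return written


def run_demo() -> Dict[str, object]:
    """Create a constructed sample file in a temp dir, overwrite it, delete it."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "constructed-secret.txt")
    with open(path, "wb") as fh:
        fh.write(b"constructed sample secret\n" * 4000)   # ~100 KB, spans two chunks
    size = os.path.getsize(path)
    single = overwrite_file(path, [0xAA])
    with open(path, "rb") as fh:
        all_aa = fh.read() == b"\xaa" * size
    written = secure_delete(path, "three_pass")
    os.rmdir(workdir)
    return {"size": size, "single_pass": single, "all_aa": all_aa,
            "three_pass": written, "exists": os.path.exists(path)}
```

Overwriting in place only destroys the data if the file system writes the new passes to the same physical blocks that held the original. Journaling and copy-on-write file systems and SSD wear-levelling can leave old copies in place, which is why a separate wipe of unallocated sectors, as the guide offers, still matters.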

PowerPro

PowerPro provides centrally controlled management of the power configuration of your company computers. Follow the instructions outlined in the installation guide to install the client component.

Profile Management

The administration of PowerPro can be found in the Management Console under the menu item Power and Data Destruction Management. Go to Power Profiles to define appropriate profiles for weekdays and weekends or for different user profiles.

Above you see an example of a profile configuration. This profile was configured to perform the following power saving operations: turn off the monitor after 10 minutes of inactivity; reduce CPU utilization and put the computer in the hibernate state (stand by) if the processor has been idle for a certain amount of time; shut down the fan unless the processor is handling a full load; allow Wake-On-LAN to be used.

Criteria are always entered twice to differentiate between power supplies: AC – computers connected with a power cable to the mains; DC – computers running on battery power.

Computer Settings

After creating the profiles, you can determine which computer should be assigned to which profile at what time. Go to computer settings under power management. Select from the directory service structure the group or OU in which the computer(s) you want to manage are located.

Go to rights management and use a right mouse-click on the computer, then click Activate / Deactivate and select PowerPro. Go to the Power Profile tab below the computer list, and determine which profile should be used at what time.

Scheduler

Use the Scheduler to shut down, put to standby mode, or even start computers at a particular point in time. Define when the respective operations should be carried out. Go to Rights Management, select the desired computers and assign these definitions to them under the tab Scheduler.

Exceptions for Important Programs

Determine exceptions that will overrule the Scheduler, for example when a computer should not be shut down or the monitor not be turned off.

Define the appropriate applications and processes and whether this exception shall be applied at a certain level of network activity or CPU utilization.

These exceptions may apply globally to all computers in the company or they may be assigned to specific computers under computer settings > Exceptions tab.

User Rights

Define which users may make changes to the client.

Settings

Define appropriate parameters for the evaluation and analysis of saved energy costs and CO2 emissions.


Appendix

Components for the Creation of a cynapspro Rights File

Change Device Port

Example:

<?xml version="1.0"?>
<Xml>
  <Header></Header>
  <Body>
    <Schema>1</Schema>
    <DP Type="9" Name="Firewire">
      <SD>
        <ACE sid="S-1-5-21-3757206099-4223034928-3177353085-1003" ar="0"></ACE>
      </SD>
    </DP>
  </Body>
</Xml>

You can block individual ports using the parameter DP Type="<Value>". Enter the port name with the corresponding ID (Type). The class name information (Name) is optional and for clarity purposes only.

Parallel Port: <DP Type="3" Name="Parallel Port"></DP>
Serial Port: <DP Type="4" Name="Serial Port"></DP>
Firewire: <DP Type="9" Name="FireWire"></DP>
PCMCIA: <DP Type="10" Name="PCMCIA"></DP>
USB Port: <DP Type="14" Name="USB (without keyboards, mice...)"></DP>

You can change the rights of individual groups and users using the Security Descriptor (SD) component. First you define the port or device type (DP or DC). Inside it, you set the SD (Security Descriptor), in which you enter the Access Control Entry (ACE). In the Access Control Entry, you deposit the SID of the user or group and the Access Right (AR). Novell GUIDs are automatically transformed by cynapspro into a SID.

Please use S-1-5-11 for unknown users. All access rights may have the values 0 for No Access, 1 for Read Access and 3 for Full Access. Read access can only be assigned to Floppy Disk, CD/DVD and external storage devices.

If you want to change access rights for computers, you need to use the host parameter. Enter the fully qualified name of the computer.

To assign a computer to a user, you combine the parameters host and SID.

Change Device Type

Example:

<?xml version="1.0"?>
<Xml>
  <Header></Header>
  <Body>
    <Schema>1</Schema>
    <DC Id="1" Name="CD / DVD">
      <SD>
        <ACE sid="S-1-5-21-3757206099-4223034928-3177353085-1003" ar="0"></ACE>
      </SD>
    </DC>
  </Body>
</Xml>

You can block entire device types using the parameter DC Id="<Value>". Enter the device type with the corresponding ID (Id). The class name information (Name) is optional and for clarity purposes only.

unknown devices: <DC Id="0" Name="Unknown"></DC>
CD/DVD: <DC Id="1" Name="CD / DVD"></DC>
disk drive: <DC Id="2" Name="Floppy Disk"></DC>
external storage media: <DC Id="5" Name="External Storage"></DC>
Infrared devices: <DC Id="6" Name="Infrared"></DC>
Bluetooth Adapter: <DC Id="7" Name="Bluetooth"></DC>
WLAN cards/Adapters: <DC Id="8" Name="WiFi"></DC>
Scanners/Cameras: <DC Id="11" Name="Scanners and Cameras"></DC>
TV Cards/Adapters: <DC Id="12" Name="TV Tuner"></DC>
Printers: <DC Id="13" Name="Printers"></DC>
PDA/Smartphones: <DC Id="15" Name="PDA"></DC>
Blackberrys: <DC Id="16" Name="Blackberry"></DC>
Modems: <DC Id="17" Name="Modem"></DC>
ISDN Cards/Adapters: <DC Id="18" Name="ISDN Cards"></DC>

You can change the rights of individual groups and users using the Security Descriptor (SD) component. First you define the port or device type (DP or DC) or open a release (DM or DN). Inside it, you set the SD (Security Descriptor), in which you enter the Access Control Entry (ACE). In the Access Control Entry, you deposit the SID of the user or group and the Access Right (AR). Novell GUIDs are automatically transformed by cynapspro into a SID.

Please use S-1-5-11 for unknown users. All access rights may have the values 0 for No Access, 1 for Read Access and 3 for Full Access. Read access can only be assigned to Floppy Disk, CD/DVD and external storage devices.

If you want to change access rights for computers, you need to use the host parameter. Enter the fully qualified name of the computer.

To assign a computer to a user, you combine the parameters host and SID.

White Listed Device Types

Example:

<?xml version="1.0"?>
<Xml>
  <Header></Header>
  <Body>
    <Schema>1</Schema>
    <DM Class="1" Cert="1" HwId="IDE\\CDROMLITE-ON_DVDRW_SHM-165P6S________________MS0F____"></DM>
  </Body>
</Xml>

To add various device models to the white list for device types, please use the parameters DM Class="<Value>" Cert="<Value>" HwId="<HardwareID>".

The parameters Class or Port represent the corresponding device type or port:

unknown devices: Class="0"
CD/DVD: Class="1"
Disk drive: Class="2"
Parallel Port: Port="3"
Serial Port: Port="4"
external storage media: Class="5"
Infrared devices: Class="6"
Bluetooth Adapters: Class="7"
WLAN cards/Adapters: Class="8"
Firewire: Port="9"
PCMCIA: Port="10"
Scanners/Cameras: Class="11"
TV Cards/Adapters: Class="12"
Printers: Class="13"
USB Port: Port="14"
PDA/Smartphone: Class="15"
Blackberry: Class="16"
Modems: Class="17"
ISDN Cards/Adapters: Class="18"

For the parameter Cert you enter the value 1 for Add or 0 for Remove.

The Windows Hardware ID of the device is entered with the parameter HwId.

Component for White Listing a Unique Device

White List a PDA for All Users:

<?xml version="1.0"?>
<Xml>
  <Header></Header>
  <Body>
    <Schema>1</Schema>
    <DN Port="14" Class="15" InstanceId="USB\\VID_0BB4&PID_0BCE\\5&1C5E86F8&0&1" Name="Windows Mobile-based Device">
      <SD>
        <ACE sid="S-1-1-0" ar="3"></ACE>
      </SD>
    </DN>
  </Body>
</Xml>

You can use the serial number and Hardware ID to white list individual devices for specific users and/or computers with Read Access or Full Access. Use the parameters DN Port="<Value>" Class="<Value>" InstanceId="<HwID+SNr>" Name="<Device Description>". With the values Port and Class, you define the exact access path for the device. The InstanceId consists of the Hardware ID and serial number of the corresponding device. With the parameter Name, you can optionally define a device description.

Inside the component <DN (…)>…</DN> you define the affected users and permissions by using the following tags. Open with SD the Security Descriptor, in which you then enter the Access Control Entry (ACE). In the Access Control Entry, you deposit the SID of the users or groups, as well as the access right (AR).

The permission level is defined with the values 0 for No Access, 1 for Read Access and 3 for Full Access. Read Access can only be granted for floppy disk, CD/DVD and external storage devices.

To remove a user or a computer from a device white list, you use the parameter Del. The value behind this parameter specifies the number of objects. You then deposit the SID or the computer.

Use Cases

Define User or Computer Rights for a Port

<?xml version="1.0"?>
<Xml>
  <Header></Header>
  <Body>
    <Schema>1</Schema>
    <DP Type="14" Name="USB">
      <SD>
        <ACE host="computer.damain.in" sid="S-1-5-21-3757206099-4223034928-3177353085-1003" ar="3"></ACE>
      </SD>
    </DP>
  </Body>
</Xml>

Change Access Rights of a Computer for 2 Ports and 2 Device Types

<?xml version="1.0"?>
<Xml>
  <Header></Header>
  <Body>
    <Schema>1</Schema>
    <DP Type="9" Name="FireWire">
      <SD>
        <ACE host="hostname.domain.at" ar="0"></ACE>
      </SD>
    </DP>
    <DP Type="10" Name="PCMCIA">
      <SD>
        <ACE host="hostname.domain.at" ar="3"></ACE>
      </SD>
    </DP>
    <DC Id="7" Name="Bluetooth">
      <SD>
        <ACE host="hostname.domain.at" ar="0"></ACE>
      </SD>
    </DC>
    <DC Id="8" Name="WiFi">
      <SD>
        <ACE host="hostname.domain.at" ar="3"></ACE>
      </SD>
    </DC>
  </Body>
</Xml>

Add 2 Devices of Different Device Types to the White List of Device Models

<?xml version="1.0"?>
<Xml>
  <Header></Header>
  <Body>
    <Schema>1</Schema>
    <DM Class="1" Cert="1" HwId="IDE\\CDROMLITE-ON_DVDRW_SHM-165P6S________________MS0F____"></DM>
    <DM Port="14" Class="5" Cert="1" HwId="USB\\VID_0835&PID_0835"></DM>
  </Body>
</Xml>

Remove Device from the Device Model White List

<?xml version="1.0"?>
<Xml>
  <Header></Header>
  <Body>
    <Schema>1</Schema>
    <DM Cert="0" HwId="V1394\\NIC1394"></DM>
  </Body>
</Xml>

Add a PDA to the Global White List

<?xml version="1.0"?>
<Xml>
  <Header></Header>
  <Body>
    <Schema>1</Schema>
    <DN Port="14" Class="15" InstanceId="USB\\VID_0BB4&PID_0BCE\\5&1C5E86F8&0&1" Name="Windows Mobile-based Device">
      <SD>
        <ACE sid="S-1-1-0" ar="3"></ACE>
      </SD>
    </DN>
  </Body>
</Xml>

Remove a User from a Unique Device White List

<?xml version="1.0"?>
<Xml>
  <Header></Header>
  <Body>
    <Schema>1</Schema>
    <DN InstanceId="IDE\\CDROMLITE-ON_DVDRW_SHW-16H5S_________________LS0N____\\5&23126E32&0&0.1.0" Name="LITE-ON DVDRW SHW-16H5S">
      <SD>
        <ACE Del="1" sid="S-1-5-21-3757206099-4223034928-3177353085-1003"></ACE>
      </SD>
    </DN>
  </Body>
</Xml>
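Rights files written by hand for the components described in this appendix (DP, DC, DM and DN with their SD/ACE entries) are easy to get subtly wrong: a closing tag that does not match its opening tag, or an unescaped & inside an InstanceId, makes the whole import unparseable, and an ar value the guide does not define silently means nothing. The Python script below is an added example, not cynapspro's own tooling: it builds a rights file with the standard library's ElementTree and checks the constraints the guide states (ar is 0, 1 or 3; Read Access only for CD/DVD, Floppy Disk and External Storage; Cert is 1 or 0; every ACE names a SID and/or a host). The host name passed to the builder is a constructed placeholder; the SIDs, IDs and device names come from the guide's examples.

```python
"""Build and sanity-check cynapspro-style rights files (DP/DC/DM/DN components)."""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

VALID_AR = {"0", "1", "3"}                 # No Access, Read Access, Full Access
READ_CAPABLE_CLASSES = {"1", "2", "5"}     # CD/DVD, Floppy Disk, External Storage
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)*$")
EVERYONE_SID = "S-1-1-0"                   # SID used in the guide's global PDA example


def new_rights_file() -> ET.Element:
    """Return the <Xml><Header></Header><Body><Schema>1</Schema> skeleton."""
    root = ET.Element("Xml")
    ET.SubElement(root, "Header")
    body = ET.SubElement(root, "Body")
    ET.SubElement(body, "Schema").text = "1"
    return root


def add_ace(rule: ET.Element, ar: str, sid: Optional[str] = None,
            host: Optional[str] = None) -> ET.Element:
    """Append an ACE to the rule's Security Descriptor (created on first use)."""
    sd = rule.find("SD")
    if sd is None:
        sd = ET.SubElement(rule, "SD")
    ace = ET.SubElement(sd, "ACE")
    if host:
        ace.set("host", host)     # fully qualified computer name
    if sid:
        ace.set("sid", sid)       # user or group SID
    ace.set("ar", ar)
    return ace


def serialize(root: ET.Element) -> str:
    """Serialize with explicit closing tags, matching the guide's examples."""
    return '<?xml version="1.0"?>\n' + ET.tostring(
        root, encoding="unicode", short_empty_elements=False)


def validate(xml_text: str) -> List[str]:
    """Return the list of problems found; an empty list means the file passes."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    body = root.find("Body")
    if root.tag != "Xml" or body is None:
        return ["missing <Xml> root or <Body>"]
    problems: List[str] = []
    if body.findtext("Schema") != "1":
        problems.append("Schema must be 1")
    for rule in body:
        if rule.tag == "Schema":
            continue
        if rule.tag == "DM":
            if rule.get("Cert") not in {"0", "1"}:
                problems.append("DM: Cert must be 1 (add) or 0 (remove)")
            if not rule.get("HwId"):
                problems.append("DM: HwId (Windows Hardware ID) is required")
            continue
        if rule.tag not in {"DP", "DC", "DN"}:
            problems.append(f"unknown component <{rule.tag}>")
            continue
        # The device class the rule addresses, for the Read Access check.
        cls = rule.get("Id") if rule.tag == "DC" else rule.get("Class")
        for ace in rule.iter("ACE"):
            sid = ace.get("sid")
            if not (sid or ace.get("host")):
                problems.append(f"{rule.tag}: ACE needs a sid and/or host")
            if sid and not SID_RE.match(sid):
                problems.append(f"{rule.tag}: malformed SID {sid!r}")
            if ace.get("Del"):
                continue              # removal entries carry no access right
            ar = ace.get("ar")
            if ar not in VALID_AR:
                problems.append(f"{rule.tag}: ar must be 0, 1 or 3, got {ar!r}")
            elif ar == "1" and cls not in READ_CAPABLE_CLASSES:
                problems.append(f"{rule.tag}: Read Access is not allowed for class {cls!r}")
    return problems


def computer_rights_example(host: str) -> str:
    """Rebuild the guide's '2 ports and 2 device types' use case for one computer."""
    root = new_rights_file()
    body = root.find("Body")
    for tag, attrs, ar in (("DP", {"Type": "9", "Name": "FireWire"}, "0"),
                           ("DP", {"Type": "10", "Name": "PCMCIA"}, "3"),
                           ("DC", {"Id": "7", "Name": "Bluetooth"}, "0"),
                           ("DC", {"Id": "8", "Name": "WiFi"}, "3")):
        add_ace(ET.SubElement(body, tag, attrs), ar, host=host)
    return serialize(root)


def pda_whitelist_example(instance_id: str) -> str:
    """Rebuild the guide's global PDA white list entry (Everyone, Full Access)."""
    root = new_rights_file()
    dn = ET.SubElement(root.find("Body"), "DN", Port="14", Class="15",
                       InstanceId=instance_id, Name="Windows Mobile-based Device")
    add_ace(dn, "3", sid=EVERYONE_SID)
    return serialize(root)
```

Run `print(computer_rights_example("hostname.example.invalid"))` to see the generated file and `validate(...)` on any hand-written one before dropping it into the import directory. Note that ElementTree escapes the & in USB instance IDs to &amp; on output, which is what well-formed XML requires; the guide's examples show a bare &, and whether cynapspro's importer accepts that form is not stated in the guide, so the validator treats it as an error.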

Useful Command Lines

Start AD/NDS/LDAP Synchronization

DpAdmin Tool.exe /sync [/activate]

The parameter /sync starts the complete synchronization of your existing directory service structure. With the additional parameter /activate, all new users will automatically be activated in the cynapspro Management Console for DevicePro.

Note: Other cynapspro solutions should always be activated in the Management Console.

Automatically Activate All Users

DpAdmin Tool.exe /activate

Automatically activate all users for DevicePro.

Change License File

DpAdmin Tool.exe /license LICENSE_FILE_PATH /user LICENSE_NAME

Define the First Network Drive Letter

DpAdmin Tool.exe /driveLetter "<network drive letter>"

To ensure that no conflicts arise between network drives and external storage devices with regard to the allocation of drive letters, you can use the above command to define the first letter used for storage media.

Client Rollout using the cynapspro Server

/install [all] [MACHINE_NAMES]

Install the cynapspro agent on all [all] or specific computers [MACHINE_NAMES].

Client Update using the cynapspro Server

/update [all] [MACHINE_NAMES]

Update the cynapspro agent on all [all] or specific computers [MACHINE_NAMES].

Automatic Deletion of Log Files

DpAdmin Tool.exe /serverLogsTime 5 - (5 day limit)
DpAdmin Tool.exe /serverLogsTime 0 - (no time limit)
DpAdmin Tool.exe /serverLogsSize 5 - (5 MB size limit)
DpAdmin Tool.exe /serverLogsSize 0 - (no size limit)
DpAdmin Tool.exe /agentLogsTime 5 - (5 day limit)
DpAdmin Tool.exe /agentLogsTime 0 - (no time limit)
DpAdmin Tool.exe /agentLogsSize 5 - (5 MB size limit)
DpAdmin Tool.exe /agentLogsSize 0 - (no size limit)

To minimize the storage requirements of cynapspro, you can use the above parameters to automatically delete the log files, which record all program activities, based on a time period or on their size.

Changing the Domain Controller Information

DpAdmin Tool.exe /xmlrpcport 6005 /agentPort 6006 /dsType 1 /domainController [DC_NAME] /adUser [AD_USER] /adPassword [AD_PASSWORD] /dbServer [DB_SERVER] /dbName [DB_NAME] /dbUserName [DB_USER_NAME] /dbPassword [DB_PASSWORD]

Only the parameters given on the command line will be taken into account for the change.

Changing the Path for the XML Interface

DpAdmin Tool.exe /impdir ACL_IMPORT_DIR /impdirsuccess IMPORT_SUCCESS_DIR /impdirfail IMPORT_FAIL_DIR

Define the import path (ACL_IMPORT_DIR), the path for successfully imported files (IMPORT_SUCCESS_DIR) and the path for XML files with errors (IMPORT_FAIL_DIR).

Import and Export Settings from Server to Server

/importACL ACL_FILE_PATH
/exportACL ACL_FILE_PATH

Import all user rights and device white lists of another server using the export / import function.

Congratulations!

You are now familiar with all aspects of cynapspro Endpoint Data Protection.

If you need any further assistance, we are at your disposal.

We shall be happy to support you if there are any emerging questions or issues.

We hope you'll enjoy using our products.

Copyright

All Rights Reserved, 2004 - 2010 cynapspro GmbH. This document is copyrighted. All rights are reserved by cynapspro GmbH. Any other use, especially the disclosure to third parties, storage within a data system, distribution, processing, presentation, performance and production is prohibited. This applies to the entire document, as well as to any of its parts.

Subject to change. The software described in this document is subject to continuous development. As a result, functions described in the documentation may differ from the actual software.

Cynapspro and DevicePro ® are registered trademarks of cynapspro GmbH. All other product names and trademarks are the property of their respective owners.

cynapspro GmbH
Am Hardtwald 1
76275 Ettlingen
Germany
Phone +49 (0)7243-945-250
Fax +49 (0)7243-945-100
Email: [email protected]
Website: http://www.cynapspro.com