Remote Administration
Deploying a policy locally may be useful for a uniform installation of Matrix42 Full Disk Encryption on a small number of computers or on an ad-hoc basis. But what about a large number of computers scattered throughout a company that need to be installed or updated as soon as they are connected to the network?
This section details how to install and configure Matrix42 Full Disk Encryption remotely using policy files. For details about unattended installation, see the Matrix42 FDE – Installation and Troubleshooting Guide, chapter 2.4, subchapter “Unattended installation”.
Policy files
A policy file is a file that contains all the required Matrix42 Full Disk Encryption configuration settings for the target computer. These policy files can be created using the Policy Builder (for details, see section 2).
There are two types of policy files:
- Full Disk Encryption policies to configure the Full Disk Encryption mechanism as well as boot security settings and external media control.
- Pre-Boot Authentication policies for the PBA component.
Administration tasks
The following tasks can be performed using policy files:
FDE policy files can be used to:
- Install, remove, and configure FDE boot security settings.
- Install, remove, and configure FDE external mass storage media encryption.
- Encrypt and decrypt hard disk partitions.
- Create ERI and configure ERI password restrictions.
- Change Administration password.
- Configure Logging, TPM, Branding or HelpDesk text updates.
- Remove the whole product or deinitialize FDE.
PBA policy files can be used to:
- Install and configure PBA smart card reader and PKCS#11 settings.
- Install and configure PBA settings for encryption mechanisms and certificate labels.
- Configure authentication options to PBA.
- Change Administration password.
- Configure Pre-boot appearance.
- Update the branding or HelpDesk text files.
- Configure Logfile settings.
- Add/Remove HelpDesk key to PBA.
- De-initialize PBA or remove PBA.
Deploying Full Disk Encryption policies
To administer Matrix42 Full Disk Encryption remotely, the following tasks are required:
- Create a Full Disk Encryption policy that contains all the required settings for the target computers (for details, see Creating an initialization policy).
- Save this policy under the filename ‘Autoconf.nbs’.
- Copy the Autoconf.nbs policy to each target computer, in the FDE installation directory. Usually the FDE installation directory is: C:\WINDOWS\NAC.
- There are now two different ways to start processing the policy:
  - Restart the computer to automatically process the Autoconf.nbs file when the target computer boots. After successfully processing the FDE policy, the Autoconf.nbs will be deleted on the target computer.
  - Restart the pbaservice service (can be performed via services.msc).
- For details about creating FDE policies, see section 2.1.
Deploying Pre-Boot Authentication policies
Follow these steps to perform remote PBA administrative tasks:
- Create a PBA policy that contains all the settings required for the target computers and save this policy under the filename Autoconf.PBA. For further information refer to chapter 2.2.
- Copy Autoconf.PBA to the PBA installation directory on each target computer. Usually the PBA installation directory is: C:\WINDOWS\NAC\SBS.
- There are now two different ways to start processing the policy:
  - Restart the computer to automatically process the Autoconf.pba file when the target computer boots. After successfully processing the PBA policy, the Autoconf.pba will be deleted on the target computer.
  - Restart the fdeservice service (can be performed via services.msc).
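The two deployment procedures above (FDE and PBA), combined into one PowerShell helper as an added example; this is not Matrix42's own tooling. It assumes PowerShell remoting is enabled on the targets and that the policy file is also deleted after a service-triggered run; the function name `Send-M42Policy` and the timeout are hypothetical, while file names, directories and service names are the ones given on this page.

```powershell
# Added example. File names, directories and service names are the ones stated on
# this page; the function name, remoting setup and timeout are assumptions.
$PolicyTargets = @{
    FDE = @{ Name = 'Autoconf.nbs'; Dir = 'C:\WINDOWS\NAC';     Service = 'pbaservice' }
    PBA = @{ Name = 'Autoconf.PBA'; Dir = 'C:\WINDOWS\NAC\SBS'; Service = 'fdeservice' }
}

function Send-M42Policy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][ValidateSet('FDE', 'PBA')][string]$Type,
        [Parameter(Mandatory)][string]$PolicyFile,   # policy saved from the Policy Builder
        [int]$TimeoutSeconds = 120
    )
    $t        = $PolicyTargets[$Type]
    $dest     = Join-Path $t.Dir $t.Name
    $svc      = $t.Service
    $expected = (Get-FileHash -LiteralPath $PolicyFile -Algorithm SHA256).Hash

    $session = New-PSSession -ComputerName $ComputerName
    try {
        Copy-Item -Path $PolicyFile -Destination $dest -ToSession $session -Force
        # Confirm the file that arrived is byte-identical to the one that was built.
        $actual = Invoke-Command -Session $session -ScriptBlock {
            (Get-FileHash -LiteralPath $using:dest -Algorithm SHA256).Hash
        }
        if ($actual -ne $expected) {
            Invoke-Command -Session $session -ScriptBlock { Remove-Item -LiteralPath $using:dest -Force }
            throw "Hash mismatch on $ComputerName; policy removed, service not restarted."
        }
        # Second trigger option from the page: restart the service instead of rebooting.
        Invoke-Command -Session $session -ScriptBlock { Restart-Service -Name $using:svc -Force }
        # The page states the file is deleted after successful processing; poll for that.
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        do {
            Start-Sleep -Seconds 5
            $pending = Invoke-Command -Session $session -ScriptBlock { Test-Path -LiteralPath $using:dest }
        } while ($pending -and (Get-Date) -lt $deadline)
        [pscustomobject]@{ Computer = $ComputerName; Type = $Type; Processed = -not $pending }
    } finally {
        Remove-PSSession $session
    }
}
```

A result with `Processed = $false` means the policy file was still present when the timeout expired, so that machine needs a manual check before the policy is considered applied.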