Cynapspro Endpoint Data Protection provides tools to manage data protection on endpoints. It includes modules for device control, encryption, application control and secure deletion. The user guide describes the management console, administration tools, directory synchronization, rights management features of each module, and solution scenarios for common implementation tasks. It provides information on logging, reporting, troubleshooting and other administrative functions.
cynapspro Endpoint Data Protection 2010
User Guide
Cynapspro Endpoint Data Protection
DevicePro prevents data loss by controlling all kinds of ports and external storage devices.
CryptionPro protects your company data by efficiently encrypting data stored on external devices.
CryptionPro HDD protects confidential data through automatic and efficient HDD encryption.
ApplicationPro controls the use of applications based on a white list or black list.
ErasePro ensures that files are securely and permanently deleted.
PowerPro cuts energy costs and reports suspicious activity.
Last Update: May 25, 2010
2. 2 cynapspro Endpoint Data Protection – User Guide
Table of Contents
General Information..................................................................................................... 6
The cynapspro Management Console: ......................................................................... 6
Change Hostname/ Port ......................................................................................... 6
Change Language .................................................................................................. 6
cynapspro Admin Tool ............................................................................................... 7
Database Settings ................................................................................................. 7
Directory Service Settings ...................................................................................... 7
cynapspro Server Settings ...................................................................................... 7
Log Level ............................................................................................................. 7
Server Management ................................................................................................. 7
Server Relocation .................................................................................................. 8
Database Maintenance .............................................................................................. 9
Merging of Two Databases ...................................................................................... 9
License Management .............................................................................................. 10
Log File Management .............................................................................................. 10
Log Files of the cynapspro Agent ........................................................................... 10
Audit Logs .......................................................................................................... 11
cynapspro Client .................................................................................................... 12
General Information ............................................................................................ 12
Generate an MSI Packet for the Client .................................................................... 12
Installation/ Update of the Agents ......................................................................... 12
Ticket System ........................................................................................................ 14
Custom Error Messages ........................................................................................... 14
Directory Service Structure ......................................................................................... 16
Active Directory/ NDS Synchronization ...................................................................... 16
Active Directory Synchronization – Scheduler.......................................................... 17
Management of Domain Controller ......................................................................... 17
Manage your own Directory ....................................................................................... 18
Inheritance of Group Rights ..................................................................................... 18
Integration of Third Party Systems .............................................................................. 20
Administration .......................................................................................................... 21
Change Requests.................................................................................................... 21
Mail Notifications .................................................................................................... 21
Administrative Roles ............................................................................................... 22
Administrators and Access Scope ............................................................................. 23
DevicePro ................................................................................................................. 25
Rights Management ................................................................................................ 25
Access Management ............................................................................................ 25
Activate/Deactivate Users or Computers ................................................................. 27
User Information ................................................................................................. 27
Import Permissions .............................................................................................. 28
Combining Computers and Users ........................................................................... 28
Computer Rights ................................................................................................. 29
Precedence in case of Conflicting Rights ................................................................. 30
Device White List .................................................................................................... 31
White listing Device Types .................................................................................... 31
White listing Individual Devices ............................................................................. 31
Media Release ..................................................................................................... 34
Challenge Response to obtain Access to Individual Devices ....................................... 35
Content Header Filter .............................................................................................. 36
Reporting & Analysis ............................................................................................... 37
Access Rights Changes Not Yet Transmitted ............................................................ 37
Active/Inactive Users ........................................................................................... 37
Analysis of Rights Changes ................................................................................... 37
Access Rights Analysis ......................................................................................... 37
Access Rights Overview - Details ........................................................................... 37
Access Rights Overview - Summary ....................................................................... 38
Deviations from Default Rights .............................................................................. 38
One-Time or Temporary Permissions ..................................................................... 38
Audit Log............................................................................................................... 38
Blocked Access.................................................................................................... 38
Access Statistics .................................................................................................. 39
cynapspro Agent .................................................................................................... 40
User Rights/ Currently Connected Devices .............................................................. 41
Request Access Rights ......................................................................................... 41
Challenge Response for the Release of Individual Devices ......................................... 42
Enter Unblocking Code ......................................................................................... 43
Login As ............................................................................................................. 43
Import Access Rights ........................................................................................... 44
Solution Scenarios .................................................................................................. 44
No Connection to the Server ................................................................................. 44
Getting Started after the Installation ..................................................................... 44
View Already Installed Computers ......................................................................... 45
Restrict Access to Company-Owned Devices ........................................................... 45
Assign Specific Devices to Selected Users ............................................................... 46
Blocking File Types .............................................................................................. 47
Change Access Permissions Offline ........................................................................ 47
File Access Log .................................................................................................... 48
Administrator with different Access Levels .............................................................. 48
ApplicationPro ........................................................................................................... 49
Introduction ........................................................................................................... 49
Rights Management ................................................................................................ 49
Learning Mode ....................................................................................................... 50
Managing ApplicationPro with the Learning Mode ..................................................... 50
Management of Programs ..................................................................................... 51
Management of Roles ........................................................................................... 51
ApplicationPro Settings ........................................................................................... 52
Trusted Objects ................................................................................................... 52
Solution Scenarios for ApplicationPro ........................................................................ 52
Quick White Listing of Applications ........................................................................ 52
White Listing Many Programs for Many Users .......................................................... 53
CryptionPro .............................................................................................................. 54
Overview ............................................................................................................... 54
Encryption Options ................................................................................................. 54
Key Management ................................................................................................... 55
CryptionPro Group Management ............................................................................... 56
CryptionPro Mobile (global settings) .......................................................................... 56
Device Blacklist ...................................................................................................... 56
Unencrypted File Transfer ........................................................................................ 56
User Configuration .................................................................................................. 57
CryptionPro Mobile (Client Software) ......................................................................... 57
Solution Scenarios for (CryptionPro) ......................................................................... 58
Automatic Encryption for All Users ......................................................................... 58
Save Without Encryption ...................................................................................... 59
CryptionPro HDD 2010 ............................................................................................... 60
Default Settings ..................................................................................................... 60
Pre-Boot Authentication ....................................................................................... 60
PBA Settings ....................................................................................................... 61
Full Disk Encryption ............................................................................................. 61
Installation Settings ............................................................................................. 62
Installation and Management ................................................................................ 63
ErasePro................................................................................................................... 65
User Management .................................................................................................. 65
Secure Deletion of Files ........................................................................................... 66
PowerPro .................................................................................................................. 67
Profile Management ................................................................................................ 67
Computer Settings.................................................................................................. 67
Scheduler .............................................................................................................. 68
Exceptions for Important Programs ........................................................................... 68
User Rights ............................................................................................................ 68
Settings ................................................................................................................ 69
Appendix .................................................................................................................. 70
Components for the Creation of a cynapspro Rights File .............................................. 70
Change Device Port ............................................................................................. 70
Change Device Type ............................................................................................ 70
White Listed Device Types .................................................................................... 71
Component for White Listing a Unique Device ............................................................ 72
White List a PDA for All Users: .............................................................................. 72
Use Cases ............................................................................................................. 73
Define User or Computer Rights for a Port .............................................................. 73
Change access rights of a Computer for 2 Ports and 2 Device Types .......................... 73
Add 2 Devices of Different Device Types to the white list of Device Models ................. 74
Remove Device from the Device Model White List .................................................... 74
Add a PDA to the Global White List ........................................................................ 74
Remove a User from a Unique Device White List...................................................... 74
Useful Command Lines ............................................................................................ 75
Start AD/NDS/LDAP Synchronization...................................................................... 75
Automatically Activate All Users ............................................................................ 75
Change License File ............................................................................................. 75
Define the First Network Drive Letter ..................................................................... 75
Client Rollout using the cynapspro Server ............................................................... 75
Client Update using the cynapspro Server .............................................................. 75
Automatic Deletion of Log Files ............................................................................. 75
Changing the Domain Controller Information .......................................................... 76
Changing the Path for the XML Interface ................................................................ 76
Import and Export Settings from Server to Server ................................................... 76
Copyright ................................................................................................................. 77
General Information
For the administration of the cynapspro Server, there are two tools available:
The cynapspro Management Console:
The cynapspro Management Console is the central interface for controlling all
cynapspro functions. The Management Console can be accessed from any location,
i.e. each administrator can run it from their own workstation.
The cynapspro 2010 Management Console can be accessed via the Start menu:
Start > All Programs > cynapspro GmbH
Change Hostname/ Port
You can run the Management Console from any workstation. Just copy the exe file to a
network drive or directly to your computer. Enter the hostname and port when prompted.
Go to the toolbar and select File > cynapspro server if you want to log on to a different
server and/or change the settings.
Change Language
In order to change the language in the Management Console, go to Tools > Options in the
toolbar menu. Two languages are offered: German and English.
cynapspro Admin Tool
The cynapspro Admin Tool is used to configure or check the server settings.
After successful installation of the cynapspro server, you can use the cynapspro Admin Tool
to verify and change server or database settings.
By default, the tool is installed at
C:\Program Files\cynapspro GmbH\DevicePro 2010
and can be accessed via the Start menu > All Programs > DevicePro 2010.
Database Settings
Click on the button Validate to test the connection to the specified database. cynapspro
solutions need a user with database administrator rights (DB Owner) to access the database.
Directory Service Settings
A prerequisite for the synchronization of the directory structure is that the specified user
holds the necessary access rights (List Contents, Read All Properties).
In the Domain Controller field, enter the hostname of the directory service server.
Click on the button Validate to test the connection.
cynapspro Server Settings
Two ports are used by default to manage the communication between cynapspro server and
client components. Define the client-server XmlRpcPort and the server-client Notification
port.
The client-server XmlRpcPort is used by clients to connect to the server (default: 6005).
The server-client notification XmlRpcPort serves to notify the clients about changes made to
their rights on the server (default: 6006).
Log Level
The server services and the agent log all activities continuously. The level of detail can
be set to one of the following options:
- Operating Mode: Errors only
- Administration Mode: Detailed
- Debug Mode: Very detailed
Server Management
You can run multiple cynapspro servers, for example to safeguard against failure.
When installing an additional server, specify the same database in the installation routine.
You will then see all cynapspro servers under Server Management. You can now define
whether the client should randomly select a server to sign on to or whether a specific
sequence should be applied.
Server Management is also recommended when you plan a move of the cynapspro
server.
Before uninstalling the old cynapspro server, just assign a higher priority to the new
cynapspro server to ensure uninterrupted service.
Server Relocation
You have bought new hardware or other circumstances require that you move the cynapspro
server to a new machine. This is no problem at all if the current IP address and/or the
server name will also be used for the new server. The cynapspro agents will then
automatically find the new server. If the IP address and server name will be different, you
can move the cynapspro server component as follows.
You can use one of the following two methods to relocate the cynapspro server:
1) You install the new cynapspro server with access to the old/new database (you define
the SQL server during the installation or afterwards via the Admin Tool.) Now open
the Management Console on the old server and go to Administration > Server
Management. You can now prioritize the new server as higher than the old one. All
clients will now log on to the new server.
2) You install the new cynapspro server with access to the old/new database (you define
the SQL server during the installation or afterwards via the Admin Tool.) Start the
new Server, go to Administration > Generate MSI package for the clients and generate
a new MSI package (do not forget to define the default settings for clients). Use
"Open folder" to go directly to the directory. Copy the new MSI package into the MSI
directory of the old server and run an update of the agents from the old server. The
old server now distributes the server information of the new server to the clients,
which will then all log onto the new server.
In both cases, it is possible that not all clients are online and get the update. Thus, they
would still report to the old server. It is best to leave the old server running for about two
weeks, to be sure that all clients have received the update. Use "Update of the Agents" on
the old server and look up "Inactive" to see how many and which clients have been offline
and have therefore not received the update.
Database Maintenance
If you use cynapspro Endpoint Data Protection solutions over a prolonged period of time or
in larger environments, the DevicePro database that is stored in your SQL Server can
significantly grow in volume. To keep this database volume low, you can archive the data
generated through logging and auditing, or delete duplicate records.
To evaluate duplicates, please click on Analyze. You can now see how many duplicate
records have been entered under logging and auditing. You can Delete these duplicates to
minimize the database without losing data.
If the volume of the database is still too large, you can archive old records into files that can
still be evaluated later.
Select the time period that should be used for each file, define the path to the archive and
whether you want the archiving to be done automatically or manually.
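The Analyze, Delete and archive steps described above, modelled as an added example that is not cynapspro code: it runs against a constructed in-memory SQLite table with a hypothetical audit_log layout (the product itself stores the DevicePro database in SQL Server), so the logic can be tried offline.

```python
"""Duplicate analysis, deduplication and archiving for a logging/auditing table.

Added example, not cynapspro code. The audit_log layout and the sample rows
are constructed for illustration only.
"""
import csv
import sqlite3

# Columns that identify one logged event. A second row with the same values
# is a duplicate record in the sense of the Analyze button; id is excluded.
EVENT_COLUMNS = ("logged_at", "user_name", "device_type", "action")
GROUP_BY = ", ".join(EVENT_COLUMNS)


def open_sample_db() -> sqlite3.Connection:
    """Create an in-memory audit table filled with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE audit_log ("
        "id INTEGER PRIMARY KEY, logged_at TEXT, user_name TEXT, "
        "device_type TEXT, action TEXT)"
    )
    rows = [
        ("2010-01-04", "jdoe", "USB Storage", "blocked"),
        ("2010-01-04", "jdoe", "USB Storage", "blocked"),  # duplicate
        ("2010-01-04", "jdoe", "USB Storage", "blocked"),  # duplicate
        ("2010-02-15", "asmith", "CD/DVD", "read"),
        ("2010-02-15", "asmith", "CD/DVD", "read"),        # duplicate
        ("2010-05-20", "asmith", "USB Storage", "write"),
    ]
    conn.executemany(
        f"INSERT INTO audit_log ({GROUP_BY}) VALUES (?, ?, ?, ?)", rows
    )
    conn.commit()
    return conn


def analyze_duplicates(conn: sqlite3.Connection) -> int:
    """Count rows that repeat an earlier identical event (what Analyze reports)."""
    (extra,) = conn.execute(
        f"SELECT SUM(n - 1) FROM ("
        f"SELECT COUNT(*) AS n FROM audit_log GROUP BY {GROUP_BY})"
    ).fetchone()
    return extra or 0  # SUM() is NULL on an empty table


def delete_duplicates(conn: sqlite3.Connection) -> int:
    """Remove duplicates but keep the first row of every group, so no event is lost."""
    cur = conn.execute(
        f"DELETE FROM audit_log WHERE id NOT IN ("
        f"SELECT MIN(id) FROM audit_log GROUP BY {GROUP_BY})"
    )
    conn.commit()
    return cur.rowcount


def archive_before(conn: sqlite3.Connection, cutoff: str, path: str) -> int:
    """Move records older than the ISO date `cutoff` into a CSV file that can
    still be evaluated later, then delete them from the live table."""
    rows = conn.execute(
        f"SELECT id, {GROUP_BY} FROM audit_log WHERE logged_at < ? ORDER BY id",
        (cutoff,),
    ).fetchall()
    with open(path, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(("id",) + EVENT_COLUMNS)
        writer.writerows(rows)
    # Delete exactly the ids that were written, so a failed write never loses data.
    conn.executemany("DELETE FROM audit_log WHERE id = ?", [(r[0],) for r in rows])
    conn.commit()
    return len(rows)


def row_count(conn: sqlite3.Connection) -> int:
    (n,) = conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()
    return n


def run_maintenance(cutoff: str = "2010-03-01", archive_path: str = "audit_archive.csv") -> dict:
    """Analyze, deduplicate, then archive old records: the order the dialog suggests."""
    conn = open_sample_db()
    result = {"duplicates_found": analyze_duplicates(conn)}
    result["duplicates_deleted"] = delete_duplicates(conn)
    result["archived"] = archive_before(conn, cutoff, archive_path)
    result["remaining"] = row_count(conn)
    return result


if __name__ == "__main__":
    print(run_maintenance())
```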
Merging of Two Databases
If you have installed several cynapspro servers in different environments and you want to
bring them together now, you need to proceed as follows.
Connect to the cynapspro server, which you want to eliminate.
Export the database information in a file (txt format) with the following command from the
command line:
<Installation Path>\DpAdmin Tool.exe /exportACL "<path>\<filename>.txt"
Then connect to the cynapspro server you want to keep.
Import the information using the following command line:
<Installation Path>\DpAdmin Tool.exe /importACL "<Path>\<filename>.txt"
The user information is tied to the user name (e.g. AD account name). Thus, no
complications arise if the SID has changed.
License Management
Here you can see the number of licenses you have purchased, the current number of active
users, as well as all add-ons that have been activated with your license.
If you want to activate additional licenses or add-ons, such as logging, ApplicationPro,
CryptionPro, etc., you only need a new Lic file. Open it with the Browse button and click
Confirm.
The new licenses and add-ons will be activated immediately.
Log File Management
By default, cynapspro saves its log files in the LOG folder of the installation directory. You
can change the path of the log files as you see fit.
You can also change the degree of detail of the logs by selecting one of three radio buttons.
Operating mode is very basic logging, administration mode creates a fairly
detailed log file and debug mode provides very detailed logging.
You also have the option to compress log files. If you need support, these compressed files
are very helpful to our support staff. Select the time period as well as the components.
Now click on Compress and open the folder. Send this file along with the error description to
our support (support@cynapspro.com).
Log Files of the cynapspro Agent
To check the log file of a user's agent, go to Rights Management.
Just right-click on the corresponding user. The context menu has the
menu option Log files of the agent, which offers three choices. First, you can
view the latest log by clicking on Current.
The current file opens in the editor in log format.
If you would like to access an older log file or open multiple logs of that user, select the
second choice: you can now select the desired log file(s) from a list.
After clicking on the selected log file, it will open in Notepad. You can now check the
activities of the user.
You can also Delete older or all log files in the cynapspro Management Console.
Audit Logs
Go to the audit administration to enable or disable audit logs.
If not all administrators should be allowed to access the logging of all users, or if access
should only be possible together with a representative of the workers’ council or the
management, you can restrict access by depositing up to two passwords. Access to the audit
logs will only be granted if both passwords have been entered.
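The two-password gate described above, as an added example that is not cynapspro code: the slot assignment (slot 1 for the administrator, slot 2 for the workers' council representative), the salted PBKDF2 hashing and the sample passwords are assumptions made for illustration.

```python
"""Four-eyes gate for audit log access.

Added example, not cynapspro code. Models "deposit up to two passwords":
access is granted only when every deposited password is presented. With
none deposited there is no extra gate. Only salted PBKDF2 hashes are kept,
and comparisons run in constant time.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumption for the example


def deposit_password(password: str) -> dict:
    """Deposit one password: only a random salt and its PBKDF2 hash are stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt, "digest": digest}


def password_matches(deposited: dict, candidate: str) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), deposited["salt"], PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest, deposited["digest"])


def audit_access_granted(deposited: list, entered: list) -> bool:
    """Grant access only if every deposited password is matched by the password
    entered for the same slot (slot 1: administrator, slot 2: workers' council).

    Every slot is checked even after a failure, so the response time does not
    reveal which of the two passwords was wrong.
    """
    if len(deposited) > 2:
        raise ValueError("at most two passwords can be deposited")
    if len(entered) != len(deposited):
        return False
    results = [password_matches(d, e) for d, e in zip(deposited, entered)]
    return all(results)


def demo() -> dict:
    """Constructed sample: two deposited passwords and several attempts."""
    vault = [deposit_password("admin-secret"), deposit_password("council-secret")]
    return {
        "both_correct": audit_access_granted(vault, ["admin-secret", "council-secret"]),
        "one_wrong": audit_access_granted(vault, ["admin-secret", "wrong"]),
        "only_one_entered": audit_access_granted(vault, ["admin-secret"]),
        "none_deposited": audit_access_granted([], []),
    }


if __name__ == "__main__":
    print(demo())
```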
cynapspro Client
General Information
By installing the cynapspro client component, a kernel filter driver is installed on the
Windows system.
The task of the kernel filter driver is to monitor the rights that have been allocated to the
user or computer.
The use of the kernel filter driver has the advantage that all rights remain valid and effective
when the computer is offline.
Furthermore, the kernel filter driver provides much higher security and prevents
incompatibilities and problems.
The cynapspro client component should be installed on each workstation.
Generate an MSI Packet for the Client
Here you can generate an MSI package for the installation of the cynapspro 2010 agents.
The settings for the package will be automatically copied from the current cynapspro 2010
Server.
Optionally, you can generate the MSI package so that the tray icon is hidden in Windows.
To ensure an optimal offline support, we recommend not hiding the tray icon.
By activating the checkbox Prevent Service Stop the MSI package will be generated in
such a way, that even users with administrative rights can no longer stop the service that is
used for communication between server and client.
The password protection for the uninstall is designed to prevent users with administrative
rights from removing the cynapspro 2010 agent.
If you have low bandwidth in your network, you can increase the Timeout on the client.
By default, a timeout of 12 seconds is defined.
If you have computers connected over WLAN or UMTS / GPRS to the corporate network, you
can use Rights for communication devices to specify that a radio connection will not be
blocked until the computer is restarted.
Installation/ Update of the Agents
To help you manage version updates, you can update or install cynapspro agents directly
from the Management Console. For the installation you need to define under Settings -
Installation a domain user with the appropriate privileges for the installation (e.g.
admin@domain.local). Under Settings – Update, you have two options. You can initiate the
update manually or have the update run automatically each time the server is updated.
In order to start a manual update or an installation from the Console, go to Administration
> Installation > Update of the agents, select the desired systems and click on the
Install/Update.
An automatic update is started if you go to Download Settings, activate Automatically
and then confirm the setting.
You can also have the updates roll out according to a time schedule by activating Schedule.
If you want to rename the MSI file, please activate Allow name changes. This setting is
recommended if the installation is done with the help of a software distribution solution or
from a network drive.
To obtain an overview over all clients that have not yet been equipped with the cynapspro
agent, just select under View Only computers without an Agent.
If the installation has not been carried out properly via the Management Console, please
check whether the MSI was transferred to the client under C:\Temp. If this is not the case,
please check your firewall settings. If the MSI is located under C:\Temp but could not be
executed remotely, you need to make the following Group Policy changes:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound remote administration exception
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow inbound remote administration exception
Ticket System
Cynapspro offers a ticket system, which enables users to send access rights requests to the
administrator.
If you do not want users to use this feature, you can deactivate the checkbox Allow access
change requests in the client settings. Users then can no longer apply for any access
changes using the ticket system.
You can also specify the network drive letter assignment, which defines from which
drive letter onwards external storage devices can be expected. If you set the first network
drive letter, you prevent an external storage device from receiving the same drive letter
as a network drive.
One click is enough to avoid one of the most common support cases in companies.
Custom Error Messages
Custom error messages allow you to write your own message to the user for each kind of
blocked access. The message appears as a popup above the system clock.
Go to Administration > Client Management > Custom Error Messages. Start by choosing
one of the two languages offered, German or English. To change a default message,
double-click on the access violation; for example, click on No access, enter the
message and press OK. Optionally, add the parameter #DeviceType at any point in the
message if you want the user to see which device type is locked.
If you want to allow users access to external storage, but also draw attention to the dangers
of these devices, you can use security warnings.
When a mass storage device is accessed for the first time, the warning you have defined
appears. The user has to confirm once that he has read and understood the warning; only
after this confirmation is access to external storage devices allowed.
The confirmation is recorded in the log file.
Directory Service Structure
Active Directory/ NDS Synchronization
Active Directory / NDS synchronization allows you to copy users and groups from your
existing directory service into the cynapspro database. The synchronization of the cynapspro
server with the Directory Service will read the complete structure from the directory and
copy it to the cynapspro database.
There will be no schema extensions or other modifications in the directory service. All
relevant data will just be copied.
Before you start the first synchronization, you can set default permissions for new users,
so that you do not need to define rights manually for every new user.
Go to Rights Management> Specific Users> Default Rights (New user).
To start the synchronization, go to AD and NDS synchronization, and click the Start button.
If you have enabled some groups and want new users of these groups to be activated
immediately, just activate the checkbox Automatically activate new users.
You can choose OUs or groups you want to synchronize in the left window. Thus you don’t
need to synchronize the entire directory service every time.
Active Directory Synchronization – Scheduler
Users and groups are frequently created or deleted. So that the directory service does not
have to be synchronized manually after every change, there is an automatic
synchronization. The scheduler enables you to activate such automatic synchronization of
the directory structure.
You can set the times and days of the week as well as time intervals. Click Confirm to
activate your settings.
Management of Domain Controller
If you have multiple domain controllers (DCs) and want to synchronize all OUs, groups and
users from them, you can enter additional DCs.
The Primary Domain Controller was specified during the installation.
Go to Secondary Domain Controllers and add additional DCs, by clicking on Insert and
entering the required data. Then click Confirm.
Synchronization Log
The synchronization log tells you whether a synchronization was successful or whether it has
failed.
Users that No Longer Exist in the Directory Service
If users, computers, groups or OUs are deleted from the directory service, you will see them
after the synchronization under Not Available Users. In order to remove them from the
database, just make your selection and click Delete.
The audit record of past user activities will, however, not be deleted.
Manage Your Own Directory
You can also manage users in cynapspro without Active Directory or Novell eDirectory.
As soon as an MSI package is installed on a computer, you can find the computer and all
registered users under Unordered.
For a better overview, you can create your own OUs. Right-click on the domain / workgroup
and select Insert Organizational Unit.
Users can then be moved to the previously created OUs. Select the user you want to move,
press the right mouse button and choose Move To.
Inheritance of Group Rights
Managing users through groups reduces your administrative overhead.
By default, all users are excluded from inheritance. If you want users to automatically inherit
permissions, go to rights management and activate the checkbox in the column IA
(inheritance active). You can also activate inheritance in the context menu of the user by
selecting Activate Inheritance.
The user initially has the default rights that you have defined under Specific Users. If you
want the user to automatically receive the rights of the parent group, go to AD
synchronization and define the inheritance settings.
This is where you determine how the inheritance rules should be applied.
You can create your own groups in the cynapspro management Console, so that you do not
have to create groups in AD / NDS. Go to DevicePro group management.
In the directory service tree, select the parent OU and pull up the context menu with the
right mouse button. Select Insert DevicePro group. Then rename the group you have just
created and assign the respective user using group members (right panel).
Integration of Third Party Systems
Do you already have a system in which you manage all user or rights changes and want those
changes transferred automatically to the cynapspro database? To support this, we have
developed rights management via third party software. All your changes can be saved as an
XML file that is read automatically by our web service and triggers the respective changes
in the cynapspro database.
Just define in the cynapspro Management Console the path where you want to store the XML
files. Go to Administration > Integration with other systems. Define the path to your
XML files under Folder for data import. The other two paths will be created automatically.
However, if you want to use a different folder, just click Browse.
If you now place an XML file in the folder for data import, the file will be processed
immediately.
If the file was read successfully, it is automatically moved to the folder Success. If the
XML file contains errors, it is automatically moved to the folder Fail.
In addition to the folder structure, the cynapspro server informs you about the status of the
import process. If the XML file was processed successfully, it is shown with the status
"Success". If the XML command cannot be read, you receive the message "Failed" together
with an error text; the status "Failed" and the error message are also written back into
the XML file itself. The third party system thus receives feedback confirming success or
indicating why the import failed.
Please refer to the components listed in the appendix that explain how to create a cynapspro
rights file.
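The following added example, which is not part of the guide or of the vendor's software, shows how an integrating system would hand a file to this interface: it writes the file into the import folder so that it appears complete in one step, then watches the Success and Fail folders and reads the status written back into a rejected file. Assumptions, since the guide does not spell them out: the service only picks up files ending in .xml, a rejected file carries status="Failed" on its root element, and the error text is in an <error> child. The payload itself follows the appendix's format, which is not reproduced here, so a placeholder <rights/> is used. Remember that whoever can write to the import folder can change rights in the cynapspro database; restrict the folder's NTFS permissions to the account of the integrating system and to the cynapspro server. The fake_server function stands in for the web service only so that the example runs offline.

```python
"""Drive the folder-based rights import: drop a rights XML into the import
folder, watch the Success and Fail folders next to it, read back the status
the server writes into a rejected file.

Added illustration, not the vendor's code. Assumptions: the service picks up
*.xml only; a rejected file has status="Failed" on its root element and the
error text in an <error> child; the payload format comes from the appendix.
"""
import os
import shutil
import tempfile
import time
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import List, Optional, Tuple


def drop_rights_file(import_dir, name: str, xml_bytes: bytes) -> Path:
    """Write under a temporary suffix first and rename into place, so the
    service (which processes files as soon as they appear) never reads a
    half-written file. Assumes it ignores files not ending in .xml."""
    folder = Path(import_dir)
    tmp = folder / (name + ".part")
    tmp.write_bytes(xml_bytes)
    final = folder / name
    os.replace(tmp, final)          # atomic rename within one volume
    return final


def read_failure(path: Path) -> Optional[str]:
    """Extract the error text the server wrote into a rejected file."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError as exc:
        return f"rejected file is not well-formed XML: {exc}"
    if root.get("status") != "Failed":
        return None
    return (root.findtext("error") or "").strip() or "Failed (no error text)"


def wait_for_result(import_dir, name: str, timeout: float = 30.0,
                    poll: float = 0.2) -> Tuple[str, Optional[str]]:
    """Poll the Success and Fail folders until the file turns up in one of them."""
    folder = Path(import_dir)
    deadline = time.monotonic() + timeout
    while True:
        if (folder / "Success" / name).exists():
            return "Success", None
        failed = folder / "Fail" / name
        if failed.exists():
            return "Failed", read_failure(failed)
        if time.monotonic() >= deadline:
            raise TimeoutError(f"{name} was neither accepted nor rejected within {timeout}s")
        time.sleep(poll)


def fake_server(import_dir, name: str, ok: bool, error: Optional[str] = None) -> None:
    """Stand-in for the cynapspro web service, used only to exercise the client
    offline: moves the file to Success, or annotates it and moves it to Fail."""
    folder = Path(import_dir)
    src = folder / name
    if not ok:
        root = ET.parse(src).getroot()
        root.set("status", "Failed")
        ET.SubElement(root, "error").text = error
        ET.ElementTree(root).write(src)
    dest = folder / ("Success" if ok else "Fail")
    dest.mkdir(exist_ok=True)
    shutil.move(str(src), str(dest / name))


def demo() -> List[Tuple[str, Optional[str]]]:
    """Round-trip one accepted and one rejected file through a temporary folder tree."""
    root = Path(tempfile.mkdtemp(prefix="cynapspro-import-"))
    (root / "Success").mkdir()
    (root / "Fail").mkdir()
    results = []
    # Constructed placeholder payloads; a real file follows the appendix's format.
    drop_rights_file(root, "change-0001.xml", b"<rights/>")
    fake_server(root, "change-0001.xml", ok=True)
    results.append(wait_for_result(root, "change-0001.xml", timeout=2))
    drop_rights_file(root, "change-0002.xml", b"<rights/>")
    fake_server(root, "change-0002.xml", ok=False, error="unknown user")
    results.append(wait_for_result(root, "change-0002.xml", timeout=2))
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    print(demo())
```

In production the integrating system keeps the file name unique (a sequence number, as in the demo) so that the Success and Fail folders can be matched to requests, and archives or deletes processed files so the folders do not grow without bound.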
Administration
Change Requests
The ticketing system enables you to record change requests from users and to directly apply
the requested changes with a right mouse-click.
The user just needs to open the tray icon with a right mouse-click to open the function
Request Changes. The window cynapspro - Request access rights will open. The user
can select the required device from a drop-down list and add the desired access scope. He
transfers his selection with Insert to the List of Access Rights Requests. The user can
then add an explanation or comment to justify his request before he submits the list to the
administrator.
The administrator immediately receives a message in the Management Console about the
change request. He can then assign the requested rights directly or go to rights
management in order to review the user's current rights.
This allows you to determine whether the requested changes are accepted or need to be
adjusted. Any changes will be effective immediately for the user.
Mail Notifications
Under Mail Notifications, you can define one or more email addresses for receiving alerts via
the Management Console or emails with change requests from users.
Go to Administration > Administrator – Tools > Mail notifications. Here you can
enable email notifications, and enter one or more email addresses that will receive a
notification in case of change requests.
Click on Insert, select the event that shall trigger an email and enter the corresponding
email address.
Next, you can enter the name of the default sender, the SMTP Server and the SMTP
server port (default: 25).
The settings will become effective after you have clicked on Confirm.
Administrative Roles
cynapspro 2010 allows administrators to assign different admin rights to administrators by
using a role model.
For the administrative roles, you can define the respective global and scope-specific
operations administrators can execute.
The global roles specify whether the administrator can see or change the following
operations:
- Default Rights
- Content Header Filter
- Audit Log
- Create MSI Packets for the Client
- Manage Log Files
- Administrative Roles
- Administrators & Areas
- License Management
- Client Settings
- Change Requests
- ApplicationPro
- Synchronization
- Scheduler
All these functions are global and cannot be limited to individual users or groups.
In the scope-specific roles, you can assign the following administrator rights:
- Rights Management
- Revision
- Release of device types
- Administrative Release
- User-defined release
- Logging
- ApplicationPro (Rights Management & Learning Mode)
- Reports (Rights that have not been updated, Rights Management Analysis, Rights
Analysis, Rights Overview, Audit Logs)
You can assign these rights according to your requirements to OUs, groups or a specific user.
Administrators and Access Scope
Supervisors have all rights.
Administrators have specific roles and areas assigned.
Go to the Administrators tab and click on a user to see which administrative roles have
been allocated to him.
There are two tabs, called Global and Scope-specific.
- Under Scope-specific, you can assign to the administrator all administrative roles
with the scope ranging from the entire infrastructure down to the user level. Thus
department heads may manage the rights of their employees.
- Under Global, you can assign to the administrator the previously created global
roles.
In the administrators’ area, all OUs, groups and users are shown in three different colors:
- Red: The administrator does not have administrative roles in these OUs, groups and
users.
- Grey: Some elements of the Directory are managed by this administrator.
- Green: All Child OUs, groups and users are managed by this administrator.
DevicePro
Rights Management
Access Management
Access management is based on your directory service.
On the left side you see the OUs, groups and folders. Click on an OU, and you will see in the
upper right window the groups and users contained in it.
First select the respective users, computers or groups manually or use the search function in
the directory service structure. In the lower part of the right window you can now manage
their access. All device types and ports are displayed here. Right-click the desired device
type to select the access level.
The following access settings are available:
- No Access
- Read Access
- Full Access
- Scheduled Access
After making a selection, you assign the changes with Save. The amended access rights will
become effective immediately. Neither a reboot nor a new logon of the user is required.
If the computer with the client component is not online, the change will be assigned at the
next logon.
Permission changes can be reviewed on the Revision tab. It shows whether and which rights
were assigned, when, to whom, by whom and through which assignment process.
Pressing the Emergency button sets all user rights to "No access".
Time Segment Scheme – Scheduled Access Permissions
Assign access rights for days of the week and hours of the day.
One-Time Access Permission
You can assign temporary access rights using One-Off Access Permissions. When the
assigned time has elapsed, permissions will be reset to their previous state.
Generate Unblocking Code
This feature allows you to support a user who is offline. The unblocking code can be used to
assign access rights.
Access Permission for Entire Device Types
To generate an unblocking code for an entire device type, please go to the appropriate user,
right-click the desired device type. Select Generate Unblocking Code from the context.
Select the access scope and, where appropriate, the access period and then click on
generate.
The generated code can now be entered directly by the user using the tray icon of the client
component via the function enter activation code. This code is only valid for the user it has
been generated for and it can only be used once.
If the user needs access to a device that is currently not on the white list (released devices),
the white list can be bypassed by activating the checkbox "Ignore white list" when
generating the code.
Activate/Deactivate Users or Computers
Access permissions only apply to users / computers set to active. Once a user or computer
is set to inactive, neither the access management rights nor the device release apply. To
activate or deactivate a user or group, right-click to pull up the context menu.
Only after activation of a user or computer for the corresponding module (DevicePro,
ApplicationPro or CryptionPro), is a license consumed.
You can activate or deactivate all modules at a time, if you use Activate All or Deactivate
All.
User Information
The button User Info takes you to a complete overview of all rights and settings for the
selected user.
Go to rights management, select a user and click on the User Info or go directly to the
appropriate user and use a right mouse-click to select User Info. A window will open with
the appropriate privileges and settings of the user. You now have the option of printing these
rights or to save them as a csv file for analysis.
Import Permissions
If you are currently working on a computer that is not connected to the company network,
but you still want to change user permissions, you can export the user rights from the
Management Console and import them into the agent.
First, configure the permissions of the corresponding user. Then right-click the user in the
cynapspro Management Console, select Export rights and save the dpa file.
After you have made the dpa file available to the user, he can use a right mouse-click on the
cynapspro Tray icon and select the option Import rights. He can now select his dpa file.
After saving, the changed rights will be effective.
Combining Computers and Users
If you want a user to have different rights on one or more computers, you can make the
appropriate adjustments under rights management. Right-click the corresponding user; the
context menu shows the option Assign computer.
Now you can see the directory service structure of your computers.
Select the desired computer and move it to the right window. Confirm your selection with
OK.
Now you can see that there is a computer assigned to the user.
Under user management, you can see all users that have computers assigned.
Select one of these computers and assign the appropriate rights under access management.
You can assign several computers to a user with each computer having different access
permissions.
Computer Rights
You can also assign access rights to one or more computers, regardless of which users are
logged on.
Go to the directory service tree under rights management. Navigate to the tab Computers
and select the desired computer.
Use the right mouse button to activate the machine for DevicePro, ApplicationPro or logging.
Then you can assign the requested rights under access management.
cynapspro first checks the rights of the computer. If there are no restrictions, it checks
restrictions for the combination of computer and user. If there are no such restrictions, the
access rights of the user apply.
Precedence in case of Conflicting Rights
You may wonder which rights take precedence if you have assigned different rights for the
computer and the user.
DevicePro first checks the computer rights. If there are no rights restrictions, DevicePro next
checks the rights restrictions for the combination of computer and user. If there are no
restrictions there either, the user rights apply.
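The following added example (not the product's code) puts this evaluation order into a small resolver. Each level is a plain dict from device type to access level, a missing key meaning that no restriction is set at that level; this layout, the epoch-second timestamps and the fail-closed result for a device type no level mentions are assumptions of the example. It also models the one-time access permissions (which revert to the previous state once their time has elapsed) and the Emergency button described above.

```python
"""Which right applies when computer and user rights differ, following the
order the guide gives: computer rights, then the computer+user combination,
then the user's rights, with the default rights for new users as the last
fallback. Added illustration, not the product's code; the dict layout, the
fail-closed result and the epoch-second timestamps are assumptions.
"""
import time
from typing import Mapping, NamedTuple, Optional, Tuple, Union

NO_ACCESS, READ_ACCESS, FULL_ACCESS = "No Access", "Read Access", "Full Access"


class OneTime(NamedTuple):
    """A one-time access permission: `level` until `valid_until` (epoch
    seconds), after which the right reverts to `previous`."""
    level: str
    valid_until: float
    previous: str


Entry = Union[str, OneTime]
# device type -> entry; a missing key means "no restriction set at this level"
Rights = Mapping[str, Entry]


def _effective(entry: Entry, now: float) -> str:
    """Resolve a one-time permission against the clock; plain levels pass through."""
    if isinstance(entry, OneTime):
        return entry.level if now < entry.valid_until else entry.previous
    return entry


def resolve_access(device_type: str, computer: Rights, combination: Rights,
                   user: Rights, default: Rights, now: Optional[float] = None,
                   emergency: bool = False) -> Tuple[str, str]:
    """Return (access level, the level that decided).

    The first level with an entry for the device type decides and later levels
    are not consulted, so a permissive user right cannot undo a computer
    restriction. Emergency sets everything to No Access, as the guide states.
    """
    if emergency:
        return NO_ACCESS, "emergency"
    now = time.time() if now is None else now
    for source, rights in (("computer", computer), ("computer+user", combination),
                           ("user", user), ("default", default)):
        if device_type in rights:
            return _effective(rights[device_type], now), source
    return NO_ACCESS, "fail-closed"   # assumption: unlisted device types are blocked


if __name__ == "__main__":
    # Constructed sample: the computer blocks USB, the user would have Full Access.
    print(resolve_access("USB mass storage", {"USB mass storage": NO_ACCESS}, {},
                         {"USB mass storage": FULL_ACCESS}, {}))
```

The second element of the result is what the Revision tab and the rights reports need: not just the effective level, but which assignment produced it.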
Device White List
For the management of device white lists, DevicePro differentiates between device types.
The following options are available:
- White listed Device Types
o Only listed device types can be used. All other device types will be blocked.
- White list of individual Devices
o White listing individual devices allows access to devices with a specific serial
number, regardless of what rights have been assigned to the user.
- Media Release
o The media release allows access to specific CDs or DVDs.
White listing Device Types
This is the vendor-specific device model that you release for your network. All devices of
this model (e.g. Kingston Data Traveler Model X) of the respective device type (USB mass
storage) will be authorized.
This device white list complements the access management of the individual user.
Once a device model has been white listed for a device type, all other device models
of that device type will be blocked.
You can add any device that is currently connected or has been connected at some time to
the list of approved devices. Select the one or several clients to which the desired device(s)
has/have been connected.
The clients can be filtered by using the host name or the name of the user who is logged on
to the workstation.
If you have made your selection, press the Insert button at the top. A window with a
selection of the device appears. They can now be added to the white list.
By deactivating the checkbox Only show available devices, list will show all devices that
have ever been connected. Select any desired device and use Insert to add it to the device
white list.
Use the comment field to better organize the white listed devices and their origin.
White listing Individual Devices
External devices that show in the white list of individual devices always have the desired
access rights, regardless of the access permissions of the logged on user.
Go to the device white list and click on Individual Device. You can set access permissions
for individual devices for users and / or computers.
When you have selected the computer, click on Insert and a window Insert New Device
opens. You will now see all devices that are connected at the moment. If you want to add a
device that is not currently connected, but had previously been connected, just deactivate
the checkbox Only show available devices. Select one or more devices from the list.
In the window Insert New Device, there is a column labeled Unique. Activate the checkbox if
the device reports the same serial number on every port. It can then be connected to any
port and you always have full access to it. If the manufacturer has not assigned a unique
serial number to the device, connect the device to multiple ports so that the serial
number reported on each of them is registered and released.
By default, devices are registered in the white list with the Hardware ID and the
manufacturer's serial number. In a few cases, the manufacturer does not assign consistent
serial numbers to its devices; each time such a device is plugged in, Windows generates a
serial number. For these devices we recommend registering the device for the white list
using the Volume ID. Keep in mind that the Volume ID is written when the medium is
formatted and can be changed with ordinary tools, so a white list entry keyed on it
identifies the formatting rather than the hardware; use it only where no stable serial
number is available.
If you want to register a device model, you can do so using the Hardware ID or the name of
that device model.
You can define whether you want to register a device using the Hardware ID + serial
number, Hardware ID, Volume ID or the name.
Once the white list has been saved, all devices of the specified device model can
immediately be used by all users.
You have the following three options to register a specific device.
If you want to register this device for individual users, go to the access management for
users and click Insert. You can thus define that a user always has read or write access to
this specific USB stick, no matter where he logs on.
If you want to register this device for a computer, go to the access management for
computers and click Insert. Select the desired computer and confirm with OK. The access
level can then be changed under Rights. Each user on that computer then has read access or
full access to the specified device.
You can also register a device for a user-computer combination. Go to the registered device,
select the desired user and continue with Assign computer. Select the respective computer
and click OK. The access level can then be changed under Rights.
Media Release
With the media release, you register a certain CD / DVD for the company, an OU or a
single employee. The media is identified by a hash value that is calculated in the
background.
The media release can be found in the menu under white list > media. Select from the List
of cynapspro agents a computer that is running the CD / DVD. Click on Insert and select
the disk that you want to share. If you want to share a disk that is currently not connected,
just deactivate Only show available devices. Click on Insert to confirm your selection.
Click on Save to register the CD / DVD for all users. If you want to register the media for
specific OUs or users only, or only in combination with specific computers, go to the access
management > Insert and select the desired OUs or users. To assign a user-computer
combination, you select the user, click on Assign computer and confirm your selection with
OK.
Challenge Response to Obtain Access to Individual Devices
The Challenge Response method allows you to grant a user who is offline access to individual
devices. This is done in cooperation with the user. The user opens his cynapspro agent.
Under Actual Devices, the user sees a list of all devices currently connected to his
computer. He now uses a right mouse-click on the desired device and selects Generate
request code.
The administrator now enters the request code in the Management Console. He goes to the
user and selects Device Release / Challenge Response Release. Information about the
requested device will be displayed. Select the access scope and a time period (optional) and
click on Generate.
The generated code can now be entered directly by the user in the tray icon of his client
component using the function Enter activation code. This code applies only to that
individual user and can only be used once.
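The guide states what an unblocking or activation code must achieve, both for a whole device type (Generate Unblocking Code above) and for a single device (this Challenge Response section): it works for a user who is offline, is valid only for the user (and, with challenge response, the device) it was generated for, can be used once and may carry a time limit. The product's actual code format is not disclosed, so the following added example shows one way to obtain those properties and is not the vendor's algorithm: a truncated HMAC over the user, the request code or device type, the scope and the period, keyed with a per-user secret that is assumed to be provisioned with the client. With challenge response, the request code carries a random nonce, so a response fits exactly one request; for a whole device type, a server-side counter the agent has not yet seen makes the code single-use. The scope and device-type digits, the 8-digit MAC length, the hypothetical device identifier strings and the meaning of a period of 0 hours (no limit) are assumptions of the example.

```python
"""Offline request and activation codes with the properties the guide
describes: tied to one user (and, for challenge-response, one device),
usable once, optionally time-limited. Illustrative construction only; the
guide does not disclose the product's algorithm. Assumes agent and server
share a per-user key provisioned with the client (assumption).
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumptions: one digit selects the access scope, one the device type.
SCOPES = {"1": "Read Access", "2": "Full Access"}
DEVICE_TYPES = ("USB mass storage", "CD/DVD", "Printer")


def _mac(key: bytes, *parts: str, digits: int = 8) -> str:
    """Truncated HMAC-SHA256 over the fields, rendered as digits so the user
    can type it; 8 digits give an attacker about 1e-8 per guess at the agent."""
    digest = hmac.new(key, "\x1f".join(parts).encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10 ** digits:0{digits}d}"


class Server:
    """Management Console side."""

    def __init__(self, keys: Dict[str, bytes]):
        self.keys = keys
        self.counters: Dict[str, int] = {}   # per-user counter for device-type codes

    def challenge_response(self, user: str, request_code: str, scope: str, hours: int) -> str:
        """Release for one device: the response binds the agent's request code
        (and with it the nonce and the device) to the chosen scope and period."""
        mac = _mac(self.keys[user], "cr", user, request_code, scope, str(hours))
        return f"{scope}{hours:03d}{mac}"                    # 12 digits

    def unblocking_code(self, user: str, device_type: str, scope: str, hours: int) -> str:
        """Release for a whole device type, no request needed: a counter the
        agent has not seen before makes the code single-use."""
        n = self.counters.get(user, 0) + 1
        self.counters[user] = n
        t = DEVICE_TYPES.index(device_type)
        mac = _mac(self.keys[user], "ub", user, device_type, scope, str(hours), str(n))
        return f"{t}{scope}{hours:03d}{n:04d}{mac}"           # 17 digits


class Agent:
    """Client side; works without a connection to the server."""

    def __init__(self, user: str, key: bytes):
        self.user, self.key = user, key
        self.pending: Dict[str, str] = {}    # open request codes -> device id
        self.seen: set = set()               # counters already redeemed

    def generate_request_code(self, device_id: str) -> str:
        """Fresh random nonce plus a short fingerprint of the device, so the
        console can tell which device is meant and a response cannot be reused."""
        nonce = base64.b32encode(os.urandom(5)).decode()
        code = f"{nonce}-{hashlib.sha256(device_id.encode()).hexdigest()[:4]}"
        self.pending[code] = device_id
        return code

    def enter_activation_code(self, code: str) -> Dict[str, object]:
        """Validate a typed-in code and return the grant; raise ValueError
        otherwise. hours == 0 means no time limit (assumption)."""
        if len(code) == 12:                                  # challenge-response layout
            scope, hours, mac = code[0], int(code[1:4]), code[4:]
            for req, device in list(self.pending.items()):
                expected = _mac(self.key, "cr", self.user, req, scope, str(hours))
                if hmac.compare_digest(mac, expected):
                    del self.pending[req]                    # one request, one redemption
                    return {"target": device, "access": SCOPES[scope], "hours": hours}
            raise ValueError("code matches no open request of this user")
        if len(code) == 17:                                  # device-type layout
            if not code[0].isdigit() or int(code[0]) >= len(DEVICE_TYPES):
                raise ValueError("unknown device type")
            dtype = DEVICE_TYPES[int(code[0])]
            scope, hours, n, mac = code[1], int(code[2:5]), int(code[5:9]), code[9:]
            expected = _mac(self.key, "ub", self.user, dtype, scope, str(hours), str(n))
            if not hmac.compare_digest(mac, expected):
                raise ValueError("code was not generated for this user")
            if n in self.seen:
                raise ValueError("code already used")
            self.seen.add(n)
            return {"target": dtype, "access": SCOPES[scope], "hours": hours}
        raise ValueError("unknown code format")


def redeem_or_none(agent: Agent, code: str) -> Optional[Dict[str, object]]:
    """Convenience wrapper: the grant, or None when the agent rejects the code."""
    try:
        return agent.enter_activation_code(code)
    except ValueError:
        return None
```

Two points carry over to any real implementation: the agent checks the MAC before it records the counter, so a guessed code cannot burn a legitimate one, and the per-user key must never leave the agent and the server, since anyone holding it can mint codes for that user.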
Content Header Filter
Content header filters prevent the reading, writing or copying of certain files or file types
on external devices. Files with the specified name, extension or size are blocked when the
filter is used as a blacklist. Alternatively, you can manage the Content Header Filter list as
a white list; in this case only the files and file types you have specified can be accessed.
You can use a Content Header Filter globally for the whole company or for specific users
only. For a global deployment, activate the checkbox in the column Global. To use the filter
for individual users or groups, select the object under rights management and insert the
filter on the Content Filter tab.
For example, you can create a filter that blocks all mp3 files of more than 100 bytes and the
file Joke.exe. You only need to perform the following steps:
- Insert a new filter in the filter definition window. Double-click on the filter to
rename it. If the filter shall apply to all users, click on Global.
- Click on Insert under rule definition to create a new rule.
- Under Name, enter * (anything); under Extension, enter mp3; under Size Min
(smallest size), enter 100 bytes. All mp3 files with more than 100 bytes are now
blocked on external devices.
- To block Joke.exe, enter joke under Name and exe under Extension.
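The following added example (not the product's code) implements the rule matching the steps above describe: a rule matches on name pattern, extension and minimum size, and a filter either blocks what matches (blacklist) or allows only what matches (white list). It contains the two rules of the example above. Matching is assumed to be case-insensitive, as on Windows file systems, and the minimum size is treated as inclusive. The optional magic field, which checks a file's leading bytes, is the example's own addition and not a documented feature of the product: it shows that a rule keyed on name and extension is satisfied by simply renaming a file, while a rule keyed on the file header is not.

```python
"""Content Header Filter rule matching as the guide describes it: a rule names
a file-name pattern, an extension and a minimum size; a filter is a blacklist
(matching files are blocked) or a white list (only matching files pass).

Added illustration, not the product's code. Assumptions: case-insensitive
matching, inclusive minimum size; the `magic` field (leading bytes of the
file) is this example's addition, not a documented product feature.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    name: str = "*"                 # glob on the name without extension; "*" = anything
    extension: str = "*"            # glob on the extension without the dot
    size_min: int = 0               # bytes; "Size Min" in the console
    magic: Optional[bytes] = None   # example's addition: required leading bytes

    def matches(self, filename: str, size: int, head: bytes = b"") -> bool:
        stem, dot, ext = filename.lower().rpartition(".")
        if not dot:                 # no dot at all: whole name, empty extension
            stem, ext = filename.lower(), ""
        return (fnmatchcase(stem, self.name.lower())
                and fnmatchcase(ext, self.extension.lower())
                and size >= self.size_min
                and (self.magic is None or head.startswith(self.magic)))


@dataclass
class ContentFilter:
    name: str
    rules: Sequence[Rule]
    mode: str = "blacklist"         # or "whitelist"

    def decide(self, filename: str, size: int, head: bytes = b"") -> Tuple[bool, Optional[Rule]]:
        """Return (allowed, rule that matched). Blacklist: allowed unless a
        rule matches. White list: allowed only if a rule matches."""
        hit = next((r for r in self.rules if r.matches(filename, size, head)), None)
        if self.mode == "blacklist":
            return hit is None, hit
        if self.mode == "whitelist":
            return hit is not None, hit
        raise ValueError(f"unknown mode {self.mode!r}")


# The filter from the guide: every mp3 of at least 100 bytes, and Joke.exe.
GUIDE_FILTER = ContentFilter("guide example", [
    Rule(name="*", extension="mp3", size_min=100),
    Rule(name="joke", extension="exe"),
])

# Example's addition: recognise an mp3 by its ID3 header regardless of its
# name, which a name/extension rule alone cannot do.
HEADER_FILTER = ContentFilter("mp3 by header", [Rule(magic=b"ID3", size_min=100)])


if __name__ == "__main__":
    # Constructed sample: the same renamed mp3 against both filters.
    print(GUIDE_FILTER.decide("song.txt", 5000, b"ID3\x03\x00"))
    print(HEADER_FILTER.decide("song.txt", 5000, b"ID3\x03\x00"))
```

The decide() result names the rule that fired, which is what the Blocked Access report needs in order to tell the user why a file was refused.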
Reporting & Analysis
You have several reporting options to obtain an overview over user access rights.
The scope of all reports can be adjusted to show either the complete directory structure or
only a specific part of it.
If you are looking for information from a specific OU or group only, you select it from the
tree before calling up the report.
Activate Display immediately if you want all query results to be displayed automatically.
You won’t need to click on Display every time.
Access Rights Changes Not Yet Transmitted
Sometimes it happens that a user has not registered on the network for some time. In case
his permissions have been changed during that time, the changes will not have been
transmitted. The report shows all users for whom this is the case.
Active/Inactive Users
You can check here which users have already been activated and which users are not yet
protected by cynapspro.
Analysis of Rights Changes
Here you can check which administrator has assigned which rights, when and to whom.
Access Rights Analysis
If you want to verify which user has certain rights to a device type, just click on the device
type in the rights analysis with a right mouse-click and select the access type.
Click on Display. You can now see all users who have the selected access type for these
devices. You may also combine several device types in this report.
Access Rights Overview - Details
This overview report shows which access permissions have been assigned to which users.
Click on the desired device type and click on Display. You will see an overview over all users
and their access permissions for this device type.
Access Rights Overview - Summary
The Rights Overview - Summary shows the distribution of access permissions in
percentages. Select the Device, the desired View and click on Display. You now have an
overview on how often the various levels of access have been assigned in your network for
the device type you have selected.
You can choose between the following views:
- Table
- Pie Chart
- Bar Chart
Deviations from Default Rights
This report shows users with access rights that deviate from a new user. This report thus
shows which users have been customized.
One-Time or Temporary Permissions
This report shows which users currently have temporarily amended rights.
Audit Log
The audit log records when and where users have read, copied, written or deleted files.
Blocked Access
Under blocked access, you have an overview over all blocked access attempts, i.e. you can
track which users could not access a device when and why.
Access Statistics
The access statistics show at what time users accessed an external storage device.
cynapspro Agent
The cynapspro tray icon allows you to call up various functions with a double-click.
User Rights/ Currently Connected Devices
The client component enables the user to check his various access rights. Furthermore, the
user sees all currently connected devices and the related rights under Actual Devices.
Request Access Rights
The user can request additional access rights using the function Access query in the
cynapspro agent menu.
The user can select the desired device type from a drop-down list and send an access
request. The user can request several types of access at the same time. He selects the
device type and clicks on Insert to add the device to his List of access rights to request.
The user can then add an explanation or comment before sending this list off to the
administrator using the Send button.
The administrator will immediately get a message about this change request in the
Management Console under Administration or by email.
Challenge Response for the Release of Individual Devices
The Challenge Response method allows you to grant a user who is offline access to individual
devices. This is done in cooperation with the user. The user opens his cynapspro agent.
Under Actual Devices, the user sees a list of all devices currently connected to his
computer. He now uses a right mouse-click on the desired device and selects Generate
request code.
The administrator now enters the request code in the Management Console. He goes to the
user and selects Device Release / Challenge Response Release. Information about the
requested device will be displayed. Select the access scope and a time period (optional) and
click on Generate.
The generated code can now be entered directly by the user in the tray icon of his client
component using the function Enter activation code. This code applies only to that
individual user and can only be used once.
Enter Unblocking Code
If an employee is not working within the company network but needs his rights changed,
this is possible using an activation code.
Under rights management, you can generate an unblocking code for users or groups to
unlock devices. The employee then enters this code in his cynapspro agent and immediately
has the appropriate permissions assigned.
Login As
If you want to do some work on a computer where another user is already logged on, e.g. to
perform some administrative functions, you can login using the cynapspro agent and you will
immediately have your usual access rights. There is no need for the other Windows user to
log off.
To use the Login As function, double-click on the cynapspro tray icon. Go to Change
rights, select Login as… and a login window appears.
Enter the appropriate username and password.
The rights of that user now apply on this machine. They remain in force for whoever is
working at the machine until you log out again, so do not leave the machine without
doing so.
To hand back to the currently logged on Windows user so that his access rights apply again,
use the context menu of the cynapspro tray icon to log out.
Import Access Rights
If you are currently working on a computer that is not connected to the company network
but still want to change the user rights, you can export the user rights from the
Management Console and import them using the cynapspro agent.
In a first step, you configure the permissions of the corresponding user. Then click on the
user in the cynapspro Management Console using a right mouse-click. Select Export rights
and save the dpa-file.
To import the dpa-file, double-click on the cynapspro tray icon. Go to the menu item
Change rights and select Import rights... Select the dpa-file of the user. After saving, the
changed rights are immediately valid.
Solution Scenarios
No Connection to the Server
The installation was completed without problems. However, the Management
Console cannot "Connect" to the server.
Make sure all settings are stored properly by checking them in the cynapspro
Admin Tool. If all settings are correct, please check the firewall settings and
change the authentication method.
Instructions
The cynapspro Admin Tool can be found in the start menu at
Start > Program Files > CynapsPro GmbH > DevicePro 2010.
Test all database settings, as well as the directory service settings by using the button Check
Validate. If necessary, adjust the settings that were made.
If it is still not possible to "Connect" to the server, please check whether the specified ports
are opened in your firewall.
If the connection still fails, change the authentication method and / or check whether the
specified user has the required rights.
Getting Started after the Installation
You have completed the installation successfully and want to use cynapspro to
manage your endpoints. The first users or groups from your Active Directory / NDS
shall now be provided with certain access privileges.
In a first step you configure the default permissions, and then you start the
synchronization of AD / NDS. Next you activate the first users or groups. Then you
create the MSI client package and install it on the workstations.
Instructions
Open the Management Console and go to rights management. In the specific user group,
you will see the menu item default rights (new users).
Open this window to define the default permissions for new users. Use a right mouse-click on
a device type and define the access level. Then click on Confirm.
When you have configured all device types, you can start the synchronization from AD /
NDS. Go to the menu item AD synchronization. Click on the Start button to automatically
start the synchronization. All users and groups are copied from the existing AD / NDS into
the cynapspro database.
If you want to synchronize the directory on a scheduled basis, you need to create a
synchronization job in the Scheduler. If you want to immediately activate newly created
users, you need to enable Automatically activate new users in the active groups.
If you have not enabled Automatically activate new users in the active groups before
the first synchronization, the default permissions will not apply for any of the users. Navigate
to rights management and activate the desired users and groups with a right mouse-click
for access permissions to become effective.
After activating users and groups, you should install the cynapspro agent on the
workstations. Go to administration. Under client management you will see the menu item
Generate MSI package for the client. Select the path where you want to save the
package and click Generate.
If you don’t want users to be able to see their access rights, to request access rights or to
enter an unblocking code when offline, you should activate Hide tray icon. If you want to
prevent users from stopping the cynapspro service, you should activate the
corresponding checkbox.
After generating the package you now run the MSI file on the workstations.
You will find three Bat-files at the location you have specified. You install the software agent
by running DBAgentSetup.msi or by starting the install.bat file. If you prefer to install the
agent using the command line, type in the following command:
msiexec /i C:\Devicepro\MSI\DBAgentSetup.msi
View Already Installed Computers
You would like to know which machines have already been equipped with the
cynapspro agent.
Go to Update of the Agents to view all clients that have already been installed or
filter for clients without an agent.
Instructions
Go to Administration / Update of the Agents and use the selection next to View. Select
only computers without an agent to view all computers not yet equipped with a cynapspro
agent. If you want to see any previously installed agents, select All Agents and click on
Inactive in order to see computers that are turned off.
Restrict Access to Company-Owned Devices
You have successfully assigned all rights and have complete control over who can
use which external devices. You now want to make sure that only company-owned
and approved devices are used. Employees should certainly be able to work with
company USB sticks, but they should not be allowed to bring their private devices.
The same goes for digital cameras.
Usually there is only a limited number of device models in circulation in a company.
You can now create a white list of manufacturers and models, which may be used in
the company. All other device models will be blocked, even if the employee has the
rights to use this device type.
Instructions
Go to the Management Console and select the menu item Device White List. You can select
from 3 types of device releases.
- White list of Device Models
- Unique Devices
- Media
Select the item White list of Device Models.
In the right hand window, you see all white listed device types. The name is taken from
Windows and corresponds to the name in the Device Manager.
If you want to add more device models, you do not need to do this manually. It is sufficient
for a device of the desired model to be connected to a computer in the network. Select this
computer.
If there are many computers online, use the filter to limit the selection.
Once the computer has been selected, click on Insert. The computer will be scanned and all
connected devices will be grouped by device type. Select all the device types that you want
to white list and confirm with OK. The selected device types are added to the list and once
you have saved the changes, they can be used by all users.
Changes are immediately distributed to all computers that are online using a push method.
All other computers will receive the latest white list next time they are started.
When selecting a computer in order to insert its devices, you can choose between devices
that are currently connected or any devices that have ever been connected to this computer.
You can also select multiple or all computers that are online. You will then see all the devices
used in the company. This saves time and you even get a mini-inventory.
Assign Specific Devices to Selected Users
In case allowing in-house devices is not considered safe enough, you may
want to specify exactly which person can use which devices.
You can control not only device models but also the rights for individual devices. These can
be distinguished by serial numbers, if the manufacturer has assigned a unique
serial number. Then you can allow user X to use a specific camera or USB stick; all
other devices will be blocked, even if they are of the same model and from the same
manufacturer.
Instructions
Go to the Management Console and select the menu item Device White List. Select
Unique Devices. Select the desired workstation from the list of cynapspro agents.
In a larger infrastructure, you can use the filter to search for the desired computer.
Once the computer has been selected, click on Insert and select the devices you want to
have white listed. Next you specify the users and groups, which should have access to the
white listed devices only.
Blocking File Types
Your staff should not be allowed to open just any files. You can block all files of a
specific type or only allow files up to a limited size.
The Content Header Filter allows you to determine exactly which file types and
sizes users should be allowed to access. This is where you define rules that can be
assigned to users.
Instructions
Go to the Management Console > Administration and select the menu item Advanced
Settings. This is where you define rules for the Content Header Filter.
To create a new filter, click on the button Insert next to filter definition. A filter called New
Filter is created.
To add new file types to the New Filter, go to rule definition and click on Insert. Give the
new rule a name and type in the extension column the file extension (e.g. *.exe). The
columns Size min and Size max can be used to specify the minimum and maximum size of
the blocked file type.
Click in the filter definition on Global, if you want this rule to be effective for all users. If you
want to assign this rule to certain users or groups only, then go to rights management and
select the respective users or groups. Under the tab Content Header Filter you can then
assign the rule by clicking on Insert.
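To make the rule logic concrete, here is an added example (illustrative Python, not cynapspro code) that models filter definitions, rule rows with an extension pattern and size bounds, and the difference between a global filter and one assigned to users or groups; all filter, user and group names are constructed.

```python
import fnmatch
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One row of the rule definition: name, extension pattern, size bounds in bytes."""
    name: str
    extension: str       # as typed in the extension column, e.g. "*.exe"
    size_min: int = 0    # 0 = no lower bound
    size_max: int = 0    # 0 = no upper bound

    def matches(self, filename: str, size: int) -> bool:
        # Matching on the name alone is only as strong as the name; an additional
        # content (magic-byte) check would be the stronger control.
        if not fnmatch.fnmatch(filename.lower(), self.extension.lower()):
            return False
        if size < self.size_min:
            return False
        if self.size_max and size > self.size_max:
            return False
        return True


@dataclass
class Filter:
    """A filter definition: a set of rules, effective globally or for assigned principals."""
    name: str
    rules: list = field(default_factory=list)
    is_global: bool = False
    assigned_to: set = field(default_factory=set)   # user or group names


def blocking_rule(filters: list, user: str, groups: set, filename: str, size: int):
    """Return (filter name, rule name) of the first rule that blocks this access, or None.

    A filter applies to a user when it is global or assigned to the user or to one of
    the user's groups; within an applicable filter the first matching rule wins."""
    principals = {user} | set(groups)
    for flt in filters:
        if not (flt.is_global or (flt.assigned_to & principals)):
            continue
        for rule in flt.rules:
            if rule.matches(filename, size):
                return (flt.name, rule.name)
    return None


MB = 1024 * 1024

# Constructed sample: one global filter and one assigned to a department group.
SAMPLE_FILTERS = [
    Filter("No executables", [Rule("exe", "*.exe"), Rule("scripts", "*.vbs")], is_global=True),
    Filter("Finance large media", [Rule("big video", "*.avi", size_min=100 * MB)],
           assigned_to={"grp-finance"}),
]


def demo() -> dict:
    """Evaluate a few constructed accesses against the sample filters."""
    f = SAMPLE_FILTERS
    return {
        "alice_exe": blocking_rule(f, "alice", {"grp-finance"}, "setup.exe", 2 * MB),
        "alice_big_avi": blocking_rule(f, "alice", {"grp-finance"}, "training.AVI", 700 * MB),
        "alice_small_avi": blocking_rule(f, "alice", {"grp-finance"}, "clip.avi", 5 * MB),
        "bob_big_avi": blocking_rule(f, "bob", {"grp-dev"}, "training.avi", 700 * MB),
        "bob_doc": blocking_rule(f, "bob", {"grp-dev"}, "report.docx", 1 * MB),
    }
```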
Change Access Permissions Offline
If an employee is working outside the company network and needs his access
rights changed, then this is possible via an activation code.
Go to rights management and create a code to unblock devices for the user or
group. The user will then enter the code in his cynapspro agent to have the new
access rights assigned. Changes will be effective immediately.
Instructions
Go to rights management in the Management Console. Go to the group or user and make a
right mouse-click on the desired device type. In the context menu select Generate
unlocking code. Define the access level and its validity (temporary or permanent). Then
click on the button Generate.
If a white list has been generated for this device model and if the desired device is not on
the white list, you need to check Ignore white list.
Transmit the generated code to the user. He can then enter the code using the cynapspro
agent. To do so, he makes a right mouse-click on the cynapspro tray icon, goes to the menu
item Change rights and selects Enter unblocking code. Once the code has been
successfully entered, the new rights will be effective immediately.
File Access Log
Suppose a virus has infiltrated your corporate network or confidential data was
passed on to third parties. You want to understand now or prove who is
responsible.
The log file includes records of who accessed which file at what time. You can filter
the data by defining a time period or file name.
Instructions
Go to the Management Console and select Audit from the Summary menu. Select the
desired group or user or the whole tree. Then define the filter rules.
You now have access to all logged activities in your company network. If you have the
shadow box activated, you need to enter the required passwords before you can check up on
user activities.
Administrator with different Access Levels
You have multiple locations or departments and you do not want all administrators
to have access to all levels or settings.
There are two types of administrators for cynapspro solutions.
o Supervisors (All administrative rights)
o Administrators (Allocated administrative rights)
Create administrative roles and assign them to the administrators for certain
areas (OUs, groups, users).
Instructions
Go to the Management Console > Administration and you will see two menu items:
Administrative Roles and Administrators & Scopes.
First, you define the administrative roles. Click on Global, if you want to create roles for
management of the cynapspro server.
If you want to create roles for managing users and groups, click on Scope-specific. Add a
role and determine what information an administrator with this role may see and what kind
of changes he may make.
Then go to the menu item Administrators & Scopes. Click on the administrators tab and
assign the role to one of the administrators listed.
Under Scope-specific you can even select groups or individual users, for which the
administrator should be responsible.
In the administrators’ area, all OUs, groups and users are shown in three different colors:
- Red: The administrator does not have administrative roles in these OUs, groups and
users.
- Grey: Some elements of the Directory are managed by this administrator.
- Green: All Child OUs, groups and users are managed by this administrator.
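The three colours can be derived from the scope assignments. The following added Python model (not cynapspro code) assumes that a scope assigned to an OU or group covers everything below it, and evaluates a small constructed directory tree.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    """An OU, group or user in the synchronized directory (constructed sample)."""
    name: str
    children: list = field(default_factory=list)


def color_scopes(node: Node, scopes: set, inherited: bool = False) -> dict:
    """Return {name: (color, managed, total)} for every node in the subtree.

    Assumption: a scope assigned to a node (its name is in `scopes`) covers the node
    and everything below it. Green = every element of the subtree is managed,
    red = none of them is, grey = only some of them are."""
    managed_here = inherited or node.name in scopes
    result = {}
    managed, total = (1 if managed_here else 0), 1
    for child in node.children:
        sub = color_scopes(child, scopes, managed_here)
        result.update(sub)
        _, m, t = sub[child.name]
        managed += m
        total += t
    if managed == total:
        color = "green"
    elif managed == 0:
        color = "red"
    else:
        color = "grey"
    result[node.name] = (color, managed, total)
    return result


def build_sample_tree() -> Node:
    """Constructed directory: a company root with two OUs, each with a group and users."""
    sales = Node("OU=Sales", [Node("grp-sales"), Node("alice"), Node("bob")])
    dev = Node("OU=Dev", [Node("grp-dev"), Node("carol"), Node("dave")])
    return Node("OU=Company", [sales, dev])


def demo() -> dict:
    """Administrator scope: all of Sales, plus one single developer."""
    colors = color_scopes(build_sample_tree(), scopes={"OU=Sales", "carol"})
    return {name: color for name, (color, _, _) in colors.items()}
```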
ApplicationPro
Introduction
ApplicationPro protects your clients with an application access control that uses the black list
or white list method. You determine which user gets access to selected applications - all
other programs are blocked.
ApplicationPro automatically assigns a hash value to a program. Thus, a user can log on to
all computers of the company and always get the same program permissions. Thanks to this
technology, users cannot gain unauthorized access to programs by renaming files.
This will ensure, for example, that no unauthorized software (e.g. viruses, Trojans, games,
joke programs ...) can be installed or run on company computers.
The management of ApplicationPro is greatly facilitated by the learning mode. This function
records all programs an employee or group uses during their daily routine. Those applications
can then be reviewed and white listed.
Rights Management
Before you start with the user management of ApplicationPro, you should activate this
product. Just use a right mouse-click on the user, then click Activate / Deactivate and
select ApplicationPro.
If a user is deactivated, he will be allowed to use all programs. Once a user is activated, he
will have programs assigned and all other applications will be blocked.
After installation or upgrade of the client component, it is recommended to restart the
computer. If you haven’t assigned a program package to the user, he will be able to access all
programs.
Go to access management and look for the tab ApplicationPro. This tab contains the
following options:
Save
Confirm the settings you have just made. The rights changes will be immediately pushed to
the agent.
Insert Role
Assign a previously created role definition to a user. Roles may contain several program
packages and are used for simplification and clarity.
Insert Package
Assign a previously created package to a user. Packages consist of one or more selected
applications.
Delete
Remove roles and packages from a user or group.
Role Definition
Link that takes you to the role administration.
Start Learning Mode
Recording of programs accessed by a user or group of users.
User Programs
Result list of the learning mode. Recorded applications can easily be assigned to packages.
Learning Mode
The learning mode is a so-called "non-blocking mode." This means that all programs can be
started during the time period in which the learning mode is activated.
The learning mode records all programs that are accessed by the user and applies not only
to user-facing applications, but also to programs running in the background. A hash
value is created, which can be used to add certain applications to a custom package.
These packages can then be assigned to one or more users.
Managing ApplicationPro with the Learning Mode
To start recording the programs accessed by a user, mark the user in the top part of the
right window and click on Start learning mode in the window below.
Select the time period for the learning mode. The learning mode can be started and ended
manually or you can use a scheduler.
After completion of the learning mode, you will see under user programs all applications
that have been executed by the user, whether consciously in the foreground or hidden in the
background. You will see in the results which path had been used to run an application.
Select one or more programs you want to assign to a package and click on save.
If you already have created packages, you can add the selected programs to them. You can
also create a new package for these applications. Confirm the settings with OK. You can now
create additional packages or close the results window.
In order to assign the software package to a user, click on Insert package. Select the
appropriate package and click OK. Save your changes and the cynapspro agent will
immediately be notified and put them into effect.
From now on, all unauthorized applications will be blocked. If an application has been
overlooked during the recording process, you can start the learning mode again to release all
programs for its duration. Add the newly recorded program to an existing package or to a
new one and assign it to the user.
Management of Programs
In the navigation pane of the Management Console, you will find the ApplicationPro program
management. Here you can create and edit software packages.
To create a package, go to New Package. You can add programs from your computer to the
package definition. When you add an application, its hash value will immediately be
detected. This hash value is identical for this program on every workstation.
Individual packages can be grouped in folders. They can be assigned to a folder or only
linked to it using the button New Link. Thus a program may be part of several packages,
even though it is stored only once.
Management of Roles
Under ApplicationPro you will see the menu item Role Management. Here you can combine
software packages and package folders into roles.
Using roles helps maintain clarity and facilitates an efficient management of ApplicationPro.
To create a new role, click New Role. Name the role and assign the appropriate programs
and roles using the buttons Add Program / Insert role.
Note: If you insert a role, the parent role will include all the programs of the child role.
ApplicationPro Settings
In the ApplicationPro settings, you can decide whether you want to use the white list or the
blacklist method. The white list method ensures that users can only access those programs
that have been explicitly assigned to them. The blacklist method only blocks those programs
that have been assigned to the user. All other programs are allowed.
Trusted Objects
Here you can define various directories as trusted objects. Users are allowed to run all
applications they contain, regardless of any blocking rules defined under application control.
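An added model of the hash-based control described in this chapter (illustrative Python, not ApplicationPro's code): packages hold program hashes, roles nest packages and other roles, the learning mode fills a package, and a user is evaluated in white-list or black-list mode with trusted directories checked first. The stand-in executables, package, role and directory names are constructed.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


def file_hash(path: str) -> str:
    """SHA-256 of the file contents: identical on every workstation and unchanged by
    renaming, which is why a hash rather than a file name identifies a program."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


@dataclass
class Package:
    name: str
    hashes: set = field(default_factory=set)   # one or more selected applications


@dataclass
class Role:
    name: str
    packages: list = field(default_factory=list)
    roles: list = field(default_factory=list)  # child roles


def hashes_of(packages: list, roles: list) -> set:
    """Union of all package hashes; a parent role includes its child roles' programs."""
    result = set()
    for pkg in packages:
        result |= pkg.hashes
    for role in roles:
        result |= hashes_of(role.packages, role.roles)
    return result


@dataclass
class UserPolicy:
    mode: str                                   # "whitelist" or "blacklist"
    roles: list = field(default_factory=list)
    packages: list = field(default_factory=list)
    trusted_dirs: list = field(default_factory=list)


def learn(started_programs: list, package_name: str) -> Package:
    """Learning mode: every program start seen during the recording goes into a package."""
    return Package(package_name, {file_hash(p) for p in started_programs})


def may_run(policy: UserPolicy, path: str) -> bool:
    """Trusted directories win; otherwise the hash is checked against the user's
    packages and roles in white-list (must be assigned) or black-list (must not) mode."""
    real = os.path.realpath(path)
    if any(real.startswith(os.path.realpath(d) + os.sep) for d in policy.trusted_dirs):
        return True
    assigned = hashes_of(policy.packages, policy.roles)
    if policy.mode == "whitelist":
        return file_hash(path) in assigned
    return file_hash(path) not in assigned


def demo() -> dict:
    """Constructed sample: small stand-in files for executables in a temp directory."""
    base = tempfile.mkdtemp()
    apps, trusted = os.path.join(base, "apps"), os.path.join(base, "trusted")
    os.makedirs(apps)
    os.makedirs(trusted)

    def make(directory, name, content):
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(content)
        return path

    editor = make(apps, "editor.exe", b"EDITOR-BINARY-v1")
    game = make(apps, "game.exe", b"GAME-BINARY-v1")
    renamed_game = make(apps, "editor2.exe", b"GAME-BINARY-v1")   # same bytes, new name
    tool = make(trusted, "tool.exe", b"TOOL-BINARY-v1")

    office = learn([editor], "Office")              # learning mode saw only the editor
    company = Role("Company", roles=[Role("Sales", packages=[office])])
    wl_user = UserPolicy("whitelist", roles=[company], trusted_dirs=[trusted])
    bl_user = UserPolicy("blacklist", packages=[learn([game], "Blocked games")])
    return {
        "wl_editor": may_run(wl_user, editor),              # True: via Company, then Sales
        "wl_game": may_run(wl_user, game),                  # False: never assigned
        "wl_renamed_game": may_run(wl_user, renamed_game),  # False: same hash as game
        "wl_trusted_tool": may_run(wl_user, tool),          # True: trusted object
        "bl_game": may_run(bl_user, game),                  # False: black-listed hash
        "bl_renamed_game": may_run(bl_user, renamed_game),  # False: renaming doesn't help
        "bl_editor": may_run(bl_user, editor),              # True: everything else allowed
    }
```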
Solution Scenarios for ApplicationPro
Quick White Listing of Applications
You have assigned selected applications to a user. The user gets back to you and
asks to be granted access to another program as soon as possible.
Start the learning mode. While it is running, all applications are released. You can then
stop the learning mode and add the appropriate program to the user’s package.
Instructions
You will find the learning mode under Rights Management. Go to the user and select the
tab ApplicationPro. You will see the button Start Learning Mode. Define the duration of
the learning mode. During this time the user has access to all applications.
After the user has run his programs, stop the learning mode by clicking on the button Stop
Learning Mode.
Note: Only program starts are recorded by the learning mode. If applications are already
running when the learning mode is started, they will not be recorded.
If you want to allow the user to continue using the program, click on the button user
programs. Select the appropriate program and add it to one of the packages assigned to
the user.
White Listing Many Programs for Many Users
You have already created several software packages and want every user of a
division to be able to access these same applications. Of course you want to do this
with as little effort as possible.
Specify roles that include multiple packages or other roles. These roles can be
assigned to the users.
Instructions
Go to the Management Console and select ApplicationPro from the left hand navigation.
There you select the roles. Create a new role with the button New role. This role can for
example be named after a department. Then you can use Insert package to assign
software packages to this role. If you have already defined subordinate roles, you can add
them to the new role using Insert role. Assign the newly created role to the users under
rights management, where you select the tab ApplicationPro.
CryptionPro
Overview
CryptionPro ensures that...
- unauthorized persons cannot read your data.
- the loss of an external storage device is not a security risk.
- data stored on external devices is automatically encrypted in the background.
- you can access your encrypted data anytime and everywhere.
CryptionPro encrypts your data in the background. For all read and write operations on and
to external storage media, files are automatically encrypted or decrypted without requiring
any user activity.
Users continue to work as before and all data remains readable throughout the company, no
matter which user logs on to which computer. If someone tries to read the data from the
external storage when it is connected to a computer without the CryptionPro client or to a
computer outside of the company network, the files will not be readable, and thus the
damage caused by the loss of an external storage device is limited to the hardware costs.
Optionally, you can also save unencrypted data to an external storage media, for example if
you want to give it to a customer.
Encryption Options
The preconditions for the use of CryptionPro consist of a valid license and an installed
cynapspro server and client.
Go to the menu item Encryption > Encryption Options and Activate encryption.
You then select the functions that should be made available to users:
- Without encryption
Users are allowed to copy files to disks without encryption.
Under Settings for unencrypted file transfer, you write a security message that
will be displayed after the user has activated the unencrypted file transfer. This
message appears as a popup after the activation via the cynapspro agent. Activate
Unencrypted files auditing as a security measure. This allows you to review under
Unencrypted file transfer all non-encrypted files that were copied to external
storage media. You also need to specify the time interval without activity after which
encryption should be automatically reactivated. This option is a safeguard against
employees forgetting to reactivate encryption after they have completed their
unencrypted file transfer.
- Common encryption
On all computers in your company with a cynapspro agent, all files can always be
read and written by each employee; the decryption takes place in the background.
- Group encryption
Create group affiliations under CryptionPro Group management. If a user is in the
same group as the employee who created a file, or in the parent group, the file will be
automatically decrypted in the background. All other users of your directory service
will not be able to decrypt the file. Exception: Files can be decrypted with the
appropriate password using CryptionPro Mobile.
- Individual encryption
Only the user who encrypts a file can decrypt it again. All other users cannot decrypt
this file. Exception: Files can be decrypted with the appropriate password using
CryptionPro Mobile.
- Mobile encryption
Allows the use of CryptionPro Mobile. If this option is assigned to a user, the
activation of CryptionPro Mobile via the cynapspro agent facilitates the decryption of
files outside the company network. An .exe-file is automatically copied to the USB
stick, which decrypts files on any computer if the appropriate password is provided.
In addition CryptionPro Mobile can also encrypt files outside the company network.
Furthermore, you can decide which encryption method you want to use. There are currently
two methods available: Triple-DES and AES.
Unfortunately, encryption with AES is not available on Windows 2000 computers. If you have
this operating system in use, the Triple DES method will be the right choice for you.
For all companies using Windows XP, Windows Vista or Windows 7, AES is recommended as
a better and safer method.
Key Management
For each installation, a new key is created for CryptionPro. To ensure that you can still
access data encrypted with the old key even after a server crash, you should export the key
under key management. After a server crash, you can import the key once the new
installation has been completed.
Furthermore, you have the option to generate a master key. The master key will make it
possible to decrypt files which cannot be decrypted by the client. Please note that this
information must be stored securely and must be protected from unauthorized access.
CryptionPro Group Management
Create group affiliations under CryptionPro Group management. If a user is in the same
group as the employee who created a file, or in the parent group, the file will be
automatically decrypted in the background. All other users of your directory service will not
be able to decrypt the file. Exception: Files can be decrypted with the appropriate password
using CryptionPro Mobile.
CryptionPro Mobile (global settings)
Define your password policy, which will be taken into account when creating the password
via the cynapspro agent.
Determine whether all unencrypted data stored on the hard disk should automatically be
deleted or only deleted after confirmation when you close CryptionPro Mobile. Define
whether a file can be decrypted on the same and / or other storage media. Define if the
source file may be permanently decryptable, or whether a copy can be created.
Device Blacklist
You can exclude certain devices from the encryption. These devices can be stored on the
blacklist of devices.
Unencrypted File Transfer
Activate Unencrypted files auditing as a security measure. This allows you to review under
Unencrypted file transfer all non-encrypted files that were copied to external storage
media.
User Configuration
Next, you activate the product for the employees who will use CryptionPro.
Go to rights management and use a right mouse-click on the user, then click Activate /
Deactivate and select CryptionPro. A green check mark in the column CP signals the
activation of the product.
You can decide for every user which encryption options should be available to him:
- Without encryption
Allows users to copy files to disks without encryption.
Under Settings for unencrypted file transfer, you write a security message that
will be displayed after the user has activated the unencrypted file transfer. This
message appears as a popup after the activation via the cynapspro agent. Activate
Unencrypted files auditing as a security measure. This allows you to review under
Unencrypted file transfer all non-encrypted files that were copied to external
storage media. You also need to specify the time interval without activity after which
encryption should be automatically reactivated. This option is a safeguard against
employees forgetting to reactivate encryption after they have completed their
unencrypted file transfer.
- Common encryption
On all computers in your company with a cynapspro agent, all files can always be
read and written by each employee; the decryption takes place in the background.
- Group encryption
Create group affiliations under CryptionPro Group management. If a user is in the
same group as the employee who created a file, or in the parent group, the file will be
automatically decrypted in the background. All other users of your directory service
will not be able to decrypt the file. Exception: Files can be decrypted with the
appropriate password using CryptionPro Mobile.
- Individual encryption
Only the user who encrypts a file can decrypt it again. All other users cannot decrypt
this file. Exception: Files can be decrypted with the appropriate password using
CryptionPro Mobile.
- Mobile encryption
Allows the use of CryptionPro Mobile. If this option is assigned to a user, the
activation of CryptionPro Mobile via the cynapspro agent facilitates the decryption of
files outside the company network. An .exe-file is automatically copied to the USB
stick, which decrypts files on any computer if the appropriate password is provided.
In addition CryptionPro Mobile can also encrypt files outside the company network.
If only one option has been activated for a user, it will be applied automatically. If several
options have been activated, he may decide via the tray icon whether the next file should be
encrypted or not. To do so, he makes a double-click on the tray icon and selects the menu
item Encryption.
Important: Even if a user has both the options "Common Encryption" and "Without
Encryption" activated, he will be able to read both encrypted and unencrypted files. This setting
only has an effect if he wants to save or copy data to an external storage medium.
If CryptionPro was not activated for the user, he will not be able to read encrypted files.
However, as soon as he gets activated for CryptionPro, he will be able to edit all the
"common" encrypted files as normal.
CryptionPro Mobile (Client Software)
If the option mobile encryption is activated for a user, the user can decrypt and encrypt
files outside the company network. To do so, he makes a double-click on the tray icon and
selects the menu item Encryption. He then activates mobile encryption and enters the
password to be used for CryptionPro Mobile.
From that moment on, the file cryptionpromobile.exe will automatically be copied to any
USB device to which data is saved or copied.
Users just need to start CryptionPro Mobile on the USB device and enter a password. They
can now decrypt and encrypt files anywhere and anytime.
Depending on the settings that were made in the Management Console, you will receive a
message when closing CryptionPro Mobile asking you if you want to encrypt the unencrypted
files, or if you want to delete the local copies of files.
If you choose Yes, CryptionPro Mobile encrypts the current file and displays the next.
If you choose Yes for all, CryptionPro Mobile will go through the whole USB device to encrypt
the remaining unencrypted files before exiting.
If you choose No, CryptionPro Mobile leaves the current file unencrypted and displays the next.
If you choose No for all, CryptionPro Mobile will not encrypt any data and exits. If you don’t
want to exit the program yet, select Cancel.
If you want to delete decrypted data from the computer hard disk while working (if you open
a file on an external hard disk, Windows automatically creates a temporary copy of the file on
the computer), just answer the following question with Yes. If you select No, the
data will remain in the temp folder on the computer's hard disk.
Solution Scenarios for CryptionPro
Automatic Encryption for All Users
You want to make sure that all files are always encrypted, but can be read and
edited everywhere in the company. There is no reason to leave any data
unencrypted. But it is also important that users don’t have to be trained and
that their work is not negatively impacted.
Activate CryptionPro for all users and enable the option "Common encryption" only.
Instructions
Go to the Management Console > rights management. Select the desired user, group or OU
and all users assigned to this group or OU will appear in the top part of the right hand
window. Use a right mouse-click on the user(s), then click Activate / Deactivate and
select CryptionPro.
In the window below, you activate the checkbox Common encryption and Save your
changes.
From now on everything the user writes or copies to external storage devices will
automatically be encrypted, without him needing to do something. When accessed, the files
are automatically decrypted in the background and can be read everywhere in the company.
Save Without Encryption
You want to ensure that a user, who is used to providing data to customers on a
USB device, can continue doing so. He needs to be able to write or copy data
without encryption without being trained and without additional effort.
Activate CryptionPro for this user and enable the option "Without encryption" only.
Instructions
Go to the Management Console > rights management. Select the desired user and use a
right mouse-click. Click on Activate / Deactivate and select CryptionPro.
In the window below, you activate the checkbox Without encryption and Save your
changes.
From now on, everything the user writes or copies to external storage media will
automatically be saved without encryption. The files can be accessed and read everywhere,
both within the company and outside. Although the user only has the option Without
encryption activated, he is able to read all encrypted files in the company network.