Lenovo ThinkPad T400 (English) Hardware Password Manager Deployment Guide - Page 34

Safe Guard Easy/Safe Guard Enterprise compatibility, One-touch registration - manual

- enrolled - returns whether the current Windows system user is enrolled in the utility
- enabled - returns whether the utility is enabled in the BIOS program
- show - displays results to the console for all of the above commands
• Return codes:
  - 0 - false
  - 1 - true
  - 2 - error
• Example: cmp_util.exe -supported
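
These return codes invert the usual convention that exit code 0 means success, so a deployment script has to compare against 1 explicitly and handle 2 as its own case. The following PowerShell is an added example, not part of the Lenovo guide; the utility path and the dash-prefixed -enrolled and -enabled forms are assumptions modeled on the documented -supported example, and the final readiness gate is this example's own policy.

```powershell
# Added example: interpret cmp_util.exe exit codes (0 = false, 1 = true, 2 = error).
param(
    # Assumed location of the utility; adjust for your deployment image.
    [string]$UtilPath = '.\cmp_util.exe'
)

function Get-CmpState {
    param([string]$Query)

    # Assumption: every query uses the same form as the documented "-supported".
    & $UtilPath "-$Query" | Out-Null

    switch ($LASTEXITCODE) {
        0       { return $false }   # documented: false
        1       { return $true }    # documented: true
        default { throw "cmp_util.exe -$Query returned $LASTEXITCODE (error)" }
    }
}

$report = [ordered]@{}
foreach ($query in 'supported', 'enrolled', 'enabled') {
    try {
        $report[$query] = Get-CmpState -Query $query
    } catch {
        # Keep errors distinct from a clean "false" so they are not mistaken for it.
        $report[$query] = "error: $($_.Exception.Message)"
    }
}
[pscustomobject]$report | Format-List

# Example policy: fail this step unless every query came back true.
# A plain "if ($LASTEXITCODE -eq 0)" success test would read "false" as success.
$notTrue = @($report.Values | Where-Object { $_ -ne $true })
if ($notTrue.Count -gt 0) { exit 1 }
```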
The behavior of the fingerprint enrollment differs slightly between a Hardware Password Manager registered
system and a non-registered system. For registered systems, the BIOS program prompts for Hardware
Password Manager User Login credentials (Hardware account ID and password) instead of actual hardware
passwords. After verifying the specified user login credentials, the BIOS program obtains the actual
hardware passwords from the hardware account and saves them in the fingerprint device.
Other fingerprint scenarios to consider:

1. User enrolls in Hardware Password Manager after enrolling fingerprints for pre-boot authentication (hardware passwords are set)
   In this scenario, the user has already set a POP and has enrolled for pre-boot fingerprint authentication. The Client Portal treats the scenario the same as when any pre-boot passwords are set prior to registering in Hardware Password Manager. In this case, the Client Portal instructs the user to remove all hardware passwords.

2. User enrolls in Hardware Password Manager after enrolling fingerprints for pre-boot authentication (hardware passwords are cleared)
   In this scenario, the user has already enrolled for pre-boot fingerprint authentication but has manually cleared the POP and HDP (as requested in the previous scenario). The system starts and the user can enroll with Hardware Password Manager. However, the next time the user starts the system and swipes their finger, the BIOS program retrieves the old password or passwords from the fingerprint device and determines that they are not valid. The BIOS program then prompts for user login credentials. If the user is validated with their hardware account, the hardware passwords are retrieved from the system hardware account by the BIOS program and the passwords are validated. If they are confirmed, the new passwords are stored in the fingerprint device automatically.

Safe Guard Easy/Safe Guard Enterprise compatibility

In environments where the Safe Guard Easy/Safe Guard Enterprise utility is used, the Hardware Password
Manager client must be installed after the Safe Guard Easy/Safe Guard Enterprise utility.
There is also a limitation where the Hardware Password Manager single sign-on feature does not work when
the Safe Guard Easy/Safe Guard Enterprise utility is installed. Thus, the user is not automatically logged into
the Windows operating system when the user performs a normal Hardware Password Manager user login.

One-touch registration

As an administrator, you can register your systems with Hardware Password Manager to protect them from
unauthorized users during the deployment and distribution process. This is accomplished by allowing an
administrator to pre-register all of their systems in the Hardware Password Manager server with a common
local administrator account. This process requires a single manual step (one-touch) to complete, which is
required to prevent denial of service attacks.