Lenovo ThinkPad T400 (English) Hardware Password Manager Deployment Guide - Page 9



Chapter 1. Overview

The Lenovo Hardware Password Manager (HPM) gives an administrator the ability to manage hardware
passwords for all registered PC devices. It also creates a BIOS-level user ID and password that the
end user uses as a single sign-on proxy. This user ID and password can be synchronized with the
user's Windows ID and password. The user also has the option to authenticate to the BIOS with a
fingerprint. When the device powers on, the user is asked for these credentials. If they are provided,
the device logs the user in to the desktop. This mechanism preserves the user's privacy and makes it
possible to use the device even though the user does not know the actual hardware passwords.

When HPM is installed, the Lenovo ThinkManagement Console core server acts as the HPM server: it
manages and authenticates HPM devices. In addition, an Active Directory or eDirectory LDAP server
functions as the authentication server for Hardware Password Manager: the HPM server checks user
credentials against data on the LDAP server.

On Lenovo client devices that support HPM, the administrator installs an agent that contains a Hardware
Password Manager application. When the client device powers on, it communicates with the HPM server
through UDP port 50001.

After the client has booted to the operating system, it uses the Hardware Password Manager client
application to communicate with a Web service on the server. This communication takes place over an
HTTPS channel.

The administrator uses the HPM features in the ThinkManagement Console to manage HPM devices and to
create and deploy policies to these devices. These policies determine how Hardware Password Manager
is implemented for the devices; for example, the administrator selects which user options are available
on HPM devices as part of the policy definition.
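
The two client-to-server channels described above (UDP port 50001 at power-on, HTTPS after boot) can be checked against a firewall policy before rollout. The following is an added example, not part of the Lenovo guide: the rule format, the sample rule sets and the client subnet are constructed, and TCP 443 for the HTTPS channel is an assumption because the guide names no port.

```python
import ipaddress

# Flows named in the overview. TCP 443 for HTTPS is an assumption.
REQUIRED_FLOWS = [("udp", 50001), ("tcp", 443)]

def _covers(rule, proto, port):
    """True if the rule applies to this protocol and destination port."""
    return rule["proto"] in (proto, "any") and rule["port"] in (port, "any")

def first_match(rules, proto, src_ip, port):
    """Action of the first rule matching the packet; default deny."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if _covers(rule, proto, port) and src in ipaddress.ip_network(rule["src"]):
            return rule["action"]
    return "deny"

def audit(rules, client_nets):
    """Check inbound rules on the HPM server for blocked or over-broad HPM flows."""
    nets = [ipaddress.ip_network(n) for n in client_nets]
    findings = []
    for proto, port in REQUIRED_FLOWS:
        # Every client network must be able to reach the server on this flow.
        for net in nets:
            probe = str(next(iter(net.hosts())))
            if first_match(rules, proto, probe, port) != "allow":
                findings.append(f"blocked: {proto}/{port} from {net}")
        # No allow rule for the flow may accept sources outside the client networks.
        # Static check: it does not account for shadowing by an earlier deny rule.
        for rule in rules:
            if rule["action"] == "allow" and _covers(rule, proto, port):
                src = ipaddress.ip_network(rule["src"])
                if not any(src.subnet_of(net) for net in nets):
                    findings.append(f"too broad: {proto}/{port} allowed from {rule['src']}")
    return findings

# Constructed sample data (IPv4 only).
CLIENT_NETS = ["10.20.0.0/16"]
WEAK = [
    {"action": "allow", "proto": "udp", "src": "0.0.0.0/0", "port": 50001},
    {"action": "allow", "proto": "tcp", "src": "10.20.0.0/16", "port": 443},
]
HARDENED = [
    {"action": "allow", "proto": "udp", "src": "10.20.0.0/16", "port": 50001},
    {"action": "allow", "proto": "tcp", "src": "10.20.0.0/16", "port": 443},
    {"action": "deny", "proto": "any", "src": "0.0.0.0/0", "port": "any"},
]

if __name__ == "__main__":
    print(audit(WEAK, CLIENT_NETS))
    print(audit(HARDENED, CLIENT_NETS))
```
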
© Copyright Lenovo 2010