Computer Tab

The Computer tab shows the computer default options that govern how clients interact with the Application Server.

The following table describes the Computer tab default options and setting values.

Option Value Description
Client Hardening Disabled Feature is inactive. This is the default value.
Basic
  • Prevents users from deleting shadow files and log entries.
  • Allows an administrator to uninstall the client using Endpoint Maintenance.
Extended
  • Prevents users from deleting shadow files and log entries.
  • Allows an administrator to uninstall the client using the Salt value defined using Endpoint Maintenance.
Certificate generation Automatic A Certification Authority (CA) digital certificate is generated automatically for media encryption when a user does not have a certificate. This is the default value.
Disabled When a user does not have a CA digital certificate, encrypted media cannot be used.
Clear unused space when encrypting Disabled The encryption process does not erase unused media disk space. This is the default value.
Enabled The encryption process automatically erases unused media disk space.
Device Log Disabled No device access or use events are logged. This is the default value.
Enabled All device access and use events are logged.
DC audit mode Disabled No device access or use events are logged. This is the default value.
Enabled Users have full access to all unmanaged devices.

If no matching policy is configured for a given device, the client will provide logging information that can be used to create usage policies later.

WRITE-AUDIT and READ-AUDIT events will be logged in sdcevent.log.

An endpoint is NOT secure while in Audit Mode.

Device Eventlog Disabled System does not send a log entry to the Windows Event Log when a device access or use event occurs. This is the default value.
Enabled System sends a log entry to the Windows Event Log when a device access or use event occurs.
Device Throttling 3600 (Default) Defines the period (in seconds) during which repeated attempts to log a previously logged event are ignored.
eDirectory Translation Disabled eDirectory user account information is not shown with the Windows account information. This is the default value.
Enabled eDirectory user account information is shown with the Windows account information.
Encryption Grace Period 0 (Default) Time, shown in hours, of the grace period for removable storage media encrypted without Easy Exchange, during which the media is accessible after attaching and removing the media, provided that the client has not yet logged an event.
Encryption Notification No Notification (Default) The user does not receive a custom encryption request notification when attaching an unencrypted removable storage device to a computer running the client.

This option applies only to a custom encryption notification message created by the administrator. It cannot be used to suppress the default notification.

Encryption Notification The user receives a custom encryption request notification when attaching an unencrypted removable storage device to a computer running the client. The notification request includes a custom message regarding read/encrypt/write user privileges. The Encryption Notification field must contain a message created by the administrator, to enable the notification property.

The customizable message only applies when the user has the option to encrypt the device. When the user is required to encrypt the device, the default system prompt is displayed, not the customized message.

Encryption Retain Data Unselected (Default) The check box in the Encrypt Medium dialog on the client is deselected.
Forced Unselected The check box in the Encrypt Medium dialog on the client is deselected. This option is preset by the administrator and cannot be modified by the user.
Selected The check box in the Encrypt Medium dialog on the client is selected.
Forced Selected The check box in the Encrypt Medium dialog on the client is selected. This option is preset by the administrator and cannot be modified by the user.
Endpoint Status Do not Show Does not show the client in the Windows system tray and suppresses all event notifications except local authorization (Application Control).
Show All Shows the client in the Windows system tray. Users can view all client status information. This is the default value.
Show All without Shadow Shows the client in the Windows system tray. Users can view all client status information, excluding shadow file policies.
Show Allowed Shows the client in the Windows system tray. Users can only view device status information for devices allowed for the client.
Show Allowed without Shadow Shows the client in the Windows system tray. Users can only view device status information allowed for the client, excluding shadow file policies.
Show Configured Shows the client in the Windows system tray. Users can only view device status information for devices configured for the client.
Show Configured without Shadow Shows the client in the Windows system tray. Users can only view device status information allowed for the client, excluding shadow file policies.
Compliance mode Enabled The Application Server uses Compliance mode algorithms for cryptographic services. This is the default value.
Disabled The Application Server does not use Compliance mode algorithms for cryptographic services.
DLC filter Not configured (Default) When configured, this setting defines a filter string that is applied to the contents of all MS Office and PDF documents. In order to work, DLP requires the Windows Search service to be configured properly for all the given files.

The filter string has to meet Advanced Query Syntax (AQS) requirements, e.g.:

  • contents:"secret"
  • contents:(secret AND private)
  • contents:(secret OR private)
  • contents: secret AND tag: confidential

Log upload delay 3600 (Default) Random time, shown in seconds, that the client delays after the Log upload time before uploading the log to the Application Server log.
Log upload interval 180 (Default) Interval, shown in seconds, at which the client uploads the log to the Application Server log.

Caution: Event logs do not upload from the client when the server or database is unavailable. Log upload will occur the next time the client connects to the server and/or database.

Log upload threshold 10000 (Default) Defines the number of lines written to the log before the client uploads the log to the Application Server log.
Log upload time 05:00 (Default) Time of day that the client uploads the log to the Application Server log.
Microsoft CA Key Provider Disabled (Default) Microsoft CA keys cannot be used for encryption.
Enabled (Decentralized) Microsoft CA keys can be used only for decentralized encryption.
Enabled Microsoft CA keys can be used for centralized and decentralized encryption.
Password Complexity Enforced (Default) Defines enforcement of password complexity. Enforcing complexity requires passwords to be at least 6 characters in length and contain at least 3 of the following:
  • uppercase letters (A-Z);
  • lowercase letters (a-z);
  • base 10 digits (0-9);
  • non-alphanumeric characters (e.g., !, $, #, %);
  • any other Unicode characters.
Not enforced Defines that passwords are not required to meet complexity requirements.
Password Minimum Length 6 (default) Defines the least number of characters that can make up a password. The value influences password complexity enforcement when Password Complexity is enforced. When allowing weak passwords, the minimum length can be set to 1.
Portable Encryption Capacity 128 GB The maximum capacity of devices which may be encrypted using the Portable Encryption method. This value may be any number between 32 GB and 2000 GB (2 TB).
Online State Definition Server connectivity Enforces online and/or offline permission rules for device use when the client has no connectivity with any Application Server. This is the default value.
Wired connectivity Enforces online and/or offline permission rules for device use when the client has an active wired network interface connection.
Server Address Not configured (Default) Defines the IP address or fully qualified DNS name for the Application Server that the client connects to.
Shadow Directory Not configured (Default) Defines the local temporary directory where shadow and log files are stored before they are uploaded to the Application Server. The default directory is \SystemRoot\sxdata\shadow\. You cannot use a remote directory.

The specified shadow folder path must already exist.

SysLog server address Not configured (Default) Specifies the SysLog server address and the optional port to use.
Update Notification No messages No permissions change condition messages are displayed to the user.
Temporary device permission changes Displays a message when temporary permissions are changed, before the temporary permissions are to expire, and when temporary permissions are invalid.
All device permission changes Displays a message when any changes are made to permissions (permanent, scheduled, offline, online, and temporary) that affect the user. This is the default value.
USB Keylogger Disabled Does not detect keylogging activity.
Notify user Notifies the user when a keylogger is detected.
Log event Logs an event when a keylogger is detected.
Notify user and log event Notifies the user when a keylogger is detected and logs an event.
Block keyboard and notify user Notifies the user when a keylogger is detected and disables the keyboard.
Block and log event Logs an event when a keylogger is detected and disables the keyboard.
Block, notify, and log event Notifies the user when a keylogger is detected, logs an event, and disables the keyboard. This is the default value.
Exclusive mode (Lock/block, notify and log event) Locks an endpoint and logs an event when an additional USB keyboard is detected, including keyboard emulation devices like Rubber Ducky.

The user is notified about the connection change through a message box upon re-login. Immediately find and remove the detected device. If the device is a valid second keyboard, the warning can be ignored.
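
The Password Complexity and Password Minimum Length rules from the table, written out as a checker. This is an added example, not the product's code. It assumes that the A-Z, a-z and 0-9 ranges are literal ASCII, that every non-ASCII character counts as "any other Unicode characters", and that the larger of the two length limits applies when complexity is enforced.

```python
import string


def char_class(ch):
    """Map one character to one of the five classes listed in the table."""
    # Assumption of this example: the listed ranges are taken literally (ASCII).
    if ch in string.ascii_uppercase:
        return "uppercase"
    if ch in string.ascii_lowercase:
        return "lowercase"
    if ch in string.digits:
        return "digit"
    if ord(ch) < 128:
        return "non-alphanumeric"
    # Assumption: anything outside ASCII is an "other Unicode character".
    return "other-unicode"


def check_password(password, complexity_enforced=True, minimum_length=6):
    """Return a list of rule violations; an empty list means accepted."""
    problems = []
    required = minimum_length
    if complexity_enforced:
        # Enforced complexity requires at least 6 characters; assumption:
        # a larger Password Minimum Length raises that floor.
        required = max(minimum_length, 6)
    if len(password) < required:
        problems.append(f"shorter than {required} characters")
    if complexity_enforced:
        classes = sorted({char_class(ch) for ch in password})
        if len(classes) < 3:
            problems.append(f"only {len(classes)} of 5 character classes: {classes}")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ["abcdef", "Abc12", "Abcde1", "pässwörd", "päßword1"]:
        result = check_password(pw)
        print(f"{pw!r}: {'accepted' if not result else '; '.join(result)}")
    # Not enforced with Password Minimum Length set to 1 accepts a single character.
    print(check_password("a", complexity_enforced=False, minimum_length=1))
```

With Not enforced and a minimum length of 1, the single-character password passes, which is the weak-password case the Password Minimum Length row describes.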