Computer tab
The Computer tab shows the computer default options that govern how clients interact with the Application Server.
The following table describes the Computer tab default options and setting values.
Option |
Value |
Description |
---|---|---|
BitLocker Enforcement |
Disabled |
Feature is inactive. |
Enabled |
Encrypts the system partition of all client computers (Windows 10 and above) using BitLocker. When enabled, the user is prompted to enter the encryption PIN and the system drive encryption happens in the background. |
|
Certificate generation |
Automatic |
A Certification Authority® (CA) digital certificate is generated automatically for media encryption, when a user does not have a certificate. This is the default value. |
Disabled |
When a user does not have a CA digital certificate, encrypted media cannot be used. |
|
Clear unused space when encrypting |
Disabled |
The encryption process does not erase unused media disk space. This is the default value. |
Enabled |
The encryption process automatically erases unused media disk space. |
|
Client Hardening |
Disabled |
Feature is inactive. This is the default value. |
Basic |
|
|
Extended |
|
|
DC audit mode |
Disabled |
No device access or use events are logged. This is the default value. |
Enabled |
Users have full access to all unmanaged devices. If no matching policy is configured for a given device, the client will provide logging information that can be used to create usage policies later. WRITE-AUDIT and READ-AUDIT events are logged in sdcevent.log. An endpoint is NOT secure while in Audit Mode. |
|
Device Attachment Notification |
Enabled |
Enables device attached and device detached notifications when a device is connected to an endpoint. |
Disabled |
Disables device attached and device detached notifications when a device is connected to an endpoint. |
|
Device eventlog |
Disabled |
System does not send a log entry to the Windows Event Log when a device access or use event occurs. This is the default value. |
Enabled |
System sends a log entry to the Windows Event Log when a device access or use event occurs. |
|
Device log |
Disabled |
No device access or use events are logged. This is the default value. |
Enabled |
All device access and use events are logged. |
|
Device log throttling |
3600 (Default) |
Defines the period (in seconds) during which repeated attempts to log a previously logged event are ignored. |
DLP filter |
Not configured (Default) |
When configured this setting defines a filter string to be used against all MS Office and PDF documents contents. In order to work, DLP requires the Windows Search service to be configured properly for all the given files. The filter string has to meet AQS requirements i.e.:
|
eDirectory translation |
Disabled |
eDirectory user account information is not shown with the Windows account information. This is the default value. |
Enabled |
eDirectory user account information is shown with the Windows account information. |
|
Encryption grace period |
0 (Default) |
Time, shown in hours, of the grace period for removable storage media encrypted without Easy Exchange, during which the media is accessible after attaching and removing the media, provided that the client has not yet logged an event. |
Encryption notification |
No Notification (Default) |
The user does not receive a custom encryption request notification when attaching an unencrypted removable storage device to a computer running the client. This option applies only to a custom encryption notification message created by the administrator. It cannot be used to suppress the default notification. |
Encryption Notification |
The user receives a custom encryption request notification when attaching an unencrypted removable storage device to a computer running the client. The notification request includes a custom message regarding read/encrypt/write user privileges. The Encryption Notification field must contain a message created by the administrator, to enable the notification property. The customizable message only applies when the user has the option to encrypt the device. When the user is required to encrypt the device the default system prompt is displayed, not the customized message. |
|
Encryption retain data |
Unselected (Default) |
The check box in the Encrypt Medium dialog on the client is deselected. |
Forced Unselected |
The check box in the Encrypt Medium dialog on the client is deselected. This option preset by the administrator and cannot be modified by the user. |
|
Selected |
The check box in the Encrypt Medium dialog on the client is selected. |
|
Forced Selected |
The check box in the Encrypt Medium dialog on the client is selected. This option preset by the administrator and cannot be modified by the user. |
|
Encryption strength |
Strong (AES-128-XTS, Argon 2d) |
Controls the encryption strength profile. The strength comes from the algorithms bundled into the profile. |
Compliant (AES-256-CBC, PBKDF2) |
||
Legacy (AES-256-CTR, SHA-256) |
||
Endpoint status
|
Do not Show |
Does not show the client in the Windows system tray and suppresses all event notifications except local authorization (Application Control). |
Show All |
Shows the client in the Windows system tray. Users can view all client status information. This is the default value. |
|
Show All without Shadow |
Shows the client in the Windows system tray. Users can view all client status information, excluding shadow file policies. |
|
Show Allowed |
Shows the client in the Windows system tray. Users can only view device status information for devices allowed for the client. |
|
Show Allowed without Shadow |
Shows the client in the Windows system tray. Users can only view devices status information allowed for the client, excluding shadow file policies. |
|
Show Configured |
Shows the client in the Windows system tray. Users can only view device status information for devices configured for the client. |
|
Show Configured without Shadow |
Shows the client in the Windows system tray. Users can only view devices status information allowed for the client, excluding shadow file policies. |
|
Hide Status Window |
Shows the client in the Windows system tray. Users are unable to access complete client status information. |
|
Execution blocking |
Non-blocking mode |
The client driver will not block the execution of an unauthorized executable. |
Blocking mode |
The client driver will block the execution of an unauthorized executable. |
|
Execution eventlog |
No events logged |
The client driver will send no log events to the Windows Event Log when a file is executed. |
Access-denied logged |
The client driver will send Access Denied events to the Windows Event Log when a file is executed. |
|
Denied and non-blocked access |
The client driver will send Access Denied as well as non-Blocking events to the Windows Event Log. |
|
Execution log |
Log everything |
All execution events are reported in the Ivanti Device & Application Control Application Server logs. |
Log access denied |
Access Denied execution events are reported in the Ivanti Device & Application Control Application Server logs. |
|
Logging disabled |
No execution events are reported in the Ivanti Device & Application Control Application Server logs. |
|
Log denied and unmanaged Execution |
Denied and unmanaged execution events are reported in the Ivanti Device & Application Control Application Server logs. |
|
Execution notification |
No notifications |
The user receives no notifications of the actions of the client driver. |
Access denied |
The client driver notifies the user of Access Denied events by means of a message box when they execute a file. |
|
Denied and non-blocked access |
The client driver notifies the user of Denied and non-blocked events by means of a message box when they execute a file. |
|
Notification Text |
Enables you to specify the message that is displayed to the user. |
|
Hard drive detection method |
Legacy |
Relies on Windows OS recognition for "Removable Storage Device". |
Enhanced |
Relies on Windows OS recognition as "Removable Storage Device" and external BUS (USB/FW/BT/IrDA). |
|
Local authorization |
Enabled |
The Ask User values of the Execution blocking (user options) are honored. |
Disabled |
The Ask User values of the Execution blocking (user options) are inhibited. |
|
Log upload delay |
3600 (Default) |
Random time, shown in seconds, that the client delays after the Log upload time before uploading the log to the Application Server log. |
Log upload interval |
180 (Default) |
Time, shown in seconds, that the client uploads the log to the Application Server log. Caution: Event logs do not upload from the client when the server or database are unavailable. Logs upload when the client next connects to the server and/or database. |
Log upload threshold |
10000 (Default) |
Defines the number of lines written to the log before the client uploads the log to the Application Server log. |
Log upload time |
05:00 (Default) |
Time of day that the client uploads the log to the Application Server log. |
Maximum shadow file size |
|
When set to a value other than 0, this setting applies a maximum size (in MB) to shadowed files. If files to be shadowed are larger than this size, only their file-names are shadowed. A value of 0 disables this behavior. The setting does not apply to shadowed Prints. |
Microsoft CA key provider |
Disabled (Default) |
Microsoft CA keys cannot be used for encryption. |
Enabled (Decentralized) |
Microsoft CA keys can be used only for decentralized encryption. |
|
Enabled |
Microsoft CA keys can be used for centralized and decentralized encryption. |
|
Online state definition |
Server connectivity |
Enforces online and/or offline permission rules for device use when the client has no connectivity with any Application Server. This is the default value. |
Wired connectivity |
Enforces online and/or offline permission rules for device use when the client has an active wired network interface connection. |
|
Organizational Unit Grouping |
Disabled |
Disables organizational unit grouping. |
Enabled |
During an Active Directory synchronization, non-empty Organizational Units are mapped to Workstation Groups and populated with Workstations (unless they were manually assigned to another group). |
|
Password complexity |
Enforced (Default) |
Defines enforcement of password complexity. Enforcing complexity requires passwords to be at least 6 characters in length and contain at least 3 of the following:
|
Not enforced |
Defines that passwords are not required to meet complexity requirements. |
|
Password minimum length |
6 (default) |
Defines the least number of characters that can make up a password. The value influences password complexity enforcement when Password Complexity is enforced. When allowing weak passwords, the minimum length can be set to 1. |
Portable encryption capacity |
128 GB |
The maximum capacity of devices which may be encrypted using the Portable Encryption method. This value may be any number between 32 GB and 2000 GB (2 TB). |
Powershell Protection |
Disabled |
Disables PowerShell protection. |
Enabled |
Applies Macro and Script protection settings (within User/Group Default settings) to PowerShell scripts also. |
|
Restriction for weaker encryption |
No restrictions |
No restriction is applied to media found with a weaker encryption profile than the one configured. |
Force Upgrade |
Media found with a weaker encryption profile than the one configured are forced to upgrade. |
|
Disable |
Media found with a weaker encryption profile than the one configured are disabled. |
|
Server address |
Not configured (Default) |
Defines the IP address or fully qualified DNS name for the Application Server that the client connects to. |
Shadow directory |
Not configured (Default) |
Defines the local temporary directory where shadow and log files are stored before they are uploaded to the Application Server. The default directory is \SystemRoot\sxdata\shadow\. You cannot use a remote directory. The specified shadow folder path must already exist. |
SysLog server address |
Not configured (Default) |
Specifies the SysLog server address and the optional port to use. |
System Trust AC |
Disabled |
Feature is inactive. |
Basic |
Applications and libraries owned by the TrustedInstaller service account or digitally signed by Microsoft are authorized to execute. The ci.dll contains hardcoded certificate identifiers that are used by Microsoft at installation and during Windows updates. |
|
Extended |
In addition to the behavior from the Basic mode, applications and libraries digitally signed by a third party certificate that is valid from the operating system point of view are authorized to execute. You can use mmc.exe to visualize these certificates, and content is stored under these registry entries:
An administrator can modify these registry entries. See this knowledge base article for more information. |
|
System Trust Subjects |
Not configured |
Feature is inactive. |
System Trust Subjects |
Restricts the System Trust AC functionality based on the digital certificate subject name. You can use wildcards and separate several entries using semicolons. Example: Company1*;!Company2*;Company3 |
|
Telemetry |
Minimum |
Sends a minimal set of anonymized telemetry data to Ivanti on a weekly basis. |
Full |
Sends a fuller set of anonymized telemetry data to Ivanti on a weekly basis. This data will be used to help us target common functionality areas to address in future releases as well as enabling us to gain better insight to help troubleshoot issues. We believe that capturing anonymized data will help us to give you the greatest return of value going forward with IDAC, helping us to focus in the right areas of the product that matter the most to you. For further information, please see the following KB article. |
|
Update Notification |
No messages |
No permissions change condition messages are displayed to the user. |
Temporary device permission changes |
Displays a message when temporary permissions are changed, before the temporary permissions are to expire, and when temporary permissions are invalid. |
|
All device permission changes |
Displays a message when any changes are made to permissions (permanent, scheduled, offline, online, and temporary) that affect the user. This is the default value. |
|
USB key logger |
Disabled |
Does not detect keylogging activity. |
Exclusive mode (Lock/block, notify and log event) |
Locks an endpoint and logs an event when an additional USB keyboard is detected, including keyboard emulation devices like Rubber Ducky. The user is notified about the connection change through a message box upon re-login. Immediately find and remove the detected device. If the device is a valid second keyboard, the warning can be ignored. |