Computer tab

The Computer tab shows the computer default options that govern how clients interact with the Application Server.

The following table describes the Computer tab default options and setting values.

Option

Value

Description

BitLocker Enforcement

Disabled

Feature is inactive.

Enabled

Encrypts the system partition of all client computers (Windows 10 and above) using BitLocker. When enabled, the user is prompted to enter the encryption PIN and the system drive encryption happens in the background.

Certificate generation

Automatic

A Certification Authority® (CA) digital certificate is generated automatically for media encryption, when a user does not have a certificate. This is the default value.

Disabled

When a user does not have a CA digital certificate, encrypted media cannot be used.

Clear unused space when encrypting

Disabled

The encryption process does not erase unused media disk space. This is the default value.

Enabled

The encryption process automatically erases unused media disk space.

Client Hardening

Disabled

Feature is inactive. This is the default value.

Basic

  • Prevents users from deleting shadow files and log entries.
  • Allows an administrator to uninstall the client using Endpoint Maintenance.

Extended

  • Prevents users from deleting shadow files and log entries.
  • Allows an administrator to uninstall the client using the Salt value defined using Endpoint Maintenance.

DC audit mode

Disabled

No device access or use events are logged. This is the default value.

Enabled

Users have full access to all unmanaged devices.

If no matching policy is configured for a given device, the client will provide logging information that can be used to create usage policies later.

WRITE-AUDIT and READ-AUDIT events are logged in sdcevent.log.

An endpoint is NOT secure while in Audit Mode.

Device Attachment Notification

Enabled

Enables device attached and device detached notifications when a device is connected to an endpoint.

Disabled

Disables device attached and device detached notifications when a device is connected to an endpoint.

Device eventlog

Disabled

System does not send a log entry to the Windows Event Log when a device access or use event occurs. This is the default value.

Enabled

System sends a log entry to the Windows Event Log when a device access or use event occurs.

Device log

Disabled

No device access or use events are logged. This is the default value.

Enabled

All device access and use events are logged.

Device log throttling

3600 (Default)

Defines the period (in seconds) during which repeated attempts to log a previously logged event are ignored.

DLP filter

Not configured (Default)

When configured this setting defines a filter string to be used against all MS Office and PDF documents contents. In order to work, DLP requires the Windows Search service to be configured properly for all the given files.

The filter string has to meet AQS requirements i.e.:

  • contents:"secret"
  • contents:(secret AND private)
  • contents:(secret OR private)
  • contents: secret AND tag: confidential

eDirectory translation

Disabled

eDirectory user account information is not shown with the Windows account information. This is the default value.

Enabled

eDirectory user account information is shown with the Windows account information.

Encryption grace period

0 (Default)

Time, shown in hours, of the grace period for removable storage media encrypted without Easy Exchange, during which the media is accessible after attaching and removing the media, provided that the client has not yet logged an event.

Encryption notification

No Notification (Default)

The user does not receive a custom encryption request notification when attaching an unencrypted removable storage device to a computer running the client.

This option applies only to a custom encryption notification message created by the administrator. It cannot be used to suppress the default notification.

Encryption Notification

The user receives a custom encryption request notification when attaching an unencrypted removable storage device to a computer running the client. The notification request includes a custom message regarding read/encrypt/write user privileges. The Encryption Notification field must contain a message created by the administrator, to enable the notification property.

The customizable message only applies when the user has the option to encrypt the device. When the user is required to encrypt the device the default system prompt is displayed, not the customized message.

Encryption retain data

Unselected (Default)

The check box in the Encrypt Medium dialog on the client is deselected.

Forced Unselected

The check box in the Encrypt Medium dialog on the client is deselected. This option preset by the administrator and cannot be modified by the user.

Selected

The check box in the Encrypt Medium dialog on the client is selected.

Forced Selected

The check box in the Encrypt Medium dialog on the client is selected. This option preset by the administrator and cannot be modified by the user.

Encryption strength

Strong (AES-128-XTS, Argon 2d)

Controls the encryption strength profile. The strength comes from the algorithms bundled into the profile.

Compliant (AES-256-CBC, PBKDF2)

Legacy (AES-256-CTR, SHA-256)

Endpoint status

Do not Show

Does not show the client in the Windows system tray and suppresses all event notifications except local authorization (Application Control).

Show All

Shows the client in the Windows system tray. Users can view all client status information. This is the default value.

Show All without Shadow

Shows the client in the Windows system tray. Users can view all client status information, excluding shadow file policies.

Show Allowed

Shows the client in the Windows system tray. Users can only view device status information for devices allowed for the client.

Show Allowed without Shadow

Shows the client in the Windows system tray. Users can only view devices status information allowed for the client, excluding shadow file policies.

Show Configured

Shows the client in the Windows system tray. Users can only view device status information for devices configured for the client.

Show Configured without Shadow

Shows the client in the Windows system tray. Users can only view devices status information allowed for the client, excluding shadow file policies.

Execution blocking

Non-blocking mode

The client driver will not block the execution of an unauthorized executable.

Blocking mode

The client driver will block the execution of an unauthorized executable.

Execution eventlog

No events logged

The client driver will send no log events to the Windows Event Log when a file is executed.

Access-denied logged

The client driver will send Access Denied events to the Windows Event Log when a file is executed.

Denied and non-blocked access

The client driver will send Access Denied as well as non-Blocking events to the Windows Event Log.

Execution log

Log everything

All execution events are reported in the Ivanti Device & Application Control Application Server logs.

Log access denied

Access Denied execution events are reported in the Ivanti Device & Application Control Application Server logs.

Logging disabled

No execution events are reported in the Ivanti Device & Application Control Application Server logs.

Log denied and unmanaged Execution

Denied and unmanaged execution events are reported in the Ivanti Device & Application Control Application Server logs.

Execution notification

No notifications

The user receives no notifications of the actions of the client driver.

Access denied

The client driver notifies the user of Access Denied events by means of a message box when they execute a file.

Denied and non-blocked access

The client driver notifies the user of Denied and non-blocked events by means of a message box when they execute a file.

Notification Text

Enables you to specify the message that is displayed to the user.

Hard drive detection method

Legacy

Relies on Windows OS recognition for "Removable Storage Device".

Enhanced

Relies on Windows OS recognition as "Removable Storage Device" and external BUS (USB/FW/BT/IrDA).

Local authorization

Enabled

The Ask User values of the Execution blocking (user options) are honored.

Disabled

The Ask User values of the Execution blocking (user options) are inhibited.

Log upload delay

3600 (Default)

Random time, shown in seconds, that the client delays after the Log upload time before uploading the log to the Application Server log.

Log upload interval

180 (Default)

Time, shown in seconds, that the client uploads the log to the Application Server log.

Caution: Event logs do not upload from the client when the server or database are unavailable. Logs upload when the client next connects to the server and/or database.

Log upload threshold

10000 (Default)

Defines the number of lines written to the log before the client uploads the log to the Application Server log.

Log upload time

05:00 (Default)

Time of day that the client uploads the log to the Application Server log.

Maximum shadow file size

 

When set to a value other than 0, this setting applies a maximum size (in MB) to shadowed files. If files to be shadowed are larger than this size, only their file-names are shadowed.

A value of 0 disables this behavior. The setting does not apply to shadowed Prints.

Microsoft CA key provider

Disabled (Default)

Microsoft CA keys cannot be used for encryption.

Enabled (Decentralized)

Microsoft CA keys can be used only for decentralized encryption.

Enabled

Microsoft CA keys can be used for centralized and decentralized encryption.

Online state definition

Server connectivity

Enforces online and/or offline permission rules for device use when the client has no connectivity with any Application Server. This is the default value.

Wired connectivity

Enforces online and/or offline permission rules for device use when the client has an active wired network interface connection.

Organizational Unit Grouping

Disabled

Disables organizational unit grouping.

Enabled

During an Active Directory synchronization, non-empty Organizational Units are mapped to Workstation Groups and populated with Workstations (unless they were manually assigned to another group).

Password complexity

Enforced (Default)

Defines enforcement of password complexity. Enforcing complexity requires passwords to be at least 6 characters in length and contain at least 3 of the following:

  • uppercase letters (A-Z);
  • lowercase letters (a-z);
  • base 10 digits (0-9);
  • non-alphanumeric characters (e.g., !, $, #, %);
  • any other Unicode characters.

Not enforced

Defines that passwords are not required to meet complexity requirements.

Password minimum length

6 (default)

Defines the least number of characters that can make up a password. The value influences password complexity enforcement when Password Complexity is enforced. When allowing weak passwords, the minimum length can be set to 1.

Portable encryption capacity

128 GB

The maximum capacity of devices which may be encrypted using the Portable Encryption method. This value may be any number between 32 GB and 2000 GB (2 TB).

Powershell Protection

Disabled

Disables PowerShell protection.

Enabled

Applies Macro and Script protection settings (within User/Group Default settings) to PowerShell scripts also.

Restriction for weaker encryption

No restrictions

No restriction is applied to media found with a weaker encryption profile than the one configured.

Force Upgrade

Media found with a weaker encryption profile than the one configured are forced to upgrade.

Disable

Media found with a weaker encryption profile than the one configured are disabled.

Server address

Not configured (Default)

Defines the IP address or fully qualified DNS name for the Application Server that the client connects to.

Shadow directory

Not configured (Default)

Defines the local temporary directory where shadow and log files are stored before they are uploaded to the Application Server. The default directory is \SystemRoot\sxdata\shadow\. You cannot use a remote directory.

The specified shadow folder path must already exist.

SysLog server address

Not configured (Default)

Specifies the SysLog server address and the optional port to use.

System Trust AC

Disabled

Feature is inactive.

Basic

Applications and libraries owned by the TrustedInstaller service account or digitally signed by Microsoft are authorized to execute.

The ci.dll contains hardcoded certificate identifiers that are used by Microsoft at installation and during Windows updates.

Extended

In addition to the behavior from the Basic mode, applications and libraries digitally signed by a third party certificate that is valid from the operating system point of view are authorized to execute.

You can use mmc.exe to visualize these certificates, and content is stored under these registry entries:

  • Trusted Root Certification Authorities
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
  • Intermediate Certification Authorities
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
  • Third-Party Root Certification Authorities
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates

An administrator can modify these registry entries. See this knowledge base article for more information.

System Trust Subjects

Not configured

Feature is inactive.

System Trust Subjects

Restricts the System Trust AC functionality based on the digital certificate subject name. You can use wildcards and separate several entries using semicolons.

Example: Company1*;!Company2*;Company3

Telemetry

Minimum

Sends a minimal set of anonymized telemetry data to Ivanti on a weekly basis.

Full

Sends a fuller set of anonymized telemetry data to Ivanti on a weekly basis.

This data will be used to help us target common functionality areas to address in future releases as well as enabling us to gain better insight to help troubleshoot issues. We believe that capturing anonymized data will help us to give you the greatest return of value going forward with IDAC, helping us to focus in the right areas of the product that matter the most to you. For further information, please see the following KB article: https://forums.ivanti.com/s/article/idac-telemetry.

Update Notification

No messages

No permissions change condition messages are displayed to the user.

Temporary device permission changes

Displays a message when temporary permissions are changed, before the temporary permissions are to expire, and when temporary permissions are invalid.

All device permission changes

Displays a message when any changes are made to permissions (permanent, scheduled, offline, online, and temporary) that affect the user. This is the default value.

USB key logger

Disabled

Does not detect keylogging activity.

Exclusive mode (Lock/block, notify and log event)

Locks an endpoint and logs an event when an additional USB keyboard is detected, including keyboard emulation devices like Rubber Ducky.

The user is notified about the connection change through a message box upon re-login. Immediately find and remove the detected device. If the device is a valid second keyboard, the warning can be ignored.