Computer tab

The Computer tab shows the computer default options that govern how clients interact with the Application Server.

The following table describes the Computer tab default options and setting values.

Option

Value

Description

BitLocker Enforcement

Disabled

Feature is inactive.

Enabled

Encrypts the system partition of all client computers (Windows 10 and above) using BitLocker. When enabled, the user is prompted to enter the encryption PIN and the system drive encryption happens in the background.

Certificate generation

Automatic

A Certification Authority (CA) digital certificate is generated automatically for media encryption when the user does not already have one. This is the default value.

Disabled

When a user does not have a CA digital certificate, encrypted media cannot be used.

Clear unused space when encrypting

Disabled

The encryption process does not erase unused media disk space. This is the default value.

Enabled

The encryption process also erases unused media disk space, so that remnants of previously deleted plaintext files cannot be recovered from the device.

Client Hardening

Disabled

Feature is inactive. This is the default value.

Basic

  • Prevents users from deleting shadow files and log entries.
  • Allows an administrator to uninstall the client using Endpoint Maintenance.

Extended

  • Prevents users from deleting shadow files and log entries.
  • Allows an administrator to uninstall the client using the Salt value defined in Endpoint Maintenance.

DC audit mode

Disabled

Audit mode is inactive and the configured device permissions are enforced. This is the default value.

Enabled

Users have full access to all unmanaged devices.

If no matching policy is configured for a device, the client logs the access instead of blocking it, so that the records can be used to create usage policies later.

WRITE-AUDIT and READ-AUDIT events are logged in sdcevent.log.

An endpoint is NOT secure while in Audit Mode: leave it enabled only for as long as it takes to collect the usage data, then disable it once the policies are in place.

Device Attachment Notification

Enabled

Enables the device attached and device detached notifications shown when a device is connected to or disconnected from an endpoint.

Disabled

Disables the device attached and device detached notifications shown when a device is connected to or disconnected from an endpoint.

Device eventlog

Disabled

System does not send a log entry to the Windows Event Log when a device access or use event occurs. This is the default value.

Enabled

System sends a log entry to the Windows Event Log when a device access or use event occurs.

Device log

Disabled

No device access or use events are logged. This is the default value.

Enabled

All device access and use events are logged.

Device log throttling

3600 (Default)

Defines the period (in seconds) during which repeated attempts to log a previously logged event are ignored.
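As an added illustration (not Ivanti code) of what the throttling window does to the record, the following Python model drops repeated events for the same device, user and action that fall inside the window. It assumes the repeat key is (device, user, action) and that the window is measured from the last event that was actually logged, not from the last suppressed attempt; the product's exact key and window semantics are not documented on this page.

```python
"""Model of a device-log throttling window. Added example, not Ivanti code.
Assumptions: repeats are keyed on (device, user, action) and the window starts
at the last event that was actually logged, not at the last suppressed attempt."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceEvent:
    ts: int          # seconds since some epoch (constructed values below)
    device: str
    user: str
    action: str      # e.g. "READ-DENIED", "WRITE-DENIED"


class LogThrottle:
    def __init__(self, window_seconds: int = 3600):
        self.window = window_seconds
        self._last_logged: dict[tuple[str, str, str], int] = {}

    def should_log(self, ev: DeviceEvent) -> bool:
        """True if the event should be written; False if it is a throttled repeat."""
        key = (ev.device, ev.user, ev.action)
        last = self._last_logged.get(key)
        if last is not None and ev.ts - last < self.window:
            return False
        self._last_logged[key] = ev.ts
        return True


def apply_throttle(events, window_seconds: int = 3600):
    """Return (logged, suppressed) after running the events through the throttle in time order."""
    throttle = LogThrottle(window_seconds)
    logged, suppressed = [], []
    for ev in sorted(events, key=lambda e: e.ts):
        (logged if throttle.should_log(ev) else suppressed).append(ev)
    return logged, suppressed


# Constructed sample (not real data): a user retrying a denied write to the same
# USB stick once a minute for an hour, plus one unrelated read on another device.
SAMPLE_EVENTS = [DeviceEvent(t, "USB\\VID_0781&PID_5583\\4C530001", "CORP\\alice", "WRITE-DENIED")
                 for t in range(0, 3601, 60)]          # 61 attempts: t = 0, 60, ..., 3600
SAMPLE_EVENTS.append(DeviceEvent(30, "USB\\VID_0951&PID_1666\\E0D55EA", "CORP\\alice", "READ-DENIED"))


def summary(window_seconds: int = 3600) -> tuple[int, int]:
    """(number logged, number suppressed) for the sample under a given window."""
    logged, suppressed = apply_throttle(SAMPLE_EVENTS, window_seconds)
    return len(logged), len(suppressed)
```

With the default 3600-second window the sample yields three log lines (the first denied write, the read on the other device, and the write exactly one hour later) and 59 suppressed attempts. The suppressed attempts are not written anywhere, so a long window trades log volume against evidence of persistent retries; choose it with the investigation use in mind.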

DLP filter

Not configured (Default)

When configured, this setting defines a filter string that is applied to the contents of all MS Office and PDF documents. DLP depends on the Windows Search service: the relevant files must be indexed with content indexing enabled, or the filter cannot see their contents.

The filter string must follow Windows Advanced Query Syntax (AQS), for example:

  • contents:"secret"
  • contents:(secret AND private)
  • contents:(secret OR private)
  • contents: secret AND tag: confidential
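As an added example (not part of the Ivanti documentation or product), the following Python evaluator parses the AQS subset used in the examples above (property:value terms, quoted values, parenthesised groups, AND/OR) and applies it to constructed sample documents, which is a quick way to sanity-check a filter string before deploying it. The real matching is done by the Windows Search index, which works on indexed words rather than raw substrings; the case-insensitive substring match, the implicit AND between adjacent terms and the precedence of AND over OR are assumptions of this evaluator, not documented product behaviour.

```python
"""Offline evaluator for the AQS subset shown in the DLP filter examples.
Added example; not Ivanti code. Assumptions: AND binds tighter than OR,
adjacent terms are implicitly ANDed, matching is case-insensitive substring."""
import re

# One token per match: '(' ')', a "quoted value", a property name ending in ':',
# or a bare word. Whitespace between tokens is skipped.
_TOKEN = re.compile(r'\s*(\(|\)|"[^"]*"|[^\s():"]+:|[^\s():"]+)')


def tokenize(query: str) -> list[str]:
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = _TOKEN.match(query, pos)
        if not m:
            raise ValueError(f"unexpected character at offset {pos}: {query[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class AQSFilter:
    """Recursive descent: expr := and ('OR' and)* ; and := term ('AND'? term)* ;
    term := '(' expr ')' | property ':' term | value."""

    def __init__(self, query: str):
        self.tokens = tokenize(query)
        self.i = 0

    def matches(self, doc: dict[str, str]) -> bool:
        """doc maps AQS property names (e.g. 'contents', 'tag') to their text."""
        self.i = 0
        result = self._or(doc, None)
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return result

    def _peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def _next(self) -> str:
        if self.i >= len(self.tokens):
            raise ValueError("unexpected end of query")
        tok = self.tokens[self.i]
        self.i += 1
        return tok

    def _or(self, doc, prop):
        value = self._and(doc, prop)
        while self._peek() is not None and self._peek().upper() == "OR":
            self._next()
            rhs = self._and(doc, prop)   # always evaluated so the tokens are consumed
            value = value or rhs
        return value

    def _and(self, doc, prop):
        value = self._term(doc, prop)
        while self._peek() is not None and self._peek().upper() not in ("OR", ")"):
            if self._peek().upper() == "AND":
                self._next()             # explicit AND; otherwise implicit
            rhs = self._term(doc, prop)
            value = value and rhs
        return value

    def _term(self, doc, prop):
        tok = self._next()
        if tok == "(":
            value = self._or(doc, prop)  # group inherits the current property
            if self._next() != ")":
                raise ValueError("missing ')'")
            return value
        if tok.endswith(":"):            # property prefix such as contents:
            return self._term(doc, tok[:-1].lower())
        if prop is None:
            raise ValueError(f"value {tok!r} has no property (e.g. contents:)")
        word = tok[1:-1] if tok.startswith('"') else tok
        return word.lower() in doc.get(prop, "").lower()


def filter_matches(query: str, doc: dict[str, str]) -> bool:
    return AQSFilter(query).matches(doc)


# Constructed sample documents (not real data) to exercise the filter strings.
SAMPLE_DOCS = {
    "memo.docx":   {"contents": "Project Falcon budget. SECRET - do not forward.", "tag": "confidential"},
    "notes.pdf":   {"contents": "Private notes, nothing secret here.", "tag": "public"},
    "agenda.docx": {"contents": "Team agenda for Monday.", "tag": ""},
}


def matching_files(query: str, docs=SAMPLE_DOCS) -> list[str]:
    """Names of the sample documents a filter string would flag."""
    return sorted(name for name, doc in docs.items() if filter_matches(query, doc))
```

Running the four documented filter strings over the sample shows the difference between them: contents:"secret" flags both memo.docx and notes.pdf, contents:(secret AND private) flags only notes.pdf, and contents: secret AND tag: confidential flags only memo.docx. An unbalanced query such as contents:(secret is rejected rather than silently matching nothing.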

eDirectory translation

Disabled

eDirectory user account information is not shown with the Windows account information. This is the default value.

Enabled

eDirectory user account information is shown with the Windows account information.

Encryption grace period

0 (Default)

Time, in hours, of the grace period for removable storage media encrypted without Easy Exchange. After such media is attached and removed, it remains accessible for this period, provided that the client has not yet logged an event.

Encryption notification

No Notification (Default)

The user does not receive a custom encryption request notification when attaching an unencrypted removable storage device to a computer running the client.

This option applies only to a custom encryption notification message created by the administrator. It cannot be used to suppress the default notification.

Encryption Notification

The user receives a custom encryption request notification when attaching an unencrypted removable storage device to a computer running the client. The notification request includes a custom message regarding read/encrypt/write user privileges. The Encryption Notification field must contain a message created by the administrator, to enable the notification property.

The customizable message only applies when the user has the option to encrypt the device. When the user is required to encrypt the device the default system prompt is displayed, not the customized message.

Encryption retain data

Unselected (Default)

The check box in the Encrypt Medium dialog on the client is deselected.

Forced Unselected

The check box in the Encrypt Medium dialog on the client is deselected. This option is preset by the administrator and cannot be modified by the user.

Selected

The check box in the Encrypt Medium dialog on the client is selected.

Forced Selected

The check box in the Encrypt Medium dialog on the client is selected. This option is preset by the administrator and cannot be modified by the user.

Encryption strength

Strong (AES-128-XTS, Argon2d)

Controls the encryption strength profile. The strength comes from the algorithms bundled into the profile: each one pairs the cipher used for the media data with the function that derives the key from the user's password. Argon2d (memory-hard) and PBKDF2 (iterated) both slow down offline password guessing against a lost device; the Legacy profile lists plain SHA-256 in that position, which is not a password-stretching function, so keep Legacy only for compatibility with media encrypted by older clients and use the Restriction for weaker encryption setting below to migrate that media.

Compliant (AES-256-CBC, PBKDF2)

Legacy (AES-256-CTR, SHA-256)

Endpoint status

Do not Show

Does not show the client in the Windows system tray and suppresses all event notifications except local authorization (Application Control).

Show All

Shows the client in the Windows system tray. Users can view all client status information. This is the default value.

Show All without Shadow

Shows the client in the Windows system tray. Users can view all client status information, excluding shadow file policies.

Show Allowed

Shows the client in the Windows system tray. Users can only view device status information for devices allowed for the client.

Show Allowed without Shadow

Shows the client in the Windows system tray. Users can only view device status information for devices allowed for the client, excluding shadow file policies.

Show Configured

Shows the client in the Windows system tray. Users can only view device status information for devices configured for the client.

Show Configured without Shadow

Shows the client in the Windows system tray. Users can only view device status information for devices configured for the client, excluding shadow file policies.

Execution blocking

Non-blocking mode

The client driver will not block the execution of an unauthorized executable.

Blocking mode

The client driver will block the execution of an unauthorized executable.

Execution eventlog

No events logged

The client driver will send no log events to the Windows Event Log when a file is executed.

Access-denied logged

The client driver will send Access Denied events to the Windows Event Log when a file is executed.

Denied and non-blocked access

The client driver will send Access Denied as well as non-Blocking events to the Windows Event Log.

Execution log

Log everything

All execution events are reported in the Ivanti Device & Application Control Application Server logs.

Log access denied

Access Denied execution events are reported in the Ivanti Device & Application Control Application Server logs.

Logging disabled

No execution events are reported in the Ivanti Device & Application Control Application Server logs.

Log denied and unmanaged Execution

Denied and unmanaged execution events are reported in the Ivanti Device & Application Control Application Server logs.

Execution notification

No notifications

The user receives no notifications of the actions of the client driver.

Access denied

The client driver notifies the user of Access Denied events by means of a message box when they execute a file.

Denied and non-blocked access

The client driver notifies the user of Denied and non-blocked events by means of a message box when they execute a file.

Notification Text

Enables you to specify the message that is displayed to the user.

Hard drive detection method

Legacy

Relies on Windows OS recognition for "Removable Storage Device".

Enhanced

Relies on Windows OS recognition as "Removable Storage Device" and on the external bus the device is attached through (USB, FireWire, Bluetooth, or IrDA), which also catches external hard drives that Windows reports as fixed disks.

Local authorization

Enabled

The Ask User values of the Execution blocking user options are honored: the user is prompted and can locally authorize an executable.

Disabled

The Ask User values of the Execution blocking user options are ignored; the user is not prompted to authorize executables locally.

Log upload delay

3600 (Default)

Random delay, in seconds, that the client waits after the Log upload time before uploading its log to the Application Server, so that clients sharing the same upload time do not all upload at once.

Log upload interval

180 (Default)

Interval, in seconds, at which the client uploads its log to the Application Server.

Caution: Event logs do not upload from the client while the server or database is unavailable. The client uploads them when it next connects to the server and/or database; until then, events that occurred on the endpoint are not visible on the Application Server.

Log upload threshold

10000 (Default)

Defines the number of lines written to the log before the client uploads the log to the Application Server log.

Log upload time

05:00 (Default)

Time of day that the client uploads the log to the Application Server log.

Maximum shadow file size

When set to a value other than 0, this setting applies a maximum size (in MB) to shadowed files. If a file to be shadowed is larger than this size, only its file name is shadowed, not its contents.

A value of 0 disables this limit. The setting does not apply to shadowed Prints.

Microsoft CA key provider

Disabled (Default)

Microsoft CA keys cannot be used for encryption.

Enabled (Decentralized)

Microsoft CA keys can be used only for decentralized encryption.

Enabled

Microsoft CA keys can be used for centralized and decentralized encryption.

Online state definition

Server connectivity

The client is considered online when it can reach an Application Server and offline when it cannot; the online and offline permission rules for device use are applied accordingly. This is the default value.

Wired connectivity

The client is considered online whenever it has an active wired network interface connection, whether or not an Application Server is reachable, and offline otherwise.

Organizational Unit Grouping

Disabled

Disables organizational unit grouping.

Enabled

During an Active Directory synchronization, non-empty Organizational Units are mapped to Workstation Groups and populated with Workstations (unless they were manually assigned to another group).

Password complexity

Enforced (Default)

Defines enforcement of password complexity. Enforcing complexity requires passwords to be at least 6 characters in length and contain at least 3 of the following:

  • uppercase letters (A-Z);
  • lowercase letters (a-z);
  • base 10 digits (0-9);
  • non-alphanumeric characters (e.g., !, $, #, %);
  • any other Unicode characters.

Not enforced

Defines that passwords are not required to meet complexity requirements.

Password minimum length

6 (default)

Defines the minimum number of characters in a password. When Password complexity is Enforced, this value is applied together with the complexity rules (which themselves require at least 6 characters); when complexity is Not enforced, the minimum length can be set as low as 1.
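As an added example (not Ivanti code), the following Python check applies the Password complexity and Password minimum length settings above to a candidate password, so an administrator can see what a given combination will accept. It assumes that when complexity is enforced the effective minimum length is the larger of 6 and the Password minimum length value, and that any character outside the four ASCII classes counts as the "other Unicode characters" class.

```python
"""Check a password against the Password complexity / Password minimum length
rules. Added example, not Ivanti code. Assumption: with complexity enforced the
effective minimum length is max(6, Password minimum length)."""
import string

ASCII_CLASSES = {
    "uppercase letters": set(string.ascii_uppercase),
    "lowercase letters": set(string.ascii_lowercase),
    "base 10 digits": set(string.digits),
    "non-alphanumeric characters": set(string.punctuation),
}
COMPLEXITY_MIN_LENGTH = 6      # documented floor when complexity is enforced
COMPLEXITY_MIN_CLASSES = 3     # at least 3 of the 5 documented classes


def character_classes(password: str) -> set[str]:
    """Return the documented character classes present in the password."""
    present = set()
    for ch in password:
        for name, members in ASCII_CLASSES.items():
            if ch in members:
                present.add(name)
                break
        else:
            if not ch.isascii():
                present.add("other Unicode characters")
            # ASCII whitespace and control characters fall into no class
    return present


def check_password(password: str, complexity_enforced: bool = True,
                   minimum_length: int = 6) -> tuple[bool, list[str]]:
    """Return (accepted, reasons). Empty reasons means the password is accepted."""
    reasons = []
    required = max(minimum_length, COMPLEXITY_MIN_LENGTH) if complexity_enforced else minimum_length
    if len(password) < required:
        reasons.append(f"shorter than {required} characters")
    if complexity_enforced:
        classes = character_classes(password)
        if len(classes) < COMPLEXITY_MIN_CLASSES:
            reasons.append(f"only {len(classes)} of {COMPLEXITY_MIN_CLASSES} required character classes "
                           f"({', '.join(sorted(classes)) or 'none'})")
    return (not reasons, reasons)
```

Note that the documented rule counts classes, not entropy: a seven-character password such as abcdEF9 passes with complexity enforced, so raise Password minimum length rather than relying on the class rule alone if media may leave the building.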

Portable encryption capacity

128 GB

The maximum capacity of devices which may be encrypted using the Portable Encryption method. This value may be any number between 32 GB and 2000 GB (2 TB).

Powershell Protection

Disabled

Disables PowerShell protection.

Enabled

Applies the Macro and Script protection settings (within User/Group Default settings) to PowerShell scripts as well. Because powershell.exe is itself a Microsoft-signed executable, authorizing the interpreter alone does not control which scripts it runs; this option brings the scripts themselves under control.

Restriction for weaker encryption

No restrictions

No restriction is applied to media found with a weaker encryption profile than the one configured.

Force Upgrade

Media found with a weaker encryption profile than the one configured are forced to upgrade to the configured profile.

Disable

Media found with a weaker encryption profile than the one configured are disabled.

Server address

Not configured (Default)

Defines the IP address or fully qualified DNS name for the Application Server that the client connects to.

Shadow directory

Not configured (Default)

Defines the local temporary directory where shadow and log files are stored before they are uploaded to the Application Server. The default directory is %SystemRoot%\sxdata\shadow\. A remote (network) directory cannot be used.

The specified shadow folder path must already exist.

SysLog server address

Not configured (Default)

Specifies the SysLog server address and the optional port to use.

System Trust AC

Disabled

Feature is inactive.

Basic

Applications and libraries owned by the TrustedInstaller service account or digitally signed by Microsoft are authorized to execute.

The Windows Code Integrity library (ci.dll) contains hardcoded certificate identifiers that Microsoft uses at installation and during Windows updates.

Extended

In addition to the behavior from the Basic mode, applications and libraries digitally signed by a third party certificate that is valid from the operating system point of view are authorized to execute.

You can view these certificates with the Certificates snap-in in mmc.exe; their content is stored under these registry keys:

  • Trusted Root Certification Authorities
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
  • Intermediate Certification Authorities
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
  • Third-Party Root Certification Authorities
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates

An administrator can modify these registry entries. Because Extended mode authorizes any binary whose signature chains to a root in these stores, the stores are part of the trust boundary: a root added by an administrator (or by malware running with administrator rights) extends what is allowed to execute, so monitor changes to these keys and use System Trust Subjects to narrow the accepted signers. See this knowledge base article for more information.

System Trust Subjects

Not configured

Feature is inactive.

System Trust Subjects

Restricts the System Trust AC functionality based on the digital certificate subject name. You can use wildcards and separate several entries using semicolons.

Example: Company1*;!Company2*;Company3
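As an added example (not Ivanti code), the following Python model evaluates a System Trust Subjects string such as the one above against certificate subject names, so the effect of a filter can be reviewed before it is deployed. The page only says that wildcards are supported, entries are separated by semicolons and the example uses a leading "!"; the assumptions made here are that "!" excludes, that an exclusion wins over any inclusion, that "*" matches any run of characters (fnmatch semantics), and that matching ignores case.

```python
"""Evaluate a System Trust Subjects filter against certificate subject names.
Added example, not Ivanti code. Assumptions: entries are split on ';', '*'
(and the other fnmatch wildcards) match any run of characters, a leading '!'
excludes, an exclusion wins over any inclusion, and matching ignores case."""
import fnmatch


def parse_subject_filter(spec: str) -> tuple[list[str], list[str]]:
    """Split 'Company1*;!Company2*;Company3' into (include, exclude) pattern lists."""
    include, exclude = [], []
    for raw in spec.split(";"):
        entry = raw.strip()
        if not entry:
            continue
        if entry.startswith("!"):
            exclude.append(entry[1:].strip())
        else:
            include.append(entry)
    return include, exclude


def _matches_any(subject: str, patterns) -> bool:
    s = subject.casefold()
    return any(fnmatch.fnmatchcase(s, p.casefold()) for p in patterns)


def subject_trusted(subject: str, spec: str) -> bool:
    """True if a signer with this subject name would pass the System Trust Subjects filter."""
    include, exclude = parse_subject_filter(spec)
    if _matches_any(subject, exclude):
        return False
    return _matches_any(subject, include)


def explain(spec: str, subjects) -> dict[str, bool]:
    """Map each subject to its decision, for reviewing a filter before deployment."""
    return {s: subject_trusted(s, spec) for s in subjects}


# Constructed subject names (not real certificates) chosen to show the edge cases.
SAMPLE_SUBJECTS = [
    "Company1 Software Inc.",   # matches Company1*
    "company1 software inc.",   # same, different case
    "Company12 Tooling Ltd",    # also matches Company1*: prefix wildcards over-match
    "Company2 Drivers GmbH",    # excluded by !Company2*
    "Company3",                 # exact entry, no wildcard
    "Company3 Ltd",             # not matched: an exact entry does not match a longer name
    "Other Vendor",             # matches nothing
]
```

The sample shows the two mistakes worth checking for in a real filter: a prefix wildcard like Company1* also admits any unrelated signer whose subject happens to start with those characters (Company12 Tooling Ltd), while an entry without a wildcard only matches the subject exactly, so Company3 Ltd is rejected. Prefer complete subject strings over prefixes, and keep exclusions for signers you have seen and want to block.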

Telemetry

Minimum

Sends a minimal set of anonymized telemetry data to Ivanti on a weekly basis.

Full

Sends a fuller set of anonymized telemetry data to Ivanti on a weekly basis.

This data will be used to help us target common functionality areas to address in future releases as well as enabling us to gain better insight to help troubleshoot issues. We believe that capturing anonymized data will help us to give you the greatest return of value going forward with IDAC, helping us to focus in the right areas of the product that matter the most to you. For further information, please see the following KB article.

Update Notification

No messages

No permissions change condition messages are displayed to the user.

Temporary device permission changes

Displays a message when temporary permissions are changed, before the temporary permissions are to expire, and when temporary permissions are invalid.

All device permission changes

Displays a message when any changes are made to permissions (permanent, scheduled, offline, online, and temporary) that affect the user. This is the default value.

USB key logger

Disabled

Does not detect keylogging activity.

Exclusive mode (Lock/block, notify and log event)

Locks the endpoint and logs an event when an additional USB keyboard is detected, including keyboard-emulation devices such as a Rubber Ducky.

The user is notified of the connection change through a message box upon re-login. Locate and remove the detected device immediately; if it is a legitimate second keyboard, the warning can be ignored.