Temporary Offline Policies
Ivanti Device Control allows disconnected clients to obtain special temporary permissions while offline.
Temporary offline policies are a mechanism that a user can use when they are disconnected from their corporate network and cannot receive policy updates from the server.
The feature works by having the endpoint user contact a server administrator with a set of required permissions (for example, read/write access to all USB removable devices) and a time limit (for example, one hour). This information is combined with other data unique to the endpoint user to generate a request key. The user communicates this key to the administrator, who enters it and can confirm the settings that the client requested.
If the administrator approves the request, they issue an answer that contains an unlocking code. The endpoint user then enters this code to unlock the device with the requested additional permissions.
As the description shows, this mechanism requires a server-side component that generates the correct answer for a given request key. At present the integrator must use a recognized Ivanti Device Control server application (SXS, or Ivanti Endpoint Server - Device Control) to process the request and supply the answer.
The high-level procedure is as follows:
- Set Machine Option 91 (oiSignKey): The server generates an ECDSA-256 public/private key pair. The public half is delivered to the client via a policy that sets machine option 91 to that key value; the private half stays on the server and is used to produce answers.
- Client generates request: Call HSDCTempOfflinePolicyRequest to generate a request key, which is provided to the server.
- Server-side validation: Provide the request key to the server application, which validates it and produces the answer.
- Unlock client: Call HSDCTempOfflinePolicyAnswer with the answer. Once the function completes, the agent has the requested permissions for the specified duration.
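The following Go program is an added example, not Ivanti code and not the SDK's internals: it models the trust relationship behind the four steps above (a server-held ECDSA P-256 private key, its public half pinned on the client as machine option 91 would be, a request key that carries the settings plus a "security" tag, and an answer whose "activation" value is a signature bound to that tag, the permissions and the duration). The JSON key names other than "security" and "activation", the derivation of the tag characters from a hash, and the signed message layout are assumptions of this model; only the XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XX grouping of the tag comes from the page. ClientRequest, ServerAnswer and ClientAnswer stand in for the request function, the server application and the answer function documented below.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base32"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Request models the client's inputs. JSON keys are assumptions; the page does not show the SDK's.
type Request struct {
	Machine     string `json:"machine"`     // endpoint identity: the "data unique to the endpoint" (assumed)
	Permissions string `json:"permissions"` // e.g. "USB-removable:RW"
	Minutes     int    `json:"minutes"`     // requested duration
	Nonce       string `json:"nonce"`       // fresh per request, so an old answer cannot be replayed
}

// RequestKey is what the user reads to the administrator: the request details plus the security tag.
type RequestKey struct {
	Request
	Security string `json:"security"`
}

// Answer is what the administrator reads back to the user.
type Answer struct {
	Security   string `json:"security"`
	Activation string `json:"activation"`
}

// NewServerKey is step 1: the public half is what a policy would place in machine option 91.
func NewServerKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// tag derives the security tag; the XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XX grouping follows the page, the SHA-256 derivation is an assumption.
func tag(req Request) string {
	b, _ := json.Marshal(req)
	sum := sha256.Sum256(b)
	raw := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(sum[:])[:27]
	return strings.Join([]string{raw[0:5], raw[5:10], raw[10:15], raw[15:20], raw[20:25], raw[25:27]}, "-")
}

// message is what the server signs: tag, permissions and duration together, so one activation code cannot grant something else.
func message(security, perms string, minutes int) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d", security, perms, minutes)))
	return sum[:]
}

// ClientRequest plays the role of HSDCTempOfflinePolicyRequest; the client keeps the result as its pending request.
func ClientRequest(req Request) (RequestKey, error) {
	if req.Nonce == "" {
		return RequestKey{}, errors.New("request needs a fresh nonce")
	}
	return RequestKey{Request: req, Security: tag(req)}, nil
}

// ServerAnswer plays the role of the server application: it checks that the key matches the
// settings shown to the administrator, applies the approval decision, and signs.
func ServerAnswer(priv *ecdsa.PrivateKey, requestJSON string, approve func(Request) bool) (string, error) {
	var rk RequestKey
	if err := json.Unmarshal([]byte(requestJSON), &rk); err != nil {
		return "", err
	}
	if tag(rk.Request) != rk.Security {
		return "", errors.New("security tag does not match the request settings")
	}
	if !approve(rk.Request) {
		return "", errors.New("request rejected by administrator")
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, message(rk.Security, rk.Permissions, rk.Minutes))
	if err != nil {
		return "", err
	}
	out, err := json.Marshal(Answer{Security: rk.Security, Activation: base64.StdEncoding.EncodeToString(sig)})
	return string(out), err
}

// ClientAnswer plays the role of HSDCTempOfflinePolicyAnswer: it unlocks only if the answer names
// the pending request and verifies under the pinned public key, and returns when the grant lapses.
func ClientAnswer(pub *ecdsa.PublicKey, pending RequestKey, answerJSON string, now time.Time) (time.Time, error) {
	var ans Answer
	if err := json.Unmarshal([]byte(answerJSON), &ans); err != nil {
		return time.Time{}, err
	}
	if ans.Security != pending.Security {
		return time.Time{}, errors.New("answer is for a different request")
	}
	sig, err := base64.StdEncoding.DecodeString(ans.Activation)
	if err != nil {
		return time.Time{}, err
	}
	if !ecdsa.VerifyASN1(pub, message(pending.Security, pending.Permissions, pending.Minutes), sig) {
		return time.Time{}, errors.New("activation code was not signed by the server key")
	}
	return now.Add(time.Duration(pending.Minutes) * time.Minute), nil
}
```

The checks worth carrying over to any integration are the ones the model makes explicit: the client accepts an answer only for its own outstanding request (the "security" tag must match), only under the key it was given through policy, and only for the permissions and duration it actually asked for, so an answer replayed from an earlier request, an answer altered to extend the duration, or an answer produced by a key other than the server's all fail to unlock.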
Functions
HSDCError HSDCAPI HSDCTempOfflinePolicyRequest (const char *jstr, char **pJstr)
Given a set of requested permissions and the duration of the policy to be applied, creates a request key that can be used for a temporary offline policy request.
HSDCError HSDCAPI HSDCTempOfflinePolicyAnswer (const char *jstr)
Applies a temporary offline policy with the given passphrase answer.
Function Documentation
HSDCTempOfflinePolicyRequest()
HSDCError HSDCAPI HSDCTempOfflinePolicyRequest ( const char * jstr, char ** pJstr )
Given a set of requested permissions and the duration of the policy to be applied, creates a request key that can be used for a temporary offline policy request.
Parameters
jstr: JSON string with the input parameters (the requested permissions and the duration of the policy), formatted as below:

pJstr: [out] Returns a JSON string with the details from jstr plus the extra security tag, formatted as "security": "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XX".
HSDCTempOfflinePolicyAnswer()
HSDCError HSDCAPI HSDCTempOfflinePolicyAnswer ( const char * jstr )
Applies a temporary offline policy with the given passphrase answer.
Parameters
jstr: JSON string with the input parameters, formatted as below:

security is the value returned by the request call; activation is the answer the server returns to allow the request to proceed.