Working with Ivanti Device Control Tools and Options
Ivanti Device Control tools and options include several configuration options affecting the performance and behavior of Device Control, the ability to grant temporary access permissions, and crypto password recovery.
You can perform the following tasks using Device Control tools and options:
The Ivanti Device Control (Device Control) Options page is part of the Tools module and has options related to Device Control functions.
- Select Tools > Options.
The Options page opens. You can access the Options page only if you have the appropriate permissions to do so. For more information on Options access, see Granting Access to Device Control Tools.
- Select the Device Control tab.
The Device Control page opens. For more information on Device Control options, see The Ivanti Device Control Options Page.
Configuring Ivanti Device Control allows you to optimize the performance and behavior of Device Control.
- Select Tools > Options.
The Options page opens. You can access the Options page only if you have the appropriate permissions to do so. For more information on access to the Options page, see Granting Access to Device Control Tools.
- Select the Device Control tab.
The Device Control options display.
Temporary permissions allow access to protected devices for offline users. These permissions are valid until they expire or the endpoint reconnects to the protected network.
In some cases, users need to modify their permissions while they are not connected to your network. For example, a user who has no access to the Internet may want to read a file stored on a removable storage device, or might be at an offsite meeting and needs authorization to install a customer’s software application on his laptop.
To modify permissions while in an offline state, the user must contact an Ivanti Endpoint Security administrator, explain the required permissions, and quote a key code provided by the Device Control agent. The administrator verifies the information provided by the user and generates an unlock code, which grants the required permissions.
Temporary access permissions are valid until they expire or the endpoint reconnects to the Ivanti Endpoint Security Server.
Users of encrypted devices must make a request to a Device Control administrator to receive temporary access permissions.
- Right-click the Device Control agent icon in the system tray on the endpoint.
- Select Request temporary access offline.
The Request Temporary Access Offline wizard opens.
- Click Next.
The Input dialog appears.
- The user specifies the details of the permission they are requesting:
  - Select a device class from the Device Class drop-down list.
  - Select the check boxes corresponding to the permissions being requested.
  - Select how long the permissions are valid for in the Lifetime of the permission fields.
  - Select the user to whom the permission applies in the For which user? fields.
- The user telephones you (a Device Control administrator) and explains the problem.
Granting temporary access permissions allows users increased access to their encrypted device for a specified interval.
After receiving a request for temporary access permissions, confirm the circumstances and details of the request with the requesting user before granting additional permissions.
- Select Tools > Device Control > Grant Temporary Permissions.
The Grant Temporary Permissions wizard appears in the main window. You can pull the comments stored in the audit log by running this query:
SELECT * FROM [UPCCommon].[dbo].[vAuditLog]
WHERE OriginatingComponent = 'TemporaryPermissions'
ORDER BY AuditID DESC
- Confirm the permission settings for the device with the user and specify them in the Device class and permissions fields.
The data in the Device Class and Duration fields should match that specified by the user in the Input page of the Request Temporary Access Offline wizard. The settings specified by the offline user and the administrator must be identical for the unlock key generated by the administrator to work when entered by the offline user.
- Click the Endpoint button to select the computer the permission is applicable for in the Endpoint field.
- Click the User button to select the user the permission will apply to in the User field.
If the offline user has chosen the For everyone option, then the administrator must select the Everyone user.
- The user clicks Next.
The Unlock page appears.
- The user reads out the 27-character Client key to you.
- Type the alphanumeric client key provided by the user in the Client key field in the wizard.
- [Optional] Type any comments in the Comments field.
- Click Generate.
An Unlock Code dialog appears.
- Read out the 44-character unlock code to the user.
- The user types the alphanumeric code in the Unlock code field of the Unlock page.
- The user clicks Next.
The Finish page appears and a system tray message informs the user that the permission status has been changed up to a certain time.
- Click Finish.
The Request Temporary Access Offline wizard closes.
The unlock code will only be generated if the permission settings entered by both the administrator and the offline user match.
The offline user is limited to 15 tries at entering the correct unlock code before a lockout period comes into effect. A lockout period also comes into effect if the Request Temporary Access Offline wizard is used to generate a client key 15 times without a valid unlock code being entered.
The offline user has temporary access to the selected device.
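The two properties the procedure above relies on, that the unlock code only works when the administrator's fields match the offline user's, and that the agent locks out after 15 failed tries, can be illustrated with a small challenge/response model. The following Python is an added example written for this page; it is not Ivanti's code or algorithm. It binds the unlock code to the one-time client key and the canonicalised permission fields with an HMAC. The shared secret, the code lengths, the JSON field encoding, the class and function names and the sample device class are all constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Lockout threshold taken from the documentation above; everything else in
# this file is a constructed model, not Ivanti's implementation.
MAX_ATTEMPTS = 15
# Constructed demo secret shared by the agent and the console. Real products
# use their own key material; this is only what the model needs to bind codes.
DEMO_SECRET = b"constructed-demo-secret"


@dataclass(frozen=True)
class PermissionRequest:
    """The fields both sides enter: device class, permissions, lifetime, user."""
    device_class: str
    permissions: tuple   # e.g. ("Read", "Write")
    lifetime_hours: int
    user: str            # "Everyone" models the For everyone option

    def canonical(self) -> bytes:
        # Deterministic encoding so identical settings always hash to the
        # same bytes (check-box order must not matter, hence the sort).
        fields = {
            "device_class": self.device_class,
            "permissions": sorted(self.permissions),
            "lifetime_hours": self.lifetime_hours,
            "user": self.user,
        }
        return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def derive_unlock_code(secret: bytes, client_key: str, req: PermissionRequest) -> str:
    """Bind the unlock code to the one-time client key AND the settings.

    Because the settings are part of the MAC input, a code generated for
    different settings will not verify, which is the property the text
    describes. Output is truncated to 32 hex characters in this model.
    """
    msg = client_key.encode() + b"|" + req.canonical()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


class OfflineAgent:
    """Endpoint side: shows the client key, checks the unlock code, enforces lockout."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self.pending = None
        self.client_key = None
        self.failed_attempts = 0
        self.locked_out = False
        self.granted = None

    def request_temporary_access(self, req: PermissionRequest) -> str:
        # A fresh random challenge per request, so an unlock code issued for
        # an earlier request cannot be replayed against a new one.
        self.pending = req
        self.client_key = secrets.token_hex(8)
        return self.client_key

    def enter_unlock_code(self, code: str) -> bool:
        if self.locked_out or self.pending is None:
            return False
        expected = derive_unlock_code(self._secret, self.client_key, self.pending)
        if hmac.compare_digest(expected, code):
            self.granted = self.pending
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ATTEMPTS:
            self.locked_out = True
        return False


class AdminConsole:
    """Administrator side: the Generate step of the Grant Temporary Permissions wizard."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def grant_temporary_permissions(self, client_key: str, req: PermissionRequest) -> str:
        return derive_unlock_code(self._secret, client_key, req)


def run_exchange(user_req: PermissionRequest, admin_req: PermissionRequest,
                 secret: bytes = DEMO_SECRET) -> bool:
    """Play the whole exchange: the user requests and reads out the client key,
    the administrator enters what they were told and reads back the code."""
    agent = OfflineAgent(secret)
    console = AdminConsole(secret)
    client_key = agent.request_temporary_access(user_req)
    unlock_code = console.grant_temporary_permissions(client_key, admin_req)
    return agent.enter_unlock_code(unlock_code)


if __name__ == "__main__":
    req = PermissionRequest("Removable Storage Devices", ("Read",), 4, "Everyone")
    print("matching settings :", run_exchange(req, req))
    wrong = PermissionRequest("Removable Storage Devices", ("Read",), 8, "Everyone")
    print("lifetime mismatch :", run_exchange(req, wrong))
```

The model makes the administrative check in the text concrete: confirming the device class, permissions, duration and user with the caller before clicking Generate is not just good practice, it is the only way the issued code can verify on the endpoint. A mismatch in any field, including the Everyone versus named-user choice, consumes one of the 15 attempts.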
If a user has forgotten the password associated with an encrypted device, the administrator can generate a passphrase for the user to gain access to the device using the Password Recovery tool.
Sometimes, a user forgets a password set up to access an encrypted removable storage device attached to his computer, or fails to enter this password correctly five times in a row. The user must then contact an administrator with the identity of the device and a security code. Using this information, the administrator, if the access is approved, can generate a passphrase. The device that the user needs to access is decrypted using the passphrase and re-encrypted using a new password.
Key recovery is of two types:
The procedure for recovering a password for an encrypted device for a user that has access to an endpoint with the Ivanti Device Control Agent installed on it involves a number of steps carried out by the user who wants to access the device as well as those carried out by the administrator authorizing the decryption and re-encryption.
- The user attempts to access a removable storage device that is encrypted.
The Unlock Medium dialog appears.
- The user types the password more than the allowed number of times.
An attempts exceeded message appears.
- The user initiates password recovery in one of the following ways:
- By clicking Recover Password in the Unlock Medium dialog.
Use this option if you do not want to try and guess the password.
- The user telephones you (an Ivanti Device Control administrator with Password Recovery access rights), explains the problem, and reads out the 32-character Encrypted Medium ID.
- [Optional] Check whether the person on the telephone is allowed to access the encrypted medium.
The user details are verified.
- Select Tools > Device Control > Recover Password.
The Recover Password wizard appears in the main window.
- Select the 32-character alphanumeric string provided by the user from the Encrypted Medium ID drop-down field.
Every time a removable device is encrypted in Ivanti Device Control, a new encrypted medium ID is generated and displayed in the Encrypted Medium ID drop-down field.
- Type the 44-character alphanumeric security code received from the caller in the Security Code field.
- Click Generate.
If the Encrypted Medium ID and/or the Security Code are incorrect, an error message is displayed explaining which one needs correcting.
The Password dialog opens.
- Read out the 52-character passphrase to the user.
- The user types the alphanumeric passphrase in the Enter passphrase received from administrator field of the Recover Password dialog.
- The user inputs a new password.
  - Specify the new password in the New Password field.
  - Retype the password in the Confirm Password field.
  - Click OK.
A password changed message appears.
The user successfully generates a new password for the encrypted device.
A user who is trying to access an encrypted device on a computer that does not have the Ivanti Device Control Agent installed can recover the password by using the Secure Volume Browser application on the device to initiate password recovery.
Sometimes, users who are working on computers that do not have the Ivanti Device Control Agent installed on them forget their encryption passwords for encrypted devices, or they fail to enter an encryption password correctly after a specified number of attempts.
In such a case, the user needs to use Secure Volume Browser (since they do not have the Ivanti Device Control Agent) and contact an Ivanti Device Control administrator with the identity of the device and a security code. Using this information, the administrator, if the access is approved, can generate a passphrase. The device that the user needs to access is decrypted using the passphrase and re-encrypted using a new password.
- The user clicks SVolBro.exe on the encrypted removable storage device.
The Secure Volume Browser window opens.
- The user selects the encrypted medium in the Folders column.
An encrypted medium is identified by its lock icon.
- The user types the password more than the allowed number of times.
If the user does not know the password, they can also press the ENTER key more than the allowed number of times.
An attempts exceeded message appears.
- The user clicks the Recover encrypted container (password recovery) link.
The Recover Password dialog opens.
- The user telephones you (an Ivanti Device Control administrator with Password Recovery access rights), explains the problem, and reads out the 32-character Encrypted Medium ID.
- [Optional] Verify that the person on the telephone is allowed to access the encrypted medium.
- Select Tools > Device Control > Recover Password.
The Recover Password wizard appears in the main window.
- Select the 32-character alphanumeric string provided by the user from the Encrypted Medium ID drop-down field.
Every time a removable device is encrypted in Ivanti Device Control, a new encrypted medium ID is generated and displayed in the Encrypted Medium ID drop-down field.
- Type the 44-character alphanumeric security code received from the caller in the Security Code field.
- Click Generate.
If the Encrypted Medium ID and/or the Security Code are incorrect, an error message is displayed explaining which one needs correcting.
The Password dialog opens.
- Read out the 52-character passphrase to the user.
- The user types the alphanumeric passphrase in the Enter passphrase received from administrator field of the Recover Password dialog.
- The user inputs a new password.
  - Specify the new password in the New Password field.
  - Retype the password in the Confirm Password field.
  - Click OK.
A password changed message appears.
A password prompt appears in the Secure Volume Browser window.
The user successfully generates a new password for the encrypted device.
You cannot recover a password if the Device Log option is disabled and you have not recovered the machine’s log at least once after encrypting the device.