Management and Security powered by Landesk

ThinkVantage Hardware Password Manager

Lenovo ThinkVantage Hardware Password Manager is a hardware password management application that is an add-on to Ivanti® Endpoint Manager powered by Landesk. It provides hardware-based password authentication for Lenovo notebooks and desktops equipped with Hardware Password Manager BIOS chips.

This chapter contains the following information:

Instructions for installation and deployment of ThinkVantage Hardware Password Manager are found in ThinkVantage Hardware Password Manager installation and deployment.

Overview of ThinkVantage Hardware Password Manager

When ThinkVantage Hardware Password Manager is installed, the Ivanti core server acts as the Hardware Password Manager server—it manages and authenticates Hardware Password Manager devices. In addition, an LDAP server functions as the authentication server for Hardware Password Manager—the Hardware Password Manager server checks user credentials against data on the LDAP server.

On client devices with Lenovo Hardware Password Manager BIOS chips, the administrator installs an Ivanti agent that contains a Hardware Password Manager driver. When the client device boots, it communicates through a UDP channel with the Hardware Password Manager server module (a Windows service) on the Ivanti core server.

After the client has booted to the operating system, it uses the Ivanti agent to communicate with a Web service on the Ivanti core server. This communication is through an HTTPS channel.

The administrator uses the Hardware Password Manager features in Endpoint Manager to manage Hardware Password Manager devices and create and deploy policies to these devices. These policies determine how Hardware Password Manager is implemented for the devices; for example, the administrator selects which user options are available on Hardware Password Manager devices as part of the policy definition.

Managing Hardware Password Manager devices with Ivanti® Endpoint Manager powered by Landesk

When the Hardware Password Manager patch is installed on an Ivanti core server, interface elements are added to the console to help you manage Hardware Password Manager devices.

In the network view, Hardware Password Manager devices that have been discovered and managed are listed in a separate Hardware Password Managed devices group. You can view these devices and their properties from the network view. Also in the network view, when a list of devices includes Hardware Password Manager devices, you can right-click on a Hardware Password Manager device to use a context menu with Hardware Password Manager features.

In the toolbox, a ThinkVantage Hardware Password Manager group is added, with three items: Enrolled users, Intranet Account Groups, and Remote actions and policy settings.

The options in the interface are described in detail in the following sections:

Viewing Hardware Password Manager devices and their properties

In the Endpoint Manager network view, a separate folder under the Devices folder is added for Lenovo Hardware Password Manager devices that have been discovered and managed. Open this Hardware Password Managed devices folder to view a list of Lenovo Hardware Password Manager devices.

To view a Hardware Password Manager device’s properties
  1. In the Endpoint Manager network view, expand the Devices folder and click the Hardware Password Managed devices folder.
  2. Right-click the name of a Hardware Password Manager device and select HPM properties.

Options in the properties dialog are summarized below. Some options are editable, but others can’t be changed from this dialog.

Summary

Passwords listed on this tab can be automatically generated or can be set for each device, depending on how the policy is defined.

  • Registration time and status: lists the date/time of registration and current status.
  • BIOS passwords: displays the passwords for each BIOS profile and the date/time the profile was last backed up. This section includes the supervisor password (SVP), which logs on to the device with administrator access, and the power-on password (POP), which logs on to the device as a user.
  • Hard disk passwords: lists passwords for accessing each hard disk on the device. This section displays the master password, the user password, and the backup password for the hard disk (click the View button to see the backup password).
  • Emergency Admin Account: lists the credentials for the administrative account that can access the Hardware Password Manager device. The emergency admin account is created on every device. This credential can be used in an emergency to access the device’s BIOS with administrator privileges.

Enrolled users

All users that are enrolled to access the Hardware Password Manager device are listed on this tab. The intranet account user name is the name used for LDAP user account login. The hardware account user name is the name used to save data to the hardware account (a secure area of non-volatile memory that can only be accessed by the computer’s BIOS). The LDAP path shows the user’s location in the LDAP server tree (for example, CN=ADMINISTRATOR,CN=USERS,DC=TESTLAB).

Member of

This tab lists the Intranet Account groups that the device is a member of. The LDAP path shows the group’s location in the LDAP server tree.

Remote Actions

The Remote actions section lists all previous remote actions that have been applied to this Hardware Password Manager device. The Revoke user remote actions section lists users that were enrolled on the device but whose access has been revoked.

Client Policy

The Windows policy list shows the status of OS-related policy settings currently applied on the device. The BIOS policy list shows the status of BIOS-related policy settings currently applied on the device. (These settings are selected in the Update Client Policy dialog; see Updating client policies globally for information on setting the policy.)

Managing enrolled users on Hardware Password Manager devices

When a Lenovo Hardware Password Manager device is registered with the Hardware Password Manager server, the main user of that device is enrolled as an authorized user of that Hardware Password Manager device. You can enroll additional users on each Hardware Password Manager device, either by using the Client Portal on the device or by including the user in a Hardware Password Manager group that has rights to that device.

To manage users for Hardware Password Manager devices, use the Enrolled users option in the Endpoint Manager toolbox (or, in the Endpoint Manager console, click Tools | ThinkVantage Hardware Password Manager | Enrolled Users).

Using the Enrolled users tool, you can

  • Configure the LDAP server connection
  • View a list of Hardware Password Manager users
  • View the properties of a Hardware Password Manager user
  • Revoke a user’s access to a Hardware Password Manager device

Configuring an LDAP server connection

In the Enrolled users and Intranet account groups views, users and groups are listed in a tree structure that displays the users and groups on the LDAP server you use for Hardware Password Manager authentication. To view that tree structure, you must first configure the LDAP server connection.

The information you enter in this dialog enables the Hardware Password Manager server to connect to the LDAP server, which can be either a Microsoft Active Directory server or a Novell eDirectory server.

You can migrate from one LDAP server to another without losing data. If you find that you need to use a different server for LDAP authentication, enter the configuration data for the new server.

To configure an LDAP server connection
  1. Click Enrolled users in the toolbox (or click Tools | ThinkVantage Hardware Password Manager | Enrolled Users).
  2. Click the LDAP server button.
  3. Enter the Hostname of the LDAP server.
  4. If you want to use a port other than the default to access the server, clear the Use default port checkbox and enter another port number.
  5. Select the Server type (MS Active Directory or Novell eDirectory).
  6. Select the Encryption type for the server.
  7. Enter the credentials used to access the LDAP server in the Authorized user and Password text boxes. The user can be in the form domain\username or can simply be the user name.

Viewing Hardware Password Manager users and their properties

The Manage enrolled users tool lets you view all users that are enrolled to access Lenovo Hardware Password Manager devices. You can view a list of all users, or you can select groups in the LDAP directory tree to view subsets of the list. You can view all properties for each enrolled Hardware Password Manager user, including the user ID, LDAP path, groups that include the user, and devices the user is enrolled on. These properties are not editable in the properties dialog.

To view enrolled Hardware Password Manager users and their properties
  1. Click Enrolled users in the toolbox (or click Tools | ThinkVantage Hardware Password Manager | Enrolled users).
  2. To view all enrolled users, click All users in the tree structure.
  3. To view a subset of users, expand any groups that are listed in the tree structure and click a group name.
  4. To view user properties, right-click a user in a user list and select Properties.

NOTE: You can also select the user and click the Properties button on the toolbar.

Options in the properties dialog are summarized below.

Summary

This tab lists the ID and common name of the user, the path in the LDAP tree that the user is found in, and the user’s current status. It also lists the date and time the user was enrolled as a Hardware Password Manager user.

Member of

Lists the Hardware Password Manager groups to which the user belongs, with the LDAP path of each group.

Enrolled devices

Lists the devices on which the user is enrolled, giving the device name and machine ID.

Remote actions

Lists any revoke user actions that have been performed on the user, including the name of the device from which the user was revoked and the date and time of the last status change.

Revoking a user’s access to a Hardware Password Manager device

After a user has been enrolled on a Hardware Password Manager device, you can revoke that enrollment if the user should no longer have access to the device. To revoke a user, you create a remote action that is applied to each device you specify. The next time the device contacts the Hardware Password Manager server to update its policy, the user is removed from the list of users for that device.

To revoke a user from a Hardware Password Manager device
  1. Click Enrolled users in the toolbox (or click Tools | ThinkVantage Hardware Password Manager | Enrolled Users).
  2. In the user list, select the user.
  3. Click the Revoke user button on the toolbar.
  4. In the Create Remote Action dialog, clear the checkbox for one or more devices from which you want to revoke the user.
  5. Click OK.

Managing Hardware Password Manager groups

Hardware Password Manager groups link user groups (as defined in the LDAP server) with Hardware Password Manager devices. Hardware Password Manager groups are useful because they allow multiple users to access one or more devices without individually enrolling each user on each device. When a device is added to a group, all members of that group have access rights to the device and can use an intranet account login to log in to the device.

When you open the Intranet Account Groups tool, groups are listed in the LDAP tree view. Each group is created on your LDAP server; you can’t create a group in Endpoint Manager. However, you can edit groups (define the group role) and drag devices into groups to associate those devices with the members of the groups.

Intranet account groups are distinguished by the role defined for the users in the group:

  • User: an end user of a Hardware Password Manager device.
  • Service Tech: an IT technician, allowed limited access to the device for servicing. Access can be limited to a time frame (duration), or the technician can be allowed a certain number of logins.
  • Administrator: an administrative user allowed to access devices.

For example, all members of a group that is defined with the Service Tech role can log on to devices in the group with the restrictions of the Service Tech role. If the role is defined so the user can only log in to the device two times, access to the device expires for the user after the second login.

To edit a Hardware Password Manager group
  1. Click Intranet account groups in the toolbox (or click Tools | ThinkVantage Hardware Password Manager | Intranet account groups).
  2. In the LDAP tree view, click a group name and click the Edit intranet account group button on the toolbar.
    Most items in the Edit intranet account group dialog are not editable. You can select the role for the group; if you select Service Tech, you can limit access to Hardware Password Managed devices.
  3. Select the HPM role from the combo box.
  4. Check the with expiration check box if you want to limit access to the device for a length of time or a specific number of logins. (This applies only to Service Tech users.)
  5. If you selected with expiration, select Duration and choose a beginning and end time for access to Hardware Password Managed devices; or select Login count remaining and choose a number of logins.
  6. Click OK.

To associate devices with a group
  1. Click Intranet account groups in the toolbox (or click Tools | ThinkVantage Hardware Password Manager | Intranet account groups).
  2. To associate a device with a group, drag the device from the network view to the group name in the LDAP tree view.
  3. To view the devices associated with a group, click the group name and click the View intranet account loggable devices button on the toolbar.

The dialog shows the LDAP distinguished name of the group and lists the devices associated with the group. Members of the group can log on to all devices listed here, unless you have defined the group as a Service Tech group with an expiration on group access and the association has expired.
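The role and expiration rules described above, modelled as an added example (not Lenovo or Ivanti code): a Service Tech group may carry either a Duration window or a Login count remaining, and only the devices dragged onto the group are loggable. The class and function names, and the sample group DNs and device names, are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional, Set, Tuple

# The three HPM roles a group can be given in the Edit intranet account group dialog
ROLES = ("User", "Service Tech", "Administrator")


@dataclass
class IntranetAccountGroup:
    ldap_dn: str                                      # group's LDAP distinguished name
    role: str                                         # one of ROLES
    devices: Set[str] = field(default_factory=set)    # devices dragged onto the group
    # "with expiration" (Service Tech only): either a Duration window or a
    # Login count remaining, never both
    duration: Optional[Tuple[datetime, datetime]] = None
    logins_remaining: Optional[int] = None

    def __post_init__(self) -> None:
        if self.role not in ROLES:
            raise ValueError(f"unknown HPM role: {self.role!r}")
        has_expiration = self.duration is not None or self.logins_remaining is not None
        if has_expiration and self.role != "Service Tech":
            raise ValueError("'with expiration' applies only to Service Tech groups")
        if self.duration is not None and self.logins_remaining is not None:
            raise ValueError("choose either Duration or Login count remaining, not both")


def try_logon(group: IntranetAccountGroup, device: str, now: datetime) -> bool:
    """Return True if a member of `group` may log on to `device` at time `now`.

    A logon permitted under a login-count expiration consumes one login, so
    with 'Login count remaining = 2' the third attempt is refused."""
    if device not in group.devices:
        return False                     # device was never associated with the group
    if group.role != "Service Tech":
        return True                      # User and Administrator roles never expire
    if group.duration is not None:
        start, end = group.duration
        return start <= now <= end       # Duration: access only inside the window
    if group.logins_remaining is not None:
        if group.logins_remaining <= 0:
            return False                 # association has expired
        group.logins_remaining -= 1
        return True
    return True                          # Service Tech without expiration


def demo() -> dict:
    """Constructed sample groups and devices (hypothetical, not real directory data)."""
    techs = IntranetAccountGroup("CN=TECHS,CN=USERS,DC=TESTLAB", "Service Tech",
                                 {"LAPTOP-01"}, logins_remaining=2)
    contractors = IntranetAccountGroup(
        "CN=CONTRACTORS,CN=USERS,DC=TESTLAB", "Service Tech",
        {"LAPTOP-01", "DESKTOP-07"},
        duration=(datetime(2024, 1, 8, 9, 0), datetime(2024, 1, 8, 17, 0)))
    admins = IntranetAccountGroup("CN=HPMADMINS,CN=USERS,DC=TESTLAB", "Administrator",
                                  {"LAPTOP-01"})
    during = datetime(2024, 1, 8, 10, 0)
    after = datetime(2024, 1, 8, 18, 0)
    return {
        "login_count": [try_logon(techs, "LAPTOP-01", during) for _ in range(3)],
        "in_window": try_logon(contractors, "DESKTOP-07", during),
        "after_window": try_logon(contractors, "DESKTOP-07", after),
        "admin_later": try_logon(admins, "LAPTOP-01", after),
        "not_associated": try_logon(contractors, "LAPTOP-99", during),
    }


if __name__ == "__main__":
    print(demo())
```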

Managing remote actions and policy settings for Hardware Password Manager devices

Remote actions are changes to a Hardware Password Manager device’s settings that are applied to one or more devices by the administrator. Actions include credential management, registering or deregistering devices, and enrolling or revoking users.

Remote actions are not applied immediately to Hardware Password Manager devices. After the administrator applies one or more remote actions to a device, the actions are pending until the next time the device is powered on. The device then connects to the Hardware Password Manager server and requests any pending actions. The actions are completed by the client and the new settings are in effect.

One remote action is to change policy settings on the Hardware Password Manager device. There are two types of policies: those applied at the OS level (Windows policies) and those applied at the BIOS level (BIOS policies). Policies determine how the device manages credentials, and determine whether registration and user enrollment are automatically started when the device is powered on. They also determine whether multiple users can be enrolled on a Hardware Password Manager device and how user login is handled for the BIOS menu.

As you manage remote actions, you can apply actions individually or globally. When the Remote actions and policy settings tool is open, you can drag Hardware Password Manager devices from the network view and drop them onto specific remote actions. Or you can use buttons on the toolbar to apply actions globally.

Remote actions include the following:

  • Renew hardware account: replaces the BIOS hardware passwords with a new set of credentials that are generated by the Hardware Password Manager server. The new credentials are stored in the hardware account, a secure area of non-volatile memory that can only be accessed by the computer’s BIOS.
  • Restore hardware account: restores the BIOS hardware passwords in the hardware account with the backup credentials stored in the Hardware Password Manager server. This includes system and user password backups.
  • Deregister device: removes the device from the list of registered Hardware Password Manager devices; the device will no longer communicate with the Hardware Password Manager server automatically.
  • Revoke user: removes a user from the list of users allowed to access a Hardware Password Manager device.
  • Update client policy: saves an updated policy to the Hardware Password Manager BIOS of the device, replacing the previous policy.
  • Update common hardware password: saves new common hardware passwords to the Hardware Password Manager device; common hardware passwords are valid for all Hardware Password Manager devices managed by the Hardware Password Manager server (see Updating hardware passwords globally).
  • Update emergency account: saves the emergency account credentials to the Hardware Password Manager device; the emergency username and password can be used to restore access to a device if the user is unable to log on (see Updating the emergency account).

To apply remote actions to Hardware Password Manager devices
  1. Click Remote actions and policy settings in the toolbox (or click Tools | ThinkVantage Hardware Password Manager | Remote actions and policy settings).
  2. To apply a remote action to an individual device, drag the device name from the network view to one of these actions: Renew hardware account, Restore hardware account, Deregister device, or Update client policy.
  3. To revoke a user, drag the target user onto the Revoke user action in the Remote Actions tree. (You can also revoke users in the Manage enrolled users tool.)
  4. To apply an updated client policy to all Hardware Password Manager devices, click the Update client policy globally button on the toolbar. Select the policy items you want to enable from the Windows policy and BIOS policy tabs, then click OK. (See policy descriptions under Updating client policies globally.)
  5. To apply common passwords to all Hardware Password Manager devices, click the Update common passwords button on the toolbar. Select the checkbox next to each type of password that you want to apply to all Hardware Password Manager devices. To use the same password for all devices, type the password in the text box for the password type you select. If you leave the text box blank, a unique password will be generated for each device.
  6. To change the emergency (administrative) account on all Hardware Password Manager devices, click the Update emergency account button on the toolbar. Type a new user name in the text box. To use the same password for all devices, type the password in the text box. If you leave the text box blank, a unique password will be generated for each device.

Updating client policies globally

You can determine which client policies are applied to all managed Lenovo Hardware Password Manager devices by selecting policies in the Update client policy dialog. The policies you can select include the following OS-level items:

  • Hardware account equals Windows credentials: the login credentials stored in the hardware account of the HPM BIOS are the same as the user’s Windows credentials.
  • Windows equals corporate credentials: the user’s Windows credentials are the same as the user’s credentials on the corporate network.
  • Auto-start registration at Windows login: when the user logs in to Windows the first time after the Hardware Password Manager device is managed by the Hardware Password Manager server, the Hardware Password Manager registration will open automatically.
  • Auto-start user enrollment at Windows login: when a user logs in to Windows after the Hardware Password Manager device is registered, Hardware Password Manager enrollment will open automatically.
  • Allow multiple users to enroll on a single device: more than one user can be enrolled on a device. If this checkbox is cleared, only the first user to be enrolled on a device can be an enrolled user (although administrator and service technician users can still access the device if needed).

The following BIOS-level policies can be selected:

  • Show last logon account for user login: at the BIOS user logon screen, the last user account to have logged on to the BIOS is displayed as the default.
  • Prompt for user login on warm boot: if the device is rebooted, the BIOS will require a user login to ensure that the same user is accessing the device after the reboot.

In the Update client policy dialog, a list of devices shows which devices will have the new policy applied on their next startup. The dialog has a default selection of policy settings; if you have changed the settings but want to return to the original defaults, click the Reset to default button.

Updating hardware passwords globally

Lenovo Hardware Password Manager features in Ivanti® Endpoint Manager powered by Landesk include global management of different hardware passwords for Hardware Password Manager devices. You can specify the same password to be used by all Hardware Password Manager devices, or you can auto-generate a different password for each device. This feature manages the following kinds of passwords:

  • SVP: the supervisor password gives a user full administrator access to a device, including configuration of BIOS settings. It is a superset of the power-on password.
  • POP: the power-on password lets a user power on the device and access it with normal user privileges.
  • MHDP: the master hard disk password lets the user access the hard disk and reset the user hard disk password. It is a superset of the UHDP.
  • UHDP: the user hard disk password lets a user access the hard disk.

You can select any of these four types of passwords to be applied to managed Hardware Password Manager devices. If you select a password type and want all devices to use the same password, type that password in the text box. If you want each device to have a unique password, select the checkbox for that password type but leave the text box blank.

If you have made changes and want to return to the default, click the Reset to default button. By default, all four passwords are set with a uniquely generated password for each device.

After you change these settings and click OK, a remote action task is created in the remote actions tree list (in the Update common hardware passwords folder). You can click that task to view the status of the task as it is applied to the Hardware Password Manager devices. Under that task in the tree, the devices are listed by status—Active, Pending, Failed, or Successful. You can also view the All devices folder to see all devices.

To view the current hardware passwords for a Hardware Password Manager device
  1. Click Remote actions and policy settings in the toolbox (or click Tools | ThinkVantage Hardware Password Manager | Remote actions and policy settings).
  2. In the Remote actions tree view, expand Remote actions by type.
  3. Expand Update common hardware passwords.
  4. Click either the All devices folder or one of the status folders. Double-click a device name in the list of devices.

The View hardware passwords dialog shows the current password settings for the device that were changed with the remote action task, as well as the date/time the password was changed.

Updating the emergency account

Each Lenovo Hardware Password Manager device has an emergency access account that can be used to log on to the device if the user is unable to log on. You can change the credentials for this account and apply the change to all Hardware Password Manager devices with the Update emergency account feature.

By default, the user name is "Admin" and the password is uniquely generated for each client. You can change the user name, password, or both. If you specify a user name but leave the password field blank, a unique password will be generated for each device. If you have made changes and want to return to the default, click the Reset to default button.

To view the current emergency account credentials for a Hardware Password Manager device
  1. Click Remote actions and policy settings in the toolbox (or click Tools | ThinkVantage Hardware Password Manager | Remote actions and policy settings).
  2. In the Remote actions tree view, expand Remote actions by type.
  3. Expand Update emergency account.
  4. Click either the All devices folder or one of the status folders. Double-click a device name in the list of devices.

The View emergency account dialog shows the current emergency account credentials for the device that were changed with the remote action task, as well as the date/time the credentials were changed.

Changing server policy settings

Server policy settings include various ways to manage user enrollment, credentials, and client portal and BIOS settings for the Lenovo HPM devices you manage. The settings are changed from the Endpoint Manager core server console; items that affect individual devices are then held in a pending queue until the next time each device is booted and requests an updated policy.

To change server policy settings
  1. Click Remote actions and policy settings in the toolbox (or click Tools | ThinkVantage Hardware Password Manager | Remote actions and policy settings).
  2. Click the Server policy settings button on the toolbar.
  3. Make changes on the four tabs in the dialog, then click OK when you have finished.

The tabs in the Server policy settings dialog are described below.

General

This tab lists the name, IP address, and UDP port of the LDAP server used to authenticate Hardware Password Manager users.

The Status of portal service section shows whether the portal service on the Endpoint Manager server is running. The portal service is a UDP server, one of the components on the Hardware Password Manager server. It is used for communication with the Hardware Password Manager device BIOS when the user logs on using the Intranet Account Login. You can start, stop, or restart the service as needed from this dialog.

Check Allow users to enroll on multiple devices if you want to let more than one user enroll on Hardware Password Manager devices. If this checkbox is cleared, only the first user enrolled on a device is allowed to enroll.

Check Enable one-touch registration if you want to pre-register new Hardware Password Manager devices with one-touch features from Lenovo. One-touch registration automatically registers the device and creates the emergency admin account when the user logs in to Windows.

Credentials

This tab determines the length of auto-generated passwords and the number of password backups to keep. Backups are encrypted and stored in the Endpoint Manager database.

By default, auto-generated hardware passwords, as well as emergency admin account passwords, are between 32 and 64 characters long. You can change the minimum and maximum numbers for both types of passwords. You can also specify how many backups to save for hardware passwords.
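An added example (not Lenovo or Ivanti code) tying together the global password update described under Updating hardware passwords globally and the length and backup settings on this tab: a blank text box yields a unique per-device password inside the configured length range, a typed value is shared by every device, and a fixed number of previous values is retained so a restore can roll back. The names, the backup count of 3 and the exact restore behaviour are assumptions.

```python
import secrets
import string
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional

# The four hardware password types that are managed globally
PASSWORD_TYPES = ("SVP", "POP", "MHDP", "UHDP")
ALPHABET = string.ascii_letters + string.digits


@dataclass
class CredentialPolicy:
    """Credentials tab: auto-generated passwords default to 32-64 characters;
    the number of backups to keep is also set here (3 is an assumed default)."""
    min_length: int = 32
    max_length: int = 64
    backups_to_keep: int = 3

    def generate(self) -> str:
        span = self.max_length - self.min_length + 1
        length = self.min_length + secrets.randbelow(span)
        return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class DeviceCredentials:
    name: str
    current: Dict[str, str] = field(default_factory=dict)
    # Previous values per type, newest last: what 'Restore hardware account' rolls back to
    backups: Dict[str, Deque[str]] = field(default_factory=dict)


def update_common_passwords(devices: List[DeviceCredentials],
                            request: Dict[str, Optional[str]],
                            policy: CredentialPolicy) -> None:
    """Apply an 'Update common hardware passwords' request.

    `request` holds only the password types whose checkbox was selected; the
    value is the text-box content (same password on every device) or None
    (text box left blank: a unique password is generated for each device)."""
    unknown = set(request) - set(PASSWORD_TYPES)
    if unknown:
        raise ValueError(f"unknown password type(s): {sorted(unknown)}")
    for dev in devices:
        for ptype, common in request.items():
            previous = dev.current.get(ptype)
            if previous is not None:
                queue = dev.backups.setdefault(ptype, deque(maxlen=policy.backups_to_keep))
                queue.append(previous)       # the oldest backup drops off once the limit is hit
            dev.current[ptype] = common if common is not None else policy.generate()


def restore_hardware_account(dev: DeviceCredentials, ptype: str) -> Optional[str]:
    """Roll `ptype` back to its most recent backup; None if there is nothing to restore."""
    queue = dev.backups.get(ptype)
    if not queue:
        return None
    dev.current[ptype] = queue.pop()
    return dev.current[ptype]


def demo() -> dict:
    """Constructed two-device fleet (hypothetical names, no real credentials)."""
    policy = CredentialPolicy(backups_to_keep=2)
    fleet = [DeviceCredentials("LAPTOP-01"), DeviceCredentials("LAPTOP-02")]
    # Rollout 1: unique SVP and POP per device, one typed-in UHDP shared by all devices
    update_common_passwords(fleet, {"SVP": None, "POP": None, "UHDP": "Example-Shared-UHDP"}, policy)
    first_svp = [d.current["SVP"] for d in fleet]
    # Rollouts 2 and 3 renew only the SVP, filling the 2-deep backup queue
    update_common_passwords(fleet, {"SVP": None}, policy)
    second_svp = fleet[0].current["SVP"]
    update_common_passwords(fleet, {"SVP": None}, policy)
    restored = restore_hardware_account(fleet[0], "SVP")
    return {
        "unique_per_device": first_svp[0] != first_svp[1],
        "shared_uhdp": fleet[0].current["UHDP"] == fleet[1].current["UHDP"] == "Example-Shared-UHDP",
        "within_policy": all(policy.min_length <= len(p) <= policy.max_length for p in first_svp),
        "backups_kept": len(fleet[1].backups["SVP"]),
        "restored_to_previous": restored == second_svp,
    }
```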

Client Portal

This tab specifies which menu items are enabled for display on the Client Portal menu on managed Hardware Password Manager devices. The device user accesses the portal from the Windows Start menu (Start | All Programs | ThinkVantage | ThinkVantage Hardware Password Manager).

The Client Portal menu items are selected separately for the three user roles: User, Service Tech, and Administrator. Users log on to Hardware Password Manager devices with an assigned role, which correlates to the user group that the user belongs to. (See Managing Hardware Password Manager groups for a description of roles.) So, for example, a User may see all options on the Client Portal while a Service Tech may have a limited set of options available.

BIOS

This tab specifies which menu items are enabled for display on the BIOS menu of managed Hardware Password Manager devices, and allows you to specify which BIOS versions are excluded from Hardware Password Manager device management.

BIOS menu items are selected separately for the three user roles: User, Service Tech, and Administrator. Users log on to Hardware Password Manager devices with an assigned role, which correlates to the user group that the user belongs to. (See Managing Hardware Password Manager groups for a description of roles.) So, for example, a User may see all options on the HPM BIOS menu while a Service Technician may have a limited set of options available.

The BIOS version exclude list section lets you list BIOS versions that you want to exclude from Hardware Password Manager management. If you attempt to perform any remote actions on a device with a listed BIOS, the remote action will fail. Likewise, if you attempt to register a Hardware Password Manager device that has a listed BIOS, the registration will not be performed.
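An added example (not Lenovo or Ivanti code) modelling the pending-action behaviour from Managing remote actions and policy settings together with the BIOS exclude list: actions stay Pending until the device powers on and asks for them, an excluded BIOS turns them Failed, a successful Deregister device stops the device from checking in, and registration of an excluded BIOS is refused. The class names, the `client_applies` callback and the device and BIOS values are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Set

REMOTE_ACTIONS = ("Renew hardware account", "Restore hardware account", "Deregister device",
                  "Revoke user", "Update client policy", "Update common hardware password",
                  "Update emergency account")


class Status(Enum):   # the status folders shown under a task in the Remote actions tree
    PENDING = "Pending"
    ACTIVE = "Active"
    SUCCESSFUL = "Successful"
    FAILED = "Failed"


@dataclass
class RemoteAction:
    action: str
    device: str
    status: Status = Status.PENDING


@dataclass
class HpmServer:
    bios_exclude_list: Set[str] = field(default_factory=set)
    registered: Dict[str, str] = field(default_factory=dict)    # device name -> BIOS version
    actions: List[RemoteAction] = field(default_factory=list)

    def register(self, device: str, bios_version: str) -> bool:
        """Registration is not performed for a BIOS version on the exclude list."""
        if bios_version in self.bios_exclude_list:
            return False
        self.registered[device] = bios_version
        return True

    def queue(self, action: str, device: str) -> RemoteAction:
        """Dropping a device onto an action only records it as Pending."""
        if action not in REMOTE_ACTIONS:
            raise ValueError(f"unknown remote action: {action!r}")
        if device not in self.registered:
            raise ValueError(f"{device} is not a registered HPM device")
        ra = RemoteAction(action, device)
        self.actions.append(ra)
        return ra

    def on_power_on(self, device: str,
                    client_applies: Callable[[RemoteAction], bool]) -> List[RemoteAction]:
        """The device boots and requests its pending actions; `client_applies`
        stands in for the client carrying out an action and reporting success."""
        if device not in self.registered:
            return []                         # a deregistered device no longer checks in
        handled: List[RemoteAction] = []
        for ra in self.actions:
            if ra.device != device or ra.status is not Status.PENDING:
                continue
            ra.status = Status.ACTIVE
            if self.registered[device] in self.bios_exclude_list:
                ra.status = Status.FAILED     # excluded BIOS: every remote action fails
            else:
                ra.status = Status.SUCCESSFUL if client_applies(ra) else Status.FAILED
            handled.append(ra)
        if any(ra.action == "Deregister device" and ra.status is Status.SUCCESSFUL
               for ra in handled):
            del self.registered[device]
        return handled

    def devices_by_status(self, action: str) -> Dict[str, List[str]]:
        folders: Dict[str, List[str]] = {s.value: [] for s in Status}   # tree-view folders
        for ra in self.actions:
            if ra.action == action:
                folders[ra.status.value].append(ra.device)
        return folders


def demo() -> dict:
    """Constructed fleet (hypothetical devices); one BIOS version is excluded after registration."""
    server = HpmServer()
    for name, bios in (("LAPTOP-01", "1.23"), ("LAPTOP-02", "1.31"), ("LAPTOP-03", "1.31")):
        server.register(name, bios)
        server.queue("Update client policy", name)
    server.queue("Deregister device", "LAPTOP-03")
    server.bios_exclude_list.add("1.23")
    server.on_power_on("LAPTOP-01", lambda ra: True)    # fails: its BIOS is now excluded
    server.on_power_on("LAPTOP-03", lambda ra: True)    # policy applied, then deregistered
    return {
        "policy_folders": server.devices_by_status("Update client policy"),
        "excluded_registration": server.register("LAPTOP-04", "1.23"),
        "still_registered": sorted(server.registered),
        "after_deregister": server.on_power_on("LAPTOP-03", lambda ra: True),
    }
```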

