Preface
This guide is intended for IT administrators, or those who are responsible for deploying the Lenovo Hardware Password Manager™ program on computers in their organizations. The purpose of this guide is to provide the information required for installing Hardware Password Manager on one or many computers, provided that licenses for the software are available for each target computer.
Hardware Password Manager—the HPM server checks user credentials against data on the LDAP server. On Lenovo client devices which support HPM, the administrator installs an agent that contains a Hardware Password Manager application. When the client device powers on, it communicates through UDP port 50001 with the HPM server.
Next, you install the HPM client software on individual Lenovo devices that support HPM. A BIOS setting is used to enable or disable HPM support on these devices. This setting must be set to Enabled for the device to work with HPM.
Preparing the core server
The HPM core server will use the ThinkManagement Console 9.0 that is based on LANDesk Management Suite 9.0. For more information about LANDesk Management Suite system requirements, go to the following Web site: http://community.landesk.com/support/docs/DOC-7478
For details on prerequisites for installing ThinkManagement Console 9.0, go to the following Web site: http://community.landesk.com/support/docs/DOC-6767
The preferred platform for ThinkManagement Console 9.0 is the Windows Server 2008 R2 (64-bit) operating system.
To obtain the installation package for ThinkManagement Console with HPM, register to download from the Web site at http://www.landesk.com/lenovo. After completing the registration, you will receive an email with a link to download the installation package as well as LANDesk credentials for activating the core server after installation.
Installing Hardware Password Manager on a Lenovo device
To add Hardware Password Manager features to a Lenovo device, you must deploy an HPM agent to the device. You can do this by using either a push or a pull method.
2. Click Set as default. A green check mark will appear over the icon for this configuration. You can now use the push method to deploy the agent to your Lenovo devices. Refer to the Getting Started and Discovering and Installing Agents help wizards under the Help menu in the console for more information.
The name of the executable file will be based on the name of the agent configuration. The process will run in the background for about a minute. Two executable files and two log files will be created. One executable, designated by “_with_status”, will provide an installer that displays installation status to the user.
“Changing server policy settings” on page 17

Viewing Hardware Password Manager devices and their properties
In the Network View, a separate folder under the Devices folder is added for Lenovo Hardware Password Manager devices that have been discovered and managed. Open this Hardware Password Managed devices folder to view a list of Computers and Hard disks.
Managing enrolled users on Hardware Password Manager devices
When a Lenovo Hardware Password Manager device is registered with the Hardware Password Manager server, the main user of that device is enrolled as an authorized user of that Hardware Password Manager device.
Viewing Hardware Password Manager users and their properties
The HPM Enrolled Users tool enables you to view all users that are enrolled to access Lenovo Hardware Password Manager devices. You can view a list of all users, or you can select groups in the LDAP directory tree to view subsets of the list.
This tab lists any Remove User actions that have been performed on the user, including the name of the device from which the user was removed and the date and time of the last status change.

Removing a user’s access to a Hardware Password Manager device
After a user has been enrolled on a Hardware Password Manager device, you can remove that enrollment if the user should no longer have access to the device.
5. If you selected With expiration, select Duration, and then select the beginning and end time for the access to Hardware Password Manager devices; or select Login count remaining, and then select the number of logins; or select Number of days allowed per machine, and then specify the number of days. 6.
Updating client policies globally
You can determine which client policies are applied to all managed Lenovo Hardware Password Manager devices by selecting policies in the Update Client Policy dialog box. The policies you can select include the following OS-level items:
•...
Password Manager devices.

Updating hardware passwords globally
Lenovo Hardware Password Manager provides global management of different hardware passwords for Hardware Password Manager devices. You can specify the same password to be used by all Hardware Password Manager devices, or you can auto-generate a different password for each device. This feature manages the following kinds of passwords:
•...
Updating the emergency account
Each Lenovo Hardware Password Manager device has an emergency access account that can be used to log in to the device if the user is unable to log in. You can change the credentials for this account and apply the change to all Hardware Password Manager devices with the Update Emergency Account remote action.
Server policy settings include various ways to manage user enrollment, credentials, and client portal and BIOS settings for the Lenovo Hardware Password Manager devices you manage. The settings are changed from the ThinkManagement console; items that affect individual devices are then held in a pending queue until the next time each device is booted and requests an updated policy.
Hardware Password Manager groups” on page 12 for a description of roles.) So, for example, a user might see all options on the Hardware Password Manager BIOS menu but a Service Technician might have a limited set of options available. Note: When the client policy is set to Hardware Account equals Windows credentials, the Change Hardware Account password option will not be displayed whether or not it is selected for the role.
5. Click OK.
To assign permissions to a group that can be authenticated through the new authentication, do the following:
1. In the User's tool, click + on the toolbar or right-click Group Permissions, and then click New group permission.
2.
Chapter 4. Hardware Password Manager Client
Lenovo devices that support Hardware Password Manager need to be registered with a management server (referred to as the Hardware Password Manager server). The process of registering a device begins with the installation of an agent on the device. After the user completes the initial registration process through the Hardware Password Manager Client Portal, the device is registered;...
When the client is installed, it communicates with the Hardware Password Manager server to authenticate the device. The client can then request Hardware Password Manager policy settings from the Hardware Password Manager server. The registration process is then completed when the user enters credentials for logging on to the device.
• You should drag the devices under Hardware Password Manager Devices to the Active Directory or eDirectory group listed in the HPM Groups tool. If your administrator has enabled multiple users on a device, complete the following steps to enroll more than one user.
Updating credentials on a Hardware Password Manager device
After Hardware Password Management is enabled on a device, you can access the Hardware Password Manager Login Menu to make changes to password management. You can also access the Client Portal to perform enrollment and registration tasks.
“Safe Guard Easy/Safe Guard Enterprise compatibility” on page 26
• “One-touch registration” on page 26

Fingerprint integration
Hardware Password Manager is fully compatible with the Lenovo preferred fingerprint software (AuthenTec® and UPEK). For Windows XP clients, it is recommended that the Hardware Password Manager client is installed without the Hardware Password Manager GINA.
– enrolled - returns whether the current Windows system user is enrolled in the utility
– enabled - returns whether the utility is enabled in the BIOS program
– show - displays results to the console for all of the above commands
•...
This process is initiated automatically on the client system based on policy, and administrator corporate credentials are obtained from the Hardware Password Manager server to allow the registration to proceed unattended. Note: One-touch refers to the one manual step required by the administrator to register the system in Hardware Password Manager.
1. If the PAP is not known on a desktop system, you can remove the CMOS battery to clear both the POP and PAP. 2. Hardware changes on Lenovo ThinkPads do not generate BIOS errors to allow for hot or warm-swapping, so the PAP/SVP is not required.
• Enter the hardware account credentials with Hardware Password Manager Administrator privileges to release the SVP/PAP, such as the Emergency Admin account. If hardware account credentials with Hardware Password Manager User privileges are entered, the BIOS will prompt for the PAP/SVP. •...
In order to clear the HDP, you must have the HDD ID and the system ID in order to obtain the correct HDP and SVP from the console. The HDD ID and machine ID can be retrieved using a Lenovo supplied Hardware Password Manager DOS utility. After you obtain the HDD ID and machine ID, you can obtain the HDP and SVP using the ThinkManagement Console.
structures are stored in flash, the flash utilities have been updated to not overwrite Hardware Password Manager related structures.
• Forward Flashing - When flashing to a newer version of BIOS on a Hardware Password Manager registered system, the hardware account should not be disrupted (for example, the user’s Hardware Password Manager registration status and hardware account credentials should not change).
Note: The hard drive should not be connected when the system is registered in Hardware Password Manager or else the hard disk will be assigned an HDP.

User Scenarios
This section describes scenarios that may be encountered by the user:

Scenario 1 - Forgot Hardware Account credentials, network connected
This scenario occurs when a user forgets their hardware account credentials but has network connectivity to the Hardware Password Manager server.
a completely different set of scan codes on another keyboard type. For example, consider the password azw. On an English keyboard, the scan code representation is 0x1E, 0x2C, 0x11. However, on a German keyboard, the scan code representation is 0x1E, 0x15, 0x11. There are 3 keyboard types used to support different languages: •...
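The layout dependence described above, modelled in Python as an added example (not code from the Lenovo guide): it maps a password to scan code set 1 codes under a US and a German layout and checks whether a password set on one layout would be accepted when typed on the other. The scan-code tables and the reduction of the German layout to its QWERTZ swap of Y and Z are assumptions of the model.

```python
"""Model of a scan-code-based BIOS password check across keyboard layouts."""

# Added example, not code from the Lenovo guide. It assumes scan code set 1
# "make" codes for the letter keys, and models the German layout only by its
# QWERTZ swap of the Y and Z key positions (the guide's own "azw" case).
# Shift and non-letter keys are outside the model; input is lower-cased.

LAYOUTS = {}

# US (QWERTY) letter rows mapped to scan code set 1 make codes.
LAYOUTS["us"] = {
    **dict(zip("qwertyuiop", range(0x10, 0x1A))),
    **dict(zip("asdfghjkl", range(0x1E, 0x27))),
    **dict(zip("zxcvbnm", range(0x2C, 0x33))),
}

# German (QWERTZ): the physical key at the US 'z' position carries 'y' and
# vice versa, so those two letters swap scan codes; the rest are unchanged.
LAYOUTS["de"] = dict(LAYOUTS["us"], y=0x2C, z=0x15)


def to_scan_codes(password: str, layout: str) -> list[int]:
    """Return the scan codes the BIOS receives when `password` is typed."""
    table = LAYOUTS[layout]
    try:
        return [table[ch] for ch in password.lower()]
    except KeyError as exc:
        raise ValueError(f"character {exc} not in this letter-only model") from None


def layout_dependent_chars(password: str, layouts=("us", "de")) -> set[str]:
    """Characters whose scan code differs between the given layouts."""
    return {
        ch for ch in password.lower()
        if len({LAYOUTS[layout][ch] for layout in layouts}) > 1
    }


def bios_accepts(password: str, set_on: str, typed_on: str) -> bool:
    """True if a password set on one layout is accepted when typed on another.

    The BIOS compares the stored scan codes with the typed ones, not the
    characters, so a layout-dependent password fails on the other keyboard.
    """
    return to_scan_codes(password, set_on) == to_scan_codes(password, typed_on)


if __name__ == "__main__":
    for pw in ("azw", "access"):
        print(pw, [hex(c) for c in to_scan_codes(pw, "us")],
              [hex(c) for c in to_scan_codes(pw, "de")],
              "accepted cross-layout:", bios_accepts(pw, "us", "de"))
```

Running `layout_dependent_chars` on a candidate hardware password before it is set tells an administrator whether it will survive a keyboard-type change.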
Table 1. Hardware Password Manager policy settings (continued)

Policy setting: Common Emergency User Name and Password
Description: Defines the emergency account user name and password for all systems. Although the user name will always be common, the password can be common or unique for each...
Most secure: Emergency Account set (auto-generated...
Most convenient: Emergency Account set (hard-code...
1. Create a folder called LANDeskBackup on a share on a separate server that is not the core server.
2. Open a command prompt on the core server by clicking Start ➙ Run, and launching CMD.EXE.
3. In the command prompt, change to the ManagementSuite directory. By default the ManagementSuite directory is located at %ProgramFiles%\LANDesk\ManagementSuite, but it might have been installed in a different location:
   cd %ProgramFiles%\LANDesk\ManagementSuite
4.
If migrating to a new database, many items cannot be exported. Take screen shots of such configurations so that they can be applied to the new core server. Examples include, but are not limited to:
RBA configuration for the LANDesk users and for the Template user
Preferred Server settings
Unmanaged Device Discovery configurations
Preferred Server settings...
Problem description: Single sign-on to Windows will not work if the Windows policy setting that requires the user to press Ctrl+Alt+Del to log in is enabled. This security setting determines whether pressing Ctrl+Alt+Del is required before a user can log in. When this policy is enabled on a computer, a user is not required to press Ctrl+Alt+Del to log in.
Problem description: If installing SGN or SGE on Windows XP when the Hardware Password Manager client is installed, an error is displayed indicating the Lenovo GINA is active and the installation fails. Solution: Uninstall the Hardware Password Manager client, restart the system, install SGE or SGN, restart again, then reinstall the client.
If you have already restored your system (for example, lost your CAPI key store), deregister and reregister in Hardware Password Manager.
• Symptom: When registering in Hardware Password Manager, if network connectivity is lost during the suspend/resume operation and the user logs off before network connectivity resumes, the client application completes the registration process normally.
Solution: The user must use a wired network connection when performing an intranet login from the BIOS.
• Symptom: The "incorrect user name or password specified" message is displayed when the intranet user name and/or password are correct but longer than 63 characters.
Problem description: BIOS allows a maximum 64 byte user name and password (including null termination) to be entered when performing an intranet login (that is, 63 characters each for the user name and the password).
Lenovo representative for information on the products and services currently available in your area. Any reference to a Lenovo product, program, or service is not intended to state or imply that only that Lenovo product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any Lenovo intellectual property right may be used instead.
Trademarks
The following terms are trademarks of Lenovo in the United States, other countries, or both:
Access Connections
Lenovo
ThinkVantage
ThinkPad
The following terms are trademarks of International Business Machines Corporation in the United States, other countries, or both:
Lotus
Lotus Notes
Intel is a trademark of Intel Corporation in the United States, other countries, or both.