Lenovo ThinkCentre M58 Deployment Manual

(English) Hardware Password Manager Deployment Guide

Hardware Password Manager

Deployment Guide
Updated: July, 2010

Summary of Contents for Lenovo ThinkCentre M58

  • Page 1: Hardware Password Manager

    Hardware Password Manager Deployment Guide Updated: July, 2010...
  • Page 3 Hardware Password Manager Deployment Guide Updated: July, 2010...
  • Page 4 Third Edition (July 2010) © Copyright Lenovo 2010. LENOVO products, data, computer software, and services have been developed exclusively at private expense and are sold to governmental entities as commercial items as defined by 48 C.F.R. 2.101 with limited and restricted rights to use, reproduction and disclosure.
  • Page 5: Table Of Contents

    Scenario 2 - CMOS error ...; Lenovo device ...; Scenario 3 - Replace the fingerprint device ...
  • Page 6 Appendix C. Hints and tips ... 43; Trademarks ...; Appendix D. Notices ... 49; Hardware Password Manager Deployment Guide...
  • Page 7: Preface

    Preface This guide is intended for IT administrators, or those who are responsible for deploying the Lenovo® Hardware Password Manager™ program on computers in their organizations. The purpose of this guide is to provide the information required for installing Hardware Password Manager on one or many computers, provided that licenses for the software are available for each target computer.
  • Page 9: Chapter 1. Overview

    Hardware Password Manager—the HPM server checks user credentials against data on the LDAP server. On Lenovo client devices which support HPM, the administrator installs an agent that contains a Hardware Password Manager application. When the client device powers on, it communicates through UDP port 50001 with the HPM server.
  • Page 11: Chapter 2. Installing Hardware Password Manager On Thinkmanagement Console

    Next, you install the HPM client software on individual Lenovo devices that support HPM. A BIOS setting is used to enable or disable HPM support on these devices. This setting must be set to Enabled for the device to work with HPM.
  • Page 12: Preparing The Core Server

    Preparing the core server The HPM core server will use the ThinkManagement Console 9.0 that is based on LANDesk Management Suite 9.0. For more information about LANDesk Management Suite system requirements, go to the following Web site: http://community.landesk.com/support/docs/DOC-7478 For details on prerequisites for installing ThinkManagement Console 9.0, go to the following Web site: http://community.landesk.com/support/docs/DOC-6767 The preferred platform for ThinkManagement Console 9.0 is the Windows Server 2008 R2 (64-bit) operating system.
  • Page 13: Thinkmanagement Console With Hpm Server Setup

    To obtain the installation package for ThinkManagement Console with HPM, register to download from the Web site at http://www.landesk.com/lenovo. After completing the registration, you will receive an email with a link to download the installation package as well as LANDesk credentials for activating the core server after installation.
  • Page 14: Migrating To A New Ldap Server

    Installing Hardware Password Manager on a Lenovo device To add Hardware Password Manager features to a Lenovo device, you must deploy an HPM agent to the device. You can do this by using either a push or a pull method.
  • Page 15 2. Click Set as default. A green check mark will appear over the icon for this configuration. You can now use the push method to deploy the agent to your Lenovo devices. Refer to the Getting Started and Discovering and Installing Agents help wizards under the Help menu in the console for more information.
  • Page 16 The name of the executable file will be based on the name of the agent configuration. The process will run in the background for about a minute. Two executable files and two log files will be created. One executable, designated by “_with_status”, will provide an installer that displays installation status to the user.
  • Page 17: Chapter 3. Managing Hardware Password Manager Devices With Thinkmanagement Console

    “Changing server policy settings” on page 17 Viewing Hardware Password Manager devices and their properties In the Network View, a separate folder under the Devices folder is added for Lenovo Hardware Password Manager devices that have been discovered and managed. Open this Hardware Password Managed devices folder to view a list of Computers and Hard disks.
  • Page 18: Managing Enrolled Users On Hardware Password Manager Devices

    Managing enrolled users on Hardware Password Manager devices When a Lenovo Hardware Password Manager device is registered with the Hardware Password Manager server, the main user of that device is enrolled as an authorized user of that Hardware Password Manager device.
  • Page 19: Viewing Hardware Password Manager Users And Their Properties

    Viewing Hardware Password Manager users and their properties The HPM Enrolled Users tool enables you to view all users that are enrolled to access Lenovo Hardware Password Manager devices. You can view a list of all users, or you can select groups in the LDAP directory tree to view subsets of the list.
  • Page 20: Removing A User's Access To A Hardware Password Manager Device

    This tab lists any Remove User actions that have been performed on the user, including the name of the device from which the user was removed and the date and time of the last status change. Removing a user’s access to a Hardware Password Manager device After a user has been enrolled on a Hardware Password Manager device, you can remove that enrollment if the user should no longer have access to the device.
  • Page 21: Managing Remote Actions And Policy Settings For Hardware Password Manager Devices

    5. If you selected With expiration, select Duration, and then select the beginning and end time for the access to Hardware Password Manager devices; or select Login count remaining, and then select the number of logins; or select Number of days allowed per machine, and then specify the number of days. 6.
  • Page 22: Updating Client Policies Globally

    Updating client policies globally You can determine which client policies are applied to all managed Lenovo Hardware Password Manager devices by selecting policies in the Update Client Policy dialog box. The policies you can select include the following OS-level items: •...
  • Page 23: Updating Hardware Passwords Globally

    Password Manager devices. Updating hardware passwords globally Lenovo Hardware Password Manager provides global management of different hardware passwords for Hardware Password Manager devices. You can specify the same password to be used by all Hardware Password Manager devices, or you can auto-generate a different password for each device. This feature manages the following kinds of passwords: •...
  • Page 24: Updating The Emergency Account

    Updating the emergency account Each Lenovo Hardware Password Manager device has an emergency access account that can be used to log in to the device if the user is unable to log in. You can change the credentials for this account and apply the change to all Hardware Password Manager devices with the Update Emergency Account remote action.
  • Page 25: Changing Server Policy Settings

    Server policy settings include various ways to manage user enrollment, credentials, and client portal and BIOS settings for the Lenovo Hardware Password Manager devices you manage. The settings are changed from the ThinkManagement console; items that affect individual devices are then held in a pending queue until the next time each device is booted and requests an updated policy.
  • Page 26: Defining Scopes And Roles For Console Users

    Hardware Password Manager groups” on page 12 for a description of roles.) So, for example, a user might see all options on the Hardware Password Manager BIOS menu but a Service Technician might have a limited set of options available. Note: When the client policy is set to Hardware Account equals Windows credentials, the Change Hardware Account password option will not be displayed whether or not it is selected for the role.
  • Page 27 5. Click OK. To assign permissions to a group that can be authenticated through the new authentication, do the following: 1. In the User's tool, click + on the toolbar or right-click Group Permissions, and then click New group permission. 2.
  • Page 29: Chapter 4. Hardware Password Manager Client

    Chapter 4. Hardware Password Manager Client Lenovo devices that support Hardware Password Manager need to be registered with a management server (referred to as the Hardware Password Manager server). The process of registering a device begins with the installation of an agent on the device. After the user completes the initial registration process through the Hardware Password Manager Client Portal the device is registered;...
  • Page 30: Enrolling Additional Users On A Hardware Password Manager Device

    When the client is installed, it communicates with the Hardware Password Manager server to authenticate the device. The client can then request Hardware Password Manager policy settings from the Hardware Password Manager server. The registration process is then completed when the user enters credentials for logging on to the device.
  • Page 31: Removing A User From A Hardware Password Manager Device

    • You should drag the devices under Hardware Password Manager Devices to the Active Directory or eDirectory group listed in the HPM Groups tool. If your administrator has enabled multiple users on a device, complete the following steps to enroll more than one user.
  • Page 32: Updating Credentials On A Hardware Password Manager Device

    Updating credentials on a Hardware Password Manager device After Hardware Password Management is enabled on a device, you can access the Hardware Password Manager Login Menu to make changes to password management. You can also access the Client Portal to perform enrollment and registration tasks.
  • Page 33: Copyright Lenovo

    “Safe Guard Easy/Safe Guard Enterprise compatibility” on page 26 • “One-touch registration” on page 26 Fingerprint integration Hardware Password Manager is fully compatible with the Lenovo preferred fingerprint software (Authentec® and UPEK). For Windows XP clients, it is recommended that the Hardware Password Manager client is installed without the Hardware Password Manager GINA.
  • Page 34: Safe Guard Easy/Safe Guard Enterprise Compatibility

    – enrolled - returns whether the current Windows system user is enrolled in the utility – enabled - returns whether the utility is enabled in the BIOS program – show - displays results to the console for all of the above commands •...
  • Page 35: Pre-Registration

    This process is initiated automatically on the client system based on policy, and administrator corporate credentials are obtained from the Hardware Password Manager server to allow the registration to proceed unattended. Note: One-touch refers to the one manual step required by the administrator to register the system in Hardware Password Manager.
  • Page 37: Chapter 6. Scenarios

    1. If the PAP is not known on a desktop system, you can remove the CMOS battery to clear both the POP and PAP. 2. Hardware changes on Lenovo ThinkPads do not generate BIOS errors to allow for hot or warm-swapping, so the PAP/SVP is not required.
  • Page 38: Scenario 3 - Replace The Fingerprint Device

    • Enter the hardware account credentials with Hardware Password Manager Administrator privileges to release the SVP/PAP, such as the Emergency Admin account. If hardware account credentials with Hardware Password Manager User privileges are entered, the BIOS will prompt for the PAP/SVP. •...
  • Page 39: Scenario 6 - Replace The System Board

    In order to clear the HDP, you must have the HDD ID and the system ID in order to obtain the correct HDP and SVP. The HDD ID and machine ID can be retrieved using a Lenovo supplied Hardware Password Manager DOS utility.
  • Page 40: Scenario 9 - Change The Hard Disk Location Within A System

    HDD ID and the system ID in order to obtain the correct HDP and SVP from the console. The HDD ID and machine ID can be retrieved using a Lenovo supplied Hardware Password Manager DOS utility. After you obtain the HDD ID and machine ID, you can obtain the HDP and SVP using the ThinkManagement Console.
  • Page 41: Scenario 12 - Registered System Can No Longer Access The Hardware Password Manager Server

    structures are stored in flash, the flash utilities have been updated to not overwrite Hardware Password Manager related structures. • Forward Flashing - When flashing to a newer version of BIOS on a Hardware Password Manager registered system, the hardware account should not be disrupted (for example, the user’s Hardware Password Manager registration status and hardware account credentials should not change).
  • Page 42: User Scenarios

    Note: The hard drive should not be connected when the system is registered in Hardware Password Manager or else the hard disk will be assigned an HDP. User Scenarios This section describes scenarios that may be encountered by the user: Scenario 1 - Forgot Hardware Account credentials, network connected This scenario occurs when a user forgets their hardware account credentials but has network connectivity to the Hardware Password Manager server.
  • Page 43: Scenario 5 - Handling Enrollment From Multiple Boot Partitions

    a completely different set of scan codes on another keyboard type. For example, consider the password azw. On an English keyboard, the scan code representation is 0x1E, 0x2C, 0x11. However, on a German keyboard, the scan code representation is 0x1E, 0x15, 0x11. There are 3 keyboard types used to support different languages: •...
  • Page 45: Appendix A. Security And Convenience

    MHDP). Set Common UHDP: Determines whether to set the User Hard Drive Password (UHDP) to a common hard-coded value or to generate the UHDP automatically. Most secure: Not Selected (auto-generated password). Most convenient: Selected (hard-code password). Client - Emergency Account...
  • Page 46 Table 1. Hardware Password Manager policy settings (continued). Columns: Policy setting, Description, Most secure, Most convenient. Common Emergency User Name and Password: Defines the emergency account user name and password for all systems. Although the user name will always be common, the password can be common or unique for each... Most secure: Emergency Account set (auto-generated... Most convenient: Emergency Account set (hard-code...
  • Page 47: Appendix B. Disaster Recovery

    C:\Program Files\LANDesk\ManagementSuite\ folder directory. It is recommended that the critical files be backed up to a secure share on a separate server. The following steps explain how to use CoreDataMigration.exe...
  • Page 48 1. Create a folder called LANDeskBackup on a share on a separate server that is not the core server. 2. Open a command prompt on the core server by clicking Start ➙ Run, and launching CMD.EXE. 3. In the command prompt, change to the ManagementSuite directory. By default the ManagementSuite directory is located at %ProgramFiles%\LANDesk\ManagementSuite, but it might have been installed in a different location: cd %ProgramFiles%\LANDesk\ManagementSuite 4.
  • Page 49 If migrating to a new database, many items cannot be exported. Take screen shots of such configurations so that they can be applied to the new core server. Examples of these include, but are not limited to: RBA configuration for the LANDesk users and for the Template user; Preferred Server settings; Unmanaged Device Discovery configurations; Preferred Server settings...
  • Page 51 Solution: As documented in the LANDesk Installation guide, disable the antivirus and firewall protection during client agent installation. • Symptom: When the Do not require Ctrl+Alt+Del Windows policy is disabled, Hardware Password Manager single sign-on to Windows will not occur; the user is required to enter their Windows credentials...
  • Page 52 Problem description: Single sign-on to Windows will not work if the Windows policy setting is enabled that requires the user to Press Ctrl+Alt+Del to login. This security setting determines whether pressing Ctrl+Alt+Del is required before a user can log in. When this policy is enabled on a computer, a user is not required to press Ctrl+Alt+Del to log in.
  • Page 53 Problem description: If installing SGN or SGE on Windows XP when the Hardware Password Manager client is installed, an error is displayed indicating the Lenovo GINA is active and the installation fails. Solution: Uninstall the Hardware Password Manager client, restart the system, install SGE or SGN, restart again, then reinstall the client.
  • Page 54 If you have already restored your system (for example, lost your CAPI key store), deregister and reregister in Hardware Password Manager. • Symptom: When registering in Hardware Password Manager, if network connectivity is lost during the suspend/resume operation and the user logs off before network connectivity resumes, the client application completes the registration process normally.
  • Page 55 Solution: The user must use a wired network connection when performing an intranet login from the BIOS. • Symptom: The incorrect user name or password specified message is received when the intranet user name and/or password are correct and are greater than 63 characters in length. Problem description: BIOS allows a maximum 64 byte user name and password (including null termination) to be entered when performing an intranet login (63 characters each for the user name and password, for example).
  • Page 57 Lenovo representative for information on the products and services currently available in your area. Any reference to a Lenovo product, program, or service is not intended to state or imply that only that Lenovo product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any Lenovo intellectual property right may be used instead.
  • Page 58 Trademarks The following terms are trademarks of Lenovo in the United States, other countries, or both: Access Connections Lenovo ThinkVantage ThinkPad The following terms are trademarks of International Business Machines Corporation in the United States, other countries, or both: Lotus Lotus Notes Intel is a trademark of Intel Corporation in the United States, other countries, or both.
