Chapter 1. Overview - Lenovo ThinkCentre M58 Deployment Manual

Chapter 1. Overview

The Lenovo Hardware Password Manager (HPM) gives an administrator the ability to manage hardware
passwords for all registered PC devices. Further, it creates the notion of a BIOS-level user ID and password
for the end user to use as a single sign-on proxy. This user ID and password can be synchronized with the
Windows ID and password for the user. The user also has the option to authenticate himself to BIOS using
his fingerprint. When the device powers on, the user is asked for these credentials. If provided, the device
will login the user to his desktop. This mechanism preserves the user's privacy and makes it possible for him
to use the device, even though he does not know what the actual hardware passwords are.
When HPM is installed, the Lenovo ThinkManagement Console core server acts as the HPM server—it
manages and authenticates HPM devices. In addition, an Active Directory or eDirectory LDAP server
functions as the authentication server for Hardware Password Manager—the HPM server checks user
credentials against data on the LDAP server.
On Lenovo client devices which support HPM, the administrator installs an agent that contains a Hardware
Password Manager application. When the client device powers on, it communicates through UDP port
50001 with the HPM server.
After the client has booted to the operating system, it uses the Hardware Password Manager client application
to communicate with a Web service on the server. This communication is through an HTTPS channel.
The administrator uses the HPM features in the ThinkManagement Console to manage HPM devices and
create and deploy policies to these devices. These policies determine how Hardware Password Manager
is implemented for the devices; for example, the administrator selects which user options are available
on HPM devices as part of the policy definition.
© Copyright Lenovo 2010 1