How many different users use these loan laptops, and do they already have accounts of their own?
If so, and the number is sensible, just add them all to the device.
On average 6 different users on each laptop a month. All of these users are desktop based users and don't have an account.
If I did add them all and left them, won't their Safeboot password get out of sync after a month? As they don't have SafeBoot on their desktops?
Indeed it will. You don't have many options then. Either use a shared account, or provision the laptop for the user as/when they need it with a unique user/password.
You're going to either have to fix the user list and password for each loan, or at least the password. You can do that all via a script of course if that's easier, but some (existing) user will need to boot the machine.
Do you have a checkout/in process, or is it just ad hoc (user just picks it off the shelf)?
Do you do anything to clean the machine between loans?
I'd love to go with the shared account, but that's against our policy. I haven't had a chance to even think about making scripts yet; how will a script help in this case?
It seems like we'll have to boot up each time for the user to login and synchronize and restart just to ensure it worked.
We do have a checkout/in process, which is already long and painful as it is. Cleaning? Yea sorta, we're supposed to! :P
I'd script the user as part of the checkout process then - I guess you've automated that somewhat?
If you have a dedicated laptop check-out admin, they could have a permanent account on the laptops. The laptop admin would then add/remove and sync. Also, if a person ever logs into SafeBoot, then uses it again in 6 months, it will still remember their password from 6 months ago. Otherwise the laptop admin would need to reset the password of the user, possibly leading to issues if the laptop check-out admin is not specifically designated as a password reset authority.
One thing you could try, is to have a shared account for those laptops that is only for SafeBoot. You could have a scheduled server job that resets that password the first of every month at 1:00am and e-mails it to a list of people. If you uncheck the right machine settings (require SB login, attempt windows login, etc), this would make the password only for SafeBoot access and not linked to Windows/Domain access. Perhaps you could get your management to approve that method. If you elect to do this, I would suggest a words list for the reset script to pick from, that way users would be less likely to write it down (Horse26 vs qw$09&8syx).
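The monthly reset job described above needs a password generator that picks from a word list rather than emitting random characters. The following is an added example, not code from the thread or from McAfee; the word list is a constructed sample, and the e-mail step is left out. It uses the `secrets` module (not `random`) so the choice is cryptographically unpredictable, and it reports how many bits of entropy a given list size actually buys, since a short list makes a memorable password but a weak one.

```python
"""Word-plus-digits password generator for a scheduled reset job (added example).

Assumption: the real job would load several thousand words from a file; the
list below is a constructed sample just large enough to run.
"""
import math
import secrets

# Constructed sample list; a production job needs thousands of entries.
WORDS = ["Horse", "Maple", "River", "Candle", "Falcon", "Garden", "Harbor", "Meadow"]


def generate_password(words=WORDS, digits=2):
    """Return one word followed by `digits` random decimal digits, e.g. 'Horse26'."""
    if len(words) < 2:
        raise ValueError("word list too small to produce an unpredictable password")
    word = secrets.choice(words)                       # CSPRNG-backed choice
    number = "".join(secrets.choice("0123456789") for _ in range(digits))
    return word + number


def is_valid_format(password, words=WORDS, digits=2):
    """Check that a password has the word+digits shape the generator produces."""
    head, tail = password[:-digits], password[-digits:]
    return head in words and len(tail) == digits and tail.isdigit()


def entropy_bits(wordlist_size, digits=2):
    """Entropy of one uniformly chosen word plus `digits` uniform decimal digits."""
    return math.log2(wordlist_size) + digits * math.log2(10)


def min_list_size_for_bits(target_bits, digits=2):
    """Smallest word list that reaches `target_bits` with this password shape."""
    return math.ceil(2 ** (target_bits - digits * math.log2(10)))


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(len(WORDS)):.1f} bits with {len(WORDS)} words)")
    print("words needed for 20 bits:", min_list_size_for_bits(20))
```

With the eight-word sample the result carries under 10 bits, so the point of `min_list_size_for_bits` is to size the real list before the job goes live; the e-mail distribution the post mentions would be added around `generate_password`.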
The checkout process is all manual I'm afraid, we clean them from time to time, and rebuild when there is too much to clean.
Could we disable or auto bypass the boot protection somehow but keep encryption? Or if not, try an autoboot script so it bypasses the boot protection every time?
mrgui that's an excellent method, but someone somewhere in the line has said no generic or shared accounts are allowed. But I'll definitely suggest that in the next meeting!
Couple of thoughts...
Do your AV machines and Loaner Laptops need encryption? This is an evaluation we did before deciding who to encrypt, and AV systems were excluded since they were a) locked down (physically) and b) wiped very regularly. Loaner laptops are a different battle.
You could absolutely disable the pre-boot authentication and rely solely on Windows authentication; what you want to do is set up the AutoBoot account (see your documentation), and then I'd probably suggest creating a group for these systems and managing it at the group level. Keep in mind that you almost may as well be disabling encryption by enabling AutoBoot - you're allowing easier decryption of the device. If there could be information on the device worth protecting, definitely think this one out!
I'll assume that you have someone responsible for assigning out the laptops when users need them, correct? What about a setup like this:
1. User requests laptop.
2. IT logs into laptop (with SafeBoot enabled & no autoboot) with user present
3. IT runs provisioning script on laptop (see below)
4. IT reboots and verifies user can login to laptop through SafeBoot.
The provisioning script would be pretty simple, just:
1. Prompt for admin user name and admin SB password.
2. Prompt for the client's user name and the client's Windows password.
3. Issue a SETUSER to connect the user to the device.
4. Issue a ResetPassword that changes the user's SB password to the password obtained in step #2.
You'll of course need to be there so that the script can prompt you for your password as a SB admin with rights to do those two things, and then the user will be there to enter their current Windows password. Depending on where the script lives and how secure it is, I suppose the username/password could be embedded within it if the person loaning laptops shouldn't be resetting password on their own outside of the script, but those are security things you'll need to think about.
The end result is that the user is attached to the laptop and that their passwords are in sync with limited trouble. You may want to take the script even further to create the account if it doesn't exist, or to remove all users from the laptop that aren't using it any longer.
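The four-step provisioning script sketched above, written out as an added example that is not code from the thread or from McAfee. The path to the SafeBoot command-line admin tool, the `SETUSER` and `ResetPassword` switch spellings and the assumption that the tool accepts credentials on stdin are all placeholders to be replaced from your SafeBoot documentation; the structure is what matters: prompt without echo, validate the user names, stop if SETUSER fails so a password reset is never issued for a user who was not attached, and keep secrets out of the command line and out of any log.

```python
"""Loaner-laptop provisioning script (added example, not from the thread).

Steps, as described in the post:
  1. prompt for the SafeBoot admin user and SB password
  2. prompt for the borrower's user name and Windows password
  3. SETUSER to connect the borrower to this device
  4. ResetPassword so the borrower's SB password equals the Windows one

Assumptions (placeholders): SB_ADMIN_TOOL, the switch names and the stdin
credential protocol. Check the real syntax in the SafeBoot documentation.
"""
import getpass
import re
import socket
import subprocess
from typing import Callable, List, Sequence, Tuple

SB_ADMIN_TOOL = r"C:\Program Files\SafeBoot\SbAdmCl.exe"   # placeholder path
SETUSER_CMD = "SETUSER"                                     # placeholder switch
RESETPW_CMD = "ResetPassword"                               # placeholder switch

# Conservative user/machine name alphabet; rejects anything that could be
# misread by the tool or smuggled into a command line.
NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# A runner takes the argv list and a stdin string and returns the exit code.
Runner = Callable[[Sequence[str], str], int]


def valid_name(name: str) -> bool:
    return bool(NAME_RE.match(name))


def setuser_args(machine: str, user: str) -> List[str]:
    return [SB_ADMIN_TOOL, SETUSER_CMD, f"/machine:{machine}", f"/user:{user}"]


def resetpw_args(machine: str, user: str) -> List[str]:
    return [SB_ADMIN_TOOL, RESETPW_CMD, f"/machine:{machine}", f"/user:{user}"]


def secret_stdin(admin_user: str, admin_pw: str, new_pw: str = None) -> str:
    # Assumption: credentials go in on stdin, one per line. argv is visible to
    # every local process, so passwords are never placed there.
    lines = [admin_user, admin_pw] + ([new_pw] if new_pw is not None else [])
    return "\n".join(lines) + "\n"


def provision(machine: str, admin_user: str, admin_pw: str,
              user: str, user_pw: str, runner: Runner) -> Tuple[List[str], bool]:
    """Run steps 3 and 4. Returns (commands issued in order, overall success)."""
    for name in (machine, admin_user, user):
        if not valid_name(name):
            raise ValueError("name contains characters outside the allowed set")
    issued: List[str] = []
    rc = runner(setuser_args(machine, user), secret_stdin(admin_user, admin_pw))
    issued.append(SETUSER_CMD)
    if rc != 0:
        return issued, False          # user not attached: do not touch passwords
    rc = runner(resetpw_args(machine, user), secret_stdin(admin_user, admin_pw, user_pw))
    issued.append(RESETPW_CMD)
    return issued, rc == 0


def subprocess_runner(args: Sequence[str], stdin: str) -> int:
    """Real runner: feed credentials on stdin, never log them."""
    return subprocess.run(list(args), input=stdin, text=True).returncode


def main() -> None:
    machine = socket.gethostname()
    admin_user = input("SafeBoot admin user: ")
    admin_pw = getpass.getpass("SafeBoot admin password: ")     # no echo
    user = input("Borrower user name: ")
    user_pw = getpass.getpass("Borrower Windows password: ")    # no echo
    issued, ok = provision(machine, admin_user, admin_pw, user, user_pw, subprocess_runner)
    print("issued:", ", ".join(issued), "| result:", "OK" if ok else "FAILED")
    print("Now reboot and have the borrower log in through SafeBoot to verify.")


if __name__ == "__main__":
    main()
```

Because the SafeBoot call is injected as `runner`, the control flow can be exercised with a fake before the real tool is wired in, and the admin credentials stay with the person typing them rather than being embedded in the script, which is the safer of the two options the post weighs.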
remember if you use any kind of "autoboot" mode, regardless of product, be it Bitlocker, McAfee EEPC etc, you are storing the encryption key along with the data in an unprotected way (otherwise how would it boot on its own?).
This would probably mean you won't be compliant with many of the PII disclosure laws, so check with your legal team to make sure you are not opening your employer, or yourself, up to legal shenanigans.