Does "Allow Autoboot user to be managed locally" option have to be checked, along with unchecking "Disable checking for Autoboot" for the Autoboot function to work properly?
I created a machine with only having the "Disable checking for Autoboot" unchecked, and it DID NOT bypass PBA.
First I would say to read the scripting guide - your command parameters are wrong.
It should be "sbadmcl.exe -command:disablesecurity"
You realise there is minimal protection if you turn off the preboot, and you won't be able to claim protection from any data loss regulations?
You need to create and deploy a proper $autoboot$ user as well of course? The options you're toying with only give the 'capacity' to be insecure, they don't make it happen.
The "allow autoboot to be managed locally" etc option enables the disablesecurity command in the API. It's a different way of doing the same thing.
I noticed in SB 4.2, in client file groups, there is a group called Command line files. I can check this group in the machine file properties.
In EE 5.2, in client file groups, Command line files group is there, but I CAN'T check on the group in the machine file properties (it's not showing).
Is this the reason autoboot isn't working?
No. The API has nothing to do with AutoBoot, it just lets you locally manage it, and I'm doubtful that's what you really want?
Best thing would be for you to get some professional help - although technically it's simple to make all your machines boot automatically, the implications, i.e. not being secure any more, not being protected against data disclosure laws etc, are much bigger and require more thought.
I guess I'm not wording my question correctly.
The file group which contains the file SBADMCL.exe, does that need to be added to the machines files to run sbadmcl -command:disablesecurity?
If so, do the properties of that file group (with sbadmcl) need to be set to client files or administration system files?
You need sbadmcl.exe and sbadmdll.dll to be in the client directory, one way of doing that as you say is to deploy them through EEM. It needs to be client files to appear on the machine properties window.
Ok, got it.
In EEM --> System tab --> Endpoint Encryption File groups --> "Command line file group" (the group that contains sbadmcl, sbadmdll.dll and sbadmcom.dll) If I right click on "Command line file group" and select Properties --> click on the Content icon --> under Group Content Types, do I select Client Files or Administration System Files, before creating the install set?
Message was edited by: gldnju on 4/6/10 1:59:32 PM GMT-05:00
Ok, good. Now back to why I originally posted the message.
(By the way, this is an offline machine, hence the use of the SDB file.)
I have a customer that I created an install set for WITHOUT the file group which contained (Command Line file group: sbadmcl and sbadmdll.dll). The customer encrypted the machine only to find out that the autoboot function wasn't working. If the customer sends me the SBXFERDB.SDB file and I import it into the EEM database, make the change to the machine to include the Command Line file group, send it back to the customer to paste in the EE directory, the customer runs a synchronization, will the Command Line files sync to the machine to allow it to use Autoboot?