3 Replies Latest reply on Dec 8, 2010 5:53 AM by peter_eepc

    Removing Autoboot user

      We plan to roll out encryption for 100+ devices in a few weeks. Instead of giving a default password to log in the first time, we are thinking of adding an autoboot user and then removing it later once the Windows password and SSO get updated on the endpoint and on the MEE server.

       

      My question is, can we selectively disablesecurity / remove the autoboot user based on whether the user updated the Windows password? Say, for example, if there are 13 (out of 100) laptops not encrypted, or if they are encrypted but waiting for a reboot for the SSO update.

       

      How can I automatically remove the autoboot user on the other 87 machines and leave these 13 machines? Is it wise to do this via enablesecurity & disablesecurity (commands using sbadmcl), or can we do it at the MEE server (via adding & removing the autoboot user)?

       


      Please advise.

      Using MEE version 5.2.3.5

        • 1. Re: Removing Autoboot user

          You can do it manually via eem or the API (setuser/removeuser) - but how are you going to tell if some other user changed their password or not, and how will they change their password if you're using autoboot mode? SSO won't work with Autoboot - if it did then it would only be setting the details of the autoboot account itself?

           

          You'd be better off looking into AutoDomain I think - it was designed to handle/automate all this deployment stuff.

          • 2. Re: Removing Autoboot user

            Yes, I'm indeed using the autodomain script to harvest the cached users and add them to the respective machines.

             

            So, if Laptop-1 and Laptop-2 have the autoboot user added to the policy and the autodomain script added to the installation set, can I do the following?

             

            Push the installation set with autodomain

            Agent installation completes

            Autodomain harvests user IDs (User-A & User-B) and adds them to Laptop-1

            User-A logs in to the laptop at the GINA after the encryption installation and reboot

            The policy has SSO enabled, so the Windows password is updated in the SB filesystem and also synced with the MEE server

            The subsequent machine reboots do not bring up Preboot

            One week later, we remove the Autoboot user from the machine policy

            Now when User-A reboots he logs in with the Windows credentials which he/she is familiar with.

             

            Here I only took the example of Laptop-1. Laptop-2 may be lying around not powered on. So how would I remove the autoboot user (after having the knowledge that the laptop is encrypted and SSO updated) from Laptop-1? How would I capture the fact that Laptop-1 indeed had User-A log in and update SSO credentials?

             

            That is where I'm stuck....

            • 3. Re: Removing Autoboot user

              You may find out that issues stemming from the whole SSO concept, multiple users assigned to each machine and the automatic autoboot approach are too complex to handle. Why not stick to the simple and proven approach of a single user, a default initial password and a non-SSO deployment?