IronKey Enterprise Admin Guide

Admin Guide
Last Updated October 7, 2010
IronKey Enterprise
Management Service
IRONKEY ADMIN GUIDE PAGE 1
Thank you for choosing IronKey.
IronKey is committed to creating and developing
the best security technologies and making
them simple-to-use, affordable, and available
to everyone. Years of research and millions of
dollars of development have gone into bringing
this technology to you in the IronKey.
We are very open to user feedback and would
greatly appreciate hearing about your comments,
suggestions, and experiences with the IronKey.
Standard Feedback:
feedback@ironkey.com
Anonymous Feedback:
https://www.ironkey.com/feedback
User Forum:
https://forum.ironkey.com

CONTENTS
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Meet IronKey Enterprise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
IronKey Enterprise Administrative Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Setup and Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Creating Your IronKey Enterprise Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Activation and Initialization of the 1st system Admin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Adding Standard Users to the Enterprise Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Activating IronKey Enterprise for Basic Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Updating Device Software (Windows Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Deploying IronKey Enterprise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Deployment Method 1: Automated Distributed Deployment . . . . . . . . . . . . . . . . . . . . . . 15
The user is now active in the Enterprise Account. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Deployment Method 2: Distributed Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Deployment Method 3: Manual Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Best Practices for a Smooth Rollout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Deployment Checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Using IronKey Enterprise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

System Elements and Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
IronKey Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
IronKey Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
IronKey Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Admin Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Admin Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Events & System Auditability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Silver Bullet Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Password Assistance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Using the Admin Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Accessing the Admin Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
The Enterprise Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Managing Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Managing Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Using the Silver Bullet Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Using Password Assistance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Managing Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Managing Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Enterprise Support Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Using the System Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Update Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Using the Admin Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Accessing the Admin Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Using Secure Device Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Promoting a Standard User to be an Admin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Recommissioning Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Importing Authentication Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Importing RSA SecurID Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Importing a Digital Certificate into the IronKey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Administering the IronKey Anti-Malware Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Interpreting IronKey Malware Scanner Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Common Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Adding New Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Activating Devices for a User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Adding New Admins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Adding New Devices to Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Disabling Lost Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Helping a User with Password Assistance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Using Non-Administrative Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Known Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Enterprise Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Technical Support for System Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Product Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Contact Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Overview
Meet IronKey Enterprise
The IronKey Enterprise Management Service gives you control over protecting your
organization’s data, ensuring that security policies are enforced, and remotely managing IronKey
Enterprise Secure Drives, the world’s most secure USB flash drives.
IronKey Enterprise consists of three interrelated elements that provide overall USB flash drive
security and device management:
»» The IronKey Secure Flash Drive hardware

»» Applications bundled on the IronKey (based on policy configuration)
»» The IronKey’s secure online services, which provide centralized
administrative capabilities to IronKey Enterprise Admins
This guide informs you about how to get the most out of IronKey Enterprise, as well as best
practices for deploying and managing IronKey devices in your enterprise environment.

IronKey Enterprise Administrative Features
The Admin Console: Centralized Online Device Management
IronKey Enterprise includes a centralized management console for managing tens, hundreds or
thousands of devices, reducing overall deployment times and maintenance requirements.
IronKey Policies: Enforcing Corporate Security Policies

Configure policies for device password strength, self-destruction settings, and enabling specific
IronKey applications, services.
IronKey Groups: Organize Users Into Groups

Create groups to manage your users based on any criteria needed to keep you organized. Users
can be easily added and removed from Groups and administrative tasks performed by group.
Silver Bullet Service: Protecting Against Malicious Users

IronKey’s Silver Bullet Service confirms that IronKey devices are authorized before allowing
them to be unlocked. This real-time service allows Admins to completely disable and even
remotely detonate devices, extending the control needed to protect important data.
Admin Tools: Onboard each Administrator’s IronKey

Admins have additional functionality enabled in their IronKey’s Control Panel, including Secure
Device Recovery, Admin Approval, and Device Recommissioning.
Secure Device Recovery: Securely Unlocking Users’ Devices

Secure Device Recovery is IronKey’s patent-pending PKI mechanism for Admins to unlock
another user’s IronKey device, such as in the case of employee termination, regulatory
compliance, or forensic investigations. Unlike many other solutions, there is no central database
of back-door passwords.
Admin Approval: Securely Promoting Users to Become Admins

When a new Admin is created, or a user is promoted to become an Admin, a verification
procedure occurs not only on the service, but also on an existing Admin’s IronKey device. This
ensures that the new user is cryptographically approved and able to become an Admin for your
Enterprise Account.
Device Recommissioning: Securely Repurposing Users’ Devices
When employees leave the organization, their IronKey devices can be safely recommissioned
to new users. This process requires Admin authentication and authorization using IronKey
Enterprise’s secure online services.

Setup and
Deployment
Getting Started
IMPORTANT—BEFORE YOU BEGIN
IronKey Enterprise is designed to protect your organization from the risks of data loss and
data leakage by delivering world-class security. However, it is important to follow a few best
practices when setting up your Enterprise Account to ensure that the proper levels of security
and usability are met:
»» Make sure the person setting up the Enterprise Account has a thorough knowledge of your
organization’s security policies and is authorized to be the System Admin for all of your
organization’s IronKey devices. That person will define the default policy for IronKey devices.
»» Create more than one System Administrator. To ensure the highest security, even IronKey
is unable to intervene in your Enterprise Account, in the event that a lone System Admin
leaves the organization, loses his only IronKey device, or forgets that device’s password.
Have multiple System Admins at all times, each with multiple active devices.
Please review “Deploying IronKey Enterprise” on page 15 for tips to ensure a smooth
deployment.
CREATING YOUR IRONKEY ENTERPRISE ACCOUNT

Before you can begin deploying and managing IronKey Enterprise drives for end-users, you must
create your IronKey Enterprise Account. To set up the account, you need:
»» A computer running Microsoft Windows 2000 (SP4), XP (SP2),Vista, Windows 7, or Mac
10.4+.
»» A USB 2.0 port for high-speed data transfer
»» An Internet connection
»» The email you received from IronKey with your Enterprise Account Number

Step Description
Enter your Account Number at: This can also be done by clicking the link in the email
1 you received from IronKey regarding setting up your
https://my.ironkey.com/enterprise IronKey Enterprise Account.
You must confirm that you are

the appropriate authority for
setting up your organization’s
2 IronKey Enterprise Account.
Select the checkbox and click
“Continue.”
The next several steps allow you

to establish security policies for
your drives.
To start, select the number of
failed password attempts that
3
a user may enter before the
IronKey self-destructs and all the
data on the IronKey is lost.
All policy items can be changed
later.
Set the password policy options,

including minimum password
length allowed, the minimum
4
number of required characters,
and requirements for backing up
device passwords.

Step Description
Configure the set of software

applications and services that
your users will have on their
IronKey devices.
Putting the mouse over the help
5
icon for each item shows a brief
description of what that item is.
See the section on Policy Items
later in this document for more
information.
Define a “Lost and Found”

message that appears on the
IronKey Unlocker screen when
each device is plugged in.
For example, this may include
contact information in case
6 a lost device is found, or
department information for easily
distinguishing devices.
You may optionally choose to
leave this blank or to allow users
to define their own Lost and
Found message.

Step Description
Set up the 1st System Admin
Online Account
The next three steps guide
you through creating your own
my.ironkey.com account for
accessing and managing your
7 organization’s Enterprise Account.
This involves creating a username
and password, confirming your
email address, answering Secret
Questions, and choosing a Secret
Image and Phrase for anti-
phishing protection.
Invite the 2nd System Admin

Enter the username and email
address of the 2nd System Admin.
8 This is will automatically send an
email with an Activation Code to
that user.
ACTIVATION AND INITIALIZATION OF THE 1ST SYSTEM ADMIN

After confirming your information, an email is sent to you containing the Activation Code for
your first IronKey Enterprise Secure Flash Drive.
Step Description
Your IronKey must be activated on a Windows (2000,
Plug in any unactivated IronKey
1 XP, Vista, 7) or Mac computer. To use the full speed of
drive from the set you purchased.
the IronKey, plug it into a USB 2.0 port.

Step Description
The IronKey autoruns as a virtual CD-ROM.
• Windows: This screen might not appear if your
computer does not allow devices to autorun. You
can start it manually by double-clicking the IronKey
Unlocker drive in “My Computer” and double-
clicking the “IronKey.exe” file.
The “Activate Your IronKey”

2
screen appears.
• Mac: Double-click the IronKey drive on your

desktop, and double-click the “IronKey” application.
NOTE: On a Mac you can install the IronKey Auto-
Launch Assistant, which automatically opens the
IronKey Unlocker when you plug in an IronKey. See
“Preferences” in IronKey Control Panel Settings. (Mac
only)
Enter your email address, then copy and paste your
Activation Code into the fields provided on the
Retrieve the email with your IronKey window. Click “Continue” when you are ready.
3
Activation Code.
If your IronKey cannot connect to the Internet, click
“Edit Proxy Settings” to adjust its network settings.
Your password is case-sensitive and must match your
organization’s password policy.
4 Create a device password, then
If enabled, you have the option to back up your

Back up your password online password online to your my.ironkey.com account. That
5 to your my.ironkey.com account way, if you ever forget your password, you can safely
recover it by logging into:
https://my.ironkey.com

Step Description
During this process, it generates the AES encryption
keys, creates the file system for the secure volume,
copies secure applications and files to the secure
6 The IronKey initializes.
volume, and configures the device to the policy you
defined. Depending on your configuration, this might
take several minutes.
IMPORTANT: After this device has been initialized, it is very important that you activate a
second System Admin device, otherwise there is no way to manage your Enterprise account if
something happens to the 1st System Admin device.
NOTE: The process for activating the 2nd System Admin device and all addition Admin devices
is slightly different than the process used to activate the 1st System Admin device.
ADDING STANDARD USERS TO THE ENTERPRISE ACCOUNT

You can now begin adding users to your Enterprise Account.
Step Description
Click the my.ironkey.com icon in

1 the IronKey Control Panel to
access the Admin Console.
Click “Manage Users” in the

2 sidebar of the Admin Console
tab.

Click the “Add” button in the
top right and select:
3
“Add User”
OR
“Add Multiple Users”
Add a single user
Enter user’s:
• Name (optional)
• Email (highly recommended)
Select:
• Role*
• Access Level Summary**
• Policy for the user’s device
• If Activation Code should be
emailed to user
4a Click on the “Save” button. The
user will then be added to the
Enterprise Account.
* NOTE: Only System Admins

can change Role. Default is
Standard User.
** NOTE: When Role is set to

“Custom Admin”, any combination
of these privileges can be granted:
• Manage Standard Users
• Manage Policies
• User & Device Assistance

Add multiple users
Copy and paste a CSV file’s

contents into the textbox
provided and click “Continue”.
Use this format:
Name,Email,Group,Role,Policy
Role can be one of the following:
• System Admin
• Admin
• Help Desk
4b • Auditor Watch the online demonstration for more information.
• Standard User An example of a row might be:
Up to 250 users can be added in John Doe,John_Doe@organization.com,IT Group,
a single import. Auditor,IT Policy
NOTE: All fields are optional

and default to an anonymous The resulting user would be:
Standard User with the Default User Name: John Doe”
Policy in the current selected Email Address: “John_Doe@organization.com”
group if not specified. Unless you Role: “Auditor”
are a System Admin, you can only Device Policy: “IT Policy”.
add Standard Users
.
ACTIVATING IRONKEY ENTERPRISE FOR BASIC USERS

To remotely manage users with IronKey Basic devices, you can ask them to activate IronKey
Enterprise on their devices:
1a. Admin: If the User doesn’t have an Enterprise account, add them in the Admin Console and
email them an Activation Code
1b. Admin: If the user has an Enterprise account, add a device to the user and email them an
Activation Code
2. User: Insert and unlock the Basic device
3. User: In the IronKey Control Panel, go to “Settings: IronKey Enterprise
4. User: Click the “Start Activation” button
5. User: Enter the Activation code, click “Continue”
6. User:Verifies the organization and system administrator information, then clicks “Continue”
7. User: Enters their password to complete Enterprise Activation.

UPDATING DEVICE SOFTWARE (WINDOWS ONLY)
You can update your IronKey through the IronKey Control Panel on Windows.
Step Description
In the IronKey Control Panel,

click “Settings” and then click
1
the “Check for Updates”
button. The IronKey can securely update its software and firmware
through signed updates that are verified in hardware. This
allows users to keep their devices up-to-date and protect
themselves from future malware and online threats.
• Windows: If an update is available, you can download and
Click the “Download Update” install it by clicking the “Download Update” button
button to download the
2
updates and install them on the • Mac: You can check for and download policy updates.
device. However, you must download software updates on a
Windows computer.
After the installation is

completed, you can check that
the device is updated to the
latest version:
8. Lock and unplug the device,
You can view details about your device, including model
3 and then reinsert it. number, serial number, software and firmware version,
secure files drive, and OS. You can also click the copy
9. In the IronKey Control button (CTRL+C) to copy device details to the clipboard
Panel, click “Settings”
for your forum posting or support request; visit the
and then click “About
IronKey” to view version
website (CTRL+W); or view legal notices (CTRL+N) and
information. certifications (CTRL+?).

Deploying IronKey Enterprise
You are now ready to distribute IronKey Secure Drives to your users. Inside the packaging is an
IronKey device and a Quick Start Guide.
There are three basic ways of deploying IronKey devices to your organization. You can decide
which one is right for your organization based on your security, privacy, and IT considerations.
DEPLOYMENT METHOD 1: AUTOMATED DISTRIBUTED

DEPLOYMENT
The simplest and most cost-effective way to deploy IronKey devices is to add users to the
Enterprise Account and then hand them an IronKey device. IronKey Enterprise will take care of
the rest.
Step Description
Make sure to provide the user’s email address and
Add a user to the Enterprise select the checkbox that will send the user an email
Account. Review the detailed with his Activation Code.
1
instructions elsewhere in this Mass imports of up to 50 users at a time will also have
document for more information. the users Activation Codes automatically emailed to
them.
Give the user an IronKey
2 Any purchased or recommissioned device will work.
Enterprise Secure Drive.
Have the user retrieve the email Instructions for this step are provided to the user in
with his Activation Code and copy the Quick Start Guide and in the email.
3 and paste it into the IronKey.
NOTE: Requires a Windows or Mac computer.
The user is now active in the Enterprise Account.
DEPLOYMENT METHOD 2: DISTRIBUTED DEPLOYMENT

If you have a very large user base, want to customize the invitation email, or your corporate
privacy policy is such that you will not import your users’ email addresses into the Enterprise
Account, you can import your users first and then email their setup information yourself.
Step Description
Add users to the Enterprise
Make sure to clear the checkbox that would send the
Account. Review the detailed
user an email with his Activation Code.
instructions elsewhere in this
1 document for more information. IMPORTANT: Even if you are performing a mass
import and do not want the users emailed, we strongly
recommend providing their email addresses to avoid
problems during activation and online account setup.

The setup information for that
user’s device is presented on the
2 screen (or in the case of a mass
import, in a downloadable CSV
file).
Email each user his IronKey setup
3 This can be done manually for small numbers of users.
information.
Give the user an IronKey
4 Any purchased or recommissioned device will work.
Enterprise Secure Drive.
Have the user retrieve the email
Instructions for this step are provided to the user in
5 with his Activation Code and copy
the Quick Start Guide and in the email.
and paste it into the IronKey.
DEPLOYMENT METHOD 3: MANUAL DEPLOYMENT

If you do not want your users to be involved in the activation process, you can manually set
up each IronKey and then hand it to the user. This method is simpler for the end-users, though
requires a little more effort from those deploying the devices.
Step Description
Make sure to clear the checkbox that would send the
user an email with his Activation Code.
Add a user to the Enterprise
Account. Review the detailed IMPORTANT: Even if you do not want the user
1 emailed, we strongly recommend providing their email
instruction earlier in this
document for more information. address to avoid problems during activation and online
account setup.
The setup information for that

user’s device is presented on the
2
screen (or if for a mass import, in
a downloadable CSV file).
Any purchased or recommissioned device will do.
Enter your email address and the Activation Code.
Activate an IronKey Enterprise NOTE: Your email address will not be associated with
3 Secure Drive, but stop before the device after Activation.
creating the device password.
When you get to the next screen, where you can
create the device password, exit the setup process and
unplug the device.
Give the device to the Make sure not to mix up your users’ devices. Use the
4
appropriate user. serial number on the back of the device as a reference.

Best Practices for a Smooth Rollout
Update Password Polices Only When Needed
When you update the password policy items in a policy, devices with that policy will update to
the latest version. However, since the password policy has changed, users will be required to
change their password so it conforms to the new password policy. Change the password policy
items only when needed so users do not have to excessively change their device passwords.
Create Separate Policy for Linux Users

If you plan to leverage IronKey’s Silver Bullet Service, create a separate policy for Linux users
that does not include Silver Bullet or that includes a large number of Silver Bullet attempts. The
Silver Bullet Service is not available for Linux systems and will result in disabling usage on Linux.
Encourage Users to Backup Passwords for Password Assistance

You can mandate through policy that each user back up his device password online. This will
allow Admins to use Password Assistance to email users a temporary link that reminds them
of their password in case they ever forget it. If your policy is to not have users back up their
device password, you can still use Secure Device Recovery to change their password for them.
Back Up Onboard Data Regularly

Encourage users to use the onboard Secure Backup software for backing up their onboard data.
In the case that an IronKey is lost or stolen, that data can later be recovered to a new IronKey.
Keep Admin and User Devices Up-To-Date

Ensure that Admin devices have the latest IronKey software. You can do this by clicking the
“Check for Updates” button in the IronKey Control Panel (under “Settings”). To ensure that
Windows XP users can update their devices, install the IronKey Assistant (see the IronKey
Assistant Deployment Guide for details).
Use Silver Bullet Wisely

It is recommended not to set the Silver Bullet policy too strictly (e.g. deny if not online or from
a specific IP address) for remote or travelling employees; otherwise, sometimes they might not
be able to use their IronKey devices.

Deployment Checklist
IronKey Enterprise Account activation email received by the 1st System Admin user
IronKey Enterprise Account successfully created and Default Policy defined
First IronKey device activated—confirmed access to Admin Console
Second System Admin added—confirmed access to Admin Console
Users added/imported into Enterprise Account
Deployment Methods 1 and 2
Emails with Activation Code sent
IronKey devices distributed to users
Deployment Method 3
IronKey devices manually activated
IronKey devices distributed to users

Using IronKey
Enterprise
System Elements and Terminology
IRONKEY USERS
Each member of your IronKey Enterprise Account is called a “User”.
User Roles
There are six user roles, differentiated by the user’s privileges:
»» System Admin: Can manage all users and system settings, including adding
Admins, approving Admins, changing user roles, and deleting users.
Only System Admins »» Custom Admin: Has a assignable privileges, such as User or Policy management
can add Admin users,
»» Admin: Can manage Standard Users
delete users and
change user roles. »» Help Desk Admin: Can assist existing users with devices.
»» Auditor: Can view the Admin Console with read-only access
»» Standard User: A normal end user without administrative capabilities.
All Admins and Auditors will have online IronKey accounts, as this is needed to access
the web-based Admin Console.

User Privileges by Role in Admin Console
Privilege System Custom Admin Help Auditor
Admin Admin Desk
Admin
Manage System Console
Device Update Management X
Manage Standard Users
(Includes Groups, & Devices)
Users: Add Single, Add Multiple, Rename,
X * X
Edit, Enable, Disable
Users: Delete X
Groups: Add, Rename, Move, Delete, X * X
Devices: Add, Rename, Enable, Disable,
X * X
Change Policy, Cancel Device Activation
Devices: Silver Bullet, Detonate Device X
Manage Admin Users
All actions possible on Standard Users &
X
Devices
Set Role X
Set Custom Admin Privileges X
Manage Policies
Add New, Edit &Save Version X *
Delete X
User & Device Assistance
Email Device Password to User X * X X
Resend Activation Code to User X * X X
Regenerate Expired Activation Code X * X X
View Admin Console “Tab” X X X X
View Groups, User Profiles, Devices,
X X X X X
Policies, History/Logs, Dashboards
* These privileges can be enabled for each Custom Admin user
User Privileges by Role in IronKey Control Panel Admin Tools

Privilege System Custom Admin Help Auditor
Admin Admin Desk
Admin
Device Recovery: Unlock Devices &
X X X X
Change Device Password
Recommission: Recommission Device X * X X
Recommission: Delete User Account
X *
from Server during Device Recommission
Admin Approval X

User Status
The current status of a user signifies what state their account is in. There are several
user statuses, including:
»» Pending: System is waiting for user to activate their 1st IronKey device
»» Active: User has activated at least one IronKey and has set up his online IronKey
account
»» Active (without online account): User has activated at least one IronKey but does not
have an online IronKey account
»» Locked: User’s online account has been locked after three incorrect answers to
challenge questions
»» Disabled: User’s account has been temporarily disabled by an Admin
»» Disabled (without online account): A user who does not have an online IronKey
account has been temporarily disabled by an Admin
»» Deleted: User’s name has been deleted by a System Admin, but can be re-used
NOTE: A user’s online account username cannot be used twice even if the user is deleted.
Other User Properties

For purposes of organization and smooth deployment, you can set a name and email
address for each user. These fields are optional, and if left blank users will be displayed
User1, User2, User3, in the Admin Console.
GROUPS
By default, all users are created as members of a single group. Admins can manage users more
effectively by organizing users into different groups. Every user, including administrators, can be a
member of only one group.
Groups are created using a tree-based structure, where every group has a parent / higher
level group, and every group may have children / lower level groups. Every child group can have
its own children. This enables delegated administration by creating sets of users that can be
managed by specific admins.
Admins can manage Standard Users in their group and in any child Groups . Admins can also
manage any child Groups.
System Admins can manage any Standard User or Admin User regardless of which Group
System Admin belongs.

IRONKEY DEVICES
Every IronKey Enterprise Secure Drive in your Enterprise Account is associated with a user.
Users can have one or more IronKey devices.
Device Properties
IronKey devices include the following properties that are visible in Admin Console:
»» Device Name, useful for inventorying the Case ID
»» Device Status, similar to user statuses
Users can have »» The Policy the device is using
more than one »» The hardware model number of the device
IronKey device
»» The capacity of the drive (in GB)
»» The version of software it is running
»» The serial number. For x200 devices and higher, this matches the barcode on the
outer case of the IronKey device. It also appears as the USB serial number visible to
host computer operating systems. For S100 devices, it displays the eight right most
digits of the Cryptochip inside the device.
Consistent, unique serial numbers for enhanced asset inventory management and
endpoint security control are in these locations:
»» Laser etched onto the device, including a barcode
»» Printed on the product packaging
»» On the “About IronKey” pane of the IronKey Control Panel
»» On the IronKey Admin Console, with the device’s model number
»» Integrated into the USB standard field name, so that it is available to Windows and
other operating systems for security white listing and inventory management by other
products
For large-scale deployments, you can export IronKey Admin Console information
including the serial number to a .CSV file for electronic transfer to another system.
»» Product identification numbers (PIDs) for S200 and D200 models are useful for
inventory management and security control (Basic: 0×0201; Personal: 0×0202;
Enterprise: 0×0203).
»» The policy to which this device is adhering
»» The date on which this device was activated
»» The date and user for when the device was created and last modified
Devices also include a comments section, in which you may write information as
needed. For example, you could enter information regarding your own inventory data,
the device’s case serial ID, or information regarding the use or purpose of this device.

IRONKEY POLICIES
The behavior of IronKey Enterprise devices is managed through policies defined in the Admin
Console. The following categories of items can be managed:
»» IronKey hardware device settings (examples: Password Policy or Silver Bullet)
»» IronKey software settings (examples: Unlock Screen Message or Automatic Locking)
»» Software available on the IronKey device (examples: Identity Manager, Anti-Malware, RSA
SecurID)
See “Managing Policies” on page 36 for additional information about IronKey Policies.
ADMIN CONSOLE
The Admin Console is a web-based interface for overall administration of the IronKey
Enterprise Management Service (EMS).
Access: my.ironkey.com
Features:
»» Managing users, groups, & devices
»» Managing policies
»» Managing updates
»» Monitoring events
»» Enterprise Support materials
ADMIN TOOLS
The Admin Tools enable Admin management of IronKey Enterprise devices:
Access: IronKey Control Panel: Admin

Tools
Features:
»» Admin Approval of new IronKey
Administrators
»» Secure Device Recovery
•
Unlocking users’ devices
•
Resetting users’ device passwords
»» Device Recommissioning - Wipes a
device so it can be transferred to a
new user
NOTE: Using the Admin Tools require a
network connection to my.ironkey.com

EVENTS & SYSTEM AUDITABILITY
Important security events and user activities involving the Enterprise Management Service
are logged into the system to provide a clear audit trail for compliance or investigations.
Details such as which user, which device, when the event occurred, at which IP address, and a
description of what occurred are provided for each event when applicable.
Events are shown in the Enterprise Dashboard of the Admin Console. Examples of some of the
logged events include:
»» When Secure Device Recovery is performed
»» When a device is recommissioned
»» When a policy is created or modified
»» When a user is added into the IronKey Enterprise Account
»» When a device is added to a user
»» When a user is deleted or a device is disabled
»» When a device has detonated using the Silver Bullet Service
»» When a user or device profile has been modified
»» When an Admin is approved
»» Login activities, such as when Admins log into the Admin Console

SILVER BULLET SERVICE
IronKey’s Silver Bullet Service extends the control Admins need to remotely manage IronKey
devices and protect critical data by requiring IronKey devices to check for authorization prior to
unlocking.
The Silver Bullet Service works as follows:

»» The Silver Bullet policy items are enabled via policy by an Admin User.
»» When a user enters his device password and clicks “Unlock” on a device that have Silver
Bullet enabled, the device will quickly check with IronKey’s Silver Bullet Service to ensure
that it is in good standing and coming from a Trusted Network IP address.
»» If the device is active and in good standing, it will receive an “Allow” command, the device
will unlock, and the user will continue his work.
»» If the device or user has been disabled in the Admin Console, the device will receive a
“Deny” command and will not unlock.
»» If the device has been lost or stolen and the data must be protected at all costs, the Admin
can mark the device for remote detonation. The device status will be Active (Pending
Detonation), and the next time the device is used it will receive a “Detonate” command
and immediately self-destruct. A detonated device cannot be used again.
If the user is not connected to the Internet, the device will not be able to check for
authorization. In this case, it will abide by the maximum threshold of permitted Silver Bullet
attempts. This number, pre-defined in policy, may be 0 (Deny) through 200, meaning that the
device would allow up to 200 unlock attempts before disabling itself until it can connect to the
Internet and check for authorization.

PASSWORD ASSISTANCE
A common helpdesk task is to assist users with forgotten passwords. IronKey Enterprise includes
three ways Admins can assist users with forgotten passwords:
Method Recommended Requirements
For...
PASSWORD
Allowing users to • Users must have an online account
SELF-RECOVERY
recover passwords • Device passwords must be backed up
Users log into my.ironkey. without helpdesk online
com with email and online intervention. • Admin intervention is NOT required
password
Allowing Admins • Device passwords must be backed up
PASSWORD
to assist users who online
ASSISTANCE
may be remote or • Users must have valid email addresses in
One-time URL is emailed to who would not the system
user, linking to page display- use Password Self- • Standard Users do NOT have to have an
ing forgotten password Recovery online account
SECURE DEVICE • Admin must have physical possession of
RECOVERY Ensuring the most the user’s device
secure procedures
Admin plugs in his and • Device passwords do NOT have to be
are used to recover
user’s device, uses Admin backed up online
devices and manage
Tools to unlock device or passwords. • Standard Users do NOT have to have an
change password online account

Using the Admin Console
ACCESSING THE ADMIN CONSOLE
The Admin Console is available for all approved Admins, and it can be accessed by clicking the
my.ironkey.com button in the IronKey Control Panel. This will securely log you in with mutual
authentication over a secure channel.
Step Description
Ensure that you have completed
Review the section on Getting Started for more
1 the Setup Process detailed
information.
elsewhere in this document.
Click the my.ironkey.com icon in
the IronKey Control Panel.
This will securely log you in with

mutual authentication over SSL.
2
If you are using a proxy, you may
need to update your IronKey’s
Network Settings so that it
knows how to connect to the
Internet.
After your browser opens to the

3 welcome page, click the Admin
Console tab.

THE ENTERPRISE DASHBOARD
The Enterprise Dashboard shows you the latest security events and user activities in your
Enterprise Account, statistics on how many active users and devices there currently are, as well
as important notifications, such as lists of pending users and devices awaiting detonation (if any).

DASHBOARD MAPS AND EVENTS
Details regarding the IronKey World Map and Events Table on the Enterprise Dashboard:
• Security events, such as remote detonation of devices, are marked in red
• Important events, such as Admin activities, are marked in yellow
• Common user events are marked in green
Additionally:
• You can select which events to view in the map by clicking the + menu icon
on the right
• Hovering over an event will bring up details on the event
• Clicking an item in the table will center and zoom in on the event in the map,
displaying additional data on the event
• You can zoom on the map by clicking the +/- icons on the left or dragging the
zoom sidebar
• You can move the geographic areas being viewed by dragging the map with
your mouse
• Columns can be sorted by clicking the column title
• You can change the time period for events using the “View” dropdown menu
• You can download the list of events by clicking the “Download” icon
• You can change the number of items listed per page and which page you are
viewing
• If there are pending users in your Enterprise Account, a list of their
information and Activation Codes can be downloaded from using the
“Download List” button
Dashboard Charts
Details regarding the IronKey Charts on the Enterprise Dashboard:
»» IronKey Charts use the Adobe Flash Player. If Flash Player is not installed on your
computer, you will see text-based versions of the charts.
»» You can download the data in the chart by clicking the Download icon
»» Each chart is interactive. Moving your mouse over the chart will bring up contextual
data.
»» Right-click the chart to for additional options, including viewing a Full Screen version
of the chart and printing the chart.
»» Chart data can be updated approximately every five minutes.

GENERAL STATISTICS
This chart displays a number of important
general statistics about your Enterprise Account,
including:
• Total current users by status
• Total current users by role
• Total devices by status
• Total devices by capacity
DEVICES BY VERSION
This chart displays the devices in your Enterprise
Account (vertical axis) by the software version
they are running (horizontal axis). This allows
you to determine how many devices are running
an out-of-date version of the IronKey software.
ADMIN ACTIVITIES
This chart displays a timeline of important Admin
activities, including Secure Device Recovery,
Password Assistance, and Admin Approval. The
vertical axis is the frequency of events, while the
horizontal axis is the timeline.
DEVICE ACTIVITIES
This chart displays how long it has been since:
» A device’s password was last backed up
» The last recorded device activity
The vertical axis is the number of devices, while
the horizontal axis is the number of weeks since
the specific event has occurred for each device.
NOTE: To change the default time zone from GMT, click “Account Settings” in the left sidebar.
You can also change time and date formats.

MANAGING USERS
The Managing Users screen can be viewed in two modes:
»» IronKey Users by Group
»» IronKey Users List
Toggle between Group and List view by clicking the Group or List Icons.
IronKey Users by Group

Click the Group icon to view your IronKey Users by Group.
Details about IronKey User by Group:

»» You can “Add”, “Rename”, and “Delete” groups (only empty Groups can be deleted)
»» Add users to a group by dragging and dropping them on a group’s icon
»» Organize the users into logical groups
»» Left-click on the user name to select a user
»» Right-click on the user name, to perform actions on that user:
»» Add Device (Note: Only System Admins can add devices to Admin users)
»» Rename User
»» View User Profile
»» Enable/Disable User
»» Delete User (Note: Only System Admins can delete users)
»» Left-click on the expand button to view a user’s Device(s)
»» Left-click on a device to perform actions on that device:

»» Rename Device
»» View Device Profile
»» Enable/Disable Device
»» Change Device Policy
»» Cancel Device Activation

IronKey Users List
»» Download the list of users by clicking the “Download” button

»» To add a user, click the “Add” button
»» To add a device to a user, select the checkbox in that user’s row and click the “Add Device”
button (Note: Only System Admins can add devices to Admin users)
»» To delete a user, select the checkbox in that user’s row and click the “Delete User” button
(Note: Only System Admins can delete users)
»»
Other User Management Actions
Search
»» To find a user, enter a username or email address in the search box in the upper-right of the
header, and click the search button. Suggested matches appear as you type.
»» Click the options icon in the search box to include searching within comments fields or for
deleted users.
View
»» User Management displays only “Current” users, which filters out those with an Account
Status is Disabled(Inactive) or Deleted. Filtering is not applied based on Device Status
»» To view Disabled and Deleted users, click on the User Options button and change
the “View” pulldown menu to “All Users”.

User Profile Page
Clicking a user will bring up the User Profile page.
Details regarding the User Profile Page

»» To edit a user, click the “Edit” button
»» To add a device to a user, click the “Add Device” button
»» You can download the list of that user’s services activities by clicking the “Download” button
»» To view that user’s devices in detail, click the device name in the IronKey Devices section
User Deletion
»» To Delete the user, click the “Delete User” button (available for System Admins only)
»» When a user is deleted all of their devices are disabled, however the devices can be
Recommissioned then activated by another user.
»» They system maintains all the Account & Device activity of Deleted users for audit purposes.
IMPORTANT: Deletion of a user is not reversible.

MANAGING DEVICES
Click “Manage Devices” in the left sidebar to view the IronKey Device List.
Details regarding the Manage Devices page:

»» You can change the list between “Current” and “All Devices” using the “View” dropdown
menu. “Disabled” and “Recommissioned” devices are not displayed in the “Current” list.
»» You can download the list of devices by clicking the “Download” button .csv
»» To edit multiple devices at once, select the checkbox in the appropriate devices’ rows and
click the “Edit” button. Currently, changing the devices policy is supported.
»» To disable multiple devices at once, select the checkbox in the appropriate devices’ rows and
click the “Disable Device” button
NOTE: You cannot disable the device you are currently using
NOTE: Disabled devices can only be re-enabled from the “Device Profile” page.
»» To find a device, enter a device name or serial number in the search box in the upper-right
of the header, and click the search button. Suggested matches appear as you type. You can
also click the options icon in the search box to include searching within comments fields or
for deleted devices.
NOTE:You can also manage devices from the “Groups” view.
»» Click a device to view the device’s profile page.

Details regarding the Device Profile page:
»» To disable/enable a device, click the “Disable” button
»» To add comments for a device, click the “Edit” button in the Comments section
»» You can download a list of that device’s service activities by clicking the “Download” button
»» To view that device’s user in detail, click the user’s name
USING THE SILVER BULLET SERVICE

»» To disable/re-enable a device using Silver Bullet, click the “Disable” / “Re-Enable” button.
»» To detonate and permanently destroy a device that has Silver Bullet enabled, click the
“Detonate” button.
• A confirmation will appear, after which the device will be pending detonation
• You can cancel a pending detonation by clicking the “Cancel Detonation” button
»» When the device has detonated, you can review a Silver Bullet Report on the device profile
page, including where and when the device detonated.
NOTE: Only a System Admin can Detonate a device or cancel a pending detonation.
USING PASSWORD ASSISTANCE

»» To assist a user who has forgotten his device password, click the “Send Password to User”
button. This button will only appear for users how have an email address and who have
backed up their device password online.
»» An email will automatically be sent to the user. In that email is a one-time URL that will take
the user to a page that displays his password in a CAPTCHA. The user must click the link as
soon as he gets the email, as the link expires in approximately 24 hours,

MANAGING POLICIES
Policy Numbers & Versions
IronKey policies are identified by the following elements:
»» Policy Name - A unique name you provide when you create a policy.
»» Policy Number - The number is sequentially assigned to each policy created in an Enterprise
account.
»» Policy Version - The version is updated for each time the policy is updated.
Your organization can have an unlimited number of new policies. When a new policy is created,
you must choose a unique name for that policy (e.g. Sales Policy, Classified, etc.). The system will
automatically assign the next available number to that policy (e.g. Policy 2.x, Policy 3.x, etc.)
Every time an existing policy is modified, a new version of that policy is created (e.g. Policy 2.001,
Policy 2.002, Policy 2.003).
All devices will update to the most current version of the policy assigned to that device.
Checking for policy updates and downloading the latest policy happens automatically shortly
after the device is unlocked. Policy changes are then enforced the next time the device is
unlocked. Clicking the “Check for Updates” button in the IronKey Control Panel will check for
policy updates immediately.
For example, if the password requirements for the organization change, an Admin can update
the appropriate items in an IronKey policy. The policy status for the affected devices is now
in a pending state. The next time the affected devices are unlocked, they will check to see if
they have the latest policy. In this case they do not, so they will automatically download the
latest policy. The next time the device is unlocked, the new policy will be enforced. Since the
password policy has changed, the user will be forced to change his device password before being
able to access his files.
In the example below, the Default policy is assigned version number 1.000. The next policy
created is named Sales and its version number is 2.000. The policy named Testing, has been
updated once. Notice this version number is updated to 3.001.
Manage Policies Page

Click “Manage Policies” in the left sidebar to view the IronKey Policies List.

Details regarding the Manage Policies page:
»» Add a new policy by clicking the “Add Policy” button.
»» Every time a new policy is created, it is assigned a unique policy number, the leftmost digit.
»» Clicking the Policy Name will bring up the “Edit Policy” page.
»» Every time a policy is modified, a new Policy Version is created.
»» Each Policy Version displays how many Active devices are using that Version.
»» Creating a new Policy Version changes the previous version Status to “Out-of-date”.
»» It’s possible for multiple “Out-of-date” Policy Versions to exist for the same Policy. This can
occur when a device is either not being used at all or is being unlocked from a computer
that is not connected to the internet.
»» When devices update to the latest version of a policy and there are no Active devices
using an “Out-of-date” version, its Status automatically changes to “Retired”. Retired Policy
Versions are automatically removed from the Active Policies List.
»» A Policy can be Deleted if none of the Policy Versions is being used by an Active device.
»» The displayed list of policies can be changed between “Active Policies”, “Retired & Deleted
Policies”, and “All Policies” via the “View” dropdown menu.
»» Download the list of policies by clicking the “Download” button.
Edit Policy Page
Details regarding the Edit Policy page:
»» Some items are dependent on others. Review the IronKey Policies section below in this
document for more information.
»» Clicking the “Save Version” button will save the policy as a new version, if you have made
changes to it.
»» While in edit mode, clicking the “Save As New” button will save the policy as a new policy, if
you change the policy name.
»» While in edit mode, clicking the “Cancel” button will not save any changes to the policy
»» Editing the Policy Name will require the policy to be saved as a new policy
»» It is possible to delete a policy, if it is not being used by any Active devices. Deleting a Policy
cannot be undone, and deletes all Policy Versions. Deleted policies are still visible and can be
viewed, but its not possible to create a new Policy from a deleted Policy.
NOTE: Only a System Admin can delete a Policy.

General Settings - Edit Policy name, display version & status.
Password Policy - Set the number of failed password entry attempts before the device self-
destructs. Configure password strength and syntax.
Onboard Software - Choose which software is available to users.
Silver Bullet Services - Remotely disable, enable, or destroy an IronKey. Also support
restricting unlocking to White Listed IP ranges.
Control Panel - Configure IronKey Control Panel behavior such as a custom Unlock Screen
Message and Automatic Device Locking.
Advanced - Enable online accounts for all users, configure automatic or manual device policy
updates.

Policy Item Description
GENERAL SETTINGS
• Edit Policy Name
The Policy Name can be edited. Doing so requires saving as a new policy and you will be unable
to save as a Version.
Password Policy
PASSWORD POLICY
• Set the number of failed
password entry attempts before
the device self-destructs
• Configure password syntax
options
The number of invalid password attempts before self-destruction

After too many consecutive invalid password attempts, IronKey devices initiate a self-destruct
sequence with advanced “flash-trash” technology. This hardware-level security protects against
brute-force password attacks. Configure this feature with a balance of security and end-user
convenience in mind.
»» Range is from 2 to 200 attempts
»» Default: 10 attempts
»» Recommendation: 10 attempts
The minimum password length for device passwords
Only passwords with this many or more characters will be allowed.
»» Range is from 4 to 20 characters
»» Default: 4 characters
»» Recommendation: Depends on self-destruct limit

The minimum number of uppercase letters in device passwords
Only passwords with this many or more uppercase letters will be allowed.
»» Range is from 0 to 5 letters
»» Default: 0
The minimum number of lowercase letters in device passwords
Only passwords with this many or more lowercase letters will be allowed.
»» Range is from 0 to 5 letters
»» Default: 0
The minimum number of digits in device passwords
Only passwords with this many or more digits will be allowed.
»» Range is from 0 to 5 digits
»» Default: 0
The minimum number of special characters in device passwords
Only passwords with this many or more special characters will be allowed.
»» Range is from 0 to 5 characters
»» Default: 0
Determine if whitespace is allowed in device passwords
This setting determines whether or not spaces are permitted in IronKey device passwords.
»» Default:Yes
»» Recommendation:Yes
If the user may, must, or may not back up his device password online
If enabled, users can back up their device password to their Online Security Vault. If users
have access to their online account, they can recover their device password without Admin
intervention by manually logging into Safe Mode and viewing their password in a CAPTCHA.
»» Default: May
»» Recommended: Must (to ensure availability of Password Assistance)

Onboard Software Policies
ONBOARD SOFTWARE
Choose from the available
onboard software applications.
Make Mozilla Firefox available on the device

If enabled, a Firefox web browser will be included onboard each IronKey device. This onboard browser
is portable, so cookies, history files, bookmarks, add-ons and online passwords are not stored on the
local computer.
»» Default: Enabled
If IronKey’s Secure Sessions Service is available for the device
If enabled, IronKey’s Secure Sessions Service will create an encrypted tunnel directly from the user’s
IronKey out to a secured IronKey web server, where the traffic is then decrypted and sent out to the
destination site. This security feature provides anti-phishing and anti-pharming protection (for example,
IronKey does its own DNS checking), as well as enhanced privacy protection (for example the IP
address will not be available to other websites and ISPs).
»» This feature depends on Mozilla Firefox being enabled
If the IronKey Identity Manager is available on the device
If enabled, the IronKey Identity Manager will be included on each IronKey device. It allows users to
easily log into their online accounts (using IE6, IE7, IE8 and the onboard Firefox) and most applications
that require username and password credentials, as well as generate strong passwords and manage
portable bookmarks. Not having to type out passwords provides added protection from keyloggers and
other crimeware. Additionally, websites that support VeriSign Identity Protection (VIP) can be locked
down to the IronKey for two-factor authentication.
»» IronKey devices using a version prior to 1.3.5 are using the IronKey Password Manager. This
policy is compatible with the IronKey Password Manager.
If the user may or may not back up his Identity Manager data
This setting allows users to back up their encrypted Identity Manager data to an Online Security Vault.
That way, if their device is ever lost or stolen, they can restore their passwords to a new IronKey.
»» This feature depends on the Identity Manager being enabled
»» Default:Yes (may)
»» Recommendation:Yes (may)

Make IronKey Secure Backup software available on the device
If enabled, IronKey’s Secure Backup software will be included on each IronKey device. This
software allows users to back up an encrypted copy of files from their IronKey device to their
local computer. If the IronKey device is lost or stolen, backed up data can be restored to
another IronKey.
»» Recommendation: Enabled
Make RSA SecurID is available on the device
If enabled, each IronKey will include an application for generating RSA SecurID one-time
passwords for strong authentication. Devices prior to IronKey Enterprise 2.0.6.0 require a
.stdid file will need to be imported to use this application, while device with 2.0.6.0+ can use
dynamic seed provisioning with the RSA Authentication Manager 7.1 (CT-KIP).
»» Default: Disabled
Make CRYPTOCard available on the device
If enabled, each IronKey will include an application for generating CRYPTOCard one-time
passwords for strong authentication. A token file will need to be imported to use this
application.
Make the IronKey Malware Scanner available on the device
If purchased and enabled, each IronKey will include an application that scans the IronKey on
each use, detecting and cleaning malware from the device.
Silver Bullet Access Controls
SILVER BULLET
Enables remote disabling /
destruction of IronKey. Devices
that have not contacted the
server within a specified limit,
are automatically disabled until
they connect. An IP whitelist can
also be used to deny access to
devices attempting to unlock on
untrusted networks.
Whether the device must be authorized before being unlocked

The Silver Bullet Service will confirm that IronKey devices are authorized and in good
standing before allowing them to be unlocked. This real-time service allows Administrators

to completely disable and even remotely detonate devices, extending the control needed to
protect important data.
»» This feature requires an Internet connection
»» This feature is not available on Linux and disables Linux usage when enabled
Whether the device may be unlocked if it is not connected to the Internet or able to be
authorized
Since users are not always able to be online, this setting defines a predetermined number of
unlock attempts (“Silver Bullet attempts”) before disabling the device. IronKey devices are able
to be unlocked this many times when not able to connect to the service. Set this policy with a
balance of security and user convenience in mind.
»» This feature depends on Silver Bullet being enabled
»» The number of times the device can be unlocked while not connected to the Internet
ranges from 1 to 200
»» Default: Allow 10 times
»» Recommendation: Allow 10 times
Trusted Networks: Whether the device may or may not be unlocked based on where the
user is (i.e. which IP address the device is coming from)
The Silver Bullet Service can be configured to allow or deny access to a device based on a
Trusted Network IP address whitelist. Users coming from an IP address on the whitelist (e.g.
from the office) will be permitted to use their device, while users who are coming from an
untrusted network, (e.g. home) will be denied.
WARNING: Set this policy with caution as being too restrictive may prevent trusted users
from being able to access their data.
»» This feature depends on Silver Bullet being enabled
»» This feature does not apply to System Admins.
»» Examples of Valid Input (Internal IP Addresses should not be used):
•
To allow a specific IP address, just enter it in:
From: 192.168.0.1
• To allow a block of IP addresses, use the * character:
From: 192.168.0.*
• To allow a range of IP addresses, use both the From and To fields:
From: 192.168.0.1 To: 192.186.0.12
• To add additional IP addresses, click the “Add More” button.
• To delete an entry, click the “X” button next to that row.

IronKey Control Panel
IK CONTROL PANEL
• Unlock Screen Message -
Display a custom message on
the IronKey Unlock screen.
• Automatic Locking - If the
IronKey is idle a period of time.
The Unlock Screen Message that appears on device insertion

This message will appear on the IronKey Unlocker screen whenever the device is plugged
into a computer. In the event that the IronKey is lost, someone can return it to the contact
information in the Unlock Screen Message.
»» Range is 0 to 255 characters and up to 6 six lines of text
»» Default: Blank
If the user can modify the Lost and Found Message
This setting determines whether or not users can edit or create their own Lost and Found
Message.
»» Default: No
If the device automatically locks after a specified period of inactivity (i.e. without
keyboard or mouse activity)
»» Should force lock be enabled on the device if open files cannot be closed
»» If users can configure these settings
»» The idle time-out ranges from 5 to 180 minutes
Advanced Settings
If Standard Users have an online my.ironkey.com account
Having an online account gives a Standard User basic management capabilities of his IronKey
devices. This setting controls whether or not users have an online IronKey account they can
access. Administrators and Auditors must have online accounts to access the Admin Console.
Disabling this feature will not prevent users from backing up data to their Online Security
Vault, but it will prevent them from recovering their backed up device password without
Administrator intervention.
»» Default:Yes (have)
»» Recommendation:Yes (to ensure availability of Password Self-Recovery)

Automatically update device policy every time device is unlocked
Once an IronKey is unlocked, it can automatically check for and download the latest policy for
that device. This ensures that changes to security policies are enforced as soon as possible.
»» Recommendation: It is strongly recommended that this feature be enabled
MANAGING LICENSES
Click “Manage Policies” in the left sidebar. Below the IronKey Policy list, you can view your
IronKey Licenses list. Services must be enabled for the list to appear.
»» You can view a list of enabled services, number of available seats, and number of total seats
»» If you try to add a new user or device that exceeds the number of licensed seats, or if your
license has expired, a message prompts you to update or renew your license
ENTERPRISE SUPPORT PAGE

A number of online support resources are available for you on the Enterprise Support page,
including video tutorials and product documentation. It also contains information for contacting
IronKey Technical Support, including your Account Number.

Using the System Console
The System Console tab contains system-wide management features that are only available to System Admins
UPDATE MANAGEMENT
Update Management enables a System Admin to approve which Device Update is available when a user checks
for updates from the IronKey Control Panel. All device Updates available to Enterprise customers are listed on
this page. As a convenience to admins, the release notes for each update are available inline.
Each IronKey device update may contain newer firmware and/or software run from an IronKey device’s CD-
ROM volume.
The default settings make the most recent device update available to all users, which maintains the traditional
behavior the IronKey update capability.
»» Different Device Update versions can be approved for Admins and Standard users, which allows
administrators to be updated first so they can be prepared to answer questions.
»» The Update Version approved for Admins must be greater than or equal to the version approved for
Standard Users.

At some point the Approved Device Update may be removed from the server. If an Device Update is removed,
it will still appear in the drop down list, with the suffix (No longer available). Users will no longer be able to
update until a newer Device Update is selected as the Approved update.
It is possible to test the latest device update on a limited set of devices before generally approving it for all
Standard or Admin Users. Testing can be accomplished by assigning a policy as the Update Testing policy. Any
device using that policy, either Standard User or Admin User bypasses the approval list and is able to update to
the laster update.

Using the Admin Tools
ACCESSING THE ADMIN TOOLS
Some additional administrative functionality is available onboard each approved, active Admin’s IronKey
device. When you click the Admin Tools icon, the device will do a real-time check with your Enterprise
Account to authenticate the Admin and ensure that the Admin is still authorized to use the Admin Tools.
Revoked Admins, for example, will not be able to continue. You must be connected to the Internet to use
the Admin Tools.
USING SECURE DEVICE RECOVERY

IronKey’s Secure Device Recovery allows Admins to unlock your organization’s IronKey devices:
» Without knowing the user’s device password
» Without using a password database
» Without using a backdoor/redundant password
» With admin authentication (protection against stolen admin devices)
» With admin authorization (protection against rogue admins)
» With a proper audit-trail of the event
Step Description
Click the Admin Tools icon in the

IronKey Control Panel.
1
The device will perform real-time
authentication and authorization.

Step Description
Insert the device that you want to

access into the computer’s USB
port. Wait a few moments so the
device can enumerate.
2 Then click the “Refresh Device
List” button.
The device will search for the
other IronKey.
You can either choose to unlock

the user’s device or change that
device’s password.
To unlock the device, click the
“Unlock Device” button. A
progress bar will appear and when
the device is unlocked, Windows
Explorer will auto-launch to that
3
device’s secure volume.
To change the device’s password,
enter in the new password for
that device, confirm it, and click
the “Change” button. A progress
bar will appear and then a
confirmation that the password
has been reset successfully.
NOTE: Recovering a device that is not from your Enterprise Account, not yet activated, or not
an IronKey Enterprise Secure Drive is not possible. If an error appears, check if this is the issue.

PROMOTING A STANDARD USER TO BE AN ADMIN
A System Admin can modify user roles and permissions in the Admin Console. When a user is
invited to be an Admin, or when a Standard user is promoted to become an Admin, an existing
Admin must approve the process using Admin Approval.
Step Description
In the Admin Tools sidebar, click

1
“Admin Approval.”
Click the “Check for Admins”

button.
2 This will perform an online check
for users awaiting Admin
Approval.
Check all devices that you

approve for having administrative A table of devices that are awaiting approval will be
3
functionality. Then click the displayed.
“Approve” button.
The next time that user clicks
the my.ironkey.com button in
the IronKey Control Panel, he
4
receives administrative privileges
and have access to the Admin
Console.

RECOMMISSIONING DEVICES
When employees leave the organization, their IronKey can be recommissioned to new users
using IronKey secure online services for Admin authentication and authorization.
Step Description
In the Admin Tools sidebar, click

1
“Recommission Device.”
Insert the device that you

want to recommission into the
computer’s USB port. Wait a
few moments so the device can
enumerate.
2
Then click the “Refresh Device
List” button.
The device will search for the

other IronKey.
Click the “Recommission Device”
button. A progress bar shows
your progress throughout the
recommissioning process.
Selecting the “Also delete user

from the system” checkbox
will delete the user as well as
3 the device. This feature is only
available for System Admins.
NOTE: Recommissioning cannot

be undone. All data on the device
will be permanently lost.

Importing Authentication Credentials
IMPORTING RSA SECURID TOKENS
If enabled through your policy, your users’ IronKey devices can provide additional strong
authentication capabilities by generating RSA SecurID one-time passwords. You must provide a
.stdid file to your users for importing tokens.
Step Description
1 Open the RSA SecurID application

Click the icon in the IronKey Control Panel’s
application list on your user’s device.
10. Click the “Options” button.

Import a .stdid file. This may be 11. Click the “Add” button.
exported by your RSA server. For
12. Browse to the location of the .stdid file.
2 information on that procedure,
see your RSA SecurID server 13. A password might be required to unlock the
documentation. file.
The tokens will be added.
If you prefer, you can rename the Click the “Rename” button to create a name for
3
tokens. the selected token.
4 In the Options window you can also Be careful when deleting tokens, as this operation
delete tokens by clicking the “Delete” cannot be undone.
or “Delete All” button.
IMPORTING A DIGITAL CERTIFICATE INTO THE IRONKEY

The IronKey Cryptochip includes a limited amount of extremely secure hardware storage space,
which can be used for storing the private key associated with a digital certificate. This provides
your users additional strong authentication capabilities. For example, you could store a self-
signed certificate used for internal systems that will allow users to automatically log in when
using the IronKey’s onboard Firefox web browser.
The import process uses IronKey’s PKCS#11 interface and requires Mozilla Firefox.
NOTE: Space for only one additional private key exists in the IronKey Cryptochip, though
it will receive the benefits of the Cryptochip’s tamper proof hardware and self-destruct
mechanisms.

Step Description
Click the icon in the IronKey Control Panel’s application
1 Open the onboard Firefox. list on your user’s device.
1. Click “Tools” in the menu bar.
Open Firefox’s Options menu 2. Click “Options.”

2
to the Encryption tab. 3. Click the “Advanced” icon.
4. Click the “Encryption” tab.
Click the “View Certificates”

button.
3
This opens the Firefox
Certificate Manager.
IronKey’s certificate is
4 available here. To add your ow
click the “Import” button.

Browse to the PKCS#12- You will be prompted for the location of the PKCS#12-
5 format certificate file and format certificate file (the file extension will be .p12 in
open it. UNIX/Linux, .pfx in Windows).
A window appears asking you

to confirm where to store the
6 certificate.
Choose “IronKey PKCS#11”
Enter the password that

was used to protect the
certificate.
7
If no password was used,
simply leave the text field
blank.
Your certificate is now stored
securely in the IronKey
8 Cryptochip and is available
for use in the onboard Mozilla
Firefox.
NOTE: When deleting certificates, you must restart Firefox for the action to take effect.You cannot delete
the IronKey certificate that was pre-packaged with your device.

Administering the IronKey Anti-Malware Service
If purchased and enabled, your organization can protect its IronKey devices from the latest malware threats
with the IronKey Anti-Malware Service and IronKey Malware Scanner. See the User Guide for more
information on how the IronKey Malware Scanner works. As an Admin, you will want to be familiar with how
to interpret Malware Scanner reports.
INTERPRETING IRONKEY MALWARE SCANNER REPORTS

The IronKey Malware Scanner on each user’s device maintains detailed logging of important events, such as
checking for updates, downloading updates, scanning for malware, and malware detections, as well as vital
status information such as the version of the software and the signature file database being used. The location
of this file is at:
F:\IronKey-System-Files\Reports\IKMalwareScanner_Report.txt
Where “F” is the IronKey’s Secure Files volume (where the user stores his data). Malware Scanner Reports
are written in Apache Common Log format with tab-delimited data:
[ip address] [timestamp] [event] [status code] [data size or file count]
In the event of an infection, users are instructed to send the report to their administrator to diagnose and
resolve the issue. Here are some details on interpreting important events:
EVENT DESCRIPTION
Infection events include
»» The name of the malware
»» The type of malware (e.g. virus, trojan, etc.)
INFECTION »» The location the malware was found
»» The result of trying to repair or delete the infected file. Usually the
file will be repaired or deleted, though in rare cases the file cannot be
altered and is left on the device. The status in that case is “Unresolved”.
»» The Malware Scanner will attempt to update before each scan. The
most common failure is when the device cannot connect to the Internet.
UPDATE »» Some users may experience issues installing the update if they do not
have enough space available on their IronKey. It is recommended that
users allocate 135 MBs of space for the signature file database.

Common Tasks
ADDING NEW USERS
Step Description
Access the Admin Console by clicking

1 the my.ironkey.com icon in the IronKey
Control Panel.
2 Navigate to the Manage Users page.
In the Manage Users page, click

3
.
• Add User - Click “Add User” to add a single

user.
• Add Multiple Users - Click “Add Multiple
Users” to enter several users at one time.

Add Multiple Users
Use .csv format to add each user’s information as follows:
»» Name
»» Email address
»» Group
»» Role
»» Policy
Add a User
Enter the following user information:”
»» Name
»» Email
»» Role
»» Policy
Activate the checkbox to notify the user via email and activate the appropriate Access
Level Checkbox.
Note: Only System Admins can add new Admins.

ACTIVATING DEVICES FOR A USER
When you plug a new IronKey Enterprise Secure Flash Drive into your computer, it prompts
you for an email address and an Activation Code. An Internet connection is required.
Step Description
Plug a new IronKey Enterprise Your IronKey must be activated on a Windows (2000,
1 Secure Flash Drive into the XP, or Vista) or Mac computer. To use the full speed of
computer USB port. the IronKey, plug it into a USB 2.0 port.
The IronKey autoruns as a virtual CD-ROM.
• Windows: This screen might not appear if your

computer does not allow devices to autorun. You
can start it manually by double-clicking the IronKey
Unlocker drive in “My Computer” and double-
clicking the “IronKey.exe” file.
The “Activate Your IronKey”
2 • Mac: Double-click the IronKey drive on your
screen appears.
desktop, and double-click the “IronKey” file.
NOTE: You can install the IronKey Auto-Launch

Assistant, which automatically opens the IronKey
Unlocker when you plug in an IronKey. See
“Preferences” in IronKey Control Panel Settings. (Mac
only)
The information presented to you when you added the
user in the Admin Console (and emailed to the user, if
Retrieve the email with your that checkbox was selected) is needed here.
Activation Code. Copy and paste • If you did not provide an email address for your user,
3 it into the IronKey window. you must enter your email address. This is used for
Click “Continue” when you are authentication purposes and is not associated with
ready. the user after activation.
• If your IronKey cannot connect to the Internet, click
“Edit Proxy Settings” to adjust its network settings.
At this point, the device is ready You can either continue with initialization, or hand
4 to be initialized with a password the device to the user for him to complete the setup
and continue the setup process. process.

ADDING NEW ADMINS
Step Description
Add the new user and set the This process can only be performed by a System
1
role to be an administrative role. Admin.
An email will go out to the
2 user (optional) with his setup
information.
The user activates a new IronKey
3
Enterprise Secure Flash Drive.
Once activated, the device must
An email will be sent to the inviting System Admin as a
4 be approved by an Admin before
reminder to perform the Admin Approval.
it can access the Admin Console.
The next time the new Admin
clicks the my.ironkey.com icon in
5
his IronKey Control Panel, he will
receive administrative privileges.
ADDING NEW DEVICES TO USERS

When you add a user, a device will automatically be added to the system upon activation. To
add additional devices to a user, follow the directions below.
Step Description
In the Admin Console, go to the
user profile page for the user
1 See “Using the Admin Console” for more information.
for whom you want to add an
additional device.
2 Click the “Add Device” button.
A new device with a pending
3 status is added. The Activation
Code for that device appears.

DISABLING LOST DEVICES
When a device is lost or stolen, disable the device in the Admin Console. This will disable its services and
ensure access control protection. For devices that are Silver Bullet-enabled, it will also prevent the user from
unlocking the device.
Step Description
1 In the Admin Console, go to the
Manage Devices page.
2 Select the checkbox next to the
device you want to disable.
3 Click the “Disable Device” button Unlike recommissioning devices, disabling devices can
at the bottom of the page. be undone. If the device is found, it can be re-enabled.
HELPING A USER WITH PASSWORD ASSISTANCE

When a user forgets his device password, he may call the helpdesk for assistance in unlocking his device. The
simplest way to remotely help such a user is with Password Assistance.
Step Description
1 In the Admin Console, go to the
Manage Users page and select the
user from the User List.
2 On the User’s Profile page, select
the device that the user wants to
unlock.
3 Click the “Password Assistance” An email is sent to the user with a one-time URL in it.
button on the Device Profile page. That URL links to a web page that reminds the user of
A confirmation message notifies his device password. If left unused, the URL expires in
you that an email was sent to the approximately 24 hours.
user. This feature requires that the user has backed up his
password to my.ironkey.com. If he has not, then the
button is not available.
Using Non-Administrative Features

For information on how to use the various features of the IronKey available to all of your users through policy
(such as Secure Backup, the IronKey Password Manager, and Secure Sessions), review the IronKey Enterprise
User Guide, available on the Enterprise Support page of the Admin Console and on the virtual CD of each
IronKey Enterprise Secure Flash Drive.

Known Issues
Here are a few important caveats to be aware of while using IronKey Enterprise:
»» The very first IronKey in your Enterprise Account cannot be recovered through Secure Device
Recovery. That device should be put in a safe place for emergency access to the system.
»» In approving Admins, the user to be approved must be active in the system (i.e. activate a device)
before being able to be approved. This is part of the underlying security technology.
»» IronKey devices that are not running the latest firmware and software may not be able to use the
Silver Bullet Service or certain other new features. Updating old devices will allow them to use these
features.
»» Admins must update their older devices with the latest software to use Admin Tools to manage
newer devices.
»» In some cases, recommissioned devices will not auto-launch. They can be manually launched.
»» Updating an IronKey on Windows 2000 (SP4) and Windows XP requires Windows administrative
privileges. Windows administrative privileges are not required when updating an IronKey on Vista.
»» Some users might have difficulty understanding that the IronKey mounts as two drives: a virtual CD
that launches the IronKey Unlocker, and the secure files volume that mounts when the device is
unlocked. Point users to IronKey’s video tutorials at support.ironkey.com for visual instructions of the
most common IronKey tasks.
»» See the release notes at support.ironkey.com for known issues specific to a release..

Enterprise Support
IronKey is committed to providing
world-class support to its enterprise
customers.
IronKey technical support solutions
and resources are available around
the clock through the IronKey
Support website (located at https://
support.ironkey.com). These
resources include video tutorials, a
Knowledgebase of frequently asked
questions and technical notes, the
IronKey Troubleshooter, product
documentation, and the ability to
submit your inquiries to the IronKey
Support team.
IronKey also maintains customer forum (located at https://forum.ironkey.com) where our
community members share their product knowledge, exchange ideas, help each other with
encountered problems, and interact with IronKey employees.
TECHNICAL SUPPORT FOR SYSTEM ADMINISTRATORS

The IronKey Support team is available to answer questions that IronKey Enterprise
administrators may have about their product implementation. IronKey Support can be
contacted by filing a support request (https://support.ironkey.com/supportrequest) or
by emailing support@ironkey.com. Please always reference your Account Number when
contacting us. It can be located on the Enterprise Support page of the Admin Console. Our
support team is available to assist you Monday through Friday 6AM-5PM Pacific Time.
A number of materials, including a copy of this document, can be found on the Enterprise
Support page of the Admin Console. There you will find the most specific information
regarding using IronKey Enterprise. Please have your Standard Users contact your help desk
for assistance, or have them review the support materials on support.ironkey.com. Due to
the customized nature of each IronKey Enterprise Account, technical support for IronKey’s
enterprise products and services is available for System Administrators only.

Product Specifications
For details about your device, see “About IronKey” in IronKey Control Panel Settings.
CAPACITY*
Up to 32GB, depending on the model
DIMENSIONS
75mm X 19mm X 9mm
WEIGHT
0.8 oz
WATERPROOF
MIL-STD-810F
OPERATING TEMPERATURE
0C, 70C
OPERATING SHOCK
16G rms
ENCRYPTION
Hardware: 256-bit AES (Models S200, D200), 128-bit AES (Model S100)
Hashing: 256-bit SHA
PKI: 2048-bit RSA
FIPS CERTIFICATIONS
See www.ironkey.com for details.
HARDWARE
USB 2.0 (High-Speed) port recommended, USB 1.1
OS COMPATIBILITY
Windows 2000 (SP4), XP (SP2+), Vista, or Windows 7
IronKey Unlocker for Linux (2.6+, x86)
IronKey Unlocker for Mac (10.4+, Intel)

Contact Information
Product Feedback Feature Requests
feedback@ironkey.com featurerequest@ironkey.com
IronKey Online Support

https://my.ironkey.com End-Users: please contact your
https://support.ironkey.com Helpdesk or System Admin.
https://forum.ironkey.com Admins: email support@ironkey.com
https://store.ironkey.com and reference your Enterprise
Account Number

Note: IronKey is not liable for technical or editorial errors and/or omissions contained herein; nor for
incidental or consequential damages resulting from the furnishing or use of this material. The information
provided herein is subject to change without notice.
The information contained in this document represents the current view of IronKey on the issue discussed as of the date of publication. IronKey
cannot guarantee the accuracy of any information presented after the date of publication. This document is for information purposes only. IronKey
makes no warranties, expressed or implied, in this document. IronKey and the IronKey logo are trademarks of IronKey, Inc. in the United States and
other countries. All other trademarks are the properties of their respective owners. © 2010 IronKey, Inc. All rights reserved. IK0900196

IronKey Enterprise Admin Guide

Diunggah oleh

Informasi Dokumen

Deskripsi Asli:

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

IronKey Enterprise Admin Guide

Diunggah oleh

Hak Cipta:

Format Tersedia

Admin Guide

Last Updated October 7, 2010

IRONKEY ADMIN GUIDE PAGE 1

Setup and Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Using IronKey Enterprise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

IRONKEY ADMIN GUIDE PAGE 2

IRONKEY ADMIN GUIDE PAGE 3

»» The IronKey Secure Flash Drive hardware

IRONKEY ADMIN GUIDE PAGE 4

IronKey Policies: Enforcing Corporate Security Policies

IronKey Groups: Organize Users Into Groups

Silver Bullet Service: Protecting Against Malicious Users

Admin Tools: Onboard each Administrator’s IronKey

Secure Device Recovery: Securely Unlocking Users’ Devices

Admin Approval: Securely Promoting Users to Become Admins

Device Recommissioning: Securely Repurposing Users’ Devices

IRONKEY ADMIN GUIDE PAGE 5

CREATING YOUR IRONKEY ENTERPRISE ACCOUNT

IRONKEY ADMIN GUIDE PAGE 6

You must confirm that you are

The next several steps allow you

Set the password policy options,

IRONKEY ADMIN GUIDE PAGE 7

Configure the set of software

Define a “Lost and Found”

IRONKEY ADMIN GUIDE PAGE 8

Invite the 2nd System Admin

ACTIVATION AND INITIALIZATION OF THE 1ST SYSTEM ADMIN

IRONKEY ADMIN GUIDE PAGE 9

The “Activate Your IronKey”

• Mac: Double-click the IronKey drive on your

4 Create a device password, then

If enabled, you have the option to back up your

IRONKEY ADMIN GUIDE PAGE 10

ADDING STANDARD USERS TO THE ENTERPRISE ACCOUNT

Click the my.ironkey.com icon in

Click “Manage Users” in the

IRONKEY ADMIN GUIDE PAGE 11

* NOTE: Only System Admins

** NOTE: When Role is set to

IRONKEY ADMIN GUIDE PAGE 12

Copy and paste a CSV file’s

NOTE: All fields are optional

ACTIVATING IRONKEY ENTERPRISE FOR BASIC USERS

IRONKEY ADMIN GUIDE PAGE 13

In the IronKey Control Panel,

After the installation is

IRONKEY ADMIN GUIDE PAGE 14

DEPLOYMENT METHOD 1: AUTOMATED DISTRIBUTED

The user is now active in the Enterprise Account.

DEPLOYMENT METHOD 2: DISTRIBUTED DEPLOYMENT

IRONKEY ADMIN GUIDE PAGE 15

DEPLOYMENT METHOD 3: MANUAL DEPLOYMENT

The setup information for that

IRONKEY ADMIN GUIDE PAGE 16

Create Separate Policy for Linux Users

Encourage Users to Backup Passwords for Password Assistance

Back Up Onboard Data Regularly

Keep Admin and User Devices Up-To-Date

Use Silver Bullet Wisely

IRONKEY ADMIN GUIDE PAGE 17

IronKey Enterprise Account successfully created and Default Policy defined

First IronKey device activated—confirmed access to Admin Console