DigitalPersona ® Pro Enterprise Version 5 Administrator Guide


DigitalPersona Pro Enterprise Version 5

Administrator Guide

1996-2014 DigitalPersona, Inc. All Rights Reserved.

    All intellectual property rights in the DigitalPersona software, firmware, hardware and documentation included with or described in this guide are owned by DigitalPersona or its suppliers and are protected by United States copyright laws, other applicable copyright laws, and international treaty provisions. DigitalPersona and its suppliers retain all rights not expressly granted.

U.are.U and DigitalPersona are trademarks of DigitalPersona, Inc. registered in the United States and other countries. Windows, Windows Server 2003/2008, Windows 8, Windows 7, Windows Vista and Windows XP are registered trademarks of Microsoft Corporation. All other trademarks are the property of their respective owners.

    This DigitalPersona Pro Enterprise Administrator Guide and the software it describes are furnished under license as set forth in the License Agreement screen that is shown during the installation process.

    Except as permitted by such license, no part of this document may be reproduced, stored, transmitted and translated, in any form and by any means, without the prior written consent of DigitalPersona. The contents of this manual are furnished for informational use only and are subject to change without notice.

    Any mention of third-party companies and products is for demonstration purposes only and constitutes neither an endorsement nor a recommendation. DigitalPersona assumes no responsibility with regard to the performance or use of these third-party products.

    DigitalPersona makes every effort to ensure the accuracy of its documentation and assumes no responsibility or liability for any errors or inaccuracies that may appear in it.

    Feedback

    Although the information in this guide has been thoroughly reviewed and tested, we welcome your feedback on any errors, omissions, or suggestions for future improvements. You can contact us at

    [email protected]

    or DigitalPersona, Inc. 720 Bay Road Suite 100 Redwood City, CA 94063 USA

    Published: 4/21/2014 (v 5.5.1)

  • DigitalPersona Pro Enterprise - Administrator Guide iii

    Table of Contents

    1 Solution Overview 10Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

    Server components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Compatible workstation clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

    DigitalPersona Pro Workstation for Enterprise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13DigitalPersona Pro Kiosk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

    Client user interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Authentication and Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Security applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

    Password Manager Admin Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Licensing model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Support Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Changes from previous version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

    Section One: Installation

    2 Pro Server Installation 22Deployment Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22Upgrading from Previous Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Extending the Active Directory Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Configure each domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24Install DigitalPersona Pro Enterprise Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Configuring DigitalPersona Pro Server for Pro Kiosk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Changes Made During Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31DNS Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Uninstalling DigitalPersona Pro Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

    3 Pro Client installation 35System requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Upgrading from Previous Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

    Remote installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Remote installation for patches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38Client Suite installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Local installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41Command line Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

  • DigitalPersona Pro Enterprise - Administrator Guide iv

    Table of Contents

    Installation on Citrix Presentation Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44About Transform files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Uninstalling Pro Workstation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

    4 Pro Kiosk installation 46System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Recent changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

    Changes compared to version 5.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Changes compared to version 4.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

    Upgrading from Previous Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

    Remote Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48Remote installation for patches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49Local installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Command line installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Installation on Citrix Presentation Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

    About Transform files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

    5 Optional installations 55Included in product package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

    Suite installers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55Administration Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

    License Activation Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56Users and Computers Snap-In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56Attended Enrollment Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56User Query Tool Snap-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57GPMC Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

    Defender . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57Separate product packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

    Password Manager Admin Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58Extended Server Policy Module (ESPM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58Pro Cogent FR Plugin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

    6 Citrix and remote installation 60Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60Installation on Citrix solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

    Installation & Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Disabling automatic client updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62Installing Citrix support after DigitalPersona Pro client installation . . . . . . . . . . . . . . . . . . . . . . 62

    Section Two: Administration

    7 Administration overview 65Administration Tools package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

    8 License Activation & Management 67

  • DigitalPersona Pro Enterprise - Administrator Guide v

    Table of Contents

    License Activation Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68License activation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69Pro Enterprise Server activation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69Server activation from another computer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

    Package or component activation (v 5.3 only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 739 ADUC snap-ins 82

    Users and Computers snap-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82User properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82User object commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84Computer object commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

    User Query Tool snap-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86ActiveX control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86Interactive dialog-based application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89Command line utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

    10 Attended Enrollment 94Setting up Attended Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

    To assign, or remove Register/Delete permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96Enrolling user credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96Deleting Fingerprints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

    11 Policies and Settings 99Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99Computer Configuration/Policies/Software Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

    DigitalPersona Pro Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101Security/Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101Security/Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104Kiosk Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

    DigitalPersona Pro Enterprise Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

    Computer Configuration\Policies\Administrative Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106DigitalPersona Pro Client (Summary) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106DigitalPersona Pro Client (Details) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

    Authentication Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108Event logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111General Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112Kiosk Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114Managed applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115Security/Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116Security/Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116Software Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

    DigitalPersona Pro Enterprise Server (Summary) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

  • DigitalPersona Pro Enterprise - Administrator Guide vi

    Table of Contents

    DigitalPersona Pro Enterprise Server (Detail) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119User Configuration\Policies\Software Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

    DigitalPersona Pro Client (Summary) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125DigitalPersona Pro Client (Detail) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

    Security/Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125Security/Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

    User Configuration\Administrative Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127DigitalPersona Pro Client (Summary) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127DigitalPersona Pro Client (Detail) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

    12 Single Sign-On 129Configuring Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

    Disable Session Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129Create managed logons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

    13 GPMC Extensions 130Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130Implementation Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131Install Workstation Administrative Templates Locally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

    14 Recovery 134User recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134Computer recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135Account lock recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

    15 Pro Reports 136Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136Setting up DigitalPersona Pro Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137Web console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

    Creating a report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140Creating a new subscription . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141Adding a report to an existing subscription . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143Editing a subscription . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143Bookmarking a report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144Deleting a report or subscription . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

    16 Pro Events 145Credential Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146Secret Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147Service Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147Password Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148Credential Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149DNS Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150Windows Logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

  • DigitalPersona Pro Enterprise - Administrator Guide vii

    Table of Contents

    Authentication Domain Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15117 Extended Server Policy Module 15218 Utilities 153

    Cleanup Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

    Section Three: Pro Clients

    19 Pro Workstation 155Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

    Workstation setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156Opening the dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157Using the dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

    Managing user credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159Self Password Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159Enrolling your fingerprints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160Enrolling a PIN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160Enrolling scenes for the Face credential . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162Setting up cards and tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

    Setting up a smart card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164Setting up a contactless or proximity card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

    Enrolling a Bluetooth device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165Changing your Windows password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166Security Applications Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

    Windows authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166Smart card authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

    Password Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167Backing up and restoring your data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169Setting your preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170ID Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171Learn more . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

    20 Pro Kiosk 173Feature overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173Comparing Pro Workstation and Pro Kiosk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173Logging On to Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

    Using One Touch Logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175Logging on to Windows without Kiosk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175Automatic logon using the Shared Kiosk Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175Changing Your Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176User Account Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

    Using the Password Manager Admin Tool with Pro Kiosk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176Logging On to Password-Protected Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

    User logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

  • DigitalPersona Pro Enterprise - Administrator Guide viii

    Table of Contents

    Switching Users on Pro Kiosk Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178Using multiple Kiosk accounts with Citrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

    21 Pro Administrative Console 179Opening the Administrative Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179Using the Administrative Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180Configuring your system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

    Setting authentication policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180Logon Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181Session Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182

    Specifying credentials settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182Configuring your applications settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

    General tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189Applications tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190

    Section Four: Appendices

22 Glossary 192
    Concepts 192
    Terminology 194

23 Citrix Deployment Scenarios 200
    Overview 200
    Installation and configuration 200
    Fast Connect with XenApp and Pro Workstation 201
        XenApp server configuration 201
        Pro Server configuration 201
    Maintaining local and remote Kiosk identities 203
        Setting up kiosks for local and remote identities 204
        Using kiosk local and remote identities 204
    IGEL Universal Desktop support 205
        Requirements 205
        Setup 205

24 Policies and Settings - Alphabetical list 206

25 Embedded Windows dependencies 210
    Required components for supported Windows Embedded platforms 210
    Required files for supported Windows Embedded platforms 212

26 Identification List 215

27 Pro Events for version 5.3 218
    Credential Management 219
    User Management 219
    Secret Management 221
    System, Services, Settings and User Sessions 221

  • DigitalPersona Pro Enterprise - Administrator Guide ix

    Table of Contents

    External components 222
    Password Manager Admin Tool 223
    Fingerprint Match 223
    DNS Registration 223
    License Management 224
    License Management, ID Server licensing 225
    OTP Management 225
    Status Notifier 226
    Logon 227

28 Schema extension 228
    Introduction 228
    Schema extension overview 228
    Schema objects details 235
    Class details 277
    Standard Classes Extensions 292

29 Index 293


Chapter 1 - Solution Overview

This chapter provides a high-level overview of the DigitalPersona Pro Enterprise solution, and includes the following major topics.

Topics                           Page
Introduction                     11
Architecture                     11
Components                       12
Authentication and Credentials   15
Security applications            15
Licensing model                  16
System Requirements              17
Support Resources                17
Changes from previous version    18

More details on specific components and modules are provided in the remainder of this Administrator Guide. Additional implementation, administration and reference-level documentation is provided through a series of Quick Start Guides and Application Guides for many of the components and modules as well as for major features. A series of integrated help files provide the finest level of detail for all user-centric features as well as many administrator features and functions.

References to procedures, UI elements and images in this guide are always made to the current version of DigitalPersona Pro products. References to, and images of, Microsoft Windows products are to Windows Server 2008 and Windows 7 unless otherwise noted.

  • Chapter 1 - Solution Overview


Introduction

DigitalPersona Pro Enterprise is an enterprise-level central management solution for Endpoint Protection that enables administrators to manage security and authentication within Active Directory networks, including data protection, access management and recovery. It represents an optimal solution to multiple security needs, including:

- Strong Authentication for PC, application and RADIUS logon
- Single Sign-On (SSO) for Enterprise applications

    For further information on how DigitalPersona Pro Enterprise can help you solve your security needs, we have white papers, datasheets and case studies on our website at http://www.digitalpersona.com/enterprise.

Architecture

The conceptual architecture of DigitalPersona Pro Enterprise consists of four layers.

Management - Provides an Active Directory-based solution for the enterprise, enabling the IT Administrator to configure, deploy and administer security policies throughout the organization.

Security Applications - Provides pluggable applications and features that are managed through the DigitalPersona Pro management infrastructure.

Clients - Workstation software installed on notebooks, desktops and shared-user kiosks.

Credentials - Provides support for multiple authentication credentials that may be used in specified combinations for verifying the identity of users accessing managed computers and security applications.


Components

DigitalPersona Pro Enterprise is a client-server product. It consists of server and client components that work within an existing Active Directory environment.

Server components

DigitalPersona Pro's server components fulfill four main purposes:

- They allow IT Administrators to manage security and authentication policies via Active Directory Group Policy Objects. For these purposes, DigitalPersona Pro includes various GPMC (Group Policy Management Console) extensions, installed under the Software Settings and Administrative Templates nodes, to link product policies and settings to Active Directory containers.

- They provide centralized, server-side authentication of various types of credentials (e.g. fingerprints, smart cards, Bluetooth, one-time passwords etc.). For these purposes, DigitalPersona Pro runs authentication services within your domain and receives authentication requests from managed computers.

- They allow centralized backup and roaming of computers' and users' credentials and passwords. For these purposes, DigitalPersona Pro uses Active Directory as a database of relevant data.

- They also allow other general administrative tasks, including:
    - Access recovery into locked workstations
    - Deployment of license activation codes

The main server components of the DigitalPersona Pro Enterprise product are briefly described in the following table, and more fully described in the referenced pages.

Pro Enterprise Server (page 22)
    Provides domain-wide, centralized administration of Pro clients and enables strong authentication through various credentials, such as Bluetooth tokens, Windows passwords, fingerprints, smart cards and more.

DigitalPersona Defender (page 57)
    Enables two-factor authentication in workstation clients, and works with any OATH-compliant hardware token.

Pro Administration Tools (pages 55, 64)
    Provides additional tools for administration of various DigitalPersona Pro features and utilities, including License Management, GPMC Extensions, Access Recovery, Attended Enrollment and the Password Manager Admin Tool.


Compatible workstation clients

The DigitalPersona Pro Enterprise solution supports the following clients:

- DigitalPersona Pro Workstation for Enterprise - This primary client enforces security and authentication policies on managed Windows computers while providing intuitive access to end-user features and functionality. It may be centrally managed by Pro Enterprise Server, or installed as a stand-alone product.

- DigitalPersona Pro Kiosk for Enterprise - This specialized kiosk client provides DigitalPersona Pro features for environments where users log on to a shared, common Windows account or kiosk. It is centrally managed by Pro Enterprise Server.

NOTE: The Pro Workstation for Enterprise and Pro Kiosk for Enterprise clients may be installed individually on computers or deployed through Active Directory GPO, SMS (Systems Management Server) or logon scripts. They cannot be installed through ghosting or imaging technologies.

DigitalPersona Pro Workstation for Enterprise

DigitalPersona Pro Workstation for Enterprise is the primary client application for end-users, providing an intuitive means for increasing both security and convenience through a variety of configurable options, including enrollment and use of multiple credentials, and the use of automated logons for enterprise resources, programs and websites. For more details, see the chapter Pro Workstation on page 155.

DigitalPersona Pro Kiosk

DigitalPersona Pro Kiosk for Enterprise is a client application specifically designed for environments where users need fast, convenient and secure multi-factor identification on workstations shared by multiple users. Although users share a common Windows account, DigitalPersona Pro Kiosk for Enterprise provides separately controlled access to resources, applications and data. For a full description of its features, see the chapter Pro Kiosk on page 173.


Client user interfaces

Pro Enterprise Workstation contains two separate program interfaces: a user dashboard and an Administrative Console. Access to the Administrative Console requires local administrator privileges. The Pro Kiosk client provides the same user dashboard, but does not have an Administrative Console.

Settings that govern the features and behavior of the user dashboard are in most cases controlled through Active Directory GPO settings. However, settings that are left Not Configured in Active Directory may be configured by the local administrator using the Administrative Console. These local settings will then be effective for all users on the specific computer.

Whenever a setting is configured (enabled or disabled) in Active Directory, the local administrator cannot modify the setting through the Administrative Console.

For this reason, and especially if the needs specific to your environment require you to provide end users with local administrative rights, DigitalPersona strongly recommends that IT Administrators explicitly configure each desired setting in Active Directory, rather than relying on the default behaviors associated with the unconfigured state, since a local administrator can override any unconfigured setting on that computer.
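To act on that recommendation you need to know which DigitalPersona settings are still Not Configured in the GPO you link to your Pro clients. The script below is an added example, not part of this guide or of DigitalPersona's tooling. It pulls an XML report of one GPO with the GroupPolicy module and lists the expected policy names that do not appear in it; because Get-GPOReport only emits settings that are Enabled or Disabled, absence from the report is what "Not Configured" looks like. The GPO name and the policy names are placeholders that you replace with the display names from the alphabetical list of policies and settings in this guide (page 206); the assumption that Administrative Template settings appear as Policy elements with Name and State children follows the layout of the Get-GPOReport XML output, and settings delivered under the Software Settings node are not covered by this check.

```powershell
# Added example: audit one GPO for DigitalPersona Pro Administrative Template
# settings that are still "Not Configured". Not part of the Administrator Guide
# or of the product. Assumes the GroupPolicy module (RSAT) is installed and the
# caller can read the GPO. GPO name and policy names are placeholders.
param(
    [string]   $GpoName  = 'DigitalPersona Pro Clients',   # assumption: your GPO name
    [string[]] $Expected = @(                               # placeholders: use the guide's names
        'Example DigitalPersona policy 1',
        'Example DigitalPersona policy 2'
    )
)

Import-Module GroupPolicy -ErrorAction Stop

# Get-GPOReport only lists settings that are Enabled or Disabled; a setting that
# is Not Configured is simply absent, which is exactly what we want to detect.
[xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml

# Administrative Template settings appear as <Policy><Name>..</Name><State>..</State>
# elements (namespace-qualified, hence local-name()).
$configured = @{}
foreach ($node in $report.SelectNodes("//*[local-name()='Policy']")) {
    $nameNode  = $node.SelectSingleNode("*[local-name()='Name']")
    $stateNode = $node.SelectSingleNode("*[local-name()='State']")
    if (-not $nameNode -or -not $stateNode) { continue }
    $configured[$nameNode.InnerText] = $stateNode.InnerText
}

$result = foreach ($policy in $Expected) {
    [pscustomobject]@{
        Policy = $policy
        State  = if ($configured.ContainsKey($policy)) { $configured[$policy] } else { 'Not Configured' }
    }
}

$result | Sort-Object State, Policy | Format-Table -AutoSize

# Anything Not Configured here is a setting a local administrator can change
# through the Pro Administrative Console on that computer.
$open = @($result | Where-Object { $_.State -eq 'Not Configured' })
if ($open.Count -gt 0) {
    $msg = "{0} DigitalPersona setting(s) are Not Configured in '{1}' and can be changed locally through the Pro Administrative Console." -f $open.Count, $GpoName
    Write-Warning $msg
    exit 1
}
```

Run it from a management host with RSAT after linking the GPO; a non-zero exit is meant to fail a deployment pipeline until every setting you care about has been explicitly Enabled or Disabled.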


Authentication and Credentials

The default, and simplest, means of authentication, i.e. making sure that you are a person authorized to access a computer or other resource, is your Windows account name and password. Authentication is generally required when logging on to Windows, accessing network applications and resources, and logging in to websites.

DigitalPersona Pro clients provide a means for the IT Administrator to easily set up and enforce strong authentication, such as two-factor and multi-factor authentication, using a variety of supported credentials.

    DigitalPersona Pro supports the use of various credentials for authentication, including Windows passwords, fingerprints, smart cards, contactless cards, proximity cards, face, PIN, Bluetooth and One-Time-Passwords.

    An additional Self Password Recovery credential may be used solely for recovering access to a managed client computer in place of a forgotten password.

    Initial setup and enrollment of credentials is provided through a Setup wizard, or may be controlled by an administrator using Attended Enrollment.

Security applications

DigitalPersona Pro Enterprise security applications integrate with the basic functionality of the solution.

Additional DigitalPersona Pro Enterprise security applications may be available. Contact your DigitalPersona partner or reseller for further information, or go to our website at:

http://www.digitalpersona.com/enterprise/products/pro-enterprise.

Password Manager Admin Tool

The Password Manager Admin Tool simplifies and secures access to password-protected software programs and websites through the use of managed logons that allow users to identify themselves through any supported credential or combination of credentials specified by the administrator, as defined in the Authentication and Credentials topic above. Administrators use the DigitalPersona Password Manager Admin Tool to create managed logons specifying information for logon and change password screens for websites, programs and network resources. These managed logons are then deployed to managed workstations, where they are accessible to the user through the Password Manager application and the mini-dashboard. Managed logons always take precedence over personal logons created by users.

For additional information on the Password Manager Admin Tool, see the DigitalPersona Password Manager Admin Tool Application Guide (available on our website at http://www.digitalpersona.com/Support), or see the help file within the program.


Licensing model

DigitalPersona Pro Enterprise features and functionality as described in this Administrator Guide are included in the core version of the product, unless otherwise indicated.

    The basic licensing model is the User license, which permits enrolling of user credentials by a specified number of DigitalPersona Pro Enterprise users. The specific DigitalPersona Pro SKU and/or package you purchased may entitle you to licensing of one or more additional modules or components that are integrated with DigitalPersona Pro.

    You should have received from DigitalPersona or from a DigitalPersona authorized reseller all of the license activation keys and/or files that are part of the package you purchased. Make sure you contact your DigitalPersona representative, should you have any questions. Some modules or optional components may need to be activated individually.

    For information on other licensed versions of the product which may be available, and licensing for specific features, contact your DigitalPersona Account Manager or Reseller - or visit our website at:

    http://www.digitalpersona.com/enterprise/products/pro-enterprise.

    Licenses may be activated through Active Directory using the License Activation Manager. For more information about DigitalPersona Pro Enterprise license activation, see License Activation & Management on page 67.


System Requirements

Product/Component and Minimum Requirements

DigitalPersona Pro Enterprise Server
    Microsoft Windows Server 2008 R2 (32/64-bit) or Windows Server 2003 SP2 (32/64-bit) or Windows SBS 2003 SP2
    Active Directory
    12 MB disk space plus 5 KB per user

DigitalPersona Pro Workstation for Enterprise
    Windows Server 2008 R2 (32/64-bit) or Windows Server 2003 SP2 (32/64-bit) or Windows 7/8/Vista (32/64-bit) or Windows XP Professional SP3 (32-bit).* Home editions of Windows 7/Vista/XP are not supported.
    50 MB disk space, 100 MB during installation
    Microsoft Internet Explorer 6-10, Chrome 11+ or Firefox 4+ to create/use Password Manager personal logons or use managed logons. Microsoft Internet Explorer 6-10 to create managed logons using the Password Manager Admin Tool.

DigitalPersona Pro Kiosk for Enterprise
    Windows 7/8/Vista (32/64-bit) or Windows XP Professional SP3 (32-bit). Home editions are not supported.
    50 MB disk space, 100 MB during installation
    Microsoft Internet Explorer 6-10, Chrome 11+ or Firefox 4+ to use managed logons

* Also supported: Windows XP Embedded SP3, Windows Embedded Standard 2009 and Windows Embedded Standard 7, with dependencies as documented on page 210.

Personal logons allow end-users to create automated logons to programs, websites and network resources. Managed logons have the same function but are created by an administrator and deployed to end-users.

NOTE: When using Internet Explorer on Windows 8, Password Manager features are only available when the browser is launched from the legacy desktop, not from the Metro UI.

Support Resources

The following resources are provided for additional support.

- Readme files in the root directory of each product package contain late-breaking product information.
- AskPersona.com (http://askpersona.com) is a DigitalPersona knowledge portal providing answers to many frequently asked questions about our products.
- DigitalPersona Maintenance and Support customers will find additional information about technical support resources in their Maintenance and Support confirmation email.
- Online help is included with each component and application.
- All DigitalPersona Pro Enterprise documentation is available on our website at: http://www.digitalpersona.com/Support/Reference-Material/DigitalPersona-Pro-Reference-Material-Guides.

Changes from previous version

5.5 vs 5.4.1

The major differences between the 5.5 release and the previous 5.4.1 release are summarized below.

1 Support for Microsoft Windows Server 2012.

2 Support for NetMotion.

3 Fingerprint authentication for Citrix XenDesktop.

4 Microsoft Windows Logo Certification.

5 The User Query Tool has been modified to enable reporting of users who have answered the Self Password Recovery questions.

6 Support for the U.are.U 5160 PIV Certified fingerprint sensor, and for the Eikon II and Eikon Mini fingerprint readers.

7 Passwords are treated as credentials, and therefore consume a license, only when used for SSO and for authentication into the Pro Administrative Console.

8 The Delete License command has been refined so that user data from the local cache is removed during the process, and the warning (from v5.4.1) not to use DigitalPersona Pro on this account in the future is no longer necessary.

9 Enhancements to the processes for enrolling and using Card credentials (Smart Cards, Contactless Cards and Proximity Cards) to simplify their use and align the experience more closely with that of other credentials.

10 Support for two models of Dell/Wyse thin clients (D90 and Z90, running Ubuntu and SUSE) using ICA or RDP clients. Requires a separate part number and download.

5.4.1 vs 5.4

The major differences between the 5.4.1 release and the previous 5.4 release are summarized below.

    1 Delete License - A new feature available through the DigitalPersona Users and Computers snap-in allows the administrator to delete the DigitalPersona user license for a selected user. This new command on the context menu for a user in the Active Directory Users and Computers console releases the DigitalPersona license associated with this user back to the license pool.


    Note that use of this command will delete all DigitalPersona credentials and other user data stored in Active Directory. The user account should no longer be used with DigitalPersona Pro, and the product should not be reinstalled in the same user account. If use of DigitalPersona Pro is attempted on this account, an Access Denied error will be reported due to previously locally cached credentials. See page 84.

    2 User Query Tool - Additional functionality has been added to the User Query Tool which now returns a flag indicating whether a license was taken by a specified user, and provides the ability to delete the license. See pages 86 and following.

3 Kiosk access restrictions - Note that in versions prior to 5.4.1, kiosk access restriction through an identification list (see page 215) applies only to fingerprint access, and access through other credentials, such as the Windows password, is not restricted. Beginning with version 5.4.1, the restriction applies to all supported credentials.

    4

5.4 vs 5.3

The major differences between the 5.4 release and the previous 5.3 release are summarized below.

1 DigitalPersona Reporter has a brand new interface, with dozens of reports for compliance and auditing, the ability to schedule, email and export in popular formats such as PDF, XLS and XML, and the ability to extensively filter and customize reports. Pre-canned reports support the HIPAA, PCI and SOX compliance standards.

2 The new simplified Client Suite Installer and Administrative Suite Installer provide a more convenient way to install related DigitalPersona Pro Enterprise components.

    3 DigitalPersona Pro Workstation for Enterprise can now be installed in Evaluation mode, which does not require connection to a DigitalPersona Pro Enterprise Server.

    4 Client licenses are no longer required for DigitalPersona Pro Workstation and Pro Kiosk. Pro Server User Licenses are required to cover the number of users enrolling credentials in the DigitalPersona Pro Enterprise environment. Instructions for installing the previous version (5.3) Client Package and Component licenses are included for reference beginning on page 73.

    5 New Fast Connect feature allows for SSO to Citrix Published Applications and Desktops with XenApp and XenDesktop. See Citrix Deployment Scenarios on page 200.

    6 Quick Actions now support the use of smart (contact, contactless and proximity) cards, and the new Fast Connect feature. See Quick Actions tab on page 170.

    7 Support has been added for Windows 8, in Legacy mode only.

    8 Additional per-user policies and settings. See User properties on page 82.


    9 The User Query Tool now reports the dates that fingerprints were first enrolled and last enrolled. See User Query Tool snap-in on page 86.

    10 Password Manager Pro has been renamed the Password Manager Admin Tool.

    11 Some pages and settings in the Administrative Console have been changed. Management of DigitalPersona Pro Users is no longer available through the Administrative Console. See Pro Administrative Console on page 179.

    12 The DigitalPersona Pro 5.4 package includes a new version (v5.7) of DigitalPersona Defender.

    13 Support for new contactless (Felica) and proximity (Indala) cards.

14 User secrets (i.e. Password Manager logon account data) created on disconnected computers are now synchronized with the Pro Server data once reconnection is established.

    15 New centrally-managed, roaming, question-and-answer-based Self Password Recovery feature allows the user to recover access to any domain computer where they have logged on at least once.

    16 Support for YubiKey tokens used as RFID tokens or as OTP tokens through DigitalPersona Defender.

17 On Windows Server 2003, DigitalPersona 5.4.0 administrative templates are installed in a new location, the Windows\Inf\{language} folder. When upgrading previous versions of Pro Server to 5.4.0 on Windows Server 2003, all administrative templates have to be explicitly removed from GPOs, and the new .adm files added under Administrative Templates.

    18 DigitalPersona Drive Encryption is not supported in this version.


    Section One: Installation

    This section of the DigitalPersona Pro Enterprise Administrator Guide includes the following chapters:

2 - Pro Server Installation (page 22)
    Requirements and procedure for installing DigitalPersona Pro Enterprise Server.

3 - Pro Client installation (page 35)
    Requirements and procedure for installing DigitalPersona Pro clients.

4 - Pro Kiosk installation (page 46)
    Requirements and procedure for installing DigitalPersona Pro Kiosk clients.

5 - Optional installations (page 55)
    Requirements and procedure for installing optional DigitalPersona Pro Enterprise components.


Chapter 2 - Pro Server Installation

    This chapter provides instructions for the installation of DigitalPersona Pro Enterprise Server on a domain controller.

    Instructions for uninstalling DigitalPersona Pro Enterprise Server are on page 31.

Deployment Overview

Here is a high-level overview of the steps required for initial deployment of DigitalPersona Pro Enterprise Server on the domain controller for a Windows 2003/2008 Server network.

1 Extend the Active Directory schema to include attributes and classes used by DigitalPersona Pro Enterprise Server. Requires AD Schema Administrator rights. You can view the details of the changes that will be made to the schema by opening the file dp-schema.ldif located in the AD Schema Extension folder in the product package. (page 23)

2 Configure each domain on which DigitalPersona Pro Enterprise Server will be installed by running DPDomainConfig.exe (located in the folder "AD Domain Configuration" in the product package). Requires AD Domain Administrator rights. (page 24)

3 Install the DigitalPersona Pro Enterprise Server software. Note that this will set firewall rules necessary for the operation of DigitalPersona software. (page 26)

4 (Windows Server 2003 only) Add DigitalPersona Administrative Templates to OUs. (pages 55, 133)

5 (Optional) Configure Pro Enterprise Server for use with DigitalPersona Pro Kiosk, if Pro Kiosk will be used in the domain. (page 28)

Detailed instructions for installation begin on page 22.

Upgrading from Previous Versions

Before upgrading from a previous version, it is critical that you refer to the DigitalPersona Pro Upgrade Notes available at http://www.digitalpersona.com/support/reference-material/pro-upgrade-notes/.

Direct upgrades from DigitalPersona Pro for Active Directory versions previous to 4.4.3 are not supported. If you need to upgrade from a version prior to 4.4.3, you will need to upgrade to Pro 4.4.3 and then upgrade to Pro Enterprise 5.4. A Migration Guide is available from DigitalPersona or your authorized channel partner for upgrading from DigitalPersona Pro for Active Directory 4.4.3 to DigitalPersona Pro Enterprise 5.3.

    Also, make sure to review the readme.txt files included with each component in the product package that you are installing.

Compatibility

DigitalPersona Pro Enterprise Server version 5.4 is compatible with the following DigitalPersona products:

- DigitalPersona Pro Workstation for Enterprise 4.4.3 and above
- DigitalPersona Pro Kiosk for Enterprise 4.4.3 and above
- DigitalPersona Password Manager Admin Tool 5.3.0 and above
- DigitalPersona Privacy Manager Pro 5.51 or higher
- DigitalPersona Defender Server 5.7

DigitalPersona Pro Server Enterprise 5.4 should NOT be:

- installed over (or upgraded to) DigitalPersona Pro Server for Active Directory versions prior to 4.4.3.
- used in a mixed environment with Pro Server for Active Directory versions 3.x or 4.x or with Pro Workstation/Kiosk 3.x/4.x.

If any previous version of DigitalPersona Pro Server for Active Directory was installed, the administrator should uninstall it and run the DigitalPersona Cleanup wizard (located in the product package) to delete all the previous DigitalPersona Pro data.

This release is not compatible with, and requires the uninstallation of, any other DigitalPersona products on the same computer.

Extending the Active Directory Schema

Prior to installing DigitalPersona Pro Server, the Active Directory schema must be extended to create new attributes for the user object and new classes, as well as to make modifications to existing classes. The Active Directory Schema Extension Wizard automatically handles all of the necessary changes to the schema.

    This schema extension is version 2. The schema extension version number is independent of the DigitalPersona Pro product version number. Each Pro product release will identify the schema extension version it requires. This schema extension is global to the Active Directory forest.

    If you want to view the script that is used to extend the schema (dp-schema.ldif), it is available in the product package at the following location:

    AD Schema Extension\dp-schema.ldif


    The Active Directory Schema Extension Wizard must be run from the schema master domain controller, or the data may not replicate fast enough to allow the wizard to continue. If the data is not replicated fast enough, the wizard will terminate, and you should then wait one replication cycle before running the wizard again.

    After the schema extension, and again after configuring your domains, you must wait for Active Directory schema replication to be completed. The amount of time this takes will depend on the complexity of your Active Directory structure.

    You must have Schema Administrator privileges to run the Schema Extension Wizard.

    To run the Active Directory Schema Extension Wizard

    1 Double-click DPSchemaExt.exe, which is located in the Schema Extension folder in the Server installation package, to start the Schema Extension Wizard.

    2 Read the terms and conditions on the License Agreement page. If you agree with them, select I accept the license agreement and then click Next.

    3 When prompted to proceed with the schema extension, click Yes.

    4 Next, specify a location and name for the log file generated by the Schema Extension Wizard in the Save Log File As dialog box. Then, click Save.

    5 If the schema is not writable, the wizard will inform you of the fact and will allow you to make it writable. If this dialog box displays, click Yes to make the schema writable and perform the schema extension.

    6 The wizard will extend the schema and provide information such as the class and attribute names. To close the wizard, click Finish.

    The name of each new attribute and class added to the Active Directory schema follows Microsoft naming conventions. The names are assigned a dp prefix, which is registered with Microsoft.

    The OID base, generated by Microsoft, is 1.2.840.113556.1.8000.651.
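A forest-wide schema extension is not reversible, so it is worth confirming from the console, before you double-click DPSchemaExt.exe, that you are on the schema master, that your token actually carries Schema Admins, and exactly which attributes and classes dp-schema.ldif is about to add; afterwards, that every one of them exists in the live schema. The script below is an added example and is not part of this guide or of DigitalPersona's installer. It assumes the RSAT ActiveDirectory module is available, that dp-schema.ldif is ordinary LDIF (one dn: record per object carrying lDAPDisplayName plus attributeID or governsID lines) and that $LdifPath points at your unpacked copy of the product package; the dp prefix and the OID base 1.2.840.113556.1.8000.651 are taken from this chapter.

```powershell
# Added example: pre- and post-checks around the DigitalPersona schema extension.
# Not part of the Administrator Guide or the product package.
# Assumes: RSAT ActiveDirectory module; dp-schema.ldif is plain LDIF;
# $LdifPath is the path of your unpacked product package (assumption).
param(
    [string] $LdifPath = 'C:\DPPackage\AD Schema Extension\dp-schema.ldif',   # assumption
    [string] $OidBase  = '1.2.840.113556.1.8000.651'                           # from the guide
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. The wizard must run on the schema master (see the note above).
$schemaMaster = (Get-ADForest).SchemaMaster
$here = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($here -ine $schemaMaster) {
    Write-Warning "This host is $here; the schema master is $schemaMaster. Run the wizard there."
}

# 2. Schema Admins membership, checked against the logon token rather than
#    the group listing, since a new membership needs a fresh logon to take effect.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$schemaAdmins = Get-ADGroup -Identity 'Schema Admins' -Server $schemaMaster
if ($me.Groups.Value -notcontains $schemaAdmins.SID.Value) {
    Write-Warning "$($me.Name) is not a member of Schema Admins in the current token."
}

# 3. What will the LDIF add? One record per object: name, OID and kind.
function Get-LdifSchemaObjects {
    param([string] $Path)
    $records = @(); $cur = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*$') {                         # blank line ends a record
            if ($cur.Count) { $records += [pscustomobject]$cur; $cur = @{} }
            continue
        }
        if ($line -match '^(?<k>[A-Za-z]+):\s*(?<v>.*)$') {  # "key: value"; switch is case-insensitive
            switch ($Matches.k) {
                'dn'              { $cur.DN   = $Matches.v }
                'lDAPDisplayName' { $cur.Name = $Matches.v }
                'attributeID'     { $cur.Kind = 'attribute'; $cur.OID = $Matches.v }
                'governsID'       { $cur.Kind = 'class';     $cur.OID = $Matches.v }
            }
        }
    }
    if ($cur.Count) { $records += [pscustomobject]$cur }
    $records | Where-Object { $_.Name }                      # drop modify-only records
}

$planned = @(Get-LdifSchemaObjects -Path $LdifPath)
$planned | Format-Table Kind, Name, OID -AutoSize

# Everything should carry the registered dp prefix and live under the
# DigitalPersona OID base; anything else deserves a look before you extend.
$odd = $planned | Where-Object { $_.Name -notlike 'dp*' -or $_.OID -notlike "$OidBase.*" }
if ($odd) { Write-Warning 'Objects outside the dp prefix / OID base:'; $odd | Format-Table -AutoSize }

# 4. After the wizard: confirm every planned object is present on the schema master.
$schemaNC = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
$live = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
            -LDAPFilter '(lDAPDisplayName=dp*)' -Properties lDAPDisplayName |
        ForEach-Object { $_.lDAPDisplayName }
$missing = $planned | Where-Object { $live -notcontains $_.Name }
if ($missing) {
    Write-Warning "Not yet in the schema on $schemaMaster (wizard not run, or failed):"
    $missing | Format-Table Kind, Name -AutoSize
} else {
    "All $($planned.Count) dp objects from $LdifPath are present in the schema on $schemaMaster."
}
```

Run it once before the wizard (steps 1 to 3 are the ones that matter then; step 4 will simply report everything as missing) and once after, comparing the wizard's own log file against the list of planned objects.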

Configure each domain

For each domain on which you plan to install DigitalPersona Pro Server, you need to run the DigitalPersona Pro Active Directory Domain Configuration Wizard, which configures the required domain-specific data including the necessary cryptographic keys.

    Running the wizard requires administrator privileges on the domain controller.

    You should run this wizard only once on each domain where Pro Server will be installed.

    When installing multiple DigitalPersona Pro Enterprise Servers, it is critical that you run the wizard only once during any replication period, allowing full replication to be completed before going on to run the wizard on the next domain.


    Running the wizard a second time during a single replication period will result in corrupted Server data, and any DigitalPersona Pro Enterprise Servers in the domain will be unusable.

    After running the Domain Configuration Wizard, the domain-level permissions to enroll and delete fingerprints are reset to the default, which is Allow.

    To run the DigitalPersona Pro Enterprise Domain Configuration Wizard

    1 Double-click DPDomainConfig.exe, which is located in the Domain Configuration folder in the Server installation package.

    2 Read the license agreement that displays and, if you agree to the terms and conditions, select I accept the license agreement and then click Next.

    3 A warning reminds you not to run this wizard if you have an existing DigitalPersona Pro Enterprise Server installation on this domain. If you are sure there are no other DigitalPersona Pro Enterprise Server installations on the domain you are configuring, check the I accept that the domain will be configured box and click Next.

    4 In the Save Log File As dialog box, specify a file name and folder path for the log file generated by the wizard and click Save.

    5 When you click Save, the wizard performs the changes on the domain.

    6 To close the wizard, click Finish.


    Install DigitalPersona Pro Enterprise Server

    After extending the Active Directory schema and configuring the domain where you will install Pro Server, you are ready to install the software.

    Before installing DigitalPersona Pro Enterprise Server, ensure that the computer meets the minimum requirements listed on page 17.

    WARNING: To avoid possible data loss, wait one data replication cycle after domain configuration before installing DigitalPersona Pro Enterprise Server.
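    Both warnings above (run the Domain Configuration Wizard only once per replication period, and wait a replication cycle before installing the Server) depend on knowing that replication has actually converged. The following PowerShell function is an added example, not part of this guide or of the DigitalPersona tools: it parses the CSV output of repadmin, which is present on domain controllers and with RSAT, and refuses to continue while any replication link reports failures or a stale last success. The one-hour threshold is an assumption; set it to your forest's replication interval.

```powershell
# Added example, not DigitalPersona code: confirm every replication link in
# the forest is healthy before running DPDomainConfig.exe in the next domain
# or starting the Pro Server installation. Requires repadmin.
function Test-ReplicationConverged {
    param([int]$MaxAgeMinutes = 60)   # assumption: one replication cycle completes within an hour

    # "repadmin /showrepl * /csv" emits one row per inbound replication link.
    $links = repadmin /showrepl * /csv | ConvertFrom-Csv
    if (-not $links) { throw 'repadmin returned no replication links' }

    $problems = foreach ($l in $links) {
        $failures = [int]$l.'Number of Failures'
        $last     = [datetime]::MinValue
        $parsed   = [datetime]::TryParse($l.'Last Success Time', [ref]$last)
        $stale    = (-not $parsed) -or ($last -lt (Get-Date).AddMinutes(-$MaxAgeMinutes))
        if ($failures -gt 0 -or $stale) {
            [pscustomobject]@{
                Destination = $l.'Destination DSA'
                Source      = $l.'Source DSA'
                NamingCtx   = $l.'Naming Context'
                Failures    = $failures
                LastSuccess = $l.'Last Success Time'
                LastStatus  = $l.'Last Failure Status'
            }
        }
    }

    if ($problems) {
        $problems | Format-Table -AutoSize | Out-String | Write-Warning
        return $false
    }
    Write-Host "All $($links.Count) replication links succeeded within the last $MaxAgeMinutes minutes"
    return $true
}

# Gate the next wizard run or the Server installation on the result.
if (-not (Test-ReplicationConverged)) {
    throw 'Replication has not converged; do not run DPDomainConfig.exe or Setup.exe yet.'
}
```

    Because the wizard writes domain-wide data, a link that is merely slow (stale but without failures) is as much a reason to wait as one that is failing; the function treats both the same way.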

    Note also that the installation will set three inbound firewall policies necessary for the operation of DigitalPersona software, as follows:

    Policy Name: DigitalPersona Authentication Service (Echo Request - ICMPv4-In)
    Description: Inbound rule for DigitalPersona Authentication Service to allow Echo Request messages to be sent as ping requests.

    Policy Name: DigitalPersona Authentication Service (DCOM-In)
    Description: Inbound rule for DigitalPersona Authentication Service to allow remote DCOM activation via the RPCSS service.

    Policy Name: DigitalPersona Authentication Service (TCP-In)
    Description: Inbound rule for DigitalPersona Authentication Service to allow it to be remotely connected to via DCOM.

    To install DigitalPersona Pro Server

    1 Double-click Setup.exe, located in the Pro Enterprise Server folder of the DigitalPersona Pro Enterprise Server installation package, to run the DigitalPersona Pro Enterprise Server Installation Wizard.

    2 When the wizard opens, click Next.

    3 Read the terms and conditions on the License Agreement page. If you agree with them, select the I accept the license agreement button and then click Next.

    4 On the next page, you can specify the folder in which DigitalPersona Pro Enterprise Server will be installed. To install the server in the default location, C:\Program Files\DigitalPersona, click Next. Or click Browse to specify a new location and then click Next to continue.

    5 The wizard will install the Server software. To close the wizard, click Finish.

    DigitalPersona Pro Enterprise Server and its associated workstation clients use GPMC extensions, installed under the Software Settings and Administrative Templates nodes, to link product policies and settings to Active Directory containers. These policies and settings are described in the chapter, Policies and Settings on page 99.
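    The three inbound rules the installer creates are listed above with no remote-address scope. The following PowerShell script is an added example, not part of this guide or of the DigitalPersona installer: it shows the rules as installed and then restricts the DCOM activation and TCP rules to the subnets that hold Pro Workstations and Kiosks. It requires the NetSecurity module (Windows Server 2012 or later); the subnet list and the domain-profile restriction are assumptions for this example.

```powershell
# Added example, not DigitalPersona code: inspect the three inbound rules the
# Pro Server installer creates and limit the DCOM and TCP rules to the client
# subnets. Requires the NetSecurity module (Windows Server 2012+).
$clientSubnets = @('10.10.0.0/16', '10.20.0.0/16')   # assumption: workstation and kiosk ranges

$rules = Get-NetFirewallRule -DisplayName 'DigitalPersona Authentication Service*'
if (@($rules).Count -ne 3) { Write-Warning "Expected 3 rules, found $(@($rules).Count)" }

function Show-DpRules {
    foreach ($r in $rules) {
        $port = $r | Get-NetFirewallPortFilter
        $addr = $r | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $r.DisplayName
            Enabled       = $r.Enabled
            Profile       = $r.Profile
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    }
}

'Before:'; Show-DpRules | Format-Table -AutoSize

# The echo-request rule only answers ping. The DCOM activation and TCP rules
# expose RPCSS/DCOM to whatever RemoteAddress allows, so scope those two to
# the client subnets and to the domain profile of a domain-joined server.
$rules | Where-Object { $_.DisplayName -notlike '*ICMPv4*' } |
    Set-NetFirewallRule -RemoteAddress $clientSubnets -Profile Domain

'After:'; Show-DpRules | Format-Table -AutoSize
```

    Re-run the "Before" listing after any repair or upgrade of the Server software to confirm the scope survived.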

    In releases prior to 5.2, administrative templates were automatically copied to the default folder for administrative templates during installation of DigitalPersona Pro Enterprise Server. On Windows Server 2003, this folder is C:\Windows\inf. On Windows Server 2008, the folder is X:\Windows\PolicyDefinitions, where X: is the system drive.

    Beginning in release 5.2, these administrative templates are no longer copied as part of the Pro Enterprise installation. They are now part of the DigitalPersona Pro Administrative Tools, GPMC Extensions component, which may be installed on any Active Directory aware computer.

    For additional information on the GPMC Extensions, see GPMC Extensions on page 130. For policies and settings available through the GPMC extensions, see Policies and Settings on page 99.


    Configuring DigitalPersona Pro Server for Pro Kiosk

    Configuration Steps

    Complete the following Pro Server and Kiosk installation and configuration steps in the order shown below. Specific instructions for configuration are described in the following sections and additional pages as referenced.

    1 Install DigitalPersona Pro Server, version 5.x or higher. This includes performing the Schema Extension, Domain Configuration and Server installation as specified on pages 23 and following. If previous versions of DigitalPersona Pro Server were installed in the domain, you should run the Domain Configuration Wizard, but should not run the Schema Extension Wizard again in this case.

    2 Install the DigitalPersona Pro Administration Tools. You do not need to install all of the included Administration Tools components; however, the GPMC Extensions component must be installed. See Administration Tools on page 55.

    3 Create an OU for each kiosk and assign computers to the kiosk OU. See Creating the OU for the Kiosk on page 29. By default, the entire domain is considered as one kiosk. You may want to set up multiple, separate kiosks.

    4 Assign kiosk permissions. By default, all domain users are allowed Kiosk permissions. You can restrict identification to specific groups or users by following the instructions in the chapter Identification List on page 215. Note that by design, AD Domain Administrator will have access even if not granted permission on an Identification List. However, you can change the permission for the Domain Administrator from Allow to Deny for any specific kiosk.

    5 Create a Shared Account in Active Directory and specify the account information either by GPO or on individual kiosk computers. See Kiosk Shared Account Settings on page 29 and Adding Shared Account Settings Using GPO on page 29.

    6 Install DigitalPersona Pro Kiosk on kiosk computers. See Pro Kiosk installation on page 46 for instructions.

    7 Enroll user credentials. By default, all domain users are allowed to enroll their own credentials. However, you can choose whether you want to supervise the credential enrollment process, or allow users to enroll credentials themselves when they first log on to or unlock a kiosk computer. For more information, refer to the topic Attended Enrollment on page 94.


    Configuring Kiosk GPO Settings

    Perform fingerprint identification on server

    The GPO setting Perform fingerprint identification on server must be applied and enabled for all Pro Kiosk clients that will be using fingerprint credentials. For further details, see Perform fingerprint identification on server on page 121.

    Kiosk Shared Account Settings

    At the kiosk level, whether it is the domain or an OU, you must specify the kiosk Shared Account information. For more information, see Adding Shared Account Settings Using GPO on page 29.

    Creating the OU for the Kiosk

    When you install DigitalPersona Pro Server and Pro Kiosk, the entire domain is considered as one kiosk unless you complete further configuration.

    To create multiple kiosks in a domain, or to limit the usage of the kiosk to specific computers only, you should create an organizational unit (OU) for each kiosk and then assign computers to the OU. You might create several kiosks where each kiosk is associated with its own OU. If computers in the same OU are geographically located in different sites, each OU per site is a kiosk.

    Specifying a Shared Account for the Kiosk

    Pro Kiosk requires an account, known as the Shared Account, that is specified on every kiosk computer. Account information includes the user name, domain name and password for an Active Directory account. You should have one Shared Account per kiosk with a Password never expires setting.

    You can configure the kiosk Shared Account by supplying the kiosk Shared Account information through GPO settings, as described below.

    If the kiosk Shared Account information is distributed through Group Policies settings, all computers that belong to the selected object level in Active Directory, such as OU, Domain, or Site, receive the kiosk Shared Account settings.

    Pro Kiosk automatically assigns the Impersonate a client after authentication user right to the kiosk Shared Account. This right allows programs that run on behalf of that user to impersonate a client. This right allows Pro Kiosk to authenticate multiple users while using only one logon session for the Shared Account.
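    The following PowerShell script is an added example, not part of this guide or of the DigitalPersona tools. The first part, run with the ActiveDirectory module on a domain controller or RSAT host, creates a Shared Account that meets the requirements above (one per kiosk, password never expires) and checks that it holds no group membership or protected-group history it does not need, since every user of that kiosk runs under it. The second part, run on a kiosk computer after Pro Kiosk is installed, confirms that the Impersonate a client after authentication right (SeImpersonatePrivilege) was actually granted to that account. The OU and account name are placeholders.

```powershell
# Added example, not DigitalPersona code. Part 1 runs where the ActiveDirectory
# module is available; part 2 runs on an installed kiosk computer.
Import-Module ActiveDirectory

$kioskOU = 'OU=Lobby Kiosk,OU=Kiosks,DC=corp,DC=example'   # assumption: the kiosk OU
$samName = 'svc-kiosk-lobby'                               # assumption: account name
$secret  = Read-Host -AsSecureString "Password for $samName"

# One Shared Account per kiosk, password never expires, user cannot change it.
New-ADUser -Name $samName -SamAccountName $samName -Path $kioskOU `
    -AccountPassword $secret -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'DigitalPersona Pro Kiosk shared account; not for interactive use'

# Review: the account should belong to Domain Users only and never to a
# protected group. Everything a kiosk user can do runs under this identity.
$acct = Get-ADUser $samName -Properties MemberOf, AdminCount, PasswordNeverExpires
if ($acct.MemberOf)   { Write-Warning "Extra group membership: $($acct.MemberOf -join '; ')" }
if ($acct.AdminCount) { Write-Warning 'AdminCount is set: the account is or was in a protected group' }
if (-not $acct.PasswordNeverExpires) { Write-Warning 'Password never expires is not set, as the guide requires' }

# Part 2, on a kiosk computer after Pro Kiosk is installed: verify the user
# right the guide says Pro Kiosk grants automatically. secedit exports user
# rights as lines of the form SeImpersonatePrivilege = *S-1-5-...,*S-1-5-...
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$sid  = $acct.SID.Value
$line = Get-Content $inf | Where-Object { $_ -match '^SeImpersonatePrivilege' }
if ($line -and ($line -match [regex]::Escape("*$sid"))) {
    "SeImpersonatePrivilege granted to $samName on $env:COMPUTERNAME"
} else {
    Write-Warning "SeImpersonatePrivilege not found for $samName on $env:COMPUTERNAME"
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

    If part 2 reports the right as missing on a kiosk that otherwise works, check whether a domain GPO defines Impersonate a client after authentication explicitly, because a GPO-defined user right replaces whatever Pro Kiosk assigned locally.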

    Adding Shared Account Settings Using GPO

    The Pro Kiosk Shared Account setting is provided as part of the GPMC Extensions component of the DigitalPersona Pro Administration Tools, a separate installation available in your Pro Enterprise product package.


    Note that beginning with Pro Enterprise 5.3, the AD location of these settings has been changed. The settings previously found at Computer Configuration/Administrative Templates/DigitalPersona Pro Client Kiosk Administration have been replaced and are included for backward compatibility only.

    The new location is Computer Configuration/Policies/Software Settings/DigitalPersona Pro Client/Kiosk Administration.

    You can use the Group Policy Editor to modify DigitalPersona settings. For the Kiosk Shared Account Settings, at the OU level for the kiosk, open the Kiosk Administration node and double-click Kiosk Workstation Shared Account Settings. Specify the following values:

    Kiosk Shared Account user name
    Kiosk Shared Account NetBIOS domain name
    Kiosk Shared Account password

    The Shared Account information will be enabled for all computers in the OU.

    Assigning Kiosk Permissions

    In situations where additional security restrictions are necessary or desirable, you can modify the default permissions to allow or deny specific groups or users from using each kiosk. The default installation permits every domain user to use all kiosks in the domain and no additional configuration is necessary.

    For an example of how to restrict identification, see Restricting kiosk identification on page 122.

    Password Manager Admin Tool settings

    If you plan on using managed logons with DigitalPersona Pro Kiosk, the templates created in the Password Manager Admin Tool must be accessible by the Shared Accounts that are used to access the kiosks. Make sure that the templates are available through GPO settings to the kiosk Shared Account rather than to the kiosk user accounts.

    The Password Manager logon functionality is the same as in Pro Workstation except that kiosk users cannot create their own personal logons, but can use managed logons created by the administrator. For more information on the Password Manager GPO settings, refer to Policies and Settings on page 99. For additional information on managed logons, see the Password Manager Application Guide.


    Changes Made During Installation

    Running the Schema Extension Wizard adds the following data to Active Directory.

    Active Directory Containers

    The Schema Extension Wizard installs two subcontainers in the Active Directory System container. They contain information administrators can use to verify and administer the DigitalPersona Pro Server installation. In the ADUC (Active Directory Users and Computers) snap-in, ensure that Advanced Features is selected from the View menu in order to view the System container.

    The new containers installed are the BAS (Biometric Authentication Servers) container and the Licenses container.

    The Biometric Authentication Servers container provides the objectCategory and objectClass for the BAS.

    The Licenses container stores the license files for DigitalPersona Pro products.


    Published Information

    DigitalPersona Pro Server publishes its service using the following properties:

    Service Class Name, set to Authentication Service.
    Service Class GUID, set to {EFE03FEC-2A6C-4DFB-9B56-E3BC77F32D7F}.
    Vendor Name, set to DigitalPersona.
    Product Name, set to UareUPro.
    Product GUID, set to {48F74E29-1CC0-468F-A0A0-8236628A5170}.
    Authentication Server Object Name, the DNS name of the host computer.
    Service Principal Name, a unique name identifying the instance of a service for a client.
    Schema Version Number, the version of the Active Directory schema extension.
    Product Version Number, the version of DigitalPersona Pro Server software.
    Product Version High, set to [current version].
    Product Version Low, set to [current version].

    Keywords for searching the server are Service Class GUID, Vendor Name, Product Name and Product GUID. The keyword values are the same as the property values listed in this section.

    The Server publishes its service in compliance with the Active Directory Service Connection Point specifications.
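    The following PowerShell script is an added example, not part of this guide or of the DigitalPersona client's own discovery code: it locates every Pro Server published in the domain by searching for Service Connection Points whose keywords carry the Service Class GUID and Product GUID listed above, so that an administrator can compare the published set against the servers actually deployed. It assumes the ActiveDirectory module; the assumption that the host name is carried in the standard serviceDNSName attribute is marked in the code.

```powershell
# Added example, not DigitalPersona code: enumerate Pro Server Service
# Connection Points by the keyword values from the guide.
Import-Module ActiveDirectory

$serviceClassGuid = '{EFE03FEC-2A6C-4DFB-9B56-E3BC77F32D7F}'
$productGuid      = '{48F74E29-1CC0-468F-A0A0-8236628A5170}'

# keywords is multi-valued; each equality clause matches any one of its values,
# so requiring both GUIDs avoids picking up unrelated SCPs.
$filter = "(&(objectClass=serviceConnectionPoint)(keywords=$serviceClassGuid)(keywords=$productGuid))"

$scps = Get-ADObject -LDAPFilter $filter -SearchBase (Get-ADDomain).DistinguishedName `
    -Properties keywords, serviceClassName, serviceDNSName, serviceBindingInformation, whenCreated, whenChanged

if (-not $scps) {
    Write-Warning 'No DigitalPersona SCP found: server not installed, not yet replicated, or unpublished'
}

$scps | ForEach-Object {
    [pscustomobject]@{
        ObjectDN     = $_.DistinguishedName
        ServiceClass = $_.serviceClassName
        # Assumption: the host DNS name (the guide's "Authentication Server
        # Object Name") is stored in the standard serviceDNSName attribute.
        DnsName      = $_.serviceDNSName
        Binding      = ($_.serviceBindingInformation -join ';')
        Keywords     = ($_.keywords -join ';')
        Created      = $_.whenCreated
        Changed      = $_.whenChanged
    }
} | Format-List

# Compare ObjectDN and DnsName against your inventory of Pro Servers; an entry
# you do not recognise should be investigated before clients keep using it.
```

    The same filter can be used from any LDAP client; the braces in the GUIDs need no escaping in an LDAP filter.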

    DNS Registration

    The use of DNS registration enables DigitalPersona Pro Workstations to locate Pro Servers without needing additional local configuration to do so. If your DNS Server supports dynamic registration, DigitalPersona Pro Server registers itself with the DNS using the service name, _dpproent.

    The format of the DNS resource records for DigitalPersona Pro Server is:

    _dpproent._tcp.[domain] 600 IN SRV 0 100 0 [server name]
    _dpproent._tcp.[site name]._sites.[domain] 600 IN SRV 0 100 0 [server name]

    Pro Server calculates site coverage based on the availability of other Pro Servers on the domain (as well as sites configured for the domain) and then creates Service Resource Records (SRV RRs) for the domain and sites it covers.

    Settings in the DigitalPersona Pro Administrative Template govern whether or not Pro Server utilizes dynamic registration. For information on this and other DNS related settings, see pages 122 and following.

    Automatic Registration

    By default, DigitalPersona Pro Server registers itself with DNS every time Pro Server starts, refreshes the registration automatically at specified intervals, and unregisters itself every time DigitalPersona Pro Server stops.


    When DigitalPersona Pro Server unregisters itself, it removes only the records it has created during automatic registration. Records entered by the administrator will be unaffected.

    Automatic Registration may be disabled through a GPO setting.

    Manual DNS Registration

    If your DNS Server does not support dynamic registration, or if dynamic registration is disabled through a DigitalPersona Pro GPO setting, an administrator can manually register the Pro Servers by entering the DNS resource records in the format shown above.

    You can view the default values of settings created during Pro Server setup by opening the U.are.UPro.DNS file in Notepad. It is located in the Program Files\DigitalPersona\bin folder.

    To manually register a Pro Server in Microsoft DNS

    1 Open the DNS console and expand the Forward Lookup Zone.

    2 In the left pane, select and then right-click on [domainname], and select Other New Records in the context menu.

    3 In the Resource Record Type dialog box, click on Service Location, and then click the Create Record button.

    4 In the New Resource Record dialog, set the following values (Protocol and Priority match the record format shown above):

    Service: _dpproent
    Protocol: _tcp
    Priority: 0
    Weight: 100
    Port Number: 0
    Host offering this service: domaincomputername.domainname.com

    5 Click OK to save the settings and return to the main DNS console window.

    6 Under the same [domainname], expand the _sites key.

    7 In the left pane, select and then right-click on Default-First-Site-Name and select Other New Records from the context menu.

    8 Repeat steps 3 through 5 to create the site-level record. Repeat this procedure for each Pro Server that you want to register.

    If the DP Service Resource Records (SRV RRs) are not added, either dynamically or manually, the DigitalPersona Pro Workstation will not be able to find the Servers and will perform fingerprint enrollment and authentication locally.


    Improving Performance

    The Priority and Weight settings can be modified to achieve better response time and load-balancing in the _dpproent Properties dialog box, which is accessible by double-clicking _dpproent in the DNS Console.

    The _dpproent SRV RRs can be found in the following paths in the DNS Console:

    DNS/[DNS server]/Forward Lookup Zones/[domain]/_tcp
    DNS/[DNS server]/Forward Lookup Zones/[domain]/_sites/[site name]/_tcp

    If your DNS does not support dynamic registration, you will have to add these SRV RRs manually. For your convenience, these entries are stored in a file, UareUPro.DNS, which is located in the folder in which you installed DigitalPersona Pro Server.
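    The following PowerShell script is an added example, not part of this guide or of the DigitalPersona tools. It covers both the manual registration procedure and the Priority/Weight tuning above: it creates the domain-wide and site-specific _dpproent SRV records with the DnsServer module (Windows Server 2012 or later, or RSAT) instead of the DNS console, using the record values from the guide, and then resolves them the way a workstation would. The zone, site and server names are placeholders; a client that gets no SRV answer falls back to local enrollment and authentication, so the lookup treats an empty result as a misconfiguration.

```powershell
# Added example, not DigitalPersona code: register and verify _dpproent SRV
# records. Requires the DnsServer module on the DNS server or an RSAT host.
Import-Module DnsServer

$zone = 'corp.example'                 # assumption: AD domain / forward lookup zone
$site = 'Default-First-Site-Name'      # assumption: AD site name
$servers = @(
    @{ Host = 'dp1.corp.example'; Priority = 0;  Weight = 100 }   # preferred; weight 100 vs 50 gives it ~2/3 of clients
    @{ Host = 'dp2.corp.example'; Priority = 0;  Weight = 50  }   # same priority, half the share
    @{ Host = 'dp3.corp.example'; Priority = 10; Weight = 100 }   # only used when all priority-0 servers fail
)

# Domain-wide and site-specific records, 600 s TTL and port 0 as in the guide.
foreach ($s in $servers) {
    foreach ($name in @('_dpproent._tcp', "_dpproent._tcp.$site._sites")) {
        Add-DnsServerResourceRecord -Srv -ZoneName $zone -Name $name `
            -DomainName $s.Host -Priority $s.Priority -Weight $s.Weight -Port 0 `
            -TimeToLive ([TimeSpan]::FromSeconds(600))
    }
}

# Resolve what a Pro Workstation will see: lowest Priority wins, Weight splits
# load among servers sharing a priority. No answer means clients go local.
function Get-DpServers([string]$Domain, [string]$SiteName) {
    $qnames = @("_dpproent._tcp.$Domain")
    if ($SiteName) { $qnames += "_dpproent._tcp.$SiteName._sites.$Domain" }
    foreach ($q in $qnames) {
        $rr = Resolve-DnsName -Name $q -Type SRV -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'SRV' }
        if (-not $rr) { Write-Warning "No SRV records at $q; workstations will fall back to local authentication"; continue }
        $rr | Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
              Select-Object @{ n = 'Query'; e = { $q } }, Priority, Weight, Port, NameTarget, TTL
    }
}

Get-DpServers -Domain $zone -SiteName $site | Format-Table -AutoSize
```

    Add-DnsServerResourceRecord creates the records in the same _tcp and _sites paths the console shows; if Pro Server's automatic registration is later re-enabled, the server removes only records it created itself, so these manual entries remain.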

    Configuring DNS Dynamic Registration

    Additional parameters for configuring DNS registration are available in the DigitalPersona Pro Administrative Template when added to the governing GPO. These settings are described beginning on page 122.

    Uninstalling DigitalPersona Pro Server

    DigitalPersona Pro Server can be uninstalled from the Add/Remove Programs Control Panel in Windows if you have administrator privileges on the domain on which Pro Server is installed. The software is listed as DigitalPersona Pro Enterprise Server version [version number]. When you uninstall the Server software, the published information (described in Published Information on page 32) and the DNS SRV RRs (described in DNS Registration on page 32) are removed.

    Although the Add/Remove Programs Control Panel uninstalls DigitalPersona Pro Server software, the user data (such as fingerprint credentials and secure application data) and global domain data remain in Active Directory. DigitalPersona provides a DigitalPersona Pro Cleanup Wizard to remove this data. See Utilities on page 153 for details.


    Pro Client installation 3

    This chapter provides instructions for installing the DigitalPersona Pro Workstation for Enterprise client. Installation of the DigitalPersona Pro Kiosk client is covered in Chapter 4, beginning on page 46.

    In most environments, DigitalPersona Pro Enterprise Servers will be used for authentication. They should be installed and configured before installing DigitalPersona Pro Workstation for Enterprise.

    The following topics cover the installation of DigitalPersona Pro Workstation for Enterprise:

    System requirements
    Installation
    Remote installation
    Client Suite installation
    Local installation
    Command line installation
    Installation on Citrix Presentation Server

    System requirements

    Before installing DigitalPersona Pro Workstation for Enterprise on a computer, make sure it meets the system requirements listed on page 17, and that you have Administrative Rights on the computer.

    Upgrading from Previous Versions

    Before upgrading from a previous version, it is critical that you refer to the DigitalPersona Pro Upgrade Notes available at http://www.digitalpersona.com/support/reference-material/pro-upgrade-notes/.

    Direct upgrades from DigitalPersona Pro for Active Directory versions previous to 4.4.3 are not supported. If you need to upgrade from a version prior to 4.4.3, you will need to upgrade to Pro 4.4.3 and then upgrade to Pro Enterprise 5.4. A Migration Guide is available from DigitalPersona or your authorized channel partner for upgrading from DigitalPersona Pro for Active Directory 4.4.3 to DigitalPersona Pro Enterprise 5.3. Also, make sure to review the readme.txt files included with each component in the product package that you are installing.

    CAUTION: Upgrading the operating system from Windows XP to any later version of Windows will uninstall DigitalPersona Pro, and it will need to be reinstalled. Any Pro enrolled credentials will be lost as well. Before upgrading you should use the Backup and Restore feature (page 169) to backup your DigitalPersona Pro data, and then restore the data after installing DigitalPersona Pro under the new operating system.

    Compatibility

    DigitalPersona Pro Workstation version 5.4 is compatible with the following DigitalPersona products:


    DigitalPersona Pro Enterprise Server 5.4.0 and above.
    DigitalPersona Defender 5.7 and above.
    DigitalPersona Password Manager Admin Tool 5.4.0 and above.
    DigitalPersona Privacy Manager Pro 5.51 and above.

    This release is not compatible with, and requires the uninstall of, any other DigitalPersona products on the same computer.

    Installation

    Remote installation

    For remote installation of patches, see the next section.

    The installer for Pro Workstation uses Microsoft Windows Installer (MSI) technology, which allows administrators to remotely install or uninstall the software using Active Directory administration tools, or other software deployment tools.

    Note that this installer only works for computer-based policy installation, not user-based installations.

    Prerequisites

    Before installing your DigitalPersona Pro client, you must install the following prerequisites.

    Windows Management Framework Core package, which includes Windows PowerShell 2.0 and Windows Remote Management (WinRM) 2.0. See Windows KB article 968930.
    Microsoft .NET Framework version 2.0 or above.
    Microsoft Visual C++ 2010 SP1 Redistributable package.


    Installing Pro Workstation

    To install Pro Workstation remotely through Active Directory use the following procedure. Some steps will vary depending on the operating system version.

    For mixed 32- and 64-bit environments, follow these steps twice to create an administrative installation file for each environment.

    1 Create an administrative installation package.

    a. Open a command prompt session and navigate to the location where you have stored the product package. Change the directory to Pro Enterprise Workstation\x86 for the 32-bit version or Pro Enterprise Workstation\x64 for the 64-bit version. Note that the 32-bit version will not install on 64-bit computers.

    b. Type setup.exe /ac. The product installation wizard launches and prompts you for a location where you would like the administrative installation package to be created. Choose a network shared drive that will be accessible to the computers where you will be installing the software. For example, \\servername\InstallDir, where InstallDir is a predefined shared folder. There is no need to reboot at the end of the wizard.

    2 Create a Group Policy Object (GPO) that will be used to distribute the software package.

    a. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

    b. In the console tree, right-click your domain, and then click Properties.

    c. Click the Group Policy tab, and then click New.

    d. Type a name for this new policy (for example, DigitalPersona Pro 5.5 distribution), and then press Enter.

    e. Click Properties, and then click the Security tab.

    f. Clear the Apply Group Policy check box for the security groups that you don't want this policy to apply to.

    g. Select the Apply Group Policy check box for the groups that you want this policy to apply to.

    h. When you are finished, click OK.

    3 Assign the package

    a. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

    b. In the console tree, right-click your domain, and then click Properties.
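    The following PowerShell script is an added example, not part of this guide or of the DigitalPersona installer. It prepares the two things the steps above depend on but leave implicit: a distribution share that domain computer accounts can read but nobody but administrators can write (since a computer-based assignment fetches the package as the machine, and anyone who can write to the share can replace the MSI), and a distribution GPO whose user half is disabled and whose security filtering applies to a group of computer accounts rather than to Authenticated Users. It requires the GroupPolicy and SmbShare modules (Windows Server 2012 or later); the share path, group and OU names are placeholders, and adding the package to the GPO is still done in the Group Policy editor as in step 3.

```powershell
# Added example, not DigitalPersona code: prepare the administrative-install
# share and the computer-based distribution GPO. Requires the GroupPolicy and
# SmbShare modules (Windows Server 2012+).
Import-Module GroupPolicy

$sharePath  = 'D:\InstallDir'                             # assumption: local folder behind \\servername\InstallDir
$shareName  = 'InstallDir'
$gpoName    = 'DigitalPersona Pro 5.5 distribution'
$compGroup  = 'DP-Workstations'                            # assumption: group containing the target computer accounts
$linkTarget = 'OU=Workstations,DC=corp,DC=example'         # assumption: OU holding those computers

# Share and NTFS: computers read, administrators write, nothing else.
New-Item -ItemType Directory -Path $sharePath -Force | Out-Null
icacls $sharePath /inheritance:r `
    /grant 'Domain Computers:(OI)(CI)RX' 'Domain Admins:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' | Out-Null
New-SmbShare -Name $shareName -Path $sharePath `
    -ReadAccess 'Domain Computers' -FullAccess 'Domain Admins' | Out-Null

# GPO: computer settings only (this installer does not support user-based
# installation), applied to the computer group instead of Authenticated Users,
# who keep Read so domain computers can still read the policy.
$gpo = New-GPO -Name $gpoName -Comment 'Assigns DigitalPersona Pro Workstation (MSI) to computers'
$gpo.GpoStatus = 'UserSettingsDisabled'
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $compGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
New-GPLink -Name $gpoName -Target $linkTarget -LinkEnabled Yes | Out-Null

# Show the resulting security filtering for review.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, TrusteeType, Permission |
    Format-Table -AutoSize
```

    Create the administrative installation package into $sharePath with setup.exe /ac as in step 1 before assigning it, and use the UNC path, not the local path, when adding the package to the GPO so that clients can reach it.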
