SAFEGUARD® PDA ENTERPRISE EDITION 4.20.0

What's New In 4.20.0

- Full device Transparent Encryption now encrypts main memory and storage cards.
- Transparent Encryption key recovery to access storage cards in the event of the device becoming unavailable.
- MSFP settings are converted transparently to the corresponding SG PDA settings.
- Grace period support now available on all devices.
- Support for high resolution and landscape mode displays.
- Support for IICS microSD SmartCards.

Notes on Windows Mobile 5.0 restrictions

- Windows Mobile 5.0 devices are no longer at risk of an accidental hard reset due to loss of battery power. This has been avoided by a new device design that no longer includes a flash filestore that is needed for SG PDA's "survive hard reset" feature. We are currently working on a solution for surviving intentional hard resets on some Windows Mobile 5 devices.

System Requirements

- Windows Mobile device: Windows Mobile 5.0 PocketPC Edition
- Desktop computer: Microsoft Windows XP

Installation

We recommend making a backup copy of your device before you install SafeGuard PDA Enterprise Edition!

Please read the document SGPDA_EE_42_FirstSteps_ENG.pdf about the various installation options and preparation steps!

The initial Master Password for the SafeGuard PDA Enterprise Edition is: "SGPDA". Be sure to change it (with the SG PDA master password snap-in in the Microsoft Management Console) when starting to use the software in production environments.

NOTE: If you installed a previous version of SG PDA Enterprise using a special company key, you have to make sure that you apply the same company key to this installation package before distribution. The new installation package will overwrite the old package during upgrade.

Product Overview

SafeGuard PDA protects your Windows Mobile device by unique means of flexible and secure user authentication as well as encryption methods. You have the option of authentication via password, symbol or even biometric handwritten signature. The encryption package features the up-to-date algorithm AES, ensuring confidentiality of your data.

The Transparent Encryption module transparently encrypts files on storage cards and in main memory. Their content will be stored in encrypted form but the files can be accessed just like regular files.

The PrivateCrypto module is an explicit file encryption tool that is ideal to send encrypted e-mail attachments without the need for a complex PKI infrastructure in the background.

The PrivateDisk module allows you to create virtual disks that transparently encrypt everything you store in them. You can "format" memory cards completely as PrivateDisks to keep their contents protected.

The encryption formats of both modules are fully compatible with the PC versions of that software, thus allowing you to exchange encrypted data between different platforms.

On Windows Mobile Phone Edition devices you may configure a set of "emergency numbers" that can be dialed without having to authenticate. These functions automatically become available in SafeGuard PDA when the presence of a GSM chip is detected. (Please keep in mind that for numbers which are not official international emergency numbers, like e.g. 112, the SIM chip must be active in order to allow dialing them.)

This software supports English, German, French and Japanese user interfaces. The language can be selected directly on the device or preconfigured using the management console.

Known Restrictions

- The HTC Universal (O2 XDA Exec, Qtek 9000, T-Mobile MDA Pro, Vodafone VPA IV) sometimes cannot load the PrivateDisk driver. On these occasions, an error message is shown when trying to mount a disk. In silent mode (creation of initial disks) no error message is shown but also no PrivateDisk is created when the error occurs. A soft reset sometimes solves the problem. We observed the problem to occur less often when no storage card was in the device during reboot. We also recommend using the newest firmware version. After initial successful mount of a PrivateDisk the problem should not happen any longer. No data can be lost because of that problem.
- The soft keyboard implementation (SIP) on HTC TyTN devices (e.g. T-Mobile Vario II, Vodafone VPA compact II) is broken. In case the keyboard is not shown at the login screen, press “Help” and “Cancel” on the subsequent screen. This should make the keyboard visible again.
- The file encryption format has changed. Files encrypted with SafeGuard PDA 4.11 are not compatible with files encrypted with SafeGuard PDA 4.20. Therefore it is necessary to deactivate the transparent encryption before performing an update.
- Many branded devices run additional provider specific installations after a hard reset. Be sure to wait until the branding has completed successfully before installing SafeGuard PDA. Running SafeGuard PDA on devices with incomplete brandings is not supported.
- The functionality of the call key (green button) is available even when the device is locked. Users can redial the last number dialed on the device even if “phone without logon” is disabled.
- On Palm Treo devices “phone without logon” is not supported.
- The master password will be kept on the desktop even if SafeGuard PDA is uninstalled. After reinstallation the old master password will still be valid and you will need it for settings import/export and challenge/response mechanisms.
- Due to technical reasons path names for encrypted files must not exceed 230 characters.
- Due to Windows Mobile 5.0 restrictions “autorun.exe” has to be renamed to anything but “autorun.exe” (e.g. “SGAutorun.exe”) when performing a memory card based upgrade. If the application is not renamed the update will not be successful. This applies only to updates and not to regular installations.
- Qtek 9100 devices with firmware version 2.18.7.7 cannot be switched off by means of software. The "Lock & Power OFF" option does not work on these devices.
- Since SafeGuard PDA takes control over operating system authentication, it typically cannot coexist with other security applications of similar functionality. Always use only one authentication security product on your Pocket PC!
- If you use a WLAN card and the logon method is "Signature", you have to wait on Power ON until the WLAN card is fully initialized (watch the LEDs) before you can enter the signature. Otherwise your signature will not be recognized during your first logon attempt, because the initialization of the WLAN consumes too much CPU.
- If you use special input software like Calligrapher and you intend to use the biometric signature logon, be sure that you enroll your signature in the same mode which you use later for logon, i.e. if Calligrapher is active during enrollment, it should also be active during signature logon.
- In case of password logon, SafeGuard PDA will always switch to the virtual keyboard, independent of the method you have configured for your daily work. Experience has shown that all other input methods are not well suited for password entry, since the recognition of the entered letters is too error prone.
- Most of the current PDA backup programs are not able to save the current password. New passwords must be set after restoring such a backup. Please protect your backups against unauthorized access. One possible way is to use PrivateCrypto to encrypt your backups.
- Restoring a backup which does not contain a SafeGuard PDA installation on a device that is protected by SafeGuard PDA is NOT supported. In these cases you need to hard-reset your device before restoring the backup.
- All PrivateDisks should be unmounted before performing a backup. Some backup applications have shown difficulties accessing the volume file of a mounted PrivateDisk.
- Only standard PCM WAV sound files can be used as alarm sounds. Please ensure that your sound file is in the correct format before using it as alarm sound.
- In some rare cases on devices of certain vendors, especially on devices with only 32 MB of RAM, it may happen that the original operating system password dialog is shown for logon. You can use your SG PDA password to authenticate or perform a soft reset, which typically brings back the SG PDA authentication screen.
- After the client installation via ActiveSync, the PDA will perform a soft-reset. After the reset, some devices will not automatically turn on again. Simply take the device from the cradle, power on the device manually and you will be prompted to set the user password. Afterwards the installation is completed.
- To install the client software via Windows Installer, the user must have PowerUser rights or Windows Installer must be configured to run under enhanced rights. Users with normal user rights will not be able to de-install the software. To install the administration part of the software, you need administrative rights.
- When performing a partial firmware upgrade that does not erase the complete PDA (e.g. updating the GPRS stack of a Phone Edition PDA) it is recommended to deactivate the login before doing the upgrade and activate it again afterwards. This ensures that the upgrade can proceed uninterrupted.
- PrivateCrypto does not work reliably on PDAs with Japanese user interfaces.
- A recovery key will only be created during memory card based installations using a configuration file that has recovery key creation enabled.
- Automatic hard reset on failed logons / Fujitsu-Siemens T810: If a failed logon attempt triggers an automatic hard reset of the device, the user has to manually select “hard reset” from the T810’s menu. Any other selection will render the device unusable until a proper hard reset is conducted.
- In some rare cases a soft reset is triggered if “phone without logon” is enabled on Asus P525 and iPAQ hw6945 devices.
- SafeGuard PDA is currently not compatible with 3rd party virus scanner and/or backup programs.
- If files change their encryption status (e.g. becoming encrypted) either by initial encryption or file move/copy operations, the file date of the original file is not preserved.
- Transparent encryption exclusion lists are currently limited to 127 characters.
- Using the SGDeinst tool is the recommended way of uninstalling SGPDA. MSI uninstall is not fully supported on every device.
- The recommended procedure for upgrading SafeGuard PDA is to completely uninstall any previous versions of SafeGuard PDA and then install the new version.
- Latest information on virus scanner compatibility is available in the knowledge base of the MyUtimaco section on http://www.utimaco.com.

More Comments On SafeGuard PDA

Compatibility Of Encryption Modules

The PrivateCrypto module of SafeGuard PDA is compatible with version 2.0x of SafeGuard PrivateCrypto for Windows and Symbian OS. Archives created using older versions can be decrypted without problems. When using SafeGuard PrivateCrypto 2.10, be sure to create archives with the AES-128 encryption algorithm for compatibility with SafeGuard PDA.

By using SafeGuard PrivateCrypto for Windows it is possible to create archives containing several files. This is not possible with SafeGuard PrivateCrypto for Pocket PC. Archives created under Windows which contain more than one file can be decrypted without restrictions on a Pocket PC.

The PrivateCrypto and PrivateDisk modules use the AES (Rijndael) algorithm for encryption. This algorithm is the successor of the standard DES algorithm and offers up-to-date performance and security. Both modules adhere to the international PKCS#5 standard on deriving strong encryption keys from the passwords you enter.

Compatibility Of PrivateDisk Volumes

The PrivateDisk module of SafeGuard PDA is compatible with version 1.x of SafeGuard PrivateDisk for Windows. Secure disks can be shared without problems between both platforms, if they are formatted internally as FAT and not NTFS.

Note that the size of flash storage is reported differently by the operating systems, e.g. a 128 MB SD card can be reported as 120.99 MB by PocketPC 2002 and as 122.24 MB by Windows Mobile 2003. So if you use a Windows Mobile 2003 device to create a PrivateDisk volume spanning the whole memory card, you might eventually not be able to mount the volume on an older PDA! Therefore you should format your memory cards on PocketPC 2002 devices if you intend to use them for PDAs with PocketPC 2002 and Windows Mobile 2003.

ATTENTION!

- Self extracting executables created by PrivateCrypto only work on the processor platform on which they were created, but are independent from the version of the operating system.
- On low memory, undeletable files (parts of .uti archives) can remain on the machine. Please check your current archive if PrivateCrypto cancels an operation due to low memory. After resetting the PDA, these files can be deleted manually.
- Please note also that files that do not share the same format between normal and Pocket PCs (e.g. Pocket Word, Pocket Excel) are not converted by ActiveSync when transferred in encrypted form. If the target PC has ActiveSync and Microsoft Office installed, the Pocket format of these files can be opened on the PC without problems though.
- If "Disable ActiveSync connections with foreign devices" is active and SGPDA is uninstalled on the Desktop PC, then SGPDA will not be uninstalled on the PDA any more. Reason: the PDA thinks the Desktop PC is a foreign PC and refuses to connect. To uninstall SGPDA, deactivate "Disable ActiveSync connections with foreign devices" first and replicate with each PDA before de-installing the software.
Demo-Version Restrictions

SafeGuard PDA Authentication Module

- After logon a message box is shown which informs that a demo version of SafeGuard PDA is installed
- No customer replaceable bitmap at logon screen (PocketPC only)
- Logon screen and About box shows the word "DEMO"

PrivateCrypto Encryption Module

- The About box shows the word "DEMO"
- After the program start the "About box" is shown during a short delay
- All archives are marked as "encrypted with the demo version"
- No customer replaceable appearance

PrivateDisk Encryption Module

- The About box shows the word "DEMO"
- Maximum PrivateDisk size is limited to 2 MB
- No customer replaceable title bitmap

Download Links To Related Third Party Software

In order to take full advantage of this SafeGuard product, you may need some additional software, which is available for free download from third party vendors.

Adobe Acrobat Reader 6.0 or higher
Necessary for reading files in PDF format, e.g. the user manual of this product.
Download: http://www.adobe.com/products/acrobat/readstep2.html

Microsoft ActiveSync 4.2 or higher
Necessary for performing local data synchronization between Pocket PC and desktop PC.
Download: http://www.microsoft.com/downloads
Exact URL on English version at the time when this text was created: http://www.microsoft.com/downloads/details.aspx?FamilyID=7269173a-28bf-4cac-a682-58d3233efb4c&DisplayLang=en

Microsoft Management Console
The Microsoft Management Console is part of the Windows 2000 and XP Operating System and is used as central user interface for management tasks. If you use Windows NT, you need to download and install this component separately, in order to be able to use the management snap-ins of this SafeGuard product.
Download: http://www.microsoft.com/downloads
Exact URL on English version at the time when this text was created: http://www.microsoft.com/downloads/details.aspx?FamilyID=3f620a07-c996-4a81-aad8-30134a43ec46&DisplayLang=en

Microsoft Windows Installer
The Microsoft Windows Installer is part of the Windows 2000 and XP Operating System and is used to process setup packages in MSI format. If you use Windows NT, you need to download and install this component separately, in order to be able to install this SafeGuard product.
Download: http://www.microsoft.com/downloads
Exact URL on English version at the time when this text was created: http://www.microsoft.com/downloads/details.aspx?FamilyID=4b6140f9-2d36-4977-8fa1-6f8a0f5dca8f&DisplayLang=en

Microsoft XP Administration Pack for Windows 2000 Server
In order to take full advantage of Windows XP Clients in a Windows 2000 Server domain, you may want to download and install this XP administration package. This package is not mandatory for this SafeGuard product.
Download: http://www.microsoft.com/downloads
Exact URL on English version at the time when this text was created: http://www.microsoft.com/downloads/details.aspx?FamilyID=d232481f-28ea-4ba6-919b-95a8d757eff9&DisplayLang=en

History Of Changes In Older Versions

What Has Been New In 4.11.1

- SHARP WS003SH: These devices could not connect to the Internet when SGPDA 4.11.0 was installed.
- SHARP WS003SH: Making phone calls without authentication can now be blocked.
- HP iPAQ 5550: Fingerprint logon has been improved. This has resolved problems caused when the device was locked for a longer time.
- A watchdog has been implemented to detect attempts to interrupt the startup process. The device will be rebooted automatically if necessary.
- There is now a separate PDA tool for deinstalling the product on Windows Mobile 5.0 devices. Until now the software could only be deinstalled via ActiveSync or by hard-resetting the device. The new tool is the supported deinstallation method if SGPDA has been installed via a third party application or from memory card. You will find the tool on the product CD. Note that deinstallation with this tool is disabled by default. Administrators must set the policy "Allow deinstallation of SGPDA" in central administration and deploy the policy to the PDA first, before a user is able to run the deinstallation tool. This provides a way to distribute the tool to the user together with an updated .cfg file so that users can deinstall the software themselves, without interaction from the administrator.
- SafeGuard PDA now displays an error message if mounting a PrivateDisk for the Full Device Encryption feature fails (see Known Restrictions).
- PrivateDisks created/mounted with SafeGuard PrivateDisk 2.0 or newer on the PC can now also be used on the PDA. Older versions of SG PDA only accepted SafeGuard PrivateDisk 1.x volumes. Note: the PDA version of SafeGuard PrivateDisk only supports AES-128.
What Has Been New In 4.11.0

- Transparent PIM Encryption is now also available for Windows Mobile 5.
- The GUI on the device is now also available in Japanese.
- Option to import country specific emergency phone numbers without requiring separate policies per country (TEL files).
- Option to prevent autorun from storage cards (WM 5 only).
- Autorun tool can be used for SG PDA product installation with third party software (SGReboot is not used anymore).
- Improved upgrade does not ask for a new password anymore.

What Has Been New In 4.10.1

- The "Allow phone calls without logon" and "Allow notification messages in logon screen" features now also work for devices that use the Dutch, Finnish, Norwegian or Swedish language.
- Autorun.exe can now be used for installation from all locations. The SGReboot tool is no longer needed for installation involving 3rd party tools.
- On a Windows Mobile 5 device, "Phone without logon" now allows users to select a contact from the contacts list.
- Windows Mobile 5.0 SG PDA now allows attachments to be redirected to a PrivateDisk. Other PIM encryption options are currently grayed out but will be available in the next version of the product.
- Blocking Bluetooth can now be used "out of the box" for T-Mobile MDA Pro and Dell Axim X51 (no need to manage a driver name).
- The user manual is now available in English, French and German. The administration manual and the first steps guide are available in English and German.
- "Lock and Power off" now also works for devices that do not have a power switch.
- Bugfix: Calendar application on some devices displayed an error message when calendar entries were encrypted.
- Bugfix: Signature logon had a problem with the complex signature enforcement feature.
- Bugfix: The Challenge/Response CAB file in the client MSI installation file was not signed. As a result, neither this option nor a full installation could be implemented on Windows Mobile 5 devices.
- Bugfix: The software created a log file trace.txt when importing configuration files.
- Bugfix: PrivateDisk full device encryption did not work on Windows Mobile 5 devices.
- Bugfix: Encryption of PIM data sometimes caused the boot phase of Windows Mobile 2003 devices to hang.

What Has Been New In 4.10.0

- PIM Encryption on Windows Mobile 2003 devices now works transparently; data is encrypted/decrypted on-the-fly (no delays in logon time, push-mail compatible).
- Additionally supports Windows Mobile 5.0 devices (restrictions in this release: no PIM Encryption, no Hard Reset Survive).
- New authentication method for logon with certificates on secure MMC cards.
- Besides GSM phones, SafeGuard PDA now also supports CDMA phones which are typically used in USA and parts of Asia.
- Navigation software awareness: SafeGuard PDA now can be configured not to lock the screen after a timeout period if navigation software is active.
- Logon screen now also supports square screen devices.

Other Important Hints

You can order the licensed version from any authorized Utimaco reseller. The Personal Edition of SafeGuard PDA is also available online:

- Utimaco: www.utimaco.com
- Handango: www.handango.com
- PocketGear: www.pocketgear.com

See http://www.utimaco.com/SG-PDA for more information on this product.

Oberursel, Germany, 2007-05-25


				