IronKey EMS On-Prem 7.1.0.0 supports the following devices: S100, S200, D200, S250, D250, W500, W700, W700-SC, H300, H350, S1000, D300M, and Sentry EMS.


NOTE: To check what IronKey EMS On-Prem version you currently have, enter the command "application version" into the CLI.


What's New in IronKey EMS On-Premises 7.1.0.0?


Improved CLI output for several commands


* Web based login accounts (all releases)
- Added full support for Web-based login
  Previous releases required Administrators to have an IronKey Enterprise device to access the management console to manage their IronKey EMS account. Administrators can log in directly to the management console web application with Username & Password only.
- Added Two-factor authentication for Web-based login
  Admins who use Web-based login will authenticate using their user name and password, and also be required to provide an Access Code, sent in an email message.
- With the IronKey EMS On-Prem 7.1.0.0 release, web based login is available for all accounts including those upgraded from version 6.1 or earlier. You will have the option of adding a user with authentication type 'Username & Password.' The first time this is done, you will be prompted to create the Default User Policy. For more information, refer to the Admin Guide section on 'Adding a user.'

Approve legacy device admins from the user profile


- Previously, approval of S100/X200 admins could only be performed from an existing S100/X200 admin device. Now, any existing system admin can approve S100/X200 users as admins by going to the user profile and clicking 'Approve Admin.'
- Note: This grants the new admin device acccess to the Admin Console, but not Admin Tools (used for S100/X200 device recovery and recommission). If you wish to grant Admin Tools privileges, please use an existing legacy device admin to perform Admin Approval. See 'Approving Admin users' in the Admin Guide for more details.

Upgrading to IronKey EMS On-Prem 7.1.0.0 from Previous Versions

When you upgrade to IronKey EMS On-Prem 7.1.0.0 from a previous version, you must first update the database. Database upgrades must be done in sequence from the version currently installed to the next version until you reach the latest version. For example, from version 5.1, you must run the database upgrade script from 5.1 to 5.2, then 5.2 to 6, then from 6 to 6.1, 6.1 to 7.0, and finally 7.0 to 7.1. Once the database is upgraded, you can uninstall the old version of the server, and install version 7.1. See the IronKey EMS On-Prem Setup Guide for step-by-step upgrade instructions to the 7.1.0.0 release or contact support with any questions before you start.

IMPORTANT: After you upgrade the on-prem, you must update your server license by requesting a new license from DataLocker. You can request and add the new license from the Enterprise Support page in the Admin Console. See the IronKey EMS On-Prem Setup Guide for more details.


Known Issues


* IronKey On-Prem version 6.1.0.0 and upgrades from version 6.1.0.0 – Devices with Default Device Policy cannot download a new policy version automatically.
Workaround: To download a new Default policy version: Default Device Policy needs to be updated and new version saved. End user must manually click on the ‘Check For Updates’ button in the device Control Panel to update the policy on the device. After this is completed, the device will start updating the policy automatically two minutes after the unlock.
To assigned a new policy to the device with Default policy: Once a new policy is assigned to the device in Admin Console, end user must manually click on the ‘Check For Updates’ button in the device Control Panel to update the policy on the device. After this is completed, the device will start updating the policy automatically two minutes after the unlock.

* If you discontinue use of anti-malware service, devices may still have malware scanner enabled.
Workaround: Update your device policies and save a new version. After this is completed, the devices will update and disable malware scanner.

* Devices may always update configuration even if no policy changes have been made, in policies where IronKey Secure Sessions was enabled.
Workaround: Update your device policies and save a new version. After this is completed, the devices will update only when policy changes are made.

* Activation fails for S100 or X200 devices on an IronKey On-Prem server in which the first administrators use Web-based login.
Workaround: Please activate an S100 or X200 system administrator device before activating any other S100 or X200 users. For these devices, the first user activated must be a system administrator that has access to Admin Tools to manage subsequent devices. The first S100 or X200 system admin device will automatically be approved as a system administrator. Please keep this device in a safe place. Refer to the Admin Guide for more information on 'Managing S200 or D200 devices.'

* S100 or X200 admin devices approved with the 'Approve Admin' button in a user's profile do not have access to Admin Tools.
Workaround: Use an existing system administrator S100 or X200 device with Admin Tools to approve additional administrators for access to Admin Tools. Administrators approved with the 'Approve Admin' button in the user's profile (accessible from Admin Console) gain access to the Admin Console, but not to Admin Tools. Refer to the Admin Guide for more information on 'Approving Admin users.'

* A prompt to install VMware tools might be displayed when logged into EMS On-Prem CLI. Click "Never Remind Me Again" on the prompt.

* Some pages in Admin Console might be slightly misaligned when the browser window is resized small. For the best browsing experience maximize your browser window.

* Comments on Device profile page or User profile page are not saved if entered text is in angle brackets.

* Silver Bullet IP Range addresses are not displayed on the Review Default Policy confirmation page.

* In IronKey EMS On-Prem upgraded from version 4.0 and older, users will not receive updated text for Default Storage Activation Email. Workaround: Access Admin Console. Click on System Console tab and select Message Center from the left side menu. Open Default Storage Activation Email. Modify the template or click Revert to Default button. Click "Save" button. Storage users will now receive updated email template.


Frequently Asked Questions (FAQs)


Q: Does High Availability functionality require a new license?

A: Setting up an HA pair will require an additional Server, and associated additional licenses.


Q: Can I deploy the IronKey EMS On-Prem .ova on hypervisor platforms other than VMware ESXi?

A: IronKey EMS On-prem .ova has been validated only on the Type 1 hypervisor platform VMware vSphere ESXi and Type 2 hypervisor VMware Workstation Player.


Q: Has DataLocker mitigated the SWEET32 vulnerability?

A: The review of EMS On-Prem and Cloud has found our systems NOT VULNERABLE to the SWEET32 exploit.


Q: Are IronKey EMS products (including EMS On-Prem and Secure USB devices) vulnerable to security attacks?

A: No, IronKey EMS products are not vulnerable to the following security attack:
BadUSB – IronKey Secure USB devices S100, S200, D200, S250, D250, W500, W700, W700-SC, S1000 and Datalocker Secure USB devices H300, H350 are not vulnerable to BadUSB malware which was revealed at Black Hat on August 7, 2014. BadUSB is the first USB malware designed to attack the device itself instead of attacking the data on the device. IronKey's and Datalocker’s leadership in security, including its use of digital signatures in all controller firmware, makes its products immune to this new threat.


Q: What about Shellshock vulnerability?

A: Our Security Engineering Team has evaluated the IronKey EMS security posture and exposure to the Shellshock vulnerability. It was determined that the IronKey EMS, including EMS Cloud service, EMS On-Prem, and ACCESS Enterprise are not exploitable by the Shellshock vulnerability.


Q: Has DataLocker mitigated the POODLE SSL Vulnerability?

A: The review of EMS On-Prem and Cloud has found our systems NOT VULNERABLE to the POODLE exploit.

Q: Does the IronKey EMS On-Prem communicate with the DataLocker datacenter?

A: The IronKey EMS On-Prem was designed to be a self-contained product. Therefore, it does not need to communicate with the Datalocker datacenter to support end-user activities.

Q: How do I update the device software using IronKey EMS On-Prem?

A: The latest device software updates can be loaded as a file into the IronKey EMS On-Prem. (See the IronKey EMS On-Prem Setup Guide, "Updating Device Software" section for details.)

Q: Are there any feature differences between hosted IronKey EMS Cloud and IronKey EMS On-Prem?

A: You can manage the on-prem as a standalone product. Otherwise, the two products have a similar feature set.