Managing an S100, S200, or D200 device is done using the Admin Console. However, some additional administrative functionality is onboard each approved, active Admin 200 series device.
Important: S100, S200, and D200 devices cannot be registered to accounts in which such devices don't already exist. If you're currently using these device types in your account, the current functionality is not affected.
The Admin Tools feature on S100 and 200 series devices allows you to:
• Recover a device
• Approve new Admin users
• Recommission a device
When you click the Admin Tools icon, the device will do a real-time check with your EMS Account to authenticate the Admin and ensure that the Admin is still authorized to use the Admin Tools.
Revoked Admins, for example, will not be able to continue. You must be connected to the Internet to use the Admin Tools.
Note: Administrators who use Web-based login can manage S100/S200/D200 using only the management tasks that are available in Admin Console.
Note: You can manage S250/D250, H300, H350, W500, W700, W700-SC, S1000, D300M, and Sentry devices using the Admin Console interface exclusively.
Approving Admin Users
With S100, S200 and D200 devices, when you add a new Admin user or promote a Standard user to an Admin, a System Admin must approve the change before the user will receive Admin privileges.
You can only approve active users (those with an activated device); this is part of the underlying security technology. When a device is activated for a new Admin user, you will receive a reminder by email to approve the Admin user.
In the Admin Tools sidebar, click Admin Approval.
Click the Check for Admins button. This will perform an online check for users awaiting Admin Approval.
Check all devices that you approve for administrative functionality, then click the Approve button. A table of devices that are awaiting approval will be displayed.
The next time the approved user unlocks the device and clicks the Online Account button in the Control Panel, the user will receive administrative privileges and have access to the Admin Console and Admin Tools.
Or (for access only to the Admin Console):
Navigate to the user profile of the user with an admin S100, S200, or D200 that is pending approval.
Click the Approve Admin button.
The next time the approved user unlocks the device and clicks the Online Account button in the Control Panel, the user will receive administrative privileges and have access to the Admin Console.
Important Note: This method does not grant privileges to use Admin Tools (recovery and recommission for S100/X200 devices). If you wish to grant Admin Tools privileges, please use Admin Tools on an existing admin device to perform Admin Approval (see above).
Note: With S250/D250, W500, W700, W700-SC, H300, H350, S1000, D300M, and Sentry devices, no admin approval is required. System Admins simply add the new Admin user or edit an existing user’s role to promote the user to an Admin.
Assisting With Passwords
A common help desk task is to assist users with forgotten passwords. IronKey EMS includes three ways Admins can assist users with S200 or D200 devices who have forgotten their passwords:
User recovers the password without help desk intervention
• Users log into my.ironkey.com with email and online password.
• Users must have an online account.
• Device passwords must be backed up online
• Admin intervention is NOT required
Use Password Assistance to send password to user
• One-time URL is emailed to the user with a link to a page that displays the forgotten password.
• Allows Admins to assist remote users or users who cannot use Password Self-Recovery.
• Device passwords must be backed up online.
• Users must have valid email addresses in the system.
• Standard Users do NOT have to have an online account.
Recover the device for the user
• Admin uses Admin Tools on the Admin device to unlock and change the password on the user’s device.
This method ensures that the most secure procedures are used to recover devices and manage passwords.
• Admin must have physical possession of the user’s device.
• Device passwords do NOT have to be backed up online.
• Standard Users do NOT have to have an online account.
To use Password Assistance to send device password to user
In Admin Console, click Manage Users and select the name of the user who has forgotten their password.
Under Devices, click the user’s device name, and then click the Send Password to User button. This button will only appear for users who have an email address and who have backed up their device password online.
An email will automatically be sent to the user. In that email is a one-time URL that will take the user to a page that displays their password in a CAPTCHA. The user must click the link as soon as they get the email, as the link expires in approximately 5 hours.
To recover an S200 or D200 device
Secure Device Recovery allows an Admin to unlock your organization’s devices:
• Without knowing the user’s device password
• Without using a password database
• Without using a backdoor/redundant password
• With admin authentication (protection against stolen admin devices)
• With admin authorization (protection against rogue admins)
• With a proper audit-trail of the event
You must use a 200 series device with administrative privileges to recover another 200 series device.
Click the Admin Tools icon in the Control Panel. The device will perform real-time authentication and authorization.
Insert the device that you want to access into the computer’s USB port. Wait a few moments so the device can enumerate, then click the Refresh Device List button. The Admin device will search for the other device.
Do one of the following actions:
• If you want to unlock the user’s device, click the Unlock Device button; a progress bar will appear when the device is unlocked and Windows Explorer will auto-launch to the device’s secure volume.
• If you want to change the password on the device, type a new password, confirm it, and then click the Change button; a progress bar will appear and then a confirmation that the password has been reset successfully.
Note: Devices that are not part of the EMS Account, are not yet activated and initialized, or are not a supported IronKey EMS secure drive cannot be recovered; an error message will result.
When employees leave the organization, you can recommission an S200 or D200 device to new users using secure online services for Admin authentication and authorization.
Note: To recommission a 200 series device, you must use another 200 series device with administrative privileges. You cannot recommission the first System Admin device.
In the Admin Tools sidebar, click Recommission Device.
Insert the device that you want to recommission into the computer’s USB port. Wait a few moments so the device can enumerate, then click the Refresh Device List button. The device will search for the other device.
Click the Recommission Device button. A progress bar shows your progress throughout the recommissioning process.
Selecting the "Also delete user from the system" check box will delete the user as well as the device. This feature is only available for System Admins.
Note: Recommissioning cannot be undone. All data on the device will be permanently lost.