The Accounts tab gives system administrators an interface for managing the users of the system. An administrator can search for a user and disable the entire account, or disable individual devices that have been connected and authenticated as a particular user. Administrators can also define the list of unmanaged users.
| Field | Description |
|---|---|
| Name | The user's name (taken from their Active Directory user object). |
| Email | The email address associated with the user's PK Protect account. Email addresses for users are entered when allowing and denying access to Smartkeys. |
| UPN Mode | If user accounts are stored in multiple Active Directory forests, UPN Mode lets administrators allow users to log in to PK Protect with User Principal Names. Users must authenticate with the proper credentials for each Active Directory user to access each of the correlated PK Protect Identities. |
| Allow | The allow flag is the status of the user's account. If a user's account has been compromised, an administrator can revoke access to the account, and to all devices the account is logged in on, from this field. |
Managed versus unmanaged users
PK Protect supports two types of users: Managed and Unmanaged. Unmanaged users can choose their own passphrase without reporting to PK Endpoint Manager (PEM). From the PK Protect user's perspective, it does not matter much whether they are managed or not. For administrators, there is an important difference to point out.
An unmanaged user is also a "Zero Knowledge User" in the system. What this means is that PEM cannot access or unlock any of the Smartkeys this type of account generates. In addition, if an unmanaged user loses or forgets their password, PEM cannot recover this type of account, because it cannot decrypt any of the content (including the unmanaged user's encrypted password stored in PEM).
Setting up an unmanaged user on PK Endpoint Manager
- To define a group or list of users who are eligible to become unmanaged users, an administrator enters the Active Directory group or user entry in the Domain group.
- Click Update in the Unmanaged Users/Groups field and start typing the name of the group or user. PEM will pull up matches to select from. You can also use Advanced AD Search.
- Save the results.
Note: An unmanaged user still needs to exist in Active Directory.
Converting a managed account on the PK Protect client
- After a user is defined in the unmanaged user group, the user can change their password through the PK Protect client. This dialog is reached from the account information shown in the right-click menu of the system tray icon. Click Change to start the process.
- This will create a separate "unmanaged" credential different from their credentials being used in Active Directory.
- After a user is unmanaged, the user will need to keep their own credentials secure. There is no recovery for a lost unmanaged credential.
The Accounts page lets administrators search for accounts within connected directories. Administrators can combine boolean expressions for granular searches using string-match operators such as "contains" and "ends with". Example scenario:
- In the first row group:
  - Click the blue "AND" button.
  - Add two rows by clicking "Add Row" twice.
  - Define the details of these two rows.
- Click "Add Group" from the first group to create a second grouping. The new group is highlighted by its indent and by the grey line box around it.
- In the new group:
  - Click "OR".
  - Click the "Add Row" button from the newly created second grouping.
  - Define the details of the two rows within this second group.
- End result: there should be two groups, one with 2 rows combined with AND and another with 2 rows combined with OR. The resulting boolean expression is (A AND B AND (Y OR Z)).
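To make the grouping semantics concrete, here is an added example (not PEM's own query engine) that evaluates a nested AND/OR search like the one built above against constructed user records; the `Row`/`Group` model, the field names and the operator names are assumptions based on the description.

```python
from dataclasses import dataclass, field

@dataclass
class Row:
    field_name: str   # e.g. "name", "email"
    operator: str     # "contains", "ends with" or "equals"
    value: str

@dataclass
class Group:
    combinator: str                       # "AND" or "OR"
    rows: list = field(default_factory=list)
    groups: list = field(default_factory=list)   # nested groups

# Case-insensitive string operators; names follow the ones the page mentions.
OPERATORS = {
    "contains": lambda actual, wanted: wanted.lower() in actual.lower(),
    "ends with": lambda actual, wanted: actual.lower().endswith(wanted.lower()),
    "equals": lambda actual, wanted: actual.lower() == wanted.lower(),
}

def row_matches(row, record):
    actual = str(record.get(row.field_name, ""))
    return OPERATORS[row.operator](actual, row.value)

def group_matches(group, record):
    # A group's result combines its own rows and its nested groups
    # with its combinator, so (A AND B AND (Y OR Z)) nests naturally.
    results = [row_matches(r, record) for r in group.rows]
    results += [group_matches(g, record) for g in group.groups]
    return all(results) if group.combinator == "AND" else any(results)

def search(group, records):
    return [r for r in records if group_matches(group, r)]

# The walkthrough's shape: a first AND group with two rows, plus a nested OR group.
QUERY = Group("AND",
    rows=[Row("email", "ends with", "@example.com"),   # A
          Row("allow", "equals", "true")],             # B
    groups=[Group("OR", rows=[Row("name", "contains", "Smith"),    # Y
                              Row("name", "contains", "Jones")])]) # Z

# Constructed sample records, not data from any real directory.
USERS = [
    {"name": "Alice Smith", "email": "asmith@example.com", "allow": "true"},
    {"name": "Bob Jones", "email": "bjones@example.com", "allow": "false"},
    {"name": "Carol Smith", "email": "csmith@other.org", "allow": "true"},
    {"name": "Dan Jones", "email": "djones@example.com", "allow": "true"},
    {"name": "Eve Brown", "email": "ebrown@example.com", "allow": "true"},
]
```

Running `search(QUERY, USERS)` returns only Alice Smith and Dan Jones: Bob fails row B, Carol fails row A, and Eve matches neither Y nor Z.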