Using this tab, the system administrator can manage the users. Administrators can search for a user and disable their account or, they can disable individual devices that are connected and authenticated as a particular user. Administrators can also define unmanaged users within this screen.
In PEM Administrator, there are two types of users i.e., Managed and Unmanaged.
Managed Users are those which authenticate using their standard identity credentials. For example, using their Windows username and password they log into network (if Microsoft AD is their identity provider).
Unmanaged user is a ‘Zero Knowledge User’ within the system. An unmanaged user is one that chooses their own passphrase without reporting to the system. If an unmanaged user generates any smartkeys then PEM cannot access or unlock it. Additionally, if a user forget their password PEM cannot recover credentials for this account, nor they can decrypt any of the content.
Setting up an Unmanaged User
To define an unmanaged user, click the Edit button in the Domain panel and execute the following steps:
To define a group or list of unmanaged users, enter the Active Directory group or user email in the Unmanged Users /Groups. The PEM will display applicable matches as user or group names are typed. Select the desired user or group.
Unmanaged users must exist in Active Directory to be configured.
2. Click Save to complete the process. Click Cancel if you wish to exit without saving.
Converting a managed account on PEM client
- After a user is defined as an umanaged user, they can change their password through PEM Agent user interface. From the PEM Agent icon in the tray, right click on the icon and select My Account. The PEM Agent: My Account dialog opens. Now, click Change.
- This will create "unmanaged" credential which is different from their credentials being used in Active Directory.
- After the password is changed the user fall into the unmanaged user category. They need to secure their own credentials. If an unmanaged user loses their credentials, it cannot be recovered.
Searching for Accounts
An administrator can search for accounts within the connected directories. Administrators can use Boolean expressions and, wildcard operators such as ‘contains’, ‘equal’, etc. To help filter the data from a very large set of users.
Additionally, an admin can update the details of the user by clicking the Edit button. Similarly, they can terminate the account by hitting Delete button. Results can be filtered by selecting different column headers. The following information is available for each account.
The Allow flag displays the status of the user account. If user’s account has been compromised, an administrator can remove access to the account and all the devices from which the account is logged in.
Selecting this option, displays three options External, No and Yes.
This field displays the email address of the end user associated with this account.
This field indicates whether an account is in ‘Email’ or ‘UPN’ mode; these modes are used to distinguish individual users.
This field allows you to specify whether the source is local or not. There are two options i.e., Yes or No.
This field displays the name of the account.
This field displays the domain of the user is associated with.
This field displays the UPN associated with the user for this account.
If user account is stored in multiple Active Directory forests. In this scenario, UPN Mode allow users to login to PEM with their User Principal Names. Users will need to authenticate with the proper credentials for each Active Directory user to access each of the correlated PK Protect Identities.
In the following example the Account panel is displaying details of a user named William Edwards. It also displays additional information such as its UPN, email address, number of devices to which it is connected, etc.
Viewing the list of Devices Associated with an Account
The Device column in the Accounts panel displays the number of devices associated with a user. An admin can view the list of all the devices by clicking the number displayed in the Device column.
This will display the ‘Devices’ panel, which provides an additional detail related to the devices associated with the account.