
Bet 268554 Gitcs Safeboot Reg Supt Gitcs-osi-055 2


If you are using a printed copy of this document, please check that the version number is consistent with the current version number in the EIS Electronic Library.

Title: GITCS-OSI-055 SafeBoot Mobile Data Security Client Support for Local Desktop Support Teams

Page 1 of 24 Version 2.0

Owner: Christina Payton Confidential Last Save Date: 26-Sep-2007

GITCS-OSI-055

SafeBoot Mobile Data Security Client Support for Local Desktop Support Teams

Version 2.0

Effective Date: 01-Oct-2007

Purpose: The purpose of this OSI is to describe how to support SafeBoot Mobile Data Security Client Software loaded on a Lilly business notebook/tablet for Zone 1, Zone 2, and Zone 3 local desktop support groups.

Scope: The scope for this document is global Zone 1, Zone 2 and Zone 3 local support teams.

Areas Involved: Global IT Customer Services

Supersedes/Replaces: GITCS-OSI-055, SafeBoot Mobile Data Security Client Software Version 4.2 and Higher, Version 1.0


ELI LILLY AND COMPANY


TABLE OF CONTENTS

1. INTRODUCTION
   1.1 SCOPE
   1.2 CHANGE CONTROL REQUEST
   1.3 REFERENCE DOCUMENTS
   1.4 DOCUMENTS REFERENCED IN THIS PROCEDURE:
   1.5 ROLES AND RESPONSIBILITIES:
   1.6 GLOSSARY/ACRONYMS/ABBREVIATIONS:

2. USING SAFEBOOT MOBILE DATA SECURITY CLIENT
   2.1 CHECKING SAFEBOOT ENCRYPTION STATUS
   2.2 VERIFYING SYNCHRONIZATION WITH SAFEBOOT SERVER

3. TIER 2 – LOCAL SUPPORT USER TOOLS
   3.1 RECOVERING A COMPUTER WITH UNKNOWN SAFEBOOT CREDENTIALS (BOOT ONCE)
   3.2 PERMANENTLY REMOVING SAFEBOOT AND DECRYPTING A BUSINESS COMPUTER (BOOTABLE FUNCTIONING MACHINE)
   3.3 RECOVERING DATA FROM A FAILED OR NON-BOOTABLE HARD DRIVE (WITHOUT DECRYPTING)
   3.4 BIND USER TOOL

4. TRAINING

REVISION HISTORY:

PROCEDURE APPROVAL SIGNATURES:


1. INTRODUCTION

1.1 Scope

The purpose of this document is to describe how to support SafeBoot Mobile Data Security Client software on a Lilly business notebook/tablet for Zone 1, Zone 2, and Zone 3 local desktop support groups.

1.2 Change Control Request

Problems with the content of this Operational Support Instructions (OSI) document will be documented with a Change Request and resolved in a subsequent version of the document.

1.3 Reference Documents

Refer to the GITCS Master Document List System located on the GITCS website for the latest version of this document. The GITCS Quality Integrator maintains the Master Document List Systems.

1.4 Documents Referenced in this Procedure:

Document Name: GITCS-OSI-052 SafeBoot Mobile Data Security Administration
Location: GITCS Master Document List System


1.5 Roles and Responsibilities:

Role: Enterprise Administrator

Responsibility: Highest Administrative Authority for the SafeBoot Administrative Environment. The Enterprise Administrator is the system owner.

1. Server Architecture/Design/Administration
   a. Architecture and design implementation
   b. Administer the SafeBoot Database
   c. Administer the SafeBoot Server(s)

2. Policy Design and Maintenance
   a. Globally administer user and machine groups policies
   b. Create and apply changes to policies for users and machine groups

3. User Management
   a. Globally create/delete/rename user accounts
   b. Globally administer users in support groups

4. Machine Management
   a. Globally create/delete/rename machine accounts

5. Group Management
   a. Globally create/delete/rename user groups
   b. Globally create/delete/rename machine groups

6. AD Synchronization Management
   a. Globally maintain Active Directory Connector objects.

7. Password/token resets
   a. Perform WebRecovery Password Resets
   b. Perform Administrative Password Resets

8. Perform Recovery Operations
   a. Perform WebRecovery Machine Recoveries/unlocks
   b. Perform Administrative Machine Recoveries/unlocks
   c. Perform Administrative SafeBoot decryption and SafeBoot uninstallation
   d. Distribute daily SafeTech access codes to Regional Administrators, as needed.


Role: Regional Administrator

Responsibility: The Regional Administrator (one per EIS IT Zone) administers all users and machines for the respective Zone. Scope is machine groups and user groups in the respective Zone only.

1. Server Management
   a. Check status of SafeBoot Server
   b. Restart SafeBoot Server

2. User Management
   a. Globally create/delete/rename user accounts
   b. Globally administer users in support groups

3. Machine Management
   a. Globally create/delete/rename machine accounts

4. Password/token resets
   a. Perform WebRecovery Password Resets
   b. Perform Administrative Password Resets

5. Perform Recovery Operations
   a. Perform WebRecovery Machine Recoveries/unlocks
   b. Perform Administrative Machine Recoveries/unlocks
   c. Perform Administrative SafeBoot decryption and uninstallations
   d. Distribute daily SafeTech access codes to Local Support User on an as needed basis.

Role: Regional Support User – Tier 1/Remote Tier2

Responsibility: Regional Support encompasses the typical Tier 1/Help Desk function, and possesses the responsibility to perform password/token resets for users in their respective Zone. The Regional Support role also possesses the responsibility to unlock machines for machines in their respective Zone. It embodies the capabilities of a technician doing remote Tier 2 support (remote control of the PC with the business partner on the telephone).

It is not expected that SafeBoot will create any significant increase in incidents to be resolved, but resolution times will increase due to the challenge/response nature of the account management tools.

1. Perform WebRecovery Password Resets and Account Unlocks
2. Provide Boot Once assistance to Local Support Users as needed

Role: Local Support User – On-site Tier 2

Responsibility: Local Support User role exists to allow a small number of Tier 2 technicians the ability to provide valid SafeBoot preboot credentials to a SafeBoot user’s machine within the specific locality. This role has no administrative authority in the server environment. Scope of the role is machines assigned to groups for their respective affiliate location. Such technicians are presumed to have Windows-based Administrator rights to perform the needed modifications to the computer. Disaster recovery incident resolution times will increase due to the need to decrypt the information on the computer to perform some recovery efforts.

1. Perform Disaster Recovery Operations using SafeBoot tools (WinTech & SafeTech) provided by the vendor
2. Performing Boot Once Procedure as needed
3. Reinstall SafeBoot Data Encryption on notebooks during break/fix activities

Role: End User

Responsibility: Client end user. No administrative authority in the server environment.


1.6 Glossary/Acronyms/Abbreviations:

Acronym Description

BET Business Event Training (Course Number)

GITCS Global IT Customer Services

OSI Operational Support Instructions

IVI Installation Verification Instructions

MBR Master Boot Record

T1 Tier 1

T2 Tier 2

CR Change Request

TT Trouble Ticket

HDD Hard Disk Drive


2. USING SAFEBOOT MOBILE DATA SECURITY CLIENT

2.1 Checking SafeBoot Encryption Status

To check the status of SafeBoot encryption or connection to the SafeBoot server, follow the steps below. You would want to do this to verify encryption is completed.

Step 1
Action: Right click on SafeBoot icon in system tray
Expected Result: Menu appears

Step 2
Action: Select “Show Status” from menu (NOTE: Do not double click or SafeBoot screen saver will activate.)
Expected Result: SafeBoot Status Window appears

Step 3
Action: Verify Encryption status in bottom right corner of window
Expected Result: Encryption status will be:
• Blue: In Progress
• Red: None
• Green: Encrypted

Step 4
Action: Click “Close” button
Expected Result: SafeBoot Status Window closes


2.2 Verifying Synchronization with SafeBoot Server

To verify synchronization with the SafeBoot server, follow the steps below. You would want to do this to verify end user(s) are added or updates are received. Synchronization is on a 1-3 minute delay, so it will not start immediately when the user logs into the PC.

Step 1
Action: Right click on SafeBoot icon in system tray
Expected Result: Menu appears

Step 2
Action: Select “Show Status” from menu (NOTE: Do not double click or SafeBoot screen saver will activate.)
Expected Result: SafeBoot Status Window appears

Step 3
Action: Verify that “Finish Synchronization” appears in Activity Log area of window
Expected Result: For example last line should read: 12/05/2006 17:29:30 finished synchronization

Step 4
Action: Scroll up in window to see what updates were performed (i.e. added end user, updating token, updating database, etc.)
Expected Result: All updates will appear in activity log

Step 5
Action: Click “Close”
Expected Result: SafeBoot Status Window closes


3. TIER 2 – LOCAL SUPPORT USER TOOLS

The tools in this section are to be used by the Local Support Users in troubleshooting problem(s) with a SafeBoot-encrypted business computer.

IMPORTANT: Use of these tools may cause permanent loss of data. There is no guarantee that data can be recovered from a failed hard drive or operating system. The best and easiest practice is to ensure all end users are performing and maintaining frequent secure backups of their data. If a hard drive is damaged or is not bootable, the hard drive should be replaced or formatted and a new eBuild applied with the backup data.

If you have any questions about this tool, please contact the Enterprise or Regional SafeBoot Administrator prior to using these tools.

3.1 Recovering a Computer with Unknown SafeBoot Credentials (Boot Once)

This option is used in case the user name is forgotten or the end user or technician is not assigned to the business computer and the business computer is in the pre boot environment. In this instance you will need to initiate a process to boot the business computer into Windows. An example of an instance to use this process would be when a new Local Support User needs to log onto a business computer that has not been synchronized for an extended period of time, thus the new support user does not have valid credentials on the machine.

NOTE: This process should never be used with an End User.

Step 1
Action: Navigate to the SafeBoot Web Helpdesk website for your zone.
• Z1 - IC1encrprd01: https://40.1.234.72
• Z2 - YO2VMENCSVR01: https://40.205.6.78
• Z3 - sg3sboot01: https://40.191.33.58
NOTE: Use of the fully qualified domain name (am.lilly.com) will cause the website to lock during a reset. Recommendation: use the IP address.
Expected Result: SafeBoot Web Helpdesk opens

Step 2
Action: Select “Perform SafeBoot Recovery” under Helpdesk Operators
Expected Result: SafeBoot Web Helpdesk Recovery page appears. NOTE: If a “4” appears on this screen, it is just an indication that you are using Version 4 of SafeBoot


Step 3
Action: Select “PC/Laptop/User Recovery”
Expected Result: Web Helpdesk Logon page appears

Step 4
Action: Log in using your SafeBoot credentials.
Expected Result: Web Helpdesk User Challenge screen appears

Step 5
Action: Have Local Support User (Tier 2 Tech) boot computer to the SafeBoot Login Screen. Instruct them to leave the User Name and SafeBoot Password fields blank and then click on “Options.”
Expected Result: SafeBoot Options screen appears.


Step 6
Action: Have Local Support User (Tier 2 Tech) click on “Recover.”
Expected Result: The Local Support User (Tier 2 Tech) will be presented with a 16 digit key on their screen.

Step 7
Action: Have Local Support User (Tier 2 Tech) read this 16 digit “User Code” from their screen to you.
Expected Result: User code is read and verified

Step 8
Action: On the Web Helpdesk User Challenge screen, enter the end user’s code in the “Challenge (from end user’s screen)” space. Select the “Boot Machine Once” option. Click “Next.”
Expected Result: You will be presented with the Web Helpdesk User Recovery Response screen.


Step 9
Action: From the Web Helpdesk User Recovery Response screen, read Line 1 of the recovery code (this will be a 17 digit code) to the end user. Instruct the End User to click “Next” on their screen.
Expected Result: Local Support User (Tier 2 Tech) will receive a screen with a blank Recovery Code.

Step 10
Action: User enters code and verifies code back
Expected Result: Code is verified

Step 11
Action: Click on Enter Challenge line at top of screen.
Expected Result: You will be taken back to the User Challenge screen.

Step 12
Action: Instruct Local Support user to click on Next.
Expected Result: The Local Support User will see a message on their screen that says, “SafeBoot is now ready to recover your machine. To proceed, click Finish.”


Step 13
Action: Instruct them to click Finish
Expected Result: Local Support User (Tier 2 Tech) receives a message that says, “Recovery completed successfully.”

Step 14
Action: Instruct them to click OK
Expected Result: Local Support User (Tier 2 Tech) will receive a message that the business computer will “Boot Once.” Business computer will restart, Windows will load and Local Support User (Tier 2 Tech) will be presented with a SafeBoot login prompt that will look different than the normal prompt.

Step 15
Action: Have Local Support User (Tier 2 Tech) click Recover on the SafeBoot Login prompt.
Expected Result: They will receive a screen with another 16 digit User Code.


Step 16
Action: Have the Local Support User (Tier 2 Tech) read the 16 digit “User Code” from the screen to you. Enter the 16 digit Code into the Challenge box, verify the code, select the “Cancel Screen Saver” option and click on Next.
Expected Result: User Code is read and verified.

Step 17
Action: Instruct the Local Support User (Tier 2 Tech) to click on Next on their screen.
Expected Result: Local Support User (Tier 2 Tech) will receive a screen with a blank Recovery Code.


Step 18
Action: Read the Recovery Code Line 1 to the Local Support User (Tier 2 Tech) who will enter it into the Recovery Code field.
Expected Result: Code is verified and entered

Step 19
Action: Instruct the Local Support User (Tier 2 Tech) to click Next
Expected Result: Local Support User will see a message on their screen that says, “SafeBoot is now ready to recover the business computer. To proceed, click Finish.”

Step 20
Action: Have the Local Support User (Tier 2 Tech) click Finish
Expected Result: A message appears on Local Support User (Tier 2 Tech) screen that says, “Recovery completed successfully.”


Step 21
Action: Have Local Support User (Tier 2 Tech) click OK
Expected Result: Local Support User (Tier 2 Tech) will be prompted with the iPass logon.

Step 22
NOTE: If the Local Support User (Tier 2 Tech) is not connected to the Lilly network, they will need to connect via Ethernet or make a connection via iPASS at this point. To bring valid credentials down to the business computer it must connect with the SafeBoot server. If you are only trying to access the business computer to retrieve data you do not need to be connected to the network.

If: already connected via Ethernet to the Lilly network (i.e. at an affiliate)
Then: Click No to iPASS prompt.
Result: Local Support User (Tier 2 Tech) will be prompted with the Security Authentication screen

If: working remotely and in location where they can make an iPASS connection
Then: Click on Yes to make an iPASS connection to Lilly
Result: Local Support User (Tier 2 Tech) will be prompted to log in to iPASS and enter iPASS information and presented with the Security Authorization screen.

If: unable to connect to the Lilly network or just needing to access business computer to move data
Then: Click No to iPASS prompt.
Result: Local Support User (Tier 2 Tech) will be prompted with the Security Authentication screen

Step 23
Action: Click OK to the Security Authorization screen
Expected Result: Windows Logon screen appears

Step 24
Action: Have Local Support User (Tier 2 Tech) enter valid Windows logon credentials to log on to the business computer (if they are not connected to the network, these credentials will need to be cached on machine or they will not be able to log in.)
Expected Result: Windows will load. Connection to SafeBoot server is made, if connected to network, and valid credentials are added.

Step 25
Action: Have Local Support User (Tier 2 Tech) open the SafeBoot status icon and verify SafeBoot synchronization occurred in Activity Log
Expected Result: Local Support User credentials are verified in activity log.

Step 26
Action: Have Local Support User (Tier 2 Tech) restart business computer
Expected Result: Local Support User (Tier 2 Tech) will be prompted with the normal login prompt for SafeBoot


Step 27
Action: Have Local Support User log in to SafeBoot with valid SafeBoot credentials
Expected Result: Local Support User will be prompted for Windows credentials and Windows desktop will appear


3.2 Permanently Removing SafeBoot and Decrypting a Business Computer (Bootable Functioning Machine)

The following procedure is used to remove SafeBoot, decrypt the drive and remove all SafeBoot files from Windows and the Windows Registry, from a business computer that is functioning properly. To remove and decrypt a non-bootable machine, see Section 3.3.

Step 1
Action: Local Support User submits a TT to Regional SafeBoot Administrator to have SafeBoot removed and business computer decrypted using.
Expected Result: Regional SafeBoot Administrator initiates removal and decryption via GITCS-OSI-052 SafeBoot Mobile Data Security Administration

Step 2
Action: Regional SafeBoot Administrator forces a synchronization of the local business computer after initiating removal of SafeBoot or the Local Support User can force the sync from the SafeBoot icon in the system tray
Expected Result: Synchronization will begin and the business computer will begin to decrypt and SafeBoot will be removed (this can take 2-3 hours to complete; during this time the computer should be left alone).

Step 3
Action: Business computer will automatically reboot once decryption is complete
Expected Result: SafeBoot is removed from the business computer, from Windows, and from the Windows Registry. The business computer is no longer encrypted.


3.3 Recovering Data from a Failed or Non-bootable Hard Drive (without decrypting).

In the event that the Windows operating system, the MBR (Master Boot Record) or the SafeBoot File System is corrupted, the following steps should be taken to access the hard drive and recover the data to a network drive or a removable media device (e.g., USB thumb drive, external hard drive).

NOTE: This procedure only gives you the ability to recover data from the drive. It will not allow you to troubleshoot issues or repair any errors. To repair a drive, see section 3.3.

You will need the following items for this process:

• SafeBoot WinTechv5 CD Rom (Modified for SafeBoot)

• CD Rom Drive

• Removable media device or network share access

• Machine configuration file for machine that needs to be recovered (on a removable media device or Network Drive)

Step 1
Action: Submit a TT to GLO/Encrypt-Client queue using profile: SB KeyRequest Profile.
Expected Result: Regional Administrator receives TT and exports *.sbd file to a secure network location

Step 2
Action: Navigate to the machine configuration file in the location the Regional SafeBoot Administrator exported it to. Cut & Paste this to a removable media device or a secure network location.
Expected Result: Configuration file is copied to appropriate location.

Step 3
Action: Insert SafeBoot WinTechv5 disc into the CD ROM drive of the business computer you need to recover. Also connect the removable media device, if needed, and restart the business computer.
Expected Result: Business computer will boot to the CD and will be booted to a SafeBoot screen and you will be prompted to start Network support.

Step 4
Action: Click Yes to start network support.
Expected Result: The Network Profiles window is displayed.

Step 5
Action: Ensure “Dynamic IP Address” is selected and click OK.
Expected Result: Network drivers are loaded and the PE Network Configurator window appears

Step 6
Action: Click on Network Drives button
Expected Result: Network Drives window appears


7 Map any network drives that you will need to access during the recovery. (Location of the configuration file or secured area you plan to copy data to.) If you are using only a removable media device, you do not need to map any drives.

To map a drive:

• Select letter to map drive to by selecting drop down arrow

• Enter path (i.e. \\sever\share) • Enter domain and user Name (i.e.

AM\AB1234) • Enter password • Click Map Drive

Repeat these steps for multiple drives you will need to map.

Mapped drives appear in the bottom section of the window

8 After mapping all drives needed, click on the “X” in upper right corner to close the window.

Window closes and PE Network Configurator window appears again

9 Click OK

Settings are applied and specified drives are mapped. PE Network Configurator window disappears.

10 Click on the Yellow GO button in the bottom left corner of the screen and select “Programs”

Menu appears

11

Select “SafeBoot WinTech” from the menu

WinTech dialog appears showing the physical drives available to mount (NOTE: if you have a removable hard drive attached, you will see it in this list also – this hard drive does NOT need to be mounted)

12 Choose the hard drive you wish to mount (usually C: or D:) by highlighting it and clicking on Next. (Repeat steps 11-16 for each drive you need to mount).

You will be prompted to browse to the location of the machine key (this is the machine configuration file provided in Step #1).

13 Click Browse and navigate to the network hard drive you mapped or the removable media device to locate the exported business computer’s configuration file.

*.SBD file is located

14 Highlight the file and click on Open

WinTech dialog appears with the path to the business computer’s configuration file.

15 Click Next

Select business computer window appears

16 Highlight the business computer you want to recover and click Finish

Message appears that the hard drive is now ready

17 Click OK

SafeBoot WinTech screen appears

18 Click on the Yellow GO button in the bottom left corner of the screen and select “Programs”

Menu appears

19 Select “A43 File Management Utility”

Utility opens

20 Click on the hard drive you mounted on the left side of the window

You should see data on right side of window – this data is now available to be recovered. (If no data is revealed on the right side, then the drive did not get mounted. Contact your Regional SafeBoot Administrator for further troubleshooting).

21 Copy data to a network drive or to a removable media device as needed.

Data is recovered.

22 IMPORTANT: MUST DO THIS! Click on Removable media device or shared drive that contains the *.SBD file and delete *.SBD file. Remove all other instances of the SDB file (transfer share, email message etc.) from where the SDB file originated.

*.SBD file is deleted.

23 Close A43 File Management Utility

Utility closes

24 Click on the Yellow GO button in the bottom left corner of the screen and select “Shut Down”/“Shut Down”. Remove the CD from the drive and the removable media device from the business computer, if connected.

Machine shuts down.

25 Submit TT to GLO/Encrypt using <profile name> to remove the business computer from the SafeBoot server

Business computer is removed from the SafeBoot server.

26 IMPORTANT: Reimage or dispose of business computer properly.

Business computer HDD is reimaged or reformatted.
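Step 22 depends on every copy of the exported configuration file being gone. The sweep below is an added example, not part of the original procedure or of SafeBoot: it lists any key files still present under the folders you name and reports a folder it cannot read as unchecked rather than clean. The script name, the folder arguments, and matching both spellings of the extension that appear on this page are assumptions.

```python
"""Added example: sweep folders for leftover exported SafeBoot machine key files."""
import os
import sys
from datetime import datetime, timezone

# The page writes the extension both as *.SBD and as SDB, so match both (assumption).
KEY_EXTENSIONS = (".sbd", ".sdb")


def sweep(roots, extensions=KEY_EXTENSIONS):
    """Return (found, unreachable).

    found       -- (path, size_bytes, modified_utc) for every key file still present
    unreachable -- roots or subfolders that could not be read; these are NOT clean
    """
    found, unreachable = [], []
    for root in roots:
        if not os.path.isdir(root):  # e.g. a share that is no longer mapped
            unreachable.append(root)
            continue
        # onerror records subfolders that cannot be listed instead of skipping them
        walker = os.walk(root, onerror=lambda e: unreachable.append(e.filename))
        for folder, _dirs, files in walker:
            for name in files:
                if not name.lower().endswith(extensions):
                    continue
                path = os.path.join(folder, name)
                try:
                    st = os.stat(path)
                    stamp = datetime.fromtimestamp(st.st_mtime, timezone.utc)
                    found.append((path, st.st_size, stamp.isoformat(timespec="seconds")))
                except OSError:  # file is listed but unreadable: still a finding
                    found.append((path, -1, "unknown"))
    return sorted(found), unreachable


def main(argv):
    if not argv:
        print("usage: sweep_keys.py <folder> [<folder> ...]")
        return 2
    found, unreachable = sweep(argv)
    for path, size, stamp in found:
        print(f"KEY FILE REMAINS  {path}  {size} bytes  modified {stamp}")
    for root in unreachable:
        print(f"NOT CHECKED       {root}")
    return 1 if (found or unreachable) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it against the removable media device and the transfer share after step 22; exit code 0 means no key file was found in any folder that could be read.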

3.4 Bind User Tool

This is a configuration of the SafeBoot package installer that allows a Local Support User to bind (add) a user to a machine with or without their Windows password. This can only be used if the machine is already encrypted and Windows is up and running.

Step # Action Expected Result

1 NOTE: Bind User cannot be run on a machine that is not fully encrypted. Run the SB: Bind User Tool from ISIT

Installation begins and you are prompted to enter credentials for the user you need to bind to the machine

2 If the End User is an existing SafeBoot user, or is at the desk during the installation: have the End User enter their user name and password and click OK.

If the End User is a new SafeBoot user and is not physically present to enter a password: enter the user name, select the “Bind UserID without a Password” check box, and click OK.

User is successfully bound to the machine

3 Click OK

If the user is an existing SafeBoot user, or is at the desk during the installation: have the End User log in with their user name and password to ensure they can log in.

If the End User is a new SafeBoot user and is not physically present to enter a password: the End User will need to contact the service desk to get their temporary SafeBoot password and have the service desk walk them through logging in.

4. TRAINING

Training on this procedure includes reading this document and understanding the contents therein. If this reading is included as a part of your training curriculum, please utilize the electronic training acknowledgement process to record the training. If the electronic training acknowledgement process is not available, complete a hardcopy training acknowledgement form and forward it to the local Training Coordinator. Retain a copy of the training acknowledgement form for your records.