This article defines the supported activation workflows for Dell Encryption Enterprise (formerly Dell Data Protection | Enterprise Edition) and Dell Encryption External Media (formerly Dell Data Protection | External Media Edition).

Affected Products:
- Dell Encryption Enterprise
- Dell Data Protection | Enterprise Edition
- Dell Encryption External Media
- Dell Data Protection | External Media Edition

Affected Operating Systems:
- Windows

Not applicable.

Dell Encryption Enterprise can authenticate with a Dell Data Security server by one of several authentication workflows. For more information, select the appropriate workflow.

Active-Directory-Based Activation

Active Directory-based activation is Dell Encryption Enterprise's default method of validating user accounts for policy-based encryption. The Dell Encryption network provider filter captures authentication information during login. This information is securely sent to the Dell Data Security (formerly Dell Data Protection) server. The server validates the credentials against the configured Active Directory domains.

Note: In environments using a remote LDAP service (Azure Active Directory, Okta, Duo), the Dell Data Security server requires a local domain controller for proper authentication to Active Directory. The local domain controller must be specified within the Domain settings for that environment in the Dell Data Security server. For more information, reference the Domain Access section for your server version in How to Configure the Dell Data Security / Dell Data Protection Server Administration Console.

Opt-In (Deferred) Activation

Opt-in (deferred) activation allows the Active Directory user account that is used during activation to be independent of the account that is used to log in to the endpoint. Instead of the network provider capturing the authentication information, the user manually specifies the Active Directory-based account when prompted. Once the credentials are entered, the authentication information is securely sent to the Dell Security Management server. The server then validates it against the configured Active Directory domains.

This workflow can be enabled either During Installation or Post-Install, including after the device has been activated for a new user. For more information, select the appropriate method.

During Installation

To enable opt-in activation:

The child installer may be run with the OPTIN=1 parameter to enable opt-in activation.

Note: Dell Encryption Enterprise must be downloaded and extracted from the Master Installer.
- For information about downloading Dell Encryption Enterprise, reference How to Download Dell Encryption Enterprise or Dell Encryption Personal.
- For information about the extraction process, reference How to Extract Child Installers from the Dell Data Security Master Installer.
- For more information about adding parameters, reference the CLI section in How to Install Dell Encryption Enterprise / Dell Data Protection Enterprise Edition.

Post-Install

To enable opt-in activation:

1. Right-click the Windows start menu and then click Run.
2. In the Run UI, type regedit and then press OK. This opens the Registry Editor.
3. In the Registry Editor, go to HKEY_LOCAL_MACHINE\Software\Dell\Dell Data Protection\Encryption.
4. Right-click the Encryption folder, select New, and then click DWORD (32-bit) Value.
5. Name the DWORD value OPTIN.
6. Double-click OPTIN.
7. In Value data, delete the 0, populate the field with 1, and then click OK.
8. Reboot the device.

The opt-in prompt appears on reboot.

Server Encryption (KIOSK Mode) Activation

Server encryption activation allows a single Active Directory user account to be defined for the endpoint, comparable to the opt-in activation workflow. Once the user is defined with certificate-based activation, Dell Encryption generates a synthetic user account. The synthetic account is bound to the provided username and password to validate with Active Directory. This synthetic account is used for all key unlocks. The key unlocks are then performed by a certificate validation to the back-end server using TLS with mutual authentication.

This workflow can be enabled either During Installation or Post-Install before the device has been activated. For more information, select the appropriate method.

Warning: This mode can either be enabled during the installation of the application, or after installation but before activation.

Note:
- Server encryption activation requires communication directly to the back-end server to validate the certificate that is assigned to the synthetic user. These certificate validation processes cannot be proxied through a front-end server.
- By default, the single Active Directory user must also be a domain administrator. This can be modified with configuration.

During Installation

To enable server encryption mode activation:

The child installer may be run with the SERVERMODE=1 parameter to enable server encryption mode activation.

Note: Dell Encryption Enterprise must be downloaded and extracted from the Master Installer.
- For information about downloading Dell Encryption Enterprise, reference How to Download Dell Encryption Enterprise or Dell Encryption Personal.
- For information about the extraction process, reference How to Extract Child Installers from the Dell Data Security Master Installer.
- For more information about adding parameters, reference the CLI section in How to Install Dell Encryption Enterprise / Dell Data Protection Enterprise Edition.

Post-Install

To enable server encryption mode activation:

1. Right-click the Windows start menu and then click Run.
2. In the Run UI, type regedit and then press OK. This opens the Registry Editor.
3. In the Registry Editor, go to HKEY_LOCAL_MACHINE\Software\Credant\CMGShield.
4. Right-click the Encryption folder, select New, and then click DWORD (32-bit) Value.
5. Name the DWORD value SM.
6. Double-click SM.
7. In Value data, delete the 0, populate the field with 1, and then click OK.
8. Reboot the device.

To contact support, reference Dell Data Security International Support Phone Numbers. Go to TechDirect to generate a technical support request online. For additional insights and resources, join the Dell Security Community Forum.
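
The Post-Install registry steps in the opt-in and server encryption sections above can be audited and applied from an elevated PowerShell session. This is an added example, not Dell-supplied code: the function names Get-ActivationWorkflowSetting and Enable-ActivationWorkflow are hypothetical, and it assumes each DWORD is created directly under the registry key the article navigates to.

```powershell
# Added example (not Dell code). Paths and value names are the ones given in the article.
$Workflows = @{
    OptIn      = @{ Path = 'HKLM:\Software\Dell\Dell Data Protection\Encryption'; Name = 'OPTIN' }
    ServerMode = @{ Path = 'HKLM:\Software\Credant\CMGShield';                    Name = 'SM' }
}

function Get-ActivationWorkflowSetting {
    # Report the current DWORD for each workflow; Value is $null when the value is absent.
    foreach ($key in $Workflows.Keys) {
        $w = $Workflows[$key]
        $value = $null
        if (Test-Path -LiteralPath $w.Path) {
            $item = Get-ItemProperty -LiteralPath $w.Path -Name $w.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.($w.Name) }
        }
        [pscustomobject]@{
            Workflow = $key
            Path     = $w.Path
            Name     = $w.Name
            Value    = $value
            Enabled  = ($value -eq 1)
        }
    }
}

function Enable-ActivationWorkflow {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('OptIn', 'ServerMode')][string]$Workflow
    )
    $w = $Workflows[$Workflow]
    # Assumption: a missing key means the client is not installed, so the key is never created here.
    if (-not (Test-Path -LiteralPath $w.Path)) {
        throw "Registry key not found: $($w.Path)"
    }
    # This does not check whether the device is already activated; per the article,
    # server encryption mode must be set before activation.
    if ($PSCmdlet.ShouldProcess("$($w.Path)\$($w.Name)", 'Set DWORD to 1')) {
        New-ItemProperty -LiteralPath $w.Path -Name $w.Name -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Audit first; the change itself is previewed with -WhatIf.
Get-ActivationWorkflowSetting | Format-Table -AutoSize
Enable-ActivationWorkflow -Workflow OptIn -WhatIf   # remove -WhatIf to apply, then reboot
```

Running the audit function across a fleet shows which endpoints have been switched away from the default Active Directory-based activation, which is worth tracking because server encryption mode ties all key unlocks to one synthetic account.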