Release Notes 7.8.4

Table of Contents

Part I Introduction 3 1 Document Conventions 3 2 DriveLock Documentation 3 Part II System Requirements 5 1 DriveLock Agent 5 2 DriveLock Management Console and Control Center 5 3 DriveLock Enterprise Service 5 Part III Supported Platforms 7 Part IV Version History 9 1 DriveLock 7.8.6 9 2 DriveLock 7.8.4 9 3 DriveLock 7.8.2 10 Part V Known Issues 11 1 Installation of Management Components Using Group Policy 12 2 DriveLock Device Scanner 12 3 Manual Updates 12 4 Self Service unlock 12 5 DriveLock iOS and iTunes 12 6 Windows Portable Devices (WPD) 12 7 DriveLock Disk Protection 13 8 DriveLock File Protection and Microsoft OneDrive 14 9 Antivirus 14 Part VI Test Installation and Upgrade 15 1 DriveLock Evaluation 15 2 Updating DriveLock Components 15 General Issues 15 Updating DriveLock Disk Protection 15

1 Introduction

This document contains important information about the new version of DriveLock and changes from previous DriveLock versions. The DriveLock Release Notes also describes changes and additions to DriveLock that were made after the documentation was completed. This and other documentation can be found on our online help page www.drivelock.help.

1.1 Document Conventions

Throughout this document the following conventions and symbols are used to emphasize important points that you should read carefully, or menus, items or buttons that you need to click or select.

Caution: This format means that you should be careful to avoid unwanted results, such as potential damage to operating system functionality or loss of data

Hint: Useful additional information that might help you save time.

Italics represent fields, menu commands, and cross-references. Bold type represents a button that you need to click. A fixed-width typeface represents messages or commands typed at a command prompt. A plus sign between two keyboard keys means that you must press those keys at the same time. For example, ALT+R means that you must hold down the ALT key while you press R. A comma between two or more keys means that you must press them consecutively. For example ‘ALT, R, U’ means that you must first press the Alt key, then the R key, and finally the U key.

1.2 DriveLock Documentation

The DriveLock Documentation consists of the following manuals: · DriveLock QuickStart Guide The QuickStart Guide describes the required steps to setup DriveLock using the DriveLock QuickStart setup wizard.The DriveLock QuickStart setup wizard can be used to simplify the installation and configuration of a basic DriveLock environment.

· DriveLock Installation Guide The Installation Guide describes the available installation packages, the system requirements and the steps for installing each DriveLock component. This is the first document a DriveLock administrator should read.

· DriveLock Administration Guide The Administration Guide describes the DriveLock architecture and components. It contains detailed instructions for configuring DriveLock using the DriveLock Management Console (DMC). This document is intended for DriveLock administrators who need to become familiar with all available DriveLock functionality.

· DriveLock Control Center User Guide This manual describes how to configure and use the DriveLock Control Center (DCC). This document is intended for administrators and users who will use DriveLock Control Center for reporting and forensic analysis.

· DriveLock User Guide The DriveLock User Guide is aimed at end users. It describes how to request the temporary unlocking of a computer, how to use DriveLock Encryption 2-Go and how to use Network Profiles.

· DriveLock Security Awareness This manual describes the new security awareness features, which are also included in DriveLock Smart SecurityEducation.

You can read and download the latest version of these manuals from our online help website www.drivelock.help.

2 System Requirements

This section contains recommendations and minimum requirements. The requirements may vary depending on your configuration of DriveLock, its components and features, and your system environment.

2.1 DriveLock Agent

Before distributing or installing the DriveLock agents on your corporate network, please ensure that the computers meet these requirements and are configured properly to provide full functionality. Main memory: o at least 4 GB RAM Free disk space: o approx. 1 GB with average policies that do not include your own video files o at least 2 GB if Security Awareness campaigns are used with video sequences (Security Awareness Content AddOn)

How much disk space you need largely depends on how DriveLock agents are configured via policies and on the settings and features they contain. It is therefore difficult to provide an exact specification here. We recommend that you verify and determine the exact value in a test setup with a limited number of systems before performing a company-wide roll-out.

Additional Windows components: o .NET Framework 4.5.2 or newer (for Security Awareness Campaigns in general) o Windows Media Player (for Security Awareness Content AddOn)

2.2 DriveLock Management Console and Control Center

Be sure to install the two management components on the same computer because the DCC will access some of the dialogs provided by the DriveLock Management Console. Before distributing or installing the DriveLock management components DMC and DCC on your corporate network, please ensure that the computers meet these requirements and are configured properly to provide full functionality. Main memory: o at least 4 GB RAM Free disk space: o approx.350 MB Additional Windows components: o .NET Framework 4.5.2 or newer

2.3 DriveLock Enterprise Service

Before distributing or installing the DriveLock Enterprise Service on your corporate network, please ensure that the computers meet these requirements and are configured properly to provide full functionality.

Main memory: o at least 8 GB RAM Free disk space: o at least 4 GB, with policies that do include Security Awareness campaigns with video sequences (Security Awareness Content AddOn), approx. 15 GB is recommended o if the server is also running the SQL-Server database, additional 10 GB are recommended for storing DriveLock data Additional Windows components: o .NET Framework 4.5.2 or newer

Depending on the number and duration of the DriveLock events that are stored, the size of the DriveLock database can vary greatly from one system environment to another. It is therefore difficult to provide an exact specification here. We recommend setting up a test environment with the planned settings over a period of at least a few days to determine the exact values. These values can be used to calculate the required memory capacity.

3 Supported Platforms

DriveLock has been tested and is released for all Windows versions (having the latest available patches installed), which have been official released by Microsoft by the time this DriveLock version was released and which have not reached their end-of-service date:

Operating System XP 3) W7 SP12) OS X Win-10 Win-10 Win-10 Server Server Server Windows 1) W8.1 10.9+ 1607 1703/ 1803/ 2008 SP2 2012 2016 1709 18094) 2008R2 20012R2 SP1 Agent (DC/AC) Device Control x x x x x x x x Application Control x x x x x x x x File encryption Mobile Encryption x x x x x x x x Application File Protection6) x x x x x x x x Disk encryption Disk Protection x13) x x x 7) x 7) Management components Management x x x x x x x Console Control Center9) x x x x x x x Enterprise Server x12) x12) x12) x12) x x x

DriveLock IGEL WYSE Embedde eLux Virtual Channel UDLX Linux V6 d Thin- 4.12.100 Windows Clients + 10) ICA x x x x RDP x x x

DriveLock Thin-Client Support ICA (Citrix) XenApp XenApp XenApp / 6.0 6.511) XenDesktop 7.X RDP (Windows TS) 2008R2 2012 2016 SP1 20012R2

Database Microsoft SQL 2008 2012/20 2016 SP2 Server5) SP4 14 SP2 2008R2 SP3 Oracle Database14) 11.2 12.2

Remarks 1) Windows Intel X86 based Systems (x86_32, x86_64, AMD64) Windows Vista and Windows 8 are not supported any more. 2) Windows 7 SP1 KB3033929 (SHA-2 code signing support) is required on Windows 7 64-bit. 3) Windows XP Windows XP with SP3 fully patched and POSReady 2009 is supported. An additional license for support of legacy OS is required! 4) Windows 10-1809Please use the latest DriveLock release for this Windows version. We are not experiencing any issues so far with this version. 5) Microsoft SQL For installations up to 200 Clients. Express 6) File Protection Citrix Terminal Servers are not supported. 7) Disk Protection UEFI and GPT Partitioning are only supported for disks up to 2 TB running on Windows 8 64 bit or newer and UEFI Version V2.3.1 or newer. For UEFI running on Windows 10 Version 1703 the Update KB4032188 is mandatory. DriveLock Disk Protection is supported on Windows 10 version 1709 or newer with some limitations (see chapter "Known issues" for more information). 9) Control Center Internet Explorer 11 is required for remote connections to an DriveLock Agent. 10) Windows Der DriveLock Virtual Channel and the DriveLock Agent must not be installed on the same Client. Embedded 11) XenApp XenApp 6.5 Hotfix Roll Up 4 or newer. 12) DES On these operating systems DES should only be installed for evaluation or testing purposes. 13) FDE and XP DriveLock Disk Protection is supported only on Windows XP released for ATMs. 14) Oracle Support We still provide support for existing customers. We strongly recommend new customers to use SQL Server instead of Oracle Database.

4 Version History

Even numbered versions are official releases available to all customers, while odd numbered versions are internal or customer specific releases. Only official releases are listed in the version history.

4.1 DriveLock 7.8.6

DriveLock 7.8.6 is a maintenance release Major fixes for these issues: · When updating the agent using msiexec a blank (black) screen might appear for a longer time.

· Palo Alto credential provider doesn't save accounts to EFS.

· The PBA for BIOS (32bit PBA) and UEFI now also supports the following tokens: SafeNet eToken NG-OPT (CardOS), SafeNet eToken NG-OPT 72k/Java, SafeNet eToken 5105, SafeNet eToken 5110.

· Block access to USB media on locked drives is also prevented even if the user has the right to format the drive.

· A memory leak in DLHM.exe was removed.

· The "Select all" button in the self-service dialog now works correctly and selects all listed computers.

· Manual mounting of an encrypted drive (file & folder encrypted) doesn't show an error message any more.

· The error "Element not found in current DriveLock policy" when importing self-service groups from a CSV file has been fixed.

4.2 DriveLock 7.8.4

DriveLock 7.8.4 is a feature release New features: · Security Awareness Packages: It’s much easier now to manage and deploy packages on the DES.

· Security Awareness Campaigns:

o We’ve created a wizard that guides you through the configuration.

o There’s no more difference between general and context-specific campaigns.

o It’s a lot easier to define how often your campaign will be displayed.

o You decide how often every single campaign will be displayed.

o You can push individual campaigns so that you can quickly get information to all users.

o You can configure multilingual texts for the display window of the Security Awareness campaigns.

· Drives and Devices: Combine different drives and devices into groups and configure shared settings.

· AD Organizational Units: You can now also restrict whitelist rules for AD organizational units.

· Device Scanner Database: You can select multiple devices during data transfer from the Device Scanner database in whitelist rules.

Major fixes for these issues: · Smartphone whitelist rules are not displayed in the Agent UI.

· File filter templates do not display correctly on Android smartphones.

· After rebooting and user logon, SD card readers display a blank usage policy.

· If the current user has no authorization for the "Root" tenant, the DCC is unexpectedly terminated at startup.

· Locked applications do not appear correctly in the "Applications" statistics in the DCC.

· Some detailed information about the Agent is lost during automatic update and is only available again after rebooting.

· In the File Filter Configuration dialog, sorting by description does not work.

· Recovery information for encrypted containers cannot be created correctly in a Citrix XenApp 6.5 Windows Server 2008 environment.

· The Temporarily Unlock wizard displays the wrong description to disable file monitoring and file filters.

4.3 DriveLock 7.8.2

DriveLock 7.8.2 is a major feature release New features: · Security awareness features significantly improved In addition to the awareness campaigns you have been familiar with so far, which were shown to users when they logged on, you can now also create and show campaigns for these specific events: - When users connect to external drives - When users connect to external devices - When users start applications or attempt to use locked applications Select different types of content most suited for your campaign: images, text, PDF or RTF files, videos or URL content.

· When you purchase the Security Awareness Content AddOn (as subscription), new multimedia and interactive content is also available as an additional content type (microLearning sessions, security flashes or eLearning courses).

· Signed DriveLock policies (experimental feature)

· You can add certificates to DriveLock policies now; they can be automatically parameterized during installation and provide additional protection against manipulation on the clientAdditional status information of the DriveLock agents via tray icon and command line provides detailed information on the current configuration of the agent on a client

· In the DCC's HelpDesk view, you can see information on the status of the agents that are temporarily unlocked; this information is updated with every heartbeat interval

· Now you can collect log files and support information directly from a connected agent with the DCC and send them to DriveLock SE, together with the ticket ID and customer name

· You can now update the DES and the databases without user interaction, and all tenant databases are also updated during the update process

· You can now clean up local hash databases, and delete unwanted applications manually

· A simpler editing mode allows you to manage policy assignments more easily for many or a large number of existing policies

Major fixes for these issues: · In some cases, the DriveLock Agent loses its assignment to the DES and the assigned tenant during the update

· Sometimes the warning "Could not resolve CSP" is written to the DES logfile for no reason

· The MMC crashes when accessing a local whitelist database while the agent is adding to it

· The permission settings for the "Antivirus" and "Disk Protection" helpdesk views do not work properly in the the DCC

· The DES does not process Microsoft patch information longer than 32 characters correctly

· You cannot save the temporary unlock view settings in the MMC without entering a password

· In some cases, file filter settings are not evaluated correctly in "Access denied" configurations

· Smartphone whitelist rules are not displayed correctly in DriveLock AgentUI

· When formatting a USB drive with enforced encryption, an error occurs on thin clients without DriveLock Virtual Channel

· A confusing UI causes existing unencrypted data to be deleted by mistake when configuring the advanced settings for enforced encryption with File Protection

· The panel for the self-service unlock settings is missing in the MMC in the task view

· You can only change the file filter settings for encrypted media rules in the MMC after saving

· If you disable application control in the policy, the filter driver remains enabled in certain situations

· You can format USB media devices, although access permissions are active without write permissions

· If Machine Learning is enabled, installations installed via msi.dll (e.g. Office 2013) are not handled correctly and their applications are completely added to the local whitelist.

· Long texts in the self-service usage policy are cut off because the scrollbar is missing

5 Known Issues

This chapter contains known issues for this version of DriveLock. Familiarize yourself with the information in this chapter to avoid unnecessary effort during testing and deployment.

5.1 Installation of Management Components Using Group Policy

Installing the DriveLock Management Console, the DriveLock Control Center or the DriveLock Enterprise Service by using Group Policy is not possible. Instead, use the DriveLock Installer to install these components as described in the Installation Guide.

5.2 DriveLock Device Scanner

Use the Device Scanner integrated in the product in all environments where only the standard client "Root" has been set up. This applies to most customer installations. If you have a multi-client environment, you will receive an error message when viewing and saving the scan results.

5.3 Manual Updates

If other policy deployment than GPO is used, on Windows 8 and higher, a manual update of the DriveLock Agent will not finish properly, if you start the DriveLock Agent.msi from the Windows Explorer (e.g. by double clicking). Run the MSI-package from an administrative command window with msiexec or use DLSetup.exe.

5.4 Self Service unlock

Self Service unlock and Apple iPhones If you use the Self Service wizard to unlock connected iPhone devices, it will still be possible to copy pictures manually from the connected iPhone after the unlock period ended.

5.5 DriveLock iOS and iTunes

DriveLock recognizes and controls current generation Apple devices (iPod Touch, iPhone, iPad etc.) For older Apple devices that are only recognized as USB drives no granular control of data transfers is available (for example, iPod Nano). DriveLock and iTunes use similar multicast DNS responders for automatic device discovery in networks. When installing both DriveLock and iTunes the installation order is important: · If DriveLock has not been installed yet you can install iTunes at any time. DriveLock can be installed at any later time without any special considerations.

· If DriveLock is already installed on a computer and you later install iTunes you have to run the following command on the computer before you start the iTunes installation: drivelock -stopdnssd. Without this step the iTunes installation will fail.

After an update of the iOS operating system on a device, iTunes will automatically start a full synchronization between the computer and the device. This synchronization will fail if DriveLock is configured to block any of the data being synchronized (photos, music, etc.).

5.6 Windows Portable Devices (WPD)

Locking “Portable devices” prevented, that some Windows Mobile Devices could be synchronized via "Windows Mobile Device Center", although the special device was released in a whitelist.

Windows starting from Windows Vista and later uses a new "User-mode Driver Framework" for this kind of devices. DriveLock now includes this type of driver. The driver is deactivated on the following systems because of a malfunction in the Microsoft operating system: · Windows 8

· Windows 8.1 without Hotfix KB3082808

· Windows 10 older than version 1607

5.7 DriveLock Disk Protection

Antivirus protection software may cause the DriveLock Disk Protection installation to fail if the antivirus software quarantines files in the C:\SECURDSK folder. If this occurs please disable your antivirus protection for the duration of the Disk Protection installation and re-enable it after the installation is completed. We recommend that you configure your virus scanner with an exception for the C:\SECURDSK folder. When Installing DriveLock Disk Protection we strongly recommend that you deactivate the application control if they are active in the whitelist modus. This will prevent the blocking of programs that are necessary for the installation. On a small number of computer models the default DriveLock Disk Protection pre-boot environment configuration may not work correctly and cause the computer to become unresponsive. If this occurs turn off the computer and restart it while pressing the [Shift] key. When prompted select the option to use the 16-bit pre-boot operating environment. Hibernation will not work while a disk is encrypted or decrypted. After complete encryption or decryption windows has to be restarted once to make hibernate work again.

UEFI mode

Not all hardware vendors implement the complete UEFI functionality. We recommend not to use the UEFI mode with UEFI versions less than 2.3.1.

The full functionality of the Pre-Boot-Authentication (PBA) for UEFI is not yet available as for BIOS. · Touchscreen is not supported. A hardware keyboard (USB or PS/2) is required.

· Mouse operation is not yet supported.

· Some PS/2 keyboards may work improperly.

· The PBA GUI is only available in English.

Additional topics: · Secure Boot must be deactivated up to version 7.6.4. DriveLock 7.6.6 and higher supports UEFI secure boot.

· If you update the firmware, the NVRAM variables on the mainboard that DriveLock requires may be deleted. We strongly recommend that you install the firmware updates for the mainboard /UEFI before installing DriveLock PBA / FDE ( this also applies to recently purchased devices or to bug fixes).

· A 32 bit Windows operating system or 32 bit DriveLock cannot be installed on 64 bit capable hardware. Please use a 64 bit version of a Windows operating system and DriveLock instead.

· There is still a limitation to disks up to a maximum of 2 TB disk size.

· On some HP PCs Windows always will be set to position one again in the UEFI boot order and the DriveLock PBA has to be selected manually from the UEFI boot menu. In this case fast boot has to be switched off in UEFI to keep the DriveLock PBA at position one.

· Windows 10 Version 1703 (Creators Update) can remove the DriveLock boot entry from the UEFI boot menu while shutting down or when hibernating. Therefore the DriveLock PBA will no longer boot at the next startup and Windows cannot boot from the encrypted system hard disk. In August 2017 Microsoft released Update KB4032188 which resolves this issue. Update KB4032188 will be installed automatically by Windows or can be downloaded manually. https://www.catalog.update.microsoft.com/Search.aspx?q=KB4032188 Check if update KB4032188 or any later update that replaces KB4032188 is installed before you install DriveLock Disk Protection for UEFI. When upgrading to Windows 10 Version 1703 where DriveLock Disk Protection for UEFI is already installed, add update KB4032188 to the Creators Update before you upgrade.

· Due to an issue in Windows 10 Version 1709 and newer, DriveLock Disk Protection for BIOS cannot identify the correct disk if more than one hard disk is connected to the system. Therefore Disk Protection for BIOS is not yet released for Windows 10 1709 systems with more than one hard disk attached until Microsoft provides a fix for this issue.

5.8 DriveLock File Protection and Microsoft OneDrive

With Microsoft OneDrive, Microsoft Office may synchronize directly with OneDrive instead of writing the file to the local folder first. Then the DriveLock encryption driver is not involved and the Office files will not be encrypted in the Cloud. To switch off the Office synchronization, uncheck Use Office 2016 to sync Office files that I open or similar settings in OneDrive. It must be assured, that Office files as other files always are stored locally.

5.9 Antivirus

Antivirus generally Since DriveLock 7.8, the on-demand scanner (Cyren) will not be included any more. Customers with a valid Avira license/subscription can use the Avira scanner to scan external drives, until the subscription terminates. Avira Antivirus Since DriveLock 7.9 Avira is no longer supported.

6 Test Installation and Upgrade

6.1 DriveLock Evaluation

You can install the DriveLock - the Agent, the Management Console, the Control Center, the Enterprise Service and Microsoft SQL Express - on the same computer. This topology makes it easy to evaluate DriveLock’s central reporting features using minimal hardware. On our website www.drivelock.help you can find a Quick Start Guide that guides you through the initial installation. This guide also shows you how to create a test installation and set up the initial configuration with the help of the Quick Start Wizard.

If you downloaded the DriveLock software from the Web site (www.drivelock.com), a 30-day trial license is included. To evaluate DriveLock on a single computer, you don’t need to perform any license configuration. If you install the DriveLock Agent on multiple client computers and configure DriveLock settings using Microsoft Group Policy, a Centrally Stored Policy or a configuration file or if you want to tests the Disk Protection too, you have to add a license key to the configuration. You can use the evaluation license key that is installed with DriveLock Management Console (by default, C:\Program Files\CenterTools\DriveLock MMC\Tools\AgentTrial.lic). When using the quick start wizard, this license is imported in the generated policy automatically.

6.2 Updating DriveLock Components 6.2.1 General Issues The DriveLock Installation Guide describes all necessary steps required to update the components. In addition theses release notes may contain additional information. The DMC and the DCC will be installed in separate directories to avoid side effects when updating these components automatically.

The DriveLock Control Center uses some components of the DriveLock Management Console for remote maintenance. Both components must each have the same version number, which must also match the version of the installed DES.

6.2.2 Updating DriveLock Disk Protection After the DriveLock Agent has been updated, an existing DriveLock FDE installation will be updated automatically and without re-encryption to the most current version. After updating the FDE components, a reboot may be required. For further information on updating DriveLock Disk Protection or updating the operating system where DriveLock Disk Protection is already installed, see our separate document available for download from our website www.drivelock.help.

Die in diesen Unterlagen enthaltenen Angaben und Daten, einschließlich Information in this document, including URL and other Internet Web site URLs und anderen Verweisen auf Internetwebsites, können ohne references, is subject to change without notice. Unless otherwise noted, vorherige Ankündigung geändert werden. Die in den Beispielen the example companies, organizations, products, domain names, e-mail verwendeten Firmen, Organisationen, Produkte, Personen und Ereignisse addresses, logos, people, places, and events depicted herein are fictitious, sind frei erfunden. Jede Ähnlichkeit mit bestehenden Firmen, and no association with any real company, organization, product, domain Organisationen, Produkten, Personen oder Ereignissen ist rein zufällig. Die name, e-mail address, logo, person, place, or event is intended or should Verantwortung für die Beachtung aller geltenden Urheberrechte liegt be inferred. Complying with all applicable copyright laws is the allein beim Benutzer. responsibility of the user. Unabhängig von der Anwendbarkeit der entsprechenden DriveLock and others are either registered trademarks or trademarks of Urheberrechtsgesetze darf ohne ausdrückliche schriftliche Erlaubnis der DriveLock SE or its subsidiaries in the United States and/or other DriveLock SE kein Teil dieser Unterlagen für irgendwelche Zwecke countries. vervielfältigt oder übertragen werden, unabhängig davon, auf welche Art The names of actual companies and products mentioned herein may be und Weise oder mit welchen Mitteln, elektronisch oder mechanisch, dies the trademarks of their respective owners. geschieht. Es ist möglich, dass DriveLock SE Rechte an Patenten bzw. angemeldeten Patenten, an Marken, Urheberrechten oder sonstigem geistigen Eigentum besitzt, die sich auf den fachlichen Inhalt dieses Dokuments beziehen. Das Bereitstellen dieses Dokuments gibt Ihnen jedoch keinen Anspruch auf diese Patente, Marken, Urheberrechte oder auf sonstiges geistiges Eigentum, es sei denn, dies wird ausdrücklich in den schriftlichen Lizenzverträgen von DriveLock SE eingeräumt. Weitere in diesem Dokument aufgeführte tatsächliche Produkt- und Firmennamen können geschützte Marken ihrer jeweiligen Inhaber sein.