bet 268556 safeboot service desk gitcs-osi-054 2

8/22/2019 BET 268556 Safeboot Service Desk GITCS-OSI-054 2

1/32

If you are using a printed copy of this document, please check that the version number is consistent with the current versionnumber in the EIS Electronic Library.

Title: GITCS-OSI-054 SafeBoot Mobile Data Security ClientSoftware Support for Service Desks

Page 1 of 32 Version 2.0

Owner: Christina Payton Confidential Last Save Date: 26-Sep-2007

GITCS-OSI-054

SafeBoot Mobile Data Security ClientSoftware Support for Service Desks

Version 2.0

Effective Date: 01-Oct-2007

Purpose: The purpose of this OSI is to describe how to support end users with SafeBootMobile Data Security Client Software loaded on their business computers.

Scope: The scope for this document is global Zone 1, Zone 2 and Zone 3 service desks.

Areas Invol ved: Global IT Customer Services

Supersedes/Replaces : GITCS-OSI-054, SafeBoot Mobile Data Security Client Software Support forService Desks Version 4.2 and higher, Version 1.0


2/32

If you are using a printed copy of this document, please check that the version number is consistent with the current version

number in the EIS Electronic Library.

ELI LILLY AND COMPANYSafeBoot Mobile Data Security Client Software Support for Service Desks


Page 2 of 32Version 2.0


TABLE OF CONTENTS

1.

INTRODUCTION............................................................................................................................................. 3

1.1 SCOPE ....................................................................................................................................................... 31.2 CHANGE CONTROL REQUEST ...................................................................................................................... 31.3 REFERENCE DOCUMENTS............................................................................................................................31.4 DOCUMENTS REFERENCED IN THIS PROCEDURE: .......................................................................................... 31.5 ROLES AND RESPONSIBILITIES:.................................................................................................................... 41.6 GLOSSARY/ACRONYMS/ABBREVIATIONS:...................................................................................................... 5

2. USING SAFEBOOT MOBILE DATA SECURITY CLIENT.............................................................................. 7

2.1 CHECKING SAFEBOOT ENCRYPTION STATUS ................................................................................................ 7

3. TIER 1 REGIONAL SUPPORT USER TOOLS ............................................................................................ 8

3.1 RESETTING A FORGOTTEN PASSWORD.......................................................................................................... 83.2 RESETTING PASSWORD AFTER TOO MANY BAD ATTEMPTS TO LOGON .......................................................... 14

3.3 BINDUSERTOOL...................................................................................................................................... 223.4 RECOVERING A COMPUTER WITH UNKNOWN SAFEBOOT CREDENTIALS (BOOT ONCE).................................... 24

4. TRAINING ....................................................................................................................................................... 31

REVISION HISTORY: .......................................................................................................................................... 32

PROCEDURE APPROVAL SIGNATURES:......................................................................................................... 32


3/32







1. INTRODUCTION

1.1 Scope

The purpose of this document is to describe how to support end users with SafeBoot Mobile Data SecurityClient software on a Lilly Business Computer loaded on their business computer.

1.2 Change Contro l Request

Problems with the content of this Operational Support Instructions (OSI) document will be documented with aChange Request and resolved in a subsequent version of the document.

1.3 Reference Documents

Refer to the GITCS Master Document List System located on the GITCS website for the latest version of thisdocument. The GITCS Quality Integrator maintains the Master Document List Systems.

1.4 Documents Referenced in this Procedure:

Document Name Location

GITCS-OSI-052 SafeBoot Mobile Data Security Administration GITCS Master Document List System

GIS-OPS-SOP-010H Pilars Docbase , gel / eis / csc

CSC-SOP-006 Access and Control of the EDS LDAPPassword Help Desk Tool

Pilars Docbase , gel / eis / csc


4/32







1.5 Roles and Responsibilit ies:

Role Responsibility

EnterpriseAdministrator Highest Administrative Authority for the SafeBoot Administrative Environment. TheEnterprise Administrator is the system owner.

1. Server Architecture/Design/Administrationa. Architecture and design implementationb. Administer the SafeBoot Databasec. Administer the SafeBoot Server(s)

2. Policy Design and Maintenancea. Globally administer user and machine groups policiesb. Create and apply changes to policies for users and machine groups

3. User Managementa. Globally create/delete/rename user accountsb. Globally administer users in support groups

4. Machine Managementa. Globally create/delete/rename machine accounts

5. Group Managementa. Globally create/delete/rename user groupsb. Globally create/delete/rename machine groups

6. AD Synchronization Managementa. Globally maintain Active Directory Connector objects.

7. Password/token resetsa. Perform WebRecovery Password Resetsb. Perform Administrative Password Resets

8. Perform Recovery Operationsa. Perform WebRecovery Machine Recoveries/unlocksb. Perform Administrative Machine Recoveries/unlocksc. Perform Administrative SafeBoot decryption and SafeBoot

uninstallationd. Distribute daily SafeTech access codes to Regional Administrators,

as needed.


5/32







Regional

Administrator

The Regional Administrator (one per EIS IT Zone) administers all users andmachines for the respective Zone. Scope is machine groups and user groups inthe respective Zone only.

1. Server Managementa. Check status of SafeBoot Serverb. Restart SafeBoot Server

2. User Managementa. Globally create/delete/rename user accountsb. Globally administer users in support groups

3. Machine Managementa. Globally create/delete/rename machine accounts

4. Password/token resetsa. Perform WebRecovery Password Resetsb. Perform Administrative Password Resets

5. Perform Recovery Operations

a. Perform WebRecovery Machine Recoveries/unlocksb. Perform Administrative Machine Recoveries/unlocksc. Perform Administrative SafeBoot decryption and uninstallationsd. Distribute daily SafeTech access codes to Local Support User on an

as needed basis.

Regional

Support User

Tier 1/Remote

Tier2

Regional Support encompasses the typical Tier 1/Help Desk function, andpossesses the responsibility to perform password/token resets for users in theirrespective Zone. The Regional Support role also possesses the responsibility tounlock machines for machines in their respective Zone. It embodies thecapabilities of a technician doing remote Tier 2 support (remote control of the PCwith the business partner on the telephone).

It is not expected that SafeBoot will create any significant increase in incidents to

be resolved, but resolution times will increase due to the challenge/response natureof the account management tools.

1. Perform WebRecovery Password Resets2. Perform WebRecovery Machine Recoveries/unlocks

Local Support

User On-site

Tier 2

Local Support User role exists to allow a small number of Tier 2 technicians theability to provide valid SafeBoot pre-boot credentials to a SafeBoot users machinewithin the specific locality. This role has no administrative authority in the serverenvironment. Scope of the role is machines assigned to groups for their respectiveaffiliate location. Such technicians are presumed to have Windows-basedAdministrator rights to perform the needed modifications to the computer. Disasterrecovery incident resolution times will increase due to the need to decrypt theinformation on the computer to perform some recovery efforts.

1. Perform Disaster Recovery Operations using SafeBoot tools (WinTech)provided by the vendor

2. Performing Boot Once Procedure as needed3. Reinstall SafeBoot Data Encryption on notebooks during break/fix activities

End User Client end user. No administrative authority in the server environment. Ability tochange their password via self help utilities or request password reset.

1.6 Glossary/Acronyms/Abbreviations:


6/32







Acronym Descr iption

BET Business Event Training (Course Number)

GITCS Global IT Customer Services

OSI Operational Support Instructions

IVI Installation Verification Instructions

MBR Master Boot Record

T1 Tier 1

T2 Tier 2

CR Change Request

TT Trouble Ticket


7/32







2. USING SAFEBOOT MOBILE DATA SECURITY CLIENT

2.1 Checking SafeBoot Encrypt ion Status

To check the status of SafeBoot encryption or connection to the SafeBoot server, follow the steps below. Youwould want to do this to help an end user verify encryption has completed on the business computer.

Step # Action Expected Result

1Instruct the end user to right click on SafeBoot icon insystem tray

Drop down menu appears

2Have end user select Show Status from the menu(NOTE: Do not double click or SafeBoot screen saverwill activate.)

SafeBoot Status Window appears

3Have end user verify the encryption status in thebottom right corner of window

Encryption status will be:

Blue: In Progress

Red: None

Green: Encrypted

4Instruct end user to click Close button SafeBoot Status Windows closes


8/32







3. TIER 1 REGIONAL SUPPORT USER TOOLS

The following tools are provided for Regional Support Users (Tier 1 Service Desk Agents) who have privilegedaccounts to log into the SafeBoot Web Recovery tool.

3.1 Resetting a forgot ten password

The following procedure should be used when a SafeBoot End User calls the Service Desk when they haveforgotten their password.


1Navigate to the SafeBoot Web Helpdesk website foryour zone.

Z1 - IC1encrprd01: https://40.1.234.72 Z2 - YO2VMENCSVR01: https://40.205.6.78 Z3 - sg3sboot01: https://40.191.33.58

NOTE: Use of fully qualified domain name(am.lilly.com) will cause the website to lock during areset. Recommendation: use IP address.)

SafeBoot Web Helpdesk opens

2Select Perform SafeBoot Recovery. Under HelpdeskOperators

SafeBoot Web Helpdesk Recovery pageappears. NOTE: If you see a 4 alongthe left edge of the screen, this isexpected it just confirms that you areusing ver 4 of SafeBoot.

3Select PC/Laptop/User Recoverybutton

Web Helpdesk Logon page appears


9/32








4Login using your SafeBoot credentials. Web Helpdesk User Challenge screen

appears

5 Verify end user identity usingGIS-OPS-SOP-010H (Challenge Questions).

End user identity is verified

6Verify the end user is at the SafeBoot Security Systemscreen and is getting :Password is Incorrect errormessage. (If End User is getting Account Lockederror, see Section 3.2 of this document.)

End user verifies they are at SafeBootlogin and is getting Password is Incorrecterror

7 Have the end user enter their User ID in the SafeBootLogin Screen and click Options. Button The end user will be presented with aSafeBoot Options screen with their nameas Common Name.


10/32








8Have the end user click Recover. button The end user will be presented with a 16

digit User Code on their screen.

9Have the end user read the 16 digit User Code fromtheir screen.

User reads 16 digit User Code fromscreen

10On the Web Helpdesk User Challenge screen, enterthe end users code in the Challenge (from end usersscreen) space and reads it back to the End User toVerify Ensure that Reset Users Password is selectedunder Select Action. Click Next.

You will be presented with the WebHelpdesk User Recovery Responsescreen showing you a 17 digit user code.


11/32








11From the Web Helpdesk User Recovery Responsescreen, read Line 1 of the recovery code (this will be a17 digit code) to the end user.

User code is read and verified to the enduser. End user enters code in the

Recovery Code box on their screen.

12 Have end user click Next The end user will see a message on thescreen that says, SafeBoot is now readyto recover your computer. To proceed,click Finish.

13

Instruct the end user to click Finish

A message appears on the end usersscreen that says, Recovery completedsuccessfully.


12/32








14Instruct the end user to click OK

User receives message that passwordhas been reset to 12345

15Have the end user enter the password, 12345 on theSafeBoot login screen and click OK.

User will be prompted to change theirSafeBoot password.

16Have end user enter a new SafeBoot password (thisshould be what the user wants their Windowspassword to be.)

End user changes SafeBoot passwordand will see Password ChangedSuccessfully window

17 Windows will then begin to load. End user will be prompted with iPassprompt

18

If Then Result

The user is already connectedvia Ethernet to the Lillynetwork (i.e. at an affiliate)

Have the end user click Noto iPASS prompt.

End user will be promptedwith the SecurityAuthentication screen

The end user is workingremotely and is in locationwhere they can make an

iPASS connection

Have end user click on Yesto make an iPASSconnection to Lilly

End user is prompted tologin into iPASS and entertheir iPASS information and

presented with the SecurityAuthorization screen.

The end user is unable toconnect to the Lilly network atthis time




13/32








19End user clicks OK to the Security Authorization

End user is logged into Windowsautomatically with their forgotten

Windows credentials. NOTE: Theforgotten password is NOT presented tothe user.

20At this point the end user no longer knows their Windows password so it must be reset to create

the synchronization with the SafeBoot password.

If Then Result

The end user is connected viaEthernet to the Lilly network(i.e. at an affiliate) or the useris working remotely via iPASS

1. Walk the end userthrough changing theirLotus Notes passwordto what they made theirSafeBoot password.

2. Click NO whenprompted tosynchronize the Notespassword with Windows

3. Instruct end user to

Logoff (usingStart/shutdown/Logoff DO NOT RESTART.

4. Reset end usersWindows password to atemporary passwordthat will force them tochange at next login.

1. End users Lotus Notespassword is changed tocurrent what theSafeBoot password wasset to in Step 16.

2. Windows password ISNOT changed at thispoint.

3. End user is logged outand brought back to the

Ctrl/Alt/Del screen readyto login in to windows

4. End user logs intoWindows with theTemporary password andwill be prompted tochange password to theone set in Step 16

Proceed to Step 21

The end user isunable toconnect to the Lilly network atthis time (Skip steps 20-24).

End process here andadvise the end user tocall Service Desk whenthey can connect to Lilly

network to synchronizepasswords.

The end user will continue tobe able to log into SafeBootwith the new password thatwas set in Step 16, however

SafeBoot will still be loggingthem into Windows with theforgotten password so thismust be reset.


14/32








21Have end user log on to Windows with temporaryWindows password.

End user logs on with temporarypassword and is prompted to change

Windows password. NOTE: If end useris not prompted to change Windowspassword, have user press Ctrl/Alt/Deland change password.

22End user enters new password (This should be sameas they entered in step 16)

Windows Password is changed

23Have end user restart computer using Start/ShutDown/Restart

Computer restarts and end user isprompted with SafeBoot logon

24Have end user logon to SafeBoot with their newWindows password

End user is logged in to SafeBoot andinto Windows. SafeBoot and Windowspasswords are now changed andsynchronized.

3.2 Resetting Password after too Many Bad Attempts to Logon

The following procedure should be used to reset a SafeBoot users password when they have attempted tolog in with an incorrect password too many times.







SafeBoot Web Helpdesk Recovery pageappears. NOTE: If you see a 4 alongthe left edge of the screen, this isexpected it just confirms that you areusing Ver 4 of SafeBoot.


15/32








3Select PC/Laptop/User Recovery Web Helpdesk Logon page appears


appears

5 Verify end user identity usingGIS-OPS-SOP-010H End user identity is verified

6Verify the end user is at the SafeBoot Security Systemscreen and is getting Account Locked error message.(If End User is getting Password is Incorrect error, seeSection 3.1 of this document.)

End User verifies at SafeBoot login and isgetting Account Locked error.


16/32








7Have the end user enter their User ID in the SafeBootLogin Screen and click Options.

The end user will be presented with aSafeBoot Options screen with their name

as Common Name.

8Have the end user click Recover. The end user will be presented with a 16

digit User Code on their screen.

9Have the end user read you the 16 digit User Codefrom their screen.

User reads the 16 digit User Code to youfrom screen.

10On the Web Helpdesk User Challenge screen, enterthe end users code in the Challenge (from end usersscreen) space. Select the first Change Tokenoption. The drop down to the right of the radio buttonshould say, Password only. Click Next.

You will be presented with the WebHelpdesk User Recovery Responsescreen.


17/32








11From the Web Helpdesk User Recovery Responsescreen, read Line 1 of the recovery code (this will be a17 digit code) to the end user. Instruct the End User to

click Next.

End User enters code and clicks Next."

12Read line 2 of the recovery code (this will be 8 digits)to the end user) to the end user. Instruct the End Userto click Next.

User code is read to end user andverified.


18/32








13End user enters code and clicks Next.

The end user will see a message on theend users screen that says, SafeBoot is

now ready to recover your computer. Toproceed, click Finish.

14Instruct the end user click Finish

A message appears on the end usersscreen that says, Recovery completedsuccessfully.


19/32








15Instruct the end user to click OK

All of the text boxes will close except forthe login box.

16Have the end user enter the password, 12345 on theSafeBoot login screen and click OK.

End user will be prompted to change theirSafeBoot password.

17Have end user enter a new SafeBoot password (thisshould be what the user wants their Windowspassword to be.)

End User changes SafeBoot password

18Windows will then begin to load.

End user will be prompted with iPasslogon screen.


20/32








19 NOTE: If end user is not connected to the Lilly network, they will need to make a connection viaiPASS at this point.

If Then Result

The user is already connectedvia Ethernet to the Lillynetwork (i.e. at an affiliate)



The end user is workingremotely and is in locationwhere they can make aniPASS connection

Have end user click on Yesto make an iPASSconnection to Lilly

End user is prompted tologin into iPASS and entertheir iPASS information andpresented with the SecurityAuthorization screen.

The end user is unable to

connect to the Lilly network atthis time

Have the end user click No

to iPASS prompt.

End user will be prompted

with the SecurityAuthentication screen

20Have end user click OK to the Security Authorizationscreen

End user is logged into Windowsautomatically with their forgotten Windowscredentials. NOTE: The forgottenpassword will NOT be presented to theuser.


21/32








21At this point the end user no longer knows their Windows password so it must be reset to createsynchronization with the SafeBoot password.

If Then Result

The end user is connected viaEthernet to the Lilly network(i.e. at an affiliate) or the useris working remotely via iPASS

1. Walk the end userthrough changing theirLotus Notes passwordto what they made theirSafeBoot password.

2. Click NO whenprompted tosynchronize the Notespassword with Windows

3. Instruct end user toLogoff (usingStart/shutdown/Logoff DO NOT RESTART.

4. Reset end usersWindows password to atemporary passwordthat will force them tochange at next login.

1. End users Lotus Notespassword is changed tocurrent what theSafeBoot password wasset to in Step 17.

2. Windows password ISNOT changed at thispoint.

3. End user is logged outand brought back to theCtrl/Alt/Del screen readyto login in to windows

4. End user logs intoWindows with theTemporary password andwill be prompted tochange password to theone set in Step 17

Proceed to Step 21

The user is unable to connectto the Lilly network at this time(Skip steps 21-25).

End process here andadvise the end user to callService Desk when theycan connect to Lillynetwork to synchronizepasswords.

The end user will continue tobe able to log into SafeBootwith the new password thatwas set in Step 17, howeverSafeBoot will still be loggingthem into Windows with theforgotten password so thismust be reset.

22Have end user log on to Windows with temporaryWindows password.

End user logs on with temporarypassword and is prompted to changeWindows password. NOTE: If End Useris not prompted to change Windowspassword, have user press Ctrl/Alt/Deland change password.

23End user enters new password (This should be sameas they entered in step 14)

Windows Password is changed

24 Have end user restart business computer usingStart/Shut Down/Restart

Business computer restarts and end useris prompted with SafeBoot logon

25Have end user logon to SafeBoot with their newWindows password

End user is logged in to SafeBoot and intoWindows. SafeBoot and Windowspasswords are now changed andsynchronized.


22/32







3.3 Bind User Tool

This is a configuration of the SafeBoot package installer that allows a Local Support User or Regional SupportUser to bind (add) a user to a machine with or without their windows password. This can only be used if themachine is already encrypted and Windows is up and running.

Step#

Action Expected Resu lt

1 Remote control intomachine if you donthave physical accessto it.

Connected via remote control to the users computer

2

Walk End Userthrough running theSB: Bind User Toolfrom ISIT.

Installation begins and you are prompted to enter credentials for the useryou need to bind to the machine

3

If Then Result

End User is an existingSafeBoot User or if the EndUser is at the desk during theinstallation

Have End User enter theirUser name and passwordand click OK

End User is a new SafeBootuser or/and is not physicallypresent to enter password.

Enter User name, clickcheck box to Bind UserIDwithout a Password andclick OK

User is successfully boundto the machine


23/32







Step#

Action Expected Resu lt

4

Click OK

If Then

User is an existing SafeBoot Useror if the user is at the desk duringthe installation

Have End User log in with theirUser name and password toensure they can log in

End User is a new SafeBoot userand/or is not physically present toenter password.

End User will need to contact theservice desk to get theirtemporary SafeBoot Passwordand have the service desk walkthem thru logging in


24/32







3.4 Recovering a Computer with Unknown SafeBoot Credentials (Boot Once)

This option is used in case the user name is forgotten or the end user or technician is not assigned to thebusiness computer and the business computer is in the pre boot environment. In this instance you will need to

initiate a process to boot the business computer into Windows. An example of an instance to use thisprocess would be when a new Local Support User needs to log onto a business computer that has not beensynchronized for an extended period of time, thus the new support user does not have valid credentials on themachine.

NOTE: This process should never be used with an End User.







SafeBoot Web Helpdesk Recovery pageappears. NOTE: If you see a 4 alongthe left edge of the screen, this isexpected it just confirms that you areusing Ver 4 of SafeBoot.

3Select PC/Laptop/User Recovery Web Helpdesk Logon page appears


25/32









appears

5Have End User boot computer to the SafeBoot LoginScreen. Instruct them to leave the User Name and

SafeBoot Password fields blank and then click on

Options.

SafeBoot Options screen appears.

6Have End User click on Recover. The End User will be presented with a

16 digit key on their screen.


26/32








7Have End User read this 16 digit User Code fromtheir screen to you.

User code is read and verified

8On the Web Helpdesk User Challenge screen, enterthe code in the Challenge (from end users screen)space. Select the Boot Machine Once option.Click Next.

You will be presented with the WebHelpdesk User Recovery Responsescreen.

9From the Web Helpdesk User Recovery Response

screen, read Line 1 of the recovery code (this will be a17 digit code) to the end user. Instruct the End User toclick Next on their screen.

End User will receive a screen with a

blank Recovery Code.

10User enters code and verifies code back Code is verified


27/32








11Click on Enter Challenge line at top of screen.

You will be taken back to the UserChallenge screen.

12 Instruct End User to click on Next. The End User will see a message on theirscreen that says, SafeBoot is now readyto recover your machine. To proceed,click Finish.

13Instruct them to ClickFinish

End User receives a message that says,Recovery completed successfully.


28/32








14Instruct them to Click OK End User will receive a message that the

business computer will Boot Once.

Business computer will restart, windowswill load and End User will be presentedwith a SafeBoot login prompt that will lookdifferent than the normal prompt.

15Have End User click Recoveron the SafeBoot Loginin prompt.

They will receive a screen with another 16digit User Code.

16Have the End User read the 16 digit User Codefrom the screen to you. Enter the 16 digit Code intothe Challenge box, verify the code, Select the CancelScreen Saver option and click on Next.

User Code is read and verified.

17Instruct the End User to click on Next on their screen. End User will receive a screen with a

blank Recovery Code.


29/32








18Read the Recovery Code Line 1 to the End User whowill enter it into the Recovery Code field.

Code is verified and entered

19Instruct the End User to clickNext End User will see a message on their

screen that says, SafeBoot is now readyto recover the business computer. Toproceed, click Finish.

20Have the End User clickFinish A message appears on End User screen

that says, Recovery completedsuccessfully.


30/32








21 Have End User to ClickOK End User will be prompted with theiPass logon.

22 NOTE: If the End User is not connected to the Lilly network, they will need to connect via

Ethernet or make a connection via iPASS at this point. To bring valid credentials down to thebusiness computer it must connect with the SafeBoot server. If you are only trying to access thebusiness computer to retrieve data you do not need to be connected to the network.

If Then Result

If already connected viaEthernet to the Lilly network(i.e. at an affiliate)

Click No to iPASS prompt. End User will beprompted with the SecurityAuthentication screen

If working remotely and inlocation where they can makean iPASS connection

Click on Yes to make aniPASS connection to Lilly

End User will be promptedto login into iPASS andenter iPASS informationand presented with the

Security Authorizationscreen.

If unable to connect to the Lillynetwork or just needing toaccess business computer tomove data

Click No to iPASS prompt. End User will be promptedwith the SecurityAuthentication screen

23Click OK to the Security Authorization screen

Windows Logon screen appears

24Have End User enter valid Windows logoncredentials to logon the business computer (if they arenot connected to the network, these credentials willneed to be cached on machine or they will not be ableto log in.)

Windows will load. Connection toSafeBoot server is made, if connected tonetwork, and valid credentials are added.

25 Have End User open the SafeBoot status icon andverify SafeBoot synchronization occurred in ActivityLog

End User credentials are verified inactivity log.

26Have End User restart business computer End User will be prompted with the

normal login prompt for SafeBoot

27Have End User login to SafeBoot with valid SafeBootcredentials

End User will be prompted for Windowscredentials and Windows desktop willappear


31/32







4. TRAINING

Training on this procedure includes reading this document and understanding the contents therein. If thisreading is included as a part of your training curriculum, please utilize the electronic trainingacknowledgement process to record the training. If the electronic training acknowledgement process is notavailable, complete a hardcopy training acknowledgement form and forward it to the local TrainingCoordinator. Retain a copy of the training acknowledgement form for your records


32/32