ZENworks Full Disk Encryption


Product-Specific Information

Micro Focus ZENworks® Full Disk Encryption is a part of the ZENworks 11 platform, but is limited with respect to which devices it can deploy security policies to (effectively a subset of all ZENworks 11 managed devices). This means that it shares a common agent, server and web-based console with all other ZENworks 11 products (ZENworks Configuration Management 11, ZENworks Asset Management 11, ZENworks Patch Management 11). However, the specific capabilities of ZENworks Endpoint Security Management 11 are limited to the managed devices noted here.


System Requirements

The "Managed Device Requirements" in "ZENworks 11 SP3 System Requirements" provides a list of software and hardware requirements that must be met to install the ZENworks Adaptive Agent on a device. Devices that you want to use for ZENworks Full Disk Encryption must meet those requirements.

Any additions or exceptions to those requirements are provided in the following list:

Operating Systems

  • Windows XP Professional (x86) with SP3
  • Windows Vista (x86 and x86-64) with SP1 or SP2—Business, Ultimate, and Enterprise versions only
  • Windows 7 (x86 and x86-64) with or without SP1—Professional, Ultimate, and Enterprise versions only
  • Windows 8 (x86 and x86-64)—Professional and Enterprise versions only
  • Supported with Windows 8.1 Update for ZENworks 11 SP3:
    • Windows 8.1 (x86 and x86-64)—Professional and Enterprise versions only

Firmware

BIOS firmware is required. UEFI firmware is not supported.


Hard Disks: Standard (no self-encrypting mechanism)

Disks:

  • IDE, SATA, and PATA hard disks are supported. SCSI and RAID hard disks are not supported.
  • Multiple standard disks (one primary and multiple secondary) are supported in one device. When using multiple disks, all disks must be the same (for example, all IDE or all SATA).
  • Encryption of both standard and self-encrypting hard disks in the same device is not supported. A device can have standard disks or it can have self-encrypting disks, but it cannot have both.

Disk communication modes:

  • ATAPI and AHCI are supported.
  • When using ZENworks Pre-Boot Authentication, we strongly recommend that you use the standard Microsoft drivers. Other drivers can cause issues such as CD and DVD drives disappearing.

Supported disk types:

  • Basic disks are supported. Dynamic disks and other disk types are not supported.

Supported file system:

  • NTFS is supported. FAT32 and all other file system formats are not supported.

Partition tables and partitions:

  • All disks must use a master boot record (MBR) partition table. GUID partition tables (GPT) are not supported.
  • ZENworks Full Disk Encryption creates a primary partition (referred to as the ZENworks primary partition) on the system disk to store files required for encryption and pre-boot authentication. Windows supports a maximum of four primary partitions; one primary partition must be available for ZENworks Full Disk Encryption. If all four primary partitions already exist, ZENworks Full Disk Encryption cannot create the required ZENworks primary partition and encryption fails.
  • A maximum of 10 partitions can be encrypted. The partitions can be on one disk or spread across multiple disks.
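
The partition-table requirements above can be checked before a Disk Encryption policy is applied. The following is an added example, not ZENworks code: it parses a disk's first 512-byte sector and reports a GPT protective MBR, a full four-entry table, or a FAT32 partition type. The function names and the sample sectors are constructed for illustration.

```python
import struct

GPT_PROTECTIVE = 0xEE        # type byte of the protective MBR written on GPT disks
FAT32_TYPES = {0x0B, 0x0C}   # FAT32 (CHS / LBA); the type byte is a hint, not proof

def check_mbr(sector: bytes) -> list[str]:
    """Return the reasons a disk's first sector fails the requirements above."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        return ["no valid MBR boot signature (0x55AA) in the first sector"]
    used = []
    for slot in range(4):                       # four 16-byte entries at offset 446
        entry = sector[446 + 16 * slot: 462 + 16 * slot]
        ptype = entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0x00 and sectors > 0:
            used.append((slot, ptype, lba_start, sectors))
    if any(ptype == GPT_PROTECTIVE for _, ptype, _, _ in used):
        return ["protective MBR found: disk uses GPT, which is not supported"]
    problems = []
    if len(used) == 4:   # an extended partition also occupies one of the four slots
        problems.append("no free primary partition slot for the ZENworks primary partition")
    for slot, ptype, _, _ in used:
        if ptype in FAT32_TYPES:
            problems.append(f"slot {slot}: FAT32 partition type 0x{ptype:02X}, only NTFS is supported")
    return problems

def build_mbr(types: list[int]) -> bytes:
    """Constructed sample input: a 512-byte sector with one entry per type byte."""
    sector = bytearray(512)
    for slot, ptype in enumerate(types):
        # status, CHS start (3), type, CHS end (3), LBA start, sector count
        struct.pack_into("<B3sB3sII", sector, 446 + 16 * slot,
                         0x80 if slot == 0 else 0, b"\0\0\0", ptype, b"\0\0\0",
                         2048 + slot * 204800, 204800)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    for label, types in [("three NTFS", [7, 7, 7]), ("four NTFS", [7, 7, 7, 7]),
                         ("GPT", [0xEE]), ("NTFS + FAT32", [7, 0x0C])]:
        print(label, "->", check_mbr(build_mbr(types)) or "ok")
```

On a real device, pass the first 512 bytes read from the system disk (on Windows, the raw device \\.\PhysicalDrive0, opened with administrator rights) to check_mbr. The free disk space requirements are not covered by this check.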

Disk space:

  • 100 MB of free disk space on the primary (system) hard disk for the ZENworks primary partition that is created when the Disk Encryption policy is applied. To create the 100 MB partition, 300 MB of disk space must be available or the creation process will fail.
  • 140 MB of free disk space on the system volume for ZENworks Full Disk Encryption software files.

Hard Disks: Self-Encrypting

  • Self-encrypting hard disks that use TCG Opal 1.0 or 2.0 technology. However, because Opal can be implemented differently by different drive manufacturers, not all TCG Opal 1.0 and 2.0 disks are compatible with ZENworks Full Disk Encryption. When deploying Full Disk Encryption to other drive models, you should ensure compatibility by testing one drive before deploying to multiple drives.
  • 140 MB of free disk space on the system volume for ZENworks Full Disk Encryption software files.
  • Encryption of both standard and self-encrypting hard disks in the same device is not supported. A device can have standard disks or it can have self-encrypting disks, but it cannot have both.

Drivers

When using ZENworks Pre-Boot Authentication, we strongly recommend that you use the Microsoft IDE/SATA drivers. Other drivers can cause issues such as CD and DVD drives disappearing.


Virtual Machines

Virtual machines must meet the requirements listed above and in "Managed Device Requirements" in the "ZENworks 11 SP3 System Requirements", with the following exception:

  • VMs can have only one hard disk. Virtual machines with multiple hard disks are not supported.

IMPORTANT: SCSI is typically the default disk type when creating a virtual machine. SCSI is not supported; the disk type must be IDE.


Smart Cards

ZENworks Pre-Boot Authentication (PBA) supports smart card authentication. For a list of supported smart card solutions, see Section A.0, Supported Smart Card Terminals and Tokens.


Single Sign-On

ZENworks Pre-Boot Authentication (PBA) supports single sign-on with Windows via both the Windows Client and OES Windows Client. When using OES Windows Client, the following requirements apply:

  • OES Windows Client 2 SP3 IR5 or later is required on Windows Vista/7/8.
  • When using user ID/password authentication with the OES Windows Client and DLU, the user needs to log in to the Client once before single sign-on will work. During single sign-on, the ZENworks PBA passes the user ID and password to the OES Windows Client. However, the client requires other details (tree, server, context, and so forth) that are available only if the user has populated the details during a previous login.
  • When using smart card authentication with the OES Windows Client, NESCM, and DLU, the user needs to be the last user to have logged in to the OES Windows Client. During single sign-on, the ZENworks PBA passes the PIN to the OES Windows Client. However, the client requires other details (tree, server, context, and so forth) that are available only if the user was the last smart card user to log in to the client.
  • Smart card authentication with the OES Windows Client, NESCM, and Disconnected Workstation Only mode is not supported.

Primary Server Requirements

Windows Servers:

  • Windows Server 2003 SP2 x86_64 (Enterprise and Standard editions)
  • Windows Server 2003 R2 SP2 x86_64 (Enterprise and Standard editions)
  • Windows Server 2008 SP2 x86_64 (Enterprise and Standard editions)
  • Windows Server 2008 R2 x86_64 (Enterprise and Standard editions)
  • Windows Server 2008 R2 SP1 x86_64 (Enterprise and Standard editions)
  • Windows 2012 Server x86_64 (Foundation, Essential, Standard, and Datacenter editions)
  • Windows 2012 Server R2 x86_64 (Foundation, Essential, Standard, and Datacenter editions)

Linux Servers:

  • SLES 11 SP2/SP3 x86_64 (Intel and AMD Opteron processors)
  • SLES 11 SP2 and SP3 for VMware X86_64
  • Red Hat Enterprise Linux 5.8, 5.9 x86_64
  • Red Hat Enterprise Linux 6.0, 6.1, 6.2, 6.3, 6.4 x86_64

Database Support

  • Microsoft SQL Server 2008 R2 (and latest SP)
  • Microsoft SQL Server 2008 SP2 (and latest SP)
  • Microsoft SQL Server 2012 (and latest SP)
  • Sybase SQL Anywhere 12
  • Oracle 11.2.0.4 Standard and Enterprise Edition (and latest patch set)

© Micro Focus