2.3 Manually Adding Users

In addition to having the ZENworks PBA automatically capture users (see Enabling User Capturing), you can manually add users to the ZENworks PBA for a device. You cannot manually add smart cards.

As with captured users, users that you manually add exist only on the device; they are not added to the Disk Encryption policy’s user list. Therefore, if the Remove existing users from PBA if not in this list option is enabled in the Disk Encryption policy, the added user is removed after the next login.

You can add users through a ZENworks Control Center Quick Task or through the ZENworks Full Disk Encryption Agent. The following sections cover both methods.

2.3.1 Using a ZENworks Control Center Quick Task

To use a ZENworks Full Disk Encryption Quick Task in ZENworks Control Center, a ZENworks administrator must be assigned the Manage Endpoint Security Settings and Tasks privilege. This privilege is configured through the Quick Tasks rights for administrators and administrator groups. For help configuring Quick Tasks rights, see the ZENworks Administrator Accounts and Rights Reference.

For a user to be added to a device through a Quick Task, the device must be running and have a network connection to the ZENworks Server. Otherwise, the ZENworks Server cannot deliver the Quick Task to the device.

  1. In ZENworks Control Center, click Devices.

  2. In the Devices panel, locate the device for which you want to add a user.

  3. Select the check box next to the device, then click Quick Tasks > FDE: Update PBA User to display the Update PBA User dialog box.

  4. Fill in the following fields:

    Replace password if user already exists in PBA: Ignore this option. It only applies if you are updating an existing user’s password.

    User Name: Specify a user name for the PBA user. If single sign-on is active on the device, this user name must be the same as the Windows user name. If single sign-on is not active, the user name does not need to match the Windows user name.

    Domain: Specify a domain name for the PBA user. If single sign-on is active, this must be the Windows domain name (or computer name if the user is not a domain member). If single sign-on is not active, this field is optional. You can leave it blank or use it as another component to distinguish the PBA user name.

    Password: Specify a password for the PBA user. If single sign-on is active, this must be the Windows password. If single sign-on is not active, you can specify any password.

  5. Click OK to display the Quick Task Status dialog box.

  6. In the Quick Task Status dialog box, click Start if you want to use the default options.

    Otherwise, configure the options as desired, then click Start.

    For information about the options, click the Help icon in the Quick Task Status dialog box.

    As soon as the Quick Task is complete, the new user can authenticate to the ZENworks PBA on the device.

2.3.2 Using the Full Disk Encryption Agent

You can use the Full Disk Encryption Agent to add users to or remove users from the ZENworks PBA.

To add or remove a PBA user, you must know the FDE Administrator password for the policy assigned to the device, or you must know the ZENworks Agent override password or key.

  1. On the device, right-click the ZENworks icon in the notification area, and select Technician Application.

  2. Click Full Disk Encryption in the ZENworks Agent navigation menu.

  3. In the Full Disk Encryption Agent Actions section, click About to display the About dialog box.

  4. Click the Commands button.

  5. Supply the password, then click OK to display the Commands dialog box.

  6. Click the Add/Delete PBA User button.

  7. Provide the user name, password, and domain of the user you want to add or delete.

    User Name: Specify a user name for the PBA user. If single sign-on is active on the device, this user name must be the same as the Windows user name. If single sign-on is not active, the user name does not need to match the Windows user name.

    User Password: Specify a password for the PBA user. If single sign-on is active, this must be the Windows password. If single sign-on is not active, you can specify any password.

    User Domain: Specify a domain name for the PBA user. If single sign-on is active, this must be the Windows domain name (or computer name if the user is not a domain member). If single sign-on is not active, this field is optional. You can leave it blank or use it as another component to distinguish the PBA user name.

  8. (Conditional) If you want to delete the user, select the Check to Delete User box.

  9. Click OK to add or delete the user.

    You can verify the change by viewing the agent status and looking at the PBA User List.