68434: Acronis DeviceLock DLP - FAQ

    Last update: 25-08-2021

    This article contains frequently asked questions about Acronis DeviceLock DLP and answers to them. If you still have questions left, please contact Acronis support.

     

    General

    Is there a server component of Acronis DeviceLock DLP, and what does it serve as?

    There are two server components in Acronis DeviceLock DLP: DeviceLock Enterprise Server (DLES) and DeviceLock Content Security Server. Both require a database back end: Microsoft SQL Server, SQL Server Express, or PostgreSQL (the latter with some limitations in functionality). They are referred to as “server” components because they generally need to run on Windows Server class operating systems, since workstation editions limit the number of concurrent inbound connections. They can be hosted on virtual servers and/or share existing servers that have spare connection capacity during the day (e.g. backup, staging, or patch servers).

    The DeviceLock Enterprise Server component is not mandatory for administration; it is only necessary if the customer intends to centrally aggregate audit and shadow data for reporting and forensic analysis. In mid-to-large environments there would generally be multiple DLES instances so that collection is performed efficiently.

    The DeviceLock Enterprise Server component can also deploy security policies to DeviceLock agents across the organization’s network, as an alternative to manual deployment via the DeviceLock administrative consoles or automatic deployment via Active Directory GPOs. This feature is meant for workgroups or non-AD LDAP environments and mimics Group Policy automation. Two ways of delivering policy template files from the DLES to agents are supported: “push” (the server pushes policy on the DeviceLock administrator’s request) and “pull” (the agent queries the DLES for policy on a schedule, or the endpoint user requests updated policy ad hoc).

    No separate licenses are required for the DeviceLock Enterprise Server component; it is covered by the DeviceLock Core module licensing, which is tied to the number of managed endpoints. Any number of DLES instances can be installed for efficient collection of audit and shadow data, and any number of them can pull audit data and shadow copies from agents into the back-end SQL database and shadow file repository. Traffic optimization (stream compression, preference for the server with the fastest recent response, and Quality of Service settings) is included.

    The DeviceLock Content Security Server is an additional component for other security-reporting tasks. It hosts two optional server functions: DeviceLock Search Server and DeviceLock Discovery.

    Can the product control the actions of specific users, or is it simply deployed the same way for all users?

    Yes. While technically all DLP policies in DeviceLock DLP are computer-based by definition, the permissions on each controlled data egress channel within a policy are user-based: access, audit and other permissions are configured for specific users, specific user groups (recommended), and/or built-in principals such as Everyone.

    Why is content analysis important?

    Content analysis is useful, and often necessary, when contextual control of data transfer channels alone is not sufficient to meet an objective: the transferred data itself must be inspected, i.e. checked for sensitive information, when the ports, interfaces or other channels are otherwise not restricted.

    Content analysis rules can also be applied selectively based on the sender (and in some cases the recipient) context, which reduces false positives, and shadow copies can be created depending on the verified content.

    Acronis DeviceLock DLP uses several search and filtering technologies: regular expression (RegEx) patterns with numerical conditions and Boolean combinations of matching criteria and keywords, keyword search, true file type detection, predefined pattern groups (credit card numbers, addresses, passport/social insurance numbers, etc.), built-in industry-specific dictionaries, file properties (name, size, password protection, date/time, text data), digital fingerprints of files and documents, on-the-fly optical character recognition (OCR) of images, and more.

    Why are regular expressions or patterns required?

    Perl-style regular expressions (RegEx or RegExp) are one of the most powerful and effective content analysis methods; the ContentLock and Discovery modules use them to detect structured data such as government-issued social service numbers, bank codes, health care codes, e-mail addresses, credit/debit card numbers, document metadata, phone numbers, etc.

    Regular expressions define reference patterns against which files and managed session data are compared for explicit matches. Matches are further conditioned by contextual parameters: users and user groups, computers, ports or interfaces, device and channel types, data transfer direction, date/time ranges, numerical thresholds with duplicate handling, and 50+ other parameters available when building a rule.

    Can the transfer of data containing i.e. credit card or passport numbers be restricted with Acronis DeviceLock DLP?

    Yes. This is done by the ContentLock add-on, which analyzes and filters data content. DeviceLock checks the transferred data against built-in RegEx patterns, and the administrator can copy and customize a pattern template to detect other variants of the targeted data and to flag common attempts to evade the standard pattern rule.
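    The following is an added illustration, not DeviceLock code, of the kind of rule described above: a regular expression that tolerates the separators people insert to evade a naive pattern, a Luhn checksum to discard card-length digit runs that are not card numbers, and a numerical condition (how many distinct valid numbers appear) that decides between allow, shadow-copy and block. The threshold value and the sample texts are assumptions for the demonstration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# 13-19 digits, optionally separated by single spaces or dashes, so that
# "4111 1111 1111 1111" and "4111-1111-1111-1111" are caught as well as the
# bare form. The lookarounds stop a "card" from being carved out of a longer
# digit run such as a 25-digit order reference.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit (ISO/IEC 7812-1). Rejects most random digit runs that
    happen to be card-length, which is the main source of false positives."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:              # every second digit, counted from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list[str]:
    """Distinct Luhn-valid card numbers in text, normalised to bare digits."""
    found: list[str] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found


@dataclass
class Verdict:
    action: str                              # "allow", "shadow" or "block"
    cards: list[str] = field(default_factory=list)


def evaluate(text: str, block_threshold: int = 3) -> Verdict:
    """Numerical condition on top of the pattern (threshold is an assumed
    policy value): one or two valid card numbers (a single customer record)
    are allowed but shadow-copied for audit; block_threshold or more distinct
    cards looks like a bulk dump and is blocked."""
    cards = find_cards(text)
    if len(cards) >= block_threshold:
        return Verdict("block", cards)
    if cards:
        return Verdict("shadow", cards)
    return Verdict("allow")


if __name__ == "__main__":
    # Constructed sample using public test card numbers.
    print(evaluate("customer 4111 1111 1111 1111 exp 12/25"))
    print(evaluate("4111 1111 1111 1111, 5500-0000-0000-0004, 378282246310005"))
```

    The checksum is what keeps the rule usable: without it, invoice numbers, tracking IDs and timestamps of the right length all trigger the pattern, and the operators tune the rule down until it no longer catches real leaks.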

    Is Acronis DeviceLock DLP capable of “passive mode” functioning, i.e. not restricting data transfer, but logging, alerting, and shadow copying?

    Yes. Acronis DeviceLock DLP runs in whatever mode the administrator configures; we also call this “observation mode”.

    Where access to ports, devices or network protocols is neither blocked nor content-filtered by policy, the logging and data shadowing policy can still actively log, alert and keep records in the audit and shadow logs; this is “passive mode”.

    If there is a restrictive access policy active, Acronis DeviceLock DLP blocks the transfer and prevents data leakage from a controlled endpoint in real time.

    Is there an option to set various policies for office- and off-hours?

    Yes, there is. An administrator can set hour-of-day and day-of-week intervals for every applied DLP policy. These settings are per user/group and per device type, port or protocol as desired.

    Is there an option to configure various access control policies for laptops in- and out of the corporate office?

    Yes, there is. Acronis DeviceLock DLP supports separate online and offline security policies, so a laptop can have one policy while inside the corporate network (behind the firewall/DMZ) and an entirely different one when out in the wild.

    What is Online or Offline security policy?

    These are two separate sets of DLP policies, Regular (online) and Offline, which the Acronis DeviceLock DLP agent applies automatically depending on the endpoint’s network status. The agent decides that a protected computer (e.g. a laptop) is offline by one of three configurable criteria: whether the Windows logon used cached credentials or was confirmed by a domain controller, whether the computer can connect to any of its known DeviceLock Enterprise Servers, or whether it is on a wired or a wireless connection.

    Can I view user transferred data later?

    Yes, you can. Once an administrator configures Acronis DeviceLock DLP to make shadow copies, the transferred data is saved for later analysis. Shadow copies can be stored on the controlled endpoints or collected centrally into a DeviceLock Enterprise Server database.

    What is the Shadow Log? Can I search data in it?

    The Shadow Log on the DeviceLock Enterprise Server is a repository that generally uses the SQL database for log entries (with pointers to the files) and a folder structure for the collected shadow files. You can search it either with the built-in viewer’s filtering and sorting, or by full-text search using the Search Server’s linguistic analysis.

    Does Acronis DeviceLock DLP impact the performance of data copying to removable storage devices operations?

    No, unless content analysis rules apply to the transferred data. In that case the speed depends directly on the complexity of the effective rule set and on the size of the transferred data. An optional pop-up message can be configured to tell users that a delay is due to content inspection.

    Does Acronis DeviceLock DLP impact the Internet, or network performance in general?

    Generally, DeviceLock Agent does not impact local network performance. The exception is content analysis: where content rules apply to network traffic, the speed depends directly on the complexity of the effective rule set and on the size of the transferred data, and the same optional pop-up message can be configured to tell users that the delay is due to content inspection.

    Audit and shadow data transfers run as a background process and can be tuned by installing several DeviceLock Enterprise Server instances; multiple DLES instances distribute the network load and provide a fallback if one goes offline. The collection process stream-compresses the data and can use Quality of Service (QoS) priority levels.

    Can a user overcome DeviceLock Agent protection?

    If you are worried about employees with administrative access trying to defeat DeviceLock security policies by stopping DeviceLock services, tasks or processes: they will not succeed, provided a DeviceLock administrator has properly configured the self-protection feature called ‘DeviceLock Administrators’.

    Can a local administrator disable DeviceLock Agent and stop its functioning?

    The ‘DeviceLock Administrators’ feature provides sufficient protection even against local administrative accounts. No one but authorized DeviceLock Administrators can stop or disable the DeviceLock agent when this protection is enabled, including members of the local Administrators group.

    When “Default Security” is disabled in favor of the “DeviceLock Administrators” settings, the protection of DeviceLock’s service, tasks, files, logs and registry keys, the driver unhook protection (rootkit protection), and the monitoring of policy consistency and integrity (which can automatically restore the policy to match the master policy) together form a comprehensive self-protection system. This protection also applies in Windows Safe Mode.

    Basic platform hardening outside DeviceLock is still expected in order to prevent users from bypassing the protection: restrict booting from any source other than the system drive, restrict access to the BIOS, and prevent OS system restores to points dated before DeviceLock was installed.

    Does DeviceLock Agent conflict with antivirus software?

    No, not in general.

    However, some antivirus software may conflict, because the DeviceLock agent operates at the kernel level of the operating system. If a conflict ever occurs, most commercial A/V solutions have a way to allow, exclude or exempt specific applications. As a proactive step we recommend that administrators add DeviceLock to the antivirus exclusion list. DeviceLock also has an undocumented application whitelisting procedure that is available via Support.

    Is it possible to integrate DeviceLock with some Security information and event management (SIEM) system?

    DeviceLock supports the syslog standard for message logging, so syslog can be used as the transport for alerts and audit log events to any syslog receiver (third-party SIEMs and other monitoring applications/consoles).

    DeviceLock also supports SNMP, which can likewise be used as a transport for alert messages to various SIEM systems.
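    As an added example of the receiving side of such an integration (this is not DeviceLock code, and the sample messages, app name, message ID and structured-data element are constructed for the demonstration; they are not DeviceLock’s actual syslog format), the parser below turns an RFC 5424 syslog line into a SIEM-ready record, decoding facility and severity from the PRI value and extracting the structured-data parameters, and a routing rule escalates high-severity or “denied” events.

```python
import re

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
            "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
            "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD...] MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d)\s(?P<ts>\S+)\s(?P<host>\S+)\s"
    r"(?P<app>\S+)\s(?P<procid>\S+)\s(?P<msgid>\S+)\s(?P<rest>.*)$", re.S)
SD_ELEMENT_RE = re.compile(r'\[(?P<id>[^\s\]"]+)(?P<params>(?:\s[^\s=\]"]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r'([^\s=\]"]+)="((?:[^"\\]|\\.)*)"')


def _unescape(value: str) -> str:
    # RFC 5424 escapes '"', '\' and ']' inside PARAM-VALUE with a backslash.
    return re.sub(r'\\(["\\\]])', r"\1", value)


def parse_rfc5424(line: str) -> dict:
    """Parse one syslog line into a flat record; raises ValueError on bad input."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri = int(m["pri"])
    if pri > 191:                         # 23 facilities * 8 severities - 1
        raise ValueError("PRI out of range")
    rest, sd = m["rest"], {}
    if rest.startswith("-"):              # NILVALUE: no structured data
        msg = rest[1:].lstrip(" ")
    else:
        pos = 0
        while pos < len(rest) and rest[pos] == "[":
            e = SD_ELEMENT_RE.match(rest, pos)
            if not e:
                raise ValueError("malformed structured data")
            sd[e["id"]] = {k: _unescape(v) for k, v in SD_PARAM_RE.findall(e["params"])}
            pos = e.end()
        msg = rest[pos:].lstrip(" ")
    return {"facility": FACILITY[pri >> 3], "severity": SEVERITY[pri & 7],
            "timestamp": m["ts"], "host": m["host"], "app": m["app"],
            "procid": m["procid"], "msgid": m["msgid"], "sd": sd, "msg": msg}


def should_page(record: dict) -> bool:
    """Routing rule (assumed policy): escalate 'warning' or worse, and any
    event whose structured data reports a denied action."""
    severe = SEVERITY.index(record["severity"]) <= SEVERITY.index("warning")
    denied = any(p.get("action") == "denied" for p in record["sd"].values())
    return severe or denied


# Constructed sample lines (PRI 134 = local0.info, PRI 30 = daemon.info).
SAMPLE_ALERT = ('<134>1 2021-08-25T10:15:30.000Z ws-0042 dlp-agent - ALERT '
                '[dlp@32473 user="jdoe" channel="USB" action="denied" file="report.xlsx"] '
                'removable-device write denied by content rule')
SAMPLE_AUDIT = '<30>1 2021-08-25T10:16:00Z dles01 dles - - audit log collection completed for ws-0042'

if __name__ == "__main__":
    for line in (SAMPLE_ALERT, SAMPLE_AUDIT):
        rec = parse_rfc5424(line)
        print(rec["severity"], rec["host"], rec["sd"], "PAGE" if should_page(rec) else "log")
```

    When wiring a real feed, send a known event (a deliberately denied USB write, for instance) and confirm that the receiver decodes the facility/severity you configured and that the fields your SIEM correlation rules key on arrive in structured data rather than only in free text.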

     

    Data transfer control

    Can I control device write operations by file type?

    Yes, you can. You can allow or deny access to specified verified file types regardless of the permissions set for a device or protocol, and set the shadow copying policy by file type to reduce the volume of data stored on the server. File type detection is signature based and does not depend on the file name extension.

    What file types are supported by the content analysis system?

    Acronis DeviceLock DLP controls file types on two levels:

    • The first level is performed by the core DeviceLock and NetworkLock contextual security components in order to optimize the control process. You can allow or deny access to selected file types regardless of the access permissions set for a device or protocol, and set the shadow copying policy by type to reduce the volume of data stored on the server. Detection is based on binary signatures, not on the file name extension; 5,300+ file types are supported.
    • The second level is performed by the ContentLock add-on, which analyzes the content of transferred files or data. ContentLock parses more than 100 file formats and 40+ archive types, textual data (in e-mails, messages, web forms, etc.), images (via OCR), unidentified binary data, and data objects classified by Boldon James Classifier.
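    An added example, not DeviceLock code, of what “signature based, not extension based” means in practice: the type is read from the bytes and compared with what the name claims, so an executable renamed to .txt is still denied and a ZIP renamed to .jpg (a common exfiltration trick) is flagged. The signature table, the extension map and the deny set are a small assumed subset chosen for the demonstration; the sample inputs are constructed.

```python
# (magic bytes, offset, type). A production detector carries thousands of
# entries; these few show the mechanism. Note that not every signature sits
# at offset 0 (ISO 9660 signs at 0x8001).
SIGNATURES = [
    (b"%PDF-",                             0,      "pdf"),
    (b"\x89PNG\r\n\x1a\n",                 0,      "png"),
    (b"\xff\xd8\xff",                      0,      "jpeg"),
    (b"GIF87a",                            0,      "gif"),
    (b"GIF89a",                            0,      "gif"),
    (b"PK\x03\x04",                        0,      "zip"),      # also docx/xlsx/jar/apk
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  0,      "ole2"),     # legacy .doc/.xls/.msg
    (b"MZ",                                0,      "pe"),       # Windows EXE/DLL/SYS
    (b"\x7fELF",                           0,      "elf"),
    (b"CD001",                             0x8001, "iso9660"),
]

# What each extension *claims* to be, in the same type vocabulary.
EXT_TYPES = {
    "pdf": "pdf", "png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif",
    "zip": "zip", "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip",
    "doc": "ole2", "xls": "ole2", "exe": "pe", "dll": "pe", "iso": "iso9660",
    "txt": "text", "csv": "text", "log": "text",
}


def true_type(data: bytes) -> str:
    """Type derived from content only; the file name is never consulted."""
    for magic, offset, name in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    head = data[:512]                      # plain-text heuristic on the first block
    if head and b"\x00" not in head:
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in head)
        if printable / len(head) >= 0.95:
            return "text"
    return "unknown"


def claimed_type(filename: str) -> str:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXT_TYPES.get(ext, "unknown")


def decide(filename: str, data: bytes,
           denied_types=frozenset({"pe", "elf", "iso9660"})) -> tuple:
    """Return (action, reason). Dangerous types are denied whatever the name
    says; a name/content mismatch is flagged for shadow copy and alerting."""
    actual, claimed = true_type(data), claimed_type(filename)
    if actual in denied_types:
        return "deny", f"content is {actual} although the name claims {claimed}"
    if claimed != actual:
        return "flag", f"extension/content mismatch: {claimed} vs {actual}"
    return "allow", actual


if __name__ == "__main__":
    # Constructed samples: a PE header renamed .txt, a ZIP renamed .jpg, a real PDF.
    print(decide("notes.txt", b"MZ\x90\x00" + b"\x00" * 60))
    print(decide("photo.jpg", b"PK\x03\x04" + b"\x00" * 26))
    print(decide("report.pdf", b"%PDF-1.7\n"))
```

    A two-byte signature such as MZ is deliberately weak on its own (a text file starting with “MZ” would match); real detectors validate further header fields before committing to a type, which is why the vendor count of “5,300+ types” is a table of structured checks rather than a list of prefixes.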

    Can text-containing images or a graphical scan of a document be analyzed?

    The DeviceLock Agent has a built-in optical character recognition (OCR) engine that extracts and inspects text from pictures in documents and from graphical files in many image formats, on the fly with ContentLock during an attempted data transfer, or in scanned data-at-rest with Discovery.

    The DeviceLock Agent can also recognize text embedded in graphics, compute the ratio of that text to the overall size of the document, and apply control policies based on it.

    The OCR engine is included in each enforcement component: DeviceLock Agent, DeviceLock Discovery Server and DeviceLock Discovery Agent.

    Can social networks, i.e. Facebook or Twitter, be controlled?

    Yes. The NetworkLock add-on allows for controlling and logging chat sessions and file transfers in Google+, Facebook, Twitter, LiveJournal, LinkedIn, and more.

    You can find the actual list at https://www.acronis.com/en-us/products/devicelock/system-requirements/.

    Can Acronis DeviceLock DLP control instant messengers and e-mail?

    Yes, it can. The NetworkLock add-on allows for controlling and logging chat sessions and file or data transfers via e-mail or instant messengers.

    The supported messengers include Skype, ICQ, Jabber, IRC, Viber, WhatsApp, Telegram and Mail.ru Agent.

    E-mail control capabilities include SMTP/SMTP over SSL, Exchange (MAPI), IBM (Lotus) Notes, and the Web Mail services listed below.

    Check the full list at https://www.acronis.com/en-us/products/devicelock/system-requirements/.

    What Web Mail services can Acronis DeviceLock DLP control?

    The NetworkLock add-on controls and logs email messages and attachments sent and received via Gmail, Yahoo! Mail, Windows Live Mail, AOL Mail, Mail.ru, Yandex Mail, Rambler-Mail, GMX.de, and Web.de services.

    Check the full list at https://www.acronis.com/en-us/products/devicelock/system-requirements/.

    What web sites are Acronis DeviceLock DLP capable of controlling?

    There is no URL filtering for web sites as such: the NetworkLock add-on has no allow-list or deny-list feature for URLs. Any HTTP/HTTPS traffic, regardless of web site category, can be controlled and content-filtered; popular categories such as Social Networks, Web Mail and File Sharing Services are provided as convenient control groupings in the Suite. Please refer to the product documentation for the control capabilities; they are too numerous and flexible to describe adequately in this FAQ.

    Can Acronis DeviceLock DLP intercept data transferred via encrypted SSL channels?

    Yes, it can. The NetworkLock add-on can intercept and analyze data transferred over SSL/TLS-protected protocols: HTTPS, FTPS, SMTP over SSL, and a number of encrypted messenger protocols.

    Can a specific flash drive be allowed for a specific user account?

    Yes, it can. The “USB Devices White List” feature authorizes a USB device based either on its model (vendor and product IDs, VID+PID) or on its unique internal serial number (VID+PID+DID). Depending on the settings, even allow-listed USB removable devices can still be content-filtered.

    Can an employee be notified about the reason of an access denial?

    Yes. Acronis DeviceLock DLP can optionally display a pop-up message to a user who tries to access a controlled channel or send content and is blocked by policy.

    Is content analysis inside archives or documents supported?

    Yes, it is. Acronis DeviceLock DLP can analyze archives, including nested archives of any depth; archive inspection is a setting that must be turned on. If a sub-archive is password protected and therefore cannot be inspected, the administrator can have the whole archive blocked.

    DeviceLock is also capable of analyzing files embedded into MS Office or Adobe PDF documents.
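    An added example, not DeviceLock code, of the archive handling described above for the ZIP format: the scanner descends into nested archives, records entries whose general-purpose flag bit 0 marks them as password protected (their content cannot be inspected, so the whole archive is blocked), and enforces a nesting-depth and total-size budget so that a deliberately deep or highly compressed archive cannot exhaust the scanner. The limits are assumed policy values; the archives are built in memory, and the helper that sets the encryption flag exists only because Python’s zipfile cannot write encrypted entries.

```python
import io
import struct
import zipfile

MAX_DEPTH = 8                       # assumed policy limits
MAX_TOTAL_BYTES = 64 * 1024 * 1024


def inspect_zip(data: bytes, depth: int = 0, prefix: str = "", budget=None) -> dict:
    """Walk a ZIP recursively. Returns {'files': [leaf paths],
    'blocked': [(path, reason)]}; anything in 'blocked' could not be inspected."""
    if budget is None:
        budget = [MAX_TOTAL_BYTES]  # shared across the whole recursion
    report = {"files": [], "blocked": []}
    if depth > MAX_DEPTH:
        report["blocked"].append((prefix, "nesting too deep"))
        return report
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report["blocked"].append((prefix or "<root>", "corrupt archive"))
        return report
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if info.flag_bits & 0x1:              # bit 0: entry is encrypted
                report["blocked"].append((path, "password-protected"))
                continue
            budget[0] -= info.file_size           # declared size, checked before extraction
            if budget[0] < 0:
                report["blocked"].append((path, "uncompressed size budget exceeded"))
                return report
            payload = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(payload)):   # nested archive, by content
                sub = inspect_zip(payload, depth + 1, path + "/", budget)
                report["files"] += sub["files"]
                report["blocked"] += sub["blocked"]
            else:
                report["files"].append(path)
    return report


def verdict(data: bytes) -> str:
    """Policy: block the whole archive if any part of it cannot be inspected."""
    return "block" if inspect_zip(data)["blocked"] else "allow"


# ---- constructed fixtures ------------------------------------------------
def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(single_entry_zip: bytes) -> bytes:
    """Fixture only: set the 'encrypted' flag bit in both the local file header
    (flags at offset 6) and the central directory entry (flags at offset 8) of
    a one-entry ZIP; the central directory offset is read from the EOCD record."""
    b = bytearray(single_entry_zip)
    cd_offset = struct.unpack_from("<L", b, len(b) - 22 + 16)[0]
    b[6] |= 1
    b[cd_offset + 8] |= 1
    return bytes(b)


if __name__ == "__main__":
    outer = make_zip({"inner.zip": make_zip({"secret.txt": b"hello"}), "readme.txt": b"x"})
    locked = make_zip({"locked.zip": mark_encrypted(make_zip({"p.txt": b"abc"}))})
    print(inspect_zip(outer), verdict(outer))
    print(inspect_zip(locked), verdict(locked))
```

    Detecting the nested archive by content rather than by name matters: an inner archive renamed to .dat still gets opened, and a .docx (itself a ZIP container) is walked the same way, which is how embedded files inside Office documents are reached.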

    Can Acronis DeviceLock DLP encrypt flash drives?

    Not by itself. DeviceLock relies on third-party and open-source encryption products and can detect and verify several of them, without implementing any proprietary encryption of its own. This avoids the licensing, exportability and cost issues of built-in proprietary encryption while still letting the customer choose among several leading removable-media encryption solutions.

    The DeviceLock Service can detect USB flash drives and other removable media encrypted by supported third-party products and apply special “encrypted” access permissions to them, while restricting access to otherwise “generic” (unencrypted) partitions. This allows more flexible access control policies and helps prevent sensitive data from being written to unencrypted media.

    DeviceLock supports Windows BitLocker To Go™, Sophos® SafeGuard Easy®, SecurStar® DriveCrypt®, TrueCrypt®, Symantec Drive Encryption, Infotecs SafeDisk®, SafeToGo, Rutoken Disk, and Apple® Mac OS X FileVault for detecting and verifying removable partition encryption.

    Find the list at https://www.acronis.com/en-us/products/devicelock/system-requirements/.

    Can Acronis DeviceLock DLP control network printing?

    Yes, it can. The DeviceLock Core module of Acronis DeviceLock DLP controls local, network and virtual printing from the endpoint’s perspective and can also create shadow copies of printed data. Content analysis and filtering of printed data is provided as well, by the ContentLock add-on.

    Do files written to flash drives get shadow copied?

    Yes, they can, provided that shadow copying is enabled for the device type in general or is triggered by content rules.

    Can the content of files written to flash drives be controlled?

    Yes, it can. ContentLock add-on can analyze and filter data written to removable devices.

    Does Acronis DeviceLock DLP oversee terminal sessions and virtual environments?

    Yes, it does. Microsoft RDS, Citrix XenDesktop/XenApp, Citrix XenServer, VMware Horizon View; VMware Workstation, VMware Player, Oracle VM VirtualBox, Windows Virtual PC are supported.

    By supporting application virtualization and application streaming technologies, DeviceLock can control the access of any application (and any user working with it) to any data transfer channel, regardless of the transport the application uses. The DeviceLock agent is installed on the host where the application executes, and the policy rules then govern the user’s access, auditing and shadowing just as if the user were logged on locally.

     

    Installation and management

    How many endpoints can be controlled by an instance of DeviceLock Enterprise Server?

    Unlimited. The DeviceLock server components carry no agent-management load: unlike many other DLP systems, all content inspection of egress traffic is performed on the endpoints rather than at a gateway or perimeter appliance that would become a bottleneck.

    How many accounts can Acronis DeviceLock DLP control?

    Unlimited. The largest DeviceLock installation is over 80,000 endpoints in one enterprise.

    Are there central management capabilities in Acronis DeviceLock DLP?

    Definitely. Deployment, installation, uninstallation and updating of DeviceLock Agents, as well as DLP policy management, can be performed remotely and centrally using the traditional DeviceLock consoles. The most powerful and effective way to manage DeviceLock centrally, however, is via Active Directory Group Policy, using DeviceLock’s MMC snap-in for the Group Policy Management Console (GPMC) or Active Directory Users and Computers (ADUC). Alternatively, an administrator can use the DeviceLock Enterprise Server component for centralized agent installation and policy management across the organization’s network, which can be essential in larger non-AD environments.

    Is there a need to install DeviceLock agents to controlled computers?

    Yes, there is. Access to peripheral I/O ports, devices and network protocols is controlled at the moment an access attempt is made, and device control cannot be enforced without a locally installed agent, so installing DeviceLock agents on controlled endpoints is a must. The one exception is Acronis DeviceLock Discovery, which can be used in agent mode or agentless mode.

    Is there a need to install DeviceLock agents to endpoints in order to control network protocols?

    Yes, there is. The NetworkLock add-on that controls network protocols is integrated into the DeviceLock Agent platform and is installed on endpoints together with the Core module agent. It is dormant unless licensed and configured, but is already deployed and ready to use.

    Is there a need to reboot an endpoint after DeviceLock Agent has been installed?

    No, there typically is not a need to reboot, but that often depends on the installation method (Group Policy MSI, SCCM, DLEM console, other software distribution tools, etc.).

    Can DeviceLock Agent be installed automatically (without user interference)?

    Yes, it can. Run DeviceLock setup with the “/s” parameter (e.g. ‘setup.exe /s’).

    Learn more about unattended (silent) setup in the User Guide.

    Can I install DeviceLock Agent without local administrative privileges?

    No, you cannot. Local administrative privileges are required to install DeviceLock. In a domain, you will need domain administrative privileges as well.

    What are recommended hardware requirements for a computer to install an instance of DeviceLock Enterprise Server (DLES)?

    This is unique to each customer and deployment. Hardware and storage requirements cannot be determined precisely in advance because of customer-controlled variables (access/audit/shadowing settings), variables the customer does not control (the type of information collected and the number, type and size of shadowed files), the network architecture, the number of DLES collection servers, and the SQL Server configuration. The requirements can only be determined by testing the product in each specific case over a representative period. There are, however, general recommendations for effective DeviceLock Enterprise Server (DLES) performance.

    Windows Server operating systems can generally handle approximately 150 concurrent service-to-service agent connections (instances of DeviceLock Service on controlled client computers from which log and shadow data is being collected). It is usually recommended to start with at least two DLES instances, for load balancing and as a contingency if one instance is down or too busy. Where the network or domain architecture allows, these should all point to the same central SQL and folder repositories. This configuration requires 1 GB of RAM if SQL Server is not running on the same computer, and twice as much (2 GB) if SQL Server or SQL Server Express runs on the same machine with shadow files stored on disk. If shadow files are stored in the SQL database instead (not the default, and not recommended), double the value again (4 GB). NOTE: it is best to store shadow files in a folder repository (the default); the Shadow Log entries then simply link to those file locations.

    If there are thousands of controlled computers in your network, it is strongly recommended to install two or more DeviceLock Enterprise Servers in the many-to-one scenario described above (several DLES instances, one SQL instance; see the DeviceLock User Manual for details). In that case you do not need another SQL Server instance, provided one is already installed on another computer (with 2 GB of RAM minimum).

    The computer on which you install DeviceLock Enterprise Server must meet the system requirements listed in the specifications.

    Each DeviceLock Agent first gathers audit and shadow logs in local storage on its host. When local storage is almost full, the agent calls the DLES server or servers in its configuration; the DLES with the best network connection to the agent queues the request and then, in queue order, receives the logs from the agent. In practice, therefore, the number of agents concurrently sending logs to one DLES is usually a few dozen and very rarely reaches 100-150.

    The following recommendations are based on experience to date. For security reasons and in line with their corporate IT security policies or regulations, mid-size (~1,000+ seats) and large (>5,000 seats) customers have never provided DeviceLock with detailed information about their network infrastructure or the structure of their DeviceLock deployment. Indirectly, from the information received by Technical Support while assisting customers, we conclude that in large installations a single DLES in a network with high-bandwidth links between OUs can collect logs from up to 10,000-15,000 agents. Where the inter-regional links are slow, customers instead distribute DLES servers across the OUs’ geographical locations to reduce the traffic used for collecting shadow logs. That is the recommended approach for such networks: use several DLES servers and assign agents to them by OU, so that collection traffic stays within each site rather than crossing the slower links between them.

    For the sake of load balancing, performance, and fault tolerance, multiple standalone DeviceLock Enterprise Servers can be configured to forward the log data from them to a “central collection server” to consolidate the logs.

    This “central collection” DeviceLock Enterprise Server can be used as a central storage for DeviceLock logs from other servers, which are referred to as “remote servers”.

    Remote servers can send copies of their logs to the central collection server on a scheduled basis. Configuration options allow the selection of which logs to send, and when. The central collection server can be located on an on-premises computer or in the cloud (see Appendix: Consolidating the Logs in the Cloud Using OpenVPN).

    The consolidation of logs enables the implementation of a data/traffic management scenario where the remote servers accumulate logs during working hours, and at night they forward the accumulated data to the central collection server.

    Based on our technical support experience, 8GB RAM would be sufficient for a DLES server to handle log collection from 5,000 DeviceLock Agents provided that the server has powerful network interface cards. In order to collect logs from 10,000-15,000 DeviceLock Agents, we would recommend using a server with 32GB RAM.

    In practice the most critical parameter for DLES operation is not RAM but the size of the central shadow file storage. The required storage depends on shadowing coverage (how many potential leakage scenarios are controlled with shadowing), the average size of the shadowed objects (a shadow copy of a file is the same size as the file), and the retention period of shadow logs in the central database. Given this, an accurate forecast of the required shadow storage is unrealistic; in our experience, accurate estimates can be made after the first 1-2 months of production operation.

    As a real-life example, for a deployment of 30,000 agents the following DLES configuration was recommended: Windows Server 2012 R2 (64-bit) on an 8-CPU server with 16 GB RAM and 1+ TB of RAID storage.

    How much free space is required for a shadow database?

    This is highly customer or project specific with many variables controlled by the customer’s configuration. There are correlations between selected DLP access/audit/shadow policy, channels shadowed, traffic generated by controlled employees, size of files, and retention period.

    In our customer practice, accurate size estimations of necessary log storages could be made after the first 1-2 months of DeviceLock production operations.

    For example, if shadow copies of all outgoing e-mails and attachments must be kept for a year and they amount to 1 GB per working day, you need at least 250 GB of free storage (roughly 250 working days; at 1 GB per calendar day the figure would be 365 GB).

    Is there support of Group Policy in a Windows domain?

    Yes, there is. It is one of our primary differentiating architectural features vs. other solutions. Moreover, DeviceLock is fully integrated, meaning an administrator can deploy/update/uninstall DeviceLock agents via Group Policy (including auto-deployment when a computer joins the domain), update DLP policy (DeviceLock policy objects transform into Group Policy objects), manage DeviceLock with the DeviceLock Group Policy Manager snap-in console integrated into the Group Policy Management Console, Active Directory Users & Computers interface, or the Group Policy Object Editor.

    DeviceLock agents can be installed to remote computers with a predefined set of DLP policy by deploying a custom installation package (MSI). An administrator can create the package using the DeviceLock Management Console (DLMC). This method is only recommended for new installations and not as a policy update or upgrade method.

    Domain/OU Administrators can check currently applied security policy, or security policy to be applied using the standard Resultant Set of Policy (RSoP) snap-in.

    Managing DeviceLock via Active Directory Group Policy is the most convenient and scalable method in networks of any size.

    Is it required to install and manage DeviceLock agents via an Active Directory domain?

    No, it isn’t. DeviceLock Agent functions in a non-domain environment just as it does in a domain. Without an AD domain, an administrator can use the DeviceLock Enterprise Server component for centralized agent installation and policy management across the organization’s network, as an alternative to manual administration via the DeviceLock consoles. This feature is meant for workgroups or non-AD LDAP environments. Two ways of delivering policy template files from the DLES to agents are supported: “push” (the server pushes policy on the DeviceLock administrator’s request) and “pull” (the agent queries the DLES for policy on a schedule, or the endpoint user requests updated policy ad hoc).

    Additionally, the DeviceLock Enterprise Manager (DLEM) console can be used to centrally manage DeviceLock policy on controlled endpoints in non-domain environments, including LDAP environments such as Novell eDirectory and OpenLDAP, or even workgroups. RPC connectivity to the endpoints is necessary with this method.

    Can DeviceLock agents be installed via Microsoft Systems Management Server (SMS) or Microsoft System Center Configuration Manager (SCCM)?

    Yes, they can. Find the package definition files DeviceLock.pdf (for SMS 1.x) and DeviceLock.sms (for SMS 2.0 and later) in the ‘sms.zip’ archive included in the DeviceLock setup package.

    Can DeviceLock Agent be installed on Mac OS X endpoints?

    Yes, it can: a special edition, “DeviceLock Agent for Mac”, is offered. Check the list of supported OS versions at https://www.acronis.com/en-us/products/devicelock/system-requirements/.

    The limitations are:

    • Only the DeviceLock Service agent can be installed on Mac computers; DeviceLock consoles and other components run on Windows only;
    • ContentLock, NetworkLock and User Activity Monitor are not yet supported on Macs.

    How can I upgrade Acronis DeviceLock DLP components?

     Please refer to description given in the Knowledgebase Article “Acronis DeviceLock DLP: How to install or upgrade an entire DeviceLock DLP environment” (https://kb.acronis.com/content/66439)

    Where can I find the number of used licenses?

    Please refer to description given in the Knowledgebase Article “Acronis DeviceLock DLP: How to find information about the number of used DeviceLock licenses” (https://kb.acronis.com/node/67273)

    How can I locate which computers have DeviceLock Service installed and which version?

    Please refer to description given in the Knowledgebase Article “Acronis DeviceLock DLP: How to find information about which computers have DeviceLock Service installed” (https://kb.acronis.com/node/67275/)

    I have installed the licenses, but the ‘About Program’ window still says Trial mode. Why?

    Please refer to description given in the Knowledgebase Articles “Acronis DeviceLock DLP: License status: Trial mode” (https://kb.acronis.com/content/66637) and “Acronis DeviceLock DLP: How to activate DeviceLock license files” (https://kb.acronis.com/content/66418).
