Offline Mode

In This Section:

Creating Offline Administrators

Configuring an Offline Group

Configuring Policy for an Offline Group

Editing Pre-boot Users

Exporting Packages

Deploying Packages

Moving from Offline to Online Mode

Endpoint Offline Management Tool

Offline Mode lets users get policies and updates from a shared folder, without a connection to an Endpoint Security server. Policies for these Software Blades are supported in Offline Mode:

Manage the offline policies for these Software Blades from each Offline Group in the Users and Computers tab. The policies for users in these groups are not configured in the Policy tab and are not included in policy installation.

Workflow to Configure Offline Mode:

  1. In the Users and Computers tab, create a new Offline Group and configure the sub-paths and settings.
  2. From the Offline Group, configure the policy for each Software Blade.
  3. Export the required packages and put them in the configured sub-paths.
  4. Instruct users to install the packages from the sub-paths. Make sure they have the required access.

Creating Offline Administrators

Offline administrators can be created one at a time or in groups.

To create offline administrators:

  1. Open SmartEndpoint Manager.
  2. On the Users and Computers tab, right-click an offline group.
  3. Select Create Administrators.

    The Create offline group administrators window opens with these options:

    • Add Single User - Adds one administrator
      • Enter the Logon Name.
      • Configure Authentication credentials, password or dynamic token.

      Note - you must select an existing token.

    • Add Users From File - Imports offline administrators from a CSV file, and shows them in the table.

      Each imported administrator has a Logon Name, Authentication type and status.

      The Status column shows if an Administrator can be imported or not.

      A green V indicates that the offline administrator is ready for import.

      An X icon indicates offline administrators that cannot be imported. See the error message next to it.

    • Remove User - Removes an offline administrator. Select the administrator in the table.
  4. Click Import to import the administrators.
  5. Click OK.

Configuring an Offline Group

Each Offline Group defines the location for its files and the included policies. Computers that install the package do not show in the tree on the Users and Computers tab.

For each group you configure a root path of the shared location where files for the group are stored, and sub-paths for each type of file. You must manually create each sub-path. Folders for these files are required. The default location is under the root path:

To create an Offline Group:

  1. In the Users and Computers tab navigation tree, right-click on Offline Groups and select New Offline Group.

    The New Offline Group wizard opens.

  2. Enter this information:
    • Offline group name - A name for the group
    • Root Path - The root path of the shared location where files for this group are stored. This must be a valid UNC path or HTTP/HTTPS path. For example \\server\share\ or http://server/share/. HTTP/HTTPS paths are only supported when the WebDAV extension is enabled on the web server.
    • Description (optional) - Helpful information about the group or policies
  3. Click Sub-paths.

    The Sub-path Settings window opens.

  4. Select a Category. Each category has a default path under the defined root path. Keep the default or click Add, Edit, or Remove to change the path or add a new one.
  5. Click OK.
  6. Select a value for each of the Synchronization Settings:
    • Clients sync with shared location every X minutes
    • After a failed connection, clients retry to sync with shared locations every X minutes
    • Clients stop trying to sync with shared location after X failed attempts - This is only active when selected.
  7. Click Next to configure the Policies for the group.

Configuring Policy for an Offline Group

Authorize Pre-boot Users

Continue with the New Offline Group wizard or click Authorize Pre-boot Users to configure the users who can log in to computers in the offline group.

Note - Smart Card authentication is not supported for Offline Pre-boot users. Select password or dynamic token as the authentication method.

Full Disk Encryption Policy

Continue with the New Offline Group wizard or click Full Disk Encryption to configure the Full Disk Encryption policy settings for the group.

OneCheck User Settings Policy

Client Settings Policy

Completing the Wizard

Note - From the Group Details view, click Pre-boot Users to open:

Editing Pre-boot Users

To edit offline Pre-boot accounts:

  1. From the Users and Computers tab, expand an Offline Group to see the users.
  2. Right-click the user and select User Authentication (OneCheck) > Pre-boot Authentication method.
  3. Select an Authentication Method.
  4. Click Change Password or User Certificates to create a new password or upload certificates, as required for the authentication method.
  5. Click OK.

To edit a deployment Pre-boot account:

  1. From the Users and Computers tab, open Offline Groups.
  2. Select the preboot user account.
  3. Select Deployment Pre-boot User Details and click Edit.

To create offline Pre-boot users:

  1. From the Users and Computers tab, select an offline group.
  2. In Group Details, click Edit.

    The Group Details window opens.

  3. Click Pre-boot Users.

    The Pre-boot Users Details window opens.

  4. In the Authorized Preboot Users area, click New.

    The Add new preboot user window opens.

  5. Enter a Logon Name.
  6. In the Authentication credentials area, select Password or Dynamic Token.
    • A password must contain at least five characters.
    • If you select a token as the authentication method, make sure you select an existing token.
  7. To set more granular account controls, open Account Details.

In Account Details you can configure the type of use and expiration settings.

Exporting Packages

Export the required packages and put them in the configured shared locations.

To export packages:

In the Users and Computers tab, right-click on the Offline Group and select an option.

| Option | Description | Notes |
|---|---|---|
| Get Update Policy File | Exports a file with policy updates. | This file has CPPOL extension. You must put the CPPOL file in the Updates folder. |
| Get Offline Management File (cpomf) | Exports a CPOMF file that contains definitions that you can use to log in to the Endpoint Offline Management Tool. | This is for a help desk or contractor environment that needs access to the Tool for Remote Help and creation of recovery media without access to an Endpoint Security server. |
| Full Disk Encryption > Get Bypass Pre-boot File | When installed, the computer bypasses Pre-boot based on the policy configured in the Pre-boot Protection > Temporary Pre-boot Bypass settings of the Offline group. | You must put the CPPOL file in the Updates folder. |
| Full Disk Encryption > Get Revert Pre-boot to Policy Configuration File | Returns the computer to the regular Pre-boot policy. | You must put the CPPOL file in the Updates folder. |
| Deployment > Get Initial Package | Exports a complete MSI with the Offline Policy. This can be used for new client installation. | |
| Deployment > Get Upgrade Package | Exports a package to upgrade an existing offline client, and the updated CPPOL file. The details of the package are shown. Make sure the version is higher than the currently installed client version. You can select the Export update offline policy option to export a CPPOL file with the package. | Put the CPPOL file in the configured Updates folder and put the MSI in the configured Upgrades folder. |
| Deployment > Get Offline to Online File | Exports a file that converts an offline client to an online client. After installation, the client will connect to the server that the file was exported from. | You must put the CPPOL file in the Updates folder. See Moving from Offline to Online Mode for best practices. |

To export all offline administrators:

  1. Right-click on an offline group and select Get Offline Management File (cpomf), or
  2. Select multiple administrators in an Administrator OU under an offline group, right-click, and select Get Offline Management File (cpomf).

To replace the installation policy file for the offline group:

This is only necessary if you installed a client with an installation policy that contains shares that the client cannot access. The client remains in the installation state as the recovery file cannot be uploaded to the share.

  1. In the Users and Computers tab, right-click on the Offline Group and select Advanced > Get Install Policy File.
  2. Replace the installation policy located in the local Work folder on the client.

    The Work folder with the policy is located in:

    On x64 client:

    %PROGRAMFILES(X86)%\CheckPoint\Endpoint Security\Endpoint Common\Work\

    On x86 client:

    %PROGRAMFILES%\CheckPoint\Endpoint Security\Endpoint Common\Work\

  3. Reboot to continue the installation.

Deploying Packages

To deploy packages:

Automatically deploy the offline client on computers or give users instructions to get the packages they require.

To push a policy update for a specified client:

Place the policy in the Work folder locally on the client, for example:
C:\Program Files\CheckPoint\Endpoint Security\Endpoint Common\Work.

If the client finds an update policy in the Work folder, the client makes sure that the update is new, imports it, and deletes the update from the Work folder.

The client then continues to use the normal update interval as configured.

To update policies on specified clients:

To update a specified computer, you can put an update policy in the client's folder located in the Updates sub-path. When the client connects to the share it will check the Updates sub-path for new updates, but it will also check its own folder, located in the Clients folder. The client automatically creates this folder the first time it connects. The name of the folder is its hostname.

Client Connections to Network Shares

Clients use the currently logged-in user to connect to the defined shares and search for update policies and to upload recovery files, logs, and status files. If there is no user logged-in or if multiple users are logged-in, the connection to the share is not available.

The logged-in user on the client must have these permissions on the share to be able to update and download files:

[Table: required permissions (Read, Write, List, Execute, Modify, Delete, Create) for each location: Update Directory, Recovery Files Directory, Client Log Directory.]
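
The Updates sub-path is where clients look for new policy files, including the Bypass Pre-boot file, so it helps to know exactly which accounts can write to it. The following PowerShell script is an added example, not part of the original guide; it assumes a UNC root path, and the folder names in $SubPaths are placeholders for the sub-paths configured for the group.

```powershell
# Added example (not from the original guide): list identities that hold
# write-type NTFS rights on an offline group's folders.
# $RootPath uses the guide's example path; $SubPaths are assumed folder
# names. Replace both with the values from the group's Sub-path Settings.
param(
    [string]   $RootPath = '\\server\share',
    [string[]] $SubPaths = @('Updates', 'Upgrades')
)

# Specific rights that allow adding, changing or removing files.
$specific = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Generic rights as stored in some inherited ACEs: GENERIC_WRITE, GENERIC_ALL.
$generic  = 0x40000000 -bor 0x10000000
$mask     = $specific -bor $generic

$report = foreach ($sub in $SubPaths) {
    $path = Join-Path -Path $RootPath -ChildPath $sub
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Sub-path not found (it must be created manually): $path"
        continue
    }
    $acl = Get-Acl -LiteralPath $path
    foreach ($ace in $acl.Access) {
        # Only Allow entries grant access; skip entries without write-type bits.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
        [pscustomobject]@{
            Folder    = $path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# One row per identity and folder, for comparison with the required permissions.
$report | Sort-Object Folder, Identity | Format-Table -AutoSize -Wrap
```

Get-Acl reports NTFS permissions only; review share-level permissions on the file server with Get-SmbShareAccess. Compare the output with the permissions the logged-in client user requires on each directory.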

Moving from Offline to Online Mode

During the conversion from offline to online mode, all users acquired on the offline client are deleted. Users must be pre-authorized for the online client to make sure that there are authorized users on the client. If you move clients from offline mode to online mode, we recommend that you use these best practices:

Endpoint Offline Management Tool

The Endpoint Offline Management Tool lets administrators manage offline mode users and give them password assistance and disk recovery. It does not require access to the Endpoint Security Management Server.

Double-click the OfflineMgmtTool.msi file to install the tool.

Get the files from the Server Release information section of the Endpoint Security homepage.

Logging In to the Offline Tool

To log in to the tool, you must have a CPOMF file that contains at least one administrator with a password, or token authentication. To get the CPOMF file from SmartEndpoint, see: Get Offline Management File in Exporting Packages.

  1. Open the Offline Tool.
  2. In the Login window:
    • CPOMF File - Browse to the location of the CPOMF file
    • Login Name - Enter an offline administrator name
    • Password/Token - According to the authentication method of the offline administrator, enter a password or token response.

      Note - If the authentication method is a token with a response length of 16 digits and you are authenticating with a response that is 8 digits long, you will be prompted to complete an additional challenge-response phase.

    • Click Login.

Password Assistance

To help a user log in to a locked computer, click Password Assistance.

Selecting a User

Challenge from User

Response to User

Disk Recovery

To help a user unencrypt a disk, click Disk Recovery.

Select a User Account

Select Media