Offline Mode

In This Section: Creating Offline Administrators Configuring an Offline Group Configuring Policy for an Offline Group Editing Pre-boot Users Exporting Packages Deploying Packages Moving from Offline to Online Mode Endpoint Offline Management Tool

Offline Mode lets users get policies and updates from a shared folder, without a connection to an Endpoint Security server. Policies for these Software Blades are supported in Offline Mode:

• Full Disk Encryption
• OneCheck User Settings
• Client Settings

Manage the offline policies for these Software Blades from each Offline Group in the Users and Computers tab. The policies for users in these groups are not configured in the Policy tab and are not included in policy installation.

Workflow to Configure Offline Mode:

1. In the Users and Computers tab, create a new Offline Group and configure the sub-paths and settings.
2. From the Offline Group, configure the policy for each Software Blade.
3. Export the required packages and put them in the configured sub-paths.
4. Instruct users to install the packages from the sub-paths. Make sure they have the required access.

Creating Offline Administrators

Offline administrators can be created one at a time or in groups.

To create offline administrators:

1. Open SmartEndpoint Manager.
2. On the Users and Computers tab, right-click an offline group.
3. Select Create Administrators.

   The Create offline group administrators window opens with these options:

   • Add Single User - Adds one administrator
     • Enter the Logon Name.
     • Configure Authentication credentials, password or dynamic token.

     Note - you must select an existing token.

   • Add Users From File - Imports offline administrators from a CVS file, and shows them in the table.

     Each imported administrator has a Logon Name, Authentication type and status.

     The Status column shows if an Administrator can be imported or not.

     A green V indicates if the offline administrator is ready for import.

     An X icon indicates offline administrators that cannot be imported. See the error message next to it.

   • Remove User - Removes an offline administrator. Select the administrator in the table.
4. Click Import to import the administrators.
5. Click OK.

Configuring an Offline Group

Each Offline Group defines the location for its files and the included policies. Computers that install the package do not show in the tree on the Users and Computers tab.

For each group you configure a root path of the shared location where files for the group are stored, and sub-paths for each type of file. You must manually create each sub-path. Folders for these files are required. The default location is under the root path:

• Updates - Policy updates.
• Client Logs - The location where logs from clients in this group are stored.
• Recovery Files - Full Disk Encryption recovery files.
• Upgrades - Upgrades to new client versions.
• Installation - Complete installation packages.

To create an Offline Group:

1. In the Users and Computers tab navigation tree, right-click on Offline Groups and select New Offline Group.

   The New Offline Group wizard opens

2. Enter this information:
   • Offline group name - A name for the group
   • Root Path - The root path of the shared location where files for this group are stored. This must be a valid UNC path or HTTP/HTTPS path. For example \\server\share\ or http://server/share/. HTTP/HTTPS paths are only supported when the WebDAV extension is enabled on the web server.
   • Description (optional) - Helpful information about the group or policies
3. Click Sub-paths.

   The Sub-path Settings window opens.

4. Select a Category. Each category has a default path under the defined root path. Keep the default or click Add, Edit, or Remove to change the path or add a new one.
5. Click OK.
6. Select a value for each of the Synchronization Settings:
   • Clients sync with shared location every X minutes
   • After a failed connection, clients retry to sync with shared locations every X minutes
   • Clients stop trying to sync with shared location after X failed attempts - This is only active when selected.
7. Click Next to configure the Policies for the group.

Configuring Policy for an Offline Group

Authorize Pre-boot Users

Continue with the New Offline Group wizard or click Authorize Pre-boot Users to configure the users who can log in to computers in the offline group.

• Click Add to add an authorized user
• Click Remove to remove a user

  Note - Removing a user from the Authorized Pre-boot user list will not remove the user from an already installed client. Use the Blocked Users feature to remove users on clients.

• Click Show all users to show the complete list
• Enter text in the Search field to search the list of users
• Click Blocked Users to create a list of users who are blocked from all computers in the offline group

Note - Smart Card authentication is not supported for Offline Pre-boot users. Select password or dynamic token as the authentication method.

Full Disk Encryption Policy

Continue with the New Offline Group wizard or click Full Disk Encryption to configure the Full Disk Encryption policy settings for the group.

OneCheck User Settings Policy

• Continue with the New Offline Group wizard or click OneCheck User Settings to configure the OneCheck User Settings policy settings for the group.

  This policy will be the default OneCheck User Settings policy for acquired users and users created from the deployment users on the computer. The default policy can be updated with a policy Update.

  If users are defined in SmartConsole, you can assign a different OneCheck User Settings policy to them in SmartEndpoint. If users are acquired and not defined in SmartConsole, they always get the default policy.

Client Settings Policy

• Continue with the New Offline Group wizard or click Client Settings to configure the Client Settings policy settings for the group. All authorized users on a computer use the same Client Settings policy.

Completing the Wizard

• The Wizard shows the version and Software Blades in the latest package.
• Click Finish at the end of the New Offline Group wizard.

  The Offline Group and all of its configurations and policies are saved. If you do not click Finish at the end of the Wizard, the group is not saved.

Note - From the Group Details view, click Pre-boot Users to open:

• The Authorized Pre-boot Users list
• The Blocked Pre-boot Users list.

Editing Pre-boot Users

To edit offline Pre-boot accounts:

1. From the Users and Computers tab, expand an Offline Group to see the users .
2. Right-click the user and select User Authentication (OneCheck) > Pre-boot Authentication method.
3. Select an Authentication Method.
4. Click Change Password or User Certificates to create a new password or upload certificates, as required for the authentication method.
5. Click OK.

To edit a deployment Pre-boot account:

1. From the Users and Computers tab, open Offline Groups.
2. Select the preboot user account
3. Select Deployment Pre-boot User Details and click Edit.

To create offline Pre-boot users

1. From the Users and Computers tab, select an offline group.
2. In Group Details, click Edit.

   The Group Details window opens.

3. Click Pre-boot Users.

   The Pre-boot Users Details window opens.

4. In the Authorized Preboot Users area, click New.

   The Add new preboot user window opens.

5. Enter a Logon Name
6. In the Authentication credentials area, select Password or Dynamic Token.
   • A password must contain at least five characters
   • If you select a token as the authentication method, make sure you select an existing token
7. To set more granular account controls, open Account Details.

In Account Details you can configure the type of use and expirations settings.

• Regular User (default)
  • Do not use device information for Full Disk Encryption remote help - Enables user-bound remote help for the pre-boot user
  • Lock user for preboot - Locks the user for preboot
  • Require change password after first logon - Applies only to password authentication. Select this option to force users to change their password after the first pre-boot logon.
• Deployment User
  • Allow creating X Pre-boot accounts from this account - You can use this account to create new offline Pre-boot accounts. After it creates the maximum numbers of accounts allowed, the account expires.
• Expiration Settings:
  • The user will expire after X logins to Pre-boot
  • The user will be revoked after the selected date.

Exporting Packages

Export the required packages and put them in the configured shared locations.

To export packages:

In the Users and Computers tab, right-click on the Offline Group and select an option.

Option	Description	Notes
Get Update Policy File	Exports a file with policy updates.	This file has CPPOL extension. You must put the CPPOL file in the Updates folder.
Get Offline Management File (cpomf)	Exports a CPOMF file that contains definitions that you can use to log in to the Endpoint Offline Management Tool.	This is for a help desk or contractor environment that needs access to the Tool for Remote Help and creation of recovery media without access to an Endpoint Security server.
Full Disk Encryption > Get Bypass Pre-boot File	When installed, the computer bypasses Pre-boot based on the policy configured in the Pre-boot Protection > Temporary Pre-boot Bypass settings of the Offline group.	You must put the CPPOL file in the Updates folder.
Full Disk Encryption > Get Revert Pre-boot to Policy Configuration File	Returns the computer to the regular Pre-boot policy.	You must put the CPPOL file in the Updates folder.
Deployment > Get Initial Package	Exports a complete MSI with the Offline Policy. This can be used for new client installation.
Deployment > Get Upgrade Package	Exports a package to upgrade an existing offline client, and the updated CPPOL file. The details of the package are shown. Make sure the version is higher than the currently installed client version. You can select the Export update offline policy option to export a CPPOL file with the package.	Put the CPPOL file in the configured Updates folder and put the MSI in the configured Upgrades folder.
Deployment > Get Offline to Online File	Exports a file that converts an offline client to an online client. After installation, the client will connect to the server that the file was exported from.	You must put the CPPOL file in the Updates folder. See Moving from Offline to Online Mode for best practices.

To export all offline administrators:

1. Right click on an offline group and select Get Offline Management File (cpomf) or
2. Select multiple administrators in an Administrator OU under an offline group, right-click, and select Get Offline Management File (cpomf).

To replace the installation policy file for the offline group:

This is only necessary if you installed a client with an installation policy that contains shares that the client cannot access. The client remains in the installation state as the recovery file cannot be uploaded to the share.

1. In the Users and Computers tab, right-click on the Offline Group and select Advanced > Get Install Policy File.
2. Replace the installation policy located in the local Work folder on the client.

   The Work folder with the policy is located in:

   On x64 client:

   %PROGRAMFILES(X86)%\CheckPoint\Endpoint Security\Endpoint Common\Work\

   On x86 client:

   %PROGRAMFILES%\CheckPoint\Endpoint Security\Endpoint Common\Work\

3. Reboot to continue the installation.

Deploying Packages

To deploy packages:

Automatically deploy the offline client on computers or give users instructions to get the packages they require.

To push a policy update for a specified client:

Place the policy in the Work folder locally on the client, for example:
C:\Program Files\CheckPoint\Endpoint Security\Endpoint Common\Work.

If the client finds an update policy in the Work folder, the client makes sure that the update is new, imports it, and deletes the update from the Work folder.

The client then continues to use the normal update interval as configured.

To update policies on specified clients:

To update a specified computer, you can put an update policy in the client's folder located in the Updates sub-path. When the client connects to the share it will check the Updates sub-path for new updates, but it will also check its own folder, located in the Clients folder. The client automatically creates this folder the first time it connects. The name of the folder is its hostname.

Client Connections to Network Shares

Clients use the currently logged-in user to connect to the defined shares and search for update policies and to upload recovery files, logs, and status files. If there is no user logged-in or if multiple users are logged-in, the connection to the share is not available.

The logged-in user on the client must have these permissions on the share to be able to update and download files:

Location	Required Permissions
	Read	Write	List	Execute	Modify	Delete	Create
Update Directory
Recovery Files Directory
Client Log Directory

Moving from Offline to Online Mode

During the conversion from offline to online mode, all users acquired on the offline client are deleted. Users must be pre-authorized for the online client to make sure that there are authorized users on the client. If you move clients from offline mode to online mode, we recommend that you use these best practices:

• Configure at least one user that will be an authorized Pre-boot user on the client before and after the move to online mode. This will make sure there is an authorized Pre-boot user during the whole transition. This user can be removed after successful transition.
• If the logged-in authorized Pre-boot user is removed on the client during the move to online mode, a restart window opens. Wait for the automatic restart to occur.
• If no user has been authorized for Pre-boot for the online client, current offline users are not removed. These users remain with the OneCheck policy enforced in offline mode. When the first user for the online client is authorized for Pre-boot, the remaining offline users are removed. It can take up to 15 minutes before all offline users are removed.

  Note - The move from offline to online Mode is permanent. It is not possible for an online client to move to offline Mode.

Endpoint Offline Management Tool

The Endpoint Offline Management Tool lets administrators manage offline mode users and give them password assistance and disk recovery. It does not require access to the Endpoint Security Management Server.

Double click the OfflineMgmtTool.msi file to install the tool.

Get the files from the Server Release information section of the Endpoint Security homepage.

Logging In to the Offline Tool

To log in to the tool, you must have a CPOMF file that contains at least one administrator with a password, or token authentication. To get the CPOMF file from SmartEndpoint, see: Get Offline Management File in Exporting Packages.

1. Open the Offline Tool.
2. In the Login window:
   • CPOMF File - Browse to the location of the CPOMF file
   • Login Name - Enter an offline administrator name
   • Password/Token - According to the authentication method of the offline administrator, enter a password or token response.

     Note - If the authentication method is a token with a response length of 16 digits and you are authenticating with a response that is 8 digits long, you will be prompted to complete an additional challenge-response phase.

   • Click Login.

Password Assistance

To help a user log in to a locked computer click Password Assistance.

• Select Recovery Mode - Select the type of Full Disk Encryption Remote Help that is necessary:
  • One Time Logon - Lets users access using an assumed identity for one session, without resetting the password. Users who lose their Smart Cards must use this option.
  • Password Change - This option is applicable for users with fixed passwords who are locked out.
• Select Recovery File - The recovery file is a CPREC file that is uploaded from each client computer. The files are located in the Recovery Files shared folder.

  Click Browse to locate the file for the computer in the offline group that requires recovery.

• Click Next.

  Note - Each offline group is cryptographically independent. The CPOMF file for one group does not work for a different group.

Selecting a User

• Select a user that has Pre-boot permissions on the computer. You can enter the username manually in the format domain\username.
• Click Next.

Challenge from User

• Response One - Tell the user to enter the Response One text string in the Remote Help window on the locked computer.

  The endpoint computer shows a challenge code.

• Challenge - Enter the challenge code that the user gives you.

Response to User

• Response Two - Tell the user to enter the Response Two text string in the Remote Help window on the locked computer.

  Make sure that the user changes the password or has one-time access to the computer before ending the Remote Help session.

• Try Again - Click this to start the password recovery process again for a different user.

Disk Recovery

To help a user unencrypt a disk click Disk Recovery.

• Select Recovery File - The recovery file is a CPREC file that is uploaded from each client computer. The files are located in the Recovery Files shared folder.

  Click Browse to locate the file for the computer in the offline group that requires recovery.

• Click Next.

  Note - Each offline group is cryptographically independent. The recovery file for one group does not work for a different group.

Select a User Account

• Click Add to manually enter a new temporary user that will log in with the recovery media.
• Click Next.

Select Media

• Select the type of recovery media to generate:
  • ISO file
  • REC file
  • USB media

  If you select ISO or REC, select the storage location.

  If you select USB, choose the drive to use.

• Click Create Media.

  Note - To create USB media, the tool must run with administrator privileges and the Media Encryption & Port Protection must be disabled