Offline Mode lets users get policies and updates from a shared folder, without a connection to an Endpoint Security server. Policies for these components are supported in Offline Mode:
Manage the offline policies for these components from each Offline Group in the Users and Computers tab. The policies for users in these groups are not configured in the Policy tab and are not included in policy installation.
Workflow to Configure Offline Mode:
Offline administrators can be created one at a time or in groups.
To create offline administrators:
The Create offline group administrators window opens with these options:
Note - you must select an existing token.
Each imported administrator has a Logon Name, Authentication type and status.
The Status column shows if an Administrator can be imported or not.
A green V icon indicates that the offline administrator is ready for import.
An X icon indicates offline administrators that cannot be imported. See the error message next to it.
Each Offline Group defines the location for its files and the included policies. Computers that install the package do not show in the tree on the Users and Computers tab.
For each group you configure a root path of the shared location where files for the group are stored, and sub-paths for each type of file. You must manually create each sub-path. Folders for these files are required. The default location is under the root path:
To create an Offline Group:
The New Offline Group wizard opens.
Root path examples: \\server\share\ or http://server/share/. HTTP/HTTPS paths are only supported when the WebDAV extension is enabled on the web server.
The Sub-path Settings window opens.
Authorize Pre-boot Users
Continue with the New Offline Group wizard or click Authorize Pre-boot Users to configure the users who can log in to computers in the offline group.
Note - Removing a user from the Authorized Pre-boot user list will not remove the user from an already installed client. Use the Blocked Users feature to remove users on clients.
Note - Smart Card authentication is not supported for Offline Pre-boot users. Select password or dynamic token as the authentication method.
Full Disk Encryption Policy
OneCheck User Settings Policy
This policy will be the default OneCheck User Settings policy for acquired users and users created from the deployment users on the computer. The default policy can be updated with a policy Update.
If users are defined in SmartConsole, you can assign a different OneCheck User Settings policy to them in SmartEndpoint. If users are acquired and not defined in SmartConsole, they always get the default policy.
Client Settings Policy
Completing the Wizard
The Offline Group and all of its configurations and policies are saved. If you do not click Finish at the end of the Wizard, the group is not saved.
Note - From the Group Details view, click Pre-boot Users to open:
To edit offline Pre-boot accounts:
To edit a deployment Pre-boot account:
To create offline Pre-boot users
The Group Details window opens.
The Pre-boot Users Details window opens.
The Add new preboot user window opens.
In Account Details you can configure the type of use and the expiration settings.
Export the required packages and put them in the configured shared locations.
To export packages:
In the Users and Computers tab, right-click on the Offline Group and select an option.
Option | Description | Notes
---|---|---
Get Update Policy File | Exports a file with policy updates. | This file has the CPPOL extension. You must put the CPPOL file in the Updates folder.
Get Offline Management File (cpomf) | Exports a CPOMF file that contains definitions that you can use to log in to the Endpoint Offline Management Tool. | This is for a help desk or contractor environment that needs access to the Tool for Remote Help and creation of recovery media without access to an Endpoint Security server.
Full Disk Encryption > Get Bypass Pre-boot File | When installed, the computer bypasses Pre-boot based on the policy configured in the Pre-boot Protection > Temporary Pre-boot Bypass settings of the Offline group. | You must put the CPPOL file in the Updates folder.
Full Disk Encryption > Get Revert Pre-boot to Policy Configuration File | Returns the computer to the regular Pre-boot policy. | You must put the CPPOL file in the Updates folder.
Deployment > Get Initial Package | Exports a complete MSI with the Offline Policy. This can be used for new client installation. |
Deployment > Get Upgrade Package | Exports a package to upgrade an existing offline client, and the updated CPPOL file. The details of the package are shown. Make sure the version is higher than the currently installed client version. You can select the Export update offline policy option to export a CPPOL file with the package. | Put the CPPOL file in the configured Updates folder and put the MSI in the configured Upgrades folder.
Deployment > Get Offline to Online File | Exports a file that converts an offline client to an online client. After installation, the client connects to the server that the file was exported from. | You must put the CPPOL file in the Updates folder. See Moving from Offline to Online Mode for best practices.
To export all offline administrators:
To replace the installation policy file for the offline group:
This is only necessary if you installed a client with an installation policy that contains shares that the client cannot access. The client remains in the installation state as the recovery file cannot be uploaded to the share.
The Work folder with the policy is located in:
On x64 client:
%PROGRAMFILES(X86)%\CheckPoint\Endpoint Security\Endpoint Common\Work\
On x86 client:
%PROGRAMFILES%\CheckPoint\Endpoint Security\Endpoint Common\Work\
To deploy packages:
Automatically deploy the offline client on computers or give users instructions to get the packages they require.
To push a policy update for a specified client:
Place the policy in the Work folder locally on the client, for example: C:\Program Files\CheckPoint\Endpoint Security\Endpoint Common\Work.
If the client finds an update policy in the Work folder, the client makes sure that the update is new, imports it, and deletes the update from the Work folder.
The client then continues to use the normal update interval as configured.
To update policies on specified clients:
To update a specified computer, you can put an update policy in the client's folder located in the Updates sub-path. When the client connects to the share it will check the Updates sub-path for new updates, but it will also check its own folder, located in the Clients folder. The client automatically creates this folder the first time it connects. The name of the folder is its hostname.
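The two delivery paths described above (the local Work folder, and a client's own hostname folder on the share) can be scripted by an administrator. The script below is an added example, not Check Point tooling; the share layout in its parameter defaults (a Clients folder directly under \\server\share) is a placeholder and must be changed to the sub-paths configured for the Offline Group. It refuses to create a missing hostname folder, because the client creates that folder itself on its first connection and its absence means the client has never reached the share, and it records the SHA-256 of the file it placed so the pushed policy can be matched later against what the client imported.

```powershell
# Added example, not Check Point's own tooling. Copies an exported update policy (.cppol)
# to the place an offline client polls: the local Work folder of the computer the script
# runs on, or the client's own hostname folder on the share.
# Assumptions (not from the page): the parameter defaults below are placeholders.
param(
    [Parameter(Mandatory = $true)]
    [string] $PolicyFile,                               # exported .cppol from SmartEndpoint
    [string] $TargetHost,                               # hostname of one client on the share; omit for the local Work folder
    [string] $ClientsFolder = '\\server\share\Clients'  # placeholder: the Clients folder under the group's share
)

function Get-LocalWorkFolder {
    # On x64 clients the Work folder sits under %PROGRAMFILES(X86)%, on x86 clients under %PROGRAMFILES%.
    $base = if ([Environment]::Is64BitOperatingSystem) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
    return (Join-Path $base 'CheckPoint\Endpoint Security\Endpoint Common\Work')
}

if (-not (Test-Path -LiteralPath $PolicyFile -PathType Leaf)) { throw "Policy file not found: $PolicyFile" }
if ([IO.Path]::GetExtension($PolicyFile) -ne '.cppol') { throw "Expected a .cppol file, got: $PolicyFile" }

if ($TargetHost) {
    # The client creates its hostname folder on its first connection. If the folder is missing,
    # the client has never reached the share; creating it here would only hide that problem.
    $dest = Join-Path $ClientsFolder $TargetHost
    if (-not (Test-Path -LiteralPath $dest -PathType Container)) {
        throw "No folder for '$TargetHost' under $ClientsFolder - the client has not connected to the share yet"
    }
} else {
    $dest = Get-LocalWorkFolder
    if (-not (Test-Path -LiteralPath $dest -PathType Container)) {
        throw "Local Work folder not found ($dest) - is the offline client installed on this computer?"
    }
}

# A policy still present in the folder has not been consumed yet (the client deletes a policy
# after importing it); report it instead of silently overwriting.
$pending = Get-ChildItem -LiteralPath $dest -Filter '*.cppol' -File -ErrorAction SilentlyContinue
if ($pending) { Write-Warning "Unconsumed policy file(s) in ${dest}: $($pending.Name -join ', ')" }

Copy-Item -LiteralPath $PolicyFile -Destination $dest
$hash = (Get-FileHash -LiteralPath $PolicyFile -Algorithm SHA256).Hash
Write-Output ("Placed {0} in {1} (SHA256 {2}); the client imports it on its next check and then deletes it." -f (Split-Path -Leaf $PolicyFile), $dest, $hash)
```

Run it with `-PolicyFile .\update.cppol` on the client itself to use the Work folder, or add `-TargetHost <hostname>` from an administrator workstation that can reach the share. The warning about an unconsumed file is worth acting on: it usually means the client has not been connecting to the share (see the permissions and logged-in-user requirements under Client Connections to Network Shares).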
Client Connections to Network Shares
Clients use the currently logged-in user to connect to the defined shares and search for update policies and to upload recovery files, logs, and status files. If there is no user logged-in or if multiple users are logged-in, the connection to the share is not available.
The logged-in user on the client must have these permissions on the share to be able to update and download files:
Location | Read | Write | List | Execute | Modify | Delete | Create
---|---|---|---|---|---|---|---
Update Directory | | | | | | |
Recovery Files Directory | | | | | | |
Client Log Directory | | | | | | |
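Because the client connects with the identity of the logged-in user, the practical check is to run a permissions report as that user, on the client, against the configured directories. The script below is an added example (not Check Point tooling) that evaluates the NTFS ACL of each directory for the current user and its groups and reports the seven rights named in the table. The directory paths in its defaults are placeholders for the Updates, Recovery Files and Client Log sub-paths; the mapping of the table's column names to NTFS access-mask bits is my assumption, and the report covers NTFS permissions only, not the SMB share permissions that are applied on top of them.

```powershell
# Added example, not Check Point's own tooling. Reports which of the rights in the
# permissions table the current user effectively holds on each configured directory.
# Assumptions (not from the page): the paths below are placeholders for the group's sub-paths,
# and the column-to-NTFS-right mapping is an interpretation of the table headings.
param(
    [string[]] $Directories = @(
        '\\server\share\Updates',    # placeholder: Update Directory
        '\\server\share\Recovery',   # placeholder: Recovery Files Directory
        '\\server\share\Logs'        # placeholder: Client Log Directory
    )
)

$rights = [System.Security.AccessControl.FileSystemRights]
# On a directory, Read/List share one access-mask bit (ReadData = ListDirectory) and
# Write/Create share another (WriteData = CreateFiles), so those column pairs always agree.
$columns = [ordered]@{
    Read    = $rights::ReadData
    Write   = $rights::WriteData
    List    = $rights::ListDirectory
    Execute = $rights::ExecuteFile
    Modify  = $rights::Modify
    Delete  = $rights::Delete
    Create  = $rights::CreateFiles
}

# The identity the client would use: the logged-in user plus every group in its token.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

function Get-EffectiveRights {
    param([string] $Path)
    # Allow bits minus deny bits over every ACE that names the user or one of its groups.
    # NTFS only: over SMB the share's own permissions are intersected with this result.
    $allow = 0; $deny = 0
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # orphaned or untranslatable SID: cannot apply to this user
        if ($mySids -notcontains $sid) { continue }
        $mask = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor $mask } else { $deny = $deny -bor $mask }
    }
    return ($allow -band (-bnot $deny))
}

$results = foreach ($dir in $Directories) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        Write-Warning "Cannot reach $dir as $($identity.Name)"
        continue
    }
    $effective = Get-EffectiveRights -Path $dir
    $row = [ordered]@{ Location = $dir }
    foreach ($name in $columns.Keys) {
        $bits = [int]$columns[$name]
        $row[$name] = (($effective -band $bits) -eq $bits)
    }
    [pscustomobject]$row
}
$results | Format-Table -AutoSize
```

Run it in a session of the user who is actually logged in on the client, not from an elevated administrator console, since an elevated token carries groups the client's connection will not have. A directory that cannot be reached at all is the first thing to fix; after that, compare the True/False cells with the required permissions for each location.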
During the conversion from offline to online mode, all users acquired on the offline client are deleted. Users must be pre-authorized for the online client to make sure that there are authorized users on the client. If you move clients from offline mode to online mode, we recommend that you use these best practices:
Note - The move from offline to online Mode is permanent. It is not possible for an online client to move to offline Mode.
The Endpoint Offline Management Tool lets administrators manage offline mode users and give them password assistance and disk recovery. It does not require access to the Endpoint Security Management Server.
Double-click the OfflineMgmtTool.msi file to install the tool.
Get the files from the Server Release information section of the Endpoint Security homepage.
To log in to the tool, you must have a CPOMF file that contains at least one administrator with a password, or token authentication. To get the CPOMF file from SmartEndpoint, see: Get Offline Management File in Exporting Packages.
Note - If the authentication method is a token with a response length of 16 digits and you are authenticating with a response that is 8 digits long, you will be prompted to complete an additional challenge-response phase.
To help a user log in to a locked computer click Password Assistance.
Click Browse to locate the file for the computer in the offline group that requires recovery.
Note - Each offline group is cryptographically independent. The CPOMF file for one group does not work for a different group.
The endpoint computer shows a challenge code.
Make sure that the user changes the password or has one-time access to the computer before ending the Remote Help session.
To help a user decrypt a disk, click Disk Recovery.
Click Browse to locate the file for the computer in the offline group that requires recovery.
Note - Each offline group is cryptographically independent. The recovery file for one group does not work for a different group.
If you select ISO or REC, select the storage location.
If you select USB, choose the drive to use.
Note - To create USB media, the tool must run with administrator privileges and Media Encryption & Port Protection must be disabled.