Ivanti Device Control Encrypted Device Integration

This document provides instructions on how to configure a Kiosk device to decrypt and work with Ivanti-encrypted devices.

Prepare and deploy the Ivanti client

In order for the Kiosk device to decrypt an Ivanti-encrypted device, the Ivanti client must be installed on the Kiosk device. The steps below prepare and deploy the client using the offline method, which does not require any network connection between the Kiosk device and the Ivanti Device Control Server.

Ivanti Device Control supports two deployment methods for installing the Ivanti client on end devices: online and offline. The offline method is recommended, as the LanmanServer service is disabled by default on Kiosk Hardened Images for security reasons.

If you choose to deploy the client using the online method, please ensure that the LanmanServer service is re-enabled and the firewall is properly configured.

Note: guidance for the online deployment method is outside the scope of this document.

Step 1. Create a new package for deployment

  • Open the IDAC Client Deployment Tool and change the deployment directory.
  • New Package > choose the client MSI > enter a package name > click OK.
  • Confirm that a package folder has been created containing at least the client MSI and your MST (and, if applicable, the public key file sx-public.key, which the client uses to establish trust with your server).

Step 2. Prepare the package folder

  • Import the public key into the package (if needed).
  • Add the license file to the package.
  • Set the policies from the server.
  • Confirm that the package folder now contains at least the client MSI, the MST, the .lic file and policies.dat (and, if applicable, the public key file sx-public.key, which the client uses to establish trust with your server).
  • Zip the entire package folder and copy it to the machine on which the client is to be deployed.

Step 3. Copy the .zip and install the Ivanti client

  • Copy the .zip file to the Kiosk machine and extract it.

  • Run the following command with Administrator rights:

    • client.exe /exenoui /qn TRANSFORMS=Client.x64.mst /L*v %TMP%\setupcltsu.log

Enable the Ivanti device decryption option in Kiosk

Step 1. Configure Ivanti Device and Application Control path

  • From the Kiosk console, navigate to Configuration > Advanced > Scanning.
  • Provide the Ivanti application path in Ivanti Device and Application Control Path. By default, it is "C:\Program Files\Ivanti\Device and Application Control\Client".

Step 2. Place the required files in %PROGRAMDATA%\OPSWAT\Ivanti\

  • A license file (named endpoint.lic) is required to use the Ivanti features.
  • If the encryption files required to unlock the USB device are not embedded on the medium, copy them to that path; Kiosk looks for the key in the same folder.
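The two procedures above (running the silent installer from the extracted package, then staging endpoint.lic and any key files under %PROGRAMDATA%\OPSWAT\Ivanti\) can be scripted so that each step is checked before the next one runs. The following PowerShell script is an added example, not part of the OPSWAT or Ivanti documentation. It assumes that client.exe is at the top level of the extracted package folder, that the Kiosk license file has been copied to the machine separately (its source path is a placeholder), and that any key files to stage are in a hypothetical "keys" subfolder; the installer switches and the default client path are the ones given on this page.

```powershell
# Added example (not from the OPSWAT/Ivanti documentation): offline deployment of the
# Ivanti client on a Kiosk machine, followed by staging the Kiosk-side Ivanti files.
# Placeholder paths: $PackageZip, $KioskLicense and the "keys" subfolder are assumptions.
#Requires -RunAsAdministrator
param(
    [string]$PackageZip   = 'C:\Temp\IvantiClientPackage.zip',   # placeholder: zipped package folder
    [string]$ExtractDir   = 'C:\Temp\IvantiClientPackage',
    [string]$Transform    = 'Client.x64.mst',
    [string]$KioskLicense = 'C:\Temp\endpoint.lic',              # placeholder: Kiosk license file
    [string]$KioskIvanti  = (Join-Path $env:PROGRAMDATA 'OPSWAT\Ivanti')
)
$ErrorActionPreference = 'Stop'

# 1. Extract the package that was zipped on the machine running the Deployment Tool.
Expand-Archive -LiteralPath $PackageZip -DestinationPath $ExtractDir -Force

# 2. Sanity-check the package before installing: installer, transform, policies, license.
foreach ($name in @('client.exe', $Transform, 'policies.dat')) {
    if (-not (Test-Path (Join-Path $ExtractDir $name))) {
        throw "Package is missing required file '$name'"
    }
}
if (-not (Get-ChildItem -Path $ExtractDir -Filter '*.lic' -File)) {
    throw 'Package is missing the client .lic file'
}

# 3. Run the silent installer with the switches from the documentation and check the exit code.
$log  = Join-Path $env:TMP 'setupcltsu.log'
$proc = Start-Process -FilePath (Join-Path $ExtractDir 'client.exe') `
    -ArgumentList "/exenoui /qn TRANSFORMS=$Transform /L*v `"$log`"" `
    -WorkingDirectory $ExtractDir -Wait -PassThru -NoNewWindow
switch ($proc.ExitCode) {
    0       { Write-Host 'Ivanti client installed' }
    3010    { Write-Warning 'Ivanti client installed; a reboot is required (exit code 3010)' }
    default { throw "Installer failed with exit code $($proc.ExitCode); see $log" }
}

# 4. Stage the Kiosk-side files: endpoint.lic is mandatory, key files only when the
#    encrypted media do not carry their own keys (Step 2 above).
New-Item -ItemType Directory -Path $KioskIvanti -Force | Out-Null
Copy-Item -LiteralPath $KioskLicense -Destination (Join-Path $KioskIvanti 'endpoint.lic') -Force
$keyDir = Join-Path $ExtractDir 'keys'   # hypothetical folder holding exported key files
if (Test-Path $keyDir) {
    Copy-Item -Path (Join-Path $keyDir '*') -Destination $KioskIvanti -Force
}

# 5. Confirm the client folder Kiosk is configured to invoke actually exists.
$clientPath = 'C:\Program Files\Ivanti\Device and Application Control\Client'
if (-not (Test-Path $clientPath)) {
    throw "Ivanti client path '$clientPath' not found; check Configuration > Advanced > Scanning"
}
Write-Host "Kiosk Ivanti files staged in $KioskIvanti"
```

Exit code 3010 (ERROR_SUCCESS_REBOOT_REQUIRED) is treated as success with a warning so that an unattended run does not mask a pending reboot; any other non-zero code stops the script and points at the verbose MSI log from the documented /L*v switch.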

Step 3. Scan the Ivanti encrypted device with Kiosk

  • Start the Kiosk UI and proceed with scanning the Ivanti-encrypted device as usual. Kiosk will prompt for the password to decrypt the device; once it is provided, you can proceed with the scanning process.

Additional settings for air-gapped environments

Because of the way the integration between Ivanti and Kiosk works, Kiosk runs the IDC command-line tool itself. This raises a file-integrity concern, so Kiosk performs a signature check on the HSDC64Cmd.exe file before using it.

The signature validation includes:

  • Certificate validation
  • File integrity validation

In an air-gapped environment, where the Kiosk machine has never had access to the Internet, the certificate check will fail with the error CERT_TRUST_REVOCATION_STATUS_UNKNOWN.

Sample error log: IDCMedium.cpp#244 IDCMediumCmd::GetRemovableInfo(): {EEEEF1DE-8DC6-4F04-AA2C-3D5F16D8FF8D} Ivanti device control client executable digital signature is not valid: Invalid digital signature: CERT_TRUST_REVOCATION_STATUS_UNKNOWN;Other error status: 0x1000000;


  • Reason: Windows checks whether the signing certificate has been revoked by its CA → it tries to fetch the CA's certificate revocation list (CRL) → the fetch fails because the environment is completely offline.
  • How to resolve: Manually download the CRL and import it into the local machine's certificate store.

The CRLs of all certificates in the PKI chain must be installed.
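To verify on the Kiosk machine that the imported CRLs cover the whole chain, it helps to run the same two checks Kiosk performs (file integrity via Authenticode, certificate validation with revocation checking) while forcing Windows to use only locally cached CRLs. The PowerShell script below is an added example and is not part of the OPSWAT or Ivanti documentation. It assumes HSDC64Cmd.exe sits directly in the configured client folder, that CRL files downloaded elsewhere have been copied to a placeholder folder, and it uses certutil -addstore to place them in the Intermediate Certification Authorities ("CA") store; the names Test-OfflineChain and Get-CrlUrls are the example's own.

```powershell
# Added example (not from the OPSWAT/Ivanti documentation): reproduce Kiosk's signature
# check on HSDC64Cmd.exe using cached CRLs only, import staged CRL files, and list the
# CRL distribution point URLs still needed for any certificate in the chain.
# Assumptions: HSDC64Cmd.exe is directly under $ClientPath; $CrlFolder is a placeholder.
param(
    [string]$ClientPath = 'C:\Program Files\Ivanti\Device and Application Control\Client',
    [string]$CrlFolder  = 'C:\Temp\crls'   # placeholder: CRL files copied in via removable media
)
$exe = Join-Path $ClientPath 'HSDC64Cmd.exe'

# File integrity validation: the Authenticode hash must match the signed hash.
$sig = Get-AuthenticodeSignature -FilePath $exe
if ($sig.Status -ne 'Valid') {
    throw "Authenticode status for $exe is $($sig.Status): $($sig.StatusMessage)"
}

# Certificate validation with offline revocation checking, which is all an air-gapped host can do.
function Test-OfflineChain([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Offline'      # cached CRLs only, never fetch
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'  # every certificate needs a CRL
    $ok = $chain.Build($Cert)
    [pscustomobject]@{
        Valid  = $ok
        Status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ';'
        Chain  = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    }
}

# Read the CRL Distribution Points extension (OID 2.5.29.31) so the right CRL files can be
# fetched on a connected machine.
function Get-CrlUrls([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'https?://[^\s\]]+') | ForEach-Object { $_.Value }
}

# Import any CRLs already staged in $CrlFolder; certutil -addstore accepts CRL files.
if (Test-Path $CrlFolder) {
    Get-ChildItem -Path $CrlFolder -Filter '*.crl' -File | ForEach-Object {
        & certutil.exe -addstore CA $_.FullName | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Import failed for $($_.Name)" }
    }
}

$result = Test-OfflineChain $sig.SignerCertificate
if ($result.Valid) {
    Write-Host "Chain for $exe validates with cached CRLs"
} else {
    # RevocationStatusUnknown / OfflineRevocation here corresponds to the
    # CERT_TRUST_REVOCATION_STATUS_UNKNOWN error in the Kiosk log.
    Write-Warning "Chain status: $($result.Status)"
    foreach ($c in $result.Chain) {
        $urls = Get-CrlUrls $c
        if ($urls) { Write-Host "Needs CRL for '$($c.Subject)': $($urls -join ', ')" }
    }
}
```

Running the script before importing anything shows which certificates still report RevocationStatusUnknown together with the CDP URLs to fetch; once every CRL in the chain is in the store, Test-OfflineChain reports Valid and the Kiosk check should pass. Because CRLs expire, the import has to be repeated before the NextUpdate date of each CRL.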
