48: IGEL Weekly: How to Use IGEL OS Drive Encryption

May 2, 2022

IGEL’s Sebastian Perusat teaches you to use IGEL OS drive encryption. You will learn how to obfuscate the corporate identity, hide AD login info, manage lost devices, enhance the chain of trust, and deal with legal compliance. 

Host: Andy Whiteside
Co-host: Patrick Toner
Co-host: Sebastien Perusat

WEBVTT

1
00:00:02.190 –> 00:00:09.389
Andy Whiteside: Hi everyone, and welcome to episode 48 of IGEL Weekly. This is one of our Community edition podcasts with Seb.

2
00:00:10.800 –> 00:00:19.890
Andy Whiteside: You know one thing I learned going back and listen to the last one that Patrick hosted was it said, I never said, your last name I always kind of pronounce it English wise pretty shots.

3
00:00:21.030 –> 00:00:26.460
Andy Whiteside: say it in French, the way I would say it and i’ll try to practice it.

4
00:00:27.450 –> 00:00:31.680
Sebastien Perusat: Honestly it’s extremely Jennifer here but you’re definitely not the best with pedroza.

5
00:00:32.010 –> 00:00:32.880
Andy Whiteside: The resume.

6
00:00:33.210 –> 00:00:33.990
Sebastien Perusat: ever so who’s.

7
00:00:35.520 –> 00:00:36.180
Sebastien Perusat: It who’s up.

8
00:00:36.540 –> 00:00:37.350
Andy Whiteside: hey Russa.

9
00:00:37.950 –> 00:00:44.880
Sebastien Perusat: Think about the root directory Peruvian enzyme like satellite that’s what season yeah.

10
00:00:44.970 –> 00:00:45.990
Sebastien Perusat: yeah that’s good.

11
00:00:46.230 –> 00:00:47.400
Andy Whiteside: Well that’s how I do a pair of.

12
00:00:47.430 –> 00:00:48.510
Andy Whiteside: pair of pair of socks.

13
00:00:48.600 –> 00:00:50.220
Sebastien Perusat: that’s how i’ve done in Nice and then.

14
00:00:50.880 –> 00:00:57.990
Andy Whiteside: After we kind of just kind of roll it roll it out very French sounding and I was like man, but the most I just call you Seb because everybody in the IGEL world knows.

15
00:00:58.230 –> 00:00:58.680
perfect.

16
00:01:00.600 –> 00:01:08.010
Andy Whiteside: So, Patrick toner is with us on this INTEGRA side, Patrick is one of our solutions architect former employee and knows it inside now it’s.

17
00:01:08.670 –> 00:01:18.570
Andy Whiteside: kind of our secret weapon whole company is INTEGRA is big IGEL fans, we know a lot about it but Patrick’s our top secret weapon when it comes to IGEL-related discussions.

18
00:01:18.960 –> 00:01:29.790
Andy Whiteside: Chris isn’t with us, I think, maybe first one is ever miss but criticism with us he had something else to do day totally understandable heck i’ve missed any of these things, but we, the show must go on is the idea.

19
00:01:30.990 –> 00:01:33.780
Andy Whiteside: said that little pastry behind you is that a patient on the desk finding.

20
00:01:34.800 –> 00:01:35.250
Sebastien Perusat: What.

21
00:01:35.550 –> 00:01:37.200
Andy Whiteside: they’re pastry on the desk behind you.

22
00:01:38.250 –> 00:01:38.880
Sebastien Perusat: pastry.

23
00:01:38.970 –> 00:01:39.420
pastry.

24
00:01:40.680 –> 00:01:42.120
Andy Whiteside: Over there over there yeah.

25
00:01:43.770 –> 00:01:44.340
Sebastien Perusat: it’s a candle.

26
00:01:44.850 –> 00:01:45.720
Sebastien Perusat: candle at holder.

27
00:01:46.980 –> 00:01:48.090
Sebastien Perusat: Is from my wife, I mean.

28
00:01:49.560 –> 00:01:51.450
Sebastien Perusat: For me, as a racing car over there and that’s.

29
00:01:52.020 –> 00:01:56.250
Andy Whiteside: Obviously yeah i’m just giving you a hard time i’m hungry because i’m trying to say.

30
00:01:58.770 –> 00:01:59.250
Andy Whiteside: alright.

31
00:01:59.520 –> 00:02:08.130
Andy Whiteside: So let’s see so the topic this week and I literally guess maybe find this funny had to cut Patrick off because said posted the topic and Patrick got all excited and.

32
00:02:08.430 –> 00:02:11.460
Andy Whiteside: got ready to start talking about like, no, no, we didn’t hit the record button because.

33
00:02:11.850 –> 00:02:24.060
Andy Whiteside: that’s why we’re here take great topics that the group comes up with in this case the Community side so quite often has the idea because he’s been working on it and thinking about it, and so we jumped into it, we jump into it now, but.

34
00:02:24.720 –> 00:02:32.760
Andy Whiteside: We want to do this in front of you guys because it’s going to come off genuine and honest and real, but the blog which in most of the cases it’s a blog.

35
00:02:33.360 –> 00:02:41.280
Andy Whiteside: Which is how to use IGEL OS disk encryption and it’s a video set, but together we’re going to talk through and go over the highlights of it.

36
00:02:41.490 –> 00:02:47.580
Andy Whiteside: And then, if you want to watch it just do what I just said, and you will find it in the IGEL Community or just go look and I joke many blogs, but.

37
00:02:48.240 –> 00:03:01.080
Andy Whiteside: said, this is a really good topic for me because I often wonder and i’m often pleasantly surprised, maybe 100% pleasantly surprised when I start thinking about you know mainstream enterprise.

38
00:03:01.950 –> 00:03:07.890
Andy Whiteside: endpoint operating systems and what they have in them that IGEL, and by that I mean Windows.

39
00:03:08.580 –> 00:03:17.730
Andy Whiteside: Almost omniscient Windows and what IGEL has done to make sure those features in this case a security feature shows up in the IGEL product in the form of.

40
00:03:18.150 –> 00:03:25.020
Andy Whiteside: IGEL taking making Linux do the same things which Linux has it in there, without a doubt IGEL brings it to the surface, makes it easy to manage.

41
00:03:25.350 –> 00:03:33.090
Andy Whiteside: And disk encryption for the operating system drive is one of those things I’ve often wondered, but never asked about so it’s really good that you’re bringing this one forward.

42
00:03:34.620 –> 00:03:42.000
Sebastien Perusat: To do so, and by the way, it’s really hot off the press doctors or it’s a video, I would say 20 minutes ago, so we’re just right on time.

43
00:03:42.390 –> 00:03:54.990
Sebastien Perusat: So it’s a really good tutorial recorded last Thursday or last one, the same because of some interest in their community and asking how to deal with that specific topic so it’s really quite new and renew, not to say.

44
00:03:55.320 –> 00:04:02.160
Andy Whiteside: So before we jump into the meat of it let’s go to Patrick first Patrick Why is this important.

45
00:04:03.360 –> 00:04:21.030
Patrick Toner: Well, you know it’s I think it’s important for a few reasons, you know we talked about admin passwords I think it was last podcast or the one before you want you want to you know you want to have a layer of security around you know users being able to access things so this obviously.

46
00:04:21.120 –> 00:04:24.570
Patrick Toner: takes it a step further, where you’re able to set a.

47
00:04:25.200 –> 00:04:32.310
Patrick Toner: password of some sort of encryption on the device itself you don’t have to worry about you know it says here on the screen actually has a sneaking.

48
00:04:32.610 –> 00:04:40.380
Patrick Toner: Something like a UD Pocket go missing well it’s fully encrypted it’s got a password set somebody can’t just walk away with it and then use it, so you know.

49
00:04:41.040 –> 00:04:47.220
Patrick Toner: And I was funny I was about to say that said before the start of this was a feature that was on the roadmap for.

50
00:04:47.610 –> 00:04:52.650
Patrick Toner: quite a while, and then, when I moved over my job as INTEGRA I think was around that time that this.

51
00:04:53.220 –> 00:05:04.890
Patrick Toner: released, so this is going to be kind of new to me this feature I haven’t had an opportunity to configure this for the customer, so I dig it looks like i’m i’m excited to kind of see how this works and and learn from set here.

52
00:05:05.730 –> 00:05:20.250
Andy Whiteside: So, I guess, my comment of does, I just have this that you’re you know windows mainstream operating system, I guess that’s timely because it didn’t but, as with many things you guys recognize needs that need to happen and you put it in the product.

53
00:05:21.180 –> 00:05:30.120
Sebastien Perusat: that’s what sometimes in the quiet good old German way so between the time where we see a need and stangl implemented, we are thinking about the topic 10,000 times.

54
00:05:30.480 –> 00:05:40.440
Sebastien Perusat: But, finally, the original product, and I must say I was asked a couple of times in enterprise product, especially can use TPM which kind of encryption are using locally.

55
00:05:40.800 –> 00:05:48.060
Sebastien Perusat: Can we encrypt the operating system partition in general, what happened to the user data if the UD Pocket gets stolen.

56
00:05:48.570 –> 00:05:52.560
Sebastien Perusat: And all that stuff brought together finally brought that feature coming up.

57
00:05:53.340 –> 00:06:01.830
Sebastien Perusat: I mean it’s I would say the first version of that feature and i’m pretty sure we might expect some bigger change in next year’s regarding that topic because you know, obviously.

58
00:06:02.280 –> 00:06:13.860
Sebastien Perusat: We are moving away from this hardware when there was a little bit of software aspect to a full blown software product wonder and that’s where I would say, we still have a bit of homework to do.

59
00:06:14.430 –> 00:06:24.480
Sebastien Perusat: What happened to the device gets gets ripped off and or maybe got stolen, how can we wipe that device remotely or that small stuff.

60
00:06:24.990 –> 00:06:34.500
Sebastien Perusat: We are already aware how to do that, we can do that there were specific ways to address this summer to do so that’s definitely a huge step in the right direction for sure for sure.

61
00:06:35.850 –> 00:06:41.520
Andy Whiteside: Okay, so i’ll just hit these real quick on the set them the escape corporate identity, I don’t think I ever.

62
00:06:41.520 –> 00:06:41.670
Sebastien Perusat: Had.

63
00:06:41.730 –> 00:06:49.290
Andy Whiteside: yeah that we’re just now Active Directory hiding those logins lost devices, like a UD Pocket or physical device, but those UD Pockets right I.

64
00:06:49.590 –> 00:06:58.530
Andy Whiteside: I like the concept I don’t like the idea somebody could just take it, and do, maybe something with me keep in mind, IGEL’s a read-only operating system for the most part there’s not a lot of data on it.

65
00:06:58.920 –> 00:07:04.890
Andy Whiteside: But for some organizations, this is a security requirement that is a checkbox and if you don’t have it, you can’t play along.

66
00:07:05.550 –> 00:07:13.680
Andy Whiteside: extraction of local data just talking about interaction with the local os enhance chain of trust and the last one, maybe, most importantly, from a.

67
00:07:14.610 –> 00:07:23.100
Andy Whiteside: From a security team perspective and maybe from a cyber insurance perspective compliance and that last one is becoming more and more common right if you can’t.

68
00:07:23.370 –> 00:07:29.400
Andy Whiteside: check all those cyber security boxes, then you can’t get insurance, you know, without insurance you can’t stay in business.

69
00:07:31.590 –> 00:07:31.890
So.

70
00:07:33.330 –> 00:07:39.630
Andy Whiteside: So, so you may not know the answer this question how often is an enhancement like this, something that.

71
00:07:40.230 –> 00:07:54.000
Andy Whiteside: You guys bring up and the team in Germany he puts into the product at some point, and how often is it that a big customer says, like you, but I can’t use you unless you do this, and the latter is the one that drives the drives the feature coming to market.

72
00:07:54.810 –> 00:08:01.770
Sebastien Perusat: So the most honest answer I could give us, it depends on the size of the project know size of the customer.

73
00:08:02.370 –> 00:08:17.070
Sebastien Perusat: If the huge amount of licenses will be sort I don’t know 1000 less license and one step will will consider more or less every feature questions saying we will implement it or implement them in general, but we will definitely try to do whatever we can.

74
00:08:18.150 –> 00:08:27.570
Sebastien Perusat: On the other hand, if we stay realistic, and we know that the amount of work, we have to put into the development platform is really limited that the.

75
00:08:28.290 –> 00:08:34.530
Sebastien Perusat: impact on the market is high, we can do that, even without a feature request and that’s where the power of community.

76
00:08:35.010 –> 00:08:43.110
Sebastien Perusat: is coming up, we have a tool there, which is called nodes where we can propose features which is not a feature request process.

77
00:08:43.470 –> 00:08:48.210
Sebastien Perusat: But people can say hey this future would be cool and people can upload and download that.

78
00:08:48.720 –> 00:08:58.050
Sebastien Perusat: And that’s also an approach, where we are getting feedback from the market and see okay this feature is extremely needed and coming back to your questions device encryption like an example.

79
00:08:58.530 –> 00:09:12.000
Sebastien Perusat: came from myrtle at the press projects, whether it local encryption was mandatory there was no way around, and I must say that that the discussion that we have and it gets Patrick had.

80
00:09:12.630 –> 00:09:22.410
Sebastien Perusat: 10 times is what about antivirus locally, what about encryption locally and that’s a discussion which is quite difficult to to bring up because we’re still.

81
00:09:23.040 –> 00:09:29.160
Sebastien Perusat: An edge operating system, but we have also the ability to store local data So where are the difference between.

82
00:09:29.550 –> 00:09:45.030
Sebastien Perusat: A standard workstation and I think an operating system that’s a move, where we are let’s say going through the last five to eight years and that’s one of the aspects where i’m saying we are becoming an operating system windows and the management platform opposite and.

83
00:09:46.050 –> 00:09:52.230
Andy Whiteside: that’s and that’s good that IGEL is customer friendly and under get understands that and to be quite frank.

84
00:09:52.620 –> 00:09:59.190
Andy Whiteside: When you compare microsoft’s development of their operating system, the idea, you can be much more agile and nimble.

85
00:10:00.060 –> 00:10:14.580
Andy Whiteside: I would say the same thing about like a Dell Wyse and HP and others too, I mean you know you guys are big with the features, you need, but still a small enough company that can understand customer and vendor and bar partnerships yeah.

86
00:10:15.870 –> 00:10:17.430
Andy Whiteside: Alright, so let’s kind of walk through this.

87
00:10:18.570 –> 00:10:26.820
Andy Whiteside: said we start off talking about the need and i’m going to fast for this, so I can stop it when I need to what’s next in the conversation in the video.

88
00:10:27.810 –> 00:10:36.750
Sebastien Perusat: So next steps that were occurring is speaking about the general approach, how to deal with the the the feature itself.

89
00:10:37.140 –> 00:10:44.580
Sebastien Perusat: What is needed, so that’s where we are going through the process of speaking of the configuration method we have.

90
00:10:45.060 –> 00:10:54.840
Sebastien Perusat: So we have the encryption method which is like everything that we’re doing on the IGEL OS operating platform, we are starting in the IGEL UMS, so the Universal Management Suite, which is.

91
00:10:55.410 –> 00:10:59.370
Sebastien Perusat: The management platform for all the configuration that you want to deploy to the endpoint.

92
00:10:59.910 –> 00:11:08.580
Sebastien Perusat: And they are you could say it’s basically just wanted to check boxes that you need so quite a profile and then you have obviously that’s something that I.

93
00:11:09.180 –> 00:11:13.800
Sebastien Perusat: don’t mention every time that we have a podcast but I will just mention it here again.

94
00:11:14.250 –> 00:11:25.530
Sebastien Perusat: If you don’t see that feature in a profile, it might be that the profile you’re looking at as an older firmware or maybe you your message not able to handle that so we always been about the latest public versions.

95
00:11:26.370 –> 00:11:34.170
Sebastien Perusat: So from there, we have on a security already the ability to deliver administrator passports to use math and medication.

96
00:11:34.560 –> 00:11:43.770
Sebastien Perusat: But now, since this feature was introduced, there was a specific menu which is called device encryption and that’s where I’m leading you the audience to how to configure it.

97
00:11:46.050 –> 00:11:54.510
Sebastien Perusat: that’s quite easy, I would say, so there was not a big amount of configuration that that you need to contact, if you do that.

98
00:11:54.930 –> 00:12:10.440
Sebastien Perusat: But there was still gives you some some hand so first of all the standards value that is pretty fun is called keep that doesn’t tell you that much, but what say that it will just keep the local configuration of the end part when it comes to improve.

99
00:12:11.700 –> 00:12:14.100
Sebastien Perusat: So, in a standard case disabled.

100
00:12:15.510 –> 00:12:26.730
Sebastien Perusat: or as a user enable it locally or site admin it was keep it activate but that’s obviously not what you want, you want to deploy that setting to order device and forth your user to use encryption.

101
00:12:27.810 –> 00:12:32.640
Andy Whiteside: conversation you’re going to talk about okay so keep means it’s already there, and you want to make sure it stays there.

102
00:12:32.880 –> 00:12:40.500
Andy Whiteside: activate means it wasn’t encrypted now you’re going to encrypt it at some point, this will you talk through you know what to be expected on the input in terms of how much.

103
00:12:40.740 –> 00:12:48.000
Andy Whiteside: overhead and time that this might take, is it is it happen in front of user does it happen in the background, just want to weave that in as you’re talking through this.

104
00:12:48.540 –> 00:12:57.630
Sebastien Perusat: sure that something was, I will you will you might see on the on the video in a bit later on, but yes so as soon as we deploy that setting to an endpoint.

105
00:12:58.110 –> 00:13:06.990
Sebastien Perusat: The endpoint would show up little pop up window, where the users asked to enter one time and then confirm a specific password.

106
00:13:07.560 –> 00:13:17.910
Sebastien Perusat: This password has to match obviously some criteria that you are delivering in your profile saying that specific special characters allowed or not allowed.

107
00:13:18.780 –> 00:13:27.510
Sebastien Perusat: was saying that you must have a specific length or specific number of characters or numbers is something that was set up in the profile.

108
00:13:28.110 –> 00:13:37.410
Sebastien Perusat: And as soon as you create a profile and that profile to endpoints there will be a pop up so that’s something to consider, by the way, if you push the setting right now already devices.

109
00:13:37.950 –> 00:13:47.400
Sebastien Perusat: Without saying on next reboot there will be a small pop up, which is called device encryption and from there on the user can say whatever he likes of whatever she likes.

110
00:13:48.330 –> 00:14:03.780
Sebastien Perusat: And like on most password configuration dialogues, you will also have a password strength bar, which is changing from red to yellow to green saying that your password is strong enough or not to match the criteria.

111
00:14:04.830 –> 00:14:19.920
Sebastien Perusat: And as soon as you click apply on that window the encryption step will start we do recommend obviously to not reboot the device during that time to power, the devaluing the time because then you development really got wrapped up.

112
00:14:21.090 –> 00:14:30.600
Sebastien Perusat: But if you stay there, almost hardware have seen it takes from two minutes to 15 or 20 minutes but not more than that.

113
00:14:31.950 –> 00:14:41.400
Sebastien Perusat: And since we are considering IGEL operating system we’re not speaking about an operating system which is 30 gigabyte big or 40 and hopefully it will stay at that stage, like that.

114
00:14:42.120 –> 00:14:52.080
Sebastien Perusat: But you have between I don’t know one dot five to four gigabyte approximately of disk space, you are using and the standout.

115
00:14:52.740 –> 00:14:58.590
Sebastien Perusat: partition size that we’re using is something between two and four gigabytes so it’s pretty fast for the equipment, sir.

116
00:14:59.160 –> 00:15:14.520
Sebastien Perusat: and obviously we didn’t mention it, but we’re not speaking about a full disk encryption, but only about an operating system partition so we’re not encrypting 500 gigabytes of data of sectors, but we need what we are needing for the operating system.

117
00:15:18.300 –> 00:15:21.540
Sebastien Perusat: that’s where we are on this on this configuration window.

118
00:15:22.770 –> 00:15:28.320
Sebastien Perusat: Obviously, like on every IGEL step, everything is described so you will never have something which is.

119
00:15:28.920 –> 00:15:46.470
Sebastien Perusat: disappearing or going to the background, you always have the ability to see where it happens, and if it takes too long you’re allowed to start a session and working para I just would have an eye on if you’re using a laptop that you have enough power supply to do that, during the step.

120
00:15:46.980 –> 00:15:53.550
Andy Whiteside: hey okay good really good point about the laptop so if it died in the middle of it that’d be really bad day I assume right yeah.

121
00:15:54.240 –> 00:16:00.930
Sebastien Perusat: I mean it’s IGEL OS right, so you can refresh it quite easily but still something that you have to keep in mind right.

122
00:16:01.590 –> 00:16:02.790
Andy Whiteside: And as far as.

123
00:16:04.890 –> 00:16:17.550
Andy Whiteside: All the passwords setting in Patrick I do want to chime in here, you probably have a lot of comments or questions is it up to the person sitting in front of screen to set that password or can you set that password systematically from the UMS.

124
00:16:18.480 –> 00:16:26.100
Sebastien Perusat: For the moment, it’s only user based, so the user has to set the password and that’s what I mentioned at the beginning.

125
00:16:26.760 –> 00:16:40.200
Sebastien Perusat: it’s a first step of that product right, so we might expect some changes like setting up a general password or maybe having a password which can be reset by the user them if you want to change encryption, but for the moment it’s really user based.

126
00:16:41.220 –> 00:16:50.700
Patrick Toner: yeah that was that was the one question I get it was already here to my head from customers, what if my employee forgets the password so it’s a total refresh at that point.

127
00:16:51.990 –> 00:16:53.520
Sebastien Perusat: that’s what we do recommend right now.

128
00:16:53.550 –> 00:16:54.480
Sebastien Perusat: yeah so.

129
00:16:55.800 –> 00:16:56.430
Andy Whiteside: That would be.

130
00:16:56.460 –> 00:16:58.140
Andy Whiteside: So guys have a question, so if you.

131
00:16:58.140 –> 00:17:09.480
Andy Whiteside: have to reset that they can said you alluded to it a minute ago if you had to re image it because it’s encrypted that’s okay we’re just going to overwrite the encryption at that point, or is it just unusable.

132
00:17:10.500 –> 00:17:25.530
Sebastien Perusat: No, no, you can definitely flash it and that’s why I had to turn the situation in the last month as well happened, where the customer could recover the device obviously you don’t have to migrate, the old settings that gets it a specific.

133
00:17:26.940 –> 00:17:40.500
Sebastien Perusat: Specific switch that you have to switch on or off if you have to keep on or discard them and the OS Creator process of reimaging of the device but that’s something which was pretty funny.

134
00:17:44.310 –> 00:17:53.340
Patrick Toner: said, this is a, this is a one to one device type of configuration right, you know so customers who have shared devices, this is not not in play, unless they would.

135
00:17:53.370 –> 00:17:53.850
Sebastien Perusat: Get you know.

136
00:17:54.000 –> 00:17:55.860
Patrick Toner: The sharing of password amongst the team doesn’t.

137
00:17:57.630 –> 00:17:58.320
Sebastien Perusat: make practical.

138
00:17:59.250 –> 00:18:00.990
Sebastien Perusat: or write it on the poster yep exactly.

139
00:18:01.140 –> 00:18:02.160
Patrick Toner: yeah posted oh no.

140
00:18:03.240 –> 00:18:04.710
Patrick Toner: that’s where security really comes in.

141
00:18:04.740 –> 00:18:09.780
Andy Whiteside: Post-it notes, yeah so guys have a question, this is version one, I understand that.

142
00:18:10.650 –> 00:18:23.880
Andy Whiteside: You know, in the world of say Windows, the sun this disk encryption stuff kind of happens under the scenes and and the user users plural, in this case wouldn’t know it is that, where this is headed, or is this the intent of the product, the way it is today.

143
00:18:26.070 –> 00:18:35.070
Sebastien Perusat: If you asked me just myself, I would say it’s not the final version since we’re missing specific steps lexi remote recovery like.

144
00:18:35.700 –> 00:18:46.710
Sebastien Perusat: What happened with device just the APP is so somewhere under the desk and never restarted down the the device went over to another employee I couldn’t remember password.

145
00:18:47.370 –> 00:18:56.910
Sebastien Perusat: that’s something that’s the steps way i’m saying as soon as we are speaking about the upcoming versions of the US and was what might expect some when this year.

146
00:18:57.660 –> 00:19:07.560
Sebastien Perusat: will make definitely expected there you change that behavior that’s what i’ve been told, so, for the first step for the was 11 burden and you’re my six or 10 that’s what we that’s why we are.

147
00:19:08.220 –> 00:19:24.000
Sebastien Perusat: At from all the Windows or macOS based administrators for might already have used that for their FileVault or a BitLocker please expect that it will get smarter than it is at the moment, definitely yeah okay.

148
00:19:24.330 –> 00:19:33.270
Andy Whiteside: One some cases, because I just so security, and this is just a matter of checking boxes, but I also get it hey um so I maybe I missed it but let’s say you’re using.

149
00:19:34.350 –> 00:19:40.770
Andy Whiteside: workplace okay so you’re going to be it’s going to come up you’re gonna have to enter that password now and then you then would enter your.

150
00:19:41.700 –> 00:19:52.050
Andy Whiteside: username and password let’s say your AD you don’t log in as an end user, that would be a second currently login at that point or your Citrix login would be a second login something would be a second one.

151
00:19:52.770 –> 00:20:04.500
Sebastien Perusat: Okay, yes, that the short answer and I would add, so the main goal is because that’s what I have been asked, on my projects from from customers.

152
00:20:05.010 –> 00:20:16.080
Sebastien Perusat: hey we’re deploying corporate identity files like a wallpaper like a specific session name so Citrix I can enjoy the depth is already holding company data because yeah they are used to.

153
00:20:16.710 –> 00:20:23.310
Sebastien Perusat: or they’re having specific customer logos already in the start menu, and whatever just think of regarding corporate identity.

154
00:20:23.940 –> 00:20:36.030
Sebastien Perusat: yeah that’s, the first thing that we’re trying to deal with you boot up a device that you find someone on the street, I mean speaking about you, the package don’t find laptop that often on the street, but if you wouldn’t be the pocket on another PC.

155
00:20:36.420 –> 00:20:40.590
Sebastien Perusat: You will not want to see the customer name, you will see his wallpaper So if you want to tag it.

156
00:20:40.680 –> 00:20:52.380
Sebastien Perusat: This this environment you’re already a first information that they’re using Citrix the name of the maybe the names of the customer, because you say the last username and the Citrix workspace the plan might be.

157
00:20:52.830 –> 00:21:01.740
Sebastien Perusat: And then you can go wider that’s what we’re trying to avoid with the pre boot authentication that’s my best.

158
00:21:02.970 –> 00:21:09.360
Sebastien Perusat: name for the developing country because it pre boot authentication covers it a bit better than the courtroom LP.

159
00:21:09.960 –> 00:21:20.700
Sebastien Perusat: Because when you boot up the device what we activating today in the in the tutorial and on the on the podcast is pre-boot authentication which was then decrypt your disk.

160
00:21:21.120 –> 00:21:30.270
Sebastien Perusat: So what decrypt your partition to be more precise, so you have before you even see something you would get a device encryption is active window.

161
00:21:30.540 –> 00:21:46.170
Sebastien Perusat: where you have to enter your password you don’t have to use the user just a path of that’s really fun and then from there as soon as we hit enter or the little arrow it will decrypt and start the rest of the operating system to the desktop alters the active directory login screen.

162
00:21:48.180 –> 00:21:48.690
Patrick Toner: instead.

163
00:21:49.800 –> 00:21:55.860
Patrick Toner: The device boots up so every every time you do a reboot or start the device after the first time.

164
00:21:56.400 –> 00:21:57.360
Sebastien Perusat: User we’re going to.

165
00:21:58.470 –> 00:22:02.460
Sebastien Perusat: reboot it will cover the reboot and the the culprit both of them.

166
00:22:03.120 –> 00:22:03.510
Patrick Toner: got it.

167
00:22:04.620 –> 00:22:11.370
Sebastien Perusat: So yeah we can call it, maybe to secure sometimes but that’s not the case at the moment.

168
00:22:12.810 –> 00:22:24.270
Patrick Toner: Are you guys seeing you know and I’m just not sure about this, are you guys seeing requirements in you know GDPR over in Europe at this or like you know, is it more customer driven what you know what have you seen with that.

169
00:22:25.710 –> 00:22:27.420
Sebastien Perusat: At the moment, mostly customer room.

170
00:22:28.560 –> 00:22:45.720
Sebastien Perusat: Especially if we, I mean because it because must work out where wasn’t worth were mostly military and banks and insurance has to be it yeah to be even more precise that was it three kind of verticals where this requirement was not an option, but was mandatory.

171
00:22:47.010 –> 00:22:56.580
Sebastien Perusat: And their first goal was encryption and then we told them all the IGEL story and said okay make sense for us, but still, we have to rely on encryption.

172
00:22:57.030 –> 00:23:04.620
Sebastien Perusat: and on something which will office obfuscate so hide any kind of company data if the device got found.

173
00:23:05.130 –> 00:23:13.530
Sebastien Perusat: And that’s where this small window, which is not really good looking but it doesn’t have to a BitLocker PIN entry window isn’t looking good either.

174
00:23:14.100 –> 00:23:24.900
Sebastien Perusat: or firewall so you don’t even have an agile over there you just have good luck, the the password field, and then, which is pretty cool, I must say.

175
00:23:25.380 –> 00:23:33.120
Sebastien Perusat: A failed login attempts windows showing up so that’s something we didn’t mention to know, but, as already mentioned in the video to.

176
00:23:33.570 –> 00:23:45.210
Sebastien Perusat: If you enter the password one, two or three times again wrongly, it will increase accountable, so you may be already have that on your Android or iOS smart smartphone or.

177
00:23:46.170 –> 00:23:54.630
Sebastien Perusat: Bad well if you enter your password to often it will delays, an x Ray would add even more than X sweater etc so that’s something that we already covered there too.

178
00:23:55.650 –> 00:24:01.680
Sebastien Perusat: And just because I made that mistake on BitLocker in the early days.

179
00:24:02.700 –> 00:24:14.910
Sebastien Perusat: BitLocker is at least it wasn’t that time what tested it on American layout so I had not a PIN but we pass a full the BitLocker and the puzzle that was containing some specific characters.

180
00:24:15.690 –> 00:24:19.320
Sebastien Perusat: And it was just locked out because I didn’t think about this American layout.

181
00:24:19.950 –> 00:24:26.610
Sebastien Perusat: That’s not the case here; the IGEL operating system is such an intelligent, I must say, that you have already.

182
00:24:27.030 –> 00:24:33.720
Sebastien Perusat: on the screen and drop down menu, where you can choose every keyboard layout that’s in our operating system.

183
00:24:34.260 –> 00:24:44.460
Sebastien Perusat: No matter if it was configured in a profile or not that’s not the case, just call everything, because you might connect you, with your pocket to the device, where I don’t know Chinese that keyboard isn’t.

184
00:24:45.030 –> 00:24:52.860
Sebastien Perusat: Connected okay training might not be the best a better limitless a DNS or Swedish of Canadian layout.

185
00:24:53.880 –> 00:25:04.620
Sebastien Perusat: And you might fail because you don’t have your typical characters, that’s something that we covered, and then you might ask what about touchscreens, it’s all there too, so you already have the ability to open.

186
00:25:06.120 –> 00:25:08.850
Sebastien Perusat: A touch screen keyboard there so that’s pretty cool.

187
00:25:11.700 –> 00:25:19.470
Patrick Toner: So you know we talked earlier said about it’s not a fit everywhere, like one to one you know it’s got to be a one to one device so.

188
00:25:20.040 –> 00:25:29.880
Patrick Toner: What would your recommendation be for you know, an organization, where they say Okay, we want our work from home users that use this feature, but all of our on site thin clients.

189
00:25:30.870 –> 00:25:39.600
Patrick Toner: You know they’re they’re going to be just you know, no, no, no, local encryption they’re sharing maybe they’re doing hoteling they’re sharing devices what’s your what’s your suggestion there.

190
00:25:42.000 –> 00:25:49.380
Sebastien Perusat: Of that’s a tough topic obviously I’m which kind of specific use case way to think about that well in that case.

191
00:25:49.800 –> 00:25:58.020
Patrick Toner: Well, you know, I’m thinking like, if you, so I guess, if you, so this is set by profile, right, so you could, you could in theory separate this out.

192
00:25:59.220 –> 00:26:07.470
Patrick Toner: You know, by directory, right? So if you have work-from-home users, let’s say 200 work-from-home users, you could just only implement this for those hundred, correct?

193
00:26:07.800 –> 00:26:08.760
Sebastien Perusat: yeah absolutely.

194
00:26:09.210 –> 00:26:09.870
Absolutely.

195
00:26:11.460 –> 00:26:15.150
Sebastien Perusat: That’s if someone might be interested in that approach.

196
00:26:15.750 –> 00:26:26.460
Sebastien Perusat: We have a couple of features inside of the IGEL management platform which are called default directory rules, it’s just one example, but we have a couple of other products that might be the most common one.

197
00:26:26.940 –> 00:26:33.600
Sebastien Perusat: And thing as soon as a teddy worker is studying his device when I speak about the device and continue studying with device.

198
00:26:34.050 –> 00:26:50.460
Sebastien Perusat: It will usually connect via the ICG, so the IGEL Cloud Gateway, which creates a connection between Alto devices and your internal your mess measurement system so from there, you can say if the devices started the other nice EG don’t put that don’t put that.

199
00:26:51.480 –> 00:27:00.840
Sebastien Perusat: Specific policy on or, if you want to you can activate it there are saying, if the devices holding a public IP address and do that.

200
00:27:02.100 –> 00:27:03.750
Sebastien Perusat: So yes, got it.

201
00:27:05.610 –> 00:27:17.190
Andy Whiteside: He said how likely and capable, is it How likely is it somebody want to unencrypted How likely is it how capable, is it of unencrypted.

202
00:27:19.980 –> 00:27:31.740
Sebastien Perusat: Will not say that it’s impossible, because nothing is impossible in the IT world, but it’s highly improbable for standard persons like you and I.

203
00:27:32.670 –> 00:27:42.960
Sebastien Perusat: If you’re using extremely powerful in via decryption systems which are used by intelligence etc by army intelligence and.

204
00:27:43.530 –> 00:27:49.950
Sebastien Perusat: Also, obviously it can take a few days and then you’re you’re out, but we still have to think about the aspect.

205
00:27:50.520 –> 00:27:58.590
Sebastien Perusat: What would be the use case the person would have them an operating system, which is still secure what’s the password the password our.

206
00:27:59.040 –> 00:28:06.360
Sebastien Perusat: hash are encrypted where the configuration and data is not stored locally, but still on your Citrix farm so.

207
00:28:07.260 –> 00:28:23.820
Sebastien Perusat: Even there if someone would really want to do that in mind, definitely, but I would say that the amount of time and effort that he needs to deliver to do that is not in relation to what you would get but it’s it would definitely be a toy, yes, so it is not impossible, but highly improbable.

208
00:28:24.180 –> 00:28:39.930
Andy Whiteside: And the reality of is probably going to want to just factory reset or not reset but actually related to the device any way to overcome that yeah exactly he quick quick one off you guys should make this wallpaper you have here part of the IGEL OS built in wallpapers.

209
00:28:41.580 –> 00:28:42.360
Yes, pretty sweet.

210
00:28:43.500 –> 00:28:57.120
Andy Whiteside: Maybe I’ll describe it for people who may be listening at some point: it’s some Vikings, it looks like cartoonish Vikings throwing Windows and Apple and other operating systems off the side of a cliff because they just don’t need them anymore.

211
00:28:58.440 –> 00:29:05.850
Sebastien Perusat: If it was one of the first wallpapers I use an unknown seven years ago, something that when I had to.

212
00:29:06.240 –> 00:29:11.220
Sebastien Perusat: Do Internet trainings and, since then, if I don’t have to do something with a specific partner.

213
00:29:11.610 –> 00:29:20.340
Sebastien Perusat: We have to put them the logo etc in my my room and I’m using just something more fun because they’re mostly speaking to people to achieve folks to administrators.

214
00:29:21.090 –> 00:29:28.680
Sebastien Perusat: Will alike in such kind of jokes and mostly are not obviously some really Windows or Mac related so it’s always fun to see that.

215
00:29:31.380 –> 00:29:34.080
Andy Whiteside: yeah if you would share that with us that’d be awesome I love, now that one so.

216
00:29:34.140 –> 00:29:34.770
Sebastien Perusat: Oh yeah sure.

217
00:29:35.310 –> 00:29:40.290
Andy Whiteside: you’re in a section of the video called debugging what, why are you here, why are you doing this.

218
00:29:42.180 –> 00:29:57.120
Sebastien Perusat: Just for one simple reason: every encryption step holds also some risks, nothing will happen on an encryption without having a small piece of, yeah, of danger.

219
00:29:57.870 –> 00:30:02.970
Sebastien Perusat: So the first thing that I would like to mention to every listener is.

220
00:30:03.840 –> 00:30:21.900
Sebastien Perusat: There already all the use cases where it’s extremely important to have time and date set properly, the network time protocol, so-called NTP, there are plenty of them, from certificate verification code communication ICG, so the IGEL Cloud Gateway configuration and use it.

221
00:30:22.920 –> 00:30:33.300
Sebastien Perusat: But never forget that you also have a BIOS or UEFI where you have also time and date set locally, and I wouldn’t say it’s happened 10,000 times, that would be a lie.

222
00:30:34.170 –> 00:30:39.240
Sebastien Perusat: But I had one time situation, the Community where, after setting the password.

223
00:30:39.780 –> 00:30:50.550
Sebastien Perusat: correctly, the device couldn’t be decrypted because of time and date on the BIOS was just wrapped up, so it was I don’t know something like 2004 and February, when wasn’t July so.

224
00:30:50.910 –> 00:31:01.050
Sebastien Perusat: Nothing was good, we suspect that the CMOS battery was done and wasn’t able to hold the actual data and configurations justice fiction.

225
00:31:01.500 –> 00:31:11.880
Sebastien Perusat: So that’s something that I’m trying to teach in the video which kind of debugging steps, I will try to follow as someone is asking what can I do if it fails, I mean.

226
00:31:12.360 –> 00:31:24.990
Sebastien Perusat: you’re not in most cases, you might not recover the device, we have a few of them, we might work, but in most cases, you would do you would just know where it happened, and we are with issues coming from.

227
00:31:27.030 –> 00:31:34.530
Andy Whiteside: Okay, so anything specific that call out in the motions of watching walking through it now.

228
00:31:36.630 –> 00:31:39.600
Andy Whiteside: you’re going to factory default you’re just nuking it basically right.

229
00:31:40.470 –> 00:31:48.810
Sebastien Perusat: Right, so we have already the ability to check in the pre boot authentication method which steps are done before it fails.

230
00:31:49.290 –> 00:32:01.140
Sebastien Perusat: So that’s why already covered another tutorial with you guys the verbose boot which is giving where the IGEL system is just showing a black screen or showing a logo.

231
00:32:01.680 –> 00:32:18.300
Sebastien Perusat: There’s stuff happening behind the scenes, obviously, because it’s not just showing a black display we are showing something in the background and to get that specific kind of information you have to move beyond the actual operating system boot menu, which was the key escape on your keyboard.

232
00:32:19.320 –> 00:32:26.010
Sebastien Perusat: There we had to start into the verbose boot and you would see if something before the passwords critics showing up.

233
00:32:26.850 –> 00:32:34.920
Sebastien Perusat: tells you something I mean there was no real recommendation that I have just check that maybe you will find something that leads to an error.

234
00:32:35.400 –> 00:32:46.470
Sebastien Perusat: And from there, you can also enter the password from the command line perspective, so it has a little bit to better understand where the device hangs or even if, after the encryption.

235
00:32:47.490 –> 00:32:56.400
Sebastien Perusat: password entry the device will not boot, that might also be the case, that’s where the verbose boot would definitely help you to find the root cause of the issue.

236
00:32:58.710 –> 00:33:05.490
Patrick Toner: You got me thinking to hear said so and so you’re saying on a kind of a similar on a related but different note.

237
00:33:05.880 –> 00:33:17.640
Patrick Toner: If somebody wants to reset this to factory default what happens first do they get prompted with the boot decryption first, or are they able to reset to factory default and then, if they get to their doesn’t prompt them for that password.

238
00:33:18.780 –> 00:33:26.790
Sebastien Perusat: Unfortunately, you cannot reset it to factory defaults on there, so you will still be asked for the pre boot authentication password.

239
00:33:27.390 –> 00:33:30.990
Sebastien Perusat: The broken one is the first thing I tried to be honest, because I just wanted to know.

240
00:33:31.020 –> 00:33:43.230
Sebastien Perusat: How, how does it work and then case even the recovery path of that you can use for the administrator password international presence will not work so that’s where we have to rely on the refreshing.

241
00:33:44.610 –> 00:33:49.770
Patrick Toner: So that’s booting to an OSC creator stick, yep, and totally flashing, okay.

242
00:33:50.070 –> 00:33:50.400
Yes.

243
00:33:54.840 –> 00:33:57.840
Andy Whiteside: I said what’s left in the video see if I go here.

244
00:33:58.770 –> 00:34:06.030
Sebastien Perusat: We are almost done, he said, one thing because we spoke all the time about activating the feature, but what about deactivating it.

245
00:34:07.800 –> 00:34:11.340
Sebastien Perusat: You might have a situation where you tested it and you want to disable the setting.

246
00:34:12.600 –> 00:34:14.550
Sebastien Perusat: So just removing the profile.

247
00:34:15.600 –> 00:34:28.320
Sebastien Perusat: would not be enough for the reason that we mentioned the beginning of the story, the standard setting is usually keep So even if you created a profile somewhere where you activate the standard setting it will just keep rockin and cookie.

248
00:34:29.490 –> 00:34:34.320
Sebastien Perusat: So my recommendation is low locally or insert a profile saying.

249
00:34:35.400 –> 00:34:43.920
Sebastien Perusat: Where you activate as a feature where you said, instead of keep activate and deactivate save a sense of progress of the endpoint.

250
00:34:44.430 –> 00:34:54.240
Sebastien Perusat: And the same manner, like the pop up showed up for the encryption password entry the user will get a notification saying hey you want to decrypt.

251
00:34:54.630 –> 00:35:10.050
Sebastien Perusat: Your brain aneurysm no big deal does enter your password to be sure that you’re allowed to Bam and then the decryption process is starting and then the same recommendations are applying be careful to not pull off your device or just breaking it off, and then you are good.

252
00:35:12.210 –> 00:35:16.080
Andy Whiteside: And Kim between the two you smart guys tell me a situation where you think.

253
00:35:17.190 –> 00:35:19.380
Andy Whiteside: That would ever happen, where they actually tried has decrypted.

254
00:35:23.130 –> 00:35:23.940
Sebastien Perusat: Whatever if you first.

255
00:35:25.050 –> 00:35:27.510
Patrick Toner: say no, you know you never know right there’s customers out there.

256
00:35:27.510 –> 00:35:35.760
Patrick Toner: They you know, maybe the user start complaining they don’t like doing this, every time and they say you know what we’re going to just remove the setting and.

257
00:35:36.540 –> 00:35:46.650
Patrick Toner: You know so to do that, it sounds like said they would have to push the profile to deactivate and each user would have to enter the password one final time correct gotta.

258
00:35:47.220 –> 00:35:48.930
Patrick Toner: I could see that I can see that by now for sure.

259
00:35:49.920 –> 00:35:52.980
Andy Whiteside: It maybe they got through their security audit now they want to unencrypted those.

260
00:35:54.480 –> 00:35:56.940
Patrick Toner: They checked the box now now they gonna.

261
00:35:57.120 –> 00:35:59.850
Andy Whiteside: We laugh, but I am certain that’s happened sometimes.

262
00:35:59.910 –> 00:36:00.540
Sebastien Perusat: That might be.

263
00:36:01.440 –> 00:36:09.180
Sebastien Perusat: Alright, I would say what what does add maybe some performance issues that you’re facing maybe and you want to be sure that it’s not related to.

264
00:36:09.630 –> 00:36:18.060
Sebastien Perusat: Local encryption process which is taking, which is not the case, but not taking too much performance I don’t know that might be also one approach so yeah.

265
00:36:18.930 –> 00:36:19.530
Sebastien Perusat: You should.

266
00:36:19.920 –> 00:36:30.210
Andy Whiteside: You I think you talked about the performance required to encrypt it is there a performance degradation that we should expect for using an encrypted system.

267
00:36:32.430 –> 00:36:50.580
Sebastien Perusat: That’s a really good question, I must say that I didn’t notice anything but I’m mostly working in virtual environments even my you discern but it’s still quite powerful device I didn’t see something like that, if you ask me just myself just my my stomach feeling.

268
00:36:51.660 –> 00:37:03.030
Sebastien Perusat: If you’re using the UD2, the IGEL UD2, I would maybe avoid to use that there just because the device are already quite thin in terms of performance.

269
00:37:03.600 –> 00:37:12.570
Sebastien Perusat: And if you’re using any kind of unified communication optimizations the device is already at 100% CPU and RAM usage not exactly what most cases.

270
00:37:13.110 –> 00:37:21.810
Sebastien Perusat: So that’s something that wouldn’t do that, since the device encryption mostly hits OSC or UD Pocket devices.

271
00:37:22.260 –> 00:37:34.110
Sebastien Perusat: I must say that nearly every device which is a standard laptop shouldn’t shouldn’t see any kind of have to have degradation, but that’s a good question that I count on that 100% at the moment.

272
00:37:34.710 –> 00:37:38.730
Andy Whiteside: In theory, there has to be some, but whether it’s noticeable about human being.

273
00:37:39.030 –> 00:37:51.480
Andy Whiteside: Yeah, that’s the question, especially in a scenario where you’re maybe connecting to a Citrix, VMware, Microsoft and you have this middle layer which is really absorbing most of the heavy lifting, you probably shouldn’t even notice.

274
00:37:52.110 –> 00:37:53.010
Sebastien Perusat: yeah I agree.

275
00:37:54.210 –> 00:37:57.030
Andy Whiteside: Patrick any a take on that one.

276
00:37:57.270 –> 00:38:02.130
Patrick Toner: yeah I agree, I mean I was thinking you know, in theory, you should have more of a.

277
00:38:03.510 –> 00:38:09.660
Patrick Toner: You know degradation in performance if it’s a fat client right and if you’re if you’re doing all of your data is local your workloads are local.

278
00:38:11.280 –> 00:38:24.570
Patrick Toner: Yeah, I’d imagine you’re, you know, you’re going to see it more there, but because I just connecting the Center so it’s connecting to VMware, you know, add, whatever, the workload is being done somewhere else, it’s really just kind of streaming that experience to you, yeah.

279
00:38:25.170 –> 00:38:30.900
Andy Whiteside: yeah I mean it’s an asynchronous solution there is impact on the endpoint side, whether it’s noticeable.

280
00:38:32.460 –> 00:38:33.390
Andy Whiteside: don’t know Probably not.

281
00:38:34.740 –> 00:38:45.090
Andy Whiteside: supposed to be using a machine to begin with, for using that 18 year old device it every once in a while someone will try to convert aka me improve it still works, you might notice it then.

282
00:38:47.400 –> 00:38:55.950
Andy Whiteside: And going back to some of the original comments, it’s read only to begin with, it has very little data local to begin with, you know, don’t just turn it on because you can.

283
00:38:57.120 –> 00:39:01.860
Andy Whiteside: Consider not turning it on unless you need to turn it on yeah yeah.

284
00:39:02.130 –> 00:39:02.820
Sebastien Perusat: he’s a tight.

285
00:39:03.390 –> 00:39:20.880
Andy Whiteside: Guys, that’s kind of a wrap. I appreciate you joining and helping with this topic, always good, so been extremely thankful that you show up every time with something timely and important to cover; it makes my life easy and makes the podcast relevant.

286
00:39:21.690 –> 00:39:22.530
Sebastien Perusat: My pleasure guys.

287
00:39:23.940 –> 00:39:25.470
Andy Whiteside: With that will wrap it up, have a good week.

288
00:39:26.580 –> 00:39:26.730
Sebastien Perusat: You.

289
00:39:26.850 –> 00:39:27.180
Sebastien Perusat: guys.

290
00:39:27.210 –> 00:39:28.290
you’re going to see you soon.
