Configuring Check Point Full Disk Encryption
Check Point® Full Disk Encryption is supported on Microsoft® Windows® endpoint computers with an Imprivata single-user computer or Imprivata shared kiosk workstation agent.
NOTE: Although no additional Imprivata or Check Point Full Disk Encryption configuration is required to support authentication management, all endpoints must be encrypted before Imprivata agents are deployed.
Imprivata Enterprise Access Management (formerly Imprivata OneSign) desktop authentication supports a Full Disk Encryption blade that is configured with or without pre-boot authentication:
- When pre-boot authentication is enabled, Check Point authenticates the user before loading the operating system. By default, Check Point enables SSO, which streamlines the desktop authentication workflow. See Desktop Authentication Workflows with Check Point SSO Enabled and Desktop Authentication Workflows with Check Point SSO Disabled.
NOTE: If you need to disable Check Point SSO, see the following Check Point solution.
- When pre-boot authentication is disabled, there is no user interaction with Check Point; the trade-off is that Check Point no longer authenticates the user before the operating system loads.
After the Windows desktop opens, Check Point disk encryption does not affect the Imprivata login/logout workflow or the desktop lock/unlock functionality.
Prerequisites
Support for Check Point Full Disk Encryption requires the following minimum versions:
- Endpoint Security Management Server R77.20 or later.
- Endpoint Security Clients E80.51 or later installed on the Windows endpoint computers.
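As an added example (not Imprivata or Check Point code), the following Python script applies the two version prerequisites and the rule stated earlier on this page, that every endpoint must already be encrypted before the Imprivata agent is deployed, to a constructed inventory. The inventory format and its field names are assumptions for illustration, not a real Check Point or Imprivata export. The practical point it shows is that Check Point version strings such as E80.51 have to be compared numerically, not as text.

```python
"""Pre-deployment gate for Imprivata agents on Check Point FDE endpoints.

Added example, not Imprivata or Check Point code. The inventory below is
constructed and its field names (hostname, os, client_version,
fde_active) are assumptions for illustration, not a real export format.
"""
import re
from typing import Dict, List, Tuple

# Minimum versions stated in the prerequisites above.
MIN_SERVER = "R77.20"   # Endpoint Security Management Server
MIN_CLIENT = "E80.51"   # Endpoint Security client on the Windows endpoint

# Check Point version strings: a letter prefix (E = client, R = server)
# followed by major.minor, e.g. E80.51, R77.20.
_VERSION_RE = re.compile(r"^[ER](\d+)\.(\d+)$")


def parse_version(text: str) -> Tuple[int, int]:
    """Turn 'E80.51' or 'R77.20' into a comparable (major, minor) tuple.

    Compare the numeric parts, not the strings: as text 'E80.51' sorts
    after 'E80.100', so a string comparison inverts the check as soon as
    the minor numbers differ in digit count.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Check Point version string: {text!r}")
    return int(match.group(1)), int(match.group(2))


def meets_minimum(version: str, minimum: str) -> bool:
    """True when version is equal to or newer than minimum."""
    return parse_version(version) >= parse_version(minimum)


def gate_endpoints(server_version: str, endpoints: List[Dict]) -> Dict[str, List[str]]:
    """Split endpoints into those that may receive the Imprivata agent now
    and those that are blocked, with the reason for each block."""
    if not meets_minimum(server_version, MIN_SERVER):
        # An old management server blocks every endpoint until it is upgraded.
        reason = f"management server {server_version} is below {MIN_SERVER}"
        return {"eligible": [], "blocked": [f"{e['hostname']}: {reason}" for e in endpoints]}

    eligible: List[str] = []
    blocked: List[str] = []
    for e in endpoints:
        reasons = []
        if not e["os"].lower().startswith("windows"):
            reasons.append(f"unsupported OS {e['os']}")
        try:
            if not meets_minimum(e["client_version"], MIN_CLIENT):
                reasons.append(f"client {e['client_version']} is below {MIN_CLIENT}")
        except ValueError as exc:
            reasons.append(str(exc))
        if not e["fde_active"]:
            # The page requires the disk to be encrypted before the agent is deployed.
            reasons.append("disk not yet encrypted")
        if reasons:
            blocked.append(f"{e['hostname']}: " + "; ".join(reasons))
        else:
            eligible.append(e["hostname"])
    return {"eligible": eligible, "blocked": blocked}


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_ENDPOINTS = [
    {"hostname": "ws-101", "os": "Windows 10", "client_version": "E80.62", "fde_active": True},
    {"hostname": "ws-102", "os": "Windows 10", "client_version": "E80.50", "fde_active": True},
    {"hostname": "ws-103", "os": "Windows 10", "client_version": "E81.00", "fde_active": False},
    {"hostname": "mac-01", "os": "macOS 12", "client_version": "E80.62", "fde_active": True},
]

if __name__ == "__main__":
    result = gate_endpoints("R77.30", SAMPLE_ENDPOINTS)
    print("eligible:", result["eligible"])
    for line in result["blocked"]:
        print("blocked:", line)
```

Run against the constructed inventory, only ws-101 is eligible: ws-102 runs a client below E80.51, ws-103 is not yet encrypted, and mac-01 is not a Windows endpoint. Feeding a management server version below R77.20 blocks every endpoint regardless of their client state.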
Desktop Authentication Workflows with Check Point SSO Enabled
By default, Check Point enables single sign-on for user authentication, which streamlines the desktop authentication workflow.
NOTE: The following workflows apply to a Check Point deployment that is synchronized with the same user directory (domain controller) as the Imprivata appliance.

When Check Point SSO is enabled, the user logs into a Windows endpoint computer once:
- The Windows endpoint computer starts.
- The user enters the Check Point credentials in the Full Disk Encryption User Account Identification dialog. SSO Active is selected.
- Check Point authenticates the user. The Logon Successful dialog opens.
- The user clicks Continue.
- The Windows desktop opens.
After the desktop opens, Imprivata Enterprise Access Management continues to manage the desktop lock and unlock functionality.

When Check Point SSO is enabled, the user logs into a Windows shared kiosk workstation twice:
- The Windows endpoint computer starts.
- The user enters the Check Point credentials in the Full Disk Encryption User Account Identification dialog. SSO Active is selected.
- Check Point authenticates the user. The Logon Successful dialog opens.
- The user clicks Continue.
- The locked Windows desktop opens.
- The user logs in to Imprivata Enterprise Access Management with a user name and password, proximity card, fingerprint, or ID token.
- The Windows desktop opens.
After the desktop opens, Imprivata Enterprise Access Management continues to manage the desktop lock and unlock functionality.
Desktop Authentication Workflows with Check Point SSO Disabled
If Check Point SSO is disabled, the number of times a user must log into the endpoint computer increases.
NOTE: The following workflows apply to a Check Point deployment that is synchronized with the same user directory (domain controller) as the Imprivata appliance.

When Check Point SSO is disabled, the user logs into a Windows single-user endpoint computer twice:
- The Windows endpoint computer starts.
- The user enters the Check Point credentials in the Full Disk Encryption User Account Identification dialog. SSO Active is not selected.
- Check Point authenticates the user. The Logon Successful dialog opens.
- The user clicks Continue.
- The user logs into Imprivata Enterprise Access Management with a user name and password, proximity card, fingerprint, or ID token.
- The Windows desktop opens.
After the desktop opens, Imprivata Enterprise Access Management continues to manage the desktop lock and unlock functionality.

When Check Point SSO is disabled, the user logs into a Windows shared kiosk workstation three times:
- The Windows endpoint computer starts.
- The user enters the Check Point credentials in the Full Disk Encryption User Account Identification dialog. SSO Active is not selected.
- Check Point authenticates the user. The Logon Successful dialog opens.
- The user clicks Continue.
- The user enters the Windows domain credentials.
- The user logs into Imprivata Enterprise Access Management with a user name and password, proximity card, fingerprint, or ID token.
- The Windows desktop opens.
After the desktop opens, Imprivata Enterprise Access Management continues to manage the desktop lock and unlock functionality.
Disabling Check Point Pre-Boot Authentication
When you disable Check Point pre-boot authentication, there is no user interaction with Check Point; the trade-off is that Check Point no longer authenticates the user before the operating system loads. Imprivata Enterprise Access Management authentication management functions normally.

- From the Endpoint Security Management Server, log into SmartConsole (SmartEndpoint).
- Click Policy.
- In the Actions column, click Authenticate user before OS loads (Pre-boot) > Do not authenticate user before OS loads (Not recommended).
- Review the warning message and click OK.
- On the Policy toolbar, click Save > Install Policy. Endpoint computers download the new policy at the next heartbeat interval or the next time users log in.