Groups - Symantec

User Administration Guide
Version 2.0
Table of Contents
I. Introduction
    Users
    Groups
    Workstations
    Applications
    Active Directory Integration
II. User Manager
    Adding, Activating, Deactivating and Deleting Users
    Adding Users to Groups
    Removing a user from a group
    Assign Authentication Method to user
    Enrolling User Authentication Method
    Enrolling Users with Fingerprint Biometrics
    Re-Enrolling Users Authentication Method
    Adding & Removing Applications from User Manager
    Adding User Application Credentials
III. Group Manager
    Creating a new Group
    Delete a Group
    Adding an Attribute to Groups
    Deleting Attributes from Groups
    Adding a user to a Group
    Removing a user from a Group
    Adding Applications to a Group
    Removing Applications from a Group
IV. Workstation Manager
    Adding a workstation to the PrivacyShell system
    Removing a workstation from the PrivacyShell system
    Add & Delete Groups from Workstations
    To delete a group from a workstation:
    Adding an Authenticator to a workstation
    Removing an Authenticator from a workstation
    Setting Authenticator Priority on the Workstation
V. Application Manager
    Adding a simple application
    Deleting an application
    Copy an existing Single Sign-on Application
    Add an Application to a group
VI. Authentication Manager
    Managing messages associated with different authenticators
    Managing challenge questions for PrivacyShell Password Manager
VII. Report Manager
    Generating Application Access Reports
    Generating Authentication Reports
    Generating Users Reports
VIII. System Manager
    Add a banner message
    Add Generic Workstation Account information
    Add user licenses
    Administrator Security
IX. Appendix
    Appendix A – Sample Challenge Questions:
I. Introduction
This document will explain how to add, delete and manage the basic building blocks
of a PrivacyShell installation:
- Users
- Groups
- Workstations
- Applications
Users, Groups and Workstations may be provided to PrivacyShell via integration
with Microsoft Active Directory (AD). General information from AD is populated
within the User, Groups and Workstation General Info tab. Other PrivacyShell
functionality for Users, Groups and Workstations is managed from within
PrivacyShell Administrator.
Users
A user cannot start a PrivacyShell session unless he/she has a user account in
PrivacyShell Administrator. A user account is comprised of four major components:
- General info – first name, last name, active/inactive, license type and
  expiration date.
- Groups – what group(s) the user is in defines which applications the user
  sees on the PrivacyShell desktop. In PrivacyShell, groups are most
  commonly used as application containers.
- Authenticators – to start a PrivacyShell session, a user has to pass
  through an authenticator. The most common authentication methods
  are entering a PrivacyShell user ID and password or using a fingerprint.
- Workspace – An administrator can give a user access to an application
  either by assigning the user to a group or by assigning an individual
  application to the user. If the application is a Single Sign On (SSO)
  application, the user’s user ID and password for that application are
  stored in their PrivacyShell user account.
Groups
In PrivacyShell, groups are most commonly used to give users access to the
applications in the group. For example, if all nurses need access to Meditech,
Outlook and Pyxis, create a group called NURSES, add those three applications to
the group and put all nurses in that group. By doing so, when a member of the
NURSES group starts a PrivacyShell session, he/she will see icons for only the
applications in the NURSES group. If your application distribution scheme is not as
simple, you may want to create many application groups and add users to these
groups based on the applications they need access to. If a user is a member of two
groups that contain the same application, the user will not see two icons for the
same application.
Workstations
Every PrivacyShell workstation must have both the PrivacyShell software installed
on it and a workstation record in PrivacyShell Administrator. The
workstation record contains the following components:
- General information – workstation name, idle time timeout and available
  printers.
- Groups – Unless you are using Meditech Magic or another application that
  cannot detect that a user has roamed to a new workstation, you will not
  need to add workstations to groups.
- Authenticators – Workstation authenticators are the ways in which a user
  is able to start a PrivacyShell session on that particular workstation. The
  most common authenticators are user ID/password and fingerprints.
Applications
In its simplest form, an application in PrivacyShell Administrator is no more
complex than a Windows shortcut. It points to the location of the application
executable on the PrivacyShell server. The path to the executable is saved when an
application is created in PrivacyShell Administrator by any administrator. If the
application is also a Single Sign On (SSO) application, meaning that PrivacyShell
will remember the user’s ID and password, then setting up the application is more
complex and will be done by nSuite.
Active Directory Integration
PrivacyShell 2.0 contains integration links to Microsoft Active Directory and links
Users, Groups and Workstations listed in Active Directory within PrivacyShell.
Integration with Active Directory links the User’s Active Directory Credentials with
PrivacyShell for user login and authentication. Likewise, Groups and Workstations
are extracted from Active Directory and are utilized for assigning PrivacyShell
functionality to the particular Groups and Workstations.
The greatest benefit to the PrivacyShell Users and Administrators from Active
Directory integration is that all users, groups and workstations are imported from
the Active Directory into PrivacyShell to leverage the existing Active Directory
hierarchies. All relationships for Users, Groups and Workstations imported from
Active Directory are fully accessible within PrivacyShell Administrator and are found
in PrivacyShell Administration under the customer domain folder established during
installation.
Functionality described in this guide for User, Group and Workstation sections is still
applicable for PrivacyShell installations integrated with Active Directory.
nSuite has developed a best practice recommendation to use Active Directory for
managing Users, Groups and Workstations and simply extract that information for
use within PrivacyShell. All Users, Groups and Workstations should first be created
in Active Directory and extracted to PrivacyShell. The only changes allowed within
PrivacyShell are password changes, and they will be immediately recorded
in Active Directory.
II. User Manager
Use the User node of PrivacyShell Administrator to:
- Add, Activate, Deactivate and Delete users.
- Add users to groups.
- Remove groups from users.
- Assign an Authentication method to a user.
- Enroll a user’s authentication method.
- Enroll a user with Fingerprint Biometrics.
- Add & Delete Applications to/from a User Profile.
- Add a user’s Application Credentials.
If PrivacyShell is integrated with Microsoft Active Directory, the entire Active
Directory hierarchy of folders may be found within PrivacyShell Administrator under
the customer domain folder established during installation. The User node is
replaced by the Active Directory folders located within the customer domain folder
in PrivacyShell Administrator. Active Directory Users are listed within the customer
domain folder.
A PrivacyShell best practice is to add new Users to Active Directory first, before
assigning functionality to the Users within PrivacyShell Administrator.
Adding, Activating, Deactivating and Deleting Users
1. Click the Users node in the console tree of PrivacyShell Administrator
and click <add user>; OR
2. Click the PrivacyShell Icon; enter the user’s login ID; click ‘Find’ and
click on the User link.
3. Enter the user’s Login ID, First Name and Last Name (pre-populated from AD).
4. Enter ‘Login Startup App Name’ under the Workspace tab to launch a
specific application every time this user starts a new PrivacyShell
session.
5. Check ‘Deny Remote Drive Mapping’ on the Workspace tab to block the
user from accessing the workstation’s local drives.
6. To Activate a user, click the Active check box.
7. Enter Effective Date Start & End (optional)
8. Check the appropriate license that the user will need.
9. Configure as Default: only applicable for early release of PrivacyShell
Remote. Do not select this box unless advised by nSuite.
10. Click ‘Add’. Once the User is listed in PrivacyShell, any changes may be
made by changing the appropriate data, and click ‘Update’.
11. To Deactivate a User, uncheck the ‘Active’ check box; click ‘Update’
12. To Delete a User from PrivacyShell, click the ‘Delete’ button.
13. To end a User’s PrivacyShell session, click ‘Terminate User’s
Session(s)’ button.
Adding Users to Groups
Adding a user to a group gives the user access to the applications contained
in the group. The icons a user sees on his/her PrivacyShell desktop are all of
the applications that are contained in the groups he/she is a member of plus
individual applications that have been added to the user’s account.
1. Click the Users node in the console tree of PrivacyShell Administrator
and click on the user ID to change; OR
2. Click the PrivacyShell Icon; enter the user’s login ID; click ‘Find’ and
click on the User link.
3. Click on Groups tab
4. Select the group from Available Groups.
5. Click ‘Add’ and the group will be moved to the Assigned Groups list.
II–8
Removing a user from a group
To remove a user’s access to applications, remove the user from the group that
contains the applications. The next time the user starts a PrivacyShell session, the
user will not see that group’s application icons on his/her PrivacyShell desktop.
1. Click the Users node in the console tree of PrivacyShell Administrator
and click on the user ID to change; OR
2. Click the PrivacyShell Icon; enter the user’s login ID; click ‘Find’ and
click on the User link.
3. Click on Groups tab
4. Select desired group from the Assigned Groups menu
5. Click ‘Remove’ and the group will be moved to the Available Groups list
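Because a user's desktop shows every application in his/her groups plus any individually assigned applications (see "Adding Users to Groups"), an application can remain visible after a group is removed if another grant still provides it. The following sketch is an added example, not part of PrivacyShell or nSuite's software; the data model, function names, the PHARMACY group and the user jdoe are constructed for illustration, since this guide documents no export format or API.

```python
"""Model of the workspace rule described in this guide (added example).

Assumption: all structures and names here are hypothetical. They mirror the
Assigned Groups list and the Workspace tab of a user record, nothing more.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    login_id: str
    groups: set = field(default_factory=set)            # Assigned Groups
    individual_apps: set = field(default_factory=set)   # Workspace tab assignments


def effective_apps(user, group_apps):
    """Map each application the user sees to every grant that provides it.

    An application contained in two groups appears once (one icon), but each
    grant is recorded so an access review can see all of them.
    """
    grants = {}
    for group in sorted(user.groups):
        for app in group_apps.get(group, ()):
            grants.setdefault(app, []).append(f"group:{group}")
    for app in user.individual_apps:
        grants.setdefault(app, []).append("individual")
    return grants


def residual_access(user, group_apps, group_to_remove):
    """Applications of group_to_remove the user still sees after removal.

    Returns {application: [remaining grants]}; an empty dict means removing
    the group fully revokes that group's applications for this user.
    """
    after = User(user.login_id,
                 user.groups - {group_to_remove},
                 set(user.individual_apps))
    remaining = effective_apps(after, group_apps)
    return {app: remaining[app]
            for app in group_apps.get(group_to_remove, ())
            if app in remaining}


def revocation_plan(user, group_apps, app):
    """Every grant that must be removed before the user stops seeing app."""
    return effective_apps(user, group_apps).get(app, [])


# Constructed sample data. NURSES and its applications come from the guide's
# own example; PHARMACY, jdoe and the individual assignment are invented.
GROUP_APPS = {
    "NURSES": {"Meditech", "Outlook", "Pyxis"},
    "PHARMACY": {"Pyxis"},
}
JDOE = User("jdoe", groups={"NURSES", "PHARMACY"}, individual_apps={"Outlook"})


if __name__ == "__main__":
    print("Icons on desktop:", sorted(effective_apps(JDOE, GROUP_APPS)))
    for app, why in sorted(residual_access(JDOE, GROUP_APPS, "NURSES").items()):
        print(f"Still visible after leaving NURSES: {app} via {why}")
    print("To revoke Pyxis remove:", revocation_plan(JDOE, GROUP_APPS, "Pyxis"))
```

When an access review must confirm that an application is gone, check the user's other Assigned Groups and the Workspace tab as well as the group being removed.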
Assign Authentication Method to user
To start or rejoin a PrivacyShell session, a user has to authenticate to PrivacyShell.
A user’s authentication methods are the ways in which a user can gain access to
PrivacyShell.
1. Click the Users node in the console tree of PrivacyShell Administrator
and click on the user ID to change; OR
2. Click the PrivacyShell Icon; enter the user’s login ID; click ‘Find’ and
click on the User link.
3. Click on the Authenticators tab
4. Select Authenticator from Available Authenticators menu.
5. Click ‘Add’ and authenticator will be moved to the Assigned
Authenticators list.
Enrolling User Authentication Method
To allow a user to start using a particular authenticator, the user must first be
enrolled to use the selected authenticator. To enroll an authenticator:
1. Click the Users node in the console tree of PrivacyShell Administrator
and click on the user ID to change; OR
2. Click the PrivacyShell Icon; enter the user’s login ID; click ‘Find’ and
click on the User link.
3. Click on the Authenticators tab
4. Select one of the assigned authenticators from the Assigned
Authenticators list.
5. Click ‘Enroll User’
6. Follow the enrollment instructions given to you by the authentication
enrollment screens. For an example, see “Enrolling Users with Fingerprint
Biometrics” below.
7. To re-enroll users or change passwords in PrivacyShell, click the
authenticator in the Assigned Authenticators list, click ‘Re-enroll
User’ and follow the instructions for the authenticator selected.
Enrolling Users with Fingerprint Biometrics
Before a user can use his/her fingerprint to log in to PrivacyShell, first he/she must
enroll their fingerprint information in their user account through Enrollment.
To enroll an end user for fingerprint authentication:
1. Click the Users node in the console tree of PrivacyShell Administrator
and click on the user ID to change; OR
2. Click the PrivacyShell Icon; enter the user’s login ID; click ‘Find’ and
click on the User link.
3. Click on the Authenticator tab
4. Select appropriate Biometric Authenticator from the Assigned
Authenticators list.
5. Click ‘Enroll User’
6. Have the user place and remove two different fingers, three times each,
on the Biometric Device as requested by the enrollment screen.
Follow the instructions on the enrollment screens to capture the user’s
fingerprint image.
7. When enrollment is complete, a pop up window stating that the
enrollment was successful will appear.
Re-Enrolling Users Authentication Method
It is possible that the fingerprint that is stored in a user’s account is not clear
enough and the user may be having trouble authenticating with their fingerprint.
Dry or very small fingers can cause this. You may wish to re-enroll this user at a
later date or time or with a different finger so that the fingerprints in the
PrivacyShell database are clearer. To do so:
1. Click the Users node in the console tree of PrivacyShell Administrator
and click on the user ID to change; OR
2. Click the PrivacyShell Icon; enter the user’s login ID; click ‘Find’ and
click on the User link.
3. Click on the Authenticator tab
4. Select the authenticator from the Assigned Authenticators list that you
want to re-enroll.
5. Click ‘Re-Enroll User’ and follow the instructions for the authenticator
selected.
6. Have the user place and remove two different fingers, three times each,
on the Biometric Device as requested by the enrollment screen.
Follow the instructions on the enrollment screens to capture the user’s
fingerprint image.
7. When enrollment is complete, a pop up window stating that the
enrollment was successful will appear.
Adding & Removing Applications from User Manager
It is easiest to add and remove applications by adding or removing a user to or
from groups. But it is also possible to add or remove applications individually. To
do so:
1. Click the Users node in the console tree of PrivacyShell Administrator
and click on the user ID to change; OR
2. Click the PrivacyShell Icon; enter the user’s login ID; click ‘Find’ and
click on the User link.
3. Click on the Workspace tab
4. Select the application to add from the Available Applications list.
5. Click ‘Add’. Changes will appear at next login.
To delete an application:
1. Select Application in the Assigned Applications list to delete
2. Click ‘Delete’.
Adding User Application Credentials
Application credentials are only saved in a user profile for Single Sign On (SSO)
applications. An SSO application is one that PrivacyShell will log into automatically
once the user has provided his/her user ID and password once. To manually add or
change these credentials:
1. Click the Users node in the console tree of PrivacyShell Administrator
and click on the user ID to change; OR
2. Click the PrivacyShell Icon; enter the user’s login ID; click ‘Find’ and
click on the User link.
3. Click on the Workspace tab.
4. Select the application whose credentials you want to add or change from
the Assigned Applications list.
5. Enter User ID in Login UID Field
6. Enter Password in Login Password Field
7. Enter Password in Confirm Login Password Field
8. Click ‘Update’
The next time a user starts this application in PrivacyShell, the credentials
that were just entered will be passed to the application.
III. Group Manager
Use the Group node of PrivacyShell Administrator to:
- Create a Group within PrivacyShell.
- Delete a Group within PrivacyShell.
- Manage Group attributes.
- Add users to Groups.
- Delete users from Groups.
If PrivacyShell is integrated with Microsoft Active Directory, the entire Active
Directory hierarchy of folders may be found within PrivacyShell Administrator under
the customer domain folder established during installation. The Group node is
replaced by the Active Directory folders within the customer domain folder within
PrivacyShell Administrator. Active Directory Groups are listed within the customer
domain folder.
A PrivacyShell best practice is to add new Groups to Active Directory first, before
assigning functionality to the Groups within PrivacyShell Administrator.
Creating a new Group
In PrivacyShell, Groups are most commonly used as application containers. You
can create a Group to give Users access to applications. For example, you could
create a Group named Microsoft Office and put all the Office applications in the
Group. Then if you want to give Users access to Microsoft Office, just add the Users
to the group. The next time the Users log in, they will see the Office icons on their
PrivacyShell desktop.
To create a new Group:
1. Select the Group node in PrivacyShell Administrator.
2. Click on <add group>.
3. Enter Group Name in Group Name field.
4. Enter Description in Description field.
5. Click the ‘Add’ button.
Delete a Group
To delete a Group:
1. Select the Group node in PrivacyShell Administrator.
2. Select the Group to be deleted.
3. Click the ‘Delete’ button.
Adding an Attribute to Groups
To add attributes to groups:
1. Select the Group node in PrivacyShell Administrator and click on the
Group you want to manage. OR
2. Click the PrivacyShell Icon; enter the Group name; select Group from
the drop-down menu; click ‘Find’ and click on the Group link.
3. Select the General tab.
4. Select the attribute from the Available Attribute drop-down list.
5. Click the ‘Add’ button.
6. Available Attributes:
i. User – LastName; FirstName; Has Census; LoginStartup
ii. Workstation – UseSystemLogin; TSLogout; Mnemonic;
Printer; DenyPrintMapping; DisconnectMsgTime;
DefaultPrinter
Deleting Attributes from Groups
To delete an attribute for a Group:
1. Select the Group node in PrivacyShell Administrator and click on the
Group you want to manage. OR
2. Click the PrivacyShell Icon; enter the Group name; select Group from
the drop-down menu; click ‘Find’ and click on the Group link.
3. Select the General tab.
4. Place a check in the delete box associated with the attribute.
5. Click the ‘Update’ button.
Adding a user to a Group
1. Select the Group node in PrivacyShell Administrator and click on the
Group you want to edit. OR
2. Click the PrivacyShell Icon; enter the Group name; select Group from
the drop-down menu; click ‘Find’ and click on the Group link.
3. Select Users tab.
4. Select User from Available Users.
5. Click the ‘Add’ button.
Removing a user from a Group
1. Select the Group node in PrivacyShell Administrator and click on the
Group you want to edit. OR
2. Click the PrivacyShell Icon; enter the Group name; select Group from
the drop-down menu; click ‘Find’ and click on the Group link.
3. Select Users tab
4. Select user from the Assigned Users list.
5. Click the ‘Remove’ button
Adding Applications to a Group
To add an Application to a Group:
1. Select the Group node in PrivacyShell Administrator and click on the
Group you want to edit. OR
2. Click the PrivacyShell Icon; enter the Group name; select Group from
the drop-down menu; click ‘Find’ and click on the Group link.
3. Select Workspace tab
4. Select an application from Available Applications list
5. Click the ‘Add’ button.
Removing Applications from a Group
To remove an Application from a Group:
1. Select the Group node in PrivacyShell Administrator and click on the
Group you want to edit. OR
2. Click the PrivacyShell Icon; enter the Group name; select Group from
the drop-down menu; click ‘Find’ and click on the Group link.
3. Select Workspace tab
4. Select an application from Assigned Applications list.
5. Click the ‘Remove’ button.
IV. Workstation Manager
The Workstation node lets you add workstations to the PrivacyShell system,
assign authenticators to a workstation, set the workstation’s auto timeout and
determine which PrivacyShell desktop view will render on the workstation.
Use the Workstation node of PrivacyShell Administrator to:
- Add a workstation to the PrivacyShell system.
- Delete a workstation.
- Add Groups to Workstations.
- Add an Authenticator to a workstation.
- Delete an Authenticator from a workstation.
- Set Authenticator Priority on the Workstation.
If PrivacyShell is integrated with Microsoft Active Directory, the entire Active
Directory hierarchy of folders may be found within PrivacyShell Administrator under
the customer domain folder established during installation. The Workstation node is
replaced by the Active Directory folders within the customer domain folder within
PrivacyShell Administrator. Active Directory Workstations are listed within the
customer domain folder.
A PrivacyShell best practice is to add new Workstations to Active Directory first,
before assigning functionality to the Workstations within PrivacyShell Administrator.
Adding a workstation to the PrivacyShell system
If a workstation does not have a record in PrivacyShell Admin, it will not be able to
run PrivacyShell. During PrivacyShell workstation install, you will have the option
to let the install program create the workstation record automatically. The
workstation parameters are set according to an INI file in the installs\client folder
on the PrivacyShell server. To add a workstation to PrivacyShell Administrator
manually:
1. Click the Workstation node in PrivacyShell Administrator.
2. Select <add a workstation>.
3. Enter workstation name into Computer Name Field
4. Select ‘Full Shell Mode’ to activate Full Shell desktop view
5. Select ‘Remote Desktop Shell’.
6. Logout/Disconnect is the workstation idle time timeout in minutes. If
this is set to 15 then after 15 minutes of idle time on this workstation,
the PrivacyShell session will disconnect. This time may be adjusted for
each Workstation running PrivacyShell.
7. Configure as Default: only check this box for the workstation that will
be referenced for workstation settings for PrivacyShell Remote. Generally
the Remote Desktop Logout time is much shorter for PrivacyShell
Remote users.
8. Select ‘Use System Workstation Login’ – this will apply the Generic
Workstation Account settings to this workstation when the User logs in to
this workstation. See more about required PrivacyShell accounts in the
PrivacyShell Server installation instructions.
9. Remote Desktop Logout is the terminal server timeout in minutes.
Once a PrivacyShell session has been disconnected either by reaching the
idle timeout or by clicking the Disconnect button, the Remote Desktop
Logout timeout starts to count down. Once this time expires, the
disconnected session is terminated. This time may be adjusted for each
Workstation running PrivacyShell.
10. The Deny Remote Printer Mapping field, when unchecked, makes
network printers and local printers installed on the workstation available
in PrivacyShell. If the check box is selected (set to Deny), the
network and local printers installed on the workstation will not be
available in PrivacyShell.
PrivacyShell manages printers for workstations by selecting Deny
Remote Printer Mapping and listing in PrivacyShell the Default
Printer and any additional Printers for each workstation in PrivacyShell
Administrator (format is \\printserver\printername).
All printer drivers must be installed on the PrivacyShell servers in order
for PrivacyShell to manage individual printers for each workstation.
11. Display Disconnect Message is the number of seconds the disconnect
message is displayed when the User selects ‘Disconnect’. The message
will read: ‘This session will remain active for XX minutes.’ This message
is displayed for the number of seconds in the Display Disconnect Message
field.
12. Default Printer and Printer: enter printer name for PrivacyShell to
manage for each workstation (format \\printerserver\printername).
All printer drivers must be installed on the PrivacyShell servers in order
for PrivacyShell to manage individual printers for each workstation.
13. Click the ‘Update’ button.
Removing a workstation from the PrivacyShell system
To remove a workstation:
1. Select the Workstation node in PrivacyShell Administrator and click on
the Workstation you want to edit. OR
2. Click the PrivacyShell Icon; enter the Workstation name; select
‘Workstation’ from the drop-down menu; click ‘Find’ and click on the
Workstation link.
3. Select the workstation to be deleted.
4. Click the ‘Delete’ button.
Add & Delete Groups from Workstations
To add a Group to a Workstation:
1. Select the Workstation node in PrivacyShell Administrator and click on
the Workstation you want to edit. OR
2. Click the PrivacyShell Icon; enter the Workstation name; select
‘Workstation’ from the drop-down menu; click ‘Find’ and click on the
Workstation link.
3. Select Groups tab
4. In the Available Groups list, select which group you want to add the
workstation to
5. Click the ‘Add’ button.
To delete a group from a workstation:
1. Select the Workstation node in PrivacyShell Administrator and click on
the Workstation you want to edit. OR
2. Click the PrivacyShell Icon; enter the Workstation name; select
‘Workstation’ from the drop-down menu; click ‘Find’ and click on the
Workstation link.
3. Select the ‘Groups’ tab.
4. In the Assigned Groups list, select which group you want to delete
5. Click the ‘Remove’ button.
Adding an Authenticator to a workstation
In the workstation record, the authenticators in the Available Authenticators list are
the only ways in which a user can start a PrivacyShell session on this workstation.
The most common authenticators in this list are Password and Biometric. To add an
Authenticator to a workstation:
1. Select the Workstation node in PrivacyShell Administrator and click on
the Workstation you want to edit. OR
2. Click the PrivacyShell Icon; enter the Workstation name; select
‘Workstation’ from the drop-down menu; click ‘Find’ and click on the
Workstation link.
3. Select the ‘Authenticators’ tab.
4. Select Authenticator from Available Authenticators List
5. Click the ‘Add’ button.
Removing an Authenticator from a workstation
To Remove an Authenticator from a workstation:
1. Select the Workstation node in PrivacyShell Administrator and click on
the Workstation you want to edit. OR
2. Click the PrivacyShell Icon; enter the Workstation name; select
‘Workstation’ from the drop-down menu; click ‘Find’ and click on the
Workstation link.
3. Select the ‘Authenticators’ tab.
4. Select Authenticator from Assigned Authenticators List
5. Click the ‘Remove’ button.
Setting Authenticator Priority on the Workstation
When a user clicks LOGIN on a PrivacyShell workstation, the workstation will look to
its workstation record in PrivacyShell Administrator and find which of its available
authenticators is set to priority 1. If Password is set to priority 1, the user will see
a password prompt. If a biometric device is set to priority 1, then the user will be
prompted to provide his/her fingerprint to log in. If you are adding or removing an
authenticator, you may need to change the priority of an authenticator. To do so:
1. Select the Workstation node in PrivacyShell Administrator and click on
the Workstation you want to edit. OR
2. Click the PrivacyShell Icon; enter the Workstation name; select
‘Workstation’ from the drop-down menu; click ‘Find’ and click on the
Workstation link.
3. Select the ‘Authenticators’ tab.
4. In the Assigned Authenticators list, select an authenticator to set the
priority.
5. Select the priority in the Priority drop down menu.
6. Click the ‘Update’ button.
V. Application Manager
Adding a simple application
For simple applications that do not require user credentials, like Calculator or
Microsoft Word, adding a PrivacyShell application is no more complex than creating
a new shortcut icon on a Windows desktop. To add a simple application:
1. Open PrivacyShell Administrator and click Applications in the left margin.
2. Click <add application>.
3. Enter a name and description in the Name and Description fields. The name
will be used internally in PrivacyShell and the Description will be visible to
users.
4. Set TYPE to ‘EXE that doesn’t require login’. The other settings are for
adding applications that require login credentials.
5. Confirm ‘Disable password prompt’ and ‘Disable autogen password’
are unchecked. This will ensure Users will be prompted for password
changes from SSO applications.
6. If you don’t want to use the default icon for the application, check ‘Use
Icon File’ and enter a path or navigate to a BMP file in the Icon File field.
7. In the OS sections, find the section that corresponds to the OS of your
PrivacyShell server.
a. In the Executable field, enter the path or navigate to the application
executable on the PrivacyShell server. Environment variables are
allowed.
b. The command line is used if there are any additional parameters that
need to be entered after the executable. For example, if the full
command line to start your application was ‘c:\windows\calc.exe –u’
then enter ‘-u’ in the ‘command line’ field.
8. Click the ‘Add’ button.
9. Additional Fields for applications:
a. App Msg – displays a broadcast message when application is
launched. Select ‘View/Edit RTF’ and enter broadcast message to
be displayed. Select checkbox for Broadcast Message to enable.
To broadcast a message to all users, select the domain application
and create a message for that application, which will be displayed to
all Users.
b. Compatibility: executes an application as if the OS is Windows 2003.
Allowed values: WIN2000, WINXP, WIN95, WIN98, and NT4SP5.
c. Local Execute: Select checkbox to launch application on local
computer instead of running on PrivacyShell servers.
d. Remote Execute: Select checkbox to launch application on remote
computer instead of running on PrivacyShell servers.
e. Separate WOW: launches a 16-bit environment for an application.
f. Shell Execute: uses Windows ShellExecute command to launch
application – for applications that are not executables, but depend on
executables to launch.
g. Show Window: allowed values are normal, minimized, maximized –
passed to the startup of the application. Not applicable to all apps.
h. Start In Dir: used to start an application that uses DLLs
in other directories. Most applications have all components in the
application directory specified.
i. Map Network Drive: enables application to map to a network drive.
i. Select drive letter from dropdown menu.
ii. Enter Folder to map to within shared drive.
iii. Select credentials to access drive from another application, or
enter user name and password.
10. Select ‘Update’ to save any changes to the application in PrivacyShell
Administrator.
Deleting an application
To delete an application:
1. Select Applications in PrivacyShell Administrator
2. Click the application you wish to delete.
3. Click the ‘Delete’ button.
Copy an existing Single Sign-on Application
To copy an existing single sign-on application from an existing application:
1. Open PrivacyShell Administrator and click Applications in the left pane.
2. Click the application from the list of applications in the left pane.
3. Export the application by scrolling to the bottom and click on the
‘Export’ button – name and save the single sign-on file to the desktop.
4. Create the new application, following steps 3 & 4 in Adding a simple
application above.
5. Add any Credential sharing and save changes
6. Select ‘Import’, navigate to the existing single sign-on file to import.
7. Click ‘OK’ to import the file.
8. Click the ‘Update’ button.
Add an Application to a group
Groups are mostly used as application containers. If you have a new application
that you would like to give to a group of users, all you have to do is create the
application and add it to a group. The next time users in that group start a
PrivacyShell session, they will see an icon for the new application on their
PrivacyShell desktop.
To add an application to a group, refer to the section Adding an application to a
Group in the Groups Manager section, page III-20.
VI. Authentication Manager
In this section, we will introduce the most common Authentication Manager tasks
that administrators will execute. These are:
• Managing messages associated with different Authenticators.
• Managing challenge questions for PrivacyShell password manager.
Most of the items in this section are pre-set for Users and require NO
changes or modifications. Any changes or modifications may result in authenticators
not operating as configured when installed and may impact system performance.
Please do NOT change any settings other than those listed in the sections below.
Managing messages associated with different authenticators
System messages to prompt users for entering passwords and positioning fingers
for improved biometric performance are contained within this section of PrivacyShell
Administrator. Generally, these messages are not changed during an installation as
they provide adequate guidance to the Users during normal system operation.
To change the message to a User to prompt them to change their password:
1. Select ‘Authenticators’ in PrivacyShell Administrator in the left pane.
2. Select ‘Client’; Select ‘AUIs’; Select ‘Password’
3. Click ‘Attributes’
4. Select ‘View/Edit RTF’
5. Enter message to display to Users to change their password.
6. Click ‘OK’ and click ‘Update’
To change the messages to a User to position fingers for improved biometric
performance:
1. Select ‘Authenticators’ in PrivacyShell Administrator in the left pane.
2. Select ‘Client’; Select ‘AUIs’; Select ‘Sagem’
3. Click ‘Attributes’
4. Enter message to display to Users for particular message to improve
biometric performance.
5. Click ‘Update’
Managing challenge questions for PrivacyShell Password Manager
PrivacyShell contains a Password Manager capability to enable a User to change
their password without any assistance from a HelpDesk. This is accomplished by
capturing User specific information to Challenge Questions managed from
PrivacyShell Administrator for all system users. If the User is able to provide
answers matching their previously stored answers to their Challenge Questions, the
User will be able to change their password and enter PrivacyShell using the new
password. This feature is particularly helpful for PrivacyShell Remote Users if they
forget their current password and are able to reset their password by answering
their Challenge Questions correctly.
Once the Challenge Questions are entered – previously enrolled users will be asked
to answer the Challenge Questions. For new users – when they are enrolled they
will be asked to answer the challenge questions.
To add Challenge Questions to PrivacyShell for each user to answer to enable the
PrivacyShell Password Manager:
1. Select ‘Authenticators’ in PrivacyShell Administrator in the left pane.
2. Select ‘Server’; Select ‘Password’
3. Select the ‘Enroll Attributes’ tab
4. Enter questions for Users to answer for authenticating themselves
i. Enter as many questions as you would like. A sample list of Challenge
Questions is attached in Appendix A.
ii. A PrivacyShell Best Practice is to provide more Challenge Questions
for a User to answer than the minimum number of Challenge
Questions a User must answer.
5. Enter a value for “# of Challenge Questions for Pwd Reset:” – this
number corresponds to the number of questions a user MUST answer
during the enrollment process.
6. Click the ‘Update’ button.
7. Select the ‘Auth Attributes’ tab
8. Enter a value for ‘# of Challenge Questions for Pwd Reset:’ – this
number corresponds to the number of questions a user must answer
when attempting to reset their password. This number must be equal or
less than the number of Challenge Questions the User answered during
the enrollment process.
9. Click the ‘Update’ button.
VII. Report Manager
The Report Manager is a flexible reporting tool that captures User activity within
PrivacyShell. All reports track User activities and are generated from data compiled
within PrivacyShell. All Reports may be viewed within PrivacyShell Administrator or
may be exported to Microsoft Excel for further analysis.
In this section, we will introduce the most common Report Manager tasks that
administrators will execute. These are:
• Generating Application Access Reports
• Generating Authentication Reports
• Generating User Audit Data Reports
Generating Application Access Reports
This report generates Application Access history for all PrivacyShell Applications for
a specific period (Hourly, Daily, Monthly, Quarterly, Yearly). The report may be
customized to a specific time period, by Workstation, Login ID, by Pass/Fail, or a
combination of these settings.
To generate an Application Access Report:
1. Select ‘Reports’ in PrivacyShell Administrator in the left pane.
2. Select ‘Application Access’
3. Select the time period for the report (Daily, Detail, Hourly, Monthly,
Quarterly, Yearly)
4. Select specific criteria for specific report from the drop down menus
5. Click ‘Run Report’ (report will generate in a browser window) or click
‘Export to Excel’ (report will generate in Excel format)
Generating Authentication Reports
This report generates Authentication history for all PrivacyShell Users that
authenticate with PrivacyShell for a specific period (Hourly, Daily, Monthly,
Quarterly, Yearly). The report may be customized to a specific time period, by
Workstation, Login ID, by Pass/Fail, by Authenticator, or a combination of these
settings.
To generate an Authentication Report:
1. Select ‘Reports’ in PrivacyShell Administrator in the left pane.
2. Select ‘Authentication Report’
3. Select the time period for the report (Daily, Detail, Hourly, Monthly,
Quarterly, Yearly)
4. Select specific criteria for specific report from the drop down menus
5. Click ‘Run Report’ (report will generate in a browser window) or click
‘Export to Excel’ (report will generate in Excel format)
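As an added example (not part of the PrivacyShell guide or product), the script below shows one way to triage an Authentication Report after it has been exported to Excel and saved as CSV: it flags Login IDs with a burst of failed authentications and notes whether a Pass followed. The column names, timestamp format, sample rows and thresholds are assumptions made for this example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows. The column names and the timestamp format are
# assumptions for this example, not the product's documented export layout.
SAMPLE_EXPORT = """\
Timestamp,Workstation,Login ID,Authenticator,Result
2024-03-04 08:00:05,WS-ER-01,jdoe,Password,Pass
2024-03-04 08:01:10,WS-ER-02,asmith,Biometric,Fail
2024-03-04 08:01:20,WS-ER-02,asmith,Biometric,Pass
2024-03-04 09:15:00,WS-LAB-07,mlee,Password,Fail
2024-03-04 09:15:20,WS-LAB-07,mlee,Password,Fail
2024-03-04 09:15:45,WS-ICU-03,mlee,Password,Fail
2024-03-04 09:16:30,WS-ICU-03,mlee,Password,Fail
2024-03-04 09:17:05,WS-ICU-03,mlee,Password,Pass
"""

def flag_failure_bursts(export_text, threshold=4, window=timedelta(minutes=5)):
    """Return one finding per Login ID that reaches `threshold` failed
    authentications inside a sliding `window`."""
    events = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        when = datetime.strptime(row["Timestamp"], "%Y-%m-%d %H:%M:%S")
        events[row["Login ID"]].append((when, row))
    findings = []
    for login_id, rows in events.items():
        rows.sort(key=lambda item: item[0])
        fails = [(t, r) for t, r in rows if r["Result"].strip().lower() == "fail"]
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide left edge
                start += 1
            if end - start + 1 >= threshold:
                burst = fails[start:end + 1]
                last_fail = burst[-1][0]
                findings.append({
                    "login_id": login_id,
                    "failures": len(burst),
                    "workstations": sorted({r["Workstation"] for _, r in burst}),
                    "authenticators": sorted({r["Authenticator"] for _, r in burst}),
                    # A Pass right after a burst deserves a closer look.
                    "pass_after_burst": any(
                        r["Result"].strip().lower() == "pass"
                        and last_fail < t <= last_fail + window
                        for t, r in rows),
                })
                break  # report each Login ID once, when the threshold is reached
    return findings

if __name__ == "__main__":
    for finding in flag_failure_bursts(SAMPLE_EXPORT):
        print(finding)
```

Failures spread across several workstations for one Login ID, as in the constructed `mlee` rows, are the pattern the Workstation and Pass/Fail report filters help confirm.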
Generating Users Reports
This report generates User history for all PrivacyShell Users that authenticate with
PrivacyShell. Specific reports are available for Active Users, Enrolled Users and
period (Hourly, Daily, Monthly, Quarterly, Yearly). The report may be customized to
a specific time period, by Workstation, Login ID, by Pass/Fail, by Authenticator, or a
combination of these settings.
To generate a Users Report:
1. Select ‘Reports’ in PrivacyShell Administrator in the left pane.
2. Select ‘Users Report’
3. Select the specific report type (Active, Enrolled, User Audit Data)
4. Select specific criteria for specific report from the drop down menus
5. Click ‘Run Report’ (report will generate in a browser window) or click
‘Export to Excel’ (report will generate in Excel format)
VIII. System Manager
In this section, we will introduce the most common System Manager tasks that
administrators will execute. These are:
• Add a PrivacyShell banner message
• Add Generic Workstation Account User ID and Password to PrivacyShell
• Add user licenses
• Manage the modules individual PrivacyShell administrators have access to.
Add a banner message
The banner message will appear for all users in the top margin of the PrivacyShell
login box. Only one banner message at a time is active. All users will see this
banner message when they log in. To add a banner message:
1. Select ‘System Manager’ in PrivacyShell Administrator in the left pane
2. Select the ‘System Manager’ document
3. Click the ‘Edit’ button adjacent to Banner Message on the General Tab.
4. The Banner Edit Dialog window will appear as above. Click on ‘Add
New’ to access the Insert Message window
5. Enter banner message text in the New Text field. You can click FONT to
change the font, color and size of the characters.
6. Click OK when you are done.
7. In the Banner Edit Dialog box, you can change the speed and height of
the banner using the speed and height parameters. You can also change
the background color by clicking on the Background button and selecting
a color. When you are finished, click ‘OK’.
If a banner message exists, it will be displayed in the PrivacyShell login window. To
stop the message from being displayed, you must select the message and click
Delete.
Add Generic Workstation Account information
The Generic Workstation Account is used in PrivacyShell to generically log in to all
PrivacyShell workstations. This account should be set-up in Active Directory or in
PrivacyShell Administrator in advance. User ID and Password information is entered
in the System Manager screens in PrivacyShell Administrator.
To enter the Generic Workstation Account User ID and Password:
1. Select ‘System Manager’ in PrivacyShell Administrator in the left pane
2. Select the ‘System Manager’ document
3. Enter the Generic Workstation Account User ID adjacent to Workstation
Login UID on the General Tab.
4. Enter the Generic Workstation Account Password adjacent to Workstation
Login Pwd on the General Tab.
5. Click the ‘Update’ button.
a. To apply the Generic Workstation Account settings to a workstation
running PrivacyShell, check the check-box next to ‘Use System
Workstation Login’ on the General tab of the Workstation Manager.
Add user licenses
When you purchase PrivacyShell licenses, nSuite will give you an alphanumeric
license key. To add a license key:
1. First, you need to have received a license key from nSuite. nSuite will
generate specific license keys for each PrivacyShell product purchased
2. Select ‘Systems Manager’; ‘System Manager’ node in PrivacyShell
Administrator.
3. Click on ‘Licenses’ tab.
4. Enter License key into License Key Field
5. Click the ‘Update’ button
Administrator Security
It is possible to manage which modules of PrivacyShell Administrator individual
administrators can see and edit. To set admin security:
1. Click the Systems Manager node in PrivacyShell Administrator.
2. Click on Admin Security.
3. Select a user
4. Select Security attribute for user
5. Click the ‘Update’ Button
IX. Appendix
Appendix A – Sample Challenge Questions:
1. What is your birth year?
2. What was your first car?
3. What is your mother’s maiden name?
4. What are the last four digits of your SSN#?
5. In what town were you born?
6. What is your oldest child’s name?
7. What is your Hospital badge #?
8. What year did you graduate medical school?
9. What year did you graduate nursing school?
10. What year did you graduate high school?
11. What was your elementary school name?
12. What was the name of your High School?
13. What was the team mascot of your high school?
14. What is your favorite pet’s name?
15. Where did you do your residency?
16. What was your first job?
17. Who is your favorite superhero?
Appendix B – Client Registry Settings