TPM 2.0 support
A TPM 2.0 chip built into a device can be used for two basic security functions:
- Encryption of the setup partition and the system partition
The setup partition on a device's flash memory contains the device configuration, application definitions, and certificate store. The system partition holds the software packages of the firmware.
In addition to encryption, the disk is sealed to security measurements taken by the TPM: the encryption key is released only if the measured boot chain is unchanged, which protects the system against manipulation.
- Storage of the private key of a SCEP client certificate inside the TPM 2.0 module
To store the key inside the TPM 2.0 module, a scep.ini entry is required. For further information, see Certificates for SCEP in the SCEP guide.
Note:
If you want to use TPM 2.0 for WLAN (IEEE 802.1X) authentication, note the special parameters in the configuration file wpa.conf. For further information, see Configuring WPA supplicant in the IEEE 802.1X short guide.
Requirements for disk encryption
- The devices are provided with a TPM 2.0 module.
- The devices are started in UEFI mode.
Disk encryption via TPM 2.0
If the device-side requirements are met, encryption can be enabled using two different mechanisms:
- Via the configuration parameter DiskEncryption
- Via the feature package Partition encryption installed with the image
If you install the BaseOS package on the devices with the feature package Partition encryption enabled, the system is encrypted automatically. The parameter DiskEncryption is then ignored.
The feature package Partition encryption is enabled by default.
To encrypt the disk, the partitions must first be formatted. Therefore, as soon as encryption is activated, a firmware update with prior formatting is forced for the relevant devices.
Encrypting the disk via parameter
- In the Scout Console, for the relevant devices, open Advanced device configuration > Advanced file entries.
- Define the following entry:
File: /setup/terminal.ini
Section: Security
Entry: DiskEncryption
Value: true (default: false)
For further information, see Advanced file entries.
For the relevant devices, a firmware update with prior disk formatting is forced.
The configuration parameter has no effect on devices without TPM 2.0.
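The two device-side requirements above (TPM 2.0 present, started in UEFI mode) and the rule that DiskEncryption has no effect without a TPM 2.0 can be checked before an update is forced. The script below is an added example and is not part of the eLux or Scout documentation. It assumes the device runs a Linux kernel that exposes the standard sysfs nodes /sys/firmware/efi (present only after a UEFI boot) and /sys/class/tpm/tpm0/tpm_version_major (kernel 5.6 or later), and it reads the [Security] DiskEncryption entry from a terminal.ini file in plain INI syntax. The sysfs root and the ini path are parameters so the checks can also be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not eLux/Scout code): report whether TPM 2.0 disk
# encryption would take effect on this device.
# Assumptions: standard Linux sysfs layout; terminal.ini is plain INI with a
# [Security] section; the documented default for DiskEncryption is false.

# booted_uefi SYSROOT -> success if the kernel was started by UEFI firmware
booted_uefi() {
    [ -d "$1/firmware/efi" ]
}

# tpm_major SYSROOT -> prints the TPM family (1 or 2); prints nothing and
# fails if there is no TPM or the kernel does not expose the attribute
tpm_major() {
    f="$1/class/tpm/tpm0/tpm_version_major"
    [ -r "$f" ] && cat "$f"
}

# has_tpm2 SYSROOT -> success if a TPM 2.0 device is present
has_tpm2() {
    [ "$(tpm_major "$1")" = "2" ]
}

# disk_encryption_setting INI -> prints the DiskEncryption value from the
# [Security] section, lower-cased; prints "false" (the documented default)
# when the entry or the file is absent.
disk_encryption_setting() {
    v=$(awk -F= '
        /^[[:space:]]*\[/ {
            insec = ($0 ~ /^[[:space:]]*\[Security\][[:space:]]*$/); next }
        insec && $1 ~ /^[[:space:]]*DiskEncryption[[:space:]]*$/ {
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2); print tolower($2); exit }
    ' "$1" 2>/dev/null || true)
    printf '%s\n' "${v:-false}"
}

# encryption_outcome SYSROOT INI -> one word describing what the device does:
#   disabled : DiskEncryption is false or absent
#   ignored  : DiskEncryption=true but no TPM 2.0 (parameter has no effect)
#   no-uefi  : TPM 2.0 present but the device was not started in UEFI mode
#   encrypt  : both requirements met, a formatting update will be forced
encryption_outcome() {
    sysroot=$1
    ini=$2
    if [ "$(disk_encryption_setting "$ini")" != "true" ]; then
        echo disabled
        return
    fi
    if ! has_tpm2 "$sysroot"; then
        echo ignored
        return
    fi
    if ! booted_uefi "$sysroot"; then
        echo no-uefi
        return
    fi
    echo encrypt
}

# Stand-alone use on a real device: ./check-diskenc.sh --live
if [ "${1:-}" = "--live" ]; then
    encryption_outcome /sys /setup/terminal.ini
fi
```

On kernels older than 5.6 the tpm_version_major attribute does not exist, so the script reports "ignored" even when a TPM 2.0 is fitted; treat that result as "unknown" there and check the firmware setup instead.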
Note:
You can find information on whether the disk of the device is encrypted in the Properties window.
When new devices with a TPM 2.0 chip are on-boarded to the Scout infrastructure and the destination OU is configured with DiskEncryption, the configuration data stored in the Scout Console is saved locally on the device only after the setup partition has been encrypted.
Update from earlier versions with disk encryption
Updates with disk encryption can only be performed from eLux RP 6.x. Upgrades from eLux RP 5 are not supported.
If you enable encryption when updating to a current eLux RP 6 version, one more update may be required on the next device restart, because the partitions must be formatted before they can be encrypted.
Error handling
If a device fulfills the above-mentioned requirements for encryption and disk encryption still fails during the update, the setup partition is partially cleaned, as for a factory reset, but without deleting the Scout Server address. The device status in the Scout Console is then displayed with a yellow icon (initialization).
Resetting the disk encryption
Requirement
The feature package Partition encryption must be uninstalled on the relevant devices. This requires modifying the image definition file on the web server via ELIAS.
- Set the advanced file entry DiskEncryption to the value false.
or
- Perform a factory reset for the devices. To do so, use the Remote factory reset command with the option Delete Scout Server address on the device.
During the restart of the relevant devices, the disk is decrypted, so the start-up process takes longer.
This Preview product documentation is Citrix Confidential.