PBA Override uses the challenge-response methodology. The user provides you with a request ID and challenge sequence that you use to generate a response sequence in ZENworks Control Center. You then provide the user with the response sequence that authorizes the user to bypass the PBA for a set number of times.
By default, the response sequence is calculated by using the Management Zone’s unique override key. Therefore, it works only with devices registered in the zone. If you need to generate a response for a device registered in another zone, you must export a PBA Override file from that zone and use the PBA Override file to generate the correct response. The next three sections provide instructions for both methods.
Super Administrators have rights to perform all tasks in ZENworks Control Center. If a ZENworks administrator is not a Super Administrator, the administrator must be assigned the Manage FDE PBA Override privilege to use the PBA Override feature. If the administrator does not have this privilege, he or she is restricted to view rights for the PBA Override page.
This Manage FDE PBA Override privilege is configured through the Zone rights for individual administrators or administrator groups.
In ZENworks Control Center, click Configuration.
In the Administrators panel, click the administrator or administrator group to which you want to assign the privilege.
You can also use roles to assign the privilege to administrators. For instructions, see Managing Administrator Roles
in the ZENworks Administrator Accounts and Rights Reference.
Click the Rights tab.
In the Assigned Rights panel, click Add > Zone Rights to display the Zone Rights dialog box.
By default, all privileges are set to Allow. Change any privileges you do not want the administrator to have to Deny, and click OK.
Click Apply to apply the changes to the administrator.
In ZENworks Control Center, click Full Disk Encryption, and then click Pre-Boot Authentication Override.
In the Request ID fields, specify the request ID sequence supplied to you by the user.
The request ID sequence must be identical to the sequence presented to the user on his or her device. Your Request ID field A corresponds directly to the user’s Request ID field A and your Request ID field B corresponds to the user’s Request ID field B. Incorrect characters or order cause a sequence mismatch, resulting in an error when generating the response sequence.
In the Challenge fields, specify the challenge sequence supplied to you by the user.
As with the request ID sequence, the challenge sequence you enter must exactly match (characters and order) the user’s challenge sequence.
In the Overrides Allowed field, specify the number of times you want to allow the user to boot the device without providing PBA authentication.
Click Generate Response.
Supply the response sequence to the user.
As with the request ID and challenge sequences you entered earlier, the user must enter the response sequence to exactly match (characters and order) the generated response sequence.
The following instructions assume that you have exported the PBA Override file from another zone and want to use it to create a response for a device from that zone. The PBA Override file contains the override key from the other zone, which is needed to create the correct response for that zone’s devices.
To generate a response:
In ZENworks Control Center, click Full Disk Encryption, then click Pre-Boot Authentication Override.
In the Request ID section, specify the request ID sequence supplied to you by the user.
The request ID sequence must be identical to the sequence presented to the user on his or her device. Your Request ID field A corresponds directly to the user’s Request ID field A and your Request ID field B corresponds to the user’s Request ID field B. Incorrect characters or order cause a sequence mismatch, resulting in an error when generating the response sequence.
In the Challenge section, specify the challenge sequence supplied to you by the user.
As with the request ID sequence, the challenge sequence you enter must exactly match (characters and order) the user’s challenge sequence.
In the Overrides Allowed section, specify the number of times you want to allow the user to boot the device without providing PBA authentication.
In the PBA Override File section, select the Use PBA Override file to generate response option, select the PBA Override (*.hdf) file, then specify the password for the file.
Click Generate Response.
Supply the response sequence to the user.
As with the request ID and challenge sequences you entered earlier, the user must enter the response sequence to exactly match (characters and order) the generated response sequence.