Lenovo ThinkVantage (Hardware Password Manager Deployment Guide) User Manual


5. If you selected With expiration, select Duration, and then select the beginning and end time for the access to Hardware Password Manager devices; or select Login count remaining, and then select the number of logins; or select Number of days allowed per machine, and then specify the number of days.

6. Click OK.

To associate devices with a group:

1. Click HPM Groups in the toolbox (or click Tools ThinkVantage Hardware Password Manager HPM Groups).

2. Drag the device from the network view (either from All devices or from Hardware Password Manager devices - Computers) to the group name in the LDAP tree view.

3. To view the devices associated with a group, click the group name and click View computers on the toolbar. To view users associated with a group, click the group name and click View LDAP Users on the toolbar.

The dialog box displays the LDAP distinguished name of the group and lists the devices or users associated
with the group. Members of the group can log in to all devices listed here, unless you have defined the group
as a Service Tech group with an expiration on group access, and the association has expired.

Managing remote actions and policy settings for Hardware Password Manager devices

Remote actions are changes to a Hardware Password Manager device’s settings that are applied to one
or more devices by the administrator. Actions include credential management, registering or deregistering
devices, and enrolling or removing users.

Remote actions are not applied immediately to Hardware Password Manager devices. After the administrator
applies one or more remote actions to a device, the actions are pending until the next time the device is
powered on. The device then connects to the Hardware Password Manager server and requests any
pending actions. The client completes the actions, and the new settings then take effect.
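
The following added example is not part of the Lenovo manual or the product's code. It models the pending-action behavior described above in Python, showing that an action such as Deregister PC changes nothing on a device until that device next powers on, and how to list devices whose actions have been pending too long. The class, method, and device names and the timestamps are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Device:
    name: str
    pending: list = field(default_factory=list)  # (action, applied_at), in apply order
    applied: list = field(default_factory=list)  # (action, completed_at)

class Server:
    """Hypothetical model of the server-side queue; not the product's API."""
    def __init__(self):
        self.devices = {}

    def apply_action(self, device, action, now):
        # Administrator side: the action is only queued, never pushed.
        self.devices.setdefault(device, Device(device)).pending.append((action, now))

    def power_on(self, device, now):
        # Client side: at power-on the device requests and completes pending actions.
        dev = self.devices.setdefault(device, Device(device))
        done = [action for action, _ in dev.pending]
        dev.applied += [(action, now) for action in done]
        dev.pending.clear()
        return done

    def stale(self, now, max_age):
        # Devices whose oldest pending action has waited longer than max_age.
        report = {}
        for dev in self.devices.values():
            if dev.pending:
                age = now - min(t for _, t in dev.pending)
                if age > max_age:
                    report[dev.name] = (age, [a for a, _ in dev.pending])
        return report

def demo():
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamp
    server = Server()
    server.apply_action("laptop-a", "Renew Hardware Account", t0)
    server.apply_action("laptop-b", "Deregister PC", t0)
    # laptop-a powers on the next day; laptop-b stays off.
    completed = server.power_on("laptop-a", t0 + timedelta(days=1))
    # Nine days later laptop-b still holds its old hardware passwords.
    stale = server.stale(t0 + timedelta(days=9), max_age=timedelta(days=7))
    return {"completed": completed, "stale": stale}

if __name__ == "__main__":
    print(demo())
```

A device that appears in the stale report still has its previous settings and credentials, so treat the remote action as not yet effective for that device.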

One remote action is to change policy settings on the Hardware Password Manager device. There are
two types of policies: those applied at the operating system level (Windows policies) and those applied
at the BIOS level (BIOS policies). Policies determine how the device manages credentials, and determine
whether registration and user enrollment are automatically started when the device is powered on. They
also determine whether multiple users can be enrolled on a Hardware Password Manager device and how
user login is handled for the BIOS menu.

When you manage remote actions, you can apply actions individually or globally. When the Remote Actions and Policy Settings tool is open, you can drag Hardware Password Manager devices from the network view and drop them onto specific remote actions. Or you can use buttons on the toolbar to apply actions globally.

Remote actions include the following:

Renew Hardware Account: replaces the BIOS hardware passwords with a new set of credentials that are generated by the Hardware Password Manager server. The new credentials are stored in the hardware account, a secure area of non-volatile memory that can only be accessed by the computer’s BIOS.

Restore Hardware Account: restores the BIOS hardware passwords in the hardware account with the backup credentials stored in the Hardware Password Manager server. This includes system and user password backups.

Deregister PC: clears the hardware passwords and changes the status in the BIOS of the client device from Registered to Enabled and removes the device from the list of registered Hardware Password Manager devices in the console.

Chapter 3. Managing Hardware Password Manager devices with ThinkManagement Console 13
