DataLocker SafeConsole - v5.9.4 - Admin Guide
When ZoneBuilder is enabled and invoked by policy (enforced or user-configurable), it installs a local
certificate on the computer where a device is unlocked. The computer can additionally be defined in the
Trusted Network policy. The certificate is installed in the MY STORE certificate store of the user account
and cannot be exported by anyone. The presence of this certificate causes the device to be treated as
being in the Trusted Zone. Between this certificate and the Trusted Network policy, you configure your
Trusted Zone. ZoneBuilder uses this certificate to enable password features that make the security of the
solution either more stringent or more convenient. Note that increased user convenience may also mean
a better security posture, as adoption rates and compliance with policies increase.
Once turned on, the feature cannot be fully deactivated, because doing so would require a device reset to
regenerate certificates. WARNING: Device(s) configured with a ZoneBuilder policy may become inoperable
if the SafeConsole server and the ZoneBuilder certificate become unavailable. Take steps to ensure this
does not occur, to avoid loss of access to the device(s).
ZoneBuilder can enforce higher security with Restricted Device Access:
1. Only allow unlocking when within the configured Trusted Zone, as defined by the installed Trusted
Certificate or the Trusted Network.
2. Only allow devices to unlock that are currently inside the Trusted Network. With this option the
device cannot unlock at all outside the network, which is a powerful way to permit data transport onto
or between secured networks: the courier does not have to be trusted and cannot be forced to expose
the stored data.
ZoneBuilder can, as a convenience, enable Automatic Device Unlock:
1. Allow automatic unlock of the devices on trusted machines. This setup makes the workday much
more convenient for the end user and increases the adoption rate of the devices. Because users must
still authenticate to their own user account, security remains high. The user will still use their
device password when unlocking on other machines.
2. Be employed as a self-service password reset. If users forget their password, they can bring their
device back to their trusted user account and reset the password there. No data is lost.
3. Be used to unlock on team members' machines without sharing the device password. By trusting
their team members' user accounts, the user only has to enter the device password once to
establish the trust. They can do this themselves and do not need to expose their password.
The trust can later be revoked from the device control panel. This increases productivity and is ideal
for sharing data quickly when WiFi is scarce or the network is tightly locked down.
Note that unlocking the device with a certificate can pose additional security risks. Take care to secure
the certificate's private key, for example by not allowing private key export.
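The guide leaves it to the administrator to confirm that the private key behind a trusted certificate is in fact non-exportable. The following PowerShell audit is an added example, not DataLocker's own tooling: it walks the current user's MY store (`Cert:\CurrentUser\My`) and reports, for each certificate, whether its private key is marked exportable. The subject filter is an assumption; the guide does not state what subject name the ZoneBuilder certificate carries, so by default the script lists every certificate and you narrow it to your deployment's value.

```powershell
# Added example (not from the DataLocker guide): audit the current user's MY
# certificate store and report whether each private key is marked exportable.
# ASSUMPTION: the ZoneBuilder certificate's subject is deployment-specific, so
# the filter defaults to '*' (all certificates); pass -SubjectFilter to narrow it.
param(
    [string]$SubjectFilter = '*'
)

function Get-PrivateKeyExportability {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert.HasPrivateKey) { return 'NoPrivateKey' }

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)

    # CNG-backed keys (typical on current Windows) expose an explicit export policy.
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $policy = $rsa.Key.ExportPolicy
        if ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport) {
            return 'Exportable (plaintext)'
        }
        if ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) {
            return 'Exportable (encrypted only)'
        }
        return 'NonExportable'
    }

    # Legacy CSP keys carry the flag in the key container info.
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        if ($rsa.CspKeyContainerInfo.Exportable) { return 'Exportable' }
        return 'NonExportable'
    }

    # Non-RSA keys (e.g. ECDSA) are not inspected by this example.
    return 'Unknown'
}

$findings = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "*$SubjectFilter*" } |
    ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            PrivateKey = Get-PrivateKeyExportability -Cert $_
        }
    }

$findings | Format-Table -AutoSize

# Anything exportable contradicts the guide's recommendation and should be reviewed.
$bad = @($findings | Where-Object { $_.PrivateKey -like 'Exportable*' })
if ($bad.Count -gt 0) {
    Write-Warning "Found $($bad.Count) certificate(s) with an exportable private key in CurrentUser\My."
}
```

Run it in the context of the user account that unlocked the device, since that is the account whose MY store ZoneBuilder populates; a certificate reported as `NonExportable` matches the protection the guide describes, while any `Exportable` result means the trusted-zone credential could be copied to a machine that was never enrolled.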
The following configurations are available:
• Enable ZoneBuilder - checkbox
– ZoneBuilder can either be used to automatically unlock devices (mainly for ease of use)
and/or to restrict which computer user accounts the device can be unlocked on (to limit the
usage of the device), based on client certificates. All allowed trusted computer users will
become part of the Trusted Certificates.
– Restrict trusted computers to CA-signed client certificates - selector
• No - Allow device software to generate certificates. Leave as ‘No’ to allow users to
easily link a device with computers of their choice.
© 2023 DataLocker Inc. All rights reserved. 30