Version 8.1
SC23-9694-00
Note
Before using this information and the product it supports, read the information in Notices on page 177.
Edition notice
Note: This edition applies to version 8.1 of IBM Tivoli Access Manager for Enterprise Single Sign-On, (product
number 5724V67) and to all subsequent releases and modifications until otherwise indicated in new editions.
Copyright International Business Machines Corporation 2002, 2009. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule
Contract with IBM Corp.
Contents
About this publication . . . . . . . . v
Intended audience . . . . . . . . . . v
What this publication contains . . . . . . v
Publications . . . . . . . . . . . . viii
Tivoli Access Manager for Enterprise
Single Sign-On library . . . . . . . viii
Accessing terminology online . . . . . ix
Accessing publications online . . . . . ix
Ordering publications . . . . . . . . ix
Accessibility . . . . . . . . . . . . x
Tivoli technical training . . . . . . . . x
Tivoli user groups . . . . . . . . . . x
Support information . . . . . . . . . x
Conventions used in this publication . . . . xi
Typeface conventions . . . . . . . . xi
Operating system-dependent variables and
paths . . . . . . . . . . . . . xii
Margin icons. . . . . . . . . . . xii
Chapter 1. About Tivoli Access Manager for
Enterprise Single Sign-On . . . . . . . 1
Tivoli Access Manager for Enterprise Single
Sign-On features . . . . . . . . . . . 2
Product components . . . . . . . . . 5
Authentication factors . . . . . . . . . 6
TAM E-SSO Password . . . . . . . . 6
Secrets . . . . . . . . . . . . . 7
Second authentication factors. . . . . . 7
Presence detectors . . . . . . . . . 10
Tivoli Access Manager for Enterprise Single
Sign-On usage . . . . . . . . . . . 11
Personal workstation configuration . . . 11
Shared workstation configuration . . . . 11
Tivoli Access Manager for Enterprise Single
Sign-On program icons . . . . . . . . 14
Policies, certificates, and other product
concepts . . . . . . . . . . . . . 14
Credentials . . . . . . . . . . . 15
Enterprise identity . . . . . . . . . 15
Enterprise applications . . . . . . . 15
Personal applications . . . . . . . . 16
User, system, and machine policies . . . 16
Chapter 2. About policies . . . . . . . 19
Policy legends . . . . . . . . . . . 21
Glossary . . . . . . . . . . . . . 169
Notices . . . . . . . . . . . . . 177
Trademarks . . . . . . . . . . . . 179
Intended audience
This publication is for technical users who understand how Tivoli Access
Manager for Enterprise Single Sign-On can be enhanced and customized for the
specific needs of a customer.
This publication is for Administrators and system programmers who need to
perform the following tasks:
v Using policies to enable settings for Tivoli Access Manager for Enterprise
Single Sign-On
v Policy setting and maintenance (for example, modifying system policies and
setting policy priorities)
Readers need to be familiar with the following topics:
v Using AccessAdmin or modifying registry entries
v Information specific to the organization (for example, types of applications
used by the organization, and authentication factors)
Contains information about the Wallet policies, such as enabling the caching
of Wallets, the maximum number of cached Wallets, and Wallet
synchronization settings.
v Chapter 18, "Sign-up policies"
Contains information about policies on setting secret questions and
answers, registering additional secrets during sign-up, and using a second
authentication factor during sign-up.
v Chapter 19, "Policy template policies"
Contains information about the policies for using the default user and
machine policy templates.
v Chapter 20, "ActiveCode policies"
Contains information about the policies for Mobile ActiveCode.
v Chapter 21, "AccessAssistant and Web Workplace policies"
Contains information about the policies for AccessAssistant and Web
Workplace.
v Chapter 22, "AccessAudit policies"
Contains information about the policy for custom event settings.
v Chapter 23, "AccessAgent policies"
Contains information about AccessAgent policies, such as EnGINA settings,
second authentication factor settings, logon policies, Terminal Server
policies, and so on.
v Chapter 24, "Configurable text policies"
Contains information about the policies for the messages displayed for
EnGINA, computer unlock, RFID, and so on.
v Chapter 25, "Authentication service policies"
Contains information about the authentication service policies for password
fortification, automatic sign-on settings, default user settings, and password
injection settings.
v Chapter 26, "Application policies"
Contains information about the policies for applications used by your
organization.
v Chapter 27, "User-defined policies"
Contains information about user-defined policies.
v Chapter 28, "Troubleshooting policies"
Contains information about the policies on Wallet synchronization, Wallet
deletion, and settings for overriding machine policies.
Publications
This section lists publications in the Tivoli Access Manager for Enterprise
Single Sign-On library. The section also describes how to access Tivoli
publications online and how to order Tivoli publications.
v IBM Tivoli Access Manager for Enterprise Single Sign-On Installation Guide,
GI11-9309
Provides information about installing the different product components.
v IBM Tivoli Access Manager for Enterprise Single Sign-On Setup Guide,
GC23-9692
Provides information about configuring the different components of the
product.
v IBM Tivoli Access Manager for Enterprise Single Sign-On Troubleshooting and
Support Guide, GC23-9693
Provides information about troubleshooting the different components of the
product.
v IBM Tivoli Access Manager for Enterprise Single Sign-On Policies Definition
Guide, SC23-9694
Provides information about the policies that can be set for the product. The
policies can be set using either AccessAdmin or by updating registry
entries.
Ordering publications
You can order many Tivoli publications online at http://
www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.
You can also order by telephone by calling one of these numbers:
v In the United States: 800-879-2755
v In Canada: 800-426-4968
In other countries, contact your software account representative to order Tivoli
publications. To locate the telephone number of your local representative,
perform the following steps:
1. Go to http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.
2. Select your country from the list and click Go.
3. Click About this site in the main panel to see an information page that
includes the telephone number of your local representative.
Accessibility
Accessibility features help users with a physical disability, such as restricted
mobility or limited vision, to use software products successfully.
For additional information, see the Accessibility Appendix in the IBM Tivoli
Access Manager for Enterprise Single Sign-On User Guide.
Support information
If you have a problem with your IBM software, you want to resolve it quickly.
IBM provides the following ways for you to obtain the support you need:
Online
Go to the IBM Software Support site at http://www.ibm.com/
software/support/probsub.html and follow the instructions.
IBM Support Assistant
The IBM Support Assistant is a free local software serviceability
workbench that helps you resolve questions and problems with IBM
software products. The IBM Support Assistant provides quick access
to support-related information and serviceability tools for problem
determination. To install the IBM Support Assistant software, go to
http://www.ibm.com/software/support/isa.
Troubleshooting Guide
For more information about resolving problems, see the IBM Tivoli
Access Manager for Enterprise Single Sign-On Troubleshooting and Support
Guide.
Typeface conventions
This publication uses the following typeface conventions:
Bold
v Lowercase commands and mixed case commands that are otherwise
difficult to distinguish from surrounding text
v Interface controls (check boxes, push buttons, radio buttons, spin
buttons, fields, folders, icons, list boxes, items inside list boxes,
multicolumn lists, containers, menu choices, menu names, tabs,
property sheets), labels (such as Tip:, and Operating system
considerations:)
v Keywords and parameters in text
Italic
v Citations (examples: titles of publications, diskettes, and CDs)
v Words defined in text (example: a nonswitched line is called a
point-to-point line)
v Emphasis of words and letters (words as words example: "Use the
word that to introduce a restrictive clause."; letters as letters
example: "The LUN address must start with the letter L.")
v New terms in text (except in a definition list): a view is a frame in a
workspace that contains data.
v Variables and values you must provide: ... where myname
represents....
Monospace
v Examples and code examples
v File names, programming keywords, and other elements that are
difficult to distinguish from surrounding text
Margin icons
Many procedures in this publication include icons in the left margin. These
icons provide context for performing a step in a procedure. For example, if
you have to perform a step in a procedure by double-clicking a policy region
icon, that icon is displayed in the left margin next to the step.
Tivoli Access Manager for Enterprise Single Sign-On also provides iTag, a
patent-pending technology that can convert any photo badge or personal
object into a proximity device, which can be used for strong authentication.
Product components
This topic describes the main components of Tivoli Access Manager for
Enterprise Single Sign-On.
Table 1 describes each component. A typical installation uses some of these
components.
Table 1. Product components
v AccessAgent
v AccessAdmin
v AccessAssistant
v AccessStudio
v IMS Bridge
v IMS Connector
v IMS Server
v Web Workplace
Note: Antivirus software can interfere with AccessAgent or the IMS Server.
For more information, see the IBM Tivoli Access Manager for Enterprise Single
Sign-On Troubleshooting and Support Guide.
Authentication factors
Authentication factors come in different forms and serve different
functions. Except for the password and the fingerprint, each factor is a
physical device that works like a key to systems and applications.
Smart cards and RFID cards, for example, are about the same size as credit
cards, and can be easily attached to key rings.
See the following topics for more information.
v TAM E-SSO Password
v Secrets on page 7
v Second authentication factors on page 7
v Presence detectors on page 10
Secrets
You might be asked to enter a secret after signing up for your Wallet,
depending on the preference of your organization. It is like specifying hints in
case you forget the password for a Web e-mail account.
The secret is something that:
v you would not forget, even if you do not use the secret for a long time.
v is not likely to change.
Note: You can use all the characters in the ISO Latin-1 character set in
creating secrets, except for the following characters:
v
v
When you sign up, you must select one or more questions from a list and
provide answers. If the self-service feature is enabled, you might need to
specify more than one secret.
In case you forget your password, you can use the secret to set a new
password. You can also use the secret and an authorization code to gain
temporary access to your cached Wallet. The Help desk officer gives you the
authorization code.
ActiveCode
ActiveCodes are short-term authentication codes controlled by the system.
ActiveCodes enhance the security of traditional password-based
authentication for applications. ActiveCodes are random passwords that can
only be used one time by an authorized user. Combined with alternative
channels and devices, ActiveCodes provide effective second-factor
authentication.
There are two types of ActiveCodes:
v Mobile ActiveCode
A Mobile ActiveCode is a randomly generated, event-based one-time
password (OTP). The Mobile ActiveCode is generated on the IMS Server
and delivered through a secure second channel, such as short message
service (SMS) on mobile phones. It is used for strong authentication.
v Unified ActiveCode
The Unified ActiveCode is a predictive one-time password used for strong
authentication. The Unified ActiveCode generator is built into AccessAgent.
Smart card
A smart card is a pocket-sized card that has an embedded microprocessor.
Smart cards can do cryptographic operations, and are used to store and
process the digital credentials of the users securely.
A smart card can be used as an authentication factor. The product provides
certificate-based strong authentication when you access your Credential Wallet
using a smart card.
Important: The smart card PIN is not related to the TAM E-SSO password.
The product does not manage the smart card PIN.
Fingerprint identification
The fingerprint identification system uses your fingerprint as an
authentication factor. The fingerprint reader converts your fingerprint into
an encrypted code, which AccessAgent uses to log you on.
Tivoli Access Manager for Enterprise Single Sign-On 8.1 supports the
following biometric service provider and fingerprint readers:
v BIO-key Biometric Service Provider (BSP) 1.9_262
v DigitalPersona 3.2.0
v UPEK 2.0 and UPEK 3.0
The BIO-key Biometric Service Provider (BSP) is biometric middleware. It is
used so that the product can work with any fingerprint reader that BIO-key
already supports. See the BIO-key list of supported devices.
Note: The integration with BIO-key BSP does not support DigitalPersona in
this release.
Presence detectors
A presence detector is a device that detects your presence in its vicinity. When
affixed to a computer, the device can notify AccessAgent when you are in
front of the computer or when you move away. This feature eliminates your
effort of manually locking the computer when you leave the computer for a
short time.
Sonar device
The sonar-based presence detector locks a workstation immediately when you
walk away, without waiting for the desktop inactivity timeout. The device
uses 40 kHz ultrasonic sound waves (a frequency too high for people to hear)
and detects presence at a range of five inches to five feet. You can move
within that zone without triggering a walk-away event.
The device is attached to the USB port of your computer and is configured by
the system as a keyboard. When you move away from the computer, the
device sends keystrokes to your computer. When you approach the computer,
the device can send a different set of keystrokes to your computer.
You can set AccessAgent to intercept these keystrokes and perform
appropriate actions (for example, to lock the computer). The sonar can be
combined with building badges (for example, RFID cards) to create a more
robust solution.
The sonar device is not used with Active Proximity Badge since the Active
Proximity Badge is also a presence detector.
Any other supported authentication factors can be used with the
pcProx-Sonar, such as:
v Password only
v RFID
v Fingerprint
v Smart card
The behavior of a sonar-based presence detector can be configured to be like
an Active Proximity Badge. However, sonar-based presence detectors cannot
store a unique ID to identify a user.
Shared desktops
Shared desktops allow multiple users to share a generic Windows desktop.
Switching of users can be done quickly and efficiently.
Without shared desktops, switching from User A to User B causes the
applications of User A to be lost, and User A must launch the applications
again. Set up AccessProfiles to automatically log off enterprise applications
when user switching occurs.
RFID cards, fingerprint readers, and smart cards are the authentication
factors for this usage configuration.
With shared desktops, you can access a workstation by signing up (for
example, from EnGINA, desktop, or a locked computer) and tapping your
RFID card. You can also sign up without your RFID card and register later
when the cards are already available. After completing the sign-up process,
you can then log on to AccessAgent.
When another user taps an RFID card in your desktop, switching is invoked,
either from the desktop or from the locked computer screen.
After the new user supplies a valid password, AccessAgent unlocks your
computer (if locked), logs you off, and then logs on the new user to the
Wallet. If the new user logged on to other computers with the same RFID and
Password in a set time range during the day, the new user might not be
required to enter a password.
Private desktops
Private desktops allow you to have your own Windows desktop in a
workstation. When a previous user returns to the workstation and unlocks it,
AccessAgent switches to the desktop session of the previous user and resumes
the last task.
Your existing desktop might have to be logged off if the workstation runs out
of resources, such as memory, so that another user can log on. If you then log
on to another workstation, restart the application.
To manage multiple desktops on a single workstation, the private desktop
scheme uses the Local User Session Management feature of AccessAgent that
uses a component called Desktop Manager.
Logging on from the EnGINA welcome screen is not supported by Local User
Session Management. Workstations are configured to automatically log on to a
generic Windows account upon startup, and then the computer is locked.
Note: This generic Windows account must not be a registered user. Use a
local computer account.
All your users will log on to the workstation from the locked screen. All users
must tap their RFID cards when they sign up. They can also sign up without
the RFID cards and register these second factors later. After completing the
sign-up process, you can then log on to AccessAgent.
Note: You are not logged on to AccessAgent if you are using an auto-admin
account.
When another user taps an RFID card to switch to another desktop, that user
logs on (if there is no existing invisible session) or unlocks the
workstation (if there is an existing invisible session).
The following Wallet authentication options are supported:
v Password
v RFID+Password
v Smart card
v Active Proximity Badge+Password
v Fingerprint
If you log on to Windows sessions using your own Active Directory
credentials, Local User Session Management requires that synchronization of
password and Active Directory password must be enabled.
For deployments where smart card logon to Windows is enabled and smart
card logon is enforced, disable Active Directory password synchronization.
Roaming desktops
Roaming desktops have your Windows desktops "roam" to any access point,
from workstation to workstation. You can disconnect from a desktop or
application session at one client, log on to another client, and continue a
desktop or application session at a new client. Roaming desktops give you the
ability to access and preserve your desktops, regardless of which computers
you use.
This scheme requires Terminal Server or Citrix. This setup is especially useful
for a shared workstation environment, where you can roam from one
workstation to another, depending on your current location.
Application icons
(icon images not reproduced)
v This icon represents AccessAgent on the desktop.
v No one is logged on to AccessAgent.
v Enterprise identity
v Enterprise applications
v Personal applications on page 16
v User, system, and machine policies on page 16
Credentials
Credentials refer to user names, passwords, certificates, and any other
information required for authentication. An authentication factor can serve as
a credential. In Tivoli Access Manager for Enterprise Single Sign-On,
credentials are stored and secured in your Wallet.
Enterprise identity
In an enterprise, you have multiple user accounts for different types of
applications such as e-mail, portal, human resources system, and Web access.
One of these identities is used to authenticate users and to provide access
to the enterprise network.
For example, you might be required to log on to Windows and access the
network by entering your user name and password. This identity is called the
enterprise identity.
The solution that an enterprise uses for identity management must be
identified. The solution verifies the identities of users logging on with Tivoli
Access Manager for Enterprise Single Sign-On keys. The solution also links
the IMS Server with the enterprise directory that manages your users.
This policy is set before deployment and sets the foundations of how the
system works. You can change the policy later using AccessAdmin. The
enterprise identity binding must be a system or application that the enterprise
identifies as a long-term investment. The system or application must not be
changed, removed, or replaced soon.
Enterprise applications
The enterprise must select the applications to include in the enterprise
application list.
Enterprise applications are specific to the business of an enterprise and
controlled by an Administrator.
See this list for some characteristics of an enterprise application:
v Managed through the IMS Server by the information technology
department of the enterprise
v Passwords are grouped by authenticating directories
v Audit logs are generated and stored in the IMS Server
v User accounts are pre-created
Personal applications
The enterprise must specify whether the users can use AccessAgent and Tivoli
Access Manager for Enterprise Single Sign-On keys for personal applications.
Personal applications are applications that users can specify if they want
AccessAgent to store and enter their user names and passwords. Some
examples of personal applications are IBM Lotus Notes, IBM Lotus
Sametime Connect, and online banking sites.
This policy is implemented as a global policy, where users are allowed or not
allowed to use AccessAgent with personal applications. You cannot grant or
deny access to specific users.
True. If the latter is set to False, any setting for pid_enc_hot_key_action does
not affect users. The dependencies are described later in this section.
Some groups of policies have overlapping scopes. For example, policies with
system scopes have different ranges of entities that they affect.
v Wallet inject password entry option default policy
(pid_wallet_inject_pwd_entry_option_default )
This policy defines the default password entry option for all authentication
services and applications.
v Authentication inject password entry option default policy
(pid_auth_inject_pwd_entry_option_default )
This policy defines the default password entry option for a specific
authentication service.
v Application inject password entry option default policy
(pid_app_inject_pwd_entry_option_default)
This policy defines the default password entry option for a specific
application.
In general, application-specific policies override authentication service-specific
policies, which in turn, override general Wallet policies. The Wallet inject
password entry option default policy
(pid_wallet_inject_pwd_entry_option_default) is used when the other two
policies are not defined for a particular authentication service or application.
However, if the Authentication service inject password entry option default
policy (pid_auth_inject_pwd_entry_option_default) is defined for an
authentication service, it overrides the Wallet inject password entry option
default policy (pid_wallet_inject_pwd_entry_option_default) when a default
password entry option is needed for the authentication service.
Similarly, if the Application inject password entry option default policy
(pid_app_inject_pwd_entry_option_default) is defined for a particular
application, it overrides the other two policies.
User-specific policies generally override system-wide policies, but this also
depends on the policy priority. For example, the Authentication accounts
maximum policy (pid_auth_accounts_max) has both user and system scopes.
The user scope setting is always effective if it is defined. If the user scope
setting is not defined for a user, the system scope setting becomes effective.
Administrators use a command-line tool (CLT) to view and set policy
priorities. For more information, see Viewing and setting policy priorities on
page 22.
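The precedence rules above, worked through as an added example (this is not code from the product or from this guide): a small Python resolver that applies the application > authentication service > Wallet order for the inject-password-entry defaults, and the managePolPriority ranking for a policy that exists in more than one scope, such as pid_auth_accounts_max. The policy IDs are the ones named in this chapter; the application and directory names, the sample values, and the `prerequisite_enabled` flag that stands in for the unnamed policy pid_enc_hot_key_action depends on are constructed for illustration.

```python
"""Added example, not product code: resolve the effective value of a policy
under the two precedence rules described in this chapter."""
from typing import Dict, Optional, Tuple

# Policy IDs named in the guide.
WALLET_DEFAULT = "pid_wallet_inject_pwd_entry_option_default"
AUTH_DEFAULT = "pid_auth_inject_pwd_entry_option_default"
APP_DEFAULT = "pid_app_inject_pwd_entry_option_default"

# (policy id, entity) -> value. The entity is an application name, an
# authentication service name, or None for the Wallet-wide default.
InjectStore = Dict[Tuple[str, Optional[str]], str]


def resolve_inject_option(store: InjectStore, app: str,
                          auth_service: str) -> Optional[str]:
    """Most specific definition wins: application > authentication
    service > Wallet default. Returns None if none of the three is defined."""
    for key in ((APP_DEFAULT, app),
                (AUTH_DEFAULT, auth_service),
                (WALLET_DEFAULT, None)):
        if key in store:
            return store[key]
    return None


def resolve_scoped(values_by_scope: Dict[str, Optional[int]],
                   priority: Dict[str, int]) -> Optional[int]:
    """Pick the effective value of a policy defined in several scopes
    (user, machine, system). `priority` maps scope -> rank as set with
    managePolPriority (1 = highest). The highest-ranked scope that has a
    value wins; a scope with no value falls through to the next one.
    Assumption: scopes with no rank are considered last (the guide does
    not say how unranked scopes are ordered)."""
    for scope in sorted(values_by_scope, key=lambda s: priority.get(s, 10**9)):
        if values_by_scope[scope] is not None:
            return values_by_scope[scope]
    return None


def effective_hot_key_action(action: Optional[str],
                             prerequisite_enabled: bool) -> Optional[str]:
    """A dependent policy has no effect on users unless its prerequisite
    policy is True (the guide says this of pid_enc_hot_key_action; the
    prerequisite's name is not on this page, so it is passed as a flag)."""
    return action if prerequisite_enabled else None


# Constructed sample data: entity names and values are illustrative only.
SAMPLE_INJECT: InjectStore = {
    (WALLET_DEFAULT, None): "ask",          # Wallet-wide default
    (AUTH_DEFAULT, "corp-ldap"): "auto",    # overrides it for one directory
    (APP_DEFAULT, "hr-portal"): "never",    # overrides both for one application
}

USER_FIRST = {"user": 1, "system": 2}       # as set with managePolPriority


def demo() -> Dict[str, Optional[object]]:
    return {
        "hr-portal/corp-ldap": resolve_inject_option(SAMPLE_INJECT, "hr-portal", "corp-ldap"),
        "mail/corp-ldap": resolve_inject_option(SAMPLE_INJECT, "mail", "corp-ldap"),
        "mail/other-dir": resolve_inject_option(SAMPLE_INJECT, "mail", "other-dir"),
        "accounts_max/user-defined": resolve_scoped({"user": 3, "system": 10}, USER_FIRST),
        "accounts_max/user-undefined": resolve_scoped({"user": None, "system": 10}, USER_FIRST),
        "timeout/machine-first": resolve_scoped({"machine": 300, "system": 900},
                                                {"machine": 1, "system": 2}),
        "hot-key/prerequisite-off": effective_hot_key_action("lock", False),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to notice is that the two rules are different mechanisms: the inject-option order is fixed by which policy ID is defined for the most specific entity, whereas the scope order is data set by managePolPriority and can differ per policy, which is why a user value can win for one policy and a machine value for another.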
Policy legends
Policies can be modified only by Help desk officers and Administrators. These
policies affect the behavior of the whole system and must only be modified
when it is necessary. These policies must be set at deployment and followed
through.
Attribute
Description
Policy ID
Description
Registry
IMS Entry
The entry in the IMS Server for System and User policies.
If this column is blank, the value must be set in the
registry. If not, the value indicates the name of the policy,
which can be set using the IMS Server.
Type
Values
Scope
If a policy is defined for two scopes (for example, machine and system, user
and system, or machine and user), define a priority in case the value differs
between the scopes. For example, if the policy priority is "machine", only
the machine policy is effective.
Policies can be modified only by Help desk officers and Administrators. These
policies affect the behavior of the whole system and must only be modified
when it is necessary.
These policies are set at deployment and followed through. Changes to these
policies are propagated to clients the next time AccessAgent synchronizes
with the IMS Server.
Important: Older versions of AccessAgent continue to use the original policy
priorities, and values do not change after you upgrade the IMS Server. To
change policy priorities, first upgrade all installations of AccessAgent to
version 8.0 or later, and then run the following procedure.
Procedure
1. Launch the Windows command prompt (Start Run, type cmd).
2. Navigate to the batch file folder.
Enter <IMS installation folder>\bin, then press Enter.
3. Enter managePolPriority.bat to view the information about executing the
batch file, then press Enter.
4. To view the scope and priority of a specific policy, enter
managePolPriority --policyId [name of policy], then press Enter.
Results
The scope and priority of a policy are displayed.
What to do next
Close the command-line prompt window after viewing the information.
Procedure
1. Launch the Windows command prompt (Start Run, type cmd).
2. Navigate to the batch file folder.
Enter <IMS installation folder>\bin, then press Enter.
3. To change the scope of the policy, enter the following information.
managePolPriority
--policyId [name of policy]--scope [scp ims or scp machine] --templateId
[template ID]
The scope that is given highest priority is assigned a value of 1, the next
scope is assigned with a value of 2, and so on.
Note: Provide a template ID to specify the assigned template of the
machine, user, or system.
4. Press Enter.
5. Type exit to close the command prompt.
[DO] "SecondFactorsSupportedList"
IMS Entry
Type
String list
MULTI_SZ
Values
#RFID
#ARFID
#Smart card
#Fingerprint
(currently, only single value allowed, except for simultaneous
Fingerprint and RFID support)
(refreshed on startup)
Scope
Machine
pid_aa_tray_bubble_display_enabled
Description Whether to enable AccessAgent bubble pop-ups at the Windows
notification area.
Registry
[DO] "AATrayBubbleDisplayEnabled"
IMS Entry
Type
Boolean
DWORD
Values
*#True
#False
#0: No
*#1: Yes
(refreshed on use)
Scope
Machine
pid_aa_feedback_link
Description Enables the Feedback link in AccessAgent user interface to launch an
e-mail client or Web browser.
Note:
v If the policy value is blank, by default, AccessAgent does not show
the Feedback link.
v If the policy value format is mailto:abc@xyz.com, clicking Feedback
launches the default e-mail client of the user and the e-mail is sent to
abc@xyz.com.
v If the policy value format is http://xyz.com, clicking Feedback
launches the default browser of the user and navigates to
http://xyz.com.
Registry
"AAFeedbackLink"
IMS Entry
Type
String
SZ
Values
(refreshed on sync)
Scope
Machine
pid_ims_server_name
Description Default IMS Server name.
Registry
[DIMS] "ImsServerName"
IMS Entry
Type
SZ
Values
(refreshed on use)
Scope
Machine
pid_machine_tag
Description The MachineTag that is used for machine policy template criteria
assignment.
Note:
1. When a machine is registered with the IMS Server, it uses machine
group tag as one of the attributes.
The machine policy templates assignment criteria of the IMS Server
can include machine group tag as an attribute value to be matched.
In this way, the machine group tag can determine how machine
policy templates are assigned.
2. After a machine is registered with the IMS Server, the machine group
tag can still be modified by the Active Directory GPO or any other
registry value push mechanism.
AccessAgent can detect if the machine group tag value changed, and
reregisters the machine with the IMS Server. If the machine matches
another machine policy template assignment criteria, that new
machine policy template is assigned to it.
Registry
[DO] "MachineTag"
IMS Entry
Type
SZ
Value
Scope
Machine
pid_Named_Pipe_Time_Out_Secs
Description Configurable timeout, in seconds, for AccessAgent named pipe communication.
Registry
[DO] "NamedPipeTimeOutSecs"
IMS Entry
Type
DWORD
Value
Scope
Machine
[DO] "NetSocketTimeoutSecs"
IMS Entry
Type
DWORD
Values
*3
(refreshed on use)
Scope
Machine
pid_net_soap_timeout_secs
Description Timeout duration, in seconds, for SOAP connections.
Registry
[DO] "NetSoapTimeoutSecs"
IMS Entry
Type
DWORD
Values
*20
(refreshed on use)
Scope
Machine
[DO] "SessionInfoDisplayFreqSecs"
IMS Entry
Type
DWORD
Values
*0
(refreshed on startup)
(0 for no display)
Scope
Machine
[DO] "LogFileCount"
IMS Entry
Type
DWORD
Values
*10
(refreshed on use)
Scope
Machine
pid_log_file_size
Description Maximum size of the log file in KB (AccessAgent.log). When the
maximum file size is reached, the file is renamed and a new file is created to
store subsequent logs.
Registry
[DO] "LogFileSize"
IMS Entry
Type
DWORD
Values
*1024
(refreshed on use)
Scope
Machine
pid_log_level
Description Level of log details.
Registry
[DO] "LogLevel"
IMS Entry
Type
DWORD
Values
*0: No logging
#1: Severe errors only
#2: Basic info
#3: More info, including SOAP logs
#4: Debugging info, including SOAP logs
(refreshed on use)
Scope
Machine
pid_log_path
Description Path to a folder that contains the AccessAgent logs.
Registry
[DO] "LogPath"
IMS Entry
Type
SZ
Values
*<ProgramDir>\logs
(refreshed on use)
Scope
Machine
[DO] "TempPath"
IMS Entry
Type
SZ
Values
*<ProgramDir>\temp
(refreshed on use)
Scope
Machine
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"
"ForceAutoLogon"
(both entries must be set)
IMS Entry
Type
SZ
Values
*#0: No
#1: Yes
(refreshed on use)
Scope
Machine
pid_microsoft_auto_logon_acct
Description Windows account to be used for auto-logon at system startup.
Note:
1. Effective only if pid_microsoft_auto_logon_enabled is enabled.
2. If pid_lusm_session_max is greater than 1, a local machine account
must be used for auto-logon.
Registry
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultDomainName"
"DefaultUserName"
"DefaultPassword"
IMS Entry
Type
SZ
Values
(refreshed on use)
Scope
Machine
pid_win_startup_action
Description Actions on Windows startup.
Note: This is to enable automatic locking of the computer after
AutoAdminLogon or ForceAutoLogon.
Registry
[DO] "WinStartupAction"
IMS Entry
Type
DWORD
Values
*#0: No action
#1: Lock computer
(refreshed on use)
Scope
Machine
[DO] "LUSMSessionReplacementOption"
IMS Entry
Type
DWORD
Values
Scope
Machine
pid_lusm_sessions_max
Description Maximum number of concurrent user sessions. Set it to 2 or more to
enable private desktop.
Note:
1. Set policy to 1 to disable Local User Session Management.
2. To enable Local User Session Management, a value greater than 1
must be specified for this policy in the DeploymentOptions.reg file
during AccessAgent installation.
If this policy is set to a value greater than 1 only after AccessAgent
is installed, the Log Off and Shut Down buttons, as well as the
Windows hot keys might not be disabled for the first user who logs
on. The buttons and Windows hot keys might also remain disabled
after AccessAgent is uninstalled.
3. If this policy is set to a value higher than what the system resources
can support, the actual number of concurrent user sessions is still
capped by the system resources available.
4. For optimal performance, it must not be set to a value more than 9.
5. If Local User Session Management is enabled,
pid_logoff_manual_action must be set to 1 (Log off Windows) so
that manually logging off AccessAgent is equivalent to logging off
the desktop session of the user.
6. pid_unlock_with_win_option must be set to 0 as unlock using
Windows is not supported for Local User Session Management.
Auto-admin logon to Windows must also be enabled by setting
pid_microsoft_auto_logon_enabled to 1,
pid_microsoft_auto_logon_acct to a local machine log on account,
and pid_win_startup_action to 1, to lock the computer immediately
after logon.
7. Modifying this policy requires a machine restart to implement the
changes.
Registry
[DO] "LUSMSessionsMax"
IMS Entry
Type
DWORD
Values
*1
(refreshed on startup)
(from 1 to 12)
Scope
Machine
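The notes above spell out several settings that must agree before Local User Session Management is enabled. The following checker, an added example that is not code from the IBM guide, takes a policy set keyed by the guide's pid_* names (the values are constructed) and reports the documented inconsistencies; whether the auto-logon account is a local machine account is passed in as a flag, since that cannot be read from the policy values themselves.

```python
"""Consistency check for the Local User Session Management (LUSM) policy set
described in the notes above. Added example, not code from the IBM guide;
the keys are the guide's pid_* policy names, the values are constructed."""

# Documented value range for pid_lusm_sessions_max and the recommended ceiling.
LUSM_SESSIONS_RANGE = (1, 12)
LUSM_SESSIONS_RECOMMENDED_MAX = 9

# Settings the guide requires whenever LUSM is enabled (sessions_max > 1).
LUSM_REQUIRED = {
    "pid_logoff_manual_action": (1, "manual AccessAgent logoff must log off Windows"),
    "pid_unlock_with_win_option": (0, "unlock using Windows is not supported with LUSM"),
    "pid_microsoft_auto_logon_enabled": (1, "auto-admin logon to Windows must be enabled"),
    "pid_win_startup_action": (1, "the computer must be locked immediately after logon"),
}


def check_lusm_policies(policies, auto_logon_is_local_account=None):
    """Return a list of (severity, message) findings for one policy set.

    `policies` maps pid_* names to integer values. `auto_logon_is_local_account`
    states whether pid_microsoft_auto_logon_acct names a local machine account;
    None means unknown and yields an informational finding instead of an error.
    """
    findings = []
    sessions_max = policies.get("pid_lusm_sessions_max", 1)
    low, high = LUSM_SESSIONS_RANGE

    if not low <= sessions_max <= high:
        findings.append(("error", f"pid_lusm_sessions_max={sessions_max} is outside {low}..{high}"))
    elif sessions_max > LUSM_SESSIONS_RECOMMENDED_MAX:
        findings.append(("warning", f"pid_lusm_sessions_max={sessions_max} exceeds "
                                    f"{LUSM_SESSIONS_RECOMMENDED_MAX}; performance may degrade"))

    if sessions_max <= 1:
        return findings  # LUSM disabled: the dependent policies are not in effect

    for pid, (expected, why) in LUSM_REQUIRED.items():
        actual = policies.get(pid)
        if actual != expected:
            findings.append(("error", f"{pid}={actual!r}, expected {expected}: {why}"))

    if auto_logon_is_local_account is None:
        findings.append(("info", "verify that pid_microsoft_auto_logon_acct names a local machine account"))
    elif not auto_logon_is_local_account:
        findings.append(("error", "pid_microsoft_auto_logon_acct must be a local machine account"))

    # A generic account pool additionally requires the default desktop to be preserved.
    if (policies.get("pid_lusm_generic_accounts_enabled") == 1
            and policies.get("pid_lusm_default_desktop_preserved_enabled") != 1):
        findings.append(("error", "pid_lusm_generic_accounts_enabled=1 requires "
                                  "pid_lusm_default_desktop_preserved_enabled=1"))
    return findings


if __name__ == "__main__":
    sample = {  # constructed values, not taken from any real deployment
        "pid_lusm_sessions_max": 10,
        "pid_logoff_manual_action": 1,
        "pid_unlock_with_win_option": 1,
        "pid_microsoft_auto_logon_enabled": 1,
        "pid_win_startup_action": 1,
    }
    for severity, message in check_lusm_policies(sample, auto_logon_is_local_account=True):
        print(f"{severity}: {message}")
```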
pid_lusm_sia_list
Description List of single instance applications (SIA), that is, applications that
cannot run multiple simultaneous instances on a computer.
Note:
1. Effective only if pid_lusm_sessions_max is greater than 1.
2. When a user starts any application in this list, AccessAgent
performs the action specified by pid_lusm_sia_launch_option (if the
policy value is not 0) or the own launch option of the application.
These actions are only applicable when the application is launched
from a visible desktop and there is another instance of it running in
an invisible desktop. If the other instance is running in the same
visible desktop, the application assumes its normal behavior.
3. For each application, the full path must be the full image path of
the executable file on the disk, ending with .EXE, .BAT, or .COM. It
is not case-sensitive.
4. The long path format must be used. For example, for Company
Messenger, use C:\Program Files\Company\Messenger\
CompanyMessenger.exe instead of C:\progra~1\Company\messenger\
COMPANYM~1.exe.
5. Modifying this policy requires a machine restart to implement the
changes.
Registry
[DO] "LUSMSiaList"
IMS Entry
Type
MULTI_SZ
Values
Scope
Machine
pid_lusm_sia_launch_option
Description Action taken by AccessAgent when a user launches a second instance
of a single instance application, that is, an application that cannot run
multiple simultaneous instances on a computer.
Note:
1. Effective only if pid_lusm_sessions_max is greater than 1.
2. If the policy value is 0, each application's own launch option
(specified in pid_lusm_sia_list) is used.
3. These actions are only applicable when the application is launched
from a visible desktop and there is another instance of it running in
an invisible desktop. If the other instance is running in the same
visible desktop, the application assumes its normal behavior.
4. Modifying this policy requires a machine restart to implement the
changes.
Registry
[DO] "LUSMSiaLaunchOption"
IMS Entry
Type
DWORD
Values
Scope
Machine
pid_lusm_generic_accounts_enabled
Description Whether to use a pool of generic accounts to create user desktops.
Note:
1. Effective only if pid_lusm_sessions_max is greater than 1.
2. If enabled, the generic accounts specified in
pid_lusm_generic_accounts_list are used to create user desktops.
This configuration is for deployments where some users might not
exist in Active Directory, or whose password is not synchronized with
the Active Directory password.
3. If enabled, pid_lusm_default_desktop_preserved_enabled must be
set to 1.
4. Modifying this policy requires a machine restart to implement the
changes.
Registry
[DO] "LUSMGenericAccountsEnabled"
IMS Entry
Type
DWORD
Values
#True
*#False
*#0: No
#1: Yes
(refreshed on startup)
Scope
Machine
pid_lusm_auto_logon_acct_display_enabled
Description Whether the auto-admin logon account should appear in the list of
users displayed in the logon user interface of private desktops.
Note: If enabled, the auto-admin logon account appears in the logon
user interface of private desktops. Then, desktop administrators can
click the auto-admin logon account and provide its password to log on
to the account to perform desktop maintenance as and when necessary.
Registry
[DO] "LUSMAutoLogonAcctDisplayEnabled"
IMS Entry
Type
Boolean
DWORD
Values
*#True
#False
*#1
#0
(refreshed on startup)
Scope
Machine
pid_lusm_generic_accounts_list
Description List of generic accounts for creating user desktops.
Note:
1. Effective only if pid_lusm_sessions_max is greater than 1 and
pid_lusm_generic_accounts_enabled is enabled.
2. Upon machine startup, AccessAgent writes the obfuscated
password into the fourth line of each account, replacing the third
line with a fixed mask string #####encrypted#####.
3. To add a new account, delete an existing account, or change the
user name, domain, or password of an existing account, the entire
set of values in this policy must be rewritten. AccessAgent will use
the new values after the next machine startup.
4. If a particular account cannot be validated, this account is ignored
and AccessAgent writes #####invalid account##### in the third
line of the account.
5. If there are no valid generic accounts, private desktop is disabled.
6. If there is one valid generic account, the user is shown a message
that indicates only one user can use the private desktop, but
private desktop with generic accounts is still enabled.
7. If the number of valid accounts is less than
pid_lusm_sessions_max, the actual maximum number of
concurrent sessions would be constrained by the number of valid
accounts even though resources might allow for more.
8. Both local machine accounts and domain accounts can be used as
generic accounts, but domain accounts are preferable because they do
not have to be pre-created on each machine. The passwords for
these accounts must never expire or change, since any password
change requires this policy to be modified.
9. Users must not unlock directly using generic account credentials,
as that might lead to an existing desktop being unlocked.
10. For private desktops on Windows 2000 installations: if the
default UPN has been overwritten by the Administrator (as opposed to
new UPN suffixes being added), offline logon and offline GA accounts
with DNS domain names do not work.
11. Modifying this policy requires a machine restart to implement the
changes.
Registry
[DO] "LUSMGenericAccountsList"
IMS Entry
Type
MULTI_SZ
Values
Scope
Machine
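Notes 2 to 7 above describe the life cycle of each entry in this list: four lines per account, the third line masked and the fourth filled with the obfuscated password once AccessAgent has validated the account, and the private desktop capacity capped by the number of valid accounts. The following helper, an added example that is not code from the IBM guide, parses such a value and reports entries whose password is still in cleartext (the policy has been written but the machine has not restarted). It assumes, which the guide does not state, that line one holds the user name and line two the domain; all sample values are constructed.

```python
"""Audit helper for the pid_lusm_generic_accounts_list value. Added example, not
code from the IBM guide. The guide states that each account occupies four lines,
that AccessAgent replaces the third line (the password) with a mask on startup,
and that it writes the obfuscated password into the fourth line. Assumed here,
not stated by the guide: line one is the user name and line two the domain."""

LINES_PER_ACCOUNT = 4
MASK_ENCRYPTED = "#####encrypted#####"
MASK_INVALID = "#####invalid account#####"


def parse_generic_accounts(multi_sz):
    """Split a MULTI_SZ value (a list of strings) into account records.

    Each record carries the state AccessAgent has left the entry in:
      'encrypted' - validated; the password now lives obfuscated in line four
      'invalid'   - rejected by AccessAgent and ignored
      'cleartext' - not yet processed (no restart since the policy was written),
                    so the password is still readable in the registry
    """
    if len(multi_sz) % LINES_PER_ACCOUNT:
        raise ValueError("value must contain four lines per account")
    records = []
    for i in range(0, len(multi_sz), LINES_PER_ACCOUNT):
        user, domain, third, fourth = multi_sz[i:i + LINES_PER_ACCOUNT]
        if third == MASK_ENCRYPTED:
            state = "encrypted"
        elif third == MASK_INVALID:
            state = "invalid"
        else:
            state = "cleartext"
        records.append({"user": user, "domain": domain, "state": state,
                        "obfuscated": fourth if state == "encrypted" else ""})
    return records


def private_desktop_capacity(multi_sz, sessions_max):
    """Work out what the pool allows, following notes 5 to 7 of the policy.

    Returns a dict with the effective concurrent-session limit, the number of
    validated accounts, the number still awaiting validation, and a status.
    """
    records = parse_generic_accounts(multi_sz)
    valid = sum(r["state"] == "encrypted" for r in records)
    pending = sum(r["state"] == "cleartext" for r in records)
    if valid == 0:
        status = "private desktop disabled: no valid generic account"
    elif valid == 1:
        status = "only one user can use the private desktop"
    elif valid < sessions_max:
        status = f"concurrent sessions capped at {valid} by the account pool"
    else:
        status = "pool large enough for pid_lusm_sessions_max"
    if pending:
        status += f"; {pending} account(s) take effect after the next startup"
    return {"limit": min(valid, sessions_max), "valid": valid,
            "pending": pending, "status": status}


if __name__ == "__main__":
    # Constructed sample value: one validated, one rejected, one not yet processed.
    sample = ["ga-user1", "CORP", MASK_ENCRYPTED, "0bfu5c4t3d-constructed",
              "ga-user2", "CORP", MASK_INVALID, "",
              "ga-user3", "CORP", "cleartext-constructed", ""]
    print(private_desktop_capacity(sample, sessions_max=4)["status"])
    for r in parse_generic_accounts(sample):
        if r["state"] == "cleartext":
            print(f"warning: password for {r['domain']}\\{r['user']} is still readable")
```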
pid_lusm_ad_gpo_scripts_enabled
Description Whether to enable execution of GPO scripts.
Registry
[DO] "LUSMAdGpoScriptsEnabled"
IMS Entry
Type
DWORD
Values
#0: No
#1: Yes
version 8.0.1 - off by default
version 8.1.0 - on by default
Scope
Machine
pid_lusm_ad_gpo_extended_support_enabled
Description Whether to enable support for GPO user admin templates.
Registry
[DO] "LUSMAdGpoExtendedSupportEnabled"
IMS Entry
Type
DWORD
Values
#0: No
#1: Yes
version 8.0.1 - off by default
version 8.1.0 - on by default
Scope
Machine
pid_lusm_ad_gpo_scripts_ext_and_exe_list
Description List of file extensions and the executable files that run them.
Registry
[DO] "LUSMAdGPOScriptsExtAndExeList"
IMS Entry
Type
Multi-String Value
Values
Default:
v .bat, cmd.exe
v .vbs, wscript.exe
v .js, wscript.exe
v .wsf, wscript.exe
Scope
Machine
pid_lusm_ad_gpo_refresh_timeout
Description Defines GPO refresh process timeout duration in seconds for
subsequent logons to the computer.
Registry
[DO] "LUSMAdGpoRefreshTimeout"
IMS Entry
Type
DWORD
Values
Scope
Machine
pid_lusm_ad_gpo_logon_msg_enabled
Description Defines whether to display the legal notice after a user logs on to a
private desktop.
Registry
[DO] "LUSMAdGpoLogonMsgEnabled"
IMS Entry
Type
DWORD
Values
#0: No
#1: Yes
Scope
Machine
pid_lusm_generic_accounts_edir_type
Description Defines whether the enterprise directory for validating Tivoli Access
Manager for Enterprise Single Sign-On users is the Active Directory.
Note:
v Effective only if pid_lusm_sessions_max is greater than 1, and
pid_lusm_generic_accounts_enabled is enabled.
v If the enterprise directory is not the Active Directory, this policy
should be set to 2 for better logon performance.
Registry
[DO] "LUSMGenericAccountsEdirType"
IMS Entry
Type
DWORD
Values
Scope
Machine
Type
Values
#1: Password
#2: Password + RFID
#4: Password + Fingerprint
#5: Fingerprint
*#6 Smart Card
(multiple allowed)
(refreshed on log on or unlock by different user, if online)
(refreshed on last sync if offline)
Note: #6 is always enabled. #1 enabled => #2 and #4 are also enabled.
Scope
User
pid_mac_auth_enabled
Description Whether Mobile ActiveCode authentication is enabled for the user.
Registry
IMS Entry
Type
Boolean
Values
#True
*#False
(refreshed on use)
Scope
User
Type
Values
Scope
System
pid_enc_pwd_reset_option
Description Whether to enable password reset.
Note:
1. For option 2, the links in the EnGINA welcome screen and the
AccessAgent UI are removed if no user is logged on.
2. The options only affect AccessAgent. AccessAssistant and Web
Workplace are not affected by the policy.
Registry
IMS Entry
Type
Non-negative integer
Values
Scope
System
pid_enc_pwd_change_on_first_logon_enabled
Description Whether provisioned users are forced to change the TAM E-SSO
Password at first logon.
Note:
1. This policy is only effective for provisioned users and if the TAM
E-SSO Password is synchronized with Active Directory password.
2. If the TAM E-SSO Password is synchronized with Active Directory
password, provisioned users are forced to change passwords
according to the Active Directory user setting for User must change
password at next logon.
3. This feature is not supported for fingerprint logon.
Registry
IMS Entry
Type
Boolean
Values
*#True
#False
(refreshed on logon)
Scope
System
Type
Boolean
Values
#True
*#False
(refreshed on sync)
Scope
System
pid_enc_pwd_change_days
Description Maximum password age, in days. It is the period between two
password changes for a Wallet.
Note: Effective only if password periodic change is enabled.
Registry
IMS Entry
Type
Positive integer
Values
*90
(refreshed on sync)
Scope
System
pid_enc_pwd_expiry_reminder_enabled
Description Whether to remind the user about the expiring password.
Note: Effective only if password periodic change is enabled.
Registry
IMS Entry
Type
Boolean
Values
#True
*#False
(refreshed on sync)
Scope
System
pid_enc_pwd_expiry_reminder_days
Description Number of days before password expiry to start reminding user.
Note: Effective only if password expiry reminder is enabled.
Registry
IMS Entry
Type
Non-negative integer
Values
*5
(from 1 to 10)
(refreshed on sync)
Scope
System
pid_enc_pwd_expiry_change_enforced
Description Whether to enforce password change on expiry by prompting user to
change password before logging on to Tivoli Access Manager for
Enterprise Single Sign-On.
Note: Effective only if password periodic change is enabled.
Registry
IMS Entry
Type
Boolean
Values
#True
*#False
(refreshed on sync)
Scope
System
Type
Positive integer
Values
*6
(from 1 to 99)
(refreshed on sync)
Scope
System
pid_enc_pwd_max_length
Description Maximum length of an acceptable password.
Note: Not effective if use of the Active Directory password is enabled;
Active Directory password strength policies are used instead.
Registry
IMS Entry
Type
Positive integer
Values
*20
(from 1 to 99)
(refreshed on sync)
Scope
System
pid_enc_pwd_min_numerics_length
Description Minimum number of numeric characters for an acceptable password.
Note: Not effective if use of the Active Directory password is enabled;
Active Directory password strength policies are used instead.
Registry
IMS Entry
Type
Non-negative integer
Values
*0
(from 0 to 99)
(refreshed on sync)
Scope
System
pid_enc_pwd_min_alphabets_length
Description Minimum number of alphabetic characters for an acceptable password.
Note: Not effective if use of the Active Directory password is enabled;
Active Directory password strength policies are used instead.
Registry
IMS Entry
Type
Non-negative integer
Values
*0
(from 0 to 99)
(refreshed on sync)
Scope
System
pid_enc_pwd_mixed_case_enforced
Description Whether to enforce the use of both uppercase and lowercase characters
for the password.
Note: Not effective if use of the Active Directory password is enabled;
Active Directory password strength policies are used instead.
Registry
IMS Entry
Enforce the use of both upper case and lower case characters?
Type
Boolean
Values
#True
*#False
(refreshed on sync)
Scope
System
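The password strength policies above (minimum length, pid_enc_pwd_max_length, pid_enc_pwd_min_numerics_length, pid_enc_pwd_min_alphabets_length and pid_enc_pwd_mixed_case_enforced) combine into one acceptance check, and all of them are switched off when the Active Directory password is used. The following evaluator, an added example that is not code from the IBM guide, applies the guide's defaults and ranges; the field names are plain descriptive names rather than the pid_* identifiers, because the minimum-length policy's name is not on this page, and the candidate passwords are constructed.

```python
"""Evaluate a candidate TAM E-SSO Password against the strength policies above.
Added example, not code from the IBM guide. Defaults are the guide's: minimum
length 6 (the unnamed policy preceding pid_enc_pwd_max_length), maximum length
20, no numeric or alphabetic minimum, mixed case not enforced. The Active
Directory caveat is modelled by the `ad_password_enabled` flag."""

from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 6           # documented range 1..99
    max_length: int = 20          # documented range 1..99
    min_numerics: int = 0         # documented range 0..99
    min_alphabets: int = 0        # documented range 0..99
    mixed_case_enforced: bool = False

    def __post_init__(self):
        # Reject values outside the ranges the guide documents for each policy.
        for name, low in (("min_length", 1), ("max_length", 1),
                          ("min_numerics", 0), ("min_alphabets", 0)):
            value = getattr(self, name)
            if not low <= value <= 99:
                raise ValueError(f"{name}={value} outside {low}..99")


def check_password(candidate, policy=PasswordPolicy(), ad_password_enabled=False):
    """Return the rules the candidate violates; an empty list means acceptable.

    When the Active Directory password is in use, none of these policies is
    effective and Active Directory's own strength policies apply, so nothing
    is evaluated here.
    """
    if ad_password_enabled:
        return []
    violations = []
    length = len(candidate)
    if length < policy.min_length:
        violations.append(f"shorter than minimum length {policy.min_length}")
    if length > policy.max_length:
        violations.append(f"longer than maximum length {policy.max_length}")
    numerics = sum(ch.isdigit() for ch in candidate)
    if numerics < policy.min_numerics:
        violations.append(f"fewer than {policy.min_numerics} numeric characters")
    alphabets = sum(ch.isalpha() for ch in candidate)
    if alphabets < policy.min_alphabets:
        violations.append(f"fewer than {policy.min_alphabets} alphabetic characters")
    if policy.mixed_case_enforced and not (
            any(ch.islower() for ch in candidate) and any(ch.isupper() for ch in candidate)):
        violations.append("must contain both uppercase and lowercase characters")
    return violations


if __name__ == "__main__":
    strict = PasswordPolicy(min_numerics=2, min_alphabets=4, mixed_case_enforced=True)
    for pw in ("abcdef", "abcd1", "Abcd12"):   # constructed samples
        print(pw, "->", check_password(pw, strict) or "acceptable")
```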
Type
Boolean
Values
#True
*#False
(refreshed on sync)
Scope
System
pid_secrets_register_for_selfhelp_max
Description The maximum number of secret questions a user must register to
enable self-service capability.
Registry
IMS Entry
Type
Positive integer
Values
*3
(refreshed on sync)
Scope
System
pid_secrets_verify_for_selfhelp
Description The number of secret questions a user needs to answer to use
self-service password reset.
Registry
IMS Entry
Type
Positive integer
Values
*2
(refreshed on sync)
Scope
System
pid_secrets_verify_invalid_trial_count_max
Description The maximum number of allowed tries with wrong secret answers
before the self-service function is locked.
Registry
IMS Entry
Type
Positive integer
Values
*6
(refreshed on sync)
Scope
System
Type
Boolean
Values
#True
*#False
(refreshed on use)
Scope
System
pid_selfhelp_authcode_request_from_any_phone_enabled
Description Whether to allow self-service authorization code to be requested from
any phone.
Note: Effective only if pid_selfhelp_authcode_enabled is True.
Registry
IMS Entry
Type
Boolean
Values
#True
*#False
(refreshed on use)
Scope
System
pid_selfhelp_authcode_invalid_trial_count_max
Description The maximum number of allowed tries using wrong authorization
codes before self-service authorization code request capability gets
locked.
Note: Effective only if pid_selfhelp_authcode_enabled is True.
Registry
IMS Entry
Type
Positive integer
Values
*6
(refreshed on use)
Scope
System
pid_selfhelp_authcode_error_msg_text
Description Configurable error message text for self-help authorization code
request.
Note:
1. Effective only if pid_selfhelp_authcode_enabled is True.
2. This message is available in multiple languages. It is displayed in
the language specified by the user during AccessAgent installation.
Registry
IMS Entry
Type
String
Values
Scope
System
pid_selfhelp_authcode_request_help_text
Description Configurable help text for self-service authorization code request.
Note:
1. Effective only if pid_selfhelp_authcode_enabled is True.
2. The help text can be sent to the user through the SMS gateway IMS
Bridge, shown by AccessAgent.
3. This message is available in multiple languages. It is displayed in
the language specified by the user during AccessAgent installation.
Registry
IMS Entry
Type
String
Values
*You can only request for authorization code using your registered
phone. The message format is: UserName UserSecret [RequestCode]
(refreshed on use)
Scope
System
pid_selfhelp_authcode_different_phone_issue_msg_text
Description Configurable message text that is sent to the requesting phone for
self-help authorization code if it is different from the registered phone.
Note:
1. Effective only if pid_selfhelp_authcode_enabled is True and
pid_selfhelp_authcode_request_from_any_phone_enabled is False.
2. Use $PHONE as placeholder for registered phone number.
3. This message is available in multiple languages. It is displayed in
the language specified by the user during AccessAgent installation.
Registry
IMS Entry
Type
String
Values
Scope
System
pid_selfhelp_authcode_different_phone_error_msg_text
Description Configurable message text that is sent to the requesting phone for
self-help authorization code. The message is sent if the requesting
phone is different from the registered phone and the policy is that only
the registered phone can be used.
Note:
1. Effective only if pid_selfhelp_authcode_enabled is True and
pid_selfhelp_authcode_request_from_any_phone_enabled is False.
2. Use $PHONE as placeholder for registered phone number.
3. This message is available in multiple languages. It is displayed in
the language specified by the user during AccessAgent installation.
Registry
IMS Entry
Type
String
Values
Scope
System
pid_selfhelp_authcode_issue_msg_text
Description Configurable message text for self-help authorization code issuance.
Note:
1. Effective only if pid_selfhelp_authcode_enabled is True.
2. Use $AUTHCODE as placeholder for the authorization code.
3. Use $VALIDITY as placeholder for the number of days for which
authorization code is valid.
4. Use $USAGE as placeholder for a string that describes how the
authorization code can be used.
5. This message is available in multiple languages. It is displayed in
the language specified by the user during AccessAgent installation.
Registry
IMS Entry
Type
String
Values
Scope
System
pid_selfhelp_authcode_wrong_credentials_error_msg_text
Description Configurable message text that is sent to the requesting phone for
self-help authorization code if any of the requesting credentials is
incorrect.
Note:
1. Effective only if pid_selfhelp_authcode_enabled is True.
2. Message text is sent if any of the requesting credentials is incorrect
(for example, user name, user secret, request code).
3. This message is available in multiple languages. It is displayed in
the language specified by the user during AccessAgent installation.
Registry
IMS Entry
Type
String
Values
*Incorrect user name, user secret, or request code. Please try again.
(refreshed on use)
Scope
System
Type
Boolean
Values
#True
*#False
(refreshed on sync)
Scope
System
Type
Non-negative integer
Values
Scope
System
pid_wallet_cache_max
Description Maximum number of cached Wallets allowed on the machine.
Note:
1. If the maximum limit of cached Wallets is reached, the least recently
used cached Wallet is deleted before a new Wallet is cached.
2. Setting a limit on the number of cached Wallets for a shared
workstation might improve logon performance.
3. If biometric authentication is used on a shared workstation, the
limit on the number of cached Wallets is set to a certain value. The
value is such that the possibility of false acceptance for the
biometric device is made negligible. False acceptance might lead to
a user logging on to a wrong Wallet.
4. This policy must be used with
pid_wallet_cache_max_inactivity_days so that the deleted cached
Wallets can be automatically revoked on the IMS Server.
5. In some deployments, it might be advisable to disable Wallet
caching on shared workstations due to security reasons. This policy
can be set to 0 to disable caching on a particular machine. In this
case, it overrides pid_wallet_caching_option.
Registry
[DO] "WalletCacheMax"
IMS Entry
Type
DWORD
Values
*999999999
(0 to disable caching)
(999999999 for no max limit)
(refreshed on use)
Scope
Machine
pid_wallet_sync_mins
Description Interval, in minutes, for periodic synchronization of Wallet with the
IMS Server. Synchronization is also performed when user logs on to
AccessAgent.
Registry
IMS Entry
Type
Positive integer
Values
*30
(refreshed on sync)
Scope
System
pid_wallet_sync_before_logon_enabled
Description Whether to enable AccessAgent to perform synchronization with the
IMS Server before logging on to the Wallet.
Note: If this policy is set to 1, AccessAgent performs synchronization
before logging on to Windows (for EnGINA logon), and before running
the logon script (for desktop logon and logon from the unlock screen).
Registry
[DO] "WalletSyncBeforeLogonEnabled"
IMS Entry
Type
DWORD
Values
*#True
#False
#0: No
*#1: Yes
(refreshed on use)
Scope
Machine
pid_wallet_cache_max_inactivity_days
Description Maximum period of inactivity, in days, allowed for a cached Wallet.
After which, the cached Wallet is automatically revoked.
Note:
1. The cached Wallet is automatically revoked on the IMS Server if it
has exceeded the maximum number of days for inactivity.
AccessAgent automatically revokes expired cached Wallets during
each periodic synchronization as long as a user is logged on to
AccessAgent.
2. Inactivity is measured from the last synchronization time. Even if
the user logs on to a cached Wallet every day, it can still be revoked
if it has not been synchronized with the IMS Server for an extended
time.
3. If a cached Wallet is revoked, the user can only log on if the IMS
Server is available. There is no prompt that the Wallet has been
revoked. Whether the Wallet is cached again depends on
pid_wallet_caching_option.
Registry
IMS Entry
Type
Positive integer
Values
*999999999
(999999999 for infinity, that is, cached Wallets do not expire)
(refreshed on sync)
Scope
System
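pid_wallet_cache_max (least recently used eviction, 0 to disable caching, 999999999 for no limit) and pid_wallet_cache_max_inactivity_days (revocation measured from the last synchronization rather than the last logon) act on the same set of cached Wallets. The following model, an added example that is not code from the IBM guide, implements both rules together and shows the failure mode from note 2 above: a user who logs on offline every day is still revoked once the sync age exceeds the limit. User names are constructed and timestamps are plain day counts from an arbitrary epoch.

```python
"""Model of the cached-Wallet housekeeping described by pid_wallet_cache_max
and pid_wallet_cache_max_inactivity_days. Added example, not code from the IBM
guide; user names are constructed and timestamps are days since an arbitrary
epoch."""

from collections import OrderedDict

NO_LIMIT = 999999999  # the guide's sentinel for "no maximum" and "never expire"


class WalletCache:
    """Cached Wallets on one machine, keyed by user name."""

    def __init__(self, cache_max=NO_LIMIT, max_inactivity_days=NO_LIMIT):
        self.cache_max = cache_max
        self.max_inactivity_days = max_inactivity_days
        # user -> day of last sync; insertion order tracks recency of use,
        # so the first entry is the least recently used.
        self._last_sync = OrderedDict()
        self.revoked = []

    def users(self):
        return list(self._last_sync)

    def cache(self, user, now):
        """Cache a Wallet after an online logon (which also synchronizes it).

        Returns the user whose Wallet was evicted to make room, or None.
        """
        if self.cache_max == 0:
            return None  # caching disabled on this machine; overrides pid_wallet_caching_option
        evicted = None
        if (user not in self._last_sync and self.cache_max != NO_LIMIT
                and len(self._last_sync) >= self.cache_max):
            evicted, _ = self._last_sync.popitem(last=False)  # least recently used
        self._last_sync[user] = now
        self._last_sync.move_to_end(user)
        return evicted

    def logon(self, user, now, online):
        """Log on to a cached Wallet; only an online logon counts as a sync."""
        if user not in self._last_sync:
            raise KeyError(f"no cached Wallet for {user}")
        self._last_sync.move_to_end(user)  # recency of use, for LRU eviction
        if online:
            self._last_sync[user] = now

    def periodic_sync(self, now):
        """Revoke cached Wallets idle for longer than max_inactivity_days.

        Inactivity is measured from the last sync, so a user who logs on
        offline every day is still revoked once the sync age exceeds the limit.
        """
        if self.max_inactivity_days == NO_LIMIT:
            return []
        expired = [u for u, t in self._last_sync.items()
                   if now - t > self.max_inactivity_days]
        for user in expired:
            del self._last_sync[user]
            self.revoked.append(user)
        return expired


if __name__ == "__main__":
    cache = WalletCache(cache_max=2, max_inactivity_days=30)
    cache.cache("alice", 0)
    cache.cache("bob", 0)
    cache.logon("alice", 1, online=False)          # alice is now the most recently used
    print("evicted:", cache.cache("carol", 2))     # bob, the least recently used
    for day in range(3, 31):
        cache.logon("alice", day, online=False)    # daily offline logons, never synced
    print("revoked:", cache.periodic_sync(31))     # alice: last sync was day 0
```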
pid_wallet_open_max_tries
Description Maximum number of allowed tries with wrong offline logon before
cached Wallet is locked out.
Registry
IMS Entry
Type
Positive integer
Values
*5
(refreshed on sync)
Scope
System
pid_wallet_editable_items_list
Description List of Wallet items that can be edited by the user through
AccessAgent.
Registry
IMS Entry
Type
Non-negative integer
Values
*#1: Password
*#2: Password entry option
*#4: Application settings
*#8: Delete credential
*#16: Add credential
(multiple allowed)
(refreshed on sync)
Scope
User
pid_wallet_inject_pwd_entry_option_default
Description Default automatic sign-on password entry option.
Registry
IMS Entry
Type
Positive integer
Values
Scope
System
pid_wallet_enterprise_app_never_option_enabled
Description Whether the Never password entry option is enabled for enterprise
authentication services.
Note: User policy, if defined, overrides system policy.
Registry
IMS Entry
Type
Boolean
Values
*#True
#False
(refreshed on sync)
Scope
User
System
pid_wallet_personal_app_sso_enabled
Description Whether to enable automatic sign-on for personal authentication
services.
Note: If user policy is defined, it overrides system policy.
Registry
IMS Entry
Type
Boolean
Chapter 17. Wallet policies
Values
*#True
#False
(refreshed on use for user policy)
(refreshed on sync for system policy)
Scope
User
System
pid_sso_auto_learn_enabled
Description Whether auto-learning must be enabled for automatic sign-on to
applications.
Registry
IMS Entry
Enable auto-learning?
Type
Boolean
Values
*#True
#False
(refreshed on sync)
Scope
System
pid_sso_user_control_enabled
Description Whether to allow the user to enable or disable automatic sign-on.
Note: If this policy is disabled, the Enable automatic sign-on and
Disable automatic sign-on options do not appear in the AccessAgent
UI.
Registry
[DO] "SsoUserControlEnabled"
IMS Entry
Type
DWORD
Boolean
Values
#0: No
*#1: Yes
*#True
#False
(refreshed on sync)
Scope
Machine
User
pid_accessagent_pwd_display_option
Description Option for displaying application passwords in the Wallet Manager of
AccessAgent through the Show password option.
Note:
1. The user is asked to enter a password prior to display of passwords.
2. Displaying of passwords is not allowed if the user is logged on
using fingerprint.
Registry
IMS Entry
Type
Non-negative integer
Values
Scope
User
pid_accessagent_pwd_export_option
Description Option for exporting of application passwords in the Wallet Manager of
AccessAgent through the Show password option.
Note: The user is asked to enter password before being allowed to
export passwords.
Registry
IMS Entry
Type
Non-negative integer
Values
Scope
User
pid_migration_stage
Description Whether migration from Encentuate Tivoli Information Archive
Manager version 1.x to 3.x is in progress and if so, the current stage of
migration.
Note:
1. The migration involves the upgrade of the IMS Server, AccessAgent,
and Wallets of users.
2. When the IMS Server is upgraded, the installer automatically sets
the policy value to 1.
3. The Administrator must manually set this policy to 2 when all
AccessAgent installations have been upgraded.
4. Wallets of users are upgraded as and when they log on using the
upgraded AccessAgent. After all Wallets are upgraded, the policy
must be set to 0 to optimize the IMS Server and AccessAgent
performance.
5. Migration can be done automatically using a job that checks
whether all Wallets have been upgraded.
Registry
IMS Entry
Type
Non-negative integer
Values
Scope
System
pid_wallet_cache_security_enabled
Description Whether to enable cached Wallet security.
Note:
1. If enabled, user and machine cached Wallets are tied to the machine
that created them (that is, cached Wallets copied from another
machine fail to work).
2. This policy must be disabled if cached Wallets are shared among
several machines. For example, AccessAgent on Citrix servers might
be configured to access the same network folder for storing cached
Wallets.
3. This policy does not affect pid_machine_policy_override_enabled.
Registry
[DO] "WalletCacheSecurityEnabled"
IMS Entry
Type
DWORD
Values
*#0: No
#1: Yes
(refreshed on restart)
Scope
Machine
pid_wallet_cleanup_on_caching_enabled
Description Whether to perform a Wallet cleanup activity every time a new Wallet
is cached.
Note:
1. Caching a new Wallet takes a long time.
2. This policy must be set to 0 for machines that have a large number
of cached Wallets.
3. With policy set to 0:
a. Logon to a cached Wallet when IMS Server is offline is still slow
unless IMS Server is highly available.
b. If cleanup is not initiated, and IMS Server is offline:
v When a user is deleted, the old Wallet of the user is still on
the Citrix server.
v If user caches a new Wallet (same user name), the user might
not be able to log on to the cached Wallet. The user might not
be able to log on because AccessAgent might access the old
Wallet. The old Wallet has a different password from the new
Wallet.
v It is then necessary to run SOCIPruner.exe on a periodic basis
to perform cleanup.
Registry
[DO] "WalletCleanupOnCachingEnabled"
IMS Entry
Type
DWORD
Values
#0: disabled
*#1: enabled
Scope
Machine
Type
String list
Values
Scope
System
pid_secret_answer_min_length
Description Minimum length of an acceptable secret answer.
Registry
IMS Entry
Type
Positive integer
Values
*3
(refreshed on sync)
Scope
System
pid_secrets_register_for_selfhelp_at_sign_up
Description Whether to prompt the user to register additional secrets for self-service
during sign-up.
Note: If pid_secrets_verify_for_selfhelp is 1, the user is not
prompted to register additional secrets, since the primary secret would
be sufficient for performing self-service actions. The user can still
choose to register more secrets after logging on by clicking Set
self-service secrets in AccessAgent.
Registry
IMS Entry
Type
Boolean
Values
#True
*#False
(refreshed on sync)
Scope
System
pid_secret_option
Description Whether the secret is required, must be specified by the user during
sign-up, or automatically specified using a bind task.
Note:
1. This policy applies to users who are signing up or who are logging
on for the first time after their accounts have been pre-provisioned.
2. For policy value 0, the user is assigned a system-defined secret.
The user is not prompted for a secret when performing actions that
require it (for example, reset password and offline recovery). The
customer must understand the security vulnerabilities before deciding
to implement such a configuration.
3. If the policy value is changed from 1 to 0, the user is automatically
migrated to a system-defined secret when the user logs on to
AccessAgent. However, there is no support for migration from
policy value 1 to 0.
Registry
IMS Entry
Type
Non-negative integer
Values
Scope
System
pid_second_factor_for_sign_up_required
Description Whether a second factor is required during sign-up.
Note:
1. Effective only if the second factors supported list is not empty. In
this case, any one of the supported second factors can be used for
sign-up. There is one UI dialog that requests the user to present any
one of the supported second factors.
2. If policy value is 1, sign-up fails if the second factor is not
presented.
Registry
[DO] "SecondFactorForSignUpRequired"
IMS Entry
Type
DWORD
Values
Registry (DWORD): *#0: Not required; #1: Required
IMS Entry: #True; *#False
(refreshed on use)
Scope
Machine
pid_automatic_sign_up_enabled
Description Whether to enable automatic sign-up.
Note:
1. This policy must be set to 1 if the password is synchronized with the
Active Directory password.
2. pid_engina_welcome_text and pid_unlock_text must be modified
accordingly if this policy is set to 1.
3. If this policy is set to 1, the Sign up option is not available on either
the AccessAgent UI or the AccessAgent Tray menu. The user is not
prompted to sign up when logging on with an unregistered user name,
and is not prompted to confirm sign-up if an unregistered second
factor is presented.
Registry
[DO] "AutomaticSignUpEnabled"
IMS Entry
Type
DWORD
Values
Registry (DWORD): *#0: No; #1: Yes
IMS Entry: #True; *#False
(refreshed on use)
Scope
Machine
Type
String
Values
Scope
System
pid_machine_policy_template_default
Description The default machine policy template to be applied.
Registry
IMS Entry
Type
String
Values
Scope
System
Type
Positive integer
Values
*3
(from 1 to 7)
(refreshed on use)
Scope
System
pid_activecode_bypass_option
Description ActiveCode authentication bypass option.
Note: This option can be used for bypassing both Mobile ActiveCode
and OTP ActiveCode (AccessAgent-OTP and on-board OTP).
Registry
IMS Entry
Type
Non-negative integer
Values
Scope
System
pid_activecode_append_secret_option
Description Option for appending a secret to Mobile ActiveCode.
Note: The order is also specified in the policy values.
Registry
IMS Entry
Type
Non-negative integer
Values
Scope
System
pid_activecode_admin_assigned_secret_name
Description Identity attribute name of the Administrator-assigned secret, for
appending to ActiveCode.
Note:
1. Can be used for both Mobile ActiveCode and OTP ActiveCode
(AccessAgent-OTP and on-board OTP).
2. Effective only if ActiveCode append secret option is 3.
Registry
IMS Entry
Type
String
Values
(refreshed on use)
Scope
System
pid_otp_append_secret_option
Description Option for appending a secret to OTP (time-based) and OTP (OATH).
Note:
1. Not applicable to AA-OTP.
2. The order is also specified in the policy values.
Registry
IMS Entry
Type
Non-negative integer
Values
Scope
System
pid_otp_reset_sample_count
Description Number of consecutive OTPs to be obtained from user for resetting an
OTP (OATH) token.
Registry
IMS Entry
Type
Positive integer
Values
*3
(from 1 to 5)
(refreshed on use)
Scope
System
Type
Boolean
Values
*#True
#False
(refreshed on use)
Scope
User
pid_accessanywhere_second_factor_enabled
Description Whether the user is required to authenticate using a second factor
when using AccessAssistant.
Registry
IMS Entry
Type
Boolean
Values
*#True
#False
(refreshed on use)
Scope
User
pid_accessanywhere_edit_user_profile_enabled
Description Whether the user profile can be edited by the user in AccessAssistant
and Web Workplace.
Registry
IMS Entry
Type
Boolean
Values
#True
*#False
(refreshed on sync)
Scope
System
pid_accessanywhere_personal_app_enabled
Description Whether to display personal authentication services in AccessAssistant
and Web Workplace.
Note:
1. Effective only if pid_accessanywhere_enabled is True.
2. Some personal applications might not be displayed in AccessAssistant,
because a Windows account (local computer) and some authentication
services are not created by the Administrator and can exist only in
the user scope.
Registry
IMS Entry
Type
Boolean
Values
#True
*#False
(refreshed on sync)
Scope
User
pid_accessanywhere_password_display_option
Description Option for displaying application passwords in AccessAssistant.
Registry
IMS Entry
Type
Non-negative integer
Values
Scope
System
pid_accessanywhere_second_factor_default
Description The default second authentication factor for logging on to
AccessAssistant and Web Workplace.
Note:
1. Effective only if pid_accessanywhere_enabled and
pid_accessanywhere_second_factor_enabled are True.
2. After entering the user name and password, AccessAssistant or Web
Workplace will prompt for the default second factor. The user can
still click the links to use other second factors.
3. If the default second factor is MAC, a MAC is automatically sent to
the user through the preferred channel after the user name and
password are entered. A message indicates where the MAC was sent
and provides links for the user to request that a MAC be sent to
another channel.
4. The user must be able to change the preferred MAC channel through
the user profile settings page.
Registry
IMS Entry
Type
Positive integer
Values
Scope
User
pid_accessanywhere_app_sso_enabled
Description Whether the user can perform automatic sign-on to applications
through AccessAssistant.
Registry
IMS Entry
Type
Boolean
Values
#True
*#False
(refreshed on sync)
Scope
System
pid_unlock_account_enabled
Description Whether the user account can be unlocked by the user in
AccessAssistant and Web Workplace.
Registry
IMS Entry
Type
Boolean
Values
#True
*#False
(refreshed on sync)
Scope
System
Type
String list
Values
Scope
System
- Tivoli Access Manager for Enterprise Single Sign-On Hot Key policies on
page 134
- Emergency Hot Key policies on page 138
- Presence detector policies on page 139
EnGINA policies
pid_engina_winlogon_option_enabled
Description Whether to enable the option to go to Windows logon directly from
EnGINA.
Registry
[DO] "EnginaWinlogonOptionEnabled"
IMS Entry
Type
DWORD
Values
Registry (DWORD): *#1: Yes; #0: No
IMS Entry: *#True; #False
(refreshed on use)
Scope
Machine
pid_engina_app_launch_enabled
Description Whether to enable the launching of an application from EnGINA
welcome or locked screen.
Registry
[DO] "EnginaAppLaunchEnabled"
IMS Entry
Type
DWORD
Values
Registry (DWORD): *#0: No; #1: Yes
IMS Entry: #True; *#False
(refreshed on use)
Scope
Machine
pid_engina_app_launch_label
Description Display label for the link on EnGINA welcome or locked screen, for
launching an application.
Note: Effective only if pid_engina_app_launch_enabled is 1.
Registry
[DO] "EnginaAppLaunchLabel"
IMS Entry
Type
SZ
Values
(refreshed on use)
Scope
Machine
pid_engina_app_launch_cmd
Description Command line for launching an application from an EnGINA welcome
or locked screen.
Note:
1. Effective only if pid_engina_app_launch_enabled is 1.
2. If the application is launched from a welcome screen, the owner of
the process for the application is "System".
3. If the application is launched from a locked screen, the owner of the
process for the application is "currently logged on desktop user".
Registry
[DO] "EnginaAppLaunchCmd"
IMS Entry
Type
SZ
Values
(refreshed on use)
Scope
Machine
pid_engina_bypass_hot_key_enabled
Note: Modifying this policy requires a machine restart to implement the changes.
Description Whether EnGINA Bypass Hot Key is enabled.
Note:
1. If enabled, the user can press the EnGINA Bypass Hot Key sequence to
bypass EnGINA and go to Windows to log on or unlock.
2. Hot Key is accepted at any of the following EnGINA states:
Welcome, Log On, Computer Locked, Unlock This Computer.
3. If Hot Key is pressed at computer locked screen, AccessAgent does
not ask the user for confirmation on whether to log off previous
user, even though there can be a previous user logged on to the
computer. Microsoft GINA is presented to the user, but it allows
unlocking only by the same user or Administrator.
4. This policy is not effective if local user session management is
enabled (for example, pid_lusm_sessions_max is greater than 1).
Registry
[DO] "EnginaBypassHotKeyEnabled"
IMS Entry
Type
Registry: DWORD
IMS Entry: Boolean
Values
Registry: *#1: Yes; #0: No
IMS Entry: *#True; #False
(refreshed on startup)
Scope
Machine
System
pid_engina_bypass_hot_key_sequence
Description The EnGINA Bypass Hot Key sequence.
Note:
1. Effective only if pid_engina_bypass_hot_key_enabled is enabled.
2. Modifying this policy requires a machine restart to implement the
changes.
Registry
[DO] "EnginaBypassHotKeySequence"
IMS Entry
Type
Registry: MULTI_SZ
IMS Entry: String list
Values
*#Ctrl
*#Alt
*#Home
(max 3 keys from set of: Ctrl, Shift, Alt, Ins, Del, Home, End, PgUp,
PgDn, Break E, except for Ctrl-Alt-Del, which is not allowed)
(2 of the keys in this set must be used so that the probability of conflict
with other applications is minimized: Ctrl, Shift, Alt)
(refreshed on startup)
Scope
Machine
System
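As an added illustration (not IBM code), the following Python validator checks a candidate pid_engina_bypass_hot_key_sequence value against the rules listed in the entry above: at most three keys from the allowed set, Ctrl-Alt-Del excluded, and at least two of Ctrl, Shift and Alt present. It assumes the key the page prints as "Break E" is Break, and that the "EnginaBypassHotKeySequence" MULTI_SZ value is stored as NUL-separated UTF-16LE strings.

```python
# Added example: validator for the EnGINA Bypass Hot Key sequence rules
# given in the pid_engina_bypass_hot_key_sequence entry. Not IBM code.

# Keys the policy entry lists as allowed. The page prints "Break E";
# this example assumes the intended key name is "Break".
ALLOWED_KEYS = frozenset({
    "Ctrl", "Shift", "Alt", "Ins", "Del", "Home", "End",
    "PgUp", "PgDn", "Break",
})
# At least two keys of the sequence must come from this subset so that
# the sequence is unlikely to collide with other applications' hot keys.
MODIFIER_KEYS = frozenset({"Ctrl", "Shift", "Alt"})
MAX_KEYS = 3
# Ctrl-Alt-Del is reserved by Windows and explicitly disallowed.
FORBIDDEN_SEQUENCE = frozenset({"Ctrl", "Alt", "Del"})
# Default value shown in the entry (*#Ctrl, *#Alt, *#Home).
DEFAULT_SEQUENCE = ("Ctrl", "Alt", "Home")


def parse_multi_sz(raw: bytes) -> list:
    """Decode a REG_MULTI_SZ payload (UTF-16LE strings, each NUL-terminated,
    followed by a final empty string) into a list of key names."""
    text = raw.decode("utf-16-le")
    return [item for item in text.split("\x00") if item]


def validate_bypass_hot_key(sequence) -> tuple:
    """Return (ok, reason) for a proposed hot key sequence.

    `sequence` is an iterable of key names, in the order they would be
    written to the "EnginaBypassHotKeySequence" MULTI_SZ value.
    """
    keys = [k.strip() for k in sequence]
    if not keys:
        return False, "sequence is empty"
    if len(keys) > MAX_KEYS:
        return False, f"at most {MAX_KEYS} keys are allowed, got {len(keys)}"
    if len(set(keys)) != len(keys):
        return False, "a key appears more than once"
    unknown = [k for k in keys if k not in ALLOWED_KEYS]
    if unknown:
        return False, "keys outside the allowed set: " + ", ".join(unknown)
    if set(keys) == FORBIDDEN_SEQUENCE:
        return False, "Ctrl-Alt-Del is not allowed"
    if len(MODIFIER_KEYS.intersection(keys)) < 2:
        return False, "at least two of Ctrl, Shift, Alt must be used"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: the default value as it would sit in the registry.
    raw_value = "Ctrl\x00Alt\x00Home\x00\x00".encode("utf-16-le")
    print(validate_bypass_hot_key(parse_multi_sz(raw_value)))
    # (True, 'ok')
    print(validate_bypass_hot_key(["Ctrl", "Alt", "Del"]))
    # (False, 'Ctrl-Alt-Del is not allowed')
    print(validate_bypass_hot_key(["Ctrl", "Home"]))
    # (False, 'at least two of Ctrl, Shift, Alt must be used')
```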
pid_engina_bypass_automatic_enabled
Description Whether automatic EnGINA Bypass is enabled.
Note:
1. If enabled, and the IMS Server is not accessible and the Wallet of the
user is not cached, AccessAgent automatically bypasses EnGINA and
shows the Microsoft GINA when the user attempts to log on or unlock.
A configurable text message (pid_engina_bypass_automatic_text) is
shown in a prompt with an OK button.
2. If pid_unlock_option is 4, AccessAgent prompts whether to log off
the previous user. If the user clicks Yes,
pid_enc_pwd_is_ad_pwd_enabled is True, IMS Server is not
accessible, and the Wallet of the user is not cached, AccessAgent
prompts the user with a configurable text message
(pid_engina_bypass_automatic_text). After the user clicks OK,
AccessAgent will log off the previous desktop of the user and
automatically bring the new user to the Microsoft GINA logon
screen.
3. This feature does not support logon with second factors.
4. Modifying this policy requires a machine restart to implement the
changes.
Registry
[DO] "EnginaBypassAutomaticEnabled"
IMS Entry
Type
DWORD
Values
Registry (DWORD): #1: Yes; *#0: No
IMS Entry: #True; *#False
(refreshed on startup)
Scope
Machine
pid_engina_bypass_automatic_text
Description Configurable text message for automatic EnGINA bypass.
Note: This message is available in multiple languages. It is displayed in
the language specified by the user during AccessAgent installation.
Registry
IMS Entry
Type
String
Values
Scope
System
pid_engina_ui_enabled
Description Whether to display the Tivoli Access Manager for Enterprise Single
Sign-On UI instead of the Windows UI when Windows is logged off or
locked.
Note: This policy is applicable only when smart card is a supported
second factor on the computer.
Registry
IMS Entry
Type
Boolean
Values
*#True
#False
(refreshed on sync)
Scope
Machine
[DO] "DesktopInactivityMins"
IMS Entry
Type
Registry: DWORD
IMS Entry: Positive integer
Values
*30
(refreshed on sync for system policy)
(refreshed on use for machine policy)
Scope
Machine
System
pid_desktop_inactivity_action
Description Actions to be performed by AccessAgent after a period of desktop
inactivity.
Note:
1. This policy is ineffective if the computer is already locked. In that
case, the locked inactivity action is effective instead.
2. If the user is not logged on to a Wallet, the log off Wallet actions for
policy values 2 and 5 are not performed.
Registry
[DO] "DesktopInactivityAction"
IMS Entry
Type
Registry: DWORD
IMS Entry: Non-negative integer
Values
*#0: No action
#1: Log off Windows
#2: Log off Wallet
#4: Lock computer
#5: Log off Wallet and lock computer
(refreshed on sync for system policy)
(refreshed on use for machine policy)
Scope
Machine
System
pid_desktop_inactivity_action_countdown_secs
Description Confirmation countdown duration, in seconds, for desktop inactivity.
Registry
[DO] "DesktopInactivityActionCountdownSecs"
IMS Entry
Type
Registry: DWORD
IMS Entry: Non-negative integer
Values
*5
(0 to disable confirmation countdown)
(refreshed on sync for system policy)
(refreshed on use for machine policy)
Scope
Machine
System
pid_win_screensaver_action
Description Actions to be performed by AccessAgent on Windows screen saver
activation.
Note:
1. This policy is only effective if at least one user is logged on to
AccessAgent.
2. If this policy triggers a computer lock, desktop inactivity action
becomes ineffective.
3. If this policy triggers a screen saver without password protection,
the desktop inactivity action would remain effective while screen
saver is on.
4. This policy allows two-level desktop inactivity behavior. For example,
if this policy is set to 1, desktop inactivity minutes is set to 4, and
the Windows screen saver is set to time out in 2 minutes without
password protection, the computer shows the screen saver after
2 minutes of idling and is locked after an additional 2 minutes of
idling.
Important:
- Screensaver action is not supported in Microsoft Windows Vista.
- Option 0 is not supported in Microsoft Windows Vista.
Registry
[DO] "WinScreensaverAction"
IMS Entry
Type
Registry: DWORD
IMS Entry: Non-negative integer
Values
Scope
Machine
System
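The interplay of the desktop inactivity action, the screen saver action and the locked computer inactivity action described in the entries above, as an added Python simulation (not IBM code). The page does not list the pid_win_screensaver_action values, so whether the screen saver locks the computer is modelled as the boolean `screensaver_triggers_lock`; the policy field names and event labels are this example's own.

```python
# Added example, not IBM code: simulates the inactivity behavior described for
# pid_desktop_inactivity_action, pid_win_screensaver_action and
# pid_locked_computer_inactivity_action.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Policy values for pid_desktop_inactivity_action and their effects.
DESKTOP_ACTIONS = {
    0: (),
    1: ("log_off_windows",),
    2: ("log_off_wallet",),
    4: ("lock_computer",),
    5: ("log_off_wallet", "lock_computer"),
}
# Policy values for pid_locked_computer_inactivity_action.
LOCKED_ACTIONS = {0: (), 1: ("log_off_windows",)}


@dataclass
class InactivityPolicy:
    desktop_inactivity_mins: int = 30            # DesktopInactivityMins default *30
    desktop_inactivity_action: int = 0           # *#0: No action
    locked_computer_inactivity_mins: int = 30    # LockedComputerInactivityMins default *30
    locked_computer_inactivity_action: int = 0   # *#0: No action
    lusm_sessions_max: int = 1
    screensaver_timeout_mins: Optional[int] = None   # Windows setting; None = no screen saver
    screensaver_triggers_lock: bool = False          # assumed stand-in for the policy value


def desktop_actions(value: int, wallet_logged_on: bool) -> List[str]:
    """Effects of a desktop inactivity action value. Note 2 of that entry: the
    'log off Wallet' part of values 2 and 5 is skipped when no Wallet is open."""
    acts = list(DESKTOP_ACTIONS[value])
    if not wallet_logged_on:
        acts = [a for a in acts if a != "log_off_wallet"]
    return acts


def inactivity_timeline(p: InactivityPolicy, idle_mins: int,
                        wallet_logged_on: bool = True,
                        agent_user_logged_on: bool = True) -> List[Tuple[int, str]]:
    """Return (minute, event) pairs for a desktop left idle for idle_mins."""
    events: List[Tuple[int, str]] = []
    locked_at: Optional[int] = None

    # Screen saver action (note 1: only if a user is logged on to AccessAgent).
    t = p.screensaver_timeout_mins
    if agent_user_logged_on and t is not None and t <= idle_mins:
        if p.screensaver_triggers_lock:
            events.append((t, "screen_saver_lock"))
            locked_at = t
        else:
            events.append((t, "screen_saver"))

    # Desktop inactivity action. Ineffective once the computer is locked
    # (note 1 of the action entry, note 2 of the screen saver entry); a lock at
    # the same minute is treated here as having happened first.
    t = p.desktop_inactivity_mins
    if t <= idle_mins and (locked_at is None or t < locked_at):
        acts = desktop_actions(p.desktop_inactivity_action, wallet_logged_on)
        events.extend((t, a) for a in acts)
        if "lock_computer" in acts:
            locked_at = t

    # Locked computer inactivity action, timed from the lock. Effective only
    # when pid_lusm_sessions_max is 1 (note 1 of that entry); this example
    # assumes the EnGINA screen lock is the one shown (note 2).
    if locked_at is not None and p.lusm_sessions_max == 1:
        t = locked_at + p.locked_computer_inactivity_mins
        if t <= idle_mins:
            events.extend((t, a) for a in LOCKED_ACTIONS[p.locked_computer_inactivity_action])

    events.sort(key=lambda e: e[0])   # stable sort keeps per-minute order
    return events


if __name__ == "__main__":
    # Constructed scenario from note 4 of pid_win_screensaver_action: screen
    # saver after 2 minutes without password, lock after 4 minutes of idling.
    policy = InactivityPolicy(desktop_inactivity_mins=4, desktop_inactivity_action=4,
                              screensaver_timeout_mins=2)
    print(inactivity_timeline(policy, idle_mins=10))
    # [(2, 'screen_saver'), (4, 'lock_computer')]
```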
pid_locked_computer_inactivity_mins
Description Locked computer inactivity duration, in minutes, after which
AccessAgent might perform a set of actions.
Registry
[DO] "LockedComputerInactivityMins"
IMS Entry
Type
Registry: DWORD
IMS Entry: Positive integer
Values
*30
(refreshed on sync for system policy)
(refreshed on use for machine policy)
Scope
Machine
System
pid_locked_computer_inactivity_action
Description Actions to be performed by AccessAgent after a period of desktop
inactivity while the computer is locked and the user is logged on to a
Wallet.
Note:
1. Effective only if pid_lusm_sessions_max is 1.
2. This policy is effective only if the EnGINA screen lock is shown.
Registry
[DO] "LockedComputerInactivityAction"
IMS Entry
Type
Registry: DWORD
IMS Entry: Non-negative integer
Values
*#0: No action
#1: Log off Windows
(refreshed on sync for system policy)
(refreshed on use for machine policy)
Scope
Machine
System
Lock policies
pid_lock_option
Description Type of screen lock to be used when the computer is locked.
Note:
1. If pid_lusm_sessions_max is greater than 1, only policy 1 (EnGINA
screen lock) is supported.
2. From a transparent screen lock, the user can trigger an unlock or
switch user by presenting a second factor.
3. From a transparent screen lock, AccessAgent UI is displayed when
the Tivoli Access Manager for Enterprise Single Sign-On Hot Key is
pressed. From this screen, the user can manually log off from
AccessAgent, which unlocks the computer, and actions specified by
pid_logoff_manual_action is performed. The logoff action is
available regardless of the setting for
pid_logoff_manual_while_locked_option_enabled.
4. Even after the transparent screen lock is activated, the action specified
by pid_desktop_inactivity_action is still carried out after the
period of desktop inactivity has elapsed. Therefore, set
pid_desktop_inactivity_action to 4.
Important: The transparent screen lock feature is not supported in
Microsoft Windows Vista.
Registry
[DO] "LockOption"
IMS Entry
Type
DWORD
Values
Scope
Machine
pid_lock_transparent_text
Description Configurable text for transparent screen lock.
Note: Effective only if pid_lock_option is 2.
Registry
[DO] "LockTransparentText"
IMS Entry
Type
SZ
Values
Scope
Machine
pid_lock_transparent_hot_key_enabled
Description Whether the Ctrl-Esc Hot Key sequence is enabled during transparent
screen lock.
Note:
1. Effective only if pid_lock_option is 2 and transparent screen lock is
shown.
2. If enabled, this Hot Key is equivalent to the Tivoli Access Manager
for Enterprise Single Sign-On Hot Key when the computer is
locked. When pressed, AccessAgent UI is shown on the transparent
screen lock.
3. This additional Hot Key is useful for remote access systems (for
example, LANDesk) that can send only limited key sequences.
Registry
[DO] "LockTransparentHotKeyEnabled"
IMS Entry
Type
DWORD
Values
Registry (DWORD): *#0: No; #1: Yes
IMS Entry: #True; *#False
(refreshed on use)
Scope
Machine
Lock/Unlock policies
pid_script_lock_enabled
Description Whether to enable the running of the lock script during locking of the
AccessAgent session of the user.
Note:
1. The lock script is only executed if the session of the user is
currently visible during locking. That is, in Local User Session
Management (LUSM), currently invisible user sessions do not
have the lock script executed.
2. The lock script is executed regardless of whether the locking is due
to desktop inactivity or manually triggered (for example, pressing
Win-L or tapping an RFID card).
3. The lock script is useful for closing applications when a "guest"
AccessAgent session is being locked. It can also be used with the
unlock script in a Local User Session Management (LUSM) scenario
to record any single-instance applications that might be running
before locking, which might have to be relaunched during unlock.
Important: When using Microsoft Windows Vista, the lock script is
executed after the machine locks instead of before the machine locks.
If the script is created to display a user interface that prompts the user
for action upon machine lock, the user will not see it in Microsoft
Windows Vista.
Registry
IMS Entry
Type
Boolean
Values
#True
*#False
(refreshed on sync)
Scope
User
Chapter 23. AccessAgent policies
pid_script_lock_type
Description Type of lock script to run.
Note:
1. Effective only if pid_script_lock_enabled is enabled.
2. See pid_script_lock_enabled.
Registry
IMS Entry
Type
Positive integer
Values
*#1: Batch
#2: VBScript
(refreshed on sync)
Scope
User
pid_script_lock_code
Description Source code of lock script to run.
Note:
1. Effective only if pid_script_lock_enabled is enabled.
2. See pid_script_lock_enabled.
Registry
IMS Entry
Type
String
Values
(refreshed on sync)
Scope
User
pid_script_unlock_enabled
Description Whether to enable the running of the unlock script when the user
unlocks an existing AccessAgent session.
Note:
1. The unlock script is only executed if the user already has an
existing AccessAgent session and is unlocking it.
2. The unlock script is not executed if the user is unlocking a shared
workstation that is logged on with a generic Windows account, and
not currently logged on to AccessAgent. In this case, the logon
script (see pid_script_logon_enabled) is executed instead.
3. The unlock script can be used in Local User Session Management
(LUSM) to auto-launch single-instance applications that might have
been terminated by other users who are logged on to the same
workstation.
4. The unlock script is not supported if pid_lock_option is 2 (that is,
the transparent screen lock is used).
Registry
IMS Entry
Type
Boolean
Values
#True
*#False
(refreshed on sync)
Scope
User
pid_script_unlock_type
Description Type of unlock script to run.
Note:
1. Effective only if pid_script_unlock_enabled is enabled.
2. See pid_script_unlock_enabled.
Registry
IMS Entry
Type
Positive integer
Values
Scope
User
pid_script_unlock_code
Description Source code of unlock script to run.
Note:
1. Effective only if pid_script_unlock_enabled is enabled.
2. See pid_script_unlock_enabled.
Registry
IMS Entry
Type
String
Values
(refreshed on sync)
Scope
User
pid_unlock_option
Description Unlock computer policy for controlling who is allowed to unlock a
computer when it has been locked by a user who is logged on to
AccessAgent.
Note:
1. Effective only if pid_lusm_sessions_max is 1.
2. Same user refers to the same user who locked the computer (that is,
the same user name).
3. This policy is ignored if pid_lock_option is 2 (transparent screen
lock). In transparent screen lock mode, any user is always allowed
to unlock the computer.
4. For policy 3, if a different user tries to unlock, AccessAgent unlocks
the computer and brings the user to the current desktop, but logs
on to the new Wallet after logging off the old one.
5. For policy 4, only the same user can unlock the computer and return to
the current desktop. For other users, AccessAgent logs off from the
old desktop and logs on to the new Wallet. AccessAgent does not
require a user to present a second factor. If the new Wallet does not
have a desktop account on the computer, the user also needs to log
on to Windows. This option is currently not supported for ARFID
and smart card.
Important: Limitations for Microsoft Windows Vista users:
v Option 3 only works with a Shared Desktop.
v Option 4 logs off current AccessAgent logon session without
attempting to log on again as a second user.
Registry
[DO] "UnlockOption"
IMS Entry
Type
Registry: DWORD
IMS Entry: Positive integer
Values
Scope
Machine
User
pid_unlock_different_user_action_countdown_secs
Description Confirmation countdown duration, in seconds, for unlocking by a
different user.
Note:
1. Effective only if pid_lusm_sessions_max is 2.
2. Effective when a user attempts to unlock computer while another
user has already been logged on to AccessAgent.
3. If the policy value is not 0, the user can click the prompt to cancel
the switch user. If the user does not confirm, AccessAgent proceeds
to unlock the computer.
Registry
[DO] "UnlockDifferentUserActionCountdownSecs"
IMS Entry
Type
Registry: DWORD
IMS Entry: Non-negative integer
Values
*0
(0 to disable confirmation countdown)
(refreshed on sync for user policy)
(refreshed on use for machine policy)
Scope
Machine
User
pid_unlock_user_name_prefill_option
Description Option for prefilling the Tivoli Access Manager for Enterprise Single
Sign-On Windows unlock prompt with a user name.
Registry
[DO] "UnlockUserNamePrefillOption"
IMS Entry
Type
Non-negative integer
Values
0 - No
1 - Yes
Scope
Machine
pid_win_fast_user_switching_enabled
Description Whether to enable support for Fast User Switching in Microsoft
Windows Vista and above.
Note: Effective only if the client operating system is Microsoft
Windows Vista and above, and if Fast User Switching is enabled.
Registry
[DO] "WinFastUserSwitchingEnabled"
IMS Entry
Type
Boolean
Values
#True
*#False (default)
(refreshed on sync)
Scope
Machine
Type
Non-negative integer
Values
Scope
Machine
User
pid_sc_map_cert_to_entdir_acc_enabled
Description Whether to automatically identify the enterprise directory account by
using the smart card certificate attributes during sign up. If so, the user
is not asked to provide a user name during sign up.
Registry
IMS Entry
Type
Boolean
Values
#True
*#False
(refreshed on sync)
Scope
System
pid_sc_win_logon_enabled
Description Whether to allow smart card users to log on to Windows using
certificate-based authentication.
Note:
1. If this policy is enabled, after the user logs on to AccessAgent from
the Tivoli Access Manager for Enterprise Single Sign-On Welcome
screen, the user can log on to Windows using the smart card
certificate.
2. This policy is only applicable if the pid_engina_ui_enabled policy is
set. This policy is not supported on Windows Vista.
Registry
IMS Entry
Type
Boolean
Values
#True
*#False
(refreshed on sync)
Scope
Machine
RFID policies
pid_rfid_tap_same_action
Description Actions to be performed by AccessAgent when the currently logged on
user taps the RFID card on the desktop.
Note:
1. This policy is not applicable if the user did not log on using an
RFID.
2. If pid_lusm_sessions_max is greater than 1, AccessAgent with the
policy value 1 (Log off Windows) logs off the desktop session of the
user and shows the computer locked screen.
Registry
[DO] "RfidTapSameAction"
IMS Entry
Type
Registry: DWORD
IMS Entry: Non-negative integer
Values
*#0: No action
#1: Log off Windows
#2: Log off Wallet
*#4: Lock computer
#5: Log off Wallet and lock computer
(refreshed on sync for user policy)
(refreshed on use for machine policy)
Scope
Machine
User
pid_rfid_tap_same_action_countdown_secs
Description Confirmation countdown duration, in seconds, for tapping the same
RFID on the desktop.
Registry
[DO] "RfidTapSameActionCountdownSecs"
IMS Entry
Type
Registry: DWORD
IMS Entry: Non-negative integer
Values
*5
(0 to disable confirmation countdown: do not set to this value to
prevent accidental double detection of RFID tap)
(refreshed on sync for user policy)
(refreshed on use for machine policy)
Scope
Machine
User
pid_rfid_only_unlock_enabled
Description Whether to allow RFID-only unlock (without password) by the same
user who locked the computer, if the unlock happens within the duration
specified by pid_rfid_only_unlock_timeout_secs.
Note: This also applies to Active Proximity Badge. However, if
pid_lusm_sessions_max is greater than 1, the Active Proximity Badge
only unlock is applicable only for the last visible user desktop.
Registry
[DO] "RfidOnlyUnlockEnabled"
IMS Entry
Type
Registry: DWORD
IMS Entry: Boolean
Values
Registry: #1: Yes; *#0: No
IMS Entry: #True; *#False
(refreshed on sync for user policy)
(refreshed on use for machine policy)
Scope
Machine
User
pid_rfid_only_unlock_timeout_secs
Description Time expiry, in seconds, for an RFID-only unlock. After this duration
(timed from the last lock), RFID-only unlock is not allowed.
Note:
1. Effective only if pid_rfid_only_unlock_enabled is enabled.
2. Also applies to Active Proximity Badge.
Registry
[DO] "RfidOnlyUnlockTimeoutSecs"
IMS Entry
Type
Registry: DWORD
IMS Entry: Non-negative integer
Values
*0
(0 to disable expiry, that is, always allow RFID-only unlock)
(refreshed on sync for user policy)
(refreshed on use for machine policy)
Scope
Machine
User
pid_rfid_only_logon_enabled
Description Whether to allow RFID-only logon (without password) by a user who
has recently logged on using an RFID and password on the same or
another computer, if the logon happens within the duration specified by
pid_rfid_only_logon_timeout_mins.
Note:
1. RFID-only logon only works if the IMS Server is online and the
user has an existing cached Wallet on the computer.
2. RFID-only logon is tied to the specific RFID card used for logon. If
the user has two RFID cards and card #1 was used to log on, the user
can use RFID-only logon only with card #1. If attempting to log on
with card #2, the user is prompted for a password.
3. For better security, pid_wallet_cache_max_inactivity_days must be
used to clear inactive Wallets, so that exposure of RFID-only logon
is limited to those computers that a particular user frequently
uses.
4. RFID-only logon is not supported if pid_lusm_sessions_max is
greater than 1.
5. ARFID is not applicable.
6. If both the RFID-only unlock and RFID-only logon features are enabled:
- If a logged on user locks the computer: when the user uses the
RFID to unlock the existing session, the RFID-only unlock feature
is invoked. During unlock, a password is required if the
RFID-only unlock time-out has expired.
- If no user is logged on and the computer is locked: when a user
uses the RFID to unlock the computer, the RFID-only logon
feature is invoked. During logon, a password is required if the
conditions specified in the policy for RFID-only logon are not
met.
Registry
[DO] "RfidOnlyLogonEnabled"
IMS Entry
Type
DWORD
Values
Registry (DWORD): #1: Yes; *#0: No
IMS Entry: #True; *#False
(refreshed on use)
Scope
Machine
Upid_rfid_only_logon_timeout_mins
Description Time expiry, in minutes, for RFID-only logon. After this duration (timed
from last logon with RFID and password), RFID-only logon will not be
allowed.
Note:
1. Effective only if pid_rfid_only_logon_enabled is enabled.
2. Timeout is refreshed upon every logon to IMS Server with an RFID
and password.
Registry
IMS Entry
Type
Non-negative integer
Values
*480
(0 to disable RFID-only logon)
(refreshed on sync)
Scope
User
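The RFID tap decision described across the pid_rfid_only_unlock_enabled, pid_rfid_only_unlock_timeout_secs, pid_rfid_only_logon_enabled and pid_rfid_only_logon_timeout_mins entries (including note 6 of pid_rfid_only_logon_enabled), as an added Python example that is not IBM code. The policy and context field names are this example's own; the Active Proximity Badge and multi-session (LUSM) unlock cases are not modelled beyond the "not supported" rule.

```python
# Added example, not IBM code: when does an RFID tap on a locked computer
# require a password, per the RFID-only unlock and RFID-only logon entries.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class RfidPolicy:
    rfid_only_unlock_enabled: bool = False       # *#0: No
    rfid_only_unlock_timeout_secs: int = 0       # *0: no expiry
    rfid_only_logon_enabled: bool = False        # *#0: No
    rfid_only_logon_timeout_mins: int = 480      # *480; 0 disables RFID-only logon
    lusm_sessions_max: int = 1


@dataclass
class TapContext:
    session_exists: bool               # a user is logged on to AccessAgent and locked the computer
    same_user_as_lock: bool            # the tapping user is the one who locked it
    secs_since_lock: int
    ims_online: bool
    wallet_cached: bool                # the user has a cached Wallet on this computer
    card_matches_last_logon: bool      # same card as used at the last RFID+password logon
    mins_since_rfid_pw_logon: Optional[int]   # None: never logged on with RFID and password


def rfid_tap_decision(p: RfidPolicy, ctx: TapContext) -> Tuple[str, bool, str]:
    """Return (feature, password_required, reason).

    feature is "unlock" when an existing session is being unlocked and
    "logon" when no user is logged on (note 6 of pid_rfid_only_logon_enabled).
    """
    if ctx.session_exists:
        # RFID-only unlock: same user, within the unlock time-out (0 = always).
        if not p.rfid_only_unlock_enabled:
            return "unlock", True, "RFID-only unlock disabled"
        if not ctx.same_user_as_lock:
            return "unlock", True, "different user from the one who locked"
        if p.rfid_only_unlock_timeout_secs and ctx.secs_since_lock > p.rfid_only_unlock_timeout_secs:
            return "unlock", True, "RFID-only unlock time-out expired"
        return "unlock", False, "RFID-only unlock"

    # No session: RFID-only logon, which needs every condition in the entry.
    if not p.rfid_only_logon_enabled or p.rfid_only_logon_timeout_mins == 0:
        return "logon", True, "RFID-only logon disabled"
    if p.lusm_sessions_max > 1:
        return "logon", True, "not supported with pid_lusm_sessions_max > 1"
    if not ctx.ims_online or not ctx.wallet_cached:
        return "logon", True, "IMS Server offline or no cached Wallet"
    if not ctx.card_matches_last_logon:
        return "logon", True, "different card from the one used at last logon"
    if (ctx.mins_since_rfid_pw_logon is None
            or ctx.mins_since_rfid_pw_logon > p.rfid_only_logon_timeout_mins):
        return "logon", True, "RFID-only logon time-out expired"
    return "logon", False, "RFID-only logon"


if __name__ == "__main__":
    policy = RfidPolicy(rfid_only_unlock_enabled=True, rfid_only_unlock_timeout_secs=600,
                        rfid_only_logon_enabled=True)
    # Constructed: the same user taps 5 minutes after locking the computer.
    ctx = TapContext(True, True, 300, True, True, True, 10)
    print(rfid_tap_decision(policy, ctx))
    # ('unlock', False, 'RFID-only unlock')
```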
pid_rfid_display_utility_enabled
Description Whether to display the registration status of an RFID card that does not
belong to the currently logged on user when it is tapped on desktop.
Note:
1. If the policy value is 1, the policy overrides
pid_rfid_tap_different_action. If the RFID card is registered, the
user name is displayed in a prompt.
2. This display utility only works when AccessAgent is logged on.
Registry
[DO] "RfidDisplayUtilityEnabled"
IMS Entry
Type
DWORD
Values
Registry (DWORD): *#0: No; #1: Yes
IMS Entry: #True; *#False
(refreshed on use)
Scope
Machine
Upid_rfid_tap_different_action
Description Actions to be performed by AccessAgent when an RFID card is tapped
on the desktop and does not belong to the currently logged on user.
Note:
1. If pid_rfid_display_utility_enabled is 1, this policy is not
effective.
2. This policy is applicable even if the current user did not use RFID
to log on.
3. For policy value 8, AccessAgent does not require the new user to
tap the RFID again after logging off from Windows.
4. If pid_lusm_sessions_max is greater than 1, AccessAgent with a
policy value of 1 (Log off Windows) logs off the desktop session of
the user and shows the computer locked screen. AccessAgent with a
policy value of 6 (Switch user) attempts to create a user desktop
session for the new user. AccessAgent with a policy value of 8 (Log
off Windows and log on as new user) logs off the desktop session of
the current user and creates a user desktop session for the new user.
5. Switch of user is only supported for users who use the same type of
second factor.
Important: Limitation for Microsoft Windows Vista users:
• For option 8, AccessAgent logs off the current logon session without
attempting to log on again as a second user.
Registry
[DO] "RfidTapDifferentAction"
IMS Entry
Type
DWORD
Non-negative integer
Values
*#0: No action
#4: Lock computer
#5: Log off Wallet and lock computer
#6: Switch user
#8: Log off Windows and log on as new user
(refreshed on sync for user policy)
(refreshed on use for machine policy)
Scope
Machine
User
pid_rfid_tap_different_action_countdown_secs
Description Confirmation countdown duration, in seconds, for tapping a different
RFID on the desktop.
Registry
[DO] "RfidTapDifferentActionCountdownSecs"
IMS Entry
Type
DWORD
Non-negative integer
Values
*5
(0 to disable confirmation countdown: set to this value only when RFID
tap different action is 6, to prevent accidental double detection of RFID
tap)
(refreshed on sync for user policy)
(refreshed on use for machine policy)
Scope
Machine
User
[DO] "ArfidPresentationRangeMax"
IMS Entry
Type
Positive integer
Values
*3
(from 1 to 16)
(should be Active Proximity Badge removal range minimum - 3)
(3 for near, 5 for medium, 7 for far)
(refreshed on use)
Scope
Machine
System
pid_arfid_removal_range_min
Description Minimum range for recognizing that an active proximity badge is
removed.
Registry
[DO] "ArfidRemovalRangeMin"
IMS Entry
Type
Positive integer
Values
*7
(from 4 to 19)
(should be Active Proximity Badge presentation range max + 3)
(7 for near, 9 for medium, 13 for far)
(refreshed on use)
Scope
Machine
System
Fingerprint policies
pid_fingerprint_tap_same_action
Description Actions to be performed by AccessAgent when the currently logged on
user places a finger on the reader.
Note:
1. This policy is not applicable if the user did not log on using a
fingerprint.
2. Currently, this policy is supported only if pid_lusm_sessions_max is
1. For future versions, if pid_lusm_sessions_max is greater than 1,
AccessAgent with a policy value of 1 (Log off Windows) will log off
the desktop session of the user and show the computer locked
screen.
Registry
[DO] "FingerprintTapSameAction"
IMS Entry
Type
DWORD
Non-negative integer
Values
*#0: No action
#1: Log off Windows
#2: Log off Wallet
#4: Lock computer
#5: Log off Wallet and lock computer
(refreshed on sync for user policy)
(refreshed on use for machine policy)
Scope
Machine
User
pid_fingerprint_tap_same_action_countdown_secs
Description Confirmation countdown duration, in seconds, for placing the same
finger on the fingerprint reader.
Registry
[DO] "FingerprintTapSameActionCountdownSecs"
IMS Entry
Type
DWORD
Non-negative integer
Values
*5
(0 to disable confirmation countdown: do not set to this value to
prevent accidental double detection of finger tap)
(refreshed on sync for user policy)
(refreshed on use for machine policy)
Scope
Machine
User
pid_fingerprint_tap_different_action
Description Actions to be performed by AccessAgent when a finger is tapped on
desktop and does not belong to the currently logged on user.
Note:
1. This policy is applicable even if the current user did not use a
fingerprint to log on.
2. For policy value 8, AccessAgent does not require the new user to
tap an RFID again after logging off from Windows.
3. This policy is supported only if pid_lusm_sessions_max is 1. For
future versions, if pid_lusm_sessions_max is greater than 1,
AccessAgent with policy value 1 (Log off Windows) logs off the
desktop session of the user and shows the computer locked screen.
AccessAgent with a policy value of 6 (Switch user) attempts to
create a user desktop session for the new user. AccessAgent with a
policy value of 8 (Log off Windows and log on as new user) logs off
the desktop session of the current user and creates a user desktop
session for the new user.
Important: Limitation for Microsoft Windows Vista users:
• For option 8, AccessAgent logs off the current logon session without
attempting to log on again as a second user.
Registry
IMS Entry
Type
DWORD
Non-negative integer
Values
*#0: No action
#4: Lock computer
#5: Log off Wallet and lock computer
#6: Switch user
#8: Log off Windows and log on as new user
(refreshed on sync for user policy)
(refreshed on use for machine policy)
Scope
Machine
User
pid_fingerprint_tap_different_action_countdown_secs
Description Confirmation countdown duration, in seconds, for placing a different
finger on the fingerprint reader.
Registry
[DO] "FingerprintTapDifferentActionCountdownSecs"
IMS Entry
Type
DWORD
Non-negative integer
Values
*5
(0 to disable confirmation countdown: set to this value only when
fingerprint tap different action is 6, to prevent accidental double
detection of finger tap)
(refreshed on sync for user policy)
(refreshed on use for machine policy)
Scope
Machine
User
pid_fingerprint_registration_max
Description Maximum number of fingerprints that each user is allowed to register.
Note: If the value of this policy is reduced, a user who has already
registered more fingerprints than allowed by the new policy value is
allowed to log on with any of the fingerprints that have been
registered. However, if attempting to register a new fingerprint, an
existing fingerprint has to be replaced. The user cannot increase the
number of fingerprints registered.
Registry
IMS Entry
Type
Positive integer
Values
(from 1 to 10)
(refreshed on sync)
Scope
System
[DO] "MachineTypeTS"
IMS Entry
Type
DWORD
Values
Scope
Machine
pid_ts_logon_prompt_enabled
Description Whether to launch the AccessAgent logon dialog if AccessAgent is not
logged on while a Terminal Server session or Citrix application is
launched.
Note: This policy must be set on the remote AccessAgent (such as on
the Terminal Server or Citrix server).
Registry
[DO] "TSLogonPromptEnabled"
IMS Entry
Type
DWORD
Values
#True
*#False
*#0: No
#1: Yes
(refreshed on use)
Scope
Machine
pid_ts_logon_cache_enabled
Description Whether to cache the Wallet logon credentials in the AD roaming
profile so that AccessAgent can automatically log on to the Wallet.
Note: This policy must be set on the remote AccessAgent (such as on
the Terminal Server or Citrix server).
Registry
[DO] "TSLogonCacheEnabled"
IMS Entry
Type
DWORD
Values
#True
*#False
*#0: No
#1: Yes
(refreshed on use)
Scope
Machine
pid_ts_lock_local_computer_action
Description Option to disconnect the Terminal Server or Citrix session, or log off
the remote AccessAgent while locking the local computer.
Registry
IMS Entry
Type
Non-negative integer
Values
*#0: No action
#1: Disconnect remote session
#2: Log off remote AccessAgent and disconnect remote session
#3: Log off remote session
#4: Log off remote AccessAgent
(refreshed on sync)
Scope
User
pid_ts_logoff_local_session_action
Description Option to disconnect the Terminal Server or Citrix session, or log off
from the remote AccessAgent before logging off from the local
AccessAgent.
Registry
IMS Entry
Type
Non-negative integer
Values
#0: No action
#1: Disconnect remote session
*#2: Log off remote AccessAgent and disconnect remote session
#3: Log off remote session
#4: Log off remote AccessAgent
(refreshed on sync)
Scope
User
pid_ts_engina_logon_no_local_session_enabled
Description Whether to use EnGINA logon or Microsoft GINA logon for the
Terminal Server session, when there is no local AccessAgent session.
Note:
1. This policy must be set on the remote AccessAgent (such as on the
Terminal Server or Citrix server).
2. Set the policy to 0 on Citrix servers.
Registry
[DO] "TSEnginaLogonNoLocalSessionEnabled"
IMS Entry
Type
DWORD
Values
#True
*#False
*#0: No
#1: Yes
(refreshed on use)
Scope
Machine
pid_ts_logoff_on_reconnect_no_local_session_enabled
Description Whether to log off the remote AccessAgent when the user, with no local
AccessAgent session, reconnects to an existing session on a Terminal
Server or Citrix server.
Note:
1. This policy must be set on the remote AccessAgent (such as on the
Terminal Server or Citrix server).
2. This policy is effective only if there is no local AccessAgent session
on the client machine of the user.
3. Set the policy to 1 if users use a generic Windows account to log on
to remote session. Logging off the remote AccessAgent ensures that
the next user cannot use the Wallet and applications of the previous
user.
4. The typical logoff actions (auto-logoff of applications and running of
logoff script) are performed when the remote AccessAgent is logged
off.
5. If pid_ts_logon_prompt_enabled is set to 1, the remote AccessAgent
prompts user to log on after the previous user has been logged off.
Registry
[DO] "TSLogoffOnReconnectNoLocalSessionEnabled"
IMS Entry
Type
DWORD
Values
#True
*#False
*#0: No
#1: Yes
(refreshed on use)
Scope
Machine
pid_ts_delay_app_launch_exe_list
Description The list of applications that are delayed from launching until the remote
AccessAgent is ready to perform automatic sign-on.
Note:
1. This policy must be set on the remote AccessAgent (such as on the
Citrix server).
2. Effective only if pid_ts_delay_app_launch_enabled is enabled.
3. Each application must be indicated by its executable name (for
example, notepad.exe).
4. This feature is not supported in AccessAdmin. To enable this
feature, edit the values manually in the Windows registry.
Registry
[DO] "TSDelayAppLaunchExeList"
IMS Entry
Type
MULTI_SZ
Values
(refreshed on use)
Scope
Machine
pid_ts_delay_app_launch_enabled
Description Whether to enable the delaying of application launch for Citrix server.
Note:
1. This feature is only applicable to Citrix. It is not applicable to
Terminal Server access using RDP.
2. This policy must be set on the remote AccessAgent (such as on the
Citrix server).
3. If this feature is not enabled for an application, the user might first
see the logon prompt of the application before the remote
AccessAgent is ready to perform automatic sign-on. This result
might cause some confusion to the user. Enabling this feature for an
application ensures that the remote AccessAgent is ready to perform
automatic sign-on when the user sees the logon prompt.
4. This feature is only applicable to a local AccessAgent automatically
logging on to remote AccessAgent. If there is no local AccessAgent
or local AccessAgent is not logged on, application launch is not
delayed even if this feature is enabled.
5. This feature is not supported in AccessAdmin. To enable this
feature, edit the values manually in the Windows registry.
Registry
[DO] "TSDelayAppLaunchEnabled"
IMS Entry
Type
DWORD
Values
#True
*#False
#1: Yes
*#0: No
(refreshed on use)
Scope
Machine
pid_ts_start_aa_no_local_aa_enabled
Description Whether to start remote AccessAgent while a published application is
launched through Terminal Server or Citrix, and if local AccessAgent is
not present.
Note:
1. This policy must be set on the remote AccessAgent (such as on the
Terminal Server or Citrix server).
2. This policy only applies to launching of published applications. If a
remote desktop is launched, the remote AccessAgent is always
started.
3. For policy value 0, users cannot log on to remote AccessAgent from
machines that do not have local AccessAgent installed (for example,
home or Internet café).
Registry
[DO] "TSStartAANoLocalAAEnabled"
IMS Entry
Type
DWORD
Values
*#True
#False
#0: No
*#1: Yes
(refreshed on use)
Scope
Machine
pid_ts_delay_app_launch_timeout_secs
Description Timeout, in seconds, for delaying of application launch.
Note:
1. This policy must be set on the remote AccessAgent (such as on the
Citrix server).
2. Effective only if pid_ts_delay_app_launch_enabled is enabled.
3. Remote AccessAgent first waits for connection to be established
with a local AccessAgent. If connection is not established within the
timeout duration, the application proceeds to launch.
4. If a local AccessAgent manages to establish connection with a
remote AccessAgent, the remote AccessAgent waits for another
timeout period for automatic sign-on to be ready. If a remote
AccessAgent is not ready for automatic sign-on within the timeout
duration, the application proceeds to launch.
5. The user might potentially have to wait up to two times the timeout
duration if the local AccessAgent manages to establish a connection
with a remote AccessAgent just before the first timeout duration
lapses.
6. This feature is not supported in AccessAdmin. To enable this
feature, edit the values manually in the Windows registry.
Registry
[DO] "TSDelayAppLaunchTimeoutSecs"
IMS Entry
Type
DWORD
Values
*10
(refreshed on use)
Scope
Machine
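As an added example that is not part of the guide, the two-phase wait described in notes 3 to 5 above, combined with the enabled flag and executable list of the two preceding delay-app-launch policies, worked through in Python. The policy values and executable names are constructed samples; case-insensitive matching of executable names is an assumption.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class DelayAppLaunchPolicy:
    """Machine-scope policy values on a Citrix server (constructed sample values).

    Field names follow the policy ids in the guide:
    enabled      -> pid_ts_delay_app_launch_enabled (default 0, i.e. off)
    exe_list     -> pid_ts_delay_app_launch_exe_list (MULTI_SZ of executable names)
    timeout_secs -> pid_ts_delay_app_launch_timeout_secs (default 10)
    """
    enabled: bool = False
    exe_list: Tuple[str, ...] = ()
    timeout_secs: int = 10


def launch_time(policy: DelayAppLaunchPolicy, exe: str,
                connect_at: Optional[int], ready_at: Optional[int]) -> int:
    """Seconds after the launch request at which the application is allowed to start.

    connect_at: seconds until a local AccessAgent connects to the remote one
                (None if no local AccessAgent is present or logged on).
    ready_at:   seconds until the remote AccessAgent is ready for automatic
                sign-on (None if it never becomes ready).
    """
    # Feature off, or executable not listed: nothing is delayed.
    # Assumption: executable names compare case-insensitively, as Windows file names do.
    if not policy.enabled or exe.lower() not in {e.lower() for e in policy.exe_list}:
        return 0
    t = policy.timeout_secs
    # Phase 1 (note 3): wait up to t seconds for a local AccessAgent connection.
    if connect_at is None or connect_at > t:
        return t
    # Phase 2 (note 4): once connected, wait up to another t seconds for
    # automatic sign-on to be ready.
    deadline = connect_at + t
    if ready_at is None or ready_at > deadline:
        return deadline
    return max(ready_at, connect_at)


def worst_case_delay(policy: DelayAppLaunchPolicy) -> int:
    """Upper bound on the wait a user can see (note 5): a connection arriving
    just before the first timeout lapses, followed by a full second timeout."""
    return 2 * policy.timeout_secs if policy.enabled else 0


# Constructed sample: the default 10 s timeout with notepad.exe delayed.
SAMPLE_POLICY = DelayAppLaunchPolicy(enabled=True, exe_list=("notepad.exe",), timeout_secs=10)

if __name__ == "__main__":
    for label, c, r in [("no local AccessAgent", None, None),
                        ("connected at 2 s, ready at 5 s", 2, 5),
                        ("connected at 9 s, never ready", 9, None)]:
        print(f"{label}: launch after {launch_time(SAMPLE_POLICY, 'notepad.exe', c, r)} s")
    print(f"worst case: {worst_case_delay(SAMPLE_POLICY)} s")
```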
pid_ts_aa_menu_option
Description Whether to display menu options on AccessAdmin user interface in a
Terminal Server or Citrix session.
Note:
1. If the policy value is 1, only Remote session information is
displayed when there is a local AccessAdmin session. Full menu
options are displayed when there is no local AccessAdmin session.
The same applies to right-click menu options for AccessAdmin icon
at Windows notification area.
2. If policy value is 2, all menu options are displayed except for Lock
this computer when there is local AccessAdmin session. Full menu
options are displayed when there is no local AccessAdmin session.
Same applies to right-click menu options for AccessAdmin icon at
Windows notification area. Use this option for Roaming Desktop
configurations.
Registry
[DO] "TSAaMenuOption"
IMS Entry
Type
DWORD
Values
Scope
Machine
pid_com_redir_enabled
Description Whether the device monitoring mechanism must perform COM port
redirection from the client machine (connecting to the Terminal Server)
to the Terminal Server.
Note:
1. If enabled for AccessAgent on Terminal Server or Citrix server,
authentication devices on remote client machines (for example, for
thin clients where there is no AccessAgent installed) can be
monitored. AccessAgent would map a virtual COM port
(pid_com_redir_local_virtual_port) on the Terminal Server or
Citrix server to a physical COM port
(pid_com_redir_remote_physical_port) on the remote client.
2. Modifying this policy requires a machine restart to implement the
changes.
Registry
[DO] "ComRedirEnabled"
IMS Entry
Type
DWORD
Values
#True
*#False
*#0: No
#1: Yes
(refreshed on startup)
Scope
Machine
pid_com_redir_local_virtual_port
Description Virtual COM port on the Terminal Server to which data from the client
COM port is redirected.
Note: Effective only if pid_com_redir_enabled is 1.
Registry
[DO] "ComRedirLocalVirtualPort"
IMS Entry
Type
DWORD
Values
*1
(from 1 to 8)
(refreshed on startup)
Scope
Machine
pid_com_redir_remote_physical_port
Description Physical COM port on the client to which the authentication device (for
example, RFID reader) is connected. The redirection takes place from
this port to the virtual COM port of the Terminal Server.
Note:
1. Effective only if pid_com_redir_enabled is 1.
2. Modifying this policy requires a machine restart to implement the
changes.
Registry
[DO] "ComRedirRemotePhysicalPort"
IMS Entry
Type
DWORD
Values
*1
(refreshed on startup)
(min 1)
Scope
Machine
Type
Boolean
Values
#True
*#False
(refreshed on sync)
Scope
User
pid_script_logon_type
Description Type of logon script to run.
Note: Effective only if script logon is enabled.
Registry
IMS Entry
Type
Positive integer
Values
*#1: Batch
#2: VBScript
(refreshed on sync)
Scope
User
pid_script_logon_code
Description Source code of logon script to run.
Note: Effective only if script logon is enabled.
Registry
IMS Entry
Type
String
Values
(refreshed on sync)
Scope
User
pid_script_logoff_enabled
Description Whether to enable the running of a logoff script during user logoff.
Registry
IMS Entry
Type
Boolean
Values
#True
*#False
(refreshed on sync)
Scope
User
pid_script_logoff_type
Description Type of logoff script to run.
Note: Effective only if script logoff is enabled.
Registry
IMS Entry
Type
Positive integer
Values
*#1: Batch
#2: VBScript
(refreshed on sync)
Scope
User
pid_script_logoff_code
Description Source code of logoff script to run.
Note: Effective only if script logoff is enabled.
Registry
IMS Entry
Type
String
Values
(refreshed on sync)
Scope
User
pid_logoff_manual_enabled
Description Whether to allow user to manually log off from AccessAgent.
Note: If this policy is disabled, the Log off AccessAgent option does
not appear in any part of AccessAgent UI.
Registry
[DO] "LogoffManualEnabled"
IMS Entry
Type
DWORD
Boolean
Values
#0: No
*#1: Yes
*#True
#False
(refreshed on sync)
Scope
Machine
User
pid_logoff_manual_action
Description Actions to be performed by AccessAgent on manual logoff by the user.
Note:
1. Effective when a user manually logs off from the Wallet from a
desktop or transparent screen lock.
2. If pid_lusm_sessions_max is greater than 1, AccessAgent with policy
value 1 (Log off Windows) logs off the desktop session of the user
and shows the computer locked screen. Use this policy value for
Local User Session Management. If the policy value is 2,
AccessAgent is logged off. However, the user cannot log on to
AccessAgent unless Ctrl-Alt-Del is pressed to log on from the Tivoli
Access Manager for Enterprise Single Sign-On replaced Windows
security dialog.
Registry
[DO] "LogoffManualAction"
IMS Entry
Type
DWORD
Positive integer
Values
Scope
Machine
User
pid_logoff_manual_action_countdown_secs
Description Confirmation countdown duration, in seconds, for manual logoff by a
user.
Note:
1. Effective when the user manually logs off from the Wallet from a
desktop or locked computer window.
2. If policy value is not zero, the user has to click the prompt to
confirm logoff. If user does not confirm, AccessAgent does not
proceed with the logoff.
Registry
[DO] "LogoffManualActionCountdownSecs"
IMS Entry
Type
DWORD
Non-negative integer
Values
*30
(0 to disable confirmation countdown)
(refreshed on sync for user policy)
(refreshed on use for machine policy)
Scope
Machine
User
pid_en_network_provider_enabled
Description Whether to enable the Encentuate Network Provider
(EnNetworkProvider).
Note:
1. Second factor authentication is not supported by this feature.
2. Effective only if EnNetworkProvider has been installed by
AccessAgent installer.
3. If enabled, AccessAgent attempts to automatically log on to itself
using the credentials provided at Microsoft GINA. It works with the
Active Directory password synchronization feature so that the same
password can be used to log on to Windows as well as
AccessAgent.
Registry
[DO] "EnNetworkProviderEnabled"
IMS Entry
Type
DWORD
Values
#True
*#False
*#0: No
#1: Yes
(refreshed on use)
Scope
Machine
pid_logon_user_name_prefill_option
Description Option for pre-filling the Tivoli Access Manager for Enterprise Single
Sign-On log on prompt with a user name.
Note:
1. Set this policy to 0 for shared desktops with many users.
2. Set this policy to 1 for personal desktops or shared desktops with
few users.
3. Set this policy to 2 for Terminal Server or Citrix Server. For policy
value 2 to work properly, the following Microsoft registry value
must be set to 0:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] "dontdisplaylastusername"
Registry
[DO] "LogonUserNamePrefillOption"
IMS Entry
Type
DWORD
Values
Scope
Machine
pid_logoff_app_timeout_secs
Description Timeout, in seconds, for logging off from applications.
Note:
1. When AccessAgent logs off from a Wallet (during manual logoff or
switch user), logging off applications might occur (depends on
configuration). This policy specifies a configurable timeout for
logging off applications.
2. If an application is not successfully terminated by its AccessProfile
after the timeout, it can be forced to terminate by setting the
Terminate on time-out and time-out attributes of the
gen_sign_out_trigger appropriately.
Registry
[DO] "LogoffAppTimeoutSecs"
IMS Entry
Type
DWORD
Values
*5
(from 0 to 60)
(refreshed on use)
Scope
Machine
pid_wallet_logoff_action_for_apps_default
Description Default action to take for all applications when a user logs off from
AccessAgent.
Note:
1. If the policy value is 1, AccessAgent attempts to log off all instances
of applications. The AccessProfile for each application must contain
a logoff action, otherwise the application logoff is not performed.
2. If the policy value is 2, AccessAgent closes all instances of
applications that are monitored by AccessAgent. All applications
that have AccessProfiles are monitored, regardless of whether
AccessAgent is used to log on to the application.
3. This policy is effective whenever a user is logged off from
AccessAgent, for example, during a switch user operation.
Registry
IMS Entry
Type
Positive integer
Values
Scope
System
pid_ad_verification_on_logon_option
Description Option for verifying AD credentials when logging on to AccessAgent.
Note:
1. Effective only if pid_enc_pwd_is_ad_pwd_enabled is True.
2. AD verification involves checking with the AD server on whether:
• the account is disabled
• the account has expired
• the password has expired
• the password is correct
3. For policy value 1, AccessAgent always performs an AD verification.
If AD verification fails, the user is not allowed to log on.
4. For policy value 2, AccessAgent performs AD verification only if the
AD server can be contacted over the network. If not, AccessAgent
allows the user to log on without verifying with the AD server.
Registry
[DO] "ADVerificationOnLogonOption"
IMS Entry
Type
DWORD
Values
Scope
Machine
[DO] "EncHotKeyEnabled"
IMS Entry
Type
DWORD
Boolean
Values
*#1: Yes
#0: No
*#True
#False
(refreshed on startup)
Scope
Machine
System
pid_enc_hot_key_action_countdown_secs
Description Confirmation countdown duration, in seconds, for pressing the Tivoli
Access Manager for Enterprise Single Sign-On Hot Key.
Note:
1. Effective only if pid_enc_hot_key_enabled is enabled.
2. Effective only if Tivoli Access Manager for Enterprise Single
Sign-On Hot Key is pressed while AccessAgent is logged on and
computer is not locked.
Registry
[DO] "EncHotKeyActionCountdownSecs"
IMS Entry
Type
DWORD
Non-negative integer
Values
*5
(0 to disable confirmation countdown)
(refreshed on sync for system policy)
(refreshed on use for machine policy)
Scope
Machine
System
pid_enc_hot_key_sequence
Description The Tivoli Access Manager for Enterprise Single Sign-On Hot Key
sequence.
Note:
1. Effective only if pid_enc_hot_key_enabled is enabled.
2. Modifying this policy requires a machine restart to implement the
changes.
Registry
[DO] "EncHotKeySequence"
IMS Entry
Type
MULTI_SZ
String list
Values
*#Ctrl
*#Alt
*#E
(max 3 keys from set of: Ctrl, Shift, Alt, Ins, Del, Home, End, PgUp,
PgDn, Break, E)
(2 of the keys in this set should be used so that the probability of
conflict with other applications is minimized: Ctrl, Shift, Alt)
(refreshed on startup)
Scope
Machine
System
pid_enc_hot_key_not_logged_on_action
Description Actions to be performed by AccessAgent if the Tivoli Access Manager
for Enterprise Single Sign-On Hot Key is pressed at the desktop while
AccessAgent is not logged on.
Note:
1. Effective only if pid_enc_hot_key_enabled is enabled.
2. Effective only if the Tivoli Access Manager for Enterprise Single
Sign-On Hot Key is pressed while AccessAgent is logged on and
computer is not locked.
3. If pid_lusm_sessions_max is greater than 1, AccessAgent with policy
value 1 (Log off Windows) logs off the desktop session of the user
and shows the computer locked screen. However, if the desktop is
the default desktop, whether it can be logged off is determined by
pid_lusm_default_desktop_preserved_enabled.
Registry
[DO] "EncHotKeyNotLoggedOnAction"
IMS Entry
Tivoli Access Manager for Enterprise Single Sign-On Hot Key press
actions at desktop when AccessAgent is not logged on
Type
DWORD
Non-negative integer
Values
#0: No action
#1: Log off Windows
#4: Lock computer
*#9: Launch AccessAgent window
(refreshed on sync for system policy)
(refreshed on use for machine policy)
Scope
Machine
System
pid_enc_hot_key_action
Description Actions to be performed by AccessAgent if the Tivoli Access Manager
for Enterprise Single Sign-On Hot Key is pressed at desktop while
AccessAgent is logged on.
Note:
1. Effective only if pid_enc_hot_key_enabled is enabled.
2. Effective only if Tivoli Access Manager for Enterprise Single
Sign-On Hot Key is pressed at desktop while AccessAgent is logged
on.
3. If pid_lusm_sessions_max is greater than 1, AccessAgent with policy
value 1 (Log off Windows) logs off the desktop session of the user
and shows the computer locked screen.
Registry
[DO] "EncHotKeyAction"
IMS Entry
Tivoli Access Manager for Enterprise Single Sign-On Hot Key press
actions at desktop when AccessAgent is logged on
Type
DWORD
Non-negative integer
Values
#0: No action
#1: Log off Windows
#2: Log off Wallet
#4: Lock computer
#5: Log off Wallet and lock computer
*#9: Launch AccessAgent window
(refreshed on sync for system policy)
(refreshed on use for machine policy)
Scope
Machine
System
pid_emergency_hot_key_enabled
Registry
[DO] "EmergencyHotKeyEnabled"
IMS Entry
Type
DWORD
Boolean
Values
#1: Yes
*#0: No
#True
*#False
(refreshed on startup)
Scope
Machine
System
pid_emergency_hot_key_sequence
Description The Emergency Hot Key sequence.
Note:
1. Effective only if Emergency Hot Key is enabled.
2. Modifying this policy requires a machine restart to implement the
changes.
Important: Emergency bypass unlock is not supported in Microsoft
Windows Vista.
Registry
[DO] "EmergencyHotKeySequence"
IMS Entry
Type
MULTI_SZ
String list
Values
*#Ctrl
*#Alt
*#End
(max 3 keys from set of: Ctrl, Shift, Alt, Ins, Del, Home, End, PgUp,
PgDn, Break, E)
(2 of the keys in this set should be used so that the probability of
conflict with other applications is minimized: Ctrl, Shift, Alt)
(refreshed on startup)
Scope
Machine
System
pid_presence_detector_enabled
Registry
[DO] "PresenceDetectorEnabled"
IMS Entry
Type
DWORD
Boolean
Values
#1: Yes
*#0: No
#True
*#False
(refreshed on startup)
Scope
Machine
System
pid_presence_detector_walk_away_key_sequence
Description The key sequence that the presence detector sends when a user walks
away from it.
Note:
1. Effective only if pid_presence_detector_enabled is enabled.
2. The same key sequence must be configured on the presence detector
by using vendor software. For RF IDeas pcProx-Sonar, configure the
Walkaway Keystrokes using the pcProx-Sonar Configuration Utility.
3. Modifying this policy requires a machine restart to implement the
changes.
Registry
[DO] "PresenceDetectorWalkAwayKeySequence"
IMS Entry
Type
MULTI_SZ
String list
Values
*#Ctrl
*#Alt
*#PgDn
(max 3 keys from set of: Ctrl, Shift, Alt, Ins, Del, Home, End, PgUp,
PgDn, Break, E)
(2 of the keys in this set should be used so that the probability of
conflict with other applications is minimized: Ctrl, Shift, Alt)
(refreshed on startup)
Scope
Machine
System
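An added example, not part of the guide, that checks the three key sequence policies above (pid_enc_hot_key_sequence, pid_emergency_hot_key_sequence and pid_presence_detector_walk_away_key_sequence) against the stated limits: at most three keys from the listed set, preferably two of Ctrl, Shift, Alt. The sample values are the guide's defaults; the check that two policies do not share a chord, and the NUL-separated input form of parse_multi_sz, are the example's own assumptions.

```python
from typing import Dict, List, Sequence

# Key set and limits as stated for the three MULTI_SZ key sequence policies.
ALLOWED_KEYS = frozenset({"Ctrl", "Shift", "Alt", "Ins", "Del", "Home", "End",
                          "PgUp", "PgDn", "Break", "E"})
MODIFIER_KEYS = frozenset({"Ctrl", "Shift", "Alt"})
MAX_KEYS = 3

# Constructed sample: the guide's default values for the three policies.
DEFAULT_SEQUENCES: Dict[str, List[str]] = {
    "pid_enc_hot_key_sequence": ["Ctrl", "Alt", "E"],
    "pid_emergency_hot_key_sequence": ["Ctrl", "Alt", "End"],
    "pid_presence_detector_walk_away_key_sequence": ["Ctrl", "Alt", "PgDn"],
}


def validate_key_sequence(keys: Sequence[str]) -> List[str]:
    """Return the problems found in one key sequence value; [] means acceptable.

    Entries starting with 'error' violate a stated limit (max 3 keys, keys only
    from the allowed set); 'warning' marks the guide's recommendation to use two
    of Ctrl, Shift, Alt so that conflicts with other applications are unlikely.
    """
    if not keys:
        return ["error: sequence is empty"]
    problems: List[str] = []
    if len(keys) > MAX_KEYS:
        problems.append(f"error: {len(keys)} keys configured, maximum is {MAX_KEYS}")
    unknown = [k for k in keys if k not in ALLOWED_KEYS]
    if unknown:
        problems.append("error: keys outside the allowed set: " + ", ".join(unknown))
    if len(set(keys)) != len(keys):
        problems.append("error: the same key is listed more than once")
    if len(MODIFIER_KEYS.intersection(keys)) < 2:
        problems.append("warning: fewer than two of Ctrl, Shift, Alt are used")
    return problems


def check_hot_key_policies(policies: Dict[str, Sequence[str]]) -> Dict[str, List[str]]:
    """Validate every sequence and, as an added consistency check not stated in
    the guide, flag a policy configured with the same chord as an earlier one."""
    report = {pid: validate_key_sequence(keys) for pid, keys in policies.items()}
    first_owner: Dict[frozenset, str] = {}
    for pid, keys in policies.items():
        chord = frozenset(keys)  # order of keys does not matter for a chord
        if chord in first_owner:
            report[pid].append(f"error: same chord as {first_owner[chord]}")
        else:
            first_owner[chord] = pid
    return report


def parse_multi_sz(raw: str) -> List[str]:
    """Split a REG_MULTI_SZ value, decoded to NUL-separated text, into key names.
    Assumption: the input is the decoded registry data; the empty entries from
    the terminating double NUL are dropped."""
    return [part for part in raw.split("\x00") if part]


if __name__ == "__main__":
    for pid, problems in check_hot_key_policies(DEFAULT_SEQUENCES).items():
        print(pid, "ok" if not problems else problems)
    print(validate_key_sequence(["Ctrl", "Alt", "Shift", "E"]))
```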
pid_presence_detector_walk_away_action
Description Actions to be performed by AccessAgent when presence detector
detects a user walking away while no user is logged on.
Note:
1. Effective only if pid_presence_detector_enabled is enabled.
2. This is supported only if pid_lusm_sessions_max is 1. In future
versions, if pid_lusm_sessions_max is greater than 1, AccessAgent
with a policy value of 1 (Log off Windows) logs off the desktop
session of the user and shows the computer locked screen.
Registry
[DO] "PresenceDetectorWalkAwayAction"
IMS Entry
Type
DWORD
Non-negative integer
Values
#0: No action
#1: Log off Windows
#2: Log off Wallet
*#4: Lock computer
#5: Log off Wallet and lock computer
(refreshed on sync for system policy)
(refreshed on use for machine policy)
Scope
Machine
System
pid_presence_detector_walk_away_action_countdown_secs
Description Confirmation countdown duration, in seconds, when the presence
detector detects a user walking away.
Note: Effective only if pid_presence_detector_enabled is enabled.
Registry
[DO] "PresenceDetectorWalkAwayActionCountdownSecs"
IMS Entry
Type
DWORD
Non-negative integer
Values
*5
(0 to disable confirmation countdown)
(refreshed on sync for system policy)
(refreshed on use for machine policy)
Scope
Machine
System
pid_audit_log_by_aa_enabled
Description Whether to enable audit logging by AccessAgent.
Registry
[DO] "AuditLogByAAEnabled"
IMS Entry
Type
DWORD
Values
#0: No
*#1: Yes
(refreshed on sync)
Scope
Machine
pid_memory_reduction_freq_secs
Description Interval, in seconds, for periodic calls to reduce the physical memory
used by various AccessAgent components.
Note:
1. A policy value of 0 means that this feature is disabled.
2. Modifying this policy requires a machine restart to implement the
changes.
Registry
[DO] "MemoryReductionFreqSecs"
IMS Entry
Type
DWORD
Values
*0
(refreshed on startup)
Scope
Machine
Type
String list
Values
Scope
System
pid_engina_logon_with_pwd_text
Description Configurable text for password logon.
Note: See pid_engina_welcome_text.
Registry
IMS Entry
Type
String list
Values
Scope
System
pid_engina_logon_with_rfid_text
Description Configurable text for RFID logon.
Note: See pid_engina_welcome_text.
Registry
IMS Entry
Type
String list
Values
Scope
System
pid_engina_logon_with_sc_text
Description Configurable text for smart card logon.
Note: See pid_engina_welcome_text.
Registry
IMS Entry
Type
String list
Values
Scope
System
pid_engina_logon_with_arfid_text
Description Configurable text for active proximity badge logon.
Note: See pid_engina_welcome_text.
Registry
IMS Entry
Type
String list
Values
Scope
System
pid_engina_logon_with_fingerprint_text
Description Configurable text for fingerprint logon.
Note: See pid_engina_welcome_text.
Registry
IMS Entry
Type
String list
Values
Scope
System
pid_engina_logon_with_fingerprint_or_rfid_text
Description Configurable text for fingerprint or RFID logon.
Note: See pid_engina_welcome_text.
Registry
IMS Entry
Type
String list
Values
*#To log on, place your registered finger on the sensor or tap your
RFID card.
*#To log on without fingerprint or RFID card, click Log on or press
Ctrl+Alt+Del.
(2 strings max)
(text box takes 15 lines max, about 40 chars per line)
(refreshed on sync)
Scope
System
pid_logon_credentials_text
Description Configurable text that is displayed right above the log on credentials
when user clicks Log on.
Note:
1. If pid_enc_pwd_is_ad_pwd_enabled is set to True, this policy must be
modified accordingly, for example, Enter your Windows domain user
name and password to log on.
2. This message is available in multiple languages. It is displayed in
the language specified by the user during AccessAgent installation.
Registry
IMS Entry
Type
String list
Values
Scope
System
Type
String list
Values
Scope
System
pid_unlock_with_pwd_option_1_text
Description Configurable text for unlocking with password when the computer is
locked and pid_unlock_option is 1.
Note: See pid_unlock text.
Registry
IMS Entry
Type
String list
Chapter 24. Configurable text policies
Values
Scope
System
pid_unlock_with_pwd_option_3_text
Description Configurable text for unlocking with password when the computer is
locked and pid_unlock_option is 3.
Note: See pid_unlock text.
Registry
IMS Entry
Type
String list
Values
Scope
System
pid_unlock_with_pwd_option_4_text
Description Configurable text for unlocking with password when the computer is
locked and pid_unlock_option is 4.
Note: See pid_unlock text.
Registry
IMS Entry
Type
String list
Values
Scope
System
pid_unlock_with_sc_option_1_text
Description Configurable text for unlocking with smart card when the computer is
locked and pid_unlock_option is 1.
Note: See pid_unlock text.
Registry
IMS Entry
Instructions for unlocking with smart card when unlock policy is 'only
the same user can unlock'
Type
String list
Values
Scope
System
pid_unlock_with_sc_option_3_text
Description Configurable text for unlocking with smart card when the computer is
locked and pid_unlock_option is 3.
Note: See pid_unlock text.
Registry
IMS Entry
Instructions for unlocking with smart card when unlock policy is 'any
user with or without current desktop account in Wallet can unlock'
Type
String list
Values
Scope
System
pid_unlock_with_sc_option_4_text
Description Configurable text for unlocking with smart card when the computer is
locked and pid_unlock_option is 4.
Note: See pid_unlock text.
Registry
IMS Entry
Instructions for unlocking with smart card when unlock policy is 'only
the same user can unlock, but different user can re-log on to Windows'
Type
String list
Values
Scope
System
pid_unlock_with_rfid_option_1_text
Description Configurable text for unlocking with RFID when the computer is
locked and pid_unlock_option is 1.
Note: See pid_unlock text.
Registry
IMS Entry
Instructions for unlocking with RFID when unlock policy is 'only the
same user can unlock' (Maximum 2 lines)
Type
String list
Values
Scope
System
pid_unlock_with_rfid_option_3_text
Description Configurable text for unlocking with RFID when the computer is
locked and pid_unlock_option is 3.
Note: See pid_unlock text.
Registry
IMS Entry
Instructions for unlocking with RFID when unlock policy is 'any user
with or without current desktop account in Wallet can unlock'
(Maximum 2 lines)
Type
String list
Values
Scope
System
pid_unlock_with_rfid_option_4_text
Description Configurable text for unlocking with RFID when the computer is
locked and pid_unlock_option is 4.
Note: See pid_unlock text.
Registry
IMS Entry
Instructions for unlocking with RFID when unlock policy is 'only the
same user can unlock, but different user can re-log on to Windows'
(Maximum 2 lines)
Type
String list
Values
Scope
System
pid_unlock_with_arfid_option_1_text
Description Configurable text for unlocking with active proximity badge when the
computer is locked and pid_unlock_option is 1.
Note: See pid_unlock text.
Registry
IMS Entry
Type
String list
Values
Scope
System
pid_unlock_with_arfid_option_3_text
Description Configurable text for unlocking with active proximity badge when the
computer is locked and pid_unlock_option is 3.
Note: See pid_unlock text.
Registry
IMS Entry
Type
String list
Values
Scope
System
pid_unlock_with_arfid_option_4_text
Description Configurable text for unlocking with active proximity badge when the
computer is locked and pid_unlock_option is 4.
Note: See pid_unlock text.
Registry
IMS Entry
Type
String list
Values
Scope
System
pid_unlock_with_fingerprint_option_1_text
Description Configurable text for unlocking with fingerprint when the computer is
locked and pid_unlock_option is 1.
Note: See pid_unlock text.
Registry
IMS Entry
Type
String list
Values
Scope
System
pid_unlock_with_fingerprint_option_3_text
Description Configurable text for unlocking with fingerprint when the computer is
locked and pid_unlock_option is 3.
Note: See pid_unlock text.
Registry
IMS Entry
Type
String list
Values
Scope
System
pid_unlock_with_fingerprint_option_4_text
Description Configurable text for unlocking with fingerprint when the computer is
locked and pid_unlock_option is 4.
Note: See pid_unlock text.
Registry
IMS Entry
Type
String list
Values
Scope
System
pid_unlock_with_fingerprint_or_rfid_option_1_text
Description Configurable text for unlocking with fingerprint or RFID when the
computer is locked and pid_unlock_option is 1.
Note: See pid_unlock text.
Registry
IMS Entry
Type
String list
Values
*#To unlock, place your registered finger on the sensor or tap your
RFID card.
*#To unlock without fingerprint or RFID card, click Unlock this
computer or press Ctrl+Alt+Del.
(2 strings max)
(text box takes 15 lines max, about 40 chars per line)
(refreshed on sync)
Scope
System
pid_unlock_with_fingerprint_or_rfid_option_3_text
Description Configurable text for unlocking with fingerprint or RFID when the
computer is locked and pid_unlock_option is 3.
Note: See pid_unlock text.
Registry
IMS Entry
Type
String list
Values
*#To unlock, place your registered finger on the sensor or tap your
RFID card.
*#To unlock without fingerprint or RFID card, click Unlock this
computer or press Ctrl+Alt+Del.
(2 strings max)
(text box takes 15 lines max, about 40 chars per line)
(refreshed on sync)
Scope
System
pid_unlock_with_fingerprint_or_rfid_option_4_text
Description Configurable text for unlocking with fingerprint or RFID when the
computer is locked and pid_unlock_option is 4.
Note: See pid_unlock text.
Registry
IMS Entry
Type
String list
Values
*#To unlock, place your registered finger on the sensor or tap your
RFID card.
*#To unlock without fingerprint or RFID card, click 'Unlock this
computer' or press Ctrl+Alt+Del.
(2 strings max)
(text box takes 15 lines max, about 40 chars per line)
(refreshed on sync)
Scope
System
pid_unlock_credentials_text
Description Configurable text to be displayed right above the unlock credentials
when the user clicks Unlock this computer.
Note:
1. If the Password is Active Directory password policy
(pid_enc_pwd_is_ad_pwd_enabled) is set to True, this policy must be
modified accordingly, for example, Enter your Windows domain user
name and password to unlock.
2. This message is available in multiple languages. It is displayed in
the language specified by the user during AccessAgent installation.
Registry
IMS Entry
Type
String list
Values
Scope
System
RFID name
Type
String
Values
*RFID card
(refreshed on sync)
Scope
System
pid_bind_display_template
Type
Bind template
Values
#Enter your domain user name and password for identity verification.
*#User name
*#Password
(refreshed on sync)
Scope
System
Text for the OTP (OATH) reset link on AccessAssistant and Web
Workplace.
Type
String
Values
Scope
System
Type
Boolean
Values
#True
*#False
(refreshed on sync)
Scope
System
pid_auth_pwd_is_ad_pwd
Description Whether the authentication service is displayed as a Windows user
account in AccessAdmin.
Registry
IMS Entry
Type
Boolean
Values
#True
*#False
(refreshed on use)
Scope
System
pid_auth_fortification_pwd_min_length
Description Minimum length of an acceptable password for the authentication
service.
Note: Effective if pid_auth_fortification_random_pwd_enabled is
enabled.
Registry
IMS Entry
Type
Positive integer
Values
*6
(from 1 to 99)
(refreshed on sync)
Scope
System
pid_auth_fortification_pwd_max_length
Description Maximum length of an acceptable password for the authentication
service.
Note: Effective if pid_auth_fortification_random_pwd_enabled is
enabled.
Registry
IMS Entry
Type
Positive integer
Values
*20
(from 1 to 99)
(refreshed on sync)
Scope
System
pid_auth_fortification_pwd_min_numerics_length
Description Minimum number of numeric characters for an acceptable password for
the authentication service.
Note: Effective if pid_auth_fortification_random_pwd_enabled is
enabled.
Registry
IMS Entry
Type
Non-negative integer
Values
*0
(from 0 to 99)
(refreshed on sync)
Scope
System
pid_auth_fortification_pwd_min_alphabets_length
Description Minimum number of alphabetic characters for an acceptable password
for the authentication service.
Note: Effective if pid_auth_fortification_random_pwd_enabled is
enabled.
Registry
IMS Entry
Type
Non-negative integer
Values
*0
(from 0 to 99)
(refreshed on sync)
Scope
System
pid_auth_fortification_pwd_min_special_chars_length
Description Minimum number of special characters for an acceptable password for
the authentication service.
Note: Effective if pid_auth_fortification_random_pwd_enabled is
enabled.
Registry
IMS Entry
Type
Non-negative integer
Values
*0
(from 0 to 99)
(refreshed on sync)
Scope
System
pid_auth_fortification_pwd_max_numerics_length
Description Maximum number of numeric characters for an acceptable password
for the authentication service.
Note: Effective if pid_auth_fortification_random_pwd_enabled is
enabled.
Registry
IMS Entry
Type
Non-negative integer
Values
*10
(from 0 to 99)
(refreshed on sync)
Scope
System
pid_auth_fortification_pwd_max_alphabets_length
Description Maximum number of alphabetic characters for an acceptable password
for the authentication service.
Note: Effective if pid_auth_fortification_random_pwd_enabled is
enabled.
Registry
IMS Entry
Type
Non-negative integer
Values
*10
(from 0 to 99)
(refreshed on sync)
Scope
System
pid_auth_fortification_max_special_chars_length
Description Maximum number of special characters for an acceptable password for
the authentication service.
Note: Effective if pid_auth_fortification_random_pwd_enabled is
enabled.
Registry
IMS Entry
Type
Non-negative integer
Values
*10
(from 0 to 99)
(0 for no max limit)
(refreshed on sync)
Scope
System
pid_auth_fortification_pwd_mixed_case_enforced
Description Whether to enforce the use of both uppercase and lowercase characters
for the password of the authentication service.
Note: Effective if pid_auth_fortification_random_pwd_enabled is
enabled.
Registry
IMS Entry
Enforce the use of both upper case and lower case characters?
Type
Boolean
Values
#True
*#False
(refreshed on sync)
Scope
System
pid_auth_fortification_random_pwd_enabled
Description Whether manual password change with random password is enabled
for the authentication service.
Registry
IMS Entry
Type
Boolean
Values
#True
*#False
(refreshed on sync)
Scope
User
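The nine pid_auth_fortification_* policies above only take effect together, and they can contradict each other: a per-class minimum above its maximum, per-class minimums that add up to more than pid_auth_fortification_pwd_max_length, or mixed case enforced with fewer than two alphabetic characters allowed. Nothing on this page checks that, and a random password change that can never succeed is found in production. The following Python example is added here and is not IBM code. It encodes the policies with the page's defaults, reports such contradictions, checks a candidate password against the policy, and generates a random password that satisfies it. The character classes (digits, ASCII letters, other printable non-space ASCII as "special") and the literal treatment of a 0 maximum for numeric and alphabetic characters are assumptions; the page states that 0 means no limit only for pid_auth_fortification_max_special_chars_length.

```python
"""Added example, not IBM's code: the pid_auth_fortification_* policies above
as a dataclass, a self-consistency check, a password check and a generator.

Assumptions the page does not state: numeric = 0-9, alphabetic = A-Z a-z,
special = other printable non-space ASCII; a maximum of 0 means "no limit"
only for special characters (as the page says) and is applied literally
(class not allowed) for numeric and alphabetic characters.
"""
import random
import string
from dataclasses import dataclass
from typing import List

DIGITS, ALPHAS, SPECIALS = string.digits, string.ascii_letters, string.punctuation
UNLIMITED = 10 ** 9  # stands in for "0 = no max limit"


@dataclass(frozen=True)
class FortificationPolicy:
    # Field names are the policy IDs without the pid_auth_fortification_ prefix;
    # values are the page's defaults.
    pwd_min_length: int = 6
    pwd_max_length: int = 20
    pwd_min_numerics_length: int = 0
    pwd_min_alphabets_length: int = 0
    pwd_min_special_chars_length: int = 0
    pwd_max_numerics_length: int = 10
    pwd_max_alphabets_length: int = 10
    max_special_chars_length: int = 10
    pwd_mixed_case_enforced: bool = False

    @property
    def special_cap(self) -> int:
        return self.max_special_chars_length or UNLIMITED

    def need_alpha(self) -> int:
        """Alphabetic characters every password must carry (mixed case needs 2)."""
        return max(self.pwd_min_alphabets_length, 2 if self.pwd_mixed_case_enforced else 0)

    def class_limits(self, counts=(0, 0, 0)):
        return (("numeric", counts[0], self.pwd_min_numerics_length, self.pwd_max_numerics_length),
                ("alphabetic", counts[1], self.pwd_min_alphabets_length, self.pwd_max_alphabets_length),
                ("special", counts[2], self.pwd_min_special_chars_length, self.special_cap))

    def validate_self(self) -> List[str]:
        """Contradictions that would make every generated password fail; run
        this before the policy is pushed to AccessAgent."""
        p = []
        if not (1 <= self.pwd_min_length <= 99 and 1 <= self.pwd_max_length <= 99):
            p.append("lengths must be between 1 and 99")
        if self.pwd_min_length > self.pwd_max_length:
            p.append("minimum length exceeds maximum length")
        for cls, _, lo, hi in self.class_limits():
            if lo > hi:
                p.append(f"{cls} minimum exceeds {cls} maximum")
        if self.need_alpha() > self.pwd_max_alphabets_length:
            p.append("mixed case needs at least two alphabetic characters")
        required = (self.pwd_min_numerics_length + self.need_alpha()
                    + self.pwd_min_special_chars_length)
        if required > self.pwd_max_length:
            p.append("per-class minimums add up to more than the maximum length")
        capacity = self.pwd_max_numerics_length + self.pwd_max_alphabets_length + self.special_cap
        if capacity < self.pwd_min_length:
            p.append("per-class maximums cannot reach the minimum length")
        return p


def check_password(pw: str, pol: FortificationPolicy) -> List[str]:
    """Return the constraints pw violates; an empty list means acceptable."""
    n_dig = sum(c in DIGITS for c in pw)
    n_alp = sum(c in ALPHAS for c in pw)
    n_spc = sum(c in SPECIALS for c in pw)
    v = []
    if n_dig + n_alp + n_spc != len(pw):
        v.append("character outside the allowed classes")
    if not pol.pwd_min_length <= len(pw) <= pol.pwd_max_length:
        v.append(f"length {len(pw)} not in {pol.pwd_min_length}..{pol.pwd_max_length}")
    for cls, n, lo, hi in pol.class_limits((n_dig, n_alp, n_spc)):
        if n < lo:
            v.append(f"too few {cls} characters")
        if n > hi:
            v.append(f"too many {cls} characters")
    if pol.pwd_mixed_case_enforced and not (
            any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        v.append("both uppercase and lowercase characters required")
    return v


def generate_password(pol: FortificationPolicy, rng: random.Random = None) -> str:
    """Seed each required class, then fill only from classes with room left,
    so the result satisfies pol without a rejection loop."""
    problems = pol.validate_self()
    if problems:
        raise ValueError("; ".join(problems))
    rng = rng or random.SystemRandom()  # OS CSPRNG, never the default Mersenne Twister
    alphas = [rng.choice(ALPHAS) for _ in range(pol.need_alpha())]
    if pol.pwd_mixed_case_enforced:  # guarantee one of each case
        alphas[0] = rng.choice(string.ascii_lowercase)
        alphas[1] = rng.choice(string.ascii_uppercase)
    chars = ([rng.choice(DIGITS) for _ in range(pol.pwd_min_numerics_length)] + alphas
             + [rng.choice(SPECIALS) for _ in range(pol.pwd_min_special_chars_length)])
    caps = {DIGITS: pol.pwd_max_numerics_length, ALPHAS: pol.pwd_max_alphabets_length,
            SPECIALS: pol.special_cap}
    longest = min(pol.pwd_max_length, sum(caps.values()))
    length = rng.randint(max(pol.pwd_min_length, len(chars)), longest)
    while len(chars) < length:
        open_classes = [cls for cls, cap in caps.items() if sum(c in cls for c in chars) < cap]
        chars.append(rng.choice(rng.choice(open_classes)))
    rng.shuffle(chars)
    pw = "".join(chars)
    assert not check_password(pw, pol), "generator and checker disagree"
    return pw
```

With the page's defaults, FortificationPolicy().validate_self() is empty and check_password("abc123", FortificationPolicy()) is empty; a policy with pid_auth_fortification_pwd_min_length above pid_auth_fortification_pwd_max_length is reported before any password is generated.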
Type
Boolean
Values
#True
*#False
(refreshed on sync)
Scope
System
pid_auth_inject_pwd_entry_option_default
Description Default automatic sign-on password entry option for the authentication
service.
Note:
1. Effective only if pid_auth_is_enterprise is enabled for the
authentication service.
2. Overrides Wallet inject password entry option default.
Registry
IMS Entry
Type
Positive integer
Values
Scope
System
pid_auth_sso_enabled
Description Whether to enable automatic sign-on for the authentication service.
Note: Effective only if pid_auth_is_enterprise is enabled for the
authentication service.
Registry
IMS Entry
Type
Boolean
Values
*#True
#False
(refreshed on sync)
Scope
System
pid_auth_authentication_option
Description Option to control what authentication modes AccessAgent must
support for the authentication service.
Note: Effective only if pid_auth_is_enterprise is enabled for the
authentication service.
Registry
IMS Entry
Type
Positive integer
Values
*#1: Password
#2: SCR
#4: CAPI
#8: OTP
#16: MAC
#32: CCOW
(multiple allowed)
(refreshed on sync)
Scope
System
pid_auth_capture_prompt_enabled
Description Whether the user must be prompted during auto-capture of password
for the authentication service.
Note:
1. Effective only if pid_auth_is_enterprise is enabled for the
authentication service.
2. If the policy value is False and a user is already logged on when
another user wants to use the same computer, the application
passwords of the second user might be auto-captured into the
Wallet of the first user. If pid_auth_capture_prompt_enabled is set to
False for an authentication service, set pid_auth_accounts_max to 1
for the same authentication service.
Registry
IMS Entry
Type
Boolean
Values
*#True
#False
(refreshed on sync)
Scope
System
pid_auth_accounts_max
Description Maximum number of accounts that a user can store for the
authentication service.
Note:
1. When the number of accounts has reached or exceeded the
maximum specified by this policy:
a. AccessAgent does not capture new accounts for this
authentication service.
b. If the user clicks Add new user in Wallet Manager, AccessAgent
displays a prompt that the number of accounts has reached the
limit.
2. User policy, if defined, overrides system policy.
3. This policy is only applicable to AccessAgent.
Registry
IMS Entry
Type
Non-negative integer
Values
*0
(from 0 to 10)
(0 for no max limit)
(refreshed on sync)
Scope
User
System
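The per-authentication-service policies above carry relationships that are easy to break when they are edited one at a time: pid_auth_authentication_option is a bit mask of the documented values and nothing else; pid_auth_sso_enabled, pid_auth_authentication_option, pid_auth_capture_prompt_enabled and pid_auth_inject_pwd_entry_option_default have no effect unless pid_auth_is_enterprise is enabled; and, per note 2 of pid_auth_capture_prompt_enabled, a service with prompting turned off must have pid_auth_accounts_max set to 1 or a second user's password can land in the first user's Wallet. The following Python example is added here and is not IBM code: it decodes and validates the bit mask and lints a set of services for those relationships. The policy set and service names in it are constructed for the example.

```python
"""Added example, not IBM's code: a consistency check over per-authentication-
service policies using only the relationships stated on this page. The policy
set at the bottom is constructed for the example; the service names are made up."""
from typing import Dict, List, Set

# pid_auth_authentication_option is a bit mask; several bits may be set.
AUTH_OPTION_BITS = {1: "Password", 2: "SCR", 4: "CAPI", 8: "OTP", 16: "MAC", 32: "CCOW"}
KNOWN_BITS = sum(AUTH_OPTION_BITS)

# Effective only if pid_auth_is_enterprise is enabled (per each policy's note).
ENTERPRISE_ONLY = ("pid_auth_sso_enabled", "pid_auth_authentication_option",
                   "pid_auth_capture_prompt_enabled",
                   "pid_auth_inject_pwd_entry_option_default")


def is_valid_auth_option(value) -> bool:
    """Positive integer made only of the documented bits."""
    return isinstance(value, int) and value > 0 and value & ~KNOWN_BITS == 0


def decode_auth_option(value: int) -> Set[str]:
    """Names of the authentication modes AccessAgent must support for the service."""
    if not is_valid_auth_option(value):
        raise ValueError(f"invalid pid_auth_authentication_option: {value!r}")
    return {name for bit, name in AUTH_OPTION_BITS.items() if value & bit}


def encode_auth_option(modes) -> int:
    bits = {name: bit for bit, name in AUTH_OPTION_BITS.items()}
    return sum(bits[m] for m in modes)   # KeyError for an unknown mode name


def lint_auth_service(name: str, p: Dict[str, object]) -> List[str]:
    findings = []
    enterprise = bool(p.get("pid_auth_is_enterprise", False))
    option = p.get("pid_auth_authentication_option", 1)   # page default: Password
    if not is_valid_auth_option(option):
        findings.append(f"{name}: invalid pid_auth_authentication_option {option!r}")
    if not enterprise:
        for pid in ENTERPRISE_ONLY:
            if pid in p:
                findings.append(f"{name}: {pid} has no effect because "
                                "pid_auth_is_enterprise is not enabled")
    accounts_max = p.get("pid_auth_accounts_max", 0)     # page default: 0 = no limit
    if not (isinstance(accounts_max, int) and 0 <= accounts_max <= 10):
        findings.append(f"{name}: pid_auth_accounts_max {accounts_max!r} outside 0..10")
    # Cross-user capture risk from note 2 of pid_auth_capture_prompt_enabled.
    if (enterprise and p.get("pid_auth_capture_prompt_enabled", True) is False
            and accounts_max != 1):
        findings.append(f"{name}: pid_auth_capture_prompt_enabled is False but "
                        f"pid_auth_accounts_max is {accounts_max!r}; expected 1 so a second "
                        "user's password cannot be captured into the first user's Wallet")
    return findings


def lint_all(policies: Dict[str, Dict[str, object]]) -> List[str]:
    out = []
    for name, p in policies.items():
        out.extend(lint_auth_service(name, p))
    return out


# Constructed sample: one finding each for the first three, none for the last.
SAMPLE_POLICIES = {
    "HR portal": {"pid_auth_is_enterprise": True, "pid_auth_sso_enabled": True,
                  "pid_auth_authentication_option": 1 | 8,
                  "pid_auth_capture_prompt_enabled": False, "pid_auth_accounts_max": 0},
    "Mainframe": {"pid_auth_is_enterprise": True, "pid_auth_authentication_option": 64,
                  "pid_auth_accounts_max": 1},
    "Webmail": {"pid_auth_is_enterprise": False, "pid_auth_sso_enabled": True},
    "Ticketing": {"pid_auth_is_enterprise": True, "pid_auth_authentication_option": 1 | 2,
                  "pid_auth_capture_prompt_enabled": False, "pid_auth_accounts_max": 1},
}
```

lint_all(SAMPLE_POLICIES) flags the HR portal (prompting off, no account cap), the mainframe (bit 64 is not a documented mode) and webmail (single sign-on set on a non-enterprise service) and returns nothing for the ticketing service.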
Values
(refreshed on sync)
Scope
User
pid_auth_inject_pwd_entry_option
Description Password entry of injection policy per authentication service.
Registry
IMS Entry
Type
Positive integer
Values
Scope
User
Type
Boolean
Values
#True
*#False
(refreshed on sync)
Scope
System
pid_app_inject_pwd_entry_option_default
Description Default automatic sign-on password entry option for the application.
Note: Overrides authentication inject password entry option default
and Wallet inject password entry option default.
Registry
IMS Entry
Type
Positive integer
Values
Scope
System
pid_app_wallet_logoff_action
Description Action to take for the application when the user logs off from
AccessAgent.
Note:
1. This policy overrides Wallet logoff action for applications default.
2. See the notes for Wallet logoff action for applications default.
3. For web applications, each URL is considered an application.
Internet Explorer (IE) is also considered an application. In this
context, the web application policy overrides the IE policy, which
overrides Wallet logoff action for applications default.
4. Set the policy to 2 and 3 for Internet Explorer and Windows
Explorer.
5. This policy is set to 3 for Windows logon (application GINA) when
the IMS Server is installed.
Registry
IMS Entry
Type
Positive integer
Values
Scope
System
Positive integer
Values
Scope
User
pid_app_auth_inject_user_default
Description Default user of injection policy per application per authentication
service.
Registry
IMS Entry
Type
Values
(refreshed on use)
Scope
User
[T] "WalletSyncManualEnabled"
IMS Entry
Type
DWORD
Values
*#0: No
#1: Yes
(refreshed on use)
Scope
Machine
pid_wallet_delete_enabled
Description
Registry
[T]
"WalletDeleteEnabled"
IMS Entry
Type
DWORD
Values
*#0: No
#1: Yes
(refreshed on use)
Scope
Machine
pid_machine_policy_override_enabled
Description Whether to override machine policies using registry values.
Note:
1. If enabled, machine policies can be overridden for this machine by
specifying their values in the registry key [HKEY_LOCAL_MACHINE\
SOFTWARE\Encentuate\DeploymentOptions]. For example,
pid_second_factors_supported_list can be specified using the
registry value SecondFactorsSupportedList.
2. This temporary policy is useful for troubleshooting, especially if
there is no Administrator access to the IMS Server. Disable this
policy after testing is completed, so that the machine can continue
to be managed through AccessAdmin.
3. This policy does not affect pid_wallet_cache_security_enabled.
Registry
[T]
"MachinePolicyOverrideEnabled"
IMS Entry
Type
DWORD
Values
*#0: No
#1: Yes
(refreshed on use)
Scope
Machine
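A machine left with pid_machine_policy_override_enabled on after troubleshooting keeps honouring whatever sits under HKEY_LOCAL_MACHINE\SOFTWARE\Encentuate\DeploymentOptions instead of the policies set in AccessAdmin, which is why note 2 says to disable it when testing is complete. The following Python example is added here and is not IBM code: it reads a registry export (.reg) and reports whether the override is enabled and which machine policies are being overridden locally, mapping each value name back to its policy ID by the convention the page shows (SecondFactorsSupportedList for pid_second_factors_supported_list, AuditLogByAAEnabled for pid_audit_log_by_aa_enabled). Two assumptions: the page abbreviates the key holding MachinePolicyOverrideEnabled as [T] without giving its path, so the value is looked for under any key below HKEY_LOCAL_MACHINE\SOFTWARE\Encentuate; and the export in the example is constructed, with a Temp subkey standing in for that unknown key.

```python
r"""Added example, not IBM's code: audit a registry export (.reg) for local
machine-policy overrides, so a machine on which
pid_machine_policy_override_enabled was switched on for troubleshooting does
not keep diverging from what AccessAdmin pushes.

From the page: overrides are values under
HKEY_LOCAL_MACHINE\SOFTWARE\Encentuate\DeploymentOptions, named after the policy
ID in CamelCase without "pid_". Assumptions: the page abbreviates the key that
holds MachinePolicyOverrideEnabled as [T] without giving its path, so it is
looked for under any key below HKEY_LOCAL_MACHINE\SOFTWARE\Encentuate; the
export at the bottom is constructed and its Temp subkey is a placeholder.
"""
import re
from typing import Dict, List, Tuple

ENCENTUATE_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Encentuate"
DEPLOYMENT_OPTIONS = ENCENTUATE_ROOT + r"\DeploymentOptions"
OVERRIDE_VALUE = "MachinePolicyOverrideEnabled"   # pid_machine_policy_override_enabled


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal .reg parser: REG_DWORD -> int, REG_SZ -> str, other types are
    kept as their raw text (hex(7) multi-strings are not decoded)."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)+)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, val = m.group(1), m.group(2)
        if val.startswith("dword:"):
            keys[current][name] = int(val[len("dword:"):], 16)
        elif len(val) >= 2 and val[0] == val[-1] == '"':
            keys[current][name] = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            keys[current][name] = val
    return keys


def value_name_to_pid(name: str) -> str:
    """AuditLogByAAEnabled -> pid_audit_log_by_aa_enabled (acronym runs stay together)."""
    snake = re.sub(r"(?<=[a-z0-9])(?=[A-Z])|(?<=[A-Z])(?=[A-Z][a-z])", "_", name)
    return "pid_" + snake.lower()


def _get_key(keys: Dict[str, Dict[str, object]], path: str) -> Dict[str, object]:
    for k, v in keys.items():          # registry paths are case-insensitive
        if k.lower() == path.lower():
            return v
    return {}


def audit_overrides(reg_text: str) -> Dict[str, object]:
    keys = parse_reg(reg_text)
    override_key = None
    for key, values in keys.items():
        if key.lower().startswith(ENCENTUATE_ROOT.lower()) and values.get(OVERRIDE_VALUE) == 1:
            override_key = key
    overrides: List[Tuple[str, str, object]] = [
        (value_name_to_pid(n), n, v) for n, v in _get_key(keys, DEPLOYMENT_OPTIONS).items()]
    return {"override_enabled": override_key is not None,
            "override_key": override_key, "overrides": overrides}


def report(result: Dict[str, object]) -> List[str]:
    lines = []
    if result["override_enabled"]:
        lines.append(f"WARNING: {OVERRIDE_VALUE}=1 under {result['override_key']}: AccessAdmin "
                     "no longer governs the values below; set it back to 0 after testing")
    state = "EFFECTIVE override" if result["override_enabled"] else "ignored (override disabled)"
    for pid, name, val in result["overrides"]:
        lines.append(f"{state}: {pid} <- {name} = {val!r}")
    return lines


# Constructed export; the Temp subkey stands in for the page's [T] key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Encentuate\Temp]
"MachinePolicyOverrideEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Encentuate\DeploymentOptions]
"SecondFactorsSupportedList"="RFID"
"AuditLogByAAEnabled"=dword:00000000
"MemoryReductionFreqSecs"=dword:0000003c
"""
```

On the constructed export, report(audit_overrides(SAMPLE_REG)) opens with the warning and lists three effective overrides, including audit logging by AccessAgent switched off locally; with the override value at 0 the same values are listed as ignored. A real export is produced with reg export on the machine, and the multi-string form of SecondFactorsSupportedList, if that is how it is stored, is left undecoded by this parser.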
Notices
This information was developed for products and services offered in the
U.S.A.
IBM may not offer the products, services, or features discussed in this
document in other countries. Consult your local IBM representative for
information on the products and services currently available in your area. Any
reference to an IBM product, program, or service is not intended to state or
imply that only that IBM product, program, or service may be used. Any
functionally equivalent product, program, or service that does not infringe
any IBM intellectual property right may be used instead. However, it is the
user's responsibility to evaluate and verify the operation of any non-IBM
product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not grant
you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the
IBM Intellectual Property Department in your country or send inquiries, in
writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY
OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow
disclaimer of express or implied warranties in certain transactions, therefore,
this statement may not apply to you.
Copyright IBM Corp. 2002, 2009
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corporation in the United States, other
countries, or both. If these and other IBM trademarked terms are marked on
their first occurrence in this information with a trademark symbol (® or ™),
these symbols indicate U.S. registered or common law trademarks owned by
IBM at the time this information was published. Such trademarks may also be
registered or common law trademarks in other countries. A current list of IBM
trademarks is available on the Web at Copyright and trademark information
(www.ibm.com/legal/copytrade.shtml).
Adobe, the Adobe logo, PostScript, and the PostScript logo are either
registered trademarks or trademarks of Adobe Systems Incorporated in the
United States, and/or other countries.
IT Infrastructure Library is a registered trademark of the Central Computer
and Telecommunications Agency, which is now part of the Office of
Government Commerce.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel
Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and
Pentium are trademarks or registered trademarks of Intel Corporation or its
subsidiaries in the United States and other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other
countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
ITIL is a registered trademark, and a registered community trademark of the
Office of Government Commerce, and is registered in the U.S. Patent and
Trademark Office.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc.
in the United States, other countries, or both and is used under license
therefrom.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc.
in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and
other countries.
Other company, product, or service names may be trademarks or service
marks of others.
Glossary
AccessAdmin. The management console used by individuals with the Administrator role and/or the Help
desk role to administer the IMS Server, and to manage users and policies.
AccessAgent. AccessAgent, or AA, is the client software that manages the user's identity, enabling
sign-on/sign-off automation and authentication management.
AccessAssistant. The Web-based interface used to provide password self-help for users to obtain the
latest credentials to logon to their applications.
AccessProfiles. Short, structured XML files that enable single sign-on or sign-off automation for
applications. AccessStudio can be used to generate AccessProfiles.
AccessStudio. The interface used to create AccessProfiles required to support end-point automation,
including single sign-on, single sign-off, and customizable audit tracking.
account data. The logon information required for verification against an authentication service. Most of
the time, it refers to the user name, the password, and the authentication service in which the logon
information is stored.
action. An act that can be performed in response to a trigger. For example, automatic filling of user
name and password details as soon as a sign-on window displays. See also Trigger.
ActiveCode. Short-lived authentication codes that are controlled by Tivoli Access Manager for
Enterprise Single Sign-On system. There are two types of ActiveCodes: random ActiveCodes and
predictive ActiveCodes.
The generation of ActiveCodes can be triggered in one of two ways: time-based (for example, every
minute or every day) or event-based (for example, pressing a button).
Combined with alternative channels or devices, ActiveCodes provide effective second-factor
authentication.
Active Proximity Badge. Similar to an RFID card, but differs in its ability to be detected by a proximity
reader from a considerably longer distance (such as two meters away).
ARFID (Active RFID). ARFID is both a second factor and a presence detector. It can detect the
presence of a user, and AccessAgent can be configured to perform specific actions.
AD. Microsoft Active Directory
application. In AccessStudio, it refers to the system that provides the user interface for reading or
entering the authentication credentials.
application policy. A collection of attributes governing access to applications. Application policies can
include (but are not limited to):
• Password policies govern frequency of password change and strength of passwords.
• Audit policies determine if audit trails must be kept.
• Management policies determine the degree of control the user has over password auto-fill. This
replaces personal versus enterprise applications.
• Privacy policies define when and what type of information is captured and backed-up in the Wallet.
authentication factor. The different devices, biometrics, or secrets required as credentials for validating
digital identities (for example, passwords, smart card, RFID, biometrics, and one-time password tokens).
authentication service. Verifies the validity of an account; Applications authenticate against their own
user store or against a corporate directory.
authorization code. An alphanumeric code generated by an IBM Help desk user for administrative
functions, such as password resets or authentication factors for the Wallet; might be used one or more
times based on policy.
auto-capture. A function that allows the system to remember user credentials (such as user names and
passwords) for different applications. These credentials are captured as they are being used for the first
time, and then stored and secured in the Wallet for future use.
biometrics. The identification of a user based on a physical characteristic of the user, such as a
fingerprint, iris, face, voice or handwriting.
CAPI. Microsoft Cryptography API
certificate authority (CA). A trusted third-party organization or company that issues the digital
certificates. The certificate authority typically verifies the identity of the individuals who are granted the
unique certificate.
CLT. Command Line Tool
control. Any field on a screen. Examples are a user name text box or an OK button on a Web page.
conventional single sign-on. Refers to Web-based single sign-on systems and typically requires
server-side integration, with a centralized architecture.
credentials. User names, passwords, certificates, and any other information that is required for
authentication. An authentication factor can serve as a credential. In Tivoli Access Manager for
Enterprise Single Sign-On, credentials are stored and secured in the Wallet.
Desktop Manager. Manages concurrent user desktops on a single workstation.
directory. A structured repository of information on people and resources within an organization,
facilitating management and communication.
DNS. Domain Name System. The distributed database system that maps domain names to IP addresses.
EnGINA. Tivoli Access Manager for Enterprise Single Sign-On GINA, which replaces the Microsoft
GINA. EnGINA provides a user interface that is tightly integrated with authentication factors and
provides password resets and second factor bypass options.
Enterprise Access Security (EAS). A technology that enables enterprises to simplify, strengthen and
track access to digital assets and physical infrastructure.
Simplifying access means time-to-information, user productivity, and convenience. Strengthening access
allows stronger security and better risk management. Tracking access enables compliance.
EAS solutions are a new generation of identity management security products that reflect the
convergence of logon or logoff automation, authentication management, centralized user access
administration, the unification of logical (information), and physical (building) access control systems.
Enterprise Single Sign-On (E-SSO). A mechanism that allows users to log on to all applications
deployed in the enterprise by entering a user ID and other credentials (such as a password). Many
E-SSO products use sign-on automation technologies to achieve SSO: users log on to the sign-on
automation system and the system logs the user on to all other applications.
FIPS. Federal Information Processing Standard. A standard produced by the National Institute of
Standards and Technology when national and international standards are nonexistent or inadequate to
satisfy the U.S. government requirements.
fortified password. An application password that is automatically changed by the system and not the
user. In Tivoli Access Manager for Enterprise Single Sign-On, passwords might be fortified with Tivoli
Access Manager for Enterprise Single Sign-On ActiveCodes.
GINA. Graphical Identification and Authentication
GPO. Group Policy Object of Active Directory
hybrid desktop. A term used to describe how organizations combine different session management
capabilities to meet the needs of the user community.
IMS Bridge. For extending functionalities of third party programs, allowing them to communicate with
IMS Server.
IMS Connector. Add-ons to the IMS Server that enable the IMS Server to interface with other
applications as a client, extending the capability of the IMS Server. Examples include IMS Connectors for
password change.
IMS Server. An integrated management system that provides a central point of secure access
administration for an enterprise. It enables centralized management of user identities, AccessProfiles,
authentication policies, provides loss management, certificate management, and audit management for
the enterprise.
IMS Server Certificate. In Tivoli Access Manager for Enterprise Single Sign-On, the certificate used to
identify an IMS Server.
IMS Service Modules. Add-on modules that extend the basic services provided by the IMS Server (for
example, user management, policy management, and certificate issuance).
iTag. A patent-pending technology that can convert any photo badge or personal object into a
proximity device, which can be used for strong authentication.
ITAM (IBM Tivoli Access Manager). An integrated solution that provides a wide range of
authorization and management solutions. This product can be used on various operating systems
platforms such as Unix (AIX, Solaris, HP-UX), Linux, and Windows.
LUSM. Local User Session Management. A method for managing multiple desktops on a single
workstation.
Mobile ActiveCode (MAC). A one-time password that is randomly generated, event-based, and
delivered through a secure second channel (for example, SMS on mobile phones).
One-Time Password (OTP). A one-use password generated for an authentication event (for example,
password reset), sometimes communicated between the client and the server through a secure channel
(for example, mobile phones).
password. A sequence of characters used to determine that a user requesting access to a system is the
appropriate user.
password fortification. The process of strengthening application passwords through regular password
changes and stronger password requirements.
password reset. Allows the user to reset the password of the Wallet, and requires an authorization
code.
personal applications. Windows and Web-based applications for which AccessAgent can store and enter
credentials. Some enterprises might not allow the use of a Tivoli Access Manager for Enterprise Single
Sign-On Key with personal applications. Password fortification also does not happen for personal
applications.
Some examples of personal applications are Web-based mail sites such as Company Mail, Internet
banking sites, online shopping sites, chat or instant messaging programs, and the like.
Personal Identification Number (PIN). A password, typically of digits, entered through a telephone
keypad or automatic teller machine.
policy. Governs the operation of Tivoli Access Manager for Enterprise Single Sign-On. Policies
comprise two main sets: machine policies (managed through Windows GPO) and IMS-managed
policies (managed through AccessAdmin).
Policy ID. Each policy is identified by a policy ID that carries the prefix pid_ (for example,
pid_wallet_authentication_option).
policy template. A predefined policy form that helps users define a policy by providing the fixed
policy elements that cannot be changed and the variable policy elements that can be changed.
presence detector. When affixed to a computer, this device detects when a person moves away from it,
thus eliminating the need to manually lock the computer upon leaving it for a short time.
private desktop. Under this desktop scheme, users have their own Windows desktops in a workstation.
When a previous user returns to the workstation and unlocks it, AccessAgent switches to the desktop
session of the previous user and resumes the last task.
private key. An encryption or decryption key that is kept secret by its owner. It is one of the pair of
keys used for encryption and decryption in public key cryptography.
Radio Frequency Identification (RFID). A wireless technology that transmits product serial numbers
from tags to a scanner, without human intervention.
184
IBM Tivoli Access Manager for Enterprise Single Sign-On: Policies Definition Guide
random passwords. Generated passwords used to increase authentication security between clients and
servers. Random password change is the process of modifying access codes between a client and a
server using a random sequence of characters. This change can only happen when the client and the
server are sharing a secured session as the random sequence has to be communicated between the two
parties. The new random password can then be used to re-establish a secured session the next time the
client needs to access the server.
RDP. Remote Desktop Protocol
register. Signing up for a Tivoli Access Manager for Enterprise Single Sign-On account, and registering
a second factor (for example, smart card, RFID) with the IMS Server.
registry. Machine policies are typically configured in AccessAdmin, but can also be configured using
the Windows registry when necessary. This is the case when the
pid_machine_policy_override_enabled policy is set to Yes, which means that administrators must use the
Windows registry to modify machine policies.
reset. Refers to resetting the authentication factors for a Wallet (offline or online). Offline resets allow
a user to reset the Wallet while offline.
revoke. Refers to removing access to a Tivoli Access Manager for Enterprise Single Sign-On Key so it
can no longer be used as an authentication factor for a Wallet.
roaming desktops. Under this desktop scheme, a user can disconnect from a desktop or application
session at one client, log on to another client, and continue a desktop or application session at that new
client.
scope. A reference to the applicability of a policy, be it at the system, user, or machine level.
secret. Information known only to the user.
secret question. A question whose answer is known only to the user. As part of Tivoli Access
Manager for Enterprise Single Sign-On knowledge-based authentication, users are asked a number of
secret questions.
Secure Remote Access. The solution that provides Web browser-based single sign-on to all applications
(for example, legacy, desktop, and Web) from outside the firewall.
security officer. A person who defines the identity Wallet security policies and other application
policies.
serial number. A number embedded in each Tivoli Access Manager for Enterprise Single Sign-On
Key that is unique to that Key and cannot be changed.
service locator. Refers to the address, path, or URL of any logical system that provides back-end
shared computing services. AccessStudio uses the service locator to differentiate between different
services that a user might be accessing, some of which might use the same client-side application.
Service Provider Interface (SPI). Designed for devices that contain serial numbers, like RFID, the SPI
makes it easier for vendors to integrate any device with serial numbers and use it as a second factor in
AccessAgent.
session. A logical or virtual connection between two stations, software programs, or devices on a
network that allows the two elements to communicate and exchange data.
shared desktops. Under this desktop scheme, multiple users share a generic Windows desktop.
Switching of users can be done quickly and efficiently.
sign-up. Requesting an account with the IMS Server. As part of the process, users are issued a
Wallet. They can subsequently register one or more second factors with the IMS Server.
signature. Unique identification information for any application, window, or field.
single sign-on. A capability that allows a user to enter a user ID and password to access multiple
applications.
smart card. A pocket-sized card that handles data using embedded circuits. Smart cards can receive
input from applications, and can also send out information (such as logon information).
SOAP. Simple Object Access Protocol
SSL. Secure Sockets Layer
states. Refers to Advanced AccessProfiles in AccessStudio. See Advanced AccessProfiles.
strong authentication. A solution that utilizes multi-factor authentication devices (such as smart cards)
to prevent unauthorized access to confidential corporate information and IT networks, both inside and
outside the corporate perimeter.
strong digital identity. An online persona that is difficult to impersonate, possibly secured by private
keys on a smart card. These identities typically have to be supported by physical authentication
factors.
TAM E-SSO Password. The password that secures access to your Wallet. The length of the password
ranges from six to 20 characters, depending on the preference of your organization. The assumption is
that only the authentic user has the password to access the account.
token. A small, highly portable hardware device that the owner carries to authorize access to digital
systems, physical assets, or both.
trigger. An event that causes a transition between states in a states engine, for example, the loading of a
Web page or the appearance of a window on the desktop.
TTY. Terminal emulator, terminal application. A program that emulates a video terminal within some
other display architecture. Though typically synonymous with a command line shell or text terminal, the
term terminal covers all remote terminals, including graphical interfaces. A terminal emulator inside a
graphical user interface is often called a terminal window.
Virtual Private Network (VPN). An extension of a company intranet over the existing framework of
either a public or private network. A VPN ensures that the data that is sent between the two endpoints
of its connection remains secure.
Wallet. An identity Wallet that stores a user's access credentials and related information (including user
IDs, passwords, certificates, encryption keys), each acting as the user's personal meta-directory.
Web Workplace. A Web-based interface that provides the ability to log on to enterprise Web applications
by clicking links, without entering the passwords for the individual applications. This interface can be
integrated with the existing portal or SSL VPN of the customer.
WNA. Windows Notification Area
Printed in USA
SC23-9694-00