
Tivoli Access Manager for Enterprise Single Sign-On

Version 8.1

Policies Definition Guide



SC23-9694-00

Note
Before using this information and the product it supports, read the information in Notices on page 177.

Edition notice
Note: This edition applies to version 8.1 of IBM Tivoli Access Manager for Enterprise Single Sign-On (product
number 5724V67) and to all subsequent releases and modifications until otherwise indicated in new editions.
Copyright International Business Machines Corporation 2002, 2009. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule
Contract with IBM Corp.

Contents

About this publication . . . . . . . . . . . . . v
  Intended audience . . . . . . . . . . . . . . v
  What this publication contains . . . . . . . . v
  Publications . . . . . . . . . . . . . . . . viii
    Tivoli Access Manager for Enterprise Single Sign-On library . . . viii
    Accessing terminology online . . . . . . . . ix
    Accessing publications online . . . . . . . . ix
    Ordering publications . . . . . . . . . . . ix
  Accessibility . . . . . . . . . . . . . . . . x
  Tivoli technical training . . . . . . . . . . x
  Tivoli user groups . . . . . . . . . . . . . x
  Support information . . . . . . . . . . . . . x
  Conventions used in this publication . . . . . xi
    Typeface conventions . . . . . . . . . . . . xi
    Operating system-dependent variables and paths . . . xii
    Margin icons . . . . . . . . . . . . . . . . xii

Chapter 1. About Tivoli Access Manager for Enterprise Single Sign-On . . . 1
  Tivoli Access Manager for Enterprise Single Sign-On features . . . 2
  Product components . . . . . . . . . . . . . 5
  Authentication factors . . . . . . . . . . . . 6
    TAM E-SSO Password . . . . . . . . . . . . . 6
    Secrets . . . . . . . . . . . . . . . . . . 7
    Second authentication factors . . . . . . . . 7
    Presence detectors . . . . . . . . . . . . . 10
  Tivoli Access Manager for Enterprise Single Sign-On usage . . . 11
    Personal workstation configuration . . . . . . 11
    Shared workstation configuration . . . . . . . 11
  Tivoli Access Manager for Enterprise Single Sign-On program icons . . . 14
  Policies, certificates, and other product concepts . . . 14
    Credentials . . . . . . . . . . . . . . . . 15
    Enterprise identity . . . . . . . . . . . . . 15
    Enterprise applications . . . . . . . . . . . 15
    Personal applications . . . . . . . . . . . . 16
    User, system, and machine policies . . . . . . 16

Chapter 2. About policies . . . . . . . . . . . . 19
  Policy legends . . . . . . . . . . . . . . . 21
  Viewing and setting policy priorities . . . . . 22
    Viewing policy priorities . . . . . . . . . . 23
    Setting the priorities of a policy . . . . . . 24

Chapter 3. AccessAgent configuration policies . . . 27
Chapter 4. Network policies . . . . . . . . . . . 29
Chapter 5. Session information policies . . . . . 31
Chapter 6. Log policies . . . . . . . . . . . . . 34
Chapter 7. Temporary file policies . . . . . . . 35
Chapter 8. Auto-logon policies . . . . . . . . . 38
Chapter 9. Local user session management policies . . . 48
Chapter 10. Authentication policies . . . . . . . 49
Chapter 11. Password change policies . . . . . . 52
Chapter 12. Password aging policies . . . . . . . 54
Chapter 13. Password strength policies . . . . . 56
Chapter 14. Self-service password reset policies . . . 58
Chapter 15. Self-service authorization code policies . . . 62
Chapter 16. Self-service registration policies . . . 63
Chapter 17. Wallet policies . . . . . . . . . . . 73
Chapter 18. Sign-up policies . . . . . . . . . . 77
Chapter 19. Policy template policies . . . . . . 79
Chapter 20. ActiveCode policies . . . . . . . . . 83
Chapter 21. AccessAssistant and Web Workplace policies . . . 88
Chapter 22. AccessAudit policies . . . . . . . . 89
Chapter 23. AccessAgent policies
Chapter 24. Configurable text policies
Chapter 25. Authentication service policies
Chapter 26. Application policies . . . . . . . . 172
Chapter 27. User-defined policies . . . . . . . . 173
Chapter 28. Troubleshooting policies . . . . . . 176

Notices . . . . . . . . . . . . . . . . . . . . 177
  Trademarks . . . . . . . . . . . . . . . . . 179
Glossary . . . . . . . . . . . . . . . . . . . 181

About this publication


The IBM Tivoli Access Manager for Enterprise Single Sign-On provides
sign-on and sign-off automation, authentication management, and user
tracking to provide a seamless path to strong digital identity. The IBM Tivoli
Access Manager for Enterprise Single Sign-On Policies Definition Guide provides
information about the policies that can be set for the product. The policies can
be set using either AccessAdmin or by updating registry entries.

Intended audience
This publication is for technical users who understand how Tivoli Access
Manager for Enterprise Single Sign-On can be enhanced and customized for a
specific customer use.
This publication is for Administrators and system programmers who need to
perform the following tasks:
• Using policies to enable settings for Tivoli Access Manager for Enterprise
Single Sign-On
• Policy setting and maintenance (for example, modifying system policies and
setting policy priorities)
Readers need to be familiar with the following topics:
• Using AccessAdmin or modifying registry entries
• Information specific to the organization (for example, types of applications
used by the organization, and authentication factors)

What this publication contains


This publication contains the following sections:
• Chapter 1, "About Tivoli Access Manager for Enterprise Single Sign-On"
  Provides an overview of the Tivoli Access Manager for Enterprise Single
  Sign-On system and its main product components.
• Chapter 2, "About policies"
  Provides an overview of policies, how to view and set policy priorities, and
  the legends and symbols used for the policies in this guide.
• Chapter 3, "AccessAgent configuration policies"
  Contains information about policies in relation to AccessAgent setup, such
  as supported second authentication factors, display options, and the default
  IMS Server name.
• Chapter 4, "Network policies"
  Contains information about policies on network timeout durations for TCP
  socket and SOAP connections.
• Chapter 5, "Session information policies"
  Contains information about the policy on displaying AccessAgent session
  information.
• Chapter 6, "Log policies"
  Contains information about the policies on AccessAgent log files.
• Chapter 7, "Temporary file policies"
  Contains information about the policy on storing temporary files for
  AccessAgent.
• Chapter 8, "Auto-logon policies"
  Contains information about the policies on auto-logon settings for
  AccessAgent.
• Chapter 9, "Local user session management policies"
  Contains information about the policies for private desktops.
• Chapter 10, "Authentication policies"
  Contains information about the authentication policies for the Wallet and
  Mobile ActiveCode.
• Chapter 11, "Password change policies"
  Contains information about the policies in relation to enabling password
  change, enabling password reset, and forcing password change at first
  logon.
• Chapter 12, "Password aging policies"
  Contains information about password aging policies, such as enabling
  password aging, the number of days passwords can be used, and password
  expiry reminder settings.
• Chapter 13, "Password strength policies"
  Contains information about the policies related to password length.
• Chapter 14, "Self-service password reset policies"
  Contains information about the policies on the settings for password resets
  initiated by users.
• Chapter 15, "Self-service authorization code policies"
  Contains information about the policies related to providing authorization
  codes for passwords.
• Chapter 16, "Self-service registration policies"
  Contains information about the policy for enabling self-service registration
  and bypass of second authentication factors.
• Chapter 17, "Wallet policies"
  Contains information about the Wallet policies, such as enabling the caching
  of Wallets, the maximum number of cached Wallets, and Wallet
  synchronization settings.
• Chapter 18, "Sign-up policies"
  Contains information about policies on setting secret questions and
  answers, registering additional secrets during sign-up, and using a second
  authentication factor during sign-up.
• Chapter 19, "Policy template policies"
  Contains information about the policies for using the default user and
  machine policy templates.
• Chapter 20, "ActiveCode policies"
  Contains information about the policies for Mobile ActiveCode.
• Chapter 21, "AccessAssistant and Web Workplace policies"
  Contains information about the policies for AccessAssistant and Web
  Workplace.
• Chapter 22, "AccessAudit policies"
  Contains information about the policy for custom event settings.
• Chapter 23, "AccessAgent policies"
  Contains information about AccessAgent policies, such as EnGINA settings,
  second authentication factor settings, logon policies, Terminal Server
  policies, and so on.
• Chapter 24, "Configurable text policies"
  Contains information about the policies for the messages displayed for
  EnGINA, computer unlock, RFID, and so on.
• Chapter 25, "Authentication service policies"
  Contains information about the authentication service policies for password
  fortification, automatic sign-on settings, default user settings, and password
  injection settings.
• Chapter 26, "Application policies"
  Contains information about the policies for applications used by your
  organization.
• Chapter 27, "User-defined policies"
  Contains information about user-defined policies.
• Chapter 28, "Troubleshooting policies"
  Contains information about the policies on Wallet synchronization, Wallet
  deletion, and settings for overriding machine policies.


Publications
This section lists publications in the Tivoli Access Manager for Enterprise
Single Sign-On library. The section also describes how to access Tivoli
publications online and how to order Tivoli publications.

Tivoli Access Manager for Enterprise Single Sign-On library


The following documents are available in the Tivoli Access Manager for
Enterprise Single Sign-On library:
• IBM Tivoli Access Manager for Enterprise Single Sign-On Quick Start Guide,
  CF2B1ML
  Provides steps that summarize major installation and configuration tasks
  for Tivoli Access Manager for Enterprise Single Sign-On.
• IBM Tivoli Access Manager for Enterprise Single Sign-On User Guide,
  SC23-9950
  Provides information about setting up and understanding the main
  functionalities of the product.
• IBM Tivoli Access Manager for Enterprise Single Sign-On Administrator Guide,
  SC23-9951
  Provides the procedures for setting up, administering, and testing the
  product and its components. It covers the functionality and setup options of
  the product, including internal implementation details.
• IBM Tivoli Access Manager for Enterprise Single Sign-On Deployment Guide,
  SC23-9952
  Describes how to deploy and test IBM Tivoli Access Manager for Enterprise
  Single Sign-On, including other components or external tools.
• IBM Tivoli Access Manager for Enterprise Single Sign-On Help Desk Guide,
  SC23-9953
  Provides information about providing Help desk services to users.
• IBM Tivoli Access Manager for Enterprise Single Sign-On Context Management
  Integration Guide, SC23-9954
  Provides information for installing, configuring, and testing the Context
  Management integrated solution in each client workstation.
• IBM Tivoli Access Manager for Enterprise Single Sign-On AccessStudio Guide,
  SC23-9956
  Provides information about setting up and maintaining AccessProfiles using
  AccessStudio.
• IBM Tivoli Access Manager for Enterprise Single Sign-On Provisioning
  Integration Guide, SC23-9957
  Provides information for configuring, managing, and troubleshooting the
  provisioning integration solutions for the product.
• IBM Tivoli Access Manager for Enterprise Single Sign-On Installation Guide,
  GI11-9309
  Provides information about installing the different product components.
• IBM Tivoli Access Manager for Enterprise Single Sign-On Setup Guide,
  GC23-9692
  Provides information about configuring the different components of the
  product.
• IBM Tivoli Access Manager for Enterprise Single Sign-On Troubleshooting and
  Support Guide, GC23-9693
  Provides information about troubleshooting the different components of the
  product.
• IBM Tivoli Access Manager for Enterprise Single Sign-On Policies Definition
  Guide, SC23-9694
  Provides information about the policies that can be set for the product. The
  policies can be set using either AccessAdmin or by updating registry
  entries.

Accessing terminology online


The Tivoli Software Glossary includes definitions for many of the technical
terms related to Tivoli software. The Tivoli Software Glossary is available at the
following Tivoli software library Web site:
http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm
The IBM Terminology Web site consolidates the terminology from IBM
product libraries in one convenient location. You can access the Terminology
Web site at the following Web address:
http://www.ibm.com/software/globalization/terminology

Accessing publications online


IBM posts publications for this and all other Tivoli products, as they become
available and whenever they are updated, to the Tivoli Information Center
Web site at http://www.ibm.com/tivoli/documentation.
Note: If you print PDF documents on other than letter-sized paper, set the
option in the File Print window that allows Adobe Reader to print
letter-sized pages on your local paper.

Ordering publications
You can order many Tivoli publications online at http://
www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.
You can also order by telephone by calling one of these numbers:
• In the United States: 800-879-2755
• In Canada: 800-426-4968
In other countries, contact your software account representative to order Tivoli
publications. To locate the telephone number of your local representative,
perform the following steps:
1. Go to http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.
2. Select your country from the list and click Go.
3. Click About this site in the main panel to see an information page that
includes the telephone number of your local representative.

Accessibility
Accessibility features help users with a physical disability, such as restricted
mobility or limited vision, to use software products successfully.
For additional information, see the Accessibility Appendix in the IBM Tivoli
Access Manager for Enterprise Single Sign-On User Guide.

Tivoli technical training


For Tivoli technical training information, see the IBM Tivoli Education Web
site at http://www.ibm.com/software/tivoli/education.

Tivoli user groups


Tivoli user groups are independent, user-run membership organizations that
provide Tivoli users with information to assist them in the implementation of
Tivoli Software solutions. Through these groups, members can share
information and learn from the knowledge and experience of other Tivoli
users. Tivoli user groups include the following members and groups:
• 23,000+ members
• 144+ groups
Access the link for the Tivoli Users Group at www.tivoli-ug.org.

Support information
If you have a problem with your IBM software, you want to resolve it quickly.
IBM provides the following ways for you to obtain the support you need:
Online
Go to the IBM Software Support site at http://www.ibm.com/
software/support/probsub.html and follow the instructions.
IBM Support Assistant
The IBM Support Assistant is a free local software serviceability
workbench that helps you resolve questions and problems with IBM
software products. The IBM Support Assistant provides quick access
to support-related information and serviceability tools for problem
determination. To install the IBM Support Assistant software, go to
http://www.ibm.com/software/support/isa.
Troubleshooting Guide
For more information about resolving problems, see the IBM Tivoli
Access Manager for Enterprise Single Sign-On Troubleshooting and Support
Guide.

Conventions used in this publication


This publication uses several conventions for special terms and actions,
operating system-dependent commands and paths, and margin graphics.

Typeface conventions
This publication uses the following typeface conventions:
Bold
  • Lowercase commands and mixed case commands that are otherwise
    difficult to distinguish from surrounding text
  • Interface controls (check boxes, push buttons, radio buttons, spin
    buttons, fields, folders, icons, list boxes, items inside list boxes,
    multicolumn lists, containers, menu choices, menu names, tabs,
    property sheets), labels (such as Tip: and Operating system
    considerations:)
  • Keywords and parameters in text
Italic
  • Citations (examples: titles of publications, diskettes, and CDs)
  • Words defined in text (example: a nonswitched line is called a
    point-to-point line)
  • Emphasis of words and letters (words as words example: "Use the
    word that to introduce a restrictive clause."; letters as letters
    example: "The LUN address must start with the letter L.")
  • New terms in text (except in a definition list): a view is a frame in a
    workspace that contains data.
  • Variables and values you must provide: ... where myname
    represents....
Monospace
  • Examples and code examples
  • File names, programming keywords, and other elements that are
    difficult to distinguish from surrounding text
  • Message text and prompts addressed to the user
  • Text that the user must type
  • Values for arguments or command options

Operating system-dependent variables and paths


This publication uses the UNIX convention for specifying environment
variables and for directory notation.
When using the Windows command line, replace $variable with %variable%
for environment variables and replace each forward slash (/) with a backslash
(\) in directory paths. The names of environment variables are not always the
same in the Windows and UNIX environments. For example, %TEMP% in
Windows environments is equivalent to $TMPDIR in UNIX environments.
Note: If you are using the bash shell on a Windows system, you can use the
UNIX conventions.
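As an added example that is not part of the guide, the following Python function applies the convention above mechanically: it rewrites $VAR and ${VAR} references to %VAR% and forward slashes to backslashes. The guide only states that variable names are not always the same on both platforms (TEMP versus TMPDIR); the small mapping table in the code is an assumption that you would extend for your own environment.

```python
import re

# Added example, not from the guide: translate a path written in the guide's
# UNIX notation ($VAR, ${VAR}, forward slashes) into the form used on the
# Windows command line (%VAR%, backslashes).

# Assumption: variable names that differ between the two environments. The
# guide gives only TEMP/TMPDIR; HOME/USERPROFILE is added here as a second
# common case. Names not in this table are kept unchanged.
UNIX_TO_WINDOWS_VARS = {
    "TMPDIR": "TEMP",
    "HOME": "USERPROFILE",
}

# Matches $NAME or ${NAME}; NAME follows the usual shell identifier rules.
_VAR_RE = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def to_windows_path(unix_path):
    """Return the Windows command-line equivalent of a UNIX-notation path."""

    def replace_var(match):
        name = match.group(1)
        return "%" + UNIX_TO_WINDOWS_VARS.get(name, name) + "%"

    converted = _VAR_RE.sub(replace_var, unix_path)
    return converted.replace("/", "\\")


if __name__ == "__main__":
    for sample in ("$TMPDIR/logs/trace.log", "${HOME}/config/app.conf", "$INSTALL_DIR/bin"):
        print(sample, "->", to_windows_path(sample))
```

The function deliberately does not try to resolve the variables; it only changes notation, which is what the convention describes.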

Margin icons

Many procedures in this publication include icons in the left margin. These
icons provide context for performing a step in a procedure. For example, if
you have to perform a step in a procedure by double-clicking a policy region
icon, that icon is displayed in the left margin next to the step.


Chapter 1. About Tivoli Access Manager for Enterprise Single Sign-On
IBM Tivoli Access Manager for Enterprise Single Sign-On automates access to
corporate information, strengthens security, and enforces compliance at the
enterprise endpoints.
With Tivoli Access Manager for Enterprise Single Sign-On, you can:
• Efficiently manage business risks.
• Achieve regulatory compliance.
• Decrease IT costs.
• Increase user efficiency.
Many security compromises are caused by weak passwords. To counter such
threats, enterprises must strengthen their access control systems. Passwords
are not only the weakest link in the security chain, they are also expensive to
support. Passwords create both a security challenge and a management
problem. To reduce password management costs, enterprises might consider
conventional single sign-on solutions.
Conventional single sign-on reduces password management costs, but it can
also increase the exposure of an organization: it replaces multiple application
passwords with a single password to the single sign-on server, so one
compromised password opens every application behind it.
Weak application passwords and conventional single sign-on are not the right
solutions for the enterprise. These solutions simplify access, but weaken
security. Enterprises need an enterprise access security solution that simplifies,
strengthens, and tracks access for all digital and physical assets.
See the following topics for more information.
• Tivoli Access Manager for Enterprise Single Sign-On features on page 2
• Product components on page 5
• Authentication factors on page 6
• Tivoli Access Manager for Enterprise Single Sign-On usage on page 11
• Tivoli Access Manager for Enterprise Single Sign-On program icons on
page 14
• Policies, certificates, and other product concepts on page 14


Tivoli Access Manager for Enterprise Single Sign-On features


Tivoli Access Manager for Enterprise Single Sign-On delivers the following
capabilities, without changing the existing IT infrastructure.

Enterprise Single Sign-On with workflow automation

You have quick access to all corporate applications, such as Web, desktop,
generic computer terminal, legacy applications, and network resources, with
the use of a single, strong password on personal and shared workstations.
This feature:
• helps enterprises increase employee productivity.
• lowers IT Help desk costs.
• improves security by removing the need for users to remember and manage
many individual application passwords and the complex password policies
that go with them.
Tivoli Access Manager for Enterprise Single Sign-On uses single sign-on and
workflow automation on shared and personal workstations. You can automate
the entire access workflow, such as application login, drive mapping,
application launch, single sign-on, navigation to preferred screens, multistep
logon, and so on.
Single Sign-Off and configurable desktop protection policies ensure protection
of confidential corporate applications from unauthorized access. If you walk
away from a workstation without logging out, Tivoli Access Manager for
Enterprise Single Sign-On can be configured to enforce inactivity timeout
policies. Examples of timeout policies are configurable screen locks,
application logout policies, and graceful logoffs.

Strong authentication for all user groups


Tivoli Access Manager for Enterprise Single Sign-On provides strong
authentication for all user groups (inside and outside the corporate perimeter).
This feature prevents unauthorized access to confidential corporate
information and IT networks.
The solution uses multi-factor authentication devices, such as smart cards,
building access badges, proximity cards, mobile devices, photo badges,
biometrics, and one time password (OTP) tokens.
In addition to comprehensive support for authentication devices, Tivoli Access
Manager for Enterprise Single Sign-On focuses on using existing identification
devices and technologies for authentication.


Tivoli Access Manager for Enterprise Single Sign-On also provides iTag, a
patent-pending technology that can convert any photo badge or personal
object into a proximity device, which can be used for strong authentication.

Comprehensive session management capability


As organizations deploy more shared workstations and kiosks, more users
roam and access information from anywhere without using their personal
computers. Shared and roaming scenarios pose severe security threats.
When you walk away without logging off from a workstation or share a
generic logon, you risk exposing confidential information to unauthorized
access. Attempts to tighten security, enforce unique user logon, and comply
with regulations can lead to users being locked out of workstations, which
results in efficiency losses.
Organizations can increase user convenience and improve information
security through session management or fast user switching capabilities,
depending on the access needs of each user group. You can quickly sign on
and sign off to shared workstations without using the Windows domain login
process, and you can resume your work from where you left off.
You can maintain multiple unique user desktops on the same workstation by
switching from one private desktop to another. This feature preserves your
applications, documents, and network drive mappings, including those
belonging to other users sharing the workstation.
If you walk away from a session without logging out, you can set Tivoli
Access Manager for Enterprise Single Sign-On to enforce inactivity timeout
policies. It also supports hybrid desktops where organizations combine
different session management capabilities to meet the needs of your user
community.

User-centric access tracking for audit and compliance reporting
The audit and compliance reporting feature assists organizations with data
consolidation, user-centric audit log generation, security, and tamper-evident
audit capabilities across all endpoints (for example, personal or shared
workstations, Citrix, Windows Terminal Services, or Web browsers).
Combined with strong authentication capabilities, the user-centric audit logs
ensure secure access to confidential corporate information and accountability
at all times. The logs provide the meta-information that can guide compliance
and IT Administrators to a more detailed analysis by user, by application, or
by endpoint.
The information is collated in a central relational database. These logs
facilitate real-time monitoring and separate reporting with third-party
reporting tools.
Your organization can also use the endpoint automation framework to audit
custom access events for any application without modifying the application or
using the native audit functionality.

Secure remote access for easy, secure access anywhere, anytime
Secure Remote Access provides Web browser-based single sign-on to all
applications such as legacy, desktop, and Web applications from outside the
firewall.
Your organization can effectively and quickly enable secure remote access for
the mobile workforce without installing any desktop software and modifying
application servers.
Remote workers require only one password and an optional second
authentication factor to access corporate information from remote offices,
home computers, and mobile devices. When granted access, you can single
sign-on to corporate applications by clicking the application links available in
the Tivoli Access Manager for Enterprise Single Sign-On portal. Access can be
further protected through a Secure Sockets Layer (SSL) Virtual Private
Network (VPN).

Integration with user provisioning technologies


Tivoli Access Manager for Enterprise Single Sign-On combines with user
provisioning technologies to provide end-to-end identity lifecycle
management.
New employees, partners, or contractors get fast and easy access to corporate
information after being provisioned. When provisioned, you can use single
sign-on to access all your applications on shared and personal workstations
with one password.
You do not have to register each user name and password, as all your
credentials are automatically provisioned.

Use of Federal Information Processing Standards


A new installation of Tivoli Access Manager for Enterprise Single Sign-On
version 8.1 uses FIPS 140-2 compliant cryptographic algorithms through FIPS
compliant security providers such as GSKit and IBMJCEFIPS. Client
workstations running Microsoft Windows XP must have at least Service
Pack 3 applied for FIPS 140-2 compliance.
Important: Non-FIPS compliant algorithms are used in version 8.1 only when
it has been upgraded from version 8.0 or 8.0.1. An upgraded installation
therefore does not become FIPS compliant simply by moving to version 8.1.

Product components
This topic describes the main components of Tivoli Access Manager for
Enterprise Single Sign-On.
Table 1 describes each component. A typical installation uses some of these
components.

Table 1. Product components

AccessAgent
  The client software that manages user identity, enables sign-on and
  sign-off automation, manages sessions, and manages authentication.

AccessAdmin
  The management console that Administrators and Help desk officers use
  to administer the IMS Server, to manage users, and to manage policies.

AccessAssistant
  The Web-based interface that provides password self-help. Use
  AccessAssistant to obtain the latest credentials and to log on to
  applications. Use the Web automatic sign-on feature to log on to
  enterprise Web applications by clicking links instead of entering
  passwords.

AccessStudio
  The interface used for creating AccessProfiles that enable sign-on or
  sign-off automation and fortified passwords.

IMS Bridge
  The IMS Service Modules that enable applications to use the IMS Server
  as an authentication server.

IMS Connector
  Add-on modules to the IMS Server that extend its capabilities with
  interfaces to other applications.

IMS Server
  The integrated management system that provides a central point of
  secure access administration for an enterprise. It enables centralized
  management of user identities, AccessProfiles, and authentication
  policies. It also provides loss management, certificate management,
  and audit management for the enterprise.

IMS Service Module
  Add-on modules that extend the basic services provided by the IMS
  Server, such as user management, policy management, and certificate
  issuance.

Web Workplace
  The Web-based interface for logging on to enterprise Web applications
  by clicking links without entering the passwords for individual
  applications. It can be integrated with your existing portal or SSL VPN.

Note: Antivirus software can interfere with AccessAgent or the IMS Server.
For more information, see the IBM Tivoli Access Manager for Enterprise Single
Sign-On Troubleshooting and Support Guide.

Authentication factors
Authentication factors come in different forms and functions. Except for
password and fingerprint, you can access systems and applications with a
device that works like a key.
Smart cards and RFID cards, for example, are about the same size as credit
cards, and can be easily attached to key rings.
See the following topics for more information.
• TAM E-SSO Password
• Secrets on page 7
• Second authentication factors on page 7
• Presence detectors on page 10

TAM E-SSO Password


The TAM E-SSO Password secures access to your Wallet. The length of the
password ranges from six to 20 characters, depending on the preference of
your organization. When you sign up with AccessAgent, you must specify a
password. You can use the enterprise directory password as your password.
Signing up with AccessAgent entails registering with the IMS Server and
creating a Wallet. All application credentials are stored in your Wallet. Signing
up ensures that your credentials are backed up on the server and are
retrievable when needed.
You can associate your Wallet with a second authentication factor (such as a
smart card, Active Proximity Badge, RFID card, and other devices). The
second authentication factor reinforces your password and protects the
contents of your Wallet.
Use the following guidelines for specifying a TAM E-SSO Password:

IBM Tivoli Access Manager for Enterprise Single Sign-On: Policies Definition Guide

v Choose a password that is lengthy, unique, and a combination of upper and


lowercase letters and numbers.
v Do not use any of these as passwords: dictionary words, the name of your
pet, the name of your spouse or friend, or important dates (for example, a
birth date or an anniversary date).
v Never tell anyone your password, not even to the Help desk officer or
Administrator.
v Never write down your password.
v Change your password as often as possible.
AccessAgent locks your Wallet after five consecutive logon attempts with an
incorrect password. Your organization sets the number of allowed attempts, so
the actual limit might differ.

Secrets
You might be asked to enter a secret after signing up for your Wallet,
depending on the preference of your organization. It is like specifying hints in
case you forget the password for a Web e-mail account.
The secret is something that:
v you would not forget, even if you do not use the secret for a long time.
v is not likely to change.
Note: You can use all the characters in the ISO Latin-1 character set in
creating secrets, except for the following characters:
v
v
When you sign up, you must select one or more questions from a list and
provide answers. If the self-service feature is enabled, you might need to
specify more than one secret.
In case you forget your password, you can use the secret to set a new
password. You can also use the secret and an authorization code to gain
temporary access to your cached Wallet. The Help desk officer gives you the
authorization code.

Second authentication factors
The TAM E-SSO Password can be fortified by a second authentication factor.
The combination of the password and an RFID, for example, strengthens
security because both authentication factors must be present to access your
computer.

Chapter 1. About Tivoli Access Manager for Enterprise Single Sign-On

Based on the security policy of your organization, you might be required to
use one of the following authentication factors.
Important: The USB Key as an authentication factor is no longer supported.

ActiveCode
ActiveCodes are short-term authentication codes controlled by the system.
ActiveCodes enhance the security of traditional password-based
authentication for applications. ActiveCodes are random passwords that can
only be used one time by an authorized user. Combined with alternative
channels and devices, ActiveCodes provide effective second-factor
authentication.
There are two types of ActiveCodes:
v Mobile ActiveCode
A Mobile ActiveCode is a randomly generated, event-based one-time
password (OTP). The Mobile ActiveCode is generated on the IMS Server
and delivered through a secure second channel, such as short message
service (SMS) on mobile phones. It is used for strong authentication.
v Unified ActiveCode
The Unified ActiveCode is a predictive one-time password used for strong
authentication. The Unified ActiveCode generator is built into AccessAgent.

Smart card
A smart card is a pocket-sized card that has an embedded microprocessor.
Smart cards can do cryptographic operations, and are used to store and
process the digital credentials of the users securely.
A smart card can be used as an authentication factor. The product provides
certificate-based strong authentication when you access your Credential Wallet
using a smart card.
Important: The smart card PIN is not related to the TAM E-SSO password.
The product does not manage the smart card PIN.

Radio Frequency Identification (RFID) card
An RFID card is an electronic device whose stored identification information
is read over radio frequency signals by an RFID reader. RFID works on the
concept of proximity: tap the RFID card on the RFID reader to gain access to
your credentials.

The RFID reader is an additional piece of hardware that you must install on
every machine that uses the RFID card for authentication. The RFID card itself
has no storage capacity; it carries no credentials, only the identifier that
the reader reads.
An RFID card can also be used for unified access, so you can access a
computer and have access to doors or elevators.
Note: Tivoli Access Manager for Enterprise Single Sign-On has a Service
Provider Interface (SPI) for devices that contain serial numbers, like RFID. The
SPI makes it easier for vendors to integrate any device with serial numbers
and use it as a second factor in AccessAgent. For more information, see the
IBM Tivoli Access Manager for Enterprise Single Sign-On Serial ID SPI Guide at
the Tivoli Access Manager for Enterprise Single Sign-On information center.

Active Proximity Badge
The Active Proximity Badge works almost the same way as a typical RFID
card. The Active Proximity Badge has an RFID, and works with a proximity
reader. However, the Active Proximity Badge differs from an RFID card in the
proximity range.
With a typical RFID card, your card must be close to the reader. With an
Active Proximity Badge, your organization can set the distance for detection.
For example, your Active Proximity Badge can be 2 m away from the reader,
and it is detected from that distance.

Fingerprint identification
The Fingerprint Identification system recognizes your fingerprint as an
authentication factor. The fingerprint reader translates your fingerprint into
an encrypted template, which is used to log you on to AccessAgent.
Tivoli Access Manager for Enterprise Single Sign-On 8.1 supports the
following biometric service provider and fingerprint readers:
v BIO-key Biometric Service Provider (BSP) 1.9_262
v DigitalPersona 3.2.0
v UPEK 2.0 and UPEK 3.0
The BIO-key Biometric Service Provider (BSP) is a biometric middleware. This
is used so that the product can work with any fingerprint reader that is
already supported by BIO-key. See BIO-key's list of supported devices.
Note: The integration with BIO-key BSP does not support DigitalPersona in
this release.

Presence detectors
A presence detector is a device that detects your presence in its vicinity. When
affixed to a computer, the device can notify AccessAgent when you are in
front of the computer or when you move away. This feature eliminates your
effort of manually locking the computer when you leave the computer for a
short time.

Sonar device
The sonar-based presence detector locks a workstation immediately when you
walk away, without waiting for the desktop inactivity timeout. The device uses
40 kHz ultrasonic sound waves (a frequency too high for people to hear). It
detects within a range of five inches to five feet. You can move within that
zone without triggering a walk-away event.
The device is attached to the USB port of your computer and is configured by
the system as a keyboard. When you move away from the computer, the
device sends keystrokes to your computer. When you approach the computer,
the device can send a different set of keystrokes to your computer.
You can set AccessAgent to intercept these keystrokes and perform
appropriate actions (for example, to lock the computer). The sonar can be
combined with building badges (for example, RFID cards) for a more robust
walk-away lock.
The sonar device is not used with Active Proximity Badge since the Active
Proximity Badge is also a presence detector.
Any other supported authentication factors can be used with the
pcProx-Sonar, such as:
v Password only
v RFID
v Fingerprint
v Smart card
The behavior of a sonar-based presence detector can be configured to be like
an Active Proximity Badge. However, sonar-based presence detectors cannot
store a unique ID to identify a user.

Active Proximity Badge as both second factor and presence detector
The Active Proximity Badge is both a second factor and a presence detector. It
can detect your presence, and you can set AccessAgent to perform specific
actions.

Note: The presence detector policies (for example,
pid_presence_detector_enabled) are not applicable to Active Proximity Badge.

Tivoli Access Manager for Enterprise Single Sign-On usage
Tivoli Access Manager for Enterprise Single Sign-On supports two main usage
configurations: personal workstation and shared workstation.
For policy settings based on usage configuration, see the IBM Tivoli Access
Manager for Enterprise Single Sign-On Policies Definition Guide.

Personal workstation configuration
The personal workstation configuration is suited to organizations
where users are assigned their own workstations. The smart card is the
common authentication factor for this type of usage configuration. The setup
procedure and workflow are the same, regardless of the selected
authentication factor.
You sign up from EnGINA, desktop, or a locked computer at startup, and use
the appropriate authentication factor.
You can also sign up without an authentication factor and register later. For
example, you can sign up without the smart card and log on to AccessAgent
later with the TAM E-SSO Password, provided it is set in your authentication
policy.
To lock the computer, remove or tap your authentication factor. To unlock the
computer, reinsert or tap your authentication factor.

Shared workstation configuration
The shared workstation configuration is for organizations where users share
common workstations. This usage configuration requires efficient switching
between users.
Authentication factors (except the smart card for private and roaming
desktops) are used for this type of usage configuration.
Tivoli Access Manager for Enterprise Single Sign-On supports fast user
switching through the following desktop schemes or modes.
v Shared desktops on page 12
v Private desktops on page 12
v Roaming desktops on page 13
Note: These schemes do not use the Windows XP Fast User Switching feature.

Shared desktops
Shared desktops allow multiple users to share a generic Windows desktop.
Switching of users can be done quickly and efficiently.
Without shared desktops, switching from User A to User B causes the
applications of User A to be lost, and User A must launch the applications
again. Set up AccessProfiles to automatically log off enterprise applications
when user switching occurs.
RFID, fingerprint readers, and smart cards are the authentication factors for
this usage configuration.
With shared desktops, you can access a workstation by signing up (for
example, from EnGINA, desktop, or a locked computer) and tapping your
RFID card. You can also sign up without your RFID card and register later
when the cards are already available. After completing the sign-up process,
you can then log on to AccessAgent.
When another user taps an RFID card on your desktop, switching is invoked,
either from the desktop or from the locked computer screen.
After the new user supplies a valid password, AccessAgent unlocks your
computer (if locked), logs you off, and then logs on the new user to the
Wallet. If the new user logged on to other computers with the same RFID and
Password in a set time range during the day, the new user might not be
required to enter a password.

Private desktops
Private desktops allow you to have your own Windows desktop in a
workstation. When a previous user returns to the workstation and unlocks it,
AccessAgent switches to the desktop session of the previous user and resumes
the last task.
Your existing desktop might have to be logged off if the workstation runs out
of resources, such as memory, so that another user can log on. If you then log
on to another workstation, restart the application.
To manage multiple desktops on a single workstation, the private desktop
scheme uses the Local User Session Management feature of AccessAgent that
uses a component called Desktop Manager.
Logging on from the EnGINA welcome screen is not supported by Local User
Session Management. Workstations are configured to automatically log on to a
generic Windows account upon startup, and then the computer is locked.

Note: This generic Windows account must not be a registered user. Use a
local computer account.
All your users will log on to the workstation from the locked screen. All users
must tap their RFID cards when they sign up. They can also sign up without
the RFID cards and register these second factors later. After completing the
sign-up process, you can then log on to AccessAgent.
Note: You are not logged on to AccessAgent if you are using an auto-admin
account.
When another user taps an RFID card to switch to another desktop, that user is
logged on (if there is no existing invisible session for the user) or the
workstation is unlocked (if the user already has an invisible session).
The following Wallet authentication options are supported:
v Password
v RFID+Password
v Smart card
v Active Proximity Badge+Password
v Fingerprint
If you log on to Windows sessions using your own Active Directory
credentials, Local User Session Management requires that synchronization of
the TAM E-SSO Password with the Active Directory password be enabled.
For deployments where smart card logon to Windows is enabled and smart
card logon is enforced, disable Active Directory password synchronization.

Roaming desktops
Roaming desktops have your Windows desktops "roam" to any access point,
from workstation to workstation. You can disconnect from a desktop or
application session at one client, log on to another client, and continue a
desktop or application session at a new client. Roaming desktops give you the
ability to access and preserve your desktops, regardless of which computers
you use.
This scheme requires Terminal Server or Citrix. This setup is especially useful
for a shared workstation environment, where you can roam from one
workstation to another, depending on your current location.

Tivoli Access Manager for Enterprise Single Sign-On program icons
The following icons are used in Tivoli Access Manager for Enterprise Single
Sign-On.

Application icons
Icon                    Description
[icon not reproduced]   This icon represents AccessAgent on the desktop.
[icon not reproduced]   This icon represents the IMS Server on the desktop.

Notification area icons
Icon                    Description
[icon not reproduced]   No one is logged on to AccessAgent.
[icon not reproduced]   AccessAgent is operating normally.
[icon not reproduced]   When the icon is flashing, AccessAgent is:
                        v synchronizing an authentication factor with the IMS Server
                        v logging on the user
[icon not reproduced]   Single sign-on or automatic sign-on is currently disabled.

Policies, certificates, and other product concepts
Use this topic to learn more about some of the common terms used by the
product.
Tivoli Access Manager for Enterprise Single Sign-On incrementally moves
enterprise access from password authentication to strong digital identity-based
authentication in the following manner:
v Provide sign-on and sign-off automation to enterprise applications
v Fortify sign-on by using authentication management
v Provide seamless transition from passwords to certificates
See the following sections for definitions of some terms used in Tivoli Access
Manager for Enterprise Single Sign-On.
v Credentials on page 15
v Enterprise identity
v Enterprise applications
v Personal applications on page 16
v User, system, and machine policies on page 16

Credentials
Credentials refer to user names, passwords, certificates, and any other
information required for authentication. An authentication factor can serve as
a credential. In Tivoli Access Manager for Enterprise Single Sign-On,
credentials are stored and secured in your Wallet.

Enterprise identity
In an enterprise, you have multiple user accounts for different types of
applications such as e-mail, portal, human resources system, and Web access.
One of these identities is used to authenticate users, and provide access to the
enterprise network.
For example, you might be required to log on to Windows and access the
network by entering your user name and password. This feature is also called
an enterprise identity.
The enterprise must identify the solution that it uses for identity
management. That solution verifies the identities of users who log on with
Tivoli Access Manager for Enterprise Single Sign-On keys, and links the IMS
Server with the enterprise directory that manages your users.
This policy is set before deployment and sets the foundation of how the
system works. You can change the policy later using AccessAdmin. The
enterprise identity binding must be a system or application that the enterprise
identifies as a long-term investment, one that will not be changed, removed,
or replaced soon.

Enterprise applications
The enterprise must select the applications to include in the enterprise
application list.
Enterprise applications are specific to the business of an enterprise and
controlled by an Administrator.
See this list for some characteristics of an enterprise application:
v Managed through the IMS Server by the information technology
department of the enterprise
v Passwords are grouped by authenticating directories
v Audit logs are generated and stored in the IMS Server
v User accounts are pre-created
v User account entries cannot be deleted in AccessAgent
v Passwords can be fortified
v Password entries cannot be set to Never in AccessAgent
Examples of enterprise applications are:
v Microsoft Windows
v Active Directory
v SAP
v PeopleSoft
v Oracle
v Novell
Enterprise applications can be added or removed after deployment. However,
these applications are implemented in a global policy, which means all users
have access to the same enterprise applications.

Personal applications
The enterprise must specify whether the users can use AccessAgent and Tivoli
Access Manager for Enterprise Single Sign-On keys for personal applications.
Personal applications are applications that users can specify if they want
AccessAgent to store and enter their user names and passwords. Some
examples of personal applications are IBM Lotus Notes, IBM Lotus
Sametime Connect, and online banking sites.
This policy is implemented as a global policy, where users are allowed or not
allowed to use AccessAgent with personal applications. You cannot grant or
deny access to specific users.

User, system, and machine policies
Tivoli Access Manager for Enterprise Single Sign-On uses policies to control
the behavior of the product components.
These policies are configurable through various means, so the product can
meet specific organizational requirements. Policies have different visibilities
and scopes, and are managed by different roles.
Policies might be applicable system-wide, or only to certain groups of users or
machines. The applicability of a policy is determined by the policy scope such
as the system, user, or machine.
v System: Policy is system-wide
v User: Policy affects only a specific user
v Machine: Policy affects only a specific machine

System, machine, and user policies can be configured using AccessAdmin.
Changes to these policies are propagated to clients the next time AccessAgent
synchronizes with the IMS Server (for example, in 30 minutes).
Note: Not all user policies are updated in real time. Some policies require the
machine to be restarted for the changes to take effect.
After a machine joins the IMS Server, the IMS Server applies a machine policy
template to it, and the resulting machine policies are synchronized
automatically to AccessAgent.
There can be several machine policy templates defined in the IMS Server. One
of these templates is set as the default.
Through AccessAdmin, system policies and machine policies can be modified
by an Administrator. However, a Help desk officer can only view system and
machine policies. User policies can be modified by either an Administrator or
a Help desk officer.
A policy might be defined for different scopes. For example, the desktop
inactivity policy might define the desktop inactivity time out duration for one
machine or for the entire system. If this policy is defined for both scopes, a
priority is defined, in case the time-out value is different for the machine and
for the entire system.
If the policy priority is "machine", only the machine policy would be effective.
A command-line tool (CLT) allows Administrators to view and set policy
priorities. For more information, see IBM Tivoli Access Manager for Enterprise
Single Sign-On Policies Definition Guide.
Policies might be dependent on other policies. For example, the hot key action
policy is only effective if the hot key is enabled. If the latter is disabled, the
setting for the hot key action policy does not affect users.
Some groups of policies have overlapping scopes. For example, these policies
have a system scope, but the range of entities that they affect are different:
v Wallet inject password entry option default policy
(pid_wallet_inject_pwd_entry_option_default )
This policy defines the default password entry option for all authentication
services and applications.
v Authentication inject password entry option default policy
(pid_auth_inject_pwd_entry_option_default)
This policy defines the default password entry option for a specific
authentication service.
v Application inject password entry option default policy
(pid_app_inject_pwd_entry_option_default)
This policy defines the default password entry option for a specific
application.
In general, application-specific policies override authentication service-specific
policies, which in turn, override general Wallet policies. In this case, the
Wallet inject password entry option default policy
(pid_wallet_inject_pwd_entry_option_default) is used when the other two
policies are not defined for a particular authentication service or application.
However, if the Authentication service inject password entry option default
policy (pid_auth_inject_pwd_entry_option_default) is defined for an
authentication service, it overrides the Wallet inject password entry option
default policy (pid_wallet_inject_pwd_entry_option_default) when a default
password entry option is needed for the authentication service.
Similarly, if the Application inject password entry option default policy
(pid_app_inject_pwd_entry_option_default) is defined for a particular
application, it overrides the other two policies.
User-specific policies generally override system-wide policies, but this setting
also depends on the current policy priority. If a policy has both user and
system scopes, for example, the Authentication accounts maximum policy
(pid_auth_accounts_max), the user scope setting is always effective if it is
defined. If the user scope setting is not defined for a particular user, the
system scope setting becomes effective.

Chapter 2. About policies
Tivoli Access Manager for Enterprise Single Sign-On uses policies to control
the behavior of the product components.
Tivoli Access Manager for Enterprise Single Sign-On policies are configurable
to meet specific organizational requirements. Policies have different visibilities
and scopes, and are managed by different roles.
Each policy is identified by its policy ID with pid in the prefix (for example,
pid_wallet_authentication_option).
Policies are applicable system-wide, or only to certain groups of users or
computers. The applicability of a policy is determined by scope - system, user,
or machine.
v System: The policy is applicable system-wide.
v User: The policy affects a specific user.
v Machine: The policy affects a specific computer.
System, machine, and user policies are configured using AccessAdmin.
Changes to these policies are propagated to the components the next time
AccessAgent synchronizes with the IMS Server.
Machine policies are typically configured in AccessAdmin. You can also
configure machine policies through the Windows registry when the
pid_machine_policy_override_enabled policy is set to Yes.
An Administrator can modify system and machine policies using
AccessAdmin. A Help desk officer can only view system and machine
policies. An Administrator or Help desk officer can modify user policies.
A policy might be defined for more than one scope. For example,
pid_desktop_inactivity_mins defines the desktop inactivity timeout duration
for a computer or for the entire system.
If this policy is defined for both scopes, set a priority in case the timeout
value is different for the computer and the entire system. For more
information about setting policy priorities, see Viewing and setting policy
priorities on page 22.
Policies might be dependent on other policies. For example,
pid_enc_hot_key_action is only effective if pid_enc_hot_key_enabled is set to
True. If the latter is set to False, any setting for pid_enc_hot_key_action does
not affect users. The dependencies are described later in this section.
Some groups of policies have overlapping scopes. For example, policies with
system scopes have different ranges of entities that they affect.
v Wallet inject password entry option default policy
(pid_wallet_inject_pwd_entry_option_default )
This policy defines the default password entry option for all authentication
services and applications.
v Authentication inject password entry option default policy
(pid_auth_inject_pwd_entry_option_default )
This policy defines the default password entry option for a specific
authentication service.
v Application inject password entry option default policy
(pid_app_inject_pwd_entry_option_default)
This policy defines the default password entry option for a specific
application.
In general, application-specific policies override authentication service-specific
policies, which in turn, override general Wallet policies. The Wallet inject
password entry option default policy
(pid_wallet_inject_pwd_entry_option_default) is used when the other two
policies are not defined for a particular authentication service or application.
However, if the Authentication service inject password entry option default
policy (pid_auth_inject_pwd_entry_option_default) is defined for an
authentication service, it overrides the Wallet inject password entry option
default policy (pid_wallet_inject_pwd_entry_option_default) when a default
password entry option is needed for the authentication service.
Similarly, if the Application inject password entry option default policy
(pid_app_inject_pwd_entry_option_default) is defined for a particular
application, it overrides the other two policies.
User-specific policies generally override system-wide policies, but this
also depends on the policy priority. For example, the Authentication accounts
maximum policy (pid_auth_accounts_max) has both user and system scopes.
The user scope setting is always effective if it is defined. If the user scope
setting is not defined for a user, the system scope setting becomes effective.
Administrators use a command-line tool (CLT) to view and set policy
priorities. For more information, see Viewing and setting policy priorities on
page 22.
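The precedence rules above, which restate the ones given in Chapter 1 under "User, system, and machine policies", can be made concrete with a small resolver. The following Python is an added example written for this edit, not product code: the in-memory dictionaries stand in for the IMS Server database and for a machine's Windows registry, the policy IDs are the ones named in the text, and the user, machine, application and authentication-service names and the option values ("Always", "Ask", "Never") are constructed sample data. It applies a managePolPriority-style scope order (the scope at position 1 wins, falling through to the next scope when no value is defined there), lets a local registry value override the AccessAdmin machine value only when pid_machine_policy_override_enabled is 1 on that machine, and layers the three inject-password-entry-option defaults application, then authentication service, then Wallet.

```python
"""Policy resolution model for scoped TAM E-SSO policies (added example, not product code)."""
from dataclasses import dataclass, field
from typing import Any, Dict, Optional, Tuple

SYSTEM = "*"  # entity key for a system-wide value


@dataclass
class PolicyStore:
    # values[pid][scope][entity]: entity is a user, machine, application or
    # authentication-service name, or SYSTEM. Stands in for the IMS Server.
    values: Dict[str, Dict[str, Dict[str, Any]]] = field(default_factory=dict)
    # priority[pid]: scopes in managePolPriority order, position 1 first.
    priority: Dict[str, Tuple[str, ...]] = field(default_factory=dict)
    # registry[machine][pid]: stand-in for that machine's [DO]/[DIMS] entries.
    registry: Dict[str, Dict[str, Any]] = field(default_factory=dict)

    def set(self, pid: str, scope: str, value: Any, entity: str = SYSTEM) -> None:
        self.values.setdefault(pid, {}).setdefault(scope, {})[entity] = value

    def set_priority(self, pid: str, *scopes: str) -> None:
        """Like managePolPriority --scope: the first scope listed gets priority 1."""
        self.priority[pid] = scopes

    def set_registry(self, machine: str, pid: str, value: Any) -> None:
        self.registry.setdefault(machine, {})[pid] = value

    def lookup(self, pid: str, scope: str, entity: str) -> Optional[Any]:
        """Value defined for exactly one scope/entity, or None if undefined."""
        ims_value = self.values.get(pid, {}).get(scope, {}).get(entity)
        if scope != "machine":
            return ims_value
        # A registry entry overrides the AccessAdmin machine value only when
        # pid_machine_policy_override_enabled is 1 on that machine.
        override_on = (self.values.get("pid_machine_policy_override_enabled", {})
                       .get("machine", {}).get(entity) == 1)
        local = self.registry.get(entity, {})
        if override_on and pid in local:
            return local[pid]
        return ims_value

    def resolve(self, pid: str, user: Optional[str] = None,
                machine: Optional[str] = None) -> Tuple[Optional[Any], Optional[str]]:
        """Effective value and the scope it came from, following the priority
        order and falling through scopes where no value is defined."""
        order = self.priority.get(pid, ("user", "machine", "system"))
        entity_for = {"system": SYSTEM, "user": user, "machine": machine}
        for scope in order:
            entity = entity_for[scope]
            if entity is None:
                continue
            value = self.lookup(pid, scope, entity)
            if value is not None:
                return value, scope
        return None, None


def resolve_inject_option(store: PolicyStore, application: Optional[str] = None,
                          auth_service: Optional[str] = None) -> Tuple[Optional[Any], Optional[str]]:
    """Default password entry option: application-specific, then authentication
    service-specific, then the Wallet-wide default. Returns (value, policy ID)."""
    layers = (
        ("pid_app_inject_pwd_entry_option_default", application),
        ("pid_auth_inject_pwd_entry_option_default", auth_service),
        ("pid_wallet_inject_pwd_entry_option_default", SYSTEM),
    )
    for pid, entity in layers:
        if entity is None:
            continue
        value = store.lookup(pid, "system", entity)
        if value is not None:
            return value, pid
    return None, None


def build_sample_store() -> PolicyStore:
    """Constructed sample data: entity names and option values are not from the guide."""
    s = PolicyStore()
    # Desktop inactivity timeout defined at two scopes; machine holds priority 1.
    s.set("pid_desktop_inactivity_mins", "system", 15)
    s.set("pid_desktop_inactivity_mins", "machine", 5, "ward-pc-01")
    s.set_priority("pid_desktop_inactivity_mins", "machine", "system")
    # kiosk-02 allows the registry override, ward-pc-01 does not.
    s.set("pid_machine_policy_override_enabled", "machine", 1, "kiosk-02")
    s.set("pid_desktop_inactivity_mins", "machine", 5, "kiosk-02")
    s.set_registry("kiosk-02", "pid_desktop_inactivity_mins", 2)
    s.set_registry("ward-pc-01", "pid_desktop_inactivity_mins", 2)  # ignored
    # Authentication accounts maximum: user scope wins whenever it is defined.
    s.set("pid_auth_accounts_max", "system", 1)
    s.set("pid_auth_accounts_max", "user", 3, "alice")
    s.set_priority("pid_auth_accounts_max", "user", "system")
    # Password entry option defaults at the three layers (sample option names).
    s.set("pid_wallet_inject_pwd_entry_option_default", "system", "Always")
    s.set("pid_auth_inject_pwd_entry_option_default", "system", "Ask", "ActiveDirectory")
    s.set("pid_app_inject_pwd_entry_option_default", "system", "Never", "SAP GUI")
    return s


if __name__ == "__main__":
    store = build_sample_store()
    for machine in ("ward-pc-01", "kiosk-02", "other-pc"):
        print(machine, store.resolve("pid_desktop_inactivity_mins", machine=machine))
    print(resolve_inject_option(store, application="Notes", auth_service="ActiveDirectory"))
```

Flipping the priority order with set_priority to ("system", "machine") makes the system value win even where a machine value exists, which is the behaviour to expect after changing a priority with the command-line tool.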

Policy legends
Policies can be modified only by Help desk officers and Administrators. These
policies affect the behavior of the whole system and must only be modified
when it is necessary. These policies must be set at deployment and followed
through.
Attribute     Description

Policy ID     Unique identifier of the policy.

Description   Description of the policy, including a list of the possible
              behaviors specified by the policy. The product version that
              implements this policy is also indicated.

Registry      The entry in the Windows Registry (for Machine policies)
              or the IMS Server (for System, User, and Machine policies):
              v [DO] is [HKEY_LOCAL_MACHINE\SOFTWARE\Encentuate\DeploymentOptions]
              v [DIMS] is [HKEY_LOCAL_MACHINE\SOFTWARE\Encentuate\IMSService\DefaultIMSSettings]
              v [GIMS] is [HKEY_LOCAL_MACHINE\SOFTWARE\Encentuate\IMSService\GlobalIMSSettings]
              v [T] is [HKEY_LOCAL_MACHINE\SOFTWARE\Encentuate\Temp]

IMS Entry     The entry in the IMS Server for System and User policies.
              If this column is blank, the value must be set in the
              registry. Otherwise, the column gives the name under which
              the policy is set in the IMS Server.

Type          The data type of this policy in the IMS Server or Windows
              Registry.

Values        Possible values of the policy.
              The default value is indicated by an asterisk (*). The default
              value is used if the policy is not specified or if the
              specified value is not valid.
              The refresh frequency is also indicated here. It states when
              a policy becomes effective after it is changed:
              v Refreshed on use: The policy is read from the IMS Server or
                registry every time it is used, so changes are effective
                immediately.
              v Refreshed on sync: The policy is read from the IMS Server or
                registry entry only on the next synchronization with the
                IMS Server.
              v Refreshed on logon: The policy is read from the IMS Server or
                registry entry only on the next AccessAgent logon.
              v Refreshed on startup: The policy is read from the IMS Server
                or registry entry only on system startup.

Scope         The scope of applicability of the policy. Values:
              v System: Policy is system-wide
              v Machine: Policy affects only a specific machine
              v User: Policy affects only a specific user
              System and User policies, as well as selected Machine
              policies, can be configured using AccessAdmin. If
              pid_machine_policy_override_enabled is 1, machine
              policies can also be specified as Windows registry entries
              on individual machines, and they override the ones
              defined using AccessAdmin.
              A policy might be defined for different scopes. For
              example, pid_desktop_inactivity_mins might define the
              desktop inactivity timeout duration for a machine or for a
              user. If a policy is defined for both scopes, define a
              priority in case the timeout value differs between the
              machine and the user. If the policy priority is machine,
              only the machine policy is effective.
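To see why a change made in AccessAdmin can look as if it has not applied, the following Python simulates one AccessAgent client against the IMS Server copy of its policies and replays client events. This is an added example for this edit, not product code: only the four refresh classes come from the legend above; the refresh class assigned to each of the four policy IDs, the values, and the event sequence are constructed sample data (the legend entry of each real policy states its actual refresh frequency).

```python
"""Simulates when a changed policy takes effect on one AccessAgent client
(added example, not product code)."""
from enum import Enum
from typing import Dict, Iterable, List


class Refresh(Enum):
    """The four refresh frequencies from the policy legend."""
    ON_USE = "use"          # re-read every time it is used: effective immediately
    ON_SYNC = "sync"        # re-read on the next synchronization with the IMS Server
    ON_LOGON = "logon"      # re-read on the next AccessAgent logon
    ON_STARTUP = "startup"  # re-read only on system startup


# Constructed sample classification. The legend entry of each real policy
# states its actual refresh frequency; these assignments are assumptions.
REFRESH_CLASS: Dict[str, Refresh] = {
    "pid_desktop_inactivity_mins": Refresh.ON_USE,
    "pid_auth_accounts_max": Refresh.ON_SYNC,
    "pid_enc_hot_key_enabled": Refresh.ON_LOGON,
    "pid_second_factors_supported_list": Refresh.ON_STARTUP,
}


class AccessAgentView:
    """The policy values one client acts on, compared with the IMS Server copy."""

    def __init__(self, server: Dict[str, object], refresh_class: Dict[str, Refresh]):
        self.server = server            # live IMS Server values (shared dict)
        self.refresh_class = refresh_class
        self.cache = dict(server)       # what the client read last time

    def event(self, name: str) -> List[str]:
        """Replay a client event ('sync', 'logon' or 'startup') and return the
        policy IDs re-read from the server because of it."""
        reread = sorted(pid for pid, cls in self.refresh_class.items()
                        if cls.value == name)
        for pid in reread:
            self.cache[pid] = self.server[pid]
        return reread

    def effective(self, pid: str) -> object:
        """Value the client uses now: a refreshed-on-use policy is never cached."""
        if self.refresh_class[pid] is Refresh.ON_USE:
            return self.server[pid]
        return self.cache[pid]

    def stale(self) -> List[str]:
        """Policies whose client-effective value still differs from the server."""
        return sorted(p for p in self.server if self.effective(p) != self.server[p])


def replay(view: AccessAgentView, events: Iterable[str]) -> Dict[str, List[str]]:
    """Apply events in order; map each event name to what is still stale after it."""
    remaining: Dict[str, List[str]] = {}
    for name in events:
        view.event(name)
        remaining[name] = view.stale()
    return remaining


def build_sample_view() -> AccessAgentView:
    """Client caches four policies, then an Administrator changes all four."""
    server: Dict[str, object] = {
        "pid_desktop_inactivity_mins": 15,
        "pid_auth_accounts_max": 1,
        "pid_enc_hot_key_enabled": False,
        "pid_second_factors_supported_list": "RFID",
    }
    view = AccessAgentView(server, REFRESH_CLASS)
    server["pid_desktop_inactivity_mins"] = 5            # constructed new values
    server["pid_auth_accounts_max"] = 3
    server["pid_enc_hot_key_enabled"] = True
    server["pid_second_factors_supported_list"] = "RFID,Fingerprint"
    return view


if __name__ == "__main__":
    v = build_sample_view()
    print("stale before any event:", v.stale())
    for ev, still in replay(v, ["sync", "logon", "startup"]).items():
        print(f"after {ev}: still stale {still}")
```

The point of the replay is the last column: a policy classed "refreshed on startup" stays stale through any number of synchronizations and logons, which matches the restart requirement stated in the pid_second_factors_supported_list entry.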

Frequently used policies

Viewing and setting policy priorities
Use this topic to view and set policy priorities.

If a policy is defined for two scopes (for example, machine and system, user
and system, or machine and user), define a priority in case the values differ
between the scopes. For example, if the policy priority is "machine", then
only the machine policy is effective.
Policies can be modified only by Help desk officers and Administrators. These
policies affect the behavior of the whole system and must only be modified
when it is necessary.
These policies are set at deployment and followed through. Changes to these
policies are propagated to clients the next time AccessAgent synchronizes
with the IMS Server.
Important: Older versions of AccessAgent still use the original policy
priorities, and their values do not change after you upgrade the IMS Server. To
change policy priorities, upgrade all installations of AccessAgent to version
8.0 or later, and then launch the command prompt (Start > Run, type cmd).

Viewing policy priorities
Use the managePolPriority.bat command-line tool (CLT) to view policy
priorities.

Before you begin
Run setupCmdLine.bat to set WAS_PROFILE_HOME to the WebSphere Application
Server profile in which the IMS Server is installed.

Procedure
1. Launch the Windows command prompt (Start > Run, type cmd).
2. Navigate to the batch file folder.
Enter cd <IMS installation folder>\bin, then press Enter.
3. Enter managePolPriority.bat to view the usage information for the batch
file, then press Enter.
4. To view the scope and priority of a specific policy, enter
managePolPriority --policyId [name of policy], then press Enter.

Results
The scope and priority of a policy are displayed.

What to do next
Close the command-line prompt window after viewing the information.


To change the priorities of a policy, go to Setting the priorities of a policy.

Setting the priorities of a policy


Use the managePolPriority.bat command-line tool (CLT) to view and modify policy priorities.

About this task

This CLT allows Administrators to retrieve the priority of a given policy, as well as set its priority by identifying a valid policy ID and scope.

Procedure
1. Launch the Windows command prompt (Start > Run, type cmd).
2. Navigate to the batch file folder.
Enter <IMS installation folder>\bin, then press Enter.
3. To change the scope of the policy, enter the following information:
managePolPriority --policyId [name of policy] --scope [scp ims or scp machine] --templateId [template ID]
The scope that is given highest priority is assigned a value of 1, the next scope is assigned a value of 2, and so on.
Note: Provide a template ID to specify the assigned template of the machine, user, or system.
4. Press Enter.
5. Type exit to close the command prompt.


Chapter 3. AccessAgent configuration policies


pid_second_factors_supported_list
Description: The second factors supported on this machine. Controls the Wallet registration policy. This policy also imposes a constraint on the Wallet locks available for logon.
Note:
1. If the user decides to switch second factors (for example, from ARFID to RFID), a machine restart is required.
2. If there is a GINA replacement, this policy is only updated on machine restart.
3. If there is no GINA replacement, this policy is only updated when a new Windows session is created (for example, when the user logs on to Windows, not when the user unlocks a Windows session).
4. Modifying this policy requires a machine restart to implement the changes.
Registry: [DO] "SecondFactorsSupportedList"
IMS Entry: Authentication second factors supported
Type: String list (MULTI_SZ)
Values:
#RFID
#ARFID
#Smart card
#Fingerprint
(currently, only a single value is allowed, except for simultaneous Fingerprint and RFID support)
(refreshed on startup)
Scope: Machine

pid_aa_tray_bubble_display_enabled
Description: Whether to enable AccessAgent bubble pop-ups at the Windows notification area.
Registry: [DO] "AATrayBubbleDisplayEnabled"
IMS Entry: Enable bubble pop-ups?
Type: Boolean (DWORD)
Values:
*#True (#1: Yes)
#False (#0: No)
(refreshed on use)
Scope: Machine

pid_aa_feedback_link
Description: Enables the Feedback link in the AccessAgent user interface to launch an e-mail client or Web browser.
Note:
- If the policy value is blank, by default, AccessAgent does not show the Feedback link.
- If the policy value format is mailto:abc@xyz.com, clicking Feedback launches the default e-mail client of the user and the e-mail is sent to abc@xyz.com.
- If the policy value format is http://xyz.com, clicking Feedback launches the default browser of the user and navigates to http://xyz.com.
Registry: "AAFeedbackLink"
IMS Entry: AccessAgent Feedback link
Type: String (SZ)
Values:
(refreshed on sync)
Scope: Machine

pid_ims_server_name
Description: Default IMS Server name.
Registry: [DIMS] "ImsServerName"
IMS Entry:
Type: SZ
Values:
(refreshed on use)
Scope: Machine

pid_machine_tag
Description: The MachineTag that is used for machine policy template criteria assignment.
Note:
1. When a machine is registered with the IMS Server, it uses the machine group tag as one of the attributes. The machine policy template assignment criteria of the IMS Server can include the machine group tag as an attribute value to be matched. In this way, the machine group tag can determine how machine policy templates are assigned.
2. After a machine is registered with the IMS Server, the machine group tag can still be modified by the Active Directory GPO or any other registry value push mechanism. AccessAgent can detect if the machine group tag value changed, and reregisters the machine with the IMS Server. If the machine matches the assignment criteria of another machine policy template, that new machine policy template is assigned to it.
Registry: [DO] "MachineTag"
IMS Entry:
Type: SZ
Values:
Scope: Machine

pid_Named_Pipe_Time_Out_Secs
Description: Configurable timeout for AccessAgent named pipe communication.
Registry: [DO] "NamedPipeTimeOutSecs"
IMS Entry:
Type: DWORD
Values:
Timeout value in seconds. Default is 10.
Scope: Machine

Chapter 4. Network policies


pid_net_socket_timeout_secs
Description: Timeout duration, in seconds, for TCP socket connections.
Registry: [DO] "NetSocketTimeoutSecs"
IMS Entry:
Type: DWORD
Values:
*3
(refreshed on use)
Scope: Machine

pid_net_soap_timeout_secs
Description: Timeout duration, in seconds, for SOAP connections.
Registry: [DO] "NetSoapTimeoutSecs"
IMS Entry:
Type: DWORD
Values:
*20
(refreshed on use)
Scope: Machine

Chapter 5. Session information policies


pid_session_info_display_freq_secs
Description: Frequency for displaying AccessAgent session information in a bubble pop-up at the Windows notification area. The bubble pops up after every interval, in seconds, specified by this policy. Disable this feature by setting it to 0.
Note:
1. Effective only if pid_aa_tray_bubble_display_enabled is 1.
2. Set the policy to 0 to disable the displaying of session information.
3. This policy is effective if the value is greater than 15 seconds. If the value is less than 15 seconds, the pop-up is displayed continuously.
4. The displayed user name format is determined by pid_logon_user_name_display_option.
5. If the user is logged on with an Active Proximity Badge, a warning is shown in the same bubble pop-up if the battery is low.
6. Modifying this policy requires a machine restart to implement the changes.
Registry: [DO] "SessionInfoDisplayFreqSecs"
IMS Entry: Interval, in minutes, for displaying session information in bubble pop-ups
Type: DWORD
Values:
*0
(refreshed on startup)
(0 for no display)
Scope: Machine

Chapter 6. Log policies


pid_log_file_count
Description: Maximum number of AccessAgent log files allowed. If the maximum number of log files is reached, the oldest log file is deleted to make way for the new log file.
Registry: [DO] "LogFileCount"
IMS Entry:
Type: DWORD
Values:
*10
(refreshed on use)
Scope: Machine

pid_log_file_size
Description: Maximum size of the log file (AccessAgent.log), in KB. If the maximum file size is reached, the file is renamed and a new file is created to store the new logs.
Registry: [DO] "LogFileSize"
IMS Entry:
Type: DWORD
Values:
*1024
(refreshed on use)
Scope: Machine

pid_log_level
Description: Level of log details.
Registry: [DO] "LogLevel"
IMS Entry:
Type: DWORD
Values:
*0: No logging
#1: Severe errors only
#2: Basic info
#3: More info, including SOAP logs
#4: Debugging info, including SOAP logs
(refreshed on use)
Scope: Machine

pid_log_path
Description: Path to a folder that contains the AccessAgent logs.
Registry: [DO] "LogPath"
IMS Entry:
Type: SZ
Values:
*<ProgramDir>\logs
(refreshed on use)
Scope: Machine

Chapter 7. Temporary file policies


pid_temp_path
Description: Path to a folder that contains the temporary files.
Registry: [DO] "TempPath"
IMS Entry:
Type: SZ
Values:
*<ProgramDir>\temp
(refreshed on use)
Scope: Machine

Chapter 8. Auto-logon policies


pid_microsoft_auto_logon_enabled
Description: Whether to enable auto-logon to Windows on system startup.
Registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "AutoAdminLogon" and "ForceAutoLogon" (both entries must be set)
IMS Entry:
Type: SZ
Values:
*#0: No
#1: Yes
(refreshed on use)
Scope: Machine

pid_microsoft_auto_logon_acct
Description: Windows account to be used for auto-logon at system startup.
Note:
1. Effective only if pid_microsoft_auto_logon_enabled is enabled.
2. If pid_lusm_sessions_max is greater than 1, a local machine account must be used for auto-logon.
Registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "DefaultDomainName", "DefaultUserName", "DefaultPassword"
IMS Entry:
Type: SZ
Values:
(refreshed on use)
Scope: Machine

pid_win_startup_action
Description: Actions on Windows startup.
Note: This is to enable automatic locking of the computer after AutoAdminLogon or ForceAutoLogon.
Registry: [DO] "WinStartupAction"
IMS Entry: Windows startup actions
Type: DWORD
Values:
*#0: No action
#1: Lock computer
(refreshed on use)
Scope: Machine

Chapter 9. Local user session management policies


pid_lusm_session_replacement_option
Description: Option for replacing existing user sessions when a new user attempts to log on while the number of concurrent user sessions has already reached the maximum allowed.
Note:
1. Effective only if pid_lusm_sessions_max is greater than 1.
2. Policy value 2 is useful for machines which are used by users in a round-robin fashion.
3. For policy value 3, the session that has been unlocked the least number of times is replaced.
4. For policy value 4, the session that has been least used in terms of total duration is replaced.
5. Computation of time for all cases is accurate only to the nearest minute.
6. Modifying this policy requires a machine restart to implement the changes.
Registry: [DO] "LUSMSessionReplacementOption"
IMS Entry: Session replacement option
Type: DWORD
Values:
#0: Disallow new user to log on
*#1: Replace least recently used (LRU) session
#2: Replace most recently used (MRU) session
#3: Replace least frequently used (LFU) session
#4: Replace least used (LU) session
(refreshed on startup for value 0)
(refreshed on use for other values)
Scope: Machine

pid_lusm_sessions_max
Description: Maximum number of concurrent user sessions. Set it to 2 or more to enable private desktop.
Note:
1. Set the policy to 1 to disable Local User Session Management.
2. To enable Local User Session Management, a value greater than 1 must be specified for this policy in the DeploymentOptions.reg file during AccessAgent installation. If this policy is set to a value greater than 1 only after AccessAgent is installed, the Log Off and Shut Down buttons, as well as the Windows hot keys, might not be disabled for the first user who logs on. The buttons and Windows hot keys might also remain disabled after AccessAgent is uninstalled.
3. If this policy is set to a value higher than what the system resources can support, the actual number of concurrent user sessions is still capped by the system resources available.
4. For optimal performance, it must not be set to a value more than 9.
5. If Local User Session Management is enabled, pid_logoff_manual_action must be set to 1 (Log off Windows) so that manually logging off AccessAgent is equivalent to logging off the desktop session of the user.
6. pid_unlock_with_win_option must be set to 0, as unlock using Windows is not supported for Local User Session Management. Auto-admin logon to Windows must also be enabled by setting pid_microsoft_auto_logon_enabled to 1, pid_microsoft_auto_logon_acct to a local machine logon account, and pid_win_startup_action to 1, to lock the computer immediately after logon.
7. Modifying this policy requires a machine restart to implement the changes.
Registry: [DO] "LUSMSessionsMax"
IMS Entry: Maximum number of concurrent user sessions on a workstation
Type: DWORD
Values:
*1
(refreshed on startup)
(from 1 to 12)
Scope: Machine

pid_lusm_sia_list
Description: List of single instance applications (SIA), that is, applications that cannot run multiple simultaneous instances on a computer.
Note:
1. Effective only if pid_lusm_sessions_max is greater than 1.
2. When a user starts any application in this list, AccessAgent performs the action specified by pid_lusm_sia_launch_option (if the policy value is not 0) or the application's own launch option. These actions are only applicable when the application is launched from a visible desktop and there is another instance of it running in an invisible desktop. If the other instance is running in the same visible desktop, the application assumes its normal behavior.
3. For each application, the full path must be the full image path of the executable file on the disk, ending with .EXE, .BAT, or .COM. It is not case-sensitive.
4. The long path format must be used. For example, for Company Messenger, use C:\Program Files\Company\Messenger\CompanyMessenger.exe instead of C:\progra~1\Company\messenger\COMPANYM~1.exe.
5. Modifying this policy requires a machine restart to implement the changes.
Registry: [DO] "LUSMSiaList"
IMS Entry: Single instance applications list
Type: MULTI_SZ
Values:
Each application occupies three lines as follows:
Line 1: Full path of the executable file (for example, C:\Windows\notepad.exe)
Line 2: Launch option (see below)
Line 3: Display name of the application (for example, Notepad)
(empty lines are discarded, and there must be three non-empty lines for each application)
Launch option is one of the following values:
#1: Disallow second instance to start
*#2: Log off existing instance
#3: Close existing instance
#4: Prompt user whether to log off existing instance
#5: Prompt user whether to close existing instance
(refreshed on startup)
Scope: Machine

pid_lusm_sia_launch_option
Description: Action taken by AccessAgent when a user launches a second instance of a single instance application, that is, an application that cannot run multiple simultaneous instances on a computer.
Note:
1. Effective only if pid_lusm_sessions_max is greater than 1.
2. If the policy value is 0, the own launch option of each application (specified in pid_lusm_sia_list) is used.
3. These actions are only applicable when the application is launched from a visible desktop and there is another instance of it running in an invisible desktop. If the other instance is running in the same visible desktop, the application assumes its normal behavior.
4. Modifying this policy requires a machine restart to implement the changes.
Registry: [DO] "LUSMSiaLaunchOption"
IMS Entry: Action on launching a second instance of a single instance application
Type: DWORD
Values:
#0: Use the application's launch option
#1: Disallow second instance to start
*#2: Log off existing instance
#3: Close existing instance
#4: Prompt user whether to log off existing instance
#5: Prompt user whether to close existing instance
(refreshed on startup)
Scope: Machine

pid_lusm_generic_accounts_enabled
Description: Whether to use a pool of generic accounts to create user desktops.
Note:
1. Effective only if pid_lusm_sessions_max is greater than 1.
2. If enabled, the generic accounts specified in pid_lusm_generic_accounts_list are used to create user desktops. This configuration is for deployments where some users might not exist in Active Directory, or the password is not synchronized with the Active Directory password.
3. If enabled, pid_lusm_default_desktop_preserved_enabled must be set to 1.
4. Modifying this policy requires a machine restart to implement the changes.
Registry: [DO] "LUSMGenericAccountsEnabled"
IMS Entry: Enable use of generic accounts to create user desktops?
Type: DWORD
Values:
#True (#1: Yes)
*#False (#0: No)
(refreshed on startup)
Scope: Machine

pid_lusm_auto_logon_acct_display_enabled
Description: Whether the auto-admin logon account should appear in the list of users displayed in the logon user interface of private desktops.
Note: If enabled, the auto-admin logon account appears in the logon user interface of private desktops. Then, desktop administrators can click the auto-admin logon account and provide its password to log on to the account to perform desktop maintenance as and when necessary.
Registry: [DO] "LUSMAutoLogonAcctDisplayEnabled"
IMS Entry: Enable use of generic accounts to create user desktops?
Type: Boolean (DWORD)
Values:
*#True (#1) (default)
#False (#0)
(refreshed on startup)
Scope: Machine

pid_lusm_generic_accounts_list
Description: List of generic accounts for creating user desktops.
Note:
1. Effective only if pid_lusm_sessions_max is greater than 1 and pid_lusm_generic_accounts_enabled is enabled.
2. Upon machine startup, AccessAgent writes the obfuscated password into the fourth line of each account, replacing the third line with the fixed mask string #####encrypted#####.
3. To add a new account, delete an existing account, or change the user name, domain, or password of an existing account, the entire set of values in this policy must be rewritten. AccessAgent uses the new values after the next machine startup.
4. If a particular account cannot be validated, this account is ignored and AccessAgent writes #####invalid account##### in the third line of the account.
5. If there are no valid generic accounts, private desktop is disabled.
6. If there is one valid generic account, the user is shown a message that indicates only one user can use the private desktop, but private desktop with generic accounts is still enabled.
7. If the number of valid accounts is less than pid_lusm_sessions_max, the actual maximum number of concurrent sessions is constrained by the number of valid accounts even though resources might allow for more.
8. Either local machine accounts or domain accounts can be used as generic accounts, but use domain accounts, since these accounts do not have to be pre-created on each machine. The passwords for these accounts must never expire or change, since any password change requires modifications to this policy.
9. Users must not unlock directly using generic account credentials, as that might lead to an existing desktop being unlocked.
10. For private desktops with Windows 2000 installations: If the default UPN has been overwritten by the Administrator (not new UPN suffixes added), offline logon and offline GA accounts with DNS domain names do not work.
11. Modifying this policy requires a machine restart to implement the changes.
Registry: [DO] "LUSMGenericAccountsList"
IMS Entry:
Type: MULTI_SZ
Values:
Each generic account occupies four lines as follows:
Line 1: User name
Line 2: Domain (or machine name for a local computer account)
Line 3: Password
Line 4: ==
(empty lines are discarded, and there must be four non-empty lines for each account)
(refreshed on startup)
Scope: Machine
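The two MULTI_SZ record formats in this chapter (three lines per application for pid_lusm_sia_list, four lines per account for pid_lusm_generic_accounts_list) are easy to break by hand, because empty lines are discarded and records are counted by position, so one missing line shifts every record after it. The following Python is an added example, not IBM code and not part of AccessAgent: it chunks the value lists as the notes describe, applies the checks the notes state (extension, long path, launch option range, the #####encrypted##### and #####invalid account##### markers, the == sentinel) and derives the effective session cap from notes 5 and 7. The account names, paths and values are constructed; the tilde test for short (8.3) path names is this example's own heuristic, not a rule from the guide.

```python
"""Added example (not IBM code): parse and check the MULTI_SZ record
formats of pid_lusm_sia_list and pid_lusm_generic_accounts_list."""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Launch options as listed under pid_lusm_sia_list.
LAUNCH_OPTIONS = {1: "Disallow second instance to start",
                  2: "Log off existing instance",
                  3: "Close existing instance",
                  4: "Prompt user whether to log off existing instance",
                  5: "Prompt user whether to close existing instance"}
# Markers AccessAgent writes into line 3 of a generic account record.
ENCRYPTED_MASK = "#####encrypted#####"
INVALID_MASK = "#####invalid account#####"


@dataclass
class SingleInstanceApp:
    path: str
    launch_option: int
    display_name: str


@dataclass
class GenericAccount:
    user_name: str
    domain: str
    password: Optional[str]  # cleartext only until the first startup masks it
    state: str               # "pending", "obfuscated" or "invalid"


def _records(multi_sz: List[str], width: int) -> List[List[str]]:
    """Discard empty lines, then cut the rest into records of `width` lines.
    A leftover partial record means the value was mis-edited."""
    lines = [s.strip() for s in multi_sz if s.strip()]
    if len(lines) % width:
        raise ValueError(f"{len(lines)} non-empty lines is not a multiple of {width}")
    return [lines[i:i + width] for i in range(0, len(lines), width)]


def parse_sia_list(multi_sz: List[str]) -> List[SingleInstanceApp]:
    apps = []
    for path, option, name in _records(multi_sz, 3):
        if not path.lower().endswith((".exe", ".bat", ".com")):   # note 3
            raise ValueError(f"{path}: path must end with .EXE, .BAT or .COM")
        if "~" in path:   # heuristic for 8.3 short names; note 4 requires long paths
            raise ValueError(f"{path}: use the long path format")
        if not option.isdigit() or int(option) not in LAUNCH_OPTIONS:
            raise ValueError(f"{path}: launch option must be 1 to 5, got {option!r}")
        apps.append(SingleInstanceApp(path, int(option), name))
    return apps


def parse_generic_accounts(multi_sz: List[str]) -> List[GenericAccount]:
    accounts = []
    for user, domain, third, fourth in _records(multi_sz, 4):
        if third == INVALID_MASK:          # note 4: account failed validation
            accounts.append(GenericAccount(user, domain, None, "invalid"))
        elif third == ENCRYPTED_MASK:      # note 2: line 4 now holds the obfuscated password
            accounts.append(GenericAccount(user, domain, None, "obfuscated"))
        else:                              # as entered by the administrator, not yet processed
            if fourth != "==":
                raise ValueError(f"{user}: line 4 must be == until AccessAgent rewrites it")
            accounts.append(GenericAccount(user, domain, third, "pending"))
    return accounts


def effective_session_cap(accounts: List[GenericAccount], sessions_max: int) -> int:
    """Notes 5 and 7: the valid accounts, not pid_lusm_sessions_max alone, bound
    the number of concurrent private desktops; zero valid accounts disables them."""
    valid = sum(1 for a in accounts if a.state != "invalid")
    return min(valid, sessions_max)


def list_errors(parser: Callable[[List[str]], list], multi_sz: List[str]) -> Optional[str]:
    """Run a parser and return its error message instead of raising."""
    try:
        parser(multi_sz)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed sample values (not from any real deployment).
SAMPLE_SIA = [r"C:\Windows\notepad.exe", "", "2", "Notepad",
              r"C:\Program Files\Company\Messenger\CompanyMessenger.exe", "4", "Company Messenger"]
SAMPLE_ACCOUNTS = ["kiosk01", "EXAMPLE", ENCRYPTED_MASK, "b2JmdXNjYXRlZA==",
                   "kiosk02", "EXAMPLE", INVALID_MASK, "==",
                   "kiosk03", "WORKSTATION7", "Constructed-Pa55", "=="]
```

Reading the registry value back after startup is the only way to confirm which accounts AccessAgent accepted; a "pending" record that is still pending after a restart means the policy was not picked up, and any "invalid" record silently reduces the session cap.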

pid_lusm_ad_gpo_scripts_enabled
Description: Whether to enable execution of GPO scripts.
Registry: [DO] "LUSMAdGpoScriptsEnabled"
IMS Entry:
Type: DWORD
Values:
#0: No
#1: Yes
(version 8.0.1: off by default; version 8.1.0: on by default)
Scope: Machine

pid_lusm_ad_gpo_extended_support_enabled
Description: Whether to enable support for GPO user admin templates.
Registry: [DO] "LUSMAdGpoExtendedSupportEnabled"
IMS Entry:
Type: DWORD
Values:
#0: No
#1: Yes
(version 8.0.1: off by default; version 8.1.0: on by default)
Scope: Machine

pid_lusm_ad_gpo_scripts_ext_and_exe_list
Description: List of script file extensions and the executable files that run them.
Registry: [DO] "LUSMAdGPOScriptsExtAndExeList"
IMS Entry:
Type: Multi-String Value
Values:
Default:
- .bat, cmd.exe
- .vbs, wscript.exe
- .js, wscript.exe
- .wsf, wscript.exe
Scope: Machine

pid_lusm_ad_gpo_refresh_timeout
Description: Defines the GPO refresh process timeout duration, in seconds, for subsequent logons to the computer.
Registry: [DO] "LUSMAdGpoRefreshTimeout"
IMS Entry:
Type: DWORD
Values:
#0: Asynchronous (default)
#>0: Synchronous, with the timeout set to the value
Scope: Machine

pid_lusm_ad_gpo_logon_msg_enabled
Description: Defines whether to display the legal notice after the user logs on to a private desktop.
Registry: [DO] "LUSMAdGpoLogonMsgEnabled"
IMS Entry:
Type: DWORD
Values:
#0: No
#1: Yes
Scope: Machine

pid_lusm_generic_accounts_edir_type
Description: Defines whether the enterprise directory for validating Tivoli Access Manager for Enterprise Single Sign-On users is Active Directory.
Note:
- Effective only if pid_lusm_sessions_max is greater than 1, and pid_lusm_generic_accounts_enabled is enabled.
- If the enterprise directory is not Active Directory, this policy should be set to 2 for better logon performance.
Registry: [DO] "LUSMGenericAccountsEdirType"
IMS Entry:
Type: DWORD
Values:
#1: Enterprise directory is Active Directory
#2: Enterprise directory is not Active Directory
(refreshed on use)
Scope: Machine

Chapter 10. Authentication policies


pid_wallet_authentication_option
Description: Authentication policy that enforces the combinations of authentication factors that can be used for logon.
Note:
1. This policy does not enforce the authentication factors used for sign-up. The sign-up policy is enforced by pid_second_factors_supported_list and pid_second_factor_for_sign_up_required.
2. RFID includes active proximity badges.
Registry:
IMS Entry: Wallet authentication policy
Type: Positive integer list
Values:
#1: Password
#2: Password + RFID
#4: Password + Fingerprint
#5: Fingerprint
*#6: Smart card
(multiple allowed)
(refreshed on logon or unlock by a different user, if online)
(refreshed on last sync if offline)
Note: #6 is always enabled. If #1 is enabled, #2 and #4 are also enabled.
Scope: User

pid_mac_auth_enabled
Description: Whether Mobile ActiveCode authentication is enabled for the user.
Registry:
IMS Entry: Enable Mobile ActiveCode authentication?
Type: Boolean
Values:
#True
*#False
(refreshed on use)
Scope: User

Chapter 11. Password change policies


pid_enc_pwd_change_option
Description: Whether to enable changing of the password.
Note:
1. For option 2, the links in the EnGINA welcome screen, EnGINA locked screen, AccessAgent UI, and AccessAgent tray right-click menu are removed.
2. If the password is configured to expire, the user is still prompted for a password change during logon.
3. If Active Directory password synchronization is enabled and the Active Directory password expires, the user is still prompted for a password change.
4. If the password is forced to be changed during initial logon by a provisioned user, the user still sees the password change prompt upon initial logon.
5. The options only affect AccessAgent. AccessAssistant and Web Workplace are not affected by the policy.
Registry:
IMS Entry: Enable changing of password?
Type:
Values:
*#1: Enable password change link
#2: Disable password change link
(refreshed on sync)
Scope: System

pid_enc_pwd_reset_option
Description: Whether to enable password reset.
Note:
1. For option 2, the links in the EnGINA welcome screen and AccessAgent UI are removed if no user is logged on.
2. The options only affect AccessAgent. AccessAssistant and Web Workplace are not affected by the policy.
Registry:
IMS Entry: Enable password reset?
Type: Non-negative integer
Values:
*#1: Enable password reset link
#2: Disable password reset link
(refreshed on sync)
Scope: System

pid_enc_pwd_change_on_first_logon_enabled
Description: Whether provisioned users are forced to change the TAM E-SSO Password at first logon.
Note:
1. This policy is only effective for provisioned users and if the TAM E-SSO Password is synchronized with the Active Directory password.
2. If the TAM E-SSO Password is synchronized with the Active Directory password, provisioned users are forced to change passwords according to the Active Directory user setting for User must change password at next logon.
3. This feature is not supported for fingerprint logon.
Registry:
IMS Entry: Force provisioned users to change the password at first logon?
Type: Boolean
Values:
*#True
#False
(refreshed on logon)
Scope: System

Chapter 12. Password aging policies


pid_enc_pwd_periodic_change_enabled
Description: Whether to enable password aging, that is, periodic password change.
Registry:
IMS Entry: Enable password aging?
Type: Boolean
Values:
#True
*#False
(refreshed on sync)
Scope: System

pid_enc_pwd_change_days
Description: Maximum password age, in days. It is the period between two password changes for a Wallet.
Note: Effective only if password periodic change is enabled.
Registry:
IMS Entry: Maximum password age, in days
Type: Positive integer
Values:
*90
(refreshed on sync)
Scope: System

pid_enc_pwd_expiry_reminder_enabled
Description: Whether to remind the user about the expiring password.
Note: Effective only if password periodic change is enabled.
Registry:
IMS Entry: Enable password change reminder?
Type: Boolean
Values:
#True
*#False
(refreshed on sync)
Scope: System

pid_enc_pwd_expiry_reminder_days
Description: Number of days before password expiry to start reminding the user.
Note: Effective only if password expiry reminder is enabled.
Registry:
IMS Entry: Number of days before password expiry to start reminding user
Type: Non-negative integer
Values:
*5
(from 1 to 10)
(refreshed on sync)
Scope: System

pid_enc_pwd_expiry_change_enforced
Description: Whether to enforce password change on expiry by prompting the user to change the password before logging on to Tivoli Access Manager for Enterprise Single Sign-On.
Note: Effective only if password periodic change is enabled.
Registry:
IMS Entry: Enforce password change on expiry?
Type: Boolean
Values:
#True
*#False
(refreshed on sync)
Scope: System
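The five policies in this chapter only make sense together: the aging switch gates all of the others, the reminder window is measured back from the expiry date, and enforcement decides whether an expired password merely prompts or blocks logon. The following Python is an added example, not IBM code, that combines them into one state for a Wallet password using the defaults listed above (90 days, 5 reminder days, aging, reminder and enforcement off). Treating the password as expired on the day the maximum age is reached, and the exact state names, are this example's assumptions; the dates are constructed.

```python
"""Added example (not IBM code): combine the password aging policies
(pid_enc_pwd_periodic_change_enabled, pid_enc_pwd_change_days,
pid_enc_pwd_expiry_reminder_enabled, pid_enc_pwd_expiry_reminder_days,
pid_enc_pwd_expiry_change_enforced) into one state for a Wallet password."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple


@dataclass
class AgingPolicy:
    # Defaults are the ones listed in the policy tables of this chapter.
    periodic_change_enabled: bool = False   # pid_enc_pwd_periodic_change_enabled
    change_days: int = 90                   # pid_enc_pwd_change_days (positive integer)
    expiry_reminder_enabled: bool = False   # pid_enc_pwd_expiry_reminder_enabled
    expiry_reminder_days: int = 5           # pid_enc_pwd_expiry_reminder_days (1 to 10)
    expiry_change_enforced: bool = False    # pid_enc_pwd_expiry_change_enforced

    def __post_init__(self) -> None:
        # Range checks taken from the Type/Values rows above.
        if self.change_days < 1:
            raise ValueError("pid_enc_pwd_change_days must be a positive integer")
        if not 1 <= self.expiry_reminder_days <= 10:
            raise ValueError("pid_enc_pwd_expiry_reminder_days must be from 1 to 10")


def password_age_state(policy: AgingPolicy, last_changed: date,
                       today: date) -> Tuple[str, Optional[int]]:
    """Return (state, days_until_expiry) for a Wallet password.

    States (this example's own names):
      'aging-disabled'          no expiry at all (aging switch off)
      'ok'                      within the maximum age, outside the reminder window
      'remind'                  reminder enabled and expiry is within reminder_days
      'expired'                 maximum age reached but change is not enforced
      'expired-change-required' maximum age reached and change enforced before logon
    Assumption: the password counts as expired on the day the maximum age is reached.
    """
    if not policy.periodic_change_enabled:
        return "aging-disabled", None
    expires_on = last_changed + timedelta(days=policy.change_days)
    days_left = (expires_on - today).days
    if days_left <= 0:
        state = "expired-change-required" if policy.expiry_change_enforced else "expired"
        return state, days_left
    if policy.expiry_reminder_enabled and days_left <= policy.expiry_reminder_days:
        return "remind", days_left
    return "ok", days_left
```

The reminder and enforcement policies have no effect unless the aging switch is on, which the early return models; a deployment that enables only the reminder will never show one.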

Chapter 13. Password strength policies


pid_enc_pwd_min_length
Description: Minimum length of an acceptable password.
Note: Not effective if the password is the Active Directory password. Active Directory password strength policies are used instead.
Registry:
IMS Entry: Minimum password length
Type: Positive integer
Values:
*6
(from 1 to 99)
(refreshed on sync)
Scope: System

pid_enc_pwd_max_length
Description: Maximum length of an acceptable password.
Note: Not effective if the password is the Active Directory password. Active Directory password strength policies are used instead.
Registry:
IMS Entry: Maximum password length
Type: Positive integer
Values:
*20
(from 1 to 99)
(refreshed on sync)
Scope: System

pid_enc_pwd_min_numerics_length
Description: Minimum number of numeric characters for an acceptable password.
Note: Not effective if the password is the Active Directory password. Active Directory password strength policies are used instead.
Registry:
IMS Entry: Minimum number of numeric characters
Type: Non-negative integer
Values:
*0
(from 0 to 99)
(refreshed on sync)
Scope: System

pid_enc_pwd_min_alphabets_length
Description: Minimum number of alphabetic characters for an acceptable password.
Note: Not effective if the password is the Active Directory password. Active Directory password strength policies are used instead.
Registry:
IMS Entry: Minimum number of alphabetic characters
Type: Non-negative integer
Values:
*0
(from 0 to 99)
(refreshed on sync)
Scope: System

pid_enc_pwd_mixed_case_enforced
Description: Whether to enforce the use of both uppercase and lowercase characters for the password.
Note: Not effective if the password is the Active Directory password. Active Directory password strength policies are used instead.
Registry:
IMS Entry: Enforce the use of both upper case and lower case characters?
Type: Boolean
Values:
#True
*#False
(refreshed on sync)
Scope: System
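The strength policies in this chapter are applied together to a candidate password, and they can also contradict one another: a minimum digit count plus a minimum letter count larger than the maximum length, or a minimum length above the maximum, leaves users unable to pick any acceptable password at all. The following Python is an added example, not IBM code, that evaluates a password against the policy IDs above with their listed defaults and checks that a combination of settings is satisfiable. Its `ad_password_sync` flag is this example's name for the condition in each Note (the TAM E-SSO Password being the Active Directory password), in which case it returns None because these policies do not apply; the sample passwords are constructed.

```python
"""Added example (not IBM code): evaluate a candidate password against the
password strength policies of this chapter, using the listed defaults."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class StrengthPolicy:
    min_length: int = 6                 # pid_enc_pwd_min_length (1 to 99)
    max_length: int = 20                # pid_enc_pwd_max_length (1 to 99)
    min_numerics: int = 0               # pid_enc_pwd_min_numerics_length (0 to 99)
    min_alphabets: int = 0              # pid_enc_pwd_min_alphabets_length (0 to 99)
    mixed_case_enforced: bool = False   # pid_enc_pwd_mixed_case_enforced
    ad_password_sync: bool = False      # example's own flag: password is the AD password


def policy_is_satisfiable(p: StrengthPolicy) -> bool:
    """Return False for a combination of settings that no password can meet.
    Mixed case needs at least two letters, which min_alphabets may already cover."""
    if p.min_length > p.max_length:
        return False
    letters_needed = max(p.min_alphabets, 2 if p.mixed_case_enforced else 0)
    return p.min_numerics + letters_needed <= p.max_length


def check_password(password: str, p: Optional[StrengthPolicy] = None) -> Optional[List[str]]:
    """Return the IDs of the violated policies (an empty list means acceptable),
    or None when the Active Directory password is in use and these policies
    are not effective (Active Directory's own policy applies instead)."""
    p = p or StrengthPolicy()
    if p.ad_password_sync:
        return None
    violations: List[str] = []
    if len(password) < p.min_length:
        violations.append("pid_enc_pwd_min_length")
    if len(password) > p.max_length:
        violations.append("pid_enc_pwd_max_length")
    if sum(c.isdigit() for c in password) < p.min_numerics:
        violations.append("pid_enc_pwd_min_numerics_length")
    if sum(c.isalpha() for c in password) < p.min_alphabets:
        violations.append("pid_enc_pwd_min_alphabets_length")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if p.mixed_case_enforced and not (has_upper and has_lower):
        violations.append("pid_enc_pwd_mixed_case_enforced")
    return violations
```

Running `policy_is_satisfiable` against the intended settings before pushing them to the IMS Server catches the lock-out case at deployment time rather than at the first forced password change.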

Chapter 14. Self-service password reset policies


pid_selfhelp_password_reset_enabled
Description: Whether to enable self-service password reset.
Registry:
IMS Entry: Enable self-service password reset?
Type: Boolean
Values:
#True
*#False
(refreshed on sync)
Scope: System

pid_secrets_register_for_selfhelp_max
Description: The maximum number of secret questions a user must register to enable self-service capability.
Registry:
IMS Entry: Maximum number of secret questions a user should register to enable self-service
Type: Positive integer
Values:
*3
(refreshed on sync)
Scope: System

pid_secrets_verify_for_selfhelp
Description: The number of secret questions a user needs to answer to use self-service password reset.
Registry:
IMS Entry: The number of secret questions a user needs to answer to use self-service.
Type: Positive integer
Values:
*2
(refreshed on sync)
Scope: System

pid_secrets_verify_invalid_trial_count_max
Description: The maximum number of allowed tries with wrong secret answers before the self-service function is locked.
Registry:
IMS Entry: The maximum number of allowed tries with wrong secret answers before self-service locks out
Type: Positive integer
Values:
*6
(refreshed on sync)
Scope: System

Chapter 15. Self-service authorization code policies


pid_selfhelp_authcode_enabled
Description: Whether to enable self-service authorization code issuance using a mobile phone.
Registry:
IMS Entry: Enable self-service authorization code issuance?
Type: Boolean
Values:
#True
*#False
(refreshed on use)
Scope: System

pid_selfhelp_authcode_request_from_any_phone_enabled
Description: Whether to allow a self-service authorization code to be requested from any phone.
Note: Effective only if pid_selfhelp_authcode_enabled is True.
Registry:
IMS Entry: Allow authorization code request from any phone?
Type: Boolean
Values:
#True
*#False
(refreshed on use)
Scope: System

pid_selfhelp_authcode_invalid_trial_count_max
Description: The maximum number of allowed tries using wrong authorization codes before the self-service authorization code request capability is locked.
Note: Effective only if pid_selfhelp_authcode_enabled is True.
Registry:
IMS Entry: The maximum number of allowed tries with wrong authorization codes before self-service authorization code request locks out
Type: Positive integer
Values:
*6
(refreshed on use)
Scope: System

pid_selfhelp_authcode_error_msg_text
Description: Configurable error message text for the self-help authorization code request.
Note:
1. Effective only if pid_selfhelp_authcode_enabled is True.
2. This message is available in multiple languages. It is displayed in the language specified by the user during AccessAgent installation.
Registry:
IMS Entry: Error message text for self-help authorization code request
Type: String
Values:
*An error has occurred. Please contact your Help desk.
(refreshed on use)
Scope: System

pid_selfhelp_authcode_request_help_text
Description: Configurable help text for self-service authorization code request.
Note:
1. Effective only if pid_selfhelp_authcode_enabled is True.
2. The help text can be sent to the user through the SMS gateway IMS Bridge and is shown by AccessAgent.
3. This message is available in multiple languages. It is displayed in the language specified by the user during AccessAgent installation.
Registry: (none)
IMS Entry: Help text for self-service authorization code request
Type: String
Values: *You can only request for authorization code using your registered phone. The message format is: UserName UserSecret [RequestCode] (refreshed on use)
Scope: System

pid_selfhelp_authcode_different_phone_issue_msg_text
Description: Configurable message text that is sent to the requesting phone for a self-help authorization code if it is different from the registered phone.
Note:
1. Effective only if pid_selfhelp_authcode_enabled is True and pid_selfhelp_authcode_request_from_any_phone_enabled is False.
2. Use $PHONE as the placeholder for the registered phone number.
3. This message is available in multiple languages. It is displayed in the language specified by the user during AccessAgent installation.
Registry: (none)
IMS Entry: Message text sent to requesting phone if it is different from registered phone
Type: String
Values: *An authorization code has been sent to your registered phone $PHONE. (refreshed on use)
Scope: System

pid_selfhelp_authcode_different_phone_error_msg_text
Description: Configurable message text that is sent to the requesting phone for a self-help authorization code. The message is sent if the requesting phone is different from the registered phone and the policy is that only the registered phone can be used.
Note:
1. Effective only if pid_selfhelp_authcode_enabled is True and pid_selfhelp_authcode_request_from_any_phone_enabled is False.
2. Use $PHONE as the placeholder for the registered phone number.
3. This message is available in multiple languages. It is displayed in the language specified by the user during AccessAgent installation.
Registry: (none)
IMS Entry: Message text sent to requesting phone if it is different from registered phone and only registered phone can be used
Type: String
Values: *Authorization code can only be requested from your registered phone $PHONE. (refreshed on use)
Scope: System

pid_selfhelp_authcode_issue_msg_text
Description: Configurable message text for self-help authorization code issuance.
Note:
1. Effective only if pid_selfhelp_authcode_enabled is True.
2. Use $AUTHCODE as the placeholder for the authorization code.
3. Use $VALIDITY as the placeholder for the number of days for which the authorization code is valid.
4. Use $USAGE as the placeholder for a string that describes how the authorization code can be used.
5. This message is available in multiple languages. It is displayed in the language specified by the user during AccessAgent installation.
Registry: (none)
IMS Entry: Message text for self-help authorization code issuance
Type: String
Values: *Your authorization code is $AUTHCODE. You can use it within $VALIDITY days for $USAGE. (refreshed on use)
Scope: System

pid_selfhelp_authcode_wrong_credentials_error_msg_text
Description: Configurable message text that is sent to the requesting phone for a self-help authorization code if any of the requesting credentials is incorrect.
Note:
1. Effective only if pid_selfhelp_authcode_enabled is True.
2. The message text is sent if any of the requesting credentials is incorrect (for example, user name, user secret, request code).
3. This message is available in multiple languages. It is displayed in the language specified by the user during AccessAgent installation.
Registry: (none)
IMS Entry: Message text sent to requesting phone on incorrect credentials
Type: String
Values: *Incorrect user name, user secret, or request code. Please try again. (refreshed on use)
Scope: System
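The request, issuance and lockout behaviour that the policies in this chapter describe, as an added Python model. This is example code written for this page, not IMS Server or AccessAgent code. It uses the starred default values above, except that pid_selfhelp_authcode_enabled is switched on so that the flow runs, and the SMS format "UserName UserSecret [RequestCode]" is taken from the help text. Everything the policies leave open is an assumption and is marked as such in the code: an 8-digit code, the validity and usage strings, the reply sent while a user is locked out, the meaning of the optional request code, and how the two different-phone messages are routed (the code is only ever delivered to the registered phone; the requesting phone gets the error text when the any-phone policy is False and the notice text when it is True).

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Policy values from this chapter. Starred defaults are used, except that
# pid_selfhelp_authcode_enabled is set to True so the flow is exercised.
POLICY = {
    "pid_selfhelp_authcode_enabled": True,
    "pid_selfhelp_authcode_request_from_any_phone_enabled": False,
    "pid_selfhelp_authcode_invalid_trial_count_max": 6,
    "pid_selfhelp_authcode_issue_msg_text":
        "Your authorization code is $AUTHCODE. You can use it within "
        "$VALIDITY days for $USAGE.",
    "pid_selfhelp_authcode_different_phone_issue_msg_text":
        "An authorization code has been sent to your registered phone $PHONE.",
    "pid_selfhelp_authcode_different_phone_error_msg_text":
        "Authorization code can only be requested from your registered phone $PHONE.",
    "pid_selfhelp_authcode_wrong_credentials_error_msg_text":
        "Incorrect user name, user secret, or request code. Please try again.",
    "pid_selfhelp_authcode_error_msg_text":
        "An error has occurred. Please contact your Help desk.",
}

# Assumptions: the guide fixes neither the code length nor these two strings.
CODE_DIGITS = 8
VALIDITY_DAYS = "1"
USAGE = "offline password reset"


def _eq(a: str, b: str) -> bool:
    """Constant-time comparison so a wrong secret or code is not timing-distinguishable."""
    return secrets.compare_digest(a.encode(), b.encode())


@dataclass
class User:
    secret: str
    phone: str                          # registered phone; codes are only ever sent here
    request_code: Optional[str] = None  # optional third SMS field (assumed semantics)
    failed_code_tries: int = 0          # counts toward the invalid_trial_count_max lockout
    active_code: Optional[str] = None


@dataclass
class SelfHelpAuthCode:
    policy: dict
    users: dict
    outbox: list = field(default_factory=list)   # (to_phone, text) the SMS gateway would send

    def _send(self, phone: str, key: str, **subs: str) -> None:
        text = self.policy[key]
        for name, value in subs.items():          # $PHONE, $AUTHCODE, $VALIDITY, $USAGE
            text = text.replace("$" + name, value)
        self.outbox.append((phone, text))

    def _locked(self, user: User) -> bool:
        return user.failed_code_tries >= self.policy["pid_selfhelp_authcode_invalid_trial_count_max"]

    def handle_sms(self, from_phone: str, body: str) -> bool:
        """Process an SMS of the form 'UserName UserSecret [RequestCode]'.
        Returns True when a code was issued."""
        if not self.policy["pid_selfhelp_authcode_enabled"]:
            self._send(from_phone, "pid_selfhelp_authcode_error_msg_text")   # assumption
            return False
        parts = body.split()
        user = self.users.get(parts[0]) if parts else None
        creds_ok = (
            user is not None
            and len(parts) in (2, 3)
            and _eq(parts[1], user.secret)
            and (user.request_code is None
                 or (len(parts) == 3 and _eq(parts[2], user.request_code)))
        )
        if not creds_ok:
            self._send(from_phone, "pid_selfhelp_authcode_wrong_credentials_error_msg_text")
            return False
        if self._locked(user):
            self._send(from_phone, "pid_selfhelp_authcode_error_msg_text")   # assumption
            return False
        if from_phone != user.phone:
            if not self.policy["pid_selfhelp_authcode_request_from_any_phone_enabled"]:
                self._send(from_phone, "pid_selfhelp_authcode_different_phone_error_msg_text",
                           PHONE=user.phone)
                return False
            self._send(from_phone, "pid_selfhelp_authcode_different_phone_issue_msg_text",
                       PHONE=user.phone)
        user.active_code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._send(user.phone, "pid_selfhelp_authcode_issue_msg_text",
                   AUTHCODE=user.active_code, VALIDITY=VALIDITY_DAYS, USAGE=USAGE)
        return True

    def verify_code(self, username: str, code: str) -> bool:
        """Consume an issued code. Wrong codes count toward the lockout that also
        blocks further requests; a correct code clears the counter."""
        user = self.users[username]
        if self._locked(user):
            return False
        if user.active_code is not None and _eq(code, user.active_code):
            user.active_code = None
            user.failed_code_tries = 0
            return True
        user.failed_code_tries += 1
        return False
```

The point to check in a real deployment is the same one the model enforces: the code never goes to the phone that asked for it unless that phone is the registered one, and the lockout counter is keyed to the user, so guessing codes from many phones does not reset it.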

Chapter 16. Self-service registration policies

pid_selfhelp_second_factor_registration_and_bypass_enabled
Description: Whether to enable self-service registration and bypass of a second factor.
Note:
1. If this policy is enabled, the user can bypass the use of a second factor for logon by providing registered secrets. For a user who knows the registered secrets, logon then no longer requires anything the user has.
2. If an authorization code is required for the registration of second factors, this policy controls whether a user can perform the action in a self-service manner by providing registered secrets.
3. If the user cannot provide registered secrets, there is an option to provide an authorization code and a primary secret.
Registry: (none)
IMS Entry: Enable self-service registration and bypass of 2nd factor?
Type: Boolean
Values:
  #True
  *#False
  (refreshed on sync)
Scope: System

Chapter 17. Wallet policies

pid_wallet_caching_option
Description: Option to control the caching of Wallets.
Note:
1. Offline reset capability (f.k.a. BSK) is automatically enabled if the Wallet is cached.
2. The Wallet is always cached on a Citrix or Terminal Server.
3. The Wallet is always cached if the Encentuate Network Provider is used (the machine policy pid_en_network_provider_enabled is set to 1).
4. The Wallet is always cached if a user logs on with a smart card.
Registry: (none)
IMS Entry: Wallet caching option
Type: Non-negative integer
Values:
  #0: Disallow caching
  *#1: Ask user
  #2: Always cache
  (refreshed on sync)
Scope: System

pid_wallet_cache_max
Description: Maximum number of cached Wallets allowed on the machine.
Note:
1. If the maximum limit of cached Wallets is reached, the least recently used cached Wallet is deleted before a new Wallet is cached.
2. Setting a limit on the number of cached Wallets for a shared workstation might improve logon performance.
3. If biometric authentication is used on a shared workstation, the limit on the number of cached Wallets is set to a value at which the possibility of false acceptance by the biometric device is negligible. False acceptance might lead to a user logging on to the wrong Wallet.
4. This policy must be used with pid_wallet_cache_max_inactivity_days so that the deleted cached Wallets can be automatically revoked on the IMS Server.
5. In some deployments, it might be advisable to disable Wallet caching on shared workstations for security reasons. This policy can be set to 0 to disable caching on a particular machine. In this case, it overrides pid_wallet_caching_option.
Registry: [DO] "WalletCacheMax"
IMS Entry: Maximum number of cached Wallets
Type: DWORD
Values:
  *999999999
  (0 to disable caching)
  (999999999 for no maximum limit)
  (refreshed on use)
Scope: Machine

pid_wallet_sync_mins
Description: Interval, in minutes, for periodic synchronization of the Wallet with the IMS Server. Synchronization is also performed when the user logs on to AccessAgent.
Registry: (none)
IMS Entry: Interval, in minutes, for synchronization of Wallet with IMS Server
Type: Positive integer
Values: *30 (refreshed on sync)
Scope: System

pid_wallet_sync_before_logon_enabled
Description: Whether to enable AccessAgent to perform synchronization with the IMS Server before logging on to the Wallet.
Note: If this policy is set to 1, AccessAgent performs synchronization before logging on to Windows (for EnGINA logon), and before running the logon script (for desktop logon and logon from the unlock screen).
Registry: [DO] "WalletSyncBeforeLogonEnabled"
IMS Entry: Enable Wallet synchronization before logon?
Type: DWORD
Values:
  #0: No
  *#1: Yes
  (refreshed on use)
Scope: Machine

pid_wallet_cache_max_inactivity_days
Description: Maximum period of inactivity, in days, allowed for a cached Wallet. After this period, the cached Wallet is automatically revoked.
Note:
1. The cached Wallet is automatically revoked on the IMS Server if it has exceeded the maximum number of days of inactivity. AccessAgent automatically revokes expired cached Wallets during each periodic synchronization as long as a user is logged on to AccessAgent.
2. Inactivity is measured from the last synchronization time. Even if the user logs on to a cached Wallet every day, it can still be revoked if it has not been synchronized with the IMS Server for an extended time.
3. If a cached Wallet is revoked, the user can only log on if the IMS Server is available. No prompt tells the user that the Wallet has been revoked. Whether the Wallet is cached again depends on pid_wallet_caching_option.
Registry: (none)
IMS Entry: Maximum period of inactivity, in days, allowed for a cached Wallet
Type: Positive integer
Values:
  *999999999
  (999999999 for infinity, that is, cached Wallets do not expire)
  (refreshed on sync)
Scope: System
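The interplay of pid_wallet_cache_max, pid_wallet_caching_option and pid_wallet_cache_max_inactivity_days described above, as an added Python model written for this page (not AccessAgent code). It keeps one cached Wallet per user, evicts the least recently used Wallet when the machine limit is reached, treats pid_wallet_cache_max = 0 as overriding the caching option, and expires Wallets by time since the last synchronization rather than the last logon, as note 2 of pid_wallet_cache_max_inactivity_days states. The in-memory structure, the timestamps and the treatment of caching option 1 ("ask user") as the user answering yes are assumptions made for the example.

```python
from collections import OrderedDict
from dataclasses import dataclass
from datetime import datetime, timedelta

NO_LIMIT = 999999999   # the guide's sentinel for "no maximum" and "never expire"


@dataclass
class CachedWallet:
    last_sync: datetime    # inactivity is measured from here, not from the last logon


class WalletCache:
    """Cached Wallets on one machine, under the three policies named above."""

    def __init__(self, caching_option=1, cache_max=NO_LIMIT, max_inactivity_days=NO_LIMIT):
        self.caching_option = caching_option            # pid_wallet_caching_option (0/1/2)
        self.cache_max = cache_max                      # pid_wallet_cache_max (machine policy)
        self.max_inactivity_days = max_inactivity_days  # pid_wallet_cache_max_inactivity_days
        self.wallets = OrderedDict()                    # user -> CachedWallet, least recently used first
        self.revoked = []                               # Wallets AccessAgent would revoke on the IMS Server

    def caching_allowed(self) -> bool:
        """cache_max = 0 disables caching on this machine regardless of the caching option."""
        return self.cache_max > 0 and self.caching_option != 0

    def logon(self, user: str, now: datetime, ims_reachable: bool) -> bool:
        """Return True if the user can open a Wallet on this machine right now."""
        wallet = self.wallets.get(user)
        if wallet is None:
            if not ims_reachable:
                return False            # nothing cached and no server: no logon possible
            if self.caching_allowed():  # option 1 ("ask user") is modelled as the user saying yes
                self._cache(user, now)
            return True
        self.wallets.move_to_end(user)  # most recently used
        if ims_reachable:
            wallet.last_sync = now      # logon to AccessAgent also synchronizes the Wallet
        return True

    def _cache(self, user: str, now: datetime) -> None:
        if len(self.wallets) >= self.cache_max:
            evicted, _ = self.wallets.popitem(last=False)   # least recently used goes first
            self.revoked.append(evicted)                    # pair with the inactivity policy (note 4)
        self.wallets[user] = CachedWallet(last_sync=now)

    def periodic_sync(self, now: datetime, logged_on_user: str) -> list:
        """Runs every pid_wallet_sync_mins while a user is logged on: syncs that
        user's Wallet and revokes every cached Wallet past the inactivity limit."""
        if logged_on_user in self.wallets:
            self.wallets[logged_on_user].last_sync = now
        if self.max_inactivity_days >= NO_LIMIT:
            return []                   # 999999999 means cached Wallets never expire
        limit = timedelta(days=self.max_inactivity_days)
        expired = [u for u, w in self.wallets.items() if now - w.last_sync > limit]
        for user in expired:
            del self.wallets[user]
            self.revoked.append(user)
        return expired
```

The model makes the operational consequence of note 2 visible: a user who only ever logs on offline keeps touching the LRU order but never advances last_sync, so the Wallet is still revoked at the next synchronization by any logged-on user once the inactivity limit passes.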

pid_wallet_open_max_tries
Description: Maximum number of allowed tries with a wrong offline logon before the cached Wallet is locked out.
Registry: (none)
IMS Entry: Maximum number of allowed tries with wrong offline logon before cached Wallet is locked out
Type: Positive integer
Values: *5 (refreshed on sync)
Scope: System

pid_wallet_editable_items_list
Description: List of Wallet items that can be edited by the user through AccessAgent.
Registry: (none)
IMS Entry: List of Wallet items that can be edited by the user through AccessAgent.
Type: Non-negative integer
Values:
  *#1: Password
  *#2: Password entry option
  *#4: Application settings
  *#8: Delete credential
  *#16: Add credential
  (multiple allowed)
  (refreshed on sync)
Scope: User

pid_wallet_inject_pwd_entry_option_default
Description: Default automatic sign-on password entry option.
Registry: (none)
IMS Entry: Default automatic sign-on password entry option
Type: Positive integer
Values:
  #1: Automatic log on
  *#2: Always
  #3: Ask
  #4: Never
  #5: Certificate
  #6: Use application settings
  (refreshed on sync)
Scope: System

pid_wallet_enterprise_app_never_option_enabled
Description: Whether the Never password entry option is enabled for enterprise authentication services.
Note: The user policy, if defined, overrides the system policy.
Registry: (none)
IMS Entry: Enable 'Never' for enterprise authentication services?
Type: Boolean
Values:
  *#True
  #False
  (refreshed on sync)
Scope: User, System

pid_wallet_personal_app_sso_enabled
Description: Whether to enable automatic sign-on for personal authentication services.
Note: If the user policy is defined, it overrides the system policy.
Registry: (none)
IMS Entry: Enable automatic sign-on for personal authentication services?
Type: Boolean
Values:
  *#True
  #False
  (refreshed on use for the user policy)
  (refreshed on sync for the system policy)
Scope: User, System

pid_sso_auto_learn_enabled
Description: Whether auto-learning is enabled for automatic sign-on to applications.
Registry: (none)
IMS Entry: Enable auto-learning?
Type: Boolean
Values:
  *#True
  #False
  (refreshed on sync)
Scope: System

pid_sso_user_control_enabled
Description: Whether to allow the user to enable or disable automatic sign-on.
Note: If this policy is disabled, the Enable automatic sign-on and Disable automatic sign-on options do not appear in the AccessAgent UI.
Registry: [DO] "SsoUserControlEnabled"
IMS Entry: Allow user to enable/disable automatic sign-on?
Type: DWORD (machine policy), Boolean (user policy)
Values:
  Machine: #0: No, *#1: Yes
  User: *#True, #False
  (refreshed on sync)
Scope: Machine, User

pid_accessagent_pwd_display_option
Description: Option for displaying application passwords in the Wallet Manager of AccessAgent through the Show password option.
Note:
1. The user is asked to enter a password before passwords are displayed.
2. Displaying passwords is not allowed if the user is logged on using a fingerprint.
Registry: (none)
IMS Entry: Option for displaying of application passwords in AccessAgent
Type: Non-negative integer
Values:
  *#0: Disallow displaying passwords
  #1: Allow displaying personal passwords
  #2: Allow displaying both enterprise and personal passwords
  (refreshed on sync)
Scope: User

pid_accessagent_pwd_export_option
Description: Option for exporting application passwords in the Wallet Manager of AccessAgent through the Show password option.
Note: The user is asked to enter a password before being allowed to export passwords.
Registry: (none)
IMS Entry: Option for exporting of application passwords in AccessAgent
Type: Non-negative integer
Values:
  *#0: Disallow exporting passwords
  #1: Allow exporting personal passwords
  #2: Allow exporting both enterprise and personal passwords
  (refreshed on sync)
Scope: User

pid_migration_stage
Description: Whether migration from Encentuate Tivoli Information Archive Manager version 1.x to 3.x is in progress and, if so, the current stage of migration.
Note:
1. The migration involves the upgrade of the IMS Server, AccessAgent, and the Wallets of users.
2. When the IMS Server is upgraded, the installer automatically sets the policy value to 1.
3. The Administrator must manually set this policy to 2 when all AccessAgent installations have been upgraded.
4. Wallets of users are upgraded as and when they log on using the upgraded AccessAgent. After all Wallets are upgraded, the policy must be set to 0 to optimize IMS Server and AccessAgent performance.
5. Migration can be completed automatically using a job that checks whether all Wallets have been upgraded.
Registry: (none)
IMS Entry: Stage of migration from version 1.x to 3.x
Type: Non-negative integer
Values:
  *#0: No migration or migration completed
  #1: Upgrading IMS Server and AccessAgent
  #2: IMS Server and AccessAgent fully upgraded
  (refreshed on sync)
Scope: System

pid_wallet_cache_security_enabled
Description: Whether to enable cached Wallet security.
Note:
1. If enabled, user and machine cached Wallets are tied to the machine that created them, so cached Wallets copied from another machine fail to work. If disabled, a copied cached Wallet file is usable on any machine and is only protected by the offline logon limit (pid_wallet_open_max_tries).
2. This policy must be disabled if cached Wallets are shared among several machines. For example, AccessAgent on Citrix servers might be configured to access the same network folder for storing cached Wallets.
3. This policy does not affect pid_machine_policy_override_enabled.
Registry: [DO] "WalletCacheSecurityEnabled"
IMS Entry: Enable cached Wallet security?
Type: DWORD
Values:
  *#0: No
  #1: Yes
  (refreshed on restart)
Scope: Machine

pid_wallet_cleanup_on_caching_enabled
Description: Whether to perform a Wallet cleanup activity every time a new Wallet is cached.
Note:
1. With cleanup enabled, caching a new Wallet takes a long time.
2. This policy must be set to 0 for machines that have a large number of cached Wallets.
3. With the policy set to 0:
   a. Logon to a cached Wallet when the IMS Server is offline is still slow unless the IMS Server is highly available.
   b. If cleanup is not initiated and the IMS Server is offline:
      - When a user is deleted, the old Wallet of the user is still on the Citrix server.
      - If the user caches a new Wallet (same user name), the user might not be able to log on to the cached Wallet, because AccessAgent might access the old Wallet. The old Wallet has a different password from the new Wallet.
      - It is then necessary to run SOCIPruner.exe on a periodic basis to perform cleanup.
Registry: [DO] "WalletCleanupOnCachingEnabled"
IMS Entry: (none)
Type: DWORD
Values:
  #0: disabled
  *#1: enabled
Scope: Machine

Chapter 18. Sign-up policies

pid_bind_secret_question_list
Description: The set of questions that the user chooses from during sign-up to provide the secret answer.
Note:
1. The system cannot display the entire secret question if it is longer than the screen width.
2. This message is available in multiple languages. It is displayed in the language specified by the user during AccessAgent installation.
Registry: (none)
IMS Entry: Question set for secret
Type: String list
Values:
  *#What is your mother's maiden name?
  *#When is your birthday?
  (multiple allowed)
  (refreshed on sync)
Scope: System

pid_secret_answer_min_length
Description: Minimum length of an acceptable secret answer.
Registry: (none)
IMS Entry: Minimum length of an acceptable secret answer
Type: Positive integer
Values: *3 (refreshed on sync)
Scope: System

pid_secrets_register_for_selfhelp_at_sign_up
Description: Whether to prompt the user to register additional secrets for self-service during sign-up.
Note: If pid_secrets_verify_for_selfhelp is 1, the user is not prompted to register additional secrets, since the primary secret is sufficient for performing self-service actions. The user can still choose to register more secrets after logging on by clicking Set self-service secrets in AccessAgent.
Registry: (none)
IMS Entry: Prompt user to register additional secrets for self-service during sign up?
Type: Boolean
Values:
  #True
  *#False
  (refreshed on sync)
Scope: System

pid_secret_option
Description: Whether the secret is required and must be specified by the user during sign-up, or is assigned automatically using a bind task.
Note:
1. This policy applies to users who are signing up or who are logging on for the first time after their accounts have been pre-provisioned.
2. For policy value 0, the user is assigned a system-defined secret. The user is not prompted for a secret when performing actions that require it (for example, reset password and offline recovery), so anyone who can satisfy the remaining checks can perform those actions without knowing a user-chosen secret. The customer must understand this security weakness before deciding to implement such a configuration.
3. If the policy value is changed from 1 to 0, the user is automatically migrated to a system-defined secret the next time the user logs on to AccessAgent. There is no support for migration in the other direction, from 0 to 1.
Registry: (none)
IMS Entry: Option for specifying secret
Type: Non-negative integer
Values:
  #0: Secret not required
  *#1: Secret required, and user must specify during sign-up
  (refreshed on sync)
Scope: System

pid_second_factor_for_sign_up_required
Description: Whether a second factor is required during sign-up.
Note:
1. Effective only if the second factors supported list is not empty. In this case, any one of the supported second factors can be used for sign-up. One UI dialog requests the user to present any one of the supported second factors.
2. If the policy value is 1, sign-up fails if the second factor is not presented.
Registry: [DO] "SecondFactorForSignUpRequired"
IMS Entry: Require authentication second factor during sign-up?
Type: DWORD
Values:
  *#0: Not required (False)
  #1: Required (True)
  (refreshed on use)
Scope: Machine

pid_automatic_sign_up_enabled
Description: Whether to enable automatic sign-up.
Note:
1. This policy must be set to 1 if the password is synchronized with the Active Directory password.
2. pid_engina_welcome_text and pid_unlock_text must be modified accordingly if this policy is set to 1.
3. If this policy is set to 1, the Sign up option is not available on either the AccessAgent UI or the AccessAgent Tray menu. The user is not prompted to sign up when logging on with an unregistered user name. The user is not prompted to confirm sign-up if an unregistered second factor is presented.
Registry: [DO] "AutomaticSignUpEnabled"
IMS Entry: Enable automatic sign-up?
Type: DWORD
Values:
  *#0: No (False)
  #1: Yes (True)
  (refreshed on use)
Scope: Machine

Chapter 19. Policy template policies

pid_policy_template_default
Description: The default user policy template to be applied.
Registry: (none)
IMS Entry: Default policy template
Type: String
Values: *default user policy template (refreshed on use)
Scope: System

pid_machine_policy_template_default
Description: The default machine policy template to be applied.
Registry: (none)
IMS Entry: Default machine policy template
Type: String
Values: *default machine policy template (refreshed on use)
Scope: System

Chapter 20. ActiveCode policies

pid_mac_max_validity_count
Description: Maximum number of Mobile ActiveCodes that can be valid for a user at any time.
Registry: (none)
IMS Entry: Maximum number of Mobile ActiveCodes that might be valid for a user at any time.
Type: Positive integer
Values: *3 (from 1 to 7) (refreshed on use)
Scope: System

pid_activecode_bypass_option
Description: ActiveCode authentication bypass option.
Note: This option can be used for bypassing both Mobile ActiveCode and OTP ActiveCode (AccessAgent-OTP and on-board OTP).
Registry: (none)
IMS Entry: ActiveCode bypass option
Type: Non-negative integer
Values:
  #1: Authorization code and password
  #2: Authorization code and enterprise account password
  #4: Authorization code and secret
  (multiple allowed)
  (0 for "No bypass")
  (refreshed on use)
Scope: System
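Both pid_activecode_bypass_option above and pid_wallet_editable_items_list in Chapter 17 are stored as one integer whose bits are the "multiple allowed" values, so a bypass option of 5 means "authorization code and password" or "authorization code and secret", and 0 means no bypass. The following helpers are added example code for this page (not IMS Server code); they encode and decode such values and reject bits the policy does not define, which is the check an administrator wants before pushing a hand-edited value.

```python
# Bit values copied from the two policy definitions in this guide.
WALLET_EDITABLE_ITEMS = {
    1: "Password",
    2: "Password entry option",
    4: "Application settings",
    8: "Delete credential",
    16: "Add credential",
}

ACTIVECODE_BYPASS = {
    1: "Authorization code and password",
    2: "Authorization code and enterprise account password",
    4: "Authorization code and secret",
}


def decode_flags(value: int, table: dict) -> list:
    """Return the names whose bits are set in value; 0 means no flag (e.g. 'No bypass').
    Raises ValueError for negative values or bits the policy does not define."""
    if value < 0:
        raise ValueError("policy value must be a non-negative integer")
    defined = sum(table)            # every defined bit set
    if value & ~defined:
        raise ValueError(f"undefined bit(s) in policy value {value}: {value & ~defined:#x}")
    return [name for bit, name in sorted(table.items()) if value & bit]


def encode_flags(names: list, table: dict) -> int:
    """Inverse of decode_flags: build the integer from display names."""
    by_name = {name: bit for bit, name in table.items()}
    value = 0
    for name in names:
        if name not in by_name:
            raise ValueError(f"unknown option: {name!r}")
        value |= by_name[name]
    return value


def bypass_allowed(policy_value: int, method: str) -> bool:
    """True if pid_activecode_bypass_option permits the named bypass method."""
    return method in decode_flags(policy_value, ACTIVECODE_BYPASS)
```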

pid_activecode_append_secret_option
Description: Option for appending a secret to a Mobile ActiveCode.
Note: The order is also specified in the policy values.
Registry: (none)
IMS Entry: Option for appending a secret to Mobile ActiveCode
Type: Non-negative integer
Values:
  *#0: MAC only (no appending of secret)
  #1: MAC + password
  #2: MAC + Enterprise account password
  #3: MAC + Administrator-assigned secret
  #4: password + MAC
  #5: Enterprise account password + MAC
  #6: Administrator-assigned secret + MAC
  (refreshed on use)
Scope: System

pid_activecode_admin_assigned_secret_name
Description: Identity attribute name of the Administrator-assigned secret, for appending to an ActiveCode.
Note:
1. Can be used for both Mobile ActiveCode and OTP ActiveCode (AccessAgent-OTP and on-board OTP).
2. Effective only if the ActiveCode append secret option is 3.
Registry: (none)
IMS Entry: Identity attribute name of the Administrator-assigned secret
Type: String
Values: (refreshed on use)
Scope: System

pid_otp_append_secret_option
Description: Option for appending a secret to OTP (time-based) and OTP (OATH).
Note:
1. Not applicable to AA-OTP (AccessAgent-OTP).
2. The order is also specified in the policy values.
Registry: (none)
IMS Entry: Option for appending a secret to OTP (time-based) and OTP (OATH)
Type: Non-negative integer
Values:
  *#0: OTP only (no appending of secret)
  #1: OTP + password
  #2: OTP + Enterprise account password
  #3: OTP + Administrator-assigned secret
  #4: password + OTP
  #5: Enterprise account password + OTP
  #6: Administrator-assigned secret + OTP
  (refreshed on use)
Scope: System

pid_otp_reset_sample_count
Description: Number of consecutive OTPs to be obtained from the user for resetting an OTP (OATH) token.
Registry: (none)
IMS Entry: Number of consecutive OTPs needed for resetting an OTP (OATH) token
Type: Positive integer
Values: *3 (from 1 to 5) (refreshed on use)
Scope: System

Chapter 21. AccessAssistant and Web Workplace policies

pid_accessanywhere_enabled
Description: Whether the user is allowed to use AccessAssistant.
Registry: (none)
IMS Entry: Allow access to Wallet from AccessAssistant?
Type: Boolean
Values:
  *#True
  #False
  (refreshed on use)
Scope: User

pid_accessanywhere_second_factor_enabled
Description: Whether the user is required to authenticate using a second factor when using AccessAssistant.
Registry: (none)
IMS Entry: Second factor authentication required for AccessAssistant?
Type: Boolean
Values:
  *#True
  #False
  (refreshed on use)
Scope: User

pid_accessanywhere_edit_user_profile_enabled
Description: Whether the user profile can be edited by the user in AccessAssistant and Web Workplace.
Registry: (none)
IMS Entry: Enable editing of user profile in AccessAssistant and Web Workplace?
Type: Boolean
Values:
  #True
  *#False
  (refreshed on sync)
Scope: System

pid_accessanywhere_personal_app_enabled
Description: Whether to display personal authentication services in AccessAssistant and Web Workplace.
Note:
1. Effective only if pid_accessanywhere_enabled is True.
2. Some personal applications might not be displayed in AccessAssistant: a Windows account on the local computer, and some other authentication services, are not created by the Administrator and exist only in the user scope.
Registry: (none)
IMS Entry: Display personal authentication services in AccessAssistant and Web Workplace?
Type: Boolean
Values:
  #True
  *#False
  (refreshed on sync)
Scope: User

pid_accessanywhere_password_display_option
Description: Option for displaying application passwords in AccessAssistant.
Registry: (none)
IMS Entry: Password display option in AccessAssistant
Type: Non-negative integer
Values:
  #0: Disable viewing of passwords
  #1: Display password, no option to copy to clipboard
  *#2: Display password by default, with option to copy to clipboard
  #3: Copy to clipboard by default, with option to display password
  (refreshed on sync)
Scope: System

pid_accessanywhere_second_factor_default
Description: The default second authentication factor for logging on to AccessAssistant and Web Workplace.
Note:
1. Effective only if pid_accessanywhere_enabled and pid_accessanywhere_second_factor_enabled are True.
2. After the user enters the user name and password, AccessAssistant or Web Workplace prompts for the default second factor. The user can still click the links to use other second factors.
3. If the default second factor is MAC, a MAC is automatically sent to the user through the preferred channel after the user name and password are entered. A message indicates where the MAC has been sent, with links for the user to request that a MAC be sent to another channel.
4. The user can change the preferred MAC channel through the user profile settings page.
Registry: (none)
IMS Entry: Default second authentication factor for AccessAssistant and Web Workplace
Type: Positive integer
Values:
  *#1: Authorization code
  #2: MAC
  #3: OTP (time-based)
  (refreshed on use)
Scope: User

pid_accessanywhere_app_sso_enabled
Description: Whether the user can perform automatic sign-on to applications through AccessAssistant.
Registry: (none)
IMS Entry: Enable automatic sign-on to applications in AccessAssistant?
Type: Boolean
Values:
  #True
  *#False
  (refreshed on sync)
Scope: System

pid_unlock_account_enabled
Description: Whether the user account can be unlocked by the user in AccessAssistant and Web Workplace.
Registry: (none)
IMS Entry: Enable unlocking of account by user in AccessAssistant and Web Workplace?
Type: Boolean
Values:
  #True
  *#False
  (refreshed on sync)
Scope: System

Chapter 22. AccessAudit policies

pid_audit_custom_events_list
Description: List of custom audit event codes and their corresponding display names.
Note: AccessProfiles must be written to detect the events and submit the appropriate custom audit logs.
Registry: (none)
IMS Entry: List of custom audit events
Type: String list
Values:
  Each custom event is represented by one string of the form:
  event_code,display_name
  event_code must be a hexadecimal value in the range 0x43015000 to 0x43015FFF
  (multiple allowed)
  (refreshed on sync)
Scope: System
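A parser for the "event_code,display_name" strings that pid_audit_custom_events_list holds, added here as example code for this page (not IMS Server or AccessAudit code). It enforces the documented code range, so a custom code cannot collide with a built-in audit event code, and rejects duplicates, which would make two AccessProfile events indistinguishable in the audit trail. The sample list is constructed for the example.

```python
import re

EVENT_CODE_MIN = 0x43015000   # custom range from the policy definition
EVENT_CODE_MAX = 0x43015FFF

_ENTRY = re.compile(r"^\s*(0[xX][0-9A-Fa-f]+)\s*,\s*(.+?)\s*$")

# Constructed sample policy value (not from the guide).
SAMPLE_EVENTS = [
    "0x43015000,Clinical app: patient record opened",
    "0x43015001,Clinical app: record exported",
]


def parse_custom_events(entries: list) -> dict:
    """Parse pid_audit_custom_events_list strings of the form 'event_code,display_name'.
    Returns {event_code: display_name}. Rejects malformed entries, codes outside the
    custom range (they would collide with built-in audit events) and duplicate codes."""
    events = {}
    for raw in entries:
        match = _ENTRY.match(raw)
        if not match:
            raise ValueError(f"malformed entry: {raw!r} (expected 'event_code,display_name')")
        code = int(match.group(1), 16)
        name = match.group(2)
        if not EVENT_CODE_MIN <= code <= EVENT_CODE_MAX:
            raise ValueError(f"{match.group(1)} is outside 0x43015000..0x43015FFF")
        if code in events:
            raise ValueError(f"duplicate event code {code:#010x}")
        events[code] = name
    return events


def display_name(events: dict, code: int) -> str:
    """What the audit report would show for a code submitted by an AccessProfile."""
    return events.get(code, f"Unknown custom event {code:#010x}")
```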

Chapter 23. AccessAgent policies

See the following sets of AccessAgent policies.
- EnGINA policies
- Desktop inactivity policies on page 96
- Lock policies on page 99
- Lock/Unlock policies on page 101
- Smart card policies on page 106
- RFID policies on page 108
- Active Proximity Badge policies on page 114
- Fingerprint policies on page 115
- Terminal Server/Roaming session policies on page 119
- Log on/Log off policies on page 127
- Tivoli Access Manager for Enterprise Single Sign-On Hot Key policies on page 134
- Emergency Hot Key policies on page 138
- Presence detector policies on page 139

EnGINA policies

pid_engina_winlogon_option_enabled
Description: Whether to enable the option to go to Windows logon directly from EnGINA.
Registry: [DO] "EnginaWinlogonOptionEnabled"
IMS Entry: Allow log on bypass through Windows?
Type: DWORD
Values:
  #0: No (False)
  *#1: Yes (True)
  (refreshed on use)
Scope: Machine

pid_engina_app_launch_enabled
Description: Whether to enable the launching of an application from the EnGINA welcome or locked screen.
Registry: [DO] "EnginaAppLaunchEnabled"
IMS Entry: Enable application launch from EnGINA?
Type: DWORD
Values:
  *#0: No (False)
  #1: Yes (True)
  (refreshed on use)
Scope: Machine

pid_engina_app_launch_label
Description: Display label for the link on the EnGINA welcome or locked screen for launching an application.
Note: Effective only if pid_engina_app_launch_enabled is 1.
Registry: [DO] "EnginaAppLaunchLabel"
IMS Entry: Display label for application launch
Type: SZ
Values: (refreshed on use)
Scope: Machine

pid_engina_app_launch_cmd
Description: Command line for launching an application from the EnGINA welcome or locked screen.
Note:
1. Effective only if pid_engina_app_launch_enabled is 1.
2. If the application is launched from the welcome screen, the owner of the process for the application is "System". Because this process runs with System privileges before anyone has authenticated, the command line must name a fixed, trusted executable; any application that offers a file dialog, a shell or a browser from the welcome screen exposes those privileges to whoever is at the keyboard.
3. If the application is launched from the locked screen, the owner of the process for the application is the currently logged on desktop user.
Registry: [DO] "EnginaAppLaunchCmd"
IMS Entry: Command line for application launch
Type: SZ
Values: (refreshed on use)
Scope: Machine

pid_engina_bypass_hot_key_enabled
Note: Modifying this policy requires a machine restart to implement the changes.
Description Whether the EnGINA Bypass Hot Key is enabled.
Note:
1. If enabled, the user can press the EnGINA Bypass Hot Key sequence to
bypass EnGINA and go to the Windows logon or unlock screen.
2. The Hot Key is accepted in any of the following EnGINA states:
Welcome, Log On, Computer Locked, Unlock This Computer.
3. If the Hot Key is pressed at the computer locked screen, AccessAgent
does not ask the user to confirm whether to log off the previous user,
even though a previous user can still be logged on to the computer. The
Microsoft GINA is presented instead, and it allows unlocking only by the
same user or an Administrator.
4. This policy is not effective if local user session management is
enabled (that is, pid_lusm_sessions_max is greater than 1).
5. The Hot Key is a documented way around the AccessAgent logon screen
and it is enabled by default. Disable it on computers where AccessAgent
is meant to be the only logon path, and keep the sequence
(pid_engina_bypass_hot_key_sequence) out of user-facing documentation.
Registry

[DO] "EnginaBypassHotKeyEnabled"

IMS Entry

Enable EnGINA Bypass Hot Key?

Type

DWORD (machine policy) / Boolean (system policy)

Values

*#1: Yes (True)
#0: No (False)
(refreshed on startup)

Scope

Machine
System

pid_engina_bypass_hot_key_sequence
Description The EnGINA Bypass Hot Key sequence.
Note:
1. Effective only if pid_engina_bypass_hot_key_enabled is enabled.
2. Modifying this policy requires a machine restart to implement the
changes.
Registry

[DO] "EnginaBypassHotKeySequence"

Chapter 23. AccessAgent policies

IMS Entry

EnGINA Bypass Hot Key sequence

Type

MULTI_SZ (string list)

Values

*Ctrl
*Alt
*Home
(at most 3 keys from the set: Ctrl, Shift, Alt, Ins, Del, Home, End,
PgUp, PgDn, Break E; Ctrl-Alt-Del is not allowed)
(at least 2 of the keys must come from the modifier set Ctrl, Shift, Alt,
so that the probability of conflict with other applications is minimized)
(refreshed on startup)

Scope

Machine
System
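The constraints listed under Values are easy to get wrong when the sequence is typed into a MULTI_SZ value by hand. The following checker is an added example, not part of the product or of this guide: it takes the proposed sequence as a Python list, reports every rule it breaks, and encodes the accepted list as the raw REG_MULTI_SZ payload. Treating the guide's "Break E" as two separate keys, "Break" and "E", is an assumption.

```python
"""Validator for the EnGINA Bypass Hot Key sequence (pid_engina_bypass_hot_key_sequence).

Added example, not product code. It encodes only the constraints the policy
entry states: keys from the allowed set, at most 3 keys, at least 2 of them
from Ctrl/Shift/Alt, and Ctrl-Alt-Del rejected.
"""

# Allowed keys as listed in the guide; splitting "Break E" into two keys is an assumption.
ALLOWED_KEYS = frozenset({"Ctrl", "Shift", "Alt", "Ins", "Del", "Home", "End",
                          "PgUp", "PgDn", "Break", "E"})
MODIFIER_KEYS = frozenset({"Ctrl", "Shift", "Alt"})
RESERVED = frozenset({"Ctrl", "Alt", "Del"})      # Ctrl-Alt-Del belongs to Windows


def validate_bypass_hot_key(keys):
    """Return the list of problems with a proposed sequence; an empty list means acceptable."""
    problems = []
    unknown = [k for k in keys if k not in ALLOWED_KEYS]
    if unknown:
        problems.append("keys not in the allowed set: " + ", ".join(unknown))
    if not keys:
        problems.append("empty sequence")
    if len(keys) != len(set(keys)):
        problems.append("duplicate keys")
    if len(keys) > 3:
        problems.append("more than 3 keys")
    if len(MODIFIER_KEYS.intersection(keys)) < 2:
        problems.append("fewer than 2 keys from Ctrl, Shift, Alt")
    if set(keys) == RESERVED:
        problems.append("Ctrl-Alt-Del is not allowed")
    return problems


def format_hot_key(keys):
    """Display form used in prompts and documentation, e.g. 'Ctrl-Alt-Home'."""
    return "-".join(keys)


def to_reg_multi_sz(keys):
    """Raw REG_MULTI_SZ payload: UTF-16LE strings, each NUL-terminated, plus a final NUL."""
    return ("\0".join(keys) + "\0\0").encode("utf-16-le")


if __name__ == "__main__":
    for candidate in (["Ctrl", "Alt", "Home"], ["Ctrl", "Alt", "Del"], ["Ctrl", "Home"]):
        print(format_hot_key(candidate), validate_bypass_hot_key(candidate) or "OK")
```

Run the checker against every sequence you intend to deploy before it reaches a registry export; a rejected sequence is silently useless at best and, for Ctrl-Alt-Del, conflicts with the secure attention sequence.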

pid_engina_bypass_automatic_enabled
Description Whether automatic EnGINA Bypass is enabled.
Note:
1. If enabled, and the IMS Server is not accessible, and the Wallet of the
user is not cached, AccessAgent automatically bypasses EnGINA and shows
the Microsoft GINA when the user attempts to log on or unlock. A
configurable text message (pid_engina_bypass_automatic_text) is shown
in a prompt with an OK button.
2. If pid_unlock_option is 4, AccessAgent first prompts whether to log off
the previous user. If the user clicks Yes, and
pid_enc_pwd_is_ad_pwd_enabled is True, and the IMS Server is not
accessible, and the Wallet of the user is not cached, AccessAgent shows
the configurable text message (pid_engina_bypass_automatic_text). After
the user clicks OK, AccessAgent logs off the previous desktop of the
user and brings the new user to the Microsoft GINA logon screen.
3. This feature does not support logon with second factors.
4. Modifying this policy requires a machine restart to implement the
changes.
5. Enabling this policy trades the AccessAgent logon controls for
availability: whenever the IMS Server cannot be reached, a user without a
cached Wallet is sent straight to the Windows logon, and second factors
are not enforced on that path.


Registry

[DO] "EnginaBypassAutomaticEnabled"

IMS Entry

Enable automatic EnGINA bypass?

Type

DWORD

Values

*#0: No (False)
#1: Yes (True)
(refreshed on startup)

Scope

Machine

pid_engina_bypass_automatic_text
Description Configurable text message for automatic EnGINA bypass.
Note: This message is available in multiple languages. It is displayed in
the language specified by the user during AccessAgent installation.
Registry
IMS Entry

Message for automatic EnGINA bypass

Type

String

Values

*AccessAgent is currently unable to connect to the IMS Server to log on
to your Wallet. You can proceed to log on to Windows but automatic
sign-on is disabled.
(refreshed on sync)

Scope

System

pid_engina_ui_enabled
Description Whether to display the Tivoli Access Manager for Enterprise Single
Sign-On UI instead of the Windows UI when Windows is logged off or
locked.
Note: This policy is only applicable when smart card is a supported
second factor on the computer.
Registry
IMS Entry

Enable TAM E-SSO UI when Windows is logged off or locked?

Type

Boolean

Values

*#True
#False
(refreshed on sync)

Scope

Machine


Desktop inactivity policies


pid_desktop_inactivity_mins
Description Desktop inactivity duration, in minutes, after which AccessAgent might
perform a set of actions.
Registry

[DO] "DesktopInactivityMins"

IMS Entry

Desktop inactivity duration, in minutes

Type

DWORD
Positive integer

Values

*30
(refreshed on sync for system policy)
(refreshed on use for machine policy)

Scope

Machine
System

pid_desktop_inactivity_action
Description Actions to be performed by AccessAgent after a period of desktop
inactivity.
Note:
1. This policy is ineffective if the computer is already locked. In that
case, the locked computer inactivity action applies instead.
2. If the user is not logged on to a Wallet, the log off Wallet part of
policy values 2 and 5 is not performed.
Registry

[DO] "DesktopInactivityAction"

IMS Entry

Desktop inactivity actions

Type

DWORD
Non-negative integer

Values

*#0: No action
#1: Log off Windows
#2: Log off Wallet
#4: Lock computer
#5: Log off Wallet and lock computer
(refreshed on sync for system policy)
(refreshed on use for machine policy)

Scope

Machine
System

pid_desktop_inactivity_action_countdown_secs
Description Confirmation countdown duration, in seconds, for desktop inactivity.
Registry

[DO] "DesktopInactivityActionCountdownSecs"

IMS Entry

Confirmation countdown duration, in seconds, for desktop inactivity

Type

DWORD
Non-negative integer

Values

*5
(0 to disable confirmation countdown)
(refreshed on sync for system policy)
(refreshed on use for machine policy)

Scope

Machine
System

pid_win_screensaver_action
Description Actions to be performed by AccessAgent on Windows screen saver
activation.
Note:
1. This policy is only effective if at least one user is logged on to
AccessAgent.
2. If this policy triggers a computer lock, the desktop inactivity action
becomes ineffective.
3. If this policy allows a screen saver without password protection, the
desktop inactivity action remains effective while the screen saver is
on.
4. This policy allows two-level desktop inactivity behavior. If this
policy is set to 1, pid_desktop_inactivity_mins is 4 with
pid_desktop_inactivity_action set to lock the computer, and the Windows
screen saver is set to time out in 2 minutes without password
protection, the computer shows the screen saver after 2 minutes of
idling and is locked after an additional 2 minutes of idling.
Important:
v Screensaver action is not supported in Microsoft Windows Vista.
v Option 0 is not supported in Microsoft Windows Vista.

Registry

[DO] "WinScreensaverAction"

IMS Entry

Actions on Windows screen saver activation

Type

DWORD
Non-negative integer

Values

#0: Disable Windows screen saver
#1: If screen saver is password protected, lock computer, else show
normal screen saver
*#2: Lock computer
(refreshed on sync for system policy)
(refreshed on use for machine policy)

Scope

Machine
System
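The interaction between pid_desktop_inactivity_mins, pid_desktop_inactivity_action, pid_win_screensaver_action and the locked computer inactivity policies (which follow) is easiest to reason about as a timeline. The simulator below is an added example, not product code: it models only what these policy entries state, including the two-level behavior in note 4 above, the "ineffective once locked" rule, and the Wallet check for actions 2 and 5. It assumes one uninterrupted idle period, and it does not model a screen saver that would fire only after the desktop inactivity action has already run.

```python
"""Idle-time simulator for the desktop inactivity and screen saver policies.

Added example, not product code. It models only what this section states:
pid_win_screensaver_action decides what happens when the Windows screen saver
fires; pid_desktop_inactivity_action fires after pid_desktop_inactivity_mins
unless the computer is already locked; pid_locked_computer_inactivity_action
fires a further pid_locked_computer_inactivity_mins later under an EnGINA lock
while a Wallet is logged on.
"""
from dataclasses import dataclass

# Action codes as documented for pid_desktop_inactivity_action and related policies.
NO_ACTION, LOGOFF_WINDOWS, LOGOFF_WALLET, LOCK, LOGOFF_WALLET_AND_LOCK = 0, 1, 2, 4, 5
# pid_win_screensaver_action values.
SS_DISABLE, SS_LOCK_IF_PROTECTED, SS_LOCK = 0, 1, 2


@dataclass
class InactivityPolicy:
    desktop_inactivity_mins: int = 30
    desktop_inactivity_action: int = NO_ACTION
    win_screensaver_action: int = SS_LOCK
    locked_computer_inactivity_mins: int = 30
    locked_computer_inactivity_action: int = NO_ACTION
    lock_option: int = 1                      # 1 EnGINA screen lock, 2 transparent lock


@dataclass
class Workstation:
    screensaver_timeout_mins: int = 0         # 0: no Windows screen saver configured
    screensaver_password_protected: bool = False
    accessagent_logged_on: bool = True
    wallet_logged_on: bool = True


def idle_timeline(policy, ws):
    """Return [(minutes idle, event)] in time order for one uninterrupted idle period."""
    events, locked_at, wallet_on = [], None, ws.wallet_logged_on

    # Screen saver policy: effective only with an AccessAgent user logged on (note 1).
    # Assumption: only modelled when it fires no later than the desktop inactivity action.
    ss_at = ws.screensaver_timeout_mins
    if (ws.accessagent_logged_on and ss_at > 0 and policy.win_screensaver_action != SS_DISABLE
            and (policy.desktop_inactivity_action == NO_ACTION
                 or ss_at <= policy.desktop_inactivity_mins)):
        if policy.win_screensaver_action == SS_LOCK or ws.screensaver_password_protected:
            events.append((ss_at, "lock computer (screen saver policy)"))
            locked_at = ss_at                 # note 2: desktop inactivity action now ineffective
        else:
            events.append((ss_at, "screen saver shown (desktop inactivity still counting)"))

    # Desktop inactivity action: ineffective once the computer is locked.
    action = policy.desktop_inactivity_action
    if locked_at is None and action != NO_ACTION:
        t = policy.desktop_inactivity_mins
        if action in (LOGOFF_WALLET, LOGOFF_WALLET_AND_LOCK) and wallet_on:   # Wallet part only if logged on
            events.append((t, "log off Wallet"))
            wallet_on = False
        if action == LOGOFF_WINDOWS:
            events.append((t, "log off Windows"))
        if action in (LOCK, LOGOFF_WALLET_AND_LOCK):
            events.append((t, "lock computer (desktop inactivity)"))
            locked_at = t

    # Locked computer inactivity: EnGINA lock only, and only while a Wallet is logged on.
    if (locked_at is not None and policy.lock_option == 1 and wallet_on
            and policy.locked_computer_inactivity_action == LOGOFF_WINDOWS):
        events.append((locked_at + policy.locked_computer_inactivity_mins,
                       "log off Windows (locked computer inactivity)"))
    return events


if __name__ == "__main__":
    # The two-level scenario from note 4: screen saver at 2 minutes, lock at 4.
    two_level = InactivityPolicy(desktop_inactivity_mins=4, desktop_inactivity_action=LOCK,
                                 win_screensaver_action=SS_LOCK_IF_PROTECTED)
    for when, what in idle_timeline(two_level, Workstation(screensaver_timeout_mins=2)):
        print(f"{when:>3} min: {what}")
```

Use it to sanity-check a proposed machine policy set: the worrying cases are the ones where the list comes back empty (nothing ever locks) or where "log off Windows" appears before any lock.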

pid_locked_computer_inactivity_mins
Description Locked computer inactivity duration, in minutes, after which
AccessAgent might perform a set of actions.
Registry

[DO] "LockedComputerInactivityMins"

IMS Entry

Locked computer inactivity duration, in minutes

Type

DWORD
Positive integer

Values

*30
(refreshed on sync for system policy)
(refreshed on use for machine policy)

Scope

Machine
System

pid_locked_computer_inactivity_action
Description Actions to be performed by AccessAgent after a period of desktop
inactivity while the computer is locked and the user is logged on to a
Wallet.
Note:
1. Effective only if pid_lusm_sessions_max is 1.
2. This policy is effective only if the EnGINA screen lock is shown.

Registry

[DO] "LockedComputerInactivityAction"

IMS Entry

Locked computer inactivity actions when user is logged on to Wallet

Type

DWORD
Non-negative integer

Values

*#0: No action
#1: Log off Windows
(refreshed on sync for system policy)
(refreshed on use for machine policy)

Scope

Machine
System

Lock policies
pid_lock_option
Description Type of screen lock to be used when the computer is locked.
Note:
1. If pid_lusm_sessions_max is greater than 1, only policy value 1 (EnGINA
screen lock) is supported.
2. From a transparent screen lock, the user can trigger an unlock or
switch user by presenting a second factor.
3. From a transparent screen lock, the AccessAgent UI is displayed when
the Tivoli Access Manager for Enterprise Single Sign-On Hot Key is
pressed. From this screen, the user can manually log off from
AccessAgent, which unlocks the computer, and the actions specified by
pid_logoff_manual_action are performed. The logoff action is
available regardless of the setting for
pid_logoff_manual_while_locked_option_enabled.
4. Even after the transparent screen lock is activated, the action
specified by pid_desktop_inactivity_action is still carried out once the
period of desktop inactivity has elapsed. Therefore set
pid_desktop_inactivity_action to 4 (Lock computer), so that the
inactivity timer does not log off the session behind the transparent
lock.
5. Under a transparent screen lock, pid_unlock_option is ignored and any
user can unlock the computer. Treat the transparent lock as a
convenience mode for shared workstations, not as a control that
protects the locked session.
Important: The transparent screen lock feature is not supported in
Microsoft Windows Vista.
Registry

[DO] "LockOption"

IMS Entry

Screen lock option

Type

DWORD

Values

#1: EnGINA screen lock
#2: Transparent screen lock
(refreshed on use)

Scope

Machine

pid_lock_transparent_text
Description Configurable text for transparent screen lock.
Note: Effective only if pid_lock_option is 2.
Registry

[DO] "LockTransparentText"

IMS Entry

Transparent screen lock message

Type

SZ

Values

*Tap your RFID card or Ctrl-Alt-E to unlock.
(text box takes about 40 chars)
(refreshed on use)

Scope

Machine

pid_lock_transparent_hot_key_enabled
Description Whether the Ctrl-Esc Hot Key sequence is enabled during transparent
screen lock.
Note:
1. Effective only if pid_lock_option is 2 and transparent screen lock is
shown.
2. If enabled, this Hot Key is equivalent to the Tivoli Access Manager
for Enterprise Single Sign-On Hot Key when the computer is
locked. When pressed, AccessAgent UI is shown on the transparent
screen lock.
3. This additional Hot Key is useful for remote access systems (for
example, LANDesk) that can send only limited key sequences.


Registry

[DO] "LockTransparentHotKeyEnabled"

IMS Entry

Enable transparent screen lock hot key?

Type

DWORD

Values

*#0: No (False)
#1: Yes (True)
(refreshed on use)

Scope

Machine

Lock/Unlock policies
pid_script_lock_enabled
Description Whether to enable the running of the lock script during locking of the
AccessAgent session of the user.
Note:
1. The lock script is only executed if the session of the user is
visible when the lock occurs. That is, in Local User Session
Management (LUSM), currently invisible user sessions do not have the
lock script executed.
2. The lock script is executed regardless of whether the lock is due to
desktop inactivity or manually triggered (for example, by pressing
Win-L or tapping an RFID card).
3. The lock script is useful for closing applications when a "guest"
AccessAgent session is being locked. It can also be used together with
the unlock script in a Local User Session Management (LUSM) scenario
to record any single-instance applications that are running before
the lock and might have to be relaunched during unlock.
Important: On Microsoft Windows Vista, the lock script is executed after
the machine locks instead of before it locks. If the script displays a
user interface that prompts the user for action on lock, the user does
not see it on Microsoft Windows Vista.
Registry
IMS Entry

Enable lock script during locking of the user's AccessAgent session?

Type

Boolean

Values

#True
*#False
(refreshed on sync)

Scope

User

pid_script_lock_type
Description Type of lock script to run.
Note:
1. Effective only if pid_script_lock_enabled is enabled.
2. See pid_script_lock_enabled.
Registry
IMS Entry

Lock script type

Type

Positive integer

Values

*#1: Batch
#2: VBScript
(refreshed on sync)

Scope

User

pid_script_lock_code
Description Source code of the lock script to run.
Note:
1. Effective only if pid_script_lock_enabled is enabled.
2. See pid_script_lock_enabled.
3. This policy carries executable source that AccessAgent runs on every
computer where the user locks a session. Restrict who can edit it on
the IMS Server as strictly as a domain logon script.
Registry


IMS Entry

Lock script code

Type

String

Values

(refreshed on sync)

Scope

User


pid_script_unlock_enabled
Description Whether to enable the running of the unlock script when the user
unlocks an existing AccessAgent session.
Note:
1. The unlock script is only executed if the user already has an
existing AccessAgent session and is unlocking it.
2. The unlock script is not executed if the user is unlocking a shared
workstation that is logged on with a generic Windows account and is
not currently logged on to AccessAgent. In this case, the logon
script (see pid_script_logon_enabled) is executed instead.
3. The unlock script can be used in Local User Session Management
(LUSM) to auto-launch single-instance applications that might have
been terminated by other users who are logged on to the same
workstation.
4. The unlock script is not supported if pid_lock_option is 2
(transparent screen lock).
Registry
IMS Entry

Enable unlock script when user unlocks an existing AccessAgent session?

Type

Boolean

Values

#True
*#False
(refreshed on sync)

Scope

User

pid_script_unlock_type
Description Type of unlock script to run.
Note:
1. Effective only if pid_script_unlock_enabled is enabled.
2. See pid_script_unlock_enabled.
Registry
IMS Entry

Unlock script type

Type

Positive integer

Values

*#1: Batch
#2: VBScript
(refreshed on sync)

Scope

User


pid_script_unlock_code
Description Source code of unlock script to run.
Note:
1. Effective only if pid_script_unlock_enabled is enabled.
2. See pid_script_unlock_enabled.
Registry
IMS Entry

Unlock script code

Type

String

Values

(refreshed on sync)

Scope

User

pid_unlock_option
Description Unlock computer policy for controlling who is allowed to unlock a
computer when it has been locked by a user who is logged on to
AccessAgent.
Note:
1. Effective only if pid_lusm_sessions_max is 1.
2. Same user refers to the user who locked the computer (that is, the
same user name).
3. This policy is ignored if pid_lock_option is 2 (transparent screen
lock). In transparent screen lock mode, any user is always allowed
to unlock the computer.
4. For policy value 3 (the default), if a different user tries to unlock,
AccessAgent unlocks the computer and brings that user to the existing
desktop; only the Wallet is switched, by logging off the old Wallet and
logging on to the new one. The Windows session, with everything the
previous user left open in it, is therefore shared with the new user.
5. For policy value 4, only the same user can unlock the computer and
return to the current desktop. For other users, AccessAgent logs off
the old desktop and logs on to the new Wallet. AccessAgent does not
require the user to present a second factor. If the new Wallet does
not have a desktop account on the computer, the user also has to log
on to Windows. This option is currently not supported for ARFID and
smart card.
Important: Limitations for Microsoft Windows Vista users:
v Option 3 only works with a Shared Desktop.
v Option 4 logs off the current AccessAgent logon session without
attempting to log on again as a second user.
Registry

[DO] "UnlockOption"

IMS Entry

Unlock computer policy

Type

DWORD
Positive integer

Values

#1: Only the same user can unlock
*#3: Any user can unlock
#4: Only the same user can unlock, but a different user can log on to
Windows
(refreshed on sync for user policy)
(refreshed on use for machine policy)

Scope

Machine
User

pid_unlock_different_user_action_countdown_secs
Description Confirmation countdown duration, in seconds, for unlocking by a
different user.
Note:
1. Effective only if pid_lusm_sessions_max is 2.
2. Effective when a user attempts to unlock the computer while another
user is already logged on to AccessAgent.
3. If the policy value is not 0, the user can click the prompt to cancel
the switch of user. If the user does not cancel before the countdown
ends, AccessAgent proceeds to unlock the computer.
Registry

[DO] "UnlockDifferentUserActionCountdownSecs"

IMS Entry

Confirmation countdown duration, in seconds, for unlocking by a different user

Type

DWORD
Non-negative integer

Values

*0
(0 to disable confirmation countdown)
(refreshed on sync for user policy)
(refreshed on use for machine policy)

Scope

Machine
User

pid_unlock_user_name_prefill_option
Description Option for prefilling the Tivoli Access Manager for Enterprise Single
Sign-On Windows unlock prompt with a user name.

Registry

[DO] "UnlockUserNamePrefillOption"

IMS Entry

User name prefill option for unlock prompt

Type

Non-negative integer

Values

0 - No
1 - Yes

Scope

Machine

pid_win_fast_user_switching_enabled
Description Whether to enable support for Fast User Switching in Microsoft
Windows Vista and above.
Note: Effective only if the client operating system is Microsoft
Windows Vista and above, and if Fast User Switching is enabled.
Registry

[DO] "WinFastUserSwitchingEnabled"

IMS Entry

Enable support for Windows Fast User Switching?

Type

Boolean

Values

#True
*#False (default)
(refreshed on sync)

Scope

Machine

Smart card policies


pid_sc_removal_action
Description Actions to be performed when a smart card is removed.
Registry
IMS Entry

Smart card removal actions

Type

Non-negative integer

Values

#1: Log off Windows
#2: Log off Wallet
*#4: Lock computer
#5: Log off Wallet and lock computer

Scope

Machine
User


pid_sc_map_cert_to_entdir_acc_enabled
Description Whether to automatically identify the enterprise directory account by
using the smart card certificate attributes during sign up. If so, the user
is not asked to provide a user name during sign up.
Registry
IMS Entry

Enable automatic mapping of certificate to enterprise directory account during sign up?

Type

Boolean

Values

#True
*#False
(refreshed on sync)

Scope

System

pid_sc_win_logon_enabled
Description Whether to allow smart card users to log on to Windows using
certificate-based authentication.
Note:
1. If this policy is enabled, after the user logs on to AccessAgent from
the Tivoli Access Manager for Enterprise Single Sign-On Welcome
screen, the user can log on to Windows using the smart card
certificate.
2. This policy is only applicable if the pid_engina_ui_enabled policy is
set. This policy is not supported on Windows Vista.
Registry
IMS Entry

Enable Windows smart card logon?

Type

Boolean

Values

#True
*#False
(refreshed on sync)

Scope

Machine


RFID policies
pid_rfid_tap_same_action
Description Actions to be performed by AccessAgent when the currently logged on
user taps the RFID card on the desktop.
Note:
1. This policy is not applicable if the user did not log on using an
RFID.
2. If pid_lusm_sessions_max is greater than 1, AccessAgent with the
policy value 1 (Log off Windows) logs off the desktop session of the
user and shows the computer locked screen.
Registry

[DO] "RfidTapSameAction"

IMS Entry

Actions on tapping same RFID on desktop

Type

DWORD
Non-negative integer

Values

*#0: No action
#1: Log off Windows
#2: Log off Wallet
*#4: Lock computer
#5: Log off Wallet and lock computer
(refreshed on sync for user policy)
(refreshed on use for machine policy)

Scope

Machine
User

pid_rfid_tap_same_action_countdown_secs
Description Confirmation countdown duration, in seconds, for tapping the same
RFID on the desktop.
Registry

[DO] "RfidTapSameActionCountdownSecs"

IMS Entry

Confirmation countdown duration, in seconds, for tapping same RFID on desktop

Type

DWORD
Non-negative integer

Values

*5
(0 to disable confirmation countdown: do not set to this value to
prevent accidental double detection of RFID tap)
(refreshed on sync for user policy)
(refreshed on use for machine policy)

Scope

Machine
User

pid_rfid_only_unlock_enabled
Description Whether to allow RFID-only unlock (without password) by the same
user who locked the computer, if unlock happens within the duration
specified by pid_rfid_only_unlock_timeout_secs.
Note: This also applies to Active Proximity Badge. However, if
pid_lusm_sessions_max is greater than 1, the Active Proximity Badge
only unlock is applicable only for the last visible user desktop.
Registry

[DO] "RfidOnlyUnlockEnabled"

IMS Entry

Enable RFID-only unlock?

Type

DWORD (machine policy) / Boolean (user policy)

Values

#1: Yes (True)
*#0: No (False)
(refreshed on sync for user policy)
(refreshed on use for machine policy)

Scope

Machine
User

pid_rfid_only_unlock_timeout_secs
Description Time expiry, in seconds, for an RFID-only unlock. After this duration
(timed from last lock), RFID-only unlock will not be allowed.
Note:
1. Effective only if pid_rfid_only_unlock_enabled is enabled.
2. Also applies to Active Proximity Badge.
Registry

[DO] "RfidOnlyUnlockTimeoutSecs"

IMS Entry

Time expiry, in seconds, for RFID-only unlock

Type

DWORD
Non-negative integer

Values

*0
(0 disables expiry, that is, RFID-only unlock is always allowed. With
pid_rfid_only_unlock_enabled set, a lost or borrowed card then unlocks
the locked session without a password at any later time, so set a
bounded timeout.)
(refreshed on sync for user policy)
(refreshed on use for machine policy)

Scope

Machine
User


pid_rfid_only_logon_enabled
Description Whether to allow RFID-only log on (without password) by a user who
has recently logged on using an RFID and password on the same or
another computer, if logon happens within the duration specified by
pid_rfid_only_logon_timeout_mins.
Note:
1. RFID-only logon only works if the IMS Server is online and the
user has an existing cached Wallet on the computer.
2. RFID-only logon is tied to the specific RFID card used for logon. If a
user has two RFID cards and card #1 was used to log on, the user
can use RFID-only logon only with card #1. When attempting to log on
with card #2, the user is prompted for a password.
3. For better security, use pid_wallet_cache_max_inactivity_days to
clear inactive Wallets, so that the exposure of RFID-only logon is
limited to those computers that a particular user frequently uses.
4. RFID-only logon is not supported if pid_lusm_sessions_max is
greater than 1.
5. ARFID is not applicable.
6. If both the RFID-only unlock and RFID-only logon features are enabled:
v If a logged on user locks the computer: when the user uses the
RFID to unlock the existing session, the RFID-only unlock feature
is invoked. During unlock, a password is required if the
RFID-only unlock time-out has expired.
v If no user is logged on and the computer is locked: when a user
uses the RFID to unlock the computer, the RFID-only logon
feature is invoked. During logon, a password is required if the
conditions specified in the policy for RFID-only logon are not
met.
Registry

[DO] "RfidOnlyLogonEnabled"

IMS Entry

Enable RFID-only logon?

Type

DWORD

Values

*#0: No (False)
#1: Yes (True)
(refreshed on use)

Scope

Machine


pid_rfid_only_logon_timeout_mins
Description Time expiry, in minutes, for RFID-only logon. After this duration (timed
from last logon with RFID and password), RFID-only logon will not be
allowed.
Note:
1. Effective only if pid_rfid_only_logon_enabled is enabled.
2. Timeout is refreshed upon every logon to IMS Server with an RFID
and password.
Registry
IMS Entry

Time expiry, in minutes, for RFID-only logon

Type

Non-negative integer

Values

*480
(0 to disable RFID-only logon)
(refreshed on sync)

Scope

User
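The four RFID-only policies above decide, for each tap at a lock screen, whether the password prompt appears. The function below is an added example, not product code: it combines the stated rules for pid_rfid_only_unlock_enabled, pid_rfid_only_unlock_timeout_secs, pid_rfid_only_logon_enabled and pid_rfid_only_logon_timeout_mins, including note 6 of pid_rfid_only_logon_enabled, which says which of the two features applies. The field names, the "different user" outcome (which this section hands over to pid_unlock_option) and the way the last RFID-and-password logon is recorded are assumptions made so that the example runs.

```python
"""Decision logic for RFID-only unlock versus RFID-only logon.

Added example, not product code. It restates the conditions given in the
policy notes; the data structures are assumptions, not the product's.
"""
from dataclasses import dataclass
from typing import Optional

PASSWORD_REQUIRED = "password required"
RFID_ONLY = "RFID only"


@dataclass
class RfidPolicy:
    rfid_only_unlock_enabled: bool = False
    rfid_only_unlock_timeout_secs: int = 0       # 0: never expires (default)
    rfid_only_logon_enabled: bool = False
    rfid_only_logon_timeout_mins: int = 480      # 0: RFID-only logon disabled
    lusm_sessions_max: int = 1


@dataclass
class LockedWorkstation:
    ims_online: bool
    wallet_cached: bool
    locked_by: Optional[str] = None   # AccessAgent user whose session is locked; None if nobody is logged on
    locked_at: float = 0.0            # seconds since epoch of the last lock


@dataclass
class Tap:
    user: str
    card_id: str
    now: float
    last_pw_logon_at: Optional[float] = None   # last logon with RFID + password, on any computer (assumed IMS record)
    last_pw_logon_card: Optional[str] = None   # card used for that logon


def rfid_tap_on_lock_screen(policy, ws, tap):
    """Return (path, outcome): path is 'unlock', 'logon' or 'different user'."""
    if ws.locked_by is not None:                     # a session exists: RFID-only unlock path
        if tap.user != ws.locked_by:
            return ("different user", "see pid_unlock_option")
        fresh = (policy.rfid_only_unlock_timeout_secs == 0
                 or tap.now - ws.locked_at <= policy.rfid_only_unlock_timeout_secs)
        return ("unlock", RFID_ONLY if policy.rfid_only_unlock_enabled and fresh else PASSWORD_REQUIRED)

    # Nobody logged on: RFID-only logon path. Every condition below is from the policy notes.
    allowed = (policy.rfid_only_logon_enabled
               and policy.rfid_only_logon_timeout_mins > 0
               and policy.lusm_sessions_max == 1
               and ws.ims_online and ws.wallet_cached
               and tap.last_pw_logon_at is not None
               and tap.last_pw_logon_card == tap.card_id          # tied to the card that was used
               and tap.now - tap.last_pw_logon_at <= policy.rfid_only_logon_timeout_mins * 60)
    return ("logon", RFID_ONLY if allowed else PASSWORD_REQUIRED)


if __name__ == "__main__":
    pol = RfidPolicy(rfid_only_unlock_enabled=True, rfid_only_unlock_timeout_secs=600,
                     rfid_only_logon_enabled=True)
    locked = LockedWorkstation(ims_online=True, wallet_cached=True, locked_by="alice", locked_at=1000.0)
    print(rfid_tap_on_lock_screen(pol, locked, Tap("alice", "card1", 1500.0)))
    print(rfid_tap_on_lock_screen(pol, locked, Tap("alice", "card1", 1700.0)))
```

The two timeouts are independent: the unlock timeout counts from the last lock on this computer, while the logon timeout counts from the last RFID-and-password logon anywhere and is refreshed by every such logon.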

pid_rfid_display_utility_enabled
Description Whether to display the registration status of an RFID card that does not
belong to the currently logged on user when it is tapped on desktop.
Note:
1. If the policy value is 1, the policy overrides
pid_rfid_tap_different_action. If the RFID card is registered, the
user name is displayed in a prompt.
2. This display utility only works when AccessAgent is logged on.
Registry

[DO] "RfidDisplayUtilityEnabled"

IMS Entry

Enable RFID display utility?

Type

DWORD

Values

*#0: No (False)
#1: Yes (True)
(refreshed on use)

Scope

Machine


pid_rfid_tap_different_action
Description Actions to be performed by AccessAgent when an RFID card is tapped
on the desktop and does not belong to the currently logged on user.
Note:
1. If pid_rfid_display_utility_enabled is 1, this policy is not
effective.
2. This policy is applicable even if the current user did not use RFID
to log on.
3. For policy value 8, AccessAgent does not require the new user to
tap the RFID again after logging off from Windows.
4. If pid_lusm_sessions_max is greater than 1: a policy value of 1 (Log
off Windows) logs off the desktop session of the user and shows the
computer locked screen; a policy value of 6 (Switch user) attempts to
create a user desktop session for the new user; a policy value of 8
(Log off Windows and log on as new user) logs off the desktop session
of the current user and creates a user desktop session for the new
user.
5. Switch of user is only supported for users who use the same type of
second factor.
Important: Limitation for Microsoft Windows Vista users:
v For option 8, AccessAgent logs off the current logon session without
attempting to log on again as a second user.
Registry

[DO] "RfidTapDifferentAction"

IMS Entry

Actions on tapping different RFID on desktop

Type

DWORD
Non-negative integer

Values

*#0: No action
#4: Lock computer
#5: Log off Wallet and lock computer
#6: Switch user
#8: Log off Windows and log on as new user
(refreshed on sync for user policy)
(refreshed on use for machine policy)

Scope

Machine
User


pid_rfid_tap_different_action_countdown_secs
Description Confirmation countdown duration, in seconds, for tapping a different
RFID on the desktop.
Registry

[DO] "RfidTapDifferentActionCountdownSecs"

IMS Entry

Confirmation countdown duration, in seconds, for tapping different RFID on desktop

Type

DWORD
Non-negative integer

Values

*5
(0 to disable confirmation countdown: set to this value only when RFID
tap different action is 6, to prevent accidental double detection of RFID
tap)
(refreshed on sync for user policy)
(refreshed on use for machine policy)

Scope

Machine
User

Active Proximity Badge policies


pid_arfid_presentation_range_max
Description Maximum range for recognizing that an active proximity badge is
presented.
Registry

[DO] "ArfidPresentationRangeMax"

IMS Entry

Maximum range for recognizing that an active proximity badge is presented

Type

Positive integer

Values

*3
(from 1 to 16)
(should be at least 3 less than pid_arfid_removal_range_min; the preset
pairs are 3/7 for near, 5/9 for medium, 7/13 for far)
(refreshed on use)

Scope

Machine
System


pid_arfid_removal_range_min
Description Minimum range for recognizing that an active proximity badge is
removed.
Registry

[DO] "ArfidRemovalRangeMin"

IMS Entry

Minimum range for recognizing that an active proximity badge is removed

Type

Positive integer

Values

*7
(from 4 to 19)
(should be at least pid_arfid_presentation_range_max + 3; the preset
pairs are 3/7 for near, 5/9 for medium, 7/13 for far)
(refreshed on use)

Scope

Machine
System
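Many of the notes in the Lock, Lock/Unlock, RFID and Active Proximity Badge sections describe one policy silently disabling or weakening another. The audit below is an added example, not product tooling: it takes a plain dict of policy id to value, such as you would assemble from a registry export of the [DO] values or from the IMS Server, and reports every documented interaction it finds. Every rule restates a note from this chapter (the EnGINA app launch running as System, pid_lock_option 2 versus the unlock script and pid_unlock_option, the LUSM restrictions, a zero RFID-only unlock timeout, zero tap countdowns, pid_sc_win_logon_enabled needing pid_engina_ui_enabled, and the Active Proximity Badge range pairing). The dict keys, the default values assumed for absent keys, and the sample configurations are constructed for the example.

```python
"""Cross-policy consistency audit for an AccessAgent policy set.

Added example, not product tooling. Input is a dict of policy id -> value;
each rule restates an interaction documented in this chapter. Defaults used
for absent keys are the documented defaults.
"""


def audit_accessagent_policies(p):
    """Return a list of (policy_id, finding) tuples; an empty list means no rule fired."""
    g = p.get
    out = []
    lusm = g("pid_lusm_sessions_max", 1)
    lock_opt = g("pid_lock_option", 1)

    if lusm > 1:   # Local User Session Management restrictions
        if lock_opt == 2:
            out.append(("pid_lock_option", "only EnGINA screen lock (1) is supported when pid_lusm_sessions_max > 1"))
        if g("pid_engina_bypass_hot_key_enabled"):
            out.append(("pid_engina_bypass_hot_key_enabled", "not effective when pid_lusm_sessions_max > 1"))
        if g("pid_rfid_only_logon_enabled"):
            out.append(("pid_rfid_only_logon_enabled", "RFID-only logon is not supported when pid_lusm_sessions_max > 1"))
        if "pid_unlock_option" in p:
            out.append(("pid_unlock_option", "effective only when pid_lusm_sessions_max is 1"))

    if lock_opt == 2:   # transparent screen lock
        out.append(("pid_lock_option", "transparent screen lock: pid_unlock_option is ignored, any user can unlock"))
        if g("pid_script_unlock_enabled"):
            out.append(("pid_script_unlock_enabled", "unlock script is not supported with transparent screen lock"))
        if g("pid_desktop_inactivity_action", 0) != 4:
            out.append(("pid_desktop_inactivity_action",
                        "set to 4 (Lock computer) when pid_lock_option is 2; other actions still fire behind the lock"))

    if g("pid_engina_app_launch_enabled"):
        out.append(("pid_engina_app_launch_cmd",
                    "runs as System when launched from the welcome screen; review the command: %r"
                    % g("pid_engina_app_launch_cmd", "")))

    if g("pid_rfid_only_unlock_enabled") and g("pid_rfid_only_unlock_timeout_secs", 0) == 0:
        out.append(("pid_rfid_only_unlock_timeout_secs", "0 disables expiry: RFID-only unlock of a locked session never times out"))

    if g("pid_rfid_tap_same_action_countdown_secs", 5) == 0:
        out.append(("pid_rfid_tap_same_action_countdown_secs", "0 disables the countdown; the guide advises against it (double detection)"))
    if g("pid_rfid_tap_different_action_countdown_secs", 5) == 0 and g("pid_rfid_tap_different_action", 0) != 6:
        out.append(("pid_rfid_tap_different_action_countdown_secs", "0 is only advised when the tap-different action is 6 (Switch user)"))

    if g("pid_sc_win_logon_enabled") and not g("pid_engina_ui_enabled", True):
        out.append(("pid_sc_win_logon_enabled", "applicable only when pid_engina_ui_enabled is set"))

    pres, rem = g("pid_arfid_presentation_range_max"), g("pid_arfid_removal_range_min")
    if pres is not None and rem is not None:   # preset pairs in the guide: 3/7, 5/9, 7/13
        if not (1 <= pres <= 16) or not (4 <= rem <= 19):
            out.append(("pid_arfid_*_range", "presentation max must be 1..16 and removal min 4..19"))
        elif rem < pres + 3:
            out.append(("pid_arfid_removal_range_min", f"should be at least presentation max + 3 (got {rem}, max {pres})"))
    return out


if __name__ == "__main__":
    # Constructed sample configuration, not taken from a real deployment.
    sample = {"pid_lock_option": 2, "pid_script_unlock_enabled": True, "pid_desktop_inactivity_action": 1,
              "pid_engina_app_launch_enabled": 1, "pid_engina_app_launch_cmd": "C:\\tools\\helpdesk.exe",
              "pid_rfid_only_unlock_enabled": 1, "pid_rfid_only_unlock_timeout_secs": 0}
    for policy_id, finding in audit_accessagent_policies(sample):
        print(f"{policy_id}: {finding}")
```

The audit deliberately reports the transparent lock itself as a finding: it is a legitimate choice for shared clinical or kiosk workstations, but it should never appear in a policy set by accident.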

Fingerprint policies
pid_fingerprint_tap_same_action
Description Actions to be performed by AccessAgent when the currently logged on
user places a finger on the reader.
Note:
1. This policy is not applicable if the user did not log on using a
fingerprint.
2. Currently, this policy is supported only if pid_lusm_sessions_max is
1. In future versions, if pid_lusm_sessions_max is greater than 1, a
policy value of 1 (Log off Windows) will log off the desktop session
of the user and show the computer locked screen.
Registry

[DO] "FingerprintTapSameAction"

IMS Entry

Actions on tapping same finger on desktop

Type

DWORD
Non-negative integer

Values

*#0: No action
#1: Log off Windows
#2: Log off Wallet
#4: Lock computer
#5: Log off Wallet and lock computer
(refreshed on sync for user policy)
(refreshed on use for machine policy)

Scope

Machine
User

pid_fingerprint_tap_same_action_countdown_secs
Description Confirmation countdown duration, in seconds, for placing the same
finger on the fingerprint reader.
Registry

[DO] "FingerprintTapSameActionCountdownSecs"

IMS Entry

Confirmation countdown duration, in seconds, for tapping same finger on desktop

Type

DWORD
Non-negative integer

Values

*5
(0 to disable confirmation countdown: do not set to this value, to
prevent accidental double detection of a finger tap)
(refreshed on sync for user policy)
(refreshed on use for machine policy)

Scope

Machine
User


pid_fingerprint_tap_different_action
Description Actions to be performed by AccessAgent when a finger is tapped on
desktop and does not belong to the currently logged on user.
Note:
1. This policy is applicable even if the current user did not use a
fingerprint to log on.
2. For policy value 8, AccessAgent does not require the new user to
present the finger again after logging off from Windows.
3. This policy is supported only if pid_lusm_sessions_max is 1. In
future versions, if pid_lusm_sessions_max is greater than 1, a policy
value of 1 (Log off Windows) logs off the desktop session of the user
and shows the computer locked screen; a policy value of 6 (Switch
user) attempts to create a user desktop session for the new user; a
policy value of 8 (Log off Windows and log on as new user) logs off
the desktop session of the current user and creates a user desktop
session for the new user.
Important: Limitation for Microsoft Windows Vista users:
v For option 8, AccessAgent logs off the current logon session without
attempting to log on again as a second user.
Registry

[DO] "FingerprintTapDifferentAction"

IMS Entry

Actions on tapping different finger on desktop

Type

DWORD
Non-negative integer

Values

*#0: No action
#4: Lock computer
#5: Log off Wallet and lock computer
#6: Switch user
#8: Log off Windows and log on as new user
(refreshed on sync for user policy)
(refreshed on use for machine policy)

Scope

Machine
User

pid_fingerprint_tap_different_action_countdown_secs
Description Confirmation countdown duration, in seconds, for placing a different
finger on the fingerprint reader.

Registry

[DO] "FingerprintTapDifferentActionCountdownSecs"

IMS Entry

Confirmation countdown duration, in seconds, for tapping different finger on desktop

Type

DWORD
Non-negative integer

Values

*5
(0 to disable confirmation countdown: set to this value only when
fingerprint tap different action is 6, to prevent accidental double
detection of finger tap)
(refreshed on sync for user policy)
(refreshed on use for machine policy)

Scope

Machine
User

pid_fingerprint_registration_max
Description Maximum number of fingerprints that each user is allowed to register.
Note: If the value of this policy is reduced, a user who has already
registered more fingerprints than allowed by the new policy value is
allowed to log on with any of the fingerprints that have been
registered. However, if attempting to register a new fingerprint, an
existing fingerprint has to be replaced. The user cannot increase the
number of fingerprints registered.
Registry
IMS Entry

Maximum number of fingerprints that can be registered per user

Type

Positive integer

Values

(from 1 to 10)
(refreshed on sync)

Scope

System

Terminal Server/Roaming session policies

pid_machine_type_ts
Description: Whether the machine is a Terminal Server or Citrix server.
Note:
1. This policy must be set to 1 on the remote AccessAgent (such as on the Terminal Server or Citrix server).
2. If this policy is 1, AccessAgent behaves as a remote AccessAgent:
   • It synchronizes itself with the local AccessAgent.
   • The second factors supported list is not effective. It is treated as an empty list.
   • Lock computer options from the WNA and AccessAgent UI are disabled if logon to the remote AccessAgent is performed using credentials submitted by the local AccessAgent.
   • It uses the Terminal Service second factor bypass option to determine its behavior when the authentication policy of the user requires a second factor for logon.
3. The following combinations of policy settings are not supported (behavior is unpredictable):
   • policy value 0 on a Terminal Server or Citrix server installation
   • policy value 1 on a client machine installation.
Modifying this policy requires a machine restart to implement the changes.
Registry: [DO] "MachineTypeTS"
IMS Entry: (none)
Type: DWORD
Values:
#1: Machine is Terminal Server
*#0: Machine is not Terminal Server
(refreshed on startup)
Scope: Machine

pid_ts_logon_prompt_enabled
Description: Whether to launch the AccessAgent logon dialog if AccessAgent is not logged on while a Terminal Server session or Citrix application is launched.
Note: This policy must be set on the remote AccessAgent (such as on the Terminal Server or Citrix server).
Registry: [DO] "TSLogonPromptEnabled"
IMS Entry: Enable auto-launching of AccessAgent log on prompt?
Type: DWORD
Values:
#True
*#False
*#0: No
#1: Yes
(refreshed on use)
Scope: Machine

pid_ts_logon_cache_enabled
Description: Whether to cache the Wallet logon credentials in the AD roaming profile so that AccessAgent can automatically log on to the Wallet.
Note: This policy must be set on the remote AccessAgent (such as on the Terminal Server or Citrix server).
Registry: [DO] "TSLogonCacheEnabled"
IMS Entry: Enable caching of Wallet log on credentials?
Type: DWORD
Values:
#True
*#False
*#0: No
#1: Yes
(refreshed on use)
Scope: Machine

pid_ts_lock_local_computer_action
Description: Option to disconnect the Terminal Server or Citrix session, or log off the remote AccessAgent, while locking the local computer.
Registry: (none)
IMS Entry: Actions on remote session while locking local computer
Type: Non-negative integer
Values:
*#0: No action
#1: Disconnect remote session
#2: Log off remote AccessAgent and disconnect remote session
#3: Log off remote session
#4: Log off remote AccessAgent
(refreshed on sync)
Scope: User

pid_ts_logoff_local_session_action
Description: Option to disconnect the Terminal Server or Citrix session, or log off from the remote AccessAgent, before logging off from the local AccessAgent.
Registry: (none)
IMS Entry: Actions on remote session before logging off local session
Type: Non-negative integer
Values:
#0: No action
#1: Disconnect remote session
*#2: Log off remote AccessAgent and disconnect remote session
#3: Log off remote session
#4: Log off remote AccessAgent
(refreshed on sync)
Scope: User

pid_ts_engina_logon_no_local_session_enabled
Description: Whether to use EnGINA logon or Microsoft GINA logon for the Terminal Server session when there is no local AccessAgent session.
Note:
1. This policy must be set on the remote AccessAgent (such as on the Terminal Server or Citrix server).
2. Set the policy to 0 on Citrix servers.
Registry: [DO] "TSEnginaLogonNoLocalSessionEnabled"
IMS Entry: Use EnGINA log on when there is no local AccessAgent session?
Type: DWORD
Values:
#True
*#False
*#0: No
#1: Yes
(refreshed on use)
Scope: Machine

pid_ts_logoff_on_reconnect_no_local_session_enabled
Description: Whether to log off the remote AccessAgent when the user, with no local AccessAgent session, reconnects to an existing session on a Terminal Server or Citrix server.
Note:
1. This policy must be set on the remote AccessAgent (such as on the Terminal Server or Citrix server).
2. This policy is effective only if there is no local AccessAgent session on the client machine of the user.
3. Set the policy to 1 if users use a generic Windows account to log on to the remote session. Logging off the remote AccessAgent ensures that the next user cannot use the Wallet and applications of the previous user.
4. The typical logoff actions (auto-logoff of applications and running of the logoff script) are performed when the remote AccessAgent is logged off.
5. If pid_ts_logon_prompt_enabled is set to 1, the remote AccessAgent prompts the user to log on after the previous user has been logged off.
Registry: [DO] "TSLogoffOnReconnectNoLocalSessionEnabled"
IMS Entry: Log off remote AccessAgent when reconnecting from workstation without local AccessAgent session?
Type: DWORD
Values:
#True
*#False
*#0: No
#1: Yes
(refreshed on use)
Scope: Machine

pid_ts_delay_app_launch_exe_list
Description: The list of applications whose launch is delayed until the remote AccessAgent is ready to perform automatic sign-on.
Note:
1. This policy must be set on the remote AccessAgent (such as on the Citrix server).
2. Effective only if pid_ts_delay_app_launch_enabled is enabled.
3. Each application must be indicated by its executable name (for example, notepad.exe).
4. This feature is not supported in AccessAdmin. To enable this feature, edit the values manually in the Windows registry.
Registry: [DO] "TSDelayAppLaunchExeList"
IMS Entry: (none)
Type: MULTI_SZ
Values:
(refreshed on use)
Scope: Machine

pid_ts_delay_app_launch_enabled
Description: Whether to enable the delaying of application launch for a Citrix server.
Note:
1. This feature is only applicable to Citrix. It is not applicable to Terminal Server access using RDP.
2. This policy must be set on the remote AccessAgent (such as on the Citrix server).
3. If this feature is not enabled for an application, the user might see the logon prompt of the application before the remote AccessAgent is ready to perform automatic sign-on, which might confuse the user. Enabling this feature for an application ensures that the remote AccessAgent is ready to perform automatic sign-on when the user sees the logon prompt.
4. This feature is only applicable to a local AccessAgent automatically logging on to the remote AccessAgent. If there is no local AccessAgent, or the local AccessAgent is not logged on, application launch is not delayed even if this feature is enabled.
5. This feature is not supported in AccessAdmin. To enable this feature, edit the values manually in the Windows registry.
Registry: [DO] "TSDelayAppLaunchEnabled"
IMS Entry: (none)
Type: DWORD
Values:
#True
*#False
#1: Yes
*#0: No
(refreshed on use)
Scope: Machine

pid_ts_start_aa_no_local_aa_enabled
Description: Whether to start the remote AccessAgent when a published application is launched through Terminal Server or Citrix and no local AccessAgent is present.
Note:
1. This policy must be set on the remote AccessAgent (such as on the Terminal Server or Citrix server).
2. This policy only applies to the launching of published applications. If a remote desktop is launched, the remote AccessAgent is always started.
3. For policy value 0, users cannot log on to the remote AccessAgent from machines that do not have a local AccessAgent installed (for example, at home or in an Internet café).
Registry: [DO] "TSStartAANoLocalAAEnabled"
IMS Entry: Launch remote AccessAgent even if local AccessAgent is not present?
Type: DWORD
Values:
*#True
#False
#0: No
*#1: Yes
(refreshed on use)
Scope: Machine

pid_ts_delay_app_launch_timeout_secs
Description: Timeout, in seconds, for the delaying of application launch.
Note:
1. This policy must be set on the remote AccessAgent (such as on the Citrix server).
2. Effective only if pid_ts_delay_app_launch_enabled is enabled.
3. The remote AccessAgent first waits for a connection to be established with a local AccessAgent. If the connection is not established within the timeout duration, the application proceeds to launch.
4. If a local AccessAgent manages to establish a connection with the remote AccessAgent, the remote AccessAgent waits for another timeout period for automatic sign-on to be ready. If the remote AccessAgent is not ready for automatic sign-on within the timeout duration, the application proceeds to launch.
5. The user might have to wait up to two times the timeout duration if the local AccessAgent manages to establish a connection with the remote AccessAgent just before the first timeout duration lapses.
6. This feature is not supported in AccessAdmin. To enable this feature, edit the values manually in the Windows registry.
Registry: [DO] "TSDelayAppLaunchTimeoutSecs"
IMS Entry: (none)
Type: DWORD
Values:
*10
(refreshed on use)
Scope: Machine

pid_ts_aa_menu_option
Description: Whether to display menu options on the AccessAdmin user interface in a Terminal Server or Citrix session.
Note:
1. If the policy value is 1, only Remote session information is displayed when there is a local AccessAdmin session. Full menu options are displayed when there is no local AccessAdmin session. The same applies to the right-click menu options of the AccessAdmin icon in the Windows notification area.
2. If the policy value is 2, all menu options are displayed except for Lock this computer when there is a local AccessAdmin session. Full menu options are displayed when there is no local AccessAdmin session. The same applies to the right-click menu options of the AccessAdmin icon in the Windows notification area. Use this option for Roaming Desktop configurations.
Registry: [DO] "TSAaMenuOption"
IMS Entry: Option for displaying menu options on remote AccessAdmin
Type: DWORD
Values:
*#1: Display menu options only if there is no local AccessAdmin session
#2: Always display all menu options
Scope: Machine

pid_com_redir_enabled
Description: Whether the device monitoring mechanism must perform COM port redirection from the client machine (connecting to the Terminal Server) to the Terminal Server.
Note:
1. If enabled for AccessAgent on a Terminal Server or Citrix server, authentication devices on remote client machines (for example, thin clients where no AccessAgent is installed) can be monitored. AccessAgent maps a virtual COM port (pid_com_redir_local_virtual_port) on the Terminal Server or Citrix server to a physical COM port (pid_com_redir_remote_physical_port) on the remote client.
2. Modifying this policy requires a machine restart to implement the changes.
Registry: [DO] "ComRedirEnabled"
IMS Entry: Enable COM port redirection?
Type: DWORD
Values:
#True
*#False
*#0: No
#1: Yes
(refreshed on startup)
Scope: Machine

pid_com_redir_local_virtual_port
Description: Virtual COM port on the Terminal Server to which data from the client COM port is redirected.
Note: Effective only if pid_com_redir_enabled is 1.
Registry: [DO] "ComRedirLocalVirtualPort"
IMS Entry: Virtual COM port on Terminal Server
Type: DWORD
Values:
*1
(from 1 to 8)
(refreshed on startup)
Scope: Machine

pid_com_redir_remote_physical_port
Description: Physical COM port on the client to which the authentication device (for example, an RFID reader) is connected. The redirection takes place from this port to the virtual COM port of the Terminal Server.
Note:
1. Effective only if pid_com_redir_enabled is 1.
2. Modifying this policy requires a machine restart to implement the changes.
Registry: [DO] "ComRedirRemotePhysicalPort"
IMS Entry: Physical COM port on client machine
Type: DWORD
Values:
*1
(min 1)
(refreshed on startup)
Scope: Machine

Log on/Log off policies

pid_script_logon_enabled
Description: Whether to enable the running of a logon script during user logon.
Registry: (none)
IMS Entry: Enable logon script during user logon?
Type: Boolean
Values:
#True
*#False
(refreshed on sync)
Scope: User

pid_script_logon_type
Description: Type of logon script to run.
Note: Effective only if script logon is enabled.
Registry: (none)
IMS Entry: Logon script type
Type: Positive integer
Values:
*#1: Batch
#2: VBScript
(refreshed on sync)
Scope: User

pid_script_logon_code
Description: Source code of the logon script to run.
Note: Effective only if script logon is enabled.
Registry: (none)
IMS Entry: Logon script code
Type: String
Values:
(refreshed on sync)
Scope: User

pid_script_logoff_enabled
Description: Whether to enable the running of a logoff script during user logoff.
Registry: (none)
IMS Entry: Enable logoff script during user logoff?
Type: Boolean
Values:
#True
*#False
(refreshed on sync)
Scope: User

pid_script_logoff_type
Description: Type of logoff script to run.
Note: Effective only if script logoff is enabled.
Registry: (none)
IMS Entry: Logoff script type
Type: Positive integer
Values:
*#1: Batch
#2: VBScript
(refreshed on sync)
Scope: User

pid_script_logoff_code
Description: Source code of the logoff script to run.
Note: Effective only if script logoff is enabled.
Registry: (none)
IMS Entry: Logoff script code
Type: String
Values:
(refreshed on sync)
Scope: User

pid_logoff_manual_enabled
Description: Whether to allow the user to manually log off from AccessAgent.
Note: If this policy is disabled, the Log off AccessAgent option does not appear in any part of the AccessAgent UI.
Registry: [DO] "LogoffManualEnabled"
IMS Entry: Allow user to manually log off AccessAgent?
Type: DWORD, Boolean
Values:
#0: No
*#1: Yes
*#True
#False
(refreshed on sync)
Scope: Machine, User

pid_logoff_manual_action
Description: Actions to be performed by AccessAgent on manual logoff by the user.
Note:
1. Effective when a user manually logs off from the Wallet from a desktop or transparent screen lock.
2. If pid_lusm_sessions_max is greater than 1, AccessAgent with policy value 1 (Log off Windows) logs off the desktop session of the user and shows the computer locked screen. Use this policy value for Local User Session Management. If the policy value is 2, AccessAgent is logged off. However, the user cannot log on to AccessAgent unless Ctrl-Alt-Del is pressed to log on from the Windows security dialog replaced by Tivoli Access Manager for Enterprise Single Sign-On.
Registry: [DO] "LogoffManualAction"
IMS Entry: Actions on manual logoff by user
Type: DWORD, Positive integer
Values:
#1: Log off Windows
*#2: Log off Wallet
#4: Log off Wallet and lock computer
(refreshed on sync for user policy)
(refreshed on use for machine policy)
Scope: Machine, User

pid_logoff_manual_action_countdown_secs
Description: Confirmation countdown duration, in seconds, for manual logoff by a user.
Note:
1. Effective when the user manually logs off from the Wallet from a desktop or locked computer window.
2. If the policy value is not zero, the user has to click the prompt to confirm logoff. If the user does not confirm, AccessAgent does not proceed with the logoff.
Registry: [DO] "LogoffManualActionCountdownSecs"
IMS Entry: Confirmation countdown duration, in seconds, for manual logoff by user
Type: DWORD, Non-negative integer
Values:
*30
(0 to disable confirmation countdown)
(refreshed on sync for user policy)
(refreshed on use for machine policy)
Scope: Machine, User

pid_en_network_provider_enabled
Description: Whether to enable the Encentuate Network Provider (EnNetworkProvider).
Note:
1. Second factor authentication is not supported by this feature.
2. Effective only if EnNetworkProvider has been installed by the AccessAgent installer.
3. If enabled, AccessAgent attempts to automatically log on to itself using the credentials provided at Microsoft GINA. It works with the Active Directory password synchronization feature so that the same password can be used to log on to Windows as well as AccessAgent.
Registry: [DO] "EnNetworkProviderEnabled"
IMS Entry: Enable Encentuate Network Provider?
Type: DWORD
Values:
#True
*#False
*#0: No
#1: Yes
(refreshed on use)
Scope: Machine

pid_logon_user_name_prefill_option
Description: Option for pre-filling the Tivoli Access Manager for Enterprise Single Sign-On log on prompt with a user name.
Note:
1. Set this policy to 0 for shared desktops with many users.
2. Set this policy to 1 for personal desktops or shared desktops with few users.
3. Set this policy to 2 for Terminal Server or Citrix Server. For policy value 2 to work properly, the following Microsoft registry value must be set to 0:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] "dontdisplaylastusername"
Registry: [DO] "LogonUserNamePrefillOption"
IMS Entry: User name pre-fill option
Type: DWORD
Values:
#0: Do not pre-fill
*#1: Pre-fill with last logged on user name
#2: Pre-fill with currently logged on Windows user name
(refreshed on use)
Scope: Machine

pid_logoff_app_timeout_secs
Description: Timeout, in seconds, for logging off from applications.
Note:
1. When AccessAgent logs off from a Wallet (during manual logoff or switch user), applications might be logged off, depending on configuration. This policy specifies a configurable timeout for logging off applications.
2. If an application is not successfully terminated by its AccessProfile after the timeout, it can be forced to terminate by setting the Terminate on time-out and time-out attributes of the gen_sign_out_trigger appropriately.
Registry: [DO] "LogoffAppTimeoutSecs"
IMS Entry: Timeout, in seconds, for application logoff
Type: DWORD
Values:
*5
(from 0 to 60)
(refreshed on use)
Scope: Machine

pid_wallet_logoff_action_for_apps_default
Description: Default action to take for all applications when a user logs off from AccessAgent.
Note:
1. If the policy value is 1, AccessAgent attempts to log off all instances of applications. The AccessProfile for each application must contain a logoff action; otherwise the application logoff is not performed.
2. If the policy value is 2, AccessAgent closes all instances of applications that are monitored by AccessAgent. All applications that have AccessProfiles are monitored, regardless of whether AccessAgent is used to log on to the application.
3. This policy is effective whenever a user is logged off from AccessAgent, for example, during a switch user operation.
Registry: (none)
IMS Entry: Default action for applications, when user logs off AccessAgent
Type: Positive integer
Values:
#1: Log off the application
#2: Close the application
*#3: Do nothing
(refreshed on sync)
Scope: System

pid_ad_verification_on_logon_option
Description: Option for verifying AD credentials when logging on to AccessAgent.
Note:
1. Effective only if pid_enc_pwd_is_ad_pwd_enabled is True.
2. AD verification involves checking with the AD server whether:
   • the account is disabled
   • the account has expired
   • the password has expired
   • the password is correct
3. For policy value 1, AccessAgent always performs an AD verification. If AD verification fails, the user is not allowed to log on.
4. For policy value 2, AccessAgent performs AD verification only if the AD server can be contacted over the network. If not, AccessAgent allows the user to log on without verifying with the AD server.
Registry: [DO] "ADVerificationOnLogonOption"
IMS Entry: (none)
Type: DWORD
Values:
#0: Do not verify
#1: Always verify
*#2: Verify if AD server is contactable
(refreshed on use)
Scope: Machine

Tivoli Access Manager for Enterprise Single Sign-On Hot Key policies

pid_enc_hot_key_enabled
Description: Whether the Tivoli Access Manager for Enterprise Single Sign-On Hot Key is enabled.
Note:
1. At EnGINA, the Hot Key brings the user to the logon screen.
2. At the locked screen, the Hot Key brings the user to the unlock screen.
3. At the desktop, if AccessAgent is not logged on, the Hot Key launches the log on screen.
4. At the desktop, if AccessAgent is logged on, the behavior of the Hot Key is defined by the Tivoli Access Manager for Enterprise Single Sign-On Hot Key action.
Registry: [DO] "EncHotKeyEnabled"
IMS Entry: Enable Hot Key?
Type: DWORD, Boolean
Values:
*#1: Yes
#0: No
*#True
#False
(refreshed on startup)
Scope: Machine, System

pid_enc_hot_key_action_countdown_secs
Description: Confirmation countdown duration, in seconds, for pressing the Tivoli Access Manager for Enterprise Single Sign-On Hot Key.
Note:
1. Effective only if pid_enc_hot_key_enabled is enabled.
2. Effective only if the Tivoli Access Manager for Enterprise Single Sign-On Hot Key is pressed while AccessAgent is logged on and the computer is not locked.
Registry: [DO] "EncHotKeyActionCountdownSecs"
IMS Entry: Confirmation countdown duration, in seconds, for pressing TAM E-SSO Hot Key
Type: DWORD, Non-negative integer
Values:
*5
(0 to disable confirmation countdown)
(refreshed on sync for system policy)
(refreshed on use for machine policy)
Scope: Machine, System

pid_enc_hot_key_sequence
Description: The Tivoli Access Manager for Enterprise Single Sign-On Hot Key sequence.
Note:
1. Effective only if pid_enc_hot_key_enabled is enabled.
2. Modifying this policy requires a machine restart to implement the changes.
Registry: [DO] "EncHotKeySequence"
IMS Entry: TAM E-SSO Hot Key sequence
Type: MULTI_SZ, String list
Values:
*#Ctrl
*#Alt
*#E
(max 3 keys from the set: Ctrl, Shift, Alt, Ins, Del, Home, End, PgUp, PgDn, Break, E)
(2 of the keys should come from this subset so that the probability of conflict with other applications is minimized: Ctrl, Shift, Alt)
(refreshed on startup)
Scope: Machine, System

pid_enc_hot_key_not_logged_on_action
Description: Actions to be performed by AccessAgent if the Tivoli Access Manager for Enterprise Single Sign-On Hot Key is pressed at the desktop while AccessAgent is not logged on.
Note:
1. Effective only if pid_enc_hot_key_enabled is enabled.
2. Effective only if the Tivoli Access Manager for Enterprise Single Sign-On Hot Key is pressed while AccessAgent is logged on and the computer is not locked.
3. If pid_lusm_sessions_max is greater than 1, AccessAgent with policy value 1 (Log off Windows) logs off the desktop session of the user and shows the computer locked screen. However, if the desktop is the default desktop, whether it can be logged off is determined by pid_lusm_default_desktop_preserved_enabled.
Registry: [DO] "EncHotKeyNotLoggedOnAction"
IMS Entry: Tivoli Access Manager for Enterprise Single Sign-On Hot Key press actions at desktop when AccessAgent is not logged on
Type: DWORD, Non-negative integer
Values:
#0: No action
#1: Log off Windows
#4: Lock computer
*#9: Launch AccessAgent window
(refreshed on sync for system policy)
(refreshed on use for machine policy)
Scope: Machine, System

pid_enc_hot_key_action
Description: Actions to be performed by AccessAgent if the Tivoli Access Manager for Enterprise Single Sign-On Hot Key is pressed at the desktop while AccessAgent is logged on.
Note:
1. Effective only if pid_enc_hot_key_enabled is enabled.
2. Effective only if the Tivoli Access Manager for Enterprise Single Sign-On Hot Key is pressed at the desktop while AccessAgent is logged on.
3. If pid_lusm_sessions_max is greater than 1, AccessAgent with policy value 1 (Log off Windows) logs off the desktop session of the user and shows the computer locked screen.
Registry: [DO] "EncHotKeyAction"
IMS Entry: Tivoli Access Manager for Enterprise Single Sign-On Hot Key press actions at desktop when AccessAgent is logged on
Type: DWORD, Non-negative integer
Values:
#0: No action
#1: Log off Windows
#2: Log off Wallet
#4: Lock computer
#5: Log off Wallet and lock computer
*#9: Launch AccessAgent window
(refreshed on sync for system policy)
(refreshed on use for machine policy)
Scope: Machine, System

Emergency Hot Key policies

pid_emergency_hot_key_enabled
Description: Whether the Emergency Hot Key is enabled.
Note:
1. If the user presses this Hot Key at the computer locked screen, AccessAgent unlocks the computer without any credentials but logs off AccessAgent, if logged on.
2. To use the Emergency Hot Key, the unlock option must be set to 3.
3. The use of the Emergency Hot Key is subject to proper behavior of auto-logoff from applications.
Registry: [DO] "EmergencyHotKeyEnabled"
IMS Entry: Enable Emergency Hot Key?
Type: DWORD, Boolean
Values:
#1: Yes
*#0: No
#True
*#False
(refreshed on startup)
Scope: Machine, System

pid_emergency_hot_key_sequence
Description: The Emergency Hot Key sequence.
Note:
1. Effective only if the Emergency Hot Key is enabled.
2. Modifying this policy requires a machine restart to implement the changes.
Important: Emergency bypass unlock is not supported in Microsoft Windows Vista.
Registry: [DO] "EmergencyHotKeySequence"
IMS Entry: Emergency Hot Key sequence
Type: MULTI_SZ, String list
Values:
*#Ctrl
*#Alt
*#End
(max 3 keys from the set: Ctrl, Shift, Alt, Ins, Del, Home, End, PgUp, PgDn, Break, E)
(2 of the keys should come from this subset so that the probability of conflict with other applications is minimized: Ctrl, Shift, Alt)
(refreshed on startup)
Scope: Machine, System

Presence detector policies

pid_presence_detector_enabled
Description: Whether the presence detector is enabled.
Note:
1. This policy does not automatically enable or disable the third-party presence detector hardware and software.
2. Modifying this policy requires a machine restart to implement the changes.
Registry: [DO] "PresenceDetectorEnabled"
IMS Entry: Enable presence detector?
Type: DWORD, Boolean
Values:
#1: Yes
*#0: No
#True
*#False
(refreshed on startup)
Scope: Machine, System

pid_presence_detector_walk_away_key_sequence
Description: The key sequence that the presence detector sends when a user walks away from it.
Note:
1. Effective only if pid_presence_detector_enabled is enabled.
2. The same key sequence must be configured on the presence detector by using the vendor software. For RF IDeas pcProx-Sonar, configure the Walkaway Keystrokes using the pcProx-Sonar Configuration Utility.
3. Modifying this policy requires a machine restart to implement the changes.
Registry: [DO] "PresenceDetectorWalkAwayKeySequence"
IMS Entry: Key sequence sent by presence detector when user walks away
Type: MULTI_SZ, String list
Values:
*#Ctrl
*#Alt
*#PgDn
(max 3 keys from the set: Ctrl, Shift, Alt, Ins, Del, Home, End, PgUp, PgDn, Break, E)
(2 of the keys should come from this subset so that the probability of conflict with other applications is minimized: Ctrl, Shift, Alt)
(refreshed on startup)
Scope: Machine, System

pid_presence_detector_walk_away_action
Description: Actions to be performed by AccessAgent when the presence detector detects a user walking away while no user is logged on.
Note:
1. Effective only if pid_presence_detector_enabled is enabled.
2. This is supported only if pid_lusm_sessions_max is 1. In future versions, if pid_lusm_sessions_max is greater than 1, AccessAgent with a policy value of 1 (Log off Windows) logs off the desktop session of the user and shows the computer locked screen.
Registry: [DO] "PresenceDetectorWalkAwayAction"
IMS Entry: Actions performed by AccessAgent when presence detector detects user walking away while no user is logged on
Type: DWORD, Non-negative integer
Values:
#0: No action
#1: Log off Windows
#2: Log off Wallet
*#4: Lock computer
#5: Log off Wallet and lock computer
(refreshed on sync for system policy)
(refreshed on use for machine policy)
Scope: Machine, System

pid_presence_detector_walk_away_action_countdown_secs
Description: Confirmation countdown duration, in seconds, when the presence detector detects a user walking away.
Note: Effective only if pid_presence_detector_enabled is enabled.
Registry: [DO] "PresenceDetectorWalkAwayActionCountdownSecs"
IMS Entry: Confirmation countdown duration, in seconds, when presence detector detects user walking away
Type: DWORD, Non-negative integer
Values:
*5
(0 to disable confirmation countdown)
(refreshed on sync for system policy)
(refreshed on use for machine policy)
Scope: Machine, System

pid_audit_log_by_aa_enabled
Description: Whether to enable audit logging by AccessAgent.
Registry: [DO] "AuditLogByAAEnabled"
IMS Entry: Enable audit logging by AccessAgent?
Type: DWORD
Values:
#0: No
*#1: Yes
(refreshed on sync)
Scope: Machine
Note: You cannot use the pid_machine_policy_override_enabled policy to override the pid_audit_log_by_aa_enabled policy.

pid_memory_reduction_freq_secs
Description: Interval, in seconds, for periodic calls to reduce the physical memory used by various AccessAgent components.
Note:
1. A policy value of 0 means that this feature is disabled.
2. Modifying this policy requires a machine restart to implement the changes.
Registry: [DO] "MemoryReductionFreqSecs"
IMS Entry: (none)
Type: DWORD
Values:
*0
(refreshed on startup)
Scope: Machine

Chapter 24. Configurable text policies

The values in configurable text policies are stored in multiple languages, depending on the language specified by the user during AccessAgent installation.
See the following sets of configurable text policies:
• EnGINA text policies
• Unlock text policies on page 149
• RFID text policies on page 159
• Sign up text policies on page 159
• AccessAssistant and Web Workplace text policies on page 160

EnGINA text policies

pid_engina_welcome_text
Description: Configurable text for the EnGINA welcome message.
Note:
1. This message is displayed followed by a blank line and then the messages in one of the listed configurable text policies (depending on the list of supported second factors).
2. Consecutive strings are separated by a blank line.
3. "\n\n" can be added if more blank lines are necessary.
4. If automatic sign-up is enabled, line 2 of the message is "If you are here for the first time, click 'Log on' to get started."
5. This message is available in multiple languages. It is displayed in the language specified by the user during AccessAgent installation.
Registry: (none)
IMS Entry: Welcome message (Maximum 2 lines)
Type: String list
Values:
*#This computer is protected by TAM E-SSO AccessAgent.
*#If you are here for the first time, click 'Sign up' to get started.
(2 strings max)
(text box takes 15 lines max, about 40 chars per line)
(refreshed on sync)
Scope: System

Copyright IBM Corp. 2002, 2009

pid_engina_logon_with_pwd_text
Description: Configurable text for password logon.
Note: See pid_engina_welcome_text.
Registry:
IMS Entry: Instructions for password log on (Maximum 2 lines)
Type: String list
Values:
  *#To log on, click Log on or press Ctrl+Alt+Del.
  (2 strings max)
  (text box takes 15 lines max, about 40 chars per line)
  (refreshed on sync)
Scope: System

pid_engina_logon_with_rfid_text
Description: Configurable text for RFID logon.
Note: See pid_engina_welcome_text.
Registry:
IMS Entry: Instructions for RFID log on (Maximum 2 lines)
Type: String list
Values:
  *#To log on, tap your RFID card.
  *#If you do not have your RFID card, click Log on or press Ctrl+Alt+Del.
  (2 strings max)
  (text box takes 15 lines max, about 40 chars per line)
  (refreshed on sync)
Scope: System

pid_engina_logon_with_sc_text
Description: Configurable text for smart card logon.
Note: See pid_engina_welcome_text.
Registry:
IMS Entry: Instructions for smart card logon
Type: String list
Values:
  *#To log on, insert your smart card.
  If you have already inserted your smart card and are not prompted for a PIN, remove your smart card and insert it again, or press Ctrl+Alt+Del. If you do not have your smart card, click Log on or press Ctrl+Alt+Del.
  (2 strings max)
  (text box takes 15 lines max, about 40 chars per line)
  (refreshed on sync)
Scope: System

pid_engina_logon_with_arfid_text
Description: Configurable text for active proximity badge logon.
Note: See pid_engina_welcome_text.
Registry:
IMS Entry: Instructions for active proximity badge logon (Maximum 2 lines)
Type: String list
Values:
  *#To log on, present your active proximity badge.
  *#To log on without active proximity badge, click Log on or press Ctrl+Alt+Del.
  (2 strings max)
  (text box takes 15 lines max, about 40 chars per line)
  (refreshed on sync)
Scope: System

pid_engina_logon_with_fingerprint_text
Description: Configurable text for fingerprint logon.
Note: See pid_engina_welcome_text.
Registry:
IMS Entry: Instructions for fingerprint log on (Maximum 2 lines)
Type: String list
Values:
  *#To log on, place your registered finger on the sensor.
  *#To log on without fingerprint, click Log on or press Ctrl+Alt+Del.
  (2 strings max)
  (text box takes 15 lines max, about 40 chars per line)
  (refreshed on sync)
Scope: System

pid_engina_logon_with_fingerprint_or_rfid_text
Description: Configurable text for fingerprint or RFID logon.
Note: See pid_engina_welcome_text.
Registry:
IMS Entry: Instructions for fingerprint or RFID log on (Maximum 2 lines)
Type: String list
Values:
  *#To log on, place your registered finger on the sensor or tap your RFID card.
  *#To log on without fingerprint or RFID card, click Log on or press Ctrl+Alt+Del.
  (2 strings max)
  (text box takes 15 lines max, about 40 chars per line)
  (refreshed on sync)
Scope: System
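The composition rules in the pid_engina_welcome_text notes (welcome text, a blank line, then the logon text policy for the supported second factors, with "\n\n" adding blank lines) and the 15-line, 40-character text box can be checked before a customized message is pushed out. The following Python is an added example, not code from the guide or the product; which logon text policy is chosen for a given second-factor list is an assumption made here, and the strings and limits are the defaults quoted above.

```python
"""Compose an EnGINA logon message from the configurable text policies and
check that it fits the text box described in the guide.

Added example, not IBM's code. Which logon text policy is picked for a given
second-factor list is an assumption made here; the strings and limits are the
defaults quoted in the guide (the "*#" default markers are stripped).
"""
import textwrap

MAX_STRINGS = 2           # "(2 strings max)"
BOX_MAX_LINES = 15        # "text box takes 15 lines max"
BOX_CHARS_PER_LINE = 40   # "about 40 chars per line"

WELCOME_TEXT = [  # pid_engina_welcome_text defaults
    "This computer is protected by TAM E-SSO AccessAgent.",
    "If you are here for the first time, click 'Sign up' to get started.",
]
LOGON_TEXT = {  # pid_engina_logon_with_*_text defaults
    "pid_engina_logon_with_pwd_text": [
        "To log on, click Log on or press Ctrl+Alt+Del.",
    ],
    "pid_engina_logon_with_rfid_text": [
        "To log on, tap your RFID card.",
        "If you do not have your RFID card, click Log on or press Ctrl+Alt+Del.",
    ],
    "pid_engina_logon_with_fingerprint_text": [
        "To log on, place your registered finger on the sensor.",
        "To log on without fingerprint, click Log on or press Ctrl+Alt+Del.",
    ],
    "pid_engina_logon_with_fingerprint_or_rfid_text": [
        "To log on, place your registered finger on the sensor or tap your RFID card.",
        "To log on without fingerprint or RFID card, click Log on or press Ctrl+Alt+Del.",
    ],
}


def select_logon_policy(second_factors):
    """Assumed selection rule: the text policy that names exactly the supported factors."""
    factors = frozenset(f.lower() for f in second_factors)
    table = {
        frozenset(): "pid_engina_logon_with_pwd_text",
        frozenset({"rfid"}): "pid_engina_logon_with_rfid_text",
        frozenset({"fingerprint"}): "pid_engina_logon_with_fingerprint_text",
        frozenset({"fingerprint", "rfid"}): "pid_engina_logon_with_fingerprint_or_rfid_text",
    }
    if factors not in table:
        raise ValueError(f"no logon text policy in this example for {sorted(factors)}")
    return table[factors]


def compose_message(welcome, logon):
    """Join the strings as the guide describes: consecutive strings are separated by
    a blank line, the welcome block is followed by a blank line and then the logon
    block, and a literal backslash-n backslash-n inside a string adds blank lines."""
    for block in (welcome, logon):
        if len(block) > MAX_STRINGS:
            raise ValueError(f"{len(block)} strings given, {MAX_STRINGS} allowed")
    text = "\n\n".join(list(welcome) + list(logon))
    return text.replace("\\n\\n", "\n\n")


def box_lines(message):
    """Wrap each paragraph at the box width and return the lines the box must show."""
    lines = []
    for para in message.split("\n"):
        lines.extend(textwrap.wrap(para, BOX_CHARS_PER_LINE, break_on_hyphens=False) or [""])
    return lines


def fits_box(message):
    """True when the rendered message stays within the 15-line text box."""
    return len(box_lines(message)) <= BOX_MAX_LINES


def engina_message(second_factors, welcome=WELCOME_TEXT, logon_text=LOGON_TEXT):
    """Full EnGINA message for a machine that supports the given second factors."""
    return compose_message(welcome, logon_text[select_logon_policy(second_factors)])


if __name__ == "__main__":
    msg = engina_message(["rfid", "fingerprint"])
    print(msg)
    print(f"-- {len(box_lines(msg))} of {BOX_MAX_LINES} lines used, fits: {fits_box(msg)}")
```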

pid_logon_credentials_text
Description: Configurable text that is displayed right above the log on credentials when the user clicks Log on.
Note:
1. If pid_enc_pwd_is_ad_pwd_enabled is set to True, this policy must be modified accordingly, for example, Enter your Windows domain user name and password to log on.
2. This message is available in multiple languages. It is displayed in the language specified by the user during AccessAgent installation.
Registry:
IMS Entry: Log on credentials message (Maximum 1 line)
Type: String list
Values:
  *#Enter your user name and password to log on.
  (1 string max)
  (text box takes 2 lines max, about 40 chars per line)
  (refreshed on sync)
Scope: System

Unlock text policies

pid_unlock_text
Description: Configurable text for a computer locked message.
Note:
1. This message is displayed, followed by a blank line, and then messages in one of the configurable unlock text policies (depending on current Wallet and pid_unlock_option).
2. Consecutive strings are separated by a blank line.
3. "\n\n" can be added if more blank lines are necessary.
4. This message is available in multiple languages. It is displayed in the language specified by the user during AccessAgent installation.
Registry:
IMS Entry: Locked computer message (Maximum 1 line)
Type: String list
Values:
  *#This computer is protected by TAM E-SSO AccessAgent, and has been locked.
  (1 string max)
  (text box takes 15 lines max, about 40 chars per line)
  (refreshed on sync)
Scope: System

pid_unlock_with_pwd_option_1_text
Description: Configurable text for unlocking with password when the computer is locked and pid_unlock_option is 1.
Note: See pid_unlock_text.
Registry:
IMS Entry: Instructions for unlocking with password when unlock policy is 'only the same user can unlock' (Maximum 2 lines)
Type: String list
Values:
  *#To unlock, click Unlock this computer or press Ctrl+Alt+Del.
  (2 strings max)
  (text box takes 15 lines max, about 40 chars per line)
  (refreshed on sync)
Scope: System

pid_unlock_with_pwd_option_3_text
Description: Configurable text for unlocking with password when the computer is locked and pid_unlock_option is 3.
Note: See pid_unlock_text.
Registry:
IMS Entry: Instructions for unlocking with password when unlock policy is 'any user with or without current desktop account in Wallet can unlock' (Maximum 2 lines)
Type: String list
Values:
  *#To unlock, click Unlock this computer or press Ctrl+Alt+Del.
  (2 strings max)
  (text box takes 15 lines max, about 40 chars per line)
  (refreshed on sync)
Scope: System

pid_unlock_with_pwd_option_4_text
Description: Configurable text for unlocking with password when the computer is locked and pid_unlock_option is 4.
Note: See pid_unlock_text.
Registry:
IMS Entry: Instructions for unlocking with password when unlock policy is 'only the same user can unlock, but different user can re-log on to Windows' (Maximum 2 lines)
Type: String list
Values:
  *#To unlock, click Unlock this computer or press Ctrl+Alt+Del.
  (2 strings max)
  (text box takes 15 lines max, about 40 chars per line)
  (refreshed on sync)
Scope: System

pid_unlock_with_sc_option_1_text
Description: Configurable text for unlocking with smart card when the computer is locked and pid_unlock_option is 1.
Note: See pid_unlock_text.
Registry:
IMS Entry: Instructions for unlocking with smart card when unlock policy is 'only the same user can unlock'
Type: String list
Values:
  *#To unlock, insert your smart card.
  *#If you already inserted your smart card and are not prompted for a PIN, remove your smart card and insert it again, or press Ctrl+Alt+Del. If you do not have your smart card, click 'Unlock this computer' or press Ctrl+Alt+Del.
  (2 strings max)
  (text box takes 15 lines max, about 40 chars per line)
  (refreshed on sync)
Scope: System

pid_unlock_with_sc_option_3_text
Description: Configurable text for unlocking with smart card when the computer is locked and pid_unlock_option is 3.
Note: See pid_unlock_text.
Registry:
IMS Entry: Instructions for unlocking with smart card when unlock policy is 'any user with or without current desktop account in Wallet can unlock'
Type: String list
Values:
  *#To unlock, insert your smart card.
  If you have inserted your smart card and are not prompted for a PIN, remove your smart card and insert it again, or press Ctrl+Alt+Del. If you do not have your smart card, click 'Unlock this computer' or press Ctrl+Alt+Del.
  (2 strings max)
  (text box takes 15 lines max, about 40 chars per line)
  (refreshed on sync)
Scope: System

pid_unlock_with_sc_option_4_text
Description: Configurable text for unlocking with smart card when the computer is locked and pid_unlock_option is 4.
Note: See pid_unlock_text.
Registry:
IMS Entry: Instructions for unlocking with smart card when unlock policy is 'only the same user can unlock, but different user can re-log on to Windows'
Type: String list
Values:
  *#To unlock, insert your smart card.
  If you already inserted your smart card and are not prompted for PIN, remove your smart card and insert it again, or press Ctrl+Alt+Del. If you do not have your smart card, click 'Unlock this computer' or press Ctrl+Alt+Del.
  (2 strings max)
  (text box takes 15 lines max, about 40 chars per line)
  (refreshed on sync)
Scope: System

pid_unlock_with_rfid_option_1_text
Description: Configurable text for unlocking with RFID when the computer is locked and pid_unlock_option is 1.
Note: See pid_unlock_text.
Registry:
IMS Entry: Instructions for unlocking with RFID when unlock policy is 'only the same user can unlock' (Maximum 2 lines)
Type: String list
Values:
  *#To unlock, tap your RFID card.
  If you do not have your RFID card, click Unlock this computer or press Ctrl+Alt+Del.
  (2 strings max)
  (text box takes 15 lines max, about 40 chars per line)
  (refreshed on sync)
Scope: System

pid_unlock_with_rfid_option_3_text
Description: Configurable text for unlocking with RFID when the computer is locked and pid_unlock_option is 3.
Note: See pid_unlock_text.
Registry:
IMS Entry: Instructions for unlocking with RFID when unlock policy is 'any user with or without current desktop account in Wallet can unlock' (Maximum 2 lines)
Type: String list
Values:
  *#To unlock, tap your RFID card.
  If you do not have your RFID card, click Unlock this computer or press Ctrl+Alt+Del.
  (2 strings max)
  (text box takes 15 lines max, about 40 chars per line)
  (refreshed on sync)
Scope: System

pid_unlock_with_rfid_option_4_text
Description: Configurable text for unlocking with RFID when the computer is locked and pid_unlock_option is 4.
Note: See pid_unlock_text.
Registry:
IMS Entry: Instructions for unlocking with RFID when unlock policy is 'only the same user can unlock, but different user can re-log on to Windows' (Maximum 2 lines)
Type: String list
Values:
  *#To unlock, tap your RFID card.
  If you do not have your RFID card, click Unlock this computer or press Ctrl+Alt+Del.
  (2 strings max)
  (text box takes 15 lines max, about 40 chars per line)
  (refreshed on sync)
Scope: System

pid_unlock_with_arfid_option_1_text
Description: Configurable text for unlocking with active proximity badge when the computer is locked and pid_unlock_option is 1.
Note: See pid_unlock_text.
Registry:
IMS Entry: Instructions for unlocking with active proximity badge when unlock policy is 'only the same user can unlock' (Maximum 2 lines)
Type: String list
Values:
  *#To unlock, present your active proximity badge.
  *#To unlock without active proximity badge, click Unlock this computer or press Ctrl+Alt+Del.
  (2 strings max)
  (text box takes 15 lines max, about 40 chars per line)
  (refreshed on sync)
Scope: System

pid_unlock_with_arfid_option_3_text
Description: Configurable text for unlocking with active proximity badge when the computer is locked and pid_unlock_option is 3.
Note: See pid_unlock_text.
Registry:
IMS Entry: Instructions for unlocking with active proximity badge when unlock policy is 'any user with or without current desktop account in Wallet can unlock' (Maximum 2 lines)
Type: String list
Values:
  *#To unlock, present your active proximity badge.
  *#To unlock without active proximity badge, click Unlock this computer or press Ctrl+Alt+Del.
  (2 strings max)
  (text box takes 15 lines max, about 40 chars per line)
  (refreshed on sync)
Scope: System

pid_unlock_with_arfid_option_4_text
Description: Configurable text for unlocking with active proximity badge when the computer is locked and pid_unlock_option is 4.
Note: See pid_unlock_text.
Registry:
IMS Entry: Instructions for unlocking with active proximity badge when unlock policy is 'only the same user can unlock, but different user can re-log on to Windows' (Maximum 2 lines)
Type: String list
Values:
  *#To unlock, present your active proximity badge.
  *#To unlock without active proximity badge, click Unlock this computer or press Ctrl+Alt+Del.
  (2 strings max)
  (text box takes 15 lines max, about 40 chars per line)
  (refreshed on sync)
Scope: System

pid_unlock_with_fingerprint_option_1_text
Description: Configurable text for unlocking with fingerprint when the computer is locked and pid_unlock_option is 1.
Note: See pid_unlock_text.
Registry:
IMS Entry: Instructions for unlocking with fingerprint when unlock policy is 'only the same user can unlock' (Maximum 2 lines)
Type: String list
Values:
  *#To unlock, place your registered finger on the sensor.
  *#To unlock without fingerprint, click Unlock this computer or press Ctrl+Alt+Del.
  (2 strings max)
  (text box takes 15 lines max, about 40 chars per line)
  (refreshed on sync)
Scope: System

pid_unlock_with_fingerprint_option_3_text
Description: Configurable text for unlocking with fingerprint when the computer is locked and pid_unlock_option is 3.
Note: See pid_unlock_text.
Registry:
IMS Entry: Instructions for unlocking with fingerprint when unlock policy is 'any user with or without current desktop account in Wallet can unlock' (Maximum 2 lines)
Type: String list
Values:
  *#To unlock, place your registered finger on the sensor.
  *#To unlock without fingerprint, click Unlock this computer or press Ctrl+Alt+Del.
  (2 strings max)
  (text box takes 15 lines max, about 40 chars per line)
  (refreshed on sync)
Scope: System

pid_unlock_with_fingerprint_option_4_text
Description: Configurable text for unlocking with fingerprint when the computer is locked and pid_unlock_option is 4.
Note: See pid_unlock_text.
Registry:
IMS Entry: Instructions for unlocking with fingerprint when unlock policy is 'only the same user can unlock, but different user can re-log on to Windows' (Maximum 2 lines)
Type: String list
Values:
  *#To unlock, place your registered finger on the sensor.
  *#To unlock without fingerprint, click Unlock this computer or press Ctrl+Alt+Del.
  (2 strings max)
  (text box takes 15 lines max, about 40 chars per line)
  (refreshed on sync)
Scope: System

pid_unlock_with_fingerprint_or_rfid_option_1_text
Description: Configurable text for unlocking with fingerprint or RFID when the computer is locked and pid_unlock_option is 1.
Note: See pid_unlock_text.
Registry:
IMS Entry: Instructions for unlocking with fingerprint or RFID when unlock policy is 'only the same user can unlock' (Maximum 2 lines)
Type: String list
Values:
  *#To unlock, place your registered finger on the sensor or tap your RFID card.
  *#To unlock without fingerprint or RFID card, click Unlock this computer or press Ctrl+Alt+Del.
  (2 strings max)
  (text box takes 15 lines max, about 40 chars per line)
  (refreshed on sync)
Scope: System

pid_unlock_with_fingerprint_or_rfid_option_3_text
Description: Configurable text for unlocking with fingerprint or RFID when the computer is locked and pid_unlock_option is 3.
Note: See pid_unlock_text.
Registry:
IMS Entry: Instructions for unlocking with fingerprint or RFID when unlock policy is 'any user with or without current desktop account in Wallet can unlock' (Maximum 2 lines)
Type: String list
Values:
  *#To unlock, place your registered finger on the sensor or tap your RFID card.
  *#To unlock without fingerprint or RFID card, click Unlock this computer or press Ctrl+Alt+Del.
  (2 strings max)
  (text box takes 15 lines max, about 40 chars per line)
  (refreshed on sync)
Scope: System

pid_unlock_with_fingerprint_or_rfid_option_4_text
Description: Configurable text for unlocking with fingerprint or RFID when the computer is locked and pid_unlock_option is 4.
Note: See pid_unlock_text.
Registry:
IMS Entry: Instructions for unlocking with fingerprint or RFID when unlock policy is 'only the same user can unlock, but different user can re-log on to Windows' (Maximum 2 lines)
Type: String list
Values:
  *#To unlock, place your registered finger on the sensor or tap your RFID card.
  *#To unlock without fingerprint or RFID card, click 'Unlock this computer' or press Ctrl+Alt+Del.
  (2 strings max)
  (text box takes 15 lines max, about 40 chars per line)
  (refreshed on sync)
Scope: System

pid_unlock_credentials_text
Description: Configurable text to be displayed right above the unlock credentials when the user clicks Unlock this computer.
Note:
1. If the password is the Active Directory password (pid_enc_pwd_is_ad_pwd_enabled is set to True), this policy must be modified accordingly, for example, Enter your Windows domain user name and password to unlock.
2. This message is available in multiple languages. It is displayed in the language specified by the user during AccessAgent installation.
Registry:
IMS Entry: Unlock credentials message (Maximum 1 line)
Type: String list
Values:
  *#Enter your user name and password to unlock.
  (1 string max)
  (text box takes 15 lines max, about 40 chars per line)
  (refreshed on sync)
Scope: System

RFID text policies

pid_rfid_name_text
Description: Configurable text for RFID name (for example, RFID card).
Note: This message is available in multiple languages. It is displayed in the language specified by the user during AccessAgent installation.
Registry:
IMS Entry: RFID name
Type: String
Values:
  *RFID card
  (refreshed on sync)
Scope: System

Sign up text policies

pid_bind_display_template
Description: The template to be used for displaying the sign-up dialog.
Note:
1. The Domain field is also shown if and only if the enterprise directory is Active Directory.
2. Other than the domain, the template can only support either 1 or 2 fields. To display only one field, set the Label of one of the fields to a blank entry. The field with the blank Label is not displayed.
Registry:
IMS Entry: Template for sign-up dialog
Type: Bind template
Values:
  #Enter your domain user name and password for identity verification.
  *#User name
  *#Password
  (refreshed on sync)
Scope: System

AccessAssistant and Web Workplace text policies

pid_accessanywhere_otp_reset_link_text
Description: Configurable text for the OTP (OATH) reset link on AccessAssistant and Web Workplace.
Note: Effective only if pid_auth_authentication_option for AccessAnywhere contains OTP (OATH).
Registry:
IMS Entry: Text for the OTP (OATH) reset link on AccessAssistant and Web Workplace.
Type: String
Values:
  *Reset OTP token
  (refreshed on sync)
Scope: System

Chapter 25. Authentication service policies

See the following sets of authentication policies.
• Password policies (authentication service)
• Authentication policies (authentication service)
• User-defined policies (authentication service)

Password policies (authentication service)

pid_auth_reauth_with_enc_pwd_enabled
Description: Whether another password authentication is required before performing automatic sign-on for the authentication service.
Note: Effective only if pid_auth_is_enterprise is enabled for the authentication service.
Registry:
IMS Entry: Require re-authentication before performing automatic sign-on?
Type: Boolean
Values:
  #True
  *#False
  (refreshed on sync)
Scope: System

pid_auth_pwd_is_ad_pwd
Description: Whether the authentication service is displayed as a Windows user account in AccessAdmin.
Registry:
IMS Entry: Is the password the Windows log on password?
Type: Boolean
Values:
  #True
  *#False
  (refreshed on use)
Scope: System

pid_auth_fortification_pwd_min_length
Description: Minimum length of an acceptable password for the authentication service.
Note: Effective if pid_auth_fortification_random_pwd_enabled is enabled.
Registry:
IMS Entry: Minimum password length
Type: Positive integer
Values:
  *6
  (from 1 to 99)
  (refreshed on sync)
Scope: System

pid_auth_fortification_pwd_max_length
Description: Maximum length of an acceptable password for the authentication service.
Note: Effective if pid_auth_fortification_random_pwd_enabled is enabled.
Registry:
IMS Entry: Maximum password length
Type: Positive integer
Values:
  *20
  (from 1 to 99)
  (refreshed on sync)
Scope: System

pid_auth_fortification_pwd_min_numerics_length
Description: Minimum number of numeric characters for an acceptable password for the authentication service.
Note: Effective if pid_auth_fortification_random_pwd_enabled is enabled.
Registry:
IMS Entry: Minimum number of numeric characters
Type: Non-negative integer
Values:
  *0
  (from 0 to 99)
  (refreshed on sync)
Scope: System

pid_auth_fortification_pwd_min_alphabets_length
Description: Minimum number of alphabetic characters for an acceptable password for the authentication service.
Note: Effective if pid_auth_fortification_random_pwd_enabled is enabled.
Registry:
IMS Entry: Minimum number of alphabetic characters
Type: Non-negative integer
Values:
  *0
  (from 0 to 99)
  (refreshed on sync)
Scope: System

pid_auth_fortification_pwd_min_special_chars_length
Description: Minimum number of special characters for an acceptable password for the authentication service.
Note: Effective if pid_auth_fortification_random_pwd_enabled is enabled.
Registry:
IMS Entry: Minimum number of special characters
Type: Non-negative integer
Values:
  *0
  (from 0 to 99)
  (refreshed on sync)
Scope: System

pid_auth_fortification_pwd_max_numerics_length
Description: Maximum number of numeric characters for an acceptable password for the authentication service.
Note: Effective if pid_auth_fortification_random_pwd_enabled is enabled.
Registry:
IMS Entry: Maximum number of numeric characters
Type: Non-negative integer
Values:
  *10
  (from 0 to 99)
  (refreshed on sync)
Scope: System

pid_auth_fortification_pwd_max_alphabets_length
Description: Maximum number of alphabetic characters for an acceptable password for the authentication service.
Note: Effective if pid_auth_fortification_random_pwd_enabled is enabled.
Registry:
IMS Entry: Maximum number of alphabetic characters
Type: Non-negative integer
Values:
  *10
  (from 0 to 99)
  (refreshed on sync)
Scope: System

pid_auth_fortification_max_special_chars_length
Description: Maximum number of special characters for an acceptable password for the authentication service.
Note: Effective if pid_auth_fortification_random_pwd_enabled is enabled.
Registry:
IMS Entry: Maximum number of special characters
Type: Non-negative integer
Values:
  *10
  (from 0 to 99)
  (0 for no max limit)
  (refreshed on sync)
Scope: System

pid_auth_fortification_pwd_mixed_case_enforced
Description: Whether to enforce the use of both uppercase and lowercase characters for the password of the authentication service.
Note: Effective if pid_auth_fortification_random_pwd_enabled is enabled.
Registry:
IMS Entry: Enforce the use of both upper case and lower case characters?
Type: Boolean
Values:
  #True
  *#False
  (refreshed on sync)
Scope: System

pid_auth_fortification_random_pwd_enabled
Description: Whether manual password change with random password is enabled for the authentication service.
Registry:
IMS Entry: Enable manual password change with random password?
Type: Boolean
Values:
  #True
  *#False
  (refreshed on sync)
Scope: User
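The pid_auth_fortification_* policies above only take effect together, and a set of minimums and maximums can be chosen that no password satisfies. The following Python is an added example, not code from the guide or the product: it checks a candidate password against a policy set and reports policy combinations that are out of range or unsatisfiable. Policy names, defaults and ranges are the guide's; how characters are classified and the consistency rules are assumptions made here.

```python
"""Check a candidate password against the pid_auth_fortification_* policies of
an authentication service, and flag policy sets that can never be satisfied.

Added example, not IBM's code. Policy names, defaults and ranges are from the
guide; how characters are classified and the consistency rules are assumptions
made here.
"""
from dataclasses import dataclass

PID = "pid_auth_fortification_"


@dataclass(frozen=True)
class FortificationPolicy:
    """Fields are the pid_auth_fortification_* names without the prefix; values are the guide's defaults."""
    random_pwd_enabled: bool = False       # the policies below are effective only if True
    pwd_min_length: int = 6                # from 1 to 99
    pwd_max_length: int = 20               # from 1 to 99
    pwd_min_numerics_length: int = 0       # from 0 to 99
    pwd_min_alphabets_length: int = 0      # from 0 to 99
    pwd_min_special_chars_length: int = 0  # from 0 to 99
    pwd_max_numerics_length: int = 10      # from 0 to 99
    pwd_max_alphabets_length: int = 10     # from 0 to 99
    max_special_chars_length: int = 10     # from 0 to 99, 0 for no max limit
    pwd_mixed_case_enforced: bool = False


def classify(password):
    """Count (numeric, alphabetic, special) characters; assumed classification."""
    digits = sum(c.isdigit() for c in password)
    alphas = sum(c.isalpha() for c in password)
    return digits, alphas, len(password) - digits - alphas


def password_violations(password, p):
    """Names of the policies the password fails, in check order; empty means acceptable.
    With random_pwd_enabled False the fortification policies are not effective."""
    if not p.random_pwd_enabled:
        return []
    digits, alphas, specials = classify(password)
    has_both_cases = any(c.isupper() for c in password) and any(c.islower() for c in password)
    checks = [
        ("pwd_min_length", len(password) < p.pwd_min_length),
        ("pwd_max_length", len(password) > p.pwd_max_length),
        ("pwd_min_numerics_length", digits < p.pwd_min_numerics_length),
        ("pwd_max_numerics_length", digits > p.pwd_max_numerics_length),
        ("pwd_min_alphabets_length", alphas < p.pwd_min_alphabets_length),
        ("pwd_max_alphabets_length", alphas > p.pwd_max_alphabets_length),
        ("pwd_min_special_chars_length", specials < p.pwd_min_special_chars_length),
        ("max_special_chars_length",
         p.max_special_chars_length != 0 and specials > p.max_special_chars_length),
        ("pwd_mixed_case_enforced", p.pwd_mixed_case_enforced and not has_both_cases),
    ]
    return [PID + name for name, failed in checks if failed]


def policy_problems(p):
    """Settings outside the documented ranges or that no password could satisfy."""
    problems = []
    for name in ("pwd_min_length", "pwd_max_length"):
        if not 1 <= getattr(p, name) <= 99:
            problems.append(f"{PID}{name} must be from 1 to 99")
    for name in ("pwd_min_numerics_length", "pwd_min_alphabets_length",
                 "pwd_min_special_chars_length", "pwd_max_numerics_length",
                 "pwd_max_alphabets_length", "max_special_chars_length"):
        if not 0 <= getattr(p, name) <= 99:
            problems.append(f"{PID}{name} must be from 0 to 99")
    if p.pwd_min_length > p.pwd_max_length:
        problems.append(f"{PID}pwd_min_length exceeds {PID}pwd_max_length")
    # The per-class minimums must all fit inside the longest allowed password.
    class_min = (p.pwd_min_numerics_length + p.pwd_min_alphabets_length
                 + p.pwd_min_special_chars_length)
    if class_min > p.pwd_max_length:
        problems.append("per-class minimums add up to more than the maximum length")
    # The per-class maximums must together reach the shortest allowed password.
    class_max = (p.pwd_max_numerics_length + p.pwd_max_alphabets_length
                 + (p.max_special_chars_length or 99))
    if class_max < p.pwd_min_length:
        problems.append("per-class maximums add up to less than the minimum length")
    for cls in ("numerics", "alphabets"):
        if getattr(p, f"pwd_max_{cls}_length") < getattr(p, f"pwd_min_{cls}_length"):
            problems.append(f"{PID}pwd_max_{cls}_length is below {PID}pwd_min_{cls}_length")
    if 0 < p.max_special_chars_length < p.pwd_min_special_chars_length:
        problems.append(f"{PID}max_special_chars_length is below {PID}pwd_min_special_chars_length")
    if p.pwd_mixed_case_enforced and p.pwd_max_alphabets_length < 2:
        problems.append("mixed case is enforced but fewer than 2 alphabetic characters are allowed")
    return problems
```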

Authentication policies (authentication service)

pid_auth_is_enterprise
Description: Whether an authentication service is an enterprise authentication service.
Registry:
IMS Entry: Is it an enterprise authentication service?
Type: Boolean
Values:
  #True
  *#False
  (refreshed on sync)
Scope: System

pid_auth_inject_pwd_entry_option_default
Description: Default automatic sign-on password entry option for the authentication service.
Note:
1. Effective only if pid_auth_is_enterprise is enabled for the authentication service.
2. Overrides Wallet inject password entry option default.
Registry:
IMS Entry: Default automatic sign-on password entry option for the authentication service
Type: Positive integer
Values:
  #1: Automatic log on
  *#2: Always
  #3: Ask
  #4: Never
  #5: Certificate
  #6: Use application settings
  (refreshed on sync)
Scope: System

pid_auth_sso_enabled
Description: Whether to enable automatic sign-on for the authentication service.
Note: Effective only if pid_auth_is_enterprise is enabled for the authentication service.
Registry:
IMS Entry: Enable automatic sign-on?
Type: Boolean
Values:
  *#True
  #False
  (refreshed on sync)
Scope: System

pid_auth_authentication_option
Description: Option to control what authentication modes AccessAgent must support for the authentication service.
Note: Effective only if pid_auth_is_enterprise is enabled for the authentication service.
Registry:
IMS Entry: Authentication modes to be supported
Type: Positive integer
Values:
  *#1: Password
  #2: SCR
  #4: CAPI
  #8: OTP
  #16: MAC
  #32: CCOW
  (multiple allowed)
  (refreshed on sync)
Scope: System

pid_auth_capture_prompt_enabled
Description: Whether the user must be prompted during auto-capture of password for the authentication service.
Note:
1. Effective only if pid_auth_is_enterprise is enabled for the authentication service.
2. If the policy value is False and a user is already logged on, and another user wants to use the same computer, the application passwords of the second user might be auto-captured into the Wallet of the first user. If pid_auth_capture_prompt_enabled is set to False for an authentication service, set pid_auth_accounts_max to 1 for the same authentication service.
Registry:
IMS Entry: Prompt user on auto-capture of password?
Type: Boolean
Values:
  *#True
  #False
  (refreshed on sync)
Scope: System

pid_auth_accounts_max
Description: Maximum number of accounts that a user can store for the authentication service.
Note:
1. When the number of accounts has reached or exceeded the maximum specified by this policy:
   a. AccessAgent does not capture new accounts for this authentication service.
   b. If the user clicks Add new user in Wallet Manager, AccessAgent displays a prompt that the number of accounts has reached the limit.
2. User policy, if defined, overrides system policy.
3. This policy is only applicable to AccessAgent.
Registry:
IMS Entry: Maximum number of accounts allowed for the authentication service
Type: Non-negative integer
Values:
  *0
  (from 0 to 10)
  (0 for no max limit)
  (refreshed on sync)
Scope: User, System
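pid_auth_authentication_option is a bitmask (the listed values can be combined), and several policies in this chapter depend on each other: most are effective only when pid_auth_is_enterprise is enabled, the OTP reset link text depends on the OTP bit, and the pid_auth_capture_prompt_enabled note asks for pid_auth_accounts_max to be 1 when prompting is off. The following Python is an added example, not code from the guide or the product: it decodes and composes the bitmask and lints one service's policy set for those dependencies. Bit values, policy names and defaults are the guide's; the function names and warning texts are assumptions made here.

```python
"""Decode and compose the pid_auth_authentication_option bitmask and lint an
authentication service's policy set for the dependencies the guide states.

Added example, not IBM's code. Bit values, policy names and defaults are from
the guide; the function names and the warning texts are assumptions made here.
"""

AUTH_MODES = {1: "Password", 2: "SCR", 4: "CAPI", 8: "OTP", 16: "MAC", 32: "CCOW"}
ALL_MODE_BITS = sum(AUTH_MODES)  # 63

# Policies the guide marks "Effective only if pid_auth_is_enterprise is enabled".
NEEDS_ENTERPRISE = (
    "pid_auth_reauth_with_enc_pwd_enabled",
    "pid_auth_inject_pwd_entry_option_default",
    "pid_auth_sso_enabled",
    "pid_auth_authentication_option",
    "pid_auth_capture_prompt_enabled",
)


def decode_auth_option(value):
    """Names of the modes set in a pid_auth_authentication_option value."""
    if not isinstance(value, int) or value < 1:
        raise ValueError("pid_auth_authentication_option is a positive integer")
    if value & ~ALL_MODE_BITS:
        raise ValueError(f"unknown authentication mode bits in {value}")
    return [name for bit, name in sorted(AUTH_MODES.items()) if value & bit]


def encode_auth_option(names):
    """Bitmask for a list of mode names (multiple allowed), e.g. ["Password", "OTP"] -> 9."""
    by_name = {name.lower(): bit for bit, name in AUTH_MODES.items()}
    value = 0
    for name in names:
        if name.lower() not in by_name:
            raise ValueError(f"unknown authentication mode {name!r}")
        value |= by_name[name.lower()]
    if value == 0:
        raise ValueError("at least one authentication mode is required")
    return value


def otp_reset_link_effective(accessanywhere_auth_option):
    """pid_accessanywhere_otp_reset_link_text only takes effect when the
    AccessAnywhere authentication option contains OTP (OATH)."""
    return "OTP" in decode_auth_option(accessanywhere_auth_option)


def lint_auth_service(policies):
    """Warnings for one authentication service; policies is a dict keyed by pid name."""
    warnings = []
    if not policies.get("pid_auth_is_enterprise", False):
        for name in NEEDS_ENTERPRISE:
            if name in policies:
                warnings.append(f"{name} has no effect: pid_auth_is_enterprise is False")
        return warnings
    try:
        decode_auth_option(policies.get("pid_auth_authentication_option", 1))
    except ValueError as exc:
        warnings.append(f"pid_auth_authentication_option: {exc}")
    accounts_max = policies.get("pid_auth_accounts_max", 0)
    if not 0 <= accounts_max <= 10:
        warnings.append("pid_auth_accounts_max must be from 0 to 10 (0 for no max limit)")
    # Guide: with auto-capture prompting off, a second user's application password
    # can be captured into the first user's Wallet; limit the service to one account.
    if policies.get("pid_auth_capture_prompt_enabled", True) is False and accounts_max != 1:
        warnings.append("pid_auth_capture_prompt_enabled is False: set pid_auth_accounts_max to 1")
    return warnings


if __name__ == "__main__":
    print(decode_auth_option(9), encode_auth_option(["Password", "OTP"]))
    print(lint_auth_service({"pid_auth_is_enterprise": True,
                             "pid_auth_authentication_option": 9,
                             "pid_auth_capture_prompt_enabled": False}))
```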

User-defined policies (authentication service)

pid_auth_inject_user_default
Description: Default user of injection policy per authentication service.
Registry:
IMS Entry:
Type: Account data for policy object
Values:
  (refreshed on sync)
Scope: User

pid_auth_inject_pwd_entry_option
Description: Password entry of injection policy per authentication service.
Registry:
IMS Entry:
Type: Positive integer
Values:
  #1: Automatic log on
  *#2: Always
  #3: Ask
  #4: Never
  #5: Certificate
  #6: Use application settings
  (refreshed on use)
Scope: User

Chapter 26. Application policies

pid_app_reauth_with_enc_pwd_enabled
Description: Whether another password authentication is required before performing automatic sign-on for the application.
Note: Override authentication or authenticate again with password.
Registry:
IMS Entry: Require re-authentication before performing automatic sign-on?
Type: Boolean
Values:
  #True
  *#False
  (refreshed on sync)
Scope: System

pid_app_inject_pwd_entry_option_default
Description: Default automatic sign-on password entry option for the application.
Note: Overrides authentication inject password entry option default and Wallet inject password entry option default.
Registry:
IMS Entry: Default automatic sign-on password entry option for the application
Type: Positive integer
Values:
  #1: Automatic log on
  *#2: Always
  #3: Ask
  #4: Never
  #5: Certificate
  #6: Use application settings
  (refreshed on sync)
Scope: System

pid_app_wallet_logoff_action
Description: Action to take for the application when the user logs off from AccessAgent.
Note:
1. This policy overrides Wallet logoff action for applications default.
2. See the notes for Wallet logoff action for applications default.
3. For web applications, each URL is considered an application. Internet Explorer (IE) is also considered an application. In this context, the web application policy overrides the IE policy, which overrides Wallet logoff action for applications default.
4. Set the policy to 2 and 3 for Internet Explorer and Windows Explorer.
5. This policy is set to 3 for Windows logon (application GINA) when the IMS Server is installed.
Registry:
IMS Entry: Action for the application, when user logs off AccessAgent
Type: Positive integer
Values:
  #1: Log off the application
  #2: Close the application
  *#3: Do nothing
  (refreshed on use)
Scope: System

Chapter 27. User-defined policies

pid_app_auth_inject_pwd_entry_option
Description: Password entry of injection policy per application per authentication service.
Registry:
IMS Entry:
Type: Positive integer
Values:
  #1: Automatic log on
  *#2: Always
  #3: Ask
  #4: Never
  #5: Certificate
  #6: Use application settings
  (refreshed on use)
Scope: User

pid_app_auth_inject_user_default
Description: Default user of injection policy per application per authentication service.
Registry:
IMS Entry:
Type: Account data for policy object
Values:
  (refreshed on use)
Scope: User

Chapter 28. Troubleshooting policies

pid_wallet_sync_manual_enabled
Description: Whether to enable the Synchronize with IMS option by right-clicking the AccessAgent icon in WNA.
Registry: [T] "WalletSyncManualEnabled"
IMS Entry:
Type: DWORD
Values:
  *#0: No
  #1: Yes
  (refreshed on use)
Scope: Machine

pid_wallet_delete_enabled
Description: Whether to enable a Delete user Wallets option by right-clicking on the AccessAgent icon in WNA.
Note:
1. This menu item is only available when no user is logged on to AccessAgent.
2. This menu item deletes all user Wallets, but not the machine Wallet.
3. If this feature is used on a Citrix or Terminal Server or a workstation with Local User Session Management (LUSM) enabled, make sure that only one desktop session is running while deleting the Wallets. If multiple sessions are running, the behavior of AccessAgent in other sessions after deleting the Wallets is unpredictable.
Registry: [T] "WalletDeleteEnabled"
IMS Entry:
Type: DWORD
Values:
  *#0: No
  #1: Yes
  (refreshed on use)
Scope: Machine

pid_machine_policy_override_enabled
Description: Whether to override machine policies using registry values.
Note:
1. If enabled, machine policies can be overridden for this machine by
specifying their values in the registry key [HKEY_LOCAL_MACHINE\
SOFTWARE\Encentuate\DeploymentOptions]. For example,
pid_second_factors_supported_list can be specified using the
registry value SecondFactorsSupportedList.
2. This temporary policy is useful for troubleshooting, especially if
there is no Administrator access to the IMS Server. Disable this
policy after testing is completed, so that the machine can continue
to be managed through AccessAdmin.
3. This policy does not affect pid_wallet_cache_security_enabled.
Registry: [T] "MachinePolicyOverrideEnabled"
Type: DWORD
Values:
  *#0: No
  #1: Yes
  (refreshed on use)
Scope: Machine
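A way to check that a workstation has not been left in this troubleshooting state, as an added PowerShell example that is not part of the guide or the product: it reads the three Chapter 28 policy values and lists any override values present under the DeploymentOptions key named above. The registry key the guide abbreviates as [T] is not expanded on this page, so it is passed in as a parameter; the function and parameter names are this example's own.

```powershell
# Added audit example, not IBM's code. Reads the three Chapter 28 troubleshooting
# policies and lists registry-side machine policy overrides, so a machine that is
# no longer governed by AccessAdmin can be spotted and the policy switched back off.
function Get-TamEssoTroubleshootingState {
    [CmdletBinding()]
    param(
        # Assumption: the registry key the guide abbreviates as [T]; supply it.
        [Parameter(Mandatory = $true)]
        [string]$TempKeyPath,

        # Key named in the pid_machine_policy_override_enabled note.
        [string]$DeploymentOptionsPath = 'HKLM:\SOFTWARE\Encentuate\DeploymentOptions'
    )

    # DWORD policies from Chapter 28; the documented default for each is 0 (No).
    $policies = @(
        @{ Pid = 'pid_machine_policy_override_enabled'; Name = 'MachinePolicyOverrideEnabled' },
        @{ Pid = 'pid_wallet_delete_enabled';           Name = 'WalletDeleteEnabled' },
        @{ Pid = 'pid_wallet_sync_manual_enabled';      Name = 'WalletSyncManualEnabled' }
    )

    $findings = foreach ($p in $policies) {
        $raw = $null
        if (Test-Path -LiteralPath $TempKeyPath) {
            $raw = (Get-ItemProperty -LiteralPath $TempKeyPath -Name $p.Name `
                        -ErrorAction SilentlyContinue).($p.Name)
        }
        # A missing value means the policy is at its default, 0 (No).
        $value = if ($null -eq $raw) { 0 } else { [int]$raw }
        [pscustomobject]@{
            PolicyId = $p.Pid
            Registry = $p.Name
            Value    = $value
            Enabled  = ($value -eq 1)
        }
    }

    # Overrides only take effect while MachinePolicyOverrideEnabled is 1, but a
    # value left behind here is configuration drift worth reporting either way.
    $overrides = @()
    if (Test-Path -LiteralPath $DeploymentOptionsPath) {
        $key = Get-Item -LiteralPath $DeploymentOptionsPath
        foreach ($name in $key.GetValueNames()) {
            $overrides += [pscustomobject]@{
                Name = $name
                Kind = $key.GetValueKind($name)
                Data = $key.GetValue($name)
            }
        }
    }

    $overrideOn = @($findings | Where-Object {
        $_.Registry -eq 'MachinePolicyOverrideEnabled' -and $_.Enabled }).Count -gt 0

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Policies            = $findings
        OverrideEnabled     = $overrideOn
        DeploymentOverrides = $overrides
    }
}

# Usage: replace the placeholder with the key the guide's [T] marker stands for.
$state = Get-TamEssoTroubleshootingState -TempKeyPath 'HKLM:\<T-key placeholder>'
$state.Policies | Format-Table PolicyId, Registry, Value, Enabled -AutoSize
if ($state.OverrideEnabled) {
    Write-Warning ('{0}: MachinePolicyOverrideEnabled=1, so AccessAdmin no longer governs machine policies; {1} override value(s) under DeploymentOptions.' -f $state.ComputerName, $state.DeploymentOverrides.Count)
    $state.DeploymentOverrides | Format-Table Name, Kind, Data -AutoSize
}
```

Run it from an elevated session on the workstation being checked; a non-empty DeploymentOverrides list together with OverrideEnabled set to True is the condition note 2 above tells you to clear once testing is finished.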

Notices
This information was developed for products and services offered in the
U.S.A.
IBM may not offer the products, services, or features discussed in this
document in other countries. Consult your local IBM representative for
information on the products and services currently available in your area. Any
reference to an IBM product, program, or service is not intended to state or
imply that only that IBM product, program, or service may be used. Any
functionally equivalent product, program, or service that does not infringe
any IBM intellectual property right may be used instead. However, it is the
user's responsibility to evaluate and verify the operation of any non-IBM
product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not grant
you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the
IBM Intellectual Property Department in your country or send inquiries, in
writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY
OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow
disclaimer of express or implied warranties in certain transactions, therefore,
this statement may not apply to you.
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will
be incorporated in new editions of the publication. IBM may make
improvements and/or changes in the product(s) and/or the program(s)
described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those
Web sites. The materials at those Web sites are not part of the materials for
this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the
purpose of enabling: (i) the exchange of information between independently
created programs and other programs (including this one) and (ii) the mutual
use of the information which has been exchanged, should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.
Such information may be available, subject to appropriate terms and
conditions, including in some cases, payment of a fee.
The licensed program described in this document and all licensed material
available for it are provided by IBM under terms of the IBM Customer
Agreement, IBM International Program License Agreement or any equivalent
agreement between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments
may vary significantly. Some measurements may have been made on
development-level systems and there is no guarantee that these measurements
will be the same on generally available systems. Furthermore, some
measurements may have been estimated through extrapolation. Actual results
may vary. Users of this document should verify the applicable data for their
specific environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available
sources. IBM has not tested those products and cannot confirm the accuracy
of performance, compatibility or any other claims related to non-IBM

products. Questions on the capabilities of non-IBM products should be
addressed to the suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change
or withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include
the names of individuals, companies, brands, and products. All of these
names are fictitious and any similarity to the names and addresses used by an
actual business enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language,
which illustrate programming techniques on various operating platforms. You
may copy, modify, and distribute these sample programs in any form without
payment to IBM, for the purposes of developing, using, marketing or
distributing application programs conforming to the application programming
interface for the operating platform for which the sample programs are
written. These examples have not been thoroughly tested under all conditions.
IBM, therefore, cannot guarantee or imply reliability, serviceability, or function
of these programs.
If you are viewing this information softcopy, the photographs and color
illustrations may not appear.

Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corporation in the United States, other
countries, or both. If these and other IBM trademarked terms are marked on
their first occurrence in this information with a trademark symbol (® or ™),
these symbols indicate U.S. registered or common law trademarks owned by
IBM at the time this information was published. Such trademarks may also be
registered or common law trademarks in other countries. A current list of IBM
trademarks is available on the Web at Copyright and trademark information
(www.ibm.com/legal/copytrade.shtml).
Adobe, the Adobe logo, PostScript, and the PostScript logo are either
registered trademarks or trademarks of Adobe Systems Incorporated in the
United States, and/or other countries.
IT Infrastructure Library is a registered trademark of the Central Computer
and Telecommunications Agency, which is now part of the Office of
Government Commerce.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel
Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and
Pentium are trademarks or registered trademarks of Intel Corporation or its
subsidiaries in the United States and other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other
countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
ITIL is a registered trademark, and a registered community trademark of the
Office of Government Commerce, and is registered in the U.S. Patent and
Trademark Office.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc.
in the United States, other countries, or both and is used under license
therefrom.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc.
in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and
other countries.
Other company, product, or service names may be trademarks or service
marks of others.

Glossary
AccessAdmin. The management used by individuals with the Administrator Role and/or the Help
desk Role to administer IMS Server, and to manage users and policies.
AccessAgent. AccessAgent, or AA, is the client software that manages the user's identity, enabling
sign-on/sign-off automation and authentication management.
AccessAssistant. The Web-based interface used to provide password self-help for users to obtain the
latest credentials to logon to their applications.
AccessProfiles. Short, structured XML files that enable single sign-on or sign-off automation for
applications. AccessStudio can be used to generate AccessProfiles.
AccessStudio. The interface used to create AccessProfiles required to support end-point automation,
including single sign-on, single sign-off, and customizable audit tracking.
account data. The logon information required for verification against an authentication service. Most of
the time, it refers to the user name, the password, and the authentication service against which the logon
information is stored.
action. An act that can be performed in response to a trigger. For example, automatic filling of user
name and password details as soon as a sign-on window displays. See also Trigger.
ActiveCode. Short-lived authentication codes that are controlled by Tivoli Access Manager for
Enterprise Single Sign-On system. There are two types of ActiveCodes: random ActiveCodes and
predictive ActiveCodes.
The generation of ActiveCodes can be triggered in one of two ways: time-based (for example, every
minute or every day) or event-based (for example, pressing a button).
Combined with alternative channels or devices, ActiveCodes provide effective second-factor
authentication.
Active Proximity Badge. Similar to an RFID card, but differs in its ability to be detected by a proximity
reader from a considerably longer distance (such as two meters away).
ARFID (Active RFID). ARFID is both a second factor and a presence detector. It can detect the
presence of a user, and AccessAgent can be configured to perform specific actions.
AD. Microsoft Active Directory
application. In AccessStudio, it refers to the system that provides the user interface for reading or
entering the authentication credentials.
application policy. A collection of attributes governing access to applications. Application policies can
include (but are not limited to):
v Password policies govern frequency of password change and strength of passwords.
v Audit policies determine if audit trails must be kept.
v Management policies determine the degree of control the user has over password auto-fill. This
replaces personal versus enterprise applications.
v Privacy policies define when and what type of information is captured and backed-up in the Wallet.
authentication factor. The different devices, biometrics, or secrets required as credentials for validating
digital identities (for example, passwords, smart card, RFID, biometrics, and one-time password tokens).
authentication service. Verifies the validity of an account; Applications authenticate against their own
user store or against a corporate directory.
authorization code. An alphanumeric code generated by an IBM Help desk user for administrative
functions, such as password resets or authentication factors for the Wallet; might be used one or more
times based on policy.
auto-capture. A function that allows the system to remember user credentials (such as user names and
passwords) for different applications. These credentials are captured as they are being used for the first
time, and then stored and secured in the Wallet for future use.
biometrics. The identification of a user based on a physical characteristic of the user, such as a
fingerprint, iris, face, voice or handwriting.
CAPI. Microsoft Cryptography API
certificate authority (CA). A trusted third-party organization or company that issues the digital
certificates. The certificate authority typically verifies the identity of the individuals who are granted the
unique certificate.
CLT. Command Line Tool
control. Any field on a screen. Examples are a user name text box or an OK button on a Web page.
conventional single sign-on. Refers to Web-based single sign-on systems and typically requires
server-side integration, with a centralized architecture.
credentials. User names, passwords, certificates, and any other information that is required for
authentication. An authentication factor can serve as a credential. In Tivoli Access Manager for
Enterprise Single Sign-On, credentials are stored and secured in the Wallet.
Desktop Manager. Manages concurrent user desktops on a single workstation
directory. A structured repository of information on people and resources within an organization,
facilitating management and communication.
DNS. Domain Name System. The distributed database system that maps domain names to IP addresses.
EnGINA. Tivoli Access Manager for Enterprise Single Sign-On GINA, which replaces the Microsoft
GINA. EnGINA provides a user interface that is tightly integrated with authentication factors and
provides password reset and second factor bypass options.
Enterprise Access Security (EAS). A technology that enables enterprises to simplify, strengthen and
track access to digital assets and physical infrastructure.

Simplifying access means time-to-information, user productivity, and convenience. Strengthening access
allows stronger security and better risk management. Tracking access enables compliance.
EAS solutions are a new generation of identity management security products that reflect the
convergence of logon or logoff automation, authentication management, centralized user access
administration, the unification of logical (information), and physical (building) access control systems.
Enterprise Single Sign-On (E-SSO). A mechanism that allows users to log on to all applications
deployed in the enterprise by entering a user ID and other credentials (such as a password). Many
E-SSO products use sign-on automation technologies to achieve SSO: users log on to the sign-on
automation system and the system logs on the user to all other applications.
FIPS. Federal Information Processing Standard. A standard produced by the National Institute of
Standards and Technology when national and international standards are nonexistent or inadequate to
satisfy the U.S. government requirements.
fortified password. An application password that is automatically changed by the system and not the
user. In Tivoli Access Manager for Enterprise Single Sign-On, passwords might be fortified with Tivoli
Access Manager for Enterprise Single Sign-On ActiveCodes.
GINA. Graphical Identification and Authentication
GPO. Group Policy Object of Active Directory
hybrid desktop. A term used to describe how organizations combine different session management
capabilities to meet the needs of the user community.
IMS Bridge. For extending functionalities of third party programs, allowing them to communicate with
IMS Server.
IMS Connector. Add-ons to the IMS Server that enable the IMS Server to interface with other
applications as a client, extending the capability of the IMS Server. Examples include IMS Connectors for
password change.
IMS Server. An integrated management system that provides a central point of secure access
administration for an enterprise. It enables centralized management of user identities, AccessProfiles,
authentication policies, provides loss management, certificate management, and audit management for
the enterprise.
IMS Server Certificate. Used in Tivoli Access Manager for Enterprise Single Sign-On to identify an
IMS Server.
IMS Service Modules. Add-on modules that extend the basic services provided by the IMS Server (for
example, user management, policy management, and certificate issuance).
iTag. A patent-pending technology that can convert any photo badge or personal object into a
proximity device, which can be used for strong authentication
ITAM (IBM Tivoli Access Manager). An integrated solution that provides a wide range of
authorization and management solutions. This product can be used on various operating systems
platforms such as Unix (AIX, Solaris, HP-UX), Linux, and Windows.

LUSM. Local User Session Management. A method for managing multiple desktops on a single
workstation.
Mobile ActiveCode (MAC). A one-time password that is randomly generated, event-based, and
delivered through a secure second channel (for example, SMS on mobile phones).
One-Time Password (OTP). A one-use password generated for an authentication event (for example,
password reset), sometimes communicated between the client and the server through a secure channel
(for example, mobile phones).
password. A sequence of characters used to determine that a user requesting access to a system is the
appropriate user.
password fortification. The process of strengthening application passwords through regular password
changes and stronger password requirements.
password reset. Allows the user to reset the password of the Wallet, and requires an authorization
code.
personal applications. Windows and Web-based applications for which AccessAgent can store and enter
credentials. Some enterprises might not allow the use of a Tivoli Access Manager for Enterprise Single
Sign-On Key with personal applications. Password fortification also does not happen for personal
applications.
Some examples of personal applications are Web-based mail sites such as Company Mail, Internet
banking sites, Online shopping sites, chat or instant messaging programs and the like.
Personal Identification Number (PIN). A password, typically of digits, entered through a telephone
keypad or automatic teller machine.
policy. Governs the operation of Tivoli Access Manager for Enterprise Single Sign-On Enterprise,
comprising two main sets: machine policies (managed through Windows GPO) and IMS-managed
policies (managed through AccessAdmin).
Policy ID. Each policy is identified by its policy ID with pid in the prefix (for example,
pid_wallet_authentication_option).
policy template. A predefined policy form that helps users define a policy by providing the fixed
policy elements that cannot be changed and the variable policy elements that can be changed.
presence detector. When affixed to a computer, this device detects when a person moves away from it,
thus eliminating the need to manually lock the computer upon leaving it for a short time.
private desktop. Under this desktop scheme, users have their own Windows desktops in a workstation.
When a previous user returns to the workstation and unlocks it, AccessAgent switches to the desktop
session of the previous user and resumes the last task.
private key. An encryption or decryption key that is kept secret by its owner. It is one of a pair of two
keys used for encryption and decryption in public key cryptography.
Radio Frequency Identification (RFID). A wireless technology that transmits product serial numbers
from tags to a scanner, without human intervention.

random passwords. Generated passwords used to increase authentication security between clients and
servers. Random password change is the process of modifying access codes between a client and a
server using a random sequence of characters. This change can only happen when the client and the
server are sharing a secured session as the random sequence has to be communicated between the two
parties. The new random password can then be used to re-establish a secured session the next time the
client needs to access the server.
RDP. Remote Desktop Protocol
register. Signing up for a Tivoli Access Manager for Enterprise Single Sign-On account, and registering
a second factor (for example, smart card, RFID) with the IMS Server.
registry. Machine policies are typically configured in AccessAdmin, but can also be configured using
the Windows registry when necessary. This configuration is especially true if the
pid_machine_policy_override_enabled policy is set to Yes, which means Administrators must use the
Windows registry to modify machine policies.
reset. Refers to resetting the authentication factors for a Wallet (offline or online). Offline resets allow
a user to reset the Wallet while offline.
revoke. Refers to removing access to a Tivoli Access Manager for Enterprise Single Sign-On Key so it
can no longer be used as an authentication factor for a Wallet.
roaming desktops. Under this desktop scheme, a user can disconnect from a desktop or application
session at one client, log on to another client, and continue a desktop or application session at that new
client.
scope. A reference to the applicability of a policy, be it at the system, user, or machine level.
secret. Information known only to the user.
secret question. A question where the answer is known only to the user. As part of Tivoli Access
Manager for Enterprise Single Sign-On's Knowledge-based authentication, users are asked a number of
secret questions.
Secure Remote Access. The solution that provides Web browser-based single sign-on to all applications
(for example, legacy, desktop, and Web) from outside the firewall.
security officer. An officer that defines the identity Wallet security policies and other application
policies.
serial number. A unique number embedded in the Tivoli Access Manager for Enterprise Single Sign-On
Keys, which is unique to each Key and cannot be changed.
service locator. Refers to the address or path or URL of any logical system that provides back-end
shared computing services. AccessStudio uses the service locator to differentiate between different
services that a user might be accessing, some of which might use the same client-side application.
Service Provider Interface (SPI). Designed for devices that contain serial numbers, like RFID, the SPI
makes it easier for vendors to integrate any device with serial numbers and use it as a second factor in
AccessAgent.

session. A logical or virtual connection between two stations, software programs, or devices on a
network that allows the two elements to communicate and exchange data.
shared desktops. Under this desktop scheme, multiple users share a generic Windows desktop.
Switching of users can be done quickly and efficiently.
sign-up. Requesting an account with the IMS Server. As part of the process, users are issued a
Wallet. They can subsequently register one or more second factors with the IMS Server.
signature. Unique identification information for any application, window, or field.
single sign-on. A capability that allows a user to enter a user ID and password to access multiple
applications.
smart card. A smart card is a pocket-sized card which is built to handle data using a network of
embedded circuits. Smart cards can receive input from applications, and can also send out information
(such as logon information).
SOAP. Simple Object Access Protocol
SSL. Secure Sockets Layer
states. Refers to Advanced AccessProfiles in AccessStudio. See Advanced AccessProfiles.
strong authentication. A solution that utilizes multi-factor authentication devices (such as smart cards)
to prevent unauthorized access to confidential corporate information and IT networks, both inside and
outside the corporate perimeter.
strong digital identity. An online persona that is difficult to impersonate, possibly secured by private
keys on a smart card. These identities typically have to be supported by physicalized authentication
factors.
TAM E-SSO Password. The password that secures access to your Wallet. The length of the password
ranges from six to 20 characters, depending on the preference of your organization. The assumption is
that only the authentic user will have the passwords to access their accounts.
token. A small, highly portable hardware device that the owner carries to authorize access to digital
systems and, or physical assets.
trigger. Events that cause transitions between states in a states engine, for example, the loading of a
Web page or the appearance of a window on the desktop.
TTY. Terminal emulator, terminal application. A program that emulates a video terminal within some
other display architecture. Though typically synonymous with a command line shell or text terminal, the
term terminal covers all remote terminals, including graphical interfaces. A terminal emulator inside a
graphical user interface is often called a terminal window.
Virtual Private Network (VPN). An extension of a company intranet over the existing framework of
either a public or private network. A VPN ensures that the data that is sent between the two endpoints
of its connection remains secure.
Wallet. An identity Wallet that stores a user's access credentials and related information (including user
IDs, passwords, certificates, encryption keys), each acting as the user's personal meta-directory.

Web Workplace. A Web-based interface that provides the ability to log on to enterprise Web applications
by clicking links without entering the passwords for individual applications. This interface can be
integrated with the existing portal or SSL VPN of the customer.
WNA. Windows Notification Area

Printed in USA

SC23-9694-00
