Access control

This page allows you to create rules specifying who can unlock the device, where they have to be, which computer they have to use, and when. It is accessible by users from the My Devices page, or by administrators from the All Devices page.

The different types of rules supported are each laid out in the sections below. If rules are set in two or more sections then access attempts must adhere to every rule.

The rule types are as follows:

Network rules

Network rules allow you to limit where the device can be unlocked from. Any attempts to unlock the device from an address outside of the specified ranges will be rejected. Note: this refers to the client's IP address as seen by the server. If the server is reached via the Internet, this will be an external address; if it is reachable across an intranet then it will be a local address (for example 10.x.x.x or 192.168.x.x).

To add a network range to the list, enter the starting and ending IPs in dotted decimal format (x.x.x.x) and click "add network". If no networks are added then access is permitted from any network.

Domain rules

Domain rules offer a similar facility to network rules, but for domain names. Specify a list of domain names; any access attempt which comes from an address outside of those domains will be rejected.

Technical note: the server performs a reverse DNS lookup to determine the client's domain name. For added security it also confirms the name given by performing a forward lookup on it. If the name does not resolve to the client's IP then it is rejected. This is necessary because reverse DNS names can be spoofed: the reverse (PTR) record is published by whoever controls the reverse zone for the client's address, and it can claim any name.

To add a domain name to the list, enter the domain name and click "add domain". If no domain names are added then access is permitted from any domain.
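
The forward-confirmed reverse DNS check described in the technical note, as an added example (not Conseal Server's own code). The function names, the injectable resolver callbacks and the sample DNS tables are constructed for illustration; treating subdomains as inside a listed domain and rejecting clients with no reverse record are assumptions.

```python
import ipaddress
import socket

def system_reverse(ip):
    """PTR lookup via the system resolver; returns candidate host names."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def system_forward(name):
    """Forward lookup via the system resolver; returns address strings."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def in_domain(host, domain):
    """Match whole labels, so 'host.notexample.com' is not in 'example.com'."""
    host, domain = host.rstrip(".").lower(), domain.rstrip(".").lower()
    return host == domain or host.endswith("." + domain)

def domain_rule_allows(client_ip, allowed_domains,
                       reverse=system_reverse, forward=system_forward):
    """Forward-confirmed reverse DNS check against the allowed domain list."""
    if not allowed_domains:  # no domains listed: access permitted from anywhere
        return True
    client = ipaddress.ip_address(client_ip)
    for name in reverse(client_ip):  # assumption: no PTR record means rejection
        # Trust a PTR name only if it resolves back to the connecting address.
        addrs = (ipaddress.ip_address(a.split("%")[0]) for a in forward(name))
        if client in addrs and any(in_domain(name, d) for d in allowed_domains):
            return True
    return False

# Constructed DNS data (documentation address ranges), used instead of live DNS.
PTR = {"203.0.113.10": ["pc1.corp.example.com"],   # genuine host
       "198.51.100.7": ["pc1.corp.example.com"],   # PTR claims a name it does not own
       "198.51.100.8": ["host.notexample.com"]}    # confirmed, but a different domain
FWD = {"pc1.corp.example.com": ["203.0.113.10"],
       "host.notexample.com": ["198.51.100.8"]}

def check(ip, domains=("example.com",)):
    return domain_rule_allows(ip, domains, lambda i: PTR.get(i, []),
                              lambda n: FWD.get(n, []))
if __name__ == "__main__":
    for ip in PTR:
        print(ip, "allowed" if check(ip) else "rejected")
```

Only the first sample address passes: the second fails the forward confirmation, and the third is confirmed but lies outside the listed domain.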

Time rules

Time rules allow device administrators to specify when a device can be unlocked. Conseal Server supports two types of time rules - daily recurring and fixed period.

Daily recurring rules are used to allow devices to be unlocked between certain times on certain days. This is useful, for example, if devices are to be made available during working hours only.

To set a daily recurring rule, use these controls:

Select the days from the first drop down list, and the time period for which the device should be made available from the following two.

Fixed period rules allow devices to be unlocked between two dates and times, and not otherwise. This is helpful, for example, if the device is to be mailed: any threat it poses while in transit can be neutralised.

To set a fixed time period, use these controls:

Select the start of the period using the top line of controls and the end of the period using the bottom line.

Computer rules

Computer rules allow administrators to prevent protected devices from being used on all but specifically authorised computers. Computers are defined by their network card serial number (MAC address) and primary hard disk serial number. To find out these values for a computer, click the computerid.exe link to download and run a small application which will tell you.


