| 1. Endpoint Data Protection |
| 1.1. EULA |
| 1.2. FAQs |
| 1.2.1. What happens after Cyberoam Endpoint Data Protection License is expired? |
Applicable to Version : 3.20.1130
After the license is expired in Cyberoam Endpoint Data Protection, all the policies would still be applicable for the client agent which were last applied. But the administrator will not be able to login to server console, change the policies or monitor the endpoints. Hence it is recommended to renew the Cyberoam Endpoint Data Protection License. The following screenshot appears once the license is expired:  |
| 1.2.2. If the blocked application is renamed, can Cyberoam Endpoint Data Protection still block it? |
Applicable to Version : 3.20.1130
Yes. It is possible to block renamed application with Cyberoam Endpoint Data Protection. On Endpoint Data Protection console, Go to Basic Policy -à Application policy. Select the application class you want to block from the Application Category dialogue box. Cyberoam Endpoint Data Protection can block the application even if it is renamed.
 |
| 1.2.3. Which network ports are used for Cyberoam Endpoint Data Protection? |
Applicable to Version : 3.20.1130
The network ports used by Cyberoam Endpoint Data Protection Console are as follows:
|
| 1.2.4. Do we issue different keys for each module? |
Applicable to Version : 3.20.1130
No, Cyberoam Endpoint Data Protection issues only one key for all modules. E.g. Suppose the customer has already purchased module1, module2 and now he is willing to purchase module3, then they must give information about existing key as well as information of subscribed modules.A new key would then be provided which would enable module 1, 2 & 3. |
| 1.2.5. How to restrict user or computer to delete or modify the files/folder on network resources? |
Applicable to Version : 3.20.1130
We can achieve this by creating an Advanced Policy for Document as shown in the below screenshot:  As per the policy, the computer Judith will not be able to modify/delete any files/folder on network resources. User will also get a warning message while trying to do so. We can also achieve this for specific server, or specific folder/file on specific server as below:
 With this policy, user will not be able to modify/delete any text file in folder ‘test’ on file server 192.168.1.1. He will also get the warning message on his screen while trying to do so.
|
| 1.2.6. Can I access multiple Endpoint Data Protection servers at remote branches from Head office with single console? |
Applicable to Version : 3.20.1130
Yes, it just needs a single console at head office to access multiple Endpoint Data Protection servers at branch office. The primary requirement is server should be reachable from console.
Note – Only one Endpoint Data Protection server can be accessed with console at a time. You can exit from that and login to another. |
| 1.2.7. If user machine is locked due to policy execution then can it be unlocked if user shutdown or restart that PC? |
Applicable to Version : 3.20.1130
No, it won’t be unlocked on shutdown or restart of that PC. User machine can be unlocked only from Server.
|
| 1.2.8. Is not there any limitation for storing the data (more than 2GB in MSDE), when we talk about Data-Removal (30 days)? |
Applicable to Version : 3.20.1130
Cyberoam Endpoint Data Protection comes up by default with MSDE which is free but max DB file size limit is 2GB. Need not to worry on this limit as Cyberoam Endpoint Data Protection automatically creates multiple DB files for same database. Logic is one file / day (Max 2GB / Day).
One can still go ahead and install MS SQL Express Server which is also free with limit of 4GB DB file size. All you have to do is install MS-SQL Express Server and then install Cyberoam Endpoint Data Protection. |
| 1.2.9. If policy is applied on Computers as well as on User, which one would take precedence? |
Applicable to Version : 3.20.1130
Cyberoam: The policy works in the precedence like User Policy à Computer Policy à Group Policy à The Whole Network Policy whereby User Policy has highest precedence.
|
| 1.2.10. Do I have to purchase separate license keys for each module? |
Applicable to Version : 3.20.1130 No, at the time of purchasing the license for End Point Data Protection, the customer needs to provide the below information:
1. Number of Users.
2. Modules required Based on the above information, Cyberoam will issue a single serial key, which can be registered by the customer.
|
| 1.2.11. How could I restrict the range to be discovered under ‘Remote Installer’ for specific subnet? |
Applicable to Version : 3.20.1130
Under ‘Remote Installer’, Go to File -> Scanning Settings. Specify the range to be discovered as below:  |
| 1.2.12. My machine is not getting listed under ‘Remote Installer’ procedure. What can be the reason? |
Applicable to Version : 3.20.1130
Cyberoam Endpoint Data Protection scans the network, and discovers the host by sending ICMP Request.
Please make sure your desktop level firewall/EPS/AV is allowing ICMP request. |
| 1.2.13. How does Cyberoam Endpoint Data Protection discover the host? |
Applicable to Version : 3.20.1130
Cyberoam Endpoint Data Protection scans the network, and discovers the host by sending ICMP request.
|
| 1.2.14. What is the limitation of disk space to hold the data of Cyberoam Endpoint Data Protection agent when the machine is offline? |
Applicable to Version : 3.20.1130
If the machine is not connected to the network for few days (For e.g. the user is on a business trip of a week), the agent running on that machine would still be running to capture logs and all policies would still be active.
Now, in case the user is offline for more days, Cyberoam Endpoint Data Protection would detect the HDD available. If space is less than 512MB (Win98: Less than 256MB), the dat files would be compressed. If the available space is still less, all previous logged files would be deleted, and the logging would start again. |
| 1.2.15. What will happen in Cyberoam Endpoint Data Protection agent with imaging solutions like Symantec Ghost, etc? |
Applicable to Version : 3.20.1130
Imaging solution provides operating system migration, operating system and software deployment, computer migration (user settings, data, and profiles), hardware and software inventory, and secures system retirement. It helps restore an operating system image or application onto a computer.
Cyberoam Endpoint Data Protection agent is installed as a system process in the operating system. For the imaging solutions, the agent will also be imaged along with the operating system as it is a part of the system process. So the agent will be carried over in the image and the polices will also be valid for the imaged Operating System. |
| 1.2.16. Can we shut down, restart or log off agent PC from Cyberoam Endpoint Data Protection server? |
Applicable to Version : 3.20.1130 Yes we can shutdown, restart or log off agent PC from Cyberoam Endpoint Data Protection server. This can be done in 2 ways:
 2. Select the particular computer. Go to control tab at the top and then select the particular option:
|
| 1.2.17. What is the difference between UNINSTALL and DELETE functions? |
Applicable to Version : 3.20.1130 UNINSTALL will only uninstall the agent from the computer but cannot release the license from that machine.
DELETE will uninstall the agent from the machine as well as release the license from that machine. Example: Consider the example that customer has purchased a license for 50 agents for all the modules. Customer is having 55 machines in his company. Admin has installed agents on all the 55 machines. As license is for 50 agents only, only 50 machines will be shown in Agent panel. The server which communicates with the agent first will be listed in those 50 machines. All the modules will also be effective on these 50 machines. Go to Tools --> Computers, to see all the agents (With and without licenses).
Now, if administrator wants to release the licenses from 5 machines that are shown in agent panel then it needs to perform following steps.
This will release license and uninstall agent from those five machines. As soon as agent gets uninstalled and licenses released from those machines, they will be removed from agent panel. Now, those five licenses will be automatically applied on the remaining five machines on which agents are installed. Administrator needs to re-logon with console to get it affected in the Agent Panel. |
| 1.2.18. Why I am not able to edit/delete the policy for group/user? |
Applicable to Version : 3.20.1130 The subgroups or computers inherit the policies of their parent group. One cannot modify or delete the inherited policies.
E.g. :- A global policy is applied to ‘Whole Network’ group. Hence, all the computers/subgroups will inherit this policy. One can identify the inherited policies with its different color as shown in below screenshot. It can only be deleted from its native domain i.e. from whole network.
If administrator is not able to delete the policy, then it must be the inherited policy. If administrator doesn’t want to use inherited policy for some users,he has to create a new policy above inherited policy.
 |
| 1.2.19. What is the significance of ‘Only offline’ while creating policies? |
Applicable to Version : 3.20.1130
Offline mode: When agent fails to communicate with the server in last three minutes, the agent is considered to be in Offline mode.
Online mode: When agent is able to communicate with server, it is considered to be in online mode. By default, the policies are applicable to both online and offline mode of user. If we select only offline mode for any policy, then that policy will be applicable during offline activities of user.
This is helpful to administrator to apply different policies to notebook users when they are outside the network/ on business trip/home use. |
| 1.2.20. How to restore Endpoint Data Protection in case of MSDE? |
Applicable to Version : 3.20.1130
|
| 1.2.21. How to backup Endpoint Data Protection in case of MSDE? |
Applicable to Version : 3.20.1130
|
| 1.2.22. Does Cyberoam Endpoint Data Protection Patch management would Patch Windows Service Pack? Service Pack are OS patches not stability patches. |
Applicable to Version : 3.20.1130
Yes, Cyberoam data protection will Patch service packs along with stability patches.
|
| 1.2.23. How to do remote installation of Agent on Work Group Environment? |
Applicable to Version : 3.20.1130 Remote installation of agents on Work Group PC’s/Laptops is not possible. Remote installation only works for Domain Environment. You need to manually install agents or you can put the agent internally on any PC and ask users to download and install it. You can also host the agent on any internal website and ask users to download and install it. |
| 1.2.24. Endpoint Data Protection is configured to block file delete option but still user is able to do the same using command prompt. |
Applicable to Version : 3.20.1130 Yes, because Endpoint Data Protection works very closely with Windows Kernel and in case of command prompt(cmd or command), one would be able to delete the file using dos commands like "del" or "rm". Endpoint Data Protection will see some function called by cmd or command instead of actual command. Solution: Block cmd or command prompt.
|
| 1.2.25. What does ‘only offline’ option available in the policy configuration do? |
Applicable to Version : 3.20.1130 When the ‘only offline’ option is checked and applied to a computer, the policy will only be active when the agent on a users machine is not able to communicate with the Endpoint Data Protection server which means the agent is offline. |
| 1.2.26. Is the communication between server and agent encrypted? |
|
Applicable to Version : 3.20.1130
The communication between server and agent can be secured using DES (Data Encryption Standard) Algorithm.
Cyberoam Endpoint Data Protection uses combination of DES (Data Encryption Standard) & AES-128 (Advanced Encryption Standards) encryption algorithms as described below to secure communication between server and agent:
Packet header encryption: DES
Packet payload (Data): AES-128
|
| 1.2.27. I have a policy applied to a user, what happens if I move the user to a different group? Which policy takes precedence? |
OR
Which policy takes precedence if the computer is migrated to a different group on which the policy is already applied? Applicable to Version : 3.20.1130
Once a computer is migrated to a different group, the new group policy is appended to the Computer’s profile. It means that the old group policies for the computer takes precedence over the new group policy.
|
| 1.2.28. What modules can one buy? |
Applicable to Version : 3.20.1130 There are four available modules: 1. Asset Management 2. Application Control 3. Data protection & Encryption 4. Device management |
| 1.2.29. Do I need to re-install the agent after I set the checkcode on the server? |
Applicable to Version : 3.20.1130 Yes, if its Direct installation method one needs to create the new Setup and re-install the agent. If it is via Remote installer method one needs to re-install the client from the remote installer utility. |
| 1.2.30. Why I am not able to see the option to enable disk encryption under local removable storage? |
Applicable to Version : 3.20.1130 Disk encryption is only available with the licensed version, so administrator is not able to see enable disk encryption option under local removable storage. |
| 1.2.31. Is it possible to buy the Asset Management module for a few users and all the modules for the rest of the users? |
Applicable to Version : 3.20.1130 No. |
| 1.2.32. Is it possible to install agents from a centralized location in a workgroup environment? |
Applicable to Version : 3.20.1130 Yes, one can use the remote installer utility available with the server to install agents in a workgroup environment. |
| 1.2.33. Is it possible to install the agent on a Linux or Macintosh OS? |
Applicable to Version : 3.20.1130 No. Agent can be installed only for Microsoft windows OS. |
| 1.2.34. For how many days is the demo available? |
Applicable to Version : 3.20.1130 The demo is offered for 30 days with a 10 user license. |
| 1.2.35. Does one require administrator rights of the machine to install the agent in a workgroup environment? |
Applicable to Version : 3.20.1130 Yes. |
| 1.2.36. What is the difference between ‘Alert’ & ‘Warning’? |
Applicable to Version : 3.20.1130 Alert messages are only visible on the Endpoint Data Protection server console while warning messages popup on an agent’s (end users) machine. |
| 1.2.37. How can I view the list of applications that can be blocked by the Endpoint Data Protection solution? |
Applicable to Version : 3.20.1130 To view the list of applications that can be blocked by the Endpoint Data Protection server, on the console go to Tools -> Classes Management -> Application. |
| 1.2.38. How often does the client communicate with the server i.e. the default polling time? |
Applicable to Version : 3.20.1130 The default polling time for the client to communicate with the server is every 5 minutes. |
| 1.2.39. Is it possible to log emails sent via webmail like Yahoo mail or Hotmail? |
Applicable to Version : 3.20.1130 Yes, it is possible to log emails sent via webmails. |
| 1.2.40. How to control the network from getting flooded when the agent has a lot of data to transfer to the Endpoint Data Protection server? |
Applicable to Version : 3.20.1130 Administrator can enforce bandwidth restriction on the transfer of data between client and server. On the console go to Tools -> Options -> Connection and apply the bandwidth restrictions. |
| 1.2.41. Is it possible to archive the files being transferred via Instant Messengers? |
Applicable to Version : 3.20.1130 Yes. Check the ‘Backup’ option in the ‘IM file’ policy available under ‘Advanced Policy’ to archive the files being transferred via Instant Messengers. |
| 1.2.42. Which databases are compatible with Endpoint Data Protection server? |
Applicable to Version : 3.20.1130 Endpoint Data Protection server is compatible with SQL server. |
| 1.2.43. Can I use Endpoint Data Protection even if I do not have a database server? |
Applicable to Version : 3.20.1130 If one does not have a database server, they can use MSDE which comes in with the installer. |
| 1.2.44. How can I change the console password? |
Applicable to Version : 3.20.1130 To change the console password, go to Tools -> Change Password. |
| 1.2.45. Is it possible for the user to uninstall the agent if they have administrator rights of the computer? |
Applicable to Version : 3.20.1130 No, the agent can only be uninstalled by the administrator from the console. |
| 1.2.46. Why am I not able to see the Endpoint Data Protection service in my task manager? |
Applicable to Version : 3.20.1130 The Endpoint Data Protection service is installed as a kernel level service and appears as RunDLL32 service in the Task Manager. |
| 1.3. How Tos |
| 1.3.1. Change Cyberoam Endpoint Data Protection Data Directory |
Applicable to all versions above 3.20.1130
Article describes procedure to change Cyberoam Endpoint Data Protection Data Directory. This document has 3 sections In Cyberoam Endpoint Data Protection, data will be classified into three categories:
Basic data refers to the basic information of agent computers, policy information, category information and setting information. This data is stored in Microsoft SQL SERVER and named as OCULAR3.
The database has two corresponding database files named OCULAR3.MDF and OCULAR3_LOG.LDF.
Log data refers to all the operation logs recorded from the agent computers and are stored in Microsoft SQL SERVER. The database name is composed of two parts: OCULAR3_DATA and log’s Date.
It also has two corresponding database files named OCULAR3_DATA.yyyymmdd.MDF and OCULAR3_DATA.yyyymmdd_Log.LDF. E.g. :- All the data of June 22, 2009 will be stored in the database named OCULAR3_DATA.20090622 and the two corresponding database files are OCULAR3_DATA.20090622.MDF and OCULAR3_DATA.20090622_Log.LDF. There exist many databases with the same structure because daily data will be stored in a separate database.
The data gathered from the agent computers will be stored in temporary files on the server computer. The maximum size of each temporary file is 100 MB.
Once the data is accessed by server and written to the databases, the data and temporary files will be deleted automatically.
Note: SQL Server 2000 Desktop Engine (MSDE 2000) does not have graphical management tool for managing SQL Server. Please download from the following link and install a free SQL Server Management Studio Express. Step 1 Stop the Cyberoam Endpoint Data Protection server. Step 2 Execute the SQL query -"Select name, filename from ocular3.dbo.sysfiles” to query the location of OCULAR3 corresponding database files named OCULAR3.MDF and OCULAR3_LOG.LDF.  Step 3
Detach the OCULAR3 in SQLSERVER.  Step 4
Step 5
In SQLSERVER, Attach database for OCULAR3 from the target directory’s OCULAR3.MDF OR OCULAR3_DATA.MDF.  Step 1
Log on to Cyberoam Endpoint Data Protection console and go to Tools --> Options. A new window will be opened. Select Directory à Data Directory which shows the log’s directory. Cache Directory shows the temporary file’s directory. Select the object you want to change and click
 to change the directory. Step 2 After you change the directory, STOP the Cyberoam Endpoint Data Protection server and SQLSERVER. Step 3
Move the files from former Data Directory (OCULAR_DATA.yyyymmdd.mdf, OCULAR_ DATA.yyyymmdd_Log.ldf) or former Cache Directory to new Data Directory or new Cache Directory. Step 4 Restart SQL SERVER and Cyberoam Endpoint Data Protection Server. When Cyberoam Endpoint Data Protection Server restarts, it will detach all former databases and attach the log data in the new folder. Document Version: - 1.0/15/12/2010
|
| 1.3.2. Integrate Active Directory with Cyberoam Endpoint Data Protection server |
Applicable to Version : 3.20.1130
Active Directory Domain Importfeature enables to pre-group the computers and users connected to Cyberoam Endpoint Data Protection Server in the domain. Once the agent computers connect to the Cyberoam Endpoint Data Protection server, they will be automatically assigned to the groups which have been set before. Below are the steps to integrate the Active Directory with Cyberoam Endpoint Data Protection server.
Step 1 Logon Domain
System would request to input details such as domain you want to logon, server, account and password on the domain logon window. Click Log On to continue.
 Click Default to get the local domain name automatically, if the computer has console installed and has joined the domain.
Step 2
Import Domain Organization
Click the Log On button and the Domain Organization dialogue box will pop up with two tab pages: User Organization tab and Computer Organization tab.
You can import specific domain to Server based on your management needs. In addition, the title of the dialogue box will display the name of the target domain.
 Step 3
Select Domain Node
Check the nodes in the domain you want to import to the Cyberoam Endpoint Data Protection Server one by one, or check the checkbox before Select all, Select new nodes or Select imported nodes to quickly select the nodes you want to import to Cyberoam Endpoint Data Protection server.
2. Select Target Node
Click
 to select the target computer group or user group that you want to import the nodes to and click OK button.  3. Import Click Import User or Import Computer to execute the operation. If the nodes you want to import have been imported to a different target place, a Conflict Resolution dialogue box will pop up to ask you to confirm your operation. Click Execute to replace the old configuration and click Cancel to ignore the replace operation as shown in the below screenshot.
 Step 4
View Synchronization Configuration Info
If you want to view the synchronization information, there are two ways.
 Note
Nodes which have been imported can be deleted from the View Synchronization Configuration window. Also, the imported configuration can be cleared from this window.
Step 5 After importing the computers in the Cyberoam Endpoint Data Protection server we need to install the Endpoint Data Protection agents in the Domain computers. There are two ways of doing it:-
1) Agent Remote Installer. 2) Agent Installation Generator.  (i) Once the Agent is installed in the domain machines, they will be visible in the Cyberoam Endpoint Data Protection server console.
 (ii) When the Domain user will login in the agent machine they will be visible in the Cyberoam Endpoint Data Protection server.
 (iii) You can configure different policies on the users as per the requirement.
 Document Version : 1.0-29/06/2010
|
| 1.3.3. Export Agent List |
Applicable to Version : 3.20.1130
Requirement To export the entire list of computer where the agent is installed.
Solution
Steps
1. Logon to Cyberoam Endpoint Data Protection server through Web Admin console. 2. Go to tools menu and then click on computers.   3. Click on the export icon (green colored button under refresh button) and you get the option to export it in various formats:
 Note - The file is exported in html. You can select xls or csv file also.
4. Open the file after exporting and it will give you the list of all the computers where the agent is installed. In this list the ones with the certificate icon
next to their name are licensed. If they do not have the license but have the agent installed they would not be visible in the console.  In this way you can export from the console the entire list of computer where the agent is installed and can also take a print of this exported list. The benefit of exporting this agent list is that you can have printed records of the computers where agents have been installed but you can only manage those computers where licenses are installed.
Document Version:1.0-07/03/2010 |
| 1.3.4. Install the Cyberoam Endpoint Data Protection Agent using Logon Script |
Applicable to Version : 3.20.1130
Cyberoam Endpoint Data Protection facilitates to push the Agent under domain environment having Active Directory with Logon Script. Use the following procedure for installing Cyberoam Endpoint Data Protection Agent. Step 1: Create a Setup File using ‘Agent Installation Generator’.
Navigate to “Agent Installation Generator” under Start --> All Programs --> Cyberoam Endpoint Data Protection Suite. 
Step 2: Copy the Agent.
Note: Netlogon folder can be found at \\adsservername\\netlogon. Replace <adsservername> with Active Directory’s Server name or IP.
Step 3: Configure Logon Script. Please, follow Step 3.1 if you do not have a logon script.
Step 3.1 Create a batch file (logonscript.bat) in the Netlogon folder on the server and paste the below lines in the batch file. START \\adsservername\netlogon\agent.exe
Note: Replace the <adsservername> with the Active Directory’s Computer Name or IP.
If you already have a logon script please, follow Step 3.2.
Step 3.2 Update the existing logon script with the below line. START \\adsservername\netlogon\agent.exe
Note: Replace the <adsservername> with the Active Directory’s Computer Name or IP. Step 4
Attach logonscript.bat to Profile if the script is not already attached. On the next login attempt by the user, the agent will be installed on the end user’s machine and would be visible in the Endpoint Data Protection Console after a few minutes.
Document Version : 1.0-05/04/2010 |
| 1.3.5. Creating another Admin user |
|
Applicable to Version : 3.20.1130
As shown in below screenshot, we have 3 Computer Groups defined and there is a PC with agent installed under the group Cyberoam.
  Document Version : 1.0 - 26/03/2010 |
| 1.3.6. Allow access to Specific/Trusted USBs and Deny the rest | ||||||||||||||
Applicable to Version : 3.20.1130
Cyberoam End Point Data Protection helps to allow/deny specific USBs to be used when the machine is within or outside the Corporate.
Requirement Allows/Blocks Specific USBs when the machine is inside/outside the Corporate
Prerequisite
Data Protection & Encryption module subscribed
Solution
Categorization of Trusted/Non-Trusted USBs
Steps
1. Logon to Web Admin Console and go to Tools -> Classes Management -> Removable Storage to categorize the USBs under Classified and Unclassified Group.
 2. By default, Cyberoam End Point Data Protection populates all the USBs under Unclassified Group.
Note – Cyberoam End Point Data Protection identifies all the USB’s connected. Even though the machines are not currently connected to
the server, it identifies all the USB’s and include it under Unclassified Group when the machine is connected back. 3. Define a new group named ‘Trusted ’as below. Drag and drop the allowed USBs to the new group (trusted) from Unclassified Group.
 Define a Policy to Allow Specific USBs
1. Logon to Web Admin Console and go to Advanced Policy à Removable Storage.
2. Enter name of the policy 3. Configure Removable Storage policy with the following values
 Define a Policy to Deny all other USBs 1. Logon to Web Admin Console and go to Advanced Policy à Removable Storage. 2. Define the unwanted/denied USBs to be accessible by disabling ‘Read’.
 created when the machine was online) after implementing the above steps, the USB would be detected but on trying to access it below message would be displayed.  Document Version : 1.0 - 26/03/2010
|
| 1.3.7. Block access of applications for User/Group/Whole network | ||||||||||||||||||||||||||||||||||||
Applicable to Version : 3.20.1130
Cyberoam Endpoint Data Protection Application Control offers granular policy-based controls, enabling organizations to prevent and control access to web, instant messengers, P2P, gaming, and more. Organizations can thus, protect sensitive data while enhancing employee productivity. Requirement Block access of applications for User/Group/Whole network
E.g. :- Block Yahoo messenger for User1. Prerequisite Application Control module subscribed Solution 1st Method
2. Go to Tools à Classes Management à Application to select the application that you want to block for User1.
 3. This will open a new window. Right click on Application Class. Then Click on ADD and Name that new class as ‘Yahoo’.
 Endpoint Data Protection Agent scans the applications running on the user’s machine, and sends it to the Server. The Endpoint Data Protection Server would then group it all in ‘Unclassified’ Class. From there we can move applications to custom class. Unclassified is a default class. Click on unclassified class, and select the applications ‘Yahoo’ to be blocked for User1, and move them to separate class i.e. Yahoo.  2nd Method
This way to block application is called the ‘STRING’. In the Application Setting windows, click the button to input the application name directly. For E.g. YahooMessenger.exe If the user changes the application name to YahooMessenger123.exe the policy is not effective anymore because the input only matches with a string. To avoid this problem, use the earlier method of application class. Refer the below screenshot. Define a Policy to Block Application for the User
 If we select whole network here then this policy will be applicable to all the users. 2. Navigate to Basic policy in Main menu and click on ‘Application’, and then click on ADD icon to create a new policy as shown above. 3. Configure the Application Control Policy with the following values
Note- By default this policy is applicable to offline and online mode of user. If we click on only offline here, then this policy will be effective only if user machine is not reachable to server i.e. Offline mode.
  4. Save this policy.  When user will try to access Yahoo application warning message will be displayed on user PC. User Machine  Document Version : 1.0-25/03/2010
|
| 1.3.8. Preventing Users to change their IP/MAC property |
Applicable to Version : 3.20.1130
Requirement
Solution To achieve this requirement, we need to create two policies.
Scenario 1 Define policy to prevent users to change their IP/MAC while they are in office. 1. Logon to Cyberoam Endpoint Data Protection server through Web Admin console.
2. Go to Agent Panel, and click on the user for which you want to apply the policy.
3. In Main Menu, go to Basic Policy à Basic. Create a new policy as below.
As per the below configuration, it will not allow user to change his/her IP/MAC property during both online (In office while Agent is able to communicate with sever) and offline mode (Out of office while agent is not able reach server). By default policy is applicable to both online and offline mode.
 Scenario 2
Define policy to allow users to change their IP/MAC while they are out of office. 1. Logon to Cyberoam Endpoint Data Protection server through Web Admin console. 2. Go to Agent Panel, and click on the user for which you want to apply the policy. 3. In Main Menu, go to Basic PolicyàBasic. Create a new policy as below. For the same user, we want to allow that user to change his IP/MAC property when user is not in office i.e. during OFFLINE mode. For that we need to create one more policy as below. This policy is only applicable when user is out of office i.e. offline i.e. when agent is not able to communicate with server.
  Note
Policies are executed from top to bottom. Case 1: In Office In this case, user is in office hence, policy at the top will not be applicable, as user is online and not offline. Hence, policy at the bottom will be applicable, and according to that user will not be able to change IP/MAC setting. Case 2 Out of office In this case, user is out of office i.e. in offline mode. Hence, policy at the top will be executed, and according to that user will be able to change the IP/MAC setting.
Document Version : 1.0 - 25/03/2010
|
| 1.3.9. Unlock Computer | ||||||||||||||||||||||||
Applicable to Version - 3.20.1130 Requirement
Lock computer when a user tries to access the application denied to him.
Prerequisite
Data Protection & Encryption Module subscribed
1. Logon to Cyberoam Endpoint Data Protection server through Web Admin Console. 2. Navigate to Basic policy in Main menu and click on ‘Application’, and then click on ADD icon to create a new policy. E.g:- Administrator has configured a policy that computer will be locked when user tries to access Skype. 3. Configure the Application Control Policy with the following values
Note* - By default this policy is applicable to offline and online mode of user. If we click on only offline here, then this policy will be
effective only if user machine is not reachable to server i.e. Offline mode.   4. Save this policy.  When user will try to access Skype application, a warning message will be displayed on user PC and notification message
will be sent by server that the user’s PC has been locked. User Machine
Notification Message from server
Once this policy is configured and pushed on to agent computer, next time when user accesses skype, his computer will be locked by server.
The user will also get the message from the server that his/her computer is locked due to the policy applied.
 Steps to unlock computer from server
1. Logon to Cyberoam Endpoint Data Protection server through Console.
    After the policy is executed, user can retain the access of keyboard and mouse on that computer.
Document Version: 1.0-17/03/2010 |
| 1.3.10. Encrypt / Decrypt Files Copied over USB Devices | ||||||||||||||||
Applicable to Version - 3.20.1130
This article describes how to encrypt / decrypt files copied over USB devices.
Requirement
Allows encrypting and decrypting files copied over USB devices
Prerequisite
Data Protection & Encryption module subscribed
Solution
Steps
1. Logon to Web admin console and go to Advanced Policy àRemovable Storage 2. Enter name of the policy. 3. Configure Removable Storage Policy with the following values
 Encrypted File  Note * - The above file can be decrypted only by computers who have the 'Decrypt when Reading' rights.
Document Version: 1.0-17/03/2010 |
| 1.3.11. Block Files Transferred over Instant Messengers | ||||||||||||||||||||||
Applicable to Version : 3.20.1130 Follow the below given steps from Web Admin Console for configuration:
1. Logon to Web admin console and go to Advanced Policy à IM File 2. Enter name of the policy. 3. Configure IM File Policy with the following values.
 Figure 1.1 – IM File Control Policy
 Figure 1.2 – IM Control Policy – Warning Message  Figure 1.3 – IM Control Policy – Alert Message
Document Version: 1.0-16/03/2010
|
| 1.4. Techsheet & Datasheets |