1: Machina Console Admin Guide Overview
Welcome to Ionic Security’s Machina Administrator Console Guide. This guide is intended for use by the administrators responsible for managing Machina in your organization.
About the Machina Console
The Machina Admin Console provides all the tools necessary for managing access and controls for Ionic endpoint end-users in your organization. This includes creating custom user profiles, adding users to groups, creating custom policies for applications, and registering devices to specific end-users.
The available console features depend on your organization's specific needs. For example, if your organization uses only the Ionic Office endpoint, you only need to manage Data Policies.
For details about administrator access to Machina Console features, contact your Ionic Sales representative.
Analytics
The Machina Console provides analytics functionality to give you granular visibility into data access and handling activity, application usage, and user and device management activity occurring across Machina enabled user devices. Analytics is intended for Customer Support specialists, System Analysts, Policy Auditors, and IT professionals to monitor site access through the Ionic platform.
Applications
Applications management allows granular control over users’ access to features of a specific application, or over all applications. Applying policy to an application enables you to limit the risk an application or applications may pose, while allowing employees to use the applications.
Data Policies
Data policy is custom access control of Machina protected data. Data policies determine who, and under what circumstances, can view Ionic-encrypted data. For example, if you create an Adobe Application Policy that includes encryption of personal messages, after the messages are encrypted, end-users, including those with Machina plugins, see only Restricted Content or cipher text. To allow others with Ionic plugins to read encrypted text, create a data policy. Data policy applies only to Ionic-encrypted data. You can apply data policy to all data, marked data, or unmarked data.
Data Markings
Use data markings to classify Machina encrypted data. For example, only certain data is considered sensitive in your organization. You may have three levels of sensitivity, such as restricted content only a few end-users can access, internal content all end-users can access but cannot share outside the organization, and public content that is safe for anyone to access.
Subject Attributes
Subject Attributes are used to apply attributes directly to users and devices. These attributes can then be used in policy decisions to more efficiently create and implement wide sweeping policy for a designated group of users or devices.
Roles
When you create a new Administrative User, you can assign user roles to Administrative Users so that they can perform a group of tasks.
Users
The Users section tracks users in the system. Before deploying Ionic plugins to users, you must create user profiles in the Admin Console. User profiles include details such as user role, first and last name, email address, external ID, domain UPN, and groups associated with the user.
Groups
Create groups and add user profiles to them to apply customized policy rules by department or work group. Groups include details such as the group name, description, and number of users. You can also delete groups, update group information, and add multiple user profiles to a group.
Devices
The Devices section displays a list of all devices configured to an active, registered Machina Console user.
Keyspaces
The Keyspaces section enables you to verify your key servers' connectivity to the Machina Console.
Products
The Products section enables you to configure the products you would like to make available for your users to download.
History
The History section keeps an active record of all changes and updates that have occurred on the tenant.
Settings
Configure specific settings in the Admin Console. Configurable options include: Enrollment, Identity Management, Cloud Discovery, and Access Security.
Profile
Displays the current user's profile information, as well as options to change their password, their currently registered devices, their assigned groups, subject attributes, and their login history.
2: Admin Account Management
Managing Your Admin Account
To create a Machina Console Administrator account, an existing Admin level user must enter your email credentials into the Machina Console. A user account will be created in the Machina Console based on the email credentials provided.
As an Admin user, you can create Admin accounts or end user accounts. See "Creating User Profiles" on page 105 for details about creating users.
Set your password and click Change Password. After setting your password, you will receive a confirmation email in your inbox.
Password Policies
The Machina Console offers the following user password security and account monitoring settings:
· Length of Password: The minimum required length of the password is 10 characters, and can be increased in the Settings > Access Security tab in the console.
· Strength of Password: By default, the password you create requires at least one uppercase letter and at least one number. You can add additional requirements such as lowercase letters, and special characters in the Settings > Access Security tab in the console.
· Invalid Login Attempt Threshold: After a series of incorrect login attempts, your account is locked to protect your account information. If your account is locked, Ionic Security recommends that you change your password using the Forgot Password link on the login screen. You will be presented with the password requirements during the Reset Password process. After you change your password, your account is still locked for 10 minutes unless a Customer Service Administrator unlocks your account.
· Inactivity Timeout: After 15 minutes of inactivity, you will be logged out of the console. After logging in following a session timeout, you will be returned to the previous page.
· Password Expiration: Ionic Security does not expire passwords for customer accounts.
· Password Reuse: When updating or changing your password, your previous 5 passwords will be checked to ensure that there are no repeats.
If you are logged on as an administrator in the Admin Console, you can unlock another administrator's account.
Managing Access
To revoke a user's access to the Machina Console, disable or delete the user account on the Users > Manage tab in the console. You can also manage user account access through the Machina Tools APIs. After disabling or deleting a user account, the user is restricted from all Machina resources.
Reset User Password on Email Change
When a user's email is changed, and the user has a password assigned to the account, the old password will be deleted, and a new password reset request will be sent to the new email.
· If the tenant is configured as exclusive SSO (Single Sign-On), no action is required after the password is deleted.
· If the tenant is not configured as exclusive SSO, then an email to reset their password will be sent to the new address.
· If the user does not already have a password, no action is needed.
Accessing and Navigating the Console
Use your email account credentials to log in to the Machina Console.
Each section in the console is accessible by clicking the tab associated with each feature.
To log out, click the Logout button in the top right corner.
Please note that any regions that have been flagged by the US Office of Foreign Assets Control (OFAC) will be banned from accessing the console and instance information. This currently only applies to OAuth logins (e.g. Facebook, Google, LinkedIn).
Saved Tenants
For Administrators that manage multiple tenant accounts in the Ionic Administrator Console, the login page remembers the URLs for all previous tenant logins in that same environment. Click the Tenant selector drop-down list to view the history of saved tenants.
Clearing Saved Tenants
Administrators can click Forget to clear the most recently selected Tenant from the list, or click Forget All to clear all saved Tenants.
Changing Your Ionic Admin Console Password
To change your password, click on your email address in the top right corner of the interface.
On the Authentication tab, enter your new password and click Change Password.
After you change your password, you will receive a confirmation email in your inbox.
Creating and Managing Challenge Questions
The Machina Console allows you to manage a set of challenge questions for your account, which you can use in the event of a reset password request. The challenge questions can only be set after you create your password and log in for the first time. Currently challenge questions are recommended, but not required.
· If at least one challenge question is created for an account, then the challenge questions will be enforced when the forgot-password function is performed.
· Customer Support can clear all challenge questions and answers to allow a user that is unable to remember any answers to change their password.
Click your email in the top right corner and select the Authentication tab > click Create Challenge Question.
Choose from the set of questions, or create your own, and click Submit. You can determine how many questions to create.
You can delete your challenge questions by clicking the Clear Challenge Questions button, and create new questions.
Using the Forgot Password Link
If you forget your password, click the Forgot your password link on the login page.
Enter your email address into the space provided, and click Reset Password.
You will receive a Password Reset email in your inbox. Use the link provided to reset your password. After you change your password, you will receive a confirmation email in your inbox.
If you do not have any challenge questions set for your account, enter and confirm your new password.
If you have challenge questions set for your account, enter and confirm your new password, and answer the challenge questions. Then, click Change Password.
After changing your password, you will receive a confirmation email in your inbox.
3: Analytics & Metrics Overview
The Ionic Machina Administrator Console provides detailed analytics and metrics which offer a granular look into the activity, application usage, and user and device management activity occurring across the currently registered Ionic-enabled user devices. Analytics is most useful for Customer Support specialists, System Analysts, Policy Auditors, and IT professionals looking to monitor site access through the Ionic platform.
The Analytics tab contains information about the Metrics, Enrollment, and Activity that has occurred within your Machina instance.
Analytics can be used to assist with monitoring incoming and outgoing data information by users and Ionic-protected devices.
· Metrics - Displays information regarding Key Fetch Requests, Active Users and Devices, and Unique IP Addresses
· Enrollment - Displays information about the total number of Users and Enrollments, The Enrollment Volume, and the User Provision Volume
· Activity - Displays information about Data Policy Activity such as Location, Data Logs, and Top Data Markings
The Application Policy tab must be enabled by a CSA. Please contact Ionic Support for information about enabling the Application Policy tab.
Customizing Metrics & Enrollment Information
The information displayed on the Metrics and Enrollment tabs can be customized to display specific date ranges, as well as to set an auto-refresh frequency interval that automatically updates the information displayed on the page.
Click the date field, and select a range of time to display in the fields below. The available options are: Last Day, Last Week, Last Month, and Custom Date Range.
If you select Custom Date Range, a Set Custom Date Range window pops up. Select the Time Bucket Duration, Start Date Time, and End Date Time as necessary.
The Time Bucket Duration drop-down will adapt based on the date range selected using the drop-down menu.
The Auto Refresh drop down can be used to establish how frequently the Analytics information on the Dashboard refreshes. By default, the Auto Refresh function is Disabled.
After clicking the Auto Refresh Frequency drop-down, you can select between Disabled, 30 seconds, 1 minute, or 5 minutes. Any changes made to the Auto Refresh Frequency will be saved upon logging out of the Console.
Customizing Metrics
The information on the Metrics page can be customized to view information based on a user specified time period. Users can also set an auto refresh period to automatically update the information displayed on the Metrics page.
Using the date ranges, you can specify which broad ranges of information about key requests are displayed.
Use the Relative Time drop-down to specify the range of information to be displayed. Your options are Last Day, Last Week, Last Month, and Custom Date Range.
The full Metrics page view is shown below:
You can select the Create Requests, Allowed Requests, and Denied Requests links to navigate to the Device Activity page with a query filter applied to view Create, Allow, or Deny results.
Auto Refresh Frequency Intervals
An auto refresh interval can be set to have the Metrics page automatically refresh using the Auto Refresh Frequency drop-down.
The View Device Activity link can be used to view all device activity that has occurred within the tenant. More information about the Device Activity can be found in the Devices section.
Managing Enrollment
The Enrollment tab of the Analytics section houses information about user enrollments and device enrollments within your tenant. This information is organized into a series of graphs that monitor user enrollment data in real time to provide accurate information based on your selected data range.
The information available on the Enrollment tab includes:
· Users - This graph displays information about the number of users as well as the number of devices enrolled within the selected date range.
· Enrollment Volume - This graph displays information about the total number of enrollment requests.
· User Provision Volume - This graph displays information about the number of users provisioned into your tenant over the course of the selected date range.
More information can be viewed by mousing over a section of a graph, which displays a pop-up with additional details.
Managing Activity
The information on the Activity page tracks the number of documents protected as well as the number of key fetch requests that have been allowed and the number that have been denied. It also shows the number of unique IP addresses and the total number of active users and devices.
The information on the Activity page is broken down into the following sections: Overview, Locations, Top Users, Top Data Markings, Top Data Protection & Access by Group, and the Log.
Creating Filters
Create a filter in the Analytics tab to narrow the data to the subset you want to view. Create additional filters by selecting each filter separately from a list of options.
NOTE: The time filter is always present and cannot be removed. By default, the time filter is set to one month.
Filters remain in the URL, enabling you to share a URL with other Machina Console users to view the same set of data. If you add filters on one tab, all relevant filters remain applied to the data when you switch to another tab. Inapplicable filters are temporarily disabled.
All selected filters update across the Data Policy, Application Policy, Access Control, Cloud Discovery, and Registration tabs until you remove them.
1. Click the Create a Filter button.
Select the Auto Refresh check box to automatically refresh the data to reflect the selected time filter.
2. Select a filter type from the Filter Results By drop-down menu.
Click Show to include your selection in results, or Hide to remove the selection from all results.
Select multiple items for each filter option by creating a new filter for each item. The field types and their descriptions are listed in the table below, with a check mark for each Analytics tab on which the filter applies:
Field Type | Description | Data Policy | App Policy | Cloud Discovery | Registration
Action | Data Policy Action: Data Accessed or Data Protected | ✓ | | |
Application | Application Name | ✓ | ✓ | ✓ |
Blocked Action Type | App Policy Action Type: Requests Blocked, Uploads Allowed, Uploads Blocked, Downloads Allowed, Downloads Blocked | | ✓ | |
City | City Name | ✓ | ✓ | ✓ | ✓
Data Marking | Data Marking | ✓ | | |
Data Marking Value | Data Marking Value | ✓ | | |
Data Policy | Data policy name | ✓ | | |
Decision | Data Policy Decision: Allow, Deny, Protected, or Error | ✓ | | |
Denied Policy | Denied policy name | ✓ | | |
Data Policy Version | Policy version number | ✓ | | |
Metadata Type | Metadata Type | ✓ | | |
Plugin | A filter for the Ionic plugin that is used while browsing the web. The current options are: IonicCLI, IE Browser plugin, Mobile plugin, and Ionic Office endpoint. | ✓ | ✓ | ✓ |
Plugin Version | Plugin version | ✓ | ✓ | ✓ | ✓
Device ID | Unique Device ID | ✓ | ✓ | ✓ | ✓
Groups | Group name | ✓ | ✓ | ✓ | ✓
File Extension | File extension; for example, .jpg | | ✓ | ✓ |
IP Address | IP Address | ✓ | ✓ | ✓ | ✓
Key ID | Key ID | ✓ | | |
HTTP Method | HTTP Method: Delete, Options, Post or Put | | | ✓ |
Operating System | Operating system; for example, Windows 7 | ✓ | ✓ | ✓ | ✓
Source Domain | The domain that the user's browser is on when data is sent out; for example, Google.com | | ✓ | ✓ |
Target Domain | The domain to which data is sent; for example, YouTube.com | | ✓ | ✓ |
URL | URL; for example, ionic.com | | ✓ | ✓ |
Time | Static time or real time | ✓ | ✓ | ✓ | ✓
User Email | User email | ✓ | ✓ | ✓ | ✓
User ID | Unique user ID | ✓ | ✓ | ✓ | ✓
User Name | User name | ✓ | ✓ | ✓ | ✓
Registration Result | Successful or Failed Registrations | | | | ✓
3. Click Add Filter.
The filters display at the top of the Analytics page. To view more accurate data, add and remove filters as needed, or expand the current time range.
4. To remove a filter, click the Delete Filter button, or click Clear Filters to clear all filters.
Using Time Filters
You can create filters using Static Time or Real Time.
Static Time selection is based on an explicit date range, which is saved in the URL. Use Static Time to share an identical view with another user.
Real Time selection displays the latest data. Use this to create a constantly updating interface.
Creating a Filter Using Static Time
To share time-specific data that is constantly updated, copy the Static Time URL link and send it to another Admin Console user. This URL enables the console user to view data in the context of the last x number of minutes. This is a continually updating interface, showing the latest data as it is retrieved. Static Time ensures that you share the same information based on the time frame selected.
1. Click the Create a Filter button on the Analytics home page.
2. Select the Time option from the drop-down menu.
3. Select the Static Time Selection option.
4. Complete the Start Date and End Date fields, or use the Quick Static Time Selection option.
5. Click the Create Filter button.
Creating a Filter Using Real Time
Real Time selection displays the latest data when you set an interval in minutes, hours, days, weeks, months, or years. Use Real Time to create a constantly updating interface by enabling the Auto Refresh button.
1. On the Analytics page, click the Create a Filter button.
2. Select the Time option from the drop-down menu.
3. Select the Real Time Selection option.
4. Complete the Real Time Selection field, or use the Quick Real Time Selection option.
5. To auto refresh the filter, select the Enable Auto Refresh check box, and then select an auto refresh interval from the drop-down list.
6. Click the Create Filter button.
Additional Tools for Creating a Time Filter
You can access, create, and update the Time Filter using several additional methods.
1. Click the Time Filter button to quickly display the Create Filter dialog.
This option opens the Update Filter dialog with the Static Time selection and Real Time selection tabs, enabling you to pinpoint an exact time frame.
2. Click the drop-down menu on the Analytics page and select Quick Time Filters.
The Quick Time Filters option enables you to select a time filter quickly, instead of building a new one. You can also switch between Static Time and Real Time.
If you select no filters, a default Quick Time Filter of one month is selected for Real Time.
Interpreting Data Policy Analytics
This section describes how you can interpret the results displayed in the Data Policy section of the Analytics page. It is important to understand how policy decisions work, because the results show the actual policy engine's decisions. The policy engine makes decisions by first determining which policy to apply to the data, then evaluating the rules in those policies.
The first phase is to choose which policies to apply by evaluating the data marking values associated with the request. A list of data markings displays on the data marking page (/#/data-policies/data-markings). You can think of the names listed here as folders for the data marking values.
A policy has one of three relationships to data markings: it applies to every request going through the system (all data), to requests that have a specific data marking value, or to requests that do not have a specific data marking value. The policy engine uses these matched value checks to gather the list of all policies that are evaluated for a single request. Requests can be tagged with multiple markings and may have any number of policies that are evaluated in the second policy phase.
The second phase of policy decision is to evaluate all policies. Policies are made up of rules, and the combination of the rules' decisions creates the decision for a policy, and the combination of all the policies' decisions makes the final request's decision.
If a single rule's expression is true, it contributes to the decision to allow or deny the request. If the rule is false, it has no effect. So, if an Allow rule has the expression "Group is Accounting", and the request coming through was sent by a user in the Accounting group, the rule adds a decision of Allow. If the user is not in the group, the decision added is not a Deny. It is considered Not Applicable, which is a zero state: it contributes nothing to the total policy decision. The same is true if this were a Deny rule; it can contribute a Deny, or the same zero state of Not Applicable. However, the policy engine by itself is default deny, which means that if there are no explicit Allow decisions, the end result is a Deny. If there are any denies, they override the allows, so for a policy to be allowed, there must be no denies and at least one allow.
Understanding the evaluation of policies and rules is key to understanding the second chart, the Top Policies chart. The case below shows the Top Policies chart with a filter applied for only Denies. We still see green, because even though the All Data policy is allowed, it is overridden by the other denies. The Top Policies chart filters out Not Applicable records, to show only records that have contributed a decision to the policy. Lastly, we are not currently showing the decisions for the actual rules; we are only looking at the final policy decisions. Key creations do not display on this chart, because policies are not evaluated on creation.
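The two-phase evaluation described above, worked through as an added Python model (illustrative code written for this guide, not the Machina policy engine itself): phase 1 selects policies by their relationship to the request's data marking values, and phase 2 combines rule decisions into a per-policy decision and then a default-deny final decision. It also includes the On-Behalf-Of check described later under Delegated Information, where the requesting service and the delegated user must both be allowed. The policy names, groups and marking values are constructed samples.

```python
"""Toy model of the two-phase data policy decision (added example, not Machina code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

ALLOW, DENY, NA = "Allow", "Deny", "N/A"   # N/A is the "zero state" that contributes nothing


@dataclass
class Request:
    user: str
    groups: Set[str]
    markings: Dict[str, str]   # data marking name -> data marking value on the request


@dataclass
class Rule:
    effect: str                            # ALLOW or DENY
    expression: Callable[[Request], bool]

    def evaluate(self, req: Request) -> str:
        # A true expression contributes the rule's effect; a false one is Not Applicable.
        return self.effect if self.expression(req) else NA


@dataclass
class Policy:
    name: str
    rules: List[Rule]
    scope: str = "all"                     # "all", "has" or "not_has" a marking value
    marking: Optional[str] = None
    value: Optional[str] = None

    def applies_to(self, req: Request) -> bool:
        """Phase 1: is this policy selected for the request's data marking values?"""
        if self.scope == "all":
            return True
        matched = req.markings.get(self.marking) == self.value
        return matched if self.scope == "has" else not matched


def combine(decisions, default: str) -> str:
    """Any Deny overrides every Allow; with no Deny, one Allow is enough; otherwise `default`."""
    effective = [d for d in decisions if d != NA]
    if DENY in effective:
        return DENY
    return ALLOW if ALLOW in effective else default


def evaluate_policy(policy: Policy, req: Request) -> str:
    # A policy whose rules are all Not Applicable is itself N/A (hidden in the Top Policies chart).
    return combine((r.evaluate(req) for r in policy.rules), default=NA)


def decide(policies: List[Policy], req: Request) -> Tuple[str, Dict[str, str]]:
    """Phase 2: evaluate every selected policy; the engine as a whole is default deny."""
    per_policy = {p.name: evaluate_policy(p, req) for p in policies if p.applies_to(req)}
    return combine(per_policy.values(), default=DENY), per_policy


def decide_on_behalf_of(policies: List[Policy], service_req: Request, delegated_req: Request) -> str:
    """On-Behalf-Of: the requesting service AND the delegated user must both be allowed."""
    allowed = all(decide(policies, r)[0] == ALLOW for r in (service_req, delegated_req))
    return ALLOW if allowed else DENY


def sample_policies() -> List[Policy]:
    """Constructed sample policies; names, groups and marking values are illustrative only."""
    return [
        Policy("All Data", [Rule(ALLOW, lambda r: "Employees" in r.groups)]),
        Policy("Restricted Data", [Rule(ALLOW, lambda r: "Accounting" in r.groups),
                                   Rule(DENY, lambda r: "Contractors" in r.groups)],
               scope="has", marking="classification", value="restricted"),
        Policy("Non-public Data", [Rule(DENY, lambda r: "External" in r.groups)],
               scope="not_has", marking="classification", value="public"),
    ]


if __name__ == "__main__":
    pol = sample_policies()
    for req in (Request("alice", {"Employees", "Accounting"}, {"classification": "restricted"}),
                Request("bob", {"Contractors"}, {"classification": "restricted"}),
                Request("carol", {"Employees"}, {"classification": "restricted"}),
                Request("anon", set(), {})):          # no allows anywhere -> default deny
        final, detail = decide(pol, req)
        print(f"{req.user:6} -> {final:5} {detail}")
    # The service alone would be allowed, but its delegated user is denied, so the fetch is denied.
    svc = Request("backup-svc", {"Employees", "Accounting"}, {"classification": "restricted"})
    print("delegated:", decide_on_behalf_of(pol, svc, Request("bob", {"Contractors"}, svc.markings)))
```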
Viewing Data Policy Data
The Data Policy tab displays analytics about the data policies set in the Admin Console, and how they relate to the creation and decryption of keys when users are working with encrypted data.
The requests can be classified into two main categories: data protection (protected) and data access (allows or denies). For every request, data exists about the specific Data Markings and Policies that are associated with that request, and the results are grouped together in the Data Policy graph.
The following table describes the color breakdown:
Color | Description
Blue | Data protected, which occurs the first time that a document is encrypted.
Green | A successful key decryption.
Red | A denied attempt to decrypt.
Dark Red | An error that occurred when a policy created the key, indicating that a key is not created.
1. Click the Analytics > Data Policy tab.
The chart displays the number of Users that accessed the requests, the amount of Data Protected, the number of Allowed Requests that are approved, and the number of Denied Requests after a user opens a document. For example, six users are allowed 45 requests of key decryption attempts, and denied 3 requests to attempt key decryption. The Data Protected number represents the number of times an item is secured using the Ionic platform, such as a document, file, etc.
2. Create and add a filter or several filters to view a more refined custom search of the data. Add and remove filters as needed. See "Creating Filters" on page 16 for details.
3. You can view data based on specified search criteria. For example, to view the top users of blocked uploads, navigate to the Top Data Marking Values section.
The default settings for the top charts displayed in the Data Policy section are Top Users and Top Groups.
4. To change the display type for the graphs with data selections such as Top Users and Top Groups, click the drop-down list in the Display Type field.
In the example above, you can click the Expand/Shrink button to display or hide the Data Marking Value for the Data Marking.
5. Select an option in the Display Type field from the options listed.
6. To view the user group creation to user group consumption and production details, scroll down to the Top Data Protection & Access by Group section.
This graphic shows the flow of data access from the group that protects the data to the group or groups that access the data, based on the current set of filters.
Follow the chord that links the two halves to understand the relative number of accesses per document for specific groups. For example, a large, expanding chord such as the one below shows a small number of documents that were accessed many times.
Hovering your mouse over the following sections of the graph creates different focuses for the graphic:
· The Protected By names or circle arcs highlight the other groups that access the documents.
· A single chord highlights only the group that protects the documents, and the group that accesses the documents.
· The Accessed By names or circle arcs highlight the other groups that protect the documents.
7. To view the Data Policy Log, scroll down to the Log section located at the bottom of the Analytics page.
8. To view specific details for each entry, click the arrow to the left of the entry to expand the selection.
The detailed view includes the following fields:
· Access Per Day - Displays the period from the date the item was protected to the current date, tracking its continuous lifecycle with circles that represent how many times the item was accessed. The size of each circle is based on how many times the item was accessed on that specific day, so multiple circles can appear.
· Total Access By: Lists up to 10 users or groups that have accessed the item, including how many times they accessed it, and the total number of times the item was accessed.
· Attributes: We support four distinct categories of key attributes. The definition of each, and the rules for aggregating or overwriting values from each category are below:
Category | Source | Description
Internal | Ionic | An attribute is defined as "internal" when it is provided by the Machina Policy Engine itself and should not be overwritten by any client or external value.
Fixed | Client/SDK | An attribute is defined as "fixed" by the client when a key is created or updated. Once defined, it may not be updated, and it may not exist in either the mutable or external category. If a "fixed" attribute-id is also defined as mutable or external, those values will not be included in the decision context when policy is considered for a key.
External | Policy Delegate | An attribute is defined as "external" when it is provided by an external, non-client system. If there are external systems defined to integrate with the policy engine as a policy delegate (PIP or PDP) during a key create/update request, they may provide additional attributes here. If an attribute is defined as "external" and also exists as a "mutable" attribute, the values will be aggregated. An "external" value should not attempt to overwrite a "fixed" attribute.
Mutable | Client/SDK | An attribute is defined as "mutable" by the client when a key is created or updated. A mutable attribute may be updated after it is created. A mutable attribute may be "promoted" to fixed via a key update, and should be removed from the "mutable" category at that time. Once defined as fixed, it may not be removed or changed.
· Delegated Information: The On-Behalf-Of functionality allows a user to delegate a key request on behalf of another user. The decision to release a key is based on the union of BOTH users. Specifically, the requesting service AND the delegated user MUST both have an ‘ALLOW’ to carry out the action (fetch of the key) via policy. In this way, the service (which is cryptographically verified by its SEP) is never allowed access to more keys than it would otherwise be able to see by policy. Instead, its access to keys can only be restricted by providing the metadata specifying a delegated user.
· Policies Evaluated: Determines the final decision of the policies using all of the results that are evaluated and how they affect the outcome for this decision. The final decision is set to Deny by default even if only one instance of Deny exists, because Deny overrules every decision. The only possible outcome for a final decision of Allow is if the results do not contain a Deny and at least one Allow. To view a detailed explanation for the result, hover your mouse over the info button.
An example of a final decision that is set to Deny is shown below:
For any policy, three outcomes are possible: Allow, Deny, or N/A (Not Applied). A policy outcome can be hidden if it does not affect the outcome for the policy decision.
9. To customize the Data Policy Log table, click the Settings button in the top right corner of the Log table.
The most common table fields are pre-selected by default. Select additional fields or remove pre-selected fields as needed.
10. After selecting the fields you want to display, click the Set Visible Fields button.
11. To view specific Data Policy History details for each entry, click the icon in the Data Policy Version column in the Log. You will be redirected to the Data Policies > History tab.
12. Hover your mouse over the bars on the Overview graph to view a breakdown for the number of requests for a given time.
See "Locations" on page 45 for details about viewing Data Policy Locations.
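The aggregation and overwrite rules from the Attributes table in step 8 above, modelled in added Python (illustrative code, not the Machina SDK or policy engine): a key's fixed and mutable attributes with promotion on key update, and a merge of all four categories into the decision context. Attribute ids and values are constructed samples, and ranking an internal value above a fixed value with the same id is an assumption the table does not state explicitly.

```python
"""Model of the four key-attribute categories and their merge rules (added example, not Machina code)."""
from typing import Dict, List, Optional

Attrs = Dict[str, List[str]]   # attribute id -> list of values


class KeyAttributes:
    """Client-side view of a key's "fixed" and "mutable" attributes. Internal and external
    attributes are not stored on the key; they are supplied at decision time."""

    def __init__(self, fixed: Optional[Attrs] = None, mutable: Optional[Attrs] = None):
        self.fixed: Attrs = {}
        self.mutable: Attrs = {}
        self.update(fixed=fixed, mutable=mutable)   # key create follows the same rules as update

    def update(self, fixed: Optional[Attrs] = None, mutable: Optional[Attrs] = None) -> None:
        """Apply a key update: fixed ids may be added (promoting a mutable id) but never changed;
        a mutable id may not collide with an id that is already fixed."""
        for aid, values in (fixed or {}).items():
            if aid in self.fixed:
                if self.fixed[aid] != list(values):
                    raise ValueError(f"fixed attribute {aid!r} may not be changed")
                continue                            # re-sending the same fixed value is a no-op
            self.fixed[aid] = list(values)
            self.mutable.pop(aid, None)             # promoted: leaves the mutable category
        for aid, values in (mutable or {}).items():
            if aid in self.fixed:
                raise ValueError(f"{aid!r} is fixed and may not be set as mutable")
            self.mutable[aid] = list(values)        # mutable values may be replaced later


def build_decision_context(internal: Attrs, fixed: Attrs, mutable: Attrs, external: Attrs) -> Attrs:
    """Merge the categories into the context the policy engine evaluates for a key request.

    Rules from the table: internal values are never overwritten; mutable or external values
    for an id that is also fixed are excluded from the context; external and mutable values
    for the same id are aggregated. Internal outranking fixed on a collision is an assumption.
    Returns attribute id -> sorted list of values."""
    ctx = {aid: set(values) for aid, values in internal.items()}
    for aid, values in fixed.items():
        if aid not in internal:
            ctx[aid] = set(values)
    for source in (mutable, external):
        for aid, values in source.items():
            if aid in fixed or aid in internal:
                continue                            # would overwrite a fixed/internal value: dropped
            ctx.setdefault(aid, set()).update(values)   # aggregate mutable + external values
    return {aid: sorted(vals) for aid, vals in ctx.items()}


if __name__ == "__main__":
    # Constructed sample key: classification is fixed at create time, the rest is mutable.
    key = KeyAttributes(fixed={"classification": ["restricted"]},
                        mutable={"project": ["apollo"], "reviewers": ["alice"]})
    key.update(fixed={"project": ["apollo"]})       # promote "project" from mutable to fixed
    print("fixed:", key.fixed, "mutable:", key.mutable)
    try:
        key.update(fixed={"classification": ["public"]})
    except ValueError as exc:
        print("rejected:", exc)
    # Sample decision-time inputs: the engine's own value, the client's mutable values, and a
    # policy delegate's external values (one of which tries to overwrite an internal id).
    ctx = build_decision_context(internal={"key-origin": ["ionic"]}, fixed=key.fixed,
                                 mutable={"reviewers": ["alice"], "classification": ["public"]},
                                 external={"reviewers": ["bob"], "key-origin": ["delegate"],
                                           "region": ["us"]})
    print("decision context:", ctx)
```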
Data Lifecycle View
The Data Lifecycle view provides granular visibility into data usage, access, and handling activity associated with a single piece of Ionic-protected data. Use this view to assess patterns and identify potential risk for mishandling or exposure of enterprise data. If necessary, your organization can adjust the policy associated with the relevant data marking values.
1. On the Analytics tab, scroll down to the Log, and click the blue file icon in the Data Key ID column, or drag and drop the Ionic-protected document into the Admin Console Analytics page.
2. Scroll through the Data Lifecycle page to locate the details associated with the document.
Each Data Lifecycle page is divided into the following nine categories:
- Data Protected Summary
- Last Request Summary
- Summary Statistics
- Ionic Activity Chart
- Data Markings
- Policy Versions and Results
- Top Plugin, Top Users, Top Groups, and Top Applications
- Top Location Activity
- File Lineage
Data Protected Summary
Provides details about the data that is Ionic-protected including the Key ID, user, application, operating system, and the date and time the file is encrypted.
Last Request Summary
Provides details about the last access request to the protected data including the policy result, user, application, operating system, date, time, and location from which the request is made.
Summary Statistics
Provides a summary of when the data is protected, volume of access authorizations, total number of denied access requests to the data, total number of users that successfully access the data, and the total number of locations from which the data is accessed.
Ionic Activity
The Ionic Activity chart displays the activity associated with Ionic-protected content for which access requests are allowed or denied, by day, week, and month, which makes patterns easy to recognize.
The chart shows the usage per day for the current year. Each grey box represents one day, and the box is shaded according to the number of accesses. The top half of the box represents allows (in green), and the bottom half of the box represents denies (in red).
If activity occurs after the protected date, the box for the protected date is greyed out.
Hover your mouse over the colored box to view the Protected Date, Request Date, Total Allowed Access, and Total Denied Access details.
Click a single box to go to the Analytics page and see all accesses for that day.
Data Markings
Displays data sensitivity markings associated with the Ionic-protected data and the corresponding data policies that impact access permissions.
Policy Versions and Results
Provides a summary of policy versions and results made for each access request for the Ionic-protected information. The policy results are presented in an easy to read sentence, highlighting why the current decision is reached.
By default, this component is a bar graph depicting the ratio of allowed and denied data access requests for the most recent data policy versions. You can view the breakdown of every policy as it is defined for the specific data policy version. This enables you to understand how every policy and rule is interpreted.
Click the plus button to expand the policy breakdown and result for each policy.
Each time someone changes a policy, the results change based on that policy.
The results are based on the actual outcome. For example, if the rule is to allow if user is Jane, and John requests access, the following sentence displays next to the result:
· The rule was not applied because the user is not Jane.
If a rule is not applied, the result statement becomes the opposite of the rule.
Not Applicable (N/A) indicates that the rule does not contribute to a policy decision.
To view details about each policy, click the icon next to the Policy Name. You will be redirected to the Rules tab of the data policy details page.
Top Users
Chart that provides top plugins, users, groups, and applications used to access or attempt to access the Ionic-protected data.
Top Location Activity
Provides a map that displays the locations of all the access requests made for this piece of Ionic-protected information.
Switch between the views by clicking the Allowed, Denied, and Protected buttons.
File Lineage
The File Lineage chart provides details about the current piece of Ionic-protected data and where it originates from, by depicting the user responsible for each Save As action that creates a new unique instance of the data over time.
If a user has a document and performs a Save or a Save As, a child document is created. File Lineage illustrates this relationship, showing exactly how many child documents are saved from the current document. By default, only children that are saved from the current document are shown. To query for more documents, and to continue to expand the tree, click the plus signs.
The Time and Flat tabs enable you to switch back and forth between the derivative docs, and the time when they are created.
Hover your mouse over the blue circle to view the Time and Key ID details.
User Lifecycle View
The User Lifecycle page provides a single summary view of the user’s application usage and data handling activity.
1. Click on the User Lifecycle icon next to any user name on the Log at the bottom of the Analytics page.
2. Use the drop-down menu to select a different user as needed.
The top half of the User Lifecycle page displays the User Summary, Top Plugins, and Locations details.
3. Scroll to the bottom of the User Lifecycle page to view the User Daily Activity, and Activity Feed details.
Viewing Application Policy Data
The Application Policy tab of the Analytics section enables you to validate that Application Policy is enforced. This tab displays records of attempted uploads blocked by Application Policy for users with the Ionic Security browser endpoint enabled on their devices. For example, if a user uploads information that is unsupported by the access controls you set in the Applications section in the Machina Console, Analytics tracks and displays the blocked uploads and blocked requests.
The following table describes the color breakdown:
Color         Description
Dark Red      Requests Blocked
Light Red     Uploads Blocked
Dark Green    Downloads Allowed
Light Green   Uploads Allowed
1. Select the Application Policy tab.
The Overview graph displays the number of Requests Blocked, File Uploads, File Downloads, and the number of Users. The file uploads and file downloads portions include breakdowns for the allowed and blocked activity. Each of the breakdowns (allowed/blocked), as well as the section header (file uploads/file downloads) add filters upon being clicked that modify the view of the page.
2. Create and add a filter or several filters to view a more refined custom search of the data. Add and remove filters as needed. See "Creating Filters" on page 16 for details.
3. View data based on the top users of blocked uploads by navigating to the Top Denied Users section.
The default settings for the top charts displayed in the Application Policy section are Top Plugin Versions and Top Users.
4. To change the dimensions for the Top Plugin Versions and Top Users sections, click the drop-down arrow in the Display Type field.
5. Select an option in the Switch To field. The options are:
· Action Type - File Upload
· Cities
· Device IDs
· Domains
· File Extensions - Only applies to File Upload blocks
· Groups
· IP Addresses
· Operating Systems
· Plugins
· Plugin Versions
· Users
6. To view the Application Policy log, navigate to the Log section at the bottom of the Analytics page.
7. To customize the Log table, click the Settings button in the top right corner of the Log.
The most common table fields are pre-selected by default. Select additional fields or remove pre-selected fields as needed.
8. After you select the fields you would like displayed, click the Set Visible Fields button.
See the "Locations" on page 45 for details about viewing Application Policy Locations.
Viewing Access Control Data
SaaS Access Control provides complete control and ownership of all user and device authentication by adding a further layer of authentication to browser-based applications.
The Access Control tab on the Analytics page provides reporting details for each authentication request to configured applications. The Ionic Assertion Provider section lists each Keyspace and the Service Provider associated with the Keyspace over time.
1. Select the Access Control tab.
The Access Control section reports only Ionic server-side permitted logins for users enrolled on an Ionic-enabled device, and never displays login errors. Data about any errors that occur goes to the IdP, and the user who configured the IdP needs to check it there. If a login error is displayed, it means the Ionic Keyserver is down.
2. To customize the Log table, click the Settings button in the top right corner of the Log.
The most common table fields are pre-selected by default. For example, the Access Control Keyspace and Access Control Service Provider filter options are selected by default. Select additional fields or remove pre-selected fields as needed.
3. After you select the fields you would like displayed, click the Set Visible Fields button.
Viewing Registration Data
The Registration tab displays registration data based on users who enroll their devices using the Ionic Security browser endpoint. Successful registrations are displayed in green and failed registrations are displayed in red.
1. Select the Registration tab.
2. Create and add filters to view a refined custom set of data. Add and remove filters as needed. See "Creating Filters" on page 16 for details.
3. Filter data based on specified search criteria. For example, to view the top users of blocked uploads, navigate to the Top Groups section.
The default settings for the top charts displayed in the Registration section are Top Users and Top Groups.
Click the x to quickly hide a selection without accessing the filter options dialog.
4. To change the display type for the Top Groups section, click the drop-down list in the Display Type field.
5. Select an option in the Display Type field.
6. To view the Registration Log, navigate to the Log section.
7. To customize the Log table, click the Settings button in the top right corner.
The most common table fields are pre-selected by default. Select additional fields as needed.
8. Select the fields you want to display, and click the Set Visible Fields button.
See the "Locations" on page 45 for details about viewing Registration Locations.
Locations
The Locations feature on the Analytics tab displays users' geographical location. Location is determined using the IP Address. You can view location information for each of the four categories: Data Policy, Application Policy, Cloud Discovery, and Registration.
The states and countries on the map are a solid grey color by default, and are colored after data is collected based on the category you are viewing and how much data is located within its boundaries. States and countries with a larger amount of Total Requests have a darker shade, and states and countries with a smaller amount of Total Requests have lighter shades of the same color. A dot of the same color is displayed in the shaded region of the state or country to display the exact location of the city where the data is collected.
Data Policy Locations
When viewing Data Policy Location information, all allowed requests in a state or country display in green, denied requests display in red, and key creations display in blue. Switch between the dimensions using the multi-toggle tabs. Each toggle represents a singular dimension.
To view the allowed requests, click the Allowed button in the Locations section.
To view the denied requests, click the Denied button in the Locations section.
To view the protected data policies, click the Protected button in the Locations section.
Application Policy Locations
The Locations section of the Application policy tab displays only blocked uploads because all requests are denied on this tab. The states and countries are measured by the amount of Total Requests collected. Select one of the options available from the drop-down list.
Cloud Discovery Locations
In the Cloud Discovery Locations section, the states and countries are measured by the amount of Total Outbound Data collected.
The 2D map displays the location data using darker and lighter shading to represent the amount of data collected, as well as dots of the same color to show where the exact points are located for individual cities. The size of the point represents the size of the aggregation box - there is never an overlap between two points.
Use the zoom feature to view the data more accurately. All zoom levels enable you to view the edges of the map.
Hover your mouse over the state to view the tooltip associated with the state or country. The tooltip changes based on the data represented, and matches the data shown in other sections.
Hover your mouse over the country to display the top cities associated with the country and the total amount of data uploaded.
The 3D map displays the location data using a three-dimensional line. Hover your mouse over the bar to view the tooltip associated with the location to display the Total Outbound Data, Total Requests, and the Top City.
Registration Locations
Successful registrations display in green with a green dot indicating the exact location. Failed registrations are displayed in red.
To view successful registrations, click the Successful button in the Locations section.
To view failed registrations, click the Failed button in the Locations section.
General Machina Console Settings
The following settings are available on most Machina Console pages:
· Shareable Links
· Customize Paginated List Views
· Time Filter on History pages
Shareable Links
The shareable link option enables you to share links to specific pages in the console with other users. The receiver will be directed to the desired page upon login. From any page or tab, click the Copy shareable link button at the top of the page, and send the link to the appropriate user.
NOTE: If a CSA receives a link from a TA, the CSA must still log into the CSA tenant to retrieve access to the link.
Customize Paginated List Views
You can customize page sizes in the console. Open a list view such as the Groups page, click the settings button in the bottom right corner of the page, enter a page size of at least 1 and no more than 100, and click Apply.
Time Filter on History Pages
A Time Filter option is available for all History pages to allow for easier searching. Navigate to a tab that has history records, such as the Groups history page, select the Date option in the first drop-down menu, and select either Before, After or Between in the second drop-down menu.
The Time Filter also displays on the Users > Login History tab, the Users > Email History tab, and the Devices > History tab.
Open the date and time drop-down menu, enter a date and time that is before the latest record and click Apply.
Bulk Actions
Bulk Actions are available for Users, Groups, Device, Roles, Data Policies, Data Markings, Data Marking Values, and Applications list views. Select one or multiple entries from the list, click the Action drop-down list and select an action. Then, click Apply to Selected.
List Views Allow Column Customization
You can select or deselect columns to display on list view pages to show the most valuable information. Select a list view page, and click the gear button in the far right of the table header.
Select the columns you want to display, and click Save.
4: Policies Overview
Data policies control access rights to Machina-protected content. Ionic policy-based protection can be applied to both structured and unstructured data types. Examples of Ionic protection in action can be found on the Ionic Developer website.
The Developer website is regularly updated with tools to better enable you, and sample code to offer guidelines to becoming fully Ionic-enabled. After you have become Ionic enabled, you will be able to create data policies that apply to your protected content.
If you do not create a data policy after applying Ionic encryption to your content, no one can access that content.
What Is Data Policy?
Data policy provides custom access control of Ionic-protected data. Data policies determine who can view data that has been either encrypted or marked with Ionic protection, and under what circumstances. For example, a data policy may cover data created in a specific country and enforce controls so that the data is only viewable from within that country. Although the data may travel outside of that country, anyone trying to access it who is not physically located in the specified country will not be able to view it. This enables organizations to comply with laws like the EU’s General Data Protection Regulation (GDPR).
Data policy can be updated whenever necessary and immediately applied. The controls are enforced in real time. For example, a contractor may be granted access to certain types of company data while working on a specific project. When that contractor leaves that project, their access can be revoked. Any files that they may have in their possession related to that project will be inaccessible to them. This protects company data from unauthorized disclosure – only employees, contractors, vendors, etc. with a need to view company data will be able to view it. Even if files or data are copied, emailed or otherwise transferred to another person or location, only authorized persons will be able to view them.
The first step when creating a data policy is to define the category of data that you want the policy to apply to. You can apply data policies to several different categories of data:
· All Data
· Unmarked Data
· Marked with Data Markings
· Marked with Data Marking Values
· Created by Users
· Created by Users in Groups
· Advanced Policy parameters
What are Data Markings?
Data Markings are ways of tagging data so that controls can be easily enforced. Data Markings can be attached to Microsoft Office Excel, PowerPoint, and Word files when they are saved as Ionic-protected files. Data Markings can also be attached to data automatically through the use of the Machina Tools SDK. There are two types of Data Markings available for use in data policy: Administrator-defined Data Markings and Ionic-detected Content. Administrator-defined Data Markings usually align to a company’s organizational and classification schemes.
What Are Rules?
Rules are conditions that must be met to enforce your policy. For example, your policy allows others to read your data, but the rule requires a person to be a member of the Financial Group. So, only members of that group are granted access to your data. You can set conditions based on location, relative date (relative to creation), specific date, user, and group.
Why Can’t I Disable or Delete Certain Policies?
The ionic-embargo-policy and the ionic-expire-policy are preconfigured by Ionic. After saving an Ionic Protected Office document, document creators can select an embargo or expiration date. These dates determine when users can have access to the Ionic Protected Office document. These policies cannot be disabled or deleted because that control is located within the Ionic Office endpoint and cannot be overridden by the Machina Admin Console.
Creating Data Policies
To grant access to Ionic encrypted content, you must first create a data policy. Data policy is the specification of what data can be accessed. You can create a broad policy that applies to all your encrypted content or you can create a more restrictive policy that only applies to certain marked Microsoft Office documents or Machina-detected data. After you create your policy, you need to add rules and create data markings to specify who and under what conditions people can access the specified content.
When you first create a Data Policy, the status of the policy is set to Disabled by default.
· Create an Application that enforces encryption.
To create a data policy
1. On the Data Policies > Manage tab, click the +Create Data Policy button.
2. Select All Data, Unmarked, Marked With, Created By, or Advanced.
Ionic recommends using All Data for denial situations only. For instance, "Deny access to all data if user is not in the US."
Ionic recommends using Unmarked for granting access in a broader manner. For instance, "Allow all users access to any unmarked data."
Ionic recommends using Marked With for granting access to specific groups. For instance, "Allow the Finance group access to data marked with Classification: Finance."
The Advanced option is explained in detail in the following chapter: "Creating an Advanced Data Policy Rule" on page 67.
3. Enter a Policy Name in the text field provided.
4. [If you select Marked With Data Markings] Enter a data marking or data marking value(s) into the text box provided.
You can create Data Policies and Data Policy Rules with either an “and” or an “or” condition, by selecting all of or any of from the drop-down located in the panel-heading on the Data Policy Builder page.
5. [If you select Marked With Data Marking Values] Select a data marking from the drop-down menu, and select a data marking value from the list of options.
If you have not created a value yet, create a value by entering a name into the text field.
If you have selected ionic-detect as your classification, the different values appear when you click inside the text field.
To remove a Data Marking or Data Marking Value, click the - button.
6. [If you select Specific Users] Enter a user into the text box provided.
7. [If you select Users in Groups] Enter a group into the text box provided.
For information about Advanced Policy, see "Creating an Advanced Data Policy Rule" on page 67.
8. [If you select Requesting User] Enter the Data Policy Name into the available field.
9. Hover your mouse over the Apply All Rules and Apply Rules in Order icons to display rule algorithm details.
Selecting Apply All Rules means all rules are applied and if any generate an Allow result, then the policy result is Allow. If no rules generate an Allow result, or at least one rule generates a Deny result, then the policy result is Deny.
Selecting Apply Rules in Order means rules are applied in order and terminate after the first rule that generates an authoritative Allow or Deny.
10. Click the Create button.
11. You must now create a rule to activate your policy. See "Creating Rules" on page 61 for more details.
12. After creating several Apply Rules in Order rules, you can arrange the order by selecting Order Rules and dragging and dropping the rules into the desired position.
13. To enable a disabled policy, hover your mouse over a created data policy, and click the Enable button that displays.
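As an added illustration (not Ionic code), the following Python model combines rule results into a policy result with the Apply All Rules and Apply Rules in Order algorithms described above, and then combines policy outcomes into a final decision as the Policies Evaluated column describes. The request attribute names, the sample policies, and the assumption that a policy whose rules all come out N/A is itself N/A are constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed key-request shape: the attribute names are assumptions for this model.
Request = Dict[str, object]
ALLOW, DENY, NA = "Allow", "Deny", "N/A"


@dataclass
class Rule:
    name: str
    effect: str                              # ALLOW or DENY when the conditions hold
    condition: Callable[[Request], bool]

    def evaluate(self, req: Request) -> str:
        # A rule whose conditions are not met is Not Applied (N/A) and contributes nothing.
        return self.effect if self.condition(req) else NA


@dataclass
class Policy:
    name: str
    applies_to: Callable[[Request], bool]    # the data category the policy covers
    rules: List[Rule]
    apply_in_order: bool = False             # False = Apply All Rules, True = Apply Rules in Order

    def evaluate(self, req: Request) -> str:
        if not self.applies_to(req):
            return NA                        # the policy does not cover this data
        results = [r.evaluate(req) for r in self.rules]
        authoritative = [r for r in results if r != NA]
        if not authoritative:
            return NA                        # assumption: no rule fired, so the policy is Not Applied
        if self.apply_in_order:
            return authoritative[0]          # the first authoritative Allow or Deny terminates
        # Apply All Rules: a single Deny wins; otherwise the Allow result(s) decide.
        return DENY if DENY in authoritative else ALLOW


def final_decision(policies: List[Policy], req: Request) -> Dict[str, str]:
    """Combine per-policy outcomes as the Policies Evaluated view describes: one Deny
    overrules everything, Allow needs at least one Allow and no Deny, and when no
    policy applies nobody can access the content."""
    outcomes = {p.name: p.evaluate(req) for p in policies}
    values = list(outcomes.values())
    if DENY in values:
        outcomes["final"] = DENY
    elif ALLOW in values:
        outcomes["final"] = ALLOW
    else:
        outcomes["final"] = DENY
    return outcomes


# Constructed sample policies: a "Marked With Classification: Finance" policy using
# Apply All Rules, an "All Data" deny policy for requests from outside the US, and an
# "Unmarked" policy using Apply Rules in Order.
FINANCE_POLICY = Policy(
    name="finance-policy",
    applies_to=lambda r: "Classification:Finance" in r["markings"],
    rules=[
        Rule("allow-finance-group", ALLOW, lambda r: "Finance" in r["groups"]),
        Rule("deny-after-90-days", DENY, lambda r: r["days_since_creation"] > 90),
    ],
)
GEO_POLICY = Policy(
    name="deny-outside-us",
    applies_to=lambda r: True,               # All Data
    rules=[Rule("deny-non-us", DENY, lambda r: r["country"] != "US")],
)
UNMARKED_POLICY = Policy(
    name="unmarked-policy",
    applies_to=lambda r: not r["markings"],
    rules=[
        Rule("deny-unenrolled-device", DENY, lambda r: not r["device_enrolled"]),
        Rule("allow-everyone-else", ALLOW, lambda r: True),
    ],
    apply_in_order=True,                     # order matters: the deny rule must come first
)
POLICIES = [FINANCE_POLICY, GEO_POLICY, UNMARKED_POLICY]


def demo() -> Dict[str, Dict[str, str]]:
    """Evaluate a few constructed key requests and return the per-policy outcomes."""
    base: Request = {"markings": ["Classification:Finance"], "groups": ["Finance"],
                     "country": "US", "days_since_creation": 10, "device_enrolled": True}
    cases = {
        "finance user in US": base,
        "finance user abroad": {**base, "country": "DE"},
        "finance user, file older than 90 days": {**base, "days_since_creation": 120},
        "unmarked data, enrolled device": {**base, "markings": []},
        "unmarked data, unenrolled device": {**base, "markings": [], "device_enrolled": False},
    }
    return {label: final_decision(POLICIES, req) for label, req in cases.items()}


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

Swapping the two rules of unmarked-policy would make the unenrolled device case come out Allow, which is why the Order Rules step above matters for Apply Rules in Order policies.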
Setting the Publish Scope
The Publish scope in the Policies section enables more granular policy administration roles to be defined, specifically supporting the "four eyes principle" and the creation of distinct policy authoring and policy publishing roles.
The Publish scope is also required to perform roll back actions to older policy versions. Users without the Publish scope are not permitted to enable policies or take any action over enabled policies (such as editing, disabling or deleting enabled policies), and will receive this message:
1. Select a role to update on the Roles > Manage tab in the Admin Console (ex. New User).
2. Scroll down to the Policies section on the Scopes tab.
3. Select the publish scope in the Policies section.
Creating Rules
After you have created a data policy and determined what Ionic protected content you want to create a policy for, you must determine whether to allow or deny access to that content. You can also apply certain conditions to the access of that content. You can set conditions based on location, relative date (relative to creation), specific date, user, and group.
· Create an application that enforces encryption.
· Create a data policy.
· [Optional] Create groups to base conditions on groups.
To create a rule
1. Create a data policy or select a data policy on the Data Policies > Manage tab.
2. Click the +Create Rule button.
3. Click the Allow or Deny side of the toggle, depending on what kind of rule you want to create to control your policy.
4. [Optional] Click a condition button to set the conditions for the applied rule.
Condition options include: User, Group, Device, Location, IP Address, Specific Date, Time Elapsed, and Advanced:
· User: Select user(s) or the data creator to include/exclude.
· Group: Select a Group(s) to include/exclude.
· Device: Select a device(s) to include/exclude.
· Location: Select a location(s) to include/exclude.
· IP Address: Select IP Address(es) to include/exclude.
· Specific Date: Select a date and time for access to begin/end.
· Time Elapsed: Select a specific number of days after the creation date for access to begin/end.
· Advanced: Select the advanced option to create a data policy that compares any two attributes to determine if access to data is allowed or denied. For more details, see "Creating an Advanced Data Policy Rule" on page 67.
5. [Optional] Click an additional condition button to set more conditions for the applied rule.
The User option displays two separate options: Specific users, and Same as data creator.
The Group option displays two separate options: Specific groups, and Same group as data creator.
The Device option displays two separate options: Specific devices, and Device enrollment source.
When you add a rule and create a condition, the Device Enrollment Source will auto-query the list of known enrollment configurations.
6. Click the Create button.
Exporting Data Policies
Policy Managers have the ability to export a single Policy or the complete set of all Data Policies and associated rules. The Export capability is available under the Manage tab on the Data Policy list page as well as the individual Policy detail page. The export can be saved in a JSON file format that can either be filed for compliance audit purposes or can be imported into another system or used to update, add, or replace existing data policies in the same system.
The Import capability is also available under the Manage tab on the Data Policy list page. For details about importing data policies, see "Importing Data Policies" on page 67.
1. Click Export from the Data Policy list view, to export the complete set of Data Policies.
2. Click Export from the individual Data Policy detail view, to export a single data policy.
3. Click either Copy to copy the JSON content to Clipboard or Download to save the export into a JSON file format.
Importing Data Policies
To import data policies, simply use the Import button available on the data policy list page. You can import either JSON or .txt file formats.
There are three options to choose from, during an import: Create and Update, Create Only and Replace All.
Create and Update will compare the import content against the existing set of policies and create a new policy if there is no match, or will update existing policies.
Create Only will still compare against the existing set of policies, and only create new ones. If the policies in the import content already exist in the system, the import will provide an appropriate error message.
Replace All will replace the current set of policies with the imported dataset.
1. On the Data Policies > Manage tab, click the Import button.
2. Click the Browse button to select a file to import, or manually enter the JSON content.
3. Click either Create And Update, Create Only, or Replace All.
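The following Python script is an added example, not Ionic code, that previews what each of the three import modes above would leave behind before you commit to one. The export layout is not documented on this page, so the script assumes a JSON list of policy objects matched on a "name" field, and it assumes that Create Only reports the clashing names and changes nothing.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample export and import content (assumed layout: list of policy objects).
EXISTING_JSON = json.dumps([
    {"name": "finance-policy", "summary": "Marked With Classification: Finance", "rules": 2},
    {"name": "unmarked-policy", "summary": "Unmarked data", "rules": 1},
])
IMPORT_JSON = json.dumps([
    {"name": "finance-policy", "summary": "Marked With Classification: Finance", "rules": 3},
    {"name": "deny-outside-us", "summary": "All Data", "rules": 1},
])

Policies = List[Dict[str, object]]


def apply_import(existing_json: str, import_json: str, mode: str) -> Tuple[Policies, List[str]]:
    """Return (resulting policy set, error messages) for one import mode."""
    existing: Policies = json.loads(existing_json)
    imported: Policies = json.loads(import_json)
    by_name = {p["name"]: dict(p) for p in existing}
    names_in_import = [p["name"] for p in imported]
    if len(set(names_in_import)) != len(names_in_import):
        return existing, ["import content contains duplicate policy names"]
    if mode == "Replace All":
        # The current set is discarded entirely, including policies absent from the import.
        return [dict(p) for p in imported], []
    if mode == "Create Only":
        # Assumption: a match is reported as an error and nothing is changed.
        clashes = [n for n in names_in_import if n in by_name]
        if clashes:
            return existing, [f"policy '{n}' already exists" for n in clashes]
        return existing + [dict(p) for p in imported], []
    if mode == "Create and Update":
        # Matching policies are updated in place; unmatched ones are created.
        for p in imported:
            by_name[p["name"]] = {**by_name.get(p["name"], {}), **p}
        return list(by_name.values()), []
    return existing, [f"unknown import mode: {mode}"]


def preview_all_modes() -> Dict[str, Tuple[List[str], List[str]]]:
    """For each mode, return the sorted policy names that would remain and any errors."""
    out = {}
    for mode in ("Create and Update", "Create Only", "Replace All"):
        policies, errors = apply_import(EXISTING_JSON, IMPORT_JSON, mode)
        out[mode] = (sorted(str(p["name"]) for p in policies), errors)
    return out


if __name__ == "__main__":
    for mode, (names, errors) in preview_all_modes().items():
        print(f"{mode}: {names} errors={errors}")
```

Note that Replace All drops unmarked-policy, which is absent from the import content; Create and Update keeps it and raises finance-policy to its imported rule count.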
Creating an Advanced Data Policy Rule
The Advanced data policy and rule builder option enables you to create a data policy that compares any two attributes to determine whether access to data is allowed or denied. Attributes are generated after Machina-protected data is created; for example, location, time, date, user, device ID, etc. Select any attribute from the key request to allow or deny access for the data policy. The attribute you compare against must be mapped to one of the available attributes.
The Advanced Data Policy and Rule Builder allows you to:
· Create a Data Policy with an advanced rule - Policy rules are applied to data access requests that match the conditions you set. For example, if you create an ionic-protected document in Microsoft Excel (ionic-application-name) but the Advanced rule allows access only when ionic-application-name equals the custom value Microsoft Word, you cannot access any documents in Microsoft Excel.
· Create an All Data advanced Data Policy rule - Select a data policy, create an advanced rule that either allows or denies access to a tax application. Then, compare the tax application with the user attribute, and if they match, then access is allowed.
1. On the Data Policies > Manage tab, click the +Create Data Policy button.
2. Click the Advanced option. Click the option multiple times to add additional data policies.
3. Click the Show attribute descriptions link to open a table of descriptions for each attribute.
The categories for the exposed attributes are mapped with the corresponding XACML request. The XACML specification for attributes and categories used is defined here: XACML
If you create a new Data Marking, it displays in the attribute list.
4. Select either the all of or any of option to indicate if the policy rules will be applied to data access requests that match either all of or any of the conditions listed.
5. Select an attribute from the first drop-down list.
6. Select an attribute comparison type from the second drop-down list.
Attribute comparison options include: equals, does not equal, contains, starts with, ends with, is greater than, is greater than or equal, is less than, or is less than or equal.
7. For example, to create a custom value comparison, select custom values from the third drop-down list.
8. Enter the custom attribute value, such as Microsoft Word.
Now, the data policy is only applied when the ionic-application-name is Microsoft Word. If you have an ionic-protected Microsoft Excel document, the data policy is not applied.
If the value of the first selected attribute matches the value of the attribute it is compared against, the result is Allow; if the values do not match, the result is Deny.
9. Enter a name for the policy in the Data Policy Name field.
10. Click Create.
11. To compare string type attributes, select an attribute from the first drop-down list that contains a true/false comparison.
Check the Show attribute descriptions link to determine which attribute contains a true/false comparison.
12. Select a string comparison option from the second drop-down list.
String comparison options include: equals, does not equal, is true, or is false. If you select equals, or does not equal, an additional attribute drop-down list displays.
13. To create an advanced Data Policy rule using the Advanced option, on the Data Policies > Manage tab, click a data policy, and click the +Create Rule button.
14. Click the Advanced option. For this example, create a rule that allows a user who is using the Microsoft Word application to access an ionic-protected document.
15. The advanced rule will display in the Rules tab on the data policy detail page.
16. Click Create.
The user that is part of the group can now be allowed access.
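To make the comparison semantics concrete, here is an added Python evaluator (not Ionic code) for advanced conditions: it implements the attribute comparison options listed above, the custom value versus attribute-to-attribute operand choice, and the all of / any of matching, and applies them to the page's Microsoft Word / Microsoft Excel example. ionic-application-name is the attribute named on the page; the other attribute names and the request values are constructed.

```python
import operator
from typing import Callable, Dict, List, Tuple

# A key request is modelled as a flat attribute map (constructed attribute names,
# except ionic-application-name, which the page itself uses).
Request = Dict[str, object]
# (attribute, comparison, operand): operand is ("custom", value) for a custom value
# typed into the rule builder, or ("attribute", name) to compare two request attributes.
Condition = Tuple[str, str, Tuple[str, object]]

COMPARISONS: Dict[str, Callable[[object, object], bool]] = {
    "equals": operator.eq,
    "does not equal": operator.ne,
    "contains": lambda a, b: str(b) in str(a),
    "starts with": lambda a, b: str(a).startswith(str(b)),
    "ends with": lambda a, b: str(a).endswith(str(b)),
    "is greater than": operator.gt,
    "is greater than or equal": operator.ge,
    "is less than": operator.lt,
    "is less than or equal": operator.le,
    "is true": lambda a, _: a is True,       # string/boolean comparisons ignore the operand
    "is false": lambda a, _: a is False,
}


def condition_holds(req: Request, cond: Condition) -> bool:
    attribute, comparison, (kind, operand) = cond
    if attribute not in req:
        return False                         # a missing attribute never satisfies a condition
    if kind == "attribute":
        if operand not in req:
            return False                     # nothing to compare against
        rhs = req[operand]
    else:
        rhs = operand
    try:
        return bool(COMPARISONS[comparison](req[attribute], rhs))
    except TypeError:
        return False                         # e.g. ordering a string against a number


def advanced_rule_result(req: Request, conditions: List[Condition], match: str = "all of") -> str:
    """Allow when the conditions match (all of / any of), otherwise Deny."""
    checks = [condition_holds(req, c) for c in conditions]
    matched = all(checks) if match == "all of" else any(checks)
    return "Allow" if matched else "Deny"


# Constructed rule definitions.
WORD_ONLY: List[Condition] = [("ionic-application-name", "equals", ("custom", "Microsoft Word"))]
WORD_OR_EXCEL: List[Condition] = WORD_ONLY + [
    ("ionic-application-name", "equals", ("custom", "Microsoft Excel"))]
WORD_AND_RECENT: List[Condition] = WORD_ONLY + [
    ("days-since-creation", "is less than or equal", ("custom", 30))]
APP_MATCHES_USER_ATTR: List[Condition] = [
    ("ionic-application-name", "equals", ("attribute", "user-approved-application"))]


def demo() -> Dict[str, str]:
    """Evaluate constructed requests against the rules above and return the results."""
    word_req: Request = {"ionic-application-name": "Microsoft Word", "days-since-creation": 5,
                         "user-approved-application": "Microsoft Word", "device-enrolled": True}
    excel_req: Request = {**word_req, "ionic-application-name": "Microsoft Excel"}
    old_word_req: Request = {**word_req, "days-since-creation": 45}
    no_user_attr: Request = {k: v for k, v in word_req.items() if k != "user-approved-application"}
    return {
        "word, equals custom Microsoft Word": advanced_rule_result(word_req, WORD_ONLY),
        "excel, equals custom Microsoft Word": advanced_rule_result(excel_req, WORD_ONLY),
        "excel, any of Word/Excel": advanced_rule_result(excel_req, WORD_OR_EXCEL, "any of"),
        "word, all of Word and <=30 days": advanced_rule_result(word_req, WORD_AND_RECENT),
        "old word, all of Word and <=30 days": advanced_rule_result(old_word_req, WORD_AND_RECENT),
        "app equals user attribute": advanced_rule_result(word_req, APP_MATCHES_USER_ATTR),
        "app vs missing user attribute": advanced_rule_result(no_user_attr, APP_MATCHES_USER_ATTR),
        "device-enrolled is true": advanced_rule_result(
            word_req, [("device-enrolled", "is true", ("custom", None))]),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```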
Updating Data Policies
Update a Data Policy by clicking the data policy you want to edit. You can update the Policy Name, Unmarked Data, Marked Data, Created By data, and Advanced data.
1. On the Data Policies > Manage tab, click a policy to update.
2. Click the Update button.
3. Edit the Data Policy Name, All Data, Unmarked, Marked With, Created By, or Advanced data if necessary.
4. Click the Update button.
Comparing Data Policies
The Compare option enables you to compare two versions of a data policy, and focus on the changes made to policies over time. You can determine what has changed between the two versions, when and which rules were added, removed, or reordered, as well as the policy manager or user that made the change.
The Overall Data Policy compare history page shows a custom policy comparison.
1. Select any two versions of a Policy on the Data Policies > History tab.
2. Click Compare.
3. Hover over the row, and click the Show Changes button to display the detail data policy comparison view.
The Name column displays the action that occurred - added, updated, created, deleted, etc.
4. The Changes dialog displays.
The Detail Data Policy compare history page shows a custom policy comparison for a specific data policy.
1. On the Data Policy detail page > History tab, select any two versions of a Policy, and view a side by side comparison by clicking the Compare button.
2. Clicking the Compare button takes you to the comparison page showing the difference between the two versions you selected. The left column, Field, shows the field that changed, the middle column shows the older version value, and the right column shows the new version value.
Rolling Back Data Policies
As a Tenant administrator, you can roll back Data Policies to a previous version. This is useful when users cannot access data they should be able to access and you do not have the time to sort through every policy to find the one that is incorrectly blocking them.
1. Use the Data Policies > History tab to select a previous version.
2. Click the Rollback button associated with that version.
3. Review the details on the Confirm Rollback dialog, and click Rollback to confirm.
All changes made to policies subsequent to the selected version are removed.
1. Select a policy and use the History tab to select a previous version to restore.
2. Review the details on the Confirm Rollback dialog, and click Rollback to confirm.
Changes made to this specific rule subsequent to the selected version are removed.
Managing Data Policies
In addition to creating Data Policies and Rules, you can search, update, disable, and delete Data Policy information.
Search for Data Policies by using the search bar on each corresponding page. Search for policies by Name, Summary, or Data Marking. Select the column you want to search by first, then enter the corresponding information into the search text field.
Hover your mouse over the data policy row to display the Disable and Delete buttons. Confirm your decision for each request by clicking Confirm or Cancel.
Disable a data policy by clicking the Disable button.
Delete a data policy by clicking the Delete button.
Filtering Data Policies
Policy Managers can also filter the Data Policy list view by Enabled or Disabled Policies. If a filter is applied, only the filtered policies will be exported.
Permissions for Data Policies
Permissions allow non-admin users to access and manage certain resources in the Machina Console. Similar to how scopes determine what actions Ionic administrator roles can perform, Permissions are scopes that determine what actions a user can take for a specific resource. A user that has been granted Data Policy Permissions can log in to the console and either manage, read, delete, or update the Data Policy based on the Permissions they have been granted. Users can delegate their same Permissions to others, or delegate more restrictive Permissions.
A user without an administrative role can access the console if the user is assigned a permission to manage at least one Data Policy or Group. The user will receive a permission welcome email with a link to set their password and gain access to manage the Data Policy or Group.
NOTE: Even if the policy is disabled, the user can receive access to the policy.
Creating Data Policy Permissions
Creating Data Policy Permissions allows you to assign data policy permissions to other users. You can only assign a permission that you currently have.
1. On the Data Policy detail page, click the Permissions tab, then search for a user by typing the user's name in the search box or by selecting the user from the drop-down list.
2. Click Add Permission.
3. After you click Add Permission, the user displays under the User column of the Permissions tab. The check boxes that display next to the user resemble what displays on the Role detail page. When you select any of the check boxes, use the Save button to save all your changes at once. A Confirm Save Permissions dialog will display; click Save to continue. You can also click the Reset button to revert your selections to the original state.
4. In the example below, the user can only Read the Test Data Policy because this is the only Permission the user has. The level of access a user has depends on the user’s Roles and Permissions. Roles are primary, and Permissions are secondary. For example, if a user only has a Permission on a single data policy (without any Roles), then the user will only see that single data policy.
A user only needs a permission to Read one group or one data policy to be able to log in as a simple user with the most limited access.
5. The Info tooltips allow you to view the details of a scope before selecting it. Simply hover your mouse over the info icon to view the details.
6. After adding the desired permissions for a user, you can access the User detail page and select the Permissions tab to view all the permissions allowed for this user. The User detail Permissions tab is Read-only and is only visible to users who have the users:read scope.
Editing Data Policy Permissions
You can edit data policy permissions for a user by accessing the Permissions tab on the Data Policy detail page and selecting the desired scopes. You can only assign a permission that you currently have.
Deleting Data Policy Permissions
You can delete data policy permissions for a user by accessing the Permissions tab on the Data Policy detail page, hovering your mouse over the user and clicking Remove. You can only delete a permission if you have all the scopes that the permission has.
NOTE: Users that have been assigned permissions can remove their own permissions. However, they cannot add additional permissions.
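The delegation rules above (you can only assign scopes you hold, you can only remove a permission if you hold all of its scopes, users can remove but not extend their own permissions, and Read on a single data policy or group is enough to sign in) amount to a subset check that prevents privilege escalation through delegation. The following is an added example of that check, not Machina code; the resource identifier and the scope names `read`, `update`, and `delete` are constructed placeholders.

```python
"""Delegation checks for Data Policy Permissions (added example, not Machina code).

Models the rules stated in the guide:
  * a user can only assign a permission (set of scopes) they currently hold,
    either the same scopes or a more restrictive subset;
  * a user can only delete a permission if they hold all of its scopes;
  * a user who holds a permission may remove it from themselves but not extend it;
  * holding Read on at least one Data Policy or Group is enough to log in.
Scope names and resource identifiers below are constructed placeholders.
"""
from typing import Dict, FrozenSet, Iterable, Tuple

# grants[(user, resource)] -> scopes that user holds on that resource
Grants = Dict[Tuple[str, str], FrozenSet[str]]


class DelegationError(PermissionError):
    """Raised when a user tries to grant or remove scopes they do not hold."""


def scopes_of(grants: Grants, user: str, resource: str) -> FrozenSet[str]:
    return grants.get((user, resource), frozenset())


def can_delegate(grants: Grants, grantor: str, grantee: str,
                 resource: str, scopes: Iterable[str]) -> bool:
    """True if every requested scope is already held by the grantor on this
    resource (same or narrower permission) and the grantor is not adding to
    their own permission."""
    requested = frozenset(scopes)
    held = scopes_of(grants, grantor, resource)
    return bool(requested) and grantee != grantor and requested <= held


def delegate(grants: Grants, grantor: str, grantee: str,
             resource: str, scopes: Iterable[str]) -> FrozenSet[str]:
    """Grant scopes to grantee, or raise if the subset rule is violated."""
    if not can_delegate(grants, grantor, grantee, resource, scopes):
        raise DelegationError(
            f"{grantor} cannot delegate {sorted(scopes)} on {resource} to {grantee}")
    grants[(grantee, resource)] = scopes_of(grants, grantee, resource) | frozenset(scopes)
    return grants[(grantee, resource)]


def can_remove(grants: Grants, actor: str, target: str, resource: str) -> bool:
    """Self-removal is always allowed; otherwise the actor must hold every
    scope the target's permission carries."""
    target_scopes = scopes_of(grants, target, resource)
    if not target_scopes:
        return False
    return actor == target or target_scopes <= scopes_of(grants, actor, resource)


def remove_permission(grants: Grants, actor: str, target: str, resource: str) -> None:
    if not can_remove(grants, actor, target, resource):
        raise DelegationError(f"{actor} may not remove {target}'s permission on {resource}")
    del grants[(target, resource)]


def can_log_in(grants: Grants, user: str) -> bool:
    """A non-admin user can sign in with Read on one data policy or group."""
    return any(u == user and "read" in s for (u, _resource), s in grants.items())


if __name__ == "__main__":
    # Constructed scenario: alice holds a full permission on a test policy.
    store: Grants = {("alice", "data-policy:Test"): frozenset({"read", "update", "delete"})}
    print(delegate(store, "alice", "bob", "data-policy:Test", ["read", "update"]))
    print(can_delegate(store, "bob", "carol", "data-policy:Test", ["read", "delete"]))  # False
    print(can_remove(store, "bob", "alice", "data-policy:Test"))  # False
```

`can_delegate` and `can_remove` are the checks a console or API layer would run before mutating the grant store; the mutating helpers only wrap them so that a rejected request leaves the store unchanged.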
Using the Data Policy Simulator
The data policy simulator enables you to easily validate your data policies by creating custom simulations. The simulator demonstrates how the policy engine evaluates a policy request against all the existing policies in the selected version, without requiring test data to validate the policy.
The policy simulator enables you to:
· Verify a disabled policy before enabling it.
· Verify another user's access.
· Verify that your data policies satisfy corporate requirements.
· Determine why a user can(not) access the data.
For example, to verify that only John Doe can access documents marked as Classification: Top Secret, you can create (at least) two simulation tests:
· Validate that John Doe is allowed access to a document marked Classification: Top Secret.
· Validate that a user that is not John Doe is denied access to a document marked Classification: Top Secret.
1. On the Data Policies > Simulations tab, click the Run Simulation button.
2. Click Run Simulation.
The simulator displays a set of customizable settings that can contribute to the final decision of the simulation, such as Requester Attributes, Data Attributes, and Policy Engine Settings.
Be sure you understand the Policy Engine Settings section before running the simulation to have a clear understanding of the different policies applied and how each policy works.
3. In the Requester Attributes section, create custom conditions to test with the selected policies by using the drop-down arrows to expand the selections available, and completing the appropriate fields.
4. In the Data Attributes section, click the +Add Data Marking button to add data markings and values to your simulation.
Enter any attribute name(s) and value(s) you want to add. These names and values will not be saved as new markings/values as they are when authoring policy.
5. To change the selected policy version, expand the Policy Version field, and click the Change button.
6. Enter a previous version and click Update.
NOTE: By default, the Use latest check box is selected. To enter a previous data policy version, uncheck the check box.
7. Expand the Policies To Apply field to view and customize the selected data policies.
Select the check boxes next to each policy to add or remove any data policies for the selected version, including enabled and disabled data policies.
8. Enter a name for your simulation in the Name field.
9. Click Simulate.
A simulation result message displays with the detailed policy results.
10. You can run any simulation you create repeatedly by clicking the Run Again button. You can make additional changes before running the simulation again.
The number in parentheses indicates how many times a particular simulation has been run.
11. Click the Show All button in the Detailed Policy Results section of the result page to understand why the result is either Allow or Deny.
12. Additionally, you can access the Run Again option by hovering your mouse over an existing simulation.
The simulations you create are logged and stored on the Simulations tab until you delete them.
13. You can also run the simulation by selecting a data policy on the Data Policies > Manage tab, and clicking Run Simulation.
Additionally, click the +Create Rule button on the data policy page to run a simulation based on the rule you create.
The rules and conditions are automatically populated into the simulator, without creating a new simulation. Add additional criteria to the simulation as needed.
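To make the John Doe scenario above concrete, here is an added example of a miniature simulator, not Machina's policy engine. It models policies as ordered lists of Allow/Deny rules with requester-attribute and data-marking conditions, and runs the two suggested tests plus a check of a disabled policy. The combining logic is an assumption for illustration only: within a policy the first matching rule decides, across policies a Deny overrides an Allow, and a request matching no rule is denied. Attribute names, e-mail addresses, and policy names are constructed.

```python
"""Mini data-policy simulator (added example, not Machina's policy engine).

Assumed combining logic: first matching rule per policy decides that policy's
result; across the selected policies a Deny overrides an Allow; no match = Deny.
Disabled policies are skipped unless explicitly included, which is how the
"verify a disabled policy before enabling it" case is exercised.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Rule:
    name: str
    effect: str                                              # "Allow" or "Deny"
    requester: Dict[str, str] = field(default_factory=dict)  # attribute == value
    markings: Dict[str, str] = field(default_factory=dict)   # data marking == value

    def __post_init__(self) -> None:
        if self.effect not in ("Allow", "Deny"):
            raise ValueError(f"unknown effect {self.effect!r}")

    def matches(self, requester: Dict[str, str], markings: Dict[str, str]) -> bool:
        return (all(requester.get(k) == v for k, v in self.requester.items())
                and all(markings.get(k) == v for k, v in self.markings.items()))


@dataclass
class Policy:
    name: str
    rules: List[Rule]
    enabled: bool = True


def simulate(policies: List[Policy], requester: Dict[str, str],
             markings: Dict[str, str], include_disabled: bool = False
             ) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (decision, detail); detail lists each policy's result, the way the
    Show All view of the Detailed Policy Results explains an Allow or Deny."""
    detail: List[Tuple[str, str]] = []
    allowed = denied = False
    for policy in policies:
        if not policy.enabled and not include_disabled:
            detail.append((policy.name, "Skipped: policy disabled"))
            continue
        result = "Not applicable: no rule matched"
        for rule in policy.rules:
            if rule.matches(requester, markings):
                result = f"{rule.effect}: rule '{rule.name}' matched"
                if rule.effect == "Deny":
                    denied = True
                else:
                    allowed = True
                break
        detail.append((policy.name, result))
    return ("Allow" if allowed and not denied else "Deny"), detail


# Constructed policies: only John Doe may open Top Secret documents.
TOP_SECRET = {"Classification": "Top Secret"}
POLICIES = [
    Policy("Top Secret handling", [
        Rule("john-doe-allowed", "Allow",
             requester={"email": "john.doe@example.com"}, markings=TOP_SECRET),
        Rule("everyone-else-denied", "Deny", markings=TOP_SECRET),
    ]),
    Policy("Internal data", [
        Rule("staff-allowed", "Allow",
             requester={"department": "engineering"},
             markings={"Classification": "Internal"}),
    ], enabled=False),
]


def run_simulations() -> Dict[str, str]:
    """The (at least) two tests suggested above, plus a disabled-policy check."""
    john = {"email": "john.doe@example.com", "department": "engineering"}
    jane = {"email": "jane.roe@example.com", "department": "engineering"}
    internal = {"Classification": "Internal"}
    return {
        "john-top-secret": simulate(POLICIES, john, TOP_SECRET)[0],
        "jane-top-secret": simulate(POLICIES, jane, TOP_SECRET)[0],
        "jane-internal-as-deployed": simulate(POLICIES, jane, internal)[0],
        "jane-internal-if-enabled": simulate(POLICIES, jane, internal, include_disabled=True)[0],
    }


if __name__ == "__main__":
    for name, decision in run_simulations().items():
        print(f"{name}: {decision}")
```

The second test is the one that catches the common mistake: an Allow rule for John Doe alone proves nothing unless a simulation with a different requester comes back Deny.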
Acceptable-Use Obligations for Data Policy
The Acceptable-Use tab on the Data Policy detail page enables you to manage acceptable-use actions for a data policy by configuring the acceptable-use obligations.
When Offline Storage is enabled, a successfully fetched key may be stored locally and used offline by a client.
1. Access the Data Policy detail page.
2. Click ENABLE, and specify the duration you want the key to be available offline.
3. To disable Offline Storage, click DISABLE.
4. Click the Clear button for Offline Storage to clear the inputs and hide the offline duration option.
The initial default value for the offline timeout duration obligation attribute is set to 1 day.
The Conditional Protection field allows administrators to specify the conditions surrounding the client choice in regards to encryption. The available options are:
· Allow - Clients have the choice to encrypt data
· Prefer - Clients are encouraged to encrypt data
· Always - Clients are required to encrypt data
On the Acceptable Use Obligations tab users can Enable or Disable labeling to determine whether or not a client will require encryption to tag and track rules changes.
Use the available buttons to Enable or Disable labeling for the selected data policy.
When Labeling has been enabled, the drop-down can be used to select which Attribute Name to add to the selected rule as a label. After selecting an Attribute Name, select the value and the attribute will be added to the rule.
The Add symbol can be used to add additional values to the selected rule.
NOTE: The acceptable-use obligations defined here are provided to clients when a key request is allowed by this policy. The client is obligated to enforce the settings. If there is more than one policy that produces an acceptable-use obligation, precedence will be applied to provide the most restrictive value to the client.
Acceptable-Use for Rules
You can manage acceptable-use actions for a Data Policy rule by configuring acceptable-use options. Acceptable-use policies are only applied for rules with an "Allow" effect. When the effect is "Deny" for a rule, you cannot edit any acceptable use policies.
1. From the Data Policy detail page, select the Acceptable Use tab > click the Configure Per Rule button to display the configuration dialog.
2. Click the arrow under the Rule Acceptable-Use section to expand the options. Configure the settings as needed.
3. Click Save.
Offline storage time can be set at both the policy level and the rule level. When both are set, the minimum value takes precedence.
The initial default value for the offline timeout duration obligation attribute is set to 1 day.
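The precedence rules stated in the two sections above (the most restrictive obligation wins when more than one policy or rule produces one, and the minimum offline storage time wins between policy and rule level) can be written down as a merge function. The following is an added example, not Machina code; the ordering Allow < Prefer < Always for Conditional Protection, the use of 0 days to represent disabled offline storage, and the sample obligations are assumptions made for the example.

```python
"""Merging acceptable-use obligations (added example, not Machina code).

When several allowing policies or rules each produce an obligation, the client
receives the most restrictive value:
  * Offline Storage: the minimum duration (0 days = disabled); when no source
    sets one, the example falls back to the 1-day default named in the guide;
  * Conditional Protection: assumed ordering Allow < Prefer < Always;
  * Labels: the union of every source's attribute values.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set

PROTECTION_RANK = {"Allow": 0, "Prefer": 1, "Always": 2}
DEFAULT_OFFLINE_DAYS = 1


@dataclass
class Obligation:
    source: str                                   # which policy or rule produced it
    offline_storage_days: Optional[int] = None    # None = this source set nothing
    conditional_protection: Optional[str] = None  # "Allow" | "Prefer" | "Always" | None
    labels: Dict[str, Set[str]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.conditional_protection is not None and \
                self.conditional_protection not in PROTECTION_RANK:
            raise ValueError(f"unknown conditional protection {self.conditional_protection!r}")
        if self.offline_storage_days is not None and self.offline_storage_days < 0:
            raise ValueError("offline storage duration cannot be negative")


def merge_obligations(obligations: Iterable[Obligation]) -> Obligation:
    """Apply most-restrictive precedence across all supplied obligations."""
    sources = list(obligations)
    merged = Obligation(source="merged")

    days = [o.offline_storage_days for o in sources if o.offline_storage_days is not None]
    merged.offline_storage_days = min(days) if days else DEFAULT_OFFLINE_DAYS

    protections = [o.conditional_protection for o in sources if o.conditional_protection]
    merged.conditional_protection = (
        max(protections, key=PROTECTION_RANK.__getitem__) if protections else None)

    for o in sources:
        for attribute, values in o.labels.items():
            merged.labels.setdefault(attribute, set()).update(values)
    return merged


def example_merge() -> Obligation:
    """Constructed case: policy-level 7 days/Prefer, rule-level 2 days/Always."""
    policy_level = Obligation("policy:Finance", offline_storage_days=7,
                              conditional_protection="Prefer",
                              labels={"Classification": {"Internal"}})
    rule_level = Obligation("rule:Finance/contractors", offline_storage_days=2,
                            conditional_protection="Always")
    return merge_obligations([policy_level, rule_level])


if __name__ == "__main__":
    print(example_merge())
```

Because the client is the party that enforces the obligation, the merge should happen on the server side before the obligation is sent, so that a client never sees a less restrictive value that it could choose to honour instead.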
5: Data Markings Overview
What Are Data Markings?
Data Markings are used to classify Machina encrypted data. For example, only certain data is considered sensitive in your organization. You may have three levels of sensitivity, such as restricted content only a few end-users can access, internal content all end-users can access but cannot share outside the organization, and public content that is safe for anyone to access. You can set these levels of classification in the Machina Console using data markings.
You can create custom data markings or use the Machina data markings (Classification and Machina Detected Content). Currently, only the Machina Detected Content data markings are detected in web browser content. Machina Detected Content data markings are not detected in Ionic protected Office documents.
What Are Data Marking Values?
Data Marking Values are classification levels or types. For instance, Ionic automatically creates a data marking category of Classification with no values. If you create a value of Financial Data and add that data value to a Word document, you can now create a policy that dictates who can have access to the data in that document based on that Classification value. Currently, user created data markings only apply to Ionic protected Office documents. When you create a value in an Office document you must first enter the Classification data marking followed by a colon and your data value, for example Classification: Financial Data.
Machina also provides a data marking category of Machina Detected with several values. Ionic Detected data markings include values such as CCN (credit card number), ip-address-v4 (IPv4 address), ip-address-v6 (IPv6 address), usa-federal-ssn (social security number, USA), usa-federal-passport-number (passport number, USA), and usa-federal-taxid (tax ID, USA). These values are automatically detected in your Ionic encrypted content when placed in a web browser, so you can create policy to limit who should have access to these types of data.
For information about viewing the history log associated with Data Markings, see "Admin Console Logging Record History" on page 161.
Creating Data Markings
When creating a data policy, you can narrow the policy’s scope to only include certain types of data. Data Markings are how you can distinguish which types of data to encrypt. Ionic provides two data markings: Classification and Ionic Detected Content. The Classification data marking applies to encrypted content in Microsoft Office Ionic Protected documents and the Ionic Detected Content data marking applies to Internet Explorer Ionic Protected content. At this time, the only data marking that can be applied to content in the Internet Explorer browser is the Ionic Detected Content data marking. If you create a new data marking, it can only be applied to Microsoft Office Ionic Protected documents. The documents must have the data marking applied for the data policy to be enforced.
· Create an Application that enforces encryption in Microsoft Office documents.
To create a data marking
1. On the Data Markings > Manage tab, click the +Create Data Marking button.
2. Enter a Name for your Data Marking in the text field provided.
The Data Marking Name is used to create the Data Policy and tag the Microsoft Word Ionic Protected Document.
3. Enter a Description for your Data Marking in the text field provided.
4. [Optional] You can designate a value of a public data marking as the preferred default value to be used by an Ionic-enabled client to make the end-user experience easier, while also encouraging a standard classification on all protected data. For example, enter a Default Value of 'High'.
· Only one value of a public data marking can be set as the default value
· Setting a default value is not required
The new Default Value will be generated and will display in the Values section of the Data Marking detail page.
When you go back to update the Default Value, a drop-down menu will become available to select a value from the list. You can also clear the value by clicking the x.
5. Select either Hidden or Visible in the Access field to determine if the Data Marking will be visible or hidden to Ionic-enabled applications.
6. Click the Create button.
7. To view and access the policies that are referencing individual Data Markings, select a data marking, and click the link either to Relevant or Referenced Policies from the Data Marking Values table.
8. To view previous versions of data markings, select a data marking, and click the History tab.
9. To view the Data Marking history details, hover your mouse over the Data Marking history record and click Inspect.
Creating Data Marking Values
To use the Classification Data Marking or a newly created Data Marking, you must create values. Data Marking Values are groupings or categories of data. For instance, for the Classification data marking you might add a value of Restricted. Then you can set a data policy allowing only certain people access privileges to that document or any document with that data marking and value. You can also create Values while creating a Data Policy by entering a value in the text field provided. Furthermore, values can be created upon saving a Microsoft Ionic Protected Document in the Save As dialog.
The Ionic Detected Content data marking comes with five values: CCN (credit card number), ip-address-v4 (IPv4 address), ip-address-v6 (IPv6 address), usa-federal-ssn (social security number, USA), and usa-federal-taxid (tax identification number, USA). These values are automatically detected in content entered into an Internet Explorer browser and are encrypted if encryption is being enforced through Application Policy.
· Create an Application that enforces encryption.
To create a value
1. On the Data Markings > Manage tab, select a data marking.
2. Click the +Create Data Marking Value button.
3. Enter a Name for the Value.
Name is a required field.
4. [Optional] Enter a Description for the Value.
5. Click the Create button.
You can delete data marking values that are no longer needed.
To delete values
1. Select one or multiple values from the data marking detail page.
2. Select Delete from the Action drop-down list.
3. Click Apply to Selected.
Ordering Data Markings
Administrators can order data markings to control what the users see in the client application. The order will be taken into consideration when creating, editing or simulating Data Policies.
1. Select a Data Marking and click the Order Data Markings button to order the list of data markings.
2. The Order Data Markings dialog displays where you can drag and drop each data marking into the desired order.
Ordering Data Marking Values
Administrators can order the values associated with data markings. The order will be taken into consideration when creating, editing or simulating Data Policies.
1. Select a Data Marking and click the Order Values button to order the list of created values.
2. The Order Values dialog displays where you can drag and drop each data marking value into the desired order.
Updating Data Markings
Data Markings can be updated by accessing the Data Markings page in the Admin Console. You can update the Name, Description, Access, Admin Control, as well as order values.
1. On the Data Markings > Manage tab, hover your mouse over a data marking, and click the Update button that displays.
[Optional] You can also click on the blue name of the data marking you want to edit, and click the Update button in the top right corner of the data marking page.
2. Update the Name, Description, Access, or Admin Control fields.
3. Click the Update button.
To delete a data marking, hover your mouse over the data marking row, and click the Delete button.
Deleting Items Referenced by a Data Policy
A detailed error report can be accessed when trying to delete Data Markings, Users or User Groups that are referenced by Data Policies, with information on the Data Policy referencing the item marked for deletion.
View the example below:
When deleting a data marking
1. On the Data Markings > Manage tab, hover over a Data Marking, click Delete, and click Confirm.
2. Read the Error Report to determine why the data marking cannot be deleted.
3. In addition to the Error Details tab, you can also view the Resource and Response Body details.
6: Subject Attributes Overview
What Are Subject Attributes?
The Subject Attributes section displays all of the subject attributes currently created within your Machina Console.
Subject attributes allow you to assign attributes directly to users and devices. These attributes can then be used in policy decisions to include or exclude users or devices that carry the selected attributes. For example, a subject attribute can be added to a user to record their role within the organization; that attribute can later be used when authoring policy to easily select those users.
Creating Subject Attributes
You can create Subject Attributes to organize users and devices into groups. Your created Subject Attributes can be viewed on the Manage tab.
To create a subject attribute
1. Select the Subject Attribute tab, then click the Create Subject Attribute button.
2. Enter the Name and Description of the new subject attribute into the available fields.
Individual attribute names can only be up to 256 characters long.
3. Use the Collect Values checkbox to determine whether or not the new subject attribute will also include the values of the users and devices associated with the attribute.
When Collect Values is enabled, there is a limit of 51 values per attribute that can be collected.
4. After creating and configuring your subject attribute, click the Create button.
Customer supplied attributes have a size limit of 20 kb.
Managing Subject Attributes
Any created subject attributes can be viewed on the Manage tab. The Manage tab is selected by default when accessing the Subject Attributes tab. You can edit existing subject attributes using the Update function.
Click the pen icon to open the Update Subject Attribute window where you can change the selected subject attribute's name and description. You can also toggle whether or not the selected attribute will collect value information with the Collect Values check-box.
After making the appropriate updates, click Update to apply your changes to the selected subject attribute.
Deleting Subject Attributes
To delete a subject attribute, highlight it and select the trash icon.
Click Yes in the Confirmation window to delete the selected subject attribute.
Modifying Subject Attributes
After a Subject Attribute has been created, you can select it from the subject attribute list and modify its information. After selecting a subject attribute from the list, you are taken to the subject attribute's page, where you can create new values or modify the existing information for the subject attribute.
When modifying a subject attribute, the available modifications are based on the Data Type currently assigned to the subject attribute. The available data types, with a brief explanation of each, are listed below:
· Boolean - Displays radio buttons of "true" or "false" for the subject attribute.
· Integer - Displays an input that only accepts integers for the subject attribute.
· Double - Displays an input that only accepts doubles for the subject attribute.
· IP Address - Displays an input that only accepts IP addresses for the subject attribute.
· Date and Time - Displays an input that only accepts date and time values for the subject attribute.
· Date - Displays an input that only accepts date values for the subject attribute.
· Time - Displays an input that only accepts time values for the subject attribute.
· Duration - Displays an input that only accepts duration values for the subject attribute.
· Year and Month Duration - Displays an input that only accepts day/time duration
When modifying an existing Subject Attribute, you can use the Create Subject Attribute Value button to add a new value to the subject attribute.
Once the Create Subject Attribute Value window is open, you can input information into the available fields. Note that the appearance of the Create Subject Attribute Value window varies based on the Data Type associated with the Subject Attribute.
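The typed inputs described above are, in effect, input validation for attribute values before they reach policy evaluation. The following is an added example of such a validator, not Machina code; it also applies the limits stated earlier in this section (attribute names of at most 256 characters and at most 51 collected values when Collect Values is enabled). It assumes ISO 8601 notation for date, time, and duration values (PnDTnHnMnS for Duration, PnYnM for Year and Month Duration); the guide's own description of the Year and Month Duration type is cut off, so that form is an assumption.

```python
"""Validating subject attribute values by Data Type (added example, not Machina code).

Assumptions: date/time values use ISO 8601; Duration is a day/time duration
(PnDTnHnMnS) and Year and Month Duration is PnYnM. Limits come from the guide.
"""
import ipaddress
import re
from datetime import date, datetime, time
from typing import Callable, Dict, List

MAX_NAME_LEN = 256            # attribute names may be at most 256 characters
MAX_COLLECTED_VALUES = 51     # limit when Collect Values is enabled

_DAY_TIME = re.compile(r"-?P(?:\d+D)?(?:T(?:\d+H)?(?:\d+M)?(?:\d+(?:\.\d+)?S)?)?")
_YEAR_MONTH = re.compile(r"-?P(?:\d+Y)?(?:\d+M)?")


def _duration(pattern: "re.Pattern", value: str) -> None:
    # A syntactically empty duration such as "P" or "P1DT" is rejected.
    if not pattern.fullmatch(value) or not any(c.isdigit() for c in value) \
            or value.endswith("T"):
        raise ValueError(f"not a valid duration: {value!r}")


def _boolean(v: str) -> None:
    if v not in ("true", "false"):
        raise ValueError("expected true or false")


def _double(v: str) -> None:
    x = float(v)
    if x != x or x in (float("inf"), float("-inf")):
        raise ValueError("double must be finite")


# Keyed by the Data Type names used in the console.
VALIDATORS: Dict[str, Callable[[str], None]] = {
    "Boolean": _boolean,
    "Integer": lambda v: int(v) and None,
    "Double": _double,
    "IP Address": lambda v: ipaddress.ip_address(v) and None,
    "Date and Time": lambda v: datetime.fromisoformat(v) and None,
    "Date": lambda v: date.fromisoformat(v) and None,
    "Time": lambda v: time.fromisoformat(v) and None,
    "Duration": lambda v: _duration(_DAY_TIME, v),
    "Year and Month Duration": lambda v: _duration(_YEAR_MONTH, v),
}


def is_valid(data_type: str, value: str) -> bool:
    """True if value is acceptable for the given Data Type; unknown types are invalid."""
    try:
        VALIDATORS[data_type](value)
        return True
    except (KeyError, ValueError):
        return False


def validate_definition(name: str, collect_values: bool, collected: List[str]) -> List[str]:
    """Return the list of problems with a subject attribute definition (empty = ok)."""
    problems = []
    if not name:
        problems.append("name is required")
    elif len(name) > MAX_NAME_LEN:
        problems.append(f"name exceeds {MAX_NAME_LEN} characters")
    if collect_values and len(collected) > MAX_COLLECTED_VALUES:
        problems.append(f"more than {MAX_COLLECTED_VALUES} collected values")
    return problems


if __name__ == "__main__":
    for dt, v in [("IP Address", "10.0.0.1"), ("IP Address", "999.1.1.1"),
                  ("Duration", "P1DT2H30M"), ("Year and Month Duration", "P1Y6M")]:
        print(dt, v, is_valid(dt, v))
```

Rejecting malformed values at creation time keeps policy conditions such as an IP Address comparison from silently failing to match later.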
7: Roles Overview
RBAC (Role Based Access Control)
When you create a new Administrative User, you can assign user roles to Administrative Users so that they can perform a group of tasks.
Machina Predefined Roles
Machina has designed eight (8) predefined roles which already have a set of predefined permissions. See the list of the Ionic Predefined Roles and their meanings below.
· API Administrator - Allows administrative access to Ionic’s APIs.
· Application Manager – Allows full access to manage the Applications page (create, read, update, delete). All other Ionic Admin Console pages are Read-Only.
· Dashboard Administrator – Allows full access to everything in the Ionic Admin Console. Only Admin Console Administrators can assign API Administrator, Application, Policy and User Manager roles to users.
· Dashboard Read Access – Restricts Ionic Admin Console access to Read-Only.
· Policy Manager – Allows full access to manage the Data Policies and Data Markings pages (create, read, update, delete). All other Ionic Admin Console pages are Read-Only.
· User Manager - Allows full access to manage the Users, Groups, Settings and Devices pages (create, read, update, delete). All other Ionic Admin Console pages are Read-Only.
· Role Manager – Allows a level of access to be able to create and update roles. This is a very powerful permission.
· Tenant Manager - Allows a level of access to be able to create and manage tenants within the user's organization.
· Billing Manager - Allows access to the Billing tab on the Settings page of the Machina console. This role can be assigned via a Tenant Manager, or assumed during the self-service portal sign-up.
Users can be assigned multiple roles.
Selecting a role is optional, and it only applies to Administrators. Ionic Users can be created with no Ionic Admin Console administrative roles.
Users within the Tenant Manager role will only be able to view, access, and manage tenants within their organization.
Creating Custom Roles
Administrators and Role Managers can create, update, and delete Custom Roles. A Custom Role is a role tailored to your company's needs. The Custom Roles functionality allows you to name the role, describe the role, choose the level of permissions (scopes) for the role, and manage the role by updating it. Custom Roles are displayed on the Create User and Update User dialogs after they are successfully created. The Roles section contains a History tab which keeps a record of all previous actions made under your Ionic Admin Console Tenant. Existing Ionic Predefined Roles are stored on the Roles > Manage tab.
1. On the Roles > Manage tab, click the +Create Role button.
2. Enter the Name, Display Name, and Description for the role.
3. Click Create.
The only required field is the Name field. All other fields are optional.
The new role will display on the Roles > Manage tab as well as the Create User dialog when you create a new user in the Users section.
4. Select the check boxes under each category under the Scopes tab to define the proper scopes (permissions) for the role. Click Save after you make your selections.
The custom role created can only have access to the scopes listed next to the check boxes for each of the following categories: Access, Read, Analytics, Applications, Devices, Groups, Keyspaces, Policies, Roles, Settings, and Users. For example, the custom role can only have Read access to Keyspaces and Roles.
When you select the Read:all check box, all other read check boxes are automatically selected for each category. Several other scopes also have associated check boxes to support features that belong with a role and will be automatically selected.
When you select the manage check box, all other check boxes in that category are automatically selected. See the example below. You can also view the tooltips outlining the privileges provided by each feature scope by hovering your mouse over the info button. Confirmation dialogs display when changes affect multiple scopes.
If you make changes to a custom role and click away before saving the changes, an Unsaved Changes notification displays to notify you that all changes will be lost.
5. To update or delete a custom role you created, hover your mouse over the custom role, and click Update or Delete.
You cannot delete or update Ionic Predefined Roles that already exist in the system.
6. Select the History tab to view a log of all previously Created, Updated, or Deleted user actions performed under your Admin Console Tenant.
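The two implication rules described in step 4 (Read:all selects every category's read scope, and a category's manage scope selects everything in that category) decide what a custom role really grants, which is what a reviewer of a "read-only" role needs to check. The following is an added example that computes the implied scope set, not Machina code. The category list is the one given above; the per-category action names (read, create, update, delete, manage) and the `<category>:<action>` spelling are constructed for the example, modelled on the users:read scope mentioned earlier on this page.

```python
"""Scope implication for Custom Roles (added example, not Machina code).

Rules modelled from the guide: Read:all implies the read scope of every
category; <category>:manage implies every scope in that category. Category
names come from the guide; action names and the "<category>:<action>"
spelling are constructed for this example.
"""
from typing import FrozenSet, Iterable

CATEGORIES = ["access", "analytics", "applications", "devices", "groups",
              "keyspaces", "policies", "roles", "settings", "users"]
ACTIONS = ["read", "create", "update", "delete", "manage"]
READ_ALL = "read:all"


def all_scopes() -> FrozenSet[str]:
    """Every scope offered on the Scopes tab; a custom role may hold nothing else."""
    return frozenset({f"{c}:{a}" for c in CATEGORIES for a in ACTIONS} | {READ_ALL})


def is_offered(scope: str) -> bool:
    return scope in all_scopes()


def expand(selected: Iterable[str]) -> FrozenSet[str]:
    """Return the full scope set implied by the administrator's selections.
    Raises ValueError for any scope that is not offered on the Scopes tab."""
    chosen = frozenset(selected)
    unknown = chosen - all_scopes()
    if unknown:
        raise ValueError(f"scopes not offered for custom roles: {sorted(unknown)}")
    implied = set(chosen)
    if READ_ALL in chosen:
        implied.update(f"{c}:read" for c in CATEGORIES)
    for c in CATEGORIES:
        if f"{c}:manage" in chosen:
            implied.update(f"{c}:{a}" for a in ACTIONS)
    return frozenset(implied)


def implied_by(selected: Iterable[str]) -> FrozenSet[str]:
    """Scopes switched on automatically, i.e. what a confirmation dialog should list."""
    return expand(selected) - frozenset(selected)


def is_read_only(selected: Iterable[str]) -> bool:
    """True if, after implication, the role grants nothing beyond read scopes."""
    return all(s == READ_ALL or s.endswith(":read") for s in expand(selected))


if __name__ == "__main__":
    # Constructed selections: one genuinely read-only role, one that is not.
    print(sorted(implied_by({"policies:manage"})))
    print(is_read_only({"keyspaces:read", "roles:read"}))   # True
    print(is_read_only({"read:all", "policies:manage"}))    # False
```

`is_read_only` is the check worth running before saving a role named "Read Access": a single manage scope hidden among read scopes makes the name misleading.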
Copying Roles
Administrators have the ability to create new custom roles derived from existing roles by copying an existing role and modifying only the needed scopes. A Copy button is available when hovering your mouse over the list of Roles or on any role details page.
1. On the Roles > Manage tab, hover your mouse over the role you want to copy, and click the Copy button.
2. When you click Copy, the Copy Role dialog displays, and the fields are auto-populated. You can change the Name, Display Name, and Description.
3. Click Copy.
8: Billing Overview
The Billing function in the Machina Console allows administrators to input financial information into the Dashboard to enable billing for both the Pro and Enterprise versions of the Machina Console.
By default, the Pro and Enterprise versions of Machina provision a set number of free transactions per month, with a per-transaction fee once the free transaction limit is reached.
Information about the current pricing per tier can be found at www.ionic.com/pricing
9: User Profiles Overview
The Users section tracks users in the system. Before deploying Ionic plugins to users, you must first create user profiles in the Machina Console. User profiles include details such as user role, first and last name, email address, external ID, domain UPN, and groups associated with the user.
What are User Roles?
User Roles determine what kind of access users have to the Machina Console. The console offers two types of user roles: administrators and users. The Roles page provides certain Administrative Users the ability to easily create and manage Custom Roles.
Administrators
Administrators have access to the Machina Console, can install and register a plugin, and their profiles require password credentials to access the console.
Users
Users only access the Machina Console to install and register plugins; their profiles do not require console login credentials because they do not have access to the majority of the console.
Create user profiles by accessing the Users section of the console and either manually entering user information or automatically importing a Comma Separated Value (CSV) spreadsheet of users into the console. Additionally, create user profiles through User Management API (SCIM).
What Can I Update?
Update user profiles by hovering your mouse over the user profile you want to edit and clicking the update button. First Names, Last Names, email addresses, external IDs, Domain UPNs, and Groups can be updated. You cannot update administrators’ passwords or user profiles’ roles.
In the Users section of the Machina Console, search for specific user profiles by user name, email address, and group. You can also disable or delete specific user profiles. Furthermore, you can add user profiles to groups to organize your users, so that you can apply customized policy rules to particular groups within your organization. Additionally, manage user profiles through User Management API (SCIM).
How are Admins Authenticated?
When Ionic creates a new tenant, we also create an initial admin in the Machina Console instance for that tenant. An email is automatically sent to this admin with a link to the console. After clicking on the link in the email, admins are required to set their password for accessing the console. This password can then be used to log in to the console. If admins forget their password, a similar process is available to reset it. Authentication can also be completed using SAML Identity Providers. This is configured in the Identity Management section of the settings.
User profiles track users in the system. Before deploying Ionic plugins to users, you must create user profiles in the Machina Console. User profiles include details such as user role, first and last name, email address, domain UPN, and groups associated with the user. You may want to manually create user profiles if you are only creating a few profiles.
When you create a user profile, at least one of the identifying fields (email, Domain UPN, or External ID) must be completed.
There is a limit of 1000 External IDs per Machina Console instance.
· [Optional] Create Groups in the Ionic Admin Console.
To create a user profile
1. On the Users > Manage tab, click the +Create User button.
2. Enter the First Name and Last Name of the user.
First and last names must be fewer than 20 characters each and cannot contain a colon (:) character.
3. Select the check box next to each role you want to assign to the user; the selected roles determine the type of administrator privileges the user receives. Use the descriptions below to classify the user:
Selecting a role is optional, and it only applies to Administrators. Ionic users can be created without Machina Console administrative roles.
· API Access – This role can be combined with other roles like "User Manager," for example, to grant API access to an account.
· API Administrator – Allows administrators access to Ionic’s APIs. (Password Required). See our API documentation for additional information.
· Application Manager – Allows full access to manage the Applications page (create, read, update, delete). All other Admin Console pages are Read-Only.
· Dashboard Administrator – Allows full access to everything. Only Console Administrators can assign API Administrator, Application, Policy and User Manager roles to users.
· Dashboard Read Access – Restricts Ionic Administrator Console access to Read-Only.
· Policy Manager – Allows full access to manage the Data Policies and Data Markings pages (create, read, update, delete). All other Admin Console pages are Read-Only.
· User Manager – Allows full access to manage the Users, Groups, and Devices pages (create, read, update, delete). All other Machina Console pages are Read-Only. The User Manager can only create and assign User Managers and Dashboard Read Access roles to users.
4. Enter the user’s Email address.
5. [Optional] Enter the user's External ID.
This field is optional and can be used to provide the unique identifier for the user in your enterprise's internal directory.
6. Enter the user’s Domain UPN (User Principal Name). By default, the Use email address check box is selected.
7. [Optional] Type one or more group names into the appropriate field. If a group exists, it displays below the field; otherwise, create the new group by pressing Enter.
A user group can be added or removed from the profile after it has been created.
Click the X in the corner of a group title to remove it.
8. Click the Create button to save the user profile.
The Admin label in the Roles column indicates the type of administrative privileges assigned to the user.
You can import users in bulk with a Comma Separated Value (CSV) file. Enter user profile information into the following columns, in this order: First Name, Last Name, Email address, External ID, Domain UPN, Groups, and admin status (enter "yes" if admin, leave blank if not). If any of the users in the CSV file already exist in the system, those users are not imported. Currently, only user importing is supported; Administrators must be added manually. For more information on manually creating user profiles, see "Creating User Profiles" on page 105.
· Create a CSV file with user information in the correct format.
To import user profiles
1. On the Users > Imports tab, click the Upload File button.
2. Click the Upload File button.
3. [Optional] Click the download template link to download an Excel template.
4. [Optional] Enter the users into the Excel template, then save the file to your computer.
Group Name and External ID are optional columns in the CSV file. All other columns are required. If the Domain UPN is the same as the user's email, leave the column blank.
You can add several groups to a user profile.
The CSV template contains the following headings (in order):
· First Name
· Last Name
· Domain UPN (leave blank if same as email)
· Group Names (comma-separated)
· Roles (comma-separated, or use "true" for dashboard admin): accepts a "true" or "false" value, and also allows you to specify any of the available administrative roles.
· External ID (optional)
· Delete (use "delete"): Specifying the word Delete in the Delete column deletes the user specified in that row. Note: A user is not deleted if a Data Policy references that user.
If a role that does not exist is specified in the CSV file, the role is still associated with the user during import. The admin must create the role later to give it meaning. This situation is not currently treated as an error condition.
The previous version of the CSV import template remains backwards compatible. However, the new format has been updated in the Machina Console and should be used to take advantage of the new functionality.
CSV imports have been validated to support up to 9000 users at once. Anything higher may result in a timeout and may need to be re-imported or broken down into smaller groups.
5. Click the Browse button and select the file from your documents.
6. After you select a file to upload, a list of additional options displays.
7. Select Yes or No to update existing users with the new information from the imported file.
8. Select the type of method that is used to match existing users by clicking the drop-down list.
9. Click the Upload button.
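As an added example (not part of this guide or of the Machina Console), the following Python script pre-checks a user-import CSV against the rules stated in this section before you upload it: the name length and colon restriction, at least one identifying field per row, a blank Domain UPN when it matches the email, roles that are not built-in roles, the Delete column, the 1000 External ID limit, and the 9000-row import size. The column headings follow the template list above plus an Email column, which is an assumption, and the sample rows are constructed; the template you download from the console remains authoritative for layout.

```python
"""Pre-flight checks for a Machina Console user-import CSV.

Constructed example: the column names follow the template headings listed
in this guide plus an Email column (assumption), and the sample rows are
made up. The console's downloadable template is authoritative for layout.
"""
import csv
import io
import math

# Administrative roles named in the "Create user profile" procedure.
KNOWN_ROLES = {
    "API Access", "API Administrator", "Application Manager",
    "Dashboard Administrator", "Dashboard Read Access",
    "Policy Manager", "User Manager",
}
MAX_NAME_LEN = 20           # names must be shorter than 20 characters
MAX_ROWS_PER_IMPORT = 9000  # validated import size; larger may time out
MAX_EXTERNAL_IDS = 1000     # External IDs per console instance


def _field(row, name):
    """Return a stripped cell value, treating a missing column as empty."""
    return (row.get(name) or "").strip()


def check_row(row, line_no):
    """Apply the per-row rules; return (errors, warnings) as message lists."""
    errors, warnings = [], []
    for col in ("First Name", "Last Name"):
        name = _field(row, col)
        if len(name) >= MAX_NAME_LEN:
            errors.append(f"line {line_no}: {col} must be shorter than "
                          f"{MAX_NAME_LEN} characters")
        if ":" in name:
            errors.append(f"line {line_no}: {col} may not contain ':'")

    email = _field(row, "Email")
    upn = _field(row, "Domain UPN")
    ext_id = _field(row, "External ID")
    if not (email or upn or ext_id):
        errors.append(f"line {line_no}: at least one of Email, Domain UPN "
                      "or External ID is required")
    if email and upn and upn.lower() == email.lower():
        warnings.append(f"line {line_no}: Domain UPN equals Email; leave the "
                        "Domain UPN column blank")

    # Roles accepts "true"/"false" (dashboard admin flag) or a role list.
    roles = _field(row, "Roles")
    if roles.lower() not in ("", "true", "false"):
        for role in (r.strip() for r in roles.split(",")):
            if role and role not in KNOWN_ROLES:
                warnings.append(f"line {line_no}: role {role!r} is not a "
                                "built-in role; the import attaches it anyway, "
                                "so create it afterwards")
    return errors, warnings


def validate_import(csv_text):
    """Validate a whole CSV; return a summary dict with errors and warnings."""
    reader = csv.DictReader(io.StringIO(csv_text))
    report = {"rows": 0, "deletes": 0, "batches": 0,
              "errors": [], "warnings": []}
    external_ids = set()
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        report["rows"] += 1
        if _field(row, "Delete").lower() == "delete":
            report["deletes"] += 1
        if _field(row, "External ID"):
            external_ids.add(_field(row, "External ID"))
        errs, warns = check_row(row, line_no)
        report["errors"].extend(errs)
        report["warnings"].extend(warns)
    if len(external_ids) > MAX_EXTERNAL_IDS:
        report["errors"].append(f"{len(external_ids)} External IDs exceed the "
                                f"limit of {MAX_EXTERNAL_IDS} per console")
    # Number of uploads needed to stay within the validated import size.
    report["batches"] = math.ceil(report["rows"] / MAX_ROWS_PER_IMPORT)
    return report


# Constructed sample: one row per rule being exercised.
SAMPLE_CSV = """\
First Name,Last Name,Email,Domain UPN,Group Names,Roles,External ID,Delete
Alice,Example,alice@example.com,,Finance,User Manager,,
Bob,Example,bob@example.com,bob@example.com,"Finance,Legal",true,emp-0042,
Carol:Test,Example,,,,,,
Dan,Example,,,,Widget Admin,emp-0043,
Erin,Example,erin@example.com,,,,,delete
"""

if __name__ == "__main__":
    result = validate_import(SAMPLE_CSV)
    for msg in result["errors"] + result["warnings"]:
        print(msg)
    print(f"{result['rows']} rows, {result['deletes']} deletion(s), "
          f"{result['batches']} upload(s) needed")
```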
Exporting User Profiles
You can also export user profiles to a Comma Separated Value (CSV) file. The export function is present on the Manage, History, Logins, Emails, and Import tabs of the User section of the Ionic Admin Dashboard.
This procedure describes manually exporting user profiles in the Machina Console. For details about importing an updated CSV file, see "Importing User Profiles" on page 107.
1. In the Users section, select a tab that contains information you wish to export.
2. Select the Export to CSV option.
3. Use the column check boxes to determine which columns to include in your exported CSV file.
4. Once your columns are selected, click the Export button to begin the export process.
5. Open the exported CSV file to view the information.
Updating User Profiles
User profiles can be updated in one of three ways: manually in the Machina Console, importing an updated CSV file, or User Management API. First Names, Last Names, Email addresses, Domain UPNs, and Groups can be updated. You cannot update administrators’ passwords or user profiles’ roles.
This procedure describes manually updating user profiles in the console. For details about importing an updated CSV file, see "Importing User Profiles" on page 107. For details about User Management API, see .
1. On the Users > Manage tab, search for a user profile in the Search By field.
2. Search by Name, Email, Domain UPN, External ID or Role.
3. Hover your mouse over a user profile, and click the Update button.
4. Update the information you want to edit.
First Names, Last Names, Email addresses, External IDs, Domain UPNs, and Groups can be updated.
You can add more than one group in the Groups field.
You cannot update Administrators' passwords or user profiles' roles.
5. Click the Update button.
6. [Optional] To resend a deployment email to a user, select a user from the main Users page.
Customizing User Subject Attributes
Administrators can add custom subject attributes to existing users. These attributes can be used in policy decisions to provide more context about the user involved in the decision.
1. On the Users > Manage tab, select a user to add subject attributes to.
2. Click the Subject Attributes tab.
3. Click the +Create Subject Attribute button.
4. Enter the Name and Value to add to the user profile in the available fields.
5. Click Create to add the subject attributes to the profile.
Managing User Profiles
In addition to creating, importing, and updating user profiles, you can search, disable, and delete user profiles. Furthermore, you can add user profiles to groups.
Search for user profiles by using the search bar on the main Users page. Search by user name, email address, External ID, Domain UPN, role, status, or enrollment status. First, click the drop-down menu to select the category you want to search by, then enter the profile information into the search text field.
The user's authentication provider is displayed in the Identity Providers column on the Users tab. This column displays "None" if no OAuth login was used.
Update the user profile role, first name, last name, email, External ID, Domain UPN, and groups by clicking the Update button.
Hover your mouse over the user profile to display the Update, Disable, and Delete buttons.
Confirm your decision for each request by clicking Confirm or Cancel.
To disable user profiles
A user profile can be disabled by clicking the Disable button.
To delete user profiles
Authorized and permitted administrators can Delete, Enable, or Disable one or multiple user profiles.
1. On the Users > Manage tab, select the user(s) and click the Action drop-down list.
2. Select the Delete, Enable, or Disable option.
3. A Confirm Delete Users message displays. Click Confirm to proceed.
4. To add users to groups, select the user(s), select Add to Groups from the Action drop-down list, and select a Group from the Groups menu that displays. Then, click Apply to Selected.
5. The administrator can also bulk select and Delete, Enable, or Disable all users on the page by selecting the check box next to the Name column header and clicking the Delete Selected button that displays.
The Action drop-down list only displays if a check box is selected.
The bulk delete function only works in the active page. If you select users on multiple pages, the Delete Selected option only deletes the users on the active page.
Adding User Profiles to Groups
You can add one or more user profiles to groups. Adding user profiles to groups is helpful when you apply customized policy rules by department or work group. User profiles can be associated with several groups. If a user profile belongs to a group that is attached to an application, that application's policy is applied to the user when using that application. If a user belongs to multiple groups - and a policy conflict arises - the policy service defaults to the policy that is the opposite of the default policy for that application. For example, if the default policy for LinkedIn is to deny access and the user belongs to two groups - the first group allows access to LinkedIn and the second group denies access - the user can access LinkedIn. Similarly, if the default policy for LinkedIn is to allow access and the user belongs to two groups - the first group allows access to LinkedIn and the second group denies access - the user is denied access to LinkedIn.
1. On the Users > Manage tab, select the check box(es) to the left of the user(s) you want to add to a group.
To select all users, select the check box next to Name.
After you select a check box, an Add Selected Users To Groups text box displays.
2. Click inside the text box to display a list of group options, and select one or multiple group names from the list.
If you have not created any groups yet, create a group by entering a group name into the text field.
As you type the name of a preexisting group name into the text field, a list of group options displays.
You can enter more than one group name into the text field.
3. Click the Add Selected to Group button.
4. To delete multiple users, select the users, and click the Delete Selected button.
Viewing User History details
Each User Profile page displays Devices, Scopes, History, Login History, and Email History tabs. The details in these tabs enable you to keep track of the devices assigned to specific users, as well as any activity associated with each user.
Devices
The Devices tab lists the devices that have been successfully registered for a user with the Ionic plugin installed on their device.
1. On the Users > Manage tab, select a user.
2. Click the Devices tab.
Update the name of the device or disable the device by hovering your mouse over the device row, and clicking the Update button or Disable button that displays.
3. Click on the blue name of the device.
The Configuration tab displays all applications that are configured with the selected device.
The History tab displays device updates.
Assigning Groups
The Groups tab on the user detail page displays a list of Groups for each user. The Groups tab is paginated and is very useful if you have hundreds or thousands of groups. You can assign a user to a group directly from the Groups tab.
1. On the user details page, click the Groups tab.
2. Select a group from the search box and click Add Group.
Scopes
The permissions for each user are displayed under the Scopes tab. After clicking on a user's name on the main Users page, authorized and permitted administrators can use this tab to see all of the privileges assigned to an individual user.
1. On the user detail page, click the Scopes tab.
2. Scroll down to the bottom of the page to view all scopes.
History
The History tab lists any information that has been created, updated, or deleted associated with a particular user.
1. On the user detail page, click the History tab.
2. Click the Inspect button to display additional details about the type of action performed.
Login History
1. On the Users page, click the Login History tab.
2. Use the Search By field to search by Username or Action.
If you search by Action, select either All, Success, Failure, or Lockout from the list of options.
3. Click the Add Search button to add an additional search filter.
Email History
1. On the Users page, click the Email History tab.
2. Create a custom search by typing the subject line in the Search By field.
Analytics
The Analytics tab in the Users section tracks the user activity associated with each user account.
1. On the Users page, click the Analytics tab.
2. Hover your mouse over the green bars to display the number of active users recorded on a specific date.
A user is considered active if they report any data from an Ionic plugin.
A user is considered enrolled if they have successfully registered a device with Ionic.
This chart only covers data from the last 30 days.
10: Groups Overview
You can create groups and add user profiles to groups in the Machina Console. Adding user profiles to groups is helpful when you apply customized policy rules by department or work group. Groups include details such as the group name, description, and number of users. You can also delete groups, update group information, and add several user profiles to a group.
User profiles can be associated with several groups. If a user profile is associated with a group with a policy that is opposite to the default policy for a particular application, the group policy overrides the application’s default policy. For example, if a user profile is associated with a group that allows users to access LinkedIn, even if the default policy for LinkedIn is to deny access, the user is allowed access.
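The resolution rule stated here and in "Adding User Profiles to Groups" above (a group whose policy opposes the application's default overrides it, so a conflict between groups resolves to the opposite of the default) is encoded below as an added Python example; it is not Machina Console code, and the group names, applications and decision strings are constructed.

```python
"""Effective application policy for a user who belongs to several groups.

Constructed example of the resolution rule described in this guide; it is
not Machina Console code. Decisions are the strings "allow" and "deny".
"""
ALLOW, DENY = "allow", "deny"


def _opposite(decision):
    """Return the opposite decision, rejecting anything but allow/deny."""
    if decision not in (ALLOW, DENY):
        raise ValueError(f"unknown decision: {decision!r}")
    return DENY if decision == ALLOW else ALLOW


def effective_policy(app_default, group_decisions):
    """Resolve one application for one user.

    app_default: the application's default policy.
    group_decisions: decisions of the user's groups that carry a policy for
    this application (groups without one are simply omitted).
    A group whose policy opposes the default overrides it, so a conflict
    between groups always resolves to the opposite of the default; with no
    group policy at all, the default applies.
    """
    decisions = set(group_decisions)
    for decision in decisions:
        _opposite(decision)  # validate every input decision
    if not decisions:
        return app_default
    override = _opposite(app_default)
    return override if override in decisions else app_default


def evaluate_user(user_groups, group_policies, app_defaults):
    """Return {application: effective decision} for each application."""
    result = {}
    for app, default in app_defaults.items():
        decisions = [group_policies[g][app] for g in user_groups
                     if g in group_policies and app in group_policies[g]]
        result[app] = effective_policy(default, decisions)
    return result


# Constructed data mirroring the LinkedIn example in the text: one group
# allows LinkedIn, another denies it, and the application default is deny.
GROUP_POLICIES = {
    "Marketing": {"LinkedIn": ALLOW},
    "Engineering": {"LinkedIn": DENY, "GitHub": ALLOW},
}
APP_DEFAULTS = {"LinkedIn": DENY, "GitHub": DENY}

if __name__ == "__main__":
    print(evaluate_user(["Marketing", "Engineering"], GROUP_POLICIES, APP_DEFAULTS))
```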
In the Groups section of the Machina Console, you can view and disable the user profiles associated with a group. You can also search for specific groups by group name, delete groups, and update a group's name, description, and external ID. Furthermore, you can add user profiles to groups to organize your users, so that you can apply customized policy rules to particular groups within your organization.
You can remove user profiles from groups in one of two ways. From the Groups page, click on the group's blue title and then locate the Delete button in the top right corner, or hover your mouse over the group row, and click the Delete button that displays.
For information about viewing the history log associated with Groups, see "Admin Console Logging Record History" on page 161.
Creating Groups
You may want to manually create groups if you are only creating a few groups. Groups are helpful when you create customized policies by work group, department, or other categories.
1. On the Groups > Manage tab, click the + Create Group button.
2. Enter the Name of the group.
3. [Optional] Enter the Description of the group.
4. [Optional] Enter the External ID for the group.
This field is optional and can be used to provide the unique identifier for the group in your enterprise's internal directory.
5. Click the Create button.
Adding User Profiles to Groups
Add user profiles to groups to create customized policies by group. You can also add user profiles to groups when adding or importing user profiles. You can also remove a user or multiple users from a group if necessary.
Before adding users to groups
· Create user profiles.
1. On the Groups > Manage tab, select a group by clicking the blue title.
2. Click the +Add Users button.
3. Enter the name(s) of the user(s) you want to add to the group.
4. Click the Add Users button.
5. To view details about the users that are added to a group, click the History tab of the Group, hover your mouse over the row, and click the Inspect button that displays.
The Changes tab shows group membership changes. The Field column displays the value that was changed, for example, members. The After column displays the User ID that was added. You can see whether you have added 1 or 1,000 users to a group.
The Compare to Previous tab shows what changed between the current and previous version.
The Request Body tab shows the value and user ID details.
6. To remove a user from a group, select a group to display the group detail page. From the Users tab, select a user or multiple users, click the Action drop-down list, select Remove, and click Apply to Selected.
Permissions for Groups
Permissions allow non-admin users to access and manage certain resources in the Machina Console. Similar to how scopes determine what actions Ionic administrator roles can perform, Permissions are scopes that determine what actions a user can take for a specific resource. The first resource where Permissions are being used is the management of Groups. A user that has been granted Group Permissions can log in to the console and either manage, read, delete, or update the Group based on the Permissions they have been granted. Users can delegate their same Permissions to others, or delegate more restrictive Permissions.
Creating Group Permissions
Creating Group Permissions allows you to assign group permissions to other users. You can only assign a permission that you currently have.
1. On the Group detail page, click the Permissions tab, search for a user in the search box by typing the name of the user, or selecting the user from the drop-down list, and click Add Permission.
2. After you click Add Permission, the user will be added under the User column of the Permissions tab. The check boxes that display next to the user resemble what displays on the Role detail page. When you select any of the check boxes, your changes will automatically be saved, and a green success message displays in the bottom right corner.
3. For example, a user might be able only to Read and Update the Finance Group because that is the only Permission the user has. The level of access a user has depends on the user’s Roles and Permissions. Roles are primary, and Permissions are secondary. For example, if a user only has a Permission on a single group (without any Roles), then the user will only see that single group.
The user is not required to have a role to log into the Machina Console, and only needs a permission to read one group to be able to log in as a simple user with the most limited access.
4. The Info tooltips allow you to view the details of a scope before selecting it. Simply hover your mouse over the info icon to view the details.
5. After adding the desired permissions for a user, you can access the User detail page, and select the Permissions tab to view all the permissions allowed for this user. The User detail Permissions tab is Read-only and is only visible to users who have the users:read scope.
You can edit group permissions for a user by accessing the Permissions tab on the Group detail page and selecting the desired scopes. You can only assign a permission that you currently have.
You can delete group permissions for a user by accessing the Permissions tab on the Group detail page, hovering your mouse over the user and clicking Remove. You can only delete a permission if you have all the scopes that the permission has. In this case, you must have the ability to update a group (group:update) and the ability to delete a group (group:delete).
Updating Groups
Update a group by clicking on the blue name of the group you want to edit. You can update the group Name and Description.
1. On the Groups > Manage tab, click a group, or hover your mouse over the group row and click the Update button that displays.
2. Edit the Name and Description if necessary.
3. Click the Update button.
Managing Groups
In addition to creating, importing, and updating groups, you can search for groups, delete groups, and view the history log. Furthermore, you can add and remove user profiles from groups.
Search for groups by using the search bar on the main Groups page.
Update the group Name, Description, and External ID by hovering your mouse over the group name, and clicking the Update button.
Delete a group by hovering your mouse over the group name, and clicking the Delete button.
Click the History tab on the Groups page. The resource link on the history record inspect dialog points to the versioned resource, and links to the corresponding page.
11: Managing Device Configuration
The Devices section contains a list of all devices that have been configured to an active, registered Ionic user. A device only displays in the list when it is successfully registered. You can determine which users do not have the latest device configuration. If a device is not configured with the latest application policies, a message displays informing you when an update was last requested.
You can search entries by Name (Device ID), User, Operating System, or Application. You can only change the Name of a device and Disable a device so it can no longer fetch or create keys, or retrieve a device configuration.
If you are using a Chrome browser plugin, and an IE browser plugin on the same device, they are logged as two separate devices and are registered separately.
Users must be registered before managing device configuration.
1. On the Devices > Manage tab, select a device.
2. To update the name of the device, hover your mouse over a device row, and click the Update button that displays.
To disable the device, click the Disable button.
3. Click the Enrollment tab to view detailed enrollment configuration information for a specific device.
4. To view device configuration and application policy settings by device, navigate to Devices, Select the specific Device ID you are targeting, and select the Configuration tab.
5. On the device detail page, select the History tab to view the history details associated with a device.
6. To view additional details, hover your mouse over a history record, and click the Inspect button.
7. To sort by most recently registered devices, click the arrow next to the Enrolled column.
8. Users with Policies:read and Devices:read scopes can access the device Activity view. Navigate to the Devices page and click the Activity tab.
9. The User column on the Devices > Activity page indicates the actions that a device has performed, either directly, or actions that another service has performed on behalf of that device.
10. To view device activity details, click the Activity tab, hover your mouse over a device activity record, and click the Inspect button that displays.
11. From the History tab, you can filter devices by Action, such as Created, Updated, Delete, or Error, by selecting Action from the first drop-down list, and using the search menu drop-down list to select an Action.
1. On the Devices > Manage tab, authorized and permitted administrators can delete one or multiple devices by selecting the device(s), selecting Delete from the Action drop-down list, and clicking the Apply to Selected button.
2. The administrator can also bulk select and enable or disable one or multiple devices on the page by selecting the device(s), selecting either Enable or Disable from the Action drop-down list, and clicking the Apply to Selected button.
3. A Confirm Delete Devices message displays. Click Delete to proceed.
The Apply to Selected button only displays if a check box is selected.
The bulk delete function only works in the active page. If you select users on multiple pages, the Apply to Selected option only deletes the users on the active page.
4. Administrators can also bulk delete devices from a user's detail page on the Devices tab.
12: Managing Keyspaces
The keyspaces section enables you to verify your key servers' connectivity to the Machina Console. Your company (or a third-party hosting service) operates multiple key servers — often located in more than one data center for redundancy — in conjunction with the console. As long as at least one key server is connected, your users can enroll, create and read secure documents. On the keyspaces page, you can view which of your key servers are online, how many connections they each have to the console, as well as other status details such as server up-time and running key server software versions.
Each key server has a unique shared secret used to establish secure communications with the console. This key is needed once, at deployment time. As a tenant administrator, you can view this secret, which must be shared with your IT team. This secret should be treated as confidential — the way you would protect a password or bank card PIN. You can show or hide the key server’s shared secret.
1. On the Keyspaces > Manage tab, select a keyspace.
2. To access the detail page for any key server, click on any of the key server links to reveal the key server’s shared secret, and enrollment portal and key server public keys.
3. To create a new key server, click the +Create Key Server button, and confirm.
4. Administrators can export the public key for the key servers and enrollment portal by clicking the copy button. These public keys are used to support some advanced configurations that most Ionic customers may not use.
· Enrollment Portal Public Key: Used at deployment time to configure the enrollment portal of another key space to trust this enrollment portal for user enrollment purposes.
· Key Server Public Key: Used by certain web applications to verify that a user is using an Ionic-enabled web client.
After you copy the key, a green success message displays in the bottom right corner.
5. [Enrollment Portal Public Key] Paste the key into a configuration file for another enrollment portal.
6. [Key Server Public Key] Paste into the configuration file of a web application.
7. To view the connection status for each key server, hover your mouse over the number in the Connections column.
When viewing the information for a key server, the key server state can be modified using the Requested State drop-down option. These options allow users who have been assigned the correct scopes to alter the state of the selected key server.
Information regarding the available states is listed below:
In Service - Read/Write: The selected Key Server is in Service and actively being used to read and write incoming key requests as necessary.
In Service - Read Only: The selected Key Server is in service and actively reading incoming requests but cannot write key requests.
Out of Service - Requested: The selected key server has been taken out of service and is not active.
Visibility into the keyspaces and key servers sections can be defined via separate scopes, allowing certain Admin users to view their assigned keyspaces, while keeping the detailed key server information hidden from other users.
Select a role to update under the Roles > Manage tab in the Machina Console to define the following scopes:
The Read and creds read Scopes under Keyservers enable granular access controls to the information available under the Keyservers section of the console.
The Read Scope under keyspaces provides read only access to Keyspace information. If this scope is not enabled, users will not see the Keyspaces section.
13: History Overview
The History page keeps a record of all activity on the currently selected tenant. The entries are stored by version. If an update occurs to a resource, the previous version, as well as the current version, will be accessible from the links on the History page.
Using the History page
After accessing the History function, a table will show the recent activity that has occurred for the current tenant. The resources shown can be used to view the resource's information in the Ionic Dashboard.
The History page keeps a record of the Resource Type, Action taken, Date, Changed By, and method of Access used. If an error is listed in the Action column, the error code, as well as an explanation of the error code will be listed in the column.
Accessing Resource Pages
Resources are displayed under the Name column. Clicking a resource link takes you directly to the resource's page in the Ionic Dashboard.
The resources are stored according to their version number, which allows you to access previous states for the listed resources.
Resources that have been deleted will be marked with Deleted in the Action column.
Deleted resources can still be accessed from the History page; however, the resource page will note that the current version of the resource has been deleted.
Deleted Resources can be viewed, but not edited.
14: Settings Overview
You can configure specific settings in the Machina Console. Configurable options include: Enrollment, Identity Management, Cloud Discovery, and Access Security.
Each category contains options that are configurable:
Enrollment
· Global Just-In-Time User Enrollment
· Enrollment Manager URL
Identity Management
· Ionic Admin Console SAML Authentication settings
Cloud Discovery
· Enable Cloud Discovery
Access Security
· Password Strength
· Session Timeout
· Account Lockout Threshold for Invalid Login Attempts
Configuring the Enrollment Settings
The Enrollment settings tab enables you to add an Enrollment Manager URL. The Enrollment URL assigns a key space ID to the plugin so that when the plugin goes in to start swapping keys, a key space ID is already assigned. All enrollment information and key information is held by the company and encrypted.
1. Click the Enrollment tab in the Settings section.
2. Enter an Enrollment Manager URL into the field provided.
3. Click the Save button in the top right corner of the Enrollment tab.
You must click the Save button to save your changes.
To refresh the page back to the default setting, click the Reset button.
A list of all enrollment configurations across all tenant keyspaces displays on the Enrollment tab and links directly to the selected Keyspace's Enrollment Configurations tab.
Configuring Identity Management
SCIM Authentication
Access to the SCIM interface is controlled using Basic Authentication over HTTPS. Create an API Access Account and Manage API Access Accounts in the Identity Management section of the Settings tab in the Admin Console.
1. Click the Identity Management tab in the Settings section.
2. In the SCIM Authentication section, click the Create API Access Account button.
3. Complete the required fields using the specifications provided.
4. Click the Create button.
1. In the SCIM Authentication section, click the Manage API Access Accounts button.
After you click the Manage API Access Accounts button, you are redirected to the Users page in the Admin Console to manage API access accounts.
2. To update an API access account, hover your mouse over the access account row to display the Update, Disable, and Delete buttons.
3. Click the Update button to display the Update User dialog.
4. Update the corresponding fields.
5. Click the Update button.
6. To disable an API access account, click the Disable button.
7. To delete an API access account, click the Delete button.
Confirm your request to disable or delete an API access account by clicking Confirm or Cancel.
Exclusive SAML SSO Dashboard Authentication
If this setting is enabled, tenant administrators are required to log in to the dashboard through SAML SSO. The ability to log in with Ionic's email/password combination is removed.
1. In the Exclusive SAML SSO Dashboard Authentication section of the Identity Management tab, select the Enable Exclusive SAML SSO Dashboard Authentication check box.
When SAML Single Sign On is not enabled, Tenant Administrators will not be allowed to enable Exclusive SAML SSO. This prevents Administrators from being locked out of the Admin Console with no ability to log in.
2. Click Save.
Ionic User Identity Field
The field in the user record stored by Ionic that is used to uniquely identify a user when matching a SAML 2.0 assertion (see the SAML 2.0 Assertion Identity Field Name section below) or managing users via the SCIM API.
1. In the Ionic User Identity Field section of the Identity Management tab, click the up/down arrow button to display a list of options.
2. Select an option from the list.
3. Click the Save button in the top right corner of the Identity Management tab.
You must click the Save button to save your changes.
To refresh the page back to the default setting, click the Reset button.
SAML 2.0 Assertion Identity Field Name
The name of the field in the SAML 2.0 assertion that Ionic Security uses to identify the user; the value of this field must match the value of the Ionic User Identity Field (see the Ionic User Identity Field section above).
1. In the SAML 2.0 Assertion Identity Field Name section of the Identity Management tab, enter the name of the field.
2. Click the Save button in the top right corner of the Identity Management tab.
You must click the Save button to save your changes.
SAML 2.0 Identity Provider Metadata XML
This configuration is used to set up SAML based authentication with an identity provider for Machina Console logins. The Metadata XML can be obtained from the Identity Provider and pasted directly into the console. If the Identity Provider endpoint is available, an option to use Enterprise Single Sign On displays when signing into the console.
1. In the SAML 2.0 Identity Provider Metadata XML section of the Identity Management tab, you can view the configuration information.
2. Edit the configuration information to match your Identity Provider configuration needs.
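Before pasting Identity Provider metadata into the console, it is worth checking that the XML is actually IdP metadata and carries what the console needs for the Enterprise Single Sign On option to work: an entityID, an IDPSSODescriptor, an HTTPS single sign-on endpoint, and a signing certificate. The following pre-check is an added example and is not Ionic's code; it uses the standard SAML 2.0 metadata namespaces, and the two metadata documents are constructed samples (the certificate is a labelled placeholder, not a real X.509 certificate).

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from typing import Dict

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholder for the example; not a real certificate.
PLACEHOLDER_CERT = base64.b64encode(b"constructed placeholder, not a real X.509 certificate").decode()

# Constructed sample of well-formed IdP metadata.
GOOD_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {PLACEHOLDER_CERT}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.com/sso"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample with two defects: a plaintext SSO endpoint and no signing key.
BAD_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="http://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text: str) -> Dict[str, object]:
    """Parse IdP metadata and report what the console needs plus any problems found."""
    result: Dict[str, object] = {"entity_id": None, "sso_endpoints": {}, "signing_certs": 0, "problems": []}
    problems = result["problems"]
    try:
        # For metadata from an untrusted source, parse with defusedxml instead of ElementTree.
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        problems.append(f"metadata is not well-formed XML: {exc}")
        return result
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        problems.append("root element is not md:EntityDescriptor")
        return result
    result["entity_id"] = root.get("entityID")
    if not result["entity_id"]:
        problems.append("entityID attribute is missing")
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        problems.append("no IDPSSODescriptor: this is not identity provider metadata")
        return result
    # Single sign-on endpoints: the console redirects or posts the browser here.
    for sso in idp.findall(f"{{{MD_NS}}}SingleSignOnService"):
        binding, location = sso.get("Binding"), sso.get("Location", "")
        if binding in (HTTP_POST, HTTP_REDIRECT):
            result["sso_endpoints"][binding] = location
            if not location.startswith("https://"):
                problems.append(f"SingleSignOnService Location is not https: {location}")
    if not result["sso_endpoints"]:
        problems.append("no SingleSignOnService with HTTP-POST or HTTP-Redirect binding")
    # Signing keys: without one, assertion signatures cannot be verified.
    for key_desc in idp.findall(f"{{{MD_NS}}}KeyDescriptor"):
        if key_desc.get("use", "signing") != "signing":   # an omitted use attribute allows signing
            continue
        for cert in key_desc.iter(f"{{{DS_NS}}}X509Certificate"):
            try:
                base64.b64decode("".join((cert.text or "").split()), validate=True)
                result["signing_certs"] += 1
            except binascii.Error:
                problems.append("signing certificate is not valid base64")
    if result["signing_certs"] == 0:
        problems.append("no signing certificate: assertion signatures cannot be verified")
    return result
```

Run `check_idp_metadata` over the metadata you received from the IdP and only paste it into the console when the `problems` list is empty; a non-HTTPS endpoint or a missing signing key is the kind of defect that surfaces later as a failed login rather than as a clear error in the console.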
Configuring Access Security
The Access Security tab enables you to change the password strength requirements by length and composition. You can require passwords to include lowercase and/or uppercase letters, numbers, and/or special characters. After the password requirements are set, they are in effect the next time an administrator creates a new password.
1. Click the Settings > Access Security tab.
2. Enter a number in the Minimum Length field.
· The minimum required length of the password is 10 characters.
3. Select the corresponding check boxes to require lowercase or uppercase letters, numbers, or special characters.
· By default, the password you create requires at least one uppercase letter and at least one number.
4. In the Session > Timeout field, set the timeout parameter in minute increments.
· The default setting for Session Timeout is 15 minutes.
· The minimum value for Session Timeout is 1 minute.
· The maximum value for Session Timeout is 60 minutes.
5. In the Max Login Attempts field, set the Lockout Threshold: the number of consecutive times an Administrator can enter the wrong password before their login permissions are suspended (i.e., they are "locked out").
· The recommended setting for Lockout Threshold is 3 attempts.
· The minimum value for Lockout Threshold is 1 attempt (lockout on any incorrect password).
6. In the Lockout Duration field, set the Lockout Reset time: the amount of time an Administrator must wait until their account is automatically unlocked and they can try to log in again.
· The recommended Lockout Reset time is 24 hours.
· The minimum value for Lockout Reset time is 1 minute.
7. Click the Save button in the top right corner of the Access Security tab.
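The settings above combine into one access policy: a composition rule for new passwords, an idle timeout for sessions, and a lockout that trips after a number of consecutive failures and clears itself after the lockout duration. The following reference implementation is an added example, not Ionic's code, showing how those values interact; the class and function names are assumptions, the defaults and bounds are the ones stated in this section, and times are integer minutes so the example needs no clock.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AccessSecurityPolicy:
    """Tenant-wide settings as described on the Access Security tab (assumed class)."""
    min_length: int = 10                 # console minimum: 10 characters
    require_lowercase: bool = False
    require_uppercase: bool = True       # required by default
    require_number: bool = True          # required by default
    require_special: bool = False
    session_timeout_min: int = 15        # default 15, allowed range 1..60 minutes
    max_login_attempts: int = 3          # recommended lockout threshold
    lockout_duration_min: int = 24 * 60  # recommended lockout reset time: 24 hours

    def __post_init__(self) -> None:
        # Reject values outside the ranges the console accepts.
        if self.min_length < 10:
            raise ValueError("minimum password length is 10")
        if not 1 <= self.session_timeout_min <= 60:
            raise ValueError("session timeout must be 1..60 minutes")
        if self.max_login_attempts < 1:
            raise ValueError("lockout threshold must be at least 1")
        if self.lockout_duration_min < 1:
            raise ValueError("lockout duration must be at least 1 minute")

    def password_problems(self, password: str) -> List[str]:
        """Return every requirement the candidate password fails (empty list = accepted)."""
        problems: List[str] = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_lowercase and not any(c.islower() for c in password):
            problems.append("no lowercase letter")
        if self.require_uppercase and not any(c.isupper() for c in password):
            problems.append("no uppercase letter")
        if self.require_number and not any(c.isdigit() for c in password):
            problems.append("no number")
        if self.require_special and not any(not c.isalnum() and not c.isspace() for c in password):
            problems.append("no special character")
        return problems

    def session_expired(self, last_activity_min: int, now_min: int) -> bool:
        """A session is idle-expired once the timeout has elapsed since its last activity."""
        return now_min - last_activity_min >= self.session_timeout_min


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until_min: Optional[int] = None


class LoginGuard:
    """Applies the lockout threshold and lockout duration to administrator logins.
    Credentials are plain strings for brevity; a real system compares password hashes."""

    def __init__(self, policy: AccessSecurityPolicy, credentials: Dict[str, str]) -> None:
        self.policy = policy
        self._credentials = credentials
        self._state: Dict[str, AccountState] = {}

    def attempt(self, username: str, password: str, now_min: int) -> str:
        """Return "ok", "invalid" or "locked"."""
        state = self._state.setdefault(username, AccountState())
        if state.locked_until_min is not None:
            if now_min < state.locked_until_min:
                return "locked"             # still inside the lockout window
            state.locked_until_min = None   # lockout reset time elapsed: automatic unlock
            state.failed_attempts = 0
        expected = self._credentials.get(username, "")
        if username in self._credentials and hmac.compare_digest(expected.encode(), password.encode()):
            state.failed_attempts = 0       # a successful login clears the failure counter
            return "ok"
        state.failed_attempts += 1          # unknown usernames are counted too, so probing is throttled
        if state.failed_attempts >= self.policy.max_login_attempts:
            state.locked_until_min = now_min + self.policy.lockout_duration_min
            return "locked"
        return "invalid"
```

With the defaults, the third wrong password in a row locks the account, a correct password during the next 24 hours is still refused, and the first attempt after the lockout duration is evaluated normally again. Note that the lockout counts consecutive failures per account, so lowering the threshold to 1 locks out on any typo; the recommended value of 3 is the trade-off the guide suggests.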
Configuring Products
You can configure the products you would like to make available for your users to download.
It may take several minutes for saved changes to take effect.
1. Click the Products tab from the Main menu.
2. On the Manage tab, make your selections in the Version column using the drop-down lists.
Use the search bar to find specific products.
3. When you select a version from the drop-down list, a Confirm Change Product Version dialog displays. Click Change to continue.
4. To disable a product, hover your mouse over the product row, and click the Disable button.
5. You will be asked to confirm when enabling or disabling a product.
Configuring Cloud Discovery
Cloud Discovery measures the amount of outbound data sent through Internet Explorer, Firefox, or Chrome by users with the Ionic Security plugin installed on their device. Enable or disable tracking for Cloud Discovery in the Settings section of the Machina Console.
1. Click the Settings > Cloud Discovery tab.
2. Select the Enable Cloud Discovery check box.
3. To disable tracking for Cloud Discovery, deselect the Enable Cloud Discovery check box.
4. Click the Save button.
You must click the Save button to save your changes.
By default, the Enable Cloud Discovery check box is selected.
To refresh the page back to the default setting, click the Reset button.
Configuring Billing
On the Billing tab in the Settings section of the Machina Console, you can view and configure the current billing information for your Machina instance.
Navigate to the Settings tab and select Billing to view the Instance's current account information.
The Account Standing, Tier, Product, and Product Description information all reflect the current standing of your user account. Additional information about these fields can be found below:
The Account Standing field will display one of the following statuses:
Good - All credit card information is accurate and valid, and the account is not exceeding any transaction level
Warn - The account is nearing its transaction limit
Read Only - The account is in the read-only state
Disabled - The account has been disabled due to credit card expiration or other payment problems
The Tier field indicates which level of Machina your instance is currently enrolled in:
Pro - This instance was created using the Start for Free portal; this tier is free for the first 1000 transactions, after which pricing follows the model listed on ionic.com
Enterprise - An instance based on a direct contract with Ionic
The Billing tab displays the account information associated with the Machina Console as well as the payment method form used for billing.
You can enter your credit card information into the form.
Credit card information entered into the billing form is saved, and you are billed according to your usage of the Machina Console and its features. More information about this billing structure, the prices, and the current usage thresholds can be found at www.ionic.com/pricing.
Please note that the info bar at the top of the Machina Console persists until an upgrade to the paid version is detected. Clicking the info bar text takes you directly to the Billing tab.
15: Enrollment Configurations
The Enrollment Configurations tab on the Keyspace detail page displays the enrollment configurations in a list. Each of the enrollment configurations have a corresponding detail page.
1. Click the Keyspaces > Manage tab > select a Keyspace > click the Enrollment Configurations tab.
2. When you select an enrollment configuration from the list, the detail page displays. The detail page contains three tabs – User Management, Enrollments, and History.
The Source field indicates how the device was registered.
An enrollment configuration will only display after a device has successfully been enrolled using that authentication source. This is commonly done during enrollment configuration testing.
If New User Creation is ENABLED, and the User Identity Field in the Settings tab does not match the Assign User Fields mappings, a warning message will display on the Enrollment Configuration detail page. For example, if you change the User Identity Field setting on the Settings > Identity Management tab to External ID, but the Assign User Fields section is missing the External ID mapping, the Save button becomes disabled, and the following warning message displays: “You are missing the mapping of an assertion field to the Ionic user identity field External ID. New users will not be able to be created!”
In this case, every new user will fail to be created because this mapping is missing. When you add the External ID mapping back to the Assign User Fields section, the Save button becomes enabled.
The Create New Users toggle can only be enabled when a valid mapping exists.
3. Use the drop-down lists in the Assign User Fields section to map Assertion Fields to User fields. After selecting the fields, click +Add Mapping.
Assertion fields and User Identity fields are populated from the Settings > Identity Management tab.
You can delete a mapped entry by hovering over the row and clicking Remove Mapping.
4. Use the drop-down lists in the Assign User Groups section to assign user groups. After selecting the group, click +Add Group. When a device is enrolled, the associated user is assigned to the selected groups.
When you Assign User Groups, and then try to delete the group from the Groups page, an Error Report message will display stating that the group is referenced by an enrollment configuration and cannot be deleted.
You can either click the toaster message to view the error report, or access the Groups > History tab and click View Error Report.
The Error Report includes the Error Details, Resource, and Response Body tabs.
5. To view the recent enrollments in a list format, click the Enrollments tab. Each enrollment you select links to the device detail page of the associated device.
6. To view additional enrollment details, hover your mouse over the enrollment, and click the Inspect button that displays.
Enrollment errors will be returned in the Enrollment Configuration. You can also view the enrollment errors on the Device > History tab.
7. To view Enrollment Configuration history details, click the History tab, hover your mouse over the row, and click the Inspect button that displays.
This view includes the Compare to Previous and Request Body tabs.
8. Select the Show unchanged fields check box to expand the view and compare the current version to a previous version.
9. To update an enrollment configuration, hover your mouse over the row and click the Update button that displays.
10. On the Update Enrollment Configuration dialog, edit the fields, and click Update.
The Notifications setting allows an administrator that has the ability to manage Enrollment Configurations for a keyspace to enable or disable device enrollment notifications. This setting is enabled by default.
When the Enabled check box is selected, a notification email will be sent to the user every time a device is enrolled and associated with their account.
You may want to disable notifications if numerous headless endpoints are connected to the same user account, or when rolling out enrollment to users in a silent manner.
Enrollment Configuration Reference List
ID
The ID field is created by default when a new enrollment configuration is created. It specifies the keyspace, authentication method type, tenant ID, and authentication method instance for devices enrolling with this configuration.
Display Name
The Display Name is created by default when a new enrollment configuration is created. This can be modified by updating the Enrollment Configuration.
Match Existing Users
When devices are being enrolled and associated to users in Ionic, the identity source may return assertions or tokens that contain attributes about the user. These assertion attributes are mapped to user attributes in the Machina Console so that the device is associated to the correct user. The Assertion Field is configured with the name of the assertion attribute containing the value for a user identifier. The User Field can be set to either Email, Domain UPN, or External ID depending on which field maps to the assertion attribute.
Existing User Update
When enabled, this feature will update an existing user in the Admin Console with the values returned in the assertion attributes.
New User Creation
When enabled, this feature will automatically create a user in the Machina Console and associate the device being enrolled to that user. The user attributes provided in the assertion will be used to populate the user fields in Ionic.com.
Enrollment User Look-up with Multiple Values
We support multiple values for an assertion attribute that can be mapped to an Ionic user attribute. Ionic.com will attempt to match an existing Ionic user using any one of the values that is returned in the assertion attribute. Ionic can also support an assertion attribute that has encoded Comma Separated Values (CSV).
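The user look-up described here, together with the Ionic User Identity Field and SAML 2.0 Assertion Identity Field Name settings and the "missing mapping" warning shown on the Enrollment Configuration detail page, can be followed end to end in code. The following is an added example and not Ionic's implementation: it parses the attribute statement of a constructed SAML assertion (not captured from a real IdP), flattens multi-valued and CSV-encoded attribute values, reproduces the warning that New User Creation raises when no assertion field is mapped to the identity field, and then matches or creates a user. The `EnrollmentConfig` class, the function names, and the in-memory user directory are assumptions.

```python
import csv
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion. The "upn" attribute carries two AttributeValue
# elements, and the second of them is itself CSV-encoded.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="employeeID"><saml:AttributeValue>E-1001</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="upn">
      <saml:AttributeValue>alice@corp.example.com</saml:AttributeValue>
      <saml:AttributeValue>a.smith@corp.example.com,alice@legacy.example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def assertion_attributes(xml_text: str) -> Dict[str, List[str]]:
    """Collect every value per attribute Name. A single AttributeValue that is
    CSV-encoded is split into its parts, so multi-valued attributes come out flat."""
    root = ET.fromstring(xml_text)  # signature and issuer validation are assumed to happen before this step
    attrs: Dict[str, List[str]] = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values: List[str] = []
        for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            row = next(csv.reader([(value.text or "").strip()]), [])
            values.extend(part.strip() for part in row if part.strip())
        attrs[attr.get("Name", "")] = values
    return attrs


@dataclass
class EnrollmentConfig:
    """Assumed model of one enrollment configuration plus the tenant identity setting."""
    mappings: Dict[str, str]        # Assign User Fields: assertion field -> user field
    user_identity_field: str        # Settings > Identity Management > Ionic User Identity Field
    new_user_creation: bool = True
    existing_user_update: bool = False


def mapping_warning(cfg: EnrollmentConfig) -> Optional[str]:
    """The warning the detail page shows when New User Creation is enabled but no
    assertion field is mapped to the configured user identity field."""
    if cfg.new_user_creation and cfg.user_identity_field not in cfg.mappings.values():
        return ("You are missing the mapping of an assertion field to the Ionic user identity "
                f"field {cfg.user_identity_field}. New users will not be able to be created!")
    return None


def resolve_user(cfg: EnrollmentConfig, attrs: Dict[str, List[str]],
                 directory: List[Dict[str, str]]) -> Tuple[str, Optional[Dict[str, str]]]:
    """Match an existing user by any value mapped to the identity field; otherwise
    create one when New User Creation is enabled and a mapped identity value exists."""
    identity_values = [v for afield, ufield in cfg.mappings.items()
                       if ufield == cfg.user_identity_field for v in attrs.get(afield, [])]
    # User fields populated from the assertion (first value of each mapped attribute).
    mapped = {ufield: attrs[afield][0] for afield, ufield in cfg.mappings.items() if attrs.get(afield)}
    for user in directory:
        if user.get(cfg.user_identity_field) in identity_values:
            if cfg.existing_user_update:
                user.update(mapped)
            return "matched", user
    if cfg.new_user_creation and cfg.user_identity_field in mapped:
        directory.append(mapped)
        return "created", mapped
    return "no_match", None       # no existing user and no usable identity value: enrollment fails
```

Two behaviours are worth noticing when you run this. First, a user whose stored Domain UPN is `alice@legacy.example.com` is still matched, because any one of the three values carried by the `upn` attribute is enough. Second, with the identity field set to External ID and no assertion field mapped to it, `mapping_warning` returns the console's warning text and `resolve_user` can neither match nor create a user, which is exactly the failure the detail page is warning about.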
16: Admin Console Logging Record History
The History feature enables you to keep a record of all tasks that a Machina Console user has performed on a given date for a specific record. It contains general information for the history of items that have been created, deleted, or updated in the console. Furthermore, if an error occurs, you can view the details associated with the error by inspecting the data that was processed.
1. Select one of the following sections: Applications, Data Policies, Data Markings, Roles, Users, Groups, or Devices.
2. Click the History tab.
The Changed By field is the user that created, updated, or deleted a record. The Name field is the actual record, such as the application, data policy, data marking, user, or group.
Create a custom search by typing: created, updated, deleted, or error in the Search By field.
The Applications and Data Policies sections also include a Version column.
3. Hover your mouse over a record, and click the Inspect button.
An example detailed view of a created user profile is shown below:
An example detailed view of an error that occurred is shown below:
The Compare to Previous tab displays on the Users, Groups, and Roles inspect modal accessed from the History tab, and only displays for versions greater than 1.
The resource link on the history record inspect dialog points to the versioned resource, and links to the corresponding page.