SafeConsole- Central Management Server & USB Management Software
Instantly gain complete and granular control
over all of your encrypted USB flash drives and portable hard drives
with the SafeConsole central management server software:
- Achieve compliance for USB storage usage, with full control and audit.
- Keep the productivity benefits of USB storage devices – without the risks of malware, data leaks and breaches.
Available as an on-premises software or as a DataLocker hosted cloud service with worldwide locations.
SafeConsole Features Overview
SafeConsole USB Management Benefits
3 Major Reasons to Choose SafeConsoleReady Devices
A SafeConsoleReady secure USB drive can be managed by the SafeConsole central device management server software.
- Unsecure USB Drives Spread Malware.
SafeConsoleReady secure USB drives fight malware. - Unsecure USB Drives are Data Leak Tools.
SafeConsoleReady secure USB drives are audited and can be remotely killed by the organization using SafeConsole. - Unsecure USB Drives Cause Data Breaches.
SafeConsoleReady hardware encrypted secure USB drives enforce protection of all stored data.
SafeConsoleReady Devices
DataLocker offers a full range of SafeConsoleReady secure USB flash drives and encrypted hard drives.
SONE[004-128][M*]
* Managed version requires a SafeConsole license (sold separately)
DataLocker – Sentry K300 – SKUs
SK300-[008-256]
DataLocker – DL3 – SKUs
DL[xxxx]V3
DataLocker – DL3FE – SKUs
FE[xxxx][RFID][SSD]
DataLocker – H300 (client 6.0 or later) – SKUs
MXKB1B500G5001-B, MXKB1B001T5001-B, MXKB1B002T5001-B, MXKB1B500G5001-E*, MXKB1B001T5001-E*, MXKB1B002T5001-E*
* Requires IronKey EMS license or SafeConsole license (sold separately)
DataLocker – H350 (client 6.0 or later) – SKUs
MXKB1B500G5001FIPS-B, MXKB1B001T5001FIPS-B, MXKB1B002T5001FIPS-B, MXKB1B500G5001FIPS-E*, MXKB1B001T5001FIPS-E*, MXKB1B002T5001FIPS-E*, DL-H350-0500SSD-B, DL-H350-1000SSD-B, DL-H350-0500SSD-E*, DL-H350-1000SSD-E*
* Requires IronKey EMS license or SafeConsole license (sold separately)
DataLocker – PortBlocker – SKUs
PBM-1, PBM-3
Legacy devices supported – DataLocker Sentry 3 FIPS, DataLocker Sentry EMS (client 6.0 or later), and DataLocker SafeStick
SafeConsoleReady Vendors
DataTraveler 4000 G2 – FIPS 140-2 level 3 – SKUs
DT4000G2DM/4GB, DT4000G2DM/8GB, DT4000G2DM/16GB, DT4000G2DM/32GB, DT4000G2DM/64GB
IronKey D300SM – FIPS 140-2 level 3 – SKUs
IKD300SM/4GB, IKD300SM/8GB, IKD300SM/16GB, IKD300SM/32GB, IKD300SM/64GB, IKD300SM/128GB
IronKey S1000 (client version 6.2.2 or later) – FIPS 140-2 level – SKUs
IKS1000B/4GB, IKS1000B/8GB, IKS1000B/16GB, IKS1000B/32GB, IKS1000B/64GB, IKS1000B/128GB
IKS1000E/4G**B ,IKS1000E/8GB**, IKS1000E/16GB**, IKS1000E/32GB**, IKS1000E/64GB**, IKS1000E/128GB**
** Requires IronKey EMS license or SafeConsole license (sold separately)
Legacy devices supported – DataTraveler Vault Privacy 3.0 and IronKey D300M
SC100 Encrypted USB 3.0 Drive SKUs
SC100-4GB, SC100-8GB, SC100-16GB, SC100-32GB, SC100-64GB
Core Features of a SafeConsole Ready Device
SafeConsole USB Port Lock Down
Managed by SafeConsole, PortBlocker is a simply secure approach to limiting USB mass storage access to allow only approved SafeConsole Ready Devices. DataLocker PortBlocker ensures that nothing except for the whitelisted devices can be used as USB mass storage devices on the machines PortBlocker is installed on. PortBlocker is an add-on feature of SafeConsole. Learn more about locking down USB ports ->
SafeConsole Anti-Malware Protection
SafeConsole Ready Devices are available with antivirus protection powered by McAfee. McAfee blocks viruses, ransomware, spyware, and any other malware threats and reports to SafeConsole when the viruses and malware are removed. With no installation required, anti-malware activation is available as an added feature with your current or new SafeConsole account. Learn more about Anti-malware Protection ->
SafeConsole Supports Single Sign-On (SSO)
SafeConsole’s web portal login supports Single Sign-On. SafeConsole Administrators can now log in through 8 major SSO providers including: Microsoft ADFS, G Suite, Microsoft Azure, OneLogin, Okta, PingIdentity, PingFederate, and Microsoft AD.
SafeConsole Management Software Deployment Options
SafeConsole Cloud – SaaS hosted by DataLocker world-wide
- Up and running in minutes
- No user content is stored on the cloud
- Your dedicated server can be hosted in your choice of cities around the globe
Why SafeConsole Cloud?
The SafeConsole Cloud (SCC) hosted service is the easiest and quickest way to get you organization managing and securing your encrypted SafeConsoleReady® devices.
- SCC is a single tenant solution. Your custom cloud hosted service is dedicated to only your organization.
- You can choose where to host your server, Amsterdam, Frankfurt, London, New York, San Francisco or Singapore to meet regulatory requirements.
- All network traffic is encrypted.
- Absolutely no client data is stored on the service.
PCI Compliance
For SafeConsole Cloud, our data centers have been certified by national and/or international security standards. Also, please note that SafeConsole Cloud is a single tenant solution, meaning that only your company’s service is hosted that specific virtual server. Also, no actual data from the storage products is saved on the cloud. Only SafeConsole, the management console, is hosted on the cloud.
- The New York facility is SSAE16 SOC-1 Type II certified.
- The Amsterdam facility is ISO27001:2005 and ISO9001 certified.
- The San Francisco facility is SSAE16 SOC-1 Type II certified.
- The Singapore facility is ISO27001:2005 certified.
- The London facility is ISO9001:2008, ISO27001, and SSAE16 / ISAE 3402 certified.
- The Frankfurt facility is ISO9001:2008, ISO27001:2005, and ISO22301:2012 certified.
- The Toronto facility will be SSAE16 SOC-1 and SOC-2 compliant in December, 2015.
SafeConsole On-Prem – installed on your own Windows server
SafeConsole On-Prem is easy to deploy if your organization requires an on-premises or hybrid cloud solution:
- Requires a dedicated Windows-based server
- Log in and manage from anywhere
- Administrators can authenticate to access SafeConsole with their AD credentials.
- Ideal for deployments of 300+ drives
Minimum Requirements
- Pentium Quad Core or higher class system
- 2GHz or faster CPU minimum
- Windows Server 2003, 2008, 2012 or 2016.
- 4GB of free RAM
- 20GB of free hard disk space required
SafeConsole Central USB Management Features & Resources
Reset passwords remotely over any channel. Administrators can get remote offline users back to work within minutes, without any loss of stored data. The short 8-character recovery codes are easily read over the phone yet maintaining the robust security of a 128-character code using a pre-buffer method. No data is lost and the process is protected against social engineering directed against the helpdesk. The user password is never exposed and there is NO master password. Read the Password Management Best Practice Paper.
Password Policy
Ensure that all data is protected by strong, compliant passwords by enforcing password policies on the devices.
Device auditing makes taking stock of the entire portfolio of SafeConsoleReady devices easy as it creates an automatic inventory list. The logs then include unsuccessful unlocking attempts, device states and log-ins. This gives the administrator a full overview of all drives in use in the organization.
Detailed File Auditing – Achieve Compliance Requirements
Detailed File Auditing is an extension of the Device Audit. It allows an administrator to see what files have been copied to or deleted from the devices, as well as a trail of the files that have had their names changed.
Device State Management – Full Control Over Devices
As an extra security precaution when drives are lost, or to protect your organization’s sensitive information from access by former employees, you can remotely ‘kill’ rogue drives and erase them of all data. In the Device Overview in SafeConsole, an authorized administrator can set the device state to ‘killed’, ‘disabled’ and ‘lost’. Devices can later be recovered using the Remote Password Reset and/or Backup features. SafeConsole can also be set to handle the devices’ states entirely on autopilot. This will require the drives to return to base by connecting to the SafeConsole server within a configurable time period.
Lock down a secure USB drive after a configurable period of inactivity. Forgotten drives that are left behind in a computer will automatically lock down according to the set policy.
File Restrictor – Restrict File Types to be Stored EXE, MP3
A white-list approach prevents the storage of unauthorized file-types. Rogue files cannot reside on a SafeConsoleReady Device as it only allows storage of file-types specified by the administrator in the SafeConsole settings.
Authorized Autorun – Stop Autorun Viruses
The onboard autorun-protection that chokes self-copying viruses such as StuxNet and Conficker – by denying unauthorized autorun files from residing on the drive altogether.
Write Protection – Set Devices in Read-Only Mode
With Write Protection, users can set their drive in a read-only mode when unlocking it on non trusted machines and thereby gain protection from malware trying to infect the drive or its content. It is also possible for an administrator to enforce this protection when a user leaves the company network ensuring that no malware can be copied to the drives and brought back to the company.
Geolocation and Geofencing
Using IP-based location tracking, pinpoint the exact location of your encrypted endpoints anywhere in the world. With SafeConsole, you can also geofence your devices making them accessible only within specific geographic boundaries.
To prevent the spread of autorun malware, SafeConsoleReady devices overwrite the autorun.inf files stored on the encrypted storage volume, choking the effect of viruses such as Conficker. Specify trusted commands to enable authorized applications to autorun off the devices, allowing you to keep the benefits and convenience of autostarting working-tools while blocking gateways for malware infection.
Device User Information
Save time and pain – customize devices with user information for easy identification and secure lost and found.
By defining “token” questions, SafeConsole administrators can ask device users to enter unique information about themselves. The “token” information allows the administrator to create a custom message about the user under the About window to easily identify lost devices without requiring permission to unlock the drive.
Autostart applications that require a password to start can also make use of “token” information by assigning a token as a necessary password. This allows the application to launch without interruption.
The information is collected to the server and can be used to sort and search users and their devices.
Device User Settings
Configure device settings to tailor the SafeConsoleReady device to your needs (e.g. disallow users from factory-resetting their devices). It is also possible to enforce a user interface language and pre-approve the device warranty for quicker device deployment.
ZoneBuilder is a tool to create a “trusted zone” of computers that makes using your SafeConsole managed devices even more Simply Secure.
HOW TO CREATE A TRUSTED ZONE
1 White list the computer IP address in SafeConsole.
2 Plug-in your SafeConsoleReady storage device and enter the device password.
Your computer has been registered into your Trusted Zone!
WITHIN YOUR TRUSTED ZONE YOU CAN
RESTRICT device access to computers inside your Trusted Zone.
AUTO-UNLOCK your storage device eliminating the need to enter your password. It makes sharing files within your Trusted Zone quick and easy. This feature uses RSA client certificates for authentication.
USE CASE: DLP SOLUTION
Prevent your team from copying sensitive data from your Trusted Zone to an unknown computer.
THE BENEFIT
Only approved SafeConsole USB storage devices can be used within your trusted Zone and those devices cannot be used outside the Zone.
USE CASE: SECURE FILE SHARING
Sharing your encrypted device with the team using ‘Auto-unlock’ mode.
THE BENEFIT
The device owner does not have to share the device password when sharing files with other members within the trusted zone.
Feature Listing
SERVER DEPLOYMENT OPTIONS | SafeConsole 5 |
|---|---|
| US based datacenter | ⚫ |
| Private cloud server SaaS | ⚫ |
| World-wide cloud hosting options | ⚫ |
| Available as an On-Prem installation | Yes, Windows installable, automigrate from 4.7/4.9 |
| Compatible Devices | DataLocker Sentry ONE, SafeStick, Sentry K300, DL3 & DL3 FE, H350 hard drives, Origin SC100, Kingston DTVP30DM, DT4000DM, D300M, D300SM |
| Crossplatform Windows and select devices for Mac/ Linux | ⚫ |
| Forced management available? | ⚫ |
| Active directory integration | ⚫ |
| Browser based service interface | ⚫ |
| Automatic inventory directory of all users and devices | ⚫ |
| Self-service plug-and-play device deployment | ⚫ |
| Centrally enforce security policies of devices | ⚫ |
| Accessible from mobile device | ⚫ |
| Filter and sort data tables | ⚫ |
| Search for devices and users | ⚫ |
| Two-factor authentication to management system | Mobile text message or token |
| Deployment Wizard | ⚫ |
| Information Dashboard | ⚫ |
| Optimized for large enterprises | ⚫ |
| Admin and role management | ⚫ |
| Multiple administrator roles | ⚫ |
| Dynamic licensing | ⚫ |
| Integrated help text in the user interface | ⚫ |
| Export data in CSV format | ⚫ |
| Automated server updates | ⚫ |
| Server/device locked to organization with a certificate | ⚫ |
| Custom device password policy | ⚫ |
| Device remote password reset over phone or Internet (Challenge/Response - PKI). | ⚫ |
| Local device self-service password reset (PKI) using ZoneBuilder. | ⚫ |
| ZoneBuilder (automatic unlock on trusted user accounts) | ⚫ |
| Remotely reassign device to new user | ⚫ |
| Manage the device states. Automate with rules. | ⚫ |
| Self-service mark a device as “found” on sucessful unlock. | ⚫ |
| Offline restrictions for device usage | ⚫ |
| Custom return-to-owner message displayed on device if lost. | ⚫ |
| File Restrictions (white-list accepted file-types) anti-malware | ⚫ |
| Inactivity Lock management | ⚫ |
| Device/User audit (Excel, XML) | ⚫ |
| File audit (Excel, XML, Syslog) | ⚫ |
| Audit reports | ⚫ |
| Backup | Integration available |
| Publisher file distribution | ⚫ |
| ZoneBuilder (restrict devices to work on select machines) | ⚫ |
| Autorun applications | ⚫ |
| Enable users to unlock drives in write protected mode | ⚫ |
| Collect and use device user information. Sort and search based on collected information in the Device Overview. | ⚫ |
| Customize device “about” screen | ⚫ |
| Manage portable antivirus on the devices | McAfee |
| Geo location of devices | ⚫ |
| Geo fencing of devices | ⚫ |
| Remotely reset device. | ⚫ |
| Remotely kill devices | Zeroizes encryption keys |
| Remotely set device as disabled. | ⚫ |
| Remotely set device as lost or to deny access to the device. | ⚫ |
Resources
SafeConsole Part Numbers
You can select from three options:
- Base (SCC-BASE) + 1 year (SCC-DEV-1)
- Base(SCC-BASE) + 3 years (SCC-DEV-3) of device license.
The Base is a ‘one-time’ starter. A new account form is REQUIRED
| SafeConsole Cloud Base – one-time starter | SCC-BASE |
| SafeConsole Cloud Device License – 1 year | SCC-DEV-1 |
| SafeConsole Cloud Device License – 3 years | SCC-DEV-3 |
| SafeConsole Cloud Device License Renewal- 1 year | SCC-DEV-1R |
| SafeConsole Cloud Device License Renewal- 3 years | SCC-DEV-3R |
| Anti-Malware for SafeConsole Cloud (per device) – 1 year of Anti-MalwareService for a SafeConsole Ready Device. New or existing SafeConsole license required for each device. |
AMSCC-1 |
| Anti-Malware for SafeConsole Cloud (per device) – 3 years of Anti-MalwareService for a SafeConsole Ready Device. New or existing SafeConsole license required for each device. |
AMSCC-3 |
| RENEWAL: Anti-Malware for SafeConsole Cloud (per device) – 1 year of Anti-Malware Service for a SafeConsole Ready Device. New or existing SafeConsole license required for each device. |
AMSCC-1R |
| RENEWAL: Anti-Malware for SafeConsole Cloud (per device) – 3 years of Anti-Malware Service for a SafeConsole Ready Device. New or existing SafeConsole license required for each device. |
AMSCC-3R |
| SafeConsole Cloud with Anti-Malware (per device) – 1 year device license plus Anti-Malware for a SafeConsole Ready Device. | SCCAM-1 |
| SafeConsole Cloud with Anti-Malware (per device) – 3 years device license plus Anti-Malware for a SafeConsole Ready Device. | SCCAM-3 |
| RENEWAL: SafeConsole Cloud with Anti-Malware (per device) – 1 year device license plus Anti-Malware for a SafeConsole Ready Device | SCCAM-1R |
| RENEWAL: SafeConsole Cloud with Anti-Malware (per device) – 3 years device license plus Anti-Malware for a SafeConsole Ready Device. | SCCAM-3R |
You can select from three options:
- Base (SCOP-BASE) + 1 year (SCOP-DEV-1)
- Base(SCOP-BASE) + 3 years (SCOP-DEV-3) of device license.
The Base is a ‘one-time’ starter. A new account form is REQUIRED.
| SafeConsole On-Prem – one-time starter | SCOP-BASE |
| SafeConsole On-Prem Device License – 1 year | SCOP-DEV-1 |
| SafeConsole On-Prem Device License – 3 years | SCOP-DEV-3 |
| SafeConsole On-Prem Device License Renewal- 1 year | SCOP-DEV-1R |
| SafeConsole On-Prem Device License Renewal- 3 years | SCOP-DEV-3R |
| Anti-Malware for SafeConsole On-Prem (per device) – 1 year of Anti-Malware Service for a SafeConsole Ready Device. New or existing SafeConsole license required for each device. |
AMSCOP-1 |
| Anti-Malware for SafeConsole On-Prem (per device) – 3 years of Anti-Malware Service for a SafeConsole Ready Device. New or existing SafeConsole license required for each device. |
AMSCOP-3 |
| RENEWAL: Anti-Malware for SafeConsole On-Prem (per device) – 1 year of Anti-Malware Service for a SafeConsole Ready Device. New or existing SafeConsole license required for each device. | AMSCOP-1R |
| RENEWAL: Anti-Malware for SafeConsole On-Prem (per device) – 3 years of Anti-Malware Service for a SafeConsole Ready Device. New or existing SafeConsole license required for each device. | AMSCOP-3R |
| SafeConsole On-Prem with Anti-Malware (per device) – 1 year device license plus Anti-Malware for a SafeConsole Ready Device. | SCOPAM-1 |
| SafeConsole On-Prem with Anti-Malware (per device) – 3 years device license plus Anti-Malware for a SafeConsole Ready Device. | SCOPAM-3 |
| RENEWAL: SafeConsole On-Prem with Anti-Malware (per device) – 1 year device license plus Anti-Malware for a SafeConsole Ready Device. | SCOPAM-1R |
| RENEWAL: SafeConsole On-Prem with Anti-Malware (per device) – 3 years device license plus Anti-Malware for a SafeConsole Ready Device. | SCOPAM-3R |
