Application Resilience policies for Dell Encryption

You can activate an Application Resilience policy for Dell Encryption to collect information about the functional status of Dell Encryption installed on your Windows devices and view the results in reports. You can also configure the policy to attempt to repair or reinstall the application.

Application Resilience policies for Dell Encryption are supported on devices running:

  • a supported version of the Windows operating system

  • PowerShell version 5.1 or higher

    Due to PowerShell restrictions imposed by Microsoft, Application Resilience isn't supported for this application on devices running Windows 11 SE.

  • one of the following versions of Dell Encryption:

    • 11.x or higher

      Significant software changes in higher versions may cause health checks to become invalid.

    • 10.x

In addition to checking the version, the following table describes the health checks performed:

If you select Report higher versions as Compliant, higher versions report Compliant without running health checks.

Component Test performed
Services Installed Running Signed by
  • CMGShield (CmgShieldSvc.exe)
  • EMS (EMSService.exe)
 P P

One of the signers entered in the policy configuration

By default, Signers contains "Dell Inc".
Application name

The application uses one of the following names:

  • Dell Encryption 64-bit

  • Dell Encryption

In addition to checking the version, the following table describes the health checks performed:

Report higher versions as Compliant is not available.

Component Test performed
Services Installed Running Signed by
  • CMGShield (CMGShieldSvc.exe)
  • EMS (EMSService.exe)
 P P Dell Inc
Drivers Installed Running Signed by
  • CmgShieldFFE (CmgFFE.sys)
  • CmgPassThrough (CmgShPT.sys)
  • Credant PCS (CmgPCS.sys)
  • CMGShieldReg (CmgShREG.sys)
 P P Dell Inc
Application name

The application uses one of the following names:

  • Dell Encryption 64-bit

  • Dell Encryption

You can configure an Application Resilience policy for Dell Encryption to enable the Application Resilience (RAR) component A lightweight software component of the Secure Endpoint Agent that detects the status of third party applications installed on a device. The component may also attempt to repair the third party application if it is non-compliant. The RAR component is deployed on a device only when the device is associated with a customized policy group and that policy group's Application Resilience policy is activated. to attempt to repair Dell Encryption if it's not functioning, or reinstall it if it's missing or can't be repaired.

Depending on the Absolute product licenses associated with your account, the Report and repair and Report, repair, and reinstall options may not be available.

The RAR component of the Secure Endpoint Agent can respond to the following issues:

Issue

Resolution
Repair

One or more of the following services aren't running:

  • CMGShield (CmgShieldSvc.exe)
  • EMS (EMSService.exe)

The RAR component restarts each stopped service.

One or more of the following services aren't installed and the service's executable can be detected on the device:

  • CMGShield (CmgShieldSvc.exe)
  • EMS (EmsService.exe)

The RAR component reinstalls each missing service.
Reinstall

Downgrades are not supported. If the version installed on a device is higher than the expected version, no action is taken.

One or more of the following services aren't installed and the service's executable cannot be detected on the device:

  • CMGShield (CmgShieldSvc.exe)
  • EMS (EMSService.exe)

If the application is installed, the RAR component uninstalls it. After the application is uninstalled, or if the application wasn't installed, the RAR component downloads and installs the configured version of the application.

A device restart is required after the application is uninstalled. The Secure Endpoint Agent doesn't force the device to restart, so a status of Not Compliant continues to show in the Application Resilience reports until the device user performs a restart and the configured version of the application is downloaded and installed. You can review the report's Status details to determine if a restart is required.
Dell Encryption failed to be repaired, or the expected version isn't installed

You can configure an Application Resilience policy for Dell Encryption to enable the Application Resilience (RAR) component A lightweight software component of the Secure Endpoint Agent that detects the status of third party applications installed on a device. The component may also attempt to repair the third party application if it is non-compliant. The RAR component is deployed on a device only when the device is associated with a customized policy group and that policy group's Application Resilience policy is activated. to attempt to reinstall Dell Encryption if it's not functioning or missing.

The Report and repair option isn't supported. Depending on the Absolute product licenses associated with your account, the Report, repair, and reinstall option may not be available.

The RAR component of the Secure Endpoint Agent can respond to the following issues:

Issue Resolution
Reinstall

Downgrades are not supported. If the version installed on a device is higher than the expected version, no action is taken.

One or more of the following device drivers aren't installed, or aren't functioning correctly:

  • CmgShieldFFE (CmgFFE.sys)
  • CmgPassThrough (CmgShPT.sys)
  • Credant PCS (CmgPCS.sys)
  • CMGShieldReg (CmgShREG.sys)

If the application is installed, the RAR component uninstalls it. After the application is uninstalled, or if the application wasn't installed, the RAR component downloads and installs the configured version of the application.

A device restart is required after the application is uninstalled. The Secure Endpoint Agent doesn't force the device to restart, so a status of Not Compliant continues to show in the Application Resilience reports until the device user performs a restart and the configured version of the application is downloaded and installed. You can review the report's Status details to determine if a restart is required.

One or more of the following services aren't running or aren't installed:

  • CMGShield (CMGShieldSvc.exe)
  • EMS (EMSService.exe)
The expected version of Dell Encryption isn't installed

If you want the Secure Endpoint Agent to reinstall Dell Encryption if it is non-functional or missing, you need to make its installer available for download. The Dell Encryption installer is included in the Dell Data Security master installer. To make the installer available, you need to extract it from the master installer.

To prepare the installer:

  1. Copy the Dell Data Security master installer (DDSSetup.exe) from the installation media to your computer.

  2. Extract the Dell Encryption installer from the master installer by doing the following:

    1. Open a Command prompt and navigate to the location of the DDSSetup.exe file.

    2. Enter:

      Copy 
      DDSSetup.exe /z"\"EXTRACT_INSTALLERS=<destination folder>""

      where <destination folder> is the location where you want to store the extracted installers.

      For example, if <destination folder> is C:\DellEncryption_installer\, enter:

      Copy 
      DDSSetup.exe /z"\"EXTRACT_INSTALLERS=C:\DellEncryption_installer\""
    3. If User Account Control (UAC) is enabled, click Yes to open the InstallShield Wizard and begin extracting the master installer.
    4. When the component installers are extracted, click Finish to close the InstallShield Wizard.

    5. Navigate to the destination folder and open the Encryption folder. The folder contains 32-bit and 64-bit installers.

The EXE files can now be uploaded to the Secure Endpoint Console or hosted on your own server.

The RAR component looks for the following files names when checking pre-cached installers:

Component File name
Installers DellEncryption.exe

If you want the Secure Endpoint Agent to reinstall Dell Encryption if it is non-functional or missing, you need to make its installer available for download. The Dell Encryption installer is included in the Dell Endpoint Security Suite Enterprise master installer. To make the installer available, you need to extract it from the master installer.

To prepare the installer:

  1. Copy the Dell Endpoint Security Suite Enterprise master installer (DDSSuite.exe) from the installation media to your computer.

  2. Extract the Dell Encryption installer from the master installer by doing the following:

    1. Open a Command prompt and navigate to the location of the DDSSuite.exe file.

    2. Enter:

      Copy 
      DDSSuite.exe /z"\"EXTRACT_INSTALLERS=<destination folder>""

      where <destination folder> is the location where you want to store the extracted installer.

      For example, if <destination folder> is C:\DellEncryption_installer\, enter:

      Copy 
      DDSSuite.exe /z"\"EXTRACT_INSTALLERS=C:\DellEncryption_installer\""
    3. If User Account Control (UAC) is enabled, click Yes to open the InstallShield Wizard and begin extracting the master installer.
    4. When the installer is extracted, click Finish to close the InstallShield Wizard.

    5. Navigate to the destination folder and open the Encryption folder. The folder contains 32-bit and 64-bit installers.

The EXE files can now be uploaded to the Secure Endpoint Console or hosted on your own server.

The RAR component looks for the following files names when checking pre-cached installers:

Component File name

Installers

 DDPE_XXbit_setup.exe

Before you activate an Application Resilience policy, you need to configure the policy. You need to configure the application version in addition to the settings in Configuring Application Resilience policies.

To configure the application version:

  1. Under Application Version, select 11.* or higher.

  2. Under Dell Encryption version, enter the version of Dell Encryption that you expect to be running on your devices.

    • The target version must be a sequence of digits separated by a period.
    • You can use wildcard "*" characters after the major version, for example, 11.*, 11.4.*, or 11.4.0.*.

    Make sure the version you are entering is consistent with version 11.x or higher.

If you selected the Report, repair, and reinstall option, you also need to configure this setting in addition to the settings in Configuring Application Resilience policies. Use the installers from Preparing the Dell installers in Configuring Application Resilience policies and configure this additional setting.

To configure the Dell Encryption specific setting:

  1. [Optional] To only reinstall the application if it's missing, select the checkbox next to Do not reinstall or upgrade if the app is already installed. When this option is selected, the application is not reinstalled when either of the following conditions apply:

    • The application version is lower than the expected version.
    • The application can't be repaired.

  2. Under Installation Parameters, enter the following required command-line parameters and any optional command-line parameters required for your configuration:

    • SERVERHOSTNAME: the fully qualified hostname of the Dell Server used for activation

      Copy 
      SERVERHOSTNAME="myserver.myorganization.com"

    • POLICYPROXYHOSTNAME: the fully qualified hostname of the default proxy server used for policies

      Copy 
      POLICYPROXYHOSTNAME="myproxy.myorganization.com"

    • MANAGEDDOMAIN: the name of the Windows domain that the devices in the policy group belong to

      Copy 
      MANAGEDDOMAIN="WORKGROUP"

    • DEVICESERVERURL: the Dell server used for activation, typically the URL includes the Dell server hostname, the port, and /xapi/

      Copy 
      DEVICESERVERURL="https://myserver.myorganization.com:8443/xapi/"

The following example contains the required parameters and two optional parameters:

Copy 
SERVERHOSTNAME="myserver.myorganization.com" POLICYPROXYHOSTNAME="myproxy.myorganization.com" MANAGEDDOMAIN="WORKGROUP" DEVICESERVERURL="https://myserver.myorganization.com:8443/xapi/" HIDESYSTRAYICON="1" HIDEOVERLAYICONS="1"

MACHINEID and SERVERMODE are required parameters. MACHINEID is set to the device's computer name. SERVERMODE is set to 1. There is no need to include these in the Installation Parameters.

For more information about the supported syntax and available optional parameters, refer to the Dell Encryption documentation.

Before you activate an Application Resilience policy you need to configure the policy. If you selected the Report, repair, and reinstall option, use the installers from Preparing the Dell installers in Configuring Application Resilience policies and configure these additional settings.

To configure the Dell Encryption specific settings:

  1. Under Dell Encryption Server Hostname, enter the fully qualified hostname of the Dell Server used for activation. For example:

    Copy 
    myserver.myorganization.com

  2. Under Policy Proxy Hostname, enter the fully qualified hostname of the default proxy server used for policies. For example:

    Copy 
    myproxy.myorganization.com

  3. Under Device Server URL, enter the URL of the Dell server used for activation. Typically the URL includes the Dell server hostname, the port, and /xapi/ For example:

    Copy 
    https://myserver.myorganization.com:8443/xapi/
  4. Under Managed Domain, enter the name of the Windows domain that the devices in the policy group belong to.

  5. [Optional] Under Additional Installer Commands, enter the applicable command-line parameters to configure any settings not covered by the policy configuration. Typically, you'll want to enter the same parameters that were entered when Dell Encryption was initially installed on the devices. For example:

    Copy 
    HIDESYSTRAYICON="1" HIDEOVERLAYICONS="1"

    For more information about the supported syntax for these parameters, refer to the Dell Encryption documentation.