
Setting up netOctopus administrative security

The purpose of this technical guide is to outline the various methods of setting up netOctopus administrative security. All of the following information is also available in the netOctopus User's Guide.

Defining a super administrator

To create an administrator hierarchy:
  • Start by defining a super administrator.
  • Then create all other administrator accounts, whether for subadministrators or additional super administrators, and set their access privileges.
  • Next, assign administrators to the computers.
  • Finally, distribute the netOctopus application and key file to the other administrators.

All of these procedures are described in detail on pages 57-62 of the User's Guide.

Defining a super administrator:

Simply start creating administrator accounts as described below. The first account created automatically becomes the super administrator. For information on how to make another administrator the super administrator, see 'changing the super administrator' on page 59 of the User's Guide.

Creating administrator accounts:

  1. Choose Administrators from the Edit menu. If administrators are already defined, at least one of them is the super administrator. See step 4, below, for information on identifying the super administrator.
  2. Click New.
  3. Enter a name and a password into the dialog. The password must be at least four characters long.
  4. If you want the account to be a super administrator account, check the Super administrator checkbox. Super administrators are indicated by a special icon.
  5. In the Privileges section, check all privileges you want the subadministrator to have. See "Administrators" on page 233 of the User's Guide for more information on access privileges. Super administrator accounts always have all access privileges, regardless of the settings of the Privileges checkboxes.
  6. Check Access. If you do not check this option, the administrator will be unable to use netOctopus to manage computers.

    Note: There must always be a super administrator with access rights. If this is not the case, netOctopus displays an error message.

  7. Click Change. Repeat steps 3 through 7 for each additional account you want to create.
  8. Check the Access Protection option. If this option is checked, netOctopus asks for an administrator name and password every time it is started up. If it is unchecked, every user, super administrator, and subadministrator is assumed to be a super administrator, i.e., has unlimited access privileges.

    On Macintosh computers on which Apple's Keychain password control software is installed, netOctopus automatically utilizes Keychain. See also "Using keychains" on page 64 of the User's Guide.

  9. Click OK to close the Administrators dialog.

    WARNING: Enabling access protection ensures that only persons with the proper passwords can use netOctopus to access your network. Disabling access protection compromises security because everybody with access to a copy of your netOctopus key file can act as the super administrator. This applies to subadministrators, normal users, and even unauthorized persons.

    We therefore strongly recommend that you always enable access protection, except perhaps in a single administrator setting where physical access to the administrator's computer is impossible for unauthorized persons.

Creating additional super administrators:

There can be any number of super administrators for each netOctopus package. For security reasons we recommend that their number be restricted to the minimum possible.

To create an additional super administrator, proceed as described below for changing super administrators, but skip steps 5 through 7. If different super administrators are to manage different parts of the network, and not have super administrator privileges in the parts they do not manage, you have to purchase multiple copies of netOctopus and set them up separately.

You also need to be sure that after the installation of the netOctopus Agents, each Agent is first queried by the proper super administrator to ensure that it bonds to the correct one.

Note: You should carefully evaluate whether your requirements are better met with a single administrator hierarchy or multiple hierarchies. While it is possible to switch, doing so may involve a considerable amount of work.

Changing the super administrator:

  1. Open the Administrators dialog.
  2. Select the administrator who is to be the new super administrator.
  3. Check the Super administrator checkbox. Also, make sure that the Access checkbox is checked.
  4. Click the Change button.
  5. Select the account of the old super administrator.
  6. Uncheck the Super administrator checkbox.
  7. Click the Change button.
  8. Click OK.
  9. The Administrators dialog is closed and the changes are saved.

Note that you can only change the super administrator if you are using a super administrator's account or if access protection is disabled.

Assigning administrators to computers

Super administrators always have automatic access to all computers running the netOctopus Agent (except to those whose users have restricted access using the Agent's privacy options).

All other administrators have access only to computers they have expressly been assigned to. Note that you will have to assign administrators to any new computers that are added to the network.

Assigning administrators to computers:

  1. In the Computers window, select all computers to which you want to assign an administrator. See "Listing computers running the netOctopus Agent" on page 87 of the User's Guide for information on listing computers in the Computers window.
  2. Choose Appoint Administrators from the Commands menu. The Appoint Administrators dialog opens.
  3. Select all administrators you want to assign to the selected computers. You can select any number of administrators. You must select all administrators that are to be able to manage these computers.
  4. Click OK.
  5. Repeat steps 1 through 4 until you have assigned administrators to all computers.

Distributing netOctopus to other administrators

All administrators need their own copies of netOctopus to manage the computers assigned to them. Your license allows you to make as many copies of the netOctopus application as you want, as long as they are used to administer only as many computers as your license allows.

All account and password information is stored in the netOctopus Admin Key file in the netOctopus Preferencesƒ folder inside the Preferences folder. To distribute any changes you have made to other administrators, you can simply distribute this key file.

When netOctopus is distributed to administrators for the first time, you can distribute either the installer files or a completely installed application. Make sure, however, that you send every administrator the key file from your computer, after you have completed creating all the accounts and configuring their access privileges.

Only super administrators should enter key information on their computers. When you subsequently change account information, you just need to redistribute the key file. The most elegant way to do this is to use netOctopus itself to update the key files.

To maximize security, you can store the key file on a file server and put an alias to it into the netOctopus preferences folders of all administrators. Set the 'Don't Copy' flag of the key file on the server to prevent anybody from copying it. This way, all accounts and privileges can be updated immediately in a single step simply by replacing the key file. At the same time, the risk of unauthorized access is minimized.

Of course, the server volume on which the key file is located must be accessible only to the administrators.

Tip: You can also mix both approaches, i.e., have the majority of administrators use a server-based key file and copy a key file to the hard disks of some others. While you lose some of the security benefits this way, it allows you to accommodate administrators who have no access or only intermittent access to the server.

WARNING: Knowledge of your key number - the number you have to enter the first time you use netOctopus - allows everybody with access to the netOctopus Installer to create a copy of netOctopus that can access all of your Agents.

To prevent this from happening, make sure that only trusted persons have access to the key number. This also goes for other administrators: Normally, they have no need to know the key number and the fewer know, the better the security.

If your subadministrators are to support PCs on IPX networks, make sure to also distribute the MacIPX files. See IPX support on page 14 of the User's Guide for more information.

Changing administrator information

Note that all changes to administrator information, except for assignments of administrators to computers, are initially restricted to your copy of netOctopus.

Redistribute the netOctopus key file to all other administrators after making the changes to propagate them through the administrator hierarchy. See Distributing netOctopus to other administrators on page 61 of the User's Guide for details.
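An added example, not part of the original guide or of netOctopus: because account changes reach other administrators only through redistributed key files, a copy that was never replaced does not reflect those changes. This Python sketch compares collected copies against the master by SHA-256 and flags copies with group or world permission bits set; the POSIX permission check, the directory layout and the sample contents are assumptions constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

KEY_FILE_NAME = "netOctopus Admin Key"  # file name as given in this guide

def sha256_of(path):
    """Hash the file as opaque bytes; the key file format is not assumed."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def audit_key_copies(master, copies):
    """Return {path: [findings]} for copies that are missing, stale or exposed."""
    expected = sha256_of(master)
    exposed_bits = stat.S_IRWXG | stat.S_IRWXO  # any group/other permission
    report = {}
    for copy in map(Path, copies):
        findings = []
        if not copy.is_file():
            findings.append("missing")
        else:
            if sha256_of(copy) != expected:
                findings.append("stale: differs from master")
            if copy.stat().st_mode & exposed_bits:
                findings.append("accessible beyond owner")
        if findings:
            report[str(copy)] = findings
    return report

def demo():
    """Constructed sample: one master, three copies, and 'dave' who has none."""
    root = Path(tempfile.mkdtemp())
    samples = {  # name -> (constructed contents, assumed POSIX mode)
        "master": (b"constructed-key-v2", 0o600),
        "alice": (b"constructed-key-v2", 0o600),  # current, owner-only
        "bob": (b"constructed-key-v1", 0o600),    # never redistributed
        "carol": (b"constructed-key-v2", 0o644),  # current, world-readable
    }
    for name, (data, mode) in samples.items():
        path = root / name / KEY_FILE_NAME
        path.parent.mkdir()
        path.write_bytes(data)
        os.chmod(path, mode)
    copies = [root / n / KEY_FILE_NAME for n in ("alice", "bob", "carol", "dave")]
    report = audit_key_copies(root / "master" / KEY_FILE_NAME, copies)
    return {Path(p).parent.name: f for p, f in report.items()}
```

Calling `demo()` returns findings keyed by the constructed administrator names; up-to-date, owner-only copies do not appear in the report.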

Changing the name, password, or access privileges

  1. Choose Administrators from the Edit menu. The Administrators dialog opens.
  2. Select the administrator whose account information you want to edit.
  3. Enter a new name and/or password and/or change access privileges. Note: The password can also be changed from netOctopus' login dialog. See "Changing the password when logging in," below, for details.
  4. Click the Change button.
  5. Repeat steps 2 through 4 for the next administrator or click OK to close the dialog and save the changes.
  6. Distribute the netOctopus Admin Key file in the netOctopus Preferencesƒ folder inside the Preferences folder to all other administrators.

Changing the password when logging in:

To change your password when logging into the application:

  1. In the login dialog, click the Change Password button. This opens the Change Password dialog. Note: When keychain access is enabled on your Macintosh and the currently unlocked keychain contains a valid administrator name and password, the login dialog is not normally displayed. To be able to change the password regardless, hold down the Shift key while starting netOctopus.
  2. Enter the current password into the Old password field. Note that all passwords and administrator names are case sensitive, i.e., it matters whether upper-case or lower-case letters are used.
  3. Enter the new password into the New password field. Passwords must be at least four characters long.
  4. To guard against typos, enter the new password again into the Verification field. If both new passwords are not identical, netOctopus displays an error message and refuses to accept the password change.
  5. If you want to add this name and password to the active keychain, check the Add to Keychain option. When a keychain is currently unlocked, the new password is added to that keychain. If there is no unlocked keychain, you are prompted to choose and unlock a keychain.
  6. Click OK to close the dialog. From now on, you must use the new password when logging in.

Using keychains:

When Apple's Keychain access technology is active on the Macintosh, netOctopus can automatically take advantage of it. Once you have added a netOctopus administrator account to a keychain, you can log in to netOctopus automatically, as long as that keychain is unlocked.

Note: Keychain support is only available when access protection has been enabled in netOctopus' Administrators dialog. See step 8 of the "Creating administrator accounts" procedure on page 58 of the User's Guide.

Adding an administrator account to a keychain

Enabling Keychain to control access to netOctopus is very simple: Just check the "Add to Keychain" option when logging in to netOctopus. Doing so adds the administrator name and password information entered into the login dialog to the active keychain.

Adding an administrator account to the keychain removes any other netOctopus account which may have been added to the same keychain earlier. One keychain can never hold more than a single netOctopus administrator account.

Note: It is entirely possible to have several different keychains on a computer, each of which can contain a netOctopus administrator account. Only one of these keychains can be open at any time, however.

Logging in to netOctopus using the Keychain

Automatic login using a keychain is only available if an administrator account has been added to it (see Adding an administrator account to a keychain, above).

When you start netOctopus and a keychain is unlocked, the netOctopus account information contained in that keychain is used to log you in to netOctopus. No login dialog is displayed; in fact, starting netOctopus is as easy as if access protection were disabled.

Note: If the currently open keychain contains an administrator account, but you do not want to use it, see "Logging in with a different account," below.

When no keychain is currently unlocked, you are prompted to unlock a keychain. You can either do so, in which case no further login information is required after the keychain is unlocked, or decline to unlock a keychain, in which case you proceed with the normal login dialog as described in netOctopus' login dialog on page 236 of the User's Guide.

Logging in with a different account

You may want to log in to netOctopus using an account different from the one contained in the currently open keychain. There are two ways to do so: Lock the keychain or force netOctopus to display the login dialog.

Locking a keychain is described in Apple's Keychain documentation. When you are starting netOctopus while there is no unlocked keychain, the Unlock Keychain dialog will come up. Click Cancel in this dialog to open the standard netOctopus login dialog.

To force netOctopus to display the login dialog, even though a keychain containing an administrator name and password is currently open, hold down the Shift key while starting netOctopus.

Changing passwords

When you log in to netOctopus using the keychain, you can no longer change your password when logging in, as the login dialog is not displayed any more. You have to use the Change Password menu command instead.

To change your password when you have logged in automatically using a keychain:

  1. Choose Change Password from the Edit menu. The Change Password dialog opens.
  2. Continue as described in Changing the password when logging in on page 63 of the User's Guide, starting with step 2 of that procedure.

Removing an account from a keychain

Removing netOctopus administrator accounts from a keychain is done in the Keychain software itself, rather than from within netOctopus. See Apple's Keychain documentation for details.

Assigning other administrators to a computer

Assigning other administrators to a particular computer or group of computers is done exactly like the initial assignment. Any new assignment overwrites the previous one. See Assigning administrators to computers on page 60 of the User's Guide for further information.

Deactivating an administrator account

To temporarily deactivate an administrator account:

  1. Choose Administrators from the Edit menu. The Administrators dialog opens.
  2. Click the Access checkbox to uncheck it. Note: There must always remain at least one super administrator with access rights. If this is not the case, netOctopus displays an error message.
  3. Click the Change button.
  4. If there are several administrators at your site, distribute the netOctopus Admin Key file in the netOctopus Preferencesƒ folder inside the Preferences folder to all of them.

When you are ready to grant the administrator access again, simply repeat this procedure, checking the Access checkbox in step 3.

To permanently deactivate an account, you should delete it:

  1. Choose Administrators from the Edit menu. The Administrators dialog opens.
  2. Select the administrator whose account you want to delete.
  3. Click the Delete button. The administrator account disappears from the Administrator list.
  4. Click OK to close the Administrators dialog and save the changes.
  5. If there are several administrators at your site, distribute the netOctopus Admin Key file in the netOctopus Preferencesƒ folder inside the Preferences folder to all of them.

© 2008 Netopia, Inc., a Motorola Company. All rights reserved.