Forum Home Forum Home > User Discussions and Community Support > Operations and Usage
  New Posts New Posts RSS Feed - Training for end users
  FAQ FAQ  Forum Search   Register Register  Login Login

Training for end users

 Post Reply Post Reply
Author
Message
Dave Opitz View Drop Down
Newbie
Newbie


Joined: 21 Mar 2011
Status: Offline
Points: 4
Post Options Post Options   Thanks (0) Thanks(0)   Quote Dave Opitz Quote  Post ReplyReply Direct Link To This Post Topic: Training for end users
    Posted: 21 Mar 2011 at 11:08am
We are preparing to start pushing Identity Finder out to our campus (over 1,000 computers).  The users range from highly technical to not very technical.  The plan is that I will manage the server, but users should do scans and remdiation themselves.  I want to roll out Identity Finder in a way so that I do not get swamped by phone calls of users with questions, thus I would like the simplest possible version of Identity Finder client.
 
Ideally, after we push it out, I would like Identity Finder to display one button that says "scan" and nothing else.  IT should use the settings I have selected on the server to decide what to search for.  Currently, on my test computers, the "start" scan button appears as the only button on the main page that is not greyed out, but there are all sorts of options that users can select under the other tabs (identity, locations, configuration, tools).  Can I disable those tabs so that everything under them is greyed out?  As we decide to use additional features,such as the Password Vault, I would like to enable it on a case by case basis - perhaps for one user or more likely for a group of users using our AD OU's and Groups.  The simpler the configuration, the easy it will be for new users to figure out how to use it.
 
Even if I configure Identity Finder so that it is a simple to use as possible, the users are going to have to interpret the results of their scans.  If the scan says something like "there are SSNs in the file c:\ssns.doc", users can handle that.  But there are other much more compliated results that will be displayed that will require users to determine if it is a false positive, or perhaps to understand the use of different file types.  I don't have the time to talk to every single user.  Is there some document already available that is both easy to understand (i.e. short), but also explains to users how to interpret the results of their scans?
 
Thanks.
Dave
Back to Top
dwoodruff View Drop Down
Groupie
Groupie


Joined: 24 Nov 2010
Location: Rochester, NY
Status: Offline
Points: 71
Post Options Post Options   Thanks (0) Thanks(0)   Quote dwoodruff Quote  Post ReplyReply Direct Link To This Post Posted: 21 Mar 2011 at 2:33pm
We've taken a very similar approach to the one you are pursuing. We also want the users to do the searches and remediation themselves so they can see the value of the software. It is proving to be a challenge to keep track of all the endpoints and who is responsible for them, but we're trying to keep the process structured (and our console organized!) by rolling out a department at a time. I've trained our help desk and provided basic troubleshooting documentation in the form of FAQs. If the help desk can't resolve a problem, they will escalate it to me, so as we roll out to more people, that will cut down on the amount of time I need to spend.

Regarding your second paragraph, we have created our environment exactly that way - by default, don't give users any options. Just allow them to run the search and remediate. The way I accomplished this was through a system policy that is applied to the "All Endpoints" tag. The policy forces the use of the guest profile, disabling prompts to create their own profile and password. Many (probably 60-70%) of all possible settings have been explicitly defined in the policy so that the user cannot change them. You can't grey out the other ribbons at the top of the client, but you can configure each setting so that they are not changeable.

When you want to enable other features for a specific set of users, just create another system policy that is higher in priority in the list of policies with the specific settings defined. Then apply that policy either to an AD tag or specific endpoints and the higher priority policy will override the All Endpoints policy. The only problem with this approach using the guest profile is that if a setting is applied in a system policy, it cannot be overridden by a user policy in the case where you would want an option to be available to the user, but set a specific way by default.

For example - let's say by default I want to disable scanning of network drives to prevent heavy load on file servers. I specify OnlySearchLocalDrivesWhenSearchingMyComputer to be true in the policy I have applied to All Endpoints and that works fine. Then let's say a specific department wants to give their users the option of searching their network shares. I would have to create another system policy applied to that department, and it would set OnlySearchLocalDrivesWhenSearchingMyComputer to false. The setting would be greyed out in the user interface. It would not give them the option to select one way or the other and all endpoints assigned that policy would then search network drives. Overriding the setting in a user policy would have no affect on guest profile. If you were using profiles, you would be able to use the user policy to set the default but let the client to override. This was the case at least since the last time I tried it and was told by support that is the way this functions. Make sense, or clear as mud?

Regarding educating users how to interpret and deal with the results, it may be best to create a document with a lot of screenshots that explains the interface and the specific responsibilities they have when sensitive data is found. That way you can tailor it to your environment and requirements. We've done something like that, but not to as deep a level as it seems you would be looking for.

Dan
Back to Top
Dave Opitz View Drop Down
Newbie
Newbie


Joined: 21 Mar 2011
Status: Offline
Points: 4
Post Options Post Options   Thanks (0) Thanks(0)   Quote Dave Opitz Quote  Post ReplyReply Direct Link To This Post Posted: 23 Mar 2011 at 9:26am
Dan - thanks for the pointers.  It sounds like I'm on the right track but I have to do all the prep work myself.  I'm now working through all the settings to createa default Enterprise policy - there sure are a lot of them.  It would be nice if they built in a few optional policies of typical settings for different scenarios.
 
Letting users do the scan and remediate seems like the obvious way to use the tool, so documentation for end users seems like something that should be provided.  I guess I'll work on that next.  I'm worried about how to explain false positives to end users.  I can easily recognize what is real data, but I'm not that regular users will be able to.
Back to Top
rwarner1 View Drop Down
Groupie
Groupie


Joined: 30 Nov 2010
Location: Chicago
Status: Offline
Points: 23
Post Options Post Options   Thanks (0) Thanks(0)   Quote rwarner1 Quote  Post ReplyReply Direct Link To This Post Posted: 06 May 2011 at 12:37pm
Hello Dave,

We are doing the same thing. Using a System Policy, we are limiting the search down to SSN's and CC#'s in a Guest Profile, and are also excluding a few directories like Program Files, Windows, SYSTEM VOLUME INFORMATION(hidden). However, the way ours is setup, users have the ability to make changes to the parameters, but these changes will not persist once Identity Finder is closed. This way, the users don't have to remember the default settings. They can just reopen the program and start another scan with all the defaults, but they can also modify the settings to create a "personal" scan.

In regards to the policy settings, there are a large numbers of settings that will pretty much allow you to customized the search and remediation how ever you want. It may take some time and tweaking, but it's well worth it.

Reggie.

"For the things we have to learn before we can do them, we learn by doing them." - Aristotle
Back to Top
Dave Opitz View Drop Down
Newbie
Newbie


Joined: 21 Mar 2011
Status: Offline
Points: 4
Post Options Post Options   Thanks (0) Thanks(0)   Quote Dave Opitz Quote  Post ReplyReply Direct Link To This Post Posted: 19 May 2011 at 3:34pm
Reggie - thanks, that's good advice.  I'm (attempted to) skip scanning the directories you list.
 
I created a policy where I attempted make things as simple as possible.  Pretty much everything is disabled for the user except the green "start" arrow.  I exported my settings and attempted to post them here, but it created a post that was too long to be accepted by this Forum.  I thought that would be really helpful to others starting out since it was quite a bit of work for me to figure it out on my own.
 
I think they should do some work to create a few standard configurations that could be used for fast roll outs and then people could dig into the settings and refine them for their own particular needs.  Having to figure out all the settings from scratch is pretty tricky and makes this product difficult to use.  Like, they could have one that says "schedule a monthly search to only search for SSNs in the %USERPROFILE% folder." 
 
Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down