For use with general public
HP Sure Click Enterprise 4.2
UPGRADE GUIDE
Notices
Copyright © 2020 Bromium, Inc. All rights reserved. HP Development Company, L.P. The
information contained herein is subject to change without notice. The only warranties for HP
products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty.
HP shall not be liable for technical or editorial errors or omissions contained herein.
The software and accompanying written materials are protected by U.S. and International
copyright law. Unauthorized copying of the software, including software that has been modified,
merged, or included with other software, or other written material is expressly forbidden. This
software is provided under the terms of a license between HP and the recipient, and its use is
subject to the terms of that license. Recipient may be held legally responsible for any copyright
infringement that is caused or incurred by recipient’s failure to abide by the terms of the license
agreement. US GOVERNMENT RIGHTS: Terms and Conditions Applicable to Federal Governmental
End Users. The software and documentation are “commercial items” as that term is defined at
FAR 2.101. Please refer to the license agreement between HP and the recipient for additional
terms regarding U.S. Government Rights.
The software and services described in this manual may be protected by one or more U.S. and
International patents.
DISCLAIMER: Bromium, Inc., makes no representations or warranties with respect to the contents
or use of this publication. Further, Bromium, Inc., reserves the right to revise this publication and
to make changes in its contents at any time, without obligation to notify any person or entity of
such revisions or changes.
Intel® Virtualization Technology, Intel® Xeon® processor 5600 series, Intel® Xeon® processor E7
family, and the Intel® Itanium® processor 9300 series are the property of Intel Corporation or its
subsidiaries in the U.S. and/or other countries.
Adobe and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems
Incorporated in the United States and/or other countries.
Bromium, the Bromium logo, Bromium micro-VM®, Bromium micro-virtualization, Bromium µVM
and Trustworthy by Design are registered trademarks, and HP Sure Click Enterprise, Bromium
Secure Browser, Bromium Secure Files, Bromium Secure Monitoring are trademarks of Bromium,
Inc.
All other trademarks, service marks, and trade names are the property of their respective
owners. Bromium, Inc., disclaims any proprietary interest in the marks and names of others.
29 July 2020
Contents
Notices  ii
Introduction  2
  Glossary  2
  Overview of Upgrade Steps  2
  Bromium Secure Platform End Of Life Notice  2
  Upgrade Considerations  3
Upgrading the Controller  4
Controller Upgrade Considerations  5
  Monitoring Catalog Data Retention  5
  Device Name / Duplicates  5
  Dynamic Device Groups  5
    (All Devices)  6
    (Ungrouped)  6
    Example – Only (Ungrouped)  7
    Example – Not Using (Ungrouped)  8
    Example – (Ungrouped) and Custom Device Groups  9
    Product Name  10
  Secure Browsing Extensions (SBX)  10
  Advanced Policy Settings  11
    MimeHandler.Custom.n.xxx Parameter  11
    Untrusted.IngressApplicationsSettings Parameter (deprecated in SCE 4.2)  11
Upgrading Endpoint Devices  12
  Unchanged Paths  13
  Installation with Microsoft Virtualization Based Security (VBS)  14
  Deprecated Support for Software  15
  Browser Compatibility  16
    Firefox SBX  16
    Microsoft Edge SBX  16
  Exclusions  17
    Upgrade Considerations  17
    File Exclusions – BSP and SCE  18
    File Exclusions – BSP Only  19
    Directory Exclusions – BSP and SCE  19
    Directory Exclusions – BSP Only  19
    Firewall Exclusions  19
Introduction
The purpose of this guide is to aid customers in migrating existing Bromium Secure Platform
deployments to HP Sure Click Enterprise 4.2.
Glossary
The following abbreviations are used throughout this document:
• BSP – Bromium Secure Platform
• SCE – HP Sure Click Enterprise
• SBX – Secure Browser Extension
Overview of Upgrade Steps
The recommended upgrade path from Bromium Secure Platform to HP Sure Click Enterprise is:
1. Upgrade all Bromium Controllers to Sure Controller 4.2.
2. Uninstall pre-existing versions of Bromium Secure Platform from endpoint devices.
3. Install Sure Click Enterprise on endpoint devices.
In-place upgrades to SCE 4.2 on devices are only supported for devices running BSP 4.1.6 or later
or SCE 4.1.8 Patch 1 or later.
Bromium Secure Platform End Of Life Notice
Bromium Secure Platform will become EOL on November 8, 2020 at which time new hotfixes and
code updates will no longer be released. Bromium Secure Platform will continue to be supported
for assistance with configuration and deployment issues until March 31, 2021. HP recommends
that all customers complete their upgrade to HP Sure Click Enterprise 4.2 prior to March 31,
2021. For a complete list of deprecated features, please refer to the Knowledge Base:
https://support.bromium.com/s/article/Deprecated-Features.
Upgrade Considerations
The following considerations must be factored into plans for upgrading from Bromium Secure
Platform to HP Sure Click Enterprise:
• Controller considerations:
o Monitoring catalog data retention
o Non-domain-joined devices
o Dynamic device groups
o Bromium-related AD GPOs
o Custom ingress applications
• Endpoint device considerations:
o Product installation paths
o Desktop Console HP Branding and updates to user experience
o Product registry keys
o Bromium-related scripts
o Deprecated support for software
o Firefox browser upgrade
o Edge browser upgrade
o Exclusions
o VDI Deployments
Upgrading the Controller
Upgrading Bromium Controller to Sure Controller before installing SCE on devices ensures:
• Dynamic device group memberships based on the Product Version rule are compatible
with endpoint devices when they are upgraded to SCE
• Access to the policy settings to manage new features of SCE endpoints
• Access to the latest features and enhancements in the Sure Controller
Upgrading Bromium Controller to Sure Controller 4.2 after upgrading endpoint devices may
result in:
• Duplicate devices
• Devices losing group membership (and therefore potentially losing license / policy
assignments)
To avoid any issues, it is strongly recommended to upgrade all Bromium Controllers to Sure
Controller 4.2 before installing SCE on endpoint devices.
For more information about how to upgrade the controller, refer to the Knowledge Base:
https://support.bromium.com/s/article/Upgrading-BEC
Always back up the Sure Controller database before upgrading.
Warning: If the license key is applied within a policy that is only assigned to a Dynamic Group
dependent upon Product Version and devices are upgraded to SCE before the Controller, SCE
devices will not be a member of that group and will not have the associated policies and
license key applied. This could result in SCE endpoint devices becoming disabled and
unlicensed during the upgrade.
Upgrade the Controller first to ensure backwards compatibility of Dynamic Groups which will
ensure devices remain licensed during the upgrade to SCE.
Controller Upgrade Considerations
The functionality and organization of the controller remains largely unchanged in Sure Controller
4.2. This section describes changes that require consideration before upgrading the controller.
Monitoring Catalog Data Retention
The Monitoring feature of BSP was deprecated on February 1, 2020. As such, all Monitoring policy
settings and configurations should be deleted prior to upgrading to Sure Controller 4.2.
Deletion of any catalogs should be configured at least 24 hours before upgrading to Sure
Controller 4.2. From the controller navigation pane click Settings and under Monitoring Catalog
Data Retention ensure Delete catalog entries is selected.
Note: The Monitoring Catalog Data Retention setting will be removed after the upgrade to
4.2.1. Entries will continue to be deleted automatically as per this setting.
Device Name / Duplicates
Endpoint devices which are not domain-joined will appear as duplicates in the Sure Controller
after upgrading the device to SCE. Sure Controller will display each upgraded endpoint as an
offline Isolation endpoint and an online Sure Click endpoint. This issue only occurs for endpoints
which are not joined to an Active Directory domain.
If you have configured the Device Data Retention options in the controller settings, offline devices
will be archived and deleted automatically. Alternatively, you can filter the Devices list by
Connectivity Status and/or Isolation Version to identify the offline Isolation endpoints and then
select the relevant endpoint devices and archive them manually.
Dynamic Device Groups
Bromium Controller contains a built-in group named “(Ungrouped)”. Sure Controller 4.2 adds a
new group named “(All Devices)” and begins the phase out of (Ungrouped). The transition from
(Ungrouped) to (All Devices) has been carefully designed to ensure no negative impacts from
these changes occur from the upgrade. Full details are provided in the following sections.
(All Devices)
A new dynamic device group named “(All Devices)” is built in to Sure Controller. This group will
contain all devices registered with Sure Controller regardless of other group memberships.
Therefore, any policy assigned to this group will be applied to all endpoint devices. This provides
a convenient group for applying a license key. By default, no policies are assigned to this group.
If a device group named “(All Devices)” already exists, the Sure Controller upgrade will
automatically rename the group to “(All Devices) 2” during the upgrade process to ensure no
conflict with the new built-in (All Devices) group.
(Ungrouped)
The Bromium Controller group named “(Ungrouped)” will be deprecated in a future release but
remains available and supported in the initial release of Sure Controller 4.2. Customers using
(Ungrouped) to manage devices should develop plans to migrate away from its use as soon as
possible.
During the upgrade of Bromium Controller to Sure Controller 4.2, changes affecting the group
(Ungrouped) will be applied as follows, depending on the Bromium Controller configuration before
the upgrade:
• If (Ungrouped) is the only device group: (Ungrouped) is replaced by (All Devices) and all
policies previously assigned to (Ungrouped) will be assigned to (All Devices). The group
“(Ungrouped)” is deleted and no longer available.
• If (Ungrouped) is not the only device group and (Ungrouped) has no policies assigned:
(Ungrouped) is deleted and no longer available.
• If (Ungrouped) has policies assigned, with or without group members: (Ungrouped) is not
changed and continues working as it did in Bromium Controller 4.1.
Note: The built-in group named “(Ungrouped)” is due to be deprecated in Sure Controller.
Although it is still available in the initial 4.2 Controller release, it will be removed in a future
release.
Example – Only (Ungrouped)
In this example, (Ungrouped) is the only device group present. The first image illustrates
(Ungrouped) in Bromium Controller prior to upgrade. The second image illustrates the
replacement by (All Devices) in Sure Controller.
Example – Not Using (Ungrouped)
In this example, custom device groups have been created and are in use. (Ungrouped) is not in
use. The first image illustrates (Ungrouped) in Bromium Controller prior to upgrade. The second
image illustrates (Ungrouped) has been deleted and (All Devices) has been created in Sure
Controller.
Example – (Ungrouped) and Custom Device Groups
In this example, both (Ungrouped) and custom device groups are in use. The first image
illustrates (Ungrouped) in Bromium Controller prior to upgrade. The second image illustrates
(Ungrouped) remains intact with its original policies and members and (All Devices) has been
created in Sure Controller.
Product Name
In Sure Controller, the Product column is one of the default columns displayed when Devices are
listed. Product, previously named Isolation is now named Sure Click. Dynamic Device groups
created using the rule Product is Isolation will automatically be converted to Product is Sure Click
and will be backwards compatible to contain both Isolation and Sure Click endpoint devices.
Secure Browsing Extensions (SBX)
If using Active Directory Group Policy Objects (GPOs) to manage the Bromium Secure Browsing
Extension (SBX) for Chrome, the GPO configurations should be retired after upgrading the
controller. The preferred method is to manage the extensions using the Sure Controller policies.
If AD GPO is still required to manage the Chrome SBX extension, the GPO should be updated to
reference the new HP Sure Click extension GUID: gpmlagmcbcnjhkdjiofoenkfbaclgjkk.
In SCE 4.2, SBX is also loaded into the HP Secure Browser to support the new HP Identity
Protection feature (see Release Notes or the Online Help system for more information).
Advanced Policy Settings
Most existing BSP policies are compatible with devices that have been upgraded to SCE and
should require no modification. However, there are a few exceptions relating to the following
advanced parameters:
• MimeHandler.Custom.n.xxx
• Untrusted.IngressApplicationsSettings
If the existing BSP or SCE 4.1.x policies do not contain these advanced parameters then no
further action is required.
MimeHandler.Custom.n.xxx Parameter
Custom mime handlers are used to override the default handling of specific types of files. In SCE,
custom mime handlers are replaced by Untrusted.FileTypePolicies and
Untrusted.FileTypeGroups parameters.
For more information, please contact HP Support ([email protected]) prior to upgrading
endpoint devices to SCE.
Untrusted.IngressApplicationsSettings Parameter (deprecated in SCE 4.2)
Custom Ingress Applications applied with Untrusted.IngressApplicationsSettings
are no longer supported in SCE 4.2.
Note: SCE endpoints will report an “Unsupported configuration” error to the Sure Controller
and will fail to initialize if Untrusted.IngressApplicationsSettings remains in
the policy. You must remove the advanced setting from your policies in order for endpoints to
successfully initialize.
For the latest information on supporting custom ingress applications, visit the HP Security
Knowledge Base
https://support.bromium.com/s/article/Controller-Management-Action-Unsupported-configuration
or contact HP Support ([email protected]) prior to upgrading endpoint devices to SCE.
Upgrading Endpoint Devices
It is recommended that previous versions of BSP are removed from devices before installing SCE
as the installation path of SCE is determined by whether the installation is a new installation or an
upgrade of an existing endpoint device. Uninstalling previous versions of BSP prior to installing
SCE ensures all endpoint devices have a consistent install path.
1. To uninstall previous versions of BSP, specify the parameter value of “CLEANALL=YES” as
part of the msiexec command. For more information, see page 17 of the Bromium Secure
Platform 4.1 Update 8 Installation and Deployment Guide.
2. In-place upgrades to HP Sure Click Enterprise on devices are supported for the following
versions of Bromium Secure Platform:
o Bromium Secure Platform 4.1.6 or later
o HP Sure Click Advanced 4.1.8 Patch 1 or later
Attempts to install SCE 4.2 on endpoint devices with BSP versions older than 4.1.6 will result in
the installer exiting with the following error:
When performing an in-place upgrade of a BSP endpoint to SCE, the existing installation path will
be used. The default installation paths are as follows:
• New installation of SCE – C:\Program Files\HP\Sure Click
• Upgrade from BSP – C:\Program Files\Bromium\vSentry
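The following PowerShell script is an added example (not HP's code) of applying the endpoint procedure above: by default it follows the guide's recommendation to uninstall BSP with CLEANALL=YES and then install SCE, and with -AllowInPlace it keeps the existing path only when the installed version is 4.1.6 or later. It assumes the product version can be read from BrService.exe's file version, uses placeholders for the MSI product code and SCE installer path, and does not detect the separate SCE 4.1.8 Patch 1 condition.

```powershell
# Added example, not from the HP guide: choose the endpoint upgrade path.
# Default: uninstall BSP with CLEANALL=YES, then install SCE so every device ends up
# in C:\Program Files\HP\Sure Click. -AllowInPlace keeps the existing Bromium path,
# but only when the installed BSP is 4.1.6 or later (older versions make the SCE
# installer exit with an error). Assumptions: the version is read from
# BrService.exe's file version (the guide does not say where it is stored);
# product code and installer path are placeholders.
param(
    [switch]$AllowInPlace,
    [switch]$Execute,                                                  # report only unless set
    [string]$BspProductCode = '{BSP-PRODUCT-CODE-PLACEHOLDER}',        # placeholder
    [string]$SceInstaller   = 'C:\Deploy\SureClickEnterprise-4.2.msi'  # placeholder path
)

$MinInPlace  = [version]'4.1.6'
$InstallDirs = @('C:\Program Files\Bromium\vSentry',   # path kept by an in-place upgrade
                 'C:\Program Files\HP\Sure Click')     # path used by a new installation

function Get-InstalledVersion {
    foreach ($dir in $InstallDirs) {
        $exe = Join-Path $dir 'BrService.exe'          # assumption: carries the product version
        if (Test-Path $exe) {
            $raw = (Get-Item $exe).VersionInfo.ProductVersion
            if ($raw -match '^(\d+(\.\d+){1,3})') {    # keep only the numeric part
                return [pscustomobject]@{ Dir = $dir; Version = [version]$Matches[1] }
            }
        }
    }
    return $null
}

function Get-UpgradeAction {
    param($Found, [bool]$PreferInPlace)
    if ($null -eq $Found) { return 'install' }                    # nothing installed yet
    if ($PreferInPlace -and $Found.Version -ge $MinInPlace) { return 'in-place' }
    return 'cleanall-then-install'                                # the guide's recommended path
}

function Get-MsiexecArguments {
    param([string]$Action)
    $install = "/i `"$SceInstaller`" /qn /norestart /l*v `"$env:TEMP\sce-install.log`""
    if ($Action -ne 'cleanall-then-install') { return @($install) }
    # CLEANALL=YES is the uninstall parameter named in the guide
    $uninstall = "/x `"$BspProductCode`" CLEANALL=YES /qn /norestart /l*v `"$env:TEMP\bsp-uninstall.log`""
    return @($uninstall, $install)
}

$found  = Get-InstalledVersion
$action = Get-UpgradeAction -Found $found -PreferInPlace $AllowInPlace.IsPresent
if ($found) { Write-Host "Found version $($found.Version) in $($found.Dir)" }
else        { Write-Host 'No BSP or SCE installation found' }
Write-Host "Action: $action"
foreach ($msiArgs in Get-MsiexecArguments -Action $action) {
    Write-Host "  msiexec.exe $msiArgs"
    if ($Execute) {
        $p = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
        # 3010 means success with a reboot pending; anything else stops before the next step
        if ($p.ExitCode -notin @(0, 3010)) { throw "msiexec exited with $($p.ExitCode)" }
    }
}
```

Run it once without -Execute to confirm the detected version and chosen action before letting it invoke msiexec.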
Unchanged Paths
The following paths do not change regardless of upgrade method:
In the file system:
• %UserProfile%\AppData\Local\Bromium
• %UserProfile%\AppData\LocalLow\Bromium
In the registry:
• HKLM\SOFTWARE\Bromium
• HKCU\Software\Bromium
Note: The system environment variables %brs% and %brb% will remain the same with either
upgrade method and will resolve to the correct directory for the installation. Additionally, the
command line tool brmanage.exe is available and unchanged.
Installation with Microsoft Virtualization Based Security (VBS)
Upgrading to SCE 4.2 on a device running on Windows 10 1809 (RS5) or older with VBS enabled
will use the Bromium hypervisor (AX). Upgrading to SCE 4.2 on a device running on Windows 10
1903 (19H1) or newer with VBS enabled will use the Windows Hypervisor Platform (WHP).
The status of the devices can be checked in the Sure Controller from the Device details page
Properties tab. The following values are returned according to the configuration:
Windows Release             WHP Running?   Sure Controller Status
≤ Windows 10 1809 (RS5)     False          Not enabled
≤ Windows 10 1809 (RS5)     True           Not enabled (1)
≥ Windows 10 1903 (19H1)    False          Not enabled
≥ Windows 10 1903 (19H1)    True           Enabled
(1) Sure Controller will report “False” even when WHP is running as it is not used in this release.
Example Device Properties in the controller:
Deprecated Support for Software
The following table details the key features which are no longer supported on endpoint devices
beginning with HP Sure Click Enterprise 4.2.
Feature                           Recommendation for SCE 4.2
Adobe Acrobat Standard and Pro    Install supported version of Adobe Acrobat Reader DC (1)
Bromium Secure Browser 32-bit     Upgrade to HP Secure Browser 64-bit
SBX for Firefox (32-bit)          Upgrade Firefox to latest 64-bit version
SBX for Edge (legacy)             Upgrade legacy Edge to new Edge (Chromium)
Microsoft Office 2010             Upgrade to Microsoft Office 2013 or later
Windows 7 and Windows 8.1         Upgrade to Windows 10 64-bit
(1) Opening or editing of PDF documents in Adobe Acrobat Standard or Professional is no longer
supported. Acrobat Reader DC will continue to be supported. Electronic signature, highlighting
and other Adobe Reader DC features are still supported.
For a complete list of deprecated features, please refer to the Knowledge Base:
https://support.bromium.com/s/article/Deprecated-Features.
Browser Compatibility
Browser protection for Internet Explorer, Chrome, Firefox, and Edge is continued in SCE. There are
additional considerations for devices using Firefox and Edge browsers.
Firefox SBX
The Secure Browsing Extension (SBX) is only compatible with 64-bit versions of Firefox. HP
supports SBX on the latest ESR and non-ESR 64-bit versions of Firefox.
Microsoft Edge SBX
Limited support of Microsoft Edge (non-Chromium) was provided with BSP 4.1.x. Microsoft
recently replaced the Edge browser with a new version based on Chromium. Therefore, SCE 4.2
provides compatibility and support for SBX with Edge (Chromium). In SCE 4.2, SBX is not
compatible with the legacy Edge (non-Chromium) browser. Therefore, when planning to migrate
endpoint devices that use SBX for Edge from BSP to SCE, it is necessary to also upgrade Microsoft
Edge to Edge (Chromium) during the upgrade to ensure a seamless user experience. The high-
level steps are as follows:
1. Upgrade Bromium Controller to Sure Controller
2. Uninstall BSP with CLEANALL=YES parameter/value
3. Upgrade Edge to Edge (Chromium)
4. Install SCE 4.2
Note that, in most deployments, the Bromium Controller will be upgraded to Sure Controller days
or weeks prior to completing the upgrade of all endpoint devices to Sure Click Enterprise 4.2. As
noted in the images below, the policy setting for enabling SBX for Edge is different than the policy
setting for enabling SBX for Edge (Chromium). In order to ensure BSP 4.1.x endpoint devices with
SBX enabled for Edge continue to work as expected while connected to a Sure Controller, any
BSP policies with “Enable for Edge” set are automatically updated with an advanced parameter
“Enabled for Microsoft Edge Legacy” during the upgrade of Bromium Controller to Sure
Controller. This automatic update applies to both bespoke policies as well as the Bromium/HP
Supplied Policies (built-in).
The following images illustrate the difference in SBX for Edge policy settings before and after
upgrading the Controller from Bromium Controller to Sure Controller:
The following image illustrates a bespoke policy after upgrading Bromium Controller to Sure
Controller:
Exclusions
The continuous scanning of known trusted files by third-party security tools can cause
performance and stability issues with other products including Sure Click Enterprise. Exclusions
should be implemented to support Sure Click Enterprise. In general, these exclusions should be
implemented with all security products including but not limited to Symantec Endpoint
Protection, McAfee Virus Scan, McAfee HIPS, Digital Guardian, Trend Micro, and Windows
Defender. Please consult the Third-Party Software Interoperability Guide for the most current
recommendations.
Upgrade Considerations
Pre-existing exclusions implemented to support Bromium Secure Platform will need to be
amended due to changes in file paths and the deprecation of several executables.
The default installation paths are as follows:
• New installation – C:\Program Files\HP\Sure Click
• Upgrade from BSP – C:\Program Files\Bromium\vSentry
If performing in-place upgrades from BSP to SCE, both file paths will need to be accounted for as
it is likely that, over time, endpoint devices will be replaced or re-imaged and begin using the new
file paths.
Exclusions can be applied at a directory or file level depending on the third-party application
requirements.
File Exclusions – BSP and SCE
The following file exclusions can be implemented with both BSP and SCE:
ax_installer.exe
BemAgent.exe
bemk*.sys
BemMan.exe
BemReporter.exe
BemSession.exe
BemSvc.exe
BrAxService.exe
BrChrome.exe
BrConsole.exe
BrDesktopConsole.exe
BrDownloadManager.exe
BrExeScanner.exe
brfilter_*
BrGPUCheck.exe
Br-hostconfig.exe
BrHostDrvSup.exe
BrHostSvr.exe
Br-init-a.exe
Br-init-b.exe
Br-init-c.exe
Br-init-l.exe
Br-init-n.exe
Br-init-o.exe
Br-init-w.exe
BrInstallerPopup.exe
BrLauncher.exe
BrLogMgr.exe
BrManage.exe
BrNav.exe
BrPrintHelper.exe
BrProgressDialog.exe
BrRemoteManagement.exe
BrRemoteMgmtSvc.exe
BrService.exe
BrStatusMonitor.exe
Br-uxendm.exe
BrWinFile.exe
dpinst.exe
getcaps.exe
HostPcapDump.exe
uxenctx.exe
uxenctl.exe
uxendm.exe
File Exclusions – BSP Only
The following file exclusions can only be implemented with BSP and are not supported on SCE:
Autonomyhelper32.exe
Bemsup.exe
BrDeprivilege.exe
BrIEHelper64.exe
BrInstaller.exe
BrPolicy.exe
BrPreCheck.exe
BrReporter.exe
BrSecurityAlertInspector.exe
Bruxenctx.exe
vhd-util.exe
xenctx.exe
Directory Exclusions – BSP and SCE
The following directory exclusions can be implemented with both BSP and SCE:
%UserProfile%\AppData\Local\Bromium
%UserProfile%\AppData\LocalLow\Bromium
%ProgramData%\Bromium
%ProgramFiles%\HP\Sure Click
Directory Exclusions – BSP Only
The following directory exclusion can only be implemented with BSP and is not supported on
SCE:
%ProgramFiles%\Bromium
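As an added example (not HP's code), the following PowerShell script applies the BSP-and-SCE exclusions listed above to Microsoft Defender Antivirus, one of the products the guide names, using the Add-MpPreference cmdlet. It assumes that Defender, which runs as SYSTEM, does not expand %UserProfile%, so the per-user folders are written with a single-level wildcard under C:\Users, and it covers both install paths because in-place upgrades stay on the Bromium path.

```powershell
# Added example, not from the HP guide: apply the shared BSP/SCE exclusions to
# Microsoft Defender Antivirus. Assumptions: Defender does not expand %UserProfile%,
# so per-user folders use a single-level wildcard; both default install paths are
# included because in-place upgrades keep the Bromium path.
#Requires -RunAsAdministrator

$InstallDirs = @('C:\Program Files\HP\Sure Click',     # new installation
                 'C:\Program Files\Bromium\vSentry')   # in-place upgrade from BSP

# Directory exclusions shared by BSP and SCE, in a form Defender accepts
$DirExclusions = @(
    'C:\Users\*\AppData\Local\Bromium',
    'C:\Users\*\AppData\LocalLow\Bromium',
    "$env:ProgramData\Bromium"
) + $InstallDirs

# File exclusions shared by BSP and SCE. The directory exclusions above already cover
# these images on disk, so the names are applied as process exclusions (files opened by
# the process are not scanned). The wildcard entries bemk*.sys and brfilter_* are not
# processes; they are covered wherever they sit inside an excluded directory.
# BSP-only names (BrPolicy.exe, BrIEHelper64.exe, ...) are deliberately left out.
$SharedProcesses = @(
    'ax_installer.exe','BemAgent.exe','BemMan.exe','BemReporter.exe','BemSession.exe',
    'BemSvc.exe','BrAxService.exe','BrChrome.exe','BrConsole.exe','BrDesktopConsole.exe',
    'BrDownloadManager.exe','BrExeScanner.exe','BrGPUCheck.exe','Br-hostconfig.exe',
    'BrHostDrvSup.exe','BrHostSvr.exe','Br-init-a.exe','Br-init-b.exe','Br-init-c.exe',
    'Br-init-l.exe','Br-init-n.exe','Br-init-o.exe','Br-init-w.exe','BrInstallerPopup.exe',
    'BrLauncher.exe','BrLogMgr.exe','BrManage.exe','BrNav.exe','BrPrintHelper.exe',
    'BrProgressDialog.exe','BrRemoteManagement.exe','BrRemoteMgmtSvc.exe','BrService.exe',
    'BrStatusMonitor.exe','Br-uxendm.exe','BrWinFile.exe','dpinst.exe','getcaps.exe',
    'HostPcapDump.exe','uxenctx.exe','uxenctl.exe','uxendm.exe'
)

function Get-MissingExclusions {
    # -notcontains is case-insensitive, so re-running the script never adds duplicates
    $current = Get-MpPreference
    [pscustomobject]@{
        Paths     = @($DirExclusions   | Where-Object { $current.ExclusionPath    -notcontains $_ })
        Processes = @($SharedProcesses | Where-Object { $current.ExclusionProcess -notcontains $_ })
    }
}

function Set-SceDefenderExclusions {
    param([switch]$ReportOnly)
    $missing = Get-MissingExclusions
    $missing.Paths     | ForEach-Object { Write-Host "path    : $_" }
    $missing.Processes | ForEach-Object { Write-Host "process : $_" }
    if ($ReportOnly) { return }
    if ($missing.Paths)     { Add-MpPreference -ExclusionPath    $missing.Paths }
    if ($missing.Processes) { Add-MpPreference -ExclusionProcess $missing.Processes }
}

Set-SceDefenderExclusions -ReportOnly   # preview first; drop -ReportOnly to apply
```

Once devices have all been re-imaged onto the new path, the Bromium\vSentry entry can be dropped from $InstallDirs and removed with Remove-MpPreference.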
Firewall Exclusions
Windows Firewall – There are no differences between BSP and SCE; however, some changes for
Symantec (and other third-party applications) may be required.
Note: For more information about HP Sure Click Enterprise contact your local HP Inc. field
representative or visit https://www.hp.com/enterprisesecurity.