Welcome to Empower®II. Magna would like to thank you for your interest in Macintosh security. Empower is currently the most comprehensive security product available and we are always working on enhancements.
Every effort has been made to insure the integrity of Empower, however due to the complexity of the configurations available today, it is impossible to test every combination of hardware and software. Therefore, make sure you have a reliable backup of your files before you use Empower. Thoroughly check the compatibility between Empower and your configuration and make backups regularly.
Empower®II v3.0 Enhancements
Multi-Volume
Empower is no longer "System" oriented. Each volume (floppy or hard disk) is considered to be a separate entity to Empower. Each volume now has the ability to have its own set of Preferences, Access Logging, and Users and Groups. In most cases, if more than one volume is mounted, the most secure choice is the overriding option. For example, if two hard disks are attached to a Macintosh and one has "Guests allowed" and the other does not, then Guests are not allowed. The same is true for the Time-Out interval. If one volume is set to time-out after one hour and the other is set for 10 minutes, the Macintosh will time-out after 10 minutes. The preferred implementation is to set all the preferences and users and groups on one volume and only set volume lock and access logging for the other volumes.
Another powerful although possibly confusing feature of multi-volume support is the ability to register as a user defined on any mounted volume. One use is the ability to take a hard disk somewhere else (whether or not it is the System Disk) and still be able to register and access files. Another advantage is to be able to start the Macintosh from a floppy with Empower installed and register with a user name and password defined on the hard disk. For now file server volumes are not supported (stay tuned for details on server volumes).
DES
The ability to encrypt a file using the Data Encryption Standard (DES) has been added to Empower. DES is a very complex and time consuming encryption algorithm, therefore data encrypted with DES cannot be accessed transparently. There are two modes supported. If the data is encrypted with a user specified key, the data must be decrypted with the same key. Specifying the key provides the highest level of security. The downside is the data cannot be shared unless the other users also know the key. Auto key mode eliminates the need for the user to select or remember the key. This allows any user with access to the folder the DES encrypted file resides in to decrypt and access the file. DES files cannot be accessed until they have been manually decrypted and must be manually encrypted to be protected again. DES encryption can be used regardless of the automatic and transparent encryption that Empower provides for protected folders. In other words, files can safely be double encrypted. DES provides for portability of encrypted data. If a file is to be transported by floppy or transferred over a network (i.e., AppleLink) the file could first be encrypted with a user specified key and then decrypted later with the same key.
Time-Out
The Empower key icon in the time-out password confirmation dialog now is a button that closes the confirmation dialog box and returns to the "floating" key. This provides a way to change your mind after moving the mouse or typing a key. This version like past versions will automatically close the dialog box if you do not confirm your password after a few minutes. For example, if desk vibration cause the mouse to move and Empower "wakes up", the Macintosh will automatically re-time-out.
Administrator functions
All of the "Security Administrator" functions have been grouped under one button. The button that was titled "Users" is now titled "Password" and provides a way to quickly change the current registered user's password. The administrator's functions are also volume dependent and the correct volume must be selected before editing users and groups or setting preferences. See the section about Multi-Volume above.
Optional Encryption
Encryption is optional in this release. Most users will want to take advantage of Empower's automatic encryption, however, since it functions effortlessly in the background and offers a high level of security against unwanted access. This feature is found in the Empower 'Preferences' section.
TIP: Holding down the Option-Key while saving access privileges, reverses the volume's auto-Encrypt preference. If auto-Encryption is OFF, the folder WILL be encrypted. If auto-Encryption is ON, the folder WON'T be encrypted.
All Access Privileges
A Security Administrator may give a user 'All Access Privileges' authority. In this case, the user has access to all data regardless of the folder's privileges. This feature is useful for a user who is designated to take back-ups.
Command Key
A command key has been added to bring up the Empower Control Panel as an application under MultiFinder. The command key is preset to Control-E and may be specified under Preferences.
Reassign Users and Groups
It is no longer required to reassign folders when deleting a user or group. If you are deleting a user and do not reassign folders that are owned by that user, the folders will become unowned (in other words owned by <Any User>). If a group is deleted, the folders belonging to that group will no longer belong to a group.
Limit Desk Accessories (DAs)
Security Administrators may now specify which DAs are available to each user of the Macintosh. This allows you to limit the use of powerful DA utilities. In the users and groups dialog, a pull down menu of currently installed DAs allows the Security Administrator to disable specific DAs by user. In the Empower Edit User dialog, a check box and pop-up menu has been added to limit access to the DAs. Uncheck the DA box and the user will not have access to any DAs. To limit specific DAs, use the pop-up menu to check the DAs that you do NOT want the user to access.
NOTE
After enabling or disabling a desk accessory or re-registering as a new user, you may have to restart the Macintosh to correctly highlite the desk accessories in the Apple Menu. However, if a protected DA is not dimmed in the Apple menu, it still cannot be opened. The work around is to access the DAs after launching an application (the menu bar is built anew so the correct DAs are dimmed). Remember that Empower can be launched using hot keys. This is one way to quickly build a menu bar with the correct DAs dimmed.
Access Logging
A logging function has been added to provide an audit trail of most Macintosh activities. There are six major categories that can be enabled or disabled. Within each category there is a pop up menu to select which record types are to be recorded. The recorded data may be saved to a standard text file and can also be exported to applications, i.e. spreadsheets, word processors, etc.
Project Tracking
A part of access logging is a feature to track use by project. A project can be anything meaningful to you. The limitation is a 255 character string. You may find it easier to assign project codes to all of your projects and then just enter the code each time. The last project to be entered will be retained until the next time it is changed. Projects can be changed at startup, by registering or after timing-out. The project is displayed as part of the access log and only if "User activity" is enabled.
Volume Lock
The volume protection feature has gone through a major overhaul, including a name change to Volume Lock. If you have a hard disk that is not compatible, please bring it to our attention. When using this feature, a volume cannot be accessed without Empower. For example, if you try to start the Macintosh from a floppy or another hard disk that does not include Empower, a dialog box will inform you that Empower is required to access that volume and the volume will not appear on the desktop. As part of the volume lock feature, there is the ability to disable startup from the floppy drives. This will insure that someone cannot startup a System that has different utilities installed (or desk accessories). Only Security Administrators can override volume lock and disabled floppy drive startup.
Important note about Empower’s administrator override feature - you can gain access to a volume that has been locked with Empower’s volume lock even when Empower is not active (for example Empower is not in the System folder of the volume you started your Macintosh from). You do this with the administrator override feature. This feature allows an Empower locked volume to be mounted if a valid administrator ID and password is known. It is extremely important to know that Empower is NOT fully active when you start the Macintosh this way. If you have data that has been encrypted it will NOT be decrypted. Do not run backups or other volume maintenance while running your Macintosh in security override state. If you have any questions about what is safe to do while running your Macintosh in administrator override state please call Magna technical support.
