LMDC Client Helpdesk Runbook and Troubleshooting Guide · Helpdesk Run Book and Troubleshooting...

Liquid Machines Document Control Client Version 7

Helpdesk Run Book and Troubleshooting Guide

OVERVIEW OF LIQUID MACHINES DOCUMENT CONTROL VERSION 7 .........................................................1 FEATURES ........................................................................................................................................................................1

Microsoft Windows Rights Management Services (RMS) .........................................................................................1 Policies and Rights....................................................................................................................................................1 Client.........................................................................................................................................................................1 Policy Service ............................................................................................................................................................1 Automatic Client Updates .........................................................................................................................................2 Auditing and Advanced Dynamic Rights Enforcement .............................................................................................2

WHY IS DOCUMENT PROTECTION NECESSARY?......................................................................................................................2 Liquid Machines Policies ...........................................................................................................................................3 Liquid Machines Policy Rights ...................................................................................................................................3

WINDOWS RMS PROTECTION.............................................................................................................................................4 WORKING WITH PROTECTED DOCUMENTS ........................................................................................................5 OPENING A PROTECTED DOCUMENT .....................................................................................................................................5 WHEN THE LIQUID MACHINES DOCUMENT CONTROL CLIENT SOFTWARE IS INSTALLED AND ENABLED..............................................5 WHEN THE LIQUID MACHINES DOCUMENT CONTROL CLIENT SOFTWARE IS EITHER NOT INSTALLED, DISABLED, OR IN STANDBY MODE6 MODIFYING A PROTECTED DOCUMENT..................................................................................................................................7 PRINTING A PROTECTED DOCUMENT ....................................................................................................................................8 CREATING AN ADOBE ACROBAT PDF ....................................................................................................................................8 USING THE PRINT SCREEN FUNCTION...................................................................................................................................9 MOVING INFORMATION BETWEEN DOCUMENTS......................................................................................................................9

Moving Information from an Unprotected Document ..............................................................................................9 Moving Information within a Policy ........................................................................................................................10 Moving Information between Policies.....................................................................................................................11 Moving Protected Information to an Unprotected Document ................................................................................11 Attempting to Move Protected Information to an Unsecured Application ..............................................................12

MANAGING DOCUMENT PROTECTION WHEN THE CLIENT COMPUTER IS OFFLINE.......................................................................12 Example ..................................................................................................................................................................13

LIQUID MACHINES POLICY DROPLETTM CONTROL..........................................................................................14 EXPANDED POLICY DROPLET CONTROL...............................................................................................................................15 PROTECTING DOCUMENTS ................................................................................................................................................17

Selecting a Policy ....................................................................................................................................................17 Defining an Ad Hoc Policy ......................................................................................................................................18

Changing a Protected Document to Another Policy ...............................................................................................23 Irreversible Change ................................................................................................................................................25 Removing Protection from a Document .................................................................................................................25

COMMON MISTAKES AND TROUBLESHOOTING ...............................................................................................26 CONCEPTS/TRAINING ......................................................................................................................................................26

What Is the Client Console? ...................................................................................................................................26 Operations Are Meant to Be Transparent...............................................................................................................26

TROUBLESHOOTING CLIPBOARD OPERATIONS ......................................................................................................................26 Pasting into Unsupported Applications ...................................................................................................................26 Screen Captures (Print Screen and Alt + Print Screen)..........................................................................................27 Protection is Transferred via Paste Operation ........................................................................................................27 Other Content Moving Operations ..........................................................................................................................27

AVAILABLE POLICIES........................................................................................................................................................27 Policy List in Client Console Is Longer Than the List in the Droplet.......................................................................27 User Cannot Find a Policy to Which They Have Access..........................................................................................28

OPEN WITH UNSUPPORTED APPLICATION............................................................................................................................28 NO POLICY SERVICE IS DEFINED .......................................................................................................................................28 VB SCRIPTS ARE IN USE...................................................................................................................................................28 MANAGING AND TROUBLESHOOTING WITH THE CLIENT CONSOLE...........................................................29 VIEWING POLICIES AND MANAGING POLICY SERVICES ..........................................................................................................30

Viewing Policy Rights..............................................................................................................................................31 Adding a New Policy Service ..................................................................................................................................33 Removing a Policy Service ......................................................................................................................................34 Working with Multiple Policy Services ....................................................................................................................35 Configuring a Policy Service ...................................................................................................................................35 Checking a Policy Service's Connection Status .......................................................................................................36 Checking a Policy Service for an Update ................................................................................................................37 Exporting Policy Service Information......................................................................................................................39 Troubleshooting a Policy Service Connection .........................................................................................................41

MANAGING AUTHENTICATION CREDENTIALS (USERNAME AND PASSWORD) ..............................................................................42 Using Logon Credentials .........................................................................................................................................42 Using Alternate Credentials ....................................................................................................................................43 Changing Authentication Credentials......................................................................................................................43

DISABLING AND ENABLING LIQUID MACHINES DOCUMENT CONTROL .......................................................................................45

Disabling Liquid Machines Document Control ........................................................................................................46 Enabling Liquid Machines Document Control .........................................................................................................48 Putting the Liquid Machines Document Control Client into Standby Mode ............................................................50

MANAGING CONFIGURATION INFORMATION AND THE CLIENT CONNECTION ..............................................................................51 Viewing Configuration Information.........................................................................................................................51 Managing the Client Connection.............................................................................................................................53 Configuring Proxy Server Information ....................................................................................................................54

CLIENT INSTALLATION PROCEDURES................................................................................................................55 INSTALLER PACKAGES ......................................................................................................................................................55 MANUAL INSTALL PROCEDURE...........................................................................................................................................55

Prerequisites ...........................................................................................................................................................55 Specifying a Control Service ...................................................................................................................................55 Installing the Client Software .................................................................................................................................55

ERRORS AND LOGGING .........................................................................................................................................56 LIQUID MACHINES INTERNAL ERROR..................................................................................................................................56 APPLICATION ERRORS......................................................................................................................................................57 DIAGNOSTIC LOGGING .....................................................................................................................................................58 CONTACTING LIQUID MACHINES PRODUCT SUPPORT FOR ASSISTANCE .................................................59 HOW TO GET HELP .........................................................................................................................................................59 PROVIDING INFORMATION TO SUPPORT..............................................................................................................................60

Liquid Machines Document Control Client V7

Helpdesk Run Book and Troubleshooting Guide 1

Overview of Liquid Machines Document Control Version 7

Liquid Machines Document Control enables your company's corporate information to be protected from loss or unauthorized use, regardless of its location or method of distribution. Liquid Machines Document Control provides a security solution with flexibility. It protects documents by providing access only to authorized users and preventing unauthorized use.

Liquid Machines Document Control is activated when the computer is started and remains active unless it is explicitly disabled or put in standby state. If it is in a disabled or standby state, users will not be able to access protected documents from that computer.

Features

Microsoft Windows Rights Management Services (RMS) Liquid Machines Document Control extends Microsoft Windows Rights Management Services (RMS). RMS provides the security capabilities used to encrypt and decrypt policy-protected documents. Office 2003 and 2007 Professional applications are natively able to work with RMS-protected documents. Liquid Machines Document Control adds RMS protection to Office XP, as well as to leading desktop and enterprise applications, such as Adobe Acrobat, Adobe Reader, and Microsoft Visio. Users with the Liquid Machines client will work with the same user interface, the Liquid Machines Policy Droplet control, when working in all of these applications including Office 2003 and 2007 Professional. Through the Liquid Machines Policy Droplet control, users can access content protected with policies on Liquid Machines Document Control policy servers as well as Microsoft RMS policy servers. A document can be protected by either a Liquid Machines Document Control policy or a Microsoft Windows RMS policy, but not by both at the same time.

Policies and Rights To provide access to protected content, Liquid Machines Document Control uses policies that specify each user's rights in protected documents.

An administrator sets up policies that specify user rights on either an RMS policy server or a Liquid Machines policy server. Related policies can be classified into policy groups. The Liquid Machines Document Control client communicates with the Liquid Machines Document Control servers and the Microsoft Windows RMS servers.

Client The Liquid Machines Document Control program that is installed on individual computers is referred to as the client program. The Liquid Machines Document Control client works with desktop applications, so it does not interfere with the user’s usual manner of working.

Liquid Machines Document Control manages document protection so that users can access protected documents, for a predetermined period of time, even when the client computer is not connected to the corporate network.

Policy Service A policy service provides policies and rights information to client computers and receives audit information. At least one policy service is necessary to work with protected documents, but a client computer can interact with multiple policy services. One or more Liquid Machines Document Control servers, an RMS server, or a



combination of both can be specified as policy services. Users can configure Liquid Machines policy services, view policy rights, and check the status of connections through the Policy Service tab of the Client Console.

Automatic Client Updates A Liquid Machines Document Control client can be configured to automatically acquire configuration information for the secured applications used and software updates to the Liquid Machines Document Control client. Automatic updates are not required but, during the client installation process, a Liquid Machines Document Control server can be specified to act as a control service that will provide these updates. Users can check the status of their connection to the Liquid Machines Document Control server identified as the control service on the Configuration tab of the Client Console.

If a control service is specified during installation, a policy service is automatically created with the same name. This policy service is referred to as the global policy service. The policy service associated with the control service cannot be deleted as long as the control service is in effect.

Auditing and Advanced Dynamic Rights Enforcement Administrators can enable auditing for a policy to create a trail of all the actions taken on documents it protects. Users must have the Liquid Machines client software installed and enabled for auditing information to be collected when accessing protected documents.

Likewise, when the Liquid Machines Document Control client is used, administrators can enable advanced dynamic rights updates for a policy, so that if your rights in the policy's roles are updated, the client receives the updates. Again, to ensure that users get the latest updates, if this option is enabled for a policy, users must have the Liquid Machines client software installed and enabled to access any documents protected by that policy.

Why is Document Protection Necessary? In today's enterprise, the nature of work is becoming increasingly collaborative, requiring organizations to interact with expanding networks of partners, suppliers, and other third parties to achieve their business goals. This collaboration requires individuals within organizations to exchange information, often very sensitive information, with colleagues inside and outside their workgroups, in unprecedented levels. As more and more organizations use and share information digitally, the risk of improperly sharing information grows as well.

Building larger walls around the organization by using firewalls and restricting access cannot guarantee the protection of sensitive internal documents. The ease of emailing documents or storing them on portable media means that documents can be accidentally or deliberately shared with unauthorized users. Once authorized users open documents, they can do whatever they want with the contents--including accidentally or purposely sharing them with unauthorized parties.

Liquid Machines Document Control provides a security solution that allows corporations to protect and control their sensitive documents wherever they reside. This flexible solution allows organizations to determine which users can select policies to protect documents, change protected documents to other policies, or remove protection.



Liquid Machines Policies

To help protect your organization's sensitive or confidential documents, a policy administrator defines policies that determine how individuals in your company access information. A policy defines the rights each user has for documents protected by the policy. Different people may have different rights for the same policy, so different people will have different rights to the exact same document.

Only one policy can protect a document at a time. After a policy is selected for a document, that policy and its rights protect the document wherever it goes.

A document protected by a Liquid Machines policy can only be used in an application that is managed by Liquid Machines Document Control. Most application features work the same with protected content as they do with unprotected content. However, a few application features have been disabled to fully protect the content.

When a user needs access to a protected document (even when offline) Liquid Machines Document Control automatically checks the user’s identity through a transparent authentication process. It provides the appropriate level of access to the document based on the policy definition.

A Liquid Machines user cannot change a pre-defined policy's rights, but can view them through the Liquid Machines Policy Droplet control and Client Console.

Liquid Machines Policy Rights

In the Policy Droplet control and the Client Console, symbols indicate a user’s rights. Liquid Machines policies include two categories of rights: Content rights and Policy rights.

Content Rights Content rights determine the tasks users can perform on protected documents. A Liquid Machines policy administrator determines which users can perform these tasks:

• Read: View protected content.

• Write: Edit and save protected content.

• Print: Print protected content.

This symbol: Means the Content right is:

Allowed

Denied



Policy Rights Policy rights determine the tasks users can perform relative to a document's protection. A Liquid Machines policy administrator determines which users can perform these tasks:

• Select: Apply the policy to a document via the Policy Droplet control.

• Change: Change a document’s protection from the current policy to another policy. A user can change the document’s protection to any policy listed in the Policy Droplet control.

• Remove: Remove the document’s protection.

This symbol: Means the Policy right is:

Allowed

Denied

Windows RMS Protection For Liquid Machines Document Control users with RMS:

Liquid Machines Document Control extends Microsoft Windows Rights Management Services (RMS) protection by providing the following.

• A broad range of application support: Through its patent-pending auto-integration technology, Liquid Machines extends RMS to leading desktop and enterprise applications, such as Adobe Acrobat and Microsoft Visio. In addition, it enables companies to make optimal use of existing Microsoft investments and use Microsoft Office 2002 (XP) to view and modify RMS-protected documents created in Office 2003 Professional.

• Comprehensive information lifecycle management: Liquid Machines provides users with security-enhanced collaboration of electronic information through a document's lifecycle: from the moment of creation through distribution, editing, storage, and subsequent destruction and disposal. User actions, such as distilling a rights-protected document to Adobe Acrobat or cutting and pasting protected content to an unprotected document, maintain the policy of the original document on the derived file.

• Consistent user interface: The Liquid Machines Policy Droplet control displays protection status in all managed applications. Regardless of whether users are working within Office 2003 Professional, Office XP, Adobe Acrobat or Microsoft Visio, they can easily select policies and view rights through the same, easy-to-use interface.



Working with Protected Documents

In an application that uses Liquid Machines Document Control, the Liquid Machines Policy Droplet control appears on the right side of the application's title bar. The Policy Droplet control displays the current protection state of the document.

With the appropriate rights, a user can work with a protected document in the same way they work with unprotected documents. Depending on the user’s rights in the policy protecting the document, Liquid Machines Document Control may deny access to certain actions. For example, a policy may allow a user to open a document and print it but deny the same user the right to modify its content.

Users can work with protected documents in the following ways.

• Open a protected document

• Modify a protected document

• Print a protected document

• Create an Adobe Acrobat PDF

• Use the print screen function

• Move information between documents

Opening a Protected Document

When the Liquid Machines Document Control client software is installed and enabled If a user needs to open a protected document, they can do so as they would an unprotected document. When the user logs on to the Liquid Machines Document Control client computer, the Liquid Machines Document Control server verifies the user’s identity through a transparent authentication process. Then, if the server determines that the user is an authorized user with the appropriate rights, the document opens.

When a user opens a protected document, the Policy Droplet control displays policy information in the title bar. Users can perform any of the tasks for which they have rights. The expanded Policy Droplet control displays the following information for the selected policy:

• The policy group, if the policy is in a group

• The description and contact information

• Your rights

Note for Liquid Machines Document Control users with RMS: If the document is protected by an Ad Hoc policy, and a user has Full Control access, they can also view or change the policy settings in the Policy Droplet control, if an administrator allows it.

Liquid Machines Document Control provides an additional layer of security above and beyond Windows File System (WFS) protection. For example, if a user is allowed Write access to a document through the document's



WFS security properties, but is also denied Write access through the Liquid Machines policy protecting the document, the user cannot write to the document. In that case the user is warned, upon opening the document, that any changes they make will be discarded. The reverse is also true: if a user is allowed Write access through the Liquid Machines policy, but is also denied access through the WFS, the user cannot write to the document.

If a user is denied access to a document to which they believe they should have access, they should contact the person identified in the Contact section for the policy group or policy in the expanded Policy Droplet control or on the Policy Service tab of the Client Console.

Note: A user may have access to documents that are protected by policies on multiple policy services. If a user opens a document protected by a Liquid Machines policy on a policy service that is not configured for that user, they will be prompted to configure it by entering their authentication credentials.

When the Liquid Machines Document Control client software is either NOT installed, disabled, or in standby mode When a user who does not have the Liquid Machines Document Control client software installed attempts to open a protected document, a message similar to the one shown below will display:

This message is known as the Liquid Machines “friendly file” message. It includes a link for the user to visit to learn more about Liquid Machines software. Versions 6.4.1 and later of the Liquid Machines Document Control client installs a plug-in into the user’s browser that notices when this link is clicked.

If the client software is installed and in standby mode, the plug-in will enable the client and notify that user that it has done so.

If the client software is installed and disabled, the plug-in will display the following message:



Clicking OK will cause the following message to display:

After clicking OK on this message dialog, the user will have to reboot their client computer in order for the Liquid Machines Document Control client to become enabled. If you suspect this plug-in is causing problems in the browser, you can disable it for troubleshooting purposes. To disable the plug-in from within your browser, go to the Tools-> Internet Options -> Programs -> Manage Add-ons. It is the Liquid Machines Browser Helper Object.

Modifying a Protected Document A user can modify a protected document only if the user has Write rights within the policy.

If the user does not have Write rights to a document, they are warned by a message like the one shown below when they open the document.



Liquid Machines Document Control does not prevent users from changing the document as it is displayed, but they cannot save the changes. All changes are discarded when the user closes the document.


Printing a Protected Document If a user needs to print a protected document, they can do so as they would an unprotected document, provided they have Print rights within the selected policy.

If the user is not allowed Print rights for the document, the following message appears.

If the user is denied access to a document to which they believe they should have access, they should contact the person identified in the Contact section for the policy group or policy in the expanded Policy Droplet control or on the Policy Service tab of the Client Console.

Creating an Adobe Acrobat PDF With Liquid Machines Document Control, users can create a protected Adobe Acrobat PDF from any protected document if they have the appropriate rights. The policy of the original document is automatically applied to the Adobe PDF file. Follow these steps.

1) Open the document in its native application (for example, Word or Excel).

2) Select the option to distill the content to Acrobat (that is, print to Acrobat Distiller, Acrobat PDFWriter, or Adobe PDF).

Alternatively:

1) Open Adobe Acrobat.

2) On the File menu, click Create PDF and then click From File.

3) Open the file.



Using the Print Screen Function Users can use the Windows Print Screen and Alt+Print Screen functions to capture screen content with Liquid Machines Document Control as they would normally, but only when no protected documents are open.

If a protected document is open on a client computer when the user attempts to use the Print Screen or Alt+Print Screen functions, they will be prohibited from pasting the results. When the user attempts to paste the results into an application, the following message appears.

The user must close all protected files and perform the Print Screen or Alt+Print Screen operation once again to capture unprotected screen content.

Moving Information Between Documents Information can be moved between documents by:

• Cutting or copying and pasting, using the Clipboard

• Dragging and dropping

• Inserting files or other objects

A user’s ability to move information between documents depends on their rights and where the information is moving to and from:

• Moving Information from an Unprotected Document

• Moving Information Within a Policy

• Moving Information Between Policies

• Moving Protected Information to an Unprotected Document

• Attempting to Move Protected Information to an Unsecured Application

Moving Information from an Unprotected Document

Users can move content from an unprotected document into a document protected by a policy, but they must have Write rights to save the changes to the protected document.



If a user attempts to move unprotected content to a protected document for which they do not have Write rights, Liquid Machines Document Control does not prevent the user from changing the document as it is displayed, but they cannot save the changes. All changes are discarded when the user closes the document.

If the user is unable to save a changed document and they believe that they should have this right, they should contact the person identified in the Contact section for the policy group or policy in the expanded Policy Droplet control or on the Policy Service tab of the Client Console.

Moving Information within a Policy

Users can move content between documents protected by the same policy, but they must have Write rights to save the changes to the protected document.

Note to RMS users: In certain situations (documents protected by an Ad Hoc policy or policies created outside the Liquid Machines environment), Remove rights are required to paste between protected documents. Users can, however, paste multiple times from one protected document into a document that started out as unprotected (even after it takes on the policy of the source document).

If the user attempt to move content between documents protected by the same policy for which they do not have Write rights, Liquid Machines Document Control does not prevent the user from changing the document as it is displayed, but they cannot save the changes. All changes are discarded when the user closes the document.

If the user is unable to move content into a document, it may be because the policy does not permit the action. If a user is denied access to a document to which they believe they should have access, they should contact the person identified in the Contact section for the policy group or policy in the expanded Policy Droplet control or on the Policy Service tab of the Client Console.



Moving Information between Policies

Users can move content between documents protected by different policies on the same policy service only if your rights allow it: if the policy they are moving content from gives them the right to Change to a different policy.

Users can move content between documents protected by any policy on any policy service if the policy they are moving content from gives them the right to Remove the protection entirely.

The figure below illustrates moving protected content to a document that is protected by a different policy:

• Document 1 is protected by a Liquid Machines policy named Policy A.

• Document 2 is protected by a Liquid Machines policy named Policy B.

Note to RMS users: In certain situations (documents protected by an Ad Hoc policy or policies created outside the Liquid Machines environment), Remove rights are required to paste between protected documents.

If the user’s rights to the document in which the moved information is pasted do not allow Write, the paste action will be allowed, but the user will not be allowed to save the change.

After a user moves protected information to a document that is protected by a different policy, the moved information becomes protected by the policy of the document to which it was moved.


Moving Protected Information to an Unprotected Document

Users can move content from a protected document into an unprotected document if the policy the user is moving content from allows the user Write rights. The unprotected document becomes protected by the same policy as the moved content. Subsequent pastes from the original source document to the same target document will always be allowed.

The figure below illustrates copying protected content to an unprotected document.



If a user’s rights to the document from which the protected information is moved do not allow Write, the paste action will be denied. After the user moves protected information to an unprotected document, the policy of the protected information is immediately selected for the unprotected document, and the Policy Droplet control display changes from Unprotected to the policy name.


Attempting to Move Protected Information to an Unsecured Application

When a document is protected by a policy, a user can only move its content to an application that is not secured by Liquid Machines Document Control if their rights allow them to remove the protection first. The following table describes what happens when a user attempts to move protected content to an unsecured application without removing its protection first.

When the user attempts to: The following occurs:

Paste from the Clipboard A message is pasted instead, specifying that the text is protected by Liquid Machines.

Drag and drop Drag and drop is disabled.

Insert protected text into an unsecured application

The insertion fails.

Liquid Machines Document Control does not support selecting policies for Microsoft Outlook messages. However, Microsoft Outlook allows users to use Microsoft Word as their email editor. If they use Microsoft Word as their email editor within the Liquid Machines environment, the Policy Droplet control does not appear in their email messages, and they cannot protect email content. In addition, they can only copy protected content into the body of an email message if they have the Remove right. In that case, the paste is allowed, and the content pasted into the email will be unprotected. They can, however, attach protected files to your email messages.

Managing Document Protection When the Client Computer is Offline If a user has been granted offline rights within the governing policy, they can access documents that are protected by Liquid Machines Document Control even when their client computer is not connected to the corporate network.



Liquid Machines Document Control manages document protection while offline by storing Liquid Machines policy information on the user’s computer. Each time the Liquid Machines Document Control client and server communicate, updated Liquid Machines policy information is downloaded to the user’s computer. When the user attempts to access a protected document while offline, Liquid Machines Document Control uses the policy information stored on the user’s computer to determine their rights.

Every Liquid Machines policy has two settings that govern when the user can access protected documents. These limits are defined and maintained by the Liquid Machines policy administrator.

• Offline: The user can access protected content when their computer is not connected to the network. Offline access can be limited to a certain number of days before the user is required to connect to the corporate network to obtain updated policy information. Users must have connected to their corporate network at least once before they can work with protected documents offline.

Note for Liquid Machines Document Control users with RMS: Users must be connected to their corporate network the first time they open a protected document.

• Expire: Users can access protected content for a duration (number of days), until a certain date, or with no expiration date. When expiration is specified with a duration, the duration begins on the date on which the document was last saved.

Together, these settings control when protected documents may be accessed.

Example The following example shows how these settings might be configured in a policy to control offline access to documents protected by the policy.

Settings • The number of consecutive days the user can work offline is 3.

• The expiration date of the document is 8 days.

Results • If a document was last saved on September 9, 2008, the user can access the protected

document until September 17, 2008.

• If the user goes offline on September 9, 2008, they will be allowed offline access to documents protected by this policy until September 12, 2008. After that date, they must reconnect to the network before they will be able to work offline with those documents again.

If a user attempts to access a protected document offline after the offline period has expired, a message informs the user that they must connect to the network for updated policy information.



Liquid Machines Policy DropletTM Control The Policy Droplet control appears in the title bar of applications that are secured by Liquid Machines Document Control. The illustration below shows the Policy Droplet control as it appears in Microsoft Word.

The Policy Droplet control displays one of the following, depending on how the document is protected.

Protection Policy Droplet Control Display

Not protected by a policy Unprotected

Protected by a policy policy name

Protected by an Ad Hoc policy Permissions in Effect

Protected by an Ad Hoc policy with RMS before Liquid Machines Document Control was installed

Do Not Distribute

Users should click on the Policy Droplet control to expand it. It displays further information related to the task the user is performing.



Expanded Policy Droplet Control When a user clicks the Policy Droplet control, it expands. With the appropriate rights, they can use the Policy Droplet control for the following tasks.

• Selecting a policy to protect a document.

• Defining an Ad Hoc policy.

• Changing an Ad Hoc policy (if the user have Full Control).

• Changing to another policy to protect a document.

• Removing protection from a document.

The expanded Policy Droplet control contains information specific to the task the user is performing. The following illustration shows its content when the user is selecting a policy.



• To see the policy groups and policies available from a different policy service, select another policy service from the Show Policies From list. Policies can come from three places:

� Liquid Machines policy services

� RMS policy service, labeled RMS Policy Service (server name)

� Ad Hoc policies

• To open the Client Console, click the button with the ellipsis (...).

• To see the policies in a policy group, click the plus (+) sign. To collapse the policy group, click the minus (-) sign.

• To see additional information about a policy group or a policy, click its name. Additional information appears at the bottom to help the user select the appropriate policy for their document. The user can select different policy groups or policies in turn to view the following information:

� A description of the policy group or policy. If no description has been provided, the description box displays, "No description is available."

� Symbols indicating the users rights within the selected policy.

� Information about the contact person for the selected policy group or policy. If the user is denied access to a function in a protected document to which they believe they should have access, they should contact this person. If no contact information has been provided, the contact box displays, "No contact information is available."

� Information about offline access and expiration.

• To save any changes and collapse the Policy Droplet control, click the OK button.

• To collapse the Policy Droplet control without making any changes, either click the Cancel button or click the Policy Droplet control in the title bar again.

• To access Help for information on how to use Liquid Machines Document Control to protect documents, click the Help button.

• To see information about the Liquid Machines Document Control client, click the About button.

Note to Liquid Machines Document Control users with RMS: In the Policy Droplet control, although users can modify Ad Hoc policy settings for documents they have authored, they cannot modify Liquid Machines policy settings.



Protecting Documents In the Liquid Machines Policy Droplet Control, they can:

1) Select a policy for a document.

2) Change to another policy.

3) Remove protection from a document.

Selecting a Policy

When users create a new document or open an existing unprotected document in an application that is secured by Liquid Machines Document Control, the Policy Droplet control appears in the title bar. Users can protect an unprotected document by selecting a policy for it, as long as they have the appropriate rights.

• Click the Policy Droplet control to expand it.



In the expanded Policy Droplet control, users may see one or more policy group names and policy names. If not, they do not belong to policies that allow the user to select them for their documents on the selected policy service. In that case, they can select another policy service or they must leave their document unprotected.

If the user does not belong to a policy to which they believe they should, they should contact their server administrator.

• Click the arrow next to the Show Policies From list and select the policy service from the list. The policy service name is the label given to the server on which the policy information resides.

Note to Liquid Machines Document Control users with RMS: If an administrator allows, users can also define an Ad Hoc policy.

• If the policy is in a policy group, click the plus (+) sign to the left of the policy group name to display its policies.

• Click the policy name to select it. Users can select only one policy for their document at a time. Selecting a policy also selects the Restrict permission to this document check box.

• Click the OK button. The Policy Droplet control collapses to display the name of the selected policy, and Liquid Machines Document Control protection takes effect immediately, unless the policy selection is irreversible.

Liquid Machines users cannot change the policy's rights settings, but they can view them in the expanded Policy Droplet control or on the Policy Service tab of the Client Console.

Defining an Ad Hoc Policy Note: This function is only available to Liquid Machines Document Control users with RMS.

If a system administrator has enabled this option, users can define an Ad Hoc policy to limit access to a document to specific users. When the Ad Hoc Policies policy service is selected in the Policy Droplet control the contents of the Policy Droplet control changes, so users can define the details of the policy by identifying users and their permissions. Users can define an Ad Hoc policy’s users with:

• Read permission, who can only read the document.

• Change permission, who can read, edit, and save the document.



To define an Ad Hoc policy for the document, follow these steps.

1) Select the Ad Hoc Policies policy service in the Policy Droplet control.

2) Select the Restrict permission to this document check box.

3) To specify users with Read permission for the document, enter email addresses in the box to the right of the Read button. Use one of these methods:

a) Click the Read button and select email addresses from an Outlook address book.

b) Type email addresses in the box, separated by semicolons.

c) To include everyone, click .

4) To specify users with Change permission for the document, enter email addresses in the box to the right of the Change button. Use one of these methods:



a) Click the Change button and select email addresses from an Outlook address book.

b) Type email addresses in the box, separated by semicolons.

c) To include everyone, click .

5) To define additional permissions and administrative settings for the document, click the More Options button.

6) To confirm your selection, click the OK button. The Policy Droplet control in the title bar of the document displays Permissions in Effect.

Selecting Email Addresses from An Outlook Address Book When a user defines an Ad Hoc policy, they can select email addresses for Read and Change permissions from an Outlook Address book. When they click the Read button or the Change button on the Policy Droplet control, the Select Names window appears.

• To search for a user, type the name in the Type Name or Select from List box.



• To change the source of the name list, click the arrow next to the Show Names from list.

• To select a user for Read permission, click the user name in the list, and then click the Read button. The email address appears in the Read box.

• To select a user for Change permission, click the user name in the list, and then click the Change button. The email address appears in the Change box.

• To confirm your selections, click the OK button. The Select Names window closes, and the Policy Droplet control includes the user’s selections in the appropriate boxes.

Defining Additional Permissions and Administrative Settings When a user defines an Ad Hoc policy, they can set additional permissions and administrative settings for the document. When the user clicks the More Options button on the Policy Droplet control, the Permission window appears. In the Permission window, users with Full Control can specify settings for expiration, printing, copying, and accessing content programmatically. Users with Full Control can also enter contact information and connection requirements.



To add or remove users:

• To add a user or users with Read, Change, or Full Control rights click the Add button.

• To remove a user, select the user in the list and click the Remove button.

To select any of the following additional permissions or settings:

• To set an expiration date for the document, select the This document expires on check box and type or select an expiration date in the box.

• To allow users to print the protected content, select the Print content check box. Any user who has any type of access to the document will be able to print the protected content.

• To allow users to access data in the protected document through application scripts, select the Access content programmatically check box. Any user who has any type of access to the document can access the protected content



programmatically.

• To allow users with Read permission to use Windows Clipboard functions to move content from the protected document, select the Allow Read users without the Liquid Machines client to use the clipboard check box. Users should keep in mind that if they allow these users to use the clipboard, any information they copy will be unprotected.

Note: Users with Change permission can always move protected content using Clipboard functions.

• To inform users of an email address to which they can submit requests for additional permissions, select the Users can request additional permissions from check box and enter a contact email address. Only a user with Full Control access to the document can change permissions.

• To force users to verify their permission by connecting to the Windows Rights Management server every time they attempt to access the document, select the Require a connection to verify a user's permission check box.

• To confirm the selections, click the OK button. The Permission window closes.

Changing a Protected Document to Another Policy

Once a Liquid Machines policy has been selected to protect a document, users can change it to a different policy, as long as they have the appropriate rights in both policies. To change from one Liquid Machines policy to another, users must have the Change right in the original policy, and the policy must appear as an option in the Policy Droplet control, as shown below.

1) Click the Policy Droplet control to expand it.



In the expanded Policy Droplet control, users might see one or more policy group names or policy names. If they see only the current policy, then they may not have Change rights to the policy or they may not have any available policies in the current policy service. If other policy services are available, the user may be able to change to a policy on another policy service. If no additional policies are shown, then the user cannot change the policy.

If a user does not belong to a policy to which they believe they should, they should contact their policy administrator.

1) To select a policy from a different policy service, click the arrow next to the Show Policies From list and select the policy service from the list. The policy service is the name of the server on which the policy information resides.

Note: Users must have Remove rights for the policy that currently protects the document to change it to a policy on a different policy service.

2) If the policy is in a policy group, click the plus (+) sign to the left of the policy group name to display its policies.



3) Click the policy name to select it. Only one policy can protect a document at a time. Selecting a policy also checks the Restrict permission to this document check box.

4) Click the OK button. The Policy Droplet control collapses to display the name of the selected policy, and Liquid Machines Document Control protection takes effect immediately, unless the change is irreversible.

Irreversible Change

A policy selection is considered irreversible if, after the new policy settings are applied, the user cannot return the document to its previous protection state (a selected policy or unprotected) using the Policy Droplet control. When the user makes an irreversible change, Liquid Machines displays the following warning message.

1) To proceed with the policy selection, click the Yes button. The new policy settings are applied to the document, the message box closes, and the Policy Droplet control collapses. The Policy Droplet control in the title bar of the application displays the name of the policy selected for the document.

2) To close the message window, click the No button. The user is returned to the Policy Droplet control, where they may select a different policy or close the Policy Droplet control.

Removing Protection from a Document

A user can remove protection from a policy-protected document, if they have the Change and Remove rights within that policy.

1) Click the Policy Droplet control to expand it.

2) Click the Restrict permission to this document check box to clear it. If the check box is grayed out, the user’s rights in the policy do not allow them to remove protection from documents.

3) Click the OK button. Liquid Machines Document Control immediately removes any protection from the document content and changes the Policy Droplet control value to Unprotected.



Common Mistakes and Troubleshooting The configuration and training necessary to address the issues below is covered in the product documentation. This list is meant to alert you to the most common issues that may arise, why they happen, and how to resolve them.

In general, you will find that the Liquid Machines Document Control Client is a robust, transparent, and simple application. Often, your main focus will not be problems with the client software, but helping users build process and add value around enterprise rights management and encrypted documents.

Concepts/Training

What Is the Client Console? The Client Console is meant to help configure, troubleshoot, and gather information about the Liquid Machines Client. It is not necessary for users to be aware of the Client Console or how to use it. The interfaces with which users interact during normal operation are the Policy Droplet and the application, such as Microsoft Word or Adobe Acrobat, itself.

The Client Console is accessible from the Windows “Start Menu.” This means that users may discover it and be curious about it. You may choose as part of training to ask users to ignore the console, to inform them that you will show them how to use it in the event you need to troubleshoot a problem, or to fully familiarize them with the console’s elements. Choose the best course of action based on company policy and the skill of your users.

Operations Are Meant to Be Transparent The Liquid Machines Client is designed to make workflow with protected documents as transparent as possible. The only actions users take is to add protections to a new document, or change or remove protections on an existing document. All other user actions happen “transparently” by interacting with the regular application interface.

The transparency of Liquid Machines can have the effect that users “forget” that Liquid Machines is installed. When a special protected document behavior occurs, for example the blocking of a print or cut-and-paste operation, users may “forget” why it happens, and will report the behavior as a problem to the helpdesk. Reminding users that Liquid Machines is installed and is protecting those operations and documents may be all that is needed.

Troubleshooting Clipboard Operations

Pasting into Unsupported Applications When the receiving application in a cut and paste operation is one that Liquid Machines does not support, the document that was intended to receive the pasted content instead receives a message similar to the following text:

“The data on the clipboard is protected by a Liquid Machines policy (//Corporate Baseline/Corporate Default) and cannot be pasted into this document.”

This is normal behavior, but users are sometimes confused or startled by the message. Familiarize yourself with the message so you can quickly recognize and explain it, and train your users to recognize it, too.



Screen Captures (Print Screen and Alt + Print Screen) When a user tries to paste a Windows screen capture while any protected document is open, an error graphic that is similar to that which is shown below will be displayed. The error displays even when the content of a protected document is not visible on the screen.

Simply have the user close all protected documents and try the screen capture again. Once all protected documents are closed the screen capture will behave as expected.

Protection is Transferred via Paste Operation If a user pastes information from a protected document into a new or existing unprotected document within a Liquid Machines-supported application, the unprotected document will become automatically protected with the same protections as the document from which the information was copied.

Users sometimes are unaware of the change, and do not understand how the document to which the information was pasted became protected.

Other Content Moving Operations Some other methods of moving content between applications, for example dragging and dropping from one Office application to another, will simply fail silently and without warning when the protections prevent copy and paste.

Available Policies

Policy List in Client Console Is Longer Than the List in the Droplet A user may discover in the list of policies to which they have rights in the Client Console has more policies in it than the list they can see in the Policy Droplet control.

Since the Droplet is used to apply policies to documents, it contains only policies in which a user’s role allows “Select” rights.

By default, the Policy Service tab of the Client Console lists all policies in which the user has role membership. Selecting the Selectable in Policy Droplet radio button in the Policy Service tab changes the view to list only those policies that would display in the Policy Droplet. The list should match the list they can see in the Policy Droplet.



User Cannot Find a Policy to Which They Have Access Users may sometimes be aware that they should have access to a certain policy, but they don’t see it in the Droplet or in the Client Console. There are a number of reasons this may happen:

The user does not have role membership to the Policy. At the server level, the user has not in fact been given role membership to the policy. You will need to contact a server administrator or a business administrator who has access to change the policy, in order to verify that the user should have access and then give them role membership to the policy.

The user’s role membership is recent and the client has not yet received an update from the server. You may learn that the user does in fact already have role membership to the policy, but still the policy does not appear in the users Policy Droplet control or Client Console. The user may have been recently added as a role member to the policy and that change has not yet been reflected on the client because a client/server communication has not occurred since the change was made. Requesting an update from the server by clicking the Update Now button on the Policy Service tab of the Client Console will resolve the problem in this case.

You may find that after requesting the update, the client console shows the policy but the droplet does not. This will happen appropriately when the user does not have Select rights to the policy. It may also happen when the user does in fact have Select rights but a Liquid Machines-supported application is open when a client/server communication occurs. Close all supported applications (including Outlook if Word is used as the email editor) and then reopen a Liquid-Machines supported application. The droplet should show the policy.

Open with Unsupported Application If the user opened a protected document in an unsupported application, they will be able to view the encrypted byte stream, which looks like a bunch of random characters and symbols. Users are sometimes confused or startled by this behavior.

No Policy Service is Defined When the user expands the Policy Droplet, they should see the Liquid Machines server defined at the top, near the label Show policies from:. If this is not the case, try the following:

Have the user logoff and then logon again

Reboot the client computer

They may have forgotten to specify the Liquid Machines service when installing the client. Refer to the Client Installation Procedures section of this document on page 55.

VB Scripts are in Use If a policy denies scripting, then the Liquid Machines Document Control Client will try to block all VB scripting functionality. If scripting is allowed by a policy, then there are still certain actions that are accessible via scripting that may be blocked by other policy settings (e.g., printing and saving). In addition, the 6.4 version of the LMDC Client introduced a feature whereby scripting integration can be disabled in the Liquid Machines Document Control Client, resulting in scripting being fully functional, regardless of the policy settings. This new feature is intended to be used in cases where the client scripting integration is interfering with scripting in unacceptable ways. It should be used only if a problem with scripting is observed and should be thought of as



script-only "Standby" feature. Liquid Machines Product Support can assist you with the use of this feature if it is necessary to troubleshoot a problem.

Managing and Troubleshooting with the Client Console

If your organization is using a Liquid Machines Document Control server, the Liquid Machines Document Control Client Console can be used for troubleshooting purposes. It provides you with tools and information that allow you to manage Liquid Machines Document Control and troubleshoot unexpected behavior.

The Client Console includes the following:

• Policy Service tab: To view policy information and manage Liquid Machines policy services.

• Client State tab: To control the operation of Liquid Machines Document Control on your computer.

• Configuration tab: To view configuration information and manage the client connection.

To open the Liquid Machines Document Control Client Console, use one of these methods:

• In the expanded Policy Droplet control, click the button labeled with the ellipsis (...).



• From the Windows Start menu:

� On the Windows task bar, click the Start button.

� Click All Programs or Programs.

� Click Liquid Machines.

� Click Client Console.

Viewing Policies and Managing Policy Services On the Policy Service tab of the Client Console, users can:

• View their rights in a selected policy.

• Add a new policy service using the Add button.

• Remove a policy service using the Remove button.

• Check the status of the connection to a policy service or export policy service information to an XML file using the Details… button.

• Request an update from the selected policy service using the Update Now button.

• Change the authentication credentials (username and password) used to access a Liquid Machines policy service using the Change… button.



Viewing Policy Rights

On the Policy Service tab of the Client Console, users can view the rights they are allowed under a policy.



• Select the policy service from the Show Policies From list.

• Select a radio button for the policies you want to show:

� All policies

� Only the policies that are selectable in the Policy Droplet control

• If the policy is in a policy group, click the plus (+) sign to the left of the policy group name to display its policies.

• To select the appropriate policy, click the policy name.

• When a policy group or policy is selected, the lower section of the Policy Service tab window displays additional information about the selected policy or policy group. Users can select different policy groups or policies in turn to view the following information:

� A description of the policy group or policy. If no description has been provided, the description box displays, "No description is available."

� Information about the contact person for the selected policy group or policy.



� Symbols indicating the user’s Content and Policy rights in the selected policy group or policy.

� Information about whether documents protected by the selected policy are audited, the user’s offline access to the policy group or policy, and expiration for documents protected by the policy.

Adding a New Policy Service

If a user needs access to policies on a policy service that has not been configured for their computer, they can add a new policy service.

• On the Policy Service tab of the Client Console, click the Add button. The New Policy Service dialog box appears.

• In the New Service Address box, enter the name of the server location where policies are stored. For example: servername.domainname.com. If you need more information, contact the server administrator or the source of the protected document(s) to which the user needs access.

• Select an option for authentication credentials, the username and password used to access the policy service.

Users who are members of a corporate directory configured at the server and are logged into the computer with their credentials for that directory, can authenticate to the Liquid Machines policy service using their normal domain logon credentials via the Use Logon Credentials option.

Members of a corporate directory configured at the server can select the Use Alternate Credentials option to log on to a domain-resident computer under different domain logon credentials, or to log on from a non-domain-resident computer using their domain credentials.



• Click the OK button. The Client Console connects to the new policy service and attempts to authenticate the credentials provided. If authentication is successful, a dialog box indicates that the policy service connection is complete. If authentication fails, a dialog box indicates the failure.

There is a delay while the policy service is contacted. Policy services cannot be added if the client computer is offline or if the policy service is unavailable.

Removing a Policy Service

If a user no longer need to access policies on a policy service, they can remove the policy service from the Policy Service tab of the Client Console.

Note: Users cannot remove a policy service while Liquid Machines-secured applications are open. If the user uses Microsoft Word as their editor for Outlook, then Outlook must also be closed. Users cannot remove the global policy service, that is the policy service associated with the control service.

1) Select the policy service from the Show Policies From list.

2) Click the Remove button.



3) A dialog box asks if the user if they want to remove the policy service. To confirm, click the OK button.

4) The Policy Service tab reappears with the policy service removed from the list.

Note: If the user attempts to remove the policy service associated with the control service the operation will not be permitted and the following message will be displayed:

Working with Multiple Policy Services

Users may have access to protected documents on more than one policy service, or they may want to protect documents with policies from different policy services. With the appropriate rights, they can access documents on any policy service.

Users can see and select the policy services to which they have access in the Show Policies From list in the expanded Policy Droplet control.

Users might need to access a protected document on a policy service that is not already configured for their computer. In that case, they can configure the policy service.

Configuring a Policy Service

When a user is working with multiple policy services, they might need to configure a policy service.

Reactive Policy Service Configuration If a user tries to access a document that is protected by a policy on a policy service that is not already configured for their computer, they are automatically prompted to add that policy service. When they attempt to open the document, they are asked to enter their authentication credentials (either logon username and password or alternate credentials). The credentials are validated and added for the policy service, and the user can access the document according to their rights in the policy that protects the document.

After logging on to the policy service the first time, the user does not need to enter their credentials again; the policy service and their authentication credentials are now known to the Liquid Machines client.

Manual Policy Service Configuration Alternatively, users can select a policy from a policy service that is not configured for their client computer by adding the new policy service using the Client Console as described in the Adding a New Policy Service section on page 33.



Checking a Policy Service's Connection Status

The Liquid Machines Document Control server communicates with the computers that use the Liquid Machines client on a regular basis. The Liquid Machines server administrator sets the frequency of those communications, also known as the polling frequency. During those communications, the server passes along policy and rights information. On the Policy Service tab of the Client Console, you can check the status of the connection to a policy service.

1) Select the policy service from the Show Policies From list.

2) The Connection Status appears at the bottom of the tab.

OK = The connection was successful.

Failed = The connection was unsuccessful.

For more information, click the Details button. The Policy Service Details dialog box appears.



It contains the following information:

Note: All dates and times are specified in local client time.

• Last Successful Update: The date and time the last successful server update was received.

• Last Update Attempt: The date and time the last server update was attempted. Ideally, this would be the same date and time as the Last Successful Update.

• Last Update Status: A brief description of the status of the last server update attempt:

o Succeeded

o Failed - reason for the failure

• Next Scheduled Update: The date and time the next server update will be attempted.

Users can also check a policy service for an update by clicking the Update Now button.

Note: Users can check the status of the Liquid Machines Document Control control service on the Configuration tab of the Client Console.

Checking a Policy Service for an Update

A policy service update causes the Liquid Machines policy service to pass new policy information and information about policy changes to the Liquid Machines Document Control client. Policy service communications are scheduled regularly, but a user can also request an update to a Liquid Machines policy service outside of the regular schedule on the Policy Service tab of the Client Console. For example, if a policy administrator has just updated a user’s rights, the user may want to immediately request a policy service update so these rights will be downloaded to the client.



• Select the policy service from the Show Policies From list.

• To request an immediate policy service update, do one of the following:

� Click the Update Now button, next to the Connection Status.

� Click the Details button at the bottom of the tab.



On the Policy Service Details dialog box, click the Update Now button, next to Check Service for Update.

If any Liquid Machines-protected applications (including Microsoft Outlook, if Word is used as the email editor) are open during the policy service update, the user must close them and then reopen them after the update to reflect any updated policy information.

A message confirms a successful update or provides a reason for a failed update.

Exporting Policy Service Information

Users can export policy service information to an XML file, which can be used by the Help Desk or Liquid Machines Product Support for troubleshooting.



• On the Policy Service tab of the Client Console, select the policy service from the Show Policies From list.

• Click the Details button at the bottom of the tab. The Policy Service Details dialog box appears.



1) To export the information for the policy service to a file, click the Export button, next to Export Service Info to File.

2) In the Liquid Machines File Export Window, select a location and enter an appropriate file name.

3) Click the Save button.

Troubleshooting a Policy Service Connection

When a policy service update fails, there are some steps you can take to determine if the problem is due to a problem with the network or something else.

• Any user should be able to attempt to login to the Liquid Machines Document Control Server web admin console. If the user is a server administrator, they will be allowed access. If the user is not a server administrator, they should be denied access with a specific message indicating they are not privileged to administer the server. Any other result means that something is wrong with the authentication infrastructure and you may need to involve a server administrator. (Unless a name and password was forgotten, an account locked out, something like that.)

• Always check connectivity to the server using a web browser and ensure that the proxy settings in the LMDC Client Console make sense given how they are set in the web browser.

• Try to ping the Liquid Machines Document Control Server’s IP address from the computer that is experiencing the problem. An unsuccessful result means that there is a problem with the network in general.

• If in the Client Console, when you try the "Update" button for a given policy service or on the "Configuration" tab, you get an "application protocol error," gather verbose dci_log*.txt files and send them to Liquid Machines Product Support. This message



indicates that something has going wrong with the data that the client and server are trading back and forth.

Managing Authentication Credentials (Username and Password) Authentication credentials are the username and password used to access a policy service. Users must enter their authentication credentials when they configure a new policy service or when they first attempt to access a document that is protected by a policy on a policy service that is not yet configured on their computer.

• If the user is a member of a corporate directory configured at the Liquid Machines Document Control server and is logged on to the client computer with their credentials for the directory, they can authenticate to the Liquid Machines policy service using their normal domain logon credentials.

• If the user is a member of a corporate directory configured at the Liquid Machines Document Control server, they can use alternate credentials to authenticate to the Liquid Machines policy service via a domain-resident computer under different domain logon credentials, or from a non-domain-resident computer using their domain credentials.

• Users can change their authentication credentials only while online.

Using Logon Credentials If a user is a member of a corporate directory configured at the Liquid Machines Document Control server, they can set up their authentication credentials so that their computer authenticates their domain username and password against the policy service.

1) In the Authentication Credentials dialog box, select Use Logon Credentials. The user’s credentials appear to the right.



2) Click the OK button. The Client Console attempts to connect to the policy service with the logon credentials provided. If authentication is successful, a dialog box indicates that the policy service connection is complete. If authentication fails, a dialog box indicates the failure.

There is a delay while the policy service is contacted.

Using Alternate Credentials When a user wants to log on to a policy service with authentication credentials that are different from the logon credentials used to log on to the client computer, they can use alternate credentials.

If the user is a member of a corporate directory configured in the Liquid Machines Document Control server and they want authenticate to the Liquid Machines policy service via a domain-resident computer under different domain logon credentials, or via a non-domain-resident computer using their own domain credentials, they can use alternate credentials.

To set up alternate credentials, follow these steps.

• In the Authentication Credentials dialog box, select Use Alternate Credentials.

• Enter the user’s username and password.

• Click the OK button at the bottom of the tab.

Note: If the user is using their domain credentials from a non-domain computer or other domain logon credentials on a domain computer, they must specify the fully qualified domain name in the username field. Example: [email protected]

Changing Authentication Credentials On the Policy Service tab of the Client Console, a user can change their authentication credentials, that is, the username and password they use to access a policy service.

The user can only change authentication credentials while they are online, because the policy service must be contacted to verify the credentials.



Note: A user cannot change their authentication credentials for a policy service while any Liquid Machines-secured applications are open. If they use Microsoft Word as their editor for Outlook, then Outlook must also be closed.

• At the top of the tab, click the Change button. The Authentication Credentials dialog box appears.



In the Authentication Credentials dialog box, do one of the following:

• Select Use Logon Credentials. The user’s current login credentials appear to the right.

• Select Use Alternate Credentials and enter the username and password.

Note: If the user is using their domain credentials from a non-domain client computer or other domain logon credentials on a domain computer, they must specify the fully-qualified domain name in the username field.

Example: [email protected]

• Click the OK button. The Client Console attempts to connect to the policy service with the logon credentials provided. If authentication is successful, a dialog box indicates that the policy service connection is complete. If authentication fails, a dialog box indicates the failure.

There is a delay while the policy service is contacted.

Disabling and Enabling Liquid Machines Document Control From the Client State tab of the Liquid Machines Client Console, users can:

• Disable the Liquid Machines client for troubleshooting or in the event of unexpected behavior.

• Enable the Liquid Machines client after it has been stopped.

• Put the Liquid Machines client into Standby mode for troubleshooting purposes or to use only when needed.



• When Liquid Machines Document Control is enabled, the Standby and Disable buttons are active and the Enable button is grayed out.

• When Liquid Machines Document Control is Disabled, the Enable button is active and the Standby and Disable buttons are grayed out.

• When Liquid Machines Document Control is in Standby mode, the Enable and Disable buttons are active and the Standby button is grayed out.

Disabling Liquid Machines Document Control The Liquid Machines Document Control client must sometimes be disabled and enabled for troubleshooting or in the event of unexpected behavior.

Warning! Only disable the Liquid Machines Document Control client when asked to do so by internal Help Desk or Liquid Machines Product Support staff for troubleshooting. While the Liquid Machines Document Control client is disabled, protected documents are inaccessible to all users who use the client computer. A reboot is required to enable the Liquid Machines Document Control client from a disabled state.

To disable the Liquid Machines Document Control client, click the Disable button. The following message appears.



To proceed with disabling the Liquid Machines Document Control client, click the OK button.

Under certain conditions, Liquid Machines Document Control cannot be disabled. When the user attempts to disable Liquid Machines under these conditions, the following messages may appear.

• When additional users are logged on to the client computer, the following message appears.

To close the message, click the OK button. When the additional users have logged off, the user can attempt to disable the Liquid Machines Document Control client.

• When protected files are open, the following message appears.

To close the message, click the OK button. Close the protected files that were identified in the message. When the protected files have been closed, the user can attempt to disable the Liquid Machines Document Control client.

• When Liquid Machines Document Control is disabled, protected data that has been copied to the Windows Clipboard through a copy or cut operation is removed from the Clipboard. The following message warns the user that the protected Clipboard data will



be lost.

To close the message, click the OK button. When the Liquid Machines Document Control client is successfully disabled, the following message appears.

To close the message, click the OK button.

After troubleshooting or resolving the unexpected behavior, enable Liquid Machines Document Control.

Enabling Liquid Machines Document Control The Liquid Machines Document Control client sometimes must be put in a standby state for use as needed, or disabled and enabled for troubleshooting or in the event of unexpected behavior.

Enabling from Standby state: When the client has been put in a standby state, to re-enable Liquid Machines Document Control, click the Enable button. The following message appears, asking the user to confirm their request to enable the client:

To enable the Liquid Machines client, click the OK button. Liquid Machines Document Control will automatically become active. The following message appears, confirming that the client is now enabled.



Enabling from a Disabled state: When the client has been disabled, to re-enable Liquid Machines Document Control, click the Enable button. For Liquid Machines Document Control to become active, the computer must be restarted. The following message appears, informing the user that the Liquid Machines client is enabled and asking if the user wants to reboot now.

To enable the Liquid Machines client, click the OK button. The following message appears, requesting that the user restart their computer.

• To restart the user’s computer immediately, click the Yes button.

• To restart the user’s computer at a later time, click the No button.

After the user restarts their computer, Liquid Machines Document Control is activated at logon, and the Enable Liquid Machines Client button of the Client State tab is grayed out.



Putting the Liquid Machines Document Control Client into Standby Mode

Standby mode sets the Client to stop "injecting" any of the supported applications. The client process is still running and integrated into the login sessions, but the droplet no longer appears in supported applications such as Word and Excel.

Standby mode can be turned on and off from the Client Console and does not require the user to reboot or logout to take effect. Users should close all protected documents before switching in and out of standby mode otherwise a message dialog will appears asking them to do so. If unprotected documents are open when standby mode is enabled, the droplet will disappear from open applications. When the client is enabled from standby mode, the droplet will not reappear in open applications without first closing and reopening the applications. On the troubleshooting side, Standby mode allows you to quickly eliminate Liquid Machines as a variable when dealing with issues at the application level. Is Excel crashing? Enable standby mode and see if the problem goes away. Standby does not address login issues, so if for example a login session hangs half way through the login sequence, standby will not help – you would have to disable the client completely to determine if Liquid Machines is involved in that behavior. On the roll-out side, standby mode allows you to deploy the Client in its least invasive mode, and users can turn it on later as they need to protect content or access protected content. To install the Client in standby mode, include the flag CLIENTSTATE=STANDBY in the installer command line. The status is also indicated and controlled in the Windows Registry by the expanded string value "Client State" in the key HKEY_LOCAL_MACHINE\Software\Liquid Machines\Client\Client State. We do not recommend you manipulate this registry setting though, as the Client will not trigger a state change merely because the registry value has changed. That is to say, it does not monitor the event of the value being changed.

• To put the Liquid Machines Document Control client into a Standby state, click the Standby button. The following message appears.

• To proceed with putting the Liquid Machines Document Control client in a standby state, click the OK button. The following message appears:



• To close the message, click the OK button.

When the Liquid Machines Document Control client is needed to apply Liquid Machines protection to a document or access a document that has already been protected by Liquid Machines, you’ll need to re-enable Liquid Machines Document Control.

Managing Configuration Information and the Client Connection On the Configuration tab of the Client Console, users can view information about the Liquid Machines Document Control client. They can also check the status of the client connection, request a control service update, and configure proxy server information.

Viewing Configuration Information

To find information about the Liquid Machines Document Control client, on the Client Console, click the Configuration tab. Help Desk staff or Liquid Machines Product Support staff may request this information for troubleshooting.



The Client Console Configuration tab includes the following information.

• Version: The version of the Liquid Machines Client software.

• Installed Bundles: The application bundles that are currently installed.

• Control Service: The name of the control service specified for the client and connection status information.

• Proxy Server: The name and port to be used when a proxy server is in use.



Managing the Client Connection

A Liquid Machines Document Control client can be configured to automatically acquire configuration information for the secured applications used and software updates from a control service. In that case, users can check the status of their connection to the Liquid Machines Document Control control service and request an update.

On the Client Console, click the Configuration tab.

Under Control Service, the Client Console Configuration tab includes the following information.

• The name of the current control service, if one is specified.

Note: All dates and times are specified in local time.

• Last Update: The date and time the last control service update was received.

• Update Status: A brief description of the status of the last server update:

� Succeeded

� Failed - reason for the failure



• Next Update: The date and time of the next server update.

Update Now button: To update the control service and receive Liquid Machines Document Control client software updates, click this button.

Note: Users can check the connection status of a policy service on the Policy Service tab.

Configuring Proxy Server Information

In some organizations, the Liquid Machines Document Control client must communicate with the Liquid Machines Document Control server through a proxy server. When this is the case, users must configure the Liquid Machines Document Control client so it is aware of the proxy server.

On the Client Console, click the Configuration tab. Then click the Configure button that is located in the Proxy Settings section.

In the Proxy Settings window, select the setting that is appropriate to your organization as follows:

• Use Direct Connection to Policy Services. When this option is selected, the Liquid Machines Document Control client will connect to the server via a direct network connection regardless of whether a proxy is available.

• Auto-detect Proxy Settings. When this option is selected, the client computer’s proxy settings will be checked. If a proxy is available, the method used to access the policy service will mirror that which is specified in the proxy’s settings. For example, the proxy’s settings may state that a direct connection should always be attempted first - if it fails, then try the proxy server.

• Manual Proxy Configuration. When this option is selected, connection to the server will always be via the proxy server. This option requires the user to provide a Host for the proxy server and the port to be used as described below:

o HOST: The fully-qualified DNS name for the proxy server as servername.domainname.com Example: prxysrv1.acmecorp.com

o Port: The port over which communications should occur. Example: 80



Use Proxy only if Direct Connection Fails checkbox: When the Manual Proxy Configuration option is selected, this checkbox may be checked to indicate a direct connection must be attempted before a connection through the specified host. In this case the specified host is only attempted when the direct connection attempt results in a failure.

Client Installation Procedures

Installer Packages Refer to Knowledge Base articleKD-621: Using the Microsoft Windows Installer to Customize the Liquid Machines Client Installation located in the Liquid Machine Customer Care Center at http://www.liquidmachines.com/content621.html . Valid authentication credentials are required to access the Liquid Machines Customer Care Center.

Manual Install Procedure Under normal circumstances the Liquid Machines client should be installed according to your IT department’s standard practices. This “manual” procedure is provided for reference only

Prerequisites In addition to Windows 2000, Windows XP SP2, Windows Vista, or Windows 2003 Server (for terminal services installations), in order to use the client users will need to have applications that can be managed by Liquid Machines Document Control also installed. Applications that are currently supported by Liquid Machines Document Control 7.x include:

• Microsoft Office 2003 Professional • Microsoft Office XP • Microsoft Office 2007 • Adobe Acrobat 6 and 7 • Adobe Reader 7 and 8

Specifying a Control Service As part of the client installation a control service may be specified.

Installing the Client Software 1) Double-click on the lmdc-client-x86.msi (for 32-bit computers) or lmdc-client-x64.msi (for 64-bit

computers) file located in the Client folder to start the client installation wizard. The Preparing to

Install window will display.

2) Follow the installation wizard through the process. The bullets below describe each of the

windows displayed during the installation and the action required:

a) License Agreement: Review the license agreement text.



b) Click the I Accept button to accept the terms of the agreement and proceed

with the installation. If you do not accept the terms of the agreement, click the

Cancel button. The installation process will be terminated.

c) Customer Information: Enter a User Name and your Company Name in the

spaces provided. Click the Next button to continue.

d) Setup Type: Choose the type of installation to be performed. Choose

Standard if no Liquid Machines Document Control control service is to be used.

Choose Custom in order to specify a Liquid Machines Document Control control

service. Click the Next button to continue.

e) If a custom setup is selected, eEnter the Liquid Machines Document Control 7.x

control service as servername.domainname.com. Click the Next button to

continue.

f) If a custom setup is selected, the Custom Setup window will display. Click the

Next button to continue.

g) Ready to Install the Program: Click the Install button to continue. A series

of progress bars will be displayed while the Liquid Machines Document Control

7.x client software is installed.

h) InstallShield Wizard Complete: The appearance of this window indicates that

the installation process is completed. Click the Finish button to continue.

When the software installation process is completed, you will be prompted to restart the computer.

To begin using the Liquid Machines Document Control Client immediately, click the Yes button to

restart your computer. To restart at a later time, click the No button.

Errors and Logging

Liquid Machines Internal Error The only error that will display for a user, and which happens very rarely, is a Liquid Machines Internal Error. The Liquid Machines Client will present a Liquid Machines Internal Error dialog as shown below when such an error occurs.



The dialog will indicate that the current application must be shut down, or that the Liquid Machines Client itself has been shut down in which case a reboot is required. For debugging purposes, the Liquid Machines Internal Error is also known as an “invariant” error.

If a user receives an invariant error, see if the user can reproduce the error by repeating the same actions that were performed when the error occurred. If the behavior can be easily reproduced, report the error along with specific steps to reproduce the behavior to Liquid Machines Product Support.

Liquid Machines Product Support will ask you to explain the steps used to reproduce the error, including what applications and operating system are installed on the computer, and what version of each was in use (including service packs). They may also ask to you enable diagnostic logging and gather logs files according the procedures below.

When this type of error occurs, an entry is always written to the lqmi_invariant_failures.txt file, located in

• C:\Program Data\Liquid Machines\Client\App Logging on Windows Vista machines

• C:\Program Data (x86)\Liquid Machines\Client\App Logging on 64-bit machines

• C:\Documents and Settings\All Users\Application Data\Liquid Machines\Client\App Logging on all other operating systems.

This file is usually small, so it is easy to pick out the error, especially if you know what time it occurred.

Application Errors It is possible that the Liquid Machines Client could cause another application that it manages, for example Microsoft Word or Microsoft Excel, to experience an error. If a user experiences such an error after the Liquid Machines Client is installed, put the Client in standby mode from the Client Console as per instructions in the Putting the Liquid Machines Document Control Client into Standby section of this document on page 50.

Does the error go away? If so, enable the Client again from the Console as per the instructions in the Enabling Liquid Machines Document Control section of this document on page 48, reboot the machine, and see if the error returns again. If it does, contact Liquid Machines Product Support.



Diagnostic Logging

Diagnostic logging is enabled through a series of Windows registry entries. Which registry entries are useful often depends on the nature of the problem that is occurring. To set diagnostic logging:

• In the Windows registry key HKEY_LOCAL_MACHINE\Software\Liquid Machines\Client\Diagnostic Logging, create a subkey named after the executable you want to diagnose. So for example, for the "DCI" service, you would create a key for lmdci.exe. For supported applications such as Word, Excel or Adobe Reader, you would create keys for winword.exe, excel.exe, or acrord32.exe accordingly. We also integrate with the Windows logon process, which is winlogon.exe.

• In the key, create a string value called Severity and set it to ALL. • If specific logging is required, Liquid Machines Product Support may supply you with registry files

that will set the registry key values appropriately. If you use the regedit program to view the Windows registry values that are set, you may see strings containing values that look like:

::lqmi::agency::agents::minet::impl::minet_treq ::lqmi::agency::mstorage

These roughly correspond to object classes and class hierarchies in the Liquid Machines code. We call these “channels” in the context of diagnostic logging. When our developers have narrowed down the place in code where an issue is occurring and needs logging from additional troubleshooting steps, they may ask us to set the “scopes” so that the log contains only the information they need, and is clear of any other noise. There is no way for Helpdesk or Support to predict what will be the appropriate channels for a given issue, so the best process is simply to log ALL for submitting the issue as described above, and let our engineering team guide whether scopes need to be set for any subsequent logs gathered.

Diagnostic logs can be found in

• C:\Program Data\Liquid Machines\Client on Windows Vista machines

• C:\Program Data (x86)\Liquid Machines\Client on 64-bit machines

• C:\Documents and Settings\All Users\Application Data\Liquid Machines\Client on all other operating systems.

• In this folder are a number of log files with names that are of the form “dci_log_yyyymmdd-n.log”. Where yyyymmdd is the date on which the log file was created and –n is the sequence number used to distinguish between multiple log files when more than one file is created for a specific date.

• All files in the App Logging sub-folder are also log files.

• When you send us diagnostic files, send any files that have the name dci_log_*.txt or guard_log*.txt from



• C:\Program Data\Liquid Machines\Client on Windows Vista machines

• C:\Program Data (x86)\Liquid Machines\Client on 64-bit machines

• C:\Documents and Settings\All Users\Application Data\Liquid Machines\Client on all other operating systems.

You should send only those files that logged information during the time period in which the error occurred.

You should also send any files that are larger than 0 bytes in size, in particular lqmi_invariant_failures.txt, from

• C:\Program Data\Liquid Machines\Client\App Logging on Windows Vista machines

• C:\Program Data (x86)\Liquid Machines\Client\App Logging on 64-bit machines

• C:\Documents and Settings\All Users\Application Data\Liquid Machines\Client\App Logging on all other operating systems.

When you set logging for a specific application, the logging is written to the dci_log_*.txt files.

In addition to diagnostic logging, the Liquid Machines Document Control client can be configured to produce “mini-dumps” as a diagnostic tool. This is a stack trace with debug symbols that our Engineering team can load into a debugger to determine what is happening. The information produced by the mini-dump tool is similar to what Microsoft’s Dr. Watson tool collects. To help facilitate the diagnostic process, you can include a mini-dump whenever you send diagnostic files to Liquid Machines Product Support.

To produce mini dump output:

• Create the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Liquid Machines\Client\Diagnostic Logging\ProcessDump and in it make a DWORD called Active and set it to "1".

• The default location of the dump file is C:\, but you can also control this location with the string value "Location" in the same registry key.

• The mini-dump output will be written to a file that is named with an lqmi_ prefix and a .dmp extension.

Contacting Liquid Machines Product Support for Assistance

How to Get Help To receive help from Liquid Machines Product Support, you must have been identified as a support contact for your organization. Pre-named support contacts can contact Liquid Machines Product Support in any of the following ways:



• Via phone 877.885.4784 or 781.693.3600, select option #3

• Via email at [email protected]

• Via the web at http://www.liquidmachines.com/support . Valid authentication credentials are required.

Liquid Machines Product Support is available from Monday through Friday between the hours of 8:00AM and 8:00PM US Eastern Time, excluding Liquid Machines-recognized holidays. For a full list of the holidays that are recognized by Liquid Machines, go to http://www.liquidmachines.com/extranet/holidays.php .

Providing Information to Support Liquid Machines Product Support will require information in order to effectively troubleshoot your issue. Exactly what information will be required depends on the nature of the issue you’re reporting. Some commonly-requested information is listed below.

• About your Liquid Machines software o Product involved

o Version of product involved

• About the computer that is experiencing the problem

o Operating system, including service packs

o Version of supported applications involved, including service packs where applicable

o An .nfo file which details the software and hardware configuration of the computer involved. This file can be created from within any Microsoft Office application by selecting Help > About > System Information from the menu and saving the resulting report.

• About the issue. Note: Not all of the information listed here will be necessary for every issue. This list is intended to give you an idea of what types of information might be useful and requested.

o For some issues it may be useful to obtain a tree view of the installation directory. This is created from the command line via the following command: tree /f /a "c:\program files\liquid machines\client" > installtreeoutput.txt

o For some issues, a permission dump of the DCI state directory may be useful. One utility that can do this is available here: http://setacl.sourcefourge.net. The command syntax would be:

setacl -on "c:\documents and settings\all users\application data\liquid machines\client\dcistate" -ot file -actn list -rec cont_obj -lst "f:tab;w:d,s;i:y;s:y" -bckp stacloutput.txt -silent

o It may be important to know whether the process "lmdci.exe" was in fact running at the time the behavior occurred.

o If you are able to reproduce behavior, the exact series of key strokes, mouse clicks, file names, files themselves (if possible), and any other environmental conditions that seem relevant, are always helpful.



o It is always useful to know what date and time window, and in what time zone, the behavior occurred, for the purposes of seeking out the relevant information in the log files.

o The Windows utility "Process Explorer" can be used to see what DLL's a particular process or application has loaded. Knowing whether DLL's with names of form lqmb*.dll have loaded by the affected process can be helpful.

Date post:	09-May-2020
Category:	Documents
Upload:	others
View:	56 times
Download:	0 times