3.3.1 Step 9. Update (modify) the security settings.

The administrator can modify the existing companion.msi to add security restrictions, and then “push” those restrictions to lock down the user’s workstation.

NOTE: You will use the Installation Customization Tool for all of Step 9.

A. Open the Installation Customization Tool, as before.

  1. Log off Windows as the user; log on as the administrator.

  2. Open the Installation Customization Tool, as before:

    In the Windows Run line, enter C:\Reflection\setup.exe /admin

  3. In the Select Customization dialog, select Open an existing Setup customization file or Companion installer. Click OK.

  4. Select the companion .msi file that you previously customized.

B. Restrict the user from modifying the PAN Redaction Rules.

  1. From the left nav, click Modify user settings.

  2. From the list of Application – Settings, select Workspace Settings, and click Define.

  3. In Reflection Workspace Settings under Trust Center, select Set Up Information Privacy.

  4. Scroll to Primary Account Number (PAN) Redaction Rules, and check the first three boxes.

    Click OK.

  5. From the list of Application – Settings, select Reflection Desktop – application.access, and then click Define.

    The Reflection Desktop Permissions Manager opens in a separate window. (There may be a pause.)

  6. In the Groups drop-down menu, select PCIDSS.

  7. Select these five items one at a time, and change the setting to Restricted for each. The “Restricted” setting requires an administrator logon to change the setting.

    • RecognitionStyle
    • RedactionRules
    • RedactStyle
    • RegularExpressions
    • StoreTypedPANs

  8. Click Next; then click Finish. Continue in the Installation Customization Tool.

C. Restrict the user from modifying Centralized Management capabilities.

If Centralized Management is not enabled, the user’s workstation will no longer be managed by Management and Security Server, which defeats the administrator’s goal.

  1. Select Reflection Desktop – application.access again, and click Define.

  2. In the Permissions Manager Groups drop-down menu, click Application Options.

  3. Select CentralizedManagementEnabled and change the setting to Restricted.

  4. Select CentralizedManagementServerUrl, and change the setting to Restricted.

  5. Click Next; then click Finish. Continue in the Installation Customization Tool.

D. Restrict the user’s ability to change the TLS settings.

  1. Select Reflection Desktop – rd3x.access, and click Define.

  2. In the Groups drop-down menu, select Document\Connection\TN3270Advanced.

  3. On the right, click Restrict All. Click Next; then click Finish.

E. Save the companion file.

  1. Click File > Save. Click Yes to increase the version number.

    The new version number for the same file name will be recognized as a revision, and the resulting package will upgrade the previously deployed file.

  2. Save the companion file using the same name. Click Yes to replace it and increase the version number.

  3. Exit the Installation Customization Tool.