HP Sure Click Enterprise 4.2.6 - Sure Controller Online Help
For use with general public HP Sure Click Enterprise 4.2.6
Table of Contents

Notices
Introduction
  Sure Click Enterprise Requirements
  Required Software for Installation
  Additional Isolation Requirements
  Supported Software
  Supported Languages
Controller Requirements
  HP Sure Controller Requirements
    Supported Browsers
  SQL Database Requirements
What’s New in 4.2
  Bromium Acquisition by HP
  End of Sale (EOS) / End of Life (EOL) Updates
  Sure Click Enterprise 4.2 Updates
    Upgrade Guide
    Online Help
    Isolation Support for Google Chrome version 88
    Updates to Application Support
    Secure Browser Extension (SBX) for Microsoft Edge Legacy
    Microsoft Windows Operating System Support
    Initial installation
    Performance Improvements
    HP Branding in Sure Click Enterprise 4.2
    Additional Branding updates in 4.2
Feature Updates
    Identity Protection
    All Devices Group
    Policy Settings
    HP Policy Sync
    Automatically Trust Office/Microsoft 365 or Google GSuite Documents
Limitations
  General
  Web Browsing with Internet Explorer
  Web Browsing with Chrome
  Web Browsing with Firefox
  Documents
  Controller
Issues Fixed in 4.2.6
Issues Fixed in 4.2.5
Issues Fixed in 4.2.4
Issues Fixed in 4.2.2
Issues Fixed in 4.2.1
HP Sure Click Enterprise End of Life (EOL) Dates
Deprecated Features and Platforms
Getting Help
Notices

Copyright © 2020, 2021 HP Development Company, L.P.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

The software and accompanying written materials are protected by U.S. and International copyright law. Unauthorized copying of the software, including software that has been modified, merged, or included with other software, or other written material is expressly forbidden. This software is provided under the terms of a license between HP and the recipient, and its use is subject to the terms of that license. Recipient may be held legally responsible for any copyright infringement that is caused or incurred by recipient’s failure to abide by the terms of the license agreement.

US GOVERNMENT RIGHTS: Terms and Conditions Applicable to Federal Governmental End Users. The software and documentation are “commercial items” as that term is defined at FAR 2.101. Please refer to the license agreement between HP and the recipient for additional terms regarding U.S. Government Rights.

The software and services described in this manual may be protected by one or more U.S. and International patents.

DISCLAIMER: HP Inc., makes no representations or warranties with respect to the contents or use of this publication. Further, HP Inc., reserves the right to revise this publication and to make changes in its contents at any time, without obligation to notify any person or entity of such revisions or changes.

Intel® Virtualization Technology, Intel® Xeon® processor 5600 series, Intel® Xeon® processor E7 family, and the Intel® Itanium® processor 9300 series are the property of Intel Corporation or its subsidiaries in the U.S. and/or other countries. Adobe and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. All other trademarks, service marks, and trade names are the property of their respective owners. HP Inc., disclaims any proprietary interest in the marks and names of others.

28th April 2021
Introduction

The Release Notes cover the latest HP Sure Click Enterprise 4.2 product release, and subsequent updates, providing information about new functionality and the requirements for Sure Click Enterprise.
Sure Click Enterprise Requirements

Sure Click Enterprise requires the following hardware and software for this release:

Hardware or Software: Description

CPU:
  Intel Core i3, i5, i7 with Intel Virtualization Technology (Intel VT) and Extended Page Tables (EPT) enabled in the system BIOS.
  Single socket Intel XEON workstation class processors with a maximum of 32 logical processors (LCPU)
  AMD processor with Rapid Virtualization Indexing (RVI). Sure Click Enterprise supports most enterprise class AMD CPUs sold since 2011. Supported models are the Ryzen range of CPUs, and models that are of type A4/A6/A8/A10 (followed by a four-digit number in which the first digit is not 3.) HP recommends quad-core AMD CPUs for optimal performance.
  In VDI / nested virtualization environments, Sure Click Enterprise supports Intel CPUs only.
  Computers with vPro chipsets are highly recommended.

Memory:
  Minimum: 8 GB RAM
  It is recommended that you check the amount of available memory by logging into a device after it has been powered on for a minimum of 30 minutes and before any applications have been launched. As a baseline, HP recommends that a typical device have the following amount of memory available before installing and enabling isolation:
  Windows 10 64-bit with 1800 MB available memory prior to installation

Disk:
  6 GB free disk space

Operating System:
  Microsoft Windows 10 versions are supported as documented in the HP Sure Click Enterprise Windows 10 Support policy:
  https://enterprisesecurity.hp.com/s/article/Product-Support-and-End-of-Life-Policy-EOL
  You must ensure that HP Sure Click Enterprise is upgraded to the latest version prior to updating to a new version of Windows and you have checked the latest version supports the version of the operating system you are upgrading to.
  The HP Sure Click Enterprise EOL policy can also be referenced here:
  https://enterprisesecurity.hp.com/s/article/Bromium-Windows-10-Support-Policy

Note: If you are using msiexec to install Sure Click Enterprise remotely, ensure you include the SERVERURL setting, otherwise installation will fail.
Required Software for Installation

• Microsoft .NET Framework 4.5 (minimum, this is normally built-in to Windows 10)
• Visual Basic for Applications (a shared feature in Microsoft Office installation for secure printing from Office)
• XPS Services must be enabled and the Microsoft XPS Document Writer must be present to use secure printing

Additional Isolation Requirements

HP Sure Click Enterprise installation requires the following:

• Local administrator privileges (if installing on specific machines for evaluation)
• Active Directory administrator privileges (if installing in the enterprise for production use)
• A license provided by your HP Sales or Customer Support representative.
• To run isolation in a virtualized environment using:
  o Minimum supported versions:
    ▪ Citrix Hypervisor 7.6
    ▪ VMWare ESX 6.0
  o While customers can run HP Sure Click Enterprise on the minimum supported versions of the above hypervisors, HP always recommends the latest versions of hypervisors as they generally improve performance and stability.

Supported Software

• Sure Click Secure Browsing Extension for Chrome (Chrome SBX) supports the latest Google-recommended version of Google Chrome
• Sure Click Secure Browsing Extension for Firefox (Firefox SBX) supports the latest Mozilla-recommended version of Firefox (ESR or non-ESR, 64-bit only)
• Sure Click Secure Browsing Extension for Edge (Edge SBX) supports the latest version of the Microsoft Edge Chromium browser only
• Sure Click Chrome Isolation is supported with an N-3 policy such that the current shipping version and the 3 prior versions of Chrome are supported. Chrome support is detailed in the Sure Click Enterprise Support Knowledge Base: https://enterprisesecurity.hp.com/s/article/Product-Support-and-End-of-Life-Policy-EOL
• Sure Click Firefox Isolation supports Mozilla Firefox ESR 60 (32-bit) release. HP is currently working on supporting newer 64-bit ESR releases. Support will be announced in a future version of Sure Click Enterprise. https://www.mozilla.org/en-US/firefox/organizations/
• Microsoft Office 2013 Service Pack 1, MSI x64/x86:
  o Standard, ProPlus
• Microsoft Office 2013 Service Pack 1, Click-to-Run x64/x86:
  o Standard, ProPlus, Home Business, Home Student, Personal, Professional, O365 ProPlus, O365 Business, O365 Small Business Premium, O365 Home Premium
• Microsoft Office 2016, MSI, x64/x86:
  o Standard, ProPlus
• Microsoft Office 2016, Click-to-Run, x64/x86:
  o Standard, ProPlus, Home Business, Home Student, Personal, Professional, O365 ProPlus, O365 Business, O365 Small Business Premium, O365 Home Premium
• Microsoft Office 2019, Click-to-Run, x64/x86 (Office 365 / Microsoft 365):
  o Standard, ProPlus, Home Business, Home Student, Personal, Professional, 365 ProPlus, 365 Business, 365 Small Business Premium, 365 Home Premium

Note: Microsoft Office shared computer activation licensing is supported; however, on some systems, when opening an isolated Word document, users may temporarily see a banner stating Office has not been activated.
• Microsoft Internet Explorer version 11
  o Beginning January 12, 2016, only the most current version of Internet Explorer available for a supported operating system receives technical support and security updates from Microsoft (see https://support.microsoft.com/en-gb/help/17454/lifecycle-faq-internet-explorer)
  o As such, versions of Internet Explorer earlier than 11 are no longer supported on Desktop Operating Systems with HP Sure Click Enterprise 4.2.1 and later. Due to the availability of new Edge and removal of Edge Legacy, Microsoft considers Internet Explorer 11 as feature complete and no longer releases new features or bug fixes, only critical security fixes for this browser. Microsoft has announced it is removing support for Internet Explorer 11 from Microsoft Teams and Microsoft Office 365 in 2021 and it is expected other tools and platforms will follow. HP has adopted the same position in its support of Internet Explorer 11 isolation. In Sure Click Enterprise 4.2.x, Internet Explorer 11 is considered feature complete. While no additional features will be added, critical security fixes will be released if required as part of our standard release process.
  o HP will be deprecating the support for IE11 in Sure Click Enterprise during 2021 based on latest updates and guidance from Microsoft.

Note: If you configure enterprise mode using the EMIE site list, ensure you do the following: If the EMIE site list is configured to be on a network path, that network path should be marked as trusted. If the EMIE site list is hosted on a web URL, the TLD should be trusted.
• Adobe Reader versions:
  o DC Classic 2017
  o DC Continuous: Latest Adobe Supported Release (32-bit and 64-bit)
• Windows Media Player 12 (32-bit and 64-bit)
• Oracle Java 8 (32-bit)
• Oracle VirtualBox
  o While Oracle VirtualBox claims to have nested-VT support, it is implemented in such a way as to be incompatible with HP Sure Click Enterprise and thus running HP Sure Click Enterprise in a guest VM inside VirtualBox is not supported.
  o HP Sure Click Enterprise can run alongside Oracle VirtualBox on the host, but only on Intel CPUs and only if Microsoft Hyper-V is disabled.
• Support for endpoints running Windows Hypervisor Platform (WHP / HyperV) and Virtualization-Based Security (VBS) with the following configuration:
  o Windows Hypervisor Platform - WHP (on Windows 10 1903 and above)
  o Windows 10 64-bit with virtualization-based security (VBS) enabled
  o UEFI Secure Boot enabled
  o The Fast Startup power option in Windows must be disabled
• Intel vPro 4th generation Core (i3/i5/i7) and newer or AMD Ryzen
• Trusted Platform Module (TPM) is recommended
• Support for non-vPro Intel chipsets

Note: Sure Click Enterprise previously required vPro chipsets supporting Intel VMCS Shadowing, a feature that improves performance of hypervisors running nested virtual machines by reducing nesting-induced VM exits. Bromium 4.1.4 introduced support for Intel-based chipsets without this technology. Running Sure Click Enterprise without VMCS Shadowing will result in performance degradations vs. vPro systems, however HP has taken steps to mitigate performance differentials to all extents possible.

Limitations of support for non-vPro chipsets: Hibernation / S4 capabilities are disabled and hidden on the host
• VDI deployments on:
  o VMWare Horizon View 7.x (last validated with version 7.3 with ESX 6.5)
  o Citrix Virtual Desktops 7.x (last validated with version 7.18 with Citrix Hypervisor 7.6)
  o Intel CPUs are fully supported when running the above hypervisors using nested virtualization (nested VT)
  o AMD CPUs running the above hypervisors are considered by HP to be in BETA support. HP has validated the solution works at a functional level using AMD CPUs. HP is continuing to test this configuration and hopes to fully support AMD CPUs and nested virtualization in a future release.
• SINA WorkStation S 3.3 by Secunet Security Networks
  o Solution verified on SINA Workstation S 3.3.9.1
• Windows Defender Credential Guard
• McAfee DLP for Internet Explorer
• Symantec DLP
• Customers are encouraged to review HP Sure Click Enterprise KB system for the latest updates on 3rd party support, whitelisting and exclusions
• Configure Exclusions and Whitelisting for Third-Party Security Software (hp.com)

Important: Ensure you create appropriate exclusions in the configuration of installed endpoint security products so as not to interfere with or prevent the normal operation of HP products. Necessary actions may consist of excluding all HP Sure Click Enterprise processes and binaries from the third-party endpoint security product. To create exclusions, refer to your third-party product documentation. The absence of exclusions may result in failed Sure Click Enterprise initialization and slow or blocked browsing and opening of isolated documents. Refer to the HP Sure Click Enterprise Installation and Deployment Guide for information about creating exclusions.
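The endpoint requirements (CPU virtualization, memory, disk, required software) and the WHP/VBS configuration listed above can be checked on a candidate machine before rollout. The following PowerShell is an added example, not HP tooling and not part of the original release notes; the function name Test-SureClickPrereq and its PASS/FAIL/UNKNOWN output are assumptions, and it should be run elevated because Confirm-SecureBootUEFI needs administrator rights.

```powershell
# Added example, not HP tooling. Thresholds are the ones stated in these release notes;
# Test-SureClickPrereq and the Check/Status/Detail output shape are assumptions.
function Test-SureClickPrereq {
    [CmdletBinding()]
    param([string]$InstallDrive = $env:SystemDrive)   # drive letter with colon, e.g. 'C:'

    $report = [System.Collections.Generic.List[object]]::new()
    $add = { param($Check, $Status, $Detail)
             $report.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail }) }
    $st  = { param($Ok) if ($Ok) { 'PASS' } else { 'FAIL' } }

    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cpu = @(Get-CimInstance -ClassName Win32_Processor)   # one instance per socket

    # CPU: Intel VT + EPT, or AMD with RVI. When a hypervisor is already running
    # (Hyper-V, WHP, VBS) these WMI flags are not reliable, so report UNKNOWN, not FAIL.
    $hvRunning = [bool]$cs.HypervisorPresent
    if ($hvRunning) {
        & $add 'CPU virtualization' 'UNKNOWN' 'Hypervisor already running; confirm VT/EPT or RVI in firmware setup'
    } else {
        $ok = $cpu[0].VirtualizationFirmwareEnabled -and $cpu[0].SecondLevelAddressTranslationExtensions
        & $add 'CPU virtualization' (& $st $ok) $cpu[0].Name
    }

    # Xeon: single socket, at most 32 logical processors.
    if ($cpu[0].Name -match 'Xeon') {
        $lcpu = ($cpu | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
        & $add 'Xeon topology' (& $st (($cpu.Count -eq 1) -and ($lcpu -le 32))) "$($cpu.Count) socket(s), $lcpu LCPU"
    }

    # AMD A4/A6/A8/A10: the four-digit model number must not start with 3.
    if ($cpu[0].Name -match '\bA(?:4|6|8|10)[- ](\d)\d{3}') {
        & $add 'AMD A-series model' (& $st ($Matches[1] -ne '3')) $cpu[0].Name
    }

    # Memory: 8 GB installed, 1800 MB available (measure after 30 minutes of uptime, no apps open).
    $ramGB  = (Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1GB
    $freeMB = [math]::Round($os.FreePhysicalMemory / 1KB)   # FreePhysicalMemory is reported in KB
    $upMin  = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalMinutes)
    & $add 'Installed RAM >= 8 GB' (& $st ($ramGB -ge 8)) ('{0:N1} GB' -f $ramGB)
    & $add 'Available memory >= 1800 MB' (& $st ($freeMB -ge 1800)) "$freeMB MB free, uptime $upMin min"

    # Disk: 6 GB free.
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$InstallDrive'"
    & $add 'Free disk >= 6 GB' (& $st (($disk.FreeSpace / 1GB) -ge 6)) ('{0:N1} GB free on {1}' -f ($disk.FreeSpace / 1GB), $InstallDrive)

    # Required software: .NET Framework 4.5 or later (Release >= 378389), XPS Document Writer.
    $rel = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
    & $add '.NET Framework >= 4.5' (& $st ($rel -ge 378389)) "Release=$rel"
    $xps = Get-Printer -Name 'Microsoft XPS Document Writer' -ErrorAction SilentlyContinue
    & $add 'Microsoft XPS Document Writer' (& $st ($null -ne $xps)) 'Needed for secure printing'

    # OS build is reported for comparison against the Windows 10 support list.
    & $add 'OS build' 'INFO' "$($os.Caption) build $($os.BuildNumber)"

    # WHP / VBS configuration: only relevant when a hypervisor is present on the host.
    if ($hvRunning) {
        $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
        & $add 'VBS state' 'INFO' "VirtualizationBasedSecurityStatus=$($dg.VirtualizationBasedSecurityStatus)"

        try {
            $sb = Confirm-SecureBootUEFI -ErrorAction Stop
            & $add 'UEFI Secure Boot enabled' (& $st $sb) "Confirm-SecureBootUEFI returned $sb"
        } catch {
            & $add 'UEFI Secure Boot enabled' 'UNKNOWN' $_.Exception.Message   # legacy BIOS or not elevated
        }

        $hb = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power' -ErrorAction SilentlyContinue).HiberbootEnabled
        if ($null -eq $hb) { & $add 'Fast Startup disabled' 'UNKNOWN' 'HiberbootEnabled value not present' }
        else               { & $add 'Fast Startup disabled' (& $st ($hb -eq 0)) "HiberbootEnabled=$hb" }
    }

    $report
}

Test-SureClickPrereq | Format-Table -AutoSize
```

A FAIL on available memory shortly after boot or with applications open is not conclusive; repeat the check under the conditions the Memory requirement describes.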
Supported Languages

• HP Sure Click Enterprise endpoint software supports the following languages on the specified version of Windows:
  o English US (en-US), all supported versions of Windows
  o English UK (en-GB), all supported versions of Windows
  o French (fr-FR), all supported versions of Windows
  o French Canadian (fr-CA), all supported versions of Windows
  o German (de-DE), all supported versions of Windows
  o Spanish (es-ES), all supported versions of Windows
  o Swedish (sv-SE), all supported versions of Windows
  o Italian (it-IT), all supported versions of Windows
  o Brazilian Portuguese (pt-BR), all supported versions of Windows
  o Japanese (ja-JP), all supported versions of Windows

Note: HP Sure Click Enterprise supports all Windows locales.
Controller Requirements

The following tables list the hardware and software requirements for the server running the controller and the SQL database on which it relies.

Important: Before installing a new version of the HP Sure Controller, make sure to back up your current database.

HP Sure Controller Requirements

Hardware or Software: Description

CPU:
  Sandy Bridge Intel Xeon Quad-core or better

Disk:
  1 TB free disk space

Network:
  Port 443 on the web server must be available for the endpoints to communicate to the controller.

Internet:
  Controller is recommended to have https (port 443) access to the HP Cloud Service in order to receive HP Rules File updates, as well as Threat Intelligence Reports, Malware names and recent attack information. For more information see https://support.bromium.com/s/article/Bromium-Threat-Intelligence-Cloud-Service

Operating System:
  Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019

Memory:
  16 GB RAM

Software:
  Microsoft IIS 7.5+ with CGI module, IIS Manager, static content, and anonymous authentication installed
  .NET 4 Extended (server)

SSL:
  Valid SSL certificate trusted by endpoints (For testing only, the server may be configured insecurely to run in HTTP mode)
Supported Browsers

The Controller Web Interface is supported on the latest versions of Internet Explorer, Edge Chromium, Chrome, and Firefox ESR.

SQL Database Requirements

Hardware or Software: Description

Performance:
  200 IOPS sustained per 1000 endpoints

Software:
  SQL Server 2012 SP4+
  SQL Server 2014 SP3+
  SQL Server 2016 SP2+
  SQL Server 2017+
  SQL Server 2019+
  Standard and Enterprise editions are supported
  Server Management Studio (SSMS) as the management suite for the controller database
  SQL Express should be used in a limited test or evaluation environment only

Storage Space:
  1 TB available space
What’s New in 4.2

Bromium Acquisition by HP

• After the acquisition of Bromium by HP in Q4 2019, the Bromium Secure Platform has ceased to exist after the 4.1 Update 8 release cycle completed on 31st March 2021. Bromium Secure Platform has been replaced by HP Sure Click Enterprise, starting with the 4.2 release.
• If you are still using Bromium Secure Platform after March 21st 2021, please contact your HP account team, HP Support, or consult the Sure Click Enterprise 4.2 Upgrade guide for the latest information on upgrading to the HP Sure Click Enterprise platform.

End of Sale (EOS) / End of Life (EOL) Updates

• Per HP Sure Click Enterprise EOL policy (https://support.bromium.com/s/article/Product-Support-and-End-of-Life-Policy-EOL), EOL is the process of discontinuing sales, support and maintenance for a specific version of the Product. EOS means that product can be used, but customers are expected to try to replicate any reported issue on the latest version of the software. Any fixes released will be applicable to the latest version only and code fixes will not be applied to any version that is already EOS or EOL. Code fixes and patches will only be released for the latest GA versions.
• Updates to the End of Life Policy triggered by the 4.2.6 release are shown below:
• HP Sure Click Enterprise
  o HP Sure Click Enterprise 4.2.x replaces Bromium Secure Platform
• Bromium Secure Platform 4.1 Update 8
  o EOL: 31 Mar 2021
Sure Click Enterprise 4.2 Updates

Upgrade Guide

• With Sure Click Enterprise 4.2, a separate upgrade guide is available for all customers and partners. This document details considerations in upgrading from Bromium Secure Platform to HP Sure Click Enterprise. This is available on the Product Documentation site.
• While the architectural changes are minimal, changes to some advanced configuration options may affect your existing deployment and configuration if used with Sure Click Enterprise 4.2 without change.
• This guide lists everything you need to know regarding the upgrade, and is available in the Product Documentation section of our customer portal. If you require additional support in planning your upgrade, please contact your technical representative or HP Sure Click Enterprise Support for additional information and assistance.

Online Help

• The Online Help system has been updated and edited for the latest Sure Click Enterprise and Sure Controller information for 4.2. You can find more about this help system here:
  o https://documentation.bromium.com/4_2

Isolation Support for Google Chrome version 88

• HP Sure Click Enterprise 4.2.6 supports Google Chrome version 88 when using the HP Secure Browser.

Updates to Application Support

• Adobe Flash (all versions) is no longer supported as it is now EOL
  o See: Adobe Flash Player End of Life

Secure Browser Extension (SBX) for Microsoft Edge Legacy

• Microsoft have stopped all development on their own Edge Legacy architecture and have based the new Edge (released in early 2020) on the Google Chromium framework. This new Edge was introduced in the first quarter of 2020. https://blogs.windows.com/windowsexperience/2018/12/06/microsoft-edge-making-the-web-better-through-more-open-source-collaboration

What this means for customers:

• Edge Legacy is no longer supported by the Secure Browsing Extension and was removed in 4.2.2

You can read more about Edge support on the knowledgebase here: https://enterprisesecurity.hp.com/s/article/Bromium-Secure-Browser-Extension-SBX-for-Microsoft-Edge
Microsoft Windows Operating System Support

• HP regularly updates which operating system versions are supported based on the latest information from Microsoft: https://docs.microsoft.com/en-gb/windows/release-information/
• The overall HP Sure Click Enterprise Windows 10 support policy: https://enterprisesecurity.hp.com/s/article/Bromium-Windows-10-Support-Policy

Updates in this 4.2 Release:

Supported:
  o Windows 10 (Threshold 1) Version 1507 (OS Build 10240) (LTSC ONLY)
  o Windows 10 (Redstone 1) Version 1607 (OS Build 14393) (LTSC ONLY)
  o Windows 10 (Redstone 4) Version 1803 (OS Build 17134)
  o Windows 10 (Redstone 5) Version 1809 (OS Build 17763)
  o Windows 10 (19H2) Version 1909 (OS Build 18363)
  o Windows 10 (20H1) Version 2004 (OS Build 19041)
  o Windows 10 (20H2) Version 2009 (OS Build 19042)

No longer supported:
  o Windows 7 (x86 & x64)
  o Windows 8.1 (x86 & x64)
  o Windows 10 (Threshold 2) Version 1511 (OS build 10586)
  o Windows 10 (Redstone 2) Version 1703 (OS build 15063)
  o Windows 10 (Redstone 3) Version 1709 (OS build 16299)
  o Windows 10 (19H1) Version 1903 (OS Build 17134)
Initial installation

• By default, the initial installation of the endpoint software will result in the software being disabled and unconfigured. As a result, the endpoint must connect to an HP Sure Controller to receive its configuration and license, which may happen during installation (at the prompt or using msiexec parameters) or post-installation using the “brmanage” command: “brmanage management-server ”.
• Until the endpoint receives a license, the software will remain in a disabled state. Once the endpoint has been correctly configured to communicate with an HP Sure Controller, it will receive a license and initial configuration via policy. At this point, the endpoint software will initialize and will then be available for use (unless marked explicitly as disabled).
• This allows the administration team to roll out the endpoint software onto all endpoints in a benign state. The administrator is then able to move devices into Device Groups to receive their license and configuration. This allows an admin to see the entire endpoint estate with enabled/disabled devices in one simple view. It also allows customers to complete a single rollout with phased enablement of the software, as all disabled devices will appear in the Controller.

Performance Improvements

• HP Sure Click Enterprise 4.2 includes some significant additional performance and efficiency improvements over previous releases to reduce the impact on the base system as well as providing an improved user experience.
  o Performance improvements to the initialisation process to allow the initialised VM to “settle” better, thus improving post initialisation launch times.
  o Improved logic to decide when a template has reached peak settling in order to improve post template performance.
  o Better memory management and use of memory on endpoints which have more RAM available.
  o uVMs will load more quickly on all platforms but particularly on machines running WHP.
  o Secure Browsing performance has generally been improved.
  o Initialisation may take significantly longer on some machines. This is the result of additional steps being taken during initialisation to improve the performance of uVMs.
  o Improved user responsiveness when switching between multiple untrusted applications
  o Reduced user disruption when loading all types of untrusted applications into uVM
  o Faster loading of all types of untrusted applications when introspection is enabled on some machines
  o Reduced impact on host processes when accessing 1000s of directories.
  o Ensure audio from a uVM is automatically resumed after being paused due to low memory conditions.
HP Branding in Sure Click Enterprise 4.2

• Since acquisition by HP Inc., the Bromium Secure Platform has been rebranded to HP Sure Click Enterprise. As part of the HP Sure family of security features, this also means the Controller has now been renamed to HP Sure Controller. Both the HP Sure Controller and the endpoint software have been rebranded. This affects Sure Controller, and all endpoint software user interfaces such as the Desktop Console. Specifically, the orange icon used to differentiate untrusted documents from trusted ones is now a blue HP logo.

Additional Branding updates in 4.2

• With the release of 4.2.2, customers will see some user focused changes in the branding of Sure Click Enterprise. Sure Click Enterprise falls under a new HP Wolf Security branding, which has been updated in this release.
• Places you will see branding updates:
  o Desktop Console title bar
  o Desktop Console Support Page
  o Windows Start Menu
  o System tray icon
• All other areas of the product (menu items, right-click context menus and the controller UI) remain unchanged in this release.
Feature Updates Identity Protection HP Sure Click 4.2 includes a new anti-phishing feature which allows customers to provide better protection from phishing attacks when using Sure Click Enterprise. This feature is enabled using the policy configuration UI in the Sure Controller in the new “Identity Protection” tab. Once enabled, the product will install a new browsing extension into the supported browsers: • HP Secure Browser • Microsoft Edge Chromium • Google Chrome • *Firefox is NOT supported in the initial release, but will be in an upcoming version. The anti-phishing feature uses live information from the HP Cloud to make instant decisions on the reputation of sites while a user is browsing. If a user attempts to login to a known phishing site, they will be blocked and an alert sent to the Sure Controller. If the site has a good reputation, the user is not impacted and is allowed to login with no alerts being issued. If a user tries to login to a unknown site then the administration team can decide what happens and whether the user is allowed to login etc. For more information on the feature, user experience and how to triage the identity protection alerts, please review the feature information in the new Sure Click Enterprise Online Help system: Identity Protection Overview. As with isolation threats, when you have opted in to forwarding the alerts to the HP Cloud, HP will automatically triage these alerts based on the latest available information using a variety of 3rd party services and proprietary information. As the internet is continually changing on a minute by minute basis, we highly recommend using this service to keep the sites triaged appropriately. While customers can triage the lists of allowed and blocked sites manually using this feature, they can quickly get out of date and not represent the current state of the internet and reputation of some pages. 
To provide the best user experience, we recommend opting into the threat forwarding and automatic triaging service provided as part of the Sure Click Enterprise product line. Please contact your technical account team if you wish to learn more about this feature and its use of the HP Cloud Service.

Even if you decide not to use the HP Cloud Service for the automatic triage of the identity protection alerts, the Identity Protection extension will connect to the cloud service to obtain the reputation information for a website, in order to make an up-to-date decision that helps protect the user from phishing sites. If you do not want the extension to query the HP Cloud Service, we do not recommend enabling this feature.
All Devices Group

In Sure Click Enterprise 4.2, the “ungrouped” device group mechanism is deprecated. In previous versions, the ungrouped device group would automatically contain devices not pulled into other groups either manually or by the automatic device grouping rules, thus allowing you to apply isolation and policy configuration to endpoints even if they were not specifically grouped.

4.2 introduces a new “All Devices Group” which contains ALL devices, irrespective of other group memberships. This group will automatically contain ALL devices and is perfect for applying a base configuration policy to capture new devices. This allows additional device groups to use delta policies when specific changes in policy are required, and allows for a simpler configuration.

You will be given an option to remove the “ungrouped” group from the UI when it no longer has any policies applied to it. Devices in the ungrouped group will already be in the new “All Devices Group”. No policies will be automatically applied to the All Devices Group on upgrade.

Policy Settings

The policy UI now contains badges showing how many settings are active for a given policy tab, making it easier to drill into specific tabs to identify and change settings as required.
HP Policy Sync

If you have enabled HP Cloud Services in your controller settings in order to benefit from automatic threat triaging and BRF updates to the introspection engine, then you will now also benefit from automatic policy sync.

The Sure Controller comes with some built-in policies to help customers get configured easily and quickly with features and security recommendations. These used to be updated every product release to make sure they kept pace with the ever-changing security landscape. With Sure Controller 4.2, we have introduced a way to keep these built-in policies up to date without requiring a customer to upgrade the controller. These policies will automatically be kept up to date with the HP Cloud Service, thus providing the latest security recommendations and configurations direct to a customer’s Sure Controller. The status of the cloud sync can be seen on the policy page.

Automatically Trust Office/Microsoft 365 or Google GSuite Documents

In addition to the new policy sync feature described above, HP have provided two additional built-in policies with Sure Controller 4.2:

• Trust Microsoft Office 365
• Trust Google G Suite

These policies, when selected, will allow customers to automatically trust downloads and documents from Office or GSuite deployments, thus removing some user friction. Both Microsoft and Google regularly change, add to, or update the URLs used in these products, so keeping up to date can be challenging. These policies will be kept up to date for you using the cloud sync feature. When either company changes the URLs for their products, your policy will automatically be kept in sync with the latest edits.

These policies should be applied with care; please contact your support or professional services contact if you wish to use them.
Limitations

General

• Sharing an Excel 2019 file using ‘Send as PDF’ sends the email with a text file attachment instead of a PDF
• Applications opened in isolation (that is, in a micro-VM) are not available to assistive technology such as JAWS and ZoomText Magnifier/Reader
• Do not install Sure Click Enterprise software from a removable drive, such as a USB drive. Removable drives are not trusted by default and, when the initialization stage occurs, the installer will fail because it can no longer read the data on the removable drive
• On some systems, the isolation Desktop Console and Live View user interfaces can take over 30 seconds to open. If you experience slow display times on a system running Windows Presentation Foundation, open the Services management window and disable Windows Presentation Foundation Font Cache 3.0.0.0. You can also purge the font cache as described in http://support.microsoft.com/kb/937135
• If you are using RDP to access a physical system, you may not be able to interact with the Sure Click Enterprise Desktop Console, Download Manager or Live View because they are "transparent." To resolve this issue, install .NET 4.0 on the endpoint
• Some online meeting websites such as WebEx, Adobe Connect Pro and Live Meeting may not work when opened in isolation. This is because these websites attempt to run executable content on the desktop that is blocked by isolation. To allow these websites to work, mark them as trusted
• Saving to and opening from the cloud is not supported for Office 2013 / 2016 / O365
• If isolation is not already initialized on the system, users that have roaming profiles will see initialization occur the first time they log in to the system
• To install Symantec Endpoint Protection after Sure Click Enterprise, restart the machine first
• The temporary trust operation will not trust sites that use “guce-advertising.com” redirect capabilities. The redirects used by this advertising network break lots of web and software workflows. HP is working to resolve this, but it is a workflow introduced by Verizon Media on most of their web properties. https://www.verizonmedia.com/policies/ie/en/verizonmedia/privacy/topics/adserving/index.html
• Older versions of Microsoft Office/365 which support Japanese might sometimes show an Office licensing error. This has been seen with older versions (e.g. 16.0.12527.20880) but has not been seen on newer versions (e.g. 16.0.13127.21336). The first recommendation is to make sure Office/365 is completely up to date. If the warning remains, customers are requested to raise a ticket with HP Support, who are aware of the issue and can offer a workaround for some situations
Web Browsing with Internet Explorer

• On Windows 10, Internet Explorer is not automatically set to the default browser, even when Browser.CheckDefaultBrowser is set to 1. To avoid this issue, configure your file associations using group policy. Refer to https://technet.microsoft.com/en-us/library/mt269907.aspx and https://technet.microsoft.com/en-us/library/hh825038.aspx?f=255&MSPPError=-2147217396 for more information about configuring group policy for default browsers
• Isolated websites are not permitted to run ActiveX controls. If a website does not work due to an ActiveX error and the site is known to be trustworthy, it can be added to the trusted websites list so that it will be run on the local system without isolation
• Site pinning is not supported
• Some Internet Explorer settings cannot be modified. If a setting is unavailable, a message is displayed to the user
• Isolated websites that use a custom file download or upload manager may not work. If the download/upload manager on a website fails and the site is known to be trustworthy, it can be added to the trusted websites list so that it will be run on the local system without isolation. Refer to the HP Sure Click Enterprise Installation and Deployment Guide for details
• Isolation does not support TabProcGrowth settings in Internet Explorer
• Browsing with isolation does not work if Internet Explorer security settings are set to High or if file downloads are disabled
• Browser.IEAltDownloadAddresses was deprecated in version 4.1.7. Setting it to a list of domains is unsupported; remove the setting so the product can use its defaults
• SBX doesn't see navigations to sites which are configured to open in IE mode in Edge Chromium, so it won't block any navigations to these sites and may not block navigations from these sites. The right-click "Open in Secure Browser" option also doesn't work. This is a limitation of extension support in Edge for IE mode tabs and not an SCE limitation
Web Browsing with Chrome

• Skype extension is not supported

Web Browsing with Firefox

• If Firefox is already installed on endpoints and has not been launched prior to installing Sure Click Enterprise, you must do the following to ensure browser sessions are isolated in a micro-VM:
  o Launch Firefox to create a new profile for the user. If you have multiple users or if you create new users, you must launch Firefox for each new or additional user
  o Close Firefox and restart Sure Click Enterprise
  o You can now launch Firefox in an isolated micro-VM
• These steps also need to be performed if you create more than one Firefox profile per user
Documents

• Isolation prevents users from opening any isolated files that cannot be opened by one of the supported applications. If a downloaded file is not currently supported but is known to be trustworthy, right-click the file and select the “Remove Protection” file menu option
  Note: This operation may require administrative access.
• Sure Click Enterprise isolates documents from accessing corporate resources or files stored on the desktop or intranet. As a result, if a document open in isolation attempts to connect to a database on the intranet or a linked file on the desktop, it will fail and produce an error. To enable this functionality, you must remove Sure Click Enterprise protection from the document
• ASX video files and Windows Update Standalone Installer (MSU) files cannot be opened in micro-VMs
• Isolation does not support multiple, simultaneous Microsoft Office installations of the same version
• Users may receive an error when opening an isolated file with paths containing more than 214 characters

Controller

• The controller continues to display the last known device health status even when the device has not recently reconnected.
Issues Fixed in 4.2.6

| Issue ID | Description |
|---|---|
| 60801 / 61137 | Fixed an issue where creating a standby-VM could be delayed by copying files required to allow PDF signing. |
| 61228 | Performance improvement to reduce the time taken when waiting for a newly created VM template to settle down. |
| 65053 / 65322 / 61658 | Resolved an internal issue which could stop a user from removing protection on a specific file when it responded with an incorrect ID. |
| 64695 / 65246 | Resolved an issue which could cause an XCOPY operation to fail in certain circumstances. |
| 65028 | Fixed a bug where a report that Sure Click had not been added to the Windows Defender exclusion list could be sent in error. |
| 65033 / 63743 | Various fixes and improvements to Microsoft Office/365 initialisation and licensing warnings. |
| 65654 | Resolved an incompatibility with a Microsoft KB released out of band from normal release cycles. |
Issues Fixed in 4.2.5

| Issue ID | Description |
|---|---|
| 63052 | Resolved an issue which could lead to the Chromium default search engine changing to Bing from Google. |
| 61924 | Fixed an initialisation issue seen on some specific models of workstation. |
| 61915 | Fixed an issue which could lead to some Office applications appearing to be unlicensed and not initialised into the template. |
| 64954 | Resolved an initialisation issue where a recent Microsoft update to the Redstone 1 (14393) LTSC release wouldn’t initialise. |
| 65189 | Resolved a problem where builds were unable to be pushed out from the Controller using the “Remote Install” command due to an expired certificate. |
Issues Fixed in 4.2.4

| Issue ID | Description |
|---|---|
| 37326 | Improvements to the responsiveness inside a uVM by increasing available memory to the uVM by default. |
| 42202 | Fixed an issue where printing an untrusted document might come out at the incorrect size. |
| 45033 | Secure Browsing Extension (SBX) now supports IP ranges when “trust intranet” is selected. |
| 46543 | HP SCE WMI provider sometimes didn’t register properly on a silent install. |
| 58513 | Fixed an issue where email attachments could become untrusted depending on workflow. |
| 61868 | Significant performance improvements for isolated applications using uVM. This does increase initialisation time on some platforms. |
| 62083 | Added “Remove Protection” when sharing an untrusted document in the Office sharing feature. |
| 62673 | Resolved an issue where a GPO could conflict with SBX when the “ExtensionInstallForceList” regkey was used. |
| 66317 | Resolved an issue where IE was put into the template but didn’t have connectivity to an external proxy. |
| 66318 | Fixed an issue where the Java registry was unable to be exported after an upgrade. |
| 63426 | Resolved a situation where some email attachments saved to network shares were not always trusted. |
| 64252 | Resolved an issue with initialisation and IE11 where Flash had been included but was EOL. |
Issues Fixed in 4.2.2

| Issue ID | Description |
|---|---|
| 9376 | Supported Office applications can fail to resize if cursor is not outside window |
| 17820 | Added ability to delete unused AD connections on the controller |
| 42285 | Resolved issue with DVD burning from restricted paths |
| 54262 | Default controller view updated to 100 lines |
| 59274 | Removed excessive event logs due to Windows Defender and untrusted documents in recycling bin |
| 60766 | Resolved application launch issues with thousands of items in the recycling bin |
| 61176 | Resolved issue where untrusted doc was unable to be closed in certain situations |
| 61217 | Resolved problem where controller health stats were not being updated |
| 61241 | Fixed issue where document comparisons on DFS shares wouldn’t work |
| 61416 | Resolved an issue when a customer sets ExtensionInstallForcelist registry key |
| 61619 | Fixed a PDF opening issue with certain user privileges on a DFS share |
| 61925 | Resolved an issue where Office exports can fail due to Registry API |
| 62817 | Removed old Bromium branding on controller management actions when only Sure Click Enterprise is used. |
| 62966 | Resolved an issue while opening a PPTX file in specific resource constrained environments |
Issues Fixed in 4.2.1

| Issue ID | Description |
|---|---|
| 36926 | SCE didn’t allow presenter view in .PPTX files |
| 53104 | Sure controller would show 403 errors when deleting large numbers of events |
| 55752 | SCE could break office automation in some testing tools |
| 56844 | SCE could crash when a specific document contains mixed languages |
| 56992 | Right click context menu could show incorrect information |
| 57210 | Untrusted PDF files could be handed over to host Adobe application |
| 57317 | Modification of conditional formatting rule in untrusted documents |
| 57423 | Default spell check language could change in PowerPoint |
| 57514 | Untrusting an office document could take longer than required |
| 57851 | SCE could crash when printing with comments enabled on an untrusted document |
| 58187 | High severity events could arrive with no indicators in specific situations |
| 58302 | SCE timeout when additional forensics were enabled |
| 58810 | Specific office update could lead to office updates crashing |
| 58882 | User initialization blocked and failed on a specific configuration / machine |
| 58937 | Corrupted VDI guest WMI settings could cause initialization failures |
| 59015 | Webex downloads were untrusted in Chrome |
| 59212 | File not escaped due to policy precedence |
| 59275 | Webpage slow to start up in some circumstances on customer network |
| 59787 | SBX could affect SSO with URL writing |
| 60283 | BRF sync could be disabled for on-prem Sure Controller customers |
| 60403 | Browser links could be modified by SBX |

Release notes are available from https://enterprisesecurity.hp.com/s/documentation/
HP Sure Click Enterprise End of Life (EOL) Dates

Versions are classified as follows:

• Major Version [DOT] Minor Version [DOT] Update version. (e.g. 4.2.6)

Product Support Policy

• The latest update of the current Major Version of the Product is Supported.

| Product Name | Release Date | EOS Date | EOL Date | Status |
|---|---|---|---|---|
| HP Sure Click Enterprise 4.2.6 | 28 Apr 2021 | | | GA / Current |
| HP Sure Click Enterprise 4.2.5 | 04 Mar 2021 | 28 Apr 2021 | 04 Oct 2021 | EOS |
| HP Sure Click Enterprise 4.2.4 | 21 Jan 2021 | 04 Mar 2021 | 04 Sep 2021 | EOS |
| HP Sure Click Enterprise 4.2.3 | 20 Dec 2021 | 21 Jan 2021 | 21 Jul 2021 | EOS |
| HP Sure Click Enterprise 4.2.2 | 12 Nov 2020 | 21 Jan 2021 | 21 Jul 2021 | EOS |
| HP Sure Click Enterprise 4.2.1 | 28 Aug 2020 | 05 Nov 2020 | 05 May 2021 | EOS |
| Bromium Secure Platform v4.1 Update 8 Patch 5 | 02 Jun 2020 | 08 Nov 2020 | 31 Mar 2021 | EOS |
| Bromium Secure Platform v4.1 Update 7 and earlier | | | | Bromium Secure Platform 4.1 Update 7 and earlier versions are all End of Life |
| All vSentry releases 4.0 and earlier | | | | Bromium vSentry 4.0 and earlier versions are all End of Life |

Full Product Support and End of Life Policy (EOL): https://enterprisesecurity.hp.com/s/article/Product-Support-and-End-of-Life-Policy-EOL
Deprecated Features and Platforms

• We are deprecating older platforms and features from the latest versions of the Bromium Secure Platform and HP Sure Click Enterprise. Customers should read the KB article that explains the platforms and features being deprecated and the timeframes/versions in scope.
• Specific examples of removed platforms are Microsoft Windows 7 and all x86 platforms.
• The latest information regarding deprecated features and platforms:
  • https://enterprisesecurity.hp.com/s/article/Deprecated-Features
Getting Help

• If you have questions that are not covered in the documentation, please contact HP Support:
  • Visit https://support.bromium.com. If you need an account, please contact your Account Executive or Customer Support.
  • Email questions to support@bromium.com
  • Call HP / Bromium Customer Support at 1-800-518-0845
  • Call your technical account representative directly