Deploy Axiad AirLock to Your Windows Machines

Deployment Considerations

Before proceeding with an Axiad AirLock deployment, you should consider the objectives, both short and long term. The following questions should be answered as they directly translate into configurable parameters and should be considered for any AirLock deployment:

• What subset of users will be in the scope of AirLock enforcement? Both initially and in the end-state?

• What subset of users should always be exempt from AirLock enforcement?

• Is there a desire to enforce AirLock when a user’s device is offline?

• Is there a desire to enforce certificate renewal when a user logs in with a certificate?

  • If so, when should we remind the user, and when should a renewal be mandatory?

Deployment Methods

Enterprise Deployment through Group Policy Object (GPO)

1. Import the ADMX files for AirLock so that you can manage configuration settings through GPO

   1. Within the AirLock install package, there is a GPO folder containing the following ADMX files:

      • Axiad - Airlock.admx

      • Axiad.admx

   2. Extract the files to your domain controller’s central store

2. After the extraction, create a new GPO

3. Verify that the AirLock section is present in the new GPO

   • If it is not, then it is likely that the ADMX files were not imported or replicated to all domain controllers yet

Note

GPO settings write corresponding registry keys to HKLM\Software\Policies\Axiad\AirLock

4. Before you can configure AirLock settings, first you must deploy the AirLock binary:

   1. Copy the AirLock MSI installer to a network share, similar to other automated installation methods in your organization

   2. Navigate to the Computer Configuration > Policies > Software Settings > Software Installation section of the GPO

   3. Select New > Package and reference the location of the MSI package from step 4a

      • Deployment can be left in assigned mode without any extra settings as the default is a silent install

5. Within the same GPO, navigate to Computer Configuration > Policies > Administrative Templates > Axiad Airlock

6. Configure the GPO options according to your AirLock strategy

Tip

Visit the AirLock Configuration article to view some example scenarios and their configurations

7. When your configuration is complete, we recommend scoping your GPO to a test group to ensure its accuracy

8. Target AirLock and the associated policies to the workstations that fall into the scope of your deployment

Enterprise Deployment through Intune

1. Locate the .intunewin file within the AirLock installation package

2. Navigate to the Intune portal under Apps > Windows, and add a Windows app (Win32)

3. Click Next and upload the .intunewin file, then click OK

4. Configure the installation options, particularly the device restart behavior, as desired

5. Modify the next sections as per your organizations software rollout policies

Note

As a best practice, AirLock should only be installed on devices where it is intended to be used. Keep this in mind when assigning the application to devices in the Assignments section.

Tip

Visit the AirLock Configuration article to view the registry keys as well as some example scenarios and their configurations

Sample-Airlock.reg from the AirLock installation package includes a tempalte for all configurable parameters and is recommended for non-GPO deployments

Enterprise Deployment through Scripted Installation

If GPO is not possible or not desired, then you can deploy the MSI package via any common scripting language.

The following script can be used to deploy the MSI package on startup in a batch file:

msiexec /i <path to Airlock MSI.msi> /qn

Tip

Visit the AirLock Configuration article to view the registry keys as well as some example scenarios and their configurations

Sample-Airlock.reg from the AirLock installation package includes a tempalte for all configurable parameters and is recommended for non-GPO deployments