Protecting firmware configuration

Image definition files (IDF) are provided on the web server in an eLux container. They must be specified in the device configuration under Firmware so that the devices can access the intended image when an update is requested. Depending on the object rights defined for the Firmware configuration, administrators can either enter individual IDF names as free text or must select one of the predefined IDFs from the list-field. The same applies to the software container (Path field) in the Firmware configuration.

To protect such critical firmware configuration parameters, the IDFs and the container paths to be selected or configured for a firmware update can be defined in advance. In combination with the relevant object rights, operational administrators can then only choose between predefined values.

For Scout 15 2107 and later versions, the firmware of UEFI systems can be updated via the same mechanism as the software (firmware update). The same dialog therefore contains a UEFI file field that behaves accordingly.

Setting object rights for firmware configuration fields

The object rights for the Image file, Path, and UEFI file fields are each divided into predefined and user-defined. If you grant an administrator both rights, the administrator can add new entries as free text as an alternative to selecting a predefined entry from the list-field.

Requires

Administrator policies are enabled.

  1. For the relevant OU, from the context menu, choose Object rights...

  2. Select the relevant administrator or administrator group and click Edit object rights...

  3. For Device configuration > Firmware, change the object rights as required by double-clicking or pressing the Space bar:

    Image file (predefined): The administrator can only select one of the IDFs provided in the Image file list-field on the Firmware tab.

    The list-field contains predefined IDFs (see below). If predefined IDFs are missing, the list-field shows the recently used IDFs.

    Image file (user-defined): The administrator is allowed to enter any IDF name into the text field.

    Path (predefined): The administrator can only select one of the paths provided in the Path list-field.

    The list-field contains predefined paths (see below). If predefined paths are missing, the list-field shows the recently used paths.

    Path (user-defined): The administrator is allowed to enter any path into the text field.

    The path must correspond to a software container on the web server.

    UEFI file (predefined): The administrator can only select one of the files provided in the UEFI file list-field.

    The list-field contains predefined UEFI files (see below). If predefined files are missing, the list-field shows the recently used UEFI files.

    UEFI file (user-defined): The administrator is allowed to enter any UEFI file name into the text field.
  4. Confirm with OK.

For further information, see Administrator policy.

Predefining Firmware configuration values

  1. On the menu, click Options > Advanced options > Predefined IDFs.

  2. To add IDF names, click the Add button and edit the new entry. Note that the spelling must match the actual names.

  3. For all entries you want to share in the firmware configuration, select the Valid option.

  4. Confirm with Apply and OK.

All valid IDFs, container paths and UEFI files are provided in the device configuration under Firmware and can be used by authorized administrators.

Scout does not check the physical existence of files or container paths on the web server.

For further information, see Predefined IDFs and containers.
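
Because Scout does not check whether predefined entries exist on the web server, a misspelled entry can be marked Valid without any warning in the console. The following added example (not part of the Scout documentation or product) checks predefined container paths and IDF names against a local copy of the web server's document root. The directory layout (IDFs stored directly in the container directory), the function names and all sample values are assumptions.

```python
import tempfile
from pathlib import Path

def _lookup(parent, name):
    """Find name in directory parent; return (actual_path, status)."""
    if parent is None or not parent.is_dir():
        return None, "missing"
    children = list(parent.iterdir())
    for child in children:
        if child.name == name:
            return child, "ok"
    for child in children:  # second pass: same name apart from letter case
        if child.name.lower() == name.lower():
            return child, "case mismatch"
    return None, "missing"

def check_predefined(docroot, container_paths, idf_names):
    """Return (entry, problem) pairs for predefined values that do not resolve.
    Assumption: each IDF lies directly inside a container directory."""
    problems, containers = [], []
    for rel in container_paths:
        node, worst = Path(docroot), "ok"
        for segment in rel.strip("/").split("/"):
            node, status = _lookup(node, segment)
            if status != "ok":
                worst = status
            if node is None:
                break
        if worst != "ok":
            problems.append((rel, worst))
        if node is not None:
            containers.append(node)
    for name in idf_names:
        found = {_lookup(c, name)[1] for c in containers}
        if "ok" not in found:
            problems.append((name, "case mismatch" if "case mismatch" in found else "missing"))
    return problems

def demo():
    """Constructed sample: one container with one IDF, checked against five entries."""
    with tempfile.TemporaryDirectory() as root:
        container = Path(root, "containers", "CONTAINER_A")  # constructed path
        container.mkdir(parents=True)
        (container / "example.idf").write_text("")           # constructed IDF name
        return check_predefined(root, ["containers/CONTAINER_A", "containers/CONTAINER_B"],
                                ["example.idf", "Example.IDF", "other.idf"])

if __name__ == "__main__":
    for entry, problem in demo():
        print(f"{entry}: {problem}")
```

A "case mismatch" result matters when the web server treats file names as case-sensitive: the entry looks correct in the list-field but does not match the actual name.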