
1. General Information

IDERI note is a product for secure one-to-many communication of time-controlled and prioritized text messages in a Windows® based network. It is primarily targeted towards enterprise environments with an Active Directory® (AD) infrastructure, but can also be used in workgroups or home environments.

“Secure” basically means three things:

  • Only authorized personnel can create or modify messages (authorization).
  • Clients know who created or last modified a message (authenticity).
  • Only designated clients (users) receive a message (authorization). If a client acknowledges receipt of a message, this can optionally be recorded on the server (non-repudiation).

“Time-controlled” means that every message created and sent with IDERI note has a lifetime, defined by a start date and an end date. A message is displayed to users only during its lifetime and can be scheduled to appear on a user’s desktop at any point in the future. This makes IDERI note well suited to announcing temporary or scheduled downtimes of IT infrastructure elements such as servers, or to sending alerts to users. The IDERI note client components receive all information about a message scheduled for the future as soon as they connect to the IDERI note server. Messages are therefore downloaded by the client shortly after creation and are displayed to users even if the client is offline at the moment the message becomes due.

“Prioritized” means that messages fall into one of three categories of ascending priority: “information”, “warning” and “alert”. Messages of higher priority are always displayed before messages of lower priority. Alerts can optionally be pushed to clients and displayed immediately, provided that certain client configuration conditions are met.

“One-to-many” means that only privileged users can create or modify messages, which are then typically sent to many clients in the network. The rules that govern who may create or modify messages, and who receives a given message, follow the semantics of Windows® integrated security. It is therefore straightforward to send a message to a particular AD group or to individual users, or to configure IDERI note so that only members of a certain group can create or modify messages while others cannot. To underline this integration with Windows® security, all security settings of the IDERI note configuration and of message creation use the operating system’s built-in standard security dialogs, which should be familiar to every Windows® system administrator.

However, “secure” also covers a number of other properties, and as the following list shows, IDERI note uses the current security technology of the Windows® platform:

  • Kerberos is the authentication protocol of choice. NTLM is used only in environments where Kerberos is not available; the automatic fallback to NTLM is performed by the built-in Windows® authentication pseudo-protocol “Negotiate”. With Kerberos, not only are clients authenticated to the server as legitimate clients (which NTLM also provides), but the server is also authenticated to the clients, so a client cannot be tricked into connecting to a rogue server. Note that this server-authentication guarantee exists only while Kerberos is actually in use: if the client cannot obtain a ticket for the server’s service principal name (for example because the server is addressed in a way that no registered SPN matches), Negotiate falls back to NTLM and only the client side is authenticated.
  • All network communication is “signed and sealed” (integrity-protected and encrypted), so an eavesdropper cannot read the text messages sent to clients or alter them in transit, at least not with today’s technology.
  • The IDERI note server service runs with least privilege by default. On Windows® XP or later this means that the inotesvc service runs as Network Service, which is not an administrative account and authenticates to remote computers as the machine account in AD.
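Two checks that follow from the list above, as an added example (this is not IDERI’s own code and is not part of the product): confirm on the server that inotesvc runs as Network Service, and summarise recent network logons on the server by authentication package to see whether clients are actually authenticating with Kerberos or falling back to NTLM. The service name inotesvc comes from the text; the one-day window is an assumption, and success auditing of logon events must be enabled for the second check to return anything.

```powershell
# Added example, not part of the IDERI note documentation or product.
# Run in an elevated PowerShell session on the IDERI note server.

# 1. Least privilege: the service should run as Network Service.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='inotesvc'"
if (-not $svc) {
    Write-Warning "Service 'inotesvc' not found on this host."
} elseif ($svc.StartName -ne 'NT AUTHORITY\NetworkService') {
    Write-Warning "inotesvc runs as '$($svc.StartName)', not as Network Service."
} else {
    Write-Output "inotesvc runs as Network Service: OK"
}

# 2. Kerberos vs. NTLM: summarise successful network logons (event 4624, logon
#    type 3) by authentication package. The one-day window is an assumption.
#    Requires 'Audit Logon' success auditing to be enabled on this server.
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue

$rows = foreach ($ev in $events) {
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['LogonType'] -eq '3') {
        [pscustomobject]@{
            Package = $data['AuthenticationPackageName']
            Account = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Source  = $data['IpAddress']
        }
    }
}

# Count of network logons per authentication package (Kerberos, NTLM, ...).
$rows | Group-Object Package | Sort-Object Count -Descending |
    Select-Object @{ n = 'AuthPackage'; e = { $_.Name } }, Count

# Every NTLM entry is a client for which Negotiate could not use Kerberos (no
# matching SPN, server addressed by IP, no trust path, ...). For those clients the
# server-authentication guarantee described above does not apply.
$rows | Where-Object Package -eq 'NTLM' | Select-Object Account, Source -Unique
```

The second part is deliberately not filtered to IDERI note traffic, because the 4624 event does not record which service the logon was for; if NTLM logons show up, correlate the source addresses with your client population and check SPN registration for the server.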

Apart from the security features, deployment and licensing of the IDERI note components are straightforward. All components of IDERI note are packaged as MSI setups that can be invoked manually or deployed across the network using Group Policy or a PC lifecycle management solution. IDERI also provides a wizard for administrators that creates a transform file for the IDERI note client MSI package, so that customized installations can be produced. In addition, all per-machine settings of the IDERI note client components can be managed with fully managed AD group policies; customized ADM files for this purpose are shipped, together with the transform wizard, in the IDERI note Administrative Tools package.

Licensing is based on a license key combined with a licensee name, both of which are kept only on the server that hosts the IDERI note service. After downloading and installing the IDERI note server components, the server works out of the box for 5 free simultaneous client connections. Pricing for additional client licenses or for an unlimited number of simultaneous clients is available on the IDERI web site or from the IDERI sales department. Time-limited licenses for a given number of clients can be requested from IDERI as well.

In addition, IDERI note comes as a multilingual software package: All administrative user interface aspects of IDERI note are available out-of-the-box in German and English. The client user interface is available out-of-the-box in English, German, French, Spanish, Portuguese, Russian, Polish, Slovenian and Croatian.

To underline the technical integration of IDERI note into an AD environment, it should be noted that an IDERI note server can optionally be registered as a service connection point (SCP) in AD. A service connection point lets clients locate a service through an AD query. An IDERI note client can therefore optionally retrieve the name of the server it should connect to with a simple AD query, instead of relying on a hardcoded server name that is difficult to change once the client has been deployed.
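A query of the kind this paragraph describes, as an added example that is not IDERI’s own code and not part of the product: it lists service connection points in the domain, shows the binding information a client would read, and reports which principals can write each object. The keyword filter is an assumption (the keyword under which IDERI note registers its SCP is not stated here), so replace the placeholder or omit the parameter to list all SCPs. The ACL check is included because whoever can write an SCP can steer clients to a different host; Kerberos mutual authentication stops a rogue host from passing as the real server, but the write permissions on the object are still worth reviewing.

```powershell
# Added example, not part of the IDERI note documentation or product.
# Requires the ActiveDirectory module (RSAT) on a domain-joined machine.
Import-Module ActiveDirectory

function Find-ServiceConnectionPoint {
    param(
        # Optional keyword to narrow the search. The keyword IDERI note actually
        # uses is not given in the text; the caller below passes a placeholder.
        [string]$Keyword
    )
    $filter = '(objectClass=serviceConnectionPoint)'
    if ($Keyword) {
        # Escape LDAP filter metacharacters (backslash first) before embedding.
        $k = $Keyword -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
        $filter = "(&$filter(keywords=$k))"
    }
    Get-ADObject -LDAPFilter $filter -Properties keywords, serviceClassName, serviceBindingInformation, serviceDNSName |
        ForEach-Object {
            [pscustomobject]@{
                Name         = $_.Name
                DN           = $_.DistinguishedName
                ServiceClass = $_.serviceClassName
                DnsName      = $_.serviceDNSName
                Binding      = ($_.serviceBindingInformation -join ';')
                Keywords     = ($_.keywords -join ';')
            }
        }
}

function Get-ScpWriters {
    # Lists allow-ACEs that permit changing the SCP (and thus where clients connect).
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll|WriteDacl|WriteOwner')
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

# 'IDERI note' is a placeholder keyword (assumption); drop -Keyword to list all SCPs.
$scps = Find-ServiceConnectionPoint -Keyword 'IDERI note'
$scps | Format-Table Name, ServiceClass, DnsName, Binding -AutoSize

foreach ($scp in $scps) {
    "`nPrincipals with write access on $($scp.DN):"
    Get-ScpWriters -DistinguishedName $scp.DN | Format-Table -AutoSize
}
```

Expect to see the domain’s administrative groups and the account that registered the SCP in the write list; any other principal there is worth a closer look, since it could repoint every client that resolves the server through AD.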