Support Center

Organization Delegate

Last Updated: Dec 13, 2018 06:35PM PST
This article shows you how to download, install, configure, and use SSProtect as an Organization Delegate.
This article provides everything necessary to acquire, install, provision, and use SSProtect as an Organization Delegate. Delegates have significant control over Organization resources, including other Accounts and their permissions. Though some Administrative Tasks are introduced in this article, be sure to review materials in the Administration Topic before making changes to the Organization.

Provisioning requires a Registration Email message which, if not already available, can be acquired by contacting a peer SSProtect Organization Administrator. Refer back to the Quick Start article for role clarification and related materials.
Procedure Summary
SSProtect is a system comprised of multiple components. You install and use the :Foundation Client on your host computer, though it is often more simply referred to as SSProtect. For details, refer to the article, Components and Names.

The :Foundation Client is very small and runs in the background using few system resources. The software is supported on qualified Windows 7/ 10 systems. For other variations/ platforms, refer to the article, System Requirements and/ or contact Support.

The abbreviated procedure specific to your use with managed content follows:
  1. Use your Registration Email to determine which - if any - package to install
  2. If required, download the package specified in your Registration Email
  3. If required, verify the package signature, execute Installing the :Foundation Client
  4. Register your Organization Account using steps in, Using the Registration Email
  5. IMPORTANT: Login and export keys, as described in the article, 1st Time Use
  6. Review the System Overview, proceed with details in, Managing Data w/ SSProtect
  7. Review Components and Names, select components with Adding Feature Components

Administrative insight and introductory tasks include the following:
  1. Managing Organization capabilities with Components and Names and Adding Feature Components
  2. IMPORTANT: Before managing shared resources, read, Administrative Concurrency
  3. Manage Users with details in the article, Managing Organization Users
  4. Manage Administrative Resources, as described in, Administering Client Resources
  5. ​Manage Third Party Trusts with details in, Managing Third Party Trusts

Acquiring the :Foundation Client
Starting with v8.5.2, your Registration Email will tell you if your Organization pre-installs the:Foundation Client on host computers provided to you, and/ or which package your team(s) prefer or expect you to use. When necessary, directions will stipulate use of the Primary or Alternate Package from the Downloads page.

For package detail and/ or older versions of the software, refer to the article, Where do I find the Software?.

Installing the :Foundation Client
When necessary, download and verify the required package's signature before executing the install. When installing the Filesystem Driver, you may need to acknowledge User Account Control prompts. Refer to, Installing the :Foundation Client for details.

NOTE: Do not ignore Reboot notification associated with installation - the software will not function properly until carried out.

Accessing the :Foundation Client UI 
SSProtect integrates with Explorer context menus, and configuration/ management UI capabilities are exposed from a context menu you can access by clicking on the notification tray's DefiniSec, 'D' icon. If not present, instructions for your version of Windows to unhide it, and/ or double-click the SSProtect Desktop Shortcut created during installation. This will recreate the icon and/ or start the application when necessary.

If you have not logged in and access the SSProtect context menu, your options will be limited until you choose, Refresh Login... at which point you provide your Account Password to establish an SSProtect Session that governs managed content and related proceedings.

Getting Help from the :Foundation Client UI
All UI components include a Help button, which redirects you to a specific article on this site. If you prefer to discover things on your own, explore the displays using the context menu, and use the Help button to refer to individual topics that suit your interests.

Provisioning and Administrative Validation
Use your Registration Email and details in the article, 
Using the Registration Email, to provision your Organization Account. You will not be able to proceed until you complete this process, which requires Administrative Validation.

Validation protects against malicious intercept of Account Provisioning email that would otherwise grant the attacker access to shared content. As such, you cannot establish a Login Session (below) until one of your Organization Administrators or Delegates verifies, usually in person, that you were the participating Provisioning resource.

Once Validated, you will receive an email message indicating that your Account is ready for use.

NOTE: Administrative Validation is also required after you execute a Password Reset operation.

Login Sessions
SSProtect uses Login Sessions to manage context. You don't have to explicitly Login - you will be prompted to do so when the software detects activity that requires its' intervention. Use the Profile/ credentials you created during Provisioning.

Login Sessions remain active for a configurable amount of time - initially set to one hour by default. You do not have to enter your password again during this period, and you will be re-prompted with the first subsequently-related activity after a Session expires.

2FA is not enabled by default, though when configured, is required with each managed operation. For more information, refer to the articles in the :Access Topic.

1st Time Use
The first time you use the software, you will be prompted to carry out additional tasks. Organization Delegates must export Account and Organization keys. This is described in the article, 1st Time Use.

Remove the exported key file from your system: Never store it on network-connected systems. Also make sure you maintain access to its' password. As an Organization Delegate, you maintain critical Organization Keys that can be used to recover access if the Administrator Account is inaccessible.

For more information regarding SSProtect keys, refer to the article, Credentials, Keys, and 2FA.

Working with Content
The next several sections walk you through basic use, which includes further detail as follows:

Protecting files from within File Explorer
SSProtect extends File Explorer context menus, allowing you to choose up to 15 target files then right-click and choose, SSProtect Activate. This applies protection directly to chosen files. Note that you cannot apply protection to a folder or to certain types of files (i.e. read-only content and certain types of files that are not common for desktop/ application use). Use Bulk Conversion to add entire folders and subfolders of content.

File Explorer Overlay Icons for Protection State

When File Explorer lists files protected by SSProtect, it shows a small Red or Yellow circle on top of the file's display icon (in most lists). A Red overlay is used for files you, "own", while a Yellow overlay indicates that a file is managed by SSProtect though owned by another. Because sharing permissions are governed by Policies that can be changed anytime, the Yellow icon only reflects access uncertainty.

Icon indicators change when you establish new Login Sessions, with Red/ Yellow context associated with the Session's Account.

Using Protected Files w/ In-Place Encryption
Double-clicking a protected file launches its' default application and opens the file, in plaintext, for you to use. This puts the target file in a protected operating mode, which precludes others from reading and writing the source plaintext file while, "opened" in application software. This also prohibits sync and sharing applications from updating cloud content with unprotected plaintext - an inadvertent reality achieved everday by unwilling end-users.

When you Save and Close a protected file, it is re-encrypted before protective isolation is removed. This re-enables normal file operation - move, rename, copy, attach to email messages, coordinate changes with sync and sharing software, etc.

This process extends typical file encryption by removing the need for manual encrypt/ decrypt operation while maintaining protection over plaintext content independent from application data owners. This inhibits, "wait and offload" techniques employed by attackers who compromise hosts computers, wait for you to Login (even w/ 2FA), then proceed to copy unlocked content (slowly/ quietly).

Native Application Access to Managed Content
You can, from within application software, directly, "load/ save" managed content using the software's native UI. This is often in the form of File/ Open menu operation (or similar). So long as the calling application matches the default registered handler for the managed filetype, SSProtect will intercept the request and apply authentication/ protection on the fly, then isolate the application's access to resulting plaintext content (as noted in the previous section).

Default handlers associated filetypes with software application - for example, Microsoft Word for 
.docx files, Reader for .pdf files, etc. SSProtect doesn't, however, interpret access activity from non-default applications. In such cases, the application ends up reading ciphertext directly, which results in an attempt to load a, "corrupted" file.

In-Place Encryption is being extended to provide more flexibility in choosing how applications work with managed content, extending this mechanism such that you can natively access managed content from more than the default application (which can be changed with Windows configuration proceedings).

Authenticating On The Fly
If, when accessing content, you haven't established an SSProtect Login Session, you will be prompted to Login. When 2FA is configured, you must provide the second authentication factor with each request. Whether 2FA requires a physical presence activity or not depends on the method chosen for its' use. Many types of 2FA technologies can be quickly integrated, supporting changing industry dynamics.

Releasing Protections
Release protections by first holding the Shift key then right-clicking up to 15 protected files in File Explorer. Choose, SSProtect Release. This will remove protections, resulting in unmanaged plaintext (and the removal of the Icon Overlay status indicator).

The ability to Release Protections is governed by Account Policy that can be independently controlled for each Organization Account (by any Privileged Organization User).

Sharing Content with Organization Peers
By default, you have access permission to any file (or managed email message) created by anSSProtect Organization Peer. Access requests are centrally controlled by KODiAC Cloud Services, which manages dynamic changes to related Policies.

Note that content isn't automatically transferred to peers, you still have to share content as you did before using the mechanisms you prefer, i.e. email, shared/ mapped server folders, cloud sync and sharing software, etc.

Sharing Content with Third Party Trusts
You can allow secured access to managed content for other Accounts (Users) outside your Organizationusing something called a Third Party Trust. This requires manual configuration, for your Organization, by an Administrator or Delegate - keeping data access permissions in the hands of Policy makers rather than end-users.

Configuration changes are immediate, and relationships can be temporarily disabled and re-enabled at any time. If you wish to share managed content with those outside your Organization, submit a request to your Organization Administrators.

For more information on this facility, refer to the article, Protected Data Sharing.

Default Capabilities
All Accounts include a basic set of capabilities, as follows:


​A short summary of system components is available in the article, Components and Names.

Optional Capabilities
Additional capabilities can be individually added/ removed for an Organization and sometimes individually enabled/ disabled for Users within the Organization. Configuration is limited to Organization Administrators and Delegates, and includes all optional SSProtect components:

  • :Recover for secure cloud Backup and on-demand Restore and Host Re-Deployment
  • :xRecovery Disaster Recovery w/ offline Account/ Organization :Recover Archives
  • :Respond for Sabotage (Ransomware) Remediation
  • :Respond for On-Demand, Objective Disclosure Risk Reporting
  • :Honeypots that monitor plaintext, "dummy" files for early presence detection

SSProtect :Email
Your Organization can also enable Outlook Email protection, which when authorized, automatically installs and configures the associated Outlook Add-In.

Note that protected email messages to/ from Organization Peers are automatically accessible due to built-in :Policies, described in the :Collaborate Topic articles.

Refer to the articles in the :Email Topic for specifics.

Managing Organization Capabilities
SSProtect Licensing governs the availability and enabling/ disabling of non-default components, summarized in the article, SSProtect Licensing. For a list of components, refer to the article, Components and Names.

Add/ remove features using the details in, License and Components Interface and Adding Feature Components articles. Remember that changes affect the entire Organization, and are often automatically applied to all new Accounts. Some require individual configuration changes, such as :Recover, for existing Accounts. Details are described in details for each component.

Administrative Concurrency
As a Delegate, you have the ability to modify shared resources that other Delegates and the Organization Administrator can modify at the same time. This requires synchronized access to insure data is properly written. This is as a result of the reality in how information is managed - though the change you make may appear to be a single, one-step transaction, from the standpoint of how data is saved, it is a coordinated set of changes across many resources. When this is done by multiple users at the same time, there has to be some mechanism to insure that it is done as a coordinated transaction without interruption.

SSProtect manages this process by requiring Privileged Account holders to acquire exclusive access to shared resources before they can be changed. This is largely automatic, though important to understand for those instances when two people try to make changes at the same time. For details, review the article, Administrative Concurrency.

Provisioning and Managing Organization Users
You have the authority, as a Delegate, to provision and manage other Organization Accounts, with a limited capability to manage the Administrator Account (for example to submit a Password Reset request). For details, refer to the article, Managing Organization Users.

Additional Delegate tasks are described in the Administration Topic.

Enhanced 2FA
Enhanced 2FA is a two-factor authentication capability specific to SSProtect Login, applied to each Organization Account. This can only be configured using your Administrator Account; Delegates cannot make changes. As such, if you intend for your Organization to take advantage of integrated Duo Security authentication, you must provide the configuration as described in the article, Enhanced Login 2FA using Duo Security.

Administrative Resources
Some administrative changes are specific to your Account, such as Exporting Keys, while others are related to the entire Organization, such as the approved Version for Organization Accounts, and LOCKDOWN.

These are managed in the Administrative Resources dialog, described in the associated article. Note that LOCKDOWN requires participation with another qualified Privileged Account, while Duo Security 2FA (Enhaned 2FA) can only be managed by the Organization Administrator.

Managing Third Party Trusts
As an empowered Delegate, you can enable, disable, add, and remove Third Party Trust associations - permissions for Accounts not a part of your Organization - to access content created and managed by your Organization Accounts. This is a one-way association that must be reciprocated to access data from external Accounts. Note that your Organization Accounts can always access changes external Accounts make to data shared with them.

For an explanation of Third Party Trusts, refer to the article, Protected Data Sharing. Procedural guidance is provided in the article, Managing Third Party Trusts.

Additional Resources
You can search this site for more information on various topics, or use 
this link to submit a specific request. You can also send email directly to, and our staff will respond to your needs as soon as possible.

In the meantime, don't forget to check out our primary website and Insights columns for information on current trends, security topics, and how our technologies relate.


This article was updated w/ v8.5.1of the :Foundation Client

Contact Us
seconds ago
a minute ago
minutes ago
an hour ago
hours ago
a day ago
days ago
Invalid characters found