Lost SAST USB Token - how to recover

Unanswered Question
Oct 23rd, 2009

We are in the middle of upgrading from 4.1 to 6 and do not have the SAST token is there a way around this - if we removes the CTL security from the servers then reboot, will we manually have to log out or re-register all the phones ? Anyone had to do this before ?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (2 ratings)
Jonathan Schulenberg Sat, 10/24/2009 - 14:23

If you have lost both tokens (you needed at least two to generate the CTL), you will need to manually erase the CTL from every phone. This is done within Settings > Security. View the CTL and unlock the config. It will give you an option to erase it. The phone will restart and attempt to download it again. Make sure that it can't. If you generated an LSC you will need to delete that from each phone as well.

barker_man Sun, 10/25/2009 - 09:09

Thanks for your reply. We have circa 4000 devices on site is this possible to remove the file using scripting, as the last thing i want to do is have to go to each of them and manually erase. Will the phone remained logged on as the user after the restart, as again, i dont really want to log everyone out then they all have to log back in. Much thanks for your reply.

Jonathan Schulenberg Wed, 10/28/2009 - 19:23

To my knowledge there is no way to remove this from the phone remotely. If there was it would be a huge security problem. If you could just tell the phone to erase the CTL and then download a new one, it would be relatively simple to make it download a fake CTL and become a TLS proxy for that phone. The security guide states that LSC enrollment is supposed to happen over a trusted network only. Depending on your environment, "trusted network" is one of those magic terms (e.g. government/military).

As for extension mobility: I believe an EM login will persist across restarts. I would test one or two phones to confirm though.

Sounds like it is time to buy new walking shoes. :)


This Discussion