A Three Hour Tour

If you’re reading this blog from within the UCLA residence halls, you probably have installed that mysterious little program called TrustedInstaller.exe, SafeConnect, or PolicyKey, all of which are names for the same program, which I will call PolicyKey.  You get this warning, and then download this file.  It doesn’t seem to do anything, and yet magically you suddenly have internet access!  What happens?  How does it work?  And most importantly, what does it do?

If you’re like me, you hesitate to install programs unless you know what they do.  Well search the internet all you want, and there’s very little information about PolicyKey out there, other than it is the Product of Impulse and is a Network Access Control (NAC) product.  What does that mean?

We are blessed with a blazingly-fast on-campus network.  We are better than DSL, Cable, or even Verizon’s FiOs offering.  We are very fortunate in that regard.  Unfortunately, with great speed comes great responsibility, and that means we are also an attractive target for viruses, botnets, and other forms of malicious software.  And because we’re all connected to each other, if one person on your floor has a virus, that virus will quickly spread to everyone unless you are protected.  A virus that has taken over the network is not only dangerous to you, since it could facilitate identity theft (and take out loans in your name, or worse), but it also slows down, attacks, and damages the university’s network.  Therefore it is in everyone’s interest to stop the spread of viruses.

Therefore to use the residential network, you are required to have virus protection software installed.  PolicyKey is the method the university has chosen to enforce this.

Here’s how it works.  When you access a website, your request to view that document goes through a UCLA server, which checks to see if you are a permitted user of that system.  If you are, it lets it through.

If you are not, you will be asked to identify yourself first by logging in with your UCLA username and password.  What happens next depends on your operating system:

• If you are running Windows, you will be asked to download PolicyKey.  Once this software is downloaded and is allowed to communicate with the Impulse servers, you will be unlocked and have full network access.
• If you are running Mac OS X, you have to download PolicyKey as well, however at the time this post is written it does not enforce anything on this platform.
• If you are running a flavor of Linux (Ubuntu, Debian, Kubuntu, Gentoo, or Red Hat just to name a few) then you do not have to install anything; instead you have to periodically log in every couple of hours.

So if you’re running Mac OS X or Linux, you are up and running!  If you’re running Windows, a few more things happen:

1. PolicyKey downloads a list of authorized antivirus programs and rules for how to detect them.  At the time of this writing the list includes at least Sophos, including the free UCLA-provided edition, McAfee, TrendMicro, EZAntivirus, Symantec (Norton), Panda, AVG, AntiVir, Authentium, Avast, Microsoft OneCare, BitDefender, Kaspersky, SpySweeper, Nod32, and ZoneAlarm.
2. PolicyKey also gets a list of required Windows Updates – these include the Windows Firewall and all the latest service packs for the version of Windows you are using.
3. PolicyKey checks to ensure that all virus definitions are up to date.

If all of the following are true, it sends a message to Impulse, identifying your computer and the specific antivirus software you have running.  Impulse then unlocks your computer and you have unrestricted network access for a while.  PolicyKey checks frequently (every second) to ensure that these conditions are still valid, and notifies Impulse if any of these conditions ever fails.  Your computer must check in periodically to maintain this access, which is why the software must be running in the background.

So what’s the take-away from all this?

• At no time does the current version of Impulse PolicyKey access or send any of your private files to anyone – not Impulse, not UCLA, not anyone.
• The only things it enforces are antivirus programs and updates.  It does NOT scan for peer-to-peer filesharing applications, illegally downloaded software, or non-genuine versions of Windows.  HOWEVER, and this is a big disclaimer, this does NOT in any way mean it’s okay to do any of this!  It just means you do so at your own risk.
• The rules it is enforcing are common sense.  Keep your computer up to date and that helps you.  And what’s good for your computer is good for everyone’s computer.

Hopefully this was able to answer some of your questions, or put any suspicions or nagging doubts to rest.  Happy safe computing everyone!