Central Management
Server Software

With SafeConsole, instantly gain complete and granular control over all of your encrypted USB flash drives and portable hard drives.


One Platform

Link all your devices across multiple locations
with ultimate control


Enforce policies such as password rules, file-type restrictions or geographic boundaries. Reset passwords, switch devices into read-only mode, and even remotely wipe them in case of loss or theft.


Monitor all your encrypted drives, including their location anywhere in the world. Integrate with Active Directory to track users, assigned devices and connected computers with ease.


See which files are saved to or deleted from your encrypted drives at any given moment. Use a complete audit trail by user, including connections, login failures, resets and loss reports.


Analyze SafeConsoleReady devices. See total connections, device inventory and geolocation chart in one glance. Third Party SIEM integration is available using Splunk or Graylog.

Deployment Options

Put it on the cloud or keep it on your own Windows server

SafeConsole Cloud

  • Up and running in minutes
  • No user content is stored on the cloud
  • Your dedicated server can be hosted in your choice of cities around the globe

SafeConsole Cloud is a single tenant solution, so your custom cloud hosted service is dedicated to only your organization.
You can also choose where to host your server (Amsterdam, Frankfurt, London, New York, San Francisco or Singapore) to meet regulatory requirements. All network traffic is encrypted.

PCI Compliance

For SafeConsole Cloud, our data centers have been certified by national and/or international security standards. Also, please note that SafeConsole Cloud is a single tenant solution, meaning that only your company’s service is hosted on that specific virtual server. Also, no actual data from the storage products is saved on the cloud. Only SafeConsole, the management console, is hosted on the cloud.


  • New York - SSAE16 SOC-1 Type II
  • Amsterdam - ISO27001:2005, ISO9001
  • San Francisco - SSAE16 SOC-1 Type II
  • Singapore - ISO27001:2005
  • London - ISO9001:2008, ISO27001, SSAE16 / ISAE 3402
  • Frankfurt - ISO9001:2008, ISO27001:2005, ISO22301:2012
  • Toronto - SSAE16 SOC-1, SOC-2

SafeConsole On-Prem

  • Requires a dedicated Windows-based server
  • Log in and manage from anywhere
  • Administrators can authenticate to access SafeConsole with their AD credentials
  • Ideal for deployments of 300+ drives

Minimum Requirements

  • Pentium Quad Core or higher class system
  • 2GHz or faster CPU minimum
  • Windows Server 2003, 2008, 2012 or 2016.
  • 4GB of free RAM
  • 20GB of free hard disk space required

SafeConsole's web portal is supported by major Single Sign-On providers


Additional Features

Keep the productivity benefits of USB storage devices
without the risks of malware, data leaks and breaches


PortBlocker: USB Port Lock Down

  • Limit USB mass storage access to only approved SafeConsole Ready Devices

  • Only whitelisted devices allowed as USB mass storage devices on PortBlocker installed machines

McAfee Powered: Anti-Malware Protection

  • Blocks and removes viruses, ransomware, spyware, and any other malware threats and reports them to SafeConsole

  • No installation required, anti-malware activation is available with your SafeConsole account


SafeConsoleReady® Device Features


Stored data is protected by an enforced password following a strong password policy. Secure password resets are available for administrators to assist users.


Automatic, full hardware encryption of all data, featuring a single on-board security chip that can’t be bypassed and encrypts all data copied to the drive.


Offers true brute-force protection on the chipset, with a password attempt counter built into the hardware in order to protect against password attacks.


User-friendly software is used to unlock the devices. The software does not require any installation or administrator rights and runs on OS X for Mac and Windows.

SafeConsole Feature Listing

Server Deployment Options
US Based Datacenter
Private Cloud Server SaaS
Available as an On-Prem installation (Windows installable, automigrate from 4.7/4.9)
Devices To Manage*
Crossplatform Windows and Select Devices for Mac/Linux
Forced Management Available?
IronKey EMS
  • Sentry ONE
  • IronKey D
  • S Series flash drives
  • DataLocker / Ironkey H300
  • DataLocker / Ironkey H350
  • DataLocker Sentry ONE
  • SafeStick
  • Sentry K300
  • DL3 & DL3 FE
  • H350
  • Origin SC100
  • Kingston DTVP30DM
  • Kingston DT4000DM
  • Kingston D300M
  • Kingston D300SM
General Features
Active Directory Integration
Browser Based Service Interface
Automatic Inventory Directory of All Users and Devices
Self-Service Plug-and-Play Device Deployment
Centrally Enforce Security Policies of Devices
Accessible from Mobile Device
Filter and Sort Data Tables
Search for Devices and Users
Two-Factor Authentication to Management System Mobile text message or token
Information Dashboard
Optimized for Large Enterprises
Admin and Role Management
Multiple Administrator Roles
Dynamic Licensing
Integrated Help Text in the User Interface
Export Data in CSV Format
Automated Server Updates
Server/Device Locked to Organization with a Certificate
Security Features and Configurations
Custom Device Password Policy
Device Remote Password Reset over Phone or Internet (Challenge/Response - PKI)
Local Device Self-Service Password Reset (PKI) using ZoneBuilder
ZoneBuilder (Automatic Unlock on Trusted User Accounts)
Remotely Reassign Device to New User
Manage the Device States. Automate with Rules.
Self-Service Mark a Device as “found” on Successful Unlock
Offline Restrictions for Device Usage
Custom Return-to-Owner Message Displayed on Device if lost
File Restrictions (White-List Accepted File-Types) Anti-Malware
Inactivity Lock Management
Device/User Audit (Excel, XML)
File Audit (Excel, XML, Syslog)
Audit Reports
Backup Integration available
Publisher File Distribution
ZoneBuilder (Restrict Devices to Work on Select Machines)
Autorun Applications
Enable Users to Unlock Drives in Write Protected Mode
Collect and use device user information. Sort and search based on collected information in the Device Overview.
Customize Device “About” Screen
Manage Portable Antivirus on the Devices McAfee
Geo Location of Devices
Geo Fencing of Devices
Silver Bullet Services
Remotely Reset Device
Remotely Kill Devices Zeroizes Encryption Keys
Remotely Set Device as Disabled
Remotely Set Device as Lost or
to Deny Access to the Device

SafeConsoleReady Vendors


DataLocker – SentryONE and SentryONE Managed* – SKUs
SONE[004-128][M*]
* Managed version requires a SafeConsole license (sold separately)

DataLocker – Sentry K300 – SKUs

DataLocker – DL3 – SKUs

DataLocker – DL3FE – SKUs

DataLocker – H300 (client 6.0 or later) – SKUs
MXKB1B500G5001-B, MXKB1B001T5001-B, MXKB1B002T5001-B, MXKB1B500G5001-E*, MXKB1B001T5001-E*, MXKB1B002T5001-E*
* Requires IronKey EMS license or SafeConsole license (sold separately)

DataLocker – H350 (client 6.0 or later) – SKUs
MXKB1B500G5001FIPS-B, MXKB1B001T5001FIPS-B, MXKB1B002T5001FIPS-B, MXKB1B500G5001FIPS-E*, MXKB1B001T5001FIPS-E*, MXKB1B002T5001FIPS-E*, DL-H350-0500SSD-B, DL-H350-1000SSD-B, DL-H350-0500SSD-E*, DL-H350-1000SSD-E*
* Requires IronKey EMS license or SafeConsole license (sold separately)

DataLocker – PortBlocker – SKUs
PBM-1, PBM-3

Legacy devices supported – DataLocker Sentry 3 FIPS, DataLocker Sentry EMS (client 6.0 or later), and DataLocker SafeStick

Kingston Digital

Kingston Digital, Inc. (“KDI”) is the Flash memory affiliate of Kingston Technology Company, Inc., the world’s largest independent manufacturer of memory products. Kingston offers two SafeConsoleReady devices. Ensure that you purchase the correct products by double-checking the part number (SKU).

DataTraveler Vault Privacy 3.0 – FIPS197 – SKUs

DataTraveler 4000 G2 – FIPS 140-2 level 3 – SKUs
DT4000G2DM/4GB, DT4000G2DM/8GB, DT4000G2DM/16GB, DT4000G2DM/32GB, DT4000G2DM/64GB

IronKey D300M / D300SM – FIPS 140-2 level 3 – SKUs
IKD300M/4GB, IKD300M/8GB, IKD300M/16GB, IKD300M/32GB, IKD300M/64GB, IKD300M/128GB
IKD300SM/4GB, IKD300SM/8GB, IKD300SM/16GB, IKD300SM/32GB, IKD300SM/64GB, IKD300SM/128GB

Origin Storage

The SC100 is Origin’s own branded flash drive, with 256-bit AES hardware-based encryption. It represents great value for money while providing enterprise-grade protection for your data. Ensure that you purchase the correct product by double-checking the part number (SKU).

SC100 Encrypted USB 3.0 Drive SKUs
SC100-4GB, SC100-8GB, SC100-16GB, SC100-32GB, SC100-64GB

Password Management

Remote Password Reset

Reset passwords remotely over any channel. Administrators can get remote offline users back to work within minutes, without any loss of stored data. The short 8-character recovery codes are easily read over the phone yet maintain the robust security of a 128-character code using a pre-buffer method. No data is lost and the process is protected against social engineering directed against the helpdesk. The user password is never exposed and there is NO master password.

Password Policy

Ensure that all data is protected by strong, compliant passwords by enforcing password policies on the devices.

Read the Password Management Best Practice Paper.


Device Auditing – See Who Did What, When and Where

Device auditing makes taking stock of the entire portfolio of SafeConsoleReady devices easy as it creates an automatic inventory list. The logs then include unsuccessful unlocking attempts, device states and log-ins. This gives the administrator a full overview of all drives in use in the organization.

Detailed File Auditing – Achieve Compliance Requirements

Detailed File Auditing is an extension of the Device Audit. It allows an administrator to see what files have been copied to or deleted from the devices, as well as a trail of the files that have had their names changed.

Device State Management – Full Control Over Devices

As an extra security precaution when drives are lost, or to protect your organization’s sensitive information from access by former employees, you can remotely ‘kill’ rogue drives and erase them of all data. In the Device Overview in SafeConsole, an authorized administrator can set the device state to ‘killed’, ‘disabled’ and ‘lost’. Devices can later be recovered using the Remote Password Reset and/or Backup features. SafeConsole can also be set to handle the devices’ states entirely on autopilot. This will require the drives to return to base by connecting to the SafeConsole server within a configurable time period.

Device Protection

Inactivity Lock – Forgotten Drives Lock Down

Lock down a secure USB drive after a configurable period of inactivity. Forgotten drives that are left behind in a computer will automatically lock down according to the set policy.

File Restrictor – Restrict File Types to be Stored EXE, MP3

A white-list approach prevents the storage of unauthorized file-types. Rogue files cannot reside on a SafeConsoleReady Device as it only allows storage of file-types specified by the administrator in the SafeConsole settings.

Authorized Autorun – Stop Autorun Viruses

The onboard autorun protection chokes self-copying viruses such as Stuxnet and Conficker by denying unauthorized autorun files from residing on the drive altogether.

Write Protection – Set Devices in Read-Only Mode

With Write Protection, users can set their drive in a read-only mode when unlocking it on non-trusted machines and thereby gain protection from malware trying to infect the drive or its content. It is also possible for an administrator to enforce this protection when a user leaves the company network, ensuring that no malware can be copied to the drives and brought back to the company.

Geolocation and Geofencing

Using IP-based location tracking, pinpoint the exact location of your encrypted endpoints anywhere in the world. With SafeConsole, you can also geofence your devices making them accessible only within specific geographic boundaries.

Administrator Tools

Authorized Autorun – Stop Autorun Viruses

To prevent the spread of autorun malware, SafeConsoleReady devices overwrite the autorun.inf files stored on the encrypted storage volume, choking the effect of viruses such as Conficker. Specify trusted commands to enable authorized applications to autorun off the devices, allowing you to keep the benefits and convenience of autostarting working-tools while blocking gateways for malware infection.

Device User Information

Save time and pain – customize devices with user information for easy identification and secure lost and found. By defining “token” questions, SafeConsole administrators can ask device users to enter unique information about themselves. The “token” information allows the administrator to create a custom message about the user under the About window to easily identify lost devices without requiring permission to unlock the drive. Autostart applications that require a password to start can also make use of “token” information by assigning a token as a necessary password. This allows the application to launch without interruption. The information is collected to the server and can be used to sort and search users and their devices.

Device User Settings

Configure device settings to tailor the SafeConsoleReady device to your needs (e.g. disallow users from factory-resetting their devices). It is also possible to enforce a user interface language and pre-approve the device warranty for quicker device deployment.


ZoneBuilder is a tool to create a “trusted zone” of computers that makes using your SafeConsole managed devices even more Simply Secure.

How to Create a Trusted Zone
  1. Whitelist the computer IP address in SafeConsole.
  2. Plug-in your SafeConsoleReady storage device and enter the device password.
  3. Your computer has been registered into your Trusted Zone!
Within Your Trusted Zone You Can
  • RESTRICT device access to computers inside your Trusted Zone.
  • AUTO-UNLOCK your storage device eliminating the need to enter your password. It makes sharing files within your Trusted Zone quick and easy. This feature uses RSA client certificates for authentication.

Use Case 1: DLP Solution

Prevent your team from copying sensitive data from your Trusted Zone to an unknown computer.

The Benefit

Only approved SafeConsole USB storage devices can be used within your Trusted Zone, and those devices cannot be used outside the Zone.

Use Case 2: Secure File Sharing

Sharing your encrypted device with the team using ‘Auto-unlock’ mode.

The Benefit

The device owner does not have to share the device password when sharing files with other members within the trusted zone.


SafeConsole Cloud
Device Name | License Duration | Part No. | Renewal Part No.
SafeConsole Cloud Base | One-time Starter | SCC-BASE | N/A
SafeConsole Cloud Device License | 1 year | SCC-DEV-1 | SCC-DEV-1R
SafeConsole Cloud Device License | 3 years | SCC-DEV-3 | SCC-DEV-3R

Anti-Malware for SafeConsole Cloud
Device Name | License Duration | Part No. | Renewal Part No.
Anti-Malware for SafeConsole Cloud (per device)* | 1 year | AMSCC-1 | AMSCC-1R
Anti-Malware for SafeConsole Cloud (per device)* | 3 years | AMSCC-3 | AMSCC-3R

* of Anti-Malware Service for a SafeConsole Ready Device. A new or existing SafeConsole license is required for each device.

SafeConsole Cloud + Anti-Malware
Device Name | License Duration | Part No. | Renewal Part No.
SafeConsole Cloud with Anti-Malware (per device)* | 1 year | SCCAM-1 | SCCAM-1R
SafeConsole Cloud with Anti-Malware (per device)* | 3 years | SCCAM-3 | SCCAM-3R

* plus Anti-Malware for a SafeConsole Ready Device.

SafeConsole On-Prem

A one-time On-Prem Starter (base) + Device Licenses are REQUIRED for SafeConsole On-Premises. The Base is a 'one-time' starter. A new account form is REQUIRED.

Device Name | License Duration | Part No. | Renewal Part No.
SafeConsole On-Prem | One-time Starter | SCOP-BASE | N/A
SafeConsole On-Prem Device License | 1 year | SCOP-DEV-1 | SCOP-DEV-1R
SafeConsole On-Prem Device License | 3 years | SCOP-DEV-3 | SCOP-DEV-3R

Anti-Malware for SafeConsole On-Prem
Device Name | License Duration | Part No. | Renewal Part No.
Anti-Malware for SafeConsole On-Prem (per device)* | 1 year | AMSCOP-1 | AMSCOP-1R
Anti-Malware for SafeConsole On-Prem (per device)* | 3 years | AMSCOP-3 | AMSCOP-3R

* of Anti-Malware Service for a SafeConsole Ready Device. New or existing SafeConsole license required for each device.

SafeConsole On-Prem + Anti-Malware
Device Name | License Duration | Part No. | Renewal Part No.
SafeConsole On-Prem with Anti-Malware (per device)* | 1 year | SCOPAM-1 | SCOPAM-1R
SafeConsole On-Prem with Anti-Malware (per device)* | 3 years | SCOPAM-3 | SCOPAM-3R

* plus Anti-Malware for a SafeConsole Ready Device
