By default, Atakama's security guarantees are grounded in user access to multiple physical devices.
In some enterprise deployments (e.g., roaming profiles), users cannot re-join Security Groups every time they log in on a different workstation. In such situations, Atakama can be configured to roam the user's private keys.
To make this change, set the Roaming or DataDir registry entry underneath the HKLM\Software\Atakama LLC\Atakama key.
If Roaming is set to 1, the user's roaming profile will be used for all Atakama settings, allowing the user to roam.
If DataDir is set to a specific path, then that folder will be used for all Atakama settings. If that drive is always available to the user, then the user's Atakama installation will roam.
This registry change can be distributed via GPO.
In addition, you need to enable Credential Roaming in your Active Directory Group Policy Management console, and you need to check the box that allows DPAPI keys to roam.
Options for Setting Atakama Registry Entries
Either the Roaming or the DataDir entry can be used, but not both. Roaming must be a DWORD, and currently the only valid value is 1 (Enable Roaming). DataDir must be a REG_SZ pointing to the directory, usually a mapped user drive, where the files should be stored.
1. Manually editing a registry entry:
2. Using command line to edit a registry entry:
3. Using Group Policy Registry Wizard to set roaming and DataDir options on all machines in a domain:
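The following PowerShell script is an added example for options 1 and 2 above; it is not Atakama's own tooling. The key path, value names and value types (Roaming as a DWORD set to 1, DataDir as a REG_SZ) are taken from this page; the function names Set-AtakamaRoaming and Test-AtakamaRoaming are this example's own. It enforces the "one or the other, not both" rule when writing, and the check function reads the key back and flags the misconfigurations the page describes (both values present, wrong value type, Roaming not equal to 1, DataDir path not reachable).

```powershell
# Added example (not Atakama's tooling). Key path, value names and types come
# from the documentation above; the function names are this example's own.
# Writing under HKLM requires an elevated (administrator) session.

$AtakamaKey = 'HKLM:\Software\Atakama LLC\Atakama'

function Set-AtakamaRoaming {
    # Configures exactly one of the two mutually exclusive modes.
    [CmdletBinding(DefaultParameterSetName = 'Roaming')]
    param(
        [Parameter(ParameterSetName = 'Roaming', Mandatory = $true)]
        [switch]$Roaming,

        [Parameter(ParameterSetName = 'DataDir', Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$DataDir
    )

    if (-not (Test-Path -Path $AtakamaKey)) {
        New-Item -Path $AtakamaKey -Force | Out-Null
    }

    if ($PSCmdlet.ParameterSetName -eq 'Roaming') {
        # Roaming and DataDir must not both be present, so clear the other one first.
        Remove-ItemProperty -Path $AtakamaKey -Name 'DataDir' -ErrorAction SilentlyContinue
        # Roaming is a DWORD and 1 (Enable Roaming) is currently the only valid value.
        New-ItemProperty -Path $AtakamaKey -Name 'Roaming' -PropertyType DWord -Value 1 -Force | Out-Null
    }
    else {
        Remove-ItemProperty -Path $AtakamaKey -Name 'Roaming' -ErrorAction SilentlyContinue
        # DataDir is a REG_SZ holding the folder (usually a mapped user drive) for all settings.
        New-ItemProperty -Path $AtakamaKey -Name 'DataDir' -PropertyType String -Value $DataDir -Force | Out-Null
    }
}

function Test-AtakamaRoaming {
    # Reads the key back and reports the effective mode, flagging the invalid
    # states described above: both values set, wrong value type, or Roaming <> 1.
    $result = [ordered]@{ Mode = 'None'; Valid = $true; Problems = @() }
    if (-not (Test-Path -Path $AtakamaKey)) {
        $result.Problems += 'Key absent; Atakama will use its default (non-roaming) data location.'
        return [pscustomobject]$result
    }

    $key = Get-Item -Path $AtakamaKey
    $names = $key.GetValueNames()
    $hasRoaming = $names -contains 'Roaming'
    $hasDataDir = $names -contains 'DataDir'

    if ($hasRoaming -and $hasDataDir) {
        $result.Valid = $false
        $result.Problems += 'Both Roaming and DataDir are set; only one may be used.'
    }
    if ($hasRoaming) {
        $result.Mode = 'Roaming'
        if ($key.GetValueKind('Roaming') -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            $result.Valid = $false; $result.Problems += 'Roaming is not a DWORD.'
        }
        elseif ($key.GetValue('Roaming') -ne 1) {
            $result.Valid = $false; $result.Problems += 'Roaming must be 1; no other value is valid.'
        }
    }
    elseif ($hasDataDir) {
        $result.Mode = 'DataDir'
        if ($key.GetValueKind('DataDir') -ne [Microsoft.Win32.RegistryValueKind]::String) {
            $result.Valid = $false; $result.Problems += 'DataDir is not a REG_SZ.'
        }
        elseif (-not (Test-Path -Path $key.GetValue('DataDir'))) {
            # Not fatal: a mapped drive may simply not be connected in this session,
            # but if it is never available the installation will not roam.
            $result.Problems += ('DataDir path not reachable right now: ' + $key.GetValue('DataDir'))
        }
    }
    [pscustomobject]$result
}

# Usage (pick one mode):
#   Set-AtakamaRoaming -Roaming
#   Set-AtakamaRoaming -DataDir 'H:\Atakama'   # 'H:\Atakama' is a constructed example path
#   Test-AtakamaRoaming | Format-List
```

Run Test-AtakamaRoaming on a workstation after the GPO has applied to confirm the value type and mutual exclusion survived the push; a plain reg.exe equivalent of the Roaming mode is `reg add "HKLM\Software\Atakama LLC\Atakama" /v Roaming /t REG_DWORD /d 1 /f`.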
Walkthrough for enabling Credential Roaming through Group Policy.
Credential Roaming must be enabled. DPAPI keys and non-certificate keys must also be configured to allow roaming.
1. Navigate to your default or relevant domain policy. Right-click the policy and click Edit.
2. Navigate to User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies, and enable Credential Roaming.
3. In the Credential Roaming properties, click the Filters tab and check the boxes to allow the DPAPI keys to roam.