Symantec Endpoint Encryption Installation Guide: Version 11.1.1

Preface
Legal Notice
Copyright © 2016 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, the Checkmark Logo, PGP, and Pretty Good Privacy are
trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and
other countries. Other names may be trademarks of their respective owners.
This Symantec product may contain third party software for which Symantec is required to
provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs
are available under open source or free software licenses. The License Agreement
accompanying the Software does not alter any rights or obligations you may have under those
open source or free software licenses. For more information on the Third Party Programs,
see the Third Party Notice document for this Symantec product that may be available at
http://www.symantec.com/about/profile/policies/eulas/.
The product described in this document is distributed under licenses restricting its use, copying,
distribution, and decompilation/reverse engineering. No part of this document may be
reproduced in any form by any means without prior written authorization of Symantec
Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED
CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED
WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR
NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH
DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL
NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION
WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE
INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE
WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software
as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19
"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq.
"Commercial Computer Software and Commercial Computer Software Documentation," as
applicable, and any successor regulations, whether delivered by Symantec as on premises
or hosted services. Any use, modification, reproduction release, performance, display or
disclosure of the Licensed Software and Documentation by the U.S. Government shall be
solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
Document version: 11.1.1
Document release date: May 2016
Technical Support
Symantec Technical Support maintains support centers globally. Technical Support’s
primary role is to respond to specific queries about product features and functionality.
The Technical Support group also creates content for our online Knowledge Base.
The Technical Support group works collaboratively with the other functional areas
within Symantec to answer your questions in a timely fashion. For example, the
Technical Support group works with Product Engineering and Symantec Security
Response to provide alerting services and virus definition updates.
Symantec’s support offerings include the following:
■ A range of support options that give you the flexibility to select the right amount of service for any size organization
■ Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
■ Upgrade assurance that delivers software upgrades
■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
■ Premium service offerings that include Account Management Services
For information about Symantec’s support offerings, you can visit our website at
the following URL:
support.symantec.com
All support services will be delivered in accordance with your support agreement
and the then-current enterprise technical support policy.
Contacting Technical Support
Customers with a current support agreement may access Technical Support
information at the following URL:
www.symantec.com/business/support/
Before contacting Technical Support, make sure you have satisfied the system
requirements that are listed in your product documentation. Also, you should be at
the computer on which the problem occurred, in case it is necessary to replicate
the problem.
When you contact Technical Support, please have the following information
available:
■ Product release level
■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
  ■ Error messages and log files
  ■ Troubleshooting that was performed before contacting Symantec
  ■ Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical
support Web page at the following URL:
www.symantec.com/business/support/
Customer service
Customer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the
following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates, such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade assurance and support contracts
■ Information about the Symantec Buying Programs
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
■ Issues that are related to CD-ROMs, DVDs, or manuals
Support agreement resources
If you want to contact Symantec regarding an existing support agreement, please
contact the support agreement administration team for your region as follows:
Asia-Pacific and Japan
customercare_apac@symantec.com
Europe, Middle-East, and Africa
semea@symantec.com
North America and Latin America
supportsolutions@symantec.com
Contents
Technical Support ..... 4

Section 1  Before installing Symantec Endpoint Encryption ..... 11

Chapter 1  Introducing Symantec Endpoint Encryption ..... 12
    About Symantec Endpoint Encryption ..... 12

Chapter 2  Symantec Endpoint Encryption system requirements ..... 14
    Symantec Endpoint Encryption protocols and ports ..... 14
    Symantec Endpoint Encryption Management Server system requirements ..... 16
    Symantec Endpoint Encryption database system requirements ..... 17
    Management Console system requirements ..... 18
    Operating system requirements for Microsoft Windows clients ..... 19
    Software Requirements for Microsoft Windows clients ..... 21
    Hardware requirements for Microsoft Windows clients ..... 22
    Operating system requirements for Mac OS X clients ..... 28

Chapter 3  Symantec Endpoint Encryption prerequisite tasks ..... 30
    Accounts required by Symantec Endpoint Encryption ..... 30
    Setting up the rights for the database access account ..... 33
    About Symantec's Community Quality Program ..... 34
    Best practices for Microsoft SQL Server database logons ..... 36
    Roles required by Symantec Endpoint Encryption ..... 36
    About the Management Password ..... 37
    Symantec Endpoint Encryption .NET requirements ..... 38
    Symantec Endpoint Encryption Microsoft SQL Server Feature Pack requirements ..... 38
    Enabling the prerequisite server roles, features, and tools for the Symantec Endpoint Encryption Management Server ..... 39
    About configuring TLS/SSL communications for Symantec Endpoint Encryption ..... 41
    Installing prerequisite software on your Management Console ..... 43

Section 2  Installing Symantec Endpoint Encryption ..... 45

Chapter 4  Installing Symantec Endpoint Encryption Management Server ..... 46
    Installing the server ..... 46
    Configuring the server ..... 54
    Installing a Management Console ..... 59
    Adding or removing the Symantec Endpoint Encryption snap-ins ..... 62
    Installing the Autologon Utility (optional) ..... 62
    Installing the Windows Password Reset snap-in (optional) ..... 63
    Completing the installation ..... 64

Chapter 5  Creating Symantec Endpoint Encryption client installers ..... 66
    About client installers ..... 66
    About the installation settings wizards ..... 67
    Creating a Symantec Endpoint Encryption Client installation package ..... 69
    Configuring the Management Agent installation settings ..... 71
    Configuring the Drive Encryption installation settings ..... 74
    Configuring the Removable Media Encryption installation settings ..... 80
    About enabling features in the Symantec Endpoint Encryption Client installation package ..... 87
    Creating a Symantec Endpoint Encryption for FileVault installation package ..... 89
    Creating a Windows Password Reset Utility installation package ..... 90
    About the Autologon Utility ..... 91
    Creating Autologon MSI files ..... 91
    Installing an Autologon MSI file on a client computer ..... 92

Chapter 6  Deploying new clients ..... 94
    Deploying client packages using a third-party tool ..... 94
    Deploying new clients using Group Policy Objects ..... 95
    Installing the client software manually ..... 97
    Installing the Windows Password Reset Utility on a client computer ..... 98
    Deploying client installers using the command line ..... 99
    Where to find more information about deploying clients ..... 100

Section 3  Additional resources ..... 101

Chapter 7  Using the Symantec Endpoint Encryption Management Server Configuration Manager ..... 102
    About using the Symantec Endpoint Encryption Management Server Configuration Manager ..... 103
    Symantec Endpoint Encryption Management Server Configuration Manager - Database Configuration page ..... 103
    Symantec Endpoint Encryption Management Server Configuration Manager - Web Server Configuration page ..... 105
    Symantec Endpoint Encryption Management Server Configuration Manager - Active Directory Configuration page ..... 108
    Symantec Endpoint Encryption Management Server Configuration Manager - Active Directory Synchronization Service page ..... 109
    Symantec Endpoint Encryption Management Server Configuration Manager - Community Quality Program page ..... 111
    About Administrative Server Roles ..... 113
    Configuring Server Roles ..... 117
    Editing Server Roles ..... 119
    Disabling Server Roles ..... 119
    Symantec Endpoint Encryption Configuration Manager - Server Roles Configuration page ..... 120
    Symantec Endpoint Encryption Management Server Configuration Manager - Symantec Encryption Management Server page (optional) ..... 123

Chapter 8  Certificates and Token Software Settings ..... 125
    Using Symantec Endpoint Encryption authentication certificates ..... 125
    Using Removable Media Encryption certificates ..... 126
    Recommended token software configuration ..... 127

Chapter 9  Uninstalling Symantec Endpoint Encryption ..... 128
    Uninstalling the Symantec Endpoint Encryption Suite ..... 129
    About repairing or modifying the Symantec Endpoint Encryption Suite installation ..... 130
    About uninstalling the Symantec Endpoint Encryption client ..... 130
    About uninstalling the Symantec Endpoint Encryption client with a third-party tool ..... 131
    About uninstalling the Symantec Endpoint Encryption client software using Group Policy Objects ..... 132
    Uninstalling the Symantec Endpoint Encryption Client installation package using Group Policy Objects ..... 133
    Deploying uninstallation scripts using Group Policy Objects ..... 135
    Uninstalling the Symantec Endpoint Encryption client software using the Control Panel ..... 136
    Uninstalling the Symantec Endpoint Encryption client software using the command line ..... 137
    Uninstalling Symantec Endpoint Encryption for FileVault ..... 139

Index ..... 141
Section 1
Before installing Symantec Endpoint Encryption
■ Chapter 1. Introducing Symantec Endpoint Encryption
■ Chapter 2. Symantec Endpoint Encryption system requirements
■ Chapter 3. Symantec Endpoint Encryption prerequisite tasks
Chapter 1
Introducing Symantec Endpoint Encryption
This chapter includes the following topics:
■ About Symantec Endpoint Encryption
About Symantec Endpoint Encryption
Symantec™ Endpoint Encryption v11.1.1 provides full disk encryption, removable
media protection, and centralized management. Powered by PGP technology, the
drive encryption client renders data at rest inaccessible to unauthorized parties on
laptops and desktops. Removable Media Encryption functionality lets end users
move sensitive data onto USBs, external hard drives, and memory cards, while
centralized management includes compliance-based and customizable reporting
that lets administrators confirm that systems were protected if a loss or theft occurs.
Key Features:
■ Built PGP Strong – High performing, strong encryption, built with PGP Hybrid Cryptographic Optimizer (HCO) technology that utilizes AES-NI hardware within existing operating systems for even faster speeds.
■ Robust Reporting – Compliance-based reports and customizable reporting help ease the burden of proof for administrators to auditors and key stakeholders.
■ Automation – Individual and group policies and keys can be synched with Active Directory to help speed deployments and reduce the burden of administration.
■ DLP Integration – Blend Symantec’s market-leading Data Loss Prevention software with removable media encryption for an even stronger, user-friendly endpoint security solution.
For more information, see http://www.symantec.com/data-loss-prevention
Key Benefits:
■ User-Friendly – Initial encryption speed varies to allow users to continue working while encryption happens in the background, and single sign-on (SSO) means fewer passwords to remember
■ Flexibility – Support for multi-user and non-Active Directory environments
■ Transparent – Installation that is invisible to end users and includes automatic encryption
Chapter 2
Symantec Endpoint Encryption system requirements
This chapter includes the following topics:
■ Symantec Endpoint Encryption protocols and ports
■ Symantec Endpoint Encryption Management Server system requirements
■ Symantec Endpoint Encryption database system requirements
■ Management Console system requirements
■ Operating system requirements for Microsoft Windows clients
■ Software Requirements for Microsoft Windows clients
■ Hardware requirements for Microsoft Windows clients
■ Operating system requirements for Mac OS X clients
Symantec Endpoint Encryption protocols and ports
The following table identifies each protocol and port that is used by Symantec
Endpoint Encryption.
Table 2-1 Symantec Endpoint Encryption protocols and ports

Application layer protocol | Communication protocol | Purpose | Used by | Port
Group Policy Core Protocols | TCP/IP | Deliver and consume Group Policy Objects (GPOs) | Symantec Endpoint Encryption Client Computers; Management Console Computers | 445, 389
SOAP over Hypertext Transport Protocol (HTTP) | TCP/IP | Communicate between the clients and the server | Symantec Endpoint Encryption Client Computers; Symantec Endpoint Encryption Management Server | configurable
Lightweight Directory Access Protocol (LDAP) | TCP/IP | Query Active Directory and eDirectory directories | Symantec Endpoint Encryption Management Server | 389, 3268, or configurable
Tabular Data Stream (TDS) | TCP/IP | Communicate between the server and the database | Symantec Endpoint Encryption Management Server; Symantec Endpoint Encryption database; Management Console Computers | 1433, dynamically allocated, or configurable
Transport Layer Security (TLS) and/or Secure Sockets Layer (SSL) | TCP/IP | Optionally encrypt communications by layering these protocols on top of TDS, LDAP, and/or HTTP | Symantec Endpoint Encryption Management Server; Symantec Endpoint Encryption database; Management Console Computers; Symantec Endpoint Encryption Client Computers | 636, 3269, or configurable
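The following PowerShell script is an added example and is not part of this guide or of Symantec's product. Run from a Management Console or client computer, it checks that each endpoint in Table 2-1 accepts a TCP connection and that the ports meant to carry TLS (636 and 3269, plus the server's web port when it is configured for HTTPS) complete a TLS handshake and present a certificate whose chain validates on the local machine. The host names, the web port and the HTTPS flag are placeholders to replace.

```powershell
# Added example, not from the guide: reachability and TLS checks for the Table 2-1 endpoints.
$DomainController = 'dc01.example.local'      # placeholder: a domain controller / global catalog
$SqlServer        = 'sql01.example.local'     # placeholder: the SEE database server
$SeeServer        = 'seems01.example.local'   # placeholder: the SEE Management Server
$SeeWebPort       = 443                       # placeholder: the configurable port chosen for SOAP over HTTP(S)
$SeeWebUsesTls    = $true                     # placeholder: $true when the web port was configured for HTTPS

function Test-SeeEndpoint {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [int]    $Port,
        [string] $Purpose = '',
        [switch] $ExpectTls,
        [int]    $TimeoutMs = 3000
    )
    $result = [ordered]@{
        Target = "${ComputerName}:${Port}"; Purpose = $Purpose; Reachable = $false
        TlsOk = $null; Protocol = $null; CertSubject = $null; CertExpires = $null; ChainValid = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $result.Error = "no response within $TimeoutMs ms"
            return [pscustomobject]$result
        }
        $client.EndConnect($async)
        $result.Reachable = $true
        if ($ExpectTls) {
            # Accept any certificate during the handshake so that the chain can be reported afterwards;
            # the verdict comes from X509Certificate2.Verify() against the local trust store, not from here.
            $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $chain, $errors) $true }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
            $ssl.AuthenticateAsClient($ComputerName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
            $result.TlsOk       = $true
            $result.Protocol    = $ssl.SslProtocol.ToString()
            $result.CertSubject = $cert.Subject
            $result.CertExpires = $cert.NotAfter
            $result.ChainValid  = $cert.Verify()
            $ssl.Dispose()
        }
    } catch {
        # A reachable port that fails the handshake is a plaintext or misconfigured listener.
        if ($ExpectTls -and $result.Reachable) { $result.TlsOk = $false }
        $result.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    return [pscustomobject]$result
}

$checks = @(
    Test-SeeEndpoint -ComputerName $DomainController -Port 445  -Purpose 'Group Policy delivery (SMB)'
    Test-SeeEndpoint -ComputerName $DomainController -Port 389  -Purpose 'Group Policy / LDAP'
    Test-SeeEndpoint -ComputerName $DomainController -Port 3268 -Purpose 'LDAP global catalog'
    Test-SeeEndpoint -ComputerName $DomainController -Port 636  -Purpose 'LDAP over TLS'            -ExpectTls
    Test-SeeEndpoint -ComputerName $DomainController -Port 3269 -Purpose 'Global catalog over TLS'  -ExpectTls
    # TDS negotiates its optional TLS layer inside the TDS pre-login exchange, so only reachability is tested here.
    Test-SeeEndpoint -ComputerName $SqlServer        -Port 1433 -Purpose 'TDS to the SEE database'
    Test-SeeEndpoint -ComputerName $SeeServer        -Port $SeeWebPort -Purpose 'SOAP over HTTP(S) to the Management Server' -ExpectTls:$SeeWebUsesTls
)
$checks | Format-Table -AutoSize
```

A row with Reachable = True and TlsOk = False on 636 or 3269 means the directory is not offering TLS on that port, so the optional encryption layer from Table 2-1 is not in effect for LDAP queries.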
Symantec Endpoint Encryption Management Server system requirements
Symantec Endpoint Encryption requires one or more Active Directory domains to
host the Symantec Endpoint Encryption Management Server. You can also
synchronize Symantec Endpoint Encryption with Active Directory.
Supported operating systems
You can install Symantec Endpoint Encryption Management Server on the following
operating systems:
■ Microsoft Windows Server 2012 R2 Datacenter, with updates
■ Microsoft Windows Server 2012 R2 Standard, with updates
■ Microsoft Windows Server 2008 R2 Enterprise SP1
■ Microsoft Windows Server 2008 R2 Standard SP1
These operating systems are supported only with all of the latest hot fixes and
security patches from Microsoft.
For an updated list of system requirements for Symantec Endpoint Encryption
Management Server, see http://www.symantec.com/docs/INFO3168
.NET Framework Requirements
You must make sure that .NET is enabled before you can install the components.
The Symantec Endpoint Encryption Management Server requires .NET 4.5.x or
4.6.1.
Supported virtual computers
You can install Symantec Endpoint Encryption Management Server on the following
virtualized computers:
■ VMware ESXi 5.5
■ VMware ESXi 5.1
Supported cloud hosting services
As of version 11.1.1, you can install and host Symantec Endpoint Encryption
Management Server using Amazon Elastic Compute Cloud (Amazon EC2).
Minimum Hardware Requirements
Processor: 1.4 GHz Intel Pentium 4 or higher, or the equivalent. Symantec recommends that you use a 2.0 GHz or faster processor.
RAM: 1 GB. Symantec recommends that you increase the amount of memory as your database size grows.
Free disk space: 80 GB
Symantec Endpoint Encryption database system requirements
Microsoft SQL Server
The Symantec Endpoint Encryption database can reside on a dedicated database
server or on the Symantec Endpoint Encryption Management Server. Symantec
recommends that you install your database on a dedicated database server. If you
have located the instance on a dedicated database server, the database server
does not need to belong to an Active Directory domain.
Symantec recommends that you store the data file and log files on separate physical
disks. You should format the disk that stores the log files with the NTFS file system.
You can install the Symantec Endpoint Encryption database on either a physical
computer or a VMware ESXi 5.1 or VMware ESXi 5.5 virtual machine.
Table 2-2 Supported versions of Microsoft SQL Server

SQL Server Version | On the Symantec Endpoint Encryption Management Server | On a dedicated computer
SQL Server 2014 Enterprise (64-bit) | Yes | Yes
SQL Server 2014 Standard (64-bit) | Yes | Yes
SQL Server 2014 Express with Advanced Services (64-bit) | Yes | No
SQL Server 2012 Enterprise, SP1 (64-bit) | Yes | Yes
SQL Server 2012 Standard, SP1 (64-bit) | Yes | Yes
SQL Server 2012 Express with Advanced Services, SP1 (64-bit) | Yes | No
SQL Server 2008 R2 Enterprise, SP2 (64-bit) | Yes | Yes
SQL Server 2008 R2 Standard SP2 (64-bit) | Yes | Yes
SQL Server 2008 R2 Express with Advanced Services SP2 (64-bit) | Yes | No
SQL Server 2008 Enterprise, SP3 (64-bit) | Yes | Yes
Management Console system requirements
For an updated list of system requirements for Management Console, see
http://www.symantec.com/docs/INFO3169
The Management Console computer must be a member of an Active Directory
forest or domain.
The Management Console computer requires the Microsoft Remote Server
Administration Tools.
Note: These operating systems are supported only with all of the latest hot fixes
and security patches from Microsoft.
See “Installing prerequisite software on your Management Console” on page 43.
Symantec Endpoint Encryption supports the Management Console on the following
operating systems:
■ Microsoft Windows 10 Enterprise, with updates, 32-bit and 64-bit versions
■ Microsoft Windows 10 Pro, with updates, 32-bit and 64-bit versions
■ Microsoft Windows 10 Enterprise, 32-bit and 64-bit versions
■ Microsoft Windows 10 Pro, 32-bit and 64-bit versions
■ Microsoft Windows 8.1 Enterprise, with updates, 32-bit and 64-bit versions
■ Microsoft Windows 8.1 Pro, with updates, 32-bit and 64-bit versions
■ Microsoft Windows 8 Pro, 32-bit and 64-bit versions
■ Microsoft Windows 8 Enterprise, 32-bit and 64-bit versions
■ Microsoft Windows 7 Ultimate SP1, 32-bit and 64-bit versions
■ Microsoft Windows 7 Professional SP1, 32-bit and 64-bit versions
■ Microsoft Windows 7 Enterprise SP1, 32-bit and 64-bit versions
■ Microsoft Windows Server 2012 R2 Datacenter, 64-bit, with updates
■ Microsoft Windows Server 2012 R2 Standard, 64-bit, with updates
■ Microsoft Windows Server 2008 R2 Enterprise SP1, 64-bit
■ Microsoft Windows Server 2008 R2 Standard SP1, 64-bit
.NET Framework Requirements
You must make sure that .NET is enabled before you can install the components.
The Management Console requires .NET 4.5.x or 4.6.1.
Help Desk Recovery and Autologon require .NET 4.5.x or 4.6.1.
Operating system requirements for Microsoft Windows clients
The Microsoft Windows operating systems that are listed in this topic are supported
only with all of the latest hot fixes and security patches from Microsoft.
For information about supported Mac OS X operating systems for Removable Media
Access Utility, see Operating system requirements for Mac OS X clients.
Supported Microsoft Windows operating systems
Note: For an updated list of system requirements for clients including specific
supported Microsoft Service packs, updates, and the supported firmware interfaces
for Drive Encryption, see the article at: http://www.symantec.com/docs/INFO3170.
■ Microsoft Windows 10 Enterprise, with the November 2015 update
■ Microsoft Windows 10 Pro, with the November 2015 update
■ Microsoft Windows 10 Enterprise
■ Microsoft Windows 10 Pro
■ Microsoft Windows 8.1 Enterprise
■ Microsoft Windows 8.1 Pro
■ Microsoft Windows 8.1
■ Microsoft Windows 8 Enterprise
■ Microsoft Windows 8 Pro
■ Microsoft Windows 7 Ultimate
■ Microsoft Windows 7 Enterprise
■ Microsoft Windows 7 Professional
■ Microsoft Windows Server 2012 R2 Datacenter
■ Microsoft Windows Server 2012 R2 Standard
■ Microsoft Windows Server 2008 R2 Enterprise
■ Microsoft Windows Server 2008 R2 Standard
Notes:
■ For systems that boot in UEFI mode, if you have one of the following situations, see this Symantec Knowledge Base article about potential boot issues: http://www.symantec.com/docs/ALERT1923
  ■ You are installing a Symantec Endpoint Encryption 11 client on a system running Windows 10
  ■ You have the Symantec Endpoint Encryption 11 client installed on a system running Windows 7, 8, or 8.1 and you are upgrading to Windows 10
■ Starting with Symantec Endpoint Encryption 11.0.1, users are not required to install the Aero Desktop theme on Microsoft Windows Server 2008 R2 or Windows Server 2012 R2.
■ Symantec Endpoint Encryption Drive Encryption is not compatible with the Microsoft Windows BitLocker Drive Encryption feature and the Symantec Endpoint Encryption for BitLocker feature. Do not install both Drive Encryption and Symantec Endpoint Encryption for BitLocker on the same computer.
■ Symantec Endpoint Encryption does not support a client that you have configured for Dual Boot (when Microsoft Windows and Linux are both installed in BIOS mode).
Drive Encryption on Microsoft Windows Servers
Drive Encryption is supported on all of the client versions that are listed above as
well as the following Windows Server versions:
■ Microsoft Windows Server 2012 R2 Datacenter, 64-bit, with update, with internal RAID 1 and RAID 5 (UEFI and BIOS boot mode)
■ Microsoft Windows Server 2012 R2 Standard, 64-bit, with update, with internal RAID 1 (UEFI boot mode only)
■ Microsoft Windows Server 2008 R2 Standard SP1, 64-bit, with internal RAID 1 and RAID 5 (UEFI and BIOS boot mode)
■ Microsoft Windows Server 2008 R2 Enterprise SP1, 64-bit, with internal RAID 1 (BIOS boot mode only)
Note: Dynamic disks and software RAID are not supported.
Note: These operating systems are supported only with all of the latest hot fixes
and security patches from Microsoft.
Software Requirements for Microsoft Windows clients
.NET Framework requirements
Symantec Endpoint Encryption requires .NET 4.5.x.
Supported virtual machines
The Symantec Endpoint Encryption client software for Microsoft Windows supports
the following virtual servers:
■ VMware ESXi 5.1
■ VMware ESXi 5.5
■ VMware ESXi 6.0
Note: The Removable Media Encryption feature additionally supports VMware
vSphere.
Citrix, Terminal Services and Hypervisor compatibility
Symantec Endpoint Encryption supports the Management Agent feature with the
following terminal services software:
■ Microsoft Windows Server 2008 R2: Remote Desktop Services (SP1), 64-bit
■ Microsoft Windows Server 2012 R2, 64-bit with update
■ Citrix XenDesktop 7.1 and 7.6
■ Citrix XenServer 6.1 Hypervisor
■ VMware vSphere 5.5
Note: Symantec Endpoint Encryption does not support Drive Encryption in the Citrix
and Terminal Services environments.
Symantec Endpoint Encryption for BitLocker support for Trusted Platform Module (TPM)
Symantec Endpoint Encryption for BitLocker supports TPM version 1.2 and later.
Symantec Data Loss Prevention integration requirements
To integrate Removable Media Encryption with Symantec Data Loss Prevention,
the supported versions of Symantec Data Loss Prevention are 11.5.1, 12.5.x, and
14.0.1.
Note: Integration on Microsoft Windows 10 systems requires Symantec Data Loss
Prevention 14.0.1 or later.
Hardware requirements for Microsoft Windows clients
Supported disk types for Drive Encryption
Following are the supported disk types and file systems for Drive Encryption:
■ Desktop or laptop disks, including solid-state drives (either partitions or an entire disk)
■ Advanced format drives with 512-byte emulation mode (512e)
■ FAT32 and NTFS formatted disks or partitions
■ GPT boot disks on Microsoft Windows 8.x, Windows 10, and Windows Server 2012 (UEFI systems only)
Supported Opal v2-compliant drives for Drive Encryption
All systems must be running Windows 8 or greater and boot in UEFI mode.
The following two tables comprise the whitelist for Opal v2-compliant drives, listing:
■ Supported OEM vendors and computer models
■ Supported disk vendors and drive models
Table 2-3 Supported OEM vendors and computer models for Opal v2-compliant drives

OEM vendor | Computer model
Dell | All laptop models
HP | EliteBook 850 G2; EliteBook 8570p; EliteBook Folio 1040 G1; EliteBook Folio 1040 G2; ProBook 4540s
Lenovo | All laptop models
In addition to the computers listed in the table, any computer is supported that has
these required protocols:
■ ATA_Passthru
■ Secure Storage
Table 2-4 Supported drive vendors and models for Opal v2-compliant drives

Vendor | Drive model | Firmware
Intel | SSDSC2BF | LTVI
Intel | SSDSC2BF | LUDI
Intel | SSDSC2BF | TG20
Intel | SSDSC2BF120A5 | TG20
Intel | SSDSC2BF180A5L | LTVI
Intel | SSDSC2BF180A5L | LUDI
Kingston | SKC300S | 600ABBF0
Micron | M600_MTFD | LN01
Micron | M600_MTFD | MU03
Micron | MTFDDAV | M1T4
Micron | MTFDDAV256MAZ | *
MT (Micron) | M600_MTFD | LN01
MT (Micron) | M600_MTFD | MU03
MT (Micron) | MTFDDAV | (firmware not given in the source)
MT (Micron) | MTFDDAV256MAZ | *
Samsung | Samsung_SSD_840_EVO_120GB_mSATA | EXT41B6Q
Samsung | SSD_840_EVO | EXT0
Samsung | SSD_840_EVO | EXT41B6Q
Samsung | SSD_850_EVO | EMT01B6Q
Samsung | SSD_850_EVO | EMT21B6Q
Samsung | SSD_850_EVO | EMT4
Samsung | SSD_850_EVO_250G | EMT01B6Q
Samsung | SSD_850_EVO_M.2 | EMT21B6Q
Samsung | SSD_850_PRO_256G | EXM02B6Q
Sandisk | SanDisk_SD7UB3Q128G1122 | X2180300
Sandisk | SanDisk_SD7UB3Q256G1122 | X2170300
Sandisk | SD7TB3Q | X2180306
Sandisk | SD7TB3Q-256G-100 | X2180306
Sandisk | SD7UB3Q | X2170300
Sandisk | SD7UB3Q | X2180300
ST (Seagate) | ST500LM020-1G116 | SM73
ST (Seagate) | ST500LM020-1G1162 | SM73

* = any firmware
For an Opal v2-compliant drive to be hardware encrypted:
■
The drive must appear on the whitelist, and
■
Drive Encryption must be able to provision the drive in Global Range Mode, if
it is not in Single User Mode.
Otherwise, the drive is software encrypted.
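The two conditions above (whitelisted drive, provisionable in Global Range Mode) decide at deployment time whether a client ends up hardware or software encrypted. The following PowerShell pre-check is an added example and is not part of the Symantec guide or product; it tests the preconditions this section states (Windows 8 or later, UEFI boot, a GPT boot disk, and a drive model/firmware that appears in Table 2-4) so that a fleet can be triaged before the client package is rolled out. The whitelist hashtable is a transcription of Table 2-4; matching is a prefix match on the model and firmware strings after spaces are normalized to underscores, which is an assumption about how Windows reports the same drives that the table lists in truncated form. Whether the drive can actually be provisioned in Global Range Mode can only be determined by Drive Encryption itself, so the script reports an expectation, not a guarantee.

```powershell
# Added example, not part of the Symantec guide. Pre-deployment check of the
# preconditions for Opal v2 hardware encryption. Assumptions: $OpalWhitelist is
# a transcription of Table 2-4; model/firmware matching is a prefix match after
# spaces are replaced with underscores; requires Windows 8 / Server 2012 or
# later (Get-Disk, Get-PhysicalDisk, $env:firmware_type). Run elevated.

$OpalWhitelist = @(
    @{ Vendor = 'Intel';    Model = 'SSDSC2BF';                        Firmware = @('LTVI', 'LUDI', 'TG20') }
    @{ Vendor = 'Kingston'; Model = 'SKC300S';                         Firmware = @('600ABBF0') }
    @{ Vendor = 'Micron';   Model = 'M600_MTFD';                       Firmware = @('LN01', 'MU03') }
    @{ Vendor = 'Micron';   Model = 'MTFDDAV';                         Firmware = @('M1T4') }
    @{ Vendor = 'Micron';   Model = 'MTFDDAV256MAZ';                   Firmware = @('*') }
    @{ Vendor = 'Samsung';  Model = 'Samsung_SSD_840_EVO_120GB_mSATA'; Firmware = @('EXT41B6Q') }
    @{ Vendor = 'Samsung';  Model = 'SSD_840_EVO';                     Firmware = @('EXT0', 'EXT41B6Q') }
    @{ Vendor = 'Samsung';  Model = 'SSD_850_EVO';                     Firmware = @('EMT01B6Q', 'EMT21B6Q', 'EMT4') }
    @{ Vendor = 'Samsung';  Model = 'SSD_850_PRO_256G';                Firmware = @('EXM02B6Q') }
    @{ Vendor = 'SanDisk';  Model = 'SanDisk_SD7UB3Q128G1122';         Firmware = @('X2180300') }
    @{ Vendor = 'SanDisk';  Model = 'SanDisk_SD7UB3Q256G1122';         Firmware = @('X2170300') }
    @{ Vendor = 'SanDisk';  Model = 'SD7TB3Q';                         Firmware = @('X2180306') }
    @{ Vendor = 'SanDisk';  Model = 'SD7UB3Q';                         Firmware = @('X2170300', 'X2180300') }
    @{ Vendor = 'Seagate';  Model = 'ST500LM020-1G116';                Firmware = @('SM73') }
)

function Get-ModelKey([string]$s) {
    # "Samsung SSD 850 EVO 250GB" -> "Samsung_SSD_850_EVO_250GB", the underscore form used in Table 2-4
    return ($s.Trim() -replace '\s+', '_')
}

function Find-OpalWhitelistEntry([string]$Model, [string]$Firmware) {
    $m = Get-ModelKey $Model
    foreach ($e in $OpalWhitelist) {
        if (-not $m.StartsWith($e.Model, [StringComparison]::OrdinalIgnoreCase)) { continue }
        foreach ($fw in $e.Firmware) {
            # '*' in the table means any firmware
            if ($fw -eq '*' -or $Firmware.Trim().StartsWith($fw, [StringComparison]::OrdinalIgnoreCase)) {
                return $e
            }
        }
    }
    return $null
}

function Test-OpalHardwareEncryptionPrerequisites {
    $os = [Environment]::OSVersion.Version
    $bootDisk = Get-Disk | Where-Object { $_.IsBoot }
    # Get-Disk .Number and Get-PhysicalDisk .DeviceId refer to the same disk index
    $phys = Get-PhysicalDisk | Where-Object { [int]$_.DeviceId -eq $bootDisk.Number }
    $model = if ($phys.Model) { $phys.Model } else { $phys.FriendlyName }   # Model is empty on some OS builds
    $entry = Find-OpalWhitelistEntry -Model ([string]$model) -Firmware ([string]$phys.FirmwareVersion)

    $checks = [ordered]@{
        WindowsVersionOk = ($os.Major -gt 6) -or ($os.Major -eq 6 -and $os.Minor -ge 2)   # 6.2 = Windows 8
        UefiBoot         = ($env:firmware_type -eq 'UEFI')   # Windows 8+ sets 'UEFI' or 'Legacy'
        GptBootDisk      = ($bootDisk.PartitionStyle -eq 'GPT')
        BootDiskModel    = [string]$model
        BootDiskFirmware = [string]$phys.FirmwareVersion
        OnWhitelist      = ($null -ne $entry)
        WhitelistVendor  = if ($entry) { $entry.Vendor } else { '' }
    }
    # Global Range Mode provisioning is decided by Drive Encryption at install time and is not checked here.
    $checks.ExpectHardwareEncryption = $checks.WindowsVersionOk -and $checks.UefiBoot -and
                                       $checks.GptBootDisk -and $checks.OnWhitelist
    return [pscustomobject]$checks
}

Test-OpalHardwareEncryptionPrerequisites | Format-List
```

A machine that reports ExpectHardwareEncryption = False will still be protected, but by software encryption, exactly as the text says; the value of running the check first is that you know which population to expect in your reports before anyone asks why two identical laptop models encrypt at different speeds.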
Compatible Microsoft eDrive-support Opal v2-compliant drives
for Drive Encryption
All systems must be running Windows 8 or greater and boot in UEFI mode.
The following two tables comprise the whitelist for Microsoft eDrive support - Opal
v2-compliant drives, listing:
■
Supported OEM vendors and computer models
■
Supported disk vendors and drive models
Table 2-5 Supported OEM vendors and computer models for Microsoft eDrive-support Opal v2-compliant drives

OEM vendor   Computer model
Lenovo       ThinkPad T540p
             ThinkPad W540
             ThinkPad X240

Table 2-6 Supported disk vendors and drive models for Microsoft eDrive-support Opal v2-compliant drives

Vendor    Drive model          Firmware
Intel     SSD_Pro_2500         *
Samsung   SSD_840_EVO_mSATA    *

* All firmware is automatically supported for Microsoft eDrive support - Opal v2-compliant drives.
For a Microsoft eDrive-support Opal v2-compliant drive to be hardware encrypted:
■
The drive must appear on the whitelist, and
■
Default partitions must be created during a default Microsoft Windows installation.
When multiple partitions exist on a drive, the number of ranges must be properly
mapped with the number of partitions.
Otherwise, the drive is software encrypted.
Unsupported disk types for Drive Encryption
Following are the unsupported disk types and file systems for Drive Encryption:
■
Any configuration where the system partition is not on the same disk as the boot
partition
■
Native mode advanced format drives
■
Dynamic disks
■
SCSI drives and controllers
■
Software RAID disks
■
exFAT formatted disks
■
Resilient File System (ReFS)
Smart card support for preboot authentication
Symantec Endpoint Encryption supports the following for preboot authentication
on both BIOS and UEFI systems:
Smart card readers:
■
Any generic USB CCID-compatible readers that you connect to a USB port.
Personal Identity Verification (PIV) cards:
■
G&D Sm@rtCafé Expert 144K DI v3.2
■
G&D Sm@rtCafé Expert 80K DI v3.2
■
Gemalto Cyberflex Access 64K v2c
■
Gemalto ID Prime .NET
■
Gemalto TOP DL GX4 144K FIPS
■
HID Global Crescendo JCOP 21 version 2.4.1 R2 64K
■
Oberthur 64K CosmopolIC v5.2
■
Oberthur CS PIV End Point v1.08 FIPS201 Certified
■
Oberthur ID-One Cosmo 128 v5.5 Dual
■
Oberthur ID-One Cosmo v7.0
On UEFI systems, Symantec Endpoint Encryption requires the following smart card
firmware:
■
AMI
■
HPQ
Note: If you have issues with any of the cards listed, refer to the following Symantec
Knowledge Base article:
http://www.symantec.com/docs/TECH222272
Supported media types for Removable Media Encryption
Following are the supported media types for Removable Media Encryption:
■
USB flash drives
■
USB external hard drives
■
FireWire external hard drives
■
eSATA external hard drives
■
Secure Digital (SD) cards and memory cards
■
CompactFlash cards
■
NTFS drives that are compressed
■
CD-RW, DVD-RW, and Blu-Ray
Unsupported media types for Removable Media Encryption
Following are the unsupported media types for Removable Media Encryption:
■
Music devices and digital cameras
■
Diskettes
Microsoft BitLocker hardware encryption on self-encrypting
drives
Symantec Endpoint Encryption for BitLocker has not been tested or certified for
BitLocker hardware encryption using self-encrypting drives.
Tablet support
Symantec Endpoint Encryption supports Microsoft Surface Pro 3 systems that have
an external Type or Touch keyboard.
Note: The external Type or Touch keyboard is required for preboot authentication
on the tablet. The keyboard can be detached once the user authenticates.
Note: You must disable BitLocker to use the Drive Encryption functionality on tablet
computers. Alternatively, you can use the Symantec Endpoint Encryption for
BitLocker feature instead of the Drive Encryption feature.
Operating system requirements for Mac OS X clients
Requirements for Symantec Endpoint Encryption for FileVault
You can install Symantec Endpoint Encryption for FileVault on Macintosh computers
running the following versions of Mac OS X operating systems:
■
Mac OS X 10.9, 10.9.1, 10.9.2, 10.9.3, 10.9.4, 10.9.5
■
Mac OS X 10.10, 10.10.1, 10.10.2, 10.10.3, 10.10.4, 10.10.5
■
Mac OS X 10.11
Requirements for the Removable Media Access Utility
The Removable Media Access Utility is supported on the following Mac OS X
platforms:
■
Mac OS X 10.11.4
■
Mac OS X 10.11
■
Mac OS X 10.10.5
■
Mac OS X 10.10.4
■
Mac OS X 10.10
■
Mac OS X 10.9.5
■
Mac OS X 10.9.4
■
Mac OS X 10.9.3
■
Mac OS X 10.9.2
■
Mac OS X 10.9.1
■
Mac OS X 10.9
Note: For information about the supported Microsoft Windows platforms for
Removable Media Access Utility, see Operating system requirements for Microsoft
Windows clients.
Chapter 3
Symantec Endpoint Encryption prerequisite tasks
This chapter includes the following topics:
■
Accounts required by Symantec Endpoint Encryption
■
Setting up the rights for the database access account
■
About Symantec's Community Quality Program
■
Best practices for Microsoft SQL Server database logons
■
Roles required by Symantec Endpoint Encryption
■
About the Management Password
■
Symantec Endpoint Encryption .NET requirements
■
Symantec Endpoint Encryption Microsoft SQL Server Feature Pack requirements
■
Enabling the prerequisite server roles, features, and tools for the Symantec
Endpoint Encryption Management Server
■
About configuring TLS/SSL communications for Symantec Endpoint Encryption
■
Installing prerequisite software on your Management Console
Accounts required by Symantec Endpoint Encryption
Symantec Endpoint Encryption requires the following accounts:
Table 3-1 Accounts of Symantec Endpoint Encryption

Database creation account
You must have an account that can access Microsoft SQL Server so that you can
install and configure the Symantec Endpoint Encryption Management Server. You
can either use a Microsoft Windows domain account or a Microsoft SQL account.
If you use a Microsoft Windows domain account, it must have local administrator
rights on the Symantec Endpoint Encryption Management Server computer.
If you use Microsoft SQL authentication, Symantec Endpoint Encryption uses this
account to create and configure the Symantec Endpoint Encryption Management
Server database during installation. Symantec Endpoint Encryption does not store
the credentials for this Microsoft SQL account.
The account login requires the following server roles:
■ public
■ sysadmin

Database access account
The database access account is used by the Symantec Endpoint Encryption Services
web site (web service) to interact with the Symantec Endpoint Encryption database.
The Configuration Manager also uses this account.
You can either use Microsoft Windows authentication or Microsoft SQL
authentication. Symantec recommends that you use Microsoft Windows authentication
for your database access account.
If you use Microsoft Windows authentication, you must provide an existing Microsoft
Windows domain account. It should not be an administrator. It does require
privileges on the database, the registry, and the file system.
If you use Microsoft Windows authentication for the database access account, the
account is also used as the logon account for the AD Synchronization service.
If the login that you specify for your database access account does not exist, the
installer creates and configures the login and the corresponding database user.
If the login already exists, you have the option to use it. The installer then creates
and configures the corresponding database user for you.
The database access account requires the following database roles:
■ db_datareader
■ db_datawriter
■ public
The installer also grants the database access account Execute permission.
See "Setting up the rights for the database access account" on page 33.

IIS client authentication account
Each client computer shares a single domain user account. It uses this account
for basic authentication to IIS on the Symantec Endpoint Encryption Management
Server. The IIS client authentication account is a regular domain user account
and does not require specific privileges.

Policy Administrator account
Policy Administrators require read-write access to the Symantec Endpoint
Encryption database. You can use either a Microsoft Windows or a Microsoft SQL
account. This account lets the Policy Administrator use the snap-ins of the
Management Console.
If you choose to use a Microsoft Windows account for database access, you can
create a Policy Administrators group to make administration easier.

Active Directory synchronization account
Synchronization with Active Directory requires a domain account. The Active
Directory synchronization service uses this account to bind to Active Directory.
You may need to extend the account's privileges to include read permissions to
the deleted objects container in Active Directory.
Note: When you install, if you select the option to use an existing database, make
sure that the database access account (Windows/SQL) conforms to the roles and
permissions that are specified above. If it does not, then you must manually provision
the account.
Setting up the rights for the database access account
If you plan to use Microsoft Windows authentication with your SQL Server instance,
you must provision a Microsoft Windows domain account before you install the
Symantec Endpoint Encryption Management Server. If you use Microsoft SQL
authentication, the installer automatically assigns these rights.
See “Accounts required by Symantec Endpoint Encryption” on page 30.
To set up the rights for the database access account:
1
Give the account read and write access to this registry folder:
HKLM\Software\Symantec\Endpoint Encryption.
2
Give the account read and write access to the log directory. By default the log
is stored at:
C:\Program Files (x86)\Symantec\Symantec Endpoint Encryption
Management Server\Services\Logs
3
Add the Microsoft Windows account in SQL Server login accounts and map it
to the Symantec Endpoint Encryption database. It requires the db_datareader,
db_datawriter, and public roles on the Symantec Endpoint Encryption
database.
4
When you run the installer, in the Database Configuration tab you specify
the Symantec Endpoint Encryption Management Server account's user name
and password for database access through Windows Authentication.
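The four steps above are a least-privilege provisioning procedure: the account gets exactly the registry key, the log directory, and the three database roles the web service needs, and nothing else. The following PowerShell script is an added example, not part of the Symantec guide or installer; it applies steps 1 to 3 and then reads the role membership back so that a drifted or hand-edited account fails loudly. The account name, instance name, and database name are placeholders (SEEMSDb is the database name that appears in the Community Quality Program credential table later in this chapter); the SQL part assumes the database already exists, which is the existing-database case that the note above describes, and that Invoke-Sqlcmd is available from the SQLPS module that ships with SQL Server.

```powershell
# Added example, not part of the Symantec guide. Provisions the rights for a
# Windows-authenticated database access account (steps 1 to 3) and verifies
# the role membership. Assumptions: $Account, $SqlInstance and $Database are
# placeholders; the database exists already; Invoke-Sqlcmd comes from SQLPS.
# Run elevated on the Management Server, with a SQL login that holds sysadmin.

$Account      = 'CORP\svc-see-db'          # a plain domain account, not an administrator
$SqlInstance  = 'SQL01\SEE'
$Database     = 'SEEMSDb'
$RegistryKey  = 'HKLM:\Software\Symantec\Endpoint Encryption'
$LogDirectory = Join-Path ${env:ProgramFiles(x86)} 'Symantec\Symantec Endpoint Encryption Management Server\Services\Logs'

# Step 1: read and write access to the registry key (created here if the installer has not run yet).
if (-not (Test-Path $RegistryKey)) { New-Item -Path $RegistryKey -Force | Out-Null }
$acl  = Get-Acl -Path $RegistryKey
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $Account, 'ReadKey, WriteKey', 'ContainerInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $RegistryKey -AclObject $acl

# Step 2: read and write access to the log directory, inherited by the log files created later.
if (-not (Test-Path $LogDirectory)) { New-Item -Path $LogDirectory -ItemType Directory -Force | Out-Null }
$acl  = Get-Acl -Path $LogDirectory
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, 'Read, Write', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $LogDirectory -AclObject $acl

# Step 3: Windows login, database user, the two explicit roles, and the EXECUTE grant the installer adds.
# (Every database user is a member of public; it never has to be granted.)
if (-not (Get-Command Invoke-Sqlcmd -ErrorAction SilentlyContinue)) { Import-Module SQLPS -DisableNameChecking }
$provision = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Account')
    CREATE LOGIN [$Account] FROM WINDOWS;
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Account')
    CREATE USER [$Account] FOR LOGIN [$Account];
EXEC sp_addrolemember N'db_datareader', N'$Account';
EXEC sp_addrolemember N'db_datawriter', N'$Account';
GRANT EXECUTE TO [$Account];
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $provision

# Verification: list the roles the user actually holds and fail if either required role is absent.
function Get-DatabaseRoles([string]$ServerInstance, [string]$Db, [string]$UserName) {
    $q = @"
SELECT r.name AS role_name
FROM sys.database_role_members m
JOIN sys.database_principals r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals u ON u.principal_id = m.member_principal_id
WHERE u.name = N'$UserName';
"@
    return @(Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Db -Query $q | ForEach-Object { $_.role_name })
}

$roles   = Get-DatabaseRoles $SqlInstance $Database $Account
$missing = @('db_datareader', 'db_datawriter') | Where-Object { $roles -notcontains $_ }
if ($missing) { throw "Database access account is missing roles: $($missing -join ', ')" }
"OK: $Account holds $($roles -join ', ') on $Database"
```

Note what the script deliberately does not do: it does not add the account to any server role, it does not grant db_owner, and it grants Modify on nothing. If the role check at the end reports sysadmin or db_owner for this account, someone has widened it beyond what the web service requires, and that is the account an attacker who compromises the IIS worker process would inherit.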
About Symantec's Community Quality Program
Symantec Endpoint Encryption offers the Symantec Community Quality Program.
This program submits anonymous system and product information about how you
use this product to Symantec. Involvement in the program is optional. You opt in
to the program using the Symantec Endpoint Encryption Management Server
Configuration Manager.
About the Microsoft SQL Server credential for the Community
Quality Program
Microsoft SQL Server credentials are required to support program participation.
During an installation or upgrade to Symantec Endpoint Encryption 11.1.1, Symantec
Endpoint Encryption creates a Microsoft SQL Server credential. This credential has
minimal access to the Symantec Endpoint Encryption database.
The Community Quality Program requires mixed-mode authentication to your
Microsoft SQL Server database server.
Detailed information about this credential is as follows:

Element                Access
Logon access           SEEMSDb
Module access          Specific to the Community Quality Program module
User account name      see_telemetry_user
                       Note: This credential is used when you opt in to the program.
                       If the account name already exists in Microsoft SQL Server,
                       digits are appended to distinguish individual account names.
EXECUTE access         To the following telemetry stored procedures:
                       ■ Telemetry_AdminActivity
                       ■ Telemetry_BacklogItems
                       ■ Telemetry_ClientDataByOS
                       ■ Telemetry_ClientDataByVer
                       ■ Telemetry_ClientEvent
                       ■ Telemetry_PurgeBacklogItems
                       ■ Telemetry_QueryConfigServer
                       ■ Telemetry_ServerDeployment
SELECT, INSERT,        To the TelemetryBacklog database table
UPDATE, DELETE,
ALTER access
INSERT access          To the GEMSEventLog database table
About the Community Quality Program in a server cluster
environment
The Community Quality Program can operate in a deployment that uses server
clusters.
However, within the server cluster, only one of the servers can have the Telemetry
module sending statistics to the Symantec Central Telemetry server. That server
is the server on which you most recently opted in to the program from the
Configuration Manager.
If you uninstall servers from a cluster, make sure your preference is preserved by
launching the Configuration Manager on an active Symantec Endpoint Encryption
Management Server.
For more information on the Community Quality Program, see the following:
■
For information about the Community Quality Program page in the Symantec
Endpoint Encryption Management Server Configuration Manager, see:
See “Symantec Endpoint Encryption Management Server Configuration Manager
- Community Quality Program page” on page 111.
■
For information about troubleshooting telemetry settings, see:
http://www.symantec.com/docs/HOWTO110233
Best practices for Microsoft SQL Server database
logons
Symantec recommends the following best practices for Microsoft SQL Server
database logons:
■
Create and use an Active Directory account (Microsoft Windows authentication)
for access to Microsoft SQL Server; do not use SQL Server credentials.
■
Restrict access on the Microsoft SQL Server database to the minimum number
of users that require access to the Management Console.
■
Computers where you install the Management Console should run an industry
standard security profile.
Roles required by Symantec Endpoint Encryption
Symantec Endpoint Encryption requires the following roles:
The policy administrator role
The policy administrator uses the Management Console for centralized administration
of Symantec Endpoint Encryption.
Policy administrators use a Microsoft Windows account to log on to their computer.
Microsoft Windows and Microsoft SQL Server maintain the policy administrator’s
account privileges. Symantec Endpoint Encryption does not manage these accounts.
You can use Microsoft Windows privileges to restrict access to snap-ins of the
Management Console to specific policy administrators.
Policy administrators require access privileges to the Symantec Endpoint Encryption
database.
Policy administrators can do the following:
■
Update and set client policies.
■
Issue the commands to encrypt or decrypt the client computers.
■
Run the reports.
■
Change the Management Password.
■
Run the Help Desk Recovery.
The client administrator role
Client administrators provide local support to Symantec Endpoint Encryption users.
You manage client administrator accounts from the Management Console. Symantec
Endpoint Encryption manages the client administrator accounts. It manages them
independent of operating system or directory service so that client administrators
can support a wide range of users. Client administrators authenticate with a
password. You manage the password from the Management Console. This
single-source password management lets your client administrators remember only
one password as they move among many client computers.
Client computers must have one default client administrator account. Client
administrators can perform hard disk recovery. You can have up to 1024 total client
administrator accounts on a client computer. These client administrators are counted
separately from the 1024 registered users. If a policy has more than 1024 client
administrators, the client registers only the first 1024 client administrators in
the policy.
Client administrators can always authenticate to client computers and can always
initiate encryption. You should trust client administrators according to their assigned
level of privilege.
The user role
Drive Encryption protects the data on the client computer. It requires valid credentials
before it allows the operating system to load. Users set their Symantec Endpoint
Encryption credentials. The credentials let them power on the computer and access
the operating system. Drive Encryption only accepts the credentials of registered
users and client administrators.
The client requires at least one user to register with Symantec Endpoint Encryption.
You can configure the registration process to occur without user intervention. When
you create an installation package, you can allow up to a maximum of 1024 users
per computer. You can manage your users through policies.
Do not define users as local administrators or give users local administrative
privileges.
About the Management Password
The Management Password is an important part of installing and upgrading
Symantec Endpoint Encryption. If you do not already have a Management Password,
you are prompted to create one when you install Symantec Endpoint Encryption
Management Server 11.1.1 for the first time. When you set the Management
Password, it is encrypted and stored in the Symantec Endpoint Encryption database.
You can change the Management Password at any time after installation, in the
Management Console.
You are required to enter the Management Password to:
■
Install and upgrade Symantec Endpoint Encryption Management Server
■
Install and upgrade the Management Console
■
Access the Help Desk Recovery snap-in in the Management Console
■
Create the Autologon Utility installation package
■
Create the Windows Password Reset Utility installation package
Do not lose your Management Password. Symantec cannot recover this password
if it is lost. If you lose your Management Password you must reinstall the
Management Server.
Symantec recommends that you protect and store your Management Password in
a safe location. You should establish a protocol within your organization for all
Management Password changes. Use this protocol to prevent situations where
multiple administrators could inadvertently change the Management Password and
prevent other administrators from accessing the functions that they require.
Symantec Endpoint Encryption .NET requirements
Symantec Endpoint Encryption requires you to enable .NET version 4.5.x or 4.6.1
before you can install the components.
For more information about enabling .NET, see http://msdn.microsoft.com/en-US/
Symantec Endpoint Encryption Microsoft SQL Server
Feature Pack requirements
Symantec Endpoint Encryption requires the following components of the Microsoft
SQL Server Feature Pack:
■ Microsoft System CLR Types version 10.3.5500.0 or later for SQL Server 2008
(32-bit)
■ Microsoft SQL Server 2008 (32-bit) Management Objects version 10.3.5500.0
or later
Download the Microsoft SQL Server Feature Pack from:
https://www.microsoft.com/en-in/download/details.aspx?id=26728
Enabling the prerequisite server roles, features, and
tools for the Symantec Endpoint Encryption
Management Server
You must enable the prerequisite server roles, features, and tools to install Symantec
Endpoint Encryption. Do not attempt to install until you complete the steps in this
topic.
On Microsoft Windows Server 2012
To enable the Web Server (IIS) role on Microsoft Windows Server 2012:
1
Go to Start > Programs > Administrative Tools > Server Manager.
2
In the Dashboard, click Add roles and features.
3
In the Add Roles and Features Wizard, click Next.
4
In the Installation Type page, click Role-based or feature-based installation
and then click Next.
5
In the Server Selection page, make the selection that matches your
environment and then choose your server and click Next.
6
In the Server Roles page, select Web Server (IIS).
7
In the Add Roles and Features Wizard window, click Include management
tools and then click Add Features.
8
Click Next.
9
In the Features page, expand .NET Framework 4.5 Features and check .NET
Framework 4.5 and ASP.NET 4.5.
10 In the Features page, check Group Policy Management.
11 In the Features page, expand Remote Server Administration Tools > Role
Administration Tools and check AD DS and AD LDS Tools.
12 Click Next.
13 In the Web Server Role (IIS) page, click Next.
14 In the Role Services page, expand Web Server > Security and select Basic
Authentication and Windows Authentication.
15 In the Role Services page, expand Web Server > Application Development
and check the following:
■
.NET Extensibility 4.5
■
ASP .NET 4.5
■
ISAPI Extensions
■
ISAPI Filters
16 In the Role Services page, expand Management Tools and check the
following:
■
IIS Management Console
■
IIS 6 Management Compatibility (check all four entries)
■
IIS Management Scripts and Tools
17 Click Next.
18 In the Confirmation page, click Install.
19 In the Results page, click Close.
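The 19 wizard steps above select a fixed set of roles, role services, and features, which is exactly the kind of configuration that should be scripted so that every Management Server is built identically and can be re-verified later. The following PowerShell is an added example, not part of the Symantec guide; it installs the same selections with the Server Manager cmdlets on Windows Server 2012 and then checks that nothing was left in a state other than Installed. It assumes an elevated session on the future Management Server; the feature names are the Server 2012 names that Get-WindowsFeature reports, mapped to the wizard steps in the comments.

```powershell
# Added example, not part of the Symantec guide. Installs the roles, role
# services and features selected in the Windows Server 2012 wizard procedure
# above, then verifies the result. Assumption: run elevated on Windows Server
# 2012 (Server Manager module present).

$Features = @(
    'Web-Server'               # Web Server (IIS) role (step 6)
    'NET-Framework-45-Core'    # .NET Framework 4.5 Features > .NET Framework 4.5 (step 9)
    'NET-Framework-45-ASPNET'  # .NET Framework 4.5 Features > ASP.NET 4.5 (step 9)
    'GPMC'                     # Group Policy Management (step 10)
    'RSAT-ADDS'                # Remote Server Administration Tools > AD DS Tools (step 11)
    'RSAT-ADLDS'               # Remote Server Administration Tools > AD LDS Snap-Ins and Command-Line Tools (step 11)
    'Web-Basic-Auth'           # Web Server > Security > Basic Authentication (step 14)
    'Web-Windows-Auth'         # Web Server > Security > Windows Authentication (step 14)
    'Web-Net-Ext45'            # Application Development > .NET Extensibility 4.5 (step 15)
    'Web-Asp-Net45'            # Application Development > ASP.NET 4.5 (step 15)
    'Web-ISAPI-Ext'            # Application Development > ISAPI Extensions (step 15)
    'Web-ISAPI-Filter'         # Application Development > ISAPI Filters (step 15)
    'Web-Mgmt-Console'         # Management Tools > IIS Management Console (step 16)
    'Web-Mgmt-Compat'          # Management Tools > IIS 6 Management Compatibility, all four entries (step 16):
    'Web-Metabase'             #   IIS 6 Metabase Compatibility
    'Web-Lgcy-Mgmt-Console'    #   IIS 6 Management Console
    'Web-Lgcy-Scripting'       #   IIS 6 Scripting Tools
    'Web-WMI'                  #   IIS 6 WMI Compatibility
    'Web-Scripting-Tools'      # Management Tools > IIS Management Scripts and Tools (step 16)
)

Import-Module ServerManager
# -IncludeManagementTools is the cmdlet equivalent of the "Include management tools" prompt in step 7.
$result = Install-WindowsFeature -Name $Features -IncludeManagementTools

function Get-MissingFeature([string[]]$Names) {
    # Returns the names whose InstallState is anything other than Installed (Available, Removed, InstallPending).
    return @(Get-WindowsFeature -Name $Names |
             Where-Object { $_.InstallState -ne 'Installed' } |
             ForEach-Object { $_.Name })
}

$missing = Get-MissingFeature $Features
if ($missing.Count -gt 0) { throw "Not installed: $($missing -join ', ')" }
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before you install Symantec Endpoint Encryption Management Server.'
}
"All prerequisite roles, role services, and features are installed."
```

Run Get-MissingFeature again after patching or after anyone "tidies up" the server: Basic Authentication and Windows Authentication are the two role services most often removed by hardening scripts, and both are needed because the clients authenticate to IIS with the shared IIS client authentication account described in Table 3-1.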
On Microsoft Windows Server 2008
To enable the web server (IIS) server role and role services on Microsoft Windows
Server 2008:
1
Click Start > Administrative Tools > Server Manager.
2
In the left pane of the Server Manager snap-in, right-click Roles and click Add
roles.
3
On the welcome page of the Add Roles Wizard, click Next.
4
On the Select Server Roles page, select Web Server (IIS).
5
Click Next and then click Next again.
6
On the Select Role Services page, go to Web Server > Application
Development and click ASP.NET.
7
On the Add role services and features required for ASP.NET dialog box,
click Add Required Role Services. Selecting this option also automatically
selects .NET Extensibility, ISAPI Extensions, and ISAPI Filters.
8
Expand the Security option and then click Basic Authentication and Windows
Authentication.
9
Expand Management Tools and check IIS Management Scripts and Tools.
Check IIS 6 Management Compatibility. Make sure all the components under
Management Compatibility are also checked.
10 Click Next and then click Install.
11 After the Add Roles Wizard indicates that the installation is successful, click
Close.
12 In the left pane of the Server Manager snap-in, right-click Features and click
Add features.
13 In the Select Features window, select .NET Framework 4.5 features.
14 Select Group Policy Management.
15 Expand Remote Server Administration Tools > Role Administration Tools
and select AD DS and AD LDS Tools.
16 Click Next and then click Install.
17 After the Add Features Wizard indicates that the installation is successful,
click Close.
About configuring TLS/SSL communications for
Symantec Endpoint Encryption
Symantec Endpoint Encryption supports secure communications using TLS/SSL.
The specifics of how you have set up TLS/SSL are dependent on your specific
environment. This section assumes that you are familiar with how your organization
has implemented TLS/SSL. This section lists the requirements that Symantec
Endpoint Encryption has for TLS/SSL communications in addition to your unique
implementation.
About securing communications between the Symantec
Endpoint Encryption Management Server and client computers
You can use TLS/SSL communications to secure the traffic between your client
computers and the Symantec Endpoint Encryption Management Server. To use
TLS/SSL, you must provide a server-side TLS/SSL certificate on the Symantec
Endpoint Encryption Management Server. You must also provide a client-side CA
certificate when you install the Symantec Endpoint Encryption Management Server.
The server-side TLS/SSL certificate must comply with the following requirements:
■
It must be valid for IIS.
■
It must be valid during the period in which you use it.
■
You must enable it for server authentication.
■
It must contain a private key.
■
The common name (CN) must match the name of the Symantec Endpoint
Encryption Management Server exactly. You set this value in the Web Server
Name field of the Configuration Wizard or the Configuration Manager.
■
The same certificate authority that issued the client-side CA certificate must
also issue the server-side certificate.
■
You must install it in the local computer personal certificate store of the Symantec
Endpoint Encryption Management Server.
The client-side CA certificate must comply with the following requirements:
■
It must be in the .CER file format.
■
It must be valid during the period in which you use it.
■
It must be the root certificate of the same certificate authority that issued your
server-side TLS/SSL certificate.
About securing communications between the Symantec
Endpoint Encryption Management Server and the database
You can use TLS/SSL communications to secure the traffic between your Symantec
Endpoint Encryption database and the Symantec Endpoint Encryption Management
Server. To use TLS/SSL, you must provide a server-side TLS/SSL certificate on
the server that hosts the Symantec Endpoint Encryption database. You must also
provide a client-side CA certificate when you install the Symantec Endpoint
Encryption Management Server.
You use the SQL Server Configuration Manager snap-in to enable SSL encryption
and to assign the TLS/SSL certificate.
If the server hosting the Symantec Endpoint Encryption database is not a domain
member, you must issue the TLS/SSL certificate to the NetBIOS name. You must
also install it in the personal certificate store of the computer that hosts the Symantec
Endpoint Encryption database.
The server-side TLS/SSL certificate must comply with the following requirements:
■
It must be valid during the period in which you use it.
■
You must enable it for server authentication.
■
If the server is a member of the domain, the certificate must contain a private
key. The private key must be issued to the FQDN of the server that hosts the
Symantec Endpoint Encryption database.
About securing communications between Symantec Endpoint
Encryption Management Server and Active Directory
You can use TLS/SSL communications to secure the traffic between your Active
Directory and the Symantec Endpoint Encryption Management Server. To use
TLS/SSL, you must provide a server-side TLS/SSL certificate on the domain
controller.
This certificate must comply with the following requirements:
■
It must be valid during the period in which you use it.
■
You must enable it for server authentication.
■
It must be issued to the domain controller's FQDN and contain the private key.
The certificate resides in the Personal certificate store of the computer that
hosts the domain controller.
Best practices for configuring encrypted communications
When configuring encrypted communications, consider the following best practices:
■
Make sure that the CA certificate that issued the SQL Server certificate is present
in the Trusted Root Certification Authorities store on the computers that connect
to the database.
■
Use the common name (CN) string from the server certificate as the Database
server name. The Database server name is required in the Installation Wizards
of the Symantec Endpoint Encryption Management Server, Management
Console, and the Database config tab in the Configuration Manager.
■
The common name (CN) string should appear as a FQDN. You should be able
to resolve its IP address using DNS lookup or hosts file lookup.
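The certificate requirements in the three sections above and in this best-practices list are all mechanically checkable, and checking them before the installer runs avoids the classic failure where the Web Server Name or Database server name is typed as a short host name while the certificate carries the FQDN. The following PowerShell is an added example, not part of the Symantec guide or product; the first function walks the local computer Personal store and reports, for each certificate, the validity period, the Server Authentication EKU, the presence of a private key, an exact CN match against the name you intend to enter, issuance under the root CA you will distribute as the client-side .CER, presence of that root in the Trusted Root store, and DNS resolution of the CN. The second function confirms that a SQL Server session from the Management Server really is encrypted once SQL Server Configuration Manager has been configured. Host names, file paths, and the instance name are placeholders; Invoke-Sqlcmd is assumed to come from the SQLPS module, and querying sys.dm_exec_connections requires the VIEW SERVER STATE permission.

```powershell
# Added example, not part of the Symantec guide. Checks the server certificate
# requirements from the TLS/SSL sections above and verifies SQL session
# encryption. Assumptions: names and paths below are placeholders; Invoke-Sqlcmd
# is available from SQLPS; the caller holds VIEW SERVER STATE on the instance.

function Test-SeeServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $ExpectedName,     # Web Server Name or Database server name (FQDN)
        [Parameter(Mandatory)] [string] $RootCaCerPath,    # the client-side CA certificate (.CER)
        [string] $StorePath = 'Cert:\LocalMachine\My'      # local computer Personal store
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $rootCa = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCaCerPath)
    $rootTrusted = Test-Path "Cert:\LocalMachine\Root\$($rootCa.Thumbprint)"
    $resolves = $true
    try { [void][System.Net.Dns]::GetHostAddresses($ExpectedName) } catch { $resolves = $false }
    $now = Get-Date

    foreach ($cert in Get-ChildItem $StorePath) {
        $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage
        $hasServerAuth = $null -ne ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
        # Build the chain and compare its top element with the intended root CA. Revocation is
        # skipped here because the question is the issuer relationship, not CRL reachability.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        [void]$chain.Build($cert)
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $r = [ordered]@{
            Thumbprint       = $cert.Thumbprint
            Subject          = $cert.Subject
            CnMatches        = ($cn -eq $ExpectedName)
            ValidNow         = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
            ServerAuthEku    = $hasServerAuth
            HasPrivateKey    = $cert.HasPrivateKey
            IssuedUnderRoot  = ($top.Thumbprint -eq $rootCa.Thumbprint)
            RootInTrustStore = $rootTrusted
            CnResolvesInDns  = $resolves
        }
        $r.MeetsRequirements = $r.CnMatches -and $r.ValidNow -and $r.ServerAuthEku -and $r.HasPrivateKey -and
                               $r.IssuedUnderRoot -and $r.RootInTrustStore -and $r.CnResolvesInDns
        [pscustomobject]$r
    }
}

function Test-SqlConnectionEncrypted {
    param([Parameter(Mandatory)] [string] $ServerInstance)
    # encrypt_option reflects the session that runs the query, so ask for encryption and see whether we got it.
    $q = 'SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID;'
    $row = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database 'master' -Query $q -EncryptConnection
    return ($row.encrypt_option -eq 'TRUE')
}

# On the Management Server: the IIS certificate must match the Web Server Name exactly ...
Test-SeeServerCertificate -ExpectedName 'seems01.corp.example.com' -RootCaCerPath 'C:\certs\corp-root-ca.cer' |
    Where-Object MeetsRequirements | Format-List
# ... and the database session must come back encrypted once Force Encryption is set on the instance.
if (-not (Test-SqlConnectionEncrypted -ServerInstance 'sql01.corp.example.com\SEE')) {
    Write-Warning 'SQL Server session is not encrypted; check the certificate assignment in SQL Server Configuration Manager.'
}
```

Run Test-SeeServerCertificate on the database host as well, with the Database server name as ExpectedName, to cover the FQDN rule for domain-member SQL servers; on a non-domain SQL server substitute the NetBIOS name, as the database section above requires. If no certificate in the store reports MeetsRequirements = True, the individual columns tell you which of the listed requirements failed rather than leaving you with the generic TLS handshake error the installer would show.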
Installing prerequisite software on your Management
Console
The Management Console requires the Remote Server Administration Tools, and
it also requires the .NET framework.
See “Symantec Endpoint Encryption .NET requirements” on page 38.
Microsoft SQL Server Feature Pack should be installed on a server class system
(Windows Server 2012 R2 and Windows Server 2008 R2) before installing the
Management Console.
See “Symantec Endpoint Encryption Microsoft SQL Server Feature Pack
requirements” on page 38.
Setting up the Remote Server Administration Tools
You must set up the Remote Server Administration Tools before you install the
Management Console.
To set up the Remote Server administration Tools on Microsoft Windows Server
2012:
◆
Follow the instructions to enable Microsoft Remote Server Administration Tools
for Microsoft Server 2012 at
http://social.technet.microsoft.com/wiki/contents/articles/2202.remote-server-administration-tools-rsat-forwindows-client-and-windows-server-dsforum2wiki.aspx
To set up the Remote Server Administration Tools on Microsoft Windows Server
2008 R2
◆
Follow the instructions to enable Microsoft Remote Server Administration Tools
for Microsoft Server 2008 at:
http://technet.microsoft.com/en-us/library/cc816817%28v=ws.10%29.aspx
To set up the Remote Server Administration Tools on Microsoft Windows 8:
◆
Download and install the Microsoft Remote Server Administration Tools for
Microsoft Windows 8 from:
http://www.microsoft.com/en-us/download/details.aspx?id=28972
To set up the Remote Server Administration Tools on Microsoft Windows 7:
◆
Download and install the Microsoft Remote Server Administration Tools for
Microsoft Windows 7 from:
http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en
Section 2
Installing Symantec Endpoint Encryption
■
Chapter 4. Installing Symantec Endpoint Encryption Management Server
■
Chapter 5. Creating Symantec Endpoint Encryption client installers
■
Chapter 6. Deploying new clients
Chapter 4
Installing Symantec Endpoint Encryption Management Server
This chapter includes the following topics:
■
Installing the server
■
Configuring the server
■
Installing a Management Console
■
Adding or removing the Symantec Endpoint Encryption snap-ins
■
Installing the Autologon Utility (optional)
■
Installing the Windows Password Reset snap-in (optional)
■
Completing the installation
Installing the server
To install your Symantec Endpoint Encryption Management Server, complete the
following tasks:
Table 4-1 Process for Installing your Symantec Endpoint Encryption Management Server

Action: Meet the minimum system requirements
Description: Do the following:
■ Make sure that the Symantec Endpoint Encryption Management Server’s computer meets the minimum system requirements.
See “Symantec Endpoint Encryption Management Server system requirements” on page 16.
■ Make sure that the Symantec Endpoint Encryption database’s server meets the minimum system requirements before you install the Symantec Endpoint Encryption Management Server.
See “Symantec Endpoint Encryption database system requirements” on page 17.
■ Make sure that the Management Console computer meets the minimum system requirements.
See “Management Console system requirements” on page 18.
■ Make sure that the Microsoft SQL Server Feature Pack is installed on a server class system before you install the Symantec Endpoint Encryption Management Server or Management Console.
See “Symantec Endpoint Encryption Microsoft SQL Server Feature Pack requirements” on page 38.

Action: Meet the prerequisite services requirements
Description: Verify that IIS is installed and enable the Web Server (IIS) server role and the required role services.
See “Enabling the prerequisite server roles, features, and tools for the Symantec Endpoint Encryption Management Server” on page 39.

Action: Set up encrypted communications
Description: If you plan to use TLS/SSL encryption for your server communications, you must make sure that the computer meets the prerequisites.
■ To encrypt the communication between the Symantec Endpoint Encryption Management Server and client computers, you must install a TLS/SSL certificate on the Symantec Endpoint Encryption Management Server. You must provide a client-side CA certificate.
■ To encrypt the communication between the Symantec Endpoint Encryption Management Server and the database, you must install a server-side TLS/SSL certificate on the server that hosts the Symantec Endpoint Encryption database.
■ To encrypt the directory synchronization traffic, you must install a server-side TLS/SSL certificate on the domain controller.
See “About configuring TLS/SSL communications for Symantec Endpoint Encryption” on page 41.
Action: Run the installation wizard
Description: Run the installation wizard to specify your settings for the server. When you install the Symantec Endpoint Encryption Management Server, you specify the initial settings for the Symantec Endpoint Encryption database and its communications. You can later change these settings in the Configuration Manager utility if you need to.
See the section called “Installing the server” on page 48.

Action: Configure the server
Description: You use the configuration wizard to set up your directory service synchronization and to configure the Web service.
See “Configuring the server” on page 54.

Action: Restart the server
Description: After you finish the steps, restart the computer.

Action: Complete the installation
Description: After finishing the installation wizard and the configuration wizard, verify that you installed the server correctly and then back up the database.
See “Completing the installation” on page 64.
Installing the server
To install the Symantec Endpoint Encryption Management Server, you run the
Symantec Endpoint Encryption Suite Installation Wizard and then follow the steps
to configure your installation settings.
To install the server
1 Do one of the following:
■ If your database creation account is a Microsoft Windows account, log on to the server using the account with which you are going to create the database. The account must have local administrator rights.
■ If your database creation account is a Microsoft SQL account, log on to the server using a Microsoft Windows domain account. The account must have local administrator rights.
2 Close all instances of the Microsoft Management Console. The wizard cannot complete if the console is open.
3 Copy the SEE Server Suite x64.msi file to the local hard disk of the Symantec Endpoint Encryption Management Server.
4 Do one of the following:
■ Double-click the file to run it.
■ Use the command line to run the file as follows:
Click Start > All Programs > Accessories. Right-click Command Prompt, and then click Run as administrator.
In the command prompt window, run the following command:
MSIEXEC /I "[path]\SEE Server Suite x64.msi" /lvx "[logpath]\logfile"
[logpath] and \logfile represent the path and name of the output log file.
5 On the Welcome page of the wizard, click Next.
6 In the Symantec Endpoint Encryption Multi-Factor Authentication page, click Next.
7 In the License agreement page, select I accept the terms in the license agreement and click Next.
8 On the Setup Type page, you can either accept the default feature set, or choose the features that you want to enable, including:
■ Management Server
■ Management Agent
■ Drive Encryption
■ Removable Media Encryption
Note: When you select Management Agent, the SEE Help Desk, Symantec Endpoint Encryption for BitLocker, and Symantec Endpoint Encryption for FileVault features are installed or upgraded by default.
Do one of the following:
■ (Default) To enable all of the features, click Complete.
■ To enable specific features, click Custom, and then configure the following options for each feature:
Feature navigation tree: Lets you control how the features are installed. Click the icon that is next to the feature that you want to change and then select from the following:
  ■ This feature will be installed on the local hard drive
  ■ This feature, and all sub-features, will be installed on the local hard drive
  ■ This feature will not be available
Disk Usage: Lets you view the disk space that is required for the features. Select the feature that you want to view and then click Disk Usage.
Destination folder: Lets you change where Symantec Endpoint Encryption stores its program files. Select the feature you want to change and then click Destination folder. Browse to the location where you want to store the files and then click OK.
9 In the Custom Setup page, click Next.
10 On the Database Location and Credentials page, in the Database Instance field, provide the location of the database. Symantec recommends that you use a dedicated server for your Symantec Endpoint Encryption database. However, you can install the database locally if you install a supported version of Microsoft SQL Server. You must provide an account for communications between the Symantec Endpoint Encryption Management Server and the Symantec Endpoint Encryption database. Use one of the following methods to provide either a Microsoft SQL account or a Microsoft Windows account.
Click the drop-down menu: Lets you select from a list of local instances.
Click Browse: Lets you select from a list of instances on the network.
Enter the NetBIOS name: Lets you type the name of an instance. If you use a named instance, you must also include the name of the instance. For example, SEEDB-01\NAMEDINSTANCE.
11 To encrypt communication between the server and the database, click Enable
TLS/SSL.
To use this feature, you must meet additional prerequisites.
See “About configuring TLS/SSL communications for Symantec Endpoint
Encryption” on page 41.
12 If your database server is configured to use a custom port, select Custom port
number and enter the port number.
13 You must specify the authentication method of your database creation account.
Symantec Endpoint Encryption uses this account for communication between
the server and the database.
To specify the database creation account, select one of the following options:
Windows authentication: This option lets you use the Microsoft Windows domain account that you are currently logged on with. This account has the following characteristic:
■ It has permission to the IIS metabase and file system.
The wizard automatically applies the required database permissions and roles to this account.
SQL authentication: This option lets you use a Microsoft SQL Server account.
See “Best practices for Microsoft SQL Server database logons” on page 36.
14 Click Next.
15 On the Database Access page, do one of the following:
■ Click Create a new database. You can either accept the default database name or enter a custom name.
■ If you want to use an existing database, click Use existing database.
16 Click Next.
17 On the Database Access page, do one of the following according to your
authentication method:
Windows authentication: Specify the Microsoft Windows account on the Symantec Endpoint Encryption Management Server.
This account has the following characteristics:
■ It is a service account for the Services website.
■ It is a logon account for the synchronization services.
■ It has membership in the IIS_WPG group.
■ It has the Log on as a service right.
In the User name field, enter the account name in NetBIOS format, and enter the account's password in the Password field.
After you specify the account, the installer validates it. A message is displayed indicating that it exists. If the account is valid, click Yes.
If the Database Access page is displayed, enter your credentials for the Symantec Endpoint Encryption database in the User name and Password fields, and then click Next.
SQL authentication: Choose whether you want to create a new login or to use an existing login. When creating a new database, you can either specify a new SQL account or use an existing SQL account. When using an existing database, you must use an existing SQL account.
■ To create a new SQL account, click Create a new login. Enter the user name, password, and the password confirmation of the new account.
■ To use an existing SQL account, click Use existing login. Enter the credentials of the database communications account that you created during your previous installation.
Symantec provides recommendations for setting up your SQL Server database logins.
See “Best practices for Microsoft SQL Server database logons” on page 36.
See “Setting up the rights for the database access account” on page 33.
18 Click Next.
19 In the Database Configuration page, you can specify custom configuration settings. Symantec recommends that you accept the default configuration settings. You can change your database configuration settings later by using the Microsoft SQL Server tool of your choice. Symantec does not recommend the Symantec Endpoint Encryption Configuration Manager for this purpose: it only lets you increase the size settings, not decrease them, and if you change paths it requires you to detach and reattach the Symantec Endpoint Encryption database.
Do one of the following:
■ (Recommended) Accept the default database configuration. Leave the Customize my database configuration check box deselected.
■ Select Customize my database configuration, then do the following:
  ■ Enter the paths for the data file and the log file. The directories in this path must already exist on the database server. The installer does not create the directories.
  ■ Enter the file size values in megabytes for the data and log files. These sizes include autogrowth size, initial size, and maximum size. Make sure that the database server has enough space for the data and log files.
20 Click Next.
21 On the SEE Management Password page, do the following:
■ In the SEE Management Password box and the Confirm Password box, provide the Symantec Endpoint Encryption Management Password.
Warning: Do not lose your Management Password. Symantec cannot recover this password if you lose it. If you lose your Management Password you must reinstall the Management Server.
Symantec recommends that you protect and store your Management Password in a safe location.
See “About the Management Password” on page 37.
22 Click Next.
23 On the Token Authentication page, you can indicate the type of token that client computers use to authenticate to Symantec Endpoint Encryption. The option that you select affects the settings in your client installation packages.
Do one of the following:
■ If you do not use tokens to authenticate, select None.
■ If you do use token authentication, select the type of token that you use.
24 Click Next.
25 On the Ready to Install the Program page, click Install.
26 On the Installation Wizard Completed page, click Finish.
After the program is installed, the Symantec Endpoint Encryption Management
Server Configuration Wizard automatically launches.
See “Configuring the server” on page 54.
Configuring the server
After you run the Symantec Endpoint Encryption Management Server wizard, the
configuration wizard automatically launches. You use the wizard to set up your
directory service synchronization and to configure the Web service. You can also
manually start the wizard by running the configuration manager program on the
Symantec Endpoint Encryption Management Server. You must complete the wizard
before you can synchronize your directory services and create your client installation
packages. You can use the configuration manager to change these settings later.
You use the wizard to complete the following tasks:
Configure the Web service: You use the wizard to configure the communications between the Symantec Endpoint Encryption Management Server and the client computers. You set the protocol and the port that you use for communication. If you intend to use SSL, then you must also provide the communication certificates.
Specify the directory service: Directory service synchronization lets you keep the database current with the information in your directory services. For example, when computers are added and removed from Active Directory, the server synchronizes those changes with the Symantec Endpoint Encryption database. This synchronization lets you use the Management Console to apply policies according to your organization's directory Organizational Units and containers.
See “About configuring TLS/SSL communications for Symantec Endpoint Encryption” on page 41.
Configure directory service synchronization: If you choose to synchronize your directory service, the Directory Service Synchronization Configuration page is displayed. Use this page to enter the configuration details about your Active Directory forests. You can add additional forests, and you can exclude domains from synchronization. If you selected the Microsoft Active Directory check box on the Directory Service Synchronization Options page, the Active Directory Configuration area is available.
To configure the server
1 In the Web Service Configuration dialog box, in the Web Server Name field, enter the name of the web server.
The name is pre-filled with the NetBIOS name of the computer that hosts the Symantec Endpoint Encryption Management Server.
If you want to use HTTPS communication between the server and the client computers, this name must match the common name (CN) that you specify in the server-side TLS/SSL certificate.
You must modify this field to include the fully qualified domain name (FQDN) under the following circumstance: if DNS configuration issues prevent the NetBIOS name from resolving, an FQDN is more appropriate for your network environment.
2 In the Credentials section, enter the credentials and domain of the IIS client account.
These fields display the name and domain of the Internet Information Services (IIS) client account. If you change the IIS client account, you must enter the credentials for this account.
■ User name: Enter the user name for the IIS client account.
■ Password: Enter the password for the IIS client account.
■ Show password: Select this option to display the characters that you type in the Password field.
■ Enable Windows Authentication: Select this option to distribute a Removable Media Encryption workgroup key to your Active Directory computers. To enable Windows authentication, the Windows authentication server role must be selected from the Add Roles and Features Wizard.
After you save your changes, the dialog displays the message, "Changes are saved successfully." The password characters are obfuscated with symbols.
3 In the Protocol section, do one of the following:
To use HTTP communications: If you do not want to encrypt client communications with the Symantec Endpoint Encryption Management Server, click HTTP. In the HTTP port field, enter the number of the TCP port on the Symantec Endpoint Encryption Management Server to use for the unencrypted client communications. By default, the port is 80.
To use HTTPS communications: To encrypt client communications with the Symantec Endpoint Encryption Management Server, click HTTPS. In the HTTPS port field, enter the TCP port on the Symantec Endpoint Encryption Management Server to use for the encrypted client communications. By default, the port is 443.
The wizard requires a TCP port for unencrypted communication even if you use HTTPS. IIS requires this information, but Symantec Endpoint Encryption does not use this port.
4 (If using HTTPS) In the Client Computer Communications section, next to the Client-Side CA Certificate field, click Browse.
5 In the Choose SSL certificate file dialog box, the available certificates are displayed from the personal certificate store of the local computer. Select the client-side CA certificate that the client computers use for encrypted communication with the server, and click Open.
After you click Open, the dialog box should display the certificate hash string under the Browse button.
6 (If using HTTPS) In the Client Computer Communications section, next to the Server-Side TLS/SSL Certificate field, click Browse.
7 In the Certificate selection dialog box, the available certificates are displayed from the personal certificate store of the local computer. Select the server-side TLS/SSL certificate that the server's Web service uses, and click OK.
After you click OK, the dialog box should display the certificate hash string under the Browse button.
When you select the certificate, you also assign it to the Symantec Endpoint Encryption Services website through the IIS Manager snap-in.
8 In the wizard, click Next.
9 On the Directory Configuration page, in the Active Directory Forest Name field, enter the name of the Active Directory forest that you want to configure.
10 In the Preferred Global Catalog Server field, enter the Fully Qualified Domain
Name (FQDN) of a global catalog server for the forest.
11 In the Active Directory User Name, Password, and Confirm Password
fields, enter the credentials of the Active Directory synchronization account.
12 In the User Domain field, enter the NetBIOS name of the Active Directory
synchronization account.
13 To encrypt all synchronization traffic between Active Directory and the Symantec
Endpoint Encryption Management Server, click Enable TLS/SSL . Make sure
that you are in compliance with the prerequisites.
See “About configuring TLS/SSL communications for Symantec Endpoint
Encryption” on page 41.
14 To exclude Active Directory domains from synchronization, click Configure Domain Filter.
For example, there may be domains within your forests that do not contain Symantec Endpoint Encryption client computers. To improve performance and usability, you can exclude these domains from synchronization.
15 In the Include Computers from column on the left, select a domain that you
want to exclude.
16 To move a domain into the Exclude Computers from column, click >.
When you exclude a parent domain, you also exclude all of the child domains
of that domain. In a typical deployment, you can first exclude the top level of
the domain. You can then only choose to include the child domains that contain
the Symantec Endpoint Encryption client computers.
17 Click OK.
18 To synchronize with additional Active Directory forests, click Add.
The status text on the top-right side of the Active Directory Forest Name field
updates to display the number of this forest and the new total number of forests.
For example, 2/2 AD Forest indicates that the wizard displays the configuration
settings for the second of a total of two forests. Enter the configuration
information for the additional forest.
19 To remove the configuration information for the currently displayed forest, click
Delete.
20 To view the configuration information for the previous forest, click Prev.
21 Click Next.
22 On the Directory Synchronization page, to synchronize your directory service,
click Activate Directory Synchronization.
23 Configure the following Synchronization Settings:
Method: This section lets you control whether the synchronization service runs automatically when Windows starts.
If you want the service to run automatically and synchronize at boot time, choose Automatic synchronization.
If you do not want the service to run automatically and synchronize at boot time, choose On-demand synchronization.
Server Type: Use this section to control whether this server acts as a primary synchronizer or a secondary synchronizer.
If you plan to deploy only one Symantec Endpoint Encryption Management Server, the server automatically synchronizes with the directory services, regardless of whether you configure it to act as a primary synchronizer or a secondary synchronizer.
Choose either Primary synchronizer or Secondary synchronizer.
24 Click Finish.
25 Click Restart if prompted.
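The name match in step 1 and the server-side certificate chosen in steps 6 and 7 are the two points that most often surface later as client connection failures, so the following PowerShell script, added here as an example and not part of the Symantec guide, checks them after the wizard finishes. $WebServerName and $HttpsPort are assumed values; substitute the Web Server Name and the HTTPS port you entered in steps 1 and 3.

```powershell
# Added example, not from the Symantec guide. Checks that the server-side
# TLS/SSL certificate in the local computer's personal store carries the
# Web Server Name as its subject CN, still validates, and is the certificate
# IIS actually presents on the HTTPS port.
param(
    [string]$WebServerName = 'seems01.corp.example',   # assumed: the Web Server Name from step 1
    [int]$HttpsPort = 443                               # assumed: the HTTPS port from step 3
)

# 1. Certificates in LocalMachine\My whose subject CN matches the web server name
#    and that have a private key (IIS cannot serve TLS without one).
$cnPattern  = "CN=$([regex]::Escape($WebServerName))(,|$)"
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -match $cnPattern }

if (-not $candidates) {
    Write-Warning "No certificate with CN=$WebServerName and a private key in LocalMachine\My."
    Write-Warning "Clients that validate the server name will refuse the HTTPS connection."
}

foreach ($cert in $candidates) {
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $eku = ($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
    Write-Output ("Thumbprint {0}  expires in {1} days  EKU: {2}" -f $cert.Thumbprint, $daysLeft, $eku)

    if ($daysLeft -lt 30) {
        Write-Warning "Certificate $($cert.Thumbprint) expires in $daysLeft days; plan the renewal now."
    }
    # An empty EKU list means 'any purpose'; otherwise Server Authentication must be present.
    if ($eku -and $eku -notmatch 'Server Authentication') {
        Write-Warning "Certificate $($cert.Thumbprint) lacks the Server Authentication EKU."
    }
    # Verify() builds the chain against this machine's trusted roots and checks revocation,
    # which is what a client validating the connection will also do.
    if (-not $cert.Verify()) {
        Write-Warning "Certificate $($cert.Thumbprint) does not chain to a trusted CA on this machine."
    }
}

# 2. Which certificate IIS presents on the HTTPS port (the binding made in step 7).
Import-Module WebAdministration -ErrorAction Stop
$bindings = Get-ChildItem -Path IIS:\SslBindings | Where-Object { $_.Port -eq $HttpsPort }

if (-not $bindings) {
    Write-Warning "No SSL binding on port $HttpsPort; the Services website will not answer HTTPS."
}
foreach ($b in $bindings) {
    if ($candidates.Thumbprint -contains $b.Thumbprint) {
        Write-Output "Port $HttpsPort presents $($b.Thumbprint), which matches CN=$WebServerName."
    } else {
        Write-Warning "Port $HttpsPort presents $($b.Thumbprint), which does not match CN=$WebServerName."
    }
}
```

Run it in an elevated PowerShell session on the Management Server after the restart. A warning from the binding check means the certificate the wizard assigned to the Symantec Endpoint Encryption Services website is not the one whose CN matches the Web Server Name, which is exactly the mismatch step 1 warns about.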
Installing a Management Console
To install and upgrade the Management Console, you run the Symantec Endpoint
Encryption Suite Installation Wizard and then follow the steps to configure your
installation settings. In the wizard, you must indicate if you use token authentication
in your environment, and how the Management Console is to connect to the
Symantec Endpoint Encryption database.
To install a Management Console:
1 Use your Policy Administrator account to log on to the computer where you want the Management Console.
See “Accounts required by Symantec Endpoint Encryption” on page 30.
2 Close all instances of the Microsoft Management Console. The wizard cannot complete if the console is open.
3 Copy the <filename> file to the local hard disk of the Management Console, where <filename> is one of the following:
■ If the Management Console computer's operating system is 32-bit: SEE Server Suite.msi
■ If the Management Console computer's operating system is 64-bit: SEE Server Suite x64.msi
4 Do one of the following:
■ Double-click the file to run it.
■ Use the command line to run the file as follows:
Click Start > All Programs > Accessories. Right-click Command Prompt, and then click Run as administrator.
If you are prompted, enter the credentials of a domain administrator account.
In the command prompt window, run the following command:
MSIEXEC /I "[path]\<filename>" /lvx "[logpath]\logfile"
[logpath] and \logfile represent the path and name of the output log file.
5 In the Welcome page, click Next.
6 In the Symantec Endpoint Encryption Multi-Factor Authentication page, click Next.
7 In the License agreement page, select I accept the terms in the license agreement and click Next.
8 On the Setup Type page, to install Management Agent, select Custom.
9 On the Custom Setup page, do the following:
■ Deselect Management Server.
■ Select Management Agent. Choose the features that you want to enable in Management Console, including:
  ■ Drive Encryption
  ■ Removable Media Encryption
Note: When you select Management Agent, the SEE Help Desk, Symantec Endpoint Encryption for BitLocker, and Symantec Endpoint Encryption for FileVault features are installed by default.
■ Configure the following options for each feature:
Feature navigation tree: Lets you control how the features are installed. Click the icon that is next to the feature that you want to change and then select from the following:
  ■ This feature will be installed on the local hard drive
  ■ This feature, and all sub-features, will be installed on the local hard drive
  ■ This feature will not be available
Disk Usage: Lets you view the disk space that is required for the features. Select the feature that you want to view and then click Disk Usage.
Destination folder: Lets you change where Symantec Endpoint Encryption stores its program files. Select the feature you want to change and then click Destination folder. Browse to the location where you want to store the files and then click OK.
10 In the Token Authentication page, you can indicate the type of token that
client computers use to authenticate with Symantec Endpoint Encryption. The
option that you select here affects the settings in your client installation
packages.
If you do not plan to use tokens to authenticate, click Next.
If you do plan to use token authentication, select the type of token that you
plan to use and then click Next.
11 In the Database Server page, click Use SEE Server to install the Management
Console with the default settings.
12 In the Database Server field, choose the Microsoft SQL Server instance that
hosts the Symantec Endpoint Encryption database. To select from a list of
instances click Browse, or enter the NetBIOS name of the instance.
13 In the Database Name field, do one of the following:
■ Accept the default name SEEMSDb if you created your database with the default name.
■ If you created your database with a custom name, enter the unique custom name.
14 Click Enable TLS/SSL if you configured your database to use TLS/SSL
encryption.
See “About configuring TLS/SSL communications for Symantec Endpoint
Encryption” on page 41.
15 If you configured the database server to use a custom port, click Custom port and then enter the custom port number. If you do not use a custom port, do not click Custom port.
16 In the Authentication section, you must enter the credentials of the Policy
Administrator account. Symantec Endpoint Encryption uses this account to
authenticate with the Symantec Endpoint Encryption database.
Do one of the following:
■ To use the credentials of the currently logged on Microsoft Windows user, click Windows Authentication.
■ To enter the credentials of a SQL account, click SQL Server Authentication and enter the SQL credentials of the Policy Administrator account.
See “Accounts required by Symantec Endpoint Encryption” on page 30.
17 Click Next.
The installation wizard authenticates to the database server that you specified,
and it verifies that the account credentials are correct.
18 In the SEE Management Password page, you must enter the credentials of
the Management Password. The Management Password is set when you first
install the Symantec Endpoint Encryption Management Server.
See “About the Management Password” on page 37.
19 Click Next.
20 In the Ready to Install the Program page, click Install.
21 In the Install Wizard Completed page, click Finish.
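Both this procedure and the server procedure earlier in the chapter offer the same MSIEXEC command line with verbose logging. The following PowerShell wrapper is an added example, not part of the Symantec guide: it checks the preconditions the two procedures state (elevated session, no open Microsoft Management Console, MSI copied to the local disk), writes the log to a timestamped file, and interprets the Windows Installer exit code so a reboot requirement or a failure is not missed. $MsiPath and $LogDir are assumed values.

```powershell
# Added example, not from the Symantec guide. Wraps the MSIEXEC command from
# step 4 of both installation procedures so that the preconditions are checked,
# the log always lands in a known place, and the exit code is interpreted.
# $MsiPath and $LogDir are assumed values; point them at your copy of the MSI.
param(
    [string]$MsiPath = 'C:\Install\SEE Server Suite x64.msi',  # assumed local copy (step 3)
    [string]$LogDir  = 'C:\Install\Logs'                        # assumed log directory
)

# The MSI must be started from an elevated prompt (Run as administrator).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session (Run as administrator).'
}

# Step 2: the wizard cannot complete while a Microsoft Management Console is open.
if (Get-Process -Name mmc -ErrorAction SilentlyContinue) {
    throw 'Close all Microsoft Management Console (mmc.exe) windows before installing.'
}

if (-not (Test-Path -LiteralPath $MsiPath)) {
    throw "MSI not found: $MsiPath. Copy it to the local hard disk first (step 3)."
}

# msiexec does not create a missing log directory, so create it here.
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$logFile = Join-Path $LogDir ('SEE-Server-Suite-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))

# Same switches as the guide: /I installs, /lvx writes a verbose log with extra debug output.
# The paths contain spaces, so each is passed quoted.
$arguments = @('/I', "`"$MsiPath`"", '/lvx', "`"$logFile`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $arguments -Wait -PassThru

# Standard Windows Installer exit codes.
switch ($proc.ExitCode) {
    0       { Write-Output  "Installation completed. Log: $logFile" }
    3010    { Write-Output  "Installation completed; a restart is required. Log: $logFile" }
    1602    { Write-Warning "Installation was cancelled in the wizard. Log: $logFile" }
    1603    { Write-Warning "Fatal installation error. Search the log for 'Return value 3': $logFile" }
    default { Write-Warning "msiexec exited with code $($proc.ExitCode). Log: $logFile" }
}
exit $proc.ExitCode
```

The wizard still runs interactively exactly as in step 4; the wrapper only adds the checks around it. Keep the log file with your change records, since the verification steps at the end of the chapter refer back to it.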
Adding or removing the Symantec Endpoint
Encryption snap-ins
You can add or remove the Symantec Endpoint Encryption snap-ins that are installed using the SEE Server Suite file.
For example, you can perform the following operations:
■ Add the Management Console and the Drive Encryption and Removable Media Encryption snap-ins, if only the Management Server was installed earlier.
■ Remove all the Symantec Endpoint Encryption feature snap-ins, if all the Symantec Endpoint Encryption features were installed earlier.
To add or remove the Symantec Endpoint Encryption feature snap-ins, do one of the following:
■ Double-click the SEE Server Suite file to run it.
■ Use the Add/Remove Programs utility in the Control Panel.
Installing the Autologon Utility (optional)
The Autologon Utility lets policy administrators remotely deploy software to client
computers. You can use this feature if you use preboot authentication. Because
software installations typically require several restarts, the Autologon Utility lets you
bypass preboot authentication.
To install the Autologon snap-in:
1 On the Management Console computer, do one of the following:
■ If the computer's operating system is 32-bit, run the SEE Autologon.MSI file.
■ If the computer's operating system is 64-bit, run the SEE Autologon x64.MSI file.
2 In the Welcome page, click Next.
3 In the License agreement page, click I accept the terms in the license agreement and click Next.
4 In the destination folder page, you can change the destination of where the wizard installs the program files.
To choose a different location to install the program files, click Change, or click Next to accept the default installation location.
5 In the Ready to Install the Program page, click Install.
6 In the Completed page, click Finish.
Note: After you upgrade your client computers, if you want to use the Autologon
Utility, enable the Autologon policy option. To allow a client administrator to manage
the Autologon Utility using the Administrator Command Line, ensure that you
configure the Autologon only when activated by admin locally policy option.
Installing the Windows Password Reset snap-in
(optional)
The Symantec Endpoint Encryption Windows Password Reset snap-in lets you
assist users who have forgotten their Microsoft Windows password. You use the
Symantec Endpoint Encryption Windows Password Reset snap-in to create the
Windows Password Reset Utility client installer. The Windows Password Reset
Utility is installed on Drive Encryption client computers and enables users to reset
their Windows password when they use Drive Encryption Self-Recovery.
You run the SEE Windows Password Reset.MSI file to install the Symantec Endpoint
Encryption Windows Password Reset snap-in into the Management Console.
To install the Symantec Endpoint Encryption Windows Password Reset snap-in:
1 On the Management Console computer, do one of the following:
■ If the computer's operating system is 32-bit, run the SEE Windows Password Reset.MSI file.
■ If the computer's operating system is 64-bit, run the SEE Windows Password Reset x64.MSI file.
2 On the Welcome page, click Next.
3 On the License agreement page, click I accept the terms in the license agreement and click Next.
4 On the destination folder page, you can change the destination of where the wizard installs the Symantec Endpoint Encryption Windows Password Reset snap-in files.
Click Change to choose a different location, or click Next to accept the default installation location.
5 On the Ready to Install the Program page, click Install.
6 On the Completed page, click Finish.
Completing the installation
After you finish the wizards, verify that you have set up the server and database
correctly. Then, schedule regularly occurring backups of the database.
Do the following:
■ Verify your server installation
■ Verify your database installation
■ Back up your database
Verify your server installation
To verify your server installation:
1 Open the Internet Information Service (IIS) Manager snap-in.
2 Expand the node for the Symantec Endpoint Encryption Management Server computer.
3 Expand Sites, then right-click Symantec Endpoint Encryption Services and click Switch to Content View.
4 Click Symantec Endpoint Encryption Services.
5 Verify that the snap-in lists the Symantec Endpoint Encryption Services website and that the service status is started. If the website's status is stopped, it indicates that the port number that you specified for communications with the client computers is already in use.
Verify that the right pane contains the following items:
  ■ The bin subfolder
  ■ The GECommunicationWS.asmx file
  ■ The web.config file
6 Open the Event Viewer snap-in and examine the Application event log. Verify that there are no errors generated by the event source ADSyncService.
If you ran the MSI from the command line and enabled logging, you have logged each step of the installation process. The command line stores the log file at the path that you specified. If you did not specify a path, the files are stored in the working directory that was current when you issued the command.
Verify your database installation
To verify your database installation:
1 Access the Symantec Endpoint Encryption database with the Microsoft SQL Server Management Studio.
2 Use administrator-level privileges to verify the following:
  ■ The installer created a new database by the name that you specified or the default name of SEEMSDb.
  ■ The installer added the Symantec Endpoint Encryption Management Server account that you specified as a user of the new database.
  ■ The installer populated the new database with Symantec Endpoint Encryption–specific tables. For example, dbo.GEMSEventLog.
  ■ Open the Windows Event Viewer on the computer that hosts the Symantec Endpoint Encryption database. The viewer logs the events that are related to the creation of the Symantec Endpoint Encryption database in the Application category with the source MSSQLSERVER. Make sure that it displays no error messages.
Back up your database
After you install and verify the Symantec Endpoint Encryption Management Server,
Symantec recommends that you run a complete backup of the Symantec Endpoint
Encryption database.
Symantec also recommends that you schedule regular backups of the Symantec
Endpoint Encryption database.
Chapter 5
Creating Symantec Endpoint Encryption client installers
This chapter includes the following topics:
■ About client installers
■ About the installation settings wizards
■ Creating a Symantec Endpoint Encryption Client installation package
■ About enabling features in the Symantec Endpoint Encryption Client installation package
■ Creating a Symantec Endpoint Encryption for FileVault installation package
■ Creating a Windows Password Reset Utility installation package
■ About the Autologon Utility
About client installers
Purpose
The Symantec Endpoint Encryption client installation packages deliver the client
software and initial settings to the client computers. For the Microsoft Windows
client computers, the installation package contains the Management Agent, either
Drive Encryption or Symantec Endpoint Encryption for BitLocker, and Removable
Media Encryption. For the Macintosh client computers, the installation package
contains the Symantec Endpoint Encryption for FileVault.
Note: The Symantec Endpoint Encryption Client installation package also installs
the Symantec Endpoint Encryption Client Administrator Console.
You create the Symantec Endpoint Encryption client installation packages from the
Management Console.
Client installer package contents
The client installation packages consist of the following installers, and log files for
Management Agent and the Drive Encryption and Removable Media Encryption
features. Each log file documents the feature-specific contents of the installer and
includes the file name and the date and time that the installer was created.
■ DriveEncryptionSettings month_day_year-hour.minute.sec.log
■ ManagementAgentSettings month_day_year-hour.minute.sec.log
■ RemovableMediaEncryptionSettings month_day_year-hour.minute.sec.log
■ SEE Client.msi
■ SEE Client_x64.msi
■ SEEInstaller.zip
Note: The SEEInstaller.zip folder is created to install Symantec Endpoint
Encryption for FileVault on the Macintosh computers. The compressed folder
consists of the SEEInstaller-<version number of the release>.<build number>.pkg
and MacSettings.xml files.
Note: Dual management console functionality requires at least Symantec Endpoint
Encryption 8.2.1 MP14: If you use Symantec Endpoint Encryption 11.1.1 with dual
management consoles, your 8.2.1 environment requires at least Symantec Endpoint
Encryption 8.2.1 MP14 if you want to generate MSIs for SEE Full Disk or SEE
Removable Storage clients.
About the installation settings wizards
You can create the Symantec Endpoint Encryption Client installation package by
running the Windows Client installation settings wizard from the Management
Console. The wizard enables you to define policy settings for the following features:
■ Management Agent
■ Drive Encryption
■ Removable Media Encryption
Note: The Windows Client installation settings wizard enables you to select the
Symantec Endpoint Encryption for BitLocker feature, but there are no configurable
installation settings for the Symantec Endpoint Encryption for BitLocker feature.
You can create the Symantec Endpoint Encryption for FileVault installation package
by running the Symantec Endpoint Encryption for FileVault installation settings
wizard from the Management Console.
Note: The Symantec Endpoint Encryption for FileVault installation package does
not change any policy settings. The client installation package identifies the client
computers to the Symantec Endpoint Encryption Management Server for tracking
and reporting purposes and for computer access recovery. Policy settings are
defined using a GPO only.
On the final page of each wizard, you are prompted for a location to save the client
installation settings MSI package.
For Symantec Endpoint Encryption Client, two MSI packages are saved, for 32- and 64-bit Windows editions. The 64-bit package is appended with _x64.
For Symantec Endpoint Encryption for FileVault, shown in the Management Console
user interface as Mac FileVault Client, the MSI package is saved as a .zip folder.
The SEEInstaller.zip folder consists of the SEEInstaller-<version number of the
release>.<build number>.pkg and MacSettings.xml files.
Save the package in a shared network location, such as the SYSVOL folder on the
domain controller.
You cannot load a previously created client installation package to examine the
settings. You can know the contents of each MSI, however, in two ways:
■ Save each client installer package with a descriptive name. A descriptive name is helpful if you plan to deploy multiple sets of packages throughout your organization.
■ View the log files that Symantec Endpoint Encryption creates with each MSI.
  Note: No log file exists for the Symantec Endpoint Encryption for BitLocker feature.
  The individual settings that you selected for a given feature are saved in a date- and time-stamped log file. An example of a log file name is “ManagementAgentSettings 3_27_2014-18.21.59.log.”
  ■ The log file is created in the same location that you specified when you saved the package.
  ■ The log file does not show the contents of password fields. You should separately record and store in a secure location all passwords that you specify in an installation package.
Creating a Symantec Endpoint Encryption Client installation package
The Windows Client Installation Settings wizard walks you through a series of
panels, where you choose the features that you want to include in the Symantec
Endpoint Encryption Client installation package. Then, you configure the initial policy
settings that are applied when Symantec Endpoint Encryption Client is installed.
See “About enabling features in the Symantec Endpoint Encryption Client installation
package” on page 87.
Note: The Symantec Endpoint Encryption Client installation package always installs
Management Agent. If you choose to include the Drive Encryption feature in the
Symantec Endpoint Encryption Client installation package, the package also installs
the Symantec Endpoint Encryption Client Administrator Console and the
Administrator Command Line without any additional policy configuration.
Perform the following procedure to create a Symantec Endpoint Encryption Client installation package.
To create a Symantec Endpoint Encryption Client installation package
1 In the left pane, click Symantec Endpoint Encryption Software Setup > Windows Client.
2 On the Windows Client Installation Settings – Features page, select the features that you want to enable in the Symantec Endpoint Encryption Client installation package. Some features might not be available for selection depending upon whether they were disabled during the Symantec Endpoint Encryption Management Server installation.
Note: For the Disk encryption option, you can select either the Drive Encryption feature, or Symantec Endpoint Encryption for BitLocker. If you select Drive Encryption, ensure that the Microsoft BitLocker feature is disabled on the Microsoft Windows computers on which you want to install Symantec Endpoint Encryption Client. If you select Symantec Endpoint Encryption for BitLocker, ensure that you install Symantec Endpoint Encryption Client on Windows computers that support the BitLocker feature.
3 Click Next.
4 On the Windows Client Installation Settings – Management Agent page, click Next.
5 Perform the procedure to configure the Management Agent installation settings in Configuring the Management Agent installation settings.
6 (Optional) If you chose to enable Drive Encryption, on the Windows Client Installation Settings – Drive Encryption page, click Next. Then, perform the procedure to configure the Drive Encryption installation settings in Configuring the Drive Encryption installation settings.
Alternatively, if you chose to enable Symantec Endpoint Encryption for BitLocker instead of Drive Encryption, on the Windows Client Installation Settings – BitLocker page, click Next.
Note: Symantec Endpoint Encryption for BitLocker does not have any installation settings. If you enable Symantec Endpoint Encryption for BitLocker instead of Drive Encryption, the Windows Client Installation Settings wizard does not display any Symantec Endpoint Encryption for BitLocker policy settings.
7 (Optional) If you chose to enable Removable Media Encryption, on the Windows Client Installation Settings – Removable Media Encryption page, click Next. Then, perform the procedure to configure the Removable Media Encryption installation settings in Configuring the Removable Media Encryption installation settings.
8 Click Finish.
9 In the Save MSI Package dialog box, navigate to the location where you want to save the Symantec Endpoint Encryption Client installation package.
10 (Optional) Change the default package name to a name of your choice.
11 Click Save to create the Symantec Endpoint Encryption Client installation package at the selected location.
Configuring the Management Agent installation settings
After you select the Symantec Endpoint Encryption features that you want to enable,
the Windows Client installation settings wizard walks you through a series of panels,
where you choose your Management Agent settings. This section contains the
basic steps and information to configure the Management Agent installation settings
in the Windows Client installation package. To learn more about any of the options,
click the link at the end of each procedure.
To configure the Management Agent installation settings
Management Agent Installation Settings – Password Authentication page
1 On the Windows Client Installation Settings – Management Agent page, click Next.
2 On the Management Agent Installation Settings – Password Authentication page, do the following:
  ■ In the Simple Authentication section:
    ■ Select the Enable simple authentication option to let users authenticate at the preboot login screen using only a password.
    Note: If more than one user is registered on a client computer, simple authentication is not used; the detailed login screen appears, which requires a user name and domain as well.
    Note: If a user with simple authentication enabled forgets their password and invokes Drive Encryption Self-Recovery, they are prompted for their user name. This ensures that the self-recovery questions belong to that user.
  ■ In the Password Attempts section:
    ■ The Limit password attempts option is selected by default. This option configures a logon delay to protect against dictionary attack tools. When the option is selected, it enables After <x> incorrect attempts and pause for <x> minutes between further attempts. You can change the number of incorrect attempts and the pause duration. After the maximum number of consecutive incorrect attempts is reached, there is a delay of one minute, by default. You can change the default value for Drive Encryption. The delay time is 20 seconds for Removable Media Encryption and you cannot change this default value.
  ■ In the Password Complexity section:
    ■ In the Minimum password length box, type the number of characters users' Removable Media Encryption file encryption passwords must contain. The default value is 8.
    ■ Provide values for the options available under the Password must contain at least box to bring more complexity to the user password. The options are Non-alphanumeric characters, UPPERCASE letters, lowercase letters, and digits. Add any non-alphanumeric characters that you want to allow in the password in the Non-alphanumeric characters allowed in password box. At any time, you can click Restore Default to remove the characters you have added manually.
    The Password Complexity settings are enforced only for Removable Media Encryption file encryption passwords.
  ■ In the Maximum Password Age section:
    ■ If you do not want Removable Media Encryption file encryption passwords to expire, select Password never expires.
    ■ To set an expiration date on Removable Media Encryption file encryption passwords:
      ■ Select Password expires every <x> days. In the Password expires every <x> days box, type the number of days after which users' passwords expire.
      ■ In the Warn users <x> before their passwords expire box, type the number of days in advance users are prompted to change their expiring passwords.
    The Maximum Password Age settings are enforced only for Removable Media Encryption file encryption passwords.
  ■ In the Password History section:
    ■ To allow users to use any previously used Removable Media Encryption file encryption passwords, leave the default selection of Any previous password can be used.
    ■ To define a password history restriction, select The last <x> passwords cannot be reused. In The last <x> passwords cannot be reused box, type the number of different passwords that users must use before reverting to old passwords.
    The Password History settings are enforced only for Removable Media Encryption file encryption passwords.
3 Click Next.
Management Agent Installation Settings – Communication page
1 On the Management Agent Installation Settings – Communication page, do the following:
  ■ In the Send status updates every <x> minutes box, specify how frequently the client should send status updates to Symantec Endpoint Encryption Management Server. The communication interval is set to 60 minutes by default.
  ■ Verify the Connection Name, Server, Name, Domain, and type the password in the Password box under the Communication information section.
2 Click Next and then do one of the following:
  ■ Configure the Drive Encryption installation settings. See “Configuring the Drive Encryption installation settings” on page 74.
  ■ On the Windows Client Installation Settings – BitLocker page, click Next.
  ■ Configure the Removable Media Encryption installation settings. See “Configuring the Removable Media Encryption installation settings” on page 80.
Alternatively, if you chose to enable only Symantec Endpoint Encryption for BitLocker, on the Windows Client Installation Settings – BitLocker page, click Finish, and then do the following:
  ■ In the Save MSI Package dialog box, navigate to the location where you want to save the Symantec Endpoint Encryption Client installation package.
  ■ (Optional) Change the default package name to a name of your choice.
  Note: If you use a custom folder location, make sure that you install the Windows Password Reset Utility at the same location as Drive Encryption is installed.
  ■ Click Save to create the Symantec Endpoint Encryption Client installation package at the selected location.
Configuring the Drive Encryption installation settings
The Windows Client installation settings wizard walks you through a series of panels,
where you choose your installation settings for the features that you chose to enable.
This section contains the basic steps and information to configure the Drive
Encryption installation settings in the Symantec Endpoint Encryption Client
installation package. To learn more about any of the options, click the link at the
end of each procedure.
Note: By default, the Symantec Endpoint Encryption Client installation package
also installs the Symantec Endpoint Encryption Client Administrator Console and
the Drive Encryption Administrator Command Line. No additional configuration is
required to enable these features.
To configure the Drive Encryption installation settings
Drive Encryption Installation Settings – Client Administrators page
1 On the Windows Client Installation Settings – Drive Encryption page, click Next.
2 On the Drive Encryption Installation Settings – Client Administrators page, do one of the following:
  ■ Click Add to add a client administrator. Type the client administrator details in the Account Name, Password, and Confirm Password boxes. Check the administrative privileges that you want to assign to the client administrator. By default, Default admin is checked, which includes all of the available administrative privileges. To provide limited administrative privileges, uncheck Default admin and check one or more privileges that you want to assign from Admin Privileges. Click OK to save the newly added client administrator.
  You need to add a minimum of one client administrator to proceed to the next page of the Windows Client installation settings wizard.
  ■ Select an existing client administrator, and click Edit to edit an existing client administrator.
  ■ Select an existing client administrator, and click Delete to delete an existing client administrator. You must have at least one client administrator in the list to proceed to the next page.
  ■ The Action List makes available the options to Load client administrators from installation, Import client administrators from csv, and Export client administrators to csv. Click the link at the end of this procedure to see the Client Administrators policy options details for how to use these actions.
3 Click Next.
Drive Encryption Installation Settings – Registered Users page
1 On the Drive Encryption Installation Settings - Registered Users page, under Authentication Method, select an option from the Require registered users to authenticate with box to configure the authentication method for Drive Encryption users.
  ■ (Default) To have users authenticate with a password, click a password.
  ■ To have users authenticate with a token, click a token.
  ■ To have users authenticate using either a password or a token, click password or token.
2 Under User Registration, select a user registration option to configure the user registration method for Drive Encryption users.
  ■ (Default) To allow users to authenticate and register using a Windows user name and a Windows password or token, click Using Windows user authentication credentials.
  Note: The single sign-on policy is applicable only to this type of user.
  ■ To allow users to authenticate and register using a Windows user name and a Drive Encryption password, click Using Windows user name, non-Windows password.
  Note: This option is not available if you have selected either a token, or password or token, from the Require registered users to authenticate with list box.
  ■ To allow users to authenticate and register using a Drive Encryption user name and a Drive Encryption password, click Using non-Windows username, non-Windows password.
  Note: This option is not available if you have selected either a token, or password or token, from the Require registered users to authenticate with list box.
3 Click Next.
Drive Encryption Installation Settings – Single Sign-On page
1 On the Drive Encryption Installation Settings - Single Sign-On page, the Enable Single Sign-On option is checked by default. Selecting this option lets users authenticate at preboot and directly access the client computer without authenticating at the Windows logon screen.
2 Click Next.
Drive Encryption Installation Settings – Self-Recovery page
1 On the Drive Encryption Installation Settings - Self-Recovery page, the Enable Self-Recovery option is checked by default. Selecting this option enables you to provide values for the Minimum answer length, Predefined questions, and Number of user-defined questions required boxes.
2 Click Next.
If you update this policy and your users no longer comply, the user is prompted to reconfigure their self-recovery questions and answers. The prompt is governed by the following conditions:
■ If the user has configured two questions and the policy is changed so that two questions come from the server, then the user is prompted to reconfigure their Drive Encryption self-recovery questions.
■ If the user has configured two questions, and the policy is changed so that three questions are necessary, then the user is prompted to reconfigure their Drive Encryption self-recovery questions.
■ If the user has configured three questions and now the policy has changed so that two questions are necessary, then the user is not prompted.
Drive Encryption Installation Settings – Startup page
1 In the Preboot Splash Screen section of the Drive Encryption Installation Settings - Startup page, do the following:
  ■ Click A custom image or The SEE logo to select the image that a user should see in the Drive Encryption startup screen. Alternatively, click None if you do not want a startup screen to precede the preboot authentication screen.
  ■ (Optional) If you selected A custom image, click Browse to select a custom image that is in the .xpm file format.
  ■ In the Text Color menu, click Black (default) or White to set the color of the legal notice text that appears on the startup screen. You can skip this step if you do not want to display a startup screen or a legal notice.
  ■ Enter the Legal Notice text that you want to display on the startup screen. By default, the Legal notice box contains a standard notice from Symantec.
  ■ Type the startup logon message in the Logon Message box that you want to display to registered users as they authenticate to Drive Encryption. The maximum number of characters displayed in the login screen is 80. In the Japanese version, the maximum is 40 because the double-byte characters occupy double the width of Latin characters.
Note: The maximum number of characters displayed in the preboot startup screen is 1024. There is also a limit of 19 lines of text; therefore, not all 1024 characters may be displayed as some longer words can cause lines to wrap early. In the Chinese, Japanese, and Korean versions, the maximum number of characters displayed in the preboot splash screen is 512, instead of 1024. This is due to the double-byte characters occupying double the width of Latin characters when displayed.
2 In the Preboot Login Screen section, do the following:
  ■ Click A custom image or The SEE logo to select the image that a user should see in the Drive Encryption login screen. Alternatively, click None if you do not want a startup screen to precede the preboot authentication screen.
  ■ (Optional) If you selected A custom image, click Browse to select a custom image that is in the .xpm file format.
  ■ In the Text Color menu, click Black (default) or White to set the color of the logon message text that appears on the login screen.
3 In the Logon Customization section, type the logon message that you want to display at startup in the Logon Message box.
Note: The maximum number of characters displayed in the login screen is 80. In the Chinese, Japanese, and Korean versions, the maximum number of characters displayed in the login splash screen is 40, instead of 80. This is due to the double-byte characters occupying double the width of Latin characters when displayed.
4 Click Next.
Drive Encryption Installation Settings – Logon History page
1 On the Drive Encryption Installation Settings - Logon History page, do the following:
  ■ Check or uncheck User name.
  ■ After you check this option, the Domain option is disabled, and the Symantec Endpoint Encryption logon screen is prefilled with the name and domain of the most recently logged on user.
2 Click Next.
Drive Encryption Installation Settings – Encryption page
1 On the Drive Encryption Installation Settings - Encryption page, do the following:
  ■ Click 128-bit or 256-bit to specify the AES encryption strength in the AES encryption strength box. 256-bit is selected by default.
  ■ Select Encrypt boot disk only or Encrypt all disks to specify which disks you want to encrypt.
  ■ Check or uncheck Include unused disk space when encrypting disks and partitions. This check box is selected by default. After the selection of this option, Drive Encryption includes the encryption of the unused disk space when you encrypt the disks and partitions.
  Note: Client administrators can use the Administrator Command Line to issue an encrypt command with a --skip-unused-space option, independent of this policy setting.
  ■ Check or uncheck Double-write sectors during encryption or decryption (May significantly increase encryption and decryption time). After you check this option, every data sector is double-written during fixed disk encryption or decryption and may significantly increase encryption and decryption time.
2 Click Next.
Drive Encryption Installation Settings – Client Monitor page
1 On the Drive Encryption Installation Settings - Client Monitor page, do one of the following:
  ■ The Do not enforce a minimum contact period with the SEE Management Server option is selected by default. After the selection of this option, you cannot enforce a regular network contact.
  ■ Click Lock computer after <x> days without contact to force a computer lockout after a specified number of days without network contact. If you select this option, you can specify the number of days a computer may remain without network contact, from 1–365. Type the number of days in advance, from 0–364, that users are warned to connect to the network and avoid a lockout in the Warn users <x> days before locking computer box.
2 Click Next.
Drive Encryption Installation Settings – Help Desk Recovery page
1 On the Drive Encryption Installation Settings - Help Desk Recovery page, do the following:
  ■ The Enable Help Desk Recovery option is selected by default. The selection of this option enables you to make this pre-Windows authentication assistance method available to Drive Encryption users.
  ■ Check or uncheck Help Desk Recovery Communication Unlock. After you check this option, it enables the users who have been locked out of their computers for a failure to communicate to regain access using the Help Desk Recovery Program.
2 Click Next.
Drive Encryption Installation Settings – Self-Encrypting Drives page
1 On the Drive Encryption Installation Settings - Self-Encrypting Drives page, the Use hardware encryption for compatible Opal-compliant drives option is checked by default. The selection of this option allows hardware encryption on Opal v2 compliant drives using an Opal drive's built-in encryption capability.
For a detailed description of qualifying conditions that Opal v2 compliant drives must meet, see: http://www.symantec.com/docs/TECH226779.
2 If you chose to enable Removable Media Encryption, click Next to configure the Removable Media Encryption installation settings. See “Configuring the Removable Media Encryption installation settings” on page 80.
Alternatively, if you chose not to enable Removable Media Encryption, click Finish, and then do the following:
  ■ In the Save MSI Package dialog box, navigate to the location where you want to save the Symantec Endpoint Encryption Client installation package.
  ■ (Optional) Change the default package name to a name of your choice.
  ■ Click Save to create the Symantec Endpoint Encryption Client installation package at the selected location.
Configuring the Removable Media Encryption installation settings
The Windows Client installation settings wizard walks you through a series of panels,
where you choose your installation settings for the features that you chose to enable.
This section contains the basic steps and information to configure the Removable
Media Encryption installation settings in the Symantec Endpoint Encryption Client
installation package. To learn more about any of the options, click the link at the
end of each procedure.
About the Symantec Removable Media Encryption Burner Application
When Removable Media Encryption is installed on a client computer, the Symantec
Removable Media Encryption Burner Application is also installed. The application
requires the enablement of the Access and Encryption policy option 'Allow read
and write access to files on removable media.'
The Symantec Removable Media Encryption Burner Application lets users encrypt
and then burn files and folders onto CDs, DVDs, and Blu-ray Discs. From the client
computer, a user can access the application in two ways:
80
Creating Symantec Endpoint Encryption client installers
Creating a Symantec Endpoint Encryption Client installation package
■
From the Windows Start menu, select Symantec Removable Media Burner
Application. When the application launches, the user can access the online
Help for instruction on using the interface.
■
From the command line, run the Removable Media Encryption Burner Application
command line. For more information, see the Symantec Endpoint Encryption
11.1.1 Removable Media Encryption Burner Application Command line Guide.
To configure the Removable Media Encryption installation settings
Removable Media Encryption Installation Settings - Access and Encryption page
1 On the Windows Client Installation Settings – Removable Media Encryption
page, click Next.
2 On the Removable Media Encryption Installation Settings - Access and
Encryption page, do the following:
■ In the Access section, do one of the following:
  ■ Click Do not allow access to files on removable media to deny read
  and write access to the files and folders that are stored on removable
  media, even if a user is registered to Symantec Endpoint Encryption.
  ■ Click Allow read-only access to files on removable media to allow
  the users to read the files that are stored on removable media. If the
  files are encrypted, users must provide the credentials that are used to
  encrypt the file to read its contents. In such a case, the users cannot
  write files to removable media.
  ■ Click Allow read and write access to files on removable media
  to allow the users to read and write files to removable media. If the files
  are encrypted, users must provide the credentials that are used to
  encrypt the file to read its contents. This option is selected by default.
  When you select this option, the options for Encryption Format,
  Automatic Encryption, and On-Demand Encryption are available.
■ In the Encryption Format section, do one of the following:
  ■ Click SEE RME to encrypt files to removable media using the Symantec
  Endpoint Encryption Removable Media Encryption 11.x format. This
  option is selected by default.
  ■ Click SEE RS to encrypt files to removable media using the Symantec
  Endpoint Encryption Removable Storage 8.2.1 format.
  Select this option if your users move files between the computers that
  are running 11.x and 8.2.1 software. This encryption format is
  backward-compatible and computers running either version of the
  software can read these files.
■ In the Automatic Encryption section, do one of the following:
  ■ Click Do not encrypt to leave files on removable media unencrypted.
  ■ Click Encrypt files as per Symantec Data Loss Prevention to use
  the detection and the response capabilities of Symantec Data Loss
  Prevention to dictate the encryption of files.
  ■ Click Encrypt new files to automatically encrypt all files newly added
  to removable media. This option is selected by default.
  Note: To exclude multimedia files or certain file types from automatic
  encryption, you can select more options on the Device and File Type
  Exclusions page.
  ■ Click Allow users to choose if you want to let the users choose whether
  or not to automatically encrypt new files. Under the Allow users to
  choose option, select the default behavior that you want to happen if
  your users do not make a choice. Choose either Default to encrypt
  new files, or Default to do not encrypt.
■ In the On-Demand Encryption section, you can:
  ■ Check Users can right-click to encrypt existing files on removable
  media to provide the users with the ability to encrypt files on removable
  media using a right-click menu. This option is selected by default.
  ■ Check Users can right-click to decrypt existing files on removable
  media to provide the users with the ability to decrypt files on removable
  media using a right-click menu.
  If Encrypt files as per Symantec Data Loss Prevention is selected,
  Symantec recommends unchecking both options.
3 Click Next.
Removable Media Encryption Installation Settings - Device and File Type Exclusions page
1 On the Removable Media Encryption Installation Settings - Device and
File Type Exclusions page, do the following:
■ In the Exemption for Multimedia Files section, check or uncheck Exclude
multimedia files from automatic encryption. Even if you select the
Encrypt new files option on the Access and Encryption page, you can
exempt certain types of multimedia files from automatic encryption by
checking Exclude multimedia files from automatic encryption. Then
leave selected one or more of the following check boxes according to the
type of multimedia file formats you want to exclude from encryption:
  ■ Audio
  ■ Video
  ■ Image
■ In the File Types Exclusion section, check or uncheck Exclude file types
extensions from automatic encryption (comma separated). Check this
option, and type the file type extensions, such as .jpeg, .exe, and so on,
that are excluded from automatic encryption.
■ In the Device Exclusions section, check or uncheck Exclude these
removable media encryption devices from encryption. Do one of the
following to exempt removable media encryption devices from encryption:
  ■ To exempt a specific device from a vendor, enter the vendor ID, product
  ID, and an optional description in the fields provided.
  ■ To exempt all the devices from a vendor, type the vendor ID in the
  Vendor ID box. Also type the wildcard character * in the Product ID
  box and an optional description in the Description (Optional) box.
2 Click Next.
Removable Media Encryption Installation Settings - Encryption Method page
1 On the Removable Media Encryption Installation Settings - Encryption
Method page, do one of the following:
■ The A password option is selected by default. The selection of this option
enables the users to restrict the encryption method to a password.
■ Click A certificate so that users can restrict the encryption method to one
certificate.
■ Click A password and/or certificate to let each user choose the encryption
method of password, certificate, or both.
2 Click Next.
Removable Media Encryption Installation Settings - Default Passwords page
1 On the Removable Media Encryption Installation Settings - Default
Passwords page, do the following:
■ In the Default Password section, do one of the following:
  ■ To allow users to set a default password, click Allow users to set a
  default password. This option is chosen by default.
    ■ To apply password aging to default passwords, check Apply
    password aging to Removable Media Encryption default
    passwords. This option ensures that users set default passwords
    that conform to the restrictions that you define. These restrictions
    are defined in the Maximum Password Age and Password History
    sections of the Management Agent Password Authentication policy.
    These settings define expiration dates and restrict password reuse.
  Note: If you let users set a default password, you can also let them set
  session passwords. You cannot allow both default passwords and device
  session passwords to be set.
  ■ To prevent users from setting a default password, click Do not allow
  users to set a default password.
■ If the Session Passwords section is available, do one of the following:
  ■ To allow users to set session passwords, click Allow users to set
  session passwords; otherwise, click Do not allow users to set
  session passwords.
  If you let users set session passwords, choose the password expiration
  method:
    ■ To permanently expire (delete) session passwords at the end of
    each Windows session, click Delete session passwords at the
    end of every Windows session. Users must recreate the
    passwords.
    ■ To temporarily expire (deactivate) session passwords at the end of
    each Windows session, click Deactivate session passwords at
    the end of every Windows session, but allow them to persist
    across every Windows session. Passwords remain on the user's
    computer, but the user must toggle them on.
    ■ To apply password aging to session passwords, click Apply
    password aging to session passwords. This option ensures that
    users set session passwords that conform to the restrictions that
    you define. These restrictions are defined in the Maximum Password
    Age and Password History sections of the Management Agent
    Password Authentication policy. These settings define expiration
    dates and restrict password reuse.
    ■ To prevent session passwords from expiring, click Do not delete or
    deactivate session passwords. This option is chosen by default.
■ If the Device Session Password section is available, do one of the
following:
  ■ To allow users to set device session passwords, click Allow users to
  set a device session password for each removable media
  encryption device. Device session passwords are useful in a kiosk
  environment.
  Note: If you enable device session passwords, you cannot use recovery
  certificates. Even if you enable certificates on the Recovery Certificate
  page, Removable Media Encryption ignores them.
  ■ If you do not want users to set device session passwords, click Do not
  allow users to set a device session default password for each
  removable device. This option is chosen by default.
2 Click Next.
See “Configuring the Management Agent installation settings” on page 71.
Removable Media Encryption Installation Settings - Recovery Certificate page
Note: Use the Recovery Certificate policy to include the copy of the Recovery
Certificate that does not have the private key in the Removable Media Encryption
package. Upon receipt, clients begin to encrypt files using this Recovery Certificate
in addition to the user’s credentials. The Recovery Certificate policy only applies
to computers on which write access and encryption are enabled for removable
media devices.
1 On the Removable Media Encryption Installation Settings - Recovery
Certificate page, do one of the following:
■ Click Do not encrypt files with a recovery certificate not to include a
copy of the Recovery Certificate in the client installation package. This
option is selected by default.
■ Click Encrypt files with a recovery certificate if you want to use a
Recovery Certificate.
Note: If you enable device session passwords on the Default Passwords
page, Removable Media Encryption ignores recovery certificates.
  ■ When you are prompted for the location of the PKCS#7 format certificate
  file (.p7b), choose a certificate file.
  ■ Click OK.
  ■ On the Recovery Certificate page, the issuer and serial number of the
  certificate appear. Click Change Certificate to select a different certificate
  file.
2 Click Next.
Removable Media Encryption Installation Settings - Portability page
1 On the Removable Media Encryption Installation Settings - Portability
page, do the following:
■ In the Access Utility section:
  ■ Check or uncheck Copy the Removable Media Access Utility for
  Windows to removable media. When this option is checked, the
  Removable Media Access Utility that runs on Windows computers is
  written to removable media automatically.
  ■ Check or uncheck Copy the Removable Media Access Utility for Mac
  OS X to removable media. When this option is checked, the Removable
  Media Access Utility that runs on Mac OS X computers is written to
  removable media automatically.
■ In the Self-Decrypting Archive section:
  ■ Check or uncheck Allow users to save files as password encrypted
  self-decrypting archive. When this option is checked, users are
  permitted to create self-decrypting archives.
2 Click Next.
Removable Media Encryption Installation Settings - Expired Certificates page
1 On the Removable Media Encryption Installation Settings - Expired
Certificates page, do one of the following:
■ Check Users can use expired certificates to encrypt files so that the
user can encrypt the file using an expired certificate.
■ If you uncheck this option, the user cannot use an expired certificate for file
encryption.
2 Click Finish.
3 In the Save MSI Package dialog box, navigate to the location where you want
to save the Symantec Endpoint Encryption Client installation package.
4 (Optional) Change the default package name to a name of your choice.
5 Click Save to create the Symantec Endpoint Encryption Client installation
package at the selected location.
About enabling features in the Symantec Endpoint Encryption Client installation package
When you create a Symantec Endpoint Encryption Client installation package, you
enable features depending upon your organization's security requirements. Use
the Windows Client Installation Settings wizard to specify the features that you want
to enable in Symantec Endpoint Encryption Client. The Symantec Endpoint
Encryption Client installation package contains the policy settings for all of the
features that you enable. This topic provides information about enabling features
in the Symantec Endpoint Encryption Client installation package.
On the Windows Client Installation Settings – Features page of the Windows
Client Installation Settings wizard, you can choose to enable the following features:
■ For disk encryption:
  ■ Drive Encryption, or
  ■ Symantec Endpoint Encryption for BitLocker
■ Removable Media Encryption
You cannot install both Drive Encryption and Symantec Endpoint Encryption for
BitLocker on the same client computer. If you already have Drive Encryption
installed, you cannot enable Symantec Endpoint Encryption for BitLocker. Similarly,
if you already have Symantec Endpoint Encryption for BitLocker installed, you
cannot enable Drive Encryption. However, you can enable Removable Media
Encryption with either feature.
Enabling additional features on Microsoft Windows clients
You can create and deploy a new Symantec Endpoint Encryption Client installation
package to modify the number of features that are installed on version 11.1.1 client
computers. First ensure that the disk is already fully encrypted or decrypted. If disk
encryption or decryption is in progress, wait until the operation is complete before
you deploy the installation package.
For information about deploying the Symantec Endpoint Encryption Client installation
package to install additional features on client computers, see Deploying client
installers using the command line.
Note: You cannot use the Windows Client Installation Settings wizard to remove
features from client computers. You must uninstall the unwanted features individually.
See “About uninstalling the Symantec Endpoint Encryption client” on page 130.
See “Creating a Symantec Endpoint Encryption Client installation package”
on page 69.
Table 5-1 Modifying features in the Symantec Endpoint Encryption Client
installation package

Features that are already installed | Features that you want to add | Features that you must enable in the client installation package
Drive Encryption | Removable Media Encryption | ■ Drive Encryption ■ Removable Media Encryption, OR Removable Media Encryption only
Removable Media Encryption | Drive Encryption | ■ Drive Encryption ■ Removable Media Encryption, OR Drive Encryption only
Removable Media Encryption | Symantec Endpoint Encryption for BitLocker | ■ Symantec Endpoint Encryption for BitLocker ■ Removable Media Encryption, OR Symantec Endpoint Encryption for BitLocker only
Drive Encryption | ■ Symantec Endpoint Encryption for BitLocker ■ Removable Media Encryption | This is not a valid feature combination.
■ Drive Encryption ■ Removable Media Encryption | Symantec Endpoint Encryption for BitLocker | This is not a valid feature combination.
Creating a Symantec Endpoint Encryption for FileVault installation package
The Mac FileVault Client installation wizard walks you through a series of panels,
where you choose your policy settings. You must perform the following steps to
successfully create a Symantec Endpoint Encryption for FileVault installation
package from the Management Console.
To create a Symantec Endpoint Encryption for FileVault installation package
1 In the left pane, click Symantec Endpoint Encryption Software Setup > Mac
FileVault Client.
2 On the Create Mac OS X Installer - Introduction page, click Next.
3 On the Create Mac OS X Installer – Institutional Recovery Key page, do
the following:
■ (Default) Select the Use an Institutional Recovery Key check box. The
selection of this option enables you to include an Institutional Recovery Key
certificate in the install-time policy.
■ Click Change Key to locate the path of the Institutional Recovery Key
certificate, and select it.
■ After you select the Institutional Recovery Key certificate, the name of the
provider and the serial number of the Institutional Recovery Key appear in
the Issued By and Serial boxes on the Create Mac OS X Installer –
Institutional Recovery Key panel. To select a different Institutional
Recovery Key certificate file, click Change Key.
4 Click Next.
5 On the Create Mac OS X Installer - Communication page, do the following:
■ In the Send status updates every <x> minutes box, specify how frequently
the Symantec Endpoint Encryption for FileVault client should send status
updates to Symantec Endpoint Encryption Management Server. The
communication interval is set to 60 minutes by default.
■ Verify the Connection Name, Server, Name, Domain, and type the
password in the Password box under the Communication information
section.
6 Click Finish.
7 In the Save Mac Package dialog box, navigate to the location where you want
to save the Symantec Endpoint Encryption for FileVault installation package.
8 If required, change the default Symantec Endpoint Encryption for FileVault
package name.
9 Click Save to create the Symantec Endpoint Encryption for FileVault installer
with the administrative policies you have configured at your desired location.
Creating a Windows Password Reset Utility installation package
The Symantec Endpoint Encryption Windows Password Reset snap-in enables you
to create a Windows Password Reset Utility installation package. When you install
the Windows Password Reset Utility on a Drive Encryption client computer, the
utility extends the functionality of the Drive Encryption Self-Recovery feature and
the Help Desk Recovery feature to enable users to reset their Windows password
by themselves. Use the Windows Password Reset Utility to reduce support calls
to the local help desk when users forget their Windows password.
Note: To create a Windows Password Reset Utility installation package, you must
have either the Server Administrator role or the Setup Administrator role. If the
policy administrator enabled the Windows Password Reset using Drive Encryption
Self-Recovery, existing registered users are automatically prompted to reconfigure
their security questions and answers in Drive Encryption Self-Recovery wizard after
the Windows Password Reset Utility is installed.
To create a Windows Password Reset Utility MSI file
1 In the left pane of the Management Console, click the Symantec Endpoint
Encryption Windows Password Reset snap-in.
2 On the Windows Password Reset - Management Password Authentication
page, in the Management Password field, type the management password.
3 Click Next.
4 On the Windows Password Reset - Settings page, check one or more of the
following options:
■ Drive Encryption Self-Recovery - Enables users to reset their Windows
password using the Drive Encryption Self-Recovery feature.
■ Help Desk Recovery - Enables users to reset their Windows password
using the Help Desk Recovery feature.
5 Click Finish and save the MSI file at the desired location.
Note: If you use a custom folder location, make sure that you install the Windows
Password Reset Utility at the same location as Drive Encryption is installed.
About the Autologon Utility
Use the Autologon Utility to configure Microsoft Windows client computers to bypass
the preboot authentication screen that Symantec Endpoint Encryption Management
Server enforces. By default, the Autologon function is not in effect for a computer.
As an administrator, you can use Autologon when you want to update or deploy
software on a client computer that requires multiple restarts. Patch management
is an example of a process that can require multiple restarts.
Caution: A client computer running the Autologon utility is in a state of heightened
vulnerability. Using Autologon inappropriately weakens the data protection that
Drive Encryption provides. To minimize the associated risks, carefully review your
procedures for enabling and disabling the Autologon function. The Autologon function
should be disabled immediately when its intended use is achieved. For example,
ensure that you disable the Autologon function immediately after you finish updating
client computers.
To make the Autologon Utility available to client computers, generate Autologon
client MSI files. You can create an MSI file in an enabled or disabled state. After
you deploy and install the Autologon MSI on client computers, client administrators
can use the Drive Encryption Administrator Command Line to manage Autologon.
They can override the existing policy and enable or disable the Autologon
functionality, as needed.
See “Creating Autologon MSI files” on page 91.
Creating Autologon MSI files
Prerequisite: Make sure that you have installed the Autologon Utility and added
it to the Management Console as a snap-in. For more information, see the "Adding
the Autologon snap-in to the Management Console" topic in the Symantec Endpoint
Encryption Installation Guide.
To create Autologon client MSI files
1 In the left pane of the Management Console, click Symantec Endpoint
Encryption Autologon Utility.
2 On the Autologon Utility - Settings page, in the Management password
field, type the management password that is currently in use.
3 Under Autologon, do one of the following:
■ To enable the Autologon feature and create the Autologon Infinite MSI
file, click Always Autologon.
■ To disable the Autologon feature and create the Autologon NoAutologon
MSI file, click Autologon only when activated by admin locally.
4 Under Autologon Precedence, do one of the following:
■ To enable users to log on to a locked out computer when Autologon is
enabled, click Autologon takes precedence over client monitor lockout.
■ To prevent users from logging on to a locked out computer when Autologon
is enabled, click Client monitor lockout takes precedence over
Autologon.
5 Click Finish and save the MSI file.
Note: If you want to deploy, save the created MSI files in a folder that is in a
shared network location. For example, the location can be in the domain
controller's SYSVOL folder.
See “About the Autologon Utility” on page 91.
See “Installing an Autologon MSI file on a client computer” on page 92.
Installing an Autologon MSI file on a client computer
Caution: A client computer running Autologon is in a state of heightened vulnerability.
To minimize the associated risks, carefully review your procedures for enabling and
disabling Autologon. Autologon should be disabled immediately when its intended
use is achieved.
Note: If you installed the Symantec Endpoint Encryption Client to a custom
installation folder, make sure that you install the Autologon Utility in the same
location.
To install an Autologon MSI file on a client computer
1 Navigate to the folder in which you saved the Autologon client MSI file that you
created.
2 Double-click the MSI file that you want.
3 Restart the computer.
■ If the MSI file is Autologon NoAutologon, after the restart the user is
prompted to authenticate during preboot.
■ If the MSI file is Autologon Infinite, after the restart the user is no longer
prompted to authenticate during preboot.
On a client computer, to enable, disable, or set the count of authentication bypasses,
a client administrator can use the Drive Encryption Administrator Command Line.
For more information, see the Symantec Endpoint Encryption Drive Encryption
Administrator Command Line Guide.
See “About the Autologon Utility” on page 91.
See “Creating Autologon MSI files” on page 91.
Chapter 6
Deploying new clients
This chapter includes the following topics:
■ Deploying client packages using a third-party tool
■ Deploying new clients using Group Policy Objects
■ Installing the client software manually
■ Installing the Windows Password Reset Utility on a client computer
■ Deploying client installers using the command line
■ Where to find more information about deploying clients
Deploying client packages using a third-party tool
Installation of the Symantec Endpoint Encryption Client packages can be
accomplished using any third-party deployment tool that supports the MSI format.
To avoid installation errors, make sure that when you create the client installer
packages that you save them to a local hard disk or other volume which includes
Full Control permissions. The client installer packages can then be copied to
removable media, a network volume accessible to the client, or the local hard disk
of the client computer.
Note: If you run the Symantec Endpoint Encryption Client installation package to
modify the number of features that are installed on the client computer, first ensure
that the disk is already fully encrypted or decrypted. If disk encryption or decryption
is in progress, wait until the operation is complete.
Deploying new clients using Group Policy Objects
You can deploy the Symantec Endpoint Encryption Client installer using Active
Directory. Use a GPO to include the MSI file, and establish a shared distribution
location that client computers access. Tailor these procedures to suit the
requirements of your organization.
Note: If you run the Symantec Endpoint Encryption Client installation package to
modify the number of features that are installed on the client computer, first ensure
that the disk is already fully encrypted or decrypted. If disk encryption or decryption
is in progress, wait until the operation is complete.
Creating Symantec Endpoint Encryption Client installers for distribution
To create Symantec Endpoint Encryption client installers for distribution
◆ Create the MSI file for Symantec Endpoint Encryption Client. Choose the 32-bit
or 64-bit version, as appropriate for the version of Microsoft Windows installed
on your client computers.
For more information about creating the Symantec Endpoint Encryption Client
installation package, see the Creating Symantec Endpoint Encryption client installers
chapter available in the Symantec Endpoint Encryption Management Server Online
Help.
See “Creating a Symantec Endpoint Encryption Client installation package”
on page 69.
Creating an Active Directory distribution point
To create a distribution point on your Active Directory forest or domain
1 Save the created MSI file that you want to deploy using a GPO in a folder that
is in a shared network location. For example, the location can be the domain
controller's SYSVOL folder. The created folder is the distribution point on your
Active Directory forest or domain.
2 Set the folder properties to enable users to have read and execute permissions.
For example, you can avoid access permission issues during deployment if
you set the security property of the shared folder to Everyone.
Caution: Carefully review your procedures on your network and follow the rights
assignment policies of your organization. Reset the security property of the
shared folder immediately when you finish deployment.
Creating GPOs to deploy the installer MSI
To create Group Policy Objects and deploy the client installer
Note: To deploy the client installer package with a GPO, you must install it as
part of a software installation computer policy and not as part of a software
installation user policy. Also, ensure that you create separate GPOs for 32-bit and
64-bit packages.
Note: If User Account Control (UAC) is enabled on a client computer, you must
enable the Always install with elevated privileges group policy setting for Computer
Configuration and User Configuration before you install the client installation package
with a GPO.
1 Open Symantec Endpoint Encryption Management Console.
2 In the left pane, expand Group Policy Management.
3 Right-click Group Policy Objects and click New.
4 In the New GPO window, type a GPO title in the Name box and click OK to
save the new policy.
5 Right-click the created GPO, and select Edit.
6 In the Group Policy Management Editor, expand Computer Configuration
and navigate to Policies and Software settings.
7 Right-click Software Installation, and select New > Package.
8 Navigate to the distribution point where you previously saved the Symantec
Endpoint Encryption client installer.
9 Select the MSI that you want to include in a GPO for deployment and click
Open.
Note: Each MSI must have its own GPO. Ensure that you create separate
GPOs for 32-bit and 64-bit packages.
10 In the Deploy Software dialog box, accept the default value of Assigned and
click OK one or more times as prompted.
11 Close the Group Policy Management Editor.
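The distribution point from "Creating an Active Directory distribution point" and the separate 32-bit and 64-bit GPOs required at step 9, as an added PowerShell example that is not part of the Symantec guide: it creates the shared folder with read-and-execute rights for domain computers instead of Everyone, checks the resulting ACL, and sorts each package into an x86 or x64 folder by reading the MSI Template summary property. The share path, source folder and group name are assumptions.

```powershell
# Added example, not from the Symantec guide. All paths and the group name
# below are assumptions; replace them with your organization's values.
$DistributionPoint = '\\dc01.corp.example\SYSVOL\corp.example\SEEClient'  # assumed share path
$SourceDir         = 'C:\SEE\Packages'                                    # assumed staging folder

function Get-MsiTemplate {
    # Returns the MSI Template summary property (PID 7): "Intel;1033" for a
    # 32-bit package, "x64;1033" for a 64-bit package.
    param([Parameter(Mandatory)][string]$Path)
    $installer = New-Object -ComObject WindowsInstaller.Installer
    # OpenDatabase(path, 0): 0 opens the package read-only.
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($Path, 0))
    $si = $db.GetType().InvokeMember('SummaryInformation', 'GetProperty', $null, $db, @(0))
    $template = $si.GetType().InvokeMember('Property', 'GetProperty', $null, $si, @(7))
    foreach ($o in $si, $db, $installer) {
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($o)
    }
    return [string]$template
}

function Initialize-DistributionPoint {
    # Creates the folder and replaces inherited rights with an explicit ACL:
    # administrators and SYSTEM get full control; domain computers (the account a
    # computer-scoped software installation policy runs as) get read/execute only.
    param([Parameter(Mandatory)][string]$Path,
          [string]$ClientGroup = "$env:USERDOMAIN\Domain Computers")   # assumed group
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited rules
    $grants = @(
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = $ClientGroup;             Rights = 'ReadAndExecute' }
    )
    $ruleType = 'System.Security.AccessControl.FileSystemAccessRule'
    foreach ($g in $grants) {
        $rule = New-Object -TypeName $ruleType -ArgumentList $g.Id, $g.Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-DistributionPointAcl {
    # Returns $true when no rule names Everyone and nobody besides administrators
    # and SYSTEM holds write rights. Run it again after deployment, since the
    # guide says to reset the share's security property when you are done.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    $writeBit = [System.Security.AccessControl.FileSystemRights]::Write
    $bad = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -or
        ($_.AccessControlType -eq 'Allow' -and
         ($_.FileSystemRights -band $writeBit) -and
         $_.IdentityReference.Value -notin 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    }
    return (-not $bad)
}

function Publish-ClientPackages {
    # Copies each MSI into <Target>\x86 or <Target>\x64 according to its Template
    # property and reports the mapping, so each folder can get its own GPO.
    param([Parameter(Mandatory)][string]$Source,
          [Parameter(Mandatory)][string]$Target)
    Initialize-DistributionPoint -Path $Target
    Get-ChildItem -Path $Source -Filter '*.msi' | ForEach-Object {
        $template = Get-MsiTemplate -Path $_.FullName
        $arch     = if ($template -match '^x64') { 'x64' } else { 'x86' }
        $dest     = Join-Path -Path $Target -ChildPath $arch
        New-Item -ItemType Directory -Path $dest -Force | Out-Null
        Copy-Item -Path $_.FullName -Destination $dest -Force
        [pscustomobject]@{ Package = $_.Name; Template = $template; Folder = $dest }
    }
    if (-not (Test-DistributionPointAcl -Path $Target)) {
        Write-Warning "Distribution point $Target grants more than read/execute; review its ACL."
    }
}

Publish-ClientPackages -Source $SourceDir -Target $DistributionPoint | Format-Table -AutoSize
```

Run it from an account that can write to the share; the x86 and x64 folders it produces are the two distribution points to select at step 8 of the GPO procedure.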
Installing the client installer GPOs
After the deployment is complete, to begin the software installation, restart the client
computers.
Installing the client software manually
About installing the client software manually
Apart from the infrastructure-based deployment, the Symantec Endpoint Encryption
client software can be manually installed on individual client computers. Manual
installation is useful when the setup has only a few clients or other deployment
methods are unavailable.
Preparing to install the client software manually
Before installing the client software, you must do the following:
■
Ensure that you log on to the client computer with administrator privileges with
sufficient rights to install software.
■
For Windows clients, determine whether the client computer has a 32-bit or
64-bit version of Microsoft Windows.
■
Identify the Symantec Endpoint Encryption Client installation package that is
compatible with the version of Windows running on the client computer.
■
Provide access to the client installation packages either through a network share
or using a removable storage device.
Note: If you run the Symantec Endpoint Encryption Client installation package to
modify the number of features that are installed on the client computer, first ensure
that the disk is already fully encrypted or decrypted. If disk encryption or decryption
is in progress, wait until the operation is complete.
Installing Symantec Endpoint Encryption Client
To manually install Symantec Endpoint Encryption Client
1 Double-click the SEE Windows Client.msi file or the SEE Windows Client_x64.msi file.
2 When prompted to restart, click Yes to restart your system and complete the installation.
Installing Symantec Endpoint Encryption for FileVault
To manually install Symantec Endpoint Encryption for FileVault
1 Double-click the SEEInstaller-x.x.x installation package file, where x.x.x is the version number of the Symantec Endpoint Encryption for FileVault.
2 On the Welcome to the Symantec Endpoint Encryption Installer window, click Continue.
3 Read and agree to the Software license agreement and complete the installation.
Note: When prompted, enter the administrator user name and password to
install the software.
Installing the Windows Password Reset Utility on a client computer
When you install the Windows Password Reset Utility on a Drive Encryption client
computer, the utility extends the functionality of the Drive Encryption Self-Recovery
feature to enable users to reset their Windows password by themselves. Use the
Windows Password Reset Utility to reduce support calls to the local help desk when
users forget their Windows password.
Note: If you installed the Symantec Endpoint Encryption Client to a custom
installation folder, make sure that you install the Windows Password Reset Utility
in the same location.
To install the Windows Password Reset Utility MSI file on a client computer
1 Navigate to the folder in which you saved the Windows Password Reset Utility client MSI file that you want to install.
2 Double-click the MSI file.
3 When prompted to restart, click Yes to restart your system and complete the installation.
See “Creating a Windows Password Reset Utility installation package” on page 90.
Deploying client installers using the command line
Using the command line to deploy Symantec Endpoint Encryption Client enables
you to specify an output log file that you can use to troubleshoot any installation
problems.
Note: If you run the Symantec Endpoint Encryption Client installation package to
modify the number of features that are installed on the client computer, first ensure
that the disk is already fully encrypted or decrypted. If disk encryption or decryption
is in progress, wait until the operation is complete.
To run the Symantec Endpoint Encryption Client installer
1 Copy the installation .MSI file to the local hard disk of the computer on which you want to run the installer.
■ If the computer's operating system is 32-bit, copy the SEE Client.msi file.
■ If the computer's operating system is 64-bit, copy the SEE Client x64.msi file.
2 Depending on the version of Microsoft Windows, do one of the following:
■ Windows 7 – Click Start > All Programs > Accessories. Right-click Command Prompt and select Run as administrator. If you are prompted, enter the credentials of a domain administrator account.
■ Windows 8.x – From the Start screen, access the Apps menu. In the Windows System section, right-click Command Prompt and select Run as administrator. If you are prompted, enter the credentials of a domain administrator account.
■ Windows 10 – Click Start > All apps. In the Windows System section, right-click Command Prompt and select Run as administrator. If you are prompted, enter the credentials of a domain administrator account.
3 In the Command Prompt window, enter one of the following commands:
■ To perform a fresh installation:
MSIEXEC /i "[path]\msifile" /l*v "[logpath]\logfile"
■ To modify an existing setup by installing an additional feature:
MSIEXEC /i "[path]\msifile" REINSTALLMODE=vemus ADDLOCAL=ALL /l*v "[logpath]\logfile"
Where [path]\msifile represents the path and name of the MSI file, and [logpath]\logfile represents the path and name of the output log file.
4 When prompted, close the Command Prompt window and restart the computer.
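The following PowerShell script is an added example and is not part of the Symantec guide: it wraps the MSIEXEC command line above, selecting the 32-bit or 64-bit package by OS architecture, refusing to run without elevation, writing the verbose log, and interpreting the Windows Installer exit code so that the restart requirement and any failed action are reported. The function name, the log folder and the sample paths are assumptions; the MSI file names and msiexec arguments are those the guide gives.

```powershell
# Added example, not part of the Symantec Endpoint Encryption guide.
# Runs the SEE Client MSI exactly as the guide describes (MSIEXEC /i ... /l*v ...)
# and reports the outcome from the installer exit code and the verbose log.
# Assumptions: the MSI files use the guide's names and sit in -MsiFolder; the
# log folder and the function name are this example's own choices.
function Install-SeeClient {
    param(
        [Parameter(Mandatory)] [string] $MsiFolder,
        [string] $LogFolder = "$env:ProgramData\SEEInstallLogs",   # assumed location
        # Modify an existing setup (REINSTALLMODE=vemus ADDLOCAL=ALL). Per the guide's
        # note, only do this when the disk is fully encrypted or fully decrypted.
        [switch] $AddFeatures
    )

    # The guide requires an elevated Command Prompt; refuse to continue otherwise.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this script from an elevated (Run as administrator) session.'
    }

    # Step 1: pick the package that matches the OS architecture.
    $msiName = if ([Environment]::Is64BitOperatingSystem) { 'SEE Client x64.msi' }
               else { 'SEE Client.msi' }
    $msiPath = Join-Path $MsiFolder $msiName
    if (-not (Test-Path -LiteralPath $msiPath)) {
        throw "Installer not found: $msiPath"
    }

    New-Item -ItemType Directory -Path $LogFolder -Force | Out-Null
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $logPath = Join-Path $LogFolder "SEEClient-$stamp.log"

    # Step 3: build the argument list from the guide; /l*v writes a verbose log.
    # Paths are quoted because the package names contain spaces.
    $msiArgs = @('/i', "`"$msiPath`"")
    if ($AddFeatures) { $msiArgs += 'REINSTALLMODE=vemus', 'ADDLOCAL=ALL' }
    $msiArgs += '/l*v', "`"$logPath`""

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    # Standard Windows Installer exit codes: 0 = success, 3010 = success but a
    # restart is required (the guide's step 4), 1641 = installer started a restart.
    switch ($proc.ExitCode) {
        0       { $status = 'Installed' }
        3010    { $status = 'Installed, restart required' }
        1641    { $status = 'Installed, restart initiated' }
        default { $status = "Failed (exit code $($proc.ExitCode))" }
    }

    # On failure, surface the first action that failed. Windows Installer verbose
    # logs record a failed action as "Return value 3".
    $firstError = $null
    if ($proc.ExitCode -notin 0, 3010, 1641) {
        $firstError = Select-String -Path $logPath -Pattern 'Return value 3' |
                      Select-Object -First 1 -ExpandProperty Line
    }

    [pscustomobject]@{
        Package    = $msiName
        ExitCode   = $proc.ExitCode
        Status     = $status
        Log        = $logPath
        FirstError = $firstError
    }
}

# Example use (folder paths are placeholders):
# Install-SeeClient -MsiFolder 'C:\SEE\Installers'
# Install-SeeClient -MsiFolder 'C:\SEE\Installers' -AddFeatures
```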
Where to find more information about deploying clients
For information about creating client installers, and deploying clients, see the
Symantec Endpoint Encryption Management Server Online Help.
Section 3
Additional resources
■ Chapter 7. Using the Symantec Endpoint Encryption Management Server Configuration Manager
■ Chapter 8. Certificates and Token Software Settings
■ Chapter 9. Uninstalling Symantec Endpoint Encryption
Chapter 7 Using the Symantec Endpoint Encryption Management Server Configuration Manager
This chapter includes the following topics:
■ About using the Symantec Endpoint Encryption Management Server Configuration Manager
■ Symantec Endpoint Encryption Management Server Configuration Manager Database Configuration page
■ Symantec Endpoint Encryption Management Server Configuration Manager Web Server Configuration page
■ Symantec Endpoint Encryption Management Server Configuration Manager Active Directory Configuration page
■ Symantec Endpoint Encryption Management Server Configuration Manager Active Directory Synchronization Service page
■ Symantec Endpoint Encryption Management Server Configuration Manager Community Quality Program page
■ About Administrative Server Roles
■ Configuring Server Roles
■ Editing Server Roles
■ Disabling Server Roles
■ Symantec Endpoint Encryption Configuration Manager - Server Roles Configuration page
■ Symantec Endpoint Encryption Management Server Configuration Manager Symantec Encryption Management Server page (optional)
About using the Symantec Endpoint Encryption Management Server Configuration Manager
You can use the Symantec Endpoint Encryption Management Server
Configuration Manager to change the configuration settings of your Symantec
Endpoint Encryption Management Server.
Before you log on to the Symantec Endpoint Encryption Management Server,
consider the following:
■ If you use Microsoft Windows authentication, log on with either the Symantec Endpoint Encryption Management Server account or the database creation account.
■ If you use mixed-mode authentication, log on with an account that has local administrator rights and read and write permissions to the database.
Symantec Endpoint Encryption Management Server Configuration Manager - Database Configuration page
The Database Configuration page lets you view and change the Symantec
Endpoint Encryption database options.
Table 7-1 Options of the Database Configuration page

Database server name
This option displays the NetBIOS name of the computer that hosts the Symantec Endpoint Encryption database. If you use a named instance, this field displays the NetBIOS name and the instance name. For example, SEEDB-01\NAMEDINSTANCE.
You should edit this option if you moved the Symantec Endpoint Encryption database to a different computer, or if you renamed the computer.
Note: To enable TLS/SSL, this name must match the common name (CN) in the server-side TLS/SSL certificate.

Custom port
If you configured the Symantec Endpoint Encryption database to use a custom port, this field displays the port number. This field is empty if the Symantec Endpoint Encryption database uses the default port number. You should enter the new port number if you have changed the port number of the Symantec Endpoint Encryption database.

Database name
This field displays the name of the Symantec Endpoint Encryption database.

Authentication mode
This option lets you choose how the Symantec Endpoint Encryption Management Server authenticates with the database.
■ Windows authentication lets you configure the Symantec Endpoint Encryption Management Server to authenticate to the database through Windows Domain authentication.
■ SQL Server authentication lets you configure the Symantec Endpoint Encryption Management Server to authenticate to the database through SQL authentication.

User name
Enter the user name for the account that authenticates with the database.
■ If you use Microsoft Windows authentication, this field displays the domain account that you provisioned before you installed the Symantec Endpoint Encryption Management Server. You must enter the user name in domain\user name format.
■ If you use SQL authentication, this field displays the Microsoft SQL Server account that you created when you installed the Symantec Endpoint Encryption Management Server.
Password
■ Password – Enter the password for the Microsoft SQL Server account or the Windows Domain account. This account is the one that the Symantec Endpoint Encryption Management Server uses to communicate with the Symantec Endpoint Encryption database.
■ Show password – Select this option to display the characters that you type in the Password field.
After you save your changes, the dialog displays the message, "Changes are saved successfully." The password characters are obfuscated with symbols.

Enable TLS/SSL
Click this option to encrypt the traffic between the Microsoft SQL Server database and the Symantec Endpoint Encryption Management Server.
For more information about configuring TLS/SSL communications, see the section "About configuring TLS/SSL communications for Symantec Endpoint Encryption" in the Symantec Endpoint Encryption Installation Guide.

Cancel
To leave the wizard, click Cancel. Your settings are lost.

Next/Save
To save your settings, click Next during installation or Save during an update.
See “About using the Symantec Endpoint Encryption Management Server
Configuration Manager” on page 103.
Symantec Endpoint Encryption Management Server Configuration Manager - Web Server Configuration page
The Web Server Configuration page lets you view and modify your Symantec
Endpoint Encryption Management Server and client computer communication
settings.
Table 7-2 Options of the Web Server Configuration page

Web server name
This field displays the name of the computer that hosts the Symantec Endpoint Encryption Management Server. This field displays the NetBIOS name by default but it also accepts a fully qualified domain name (FQDN).
You may need to change this value under the following circumstances:
■ The computer name of the Symantec Endpoint Encryption Management Server is changed.
■ DNS configuration issues prevent the Configuration Manager from resolving the NetBIOS name. In this case, use the FQDN.
Note: To use HTTPS communication, this name must match the common name (CN) in the server-side TLS/SSL certificate.

Credentials
These fields display the name and domain of the Internet Information Services (IIS) client account. If you change the IIS client account, you must enter the credentials of this account.
■ User name – Enter the user name for the IIS client account.
■ Password – Enter the password for the IIS client account.
■ Show password – Select this option to display the characters that you type in the Password field.
■ Enable Windows Authentication – Select this option to distribute the Removable Media Encryption workgroup key to your Active Directory computers. To enable Windows authentication, the Windows authentication server role must be selected from the Add Roles and Features Wizard.
After you save your changes, the dialog displays the message, "Changes are saved successfully." The password characters are obfuscated with symbols.
Protocol
These fields let you select your communication protocol and enter the port numbers for HTTP and HTTPS traffic.
■ HTTP – Enter the TCP port on the Symantec Endpoint Encryption Management Server for unencrypted client communication. Make sure that the port number is not already in use.
Note: You should not use the HTTP protocol unless you are deploying the Symantec Endpoint Encryption Management Server in a test environment. Use the HTTPS protocol for secure communications in a production setting.
■ HTTPS – Select this option to enable HTTPS communication. Enter the SSL port on the Symantec Endpoint Encryption Management Server for encrypted client communication. Make sure that the port number is not already in use.

Secure certificates
These fields let you provide your client-side and server-side certificates for secure communication.
■ CA certificate – This option is the certificate that client computers use for encrypted communication with the Symantec Endpoint Encryption Management Server. The client computer uses this certificate to verify the Server certificate that the server presents during an SSL handshake. To choose the SSL certificate file, click Browse. Browse to the correct CA certificate and then click Open. The dialog box displays the certificate hash string beside the Browse option.
■ Server certificate – This option is the certificate that the Symantec Endpoint Encryption Management Server uses for encrypted communication with Symantec Endpoint Encryption client computers. To choose the SSL certificate file, click Browse. Browse to the correct TLS/SSL certificate and then click Open. The dialog box displays the certificate hash string beside the Browse option.
Note: Selecting the server-side TLS/SSL certificate in the Configuration Manager also assigns the server-side TLS/SSL certificate to the Symantec Endpoint Encryption services website.
For more information about configuring TLS/SSL communications, see the section "About configuring TLS/SSL communications for Symantec Endpoint Encryption" in the Symantec Endpoint Encryption Installation Guide.

Cancel
To leave the wizard, click Cancel. Your settings are lost.

Next/Save
To save your settings, click Next during installation or Save during an update.
See “About using the Symantec Endpoint Encryption Management Server
Configuration Manager” on page 103.
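Both the Database Configuration page (Table 7-1) and the Web Server Configuration page (Table 7-2) require the name you configure to match the common name (CN) of the server-side TLS/SSL certificate. The following PowerShell check is an added example, not part of the Symantec guide: it compares a configured name with a certificate's subject CN and, as an extra check beyond what the guide states, with its DNS subject alternative names, so that a mismatch or an expired certificate is caught before TLS/SSL or HTTPS is enabled. The function name, the named-instance handling and the sample paths are assumptions.

```powershell
# Added example, not part of the Symantec Endpoint Encryption guide.
# Pre-check for the requirement that the configured Database server name
# (Table 7-1) or Web server name (Table 7-2) matches the CN of the
# server-side TLS/SSL certificate. Function name and sample paths are
# this example's own assumptions.
function Test-SeeServerCertificateName {
    param(
        # The value typed into the Configuration Manager, e.g. 'SEEDB-01\NAMEDINSTANCE'
        # or 'seems-01.corp.example' (constructed sample values).
        [Parameter(Mandatory)] [string] $ConfiguredName,
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )

    # A named SQL instance is written HOST\INSTANCE; only the host part is a TLS
    # name. A custom port is configured separately and is never part of the name.
    $hostName = ($ConfiguredName -split '\\')[0].Trim()

    # Subject CN, which the guide requires to match the configured name.
    $cn = $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # DNS subject alternative names (OID 2.5.29.17). Modern TLS clients match these
    # rather than the CN, so a mismatch here is also worth reporting.
    # Format() output is locale dependent; 'DNS Name=' is the English label.
    $dnsNames = @()
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $dnsNames = @($sanExt.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_.Trim() -match '^DNS Name=(.+)$') { $Matches[1].Trim() }
        })
    }

    $now        = Get-Date
    $cnMatches  = ($cn -ieq $hostName)
    $sanMatches = ($dnsNames -icontains $hostName)
    $timeValid  = ($Certificate.NotBefore -le $now) -and ($Certificate.NotAfter -ge $now)

    [pscustomobject]@{
        ConfiguredName = $ConfiguredName
        HostName       = $hostName
        SubjectCN      = $cn
        DnsSans        = $dnsNames
        CnMatches      = $cnMatches
        SanMatches     = $sanMatches
        TimeValid      = $timeValid
        Thumbprint     = $Certificate.Thumbprint
        # The guide's requirement is the CN match; a SAN mismatch is only reported.
        Ok             = $cnMatches -and $timeValid
    }
}

# Example use (paths and names are placeholders):
# $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\seems.cer'
# Test-SeeServerCertificateName -ConfiguredName 'SEEDB-01\NAMEDINSTANCE' -Certificate $cert
# Or take the certificate from the local machine store by thumbprint:
# $cert = Get-Item 'Cert:\LocalMachine\My\<THUMBPRINT>'
```

Run it once against the name entered on each page; a result with CnMatches false is the mismatch the guide's notes warn about, and SanMatches false will additionally affect clients that validate SANs.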
Symantec Endpoint Encryption Management Server Configuration Manager - Active Directory Configuration page
The Active Directory Configuration page lets you view and change your Active
Directory configuration settings. You can configure directory synchronization with
multiple forests and trees. You can configure domain filtering, and also enable
TLS/SSL encryption.
Table 7-3 Options of the Active Directory Configuration page

Add one or more AD forest
Click the Add one more AD forest icon (+ symbol) to synchronize with additional Active Directory forests.

Remove this AD forest
Click the Remove this AD forest icon ("X" symbol) to remove the configuration information for the currently displayed forest.

Active Directory forest name
This field is the name of the specified forest.

Global catalog server
(Optional) This field is the name of the global catalog server computer for the specified forest. Use the fully qualified domain name of the global catalog server.

Credentials
These fields display the name and domain of the Active Directory synchronization account. If you change the Active Directory synchronization account, you must enter the credentials of this account.
■ User name – Enter the Domain and the user name for the Active Directory synchronization account.
■ Password – Enter the password for the Active Directory synchronization account.
■ Show password – Select this option to display the characters that you type in the Password field.

Enable TLS/SSL
This option lets you encrypt all of your synchronization traffic between Active Directory and the Symantec Endpoint Encryption Management Server. This option requires you to install and configure TLS/SSL certificates.
Configure the domain filter
This option lets you specify Active Directory domains to be included in or excluded from synchronization. For example, there may be domains within your forest(s) that do not contain Symantec Endpoint Encryption client computers. To improve performance and usability, you can exclude these domains from being synchronized.
To add a domain filter, click Configure Domain Filter.
In the Include Computers from column, select a domain you want to exclude and click the ">>" symbol. If you exclude a parent domain, you also exclude all child domains of that parent domain.

Cancel
To leave the wizard, click Cancel. Your settings are lost.

Next/Save
To save your settings, click Next during installation or Save during an update.
See “About using the Symantec Endpoint Encryption Management Server
Configuration Manager” on page 103.
Symantec Endpoint Encryption Management Server Configuration Manager - Active Directory Synchronization Service page
The Active Directory Synchronization Service page displays the options and
status information for your directory service.
Directory service synchronization runs about every 15 minutes and updates the
data that is different from the last synchronization such as new users or deleted
computers.
Table 7-4 Options of the Active Directory Synchronization Service page

Status
This section displays the current status of synchronization with the directory service. A message displays the last time that you synchronized the directory.
The status values are as follows:
■ Running – The synchronization service is running.
■ Stopped – The synchronization service is stopped.
■ Start Pending – The synchronization service is starting.
■ Continue Pending – The synchronization service is restarting.
■ Pause Pending – The synchronization service is stopping.

Refresh Status
To refresh the synchronization service values, click this option.

Start
To start a stopped service, click this option.

Stop
To stop the synchronization service, click this option.

Restart
To restart the service, click this option.

Full Synchronization
This option makes the Active Directory Synchronization Service run a full synchronization. It also restarts the Active Directory Synchronization Service. The Active Directory Synchronization Service works in the background. The Full Synchronization option returns to its normal state after the Active Directory Synchronization restart operation completes.
Depending on the size of your organization, this operation may take time to complete. This operation can temporarily increase the load on the Symantec Endpoint Encryption database and each directory service.

Method
This option lets you select whether each directory synchronization service should start automatically or manually.
■ To run the service automatically at boot time, click Automatic synchronization.
■ If you do not want the service to run automatically at boot time, click On-demand synchronization.
Server type
By default, each Symantec Endpoint Encryption Management Server is installed as a primary synchronizer. When you set up multiple Symantec Endpoint Encryption Management Servers, you should only configure a single Symantec Endpoint Encryption Management Server as primary. All other Symantec Endpoint Encryption Management Servers should be configured as secondary.
■ Primary synchronizer – Click this option to configure this Symantec Endpoint Encryption Management Server to act as a primary synchronizer.
■ Secondary synchronizer – Click this option to configure this Symantec Endpoint Encryption Management Server to act as a secondary synchronizer.

Reverse data verification
This option ensures that all deleted directory objects are synchronized with the Symantec Endpoint Encryption Management Server.
This setting is disabled by default.
This setting doubles the number of times that the directory is queried for changes and can decrease network performance.
You should analyze your directory synchronization network traffic before and after you enable this setting so that you can assess its effect on your network.

Cancel
To leave the wizard, click Cancel. Your settings are lost.

Next/Save
To save your settings, click Next during installation or Save during an update.
See “About using the Symantec Endpoint Encryption Management Server
Configuration Manager” on page 103.
Symantec Endpoint Encryption Management Server Configuration Manager - Community Quality Program page
The Community Quality Program page lets you opt in or opt out of submitting
anonymous system and product information about how you use this product to
Symantec. You may opt in or opt out at any time.
See “About Symantec's Community Quality Program” on page 34.
Information purpose, type and use
The purpose of the information that is collected is to help Symantec analyze and
improve the functionality of its endpoint security solutions. Such information may
be comprised of installation information, software diagnostics, and facts in other
pertinent categories. The data may include general usage statistics, server load,
whether client software is up to date, problems in the client profile, and general
security profiles.
Data collection and transmission
Symantec Endpoint Encryption Management Server periodically sends this data to
a Symantec server using SSL encryption. Data transmission takes place weekly.
This information is collected anonymously. The information that is collected cannot
be tracked to a specific user or customer. No new information is gathered. The
information already exists in your database.
When you opt in, data transmission is scheduled immediately. When you opt out,
data transmission stops; transmission is no longer scheduled.
Table 7-5 Options of the Community Quality Program tab

Participate in Symantec's Community Quality Program (default)
To opt in to the program, check the Participate in Symantec's Community Quality Program check box. To opt out of the program, uncheck the check box.
If you opt in to the program, the current server is configured to transmit telemetry data. If you have a clustered deployment, the telemetry transmissions are only done by the most recently configured Symantec Endpoint Encryption Management Server.

Cancel
To leave the wizard, click Cancel. Your settings are lost.
Next/Save
To save your settings, click Next during installation or Save during an update.
Note: If you receive the following error message, contact your SQL server administrator to troubleshoot the issue: "Unable to access Symantec Endpoint Encryption Management Server data store for the Community Quality Program. The Telemetry Credentials are invalid or SQL Server authentication has failed. To resolve this issue, contact your database administrator."
Note: For more information about troubleshooting telemetry settings, see the following Symantec Knowledgebase article: http://www.symantec.com/docs/HOWTO110233
See “About using the Symantec Endpoint Encryption Management Server
Configuration Manager” on page 103.
About Administrative Server Roles
The Symantec Endpoint Encryption Configuration Manager lets you assign Symantec
Endpoint Encryption Management Server roles to an individual or a group of
administrative users. You can assign these roles to an administrative user or a
group of administrative users and provide application-level access and allow
administrative users to access only certain server snap-ins, such as Help Desk.
The server roles are as follows:
■ Server administrator
■ Setup administrator
■ Policy administrator
■ Report administrator
■ Help Desk administrator
Server Role functions
The following table lists the server roles and the Management Console snap-ins to
which each server role allows access. The table also lists a summary of the functions
that an administrator can perform with each snap-in.
Table 7-6 Server Role functions

Server role: Server
Snap-in access: Symantec Endpoint Encryption Management Password, and all other snap-ins as listed below
Function: Set up and change the Management Password. The Management Password is required to:
■ Install and upgrade Symantec Endpoint Encryption Management Server
■ Install and upgrade the Management Console
■ Access the Help Desk Recovery snap-in in the Management Console
■ Create the Autologon utility installation package
■ Create the Windows Password Reset Utility installation package
If the Management Password is lost, the Management Server must be reinstalled.
Snap-in access: Symantec Endpoint Encryption Database Maintenance
Function: View and remove old tracked endpoints and recorded client events from the database.
Server role: Setup
Snap-in access: Symantec Endpoint Encryption Software Setup
Function: Create installation policies for the Management Agent, Drive Encryption, and Removable Media Encryption and generate client MSIs.
Snap-in access: Symantec Endpoint Encryption Autologon Utility
Function: Generate MSIs that enable or disable the autologon function on client computers. If autologon is enabled, users bypass preboot authentication.
Snap-in access: Symantec Endpoint Encryption Windows Password Reset
Function: Generate the Windows Password Reset Utility MSI that installs the Windows Password Reset feature on Drive Encryption client computers.
Server role: Policy
Snap-in access: Symantec Endpoint Encryption Native Policy Manager
Function: Create and deploy native policies to client computers.
Snap-in access: Active Directory Users and Computers
Function: Manage users and computers in the AD hierarchy.
Snap-in access: Symantec Endpoint Encryption Users and Computers
Function: Manage users and computers in the SEE hierarchy.
Snap-in access: Group Policy Management
Function: Create and deploy GPOs to client computers.
To access the Group Policy Management snap-in without issues, the user must be a member of the following four security groups:
1 Domain Administrators
2 Domain Users
3 Enterprise Administrators
4 Group Policy Creator Owners
Snap-in access: Symantec Endpoint Encryption Server Commands
Function: Issue server-based commands from the Symantec Endpoint Encryption Users and Computers snap-in. The commands are to encrypt or decrypt fixed disk drives on specified client computers. The Symantec Endpoint Encryption Server Commands snap-in provides reports on issued commands. It also provides an interface for canceling pending commands.
Server role: Report
Snap-in access: Symantec Endpoint Encryption Reports
Function: Run and customize predefined reports. View information about client computers, Active Directory and native policy settings, and Active Directory service synchronization.
To access custom reports, the user must have administrative rights. Local users cannot access custom reports.
Server role: Helpdesk
Snap-in access: Symantec Endpoint Encryption Help Desk
Function: Use online or offline Help Desk recovery options to assist users to regain access to their computers from preboot, either because of a forgotten password or a computer lockout.
Configuring Server Roles
You can define server roles for individual Active Directory users and server administrator users, and assign roles to Active Directory groups. You can define database access for users and groups, and you can limit administrative access in the Management Console. The server administrator can enable or disable this feature. When you enable this feature, the logged-in user is assigned the Server Administrator role and has access to all snap-ins.
To configure server roles for Active Directory users:
1 On the Symantec Endpoint Encryption Management Server, launch the Configuration Manager.
2 Select Server Roles from the list on the left of the screen.
3 Switch the Manage Server Roles toggle to On.
4 Do one of the following:
■ Click Add User to add and configure a role to an Active Directory user.
■ Click Add Group to add and configure one or more server roles to a group.
5 Under Select location, browse to the Active Directory users.
6 Enter at least the first few letters of a user name or group name.
7 Click Check name.
8 Select one or more users or groups from the list.
9 To assign one or more roles to one or more selected users or groups, under Assign Role, click one or more check boxes next to the roles.
10 Click Add.
11 Click Allow Symantec Endpoint Encryption to manage database access
permissions for AD users to enable Symantec Endpoint Encryption to
configure and manage SQL server logins and database access permissions
for Active Directory users.
Note: Make sure that the user who authenticated to the database has the
appropriate roles and permissions to manage SQL Server database users.
12 Click Save.
To configure server roles for Local Users:
1 On the Symantec Endpoint Encryption Management Server, launch the Configuration Manager.
2 Select Server Roles from the list on the left of the screen.
3 Switch the Manage Server Roles toggle to On.
4 Do one of the following:
■ Click Add User to add and configure a role to a local user.
■ Click Add Group to add and configure one or more server roles to a group.
5 Under Select location, browse to the local users directory.
6 Enter at least the first few letters of a user name or group name.
7 Select one or more users or groups from the list.
8 To assign one or more roles to one or more selected users or groups, under Assign Role, click one or more check boxes next to the roles.
9 Click Add.
10 Click Save.
Editing Server Roles
The server administrator can edit previously configured server roles for individual
users or groups to change administrative access within the Symantec Endpoint
Encryption Manager. The administrator can also configure and edit server roles for
multiple users or groups.
To edit Server Roles:
1 On the Symantec Endpoint Encryption Management Server, launch the Configuration Manager.
2 Select Server Roles from the list on the left of the screen.
3 Select a user or a group from the list.
4 Click Edit.
5 Select the desired roles for this user or group from the Edit Role dialog box. The user’s current roles are preselected and can be deselected.
6 Click OK, and then click Save.
Note: It is possible to select multiple users to edit simultaneously. If you do, the
dialog box is not populated with a user’s current server roles so your selection
changes all of the users to have the same roles.
Disabling Server Roles
The server administrator can disable the Server Roles feature at any time so that
all users running the Configuration Manager have access to all snap-ins. Once this
feature is disabled, the user accounts are removed from the user interface but are
not deleted from the database. If you re-enable the Server Roles feature, the
previously assigned users are available.
To disable the Server Roles feature:
1 On the Symantec Endpoint Encryption Management Server, launch the Configuration Manager.
2 Select Server Roles from the list on the left of the screen.
3 Switch the Manage Server Roles toggle to Off.
4 Click Save.
Note: When the Configuration Manager is launched and server roles are enabled,
the current user is automatically assigned to the server administrator role. This user
can modify all other users but cannot change their own role.
Symantec Endpoint Encryption Configuration Manager - Server Roles Configuration page
The Symantec Endpoint Encryption Configuration Manager lets you choose from
multiple administrative server roles to provide application-level access control. You
can assign these roles to administrative users and provide access to only certain
server snap-ins, such as Help Desk.
In Active Directory, you can create server administrator groups, and then use the
Configuration Manager to assign group-based roles. You can create groups of
server administrators who require similar administrative access permissions, then
assign the appropriate server roles to each group.
Note: Users of a subgroup do not inherit administration roles from a group above
it in the group hierarchy.
For more information about adding, editing, configuring, and removing server roles,
see the topic "Essential administration tasks" in the Symantec Endpoint Encryption
Management Server Online Help.
Table 7-7 Options of the Server Roles Configuration page
Option | Description
Manage Server Roles | Click this option to add, remove, and edit your server roles.
Add User | Click this option to add and configure a new server role to a user.
Add Group | Click this option to add and configure a new server role to a group.
Remove | Click this option to remove a server role.
Edit | This option lets you assign roles. You can assign the following roles: Server, Setup, Reports, Policy, Helpdesk. For more information, see the section Server Role functions in the topic “About Administrative Server Roles” on page 113.
Allow Symantec Endpoint Encryption to manage database access permissions for AD users | Click this option to enable Symantec Endpoint Encryption to configure and manage SQL Server logins and database access permissions for Active Directory users.
Note: Before enabling this option, ensure that the user who authenticates to the database has the appropriate roles and permissions to manage SQL Server database users.
Cancel | To leave the wizard, click Cancel. Your settings are lost.
Next/Save | To save your settings, click Next during installation or Save during an update.
Add User and Assign Role dialog
Table 7-8 Options of the Add and Assign Role dialog
Option | Description
Select Location | This section lets you browse the directory to locate the user that you want to add.
Select User | This option lets you search for a user name. Use the Show groups option to also display groups. You can enter the first letters of a user's or group's name and then click Check Name to search for the name. After you locate the user that you want to assign a role to, in the Select User list, click the check box next to the user's name.
Assign Role | This option lets you assign roles. You can assign the following roles: Server, Setup, Policy, Reports, Helpdesk. For more information, see the section Server Role functions in the topic “About Administrative Server Roles” on page 113.
Cancel | To leave the dialog, click Cancel. Your settings are lost.
Save | To add the server role(s), click Save.
Add Group and Assign Role dialog
Table 7-9 Options of the Add Group and Assign Role dialog
Option | Description
Select Location | This section lets you browse the directory to locate the group that you want to add.
Select Group | This section lets you search for a group. Enter the starting letters of a group name that you want to search for and click Check name to list and view one or more groups.
Show Users | To view the users included in a particular group, click the check box next to that group name and click Show Users. The user names in that group are displayed in the Group Users window.
Assign role | This option lets you assign roles. You can assign the following roles listed under Assign role: Server, Setup, Reports, Policy, Help Desk. To assign one or more roles to a particular group, click the check box next to that group name, click one or more check boxes next to the roles, and then click Add. In the Server Roles Configuration page, click Save.
Add | To add the server role(s) to a group, click Add.
Cancel/Close | To close the dialog, click Cancel/Close. Your settings are lost.
See “About using the Symantec Endpoint Encryption Management Server
Configuration Manager” on page 103.
Symantec Endpoint Encryption Management Server Configuration Manager - Symantec Encryption Management Server page (optional)
The Symantec Encryption Management Server page lets you configure your
new server to connect to a previous Symantec Encryption Management Server.
This feature lets you use a single console for the recovery of clients through a
whole-disk recovery token (WDRT).
Table 7-10 Symantec Encryption Management Server page
Option | Description
Activate Symantec Encryption Management Server Configuration | This option is disabled by default. If you have clients managed by the Symantec Encryption Management Server, then you can enable this option to let you configure the connection. You can use a single console to service those users as well.
Server Hostname/IP | Enter the host name or IP address of the Symantec Encryption Management Server.
Password authentication | This section contains the following fields:
■ User Name: Enter the administrator name to be used to connect to the Symantec Encryption Management Server. This administrator must have WDRT privileges.
■ Password: Enter the administrator password to be used to connect to the Symantec Encryption Management Server.
■ Show password: Select this option to display the characters that you type in the Password field.
Test connection | This option lets you verify that the connection is properly configured. If the connection is not properly configured, then an error message indicates why.
Cancel | To leave the wizard, click Cancel. Your settings are lost.
Next/Save | To save your settings, click Next during installation or Save during an update.
See “About using the Symantec Endpoint Encryption Management Server
Configuration Manager” on page 103.
Chapter 8 Certificates and Token Software Settings
This chapter includes the following topics:
■ Using Symantec Endpoint Encryption authentication certificates
■ Using Removable Media Encryption certificates
■ Recommended token software configuration
Using Symantec Endpoint Encryption authentication certificates
About certificate issuance from Windows Server 2003
If Windows Server 2003 is the operating system for the certificate authority computer,
download and apply the following Microsoft patch before issuing certificates:
http://www.microsoft.com/downloads/details.aspx?FamilyId=FFAEC8B2-99E0-427A-8110-2F745059A02D&displaylang=en
Best practices: placing a single certificate on each token
Having multiple certificates on one token is cumbersome and potentially introduces
human error. Multiple certificates that satisfy key usage and extended key usage
requirements on a single token can cause user prompts. The prompts appear each
time a user logs on to the Management Agent. Make sure, therefore, that only one
certificate with the required key usage and extended key usage exists on each
token.
Required key usage
Set the key usage on the certificate to be used for authentication to Symantec
Endpoint Encryption as described in the table.
Table 8-1 Required Key Usage for Symantec Endpoint Encryption Authentication Certificates
Token type | Name | Also known as
Personal Identity Verification (PIV) | digitalSignature | Digital signature
Note: Additional key usages do not prevent a certificate from being used for
authentication.
Required extended key usage
Set the extended key usage (sometimes called "enhanced key usage") on the
certificate to be used for authentication to Symantec Endpoint Encryption as
described in the table.
Table 8-2 Required Extended Key Usage for Symantec Endpoint Encryption Authentication Certificates
Token type | OID (object identifier) | Name | Also known as
Personal Identity Verification (PIV) | 1.3.6.1.5.5.7.3.2 | clientAuth | Client authentication
Note: Additional extended key usages do not prevent a certificate from being used
for authentication.
See “Recommended token software configuration” on page 127.
Using Removable Media Encryption certificates
About using Removable Media Encryption certificates
The certificate to be used for file encryption or decryption must reside within the
local Windows certificate store. The user can:
■ Manually import the certificate into the local certificate storage
■ Insert the token that contains the certificate into the computer and provide the PIN, if prompted
Required key usage
Set the key usage on the certificate to be used for file encryption or decryption as
described in the table.
Table 8-3 Required Key Usage for Removable Media Encryption Certificates
Name | Also known as
keyEncipherment | Key encipherment
Without the required key usage setting:
■ The certificate is not available for user selection
■ Administrators cannot create client installation packages or the policies that contain Recovery Certificates
Note: Additional key usages do not prevent a certificate from being used for
encryption or decryption.
See “Recommended token software configuration” on page 127.
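The following PowerShell script is an added example, not code from the Symantec guide, that audits the certificates in a Windows certificate store against both requirements above: the digitalSignature key usage plus the clientAuth extended key usage (OID 1.3.6.1.5.5.7.3.2) for authentication certificates, and the keyEncipherment key usage for Removable Media Encryption certificates. It also flags the condition the best-practice section warns about, more than one authentication-eligible certificate on a token. The function name Get-SeeCertificateEligibility and the default store path Cert:\CurrentUser\My are the example's own choices.

```powershell
# Added example (not from the Symantec guide). Requires Windows PowerShell 5.1
# or later with the Cert: drive. The store path is an assumption: token
# middleware normally publishes the token's certificates into CurrentUser\My.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # clientAuth, from Table 8-2

function Get-SeeCertificateEligibility {
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )
    $kuType  = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $kuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $ku  = $cert.Extensions | Where-Object { $_ -is $kuType }  | Select-Object -First 1
        $eku = $cert.Extensions | Where-Object { $_ -is $ekuType } | Select-Object -First 1

        # Key usage bits. A certificate without a KU extension satisfies neither table.
        $digitalSignature = [bool]$ku -and $ku.KeyUsages.HasFlag($kuFlags::DigitalSignature)
        $keyEncipherment  = [bool]$ku -and $ku.KeyUsages.HasFlag($kuFlags::KeyEncipherment)

        # Extended key usage: the clientAuth OID must appear among the EKU entries.
        # Additional EKUs do not disqualify the certificate (see the note after Table 8-2).
        $clientAuth = [bool]$eku -and
                      [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })

        [PSCustomObject]@{
            Subject         = $cert.Subject
            Thumbprint      = $cert.Thumbprint
            HasPrivateKey   = $cert.HasPrivateKey
            NotAfter        = $cert.NotAfter
            # Tables 8-1 and 8-2: digitalSignature plus clientAuth
            SeeAuthEligible = $digitalSignature -and $clientAuth
            # Table 8-3: keyEncipherment
            RmeEligible     = $keyEncipherment
        }
    }
}

$report = Get-SeeCertificateEligibility
$report | Format-Table Subject, SeeAuthEligible, RmeEligible, HasPrivateKey, NotAfter -AutoSize

# Best practice from this chapter: only one certificate with the required key
# usage and extended key usage per token, otherwise the Management Agent
# prompts the user at every logon.
$authCerts = @($report | Where-Object { $_.SeeAuthEligible -and $_.HasPrivateKey })
if ($authCerts.Count -gt 1) {
    $msg = '{0} certificates with a private key satisfy the authentication requirements; keep a single one per token.' -f $authCerts.Count
    Write-Warning $msg
}
```

Run the script while the token is inserted and its PIN has been supplied, so that the token middleware has published the certificates into the store being inspected.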
Recommended token software configuration
Configure the token software:
■ To insert the certificate into the Windows certificate store upon user logon or token insertion
■ To remove the certificate from the Windows certificate store upon user logoff or token removal
■ To disallow PIN caching
Note: If you allow PIN caching, users can gain access to the Management Agent
even after they provide an invalid PIN.
See “Using Symantec Endpoint Encryption authentication certificates ” on page 125.
See “Using Removable Media Encryption certificates” on page 126.
Chapter 9 Uninstalling Symantec Endpoint Encryption
This chapter includes the following topics:
■ Uninstalling the Symantec Endpoint Encryption Suite
■ About repairing or modifying the Symantec Endpoint Encryption Suite installation
■ About uninstalling the Symantec Endpoint Encryption client
■ About uninstalling the Symantec Endpoint Encryption client with a third-party tool
■ About uninstalling the Symantec Endpoint Encryption client software using Group Policy Objects
■ Uninstalling the Symantec Endpoint Encryption Client installation package using Group Policy Objects
■ Deploying uninstallation scripts using Group Policy Objects
■ Uninstalling the Symantec Endpoint Encryption client software using the Control Panel
■ Uninstalling the Symantec Endpoint Encryption client software using the command line
■ Uninstalling Symantec Endpoint Encryption for FileVault
Uninstalling the Symantec Endpoint Encryption Suite
To uninstall the Symantec Endpoint Encryption Suite:
1 Log on to the Symantec Endpoint Encryption Management Server with a domain account that has privileges to uninstall software and system administrator privileges on the Microsoft SQL Server.
Alternatively, you can log on with a local account that has sufficient privileges to uninstall the software and then provide credentials of a Microsoft SQL account that has administrative privileges to the database.
2 Do one of the following:
■ On Windows 2012, click Start > Settings > Control Panel > Programs and Features.
■ On Windows 2008, click Start, and then click Control Panel. Click Programs and Features.
3 (Optional) If Symantec Endpoint Encryption Autologon Client and Windows Password Reset Utility are also listed in the Programs and Features window, then select them and click Uninstall.
4 In the Programs and Features window, select Symantec Endpoint Encryption Suite. Click Uninstall.
5 In the warning dialog box, click Yes.
6 In the Symantec Endpoint Encryption Suite dialog box, do one of the following:
■ To preserve the existing database and communication account, do not click Delete my Management Database and SQL User account. This option lets you reuse these if you reinstall the Symantec Endpoint Encryption Management Server later. The wizard uses the current Windows account to uninstall the Symantec Endpoint Encryption Management Server.
■ To delete the Symantec Endpoint Encryption database and database communication account, click Delete my Management Database and SQL User account.
If the Windows account you logged on with has administrative privileges to the database, leave Windows authentication at the default state. Otherwise, click SQL authentication and enter the credentials of a Microsoft SQL account that has administrative privileges to the database.
7 Click Next.
Note: The wizard uninstalls the complete Symantec Endpoint Encryption Suite. That is, all the features and snap-ins that were installed using the Symantec Endpoint Encryption Suite are uninstalled.
To uninstall the Symantec Endpoint Encryption Suite through the command line
◆ Run the following command:
MSIEXEC /x "[path]\SEE Server Suite x64.msi" /l*v "[logpath]\logfile"
About repairing or modifying the Symantec Endpoint Encryption Suite installation
Symantec Endpoint Encryption does support modifying its installation from the
Microsoft Windows Add/Remove programs list. However, Symantec Endpoint
Encryption does not support repairing its installation from the Microsoft Windows
Add/Remove programs list.
About uninstalling the Symantec Endpoint Encryption client
When you uninstall Symantec Endpoint Encryption from client computers, you can
either uninstall specific features separately or uninstall all of the features together.
Note: While uninstalling features separately, you can specify only Drive Encryption,
Symantec Endpoint Encryption for BitLocker, and Removable Media Encryption.
The Management Agent is removed automatically when there are no other features
left to uninstall.
You can uninstall Symantec Endpoint Encryption in the following ways:
■ Using a third-party tool to execute an uninstallation script on the client computers
■ Using a GPO
■ Using the Control Panel in Microsoft Windows
■ Using the Command Prompt
Note: The uninstallation of specific features is possible only from the Command
Prompt or by using a third-party tool with an uninstallation script.
Prerequisites
Before you uninstall the Drive Encryption feature:
■ Make sure that all fixed disks are fully decrypted.
■ (Optional) Make sure that the Autologon feature is uninstalled.
■ (Optional) Make sure that the Windows Password Reset Utility is uninstalled.
Before you uninstall the Symantec Endpoint Encryption for BitLocker feature:
■ On encrypted systems, ensure that the users back up their BitLocker Recovery Key for recovery. Symantec Endpoint Encryption Management Server does not store the BitLocker Recovery Key after the Symantec Endpoint Encryption for BitLocker client is uninstalled from the system. Encrypted systems can be uninstalled without being decrypted.
Note: If Symantec Endpoint Encryption manages this computer, you should manually
delete it from the Management Console after you uninstall.
See “About uninstalling the Symantec Endpoint Encryption client with a third-party
tool” on page 131.
See “About uninstalling the Symantec Endpoint Encryption client software using
Group Policy Objects” on page 132.
See “Uninstalling the Symantec Endpoint Encryption client software using the
Control Panel” on page 136.
See “Uninstalling the Symantec Endpoint Encryption client software using the
command line” on page 137.
About uninstalling the Symantec Endpoint Encryption client with a third-party tool
You can uninstall the Symantec Endpoint Encryption Client package using any
third-party deployment tool that supports the MSI format.
Note: Make sure that the client computers fulfill the uninstallation prerequisites
before you attempt to uninstall Symantec Endpoint Encryption Client.
For large-scale deployments, you can use the command line as a basis for scripted
uninstalls.
For example, you can create a batch file to invoke the Windows Installer
(msiexec.exe). This batch file can contain one or more of the following commands:
■ To uninstall the Drive Encryption feature:
MSIEXEC /i "[path]\msifile" REMOVE="DE" /l*v "[logpath]\logfile"
■ To uninstall the Symantec Endpoint Encryption for BitLocker feature:
MSIEXEC /i "[path]\msifile" REMOVE="BL" /l*v "[logpath]\logfile"
■ To uninstall the Removable Media Encryption feature:
MSIEXEC /i "[path]\msifile" REMOVE="RME" /l*v "[logpath]\logfile"
■ To uninstall all of the Symantec Endpoint Encryption features together:
MSIEXEC /x "[path]\msifile" /l*v "[logpath]\logfile"
Where [path]\msifile represents the path and name of the MSI file, and [logpath]\logfile represents the path and name of the output log file.
Note: If you want to uninstall Symantec Endpoint Encryption Client from both 32-bit
and 64-bit computers, make sure that the commands specify the appropriate MSI
files.
About uninstalling the Symantec Endpoint Encryption client software using Group Policy Objects
If you used a Group Policy Object to deploy Symantec Endpoint Encryption clients,
you must use the same GPO to uninstall them.
Note: You should never uninstall GPO-deployed client packages outside the GPO, whether manually or from the command line.
The uninstallation process consists of the following steps:
1. If you used a GPO to deploy the Drive Encryption feature, issue a server command to decrypt all of the fixed drives on all of the targeted computers.
2. If you used a GPO to deploy the Removable Media Encryption feature, manually decrypt all of the files on the removable drives that do not contain the Removable Media Access Utility.
3. Uninstall the desired features, or all of them.
Depending upon the way in which you deployed Symantec Endpoint Encryption 11.1.1, there are two ways to uninstall the clients using GPOs:
■ Completely uninstall the Symantec Endpoint Encryption Client package from all of the client computers by removing the MSI file from the GPO. This method is available only if you installed Symantec Endpoint Encryption 11.1.1 directly, for example, you did not use a GPO to upgrade to version 11.1.1.
■ Deploy an uninstallation script to remove the desired features, or all of them. This method is available only if you used a GPO to upgrade to Symantec Endpoint Encryption 11.1.1 from an earlier product.
As a best practice, you should set the appropriate Microsoft Windows policies to
prevent users from manually removing the client packages.
Note: Uninstallation fails if all drives are not fully decrypted.
See “Uninstalling the Symantec Endpoint Encryption Client installation package
using Group Policy Objects” on page 133.
See “Deploying uninstallation scripts using Group Policy Objects” on page 135.
Uninstalling the Symantec Endpoint Encryption Client installation package using Group Policy Objects
Uninstall the GPO-managed client installation package when you want to uninstall
all of the Symantec Endpoint Encryption features at the same time. You can use
this uninstallation method only if you used a GPO to install Symantec Endpoint
Encryption 11.1.1 directly, and have not upgraded from an earlier product.
Note: Make sure that the client computers fulfill the uninstallation prerequisites
before you attempt to uninstall Symantec Endpoint Encryption Client. See “About
uninstalling the Symantec Endpoint Encryption client” on page 130.
To uninstall the Symantec Endpoint Encryption Client installation package using GPOs:
1 In the navigation pane of the Management Console, expand the Group Policy Management snap-in.
2 Expand the domain in which you want to uninstall the client software.
3 Expand Group Policy Objects.
4 Right-click the GPO that you used to deploy the client software, and select Edit.
5 In the Group Policy Management Editor window, expand Computer Configuration.
6 Expand Policies > Software Settings.
7 Right-click Software installation, and select Properties.
8 In the Software installation Properties dialog box, click the Advanced tab.
9 To configure the GPO to uninstall the unmanaged software packages from the subscribed computers, check Uninstall the applications when they fall out of the scope of management.
10 Click OK to close the dialog box.
11 In the navigation pane of the Group Policy Management Editor window, click Software installation.
The right pane of the window displays a list of the software packages that were deployed using this GPO.
12 Right-click the software package that you want to uninstall from all of the computers in the domain, and select Remove.
13 In the Remove Software dialog box, check Immediately uninstall the software from users and computers and click OK.
14 Close the Group Policy Management Editor window.
Deploying uninstallation scripts using Group Policy Objects
Deploying an uninstallation script enables you to uninstall specific Symantec
Endpoint Encryption features from the client computers. Alternatively, you can also
use an uninstallation script to completely uninstall Symantec Endpoint Encryption
from the client computers.
Note: You can use this uninstallation method only if you used a GPO to upgrade
to Symantec Endpoint Encryption 11.1.1 from an earlier product.
Before you begin
Make sure that the client computers fulfill the uninstallation prerequisites before
you attempt to uninstall Symantec Endpoint Encryption Client.
See “About uninstalling the Symantec Endpoint Encryption client” on page 130.
Creating an uninstallation script file
Create a script file that includes one or more of the following commands:
■ To uninstall the Drive Encryption feature:
MSIEXEC /i "[path]\msifile" REMOVE=DE /l*v "[logpath]\logfile"
■ To uninstall the Symantec Endpoint Encryption for BitLocker feature:
MSIEXEC /i "[path]\msifile" REMOVE=BL /l*v "[logpath]\logfile"
■ To uninstall the Removable Media Encryption feature:
MSIEXEC /i "[path]\msifile" REMOVE=RME /l*v "[logpath]\logfile"
■ To uninstall all of the Symantec Endpoint Encryption features together:
MSIEXEC /x "[path]\msifile" /l*v "[logpath]\logfile"
Where [path]\msifile represents the share path and name of the MSI file, and [logpath]\logfile represents the path and name of the output log file.
Configuring GPOs to deploy the uninstallation script
Note: If your network includes both 32-bit and 64-bit systems, make sure that you
update all of the relevant GPOs.
To configure GPOs to deploy the uninstallation script:
1 Open the Symantec Endpoint Encryption Management Console.
2 In the left pane, expand Group Policy Management and navigate to the GPO that you previously used to upgrade the Symantec Endpoint Encryption clients.
3 Right-click the GPO and click Edit.
4 In the left pane of the Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows settings > Scripts (Startup/Shutdown).
5 In the right pane, double-click Startup.
6 On the Scripts tab of the Startup Properties dialog box, click Add.
7 In the Add a script dialog box, click Browse.
8 Use the navigation window to select the uninstallation file, and then click Open.
9 To submit the script file, click OK.
10 In the Startup Properties dialog box, select the upgrade script that you previously used to upgrade the Symantec Endpoint Encryption clients, and click Remove.
11 To close the Startup Properties dialog box, click OK.
12 Close the Group Policy Management Editor.
Deploying the uninstallation script
After you finish configuring the GPO, restart the client computers to begin the
uninstallation.
Uninstalling the Symantec Endpoint Encryption client software using the Control Panel
You can uninstall the Symantec Endpoint Encryption client software from a Microsoft
Windows computer by using the Windows Add/Remove Programs utility. However,
if the client software was installed using a Group Policy Object, it can only be
uninstalled through that same GPO.
Perform the following procedure to uninstall the Symantec Endpoint Encryption
client software using the Add/Remove Programs utility in the Control Panel.
Note: This uninstallation method removes all of the Symantec Endpoint Encryption
features from client computers.
To uninstall the Symantec Endpoint Encryption client software manually:
1 Log on to the client computer using an administrator account or another account with sufficient privileges to uninstall software.
2 To access the Control Panel, do one of the following:
■ For Microsoft Windows 7, click Start > Control Panel.
■ For Microsoft Windows 8.x, access the Start screen, and type Control Panel. In the Apps search results, click the Control Panel icon.
■ For Microsoft Windows 10, in the Search the web and Windows search bar, type Control Panel. In the search results menu, click the Control Panel icon.
3 Do one of the following:
■ In the Category view of the Control Panel, under Programs, click Uninstall a program.
■ Click Programs and Features.
4 In the Programs and Features window, select Symantec Endpoint Encryption Client.
5 Click Uninstall.
6 If prompted to confirm, click Yes.
7 (Optional) If Symantec Endpoint Encryption Autologon Client and Windows Password Reset Utility are also listed in the Programs and Features window, uninstall them the same way.
8 After all of the clients are uninstalled, restart the computer when prompted.
Uninstalling the Symantec Endpoint Encryption client software using the command line
Client Administrators can use the command prompt to uninstall one or more
Symantec Endpoint Encryption features from a single computer. You can also
uninstall the Autologon Utility. The results of the uninstallation are saved in a log
file that you specify.
Note: Make sure that the client computers fulfill the uninstallation prerequisites
before you attempt to uninstall Symantec Endpoint Encryption Client. See “About
uninstalling the Symantec Endpoint Encryption client” on page 130.
If you are prompted to restart the computer after uninstalling one or more client features, accept the prompt. When Microsoft Windows starts, return to the command prompt and enter the remaining commands to uninstall the remaining software.
Note: To perform a silent uninstallation, append the CONDITION_NOUI=1 parameter to the commands in the following procedure.
To uninstall Symantec Endpoint Encryption client software using the command
line:
1 Click Start > Run.
2 In the Run dialog box, type cmd.
3 To open the command prompt, click OK.
4 (Optional) To uninstall the Autologon Utility when the Autologon feature is enabled permanently, enter one of the following commands:
■ For 32-bit systems:
msiexec -x "[Path]\Autologon Infinite DD MMM YYYY.msi" /qn /live LogFilePath
■ For 64-bit systems:
msiexec -x "[Path]\Autologon Infinite_x64 DD MMM YYYY.msi" /qn /live LogFilePath
5 (Optional) To uninstall the Autologon Utility when the Autologon feature is enabled by a client administrator, enter one of the following commands:
■ For 32-bit systems:
msiexec -x "[Path]\Autologon NoAutologon.msi" /qn /live LogFilePath
■ For 64-bit systems:
msiexec -x "[Path]\Autologon NoAutologon_x64.msi" /qn /live LogFilePath
6 (Optional) To uninstall the Drive Encryption feature, enter one of the following commands:
■ For 32-bit systems:
msiexec -i "[Path]\SEE Client.msi" REMOVE=DE /l*v LogFilePath
■ For 64-bit systems:
msiexec -i "[Path]\SEE Client x64.msi" REMOVE=DE /l*v LogFilePath
7 (Optional) To uninstall the Removable Media Encryption feature, enter one of the following commands:
■ For 32-bit systems:
msiexec -i "[Path]\SEE Client.msi" REMOVE=RME /l*v LogFilePath
■ For 64-bit systems:
msiexec -i "[Path]\SEE Client x64.msi" REMOVE=RME /l*v LogFilePath
8 (Optional) To uninstall the Symantec Endpoint Encryption for BitLocker feature, enter one of the following commands:
■ For 32-bit systems:
msiexec -i "[Path]\SEE Client.msi" REMOVE=BL /l*v LogFilePath
■ For 64-bit systems:
msiexec -i "[Path]\SEE Client x64.msi" REMOVE=BL /l*v LogFilePath
9 (Optional) To uninstall all of the Symantec Endpoint Encryption Client features, enter one of the following commands:
■ For 32-bit systems:
msiexec -x "[Path]\SEE Client.msi" /l*v LogFilePath
■ For 64-bit systems:
msiexec -x "[Path]\SEE Client x64.msi" /l*v LogFilePath
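The following script is an added example and is not part of the Symantec guide or the product: it runs steps 6 to 9 above in order, writes a verbose log per step, honours the CONDITION_NOUI=1 note, and stops when Windows Installer reports that a restart is required, since the guide has you restart before entering the remaining commands. The installer directory, log directory and the registry DisplayName pattern used as a pre-check are assumptions; the Autologon steps 4 and 5 are not included because their MSI names depend on how Autologon was enabled.

```powershell
# Added example, not from the Symantec guide: sequences the guide's msiexec
# uninstall commands, logs each, and stops when a restart is required.
# $MsiDir, $LogDir and the DisplayName pattern are assumptions for this example.
param(
    [string]$MsiDir = 'C:\SEE\Installers',   # assumed location of the SEE Client MSI
    [string]$LogDir = 'C:\SEE\Logs',
    [switch]$Silent                           # appends CONDITION_NOUI=1 as the guide's note describes
)

# Guard: the REMOVE= commands use /i, so only run them where the client is registered.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$see = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
       Where-Object { $_.DisplayName -like 'Symantec Endpoint Encryption*' }   # assumed name pattern
if (-not $see) { throw 'No Symantec Endpoint Encryption client is registered on this computer.' }

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Pick the 32-bit or 64-bit MSI name exactly as the guide spells it.
$msi = "$MsiDir\SEE Client$(if ([Environment]::Is64BitOperatingSystem) { ' x64' }).msi"
$ui  = if ($Silent) { 'CONDITION_NOUI=1' } else { '' }

# Same order as steps 6 to 9 of the guide: individual features, then the whole client.
$steps = [ordered]@{
    DriveEncryption          = "/i `"$msi`" REMOVE=DE"
    RemovableMediaEncryption = "/i `"$msi`" REMOVE=RME"
    BitLocker                = "/i `"$msi`" REMOVE=BL"
    Client                   = "/x `"$msi`""
}

foreach ($name in $steps.Keys) {
    $log = Join-Path $LogDir "uninstall-$name.log"
    $p = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru `
                       -ArgumentList "$($steps[$name]) $ui /l*v `"$log`""
    switch ($p.ExitCode) {
        0    { Write-Host "$name removed (log: $log)" }
        1605 { Write-Host "$name not installed, skipping" }      # ERROR_UNKNOWN_PRODUCT
        3010 {                                                   # ERROR_SUCCESS_REBOOT_REQUIRED
            Write-Warning "$name removed; restart Windows, then rerun this script to continue."
            exit 3010
        }
        default { throw "$name failed with msiexec exit code $($p.ExitCode); see $log" }
    }
}
Write-Host 'All Symantec Endpoint Encryption client features removed.'
```

Rerunning the script after the restart is safe: the pre-check still finds the registered client, and a feature that was already removed simply reconfigures with exit code 0 before the script moves on to the next step.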
Uninstalling Symantec Endpoint Encryption for
FileVault
Perform the following procedure to uninstall Symantec Endpoint Encryption for
FileVault from a Macintosh computer. You do not have to decrypt the disk before
uninstalling Symantec Endpoint Encryption for FileVault.
Note: Make sure that you have administrator privileges.
To uninstall Symantec Endpoint Encryption for FileVault
1 Launch the Terminal application.
2 Using Terminal, navigate to the /Library/Application Support/Symantec Endpoint Encryption/ directory.
3 Type the following command:
sudo ./uninstall
Index
Symbols
.NET
prerequisites 43
requirements 38
.NET Framework
client support 21
A
accounts 30
database access account 33
Active Directory
configuration 108
forests 54
synchronization 109
synchronization account 30
synchronizing 54
Active Directory distribution point
creating 95
agent
installation 59
authentication
Windows and SQL 46
Autologon
bypassing authentication 91
installing 59, 92
MSI files, creating 91
pre-requisite, creating 91
precaution 91
C
CD/DVD Burner
Removable Media Encryption Burner Application
description 80
certificates, TLS/SSL
about 41
configuration 54
Citrix
client support 21
client
about uninstalling with GPO 132
deploying uninstallation scripts with GPO 135
deployment 100
uninstalling 130
uninstalling manually 136
uninstalling the installation package with GPO 133
uninstalling using the command line 137
uninstalling using the Control Panel 136
uninstalling with third-party tools 131
client administrator
role 36
client computer
operating systems
Mac OS X 28
Microsoft Windows 19
smart card support 22
supported disks types 22
unsupported disks types 22
client installation package
about 66
client installer deployment
command line, using 99
Group Policy Object, using 95
third-party tool, using 94
client installers
about 66
Active Directory deployment, using 95
command line, deploying 99
command line, using 99
Group Policy Object, deploying 95
client software
installing manually 97
communications, encrypting
about 41
configuration 54
Community Quality Program
opt in, opt out 111
configuration manager
about 103
console
installation 59
D
database
access account 30, 33
backup, about 64
configuration 46
connecting 46
creation account 30
post installation configuration 103
requirements 17
verifying install 64
deployment, client 100
directory service
post installation configuration 108–109
synchronization 46, 54
disk types, supported 22
Drive Encryption
install-time policies, configuring 74
installation 59
installation settings, configuring 74
F
forests
synchronization 54
G
GPO
about uninstalling clients 132
deploying uninstallation scripts 135
uninstalling installation packages 133
H
hardware
requirements 16, 22
tablet support 22
Help Desk Recovery
installation 59
HTTP communications
about 41
configuration 54
HTTPS communications
about 41
configuration 54
I
IIS
client authentication account 30
post installation configuration 105
setting up 39
installation
connecting to database 46
database configuration 46
Drive Encryption 59
Help Desk Recovery 59
Management Console 59
process 46
Removable Media Encryption 59
repair 130
Windows Password Reset 59
wizard 46
installing
Autologon 59
M
Management Agent
install-time policies, configuring 71
installation settings, configuring 71
installation wizard 59
Management Agent installation settings wizards
about 67
Management Console
installation 59
operating systems 18
requirements 18
Management Password
about 37
creating 46
media support
Removable Media Encryption 22
Microsoft SQL Server
authentication best practices 36
connecting to 46
supported versions 17
O
operating systems
client computer
Microsoft Windows 19
Management Console 18
Symantec Endpoint Encryption Management Server 16
P
PGP Universal Server
connecting to 123
policy administrator
account 30
role 36
post installation configuration
about 103
connecting to PGP Universal Server 123
database 103
directory service synchronization 108–109
Web server 105
preboot authentication
bypassing 91
prerequisites
.NET 43
accounts 30
IIS 39
Microsoft Windows Server 2008 39
Microsoft Windows Server 2012 39
Remote Server Administration Tools 43
roles 36
server roles and services 39
R
Remote Desktop Services
client support 21
Remote Server Administration Tools 39
prerequisites 43
Removable Media Encryption
install-time policies, configuring 80
installation 59
installation settings, configuring 80
supported media 22
unsupported media 22
requirements
.NET 38
accounts 30
database 17
Management Console 18
roles 36
Symantec Endpoint Encryption Management Server 16
role services 39
roles 36
roles, server. See Server Roles
S
secure traffic
about 41
configuration 54
Server Roles
configuration 120
configuring 117
defining 113
disabling 119
editing 119
overview 113
smart card support 22
snap in, Drive Encryption
installation 59
snap in, Help Desk Recovery
installation 59
snap in, Removable Media Encryption
installation 59
snap in, Windows Password Reset
installation 59
SSL communications
about 41
configuration 54
Symantec Encryption Management Server
configuration 123
Symantec Endpoint Encryption
about 12
key features 12
Symantec Endpoint Encryption Client
features, modifying 87
install-time policies, configuring 69
installation package
features 87
installation package, creating 69
installation settings, configuring 69
installing manually 97
Symantec Endpoint Encryption for FileVault
install-time policies, configuring 89
installation package, creating 89
installing manually 97
uninstalling 139
Symantec Endpoint Encryption Management Server
configuration 103
install wizard 46
installation process 46
operating system support 16
requirements 16
verifying install 64
Symantec Endpoint Encryption Suite
uninstalling 129
synchronization
directory service 46, 54
post installation configuration 108–109
system requirements
.NET 38
.NET Framework 21
Citrix 21
database 17
FileVault 28
hardware 22
Management Console 18
operating systems
Mac OS X 28
Microsoft Windows 19
Remote Desktop Services 21
roles 36
SQL Server feature pack 38
Symantec Endpoint Encryption for FileVault 28
Symantec Endpoint Encryption Management Server 16
tablet support 22
VMware 21
T
tablets 22
telemetry
see Community Quality Program 111
TLS communications
about 41
configuration 54
Trusted Platform Module
client support 21
U
uninstalling
about uninstalling the client with GPO 132
client 130
command line, using 137
Control Panel 136
deploying uninstallation scripts with GPO 135
Mac OS X 139
Symantec Endpoint Encryption for FileVault 139
Symantec Endpoint Encryption Suite 129
uninstalling the client manually 136
uninstalling the client with third-party tools 131
uninstalling the installation package with GPO 133
user
role 36
V
VMware
client support 21
W
Web Server (IIS)
configuration 54
post installation configuration 105
prerequisites 39
Windows Password Reset
installation 59
Windows Password Reset Utility
installing 98