advertisement
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files, release notes, and/or the latest version of the applicable documentation, which are available from the Trend Micro website at: http://docs.trendmicro.com/en-us/enterprise/endpoint-encryption.aspx
Trend Micro, the Trend Micro t-ball logo, OfficeScan, and Control Manager are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
Copyright © 2017. Trend Micro Incorporated. All rights reserved.
Document Part No.: APEM67633/161108
Release Date: May 2017
Protected by U.S. Patent No.: Patents pending.
This documentation introduces the main features of the product and/or provides installation instructions for a production environment. Read through the documentation before installing or using the product.
Detailed information about how to use specific features within the product may be available in the Trend Micro Online Help and/or the Trend Micro Knowledge Base at the Trend Micro website.
Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at [email protected]
.
Evaluate this documentation on the following site: http://www.trendmicro.com/download/documentation/rating.asp
Table of Contents
Chapter 1: Introduction
Chapter 2: Deployment Planning
Control Manager Deployment ............................................................. 2-4
OfficeScan Deployment ........................................................................ 2-5
Large Enterprise Deployment .............................................................. 2-6
Deployment Including Legacy Agents ................................................ 2-7
Network Infrastructure Checklist ........................................................ 2-8
Security Infrastructure Checklist ........................................................ 2-11
End User Communication .................................................................. 2-13
Network Maintenance ......................................................................... 2-14
Chapter 3: System Requirements
PolicyServer System Requirements .............................................................. 3-2
Hardware and Scaling Requirements ................................................... 3-2
Software Requirements .......................................................................... 3-5
PolicyServer MMC System Requirements .................................................. 3-7
Full Disk Encryption System Requirements .............................................. 3-8
Recommended Disk Combinations .................................................. 3-10
File Encryption System Requirements ...................................................... 3-11
Encryption Management for Microsoft BitLocker System Requirements
i
Trend Micro Endpoint Encryption 6.0 Installation Guide
ii
Encryption Management for Apple FileVault System Requirements .. 3-14
Chapter 4: PolicyServer Installation
Logging on to PolicyServer MMC ..................................................... 4-10
Adding a Top Group ........................................................................... 4-11
Adding a New User to a Group ......................................................... 4-13
Allowing a User to Install Agents in a Group ................................. 4-15
Traffic Forwarding Services for Legacy Agents ....................................... 4-16
Configuring Traffic Forwarding Services ......................................... 4-17
Chapter 5: Control Manager Integration
Control Manager Integration Overview ..................................................... 5-2
Supported Control Manager Versions ......................................................... 5-3
Adding PolicyServer as a Managed Product to Control Manager .......... 5-3
Removing a PolicyServer Managed Product from Control Manager ..... 5-5
Chapter 6: Endpoint Encryption Agent Deployment
Command Line Helper .......................................................................... 6-8
Full Disk Encryption Deployment ............................................................ 6-10
Full Disk Encryption Manual Deployment ...................................... 6-11
Full Disk Encryption Automatic Deployment ................................ 6-15
Encryption Management for Microsoft BitLocker Installation ............ 6-17
Encryption Management for Microsoft BitLocker Manual
Table of Contents
Encryption Management for Microsoft BitLocker Automatic
Encryption Management for Apple FileVault Installation .................... 6-26
Encryption Management for Apple FileVault Manual Deployment
Encryption Management for Apple FileVault Automatic
File Encryption Manual Deployment ............................................... 6-36
File Encryption Automatic Deployment .......................................... 6-38
Chapter 7: Upgrade and Migration
Upgrade Summary of Operations ................................................................ 7-3
Upgrading PolicyServer ......................................................................... 7-6
Upgrading Multiple PolicyServer Services Connected to the Same
Upgrading PolicyServer MMC ........................................................... 7-10
Upgrading Endpoint Encryption Agents ................................................. 7-10
Supported Agent Versions .................................................................. 7-10
Upgrading Full Disk Encryption ....................................................... 7-12
Upgrading File Encryption ................................................................. 7-13
Upgrading Encryption Management for Apple FileVault ............. 7-14
Upgrading Encryption Management for Microsoft BitLocker ..... 7-14
Replacing a Previously Installed Encryption Product .................... 7-15
Migrating Full Disk Encryption to a New Enterprise .................... 7-16
Migrating Agents to a New PolicyServer .......................................... 7-18
Chapter 8: Uninstallation
Uninstalling Endpoint Encryption Agents ................................................. 8-2
Manually Uninstalling Endpoint Encryption Agents ....................... 8-2
Using OfficeScan to Uninstall Endpoint Encryption Agents ......... 8-6
iii
Trend Micro Endpoint Encryption 6.0 Installation Guide
Chapter 9: Technical Support
Using the Support Portal ....................................................................... 9-2
Speeding Up the Support Call .............................................................. 9-4
Sending Suspicious Content to Trend Micro ............................................. 9-4
Email Reputation Services .................................................................... 9-4
Web Reputation Services ....................................................................... 9-5
Documentation Feedback ..................................................................... 9-6
Index
Uninstalling the PolicyServer MMC .................................................... 8-7
Uninstalling the Endpoint Encryption Proxy ............................................ 8-9
iv
Chapter 1
Introduction
Welcome to the Trend Micro™ Endpoint Encryption™ Installation Guide. This guide is intended to assist security administrators and IT professionals to set up PolicyServer, install Endpoint Encryption™ agents, and integrate PolicyServer with Trend Micro
Control Manager. This guide explains system requirements, deployment considerations, product installation, upgrade scenarios, and product uninstallation.
1-1
Trend Micro Endpoint Encryption 6.0 Installation Guide
Deployment Overview
Procedure
1.
Decide how to deploy Endpoint Encryption into your environment and prepare for Endpoint Encryption installation.
Deployment Planning on page 2-1
.
2.
Review all system requirements for compatible product versions.
System Requirements on page 3-1
.
3.
Install PolicyServer and PolicyServer MMC.
Installing PolicyServer on page 4-4
.
4.
Optionally, set up Control Manager for Endpoint Encryption management.
See the supporting documentation at: http://docs.trendmicro.com/en-us/enterprise/control-manager.aspx
a.
Install and configure Control Manager.
b.
Add PolicyServer to Control Manager.
Adding PolicyServer as a Managed Product to Control Manager on page 5-3
5.
Prepare endpoints for deployment.
Agent Installation Prerequisites on page 6-3
6.
Install Endpoint Encryption agents.
•
•
If you plan to install agents manually or remotely, follow the steps provided in
Endpoint Encryption Agent Deployment on page 6-1
.
If you plan to install agents using OfficeScan, see the OfficeScan Plug-in Online
Help: http://docs.trendmicro.com/en-us/enterprise/endpoint-encryption-60officescan-plug-in/about-the-endpoint-e.aspx
1-2
Introduction
7.
Manage your agents using your prefered management console.
• If you are using Control Manager for management, see the Endpoint Encryption
Administrator's Guide:
• http://docs.trendmicro.com/en-us/enterprise/endpoint-encryption-60administration-guide/about-trend-micro-en.aspx
If you are using PolicyServer MMC for management, see the Endpoint
Encryption PolicyServer MMC Guide: http://docs.trendmicro.com/en-us/enterprise/endpoint-encryption-60policyserver-mmc-guide/about-trend-micro-en.aspx
1-3
Chapter 2
Deployment Planning
•
•
•
This chapter describes preparation and preinstallation information for Trend Micro™
Endpoint Encryption™ software installation.
When addressing any encryption project, it is important to identify the implementation goals. Organizations needing to satisfy explicit regulatory compliance requirements often require broad encryption solutions with a heavy emphasis on reporting, whereas organizations looking to improve data security may have more targeted needs to protect specific data assets.
No single plan can fit every use-case scenario, and understanding what is required of an encryption solution will greatly decrease deployment times, minimize or eliminate performance degradation, and ensure the project's success. Careful planning is required to understand the deployment requirements and limitations when scaling Endpoint
Encryption across a large enterprise. Planning is especially important when introducing this change across thousands of endpoints, affecting all end-users.
Topics include:
Deployment Considerations on page 2-2
Sample Deployments on page 2-3
Administration Considerations on page 2-8
2-1
Trend Micro Endpoint Encryption 6.0 Installation Guide
Deployment Considerations
This section explains the high-level considerations for installing the main Endpoint
Encryption components.
Component
PolicyServer
Endpoint Encryption agents
Details
PolicyServer is the main server software that manages Endpoint
Encryption agents. This software includes a front-end server program and a backend SQL Server database.
When planning your PolicyServer installation, consider how many devices will be managed by PolicyServer and whether your environment requires server or database redundency. After installing PolicyServer, you can configure ActiveDirectory domain authentication and proxy communication.
In the client-server model, “agents” are the client software installed on computers and devices that communicate with
PolicyServer. For information about the available agents, see
Endpoint Encryption Agent Deployment on page 6-1
.
When planning agent deployment, consider whether you will install agents on individual endpoints or whether you will install them remotely. If your environment is protected by Trend Micro™
OfficeScan™, you can install Full Disk Encryption agents using
OfficeScan through the Endpoint Encryption Deployment Tool
Plug-in.
2-2
Deployment Planning
Component
Management console
Details
•
•
The management console determines the encryption, authentication, and configuration policies for the Endpoint
Encryption agents. The main decision you will need to make when planning your installation is what primary management console you will use. You can manage PolicyServer on either of the following consoles:
Control Manager: This is the central management console for
Trend Micro products. Trend Micro recommends using
Control Manager to manage Endpoint Encryption, but using
Control Manager is optional.
PolicyServer MMC: This console performs advanced operations for Endpoint Encryption. If preferred, PolicyServer
MMC can perform user, device, and policy management.
Note
In environments that use Control Manager, changes to
PolicyServer policies are always controlled by Control
Manager. Any changes made using PolicyServer MMC are overwritten the next time that Control Manager synchronizes policies to the PolicyServer database.
Sample Deployments
Endpoint Encryption has the flexibility to be deployed in different network environments. This section shows several example implementations of Endpoint
Encryption into different network security infrastructures.
2-3
Trend Micro Endpoint Encryption 6.0 Installation Guide
Simple Deployment
The following illustration shows how to deploy Endpoint Encryption using only
PolicyServer MMC to manage PolicyServer.
Control Manager Deployment
The following illustration shows how to deploy Endpoint Encryption using Control
Manager to manage PolicyServer. In a Control Manager deployment, administrators use
Control Manager for all Endpoint Encryption policy, user, and device controls, and only use PolicyServer MMC for advanced Enterprise maintenance.
2-4
Control Manager Integration on page 5-1
.
Deployment Planning
In environments that use Control Manager, changes to PolicyServer policies are always controlled by Control Manager. Any changes made using PolicyServer MMC are overwritten the next time that Control Manager synchronizes policies to the
PolicyServer database.
OfficeScan Deployment
The following illustration shows how to deploy Endpoint Encryption on OfficeScan managed endpoints. In this example, Control Manager is the primary management
2-5
Trend Micro Endpoint Encryption 6.0 Installation Guide console. However, administrators can use either Control Manager or PolicyServer MMC to manage PolicyServer in OfficeScan deployments.
For more information about OfficeScan integration, see the OfficeScan Plug-in Online Help.
Large Enterprise Deployment
The following illustration shows the network environment of a large enterprise with
40,000 devices. The multiple traffic routes to the firewalls show redundant network
2-6
Deployment Planning paths to account for high availability. For more information about scaling requirements, see
Hardware and Scaling Requirements on page 3-2
.
Figure 2-1.
PolicyServer Scaled to Support 40,000 Users
Deployment Including Legacy Agents
The following illustration shows a complex network environment using both Endpoint
Encryption 5.0 and Endpoint Encryption legacy (3.1.3) agents. In this example, an endpoint between PolicyServer MMC and the Endpoint Encryption agents directs and filters traffic using the Endpoint Encryption proxy service. The Endpoint
EncryptionProxy includes the TMEE Forward service to communicate with 5.0 agents, and the Client Web Service to communicate with legacy agents.
2-7
Trend Micro Endpoint Encryption 6.0 Installation Guide
For more information, see
Traffic Forwarding Services for Legacy Agents on page 4-16
Administration Considerations
This section includes a list of tasks and changes that security and IT administrators should consider when deploying Endpoint Encryption.
Network Infrastructure Checklist
This questionnaire assists IT administrators in defining the project team, documenting the operating environment, assessing architecture requirements, facilitating review of desktop hardware and software profiles, and defining security concerns or support processes.
2-8
Deployment Planning
Category
End users
Endpoints
Questions
1.
What is the total number of users to be deployed?
2.
Of that number, how many are:
•
•
•
Administrators (for either the Enterprise or Group)
Authenticator (Help Desk Personnel)
End users
1.
Is there a standard number of partitions on hardware?
2.
Do devices have multiple physical hard drives?
3.
Do these devices have SED drives attached?
4.
Do any devices have dual boot managers?
5.
What standard software is installed? Check the following:
•
•
•
Antivirus
Security applications that block software installation
Previous encryption products
6.
Do the endpoints use BIOS or UEFI?
2-9
Trend Micro Endpoint Encryption 6.0 Installation Guide
2-10
Category Questions
Enterprise networks and databases
•
•
•
•
•
•
•
How many PolicyServer instances are required to support the user base?
Estimate the maximum number of users in the future. For example, think about the company's potential growth within three years.
If domain authentication is used, one PolicyServer is required for each Active Directory domain.
•
Is load balancing on the servers required?
Load-balancing is recommended for installations that require redundancy and high-availability for
PolicyServers.
•
Clustering can be used to provide redundancy and highavailability for the database servers.
What are the database size estimates?
Estimate the maximum number of users in the future. For example, think about the company's potential growth within three years.
Approximate space required is 1 GB per year for every
1,000 end users.
Internet connectivity 1.
Will agents be required to communicate with PolicyServer over the Internet?
•
Check with internal network/security team to understand requirements to make a web server available on the
Internet.
2.
If agents are required to communicate over the Internet, which of the following functions do you need to set up:
• Domain authentication/single sign-on can be used over the Internet
•
•
•
Policy updates via the Internet
Device auditing via the Internet
Online password resets
Deployment Planning
Security Infrastructure Checklist
Review existing security infrastructure before deploying a new IT service into the production environment. The following table provides specific questions to ask about your existing and potential security infrastructure to better understand how deploying
Endpoint Encryption may affect the organization.
Category
End users
Incident response
Questions
1.
Does the end-user training include the new functionality that
Endpoint Encryption provides?
2.
Is the Acceptable Use Policy (AUP) updated to include encryption services, especially any penalties for not using or bypassing encryption?
3.
Are users notified when they log on to the endpoint that aligns with the AUP?
4.
Are all users fully trained on how to report a lost or stolen device?
5.
Have users been trained on procedures regarding failed login attempts and password recovery?
6.
Is there a policy regarding encryption of confidential documents that are sent outside of the organization?
7.
Have any new password policies been added to the AUP?
1.
Has the Incident Response (IR) policy been updated to include actions taken when a device is lost or stolen?
2.
Has an audit log review schedule been established for the
PolicyServer logs?
3.
Have the email alerts been added to the IR policy, including the recipients and the expected response when an alert is received?
4.
Have specific criteria been developed to allow a device to be killed or wiped, including any audit trail documentation after the action is completed?
2-11
Trend Micro Endpoint Encryption 6.0 Installation Guide
Category Questions
Risk assessment
Disaster recovery
1.
Has a new risk assessment been conducted to show the change in risk profile Endpoint Encryption has provided?
2.
Have Risk Assessment procedures been updated to include the audit data that the PolicyServer provides?
1.
Has PolicyServer been added to the Critical Services list?
2.
Is the DR/BC plan updated to include the restoration of the
PolicyServer service?
3.
Is a process developed to allow user data to be recovered from a device?
Human resources 1.
Is the New Employee checklist updated to include any new process for Endpoint Encryption?
2.
Is the termination process updated to include Endpoint
Encryption? Consider the following:
•
•
•
Backing up, formatting, or restoring devices
Locking or killing devices
Disabling accounts in PolicyServer
Removeable media 1.
What USB and other removeable media devices are allowed in your network?
2.
Will removeable media devices be accessible at all hours of the day, or will you have set times where removeable device authentication is not allowed?
3.
Where can users access removeable media devices: onnetwork, off-network, over VPN, at home?
Compliance 1.
Is the compliance profile updated to include the benefits that
Endpoint Encryption provides?
2.
Has a compliance review been conducted on all aspects on the Endpoint Encryption implementation and deployment?
2-12
Deployment Planning
End User Communication
Trend Micro recommends that the executive sponsor of the data protection project send a message to the end users communicating the importance of the project to the company and the benefits to the users. The following is a high-level communication strategy to promote adoption of Endpoint Encryption and ease the transition into your enterprise's new security practices.
Time
One month before rollout
One week before rollout
One day before rollout
The day of rollout
After rollout
•
•
•
•
•
•
•
•
•
Communication Tasks
Have the executive sponsor outline why new encryption is being introduced and how complying with the new processes benefits the end user as well as the company.
Provide a roll-out schedule to the users, including what to expect from the new product and how the users can get technical support.
Reiterate what changes are coming and what to expect on the day new authentication procedures are required on their endpoints.
Include screen captures and detailed instructions on user name or password conventions, and other internal support services.
Reinforce the timing of the roll-out schedule and what to expect.
Distribute cheat-sheets, installation information, and any on-site contacts who will be available to assist users the next day.
Announce system maintenance start and expected length of down time, if any.
Reiterate contact information for help desk personnel who can assist users.
Provide tools for troubleshooting assistance.
2-13
Trend Micro Endpoint Encryption 6.0 Installation Guide
Network Maintenance
•
•
•
•
•
PolicyServer and related databases are mission-critical services. Trend Micro recommends the following for optimal maintenance of your Endpoint Encryption product and related services:
Actively monitor CPU usage and establish a threshold for when the PolicyServer
Windows Service and Trend Micro Endpoint Encryption Service should be restarted.
Restart the service on a regular schedule that fits with the organization's established maintenance windows (daily, weekly, monthly).
Restart the PolicyServer Windows service whenever maintenance is performed on the Active Directory environment, the server, database, or related communications.
Back up PolicyServer databases when you back up similar enterprise-critical databases.
Back up primary and log databases regularly off site for redundancy.
WARNING!
Any changes to the Active Directory or database environments may affect connectivity with PolicyServer.
2-14
Chapter 3
System Requirements
This chapter outlines the system requirements for Trend Micro Endpoint Encryption.
•
•
•
•
•
•
Topics include:
PolicyServer System Requirements on page 3-2
PolicyServer MMC System Requirements on page 3-7
Full Disk Encryption System Requirements on page 3-8
File Encryption System Requirements on page 3-11
Encryption Management for Microsoft BitLocker System Requirements on page 3-12
Encryption Management for Apple FileVault System Requirements on page 3-14
3-1
Trend Micro Endpoint Encryption 6.0 Installation Guide
PolicyServer System Requirements
Hardware and Scaling Requirements
The following shows deployment and scaling requirements in several different-sized environments. In smaller network environments, PolicyServer SQL databases can be installed on the same server. For PolicyServer deployments in environments greater than
1500 devices, Trend Micro recommends having at least two dedicated servers:
1.
A dedicated server for the PolicyServer services, also known as the “front-end server”
2.
A dedicated server for the database, or add the database to an existing SQL cluster
The following table displays the requirements for the PolicyServer SQL database for the basic requirements at the specified scale:
Devices
1,000
4,000
•
•
•
•
•
•
PolicyServer Front-end
Requirements
One front-end and SQL database multi-role server with an Intel Xeon quad-core 2.2
GHz processor or above
8 GB RAM
120 GB hard drive
One front-end server with four
Intel Xeon quad-core 2.2 GHz processors or above
8 GB RAM
150 GB hard drive
PolicyServer SQL Database
Requirements
Installed on PolicyServer front-end server
Installed on PolicyServer front-end server
3-2
System Requirements
Devices
8,000
20,000
40,000
•
•
•
•
•
•
•
•
•
PolicyServer Front-end
Requirements
Two front-end servers each with four Intel Xeon quad-core
2.2 GHz processor or above
4 GB RAM
40 GB hard drive
Four front-end servers each with four Intel Xeon quad-core
2.2 GHz processors or above
4 GB RAM
40 GB hard drive
Eight front-end servers each with four Intel Xeon quad-core
2.2 GHz processors or above
4 GB RAM
40 GB hard drive
•
•
•
•
•
•
•
•
•
PolicyServer SQL Database
Requirements
One SQL database server with four Intel Xeon quad-core 2.2
GHz processor or above
8 GB RAM
150 GB hard drive
One SQL database server with four Intel Xeon quad-core 2.2
GHz processor or above
8 GB RAM
180 GB RAID 5 hard drive
Two SQL database cluster servers each with two Intel
Xeon quad-core 2.2 GHz processor or above
16 GB RAM
350 GB shared SAN RAID 5 hard drive
•
•
•
Note
Virtual hardware is supported under VMware Virtual Infrastructure.
Microsoft or VMware on virtual hardware does not support Microsoft Cluster
Service.
Baseline testing was performed on an endpoint with an Intel Xeon CPU E5-2650 v4
2.20 GHz, 2200 Mhz.
Redundancy Requirements
With larger environments, Trend Micro recommends adding additional servers to avoid having single points of failure. The following table displays the requirements for the
PolicyServer SQL database for an environment with increased redundancy.
3-3
Trend Micro Endpoint Encryption 6.0 Installation Guide
Tip
Trend Micro recommends setting up redundancy for environments with more than 8,000 devices.
Devices
8,000
20,000
40,000
•
•
•
•
•
•
•
•
•
PolicyServer Front-end
Requirements
Four front-end servers each with one Intel Xeon quad-core
2.2 GHz processor or above
4 GB RAM
40 GB hard drive
Six front-end servers each with four Intel Xeon quad-core 2.2
GHz processors or above
4 GB RAM
40 GB hard drive
•
•
•
•
Twelve front-end servers each with four Intel Xeon quad-core
2.2 GHz processors or above
4 GB RAM
40 GB hard drive
•
•
•
•
•
•
•
•
PolicyServer SQL Database with Zero Single Points of
Failure
One SQL server cluster of two nodes, with four Intel Xeon quad-core 2.2 GHz processor or above
8 GB RAM
60 GB RAID 5 hard drive
150 GB shared SAN RAID 5 hard drive
Four SQL server cluster of two nodes, with four Intel Xeon quad-core 2.2 GHz processor or above
8 GB RAM
60 GB RAID 5 hard drive
180 GB shared SAN RAID 5 hard drive
Four SQL database cluster servers with four Intel Xeon quad-core 2.2 GHz processor or above
16 GB RAM
60 GB RAID 5 hard drive
350 GB shared SAN RAID 5 hard drive
3-4
System Requirements
•
•
•
Note
Virtual hardware is supported under VMware Virtual Infrastructure.
Microsoft or VMware on virtual hardware does not support Microsoft Cluster
Service.
Baseline testing was performed on an endpoint with an Intel Xeon CPU E5-2650 v4
2.20 GHz, 2200 Mhz.
Software Requirements
Specification
Operating system
Database server
•
•
•
•
•
•
•
Requirements
Windows Server 2008 / 2008 R2 (64-bit)
Windows Server 2012 / 2012 R2 (64-bit)
Windows Server 2016 (64-bit)
Microsoft SQL Server 2008 / 2008 R2 / 2012 /
2012 R2 / 2014 / 2016
Microsoft SQL Server Express 2008 / 2012 /
2014 / 2016
Mixed Mode Authentication (SA password) installed
Reporting services installed
Application server
Note
For Windows Server 2008 R2, you must install
SQL Server 2008 SP1.
•
PolicyServer 6.0 requires Microsoft Internet Information
Services (IIS) with the following roles installed and enabled:
•
•
Application Development
ASP.NET
ASP
3-5
Trend Micro Endpoint Encryption 6.0 Installation Guide
Specification
Other software
•
•
•
•
Requirements
ISAPI Extensions
ISAPI Filters
Management Tools •
• IIS Management Console
•
•
IIS Management Scripts and Tools
Management Service
•
IIS 6 Management Compatibility
•
IIS 6 Metabase Compatibility
For Windows Server 2008 and 2008 R2 you must install the “Application server” role and the “Web server” role. Additionally, you must add SMTP and
Microsoft IIS Support features.
Legacy Endpoint Encryption environments (version
3.1.3 and earlier) require Client Web Service. If you install Client Web Service on a remote endpoint, install
Microsoft IIS on that endpoint.
Both Microsoft .NET Framework 2.0 SP2 (or 3.5) and 4.0
Windows Installer 4.5 (SQL Express)
Installation Files
File
PolicyServerInstaller.exe
PolicyServer
MMCSnapinSetup.msi
Purpose
Installs PolicyServer databases and services.
Optionally, the PolicyServer MMC can install at the same time.
Installs the PolicyServer MMC only.
3-6
System Requirements
File
TMEEProxyInstaller.exe
Purpose
Installs the Client Web Service and the Traffic
Forwarding Service. These services function as web proxies and communication protocols for environments that have PolicyServer and
Endpoint Encryption agents in different LANs.
Client Web Service functions for 3.1.3 or earlier agents and Traffic Forwarding Service functions for 5.0 or later agents.
Note
PolicyServer includes a 30-day trial license. To upgrade to the full product version, register your product with your Activation Code in Control Manager or PolicyServer MMC.
Required Accounts
Account
SQL SA
SQL MADB
Function
PolicyServer Installer
PolicyServer Windows Service
Local
Administrator
PolicyServer Windows Service and IIS
Description
Account is used only to create the
PolicyServer databases
Account created during installation to authenticate to PolicyServer databases
Account used to run the
PolicyServer Windows Service and web service application pools
PolicyServer MMC System Requirements
Note
PolicyServer MMC can be installed on the PolicyServer front-end server or on a different endpoint that has network connectivity with PolicyServer.
3-7
Trend Micro Endpoint Encryption 6.0 Installation Guide
Specification
Processor
RAM
Disk space
Network connectivity
Operating system
Others
Requirements
Intel Core 2 Duo 2.0 GHz processor or equivalent
512 MB
100 MB
Connectivity with PolicyServer
Any Microsoft Windows operating system supported by
PolicyServer or the Endpoint Encryption agents
Microsoft .NET Framework 4.0
Full Disk Encryption System Requirements
Specification
Processor
RAM
Disk space
Network connectivity
Requirements
Intel Core 2 Duo 2.0 GHz processor or equivalent
1 GB
•
•
•
30 GB
20% free disk space
256 MB contiguous free space
Communication with PolicyServer required for managed agents
3-8
System Requirements
Specification
Operating system
Firmware interface
Other software
Hard disk
•
•
Requirements
Windows™ Embedded POSReady 7 (32-bit/64-bit)
Windows™ 10 (32-bit/64-bit)
Note
Older builds of Windows 10 installed on endpoints where UEFI is enabled may encounter issues if secure boot is turned on. To prevent this issue, install all service packs, hotfixes and security patches for Windows 10 before proceeding with the installation.
•
•
•
•
•
•
Windows™ 8.1 (32-bit/64-bit)
Windows™ 8 (32-bit/64-bit)
Windows™ 7 (32-bit/64-bit)
BIOS: all supported operating systems
UEFI: all supported operating systems
Microsoft .NET Framework 3.5 SP1 or later (Windows 7 and later operating systems)
•
•
Full Disk Encryption uses software-based encryption for all standard drives (drives without self-encryption).
Full Disk Encryption uses hardware-based encryption for the following self-encrypting drives (SEDs):
Seagate OPAL and OPAL 2 drives
SanDisk self-encrypting solid-state drives
•
•
Full Disk Encryption has the following limitations:
Full Disk Encryption does not support RAID and SCSI drives.
Full Disk Encryption does not support eDrive drives for
Windows 8 or later environments.
3-9
Trend Micro Endpoint Encryption 6.0 Installation Guide
Specification
Hard disk controllers •
•
Requirements
Software encryption: ATA, AHCI, or IRRT hard disk controller
Hardware encryption: AHCI hard disk controller
Recommended Disk Combinations
Endpoint Encryption supports endpoints with a maximum of 32 disks attached. Full
Disk Encryption recommends the following disk combinations:
Primary Disk
Normal system disk
Normal system disk
Normal system disk
SED system disk
Secondary Disk
Normal data disk
Normal system disk attached as a data disk
SED data disk
SED data disk
Recommendation
Yes
The disk must either be new or previously encrypted and connected with
PolicyServer.
Yes
If the Bypass Preboot policy is set to Allow, Full
Disk Encryption prompts for the removal of one system disk.
Yes
The disk must either be new or previously encrypted and connected with
PolicyServer.
Yes
The disk must either be new or previously encrypted and connected with
PolicyServer.
3-10
System Requirements
Primary Disk
SED system disk
SED system disk
Secondary Disk
SED system disk attached as a data disk
Normal data disk
Recommendation
No
The Full Disk Encryption installer completes the installation but won't be able to manage both disks.
If the Bypass Preboot policy is set to Allow, Full
Disk Encryption prompts for the removal of one system disk
No
The Full Disk Encryption installer completes the installation but won't be able to manage any disks.
If a non-recommended disk is found, the Full Disk Encryption installer still completes the installation but won't be able to manage the non-recommended disk. Aditionally, it also reports a status of Unmanaged for the non-recommended disk.
File Encryption System Requirements
The following table explains the File Encryption system requirements.
Specification
Processor
RAM
Disk space
Network connectivity
Requirements
Intel Core 2 Duo 2.0 GHz processor or equivalent
1 GB
•
• 30 GB
20% free disk space
Communication with PolicyServer required for managed agents
3-11
Trend Micro Endpoint Encryption 6.0 Installation Guide
Specification
Operating system
Other software
•
•
•
•
•
•
Requirements
Windows™ 10 (32-bit/64-bit)
Windows™ 8.1 (32-bit/64-bit)
Windows™ 8 (32-bit/64-bit)
Windows™ 7 (32-bit/64-bit)
Microsoft .NET Framework 3.5 SP1 (Windows 7 and later operating systems)
Microsoft Windows Installer 3.1
Encryption Management for Microsoft
BitLocker System Requirements
This following table explains the minimum and recommended Encryption Management for Microsoft BitLocker system requirements.
Specification
Processor
RAM
Disk space
Hard disk
Network connectivity
Requirements
Intel Core 2 Duo 2.0 GHz processor or equivalent
•
•
Requirements are the based on Windows system requirements:
64-bit systems: 2 GB
32-bit systems: 1 GB
•
•
•
30 GB
20% free disk space
Standard drives supported by Windows
Connectivity with PolicyServer
3-12
System Requirements
Specification
Operating system
Other software
•
•
•
•
•
•
•
•
•
Requirements
Windows™ Embedded POSReady 7 (32-bit/64-bit)
Windows™ 10 Enterprise and Professional editions (32bit/64-bit)
Windows™ 8.1 Enterprise and Professional editions (32bit/64-bit)
Windows™ 8 Enterprise and Professional editions (32bit/64-bit)
Windows™ 7 Enterprise and Professional editions (32bit/64-bit)
Trusted Platform Module (TPM) 1.2 or higher
Full Disk Encryption is not installed
Microsoft .NET Framework 3.5
Windows BitLocker is disabled
•
•
WARNING!
Full Disk Encryption is unable to install on SED disks attached to devices using UEFI if these disks were previously managed by Windows Bitlocker. To install
Full Disk Encryption on these disks, perform one of the following:
Configure Full Disk Encryption to use softwarebased encryption by adding the
FORCESOFTWARE parameter during installation.
Installing the Full Disk Encryption
.
Restore the SED disk back to its factory setting.
This procedure removes all existing data from the
SED disk. After the disk has been restored, try running the installer again.
3-13
Trend Micro Endpoint Encryption 6.0 Installation Guide
Encryption Management for Apple FileVault
System Requirements
This following table explains the minimum and recommended Encryption Management for Apple FileVault system requirements.
Specification Requirement
Processor
Memory
Disk space
Network connectivity
Operating system
•
•
•
•
•
•
•
•
•
Intel Core 2 Duo 2.0 GHz processor or equivalent
512 MB minimum
2 GB recommended
400 MB minimum
Connectivity with PolicyServer
OS X™ “Sierra”
OS X™ “El Capitan”
OS X™ “Yosemite”
OS X™ “Mavericks”
OS X™ “Mountain Lion”
Other software
•
• Mono runtime environment (MRE) 2.1
Apple FileVault is disabled
Hardware considerations
•
Mac OS local accounts or mobile accounts are able to initiate encryption on Mac OS X Mountain Lion or later.
Other Mac OS user account types will be unable to initiate encryption.
•
To create a mobile account for Active Directory on your
Mac, see
Creating a Mobile Account for Active Directory on Mac OS on page 6-29
Encryption Management for Apple FileVault supports
Apple Fusion Drives on Mac OS X Mountain Lion or later
(starting with Mac OS build 10.8.2).
3-14
Chapter 4
PolicyServer Installation
Trend Micro PolicyServer manages encryption keys and synchronizes policies across all endpoints in the organization. PolicyServer also enforces secure authentication and provides real-time auditing and reporting tools to ensure regulatory compliance. You can flexibly manage PolicyServer with PolicyServer MMC or with Trend Micro Control
Manager. Other data management features include user-based self-help options and device actions to remotely reset or “kill” a lost or stolen device.
This chapter how to install and configure PolicyServer for the first time, how to set up
Active Directory.
Note
For system requirements, see
PolicyServer System Requirements on page 3-2
The following table describes the PolicyServer components that you can deploy on one server or multiple servers, depending on environmental needs.
Table 4-1. PolicyServer Components
Component
Enterprise
Description
The Endpoint Encryption Enterprise is the unique identifier about the organization in the PolicyServer database configured during
PolicyServer configuration. One PolicyServer database may have one Enterprise configuration.
4-1
Trend Micro Endpoint Encryption 6.0 Installation Guide
4-2
Component
Database
PolicyServer
Windows Service
Endpoint
Encryption Proxy
Endpoint
Encryption Service
Legacy Web
Service
Description
The PolicyServer Microsoft SQL database securely stores all user, device, and log data. The database is either configured on a dedicated server or added to an existing SQL cluster. The log and other databases can reside separately.
PolicyServer Windows Service manages all communication transactions between the host operating system, Endpoint
Encryption Service, Legacy Web Service, Client Web Proxy, and
SQL databases.
The Endpoint Encryption Proxy acts as an intermediary between agents and PolicyServer to manage requests and communication over your network. This service can distinguish requests to new agents (5.0 and later) and legacy agents (3.1.3 and earlier) through the Traffic Forward Service and Client Web Service respectively. To secure PolicyServer behind the network firewall, deploy the
Endpoint Encryption Proxy to an endpoint residing in the network
DMZ.
Starting from Endpoint Encryption 5.0, all agents use Endpoint
Encryption Service to communicate with PolicyServer. Endpoint
Encryption Service uses a Representational State Transfer web
API (RESTful) with an AES-GCM encryption algorithm. After a user authenticates, PolicyServer generates a token related to the specific policy configuration. Until the Endpoint Encryption user authenticates, the service denies all policy transactions.
All Endpoint Encryption 3.1.3 and earlier agents use Simple Object
Access Protocol (SOAP) to communicate with PolicyServer. Under certain situations, SOAP may allow insecure policy transactions without user authentication. Legacy Web Service filters SOAP calls by requiring authentication and limiting the commands that SOAP accepts. This service is optional, and can be installed on the same endpoint as the Endpoint Encryption Service using the Endpoint
Encryption proxy installer.
•
•
Topics include:
Installing PolicyServer on page 4-4
Installing PolicyServer MMC on page 4-8
•
•
Configuring PolicyServer on page 4-9
Traffic Forwarding Services for Legacy Agents on page 4-16
PolicyServer Installation
4-3
Trend Micro Endpoint Encryption 6.0 Installation Guide
Installing PolicyServer
•
•
•
•
•
The PolicyServer installation process involves running an installer on the server endpoint to configure the following:
Endpoint Encryption product license
Enterprise name and Administrator logon
Endpoint Encryption services
PolicyServer database
PolicyServer MMC (optional)
WARNING!
For security reasons, legacy Endpoint Encryption agents cannot communicate directly with a PolicyServer instance residing in a different network. For information about configuring a web proxy, see
Traffic Forwarding Services for Legacy Agents on page 4-16
Procedure
1.
Verify that all system requirements are met.
PolicyServer System Requirements on page 3-2
.
2.
Run
PolicyServerInstaller.exe
The PolicyServer Installer opens.
3.
At the PolicyServer Services screen, click Install at the right.
4.
At the Product Legal Notice screen, read the license agreement and accept the terms by clicking Accept.
5.
At the Product Activation screen, select your licensing method:
• Click Register Online to register your product and receive an Activation
Code.
• Select Use a full license if you have an Activation Code to specify your code and activate full functionality.
4-4
PolicyServer Installation
•
Select Use a trial license to evaluate a managed Endpoint Encryption configuration for 30 days.
Note
During the trial period, PolicyServer functions normally with all agent management, unlimited devices, and up to 100 users. After 30 days, contact a
Trend Micro representative for more information about the Registration Key and Activation Code.
6.
At the Create Enterprise Name and Administrator Logon screen, specify the credentials for your main Enterprise administrator account and then click
Continue.
Option Description
Enterprise Name
The name of the Enterprise. This will be required for user and device authentication.
Administrator
Password
The first Enterprise Administrator account user name.
The first Enterprise Administrator account password.
Confirm Password Confirm the first Enterprise Administrator account password.
Enterprise administrator accounts can manage all device, user, and policy settings from PolicyServer MMC and Control Manager. You can create more Enterprise administrator accounts at a later time. If you are upgrading or reinstalling
PolicyServer, the Enterprise administrator account that you specified previously appears automatically.
7.
At the Windows Service Logon screen, click Continue.
8.
At the Database Administrator Logon screen, choose your database connection method:
• Select Microsoft SQL Express to create a new database instance.
Note
Use Microsoft SQL Express only for networks of fewer than 1500 endpoints, or for evaluation purposes. Microsoft SQL Express is only available in environments that do not have SQL Server configured.
4-5
Trend Micro Endpoint Encryption 6.0 Installation Guide
•
Select SQL Server to specify an existing Microsoft SQL Server instance.
If you select SQL Server, specify the following information:
Field
SQL Server
Description
The SQL Server host name or IP address.
User name
Note
For environments with multiple SQL Server instances, append the SQL instance to the end of the database host name or IP address used. Use the following syntax to specify an instance:
<hostname_or_IP_address>
\<database_instance>
The user name with the “sysadmin” role for the specified
SQL Server instance.
The password for the “sysadmin” account.
Password
• Select Use a different log database server to specify a different SQL Server instance for log data.
9.
At the Create Database Logon screen, specify a new database account for the
PolicyServer Windows Service to use for all database transactions.
Note
Do not specify the “sysadmin” account.
10. At the Endpoint Encryption Service screen, specify the following parameters:
Option
Port number
Description
Specify the port number that the PolicyServer MMC, Control
Manager and Endpoint Encryption 6.0 agents use to communicate with PolicyServer (default: 8080).
4-6
PolicyServer Installation
Option Description
Note
In environments with legacy agents, Trend Micro recommends using port 8080 for the Admin Web Service and port 80 for the Client Web Service. The port number must be a positive integer between 1 and 65535.
Automatically generate a new self-signed certificate
Select this option if no certificate is available. The installer generates a certificate for encrypted communication.
Specify an existing certificate
Select this option to use a specific certificate. There are no limitations or requirements for specifying an existing certificate except that the certificate is correctly formatted.
11. Click Continue.
12. At the Legacy Agent Service screen, select the location that legacy Endpoint
Encryption agents (version 3.1.3 and below) use to communicate with PolicyServer, then click Continue.
13. To immediately install PolicyServer MMC, click Yes. To install PolicyServer MMC at a later time or on a separate endpoint, see
Installing PolicyServer MMC on page
The installation process begins.
14. When prompted, click OK.
15. Click Finished.
16. Click Exit to close the PolicyServer installer.
17. Add the initial Endpoint Encryption users and groups.
Configuring PolicyServer on page 4-9
4-7
Trend Micro Endpoint Encryption 6.0 Installation Guide
Installing PolicyServer MMC
If you did not install PolicyServer MMC during PolicyServer installation, follow this procedure to install PolicyServer MMC. PolicyServer MMC can be installed on a separate endpoint from PolicyServer.
Note
Trend Micro recommends installing the same version of PolicyServer MMC as
PolicyServer. Legacy versions of PolicyServer MMC (version 3.1.3 or earlier) are unable to manage PolicyServer 6.0.
Procedure
1.
Run
PolicyServerMMCSnapinSetup.msi
.
The installation begins.
2.
Click Next to begin the Setup Wizard.
3.
Read the license agreement and accept the terms by selecting I Agree and then clicking Next.
4.
Select installation folder or leave at default location, and click Next.
Depending on your processor, the default installation path is:
C:\Program
Files\Trend Micro\PolicyServer MMC\
or
C:\Program Files
(x86)\Trend Micro\PolicyServer MMC\
5.
Click Next to confirm installation.
After the installation completes, the PolicyServer MMC installs to the specified location. A new PolicyServer MMC shortcut appears on the desktop:
4-8
Figure 4-1.
PolicyServer PolicyServer MMC shortcut
PolicyServer Installation
6.
Click Close to finish.
7.
Double-click the PolicyServer MMC shortcut on the desktop.
8.
Once PolicyServer MMC opens, authenticate using the Enterprise and Enterprise
Administrator account created when the PolicyServer databases and services were installed.
See the Endpoint Encryption Administrator's Guide for additional post-installation tasks such as creating devices and users, and setting up policies.
Tip
Trend Micro recommends creating a backup Enterprise Administrator account and changing the default password.
Configuring PolicyServer
The following are the main tasks required for initial PolicyServer configuration. Use the
Enterprise and Enterprise administrator account that were configured during
PolicyServer installation.
Procedure
1.
Install PolicyServer and PolicyServer MMC.
Installing PolicyServer on page 4-4
.
If you intend to install PolicyServer MMC separate from PolicyServer, see
.
2.
Log on to PolicyServer MMC.
Installing PolicyServer MMC on page 4-8
.
3.
Add the first Top Group.
Adding a Top Group on page 4-11
.
4-9
Trend Micro Endpoint Encryption 6.0 Installation Guide
4.
Add Endpoint Encryption users.
Adding a New User to a Group on page 4-13
.
5.
Allow certain Endpoint Encryption users to install new Endpoint Encryption devices to the group.
Allowing a User to Install Agents in a Group on page 4-15
.
Logging on to PolicyServer MMC
Procedure
1.
To open PolicyServer MMC, do one of the following:
•
•
Double-click the PolicyServer MMC shortcut on the desktop.
Go to the folder specified during installation, then double-click
PolicyServerMMC.msc
.
The PolicyServer MMC authentication screen appears.
4-10
PolicyServer Installation
2.
Specify the following parameters:
Option Description
Enterprise Specify the Enterprise.
User name Specify the user name of an Enterprise administrator account.
Password Specify the password for the user name.
Server Specify the PolicyServer IP address or host name, and include the port number assigned to that configuration.
3.
Optional: To use a smart card to authenticate, select Use Smart Card.
4.
Click Login.
The PolicyServer MMC opens.
Adding a Top Group
Groups simplify managing Endpoint Encryption agents, users, policies, subgroups, and devices. A Top Group is the highest-level group.
PolicyServer requires a Top Group for user
Note
Enterprise administrators and authenticators may not be added to groups because their permissions supercede all groups. If you add an administrator or authenticator to a group, that account will be a group administrator or authenticator.
Procedure
1.
Right-click the Enterprise in the left pane, then click Add Top Group.
4-11
Trend Micro Endpoint Encryption 6.0 Installation Guide
The Add New Group screen appears.
2.
Specify the name and description for the group.
3.
If using Endpoint Encryption devices that do not support Unicode, select Support
Legacy Devices.
Endpoint Encryption 5.0 and later devices support Unicode. Do not select this option if all devices are Endpoint Encryption 5.0 and later.
Note
Some legacy devices may not be able to communicate with PolicyServer using
Unicode. Assign Unicode and legacy Endpoint Encryption devices to different groups.
4-12
PolicyServer Installation
4.
Click Apply.
5.
At the confirmation message, click OK.
The new group is added to the tree structure in the left pane.
Adding a New User to a Group
Add one or more users to your group during initial configuration if you intend to have multiple users perform agent installation.
Note
Adding a user to the Enterprise does not assign the user to any groups.
Adding a user to a group adds the user to the group and to the Enterprise.
Procedure
1.
Expand the group and open Users.
2.
On the right pane, right-click the whitespace and select Add New User.
4-13
Trend Micro Endpoint Encryption 6.0 Installation Guide
The Add New User screen appears.
4-14
3.
Specify the following options:
Option Description
User Nme
First Name
Last Name
EmployeeID
Email Address
Specify the user name for the new user account (required).
Specify the first name for the new user account (required).
Specify the last name for the new user account (required).
Specify the employee ID for the new user account (optional).
Freeze
Specify the email address that applies to the user name
(optional).
Select whether to temporarily disable the new user account
(optional). While frozen, the user is unable to log on devices.
Group User Type Select the privileges of the new account.
Options include:
PolicyServer Installation
Option Description
•
•
•
User
Authenticator
Administrator
One Group
Authentication method
Note
Giving a user in a group administrator or authenticator privileges only applies those privileges within that group. That user is treated as a group administrator or group authenticator.
Add an administrator or authenticator in the Enterprise, outside of the group, to give that user Enterprise-level privileges.
Select whether the new user account is allowed to be a member of multiple group policies.
Select the method that the new user account uses to log on to
Endpoint Encryption devices. Options include:
•
•
•
None
Fixed Password
Smart Card
If the Group User Type selection is User, the default authentication method is None. If the Group User Type selection is Administrator or Authenticator, the default authentication method is Fixed Password.
4.
Click OK.
The new user is added to the selected group and to the Enterprise. The user can now log on to Endpoint Encryption devices.
Allowing a User to Install Agents in a Group
Before installing the agents, allow at least one user in a group to install agents.
4-15
Trend Micro Endpoint Encryption 6.0 Installation Guide
Procedure
1.
Expand the group, open Users.
2.
Right-click the user account and then select Allow User to Install to This Group.
Traffic Forwarding Services for Legacy Agents
Endpoint Encryption 6.0 includes backwards compatibility to manage all 5.0 versions of
Endpoint Encryption as well as authenticate and perform commands on legacy agents
(3.1.3 and earlier). Endpoint Encryption uses different architecture for 3.1.3 and earlier agents from 5.0 and later agents, so Endpoint Encryption requires different traffic forwarding services to manage communications between agents and servers.
The Endpoint Encryption Proxy manages the following services:
Service Description
Traffic Forwarding
Service
The Traffic Forwarding Service directs network traffic between
Endpoint Encryption 5.0 and later agents and PolicyServer residing in different local area networks. Endpoint Encryption 5.0
and later agents communicate using RESTful. The Traffic
Forwarding Service sits between the agents and PolicyServer to prevent insecure policy access. The Traffic Forwarding Service installer configures the TMEEForward service that runs on the
Endpoint Encryption Proxy endpoint.
Client Web Service The Client Web Service directs traffic between legacy Endpoint
Encryption agents (3.1.3 and earlier) and PolicyServer residing in different local area networks. Legacy Endpoint Encryption agents communicate using SOAP. Client Web Service sits between the legacy Endpoint Encryption agents and the PolicyServer Windows
Service to prevent insecure policy access. The Client Web
Service installer configures the MAWebService2 (Legacy Web
Service), which is the same Microsoft IIS service installed by the
PolicyServer installer in environments that do not use a proxy.
4-16
PolicyServer Installation
Configuring Traffic Forwarding Services
To create a network topology that includes endpoints of different versions, separately deploy services to an endpoint residing in the network DMZ, and configure
PolicyServer safely behind a firewall. Install the Endpoint Encryption proxy on the separate endpoint to direct and filter traffic between Endpoint Encryption agents and
PolicyServer.
For an example network scenario including legacy agents, see
.
•
•
•
The Endpoint Encryption proxy has the following requirements:
Traffic Forwarding Service and Client Web Service may not be deployed on the same endpoint as PolicyServer.
The default port for the Traffic Forwarding Service is 8080.
The default port for the Client Web Service is 80.
In environments using both new and legacy Endpoint Encryption agents, configure different ports for Traffic Forwarding Service and Client Web Service.
Procedure
1.
Copy the PolicyServer installation folder to the local hard drive.
2.
Go to the path
<installation folder> \TMEE_PolicyServer\Tools
\Optional Installations\TMEEProxy Installer
and run
TMEEProxyInstaller.exe
.
The welcome screen appears.
3.
Click Continue.
The Endpoint Encryption proxy installer analyzes the endpoint.
4.
Specify the PolicyServer IP address or host name and the port number of the
Endpoint Encryption service.
5.
Click Continue.
4-17
Trend Micro Endpoint Encryption 6.0 Installation Guide
The installation begins. Wait for the Endpoint Encryption proxy to install.
6.
After installation completes, note the IP address and port number displayed in the installation screen.
This IP address and port will be used in agent installation.
7.
Click Finish.
8.
Verify the Client Web Service installation.
a.
Go to Start > Administrative Tools > Internet Information Services
(IIS) Manager.
The Internet Information Services (IIS) Manager screen appears.
b.
Find the previously configured site location.
c.
Verify that MAWebService2 is configured.
Client Web Service is installed.
9.
Verify the Traffic Forwarding Service installation.
a.
Go to Start > Administrative Tools > Services.
The Services screen appears.
b.
Verify that TMEEForward service has started.
Traffic Forwarding Service is installed.
4-18
Chapter 5
Control Manager Integration
This chapter explains how to integrate Endpoint Encryption with Trend Micro Control
Manager. You may use Control Manager to manage PolicyServer instead of PolicyServer
MMC for most tasks.
This chapter assumes that you have already installed and configured PolicyServer. For
PolicyServer installation instructions, see
PolicyServer Installation on page 4-1
•
Endpoint Encryption supports only one configured PolicyServer instance in Control
Manager at a time. It is not possible to add multiple PolicyServer configurations.
To configure a different PolicyServer, first remove the previously configured
PolicyServer. If you want to change the PolicyServer managed by Control Manager, remove the existing PolicyServer and add the new one.
•
•
•
Topics include:
Control Manager Integration Overview on page 5-2
Supported Control Manager Versions on page 5-3
Adding PolicyServer as a Managed Product to Control Manager on page 5-3
Removing a PolicyServer Managed Product from Control Manager on page 5-5
5-1
Trend Micro Endpoint Encryption 6.0 Installation Guide
Control Manager Integration Overview
Administrators may manage Endpoint Encryption using only PolicyServer MMC or manage Endpoint Encryption using Control Manager for policy, user and device management and PolicyServer MMC for advanced log management and reporting.
Migration to Control Manager is not automated. The following procedure explains manually configuring Control Manager to match the existing configuration.
Procedure
1.
Upgrade PolicyServer to version 6.0.
Upgrading PolicyServer on page 7-6
2.
Install and configure a supported version of Control Manager.
To verify which version of Control Manager to install, see
.
For Control Manager installation instructions, see the supporting documentation: http://docs.trendmicro.com/en-us/enterprise/control-manager.aspx
3.
Add PolicyServer to Control Manager.
Adding PolicyServer as a Managed Product to Control Manager on page 5-3
4.
Add all existing users to Control Manager using the Endpoint Encryption Users widget.
See Endpoint Encryption Users in the Endpoint Encryption Administrator's Guide.
5.
For each group that currently exists, create a new policy in Control Manager.
See Creating a Policy in the Endpoint Encryption Administrator's Guide.
6.
In each new policy, specify a policy target for every device that was assigned to the previous group.
See Specifying Policy Targets in the Endpoint Encryption Administrator's Guide.
5-2
Control Manager Integration
7.
Use Control Manager to deploy policies.
Supported Control Manager Versions
Endpoint Encryption supports the following Control Manager versions.
Table 5-1.
Supported Control Manager versions
Endpoint Encryption version
5.0
5.0 Patch 1
5.0 Patch 2
5.0 Patch 3
5.0 Patch 4
Control Manager version
6.0
6.0 SP1
6.0 SP2, 6.0 SP3
6.0 SP2, 6.0 SP3
6.0 SP3
Apply the latest patches and critical hot fixes for these Control Manager versions to enable Control Manager to manage Endpoint Encryption. To obtain the latest patches and hot fixes, contact your support provider or visit the Trend Micro Update Center at: http://www.trendmicro.com/download
After installing Endpoint Encryption, register it to Control Manager and then configure settings for Endpoint Encryption on the Control Manager management console. See the
Control Manager documentation for information on managing Endpoint Encryption servers.
Adding PolicyServer as a Managed Product to
Control Manager
To use Control Manager to manage PolicyServer, you must add PolicyServer as a managed product.
To perform additional Control Manager configuration, see the Endpoint Encryption
Administrator's Guide.
5-3
Trend Micro Endpoint Encryption 6.0 Installation Guide
Procedure
1.
Log on to Control Manager.
2.
Go to Administration > Managed Servers.
The Managed Servers screen appears.
3.
In the Server Type drop-down list, select Endpoint Encryption.
4.
Click Add.
The Add Server screen appears.
5-4
5.
Specify Server Information options.
• Server: Specify the PolicyServer host name and the port number. Use the following format: http://<server_name>:port_number
Note
Control Manager communicates with PolicyServer Endpoint Encryption
Service. The default port number is 8080.
Control Manager Integration
•
Display name: Specify the name for PolicyServer shown in the Managed
Servers screen.
6.
Under Authentication, specify the user name and password of the Endpoint
Encryption Enterprise Administrator account and the Enterprise specified during
PolicyServer installation.
7.
Under Connection, select Use a proxy server for the connection if PolicyServer requires a proxy connection.
8.
Click Save.
Note
Synchronization between Control Manager and PolicyServer may require several minutes to complete.
PolicyServer is added as a new managed product to Control Manager.
Removing a PolicyServer Managed Product from Control Manager
Procedure
1.
Go to Policies > Policy Resources > Managed Servers.
The Managed Servers screen appears.
2.
Click the Delete icon ( ) in the Actions column.
3.
At the message, click OK to confirm.
The PolicyServer instance is removed from Control Manager. Use PolicyServer MMC to manage policies. You may add another PolicyServer instance to Control Manager at this time.
5-5
Chapter 6
Endpoint Encryption Agent
Deployment
Endpoint Encryption includes different agents to perform specific encryption and authentication tasks. This chapter describes the the deployment process for each agent, including installation prerequisites, manual installation tasks, and automated deployment tools.
•
•
•
•
•
•
•
Topics include:
Endpoint Encryption Agents on page 6-2
Agent Installation Prerequisites on page 6-3
Automated Deployments on page 6-4
Full Disk Encryption Deployment on page 6-10
Encryption Management for Microsoft BitLocker Installation on page 6-17
Encryption Management for Apple FileVault Installation on page 6-26
File Encryption Deployment on page 6-36
6-1
Trend Micro Endpoint Encryption 6.0 Installation Guide
Endpoint Encryption Agents
The following table describes the Endpoint Encryption agents available for a variety of environments.
Agent
Full Disk Encryption
Encryption Management for
Microsoft BitLocker
Encryption Management for
Apple FileVault
File Encryption
Description
The Endpoint Encryption agent for hardware and software encryption with preboot authentication. Full Disk
Encryption secures data files, applications, registry settings, temporary files, swap files, print spoolers, and deleted files on any Windows endpoint. Strong preboot authentication restricts access vulnerabilities until the user is validated.
The Full Disk Encryption agent may be installed on the same endpoint as the File Encryption agent. The Full Disk
Encryption agent cannot be installed on the same endpoint as either the Encryption Management for
Microsoft BitLocker agent or the Encryption Management for Apple FileVault agent.
The Endpoint Encryption Full Disk Encryption agent for
Microsoft Windows environments that simply need to enable Microsoft BitLocker on the hosting endpoint.
The Encryption Management for Microsoft BitLocker agent may be installed on the same endpoint as the File
Encryption agent.
The Endpoint Encryption Full Disk Encryption agent for
Mac OS environments that simply need to enable Apple
FileVault on the hosting endpoint.
The Endpoint Encryption agent for file and folder encryption on local drives and removable media. File
Encryption protects files and folders located on virtually any device that appears as a drive within the host operating system.
The File Encryption agent may be installed on the same endpoint as either the Full Disk Encryption agent or the
Encryption Management for Microsoft BitLocker agent.
6-2
Endpoint Encryption Agent Deployment
Agent Installation Prerequisites
Before installing the Endpoint Encryption agents, consult the following table for specific agent installation requirements.
Category
Endpoints
PolicyServer
Requirements
1.
Each endpoint meets the minimum system requirements to install the intended agents. See
System Requirements on page 3-1
2.
The boot drive of each endpoint has an unmodified MBR boot sector.
For example, endpoints with multiple operating systems that include modified boot sectors are not supported.
3.
Each endpoint has network access and can communicate with PolicyServer during installation.
4.
The relevant agent installation packages are stored on each endpoint.
1.
PolicyServer is installed or upgraded to version 6.0. See
PolicyServer Installation on page 4-1
.
2.
For environments using PolicyServer MMC, there is at least one top-level group configured.
3.
For environments using Control Manager, there is at least one policy configured.
6-3
Trend Micro Endpoint Encryption 6.0 Installation Guide
Category
Accounts
Automated deployments
OfficeScan deployments
Requirements
•
1.
The Endpoint Encryption user account has permission to add devices to the group or policy. Enterprise administrator and authenticator accounts have device installation privileges. To give installation privileges to other user accounts, see
Allowing a User to Install Agents in a Group on page 4-15
.
2.
The installing Windows account has Local Administrator privileges. For automated deployments, the installing account for each endpoint must have Local Administrator privileges as well.
3.
If domain authentication/Single Sign-on is enabled, the user name matches the user name in Active Directory. The Active
Directory password is used for authentication
1.
An automated software distribution tool is installed, such as
SMS, SCCM, Tivoli, GPO, or LANDesk.
2.
Direct access to the endpoint hard drive is available for script deployment. Do not run Endpoint Encryption deployment scripts from USB devices or from shared network drives.
3.
You have installation scripts for each agent. For help making installation scripts, use Command Builder and Command
Automated Deployments on page 6-4
For environments using OfficeScan, the environment is ready for agent deployment through OfficeScan Plug-in Manager.
For more information, see the OfficeScan Plug-in Online
Help.
Automated Deployments
Endpoint Encryption allows users to deploy agents in the following ways:
6-4
Endpoint Encryption Agent Deployment
Deployment
Method
Manual
Automated
Description
Run the agent installation program and configure PolicyServer settings manually on each endpoint. This option is prefered for test installations and endpoints that have individual hardware specifications.
Use an installation script to install and configure the agent automatically on one endpoint or on many endpoints at once
(mass deployment). This option is prefered for environments that include many similar endpoints such as large enterprises.
OfficeScan
WARNING!
Insufficient system setup or hard disk drive preparation may result in irreversible data loss. Verify that you have completed all relevant prerequisites before continuing. See
Agent Installation Prerequisites on page 6-3
Deploy Full Disk Encryption agents to endpoints that already have
OfficeScan agents through the Endpoint Encryption Deployment
Tool plug-in. For information about using the plug-in, see the
OfficeScan Plug-in Online Help.
To assist with creating scripts for automated deployments, Endpoint Encryption includes the following tools:
Tool
Command Builder
Description
The Command Builder generates complete installation command scripts for Full Disk Encryption, File Encryption, and Encryption
Managemement for Microsoft BitLocker based on PolicyServer,
Enterprise, and authentication values.
Tip
The Command Builder is a larger tool that encompasses the functionality of the Command Line Helper. If you intend to use the Command Builder, you do not need to use the
Command Line Helper.
6-5
Trend Micro Endpoint Encryption 6.0 Installation Guide
Tool
Command Line
Helper
Description
The Command Line Helper is a command line utility that generates individual encrypted strings to use for installation, upgrade, or patch scripts.
Command Builder
Full Disk Encryption and File Encryption are compliant with automated software distribution tools, such as SMS, SCCM, Tivoli, GPO, and LANDesk. Use the Command
Builder to generate scripts used to install PolicyServer and Endpoint Encryption agents.
If you intend to use the Command Builder, ensure that your environment meets the agent installation prerequisites, including the automated deployment requirements. See
Agent Installation Prerequisites on page 6-3
Creating Agent Installation Scripts
The following information is required to generate a silent install script: PolicyServer host name or IP address, the Enterprise name, user name, password, and the path and version number of the endpoint client installer. The Command Builder is available in the
Tools
folder of the installation directory.
Note
To run this tool, verify that PolicyServer or an Endpoint Encryption agent is installed on the same endpoint.
Procedure
1.
Download the Command Builder tool and locate the tool in your Endpoint
Encryption download folder.
The Command Builder tool is part of the PolicyServer installation package. Go to
Trend Micro Download Center, select the Endpoint Encryption, and download the
PolicyServer package.
http://downloadcenter.trendmicro.com/
6-6
Endpoint Encryption Agent Deployment
The Command Builder tool is located in the following directory:
<download_directory>\TMEE_PolicyServer\Tools\Command Line
Helper
2.
Run
CommandBuilder.exe
from an endpoint with PolicyServer installed.
The Command Builder screen appears.
3.
Specify the following:
Option
Hostname
Description
Specify the PolicyServer IP address, host name, or FQDN and include the port number assigned to that configuration.
Specify the Enterprise. Only one Enterprise is supported.
Enterprise
Name
Username
Password
Specify the user name of an account with permission to add devices to the Enterprise.
Specify the password for the user name.
4.
Select which the values you want to encrypt from the Encryption Options.
The options selected in Encryption Options will replace the previously specified values with encrypted values in the generated command text.
5.
Select whether to prompt the end user, or to do a silent installation.
6-7
Trend Micro Endpoint Encryption 6.0 Installation Guide
Note
This function is only supported for legacy versions of the Full Disk Encryption agent.
6.
Specify legacy options that affect only older versions of Full Disk Encryption agent.
•
• Allow Cancel: The end user may cancel the installation.
Suppress Reboot: The endpoint does not restart after installation.
• Autologon: The user is automatically logged on the Full Disk Encryption preboot logon after installing the Full Disk Encryption agent and restarting the endpoint.
7.
Specify the path to the installation files.
8.
Click Generate Command.
The script generates.
9.
Click the appropriate button to copy the command.
The resulting script is copied to the clipboard.
10. Paste the command into the installation script.
Command Line Helper
The Command Line Helper is used to create encrypted values that can then be used to secure credentials when you are scripting an install for automated deployment or using
DAAutoLogin. The Command Line Helper tool is located in the
Tools
folder.
Note
The Command Line Helper can only run on systems with Trend Micro Full Disk
Encryption or PolicyServer installed.
The Command Line Helper tool accepts a single string as an argument and returns an encrypted value for in the installation script. The leading and trailing “=” signs are
6-8
Endpoint Encryption Agent Deployment included as part of the complete encrypted string and must be included on the command line. If the value is encrypted and does not return a leading = sign, then an equal sign must be added to the script.
The following shows the fields that may use encrypted values, and the arguments used to receive encrypted values.
Field
Full Disk
Encryption
Unencrypted
Enterprise
ENTERPRISE
PolicyServer
HOST
User name
USERNAME
Password
PASSWORD
Arguments
Full Disk
Encryption
Encrypted eENTERPRISE eHOST eUSERNAME ePASSWORD
File Encryption
PSENTERPRISE
PSHOST
FAUSER
FAPASSWORD
Using the Command Line Helper
Command Line Helper enables encrypted values to pass via the installation script to the
Full Disk Encryption preboot and installer. You can manually use Command Line
Helper to generate encrypted values of strings for installation scripts or patch management.
Procedure
1.
Download the Command Line Helper tool and locate the tool in your Endpoint
Encryption download folder.
The Command Line Helper tool is part of the PolicyServer installation package.
Go to Trend Micro Download Center, select the Endpoint Encryption, and download the PolicyServer package.
http://downloadcenter.trendmicro.com/
The Command Line Helper tool is located in the following directory:
6-9
Trend Micro Endpoint Encryption 6.0 Installation Guide
<download_directory>\TMEE_PolicyServer\Tools\Command Line
Helper
2.
Open a command prompt.
3.
Change the directory to the directory of the Command Line Helper tool.
Example: cd C:\TMEE_PolicyServer\Tools\Command Line Helper
4.
Type
CommandLineHelper.exe
followed by the string that you want to encrypt, and press ENTER.
Example:
CommandLineHelper.exe examplepassword
Tip
It may be easier to copy the generated value directly from a text file.
In that case, the above example would be modified as follows:
CommandLineHelper.exe examplepassword > file.txt
The Command Line Helper produces an encrypted string.
Full Disk Encryption Deployment
The following section describes how to install and configure the Full Disk Encryption agent.
Before installing Endpoint Encryption agents, verify that your environment meets the
Agent Installation Prerequisites on page 6-3
6-10
Endpoint Encryption Agent Deployment
Full Disk Encryption Manual Deployment
Installing the Full Disk Encryption Agent
To install Full Disk Encryption, perform the following procedure.
Procedure
1.
Verify that all of the agent installation prerequisites have been completed.
Agent Installation Prerequisites on page 6-3
2.
Verify that the hard disk is not already encrypted, no other full disk encryption product is installed, and that Microsoft BitLocker is disabled.
3.
Run a hard drive integrity utility on the system drive.
For example, to run the Windows utility Check Disk, open a command prompt and run chkdsk /f /r
. Windows will perform Check Disk on the next restart.
If bad sectors are found, fix or replace the hard drive depending on your enterprise hardware policy.
4.
Defragment the system drive.
5.
Copy the installation files to the system drive.
6.
Run
TMFDEInstall.exe
.
Note
If the User Account Control windows displays, click Yes to allow the installer to make changes to the Endpoint Encryption device.
The Full Disk Encryption installer checks the endpoint for installation issues. If a system incompatibility is discovered, the installer closes and generates the
PreInstallCheckReport.txt
in the same location as the installer. For more information, see
Pre-Installation Check on page 6-13
.
7.
Specify the following PolicyServer information:
6-11
Trend Micro Endpoint Encryption 6.0 Installation Guide
6-12
Option
Server name
Description
Specify the PolicyServer IP address, host name, or FQDN and include the port number assigned to that configuration.
Specify the Enterprise. Only one Enterprise is supported.
Enterprise
User name
Specify the user name of an account with permission to add devices to the Enterprise.
Specify the password for the user name.
Password
Forcesoftware (Optional) Forces Full Disk Encryption to use software encryption instead of hardware encryption.
This option is recommended for SED disks.
•
•
WARNING!
Full Disk Encryption is unable to install on SED disks attached to devices using
UEFI if these disks were previously managed by Windows Bitlocker. To install Full
Disk Encryption on these disks, perform one of the following:
Configure Full Disk Encryption to use software-based encryption by adding the
FORCESOFTWARE
parameter during installation.
Restore the SED disk back to its factory setting. This procedure removes all existing data from the SED disk. After the disk has been restored, try running the installer again.
8.
At the Installation Complete screen, click Close.
A message appears asking if you want to restart or shut down the endpoint. The endpoint restarts for software-based encryption or shuts down for hardware-based encryption.
9.
Click Yes to restart or shutdown the endpoint.
Full Disk Encryption installation is complete when the Full Disk Encryption preboot displays. At the preboot screen, the user must log on. The user is required to change their password after logging on. The next time Windows starts, Full Disk
Encryption encrypts the disk.
Endpoint Encryption Agent Deployment
Policies are synchronized with PolicyServer after the endpoint restarts.
Pre-Installation Check
The Full Disk Encryption installer automatically checks the target system to make sure that all necessary system requirements are met before installing the agent. If a system incompatibility is discovered, the installer closes and generates the
PreInstallCheckReport.txt
in the same location as the installer. The following are the requirements that Full Disk Encryption installer checks.
Specification
Supported
Operating System
Encryption
Management for
Microsoft BitLocker is already installed
Secure Boot
Fixed media
Free space
Memory
Partition count
Physical drive is bootable
Requirement
The endpoint must have a supported operating system installed.
Encryption Management for Microsoft BitLocker must not be installed. Uninstall Encryption Management for Microsoft
BitLocker to install Full Disk Encryption or use Encryption
Management for Microsoft BitLocker instead.
Full Disk Encryption is unable to install on endpoints where
Secure Boot has been enabled. To ensure successful installation, disable Secure Boot prior to installation.
The physical disk must be fixed and not removable.
Full Disk Encryption cannot be installed on removable drives running Windows.
The drive must have at least 256 MB of contiguous free disk space.
The endpoint must have at least 512 MB of RAM.
Trend Micro recommends having at least 1 GB of RAM.
The drive must have fewer than 25 partitions.
Partitions with extended MBRs are not supported.
The drive must be bootable.
6-13
Trend Micro Endpoint Encryption 6.0 Installation Guide
6-14
Specification
SCSI disk
Requirement
SCSI drives are not supported.
Note
This check only records a warning, because Windows may report a SATA drive as SCSI. If the disk is not SCSI, Full
Disk Encryption may be installed. To verify that the drive is not SCSI, physically check the device.
Microsoft .NET
Framework
SED hardware compatibility
Microsoft .NET Framework 3.5 or later is required for Windows 8 or later devices.
•
•
If a drive is a self-encrypting drive, Full Disk Encryption enables hardware encryption for that drive.
Full Disk Encryption currently supports the following:
Seagate OPAL and OPAL 2 drives
SanDisk self-encrypting solid-state drives
BitLocker is enabled Microsoft BitLocker must not be enabled. Two full disk encryption solutions may not run on the same drive.
If your environment uses Microsoft BitLocker for encryption, install the Encryption Management for Microsoft BitLocker agent instead of Full Disk Encryption.
Intel Rapid Storage
Technology
Drives using Intel Rapid Storage Technology with mSATA caches are not supported.
Windows MBR
Keyboard
Wi-Fi/NIC
Disks are distinguishable
Check Not
Initialized Disk(s)
Checks if the boot disk uses a typical Windows MBR or not.
The Full Disk Encryption Preboot supports the current keyboard layout.
The Full Disk Encryption Preboot supports the system Network
Interface Controller (NIC) and Wi-Fi hardware.
The disks on the device must have unique hardware properties, such as Serial Number and Model
The disks on the device are initialized. If there are one or more disks which are not initialized, open Disk Management to initialize.
Endpoint Encryption Agent Deployment
Specification
GPT partition checking
Incompatible software
Requirement
First usable LBA and partition size check.
Incompatible software must be uninstalled before installing Full
Disk Encryption.
For example, HP Drive Encryption and Dell Backup Recovery.
Full Disk Encryption Automatic Deployment
If performing automated and mass deployments, use the tools described in
. This section describes automatic deployment information specific to Full Disk Encryption.
Disable Encryption During Deployment
The table below explains how to disable encryption centrally from one of the management consoles. Temporarily disable drive encryption to minimize end user impact and simplify mass deployment. Once device compatibility is confirmed, optionally re-enable encryption.
Tip
If you are performing a mass deployment, to simplify installation and minimize user impact, you may want to disable encryption. You can enable encryption at a later time to encrypt all devices simultaneously or when fewer users may be affected.
Depending on your primary management console, do the following to disable encryption during employment.
Console
PolicyServer MMC
Policy Setting
Go to Full Disk Encryption > PC > Encryption > Encrypt
Device and select No.
6-15
Trend Micro Endpoint Encryption 6.0 Installation Guide
Console
Control Manager
Policy Setting
Access a new or existing policy (Policies > Policy Management) and then deselect Encrypt device under Full Disk Encryption.
Full Disk Encryption Script Example
The following is an example script to use for automated deployment. Use Command
Line Helper to encrypt necessary credentials, and use Command Builder to generate the deployment script.
For example, the following values are placed into Command Builder:
Hostname
Enterprise Name
Username
Password
Path to FDE
Installer
PolicyServer.mycompany.com
MyCompany
GroupAdministrator
123456
C:\Program Files\Trend Micro\Full Disk Encryption
\TMFDEInstaller.exe
In this example, under Encryption Options, the fields Username and Password are selected.
Output to install Full Disk Encryption:
C:\Program Files\Trend Micro\
Full Disk Encryption\TMFDEInstaller.exe
ENTERPRISE=MyCompany HOST= PolicyServer.mycompany.com eUSERNAME==jJUJC/Lu4C/Uj7yYwxubYhAuCrY4f7AbVFp5hKo2PR4O ePASSWORD==5mih67uKdy7T1VaN2ISWGQQ=
6-16
Endpoint Encryption Agent Deployment
Encryption Management for Microsoft
BitLocker Installation
Use the Encryption Management for Microsoft BitLocker agent to secure endpoints with Trend Micro Full Disk Encryption protection in an existing Windows infrastructure.
In addition to the other requirements, Encryption Management for Microsoft Bitlocker requires two partitions: a boot partition and a system partition on the local endpoint. On
Microsoft Windows 7 and later versions, a system partition and a boot partition are both typically created during the installation process. If you attempt to install or upgrade
Encryption Management for Microsoft Bitlocker and receive an error regarding system and boot partitions, create a system partition and try again.
Creating a System Partition with Microsoft BitLocker on page 6-19
.
Once installed, the Endpoint Encryption agent is inactive until the policy to encrypt the
Endpoint Encryption device is enabled. The Endpoint Encryption agent becomes inactive again if encryption is disabled at a later time.
Encryption Management for Microsoft BitLocker Manual
Deployment
Installing the Encryption Management for Microsoft
BitLocker Agent
To install Encryption Management for Microsoft BitLocker, perform the following procedure.
Procedure
1.
Verify that all of the agent installation prerequisites have been completed.
Agent Installation Prerequisites on page 6-3
2.
Verify that the hard disk is not already encrypted and that no other full disk encryption product is installed.
6-17
Trend Micro Endpoint Encryption 6.0 Installation Guide
6-18
3.
Run a hard drive integrity utility on the system drive.
For example, to run the Windows utility Check Disk, open a command prompt and run chkdsk /f /r
. Windows will perform Check Disk on the next restart.
If bad sectors are found, fix or replace the hard drive depending on your enterprise hardware policy.
4.
Defragment the system drive.
5.
Copy the installation files to the system drive.
6.
Run
TMFDEInstall_MB.exe
.
Note
If the User Account Control windows displays, click Yes to allow the installer to make changes to the Endpoint Encryption device.
7.
Specify the following PolicyServer information:
Option Description
Server name Specify the PolicyServer IP address, host name, or FQDN and include the port number assigned to that configuration.
Enterprise
User name
Specify the Enterprise. Only one Enterprise is supported.
Specify the user name of an account with permission to add devices to the Enterprise.
Password
Specify the password for the user name.
8.
Click Install.
Encryption Management for Microsoft BitLocker installation begins. After a moment, the installation completes and the installer closes.
9.
Go to the system tray and click the icon to open the Encryption Management for Microsoft BitLocker agent.
Endpoint Encryption Agent Deployment
Note
For information about understanding and managing the Endpoint Encryption agent, see the Endpoint Encryption Administrator's Guide.
Creating a System Partition with Microsoft BitLocker
Encryption Management for Microsoft Bitlocker requires separate boot and system partitions on the local endpoint. On Microsoft Windows 7 and later versions, a system partition and a boot partition are both typically created during the installation process. If you attempt to install or upgrade Encryption Management for Microsoft Bitlocker and receive an error regarding system and boot partitions, you may need to create a system partition.
Perform the following procedure to check whether the endpoint has separate boot and system partitions. If the endpoint does not have separate partitions, this procedure also shows how to use BitLocker Drive Encryption to create a system partition.
Procedure
1.
Verify whether your endpoint has separate system and boot partitions.
a.
Open the Windows Start menu.
b.
Type diskmgmt.msc
to open the Computer Management window.
6-19
Trend Micro Endpoint Encryption 6.0 Installation Guide
The following is an example of an endpoint that contains separate system and boot partitions:
WARNING!
If you attempted to install or upgrade Encryption Management for Microsoft
Bitlocker and received an error regarding system and boot partitions, check
Computer Management. If you find that you already have separate system and boot partitions, do not continue this task. Contact Trend Micro Support.
6-20
Endpoint Encryption Agent Deployment
The following is an example of an endpoint that contains a combined system and boot partition:
If your system and boot partitions are both in the same disk, continue the rest of this procedure.
2.
If you already have an Encryption Management for Microsoft BitLocker agent on your endpoint, uninstall the agent.
This step is only necessary if you were attempting to upgrade Encryption
Management for Microsoft BitLocker to a newer version.
3.
Back up critical files in your primary drive.
Important
The following steps include using BitLocker to change the structure of your primary drive. Any changes to system structure may result in errors. Trend Micro strongly recommends backing up important files before continuing.
4.
Turn on BitLocker.
a.
From the Windows Start menu, go to Control Panel > System and
Security > BitLocker Drive Encryption.
6-21
Trend Micro Endpoint Encryption 6.0 Installation Guide b.
Click Turn on BitLocker.
6-22
The BitLocker Drive Encryption window appears.
5.
To create the system partition, follow the on-screen instructions in the BitLocker
Drive Encryption window.
Creating the system partition may take a long time depending upon the drive size.
6.
Restart your endpoint.
Endpoint Encryption Agent Deployment
After restarting your endpoint, BitLocker will display the following screen:
7.
Click Next.
BitLocker will request that you back up your recovery key.
8.
Click Cancel to close BitLocker Drive Encryption.
Tip
Endpoint Encryption will create a recovery key during the encryption process, so backing up the recovery key at this point is unnecessary.
The system partition has been created.
6-23
Trend Micro Endpoint Encryption 6.0 Installation Guide
At this point you may re-install the Encryption Management for Microsoft
BitLocker agent.
Troubleshooting Password and Encryption Issues
After installing Encryption Management for Apple FileVault and restarting the endpoint, Apple FileVault attempts to encrypt the disk. If the password specified during installation did not match the specified user account, the following window appears:
6-24
After specifying the correct password, restart the endpoint again. If the password was the issue, after restarting, Apple FileVault encrypts the endpoint.
If this problem persists, or if the encryption status displays that the endpoint is not encrypting, then another issue is restricting Apple FileVault functionality. Do the following procedure to determine the location of the issue and whether to send the issue to Trend Micro Support.
Procedure
1.
From the Apple menu, go to Security & Privacy > FileVault.
Endpoint Encryption Agent Deployment
2.
If the lock icon is locked, click the lock icon to make changes.
3.
Click Turn On FileVault....
A window appears that asks for your password.
4.
Type your password and click Start Encryption.
If your user account has permission to turn on FileVault, your credentials are correct, and FileVault is working properly, FileVault begins encrypting the disk.
5.
If FileVault encounters any issues during encryption after this point, take relevant screenshots of those issues and contact Trend Micro Support.
Encryption Management for Microsoft BitLocker
Automatic Deployment
If performing automated and mass deployments, use the tools described in
. This section describes automatic deployment information specific to Encryption Management for Microsoft BitLocker.
Encryption Management for Microsoft BitLocker Script
Example
The following is an example script to use for automated deployment. Use Command
Line Helper to encrypt necessary credentials, and use Command Builder to generate the deployment script.
For example, the following values are placed into Command Builder:
Hostname
Enterprise Name
Username
Password
PolicyServer.mycompany.com
MyCompany
GroupAdministrator
123456
6-25
Trend Micro Endpoint Encryption 6.0 Installation Guide
Path to Full Disk
Encryption for
Microsoft BitLocker
Installer
32-bit: C:\Program Files\Trend Micro\FDE Management for
Microsoft BitLocker\TMFDEInstall_MB.exe
64-bit: C:\Program Files (x64)\Trend Micro\FDE Management for
Microsoft BitLocker\TMFDEInstall_MB.exe
In this example, under Encryption Options, the fields Username and Password are selected.
Output to install Encryption Management for Microsoft BitLocker:
C:\Program Files\Trend Micro\
FDE Management for Microsoft BitLocker\TMFDEInstall_MB.exe
ENTERPRISE=MyCompany HOST= PolicyServer.mycompany.com eUSERNAME==jJUJC/Lu4C/Uj7yYwxubYhAuCrY4f7AbVFp5hKo2PR4O ePASSWORD==5mih67uKdy7T1VaN2ISWGQQ=
Encryption Management for Apple FileVault
Installation
Use the Encryption Management for Apple FileVault agent to secure endpoints with
Trend Micro Full Disk Encryption protection in an existing Mac OS X infrastructure.
Encryption Management for Apple FileVault Manual
Deployment
Installing the Encryption Management for Apple FileVault
Agent
To install Encryption Management for Apple FileVault, perform the following procedure.
Procedure
1.
Verify that all of the agent installation prerequisites have been completed.
6-26
Endpoint Encryption Agent Deployment
Agent Installation Prerequisites on page 6-3
2.
Verify that the hard disk is not already encrypted, no other full disk encryption product is installed, and that Apple FileVault is disabled.
a.
Go to System Preferences > Security & Privacy.
b.
Select the FileVault tab.
c.
If necessary, click the lock icon ( ) to make changes.
d.
Specify the user name and password for the endpoint.
e.
Click Turn Off FileVault.
3.
Run a hard drive integrity utility on the system drive.
For example, run Verify Disk from OS X Disk Utility. To use this feature, do the following: a.
Restart your Mac in Recovery Mode by holding Command + R during startup.
6-27
Trend Micro Endpoint Encryption 6.0 Installation Guide b.
Click Disk Utility.
c.
Select your startup disk.
d.
Click Verify Disk.
e.
If errors are found on the disk, click Repair Disk.
4.
Check with your system administrator about whether you should defragment your system drive.
5.
Copy the installation files to the system drive.
6.
Run
TMFDEInstall_FV.exe
.
7.
From the Welcome screen, click Continue.
The Installer checks that the system requirements are met.
8.
If the system requirements are met, click Install.
9.
Select the hard disk to install that agent.
10. Specify the user name and password of an account with permission to install applications on the endpoint, and click Install Agent
The installation begins.
11. Specify the following PolicyServer information:
Option Description
Server name Specify the PolicyServer IP address, host name, or FQDN and include the port number assigned to that configuration.
Enterprise
User name
Specify the Enterprise. Only one Enterprise is supported.
Specify the user name of an account with permission to add devices to the Enterprise.
Password
Specify the password for the user name.
6-28
Endpoint Encryption Agent Deployment
Option Description
Important
Make sure that you type the correct password at this time, or you may need to troubleshoot your encryption status later.
12. After the installation completes, click Close to restart the endpoint.
The Encryption Management for Apple FileVault agent initiates immediately after the endpoint restarts.
13. Go to the menu bar (
Management for Apple FileVault agent.
) to open the Encryption
Note
For information about understanding and managing the Endpoint Encryption agent, see the Endpoint Encryption Administrator's Guide.
Creating a Mobile Account for Active Directory on Mac OS
Mac OS local accounts or mobile accounts are able to initiate encryption on Mac OS X
Mountain Lion or later. Other Mac OS user account types will be unable to initiate encryption.
6-29
Trend Micro Endpoint Encryption 6.0 Installation Guide
If a Mac OS account other than a local account or mobile account attempts to initiate encryption, the following notification appears:
6-30
The following task shows how to create a mobile account for your Mac OS account to bypass this issue.
Procedure
1.
Go to System Preferences... in the Apple menu.
The System Preferences window appears.
2.
Select User Groups under the System section.
3.
Click the lock icon in the lower left corner.
4.
Click Create... next to Mobile account.
5.
On the following screens, select any personal settings, and click Create to proceed from one screen to the next.
6.
When prompted, enter your Active Directory password and click OK.
Endpoint Encryption Agent Deployment
Your mobile account has been created. You may now use this mobile account to initate encryption.
Encryption Management for Apple FileVault Automatic
Deployment
If performing automated and mass deployments, use the tools described in
. This section describes automatic deployment information specific to Encryption Management for Apple FileVault.
Deploying Encryption Management for Apple FileVault
Automatically
•
•
•
The following is the process for setting up command line scripts to automate
Encryption Management for Apple FileVault deployments. This procedure assumes that you have received the following files:
Installer.sh
InstallPreCheck
Trend Micro Full Disk Encryption.pkg
6-31
Trend Micro Endpoint Encryption 6.0 Installation Guide
6-32
The following is an example of the intended installation command script built using this procedure:
$ sudo /var/tmp/Installer.sh /var/tmp
The following is an example of the intended agent registration command script built using this procedure:
$ sudo“/Library/Application Support/TrendMicro/FDEMM/
RegisterDevice
HOST=10.1.152.58 ENTERPRISE=MyCompany USERNAME=User ePASSWORD==5mih67uKdy7TlVaN2ISWGQQ=
Procedure
1.
Place the installation files into the the same directory.
Installer.sh
,
InstallPreCheck
, and
Trend Micro Full Disk
Encryption.pkg
must be in the same directory for automated deployment to run successfully. This procedure assumes those files have been placed in the directory
/var/tmp
for later example command scripts.
2.
In a command line interface, run
Installer.sh
with the directory of the installation files as the first parameter.
An example command script is as follows:
$ sudo /var/tmp/Installer.sh /var/tmp
Installer.sh
will call
InstallPreCheck
to check your environment for potential issues that could hinder deployment or agent use. If any issues are found, the return code of the issue will be returned. If no issues are found,
Installer.sh
will execute
Trend Micro Full Disk Encryption.pkg
to perform installation.
For potential error codes and limitations of Encryption Management for Apple
FileVault deployment, see
Encryption Management for Apple FileVault Preinstallation
3.
If
Installer.sh
returns code
106
, check the version of a currently installed
Encryption Management for Apple FileVault agent.
Endpoint Encryption Agent Deployment
Return code
106
means that Encryption Management for Apple FileVault is already installed.
To check the currently installed version, run the following command script:
$ defaults read "/Applications/Encryption Management for
Apple FileVault.app/Contents/Info.plist"
CFBundleShortVersionString
To check the version of the intended agent deployment package, run the following command script:
$ /var/tmp/InstallPreCheck version
If the intended version is later than the currently installed version, upgrade
Encryption Management for Apple FileVault instead of continuing deployment.
Upgrading Encryption Management for Apple FileVault on page 7-14
.
4.
If installation of Encryption Management for Apple FileVault proceeded successfully, run the
RegisterDevice
executable with your enterprise credentials as parameters to register the agent to PolicyServer.
The
RegisterDevice
executable is located in the agent directory. The default
RegisterDevice
path is
/Library/Application Support/TrendMicro/
FDEMM/RegisterDevice
.
In order, add the
HOST
,
ENTERPRISE
,
USERNAME
, and
PASSWORD
arguments as parameters. Encryption Management for Apple FileVault supports encrypted values of these arguments by adding e
before the argument name. For example, an encrypted argument of
PASSWORD
is ePASSWORD
.
For help creating the
RegisterDevice
command script, see
The following is an example of the intended agent registration command script:
$ sudo“/Library/Application Support/TrendMicro/FDEMM/
RegisterDevice
HOST=10.1.152.58 ENTERPRISE=MyCompany USERNAME=User ePASSWORD==5mih67uKdy7TlVaN2ISWGQQ=
6-33
Trend Micro Endpoint Encryption 6.0 Installation Guide
After agent registration, the Encryption Management for Apple FileVault agent deployment is complete.
6-34
Encryption Management for Apple FileVault Preinstallation
Return Codes
Before performing an Encryption Management for Apple FileVault automated deployment, run
Installer.sh
to check your environment for potential issues that could hinder deployment or agent use. The following is a list of the potential codes that
Installer.sh
will return.
Note
Do not perform Encryption Management for Apple FileVault agent deployment unless
Installer.sh
returns code
0
.
Table 6-1. Return Codes
Return Code
0
101
102
103
104
105
Description
The endpoint is ready for Encryption Management for Apple FileVault agent deployment.
The operating system is not supported. Encryption Management for
Apple FileVault requires Mac OS X Mountain Lion (10.7) or later.
The endpoint does not have sufficient disk space. Encryption
Management for Apple FileVault requires at least 400 MB of free disk space.
Apple FileVault is enabled. Disable Apple FileVault, restart the endpoint, and try again.
Encryption Management for Apple FileVault does not support Apple
Fusion Drive. Set a hard drive without Apple Fusion Drive as the root drive and try again.
Encryption Management for Apple FileVault requires Mono Framework version 2.10.11. Unistall the currently installed version and try again.
Endpoint Encryption Agent Deployment
Return Code
106
Description
Encryption Management for Apple FileVault is already installed.
To check the currently installed version, run the following command script:
$ defaults read "/Applications/Encryption Management for
Apple FileVault.app/Contents/Info.plist"
CFBundleShortVersionString
To check the version of the intended agent deployment package, run the following command script:
$ <directory>/InstallPreCheck version
107
108
109
110
111
Encryption Management for Apple FileVault deployment requires administrator privileges. Use the sudo
parameter when running the command script.
The syntax of the command script is incorrect. Specify the directory of
Installer.sh
in the first parameter position and try again.
For example:
$ /var/tmp/Installer.sh /var/tmp
Installer.sh
is unable to find or run
InstallPreCheck
. Check that
InstallPreCheck
is in the same directory as
Installer.sh
and that you have privileges to run executable files and try again.
Installer.sh
is unable to find
Trend Micro Full Disk
Encryption.pkg
. Check that
Trend Micro Full Disk
Encryption.pkg
is in the same directory as
Installer.sh
and try again.
Trend Micro Full Disk Encryption.pkg
is unable to execute.
Check that you have privileges to run executable files and try again.
Encryption Management for Apple FileVault Script Example
This is an example of an installation script to install Encryption Management for Apple
FileVault.
6-35
Trend Micro Endpoint Encryption 6.0 Installation Guide
Software location = /Library/Application Support/TrendMicro/
FDEMM/RegisterDevice
ENTERPRISE = MyCompany
HOST = 10.1.152.58
USERNAME = User ePASSWORD = 5mih67uKdy7TlVaN2ISWGQQ
Note
In this example the password is encrypted.
Output to install Encryption Management for Apple FileVault:
$ sudo “/Library/Application Support/TrendMicro/FDEMM/
RegisterDevice”
HOST=10.1.152.58 ENTERPRISE=MyCompany USERNAME=User ePASSWORD==5mih67uKdy7TlVaN2ISWGQQ=
File Encryption Deployment
This section describes how to install the File Encryption agent. Use File Encryption to protect files and folders within the host operating system.
Note
It is now possible to use the Enterprise Administrator and Enterprise Authenticator roles to install Endpoint Encryption agents.
File Encryption Manual Deployment
The File Encryption installation process involves running an installer on the endpoint and following the step-by-step instructions.
6-36
Endpoint Encryption Agent Deployment
Procedure
1.
Verify that all of the agent installation prerequisites have been completed.
Agent Installation Prerequisites on page 6-3
2.
Run
FileEncryptionInst.exe
The File Encryption Setup Wizard appears.
3.
Click Next.
Note
If prompted by User Account Control, click Yes.
The File Encryption installer initiates and automatically installs the agent.
4.
When the installation completes, click Close.
5.
Click Yes to restart Windows.
The endpoint restarts and File Encryption is installed. Two File Encryption icons display: one shortcut on the desktop and one tray icon. After the desktop loads, it may take a moment for the agent to initiate.
6.
From the File Encryption Login screen, set the following parameters.
Option Description
User name
Specify the user name of an account with permission to add devices to the Enterprise.
Specify the password for the user name.
Password
Server name Specify the PolicyServer IP address, host name, or FQDN and include the port number assigned to that configuration.
Enterprise
Specify the Enterprise. Only one Enterprise is supported.
7.
Click OK to complete installation.
8.
Go to the system tray and click the icon to open the File Encryption agent.
6-37
Trend Micro Endpoint Encryption 6.0 Installation Guide
Note
For information about understanding and managing the Endpoint Encryption agent, see the Endpoint Encryption Administrator's Guide.
File Encryption Automatic Deployment
If performing automated and mass deployments, use the tools described in
. This section describes automatic deployment information specific to File Encryption.
File Encryption Script Example
This is an example of an installation script to install File Encryption.
Software location = C:\Program Files\Trend Micro\File
Encryption\FileEncryptionIns.exe
PSEnterprise = MyCompany
PSHost = PolicyServer.mycompany.com
FAUser = GroupAdministrator
FAPassword = 123456
Note
In this example, both user name and password will be encrypted.
Output to install File Encryption:
C:\Program Files\Trend Micro\
File Encryption\FileEncryptionIns.exe
PSEnterprise=MyCompany PSHost= PolicyServer.mycompany.com
FAUser==jJUJC/Lu4C/Uj7yYwxubYhAuCrY4f7AbVFp5hKo2PR4O=
FAPassword==5mih67uKdy7T1VaN2ISWGQQ=
6-38
Chapter 7
Upgrade and Migration
To gain access to new product features or to upgrade older agent software for improved endpoint security, administrators may need to upgrade the Endpoint Encryption
PolicyServer and all managed endpoints running any Endpoint Encryption agent. For policy synchronization and information security, make sure to always upgrade
PolicyServer before the Endpoint Encryption agents.
This section explains how to safely upgrade Endpoint Encryption, including
PolicyServer, PolicyServer MMC, and the Endpoint Encryption agent software to the most current versions. This section also describes methods to migrate existing configurations to the most recent version of Endpoint Encryption.
WARNING!
Before upgrading the agent, make sure to first upgrade PolicyServer to version 6.0.
Endpoint Encryption 6.0 and later agents cannot communicate with PolicyServer 5.0 or earlier.
•
•
•
Topics include:
Upgrade Summary of Operations on page 7-3
Upgrading PolicyServer on page 7-6
7-1
Trend Micro Endpoint Encryption 6.0 Installation Guide
•
•
Upgrading Endpoint Encryption Agents on page 7-10
Migration Scenarios on page 7-14
7-2
Upgrade and Migration
Upgrade Summary of Operations
The following set of tasks are the recommended order for upgrading your environment.
Important
To avoid having endpoints lose connection to PolicyServer, make sure to upgrade
PolicyServer before upgrading the agents. The keys to access data encrypted on those endpoints may become inaccessible if you upgrade in the wrong order.
If an agent is unable to connect to PolicyServer after the upgrade, manually run the upgrade installer on the endpoint.
Procedure
1.
Review the new system requirements.
System Requirements on page 3-1
.
2.
Review the upgrade path for the currently installed PolicyServer and Endpoint
Encryption agents.
3.
Make sure that Endpoint Encryption 6.0 supports the upgrade.
Supported Agent Versions on page 7-10
.
4.
Upgrade PolicyServer.
Upgrading PolicyServer on page 7-6
5.
Optionally install or upgrade Control Manager and configure as necessary.
Control Manager Integration on page 5-1
6.
Optionally install or upgrade OfficeScan and configure as necessary.
See the OfficeScan Plug-in Online Help.
7.
Upgrade Endpoint Encryption agents.
7-3
Trend Micro Endpoint Encryption 6.0 Installation Guide
Upgrading Endpoint Encryption Agents on page 7-10
.
Upgrade Paths
The following table describes the upgrade path from each previous product version to version 6.0. Some older versions cannot upgrade directly to 6.0 and must first upgrade to a newer version of that product. For information about installing legacy versions of
Endpoint Encryption products, see the documentation available at: http://docs.trendmicro.com/en-us/enterprise/endpoint-encryption.aspx
Endpoint Encryption performs in-place upgrades when upgrading directly to version
6.0. For older versions of Endpoint Encryption that require multiple upgrades, you may need to perform reconfiguration for proper agent validation and PolicyServer synchronization.
Table 7-1.
Upgrade Paths
Product/Agent
PolicyServer
Full Disk Encryption
Version Upgrade Path
5.0 and later 5.0 → 6.0
3.1.3 SP1 3.1.3 SP1 → 6.0
3.1.3
3.1.2
3.1.3 → 6.0
3.1.2 → 5.0 → 6.0
5.0 and later 5.0 → 6.0
3.1.3 SP1 3.1.3 SP1 → 6.0
3.1.3
3.1.3 → 6.0
7-4
Upgrade and Migration
Product/Agent
MobileArmor Full Disk
Encryption Product
File Encryption
FileArmor
Encryption
Management for
Microsoft BitLocker
Encryption
Management for Apple
FileVault
OfficeScan Plug-in
Service (Full Disk
Encryption Deployment
Tool)
Control Manager widgets
5.0
5.0
5.0
Version Upgrade Path
3.1.2
SP7g
SP7-SP7f
3.1.2 → Full Disk Encryption 5.0 → Full Disk
Encryption 6.0
SP7g → 3.1.3 → Full Disk Encryption 5.0 →
Full Disk Encryption 6.0
SP7-SP7f → SP7g → 3.1.3 → Full Disk
Encryption 5.0 → Full Disk Encryption 6.0
5.0 and later 5.0 → 6.0
3.1.3 SP1 FileArmor 3.1.3 SP1 → File Encryption 5.0 →
File Encryption 6.0
3.1.3
3.0.14
FileArmor 3.1.3 → File Encryption 5.0 → File
Encryption 6.0
FileArmor 3.0.14 → FileArmor 3.1.3 → File
Encryption 5.0 → File Encryption 6.0
3.0.13
FileArmor 3.0.13 → FileArmor 3.1.3 → File
Encryption 5.0 → File Encryption 6.0
5.0 and later 5.0 → 6.0
5.0 → 6.0
5.0 → 6.0
5.0 → 6.0
7-5
Trend Micro Endpoint Encryption 6.0 Installation Guide
Upgrading PolicyServer
To gain access to new product features or to upgrade older agent software for improved endpoint security, administrators may need to upgrade the Endpoint Encryption
PolicyServer and all managed endpoints running any Endpoint Encryption agent. For policy synchronization and information security, make sure to always upgrade
PolicyServer before the Endpoint Encryption agents.
This section explains how to safely upgrade Endpoint Encryption, including
PolicyServer, PolicyServer MMC, and the Endpoint Encryption agent software to the most current versions. For more information, see
Upgrade Summary of Operations on page
WARNING!
Before upgrading the agent, make sure to first upgrade PolicyServer to version 6.0.
Endpoint Encryption 6.0 agents cannot communicate with PolicyServer 5.0 or earlier.
Upgrading PolicyServer
Upgrade PolicyServer to gain access to server enhancements and new security features available in the latest product version. During the upgrade, PolicyServer services are temporarily stopped. However, there is no interruption to Endpoint Encryption device access. Existing policy configurations are maintained.
Note
For information about fresh installs, see
Installing PolicyServer on page 4-4
.
WARNING!
For security reasons, legacy Endpoint Encryption agents cannot communicate directly with a PolicyServer instance residing in a different network. For information about configuring a web proxy, see
Traffic Forwarding Services for Legacy Agents on page 4-16
7-6
Upgrade and Migration
Procedure
1.
Verify that all system requirements are met.
PolicyServer System Requirements on page 3-2
.
2.
Stop the services “TMEEservice” and “PolicyServerWindowsService”.
3.
Run
PolicyServerInstaller.exe
The PolicyServer Installer opens.
4.
At the Product Legal Notice screen, read the license agreement and accept the terms by clicking Accept.
5.
Verify the PolicyServer version and then click Upgrade.
Make sure to follow the correct upgrade path for PolicyServer. For more information, see
.
6.
At the License Registration message, click OK to continue.
7.
At the Windows Service Logon screen, click Continue.
8.
At the Database Administrator Logon screen, provide the following in the
Primary Database section:
Option Description
Server
The Microsoft SQL Server host name (localhost) or IP address.
User name The user name with the sysadmin role for the specified Microsoft
SQL Server.
Password
The password for the sysadmin account.
Note
For environments with multiple SQL Server instances, append the SQL instance to the end of the database host name or IP address used. Use the following syntax to specify an instance:
<hostname_or_IP_address>\<database_instance>
7-7
Trend Micro Endpoint Encryption 6.0 Installation Guide
7-8
The installer verifies the database connection.
9.
At the PolicyServer Question message, do one of the following:
•
•
Click Yes to back up existing data
Click No to overwrite existing data
Tip
Trend Micro recommends backing up the existing data before performing the upgrade.
10. At the Endpoint Encryption Service screen, specify the following parameters:
Option
Port number
Description
Specify the port number that the PolicyServer MMC, Control
Manager and Endpoint Encryption 6.0 agents use to communicate with PolicyServer (default: 8080).
Note
In environments with legacy agents, Trend Micro recommends using port 8080 for the Admin Web Service and port 80 for the Client Web Service. The port number must be a positive integer between 1 and 65535.
Automatically generate a new self-signed certificate
Select this option if no certificate is available. The installer generates a certificate for encrypted communication.
Specify an existing certificate
Select this option to use a specific certificate. There are no limitations or requirements for specifying an existing certificate except that the certificate is correctly formatted.
11. At the Legacy Agent Service screen, select the location that legacy Endpoint
Encryption agents (version 3.1.3 and below) use to communicate with PolicyServer, then click Continue.
12. Click Yes to install PolicyServer MMC.
Upgrade and Migration
WARNING!
The PolicyServer installer can automatically install a version of PolicyServer MMC that supports the management of the product. PolicyServer 6.0 does not support older versions of PolicyServer MMC. Only click No if another endpoint with
PolicyServer MMC 6.0 installed manages PolicyServer.
The installation process begins.
13. At the PolicyServer Installation message, click OK.
14. Click Finished.
15. From the PolicyServer Installer window, click Exit.
Upgrading Multiple PolicyServer Services Connected to the Same Database
Only one PolicyServer can perform the database upgrade at a time.
Procedure
1.
Stop the services “TMEEservice” and “PolicyServerWindowsService” on all
PolicyServer instances except the one to upgrade.
a.
Go to Start > Administrative Tools > Services.
b.
Right-click PolicyServer Windows Service and then select Stop.
2.
Perform the upgrade on the active server.
Upgrading PolicyServer on page 7-6
3.
After the upgrade completes and the database replicates, run the upgrade on the remaining PolicyServer instances.
7-9
Trend Micro Endpoint Encryption 6.0 Installation Guide
Upgrading PolicyServer MMC
Note
For improved security measures, legacy versions of the PolicyServer MMC cannot manage
PolicyServer 6.0. Upgrading the PolicyServer MMC is required.
Procedure
1.
Uninstalling the PolicyServer MMC on page 8-7
.
2.
Installing PolicyServer MMC on page 4-8
.
Upgrading Endpoint Encryption Agents
To gain access to new product features or to upgrade older agent software for improved endpoint security, administrators may need to upgrade the Endpoint Encryption
PolicyServer and all managed endpoints running any Endpoint Encryption agent. For policy synchronization and information security, make sure to always upgrade
PolicyServer before the Endpoint Encryption agents.
This section explains how to safely upgrade Endpoint Encryption, including
PolicyServer, PolicyServer MMC, and the Endpoint Encryption agent software to the most current versions.
WARNING!
Before upgrading the agent, make sure to first upgrade PolicyServer to version 6.0.
Endpoint Encryption 6.0 agents cannot communicate with PolicyServer 5.0 or earlier.
Supported Agent Versions
Although PolicyServer supports policy management for all agents, older agents cannot register as a new device in PolicyServer 6.0 or Control Manager. The following table explains which legacy versions can register as a new device. Trend Micro recommends using the newest versions of all agents.
7-10
Upgrade and Migration
Table 7-2. Supported Legacy Agents for New Devices
Agent Version
Can Register as a New
Device
Full Disk
Encryption
MobileArmor Full
Disk Encryption
Product
File Encryption
5.0 Patch 3
5.0 Patch 2
5.0 Patch 1
5.0
3.1.3 SP1
3.1.3
3.1.2
SP7g
FileArmor
Encryption
Management for
Microsoft BitLocker
5.0 Patch 3
5.0 Patch 2
5.0 Patch 1
5.0
3.1.3
3.0.14
3.0.13
5.0 Patch 3
5.0 Patch 2
5.0 Patch 1
5.0
Policies Supported
7-11
Trend Micro Endpoint Encryption 6.0 Installation Guide
Agent Version
Encryption
Management for
Apple FileVault
DriveArmor
KeyArmor
5.0 Patch 3
5.0 Patch 2
5.0 Patch 1
5.0
3.0
3.02
Can Register as a New
Device
Policies Supported
*
Note
*Only supported on PolicyServer upgrades from Endpoint Encryption 3.1.2 or 3.1.3
Upgrading Full Disk Encryption
Use the Full Disk Encryption installer to upgrade the agent from Full Disk Encryption
3.1.3 SP1 to Full Disk Encryption 6.0. For previous versions of Full Disk Encryption, see the associated documentation available at: http://docs.trendmicro.com/en-us/enterprise/endpoint-encryption.aspx
Procedure
1.
Verify that your current version upgrades directly to 6.0.
If your version does not directly upgrade to the latest version, contact Trend Micro support to assist you with your upgrade.
2.
Copy the installation package to the local hard drive.
3.
Run
TMFDEInstall.exe
.
7-12
Upgrade and Migration
Note
If the User Account Control windows displays, click Yes to allow the installer to make changes to the Endpoint Encryption device.
The upgrade process begins.
WARNING!
Do not shut down or restart the endpoint or put the endpoint to sleep, as these actions may interrupt the upgrade process. If upgrade is interrupted, at the next system start, you may be unable to access or log on the Full Disk Encryption preboot.
4.
When the upgrade completes, restart the endpoint.
Upgrading File Encryption
•
Before you begin
File Encryption System Requirements on page 3-11
• Review
Use
FileEncryptionIns.exe
to upgrade the agent from a previous version.
Note
FileEncryptionIns.exe
overrides the Allow User to Uninstall policy and upgrades whether the policy is set to Yes or No.
Procedure
1.
Run
FileEncryptionIns.exe
.
Windows installer uninstalls the older File Encryption agent (FileArmor) and then installs File Encryption 6.0.
7-13
Trend Micro Endpoint Encryption 6.0 Installation Guide
2.
Wait for the endpoint to restart.
3.
After Windows loads, log on and check the new File Encryption folder. Encrypted files and folders are maintained.
Upgrading Encryption Management for Apple FileVault
The process for upgrading is the same as it is for installation. Make sure to have the
PolicyServer information available.
•
Procedure
Installing the Encryption Management for Apple FileVault Agent on page 6-26
.
Upgrading Encryption Management for Microsoft
BitLocker
Procedure
1.
Uninstalling Encryption Management for Microsoft BitLocker on page 8-4
2.
Wait for endpoint decryption to complete. The user can use the endpoint as usual.
3.
Complete Encryption Management for Microsoft BitLocker at
Encryption Management for Microsoft BitLocker Agent on page 6-17
.
Migration Scenarios
Administrators may need to migrate Endpoint Encryption devices when employees move to a different department or office location. Each PolicyServer instance supports one Enterprise configuration that may represent a business unit or department.
7-14
Upgrade and Migration
Moving to a new Enterprise adds the Endpoint Encryption device to the new
Enterprise within the same PolicyServer instance. The Endpoint Encryption remains in the old Enterprise until removed.
Moving to a new PolicyServer changes the network configuration in the Endpoint
Encryption agent to point to the new PolicyServer instance.
Replacing a Previously Installed Encryption Product
Full Disk Encryption can be installed on a device that was previously encrypted with a different full disk encryption product. As most encryption software modifies every sector on a hard drive, it is critical to test the disk preparation process and deployment strategy. Depending on the time required to decrypt a device and encrypt with Full Disk
Encryption, it may be as simple as backing up user data and re-imaging the endpoint before installing Full Disk Encryption.
Option 1: Remove Previous Encryption Product
Procedure
1.
Decrypt the disk using the defined method as provided by the software vendor.
2.
Uninstall the previously installed vendor’s software (or verify BitLocker is disabled).
3.
Reboot the device.
4.
Run chkdsk
and defragment the drive.
5.
Check each device for a Normal Master Boot Record (MBR) and confirm that a
Normal Boot Sector is present on the boot partition.
Note
The device cannot be a dual-boot machine.
6.
Back up user files.
7-15
Trend Micro Endpoint Encryption 6.0 Installation Guide
7.
Install Full Disk Encryption. For more information, see
.
Option 2: Back Up and Re-image the Endpoint
Procedure
1.
Backup user files.
2.
Re-image the drive: a.
From a command prompt, run
DiskPart Clean All
.
b.
Create a partition.
c.
Format the drive.
d.
Image the drive.
3.
Install Full Disk Encryption and encrypt the endpoint.
4.
Restore user files.
Migrating Full Disk Encryption to a New Enterprise
One PolicyServer instance may have multiple Enterprise configurations that each represent a business unit or department. Moving to a new Enterprise removes the
Endpoint Encryption device from the old Enterprise and adds the Endpoint Encryption device to the new Enterprise within the same PolicyServer instance. The Full Disk
Encryption agent may need to move to a new Enterprise when the employee moves to a different department or office location.
Note
For information about changing the PolicyServer that manages the Full Disk Encryption
Changing the Full Disk Encryption PolicyServer on page 7-19
Changing the Enterprise requires access to Full Disk Encryption Recovery Console. For more information, see Recovery Console in the Endpoint Encryption Administrator's Guide.
7-16
Upgrade and Migration
WARNING!
Changing the Enterprise requires configuring policies again, recreating groups, and deletes all cached passwords, password history, and audit logs.
Procedure
1.
Click Network Setup.
2.
Select the PolicyServer tab.
3.
Click Change Enterprise.
The Change Enterprise screen appears.
Figure 7-1.
Recovery Console Change Enterprise
4.
Configure the following options:
7-17
Trend Micro Endpoint Encryption 6.0 Installation Guide
Option Description
New Server User
Specify a Group Administrator account user name, or user name of account with permission to install to the group in the new PolicyServer.
New User Password
Specify the password for the Enterprise Administrator account.
New Server Address Specify the new PolicyServer IP address or host name.
New Enterprise
Specify the new PolicyServer Enterprise.
5.
Click Save.
Full Disk Encryption validates the new PolicyServer information.
6.
At the confirmation message, click OK.
Note
Restart the Full Disk Encryption agent to update the encryption status displayed in
PolicyServer MMC and Control Manager.
Migrating Agents to a New PolicyServer
This section explains how to change the PolicyServer that controls Endpoint Encryption agent policies. The Endpoint Encryption agent may need to migrate to a different
PolicyServer if the endpoint moves to another department that is managed by a different
PolicyServer instance or when there are network factors that required PolicyServer to change its IP address or host name. After migrating to the new PolicyServer, the endpoint registers as a new Endpoint Encryption device in the new PolicyServer database and the previously registered Endpoint Encryption device is removed from the old PolicyServer database.
7-18
Upgrade and Migration
Changing the Full Disk Encryption PolicyServer
Note
Changing the PolicyServer requires access to Full Disk Encryption Recovery Console.
Procedure
1.
Start or restart the endpoint.
The Full Disk Encryption preboot appears.
2.
Select the Recovery Console check box.
3.
Specify Endpoint Encryption user account credentials.
Note
By default, only Administrator and Authenticator accounts may access the Recovery
Console. To allow other users to access the Recovery Console, enable user recovery from your management console.
4.
Click Login.
The Recovery Console opens.
5.
Go to Network > Setup.
6.
Select the PolicyServer tab.
7.
Click Change Server.
8.
At the warning message, click Yes.
9.
Specify the new server address.
10. Click Save.
7-19
Trend Micro Endpoint Encryption 6.0 Installation Guide
Changing the Encryption Management for Apple FileVault
PolicyServer
For information about why Endpoint Encryption agents may need to change the
PolicyServer that manages policies, see
Migrating Agents to a New PolicyServer on page 7-18
Procedure
1.
Uninstall the Encryption Management for Apple FileVault agent.
Uninstalling Encryption Management for Apple FileVault on page 8-3
.
2.
Wait for the hard drive decryption to complete. The user can use the endpoint as usual.
3.
Remove the device from the old PolicyServer.
a.
Log on to PolicyServer MMC.
b.
Right-click the Endpoint Encryption device, and then select Remove Device.
c.
Click Yes to confirm.
For more information about removing Endpoint Encryption devices, see the
Endpoint Encryption Administrator's Guide.
4.
Follow the fresh install instructions to reinstall Encryption Management for Apple
FileVault at
Installing the Encryption Management for Apple FileVault Agent on page 6-26
Make sure to specify the new PolicyServer credentials.
5.
To confirm the migration, go to either the Control Manager Endpoint Encryption
Devices widgets or log on the PolicyServer MMC that manages the new
PolicyServer.
7-20
Changing the Encryption Management for Microsoft
BitLocker PolicyServer
For information about why Endpoint Encryption agents may need to change the
PolicyServer that manages policies, see
Migrating Agents to a New PolicyServer on page 7-18
Upgrade and Migration
Procedure
1.
Uninstall the Encryption Management for Microsoft BitLocker agent.
Uninstalling Encryption Management for Microsoft BitLocker on page 8-4
2.
Wait for the hard drive decryption to complete. The user can use the endpoint as usual.
3.
Remove the device from the old PolicyServer.
a.
Log on to PolicyServer MMC.
b.
Right-click the Endpoint Encryption device, and then select Remove Device.
c.
Click Yes to confirm.
For more information about removing Endpoint Encryption devices, see the
Endpoint Encryption Administrator's Guide.
4.
Follow the fresh install instructions to reinstall Encryption Management for
Installing the Encryption Management for Microsoft BitLocker Agent on page 6-17
. Make sure to specify the new PolicyServer credentials.
5.
To confirm the migration, go to either the Control Manager Endpoint Encryption
Devices widgets or log on the PolicyServer MMC that manages the new
PolicyServer.
Changing the File Encryption PolicyServer
For information about why Endpoint Encryption agents may need to change the
PolicyServer that manages policies, see
Migrating Agents to a New PolicyServer on page 7-18
Procedure
1.
Right-click the File Encryption tray icon and select About File Encryption.
2.
Click Edit PolicyServer.
3.
Specify the new PolicyServer IP address or host name and then click OK.
7-21
Chapter 8
Uninstallation
The following section explains how to manually uninstall PolicyServer or Endpoint
Encryption agents.
•
•
When uninstalling Endpoint Encryption, uninstall all Endpoint Encryption agents first, and then uninstall PolicyServer.
•
Topics include:
Uninstalling Endpoint Encryption Agents on page 8-2
Uninstalling PolicyServer on page 8-7
Uninstalling the Endpoint Encryption Proxy on page 8-9
8-1
Trend Micro Endpoint Encryption 6.0 Installation Guide
Uninstalling Endpoint Encryption Agents
During an upgrade, some Endpoint Encryption agents require first manually uninstalling the old Endpoint Encryption agent software. If the Endpoint Encryption agent software is malfunctioning in some way, uninstalling and reinstalling the Endpoint Encryption agent software may solve the problem.
The following section explains how to manually uninstall the Endpoint Encryption agent software or use OfficeScan to deploy the uninstallation command simultaneously to multiple managed endpoints.
Manually Uninstalling Endpoint Encryption Agents
The following section explains how to manually uninstall Endpoint Encryption agents using the program installer. Uninstalling the Endpoint Encryption agent software may be a necessary step to resolve a problem or to upgrade the Endpoint Encryption agent software.
Uninstalling Full Disk Encryption
During an upgrade, some Endpoint Encryption agents require first manually uninstalling the old Endpoint Encryption agent software. If the Endpoint Encryption agent software is malfunctioning in some way, uninstalling and reinstalling the Endpoint Encryption agent software may solve the problem.
To uninstall Endpoint Encryption agents, the user account must have uninstallation rights within the group or policy that the Endpoint Encryption devices are registered to and have local administrator rights.
Procedure
1.
From Windows, go to
C:\Program Files\Trend Micro\Full Disk
Encryption
and run TMFDEUninstall.exe.
Note
If prompted by User Account Control, click Yes.
8-2
Uninstallation
The Full Disk Encryption Uninstall window opens.
2.
Click Next.
Full Disk Encryption begins to uninstall.
3.
Click OK to confirm hard drive decryption.
To view decryption status, open Full Disk Encryption from the system tray.
WARNING!
Do not shut down or restart the endpoint or put the endpoint to sleep, as these actions may interrupt the decryption process. If decryption is interrupted, some data may become corrupted.
4.
When decryption completes, click OK.
5.
Run
TMFDEUninstall.exe
again to complete uninstallation.
6.
Restart the endpoint.
The device record is not automatically removed and must be manually removed from PolicyServer.
Uninstalling Encryption Management for Apple FileVault
Uninstalling the Encryption Management for Apple FileVault agent requires access to the Mac OS X Terminal application.
For information about installing Encryption Management for Apple FileVault, see
Encryption Management for Apple FileVault Installation on page 6-26
To uninstall Endpoint Encryption agents, the user account must have uninstall rights within the group or policy that the Endpoint Encryption devices are registered to and have local administrator rights.
Tip
Any User or Group Authenticator can run the uninstaller if the policy Full Disk
Encryption > Agent > Allow User to Uninstall = Yes.
8-3
Trend Micro Endpoint Encryption 6.0 Installation Guide
8-4
Procedure
1.
Go to Applications > Utilities and double-click Terminal.
The Terminal window appears.
2.
Type cd /Library/Application Support/TrendMicro/FDEMM
3.
Type sudo ./Uninstaller
During automated uninstallations on Mac OS X Yosemite, the user must confirm that they want to restart the endpoint if the the device requires decryption before uninstallation. To automate this confirmation, users can append the parameter
RebootWithoutConfirm
.
The following is an example command that automates restart confirmation: sudo ./Uninstaller RebootWithoutConfirm
The agent uninstalls in the background.
4.
Restart the endpoint to complete the uninstallation.
Uninstalling Encryption Management for Microsoft
BitLocker
Use Windows Add or Remove Programs to uninstall Encryption Management for
Microsoft BitLocker.
Note
To uninstall Endpoint Encryption agents, the user account must have uninstall rights within the group or policy that the Endpoint Encryption devices are registered to and have local administrator rights.
Tip
Any User or Group Authenticator can run the uninstaller in Windows if the policy Full
Disk Encryption > Agent > Allow User to Uninstall = Yes.
Uninstallation
Procedure
1.
Go to Start > Settings > Control Panel > Add or Remove Programs
The Add or Remove Programs window appears.
2.
Select Encryption Management for Microsoft BitLocker from the list of installed programs.
3.
Click Remove.
4.
At the Add or Remove Programs message, click Yes to confirm.
The uninstall process completes when the program is removed from the list.
Uninstalling File Encryption
Use Windows Add or Remove Programs to uninstall File Encryption.
Note
To uninstall Endpoint Encryption agents, the user account must have uninstall rights within the group or policy that the Endpoint Encryption devices are registered to and have local administrator rights.
Tip
Any User or Group Authenticator can run the uninstaller in Windows if the policy Full
Disk Encryption > Agent > Allow User to Uninstall = Yes.
•
•
Note
Set the Policies > File Encryption > Computer > Allow User to Uninstall to Yes to allow any User or Group Authenticator to run the uninstaller in Windows.
Save and close all documents before starting the uninstall process. A reboot is required when the uninstaller completes.
8-5
Trend Micro Endpoint Encryption 6.0 Installation Guide
WARNING!
Decrypt all encrypted files before uninstalling File Encryption. Otherwise, they will become unreadable.
Procedure
1.
Log on to File Encryption with an account that has permission to uninstall File
Encryption.
2.
Open the Windows Start Menu and go to Control Panel > Programs >
Uninstall a Program.
3.
Select File Encryption from the list and then click Uninstall.
Using OfficeScan to Uninstall Endpoint Encryption
Agents
During an upgrade, some Endpoint Encryption agents require first manually uninstalling the old Endpoint Encryption agent software. If the Endpoint Encryption agent software is malfunctioning in some way, uninstalling and reinstalling the Endpoint Encryption agent software may solve the problem.
This procedure explains how to uninstall Endpoint Encryption agents using the
OfficeScan Endpoint Encryption Deployment Tool plug-in.
Procedure
1.
Select the Endpoint Encryption device.
Note
To select multiple Endpoint Encryption devices, hold SHIFT and select applicable endpoints.
2.
Click Uninstall and select the appropriate Endpoint Encryption agent from the drop-down list.
8-6
Uninstallation
3.
Click OK to confirm the deployment.
The Endpoint Encryption agent uninstall command is deployed.
4.
The Endpoint Encryption agent uninstallation is complete when OfficeScan displays the confirmation message.
Note
All future deployment commands fail if the Endpoint Encryption device is not restarted after the uninstall command is initiated and completes.
If uninstallation is unable to complete, manually uninstall the agent. See the Endpoint
Encryption Installation Guide.
When uninstallation completes, the Endpoint Encryption agent is removed and the product folder is deleted from the endpoint.
Uninstalling PolicyServer
The following section explains how to uninstall PolicyServer. A common use case for uninstalling PolicyServer is that incorrect information was specified when PolicyServer was installed.
Uninstalling the PolicyServer MMC
Use Windows Add or Remove Programs to uninstall the PolicyServer MMC.
Note
Uninstalling the PolicyServer MMC does not affect the PolicyServer database and services.
Procedure
1.
Go to Start > Settings > Control Panel > Add or Remove Programs
The Add or Remove Programs window appears.
8-7
Trend Micro Endpoint Encryption 6.0 Installation Guide
2.
Select PolicyServer from the list of installed programs.
3.
Click Remove.
4.
At the Add or Remove Programs message, click Yes to confirm.
The uninstall process completes when the program is removed from the list.
Uninstalling PolicyServer
Uninstalling PolicyServer removes all Endpoint Encryption services. The Endpoint
Encryption database is not affected by uninstalling PolicyServer.
WARNING!
Although uninstalling PolicyServer does not affect the Endpoint Encryption database, uninstalling PolicyServer removes all Endpoint Encryption services. Endpoint Encryption users are unable to log on to Endpoint Encryption devices until PolicyServer is reinstalled.
Procedure
1.
Run
PolicyServerInstaller.exe
The PolicyServer Installer opens.
2.
At the Product Legal Notice screen, read the license agreement and accept the terms by clicking Accept.
3.
At the PolicyServer Services screen, click Uninstall at the left.
The PolicyServer uninstallation begins.
4.
Wait for the PolicyServer uninstalling process to remove all services and database settings.
5.
Click Finished.
6.
Restart the server.
7.
Optionally, reinstall PolicyServer.
8-8
Uninstallation
Installing PolicyServer on page 4-4
.
Uninstalling the Endpoint Encryption Proxy
Uninstall the Endpoint Encryption Proxy using the Endpoint Encryption Proxy installer.
Procedure
1.
Download or locate the Endpoint Encryption Proxy installer on the endpoint with the Endpoint Encryption Proxy installed.
2.
Run
TMEEProxyInstaller.exe
with administrator privileges.
The Endpoint Encryption Proxy installer detects that the Endpoint Encryption
Proxy is already installed. A message appears that asks whether you would like to uninstall the proxy, or reinstall or upgrade the proxy.
3.
Click Yes to uninstall the proxy.
The Endpoint Encryption Proxy uninstalls the Client Web Service and the
TMEEForward service.
4.
After the services have been successfully uninstalled, click Finish.
8-9
Technical Support
•
•
•
•
Learn about the following topics:
Troubleshooting Resources on page 9-2
Contacting Trend Micro on page 9-3
Sending Suspicious Content to Trend Micro on page 9-4
Chapter 9
9-1
Trend Micro Endpoint Encryption 6.0 Installation Guide
Troubleshooting Resources
Before contacting technical support, consider visiting the following Trend Micro online resources.
Using the Support Portal
The Trend Micro Support Portal is a 24x7 online resource that contains the most up-todate information about both common and unusual problems.
Procedure
1.
Go to http://esupport.trendmicro.com
.
2.
Select from the available products or click the appropriate button to search for solutions.
3.
Use the Search Support box to search for available solutions.
4.
If no solution is found, click Contact Support and select the type of support needed.
Tip
To submit a support case online, visit the following URL: http://esupport.trendmicro.com/srf/SRFMain.aspx
A Trend Micro support engineer investigates the case and responds in 24 hours or less.
Threat Encyclopedia
Most malware today consists of blended threats, which combine two or more technologies, to bypass computer security protocols. Trend Micro combats this complex malware with products that create a custom defense strategy. The Threat Encyclopedia
9-2
Technical Support
•
•
•
•
• provides a comprehensive list of names and symptoms for various blended threats, including known malware, spam, malicious URLs, and known vulnerabilities.
Go to http://about-threats.trendmicro.com/us/threatencyclopedia#malware to learn more about:
Malware and malicious mobile code currently active or "in the wild"
Correlated threat information pages to form a complete web attack story
Internet threat advisories about targeted attacks and security threats
Web attack and online trend information
Weekly malware reports
Contacting Trend Micro
•
•
In the United States, Trend Micro representatives are available by phone or email:
Address
Phone
Website
Email address
Trend Micro, Incorporated
225 E. John Carpenter Freeway, Suite 1500
Irving, Texas 75062 U.S.A.
Phone: +1 (817) 569-8900
Toll-free: (888) 762-8736 http://www.trendmicro.com
Worldwide support offices: http://www.trendmicro.com/us/about-us/contact/index.html
Trend Micro product documentation: http://docs.trendmicro.com
9-3
Trend Micro Endpoint Encryption 6.0 Installation Guide
Speeding Up the Support Call
•
•
•
•
•
•
•
•
•
To improve problem resolution, have the following information available:
Steps to reproduce the problem
Appliance or network information
Computer brand, model, and any additional connected hardware or devices
Amount of memory and free hard disk space
Operating system and service pack version
Version of the installed agent
Serial number or Activation Code
Detailed description of install environment
Exact text of any error message received
Sending Suspicious Content to Trend Micro
Several options are available for sending suspicious content to Trend Micro for further analysis.
Email Reputation Services
Query the reputation of a specific IP address and nominate a message transfer agent for inclusion in the global approved list: https://ers.trendmicro.com/
Refer to the following Knowledge Base entry to send message samples to Trend Micro: http://esupport.trendmicro.com/solution/en-US/1112106.aspx
9-4
Technical Support
File Reputation Services
Gather system information and submit suspicious file content to Trend Micro: http://esupport.trendmicro.com/solution/en-us/1059565.aspx
Record the case number for tracking purposes.
Web Reputation Services
Query the safety rating and content type of a URL suspected of being a phishing site, or other so-called "disease vector" (the intentional source of Internet threats such as spyware and malware): http://global.sitesafety.trendmicro.com/
If the assigned rating is incorrect, send a re-classification request to Trend Micro.
Other Resources
In addition to solutions and support, there are many other helpful resources available online to stay up to date, learn about innovations, and be aware of the latest security trends.
Download Center
From time to time, Trend Micro may release a patch for a reported known issue or an upgrade that applies to a specific product or service. To find out whether any patches are available, go to: http://www.trendmicro.com/download/
If a patch has not been applied (patches are dated), open the Readme file to determine whether it is relevant to your environment. The Readme file also contains installation instructions.
9-5
Trend Micro Endpoint Encryption 6.0 Installation Guide
Documentation Feedback
Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please go to the following site: http://www.trendmicro.com/download/documentation/rating.asp
9-6
Index
A
about
Legacy Web Service,
PolicyServer,
administration agent considerations,
agents,
C
checklist
Command Builder,
for Encryption Management for Apple
for File Encryption,
Command Line Installer Helper,
D
deployment end users,
examples,
E
editing managed servers,
encryption project planning,
Encryption Management for Apple
FileVault change,
Encryption Management for Microsoft
BitLocker change,
F
File Encryption change,
uninstalling,
Full Disk Encryption change,
changing enterprises,
scripts,
policies,
IN-1
Trend Micro Endpoint Encryption 6.0 Installation Guide
replacing another product,
uninstalling,
G
GPO,
H
I
installation checklist,
Encryption Management for Apple
Encryption Management for Microsoft
File Encryption,
Full Disk Encryption,
PolicyServer,
PolicyServer databases,
PolicyServer web services,
security infrastructure checklist,
L
LANDesk,
M
Active Directory,
PolicyServer,
managed server list editing servers,
Microsoft SMS,
migration
Control Manager,
migrations agents,
O
OfficeScan
OPAL,
P
policy management editing managed servers,
PolicyServer
AD synchronization,
installation database,
installation process,
installation requirements,
requirements
system requirements
uninstallation
upgrades database,
upgrading the PolicyServer MMC,
PolicyServer MMC
IN-2
Index
authentication,
groups
users
allow to install,
proxy options,
R
Recovery Console changing enterprises,
changing PolicyServer,
S
SCCM,
scripts
Encryption Management for Apple
File Encryption,
Full Disk Encryption,
Seagate DriveTrust drives,
support resolve issues faster,
supported agents,
system requirements
Encryption Management for Apple
Encryption Management for Microsoft
File Encryption,
Full Disk Encryption,
PolicyServer,
T
tools,
Command Builder,
trial license,
U
uninstall,
File Encryption,
Full Disk Encryption,
database,
uninstalling agents,
upgrade agents,
PolicyServer,
PolicyServer web services,
upgrades agents,
File Encryption,
Full Disk Encryption,
PolicyServer,
PolicyServer databases,
summary,
users adding new user to group,
IN-3
Trend Micro Endpoint Encryption 6.0 Installation Guide
V
VMware Virtual Infrastructure,
IN-4
advertisement
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project