Full Disk
Policy Administrator Guide
Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. GuardianEdge and Authenti-Check are either trademarks or registered trademarks of GuardianEdge Technologies Inc. (now part of Symantec). Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 “Commercial Computer Software - Restricted Rights” and DFARS 227.7202, et seq. “Commercial Computer Software and Commercial Computer Software Documentation”, as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation 350 Ellis Street
Contents
1. Introduction . . . 1
Overview. . . 1
Directory Service Synchronization . . . 2
Active Directory and Native Policies . . . 2
Manager Console . . . 3
Basics . . . 3
Database Access . . . 3
Endpoint Containers . . . 4
Symantec Endpoint Encryption Roles . . . 5
Policy Administrators . . . 5
Client Administrators . . . 5
User . . . 6
2. Reporting . . . 8
Overview . . . 8
Basics . . . 8
Client Computers Data Available from Users and Computers and Basic Reports . . . 8
Directory Services Synchronization Data . . . 12
Admin Log Data . . . 12
Client Events Data . . . 15
Device Exemptions Report Data . . . 15
Server Commands Data . . . 15
Symantec Endpoint Encryption Users and Computers. . . 16
Symantec Endpoint Encryption Reports. . . 16
Basics . . . 16
Active Directory Forests Synchronization Status . . . 16
Client Events . . . 16
Computer Status Report . . . 16
Computers not Encrypting to Removable Storage . . . 17
Computers with Decrypted Drives . . . 17
Computers with Expired Certificates . . . 17
Computers with Specified Users . . . 17
Computers without Full Disk Installed . . . 17
Computers without Removable Storage Installed . . . 17
Device Exemptions Report . . . 18
Framework Deployment . . . 18
Full Disk Client Deployment . . . 18
Non-Reporting Computers . . . 18
Novell eDirectory Synchronization Status . . . 18
Opal Endpoints . . . 18
Percentage of Encrypted Endpoints . . . 18
Removable Storage Client Deployment Report . . . 18
Removable Storage Details Report . . . 18
Removable Storage Password Aging Report . . . 18
Custom Reports . . . 19
Server Commands. . . 19
Basics . . . 19
Policy Administrator Guide Contents
Decrypt Drive . . . 19
Encrypt Drive . . . 19
Resultant Set of Policy (RSoP) . . . 20
Windows System Events . . . 22
3. Policy Creation & Editing . . . 23
Overview. . . 23
Active Directory Policies . . . 23
Native Policies . . . 24
Policy Options . . . 24
Client Administrators . . . 24
Registered Users . . . 26
Password Authentication . . . 28
Token Authentication . . . 30
Authentication Message . . . 30
Communication . . . 30
Single Sign-On . . . 30
Authenti-Check . . . 30
One-Time Password . . . 31
Startup . . . 32
Logon History . . . 32
Autologon . . . 32
Remote Decryption . . . 36
Client Monitor . . . 36
Local Decryption . . . 37
4. Policy Deployment . . . 38
Overview . . . 38
Active Directory Policies . . . 38
Basics . . . 38
Order of Precedence . . . 38
Forcing a Policy Update . . . 38
Native Policies . . . 39
Basics . . . 39
Symantec Endpoint Encryption Managed Computer Groups . . . 39
Policy Assignment . . . 41
Order of Precedence . . . 43
Forcing a Policy Update . . . 43
5. Encrypting/Decrypting Drives on Fixed Disks . . . 44
Overview. . . 44
Issuing a Command . . . 44
Encrypting/Decrypting All Fixed Disk Drives on All Computers in a Group . . . 44
Encrypting/Decrypting All Fixed Disk Drives on a Computer . . . 45
Encrypting/Decrypting One or More Fixed Disk Drives on a Computer . . . 46
Forcing a Command to Execute . . . 47
Cancelling a Pending Command. . . 48
Basics . . . 48
6. Endpoint Support . . . 51
The Management Password . . . 51
Basics . . . 51
Changing the Management Password . . . 51
One-Time Password Program . . . 52
Basics . . . 52
Launch . . . 52
Management Password . . . 53
Method . . . 53
Error Messages . . . 58
Whole Disk Recovery Token (WDRT) . . . 59
Basics . . . 59
Launch . . . 59
Management Password . . . 60
User Identity . . . 60
Token . . . 61
Hard Disk Recovery for Windows Computers . . . 61
Basics . . . 61
Recover DAT File Generation . . . 62
Appendix A. System Event Logging . . . 65
Basics . . . 65
Framework System Events List . . . 65
Full Disk System Events List . . . 81
Appendix B. Authentication Method Changes . . . 90
Overview. . . 90
User Experience . . . 90
Appendix C. Policy Settings Honored by Mac Clients . . . 91
Glossary . . . 92
Figures
Figure 1.1—Sample Network Configuration . . . 1
Figure 1.2—SQL Server Logon Prompt . . . 4
Figure 2.1—Group Policy Results Wizard, User Selection . . . 20
Figure 2.2—RSoP Report From a Symantec Endpoint Encryption Client . . . 21
Figure 3.1—Framework Computer Policy, Client Administrators Options . . . 24
Figure 3.2—Add New Client Administrator Dialog . . . 25
Figure 3.3—Framework Computer Policy, Registered Users Options . . . 26
Figure 3.4—Framework Computer Policy, Password Authentication Options . . . 28
Figure 3.5—Framework Computer/User Policy, Authenti-Check Options . . . 30
Figure 3.6—Framework Computer/User Policy, One-Time Password Options . . . 31
Figure 3.7—Full Disk Computer Policy, Startup Options . . . 32
Figure 3.8—Full Disk Computer Policy, Autologon Options . . . 34
Figure 3.9—Full Disk Computer Policy, Client Monitor Options . . . 36
Figure 4.1—Symantec Endpoint Encryption Managed Computers, Add New Group . . . 40
Figure 4.2—Name New Group Dialog . . . 40
Figure 4.3—SEE Unassigned, Computer Highlighted . . . 41
Figure 4.4—Symantec Endpoint Encryption Managed Computers Groups Dialog . . . 41
Figure 4.5—Symantec Endpoint Encryption Managed Computers Group Selected . . . 42
Figure 4.6—Policy Selection Dialog . . . 42
Figure 4.7—Native Policy Assignment Confirmation . . . 42
Figure 4.8—Symantec Endpoint Encryption Managed Computers Policy Assigned . . . 43
Figure 5.1—Encrypt/Decrypt All Drives on All Computers Within a Group . . . 45
Figure 5.2—Encrypt/Decrypt All Drives on a Computer . . . 46
Figure 5.3—Encrypt/Decrypt One or More Drives on a Computer’s Fixed Disk . . . 47
Figure 5.4—Before Cancelling Encryption or Decryption, Check the Potential Effect . . . 48
Figure 5.5—Cancelling a Command for All Endpoints . . . 49
Figure 5.6—Cancelling a Command for One Endpoint . . . 50
Figure 6.1—Management Password Snap-in . . . 51
Figure 6.2—Management Password Changed, Confirmation Message . . . 52
Figure 6.3—One-Time Password, Management Password . . . 53
Figure 6.4—One-Time Password, Method Selection, Online . . . 54
Figure 6.5—One-Time Password, Online Method, Identifying Information . . . 54
Figure 6.6—One-Time Password, Online Method, Response Key . . . 55
Figure 6.7—One-Time Password, Method Selection, Offline . . . 56
Figure 6.8—One-Time Password, Offline Challenge Key . . . 56
Figure 6.9—One-Time Password, Offline Response Key . . . 57
Figure 6.10—One-Time Password, User Record Not Found . . . 58
Figure 6.11—One-Time Password, Invalid Code Synchronization . . . 58
Figure 6.12—Whole Disk Recovery Token Program, Management Password . . . 60
Figure 6.13—Whole Disk Recovery Token Program, Identify User . . . 60
Figure 6.14—Whole Disk Recovery Token Program, Token Characters . . . 61
Figure 6.15—Manager Console, Computer in Need of Recovery Highlighted . . . 62
Figure 6.16—Management Password Prompt . . . 63
Figure 6.17—Recovery Password Prompt . . . 63
Figure 6.18—Recovery Data Export Dialog . . . 64
Tables
Table 1.1—Active Directory and Native Policies Compared . . . 2
Table 2.1—Client Computer Data Available from Main Window of Users and Computers and Basic Reports . . . 8
Table 2.2—Client Computer Data Available from Computer Info Tab . . . 9
Table 2.3—Client Computer Data Available from Framework Tab . . . 10
Table 2.4—Client Computer Data Available from Full Disk Tab . . . 10
Table 2.5—Client Computer Data Available from Associated Users Tab . . . 11
Table 2.6—Fixed Drives Data . . . 11
Table 2.7—Server Commands Data . . . 12
Table 2.8—Directory Services Synchronization Data . . . 12
Table 2.9—Admin Log Data . . . 13
Table 2.10—Client Log Data . . . 15
Table 2.11—Command History, Decrypt Drive, and Encrypt Drive Snap-In Data . . . 15
Table 2.12—Command Assignment Details . . . 15
Table 2.13—Symantec Endpoint Encryption Version Numbers and Equivalent GuardianEdge Version Numbers . . . 19
Table 6.1—Recover Program Options . . . 62
Table A.1—Framework System Events . . . 65
Table A.2—Full Disk System Events . . . 81
Table B.1—Effect of a Change in Authentication Method on Existing User Accounts . . . 90
1. Introduction
Overview
Symantec Endpoint Encryption Full Disk protects data on laptops and PCs from the threat of theft or loss with strong, centrally managed encryption, auditing, and policy controls for hard disks and partitions, ensuring that the loss of a machine and its data does not result in a disclosure required by corporate policy or government regulation. As part of Symantec Endpoint Encryption, Full Disk leverages existing IT infrastructures for seamless deployment, administration, and operation.
Symantec Endpoint Encryption is comprised of Full Disk, Removable Storage, and Framework. Framework includes all the functionality that is extensible across Symantec Endpoint Encryption. It allows behavior that is common to both Removable Storage and Full Disk to be defined in one place, thus avoiding potential inconsistencies.
The following diagram depicts a sample network configuration of Symantec Endpoint Encryption.
Figure 1.1—Sample Network Configuration
The Active Directory domain controller and Symantec Endpoint Encryption Management Server are required. Multiple domains, forests, trees, and Symantec Endpoint Encryption Management Servers are supported.
A database server is recommended, but the Symantec Endpoint Encryption database can also reside on the Symantec Endpoint Encryption Management Server. If a database server is chosen to host the Symantec Endpoint Encryption database, the database server can be located inside or outside of Active Directory.
[Figure 1.1 shows the your-org.com Active Directory domain with its Domain Controller, an eDirectory Server for your_tree, the Management Server, the Database Server, the Manager Computer, and several Clients. The links are labelled Group Policy, SOAP over HTTP, LDAP, TLS/SSL, and TDS.]
The Novell eDirectory tree, Active Directory group policy communications, and TLS/SSL encryption are optional.
Directory Service Synchronization
Synchronization with Active Directory and/or Novell eDirectory is an optional feature. If enabled, then the Symantec Endpoint Encryption Management Server will obtain the organizational hierarchy of the specified forest, domain, and/or tree and store this information in the Symantec Endpoint Encryption database. It also keeps this information up to date. This improves performance during Client Computer communications with the Management Server, as the Management Server will be able to identify the Client Computer without having to query the Active Directory domain controller and/or the Novell eDirectory server.
When you open the Manager Console, you will have your Active Directory and/or Novell endpoints organized just the way that they are in the directory service, easing your deployment activities.
In addition, you will have records of computers that reside in the designated forest, domain, or tree, even if these computers do not have any Symantec Endpoint Encryption products installed and/or have never checked in with the Management Server. This will allow you to run reports to assess the success of a given deployment and gauge the risk that your organization may face due to unprotected endpoints.
The timing of the synchronization event differs according to the directory service. Whereas Novell informs the Management Server of any changes that may occur, the Management Server needs to contact Active Directory to obtain the latest information. Synchronization with Active Directory is set to occur once every fifteen minutes.
Active Directory and Native Policies
Active Directory policies are designed for deployment to the users and computers residing within your Active Directory forest/domain. Active Directory policies can be created and deployed whether synchronization with Active Directory is enabled or not.
Native policies are designed for deployment to computers that are not managed by Active Directory. Should you wish to deploy native policies to computers that are managed by Active Directory, you must turn synchronization with Active Directory off.
The following table itemizes the differences between Active Directory and native policies.
Table 1.1—Active Directory and Native Policies Compared
Active Directory Policies | Native Policies
Certain policies are deployed to users and others are deployed to computers. | Policies can only be applied to computers.
Policies are applied in Local, Site, Domain, OU (LSDOU) order of precedence. | Policies are applied in Computer, Subgroup, Group (CSG) order of precedence.
Single pane policy creation/deployment. | Each pane must be visited when creating the policy.
Policies are obtained from the domain controller and applied at each reboot. | Policies are applied when the client checks in with the Symantec Endpoint Encryption Management Server.
An immediate policy update can be forced using the gpupdate /force or secedit command. | An immediate policy update can be forced by clicking Check In Now from the User Client Console.
Manager Console
Basics
The Manager Console contains the following Symantec Endpoint Encryption snap-ins:
Symantec Endpoint Encryption Management Password—allows you to change the Management Password. The Management Password controls administrator access to two Full Disk help desk functions: the Recover Program and the Help Desk Program.
Symantec Endpoint Encryption Software Setup—is used to create client installation/migration packages.
Symantec Endpoint Encryption Native Policy Manager—escorts you through the process of creating a computer policy for clients not managed by Active Directory, such as Novell and other clients.
Symantec Endpoint Encryption Users and Computers—displays the organizational structure of your Active Directory forest and/or Novell tree; allows you to organize clients not managed by either Active Directory or Novell into groups; provides the ability to export computer-specific Recover DAT files necessary for the Recover Program.
Symantec Endpoint Encryption Reports—includes reports to allow you to obtain endpoint data, Policy Administrator activity logs, and directory service synchronization configuration. In addition, you will be able to export computer-specific Recover DAT files and create your own custom reports.
Symantec Endpoint Encryption Server Commands—provides information about commands issued to encrypt or decrypt drives. You can also use the snap-in to cancel a pending command.
SEE Help Desk Program (optional)—enables you to assist Windows or Mac users that forgot their credentials. You can also assist Windows users that have been locked out for a failure to communicate with the Management Server.
It also contains the following Microsoft snap-ins to help you manage your Active Directory computers:
Active Directory Users and Computers—allows you to both view and modify your Active Directory organizational hierarchy.
Group Policy Management—lets you manage group policy objects and launch the Group Policy Object Editor (GPOE). Within the GPOE you will find Symantec Endpoint Encryption snap-in extensions that allow you to create and modify Symantec Endpoint Encryption user and computer policies for Active Directory–managed computers.
Depending on your responsibilities, you may not have access to all of these snap-ins. Any such restrictions are enforced through the privileges associated with your Windows account.
Database Access
Your Windows account may have been provisioned with rights to access the Symantec Endpoint Encryption database. If so, ensure that you are logged on to Windows with this account before launching the Manager Console. If you are not logged on to Windows with read and write access to the Symantec Endpoint Encryption database at the time that you launch the Manager Console, you will be prompted for your SQL or Windows credentials.
Figure 1.2—SQL Server Logon Prompt
The Server name and Initial catalog fields will contain the information that was provided when this Manager Console was installed. In general, you should not modify the default contents of these fields. Circumstances that require you to edit these entries would be unusual, such as the loss of your primary Symantec Endpoint Encryption database. In such a situation, you could edit the Server name and Initial catalog fields to connect to a disaster recovery site. The syntax used in the Server name field is as follows:
computer name,port number\instance name
While the NetBIOS name of the server hosting the Symantec Endpoint Encryption database will always be required, the TCP port number will only be necessary if you are using a custom port, and the instance name will only be needed if you are using a named instance. The custom port number would need to be preceded by a comma and the instance name by a backslash.
To use a SQL account, select SQL Authentication and type the SQL user name in the User name field. Otherwise, select Windows Authentication and type the Windows account name in NetBIOS format in the User name field. Type the account password in the Password field. Click Connect to authenticate.
If you don’t wish to authenticate to the Symantec Endpoint Encryption database at this time, click Cancel. You may receive one or more error messages following cancellation. You will receive additional prompts upon attempting to access the individual Symantec Endpoint Encryption snap-ins in the console.
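The following PowerShell script is an added example and is not part of the Symantec guide or the product. It parses the Server name syntax used by the SQL Server Logon prompt (computer name,port number\instance name), opens a connection with either Windows Authentication or a SQL login, and verifies that the account actually holds read and write rights on the Initial catalog, which is the condition the console needs. The host name SEEDB01, the instance name SEEMSDB, and the catalog name SEEMSDb in the usage lines are hypothetical.

```powershell
# Added example (not from the Symantec guide): parse the Manager Console
# "Server name" syntax  computer name,port number\instance name , open a
# SqlConnection the way the SQL Server Logon prompt does, and confirm that
# the account has read and write rights on the catalog.
# Needs the System.Data assembly that ships with Windows PowerShell 5.1.

function ConvertTo-SqlDataSource {
    param([Parameter(Mandatory)][string]$ServerName)
    # Accept HOST, HOST,1433, HOST\INST or HOST,1433\INST (the guide's order).
    if ($ServerName -notmatch '^(?<host>[^,\\]+)(,(?<port>\d{1,5}))?(\\(?<inst>[^,\\]+))?$') {
        throw "Server name '$ServerName' is not in the form computer[,port][\instance]"
    }
    $source = $Matches.host
    if ($Matches.inst) { $source += '\' + $Matches.inst }
    # SqlClient expects the port after the instance name. When a port is given the
    # client connects straight to that port and the instance name plays no part in
    # locating the server.
    if ($Matches.port) { $source += ',' + $Matches.port }
    return $source
}

function Test-SeeDatabaseAccess {
    param(
        [Parameter(Mandatory)][string]$ServerName,     # e.g. 'SEEDB01,1433\SEEMSDB' (hypothetical)
        [Parameter(Mandatory)][string]$InitialCatalog, # the database name from the prompt
        [pscredential]$SqlCredential                   # omit to use Windows Authentication
    )
    Add-Type -AssemblyName System.Data
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $b['Data Source']     = ConvertTo-SqlDataSource $ServerName
    $b['Initial Catalog'] = $InitialCatalog
    # TDS travels in the clear unless the session is encrypted (the TLS/SSL link in
    # Figure 1.1 is optional), so insist on TLS and on a certificate the Manager
    # Computer trusts.
    $b['Encrypt']                = $true
    $b['TrustServerCertificate'] = $false
    $b['Connect Timeout']        = 10
    if ($SqlCredential) {
        $b['User ID']  = $SqlCredential.UserName
        $b['Password'] = $SqlCredential.GetNetworkCredential().Password
    } else {
        # Windows Authentication uses the token of the logged-on account, which is
        # why the guide says to log on with the provisioned account first.
        $b['Integrated Security'] = $true
    }
    $conn = New-Object System.Data.SqlClient.SqlConnection $b.ConnectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # Effective permissions of the connected principal on the current database.
        $cmd.CommandText = "SELECT permission_name FROM fn_my_permissions(NULL, 'DATABASE')"
        $perms = @()
        $r = $cmd.ExecuteReader()
        while ($r.Read()) { $perms += $r.GetString(0) }
        $r.Close()
        [pscustomobject]@{
            Server   = $b['Data Source']
            Database = $InitialCatalog
            Login    = $(if ($SqlCredential) { $SqlCredential.UserName } else { "$env:USERDOMAIN\$env:USERNAME" })
            CanRead  = [bool]($perms -contains 'SELECT')
            CanWrite = [bool](($perms -contains 'INSERT') -and ($perms -contains 'UPDATE'))
        }
    } finally {
        $conn.Dispose()
    }
}

# Usage (hypothetical server, instance and catalog names):
# Test-SeeDatabaseAccess -ServerName 'SEEDB01,1433\SEEMSDB' -InitialCatalog 'SEEMSDb'
# Test-SeeDatabaseAccess -ServerName 'SEEDB01' -InitialCatalog 'SEEMSDb' -SqlCredential (Get-Credential)
```

Run it from the Manager Computer before opening the console. CanRead or CanWrite reported as False explains the logon prompt and the later per-snap-in prompts, and a connection failure with Encrypt set points at a database server that has not been issued a certificate the Manager Computer trusts.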
Endpoint Containers
Basics
The Symantec Endpoint Encryption Manager will place each endpoint into one or more of the following containers:
Active Directory Computers,
Novell eDirectory Computers, or
Symantec Endpoint Encryption Managed Computers.
Active Directory/Novell eDirectory Computers
No computers will be placed in the Active Directory Computers or Novell eDirectory Computers containers unless synchronization with the directory service is enabled.
If synchronization with Active Directory is enabled, the Active Directory Computers container will be populated with the computers in the Active Directory forest/domain. If synchronization with Novell is enabled, the Novell eDirectory Computers container will hold the computers in the Novell tree. If synchronization with both directory services is enabled and the computer is managed by both, it will appear in both containers. Computer and user objects located within the Active Directory and/or Novell containers cannot be moved or modified with Symantec Endpoint Encryption snap-ins.
Symantec Endpoint Encryption Managed Computers
Computers located within the Active Directory Computers and/or Novell eDirectory Computers containers will not be shown in the Symantec Endpoint Encryption Managed Computers container.
Only computers that have checked in with the Management Server will be shown in the Symantec Endpoint Encryption Managed Computers container. Whether a computer is placed in the Symantec Endpoint Encryption Managed Computers container or not following check in will vary depending on whether synchronization is enabled or not.
If synchronization is not enabled, all Client Computers that have checked in will be placed in the Symantec Endpoint Encryption Managed Computers container.
If synchronization is enabled, only Client Computers that have checked in that do not reside within the designated Active Directory forest/domain and/or Novell tree will be placed in the Symantec Endpoint Encryption Managed Computers container.
Computers located within the Symantec Endpoint Encryption Managed Computers container should be grouped into the organizational structure that you desire.
Deleted Computers
The Deleted Computers container stores Symantec Endpoint Encryption–managed computers that have been deleted, allowing you to restore the computer and revert its deletion.
Symantec Endpoint Encryption–managed computers will remain in the Manager Console even after the client-side software has been uninstalled. To complete the uninstallation of a Symantec Endpoint Encryption–managed computer, locate the computer within the Symantec Endpoint Encryption Managed Computers container. Right-click the computer and select Delete. The computer will be removed from the Symantec Endpoint Encryption Managed Computers container and placed in the Deleted Computers container.
Should you fail to delete the computer from the Symantec Endpoint Encryption Managed Computers container following uninstallation and then reinstall, you will find two computers with the same name in the Symantec Endpoint Encryption Managed Computers container. Locate the computer with the older last check-in date, right-click it, and select Delete.
Symantec Endpoint Encryption Roles
Policy Administrators
As the Policy Administrator, you perform centralized administration of Symantec Endpoint Encryption. Using the Manager Console and the Manager Computer, you perform one or more of the following tasks:
Update and set client policies.
Issue server-based commands to encrypt or decrypt drives on fixed disks that are not Opal-compliant.
Run reports.
Change the Management Password.
Run the Help Desk Program.
Create the computer-specific Recover DAT file necessary for Recover /B, Recover /S, and Recover /O.
Client Administrators
Basics
Client Administrator accounts are created and maintained from the Symantec Endpoint Encryption Manager. Client Administrator accounts are managed entirely by Symantec Endpoint Encryption, independent of operating system or directory service, allowing Client Administrators to support a wide range of users.
Client Administrator passwords are managed from the Manager Console and cannot be changed at the Client Computer. This single-source password management allows Client Administrators to remember only one password as they move among many Client Computers.
Mac Client
Each Mac client must have exactly one Client Administrator account. The Client Administrator account is specified within the client installation package or policy. It will be created on the client at the time that the encryption of the boot disk is manually initiated. The Client Administrator account cannot be deleted by the user, ensuring administrative access to the Client Computer. The Client Administrator authenticates with a password. Privilege level is ignored by the Mac client. The Client Administrator account cannot be used to initiate encryption.
Windows Client
Client Administrators may be configured to authenticate with either a password or a token.
Each Client Administrator account can be assigned any of the following individual administrative privileges:
Unregister users—allows Client Administrators to unregister registered users from the Administrator Client Console;
Decrypt drives—provides Client Administrators with the right to decrypt drives encrypted by Symantec Endpoint Encryption Full Disk from the Administrator Client Console or through the use of Recover /D;
Extend lockout—permits Client Administrators to extend the Client Computer’s next communication date using the Administrator Client Console; and
Unlock—enables Client Administrators to unlock Client Computers that have been locked for failure to communicate with the Symantec Endpoint Encryption Management Server.
Client Administrators are always able to authenticate to Client Computers.
Client Administrators should be trusted in accordance with their assigned level of privilege.
Each Client Computer must have one default Client Administrator account. The default Client Administrator account has all administrative privileges and authenticates using a password. Only Client Administrators that authenticate with a password and have all administrative privileges can perform hard disk recovery. Up to 1024 total Client Administrator accounts can exist on each Client Computer.
Client Administrator accounts have the following restrictions:
Client Administrators do not have either of the authentication assistance methods (Authenti-Check and One-Time Password) available.
Client Administrators cannot use Single Sign-On.
User
Basics
Full Disk protects the data stored on the Client Computer by requiring valid credentials before allowing the operating system to load. Users set their own Symantec Endpoint Encryption credentials, which allow them to power the machine on from an off state and gain access to the operating system. Only the credentials of registered users and Client Administrators will be accepted by Full Disk.
Mac Client
Windows Client
At least one user is required to register with Symantec Endpoint Encryption on each Client Computer. A wizard guides the user through the registration process, which involves a maximum of five screens. The registration process can also be configured to occur without user intervention.
Authentication to Full Disk can be configured to occur in one of three ways:
Single Sign-On enabled—The user will be prompted to authenticate once each time they restart their computer.
Single Sign-On not enabled—The user must log on twice: once to Full Disk and then separately to Windows.
Automatic authentication enabled—The user is not prompted to provide credentials to Full Disk; the authentication process is transparent. This option relies on Windows to validate the user’s credentials.
The maximum number of registered users (up to 1024) is set during the creation of the installation package and can be changed by policy.
To ensure the success of this product in securing your encrypted assets, do not define users as local administrators or give users local administrative privileges.
2. Reporting
Overview
Basics
The Manager Console reporting tools allow you to obtain information about:
Client Computers,
Policy Administrator activities, and
Directory service synchronization.
Client Computers Data Available from Users and Computers and Basic Reports
Basics
At the time that a Client Computer succeeds in checking in with the Symantec Endpoint Encryption Management Server, it sends information about itself that is stored in the Symantec Endpoint Encryption database. This section discusses the data available about Client Computers from the following:
“Symantec Endpoint Encryption Users and Computers” on page 16;
“Computer Status Report” on page 16;
“Computers not Encrypting to Removable Storage” on page 17;
“Computers with Decrypted Drives” on page 17;
“Computers with Expired Certificates” on page 17;
“Computers with Specified Users” on page 17;
“Computers without Full Disk Installed” on page 17;
“Computers without Removable Storage Installed” on page 17; and
“Non-Reporting Computers” on page 18.
Basic data is shown in the main window and you can double-click a record of interest or right-click it and select Show Selection to obtain further details.
Main Window
The following table itemizes the data available about Client Computers from the main window. Columns that will be displayed but not populated by Full Disk are identified as not applicable (N/A).
If Active Directory and/or Novell synchronization is enabled, you will be able to obtain the computer names and directory service location of any computer located on your forest(s), domain(s), and/or tree(s)—even if it has never checked in with the Management Server. While only the computer name and directory service location of these machines will be available, the absence of additional data will allow you to identify computers that are unprotected or have not checked in.
Table 2.1—Client Computer Data Available from Main Window of Users and Computers and Basic Reports
Column Heading | Data Displayed | Explanation
Computer name | computer name | Computer name
Group name* | group name | Location of the computer within Symantec Endpoint Encryption Users and Computers
Last Check-In | date time | The date and time of the last connection that the Client Computer made with the Management Server
Decrypted | drive letter(s) | The drive letter(s) of any decrypted drives and/or partitions on this computer
Decrypting | drive letter(s) | The drive letter(s) of any drives and/or partitions on this computer that are in the process of decrypting
Encrypted | drive letter(s) | The drive letter(s) of any encrypted drives and/or partitions on this computer
Encrypting | drive letter(s) | The drive letter(s) of any drives and/or partitions on this computer that are in the process of encrypting
Drive Encryption Service | SEEFD or Opal | SEEFD is displayed for computers without Opal-compliant hard drives; Opal is displayed for computers with Opal-compliant hard drives.
RS Device Access Control* | N/A | N/A
RS Encryption Policy | N/A | N/A
RS Encryption Method† | N/A | N/A
RS On-Demand Encryption‡ | N/A | N/A
RS Device Exclusion** | N/A | N/A
RS Access Utility* | N/A | N/A
RS Self-Extracting Archives* | N/A | N/A
* Shown only in the Computer Status Report.
† Not shown in the Computer Status Report.
‡ Not shown in the Computers with Specified Users report.
** Not shown in the Computer Status Report or the Computers with Specified Users report.
Computer Info Tab
After double-clicking the record of interest or right-clicking it and selecting Show Selection, the data in the following table will be available from the Computer Info tab.
Table 2.2—Client Computer Data Available from Computer Info Tab
Column Heading | Data Displayed | Explanation
Group | group name | Location of the computer within Symantec Endpoint Encryption Users and Computers
OS | operating system name | The name of the installed operating system
OS Type | 32-bit or 64-bit | Whether the installed operating system is 32-bit or 64-bit
Serial Number | serial number | The System Management BIOS (SMBIOS) serial number, read from the Win32_SystemEnclosure WMI class. If the data does not exist on the client, the value will be blank.
Asset Tag | asset tag | The System Management BIOS (SMBIOS) asset tag, read from the Win32_SystemEnclosure WMI class. If the data does not exist on the client, the value will be blank.
Part Number | part number | The System Management BIOS (SMBIOS) part number, read from the Win32_SystemEnclosure WMI class. If the data does not exist on the client, the value will be blank.
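The following PowerShell script is an added example, not code from the Symantec guide or the product. It reads the same SMBIOS and operating system fields that the Computer Info tab reports, directly from a client, so that a serial number, asset tag or part number shown in the Manager Console can be checked against the hardware in hand before a computer is recovered, deleted or re-imaged. The list of firmware placeholder strings it treats as blank is an assumption drawn from common OEM firmware and is not taken from the guide.

```powershell
# Added example (not from the Symantec guide): collect the Computer Info tab
# fields (OS, OS Type, Serial Number, Asset Tag, Part Number) from the client
# itself, using the WMI classes the data comes from. Runs with ordinary user rights.

function Get-SeeComputerInfoFields {
    # Values some vendors leave in unprogrammed SMBIOS fields. They are reported as
    # blank here, matching what the console shows when the data does not exist.
    # (This placeholder list is an assumption, not part of the guide.)
    $placeholders = @('', 'To Be Filled By O.E.M.', 'Default string', 'None', 'System Serial Number')

    function Clean([string]$Value) {
        $v = ([string]$Value).Trim()
        if ($placeholders -contains $v) { return '' }
        return $v
    }

    # A system can expose more than one enclosure record (a docking station, for
    # example); the first record is the chassis that carries the service tag.
    $enclosure = Get-CimInstance -ClassName Win32_SystemEnclosure | Select-Object -First 1
    $os        = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs        = Get-CimInstance -ClassName Win32_ComputerSystem

    [pscustomobject]@{
        'Computer name' = $cs.Name
        'OS'            = $os.Caption
        'OS Type'       = $os.OSArchitecture          # '32-bit' or '64-bit'
        'Serial Number' = Clean $enclosure.SerialNumber
        'Asset Tag'     = Clean $enclosure.SMBIOSAssetTag
        'Part Number'   = Clean $enclosure.PartNumber
    }
}

Get-SeeComputerInfoFields | Format-List
```

Run it on the endpoint and compare the output with the Computer Info tab for the same Computer name. A mismatch in Serial Number is the quickest way to spot the duplicate records that the Deleted Computers section describes, where two entries share a name and only the check-in date tells them apart.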
Framework Tab
After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the data in the following table will be available from the Framework tab.
Full Disk Tab
After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the data in the following table will be available from the Full Disk tab.
Removable Storage Tab
The Removable Storage tab is not applicable to Full Disk.
Table 2.3—Client Computer Data Available from Framework Tab
Column Heading (Data Displayed): Explanation
FR Version (n.n.n): The three-digit version number of Framework that is currently installed
FR Installation Date (date time): The date and time on which Framework was installed
Last Check-In Time (date time): The date and time of the last connection that the Client Computer made with the Management Server
SSL Certificate Expiration Date (date time): The date and time of the client-side TLS/SSL certificate’s expiration
FR Build Number (major build number.minor build number.patch number.1): The major build number, minor build number, and patch number of Framework. The final digit will always be 1.
Table 2.4—Client Computer Data Available from Full Disk Tab
Column Heading (Data Displayed): Explanation
FD Version (n.n.n): The three-digit version number of Full Disk that is currently installed
FD Installation Version (n.n.n): The three-digit version number of Full Disk that was originally installed
Last Upgrade Date (date time): The date and time on which Full Disk was last installed or upgraded
FD Installation Date (date time): The date and time on which Full Disk was installed
FD Build Number (major build number.minor build number.patch number.1): The major build number, minor build number, and patch number of Full Disk. The final digit will always be 1.
Partition (drive letter): The letter of the logical drive that is encrypted, encrypting, decrypted, or decrypting
Encryption start time (date time): The date and time that encryption was initiated
Encryption end time (date time): The date and time that encryption completed
Decryption start time (date time): The date and time that decryption was initiated
Decryption end time (date time): The date and time that decryption completed
Decryption initiated by (user name or Command): The user name of the user or Client Administrator that initiated decryption. Alternatively, Command will be displayed if the action was initiated by a Policy Administrator using the Manager Console to issue a server-based decryption command.
Associated Users Tab
After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the data in the following table will be available from the Associated Users tab for Windows endpoints. The Associated Users tab will contain one row of data per registered user or Client Administrator on the Windows Client Computer. If this is a Mac record, no data will be available from the Associated Users tab.
Fixed Drives Tab
After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the Fixed Drives tab will contain one row of data per physical disk drive on the Client Computer.
Table 2.5—Client Computer Data Available from Associated Users Tab
Column Heading (Data Displayed): Explanation
User Name (user name): The user name of the registered user or Client Administrator account
User Type (Reg User|Client Admin): If the account is that of a registered user, Reg User will be displayed. If the account is that of a Client Administrator, Client Admin will be displayed.
Authentication Method (Password|Token|Password and Token|Unauthenticated): If the user or Client Administrator uses a password to authenticate, Password will be displayed. If the user or Client Administrator uses a token to authenticate, Token will be displayed. If this is a user and the user has the option to register both a password and a token, Password and Token will be displayed. If the Client Computer has been configured to use automatic authentication, Unauthenticated will be displayed.
User Domain (name of domain or tree|computer name): If the computer is joined to a domain or a part of a Novell tree, the name of the domain or tree will be displayed. If the computer does not belong to either directory service, the name of the computer will be displayed. For Client Administrators, this cell will be blank.
Last Logon Time (date time): If a user, the date and time of the last User Client Console logon. If a Client Administrator, the date and time of the last Administrator Client Console logon.
Registration Time (date time): The date and time on which this user registered. If this is a Client Administrator account, the date and time on which the account was created either by MSI or policy update.
Table 2.6—Fixed Drives Data
Column Heading (Data Displayed): Explanation
Disk ID (digit): The number of the physical disk, as assigned by the operating system. The operating system will assign a number to each physical disk. The first physical disk will be assigned the number 0 and the rest of the assigned numbers will increment sequentially.
Volume(s) (drive letter): The alphabetical letter assigned by the operating system to the logical drive will be identified in this cell. If the drive has been divided into partitions, the letter of each partition will be displayed, separated by commas.
Serial Number (number): The serial number of the physical disk will be displayed. This information is obtained from the device properties. If this data could not be obtained from the device properties, the value will be blank.
Server Commands Tab
After you double-click on a record of interest or right-click it and select Show Selection, the Server Commands tab will contain one row of data per command issued for this computer.
Directory Services Synchronization Data
Your current synchronization parameters are stored in the Symantec Endpoint Encryption database and can be retrieved using the following Symantec Endpoint Encryption Reports:
“Active Directory Forests Synchronization Status” on page 16, and “Novell eDirectory Synchronization Status” on page 18.
One row of data per forest or tree will be listed. The following table identifies the data that will be available from these reports.
Table 2.7—Server Commands Data
Column Heading (Data Displayed): Explanation
Command (Encrypt Drive|Decrypt Drive): The command issued by the administrator.
Issuer (domain\user name): The Windows domain and user name of the administrator who issued the command.
Time of Issue (date time): The date and time that the command was issued.
Status (Pending|Sent to endpoint): If the status is Pending, the command has not been sent to this computer. If the status is Sent to endpoint, the command has been sent.
Command Data (All Drives|drive letter(s)): If the data is All Drives, the command targets all drives on this computer. If the data consists of drive letters, the command targets one or more partitions on one of the computer’s fixed disks.
Table 2.8—Directory Services Synchronization Data
Column Heading (Data Displayed): Explanation
Forest/Tree Name (forest or tree name): The name of the forest or tree that you are synchronizing with will be identified in this column.
Administrator Name (user name): The user name that is being used to authenticate to the directory service server of this forest or tree will be provided in this column. This corresponds to the Active Directory or Novell synchronization account.
Administrator Domain* (domain): The Active Directory domain of the Active Directory synchronization account for this forest will be identified.
Last Synchronization (date time): The date and time of the last successful synchronization with this forest or tree will be supplied.
Total Computers (number): The total number of computers in this forest or tree as of the last synchronization will be noted here. This includes all of the computers, not just the Symantec Endpoint Encryption–protected endpoints.
Admin Log Data
Each time the Policy Administrator makes a change using the Manager Console, the action will be logged. The Admin Log provides a detailed log of all Policy Administrator activities. Log entries can be filtered according to inclusive date and time, user name, and computer name. The following table identifies the data that will be available in the Admin Log report.
Table 2.9—Admin Log Data
Column Heading (Data Displayed): Explanation
Date-Time (date time): The date and time on which the activity occurred
User (domain\user name): The Windows domain and user name of the Policy Administrator that initiated the activity
Computer (computer name): The computer name of the Manager Computer from which the activity was initiated
Activity (Description): One of the following activity descriptions; no further explanation is given for this column.
Changed Symantec Endpoint Encryption management password
Created native policy ‘policy name’
Renamed native policy ‘old policy name’ to ‘new policy name’
Deleted native policy ‘policy name’
Edited native policy ‘policy name’
Created new Symantec Endpoint Encryption Managed computer group ‘group name’
Renamed Symantec Endpoint Encryption Managed computer group ‘old group name’ to ‘new group name’
Deleted Symantec Endpoint Encryption Managed computer group ‘group name’
Assigned native policy ‘policy name’ to group ‘group name’
Unassigned native policy ‘policy name’ from group ‘group name’
Changed assigned native policy for group ‘group name’ from native policy ‘old policy name’ to native policy ‘new policy name’
Deleted Symantec Endpoint Encryption Managed Computer ‘computer name’
Moved Symantec Endpoint Encryption Managed Computer ‘computer name’ from group ‘old group name’ to ‘new group name’
Restored Symantec Endpoint Encryption Managed Computer ‘computer name’
Exported Recover DAT file for computer ‘computer name’
Initiated One-Time Password online method for user ‘user name’ on computer ‘computer name’ Symantec Endpoint Encryption GUID ‘Symantec Endpoint Encryption GUID of computer’
Initiated One-Time Password offline method for user ‘user name’
Created Framework client installation package ‘MSI package name’
Created Full Disk client installation package ‘MSI package name’
Created Removable Storage client installation package ‘MSI package name’
Created Autologon MSI package ‘MSI package name’
Assigned Encrypt Drive command.
Assigned Decrypt Drive command.
Cancelled Encrypt Drive command.
Cancelled Decrypt Drive command.
Removed Encrypt Drive command (ID = command ID*) assignment from computer ‘name of domain or tree\computer name’
Removed Decrypt Drive command (ID = command ID*) assignment from computer ‘name of domain or tree\computer name’
* The command ID is an integer that identifies a command. When a command is created, the SQL server increments the previous command ID by 1. Command ID numbering begins with 1; numbering is not restarted.
Client Events Data
A subset of the Windows system events from Windows Client Computers will be available from the Client Events report. The following table identifies the data that will be available in the Client Events report for Windows endpoints. No client events data for Mac clients will be available.
Table 2.10—Client Log Data
Column Heading (Data Displayed): Explanation
Date-Time (date time): The date and time on which the activity occurred
User (user name): The Windows user name of the user that initiated the activity
Computer Name (computer name): The computer name of the Windows Client Computer on which the event was logged
Event Description (description text): Framework events 4, 6, 8, 11, 14, 15, 16, 18, 19, 21, 124, 183, 184, and 246. Full Disk events 1004, 1008, 1012, 1014, 1015, 1019, 1023, 1027, 1028, 1107, 1108, 1109, 1110, 1111, 1114, 1119, 1120, and 1123. Refer to Appendix A “System Event Logging” on page 65 for the text of each event.
Device Exemptions Report Data
Device Exemptions Report Data is not applicable to Full Disk.
Server Commands Data
Command History, Decrypt Drive, and Encrypt Drive Snap-Ins
The following data is available from the Command History, Decrypt Drive, and Encrypt Drive snap-ins. Commands that are older than 30 days do not appear; they have expired and have been deleted from the database.
Table 2.11—Command History, Decrypt Drive, and Encrypt Drive Snap-In Data
Column Heading (Data Displayed): Explanation
Time of Issue (date time): The date and time the command was issued.
Command* (Decrypt Drive|Encrypt Drive): The command issued.
Issued By (domain name\user name): The Windows domain and user name of the administrator that issued the command.
Computer Issued From (computer name): The name of the computer from which an administrator issued the command.
Command Data (All Drives|drive letter(s)): If the data is All Drives, all of the drives on multiple computers or on a single computer are targeted. If the data consists of drive letters, one or more partitions on a single computer’s fixed disk are targeted.
* This column appears only for the Command History snap-in.
Command Assignment
After double-clicking a command or right-clicking it and selecting Show Selection, the following data is displayed in the Command Assignment window. The Command Assignment window displays one row of data per computer.
Table 2.12—Command Assignment Details
Column Heading (Data Displayed): Explanation
Status (Pending|Sent to endpoint): If the status is Pending, the command has not yet been sent to the endpoint. If the status is Sent to endpoint, the command has been sent.
Group (Tree\Context and/or forest\domain\OU): The Novell and/or Active Directory hierarchical context for this computer.
Symantec Endpoint Encryption Users and Computers
The Symantec Endpoint Encryption Users and Computers snap-in allows you to obtain data about a specific group. This data can be printed or exported into a comma-delimited format (CSV). This can be useful for generating reports on a per-group basis.
You might also want to consider your reporting needs when you create your groups (“Symantec Endpoint Encryption Managed Computer Groups” on page 39).
Symantec Endpoint Encryption Reports
Basics
The Symantec Endpoint Encryption Reports snap-in contains a number of reports that will assist you in managing your endpoints and your synchronization(s).
After obtaining the data, you can export it into comma-delimited format (CSV) for further manipulation in the tool of your choice. Alternatively, you can print the report directly from the Manager Console.
Should you choose to print the report, you can choose which columns to include by right-clicking the report in the console tree and selecting Configure Columns Displayed. Alternatively, select Configure Columns Displayed from the Action menu.
Active Directory Forests Synchronization Status
The Active Directory Forest Synchronization Status report provides the latest details of your Active Directory synchronization parameters and status (“Directory Services Synchronization Data” on page 12).
Client Events
The Client Events report provides you with a subset of the events logged on the endpoint (“Client Events Data” on page 15). Client events can be filtered according to inclusive date and time, user name, and computer name.
Computer Status Report
The Computer Status Report is used to retrieve the records of specific computers when you know their computer name. This can be useful for Windows clients under the following circumstances:
After deploying Windows client installation packages using your third-party deployment tool of choice, run this report to ensure that the deployment was successful and that each client checks in. You should make sure that each Windows client checks in at least once. During the check-in process, the Windows Client Computer sends data necessary for the online method of the One-Time Password Program and for the /B, /O and /S options of the Recover Program. Once you have identified Windows Client Computers that have not checked in, you can target them using other tools such as Resultant Set of Policy (RSoP) reports and Windows system event logs to determine if there was a problem during installation.
Should a Windows Client Computer fail to boot, you may need to export computer-specific recovery data necessary for Recover /B or /O.
Type or paste the computer names in the Enter Computer Names field. Each should be on a separate line. The % character can be used as a wildcard. Once you have entered the computer names that you want to retrieve the records of, click Run. To refresh the data, click Run again.
Computers not Encrypting to Removable Storage
The Computers not Encrypting to Removable Storage report will retrieve the records of the following computers on your network:
Did not have Removable Storage installed as of the time of last check-in.
Was not protected by a Removable Storage Encrypt all, Encrypt new, or Encrypt to CD/DVD policy as of the time of last check-in.
Resides on a forest or tree that is synchronized with the Symantec Endpoint Encryption Management Server and has not checked in. These clients may or may not be allowing users to write unencrypted files to removable devices.
Computers with Decrypted Drives
The Computers with Decrypted Drives report will retrieve the records of the following computers on your network:
Had one or more decrypted or decrypting drives and/or partitions as of the time of last check-in.
Resides on a forest or tree that is synchronized with the Management Server and has not checked in. These clients may or may not have a decrypted or decrypting drive or partition.
Computers with Expired Certificates
The Computers with Expired Certificates report will retrieve the records of the clients with client-side TLS/SSL certificates due to expire within the specified number of days from the current day. Enter the number of days until expiration in the Days the Certificate Will Expire field and click Run. For example, to see all of the clients with certificates due to expire within the next ninety days, type 90 in the Days the Certificate Will Expire field and click Run.
Computers with Specified Users
The Computers with Specified Users report allows you to find out all of the computers that one or more users have registered on. Type the user names in the Enter User Names field. If you enter more than one user name, they should be separated by carriage returns. The % wildcard character is supported. Once the desired report parameters have been entered, click Run.
The records of the computers on which one or more of the specified users has registered will be retrieved and listed in the report results.
Computers without Full Disk Installed
The Computers without Full Disk Installed report will retrieve the records of the following computers on your network:
Did not have Full Disk installed as of the time of last check-in.
Resides on a forest or tree that is synchronized with the Management Server and has not checked in. These clients may or may not have Full Disk installed.
Computers without Removable Storage Installed
The Computers without Removable Storage Installed report will retrieve the records of the following computers on your network:
Did not have Removable Storage installed as of the time of last check-in.
Resides on a forest or tree that is synchronized with the Management Server and has not checked in. These clients may or may not have Removable Storage installed.
Device Exemptions Report
Device Exemptions Report data is not applicable to Full Disk.
Framework Deployment
The Framework Client Deployment report provides you with a pie chart comparison of the percentage of computers installed with Framework versus the percentage that are not. You can filter the results based on date. The numerical breakdown is provided beneath the chart.
Full Disk Client Deployment
The Full Disk Client Deployment report provides you with a pie chart comparison of the percentage of computers installed with Full Disk versus the percentage that are not. You can filter the results based on date. The numerical breakdown is provided beneath the chart. Mac clients will not be included in this report.
Non-Reporting Computers
The Non-Reporting Computers report allows you to obtain a list of computers that have not checked in with the Symantec Endpoint Encryption Management Server within a specified number of elapsed days. This report will help you ensure that the data in the Symantec Endpoint Encryption database remains fresh. It is also an essential complement to a lockout policy.
Enter the number of elapsed days in the Days Since Last Check-In field and click Run. The records of the computers on your network that have not checked in with the Symantec Endpoint Encryption Management Server within the specified number of days will be retrieved and listed.
Novell eDirectory Synchronization Status
The Novell eDirectory Synchronization Status report provides the latest details of your Novell synchronization parameters and status.
Opal Endpoints
The Opal Endpoints report will retrieve the records of the following computers on your network:
Had Full Disk installed as of the time of last check-in.
Uses an Opal-compliant drive as the primary, boot drive.
Resides on a forest or tree that is synchronized with the Management Server and has not checked in.
Percentage of Encrypted Endpoints
The Percentage of Encrypted Endpoints report provides you with a pie chart display of the percentage of computers that are encrypted versus the percentage that are not. The numerical breakdown is provided beneath the chart. Mac clients will not be included in this report.
Removable Storage Client Deployment Report
The Removable Storage Client Deployment report provides a pie chart comparison of the percentage of computers installed with Removable Storage versus the percentage that are not. You can filter the results based on date. The numerical breakdown is provided beneath the chart. Mac clients are not included in this report.
Removable Storage Details Report
The Removable Storage Details report provides the latest details on the Removable Storage policy settings for each reporting client.
Removable Storage Password Aging Report
The Removable Storage Password Aging report provides the latest details on password aging settings for the Removable Storage default passwords and session default passwords.
Custom Reports
The custom reports feature allows you to create your own reports that you can run or edit at a later time. You can create subfolders to organize your custom reports. Right-click Custom Report and choose New Report to open the Query Editor. Click Save when you are done and type in a name for the new report.
Specify the filter criteria for your custom report in the three tabs of the Query Editor. For a list of all possible filter criteria, see Table 2.1 on page 8.
While only Symantec Endpoint Encryption version numbers will be available in the Client Version area, the selection of a Symantec Endpoint Encryption version number will result in the retrieval of not only the records of Client Computers installed with the selected Symantec Endpoint Encryption version, but also the Client Computers installed with the equivalent GuardianEdge Framework version. For example, if you select the 7.0.3 check box, the records of 7.0.3 clients will be retrieved—as well as the records of GuardianEdge Framework 9.3.0 and 9.3.1 clients. If you have GuardianEdge clients, consult the following table for the full mapping.
Table 2.13—Symantec Endpoint Encryption Version Numbers and Equivalent GuardianEdge Version Numbers
Symantec Endpoint Encryption Version Number: Equivalent GuardianEdge Version Number(s)
7.0.0: 9.2.0
7.0.1: 9.2.1
7.0.2: 9.2.2
7.0.3: 9.3.0, 9.3.1
7.0.4: 9.4.0, 9.4.1
7.0.5: 9.5.0
7.0.6: 9.5.1, 9.5.1 Patch 1
7.0.7: —
7.0.8: 9.5.3
Server Commands
Basics
The Symantec Endpoint Encryption Server Commands snap-in contains the Command History, Decrypt Drive, and Encrypt Drive snap-ins. The data can be printed or exported into a comma-delimited format (CSV) for further manipulation in the tool of your choice.
Command History
The Command History snap-in lists all encryption and decryption commands issued within the last thirty days.
Decrypt Drive
The Decrypt Drive snap-in lists all decryption commands issued within the last thirty days.
Encrypt Drive
The Encrypt Drive snap-in lists all encryption commands issued within the last thirty days.
Resultant Set of Policy (RSoP)
The Group Policy Management snap-in features a reporting facility which allows you to verify that the Active Directory policies you assigned to Client Computers or users were actually processed as intended. This report is known as a Resultant Set of Policies (RSoP) or Group Policy Report.
To generate an RSoP report, perform the following steps:
1. Open the Symantec Endpoint Encryption Manager, and in the left pane, expand Group Policy Management, then expand Group Policy Results.
2. With the Group Policy Results container selected, right-click and choose Group Policy Results Wizard.
3. The Group Policy Results Wizard launches. Click Next, then select the option Another Computer.
4. Browse to or type the name of the computer for which you wish to generate a Group Policy Report.
5. Click Next.
Figure 2.1—Group Policy Results Wizard, User Selection
6. To view both user and computer policies, select the user that you want to see the user policies of. If you are only interested in computer policies, select Do not display user policy settings in the results.
7. Click Next.
8. Click Next at the summary screen, then click Finish.
9. The Group Policy Results snap-in connects to the Client Computer, gathers the policy information into a report, and displays the information in several tabs of the content pane on the right.
10. Click on the Settings tab of the Group Policy Results window in the pane on the right.
The initial Symantec Endpoint Encryption installation settings as deployed using the Framework and Full Disk client MSI packages (even if the MSI packages were deployed as GPOs) will not appear in the RSoP report. Only the results of Active Directory policy updates will be shown in the RSoP report.
11. This window shows a collapsed view representing all the settings for the user/computer pair you selected. The view is divided into two sections: one section named Computer Configuration, and another section beneath it named User Configuration.
12. Within the section named Computer Configuration, locate the subsection named Administrative Templates. Symantec Endpoint Encryption uses registry-based policies, and any Symantec Endpoint Encryption computer policies you create and apply will show up within the subsections Computer Configuration, Administrative Templates, Symantec Endpoint Encryption/Framework, and Computer Configuration, Administrative Templates, Symantec Endpoint Encryption/Full Disk. For user settings, this pattern is mirrored in the User Configuration section of the Group Policy Results window.
13. Expand the Administrative Templates and then expand the Symantec Endpoint Encryption/Framework section by clicking on the Show link on the right. That subsection will expand to reveal all Framework policies currently in effect.
Figure 2.2—RSoP Report From a Symantec Endpoint Encryption Client
Figure 2.2 shows that a Client Administrator policy has been applied. The Client Administrator mbrown authenticates using a password and has a high level of privilege. The Client Administrator mwilliams authenticates using a password and has a high level of privilege.
Any level in the report hierarchy can be exported as an HTML file by right-clicking the name (for example, Symantec Endpoint Encryption/Framework), choosing Save Report, and selecting a target location in which to save the HTML report.
Some Symantec Endpoint Encryption Active Directory policies create other settings in the client registry that are shown in the RSoP as Extra Registry Settings. These represent internal registry values used by the particular Symantec Endpoint Encryption policy and can be ignored.
Windows System Events
All security-related system events are logged on the Symantec Endpoint Encryption Client Computer where they may be viewed remotely by an administrator using the Windows System Event viewer. To view Full Disk–specific system events logged on a specific Windows computer, perform the following steps:
1. Open a Run dialog from the Windows Start menu.
2. Type eventvwr.msc and click OK.
3. An Event Viewer console window opens showing the events on your local computer.
4. In the navigation pane on the left, right-click the top-level folder named Event Viewer (Local), and choose Connect to another computer.
5. In the Select Computer dialog, make sure that the Another computer option is selected, then click Browse.
6. In the Select Computer dialog, type the name of a computer you wish to inspect the events of, and click OK.
7. In the navigation pane on the left, right-click the item named Application, and choose Connect to another computer.
8. Choose View and click Filter to open the Application Properties window.
9. From the Event Source drop-down list box, choose Symantec and click Apply.
10. This filters the event log for that computer to show Framework and Full Disk events. Drag the Application Properties window away from the Event Viewer window, but leave it open.
11. In the right pane of the Event Viewer window, double-click the top-most event entry to open the Event Properties window for that event.
The Description field contains information about that particular Full Disk event. To inspect other events in the log, use the up and down arrow buttons in the upper right of the Event Properties window.
To filter out all events other than a desired event, click on the Application Properties window. In the Event ID field, type the number of the event you are interested in, then click Apply. The Event Viewer window will update and filter out all event IDs other than the one you specified.
For a complete list of all Symantec Endpoint Encryption–specific system events, their event code numbers, and descriptions of the events, refer to Appendix A “System Event Logging” on page 65.
Full Disk System events generated in Windows log the user account information associated with that event in the User field of the Event Properties window, while Full Disk events generated in the pre-Windows environment log the user account information in the Description field of the Event Properties window.
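The Event Viewer procedure above, scripted against a remote client as an added example (this is not code from the guide or from Symantec). It assumes the event source is named Symantec exactly as it appears in the Event Source drop-down, that the 1000-range IDs in Table 2.10 are Full Disk events and the lower IDs Framework events, and that the caller has remote Event Log read rights on the target computer.

```powershell
<#
  Added example, not part of the Symantec guide: read the Framework and Full Disk
  events listed in Table 2.10 from a remote client's Application log, instead of
  clicking through Event Viewer. Assumptions (not stated as facts by the guide):
  the provider/source is named "Symantec" as shown in the Event Source drop-down,
  Full Disk IDs are the 1000-range values and Framework IDs the low values, and
  the caller holds remote Event Log read rights on the target.
#>
param(
    [Parameter(Mandatory = $true)][string]$ComputerName,
    [int]$MaxEvents = 500,
    [int[]]$OnlyIds = @()   # optional: narrow to specific IDs, like the Event ID filter step
)

# Event IDs from Table 2.10 of the guide.
$frameworkIds = 4, 6, 8, 11, 14, 15, 16, 18, 19, 21, 124, 183, 184, 246
$fullDiskIds  = 1004, 1008, 1012, 1014, 1015, 1019, 1023, 1027, 1028,
                1107, 1108, 1109, 1110, 1111, 1114, 1119, 1120, 1123
$wantedIds    = if ($OnlyIds.Count -gt 0) { $OnlyIds } else { $frameworkIds + $fullDiskIds }

# A filter hashtable is applied by the event log service on the remote host, so
# only matching records are returned (the same effect as Event Source = Symantec
# plus the Event ID filter in the Application Properties window).
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Symantec'     # assumption: source name as shown in Event Viewer
    Id           = $wantedIds
}
$query = @{
    ComputerName    = $ComputerName
    FilterHashtable = $filter
    MaxEvents       = $MaxEvents
    ErrorAction     = 'SilentlyContinue'   # "no events found" is raised as an error
}
$events = Get-WinEvent @query

if (-not $events) {
    Write-Warning "No Symantec Endpoint Encryption events found in the Application log on $ComputerName."
    return
}

foreach ($e in $events) {
    # Classification by ID range, per the assumption stated above.
    $component = if ($e.Id -ge 1000) { 'Full Disk' } else { 'Framework' }
    # Events written from the pre-Windows environment carry the account in the
    # Description text rather than the User field, so surface both.
    $user = if ($e.UserId) { $e.UserId.Value } else { '(see Description)' }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Component   = $component
        User        = $user
        Description = ($e.Message -split "`r?`n")[0]
    }
}
```

Run it as `.\Get-SeeEvents.ps1 -ComputerName CLIENT01 -OnlyIds 1004` to mirror the single-Event-ID filter; the User column holds the account SID from the event record, and pre-boot Full Disk events will show it only in the Description text.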
3. Policy Creation & Editing
Overview
Each client will have installation settings in place. Installation settings are created at the time that the client is installed and modified each time an upgrade package is applied. Policy settings will always take precedence over any installation settings on the client.
Symantec Endpoint Encryption provides two different types of policies. While each contains identical options, Active Directory policies are created and edited in quite a different manner from native policies.
This chapter discusses the following:
How to create and/or edit Active Directory policies using Symantec Endpoint Encryption snap-in extensions in the Group Policy Object Editor (GPOE) (“Active Directory Policies” on page 23);
How to create and/or edit native policies using the Symantec Endpoint Encryption Native Policy Manager (“Native Policies” on page 24); and
The individual policy options themselves (“Policy Options” on page 24).
Active Directory Policies
To create or edit an Active Directory policy, expand the Group Policy Management snap-in, expand your forest, expand Domains, expand the domain, and expand Group Policy Objects.
To edit an existing GPO, right-click the GPO and select Edit.
To create a new GPO, right-click Group Policy Objects and select New. The Group Policy Object Editor (GPOE) will launch.
To edit or create a computer policy, expand Computer Configuration, expand Software Settings, and expand Symantec Endpoint Encryption. Then expand Framework and/or Full Disk, according to your needs.
To edit or create a user policy, expand User Configuration, expand Software Settings, and expand Symantec Endpoint Encryption. Then expand Framework and/or Full Disk, according to your needs.
Each Active Directory policy panel features three option buttons at the top:
Do not change these settings—this option is the default option. It specifies that no changes to existing policies or installation settings will be made.
Change these settings—click this option if you want to specify a policy update. When this option is selected, the fields below it will become available. These fields are not populated with the policies currently in effect; they display generic defaults.
Restore the installation settings—click this option to apply a policy that instructs the client to disregard any existing policies and return to the settings that were specified in its installation package.
When the Change these settings option is selected, your entries are validated when you click away from the panel. Any incorrect entries will be highlighted in red, and the icon for the panel, as shown in the navigation tree of the GPOE window, will change to a warning icon to remind you to return to that panel and make the necessary