Symantec Encryption Product License concept - How are Symantec Encryption Products licensed (SEE and PGP)

Article ID: 153245

Products

Desktop Email Encryption, Drive Encryption, Encryption Management Server, Gateway Email Encryption, Endpoint Encryption, File Share Encryption

Issue/Introduction

Symantec offers many different products, each with its own licensing requirements. Some Symantec Encryption products use a licensing system to enable product functionality for purchased products. This article outlines the licensing concepts and explores licensing scenarios.

Symantec Encryption functionality may be fully or partially disabled until a valid license number is entered. The process of entering a license number into Symantec Encryption software is called License Authorization and enables one or more seats (or users) of Symantec Encryption software.

Sample License Number:
DWDK0-ABCD-12345-ABC12-ABCDE-123

Symantec Enterprise Division reserves the right to audit systems for licensing compliance as per the End User License Agreement.

Resolution

 

Section 1 - Symantec Endpoint Encryption (SEE): 

Symantec Endpoint Encryption Management Server (SEE MS)
Symantec Endpoint Encryption Drive Encryption (SEE Drive Encryption)
Symantec Endpoint Encryption Removable Media Encryption (SEE RME)

Symantec Endpoint Encryption Management Server can be installed on as many systems as is needed without additional licensing.

SEEMS manages systems encrypted with Symantec Endpoint Encryption Drive Encryption and Removable Media Encryption.

Symantec Endpoint Encryption is metered per device, that is, by the number of laptops or desktops to be covered.


Example 1: If SEE Drive Encryption is installed on 100 systems, then a license for 100 seats would be needed. 

Example 2: If an additional 50 seats were installed with SEE RME, then another 50 seats would be needed, for a total of 150 seats.

Symantec Endpoint Encryption products do not use a license number, unlike the rest of the encryption products in this document.

 

 

Section 2 - Symantec Encryption Products (PGP): 

Symantec Email Encryption 
Symantec File Share Encryption 
Symantec Drive Encryption

All of the PGP Desktop features listed above are licensed per user, meaning individual users actively using the PGP Desktop software either on the same system or any profile on the same system.
The exception to this rule is Symantec Drive Encryption, which is licensed per device.


Example 1: One user on one or more profiles per system must purchase one copy of PGP Desktop.

Example 2: Two users on one or more profiles per system must purchase two copies of PGP Desktop.

Example 3: One user wanting to use PGP Desktop on five different computers must purchase five copies.

Example 4: Symantec Drive Encryption enables a user to encrypt the entire hard drive of a computer. After the system has been encrypted, the system cannot be booted until a passphrase (password) has been entered. In some cases, this is the only encryption functionality that will be used.

Symantec Drive Encryption allows multiple users to be added to the software to boot a system. In this scenario, only one license per system/device is required. This also applies to Administrators wanting to add themselves to the Symantec Drive Encryption software (See the screenshot below to see the Drive Encryption shelf). If any additional features are used, such as individual file encryption or Virtual Disk, each user taking advantage of these features requires an individual license.

Example 5: Email Decryption only: Symantec Encryption Desktop (SED) has the ability to encrypt and decrypt emails. When the license term ends for Email Encryption, previously encrypted email content can be decrypted with PGP Viewer on an email-by-email basis. In the event that PGP Viewer cannot be used, Symantec Enterprise Division allows customers to decrypt messages that were previously encrypted as long as a license for other SED features is currently owned.

For example, if Symantec Drive Encryption and Email Encryption were previously purchased, but only Drive Encryption is renewed, you may continue to use the email piece to decrypt emails only. No further emails can be encrypted with the SED client. Symantec Enterprise Division requires the mail policies be configured such that no future email will be encrypted. These mail policies may need to be modified on the Symantec Encryption Management Server, or on a standalone client. For help with how to do this, please contact support.



Section 3 - Symantec Encryption Management Server (PGP Server): 

Two scenarios exist for licensing with Symantec Encryption Management Server:
1. Symantec Encryption Management Server with PGP Command Line Integration (KMS)
2. Symantec Encryption Management Server Gateway Email Deployment



Example 1 - Symantec Encryption Desktop Clients (PGP Desktop Client) Managed by Symantec Encryption Management Server (PGP Server):

Symantec Encryption Management Server includes the ability to manage users on the server or centrally manage individual Symantec Encryption Desktop clients. Symantec Encryption Management Server allows Administrators to lock down Symantec Encryption Desktop policies.

The central management functionality is a bundled SKU which includes both the client and server functionality. The number of seats that must be purchased depends on the number of clients to be installed. If 100 users need to install Symantec Encryption Desktop, this SKU automatically includes 100 seats of Symantec Encryption Management Server for client management.

A license must be entered to enable features of Symantec Encryption Management Server. No license number needs to be entered on the server to enable client functionality. When additional seats of Symantec Encryption Desktop are purchased, there is also no need to update a license key on Symantec Encryption Management Server.
 

Example 2 - Symantec Encryption Management Server (PGP Server) for Gateway Email Encryption Only:

When Symantec Encryption Management Server is used to only encrypt email in the mailstream, the server is licensed per user.  If 100 users exist on Symantec Encryption Management Server, then 100 seats must be purchased.

A license must be entered to enable the mail functionality of Symantec Encryption Management Server. 
 

Note on Clustering: Symantec Encryption Management Server has the ability to share/replicate information to other Symantec Encryption Management Servers. This process is called clustering. In clustering, multiple Symantec Encryption Management Servers are used. For licensing purposes, Symantec does not limit the number of clusters that can be used within the environment as long as the user count does not exceed the quantity of licenses purchased (the technical limitation is 6 nodes).

 

Note on Licensing Counts and Compliance: Although this article describes how the software is licensed and includes scenarios to help clarify how the licenses are counted, Symantec Encryption Management Server does not currently provide a method to determine an exact number of licensed seats currently in use. There are several reasons for this, but two of the most common are as follows:
 

Managed User Scenario: A user who may no longer be with the organization could still appear on the Encryption Server. Symantec Encryption Management Server would count this user against the total number of Internal Users; however, the user is technically not using a licensed seat. Users (and Devices) on Symantec Encryption Management Server are never removed unless an Administrator does so manually.

Managed Device (Machine) Scenario: A user may acquire a new machine, and could have two machines listed on Symantec Encryption Management Server. One machine may be retired or reimaged and no longer in use, and the new machine would appear as an additional device. Technically, for Symantec Drive Encryption, this would count as two seats; however, on paper, only one seat is being used.

Due to the above scenarios, and possible other scenarios, checking counts on Symantec Encryption Management Server is not a reliable method to know how many seats are in use for licensing compliance. For compliance reasons, it is best to keep track with your own software management solution, such as Altiris, and query actual machines to see on which machines Symantec Encryption Desktop is installed.

 



Section 4 - Symantec PGP Command Line 

Symantec PGP Command Line is licensed per physical machine and by how many CPUs/processors are being used.

CPUs/processors refers to the number of physical CPUs on a system.

Note: CPUs with multiple internal processing units or cores each count as a CPU as this allows for multithreaded processing to take place, which in turn provides better processing power for PGP Command Line.
PGP Command Line is a powerful tool so the more CPUs you assign to a system, the more encryption/decryption routines that can run.

Each copy of PGP Command Line purchased entitles you to install on one production machine (that handles all your encryption/decryption for your business) and one non-production machine (that is used to develop scripts for testing, but does *not* handle production data for encryption/decryption).

This means if one 2-CPU license is purchased for Symantec PGP Command Line, it may be installed on the production box that is handling all encryption/decryption processes, and another system that is not handling production encryption/decryption. The non-production box may be a failover box or a test box, but may not perform any encryption/decryption related to business encryption/decryption.

Example 1: If a computer has one or two physical processors, a 2-CPU license is required.

Example 2: If a computer has up to four processors, a 4-CPU license is required, and so on.

Example 3: If a 1-CPU processor has 4 cores, then a 4-CPU license would be needed.  If a system has 4 CPUs, and 4 cores each, then a 16-CPU license would be needed.

 

Section 5 - Licensing for Terminal Server or Citrix Environments:

Various Symantec Encryption Desktop functionality can be used in Terminal Server or Citrix Server environments.  In Terminal or Citrix Server environments, the applications are installed on the server itself and any users logged into this server can access the application installed.  Due to the nature of these environments, Symantec Encryption Desktop is managed quite differently than in normal environments. The Encryption software is licensed per-user on the Terminal or Citrix Server and not by how many users are using the Symantec Encryption Desktop.

Example: Symantec Encryption Desktop is installed on a Terminal Server that has 100 users; however 25 users are currently using Symantec Encryption Desktop. In this scenario, 100 copies must be purchased, because all users on the server have the ability to use the Symantec Encryption software, whether it is used or not.

The only exception to this, in Citrix environments, is a technical restriction that has been enforced on the Citrix Server. In other words, only those users who are licensed to use Symantec Encryption Desktop have the ability to use any encryption functionality. To enforce a technical restriction in a Citrix environment, NTFS Permissions should be modified on the Citrix Server to remove Execute access for the Program Files folder so that only licensed users can open Symantec Encryption Desktop. In addition to restricting execute access, other restrictions should be put in place so that Symantec Encryption Desktop does not start up when a user logs into an account and the menu items are not available.
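
One way to verify the NTFS lockdown described above, as an added example that is not part of the original article or Symantec's own tooling: a read-only PowerShell audit that lists every Allow entry granting execute rights on executables under the install folder to an identity outside an expected set. The folder path, the group name and the list of expected identities are placeholders and assumptions, not values from the article.

```powershell
# Added example (not Symantec's code). Read-only: it changes no permissions.
# Placeholders / assumptions, replace with your environment's values:
$InstallDir    = 'C:\Program Files\<SED-install-folder>'   # placeholder path
$LicensedGroup = 'EXAMPLE\SED-Licensed-Users'              # hypothetical group

# Identities expected to keep execute access (assumed servicing accounts
# plus the licensed-users group).
$Expected = @(
    $LicensedGroup,
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

$Execute = [System.Security.AccessControl.FileSystemRights]::ExecuteFile

function Get-UnexpectedExecuteAccess {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $AllowedIdentity
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -Filter '*.exe' | ForEach-Object {
        $file = $_.FullName
        (Get-Acl -LiteralPath $file).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band $Execute) -and
                ($AllowedIdentity -notcontains $_.IdentityReference.Value)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    File      = $file
                    Identity  = $_.IdentityReference.Value
                    Rights    = $_.FileSystemRights
                    Inherited = $_.IsInherited   # True: the grant comes from a parent folder
                }
            }
    }
}

$findings = @(Get-UnexpectedExecuteAccess -Path $InstallDir -AllowedIdentity $Expected)
if ($findings.Count -eq 0) {
    Write-Output 'No unexpected execute grants found.'
} else {
    $findings | Sort-Object Identity, File | Format-Table -AutoSize
}
# Limitation: Deny entries and nested group membership are not evaluated here.
```

Any row returned names an identity that can still launch the software and would therefore count toward the per-user total on that server.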
 

Due to the nature of licensing with Terminal Server or Citrix environments, licensing is per user on the Terminal or Citrix server where Symantec Encryption Desktop is installed, as listed in the example above. The only exception to this licensing is by implementing a technical lockdown of the Symantec Encryption Desktop software for non-licensed users in this type of environment. This means the non-licensed users are technically unable to utilize any features. When such a technical lockdown has been implemented, Symantec will only require licenses for the users who will be using Symantec Encryption Desktop and are legally authorized to do so.