Enrollment is the binding of a computer with PGP Desktop client (Symantec Encryption Desktop) software installed to a PGP Server (Symantec Encryption Management Server). After a PGP Desktop client is bound to a PGP Server, it receives feature policy information from the Server; for example, encryption keys, email policy, PGP File Share Encryption, or PGP Drive Encryption administration.
There are several methods to enroll. The most common and recommended method is "LDAP Enrollment", which uses user attributes and values stored on the PGP Server. For more information about Directory Synchronization, see the following article:
Once Directory Synchronization is configured, LDAP Enrollment can be used.
Another method, and the one detailed in this article, is "Email Enrollment", which makes enrollment possible even without an LDAP/Active Directory server.
This article details the steps to use Email Enrollment to enroll PGP Desktop clients with a PGP Server.
This method is available for all client installations, including PGP File Share Encryption-only and PGP Whole Disk Encryption-only installations, as long as there is an email account configured on the computer.
Email Enrollment is possible even if the PGP Server does not perform email encryption or is outside the mail flow. Email Enrollment requires that the PGP Server be able to send an SMTP message to the mail server.
The mail server, in turn, must accept email from the PGP Server.
Important Note: It is not necessary to fully "trust" the PGP Server on the mail server; only allow email to be sent TO the mail server, so as to prevent an open mail relay situation.
Email Enrollment requires that one of the following protocols be used:
Exchange for macOS is not supported because it is technically a hybrid of HTTPS, and our mail service does not handle that protocol.
If your email protocol can be proxied, then you can use Email Enrollment. If you do not support one of the above, you can still enroll using "LDAP Enrollment" as mentioned previously.
If you do not select "Enroll clients using directory authentication" when you enable Directory Synchronization, clients enroll through email.
There are a few parts to client installation and enrollment:
On the PGP Server, log in and click the Consumers tab, then click Directory Synchronization:
As shown in the screenshot above, the Directory Synchronization service is enabled.
Click the "Disable" button to disable Directory Synchronization.
Next, click the "Settings..." button to open the settings and make sure "Enroll clients using directory authentication" is unchecked:
Next, click Consumers, then Managed Domains to see the list of domains available. In this example, the only domain is "sr388.dom":
Make sure all the domains you will be enrolling with are added. In this example we have two domains, so we add the second:
Click Save and verify both domains are now added:
Because Email Enrollment needs to send an email to each user who will be enrolling, we need to make sure there is a mail route configured for the PGP Server to send through.
Click "Mail", then "Mail Routes" to see what is listed. If no mail routes are configured, the PGP Server does its own MX record lookup on the recipient's domain and tries to deliver there.
In our example, we want the PGP Server to bypass the MX lookup and send to a specific mail server. To do this, click "Add Mail Route...":
In this example, we will add a mail route for "newdomain.dom" with the IP address of the mail server, 192.168.1.155:
When the user gets the Email Enrollment prompt, they are asked to enter their email address and then confirm it. The PGP Server then uses these mail routes to send the enrollment email to the user.
In this example, this means the PGP Server will send the enrollment email to 192.168.1.155. To ensure the enrollment email reaches the user, make sure the receiving mail server accepts mail from the PGP Server.
Important Note: Again, take special care not to "trust" the PGP Server as a relay or give it "relay" capabilities; simply allow its mail to be accepted, so as to prevent an open mail relay situation.
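To confirm a mail route meets both conditions above (the mail server accepts enrollment mail for the managed domain but does not relay for other domains), here is an added Python check. It is not part of the original article or of the Symantec product; the route host, sender and recipient addresses are assumptions matching the example, and the check only exercises the SMTP envelope, so no message is delivered.

```python
"""Check a PGP Email Enrollment mail route: accept yes, relay no."""
import smtplib
from dataclasses import dataclass


@dataclass
class RouteCheck:
    accepts_managed: bool   # RCPT TO an address in the managed domain was accepted
    relays_external: bool   # RCPT TO an unrelated external address was accepted (bad)

    @property
    def ok(self) -> bool:
        # Good route: delivers to the managed domain, refuses to relay elsewhere.
        return self.accepts_managed and not self.relays_external


def check_mail_route(smtp, sender, managed_rcpt, external_rcpt) -> RouteCheck:
    """Drive an SMTP session (smtplib.SMTP or a compatible stub) through
    EHLO / MAIL FROM / two RCPT TO probes, then RSET and QUIT without DATA."""
    smtp.ehlo()
    code, _ = smtp.mail(sender)
    if code != 250:
        raise RuntimeError(f"MAIL FROM rejected with {code}; server does not accept PGP Server")
    managed_code, _ = smtp.rcpt(managed_rcpt)
    external_code, _ = smtp.rcpt(external_rcpt)
    smtp.rset()
    smtp.quit()
    # 250/251 mean the recipient was accepted for delivery or forwarding.
    return RouteCheck(accepts_managed=managed_code in (250, 251),
                      relays_external=external_code in (250, 251))


if __name__ == "__main__":
    # Hypothetical values: the mail route host from the article's example,
    # a sender in the managed domain, and an external probe address.
    MAIL_ROUTE_HOST = "192.168.1.155"
    result = check_mail_route(
        smtplib.SMTP(MAIL_ROUTE_HOST, 25, timeout=10),
        sender="pgp-enrollment@newdomain.dom",
        managed_rcpt="user@newdomain.dom",
        external_rcpt="probe@relay-check.invalid",
    )
    print(result, "OK" if result.ok else "FIX MAIL SERVER: relay or acceptance misconfigured")
```

Run it from the PGP Server's network position, since the mail server's acceptance rules are usually keyed to the connecting IP address.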
Now the new mail route is configured:
Add mail routes for any other domains you wish to enroll with.
After the user enters their email address and the PGP Server sends the email to that mail server, it is important that the "Enrollment Email" destined for the user is not modified in transit.
The email contains an encryption cookie that must be authenticated once it arrives in the user's inbox. If this cookie is modified, the enrollment process may fail.
For more information on downloading the PGP Desktop client, see the following article:
180244 - HOW TO: Download Encryption Desktop Client Installers in Symantec Encryption Management Server
Note: If the user does not receive an enrollment email, make sure the email domain matches a managed domain and that the correct ports are open.