Re-enrolling PGP Desktop (Symantec Encryption Desktop) for Mac OS X clients

Article ID: 155714

Products

Drive Encryption

Issue/Introduction

If PGP Encryption Desktop (Symantec Encryption Desktop) behaves unusually or is not working correctly, the easiest solution is sometimes to re-enroll the client with the PGP Encryption Server (Symantec Encryption Management Server).

Issues that re-enrollment can address:

  • Key issues
  • Decryption or encryption issues
  • Forceful check in
  • Unexplained behavior

Enrollment is the process of registering the PGP client with the PGP Encryption Server (Symantec Encryption Management Server).

After a PGP client is registered with the PGP server, it receives policy updates from the server, uploads logs to the server, and can look up PGP keys on the server.

This article covers Mac OS X clients. For Windows clients, see Re-enrolling Encryption Desktop for Windows clients.

Resolution

Enrollment is the binding of a computer that has the PGP Encryption Desktop client software installed to a PGP Encryption Server. After a client is bound, it receives feature policy information from the Symantec Encryption Management Server (SEMS); for example, encryption keys, email policy, or PGP Drive Encryption (formerly known as Whole Disk Encryption) administration.

In some circumstances, you may need to re-enroll PGP Encryption Desktop clients: if the client is experiencing connection problems with the SEMS, if the client license does not update after renewing the client license on the server, or, in rare circumstances, if the client preference files (~/Library/Preferences/com.pgp.*) become corrupted.

Use the following steps to re-enroll a PGP Encryption Desktop for Mac client with the PGP Encryption Server.

  1. Stop the PGP services: hold down the Option key, click the PGP padlock icon on the menu bar, and select Quit.
  2. Browse to the ~/Library/Preferences folder.

    Note: The ~ refers to the user profile (home) directory.
     
  3. Move all the com.pgp.* files to Trash (there will be com.pgp.desktop and other com.pgp plist files that should be moved to Trash).
  4. For PGP Encryption Desktop 9.x, follow the next steps. For PGP Encryption Desktop 10.x and above, simply re-launch PGP.app (starting with PGP Encryption Desktop, "PGP.app" has been renamed to "Encryption Desktop.app").
  5. Open the Terminal application.
  6. Type: defaults write com.pgp.pgp configurationString "ovid=keys.example.com&mail=*&admin=1"

    Note: Steps 5 and 6 are only necessary when using PGP Desktop 9.x clients.

  7. Launch Symantec Encryption Desktop to start the Symantec Enrollment Assistant.

For Encryption Desktop 10.0.x through 10.3.0, if enrollment does not begin, check the file /Applications/PGP.app/Contents/Resources/policy.txt. It should contain a string similar to 'ovid=keys.example.com&mail=*&admin=1'. If the hostname in that string cannot be resolved, enrollment will not function as expected. In Symantec Encryption Desktop 10.3.1 and above, the location is /Applications/Encryption Desktop.app/Contents/Resources/policy.txt.
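
The policy.txt and hostname check described above can be scripted from Terminal. This is an added example, not part of the original article or any vendor tooling; the function names are hypothetical, and it assumes the ovid= string sits on a line of policy.txt as quoted in the article.

```shell
#!/bin/sh
# Added example, not vendor code. Function names are hypothetical; the
# paths and the ovid= string format are the ones quoted in the article.

# Print the first policy.txt found under an Applications root: the
# 10.3.1+ bundle name first, then the 10.0.x-10.3.0 name.
find_policy() {
    root="${1:-/Applications}"
    for app in "Encryption Desktop.app" "PGP.app"; do
        f="$root/$app/Contents/Resources/policy.txt"
        if [ -f "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# Extract the server hostname from the enrollment string in file $1,
# e.g. ovid=keys.example.com&mail=*&admin=1 (quotes and CRs ignored).
policy_host() {
    tr -d "'\"\r" < "$1" | tr '&' '\n' |
        sed -n 's/^[[:space:]]*ovid=\([^[:space:]]*\).*/\1/p' | head -n 1
}

# True if the hostname resolves. dscacheutil is the macOS resolver query
# tool; getent is only a fallback for running this off a Mac.
host_resolves() {
    if command -v dscacheutil >/dev/null 2>&1; then
        dscacheutil -q host -a name "$1" | grep -q 'address'
    else
        getent hosts "$1" >/dev/null 2>&1
    fi
}

# List com.pgp.* preference files still present (step 3 should leave none).
leftover_prefs() {
    find "${1:-$HOME/Library/Preferences}" -maxdepth 1 -name 'com.pgp.*' 2>/dev/null
}

preenroll_check() {
    policy=$(find_policy) || { echo "policy.txt not found"; return 1; }
    host=$(policy_host "$policy")
    [ -n "$host" ] || { echo "no ovid= entry in $policy"; return 1; }
    host_resolves "$host" || { echo "cannot resolve $host"; return 1; }
    echo "enrollment server $host resolves"
    left=$(leftover_prefs)
    [ -z "$left" ] || printf 'preference files still present:\n%s\n' "$left"
}

if [ "${1:-}" = "--check" ]; then preenroll_check; fi
```

Run the script with --check after step 3 and before launching the client; a "cannot resolve" result points at DNS or the hostname in policy.txt rather than at the client preferences.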

Caution: When Symantec Encryption Desktop clients are enrolled, entries are placed in the Mac OS X Keychain Access Utility. These entries include "PGP LDAP", "PGP Universal Auth Cookie" and a user entry of Kind "PGP Passphrase" (usually the name of this entry is the email address of the user enrolling). These entries are used for enrollment and for the passphrase that can be used during encryption of a drive. These entries remain, even after an uninstall of the software.

If re-enrollment is being done, it is also recommended to clear out all these entries before re-enrolling the client so they will be re-created from scratch. Not clearing these out may have unexpected results.