How to re-enroll a Symantec Mobile Encryption for iOS device to a Symantec Encryption Management server

Article ID: 157599

Products

  • Mobile Encryption for iOS
  • Encryption Management Server
  • Encryption Management Server Powered by PGP Technology

Issue/Introduction

You may need to re-enroll the Mobile Encryption device because it received a bad policy setting or it is not updating policy settings properly.

Please note that Mobile Encryption for iOS reaches EOS (End of Service) on 31 December 2020 and EOL (End of Life) on 31 March 2021.

Environment

  • Symantec Mobile Encryption for iOS.
  • Symantec Encryption Management Server 3.4.2 and above.
  • iOS 5 or iOS 6.

Resolution

The following text was taken from the Symantec Mobile Encryption for iOS User's Guide, Chapter 2:

Re-enrolling to a Symantec Encryption Management Server
To change your server settings, you can "reset" the account settings by re-enrolling. Use this option if you need to change the Symantec Encryption Management Server connection information.
Tip: You will need to re-enter the account settings. Be sure you have this information (server IP address, your user name, password, and so on) before you begin.
  1. Open Symantec Mobile Encryption for iOS.
  2. Tap Settings.
  3. Tap Account.
  4. Tap Reset Account Settings.

Enrollment Guidelines for Symantec Encryption Management Servers running in DMZ Mode, not hosting Private Keys:

Enrollment and policy updates succeed only against a server that hosts private keys. If users are allowed to enroll to a Symantec Encryption Management Server running in DMZ mode, unexpected consequences can occur. For more information on this behavior, and guidelines for this scenario, see article 165197.

Although enrollment and policy updates must not be initiated to or from cluster nodes that do not host private keys, these nodes can still be used to look up keys through the keyserver service. A preference can also be configured on Symantec Encryption Management Server to allow multiple keyservers to be used for key lookups if one of the nodes is unavailable.

As per the Symantec Encryption Management Server 3.4.2 Admin Guide, an XML configuration file can be used to add this additional keyserver.

To do so:

  1. Log in to Symantec Encryption Management Server.
  2. Click on the consumer policy applicable.
  3. Click on the General Edit button.
  4. Click on the Edit Preferences... button.
  5. For the Pref Name field, enter secondaryKeyserver.
  6. For the Value, enter the FQDN of the other Symantec Encryption Management Server that can be queried for keys in case the primary server is unavailable.
  7. Click Save, and update policy on the mobile device to pull down this new policy.

Caveat: Currently, the secondaryKeyserver option only works when a specific Encryption Server is always accessed as the primary; the client fails over to the secondary only if that primary node is unavailable. If node 2 is unavailable, there is no option to fail over to node 1.