
Creating System Images with Symantec Endpoint Encryption for FileVault


Article ID: 161835


Products

Endpoint Encryption

Issue/Introduction

Administrators can create a system image (also known as a golden image, master image, or base image) that includes Symantec Endpoint Encryption for FileVault for the Mac OS X operating environment, and later deploy that image to a large number of computers in a managed environment.

After the image is deployed, Symantec Endpoint Encryption Management Server (SEEMS) sees every computer that received the image reporting the same endpoint GUID. As a result, SEEMS creates only one entry for all of those computers and overwrites the recovery key, hostname, and IP address in that single entry as each of them checks in.

This article is intended for administrators who create system images with Symantec Endpoint Encryption for FileVault and deploy them to Macintosh client computers. It also gives administrators the background information and the initial setup needed to create and deploy the system images correctly.

Cause

Enterprise environments commonly use system images to configure computers to a pristine, working state. In some cases, Symantec Endpoint Encryption for FileVault is included in the image as an installed application so that it does not need to be installed separately later.

Symantec Endpoint Encryption Management Server (SEEMS) uniquely identifies each computer running Symantec Endpoint Encryption for FileVault in the managed environment in order to monitor the events taking place on that computer. For this purpose, Symantec Endpoint Encryption for FileVault creates an endpoint GUID, a unique identity for each Macintosh computer. This identity is recorded in SEEMS to create an entry for each computer. When Symantec Endpoint Encryption for FileVault sends an event to SEEMS, it includes its endpoint GUID so that SEEMS can determine the source of the event.

When a system image with Symantec Endpoint Encryption for FileVault is created on a Macintosh computer, the image contains the endpoint GUID that was generated for that Macintosh computer. When the image is deployed to multiple computers in a managed environment, the endpoint GUID in the image is applied to all of those Macintosh computers. Symantec Endpoint Encryption Management Server therefore identifies all of the computers by the same endpoint GUID, which leads to data communication issues.

Resolution

Before you install the system image, ensure that you set the environment variable GoldenImageInstall. When you deploy the system image, the installer detects that the environment variable is set and stores the Hardware UUID in the Macintosh computer's account preferences.

At launch, Symantec Endpoint Encryption for FileVault compares the stored Hardware UUID with the current Hardware UUID of the Macintosh computer to determine whether it is running from a deployed system image. If the Hardware UUIDs do not match, it creates a new, unique endpoint GUID, which is then used to communicate with Symantec Endpoint Encryption Management Server.

You must install the system image with Symantec Endpoint Encryption for FileVault using the Macintosh command line as shown in the following example:

sudo sh -c "launchctl setenv GoldenImageInstall 1; installer -pkg SEEInstaller-11.0.1.7342.pkg -target /"
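The following script is an added illustration of the Hardware UUID check described above, so that an administrator can see why a cloned machine ends up with a fresh endpoint GUID; it is not Symantec's code. The stored-UUID file location, the helper names, and the sample GUID values are assumptions.

```shell
#!/bin/sh
# Illustrative model of the launch-time check (added example, not Symantec's code).
# Assumed location where a golden-image install recorded the Hardware UUID.
STORED_UUID_FILE="${STORED_UUID_FILE:-/tmp/see_golden_image_hw_uuid}"

# Current Hardware UUID: IOPlatformUUID on macOS; a constructed placeholder on
# other hosts so the logic can be exercised anywhere.
current_hw_uuid() {
  if command -v ioreg >/dev/null 2>&1; then
    ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformUUID/ {print $4}'
  else
    echo "11111111-2222-3333-4444-555555555555"   # constructed value
  fi
}

# Fresh GUID, portable across macOS and Linux.
new_endpoint_guid() {
  if command -v uuidgen >/dev/null 2>&1; then uuidgen
  elif [ -r /proc/sys/kernel/random/uuid ]; then cat /proc/sys/kernel/random/uuid
  else od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
  fi
}

# Decide which endpoint GUID the client should report to SEEMS.
#   $1 stored Hardware UUID (empty if the golden-image install recorded none)
#   $2 current Hardware UUID
#   $3 endpoint GUID baked into the image
# Echoes $3 only when the hardware is the machine the image was built on;
# otherwise a new GUID, which keeps cloned machines from sharing one SEEMS entry.
decide_endpoint_guid() {
  stored="$1"; current="$2"; image_guid="$3"
  if [ -n "$stored" ] && [ "$stored" = "$current" ]; then
    echo "$image_guid"
  else
    new_endpoint_guid
  fi
}

# Simulated first boot of a cloned machine (constructed values).
stored_uuid=""
if [ -r "$STORED_UUID_FILE" ]; then stored_uuid="$(cat "$STORED_UUID_FILE")"; fi
image_guid="AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"   # constructed
chosen="$(decide_endpoint_guid "$stored_uuid" "$(current_hw_uuid)" "$image_guid")"
if [ "$chosen" = "$image_guid" ]; then
  echo "Hardware UUID matches the image source; keeping endpoint GUID $chosen"
else
  echo "Hardware UUID mismatch or none stored; new endpoint GUID $chosen"
fi
```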