About Invisible Silent Enrollment
Symantec Encryption Desktop (previously PGP Desktop) invisible silent enrollment eliminates screens for your users to navigate during enrollment with Symantec Encryption Management Server (previously PGP Universal Server). Invisible silent enrollment suppresses non-essential screens and uses default settings.
Considerations Before You Begin
Configuration Guidelines for Invisible Silent Enrollment
For specific instructions on making these configuration changes to the installer, see the Administrator’s Guide and related KnowledgeBase articles.
Forcing Separate LDAP Authentication
In some environments, the user needs to authenticate to SEMS with credentials other than their Windows password. In this case, the PGP_SILENT_FORCE_LDAP=1 setting can be used to force the display of the LDAP authentication dialog. Note: Symantec PGP WDE will still use the Windows credentials automatically; the LDAP credentials are used only for authentication to SEMS. When using PGP_SILENT_FORCE_LDAP=1, the PGPsso.dat file is still created whenever PGP_INSTALL_DISABLESSOENROLL=0; however, the file is not used.
About Installation Failure
The code is written to fail silently. This means that if the user is not able to authenticate to SEMS, nothing will notify the user. An error can occur for a variety of reasons. To troubleshoot, consult the PGPssoLog.txt file (located in the Windows TEMP directory, typically C:\Windows\Temp) and examine the log to identify the problem.
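Because a failed enrollment leaves no visible trace, an administrator needs a repeatable check of the log the article points to. The following PowerShell function is an added example, not part of the Symantec article or product; it assumes only that PGPssoLog.txt is plain text in the Windows TEMP directory, and the keywords it flags ("error", "fail", "denied", "unable") are a guess rather than a documented log format.

```powershell
# Added example: inspect the silent-enrollment log after an install.
# Assumption: PGPssoLog.txt is plain text; the match keywords below are
# not a documented format and should be adjusted after a real failure is seen.
function Test-PgpSsoEnrollmentLog {
    param(
        # The article places PGPssoLog.txt in the Windows TEMP directory (C:\Windows\Temp).
        [string]$LogPath = (Join-Path $env:SystemRoot 'Temp\PGPssoLog.txt'),
        [int]$TailLines = 20
    )

    if (-not (Test-Path -LiteralPath $LogPath)) {
        Write-Warning "No $LogPath found: the SSO enrollment step left no log to inspect."
        return $null
    }

    $lines = @(Get-Content -LiteralPath $LogPath)
    # Assumed keywords for lines worth a closer look.
    $suspect = @($lines | Select-String -Pattern 'error|fail|denied|unable' |
        ForEach-Object { $_.Line })

    [pscustomobject]@{
        LogPath      = $LogPath
        # Compare with the install time: a stale log means enrollment never ran.
        LastModified = (Get-Item -LiteralPath $LogPath).LastWriteTime
        LineCount    = $lines.Count
        SuspectLines = $suspect
        Tail         = @($lines | Select-Object -Last $TailLines)
    }
}

Test-PgpSsoEnrollmentLog | Format-List
```

Run it in an elevated session on the client after a silent install; the LastModified timestamp tells you whether the enrollment code ran at all, and the tail shows where it stopped.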
Implications of Using Different Key Modes than SKM
Invisible silent enrollment generates SKM keys only. Symantec recommends setting the client policy on SEMS to allow SKM mode only. Note, however, that using PGP_SILENT_FORCE_LDAP=1 does allow other key modes. In that case the key passphrase is set to the user's LDAP authentication password and never, under any circumstances, to the Windows password. Symantec Encryption Desktop will prefer GKM mode in this scenario if GKM is an allowed mode, but SKM remains the recommended mode.
Considerations and Constraints with Invisible Silent Enrollment
The feature does not work in the following situations:
Implications of Using Invisible Silent Enrollment with Smartcards
If you use smartcards to encrypt the drive, the installation is not completely silent. The user will encounter additional dialogs and will be prompted for a PIN. The user will not see an LDAP enrollment dialog, and the user's Windows password will be used to authenticate to SEMS (unless PGP_SILENT_FORCE_LDAP=1 is set). Note that using PGP_SILENT_FORCE_LDAP=1 together with forcing smartcards for Drive Encryption negates invisible silent enrollment, because the captured Windows password is not used for anything. However, as long as PGP_INSTALL_DISABLESSOENROLL=0, a PGPsso.dat file is still created.
Using the "Smartcard Enrollment" feature also negates invisible silent enrollment. In this case the Windows password is not used for anything: the user is authenticated to SEMS using smartcard credentials, and the drive is also encrypted to the smartcard credentials. This process is mostly silent and automatic except for prompting the user for the PIN. Smartcard enrollment also implies Smartcard Single Sign-On: the smartcard PIN is entered at the PGP BootGuard screen and the user is logged into Windows automatically.
See also: Enable Silent Enrollment for clients: www.symantec.com/docs/TECH149857