PGP Remote Disable & Destroy Best Practices


Article ID: 180981


Updated On:


Symantec Products




Q: What are the steps to activate the PGP Remote Disable & Destroy?

A: 1: First upgrade the Universal Server to 3.2 MP3 version.
    2: License the PGP RDD feature.
Q: What happens if I delete a user from the Universal Server.

A: You cannot delete users with Intel Anti-Theft-activated computers from the Users list, nor activated computers from the Devices list. When you delete users, all user records are lost. The next time the computer tries to rendezvous with PGP Universal Server, authentication fails and the computer locks. You will not be able to recover the laptop without the PGP RDD recovery passphrase, which is also deleted with the user records, unless you previously exported it. Before you delete an AT Activated user or device, you must deactivate and decrypt the computer.
Q: What is the best network placement for the PGP Universal Server when using Intel Anti-Theft?

A: To make it easier for PGP Universal Server and computers with Intel Anti-Theft to communicate, place PGP Universal Server in the DMZ. If PGP Universal Server is in the DMZ, computers can rendezvous using only an Internet connection and do not require VPN access to your network. Placing PGP Universal Server in the DMZ also makes it easier for administrators to shut down stolen computers, because if PGP Universal Server is in the DMZ the computer only needs to be connected to the Internet. If PGP Universal Server is inside the corporate network, the computer also needs to be connected to the corporate network for the administrator to shut it down manually. However, a stolen computer that does not connect to the network will still be marked stolen and shut down based on the Disable Timer policy.
Q: What if I have multiple users for a single machine?

A: If there are multiple users for a single computer, it is important that all users belong to the same consumer group and receive the same policy. Having different PGP Remote Disable & Destroy policies applied to the same computer can cause problems, particularly if not all the users have PGP RDD enabled as part of policy. If each user's PGP RDD policy is different, the PGP RDD policy with the shortest rendezvous timer value applies.
Q: How can I view or manage the Intel Anti-Theft status?

A: The PGP RDD > All Systems page displays information about all client computers, including each computer's Intel Anti-Theft status.

·         AT Activated. Computers on which Intel Anti-Theft is currently activated, and which are not marked stolen.
·         AT Deactivated/Decommissioned. Computers on which Intel Anti-Theft has been turned off. Decommissioned computers are still encrypted, but the status is AT Deactivated. Deactivated computers are both decrypted and AT Deactivated. Computers that do not support Intel Anti-Theft and do not have PGP RDD-enabled consumer policies are also listed as AT Deactivated.
·         Stolen. Includes computers marked stolen by the administrator, and computers that locked when the Disable Timer expired and the Platform Disable policy triggered. Stolen computers are locked and cannot be unlocked without assistance from the administrator.
·         Unsupported. Computers that do not support Intel Anti-Theft Technology. Computers that do not support Intel Anti-Theft and do not have PGP RDD-enabled consumer policies may be listed as AT Deactivated, instead of Unsupported.

You can change AT Activated computers to Decommissioned or Stolen. You can also change Stolen computers back to AT Activated as part of the recovery process. When you change the status, it appears as pending until the next time the computer completes a rendezvous.
AT Activated
Q: What are the best practices if I want to use PGP in a cluster?

A: In a cluster, enable PGP RDD service on the node in the DMZ.
PGP RDD data in the cluster is replicated in the same way as all other data.
You must enable PGP RDD on all cluster members, because there is no way to control which cluster members receive PGP RDD data.
Do not later disable the service on any node. Activated computers always attempt to rendezvous with the cluster member with which it originally activated, so if that cluster member is down, rendezvous fails. If you do need to disable PGP RDD, reenable it as soon as possible to prevent the Rendezvous and Disable Timers from triggering and possibly leading to locked computers.

Q: What client platforms are supported with PGP RDD?

A: Currently we support the following client platforms.

·         Windows XP SP3 32 bit
·         Windows XP SP2 64 bit
·         Windows 7 32 bit
·         Windows 7 64 bit
·         Windows Vista 32 bit
·          Windows Vista 64 bit