Symantec Encryption Management Server: What is the difference between User Last Use and Device Last Seen?


Article ID: 181768


Updated On:


Drive Encryption Encryption Management Server




There are two values on the Symantec Encryption Management Server which provide an idea for how often a user or device will check in, indicating if the user is active or not.

When clicking a user account on Symantec Encryption Management Server under Consumers >> Internal Users, on the main user overview page, there is a value, "Last Use" and lists a timestamp.

Last Use correlates to when the user last updated policy on the server if the user has Symantec Encryption Desktop on the system.  Last Use will also get updated, whenever a user sends an email message through the Symantec Encryption Management Server.

If users are not downloading policy, or sending email through the Symantec Encryption Management Server, then this value will not change.  The next time the user downloads policy for the Symantec Encryption Desktop client, this value will be updated.  If the user has not client, but Symantec Encryption Management Server is in the mailflow, this value will get updated, the next time the user sends an email through the Symantec Encryption Management Server.


How often a user updates policy depends on what value is set in Consumer Policy for "Download policy updates from Symantec Encryption Server Every...".  If this value is set to download policy every 12 hours, then the client will only update policy every 12 hours, unless a manual policy update is initiated.  Even if a system is rebooted, or if a user logs off the system, or exits the services, policy will not be updated before this 12 hours is up.

The other value Symantec Encryption Management Server keeps track of for check-in events is the Last Seen value for the device.  Upon clicking a user, and then device for the user, the main device interface is displayed.  Last Seen will show a timestamp for when the Symantec Encryption Management Server last received Drive Encryption data from the client.  This value can get updated each time the client sends logging data to the server, as well as whenever a system is rebooted.

The value in Consumer Policy that can control the behavior of the Last Seen timestamp is also under Consumer Policy, called "Send client logs to Symantec Encryption Server every...".  If the client logging interval is set to 12 hours, then the client will not send any logging data to the server until 12 hours has passed.  The exception to this is when a system that has been encrypted with Symantec Drive Encryption has been rebooted.  Upon logging in after a reboot, Symantec Drive Encryption will do a WDRT Health Check to ensure the WDRT uploaded to the server is valid.  When this is done, this will also update the Last Seen value for the device.

If any Drive Encryption events take place, such as encrypting a drive, pausing encryption, decrypting a drive, adding a user to the Whole Disk User Access list within Drive Encryption, using a WDRT, these events will be recorded in the PGPlog.dat file located in %appdata%\PGP Corporation\PGP.  If 12 hours has been configured for sending logging data, then these logging events will accumulate in this file and the size will increase.  When the 12 hours has been reached, the client will then send this logging data to the server, thus updating the timestamp for the Device Last Seen value.

If "Options" is enabled via the Symantec Encryption Desktop icon in the system tray, under the General Tab with the software will show the last time the client updated policy, as well as the last time logging data was sent to the server.

These two timestamps within Symantec Encryption Desktop Options that control this timestamp can also be seen in the PGPprefs.xml file as:







These timestamps are using Unix convention, and must be converted with any of your preferred utility.  Online tools exist to convert unix timestamps as well.