Symantec Endpoint Encryption (SEE) has the ability to encrypt drives with Connectionless recovery, as well as encrypt removable media and is managed by the SEE Management Server. Policy can be managed either via GPO, or through "Native SEE Policy". The Native SEE policy allows for the easiest management of policy and can be done all on the centralized server. In addition to these features, Symantec can encrypt Removable Media devices, such as Blu-ray disks, USB drives, and others with strong encryption.
This article will cover the general process to create the SEE Client from the SEE Management Server and will offer some tips and tricks.
This article will also link you to other topics related to this to help you in your deployment process.
Important Note: This article is meant for the MMC Client Creation method, which is no longer recommended.
We now recommend using the SEE 12 Web Portal for client creation, which makes it much easier to use.
For help creating the SEE Client in SEE version 12 and above, see the following article:
276501 - Groups, Policies, and Client Creation with Symantec Endpoint Encryption version 12
If you still need to use the SEE 11.4 server to create clients, this article will guide you through the process.
The SEE Management Server is where the SEE Client is created. When logging in to the server, you look for the "Symantec Endpoint Encryption Software Setup" option.
From here, you will have the ability to create a Windows installer, or a Mac FileVault client installer.
In this example, we will create a client for the Windows platform. To do so, you will click on the "Windows Client" option from the server shelf:
When you click on this option, you'll be presented with the following choices:
The option for "Drive Encryption" will provide you with the capabilities to be able to use the SEE Native Encryption, which will provide you with a wealth of options.
The screen below show you the "Preferred Policy Group" options, which will come in to play when the SEE Client checks in with the SEE Management Server:
As you can see, there are several policies here to choose from from the list:
DE Recovery Disabled
All of the above policies were added as custom Policy Groups and correspond with actual Policy Groups on the SEE Management Server that can be viewed:
The only Policy Group listed here by default is "SEE Unassigned", which is the default policy for the SEE Client.
Each of the Policy Groups are assigned a particular policy. In this example, we have created Policies to correspond to each of these:
It is not necessary for you to have a policy for each Policy Group, and you can have multipe Policy Groups that correspond with the same Native Policy.
For example, I can associate the "LockoutPolicy" Native Policy to the "Regular Policies" AND the "Lockout" Groups in this example.
Machines are then assigned to each of the Group Policies, and whatever Group Policy the machine is associated to, the corresponding Native SEE policy will be applied.
This is important to understand because it will come in to play as you create the SEE Client.
In this example, when we create the SEE Client, we will assign the Preferred Policy Group as "LockoutPolicy":
This means that when the SEE Client checks in with the SEE Management Server, the machine will match the "LockoutPolicy" Preferred Policy Group, and will then apply the SEE Native Policy tied to this group.
In this example, we have the "Lockout" policy assigned so all the settings for this policy will then take place here when your client checks in.
When you build the SEE Client, all the policies you create will be considered "Local Policy". This means that when the SEE Client is installed, it will not need to talk to the server to apply these policies.
When you the client checks in with the server, it will automatically be associated to the "LockoutPolicy" Group, and then download the policy assigned here.
One other important aspect to realize here is the way the SEE Client communicates with the server is via a Windows Authentication credential:
In this example, the "Name" field is for an actual Windows account that exists in the Active Directory. The "Password" field corresponds to the password of this user. In this case, the user is "user1".
When the SEE Client is built, this account is embedded into this account and the communications URL "Server" field is the location where the SEE Client will communicate. It will connect to this URL.
For more information and troubleshooting tips on this topic, see the following article:
IMPORTANT NOTE: Windows Authentication as described above is no longer recommended. Instead, OAuth should be used, and does not have the limitations Windows Auth uses.
For more information on this, see the following article:
After this screen, you will be going through all the policy settings possible for the SEE Client. All the settings configured will be applicable at the time of install. Once the client checks in, the policy on the server will then take precedence.
In other words, the Server policy will always take priority over the policy that is built in to the client.
Once the client creation wizard has completed, you will be provided with an MSI file. This is a standard MSI.
When you install this client on a system, it will require a reboot. You can suppress the reboot and reboot later if this is required, but Symantec recommends rebooting directly after the install if you can.
Once the system has rebooted, even if you don't login to the system, the SEE Client will start encrypting the drive. This is great to get the system ready for a user who hasn't logged in to the system.
As long as nobody logs in to the system, there is no preboot screen. Once someone logs in, the user is registered, and the preboot screen will engage.
At this point, any policies that are pulled down from the server will then be applied to the client.
Include a Delayed Reboot feature when deploying the SEE client to machines
If you would like to be added to this request so that post install, the SEE Client will delay for X hours/days, contact Symantec Encryption Support.