Symantec Endpoint Encryption Policy Configuration Options and Considerations

Article ID: 237667

Products

Endpoint Encryption, Desktop Email Encryption, Drive Encryption, Encryption Management Server, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

Symantec Endpoint Encryption Clients can be configured with two different policy options:

Method 1: SEE Native Policy

Method 2: Group Policy, or GPO

This article will go over each of these methods and how they are beneficial.

Resolution

Symantec Endpoint Encryption Management Server will be able to manage the machines where the SEE Client is installed. 

When the SEE Client is installed on a machine, the server can then manage the policies assigned to that machine. There are two different methods for handling these policies:

Method 1: SEE Native Policy (Recommended) - The SEE Native Policy is the best way to manage the SEE clients due to the ease with which you can match machines to groups; each group is then associated with a SEE Policy.

It's easy to create a group on the SEE Management Server and once you do, you then assign a policy to it.

When you open the SEE Management Server console, you'll see the "Symantec Endpoint Encryption Users and Computers" node:

Expand this and you can create the different groups to which machines will be assigned.

You will also want to check out the "Symantec Endpoint Encryption Native Policy Manager":

This is where you will be creating separate SEE Policies. Once you have a Policy created, you can right-click on the group you want machines to show up in and then assign that group to a policy.

When you build the SEE Client, you can specify the policy group the SEE Client will automatically show up in by default.

For more information on how to select different policy groups with the SEE Client Creation Wizard, see the following article:

214037 - Symantec Endpoint Encryption Preferred Policy Group Assignment

As mentioned, this is the easiest way to group users, because you can very easily find out which machines show up in the Group and then easily know which policy is assigned to the group.

Important: This is the recommended way to use the SEE Policy and if you are using this option, make sure to delete any entries you may have listed for "AD Sync" in the SEEMS Configuration Manager.


How does the SEE Client Obtain Policy?

When the SEE Client is created, there are "Local Policies" that are built in to the SEE Client.  If the SEE Client does not communicate with the SEE Management Server, then these policies will be enforced "Locally".
As soon as the SEE Client checks in with the SEE Management Server, the "Local Policies" will be superseded by the Server policies that are configured.  

When the SEE Client "Checks in" with the SEE Management Server, the policies are downloaded (Pulled) from the server and are added to the policies on the client machine.  The Local policies will no longer be used, even if the SEE Client cannot communicate with the SEE Management Server.  

When the SEE Native Policy is being used, the configuration is simple and it will pull the policy from the server each time it "Checks in" to the server.

This policy option is also recommended because, as the SEE Management Server Administrator, you do not need ownership of, or the ability to modify, Active Directory policies; everything can be managed directly from the SEE Management Server itself.

Method 2: Group Policy, or GPO

The Group Policy method is more difficult to configure and control if you do not have full access to the Active Directory infrastructure. For example, you need to be able to edit the AD policies any time you want to change the SEE Policies. Because this is a requirement, and most environments need special change-control approval to make such changes, this method is recommended only if you need to manage the SEE policies via the GPO itself.

The way this works is you edit the GPO in the Software settings and drill down to the SEE Policies to assign.  If you ever want to change the settings, you would modify the GPO itself.  For the SEE Client to "Pull" down the policy, a "gpupdate" operation would need to complete.  

In this paradigm, even if the SEE Client checks in with the server, this does not modify the policy itself; a gpupdate is required to pull down the policy via the domain controller policy. Check-ins are used simply for the "Lockout" functionality. For more information about the lockout functionality, see the following article:

214020 - Symantec Endpoint Encryption Lockout Monitoring feature

Important: To use GPO to manage the SEE Policy, you need to make sure you have added an "AD Sync" entry for your directory in the SEEMS Configuration Manager.

Additional Information

243136 - Migrating to Symantec Endpoint Encryption Policy Methodologies to SEE Native Policies (From Active Directory Policies)

214037 - Symantec Endpoint Encryption Preferred Policy Group Assignment

237667 - Symantec Endpoint Encryption Policy Configuration Options and Considerations

214020 - Symantec Endpoint Encryption Lockout Monitoring feature
