Symantec Endpoint Encryption Management Server is a centralized server that has the capability to manage individual endpoints using the SEE Client. The SEE Client can encrypt machines as well as devices and all of this is controlled via policy. There are two methods to control the policies and this article assumes you have already gone through the two methods available. If you would like to become more familiar with these methods, see the following article:
237667 - Symantec Endpoint Encryption Policy Configuration Options and Considerations
This article will focus on switching from the more complicated "Active Directory Policy Method" (Method 2 in the article above) to the more simple and seamless method of "SEE Native Policy" (Method 1 in the article above). Symantec recommends using SEE Native policy for ease of use and easy control and visibility.
To first determine if you are using AD Sync, or "Active Directory", first open the SEEMS Configuration Manager.
To do so, click the Start menu, then look for Endpoint Encryption, and look for SEEMS Configuration Manager:
Once open, click on "Active Directory" to see if any items are listed.
As you can see below, "sr388.dom" is listed, and this means AD Sync or Active Directory is enabled, and this means GPO Policy is being used for SEE.
As can be seen above, with AD Sync enabled, all the SEE Policies will be managed via Active Directory GPOs. This means that in order to manage or modify them, you need to have read/write access to the policies. This is often not provided for typical administrators, so modifying these policies requires additional work with those administrators who do have the permissions. For this reason, we recommend using the "SEE Native" policies rather than GPO policies.
This makes managing policies, and making any modifications to policies much more flexible, assuming the proper Server Roles is provided.
As you can seen in the screenshot below, the user "Kyle" has only the "Policy" role, which would allow this administrator to make changes to policies:
As you can see above using GPO to manage SEE Policies is much more difficult.
The below screenshot is what the GPO policies look like for a particular policy:
If you are using GPO policies, you can see that to make these changes, you must be able to edit the GPOs themselves, so using SEE Native Policies will make things much easier.
Switching from GPO to SEE Native Policies greatly reduces administration overhead and effort. It is much easier to manage these policies as they are directly visible in the UI for the SEE Management Server, rather than having to drill down into actual GPOs within Active Directory. Something else that will help ease administration and help reduce complexity is to use Open Authentication with the SEE Client (OAuth). To do this, see the following article:
243136 - OAuth Communications with Symantec Endpoint Encryption 11.4 and above
Switching from Windows Auth to OAuth does require deploying a new SEE Client to be able to do this, but if you are going to be upgrading the SEE Client to the environment, this is an excellent opportunity to make this switch.
Due to all of the above, Symantec recommends using the SEE Native Policies instead, which will make your management of the SEE policies much more visible and obvious.
Important Note: Even though you will be removing your directories from your environment, this does not remove AD Management capabilities. The SEE Management Server will still be able to find your SEE Administrators for proper Server Role Integration and your SEE Clients will still be able to get policies--this simply removes the capability to manage the policies via GPOs, which is typically much more difficult to achieve.
To be able to switch from GPO policies to SEE Native, first review the current policies you are enforcing in your environment. Once you have a good idea of how this is done, you will want to create new policies for the SEE Native Policies.
First, right-click on "Symantec Endpoint Encryption Native Policy Manager, and click Create New Policy:
This will allow you to configure your policies to match what you've been using with GPO policies.
You can create multiple policies if you want to have additional policies, such as a policy to enable Autologon, or a policy to disable Autologon, or a SEE Bitlocker Policy, etc.
As you can see in this scenario, we have the following SEE Native Policies already created:
As a result, for ease of use, we recommend creating Groups with the same names, and then you can associate these policies with your groups.
In this example, we will use the following groups:
In this example, we will associate the "Regular Policies" policy with the "Regular Policies" Group.
To do this, right-click the Group, and then click "Assign Policy to Group":
After you do this, you'll see the "Regular Policy" policy. Click on this, and then click OK:
Once you have done this, you now have a SEE Native Policy configured to match your GPO SEE Policies, and you have a policy mapped to a group.
The next thing to look at is the "SEE Unassigned" policy. This is the "Default" policy that all older versions of SEE Clients would be assigned to. We recommend to right-click SEE Unassigned and then assign a policy you would like all machines that may go to this group to be assigned to. You can assign multiple groups to the same policies, just keep in mind that it's a good idea to make sure the SEE Unassigned Group has a policy before you switch to SEE Native, in case SEE Clients get mapped to this group.
Note: SEE Clients version 11.3.1 and above have the ability to designate a SEE Client Preferred Group policy so that once installed, the machine will be automatically assigned to the group in question. For more information on this, see the following KB:
214037 - Symantec Endpoint Encryption Preferred Policy Group Assignment
Now with the SEE Unassigned Group configured with a policy, or any other Groups have been associated to any of your custom policies, you should be ready to move forward switching from GPO SEE Policies to "SEE Native Policy".
In the screenshot below, each of the groups are associated to the policy of the same name. The SEE Unassigned Group is configured with the "Regular Policies" Group, but any policy can be used:
Once all of the above has been done, open the SEEMS Configuration Manager and click on Active Directory to see your existing AD entry:
To switch from GPO policy management for SEE policy to the recommended method with SEE Native, simply click the red "x" for the directory listed.
You will get the following message to confirm (sr388.dom is the directory in this example and will be specific to each location):
Once you click OK, and then Save, you will have been switched to SEE Native.
Close the SEEMS Configuration Manager, and then re-open it and click on Active Directory to ensure you no longer have the directory listed that was previously being used.
In this screenshot below, you can see that there are no directories listed any longer, which is what we wanted:
Now you can close the SEEMS Configuration Manager.
Next, open your SEE Management Server Console and then click on the "Symantec Endpoint Encryption Managed Computers".
As the SEE Clients check in, they will be put into policies that are applicable to the SEE Client that was used for the endpoints. In this example, the clients are going to the SEE Unassigned group.
If you would like to then move these machines to a different group, simply highlight the systems in question, and click "Change Group", and then select the group you would like the SEE Clients to then be part of:
Now you are successfully switched from GPO Policy to "SEE Native Policies" and all management can now be done within the SEE Management Server console itself.
Caution: Once you switch from GPO policy to SEE Native Policy, do not re-enter any information on the Active Directory tab. This effectively switches back to GPO policy and this can cause the policies to get assigned unexpectedly. Then if you switch back to SEE Native, the client machines will end up in the original Group Policy, and you may need to move machines around again.
TIP: If you find that all of your systems are going into the "SEE Unassigned" Group, and you would like to have them appear in a new group, but there are too many machines to move manually, reach out to Symantec Encryption Support for further guidance (EPG-27456).