Disable Opal in SEE Policy to enforce SEE Native Drive Encryption functionality


Article ID: 261166


Products

Desktop Email Encryption

Issue/Introduction

Symantec Endpoint Encryption (SEE) can perform Drive Encryption on machines and offers a rich feature set, including "Connectionless Recovery" and dynamic SEE Client Admins. Other encryption solutions can also be managed from the SEE Management Server, but they do not come with the feature set that the SEE Native product provides.

In some cases, if the Opal option is checked in the policy, the system may automatically perform what is called "Hardware Encryption", which applies to Opal drives only. In this case a recovery key is sent to the server, and the major disadvantage is that the client must be able to send that encryption recovery key to the server. With SEE Native, "Connectionless Recovery" means the recovery capability is built into the SEE Management Server database, which is unique to your installation.

One indicator that you are trying to encrypt a machine with SEE Native but encryption will not start is the following message when you issue a "Server Command" from the SEE Management Server to encrypt the system:

"1 of the selected endpoints cannot execute this command due to one or more of the following reasons:
*They do not have Drive Encryption installed.
*They do not support server commands.
*They have one or more Opal drives.
*They are encrypted using Apple FileVault or Microsoft Bitlocker
*They have one or more unmanaged drives
Do you still want to issue the command to the other endpoints?"

This article will help you to ensure that Opal is not used, so that the feature-rich SEE Native Drive Encryption is used instead.

Resolution

First, locate the SEE Policy that is associated with your groups. You may have multiple groups, and one particular policy may be associated with many groups. It all depends on how you have things configured, but in this scenario we will modify one policy called the "SEE Native Drive Encryption" policy:

When you open this policy, click the "Next" button until you arrive at the Opal screen:

If the "Hardware Encryption" (Opal) option shown above is selected, uncheck it to ensure that SEE Native Drive Encryption is preferred:

Next, click on "Finish" to save the policy:

Warning: You need to click through every screen in the policy to make this one setting. Be very careful not to change any other settings.

Once this change is saved, it takes effect for all groups associated with this policy.

Any machines in the groups associated with this policy will now always prefer SEE Native Drive Encryption, ensuring that these rich features are available to you.


TIP: If you have a system that is already encrypted with Opal, unfortunately there is no method to decrypt it from the SEE Management Server (another advantage of the SEE Native Drive Encryption feature set).

One hint that a machine is encrypted with Opal is that when you send an encrypt command to the machine, the following message appears:

"1 of the selected endpoints cannot execute this command due to one or more of the following reasons:
*They do not have Drive Encryption installed.
*They do not support server commands.
*They have one or more Opal drives.
*They are encrypted using Apple FileVault or Microsoft Bitlocker
*They have one or more unmanaged drives
Do you still want to issue the command to the other endpoints?"


Instead, you will need to go to the machine in question, open the SEE Client Admin UI, and click the "Decrypt" option.

Once you are on that machine and the updated policy is in place on the server, click the "Check In" button in the SEE Management Agent to pull down the new policy, then decrypt, then reboot the system.

Within 15 minutes the system should start to encrypt with SEE Native.


If this still happens and you know the system is not encrypted with Opal, Bitlocker, or SEE File Vault, capture a full SymDiag dump and provide it to Symantec Encryption Support for further review.