PGP Desktop Drive Encryption and Single Sign-On (Symantec Encryption Desktop)
search cancel

PGP Desktop Drive Encryption and Single Sign-On (Symantec Encryption Desktop)

book

Article ID: 262549

calendar_today

Updated On:

Products

Desktop Email Encryption Drive Encryption Encryption Management Server Endpoint Encryption File Share Encryption Gateway Email Encryption PGP Command Line PGP Key Management Server PGP Key Mgmt Client Access and CLI API PGP SDK

Issue/Introduction

PGP Desktop (Symantec Encryption Desktop) has the ability to encrypt the entire drive, sector-by-sector and provides world-class drive encryption.  In order to boot a system up, the preboot screen must first be authenticated by registered users.  Once the preboot screen is authenticated, the system will boot up.

Depending on the type of user used to authenticate, the system may automatically login to the user's Windows profile or may not.

This article will cover how Single Sign-On will work in these various scenarios.

 

Note: The Single Sign-On feature is a useful feature that can be leveraged to enforce PGP Desktop's passphrase quality alignment with your corporate passphrase quality requirements.

Resolution

This article will cover several scenarios for Drive Encryption and Single Sign-On:

 

There are three options for Single Sign-On:

Allow - Lets your users decide whether or not to use SSO.

Force - Requires them to use SSO.

Deny - Prevents them from using SSO.

 

 

User Experience 1 - Force



To enable this, login to the PGP Server and find the Consumer policy the user is associated to.


If you're not sure which policy the user belongs to, find the user in Consumers, Users, then Internal Users, and click on the user.
Then expand the user and click on Groups to see the Effective Group Policy.

In this test, we have a user called "Bobby":

As you can see, Bobby is part of a group called "Everyone".  Click on Everyone, and you will be taken to the group.
Then you'll see the Consumer Policy associated to the user. 

In this scenario, you'll see "Default" is listed, click it to be taken to the actual consumer policy for this user:

Click on the "Desktop" settings, then Drive Encryption to review the settings:

Once you are here you'll see the options available.  For this scenario, we will be looking at the "Force" option:

 

When you select this option and save, the first time a PGP user encrypts the disk, the following screen will pop up:

Clicking Next, the user is then "Forced" to enter their Windows password:

If the user enters a non-windows password above, they will receive an authentication error until the proper Windows password is entered.

This password will be used to register the user for the Preboot experience. 

Once the proper password is entered, the user will then see Drive Encryption start on the system:

When the user reboots, the user will be prompted to enter the passphrase.  Since we chose "Force" in this scenario, only the Windows passphrase will be accepted.

Once authenticated successfully, the system boots up, and the user is automatically logged in to their Windows profile.

 

Important Note 1: When the user's Windows password changes per password rotation policy, this will be automatically synchronized to the Preboot so the new password can be used at preboot.
When the user enters the new password, this will subsequently allow automatic login to the Windows profile.

Important Note 2: If you wish to have the password automatically synchronized when the user changes their password per the organizations password-rotation policy, but you do *not* wish to have the system automatically logged in to their Windows account, this automatic Sign-On functionality can be disabled with the user of a parameter called "DISABLEWDESSO". 
When the DISABLEWDESSO option is enabled, when the user changes their password, this will be synchronized to the preboot screen, but the boot process will stop at the Windows Login screen.  
The user then enters their Windows password to login. This means the user will need to enter their password twice after preboot.

For more information on this DISABLEWDESSO functionality, see the following article

180167 - HOW TO: Disable the PGP Single Sign-On auto-login feature for PGP Desktop (Symantec Encryption Desktop)

 

If you do a listing of the user via the command line, you will see there is an "S" marker next to the account, indicating "SSO":

 

Changing SSO Options:
If the you later decide you want to change from a SSO User or Passphrase user, you will first change the policy the option desired.  Then the existing user account for the user must be deleted. 

Once the PGP Desktop services are restarted, the user will be prompted to create a new account for that specific option selected.  The reason the initial account must be deleted is the same username cannot be registered in PGP Desktop.

 

User Experience 2 - Deny



To enable this, see "Experience 1" above for the basic flow, and then select the option to "Deny"

When Deny is used, the following screen will pop up for the user:

The username is not displayed at this stage, but it will, indeed, register "Bobby" for this scenario.

Bobby can then enter any passphrase desired (even Bobby's existing Windows password).

The drive will start encrypting once accepted:

 

 

Once Authentication is successful at the preboot screen, the machine will boot up, but the user will *not* be automatically logged in to the Windows profile.

Important Note: When the user's Windows password changes per password rotation policy, this will *not* automatically synchronize to the Preboot screen.
The the old/existing password must be entered at the preboot screen before it will boot up.  The user will then need to manually change the password if desired.

Because the password is not automatically rotated, "User Experience 1 - Force" is recommended so that users will have only Single Sign-On experience for ease of use and automatic password synchronization.

 

When listing the user via the command line, you can see there is no SSO option listed next to the account, indicating this is a "password-only" account:

 

Changing SSO Options:
If the you later decide you want to change from a SSO User or Passphrase user, you will first change the policy the option desired.  Then the existing user account for the user must be deleted.  Once the PGP Desktop services are restarted, the user will be prompted to create a new account for that specific option selected.  The reason the initial account must be deleted is the same username cannot be registered in PGP Desktop.

 

 

 

User Experience 3 - Allow

 

The above two options, Deny and Force, will force the user into one method of preboot password management or the other.  The "Allow" option lets the user choose which option they want to use.

The policy on the PGP server can be configured to Allow, and then users will have the ability to do one or the other, however, the "SSO" option is favored as you will see:

 

When Drive Encryption beings, the user will see the following screen.
The difference with Allow, is the user can choose to close the "Create Single Sign On User" dialog box:

 

 When the user closes the "Create Single Sign On User" dialogue box, the "Password Only" option appears:

 

The user may not realize that both of these options can be chosen initially, so this happens only when the first screen for SSO is declined and closed and then this window will appear.

Depending on which option the user goes with, the preboot behavior will then follow as specified in the User Experiences 1 and 2 above.

Changing SSO Options:
If the you later decide you want to change from a SSO User or Passphrase user, you will first change the policy the option desired.  Then the existing user account for the user must be deleted.  Once the PGP Desktop services are restarted, the user will be prompted to create a new account for that specific option selected.  The reason the initial account must be deleted is the same username cannot be registered in PGP Desktop.

 

Additional Information

Note: If you change the Single Sign-On setting on a group policy or re-assign a user to a new policy with a different setting, the change is not reflected on the user's end. Users continue to sign in once or more than once, based on the original Single Sign-On setting for their group.

Note: If you choose to prevent Single Sign-On, silent enrollment is disabled, even if the Enable Silent Enrollment feature (on the General tab of the Symantec Encryption Desktop section) is enabled.

180167 - HOW TO: Disable the PGP Single Sign-On auto-login feature for PGP Desktop (Symantec Encryption Desktop)