Groups, Policies, and Client Creation with Symantec Endpoint Encryption version 12

Article ID: 276501

Products

Endpoint Encryption, Drive Encryption, Encryption Management Server

Issue/Introduction

Starting with Symantec Endpoint Encryption version 12, Groups, Policies, and the SEE Client can all be created and managed through the new SEE Web Portal. This article discusses this functionality.

Resolution

 

Section 1 of 3: SEE Policy Configuration via Web Portal

 

Step 1: First, to access your Web URL, log in to the Windows Server where you just installed the SEE Management Server, and click the Start menu.

Step 2: Next, under "Symantec Endpoint Encryption", you should see "SEE Management Console".  Clicking this will open the new web portal:

 

Step 3: Once you log in, if you see the message "Upload a license to protect your sensitive data.", see the following articles to help you find and license the SEE 12 Server:

206503 - How to find your license number for Symantec Encryption products (Look at Section 1)

276507 - How to: Enter your License information for Symantec Endpoint Encryption version 12

 

Step 4: After you have logged in, if this is an upgrade, you will see that all of your SEE Native Policies were migrated to the new version and should now be presented to you under the Policies tab:

Preexisting policies will remain, and you can continue to use them as they were in previous versions of SEE.


Step 5: In SEE 12, you can create policies within the web portal here by clicking on "Create Policy" on the top-right portion of the screen:

You can then give the new policy a name and a description:

Step 6: You will notice on the left side of the Policy screen each of the sections of policies.  In SEE 12, you can now click on each category to configure the policy.

This allows you to make a single change in the policy. Once you're done editing the policy, you can click "Save & Finish".

Notice for Completion of Policies: This article will not go over all of the components of policy, but make sure you visit each component. 
If you don't change any of the settings, the default settings will be applied, which may not be the desired outcome.

For example, if you do not enable Autologon, it will be completely disabled via policy. 

We recommend Autologon be enabled in order to assist you in Windows Feature Updates, which can skip the preboot screen after each reboot:

 

For more information on the Autologon feature, see the following article:
213085 - Enabling or disabling Autologon for Symantec Endpoint Encryption using Advanced Settings


Additionally, the "Advanced Settings" is a particularly useful feature that is not commonly used, but most certainly should be:

Step 7: Once you have completed your policy and saved the settings, you are ready to assign it to a group. Before we do that, we will discuss groups.

 

 

Section 2 of 3: SEE Groups via Web Portal

 

Like Policies, preexisting Groups will be migrated over from previous versions of SEE and will show up under the Groups tab in the Web Console:

Step 1: On the left side of the window you will see each of the policies that came from the previous versions and were brought over during the upgrade.

In this example, we'll create a new group, which can be done simply by clicking the menu icon under "SEE Managed Groups":

Step 2: You can see "New Group" was created. Click the pencil icon to give the group a new name:

Step 3: Now we have a new Group called "SEE 12 Group" and you will notice there is "No policy assigned".  We will now assign our policy to it.

To do this, simply click the "Assign Policy" option on the top-left portion of this screen:

Step 4: Once "Assign Policy" is selected, the following window will appear. We will select the "SEE 12 Policy" that we created previously, and click "Assign":

The following message will appear: 

Step 5: Now in your Policies list, you can see the SEE 12 Policy, and that the SEE 12 Group has the policy assigned.
When viewing your Groups, you can also validate the proper groups were assigned.

For preexisting Groups, you can see they were migrated over and should continue to show the corresponding policy:

 

Step 6: Now that you have created a new Group and Policy, and validated that preexisting groups were migrated, you are ready to create a new SEE 12 Client.

 

 

Section 3 of 3: SEE 12 Client Creation via the Web Portal



The first step to creating the client is to determine which policy you would like to build from.  With SEE 12, you will have only a few steps to make this happen.

In this example, we will build the SEE Client based on the SEE 12 policy we created and fully configured.  

Important: As mentioned above, it is important to make sure you have fully configured the SEE Client policies before creating the client.  

Step 1: You may have noticed under the Policies tab the "Create Client Package" was listed on the top-right portion of the window:

Once you have clicked on this option, the following screen will appear:

Step 2: For this example, all of the options are selected, but you can uncheck items as needed. 

We will then select the "SEE 12 Policy" from the list to use for the client creation:

Step 3: In the following window, you'll notice the SEE Management Server hostname "seems1", and then the "Server URL" of "seems1.example.com/SEEIdentityServer".

This URL uses OAuth communications only.  SEE 12 will not accept a Windows authentication parameter to be built in to the SEE Client.

This is good for many reasons, but the main reason is it can now use secure tokens to authenticate the clients properly with no user intervention, and no password expirations.

This also means that it is very important to configure TLS for the SEE Management Server. 

Before building your SEE Clients, it's important to configure TLS in the SEEMS Configuration Manager to ensure these Secure Tokens are encrypted via TLS.

 

 

For more information on how to configure TLS for the SEE Management Server, see the following KB:

214267 - Enable TLS/SSL for the Database on Symantec Endpoint Encryption Configuration Manager

 

Step 4: Once you have a valid TLS Certificate and your client-server communications are secure, click the "Test Connection" button.

If this works, this means the SEE Clients should be able to successfully communicate with the server.

If you are not able to successfully test the connection, you'll receive the following:

 

 

You'll notice there is an option "Do you want to proceed anyway?".  This option should only be used if you know the SEE Client is having an issue only with the validation tool.

If you go to the https://seems1.example.com:443/SEEIdentityServer URL via a web browser, and you receive a message "Service is up and running", test this on your endpoints as well.

If this is successful, you can proceed to create the SEE Client and then ensure you test this before deploying.

Install on a test machine to make sure that it is checking in to the server properly. If it is not, troubleshooting the connection may be necessary.
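The endpoint-side check described in Step 4 can be scripted. The following PowerShell is an added example, not part of the original article or of the product: it validates the server certificate with the default Windows trust and hostname checks, then looks for the "Service is up and running" message. The function name `Test-SeeIdentityServer` and the 30-day expiry threshold are assumptions, and the hostname is the article's sample value.

```powershell
# Added example: run on an endpoint to check the SEE Identity Server URL.
# Hostname and path are the article's sample values; replace with your own.
param(
    [string]$ServerHost = 'seems1.example.com',
    [int]$Port = 443,
    [string]$Path = '/SEEIdentityServer',
    [int]$WarnDays = 30   # assumed threshold for the certificate expiry warning
)

function Test-SeeIdentityServer {   # hypothetical helper name
    param([string]$ServerHost, [int]$Port, [string]$Path, [int]$WarnDays)

    $result = [ordered]@{ Host = $ServerHost; TlsTrusted = $false; Protocol = $null
                          CertSubject = $null; CertExpires = $null; ExpiresSoon = $null
                          ServiceUp = $false; Error = $null }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ServerHost, $Port)
        # No validation callback is supplied, so the default Windows chain and
        # hostname validation applies. An untrusted, expired or mismatched
        # certificate throws here and is reported instead of being bypassed.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($ServerHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.TlsTrusted  = $true
        $result.Protocol    = $ssl.SslProtocol
        $result.CertSubject = $cert.Subject
        $result.CertExpires = $cert.NotAfter
        $result.ExpiresSoon = ($cert.NotAfter -lt (Get-Date).AddDays($WarnDays))
        $ssl.Dispose()

        # Same request a browser would make in Step 4; look for the status text.
        $uri  = "https://${ServerHost}:$Port$Path"
        $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 15
        $result.ServiceUp = ($resp.Content -match 'Service is up and running')
    }
    catch {
        # Keep the innermost message: DNS, TCP, TLS trust or HTTP failure.
        $result.Error = $_.Exception.GetBaseException().Message
    }
    finally { $tcp.Close() }
    [pscustomobject]$result
}

Test-SeeIdentityServer -ServerHost $ServerHost -Port $Port -Path $Path -WarnDays $WarnDays
```

A result with `TlsTrusted` false points to a certificate or trust-store problem on that endpoint, while `TlsTrusted` true with `ServiceUp` false points to the service or the URL path.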

 

Step 5: Once you proceed, you'll see the following screen to confirm the settings:

Some of the above settings are not default, but recommended, such as to encrypt "All Disks", which will encrypt even secondary fixed disks.

Also, "Encrypt unused disk space" is not selected. If you are imaging your systems for the first time and no data is on those unused sectors, the encryption will complete much more quickly.

If you are in a highly-secured environment and need to ensure all sectors are encrypted, check the box, "Encrypt unused disk space".

Step 6: Once you have confirmed your desired parameters, click "Finish", and you will receive a popup confirming the file will be downloaded:

You should end up with a "SEEClientPackage.zip" file, which contains the configuration details of the packages created as well as the installation packages, one for 32-bit and one for 64-bit.

Step 7: Unzip the file and review the contents.  Be sure to test the SEE client on a few test machines to ensure it performs as expected before deploying to the rest of the enterprise population.

 

The .msi package can be deployed with all the supported installation parameters, as with previous versions.


WARNING:
Do not use "reinstallmode=vemus and addlocal=all" in any of your installation commands.  This parameter has been used in the past, but should no longer be used.
If this parameter is used during install, the SEE Client installation will abort.

 

For further guidance, consult the SEE 12 Documentation and reach out to Symantec Encryption Support for additional assistance. 

 

 

 

Additional Information

193931 - How to download Symantec Encryption products from the Broadcom download Portal (And where to find the license number for PGP)

179347 - HOW TO: Install/Upgrade Symantec Endpoint Encryption Management Server (SEE Management Server)

206503 - How to find your license number for Symantec Encryption products

240649 - Symantec Endpoint Encryption Web Dashboard and Reports

276507 - How to: Enter your License information for Symantec Endpoint Encryption version 12

276501 - Groups, Policies, and Client Creation with Symantec Endpoint Encryption version 12

205088 - What's New with Symantec Endpoint Encryption version 12 (and 11.4 and 11.3.1)