Re-enrolling PGP Desktop (Symantec Encryption Desktop) for Mac OS X clients
search cancel

Re-enrolling PGP Desktop (Symantec Encryption Desktop) for Mac OS X clients

book

Article ID: 155714

calendar_today

Updated On:

Products

Drive Encryption

Issue/Introduction

If there is unusual behavior with Symantec Encryption Desktop (PGP Desktop) or the software is not working correctly, sometimes the easiest solution is to re-enroll the client to PGP Server.  

Issues that re-enrollment can address:

  • Key issues
  • Decryption or encryption issues
  • Forceful check in
  • Unexplained behavior

The enrollment is the process of registering the PGP client with Symantec Encryption Management Server (PGP Server).  After a PGP client is registered with the PGP server, it receives policy updates from the server, updates logs to the server, and can lookup PGP keys on the server.

This article covers Windows clients. For Windows clients, see Re-enrolling Encryption Desktop for Windows clients.

Resolution

Enrollment is the binding of a computer with Symantec Encryption Desktop client software installed to a Symantec Encryption Management Server (SEMS - previously PGP Universal Server).  After a client is bound it receives feature policy information from the SEMS; for example, encryption keys, email policy, or Symantec Drive Encryption (formerly known as Whole Disk Encryption) administration.

In some circumstances, you may need to re-enroll Symantec Encryption Desktop clients if the client is experiencing connection problems with the SEMS, the client license does not update after renewing the client license on the server, or in rare circumstances the client preference files ( ~Library\Preferences\com.pgp.*) become corrupted.

Use the following steps to re-enroll a Symantec Encryption Desktop for Mac client with SEMS.

  1. Stop the PGP Services by pressing the Option key, click the PGP padlock icon on the menu bar and select Quit.
  2. Browse to the ~/Library/Preferences folder.

    Note: The ~ refers to the user profile (home) directory.
     
  3. Move all the com.pgp.* files to Trash (there will be com.pgp.desktop and other com.pgp plist files that should be moved to Trash).
  4. For Symantec Encryption Desktop 9.x, follow the next steps.  For Symantec Encryption Desktop 10.x and above, simply re-launch PGP.app (Starting with Symantec Encryption Desktop, the "PGP.app" has been renamed to "Encryption Desktop.app").
  5. Open the Terminal application.
  6. Type defaults write com.pgp.pgp configurationString "ovid=example.keyserver.com&mail=*&admin=1"

    Note: Steps (5-6) is only necessary when using PGP Desktop 9.x clients.

  7. Launch Symantec Encryption Desktop to start the Symantec Enrollment Assistant.

For Encryption Desktop 10.0.x through 10.3.0, if enrollment does not begin: Check under /Applications/PGP.app/Contents/Resources/policy.txt      ---- This should contain a string similar to this 'ovid=keys.example.com&mail=*&admin=1'. If there is any trouble resolving the hostname found in the string then enrollment will not function as expected.  In Symantec Encryption Desktop 10.3.1 and above, the location is /Applications/Encryption Desktop.app/Contents/Resources/policy.txt.

Caution: When Symantec Encryption Desktop clients are enrolled, entries are placed in the Mac OS X Keychain Access Utility.  These entries include "PGP LDAP", "PGP Universal Auth Cookie" and a user entry of Kind, "PGP Passphrase" (Usually the name of this entry is the email address of the user enrolling).  These entries are used for enrollment and for the passphrase that can be used during encryption of a drive.  These entries remain, even after an uninstall of the software.

If re-enrollment is being done, it is also recommended to clear out all these entries before re-enrolling the client so they will be re-created from scratch. Not clearing these out may have unexpected results.