In a PGP Universal managed environment, even though the settings for a user policy is set to allow only SKM keys, clients are prompted to create a passphrase for a key during enrollment. After successfully enrolling with the server, an SKM key is created on the server and PGP Desktop also displays a CKM key with a different UserID for the user.
This issue occurs when a user policy on the server is configured to allow user-initiated key creation and the client key option is SKM only. The allow user-initiated key generation option is set by default on the General card in the PGP Desktop Settings for the user policy.
When the Allow user-initiated key generation option is enabled, the client will be prompted to create a passphrase for a local PGP Desktop key even though the user policy it set to only allow an SKM key.
|Note: This article applies to PGP Desktop 9.5 and above managed clients and PGP Universal Server 2.5 and above.
This issue is solved by removing the Allow user-initiated key generation permission for the user policy. Use the following steps to disable the option for the policy.