Using Email Enrollment for PGP Desktop Clients

Article ID: 153437

Products

Symantec Products

Issue/Introduction


Enrollment is the binding of a computer with PGP client software installed to a PGP Universal Server. After a client is bound it receives feature policy information from the PGP Universal Server; for example, encryption keys, email policy, PGP NetShare, or PGP Whole Disk Encryption administration.

This article details the steps to use Email Enrollment to enroll PGP Desktop clients with a PGP Universal Server.

Resolution


This method is available to all client installations, including PGP NetShare-only and PGP Whole Disk Encryption-only installations, as long as there is an email account on the installed computer. Email enrollment is possible even if the PGP Universal Server does not perform email encryption or is out of the mailflow. Email enrollment only requires that the PGP Universal Server be able to send an SMTP message to the mail server.

If your email protocol cannot be proxied, then you cannot use email enrollment, but must choose LDAP enrollment instead. POP, IMAP, Lotus Notes, and MAPI protocols can all be proxied. Novell GroupWise cannot be proxied and does not allow email enrollment.

If you do not select Enroll clients using directory authentication when you enable Directory Synchronization, clients enroll through email.

There are two parts to client installation and enrollment:

  • On the PGP Universal Server, you create a client installer. Tasks include: adding mail routes, checking port and SMTP settings, enabling Directory Synchronization, creating user policies, and customizing and downloading the client installer.
  • On the client computer, you install the client software. Tasks include: uploading the installer file, installing the client software, and following the enrollment wizard.

To create a client installer for email enrollment

  1. From Mail>Mail Routes on your PGP Universal Server, create a mail route that sends mail for your domain to the hostname of your mail server. For more information on adding mail routes, see Specifying Mail Routes.
  2. Make sure port 25 is open between your PGP Universal Server and your mail server.
  3. Make sure your mail server accepts SMTP. Some mail servers, for example Domino servers, are not set to accept SMTP by default.
  4. If you want to use directory synchronization to assign users to user policies, enable Directory Synchronization. From Policy>Internal User Policy, select Directory Synchronization. Do not select Enroll clients using directory authentication.
  5. From Policy>Internal User Policy, create internal user policies.
  6. Create a client installer. From Policy>Internal User Policy, select Download Client.
  7. Click Customize, and add the settings you want for the installer. Make sure to add your mail server name to the Mail Server Binding field. You can use wildcards. Mail Server Binding is necessary for email enrollment because it tells the client where to send enrollment email. This setting is also particularly important when PGP Universal Server is proxying email, because it specifies the mail server for which policies are being locally enforced. When the client computer sends email using the specified mail server, policy from the PGP Universal Server is enforced.
  8. Click Download to download the installer.
If your Microsoft Internet Explorer security settings do not allow downloads, you can override the security setting by holding down the CTRL key on your keyboard while you click Download.

To install and enroll a client through email enrollment

  1. Upload the installer file to the client computer.
  2. Install PGP Desktop by double-clicking the installer file.
  3. Follow the on-screen instructions to install.
  4. Restart the client computer when instructed. The PGP Desktop Setup Assistant appears. Follow the instructions to enroll.
  5. Type the user’s email address.
  6. Run the email client and check for new email.
  7. The user should receive an enrollment email from the PGP Universal Server. Open the email to use the enrollment cookie embedded in the email.

    Note: If the user does not receive an enrollment email, make sure the email domain matches a managed domain, and make sure the correct ports are open.

  8. From the Enrollment Assistant, continue with enrollment by following the instructions.
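Steps 2 and 3 of the installer procedure (port 25 open, mail server accepting SMTP) and the Note under step 7 (email domain must match a managed domain, ports must be open) are the two things to verify when an enrollment email never arrives. The following preflight script is an added example written for this article; it is not part of PGP Universal Server or PGP Desktop. It opens an SMTP session to the mail server, expects a 220 banner and a 250 reply to EHLO, then QUITs without sending anything, and reports which stage failed. It also checks that a user's address belongs to a managed domain. The hostnames, the managed-domain set and the loopback fake server it tests itself against are all constructed placeholders; point `smtp_reachable()` at your own mail server to run the real check.

```python
"""Preflight checks for PGP email enrollment (added example, not Symantec's code).

Checks two conditions the article relies on:
  * the mail server accepts SMTP from the PGP Universal Server (steps 2-3),
  * the user's email domain matches a managed domain (Note under step 7).
Hostnames are placeholders; the fake server exists only so the check runs offline.
"""
import smtplib
import socket
import socketserver
import threading

# Constructed placeholder values; replace with your environment's own.
MANAGED_DOMAINS = {"example.com"}
MAIL_SERVER_PLACEHOLDER = "mail.example.com"
HELO_NAME_PLACEHOLDER = "pgp-universal.example.com"


def domain_is_managed(address, managed_domains=MANAGED_DOMAINS):
    """True if the address has exactly one '@' and its domain is a managed domain.

    Domains compare case-insensitively (RFC 5321); the local part is not inspected.
    A mismatch here is the first thing to rule out when no enrollment email arrives.
    """
    if address.count("@") != 1:
        return False
    local_part, domain = address.rsplit("@", 1)
    managed = {d.lower().strip(".") for d in managed_domains}
    return bool(local_part) and domain.lower().strip(".") in managed


def smtp_reachable(host, port=25, timeout=5.0, helo_name=HELO_NAME_PLACEHOLDER):
    """Connect to host:port, expect a 220 banner, send EHLO and expect 250.

    Nothing is delivered; the session ends with QUIT. The result names the stage
    that failed: 'connect' points at the network path or a closed port, 'banner'
    at a listener that is not an SMTP service, 'ehlo' at the server's SMTP setup.
    """
    try:
        with smtplib.SMTP(timeout=timeout) as conn:
            code, banner = conn.connect(host, port)
            if code != 220:
                return {"ok": False, "stage": "banner", "code": code,
                        "detail": banner.decode("ascii", "replace")}
            code, reply = conn.ehlo(helo_name)
            if code != 250:
                return {"ok": False, "stage": "ehlo", "code": code,
                        "detail": reply.decode("ascii", "replace")}
            return {"ok": True, "stage": "ehlo", "code": code,
                    "detail": reply.decode("ascii", "replace")}
    except OSError as exc:  # refused, timed out, DNS failure, SMTP protocol error
        return {"ok": False, "stage": "connect", "code": None, "detail": str(exc)}


class _FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Scripted SMTP peer: fixed banner, fixed EHLO reply, 221 on QUIT."""

    def handle(self):
        self.wfile.write(self.server.banner + b"\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                break
            verb = line.strip().split(b" ", 1)[0].upper()
            if verb == b"EHLO":
                self.wfile.write(self.server.ehlo_reply + b"\r\n")
            elif verb == b"QUIT":
                self.wfile.write(b"221 closing\r\n")
                break
            else:
                self.wfile.write(b"502 command not implemented\r\n")


class FakeSMTPServer(socketserver.TCPServer):
    """Loopback stand-in for the mail server; constructed for this example only."""
    allow_reuse_address = True

    def __init__(self, banner, ehlo_reply):
        super().__init__(("127.0.0.1", 0), _FakeSMTPHandler)
        self.banner = banner
        self.ehlo_reply = ehlo_reply


def check_against_fake(banner, ehlo_reply):
    """Run smtp_reachable() against a scripted loopback server and return its result."""
    server = FakeSMTPServer(banner, ehlo_reply)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return smtp_reachable("127.0.0.1", server.server_address[1], timeout=3.0)
    finally:
        server.shutdown()
        server.server_close()
        thread.join(timeout=3.0)


def closed_loopback_port():
    """Pick a loopback port nothing listens on, to exercise the 'connect' failure."""
    with socket.socket() as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]


if __name__ == "__main__":
    print(domain_is_managed("alice@Example.com"))
    print(check_against_fake(b"220 mail.example.com ESMTP", b"250 mail.example.com"))
    # Against a real environment: smtp_reachable(MAIL_SERVER_PLACEHOLDER, 25)
```

Run it from a host on the same network path the PGP Universal Server uses, since a firewall rule that blocks the appliance but not your workstation would otherwise go unnoticed. A `banner` failure with a code other than 220 is the Domino case the article mentions (a listener that is not yet configured to accept SMTP); a `connect` failure is the port-25 case.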