Symantec Endpoint Encryption Full Disk

Transcription

1 Symantec Endpoint Encryption Full Disk Policy Administrator Guide Version 8.2.1

2 ii Copyright 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. GuardianEdge and Authenti-Check are either trademarks or registered trademarks of GuardianEdge Technologies Inc. (now part of Symantec). Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED AS IS AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR and subject to restricted rights as defined in FAR Section Commercial Computer Software - Restricted Rights and DFARS , et seq. Commercial Computer Software and Commercial Computer Software Documentation, as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement. Symantec Corporation 350 Ellis Street Mountain View, CA

3 Contents Chapter 1 Chapter 2 Introduction Overview... 1 Directory Service Synchronization... 2 Active Directory and Native Policies... 3 Manager Console... 3 Basics... 3 Database Access... 4 Endpoint Containers... 5 Basics... 5 Active Directory/Novell edirectory Computers... 5 Symantec Endpoint Encryption Managed Computers... 5 Deleted Computers... 5 Symantec Endpoint Encryption Roles... 6 Policy Administrators... 6 Client Administrators... 6 Basics... 6 Mac Client... 6 Windows Client... 6 Reporting Overview... 9 Basics... 9 Client Computers Data Available from Users and Computers and Basic Reports... 9 Basics... 9 Main Window...10 Computer Info Tab...11 Framework Tab...11 Full Disk Tab...12 Removable Storage Tab...12 Associated Users Tab...12 Fixed Drives Tab...13 Server Commands Tab...14 Directory Services Synchronization Data...14 Admin Log Data...15 Client Events Data...17 Device Exemptions Report Data...17 Server Commands Data...17 Command History, Decrypt Drive, and Encrypt Drive Snap-Ins...17 Command Assignment...18 Symantec Endpoint Encryption Users and Computers...18 Symantec Endpoint Encryption Reports...18 Basics...18 Active Directory Forests Synchronization Status...19 Client Events...19 Computer Status Report...19 Computers not Encrypting to Removable Storage...19 Computers with Decrypted Drives...19

4 iv Contents Computers with Expired Certificates...20 Computers with Specified Users...20 Computers without Full Disk Installed...20 Computers without Removable Storage Installed...20 Device Exemptions Report...20 Framework Deployment...20 Full Disk Client Deployment...20 Non-Reporting Computers...20 Novell edirectory Synchronization Status...21 Opal Endpoints...21 Percentage of Encrypted Endpoints...21 Removable Storage Client Deployment Report...21 Removable Storage Details Report...21 Removable Storage Password Aging Report...21 Custom Reports...21 Server Commands...22 Basics...22 Command History...22 Decrypt Drive...22 Encrypt Drive...22 Resultant Set of Policy (RSoP)...22 Windows System Events...23 Chapter 3 Policy Creation & Editing Overview...25 Active Directory Policies...25 Native Policies...26 Policy Options...26 Client Administrators...26 Registered Users...28 Basics...28 Authentication Method...28 Registration...29 Unregistration...29 Password Authentication...29 Basics...29 Password Attempts...30 Password Complexity...30 Maximum Password Age...31 Password History...31 Minimum Password Age...31 Token Authentication...32 Authentication Message...32 Communication...32 Single Sign-On...32 Authenti-Check...32 One-Time Password...33 Startup...34 Logon History...34 Autologon...35 About the Autologon Feature...35 Always Require User Authentication...36 Never Require User Authentication...36 Bypass Pre-Windows User Authentication During a Single Time Frame...36 Bypass Pre-Windows User Authentication During a Recurring Time Frame...37

5 Contents v When the Autologon Settings in a Policy Take Effect...38 Resetting the Number of Authentication Bypasses...38 Order of Precedence...38 Remote Decryption...38 Client Monitor...38 Local Decryption...39 Chapter 4 Chapter 5 Chapter 6 Policy Deployment Active Directory Policies...41 Basics...41 Order of Precedence...41 Forcing a Policy Update...41 Basics...41 Windows XP Clients...41 Windows 2000 Clients...42 Native Policies...42 Basics...42 Symantec Endpoint Encryption Managed Computer Groups...42 Basics...42 Group Creation...43 Move Computers...43 Policy Assignment...44 Order of Precedence...45 Forcing a Policy Update...45 Encrypting/Decrypting Drives on Fixed Disks Overview...47 Issuing a Command...48 Encrypting/Decrypting All Fixed Disk Drives on All Computers in a Group...48 Encrypting/Decrypting All Fixed Disk Drives on a Computer...48 Encrypting/Decrypting One or More Fixed Disk Drives on a Computer...49 Forcing a Command to Execute...50 Cancelling a Pending Command...50 Basics...50 Cancelling a Command for All Endpoints...50 Cancelling a Command for One Endpoint...51 Endpoint Support The Management Password...53 Basics...53 Changing the Management Password...53 One-Time Password Program...54 Basics...54 Launch...54 Management Password...55 Method...55 Basics...55 Online...55 Offline...57 Error Messages...60 User Record Not Found...60 Invalid Code Synchronization...60 Whole Disk Recovery Token (WDRT)...61 Basics...61

6 vi Contents Launch...61 Management Password...61 User Identity...62 Token...62 Hard Disk Recovery for Windows Computers...63 Basics...63 Recover DAT File Generation...63 Appendix A Appendix B Appendix C System Event Logging Basics...65 Framework System Events List...65 Full Disk System Events List...85 Authentication Method Changes Overview...97 User Experience...97 Policy Settings Honored by Mac Clients Glossary Index...105

7 Chapter 1 Introduction This chapter includes the following topics: Overview Directory Service Synchronization Active Directory and Native Policies Manager Console Symantec Endpoint Encryption Roles Overview Symantec Endpoint Encryption Full Disk protects data on laptops and PCs from the threat of theft or loss with strong, centrally managed encryption, auditing, and policy controls for hard disks and partitions, ensuring that the loss of a machine and its data does not result in disclosure required by corporate policy or government regulation. As part of Symantec Endpoint Encryption, Full Disk leverages existing IT infrastructures for seamless deployment, administration, and operation. Symantec Endpoint Encryption is comprised of Full Disk, Removable Storage, and Framework. Framework includes all the functionality that is extensible across Symantec Endpoint Encryption. It allows behavior that is common to both Removable Storage and Full Disk to be defined in one place, thus avoiding potential inconsistencies. The following diagram depicts a sample network configuration of Symantec Endpoint Encryption.

8 2 Introduction Directory Service Synchronization Figure 1-1 Sample Network Configuration SOAP over HTTP Group Policy LDAP Database Server TDS TLS/SSL Domain Controller Client Manager Computer edirectory Server Management Server Client your-org.com Client your_tree Client The Active Directory domain controller and Symantec Endpoint Encryption Management Server are required. Multiple domains, forests, trees, and Symantec Endpoint Encryption Management Servers are supported. A database server is recommended, but the Symantec Endpoint Encryption database can also reside on the Symantec Endpoint Encryption Management Server. If a database server is chosen to host the Symantec Endpoint Encryption database, the database server can be located inside or outside of Active Directory. The Manager Console can be installed on multiple Manager Computers. It can also be installed on the Symantec Endpoint Encryption Management Server. It must reside on a computer that is a member of Active Directory. The Novell edirectory tree, Active Directory group policy communications, and TLS/SSL encryption are optional. Directory Service Synchronization Synchronization with Active Directory and/or Novell edirectory is an optional feature. If enabled, then the Symantec Endpoint Encryption Management Server will obtain the organizational hierarchy of the specified forest, domain, and/or tree and store this information in the Symantec Endpoint Encryption database. It also keeps this information up to date. This improves performance during Client Computer communications with the Management Server, as the Management Server will be able to identify the Client Computer without having to query the Active Directory domain controller and/or the Novell edirectory server. When you open the Manager Console, you will have your Active Directory and/or Novell endpoints organized just the way that they are in the directory service, easing your deployment activities. In addition, you will have records of computers that reside in the designated forest, domain, or tree, even if these computers do not have any Symantec Endpoint Encryption products installed and/or have never checked in with the Management Server. This will allow you to run reports to assess the success of a given deployment and gauge the risk that your organization may face due to unprotected endpoints. The timing of the synchronization event differs according to the directory service. Whereas Novell informs the Management Server of any changes that may occur, the Management Server needs to contact Active

9 Introduction Active Directory and Native Policies 3 Directory to obtain the latest information. Synchronization with Active Directory is set to occur once every fifteen minutes. Active Directory and Native Policies Active Directory policies are designed for deployment to the users and computers residing within your Active Directory forest/domain. Active Directory policies can be created and deployed whether synchronization with Active Directory is enabled or not. Native policies are designed for deployment to computers that are not managed by Active Directory. Should you wish to deploy native policies to computers that are managed by Active Directory, you must turn synchronization with Active Directory off. The following table itemizes the differences between Active Directory and native policies. Table 1-1 Active Directory and Native Policies Compared Active Directory Policies Certain policies are deployed to users and others are deployed to computers. Policies applied in Local, Site, Domain, OU (LSDOU) order of precedence. Single pane policy creation/deployment. Policies are obtained from the domain controller and applied at each reboot. An immediate policy update can be forced using the gpupdate \force or secedit command. Ignored by Mac clients Native Policies Policies can only be applied to computers. Policies are applied in Computer, Subgroup, Group (CSG) order of precedence. Each pane must be visited when creating the policy. Policies are applied when the client checks in with the Symantec Endpoint Encryption Management Server. An immediate policy update can be forced by clicking Check In Now from the User Client Console. Honored by Mac clients Manager Console Basics The Manager Console contains the following Symantec Endpoint Encryption snap-ins: Symantec Endpoint Encryption Management Password allows you to change the Management Password. The Management Password controls administrator access to two Full Disk help desk functions: the Recover Program and the Help Desk Program. Symantec Endpoint Encryption Software Setup is used to create client installation/migration packages. Symantec Endpoint Encryption Native Policy Manager escorts you through the process of creating a computer policy for clients not managed by Active Directory, such as Novell and other clients. Symantec Endpoint Encryption Users and Computers displays the organizational structure of your Active Directory forest and/or Novell tree; allows you to organize clients not managed by either Active Directory or Novell into groups; provides the ability to export computer-specific Recover DAT files necessary for the Recover Program. Symantec Endpoint Encryption Reports includes reports to allow you to obtain endpoint data, Policy Administrator activity logs, and directory service synchronization configuration. In addition, you will be able to export computer-specific Recover DAT files and create your own custom reports. Symantec Endpoint Encryption Server Commands provides information about commands issued to encrypt or decrypt drives. You can also use the snap-in to cancel a pending command.

10 4 Introduction Manager Console SEE Help Desk Program (optional) enables you to assist Windows or Mac users that forgot their credentials. You can also assist Windows users that have been locked out for a failure to communicate with the Management Server. It also contains the following Microsoft snap-ins to help you manage your Active Directory computers: Active Directory Users and Computers allows you to both view and modify your Active Directory organizational hierarchy. Group Policy Management lets you manage group policy objects and launch the Group Policy Object Editor (GPOE). Within the GPOE you will find Symantec Endpoint Encryption snap-in extensions that allow you to create and modify Symantec Endpoint Encryption user and computer policies for Active Directory managed computers. Depending on your responsibilities, you may not have access to all of these snap-ins. These restrictions, if any, will be effected as part of the privileges associated with your Windows account. Database Access Your Windows account may have been provisioned with rights to access the Symantec Endpoint Encryption database. If so, ensure that you are logged on to Windows with this account before launching the Manager Console. If you are not logged on to Windows with read and write access to the Symantec Endpoint Encryption database at the time that you launch the Manager Console, you will be prompted for your SQL or Windows credentials. Figure 1-2 SQL Server Logon Prompt The Server name and Initial catalog fields will contain the information that was provided when this Manager Console was installed. In general, you should not modify the default contents of these fields. Circumstances that require you to edit these entries would be unusual, such as the loss of your primary Symantec Endpoint Encryption database. In such a situation, you could edit the Server name and Initial catalog fields to connect to a disaster recovery site. The syntax used in the Server name field is as follows: computer name,port number\instance name While the NetBIOS name of the server hosting the Symantec Endpoint Encryption database will always be required, the TCP port number will only be necessary if you are using a custom port, and the instance name will only be needed if you are using a named instance. The custom port number would need to be preceded by a comma and the instance name by a backslash. To use a SQL account, select SQL Authentication and type the SQL user name in the User name field. Otherwise, select Windows Authentication and type the Windows account name in NetBIOS format in the User name field. Type the account password in the Password field. Click Connect to authenticate. If you don t wish to authenticate to the Symantec Endpoint Encryption database at this time, click Cancel. You may receive one or more error messages following cancellation. You will receive additional prompts upon attempting to access the individual Symantec Endpoint Encryption snap-ins in the console.

11 Introduction Manager Console 5 Endpoint Containers Basics The Symantec Endpoint Encryption Manager will place each endpoint into one or more of the following containers: Active Directory Computers, Novell edirectory Computers, or Symantec Endpoint Encryption Managed Computers. Active Directory/Novell edirectory Computers No computers will be placed in the Active Directory Computers or Novell edirectory Computers containers unless synchronization with the directory service is enabled. If synchronization with Active Directory is enabled, the Active Directory Computers container will be populated with the computers in the Active Directory forest/domain. If synchronization with Novell is enabled, the Novell edirectory Computers container will hold the computers in the Novell tree. If synchronization with both directory services is enabled and the computer is managed by both, it will appear in both containers. Computer and user objects located within the Active Directory and/or Novell containers cannot be moved or modified with Symantec Endpoint Encryption snap-ins. Symantec Endpoint Encryption Managed Computers Computers located within the Active Directory Computers and/or Novell edirectory Computers containers will not be shown in the Symantec Endpoint Encryption Managed Computers container. Only computers that have checked in with the Management Server will be shown in the Symantec Endpoint Encryption Managed Computers container. Whether a computer is placed in the Symantec Endpoint Encryption Managed Computers container or not following check in will vary depending on whether synchronization is enabled or not. If synchronization is not enabled, all Client Computers that have checked in will be placed in the Symantec Endpoint Encryption Managed Computers container. If synchronization is enabled, only Client Computers that have checked in that do not reside within the designated Active Directory forest/domain and/or Novell tree will be placed in the Symantec Endpoint Encryption Managed Computers container. Computers located within the Symantec Endpoint Encryption Managed Computers container should be grouped into the organizational structure that you desire. Deleted Computers The Deleted Computers container stores Symantec Endpoint Encryption managed computers that have been deleted, allowing you to restore the computer and revert its deletion. Symantec Endpoint Encryption managed computers will remain in the Manager Console even after the client-side software has been uninstalled. To complete the uninstallation of a Symantec Endpoint Encryption managed computer, locate the computer within the Symantec Endpoint Encryption Managed Computers container. Right-click the computer and select Delete. The computer will be removed from the Symantec Endpoint Encryption Managed Computers container and placed in the Deleted Computers container. Should you fail to delete the computer from the Symantec Endpoint Encryption Managed Computers container following uninstallation and then reinstall, you will find two computers with the same name in the Symantec Endpoint Encryption Managed Computers container. Locate the computer with the older last check-in date, right-click it, and select Delete.

12 6 Introduction Symantec Endpoint Encryption Roles Symantec Endpoint Encryption Roles Policy Administrators Client Administrators As the Policy Administrator, you perform centralized administration of Symantec Endpoint Encryption. Using the Manager Console and the Manager Computer, you perform one or more of the following tasks: Basics Update and set client policies. Issue server-based commands to encrypt or decrypt drives on fixed disks that are not Opal-compliant. Run reports. Change the Management Password. Run the Help Desk Program. Create the computer-specific Recover DAT file necessary for Recover /B, Recover /S, and Recover /O. Client Administrators provide local support to Symantec Endpoint Encryption users. Client Administrator accounts are created and maintained from the Symantec Endpoint Encryption Manager. Client Administrator accounts are managed entirely by Symantec Endpoint Encryption, independent of operating system or directory service, allowing Client Administrators to support a wide range of users. Client Administrator passwords are managed from the Manager Console and cannot be changed at the Client Computer. This single-source password management allows Client Administrators to remember only one password as they move among many Client Computers. Mac Client Each Mac client must have at least and no more than one Client Administrator account. The Client Administrator account is specified within the client installation package or policy. It will be created on the client at the time that the encryption of the boot disk is manually initiated. The Client Administrator account cannot be deleted by the user, ensuring administrative access to the Client Computer. The Client Administrator authenticates with a password. Privilege level is ignored by the Mac client. The Client Administrator account cannot be used to initiate encryption. Windows Client Client Administrators may be configured to authenticate with either a password or a token. Each Client Administrator account can be assigned any of the following individual administrative privileges: Unregister users allows Client Administrators to unregister registered users from the Administrator Client Console; Decrypt drives provides Client Administrators with the right to decrypt drives encrypted by Symantec Endpoint Encryption Full Disk from the Administrator Client Console or through the use of Recover /D; Extend lockout permits Client Administrators to extend the Client Computer s next communication date using the Administrator Client Console; and Unlock enables Client Administrators to unlock Client Computers that have been locked for failure to communicate with the Symantec Endpoint Encryption Management Server. Client Administrators are always able to authenticate to Client Computers.

13 Introduction Symantec Endpoint Encryption Roles 7 Client Administrators should be trusted in accordance with their assigned level of privilege. Each Client Computer must have one default Client Administrator account. The default Client Administrator account has all administrative privileges and authenticates using a password. Only Client Administrators that authenticate with a password and have all administrative privileges can perform hard disk recovery. Up to 1024 total Client Administrator accounts can exist on each Client Computer. Client Administrator accounts have the following restrictions: Client Administrators do not have either of the authentication assistance methods (Authenti-Check and One-Time Password) available. Client Administrators cannot use Single Sign-On.

14 8 Introduction Symantec Endpoint Encryption Roles

15 Chapter 2 Reporting This chapter includes the following topics: Overview Symantec Endpoint Encryption Users and Computers Symantec Endpoint Encryption Reports Server Commands Resultant Set of Policy (RSoP) Windows System Events Overview Basics The Manager Console reporting tools allow you to obtain information about: Client Computers Policy Administrator activities Directory service synchronization Client Computers Data Available from Users and Computers and Basic Reports Basics At the time that a Client Computer succeeds in checking in with the Symantec Endpoint Encryption Management Server, it sends information about itself that is stored in the Symantec Endpoint Encryption database. This section discusses the data available about Client Computers from the following: Symantec Endpoint Encryption Users and Computers on page 18; Computer Status Report on page 19; Computers not Encrypting to Removable Storage on page 19; Computers with Decrypted Drives on page 19; Computers with Expired Certificates on page 20; Computers with Specified Users on page 20; Computers without Full Disk Installed on page 20; Computers without Removable Storage Installed on page 20; and Non-Reporting Computers on page 20.

16 10 Reporting Overview Basic data is shown in the main window and you can double-click a record of interest or right-click it and select Show Selection to obtain further details. Note: If Active Directory and/or Novell synchronization is enabled, you will be able to obtain the computer names and directory service location of any computer located on your forest(s), domain(s), and/or tree(s) even if it has never checked in with the Management Server. While only the computer name and directory service location of these machines will be available, the absence of additional data will allow you to identify computers that are unprotected or have not checked in. Main Window The following table itemizes the data available about Client Computers from the main window. Columns that will be displayed but not populated by Full Disk are identified as not applicable (N/A). Table 2-1 Client Computer Data Available from Users and Computers and Basic Reports Column Heading Data Displayed Explanation Computer name computer name Computer name Group name* group name Location of the computer within Symantec Endpoint Encryption Users and Computers Last Check-In date time The date and time of the last connection that the Client Computer made with the Management Server Decrypted drive letter(s) The drive letter(s) of any decrypted drives and/or partitions on this computer Decrypting drive letter(s) The drive letter(s) of any drive and/or partitions on this computer that are in the process of decrypting Encrypted drive letter(s) The drive letter(s) of any encrypted drive and/or partitions on this computer Encrypting drive letter(s) The drive letter(s) of any drives and/or partitions on this computer that are in the process of encrypting Drive Encryption Service SEEFD Opal SEEFD will be displayed for computers without Opal-compliant hard drives. Opal will be displayed for computers with Opalcompliant hard drives. RS Device Access Control* N/A N/A RS Encryption Policy N/A N/A RS Encryption Method N/A N/A RS On-Demand Encryption N/A N/A RS Device Exclusion** N/A N/A RS Access Utility* N/A N/A RS Self-Extracting Archives* N/A N/A

17 Reporting Overview 11 Table 2-1 Client Computer Data Available from Users and Computers and Basic Reports (Continued) Column Heading Data Displayed Explanation * Shown only in the Computer Status Report. Not shown in the Computer Status Report. Not shown in the Computers with Specified Users report. ** Not shown in the Computer Status Report or the Computers with Specified Users report. Computer Info Tab After double-clicking the record of interest or right-clicking it and selecting Show Selection, the data in the following table will be available from the Computer Info tab. Table 2-2 Client Computer Data Available from Computer Info Tab Column Heading Data Displayed Explanation Group group name Location of the computer within Symantec Endpoint Encryption Users and Computers OS operating system name The name of the installed operating system OS Type 32-bit 64-bit The number of bits of memory supported by the installed operating system Serial Number serial number The System Management BIOS (SMBIOS) serial number from WMI_SystemEnclosure class. If the data does not exist on the client, the value will be blank. Asset Tag asset tag The System Management BIOS (SMBIOS) asset tag from WMI_SystemEnclosure class. If the data does not exist on the client, the value will be blank. Part Number part number The System Management BIOS (SMBIOS) part number from WMI_SystemEnclosure class. If the data does not exist on the client, the value will be blank. Framework Tab After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the data in the following table will be available from the Framework tab. Table 2-3 Client Computer Data Available from Framework Tab Column Heading Data Displayed Explanation FR Version n.n.n The three digit version number of Framework that is currently installed FR Installation Date date time The date and time on which Framework was installed Last Check-In Time date time The date and time of the last connection that the Client Computer made with the Management Server SSL Certificate Expiration Date FR Build Number date time major build number.minor build number.patch number.1 The date and time of the client-side TLS/SSL certificate s expiration The major build number, minor build number, and patch number of Framework. The final digit will always be 1.

18 12 Reporting Overview Full Disk Tab After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the data in the following table will be available from the Full Disk tab. Table 2-4 Client Computer Data Available from Full Disk Tab Column Heading Data Displayed Explanation FD Version n.n.n The three digit version number of Full Disk that is currently installed FD Installation Version n.n.n The three digit version number of Full Disk that was originally installed Last Upgrade Date date time The date and time on which Full Disk was last installed or upgraded FD Installation Date date time The date and time on which Full Disk was installed FD Build Number major build number.minor build number.patch number.1 The major build number, minor build number, and patch number of Full Disk. The final digit will always be 1. Partition drive letter The letter of the logical drive that is encrypted, encrypting, decrypted, or decrypting Encryption start time date time The date and time that encryption was initiated Encryption end time date time The date and time that encryption completed Decryption start time date time The date and time that decryption was initiated Decryption end time date time The date and time that decryption completed Decryption initiated by user name or Command The user name or Client Administrator that initiated decryption. Alternatively, Command is displayed if the action was initiated by a Policy Administrator using the Manager Console to issue a server-based decryption command. Removable Storage Tab The Removable Storage tab is not applicable to Full Disk. Associated Users Tab After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the data in the following table will be available from the Associated Users tab for Windows endpoints. The Associated Users tab will contain one row of data per registered user or Client Administrator on the Windows Client Computer. Table 2-5 Client Computer Data Available from Associated Users Tab Column Heading Data Displayed Explanation User Name user name The user name of the registered user or Client Administrator account

19 Reporting Overview 13 Table 2-5 Client Computer Data Available from Associated Users Tab (Continued) Column Heading Data Displayed Explanation User Type Reg User Client Admin If the account is that of a registered user, Reg User will be displayed. If the account is that of a Client Administrator, Client Admin will be displayed. Authentication Method Password Token Password and Token Unauthenticated If the user or Client Administrator uses a password to authenticate, Password will be displayed. If the user or Client Administrator uses a token to authenticate, Token will be displayed. If this is a user and the user has the option to register both a password and a token, Password and Token will be displayed. If the Client Computer has been configured to use automatic authentication, Unauthenticated will be displayed. User Domain name of domain or tree computer name If the computer is joined to a domain or a part of a Novell tree, the name of the domain or tree will be displayed. If the computer does not belong to either directory service, the name of the computer will be displayed. For Client Administrators, this cell will be blank. Last Logon Time date time If a user, the date and time of the last User Client Console logon. If a Client Administrator, the date and time of the last Administrator Client Console logon. Registration Time date time The date and time on which this user registered. If this is a Client Administrator account, the date and time on which the account was created either by MSI or policy update. Note: If this is a Mac record, no data will be available from the Associated Users tab. Fixed Drives Tab After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the Fixed Drives tab will contain one row of data per physical disk drive on the Client Computer. Table 2-6 Fixed Drives Data Column Heading Data Displayed Explanation Disk ID digit The number of the physical disk, as assigned by the operating system. The operating system will assign a number to each physical disk. The first physical disk will be assigned the number 0 and the rest of the assigned numbers will increment sequentially.

20 14 Reporting Overview Table 2-6 Fixed Drives Data (Continued) Column Heading Data Displayed Explanation Volume(s) drive letter The alphabetical letter assigned by the operating system to the logical drive will be identified in this cell. If the drive has been divided into partitions, the letter of each partition will be displayed, separated by commas. Serial Number number The serial number of the physical disk will be displayed. This information is obtained from the device properties. If this data could not be obtained from the device properties, the value will be blank. Server Commands Tab After you double-click on a record of interest or right-click it and select Show Selection, the Server Commands tab will contain one row of data per command issued for this computer. Table 2-7 Server Commands Data Column Heading Data Displayed Explanation Command Encrypt Drive Decrypt Drive The command issued by the administrator. Issuer domain\user name The Windows domain and user name of the administrator who issued the command. Time of Issue date time The date and time that the command was issued. Status Pending Sent to endpoint If the status is Pending, the command has not been sent to this computer. If the status is Sent to endpoint, the command has been sent. Command Data All Drives drive letter(s) If the data is All Drives, the command targets all drives on this computer. If the data consists of drive letters, the command targets one or more partitions on one of the computer s fixed disks. Directory Services Synchronization Data Your current synchronization parameters are stored in the Symantec Endpoint Encryption database and can be retrieved using the following Symantec Endpoint Encryption Reports: Active Directory Forests Synchronization Status on page 19, and Novell edirectory Synchronization Status on page 21.

21 Reporting Overview 15 One row of data per forest or tree will be listed. The following table identifies the data that will be available from these reports. Table 2-8 Directory Services Synchronization Data Column Heading Data Displayed Explanation Forest/Tree Name forest or tree name The name of the forest or tree that you are synchronizing with will be identified in this column. Administrator Name user name The user name that is being used to authenticate to the directory service server of this forest or tree will be provided in this column. This corresponds to the Active Directory or Novell synchronization account. Administrator Domain* domain The Active Directory domain of the Active Directory synchronization account for this forest will be identified. Last Synchronization date time The date and time of the last successful synchronization with this forest or tree will be supplied. Total Computers number The total number of computers in this forest or tree as of the last synchronization will be noted here. This includes all of the computers, not just the Symantec Endpoint Encryption protected endpoints. * This column is not shown in the Novell edirectory Synchronization Status report. Admin Log Data Each time the Policy Administrator makes a change using the Manager Console, the action will be logged. The Admin Log provides a detailed log of all Policy Administrator activities. Log entries can be filtered according to inclusive date and time, user name, and computer name. The following table identifies the data that will be available in the Admin Log report. Table 2-9 Admin Log Data Column Heading Data Displayed Explanation Date-Time date time The date and time on which the activity occurred User domain\user name The Windows domain and user name of the Policy Administrator that initiated the activity Computer computer name The computer name of the Manager Computer from which the activity was initiated

22 16 Reporting Overview Table 2-9 Admin Log Data (Continued) Column Heading Data Displayed Explanation Activity Description Changed Symantec Endpoint Encryption management password Created native policy policy name Renamed native policy old policy name to new policy name Deleted native policy policy name Edited native policy policy name Created new Symantec Endpoint Encryption Managed computer group group name Renamed Symantec Endpoint Encryption Managed computer group old group name to new group name Deleted Symantec Endpoint Encryption Managed computer group group name Assigned native policy policy name to group group name Unassigned native policy policy name from group group name Changed assigned native policy for group group name from native policy old policy name to native policy new policy name Deleted Symantec Endpoint Encryption Managed Computer computer name Moved Symantec Endpoint Encryption Managed Computer computer name from group old group name to new group name Restored Symantec Endpoint Encryption Managed Computer computer name Exported Recover DAT file for computer computer name Initiated One-Time Password online method for user user name on computer computer name Symantec Endpoint Encryption GUID Symantec Endpoint Encryption GUID of computer Initiated One-Time Password offline method for user user name Created Framework client installation package MSI package name Created Full Disk client installation package MSI package name

23 Reporting Overview 17 Table 2-9 Admin Log Data (Continued) Column Heading Data Displayed Explanation * The command ID is an integer that identifies a command. When a command is created, the SQL server increments the previous command ID by 1. Command ID numbering begins with 1; numbering is not restarted. Client Events Data A subset of the Windows system events from Windows Client Computers will be available from the Client Events report. The following table identifies the data that will be available in the Client Events report for Windows endpoints. No client events data for Mac clients will be available. Table 2-10 Client Log Data Column Heading Data Displayed Explanation Date-Time date time The date and time on which the activity occurred User user name The Windows user name of the user that initiated the activity Computer Name computer name The computer name of the Windows Client Computer on which the event was logged Event Description description text Framework events 4, 6, 8, 11,14, 15, 16, 18, 19, 21, 124, 183, 184, and 246. Full Disk events 1004, 1008, 1012, 1014, 1015, 1019, 1023, 1027, 1028, 1107, 1108, 1109, 1110, 1111, 1114, 1119, 1120, and Refer to Appendix A, Basics on page 65 for the text of each event. Device Exemptions Report Data Device Exemptions Report Data is not applicable to Full Disk. Server Commands Data Command History, Decrypt Drive, and Encrypt Drive Snap-Ins The following data is available from the Command History, Decrypt Drive, and Encrypt Drive snap-ins. Table 2-11 Command History, Decrypt Drive, and Encrypt Drive Snap-In Data Column Heading Data Displayed Explanation Time of Issue date time The date and time the command was issued. Command* Decrypt Drive Encrypt Drive The command issued. Issued By domain name\user name The Windows domain and user name of the administrator that issued the command. Computer Issued From computer name The name of the computer from which an administrator issued the command.

24 18 Reporting Symantec Endpoint Encryption Users and Computers Table 2-11 Command History, Decrypt Drive, and Encrypt Drive Snap-In Data (Continued) Column Heading Data Displayed Explanation Command Data All Drives drive letter(s) If the data is All Drives, all of the drives on multiple computers or on a single computer are targeted. If the data consists of drive letters, one or more partitions on a single computer s fixed disk are targeted. *This column appears only for the Command History snap-in. Note: Commands that are older than 30 days do not appear; they have expired and have been deleted from the database. Command Assignment After double-clicking a command or right-clicking it and selecting Show Selection, the following data is displayed in the Command Assignment window. The Command Assignment window displays one row of data per computer. Table 2-12 Command Assignment Details Column Heading Data Displayed Explanation Computer Name computer name The name of the endpoint computer that the command targets. Status Pending Sent to endpoint If the status is Pending, the command has not yet been sent to the endpoint. If the status is Sent to endpoint, the command has been sent. Group Tree\Context and/or forest\domain\ou The Novell and/or Active Directory hierarchical context for this computer. Symantec Endpoint Encryption Users and Computers The Symantec Endpoint Encryption Users and Computers snap-in allows you to obtain data about a specific group. This data can be printed or exported into a comma-delimited format (CSV). This can be useful for generating reports on a per-group basis. You might also want to consider your reporting needs when you create your groups ( Symantec Endpoint Encryption Managed Computer Groups on page 42). Symantec Endpoint Encryption Reports Basics The Symantec Endpoint Encryption Reports snap-in contains a number of reports that will assist you in managing your endpoints and your synchronization(s). After obtaining the data, you can export it into comma-delimited format (CSV) for further manipulations in the tool of your choice. Alternatively, you can print the report directly from the Manager Console.

25 Reporting Symantec Endpoint Encryption Reports 19 Should you choose to print the report, you can choose which columns to include by right-clicking the report in the console tree and selecting Configure Columns Displayed. Alternatively, select Configure Columns Displayed from the Action menu. Active Directory Forests Synchronization Status The Active Directory Forest Synchronization Status report provides the latest details of your Active Directory synchronization parameters and status ( Directory Services Synchronization Data on page 14). Client Events The Client Events report provides you with a subset of the events logged on the endpoint ( Client Events Data on page 17). Client events can be filtered according to inclusive date and time, user name, and computer name. Computer Status Report The Computer Status Report is used to retrieve the records of specific computers when you know their computer name. This can be useful for Windows clients under the following circumstances: After deploying Windows client installation packages using your third-party deployment tool of choice, run this report to ensure that the deployment was successful and that each client checks in. You should make sure that each Windows client checks in at least once. During the check in process, the Windows Client Computer sends data necessary for the online method of the One-Time Password Program and for the /B, /O and /S options of the Recover Program. Once you have identified Windows Client Computers that have not checked in, you can target them using other tools such as Resultant Set of Policy (RSoP) reports and Windows system event logs to determine if there was a problem during installation. Should a Windows Client Computer fail to boot, you may need to export computer-specific recovery data necessary for Recover /B or /O. Type or paste the computer names in the Enter Computer Names field. Each should be on a separate line. The % character can be used as a wildcard. Once you have entered the computer names that you want to retrieve the records of, click Run. To refresh the data, click Run again. Computers not Encrypting to Removable Storage The Computers not Encrypting to Removable Storage report will retrieve the records of the following computers on your network: Computers with Decrypted Drives Did not have Removable Storage installed as of the time of last check-in. Was not protected by a Removable Storage Encrypt all, Encrypt new, or Encrypt to CD/DVD policy as of the time of last check in. Resides on a forest or tree that is synchronized with the Symantec Endpoint Encryption Management Server and has not checked in. These clients may or may not be allowing users to write unencrypted files to removable devices. The Computers with Decrypted Drives report will retrieve the records of the following computers on your network: Had one or more decrypted or decrypting drives and/or partitions as of the time of last check-in. Resides on a forest or tree that is synchronized with the Management Server and has not checked in. These clients may or may not have a decrypted or decrypting drive or partition.

26 20 Reporting Symantec Endpoint Encryption Reports Computers with Expired Certificates The Computers with Expired Certificates report will retrieve the records of the clients with client-side TLS/ SSL certificates due to expire within the specified number of days from the current day. Enter the number of days until expiration in the Days the Certificate Will Expire field and click Run. For example, to see all of the clients with certificates due to expire within the next ninety days, type 90 in the Days the Certificate Will Expire field and click Run. Computers with Specified Users The Computers with Specified Users report allows you to find out all of the computers that one or more users have registered on. Type the user names in the Enter User Names field. If you enter more than one user name, they should be separated by carriage returns. The % wildcard character is supported. Once the desired report parameters have been entered, click Run. The records of the computers on which one or more of the specified users has registered will be retrieved and listed in the report results. Computers without Full Disk Installed The Computers without Full Disk Installed report will retrieve the records of the following computers on your network: Did not have Full Disk installed as of the time of last check-in. Resides on a forest or tree that is synchronized with the Management Server and has not checked in. These clients may or may not have Full Disk installed. Computers without Removable Storage Installed Device Exemptions Report Framework Deployment Full Disk Client Deployment Non-Reporting Computers The Computers without Removable Storage Installed report will retrieve the records of the following computers on your network: Did not have Removable Storage installed as of the time of last check-in. Resides on a forest or tree that is synchronized with the Management Server and has not checked in. These clients may or may not have Removable Storage installed. Device Exemptions Report data is not applicable to Full Disk. The Framework Client Deployment report provides you with a pie chart comparison of the percentage of computers installed with Framework versus the percentage that are not. You can filter the results based on date. The numerical breakdown is provided beneath the chart. The Full Disk Client Deployment report provides you with a pie chart comparison of the percentage of computers installed with Full Disk versus the percentage that are not. You can filter the results based on date. The numerical breakdown is provided beneath the chart. Mac clients will not be included in this report. The Non-Reporting Computers report allows you to obtain a list of computers that have not checked in with the Symantec Endpoint Encryption Management Server within a specified number of elapsed days. This

27 Reporting Symantec Endpoint Encryption Reports 21 report will help you ensure that the data in the Symantec Endpoint Encryption database remains fresh. It is also an essential complement to a lockout policy. Enter the number of elapsed days in the Days Since Last Check-In field and click Run. The records of the computers on your network that have not checked in with the Symantec Endpoint Encryption Management Server within the specified number of days will be retrieved and listed. Novell edirectory Synchronization Status Opal Endpoints The Novell edirectory Synchronization Status report provides the latest details of your Novell synchronization parameters and status. The Opal Endpoints report will retrieve the records of the following computers on your network: Percentage of Encrypted Endpoints Had Full Disk installed as of the time of last check-in. Uses an Opal-compliant drive as the primary, boot drive. Resides on a forest or tree that is synchronized with the Management Server and has not checked in. The Percentage of Encrypted Endpoints report provides you with a pie chart display of the percentage of computers that are encrypted versus the percentage that are not. The numerical breakdown is provided beneath the chart. Mac clients will not be included in this report. Removable Storage Client Deployment Report The Removable Storage Client Deployment report provides a pie chart comparison of the percentage of computers installed with Removable Storage versus the percentage that are not. You can filter the results based on date. The numerical breakdown is provided beneath the chart. Mac clients are not included in this report. Removable Storage Details Report The Removable Storage Details report provides the latest details on the Removable Storage policy settings for each reporting client. Removable Storage Password Aging Report Custom Reports The Removable Storage Password Aging report provides the latest details on password aging settings for the Removable Storage default passwords and session default passwords. The custom reports feature allows you to create your own reports that you can run or edit at a later time. You can create subfolders to organize your custom reports. Right-click Custom Report and choose New Report to open the Query Editor. Click Save when you are done and type in a name for the new report. Specify the filter criteria for your custom report in the three tabs of the Query Editor. For a list of all possible filter criteria, see Client Computer Data Available from Users and Computers and Basic Reports on page 10. While only Symantec Endpoint Encryption version numbers will be available in the Client Version area, the selection of a Symantec Endpoint Encryption version number will result in the retrieval of not only the records of Client Computers installed with the selected Symantec Endpoint Encryption version, but also the Client Computers installed with the equivalent GuardianEdge Framework version. For example, if you