PGP Remote Disable and Destroy

Transcription

1 PGP Remote Disable and Destroy Configuration Guide 10.2

2

3 The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Version Last updated: December Legal Notice Copyright (c) 2011 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, PGP, Pretty Good Privacy, and the PGP logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED"AS IS"AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR and subject to restricted rights as defined in FAR Section "Commercial Computer Software - Restricted Rights" and DFARS , et seq. Commercial Computer Software and Commercial Computer Software Documentation, as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement. Symantec Corporation 350 Ellis Street Mountain View, CA Symantec Home Page ( Printed in the United States of America

4

5 Contents Introducing PGP Remote Disable and Destroy 1 About PGP Remote Disable and Destroy 1 Components of PGP RDD 1 How PGP RDD Works 1 About PGP RDD Client Anti-Theft States 2 Installation Considerations 5 Planning Your Network Architecture 5 Considerations When Using Multiple PGP Universal Servers 5 Enabling or Disabling PGP RDD in the PGP Universal Server 5 Ports Used by the PGP RDD Service 6 Modifying PGP RDD Ports 6 System Requirements 7 Symantec Products 7 Server Software 7 About PGP Remote Disable & Destroy Licenses 7 Licensing PGP RDD with Intel Anti-Theft 8 About Deploying PGP RDD on Client Systems 9 About the PGP RDD Deployment Process 9 About AT Activated Client Systems 10 Deploying PGP RDD on Client Systems 11 Software Requirements for Client Systems 11 Drivers and BIOS Requirements for Client Systems 12 Hardware Requirements for Client Systems 12 Accessing PGP RDD on the PGP Universal Server 13 Accessing PGP RDD 13 Displaying PGP RDD Data 13 About Intel Anti-Theft Status 13 Decommissioned 14 AT Deactivated 15 Stolen 15 Changing a Computer's Status 15 Exporting PGP RDD System Information 16 Working with Stolen Systems 17 About Stolen Client Systems 17 Recovering a Stolen Client System 17 Identifying the Initial Screen at Power On 18 Recovering Using the Intel BIOS Recovery Screen 18 Recovering Using the PGP BootGuard Screen 19

6 ii Contents Setting PGP RDD Policy 21 Enabling PGP RDD in a Consumer Policy 21 Understanding the Difference Between Consumer and PGP RDD Policies 21 About Consumer Policies 22 About PGP RDD Policies 22 Applying Consumer Policy to Consumer Groups 23 Setting a PGP RDD Policy 23 About the PGP RDD Rendezvous 24 Considerations When Configuring Rendezvous Intervals 25 About PGP RDD Timers 25 Considerations When Setting Your PGP RDD and Consumer Policies 27 Setting a PGP RDD Timer 27 About Decommissioning a Computer 29 Recovering a Decommissioned Client System 29 About Decommissioned Computers 30 Decommissioning a PGP RDD-Enabled Client System 30 About AT Deactivated Client Systems 31 Deactivating a Client System 31 Working with PGP RDD Administrator Roles 33 About PGP RDD Administrator Roles 33 Assigning Roles 34

7 1 Introducing PGP Remote Disable and Destroy About PGP Remote Disable and Destroy PGP Remote Disable and Destroy from Symantec(TM) powered by Intel(R) Anti-Theft Technology (PGP RDD) provides a security solution for lost, stolen, or decommissioned computers. PGP RDD solves the need to keep data secure in mobile environments and comply with increasingly stringent regulations in data security and privacy using the latest Intel AT technology. PGP RDD offers corporate users the option to activate PGP Universal Server's security service and manage hardware-based, client-side intelligence to secure the notebook and/or data if a notebook is lost or stolen. If the client system is lost or stolen, you can remotely disable client systems or disable access to data and securely decommission client systems. Components of PGP RDD The following items are part of the overall PGP RDD installation: PGP Universal Server. The administrative server used to manage client systems. Intel Content License Server (ICLS). The ICLS permit licensing server is the activation site at Intel where client installations are tracked. Managed PGP Desktop client system with PGP Whole Disk Encryption installed. Once PGP RDD policies are applied and the system is encrypted, the client system then becomes PGP RDD-enabled. How PGP RDD Works You deploy PGP RDD to clients you have specified in PGP Universal Server as part of a particular consumer group. For that consumer group, you create a policy that enables PGP RDD with Intel Anti-Theft Technology. You then create a PGP Desktop client installer that uses the policy. A user installs the PGP Desktop client and enrolls with the PGP Universal Server using the method you choose. The client computer is then encrypted with PGP Whole Disk Encryption. During this process, the client receives the policy from PGP Universal Server that enables PGP RDD. PGP RDD in turn activates the Intel Anti-Theft Technology on that client, and the encrypted client moves to a state known as AT Activated. This is the normal operating state for a PGP RDD-enabled client. This state is transparent to the user. The client system operates normally and is protected.

8 2 Introducing PGP Remote Disable and Destroy About PGP RDD Client Anti-Theft States PGP Universal Server then monitors PGP RDD-enabled clients through regular periodic contact between server and client. This contact refreshes the theft status of the computer and is known as a rendezvous. A successful rendezvous indicates to the server that a client is online and controlled by the authorized user. After a missed rendezvous, a timer begins counting down to disable the system. If the client fails to rendezvous successfully before the timer expires, the client is automatically flagged on the server as Stolen. The client is locked down until the user or administrator unlocks the system and returns it to an AT Activated state. Security for the system is local. The computer is disabled when the timers expire. This thwarts a common strategy employed in laptop theft to avoid putting the computer online. Security is also hardware-based, preventing use of the system even if its hard drive is replaced. See About Deploying PGP RDD on Client Systems (on page 9). See Enabling PGP RDD in a Consumer Policy (on page 21). See About the PGP RDD Rendezvous (on page 24). See About PGP RDD Timers (on page 25). See Setting a PGP RDD Policy (on page 23). See Setting a PGP RDD Timer (on page 27). About PGP RDD Client Anti-Theft States A PGP RDD-enabled client is always in one of the following states: AT Activated client systems are clients with PGP RDD currently activated, and which are not marked stolen. This is the normal state for a PGP RDD-enabled client. AT Deactivated client systems do not have PGP RDD-enabled consumer policies or do not support Intel Anti-Theft technology. Stolen client systems are those marked stolen by the administrator or affected when the Disable Timer expired and the Platform Disable policy triggered. Stolen computers are locked and cannot be unlocked without assistance from the administrator. Unsupported client systems do not support Intel Anti-Theft Technology. Note: Computers that do not support Intel Anti-Theft and do not have PGP RDDenabled consumer policies may be listed as AT Deactivated, instead of Unsupported. Decommissioned computers are still encrypted, but the status is AT Deactivated. These computers are listed on the RDD Systems > Deactivated page, but they are no longer protected by Intel Anti-Theft. Use this option when your organization

9 Introducing PGP Remote Disable and Destroy About PGP RDD Client Anti-Theft States 3 removes computers from active use, but still wants to protect the data. For example, if the organization plans to give away or sell the computers to someone who will not have access to PGP Universal Server. See About Intel Anti-Theft Status (on page 13). See Displaying PGP RDD Data (on page 13). See Deactivating a Client System (on page 31). See About Stolen Client Systems (on page 17).

10

11 2 Installation Considerations Planning Your Network Architecture When planning your deployment, keep the following points in mind: The main consideration when planning your deployment of PGP RDD is that the client systems must be able to communicate with the server at their scheduled rendezvous. Missing the rendezvous could lead to locked client systems. Your PGP Universal Server must be able to communicate with the Intel Content License Server. Disruption in communication can lead to activation failures. Considerations When Using Multiple PGP Universal Servers To balance requests to multiple servers, Symantec recommends that you use load balancing on your servers. This ensures that all servers participate in processing the load. When PGP RDD-enabled client computers enroll or perform a rendezvous, they exchange 30 to 40 request and response pairs. Because server replication contains a delay, these requests must be handled and processed by the same server. Your load balancer must be configured so that the same client's requests are processed by the same server during a certain period of time. This is called load balancing stickiness. Symantec recommends that the length of stickiness should be long enough (such as 24 hours, assuming the replication delay will be less than 24 hours) to route requests from one client to the same server. Enabling or Disabling PGP RDD in the PGP Universal Server The PGP RDD service is enabled by default. Warning: If you disable the PGP RDD service while you have AT-Activated computers, the computers will not be able to rendezvous successfully and will eventually lock when the Disable Timer expires. To enable or disable PGP RDD 1 Log in to the PGP Universal Server administrative interface. 2 Select Services > PGP RDD.

12 6 Installation Considerations Ports Used by the PGP RDD Service 3 Do one of the following: To enable PGP RDD, click Enable. The text Intel Anti-Theft Technology is enabled is displayed in the page. To disable PGP RDD, click Disable. The text Intel Anti-Theft Technology is disabled is displayed in the page. Ports Used by the PGP RDD Service The PGP RDD service is enabled by default. Warning: If you disable the PGP RDD service while you have Intel AT-activated computers, the computers will not be able to rendezvous successfully and will eventually lock when the Disable Timer expires. The service requires the following ports to be open. The Intel Anti-Theft Technology Services Port is used for communication between PGP Universal Server and the anti-theft service. External access to this port is not required. The ICLS URL and Port sets the ICLS (Intel Content License Server) URL and port. The ICLS permit server is the activation site at Intel where client installations are tracked. Do not change the default settings unless Symantec Corporation notifies you that it is necessary. You can test the connection to the ICLS from the Options page (PGP Remote Disable & Destroy Administration > Configuration > Options). PGP Universal Server and PGP RDD-enabled client system communication uses the same HTTPS port as you use to access the administrative console (port 9000 by default). Modifying PGP RDD Ports To modify PGP RDD settings 1 Log into the administrative interface. 2 Select Services > PGP RDD. 3 To enable PGP RDD, click Enable. The text Intel Anti-Theft Technology is enabled is displayed in the page. 4 To modify the Intel Anti-Theft Technology Services Port, or the ICLS URL or Port, click Edit. 5 Make the necessary changes, and click Save.

13 Installation Considerations System Requirements 7 System Requirements PGP RDD can only be used with managed PGP Desktop with PGP Whole Disk Encryption installations. Caution: To support PGP RDD, the client and PGP Universal Server must be able to contact each other. Do not activate PGP RDD on a computer that will never contact PGP Universal Server, because the computer will lock. Symantec Products PGP Whole Disk Encryption (PGP WDE) PGP Universal Server PGP Remote Disable & Destroy with Intel Anti-Theft Technology Server Software Linux (CentOS 5.3) Servlet Container (Tomcat) Spring Framework JDK 1.6 Valid SSL Certificate. This certificate to be provided by Symantec. Working connection to Intel ICLS Servers. About PGP Remote Disable & Destroy Licenses Licensing PGP Remote Disable & Destroy with Intel Anti-Theft Technology requires three things: PGP Universal Server license. Intel Anti-Theft Technology is automatically included with the PGP Universal Server license. PGP Remote Disable & Destroy with Intel Anti-Theft Technology license file. You must purchase this license separately from your PGP Universal Server. This human-readable XML file shows the number of seats purchased, the start and end dates of the subscription period, and the license serial number. The license expires at the end of the subscription period. If the license expires, activated systems are not affected and continue to be protected. When you view the license history for an expired license, the entry shows that there are no seats available on that license. You can have more than one active license at a time. When you upload a new license, it does not replace existing licenses; instead, they are cumulative.

14 8 Installation Considerations About PGP Remote Disable & Destroy Licenses PGP Universal Server does not enforce the license to make sure you do not exceed the number of activated computers your license permits. It is possible to activate more computers than your license permits, but the number of activated computers is registered by the ICLS. Activation file. This encrypted activation file is included when you purchase the PGP RDD license file. The activation file registers your license, and enables the ICLS to monitor how many Intel Anti-Theft-activated computers you have. PGP Universal Server sends no information directly to Symantec Corporation. Licensing PGP RDD with Intel Anti-Theft When you purchased a license for PGP RDD, you received two Symantec license files with the file extension.slf.zip: [name1].slf.zip [name2].slf.zip For example, the files are named slf.zip and slf.zip. These files are uploaded to your PGP Universal Server so you can license PGP RDD. To apply the license and activation files 1 From the PGP RDD interface, select Configuration > Options. 2 Click Browse to locate the license file you want to upload. 3 Click Browse to locate the activation file you want to upload. You must have both the license and the activation file. Make sure to select the correct activation file for the license you are uploading. 4 Click Upload License File to upload the license and activation files. 5 Click Save. To test the connection between the PGP Universal Server and the ICLS 1 From the PGP RDD interface, select Configuration > Options. 2 Click Test Permit Server Connection. A message confirms whether or not the server is reachable.

15 3 About Deploying PGP RDD on Client Systems On systems that include Intel Anti-Theft Technology, enabling PGP RDD consists of installing PGP Desktop, enrolling to a PGP Universal Server, and encrypting the disk. All other functions of PGP RDD are managed by the PGP Universal Server. PGP RDD can only be used with managed PGP Desktop with PGP Whole Disk Encryption installations. Caution: To support PGP RDD, the client and PGP Universal Server must be able to contact each other. Do not activate PGP RDD on a computer that will never contact PGP Universal Server, because the computer will lock. About the PGP RDD Deployment Process To roll out PGP RDD in your enterprise, you will perform the following tasks: Step Task Description 1 On the PGP Universal Server, enable PGP RDD. 2 Enter the PGP RDD License and Activation Key. 3 Define the Intel Anti-Theft Technology Services Ports. 4 Create one or more consumer groups for PGP RDD users. 5 Enable PGP RDD in a consumer policy. PGP RDD is a service that you must enable. See Enabling or Disabling PGP RDD in the PGP Universal Server (on page 5). The Intel Anti-Theft (Intel AT) license is an AT permit that is stored on PGP Universal Server in the database. The license is obtained from the Intel Licensing Server during enrollment of PGP RDD client systems and is pushed to the client system. The permit is different for each PGP RDD-enabled computer. See License PGP RDD with Intel AT (see "About PGP Remote Disable & Destroy Licenses" on page 7, "Licensing PGP RDD with Intel Anti-Theft" on page 8). The ports are used for communication between PGP Universal Server and the Anti-Theft service, as well as between the Intel Content License Server and the cilent systems. See Ports Used by the PGP RDD Service (on page 6). Multiple consumer groups (Executives, IT, Marketing) can receive the same PGP RDD-enabled consumer policy, or you can enable PGP RDD for only a subset of your groups. PGP RDD is enabled through a Consumer Policy applied on the client. See Setting PGP RDD in Consumer Policies. 6 Apply consumer policy to consumer groups. Move specific users/groups to the PGP RDD policy. See Applying Consumer Policy to Consumer Groups (on page 23).

16 10 About Deploying PGP RDD on Client Systems About AT Activated Client Systems Step Task Description 7 Create a separate PGP Platform Disable policy for each consumer group. 8 Create a PGP Desktop installer and provide it to users. 9 Install PGP Desktop on client systems. 10 Enroll users through or LDAP. 11 Encrypt the disk on the client system. 12 Verify the client system is activated. Although multiple consumer groups can receive the same PGP RDD-enabled consumer policy, you can apply different PGP RDD policy settings to each different group. The PGP Platform Disable policy is used to configure the specific timer values and resulting actions to take when a computer misses a rendezvous. After you create the consumer policy, create a client installer. See the following sections in the PGP Universal Server Administrator's Guide: Understanding User Enrollment Methods Creating an Installer with Preset Policy Users must have administrative rights to install PGP Desktop. Your users will: Locate the client installer application and double-click it. Follow the on-screen instructions. If prompted to do so, restart the client system. Enrollment is the binding of a client system to a PGP Universal Server. After a client is bound it receives feature policy information from the PGP Universal Server. Once enrolled, users are added to the RDDenabled policy group. If specified by policy, encryption begins automatically. Log in to the PGP Universal Server administrative interface. Select Services > PGP RDD. Click Manage PGP RDD with Intel Anti-Theft Technology. Locate the client system and verify the status of the client system is Activated. About AT Activated Client Systems AT Activated systems are clients systems on which Intel Anti-Theft is activated. These systems are connected to the network and are not marked Stolen. AT-Activation starts automatically after the user enrolls and PGP WDE encrypts the disk. Intel Anti-Theft only activates with encryption at enrollment. Therefore, consumer policies that enable PGP RDD should also force disk encryption at installation. If you have not selected auto-encryption, you can AT activate your client system by manually encrypting the disk. Note: If you use PGP Whole Disk Encryption Command Line to begin encryption, Intel Anti-Theft will not activate.

17 About Deploying PGP RDD on Client Systems Deploying PGP RDD on Client Systems 11 The AT Activated status appears in the PGP Universal Server interface as Activated (pending) until the client system contacts PGP Universal Server at its next scheduled rendezvous. After a successful rendezvous, the status changes to AT Activated. You cannot activate PGP RDD on a system that is already encrypted. You must decrypt the disk before switching a user from a policy that does not support PGP RDD to a policy that does. When the new policy forces re-encryption, Intel Anti-Theft activates. When you recover a locked computer, you must first change the status from Stolen to AT Activated. For more information on laptop recovery, see Recovering Locked Systems. You can change AT Activated computers to Decommissioned or Stolen. You can also change Stolen computers back to AT Activated as part of the recovery process. When you change the status, it appears as pending until the next time the computer completes a rendezvous. Deploying PGP RDD on Client Systems To deploy PGP RDD on client systems 1 Install PGP Desktop. 2 Enroll to PGP Universal Server using or LDAP credentials. 3 Encrypt the disk. Software Requirements for Client Systems Client Software Microsoft Windows XP (32-bit SP2, 64-bit SP3) Microsoft Windows 7 (32-bit and 64-bit) Microsoft Windows Vista (32-bit and 64-bit) Intel Management Engine Chip Note: The Intel Management Engine (ME) chip is not backward-compatible, so you cannot use the 7.x driver ME chip on a computer with a 6.x driver. Computers with a 6.x driver should use ME driver for Intel 5-series chipset-based boards. Computers with a 7.x driver should use ME driver for Intel 6-series chipset-based boards. The Intel ME driver installer works XP, Vista, and Win7, 32-bit and 64-bit OS. The ME firmware driver is available notebook vendors and Intel s web site.

18 12 About Deploying PGP RDD on Client Systems Drivers and BIOS Requirements for Client Systems Drivers and BIOS Requirements for Client Systems Required Drivers BIOS Support Install the Intel MEI drivers for the client computer manufacturer. These drivers are on the installation disks if your computer is made by Hewlett Packard. You can also get the drivers from either the manufacturer's website or from Intel's website. Using the manufacturer's MEI drivers is recommended, but the drivers from Intel are also acceptable. These processors support Intel AT most of the time, but not always. Check the BIOS to see if Intel AT is supported. Intel AT functionality is usually turned on by default in the BIOS. If it is not turned on, you must turn it on manually. The process for turning on Intel AT in the BIOS differs from manufacturer to manufacturer. Contact Intel or technical support for your computer's manufacturer for more information. Hardware Requirements for Client Systems Hardware Intel vpro Core i5 with Intel Anti-Theft Technology Intel vpro Core i7 with Intel Anti-Theft Technology 2nd Generation Intel vpro Core i5 processor with Intel Anti-Theft Technology 2nd Generation Intel vpro Core i7 processor with Intel Anti-Theft Technology

19 4 Accessing PGP RDD on the PGP Universal Server Accessing PGP RDD You can view Intel Anti-Theft data for all the computers managed by the RDD policy. To access PGP RDD 1 Log into the administrative interface. 2 Select Services > PGP RDD. 3 Click Manage PGP RDD with Intel Anti-Theft Technology. 4 Review the computers on the RDD Systems tab. Displaying PGP RDD Data To display PGP RDD data 1 Log into the administrative interface. 2 Select Services > PGP RDD. 3 Click Manage PGP RDD with Intel Anti-Theft Technology. 4 Click Configuration. 5 Under PGP Remote Disable & Destroy Report Fields, select the check boxes for the data you want to display. 6 Click Save. 7 On the RDD Systems page, click the buttons at the top of the page to display data for the specified computers. About Intel Anti-Theft Status The All Systems page displays information about all client computers, including each computer's Intel Anti-Theft status. AT Activated are systems on which Intel Anti-Theft is currently activated. These systems are connected to the network and are not marked Stolen.

20 14 Accessing PGP RDD on the PGP Universal Server Displaying PGP RDD Data AT-Activation starts automatically after the user enrolls and PGP WDE encrypts the disk. Therefore, consumer policies that enable PGP RDD should also force disk encryption at installation. The AT-Activated status appears in the PGP Universal Server interface as Activated (pending) until the client system contacts PGP Universal Server at its next scheduled rendezvous. After a successful rendezvous, the status changes to AT Activated. You cannot activate PGP RDD on a system that is already encrypted. You must decrypt the disk before switching a user from a policy that does not support PGP RDD to a policy that does. When the new policy forces re-encryption, Intel Anti- Theft activates. Make sure that consumer policies enable PGP Remote Disable & Destroy with Intel Anti-Theft Technology. If you have not selected auto-encryption, you can AT activate your client system by manually encrypting the disk. The AT Activated status appears as pending until the computer contacts PGP Universal Server at the next scheduled rendezvous. When you recover a locked computer, you must first change the status from Stolen to AT Activated. For more information recovery, see Recovering Locked Systems. AT Deactivated are computers on which Intel Anti-Theft has been turned off. Deactivated computers are both decrypted and AT Deactivated. Computers that do not support Intel Anti-Theft and do not have PGP RDD-enabled consumer policies are also listed as AT Deactivated. Stolen. Includes computers marked stolen by the administrator, and computers that locked when the Disable Timer expired and the Platform Disable policy triggered. Stolen computers are locked and cannot be unlocked without assistance from the administrator. Unsupported. Computers that do not support Intel Anti-Theft Technology. Computers that do not support Intel Anti-Theft and do not have PGP RDD-enabled consumer policies may be listed as AT Deactivated, instead of Unsupported. You can change AT Activated computers to Decommissioned or Stolen. You can also change Stolen computers back to AT Activated as part of the recovery process. When you change the status, it appears as pending until the next time the computer completes a rendezvous. Decommissioned Decommissioning a computer is the process of deactivating Intel AT, but the disk is still encrypted. When necessary the administrator can decrypt it, reimage it, activate it, and encrypt the disk for a new user. A PGP RDD-enabled client system can be decommissioned, for example, when an employee leaves the company, so that a license can be reused, and so that it can be stored with the secured data. If the client system is decommissioned, then it can be redeployed to another user either as a PGP RDD-enabled client system or a non PGP RDD system.

21 Accessing PGP RDD on the PGP Universal Server Displaying PGP RDD Data 15 AT Deactivated Deactivated computers are both decrypted and no longer protected by Intel Anti-Theft. There are two ways to deactivate a computer. Change the computer's consumer policy to one where PGP RDD is disabled, and disk encryption is not required. For this process to successfully deactivate the computer, PGP Tray must be running and the computer must be able to contact PGP Universal Server. Decrypt the computer. Decryption triggers Intel AT deactivation. If PGP Tray is not running or PGP Universal Server is not reachable, the computer is decrypted but remains activated. In this case, you must manually change the computer's status to Decommissioned. At the next rendezvous, Intel AT deactivates. Disable Intel AT by changing the status to Decommissioned, and then decrypt it. Client computers cannot be decrypted while Intel Anti-Theft is still activated, if PGP RDD is still required by policy. After the computer is deactivated, the license seat for that system can be reused. Warning: You cannot delete users with Intel Anti-Theft-activated computers from the Users list, nor activated computers from the Devices list. When you delete users, all user records are lost. The next time the computer tries to rendezvous with PGP Universal Server, authentication fails and the computer locks. You will not be able to recover the laptop without the PGP RDD recovery passphrase, which is also deleted with the user records, unless you previously exported it. Before you delete an AT Activated user or device, you must deactivate and decrypt the computer. Stolen If a client system is marked Stolen in PGP Universal Server by the administrator, the Platform Stolen policy is triggered the next time the computer completes rendezvous or is restarted. For more information on the Platform Stolen policy, see About PGP RDD Policies (on page 22). The license seat for that system remains active and in use. Changing a Computer's Status To change a computer's status 1 Log in to the PGP Universal Server administrative interface. 2 Select Services > PGP RDD. 3 Click Manage Remote Disable & Destroy with Intel Anti-Theft Technology. 4 Select a new status from the drop-down menu. The new status may appear as pending until the next time the computer completes rendezvous. 5 Click Save.

22 16 Accessing PGP RDD on the PGP Universal Server Displaying PGP RDD Data Exporting PGP RDD System Information The PGP Remote Disable & Destroy (RDD) service logs actions on PGP Universal Server's Logs page. For more information, see System Logs. Access data reports for PGP RDD directly from the PGP RDD interface, not from the PGP Universal Server Reporting or Graphs pages. To export PGP RDD data 1 Open PGP RDD. 2 From Configuration > Options, select what data you want to appear in the systems pages. Possible reported data includes Computer Name, Name, Status, Policy Group, Last Date Connected, and Passphrase. 3 Click Save. 4 From RDD Systems, choose the set of systems for which you want information exported: All, Activated, Deactivated, Stolen, or Unsupported. 5 Click Export Data. All the information on the systems page is exported into a CSV file. If you have permission to view recovery passphrases, the exported file will contain those passphrases. The passphrases are unencrypted plain text.

23 5 Working with Stolen Systems Client systems that are designated as stolen include those systems marked stolen by the administrator, as well as computers that locked when the Disable Timer expired and the Platform Disable policy triggered. Stolen computers are locked and cannot be unlocked without assistance from the administrator. If a computer is lost or stolen, change the computer's status to Stolen to trigger the Platform Stolen policy the next time the computer completes rendezvous or restarts. If the computer never connects to rendezvous, the status changes to Stolen - timer expired when the Disable Timer expires and the Platform Disable policy triggers. When the computer's status is Stolen, you must follow the recovery process to unlock it. When a computer is marked stolen, the license seat for that system remains active and in use. See Recovering a Stolen Client System (on page 17). See Recovering a Decommissioned Client System (on page 29). About Stolen Client Systems Two actions trigger a system's status to change to stolen: If a client system is lost or stolen, users must notify their Administrator, who will then change the client system's status AT Activated to Stolen in PGP Universal Server. This triggers the Platform Stolen policy the next time the client system completes rendezvous or is restarted. If the client system never connects for rendezvous, the status changes to Stolen - timer expired when the Disable Timer expires and the Platform Disable policy triggers. The license seat for the stolen client system is active and in use. For example, if you are traveling, and you accidentally leave your client system at the security checkpoint in an airport, you must contact your administrator to have the client system marked as Stolen. When the client system's status is Stolen, you must follow the recovery process to unlock it. For more information on recovering stolen client systems, see Recovering a Stolen Client System (on page 17). Recovering a Stolen Client System To recover a client system, a user must contact the PGP Universal Server Administrator supporting PGP RDD. To instruct the user during recovery, first identify the screen that appeared after reboot. See Identifying the Initial Screen at Power On (on page 18).

24 18 Working with Stolen Systems Recovering a Stolen Client System Identifying the Initial Screen at Power On Before you can recover a stolen system 1 Instruct the user to power on the client system. On most systems, the Intel BIOS recovery screen appears, followed by the PGP BootGuard screen. If you selected Enable PBA Recovery on the RDD Policies page, however, the Intel BIOS recovery screen is skipped and the PGP BootGuard screen appears. Note: Only certain hardware platforms, such as Panasonic's Toughbook and Let's Note CF models, support this feature. If the user sees three options, they are on the Intel screen. If they are prompted for their user name, passphrase, and domain, they are on the PGP Bootguard screen. Have them tell you which screen they are seeing. If the user is on the Intel screen, see Recovering Using the Intel BIOS Recovery Screen (on page 18). If the user is on the PGP screen, see Recovering Using the PGP BootGuard Screen (on page 19). Recovering Using the Intel BIOS Recovery Screen On the Intel BIOS screen, have the user select one of the following options: To use a passphrase to recover the system, select option 1. To use a recovery token to recover the system, select option 2. Tip: Recovery using Option 1 is faster, because a passphrase is easier to enter than communicating and entering the very long strings that make up a recovery token. To recover a client system using a recovery passphrase To recover a client system when the user has selected option 1 (to use a passphrase), you must provide the recovery passphrase to the user. 1 Log in to the administrative interface. 2 Select Services > PGP RDD. 3 Click Manage PGP RDD with Intel Anti-Theft Technology. 4 Locate the system that was stolen and which you want to recover, and change the status of the client system from Stolen to Activated (pending). 5 Click Passphrase. 6 Provide the current recovery passphrase to the user. The user should enter the recovery passphrase and click OK. If authentication is successful, the PGP BootGuard screen appears on the client system.

25 Working with Stolen Systems Recovering a Stolen Client System 19 7 See Recovering Using the PGP BootGuard Screen (on page 19). To recover a client system using a recovery token To recover a client system when the user has selected option 2 (to use a recovery token), you must provide the recovery token to the user. 1 Log in to the administrative interface. 2 Select Services > PGP RDD. 3 Click Manage PGP RDD with Intel Anti-Theft Technology. 4 Locate the system that was stolen and which you want to recover, and change the status of the client system from Stolen to Activated (pending). 5 Obtain from the user the long string that is displayed when the user pressed option 2 after powering the system on. This string is specified as Platform Recovery ID on the user's system. 6 Log into the administrative interface. 7 Select Services > PGP RDD. 8 Click Manage PGP RDD with Intel Anti-Theft Technology. 9 Locate the system that was stolen and which you want to recover, and click Passphrase. 10 In the Recovery Passphrase dialog box, click Generate Server Recovery Token. 11 Enter the string that the user provided in step 5 and click Generate. The following recovery tokens are generated: Hexadecimal Decimal Base32 12 Provide the string for the Base32 recovery token to the user. The user enters the string and presses Enter. If authentication is successful, the PGP BootGuard screen appears. See Recovering Using the PGP BootGuard Screen (on page 19). Recovering Using the PGP BootGuard Screen To recover using the PGP BootGuard screen 1 To switch from the user name/passphrase prompts to the WDRT prompt, tell the user to press F4. 2 To provide the WDRT to the user, on PGP Universal Server, select Consumers > Users and locate the user associated with this system. 3 Expand the Whole Disk Encryption panel to locate the client system. 4 Click the system's WDRT icon. Provide the displayed WDRT to the user.

26 20 Working with Stolen Systems Recovering a Stolen Client System After the rendezvous occurs, the state of the computer changes from Activated (pending) to Activated in PGP Universal Server. Depending on the server s load, the state change might take 30 seconds to 1 minute.

27 6 Setting PGP RDD Policy Enabling PGP RDD in a Consumer Policy To enable PGP RDD in a consumer policy 1 Log in to the PGP Universal Server administrative interface. 2 On the Consumer Policy page, select the consumer policy for which you want to enable PGP RDD. 3 In the PGP Desktop panel, click Desktop. 4 On the General tab, select Enable RDD with Intel Anti-Theft Technology. 5 Click Save. Understanding the Difference Between Consumer and PGP RDD Policies When working with PGP RDD, note that there are two types of policies that are applied to client systems: Consumer policies You can apply a consumer policy to a consumer group when you create that group or change existing policy on the Group Settings page. PGP RDD policies PGP RDD policies are set for each consumer group in the Edit PGP Remote Disable & Destroy Policies page. The client receives changes to the consumer policy as part of the PGP WDE policy download and changes to the PGP RDD policy during a rendezvous. Both of these policy types can be applied to the same consumer groups, but they are defined separately in PGP Universal Server. See About Consumer Policies (on page 22). See About PGP RDD Policies (on page 22). See About PGP RDD Timers (on page 25). See Enabling PGP RDD in a Consumer Policy (on page 21). See Applying Consumer Policy to Consumer Groups (on page 23). See Setting a PGP RDD Policy (on page 23).

28 22 Setting PGP RDD Policy Understanding the Difference Between Consumer and PGP RDD Policies About Consumer Policies Consumer policies are used when installing client systems and control how these client systems behave. Policies are applied to consumers depending on their group membership and policy group order. The following consumer policies are available on the PGP Universal Server: Default policy Excluded policy You can modify these or create specific new consumer policies to apply to your PGP RDD clients. For example, you can create two policies for the a group, one called PGP RDD Default policy for those clients who should be managed through PGP RDD, and another called PGP RDD Excluded policy. You might apply the PGP RDD Excluded policy to systems that are infrequently used or not high risk and the PGP RDD Default policy to high-risk systems like those that are used for travel or those that contain sensitive data. See Understanding the Difference Between Consumer and PGP RDD Policies (on page 21). See About PGP RDD Policies (on page 22). About PGP RDD Policies Note: To implement a PGP RDD policy, the client system has to be Intel Anti-Theft capable. If it is not, it is considered to be unsupported. In the Edit PGP Remote Disable & Destroy Policies page, after you select a consumer group, you need to select the platform actions to be completed if the client system is stolen or if the Disable timer is triggered. The selections you make and the values you enter for each timer affect only the selected consumer group. The Platform Stolen options determine what happens when you mark a computer stolen. Platform + Data Disable Shutdown on next rendezvous If this option is selected, and the client system is stolen, when the next rendezvous occurs, the client system is shut down. Platform + Data Disable Require passphrase on next boot If this option is selected, and the client system is stolen, the administrator marks the client system as stolen in PGP Universal Server. The client system does not immediately shut down. After a user shuts down his/her client system and restarts, he/she is prompted for the Intel BIOS passphrase. This Intel BIOS passphrase is the same one that a user needs to recover a stolen client system. Note: Users can only get this passphrase from their PGP Universal Server Administrator. After the user enters this passphrase, the PGP BootGuard authentication with WDRT occurs and the recovery process is complete. The Platform Disable Timer options determine what happens when the Disable Timer expires.

29 Setting PGP RDD Policy Applying Consumer Policy to Consumer Groups 23 Platform + Data Disable Shutdown on timer expiration If this option is selected and the Disable timer is triggered, the client system is shut down. Platform + Data Disable Require passphrase on next boot If this option is selected, and the client system is stolen, the administrator marks the client system as stolen in PGP Universal Server. The client system does not immediately shut down. After a user shuts down his/her client system and restarts, he/she is prompted for the Intel BIOS passphrase. This Intel BIOS passphrase is the same one that a user needs to recover a stolen client system. Note: Users can only get this passphrase from their PGP Universal Sever Administrator. After the user enters this passphrase, the PGP BootGuard authentication with WDRT occurs and the recovery process is complete. See Understanding the Difference Between Consumer and PGP RDD Policies (on page 21). See About Consumer Policies (on page 22). Applying Consumer Policy to Consumer Groups Use the following procedure to move specific users/groups to the PGP RDD policy. To apply consumer policy to consumer groups 1 Log in to the PGP Universal Server administrative interface. 2 Select Consumers > Groups. 3 Click your RDD policy. 4 In Users, click View. 5 Click Add Users. 6 Type the user s name and click Save. 7 Repeat step 6 for all the users you want to add to your RDD policy. Setting a PGP RDD Policy To set a PGP RDD policy 1 Log in to the PGP Universal Server administrative interface. 2 Select Services > PGP RDD. 3 Click Manage PGP RDD with Intel Anti-Theft Technology. 4 On the Configuration tab, click Policies. 5 Select the consumer group for which you want to set policy.

30 24 Setting PGP RDD Policy About the PGP RDD Rendezvous 6 For each of the following policy and timer settings, make the necessary changes. Platform Stolen. Sets what happens when you mark a computer stolen. Choose from Platform+Data Disable - Shutdown on next rendezvous or Platform+Data Disable - Require passphrase on next boot. The default option is Platform+Data Disable - Shutdown on next rendezvous. Platform Disable Timer. Sets what happens when the Disable Timer expires. Choose from Platform+Data Disable - Shutdown on timer expiration or Platform+Data Disable - Require passphrase on next boot. The default option is Platform+Data Disable - Shutdown on timer expiration. Enable PBA Recovery. Enables stolen laptops to be unlocked using only the Whole Disk Recovery Token at PGP BootGuard, without requiring a hardware recovery passphrase or Server Recovery Token. This function is not available for all Intel AT-enabled computers. It works with a pre-boot authentication recovery feature specific to only some computers. 7 For each of the timers, specify the value, value type, and (when available), if the timer is enabled. 8 Click Save. The PGP RDD policy has been set for the selected consumer group. See About PGP RDD Timers (on page 25). About the PGP RDD Rendezvous The communication between server and a PGP RDD-enabled client is called a rendezvous. A successful rendezvous indicates that the client is online and in the control of its authorized user. All state and policy changes are made during a rendezvous. The most common outcome of a rendezvous attempt is success. The client continues operating normally after a successful rendezvous until its next rendezvous. The interval between rendezvous is configured as a timer, which counts down until it expires, triggering the next rendezvous. A client automatically retries a missed rendezvous, for example, if the client was powered down during a scheduled rendezvous interval. A series of timers control the behavior of the system after a missed rendezvous. These behaviors include when to retry the rendezvous, how long to wait after the failed rendezvous before disabling the system, and how long after the disable timer s expiration to wait before shutting down the system. See also About PGP RDD Timers (on page 25). See also About PGP RDD Policies (on page 22). See also Setting a PGP RDD Timer (on page 27).

31 Setting PGP RDD Policy About PGP RDD Timers 25 Considerations When Configuring Rendezvous Intervals Setting an interval to a period that is shorter than three days will eventually lead to a number of clients attempting a rendezvous during a weekend when many of the systems are offline. When those clients come online on Monday morning, they will all retry the rendezvous. This can impact PGP Universal Server performance. Symantec recommends that you set a rendezvous interval of seven days and stagger your deployment to spread client rendezvous days across the work week. This sets clients on a regular schedule that may change if vacations or other unusual circumstances take a laptop offline for its regular rendezvous interval, but will otherwise stay relatively consistent and avoid Monday morning load. To prevent a large group of rendezvous from occurring at the same time of day, you can add a random delay that triggers when the rendezvous timer expires. When a rendezvous is overdue, the rendezvous randomization timer triggers a random value between 0 and the maximum specified value set in PGP Universal Server. If the rendezvous timer expires and rendezvous is unsuccessful, the client waits until the random interval to retry the rendezvous. For example, if a rendezvous was due at 8:30 AM on Wednesday, but the computer was offline until 9:00 AM, the client attempts a rendezvous at 9:00 AM plus a random value between 0 and the configured number of minutes. About PGP RDD Timers As a part of your PGP RDD policy, you specify the action to take if a client system misses its rendezvous. A variety of timers determines when the next action is triggered and the result on the client system after the set interval for that trigger has expired. For each timer, you can type a number value and select an amount of time. The following timers are available: Timer Disable Timer Unlock Timer Description This Intel AT timer is triggered when a rendezvous does not occur during the set time interval. When the Disable Timer expires, the computer moves to a Stolen state and the PGP RDD Platform Stolen policy is executed. This timer is enabled by default. To disable the timer, deselect the Enabled check box. This timer allows the recovery process from a Stolen state to begin. The user must enter the Intel recovery token before the time interval expires. For example, if this timer is set to 30 minutes, the user has 30 minutes to get the Intel recovery token from the administrator and enter it before the computer shuts down again. This timer is enabled by default. To disable the timer, deselect the Enabled check box.

32 26 Setting PGP RDD Policy About PGP RDD Timers Timer Grace Timer PBA Login Timer Rendezvous Timer Kill Timer Rendezvous Randomization Rendezvous Retry Interval Description This Intel AT timer is dependent on the Disable timer. If the Disable timer is triggered and then expires during a sleep or hibernation state, when the computer resumes, the Grace timer starts. Note: If the computer is in an On state and the Disable timer expires, the computer shuts down immediately. Following is an example of the Grace timer's usefulness: A computer misses its rendezvous and the Disable timer is triggered, beginning its count down. If the computer goes into a sleep or hibernation state and the Disable timer expires, when the computer resumes, the user has a grace period defined by the Grace timer, to authenticate and save their work, prior to the computer shutting down. This timer is enabled by default. To disable the timer, deselect the Enabled check box. (Pre-boot authentication timer) This Intel AT timer is supported only by some Panasonic systems, such as Toughbooks and Let's Note CF models. You enable this recovery option by selecting the Enable PBA Recovery check box on the PGP RDD Policies page. When this option is enabled, during the recovery of a stolen system the Intel BIOS screen does not appear; only the PGP BootGuard screen appears. During the recovery of a stolen machine, the Intel BIOs page does not appear, and only the PGP BootGuard page appears. When the PBA recovery option is enabled, the PBA timer value is the maximum time that a user has to authenticate at the BootGuard page. If the user fails to authenticate in the time allowed for PBA logon, the computer is shut down. This timer is how often the client computer connects to the server. The purpose of this timer is to synchronize the AT status. This timer is similar to the Grace Timer but is only triggered when the computer is marked as Stolen in PGP Universal Server. There is a delay in shutting the computer down, but unlike the Grace Timer--which can be set in seconds, minutes, hours, days, or months--the Kill Timer can only be set in seconds, with a value range of zero or seconds (or the equivalent time in minutes). When a rendezvous is overdue, this timer triggers a random value between 0 and the maximum value set in PGP Universal Server. If there is still no successful rendezvous, because the network cable is not connected, the retry interval is triggered. For example, if a rendezvous was due at 8:30 am on Monday, but the computer was only powered on at 9 am. This means that a rendezvous is overdue on Monday morning. Instead of attempting a rendezvous at 9 am, the computer attempts a rendezvous at 9 am plus a random value between minutes. This timer is triggered when the rendezvous is overdue, because the network cable was not connected. For example, if this interval is set to 45 seconds, the client computer will attempt a rendezvous every 45 seconds until it is successful. See Setting a PGP RDD Timer (on page 27).