Symantec Endpoint Encryption Full Disk

Transcription

1 Symantec Endpoint Encryption Full Disk Policy Administrator Guide Version 8.0.1

2 Copyright 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. GuardianEdge and Authenti-Check are either trademarks or registered trademarks of GuardianEdge Technologies Inc. (now part of Symantec). Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED AS IS AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR and subject to restricted rights as defined in FAR Section Commercial Computer Software - Restricted Rights and DFARS , et seq. Commercial Computer Software and Commercial Computer Software Documentation, as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement. Symantec Corporation 350 Ellis Street Mountain View, CA

3 Contents Contents 1. Introduction Overview Directory Service Synchronization Active Directory and Native Policies Manager Console Basics Database Access Endpoint Containers Symantec Endpoint Encryption Roles Policy Administrators Client Administrators User Reporting Overview Basics Client Computers Data Available from Users and Computers and Basic Reports Directory Services Synchronization Data Admin Log Data Client Events Data Device Exemptions Report Data Symantec Endpoint Encryption Users and Computers Symantec Endpoint Encryption Reports Basics Active Directory Forests Synchronization Status Client Events Computer Status Report Computers not Encrypting to Removable Storage Computers with Decrypted Drives Computers with Expired Certificates Computers with Specified Users Computers without Full Disk Installed Computers without Removable Storage Installed Device Exemptions Report Percentage of Encrypted Endpoints Full Disk Client Deployment Framework Deployment Non-Reporting Computers Novell edirectory Synchronization Status Custom Reports Resultant Set of Policy (RSoP) Windows System Events Policy Creation & Editing Overview Active Directory Policies Native Policies Policy Options Symantec Endpoint Encryption Full Disk iii

4 Contents Client Administrators Registered Users Password Authentication Token Authentication Authentication Message Communication Single Sign-On Authenti-Check One-Time Password Startup Logon History Autologon Remote Decryption Client Monitor Local Decryption Policy Deployment Overview Active Directory Policies Basics Order of Precedence Forcing a Policy Update Native Policies Basics Symantec Endpoint Encryption Managed Computer Groups Policy Assignment Order of Precedence Forcing a Policy Update Endpoint Support The Management Password Basics Changing the Management Password One-Time Password Program Basics Launch Management Password Method Error Messages Whole Disk Recovery Token (WDRT) Basics Launch Management Password User Identity Token Hard Disk Recovery for Windows Computers Basics Recover DAT File Generation Appendix A. System Event Logging Basics Symantec Endpoint Encryption Full Disk iv

5 Contents Framework System Events List Full Disk System Events List Appendix B. Authentication Method Changes Overview User Experience Appendix C. Policy Settings Honored by Mac Clients Glossary Index Symantec Endpoint Encryption Full Disk v

6 Figures Figures Figure 1.1 Sample Network Configuration Figure 1.2 SQL Server Logon Prompt Figure 2.1 Group Policy Results Wizard, User Selection Figure 2.2 RSoP Report From a Symantec Endpoint Encryption Client Figure 3.1 Framework Computer Policy, Client Administrators Options Figure 3.2 Add New Client Administrator Dialog Figure 3.3 Framework Computer Policy, Registered Users Options Figure 3.4 Framework Computer Policy, Password Authentication Options Figure 3.5 Framework Computer/User Policy, Authenti-Check Options Figure 3.6 Framework Computer/User Policy, One-Time Password Options Figure 3.7 Full Disk Computer Policy, Startup Options Figure 3.8 Full Disk Computer Policy, Autologon Options Figure 3.9 Full Disk Computer Policy, Client Monitor Options Figure 4.1 Symantec Endpoint Encryption Managed Computers, Add New Group Figure 4.2 Name New Group Dialog Figure 4.3 SEE Unassigned, Computer Highlighted Figure 4.4 Symantec Endpoint Encryption Managed Computers Groups Dialog Figure 4.5 Symantec Endpoint Encryption Managed Computers Group Selected Figure 4.6 Policy Selection Dialog Figure 4.7 Native Policy Assignment Confirmation Figure 4.8 Symantec Endpoint Encryption Managed Computers Policy Assigned Figure 5.1 Management Password Snap-in Figure 5.2 Management Password Changed, Confirmation Message Figure 5.3 One-Time Password, Welcome Figure 5.4 One-Time Password, Management Password Figure 5.5 One-Time Password, Method Selection, Online Figure 5.6 One-Time Password, Online Method, Identifying Information Figure 5.7 One-Time Password, Online Method, Response Key Figure 5.8 One-Time Password, Method Selection, Offline Figure 5.9 One-Time Password, Offline Challenge Key Figure 5.10 One-Time Password, Offline Response Key Figure 5.11 One-Time Password, User Record Not Found Figure 5.12 One-Time Password, Invalid Code Synchronization Figure 5.13 Whole Disk Recovery Token, Welcome Figure 5.14 Whole Disk Recovery Token Program, Management Password Figure 5.15 Whole Disk Recovery Token Program, Identify User Figure 5.16 Whole Disk Recovery Token Program, Token Characters Figure 5.17 Manager Console, Computer in Need of Recovery Highlighted Figure 5.18 Management Password Prompt Figure 5.19 Recovery Password Prompt Figure 5.20 Recovery Data Export Dialog Figure 5.21 Recovery Data Export Success Message Symantec Endpoint Encryption Full Disk vi

7 Tables Tables Table 1.1 Active Directory and Native Policies Compared Table 2.1 Client Computer Data Available from Main Window of Users and Computers and Basic Reports Table 2.2 Client Computer Data Available from Computer Info Tab Table 2.3 Client Computer Data Available from Framework Tab Table 2.4 Client Computer Data Available from Full Disk Tab Table 2.5 Client Computer Data Available from Removable Storage Tab Table 2.6 Client Computer Data Available from Associated Users Tab Table 2.7 Fixed Drives Data Table 2.8 Directory Services Synchronization Data Table 2.9 Admin Log Data Table 2.10 Client Log Data Table 2.11 Device Exemptions Report Table 2.12 Symantec Endpoint Encryption Version Numbers and Equivalent GuardianEdge Version Numbers. 17 Table A.1 Framework System Events Table A.2 Full Disk System Events Table B.1 Effect of a Change in Authentication Method on Existing User Accounts Table C.1 Policy Settings Honored by Mac Clients Symantec Endpoint Encryption Full Disk vii

8 Introduction 1. Introduction Overview Symantec Endpoint Encryption Full Disk protects data on laptops and PCs from the threat of theft or loss with strong, centrally managed encryption, auditing, and policy controls for hard disks and partitions, ensuring that the loss of a machine and its data does not result in disclosure required by corporate policy or government regulation. As part of Symantec Endpoint Encryption, Full Disk leverages existing IT infrastructures for seamless deployment, administration, and operation. Symantec Endpoint Encryption is comprised of Full Disk, Removable Storage, and Framework. Framework includes all the functionality that is extensible across Symantec Endpoint Encryption. It allows behavior that is common to both Removable Storage and Full Disk to be defined in one place, thus avoiding potential inconsistencies. The following diagram depicts a sample network configuration of Symantec Endpoint Encryption. SOAP over HTTP Group Policy LDAP Database Server TDS TLS/SSL Domain Controller Client Manager Computer edirectory Server Management Server Client your-org.com Client your_tree Client Figure 1.1 Sample Network Configuration The Active Directory domain controller and Symantec Endpoint Encryption Management Server are required. Multiple domains, forests, trees, and Symantec Endpoint Encryption Management Servers are supported. A database server is recommended, but the Symantec Endpoint Encryption database can also reside on the Symantec Endpoint Encryption Management Server. If a database server is chosen to host the Symantec Endpoint Encryption database, the database server can be located inside or outside of Active Directory. The Manager Console can be installed on multiple Manager Computers. It can also be installed on the Symantec Endpoint Encryption Management Server. It must reside on a computer that is a member of Active Directory. Symantec Endpoint Encryption Full Disk 1

9 Introduction The Novell edirectory tree, Active Directory group policy communications, and TLS/SSL encryption are optional. Directory Service Synchronization Synchronization with Active Directory and/or Novell edirectory is an optional feature. If enabled, then the Symantec Endpoint Encryption Management Server will obtain the organizational hierarchy of the specified forest, domain, and/or tree and store this information in the Symantec Endpoint Encryption database. It also keeps this information up to date. This improves performance during Client Computer communications with the Management Server, as the Management Server will be able to identify the Client Computer without having to query the Active Directory domain controller and/or the Novell edirectory server. When you open the Manager Console, you will have your Active Directory and/or Novell endpoints organized just the way that they are in the directory service, easing your deployment activities. In addition, you will have records of computers that reside in the designated forest, domain, or tree, even if these computers do not have any Symantec Endpoint Encryption products installed and/or have never checked in with the Management Server. This will allow you to run reports to assess the success of a given deployment and gauge the risk that your organization may face due to unprotected endpoints. The timing of the synchronization event differs according to the directory service. Whereas Novell informs the Management Server of any changes that may occur, the Management Server needs to contact Active Directory to obtain the latest information. Synchronization with Active Directory is set to occur once every fifteen minutes. Active Directory and Native Policies Active Directory policies are designed for deployment to the users and computers residing within your Active Directory forest/domain. Active Directory policies can be created and deployed whether synchronization with Active Directory is enabled or not. Native policies are designed for deployment to computers that are not managed by Active Directory. Should you wish to deploy native policies to computers that are managed by Active Directory, you must turn synchronization with Active Directory off. The following table itemizes the differences between Active Directory and native policies. Table 1.1 Active Directory and Native Policies Compared Active Directory Policies Native Policies Certain policies are deployed to users and others are Policies can only be applied to computers. deployed to computers. Policies applied in Local, Site, Domain, OU (LSDOU) order of precedence. Single pane policy creation/deployment. Policies are obtained from the domain controller and applied at each reboot. An immediate policy update can be forced using the gpupdate \force or secedit command. Ignored by Mac clients Policies are applied in Computer, Subgroup, Group (CSG) order of precedence. Each pane must be visited when creating the policy. Policies are applied when the client checks in with the Symantec Endpoint Encryption Management Server. An immediate policy update can be forced by clicking Check In Now from the User Client Console. Honored by Mac clients Symantec Endpoint Encryption Full Disk 2

10 Introduction Manager Console Basics The Manager Console contains the following Symantec Endpoint Encryption snap-ins: Symantec Endpoint Encryption Management Password allows you to change the Management Password. The Management Password controls administrator access to two Full Disk help desk functions: Recover /B and the Help Desk Program. Symantec Endpoint Encryption Software Setup is used to create client installation/migration packages. Symantec Endpoint Encryption Native Policy Manager escorts you through the process of creating a computer policy for clients not managed by Active Directory, such as Novell and other clients. Symantec Endpoint Encryption Users and Computers displays the organizational structure of your Active Directory forest and/or Novell tree; allows you to organize clients not managed by either Active Directory or Novell into groups; provides the ability to export computer-specific Recover DAT files necessary for Recover /B. Symantec Endpoint Encryption Reports includes reports to allow you to obtain endpoint data, Policy Administrator activity logs, and directory service synchronization configuration. In addition, you will be able to export computer-specific Recover DAT files and create your own custom reports. SEE Help Desk Program (optional) enables you to assist Windows or Mac users that forgot their credentials. You can also assist Windows users that have been locked out for a failure to communicate with the Management Server. It also contains the following Microsoft snap-ins to help you manage your Active Directory computers: Active Directory Users and Computers allows you to both view and modify your Active Directory organizational hierarchy. Group Policy Management lets you manage group policy objects and launch the Group Policy Object Editor (GPOE). Within the GPOE you will find Symantec Endpoint Encryption snap-in extensions that allow you to create and modify Symantec Endpoint Encryption user and computer policies for Active Directory managed computers. Depending on your responsibilities, you may not have access to all of these snap-ins. These restrictions, if any, will be effected as part of the privileges associated with your Windows account. Database Access Your Windows account may have been provisioned with rights to access the Symantec Endpoint Encryption database. If so, ensure that you are logged on to Windows with this account before launching the Manager Console. If you are not logged on to Windows with read and write access to the Symantec Endpoint Encryption database at the time that you launch the Manager Console, you will be prompted for your SQL or Windows credentials. Figure 1.2 SQL Server Logon Prompt Symantec Endpoint Encryption Full Disk 3

11 Introduction The Server name and Initial catalog fields will contain the information that was provided when this Manager Console was installed. In general, you should not modify the default contents of these fields. Circumstances that require you to edit these entries would be unusual, such as the loss of your primary Symantec Endpoint Encryption database. In such a situation, you could edit the Server name and Initial catalog fields to connect to a disaster recovery site. The syntax used in the Server name field is as follows: computer name,port number\instance name While the NetBIOS name of the server hosting the Symantec Endpoint Encryption database will always be required, the TCP port number will only be necessary if you are using a custom port, and the instance name will only be needed if you are using a named instance. The custom port number would need to be preceded by a comma and the instance name by a backslash. To use a SQL account, select SQL Authentication and type the SQL user name in the User name field. Otherwise, select Windows Authentication and type the Windows account name in NetBIOS format in the User name field. Type the account password in the Password field. Click Connect to authenticate. If you don t wish to authenticate to the Symantec Endpoint Encryption database at this time, click Cancel. You may receive one or more error messages following cancellation. You will receive additional prompts upon attempting to access the individual Symantec Endpoint Encryption snap-ins in the console. Endpoint Containers Basics The Symantec Endpoint Encryption Manager will place each endpoint into one or more of the following containers: Active Directory Computers, Novell edirectory Computers, or Symantec Endpoint Encryption Managed Computers. Active Directory/Novell edirectory Computers No computers will be placed in the Active Directory Computers or Novell edirectory Computers containers unless synchronization with the directory service is enabled. If synchronization with Active Directory is enabled, the Active Directory Computers container will be populated with the computers in the Active Directory forest/domain. If synchronization with Novell is enabled, the Novell edirectory Computers container will hold the computers in the Novell tree. If synchronization with both directory services is enabled and the computer is managed by both, it will appear in both containers. Computer and user objects located within the Active Directory and/or Novell containers cannot be moved or modified with Symantec Endpoint Encryption snap-ins. Symantec Endpoint Encryption Managed Computers Computers located within the Active Directory Computers and/or Novell edirectory Computers containers will not be shown in the Symantec Endpoint Encryption Managed Computers container. Only computers that have checked in with the Management Server will be shown in the Symantec Endpoint Encryption Managed Computers container. Whether a computer is placed in the Symantec Endpoint Encryption Managed Computers container or not following check in will vary depending on whether synchronization is enabled or not. If synchronization is not enabled, all Client Computers that have checked in will be placed in the Symantec Endpoint Encryption Managed Computers container. If synchronization is enabled, only Client Computers that have checked in that do not reside within the designated Active Directory forest/domain and/or Novell tree will be placed in the Symantec Endpoint Encryption Managed Computers container. Symantec Endpoint Encryption Full Disk 4

12 Introduction Computers located within the Symantec Endpoint Encryption Managed Computers container should be grouped into the organizational structure that you desire. Deleted Computers The Deleted Computers container stores Symantec Endpoint Encryption managed computers that have been deleted, allowing you to restore the computer and revert its deletion. Symantec Endpoint Encryption managed computers will remain in the Manager Console even after the client-side software has been uninstalled. To complete the uninstallation of an Symantec Endpoint Encryption managed computer, locate the computer within the Symantec Endpoint Encryption Managed Computers container. Right-click the computer and select Delete. The computer will be removed from the Symantec Endpoint Encryption Managed Computers container and placed in the Deleted Computers container. Should you fail to delete the computer from the Symantec Endpoint Encryption Managed Computers container following uninstallation and then reinstall, you will find two computers with the same name in the Symantec Endpoint Encryption Managed Computers container. Locate the computer with the older last check-in date, right-click it, and select Delete. Symantec Endpoint Encryption Roles Policy Administrators As the Policy Administrator, you perform centralized administration of Symantec Endpoint Encryption. Using the Manager Console and the Manager Computer, you perform one or more of the following tasks: Update and set client policies. Run reports. Change the Management Password. Run the Help Desk Program. Create the computer-specific Recover DAT file necessary for Recover /B. Client Administrators Basics Client Administrators provide local support to Symantec Endpoint Encryption users. Client Administrator accounts are created and maintained from the Symantec Endpoint Encryption Manager. Client Administrator accounts are managed entirely by Symantec Endpoint Encryption, independent of operating system or directory service, allowing Client Administrators to support a wide range of users. Client Administrator passwords are managed from the Manager Console and cannot be changed at the Client Computer. This single-source password management allows Client Administrators to remember only one password as they move among many Client Computers. Mac Client Each Mac client must have at least and no more than one Client Administrator account. The Client Administrator account is specified within the client installation package or policy. It will be created on the client at the time that the encryption of the boot disk is manually initiated. The Client Administrator account cannot be deleted by the user, ensuring administrative access to the Client Computer. The Client Administrator authenticates with a password. Privilege level is ignored by the Mac client. The Client Administrator account cannot be used to initiate encryption. Windows Client Client Administrators may be configured to authenticate with either a password or a token. Symantec Endpoint Encryption Full Disk 5

13 Introduction Each Client Administrator account can be assigned any of the following individual administrative privileges: Unregister users allows Client Administrators to unregister registered users from the Administrator Client Console; Decrypt drives provides Client Administrators with the right to decrypt encrypted disks and partitions from the Administrator Client Console or through the use of Recover /D; Extend lockout permits Client Administrators to extend the Client Computer s next communication date using the Administrator Client Console; and Unlock enables Client Administrators to unlock Client Computers that have been locked for failure to communicate with the Symantec Endpoint Encryption Management Server. Client Administrators are always able to authenticate to Client Computers. Client Administrators should be trusted in accordance with their assigned level of privilege. Each Client Computer must have one default Client Administrator account. The default Client Administrator account has all administrative privileges and authenticates using a password. Only Client Administrators that authenticate with a password and have all administrative privileges can perform hard disk recovery. Up to 1024 total Client Administrator accounts can exist on each Client Computer. Client Administrator accounts have the following restrictions: Client Administrators do not have either of the authentication assistance methods (Authenti-Check and One-Time Password) available. Client Administrators cannot use Single Sign-On. User Basics Full Disk protects the data stored on the Client Computer by encrypting it and requiring valid credentials to be provided before allowing the operating system to load. Users set their own Symantec Endpoint Encryption credentials, which allow them to power the machine on from an off state and gain access to the operating system. Only the credentials of registered users and Client Administrators will be accepted by Full Disk. Mac Client Upon manual initiation of encryption, a user account must be created. Up to 119 users can be added. Windows Client At least one user is required to register with Symantec Endpoint Encryption on each Client Computer. A wizard guides the user through the registration process, which involves a maximum of five screens. The registration process can also be configured to occur without user intervention. Authentication to Full Disk can be configured to occur in one of three ways: Single Sign-On enabled The user will be prompted to authenticate once each time they restart their computer. Single Sign-On not enabled The user must log on twice: once to Full Disk and then separately to Windows. Automatic authentication enabled The user is not prompted to provide credentials to Full Disk; the authentication process is transparent. This option relies on Windows to validate the user s credentials. A maximum of 1024 users can be allowed during the creation of the installation package and can be changed by policy. To ensure the success of this product in securing your encrypted assets, do not define users as local administrators or give users local administrative privileges. Symantec Endpoint Encryption Full Disk 6

14 Reporting 2. Reporting Overview Basics The Manager Console reporting tools allow you to obtain information about: Client Computers, Policy Administrator activities, and Directory service synchronization. Client Computers Data Available from Users and Computers and Basic Reports Basics At the time that a Client Computer succeeds in checking in with the Symantec Endpoint Encryption Management Server, it sends information about itself that is stored in the Symantec Endpoint Encryption database. This section discusses the data available about Client Computers from the following snap-in and reports: Symantec Endpoint Encryption Users and Computers on page 14; Computer Status Report on page 15; Computers not Encrypting to Removable Storage on page 15; Computers with Decrypted Drives on page 15; Computers with Expired Certificates on page 15; Computers with Specified Users on page 15; Computers without Full Disk Installed on page 16; Computers without Removable Storage Installed on page 16; Non-Reporting Computers on page 16; and Custom Reports on page 17. Basic data is shown in the main window and you can double-click a record of interest or right-click it and select Show Selection to obtain further details. If Active Directory and/or Novell synchronization is enabled, you will be able to obtain the computer names and directory service location of any computer located on your forest(s), domain(s), and/or tree(s) even if it has never checked in with the Management Server. While only the computer name and directory service location of these machines will be available, the absence of additional data will allow you to identify computers that are unprotected or have not checked in. Symantec Endpoint Encryption Full Disk 7

15 Reporting Main Window The following table itemizes the data available about Client Computers from the main window. Columns that will be displayed but not populated by Full Disk are identified as not applicable (N/A). Table 2.1 Client Computer Data Available from Main Window of Users and Computers and Basic Reports Column Heading Data Displayed Explanation Computer name computer name Computer name Group name* Last Check-In Decrypted Decrypting Encrypted group name time/date stamp drive letter(s) or disk ID(s) drive letter(s) or disk ID(s) drive letter(s) or disk ID(s) Location of the computer within Symantec Endpoint Encryption Users and Computers The time and date of the last connection that the Client Computer made with the Management Server The drive letter(s) or disk ID(s) of any decrypted drives and/or partitions on this computer The drive letter(s) or disk ID(s) of any drive and/or partitions on this computer that are in the process of decrypting The drive letter(s) or disk ID(s) of any encrypted drive and/or partitions on this computer Encrypting drive letter(s) or disk ID(s) The drive letter(s) or disk ID(s) of any drives and/or partitions on this computer that are in the process of encrypting Version n.n.n The three digit version number of Full Disk that is currently installed Installation Date time/date stamp The time and date on which Full Disk was installed RS Device Access Control* N/A RS Encryption Policy N/A N/A RS Encryption Method N/A N/A RS On-Demand Encryption* N/A N/A RS Access Utility* N/A N/A RS Self-Extracting Archives* N/A N/A * This column is not shown in the Symantec Endpoint Encryption Users and Computers snap-in. This column is not shown in the reports. N/A Computer Info Tab After double-clicking the record of interest or right-clicking it and selecting Show Selection, the data in the following table will be available from the Computer Info tab. Table 2.2 Client Computer Data Available from Computer Info Tab Column Heading Data Displayed Explanation Group group name Location of the computer within Symantec Endpoint Encryption Users and Computers OS operating system name The name of the installed operating system OS Type 32-bit 64-bit The number of bits of memory supported by the installed operating system Serial Number serial number The System Management BIOS (SMBIOS) serial number from WMI_SystemEnclosure class. If the data does not exist on the client, the value will be blank. Symantec Endpoint Encryption Full Disk 8

16 Reporting Table 2.2 Client Computer Data Available from Computer Info Tab (Continued) Column Heading Data Displayed Explanation Asset Tag Part Number asset tag time/date stamp The System Management BIOS (SMBIOS) asset tag from WMI_SystemEnclosure class. If the data does not exist on the client, the value will be blank. The System Management BIOS (SMBIOS) asset tag from WMI_SystemEnclosure class. This data may not exist on the client, in which case it will be blank. Framework Tab After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the data in the following table will be available from the Framework tab. Table 2.3 Client Computer Data Available from Framework Tab Column Heading Data Displayed Explanation FR Version n.n.n The three digit version number of Framework that is currently installed FR Installation Date time/date stamp The time and date on which Framework was installed Last Check-In Time SSL Certificate Expiration Date time/date stamp time/date stamp The time and date of the last connection that the Client Computer made with the Management Server The time and date of the client-side TLS/SSL certificate s expiration Full Disk Tab After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the data in the following table will be available from the Full Disk tab. Table 2.4 Client Computer Data Available from Full Disk Tab Column Heading Data Displayed Explanation FD Version n.n.n The three digit version number of Full Disk that is currently installed FD Installation Version time/date stamp The time and date on which Full Disk was installed Last Check-in SSL Certificate Expiration Date time/date stamp time/date stamp The time and date of the last connection that the Client Computer made with the Management Server The time and date of the client-side TLS/SSL certificate s expiration Partition drive letter The drive letter of the partition that is encrypted, encrypting, decrypted, or decrypting Encryption start time time/date stamp The date and time that encryption was initiated Encryption end time time/date stamp The date and time that encryption completed Decryption start time time/date stamp The date and time that decryption was initiated Decryption end time time/date stamp The date and time that decryption completed Decryption initiated by user name The user name of the user or Client Administrator that initiated decryption Symantec Endpoint Encryption Full Disk 9

17 Reporting Removable Storage Tab After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the data in the following table will be available from the Removable Storage tab. Table 2.5 Client Computer Data Available from Removable Storage Tab Column Heading Data Displayed Explanation RS Device Access Control N/A N/A RS Encryption Policy N/A N/A RS On-Demand Encryption N/A N/A RS Encryption Method N/A N/A RS Exempted File Type N/A N/A RS Recovery Certificate N/A N/A RS Workgroup Key N/A N/A RS Device Exclusions N/A N/A RS Passwords N/A N/A RS Password Aging N/A N/A RS Access Utility N/A N/A RS Self-Extracting Archives N/A N/A RS Version N/A N/A RS Last Upgrade Date N/A N/A RS Installation Version N/A N/A Associated Users Tab After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the data in the following table will be available from the Associated Users tab for Windows endpoints. The Associated Users tab will contain one row of data per registered user or Client Administrator on the Windows Client Computer. If this is a Mac record, no data will be available from the Associated Users tab. Table 2.6 Client Computer Data Available from Associated Users Tab Column Heading Data Displayed Explanation User Name user name The user name of the registered user or Client Administrator account User Type Authentication Method User Domain Reg User Client Admin Password Token Password and Token Unauthenticated name of domain or tree computer name If the account is that of a registered user, Reg User will be displayed. If the account is that of a Client Administrator, Client Admin will be displayed. If the user or Client Administrator uses a password to authenticate, Password will be displayed. If the user or Client Administrator uses a token to authenticate, Token will be displayed. If this is a user and the user has the option to register both a password and a token, Password and Token will be displayed. If the Client Computer has been configured to use automatic authentication, Unauthenticated will be displayed. If the computer is joined to a domain or a part of a Novell tree, the name of the domain or tree will be displayed. If the computer does not belong to either directory service, the name of the computer will be displayed. For Client Administrators, this cell will be blank. Symantec Endpoint Encryption Full Disk 10

18 Reporting Table 2.6 Client Computer Data Available from Associated Users Tab (Continued) Column Heading Data Displayed Explanation Last Logon Time Registration Time time/date stamp time/date stamp If a user, the time and date of the last User Client Console logon. If a Client Administrator, the time and date of the last Administrator Client Console logon. The time and date on which this user registered. If this is a Client Administrator account, the time and date on which the account was created either by MSI or policy update. Fixed Drives Tab After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the Fixed Drives tab will contain one row of data per physical disk drive on the Client Computer. Table 2.7 Fixed Drives Data Column Heading Data Displayed Explanation Disk ID Volume(s) Serial Number digit drive letter number The number of the physical disk, as assigned by the operating system. The operating system will assign a number to each physical disk. The first physical disk will be assigned the number 0 and the rest of the assigned numbers will increment sequentially. The alphabetical letter assigned by the operating system to the logical drive will be identified in this cell. If the drive has been divided into partitions, the letter of each partition will be displayed, separated by commas. The serial number of the physical disk will be displayed. This information is obtained from the device properties. If this data could not be obtained from the device properties, the value will be blank. Directory Services Synchronization Data Your current synchronization parameters are stored in the Symantec Endpoint Encryption database and can be retrieved using the following Symantec Endpoint Encryption Reports: Active Directory Forests Synchronization Status on page 15, and Novell edirectory Synchronization Status on page 16. One row of data per forest or tree will be listed. The following table identifies the data that will be available from these reports. Table 2.8 Directory Services Synchronization Data Column Heading Data Displayed Explanation Forest/Tree Name Administrator Name Administrator Domain* Last Synchronization forest or tree name user name domain time date stamp The name of the forest or tree that you are synchronizing with will be identified in this column. The user name that is being used to authenticate to the directory service server of this forest or tree will be provided in this column. This corresponds to the Active Directory or Novell synchronization account. The Active Directory domain of the Active Directory synchronization account for this forest will be identified. The time and date of the last successful synchronization with this forest or tree will be supplied. Symantec Endpoint Encryption Full Disk 11

19 Reporting Table 2.8 Directory Services Synchronization Data (Continued) Column Heading Data Displayed Explanation Total Computers number The total number of computers in this forest or tree as of the last synchronization will be noted here. This includes all of the computers, not just the Symantec Endpoint Encryption protected endpoints. * This column is not shown in the Novell edirectory Synchronization Status report. Admin Log Data Each time the Policy Administrator makes a change using the Manager Console, the action will be logged. The Admin Log provides a detailed log of all Policy Administrator activities. Log entries can be filtered according to inclusive date and time, user name, and computer name. The following table identifies the data that will be available in the Admin Log report. Table 2.9 Admin Log Data Column Heading Data Displayed Explanation Date-Time User Computer time date stamp user name computer name The time and date on which the activity occurred The Windows user name of the Policy Administrator that initiated the activity The computer name of the Manager Computer from which the activity was initiated Symantec Endpoint Encryption Full Disk 12

20 Reporting Table 2.9 Admin Log Data (Continued) Column Heading Data Displayed Explanation Activity Description Changed Symantec Endpoint Encryption management password Created native policy policy name Renamed native policy old policy name to new policy name Deleted native policy policy name Edited native policy policy name Created new Symantec Endpoint Encryption Managed computer group group name Renamed Symantec Endpoint Encryption Managed computer group old group name to new group name Deleted Symantec Endpoint Encryption Managed computer group group name Assigned native policy policy name to group group name Unassigned native policy policy name from group group name Changed assigned native policy for group group name from native policy old policy name to native policy new policy name Deleted Symantec Endpoint Encryption Managed Computer computer name Moved Symantec Endpoint Encryption Managed Computer computer name from group old group name to new group name Restored Symantec Endpoint Encryption Managed Computer computer name Exported Recover DAT file for computer computer name Initiated One-Time Password online method for user user name on computer computer name Symantec Endpoint Encryption GUID Symantec Endpoint Encryption GUID of computer Initiated One-Time Password offline method for user user name Created Framework client installation package MSI package name Created Full Disk client installation package MSI package name Created Removable Storage client installation package MSI package name Created Autologon MSI package MSI package name Symantec Endpoint Encryption Full Disk 13