HOW TO: Deploy Client Installers with PGP Universal Server 2.x

Article:HOWTO41981  |  Created: 2006-09-21  |  Updated: 2013-05-10  |  Article URL http://www.symantec.com/docs/HOWTO41981
Article Type: How To



Note: This article pertains to a version of PGP Universal Server that has reached End of Support Life (EOSL) as of April 1st 2012. For more information on the End of Support Life dates for PGP Software products, see the following article here.

This article provides step-by-step instructions to assist administrators in creating and managing custom client deployments of PGP Desktop and PGP Universal Satellite. Once installed, clients can obtain updated policies and client updates from the PGP Universal Server.


 

HOW TO: Deploy Client Installers with PGP Universal Server

PGP Universal Satellite and PGP Desktop Client installers securely retrieve policies and keys from their originating PGP Universal Server. These installers can perform encryption and decryption at the user's desktop, providing true end-to-end security. You can create different default settings for various user groups and also manage policies to centrally enforce your security policy.

There are two ways to manage which users get assigned to which user group policies. First, you can bind the policy to the installer and distribute the installer. With this method, you will not be able to change which policy each user is bound to without having the user reinstall their client software.

Second, with LDAP directory synchronization enabled, you can assign policies to internal users based on their directory attributes, and switch which policy they are bound to by changing their LDAP attributes or the LDAP attributes of the user group. The next time the user interacts with the server, they receive new settings based on the policy they are now bound to.

The ability to manage PGP Desktop deployments falls under the Internal User Policy section of the PGP Universal Server administrative interface (this functionality was previously in a separate application called PGP Admin).

You can create PGP Desktop installers for your internal users with one of three available policy settings:
 

  • No policy settings. In this scenario, you create a PGP Desktop installer with no policy settings, which means that you, the PGP administrator, have no way to control how your users use PGP Desktop on their systems.

     
  • Auto-detect policy. In this scenario, which is only available if you have an LDAP directory and have enabled the Directory Synchronization feature, PGP Desktop will coordinate with the PGP Universal Server and link to the correct user policy. Policy settings for your PGP Desktop users are determined by the email address of the user and their attributes in your LDAP directory. Based on these attributes, the appropriate user policy is applied. If you later create a new user policy and the user's attributes match the group to which the policy applies, the policy for the PGP Desktop user will be switched to the more appropriate policy. If you have not created any custom user policies, the default internal users policy will be applied.

     
  • Preset policy. In this scenario, you select a user policy to apply to the installer you are creating. All of the users who get this installer are bound to the selected policy. If you change the settings of the policy later, those settings that are not implemented at installation (such as creating a PGP Virtual Disk volume) will be modified for the PGP Desktop users who are bound to this policy. If you have not created any custom user policies, the default internal users policy will be the only user policy you can apply to the installer.

 

You must have a PGP Desktop license to create customized PGP Desktop installers. You can use the same license for all your policies, but unless you clone your user settings from a policy that already has license information entered, you will need to enter the license information into each policy individually.

You cannot upgrade or install a PGP Desktop 9.5 bound client to PGP Universal 2.0.x. You must upgrade your PGP Universal Server to version 2.5/2.6 to support PGP Desktop 9.5 bound clients. PGP Universal 2.5/2.6 does support 9.0.x clients.


 

 

Configuring PGP Desktop Settings

PGP Desktop settings can be established for the default internal user policy as well as any custom internal user policy you create. Each of these can have different sets of PGP Desktop settings.

To Establish PGP Desktop Settings:

 

  1. Click on Policy then Internal User Policy in the Administrative interface.
     
  2. On the Internal User Policy card, click the name of the Internal Users: Default policy or a custom internal user policy such as Test Policy.

    The possible PGP Desktop settings are the same for both types of policy.

     
  3. Click the Edit button for PGP Desktop Settings.

    The PGP Desktop Options screen appears with the General tab options showing by default.

    Check Allow users to change options if you want your PGP Desktop users to be able to change the options that you, the PGP administrator, establish.

    Check Allow users to override mail policy if you want your PGP Desktop users to be able to take actions that override the mail policy of this PGP Universal Server.

    Check Allow user-initiated key generation if you want your PGP Desktop users to be able to create new keys and subkeys in addition to the key created during installation.

    Check Allow user-initiated key signing if you want your PGP Desktop users to be able to sign keys.

    Check Allow conventional encryption and self-decrypting archives if you want your PGP Desktop users to be able to conventionally encrypt files (using a passphrase instead of a key) or create self-decrypting archives (SDAs).

    Check Encrypt/Decrypt AOL Instant Messenger conversations if you want instant messages (IM) between users of AOL Instant Messenger to be protected.  IMs will only be protected if both users are running PGP Desktop with this option enabled.

    Check Search for keys on PGP Desktop keyrings when encrypting or verifying email to allow users to import keys into the PGP Desktop keyring so that the client can encrypt or verify messages without needing to refer to the PGP Universal Server for key information. This allows PGP Desktop to operate as if it were not bound to the PGP Universal Server, even if it is bound.

    Check Add a comment to secured email if you want the text you enter in the box to be appended to clear-signed PGP blocks, including exported key files, and encrypted files and text.

    Check Allow the user to create and manage PGP NetShare folders if you want users to be able to create and manage PGP NetShare protected folders. When this option is disabled, users can participate in a PGP NetShare Work Group that someone else has created, but cannot create files themselves.

    Check Allow user to enable Advanced User mode if you want PGP NetShare users to protect individual files that are moved out of a Protected Folder.

    Check Always encrypt to user's key if you want every message your PGP Desktop users send to be encrypted to their key. This is in addition to any other user- or system-specified key, for example, the ADK.

    Check Automatically synchronize keys with servers if you want PGP Desktop to automatically keep your users' keys synchronized with configured servers.

    Check Automatically set up Key Reconstruction if you want key reconstruction to be available when new keys are created. The key reconstruction data is stored on the PGP Universal Server.

    Check Show PGP Desktop in system tray/menu if you want a PGP Desktop padlock icon to display in the system tray of Windows users or the system menu of Mac OS X users when PGP Desktop is active on their systems. The icon provides access to some PGP Desktop features without requiring users to launch the whole application.

     
  4. Click on the Licensing tab of the PGP Desktop Options screen to add or change PGP Desktop 9.0 or 9.5 licenses.

    Enter in the appropriate licensing information.

     
  5. Click on the File & Disk tab of the PGP Desktop Options screen to manage PGP Virtual Disk and Whole Disk options.

    Enter the Number of shredder passes. The default is 3. The larger the number, the more secure the shred, but it may take a little longer.

    Check Warn user before shredding files if you want your PGP Desktop users to be warned before files on their system are shredded (securely deleted).

    Check Automatically shred when emptying the Recycle Bin/Trash if you want files that are deleted from your PGP Desktop users' systems to be shredded instead of just deleted.

    Check Automatically create PGP Disk upon installation if you want a PGP Virtual Disk volume created automatically on your PGP Desktop users' systems.

    Check Unmount when inactive for X minutes if you want your PGP Desktop users' PGP Virtual Disk volumes to be automatically unmounted after the specified number of minutes of inactivity.

    Check Unmount on system sleep if you want your PGP Desktop users' PGP Virtual Disk volumes to automatically unmount if the system goes to sleep. Some systems don't support sleep mode, so this option would not apply.

    Check Prevent sleep if disk(s) cannot be unmounted if you want your PGP Desktop users' machines not to sleep if, for some reason, a volume cannot be unmounted. Using this option could prevent loss of data.

    Check Allow user-initiated whole disk encryption and decryption if you want your PGP Desktop users to be able to encrypt the whole disk drive on their system. Your PGP Desktop license must support whole disk encryption if you want to use this feature.

    Check Encrypt disks to existing Windows password (Single Sign-On) to enable users to log into PGP Whole Disk at the same time they log into their computer.

    Check Maximum CPU Usage to make encrypting PGP Whole Disk faster by using more CPU.

    Check Power failure safety to allow the user's computer to track the progress of PGP Whole Disk encryption so that in case power fails during encryption, the computer can recover the data and restart encryption.

    Check Enable administrators to recover disks remotely if you want to be able to remotely recover a disk that has been whole disk encrypted.

    Check Automatically encrypt boot disk upon installation if you want your PGP Desktop users to automatically have their boot volume whole disk encrypted when they install PGP Desktop on their system.

    Check Require Aladdin eToken Pro for hardware security if you want to require that your PGP Desktop users who whole disk encrypt their systems have an Aladdin eToken Pro installed to use the data that has been whole disk encrypted. Users will not be able to complete the installation of PGP Desktop without setting up token use.

     
  6. Click on the Policy Options: Default link at the top of the page, then click the Edit button for Key Settings.

    The Key Settings Options screen appears with the Generation tab options showing by default.

    Choose your Key Type, Key Size, Supported Ciphers, and Key Renewal Options.

     
  7. Click on the Management tab.

    Choose which Key Modes will be available to your clients.

     
  8. Click on the Options tab.

    Choose your Passphrase Requirements, Smartcard options, and your Lotus Notes options.
     

Create a PGP Desktop Installer

Creating PGP Desktop installers for your users is slightly different depending on the policy settings you want to use. All three procedures include configuring settings on the PGP Desktop card.  The available policy settings are No Policy, Auto-Detect Policy, and Preset Policy.  See the beginning of this article for a description of each type of policy.

 

  1. Click the Policy card, then the Internal User Policy tab on the Administrative interface.
     
  2. Click Download Client.

     
  3. Next to Client, select PGP Desktop from the pull down menu.

     
  4. Next to Platform, use the pull down menu to select the desired platform (Windows or Mac).

     
  5. Click the Customize checkbox. (If you do not check it, the installer is configured with No Policy and the client will not be managed by the PGP Universal Server.) Select either Auto-detect Policy or Preset Policy. If you choose Preset Policy, use the pull down menu to select which policy you would like applied to this installer.

    Note: The auto-detect policy is only available if you have an LDAP directory and have enabled Directory Synchronization. Policy settings for your PGP Desktop users are determined by the email address of the user and their attributes in your LDAP directory. Based on these attributes, the appropriate user group policy is applied. If you later create a new user group policy and the user's attributes match the group to which the policy applies, the policy for the PGP Desktop user will be switched to the more appropriate policy. If you have not created any custom user group policies, the default internal users policy will be applied.

     
  6. Enter the Universal Server name beside PGP Universal Server.
     
  7. Enter the mail server name beside Mail Server Binding.
     
  8. Click Download.
     
  9. Browse to where you wish to save the download and click Save.
     
  10. After the download is complete you may use a third-party tool to silently roll out the installer to users. If such a tool is not available, you may simply distribute the executable file to internal users and have them install it.
     

 

Create a PGP Universal Satellite Installer

  1. Click the Policy tab, then the Internal User Policy tab on the Administrative interface.
     
  2. Click Download Client.
     
  3. Next to Client, select Satellite from the pull down menu.
     
  4. Next to Platform, use the pull down menu to select the desired platform (Windows or Mac).
     
  5. Click the Customize checkbox if you wish to manage the PGP Universal Satellite client. Enter the PGP Universal Server and Mail Server Binding information.
     
  6. Click Download.
     
  7. Browse to where you wish to save the download and click Save.
     

Legacy ID: 641

