Endpoint Encryption

 View Only

  • 1.  Making Changes to SEE Install - How to do it without decrypting & reinstalling?

    Posted Dec 29, 2009 12:40 PM
    Hi,
     
    I've been trialling SEE for a few days and have a question on how to make change to an installation once a laptop has been installed & encrypted!
     
    When initially setting up my test laptop I used the defaults for the Framework Client & Hard Disk Client settings. These were settings like minimum 7 characters for answers to the authenti-check questions, and using the default SEE logo for the pre-windows environment. However, now I'd like to tailor & customize the install a bit more, and would like to decrease the minimum number of characters to the authenti-check questions to 4, and create my own custom logo. I've added these setting to 2 the new Framework & Full Disk edition client MSI installs, but when I run them on the target laptop, it asks if I want to uninstall the existing installation, if I say yes, it fails because the drive is encrypted. So it appears if the only way to make these kinds of changes is to decrypt the drive, uninstall the existing installation, and then reinstall with the 2 new MSIs! Is this correct?
     
    I've previously used McAfee Endpoint Encryption (when it was Safeboot) and these kind of changes could be pushed out on the fly, by simply making the changes in the management console, then when the client next connected to the management server, it would download any changes, or new files, and update itself! Isn't SEE capable of doing this?

    Any help or suggestions would be appreciated!

    Ben


  • 2.  RE: Making Changes to SEE Install - How to do it without decrypting & reinstalling?

    Posted Dec 29, 2009 04:48 PM
    If you have AD sync clients then you manage the settings via software settings GPO.

    If you do not have AD sync then you use the native policy wizard and assign policies to groups that you create under SEE unassigned.


  • 3.  RE: Making Changes to SEE Install - How to do it without decrypting & reinstalling?

    Posted Dec 29, 2009 06:49 PM
    Hi Jeremy,

    Thanks for the reply.

    The SEE module under the Software Settings GPO does not seem to have settings for the Authenti-check questions, or anywhere where I can specify a new bmp image for the pre-windows environment. Under the SEE FD module > Startup, I can tell it to use the SEE logo, or tell it to use a custom logo, however I can't specify a new custom logo.

    I've read through the install guide again, and found how to update an existing installation using the upgrade tab under Software Installations.

    Ben


  • 4.  RE: Making Changes to SEE Install - How to do it without decrypting & reinstalling?

    Posted Dec 30, 2009 03:39 PM
    Unfortunately some of the configuration options must be selected at the time of install as they are then included in the MSI package.

    One example is the .bmp for the custom logo. Another example is client - server communication settings (which server the SEE client uses).




  • 5.  RE: Making Changes to SEE Install - How to do it without decrypting & reinstalling?

    Posted Dec 30, 2009 09:41 PM

    Hi there,

    When you edit a GPO under user settings when you expand software settings >> Guardianedge >> GE Framework >> you have option for authenti check questions .... You can make the changes there and push the policy to the client machines .....

    For the custom logo - right now there is no option ...... you need to set is while you create packages .....


  • 6.  RE: Making Changes to SEE Install - How to do it without decrypting & reinstalling?

    Posted Jan 04, 2010 05:23 AM
    Hi Vaibhav,

    Thanks for the reply!

    I hadn't seen that setting under user settings, I was only looking at the computer settings for SEE, as I assumed these GPO settings would be computer wide!

    This brings up 2 questions of GP usage and SEE:

    1) If I set the authenti-check minimum answer length to 10 in the MSI install, but then change the setting in the GP to 5 and apply it, presumably the setting 5 take precedence. However, what happens when the GP is deleted, or the user moved to an OU where that setting isn't set? Does the GP setting remain in place, or does it revert back to the original MSI setting?

    2) How does this setting get affected by multiple users, with multiple GPs? I.e. user A is in an OU where the authenti-check setting is 10, user B is in an OU where the authentic-check setting is 5. When the users logon, which take precedence? Is it aware of the GP setting for each user during the pre-windows authentication environment?

    Thanks

    Ben

    P.S. Wish list to Symantec for SEE v7.0.5/v8: Would it be possible to specify a custom BMP image in the GP settings? I.e. if you could reference a server location as \\server1.domain.local\shares\see-logo.bmp in the GP, then have SEE download the logo from that location, (which could even be a URL for external clients)! If it can't find a new logo, it would just use the existing one, or the default logo!


  • 7.  RE: Making Changes to SEE Install - How to do it without decrypting & reinstalling?

    Posted Jan 04, 2010 05:44 PM
     The authenti-check questions/answers can only be created while the user is logged onto windows and registering for the SEE framework. This means that the user's GPOs will be loaded and the policy in place at the time of registration will be used.


  • 8.  RE: Making Changes to SEE Install - How to do it without decrypting & reinstalling?

    Posted Jan 05, 2010 09:43 PM
    Hi bjblackmore,

     

    <o p=""> </o>

    Once a user gets an authentic check setting – then this cannot be changed --- however if you apply a GPO with 5 characters (earlier being10) – the new users who register on the machine will get 5 character policy. Now if you move this new user with 5 characters to different OU with no policies in place then he will go back to 10 characters – or whatever msi package has.

    <o p=""> </o>

    <o p=""> </o>

    For the second question, again once a user has authenti check settings (if they are according to msi package) then this cannot be changed … however if you place a GP in that OU then new users will get new policy (lets say 5 characters now – earlier being 10). If you move the users to a new OU with new settings then go back to default of msi packages.

    <o p=""> </o>

    To your third question – custom images can be deployed at the time of package creation only. If you have deployed a custom image then you can change to default logo via GP. This is the feature we have till now. Not sure about future J

    Let me know if this answers your question