
PGP Universal Server policy to disable SSO

Created: 04 Feb 2013 • Updated: 04 Feb 2013 | 10 comments

Can anyone please tell me if there is a way to disable the Single Sign On (SSO) feature in universal server policies?


Tom Mc:

This Knowledge Base Article may help.

When you consider your issue resolved, please click Mark As Solution on the most helpful response.


3L3M3NT:

OK ... so how do you remove the Bootguard sign-on window? I want users to have the drive encrypted but be able to boot into Windows without having to unlock Bootguard, sort of like SEE without preboot engaged.

Alex_CST:

You can't; you need to authenticate with Bootguard to gain access to the MBR for the machine itself. As far as I'm aware you can't bypass it (in normal operation), though you can use smart cards and other methods besides a passphrase.

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

3L3M3NT:

Thank you both for the information. So when I disable SSO, besides being able to use one password to authenticate through Bootguard and Windows, what other benefits do I lose by disabling SSO?

Tom Mc:

The only loss is not being able to enter a passphrase once to directly boot and log in to Windows. You should still be able to use the same passphrase for both, but you will have to enter it twice.


3L3M3NT:

Tom, thanks for the information. We also use PGP file share encryption, AKA NetShare, on some of the higher-profile clients/computers. I chose to use the GKM key mode, just for the ease of key management. I want to make this PGP product as transparent as possible for end users. I'm also in the midst of writing up some quick-start documentation for end users that will be published on our internal web page, and I want to be accurate, so I was hoping you could answer this for me...

Will users be able to enroll in PGP using their AD passwords, and will that key password/passphrase automatically sync when users are required to change their AD passwords under our password policy? Also, if the local key passphrase is automatically synced with AD, will that key also be synchronized with the Universal Server automatically? Or is this just a manual process altogether?


Tom Mc:

I'm not a Universal Server admin, so I'm sure someone else will probably give better responses to these questions than I can.


Alex_CST:

Yes, it will sync with AD every time there is a PGP policy heartbeat (default 24 hours, but it can be changed; you should change it to something like hourly), or when PGP Desktop next starts up. Everything is automatic. I don't quite understand why you want to disable SSO; it increases transparency by having users enter their passphrase only once. Why do you want to disable SSO?


3L3M3NT:

Alex,

First off, thanks for the answer. I'm still in the SEE/GuardianEdge world... When you disable the SSO (AKA preboot) option in the SEE/GuardianEdge configuration, it would unlock the MBR and boot into Windows without any user intervention. I know this option is not as secure and is susceptible to Windows exploits, but this is the way the company wanted it. The main reason was that the help desk did not like the password recovery options on the preboot screen: too many codes to have the user key in over the phone. This is why I wanted to disable the PGP Bootguard screen. I'm not sure if the help desk will still complain about entering these 28-digit WDRT tokens, but politics make the decisions in corporate America. Because this is a huge change to our environment, I'm not sure if we will even be using this product anymore because of this Bootguard screen. I really wish there was a way to encrypt the drive without having that Bootguard screen to authenticate through. The main reason we are switching from SEE/GuardianEdge is all the unsupported controller issues on the new laptops we are now getting. We are releasing unencrypted assets because SEE will not run on these machines; PGP WDE will, but now I'm against the wall again. This really sucks!