
Setting up single PGP password despite multiple users

Created: 19 Mar 2012 | 14 comments

Can you set policies to machines instead of users? If not, any suggestions on the following situation:

A lot of our users have their own laptops, which in turn prompts them to create encryption passwords when they log in. We also have a selection of 'pool' laptops that we would only like a single PGP passphrase for, despite users logging in to Windows as themselves. Is there a way to disable the prompt for encryption on these laptops except for the 'pool' account created specifically to set the single passphrase? Setting a policy to the users to exclude them wouldn't necessarily work in case they then log in to a laptop that should prompt them e.g. their own laptop.

Currently we set up PGP using the 'pool' and then remove PGPTray from startup for All Users to prevent it prompting everyone else for a passphrase, but this isn't ideal as the Universal Server seems to lose details on the machines, causing them to appear blank under Devices.

Anyone else in a similar situation that could give some pointers?


Julian_M:

Pooled laptops should be encrypted to a generic account, so users can use a generic passphrase for WDE and log in to Windows using their own domain password. Once they log in, PGP will require disk encryption according to policy, but won't prompt for it! The disk has already been encrypted...

Did I get the idea?

When you consider the issue resolved, please click Mark As Solution on the post that best provided the solution.

James Hawk:

Yeah, basically I don't want new users to be prompted for encryption on specific laptops because the laptop is already encrypted.

BUT I don't want to remove users from encryption policies in case they also have their own laptop where they should be prompted, so I'd be looking at something machine-specific as opposed to user-specific.

OtrumD:

Has there been any progress on this issue? I have pretty much the same problem, and would love to know.

James Hawk:

Afraid not. I tried applying the policy to devices instead of users before reading that you can't specify 'Managed devices' for WDE. Can't think of any other way to do it than what we're doing already...

cetnamys19:

If you are using PGP Universal Server you can set an administrator password for the encryption of the disk. You can also set silent enrollment for the new user that will sign in on the machine. Using silent enrollment, PGP enrollment will still appear, but the user will just log in using their domain account. The passphrase is required for the user's key.

badgerlad:

Just wondering if anyone came up with a viable solution to this problem.

I need to do the exact same thing detailed in the original problem posted.

The last entry doesn't meet my requirements, as I don't want anyone to be prompted for the PGP enrollment but I still want PGP Desktop to run so that it can talk to the Universal Server.

So far I have created a generic Active Directory account, which is enrolled on the laptop I am using for test purposes, and I have changed the DISABLEWDESSO registry key under HKLM\Software\PGP Corporation\PGP so that single sign-on is turned off.

The final step is just to stop the enrollment box appearing for the logged on users credentials while maintaining a connection to the Universal server.

Any help would be greatly appreciated
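As an added example (not posted by badgerlad or anyone else in this thread, and not Symantec's own tooling), the PowerShell below applies the DISABLEWDESSO registry change described in the post above and then reports, rather than removes, the PGPtray startup shortcut, since later posts in this thread note that pulling PGPtray out of All Users\Startup makes the client lose contact with the Universal Server. Assumptions not confirmed by the thread: DISABLEWDESSO is a REG_DWORD where 1 turns SSO off and 0 turns it back on; on 64-bit Windows the client's key may sit under Wow6432Node; the "All Users" Startup folder is the CommonStartup special folder; and the tray process is named PGPtray. Run it from an elevated prompt.

```powershell
# Added example, not code from the original thread. Assumptions (unverified here):
# DISABLEWDESSO is a REG_DWORD (1 = SSO off, 0 = SSO on), the key may live under
# Wow6432Node on x64, the All Users Startup folder is CommonStartup, tray exe is PGPtray.
$KeyPaths = @(
    'HKLM:\SOFTWARE\PGP Corporation\PGP',
    'HKLM:\SOFTWARE\Wow6432Node\PGP Corporation\PGP'
)

function Set-PgpWdeSso {
    # Sets DISABLEWDESSO on every PGP key that exists; returns one record per key written.
    param([Parameter(Mandatory)][bool]$Disabled)
    $value = if ($Disabled) { 1 } else { 0 }
    $found = $false
    foreach ($path in $KeyPaths) {
        if (-not (Test-Path -Path $path)) { continue }
        $found = $true
        $before = (Get-ItemProperty -Path $path -Name 'DISABLEWDESSO' -ErrorAction SilentlyContinue).DISABLEWDESSO
        Set-ItemProperty -Path $path -Name 'DISABLEWDESSO' -Value $value -Type DWord
        [pscustomobject]@{ Key = $path; Before = $before; After = $value }
    }
    if (-not $found) {
        Write-Warning 'No PGP client key found under either path; is PGP Desktop installed on this machine?'
    }
}

function Get-PgpTrayStartupState {
    # Reports whether the PGPtray shortcut is still in the All Users Startup folder and
    # whether the tray process is running. It deliberately does not delete the shortcut:
    # the thread reports that doing so makes the Universal Server lose the device details.
    $startup = [Environment]::GetFolderPath('CommonStartup')
    $lnk = Get-ChildItem -Path $startup -Filter 'PGPtray*.lnk' -ErrorAction SilentlyContinue |
        Select-Object -First 1
    [pscustomobject]@{
        StartupFolder      = $startup
        PgpTrayShortcut    = if ($lnk) { $lnk.FullName } else { $null }
        TrayProcessRunning = [bool](Get-Process -Name 'PGPtray' -ErrorAction SilentlyContinue)
    }
}

# Turn SSO off for the pool laptop, then show the current startup state for review.
Set-PgpWdeSso -Disabled $true
Get-PgpTrayStartupState
```

If `PgpTrayShortcut` comes back empty and `TrayProcessRunning` is false on a pool laptop, that is the state James Hawk describes below in which the device record on the Universal Server eventually goes blank; re-create the shortcut (or re-run the installer) before relying on the server for recovery tokens.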

Alex_CST:

You need to reinstall using silent enrollment; that should do the trick then. If SSO is disabled and a new user logs on (BootGuard via the generic account), it'll enroll them silently.

http://www.symantec.com/docs/TECH183325


Please mark posts as solutions if they solve your problem!

http://www.cstl.com

badgerlad:

Thanks for your response.

Am I not right in thinking that the silent enrollment will still prompt the user for their security credentials?

This is the part I am trying to get rid of, as I don't actually want any of the users (apart from the generic one) to be enrolled.

James Hawk:

badgerlad doesn't want every user enrolled, just one 'generic' account that is used to set a single password for a shared laptop. Any additional users shouldn't be prompted to enroll, but PGP should still load in order to talk to the server.

badgerlad - Only solution I've found is to remove PGPTray from All Users\Startup, but of course this poses the issue of PGP not talking with the server, it seems. Not found any alternative since, unfortunately.

badgerlad:

@ James Hawk - this is exactly the situation we have found ourselves to be in at the moment.

Have you actually gone with the solution of removing PGPTray? I am curious to know: once the Universal Server loses contact with the hosts, can you still issue a WDE unlock code if the disk were to be locked?

Alex_CST:

You can remove PGPTray from the systray:

http://www.symantec.com/business/support/index?page=content&id=HOWTO42064

If you want just a single "catch all" password, why not just move this laptop/pool of laptops into a separate policy, and assign a WDE Administrator passphrase to it?

A word of caution: having one password for all users to access this laptop removes a lot of compliance to do with security. You have no accountability for who logged in where, because it'll just log as "Administrator".

James Hawk:

You can still use the WDRT, but on the odd occasion (not with every machine) the machine details on the Universal Server blank out. I assume this is due to lack of contact between the client and the server, but the WDRT still works if you can figure out which blank record is which (going by the generic user account is best, assuming you use a different user per machine).

Just to clarify, by blank out I mean the device name, client status etc all disappear, but the device still remains in the list, just without a name. The machine UUID, Disk ID and WDRT details remain, see below:

Alex_CST:

I've not seen that before, but if you were referring to my suggestion, the WDE Administrator passphrase is different from the WDRT; you set the WDE Administrator passphrase in the policy itself.

James Hawk:

It was aimed at badgerlad's last post; we appear to have posted at almost the same time in response to him :)

The blank entries seem to happen after having PGPTray not load for a long period. It still allows for WDRT though. I wouldn't fancy using the Admin passphrase on a regular basis, but it would do the job, I agree.