
Utilizing Boot Guard Bypass (multiple)

Created: 08 Feb 2011 • Updated: 10 Feb 2011 | 5 comments
This issue has been solved. See solution.

Hello,

Is there anyone in the community who is using the BootGuard bypass feature for their PGP Desktop clients?  I am having difficulty getting the feature to work.  PGP Universal Server version is 3.0.1, PGP Desktop version 10.0.2 build 13.  I have added the wdeMaximumBypassRestarts field with an integer of 3 to the test profile policy.  I've updated the policy on the client which was enrolled using this test policy, and I've entered the pgpwde --add-bypass --disk 0 --count (integer) --admin-passphrase (passphrase) command on the client itself.

BootGuard is bypassed for one restart only, not for the 3 I am seeking to test.  What am I doing wrong?  Does the placement of the wdeMaximumBypassRestarts field matter where it is within the xml data?  Additionally, does the Everyone (default) policy override the test policy?  Any insight would be truly appreciated. 

Thank you


Demostenes's picture

Hi,

If the wdeMaximumBypassRestarts field value is equal to the --count parameter value, you should not be having the issue.

Consumer policy is applied to consumers depending on group membership and policy group order.

Because consumers can belong to more than one group, you can set the priority order of the list of groups that reference consumer policy. Consumers receive policy based on the highest ranking group to which the consumer belongs. The Everyone group is always last in priority and the Excluded group is always first.

About the place the parameter occupies in the XML, there is not much info about it, but I would not change it, just in case.

Here is a link about BootGuard bypass: http://www.symantec.com/business/support/index?pag...

"See, the problem with speculation is you make a speck out of you and some guy named lation"

oldariflea's picture

- Does the placement of the wdeMaximumBypassRestarts field matter where it is within the xml data? 

As far as I have tested, it doesn't matter where you put that.

- Does the Everyone (default) policy override the test policy?

I think that the Everyone policy could interfere with this. Maybe you can try removing the test user from the default policy... or if you want to see what policy is applied you can check that in the "PGP Messaging" tab of the PGP Desktop.

Anyway, when you type the bypass command in the desktop, do you receive any message?

schwack's picture

I do receive a message that says Bypass User added successfully.

The count and the wdeMaximumBypassRestarts value in the server policy is the same (3 for testing).

To clarify, on the Server, I have added that line to the Consumer Policy General Options XML (Tried it in PGP Desktop options)

One other question, could it be the version I am using?  PGP Desktop client here is 10.0.2 (build 13), Server is 3.0.1 (build 4279)

I could try removing myself from the everyone group and remain in just the test group to see if that helps.

Lastly, to confirm, this is something that needs to be set on the server AND client, correct?  So if I set MaxBypassRestarts on the server to 10, unless I've added the command to the client, it won't bypass bootguard, correct?

Thanks so much for taking the time to answer my questions!!

schwack's picture

In order to make use of BootGuard bypass, you MUST have PGP Universal Server 3.1 and PGP Desktop client 10.1 at a minimum.  Earlier versions will allow for one reboot bypass only.

Thanks!

SOLUTION
Demostenes's picture

Thank you for posting the solved issue!

"See, the problem with speculation is you make a speck out of you and some guy named lation"