Symantec Endpoint Encryption Roles on Version 8.0.0
Symantec Endpoint Encryption consist of three different role, with which you can access, modify and administrate the SEE console.
They are ;
1. Policy Administrator
2. Client Administrator
3. User
Policy Administrator;
The policy administrator performs multiple tasks as a centralize administration of Symantec Endpoint Encryption, with the help of Symantec Encryption Manager
Policy administrator. The Policy Administrator log in using the windows account. The access to individual snap-in of the Symantec Endpoint Encryption Manager can be
restricted by windows privilege. The policy administrator will require the access to the Symantec Encryption database and its prevleges are maintained
by the Windows and Microsoft SQL Server.
The Policy Administrator has the permission to read-write the Symantec Encryption Database. This account can be a windows or sql account.
The Policy Administrator includes the following tasks.
1. Updates and sets client policies.
2. Runs reports.
3. Changes the Management Password.
4. Runs the Help Desk Program.
5. Creates the computer-specific Recover DAT file necessary for Recover /B
Client Administrator
Client Administrator accounts are created and maintained from the Symantec Endpoint Encryption Manager. Client Administrator accounts are managed entirely
by Symantec Endpoint Encryption, independent of operating system or directory service, allowing Client Administrators to support a wide range of users.
Client Administrator passwords are managed from the Manager Console and cannot be changed at the Client Computer. This single-source password management
allows Client Administrators to remember only one password as they move among many Client Computers.
Client Administrator are configured to authenticate with either with a password or token.
Client Administrator can be assigned with the following administrative privileges’ :
1. Unregister users : Allows Client Administrators to unregister registered users from the Administrator Client Console
2. Decrypt drives : Provides Client Administrators with the right to decrypt encrypted disks and partitions from the Administrator Client Console or
through the use of Recover /D;
3. Extend lockout : Permits Client Administrators to extend the Client Computer’s next communication date using the Administrator Client Console; and
4. Unlock : Enables Client Administrators to unlock Client Computers that have been locked for failure to communicate with the
Symantec Endpoint Encryption Management Server.
Each Client Computer must have one default Client Administrator account. The default Client Administrator account has all administrative privileges
and authenticates using a password. Only Client Administrators that authenticate with a password and have all administrative privileges can perform
hard disk recovery. Up to 1024 total Client Administrator accounts can exist on each Client Computer.
Client Administrator accounts have the following restrictions:
1. Client Administrators do not have either of the authentication assistance methods (Authentic-Check and One-Time Password) available.
2. Client Administrators cannot use Single Sign-On.
Mac Client
Each Mac client has one Client Administrator account. The Client Administrator account will be created as specified within the client installation package
or policy at the time that the encryption of the boot disk is manually initiated on the Mac endpoint. is specified within the installation package and updated
via policy. The Client Administrator account annot be deleted by the user, ensuring administrative access to the Client Computer. The Client Administrator
authenticates with a password. Privilege level will not affect the Client Administrator on the Mac client. The Client Administrator account cannot be used to
initiate encryption.
User
Symantec Encryption Full Disk encrypt the data on the client machine which requirs a valid credential before windows load. Only the credentials of
registered users and Client Administrators will be accepted by Full Disk.
Mac Client
Upon manual initiation of encryption, a user account must be created. Up to 119 users can be added.
Windows Client
At least one user is required to register with Symantec Endpoint Encryption on each Client Computer. A wizard guides the user through the registration process,
which involves a maximum of five screens. The registration process can also be configured to occur without user intervention.
Full Disk authentication can be configured to occur in one of three ways :
1. Single Sign-On enabled : The user will be prompted to authenticate once each time they restart their computer.
2. Single Sign-On not enabled : The user must log on twice: once to Full Disk and then separately to Windows.
3. Automatic authentication enabled : The user is not prompted to provide credentials to Full Disk; the authentication process is transparent. This option relies on Windows to validate the user’s credentials.
A maximum of 1024 users can be allowed during the creation of the installation package and can be changed by policy.
To ensure the success of this product in securing your encrypted assets, do not define users as local administrators or give users local administrative privileges.
Courtesy : Installation guide 8.0.0