Endpoint Encryption

 View Only

  • 1.  Symantec Endpoint Encryption and Local Administrator rights

    Posted Apr 24, 2018 12:31 PM

    We want to use SEE on BYOD machines, but I am told by my IT service partner that we must remove the users local admin rights.  Is this corret and is there any way around this as it is going to be difficult to convince BYOD users that they should do this.

     

     



  • 2.  RE: Symantec Endpoint Encryption and Local Administrator rights

    Posted May 01, 2018 11:20 AM

    Did they not provide a more specific answer or reason for this? Documentation reference for this at the very least?

    Which version of Encryption are you planning on rolling out? Depending on which version of SEE you are deploying, the Client Administrator for install/uninstall is imbeded into the software and has no relation to the local Windows Administrators. The only means of removing or decrypting the disk is the use of the Client Administrator, not a local Windows Admin.

    I suspect their reason for the statement of removing administrator rights has to do with the version of encryption software and whether or not the agent can be managed by any local admin who can then decrypt the disk, then, remove the encryption software.



  • 3.  RE: Symantec Endpoint Encryption and Local Administrator rights

    Posted May 01, 2018 03:46 PM

    The software can not be removed if the machine is still encrypted. Unless the user has the decryption credentials the machine stays protected. I suspect that the removal of admin rights has more to do with policy of the organization to protect the integrity of what is loaded on the machine. A user that does not have admin rights is less likely to cause enterprise wide issues like virus/malware spreading.