My understanding so far.
From the Universal Server I can control and manage all of the clients which are running PGP Desktop.
Correct, as long as they are enrolled to that UN.
To install the desktop software I download it from the server console and configure the policy settings to control the PGP Desktop software.
Correct. If you are dealing with a large number of clients, using Silent Enrollment is the best option.
I have configured directory sync to enrol a user. Does PGP validate a user from Active Directory?
The only real way of using PGP in a production network will be via LDAPS, like AD. You need to be able to use either LDAP or LDAPS (highly recommended), because otherwise user credentials are sent in the clear between your DC and UN, so make sure the port is opened for LDAPS and tick the box to use it in Directory Synchronisation.
I assume if I want the enrolment to happen silently there is an option for this?
There is an option for Silent Enrollment, but if you are using this product for WDE the user will (by default) get prompted to create and answer 5 questions for recovery. You can turn this off, however. This also depends on what key mode the UN is in; if you are just playing around I suggest using Guarded Key Mode, that way the users' private keys are stored on the UN and not under the control of the user.
Whenever an action is performed by PGP Desktop I get a certificate error which I need to allow. I assume I need to publish this certificate to the domain?
What do you mean by this? Even if you have a self-signed certificate on the server, the user experience on PGP Desktop will remain unaffected and you shouldn't get certificate errors.
What about email? I don't understand this part at all. We don't need to use this feature at the moment, but it would be good to get an understanding of how it works and how to set it up correctly.
You can set up the UN however you want in terms of email encryption. The most common setup is to put in a setting whereby if the user puts [ENCRYPT] or [PGP] or [PRIVATE] in the subject line, it goes for encryption, or if sending to a certain domain, always encrypt, things like that. The way you set up the UN depends on your internal setup. If you are an SME, it should be in the mail flow to make the initial setup easier, so all mail passes through the UN and it only encrypts stuff according to your policy chain; otherwise it passes it through to your MTA or SMTP server etc.
PGP is basically a massive range of products to encrypt almost anything, that's pretty much all you need to know looking at it.
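The LDAP versus LDAPS point in the thread above is worth seeing on the wire. The following is an added example, not code from the thread or from the PGP product: it builds an LDAP simple BindRequest (RFC 4511) the way a directory client such as the Universal Server's Directory Synchronisation would send it to a domain controller, then parses the raw bytes back with a minimal BER decoder to show that the bind DN and password are readable by anyone who can capture the TCP/389 traffic. The service-account DN and password are constructed sample values; LDAPS (TCP/636) wraps exactly these bytes in TLS, which is why the answer recommends it.

```python
"""Demonstrates why an LDAP simple bind over plain TCP/389 leaks credentials.

Added example, not from the original thread.  It encodes an LDAPMessage
containing a BindRequest with a simple (cleartext) password, then decodes
it from raw bytes the way a passive observer on the network would.
"""

# Constructed sample values: a hypothetical directory-sync service account.
SAMPLE_DN = "CN=pgpsync,OU=Service Accounts,DC=corp,DC=example"
SAMPLE_PASSWORD = "Summer2024!"


def _ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value wrapper."""
    return bytes([tag]) + _ber_len(len(value)) + value


def _int(v: int) -> bytes:
    """BER INTEGER (non-negative values; leading 0x00 added when needed)."""
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def encode_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] } }.

    Tags: 0x30 SEQUENCE, 0x02 INTEGER, 0x04 OCTET STRING,
    0x60 [APPLICATION 0] BindRequest, 0x80 [0] simple authentication.
    """
    bind = _int(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _int(message_id) + _tlv(0x60, bind))


def _read_tlv(data: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_simple_bind(packet: bytes) -> dict:
    """Recover messageID, version, bind DN and cleartext password from a capture."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, ver, pos = _read_tlv(op, 0)
    _, dn, pos = _read_tlv(op, pos)
    auth_tag, cred, _ = _read_tlv(op, pos)
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": int.from_bytes(ver, "big", signed=True),
        "bind_dn": dn.decode(),
        # Only the simple [0] choice carries a raw password; SASL ([3]) does not.
        "simple_password": cred.decode() if auth_tag == 0x80 else None,
    }


def observer_view(packet: bytes) -> str:
    """What someone sniffing TCP/389 between the UN and the DC learns."""
    info = decode_simple_bind(packet)
    return f"bind as {info['bind_dn']} with password {info['simple_password']!r}"


if __name__ == "__main__":
    pkt = encode_simple_bind(1, SAMPLE_DN, SAMPLE_PASSWORD)
    print(pkt.hex())
    print(observer_view(pkt))
```

The same bytes sent over LDAPS are inside a TLS record, so the observer sees only ciphertext; enabling LDAPS in Directory Synchronisation changes the transport, not the bind itself, which is why the port must also be open on the DC side.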