File Share Encryption

  • 1.  Utilizing Boot Guard Bypass (multiple)

    Posted Feb 08, 2011 02:17 PM

    Hello,

    Is there anyone in the community who is using the BootGuard bypass feature for their PGP Desktop clients?  I am having difficulty getting the feature to work.  PGP Universal Server version is 3.0.1, PGP Desktop version 10.0.2 build 13.  I have added the wdeMaximumBypassRestarts field with an integer of 3 to the test profile policy.  I've updated the policy on the client which was enrolled using this test policy, and I've entered the pgpwde --add-bypass --disk 0 --count (integer) --admin-passphrase (passphrase) command on the client itself.

    BootGuard is bypassed for one restart only, not for the 3 I am seeking to test.  What am I doing wrong?  Does the placement of the wdeMaximumBypassRestarts field matter where it is within the xml data?  Additionally, does the Everyone (default) policy override the test policy?  Any insight would be truly appreciated. 

    Thank you



  • 2.  RE: Utilizing Boot Guard Bypass (multiple)

    Posted Feb 09, 2011 12:18 PM

    Hi,

    If the wdeMaximumBypassRestarts field value is equal to the --count parameter value, you should not be having the issue.

    Consumer policy is applied to consumers depending on group membership and policy group order.

    Because consumers can belong to more than one group, you can set the priority order of the list of groups that reference consumer policy. Consumers receive policy based on the highest ranking group to which the consumer belongs. The Everyone group is always last in priority and the Excluded group is always first.

    About the place the parameter occupies in the XML, there is not much info about it, but I would not change it, just in case.

    Here is a link about BootGuard bypass: http://www.symantec.com/business/support/index?page=content&id=TECH149026&key=59256&actp=LIST



  • 3.  RE: Utilizing Boot Guard Bypass (multiple)

    Posted Feb 09, 2011 12:30 PM

    - Does the placement of the wdeMaximumBypassRestarts field matter where it is within the xml data? 

    As far as I have tested, it doesn't matter where you put that.

    - Does the Everyone (default) policy override the test policy?

    I think that the Everyone policy could interfere with this. Maybe you can try removing the test user from the default policy... or if you want to see what policy is applied you can check that in the "PGP Messaging" tab of the PGP Desktop.

     

    Anyway, when you type the bypass command in the desktop, do you receive any message?



  • 4.  RE: Utilizing Boot Guard Bypass (multiple)

    Posted Feb 09, 2011 04:39 PM

    I do receive a message that says Bypass User added successfully.

    The count and the wdeMaximumBypassRestarts value in the server policy is the same (3 for testing).

    To clarify, on the Server, I have added that line to the Consumer Policy General Options XML (Tried it in PGP Desktop options)

    One other question, could it be the version I am using?  PGP Desktop client here is 10.0.2 (build 13), Server is 3.0.1 (build 4279)

    I could try removing myself from the everyone group and remain in just the test group to see if that helps.

    Lastly, to confirm, this is something that needs set on the server AND client, correct?  So if I set MaxBypassRestarts on the server to 10, unless I've added the command to the client, it won't bypass bootguard correct?

    Thanks so much for taking the time to answer my questions!!

     



  • 5.  RE: Utilizing Boot Guard Bypass (multiple)
    Best Answer

    Posted Feb 10, 2011 01:48 PM

    In order to make use of BootGuard bypass, you MUST have PGP Universal Server 3.1 and PGP Desktop client 10.1 at a minimum.  Earlier versions will only allow for one reboot bypass only.

     

    Thanks!



  • 6.  RE: Utilizing Boot Guard Bypass (multiple)

    Posted Feb 13, 2011 03:31 PM

    Thank you for posting the solved issue!