Symantec offers many different products, each with its own licensing requirements. Some Symantec Encryption products use a licensing system to enable product functionality for purchased products. This article outlines the licensing concepts and explores licensing scenarios.
Symantec Encryption functionality may be fully or partially disabled until a valid license number is entered. The process of entering a license number into Symantec Encryption software is called License Authorization and enables one or more seats (or users) of Symantec Encryption software.
Sample License Number:
Symantec Corporation reserves the right to audit systems for licensing compliance as per the End User License Agreement.
Section 1 - Symantec Endpoint Encryption:
Symantec Endpoint Encryption Management Server (SEEMS)
Symantec Endpoint Encryption Drive Encryption (SEE Drive Encryption)
Symantec Endpoint Encryption Removable Media Encryption (SEE RME)
Symantec Endpoint Encryption Management Server can be installed on as many systems as is needed without additional licensing. SEEMS manages systems encrypted with Symantec Endpoint Encryption Drive Encryption and Removable Media Encryption.
Symantec Endpoint Encryption is licensed per device, that is, by the number of laptops or desktops to be covered. For example, if SEE Drive Encryption is installed on 100 systems, then a license for 100 seats would be needed.
If an additional 50 seats were installed with SEE RME, then another 50 seats would be needed, for a total of 150 seats.
Symantec Endpoint Encryption products do not use a license number, unlike the rest of the encryption products in this document.
Section 2 - Symantec Encryption Products:
Symantec Email Encryption
Symantec Drive Encryption
Symantec File Share Encryption
All of the Encryption Desktop features listed above are licensed per user, meaning individual users actively using the Symantec Encryption Desktop software, either on the same system or on any profile on the same system. The exception to this rule is Symantec Drive Encryption, which is licensed per device.
Example 1: One user on one or more profiles per system must purchase one copy of Symantec Encryption Desktop.
Example 2: Two users on one or more profiles per system must purchase two copies of Symantec Encryption Desktop.
Example 3: One user wanting to use Symantec Encryption Desktop on five different computers must purchase five copies.
Example 4: Symantec Drive Encryption enables a user to encrypt the entire hard drive of a computer. After the system has been encrypted, the system cannot be booted until a passphrase (password) has been entered. In some cases, this is the only encryption functionality that will be used. Symantec Drive Encryption will allow multiple users to be added to the software to boot a system. In this scenario, only one license per system/device is required. This also applies to Administrators wanting to add themselves to the Symantec Drive Encryption software (see the screenshot below for the Drive Encryption shelf). If any additional features are used, such as individual file encryption or Virtual Disk, each user taking advantage of these features requires an individual license.
Section 3 - Symantec Encryption Management Server:
Two scenarios exist for licensing with Symantec Encryption Management Server:
1. Symantec Encryption Management Server managing clients
2. Symantec Encryption Management Server Gateway Email Only
Example 1 - Symantec Encryption Desktop Clients Managed by Symantec Encryption Management Server:
Symantec Encryption Management Server includes the ability to manage users on the server or centrally manage individual Symantec Encryption Desktop clients. Symantec Encryption Management Server allows Administrators to lock down Symantec Encryption Desktop policies.
The central management functionality is a bundled SKU which includes both the client and server functionality. The number of seats that must be purchased depends on the number of clients to be installed. If 100 users need to install Symantec Encryption Desktop, this SKU automatically includes 100 seats of Symantec Encryption Management Server for client management.
A license must be entered to enable features of Symantec Encryption Management Server. No license number needs to be entered on the server to enable client functionality. When additional seats of Symantec Encryption Desktop are purchased, there is also no need to update a license key on Symantec Encryption Management Server.
Example 2 - Symantec Encryption Management Server for Gateway Email Encryption Only:
When Symantec Encryption Management Server is used to only encrypt email in the mailstream, the server is licensed per user. If 100 users exist on Symantec Encryption Management Server, then 100 seats must be purchased.
A license must be entered to enable the mail functionality of Symantec Encryption Management Server.
Note on Clustering: Symantec Encryption Management Server has the ability to share/replicate information to other Symantec Encryption Management Servers. This process is called clustering. In clustering, multiple Symantec Encryption Management Servers are used. For licensing purposes, Symantec does not limit the number of clusters that can be used within the environment as long as the user count does not exceed the quantity of licenses purchased (the technical limitation is 6 nodes).
Note on Licensing Counts and Compliance: Although this article describes how the software is licensed and includes scenarios to help clarify how the licenses are counted, Symantec Encryption Management Server does not currently provide a method to determine the exact number of licensed seats in use. There are several reasons for this, but two of the most common are as follows:
Managed User Scenario: A user who is no longer with the organization could still appear on the Encryption Server. Symantec Encryption Management Server would count this user against the total number of Internal Users; however, the user technically is not using a licensed seat. Users (and Devices) on Symantec Encryption Management Server are never removed unless an Administrator does so manually.
Managed Device (Machine) Scenario: A user may acquire a new machine and could then have two machines listed on Symantec Encryption Management Server. One machine may be retired or reimaged and no longer in use, and the new machine would appear as an additional device. Technically, for Symantec Drive Encryption, this would count as two seats; however, on paper, only one seat is being used.
Due to the above scenarios, and possible other scenarios, checking counts on Symantec Encryption Management Server is not a reliable way to know how many seats are in use for licensing compliance. For compliance reasons, it is best to keep track with your own software management solution, such as Altiris, and query the actual machines to see on which of them Symantec Encryption Desktop is installed.
Section 4 - Symantec PGP Command Line
Symantec PGP Command Line is licensed (i) per physical CPUs/processors, (ii) Keys and (iii) Functionality.
CPUs/processors refers to the number of physical CPUs on a system. If a computer has one or two physical processors, a 2-CPU license is required. If a computer has up to four processors, a 4-CPU license is required, and so on. For CPUs with multiple internal processing units (e.g. cores), each processing unit counts as a single processor.
Keys: Symantec PGP Command Line options offer either one-key or unlimited-key licensing for local keyring management.
One-key licensing means that one public key may be used in the local keyring, other than your own key. This licensing option may be used for PGP Command Line to (i) send files to and receive files from one Server which uses PGP Command Line and is not subject to the "1 Key" limitation; (ii) sign or decrypt a file with Your private key; (iii) encrypt a file or verify a signature on a file with a public key from one Server which uses PGP Command Line and is not subject to the "1 Key" limitation; and (iv) create self-decrypting archives. For purposes of this section, "Key" means either or both components of a public/private cryptographic key pair.
Unlimited-keys licensing means that more than one public key may be used in the local keyring, other than your own key. An Unlimited-key license should be purchased if encrypting/signing to more than one recipient is needed.
For each seat of Symantec PGP Command Line, Symantec allows installation on one production and one non-production system. This means if one 2-CPU license is purchased for Symantec PGP Command Line, it may be installed on the production box that is handling all encryption/decryption processes, and another system that is not handling production encryption/decryption. The non-production box may be a failover box or a test box, but may not perform any encryption/decryption related to business encryption/decryption.
Section 5 - Licensing for Terminal Server or Citrix Environments:
Various Symantec Encryption Desktop functionality can be used in Terminal Server or Citrix Server environments. In Terminal or Citrix Server environments, the applications are installed on the server itself and any users logged into this server can access the application installed. Due to the nature of these environments, Symantec Encryption Desktop is managed quite differently than in normal environments. The Encryption software is licensed per-user on the Terminal or Citrix Server and not by how many users are using the Symantec Encryption Desktop.
Example: Symantec Encryption Desktop is installed on a Terminal Server that has 100 users; however, 25 users are currently using Symantec Encryption Desktop. In this scenario, 100 copies must be purchased, because all users on the server have the ability to use the Symantec Encryption software, whether it is used or not.
The only exception to this, in Citrix environments, is a technical restriction that has been enforced on the Citrix Server. In other words, only those users who are licensed to use Symantec Encryption Desktop have the ability to use any encryption functionality. To enforce a technical restriction in a Citrix environment, NTFS Permissions should be modified on the Citrix Server to remove Execute access for the Program Files folder so that only licensed users can open Symantec Encryption Desktop. In addition to restricting execute access, other restrictions should be put in place so that Symantec Encryption Desktop does not start up when a user logs into an account and the menu items are not available.
Due to the nature of licensing with Terminal Server or Citrix environments, licensing is per user on the Terminal or Citrix server where Symantec Encryption Desktop is installed, as listed in the example above. The only exception to this licensing is by implementing a technical lockdown of the Symantec Encryption Desktop software for non-licensed users in this type of environment. This means the non-licensed users are technically unable to utilize any features. When such a technical lockdown has been implemented, Symantec will only require licenses for the users who will be using Symantec Encryption Desktop and are legally authorized to do so.
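
One way to apply the NTFS part of the lockdown described above is sketched here as an added example; it is not part of the original article and not Symantec tooling. The install folder path and the licensed-users group are placeholders that must be replaced, and the script covers only the Execute restriction, not the startup or menu restrictions.

```powershell
# Added example. Assumptions: $InstallDir and $LicensedGroup are placeholders,
# not values from the article. Run elevated on the Terminal/Citrix server.
$InstallDir    = 'C:\Program Files\<Symantec Encryption Desktop folder>'  # placeholder path
$LicensedGroup = 'EXAMPLE\SED-Licensed-Users'                             # hypothetical group

# Well-known SIDs of the broad principals that normally inherit access under Program Files.
$BroadSids = @(
    'S-1-5-32-545',   # BUILTIN\Users
    'S-1-5-11',       # NT AUTHORITY\Authenticated Users
    'S-1-1-0'         # Everyone
)

# 1. Save the current ACLs so the change can be rolled back with "icacls /restore".
icacls $InstallDir /save "$env:TEMP\sed-acl-backup.txt" /t | Out-Null

# 2. Stop inheriting from Program Files; inherited entries are copied as explicit ones.
icacls $InstallDir /inheritance:d | Out-Null

# 3. Remove the allow entries of the broad principals (a SID is passed with a leading *).
foreach ($sid in $BroadSids) {
    icacls $InstallDir /remove:g "*$sid" /t | Out-Null
}

# 4. Grant Read & Execute to the licensed group, inherited by subfolders and files.
icacls $InstallDir /grant "${LicensedGroup}:(OI)(CI)RX" | Out-Null

# 5. Verify on the top folder: no allow entry may remain for a broad principal.
$rules = (Get-Acl -LiteralPath $InstallDir).GetAccessRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier])
$leftover = $rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $BroadSids -contains $_.IdentityReference.Value
}
if ($leftover) {
    Write-Warning "Allow entries remain for: $($leftover.IdentityReference.Value -join ', ')"
} else {
    Write-Output "No allow entries remain for Users, Authenticated Users or Everyone on $InstallDir"
}
```

Administrators and SYSTEM keep their existing entries, so patching and management still work. Membership of the licensed group then becomes the record of who can launch the software.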