HOW TO: Enable Invisible Silent Enrollment for Symantec Encryption Desktop Clients
Last Updated November 04, 2013
About Invisible Silent Enrollment
Symantec Encryption Desktop (previously PGP Desktop) invisible silent enrollment eliminates screens for your users to navigate during enrollment with Symantec Encryption Management Server (previously PGP Universal Server). Invisible silent enrollment suppresses non-essential screens and uses default settings.
Considerations Before You Begin
Invisible Silent Enrollment applies only to Symantec Encryption Management Server (SEMS) managed clients.
You must use LDAP enrollment for users, typically with Windows Active Directory, because the feature uses the Windows AD credentials to authenticate to SEMS.
Requires SKM key mode.
Configuration Guidelines for Invisible Silent Enrollment
For specific instructions on making these configuration changes to the installer, see the Administrator’s Guide and related KnowledgeBase articles.
Supply the msi switch PGP_INSTALL_DISABLESSOENROLL=0.
There are two ways to do this:
Use msiexec. Example syntax is: msiexec /i C:\pgpdesktop.msi PGP_INSTALL_DISABLESSOENROLL=0
Modify this value for the client msi using an editor such as Orca.
Symantec recommends using the feature in conjunction with Drive Encryption auto-encryption and Single Sign-on (SSO), although these are optional.
Set SEMS to bind to using the server’s host name and not its IP address. There must be at least one userid on your SEMS Organization key that matches the value. One way to ensure this is to make the domain match the Organization key. For example, using example.local.com for the organization key and example.global.com for the domain will cause enrollment to fail.
Clients must use an installer downloaded from Symantec Encryption Management Server because the feature relies on information supplied in the msi by SEMS.
Forcing Separate LDAP Authentication
In some environments, the user needs to authenticate to SEMS with different credentials than their Windows password. In this case, the PGP_SILENT_FORCE_LDAP=1 setting can be used to force the display of the LDAP authentication dialog. Note: Symantec PGP WDE will still use the Windows credentials automatically; the LDAP credentials are only used for authentication to SEMS. When using PGP_SILENT_FORCE_LDAP=1, the PGPsso.dat file is still created whenever PGP_INSTALL_DISABLESSOENROLL=0, however, the file is not used.
About Installation Failure
The code is written to fail silently. This means that if the user is not able to authenticate to SEMS, nothing will happen to notify the user. There are a variety of reasons an error might occur. To troubleshoot, consult the PGPssoLog.txt file (located in the Windows TEMP directory - typically C:\Windows\Temp) and examine the log to identify the problem.
Implications of Using Different Key Modes than SKM
Invisible silent enrollment generates SKM keys only. Symantec recommends setting the client policy only to SKM mode on SEMS. Note however, that using PGP_SILENT_FORCE_LDAP=1 does allow for using other key modes. Please note that the key passphrase will be set to the user’s LDAP authentication password and never, under any circumstances, to the Windows password. Symantec Encryption Desktop will prefer GKM mode in this scenario if GKM is an allowed mode, but SKM mode still remains the recommended mode.
Considerations and Constraints with Invisible Silent Enrollment
The feature does not work in the following situations:
You use msi switch PGP_NO_USERNAME=1 (setting DisableUsernamePrepopulation=1 in HKLM/Software/PGP Corporation/PGP).
Symantec Encryption Desktop is installed with the msi switch PGP_INSTALL_SSO=0. This disables the credential manager and the password will not be captured.
Drive Encryption policy on SEMS is set to Deny SSO. The user will be displayed an error dialog during disk encryption. Make sure the Drive Encryption policy either allows or requires SSO.
Implications of Using Invisible Silent Enrollment with Smartcards
If you use smartcards to encrypt the drive, the installation is not completely silent. The user will encounter additional dialogs and will be prompted for a PIN. The user will not see an LDAP enrollment dialog and the user's Windows password will be used to authenticate to SEMS (depending on PGP_SILENT_FORCE_LDAP=1). Note that using PGP_SILENT_FORCE_LDAP=1 together with forcing smart cards for Drive Encryption negates invisible silent enrollment, because the captured Windows password actually won't be used for anything. However, as long as PGP_INSTALL_DISABLESSOENROLL=0, a PGPsso.dat file is still created.
Using the "Smartcard Enrollment" feature also negates invisible silent enrollment. In this case the Windows password isn't used for anything, the user will be authenticated to SEMS using smartcard credentials, and the driver will also be encrypted to the smartcard credentials. This process is mostly silent and automatic except for prompting the user for the PIN. Smartcard enrollment also implies using Smartcard Single Sign-on; the smartcard PIN is entered at the PGP BootGuard screen and the user is logged into Windows automatically.