PGP Remote Disable Destroy - 10.2.1 User Manual

PGP™ Remote Disable & Destroy
Configuration Guide
10.2
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Version 10.2.1. Last updated: April 2012.
Legal Notice
Copyright (c) 2012 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, PGP, Pretty Good Privacy, and the PGP logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. “Commercial Computer Software and Commercial Computer Software Documentation”, as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation 350 Ellis Street Mountain View, CA 94043
Symantec Home Page (http://www.symantec.com)
Printed in the United States of America.
10 9 8 7 6 5 4 3 2 1
Contents
Introducing PGP Remote Disable and Destroy 1
About PGP Remote Disable and Destroy 1
Components of PGP RDD 1
How PGP RDD Works 1
About PGP RDD Client Anti-Theft States 2
Installation Considerations 3
Planning Your Network Architecture 3
Considerations When Using Multiple PGP Universal Servers 3
Enabling or Disabling PGP RDD in the PGP Universal Server 3
Ports Used by the PGP RDD Service 4
Modifying PGP RDD Ports 4
System Requirements 5
Symantec Products 5
Server Software 5
About PGP Remote Disable & Destroy Licenses 5
Licensing PGP RDD with Intel Anti-Theft 6
About Deploying PGP RDD on Client Systems 7
About the PGP RDD Deployment Process 7
About AT Activated Client Systems 8
Deploying PGP RDD on Client Systems 9
Software Requirements for Client Systems 9
Drivers and BIOS Requirements for Client Systems 10
Hardware Requirements for Client Systems 10
Accessing PGP RDD on the PGP Universal Server 11
Accessing PGP RDD 11
Displaying PGP RDD Data 11
About Intel Anti-Theft Status 11
Changing a Computer's Status 13
Exporting PGP RDD System Information 13
Working with Stolen Systems 15
About Stolen Client Systems 15
Recovering a Stolen Client System 15
Identifying the Initial Screen at Power On 16
Recovering Using the Intel BIOS Recovery Screen 16
Recovering Using the PGP BootGuard Screen 17
Setting PGP RDD Policy 19
Enabling PGP RDD in a Consumer Policy 19
Understanding the Difference Between Consumer and PGP RDD Policies 19
About Consumer Policies 20
About PGP RDD Policies 20
Applying Consumer Policy to Consumer Groups 21
Setting a PGP RDD Policy 21
About the PGP RDD Rendezvous 22
Considerations When Configuring Rendezvous Intervals 23
About PGP RDD Timers 23
Considerations When Setting Your PGP RDD and Consumer Policies 25
Setting a PGP RDD Timer 26
About Decommissioning a Computer 27
Recovering a Decommissioned Client System 27
About Decommissioned Computers 28
Decommissioning a PGP RDD-Enabled Client System 28
About AT Deactivated Client Systems 29
Deactivating a Client System 29
Working with PGP RDD Administrator Roles 31
About PGP RDD Administrator Roles 31
Assigning Roles 31

1 Introducing PGP Remote Disable and Destroy

About PGP Remote Disable and Destroy

PGP Remote Disable and Destroy from Symantec(TM), powered by Intel(R) Anti-Theft Technology (PGP RDD), provides a security solution for lost, stolen, or decommissioned computers.
PGP RDD addresses the need to keep data secure in mobile environments and to comply with increasingly stringent data security and privacy regulations, using Intel AT technology. It lets corporate users activate the PGP Universal Server security service and manage hardware-based, client-side intelligence that secures the notebook and its data if the notebook is lost or stolen. If a client system is lost or stolen, you can remotely disable it or disable access to its data, and you can securely decommission client systems.

Components of PGP RDD

The following items are part of the overall PGP RDD installation:
PGP Universal Server. The administrative server used to manage client systems.
Intel Content License Server (ICLS). The ICLS permit licensing server is the activation site at Intel where client installations are tracked.
Managed PGP Desktop client system with PGP Whole Disk Encryption installed. Once PGP RDD policies are applied and the system is encrypted, the client system becomes PGP RDD-enabled.

How PGP RDD Works

You deploy PGP RDD to clients you have specified in PGP Universal Server as part of a particular consumer group. For that consumer group, you create a policy that enables PGP RDD with Intel Anti-Theft Technology. You then create a PGP Desktop client installer that uses the policy.
A user installs the PGP Desktop client and enrolls with the PGP Universal Server using the method you choose. The client computer is then encrypted with PGP Whole Disk Encryption. During this process, the client receives the policy from PGP Universal Server that enables PGP RDD. PGP RDD in turn activates the Intel Anti-Theft Technology on that client, and the encrypted client moves to a state known as “AT Activated.” This is the normal operating state for a PGP RDD-enabled client. This state is transparent to the user. The client system operates normally and is protected.
PGP Universal Server monitors PGP RDD-enabled clients through regular periodic contact between server and client. This contact refreshes the theft status of the computer and is known as a rendezvous. A successful rendezvous indicates to the server that a client is online and controlled by the authorized user.
After a missed rendezvous, a timer (the Disable Timer) begins counting down to disable the system. If the client fails to rendezvous successfully before the timer expires, the client is automatically flagged on the server as "Stolen". The client is locked down until the user or administrator unlocks the system and returns it to the "AT Activated" state.
Enforcement is local to the client: the computer is disabled when the timer expires, whether or not it is online. This defeats a common tactic in laptop theft, keeping the stolen computer off the network. Enforcement is also hardware-based, so the system cannot be used even if its hard drive is replaced.
For more information on configuring and deploying PGP RDD, go to the Symantec Knowledgebase (http://www.symantec.com/business/support/index?page=home) and search for DOC4975, "PGP Remote Disable & Destroy Configuration Guide".
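The rendezvous and Disable Timer behaviour described above, as an added illustrative model. This is not Symantec's code and the product's real timer semantics, default values and client/firmware implementation are not documented on this page: the model assumes a hypothetical RddClient whose countdown is armed by the first missed rendezvous and disarmed by the next successful one, with constructed interval and timer values. The point it shows is that the lock fires from the client's own clock, so keeping a stolen notebook offline guarantees the lock rather than avoiding it.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Callable


class State(Enum):
    AT_ACTIVATED = "AT Activated"    # normal, protected state; transparent to the user
    TIME_EXPIRED = "Time Expired"    # Disable Timer ran out with no successful rendezvous
    STOLEN = "Stolen"                # marked stolen by an administrator


@dataclass
class RddClient:
    """Client-side view of one PGP RDD-enabled notebook (hypothetical model, not the product's code)."""
    rendezvous_interval: int            # seconds between scheduled rendezvous (constructed value)
    disable_timer: int                  # seconds from a missed rendezvous to the lock (constructed value)
    state: State = State.AT_ACTIVATED
    locked: bool = False
    lock_deadline: int | None = None    # armed by the first missed rendezvous
    log: list[str] = field(default_factory=list)

    def rendezvous(self, now: int, server_reachable: bool) -> bool:
        """Scheduled contact with PGP Universal Server. Success refreshes theft status and disarms the countdown."""
        if self.locked:
            return False
        if server_reachable:
            self.lock_deadline = None
            self.log.append(f"t={now}: rendezvous ok")
            return True
        if self.lock_deadline is None:          # first miss arms the Disable Timer
            self.lock_deadline = now + self.disable_timer
            self.log.append(f"t={now}: rendezvous missed, Disable Timer expires at t={self.lock_deadline}")
        return False

    def tick(self, now: int) -> None:
        """Local enforcement: the lock fires from the client's own clock, so no network contact is needed."""
        if not self.locked and self.lock_deadline is not None and now >= self.lock_deadline:
            self.locked = True
            self.state = State.TIME_EXPIRED
            self.log.append(f"t={now}: Disable Timer expired, system locked")

    # Administrator actions taken on the PGP Universal Server side.
    def mark_stolen(self, now: int) -> None:
        self.locked = True
        self.state = State.STOLEN
        self.log.append(f"t={now}: marked Stolen by administrator")

    def unlock(self, now: int) -> None:
        """Recovery returns the client to AT Activated and disarms any pending countdown."""
        self.locked = False
        self.lock_deadline = None
        self.state = State.AT_ACTIVATED
        self.log.append(f"t={now}: unlocked, AT Activated")


def simulate(interval: int, timer: int, horizon: int,
             reachable: Callable[[int], bool]) -> tuple[RddClient, int | None]:
    """Drive scheduled rendezvous over [0, horizon] seconds on a one-minute clock
    (interval must be a multiple of 60); return the client and the time it locked, if it did."""
    client = RddClient(interval, timer)
    locked_at = None
    for now in range(0, horizon + 1, 60):
        if now % interval == 0:
            client.rendezvous(now, reachable(now))
        client.tick(now)
        if client.locked and locked_at is None:
            locked_at = now
    return client, locked_at


if __name__ == "__main__":
    # Constructed scenario: hourly rendezvous, two-hour Disable Timer, and a notebook that
    # is kept offline after its first hour (the thief's "never put it online" tactic).
    def offline_after_first_hour(t: int) -> bool:
        return t < 3600

    client, locked_at = simulate(3600, 7200, 4 * 3600, offline_after_first_hour)
    print("\n".join(client.log))
    print("locked at:", locked_at)
```

Running the block prints the event log for a notebook that stays offline after its first hour: the rendezvous at t=3600 is missed, the countdown is armed, and the lock fires at t=10800 with no further server contact. A reachability function that returns True again before the deadline disarms the countdown and the client stays AT Activated, which is the behaviour the warnings later in this guide rely on when they say a disabled service or an unreachable server will eventually lock activated computers.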

About PGP RDD Client Anti-Theft States

A PGP RDD-enabled client is always in one of the following states:
AT Activated client systems have PGP RDD currently activated and are not marked stolen. This is the normal state for a PGP RDD-enabled client.
AT Deactivated client systems do not have PGP RDD-enabled consumer policies or do not support Intel Anti-Theft technology.
Stolen client systems are those marked stolen by the administrator, or locked because the Disable Timer expired and the Platform Disable policy triggered. Stolen computers are locked and cannot be unlocked without assistance from the administrator.
Time Expired client systems are in an activated state, but there has been no rendezvous before the system's Disable Timer expired.
Unsupported client systems do not support Intel Anti-Theft Technology.
Note: Computers that do not support Intel Anti-Theft and do not have PGP RDD-enabled consumer policies may be listed as AT Deactivated instead of Unsupported.
Decommissioned computers are still encrypted, but their status is AT Deactivated. These computers are listed on the RDD Systems > Deactivated page, but they are no longer protected by Intel Anti-Theft. Use this option when your organization removes computers from active use but still wants to protect the data, for example when it plans to give away or sell the computers to someone who will not have access to PGP Universal Server.
See About Intel Anti-Theft Status (on page 11).
See Displaying PGP RDD Data (on page 11).
See Deactivating a Client System (on page 29).
See About Stolen Client Systems (on page 15).

2 Installation Considerations

Planning Your Network Architecture

When planning your deployment, keep the following points in mind:
The main consideration when planning your deployment of PGP RDD is that the client systems must be able to communicate with the server at their scheduled rendezvous. Missing the rendezvous can lead to locked client systems.
Your PGP Universal Server must be able to communicate with the Intel Content License Server. Disruption in communication can lead to activation failures.

Considerations When Using Multiple PGP Universal Servers

To balance requests across multiple servers, Symantec recommends that you use a load balancer in front of them, so that all servers participate in processing the load.
When PGP RDD-enabled client computers enroll or perform a rendezvous, they exchange 30 to 40 request and response pairs. Because replication between servers is delayed, all of these requests must be handled by the same server. Configure your load balancer so that one client's requests are routed to the same server for a certain period of time; this is called load-balancing stickiness.
Symantec recommends that the stickiness period be long enough (for example 24 hours, assuming the replication delay is less than 24 hours) to route all requests from one client to the same server.
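The stickiness requirement above, as an added model that is not Symantec code and not a description of the real PGP Universal Server protocol. It assumes two hypothetical servers whose writes reach each other only after a replication delay, a round-robin load balancer with an optional stickiness TTL keyed on the client address, and an exchange of 35 request/response pairs (a constructed figure inside the 30 to 40 the guide cites) in which each request is only valid on a server that has already applied the previous one. The server names, the counter-based consistency rule and all timings are assumptions made for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from itertools import cycle

PAIRS_PER_EXCHANGE = 35          # constructed; the guide says 30 to 40 pairs per enrollment or rendezvous
CLIENT = "10.1.2.3"              # constructed client address, used as the stickiness key


@dataclass
class Server:
    name: str
    seen: dict[str, int] = field(default_factory=dict)   # client -> highest step this server has applied


@dataclass
class Cluster:
    """Servers whose writes become visible on their peers only after replication_delay seconds (assumed)."""
    servers: list[Server]
    replication_delay: int
    pending: list[tuple[int, str, int]] = field(default_factory=list)   # (visible_at, client, step)

    def _replicate(self, now: int) -> None:
        still_pending = []
        for visible_at, client, step in self.pending:
            if visible_at <= now:
                for s in self.servers:
                    s.seen[client] = max(s.seen.get(client, 0), step)
            else:
                still_pending.append((visible_at, client, step))
        self.pending = still_pending

    def handle(self, server: Server, now: int, client: str, step: int) -> bool:
        """Accept request `step` only if this server already holds step-1 for the client (assumed rule)."""
        self._replicate(now)
        if server.seen.get(client, 0) != step - 1:
            return False                      # the state lives on the other server: the exchange breaks here
        server.seen[client] = step
        self.pending.append((now + self.replication_delay, client, step))
        return True


class LoadBalancer:
    """Round-robin front end. sticky_ttl=None disables stickiness; otherwise a client stays
    pinned to its server for sticky_ttl seconds after its most recent request."""

    def __init__(self, servers: list[Server], sticky_ttl: int | None = None):
        self._rr = cycle(servers)
        self.sticky_ttl = sticky_ttl
        self.table: dict[str, tuple[Server, int]] = {}     # client -> (server, expires_at)

    def pick(self, client: str, now: int) -> Server:
        if self.sticky_ttl is None:
            return next(self._rr)
        entry = self.table.get(client)
        server = entry[0] if entry and entry[1] > now else next(self._rr)
        self.table[client] = (server, now + self.sticky_ttl)
        return server


def run_exchange(cluster: Cluster, lb: LoadBalancer, client: str, first_step: int, start: int) -> int:
    """One enrollment or rendezvous burst, one request per second.
    Returns how many pairs completed before the first failure."""
    done = 0
    for i in range(PAIRS_PER_EXCHANGE):
        now = start + i
        if not cluster.handle(lb.pick(client, now), now, client, first_step + i):
            break
        done += 1
    return done


def scenario(sticky_ttl: int | None, replication_delay: int, gap: int) -> tuple[int, int]:
    """Pairs completed in a first exchange at t=0 and in a second one starting `gap` seconds later."""
    servers = [Server("pgp-universal-a"), Server("pgp-universal-b")]
    cluster = Cluster(servers, replication_delay)
    lb = LoadBalancer(servers, sticky_ttl)
    first = run_exchange(cluster, lb, CLIENT, first_step=1, start=0)
    second = run_exchange(cluster, lb, CLIENT, first_step=first + 1, start=gap)
    return first, second


if __name__ == "__main__":
    for label, ttl, delay in (("no stickiness, 5min replication", None, 300),
                              ("24h stickiness, 5min replication", 24 * 3600, 300),
                              ("10min stickiness, 2h replication", 600, 7200)):
        print(f"{label:36} pairs completed (first, second): {scenario(ttl, delay, gap=3600)}")
```

Without stickiness the second request of every exchange lands on the peer before replication has caught up and fails, so both exchanges stall after one pair. A 10-minute stickiness carries a single burst but breaks the next rendezvous an hour later when replication takes two hours, because the client is re-balanced to a server that has not yet seen its state. That is the failure the 24-hour recommendation guards against: the stickiness period has to outlast the replication delay, not just the burst.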

Enabling or Disabling PGP RDD in the PGP Universal Server

The PGP RDD service is enabled by default.
Warning: If you disable the PGP RDD service while you have AT Activated computers, those computers can no longer rendezvous successfully and will eventually lock when their Disable Timer expires.
To enable or disable PGP RDD
1 Log in to the PGP Universal Server administrative interface.
2 Select Services > PGP RDD.
3 Do one of the following:
To enable PGP RDD, click Enable. The text "Intel® Anti-Theft Technology is enabled" is displayed in the page.
To disable PGP RDD, click Disable. The text "Intel® Anti-Theft Technology is disabled" is displayed in the page.

Ports Used by the PGP RDD Service

The service requires the following ports to be open.
The Intel Anti-Theft Technology Services Port is used for communication between PGP Universal Server and the anti-theft service. External access to this port is not required.
The ICLS URL and Port sets the URL and port of the ICLS (Intel Content License Server). The ICLS permit server is the activation site at Intel where client installations are tracked. Do not change the default settings unless Symantec Corporation notifies you that it is necessary. You can test the connection to the ICLS from the Options page (PGP Remote Disable & Destroy Administration > Configuration > Options).
Communication between PGP Universal Server and PGP RDD-enabled client systems uses the same HTTPS port as the administrative console (port 9000 by default), so client systems must be able to reach that port on the server at their scheduled rendezvous.

Modifying PGP RDD Ports

To modify PGP RDD settings
1 Log in to the administrative interface.
2 Select Services > PGP RDD.
3 To enable PGP RDD, click Enable. The text "Intel® Anti-Theft Technology is enabled" is displayed in the page.
4 To modify the Intel Anti-Theft Technology Services Port, or the ICLS URL or Port, click Edit.
5 Make the necessary changes, and click Save.

System Requirements

PGP RDD can only be used with managed PGP Desktop with PGP Whole Disk Encryption installations.
Caution: To support PGP RDD, the client and PGP Universal Server must be able to contact each other. Do not activate PGP RDD on a computer that will never contact PGP Universal Server, because the computer will lock.

Symantec Products

PGP Whole Disk Encryption (PGP WDE)
PGP Universal Server
PGP Remote Disable & Destroy with Intel Anti-Theft Technology

Server Software

Linux (CentOS 5.3)
Servlet Container (Tomcat)
Spring Framework
JDK 1.6
Valid SSL certificate. Symantec provides this certificate.
Working connection to Intel ICLS Servers.

About PGP Remote Disable & Destroy Licenses

Licensing PGP Remote Disable & Destroy with Intel Anti-Theft Technology requires three things:
PGP Universal Server license. Intel Anti-Theft Technology is automatically included with the PGP Universal Server license.
PGP Remote Disable & Destroy with Intel Anti-Theft Technology license file. You must purchase this license separately from your PGP Universal Server license. This human-readable XML file shows the number of seats purchased, the start and end dates of the subscription period, and the license serial number. The license expires at the end of the subscription period. If the license expires, activated systems are not affected and continue to be protected. When you view the license history for an expired license, the entry shows that there are no seats available on that license.
You can have more than one active license at a time. When you upload a new license, it does not replace existing licenses; the seat counts are cumulative.
PGP Universal Server does not enforce the seat count, so it is possible to activate more computers than your license permits; the number of activated computers is, however, registered by the ICLS.
Activation file. This encrypted activation file is included when you purchase the PGP RDD license file. The activation file registers your license and enables the ICLS to monitor how many Intel Anti-Theft-activated computers you have. PGP Universal Server sends no information directly to Symantec Corporation.

Licensing PGP RDD with Intel Anti-Theft

When you purchased a license for PGP RDD, you received two Symantec files with the file extension .slf.zip, the license file and the activation file:
[name1].slf.zip
[name2].slf.zip
For example, the files might be named 2230672.slf.zip and 2230673.slf.zip. You upload both files to your PGP Universal Server to license PGP RDD.
To apply the license and activation files
1 From the PGP RDD interface, select Configuration > Options.
2 Click Browse to locate the license file you want to upload.
3 Click Browse to locate the activation file you want to upload. You must have both the license and the activation file. Make sure to select the activation file that matches the license you are uploading.
4 Click Upload License File to upload the license and activation files.
5 Click Save.
To test the connection between the PGP Universal Server and the ICLS
1 From the PGP RDD interface, select Configuration > Options.
2 Click Test Permit Server Connection. A message confirms whether or not the server is reachable.