PGP™ Remote Disable & Destroy
Configuration Guide
10.2
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Version 10.2.1. Last updated: April 2012.
Legal Notice
Copyright (c) 2012 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, PGP, Pretty Good Privacy, and the PGP logo are trademarks or registered trademarks of Symantec Corporation or its
affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering.
No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if
any.
THE DOCUMENTATION IS PROVIDED"AS IS"AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING
ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT
TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR
INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION.
THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights
as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. “Commercial Computer
Software and Commercial Computer Software Documentation”, as applicable, and any successor regulations. Any use, modification, reproduction
release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with
the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
Symantec Home Page (
Printed in the United States of America.
10 9 8 7 6 5 4 3 2 1
http://www.symantec.com)
Contents
Introducing PGP Remote Disable and Destroy
About PGP Remote Disable and Destroy 1
Components of PGP RDD 1
How PGP RDD Works 1
About PGP RDD Client Anti-Theft States 2
1
Installation Considerations 3
Planning Your Network Architecture 3
Considerations When Using Multiple PGP Universal Servers 3
Enabling or Disabling PGP RDD in the PGP Universal Server 3
Ports Used by the PGP RDD Service 4
Modifying PGP RDD Ports 4
System Requirements 5
Symantec Products 5
Server Software 5
About PGP Remote Disable & Destroy Licenses 5
Licensing PGP RDD with Intel Anti-Theft 6
About Deploying PGP RDD on Client Systems 7
About the PGP RDD Deployment Process 7
About AT Activated Client Systems 8
Deploying PGP RDD on Client Systems 9
Software Requirements for Client Systems 9
Drivers and BIOS Requirements for Client Systems 10
Hardware Requirements for Client Systems 10
Accessing PGP RDD on the PGP Universal Server 11
Accessing PGP RDD 11
Displaying PGP RDD Data 11
About Intel Anti-Theft Status 11
Changing a Computer's Status 13
Exporting PGP RDD System Information 13
Working with Stolen Systems 15
About Stolen Client Systems 15
Recovering a Stolen Client System 15
Identifying the Initial Screen at Power On 16
Recovering Using the Intel BIOS Recovery Screen 16
Recovering Using the PGP BootGuard Screen 17
Setting PGP RDD Policy 19
Enabling PGP RDD in a Consumer Policy 19
ii Contents
Understanding the Difference Between Consumer and PGP RDD Policies 19
About Consumer Policies 20
About PGP RDD Policies 20
Applying Consumer Policy to Consumer Groups 21
Setting a PGP RDD Policy 21
About the PGP RDD Rendezvous 22
Considerations When Configuring Rendezvous Intervals 23
About PGP RDD Timers 23
Considerations When Setting Your PGP RDD and Consumer Policies 25
Setting a PGP RDD Timer 26
About Decommissioning a Computer 27
Recovering a Decommissioned Client System 27
About Decommissioned Computers 28
Decommissioning a PGP RDD-Enabled Client System 28
About AT Deactivated Client Systems 29
Deactivating a Client System 29
Working with PGP RDD Administrator Roles 31
About PGP RDD Administrator Roles 31
Assigning Roles 31
Introducing PGP Remote Disable and Destroy
1
About PGP Remote Disable and Destroy
PGP Remote Disable and Destroy from Symantec(TM) powered by Intel(R) Anti-Theft
Technology (PGP RDD) provides a security solution for lost, stolen, or decommissioned
computers.
PGP RDD solves the need to keep data secure in mobile environments and comply with
increasingly stringent regulations in data security and privacy using the latest Intel AT
technology. PGP RDD offers corporate users the option to activate PGP Universal
Server's security service and manage hardware-based, client-side intelligence to secure
the notebook and/or data if a notebook is lost or stolen. If the client system is lost or
stolen, you can remotely disable client systems or disable access to data and securely
decommission client systems.
Components of PGP RDD
The following items are part of the overall PGP RDD installation:
PGP Universal Server. The administrative server used to manage client systems.
Intel Content License Server (ICLS). The ICLS permit licensing server is the
activation site at Intel where client installations are tracked.
Managed PGP Desktop client system with PGP Whole Disk Encryption installed.
Once PGP RDD policies are applied and the system is encrypted, the client system
then becomes PGP RDD-enabled.
How PGP RDD Works
You deploy PGP RDD to clients you have specified in PGP Universal Server as part of a
particular consumer group. For that consumer group, you create a policy that enables
PGP RDD with Intel Anti-Theft Technology. You then create a PGP Desktop client
installer that uses the policy.
A user installs the PGP Desktop client and enrolls with the PGP Universal Server using
the method you choose. The client computer is then encrypted with PGP Whole Disk
Encryption. During this process, the client receives the policy from PGP Universal
Server that enables PGP RDD. PGP RDD in turn activates the Intel Anti-Theft
Technology on that client, and the encrypted client moves to a state known as “AT
Activated.” This is the normal operating state for a PGP RDD-enabled client. This state
is transparent to the user. The client system operates normally and is protected.
2 Introducing PGP Remote Disable and Destroy
About PGP RDD Client Anti-Theft States
PGP Universal Server then monitors PGP RDD-enabled clients through regular periodic
contact between server and client. This contact refreshes the theft status of the
computer and is known as a rendezvous. A successful rendezvous indicates to the
server that a client is online and controlled by the authorized user.
After a missed rendezvous, a timer begins counting down to disable the system. If the
client fails to rendezvous successfully before the timer expires, the client is
automatically flagged on the server as “Stolen.” The client is locked down until the user
or administrator unlocks the system and returns it to an “AT Activated” state.
Security for the system is local. The computer is disabled when the timers expire. This
thwarts a common strategy employed in laptop theft to avoid putting the computer
online. Security is also hardware-based, preventing use of the system even if its hard
drive is replaced.
For more information on configuring and deploying PGP RDD, go to the Symantec
Knowledgebase (
search for DOC4975, "PGP Remote Disable & Destroy Configuration Guide".
http://www.symantec.com/business/support/index?page=home) and
About PGP RDD Client Anti-Theft States
A PGP RDD-enabled client is always in one of the following states:
AT Activated client systems are clients with PGP RDD currently activated, and
which are not marked stolen. This is the normal state for a PGP RDD-enabled
client.
AT Deactivated client systems do not have PGP RDD-enabled consumer policies or
do not support Intel Anti-Theft technology.
Stolen client systems are those marked stolen by the administrator or affected
when the Disable Timer expired and the Platform Disable policy triggered. Stolen
computers are locked and cannot be unlocked without assistance from the
administrator.
D Time Expired client systems are in an activated state but there has been no
rendezvous before the system's Disable Timer expired.
Unsupported client systems do not support Intel Anti-Theft Technology.
Note: Computers that do not support Intel Anti-Theft and do not have PGP
RDD-enabled consumer policies may be listed as AT Deactivated, instead of
Unsupported.
Decommissioned computers are still encrypted, but the status is AT Deactivated.
These computers are listed on the RDD Systems > Deactivated page, but they are
no longer protected by Intel Anti-Theft. Use this option when your organization
removes computers from active use, but still wants to protect the data. For
example, if the organization plans to give away or sell the computers to someone
who will not have access to PGP Universal Server.
See About Intel Anti-Theft Status (on page
See Displaying PGP RDD Data (on page 11).
See Deactivating a Client System (on page 29).
See About Stolen Client Systems (on page 15).
11).
Installation Considerations
2
Planning Your Network Architecture
When planning your deployment, keep the following points in mind:
The main consideration when planning your deployment of PGP RDD is that the
client systems must be able to communicate with the server at their scheduled
rendezvous. Missing the rendezvous could lead to locked client systems.
Your PGP Universal Server must be able to communicate with the Intel Content
License Server. Disruption in communication can lead to activation failures.
Considerations When Using Multiple PGP Universal Servers
To balance requests to multiple servers, Symantec recommends that you use load
balancing on your servers. This ensures that all servers participate in processing the
load.
When PGP RDD-enabled client computers enroll or perform a rendezvous, they
exchange 30 to 40 request and response pairs. Because server replication contains a
delay, these requests must be handled and processed by the same server. Your load
balancer must be configured so that the same client's requests are processed by the
same server during a certain period of time. This is called load balancing stickiness.
Symantec recommends that the length of stickiness should be long enough (such as 24
hours, assuming the replication delay will be less than 24 hours) to route requests from
one client to the same server.
Enabling or Disabling PGP RDD in the PGP Universal Server
The PGP RDD service is enabled by default.
Warning: If you disable the PGP RDD service while you have AT-Activated computers,
the computers will not be able to rendezvous successfully and will eventually lock
when the Disable Timer expires.
To enable or disable PGP RDD
1 Log in to the PGP Universal Server administrative interface.
2 Select Services > PGP RDD.
3 Do one of the following:
4 Installation Considerations
Ports Used by the PGP RDD Service
To enable PGP RDD, click Enable. The text Intel® Anti-Theft Technology is
enabled is displayed in the page.
To disable PGP RDD, click Disable. The text Intel® Anti-Theft Technology is
disabled is displayed in the page.
Ports Used by the PGP RDD Service
The PGP RDD service is enabled by default.
Warning: If you disable the PGP RDD service while you have Intel AT-activated
computers, the computers will not be able to rendezvous successfully and will
eventually lock when the Disable Timer expires.
The service requires the following ports to be open.
The Intel Anti-Theft Technology Services Port is used for communication
between PGP Universal Server and the anti-theft service. External access to this
port is not required.
The ICLS URL and Port sets the ICLS (Intel Content License Server) URL and port.
The ICLS permit server is the activation site at Intel where client installations are
tracked. Do not change the default settings unless Symantec Corporation notifies
you that it is necessary. You can test the connection to the ICLS from the Options
page (PGP Remote Disable & Destroy Administration > Configuration >
Options).
PGP Universal Server and PGP RDD-enabled client system communication uses
the same HTTPS port as you use to access the administrative console (port 9000 by
default).
Modifying PGP RDD Ports
To modify PGP RDD settings
1 Log into the administrative interface.
2 Select Services > PGP RDD.
3 To enable PGP RDD, click Enable. The text Intel® Anti-Theft Technology is
enabled is displayed in the page.
4 To modify the Intel Anti-Theft Technology Services Port, or the ICLS URL or Port,
click Edit.
5 Make the necessary changes, and click Save.
System Requirements
PGP RDD can only be used with managed PGP Desktop with PGP Whole Disk
Encryption installations.
Caution: To support PGP RDD, the client and PGP Universal Server must be able to
contact each other. Do not activate PGP RDD on a computer that will never contact
PGP Universal Server, because the computer will lock.
Symantec Products
PGP Whole Disk Encryption (PGP WDE)
PGP Universal Server
PGP Remote Disable & Destroy with Intel Anti-Theft Technology
System Requirements
5 Installation Considerations
Server Software
Linux (CentOS 5.3)
Servlet Container (Tomcat)
Spring Framework
JDK 1.6
Valid SSL Certificate. This certificate to be provided by Symantec.
Working connection to Intel ICLS Servers.
About PGP Remote Disable & Destroy Licenses
Licensing PGP Remote Disable & Destroy with Intel Anti-Theft Technology requires
three things:
PGP Universal Server license. Intel Anti-Theft Technology is automatically
included with the PGP Universal Server license.
PGP Remote Disable & Destroy with Intel Anti-Theft Technology license file.
You must purchase this license separately from your PGP Universal Server.
This human-readable XML file shows the number of seats purchased, the start and
end dates of the subscription period, and the license serial number. The license
expires at the end of the subscription period. If the license expires, activated
systems are not affected and continue to be protected. When you view the license
history for an expired license, the entry shows that there are no seats available on
that license.
You can have more than one active license at a time. When you upload a new
license, it does not replace existing licenses; instead, they are cumulative.
6 Installation Considerations
About PGP Remote Disable & Destroy Licenses
PGP Universal Server does not enforce the license to make sure you do not exceed
the number of activated computers your license permits. It is possible to activate
more computers than your license permits, but the number of activated computers
is registered by the ICLS.
Activation file. This encrypted activation file is included when you purchase the
PGP RDD license file.
The activation file registers your license, and enables the ICLS to monitor how
many Intel Anti-Theft-activated computers you have. PGP Universal Server sends
no information directly to Symantec Corporation.
Licensing PGP RDD with Intel Anti-Theft
When you purchased a license for PGP RDD, you received two Symantec license files
with the file extension .slf.zip:
[name1].slf.zip
[name2].slf.zip
For example, the files are named 2230672.slf.zip and 2230673.slf.zip. These files are
uploaded to your PGP Universal Server so you can license PGP RDD.
To apply the license and activation files
1 From the PGP RDD interface, select Configuration > Options.
2 Click Browse to locate the license file you want to upload.
3 Click Browse to locate the activation file you want to upload. You must have both
the license and the activation file. Make sure to select the correct activation file
for the license you are uploading.
4 Click Upload License File to upload the license and activation files.
5 Click Save.
To test the connection between the PGP Universal Server and the ICLS
1 From the PGP RDD interface, select Configuration > Options.
2 Click Test Permit Server Connection. A message confirms whether or not the
server is reachable.
About Deploying PGP RDD on Client Systems
3
On systems that include Intel Anti-Theft Technology, enabling PGP RDD consists of
installing PGP Desktop, enrolling to a PGP Universal Server, and encrypting the disk.
All other functions of PGP RDD are managed by the PGP Universal Server.
PGP RDD can only be used with managed PGP Desktop with PGP Whole Disk
Encryption installations.
Caution: To support PGP RDD, the client and PGP Universal Server must be able to
contact each other. Do not activate PGP RDD on a computer that will never contact
PGP Universal Server, because the computer will lock.
About the PGP RDD Deployment Process
To roll out PGP RDD in your enterprise, you will perform the following tasks:
Step
1 On the PGP Universal
2 Enter the PGP RDD License
3 Define the Intel Anti-Theft
4 Create one or more
5 Enable PGP RDD in a
Task Description
Server, enable PGP RDD.
and Activation Key.
Technology Services Ports.
consumer groups for PGP
RDD users.
consumer policy.
PGP RDD is a service that you must enable.
See Enabling or Disabling PGP RDD in the PGP
Universal Server (on page 3).
The Intel Anti-Theft (Intel AT) license is an AT permit
that is stored on PGP Universal Server in the database.
The license is obtained from the Intel Licensing Server
during enrollment of PGP RDD client systems and is
pushed to the client system. The permit is different for
each PGP RDD-enabled computer.
See License PGP RDD with Intel AT (see "
Remote Disable & Destroy Licenses" on page 5,
"Licensing PGP RDD with Intel Anti-Theft" on page 6).
The ports are used for communication between PGP
Universal Server and the Anti-Theft service, as well as
between the Intel Content License Server and the cilent
systems.
See Ports Used by the PGP RDD Service (on page
Multiple consumer groups (Executives, IT, Marketing)
can receive the same PGP RDD-enabled consumer
policy, or you can enable PGP RDD for only a subset of
your groups.
PGP RDD is enabled through a Consumer Policy applied
on the client.
See Setting PGP RDD in Consumer Policies.
About PGP
4).
6 Apply consumer policy to
consumer groups.
Move specific users/groups to the PGP RDD policy. See
Applying Consumer Policy to Consumer Groups (on page
21).
8 About Deploying PGP RDD on Client Systems
About AT Activated Client Systems
Step
7 Create a separate PGP
8 Create a PGP Desktop
9 Install PGP Desktop on
10 Enroll users through email
11
12
Task Description
Platform Disable policy for
each consumer group.
installer and provide it to
users.
client systems.
or LDAP.
Encrypt the disk on the
client system.
Verify the client system is
activated.
Although multiple consumer groups can receive the
same PGP RDD-enabled consumer policy, you can apply
different PGP RDD policy settings to each different
group.
The PGP Platform Disable policy is used to configure
the specific timer values and resulting actions to take
when a computer misses a rendezvous.
After you create the consumer policy, create a client
installer. See the following sections in the PGP
Universal Server Administrator's Guide:
Understanding User Enrollment Methods
Creating an Installer with Preset Policy
Users must have administrative rights to install PGP
Desktop. Your users will:
Locate the client installer application and double-click
it.
Follow the on-screen instructions.
If prompted to do so, restart the client system.
Enrollment is the binding of a client system to a PGP
Universal Server. After a client is bound it receives
feature policy information from the PGP Universal
Server. Once enrolled, users are added to the
RDD-enabled policy group.
If specified by policy, encryption begins automatically.
Log in to the PGP Universal Server administrative
interface.
Select
Services > PGP RDD.
Click
Manage PGP RDD with Intel Anti-Theft
Technology.
Locate the client system and verify the status of the
client system is
Activated.
About AT Activated Client Systems
AT Activated systems are clients systems on which Intel Anti-Theft is activated. These
systems are connected to the network and are not marked Stolen. AT-Activation starts
automatically after the user enrolls and PGP WDE encrypts the disk. Intel Anti-Theft
only activates with encryption at enrollment. Therefore, consumer policies that enable
PGP RDD should also force disk encryption at installation.
If you have not selected auto-encryption, you can AT activate your client system by
manually encrypting the disk.
Note: If you use PGP Whole Disk Encryption Command Line to begin encryption,
Intel Anti-Theft will not activate.
The AT Activated status appears in the PGP Universal Server interface as Activated
(pending) until the client system contacts PGP Universal Server at its next scheduled
rendezvous. After a successful rendezvous, the status changes to AT Activated.
You cannot activate PGP RDD on a system that is already encrypted. You must decrypt
the disk before switching a user from a policy that does not support PGP RDD to a
policy that does. When the new policy forces re-encryption, Intel Anti-Theft activates.
When you recover a locked computer, you must first change the status from Stolen to
AT Activated. For more information on laptop recovery, see Recovering Locked
Systems.
You can change AT Activated computers to Decommissioned or Stolen. You can also
change Stolen computers back to AT Activated as part of the recovery process. When
you change the status, it appears as pending until the next time the computer
completes a rendezvous.
Deploying PGP RDD on Client Systems
To deploy PGP RDD on client systems
1 Install PGP Desktop.
2 Enroll to PGP Universal Server using email or LDAP credentials.
3 Encrypt the disk.
Deploying PGP RDD on Client Systems
9 About Deploying PGP RDD on Client Systems
Software Requirements for Client Systems
Client Software
Microsoft Windows XP (32-bit SP2, 64-bit SP3)
Microsoft Windows 7 (32-bit and 64-bit)
Microsoft Windows Vista (32-bit and 64-bit)
Intel Management Engine Chip
Note: The Intel Management Engine (ME) chip is not backward-compatible, so you
cannot use the 7.x driver ME chip on a computer with a 6.x driver.
Computers with a 6.x driver should use ME driver for Intel 5-series chipset-based
boards.
Computers with a 7.x driver should use ME driver for Intel 6-series chipset-based
boards. The Intel ME driver installer works XP, Vista, and Win7, 32-bit and 64-bit
OS. The ME firmware driver is available notebook vendors and Intel’s web site.
10 About Deploying PGP RDD on Client Systems
Drivers and BIOS Requirements for Client Systems
Drivers and BIOS Requirements for Client Systems
Required Drivers
Install the Intel MEI drivers for the client computer manufacturer. These drivers are on
the installation disks if your computer is made by Hewlett Packard. You can also get the
drivers from either the manufacturer's website or from Intel's website. Using the
manufacturer's MEI drivers is recommended, but the drivers from Intel are also
acceptable.
BIOS Support
These processors support Intel AT most of the time, but not always. Check the BIOS to
see if Intel AT is supported.
Intel AT functionality is usually turned on by default in the BIOS. If it is not turned on,
you must turn it on manually. The process for turning on Intel AT in the BIOS differs
from manufacturer to manufacturer. Contact Intel or technical support for your
computer's manufacturer for more information.
Hardware Requirements for Client Systems
Hardware
Intel vPro Core i5 with Intel Anti-Theft Technology
Intel vPro Core i7 with Intel Anti-Theft Technology
2nd Generation Intel vPro Core i5 processor with Intel Anti-Theft Technology
2nd Generation Intel vPro Core i7 processor with Intel Anti-Theft Technology
Accessing PGP RDD on the PGP Universal Server
4
Accessing PGP RDD
You can view Intel Anti-Theft data for all the computers managed by the RDD policy.
To access PGP RDD
1 Log into the administrative interface.
2 Select Services > PGP RDD.
3 Click Manage PGP RDD with Intel Anti-Theft Technology.
4 Review the computers on the RDD Systems tab.
Displaying PGP RDD Data
To display PGP RDD data
1 Log into the administrative interface.
2 Select Services > PGP RDD.
3 Click Manage PGP RDD with Intel Anti-Theft Technology.
4 Click Configuration.
5 Under PGP Remote Disable & Destroy Report Fields, select the check boxes for
the data you want to display.
6 Click Save.
7 On the RDD Systems page, click the buttons at the top of the page to display data
for the specified computers.
About Intel Anti-Theft Status
The All Systems page displays information about all client computers, including each
computer's Intel Anti-Theft status.
AT Activated are systems on which Intel Anti-Theft is currently activated. These
systems are connected to the network and are not marked Stolen.
12 Accessing PGP RDD on the PGP Universal Server
Displaying PGP RDD Data
AT-Activation starts automatically after the user enrolls and PGP WDE encrypts
the disk. Therefore, consumer policies that enable PGP RDD should also force disk
encryption at installation.
The AT-Activated status appears in the PGP Universal Server interface as
Activated (pending) until the client system contacts PGP Universal Server at its
next scheduled rendezvous. After a successful rendezvous, the status changes to
AT Activated.
You cannot activate PGP RDD on a system that is already encrypted. You must
decrypt the disk before switching a user from a policy that does not support PGP
RDD to a policy that does. When the new policy forces re-encryption, Intel
Anti-Theft activates.
Make sure that consumer policies enable PGP Remote Disable & Destroy with Intel
Anti-Theft Technology. If you have not selected auto-encryption, you can AT
activate your client system by manually encrypting the disk.
The AT Activated status appears as pending until the computer contacts PGP
Universal Server at the next scheduled rendezvous. When you recover a locked
computer, you must first change the status from Stolen to AT Activated. For more
information recovery, see Recovering Locked Systems.
You can change AT Activated computers to Decommissioned or Stolen. You can
also change Stolen computers back to AT Activated as part of the recovery
process. When you change the status, it appears as pending until the next time the
computer completes a rendezvous.
AT Deactivated are computers on which Intel Anti-Theft has been turned off.
Deactivated computers are both decrypted and AT Deactivated and therefore no
longer protected by Intel Anti-Theft. After the computer is deactivated, the license
seat for that system can be reused. Computers that do not support Intel Anti-Theft
and do not have PGP RDD-enabled consumer policies are also listed as AT
Deactivated. There are two ways to deactivate a computer:
Change the computer's consumer policy to one where PGP RDD is disabled,
and disk encryption is not required. For this process to successfully
deactivate the computer, PGP Tray must be running and the computer must
be able to contact PGP Universal Server. Decrypt the computer. Decryption
triggers Intel AT deactivation. If PGP Tray is not running or PGP Universal
Server is not reachable, the computer is decrypted but remains activated. In
this case, you must manually change the computer's status to
Decommissioned. At the next rendezvous, Intel AT deactivates.
Disable Intel AT by changing the status to Decommissioned, and then
decrypt it. Client computers cannot be decrypted while Intel Anti-Theft is
still activated, if PGP RDD is still required by policy.
Stolen. Includes computers marked stolen by the administrator, and computers
that locked when the Disable Timer expired and the Platform Disable policy
triggered. Stolen computers are locked and cannot be unlocked without assistance
from the administrator. If a client system is marked Stolen in PGP Universal
Server by the administrator, the Platform Stolen policy is triggered the next time
the computer completes rendezvous or is restarted. For more information on the
Platform Stolen policy, see About PGP RDD Policies (on page
for that system remains active and in use.
20). The license seat
Displaying PGP RDD Data
D Timer Expired. Systems in this state are listed if they are in an activated state
and if there is no rendezvous before the system's Disable Timer has expired. The
system shuts down if it was not in the sleep mode when disable timer is expired. If
the system was in Sleep mode (not Hibernation), and the disable timer is expired,
when the system resumes, it does not shut down immediately as the grace timer
will make the computer turn on until the grace timer is expired. In this case, if
there is a successful rendezvous, then the system becomes activated and the
status changes to AT Activated. If there is no rendezvous before the grace timer
expires, the system shuts down, and is reported to the server as “DTimerExpired”.
Because the server does not know when the system resumed from Sleep mode, the
server does not know when the grace timer starts and therefore does not know
when the grace timer expires.
Unsupported. Computers that do not support Intel Anti-Theft Technology.
Computers that do not support Intel Anti-Theft and do not have PGP RDD-enabled
consumer policies may be listed as AT Deactivated, instead of Unsupported.
A PGP RDD-enabled client system can be decommissioned, for example, when an
employee leaves the company, so that a license can be reused, and so that it can be
stored with the secured data. If the client system is decommissioned, then it can be
redeployed to another user either as a PGP RDD-enabled client system or a non PGP
RDD system. For information on how to decommission a system, see About
Decommissioning a Client System (see "
About Decommissioning a Computer" on page 27).
13 Accessing PGP RDD on the PGP Universal Server
Warning: You cannot delete users with Intel Anti-Theft-activated computers from the
Users list, nor activated computers from the Devices list. When you delete users, all
user records are lost. The next time the computer tries to rendezvous with PGP
Universal Server, authentication fails and the computer locks. You will not be able to
recover the laptop without the PGP RDD recovery passphrase, which is also deleted
with the user records, unless you previously exported it. Before you delete an AT
Activated user or device, you must deactivate and decrypt the computer.
Changing a Computer's Status
To change a computer's status
1 Log in to the PGP Universal Server administrative interface.
2 Select Services > PGP RDD.
3 Click Manage Remote Disable & Destroy with Intel Anti-Theft Technology.
4 Select a new status from the drop-down menu.
The new status may appear as pending until the next time the computer completes
rendezvous.
5 Click Save.
Exporting PGP RDD System Information
The PGP Remote Disable & Destroy (RDD) service logs actions on PGP Universal
Server's Logs page. For more information, see System Logs.
14 Accessing PGP RDD on the PGP Universal Server
Displaying PGP RDD Data
Access data reports for PGP RDD directly from the PGP RDD interface, not from the
PGP Universal Server Reporting or Graphs pages.
To export PGP RDD data
1 Open PGP RDD.
2 From Configuration > Options, select what data you want to appear in the systems
pages. Possible reported data includes Computer Name, Name, Status, Policy
Group, Last Date Connected, and Passphrase.
3 Click Save.
4 From RDD Systems, choose the set of systems for which you want information
exported: All, Activated, Deactivated, Stolen, or Unsupported.
5 Click Export Data.
All the information on the systems page is exported into a CSV file. If you have
permission to view recovery passphrases, the exported file will contain those
passphrases. The passphrases are unencrypted plain text.
Working with Stolen Systems
5
Client systems that are designated as stolen include those systems marked stolen by the
administrator, as well as computers that locked when the Disable Timer expired and the
Platform Disable policy triggered. Stolen computers are locked and cannot be unlocked
without assistance from the administrator.
If a computer is lost or stolen, change the computer's status to Stolen to trigger the
Platform Stolen policy the next time the computer completes rendezvous or restarts. If
the computer never connects to rendezvous, the status changes to Stolen - timer
expired when the Disable Timer expires and the Platform Disable policy triggers.
When the computer's status is Stolen, you must follow the recovery process to unlock
it.
When a computer is marked stolen, the license seat for that system remains active and
in use.
See Recovering a Stolen Client System (on page
See Recovering a Decommissioned Client System (on page 27).
About Stolen Client Systems
15).
Two actions trigger a system's status to change to stolen:
If a client system is lost or stolen, users must notify their Administrator, who will
then change the client system's status AT Activated to Stolen in PGP Universal
Server. This triggers the Platform Stolen policy the next time the client system
completes rendezvous or is restarted.
If the client system never connects for rendezvous, the status changes to Stolen -
timer expired when the Disable Timer expires and the Platform Disable policy
triggers.
The license seat for the stolen client system is active and in use.
For example, if you are traveling, and you accidentally leave your client system at the
security checkpoint in an airport, you must contact your administrator to have the
client system marked as Stolen. When the client system's status is Stolen, you must
follow the recovery process to unlock it. For more information on recovering stolen
client systems, see Recovering a Stolen Client System (on page
Recovering a Stolen Client System
To recover a client system, a user must contact the PGP Universal Server Administrator
supporting PGP RDD.
To instruct the user during recovery, first identify the screen that appeared after
reboot. See Identifying the Initial Screen at Power On (on page 16).
15).
16 Working with Stolen Systems
Recovering a Stolen Client System
Identifying the Initial Screen at Power On
Before you can recover a stolen system
1 Instruct the user to power on the client system.
On most systems, the Intel BIOS recovery screen appears, followed by the PGP
BootGuard screen. If you selected Enable PBA Recovery on the RDD Policies page,
however, the Intel BIOS recovery screen is skipped and the PGP BootGuard screen
appears.
Note: Only certain hardware platforms, such as Panasonic's Toughbook and Let's
Note CF models, support this feature.
If the user sees three options, they are on the Intel screen. If they are prompted for
their user name, passphrase, and domain, they are on the PGP Bootguard screen.
Have them tell you which screen they are seeing.
If the user is on the Intel screen, see Recovering Using the Intel BIOS Recovery
Screen (on page 16).
If the user is on the PGP screen, see Recovering Using the PGP BootGuard Screen
(on page 17).
Recovering Using the Intel BIOS Recovery Screen
On the Intel BIOS screen, have the user select one of the following options:
To use a passphrase to recover the system, select option 1.
To use a recovery token to recover the system, select option 2.
Tip: Recovery using Option 1 is faster, because a passphrase is easier to enter
than communicating and entering the very long strings that make up a recovery
token.
To recover a client system using a recovery passphrase
To recover a client system when the user has selected option 1 (to use a passphrase),
you must provide the recovery passphrase to the user.
1 Log in to the administrative interface.
2 Select Services > PGP RDD.
3 Click Manage PGP RDD with Intel Anti-Theft Technology.
4 Locate the system that was stolen and which you want to recover, and change the
status of the client system from Stolen to Activated (pending).
5 Click Passphrase.
6 Provide the current recovery passphrase to the user.
The user should enter the recovery passphrase and click OK. If
authentication is successful, the PGP BootGuard screen appears on the client
system.
Recovering a Stolen Client System
7 See Recovering Using the PGP BootGuard Screen (on page 17).
To recover a client system using a recovery token
To recover a client system when the user has selected option 2 (to use a recovery token),
you must provide the recovery token to the user.
1 Log in to the administrative interface.
2 Select Services > PGP RDD.
3 Click Manage PGP RDD with Intel Anti-Theft Technology.
4 Locate the system that was stolen and which you want to recover, and change the
status of the client system from Stolen to Activated (pending).
5 Obtain from the user the long string that is displayed when the user pressed
option 2 after powering the system on. This string is specified as Platform
Recovery ID on the user's system.
6 Log into the administrative interface.
7 Select Services > PGP RDD.
8 Click Manage PGP RDD with Intel Anti-Theft Technology.
9 Locate the system that was stolen and which you want to recover, and click
Passphrase.
10 In the Recovery Passphrase dialog box, click Generate Server Recovery Token.
11 Enter the string that the user provided in step 5 and click Generate.
The following recovery tokens are generated:
17 Working with Stolen Systems
Hexadecimal
Decimal
Base32
12 Provide the string for the Base32 recovery token to the user.
The user enters the string and presses Enter. If authentication is successful,
the PGP BootGuard screen appears.
13 See Recovering Using the PGP BootGuard Screen (on page
Recovering Using the PGP BootGuard Screen
To recover a system from the PGP BootGuard screen, the user needs to enter the Whole
Disk Recovery Token.
Note: The user cannot recover a stolen system using Local Self Recovery (LSR).
To recover using the PGP BootGuard screen
1 To switch from the user name/passphrase prompts to the WDRT prompt, tell the
user to press F4.
17).
18 Working with Stolen Systems
Recovering a Stolen Client System
2 To provide the WDRT to the user, on PGP Universal Server, select Consumers >
3 Expand the Whole Disk Encryption panel to locate the client system.
4 Click the system's WDRT icon. Provide the displayed WDRT to the user.
After the rendezvous occurs, the state of the computer changes from Activated
(pending) to Activated in PGP Universal Server. Depending on the server’s load, the
state change might take 30 seconds to 1 minute.
Users and locate the user associated with this system.
Setting PGP RDD Policy
6
Enabling PGP RDD in a Consumer Policy
To enable PGP RDD in a consumer policy
1 Log in to the PGP Universal Server administrative interface.
2 On the Consumer Policy page, select the consumer policy for which you want to
enable PGP RDD.
3 In the PGP Desktop panel, click Desktop.
4 On the General tab, select Enable RDD with Intel Anti-Theft Technology.
5 Click Save.
Understanding the Difference Between Consumer and PGP RDD Policies
When working with PGP RDD, note that there are two types of policies that are applied
to client systems:
Consumer policies
You can apply a consumer policy to a consumer group when you create that group
or change existing policy on the Group Settings page.
PGP RDD policies
PGP RDD policies are set for each consumer group in the Edit PGP Remote
Disable & Destroy Policies page. The client receives changes to the consumer
policy as part of the PGP WDE policy download and changes to the PGP RDD
policy during a rendezvous.
Both of these policy types can be applied to the same consumer groups, but they are
defined separately in PGP Universal Server.
See About Consumer Policies (on page
See About PGP RDD Policies (on page 20).
See About PGP RDD Timers (on page 23).
See Enabling PGP RDD in a Consumer Policy (on page 19).
See Applying Consumer Policy to Consumer Groups (on page 21).
See Setting a PGP RDD Policy (on page 21).
20).
20 Setting PGP RDD Policy
Understanding the Difference Between Consumer and PGP RDD Policies
About Consumer Policies
Consumer policies are used when installing client systems and control how these client
systems behave. Policies are applied to consumers depending on their group
membership and policy group order.
The following consumer policies are available on the PGP Universal Server:
Default policy
Excluded policy
You can modify these or create specific new consumer policies to apply to your PGP
RDD clients. For example, you can create two policies for the a group, one called PGP
RDD Default policy for those clients who should be managed through PGP RDD, and
another called PGP RDD Excluded policy. You might apply the PGP RDD Excluded
policy to systems that are infrequently used or not high risk and the PGP RDD Default
policy to high-risk systems like those that are used for travel or those that contain
sensitive data.
See Understanding the Difference Between Consumer and PGP RDD Policies (on page
See About PGP RDD Policies (on page 20).
19).
About PGP RDD Policies
Note: To implement a PGP RDD policy, the client system has to be Intel Anti-Theft
capable. If it is not, it is considered to be unsupported.
In the Edit PGP Remote Disable & Destroy Policies page, after you select a consumer
group, you need to select the platform actions to be completed if the client system is
stolen or if the Disable timer is triggered. The selections you make and the values you
enter for each timer affect only the selected consumer group.
The Platform Stolen options determine what happens when you mark a computer
stolen.
Platform + Data Disable – Shutdown on next rendezvous
Platform + Data Disable – Require passphrase on next boot
If this option is selected, and the client system is stolen, when the next rendezvous
occurs, the client system is shut down.
If this option is selected, and the client system is stolen, the administrator marks
the client system as stolen in PGP Universal Server. The client system does not
immediately shut down. After a user shuts down his/her client system and
restarts, he/she is prompted for the Intel BIOS passphrase. This Intel BIOS
passphrase is the same one that a user needs to recover a stolen client system.
Note: Users can only get this passphrase from their PGP Universal Server
Administrator.
After the user enters this passphrase, the PGP BootGuard authentication with
WDRT occurs and the recovery process is complete.
Applying Consumer Policy to Consumer Groups
The Platform Disable Timer options determine what happens when the Disable Timer
expires.
Platform + Data Disable – Shutdown on timer expiration When the Disable
Timer expires, the computer shuts down.
Platform + Data Disable – Require passphrase on next boot
If this option is selected, and the client system is stolen, the administrator marks
the client system as stolen in PGP Universal Server. The client system does not
immediately shut down. When the Disable Timer expires, the next time the
computer is started, it must be unlocked with the recovery passphrase.
Note: Users can only get this passphrase from their PGP Universal Sever
Administrator.
After the user enters this passphrase, the PGP BootGuard authentication with
WDRT occurs and the recovery process is complete.
See Understanding the Difference Between Consumer and PGP RDD Policies (on page 19).
See About Consumer Policies (on page 20).
21 Setting PGP RDD Policy
Applying Consumer Policy to Consumer Groups
Use the following procedure to move specific users/groups to the PGP RDD policy.
To apply consumer policy to consumer groups
1 Log in to the PGP Universal Server administrative interface.
2 Select Consumers > Groups.
3 Click your RDD policy.
4 In Users, click View.
5 Click Add Users.
6 Type the user’s name and click Save.
7 Repeat step 6 for all the users you want to add to your RDD policy.
Setting a PGP RDD Policy
To set a PGP RDD policy
1 Log in to the PGP Universal Server administrative interface.
2 Select Services > PGP RDD.
3 Click Manage PGP RDD with Intel Anti-Theft Technology.
4 On the Configuration tab, click Policies.
22 Setting PGP RDD Policy
About the PGP RDD Rendezvous
5 Select the consumer group for which you want to set policy.
6 For each of the following policy and timer settings, make the necessary changes.
Platform Stolen. Sets what happens when you mark a computer stolen.
Choose from Platform+Data Disable - Shutdown on next rendezvous or
Platform+Data Disable - Require passphrase on next boot. The default
option is Platform+Data Disable - Shutdown on next rendezvous.
Platform Disable Timer. Sets what happens when the Disable Timer
expires. Choose from Platform+Data Disable - Shutdown on timer
expiration or Platform+Data Disable - Require passphrase on next boot.
The default option is Platform+Data Disable - Shutdown on timer
expiration.
Enable PBA Recovery. Enables stolen laptops to be unlocked using only
the Whole Disk Recovery Token at PGP BootGuard, without requiring a
hardware recovery passphrase or Server Recovery Token. This function is
not available for all Intel AT-enabled computers. It works with a pre-boot
authentication recovery feature specific to only some computers.
7 For each of the timers, specify the value, value type, and (when available), if the
timer is enabled.
8 Click Save.
The PGP RDD policy has been set for the selected consumer group.
See About PGP RDD Timers (on page
23).
About the PGP RDD Rendezvous
The communication between server and a PGP RDD-enabled client is called a
rendezvous. A successful rendezvous indicates that the client is online and in the
control of its authorized user. All state and policy changes are made during a
rendezvous.
The most common outcome of a rendezvous attempt is success. The client continues
operating normally after a successful rendezvous until its next rendezvous. The
interval between rendezvous is configured as a timer, which counts down until it
expires, triggering the next rendezvous.
A client automatically retries a missed rendezvous, for example, if the client was
powered down during a scheduled rendezvous interval. A series of timers control the
behavior of the system after a missed rendezvous. These behaviors include when to
retry the rendezvous, how long to wait after the failed rendezvous before disabling the
system, and how long after the disable timer’s expiration to wait before shutting down
the system.
See also About PGP RDD Timers (on page
See also About PGP RDD Policies (on page 20).
See also Setting a PGP RDD Timer (on page 26).
23).
Considerations When Configuring Rendezvous Intervals
Setting an interval to a period that is shorter than three days will eventually lead to a
number of clients attempting a rendezvous during a weekend when many of the
systems are offline. When those clients come online on Monday morning, they will all
retry the rendezvous. This can impact PGP Universal Server performance.
Symantec recommends that you set a rendezvous interval of seven days and stagger
your deployment to spread client rendezvous days across the work week. This sets
clients on a regular schedule that may change if vacations or other unusual
circumstances take a laptop offline for its regular rendezvous interval, but will
otherwise stay relatively consistent and avoid Monday morning load.
To prevent a large group of rendezvous from occurring at the same time of day, you can
add a random delay that triggers when the rendezvous timer expires. When a
rendezvous is overdue, the rendezvous randomization timer triggers a random value
between 0 and the maximum specified value set in PGP Universal Server. If the
rendezvous timer expires and rendezvous is unsuccessful, the client waits until the
random interval to retry the rendezvous.
For example, if a rendezvous was due at 8:30 AM on Wednesday, but the computer was
offline until 9:00 AM, the client attempts a rendezvous at 9:00 AM plus a random value
between 0 and the configured number of minutes.
About PGP RDD Timers
23 Setting PGP RDD Policy
About PGP RDD Timers
As a part of your PGP RDD policy, you specify the action to take if a client system
misses its rendezvous. A variety of timers determines when the next action is triggered
and the result on the client system after the set interval for that trigger has expired.
For each timer, you can type a number value and select an amount of time.
The following timers are available:
Timer Description
Platform Disable
Timer
Sets what happens when the
Platform+Data Disable - Shutdown on timer expiration. When
Disable Timer expires, the computer shuts down.
the
Platform+Data Disable - Require passphrase on next boot.
When the
started, it must be unlocked with the recovery passphrase.
Disable Timer expires, the next time the computer is
Disable Timer expires:
24 Setting PGP RDD Policy
About PGP RDD Timers
Timer Description
Disable Timer
Unlock Timer
Grace Timer
PBA Login Timer
This Intel AT timer is triggered when a rendezvous does not occur
during the set time interval. When the Disable Timer expires when the
computer is on, the computer moves to a Stolen state and the PGP RDD
Platform Stolen policy is executed. When the Disable Timer expires
when computer is in sleep mode, the Grace Timer starts counting down
when the computer wakes up. If a rendezvous happens before the Grace
Timer counts down to zero, the computer status synchronizes with the
computer state on the PGP Universal Server. If no rendezvous occurs
before the Grace Timer expires, the computer moves to Stolen state and
the PGP RDD
This timer is enabled by default. To disable the timer, deselect the
Enabled check box.
Specifies how much time the user can take to recover the system after it
is locked. The default value is 25 minutes. If the timer expires, the
computer shuts down and the user must start the recovery process over.
For example, if this timer is set to 30 minutes, the user has 30 minutes to
get the Intel recovery token from the administrator and enter it before
the computer shuts down again.
You cannot disable the Unlock Timer.
This Intel AT timer is dependent on the Disable timer. If the Disable
timer is triggered and then expires during a sleep or hibernation state,
when the computer resumes, the Grace timer starts.
Note: If the computer is in an On state and the Disable timer expires, the
computer shuts down immediately.
Following is an example of the Grace timer's usefulness: A computer
misses its rendezvous and the Disable timer is triggered, beginning its
count down. If the computer goes into a sleep or hibernation state and
the Disable timer expires, when the computer resumes, the user has a
grace period defined by the Grace timer, to authenticate and save their
work, prior to the computer shutting down.
The default value is 25 minutes.
You cannot disable the Grace Timer.
(Pre-boot authentication timer) This Intel AT timer is supported only by
some Panasonic systems, such as Toughbooks and Let's Note CF models.
You enable this recovery option by selecting the
Recovery
option is enabled, during the recovery of a stolen system the Intel BIOS
screen does not appear; only the PGP BootGuard screen appears.
During the recovery of a stolen machine, the Intel BIOs page does not
appear, and only the PGP BootGuard page appears. When the PBA
recovery option is enabled, the PBA timer value is the maximum time
that a user has to authenticate at the BootGuard page. If the user fails to
authenticate in the time allowed for PBA logon, the computer is shut
down.
check box on the PGP RDD Policies page. When this
Platform Stolen policy is executed.
Enable PBA
Timer Description
Rendezvous Timer
Kill Timer
Rendezvous
Randomization
Rendezvous Retry
Interval
Specifies how often the Intel Anti-Theft-activated computer must
contact PGP Universal Server. The default value is 1 day (86400 sec).
If a rendezvous is missed or fails, the
the computer cannot complete a rendezvous before the
expires, the
be locked.
On a computer with multiple users, if each user has a different
rendezvous timer value, the shortest timer value applies.
You cannot disable the rendezvous timer because the computer must be
able to contact PGP Universal Server for PGP RDD policy updates.
This timer is similar to the Grace Timer but is only triggered when the
computer is marked as
in shutting the computer down, but unlike the Grace Timer--which can
be set in seconds, minutes, hours, days, or months--the Kill Timer can
only be set in seconds, with a value range of zero or 10-300 seconds (or
the equivalent time in minutes).
The default is 0 seconds.
When a rendezvous is overdue, this timer triggers a random value
between 0 and the maximum value set in PGP Universal Server. If there
is still no successful rendezvous, because the network cable is not
connected, the retry interval is triggered.
For example, if a rendezvous was due at 8:30 am on Monday, but the
computer was only powered on at 9 am. This means that a rendezvous is
overdue on Monday morning. Instead of attempting a rendezvous at 9
am, the computer attempts a rendezvous at 9 am plus a random value
between 0-240 minutes.
The default is 7200 seconds (2 hours).
This timer is triggered when the rendezvous is overdue, because the
network cable was not connected. For example, if this interval is set to 45
seconds, the client computer will attempt a rendezvous every 45 seconds
until it is successful.
The default is 3 minutes (180 seconds).
Platform Disable Policy is applied and the computer may
About PGP RDD Timers
25 Setting PGP RDD Policy
Disable Timer starts running. If
Disable Timer
Stolen in PGP Universal Server. There is a delay
See Setting a PGP RDD Timer (on page 26).
Considerations When Setting Your PGP RDD and Consumer Policies
If there are multiple users for a client machine, it is important that all users belong to
the same consumer group and receive the same consumer policy and the same PGP
RDD policy. Having different PGP RDD policies applied to the same client machine can
cause problems, especially if not all the users have PGP RDD enabled by policy. If each
user's PGP RDD policy is different, the PGP RDD policy with the shortest rendezvous
timer value applies, whether that user is logged in and is using the system.
26 Setting PGP RDD Policy
Setting a PGP RDD Timer
Setting a PGP RDD Timer
To set a PGP RDD timer
1 Log in to the administrative interface.
2 Select Services > PGP RDD.
3 Click Manage PGP RDD with Intel Anti-Theft Technology.
4 Select Configuration > Policies.
5 In Consumer Group, select RDD.
The timers are valid for all policies, but you must select RDD to apply the timers
for the users in your RDD policy group.
6 In the Timers panel, enter values and select the appropriate value types.
7 Click Save.
7
About Decommissioning a Computer
Decommissioning a computer is the process of deactivating Intel AT, but the disk is still
encrypted. When necessary the administrator can decrypt it, reimage it, activate it, and
encrypt the disk for a new user. This option removes the computer from active use but
still protects the data. Decommissioned computers are listed on the RDD Systems >
Deactivated page as AT Deactivated and they are no longer protected by Intel
Anti-Theft.
A PGP RDD-enabled client system can be decommissioned, for example, when an
employee leaves the company, so that a license can be reused, and so that it can be
stored with the secured data. If the client system is decommissioned, then it can be
redeployed to another user either as a PGP RDD-enabled client system or a non PGP
RDD system. You can also decommission a computer if your organization plans to
donate or sell the computers to someone who will not have access to PGP Universal
Server.
For more information on repurposing a decommissioned computer, see Recovering a
Decommissioned Client System (on page
Note: The only way to access a decommissioned computer is by using the Whole Disk
Recovery Token (WDRT). The user passphrase no longer works.
After the computer is decommissioned, the license seat for that system can be reused.
27).
Recovering a Decommissioned Client System
A decommissioned client system can be reimaged or reinstalled and distributed to a
new user. This procedure is completed by the administrator on the PGP Universal
Server. To recover the computer, the administrator must have the decommissioned
computer in his/her possession.
To recover a decommissioned client system
To recover a system using the user name, on PGP Universal Server:
1 Select Consumers > Users and locate the user associated with this system.
2 Expand the Whole Disk Encryption panel to locate the client system.
3 Click on the system's WDRT icon for the WDRT string.
To recover a system when a user has more than one system or to verify this system's
state, on PGP Universal Server:
1 On the RDD list screen, locate the computer/user pair where the system has a
Decommissioned state.
2 Select Consumers > Users and locate the user associated with this system.
3 Expand the Whole Disk Encryption panel to locate the client system.
4 Click on the system's WDRT icon for the WDRT string.
28 About Decommissioning a Computer
About Decommissioned Computers
On the decommissioned client system:
1 Power on the system.
2 At the PGP BootGuard authentication screen, to switch from the user
name/passphrase prompts to the WDRT prompt, press F4.
Note: After the client system is marked as Decommissioned, PGP BootGuard
authentication and decryption work only if you use WDRT.
3 Type the WDRT string and press Enter.
4 Open PGP Desktop and decrypt the system using WDRT.
About Decommissioned Computers
Decommissioning a computer is the process of deactivating Intel AT, but leaving the
disk encrypted. When necessary, the administrator can decrypt it, reimage it, activate
it, and encrypt the disk for a new user.
A PGP RDD-enabled client system can be decommissioned, for example, when an
employee leaves the company, so that a license can be reused, and so that it can be
stored with secured data. If the client system is decommissioned, then it can be
redeployed to another user either as a PGP RDD-enabled client system or a non PGP
RDD system.
Decommissioning a PGP RDD-Enabled Client System
When you decommission a client system, no more rendezvous timers are triggered. The
client system is deactivated but is still encrypted.
To decommission a client system
1 Log into the administrative interface.
2 Select Services > PGP RDD.
3 Click Manage PGP RDD with Intel Anti-Theft Technology.
4 In All Systems, in the drop-down menu next to the decommissioned computer,
select Decommissioned and click Save.
After a successful rendezvous, Intel AT deactivates the client system. The status
changes from Decommissioned (pending) to Decommissioned.
8
About AT Deactivated Client Systems
Deactivating a client system automatically triggers decryption; therefore, deactivated
computers have both a status of AT Deactivated and are decrypted. Computers that do
not support Intel Anti-Theft and do not have PGP RDD-enabled consumer policies are
also listed as AT Deactivated. Deactivated computers are both decrypted and no longer
protected by Intel Anti-Theft.
There are two ways to deactivate a computer.
Change the computer's consumer policy to one where PGP RDD is disabled, and
disk encryption is not required. Decrypt the computer. Completing decryption
triggers Intel AT deactivation. For this process to successfully deactivate the
computer, PGP Tray must be running and the computer must be able to contact
PGP Universal Server.
Disable Intel AT by changing the status to Decommissioned, and then decrypt it.
Client computers cannot be decrypted while Intel Anti-Theft is still activated, if
PGP RDD is still required by policy.
After the computer is deactivated, the license seat for that system can be reused.
Warning: You cannot delete users with Intel Anti-Theft-activated computers from the
Users list, nor activated computers from the Devices list. When you delete users, all
user records are lost. The next time the computer tries to rendezvous with PGP
Universal Server, authentication fails and the computer locks. You will not be able to
recover the laptop without the PGP RDD recovery passphrase, which is also deleted
with the user records, unless you previously exported it. Before you delete an AT
Activated user or device, you must deactivate and decrypt the computer.
After the Administrator moves a user from an RDD-enabled policy group to an RDD
disabled group policy, the user can:
Update the policy on the client system.
Decrypt the computer (if the PGP Universal Server policy allows the user to
decrypt the disk).
Deactivating a Client System
Before you begin, the PGP RDD-enabled client must be available and can communicate
with the PGP Universal Server.
To deactivate a PGP RDD-enabled client system
1 Log in to your PGP Universal Server administrative interface.
2 Apply the new policy.
This moves the user from a policy group that is PGP RDD-enabled to one that is
not.
30 About AT Deactivated Client Systems
Deactivating a Client System
Once the new policy has been applied, the system has been deactivated. If the PGP
Universal Server policy allows, the user can then decrypt the disk.
Working with PGP RDD Administrator Roles
9
The PGP Universal Server administrator can assume several different roles, depending
on the tasks that each administrator should perform. The roles for a PGP RDD
administrator are the same as those for a PGP Universal Server Administrator, with the
addition of several PGP RDD-specific tasks.
See About PGP RDD Administrator Roles (on page
See Assigning Roles (on page 31).
About PGP RDD Administrator Roles
In addition to the tasks the Basic Administrator can perform, the RDD Administrator
can:
Access the PGP RDD Administration screens.
Access and read PGP RDD recovery passphrases.
Control and configure services, including the Intel Anti-Theft Technology Services
Port.
Configure system settings, including uploading the PGP RDD license and
activation file.
Manage PGP RDD policies, such as the timers.
For more information on the tasks the Basic Administrator can perform, refer to the
PGP Universal Server Administrator's Guide.
See also Assigning Roles (on page
31).
31).
Assigning Roles
Each PGP RDD administrator can be assigned to a role. That administrator can perform
tasks that are associated only with that role.
To assign roles
1 Log in to your PGP Universal Server administrative interface.
2 Select System > Administrators.
3 Do one of the following:
To change an existing administrator's role, select the administrator's name
in the list displayed. Select the new role and click Save.
32 Working with PGP RDD Administrator Roles
Assigning Roles
To add a new administrator, click Add Administrator. Enter the
administrator's login name and other information, select the administrator's
role, and click Save.
See About PGP RDD Administrator Roles (on page
31).
Loading...