egress switch client deployment guide...

www.egress.com ©2007-2013 Egress Software Technologies Ltd

Egress Switch Client Deployment Guide

V4.x

Egress Software Technologies Ltd

Table of Contents System Requirements ................................................................................. 4

Deployment Process ................................................................................... 4

Computer & User Based Policy Application ................................................ 4

Computer Based Policies ADMX ............................................................ 5

User Based Policies ADMX .................................................................... 8

Deploying Switch Client via Group Policy ................................................... 12

Switch Support Center .............................................................................. 17

Useful Contact Information: ...................................................................... 18


Introduction Egress Switch is a simple to use data security solution that allows an information owner to package their sensitive information on any type of media (file attachment to email, CD/DVD, USB stick or drive, FTP site, cloud storage, etc.). The secured information, once packaged can be sent to a recipient either electronically (e.g. email, web, FTP/HTTP etc) or physically (e.g. in-person, mail, etc). The owner can specify security policies independent of the package through a web-based system. Egress Switch also provides an extensive audit trail showing who, where and when information has been accessed as well as unauthorised access attempts. This real time identity based protection enables businesses to extend their visibility over what actually happens to corporate information, while offering the ability to instantly revoke data that is mishandled or suspected lost/stolen. How it Works


System Requirements The product requires the following:

✓Microsoft Windows 2003, XP, Vista or 7 operating systems (32/64 bit)

✓Microsoft .NET 2.0 SP1 Runtime Libraries.

✓Microsoft Outlook 2003/2007/2010 (not required)

✓Latest OS Service Packs and patches are recommended.

✓Up to date anti-virus software

✓Internet Connection

The installation does not require you to reboot your workstation. Once the installation has completed Egress Switch is ready to use.

Deployment Process The Egress Switch client for MS Windows is designed to be deployed silently across an organization. The client is supplied as a standard MSI and various policy driven features are available to remotely configure the end user experience. This guide summarises applying both computer and user based policies via Active Directory Group Policy and the deployment of the client software. You can also deploy the client software via any existing software deployment application including MS SCCM however these are not covered in this guide.

Computer & User Based Policy Application When deploying Egress Switch client across a network there is a requirement to apply both computer based and user based policies to control the Switch Client settings. The sections below cover example policies only. Egress supply 2 types of Active Directory policy templates, please request the latest versions from your Egress Software Technical Account Manager:

• ADM Templates – Use ADM templates for Windows 2003 Domain environments or 2008 in classic template mode

• ADMX Templates – Use ADMX templates for Windows 2008 & 2012 Domain environments


This document covers the use of ADMX templates on a Windows 2008 Server only.

Computer Based Policies ADMX Computer based policies can be applied to the Egress Switch client software where changes are required irrespective of the user that logs on. The section below summarises the use of the Egress_Switch_Gateway ADMX files for centrally deploying Switch Gateway settings. For further information about the Switch Gateway please see http://www.egress.com/gateway-encryption/ To configure the Switch Client to integrate with a Switch Gateway infrastructure please using Active Directory Group Policy complete the following steps:

1. Locate the Egress_Switch_Gateway_32-64bit.ADMX and associated Egress_Switch_Gateway_32-64bit.ADML files

2. Copy the ADMX file to your Policy Definitions folder on the domain controller (Default: C:\Windows\PolicyDefinitions)

3. Copy the ADML file to your policy definitions language folder on the domain controller (Default: C:\Windows\PolicyDefinitions\en-US)

4. Open ‘Group Policy Management’ and select a relevant OU(s) where your desktop PC and laptops are stored.

5. The group policy settings should be applied to an OU/Group that holds

all computers that will have the Switch Client deployed to. It is


recommended that these settings are applied prior to deploying the Switch Client (Note: There will be no problem with applying these setting to computers that will not have the Switch Client installed). Select an appropriate OU and either select ‘Create a GPO in this domain, and link it here…’ or if applying to an existing GPO ‘Link an Existing GPO…

6. Right click and select ‘Edit’ on the new GPO

7. Expand ‘Computer Configuration > Policies > Administrative Templates’ and select ‘Egress_Switch_Settings’:


8. There are 3 settings that can be configured via group policy with different versions for 32 and 64bit computers. To apply a setting click the option and select ‘Enabled’, select or enter the setting and click ‘Ok’ to apply the settings. The following settings can be applied: Force Gateway Mode: This option can only be used in conjunction with ‘Switch Gateway Server Address’ and will enable client processing of messages but never use local encryption. When policy flags that a message should be encrypted in Force Gateway Mode a header will be added to the email with details of the encryption policies to be applied by Switch Gateway. The options available are: 0: Force Gateway Mode is disabled 1: Force Gateway Mode is enabled and all emails and file exchange processes will be scanned 2: Force Gateway Mode is enabled but for email only Switch Gateway Server Address: The Switch Gateway Server address enables Gateway mode within the client software. This means that encryption will no longer take place locally (default) and messages will be tagged for encryption by the Switch Gateway. Enable this option and enter the server name/ip address of your Switch Gateway infrastructure. Switch Gateway Size Key: By default if Switch Gateway mode is


enabled and Force Gateway Mode is not enabled the client processing engine will never run. It may be desirable to in certain configurations to run the client processing engine if an email message is greater than a certain size. For example if you have a rule that will upload attachments >10MB to a cloud location it would be desirable to only enable the client processing engine for emails greater than 10MB in size. Select Enable and enter the required size in KB.

User Based Policies ADMX User based policies are important for distributing policies based on the user that logs on. By default the Egress Switch client will show for all users including features like the Outlook Addin and system tray. There may however be a requirement to show or hide the Switch client based on user group membership. This functionality is particularly important in hotdesk environments and terminal services such as Citrix or Vmware where multiple users share the same environment. To configure the Switch Client to integrate with user based policies using Active Directory Group Policy complete the following steps:

1. Locate the Egress_Switch_User_Settings.ADMX and associated Egress_Switch_User_Settings.ADML file

2. Copy the ADMX file to your Policy Definitions folder on the domain controller (Default: C:\Windows\PolicyDefinitions)

3. Copy the ADML file to your policy definitions language folder on the domain controller (Default: C:\Windows\PolicyDefinitions\en-US)

Configuring User Policy to hide components

The recommended way to apply Switch User based settings is to set a policy to hide all components at the root domain level and then create additional OU’s/Group where features will be enabled:

1. Open ‘Group Policy Management’ and select a relevant OU where all users will live, this could be the root domain level:


2. The Group Policy settings should be applied to the top level group prior to deploying the Switch Client software. (Note: There will be no problem with applying these setting to users that will not have the Switch Client installed). Select an appropriate OU and either select ‘Create a GPO in this domain, and link it here…’ or if applying to an existing GPO ‘Link an Existing GPO…

3. Right click and select ‘Edit’ on the new GPO


4. Expand ‘User Configuration > Policies > Administrative Templates’ and select ‘Egress_Switch_Settings’:


5. There are 5 settings that can be configured Email_Enforcement: Configure whether a user is required to sign in to Switch before permitted to send an email from MS Outlook. The options available are: Force: The user will be required to sign into the Switch client before they can send any email. Prompt: The user will be asked to sign in to the Switch client each time they send a new email however will be permitted to click skip. Hide: The user will never be forced to sign in to the Switch Client when creating a new email Email_Verification_Checks: Enable this option to verify that the signed in Switch ID and senders email address match. Use this option with caution if sending from shared mailboxes is required. Hide_System_Tray: Enable this option to hide the Egress Switch system tray icon and menu. Outlook_Addin_Settings: Select this option to hide the Egress Switch Outlook Addin for new email messages. Welcome Screen: The Egress Switch Welcome screen can be hidden by the user on first access however it may be desirable to hide as part of the deployment. It is recommended that all options are hidden/disabled at the domain root level and enabled for specific user groups as detailed below.

Configuring User Policy to show components

To enable Switch Client features for the required users create appropriate OU’s/Groups and follow the steps above but enable the relevant components.


Deploying Switch Client via Group Policy The Switch Client for MS Windows is supplied as an msi which enables it to be deployed silently via any software deployment application including Active Directory Group Policy. You can download the latest MSI from http://www.egress.com/switch-client-apps/. This section covers silent deployment of the Switch Client software via Group Policy without any pre-configuration:

1) Create a network share with appropriate user permissions and copy EgressSwitch4.0.msi and any supplied transform files

2) Open Group Policy Management and select the OU you wish to apply the Switch Client to:

3) Select to ‘Create a GPO in this domain, and link it here…’ or ‘Link an

Existing GPO’:


4) Select Edit and navigate to ‘Computer Configuration > Policies > Software Settings > Software Installation’:

5) Right click and select ‘New > Package’ and browse the location of the MSI using UNC paths:


6) Select ‘Advanced’ and ‘OK’:

7) The Egress Switch Client summary window will be displayed:


8) Navigate to the ‘Deployment’ tab and select ‘Uninstall this application when it falls out of the scope of management’:


9) If you have been issued with or have created a specific transform file select the Modifications tab to add the transform file. Click OK to complete the process

Important Note: With any Switch Client deployment it is recommend that thorough testing is performed on a selected population of users and computers prior to organisation wide deployment.


Switch Support Center Should you encounter any problems with Egress Switch please visit the Egress Software Technologies Ltd Support Center www.egress.com/support.


Useful Contact Information: Egress Main Switchboard:

Egress Fax:

Egress Website Address:

Egress Sales:

Account Services:

Support:

Follow Egress Online:


Useful Contact Information:

Egress Main Switchboard: +44 (0)207 +44 (0)207 624 8200

Egress Website Address: http://www.egress.com [email protected] [email protected] [email protected] Twitter Facebook LinkedIn Egress Blog

+44 (0)207 624 8500

+44 (0)207 624 8200

http://www.egress.com

[email protected]

[email protected]

[email protected]

Egress Blog

egress switch client deployment guide...

Documents