Symantec Endpoint Encryption Device Control Installation Guide Version 8.2.0


Post on 30-Dec-2019


Symantec Endpoint Encryption Device Control

Installation Guide Version 8.2.0

Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. GuardianEdge is either a trademark or registered trademark of GuardianEdge Technologies Inc. (now part of Symantec). Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 “Commercial Computer Software - Restricted Rights” and DFARS 227.7202, et seq. “Commercial Computer Software and Commercial Computer Software Documentation”, as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com

Contents

Chapter 1 Introducing Symantec Endpoint Encryption Device Control
    About Symantec Endpoint Encryption Device Control
    Components of Device Control

Chapter 2 Planning for the installation
    Preparing for installation
    System requirements
        Required Ports
        Directory server requirements
        Device Control Management Server requirements
        Database server requirements
        Shadow repository requirements
        Manager computer requirements
        Client computer requirements
    About enabling Internet Information Services (IIS)
        Enabling IIS on Windows Server 2003
        Enabling IIS on Windows Server 2008
        Enabling Distributed Component Object Model (DCOM)
    Disabling User Access Control (UAC)
    Enabling Desktop Experience
    About the Windows Management Instrumentation (WMI) protocol

Chapter 3 Installing the Management Server
    Installing the Management Server software for the first time
    Post-installation tasks
        Changing the default client uninstall password
        About changing the Active Directory group membership to one with appropriate permissions
    About Device Control system-generated encryption keys
    Restoring a previous installation of the Management Server
    Upgrading to a new release of Device Control
        Upgrading a system with an embedded database
        Upgrading a system with an external database
        Restoring log files from an embedded database
    Uninstalling the Management Server software

Chapter 4 Installing the Device Control Management Console
    About the Management Console
    Installing the Management Console on another computer
    Starting the Management Console for the first time
    Uninstalling the Management Console
    Upgrading the Management Console

Chapter 5 Installing the Device Control client
    Considerations before you install the client files
    Creating client installation files
        Defining the restart method during client installation
    About deploying the client package
        Deploying the client using a third-party tool
        Deploying the client using Active Directory Group Policy Management
        Deploying the client manually
    About upgrading the client software
    About uninstalling the client software
        Uninstalling client software manually
        Uninstalling clients with an Active Directory GPO
        Using the Client Cleanup utility to correct client uninstall problems

Appendix A Interoperating with Cisco Network Access Control
    About Cisco Network Access Control (NAC)
    Interoperability attributes of Device Control clients
    About configuring a posture validation policy
    About the Attribute-Value Pairs (AVP) file

Index

Chapter 1

Introducing Symantec Endpoint Encryption Device Control

This chapter includes the following topics:

■ About Symantec Endpoint Encryption Device Control

■ Components of Device Control

About Symantec Endpoint Encryption Device Control

Symantec Endpoint Encryption Device Control enables you to control and monitor the data transferred by physical ports, wireless ports, and devices in your network. Use Device Control to block hardware key loggers, U3 smart drives, and hybrid network bridging. Highly granular policies enable you to control and monitor data transfer without affecting your users’ productivity. In addition, Device Control offers the convenience of direct integration with Active Directory and Novell eDirectory.

Comprehensive logging and reporting tools aid forensics, satisfy auditors, and allow identification of unprotected computers. Device Control verifies that the proper controls are in place, and provides details about how employees use their systems.

See also “Components of Device Control” on page 1.

Components of Device Control

Table 1-1 lists the product's components and describes their functions.

Table 1-1 Device Control system components

Component: Device Control Management Server

Description: The Device Control Management Server does the following:

■ Serves as both a web and an application server.

■ Stores data in and obtains data from the Device Control database.

■ Collects logs from clients, allows direct management of endpoints, and optionally synchronizes with one or more directory servers.

Deploy policies directly from the Device Control Management Server or from the directory server.

For load balancing, high availability, and redundancy during client communications, deploy multiple Management Servers.

Component: Directory server (optional)

Description: The directory server provides the directory service structure to the Device Control Management Server upon request.

Deploy policies from the directory server, or from the Device Control Management Server.

Use an Active Directory domain controller, a Novell directory server, or both.

Component: Database server

Description: Hosts the Device Control database.

Locate the Device Control database on a server that is not the Device Control Management Server.

Previous versions of Device Control offered the option to create a MySQL database embedded within the Management Server. As of version 8.0.0, only external Microsoft SQL Server databases are supported.

Component: Manager computer running Management Console software (optional)

Description: Manager computers are any systems or servers on which the Management Console is installed. The Management Console enables administrators to manage clients, view logs, define policies, monitor usage, and administer the system.

The Management Console is automatically installed on the Device Control Management Server. It can be installed on any number of additional computers for the convenience of administrators.

Component: Auditor computer (optional)

Description: The Auditor computer runs the Device Control Auditor software.

Device Control Auditor scans your network to gather a comprehensive list of all devices that have connected to the endpoints in your network.

Use scan results for reporting purposes and to prepare initial whitelists for Device Control deployments.

Component: Mail server (optional)

Description: Used by the Device Control Management Server to relay email alerts to recipients.

Component: Network Management server (optional)

Description: Receives Simple Network Management Protocol (SNMP) traps from the Device Control Management Server.

Component: Client computer

Description: Install the Device Control client software on all the endpoint computers in your network. The client software enforces policy, logs activities, and issues alerts. It blocks unauthorized activities, alerts administrators about unauthorized use attempts for file types, and logs events for future viewing and analysis.

See “System requirements” on page 6.

Figure 1-1 shows a sample network configuration.

Figure 1-1 Sample Network Configuration

[Figure not reproduced. Labeled elements: Auditor Computer, Database Server, Clients, Device Control Management Servers, Manager Computers, Email Server, Directory Server, Network Management Server. Connection labels: LDAP, SNMP, HTTPS, SMTP, TDS.]

See “Preparing for installation” on page 5.

See “System requirements” on page 6.

Chapter 2

Planning for the installation

This chapter includes the following topics:

■ Preparing for installation

■ System requirements

Preparing for installation

Table 2-1 describes the tasks you must perform to install Device Control.

Table 2-1 Preparing for installation

Step 1: Verify that your environment meets the minimum requirements that are listed.
See “System requirements” on page 6.

Step 2: Make sure that you have opened the necessary ports on your network, including the WMI ports.
See “Required Ports” on page 6.

Step 3: Set up communication between the Management Server and the client computers.
See “About the Windows Management Instrumentation (WMI) protocol” on page 13.

Step 4: Place the servers in the right domain.
■ To use Active Directory to distribute policies, make sure that the Management Server computer belongs to a domain that receives Device Control policies.
■ You may want to locate the Device Control Management Server within the domain that receives most of your policies.

Step 5: Configure the firewall on the clients.
See “About the Windows Management Instrumentation (WMI) protocol” on page 13.

Step 6: Verify that both the IIS Admin service and the HTTP SSL service are started and are set to start automatically.
See “Enabling IIS on Windows Server 2003” on page 11.
See “Enabling IIS on Windows Server 2008” on page 11.

Step 7: The Device Control Management Server requires DCOM. Enable DCOM on the server.
See “Enabling Distributed Component Object Model (DCOM)” on page 12.

Step 8: UAC must be disabled for Device Control to function properly. Disable UAC on the Management Server.
See “Disabling User Access Control (UAC)” on page 12.

Step 9: To use a shadow repository to store and view user data, you must enable Desktop Experience on the Management Server.
See “Shadow repository requirements” on page 10.
See “Enabling Desktop Experience” on page 13.

Step 10: Ensure that your database instance is installed and accessible. Refer to the database vendor documentation for more information.

System requirements

Before you begin the installation of any Device Control components, review the system requirements and the installation requirements. Confirm the computers that you plan to use meet the requirements and are configured for communication between the Device Control system components.

Symantec software requires specific protocols, operating systems and service packs, software, and hardware. All computers on which you install Symantec software should meet or exceed the recommended system requirements for the computer’s operating system.

■ See “Required Ports” on page 6.

■ See “Directory server requirements” on page 7.

■ See “Device Control Management Server requirements” on page 7.

■ See “Database server requirements” on page 9.

■ See “Shadow repository requirements” on page 10.

■ See “Manager computer requirements” on page 10.

■ See “Client computer requirements” on page 11.

Required Ports

The following ports are used for communication between Device Control system components. Notify your network staff of the ports you intend to use.

If your clients run firewall software, you must open those ports so that communication between the management server and clients is possible.

Note that WMI ports must be opened on the client.
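The following pre-installation check is an added example, not part of the Symantec guide: it tests TCP reachability of the default ports that Table 2-2 lists (443, 4443, 389, and 135) from the computer role that uses each one. The host names are placeholders, the `Role` parameter is hypothetical, and the check assumes the configurable ports were left at their defaults; the random ports that follow 135 are not tested.

```powershell
# Added example (not from the guide): check that the default TCP ports in
# Table 2-2 accept connections before you install Device Control.
# Run it on the computer whose role you pass in -Role.
# Written for PowerShell 2.0, so it does not rely on Test-NetConnection.
param(
    [ValidateSet('Client', 'Manager', 'ManagementServer')]
    [string]$Role = 'ManagementServer'   # hypothetical parameter name
)

function Test-TcpPort {
    param(
        [string]$ComputerName,
        [int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false            # timed out: filtered or host unreachable
        }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    }
    catch {
        return $false
    }
    finally {
        $client.Close()
    }
}

# Placeholder host names (assumptions); replace with your own systems.
$mgmtServer = 'dc-mgmt.example.test'
$directory  = 'directory.example.test'
$sampleNode = 'client01.example.test'

# From = role that opens the connection; ports are the defaults in Table 2-2.
$checks = @(
    @{ From = 'Client';           Target = $mgmtServer; Port = 443
       Purpose = 'HTTPS (IIS): communication with client computers' },
    @{ From = 'Manager';          Target = $mgmtServer; Port = 4443
       Purpose = 'HTTPS (IIS): communication with Manager computers' },
    @{ From = 'ManagementServer'; Target = $directory;  Port = 389
       Purpose = 'LDAP: directory server' },
    @{ From = 'ManagementServer'; Target = $sampleNode; Port = 135
       Purpose = 'Port 135 listed for WMI client management' }
)

$results = foreach ($c in ($checks | Where-Object { $_.From -eq $Role })) {
    New-Object PSObject -Property @{
        Target    = $c.Target
        Port      = $c.Port
        Purpose   = $c.Purpose
        Reachable = Test-TcpPort -ComputerName $c.Target -Port $c.Port
    }
}

$results | Select-Object Target, Port, Reachable, Purpose | Format-Table -AutoSize
```

A row with `Reachable` set to `False` means a firewall or a stopped service is blocking that port between the two computers; resolve it before you run the installer.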

Table 2-2 Ports for client and server communication

| Computer | Port(s) | Protocol | Used by | Function |
|---|---|---|---|---|
| Device Control Management Server | Configurable. 443 by default. | HTTPS | Internet Information Services (IIS) | Communication with client computers. |
| Device Control Management Server | Configurable. 4443 by default. | HTTPS | Internet Information Services (IIS) | Communication with Manager Computer(s). |
| Device Control Management Server | Random ports between 1024 and 65535 | HTTPS | .NET Remoting | Communication with Active Directory domain controller. |
| Directory Server | 389 | LDAP | Device Control Management Server | Communication with Novell directory server. |
| Client computers | 135 plus a random series | SNMP | Windows Management Instrumentation (WMI) | Client management from Device Control Management Server. Auditor queries. |
| Client computers | 135 plus a random series | SNMP | SetupAPI | Auditor queries. |
| Network Management Server | Configurable. | SNMP | Device Control Management Server | To receive SNMP traps from Device Control Management Server. |
| Database server | Specified in Microsoft SQL Server. | TDS | Device Control Management Server | Communication with Device Control Management Server. |
| Mail server | Configurable. | SMTP | Device Control Management Server | Used with Device Control Management Server to provide email alerts. |

Directory server requirements

Table 2-3 lists the minimum directory server system requirements.

Table 2-3 Directory server requirements

Directory server: Active Directory server

Server requirements:
Domain functional level of Windows 2000 native or higher.
Forest functional level of Windows 2000 or higher.

Directory server: Novell eDirectory Directory server

Server requirements:
Novell eDirectory 8.7, 8.7.3, 8.8, and 8.8.5.
Or
NetWare 6.5, 6.5 SP6, 6.5 SP7, and 6.5 SP8.

Client requirements:
Novell Client 4.91 SP3, SP4, or SP5.
One of the following versions of ZENworks Desktop Management software.
■ ZENworks 6.5 Desktop Management
■ ZENworks 6.5 SP1 Desktop Management
■ ZENworks 6.5 SP1 IR1 Desktop Management
■ ZENworks 7 Desktop Management
■ ZENworks 7 SP1 Desktop Management

Device Control Management Server requirements

Do not install the Device Control Management Server on a domain controller. Symantec recommends that you install the Management Server software on a dedicated computer.

Note: Do not enable System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing on the server.

Table 2-4 Management Server system requirements

Number of clients: 1 - 1000

Hardware:
3-GHz processor
2 GB RAM
72 GB free disk space
SCSI or SATA

Software:
Windows Server 2008 (User Access Control cannot be enabled):
■ Windows Server 2008 Standard, Standard x64, Enterprise, or Enterprise x64 Edition (SP1 or SP2)
■ Windows Server 2008 R2 Standard, R2 Standard x64, R2 Enterprise, or R2 Enterprise x64 Edition (SP1)
Windows Server 2003 (32-bit only):
■ Windows Server 2003 Standard or Enterprise, R2 Standard or R2 Enterprise Edition (SP2)
The following software must also be installed on the server:
■ Microsoft Internet Information Services (IIS)
■ .NET Framework 2.0

Number of clients: 1,001 - 10,000

Hardware:
2–4 3.4 GHz dual Xeon processors
4–8 GB RAM
2 RAID 1 drives (SATA or SCSI), each with 72 GB of free space

Software:
Windows Server 2008 (User Access Control cannot be enabled):
■ Windows Server 2008 Enterprise, or Enterprise x64 Edition (SP1 or SP2)
■ Windows Server 2008 R2 Enterprise, or R2 Enterprise x64 Edition (SP1)
Windows Server 2003 (32-bit only):
■ Windows Server 2003 Enterprise, R2 Standard or R2 Enterprise Edition (SP2)
The following software must also be installed on the server:
■ Microsoft Internet Information Services (IIS)
■ .NET Framework 2.0

Number of clients: 10,001 - 50,000

Hardware:
4–8 3.4 GHz dual Xeon processors
8–16 GB RAM
2 RAID 1 drives (SCSI only), each with 144 GB of free space

Software:
Windows Server 2008 (User Access Control cannot be enabled):
■ Windows Server 2008 Enterprise, or Enterprise x64 Edition (SP1 or SP2)
■ Windows Server 2008 R2 Enterprise, or R2 Enterprise x64 Edition (SP1)
Windows Server 2003 (32-bit only):
■ Windows Server 2003 Enterprise, R2 Standard or R2 Enterprise Edition (SP2)
The following software must also be installed on the server:
■ Microsoft Internet Information Services (IIS)
■ .NET Framework 2.0

Number of clients: 50,001 - 100,000

Hardware:
8 3.4 GHz dual Xeon processors
16 GB RAM
5 RAID 5 drives (SCSI only), each with 144 GB of free space

Software:
Windows Server 2008 (User Access Control cannot be enabled):
■ Windows Server 2008 Enterprise, or Enterprise x64 Edition (SP1 or SP2)
■ Windows Server 2008 R2 Enterprise, or R2 Enterprise x64 Edition (SP1)
Windows Server 2003 (32-bit only):
■ Windows Server 2003 Enterprise, R2 Standard or R2 Enterprise Edition (SP2)
The following software must also be installed on the server:
■ Microsoft Internet Information Services (IIS)
■ .NET Framework 2.0

Number of clients: 100,001 + Clients

Contact Symantec support for specific recommendations.

Database server requirements

Do not install the Device Control database on the Device Control Management Server.

Table 2-5 Database server system requirements

Number of clients: 1-1000

Hardware:
3-GHz processor
2 GB RAM
144 GB free disk space
SATA or SCSI

Operating system and additional software:
Windows Server 2008:
■ Windows Server 2008 Standard, Standard x64, Enterprise, or Enterprise x64 Edition (SP1 or SP2)
■ Windows Server 2008 R2 Standard, R2 Standard x64, R2 Enterprise, or R2 Enterprise x64 Edition (SP1)
Windows Server 2003 (32-bit only):
■ Windows Server 2003 Standard or Enterprise, R2 Standard or R2 Enterprise Edition (SP2)
The following software must also be installed on the server:
■ .NET Framework 2.0

Database software:
Microsoft SQL Server 2008 Express, Standard, or Enterprise Edition
Microsoft SQL Server 2005 Express, Standard, or Enterprise Edition (32-bit only) (SP3)

Number of clients: 1001 - 10,000

Hardware:
2 3.4 GHz dual Xeon processors
4 GB RAM
2 RAID 1 drives (SATA or SCSI), each with 72 GB of free space for system files and logs
3 RAID 5 drives (SCSI only), each with 144 GB of free space for data files

Operating system and additional software:
Windows Server 2008:
■ Windows Server 2008 Standard, Standard x64, Enterprise, or Enterprise x64 Edition (SP1 or SP2)
■ Windows Server 2008 R2 Standard, R2 Standard x64, R2 Enterprise, or R2 Enterprise x64 Edition (SP1)
Windows Server 2003 (32-bit only):
■ Windows Server 2003 Standard or Enterprise, R2 Standard or R2 Enterprise Edition (SP2)
The following software must also be installed on the server:
■ .NET Framework 2.0

Database software:
Microsoft SQL Server 2008 Standard or Enterprise Edition
Microsoft SQL Server 2005 Standard or Enterprise Edition (32-bit only) (SP3)

Number of clients: 10,001 - 50,000

Hardware:
4 3.4 GHz dual Xeon processors
8 GB RAM
2 RAID 1 drives (SCSI only), each with 144 GB of free space for system files and logs
5 RAID 5 drives (SCSI only), each with 144 GB of free space for data files

Operating system and additional software:
Windows Server 2008:
■ Windows Server 2008 Standard, Standard x64, Enterprise, or Enterprise x64 Edition (SP1 or SP2)
■ Windows Server 2008 R2 Standard, R2 Standard x64, R2 Enterprise, or R2 Enterprise x64 Edition (SP1)
Windows Server 2003 (32-bit only):
■ Windows Server 2003 Standard or Enterprise, R2 Standard or R2 Enterprise Edition (SP2)
The following software must also be installed on the server:
■ .NET Framework 2.0

Database software:
Microsoft SQL Server 2008 Standard or Enterprise Edition
Microsoft SQL Server 2005 Standard or Enterprise Edition (32-bit only) (SP3)

Number of clients: 50,001 - 100,000

Hardware:
External Storage Area Network (SAN) storage is recommended. Spread database files on maximum number of physical disks. Transaction logs can be placed on mirrored disks.

Operating system and additional software:
Windows Server 2008:
■ Windows Server 2008 Standard, Standard x64, Enterprise, or Enterprise x64 Edition (SP1 or SP2)
■ Windows Server 2008 R2 Standard, R2 Standard x64, R2 Enterprise, or R2 Enterprise x64 Edition (SP1)
Windows Server 2003 (32-bit only):
■ Windows Server 2003 Standard or Enterprise, R2 Standard or R2 Enterprise Edition (SP2)
The following software must also be installed on the server:
■ .NET Framework 2.0

Database software:
Microsoft SQL Server 2008 Standard or Enterprise Edition
Microsoft SQL Server 2005 Standard or Enterprise Edition (32-bit only) (SP3)

Number of clients: 100,001 + Clients

Contact Symantec support for specific recommendations.

Shadow repository requirements

File shadowing is an optional feature. File shadowing provides a mirror image of data transferred in the network.

■ For fewer than 1,000 clients, Symantec recommends locating the shadowing repository on the Device Control Management Server itself.

■ For 1,000 to 10,000 clients, Symantec recommends locating one or more shadow repositories on computers other than the Device Control Management Server.

■ For more than 10,000 clients, Symantec recommends that you augment local storage on the Device Control Management Server with external SAN storage.

Table 2-6 Shadow repository requirements

Number of clients: 1 - 10,000

Hardware:
3-GHz processor
2 GB RAM

Software:
Windows Server 2008:
■ Windows Server 2008 Standard, Standard x64, Enterprise, or Enterprise x64 Edition (SP1 or SP2)
■ Windows Server 2008 R2 Standard, R2 Standard x64, R2 Enterprise, or R2 Enterprise x64 Edition (SP1)
Windows Server 2003 (32-bit only):
■ Windows Server 2003 Standard or Enterprise, R2 Standard or R2 Enterprise Edition (SP2)

Number of clients: 10,001 +

Hardware:
4 3.4 GHz dual Xeon processors
8 GB RAM
2 RAID 1 drives (SCSI only), each with 144 GB of free space for system files and logs
5 RAID 5 drives (SCSI only), each with 144 GB of free space for data files

Software:
Windows Server 2008:
■ Windows Server 2008 Standard, Standard x64, Enterprise, or Enterprise x64 Edition (SP1 or SP2)
■ Windows Server 2008 R2 Standard, R2 Standard x64, R2 Enterprise, or R2 Enterprise x64 Edition (SP1)
Windows Server 2003 (32-bit only):
■ Windows Server 2003 Standard or Enterprise, R2 Standard or R2 Enterprise Edition (SP2)

Manager computer requirements

A Manager computer runs the Device Control Management Console software. Run the Management Console on the Device Control Management Server or on one or more Manager computers.

Table 2-7 Manager computer requirements

Hardware:
300 MHz Pentium processor
128 MB RAM
20 MB free disk space
1024x768 display resolution (or greater)

Software:
■ Windows 7 Professional, Professional x64, Ultimate, Ultimate x64, Enterprise, or Enterprise x64 Edition (SP1)
■ Windows Server 2008 R2 Standard, Standard x64, Enterprise, or Enterprise x64 Edition (SP1)
■ Windows Server 2008 Standard, Standard x64, Enterprise, or Enterprise x64 Edition (SP1 or SP2)
■ Windows Vista Business, Ultimate, or Enterprise Edition (32-bit only, SP1 or SP2)
■ Windows Server 2003 R2 Standard or Enterprise Edition (32-bit only, SP2), with Microsoft .NET Framework 2.0
■ Windows Server 2003 Standard or Enterprise Edition (32-bit only, SP2), with Microsoft .NET Framework 2.0
■ Windows XP Professional or Tablet PC Edition (32-bit only, SP3), with Microsoft .NET Framework 2.0

Client computer requirements

Table 2-8 lists the minimum system requirements for client computers running Device Control software.

About enabling Internet Information Services (IIS)

IIS is used for communication between the Device Control Management Server, client computers, and Management Console. IIS is included in both Windows Server 2003 and Windows Server 2008. However, the operating system can be installed without it or it may not be enabled.

Enable IIS using the instructions for the operating system of the Device Control Management Server.

■ See Enabling IIS on Windows Server 2003.

■ See Enabling IIS on Windows Server 2008.

Enabling IIS on Windows Server 2003

Confirm that IIS is installed. If the operating system was installed without it, follow the steps in this section to add IIS. To perform the procedure, you must have access to the Windows Server 2003 installation files.

To enable IIS on Windows Server 2003

1 In Control Panel, select Add or Remove Programs.

2 Click Add/Remove Windows Components.

3 In the Windows Components Wizard, select Application Server and click Next.

4 If you are prompted, select the location of the relevant Microsoft Windows installation components and click OK.

5 Click Finish to close the wizard.

Enabling IIS on Windows Server 2008Ensure that IIS is enabled with the correct roles and role services by completing the following steps.

To enable IIS on Windows Server 2008

1 Click Start, then click Server Manager.

2 In the left pane of the Server Manager, right-click Roles and click Add roles.

3 In the Add Roles Wizard, click Next.

4 On the Select Server Roles page, select Web Server (IIS), and then click Next.

Table 2-8 Client computer requirements

Hardware Software

300 MHz Pentium processor

128 MB RAM

10 MB free disk space

■ Windows 7 Professional, Professional x64, Ultimate, Ultimate x64, Enterprise, or Enterprise x64 Edition (SP1)

■ Windows Server 2008 R2 Standard, Standard x64, Enterprise, or Enterprise x64 Edition

■ Windows Server 2008 Standard, Standard x64, Enterprise, or Enterprise x64 Edition (SP1 or SP2)

■ Windows Vista Business, Ultimate, or Enterprise Edition (32-bit only, SP1 or SP2)

■ Windows Server 2003 R2 Standard or Enterprise Edition (32-bit only, SP2)

■ Windows Server 2003 Standard or Enterprise Edition (32-bit only, SP2)

■ Windows XP Professional or Tablet PC Edition (32-bit only, SP3)

Page 16: Symantec Endpoint Encryption Device Controlorigin-symwisedownload.symantec.com/resources/sites/SYMWISE/content... · 2 Introducing Symantec Endpoint Encryption Device Control Components

12 Planning for the installationDisabling User Access Control (UAC)

5 On the Web Server (IIS) page, click Next.

Note: Selecting the IIS role automatically selects the additional role services that IIS requires. In the following steps, ensure that you do not deselect any of these pre-selected options.

6 On the Select Role Services page, expand Web Server, then expand Application Development and select ASP.NET.

7 In the Add role services and features required for ASP.NET dialog box, click Add Required Role Services. Selecting this option also selects .NET Extensibility, ISAPI Extensions, and ISAPI Filters.

8 Expand Security and select Basic Authentication.

9 Expand Management Tools, then select IIS Management Scripts and Tools. Expand IIS 6 Management Compatibility, then select IIS 6 Metabase Compatibility and IIS 6.

10 Click Next, then click Install.

11 Click Close. Select File > Exit to close the Server Manager snap-in.

Enabling Distributed Component Object Model (DCOM)

The Device Control Management Server requires DCOM, which is enabled by default in both Windows Server 2003 and 2008, but may be disabled on your computer. Verify that DCOM is enabled.

To enable DCOM

1 Do one of the following:

■ For Windows Server 2003, click Start > Run, type dcomcnfg, and press Enter.

■ For Windows Server 2008, click Start, type dcomcnfg, and press Enter.

2 In the Component Services snap-in, expand Computers, right-click My Computer, and click Properties.

3 In the My Computer Properties dialog box, click Default Properties.

4 If it is not already selected, select Enable Distributed COM on this computer, then click OK.

5 Click Yes to continue.

6 Close the Component Services snap-in.

Disabling User Account Control (UAC)

User Account Control must be disabled for Device Control to function properly.

If the Device Control Management Server is installed with Windows Server 2008, complete the following steps to ensure that UAC is not enabled.

To disable UAC

1 In Control Panel, double-click User Accounts, then click Turn User Account Control on or off.

2 Deselect Use User Account Control (UAC) to help protect your computer, then click OK.

3 You must restart the computer to apply the change. Do one of the following:

■ To apply the change immediately, click Restart Now.

■ To restart later, click Restart Later and close the User Accounts window.
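The IIS, DCOM, and UAC prerequisites described above can be confirmed in one read-only pass before running the installer. The following script is an added example, not part of the Symantec guide. It assumes an elevated PowerShell session; the W3SVC service name, the ServerManager feature names, and the EnableDCOM and EnableLUA registry values are the standard Windows identifiers for these settings and do not appear in the guide.

```powershell
# Added example (not from the Symantec guide): read-only check of the server
# prerequisites described in this chapter. Nothing is changed on the system.

function Test-IisService {
    # W3SVC is the World Wide Web Publishing Service installed with IIS.
    $svc = Get-Service -Name 'W3SVC' -ErrorAction SilentlyContinue
    if (-not $svc) { return 'IIS: NOT INSTALLED (W3SVC service not found)' }
    return "IIS: installed, W3SVC is $($svc.Status)"
}

function Test-IisRoleServices {
    # Role services selected in "To enable IIS on Windows Server 2008".
    # Name is the ServerManager feature identifier (assumed mapping for each option).
    $wanted = @(
        @{ Name = 'Web-Server';          Label = 'Web Server (IIS)' },
        @{ Name = 'Web-Asp-Net';         Label = 'ASP.NET' },
        @{ Name = 'Web-Net-Ext';         Label = '.NET Extensibility' },
        @{ Name = 'Web-ISAPI-Ext';       Label = 'ISAPI Extensions' },
        @{ Name = 'Web-ISAPI-Filter';    Label = 'ISAPI Filters' },
        @{ Name = 'Web-Basic-Auth';      Label = 'Basic Authentication' },
        @{ Name = 'Web-Scripting-Tools'; Label = 'IIS Management Scripts and Tools' },
        @{ Name = 'Web-Metabase';        Label = 'IIS 6 Metabase Compatibility' }
    )
    Import-Module ServerManager -ErrorAction SilentlyContinue
    if (-not (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue)) {
        return 'Role services: skipped (Get-WindowsFeature is not available here)'
    }
    foreach ($w in $wanted) {
        $feature = Get-WindowsFeature -Name $w.Name
        $state = if ($feature -and $feature.Installed) { 'ok' } else { 'MISSING' }
        '{0} [{1}]: {2}' -f $w.Label, $w.Name, $state
    }
}

function Test-Dcom {
    # "Enable Distributed COM on this computer" is stored as EnableDCOM = Y or N.
    $value = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' `
                               -Name 'EnableDCOM' -ErrorAction SilentlyContinue).EnableDCOM
    if ($value -eq 'Y') { return 'DCOM: enabled' }
    return "DCOM: NOT enabled (EnableDCOM = '$value')"
}

function Test-Uac {
    # The "Use User Account Control (UAC)" check box is stored as EnableLUA (1 = on).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = (Get-ItemProperty -Path $key -Name 'EnableLUA' `
                               -ErrorAction SilentlyContinue).EnableLUA
    if ($null -eq $value) { return 'UAC: EnableLUA value not present on this system' }
    if ($value -eq 0)     { return 'UAC: disabled, as the guide requires' }
    return "UAC: ENABLED (EnableLUA = $value); disable it and restart before installing"
}

Test-IisService
Test-IisRoleServices
Test-Dcom
Test-Uac
```

A change to the UAC setting takes effect only after the restart that the procedure calls for, so run the check again after restarting.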

Enabling Desktop Experience

The Desktop Experience feature of Windows Server 2008 includes programs such as Windows Media Player or DirectX. These programs may be required to view shadowed media data.

If you do not need to view shadowed media files, you can ignore this procedure.

To enable Desktop Experience

1 Click Start > Administrative Tools, and then double-click Server Manager.

2 In Server Manager, click Add Features under Features Summary.

3 In the Add Features Wizard dialog box, make sure that the Desktop Experience option is selected.

4 Click Next, and then click Install.

5 After the installation process is complete, click Close, and then close Server Manager.

6 You must restart the computer to apply the change.

About the Windows Management Instrumentation (WMI) protocol

The Device Control Management Server communicates with client computers using WMI. WMI is an access mechanism that enables you to query, change, and monitor configuration settings on client computers. To interact with the Device Control Client systems, you must open the WMI port on the clients.

Once you have opened the WMI port on a client, confirm communication is successful by updating a policy or collecting logs.

To troubleshoot issues, see the following Microsoft link:

http://msdn.microsoft.com/en-us/library/aa394603%28VS.85%29.aspx

Table 2-9 WMI configuration information

Operating system: Windows Vista or Windows 7

Action: For Windows Vista or later clients, you can set a fixed port for WMI. See the following link: http://msdn.microsoft.com/en-us/library/bb219447%28VS.85%29.aspx

Operating system: Windows XP or earlier

Action:

■ For clients using the Windows firewall, see the following link: http://msdn.microsoft.com/en-us/library/aa389286%28VS.85%29.aspx

■ For clients using a firewall other than the one built in with the Windows operating system, see the vendor’s documentation.

Chapter 3

Installing the Management Server

This chapter includes the following topics:

■ Installing the Management Server software for the first time

■ Post-installation tasks

■ Restoring a previous installation of the Management Server

■ Upgrading to a new release of Device Control

■ Uninstalling the Management Server software

Installing the Management Server software for the first time

Before you begin, do the following:

■ Prepare for installation as described in “Preparing for installation” on page 5.

■ Install and set up your database server. See the database vendor documentation for more details. The database server connection information is required during the Management Server installation process.

■ Log on to the Management Server computer using an account with appropriate access privileges.

To install the Management Server software

1 Start the installation process by double-clicking Symantec Endpoint Encryption Device Control Server.exe.

2 To continue the installation process and extract the installation files, click Yes, and then click Next.

3 On the Welcome screen of the installation wizard, click Next.

4 Review the license agreement. Click I accept the terms in the license agreement, and then click Next.

5 On the Installation Mode dialog box, click New, then click Next.

6 On the Database credentials page, in the Database Server field, do one of the following:

■ Type the name of the database server.

■ Type the name of the server instance and port, using the following syntax:

computer name\instance name,port number

For example:

SEEDB-01\DEVICECONTROL,1044

7 For Database authentication mode, select the type of security that should be used. This selection must correspond to how your database server is configured to authenticate.

■ MS SQL Security

■ Microsoft Windows Security

8 Type your database authentication credentials for User Name and Password. If you selected Microsoft Windows Security, you must also enter a Domain name.

9 Click Next.

10 If a valid Device Control database exists at the location in the Database Server field, do one of the following:

■ To use the existing database, select Restore a previous installation using this database and click OK.

■ To create a new database or overwrite an existing database, select Overwrite it with a new database and click OK.

11 On the Destination Folder page, do one of the following:

■ To select the default installation folder, click Next.

■ To select a different installation folder, click Change. Select a new location, and then click Next.

12 On the Domain Credentials page, type the credentials of an Active Directory domain or local user account. Symantec recommends using an account with domain administrator privileges. You can change this user after installation.

Do one of the following:

■ To use Active Directory to distribute your policies, type the user name, password, and domain of a domain account and click Next.

■ To use Novell, type the user name and password of a local account, or type the user name, password, and domain of a domain account. Click Next.

Note: An account with domain administrator privileges is recommended.

See “About changing the Active Directory group membership to one with appropriate permissions” on page 17.

13 On the Access Privileges dialog box, click Next.

14 The Device Control Management Server communicates using the default SSL port of the host computer. To use different port numbers, type the port numbers in the following fields:

■ Device Control Clients Communication port (SSL) (default port is 443)

■ Management Console Communication port (SSL) (default port is 4443)

15 For SSL to operate, a certificate is needed to authenticate the Device Control Management Server. This certificate is also used to encrypt the data that is sent on the communication port. If the computer that is running the Management Server has an active Web site that allows SSL port activation, the application uses the existing certificate. If no certificate exists, the application creates a new self-signed certificate. In this case, click OK to continue with the installation.

16 Click Next.

17 On the System Unique Encryption Keys page, you are asked to back up the encryption keys that Symantec Endpoint Encryption Device Control generates. Do one of the following:

■ To back up your encryption keys now, confirm the path to the backup file, or click Browse to specify a new location. To protect the keys, type and confirm a password. Click Next.

Note: The password must be at least five characters in length and must contain one letter and one digit.

■ To back up your keys at another time, select Do not backup encryption keys now. Click Next.

For more information about system-generated encryption keys, see the Administrator Guide.

18 On the Summary page, review the summary and do one of the following:

■ To accept the options and install the software, click Install.

Note: If you need to change any options, click Back.

19 On the Installation Completed page, select Launch Management Console and click Finish.

Post-installation tasks

Before you continue with any other deployment activities, complete the following tasks:

■ Change the default password for uninstalling client software.

See “Changing the default client uninstall password” on page 17.

■ To make a change to the Active Directory account, apply the change first within Device Control and then in Active Directory.

■ Change access to the Management Console from the local administrators group of the machine hosting the Management Server to a user group in your Active Directory.

See “About changing the Active Directory group membership to one with appropriate permissions” on page 17.

■ If you used a domain account as your Domain Credentials, log on to the Device Control Management Server after installation, using that domain account. This caches the credentials of the domain account, so authentication can still occur when there is no connection to the domain controller.

■ If you are joining a cluster, verify that the Device Control Management Server you added is listed in the Management Console as an active Management Server. See the Administrator Guide for details.

Changing the default client uninstall password

The Management Server includes a default password for client administration tasks and for uninstalling client software. You should change these passwords immediately after installing the server software and before deploying the client in a production environment.

To change the client uninstall password

1 On the Management Console, click Tools > Global Policy Settings.

2 Under Settings, click Options. In the Client Uninstall Password area, click Change Password.

3 To set new passwords, select Use a different password and then click both Change Password buttons.

4 For each password, type and confirm a password that is at least five characters long and contains one letter and one digit.

5 Click OK.

See the Administrator Guide for more information.

About changing the Active Directory group membership to one with appropriate permissions

Access to the Management Console is restricted by default to the local administrators group of the computer hosting the Management Server. To ensure that your Management Server computer user and password are not exposed, change this setting before you install additional Management Consoles.

You can change this setting from the Administration window in the Management Console. See the Administrator Guide for more information.

About Device Control system-generated encryption keys

To enhance the security of the system, Device Control generates encryption keys during installation. These keys have the following properties:

■ They are unique to your organization.

■ They increase the tampering resistance of your system.

■ They are used to encrypt policies and logs.

■ They are used for mutual authentication between the Device Control Management Server and the client computers in your system.

One use of these unique keys is to associate endpoints with the organization’s unique keys. The client rejects any policy that does not correlate to the organization’s unique keys as an attempt to circumvent its protection.

For this reason, it is highly recommended that you back up the system-generated keys and store them in another location. This practice ensures smooth recovery in cases of server malfunction, and avoids the need to redeploy clients to endpoints.

See “About Device Control system-generated encryption keys” on page 18.

Restoring a previous installation of the Management Server

To restore a previous installation of the Management Server software

1 Start the process by double-clicking Symantec Endpoint Encryption Device Control Server.exe.

2 To continue the installation process and extract the installation files, click Yes, and then click Next.

3 On the Welcome screen of the installation wizard, click Next.

4 Review the license agreement. Click I accept the terms in the license agreement, and then click Next.

5 On the Installation Mode dialog box, click Restore, then click Next.

6 On the Backup Files dialog box, do the following:

■ Specify the path to your encryption key file (.SKB) or click Browse to locate the file and type the password protecting the key.

■ To restore configuration data such as policies, select Restore previous installation configuration data. Specify the path to your configuration data file (.SCB) or click Browse to locate the file.

Note: The restoring process transfers previous policies to the new database, but does not transfer policy associations.

7 Click Next.

8 On the Database credentials page, in the Database Server field, do one of the following:

■ Type the name of the database server.

■ Type the name of the server instance and port, using the following syntax:

computer name\instance name,port number

For example:

SEEDB-01\DEVICECONTROL,1044

9 For Database authentication mode, select the type of security that should be used. This selection must correspond to how your database server is configured to authenticate.

■ MS SQL Security

■ Microsoft Windows Security

10 Type your database authentication credentials for User Name and Password. If you selected Microsoft Windows Security, you must also enter a Domain name.

11 Click Next.

12 If a valid Device Control database exists at the location in the Database Server field, do one of the following:

■ To use the existing database, select Restore a previous installation using this database and click OK.

■ To create a new database or overwrite an existing database, select Overwrite it with a new database and click OK.

13 On the Destination Folder page, do one of the following:

■ To select the default installation folder, click Next.

■ To select a different installation folder, click Change. Select a new location, and then click Next.

14 On the Domain Credentials page, type the credentials of an Active Directory domain or local user account. Symantec recommends using an account with domain administrator privileges. You can change this user after installation.

Do one of the following:

■ To use Active Directory to distribute your policies, type the user name, password, and domain of a domain account and click Next.

■ To use Novell, type the user name and password of a local account, or type the user name, password, and domain of a domain account. Click Next.

Note: An account with domain administrator privileges is recommended.

See “About changing the Active Directory group membership to one with appropriate permissions” on page 17.

15 On the Access Privileges dialog box, click Next.

16 The Device Control Management Server communicates using the default SSL port of the host computer. To use different port numbers, type the port numbers in the following fields:

■ Device Control Clients Communication port (SSL) (default port is 443)

■ Management Console Communication port (SSL) (default port is 4443)

17 For SSL to operate, a certificate is needed to authenticate the Device Control Management Server. This certificate is also used to encrypt the data that is sent on the communication port. If the computer that is running the Management Server has an active Web site that allows SSL port activation, the application uses the existing certificate. If no certificate exists, the application creates a new self-signed certificate. In this case, click OK to continue with the installation.

18 Click Next.

19 On the System Unique Encryption Keys page, you are asked to back up the encryption keys that Symantec Endpoint Encryption Device Control generates. Do one of the following:

■ To back up your encryption keys now, confirm the path to the backup file, or click Browse to specify a new location. To protect the keys, type and confirm a password. Click Next.

Note: The password must be at least five characters in length and must contain one letter and one digit.

■ To back up your keys at another time, select Do not backup encryption keys now. Click Next.

For more information about system-generated encryption keys, see the Administrator Guide.

20 On the Summary page, review the summary and do one of the following:

■ To accept the options and install the software, click Install.

Note: If you need to change any options, click Back.

21 On the Installation Completed page, select Launch Management Console and click Finish.

Upgrading to a new release of Device Control

This section describes how to upgrade to the latest version of the Device Control Management Server.

Upgrading a system with an embedded database

If you have an embedded database, you must migrate to an external database before you upgrade.

To upgrade a system with an embedded database

1 Back up your keys, configuration data, and logs. (Refer to the Administrator Guide of the Device Control version that you are currently running for more information).

2 Once you have backed up this data, uninstall the Device Control Management Server. See “Uninstalling the Management Server software” on page 21.

3 After you uninstall the Device Control Management Server, reinstall the same version of the Device Control Management Server. (See the Installation Guide for the version that you are currently running for more information.)

4 During reinstallation, select the Restore option and provide the backed up keys and configuration data. See “Restoring a previous installation of the Management Server” on page 18.

5 After completing the InstallShield Wizard, follow the procedure to upgrade a system with an external database. See “Upgrading a system with an external database” on page 20.

6 After the successful upgrade, restore your backed up logs. (“Embedded Database Log Restoration” on page 24).

Upgrading a system with an external database

Note: After upgrading the Management Server to this version of Device Control, pre-8.0.0 clients will no longer be able to communicate with the Management Server. You must upgrade pre-8.0.0 clients to regain communications.

To upgrade to a new release of Device Control

1 Back up your database.

2 Uninstall all instances of the Device Control Management Console.

3 Double-click or otherwise launch the Symantec Endpoint Encryption Device Control Server.exe file.

4 After the files have been successfully extracted, click Next.

5 Do one of the following:

■ To back up your system-generated encryption keys, specify the backup location. Symantec recommends saving the keys to a different location. Set and confirm a password to protect the keys. The password must be at least five characters in length and include at least one letter and one digit.

■ To back up the keys later, select Do not backup encryption keys now.

6 Click Next.

7 Click Finish. You may be prompted to restart.

See “Restoring log files from an embedded database” on page 21.

Restoring log files from an embedded database

After you upgrade to an external database and upgrade to the latest version of Device Control, migrate the log backup file into the new database.

Before you begin, copy the log backup file to a location accessible from the Device Control Management Server.

To restore log files from an embedded database

1 Click Start > Administrative Tools > Services.

2 Stop the two Device Control services. To stop the service, click the service name, right-click, and select Stop.

■ Symantec Endpoint Encryption Device Control domain service

■ Symantec Endpoint Encryption Device Control local service

3 Click Start > Administrative Tools > Internet Information Services (IIS) Manager.

4 In the left pane, expand the Device Control Management Server and select Web Sites.

5 Stop the two Device Control websites. To stop a website, click the website name, right-click, and select Stop.

■ Symantec Endpoint Encryption Device Control Web Site

■ Symantec Endpoint Encryption Device Control Web Site WS

6 Locate RestoreTool.exe in your Device Control Management Server installation folder under the bin folder. The default path is: c:\Program Files\Symantec Endpoint Encryption\Device Control\Management Server\bin.

7 Open a command prompt window and run the RestoreTool utility using the following syntax:

RestoreTool restore -backupFile <path> [-silent] [-verbose]

The program notifies you of any errors in the restore process. If there are no errors, your log data and structure are restored.

8 Restart the Symantec Endpoint Encryption Device Control Web sites and services.
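The restore procedure above can be run as a single script that always restarts the services and Web sites, even when RestoreTool reports an error. This is an added example, not a Symantec-supplied script. It assumes an elevated PowerShell session on IIS 7 or later with the WebAdministration module, that the service and Web site names in steps 2 and 5 are the display names registered on the server, and that the product is installed in the default path from step 6.

```powershell
# Added example (not a Symantec script): "To restore log files from an embedded
# database" as one script. Names and paths are taken from the procedure steps;
# treating them as service display names and IIS site names is an assumption.
param(
    [Parameter(Mandatory = $true)]
    [string]$BackupFile    # log backup (SLB) file, already copied to this server
)

$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

$restoreTool = 'C:\Program Files\Symantec Endpoint Encryption\Device Control\Management Server\bin\RestoreTool.exe'
$serviceNames = @(
    'Symantec Endpoint Encryption Device Control domain service',
    'Symantec Endpoint Encryption Device Control local service'
)
$siteNames = @(
    'Symantec Endpoint Encryption Device Control Web Site',
    'Symantec Endpoint Encryption Device Control Web Site WS'
)

# Resolve every input before stopping anything, so a wrong name or path fails
# while the server is still fully running.
if (-not (Test-Path -LiteralPath $BackupFile))  { throw "Log backup file not found: $BackupFile" }
if (-not (Test-Path -LiteralPath $restoreTool)) { throw "RestoreTool.exe not found: $restoreTool" }
$services = foreach ($name in $serviceNames) { Get-Service -DisplayName $name }
foreach ($site in $siteNames) { Get-Item -Path "IIS:\Sites\$site" | Out-Null }

try {
    # Steps 1-2: stop the two Device Control services.
    $services | Stop-Service

    # Steps 3-5: stop the two Device Control Web sites.
    foreach ($site in $siteNames) { Stop-Website -Name $site }

    # Step 7: run the restore. -silent is left out on purpose so that the tool
    # still asks for confirmation; -verbose shows what is being restored.
    & $restoreTool restore -backupFile $BackupFile -verbose
}
finally {
    # Step 8: restart the Web sites and services, whether or not the restore worked.
    foreach ($site in $siteNames) { Start-Website -Name $site }
    $services | Start-Service
}
```

RestoreTool reports errors in its own output, so read that output before treating the restore as complete.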

Table 3-1 RestoreTool syntax

Parameter Explanation

-backupFile path Use this mandatory parameter to specify the location and name of the log backup (SLB) file.

-silent Use this optional parameter to run the Log Restoration utility in silent mode. In this mode, no confirmation is requested.

-verbose Use this optional parameter to run the Log Restoration utility in verbose mode.

-help Displays help.

version Displays the RestoreTool version number.

Uninstalling the Management Server software

To uninstall the Device Control Management Server

1 Log on to Windows as the user who originally installed the Device Control Management Server.

2 In Control Panel, select Add or Remove Programs.

3 Select Symantec Endpoint Encryption Device Control Management Server.

4 Click Remove.

Chapter 4

Installing the Device Control Management Console

This chapter includes the following topics:

■ About the Management Console

■ Installing the Management Console on another computer

■ Starting the Management Console for the first time

■ Uninstalling the Management Console

■ Upgrading the Management Console

About the Management Console

The Management Console is a tool to manage clients, view logs, define policies, monitor usage, and administer the Device Control Management Server. The Console is automatically installed when you install the Device Control Management Server. However, you can install and run the Management Console on computers other than your Management Server.

Manager computers are any systems or servers on which the Management Console is installed.

Installing the Management Console on another computer

The Management Console installer files are located on the Management Server.

A Web page is created during the installation of the Management Server containing links to the Management Console installation files.

To install the Management Console software on another computer

1 In a Web browser on the target computer, type one of the following addresses:

■ https://servername:serverport/symantecendpointencryptionDeviceControl/consoleinstall.aspx

■ https://servername:serverport/symantecendpointencryptiondevicecontrol

Note: If you created a self-signed SSL certificate during installation of the Management Server, your browser may display a security alert.

2 On the Management Console installation page, click the link to install the appropriate software.

■ Microsoft .NET Framework 2.0 software (pre-requisite). If .NET Framework 2.0 is not already installed, click the link and install it before proceeding with the Management Console installation.

■ The 32-bit Management Console installation package

■ The 64-bit Management Console installation package

3 On the File Download - Security Warning dialog, do one of the following:

■ To launch the MSI right away, click Run.

■ To save a copy of the MSI, click Save.

Note: You can transfer the saved package to removable media for manual installation on other computers.

4 If the Management Console installer has not already started, locate the ManagementConsole.en-US.msi file and double-click it to start installation.

5 If the Open File - Security Warning dialog box displays, click Run.

6 On the Welcome page, click Next.

7 On the Select Installation Folder page, do one of the following and then click Next.

■ Accept the default location.

■ Specify a custom location.

8 On the Confirm Installation page, click Next.

9 On the Installation Complete page, click Close to exit.
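When the Management Server created its own self-signed certificate, the browser alert mentioned in step 1 cannot tell you whether you reached the right server. The following script is an added example, not part of the Symantec guide. It retrieves the certificate presented on the two default SSL ports and prints the values to compare with the certificate on the server itself. The host name `servername` is a placeholder, as in the URLs above.

```powershell
# Added example (not from the Symantec guide): show the certificate a Management
# Server presents, so its fingerprint can be compared before it is accepted.
param(
    [string]$ServerName = 'servername',   # placeholder host name
    [int[]]$Ports = @(443, 4443)          # default client and console SSL ports
)

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever is presented: the aim is to inspect it, not to trust it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        try {
            $ssl.AuthenticateAsClient($HostName)
            return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        }
        finally { $ssl.Dispose() }
    }
    finally { $client.Close() }
}

function Get-CertificateReport {
    param([string]$HostName, [int]$Port)

    $cert = Get-PresentedCertificate -HostName $HostName -Port $Port
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $fingerprint = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    New-Object PSObject -Property @{
        Endpoint          = "${HostName}:$Port"
        Subject           = $cert.Subject
        Issuer            = $cert.Issuer
        SelfSigned        = ($cert.Subject -eq $cert.Issuer)   # issuer equals subject
        TrustedOnThisHost = $chain.Build($cert)                # chains to a local trust root
        NotAfter          = $cert.NotAfter
        Sha1Thumbprint    = $cert.Thumbprint
        Sha256Fingerprint = $fingerprint
    }
}

foreach ($port in $Ports) {
    try   { Get-CertificateReport -HostName $ServerName -Port $port | Format-List }
    catch { Write-Warning "${ServerName}:$port - $($_.Exception.Message)" }
}
```

Compare the reported thumbprint with the certificate bound to the Device Control Web site on the Management Server before continuing past the browser alert.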

Starting the Management Console for the first time

Confirm that the Management Console launches properly by completing the following steps.

To launch the Management Console software for the first time

1 Click Start > Programs > Symantec Endpoint Encryption Device Control > Management Console.

2 On the Login window, type your user name, password, and domain, and click Login.

3 The Password Change Required dialog displays if the default global client uninstallation password has not been changed. Click OK.

Note: To avoid receiving this prompt each time you log on to the Management Console, change the default global uninstall password. See the Administrator Guide for more information.

4 In the Management Console, do the following before you deploy any clients:

■ Select your policy distribution method

■ Back up the system unique encryption keys

■ Set a shared folder for client installation package distribution

■ Define the log transfer interval.

See the Administrator Guide for instructions on how to perform these tasks.

Uninstalling the Management Console

Uninstalling the Management Console does not cause any information loss. You can reinstall the Management Console at any time.

To uninstall the Management Console

1 In Control Panel, select Add or Remove Programs.

2 From the list of installed programs, select Symantec Device Control Management Console, and click Remove.


Upgrading the Management Console

The Management Console must be the same version as the Device Control Management Server. When you upgrade the Device Control Management Server, you must also upgrade all Management Consoles.

To upgrade the Management Console

1 Uninstall the Management Console software. See “Uninstalling the Management Console” on page 24.

2 Install the new version of the Management Console. See “Installing the Management Console on another computer” on page 23.


Chapter 5

Installing the Device Control client

This chapter includes the following topics:

■ Considerations before you install the client files

■ Creating client installation files

■ About deploying the client package

■ About upgrading the client software

■ About uninstalling the client software

Considerations before you install the client files

Consider the following before you install:

■ Before you install the Symantec Endpoint Encryption Device Control client, you must first install the Device Control Management Server. When you create client installation files on the Management Server, the Management Server imprints each installed client with the server’s encryption keys. After installation, the client uses these keys when it communicates with the server. Clients do not accept any policies from, nor communicate with, a server that does not hold matching keys.

This imprinting process is performed by initializing the client with a file called ClientConfig.scc. The Device Control Management Server generates this file upon demand. The ClientConfig.scc file must be available to the client during installation. For more information on creating the file, see the Administrator’s Guide.

■ Before you create Device Control client installation files, determine where you want the installation files to be located. Regardless of the method you use to deploy the client, you must have access to this folder from all client computers in the network. See “Creating client installation files” on page 28.

■ By default, the process of installing the Device Control client involves restarting most of the peripheral devices on the endpoint to start enforcing policy. This restart may cause temporary disconnection from the network in the final stages of the installation.

■ When you distribute clients using an Active Directory GPO, the clients install silently with no user interface visible to the user. For example, if a restart is necessary, the restart occurs without a prompt to the user. Note that you cannot install using a GPO if the client was previously installed manually. See “Deploying the client using Active Directory Group Policy Management” on page 29.

■ If you use third-party products to deploy client software, you may find it useful to postpone restarting the devices to avoid network disconnection during installation. You can control both the device restart and the computer restart behavior by defining whether they should be performed during installation. If you choose not to restart the devices or the computer, the policy is not enforced until the computer restarts upon user request.

See “Defining the restart method during client installation” on page 28.


Creating client installation files

When you deploy the client, the installation files must be accessible from all client computers. The default folder in which the Management Server creates installation files is local to the server. For example, if you specify C:\Shared Folder, the files are created in the Shared Folder directory on the C drive of the Management Server. Your target clients need to have access to this directory. If you want to create the files in another location, use the UNC syntax to specify a network path such as \\CADC-01\Sysvol.

To create client installation files

1 Start the Management Console.

2 Select Tools > Administration.

3 In the left pane of the Administration window, click Clients.

4 On the Clients panel, click Browse to navigate to the shared destination of your client installation files, or type the path in by hand.

5 To generate client installation files, click Create Files, and then click OK.

Defining the restart method during client installation

You can define how and when client systems are restarted during Device Control client installation.

To define the restart method during client installation

1 Open the ClientConfig.scc file in Notepad or a similar text editing tool.

2 Scroll to the end of the file to the [InstallParams] section.

3 Edit the InstallMethod value as required.

Table 5-1 InstallMethod Parameters and Values

Parameter: InstallMethod=0
Meaning: Default method. The installation restarts devices and displays a restart request message when required. This option ensures instant protection. After installation, all of your endpoints immediately begin to enforce policy.

Parameter: InstallMethod=1
Meaning: The installation restarts devices, but does not display a restart request message, even if restart is required. This option lets you perform a totally silent installation, with no messages to the end user. However, policy may not be enforced until the next restart.

Parameter: InstallMethod=2
Meaning: The installation does not restart devices, but instead displays a restart request message when required. Use this option to significantly shorten the installation process and use third-party applications to deploy the client without losing the network connection. By requiring a client computer to restart, you can make sure that policy is enforced immediately.

Note: When you use silent installation methods, such as InstallMethod=1 or InstallMethod=3, the system may become unstable when devices connect to the monitored ports. Make sure that the endpoint performs a restart as soon as possible after the installation process completes.
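A hand-edited value is easy to get wrong, and with a silent value (1 or 3) policy may not be enforced until the endpoint restarts. The PowerShell below is an added example, not part of the guide or the product: it checks the [InstallParams] section of a ClientConfig.scc file against Table 5-1. It assumes the file can be read as text lines; the function name, the [Other] section and the sample lines are constructed.

```powershell
# Added example, not from the guide: lint [InstallParams] before deployment.
# Assumption: ClientConfig.scc can be read as text lines. Only the section name,
# the InstallMethod key and the values 0-3 are taken from the guide.

# Behaviour of each value as listed in Table 5-1.
$InstallMethodTable = @{
    0 = [pscustomobject]@{ RestartsDevices = $true;  ShowsRestartMessage = $true  }
    1 = [pscustomobject]@{ RestartsDevices = $true;  ShowsRestartMessage = $false }
    2 = [pscustomobject]@{ RestartsDevices = $false; ShowsRestartMessage = $true  }
    3 = [pscustomobject]@{ RestartsDevices = $false; ShowsRestartMessage = $false }
}

function Test-InstallParams {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines)

    $section = $null   # section the current line belongs to
    $found   = @()     # InstallMethod values seen inside [InstallParams]
    $strays  = 0       # InstallMethod lines seen anywhere else
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[([^\]]+)\]$') {
            $section = $Matches[1]
        }
        elseif ($text -match '^InstallMethod\s*=\s*(.*)$') {
            if ($section -eq 'InstallParams') { $found += $Matches[1].Trim() } else { $strays++ }
        }
    }

    $issues = @()
    if ($strays -gt 0)      { $issues += "$strays InstallMethod line(s) outside [InstallParams]" }
    if ($found.Count -eq 0) { $issues += 'no InstallMethod value in [InstallParams]' }
    if ($found.Count -gt 1) { $issues += "InstallMethod set $($found.Count) times" }

    $value = $null
    if ($found.Count -gt 0) {
        if ($found[-1] -match '^[0-3]$') { $value = [int]$found[-1] }
        else { $issues += "InstallMethod='$($found[-1])' is not 0, 1, 2 or 3" }
    }

    $restartsDevices = $null
    $silent = $false
    if ($null -ne $value) {
        $restartsDevices = $InstallMethodTable[$value].RestartsDevices
        $silent = -not $InstallMethodTable[$value].ShowsRestartMessage
    }
    [pscustomobject]@{
        InstallMethod          = $value
        RestartsDevices        = $restartsDevices
        # Values 1 and 3 show no restart request, so the guide's note applies:
        # restart the endpoint as soon as possible after installation.
        RestartMustBeScheduled = $silent
        Issues                 = $issues -join '; '
    }
}

# Constructed samples. A real file is read with: Get-Content <path>\ClientConfig.scc
$samples = [ordered]@{
    'default'            = @('[InstallParams]', 'InstallMethod=0')
    'silent, no restart' = @('[Other]', 'Key=1', '', '[InstallParams]', 'InstallMethod = 3')
    'hand-edit slip'     = @('InstallMethod=1', '[InstallParams]', 'InstallMethod=4')
}
foreach ($name in $samples.Keys) {
    $r = Test-InstallParams -Lines $samples[$name]
    '{0}: InstallMethod={1} RestartMustBeScheduled={2} Issues=[{3}]' -f `
        $name, $r.InstallMethod, $r.RestartMustBeScheduled, $r.Issues
}
```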

About deploying the client package

You can deploy the client packages using one of the following methods:

■ From a central location using the third-party tool of your choice, such as Microsoft SMS or IBM Tivoli.

■ As a GPO using Active Directory.

■ Manually, on the client.

Note: User information does not appear in the client logs after installation until the computer is restarted and a user logs on to the client system.

Deploying the client using a third-party tool

You can install the client using a third-party corporate software management solution such as Microsoft SMS or IBM Tivoli.

To install the client software using a third-party tool

1 Locate the shared folder you specified for the client installation files. This folder must contain both of the following files:

■ SymantecEndpointEncryptionDeviceControlClient.msi

■ ClientConfig.scc

2 Create a batch file to install the client silently. Use the following command:

msiexec /i <path>\SymantecEndpointEncryptionDeviceControlClient.msi /qn

3 If prompted to do so, the user should restart the endpoint computer.

Deploying the client using Active Directory Group Policy Management

You can use an Active Directory GPO to distribute the Device Control client.

Note: If a client has already been installed manually, uninstall it and then reinstall it with GPO. Otherwise, GPO installation fails.

The client can take between 90 minutes and 120 minutes before it processes the software installation GPO. Depending on the configuration, it may take an additional 15 minutes for the GPO containing the installation package to replicate to other domain controllers.

Table 5-1 InstallMethod Parameters and Values (Continued)

Parameter: InstallMethod=3
Meaning: The installation does not restart devices and does not display a restart request message, even if restart is required. This option lets you perform a totally silent installation, with no messages to the user and without causing network disconnections. However, policy is not enforced until the next restart.

To deploy the client using Active Directory:

1 In Active Directory, open the Group Policy Management container and expand the entire container hierarchy to reveal the Group Policy Objects container.

2 Right-click Group Policy Objects and select New.

3 In the New GPO window, type the name of the new group policy in the Group Policy Object field and click OK.

4 Right-click the new policy and choose Edit.

5 In the Group Policy Object Editor, select Computer Configuration > Software Settings > Software installation.

6 Right-click Software Installation > New > Package and then click My Network Places.

7 Locate the shared folder you specified for the client installation files. This folder must contain both of the following files:

■ SymantecEndpointEncryptionDeviceControlClient.msi

■ ClientConfig.scc

8 Select SymantecEndpointEncryptionDeviceControlClient.msi, and click Open, and then click OK to accept the default value of Assigned for that package.

9 Select Administrative Templates > System > Logon.

10 Right-click Always wait for the network at computer startup and logon, and select Properties.

11 To ensure that the target computers have access to the shared network drive after restarting, in the Always wait for the network at computer startup and logon dialog box, select Enabled.

12 Close the Group Policy Object Editor.

13 In the Group Policy Management Console, select the group policy you created, then drag the group policy and drop it into the organizational unit (OU) or other object containing the computers to which you are deploying the client installer packages.

14 Click OK to confirm linking the policy to the specified location.

Deploying the client manually

You can deploy the Device Control client manually on computers you want to protect in your organization.

You need the following files:

■ SymantecEndpointEncryptionDeviceControlClient.msi

■ ClientConfig.scc

To deploy the client manually

1 Log on to Windows using an account with administrative privileges.

2 Double-click the SymantecEndpointEncryptionDeviceControlClient.msi file.

3 On the Welcome page, click Next.

4 On the License Agreement page, select the I accept the terms in the license agreement option then click Next.

5 On the Destination Folder page, select the folder to which you want to install the client. To install it to a folder other than the default, click Change. In the Change Current Destination Folder dialog box, select a destination folder, and then click OK. Click Next.

6 On the Select Client Configuration File page, select the ClientConfig.scc file and then click Next.


Note: If the ClientConfig.scc file is in a location other than the installation file, click Browse and navigate to the location of the ClientConfig.scc file.

7 On the Ready to Install the Program page, do one of the following:

■ To review or modify the destination folder and/or the SCC file, click Back.

■ To cancel and exit the installation process, click Cancel.

■ To begin the installation, click Install.

Note: During the installation, some of the devices that are attached to the client computer may stop functioning temporarily. The devices resume functioning when installation is complete.

8 Click Finish.

Note: Depending on the computer’s hardware configuration, a restart is required after installation for the Device Control client to begin protecting the endpoint. A message notifies you when a restart is required.

Note: User information does not appear in the client logs after installation until the computer is restarted and a user logs on to the client system.

About upgrading the client software

You can upgrade the client software using one of the following methods:

Table 5-2 Methods for updating client software

Method: As a GPO, using Active Directory.
Process: Follow the process for deploying the client as a GPO, using the installer file for the new version. The endpoints update the next time they are restarted.
See “Deploying the client using Active Directory Group Policy Management” on page 29.

Method: Manually, on the client.
Process: Follow the process for deploying the client manually. Symantec Endpoint Encryption Device Control automatically uninstalls your previous version of the product and updates it with the new version.

Note: After upgrade, you must restart the computer on which it was performed. The user is prompted to restart, unless you have configured this message not to appear.

See “Defining the restart method during client installation” on page 28.

About uninstalling the client software

The process of uninstalling is password protected using a global password or a policy-specific password. You set this password as one of the first post-installation tasks.

See “Changing the default client uninstall password” on page 17.

Clients that were deployed using a GPO must be uninstalled using a GPO. All other clients can be uninstalled manually.

See “Uninstalling clients with an Active Directory GPO” on page 32.

See “Uninstalling client software manually” on page 32.


Uninstalling client software manually

You must have the uninstallation password to remove the software.

To uninstall client software manually

1 Log on to the client computer with a user name that has the appropriate privileges to uninstall software.

2 In Control Panel, select Add or Remove Programs.

3 From the list of installed programs, select Symantec Device Control Client and click Change.

4 Click Next.

5 On the Uninstall Password page, type the password that was defined to remove the software and click Next. See the Administrator Guide and “Post-installation tasks” on page 17.

6 On the Remove the Program page, do one of the following:

■ To review or change any settings before continuing, click Back.

■ To exit the uninstall wizard, click Cancel.

■ To remove the Symantec Endpoint Encryption Device Control client, click Remove.

7 Depending on your operating system, a message appears to notify you that a restart is required. Click OK.

8 In the InstallShield Wizard Completed page, click Finish.

9 To complete the uninstallation, the client computer must restart. Do one of the following:

■ Click Yes to restart now.

■ Click No to restart later.

Uninstalling clients with an Active Directory GPO

You cannot use the automatic uninstall feature in the GPO software installation package because the Device Control uninstall procedure is password protected. To uninstall Device Control you must use a startup script.

To uninstall Device Control clients deployed by GPO, do one of the following:

■ Unlink the Symantec Endpoint Encryption Device Control Install GPO from the OU containing the client computers, and apply a new GPO containing an uninstall script. Symantec recommends this method.

See “Unlinking a Device Control Deployment GPO from an OU” on page 32.

■ Edit the Symantec Endpoint Encryption Device Control Deployment GPO.

See “Editing a Device Control Deployment GPO” on page 33.

Unlinking a Device Control Deployment GPO from an OU

Use the following process to uninstall Device Control clients deployed by GPO.

Note: The actual uninstall process occurs after the computer is restarted.

To unlink a Device Control GPO from an OU

1 Create a new GPO with the name Device Control Uninstall.

2 Right-click the new GPO and select Edit.

3 Navigate to Computer Configuration > Windows Settings, select Script and then select Startup.


4 Click Show Files. Create a new batch file containing the following command. The uninstall command in the batch file must be written on one line.

msiexec.exe /x "\\<full UNC path to Device Control shared install folder>\SymantecEndpointEncryptionDeviceControlClient.msi" /qn UNINSTALL_PASSWORD=<uninstall password>

■ Replace the full UNC path to Device Control’s shared installation folder with the appropriate path.

■ Replace the uninstall password with the appropriate uninstall password.

■ Save the file with a .BAT extension.

5 Close the folder, click Add and then click Browse.

6 Select the newly created batch file and click OK.

See “Editing a Device Control Deployment GPO” on page 33.

Editing a Device Control Deployment GPO

Use the following process to uninstall Device Control clients using an edited deployment GPO.

Note: The actual uninstall process occurs after the computer is restarted.

To edit a Device Control Deployment GPO

1 Edit the group policy that is applied to the client computers from which you want to uninstall the Device Control client software.

2 Expand Computer Configuration > Software Settings, and then expand Software Installation.

3 Right-click the Device Control object, select All Tasks and then click Remove.

4 Select Allow users to continue to use the software, but prevent new installations and click OK.

5 Create a new GPO with the name Device Control Uninstall.

6 Right-click the new GPO and select Edit.

7 Navigate to Computer Configuration > Windows Settings, select Script and then select Startup.

8 Click Show Files. Create a new batch file containing the following command. The uninstall command in the batch file must be written on one line.

msiexec.exe /x "\\<full UNC path to Device Control shared install folder>\SymantecEndpointEncryptionDeviceControlClient.msi" /qn UNINSTALL_PASSWORD=<uninstall password>

■ Replace the full UNC path to Device Control’s shared installation folder with the appropriate path.

■ Replace the uninstall password with the appropriate uninstall password.

■ Save the file with a .BAT extension.

9 Close the folder, click Add and then click Browse.

10 Select the newly created batch file and click OK.

See “Unlinking a Device Control Deployment GPO from an OU” on page 32.
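The batch file used in both GPO uninstall procedures holds the uninstall password in clear text inside the GPO's startup script folder, so check it before linking the GPO and remove leftover copies once the clients are uninstalled. The PowerShell below is an added example, not part of the guide or the product: it applies the one-line requirement to each line that carries the password and redacts the password in its report. The function names and the demo server, share and password are constructed.

```powershell
# Added example, not from the guide: lint GPO uninstall batch files and list the
# ones that hold the uninstall password, without printing the password itself.
# Function names and all demo values (server, share, password) are constructed.

function Test-UninstallBatchLine {
    param([Parameter(Mandatory)][string]$Line)
    $msi = 'SymantecEndpointEncryptionDeviceControlClient\.msi'
    if ($Line -notmatch '\bmsiexec(\.exe)?\s+/x\s')    { 'msiexec /x is not on this line (command wrapped?)' }
    if ($Line -notmatch ('"\\\\[^"]+\\' + $msi + '"')) { 'quoted UNC path to the client MSI not found' }
    if ($Line -match ('\\\s+' + $msi))                 { 'space between the last backslash and the MSI name' }
    if ($Line -notmatch '\s/qn(\s|$)')                 { '/qn is missing, so the uninstall is not silent' }
    if ($Line -match '<[^>]+>')                        { 'placeholder in angle brackets was not replaced' }
    if ($Line -match 'UNINSTALL_PASSWORD=\s*$')        { 'UNINSTALL_PASSWORD is empty' }
}

function Find-UninstallPasswordScript {
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -Path $Folder -Recurse -File -Include '*.bat', '*.cmd' |
        Select-String -Pattern 'UNINSTALL_PASSWORD=' |
        ForEach-Object {
            [pscustomobject]@{
                File    = $_.Path
                Line    = $_.LineNumber
                # Everything after the property name is hidden, because the
                # password is the last argument of the guide's command.
                Command = $_.Line -replace '(UNINSTALL_PASSWORD=).*$', '$1<redacted>'
                Issues  = @(Test-UninstallBatchLine -Line $_.Line) -join '; '
            }
        }
}

# Constructed demonstration in a temporary folder.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ('dc-uninstall-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null

# A command written on one line, as the procedure requires.
Set-Content -Path (Join-Path $demo 'good.bat') -Value (
    'msiexec.exe /x "\\FS01\DCInstall\SymantecEndpointEncryptionDeviceControlClient.msi" ' +
    '/qn UNINSTALL_PASSWORD=Example-Only-1')

# The same command wrapped onto two lines with the placeholder left in.
Set-Content -Path (Join-Path $demo 'wrapped.bat') -Value @(
    'msiexec.exe /x "\\FS01\DCInstall\SymantecEndpointEncryptionDeviceControlClient.msi"',
    '/qn UNINSTALL_PASSWORD=<uninstall password>')

Find-UninstallPasswordScript -Folder $demo | Format-List
Remove-Item -Path $demo -Recurse -Force
```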

Using the Client Cleanup utility to correct client uninstall problems

The Client Cleanup Utility lets you recover from the following situations without assistance from Symantec Support:

■ Device Control cannot be uninstalled using the procedures in “About uninstalling the client software” on page 31.

■ Device Control cannot be uninstalled because the client uninstall program fails to remove the client software.


This utility can also be used to correct the following situations, but you must call Symantec support for assistance:

■ The client is not functioning properly (for example, it is in panic mode) and does not accept your client uninstall password.

■ You have forgotten the client uninstall password and cannot update the client’s policy with a policy that sets a new uninstall password.

You must run the Client Cleanup utility on the client computer itself; it cannot be executed remotely.

To use the Client Cleanup utility to correct client uninstall problems

1 Run the file named spec.exe. It is usually located in the following folder: c:\Windows\System32\.

2 On the Symantec Endpoint Encryption Device Control Cleanup Utility, do one of the following:

■ If you can’t find the Device Control program in Windows Add/Remove Programs, or if a previous uninstallation attempt failed to complete, select Clean Corrupt Installation and type the Uninstall Password. You may also need to provide the path to ClientConfig.scc.

■ If you have forgotten the uninstallation password or can’t enter it because the client is in panic mode, select Symantec Support Assisted Cleanup. Contact Symantec support and provide them with the computer-specific cleanup token. The token is shown in the Your Cleanup Token is box.

Once they have provided you with your cleanup key, type it in the Cleanup Key box.

3 Click Cleanup Now.

4 Click OK to close the confirmation window.

5 Restart the client computer.


Chapter 6

Interoperating with Cisco Network Access Control

This chapter includes the following topics:

■ About Cisco Network Access Control (NAC)

■ Interoperability attributes of Device Control clients

■ About configuring a posture validation policy

■ About the Attribute-Value Pairs (AVP) file

About Cisco Network Access Control (NAC)

You can use Device Control with Cisco’s NAC to enhance your network security. NAC uses the network infrastructure to enforce security-policy compliance on all devices that attempt to access network computing resources. This enforcement limits damages from emerging security threats.

You can use NAC to limit network access only to compliant and trusted endpoint devices, such as PCs, servers, and PDAs. You can also restrict the access of noncompliant devices.

Interoperability attributes of Device Control clients

During installation of the Device Control client software, the SProtectorPP.dll is installed on the client. This DLL communicates the status of various Device Control client attributes to Cisco Trust Agent (CTA). CTA delivers the posture attributes to the Cisco Secure Access Control Server, which performs evaluation of the posture attributes.

If one or more of the attribute checks fail, the endpoint’s access to the network is blocked.

Device Control checks for the existence of the Device Control client on the endpoint. It also checks the following client parameters and reports them to the CTA Posture Agent:

■ Software version

■ Device Control policy name

■ Device Control policy ID

■ Device Control policy revision

■ Device Control policy type

■ Device Control policy update time

See “About Cisco Network Access Control (NAC)” on page 35.


About configuring a posture validation policy

A posture validation policy defines the validation checks for Device Control client attributes. Validation checks are performed on the attributes communicated by the Device Control client using the SProtectorPP.dll. The results are communicated to the CTA Posture Agent and reported by CTA to the Cisco Secure Access Control Server (ACS).

To configure policies for Device Control client attributes, import the Device Control attribute-value pairs (AVP) file into ACS.

Note: For additional details, see the Cisco ACS documentation.

To import the AVP file into ACS policy, do the following:

Table 6-1 Importing an AVP file into ACS

Step: 1
Task: Install the Symantec Endpoint Encryption Device Control client on computers in your network.
See “Deploying the client using a third-party tool” on page 29.
See “Deploying the client using Active Directory Group Policy Management” on page 29.
See “Deploying the client manually” on page 30.

Step: 2
Task: Prepare a Symantec Endpoint Encryption Device Control AVP file.
See “About the Attribute-Value Pairs (AVP) file” on page 36.

Step: 3
Task: On the Cisco Secure Access Control Server, import the AVP file.
See your Cisco Secure Access Control Server documentation for instructions.

Step: 4
Task: On the Cisco Secure Access Control Server, set up a profile and create posture validation policies in the Posture Validation Page.
See your Cisco Secure Access Control Server documentation for instructions.

About the Attribute-Value Pairs (AVP) file

The AVP file describes the Symantec Endpoint Encryption Device Control client attributes necessary for posture validation. The file must be imported into Cisco Secure Access Control Server.

This section contains all available Device Control client attributes. Delete any sections that apply to attributes that you do not want to check.

[attr#0]
vendor-id=24493
vendor-name=Symantec
application-id=5
application-name=HIPS
attribute-id=32768
attribute-name=Software-Name
attribute-profile=in out
attribute-type=string

[attr#1]
vendor-id=24493
vendor-name=Symantec
application-id=5
application-name=HIPS
attribute-id=32769
attribute-name=Version
attribute-profile=in out
attribute-type=version

[attr#2]
vendor-id=24493
vendor-name=Symantec
application-id=5
application-name=HIPS
attribute-id=32770
attribute-name=Policy-Name
attribute-profile=in out
attribute-type=string

[attr#3]
vendor-id=24493
vendor-name=Symantec
application-id=5
application-name=HIPS
attribute-id=32771
attribute-name=Policy-ID
attribute-profile=in out
attribute-type=string

[attr#4]
vendor-id=24493
vendor-name=Symantec
application-id=5
application-name=HIPS
attribute-id=32772
attribute-name=Policy-Revision
attribute-profile=in out
attribute-type=string

[attr#5]
vendor-id=24493
vendor-name=Symantec
application-id=5
application-name=HIPS
attribute-id=32773
attribute-name=Policy-Type
attribute-profile=in out
attribute-type=unsigned integer

[attr#6]
vendor-id=24493
vendor-name=Symantec
application-id=5
application-name=HIPS
attribute-id=32774
attribute-name=Policy-Update-Time
attribute-profile=in out
attribute-type=date
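When sections are deleted from the AVP file by hand, a half-removed section or a reused attribute-id is easy to miss before the import into ACS. The PowerShell below is an added example, not part of the guide or of Cisco ACS: it parses the listing, reports incomplete or conflicting sections, and writes out only the attributes you choose. The function names and the [attr#7] section are constructed; section numbers are left unchanged because the guide only says to delete sections.

```powershell
# Added example, not from the guide: validate an AVP file and keep chosen attributes.
# Function names are made up here; key names and values come from the listing above.
# Needs Windows PowerShell 5.0 or later (uses ::new()).
$RequiredKeys = 'vendor-id', 'vendor-name', 'application-id', 'application-name',
                'attribute-id', 'attribute-name', 'attribute-profile', 'attribute-type'

function ConvertFrom-AvpText {
    param([Parameter(Mandatory)][string]$Text)
    $sections = [System.Collections.Generic.List[object]]::new()
    $current  = $null
    foreach ($raw in ($Text -split '\r?\n')) {
        $line = $raw.Trim()
        if ($line -eq '') { continue }
        if ($line -match '^\[(attr#\d+)\]$') {
            $current = [pscustomobject]@{ Name = $Matches[1]; Pairs = [ordered]@{} }
            $sections.Add($current)
        }
        elseif ($null -ne $current -and $line -match '^([^=]+)=(.*)$') {
            $key = $Matches[1].Trim()
            if ($current.Pairs.Contains($key)) { throw "$($current.Name): '$key' appears twice" }
            $current.Pairs[$key] = $Matches[2].Trim()
        }
        else { throw "Not an [attr#N] header or a key=value line inside a section: '$line'" }
    }
    $sections.ToArray()
}

function Test-AvpSection {
    param([Parameter(Mandatory)][object[]]$Sections)
    $seenIds = @{}
    foreach ($s in $Sections) {
        foreach ($key in $RequiredKeys) {
            if ((-not $s.Pairs.Contains($key)) -or ($s.Pairs[$key] -eq '')) { "$($s.Name): missing $key" }
        }
        $id = $s.Pairs['attribute-id']
        if ($id -and $seenIds.ContainsKey($id)) { "$($s.Name): attribute-id $id already used by $($seenIds[$id])" }
        elseif ($id) { $seenIds[$id] = $s.Name }
    }
}

function Select-AvpAttribute {
    param([Parameter(Mandatory)][object[]]$Sections, [Parameter(Mandatory)][string[]]$Keep)
    $names   = @($Sections | ForEach-Object { $_.Pairs['attribute-name'] })
    $unknown = @($Keep | Where-Object { $names -notcontains $_ })
    if ($unknown.Count -gt 0) { throw "Not defined in the AVP file: $($unknown -join ', ')" }
    $Sections | Where-Object { $Keep -contains $_.Pairs['attribute-name'] }
}

function ConvertTo-AvpText {
    param([Parameter(Mandatory)][object[]]$Sections)
    $lines = foreach ($s in $Sections) {
        "[$($s.Name)]"
        foreach ($key in $s.Pairs.Keys) { "$key=$($s.Pairs[$key])" }
        ''
    }
    $lines -join "`r`n"
}

# Sample input: attr#0 and attr#1 are copied from the listing; attr#7 is constructed
# and deliberately broken (reused attribute-id, attribute-type deleted).
$sample = @'
[attr#0]
vendor-id=24493
vendor-name=Symantec
application-id=5
application-name=HIPS
attribute-id=32768
attribute-name=Software-Name
attribute-profile=in out
attribute-type=string
[attr#1]
vendor-id=24493
vendor-name=Symantec
application-id=5
application-name=HIPS
attribute-id=32769
attribute-name=Version
attribute-profile=in out
attribute-type=version
[attr#7]
vendor-id=24493
vendor-name=Symantec
application-id=5
application-name=HIPS
attribute-id=32769
attribute-name=Constructed-Duplicate
attribute-profile=in out
'@

$parsed = @(ConvertFrom-AvpText -Text $sample)
'Problems:'
@(Test-AvpSection -Sections $parsed)
'Trimmed file:'
ConvertTo-AvpText -Sections @(Select-AvpAttribute -Sections $parsed -Keep 'Software-Name', 'Version')
```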
