For SEE Client Administrators

For IT Professionals, with picture of swiss army knife

A safeFor Symantec Endpoint Encryption (SEE) Client Administrators

Symantec Endpoint Encryption software provides advanced data and file encryption for desktops, laptops, and removable storage devices. It offers scalable, enterprise-wide security that prevents unauthorized access by using strong access control and powerful encryption. SEE provides a central management console, enabling safe, central deployment and management of encryption to endpoints. [SEE Data Sheet/Overview]

The following FAQ covers the role of the client admin, basic points of installation, general use, and troubleshooting. Should you have other questions to add to the list, please contact us at ISG@brown.edu.

» What is the role of the client administrator?
» How can I apply to become a client admin?
» How are client admin accounts managed?
» Are all client admins at same level of access?
» Where can I find client admin documentation?
» Is there written documentation I can refer my users to?
» What's entailed in the installation process?
» How do the Windows & Mac experiences differ for this process?
» Will SEE work with File Vault on a Mac that is encrypted or desktop that is?
» Questions about setting up more than one user on one laptop
» How are users removed? Example, if a user is at home with machine?
» Will changes to a Brown network password also change the SEE password?
» With all the possible complications due to servicing and people traveling abroad for extended periods of time, what precautions should my users take?
» Considering all the caveats, should we try this in our department anyway?
» If a person whose laptop is going to be encrypted has NOT taken the Protecting Brown Information class, should they be encouraged to do so?
» When is the Help Desk available to provide support?
» Resources

Q. What is the role of the client administrator?
A. Client Admins provide support to all SEE users. In addition to installing SEE, Client Admins can sign-in users who forget their SEE password, decrypt drives before traveling overseas if necessary (depending upon the country being visited), and boot encrypted machines in Safe Mode. Note that ALL registered users can boot into Safe Mode, not just Client Admins.

N.B.: Client Administrators cannot use Single Sign-On.

Q. How can I apply to become a client admin?
A. Due to some of the complexities associated with this role, CIS requires that client admins attend a training session before being set up as a client admin. To initiate this process, complete an access request form using Remedy, selecting "Symantec Endpoint Encryption" from the Request Access dropdown list and specifying "Client Administrator" for the role. You will then be contacted by a CIS staff person to arrange for the training and, upon successful completion of it, creation of your client admin account.

Q. How are client admin accounts managed?
A. Client admin accounts are created and maintained from the SEE Manager by the Policy Administrators. Client admin accounts are managed entirely by SEE, independent of operating system or directory service, allowing client admins to support a wide range of users.

Since client admin credentials are managed from the manager console, they cannot be changed at the Client Computer. This single-source credential management allows client admins to remember only one set of credentials as they move among many users' computers.

Each Client Computer must have one default client admin account, which has all administrative privileges and authenticates using a password. Only client admins who authenticate with a password and have all administrative privileges can perform hard disk recovery.

Q. Are all client admins at same level of access?
A. Yes. All client admins all have same access. This allows any client administrator to help any SEE user.

Q. Where can I find client admin documentation?
A. There is a detailed guide available on the Symantec site for SEE Full Disk Edition, v8.2.0.

Q. Is there written documentation I can refer my users to?
A. Yes, users guides from Symantec can be found at Windows and Mac OS X.

Q. What's entailed in the installation process?
A. See the IT Administrators Guide developed by Software Services for full details. Note that as part of the user registration process:

  • Recommend to users that they take the precaution to backup their laptops before the installation as well as regularly thereafter as a disk crash -- whether during or after the installation -- renders the drive inoperable and data recovery is no longer possible.
  • Advise the user to be aware of the effects of encryption and the resulting care that must be taken if any repairs are necessitated (see below), referring them to the list found on the SEE FAQ page. Recommend that they back-up their laptop before the installation as well as regularly thereafter.
  • Affix an ALERT tag to the front of the outside of the laptop, bottom left. Note: Alert tags are available from the CAP, ITSC and ISG.
  • Let the user know that the encryption process can take up to 8 or more hours to complete depending on the volume of data stored on your hard drive. The process can run in the background and be stopped and started.

Q. How do the Windows & Mac experiences differ for this process?
A. The Windows experience is more 'integrated', it will automatically prompt new users to create SEE accounts.

Q. Will SEE work with File Vault on a Mac that is encrypted or desktop that is?
A. Yes, but it adversely affects performance. Users are advised to choose one encryption scheme that meets their needs and satisfies legal requirements.

Questions about setting up more than one user on one laptop

Q. Can you have multiple SEE users on one machine?
A. Yes, as many as you want.

Q. How do you add users to an already encrypted laptop?
A. On Windows, log in once as that user and you should be prompted to register that account. On Macs, you manually manage the list of users.

Q. Do users all have to be registered at the same time?
A. No, they can be registered on an "as needed" basis.

Q. How does this affect the login? For example, if one user is already registered and a second one is being added, how do you do this?
A. You will need the initial user to pass the SEE screen until the new user registers their own account, then either user can login with their own credentials.

Q. What are recommended procedures for client admins with multiple users? (Or even singles)
A. The important thing is to not let users travel before they have registered with SEE and confirmed that they have access.

Q. How are users removed? Example, if a user is at home with machine?
A. Client administrators must manually decrypt the computer and uninstall the product.

Q. Will changes to a Brown network password also change the SEE password?
A. No. If the Brown credential password is changed and the user wants them to be the same, they will need to change the SEE one as well.

Q. With all the possible complications due to servicing and people traveling abroad for extended periods of time, what precautions should my users take?
A. When traveling abroad with an encrypted laptop, advise them to review the information on Brown's International Travel pages, which includes details on registering with "International SOS." Also make sure that an ALERT label has been affixed to their laptop, which warns anyone to contact the Help Desk before attempting any repair service.

Q. Considering all the caveats, should we try this in our department anyway?
A. SEE isn't right for everyone. It may be best to travel with a laptop free of any information needing protection (advisable for some countries that don't allow encrypted computers past customs). However, if it is the best solution for you, don't be intimidated. If you follow best practices you should not have any issues. Problems are usually due to user error and not the software.

Q. If a person whose laptop is going to be encrypted has NOT taken the Protecting Brown Information class, should they be encouraged to do so?
A. Definitely. Advise them of the online version, which can be done quickly at their convenience. Send an email to PBI_Online@brown.edu to request access.

Q. When is the Help Desk available to provide support?
A. The Help Desk is available during regular business hours (EST). If you plan on traveling and may need assistance off-hours, be sure to have the contact information of the IT support person who installed SEE on your computer.

Resources