PGP™ Remote Disable and Destroy Configuration Guide 10.2


The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Version 10.2.0. Last updated: December 2011.

Legal Notice Copyright (c) 2011 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, PGP, Pretty Good Privacy, and the PGP logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement. Symantec Corporation, 350 Ellis Street, Mountain View, CA 94043. Symantec Home Page (http://www.symantec.com). Printed in the United States of America. 10 9 8 7 6 5 4 3 2 1


Contents

Introducing PGP Remote Disable and Destroy 1
    About PGP Remote Disable and Destroy 1
    Components of PGP RDD 1
    How PGP RDD Works 1
    About PGP RDD Client Anti-Theft States 2

Installation Considerations 5
    Planning Your Network Architecture 5
        Considerations When Using Multiple PGP Universal Servers 5
    Enabling or Disabling PGP RDD in the PGP Universal Server 5
    Ports Used by the PGP RDD Service 6
        Modifying PGP RDD Ports 6
    System Requirements 7
        Symantec Products 7
        Server Software 7
    About PGP Remote Disable & Destroy Licenses 7
    Licensing PGP RDD with Intel Anti-Theft 8

About Deploying PGP RDD on Client Systems 9
    About the PGP RDD Deployment Process 9
    About AT Activated Client Systems 10
    Deploying PGP RDD on Client Systems 11
    Software Requirements for Client Systems 11
    Drivers and BIOS Requirements for Client Systems 12
    Hardware Requirements for Client Systems 12

Accessing PGP RDD on the PGP Universal Server 13
    Accessing PGP RDD 13
    Displaying PGP RDD Data 13
    About Intel Anti-Theft Status 13
        Decommissioned 14
        AT Deactivated 15
        Stolen 15
    Changing a Computer's Status 15
    Exporting PGP RDD System Information 16

Working with Stolen Systems 17
    About Stolen Client Systems 17
    Recovering a Stolen Client System 17
        Identifying the Initial Screen at Power On 18
        Recovering Using the Intel BIOS Recovery Screen 18
        Recovering Using the PGP BootGuard Screen 19

Setting PGP RDD Policy 21
    Enabling PGP RDD in a Consumer Policy 21
    Understanding the Difference Between Consumer and PGP RDD Policies 21
        About Consumer Policies 22
        About PGP RDD Policies 22
    Applying Consumer Policy to Consumer Groups 23
    Setting a PGP RDD Policy 23
    About the PGP RDD Rendezvous 24
        Considerations When Configuring Rendezvous Intervals 25
    About PGP RDD Timers 25
        Considerations When Setting Your PGP RDD and Consumer Policies 27
    Setting a PGP RDD Timer 27

About Decommissioning a Computer 29
    Recovering a Decommissioned Client System 29
    About Decommissioned Computers 30
    Decommissioning a PGP RDD-Enabled Client System 30
    About AT Deactivated Client Systems 31
    Deactivating a Client System 31

Working with PGP RDD Administrator Roles 33
    About PGP RDD Administrator Roles 33
    Assigning Roles 34


Introducing PGP Remote Disable and Destroy

About PGP Remote Disable and Destroy

PGP Remote Disable and Destroy from Symantec™ powered by Intel® Anti-Theft Technology (PGP RDD) provides a security solution for lost, stolen, or decommissioned computers.

PGP RDD addresses the need to keep data secure in mobile environments and to comply with increasingly stringent data security and privacy regulations, using the latest Intel AT technology. PGP RDD offers corporate users the option to activate PGP Universal Server's security service and manage hardware-based, client-side intelligence to secure the notebook and/or its data if the notebook is lost or stolen. If a client system is lost or stolen, you can remotely disable it or disable access to its data, and you can securely decommission client systems.

Components of PGP RDD

The following items are part of the overall PGP RDD installation:

PGP Universal Server. The administrative server used to manage client systems.

Intel Content License Server (ICLS). The ICLS permit licensing server is the activation site at Intel where client installations are tracked.

Managed PGP Desktop client system with PGP Whole Disk Encryption installed. Once PGP RDD policies are applied and the system is encrypted, the client system then becomes PGP RDD-enabled.

How PGP RDD Works

You deploy PGP RDD to clients you have specified in PGP Universal Server as part of a particular consumer group. For that consumer group, you create a policy that enables PGP RDD with Intel Anti-Theft Technology. You then create a PGP Desktop client installer that uses the policy.

A user installs the PGP Desktop client and enrolls with the PGP Universal Server using the method you choose. The client computer is then encrypted with PGP Whole Disk Encryption. During this process, the client receives the policy from PGP Universal Server that enables PGP RDD. PGP RDD in turn activates the Intel Anti-Theft Technology on that client, and the encrypted client moves to a state known as “AT Activated.” This is the normal operating state for a PGP RDD-enabled client. This state is transparent to the user. The client system operates normally and is protected.


PGP Universal Server then monitors PGP RDD-enabled clients through regular periodic contact between server and client. This contact refreshes the theft status of the computer and is known as a rendezvous. A successful rendezvous indicates to the server that a client is online and controlled by the authorized user.

After a missed rendezvous, a timer begins counting down to disable the system. If the client fails to rendezvous successfully before the timer expires, the client is automatically flagged on the server as “Stolen.” The client is locked down until the user or administrator unlocks the system and returns it to an “AT Activated” state.

Security for the system is local: the computer is disabled when the timers expire, whether or not it has been put online. This thwarts a common laptop-theft strategy of keeping the stolen computer offline. Security is also hardware-based, preventing use of the system even if its hard drive is replaced.

See About Deploying PGP RDD on Client Systems (on page 9).

See Enabling PGP RDD in a Consumer Policy (on page 21).

See About the PGP RDD Rendezvous (on page 24).

See About PGP RDD Timers (on page 25).

See Setting a PGP RDD Policy (on page 23).

See Setting a PGP RDD Timer (on page 27).

About PGP RDD Client Anti-Theft States

A PGP RDD-enabled client is always in one of the following states:

AT Activated client systems are clients with PGP RDD currently activated, and which are not marked stolen. This is the normal state for a PGP RDD-enabled client.

AT Deactivated client systems do not have PGP RDD-enabled consumer policies or do not support Intel Anti-Theft technology.

Stolen client systems are those marked stolen by the administrator or affected when the Disable Timer expired and the Platform Disable policy triggered. Stolen computers are locked and cannot be unlocked without assistance from the administrator.

Unsupported client systems do not support Intel Anti-Theft Technology.

Note: Computers that do not support Intel Anti-Theft and do not have PGP RDD-enabled consumer policies may be listed as AT Deactivated, instead of Unsupported.

Decommissioned computers are still encrypted, but the status is AT Deactivated. These computers are listed on the RDD Systems > Deactivated page, but they are no longer protected by Intel Anti-Theft. Use this option when your organization removes computers from active use, but still wants to protect the data. For example, if the organization plans to give away or sell the computers to someone who will not have access to PGP Universal Server.

See About Intel Anti-Theft Status (on page 13).

See Displaying PGP RDD Data (on page 13).

See Deactivating a Client System (on page 31).

See About Stolen Client Systems (on page 17).
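The rendezvous, Disable Timer and state descriptions above can be followed more concretely with a small simulation. The following Python model is an added example written for this page; it is not PGP Universal Server or PGP Desktop code, and the 24-hour rendezvous interval, 8-hour Disable Timer, client name and hour-based clock are constructed values. It shows a client staying AT Activated while it rendezvous on time, locking and being flagged Stolen when a missed rendezvous lets the timer run out, and why a status change made by the administrator stays pending (and therefore cannot prevent a lockout) until the client actually completes a rendezvous.

```python
"""Simulation of the PGP RDD rendezvous and Disable Timer behaviour.

Added example for this page, not PGP Universal Server or PGP Desktop code.
The clock runs in simulated hours; interval, timer and client name are
constructed values.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class State(Enum):
    AT_ACTIVATED = "AT Activated"        # normal, protected operating state
    STOLEN = "Stolen"                    # platform disabled, needs admin recovery
    DECOMMISSIONED = "Decommissioned"    # Intel AT deactivated, disk still encrypted


@dataclass
class ClientRecord:
    """Server-side record of one PGP RDD-enabled client (constructed model)."""
    name: str
    rendezvous_interval: float                 # hours between scheduled rendezvous
    disable_timer: float                       # grace period after a missed rendezvous
    state: State = State.AT_ACTIVATED
    pending: Optional[State] = None            # admin change awaiting the next rendezvous
    last_rendezvous: float = 0.0               # hour of the last successful contact
    history: list[tuple[float, str]] = field(default_factory=list)

    def next_due(self) -> float:
        return self.last_rendezvous + self.rendezvous_interval

    def admin_set_status(self, new_state: State, now: float) -> None:
        # A change made in the server UI shows as "pending" until the client
        # next completes a rendezvous and picks it up.
        self.pending = new_state
        self.history.append((now, f"admin set {new_state.value} (pending)"))

    def rendezvous(self, now: float) -> None:
        # Successful contact: apply any pending status, refresh the theft
        # status, and restart the rendezvous schedule from now.
        if self.pending is not None:
            self.state, self.pending = self.pending, None
        self.last_rendezvous = now
        self.history.append((now, f"rendezvous ok, state {self.state.value}"))

    def tick(self, now: float) -> None:
        # The Disable Timer runs locally on the client and starts when a
        # scheduled rendezvous is missed. On expiry the platform is disabled
        # and the server flags the client as Stolen. Decommissioned clients
        # are no longer protected by Intel AT, so the timer does not apply.
        if self.state is State.AT_ACTIVATED and now >= self.next_due() + self.disable_timer:
            self.state = State.STOLEN
            self.history.append((now, "Disable Timer expired, platform disabled, Stolen"))

    def locked_at(self) -> Optional[float]:
        """Hour at which the platform was disabled, or None if it never was."""
        for hour, msg in self.history:
            if msg.startswith("Disable Timer expired"):
                return hour
        return None


def simulate(client: ClientRecord, online: Callable[[float], bool], horizon: float,
             admin_actions: Optional[dict[float, State]] = None) -> ClientRecord:
    """Advance the simulated clock one hour at a time up to `horizon` inclusive."""
    admin_actions = admin_actions or {}
    now = 0.0
    while now <= horizon:
        if now in admin_actions:
            client.admin_set_status(admin_actions[now], now)
        if client.state is not State.STOLEN and now >= client.next_due():
            if online(now):
                client.rendezvous(now)      # on time, or late but before lockout
            elif now == client.next_due():
                client.history.append((now, "rendezvous missed, Disable Timer running"))
        client.tick(now)                    # a locked client stays locked (recovery not modelled)
        now += 1.0
    return client


def scenario(offline_from: Optional[float] = None, offline_until: Optional[float] = None,
             admin_actions: Optional[dict[float, State]] = None,
             interval: float = 24.0, timer: float = 8.0, horizon: float = 72.0) -> ClientRecord:
    """Run one constructed client through an optional offline window."""
    def online(now: float) -> bool:
        if offline_from is None or now < offline_from:
            return True
        return offline_until is not None and now >= offline_until

    return simulate(ClientRecord("laptop-01 (constructed)", interval, timer), online, horizon, admin_actions)


if __name__ == "__main__":
    cases = {
        "always online": scenario(),
        "offline from hour 20, never returns": scenario(offline_from=20.0),
        "offline hours 20-27, back at 28": scenario(offline_from=20.0, offline_until=28.0),
        "decommissioned at hour 10, online": scenario(admin_actions={10.0: State.DECOMMISSIONED}),
        "decommissioned at hour 10, offline from 20": scenario(
            offline_from=20.0, admin_actions={10.0: State.DECOMMISSIONED}),
    }
    for title, rec in cases.items():
        print(f"== {title}: final state {rec.state.value}, locked at {rec.locked_at()}")
        for hour, msg in rec.history:
            print(f"   h{hour:5.1f}  {msg}")
```

The last case is the one worth noticing operationally: an administrator who decommissions a laptop that is already out of contact has only set a pending status, and the client still locks when its Disable Timer expires. Recovery of a Stolen system (the Intel BIOS recovery screen and PGP BootGuard procedures in the Working with Stolen Systems chapter) is deliberately not modelled, so the simulation stops at lockout.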


Installation Considerations

Planning Your Network Architecture

When planning your deployment, keep the following points in mind:

The main consideration when planning your deployment of PGP RDD is that the client systems must be able to communicate with the server at their scheduled rendezvous. Missing the rendezvous could lead to locked client systems.

Your PGP Universal Server must be able to communicate with the Intel Content License Server. Disruption in communication can lead to activation failures.

Considerations When Using Multiple PGP Universal Servers

To balance requests across multiple servers, Symantec recommends that you use load balancing on your servers. This ensures that all servers participate in processing the load.

When PGP RDD-enabled client computers enroll or perform a rendezvous, they exchange 30 to 40 request and response pairs. Because server replication introduces a delay, all of these requests must be handled and processed by the same server. Your load balancer must be configured so that the same client's requests are processed by the same server for a certain period of time. This is called load balancing stickiness.

Symantec recommends that the stickiness period be long enough (for example 24 hours, assuming the replication delay is less than 24 hours) to route all of one client's requests to the same server.
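To see why the guidance above insists on stickiness that outlasts the replication delay, here is a toy model of the exchange. It is an added example for this page, not Symantec's code or any real load balancer's; the three server names, the 60-second replication delay, the 35 request/response pairs per rendezvous and the stickiness lifetimes are constructed values. Each request in a rendezvous is assumed to depend on state written by the previous response, which is what the "same server" requirement implies.

```python
"""Toy model of why PGP RDD rendezvous traffic needs sticky load balancing.

Added example for this page, not Symantec's code or any real load balancer's.
Server names, the replication delay, the request count and stickiness
lifetimes are constructed values. Each request in an exchange is assumed to
depend on state written by the previous response.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Cluster:
    """Several PGP Universal Servers whose state replicates with a delay."""
    servers: list[str]
    replication_delay: float                     # seconds until a write is visible elsewhere
    writes: list[tuple[str, int, str, float]] = field(default_factory=list)  # (client, step, origin, t)

    def latest_visible_step(self, server: str, client: str, now: float) -> int:
        # A server sees its own writes at once and other servers' writes only
        # after the replication delay has elapsed.
        best = 0
        for c, step, origin, t in self.writes:
            if c == client and (origin == server or now >= t + self.replication_delay):
                best = max(best, step)
        return best

    def handle(self, server: str, client: str, step: int, now: float) -> bool:
        """Accept request `step` only if this server can see step-1 for the client."""
        if self.latest_visible_step(server, client, now) != step - 1:
            return False
        self.writes.append((client, step, server, now))
        return True


class Balancer:
    """Round-robin balancer with optional client affinity ("stickiness")."""

    def __init__(self, cluster: Cluster, sticky_ttl: Optional[float]):
        self.cluster = cluster
        self.sticky_ttl = sticky_ttl                       # None = no stickiness
        self.rr = 0
        self.affinity: dict[str, tuple[str, float]] = {}   # client -> (server, expires)

    def _next_server(self) -> str:
        server = self.cluster.servers[self.rr % len(self.cluster.servers)]
        self.rr += 1
        return server

    def route(self, client: str, now: float) -> str:
        if self.sticky_ttl is None:
            return self._next_server()
        entry = self.affinity.get(client)
        if entry is None or now >= entry[1]:
            # New or expired affinity: assign a server and pin it for the TTL.
            entry = (self._next_server(), now + self.sticky_ttl)
            self.affinity[client] = entry
        return entry[0]


def rendezvous(balancer: Balancer, cluster: Cluster, client: str, start: float,
               steps: dict[str, int], pairs: int = 35, gap: float = 0.2) -> Optional[int]:
    """Run one rendezvous of `pairs` sequential requests `gap` seconds apart.

    Returns None if the whole exchange succeeds, otherwise the 1-based number
    of the request that reached a server lacking the client's latest state.
    """
    for i in range(pairs):
        now = start + i * gap
        step = steps[client] + 1
        server = balancer.route(client, now)
        if not cluster.handle(server, client, step, now):
            return i + 1
        steps[client] = step
    return None


def demo() -> dict[str, Optional[int]]:
    names = ["pgp-universal-1", "pgp-universal-2", "pgp-universal-3"]   # constructed
    results: dict[str, Optional[int]] = {}

    # 1. No stickiness: request 2 lands on a server that has not yet received
    #    the state written by request 1, so the exchange breaks immediately.
    cluster = Cluster(names, replication_delay=60.0)
    results["round_robin"] = rendezvous(Balancer(cluster, None), cluster, "laptop-A", 0.0, {"laptop-A": 0})

    # 2. 24-hour stickiness (longer than the replication delay): the exchange
    #    and the next rendezvous an hour later both stay on the same server.
    cluster, steps = Cluster(names, replication_delay=60.0), {"laptop-A": 0}
    lb = Balancer(cluster, sticky_ttl=24 * 3600.0)
    results["sticky_24h_first"] = rendezvous(lb, cluster, "laptop-A", 0.0, steps)
    results["sticky_24h_second"] = rendezvous(lb, cluster, "laptop-A", 3600.0, steps)

    # 3. Stickiness (30 s) shorter than the replication delay (60 s): the first
    #    exchange is fine, but a rendezvous 45 s later is re-pinned to a server
    #    whose copy of the client's state is still stale.
    cluster, steps = Cluster(names, replication_delay=60.0), {"laptop-A": 0}
    lb = Balancer(cluster, sticky_ttl=30.0)
    results["sticky_30s_first"] = rendezvous(lb, cluster, "laptop-A", 0.0, steps)
    results["sticky_30s_rerouted"] = rendezvous(lb, cluster, "laptop-A", 45.0, steps)
    return results


if __name__ == "__main__":
    for name, failed_at in demo().items():
        verdict = "ok" if failed_at is None else f"failed at request {failed_at}"
        print(f"{name:22s} {verdict}")
```

The third case is the one the recommendation guards against: stickiness only helps if a client cannot be re-assigned to another server before that server has caught up on replication, which is why the stickiness period must be longer than the replication delay rather than merely longer than one exchange.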

Enabling or Disabling PGP RDD in the PGP Universal Server

The PGP RDD service is enabled by default.

Warning: If you disable the PGP RDD service while you have AT-Activated computers, the computers will not be able to rendezvous successfully and will eventually lock when the Disable Timer expires.

To enable or disable PGP RDD

1 Log in to the PGP Universal Server administrative interface.

2 Select Services > PGP RDD.

3 Do one of the following:

To enable PGP RDD, click Enable. The text Intel® Anti-Theft Technology is enabled is displayed in the page.

To disable PGP RDD, click Disable. The text Intel® Anti-Theft Technology is disabled is displayed in the page.

Ports Used by the PGP RDD Service

The PGP RDD service is enabled by default.

Warning: If you disable the PGP RDD service while you have Intel AT-activated computers, the computers will not be able to rendezvous successfully and will eventually lock when the Disable Timer expires.

The service requires the following ports to be open.

The Intel Anti-Theft Technology Services Port is used for communication between PGP Universal Server and the anti-theft service. External access to this port is not required.

The ICLS URL and Port sets the ICLS (Intel Content License Server) URL and port. The ICLS permit server is the activation site at Intel where client installations are tracked. Do not change the default settings unless Symantec Corporation notifies you that it is necessary. You can test the connection to the ICLS from the Options page (PGP Remote Disable & Destroy Administration > Configuration > Options).

PGP Universal Server and PGP RDD-enabled client system communication uses the same HTTPS port as you use to access the administrative console (port 9000 by default).

Modifying PGP RDD Ports

To modify PGP RDD settings

1 Log into the administrative interface.

2 Select Services > PGP RDD.

3 To enable PGP RDD, click Enable. The text Intel® Anti-Theft Technology is enabled is displayed in the page.

4 To modify the Intel Anti-Theft Technology Services Port, or the ICLS URL or Port, click Edit.

5 Make the necessary changes, and click Save.

System Requirements

PGP RDD can only be used with managed PGP Desktop with PGP Whole Disk Encryption installations.

Caution: To support PGP RDD, the client and PGP Universal Server must be able to contact each other. Do not activate PGP RDD on a computer that will never contact PGP Universal Server, because the computer will lock.

Symantec Products

PGP Whole Disk Encryption (PGP WDE)

PGP Universal Server

PGP Remote Disable & Destroy with Intel Anti-Theft Technology

Server Software

Linux (CentOS 5.3)

Servlet Container (Tomcat)

Spring Framework

JDK 1.6

Valid SSL Certificate. This certificate is provided by Symantec.

Working connection to Intel ICLS Servers.

About PGP Remote Disable & Destroy Licenses

Licensing PGP Remote Disable & Destroy with Intel Anti-Theft Technology requires three things:

PGP Universal Server license. Intel Anti-Theft Technology is automatically included with the PGP Universal Server license.

PGP Remote Disable & Destroy with Intel Anti-Theft Technology license file. You must purchase this license separately from your PGP Universal Server.

This human-readable XML file shows the number of seats purchased, the start and end dates of the subscription period, and the license serial number. The license expires at the end of the subscription period. If the license expires, activated systems are not affected and continue to be protected. When you view the license history for an expired license, the entry shows that there are no seats available on that license.

You can have more than one active license at a time. When you upload a new license, it does not replace existing licenses; instead, they are cumulative.


PGP Universal Server does not enforce the license seat count: it is possible to activate more computers than your license permits. The number of activated computers is, however, registered by the ICLS.

Activation file. This encrypted activation file is included when you purchase the PGP RDD license file.

The activation file registers your license, and enables the ICLS to monitor how many Intel Anti-Theft-activated computers you have. PGP Universal Server sends no information directly to Symantec Corporation.

Licensing PGP RDD with Intel Anti-Theft

When you purchased a license for PGP RDD, you received two Symantec license files with the file extension .slf.zip:

[name1].slf.zip

[name2].slf.zip

For example, the files are named 2230672.slf.zip and 2230673.slf.zip. These files are uploaded to your PGP Universal Server so you can license PGP RDD.

To apply the license and activation files

1 From the PGP RDD interface, select Configuration > Options.

2 Click Browse to locate the license file you want to upload.

3 Click Browse to locate the activation file you want to upload. You must have both the license and the activation file. Make sure to select the correct activation file for the license you are uploading.

4 Click Upload License File to upload the license and activation files.

5 Click Save.

To test the connection between the PGP Universal Server and the ICLS

1 From the PGP RDD interface, select Configuration > Options.

2 Click Test Permit Server Connection. A message confirms whether or not the server is reachable.

About Deploying PGP RDD on Client Systems

On systems that include Intel Anti-Theft Technology, enabling PGP RDD consists of installing PGP Desktop, enrolling to a PGP Universal Server, and encrypting the disk. All other functions of PGP RDD are managed by the PGP Universal Server.

PGP RDD can only be used with managed PGP Desktop with PGP Whole Disk Encryption installations.

Caution: To support PGP RDD, the client and PGP Universal Server must be able to contact each other. Do not activate PGP RDD on a computer that will never contact PGP Universal Server, because the computer will lock.

About the PGP RDD Deployment Process

To roll out PGP RDD in your enterprise, you will perform the following tasks:

Step 1: On the PGP Universal Server, enable PGP RDD.

PGP RDD is a service that you must enable. See Enabling or Disabling PGP RDD in the PGP Universal Server (on page 5).

Step 2: Enter the PGP RDD License and Activation Key.

The Intel Anti-Theft (Intel AT) license is an AT permit that is stored on PGP Universal Server in the database. The license is obtained from the Intel Licensing Server during enrollment of PGP RDD client systems and is pushed to the client system. The permit is different for each PGP RDD-enabled computer.

See License PGP RDD with Intel AT (see "About PGP Remote Disable & Destroy Licenses" on page 7, "Licensing PGP RDD with Intel Anti-Theft" on page 8).

Step 3: Define the Intel Anti-Theft Technology Services Ports.

The ports are used for communication between PGP Universal Server and the Anti-Theft service, as well as between the Intel Content License Server and the client systems. See Ports Used by the PGP RDD Service (on page 6).

Step 4: Create one or more consumer groups for PGP RDD users.

Multiple consumer groups (Executives, IT, Marketing) can receive the same PGP RDD-enabled consumer policy, or you can enable PGP RDD for only a subset of your groups.

Step 5: Enable PGP RDD in a consumer policy.

PGP RDD is enabled through a Consumer Policy applied on the client. See Setting PGP RDD in Consumer Policies.

Step 6: Apply consumer policy to consumer groups.

Move specific users/groups to the PGP RDD policy. See Applying Consumer Policy to Consumer Groups (on page 23).

Step 7: Create a separate PGP Platform Disable policy for each consumer group.

Although multiple consumer groups can receive the same PGP RDD-enabled consumer policy, you can apply different PGP RDD policy settings to each group. The PGP Platform Disable policy is used to configure the specific timer values and the resulting actions to take when a computer misses a rendezvous.

Step 8: Create a PGP Desktop installer and provide it to users.

After you create the consumer policy, create a client installer. See the following sections in the PGP Universal Server Administrator's Guide:

    Understanding User Enrollment Methods

    Creating an Installer with Preset Policy

Step 9: Install PGP Desktop on client systems.

Users must have administrative rights to install PGP Desktop. Your users will:

    Locate the client installer application and double-click it.

    Follow the on-screen instructions.

    If prompted to do so, restart the client system.

Step 10: Enroll users through email or LDAP.

Enrollment is the binding of a client system to a PGP Universal Server. After a client is bound it receives feature policy information from the PGP Universal Server. Once enrolled, users are added to the RDD-enabled policy group.

Step 11: Encrypt the disk on the client system.

If specified by policy, encryption begins automatically.

Step 12: Verify the client system is activated.

    Log in to the PGP Universal Server administrative interface.

    Select Services > PGP RDD.

    Click Manage PGP RDD with Intel Anti-Theft Technology.

    Locate the client system and verify the status of the client system is Activated.

About AT Activated Client Systems

AT Activated systems are client systems on which Intel Anti-Theft is activated. These systems are connected to the network and are not marked Stolen. AT Activation starts automatically after the user enrolls and PGP WDE encrypts the disk. Intel Anti-Theft only activates with encryption at enrollment. Therefore, consumer policies that enable PGP RDD should also force disk encryption at installation.

If you have not selected auto-encryption, you can AT activate your client system by manually encrypting the disk.

Note: If you use PGP Whole Disk Encryption Command Line to begin encryption, Intel Anti-Theft will not activate.


The AT Activated status appears in the PGP Universal Server interface as Activated (pending) until the client system contacts PGP Universal Server at its next scheduled rendezvous. After a successful rendezvous, the status changes to AT Activated.

You cannot activate PGP RDD on a system that is already encrypted. You must decrypt the disk before switching a user from a policy that does not support PGP RDD to a policy that does. When the new policy forces re-encryption, Intel Anti-Theft activates.

When you recover a locked computer, you must first change the status from Stolen to AT Activated. For more information on laptop recovery, see Recovering Locked Systems.

You can change AT Activated computers to Decommissioned or Stolen. You can also change Stolen computers back to AT Activated as part of the recovery process. When you change the status, it appears as pending until the next time the computer completes a rendezvous.

Deploying PGP RDD on Client Systems

To deploy PGP RDD on client systems

1 Install PGP Desktop.

2 Enroll to PGP Universal Server using email or LDAP credentials.

3 Encrypt the disk.

Software Requirements for Client Systems

Client Software

Microsoft Windows XP (32-bit SP2, 64-bit SP3)

Microsoft Windows 7 (32-bit and 64-bit)

Microsoft Windows Vista (32-bit and 64-bit)

Intel Management Engine Chip

Note: The Intel Management Engine (ME) chip is not backward-compatible, so you cannot use the 7.x ME driver on a computer that requires the 6.x driver.

Computers with a 6.x driver should use the ME driver for Intel 5-series chipset-based boards.

Computers with a 7.x driver should use the ME driver for Intel 6-series chipset-based boards. The Intel ME driver installer works on XP, Vista, and Windows 7, 32-bit and 64-bit. The ME firmware driver is available from notebook vendors and from Intel's web site.

Drivers and BIOS Requirements for Client Systems

Required Drivers

Install the Intel MEI drivers for the client computer manufacturer. These drivers are on the installation disks if your computer is made by Hewlett Packard. You can also get the drivers from either the manufacturer's website or from Intel's website. Using the manufacturer's MEI drivers is recommended, but the drivers from Intel are also acceptable.

BIOS Support

The processors listed under Hardware Requirements for Client Systems support Intel AT most of the time, but not always. Check the BIOS to see if Intel AT is supported.

Intel AT functionality is usually turned on by default in the BIOS. If it is not turned on, you must turn it on manually. The process for turning on Intel AT in the BIOS differs from manufacturer to manufacturer. Contact Intel or technical support for your computer's manufacturer for more information.

Hardware Requirements for Client Systems

Hardware

Intel vPro Core i5 with Intel Anti-Theft Technology

Intel vPro Core i7 with Intel Anti-Theft Technology

2nd Generation Intel vPro Core i5 processor with Intel Anti-Theft Technology

2nd Generation Intel vPro Core i7 processor with Intel Anti-Theft Technology

Accessing PGP RDD on the PGP Universal Server

Accessing PGP RDD

You can view Intel Anti-Theft data for all the computers managed by the RDD policy.

To access PGP RDD

1 Log into the administrative interface.

2 Select Services > PGP RDD.

3 Click Manage PGP RDD with Intel Anti-Theft Technology.

4 Review the computers on the RDD Systems tab.

Displaying PGP RDD Data

To display PGP RDD data

1 Log into the administrative interface.

2 Select Services > PGP RDD.

3 Click Manage PGP RDD with Intel Anti-Theft Technology.

4 Click Configuration.

5 Under PGP Remote Disable & Destroy Report Fields, select the check boxes for the data you want to display.

6 Click Save.

7 On the RDD Systems page, click the buttons at the top of the page to display data for the specified computers.

About Intel Anti-Theft Status

The All Systems page displays information about all client computers, including each computer's Intel Anti-Theft status.

AT Activated are systems on which Intel Anti-Theft is currently activated. These systems are connected to the network and are not marked Stolen.


AT-Activation starts automatically after the user enrolls and PGP WDE encrypts the disk. Therefore, consumer policies that enable PGP RDD should also force disk encryption at installation.

The AT-Activated status appears in the PGP Universal Server interface as Activated (pending) until the client system contacts PGP Universal Server at its next scheduled rendezvous. After a successful rendezvous, the status changes to AT Activated.

You cannot activate PGP RDD on a system that is already encrypted. You must decrypt the disk before switching a user from a policy that does not support PGP RDD to a policy that does. When the new policy forces re-encryption, Intel Anti-Theft activates.

Make sure that consumer policies enable PGP Remote Disable & Destroy with Intel Anti-Theft Technology. If you have not selected auto-encryption, you can AT activate your client system by manually encrypting the disk.

The AT Activated status appears as pending until the computer contacts PGP Universal Server at the next scheduled rendezvous. When you recover a locked computer, you must first change the status from Stolen to AT Activated. For more information on recovery, see Recovering Locked Systems.

AT Deactivated are computers on which Intel Anti-Theft has been turned off. Deactivated computers are both decrypted and AT Deactivated. Computers that do not support Intel Anti-Theft and do not have PGP RDD-enabled consumer policies are also listed as AT Deactivated.

Stolen. Includes computers marked stolen by the administrator, and computers that locked when the Disable Timer expired and the Platform Disable policy triggered. Stolen computers are locked and cannot be unlocked without assistance from the administrator.

Unsupported. Computers that do not support Intel Anti-Theft Technology. Computers that do not support Intel Anti-Theft and do not have PGP RDD-enabled consumer policies may be listed as AT Deactivated, instead of Unsupported.

You can change AT Activated computers to Decommissioned or Stolen. You can also change Stolen computers back to AT Activated as part of the recovery process. When you change the status, it appears as pending until the next time the computer completes a rendezvous.

Decommissioned

Decommissioning a computer is the process of deactivating Intel AT while the disk remains encrypted. When necessary the administrator can decrypt it, reimage it, activate it, and encrypt the disk for a new user.

A PGP RDD-enabled client system can be decommissioned, for example, when an employee leaves the company, so that a license can be reused, and so that it can be stored with the secured data. If the client system is decommissioned, then it can be redeployed to another user either as a PGP RDD-enabled client system or a non PGP RDD system.

AT Deactivated. Deactivated computers are both decrypted and no longer protected by Intel Anti-Theft.

There are two ways to deactivate a computer.

Change the computer's consumer policy to one where PGP RDD is disabled, and disk encryption is not required. For this process to successfully deactivate the computer, PGP Tray must be running and the computer must be able to contact PGP Universal Server. Decrypt the computer. Decryption triggers Intel AT deactivation. If PGP Tray is not running or PGP Universal Server is not reachable, the computer is decrypted but remains activated. In this case, you must manually change the computer's status to Decommissioned. At the next rendezvous, Intel AT deactivates.

Disable Intel AT by changing the status to Decommissioned, and then decrypt it. Client computers cannot be decrypted while Intel Anti-Theft is still activated, if PGP RDD is still required by policy.

After the computer is deactivated, the license seat for that system can be reused.

Warning: You cannot delete users with Intel Anti-Theft-activated computers from the Users list, nor activated computers from the Devices list. When you delete users, all user records are lost. The next time the computer tries to rendezvous with PGP Universal Server, authentication fails and the computer locks. You will not be able to recover the laptop without the PGP RDD recovery passphrase, which is also deleted with the user records, unless you previously exported it. Before you delete an AT Activated user or device, you must deactivate and decrypt the computer.

Stolen. If a client system is marked Stolen in PGP Universal Server by the administrator, the Platform Stolen policy is triggered the next time the computer completes rendezvous or is restarted. For more information on the Platform Stolen policy, see About PGP RDD Policies (on page 22). The license seat for that system remains active and in use.

Changing a Computer's Status

To change a computer's status

1 Log in to the PGP Universal Server administrative interface.

2 Select Services > PGP RDD.

3 Click Manage Remote Disable & Destroy with Intel Anti-Theft Technology.

4 Select a new status from the drop-down menu.

The new status may appear as pending until the next time the computer completes rendezvous.

5 Click Save.
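The status values and transitions this chapter describes, as an added Python model (not Symantec code) that an administrator can use to reason about which changes the drop-down offers, when they take effect, and whether a user record is safe to delete. The class and method names, and the computer names used in the comments, are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Status values shown on the RDD Systems pages.
AT_ACTIVATED = "AT Activated"
AT_DEACTIVATED = "AT Deactivated"
STOLEN = "Stolen"
DECOMMISSIONED = "Decommissioned"
UNSUPPORTED = "Unsupported"

# Changes the administrator can request from the status drop-down.
ALLOWED = {AT_ACTIVATED: {DECOMMISSIONED, STOLEN}, STOLEN: {AT_ACTIVATED}}


@dataclass
class RddSystem:
    name: str                           # constructed computer name, e.g. "LT-0042"
    status: str = AT_ACTIVATED
    pending: Optional[str] = None       # requested status, applied at the next rendezvous
    encrypted: bool = True
    rdd_policy_enabled: bool = True     # consumer policy enables PGP RDD
    supports_intel_at: bool = True

    def displayed_status(self) -> str:
        """Hardware without Intel AT is listed as Unsupported, or as AT Deactivated
        when its consumer policy does not enable PGP RDD either."""
        if not self.supports_intel_at:
            return UNSUPPORTED if self.rdd_policy_enabled else AT_DEACTIVATED
        return f"{self.pending} (pending)" if self.pending else self.status

    def request_status(self, new_status: str) -> str:
        """Administrator picks a new status; it shows as pending until the client rendezvous."""
        if new_status not in ALLOWED.get(self.status, set()):
            raise ValueError(f"{self.status} -> {new_status} is not offered")
        self.pending = new_status
        return self.displayed_status()

    def rendezvous(self) -> str:
        """State changes are applied when the client completes a rendezvous."""
        if self.pending is not None:
            self.status, self.pending = self.pending, None
        return self.status

    def decrypt(self, pgp_tray_running: bool, server_reachable: bool) -> str:
        """Decrypt the disk.  Refused while Intel AT is activated and policy still requires
        PGP RDD, and while the system is locked as Stolen.  Completed decryption deactivates
        Intel AT only if PGP Tray is running and the server is reachable; otherwise the disk
        is decrypted but the system stays activated and must be decommissioned by hand."""
        if self.status == STOLEN:
            raise PermissionError("locked: complete the recovery process first")
        if self.status == AT_ACTIVATED and self.rdd_policy_enabled:
            raise PermissionError("disable PGP RDD by policy or decommission first")
        self.encrypted = False
        if self.status == DECOMMISSIONED:
            self.status = AT_DEACTIVATED        # Intel AT was already turned off
        elif self.status == AT_ACTIVATED and pgp_tray_running and server_reachable:
            self.status = AT_DEACTIVATED        # decryption triggered deactivation
        return self.status

    def safe_to_delete_user(self) -> bool:
        """Deleting the user of a still-activated computer destroys the records (recovery
        passphrase included) that the next rendezvous needs, so the computer locks.  Only a
        deactivated and decrypted system is safe to delete."""
        return self.status == AT_DEACTIVATED and not self.encrypted
```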

Exporting PGP RDD System Information

The PGP Remote Disable & Destroy (RDD) service logs actions on PGP Universal Server's Logs page. For more information, see System Logs.

Access data reports for PGP RDD directly from the PGP RDD interface, not from the PGP Universal Server Reporting or Graphs pages.

To export PGP RDD data

1 Open PGP RDD.

2 From Configuration > Options, select what data you want to appear in the systems pages. Possible reported data includes Computer Name, Name, Status, Policy Group, Last Date Connected, and Passphrase.

3 Click Save.

4 From RDD Systems, choose the set of systems for which you want information exported: All, Activated, Deactivated, Stolen, or Unsupported.

5 Click Export Data.

All the information on the systems page is exported into a CSV file. If you have permission to view recovery passphrases, the exported file will contain those passphrases. The passphrases are unencrypted plain text.
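Because the exported CSV carries recovery passphrases in plain text, an added Python helper (not part of the product) that masks the Passphrase column before the file is shared or archived. The column names follow the list in step 2; the rows in the sample are constructed.

```python
import csv
import io
from typing import Tuple

# Export column holding the recovery passphrase in plain text (present only when the
# exporting administrator has permission to view passphrases).
SENSITIVE_COLUMNS = {"Passphrase"}


def redact_rdd_export(csv_text: str, mask: str = "[REDACTED]") -> Tuple[str, int]:
    """Return a copy of an exported RDD systems CSV with every passphrase value masked,
    plus the number of non-empty passphrases that were in the file."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if not reader.fieldnames:
        return csv_text, 0
    targets = SENSITIVE_COLUMNS.intersection(reader.fieldnames)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    found = 0
    for row in reader:
        for col in targets:
            if row.get(col):
                found += 1
                row[col] = mask
        writer.writerow(row)
    return out.getvalue(), found


# Constructed sample with the columns listed in step 2; every value is invented.
SAMPLE_EXPORT = """Computer Name,Name,Status,Policy Group,Last Date Connected,Passphrase
LT-0042,Alice Example,AT Activated,PGP RDD Default policy,2011-12-05,example passphrase one
LT-0043,Bob Example,Unsupported,PGP RDD Excluded policy,2011-11-30,
"""

if __name__ == "__main__":
    redacted, count = redact_rdd_export(SAMPLE_EXPORT)
    print(f"masked {count} passphrase(s)")
    print(redacted)
```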

5 Working with Stolen Systems

Client systems that are designated as stolen include those systems marked stolen by the administrator, as well as computers that locked when the Disable Timer expired and the Platform Disable policy triggered. Stolen computers are locked and cannot be unlocked without assistance from the administrator.

If a computer is lost or stolen, change the computer's status to Stolen to trigger the Platform Stolen policy the next time the computer completes rendezvous or restarts. If the computer never connects to rendezvous, the status changes to Stolen - timer expired when the Disable Timer expires and the Platform Disable policy triggers.

When the computer's status is Stolen, you must follow the recovery process to unlock it.

When a computer is marked stolen, the license seat for that system remains active and in use.

See Recovering a Stolen Client System (on page 17).

See Recovering a Decommissioned Client System (on page 29).

About Stolen Client Systems

Two actions trigger a system's status to change to stolen:

If a client system is lost or stolen, users must notify their Administrator, who will then change the client system's status from AT Activated to Stolen in PGP Universal Server. This triggers the Platform Stolen policy the next time the client system completes rendezvous or is restarted.

If the client system never connects for rendezvous, the status changes to Stolen - timer expired when the Disable Timer expires and the Platform Disable policy triggers.

The license seat for the stolen client system is active and in use.

For example, if you are traveling, and you accidentally leave your client system at the security checkpoint in an airport, you must contact your administrator to have the client system marked as Stolen. When the client system's status is Stolen, you must follow the recovery process to unlock it. For more information on recovering stolen client systems, see Recovering a Stolen Client System (on page 17).

Recovering a Stolen Client System

To recover a client system, a user must contact the PGP Universal Server Administrator supporting PGP RDD.

To instruct the user during recovery, first identify the screen that appeared after reboot. See Identifying the Initial Screen at Power On (on page 18).


Identifying the Initial Screen at Power On

Before you can recover a stolen system

1 Instruct the user to power on the client system.

On most systems, the Intel BIOS recovery screen appears, followed by the PGP BootGuard screen. If you selected Enable PBA Recovery on the RDD Policies page, however, the Intel BIOS recovery screen is skipped and the PGP BootGuard screen appears.

Note: Only certain hardware platforms, such as Panasonic's Toughbook and Let's Note CF models, support this feature.

If the user sees three options, they are on the Intel screen. If they are prompted for their user name, passphrase, and domain, they are on the PGP BootGuard screen. Have them tell you which screen they are seeing.

If the user is on the Intel screen, see Recovering Using the Intel BIOS Recovery Screen (on page 18).

If the user is on the PGP screen, see Recovering Using the PGP BootGuard Screen (on page 19).

Recovering Using the Intel BIOS Recovery Screen

On the Intel BIOS screen, have the user select one of the following options:

To use a passphrase to recover the system, select option 1.

To use a recovery token to recover the system, select option 2.

Tip: Recovery using Option 1 is faster, because a passphrase is easier to enter than communicating and entering the very long strings that make up a recovery token.

To recover a client system using a recovery passphrase

To recover a client system when the user has selected option 1 (to use a passphrase), you must provide the recovery passphrase to the user.

1 Log in to the administrative interface.

2 Select Services > PGP RDD.

3 Click Manage PGP RDD with Intel Anti-Theft Technology.

4 Locate the system that was stolen and which you want to recover, and change the status of the client system from Stolen to Activated (pending).

5 Click Passphrase.

6 Provide the current recovery passphrase to the user.

The user should enter the recovery passphrase and click OK. If authentication is successful, the PGP BootGuard screen appears on the client system.


7 See Recovering Using the PGP BootGuard Screen (on page 19).

To recover a client system using a recovery token

To recover a client system when the user has selected option 2 (to use a recovery token), you must provide the recovery token to the user.

1 Log in to the administrative interface.

2 Select Services > PGP RDD.

3 Click Manage PGP RDD with Intel Anti-Theft Technology.

4 Locate the system that was stolen and which you want to recover, and change the status of the client system from Stolen to Activated (pending).

5 Obtain from the user the long string that is displayed after the user selects option 2 at power on. This string is labeled Platform Recovery ID on the user's system.

6 Log into the administrative interface.

7 Select Services > PGP RDD.

8 Click Manage PGP RDD with Intel Anti-Theft Technology.

9 Locate the system that was stolen and which you want to recover, and click Passphrase.

10 In the Recovery Passphrase dialog box, click Generate Server Recovery Token.

11 Enter the string that the user provided in step 5 and click Generate.

The following recovery tokens are generated:

Hexadecimal

Decimal

Base32

12 Provide the string for the Base32 recovery token to the user.

The user enters the string and presses Enter. If authentication is successful, the PGP BootGuard screen appears.

See Recovering Using the PGP BootGuard Screen (on page 19).

Recovering Using the PGP BootGuard Screen

To recover using the PGP BootGuard screen

1 To switch from the user name/passphrase prompts to the WDRT prompt, tell the user to press F4.

2 To provide the WDRT to the user, on PGP Universal Server, select Consumers > Users and locate the user associated with this system.

3 Expand the Whole Disk Encryption panel to locate the client system.

4 Click the system's WDRT icon. Provide the displayed WDRT to the user.


After the rendezvous occurs, the state of the computer changes from Activated (pending) to Activated in PGP Universal Server. Depending on the server’s load, the state change might take 30 seconds to 1 minute.

6 Setting PGP RDD Policy

Enabling PGP RDD in a Consumer Policy

To enable PGP RDD in a consumer policy

1 Log in to the PGP Universal Server administrative interface.

2 On the Consumer Policy page, select the consumer policy for which you want to enable PGP RDD.

3 In the PGP Desktop panel, click Desktop.

4 On the General tab, select Enable RDD with Intel Anti-Theft Technology.

5 Click Save.

Understanding the Difference Between Consumer and PGP RDD Policies

When working with PGP RDD, note that there are two types of policies that are applied to client systems:

Consumer policies

You can apply a consumer policy to a consumer group when you create that group or change existing policy on the Group Settings page.

PGP RDD policies

PGP RDD policies are set for each consumer group in the Edit PGP Remote Disable & Destroy Policies page. The client receives changes to the consumer policy as part of the PGP WDE policy download and changes to the PGP RDD policy during a rendezvous.

Both of these policy types can be applied to the same consumer groups, but they are defined separately in PGP Universal Server.

See About Consumer Policies (on page 22).

See About PGP RDD Policies (on page 22).

See About PGP RDD Timers (on page 25).

See Enabling PGP RDD in a Consumer Policy (on page 21).

See Applying Consumer Policy to Consumer Groups (on page 23).

See Setting a PGP RDD Policy (on page 23).

About Consumer Policies

Consumer policies are used when installing client systems and control how these client systems behave. Policies are applied to consumers depending on their group membership and policy group order.

The following consumer policies are available on the PGP Universal Server:

Default policy

Excluded policy

You can modify these or create specific new consumer policies to apply to your PGP RDD clients. For example, you can create two policies for a group, one called PGP RDD Default policy for those clients who should be managed through PGP RDD, and another called PGP RDD Excluded policy. You might apply the PGP RDD Excluded policy to systems that are infrequently used or not high risk, and the PGP RDD Default policy to high-risk systems such as those used for travel or those that contain sensitive data.

See Understanding the Difference Between Consumer and PGP RDD Policies (on page 21).

See About PGP RDD Policies (on page 22).

About PGP RDD Policies

Note: To implement a PGP RDD policy, the client system has to be Intel Anti-Theft capable. If it is not, it is considered to be unsupported.

In the Edit PGP Remote Disable & Destroy Policies page, after you select a consumer group, you need to select the platform actions to be completed if the client system is stolen or if the Disable timer is triggered. The selections you make and the values you enter for each timer affect only the selected consumer group.

The Platform Stolen options determine what happens when you mark a computer stolen.

Platform + Data Disable – Shutdown on next rendezvous

If this option is selected, and the client system is stolen, when the next rendezvous occurs, the client system is shut down.

Platform + Data Disable – Require passphrase on next boot

If this option is selected, and the client system is stolen, the administrator marks the client system as stolen in PGP Universal Server. The client system does not immediately shut down. After a user shuts down his/her client system and restarts, he/she is prompted for the Intel BIOS passphrase. This Intel BIOS passphrase is the same one that a user needs to recover a stolen client system.

Note: Users can only get this passphrase from their PGP Universal Server Administrator.

After the user enters this passphrase, the PGP BootGuard authentication with WDRT occurs and the recovery process is complete.

The Platform Disable Timer options determine what happens when the Disable Timer expires.


Platform + Data Disable – Shutdown on timer expiration

If this option is selected and the Disable timer is triggered, the client system is shut down.

Platform + Data Disable – Require passphrase on next boot

If this option is selected, and the client system is stolen, the administrator marks the client system as stolen in PGP Universal Server. The client system does not immediately shut down. After a user shuts down his/her client system and restarts, he/she is prompted for the Intel BIOS passphrase. This Intel BIOS passphrase is the same one that a user needs to recover a stolen client system.

Note: Users can only get this passphrase from their PGP Universal Server Administrator.

After the user enters this passphrase, the PGP BootGuard authentication with WDRT occurs and the recovery process is complete.

See Understanding the Difference Between Consumer and PGP RDD Policies (on page 21).

See About Consumer Policies (on page 22).

Applying Consumer Policy to Consumer Groups

Use the following procedure to move specific users/groups to the PGP RDD policy.

To apply consumer policy to consumer groups

1 Log in to the PGP Universal Server administrative interface.

2 Select Consumers > Groups.

3 Click your RDD policy.

4 In Users, click View.

5 Click Add Users.

6 Type the user’s name and click Save.

7 Repeat step 6 for all the users you want to add to your RDD policy.

Setting a PGP RDD Policy

To set a PGP RDD policy

1 Log in to the PGP Universal Server administrative interface.

2 Select Services > PGP RDD.

3 Click Manage PGP RDD with Intel Anti-Theft Technology.

4 On the Configuration tab, click Policies.

5 Select the consumer group for which you want to set policy.


6 For each of the following policy and timer settings, make the necessary changes.

Platform Stolen. Sets what happens when you mark a computer stolen. Choose from Platform+Data Disable - Shutdown on next rendezvous or Platform+Data Disable - Require passphrase on next boot. The default option is Platform+Data Disable - Shutdown on next rendezvous.

Platform Disable Timer. Sets what happens when the Disable Timer expires. Choose from Platform+Data Disable - Shutdown on timer expiration or Platform+Data Disable - Require passphrase on next boot. The default option is Platform+Data Disable - Shutdown on timer expiration.

Enable PBA Recovery. Enables stolen laptops to be unlocked using only the Whole Disk Recovery Token at PGP BootGuard, without requiring a hardware recovery passphrase or Server Recovery Token. This function is not available for all Intel AT-enabled computers. It works with a pre-boot authentication recovery feature specific to only some computers.

7 For each of the timers, specify the value, value type, and (when available), if the timer is enabled.

8 Click Save.

The PGP RDD policy has been set for the selected consumer group.

See About PGP RDD Timers (on page 25).

About the PGP RDD Rendezvous

The communication between server and a PGP RDD-enabled client is called a rendezvous. A successful rendezvous indicates that the client is online and in the control of its authorized user. All state and policy changes are made during a rendezvous.

The most common outcome of a rendezvous attempt is success. The client continues operating normally after a successful rendezvous until its next rendezvous. The interval between rendezvous is configured as a timer, which counts down until it expires, triggering the next rendezvous.

A client automatically retries a missed rendezvous, for example, if the client was powered down during a scheduled rendezvous interval. A series of timers control the behavior of the system after a missed rendezvous. These behaviors include when to retry the rendezvous, how long to wait after the failed rendezvous before disabling the system, and how long after the disable timer’s expiration to wait before shutting down the system.

See also About PGP RDD Timers (on page 25).

See also About PGP RDD Policies (on page 22).

See also Setting a PGP RDD Timer (on page 27).


Considerations When Configuring Rendezvous Intervals

Setting an interval to a period that is shorter than three days will eventually lead to a number of clients attempting a rendezvous during a weekend when many of the systems are offline. When those clients come online on Monday morning, they will all retry the rendezvous. This can impact PGP Universal Server performance.

Symantec recommends that you set a rendezvous interval of seven days and stagger your deployment to spread client rendezvous days across the work week. This sets clients on a regular schedule that may change if vacations or other unusual circumstances take a laptop offline for its regular rendezvous interval, but will otherwise stay relatively consistent and avoid Monday morning load.

To prevent a large group of rendezvous from occurring at the same time of day, you can add a random delay that triggers when the rendezvous timer expires. When a rendezvous is overdue, the rendezvous randomization timer triggers a random value between 0 and the maximum specified value set in PGP Universal Server. If the rendezvous timer expires and rendezvous is unsuccessful, the client waits until the random interval to retry the rendezvous.

For example, if a rendezvous was due at 8:30 AM on Wednesday, but the computer was offline until 9:00 AM, the client attempts a rendezvous at 9:00 AM plus a random value between 0 and the configured number of minutes.

About PGP RDD Timers

As a part of your PGP RDD policy, you specify the action to take if a client system misses its rendezvous. A variety of timers determines when the next action is triggered and the result on the client system after the set interval for that trigger has expired.

For each timer, you can type a number value and select an amount of time.

The following timers are available:

Disable Timer

This Intel AT timer is triggered when a rendezvous does not occur during the set time interval. When the Disable Timer expires, the computer moves to a Stolen state and the PGP RDD Platform Stolen policy is executed. This timer is enabled by default. To disable the timer, deselect the Enabled check box.

Unlock Timer

This timer allows the recovery process from a Stolen state to begin. The user must enter the Intel recovery token before the time interval expires. For example, if this timer is set to 30 minutes, the user has 30 minutes to get the Intel recovery token from the administrator and enter it before the computer shuts down again. This timer is enabled by default. To disable the timer, deselect the Enabled check box.

Grace Timer

This Intel AT timer is dependent on the Disable timer. If the Disable timer is triggered and then expires during a sleep or hibernation state, when the computer resumes, the Grace timer starts.

Note: If the computer is in an On state and the Disable timer expires, the computer shuts down immediately.

Following is an example of the Grace timer's usefulness: A computer misses its rendezvous and the Disable timer is triggered, beginning its countdown. If the computer goes into a sleep or hibernation state and the Disable timer expires, when the computer resumes, the user has a grace period defined by the Grace timer to authenticate and save their work before the computer shuts down.

This timer is enabled by default. To disable the timer, deselect the Enabled check box.

PBA Login Timer (Pre-boot authentication timer)

This Intel AT timer is supported only by some Panasonic systems, such as Toughbook and Let's Note CF models. You enable this recovery option by selecting the Enable PBA Recovery check box on the PGP RDD Policies page. When this option is enabled, during the recovery of a stolen system the Intel BIOS screen does not appear; only the PGP BootGuard screen appears. The PBA timer value is then the maximum time that a user has to authenticate at the BootGuard screen. If the user fails to authenticate in the time allowed for PBA logon, the computer is shut down.

Rendezvous Timer

This timer sets how often the client computer connects to the server. The purpose of this timer is to synchronize the AT status.

Kill Timer

This timer is similar to the Grace Timer but is only triggered when the computer is marked as Stolen in PGP Universal Server. There is a delay in shutting the computer down, but unlike the Grace Timer, which can be set in seconds, minutes, hours, days, or months, the Kill Timer can only be set in seconds, with a value range of zero or 10-300 seconds (or the equivalent time in minutes).

Rendezvous Randomization

When a rendezvous is overdue, this timer triggers a random value between 0 and the maximum value set in PGP Universal Server. If there is still no successful rendezvous, for example because the network cable is not connected, the Rendezvous Retry Interval is triggered.

For example, if a rendezvous was due at 8:30 am on Monday but the computer was only powered on at 9 am, the rendezvous is overdue on Monday morning. Instead of attempting a rendezvous at 9 am, the computer attempts a rendezvous at 9 am plus a random value between 0 and 240 minutes.

Rendezvous Retry Interval

This timer is triggered when the rendezvous is overdue because the network cable was not connected. For example, if this interval is set to 45 seconds, the client computer will attempt a rendezvous every 45 seconds until it is successful.

See Setting a PGP RDD Timer (on page 27).
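The scheduling and Disable Timer behaviour described in the Considerations When Configuring Rendezvous Intervals and About PGP RDD Timers sections, modelled as an added Python example (not Symantec code; the Intel AT firmware itself is not modelled). The timer values, the machine times, and the assumption that the Disable Timer starts counting at the missed rendezvous time are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import random

# Platform Disable Timer options as named on the Edit PGP RDD Policies page.
SHUTDOWN_ON_TIMER = "Platform+Data Disable - Shutdown on timer expiration"
PASSPHRASE_ON_BOOT = "Platform+Data Disable - Require passphrase on next boot"


@dataclass(frozen=True)
class Timers:
    rendezvous: timedelta          # Rendezvous Timer: interval between rendezvous
    disable: timedelta             # Disable Timer: assumed to start at the missed rendezvous
    randomization_max: timedelta   # Rendezvous Randomization: upper bound of the random delay
    retry: timedelta               # Rendezvous Retry Interval: spacing while the network is down
    grace: timedelta               # Grace Timer: window after resume if Disable expired asleep
    kill_seconds: int = 0          # Kill Timer: delay before shutdown once marked Stolen


def effective_rendezvous(user_timers):
    """Several users on one machine: the shortest Rendezvous Timer among their policies wins."""
    return min(t.rendezvous for t in user_timers)


def first_attempt(due, powered_on, timers, rng=random):
    """Time of the first rendezvous attempt.  On time: at the due moment.  Overdue because the
    machine was off: power-on plus a random delay in [0, randomization_max] to spread load."""
    if powered_on <= due:
        return due
    delay = rng.uniform(0, timers.randomization_max.total_seconds())
    return powered_on + timedelta(seconds=delay)


def retry_until_online(first, online_at, timers):
    """Attempts fail until the network is up at online_at; one attempt per retry interval.
    Returns (time of the successful attempt, number of attempts made)."""
    attempt, count = first, 1
    while attempt < online_at:
        attempt += timers.retry
        count += 1
    return attempt, count


def disable_timer_outcome(due, succeeded_at, timers, policy, resumed_at=None):
    """Outcome for a client that missed the rendezvous due at `due`.
    succeeded_at: time of the eventual successful rendezvous, or None if there was none.
    resumed_at: set when the machine was asleep/hibernating at Disable expiry (Grace Timer).
    Returns (status, action, action_time)."""
    expiry = due + timers.disable
    if succeeded_at is not None and succeeded_at <= expiry:
        return ("AT Activated", "none", succeeded_at)
    status = "Stolen - timer expired"          # Disable Timer expired
    if policy == PASSPHRASE_ON_BOOT:
        return (status, "intel-bios-passphrase-on-next-boot", expiry)
    if resumed_at is None:
        return (status, "shutdown", expiry)    # powered on at expiry: immediate shutdown
    return (status, "shutdown", resumed_at + timers.grace)   # Grace Timer after resume


def stolen_shutdown_time(rendezvous_at, timers):
    """Marked Stolen by the administrator with 'Shutdown on next rendezvous': the Kill Timer
    delays the shutdown by its value in seconds (0 or 10-300)."""
    if timers.kill_seconds not in (0, *range(10, 301)):
        raise ValueError("Kill Timer must be 0 or 10-300 seconds")
    return rendezvous_at + timedelta(seconds=timers.kill_seconds)


if __name__ == "__main__":
    t = Timers(timedelta(days=7), timedelta(days=3), timedelta(minutes=240),
               timedelta(seconds=45), timedelta(minutes=15), kill_seconds=30)
    due = datetime(2011, 12, 7, 8, 30)                    # Wednesday 8:30 (constructed)
    print("first attempt:", first_attempt(due, datetime(2011, 12, 7, 9, 0), t))
    print(disable_timer_outcome(due, None, t, SHUTDOWN_ON_TIMER,
                                resumed_at=datetime(2011, 12, 12, 9, 0)))
```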


Considerations When Setting Your PGP RDD and Consumer Policies

If there are multiple users for a client machine, it is important that all users belong to the same consumer group and receive the same consumer policy and the same PGP RDD policy. Having different PGP RDD policies applied to the same client machine can cause problems, especially if not all the users have PGP RDD enabled by policy. If each user's PGP RDD policy is different, the PGP RDD policy with the shortest rendezvous timer value applies, whether or not that user is logged in and using the system.

Setting a PGP RDD Timer

To set a PGP RDD timer

1 Log in to the administrative interface.

2 Select Services > PGP RDD.

3 Click Manage PGP RDD with Intel Anti-Theft Technology.

4 Select Configuration > Policies.

5 In Consumer Group, select RDD.

The timers are valid for all policies, but you must select RDD to apply the timers for the users in your RDD policy group.

6 In the Timers panel, enter values and select the appropriate value types.

7 Click Save.

7 About Decommissioning a Computer

Decommissioned computers are still encrypted, but the status is AT Deactivated. These computers are listed on the RDD Systems > Deactivated page, but they are no longer protected by Intel Anti-Theft. Use this option when your organization removes computers from active use, but you still want to protect the data; for example, if the organization plans to donate or sell the computers to someone who will not have access to PGP Universal Server. For more information on repurposing a decommissioned computer, see Recovering a Decommissioned Client System (on page 29).

Note: The only way to access a decommissioned computer is by using the Whole Disk Recovery Token (WDRT). The user passphrase no longer works.

After the computer is decommissioned, the license seat for that system can be reused.

Recovering a Decommissioned Client System

A decommissioned client system can be reimaged or reinstalled and distributed to a new user. This procedure is completed by the administrator on the PGP Universal Server. To recover the computer, the administrator must have the decommissioned computer in his/her possession.

To recover a decommissioned client system

To recover a system using the user name, on PGP Universal Server:

1 Select Consumers > Users and locate the user associated with this system.

2 Expand the Whole Disk Encryption panel to locate the client system.

3 Click on the system's WDRT icon for the WDRT string.

To recover a system when a user has more than one system or to verify this system's state, on PGP Universal Server:

1 On the RDD list screen, locate the computer/user pair where the system has a Decommissioned state.

2 Select Consumers > Users and locate the user associated with this system.

3 Expand the Whole Disk Encryption panel to locate the client system.

4 Click on the system's WDRT icon for the WDRT string.

On the decommissioned client system:

1 Power on the system.

2 At the PGP BootGuard authentication screen, to switch from the user name/passphrase prompts to the WDRT prompt, press F4.

Note: After the client system is marked as Decommissioned, PGP BootGuard authentication and decryption work only if you use WDRT.

3 Type the WDRT string and press Enter.

4 Open PGP Desktop and decrypt the system using WDRT.

About Decommissioned Computers

Decommissioning a computer is the process of deactivating Intel AT, but leaving the disk encrypted. When necessary, the administrator can decrypt it, reimage it, activate it, and encrypt the disk for a new user.

A PGP RDD-enabled client system can be decommissioned, for example, when an employee leaves the company, so that a license can be reused, and so that it can be stored with secured data. If the client system is decommissioned, then it can be redeployed to another user either as a PGP RDD-enabled client system or a non PGP RDD system.

Decommissioning a PGP RDD-Enabled Client System

When you decommission a client system, no more rendezvous timers are triggered. The client system is deactivated but is still encrypted.

To decommission a client system

1 Log into the administrative interface.

2 Select Services > PGP RDD.

3 Click Manage PGP RDD with Intel Anti-Theft Technology.

4 In All Systems, in the drop-down menu next to the computer you want to decommission, select Decommissioned and click Save.

After a successful rendezvous, Intel AT deactivates the client system. The status changes from Decommissioned (pending) to Decommissioned.

Page 37: PGP™ Remote Disable and Destroy - Symantec · PDF filePGP RDD offers corporate users the option to activate PGP Universal Server's security service and manage hardwarebased,

Deactivating a client system automatically triggers decryption; therefore, deactivated computers have both a status of AT Deactivated and are decrypted. Computers that do not support Intel Anti-Theft and do not have PGP RDD-enabled consumer policies are also listed as AT Deactivated. Deactivated computers are both decrypted and no longer protected by Intel Anti-Theft.

There are two ways to deactivate a computer:

Change the computer's consumer policy to one in which PGP RDD is disabled and disk encryption is not required, then decrypt the computer. Completing decryption triggers Intel AT deactivation. For this to succeed, PGP Tray must be running on the client and the client must be able to contact PGP Universal Server.

Disable Intel AT by changing the computer's status to Decommissioned, and then decrypt it. A client computer cannot be decrypted while Intel Anti-Theft is still activated if its policy still requires PGP RDD, so in that case decommission it first.

After the computer is deactivated, the license seat for that system can be reused.

Warning: You cannot delete users with Intel Anti-Theft-activated computers from the Users list, nor activated computers from the Devices list. When you delete users, all user records are lost. The next time the computer tries to rendezvous with PGP Universal Server, authentication fails and the computer locks. You will not be able to recover the laptop without the PGP RDD recovery passphrase, which is also deleted with the user records, unless you previously exported it. Before you delete an AT Activated user or device, you must deactivate and decrypt the computer.

After the administrator moves a user from a policy group with PGP RDD enabled to one with PGP RDD disabled, the user can:

Update the policy on the client system.

Decrypt the computer (if the PGP Universal Server policy allows the user to decrypt the disk).

Deactivating a Client System

Before you begin, the PGP RDD-enabled client must be available and able to communicate with PGP Universal Server.

To deactivate a PGP RDD-enabled client system

1 Log in to your PGP Universal Server administrative interface.

2 Apply the new policy.

This moves the user from a policy group that is PGP RDD-enabled to one that is not.


Once the new policy has been applied, the system has been deactivated. If the PGP Universal Server policy allows, the user can then decrypt the disk.
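The deactivation rules in this chapter, as an added example that is not part of the original guide and is not PGP Universal Server code: a Python model of one client's lifecycle through the statuses the guide names (AT Activated, Decommissioned (pending), Decommissioned, AT Deactivated). The class, field and method names (RddClient, rendezvous, apply_policy, decrypt, delete_user, client_reachable) are assumptions chosen to encode the guide's preconditions; the model follows the sequence in which completing decryption deactivates Intel AT, and the sample clients are constructed for the demonstration.

```python
"""Lifecycle model for the PGP RDD deactivation rules (added example, not product code).
Names are assumptions; the guards encode the guide's preconditions: decommissioning
turns Intel AT off at the next rendezvous and leaves the disk encrypted; a disk cannot
be decrypted while Intel AT is activated and policy still requires PGP RDD; deleting a
user whose computer is still AT activated locks the computer at its next rendezvous."""
from dataclasses import dataclass


class LifecycleError(Exception):
    """An administrative action that violates one of the preconditions."""


@dataclass
class RddClient:
    name: str
    at_active: bool = True             # Intel Anti-Theft activated on the platform
    encrypted: bool = True             # disk encrypted by PGP Whole Disk Encryption
    rdd_required: bool = True          # consumer policy requires PGP RDD
    decommission_pending: bool = False
    passphrase_exported: bool = False  # PGP RDD recovery passphrase exported earlier

    @property
    def status(self) -> str:
        """Status label as the guide names them (assumed to match the console)."""
        if self.decommission_pending:
            return "Decommissioned (pending)"
        if not self.at_active:
            return "Decommissioned" if self.encrypted else "AT Deactivated"
        return "AT Activated"

    def decommission(self) -> str:
        """Admin sets the system to Decommissioned; takes effect at next rendezvous."""
        if not self.at_active:
            raise LifecycleError(f"{self.name}: Intel AT is not activated")
        self.decommission_pending = True
        return self.status

    def rendezvous(self) -> str:
        """Client checks in with PGP Universal Server; a pending decommission completes."""
        if self.decommission_pending:
            self.decommission_pending = False
            self.at_active = False         # AT deactivated, disk still encrypted
        return self.status

    def apply_policy(self, rdd_enabled: bool) -> None:
        """Move the user to a consumer policy with PGP RDD enabled or disabled."""
        self.rdd_required = rdd_enabled

    def decrypt(self, client_reachable: bool = True) -> str:
        """Decrypt the disk; completing decryption deactivates Intel AT."""
        if self.at_active and self.rdd_required:
            raise LifecycleError(f"{self.name}: Intel AT activated and policy still "
                                 "requires PGP RDD; change policy or decommission first")
        if self.at_active and not client_reachable:
            raise LifecycleError(f"{self.name}: PGP Tray must be running and the client "
                                 "must reach PGP Universal Server to deactivate Intel AT")
        self.encrypted = False
        self.at_active = False
        return self.status

    def delete_user(self) -> str:
        """Guard from the warning: deactivate and decrypt before deleting the user."""
        if self.status != "AT Deactivated":
            hint = ("recovery passphrase was exported" if self.passphrase_exported
                    else "recovery passphrase is deleted with the user record")
            raise LifecycleError(f"{self.name} is {self.status}: deleting now makes the "
                                 f"next rendezvous fail and locks the computer ({hint})")
        return "deleted"


def _try(action, **kwargs) -> str:
    """Run an admin action and report its outcome instead of raising."""
    try:
        return action(**kwargs)
    except LifecycleError:
        return "refused"


def decommission_then_redeploy() -> list:
    """Second way: decommission (AT off, still encrypted), then decrypt for reimaging."""
    c = RddClient("laptop-a")                        # constructed sample client
    return [c.status, c.decommission(), c.rendezvous(), c.decrypt()]


def policy_change_path() -> list:
    """First way: move the user to a non-RDD policy, decrypt, then delete the user."""
    c = RddClient("laptop-b")                        # constructed sample client
    outcomes = [_try(c.delete_user),                 # refused: still AT Activated
                _try(c.decrypt)]                     # refused: policy requires RDD
    c.apply_policy(rdd_enabled=False)
    outcomes.append(_try(c.decrypt, client_reachable=False))  # refused: cannot reach server
    outcomes.append(_try(c.decrypt))                 # AT Deactivated
    outcomes.append(_try(c.delete_user))             # deleted
    return outcomes


if __name__ == "__main__":
    print(decommission_then_redeploy())
    print(policy_change_path())
```

Running the module prints both paths; the point is the guards. decrypt() refuses while Intel AT is activated and policy still requires PGP RDD, refuses again when the client cannot reach the server to complete deactivation, and delete_user() refuses until the status is AT Deactivated, which is the condition the warning above requires before a user or device is removed.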

9 Working with PGP RDD Administrator Roles

A PGP Universal Server administrator can be assigned one of several roles, depending on the tasks that administrator should perform. The roles for a PGP RDD administrator are the same as those for a PGP Universal Server administrator, with the addition of several PGP RDD-specific tasks.

See About PGP RDD Administrator Roles (on page 33).

See Assigning Roles (on page 34).

About PGP RDD Administrator Roles

The following is a list of the PGP RDD administrator roles and the tasks that each administrator can perform:

Read-only Administrator

Access the PGP RDD Administration screens.

View settings and logs.

WDRT-only Administrator

Access the PGP RDD Administration screens.

View settings and logs.

Access and read the PGP BootGuard WDRT.

Access and read PGP RDD recovery passphrases.

Generate new recovery tokens.

Service Control Only Administrator

Access the PGP RDD Administration screens.

View settings and logs.

Control services, including the Intel Anti-Theft Technology Services Port.

Basic Administrator

Access the PGP RDD Administration screens.

View settings and logs.

Control and configure services, including the Intel Anti-Theft Technology Services Port.

Access and read the PGP BootGuard WDRT.

Access and read PGP RDD recovery passphrases.

Generate new recovery tokens.

Configure system settings, including uploading the PGP RDD license and activation file.


Full Administrator

Access the PGP RDD Administration screens.

View settings and logs.

Control and configure services, including the Intel Anti-Theft Technology Services Port.

Access and read the PGP BootGuard WDRT.

Access and read PGP RDD recovery passphrases.

Access and generate new recovery tokens.

Configure system settings, including uploading the PGP RDD license and activation file.

Manage PGP RDD policies, such as the timers.

Superuser

Access the PGP RDD Administration screens.

View settings and logs.

Control and configure services, including the Intel Anti-Theft Technology Services Port.

Access and read the PGP BootGuard WDRT.

Access and read PGP RDD recovery passphrases.

Generate new recovery tokens.

Configure system settings, including uploading the PGP RDD license and activation file.

Manage PGP RDD policies, such as the timers.

See Assigning Roles (on page 34).

Assigning Roles

Each PGP RDD administrator is assigned a role and can perform only the tasks associated with that role.

To assign roles

1 Log in to your PGP Universal Server administrative interface.

2 Select System > Administrators.

3 Do one of the following:

To change an existing administrator's role, select the administrator's name in the list displayed. Select the new role and click Save.

To add a new administrator, click Add Administrator. Enter the administrator's login name and other information, select the administrator's role, and click Save.

See About PGP RDD Administrator Roles (on page 33).