PGP Remote Disable & Destroy 10.2.1 Configuration Guide

PGP™ Remote Disable & Destroy
Configuration Guide
10.2
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Version 10.2.1. Last updated: April 2012.
Legal Notice
Copyright (c) 2012 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, PGP, Pretty Good Privacy, and the PGP logo are trademarks or registered trademarks of Symantec Corporation or its
affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering.
No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if
any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING
ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT
TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR
INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION.
THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights
as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. “Commercial Computer
Software and Commercial Computer Software Documentation”, as applicable, and any successor regulations. Any use, modification, reproduction
release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with
the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
Symantec Home Page (http://www.symantec.com)
Printed in the United States of America.
Contents
Introducing PGP Remote Disable and Destroy
About PGP Remote Disable and Destroy 1
Components of PGP RDD 1
How PGP RDD Works 1
About PGP RDD Client Anti-Theft States 2
Installation Considerations 3
Planning Your Network Architecture 3
Considerations When Using Multiple PGP Universal Servers 3
Enabling or Disabling PGP RDD in the PGP Universal Server 3
Ports Used by the PGP RDD Service 4
Modifying PGP RDD Ports 4
System Requirements 5
Symantec Products 5
Server Software 5
About PGP Remote Disable & Destroy Licenses 5
Licensing PGP RDD with Intel Anti-Theft 6
About Deploying PGP RDD on Client Systems 7
About the PGP RDD Deployment Process 7
About AT Activated Client Systems 8
Deploying PGP RDD on Client Systems 9
Software Requirements for Client Systems 9
Drivers and BIOS Requirements for Client Systems 10
Hardware Requirements for Client Systems 10
Accessing PGP RDD on the PGP Universal Server 11
Accessing PGP RDD 11
Displaying PGP RDD Data 11
About Intel Anti-Theft Status 11
Changing a Computer's Status 13
Exporting PGP RDD System Information 13
Working with Stolen Systems 15
About Stolen Client Systems 15
Recovering a Stolen Client System 15
Identifying the Initial Screen at Power On 16
Recovering Using the Intel BIOS Recovery Screen 16
Recovering Using the PGP BootGuard Screen 17
Setting PGP RDD Policy 19
Enabling PGP RDD in a Consumer Policy 19
Understanding the Difference Between Consumer and PGP RDD Policies 19
About Consumer Policies 20
About PGP RDD Policies 20
Applying Consumer Policy to Consumer Groups 21
Setting a PGP RDD Policy 21
About the PGP RDD Rendezvous 22
Considerations When Configuring Rendezvous Intervals 23
About PGP RDD Timers 23
Considerations When Setting Your PGP RDD and Consumer Policies 25
Setting a PGP RDD Timer 26
About Decommissioning a Computer 27
Recovering a Decommissioned Client System 27
About Decommissioned Computers 28
Decommissioning a PGP RDD-Enabled Client System 28
About AT Deactivated Client Systems 29
Deactivating a Client System 29
Working with PGP RDD Administrator Roles 31
About PGP RDD Administrator Roles 31
Assigning Roles 31
1 Introducing PGP Remote Disable and Destroy
About PGP Remote Disable and Destroy
PGP Remote Disable and Destroy from Symantec(TM) powered by Intel(R) Anti-Theft
Technology (PGP RDD) provides a security solution for lost, stolen, or decommissioned
computers.
PGP RDD solves the need to keep data secure in mobile environments and comply with
increasingly stringent regulations in data security and privacy using the latest Intel AT
technology. PGP RDD offers corporate users the option to activate PGP Universal
Server's security service and manage hardware-based, client-side intelligence to secure
the notebook and/or data if a notebook is lost or stolen. If the client system is lost or
stolen, you can remotely disable client systems or disable access to data and securely
decommission client systems.
Components of PGP RDD
The following items are part of the overall PGP RDD installation:
PGP Universal Server. The administrative server used to manage client systems.
Intel Content License Server (ICLS). The ICLS permit licensing server is the
activation site at Intel where client installations are tracked.
Managed PGP Desktop client system with PGP Whole Disk Encryption installed.
Once PGP RDD policies are applied and the system is encrypted, the client system
then becomes PGP RDD-enabled.
How PGP RDD Works
You deploy PGP RDD to clients you have specified in PGP Universal Server as part of a
particular consumer group. For that consumer group, you create a policy that enables
PGP RDD with Intel Anti-Theft Technology. You then create a PGP Desktop client
installer that uses the policy.
A user installs the PGP Desktop client and enrolls with the PGP Universal Server using
the method you choose. The client computer is then encrypted with PGP Whole Disk
Encryption. During this process, the client receives the policy from PGP Universal
Server that enables PGP RDD. PGP RDD in turn activates the Intel Anti-Theft
Technology on that client, and the encrypted client moves to a state known as “AT
Activated.” This is the normal operating state for a PGP RDD-enabled client. This state
is transparent to the user. The client system operates normally and is protected.
PGP Universal Server then monitors PGP RDD-enabled clients through regular periodic
contact between server and client. This contact refreshes the theft status of the
computer and is known as a rendezvous. A successful rendezvous indicates to the
server that a client is online and controlled by the authorized user.
After a missed rendezvous, a timer begins counting down to disable the system. If the
client fails to rendezvous successfully before the timer expires, the client is
automatically flagged on the server as “Stolen.” The client is locked down until the user
or administrator unlocks the system and returns it to an “AT Activated” state.
Security for the system is local. The computer is disabled when the timers expire. This
thwarts a common strategy employed in laptop theft to avoid putting the computer
online. Security is also hardware-based, preventing use of the system even if its hard
drive is replaced.
For more information on configuring and deploying PGP RDD, go to the Symantec
Knowledgebase (http://www.symantec.com/business/support/index?page=home) and
search for DOC4975, "PGP Remote Disable & Destroy Configuration Guide".
About PGP RDD Client Anti-Theft States
A PGP RDD-enabled client is always in one of the following states:
AT Activated client systems are clients with PGP RDD currently activated, and
which are not marked stolen. This is the normal state for a PGP RDD-enabled
client.
AT Deactivated client systems do not have PGP RDD-enabled consumer policies or
do not support Intel Anti-Theft technology.
Stolen client systems are those marked stolen by the administrator or affected
when the Disable Timer expired and the Platform Disable policy triggered. Stolen
computers are locked and cannot be unlocked without assistance from the
administrator.
D Timer Expired client systems are in an activated state but there has been no
rendezvous before the system's Disable Timer expired.
Unsupported client systems do not support Intel Anti-Theft Technology.
Note: Computers that do not support Intel Anti-Theft and do not have PGP
RDD-enabled consumer policies may be listed as AT Deactivated, instead of
Unsupported.
Decommissioned computers are still encrypted, but the status is AT Deactivated.
These computers are listed on the RDD Systems > Deactivated page, but they are
no longer protected by Intel Anti-Theft. Use this option when your organization
removes computers from active use, but still wants to protect the data. For
example, if the organization plans to give away or sell the computers to someone
who will not have access to PGP Universal Server.
See About Intel Anti-Theft Status (on page 11).
See Displaying PGP RDD Data (on page 11).
See Deactivating a Client System (on page 29).
See About Stolen Client Systems (on page 15).
2 Installation Considerations
Planning Your Network Architecture
When planning your deployment, keep the following points in mind:
The main consideration when planning your deployment of PGP RDD is that the
client systems must be able to communicate with the server at their scheduled
rendezvous. Missing the rendezvous could lead to locked client systems.
Your PGP Universal Server must be able to communicate with the Intel Content
License Server. Disruption in communication can lead to activation failures.
Considerations When Using Multiple PGP Universal Servers
To balance requests to multiple servers, Symantec recommends that you use load
balancing on your servers. This ensures that all servers participate in processing the
load.
When PGP RDD-enabled client computers enroll or perform a rendezvous, they
exchange 30 to 40 request and response pairs. Because server replication contains a
delay, these requests must be handled and processed by the same server. Your load
balancer must be configured so that the same client's requests are processed by the
same server during a certain period of time. This is called load balancing stickiness.
Symantec recommends that the length of stickiness should be long enough (such as 24
hours, assuming the replication delay will be less than 24 hours) to route requests from
one client to the same server.
Enabling or Disabling PGP RDD in the PGP Universal Server
The PGP RDD service is enabled by default.
Warning: If you disable the PGP RDD service while you have AT-Activated computers,
the computers will not be able to rendezvous successfully and will eventually lock
when the Disable Timer expires.
To enable or disable PGP RDD
1 Log in to the PGP Universal Server administrative interface.
2 Select Services > PGP RDD.
3 Do one of the following:
To enable PGP RDD, click Enable. The text Intel® Anti-Theft Technology is
enabled is displayed in the page.
To disable PGP RDD, click Disable. The text Intel® Anti-Theft Technology is
disabled is displayed in the page.
Ports Used by the PGP RDD Service
The PGP RDD service is enabled by default.
Warning: If you disable the PGP RDD service while you have Intel AT-activated
computers, the computers will not be able to rendezvous successfully and will
eventually lock when the Disable Timer expires.
The service requires the following ports to be open.
The Intel Anti-Theft Technology Services Port is used for communication
between PGP Universal Server and the anti-theft service. External access to this
port is not required.
The ICLS URL and Port sets the ICLS (Intel Content License Server) URL and port.
The ICLS permit server is the activation site at Intel where client installations are
tracked. Do not change the default settings unless Symantec Corporation notifies
you that it is necessary. You can test the connection to the ICLS from the Options
page (PGP Remote Disable & Destroy Administration > Configuration >
Options).
PGP Universal Server and PGP RDD-enabled client system communication uses
the same HTTPS port as you use to access the administrative console (port 9000 by
default).
Modifying PGP RDD Ports
To modify PGP RDD settings
1 Log into the administrative interface.
2 Select Services > PGP RDD.
3 To enable PGP RDD, click Enable. The text Intel® Anti-Theft Technology is
enabled is displayed in the page.
4 To modify the Intel Anti-Theft Technology Services Port, or the ICLS URL or Port,
click Edit.
5 Make the necessary changes, and click Save.
System Requirements
PGP RDD can only be used with managed PGP Desktop with PGP Whole Disk
Encryption installations.
Caution: To support PGP RDD, the client and PGP Universal Server must be able to
contact each other. Do not activate PGP RDD on a computer that will never contact
PGP Universal Server, because the computer will lock.
Symantec Products
PGP Whole Disk Encryption (PGP WDE)
PGP Universal Server
PGP Remote Disable & Destroy with Intel Anti-Theft Technology
Server Software
Linux (CentOS 5.3)
Servlet Container (Tomcat)
Spring Framework
JDK 1.6
Valid SSL Certificate. This certificate is provided by Symantec.
Working connection to Intel ICLS Servers.
About PGP Remote Disable & Destroy Licenses
Licensing PGP Remote Disable & Destroy with Intel Anti-Theft Technology requires
three things:
PGP Universal Server license. Intel Anti-Theft Technology is automatically
included with the PGP Universal Server license.
PGP Remote Disable & Destroy with Intel Anti-Theft Technology license file.
You must purchase this license separately from your PGP Universal Server.
This human-readable XML file shows the number of seats purchased, the start and
end dates of the subscription period, and the license serial number. The license
expires at the end of the subscription period. If the license expires, activated
systems are not affected and continue to be protected. When you view the license
history for an expired license, the entry shows that there are no seats available on
that license.
You can have more than one active license at a time. When you upload a new
license, it does not replace existing licenses; instead, they are cumulative.
PGP Universal Server does not enforce the license to make sure you do not exceed
the number of activated computers your license permits. It is possible to activate
more computers than your license permits, but the number of activated computers
is registered by the ICLS.
Activation file. This encrypted activation file is included when you purchase the
PGP RDD license file.
The activation file registers your license, and enables the ICLS to monitor how
many Intel Anti-Theft-activated computers you have. PGP Universal Server sends
no information directly to Symantec Corporation.
Licensing PGP RDD with Intel Anti-Theft
When you purchased a license for PGP RDD, you received two Symantec license files
with the file extension .slf.zip:
[name1].slf.zip
[name2].slf.zip
For example, the files are named 2230672.slf.zip and 2230673.slf.zip. These files are
uploaded to your PGP Universal Server so you can license PGP RDD.
To apply the license and activation files
1 From the PGP RDD interface, select Configuration > Options.
2 Click Browse to locate the license file you want to upload.
3 Click Browse to locate the activation file you want to upload. You must have both
the license and the activation file. Make sure to select the correct activation file
for the license you are uploading.
4 Click Upload License File to upload the license and activation files.
5 Click Save.
To test the connection between the PGP Universal Server and the ICLS
1 From the PGP RDD interface, select Configuration > Options.
2 Click Test Permit Server Connection. A message confirms whether or not the
server is reachable.
3 About Deploying PGP RDD on Client Systems
On systems that include Intel Anti-Theft Technology, enabling PGP RDD consists of
installing PGP Desktop, enrolling to a PGP Universal Server, and encrypting the disk.
All other functions of PGP RDD are managed by the PGP Universal Server.
PGP RDD can only be used with managed PGP Desktop with PGP Whole Disk
Encryption installations.
Caution: To support PGP RDD, the client and PGP Universal Server must be able to
contact each other. Do not activate PGP RDD on a computer that will never contact
PGP Universal Server, because the computer will lock.
About the PGP RDD Deployment Process
To roll out PGP RDD in your enterprise, you will perform the following tasks:
Step 1: On the PGP Universal Server, enable PGP RDD.
PGP RDD is a service that you must enable. See Enabling or Disabling PGP RDD in
the PGP Universal Server (on page 3).
Step 2: Enter the PGP RDD License and Activation Key.
The Intel Anti-Theft (Intel AT) license is an AT permit that is stored on PGP
Universal Server in the database. The license is obtained from the Intel Licensing
Server during enrollment of PGP RDD client systems and is pushed to the client
system. The permit is different for each PGP RDD-enabled computer. See About PGP
Remote Disable & Destroy Licenses (on page 5) and Licensing PGP RDD with Intel
Anti-Theft (on page 6).
Step 3: Define the Intel Anti-Theft Technology Services Ports.
The ports are used for communication between PGP Universal Server and the
Anti-Theft service, as well as between the Intel Content License Server and the
client systems. See Ports Used by the PGP RDD Service (on page 4).
Step 4: Create one or more consumer groups for PGP RDD users.
Multiple consumer groups (Executives, IT, Marketing) can receive the same PGP
RDD-enabled consumer policy, or you can enable PGP RDD for only a subset of your
groups.
Step 5: Enable PGP RDD in a consumer policy.
PGP RDD is enabled through a Consumer Policy applied on the client. See Setting
PGP RDD in Consumer Policies.
Step 6: Apply consumer policy to consumer groups.
Move specific users/groups to the PGP RDD policy. See Applying Consumer Policy to
Consumer Groups (on page 21).
Step 7: Create a separate PGP Platform Disable policy for each consumer group.
Although multiple consumer groups can receive the same PGP RDD-enabled consumer
policy, you can apply different PGP RDD policy settings to each different group.
The PGP Platform Disable policy is used to configure the specific timer values and
resulting actions to take when a computer misses a rendezvous.
Step 8: Create a PGP Desktop installer and provide it to users.
After you create the consumer policy, create a client installer. See the following
sections in the PGP Universal Server Administrator's Guide: Understanding User
Enrollment Methods; Creating an Installer with Preset Policy.
Step 9: Install PGP Desktop on client systems.
Users must have administrative rights to install PGP Desktop. Your users will:
locate the client installer application and double-click it; follow the on-screen
instructions; if prompted to do so, restart the client system.
Step 10: Enroll users through email or LDAP.
Enrollment is the binding of a client system to a PGP Universal Server. After a
client is bound it receives feature policy information from the PGP Universal
Server. Once enrolled, users are added to the RDD-enabled policy group.
Step 11: Encrypt the disk on the client system.
If specified by policy, encryption begins automatically.
Step 12: Verify the client system is activated.
Log in to the PGP Universal Server administrative interface. Select Services > PGP
RDD. Click Manage PGP RDD with Intel Anti-Theft Technology. Locate the client
system and verify that the status of the client system is Activated.
About AT Activated Client Systems
AT Activated systems are client systems on which Intel Anti-Theft is activated. These
systems are connected to the network and are not marked Stolen. AT-Activation starts
automatically after the user enrolls and PGP WDE encrypts the disk. Intel Anti-Theft
only activates with encryption at enrollment. Therefore, consumer policies that enable
PGP RDD should also force disk encryption at installation.
If you have not selected auto-encryption, you can AT activate your client system by
manually encrypting the disk.
Note: If you use PGP Whole Disk Encryption Command Line to begin encryption,
Intel Anti-Theft will not activate.
The AT Activated status appears in the PGP Universal Server interface as Activated
(pending) until the client system contacts PGP Universal Server at its next scheduled
rendezvous. After a successful rendezvous, the status changes to AT Activated.
You cannot activate PGP RDD on a system that is already encrypted. You must decrypt
the disk before switching a user from a policy that does not support PGP RDD to a
policy that does. When the new policy forces re-encryption, Intel Anti-Theft activates.
When you recover a locked computer, you must first change the status from Stolen to
AT Activated. For more information on laptop recovery, see Recovering Locked
Systems.
You can change AT Activated computers to Decommissioned or Stolen. You can also
change Stolen computers back to AT Activated as part of the recovery process. When
you change the status, it appears as pending until the next time the computer
completes a rendezvous.
Deploying PGP RDD on Client Systems
To deploy PGP RDD on client systems
1 Install PGP Desktop.
2 Enroll to PGP Universal Server using email or LDAP credentials.
3 Encrypt the disk.
Software Requirements for Client Systems
Client Software
Microsoft Windows XP (32-bit SP2, 64-bit SP3)
Microsoft Windows 7 (32-bit and 64-bit)
Microsoft Windows Vista (32-bit and 64-bit)
Intel Management Engine Chip
Note: The Intel Management Engine (ME) chip is not backward-compatible, so you
cannot use the 7.x-driver ME chip on a computer with a 6.x driver.
Computers with a 6.x driver should use the ME driver for Intel 5-series chipset-based
boards.
Computers with a 7.x driver should use the ME driver for Intel 6-series chipset-based
boards. The Intel ME driver installer works on XP, Vista, and Windows 7, in both
32-bit and 64-bit editions. The ME firmware driver is available from notebook vendors
and from Intel's website.
Drivers and BIOS Requirements for Client Systems
Required Drivers
Install the Intel MEI drivers from the client computer manufacturer. These drivers are on
the installation disks if your computer is made by Hewlett Packard. You can also get the
drivers from either the manufacturer's website or from Intel's website. Using the
manufacturer's MEI drivers is recommended, but the drivers from Intel are also
acceptable.
BIOS Support
The processors listed under Hardware Requirements for Client Systems support Intel AT
most of the time, but not always. Check the BIOS to see if Intel AT is supported.
Intel AT functionality is usually turned on by default in the BIOS. If it is not turned on,
you must turn it on manually. The process for turning on Intel AT in the BIOS differs
from manufacturer to manufacturer. Contact Intel or technical support for your
computer's manufacturer for more information.
Hardware Requirements for Client Systems
Hardware
Intel vPro Core i5 with Intel Anti-Theft Technology
Intel vPro Core i7 with Intel Anti-Theft Technology
2nd Generation Intel vPro Core i5 processor with Intel Anti-Theft Technology
2nd Generation Intel vPro Core i7 processor with Intel Anti-Theft Technology
4 Accessing PGP RDD on the PGP Universal Server
Accessing PGP RDD
You can view Intel Anti-Theft data for all the computers managed by the RDD policy.
To access PGP RDD
1 Log into the administrative interface.
2 Select Services > PGP RDD.
3 Click Manage PGP RDD with Intel Anti-Theft Technology.
4 Review the computers on the RDD Systems tab.
Displaying PGP RDD Data
To display PGP RDD data
1 Log into the administrative interface.
2 Select Services > PGP RDD.
3 Click Manage PGP RDD with Intel Anti-Theft Technology.
4 Click Configuration.
5 Under PGP Remote Disable & Destroy Report Fields, select the check boxes for
the data you want to display.
6 Click Save.
7 On the RDD Systems page, click the buttons at the top of the page to display data
for the specified computers.
About Intel Anti-Theft Status
The All Systems page displays information about all client computers, including each
computer's Intel Anti-Theft status.
AT Activated are systems on which Intel Anti-Theft is currently activated. These
systems are connected to the network and are not marked Stolen.
AT-Activation starts automatically after the user enrolls and PGP WDE encrypts
the disk. Therefore, consumer policies that enable PGP RDD should also force disk
encryption at installation.
The AT-Activated status appears in the PGP Universal Server interface as
Activated (pending) until the client system contacts PGP Universal Server at its
next scheduled rendezvous. After a successful rendezvous, the status changes to
AT Activated.
You cannot activate PGP RDD on a system that is already encrypted. You must
decrypt the disk before switching a user from a policy that does not support PGP
RDD to a policy that does. When the new policy forces re-encryption, Intel
Anti-Theft activates.
Make sure that consumer policies enable PGP Remote Disable & Destroy with Intel
Anti-Theft Technology. If you have not selected auto-encryption, you can AT
activate your client system by manually encrypting the disk.
The AT Activated status appears as pending until the computer contacts PGP
Universal Server at the next scheduled rendezvous. When you recover a locked
computer, you must first change the status from Stolen to AT Activated. For more
information on recovery, see Recovering Locked Systems.
You can change AT Activated computers to Decommissioned or Stolen. You can
also change Stolen computers back to AT Activated as part of the recovery
process. When you change the status, it appears as pending until the next time the
computer completes a rendezvous.
AT Deactivated are computers on which Intel Anti-Theft has been turned off.
Deactivated computers are both decrypted and AT Deactivated and therefore no
longer protected by Intel Anti-Theft. After the computer is deactivated, the license
seat for that system can be reused. Computers that do not support Intel Anti-Theft
and do not have PGP RDD-enabled consumer policies are also listed as AT
Deactivated. There are two ways to deactivate a computer:
Change the computer's consumer policy to one where PGP RDD is disabled,
and disk encryption is not required. For this process to successfully
deactivate the computer, PGP Tray must be running and the computer must
be able to contact PGP Universal Server. Decrypt the computer. Decryption
triggers Intel AT deactivation. If PGP Tray is not running or PGP Universal
Server is not reachable, the computer is decrypted but remains activated. In
this case, you must manually change the computer's status to
Decommissioned. At the next rendezvous, Intel AT deactivates.
Disable Intel AT by changing the status to Decommissioned, and then
decrypt it. Client computers cannot be decrypted while Intel Anti-Theft is
still activated, if PGP RDD is still required by policy.
Stolen. Includes computers marked stolen by the administrator, and computers
that locked when the Disable Timer expired and the Platform Disable policy
triggered. Stolen computers are locked and cannot be unlocked without assistance
from the administrator. If a client system is marked Stolen in PGP Universal
Server by the administrator, the Platform Stolen policy is triggered the next time
the computer completes rendezvous or is restarted. For more information on the
Platform Stolen policy, see About PGP RDD Policies (on page 20). The license seat
for that system remains active and in use.
D Timer Expired. Systems in this state are activated, but no rendezvous took place
before the system's Disable Timer expired. If the system was awake when the Disable
Timer expired, it shuts down. If the system was in Sleep mode (not Hibernation) when
the Disable Timer expired, it does not shut down immediately on resume: a grace
timer starts, and the computer stays on until that grace timer expires. If there is
a successful rendezvous during this grace period, the system becomes activated again
and the status changes to AT Activated. If there is no rendezvous before the grace
timer expires, the system shuts down and is reported to the server as
"DTimerExpired". Because the server does not know when the system resumed from
Sleep mode, it does not know when the grace timer started and therefore does not
know when the grace timer expires.
Unsupported. Computers that do not support Intel Anti-Theft Technology.
Computers that do not support Intel Anti-Theft and do not have PGP RDD-enabled
consumer policies may be listed as AT Deactivated, instead of Unsupported.
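To make the status transitions listed above concrete, here is an added Python model (not Symantec's code) of one client's local anti-theft timers: a missed rendezvous starts the Disable Timer, expiry while awake shuts the system down, expiry during Sleep starts a grace timer on resume, and an administrator's Stolen mark takes effect at the next rendezvous. The hour-based clock and the 24 h / 48 h / 1 h timer lengths are assumptions; the real values come from the PGP Platform Disable policy.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class State(Enum):
    AT_ACTIVATED = "AT Activated"
    D_TIMER_EXPIRED = "D Timer Expired"
    STOLEN = "Stolen"


@dataclass
class RddClient:
    """Local anti-theft timers of one PGP RDD-enabled client (clock in hours)."""
    # Assumed policy values: the real ones come from the PGP Platform Disable policy.
    rendezvous_interval: float = 24.0
    disable_timer: float = 48.0
    grace_timer: float = 1.0
    state: State = State.AT_ACTIVATED
    last_rendezvous: float = 0.0
    powered_on: bool = True
    asleep: bool = False
    grace_deadline: Optional[float] = None
    server_marked_stolen: bool = False  # administrator set Stolen on the server
    events: List[Tuple[float, str]] = field(default_factory=list)

    def _disable_deadline(self) -> float:
        # The Disable Timer starts counting down once a scheduled rendezvous is missed.
        return self.last_rendezvous + self.rendezvous_interval + self.disable_timer

    def rendezvous(self, now: float, server_reachable: bool = True) -> bool:
        """Periodic contact with PGP Universal Server. Returns True on success."""
        if not self.powered_on:
            return False  # a locked (shut down) client cannot rendezvous
        if not server_reachable:
            self.events.append((now, "rendezvous missed"))
            return False
        if self.server_marked_stolen:
            # The Platform Stolen policy triggers at the next rendezvous (or restart).
            self.state, self.powered_on = State.STOLEN, False
            self.events.append((now, "locked by Platform Stolen policy"))
            return False
        # Success refreshes theft status; a pending client becomes AT Activated.
        self.last_rendezvous, self.grace_deadline = now, None
        self.state = State.AT_ACTIVATED
        self.events.append((now, "rendezvous ok"))
        return True

    def sleep(self) -> None:
        self.asleep = True  # Sleep, not Hibernation: timers do not shut it down

    def resume(self, now: float) -> None:
        self.asleep = False
        if now >= self._disable_deadline() and self.grace_deadline is None:
            # Disable Timer ran out during Sleep: the grace timer starts only now,
            # and the server cannot know when, since the client was offline.
            self.grace_deadline = now + self.grace_timer
            self.events.append((now, "grace timer started"))

    def tick(self, now: float) -> State:
        """Advance the local clock. Security is local: no server contact is needed."""
        if self.state != State.AT_ACTIVATED or not self.powered_on or self.asleep:
            return self.state
        deadline = self._disable_deadline()
        if self.grace_deadline is not None:
            deadline = self.grace_deadline
        if now >= deadline:
            self.state, self.powered_on = State.D_TIMER_EXPIRED, False
            self.events.append((now, "shut down, reported as DTimerExpired"))
        return self.state

    def admin_mark_stolen(self) -> None:
        self.server_marked_stolen = True

    def admin_recover(self, now: float) -> None:
        """Stolen/expired back to AT Activated; pending until the next rendezvous."""
        self.server_marked_stolen, self.powered_on = False, True
        self.grace_deadline, self.last_rendezvous = None, now


if __name__ == "__main__":
    c = RddClient()
    c.rendezvous(0)
    c.sleep()
    c.resume(100)        # 100 h > 24 h + 48 h: Disable Timer expired while asleep
    c.tick(100)          # still powered on: grace timer is running
    c.rendezvous(100.5)  # successful rendezvous inside the grace window
    for t, what in c.events:
        print(f"{t:6.1f} h  {what}")
```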
A PGP RDD-enabled client system can be decommissioned, for example, when an
employee leaves the company, so that a license can be reused, and so that it can be
stored with the secured data. If the client system is decommissioned, then it can be
redeployed to another user either as a PGP RDD-enabled client system or a non PGP
RDD system. For information on how to decommission a system, see About
Decommissioning a Computer (on page 27).
Warning: You cannot delete users with Intel Anti-Theft-activated computers from the
Users list, nor activated computers from the Devices list. When you delete users, all
user records are lost. The next time the computer tries to rendezvous with PGP
Universal Server, authentication fails and the computer locks. You will not be able to
recover the laptop without the PGP RDD recovery passphrase, which is also deleted
with the user records, unless you previously exported it. Before you delete an AT
Activated user or device, you must deactivate and decrypt the computer.
Changing a Computer's Status
To change a computer's status
1 Log in to the PGP Universal Server administrative interface.
2 Select Services > PGP RDD.
3 Click Manage Remote Disable & Destroy with Intel Anti-Theft Technology.
4 Select a new status from the drop-down menu.
The new status may appear as pending until the next time the computer completes
rendezvous.
5 Click Save.
Exporting PGP RDD System Information
The PGP Remote Disable & Destroy (RDD) service logs actions on PGP Universal
Server's Logs page. For more information, see System Logs.
Access data reports for PGP RDD directly from the PGP RDD interface, not from the
PGP Universal Server Reporting or Graphs pages.
To export PGP RDD data
1 Open PGP RDD.
2 From Configuration > Options, select what data you want to appear in the systems
pages. Possible reported data includes Computer Name, Name, Status, Policy
Group, Last Date Connected, and Passphrase.
3 Click Save.
4 From RDD Systems, choose the set of systems for which you want information
exported: All, Activated, Deactivated, Stolen, or Unsupported.
5 Click Export Data.
All the information on the systems page is exported into a CSV file. If you have
permission to view recovery passphrases, the exported file will contain those
passphrases. The passphrases are unencrypted plain text.