PGP Remote Disable & Destroy 10.2 Configuration Guide

PGP™ Remote Disable and Destroy
Configuration Guide
10.2
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Version 10.2.0. Last updated: December 2011.
Legal Notice
Copyright (c) 2011 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, PGP, Pretty Good Privacy, and the PGP logo are trademarks or registered trademarks of Symantec Corporation or its
affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No
part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES,
INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL
NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF
THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights
as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. “Commercial Computer
Software and Commercial Computer Software Documentation”, as applicable, and any successor regulations. Any use, modification, reproduction
release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the
terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
Symantec Home Page (http://www.symantec.com)
Printed in the United States of America.
Contents
Introducing PGP Remote Disable and Destroy
About PGP Remote Disable and Destroy
Components of PGP RDD
How PGP RDD Works
About PGP RDD Client Anti-Theft States
Installation Considerations
Planning Your Network Architecture
Considerations When Using Multiple PGP Universal Servers
Enabling or Disabling PGP RDD in the PGP Universal Server
Ports Used by the PGP RDD Service
Modifying PGP RDD Ports
System Requirements
Symantec Products
Server Software
About PGP Remote Disable & Destroy Licenses
Licensing PGP RDD with Intel Anti-Theft
About Deploying PGP RDD on Client Systems
About the PGP RDD Deployment Process
About AT Activated Client Systems
Deploying PGP RDD on Client Systems
Software Requirements for Client Systems
Drivers and BIOS Requirements for Client Systems
Hardware Requirements for Client Systems
Accessing PGP RDD on the PGP Universal Server
Accessing PGP RDD
Displaying PGP RDD Data
About Intel Anti-Theft Status
Decommissioned
AT Deactivated
Stolen
Changing a Computer's Status
Exporting PGP RDD System Information
Working with Stolen Systems
About Stolen Client Systems
Recovering a Stolen Client System
Identifying the Initial Screen at Power On
Recovering Using the Intel BIOS Recovery Screen
Recovering Using the PGP BootGuard Screen
Setting PGP RDD Policy
Enabling PGP RDD in a Consumer Policy
Understanding the Difference Between Consumer and PGP RDD Policies
About Consumer Policies
About PGP RDD Policies
Applying Consumer Policy to Consumer Groups
Setting a PGP RDD Policy
About the PGP RDD Rendezvous
Considerations When Configuring Rendezvous Intervals
About PGP RDD Timers
Considerations When Setting Your PGP RDD and Consumer Policies
Setting a PGP RDD Timer
About Decommissioning a Computer
Recovering a Decommissioned Client System
About Decommissioned Computers
Decommissioning a PGP RDD-Enabled Client System
About AT Deactivated Client Systems
Deactivating a Client System
Working with PGP RDD Administrator Roles
About PGP RDD Administrator Roles
Assigning Roles
Introducing PGP Remote Disable and Destroy
About PGP Remote Disable and Destroy
PGP Remote Disable and Destroy from Symantec(TM) powered by Intel(R) Anti-Theft
Technology (PGP RDD) provides a security solution for lost, stolen, or decommissioned
computers.
PGP RDD solves the need to keep data secure in mobile environments and comply with
increasingly stringent regulations in data security and privacy using the latest Intel AT
technology. PGP RDD offers corporate users the option to activate PGP Universal
Server's security service and manage hardware-based, client-side intelligence to secure
the notebook and/or data if a notebook is lost or stolen. If the client system is lost or
stolen, you can remotely disable client systems or disable access to data and securely
decommission client systems.
Components of PGP RDD
The following items are part of the overall PGP RDD installation:
PGP Universal Server. The administrative server used to manage client systems.
Intel Content License Server (ICLS). The ICLS permit licensing server is the
activation site at Intel where client installations are tracked.
Managed PGP Desktop client system with PGP Whole Disk Encryption installed.
Once PGP RDD policies are applied and the system is encrypted, the client system
then becomes PGP RDD-enabled.
How PGP RDD Works
You deploy PGP RDD to clients you have specified in PGP Universal Server as part of a
particular consumer group. For that consumer group, you create a policy that enables
PGP RDD with Intel Anti-Theft Technology. You then create a PGP Desktop client
installer that uses the policy.
A user installs the PGP Desktop client and enrolls with the PGP Universal Server using
the method you choose. The client computer is then encrypted with PGP Whole Disk
Encryption. During this process, the client receives the policy from PGP Universal
Server that enables PGP RDD. PGP RDD in turn activates the Intel Anti-Theft
Technology on that client, and the encrypted client moves to a state known as “AT
Activated.” This is the normal operating state for a PGP RDD-enabled client. This state
is transparent to the user. The client system operates normally and is protected.
PGP Universal Server then monitors PGP RDD-enabled clients through regular periodic
contact between server and client. This contact refreshes the theft status of the
computer and is known as a rendezvous. A successful rendezvous indicates to the
server that a client is online and controlled by the authorized user.
After a missed rendezvous, a timer begins counting down to disable the system. If the
client fails to rendezvous successfully before the timer expires, the client is
automatically flagged on the server as “Stolen.” The client is locked down until the user
or administrator unlocks the system and returns it to an “AT Activated” state.
Security for the system is local. The computer is disabled when the timers expire. This
thwarts a common strategy employed in laptop theft to avoid putting the computer
online. Security is also hardware-based, preventing use of the system even if its hard
drive is replaced.
See About Deploying PGP RDD on Client Systems (on page 9).
See Enabling PGP RDD in a Consumer Policy (on page 21).
See About the PGP RDD Rendezvous (on page 24).
See About PGP RDD Timers (on page 25).
See Setting a PGP RDD Policy (on page 23).
See Setting a PGP RDD Timer (on page 27).
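The rendezvous and timer behaviour described above can be modelled to see which clients would lock if PGP Universal Server were unreachable for a planned window. This is an added example, not Symantec code; the interval and timer values, the client names, and the reading that the Disable Timer starts one rendezvous interval after the last successful rendezvous are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Policy:
    rendezvous_interval: timedelta  # hypothetical value; must be positive
    disable_timer: timedelta        # hypothetical value


@dataclass(frozen=True)
class Client:
    name: str
    status: str                     # "AT Activated", "Stolen", "AT Deactivated", ...
    last_rendezvous: datetime       # last successful rendezvous
    policy: Policy


def lock_deadline(last_ok, policy):
    """When the local Disable Timer expires if no further rendezvous succeeds.

    Assumption taken from the text: the timer starts at the first missed
    rendezvous, which is one interval after the last successful one.
    """
    return last_ok + policy.rendezvous_interval + policy.disable_timer


def last_contact_before(client, cutoff):
    """Last scheduled rendezvous that still succeeds before `cutoff`
    (assumes the client is online and keeps to its schedule)."""
    last = client.last_rendezvous
    while last + client.policy.rendezvous_interval < cutoff:
        last += client.policy.rendezvous_interval
    return last


def locked_by_outage(clients, outage_start, outage_end):
    """(name, lock time) for each AT Activated client whose Disable Timer
    expires while the server cannot answer a rendezvous."""
    hits = []
    for c in clients:
        if c.status != "AT Activated":
            continue  # only AT Activated clients are running the timers
        deadline = lock_deadline(last_contact_before(c, outage_start), c.policy)
        if deadline <= outage_end:
            hits.append((c.name, deadline))
    return sorted(hits, key=lambda h: h[1])


def outage_budget(clients, outage_start):
    """An outage starting at `outage_start` must be shorter than this to lock nobody."""
    deadlines = [lock_deadline(last_contact_before(c, outage_start), c.policy)
                 for c in clients if c.status == "AT Activated"]
    return min(deadlines) - outage_start if deadlines else None


# Constructed sample fleet and policies (not taken from a real export).
DAILY = Policy(timedelta(hours=24), timedelta(hours=48))
STRICT = Policy(timedelta(hours=12), timedelta(hours=12))
FLEET = [
    Client("laptop-exec-01", "AT Activated", datetime(2011, 12, 1, 8, 0), DAILY),
    Client("laptop-it-02", "AT Activated", datetime(2011, 12, 2, 20, 0), STRICT),
    Client("laptop-mkt-03", "Stolen", datetime(2011, 11, 20, 8, 0), DAILY),
    Client("laptop-it-04", "AT Activated", datetime(2011, 12, 3, 7, 0), DAILY),
]
OUTAGE_START = datetime(2011, 12, 3, 9, 0)
OUTAGE_END = datetime(2011, 12, 5, 9, 0)

if __name__ == "__main__":
    for name, when in locked_by_outage(FLEET, OUTAGE_START, OUTAGE_END):
        print(f"{name} locks at {when:%Y-%m-%d %H:%M}")
    print("outage budget:", outage_budget(FLEET, OUTAGE_START))
```

The same calculation applies to any event that stops rendezvous from succeeding, such as disabling the PGP RDD service or a network change that cuts clients off from the server.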
About PGP RDD Client Anti-Theft States
A PGP RDD-enabled client is always in one of the following states:
AT Activated client systems are clients with PGP RDD currently activated, and
which are not marked stolen. This is the normal state for a PGP RDD-enabled
client.
AT Deactivated client systems do not have PGP RDD-enabled consumer policies or
do not support Intel Anti-Theft technology.
Stolen client systems are those marked stolen by the administrator or affected
when the Disable Timer expired and the Platform Disable policy triggered. Stolen
computers are locked and cannot be unlocked without assistance from the
administrator.
Unsupported client systems do not support Intel Anti-Theft Technology.
Note: Computers that do not support Intel Anti-Theft and do not have PGP RDD-
enabled consumer policies may be listed as AT Deactivated, instead of
Unsupported.
Decommissioned computers are still encrypted, but the status is AT Deactivated.
These computers are listed on the RDD Systems > Deactivated page, but they are
no longer protected by Intel Anti-Theft. Use this option when your organization
removes computers from active use, but still wants to protect the data. For
example, if the organization plans to give away or sell the computers to someone
who will not have access to PGP Universal Server.
See About Intel Anti-Theft Status (on page 13).
See Displaying PGP RDD Data (on page 13).
See Deactivating a Client System (on page 31).
See About Stolen Client Systems (on page 17).
Installation Considerations
Planning Your Network Architecture
When planning your deployment, keep the following points in mind:
The main consideration when planning your deployment of PGP RDD is that the
client systems must be able to communicate with the server at their scheduled
rendezvous. Missing the rendezvous could lead to locked client systems.
Your PGP Universal Server must be able to communicate with the Intel Content
License Server. Disruption in communication can lead to activation failures.
Considerations When Using Multiple PGP Universal Servers
To balance requests to multiple servers, Symantec recommends that you use load
balancing on your servers. This ensures that all servers participate in processing the
load.
When PGP RDD-enabled client computers enroll or perform a rendezvous, they
exchange 30 to 40 request and response pairs. Because server replication contains a
delay, these requests must be handled and processed by the same server. Your load
balancer must be configured so that the same client's requests are processed by the
same server during a certain period of time. This is called load balancing stickiness.
Symantec recommends that the length of stickiness should be long enough (such as 24
hours, assuming the replication delay will be less than 24 hours) to route requests from
one client to the same server.
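The following simulation shows why the stickiness period has to outlast the replication delay. It is an added example, not part of the product; the Server and LoadBalancer classes, the server and client names, the 35-pair exchange with one-second spacing, and the delay values are all assumptions of the model.

```python
class Server:
    def __init__(self, name):
        self.name = name
        self.progress = {}   # client -> last request/response pair completed
        self.inbox = []      # (arrival_time, client, pair) replicated from peers

    def sync(self, now):
        """Apply replicated state that has arrived by `now`."""
        arrived = [m for m in self.inbox if m[0] <= now]
        self.inbox = [m for m in self.inbox if m[0] > now]
        for _, client, pair in arrived:
            self.progress[client] = max(self.progress.get(client, 0), pair)

    def handle(self, now, client, pair, peers, replication_delay):
        """Accept pair N only if this server already knows about pair N-1."""
        self.sync(now)
        if self.progress.get(client, 0) != pair - 1:
            return False
        self.progress[client] = pair
        for peer in peers:
            peer.inbox.append((now + replication_delay, client, pair))
        return True


class LoadBalancer:
    """Round-robin with a stickiness window; stickiness=0 is plain round-robin."""

    def __init__(self, servers, stickiness):
        self.servers, self.stickiness = servers, stickiness
        self.table, self.next = {}, 0

    def route(self, now, client):
        entry = self.table.get(client)
        if entry is None or entry[1] <= now:  # no entry yet, or stickiness expired
            server = self.servers[self.next % len(self.servers)]
            entry = (server, now + self.stickiness)
            self.next += 1
            self.table[client] = entry
        return entry[0]


def pairs_completed(stickiness, replication_delay, pairs=35, gap=1.0, n_servers=2):
    """Run one enrollment/rendezvous exchange (times in seconds) and
    return how many request/response pairs succeed before one is rejected."""
    servers = [Server(f"pus-{i}") for i in range(n_servers)]
    lb = LoadBalancer(servers, stickiness)
    for pair in range(1, pairs + 1):
        now = (pair - 1) * gap
        server = lb.route(now, "laptop-01")
        peers = [s for s in servers if s is not server]
        if not server.handle(now, "laptop-01", pair, peers, replication_delay):
            return pair - 1
    return pairs


if __name__ == "__main__":
    print("no stickiness, 60 s replication:", pairs_completed(0, 60))
    print("10 s stickiness, 60 s replication:", pairs_completed(10, 60))
    print("24 h stickiness, 60 s replication:", pairs_completed(86400, 60))
    print("no stickiness, 0.5 s replication:", pairs_completed(0, 0.5))
```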
Enabling or Disabling PGP RDD in the PGP Universal Server
The PGP RDD service is enabled by default.
Warning: If you disable the PGP RDD service while you have AT-Activated computers,
the computers will not be able to rendezvous successfully and will eventually lock
when the Disable Timer expires.
To enable or disable PGP RDD
1 Log in to the PGP Universal Server administrative interface.
2 Select Services > PGP RDD.
3 Do one of the following:
To enable PGP RDD, click Enable. The text Intel® Anti-Theft Technology is
enabled is displayed in the page.
To disable PGP RDD, click Disable. The text Intel® Anti-Theft Technology is
disabled is displayed in the page.
Ports Used by the PGP RDD Service
The PGP RDD service is enabled by default.
Warning: If you disable the PGP RDD service while you have Intel AT-activated
computers, the computers will not be able to rendezvous successfully and will
eventually lock when the Disable Timer expires.
The service requires the following ports to be open.
The Intel Anti-Theft Technology Services Port is used for communication
between PGP Universal Server and the anti-theft service. External access to this
port is not required.
The ICLS URL and Port sets the ICLS (Intel Content License Server) URL and port.
The ICLS permit server is the activation site at Intel where client installations are
tracked. Do not change the default settings unless Symantec Corporation notifies
you that it is necessary. You can test the connection to the ICLS from the Options
page (PGP Remote Disable & Destroy Administration > Configuration >
Options).
PGP Universal Server and PGP RDD-enabled client system communication uses
the same HTTPS port as you use to access the administrative console (port 9000 by
default).
Modifying PGP RDD Ports
To modify PGP RDD settings
1 Log into the administrative interface.
2 Select Services > PGP RDD.
3 To enable PGP RDD, click Enable. The text Intel® Anti-Theft Technology is
enabled is displayed in the page.
4 To modify the Intel Anti-Theft Technology Services Port, or the ICLS URL or Port,
click Edit.
5 Make the necessary changes, and click Save.
System Requirements
PGP RDD can only be used with managed PGP Desktop with PGP Whole Disk
Encryption installations.
Caution: To support PGP RDD, the client and PGP Universal Server must be able to
contact each other. Do not activate PGP RDD on a computer that will never contact
PGP Universal Server, because the computer will lock.
Symantec Products
PGP Whole Disk Encryption (PGP WDE)
PGP Universal Server
PGP Remote Disable & Destroy with Intel Anti-Theft Technology
Server Software
Linux (CentOS 5.3)
Servlet Container (Tomcat)
Spring Framework
JDK 1.6
Valid SSL Certificate. This certificate is to be provided by Symantec.
Working connection to Intel ICLS Servers.
About PGP Remote Disable & Destroy Licenses
Licensing PGP Remote Disable & Destroy with Intel Anti-Theft Technology requires
three things:
PGP Universal Server license. Intel Anti-Theft Technology is automatically
included with the PGP Universal Server license.
PGP Remote Disable & Destroy with Intel Anti-Theft Technology license file.
You must purchase this license separately from your PGP Universal Server.
This human-readable XML file shows the number of seats purchased, the start and
end dates of the subscription period, and the license serial number. The license
expires at the end of the subscription period. If the license expires, activated
systems are not affected and continue to be protected. When you view the license
history for an expired license, the entry shows that there are no seats available on
that license.
You can have more than one active license at a time. When you upload a new
license, it does not replace existing licenses; instead, they are cumulative.
PGP Universal Server does not enforce the license to make sure you do not exceed
the number of activated computers your license permits. It is possible to activate
more computers than your license permits, but the number of activated computers
is registered by the ICLS.
Activation file. This encrypted activation file is included when you purchase the
PGP RDD license file.
The activation file registers your license, and enables the ICLS to monitor how
many Intel Anti-Theft-activated computers you have. PGP Universal Server sends
no information directly to Symantec Corporation.
Licensing PGP RDD with Intel Anti-Theft
When you purchased a license for PGP RDD, you received two Symantec license files
with the file extension .slf.zip:
[name1].slf.zip
[name2].slf.zip
For example, the files are named 2230672.slf.zip and 2230673.slf.zip. These files are
uploaded to your PGP Universal Server so you can license PGP RDD.
To apply the license and activation files
1 From the PGP RDD interface, select Configuration > Options.
2 Click Browse to locate the license file you want to upload.
3 Click Browse to locate the activation file you want to upload. You must have both
the license and the activation file. Make sure to select the correct activation file
for the license you are uploading.
4 Click Upload License File to upload the license and activation files.
5 Click Save.
To test the connection between the PGP Universal Server and the ICLS
1 From the PGP RDD interface, select Configuration > Options.
2 Click Test Permit Server Connection. A message confirms whether or not the
server is reachable.
About Deploying PGP RDD on Client Systems
On systems that include Intel Anti-Theft Technology, enabling PGP RDD consists of
installing PGP Desktop, enrolling to a PGP Universal Server, and encrypting the disk.
All other functions of PGP RDD are managed by the PGP Universal Server.
PGP RDD can only be used with managed PGP Desktop with PGP Whole Disk
Encryption installations.
Caution: To support PGP RDD, the client and PGP Universal Server must be able to
contact each other. Do not activate PGP RDD on a computer that will never contact
PGP Universal Server, because the computer will lock.
About the PGP RDD Deployment Process
To roll out PGP RDD in your enterprise, you will perform the following tasks:
Step 1
Task: On the PGP Universal Server, enable PGP RDD.
Description: PGP RDD is a service that you must enable.
See Enabling or Disabling PGP RDD in the PGP Universal Server (on page 5).

Step 2
Task: Enter the PGP RDD License and Activation Key.
Description: The Intel Anti-Theft (Intel AT) license is an AT permit that is stored
on PGP Universal Server in the database. The license is obtained from the Intel
Licensing Server during enrollment of PGP RDD client systems and is pushed to the
client system. The permit is different for each PGP RDD-enabled computer.
See License PGP RDD with Intel AT (see "About PGP Remote Disable & Destroy Licenses"
on page 7, "Licensing PGP RDD with Intel Anti-Theft" on page 8).

Step 3
Task: Define the Intel Anti-Theft Technology Services Ports.
Description: The ports are used for communication between PGP Universal Server and
the Anti-Theft service, as well as between the Intel Content License Server and the
client systems.
See Ports Used by the PGP RDD Service (on page 6).

Step 4
Task: Create one or more consumer groups for PGP RDD users.
Description: Multiple consumer groups (Executives, IT, Marketing) can receive the
same PGP RDD-enabled consumer policy, or you can enable PGP RDD for only a subset of
your groups.

Step 5
Task: Enable PGP RDD in a consumer policy.
Description: PGP RDD is enabled through a Consumer Policy applied on the client.
See Setting PGP RDD in Consumer Policies.

Step 6
Task: Apply consumer policy to consumer groups.
Description: Move specific users/groups to the PGP RDD policy.
See Applying Consumer Policy to Consumer Groups (on page 23).

Step 7
Task: Create a separate PGP Platform Disable policy for each consumer group.
Description: Although multiple consumer groups can receive the same PGP RDD-enabled
consumer policy, you can apply different PGP RDD policy settings to each different
group. The PGP Platform Disable policy is used to configure the specific timer values
and resulting actions to take when a computer misses a rendezvous.

Step 8
Task: Create a PGP Desktop installer and provide it to users.
Description: After you create the consumer policy, create a client installer. See the
following sections in the PGP Universal Server Administrator's Guide:
Understanding User Enrollment Methods
Creating an Installer with Preset Policy

Step 9
Task: Install PGP Desktop on client systems.
Description: Users must have administrative rights to install PGP Desktop. Your users
will:
Locate the client installer application and double-click it.
Follow the on-screen instructions.
If prompted to do so, restart the client system.

Step 10
Task: Enroll users through email or LDAP.
Description: Enrollment is the binding of a client system to a PGP Universal Server.
After a client is bound it receives feature policy information from the PGP Universal
Server. Once enrolled, users are added to the RDD-enabled policy group.

Step 11
Task: Encrypt the disk on the client system.
Description: If specified by policy, encryption begins automatically.

Step 12
Task: Verify the client system is activated.
Description: Log in to the PGP Universal Server administrative interface.
Select Services > PGP RDD.
Click Manage PGP RDD with Intel Anti-Theft Technology.
Locate the client system and verify the status of the client system is Activated.
About AT Activated Client Systems
AT Activated systems are client systems on which Intel Anti-Theft is activated. These
systems are connected to the network and are not marked Stolen. AT-Activation starts
automatically after the user enrolls and PGP WDE encrypts the disk. Intel Anti-Theft
only activates with encryption at enrollment. Therefore, consumer policies that enable
PGP RDD should also force disk encryption at installation.
If you have not selected auto-encryption, you can AT activate your client system by
manually encrypting the disk.
Note: If you use PGP Whole Disk Encryption Command Line to begin encryption,
Intel Anti-Theft will not activate.
The AT Activated status appears in the PGP Universal Server interface as Activated
(pending) until the client system contacts PGP Universal Server at its next scheduled
rendezvous. After a successful rendezvous, the status changes to AT Activated.
You cannot activate PGP RDD on a system that is already encrypted. You must decrypt
the disk before switching a user from a policy that does not support PGP RDD to a
policy that does. When the new policy forces re-encryption, Intel Anti-Theft activates.
When you recover a locked computer, you must first change the status from Stolen to
AT Activated. For more information on laptop recovery, see Recovering Locked
Systems.
You can change AT Activated computers to Decommissioned or Stolen. You can also
change Stolen computers back to AT Activated as part of the recovery process. When
you change the status, it appears as pending until the next time the computer
completes a rendezvous.
Deploying PGP RDD on Client Systems
To deploy PGP RDD on client systems
1 Install PGP Desktop.
2 Enroll to PGP Universal Server using email or LDAP credentials.
3 Encrypt the disk.
Software Requirements for Client Systems
Client Software
Microsoft Windows XP (32-bit SP2, 64-bit SP3)
Microsoft Windows 7 (32-bit and 64-bit)
Microsoft Windows Vista (32-bit and 64-bit)
Intel Management Engine Chip
Note: The Intel Management Engine (ME) chip is not backward-compatible, so you
cannot use the 7.x driver ME chip on a computer with a 6.x driver.
Computers with a 6.x driver should use ME driver for Intel 5-series chipset-based
boards.
Computers with a 7.x driver should use ME driver for Intel 6-series chipset-based
boards. The Intel ME driver installer works on XP, Vista, and Win7, 32-bit and 64-bit
OS. The ME firmware driver is available from notebook vendors and Intel's web site.
Drivers and BIOS Requirements for Client Systems
Required Drivers
Install the Intel MEI drivers for the client computer manufacturer. These drivers are on
the installation disks if your computer is made by Hewlett Packard. You can also get the
drivers from either the manufacturer's website or from Intel's website. Using the
manufacturer's MEI drivers is recommended, but the drivers from Intel are also
acceptable.
BIOS Support
These processors support Intel AT most of the time, but not always. Check the BIOS to
see if Intel AT is supported.
Intel AT functionality is usually turned on by default in the BIOS. If it is not turned on,
you must turn it on manually. The process for turning on Intel AT in the BIOS differs
from manufacturer to manufacturer. Contact Intel or technical support for your
computer's manufacturer for more information.
Hardware Requirements for Client Systems
Hardware
Intel vPro Core i5 with Intel Anti-Theft Technology
Intel vPro Core i7 with Intel Anti-Theft Technology
2nd Generation Intel vPro Core i5 processor with Intel Anti-Theft Technology
2nd Generation Intel vPro Core i7 processor with Intel Anti-Theft Technology
Accessing PGP RDD on the PGP Universal Server
Accessing PGP RDD
You can view Intel Anti-Theft data for all the computers managed by the RDD policy.
To access PGP RDD
1 Log into the administrative interface.
2 Select Services > PGP RDD.
3 Click Manage PGP RDD with Intel Anti-Theft Technology.
4 Review the computers on the RDD Systems tab.
Displaying PGP RDD Data
To display PGP RDD data
1 Log into the administrative interface.
2 Select Services > PGP RDD.
3 Click Manage PGP RDD with Intel Anti-Theft Technology.
4 Click Configuration.
5 Under PGP Remote Disable & Destroy Report Fields, select the check boxes for
the data you want to display.
6 Click Save.
7 On the RDD Systems page, click the buttons at the top of the page to display data
for the specified computers.
About Intel Anti-Theft Status
The All Systems page displays information about all client computers, including each
computer's Intel Anti-Theft status.
AT Activated are systems on which Intel Anti-Theft is currently activated. These
systems are connected to the network and are not marked Stolen.
AT-Activation starts automatically after the user enrolls and PGP WDE encrypts
the disk. Therefore, consumer policies that enable PGP RDD should also force disk
encryption at installation.
The AT-Activated status appears in the PGP Universal Server interface as
Activated (pending) until the client system contacts PGP Universal Server at its
next scheduled rendezvous. After a successful rendezvous, the status changes to
AT Activated.
You cannot activate PGP RDD on a system that is already encrypted. You must
decrypt the disk before switching a user from a policy that does not support PGP
RDD to a policy that does. When the new policy forces re-encryption, Intel Anti-
Theft activates.
Make sure that consumer policies enable PGP Remote Disable & Destroy with Intel
Anti-Theft Technology. If you have not selected auto-encryption, you can AT
activate your client system by manually encrypting the disk.
The AT Activated status appears as pending until the computer contacts PGP
Universal Server at the next scheduled rendezvous. When you recover a locked
computer, you must first change the status from Stolen to AT Activated. For more
information on recovery, see Recovering Locked Systems.
AT Deactivated are computers on which Intel Anti-Theft has been turned off.
Deactivated computers are both decrypted and AT Deactivated. Computers that do
not support Intel Anti-Theft and do not have PGP RDD-enabled consumer policies
are also listed as AT Deactivated.
Stolen. Includes computers marked stolen by the administrator, and computers
that locked when the Disable Timer expired and the Platform Disable policy
triggered. Stolen computers are locked and cannot be unlocked without assistance
from the administrator.
Unsupported. Computers that do not support Intel Anti-Theft Technology.
Computers that do not support Intel Anti-Theft and do not have PGP RDD-enabled
consumer policies may be listed as AT Deactivated, instead of Unsupported.
You can change AT Activated computers to Decommissioned or Stolen. You can also
change Stolen computers back to AT Activated as part of the recovery process. When
you change the status, it appears as pending until the next time the computer
completes a rendezvous.
Decommissioned
Decommissioning a computer deactivates Intel AT while leaving the disk encrypted.
When necessary, the administrator can decrypt it, reimage it, activate it, and
encrypt the disk for a new user.
A PGP RDD-enabled client system can be decommissioned, for example, when an
employee leaves the company, so that a license can be reused, and so that it can be
stored with the secured data. If the client system is decommissioned, then it can be
redeployed to another user either as a PGP RDD-enabled client system or a non PGP
RDD system.