Install Guide

ManualsBrandsDell ManualsConverged InfrastructureEndpoint Security Suite Enterprise

100

Table Of Contents

Dell Endpoint Security Suite Enterprise Advanced Installation Guide v3.0
Contents
Introduction
- Before You Begin
- Using This Guide
- Contact Dell ProSupport
Requirements
- All Clients
- Encryption
- Full Disk Encryption
- Encryption on Server Operating Systems
- Advanced Threat Prevention
  - Compatibility
- Client Firewall and Web Protection
- SED Manager
- BitLocker Manager
Registry Settings
- Encryption
- Full Disk Encryption
- Advanced Threat Prevention
- SED Manager
- BitLocker Manager
Install Using the Master Installer
- Install Interactively Using the Master Installer
- Install by Command Line Using the Master Installer
Uninstall the Master Installer
- Uninstall the Endpoint Security Suite Enterprise Master Installer
Install Using the Child Installers
- Install Drivers
- Install Encryption
- Install Full Disk Encryption
- Install Encryption on Server Operating System
- Install Advanced Threat Prevention Client
- Install Client Firewall and Web Protection
- Install SED Manager and PBA Advanced Authentication
- Install BitLocker Manager
Uninstall Using the Child Installers
- Uninstall Web Protection and Firewall
- Uninstall Advanced Threat Prevention
- Uninstall Full Disk Encryption
- Uninstall SED Manager
- Uninstall Encryption and Encryption on Server Operating System
- Uninstall BitLocker Manager
Data Security Uninstaller
Commonly Used Scenarios
- Encryption Client and Advanced Threat Prevention
- SED Manager and Encryption External Media
- BitLocker Manager and Encryption External Media
- BitLocker Manager and Advanced Threat Prevention
Provision a Tenant
- Provision a Tenant
Configure Advanced Threat Prevention Agent Auto Update
Pre-Installation Configuration for SED UEFI, and BitLocker Manager
- Initialize the TPM
- Pre-Installation Configuration for UEFI Computers
- Pre-Installation Configuration to Set Up a BitLocker PBA Partition
Designate the Dell Server through Registry
Extract Child Installers
Configure Key Server
- Services Panel - Add Domain Account User
- Key Server Config File - Add User for Security Management Server Communication
- Services Panel - Restart Key Server Service
- Management Console - Add Forensic Administrator
Use the Administrative Download Utility (CMGAd)
- Use Forensic Mode
- Use Admin Mode
Configure Encryption on a Server Operating System
Configure Deferred Activation
- Deferred Activation Customization
- Prepare the Computer for Installation
- Install Encryption with Deferred Activation
- Activate Encryption with Deferred Activation
- Troubleshoot Deferred Activation
Troubleshooting
- All Clients - Troubleshooting
- All Clients - Protection Status
- Dell Encryption Troubleshooting (client and server)
- Advanced Threat Prevention Troubleshooting
- SED Troubleshooting
- Dell ControlVault Drivers
  - Update Dell ControlVault Drivers and Firmware
- UEFI Computers
- TPM and BitLocker
Glossary

● Encryption External Media policies control removable media access to the server, authentication, encryption, and more.

● Port Control policies affect removable media on protected servers, for example, by controlling access and usage of the

server's USB ports by USB devices.

The policies for removable media encryption can be found in the Management Console in the Server Encryption technology

group.

Encryption on a Server Operating System and External Media

When the protected server's EMS Encrypt External Media policy is Selected, external media is encrypted. Encryption links the

device to the protected server with the Machine key and to the user, with the User Roaming key of the removable device's

owner/user. All files added to the removable device are then encrypted with those same keys, regardless of the computer it is

connected to.

NOTE:

Encryption on a server operating system converts User encryption to Common encryption, except on removable devices.

On removable devices, encryption is performed with the User Roaming key associated with the computer.

When the user does not agree to encrypt a removable device, the user's access to the device can be set to blocked when used

on the protected server, Read only while used on the protected server, or Full access. The protected server's policies determine

the level of access on an unprotected removable device.

Policy updates occur when the removable device is re-inserted into the original protected server.

Authentication and External Media

The protected server's policies determine authentication functionality.

After a removable device has been encrypted, only its owner/user can access the removable device on the protected server.

Other users cannot access the encrypted files on the removable media.

Local automatic authentication allows the protected removable media to be automatically authenticated when inserted in the

protected server when the owner of that media is logged in. When automatic authentication is disabled, the owner/user must

authenticate to access the protected removable device.

When a removable device's original encrypting computer is a protected server, the owner/user must always log in to the

removable device when using it in computers that are not the original encrypting computer, regardless of the Encryption

External Media policy settings defined on the other computers.

Refer to AdminHelp for information on Server Encryption Port Control and Encryption External Media policies.

Suspend an Encryption on a Server Operating System

Suspending an encrypted server prevents access to its encrypted data after a restart. The virtual server user cannot be

suspended. Instead, the encrypted server's Machine key is suspended.

NOTE:

Suspending the server endpoint does not immediately suspend the server. The suspension takes place the next time the key

is requested, typically the next time the server is restarted.

NOTE:

Use with care. Suspending an encrypted server could result in instability, depending on policy settings and whether the

protected server is suspended while disconnected from the network.

Prerequisites

● Help desk administrator rights, assigned in the Management Console, are required to suspend an endpoint.

● The administrator must be logged in to the Management Console.

In the left pane of the Management Console, click Populations > Endpoints.

Search or select a hostname, then click the Details & Actions tab.

Under Server Device Control, click Suspend then Yes.

Configure Encryption on a Server Operating System