[KB7142] Getting started with ESET Endpoint Encryption Server

Solution

ESET Endpoint Encryption (EEE) Client and EEE Server are separate products from ESET Full Disk Encryption (EFDE).

The article below applies only to the EEE Client or EEE Server and not EFDE.

Visit What's new in ESET Full Disk Encryption to view EFDE content.

Software Install

After installing the ESET Endpoint Encryption (EEE) Server, a wizard will run to guide you through the setup process. For details, see: Set up ESET Endpoint Encryption Server.

The purpose of the Setup Wizard is to configure the database enough to allow an initial login to the organization. There are additional configuration steps you will need to complete in the Organization itself after this initial setup. You will also need to complete these configuration steps if you create and add a new Organization to an existing server.

This guide will describe the other configuration options you may want to consider before you start managing users within the Organization.

Creating Teams and defining User policies

User policies define the software features that are available on the ESET Endpoint Encryption (EEE) client, control security policies (e.g., minimum password strength and removable media encryption) and can set default options for users.

All ESET Endpoint Encryption policies in the EEE Server are hierarchical. Policies you define in a "Team" within the EEE Server will automatically be inherited by all "Sub Teams." You can change a single policy and apply it to a single user in a team, without affecting the other users, by creating a sub-team with that one policy difference and moving the user to that team.

Because of this team structure, you may wish to consider the layout of your organization at the start. If every user can have the same policy, then all users could be placed in a single root team. Another option is to have alternative policies for different users. Alternatively, you can group users by geographical location, business function or role, without changing the policies.

You can move users between teams and change policies at any time, so it is not essential to get this right straight away. You could choose to start with all users in a single team with one policy, and make changes as you and your users become more experienced with the software.

For more information about user policies, see: How do I modify group policy?

For a brief description of the different types of policies in EEE Server, see: Workstation and Group Policy

Creating encryption keys

If you are using the granular encryption features of the EEE client for file, folder, container or email encryption, you may want to assign encryption keys to your users. If you have users who need to share the same encrypted data, then they will need to be assigned the same encryption key. If you do not want users to access encrypted data, then they should not be assigned that particular encryption key.

These encryption keys are only applicable to the granular encryption features and are not related to Full Disk Encryption.

As with policies, encryption key access is granted hierarchically, so users in a sub-team will inherit encryption keys from a parent team. Keys can also be added and removed at any time so you can skip this stage initially and add keys later.

For more information, visit Create Encryption Keys and Encryption Key Groups and then assign them to a user
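
The inheritance rules for policies and encryption keys described above can be checked against a planned team layout before it is built in the EEE Server. The following is an added example, not ESET code and not an EEE Server API: a plain-Python model in which the team names, setting names, key names and users are all constructed.

```python
# Added illustration: a plain-Python model of team inheritance, not an ESET API.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Team:
    name: str
    parent: Optional["Team"] = None
    policy: dict = field(default_factory=dict)  # only settings changed at this level
    keys: set = field(default_factory=set)      # keys granted at this level
    users: list = field(default_factory=list)

    def chain(self):
        """Teams from the root down to this team."""
        node, path = self, []
        while node is not None:
            path.append(node)
            node = node.parent
        return list(reversed(path))

    def effective_policy(self):
        """Parent settings first; a sub-team's own settings override them."""
        merged = {}
        for team in self.chain():
            merged.update(team.policy)
        return merged

    def effective_keys(self):
        """Keys granted here plus every key inherited from parent teams."""
        granted = set()
        for team in self.chain():
            granted |= team.keys
        return granted

def key_holders(teams):
    """Map each key to the sorted users who can use it, for an access review."""
    holders = {}
    for team in teams:
        for key in team.effective_keys():
            holders.setdefault(key, set()).update(team.users)
    return {key: sorted(users) for key, users in holders.items()}

# Constructed layout: every name and value below is hypothetical.
root = Team("Root", policy={"min_password_length": 8, "removable_media": "encrypt"},
            keys={"company-shared"}, users=["alice"])
finance = Team("Finance", parent=root, keys={"finance-data"}, users=["bob", "carol"])
finance_exc = Team("Finance-Exception", parent=finance,
                   policy={"removable_media": "allow"}, users=["dave"])
TEAMS = [root, finance, finance_exc]
```

Calling `key_holders(TEAMS)` shows that a key granted at the root reaches every user below it, which is the case to review before assigning keys high in the hierarchy.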

Adding licenses

When you purchase a license, you will receive a Product ID and Product Key. The EEE Server can store multiple licenses, which might be for different products (e.g., for Windows operating systems or Mobile devices) or might contain different feature sets (e.g., Professional licenses for users who require Full Disk Encryption, and Standard licenses for those that do not). Before the EEE client can be activated, the user must be licensed. You can assign licenses to users by selecting a license from within the EEE Server.

For more information about adding licenses, see: How do I add a new client license to my ESET Endpoint Encryption Server

Adding Users

There are two main ways to add users to the EEE Server: you can either add the details manually or import the details from Active Directory. There is no actual difference between the two approaches, and the users in the EEE Server would be identical in either case. One benefit of using Active Directory synchronization is that it will automatically keep user details up to date in the Enterprise Server if they are changed in the Active Directory. If you use the Team import, it will create and maintain Teams within EEE Server that correspond to the Organizational Units (OUs) defined in the Active Directory. In either case, the users are licensed in the same way, and there is no difference in behavior on the EEE client machine.

Manually add users

Users can be added directly to a team by typing or pasting their details into the Add interface. For more details, see How do I add users to the Enterprise Server

Import from Active Directory

Users can be imported into the EEE Server from an Active Directory. For more details see: How does the ESET Endpoint Encryption Server Synchronize with Active Directory?

Define workstation policies

Workstation policies operate in a similar way to user policies. The main point of the workstation policy is to control policies when the user deactivates EEE and to have policies in place before the user is activated. It also contains some workstation-specific settings.

Workstation policies are included in the EEE client MSI, so once defined, they will be included in the install when the installer is created.

As with User teams, you may want to use Workstation teams either to arbitrarily group workstations into more convenient sets or to make it easier to have different sets of policies available for different situations.

For more information about workstation policies, see How do I modify a workstation policy?

For a brief description of the different types of policies in the EEE Server, see: What are Workstation and Group Policies

Create a managed install

There are two ways to install the EEE client.

  • Download the MSI from the EEE Server and deploy it manually or with third-party tools like SCCM, Altiris or Avnet BMC (Marimba).
  • Use the network push function in the EEE Server to automatically connect to the workstation over the network and run the install automatically.

There is no functional difference between the two approaches, and the EEE client machine will operate identically in either case. Use the approach that is either the quickest or easiest for you.

For more information, see Install a managed version of ESET Endpoint Encryption

Updating client installs

The EEE client software is frequently updated, so depending on the age of your EEE Server, you may not have the latest version available. Alternatively, you may wish to add a non-English language version of the client software to the EEE Server. You can, therefore, make changes to the client installs by uploading new versions and removing old versions you no longer need. For more information, see: Upload a new client version for ESET Endpoint Encryption Server.

Activating a user

The final step in using the EEE Server is to activate the user. The user activation process will also add the workstation record to the Organization, and from this point, you will be able to manage both the user and workstation and, if available, perform Full Disk Encryption operations.

For more information, see How do I activate a managed version of ESET Endpoint Encryption