[KB7182] Self Enrollment in ESET Endpoint Encryption

Solution

ESET Endpoint Encryption (EEE) Client and EEE Server are separate products from ESET Full Disk Encryption (EFDE)

The article below applies only to the EEE Client or EEE Server and not EFDE.

Visit What's new in ESET Full Disk Encryption to view EFDE content.

The new Self-Enrollment feature provides automatic activation for systems that are on the same local network as the ESET Endpoint Encryption (EEE) Server. When a user logs into their domain account, the EEE Server is contacted and the ESET Endpoint Encryption client is automatically provided with the user’s key-file and activation information.

This provides a seamless experience for the user, especially when roaming, since a user can log into a new workstation without needing to activate EEE.

Once Self-Enrollment is completed, the EEE Server and client communicate through the Cloud Proxy. Key-File updates, Full Disk Encryption and all the EEE functions continue to operate as usual.

To use Self-Enrollment, users must exist in the Active Directory that the EEE Server queries to identify and enroll them. If a user cannot activate with Self-Enrollment, for example because the workstation is not connected to the LAN, traditional activation can still be used: the user can be sent an activation email with a clickable activation button, or the activation code can be typed in manually.

Setup Guide

  1. Enable ESET Endpoint Encryption Server Direct Communications (ESDirect)

     This option is enabled by default on new installations of the EEE Server (v2.8.0 or later). Self-Enrollment uses an EEE Server feature called ESDirect, which provides Self-Enrollment and Network Discovery (so the EEE Client can find the server).

       1. Open the EEE Server Control Panel. In the Administration section, click Settings.

       2. Select the check box next to Enable ESET Endpoint Encryption Server Direct Communications.

     The Communications Port can be changed from the default 8266 if required.

     Specify a unique port number for each Organization
     If you are using the multi-tenant version of the EEE Server with multiple Organizations, you must specify a unique port number for each Organization so that Self-Enrollment works correctly. If the communications port is changed, existing clients must be reconfigured, because the port is delivered as part of the Workstation Policy included in the install. See the Applying to existing workstations section in this article for the additional steps required: How do I modify workstation policy?

Figure 1-1

  2. Configure the firewall

     For client workstations to self-enroll, the network must allow inbound access on the communications port specified in Step 1 to the machine hosting the EEE Server.

     Ensure that both the hardware and software firewalls protecting the EEE Server allow port 8266 (the default) for both UDP and TCP traffic from the domain network. Restrict the exception to the internal networks from which workstations enroll; do not expose the port to untrusted networks. Alternatively, with software firewalls, you can add the EEE Server executable, dlpecsrv.exe, as an exclusion. It is located in the EEE Server installation folder, by default C:\Program Files\ESET Endpoint Encryption Server\ (C:\Program Files (x86)\ESET Endpoint Encryption Server\ when a 32-bit build is installed on a 64-bit host).

     Visit this article to view an example for opening the built-in Windows Firewall: Opening the Windows Firewall for Self-Enrollment.

  3. Ensure client licenses have been added to the ESET Endpoint Encryption Server

     Make sure the pool of licenses you will be using has been added to the EEE Server. See: Add a new client license to my ESET Endpoint Encryption Server.

  4. Import users from Active Directory

     Self-Enrollment requires users who are activating to have their details imported from an Active Directory server and to have a license assigned to them. When configuring the Active Directory settings you can select which license new users are allocated when they enroll. If no license is selected, only users who are already licensed can use Self-Enrollment. If users were not imported automatically, perform a manual import before proceeding.
     For more information about setting up Active Directory synchronization, visit: How does the ESET Endpoint Encryption Server integrate with Active Directory?

Figure 1-2

  5. Enable Self-Enrollment in the Workstation Policy

     This option is already enabled by default on new installs of DESlock+ Enterprise Server version 2.8.0 / ESET Endpoint Encryption Server 3.0 or later.

     Self-Enrollment is controlled in the EEE Client by a workstation policy setting. If you are enabling this option for existing workstations, they must be updated once the setting has been changed. Visit the Applying to existing workstations section in How do I modify workstation policy? for more information.

Figure 1-3

  6. Install software on target workstations

     With the Self-Enrollment setting enabled, install the software on the workstations using push install or a client .msi install. See: Install software on target workstations.

  7. Log in as the user

     When the user logs in to their domain profile on the workstation, the client activates automatically and the user appears licensed and linked to the workstation in the EEE Server.
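The following PowerShell script is an added example for Step 2 and is not part of the original article or of ESET's tooling. Run it elevated on the EEE Server host. It assumes the default port 8266 and the default installation path (both from the article); the rule names are chosen here. Rather than opening the port to any address, it ties the rules to dlpecsrv.exe, the Domain profile and the local subnet, then checks that something is actually listening on the port.

```powershell
# Added example: open the ESDirect port on the EEE Server host (run elevated).
# Assumptions (not from the article): default port 8266, default install path,
# and that self-enrolling clients sit on the same subnet as the server.
$Port      = 8266
$ServerExe = 'C:\Program Files\ESET Endpoint Encryption Server\dlpecsrv.exe'

if (-not (Test-Path $ServerExe)) {
    throw "EEE Server executable not found at $ServerExe; adjust the path."
}

# One inbound rule per protocol: Self-Enrollment needs both UDP (discovery)
# and TCP. Scope the rules to dlpecsrv.exe and the Domain profile, and limit
# the source to the local subnet instead of 'Any', so the port is never
# exposed on an untrusted network.
foreach ($Proto in 'TCP', 'UDP') {
    $Name = "EEE Server ESDirect $Proto $Port"
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName $Name   # idempotent re-run
    }
    New-NetFirewallRule -DisplayName $Name `
        -Direction Inbound -Action Allow -Enabled True `
        -Profile Domain -Protocol $Proto -LocalPort $Port `
        -RemoteAddress LocalSubnet -Program $ServerExe | Out-Null
}

# Verify the rules and show the protocol/port each one covers.
Get-NetFirewallRule -DisplayName 'EEE Server ESDirect*' |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# A firewall rule is useless if the server is not listening; check the socket.
$Listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if ($Listener) {
    $Owner = (Get-Process -Id $Listener[0].OwningProcess).ProcessName
    Write-Host "TCP $Port is listening (owning process: $Owner)."
} else {
    Write-Warning "Nothing is listening on TCP $Port; check that ESDirect is enabled and the EEE Server service is running."
}
```

The hardware firewall in front of the server still needs a matching rule; this script only covers the Windows Firewall on the host. If you changed the Communications Port in Step 1, change `$Port` to match.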

 

Proxy Sync:

Because the Self-Enrollment process communicates directly with the EEE Server, the workstation appears in the EEE Server immediately; no Proxy Sync is required for it to show up.

Figure 1-4



Troubleshooting

Logging

The ESDirect and Self-Enrollment log can be found in the following locations. If you are experiencing difficulties and require assistance, attach this file to your support ticket where possible:

Windows XP: \Documents and Settings\\Local Settings\DESkey\DESlock+\ESDirect.log

Windows Vista and later: \Users\\AppData\Local\DESkey\DESlock+\ESDirect.log

Communications Timeout

If the log file contains 'Server Not Found C03B0003', the workstation cannot reach the EEE Server. Ensure that the firewall exceptions described above allow the workstation to communicate with the EEE Server over both UDP and TCP. Additionally, if your network blocks multicast UDP packets, network discovery cannot locate the server and you must specify the exact Server Address as described in the client settings below.

User not found

If the log file contains 'Command Failed C03B000E', the user was not found in the EEE Server. Ensure the user has been imported from the domain into the EEE Server. The user must also already be licensed, unless you have selected a license for automatic licensing in the ESDirect settings.

Client Settings

The following registry values control Self-Enrollment in the EEE Client. They are listed for reference; the values marked as set through Workstation Policy are overwritten when policy is applied, so change them in the policy rather than directly. Take care when editing the registry.

  • Server Address: Use this to set the address of the server manually if multicast UDP packets are blocked by the network. In this example, the server address is dlpes.mydomain.local. You may also set a static IP address instead of a name if DNS is not implemented correctly. [HKEY_LOCAL_MACHINE\SOFTWARE\DESlock\Client\CentralCtrl] Insert new string value: "DLPESDirectAddress"="dlpes.mydomain.local"
  • Enable Self-Enrollment: Set through ES Workstation Policy. [HKEY_LOCAL_MACHINE\SOFTWARE\DESlock\Client] "EnableSelfEnrolment"=dword:00000001
  • Server Port: Set through ES Workstation Policy. The example below shows the default port 8266 (0x204A). [HKEY_LOCAL_MACHINE\SOFTWARE\DESlock\Client\CentralCtrl] "DLPESDirectPort"=dword:0000204A
  • Balloon Popup after Activation: Setting this value to 0 suppresses the notification balloon shown to the user when the system activates. If the value is absent, the notification is shown. [HKEY_LOCAL_MACHINE\SOFTWARE\DESlock\Client\CentralCtrl] "SelfEnrolmentPopup"=dword:00000000
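The following PowerShell script is an added example that ties together the Troubleshooting and Client Settings sections above; it is not part of the original article or of ESET's tooling. On a workstation it reads the effective client values, scans ESDirect.log for the two error codes the article documents, tests TCP reachability of the server on the ESDirect port, and, only when asked, pins DLPESDirectAddress for networks that block multicast discovery. The registry paths, value names, default port and error codes come from the article; the server name dlpes.mydomain.local is the article's example, and the parameter names, log-scanning logic and messages are this example's own.

```powershell
# Added example: diagnose Self-Enrollment on a client and optionally pin the
# server address. Run elevated; writing under HKLM requires administrator rights.
param(
    [string]$ServerAddress,   # e.g. dlpes.mydomain.local (the article's example)
    [switch]$SetAddress       # write DLPESDirectAddress only when explicitly asked
)

$ClientKey  = 'HKLM:\SOFTWARE\DESlock\Client'
$CentralKey = "$ClientKey\CentralCtrl"

# Error codes quoted in the article, mapped to their meaning and what to check.
$KnownErrors = @{
    'C03B0003' = 'Server Not Found: firewall (TCP+UDP) or multicast discovery blocked; pin DLPESDirectAddress.'
    'C03B000E' = 'User not found on the EEE Server: import the user from AD and check licensing/auto-license.'
}

# 1. Read the effective client settings (normally delivered by Workstation Policy).
$Enabled = (Get-ItemProperty -Path $ClientKey  -Name EnableSelfEnrolment -ErrorAction SilentlyContinue).EnableSelfEnrolment
$Port    = (Get-ItemProperty -Path $CentralKey -Name DLPESDirectPort     -ErrorAction SilentlyContinue).DLPESDirectPort
$Pinned  = (Get-ItemProperty -Path $CentralKey -Name DLPESDirectAddress  -ErrorAction SilentlyContinue).DLPESDirectAddress
if (-not $Port) { $Port = 8266 }   # article default, stored as dword 0x204A

"Self-Enrollment enabled : $Enabled"
"ESDirect port           : $Port (dword 0x{0:X8})" -f $Port
"Pinned server address   : $(if ($Pinned) { $Pinned } else { '<none, multicast discovery>' })"

# 2. Scan ESDirect.log (per-user, so run as the enrolling user) for known codes.
$LogPath = Join-Path $env:LOCALAPPDATA 'DESkey\DESlock+\ESDirect.log'
if (Test-Path $LogPath) {
    $Hits = Select-String -Path $LogPath -Pattern ($KnownErrors.Keys -join '|')
    foreach ($Code in $KnownErrors.Keys) {
        $n = @($Hits | Where-Object { $_.Line -match $Code }).Count
        if ($n -gt 0) { Write-Warning ("{0} x{1}: {2}" -f $Code, $n, $KnownErrors[$Code]) }
    }
    if (-not $Hits) { "No known error codes in $LogPath" }
} else {
    Write-Warning "Log not found at $LogPath; the log is per-user, so run as the user who is enrolling."
}

# 3. Test TCP reachability of the server on the ESDirect port. (UDP discovery
#    cannot be probed this way; a TCP success with C03B0003 in the log points
#    at blocked multicast rather than a closed port.)
$Target = if ($ServerAddress) { $ServerAddress } elseif ($Pinned) { $Pinned }
if ($Target) {
    $Tcp = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
    if ($Tcp.TcpTestSucceeded) { "TCP ${Target}:${Port} reachable" }
    else { Write-Warning "TCP ${Target}:${Port} NOT reachable; check the server host firewall and any firewall in between." }
}

# 4. Pin the server address when multicast discovery is blocked.
if ($SetAddress) {
    if (-not $ServerAddress) { throw '-SetAddress requires -ServerAddress.' }
    if (-not (Test-Path $CentralKey)) { New-Item -Path $CentralKey -Force | Out-Null }
    Set-ItemProperty -Path $CentralKey -Name DLPESDirectAddress -Value $ServerAddress -Type String
    "DLPESDirectAddress set to $ServerAddress"
}
```

Typical use: run it with no parameters first to see the effective settings and any logged error codes, then `.\Check-SelfEnrollment.ps1 -ServerAddress dlpes.mydomain.local` to test reachability, and add `-SetAddress` only once you have confirmed the network blocks multicast, since a wrong pinned address stops discovery from working at all.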