ESET Endpoint Encryption Self Enrolment
What is Self Enrolment?
The new Self Enrolment feature provides automatic activation for systems that are on the same local network as the ESET Endpoint Encryption (EEE) Server. When a user logs into their domain account, the EEE Server is contacted and the ESET Endpoint Encryption client is automatically provided with the user’s key-file and activation information.
This provides a seamless experience for the user, especially when roaming, as a user can log into a new workstation without needing to perform the traditional EEE activation.
Once Self Enrolment has been completed, the EEE Server and client are able to communicate through the Cloud Proxy in the usual way. Key-File updates, Full Disk Encryption and all the EEE functions continue to operate as normal.
Users must exist in an Active Directory domain that the EEE Server queries to identify and enrol them.
If a user cannot activate using Self Enrolment, for example because they are not connected to the LAN, the traditional activation can still be used: the user can be sent an activation email, which they click, or the activation code can be typed in.
Step 1. Enable ESET Endpoint Encryption Server Direct Communications – ESDirect
This option is enabled by default on new installs of EEE Server (v2.8.0 or later).
Self Enrolment uses a new EEE Server feature called ESDirect. Currently ESDirect only provides Self Enrolment and Network Discovery (so the EEE Client can find the server), however it may in future provide other functionality.
To enable the facility open the EEE Server Control Panel, select Administration\Settings and set the checkbox named Enable ESET Endpoint Encryption Server Direct Communications. If you modify the setting, ensure you click the Save button in the lower right corner to apply the change.
The Communications Port can be changed from the default 8266 setting if required.
IMPORTANT: If you are using the multi-tenant version of the EEE Server with multiple Organisations, then you must specify a unique port number for each Organisation for Self Enrolment to work correctly.
Please note: if the communications port is changed, existing clients must be reconfigured, because the setting is delivered as part of the Workstation Policy within the install. See the section 'Applying to existing workstations' in this article for the steps required: KB229 - How do I modify workstation policy?
Step 2. Configure firewall to allow access
For the client workstations to self-enrol, the network must allow access on the communications port specified in Step 1 into the machine hosting the EEE Server.
Ensure that both hardware and software firewalls protecting the EEE Server allow inbound TCP and UDP traffic on port 8266 (the default) from the domain network; scope the rule to the domain network rather than opening the port to all networks. Alternatively, on software firewalls you can add the EEE Server executable itself, dlpecsrv.exe, as an exception. It is located in the EEE Server folder C:\Program Files\ESET Endpoint Encryption Server\ (or C:\Program Files (x86)\ESET Endpoint Encryption Server\ if the server is installed as a 32-bit application on 64-bit Windows).
Please see the following example for opening the built-in Windows Firewall: KB426 - Opening the Windows Firewall for Self Enrolment
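The following PowerShell script is an added example of the Step 2 configuration; it is not taken from KB426 or from ESET. It creates inbound Windows Firewall rules for the communications port (both TCP and UDP, restricted to the Domain profile), or, with -ByProgram, a single rule for dlpecsrv.exe instead, and then lists what was created. The rule names, the $Port default of 8266 and the executable path are assumptions: if you changed the Communications Port in Step 1, pass the new value.

```powershell
# Added example, not ESET's own script. Run elevated on the host running the EEE Server.
# Assumptions: the built-in Windows Firewall is in use, and $Port matches the
# Communications Port configured in Administration\Settings (default 8266).
#Requires -RunAsAdministrator
param(
    [int]$Port = 8266,
    [switch]$ByProgram,   # allow dlpecsrv.exe instead of a fixed port
    [string]$ServerExe = "$env:ProgramFiles\ESET Endpoint Encryption Server\dlpecsrv.exe"
)

function Add-RuleIfMissing([string]$Name, [hashtable]$Params) {
    # Idempotent: re-running the script does not create duplicate rules.
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) {
        Write-Host "Rule already present: $Name"
        return
    }
    # Profile Domain only: the port stays closed on Public and Private networks.
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Allow `
        -Profile Domain -Enabled True @Params | Out-Null
    Write-Host "Created rule: $Name"
}

if ($ByProgram) {
    # Fall back to the 32-bit-on-64-bit location if the default path does not exist.
    if (-not (Test-Path $ServerExe)) {
        $ServerExe = "${env:ProgramFiles(x86)}\ESET Endpoint Encryption Server\dlpecsrv.exe"
    }
    if (-not (Test-Path $ServerExe)) { throw "dlpecsrv.exe not found; pass -ServerExe" }
    Add-RuleIfMissing 'EEE Server ESDirect (dlpecsrv.exe)' @{ Program = $ServerExe }
} else {
    # Self Enrolment needs both protocols: UDP for discovery, TCP for the enrolment itself.
    foreach ($proto in 'TCP', 'UDP') {
        Add-RuleIfMissing "EEE Server ESDirect ($proto $Port)" @{ Protocol = $proto; LocalPort = $Port }
    }
}

# Verify: show the resulting rules with their port or program filter.
Get-NetFirewallRule -DisplayName 'EEE Server ESDirect*' | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    $af = $_ | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Rule = $_.DisplayName; Enabled = $_.Enabled; Profile = $_.Profile
        Protocol = $pf.Protocol; Port = $pf.LocalPort; Program = $af.Program
    }
} | Format-Table -AutoSize
```

If a hardware firewall or a third-party host firewall sits in front of the server, mirror the same rule there; the Windows rule alone does not help if the upstream device drops the traffic first.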
Step 3. Ensure client licences have been added to the ESET Endpoint Encryption Server
If you have not done so already ensure the pool of licences you will be using have been added to the EEE Server. There are details of the procedure for this in the following article: KB218 - How do I add a new client licence to my ESET Endpoint Encryption Server?
Step 4. Active Directory Settings
Self Enrolment requires that the activating users have had their details imported from an Active Directory server and have a licence assigned. When configuring the Active Directory settings you can choose which licence is allocated to newly licenced users when they enrol. If no licence is selected, only users who are already licenced can use Self Enrolment.
If you have not specified to automatically import users then you should perform a manual import before proceeding. For more information on setting up Active Directory synchronization, please see this article: KB113 - How does the ESET Endpoint Encryption Server integrate with Active Directory?
Step 5. Workstation Policy
This option is already enabled by default on new installs of DESlock+ Enterprise Server v2.8.0 / ESET Endpoint Encryption Server 3.0 or later.
Self Enrolment is controlled in the EEE Client via a new workstation policy.
Please note: If you have existing workstations you wish to enable this option for, the workstations must be updated once the setting has been changed. Please see the section 'Applying to existing workstations' in this article for details of the steps required: KB229 - How do I modify workstation policy?
Step 6. Install software on target workstations
With the Self Enrolment setting enabled, install the software on the workstations; this can be done with a push install or a client MSI install.
Please see the following article for details: KB253 - Installing a managed version of ESET Endpoint Encryption
Step 7. Activation
With the above settings configured, when the user logs into their domain profile on the workstation the client activates automatically, and the user appears licenced and linked to the workstation in the EEE Server.
Note that because the Self Enrolment process communicates directly with the EEE Server, the workstation appears in the EEE Server immediately, without waiting for a Proxy Sync.
The ESDirect and Self Enrolment log can be found in the following locations. If you are experiencing difficulties and require assistance, provide this log with your support enquiry where possible:
Windows XP: \Documents and Settings\<username>\Local Settings\DESkey\DESlock+\ESDirect.log
Windows Vista and later: \Users\<username>\AppData\Local\DESkey\DESlock+\ESDirect.log
Server not found
If the log file contains 'Server Not Found C03B0003' then the workstation cannot communicate with the EEE Server. Ensure that firewall exceptions have been added as detailed above so the workstation can reach the EEE Server over both UDP and TCP. Additionally, if your network blocks multicast UDP packets, you will need to specify the exact Server Address as detailed in the client settings below.
User not found
If the log file contains 'Command Failed C03B000E' then the user was not found in the EEE Server itself. Ensure this user has been imported from the domain and added to the EEE Server. They must also already be licenced, unless you have selected a licence to use for auto licensing within the ESDirect settings.
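The following PowerShell script is an added troubleshooting example, not part of ESET's documentation. It scans a client's ESDirect.log for the two codes discussed above, prints the remediation for each, and, when C03B0003 is present, checks that the server name resolves and that the communications port answers over TCP. The log line format is not documented on this page, so only the quoted substrings are matched; the server name dlpes.mydomain.local is the page's example and should be replaced with your own; and since Test-NetConnection cannot probe UDP, a passing TCP check does not prove the UDP path needed for discovery is open.

```powershell
# Added example, not ESET's own tooling. Run as the affected user on the client workstation.
# Assumptions: Windows Vista or later log path; $ServerName/$Port are what you configured in Step 1.
param(
    [string]$ServerName = 'dlpes.mydomain.local',   # page example; replace with your EEE Server
    [int]$Port = 8266,
    [string]$LogPath = "$env:LOCALAPPDATA\DESkey\DESlock+\ESDirect.log"
)

# The two codes this article documents, with the action it recommends for each.
$known = @{
    'C03B0003' = 'Server Not Found: the client cannot reach the EEE Server. Check the firewall allows TCP and UDP on the communications port; if multicast UDP is blocked, set the Server Address in the client settings.'
    'C03B000E' = 'Command Failed (user not found): the user is not in the EEE Server. Import the user from AD and make sure they are licenced, or select an auto-licence in the ESDirect settings.'
}

if (-not (Test-Path $LogPath)) {
    Write-Warning "No ESDirect.log at $LogPath (is the client installed, and has this user logged in?)"
    return
}

# Most recent occurrences first; older entries may describe an already-fixed problem.
$hits = Select-String -Path $LogPath -Pattern ($known.Keys -join '|') | Select-Object -Last 20
if (-not $hits) {
    Write-Host "No known ESDirect error codes found in $LogPath"
    return
}
foreach ($h in $hits) {
    $code = [regex]::Match($h.Line, 'C03B[0-9A-F]{4}').Value
    Write-Host ("line {0}: {1}" -f $h.LineNumber, $h.Line.Trim())
    Write-Host ("    -> {0}" -f $known[$code])
}

if ($hits.Line -match 'C03B0003') {
    # Name resolution first: a static IP in the Server Address setting works around broken DNS.
    try {
        $rec = Resolve-DnsName -Name $ServerName -ErrorAction Stop | Where-Object IPAddress | Select-Object -First 1
        Write-Host "DNS: $ServerName -> $($rec.IPAddress)"
    } catch {
        Write-Warning "DNS: cannot resolve $ServerName; consider a static IP in the Server Address setting"
    }
    # TCP reachability of the communications port (UDP is not testable this way).
    $tcp = Test-NetConnection -ComputerName $ServerName -Port $Port -WarningAction SilentlyContinue
    if ($tcp.TcpTestSucceeded) {
        Write-Host "TCP ${Port}: reachable from this client (UDP path not verified)"
    } else {
        Write-Warning "TCP ${Port}: blocked or nothing listening; review the Step 2 firewall rules on the server"
    }
}
```

If DNS resolves and TCP is reachable but the client still logs C03B0003, the remaining suspect is UDP discovery: either permit UDP on the port end to end or set the Server Address on the client so discovery is not needed.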
The following settings are used to control the Self Enrolment in the EEE client. This information is provided for reference, take care when editing the registry.
Server Address
Use this to set the address of the server manually if multicast UDP packets are blocked by the network. In this example the server address is dlpes.mydomain.local. You may also set a static IP address instead of a name if DNS is not implemented correctly.
Insert new string value:
Enable Self Enrolment
Set through ES Workstation Policy
Communications Port
Set through ES Workstation Policy. The example below uses the default port, 8266.
Balloon Popup After Activation
This suppresses the notification shown to the user when the system activates.
No value = enabled (the notification is shown)