
DESlock+ Self Enrolment - Knowledge Base / ESET Endpoint Encryption - ESET Tech Center

DESlock+ Self Enrolment


What is Self Enrolment?

The new Self Enrolment feature provides automatic activation for systems that are on the same local network as the Enterprise Server. When a user logs into their domain account, the Enterprise Server is contacted and the DESlock+ client is automatically provided with the user’s key-file and activation information.

This provides a seamless experience for the user, especially when roaming, as a user can log into a new workstation without needing to perform the traditional DESlock activation. 

Once Self Enrolment has been completed, the Enterprise Server and DESlock+ client are able to communicate through the DESlock+ Cloud Proxy in the usual way. Key-File updates, Full Disk Encryption and all the DESlock+ functions continue to operate as normal.

Users must exist in an Active Directory, which the Enterprise Server queries to identify and enrol them.

If a user is unable to activate using Self Enrolment, for example because they are not connected to the LAN, the traditional activation can still be used. The user can be sent an activation email, which they can click, or the activation code can be typed in.

Setup Guide 

Step 1. Enable Enterprise Server Direct Communications – ESDirect

This option is enabled by default on new installs of Enterprise Server (v2.8.0 or later).

Self Enrolment uses a new Enterprise Server feature called ESDirect. Currently ESDirect only provides Self Enrolment and Network Discovery (so the DESlock+ Client can find the server), however it may in future provide other functionality. 

To enable the facility, open the Enterprise Server Control Panel, select Administration\Settings and set the checkbox named Enable Enterprise Server Direct Communications. If you modify the setting, ensure you click the Save button in the lower right corner to apply the change.

The Communications Port can be changed from the default 8266 setting if required. 

Please note: If the communications port is changed, any existing DESlock+ clients will need to be reconfigured. The setting is included as part of Workstation Policy within the install. Please see the section 'Applying to existing workstations' in this article for details of the steps required: KB229 - How do I modify workstation policy?

Step 2. Configure firewall to allow access 

For the client workstations to self-enrol, the network must allow access on the communications port specified in Step 1 into the machine hosting the Enterprise Server. 

You should ensure that both hardware and software firewalls protecting the Enterprise Server open port 8266 (default setting) for both UDP and TCP traffic from the domain network. Alternatively, with software firewalls you can specify the executable of the Enterprise Server itself, dlpecsrv.exe, as an exclusion. This can be located in the Enterprise Server folder C:\Program Files\DESlock+ Enterprise Server\ (or Program Files (x86) on 32 bit hosts).

Please see the following example for opening the built-in Windows Firewall: KB426 - Opening the Windows Firewall for Self Enrolment

Step 3. Ensure client licences have been added to the Enterprise Server

If you have not done so already, ensure the pool of licences you will be using has been added to the Enterprise Server. There are details of the procedure for this in the following article: KB218 - How do I add a new client licence to my Enterprise Server?

Step 4. Active Directory Settings

Self Enrolment requires that activating users have their details imported from an Active Directory server and have a licence assigned to them. When configuring the Active Directory settings you can choose which licence newly licenced users are allocated to when they enrol. If no licence is selected, then only already licenced users can use Self Enrolment.

If you have not specified to automatically import users then you should perform a manual import before proceeding.  For more information on setting up Active Directory synchronization, please see this article: KB113 - How does the Enterprise Server integrate with Active Directory?

Step 5. Workstation Policy

This option is already enabled by default on new installs of Enterprise Server (v2.8.0 or later).

Self Enrolment is controlled in the DESlock+ Client via a new workstation policy.

Please note: If you have existing workstations you wish to enable this option for, the workstations must be updated once the setting has been changed. Please see the section 'Applying to existing workstations' in this article for details of the steps required: KB229 - How do I modify workstation policy?

Step 6. Install software on target workstations

With the Self Enrolment setting enabled you will need to install the software on the workstations; this can be achieved using push install or a client MSI install.

Please see the following article for details: KB253 - Installing a managed version of DESlock+

Step 7. Activation

With the above settings configured, when the user logs into their domain network profile on the workstation they will activate automatically and will appear licenced and linked to the workstation in the Enterprise Server.

It should be noted that, because the Self Enrolment process communicates directly with the Enterprise Server, the workstation appears in the Enterprise Server without a Proxy Sync process being required.
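As an added example (not from the article or from ESET) of Step 2, the following PowerShell creates the inbound Windows Firewall rules on the Enterprise Server host for the default port 8266 over both TCP and UDP, scoped to the Domain profile and to the dlpecsrv.exe executable so that nothing else on the host can accept traffic on that port. It assumes the default port and install path from the article; the rule names are chosen here.

```powershell
# Added example (not from the article or from ESET): inbound Windows Firewall rules
# for ESDirect on the Enterprise Server host, scoped to the Domain profile and to the
# server executable so that only dlpecsrv.exe can accept traffic on the port.
# Assumptions: default port 8266 and default install path from the article; adjust
# $Port if it was changed in Administration\Settings.
$Port    = 8266
$Program = 'C:\Program Files\DESlock+ Enterprise Server\dlpecsrv.exe'   # Program Files (x86) on 32-bit hosts

if (-not (Test-Path $Program)) {
    throw "Enterprise Server executable not found at $Program"
}

foreach ($proto in 'TCP', 'UDP') {
    $name = "DESlock+ ESDirect ($proto $Port)"   # rule name chosen for this example
    # Create the rule only if it does not already exist, so the script can be re-run safely
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name `
            -Direction Inbound -Action Allow -Profile Domain `
            -Protocol $proto -LocalPort $Port -Program $Program | Out-Null
        Write-Output "Created rule: $name"
    } else {
        Write-Output "Rule already present: $name"
    }
}

# Verify: list the rules together with their protocol and port filters
Get-NetFirewallRule -DisplayName 'DESlock+ ESDirect*' |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        '{0}: {1}/{2} enabled={3}' -f $_.DisplayName, $pf.Protocol, $pf.LocalPort, $_.Enabled
    }
```

Run from an elevated PowerShell session on the Enterprise Server host; hardware firewalls between the workstations and the server still need the equivalent allow rule.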

Troubleshooting 

Logging

The ESDirect and Self Enrolment log can be found in the following directories. If you are experiencing difficulties and require assistance, you should provide this log with your support enquiry where possible:

Windows XP: \Documents and Settings\<username>\Local Settings\DESkey\DESlock+\ESDirect.log

Windows Vista and later: \Users\<username>\AppData\Local\DESkey\DESlock+\ESDirect.log

Communications Timeout

If the log file contains 'Server Not Found C03B0003' then the workstation is unable to communicate with the Enterprise Server. You should ensure that exceptions have been included for firewalls as detailed above to allow the workstation to communicate with the Enterprise Server over both UDP and TCP. Additionally, if your network is configured to block multicast UDP packets, you will need to specify the exact Server Address as detailed in the client settings below.


User not found

If the log file contains 'Command Failed C03B000E' then the user was not found in the Enterprise Server itself. You should ensure this user has been imported from the domain and has been added to the Enterprise Server. They should also be licensed already, unless you have selected a licence to use for auto licensing within the ES Direct settings.


Client Settings

The following settings are used to control Self Enrolment in the DESlock+ client. This information is provided for reference; take care when editing the registry.

Server Address

Use this to manually set the address of the server if multicast UDP packets are blocked by the network. In this example, the server address is dlpes.mydomain.local. You may also set a static IP address instead of a name if DNS is not implemented correctly.

[HKEY_LOCAL_MACHINE\SOFTWARE\DESlock\Client\CentralCtrl]
"DLPESDirectAddress"="dlpes.mydomain.local"


Enable Self Enrolment

Set through ES Workstation Policy  

[HKEY_LOCAL_MACHINE\SOFTWARE\DESlock\Client]
"EnableSelfEnrolment"=dword:00000001


Server Port

Set through ES Workstation Policy. The example below shows the default port 8266 (hexadecimal 0x204A).

[HKEY_LOCAL_MACHINE\SOFTWARE\DESlock\Client\CentralCtrl]
"DLPESDirectPort"=dword:0000204A


Balloon Popup After Activation

Setting this value to 0 suppresses the notification displayed to the user when the system activates.

No value = enabled

[HKEY_LOCAL_MACHINE\SOFTWARE\DESlock\Client\CentralCtrl]
"SelfEnrolmentPopup"=dword:00000000
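As an added example (not from the article or from ESET) covering both the client settings above and the troubleshooting section, the following PowerShell reads the Self Enrolment registry values on a workstation, tests TCP reachability of the configured server, and maps the two documented ESDirect.log error codes to their causes. It assumes the registry value names and the Windows Vista-and-later log path given in the article, that a missing DLPESDirectPort means the default 8266, and that a missing SelfEnrolmentPopup means the popup is enabled; the Get-RegValue helper is this example's own.

```powershell
# Added example (not from the article or from ESET): read the Self Enrolment client
# settings, test reachability of the configured server, and explain the documented
# ESDirect.log error codes.
# Assumptions: registry value names and log path as given in the article; 8266 is used
# when DLPESDirectPort is absent; an absent SelfEnrolmentPopup value means "enabled".
$ClientKey  = 'HKLM:\SOFTWARE\DESlock\Client'
$CentralKey = 'HKLM:\SOFTWARE\DESlock\Client\CentralCtrl'
$LogPath    = Join-Path $env:LOCALAPPDATA 'DESkey\DESlock+\ESDirect.log'

function Get-RegValue($Key, $Name) {
    # Helper for this example: returns $null instead of throwing when the key or value is missing
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

$enabled = Get-RegValue $ClientKey  'EnableSelfEnrolment'
$address = Get-RegValue $CentralKey 'DLPESDirectAddress'
$port    = Get-RegValue $CentralKey 'DLPESDirectPort'
$popup   = Get-RegValue $CentralKey 'SelfEnrolmentPopup'
if ($null -eq $port) { $port = 8266 }          # default from the article (dword 0x204A)

'EnableSelfEnrolment : {0}' -f $(if ($enabled -eq 1) { 'yes' } else { 'no (set via ES Workstation Policy)' })
'Server address      : {0}' -f $(if ($address) { $address } else { '<not set: relies on multicast UDP discovery>' })
'Server port         : {0} (0x{0:X})' -f $port
'Activation popup    : {0}' -f $(if ($popup -eq 0) { 'suppressed' } else { 'enabled (no value = enabled)' })

# Only the TCP side can be probed from here; the multicast UDP discovery cannot be tested this way
if ($address) {
    $tcp = Test-NetConnection -ComputerName $address -Port $port -WarningAction SilentlyContinue
    'TCP {0}:{1} reachable: {2}' -f $address, $port, $tcp.TcpTestSucceeded
}

# Map the error codes the article documents to their likely cause
$KnownCodes = @{
    'C03B0003' = 'Server Not Found: check TCP+UDP firewall exceptions; if multicast is blocked, set DLPESDirectAddress'
    'C03B000E' = 'Command Failed: user not imported from AD or not licensed on the Enterprise Server'
}
if (Test-Path $LogPath) {
    Get-Content $LogPath | Select-String -Pattern ($KnownCodes.Keys -join '|') | ForEach-Object {
        $code = $_.Matches[0].Value
        '{0}  ->  {1}' -f $_.Line.Trim(), $KnownCodes[$code]
    }
} else {
    "No ESDirect.log at $LogPath (no Self Enrolment attempt has been logged for this user yet)"
}
```

Run it as the logged-on domain user on the workstation, since the log lives under that user's profile.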


Related Articles:

KB417 - Description of ES Direct protocol

keywords: self, enrolment, automatic, activation, auto, activate
