Endpoint Encryption for (PC and Mac) 7.0 Product Guide for ePO 4.6

Product Guide
McAfee Endpoint Encryption 7.0
For use with ePolicy Orchestrator 4.6 Software
COPYRIGHT
Copyright © 2012 McAfee, Inc. Do not copy without permission.
TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator,
McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab,
McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection,
TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and
other countries. Other names and brands may be claimed as the property of others.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.
Contents

Preface . . . 7
    About this guide . . . 7
        Audience . . . 7
        Conventions . . . 7
    Find product documentation . . . 8

1 Introduction . . . 9
    Comprehensive McAfee Endpoint Encryption . . . 9
    What is McAfee Endpoint Encryption . . . 9
    How McAfee Endpoint Encryption works . . . 10
    Product components . . . 10
    Features . . . 12
    Requirements . . . 13
    Requirements testing for client systems . . . 15

2 Installing EEPC . . . 17
    Installing the EEPC client . . . 17
        Overview of the installation process . . . 17
        Install the EEPC and Help extensions . . . 18
        Check in the EEPC software packages . . . 19
        Register Windows Active Directory . . . 19
        Configure automation server task for LDAP synchronization . . . 20
        Deploy EEPC to the client system . . . 20
        Send an agent wake-up call . . . 21
        Install EEPC using a third-party tool . . . 22
        Add users to a system . . . 23
        Assign a policy to users . . . 23
        Configure UBP enforcement . . . 24
        Assign a policy to a system . . . 25
        Enforce EEPC policies on a system . . . 25
        Edit the client tasks . . . 26
        Enable the Pre-Boot Smart Check feature . . . 26
    Upgrading from EEPC 6.x.x . . . 28
        Overview of the upgrade process . . . 28
        User experience summary . . . 28
    Uninstalling the EEPC client . . . 29
        Deactivate the EEPC client . . . 29
        Remove EEPC from the client system . . . 30
        Remove the EEPC extensions . . . 31
        Remove the EEPC software packages . . . 31
        Manually uninstall EEPC from the client system . . . 31

3 EEPC offline activation . . . 33
    How offline activation works . . . 33
        Create and download the McAfee Agent installation package . . . 34
        Extracting the MSI packages (EEAgent and EEPC) . . . 35
        Extract the EpeOaGenXML.exe file . . . 35
        Extract and download the Key Server Public Key . . . 35
        Create the user configuration file . . . 36
    Creating the offline activation package . . . 36
        Generate the offline activation package . . . 37
    Performing offline activation . . . 38
        Install the McAfee Agent package . . . 38
        Install the EEAgent and EEPC software packages . . . 38
        Install the offline activation package and activate EEPC . . . 39
        Log on to the client system . . . 40
    Perform recovery tasks using EETech . . . 40

4 Installing EEMac . . . 43
    Installing the EEMac client . . . 43
        Overview of the installation process . . . 43
        Deploy McAfee Agent to the Mac OS X client . . . 44
        Deploy McAfee Agent to Mac OS X client through SSH . . . 45
        Install the EEMac extensions . . . 46
        Check in the EEMac software packages . . . 46
        Register Windows Active Directory . . . 47
        Configure automation task for LDAP synchronization . . . 47
        Deploy EEMac to the client system . . . 48
        Send an agent wake-up call . . . 49
        Add users to a system . . . 49
        Assign a policy to a system . . . 50
        Enforce EEMac policies on a system . . . 50
        Edit the client tasks . . . 51
        How to run the MER tool for EEMac . . . 51
    Upgrading from EEMac 1.x/6.x to EEMac 7.0 . . . 52
        Overview of the upgrade process . . . 52
        User experience summary . . . 53
    Uninstalling the EEMac client . . . 53
        Deactivate the Endpoint Encryption Agent . . . 53
        Remove EEMac from the client system . . . 54
        Remove the EEMac extensions . . . 55
        Remove the EEMac software packages . . . 55
        Manually uninstall EEMac from the client system . . . 56

5 Managing McAfee Endpoint Encryption policies . . . 57
    Policy management . . . 57
    Policy categories . . . 57
    Create a policy from the Policy Catalog . . . 68
    Edit EE policy settings from Policy Catalog . . . 68
    Assign a policy to a system group . . . 69
    Enforce EE policies on a system group . . . 69

6 Managing McAfee Endpoint Encryption users . . . 71
    View the list of users assigned to a system . . . 71
    Remove users from a system . . . 72
    Edit user inheritance . . . 72
    How EEPC controls the Windows logon mechanism . . . 73
    Enable Single-Sign-On (SSO) on a system . . . 73
    Synchronize the EEPC password with the Windows password . . . 74
    Configure password content rules . . . 75
    Manage a disabled user in Windows Active Directory . . . 75
    Managing the blacklist rule with the ALDU function . . . 76
        Add an ALDU blacklist policy . . . 76
    Configure global user information . . . 77
    Manage logon hours . . . 78
    Define EE permission sets for McAfee ePO users . . . 78

7 Managing client computers . . . 81
    Add a system to an existing system group . . . 81
    Move systems between groups . . . 82
    Select the disks for encryption . . . 83
    Enable or disable the automatic booting . . . 83
    Enable or disable the temporary automatic booting for PC . . . 84
    Enable or disable the temporary automatic booting for Mac . . . 85
    Set the priority of encryption providers . . . 85
    Maintain a list of incompatible products . . . 86
    Enable Accessibility (USB audio devices) in the Pre-Boot environment . . . 87
    Allow user to update self-recovery answers . . . 88
    Manage the default and customized themes . . . 88
    Assign a customized theme to a system . . . 89
    Manage simple words . . . 90
    Endpoint Encryption system recovery . . . 91

8 McAfee Endpoint Encryption out-of-band management . . . 93
    The EEDeep extension . . . 93
    Enable the out-of-band feature . . . 93
    Configure the Out Of Band - Remediation functionality . . . 94
    Configure the Out Of Band - Unlock PBA feature . . . 95
    Configure the Out Of Band - User Management feature . . . 97

9 Configuring and managing tokens/readers . . . 99
    Modify the token type associated with a system or group . . . 99
    How to use a Stored Value token in Endpoint Encryption for PC . . . 100
        Associate a Stored Value token with a system or group . . . 100
        How to make Single-Sign-On (SSO) work . . . 100
    How to use a PKI token in Endpoint Encryption . . . 101
        Associate a PKI token with a system or group . . . 101
        How to make SSO work for EEPC . . . 101
    How to use a Self-Initializing token in Endpoint Encryption . . . 101
        Associate a Self-Initializing token with a system or group . . . 102
        How to make SSO work for EEPC . . . 102
    Setup scenarios for the 'Read Username from Smartcard' feature . . . 102
        Set up using the Subject field . . . 103
        Set up using the Subject Alternative Name - Other Name field . . . 103
    How to use a Biometric token in Endpoint Encryption for PC . . . 104
        How to use a UPEK Biometric token in Endpoint Encryption for PC . . . 104
        How to use a Validity Biometric token in Endpoint Encryption for PC . . . 106

10 Managing EE reports . . . 107
    Queries as dashboard monitors . . . 107
    Create EE custom queries . . . 108
    View the standard EE reports . . . 108
    Endpoint Encryption client events . . . 110
    Create the EE dashboard . . . 112
    View the EE dashboard . . . 113
    Report the encrypted and decrypted systems . . . 113

11 Recovering users and systems . . . 115
    Enable or disable the self-recovery functionality . . . 115
    Perform the self-recovery on the client computer . . . 116
    Enable or disable the administrator recovery functionality . . . 116
    Perform administrator recovery on the client computer . . . 117
    Generate the response code for the administrator recovery . . . 118
    End user self-recovery in Mac systems . . . 118
        Perform end user self-recovery on a Mac system . . . 119

12 FIPS 140-2 certification . . . 121
    Pre-requisites to use EEPC in FIPS mode . . . 121
    Install the EEPC client packages in FIPS mode . . . 121
    Impact of FIPS mode . . . 122
    Uninstalling the EEPC client packages in FIPS mode . . . 122

13 Common Criteria EAL2+ mode operation . . . 123
    Administrator guidance . . . 123
    User guidance . . . 123

Index . . . 125
Preface
This guide provides the information you need to configure, use, and maintain your McAfee product.
Contents
About this guide
Find product documentation
About this guide
This information describes the guide's target audience, the typographical conventions and icons used
in this guide, and how the guide is organized.
Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
• Administrators — People who implement and enforce the company's security program.
• Users — People who use the computer where the software is running and can access some or all of its features.
Conventions
This guide uses these typographical conventions and icons.
Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.
Bold: Text that is strongly emphasized.
User input, code, message: Commands and other text that the user types; a code sample; a displayed message.
Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.
Hypertext blue: A link to a topic or to an external website.
Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
Warning: Critical advice to prevent bodily harm when using a hardware product.
Find product documentation
McAfee provides the information you need during each phase of product implementation, from
installation to daily use and troubleshooting. After a product is released, information about the product
is entered into the McAfee online KnowledgeBase.
Task
1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2 Under Self Service, access the type of information you need:
    User documentation:
        1 Click Product Documentation.
        2 Select a product, then select a version.
        3 Select a product document.
    KnowledgeBase:
        • Click Search the KnowledgeBase for answers to your product questions.
        • Click Browse the KnowledgeBase for articles listed by product and version.
1 Introduction
McAfee Endpoint Encryption delivers powerful encryption that protects data from unauthorized access,
loss, and exposure. With data breaches on the rise, it is important to protect information assets and
comply with privacy regulations.
Contents
Comprehensive McAfee Endpoint Encryption
What is McAfee Endpoint Encryption
How McAfee Endpoint Encryption works
Product components
Features
Requirements
Requirements testing for client systems
Comprehensive McAfee Endpoint Encryption
This guide indicates Endpoint Encryption (EE) as the term to describe EEPC and EEMac. The content
that refers to the term Endpoint Encryption (EE) is applicable to both EEPC and EEMac. Procedures and
other details that are different for EEPC and EEMac setup are described in separate sections indicating
its individual product name, for example, EEPC or EEMac.
The McAfee Endpoint Encryption (EE) suite provides multiple layers of defense against data loss with
several integrated modules that address specific areas of risk. The suite provides protection for
individual computers, roaming laptops, MacBooks, and Mac desktops with 64‑bit Extensible Firmware
Interface (EFI).
This guide discusses these McAfee Endpoint Encryption solutions:
• McAfee Endpoint Encryption for PC
• McAfee Endpoint Encryption for Mac
What is McAfee Endpoint Encryption
McAfee Endpoint Encryption (EE) is a strong cryptographic facility for denying unauthorized access to
data stored on any system or disk when it is not in use.
It prevents the loss of sensitive data, especially from lost or stolen equipment. It protects the data
with strong access control using Pre‑Boot Authentication and a powerful encryption engine.
To log on to a system, the user must first authenticate through the Pre‑Boot environment. On a
successful authentication, the client system's operating system (Microsoft Windows or Mac OS X) loads
and gives access to normal system operation. McAfee Endpoint Encryption is completely transparent to
the user and has little impact on the computer's performance.
McAfee Endpoint Encryption is the encryption software installed on client systems and the managing component on the servers. It is deployed and managed through McAfee ePolicy Orchestrator (McAfee ePO) using policies. A policy is a set of rules that determine how McAfee Endpoint Encryption software functions on the user's computer.
How McAfee Endpoint Encryption works
McAfee Endpoint Encryption protects the data on a system by taking control of the hard disk or self-encrypting drive (Opal) away from the operating system. For more information about Opal, see Features. The Endpoint Encryption driver encrypts all data written to the disk and decrypts the data read from it.
The McAfee Endpoint Encryption software is installed on the client system. After installation completes, and depending on the settings in the Endpoint Encryption policy assigned to the client system, the client might start to activate Endpoint Encryption. Until activation succeeds, encryption does not start and Pre-Boot Authentication does not appear when the system is restarted.
During activation, the system synchronizes with McAfee ePolicy Orchestrator (McAfee ePO) and acquires user data, token data, and Pre-Boot theme data.
A system can also be activated without synchronizing with the McAfee ePO server by following the offline activation process.
Only after activation has completed successfully does Endpoint Encryption take control of the disk and begin enforcing the encryption policy. Once activation has completed, restart the system so that the user authenticates and logs on through the Pre-Boot environment, which then loads the operating system.
Product components
Each McAfee Endpoint Encryption component or feature as explained below plays a part in protecting
your systems.
McAfee ePolicy Orchestrator Administration
The McAfee ePO server provides a scalable platform for centralized policy management and
enforcement of your security products and systems on which they reside. The McAfee ePO console
allows the administrator to manage McAfee Endpoint Encryption policies on the client computer. The
console also allows you to deploy and manage McAfee Endpoint Encryption products. It provides
comprehensive reporting and product deployment capabilities; all through a single point of control.
This guide does not provide detailed information about installing or using the McAfee ePO software. See
the product documentation for your version of McAfee ePO.
Policies
McAfee Endpoint Encryption is managed through McAfee ePO using a combination of User Based
Policies and Product Settings Policies. The McAfee ePO console allows the administrator to enforce
policies across groups of computers or on a single computer. Any new policy enforcement through
McAfee ePO overrides the existing policy that is already set on the individual systems. For information
regarding policies and how they are enforced, see the product documentation for your version of
McAfee ePO.
EEPC/EEMac
The EEPC/EEMac extension installed in McAfee ePO defines the encryption algorithm, product settings,
and server settings for the client system. The EEPC/EEMac software package checked in to McAfee
ePO defines the actual Endpoint Encryption software that is installed on the client system.
Endpoint Encryption Admin
The Endpoint Encryption administration system called EE Admin defines the generic Endpoint
Encryption settings for Product Settings Policies, User‑Based Policies, Add local domain user settings,
and Server settings for the users. This is common for both EEPC and EEMac.
LDAP Server
McAfee Endpoint Encryption acquires users through the Windows Active Directory (AD). You must have
a registered LDAP server to use Policy Assignment Rules, to enable dynamically assigned permission
sets, and to enable manual and automatic user account creation.
Client system components
For McAfee ePO to communicate with a client system, the client must have these components:
• For EEPC:
    • Windows operating system
    • McAfee Agent for Windows
• For EEMac:
    • Mac OS X platform
    • McAfee Agent for Mac
The ePolicy Orchestrator server deploys the EE Agent and the EE product to the client system.
On a Mac client, the user installs McAfee Agent with the install.sh file, which is obtained from the Windows-based system where the McAfee ePO server is installed. On Windows clients, ePolicy Orchestrator deploys McAfee Agent itself.
For more details and procedures, see the product documentation for your version of McAfee ePO.
McAfee Endpoint Encryption product components are depicted in Figure 1.
Figure 1-1 Product components
Features
These features of McAfee Endpoint Encryption are important for your organization's system security
and protection.
• EE leverages the McAfee ePO infrastructure for automated security reporting, monitoring, deployment, and policy administration.
• EE integrates fully into McAfee ePO so that all management can be performed from that console.
• EE enables transparent encryption without hindering users or system performance.
• EE enforces strong access control with Pre-Boot Authentication.
• EEPC supports locking, unlocking, and managing self-encrypting drives (Opal 1.0) from the Trusted Computing Group (TCG).
• EEPC supports Intel® Active Management Technology (Intel® AMT) for remotely managing and securing systems in conjunction with ePO Deep Command.
• EEMac allows an end user to self-remediate most Pre-Boot issues on a Mac OS X system without contacting the administrator.
• The McAfee Recovery feature in EEMac allows the end user to perform an emergency recovery when the system fails to boot or its Pre-Boot File System (PBFS) is corrupt.
Support for self‑encrypting (Opal from Trusted Computing Group) drive
EEPC 7.0 provides a management facility for Opal drives, which are self‑contained, standalone Hard
Disk Drives (HDD) that conform to the TCG Opal standard. The drive is always encrypted by the on
board crypto processor, however, it might or might not be locked. Though Opal drives handle all of the
encryption, they need to be managed by management software like McAfee ePO. If an Opal drive is
not managed, it behaves and responds like a normal HDD.
Opal is now supported on Windows 8 and UEFI systems that support Secure Boot.
Opal self-encrypting drives are supported on UEFI systems when the system is Windows 8 logo compliant and was shipped from the manufacturer with an Opal self-encrypting drive fitted.
Opal self-encrypting drives might not be supported on UEFI systems that are not Windows 8 logo compliant, or that did not ship from the manufacturer with an Opal self-encrypting drive fitted.
The reason is that the UEFI security protocol required for Opal management is mandatory only on Windows 8 logo compliant systems that have an Opal self-encrypting drive fitted at the time of shipping. Systems shipped without self-encrypting drives might or might not include the protocol, and without it Opal management is not possible.
In practice, EEPC 7.0 supports the Opal encryption provider on a UEFI system fitted with an Opal drive whenever the UEFI protocol EFI_STORAGE_SECURITY_COMMAND_PROTOCOL is present on that system, so the presence of that protocol, not the logo or shipping status alone, is the deciding check.
None of this affects support for Opal drives on BIOS systems.
The combination of EEPC and McAfee ePO for Opal provides:
• Centralized management
• Reporting and recovery functionality
• Secure Pre-Boot Authentication that unlocks the Opal drive
• Efficient user management
• Continuous policy enforcement
The experience and tasks of administrators and users when installing and using EEPC are the same whether the target system has an Opal drive or a normal HDD. Installing the product extension, deploying the software packages, enforcing policy, and managing the system are identical for Opal and non-Opal systems.
Activating a system with Opal locking requires Windows 7 SP1 or later. On systems with Opal drives where the operating system is Windows 7 RTW (no service pack) or earlier, PC software encryption is used instead.
If a system activated with Opal encryption is reimaged and restarted without first removing Endpoint Encryption, the user is locked out of the system. This happens because:
• The Pre-Boot lock is held off the disk contents, in the drive itself, and is still active after imaging.
• The Pre-Boot File System is destroyed during the imaging process.
Deactivate and remove Endpoint Encryption before reimaging an Opal-activated system.
Opal activation might occasionally fail because the Microsoft defragmentation API that EEPC uses fails to defragment the host. If this happens, activation is retried at the next agent-server communication interval (ASCI).
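The Opal rules above (the Windows 7 SP1 requirement, the UEFI protocol check, the software-encryption fallback, and the reimaging caveat) are easy to get wrong across a fleet. The following Python helper is an added example written for this guide, not McAfee or ePO code: it applies those rules to an inventory record and reports which encryption provider EEPC would end up using. The ClientSystem fields are an assumed inventory layout, and the fallback to software encryption when the UEFI security protocol is absent is an assumption consistent with the statement that an unmanaged Opal drive behaves like a normal HDD.

```python
"""
Added example: a pre-flight helper that applies the Opal support rules from
this section to an inventory record and says which encryption provider EEPC
would end up with. Illustrative code written for this guide, not McAfee or
ePO code; the ClientSystem fields are an assumed inventory layout.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WIN7 = (6, 1)   # Windows NT version of Windows 7; Windows 8 is (6, 2)


@dataclass
class ClientSystem:
    hostname: str
    os_version: Tuple[int, int]          # NT version, e.g. (6, 1) for Windows 7
    service_pack: int                    # 0 for an RTW build
    firmware: str                        # "bios" or "uefi"
    opal_drive: bool                     # drive conforms to TCG Opal 1.0
    shipped_with_opal: bool              # OEM fitted the Opal drive at shipping
    win8_logo_certified: bool
    has_storage_security_protocol: bool  # EFI_STORAGE_SECURITY_COMMAND_PROTOCOL present
    eego_passed: Optional[bool] = None   # None: EEGO was never run on this system


def select_provider(s: ClientSystem, require_eego: bool = False) -> Tuple[Optional[str], List[str]]:
    """Return (provider, notes): provider is "opal", "software", or None when
    activation is blocked. Encodes the rules stated in the Features section."""
    notes: List[str] = []

    # Policy option "Only activate if health check (Endpoint Encryption: Go) passes"
    if require_eego and s.eego_passed is not True:
        notes.append("policy requires a passing EEGO health check; activation blocked")
        return None, notes

    if not s.opal_drive:
        notes.append("no Opal drive: PC software encryption")
        return "software", notes

    # Opal locking needs Windows 7 SP1 or later; older OS -> software encryption
    if (s.os_version, s.service_pack) < (WIN7, 1):
        notes.append("OS below Windows 7 SP1: Opal drive encrypted with software provider")
        return "software", notes

    if s.firmware == "uefi":
        if not s.has_storage_security_protocol:
            # Without the UEFI security protocol the drive cannot be managed and
            # behaves like a normal HDD. Assumption: EEPC then applies the
            # software provider rather than leaving the disk unprotected.
            notes.append("UEFI without EFI_STORAGE_SECURITY_COMMAND_PROTOCOL: "
                         "Opal unmanageable, software encryption")
            return "software", notes
        if not (s.win8_logo_certified and s.shipped_with_opal):
            notes.append("protocol present, but system is outside the documented "
                         "Opal-on-UEFI support statement (not Windows 8 logo "
                         "certified or drive fitted after shipping)")

    notes.append("Opal locking managed by EEPC")
    return "opal", notes


def reimage_warning(provider: Optional[str]) -> Optional[str]:
    """Caveat from this section: an Opal-activated system that is reimaged
    without first removing EEPC keeps its drive lock but loses the PBFS."""
    if provider == "opal":
        return ("deactivate EEPC before reimaging: the Opal lock survives the "
                "image, the Pre-Boot File System does not, and users are locked out")
    return None


def readiness_report(fleet: List[ClientSystem], require_eego: bool = False) -> Dict[str, Optional[str]]:
    """Map hostname -> selected provider for a whole inventory."""
    return {s.hostname: select_provider(s, require_eego)[0] for s in fleet}


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_FLEET = [
    ClientSystem("lt-001", (6, 1), 1, "bios", True, True, False, False),          # Win7 SP1, BIOS, Opal
    ClientSystem("lt-002", (6, 1), 0, "bios", True, True, False, False),          # Win7 RTW, Opal
    ClientSystem("lt-003", (6, 2), 0, "uefi", True, True, True, True),            # Win8 logo, OEM Opal
    ClientSystem("lt-004", (6, 2), 0, "uefi", True, False, False, False),         # retrofitted Opal, no protocol
    ClientSystem("dt-005", (5, 1), 3, "bios", False, False, False, False, True),  # XP SP3, plain HDD, EEGO ok
]

if __name__ == "__main__":
    for system in SAMPLE_FLEET:
        provider, notes = select_provider(system)
        print(f"{system.hostname}: {provider}")
        for n in notes + [reimage_warning(provider) or ""]:
            if n:
                print("   -", n)
```

Feed it the same fields you would collect with an EEGO run or an ePO system query; the notes list is what you would want in a ticket before an activation policy is pushed to a group.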
Requirements
These are the requirements for your computer that you should be aware of before installing EEPC and
EEMac.
Table 1-1 System requirements
McAfee ePO server systems: See the product documentation for your version of McAfee ePO.
Client systems for EEPC:
    • CPU: Pentium III 1 GHz or higher
    • RAM: 512 MB minimum (1 GB recommended)
    • Hard Disk: 200 MB minimum free disk space
    For requirements on Intel® AMT systems, see the product documentation for ePO Deep Command.
Client systems for EEMac:
    • CPU: any Intel-based Mac CPU with 64-bit EFI
    • RAM: 1 GB minimum
    • Hard Disk: 1 GB minimum free disk space
Table 1-2 Software requirements
McAfee ePO:
    • EEPC 7.0 — See the McAfee Endpoint Encryption for PC 7.0 Release Notes
    • EEMac 7.0 — See the McAfee Endpoint Encryption for Mac 6.2 Release Notes
McAfee Endpoint Encryption for PC software (for Windows):
    Extensions:
        • EEADMIN.zip
        • EEPC.zip
        • help_ee_700.zip
        • EEDEEP.ZIP (before installing this extension, install the ePO Deep Command extension)
    EEPC software package:
        • MfeEEPC.zip
    EE Agent:
        • MfeEEAgent.zip
McAfee Endpoint Encryption for Mac software (for Mac OS X):
    Extensions:
        • EEADMIN.zip
        • EEMAC.zip
        • help_ee_700.zip
    EEMac software package:
        • MfeEeMac-7.0.0.x.zip
    EEMac Agent:
        • MfeEEAgent-7.0.0.x.zip
Microsoft Windows Installer 3.0 Redistributable package (for McAfee ePO): See the product documentation for your version of McAfee ePO.
Microsoft .NET Framework 2.0 Redistributable package (for McAfee ePO): See the product documentation for your version of McAfee ePO.
Microsoft MSXML 6 (for McAfee ePO): See the product documentation for your version of McAfee ePO.
Table 1-3 Operating system requirements
McAfee ePO server systems: See the product documentation for your version of McAfee ePO.
Client systems for EEPC:
    • Windows Server 2003 SP1 or later (32-bit only)
    • Windows Server 2008 (32- and 64-bit)
    • Windows XP Professional SP3 (32-bit only)
    • Windows Vista SP1 or later (32- and 64-bit)
    • Windows 7 and SP1 (32- and 64-bit), not XP Mode. For Opal activation, Windows 7 SP1 is required.
    • Windows 8 (32- and 64-bit). EEPC 7.0 supports Windows 8 in UEFI boot mode only on Windows 8 logo certified hardware.
Client systems for EEMac:
    • Lion: 10.7.0 and later (32- and 64-bit)
    • Mountain Lion: 10.8.0 and later (32- and 64-bit)

Table 1-4 Hardware support for Mac
Macs with 64-bit EFI: MacBook, MacBook Pro, MacBook Air, and Mac desktops. For more information about supported Mac hardware, see KnowledgeBase article https://kc.mcafee.com/corporate/index?page=content&id=KB72604
Requirements testing for client systems
McAfee Endpoint Encryption for PC requirements must be met before it can be installed on a client
system.
McAfee Endpoint Encryption GO (EEGO) 7.0
McAfee provides the McAfee Endpoint Encryption GO (EEGO) 7.0 utility for system administrators to
determine which systems are compatible for installing and activating EEPC. EEGO runs a set of
compatibility tests on a client system, and then creates a report through the McAfee ePO console that
summarizes the readiness of the managed systems.
The McAfee Endpoint Encryption system policy can be configured to prevent activation of encryption
on client systems that fail EEGO testing.
Note that EEGO is not a prerequisite for installing EEPC; it is provided as a separate package.
If the system is connected to the McAfee ePO server, the system sends the readiness status to McAfee
ePO through McAfee Agent.
The overall EEGO installation and deployment process can be simplified into the following steps.
This assumes that you have already installed McAfee ePO and have McAfee Agent installed on all appropriate client systems, and that those systems communicate successfully with McAfee ePO.
1 Install the EEGO extension (EEGO.ZIP) in McAfee ePO. Repeat the same procedures used for installing the product extension.
2 Check in the EEGO software package (EegoPackage.ZIP) to McAfee ePO. Repeat the same procedures used for checking in the product package.
3 Deploy Endpoint Encryption GO to the client system. Repeat the same procedures used for the product deployment task.
4 Enforce EEGO policies to the client system.
After restarting, the client system communicates with the McAfee ePO server and pulls down the assigned Endpoint Encryption GO policy, runs the tests and reports the system diagnostic information according to the defined policies.
If you select the Only activate if health check (Endpoint Encryption : Go) passes option and then uninstall EEGO from
the client, it is not possible to deselect this option. As a result of this, EEPC will fail to activate.
Also, the status of EEGO endpoints can be monitored through various chart representations available
in McAfee ePO.
EEGO runs these tests for installing EEPC:
• Incompatible product detection: SafeBoot, HP ProtectTools 2009, Bitlocker, PointSec, Truecrypt, GuardianEdge, Symantec Endpoint Encryption, SafeGuardEasy and PGP Whole Disk Encryption.
• Smart Controller predictive failure, a test that reports if the operating system is reporting that the S.M.A.R.T. controller is indicating an imminent failure.
• Disk Status, a test for BIOS based systems, reports if the disk (MBR and partition structure) is suitable to install EEPC.
Note that EEGO is not supported on UEFI systems.
• Datachannel communication status, a test reporting the success or failure of the Datachannel communication from the client to the McAfee ePO server.
• Datachannel communication delay, a test in milliseconds of the delay of the communication between the McAfee ePO server and the endpoint.
If any of these requirements is not met, and the EEPC system policy is configured to abandon activation if the EEGO tests fail, EEPC activation is abandoned.
EEGO is capable of detecting a series of circumstances that might impact the rollout of EEPC. However,
EEGO does not replace the need to perform due diligence testing prior to a rollout.
Pre‑boot Smart Check
The Pre‑Boot Smart Check is functionality in EEPC that performs various tests to ensure that the EEPC
pre‑boot environment can work successfully on a device. It will test the areas that have been identified
to cause incompatibility issues in the past.
If a device fails the Pre‑Boot Smart Check it will not activate EEPC and will not proceed. You can view
the audit log to get the latest information on any progress of the check from the last time the device
synchronized with McAfee ePO.
The Pre‑Boot Smart Check can be used in conjunction with EEGO and help administrators during initial
deployments. EEGO will perform checks and validation in the operating system, and the Pre‑Boot
Smart Check will perform checks/validations outside of the operating system. The combined usage can
give administrators the highest confidence of a successful deployment.
2 Installing EEPC
This chapter covers the high‑level process of installing, upgrading, and uninstalling the EEPC client.
Contents
Installing the EEPC client
Upgrading from EEPC 6.x.x
Uninstalling the EEPC client
Installing the EEPC client
The EEPC extensions and software packages are checked in to the McAfee ePO server for the
management functionality. This is necessary before deploying the software and configuring the
policies.
This release supports migrating your EEPC 5.x.x installed systems and upgrading EEPC 6.x.x installed
systems to EEPC 7.0. For more details and procedures on migrating your EEPC 5.x.x installed systems
to EEPC 7.0, see the McAfee Endpoint Encryption for PC 7.0 Migration Guide.
• In this guide, EEPC 5.x.x refers to EEPC 5.2.6 or later versions
• EEPC 6.x.x refers to EEPC 6.1 Patch 2 or later versions
Make sure that you remove any competitor's encryption products from your system. Also, do not install
any other encryption products after installing EEPC.
Overview of the installation process
The EEPC client software is deployed from the McAfee ePO server and installed on the client system
through the McAfee Agent.
The client system requires a restart to complete the installation. After the restart, the client
communicates with the McAfee ePO server, pulls down the assigned Endpoint Encryption policies,
assigned users, and encrypts the system according to the defined policies. EEPC creates the Pre‑Boot
File System (PBFS) on the client system at the time of activation. The assigned users can be initialized
through the Pre‑Boot screen after the subsequent restart.
The overall EEPC installation and deployment process can be simplified into the following steps. The
entire installation and deployment process is the same for both PC software and Opal encrypted
drives.
This assumes that the user has already installed McAfee ePO and has the McAfee Agent installed on
various systems, which successfully communicate with the McAfee ePO server.
1 Install the EEAdmin, EEPC, and EEDeep extensions into McAfee ePO.
Note that EEDeep is an optional extension; install it only if you want to use ePO DeepCommand with EEPC.
2 Check in the EEPC software packages (MfeEEAgent.zip and MfeEEPC.zip, in that order) to the McAfee ePO server.
3 Configure the registered server (Windows Active Directory).
4 Configure and run the automation server task for LDAP Synchronization.
5 Deploy the Endpoint Encryption Agent to the client system.
6 Deploy the EEPC software package to the client system.
7 Restart the client system. You should now be able to see the Quick Settings | Show Endpoint Encryption Status option in the McAfee Agent System Tray on the client system.
8 Add users to the system or a group of systems.
9 Create a custom product settings policy or edit the default policy, then assign it to the system or a group of systems.
10 Create a custom user‑based policy or edit the default policy, then assign it to a user or a group of users on a system. Configure UBP enforcement if using Policy Assignment Rules.
The Show Endpoint Encryption Status changes from Inactive to Active only after adding the user(s) and enforcing the policies correctly.
11 Verify the Endpoint Encryption System Status by right‑clicking the McAfee Agent System Tray icon on the client system, then clicking Quick Settings | Show Endpoint Encryption Status.
In some cases, EEPC installed systems might fail to lock OPAL disks during reboot. Subsequent policy
enforcement might fail until a full power‑cycle is performed. For more details, refer to the
KnowledgeBase article https://kc.mcafee.com/corporate/index?page=content&id=KB73889.
Install the EEPC and Help extensions
You can view and configure the policies and settings of EEPC by installing the product and help
extensions into the repository on the McAfee ePO server 4.6.
Before you begin
• You must have appropriate permissions to perform this task.
• You must install the extensions in order: EEADMIN.zip, EEPC.zip, help_ee_700.zip, and EEDeep.zip.
Task
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Software | Extensions | Install Extension to open the Install Extension dialog box.
3 Click Browse and select the extension file EEADMIN.zip, then click OK. The Install Extension page appears with the extension name and version details.
4 Click OK.
5 Repeat steps 2 through 4 to install the EEPC.zip, help_ee_700.zip, and EEDeep.zip extensions.
Check in the EEPC software packages
The software package needs to be checked in to the master repository so that you can deploy the software to the client system using ePolicy Orchestrator. You must check in two packages: MfeEEAgent.zip and MfeEEPC.zip, in that order.
Before you begin
• You must have appropriate permissions to perform this task.
• Before checking in the software packages, make sure there are no pull or replication tasks running.
• If you are installing EEPC 7.0 on a Windows 8 client system, we recommend that you install the McAfee Agent 4.6 Patch 2 package.
Task
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Software | Master Repository, then click Actions | Check In Package to open the Check In Package wizard.
3 From the Package type list, select Product or Update (.zip), then browse and select the MfeEEAgent.zip package file.
4 Click Next to open the Package Options page.
5 Click Save. When the package is checked in, it appears in the Packages in Master Repository list on the Master Repository page.
6 Repeat steps 2 through 5 to check in the MfeEEPC.zip package.
The new package appears in the Packages in Master Repository list on the Master Repository page under the respective branch in the repository.
Register Windows Active Directory
It is necessary to register Windows Active Directory with McAfee ePO in order to create EEPC users.
Before you begin
Make sure that you have the appropriate permissions to modify the server settings, permission sets, users, and registered servers.
Task
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Configuration | Registered Servers, then click New Server to open the Registered Server Builder wizard.
3 From the Server type drop‑down list on the Description page, select LDAP Server, specify a unique user‑friendly name and any details, then click Next.
4 On the Details page:
a Select Active Directory from LDAP server type, then type the Domain name or the Server name.
Use a DNS‑style domain name. When using a DNS‑style domain name, make sure that the McAfee ePO system is configured with the appropriate DNS settings and can resolve the DNS‑style domain name of the Active Directory. The Server name is the name or IP address of the system where the Windows Active Directory is present.
b Type the User name.
The User name should be of the format domain\Username for Active Directory accounts.
c Type the Password and confirm it.
d Click Test Connection to verify that the connection to the server works, then click Save.
Configure automation server task for LDAP synchronization
You can create many tasks that run at scheduled intervals to manage the McAfee ePO server and McAfee Endpoint Encryption software. Run this task to synchronize EEPC users with Active Directory.
Before you begin
You must have appropriate permissions to perform this task.
Task
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Automation | Server Tasks to open the Server Tasks page.
3 Click Actions | New Task to open the Server Task Builder wizard.
4 On the Description page, name the task, add a description of the task, select Enabled under Schedule status, then click Next.
5 From the Actions drop‑down list, select EE LDAP Server User/Group Synchronization and accept the default values.
6 Click Next to open the Schedule page.
7 Schedule the task, then click Next to display the Summary page.
8 Review the task details, then click Save.
In addition to the task running at the scheduled time, you can run this task immediately by clicking Run next to the task on the Server Tasks page.
Deploy EEPC to the client system
The McAfee ePO repository infrastructure allows you to deploy the EEPC product to your managed
systems from a central location. Once you have checked in the software package, use this Product
Deployment client task to install the product on managed systems. For more details and procedures
on how to perform this task, see the product documentation for your version of McAfee ePO.
Before you begin
You must have appropriate permissions to perform this task.
To perform a check on requirements and compatibility of the client system, you need to deploy EEGO
7.0 to the client system. For more information about deploying EEGO 7.0 to the client system, see the
Requirements testing for client systems section.
Task
1 Click Menu | Policy | Client Task Catalog, select McAfee Agent | Product Deployment as Client Task Types, then click Actions | New Task. The New Task dialog box appears.
2 Make sure that Product Deployment is selected, then click OK.
3 Type a name for the task you are creating and add any notes.
4 Next to Target platforms, select Windows as the platform for the deployment.
5 Next to Products and components, set the following:
a Select Endpoint Encryption Agent for Windows 7.0.0.x to specify the version of the EEAgent to be deployed.
b Click + and select Endpoint Encryption for PC 7.0.0.x to specify the version of the EEPC package to be deployed.
c Set the Action to Install, then select the Language of the package, and the Branch.
6 Next to Options, select whether you want to run this task for every policy enforcement process (Windows only), then click Save.
7 Click Menu | Systems | System Tree | Systems, then select the system on which you want to deploy the product and click Actions | Agent | Modify Tasks on a single system.
8 Click Actions | New Client Task Assignment. The Client Task Assignment Builder wizard appears.
9 On the Select Task page, select Product as McAfee Agent and Task Type as Product Deployment, then select the task you created for deploying the product.
10 Next to Tags, select the desired platforms to which you are deploying the packages, then click Next:
• Send this task to all computers
• Send this task to only computers that have the following criteria — Use one of the edit links to configure the criteria.
11 On the Schedule page, select whether the schedule is enabled, and specify the schedule details, then click Next.
12 Review the summary, then click Save.
Send an agent wake-up call
The client computer gets the policy update whenever it connects to the McAfee ePO server during the
next Agent‑Server Communication Interval (ASCI). The policy update can be scheduled or forced. The
agent wake‑up call option forces the policy update to the client system. For information on adding a
new system, see the product documentation for your version of McAfee ePO.
Before you begin
You must have appropriate permissions to perform this task.
Task
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Systems | System Tree, then select a system or a group of system(s) from the left pane.
3 Select the System Name(s) of that group.
4 Click Actions | Agents | Wake Up Agents from the drop‑down menu.
5 Select a Wake‑up call type and a Randomization period (0‑60 minutes) by which the system(s) respond to the wake‑up call sent by ePolicy Orchestrator.
6 Select Get full product properties for the agent(s) to send complete properties instead of sending only the properties that have changed since the last agent‑to‑server communication.
7 Select Force complete policy and task update for the agent to send the complete policy and task update.
8 Click OK.
To view the status of the agent wake‑up call, navigate to Menu | Automation | Server Task Log.
Install EEPC using a third-party tool
Although McAfee ePO has all required features for deploying EEPC, you might need to use a third‑party
tool to deploy the product.
Before you begin
• Make sure that your McAfee ePO version is 4.6 Patch 4 or later.
• Make sure that your McAfee Agent for Windows version is 4.6 or later.
• Make sure that you have installed the EEPC 7.0 extensions (EEAdmin.zip and EEPC.zip) on McAfee ePO.
• Make sure that your LDAP server is registered in McAfee ePO.
Two files must be installed, and each comes in two versions, one per OS type:
• Agent installer files: MfeEEAgent32.msi or MfeEEAgent64.msi
• Plug‑in installer files: MfeEEPc32.msi or MfeEEPc64.msi
For more information about enabling the logs when installing EEPC through msi, see https://kc.mcafee.com/corporate/index?page=content&id=KB76569.
Task
1 Determine whether your client computer is running a 32‑bit or a 64‑bit version of the Windows operating system.
2 Log on to the target computer using an administrator account that has sufficient rights for installing the software.
3 Copy the agent and plug‑in installer files for your operating system to a temporary location on the client system.
4 Install the agent: double‑click the agent installer file for your operating system.
5 Install the plug‑in: double‑click the plug‑in installer file for your operating system.
6 Restart the client system to complete the installation of EEPC.
After restarting the client system, you need to add users and configure the required encryption policies on McAfee ePO. Once the correct encryption policy is enabled, the encryption begins after the next agent‑to‑server communication.
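As an added example that is not part of the McAfee guide, the following PowerShell script automates steps 1, 3, 4 and 5 of this procedure: it determines the OS architecture, selects the matching pair of MSI files named above, installs the agent before the plug‑in, and writes a verbose Windows Installer log for each package so a failed install can be diagnosed. The staging folder, the log folder and the use of a silent msiexec install are assumptions; only the MSI file names come from the guide.

```powershell
# Added example, not part of the McAfee guide: unattended install of the EEPC
# agent and plug-in MSIs in the order the guide requires (agent first, then
# plug-in). Assumptions: the MSIs named in the guide were copied to $Source,
# the packages accept a silent msiexec install, and the script runs elevated.
param(
    [string]$Source = "C:\Temp\EEPC",       # assumed staging folder (step 3)
    [string]$LogDir = "C:\Temp\EEPC\Logs"   # assumed folder for msiexec logs
)

# Step 1: 32-bit or 64-bit Windows? PROCESSOR_ARCHITEW6432 is set only when a
# 32-bit process runs on 64-bit Windows, so this works from either PowerShell.
$is64 = ($env:PROCESSOR_ARCHITECTURE -eq "AMD64") -or ($env:PROCESSOR_ARCHITEW6432 -eq "AMD64")
$arch = if ($is64) { "64" } else { "32" }

# Installer file names are the ones listed in the guide; the order matters.
$installers = @("MfeEEAgent$arch.msi", "MfeEEPc$arch.msi")

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

foreach ($msi in $installers) {
    $path = Join-Path $Source $msi
    if (-not (Test-Path $path)) { throw "Installer not found: $path" }

    # Steps 4 and 5: /qn = no UI, /l*v = verbose log (one per package),
    # /norestart = defer the reboot until both packages are installed.
    $log = Join-Path $LogDir ($msi -replace '\.msi$', '.log')
    $msiArgs = "/i `"$path`" /qn /norestart /l*v `"$log`""
    $proc = Start-Process -FilePath "msiexec.exe" -ArgumentList $msiArgs -Wait -PassThru

    # 0 = success; 3010 = success, restart required (expected for these packages).
    if (@(0, 3010) -notcontains $proc.ExitCode) {
        throw "msiexec failed for $msi with exit code $($proc.ExitCode); see $log"
    }
    Write-Host "Installed $msi (msiexec exit code $($proc.ExitCode))"
}

# Step 6: the guide requires a restart to complete the installation. Left to
# the operator here; add Restart-Computer -Force for a fully unattended run.
Write-Host "Agent and plug-in installed. Restart the system to complete EEPC installation."
```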
Add users to a system
Use the ePolicy Orchestrator server to add the EEPC users to the client system. The EEPC software can be activated on a client system only after adding a user and enforcing the required encryption policies correctly.
Before you begin
You must have appropriate permissions to perform this task.
Task
1 Click Menu | Data Protection | Encryption Users to open the My Organization page.
2 Select a group or system(s) from the System Tree pane on the left.
To add users to a particular system, select the required system from the System Tab under the My Organization pane on the right.
3 Click Actions | Endpoint Encryption | Add Users to open the Add Endpoint Encryption Users page.
4 Add users: Click + in the Users field, browse to the users list, select the Users, then click OK.
5 Add groups: Click + in the From the groups field, browse to the users groups list, select the groups, then click OK.
6 Add an organizational unit: Click + in the From the organizational units field, browse to the organizational unit list, select the unit, then click OK.
7 In the Add Endpoint Encryption Users page, click OK.
Assign a policy to users
You need to configure and assign the policies to the users, if required, and specify which user or group
of users are allowed or not allowed to use the Policy Assignment Rules. The allowed users get their
required User Based Policies.
Before you begin
You must have appropriate permissions to perform this task.
For more details and procedures on how to perform this task, see the product documentation for your
version of McAfee ePO.
You can apply a Policy Assignment Rule to custom policies apart from My Default policies.
Task
1 Click Menu | Policy | Policy Assignment Rules to open the Policy Assignment Rules page.
2 Click Actions | New Assignment Rule. The Policy Assignment Builder wizard opens to the Details page.
3 Type the Name and Description, then click Next.
4 In the Rule Type field, select either System Based or User Based accordingly.
5 Click Next to open the Assigned Policies page.
6 Click Add Policy to select a policy, then define these options:
From the Product drop‑down list, select Endpoint Encryption 7.0.0.
From the Category drop‑down list, select User Based Policies.
From the Policy drop‑down list, select My Default.
7 Click Next to open the Selection Criteria page.
8 In the Comparison field, select either System is in group or subgroup or System is in group.
In the Value field, the My Organization system tree group is selected by default.
9 Click Next to open the Summary page.
10 Click Save.
A policy is assigned to the selected users.
Configure UBP enforcement
By default, all users inherit the default user‑based policy assigned to a system, and are prevented
from using Policy Assignment Rules. This allows maximum system scalability.
To allow a user to use a non‑default UBP, you must enable the Configure UBP enforcement option for that
user. This allows Policy Assignment Rules to be performed to select a specific non‑default user‑based
policy for the user. If not enabled, Policy Assignment Rules are not performed and the user inherits the
default user‑based policy.
When the Configure UBP enforcement option is enabled for a user who is not assigned with a Policy
Assignment Rule, activation will fail on the client systems.
EEPC 7.0 requires that you specify which groups of users are allowed to use the Policy Assignment
Rules. The allowed users get their required user‑based policy. Users who are not allowed to use the
Policy Assignment Rules inherit the default user‑based policy assigned to the system.
Task
1 Click Menu | Reporting | Queries & Reports, then select Endpoint Encryption from Shared Groups in the Groups pane. The standard EE query list appears.
2 Run the EE: Users query to list all the Endpoint Encryption users.
3 Select a user (or users) from the list to enforce the policy.
4 Click Actions | Endpoint Encryption | Configure UBP enforcement. The Configure UBP enforcement page appears.
5 Select Enable or Disable, then click OK to configure the UBP enforcement state.
At each ASCI, McAfee ePO ensures that all the relevant user‑based policies are deployed to each
client in addition to the user‑based policy for the logged on user configured with UBP enforcement.
On selecting Enable, Policy Assignment Rules are enabled for the selected users, and a specific UBP
is assigned to the user according to the rule defined. Policy Assignment Rules are enabled for the
selected users only if a rule has been set for those users.
Assign a policy to a system
You can assign the required policy in the Policy Catalog to any system or system group. Assignment
allows you to define policy settings once for a specific need, then apply the policy to multiple locations.
Before you begin
You must have appropriate permissions to perform this task.
When you assign a new policy to a particular group, all child groups and systems that are set to inherit
the policy from this assignment point, get the set policies.
Task
1 Click Menu | Systems | System Tree, then on the Systems tab under System Tree, select a group. All the systems within this group (but not its subgroups) appear in the details pane.
2 Select the target system, then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 From the Product drop‑down list, select Endpoint Encryption 7.0.0. The policy Categories under Endpoint Encryption are listed with the system's assigned policy.
4 Select the Product Settings policy category, then click Edit Assignments.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 From the Assigned policy drop‑down list, select the Product Setting policy.
From this location, you can edit the selected policy or create a new policy.
7 Select whether to lock policy inheritance so that any systems that inherit this policy can't have another one assigned in its place.
8 When modifying the default policy or creating the new policy, select any one of the disk encryption options other than None, by navigating to Encryption (tab) | Encrypt. The default option None does not initiate the encryption, but will enable the Pre‑Boot Authentication.
Make sure that you select the correct encryption provider and set the priority, as appropriate. For systems with an Opal drive, the encrypt options other than All disks and Boot disk only are not supported. Also, for systems with an Opal drive, make sure to set the highest priority in order to use Opal in the organization.
9 Click Save.
Enforce EEPC policies on a system
Enable or disable policy enforcement for EEPC on a client system. Policy enforcement is enabled by
default, and is inherited in the System Tree.
Before you begin
You must have appropriate permissions to perform this task.
For more details and procedures on how to perform this task, see the product documentation for your
version of McAfee ePO.
Task
1 Click Menu | Systems | System Tree | Systems tab, then under System Tree, select the group where the system belongs. The list of systems belonging to this group appears in the details pane.
2 Select a system, then click Actions | Agent | Modify Policies on a Single System.
3 Select Endpoint Encryption 7.0.0, then click Enforcing next to Enforcement status.
4 Select Break inheritance and assign the policy and settings below to change the enforcement status.
5 Next to Enforcement status, select Enforcing or Not enforcing accordingly, then click Save.
After restarting, the client system communicates with the McAfee ePO server and pulls down the
assigned EEPC policies and encrypts the system according to the defined policies. The assigned user
can be initialized through the Pre‑Boot screen after the subsequent restart.
Edit the client tasks
The McAfee ePO server allows you to create and schedule client tasks that run on managed systems.
You can define tasks for the entire System Tree, for a specific group, or for an individual system. Like
policy settings, client tasks are inherited from parent groups in the System Tree.
Before you begin
You must have appropriate permissions to perform this task.
For more details and procedures on how to perform this task, see the product documentation for your
version of McAfee ePO.
Task
1 Click Menu | Policy | Client Task Catalog, then select McAfee Agent | Product Deployment as Client Task Types.
2 Click the task to edit. The Client Task Builder wizard opens.
3 Edit the task settings as needed, then click Save.
The managed systems receive these changes during the next agent‑server communication.
Enable the Pre-Boot Smart Check feature
Enable this feature to perform the hardware compatibility check prior to EEPC activation and
encryption.
Before you begin
You must have appropriate permissions to perform this task.
When you enable this feature, it modifies the EEPC activation sequence and creates a pre‑activation
stage, where a series of hardware compatibility checks are performed prior to actual activation and
subsequent encryption to successfully activate EEPC on platforms where BIOS issues might exist.
This feature is available only for BIOS systems using PC software encryption, and is not available for
UEFI or Opal systems.
Note that the client system restarts several times before the Smart Check is completed.
The process flow of this feature is as follows:
• System receives the system policy with Pre‑Boot Smart Check enabled
• System activates with the default Pre‑Boot configuration, but encryption will not commence
• System forces a restart to occur
• User must log on through Pre‑Boot
• If Windows logon is successfully achieved, encryption will commence
• If there is a compatibility issue on the platform, the system will not reach Windows
• The user will have to hard‑boot the system
• Pre‑Boot will start in a different Pre‑Boot configuration
• User must log on through Pre‑Boot
Repeat this until all Pre‑Boot configurations are exhausted
• If no Pre‑Boot configuration manages to successfully boot Windows, EEPC will be removed from the system at the next boot through to Windows
Task
1 Click Menu | Systems | System Tree, then select a group under System Tree.
2 Select a system (or systems), then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 From the Product drop‑down list, select Endpoint Encryption 7.0.0. The policy Categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the Product Settings policy category, then click Edit Assignments. The Product Settings page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 Select the policy from the Assigned policy drop‑down list, then click Edit Policy. The Policy Settings page appears.
From this location, you can edit the selected policy, or create a new policy.
7 In the Encryption Providers tab, select the Enable Pre‑Boot Smart Check option to update this policy on the client systems.
This feature is applicable only for BIOS based systems using PC software encryption.
After you select this option, the Force system restart once activation completes option is selected automatically.
8 Click Save.
After the policy is applied to the client systems, EEPC activation starts and completes after a period of time. EEPC is not in the 'Active' state yet. The user is notified that the system will restart in a moment, and after a specific time period, the system restarts automatically.
After the client system restarts, authenticate to the PBA; if the system successfully boots into Windows, the EEPC status switches to 'Active' and EEPC is activated successfully.
However, if the system is not able to boot into Windows (or the PBA cannot run) due to hardware compatibility issues, the user needs to manually power off the system and try again. On each retry (several reboots will be required before the Smart Check fails and boots into Windows), the PBA will configure a different set of compatibility configurations to work around any issues on the client system to boot into Windows. After all configurations are exhausted, the client system bypasses the PBA and boots directly into Windows. The client system then deactivates and records the failure by sending an audit message to McAfee ePO, then the PBA is removed and EEPC activation fails.
Upgrading from EEPC 6.x.x
The primary goal of upgrading is to update the product components while maintaining all of the
existing encryption, policies, users, authentication details, Single Sign On (SSO) details, audit, and
tokens.
Overview of the upgrade process
Use this high‑level process to upgrade EEPC 6.x.x client systems.
1 Install the required EEPC 7.0 extensions on the McAfee ePO server. You can also upgrade the 6.x.x
extensions with 7.0 extensions.
2 Check in the Endpoint Encryption Agent for Windows 7.0.0.x and Endpoint Encryption for PC
7.0.0.x packages to the McAfee ePO server.
3 Define the appropriate policy settings for 7.0 as needed.
4 Make sure that you have assigned the required UBP to the user assigned to the client system.
EEPC 7.0 requires that you specify which groups of users are allowed to use the Policy Assignment
Rules. The allowed users get their required User Based Policies. Users who are not allowed inherit
the default User Based Policies assigned to the system.
5 Deploy EEAgent 7.0.0.x and EEPC 7.0.0.x to the client system.
6 Restart the client system after the deployment task.
After the upgrade, the only visible change is the version numbers in the various module lists.
After restarting the client system, the new files and drivers are in place. The EEPC 7.0 encryption
status dialog box shows the status as Active throughout the upgrade process.
User experience summary
This table summarizes the user experience during the client upgrade from EEPC 6.x.x.
State | Pre-Boot | Comments
Before deployment | EEPC 6.x.x | The client system has EEPC 6.x.x installed.
During deployment | EEPC 6.x.x | The EEPC 7.0 deployment forces the restart of the client system.
After deployment and restart | EEPC 7.0 |
• The EEPC 6.x.x system status remains Active throughout the upgrade process.
• The user credentials for both Windows and Pre-Boot logons are the same in 7.0 as in EEPC 6.x.x.
• SSO to Windows continues to function as it did before the upgrade.
Uninstalling the EEPC client
To uninstall EEPC from the client, the Endpoint Encryption for PC extensions and the software
packages need to be removed, and the policy settings have to be disabled.
Here are some important steps involved in removing the software.
• Disable the EEPC product setting policy.
• Make sure that the Endpoint Encryption System Status is Inactive.
• Uninstall EEPC from the client system.
Deactivate the EEPC client
To deactivate the EEPC client, you need to modify the product setting policy of EEPC on the McAfee
ePO console.
Before you begin
You must have appropriate permissions to perform this task.
Task
1 Click Menu | Systems | System Tree | Systems, then select a group under System Tree. All systems within
this group (but not its subgroups) appear in the details pane.
2 Select a system, then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page
for that system appears.
3 From the Product drop-down list, select Endpoint Encryption 7.0.0. The policy Categories under Endpoint
Encryption are listed with the system's assigned policy.
4 Select the Product Setting policy category, then click Edit Assignments.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below, which is
present next to Inherit from.
6 From the Assigned policy drop-down list, select a product setting policy.
From this location, you can edit the selected policy or create a new policy.
7 Select whether to lock policy inheritance. When inheritance is locked, any systems that inherit this
policy can't have another one assigned in its place.
8 On the General tab, deselect Enable policy.
On Opal systems, make sure that you select the correct encryption provider and set the priority, as
appropriate, so that policy enforcement occurs correctly.
9 Click Save on the Policy Settings page, then click Save on the Product Settings page.
10 Send an agent wake-up call.
When the product setting policy is disabled, all encrypted drives are decrypted and the Endpoint
Encryption status becomes Inactive. This can take a few hours depending on the number and size of
the encrypted drives. Client systems with Opal drives, however, become Inactive very quickly.
Remove EEPC from the client system
The McAfee ePO repository infrastructure allows you to remove the EEPC product from your managed
systems from a central location. To remove the software package from the client system, use this
Product Deployment client task.
Before you begin
• You must have appropriate permissions to perform this task.
• Make sure that you remove EEPC from the client system before removing the product extensions
from McAfee ePO.
For more details and procedures on how to perform this task, see the product documentation for your
version of McAfee ePO.
Task
1 Click Menu | Policy | Client Task Catalog, select McAfee Agent | Product Deployment as Client Task Types, then
click Actions | New Task. The New Task dialog box appears.
2 Make sure that Product Deployment is selected, then click OK.
3 Type a name for the task you are creating and add any notes.
4 Next to Target platforms, select Windows.
5 Next to Products and components, set the following:
a Select Endpoint Encryption for PC 7.0.0.x to specify the version of the EEPC package to be removed.
b Click + and select Endpoint Encryption Agent for Windows 7.0.0.x to specify the version of the EEAgent to
be removed.
c Set the Action to Remove.
6 Next to Options, select whether to run this task at every policy enforcement (Windows only), then
click Save.
7 Click Menu | Systems | System Tree | Systems, select the system from which you want to remove the
product, then click Actions | Agent | Modify Tasks on a single system.
8 Click Actions | New Client Task Assignment. The Client Task Assignment Builder wizard appears.
9 On the Select Task page, select Product as McAfee Agent and Task Type as Product Deployment, then select
the task you created for removing the product.
10 Next to Tags, select the platforms from which you are removing the packages, then click Next:
• Send this task to all computers
• Send this task to only computers that have the following criteria — Use one of the edit links to configure the
criteria.
11 On the Schedule page, select whether the schedule is enabled, specify the schedule details, then
click Next.
12 Review the summary, then click Save.
Remove the EEPC extensions
To uninstall the EEPC extension and the checked in packages, you need to remove them from the
McAfee ePO server.
Before you begin
Make sure that you deactivate the Endpoint Encryption Agent before removing the EEPC
extension from McAfee ePO.
Because EEPC and EEMac are managed by a single McAfee ePO server, remove the EEAdmin extension
only when McAfee ePO management is no longer required for either product.
Remove the EEPC.zip, EEADMIN.zip, and EEDeep.zip extensions, in that order, by following this
procedure.
Task
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Software | Extensions, then select Endpoint Encryption. The Extension page appears with the
extension name and version details.
3 Click Remove. The Remove extension confirmation page appears.
4 Click OK to remove the extension.
Remove the EEPC software packages
After you deactivate and remove the EEPC software from the client system, remove the EEPC software
packages from the McAfee ePO server.
Before you begin
Make sure that you deactivate the Endpoint Encryption client before removing the EEPC
software package from McAfee ePO.
Remove both software packages, MfeEEAgent.zip and MfeEEPC.zip, in that order, by following this
procedure.
Task
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Software | Master Repository. The Packages in Master Repository page appears with the list
of software packages and their details.
3 Click Delete next to the EEPC software packages.
4 Click OK to confirm.
Manually uninstall EEPC from the client system
Although McAfee ePO has all the required features for removing the product from the client system,
you can also manually uninstall EEPC from the client system.
Before you begin
• You must have administrator privileges to perform this task.
• Make sure that you deactivate the Endpoint Encryption client before initiating the manual
removal process.
Task
1
2 After deactivating the Endpoint Encryption Agent, on the client system, browse to these registry
keys and double-click the Uninstall command value. The Edit String dialog box appears.
• For EE Agent on a 32-bit system: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\EEADMIN_1000
• For EEPC on a 32-bit system: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\Endpoint Encryption
• For EE Agent on a 64-bit system: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Application Plugins\EEADMIN_1000
• For EEPC on a 64-bit system: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Application Plugins\Endpoint Encryption
Copy the Value data from the Edit String dialog box, then paste and run it at the command prompt. You can
retain the /q switch and add /norestart to run a silent removal and to avoid restarting the system
after uninstalling the EEPC software.
The /q uninstall switch might not work on Windows Vista and Windows 7 where User Account Control
(UAC) is enabled.
3 EEPC offline activation
In the overall installation process of EEPC, activating EEPC on the client system is the most important
phase. The activation process enables the client system to receive the required policies and user
assignments, for the first time, from the McAfee ePO server. The Offline Activation feature allows you
to activate EEPC on a client system without connecting to the McAfee ePO server.
Contents
How offline activation works
Creating the offline activation package
Performing offline activation
Perform recovery tasks using EETech
How offline activation works
For activating EEPC on a system that has no network connectivity or no connection to McAfee ePO, you
can create an offline activation package on the McAfee ePO server and later distribute it to the
required client system. This package will contain the initial set of policies and a list of offline users.
Once the EEPC software is installed successfully using the MSI packages (EEAgent and EEPC), you
need to run the offline activation tool to apply and enforce your selected policies and to add user
accounts. After the system is active, encryption will commence if specified in the policy, and you might
then be required to authenticate on the Pre‑Boot Authentication page using the offline user account if
autoboot is not enabled.
These offline users are not part of the Active Directory.
During the activation process, the disk encryption key will be written to a user‑specified location in an
encrypted form. This might be used in recovery scenarios until such a time as the system has sent the
disk encryption key up to the ePO server.
To perform a check on requirements and compatibility of the client system, you need to deploy EEGO
7.0 to the client system. For more information about deploying EEGO 7.0 to the client system, see the
Requirements testing for client systems section.
EEGO will not be able to communicate the results to McAfee ePO but the logging can be used to
determine any compatibility issues prior to doing the offline activation.
What happens when an offline activated system connects to ePO
Assuming that the offline activation was done for provisioning purposes, the system will at some point
connect to ePO. Upon successful communication with ePO, the client moves into "online" mode. Online
mode means a normal connection between the McAfee Agent and McAfee ePO; consider it the same as a
normal install. The client discards the offline policy that was enforced at
activation. It receives the real policy from McAfee ePO and the list of assigned users, as in a normal
activation, and saves its encryption key in McAfee ePO. You can view it as a second, automatic
activation.
The important point to remember is that if the offline users were not added to this system on ePO
before the system connects, all of their offline information is discarded. If the users are assigned to
the system on ePO before the offline activated system connects to ePO, they switch to online mode
and their data is retained.
Create and download the McAfee Agent installation package
The McAfee Agent extension must be installed on the McAfee ePO server before the agent is installed
on any target systems. We recommend that you refer to the McAfee ePO documentation to verify that
you are using the most current package and extension.
Before you begin
• Make sure that you have created a temporary folder on the McAfee ePO system to save the files
required for offline activation.
• You must have appropriate permissions to perform this task.
This task requires the creation of an agent installation package, FramePkg.exe (see Step 4). Installation
of the package requires administrator credentials.
Task
1 Download both the agent extension, ePOAgentMeta.zip, and the agent package, MA460Win.zip, to
the system containing the ePO server.
2 Install the agent extension:
a Click Menu | Software | Extensions. The Extensions page opens.
b Click Install Extensions.
c Browse to the location containing ePOAgentMeta.zip, select it and click OK. The Install Extensions
summary page appears.
d Click OK to complete the installation of the extension.
3 Check in the agent package to one of the repository branches: Current (default), Previous, or Evaluation.
4 Create an installation package:
a Click Menu | Systems | System Tree. The System Tree page opens.
b Click System Tree Actions, then select New Systems from the drop-down menu.
c Select Create and download agent installation package.
d Select the Agent version for Windows.
e Deselect Embed Credentials in Package.
If deselected, you receive the default package; if selected, you can specify the required credentials.
f Click OK. The Download file dialog box opens.
g Select FramePkg.exe and save it to the temporary folder.
Extracting the MSI packages (EEAgent and EEPC)
Two files are required to install EEPC on the client systems, and there are two versions of each file,
one per OS type.
You can extract these files from the EEPC product build:
• EEAgent installer files: MfeEEAgent32.msi or MfeEEAgent64.msi
• EEPC Plug-in installer files: MfeEEPc32.msi or MfeEEPc64.msi
These files are available in MfeEEAgent.zip and MfeEEPC.zip, under the Win\EEAgent and Win\EEPC
folders respectively, in the product build.
Extract the EpeOaGenXML.exe file
You need to use the EpeOaGenXML.exe file as an input to create the offline activation package. Extract
this file from the EEPC build that you have downloaded from the download site.
Before you begin
Make sure that you have access to the latest EEPC build.
Task
1 Download the latest EEPC build to a temporary location on the target system.
2 Extract the EpeOaGenXML.exe file from the product build to the temporary folder (for example,
offline) on the target system. The EpeOaGenXML.exe file is available at McAfeeEEPC70\Endpoint
Encryption Misc\Endpoint Encryption Admin tools.
Extract and download the Key Server Public Key
The Key Server Public Key, located in the ePO Default Product Policy, is required for generating the
offline activation package. It is used to encrypt the disk encryption key on the client system during
activation. You need to download the default product policy from the McAfee ePO server.
Before you begin
You must have appropriate permissions to perform this task.
Task
1 Click Menu | Policy | Policy Catalog.
2 From the Product drop-down list, select Endpoint Encryption 7.0.0. The policy Categories under Endpoint
Encryption appear with the system's assigned policy.
3 Select the Product Settings policy category and click the Export button in the My Default policy row. The
Export page appears.
4 Click the link to open the file, or right-click the link to download and save the file to the same
location where the EpeOaGenXML.exe file is present.
When saving the downloaded file, change the file name from My_Default.xml to ePO_policy.xml.
Create the user configuration file
You need to have at least one user account within the offline activation package to activate EEPC
offline on a client system that is not connected to McAfee ePO. For adding these users, you need to
first add them to a user configuration file, then use that file while creating the offline package.
Before you begin
• Make sure that you have the list of user names to be added to the user configuration file.
• Make sure that you have the required token details.
Task
1 Open a text file and add the EEPC users that you need to add to the client system. Name the file as
appropriate (for example, UserList.txt).
2 Save the text file to a temporary location on the target system. The format of each user entry is
name: token, where:
• Name—The EEPC username you need to add to the client system; it is used for EEPC logon. Make
sure that you add a colon (:) after the username.
• Token—The token type you need to assign to that user.
In the user configuration file, you can have any number of blank spaces between the name and the token.
Five token types are supported:
• Password
• 4 SI token types (Gemalto, ActivID, PIV, and CAC)
The token type is case sensitive.
Keep the following in mind:
• If your SI token is configured using the "Gemalto .NET PKI Smart Card" token type, use the
"Gemalto" tag.
• If your SI token is configured using the "ActivIdentity/CAC PKI Smart Card" token type, use the
"ActivID" tag.
• If your SI token is configured using the "PIV PKI Smart Card" token type, use the "PIV" tag.
• If your SI token is configured using the "Common Access Card PKI Smart Card" token type, use
the "CAC" tag.
When using the Offline Activation process, the offline user can be set up as a password user or a
token user. For a token user, only Self Initializing (SI) tokens are supported, because standard PKI
tokens need to sync back with ePO to be authenticated.
Creating the offline activation package
There are three files required to create the offline activation package. This package is used for
activating EEPC on a client system that is not connected to the McAfee ePO server.
They are:
• EpeOaGenXML.exe
• Key Server Public Key
• User configuration file (Example: UserList.txt)
You need to extract and export the Key Server Public Key from the McAfee ePO server, then manually
create the user configuration file.
Generate the offline activation package
Using EpeOaGenXML.exe and the user configuration file, you can create the offline activation package
with default policy settings that you have exported from the McAfee ePO server.
Before you begin
• Make sure that you have the required input files (EpeOaGenXML.exe, UserList.txt) copied to the
McAfee ePO system.
• You must have appropriate permissions to perform this task.
Task
1 Open the command prompt and navigate to the folder where the EpeOaGenXML.exe and UserList.txt
files are located.
2 Type EpeOaGenXML.exe --help to display the list of policy configuration options available with EEPC
7.0.
3 Generate the offline activation package using the command EpeOaGenXML.exe --option arg, where:
• --option arg specifies the required setting for any of the policy configurations. For example,
--PbfsSize 60 --BackupMachineKey false --Sso true
If you don't specify any arg on the command line, the default policy configuration is used to
generate the Offline Activation package. You can also modify the default policy configuration
options by specifying the required settings on the command line.
4 To generate the offline activation package using the default policy settings and the UserList.txt file,
run the command EpeOaGenXML.exe --user-file UserList.txt. You can also use the shorter form of the
command: EpeOaGenXML.exe UserList.txt.
If the user configuration file is in a different location from EpeOaGenXML.exe, specify the full path to
the user configuration file. If there are blank spaces in the path, make sure that you enclose the path
in double quotes. For example, EpeOaGenXML.exe --user-file "c:\documents and settings\user\my
documents\UserList.txt".
5 For example, to generate the offline activation package with non-default policy settings and the
UserList.txt file, run the command EpeOaGenXML.exe --user-file UserList.txt --PbfsSize 60
--BackupMachineKey false --Sso true.
If the package is generated successfully, no feedback or error message appears at the command
prompt. The offline activation package (ESOfflineActivateCmd.XML and OfflineActivation.exe) is
created in the same folder where the EpeOaGenXML.exe file is located.
• ESOfflineActivateCmd.XML—Lists all the users you added, the policy settings, and all the policy
configuration options. If you modified any of the policy configuration options while running the
EpeOaGenXML.exe file, that change also appears in the XML file.
• OfflineActivation.exe—The actual offline activation package used to activate EEPC on the client
system, which is not connected to a network or to McAfee ePO.
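The user configuration file format from Create the user configuration file and the EpeOaGenXML.exe command line from the steps above, worked through as an added example that is not McAfee's code: a validator for UserList.txt entries that applies the name: token rule and the case-sensitive token tags, and a builder for the EpeOaGenXML.exe argument list that quotes a path containing spaces. The option names are the ones this guide shows (the full list comes from EpeOaGenXML.exe --help); the sample file contents are constructed.

```python
"""Added example (not McAfee code): validate an EEPC offline-activation user
configuration file and build the EpeOaGenXML.exe command line that consumes it.

Rules implemented are the ones the guide states: one 'name: token' entry per
line, any amount of blank space around the colon, and five case-sensitive
token tags (Password, Gemalto, ActivID, PIV, CAC). Option names used here
(--user-file, --PbfsSize, --BackupMachineKey, --Sso) are those shown in the
guide; the tool's complete option list comes from 'EpeOaGenXML.exe --help'.
"""
import re
import subprocess
from typing import List, Tuple

# Token tags exactly as the guide lists them; matching is case sensitive.
SUPPORTED_TOKENS = ("Password", "Gemalto", "ActivID", "PIV", "CAC")

# 'name: token' with optional blank space; the colon after the name is required.
_ENTRY = re.compile(r"^\s*(?P<name>[^:\s][^:]*?)\s*:\s*(?P<token>\S+)\s*$")


def parse_user_file(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (entries, errors) for the contents of a user configuration file.

    entries: (username, token_tag) pairs in file order.
    errors:  one message per rejected line, so the file can be fixed before
             the package is generated (EpeOaGenXML.exe prints nothing on success).
    """
    entries: List[Tuple[str, str]] = []
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue  # a blank line carries no entry
        match = _ENTRY.match(raw)
        if match is None:
            errors.append(f"line {lineno}: expected 'name: token', got {raw!r}")
            continue
        name, token = match.group("name"), match.group("token")
        if token not in SUPPORTED_TOKENS:
            # Case matters: 'password' or 'piv' is rejected, as the guide warns.
            errors.append(
                f"line {lineno}: unsupported token type {token!r} "
                f"(case sensitive; allowed: {', '.join(SUPPORTED_TOKENS)})"
            )
            continue
        entries.append((name, token))
    if not entries:
        # The guide requires at least one user in the offline package.
        errors.append("at least one user is required for offline activation")
    return entries, errors


def build_generate_command(user_file: str, **policy: object) -> List[str]:
    """Build the argv for EpeOaGenXML.exe.

    user_file: path of the user configuration file. A path with spaces stays
               one argument; render_for_cmd() adds the double quotes.
    policy:    option -> value overrides, e.g. PbfsSize=60, Sso=True. Booleans
               are rendered as true/false, the form the guide's examples use.
    Passing no overrides yields the default policy configuration.
    """
    argv = ["EpeOaGenXML.exe", "--user-file", user_file]
    for option, value in policy.items():
        if isinstance(value, bool):
            rendered = "true" if value else "false"
        else:
            rendered = str(value)
        argv += [f"--{option}", rendered]
    return argv


def render_for_cmd(argv: List[str]) -> str:
    """Render argv as one command-prompt line, double-quoting arguments with spaces."""
    return subprocess.list2cmdline(argv)


if __name__ == "__main__":
    # Constructed sample file: two valid users and two lines an administrator must fix.
    SAMPLE = "alice: Password\nbob :Gemalto\n\ncarol: piv\ndave Password\n"
    users, problems = parse_user_file(SAMPLE)
    print("users:", users)
    for problem in problems:
        print("error:", problem)
    print(render_for_cmd(build_generate_command(
        r"c:\documents and settings\user\my documents\UserList.txt",
        PbfsSize=60, BackupMachineKey=False, Sso=True)))
```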
Performing offline activation
The purpose of creating the offline activation package is to install and activate EEPC offline on a client
system that is not connected to a network or to the McAfee ePO server. After creating and
downloading all required packages and MSIs, you need to copy them to the client system and run
them one by one to install and activate the EEPC software on the system.
Before you start performing offline activation on the client system:
• Make sure that your client system is not connected to a network and is not managed by the McAfee
ePO server.
• Make sure that your client system has an administrator account that has sufficient rights for
installing and activating the EEPC software.
• Make sure that you have copied these files to a temporary location on the client system:
  • OfflineActivation.exe
  • McAfee Agent installation package (FramePkg.exe)
  • MfeEEAgentXX.msi and MfeEEPcXX.msi, where XX is 32 for 32-bit Windows or 64 for 64-bit Windows
Install the McAfee Agent package
This method is appropriate if you need to install the software on systems manually. You can install the
agent on the system yourself, or distribute the FramePkg.exe installer to users so that they run the
installation program themselves (see Distributing Agents to Manage Systems).
Before you begin
You must have appropriate permissions to perform this task.
If you want users (who have local administrator rights) to install the agent on their own systems,
distribute the agent installation package file to them. You can attach it to an email message, copy it to
media, or save it to a shared network folder.
Task
1 Distribute the agent installation package to the target system.
2 Double-click FramePkg.exe and wait a few moments while the agent is installed.
Install the EEAgent and EEPC software packages
Two files need to be installed, and there are two versions of each file, one per OS type.
Before you begin
Make sure that your client system has an administrator account that has sufficient rights
for installing and activating the EEPC software.
They are:
• Agent installer files: MfeEEAgent32.msi or MfeEEAgent64.msi
• Plug-in installer files: MfeEEPc32.msi or MfeEEPc64.msi
Task
1 Determine whether your client computer is running a 32-bit or a 64-bit version of the Windows
operating system.
2 Log on to the target computer using an administrator account that has sufficient rights for installing
the software.
3 Copy the agent and plug-in installer files for your operating system to a temporary location on the
client system.
4 Install the agent: double-click the agent installer file for your operating system.
5 Verify the installation by right-clicking the McAfee Agent System Tray icon on the client system, then clicking
About. The McAfee Endpoint Encryption Agent and version number are listed.
6 Install the plug-in: double-click the plug-in installer file for your operating system.
7 Restart the client system to complete the installation of EEPC.
8 Verify the Endpoint Encryption System Status by right-clicking the McAfee Agent System Tray icon on the client
system, then clicking Quick Settings | Show Endpoint Encryption Status.
Install the offline activation package and activate EEPC
To activate EEPC offline, you need to install the offline package that has the user list, policy settings,
and policy configuration options. Copy the OfflineActivation.exe package to the client system and run
it there to activate EEPC offline.
Before you begin
Make sure that your client system has an administrator account that has sufficient rights
for installing and activating the EEPC software.
Task
1 Run the OfflineActivation.exe file from the temporary location. A command prompt window
appears with the message Activating EEPC, please wait… and disappears after the users have been
added and EEPC has been activated.
The activation process might take up to 3 minutes.
2 Verify the Endpoint Encryption System Status by right-clicking the McAfee Agent System Tray icon on the client
system, then clicking Quick Settings | Show Endpoint Encryption Status.
The Endpoint Encryption System State should be Active, and after a short while the Volume Status
should change to Decrypted. The message Activation has completed successfully also appears in the Endpoint
Encryption System Status window.
Log on to the client system
When the client system is restarted and EEPC is first activated, the user should log on with the
username that matches the user account defined in the user configuration file.
Task
1 Restart the client system after installing and activating EEPC. The Pre-Boot Authentication page
appears, prompting for a username.
2 In the user name field, type the username that was defined in the user configuration file.
The user account can be either a password user or a user associated with a supported token type.
When you are logging on for the first time, you need to initialize the user with the default password
of 12345 in the PBA page. The user is then prompted to change this password and enroll for
self-recovery.
After initializing your token, the self-recovery enrollment dialog box appears. The default
self-recovery setting for Offline Activation has been configured to prompt for these recovery
questions:
• What is your favorite color?
• What is your pet's name?
• What is your favorite musician?
Once recovery enrollment is complete, the client system boots to Windows.
Perform recovery tasks using EETech
Every EEPC client system that is activated using the offline activation package has a machine key,
which is encrypted with the Key Server Public Key from the McAfee ePO server. The encrypted machine
key is stored in a recovery information file (xml) on the client system. Anyone who needs to run the
recovery procedures on such a client system must first have the machine key from that file decrypted
on the McAfee ePO server.
Before you begin
Only the McAfee ePO administrator can decrypt the machine key in the recovery information file,
because the decryption requires access to the private key from the McAfee ePO server.
Task
1 Insert removable media of your choice, such as a USB drive, into the client system that has been
activated using the offline activation package.
2 Copy the EERecovery.xml file from the default location (C:\) to the removable media.
The default location can be changed when creating the offline activation package from the command
prompt: specify the --Recovery arg option to define a different file name and location, for example
an external drive or USB drive.
3 Copy the recovery information file (EERecovery.xml) to a temporary location on the McAfee ePO
system.
4 On the McAfee ePO server, click Menu | Systems | System Tree, then select the System Tree tab.
5 Click Actions | Endpoint Encryption | Decrypt Offline recovery file. The Decrypt offline recovery file page
appears.
6 Browse to and select the recovery information file to be decrypted, then click OK. The Export recovery
information page with the Export information (.xml) file appears.
7 Right-click the .xml file and save it to the inserted removable media, such as the USB drive.
8 Restart the unrecoverable system using the EETech (Standalone) boot disk. This loads the McAfee
EETech interface.
9 Click Actions | Enable USB. EETech is now able to access the USB drive, which has the recovery
information file.
10 Click Authorize under Authorization. The Authorize dialog box appears.
11 Type the daily Authorization/Access Code and click OK. On typing the correct authorization code for the
day, the Authorization status changes to Authorized.
12 Click File under Authentication, then browse to and select the Recovery Information File (.xml) from the USB
drive, then click OK. On selecting the right file, the Authentication status changes to Authenticated with File.
You can now perform any recovery task using the procedures given in the McAfee EETech User
Guide.
4 Installing EEMac
This chapter covers the high‑level process of installing, upgrading, and uninstalling the EEMac client.
Contents
Installing the EEMac client
Upgrading from EEMac 1.x/6.x to EEMac 7.0
Uninstalling the EEMac client
Installing the EEMac client
The EEMac extensions, agent, and the software packages are checked in to McAfee ePO for the
management functionality. This is necessary before deploying the software and configuring the
policies.
Before installing EEMac, make sure that any competitor's encryption products are removed from the
client system. Also, avoid installing any other encryption products after installing EEMac.
Overview of the installation process
The EEMac client software is deployed from the McAfee ePO server and installed on the client system
through the McAfee Agent. The installation of EEMac creates the Pre-Boot File System (PBFS) on the
client system at the time of activation.
The client system requires a restart to complete the installation. After the restart, the client
communicates with the McAfee ePO server, pulls down the assigned Endpoint Encryption policies, and
encrypts the system according to the defined policies. The assigned user can be initialized through the
Pre-Boot screen after the subsequent restart.
If you want to uninstall EEMac 1.x/6.x and then install EEMac 7.0, make sure to restart the system after
uninstalling EEMac 1.x/6.x.
The overall EEMac installation and deployment process can be simplified into the following steps.
This assumes that you have already successfully installed McAfee ePO and have the McAfee Agent
installed on various systems, which successfully communicate with the McAfee ePO server.
1 Install the EEAdmin and EEMac extensions into the McAfee ePO server.
2 Check in the EEMac software packages (MfeEeMac-7.0.0.x.zip and MfeEEAgent-7.0.0.x.zip) to the
McAfee ePO server.
3 Configure the registered server (Windows Active Directory).
4 Configure and run the automation task for LDAP Synchronization.
5 Deploy the Endpoint Encryption Agent to the client system.
6 Deploy the EEMac software package to the client system.
7 Restart the client system. You should now be able to see the Encryption icon | McAfee Endpoint Encryption System Status option on the menu bar that is present on the desktop of the client.
8 Add users to a system or a group of systems.
9 Create a product settings policy or edit the default policy, then assign it to a system or a group of systems.
10 Create a user‑based policy or edit the default policy, then assign it to a user or a group of users on a system.
The Endpoint Encryption System Status changes from Inactive to Active only after adding the user and
enforcing the policies correctly.
11 Verify the Endpoint Encryption System Status by clicking the Encryption icon | McAfee Endpoint Encryption System
Status option on the menu bar that is present on the desktop of the client.
If the Endpoint Encryption system state is Active, it displays the list of volumes and whether they are
encrypted or decrypted.
Deploy McAfee Agent to the Mac OS X client
You need to install the McAfee Agent on a Mac client system using the install.sh file. You can get this
file from the Windows‑based system where McAfee ePO is installed.
The client system is automatically added to the System Tree in ePolicy Orchestrator on successful
installation of the McAfee Agent for Mac on the Mac client system.
If you are installing the EEMac 7.0 on the Mac OS X Mountain Lion (10.8.x) client system, we
recommend that you install the McAfee Agent 4.6 Patch 2 package.
For more details and procedures, see the product documentation for your version of McAfee ePO.
Install the McAfee Agent for Mac from the Terminal on the Mac. After installing the McAfee Agent for Mac OS X, the Mac client system communicates back to the McAfee ePO server. This process usually takes some time.
Select This group and all subgroups in Filter in the System Tree page, then refresh ePolicy Orchestrator. The
ePolicy Orchestrator displays the Mac client system details under System Tree | Systems after the first
agent‑to‑server communication.
Task
1 Check in the McAfee Agent for Mac OS X package to the master repository.
2 Copy the install.sh file from this location on the Windows‑based system:
  C:\Program Files\McAfee\ePolicy Orchestrator\DB\Software\Current\EPOAGENT3700MACX\Install\0409 for 32‑bit systems.
  C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Software\Current\EPOAGENT3700MACX\Install\0409 for 64‑bit systems.
  ‑or‑
  Download the Agent installation package using ePolicy Orchestrator as follows:
  1 Click Menu | Systems | System Tree | System Tree Actions | New Systems on the McAfee ePO server. The New Systems page appears.
  2 Select Create and download agent installation package from How to add systems.
  3 Select Non‑Windows and McAfee Agent for Mac OS X 4.5 Patch 4/4.6/4.6 Patch 1 from Select Agent Package, and deselect Use Credentials, then click OK. The Download file page appears.
  4 Click the install link to open the file, or right‑click the link to download and save the file.
3 Place the copied install.sh file on the desktop.
4 In the Terminal, type this command to go to the location where the install.sh file is present:
  cd /Users/<user>/Desktop
5 Deploy the McAfee Agent on the Mac client with one of these commands:
  • sudo ./install.sh -i (for a fresh installation)
  • sudo ./install.sh -u (for an upgrade of the agent)
  Type the administrator password if prompted.
  The installation path of McAfee Agent is /Library/McAfee/cma/
  The uninstall path of McAfee Agent is /Library/McAfee/cma/uninstall.sh
6 To monitor the McAfee Agent logs, run the command sudo tail -F /Library/McAfee/cma/scratch/etc/log and provide the administrator password when prompted.
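The Terminal steps above, wrapped in a small POSIX shell script that checks the copied install.sh before running it as root and picks -i or -u from the state of the client. This is an added example, not McAfee's code; the function names, the DRY_RUN variable and the use of uninstall.sh as the "agent already installed" marker are assumptions.

```shell
#!/bin/sh
# Added example (not from the McAfee guide): wraps the Terminal steps of the
# "Deploy McAfee Agent to the Mac OS X client" task so the -i/-u choice and the
# installer sanity check are not done by hand. Paths are the guide's; the function
# names, the DRY_RUN variable and the use of uninstall.sh as the "agent already
# installed" marker are assumptions of this example.

MA_DIR="${MA_DIR:-/Library/McAfee/cma}"        # McAfee Agent installation path (from the guide)

# Print -u when an agent is already installed under the given directory, else -i.
# The guide places uninstall.sh in the agent directory, so its presence is taken
# as the marker that an agent is already present (assumption).
choose_agent_install_flag() {
    agent_dir="${1:-$MA_DIR}"
    if [ -f "$agent_dir/uninstall.sh" ]; then
        printf '%s\n' '-u'
    else
        printf '%s\n' '-i'
    fi
}

# Sanity-check the install.sh copied from the ePO server before running it with sudo.
# Returns 0 for a non-empty, executable shell script; 1 (with a reason on stderr) otherwise.
check_agent_installer() {
    installer="$1"
    [ -f "$installer" ] || { echo "not found: $installer" >&2; return 1; }
    [ -s "$installer" ] || { echo "empty file: $installer" >&2; return 1; }
    [ -x "$installer" ] || { echo "not executable (chmod +x it): $installer" >&2; return 1; }
    # A saved error page or a truncated download has no shebang line.
    head -n 1 "$installer" | grep -q '^#!' || { echo "no shebang, not a script: $installer" >&2; return 1; }
    return 0
}

# Print the command that would run, then (unless DRY_RUN=1) run it and follow the
# agent log until the first agent-to-server communication shows up (guide step 6).
deploy_mcafee_agent() {
    installer="${1:-$HOME/Desktop/install.sh}"
    agent_dir="${2:-$MA_DIR}"
    check_agent_installer "$installer" || return 1
    flag="$(choose_agent_install_flag "$agent_dir")"
    echo "sudo $installer $flag"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        return 0
    fi
    sudo "$installer" "$flag" || return 1
    sudo tail -F "$agent_dir/scratch/etc/log"
}
```

Run `DRY_RUN=1 deploy_mcafee_agent ~/Desktop/install.sh` first to confirm the flag the script would pass, then run it without DRY_RUN to install or upgrade the agent.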
Deploy McAfee Agent to Mac OS X client through SSH
You can also deploy McAfee Agent to Mac systems through Secure Shell (SSH).
Task
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Select the Push agents and add systems to the current group (My Organization) field.
3 In the Target systems field, add the IP address of the system where you want to deploy the McAfee Agent.
4 In the Agent version field, select Non‑Windows, then select McAfee Agent for Mac OS X from the drop‑down list.
  This requires SSH or remote login to be enabled on the Mac for the specific Administrator user whose credentials are used for deployment of McAfee Agent for Mac OS X. Remote login (SSH) can be enabled on the Mac by enabling the Remote Login option under System Preferences | Sharing | Remote Login.
5 In the Credentials for agent installation field, enter the administrator credentials of the Mac.
6 Click OK to trigger the McAfee Agent deployment on the Mac system.
To view the deployed McAfee Agent, click Menu | Automation | Server Task Log.
Install the EEMac extensions
You can view and configure the policies and settings of EEMac by installing the product extensions into
the repository on the McAfee ePO server.
Before you begin
• You must have appropriate permissions to perform this task.
• You must install the extensions in order: EEADMIN.zip first, then EEMac.zip.
Task
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Software | Extensions | Install Extension. The Install Extension dialog box appears.
3 Click Browse and select the extension file EEADMIN.zip, then click OK. The Install Extension page appears with the extension name and version details.
4 Click OK.
5 Repeat steps 2 through 4 to install the EEMac.zip extension.
Check in the EEMac software packages
The software packages EEAgent and EEMac need to be checked in to the master repository so that you
can deploy the software to the client system using ePolicy Orchestrator. You must check in two
packages: MfeEeMac‑7.0.0.x.zip and MfeEEAgent‑7.0.0.x.zip.
Before you begin
• You must have appropriate permissions to perform this task.
• Before checking in the software packages, make sure there are no pull or replication tasks running.
Task
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Software | Master Repository, then click Actions | Check In Package. The Check In Package wizard opens.
3 From the Package type list, select Product or Update (.zip), then browse to and select the MfeEeMac‑7.0.0.x.zip package file.
4 Click Next to display the Package Options page.
5 Click Save to check in the package.
6 Repeat steps 2 through 5 to install the MfeEEAgent‑7.0.0.x.zip package.
The new package appears in the Packages in Master Repository list on the Master Repository page
under the respective branch in the repository.
Register Windows Active Directory
You must register Windows Active Directory with McAfee ePO in order to create EEMac users.
Before you begin
• You must have a registered AD to enable dynamically assigned permission sets and automatic user account creation.
• Make sure you have the appropriate rights to modify server settings, permission sets, users, and registered servers.
Task
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Configuration | Registered Servers, then click New Server to open the Registered Server Builder wizard.
3 From the Server type drop‑down list on the Description page, select LDAP Server, specify a unique user‑friendly name and any details, then click Next.
4 On the Details page:
  a Type the Domain name or the Server name.
    Use a DNS‑style domain name. When using a DNS‑style domain name, make sure that the system is configured with appropriate DNS settings and can resolve the DNS‑style domain name of the Active Directory. The Server name is the name or IP address of the system where the Windows Active Directory is present.
  b Type the User name.
    The User name should be of the format domain\Username for Active Directory accounts.
  c Type the Password and confirm it.
  d Click Test Connection to verify that the connection to the server works, then click Save.
Configure automation task for LDAP synchronization
You can create many tasks that run at scheduled intervals to manage the McAfee ePO server and
McAfee Endpoint Encryption software. Run this task to synchronize EEMac with the user Active
Directory.
Before you begin
You must have appropriate permissions to perform this task.
Task
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Automation | Server Tasks to open the Server Tasks page.
3 Click Actions | New Task to open the Server Task Builder wizard.
4 On the Description page, name the task, add a description about the task, select Enabled under Schedule status, then click Next.
5 From the Actions drop‑down list, select EE LDAP Server User/Group Synchronization and accept the default values.
6 Click Next to open the Schedule page.
7 Schedule the task, then click Next to display the Summary page.
8 Review the task details, then click Save.
You can run this task immediately by clicking Run next to the task on the Server Tasks page.
Deploy EEMac to the client system
The McAfee ePO repository infrastructure allows you to deploy the EEMac product to your managed
systems from a central location. Once you have checked in the software package, use this Product
Deployment client task to install the product on managed systems.
Before you begin
You must have appropriate permissions to perform this task.
For more details and procedures on how to perform this task, see the product documentation for your
version of McAfee ePO.
Task
1 Click Menu | Policy | Client Task Catalog, select McAfee Agent | Product Deployment as Client Task Types, then click Actions | New Task. The New Task dialog box appears.
2 Ensure that Product Deployment is selected, then click OK.
3 Type a name for the task you are creating and add any notes.
4 Next to Target platforms, select Mac as the platform for the deployment.
5 Next to Products and components set the following:
  a Select Endpoint Encryption Agent for Mac OS X 7.0.0.x to specify the version of the EEAgent to be deployed.
  b Click + and select Endpoint Encryption for Mac OS X 7.0.0.x to specify the version of the EEMac package to be deployed.
  c Set the Action to Install, then select the Language of the package, and the Branch.
6 Click Menu | Systems | System Tree | Systems, then select the system on which you want to deploy the product and click Actions | Agent | Modify Tasks on a single system.
7 Click Actions | New Client Task Assignment. The Client Task Assignment Builder wizard appears.
8 On the Select Task page, select Product as McAfee Agent and Task Type as Product Deployment, then select the task you created for deploying the product.
9 Next to Tags, select the desired platforms to which you are deploying the packages, then click Next:
  • Send this task to all computers
  • Send this task to only computers that have the following criteria — Use one of the edit links to configure the criteria.
10 On the Schedule page, select whether the schedule is enabled, and specify the schedule details,
then click Next.
11 Review the summary, then click Save.
Send an agent wake-up call
The client computer gets the policy update whenever it connects to the McAfee ePO server (during the
next ASCI). The policy update can be scheduled or forced. The agent wake‑up call option forces the
policy update to the client system. For information on adding a new system, see the product
documentation for your version of McAfee ePO.
Before you begin
You must have appropriate permissions to perform this task.
Task
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Systems | System Tree, then select a system or group of system(s) from the left pane.
3 Select the System Name(s) of that group.
4 Click Actions | Agents | Wake Up Agents from the drop‑down menu.
5 Select a Wake‑up call type and a Randomization period (0‑60 minutes) by which the system(s) respond to the wake‑up call sent by ePolicy Orchestrator.
6 Select Get full product properties for the agent(s) to send complete properties instead of sending only the properties that have changed since the last agent‑to‑server communication.
7 Select Force complete policy and task update for the agent to send the complete policy and task update.
8 Click OK.
To view the status of the agent wake‑up call, navigate to Menu | Automation | Server Task Log.
Add users to a system
Use ePolicy Orchestrator to add the EEMac users to the client system. The EEMac software can be
activated on a client system only after you add a user and enforce the required encryption policies
correctly.
Before you begin
You must have appropriate permissions to perform this task.
Task
1 Click Menu | Data Protection | Encryption Users to open the My Organization page.
2 Select a group or system(s) from the System Tree pane on the left.
  To add users to a particular system, select the required system from the System tab under the My Organization pane on the right.
3 Click Actions | Endpoint Encryption | Add Users to open the Add Endpoint Encryption Users page.
4 Add users: Click + in the Users field, browse to the users list, select the Users, then click OK.
5 Add groups: Click + in the From the groups field, browse to the user groups list, select the groups, then click OK.
6 Add an organizational unit: Click + in the From the organizational units field, browse to the organizational unit list, select the unit, then click OK.
7 In the Add Endpoint Encryption Users page, click OK.
Assign a policy to a system
You can assign the required policy in the Policy Catalog to any system or system group. Assignment
allows you to define policy settings once for a specific need, then apply the policy to multiple locations.
Before you begin
You must have appropriate permissions to perform this task.
When you assign a new policy to a particular group, all child groups and systems that are set to inherit
the policy from this assignment point, get the set policies.
Task
1 Click Menu | Systems | System Tree, then on the Systems tab under System Tree, select a group. All the systems within this group (but not its subgroups) appear in the details pane.
2 Select a system, then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 From the Product drop‑down list, select Endpoint Encryption 7.0.x. The policy Categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the Product Setting policy category, then click Edit Assignments.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 From the Assigned policy drop‑down list, select the Product Setting policy.
  From this location, you can edit the selected policy, or create a new policy.
7 Select whether to lock policy inheritance so that any systems that inherit this policy can't have another one assigned in its place.
8 When modifying the default policy or creating the new policy, select any one of the disk encryption options other than None, by navigating to Encryption (tab) | Encrypt. The default option None does not initiate the encryption.
  Make sure that you select the correct encryption provider and set the priority, as appropriate.
9 Click Save.
Enforce EEMac policies on a system
Enable or disable policy enforcement for EEMac on a system. Policy enforcement is enabled by default,
and is inherited in the System Tree. For more details and procedures on how to perform this task, see
the product documentation for your version of McAfee ePO.
Before you begin
You must have appropriate permissions to perform this task.
Task
1 Click Menu | Systems | System Tree | Systems tab, then under System Tree, select the group where the system belongs. The list of systems belonging to this group appears in the details pane.
2 Select a system, then click Actions | Agent | Modify Policies on a Single System.
3 Select Endpoint Encryption 7.0.0, then click Enforcing next to Enforcement status.
4 If you want to change the enforcement status you must first select Break inheritance and assign the policy and settings below.
5 Next to Enforcement status, select Enforcing or Not enforcing accordingly, then click Save.
After restarting, the client communicates with the McAfee ePO server, pulls down the assigned McAfee Endpoint Encryption policies, and encrypts the system according to the defined policies. The assigned user can be initialized through the Pre‑Boot screen after the subsequent restart.
Edit the client tasks
The McAfee ePO server allows you to create and schedule client tasks that run on managed systems.
You can define tasks for the entire System Tree, for a specific group, or for an individual system. Like
policy settings, client tasks are inherited from parent groups in the System Tree.
Before you begin
You must have appropriate permissions to perform this task.
For more details and procedures on how to perform this task, see the product documentation for your
version of McAfee ePO.
Task
1 Click Menu | Policy | Client Task Catalog, then select McAfee Agent | Product Deployment as Client Task Types.
2 Click the task to edit. The Client Task Builder wizard opens.
3 Edit the task settings as needed, then click Save.
The managed systems receive these changes during the next agent‑to‑server communication.
How to run the MER tool for EEMac
The Minimum Escalation Requirements (MER) tool is used to collect diagnostic data for EEMac and
your operating system.
To run this tool, you need to have sudo privileges. After you authenticate, a diagnostic report log
(EEMACMERReport.zip) is created and located in your home directory.
You can run the MER tool using sudo privileges as follows:
sudo /Library/McAfee/ee/Mac/EpeMERTool
The usage of the MER tool is as follows:
sudo <Path to the Binary>/EpeMERTool [-a | -h | -s | -p | -m | -v]
The MER tool has two kinds of options, service and common. Service options perform the tool's collection operations, and common options provide information about how to use the tool and the list of service options available.
Table 4-1 Service options
  Service option          Description
  -a, --all               Collects system, product and McAfee Agent information.
  -s, --system details    Collects system information.
  -p, --product details   Collects McAfee Endpoint Encryption for Mac OS X information.
  -m, --ma details        Collects McAfee Agent information.
Table 4-2 Common options
  Common option           Description
  -h, --help              Displays a list of all commands available in the McAfee Endpoint Encryption for Mac OS X MER tool, with explanatory information.
  -v, --version           Displays the version of the McAfee Endpoint Encryption for Mac OS X MER tool.
Upgrading from EEMac 1.x/6.x to EEMac 7.0
The primary goal of upgrading is to update the product components while maintaining all of the
existing encryption, policies, users, authentication details, audit, and tokens.
Overview of the upgrade process
Use this high‑level process to upgrade EEMac 1.x and 6.x client systems.
1 Install the required EEMac 7.0 extensions on the McAfee ePO server. You can also upgrade the 1.x/6.x extensions with 7.0 extensions.
2 Check in the Endpoint Encryption Agent for Mac OS X 7.0.0.x and Endpoint Encryption for Mac OS X 7.0.0.x packages to the McAfee ePO server.
  Make sure that you delete all instances of EEMac 1.x/6.x and hotfixes before you check in EEMac 7.0 packages to McAfee ePO.
3 Define the appropriate policy settings for 7.0 as needed.
4 Deploy EEAgent 7.0.0.x and EEMac 7.0.0.x to the client system.
5 Restart the client system after the deployment task. After restarting the client system, the new files and drivers are in place. The EEMac 7.0 encryption status dialog box shows the status as Active throughout the upgrade process.
After the upgrade, the only visible change is the version numbers in various modules lists.
User experience summary
This table summarizes the user experience during the client upgrade from EEMac 1.x and EEMac 6.x.
  State                          Pre‑Boot        Mac OS X        Comments
  Before deployment              EEMac 1.x/6.x   EEMac 1.x/6.x   The client system has EEMac 1.x/6.x installed.
  During deployment              EEMac 1.x/6.x   EEMac 1.x/6.x   The EEMac 7.0 deployment forces the restart of the client system.
  After deployment and restart   EEMac 7.0       EEMac 7.0       • The EEMac 1.x/6.x status remains as Active throughout the upgrade process.
                                                                 • The user credentials for both Mac OS X and Pre‑Boot logons are the same as EEMac 1.x/6.x for EEMac 7.0.
Uninstalling the EEMac client
To uninstall EEMac from the client, the Endpoint Encryption for Mac extensions and the software
packages need to be removed, and the policy settings have to be disabled.
Here are some important steps involved in removing the software.
1 Disable all EEMac product setting policies.
2 Make sure that the Endpoint Encryption System Status is Inactive.
3 Uninstall EEMac from the client system.
Deactivate the Endpoint Encryption Agent
To deactivate the Endpoint Encryption Agent on the client system, you need to modify the product
setting policy of EEMac on the McAfee ePO console.
Before you begin
You must have appropriate permissions to perform this task.
Task
1 Click Menu | Systems | System Tree | Systems, then select a group under System Tree. All the systems within this group (but not its subgroups) appear in the details pane.
2 Select a system, then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 From the Product drop‑down list, select Endpoint Encryption 7.0.x. The policy Categories under Endpoint Encryption are listed with the system's assigned policy.
4 Select the Product Setting policy category, then click Edit Assignments.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 From the Assigned policy drop‑down list, select a product setting policy.
  From this location, you can edit the selected policy, or create a new policy.
7 Select whether to lock policy inheritance so that any systems that inherit this policy can't have another one assigned in its place.
8 On the General tab, deselect Enable policy.
9 Click Save in the Policy Settings page, then click Save in the Product Settings page.
10 Send an agent wake‑up call.
On disabling the product setting policy, all the encrypted drives get decrypted, and the Endpoint
Encryption status becomes Inactive. This can take a few hours depending on the number and size of
the encrypted drives.
Remove EEMac from the client system
The McAfee ePO repository infrastructure allows you to remove the EEMac product from your managed
systems from a central location. To remove the software package from the client system, use this
Product Deployment client task.
Before you begin
Make sure that you deactivate the Endpoint Encryption Agent before removing EEMac from
the client system.
For more details and procedures on how to perform this task, see the product documentation for your
version of McAfee ePO.
Task
1 Click Menu | Policy | Client Task Catalog, select McAfee Agent | Product Deployment as Client Task Types, then click Actions | New Task. The New Task dialog box appears.
2 Ensure that Product Deployment is selected, then click OK.
3 Type a name for the task you are creating and add any notes.
4 Next to Target platforms, select Mac as the platform for the deployment.
5 Next to Products and components set the following:
  a Select Endpoint Encryption for Mac OS X 7.0.0.x to specify the version of the EEMac package to be removed.
  b Click + and select Endpoint Encryption Agent for Mac OS X 7.0.0.x to specify the version of the EEAgent to be removed.
  c Set the Action to Remove.
6 Click Menu | Systems | System Tree | Systems, then select the system from which you want to remove the product and click Actions | Agent | Modify Tasks on a single system.
7 Click Actions | New Client Task Assignment. The Client Task Assignment Builder wizard appears.
8 On the Select Task page, select Product as McAfee Agent and Task Type as Product Deployment, then select the task you created for removing the product.
9 Next to Tags, select the desired platforms from which you are removing the packages, then click Next:
  • Send this task to all computers
  • Send this task to only computers that have the following criteria — Use one of the edit links to configure the criteria.
10 On the Schedule page, select whether the schedule is enabled, and specify the schedule details,
then click Next.
11 Review the summary, then click Save.
Remove the EEMac extensions
To uninstall the EEMac extension and the checked in packages, you need to remove them from the
McAfee ePO server.
Before you begin
Make sure that you deactivate the Endpoint Encryption Agent before removing the EEMac
extension from McAfee ePO.
Because EEPC and EEMac are being managed by a single McAfee ePO server, you can remove the
EEAdmin extension only when the McAfee ePO management is not required for both products.
You need to remove both extensions, EEMac.zip and EEADMIN.zip, in that order by following the procedure below.
Task
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Software | Extensions, then select Endpoint Encryption. The Extension page appears with the extension name and version details.
3 Click Remove. The Remove extension confirmation page appears.
4 Click OK to remove the extension.
Follow the same procedure to remove both the extension files EEMac.zip and EEADMIN.zip, however,
extension file EEMac.zip needs to be removed first.
Remove the EEMac software packages
When you deactivate and remove the EEMac software from the client system, you need to remove the
EEMac software packages from the McAfee ePO server.
Before you begin
Make sure that you deactivate the Endpoint Encryption Agent before removing the EEMac
package from McAfee ePO.
You need to remove both software packages, MfeEEAgent‑7.0.0.x.zip and MfeEeMac‑7.0.0.x.zip, in that order by following the procedure below.
Task
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Software | Master Repository. The Packages in Master Repository page appears with the list of software packages and their details.
3 Click Delete next to the EEMac software package.
4 Click OK to confirm.
5 Follow the same procedure to remove both the packages MfeEEAgent‑7.0.0.x.zip and MfeEeMac‑7.0.0.x.zip.
Manually uninstall EEMac from the client system
Although McAfee ePO has all the required features for removing the product from the client system,
you can also manually uninstall EEMac from the client system.
Before you begin
• You must have sudo privileges to perform this task.
• Make sure that you deactivate the Endpoint Encryption Agent before initiating the manual removal process.
Task
1 Run the command sudo /Library/McAfee/ee/Mac/uninstall. This removes the EEMac software package from the client system.
2 Run the command sudo /Library/McAfee/ee/Agent/uninstall. This removes the EEAgent from the client system.
3 Restart the client system.
5 Managing McAfee Endpoint Encryption policies
Managing McAfee Endpoint Encryption from a single location is achieved by integrating the EE software
into ePolicy Orchestrator, which is a central feature of McAfee ePO itself. This is accomplished through
the combination of product policies.
Are you configuring policies for the first time?
When configuring policies for the first time:
1 Plan product policies for the segments of your System Tree.
2 Create and assign policies to groups and systems.
This information is applicable to both EEPC and EEMac.
Contents
Policy management
Policy categories
Create a policy from the Policy Catalog
Edit EE policy settings from Policy Catalog
Assign a policy to a system group
Enforce EE policies on a system group
Policy management
A policy is a collection of settings that you create, configure, and enforce. Policies make sure that the
managed client computer is configured and performs accordingly.
Policy settings are the primary interface for configuring the client computer and its components. The
McAfee ePO server allows you to configure policy settings for Endpoint Encryption clients and other
managed systems from a central location.
Policy categories
Policy settings for McAfee Endpoint Encryption are grouped under categories. Each policy category refers to a specific subset of policy settings. On the Policy Catalog page, policies appear under Endpoint Encryption and the individual policies appear under a specific category.
When you open or edit an existing policy or create a new policy under Endpoint Encryption, the policy
product settings are organized across tabs such as General, Encryption, Log On, Recovery, Boot Options, Theme,
and Encryption Providers. The user‑based policy settings are organized across tabs such as Authentication,
Password, Password Content Rules, and Self‑Recovery.
Table 5-1 Product policies
Settings / Options / Description
General
  Enable policy: Enables the set policies on the client computers.
  Logging level: Allows the administrator to set a different logging level for each client computer that has the specific policy setting assigned. To overwrite the logging level defined in the ePolicy Orchestrator console, the LoggingLevelOverride registry key needs to be set on the client system.
    • None — Does not create any log for the client system managed by McAfee ePO.
    • Error — Logs only error messages.
    • Error and Warnings — Logs the error and warning messages.
    • Error, Warnings, and Informational — Logs the error and warning messages with more descriptions.
    • Error, Warnings, Informational and Debug — Logs the error, warning, and debug messages.
  Allow temporary automatic booting: Allows the administrator to run the temporary autoboot tool on the client system, so that it can automatically boot without prompting for a Pre‑Boot Authentication. For more information on how to configure and run the temporary autoboot, see Enable or disable the temporary automatic booting.
    If you enable this option, be aware that McAfee Endpoint Encryption does not protect the data on the drive when it is not in use.
  Expire users who do not login: Allows the administrator to control and manage the users who have not logged on to the client system. Enabling this option forces the user account, which is not initialized, to expire after a number of hours as set in the policy.
  Allow users to create endpoint info file: Enabling this option allows the user to collect client system details such as the list of assigned users, policy settings, recovery, and Endpoint Encryption Status.
    After enabling this option, the user will see a new button Save Machine info in:
    • Windows — McAfee Agent Tray | Quick Settings | Show Endpoint Encryption Status
    • Mac — Encryption icon on the menu bar that is present on the desktop of the client.
    You can click this button and save the text file for later reference.
Encryption

Encrypt — Allows you to select the required encryption type and to set the encryption priority.
Encryption type:
• None — Does not encrypt any disk.
• All disks — Encrypts all disks in the system.
• Boot disk only — Encrypts only the boot disk.
• All disks except boot disk — Encrypts all disks except the boot disk (not recommended).
• Selected partitions — Lets you choose which partitions of the client system are encrypted, by specifying Windows drive letters or Mac volume names. Partition-level encryption is not applicable to client systems using Opal encryption.
Do not assign a drive letter to the Windows 7 hidden system partition on the client system. Doing so stops the EEPC software from being activated on the client system.
The Encryption type options None, All disks except boot disk, and Selected partitions are not applicable to self-encrypting drives in Opal mode.
This table also lists the encryption providers (PC Software and PC Opal) available with the software. You can change the encryption priority by moving the encryption provider rows up and down, as appropriate.
By default, software encryption is used on both Opal and non-Opal systems in this version of EEPC. To ensure that Opal is chosen in preference to software encryption, we recommend that you always set Opal as the default encryption provider by moving it to the top of the list on the Encryption Providers page. This ensures that Opal locking is used on Opal drives.
Make sure that you select the appropriate encryption type. Policy enforcement might fail on client systems if you select an unsupported encryption type.

Log On (Endpoint Encryption)

Enable automatic booting — When selected, the client system boots automatically without prompting for Pre-Boot Authentication. An expiration date for the automatic booting can also be set, and the UTC time standard option can be selected if required.
If you enable this option, be aware that the McAfee Endpoint Encryption software does not protect the data on the drive while the system is not in use.

Log on message — Type a message that is shown to the client user.

Do not display previous user name at log on — When enabled, the client system does not automatically display the user name of the last logged-on user in any EEPC logon dialog box.
Enable on screen keyboard — Enables the Pre-Boot On-Screen Keyboard (OSK) and the associated Wacom serial pen driver. When this option is enabled, the pen driver looks for supported pen hardware (Panasonic CF-H1 and Samsung Slate 7) and displays the OSK.
If you do not select this option, the BIOS uses mouse emulation and treats the digitizer as a standard mouse, which can leave the cursor out of sync with the stylus on USB-connected Wacom pen digitizers.
• Always display on screen keyboard — Forces the Pre-Boot to always display a clickable on-screen keyboard, whether or not the pen driver finds suitable hardware.
This applies only to BIOS-based hardware. On UEFI systems the digitizer is managed by the UEFI firmware, so the UEFI implementation must include drivers for the digitizer.

Add local domain users (and tag with 'EE:ALDU')
• Disabled — Does not add any local domain users to the client system.
• Add all previous and current local domain users of the system — Any domain user who has previously logged on, or is currently logged on, to the system can authenticate through the Pre-Boot, even if the administrator has not explicitly assigned the user to the client system.
• Only add currently logged on local domain user(s); activation is dependent on a successful user assignment — Only the domain users logged on to the current Windows session are added to the system, and EEPC is activated on that basis, even if the administrator has not explicitly assigned the user to the client system.
If you select this option, at least one user must be added to the client system for a successful EEPC or EEMac activation. Activation does not happen until a user logs on to Windows or Mac OS X.
Mac client systems that are joined to Active Directory through the Directory Utility application are the only Mac systems supported by the ALDU feature. ALDU is not supported on Mac systems that use third-party tools such as CentrifyDC for Mac or AdmitMac to connect to Active Directory.

Enable accessibility (Windows BIOS systems only) — This option helps visually impaired users. If selected, the system beeps when the user moves the focus from one field to the next with the mouse or keyboard in the Pre-Boot environment.
The USB audio functionality lets visually impaired users hear an audio signal (spoken word) as guidance when the cursor moves from one field to the next in the Pre-Boot environment. USB speakers and headphones can be used to listen to the audio signal.
For more details, see Enable Accessibility (USB audio devices) in the Pre-Boot environment.
Disable pre-boot authentication when not synchronized — When selected, the user is blocked from logging on to PBA if the client system has not synchronized with the McAfee ePO server for the set number of days.
When the user is blocked from logging on to PBA, the user must ask the administrator to perform Administrator Recovery to unlock the client system. This lets the client system boot and communicate with the McAfee ePO server. The client system continues to block the user from logging on until the synchronization with ePolicy Orchestrator happens.

Read username from smartcard — When selected, the user information available on the client system is retrieved automatically from the inserted smartcard, so the Authentication window does not prompt for a user name. The user then authenticates by typing the correct PIN.
This feature is supported on Gemalto .NET V2+ tokens and on PIV and CAC tokens.
You need to enable the matching rules required to match smartcard user principal names (UPNs) with EEPC user names.
• Match certificate user name field up to @ sign — Matches the certificate user name up to the @ sign. For example, if the UPN is SomeUser@SomeDomain.com and the EEPC user name is SomeUser, a match is found.
• Hide user name during authentication — When selected, the EEPC user name does not appear in the Authentication window.
Log On (Windows only)

Enable SSO — Enables Single Sign On.
• Must match user name — Ensures that SSO details are captured only when the user's Endpoint Encryption and Windows user names match, so that captured SSO data is replayed only for the user it was captured for. When you select Enable SSO, Must match user name is also enabled by default.
• Using smart card PIN — Allows EEPC to capture the smart card PIN for SSO.
• Synchronize Endpoint Encryption password with Windows — If selected, the Endpoint Encryption password is changed to match the Windows password whenever the Windows password is changed on the client system.
• Allow user to cancel SSO — Allows the user to cancel the SSO to Windows in the Pre-Boot. When this option is enabled, the user has an additional checkbox at the bottom of the Pre-Boot logon dialog box.
Lock workstation when inactive — The client system is locked when it has been inactive for the set time.
Recovery

Enabled — The Recovery option is enabled by default. When enabled, it activates the Administrator Recovery option on the client system.

Key size — This drop-down list selects the recovery key size. The size of the recovery Response Code depends on this key size; the size of the challenge code does not.
• Low — A recovery key size that creates a short Response Code.
• Medium — A recovery key size that creates a medium-length Response Code.
• High — A recovery key size that creates a long Response Code.
• Full — A recovery key size that creates a Response Code with the maximum number of characters.

Message — Displays a text message when the user selects Recovery. This may include information such as your help desk contact details.

Allow users to re-enroll self-recovery information at PBA — When enabled, the client user's self-recovery details can be reset, after which the user must re-enroll with new self-recovery answers.
Before resetting the self-recovery questions on the client system, make sure that you have enabled the Enable Self Recovery option under User Based Policy | Self-recovery.
Once this option is enabled, the Pre-Boot Authentication (user name) screen has a new Reset self-recovery checkbox. When the user selects it, the user is prompted for a password and then for the self-recovery enrollment.
Only initialized users can reset their self-recovery details.
Boot Options (Windows only)

Enable Boot Manager — Enabling this option activates the built-in pre-boot partition manager, which lets you select the primary partition on the hard disk to boot from. Partitions can also be named in the boot manager, and the timeout before booting starts can be set.
Always enable pre-boot USB support — Forces the Endpoint Encryption Pre-Boot code to always initialize the USB stack.
USB audio functionality lets visually impaired users hear an audio signal (spoken word) as guidance when the cursor moves from one field to the next in the Pre-Boot environment. USB speakers and headphones can be used to listen to the audio signal.
Without this option, the mouse cursor and the stylus can fall out of sync on USB-connected Wacom pen digitizers; enable it to avoid that.
For more details, see Enable Accessibility (USB audio devices) in the Pre-Boot environment.

Enable pre-boot PCMCIA support — If selected, the policy enables pre-boot PCMCIA support.

Theme

Graphics mode — Selects the screen resolution for a system or a system group. The default option is Automatic.

Select theme — This drop-down list selects a theme.

Preview — Displays a preview of the selected theme. The preview is not available for policies shared from another McAfee ePO.

Out-of-Band (Windows only)

Enable at PBA — Enable this option to enable the EEPC out-of-band management features through policies, and then perform actions on Intel® AMT provisioned client systems.
You can enable this option only if you have installed the Endpoint Encryption : Out Of Band Management extension in McAfee ePO.
Encryption Providers

PC Software
• Use compatible MBR — Causes EEPC to boot a built-in fixed MBR after pre-boot logon instead of the original MBR that was on the system. It is used to avoid problems on systems with other software that runs from the MBR and no longer works once EEPC is installed.
• Fix OS boot record sides — Some boot records report an incorrect number of sides. Selecting this option fixes this on the client system. This is available only when you install the EEPC extension.
• Use windows system drive as boot disk — Maintains compatibility with systems where disk 0 is not the boot disk. Selecting this option forces the product to assume that the boot disk is the one containing the Windows directory rather than disk 0.
• Enable Pre-Boot Smart Check (BIOS based systems only) — Modifies the EEPC activation sequence to add a pre-activation stage in which hardware compatibility checking is performed before the actual activation and subsequent encryption.
• Force system restart once activation completes — Selected by default when you select Enable Pre-Boot Smart Check (BIOS based systems only); restarts the system after activation.

Opal
• Require all disks to be Opal — Requires all drives in the client system to be Opal for the PC Opal encryption provider to be activated.

Mac Software
• Allow software updates — Allows the user to perform Mac OS X software updates from the Apple update server.
• Allow software updates but warn users — Allows the user to perform Mac OS X software updates from the Apple update server, but displays the following notification first: Applying Operating System or Firmware updates to systems with McAfee Endpoint Encryption for Mac installed can potentially cause problems. For more information, refer to the KnowledgeBase article KB68921.
• Block software updates — Blocks the user from performing Mac OS X software updates from the Apple update server, and displays the following notification: Software updates have been blocked by McAfee Endpoint Encryption for Mac. For more information, please contact your System Administrator.
Table 5-2 User based policies

Authentication

Token type — Specifies the authentication token, for example password, smartcard, and so on.

Certificate rule — McAfee Endpoint Encryption extends the use of PKI and tokens to let users authenticate with their certificates. Using certificate rules, you can quickly make your Endpoint Encryption enterprise aware of all certificate-holding users and allocate them to PCs using Endpoint Encryption without creating new smart cards or other tokens for them.
• Provide LDAP user certificate — Provides the latest LDAP user certificate.
• Enforce certificate validity period on client — Enabled by default; enforces the certificate validity period for the added certificate rule.
• Use latest certificate — Uses the latest certificate available.

Logon Hours — Defines the days and times at which the user can log on to the client system. The restrictions are applied using the Apply Restrictions option.

Password

Default password
• Change default password — The default password is 12345. If the administrator changes the default password, the newly set password becomes the default password for this policy under the User Based Policy category.
• Do not prompt for default password — Skips the default password entry and asks the user to enter an encryption password immediately.

Password change
• Enable password history __ changes (1-100) — Keeps track of the specified number of previous passwords set by the user and does not allow the user to set any of them again.
• Prevent change — Prevents the user from changing the password.
• Require change after __ days (1-366) — The number of days after which the system prompts the user to change the password.
• Warn user __ days (0-30) — The number of days before expiry at which the system starts warning the user how many days are left before the password expires.

Incorrect passwords
• Timeout password entry after __ invalid attempts (3-20) — The number of invalid password entries after which the system times out password entry.
• Maximum disable time __ minutes (1-64) — The maximum duration of the password entry timeout.
• Invalidate password after __ invalid attempts (3-100) — The number of wrong attempts a user can make before the password becomes invalid.
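The three Incorrect passwords settings interact on the client: a short timeout after a few consecutive failures, a cap on how long that timeout can grow, and a hard invalidation after a total number of failures that only Administrator Recovery can undo. The model below is an added example, not code from this guide or from the product, and it makes one assumption the guide does not state: the first timeout lasts one minute and each later timeout doubles, up to Maximum disable time. The account, user name and password are constructed sample data.

```python
"""Pre-boot password throttling model.

Added example; this is not code from the McAfee product guide or from the
product itself. It models the three Incorrect passwords settings of Table 5-2
on one client account: timing out password entry after N invalid attempts,
capping the disable time, and invalidating the password after M invalid
attempts in total. The timeout schedule (1 minute for the first timeout,
doubling on each further one, capped at Maximum disable time) is an
assumption made here; the guide states only the cap.
"""
import hmac
from dataclasses import dataclass


@dataclass
class IncorrectPasswordPolicy:
    """The three Incorrect passwords settings, with the guide's value ranges."""
    timeout_after_attempts: int = 3       # Timeout password entry after __ invalid attempts (3-20)
    max_disable_minutes: int = 64         # Maximum disable time __ minutes (1-64)
    invalidate_after_attempts: int = 100  # Invalidate password after __ invalid attempts (3-100)

    def __post_init__(self) -> None:
        if not 3 <= self.timeout_after_attempts <= 20:
            raise ValueError("timeout_after_attempts must be 3-20")
        if not 1 <= self.max_disable_minutes <= 64:
            raise ValueError("max_disable_minutes must be 1-64")
        if not 3 <= self.invalidate_after_attempts <= 100:
            raise ValueError("invalidate_after_attempts must be 3-100")


@dataclass
class PreBootAccount:
    """Per-user state a pre-boot environment would keep in its file system."""
    user_name: str
    password: str                  # constructed sample; a real PBFS holds a key-wrapping secret, not the password
    policy: IncorrectPasswordPolicy
    total_failures: int = 0        # counts towards Invalidate password after
    consecutive_failures: int = 0  # counts towards Timeout password entry after
    timeouts: int = 0              # how many timeouts have been imposed so far
    locked_until: float = 0.0      # seconds on the caller's clock; 0 = not locked
    invalidated: bool = False

    def timeout_minutes(self) -> int:
        """Assumed schedule: 1, 2, 4, ... minutes, capped at the policy maximum."""
        return min(2 ** self.timeouts, self.policy.max_disable_minutes)

    def attempt(self, candidate: str, now: float) -> str:
        """Process one logon attempt at time `now` (seconds).

        Returns 'ok', 'invalid', 'locked' or 'invalidated'.
        """
        if self.invalidated:
            return "invalidated"
        if now < self.locked_until:
            return "locked"  # attempts made during a timeout are not checked at all
        if hmac.compare_digest(candidate.encode(), self.password.encode()):
            self.consecutive_failures = 0
            return "ok"
        self.total_failures += 1
        self.consecutive_failures += 1
        if self.total_failures >= self.policy.invalidate_after_attempts:
            self.invalidated = True  # from here on only Administrator Recovery helps
            return "invalidated"
        if self.consecutive_failures >= self.policy.timeout_after_attempts:
            self.locked_until = now + 60 * self.timeout_minutes()
            self.timeouts += 1
            self.consecutive_failures = 0
            return "locked"
        return "invalid"


def simulate(policy: IncorrectPasswordPolicy, password: str, attempts):
    """Replay (time, candidate) pairs against a fresh account and return the outcomes."""
    account = PreBootAccount("alice", password, policy)
    return [account.attempt(candidate, when) for when, candidate in attempts]


if __name__ == "__main__":
    demo = IncorrectPasswordPolicy(timeout_after_attempts=3, max_disable_minutes=5,
                                   invalidate_after_attempts=8)
    print(simulate(demo, "correct horse",
                   [(0, "x"), (1, "x"), (2, "x"), (30, "correct horse"), (62, "correct horse")]))
```

Note that attempts made while the timeout is running are rejected without being checked, so a correct password typed during the timeout does not unlock the account; it must be retried once the timeout has elapsed. The total-failure counter is not reset by a successful logon in this model, which is the stricter reading of the Invalidate password after setting.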
Password Content Rules

Password length — Specifies the number of characters in a user password.
• Minimum (3-40) — The minimum number of characters in a user password.
• Maximum (3-255) — The maximum number of characters in a user password.
Enforce password content rules — Specifies the number of characters of each kind (alpha, numeric, alphanumeric, and symbols) required to form a password.
• Alpha — The number of letters that must be present in a user password.
• Numeric — The number of numeric characters that must be present in a user password.
• Alphanumeric — The number of alphanumeric characters that must be present in a user password.
• Symbols — The number of symbols that must be present in a user password.

Password content restrictions — Specifies the content restrictions for the user password.
• No anagrams — A word or phrase formed by rearranging the letters of the previous password can't be used as the password.
• No palindromes — A word or phrase that reads the same backward as forward can't be used as the password.
• No sequences — The new password can't be a sequence of the previous password.
• Can't be user name — The user name can't be set as the password.
• Windows content rules — Follows the standard Windows password content rule: the password must contain characters from at least three of the following:
  • Lowercase letters
  • Uppercase letters
  • Numbers
  • Symbols and special characters
• No simple words — Words defined in the simple words list cannot be used as passwords.
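The checks above are evaluated together at password-change time, when the client still has the old password in hand, so rules such as No anagrams and No sequences can compare the candidate against the previous password while the password history holds only digests. The checker below is an added example, not code from this guide or from the product. The guide does not say how No sequences is evaluated; here it is read as the previous password with one character appended or with its last run of digits stepped by one, and that reading is an assumption. The history digest is an unsalted SHA-256 purely for illustration; a real store would use a salted, slow hash. All rule values and sample passwords are constructed.

```python
"""Password content rule checker.

Added example; this is not code from the McAfee product guide or from the
product. It applies the Password Content Rules of Table 5-2 (password length,
enforced character counts, the content restrictions) and the password history
setting to a candidate password. The reading of "No sequences" and the use of
unsalted SHA-256 for the history are this example's assumptions.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass
class PasswordContentRules:
    min_length: int = 8                   # Minimum (3-40)
    max_length: int = 40                  # Maximum (3-255)
    min_alpha: int = 0                    # Enforce password content rules: Alpha
    min_numeric: int = 0                  # Numeric
    min_alphanumeric: int = 0             # Alphanumeric
    min_symbols: int = 0                  # Symbols
    no_anagrams: bool = True
    no_palindromes: bool = True
    no_sequences: bool = True
    cannot_be_user_name: bool = True
    windows_content_rules: bool = True
    simple_words: frozenset = frozenset()  # casefolded words from the Simple Words server setting
    history_size: int = 0                 # Enable password history __ changes (1-100); 0 = off


def password_digest(password: str) -> str:
    """Illustrative history digest (unsalted SHA-256; see module docstring)."""
    return hashlib.sha256(password.encode()).hexdigest()


_LAST_DIGITS = re.compile(r"^(.*?)(\d+)(\D*)$")  # prefix, last run of digits, suffix


def is_sequence_of(candidate: str, previous: str) -> bool:
    """Assumed reading of 'No sequences': previous + one character, or last digits stepped by one."""
    if len(candidate) == len(previous) + 1 and candidate.startswith(previous):
        return True
    c, p = _LAST_DIGITS.match(candidate), _LAST_DIGITS.match(previous)
    if not (c and p):
        return False
    same_frame = (c.group(1), c.group(3)) == (p.group(1), p.group(3))
    return same_frame and abs(int(c.group(2)) - int(p.group(2))) == 1


def check_password(candidate: str, user_name: str, previous: str,
                   history: list, rules: PasswordContentRules) -> list:
    """Return the names of the violated rules; an empty list means the password is accepted."""
    violations = []
    if not rules.min_length <= len(candidate) <= rules.max_length:
        violations.append("Password length")

    def is_symbol(ch: str) -> bool:
        return not ch.isalnum() and not ch.isspace()

    counts = {
        "Alpha": (sum(ch.isalpha() for ch in candidate), rules.min_alpha),
        "Numeric": (sum(ch.isdigit() for ch in candidate), rules.min_numeric),
        "Alphanumeric": (sum(ch.isalnum() for ch in candidate), rules.min_alphanumeric),
        "Symbols": (sum(is_symbol(ch) for ch in candidate), rules.min_symbols),
    }
    violations += [name for name, (have, need) in counts.items() if have < need]

    lowered = candidate.casefold()
    if rules.no_anagrams and sorted(lowered) == sorted(previous.casefold()):
        violations.append("No anagrams")
    if rules.no_palindromes and len(lowered) > 1 and lowered == lowered[::-1]:
        violations.append("No palindromes")
    if rules.no_sequences and is_sequence_of(candidate, previous):
        violations.append("No sequences")
    if rules.cannot_be_user_name and lowered == user_name.casefold():
        violations.append("Can't be user name")
    if rules.windows_content_rules:
        classes = [any(ch.islower() for ch in candidate), any(ch.isupper() for ch in candidate),
                   any(ch.isdigit() for ch in candidate), any(is_symbol(ch) for ch in candidate)]
        if sum(classes) < 3:  # Windows rule: at least three of the four classes
            violations.append("Windows content rules")
    if lowered in rules.simple_words:
        violations.append("No simple words")
    if rules.history_size and password_digest(candidate) in history[-rules.history_size:]:
        violations.append("Password history")
    return violations
```

Two design points carry over to any real enforcement point: compare case-insensitively for the anagram, palindrome and user-name rules, because those attacks do not care about case, and keep the history as digests rather than plaintext so that a captured policy store does not leak every previous password.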
Self-recovery

Enable self-recovery — Enables self-recovery for users assigned to the system.

Invalidate self-recovery after no. of invalid attempts — The number of attempts after which self-recovery is disabled.

Questions to be answered — The number of questions the user must answer to perform self-recovery.
Logons before forcing user to set answers — The number of logons before the user is forced to set answers.

Questions — Lets you select a language, set the questions, and set the minimum answer length. Lists the default questions for the selected language and provides an option to add more questions.
If a language does not have enough questions or has an error in it, the language appears in red.
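The Self-recovery settings describe an enrollment step (a fixed number of questions, each answer at least the minimum length, forced after a number of logons) and a verification step that is disabled after too many failures. The model below is an added example, not code from this guide or from the product: it shows the client-side logic those settings imply, with answers normalized and stored as salted PBKDF2-HMAC-SHA256 digests so that the stored record reveals nothing if the pre-boot file system is read. The choice of PBKDF2, its iteration count and the normalization rule are this example's, and the questions and answers are constructed.

```python
"""Self-recovery enrollment and verification model.

Added example; this is not code from the McAfee product guide or from the
product. It models the Self-recovery settings of Table 5-2: questions to be
answered, minimum answer length, logons before enrollment is forced, and
invalidation of self-recovery after the set number of invalid attempts.
PBKDF2, its iteration count and the answer normalization are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class SelfRecoveryPolicy:
    enabled: bool = True                    # Enable self-recovery
    questions_to_answer: int = 3            # Questions to be answered
    invalidate_after_attempts: int = 5      # Invalidate self-recovery after no. of invalid attempts
    logons_before_forcing_answers: int = 3  # Logons before forcing user to set answers
    min_answer_length: int = 4              # minimum answer length set under Questions


@dataclass
class SelfRecoveryRecord:
    """What the client keeps per user: salted digests, never the answers."""
    entries: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)  # question -> (salt, digest)
    failed_attempts: int = 0
    invalidated: bool = False


PBKDF2_ITERATIONS = 50_000  # kept modest so the example runs quickly


def normalize(answer: str) -> str:
    """Tolerate the casing and spacing differences a user will not remember."""
    return " ".join(answer.split()).casefold()


def _digest(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ITERATIONS)


def enroll(answers: Dict[str, str], policy: SelfRecoveryPolicy) -> SelfRecoveryRecord:
    """Enroll answers at the Pre-Boot, enforcing the question count and minimum answer length."""
    if len(answers) < policy.questions_to_answer:
        raise ValueError(f"{policy.questions_to_answer} questions must be answered")
    record = SelfRecoveryRecord()
    for question, answer in answers.items():
        if len(normalize(answer)) < policy.min_answer_length:
            raise ValueError(f"answer to {question!r} is shorter than {policy.min_answer_length}")
        salt = os.urandom(16)
        record.entries[question] = (salt, _digest(answer, salt))
    return record


def must_enroll(logon_count: int, record: Optional[SelfRecoveryRecord],
                policy: SelfRecoveryPolicy) -> bool:
    """Force enrollment once an un-enrolled user has logged on the configured number of times."""
    return policy.enabled and record is None and logon_count >= policy.logons_before_forcing_answers


def recover(record: SelfRecoveryRecord, answers: Dict[str, str], policy: SelfRecoveryPolicy) -> bool:
    """One self-recovery attempt: every answer given must match, and enough must be given."""
    if not policy.enabled or record.invalidated:
        return False
    if len(answers) < policy.questions_to_answer:
        raise ValueError(f"{policy.questions_to_answer} answers are required")
    matched = 0
    for question, answer in answers.items():
        stored = record.entries.get(question)
        if stored is not None and hmac.compare_digest(_digest(answer, stored[0]), stored[1]):
            matched += 1
    if matched == len(answers):
        record.failed_attempts = 0
        return True
    record.failed_attempts += 1
    if record.failed_attempts >= policy.invalidate_after_attempts:
        record.invalidated = True  # from here on only Administrator Recovery helps
    return False
```

The verification deliberately reports only pass or fail for the whole set of answers, not which answer was wrong, so an attacker cannot attack the questions one at a time; the per-record failure counter then bounds the total number of guesses before the feature shuts itself off.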
Table 5-3 Server setting policies

General

If user is disabled in LDAP Server — Lets you disable, delete, or ignore the user if the user has been disabled in the LDAP server.

Batch size for retrieving users — Sends users to the client in batches rather than all at once. Specify the number of users sent in each batch. Increasing the batch size increases the memory required on the server and the client, but reduces the number of messages that must be exchanged between the client and server.

Machine key re-use (Windows only) — Activates the system with the existing key held in the McAfee ePO server. This is useful when a boot disk becomes corrupted and the user can't access the system: the system's other disks can be recovered by activating it with the same key from McAfee ePO.
Machine key re-use is not applicable to systems with self-encrypting (Opal) drives.

Mac OS X Software or PC software

User Information Fields — Used to add user information fields. You add a field by specifying a question and the related LDAP attribute name for the user.

Algorithm — Specifies the algorithm, AES-256-CBC, for software encryption.

Pre-boot storage size __ MB (20-100) — Sets the size of the pre-boot file system (PBFS). Increasing the size of the PBFS increases the number of users that can be successfully assigned to the client system. The size is specified in MB, from 20 MB to 100 MB. If you are assigning a large set of users to the system, the PBFS size must be 100 MB.
The default Pre-Boot storage size for PC software is 20 MB and for Mac software is 50 MB.

PC Opal

Pre-boot storage size __ MB (20-100) — Sets the size of the pre-boot file system for client systems with self-encrypting (Opal) drives. Increasing the size of the PBFS increases the number of users that can be successfully assigned to the client system. The size is specified in MB, from 20 MB to 100 MB. If you are assigning a large set of users to the system, the PBFS size must be 100 MB.

Incompatible Products

Manage incompatible products — Manages the list of products that are not compatible with McAfee Endpoint Encryption. You can also import an incompatible product rule that detects and adds the incompatible product to the list. You cannot activate EEPC on a client system where these incompatible products are present.
Themes

Manage Themes — Adds and customizes a theme used as the background of the Pre-Boot Authentication page.

Simple Words

Add group — Creates a group that can hold a number of simple words. Not available for policies shared from another McAfee ePO.

Remove group — Deletes a group.

Import words to group — Browses to a text file containing simple words that can't be used as passwords. You can also select an encoding type for the file.

Regenerate missing simple word package — Compiles all the simple word groups and creates the simple words package files (.xml).

Tokens

Manage Tokens — Adds and manages extra token definitions. This lets you deploy and manage additional token modules at any time after the initial installation, as required.
Create a policy from the Policy Catalog
By default, policies created here are not assigned to any groups or systems. When you create a policy here, you are adding a custom policy to the Policy Catalog.
You can create policies before or after the McAfee Endpoint Encryption software is deployed.
Task
1 Click Menu | Policy | Policy Catalog.
2 Click Actions | New Policy.
3 Select the policy Category from the drop-down list.
4 Select the policy you want to duplicate from the Create a policy based on this existing policy drop-down list.
5 Type a name for the new policy.
6 Type a description in the Notes field, if required, then click OK. The Policy Settings wizard opens.
7 Edit the policy settings on each tab as needed and click Save.
Edit EE policy settings from Policy Catalog
You need to modify the Endpoint Encryption policies and assign them to systems or users, as appropriate, to meet your corporate requirements. Use McAfee ePO to modify the settings of a policy.
Before you begin
Your user account must have appropriate permissions to edit policy settings for the required product.
Task
1 Click Menu | Policy | Policy Catalog, then from the Product drop-down list, select Endpoint Encryption 7.0.0.
2 Select the policy Category from the drop-down list. All created policies for the selected category appear in the details pane.
3 Click the required policy, edit the required settings, then click Save.
Assign a policy to a system group
Assign a policy to multiple managed systems within a group. You can assign policies before or after deploying McAfee Endpoint Encryption to the client systems.
Task
1 Click Menu | Systems | System Tree | Systems, then select a group in the System Tree. All the systems within this group (but not its subgroups) appear in the details pane.
2 Select a system, then click Actions | Agent | Set Policy & Inheritance. The Assign Policies page appears.
3 From the Product drop-down list, select Endpoint Encryption 7.0.0.
4 Select the Category and Policy from the drop-down lists, then click Save.
Enforce EE policies on a system group
Enable or disable policy enforcement for a product on a System Tree group. Policy enforcement is enabled by default and is inherited in the System Tree.
Task
1 Click Menu | Systems | System Tree | Assigned Policies, then select a group in the System Tree.
2 Select Endpoint Encryption from the Product drop-down list, then click Enforcing next to Enforcement Status. The Enforcement page appears.
3 To change the enforcement status, first select Break inheritance and assign the policy and settings below.
4 Next to Enforcement status, select Enforcing or Not enforcing accordingly.
5 Select whether to lock policy inheritance so that groups and systems that inherit this policy can't break enforcement, then click Save.
6 Managing McAfee Endpoint Encryption users
The McAfee ePO server allows administrators to assign users from Windows Active Directory to McAfee
Endpoint Encryption managed systems.
The user's authentication credentials, token type, and the user information fields are managed from
the McAfee ePO server. McAfee Endpoint Encryption gives the administrator the freedom of adding and
removing the users to and from systems or system groups at any time.
This information is applicable to both Windows‑based systems and Mac‑based systems running McAfee
Endpoint Encryption.
Contents
View the list of users assigned to a system
Remove users from a system
Edit user inheritance
How EEPC controls the Windows logon mechanism
Enable Single-Sign-On (SSO) on a system
Synchronize the EEPC password with the Windows password
Configure password content rules
Manage a disabled user in Windows Active Directory
Managing the blacklist rule with the ALDU function
Configure global user information
Manage logon hours
Define EE permission sets for McAfee ePO users
View the list of users assigned to a system
You can use the McAfee ePO server to add EE users to a client system, and view them using this task. The Endpoint Encryption software can be activated on a client system only after one or more users have been added and the required encryption policies are enforced correctly.
Before you begin
You must have appropriate permissions to perform this task.
Task
1 Click Menu | Data Protection | Encryption Users to open the My Organization page.
2 From the System Tree pane, select a system from a group.
3 Click Actions | Endpoint Encryption | View Users. The Encryption Users page appears with a list of users for the selected system.
This does not display the user groups that are assigned at the branch level.
Remove users from a system
Using McAfee Endpoint Encryption, you can remove users from a client system. Check whether the user is assigned at system level or at branch level: a user assigned at branch level is still sent to the client system even after you remove the user from the system.
Before you begin
You must have appropriate permissions to perform this task.
Task
1 Click Menu | Data Protection | Encryption Users to open the My Organization page.
2 Select a system from a group in the System Tree pane on the left.
3 Click Actions | Endpoint Encryption | View Users. The Encryption Users page for the selected system opens with the list of users.
4 Select the User name from the list.
5 Click Actions | Endpoint Encryption | Delete Users. The Confirmation page appears. Click Yes or No to delete or retain the selected user.
Edit user inheritance
Add users to a group or delete selected users from a group. You can also group users at different organizational levels and edit the inheritance as required. This assigns multiple users to systems without having to work on the individual systems.
Before you begin
You must have appropriate permissions to perform this task.
Task
1 Click Menu | Data Protection | Encryption Users. The My Organization page opens.
2 Select the Organizational Unit from the System Tree and click the Group Users tab.
3 Click Edit in Inheritance broken to open the Edit Group Inheritance page.
4 Select Break inheritance, then click OK.
The user Inheritance broken status:
• True — The inheritance is broken. Breaking inheritance on a branch prevents inheritance of users and/or groups from any parent branch. It has no effect on users and/or groups assigned to the branch itself or to its children.
• False — The inheritance is not broken. A branch whose inheritance is not broken inherits users and/or groups from its parent until the inheritance is broken.
How EEPC controls the Windows logon mechanism
EEPC intercepts the Windows logon mechanism using a pass-through shim GINA on Windows 2003 and XP, and a Credential Provider on Vista.
On Windows 2000 and XP, a custom .ini file (EPEPCGINA.INI) helps EEPC analyze the logon page and place the credentials into the correct boxes on the logon page. In Windows Vista, Microsoft replaced the original MSGINA (Graphical Identification and Authentication) with a new mechanism, the Microsoft Credential Provider.
EEPC supports the Single Sign On architecture and implements a Credential Provider to communicate with Windows. EEPC presents each token as a potential logon method. When you log on to EEPC, it prompts for your Windows credentials only the first time and stores them securely. On subsequent logons, EEPC retrieves the stored Windows credentials to log on.
Enable Single-Sign-On (SSO) on a system
Enabling SSO on a system allows the user to log on to the system with a single authentication process: once the user authenticates through the Pre-Boot Authentication page, the operating system logon happens automatically.
The SSO feature is applicable to Windows-based systems only.
Task
1 Click Menu | Systems | System Tree, then select a group in the System Tree pane on the left.
2 Select the target System, then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 From the Product drop-down list, select Endpoint Encryption 7.0.0. The policy Categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the Product Settings policy category, then click Edit Assignments. The Product Settings page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 From the Assigned Policy drop-down list, select a policy, then click Edit Policy. The policy settings page appears.
From this location, you can edit the selected policy, or create a new policy.
7 From the Log On tab, select Enable SSO under the Windows pane.
McAfee Endpoint Encryption 7.0
Product Guide
73
6
Managing McAfee Endpoint Encryption users
Synchronize the EEPC password with the Windows password
8
9
If required, select these options:
•
Must match user name — This option makes sure that the SSO details are only captured when the
user’s Endpoint Encryption and Windows user name match.
•
Using smart card PIN — This option allows the administrator to capture the smart card PIN for SSO.
•
Synchronize Endpoint Encryption password with Windows — When the user changes on the client, it
synchronizes the new password to the EEPC user as well.
•
Allow user to cancel SSO — This option allows the user to cancel the SSO to Windows in the Pre‑Boot
only. When this option is enabled, the user has an additional checkbox at the bottom of the
Pre‑Boot logon dialog box. This setting lasts for a single boot only.
Click Save in Policy Settings page, then click Save in Product Settings page.
10 Send an agent wake‑up call.
Synchronize the EEPC password with the Windows password
Use this task to keep the EEPC password the same as the Windows password. When the user changes the Windows password, the change is synchronized to the EEPC user, so the user authenticates on the Pre‑Boot Authentication page with the Windows password.
This feature is applicable to Windows‑based systems only.
Task
1 Click Menu | Systems | System Tree. The Systems page appears. Select a group in the System Tree pane on the left.
2 Select a system, then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 Select Endpoint Encryption 7.0.0 from the Product drop‑down list. The policy categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the Product Settings policy category, then click Edit Assignments. The Product Settings page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 From the Assigned Policy drop‑down list, select the required policy, then click Edit Policy. The policy settings page appears.
From this location, you can edit the selected policy, or create a new policy.
7 On the Log On tab, select Enable SSO, then select Synchronize Endpoint Encryption password with Windows in the Windows pane.
8 Click Save in the Policy Settings page, then click Save in the Product Settings page.
Make sure that the Windows password adheres to the EEPC password content rules (the User Based Policy restrictions). Otherwise, the password synchronization does not run and the EEPC password is left unchanged.
9 Send an agent wake‑up call.
Configure password content rules
This policy setting determines whether EEPC passwords must meet complexity requirements. The requirements are enforced when the updated policy is assigned to the required user on a system.
Before you begin
You must have appropriate permissions to perform this task.
Task
1 Click Menu | Systems | System Tree. The Systems page appears. Select the group in the System Tree.
2 Select the system(s), then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 From the Product drop‑down list, select Endpoint Encryption 7.0.0. The policy categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the User Based Policy category, then click Edit Assignments. The User Based Policies page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 Select the policy from the Assigned Policy drop‑down list, then click Edit Policy. The Policy Settings page appears.
From this location, you can edit the selected policy, or create a new policy.
7 On the Password Content Rules tab, type the Password Length in the Minimum and Maximum fields.
8 In Enforce password content, type the number of Alpha, Numeric, Alphanumeric, and Symbols characters required to form a password.
9 Select or deselect the options under Password content restrictions to define the password content restriction rules.
10 Click Save in the Policy Settings page, then click Save in the User Based Policies settings page.
11 Send an agent wake‑up call.
When a Windows password change is synchronized to the EEPC password, Windows does not provide the old password to EEPC, so a restriction that depends on the previous password cannot be evaluated for synchronized changes.
Manage a disabled user in Windows Active Directory
Use this task to choose whether a user who has been disabled in the LDAP/AD server is disabled, deleted, or ignored in EEPC.
Task
1 Click Menu | Configuration | Server Settings. The Server Settings page appears.
2 Click Endpoint Encryption in the Setting Categories pane, then click Edit. The Edit Endpoint Encryption page opens on the General tab.
3 Select Disable, Ignore, or Delete from the If user disabled in directory drop‑down list.
The options in the drop‑down list apply only to users that are disabled in Active Directory. Ignore leaves the EEPC user unchanged, so an account disabled in the directory can still authenticate at the Pre‑Boot until it is dealt with in EEPC.
4 Click Save.
Managing the blacklist rule with the ALDU function
With the Add Local Domain User (ALDU) function, domain users who have previously logged on to the client system, or are currently logged on to it, are able to authenticate through the Pre‑Boot even if the administrator has not explicitly assigned them to the client system.
While this captures the regular users of the system, it also captures any account that logged on while the system was being built or configured, such as an administrator who set up the system. Pre‑Boot access is appropriate for some of these users and not for others.
To address this, use the Add Local Domain User Settings policy to add a blacklist of users to the ALDU functionality. Users matching the blacklist are excluded from the list of users assigned by the ALDU function.
Prioritization of policy assignment rules is not applicable to the ALDU blacklist policy.
Add an ALDU blacklist policy
You can add regular expressions to blacklist user accounts. Any user whose name matches a configured regular expression is excluded from the ALDU list. The regular expressions follow the ECMA‑262 (ECMAScript) standard.
Before you begin
• You must have appropriate permissions to perform this task.
• Make sure that you have installed the EEAdmin extension in McAfee ePO.
Task
1 Click Menu | Systems | System Tree, then select a group in the System Tree.
2 Select the system(s), then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 From the Product drop‑down list, select Endpoint Encryption 7.0.0. The policy categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the Add Local Domain User Settings policy category, then click Edit Assignments. The Add Local Domain User Settings page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 Select the policy from the Assigned Policy drop‑down list, then click Edit Policy. The Policy Settings page appears.
From this location, you can edit the selected policy, or create a new policy.
7 Click Add under Regular expression and type the regular expressions that exclude local domain users from being assigned to the client system. The examples below assume the user name is presented as \\domainname\username, which is why every backslash in the name is doubled in the expression.
• \\\\domainname\\username — Blacklists the specified user from the given domain.
• \\\\.*\\username — Blacklists the specified user name from all available domains.
• \\\\.*\\a.* — Blacklists all user names that start with the letter "a" from all available domains.
• \\\\.*\\[a-n].* — Blacklists all user names that start with a letter from "a" to "n" from all available domains. Do not write this as \\\\.*\\[a-n]*: the * quantifier also accepts an empty match, so that expression matches every user.
You can add multiple regular expressions under a single policy. All comparisons are case‑insensitive.
8 Click Test to verify the regular expression. The test expression screen appears.
9 Type the user name in the Value field and validate the specified regular expression.
10 On the Policy Settings page, click Save, then click Save in the Add Local Domain User Settings page.
11 Send an agent wake‑up call.
Users already assigned are not removed from the system once a blacklist is assigned; an account captured before the blacklist was applied, such as the administrator who built the system, remains assigned.
During the next ASCI (agent‑server communication interval), the rule is applied to the new local domain users that would be assigned to the client system where the policy is enforced.
You can also add or remove a blacklist rule to or from an existing ALDU blacklist policy.
Configure global user information
Global users have read and write permissions to all operations. You can create additional global administrator accounts for people who require global administrator rights. Use this task to configure the user information fields available in Server Settings within EEPC.
Task
1 Click Menu | Configuration | Server Settings. The Server Settings page appears.
2 Click Endpoint Encryption in the Setting Categories pane, then click Edit. The Edit Endpoint Encryption page opens on the General tab.
3 Click Add next to User Information Fields.
4 Type the Question relating to the user, then select the required user attribute name from the LDAP Attribute Name list.
Here, LDAP refers to Windows Active Directory.
5 Click + or ‑ in the interface to add or remove user information fields.
6 Click Save.
User information fields can be set by selecting the individual user in the EE: Users query. To display the users, click Menu | Reporting | Queries | Shared Groups | Endpoint Encryption, then click Run next to EE: Users.
Manage logon hours
Control and limit the hours during which a user can log on to the McAfee Endpoint Encryption client system.
This option does not force the user to log out of the current session, even if the current time falls within the logon restriction. However, once the user logs out, the user cannot log on to the client system again until the next allowed logon hour.
The logon hours policy is applied only when the user is not logged on.
Task
1 Click Menu | Systems | System Tree, then select a group in the System Tree.
2 Select the system(s), then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 Select Endpoint Encryption 7.0.0 from the Product drop‑down list. The policy categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the User Based Policy category, then click Edit Assignments. The User Based Policies page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 Select a policy from the Assigned Policy drop‑down list, then click Edit Policy. The Policy Settings page appears.
From this location, you can edit the selected policy, or create a new policy.
7 On the Authentication tab, select Apply restrictions in Logon Hours, then schedule the logon times by blocking or allowing the different logon hours.
8 Click Save in the Policy Settings page, then click Save in the User Based Policies settings page.
9 Send an agent wake‑up call.
Define EE permission sets for McAfee ePO users
User accounts provide a means for users to access and use the McAfee Endpoint Encryption software. They are associated with permission sets that define what users are allowed to do with the software. You must create user accounts and permission sets to accommodate the needs of each user that logs on to the McAfee ePO server.
The administrator can set up Endpoint Encryption product‑specific permission sets for the different users and systems on McAfee ePO.
Task
1 Click Menu | User Management | Permission Sets to open the Permission Sets page.
2 Click New Permission Set to open the New Permission Set page.
3 Type a permission set name in the Name field.
4 Select the Active Directory groups mapped to this permission set. To add a new Active Directory group, click Add, browse to the group, then click OK.
5 Select the Server name, then click Save. The Permission Set page appears.
6 Click Edit next to Endpoint Encryption under the newly created permission set. The Edit Permission Set page opens.
7 Select the required permission setting, then click Save.
You can assign this new permission set to an existing or a new McAfee ePO user using Menu | User Management | Users. Grant each permission set only the Endpoint Encryption rights that its users actually need for their role.
7 Managing client computers
System management helps administrators import system information from the Active Directory server into McAfee ePO. This is useful when installing Endpoint Encryption and assigning users to systems.
This information is applicable to both EEPC and EEMac.
Contents
Add a system to an existing system group
Move systems between groups
Select the disks for encryption
Enable or disable the automatic booting
Enable or disable the temporary automatic booting for PC
Enable or disable the temporary automatic booting for Mac
Set the priority of encryption providers
Maintain a list of incompatible products
Enable Accessibility (USB audio devices) in the Pre-Boot environment
Allow user to update self-recovery answers
Manage the default and customized themes
Assign a customized theme to a system
Manage simple words
Endpoint Encryption system recovery
Add a system to an existing system group
Use ePolicy Orchestrator to import systems from your Network Neighborhood into groups for working with EEPC. You can also import a network domain or Active Directory container.
For EEMac, the client system is added to the System Tree in McAfee ePO automatically when the McAfee Agent for Mac is installed successfully on the Mac client, so you do not have to add the Mac client manually.
Task
1 Click Menu | Systems | System Tree, then in the System Tree Actions menu, click New Systems. The New Systems page appears.
2 Select the required option from How to add systems.
3 In the Systems to add field, type the NetBIOS name of each system, separated by commas, spaces, or line breaks. Alternatively, click Browse to select the systems.
4 If you select Push agents and add systems to the current group, you can enable automatic System Tree sorting. Do this to apply the sorting criteria to these systems.
Complete the following options:
Option: Action
Agent version: Select the agent version to deploy.
Installation path: Configure the agent installation path or accept the default.
Credentials for agent installation: Type valid credentials to install the agent: Domain (the domain of the system), User name (the logon user name), and Password (the logon password). Use a dedicated deployment account that has local administrator rights on the target systems rather than a domain administrator account.
Number of attempts: Type an integer for the number of attempts, or zero for continuous attempts.
Retry interval: Type the interval in seconds between two attempts.
Abort After: Type the number of minutes before stopping the connection.
Connect using or Push Agent using (McAfee ePO 4.6): Select the connection used for the deployment, either Selected Agent Handler (select the server from the list) or All Agent Handlers.
5 Click OK.
For more details and procedures on how to perform this task, see the product documentation for your version of McAfee ePO.
Move systems between groups
Move systems from one group to another in the System Tree. You can move systems from any page that displays a table of systems, including the results of a query.
In addition to the steps below, you can also drag and drop systems from the Systems table to any group in the System Tree.
Even if you have a perfectly organized System Tree that mirrors your network hierarchy and uses automated tasks and tools to synchronize regularly, you may still need to move systems manually between groups. For example, you may need to periodically move systems out of the Lost&Found group.
Task
1 Click Menu | Systems | System Tree | Systems, then browse to and select the systems.
2 Click Actions | Directory Management | Move Systems. The Select New Group page appears.
3 Select whether to enable, disable, or leave unchanged the System Tree sorting on the selected systems when they are moved.
4 Select the group in which to place the systems, then click OK.
Select the disks for encryption
To encrypt the target disk on your client system, select the required encryption type and set the encryption priority in the Product Settings policy available with the EEPC product.
Before you begin
You must have appropriate permissions to perform this task.
Task
1 Click Menu | Systems | System Tree, then select a group in the System Tree.
2 Select the system(s), then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 From the Product drop‑down list, select Endpoint Encryption 7.0.0. The policy categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the Product Settings policy category, then click Edit Assignments. The Product Settings page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 Select the policy from the Assigned Policy drop‑down list, then click Edit Policy. The Policy Settings page appears.
From this location, you can edit the selected policy, or create a new policy.
7 On the Encryption tab, select the disk(s) to be encrypted. For Self‑Encrypting (Opal) drives, select either All disks or Boot only. The encryption type options None, All disks except boot disk, and Selected partitions are not applicable to Self‑Encrypting (Opal) drives.
To initiate encryption on the client, you must select an option other than None. The default option, None, does not initiate encryption, so a system left at the default is unencrypted even though the policy has been enforced.
8 On the Policy Settings page, click Save, then click Save in the Product Settings page.
9 Send an agent wake‑up call.
Enable or disable the automatic booting
The Endpoint Encryption Pre‑Boot logon environment allows you to select a logon method and requires authentication credentials such as a user name and password. If the user provides the correct authentication details, the McAfee Endpoint Encryption boot code starts the crypt driver in memory and boots the original operating system of the protected system.
Enabling automatic booting removes the Pre‑Boot Authentication from the client system.
If you enable this option, be aware that the McAfee Endpoint Encryption software does not protect the data on the drive when the system is not in use: anyone who can start the system reaches the operating system logon without authenticating to EEPC, so the disk encryption no longer defends against someone with physical access to the powered‑off machine.
Task
1 Click Menu | Systems | System Tree, then select a group in the System Tree.
2 Select the system(s), then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 From the Product drop‑down list, select Endpoint Encryption 7.0.0. The policy categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the Product Settings policy category, then click Edit Assignments. The Product Settings page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 Select the policy from the Assigned Policy drop‑down list, then click Edit Policy. The Policy Settings page appears.
From this location, you can edit the selected policy, or create a new policy.
7 On the Log On tab, select or deselect Enable automatic booting in the Endpoint Encryption pane to disable or enable the Pre‑Boot environment. A security warning, "This will remove the pre‑boot authentication. Are you sure?", appears.
8 Click Yes to confirm or No to cancel.
9 Set the expiration date and time for the automatic booting, if required. Setting an expiration limits how long the system runs without Pre‑Boot Authentication.
10 Click Save in the Policy Settings page, then click Save in the Product Settings page.
11 Send an agent wake‑up call.
Enable or disable the temporary automatic booting for PC
Endpoint Encryption for PC allows you to turn the Pre‑Boot Authentication screen on or off with a client‑side utility. This eliminates the need to modify the policy in McAfee ePO, and allows patching and other client management scenarios that need unattended reboots to be fully automated.
Task
1 Download and install EEPC 7.0.
2 Open the Endpoint Encryption Admin Tools directory, extract EEAdminTools.zip, and locate the EpeTemporaryAutoboot.exe file.
This file must be distributed to your client systems.
3 Log on to McAfee ePO and navigate to Menu | Policy | Policy Catalog, select Endpoint Encryption 7.0.0 from the Product drop‑down menu, then select Product Settings from the Category drop‑down.
4 Click the policy that you want to change.
5 On the General tab, select Allow temporary automatic booting.
If this option is not selected, EpeTemporaryAutoboot.exe cannot be used on the client system.
6 Send an agent wake‑up call so that the client systems receive the new policy. You can now use this feature on the client systems.
7 Write a script or use a client management application to run EpeTemporaryAutoboot.exe.
There are four basic options. All of them must be run with administrator privileges on the client system.
• Allow automatic booting for X reboots. Example syntax: EpeTemporaryAutoboot.exe --number-of-reboots 3
• Allow automatic booting for X minutes. Example syntax: EpeTemporaryAutoboot.exe --timeout-in-minutes 15
• Clear the temporary autoboot. Example syntax: EpeTemporaryAutoboot.exe --clear
• Show help. Example syntax: EpeTemporaryAutoboot.exe --help
While temporary autoboot is active, the system starts without Pre‑Boot Authentication. Use the smallest reboot count or timeout the maintenance needs, and run the --clear option as soon as it is finished rather than waiting for the window to expire.
Enable or disable the temporary automatic booting for Mac
Endpoint Encryption for Mac allows you to turn the Pre‑Boot Authentication screen on or off with a client‑side utility. This eliminates the need to modify the policy in ePolicy Orchestrator, and allows patching and other client management scenarios that need unattended reboots to be fully automated.
Task
1 Download and install EEMac 7.0.
2 Extract EEMAC70_EN.zip and open the Endpoint Encryption Misc directory.
3 Open the Endpoint Encryption Admin Tools directory, extract EEAdminTools.zip, and locate the EpeTemporaryAutoboot file.
This file must be distributed to your client systems.
4 Log on to McAfee ePolicy Orchestrator and navigate to Menu | Policy | Policy Catalog, select Endpoint Encryption 7.0.0 (or later) from the Product drop‑down menu, then select Product Settings from the Category drop‑down.
5 Click the policy that you want to change.
6 On the General tab, select Allow temporary automatic booting.
If this option is not selected, EpeTemporaryAutoboot cannot be used on the client.
7 Send an agent wake‑up call so that the client systems receive the new policy. You can now use this feature on the client systems.
8 Write a script or use a client management application to run EpeTemporaryAutoboot.
There are two basic options. Both must be run with administrator privileges on the client system.
• Allow automatic booting for X reboots. Example syntax: sudo <path to file>/EpeTemporaryAutoboot --number-of-reboots 3
• Allow automatic booting for X minutes. Example syntax: sudo <path to file>/EpeTemporaryAutoboot --timeout-in-minutes 15
No clear option is listed for the Mac utility, so choose the reboot count or timeout so that the window closes as soon as the maintenance is done.
Set the priority of encryption providers
The priority of the encryption providers (PC Software and PC Opal, or Mac OS X Software) can be set in the Product Settings policy available with McAfee Endpoint Encryption. You change the encryption priority by moving the encryption provider rows up and down, as appropriate. The encryption priority determines your preference of encryption technology.
Before you begin
You must have appropriate permissions to perform this task.
Task
1 Click Menu | Systems | System Tree, then select a group in the System Tree.
2 Select the system(s), then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 From the Product drop‑down list, select Endpoint Encryption 7.0.0. The policy categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the Product Settings policy category, then click Edit Assignments. The Product Settings page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 Select a policy from the Assigned Policy drop‑down list, then click Edit Policy. The Policy Settings page appears.
From this location, you can edit the selected policy, or create a new policy.
7 On the Encryption tab, set the Encryption Provider priority by moving the encryption provider rows up and down, as appropriate. The encryption priority determines the order in which the providers are tried on the client systems.
By default, software encryption is used on both Opal and non‑Opal systems in this version of EEPC. To ensure that Opal technology is chosen in preference to software encryption, always set Opal as the default encryption provider by moving it to the top of the list on the Encryption Providers page. Opal management is then used on Opal drives, while non‑Opal drives fall back to software encryption.
8 Click Save in the Policy Settings page, then click Save in the Product Settings page.
9 Send an agent wake‑up call.
Maintain a list of incompatible products
Using McAfee ePO, you can create and import a rule with a set of product names that are to be flagged as incompatible with EEPC.
Before you begin
You must have appropriate permissions to perform this task.
Task
1 Click Menu | Configuration | Server Settings. The Server Settings page appears.
2 Click Endpoint Encryption in the Setting Categories pane, then click the Manage incompatible products option on the right. The Endpoint Encryption incompatible products page appears with a list of products that are not compatible with McAfee Endpoint Encryption.
3 To import an incompatible product definition, click Actions | Import incompatible product rule. The Import incompatible product rule page appears.
4 Browse to and select the .xml file that defines the rule to detect the incompatible product, then click OK. This adds it to the incompatible product list.
Enable Accessibility (USB audio devices) in the Pre-Boot environment
The USB audio functionality allows visually impaired users to hear spoken guidance as the focus moves from one field to the next, by mouse or keyboard, in the Pre‑Boot environment. This feature is not applicable to EEMac.
Before you begin
• Make sure that you have installed the EEAdmin extension on the McAfee ePO server.
• Make sure that you have enabled the Enable Accessibility option under Log On | Endpoint Encryption.
This allows any external USB audio device to be used to play back pre‑recorded audio files. The vocal prompts indicate which control or option has the focus (that is, Username, Password, the OK button, and so on) and specific error conditions.
When the product is installed or updated, the vocal prompts are installed on the client system only. The audio files are transferred to the PBFS only when the policy setting is enabled. This saves space in the PBFS on systems that do not need this functionality.
508 compliance audio is not available under UEFI, because the UEFI environment lacks audio drivers.
Task
1 Click Menu | Systems | System Tree, then select a group in the System Tree.
2 Select the system(s), then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 From the Product drop‑down list, select Endpoint Encryption 7.0.0. The policy categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the Product Settings policy category, then click Edit Assignments. The Product Settings page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 Select the policy from the Assigned Policy drop‑down list, then click Edit Policy. The Policy Settings page appears.
From this location, you can edit the selected policy, or create a new policy.
7 On the Boot Options tab, select Always enable pre‑boot USB support to enable USB on the client system.
Make sure that you also enable the Enable Accessibility option under Log On | Endpoint Encryption.
8 Click Save in the Policy Settings page, then click Save in the Product Settings page.
9 Send an agent wake‑up call.
When the user authenticates on the client system after this policy is enforced, the user hears the audio guidance in the Pre‑Boot environment.
This functionality provides the audio guidance in the English language only.
Allow user to update self-recovery answers
The client user's self‑recovery details can be reset using the Allow users to re‑enroll self‑recovery information at PBA option available in the Product Settings policy.
Before you begin
Make sure that you have enabled the Enable Self‑recovery option under User Based Policy | Self‑recovery.
Task
1 Click Menu | Systems | System Tree, then select a group in the System Tree.
2 Select the system(s), then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 From the Product drop‑down list, select Endpoint Encryption 7.0.0. The policy categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the Product Settings policy category, then click Edit Assignments. The Product Settings page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 Select a policy from the Assigned Policy drop‑down list, then click Edit Policy. The Policy Settings page appears.
From this location, you can edit the selected policy, or create a new policy.
7 On the Recovery tab, enable the Allow users to re‑enroll self‑recovery information at PBA option.
8 Click Save in the Policy Settings page, then click Save in the Product Settings page.
9 Send an agent wake‑up call.
Once this policy is saved and enforced on the client system, the Pre‑Boot Authentication (Username) screen shows a new checkbox, Reset Self Recovery. When the user selects Reset Self Recovery, the user is prompted for the password and then for self‑recovery enrollment, and must enroll new self‑recovery answers. The password prompt is what prevents someone other than the account holder from replacing the recovery answers from the Pre‑Boot screen.
Only initialized users can reset their self‑recovery details.
Manage the default and customized themes
The default theme is downloaded to the client system when the EEAgent and EEPC software package
deployment task is sent to the client computers. Add and manage a theme that will be used as a
background in the Pre‑Boot Authentication page.
Before you begin
You must have appropriate permissions to perform this task.
The Endpoint Encryption Themes package is added automatically to the master repository (Menu | Software | Master Repository) after you install the EEAdmin.zip extension in ePolicy Orchestrator.
If you already use customized themes with EEPC 6.1 Patch 2 or later, recreate them from the EEPC 7.0 default theme after the upgrade so that the EEPC 7.0 user interface is displayed. Otherwise the client continues to display the 6.1 Patch 2 (or later) user interface and audio, and the new user interface controls will be missing.
Task
1 Click Menu | Configuration | Server Settings. The Server Settings page appears.
2 Click Endpoint Encryption in the Setting Categories pane, then click the Manage Themes option on the right. The Endpoint Encryption Theme page opens.
3 Click Actions | Add. The Install new theme page appears.
4 Type a theme name in the Name field, then select the Create a new theme based on an existing theme option.
5 Select a theme from the Based on drop‑down list.
6 Browse to the Background Image, then click OK. This creates the new theme package in the C:\Program Files\McAfee\ePolicyOrchestrator\DB\Software\Current\EETHEME\DAT\0000 folder.
You can also browse to and install a theme package using the Select Theme package to install option.
7 Download the custom themes to the client using one of the following:
• Update Now option under Menu | Systems | System Tree | Actions | Agent in ePolicy Orchestrator
• Product Update task
• Update Security from the client
All themes have a unique ID. When you run the update task, the theme IDs are verified against the theme IDs already on the client, and a theme is downloaded only if it has changed.
The downloaded theme packages are stored in the following folder on the client system:
• EEPC — C:\Program files\McAfee\Endpoint Encryption Agent\Repository\Themes
• EEMac — /Library/McAfee/ee/Agent/Repository/Themes
8 Change the theme in the Product Settings Policy and send an agent wake‑up call to apply the customized theme.
Assign a customized theme to a system
You can customize an existing theme and assign it to a client system, where it is used as the background of the Pre‑Boot Authentication page.
Before you begin
You must have appropriate permissions to perform this task.
Task
1 Click Menu | Systems | System Tree. The Systems page appears. Select the group under System Tree.
2 Select the system, then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 From the Product drop‑down list, select Endpoint Encryption 7.0.0. The policy categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the Product Settings policy category, then click Edit Assignments. The Product Settings page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 Select the policy from the Assigned policy drop‑down list, then click Edit Policy. The Policy Settings page appears.
From this location, you can edit the selected policy, or create a new policy.
7 On the Theme tab, select the required customized theme from the Select theme drop‑down list.
8 Click Save in the Policy Settings page, then click Save in the Product Settings page.
9 Send an agent wake‑up call.
Manage simple words
Use ePolicy Orchestrator to add and manage simple words, that is, words that can't be used as passwords. The Endpoint Encryption simple words package is added to the master repository (Menu | Software | Master Repository) when you click Regenerate missing simple word package in Manage simple words, which is available after you install the EEAdmin.zip extension in ePolicy Orchestrator.
Before you begin
You must have appropriate permissions to perform this task.
Task
1 Click Menu | Configuration | Server Settings. The Server Settings page appears.
2 Click Endpoint Encryption in the Setting Categories pane, then click the Manage simple words option on the right. The Manage simple words page opens.
3 Click Group Actions | Add group. The Add group window appears.
4 Type the name of the group and click OK to create the simple word group.
5 Click Actions | Add and type the simple words that can't be used as passwords.
6 Click Group Actions | Regenerate missing simple word package and click Yes in the confirmation message window to create the simple words package. This creates the simple words package (.xml file) for the simple words group in the C:\Program Files\McAfee\ePolicyOrchestrator\DB\Software\Current\EESWORD\DAT\0000 folder.
7 Download the simple word package to the client using one of these methods:
• Update Now option under Menu | Systems | System Tree | Actions | Agent in ePolicy Orchestrator
• Product Update task
• Update Security from the client
All simple word packages (.xml files) have a unique ID. When you run the update task, the package IDs are verified against the package IDs already on the client, and a package is downloaded only if it has changed.
The downloaded simple word packages are stored in the following folder on the client system:
• EEPC — C:\Program files\McAfee\Endpoint Encryption Agent\Repository\SimpleWords
• EEMac — /Library/McAfee/ee/Agent/Repository/SimpleWords
8 Enable the No simple words option under User Based Policies | Password Content Rules, select the required word group from the drop‑down list, then send an agent wake‑up call to apply the policy to the client.
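The No simple words rule is a password content check run against the words of the selected simple word group. The following Python is an added example, not McAfee's code and not the real layout of the EESWORD package: it parses a constructed package whose element names (simplewords, group, word) are assumed, and rejects any password that contains a listed word. Case folding and the undoing of look‑alike substitutions such as P@ssw0rd go beyond what the page states and are this example's assumption about how matching should behave.

```python
import xml.etree.ElementTree as ET
from typing import FrozenSet, Optional

# Constructed sample package. The real .xml layout of the EESWORD package is
# not shown on the page; these element names are an assumption for the example.
SAMPLE_PACKAGE = """<?xml version="1.0" encoding="utf-8"?>
<simplewords>
  <group name="Corporate">
    <word>password</word>
    <word>welcome</word>
    <word>mcafee</word>
    <word>summer</word>
  </group>
</simplewords>
"""

# Common look-alike substitutions ("P@ssw0rd"). Not described on the page;
# added so the rule is not trivially evaded.
_LOOKALIKES = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i",
                             "3": "e", "$": "s", "5": "s", "7": "t"})


def load_simple_words(xml_text: str, group: str) -> FrozenSet[str]:
    """Return the case-folded word set of one simple word group in the package."""
    root = ET.fromstring(xml_text)
    for g in root.iter("group"):
        if g.get("name") == group:
            return frozenset(w.text.strip().casefold()
                             for w in g.iter("word") if w.text and w.text.strip())
    raise KeyError(f"no simple word group named {group!r}")


def normalise(password: str) -> str:
    """Case-fold and undo look-alike substitutions before matching."""
    return password.casefold().translate(_LOOKALIKES)


def find_simple_word(password: str, words: FrozenSet[str]) -> Optional[str]:
    """Return the simple word found inside the password, or None.

    Longest words are tried first so the most specific hit is reported.
    Matching is substring-based (assumption: the page only says that simple
    words "can't be used as passwords").
    """
    candidate = normalise(password)
    for word in sorted(words, key=len, reverse=True):
        if word in candidate:
            return word
    return None


def no_simple_words_rule(password: str, words: FrozenSet[str]) -> bool:
    """True when the password satisfies the No simple words content rule."""
    return find_simple_word(password, words) is None


if __name__ == "__main__":
    corporate = load_simple_words(SAMPLE_PACKAGE, "Corporate")
    for pw in ("Welcome2013!", "P@ssw0rd!", "Tq7#vR9!pL2z"):
        hit = find_simple_word(pw, corporate)
        print(f"{pw:14} -> {'rejected, contains ' + repr(hit) if hit else 'accepted'}")
```

The check is deliberately a substring test: a rule that only rejected exact matches would still allow "Welcome2013!", which is the kind of password a simple word group exists to stop.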
Endpoint Encryption system recovery
The purpose of encrypting the client's data is to control access to the data by controlling access to the encryption keys, so the keys must not be accessible to users.
The key that encrypts the hard disk sectors is called the Machine Key and must be protected. Each system has its own unique Machine Key, and a copy is stored in the McAfee ePO database so that it can be used for client recovery when required. This makes the ePO database, and the permissions that allow recovery information to be exported, part of the trust boundary of every encrypted disk. Four system recovery options are available in Endpoint Encryption under Menu | Systems | System Tree | System | Actions | Endpoint Encryption.
Table 7-1 Endpoint Encryption system recovery
Destroy all recovery information
When you want to secure‑erase the drives of a system with EEPC installed, remove all users from the system (including those inherited from parent branches in the System Tree). The disks then become inaccessible through normal authentication, because no users are assigned to the system any longer. Then destroy the recovery information for the system using Menu | Systems | System Tree | Systems | Actions | Endpoint Encryption | Destroy All Recovery Information in the McAfee ePO console. After this the system can never be recovered.
Key Re‑use
This option activates the system with the existing key held on the McAfee ePO server. It is useful when a boot disk becomes corrupted and the user cannot access the system: the system's disks other than the corrupted boot disk can be recovered by activating the system with the same key from McAfee ePO.
Export recovery information
This option exports the recovery information file (.xml) for the chosen client system from McAfee ePO. Every client system encrypted with EEPC has a recovery information file in McAfee ePO. Anyone who needs to run the recovery procedures on a client system must obtain the file from the McAfee ePO administrator for EEPC. For more information, see the EETech User Guide.
The recovery information file is named after the client system: client system name.xml.
Export recovery information based on Disk Keycheck
This option exports the recovery information file (.xml) for a single disk of a client system from McAfee ePO. Every disk of a client system has a disk keycheck value. For instance, if a client system has a disk called 'Disk1', you can recover that client system (when it is in an unrecoverable state) using the keycheck value of 'Disk1'. However, if a new disk 'Disk2' is installed and activated in the same client system, you must use the keycheck value of 'Disk2'; the keycheck value of 'Disk1' no longer takes priority.
To perform this task, access the client system using EETech and obtain the disk keycheck value with the Disk Information option in the EETech user interface.
• In McAfee ePO, click Actions | Endpoint Encryption | Export recovery information based on Disk Keycheck and enter the obtained disk keycheck value in the Key Check field.
• The recovery information file (.xml) appears; export it to the inserted removable media.
• Use this file to authenticate to the client system using EETech. For more information, see the EETech User Guide.
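The keycheck lets a technician at the EETech prompt identify which disk's recovery record is needed without the value itself exposing the key. The following Python is an added illustration, not McAfee's code: how the real keycheck is derived is not documented on this page, so the example assumes it is the first 64 bits of SHA‑256 over the disk key, models the note above about Disk2 taking priority over Disk1 by treating the most recently activated disk as the system's current one, and uses an in‑memory RecoveryStore as a stand‑in for the ePO database.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

_HEX = set("0123456789abcdef")


def keycheck(key: bytes) -> str:
    """Non-secret fingerprint of a disk key (assumed: first 64 bits of SHA-256).

    It can be read out in EETech and quoted to the administrator without
    revealing the key itself, because SHA-256 is one-way.
    """
    return hashlib.sha256(key).hexdigest()[:16]


@dataclass(frozen=True)
class DiskRecord:
    system: str
    disk: str
    key: bytes      # the key protecting this disk; leaves the server only via export
    seq: int        # activation order; a later disk becomes the system's current one


class RecoveryStore:
    """In-memory stand-in for the recovery information held in the ePO database."""

    def __init__(self) -> None:
        self._records: List[DiskRecord] = []
        self._seq = 0

    def activate_disk(self, system: str, disk: str, key: Optional[bytes] = None) -> str:
        """Record a newly activated disk and return its keycheck."""
        key = key if key is not None else secrets.token_bytes(32)
        self._seq += 1
        self._records.append(DiskRecord(system, disk, key, self._seq))
        return keycheck(key)

    def export_recovery_information(self, system: str) -> Dict[str, str]:
        """'Export recovery information': the system's most recently activated disk."""
        records = [r for r in self._records if r.system == system]
        if not records:
            raise KeyError(f"no recovery information for {system!r}")
        current = max(records, key=lambda r: r.seq)
        return self._export(current)

    def export_by_keycheck(self, kc: str) -> Optional[Dict[str, str]]:
        """'Export recovery information based on Disk Keycheck': exact disk match."""
        wanted = kc.strip().lower()
        if not wanted or any(c not in _HEX for c in wanted):
            return None                       # not a keycheck; refuse rather than raise
        for r in self._records:
            if secrets.compare_digest(keycheck(r.key), wanted):
                return self._export(r)
        return None

    def destroy_all_recovery_information(self, system: str) -> int:
        """Drop every record for the system; afterwards it can never be recovered."""
        before = len(self._records)
        self._records = [r for r in self._records if r.system != system]
        return before - len(self._records)

    @staticmethod
    def _export(r: DiskRecord) -> Dict[str, str]:
        # The real export is an XML file named <client system name>.xml; this dict
        # stands in for its contents. It carries the key, so handle it as a secret.
        return {"system": r.system, "disk": r.disk,
                "keycheck": keycheck(r.key), "key": r.key.hex()}


if __name__ == "__main__":
    store = RecoveryStore()
    k1 = store.activate_disk("LAPTOP01", "Disk1")
    k2 = store.activate_disk("LAPTOP01", "Disk2")     # replacement disk activated later
    print("current disk:", store.export_recovery_information("LAPTOP01")["disk"])
    print("by keycheck", k1, "->", store.export_by_keycheck(k1)["disk"])
    print("destroyed", store.destroy_all_recovery_information("LAPTOP01"), "records")
```

Note the asymmetry the example makes visible: the keycheck can be spoken over a helpdesk call, but the exported record contains the key in the clear and must be moved on controlled removable media and destroyed after use.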
What happens to the Machine Key when you delete an Endpoint Encryption active
system from ePolicy Orchestrator?
The Machine Key remains in the ePolicy Orchestrator database; however, the key association with the
client system is lost when the client system is deleted from ePolicy Orchestrator. When the client
system reports back to ePolicy Orchestrator during the next ASCI, it will appear as a new node. A new
node does not have any users assigned to the client system. The administrator must therefore assign
users to allow logon, assign administrative users to the McAfee ePO branch where the systems are
added (by default Lost&Found), or enable the Add local domain user option in the Product Setting Policy. Also,
the administrator must configure the required policies in ePolicy Orchestrator.
The next agent to server communication after adding the users and configuring the policies makes sure that:
• The Machine Key is re‑associated with the client system and the recovery key is available. When the associated Machine Key is not present for the new node, ePolicy Orchestrator sends a Machine Key request. If a user is logged on to the client system, an agent to server communication between the client and the McAfee ePO server ensures that the Machine Key is updated in ePolicy Orchestrator and the users are updated on the client. Thereafter the Machine Key is available, and admin recovery and policy enforcement work.
• The users are assigned to the client system, so these users can log on to the client system straight away.
You cannot log on to the client system before a proper agent to server communication occurs. In this situation, the re‑association of the Machine Key can be performed using EETools. The recovery key is then also available and can be used with the EETech tool to recover the client system.
For EETool details and procedures, see the KnowledgeBase article: https://kc.mcafee.com/corporate/index?page=content&id=KB582699
8 McAfee Endpoint Encryption out-of-band management
Intel® Active Management Technology (Intel® AMT) is a hardware‑based technology for remotely managing and securing Intel® AMT systems using out‑of‑band communication.
It is part of the Intel® Management Engine built into systems with Intel® vPro technology, and gives network administrators hardware‑assisted security and manageability capabilities for maintaining, managing, and protecting Intel® AMT client systems.
Out‑of‑band management allows the administrator to connect to a computer's management controller when the computer is turned off, in sleep or hibernate mode, or unresponsive through the operating system.
The EEDeep extension, shipped with the EEPC product and used together with the McAfee® ePO Deep Command product, uses Intel® AMT to provide out‑of‑band encryption management of Intel® AMT systems that are locked at the EEPC Pre‑Boot screen.
Contents
The EEDeep extension
Enable the out-of-band feature
Configure the Out Of Band - Remediation functionality
Configure the Out Of Band - Unlock PBA feature
Configure the Out Of Band - User Management feature
The EEDeep extension
The Intel® AMT out‑of‑band feature in EEPC 7.0 provides the system actions Out Of Band ‑ Remediation, Out Of Band ‑ Unlock PBA, and Out Of Band ‑ User Management.
For more information about these actions, see the Configure the Out Of Band ‑ Remediation functionality, Configure the Out Of Band ‑ Unlock PBA feature, and Configure the Out Of Band ‑ User Management feature sections. These actions are available in the McAfee ePO console only after you install the EEDeep extension.
You must install the McAfee Deep Command product extensions before installing the EEDeep extension. For more information about the requirements for configuring your Intel® AMT systems, see the ePO Deep Command Product Guide.
Enable the out-of-band feature
Using McAfee ePO, you enable the EEPC out‑of‑band management features through policy and then perform actions on Intel® AMT provisioned client systems. To enable the configured out‑of‑band settings, you must enable Out‑of‑Band | Enable at PBA in the Product Settings Policy.
Before you begin
• You must have appropriate permissions to perform this task.
• Make sure that your client system meets the requirements for Intel® AMT out‑of‑band management. For more information about Intel® AMT configurations and settings, see the ePO Deep Command Product Guide.
Task
1 Log on to the ePolicy Orchestrator server as a user who has been assigned valid EEPC permissions.
2 Click Menu | Systems | System Tree.
3 Select a system, then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
4 From the Product drop‑down list, select Endpoint Encryption 7.0.0. The policy categories under Endpoint Encryption appear with the system's assigned policy.
5 Click Edit Assignment next to the Product Settings Policy to open the Endpoint Encryption 7.0.0 : Product Settings page.
6 If the policy is inherited, in the Inherit from field, select the Break inheritance and assign the policy and settings below option.
7 From the Assigned policy drop‑down list, select the Product Settings Policy, then click Edit Policy. The Policy Settings page appears.
From this location, you can edit the selected policy or create a new policy.
8 Click the Out‑of‑Band tab, then select the Enable at PBA option.
9 Click Save in the Policy Settings page, then click Save in the Endpoint Encryption 7.0.0 : Product Settings page.
10 Send an agent wake‑up call.
The EEPC out‑of‑band functionality is now enabled.
Configure the Out Of Band - Remediation functionality
Using McAfee ePO, you can select a managed system that is connected to the network and perform an emergency boot or restore the MBR by remotely forcing the system to reboot from a specialist disk image. EEDeep determines which specialist disk image to use for each task based on the type of system, but you can also select a disk image manually in the McAfee ePO console. Because the client boots from an image supplied over Intel® AMT, protect the Intel® AMT credentials configured in McAfee ePO Deep Command as carefully as the McAfee ePO console itself.
Before you begin
• You must have appropriate permissions to perform this task.
• Make sure that your client system meets the requirements for Intel® AMT out‑of‑band management. For more information about Intel® AMT configurations and settings, see the ePO Deep Command Product Guide.
Task
1 Log on to the ePolicy Orchestrator server as a user who has been assigned valid EEPC permissions.
2 Click Menu | Systems | System Tree.
3 Select a system, then click Actions | Endpoint Encryption | Out Of Band ‑ Remediation to open the Out Of Band ‑ Remediation screen.
4 Select one of these options as applicable:
• Emergency Boot: Select this option to perform an Emergency Boot on the client system. The Automatic option deploys the correct type of image to the system; if you know your system's hardware, you can instead select MBR recovery image or MBR OPAL recovery image from the Disk image to use drop‑down list.
• Restore Endpoint Encryption MBR: Select this option to restore the MBR on the client system. The Automatic option deploys the correct type of image to the system; if you know your system's hardware, you can instead select MBR recovery image from the Disk image to use drop‑down list.
These options are not supported on UEFI systems.
5 Click OK.
Configure the Out Of Band - Unlock PBA feature
Use this feature to remotely unlock the PBA of Intel® AMT configured and provisioned client systems, so that they boot automatically and bypass PBA. This enables patching and security update deployment on unattended encrypted machines in your organization.
Before you begin
• You must have appropriate permissions to perform this task.
• Make sure that your client system meets the requirements for Intel® AMT out‑of‑band management. For more information about Intel® AMT configurations and settings, see the ePO Deep Command Product Guide.
This is a secure unlock: the client authenticates automatically through the server, in contrast to the insecure autoboot feature, which bypasses PBA without any authentication.
There are different ways of performing this action:
• Unlock a system or group temporarily for a specific number of reboots.
• Unlock a system or group temporarily for a specific time period.
• Unlock a system or group permanently with a schedule of specific hours during the week.
• Unlock a system or group permanently.
Each type of unlock can be configured in two ways:
• Enterprise network only (Client Initiated Local Access (CILA) only): automated authentication through PBA occurs only if the system is located inside the trusted enterprise network.
• Any network: automated authentication through PBA occurs whether the system is inside or outside the trusted enterprise network.
Prefer CILA‑only and count‑ or time‑limited unlocks for routine maintenance: a Permanent unlock on Any network means the system boots past PBA wherever it is, for as long as the action stays in the queue.
Task
1 Log on to the ePolicy Orchestrator server as a user who has been assigned valid EEPC permissions.
2 Click Menu | Systems | System Tree.
3 Select a system, then click Actions | Endpoint Encryption | Out Of Band ‑ Unlock PBA to open the Endpoint Encryption: Out Of Band ‑ Unlock PBA page.
4 Select the Client Initiated Local Access (CILA) only checkbox to restrict unlocks to the enterprise network.
If the Disable listening for CILA/CIRA messages on Agent Handlers option is enabled in the McAfee ePO Deep Command product (under Menu | Configuration | Server Settings | Edit Intel® AMT Credentials), CILA/CIRA and the EEPC unlock feature do not work.
5 In the Bypass pre‑boot authentication field, select one of these options:
• Number of times: Type a number from 1 to 32 to pass through PBA that many times without manual authentication.
• From ‑ Until: Specify the date and time range within which PBA is remotely unlocked. The default time standard on the McAfee ePO server is UTC.
• Schedule: Specify the days and hours of the week during which PBA is remotely unlocked. The unlock indicator means that unlocking of PBA is allowed and the lock indicator means that unlocking of PBA is prevented in that time period.
• Permanently: Remotely unlock the PBA of the client system every time the system is booted.
The next time a user restarts that client system, PBA appears but is bypassed automatically after a short period. The PBA page shows the machine name and ID, so that a user can give exact system details to the Helpdesk and the administrator can easily identify the system that requires the OOB action.
6 Click Save.
To enforce the configured out‑of‑band unlock PBA settings, you must enable Out‑of‑Band | Enable at PBA in the Product Settings Policy.
The selected action appears in the action queue under Queries & Reports | Shared Groups | Endpoint Encryption OOB | EE : OOB Action Queue | Run an Action. Actions are either Permanent or Transient. A Transient action disappears from the EE : OOB Action Queue page after it has been performed; a Permanent action remains.
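The four unlock types and the two network scopes above amount to a small decision the Pre‑Boot environment has to make at every boot, and the Permanent/Transient distinction in the action queue follows from it. The following Python is an added example, not EEPC's or EEDeep's code: the field names, the frozenset of (weekday, hour) pairs used for the weekly Schedule, and the treatment of naive times as UTC are assumptions; the unlock types, the 1 to 32 limit, the UTC default and the CILA‑only restriction come from the text above.

```python
import dataclasses
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple


def utc(*parts: int) -> datetime:
    """Build a timezone-aware UTC datetime (the McAfee ePO default time standard)."""
    return datetime(*parts, tzinfo=timezone.utc)


def _as_utc(moment: datetime) -> datetime:
    # Assumption for the example: a naive datetime is taken to be UTC already.
    if moment.tzinfo is None:
        return moment.replace(tzinfo=timezone.utc)
    return moment.astimezone(timezone.utc)


@dataclass(frozen=True)
class UnlockAction:
    kind: str                           # "count", "window", "schedule" or "permanent"
    cila_only: bool = False             # Enterprise network only (CILA only)
    remaining: int = 0                  # count: reboots left
    start: Optional[datetime] = None    # window: From
    end: Optional[datetime] = None      # window: Until
    hours: frozenset = frozenset()      # schedule: allowed (weekday, hour) pairs, Monday = 0

    @property
    def permanent(self) -> bool:
        """Permanent and weekly Schedule unlocks stay queued; count and window are Transient."""
        return self.kind in ("permanent", "schedule")


def new_count_unlock(times: int, cila_only: bool = False) -> UnlockAction:
    """Number of times: the console accepts 1 to 32 reboots."""
    if not 1 <= times <= 32:
        raise ValueError("Number of times must be between 1 and 32")
    return UnlockAction("count", cila_only=cila_only, remaining=times)


def evaluate_boot(action: UnlockAction, now: datetime,
                  on_enterprise_network: bool) -> Tuple[bool, Optional[UnlockAction]]:
    """Decide one boot: return (bypass_pba, action_left_in_queue).

    A second element of None means the Transient action was consumed or expired
    and would disappear from the EE : OOB Action Queue.
    """
    now = _as_utc(now)
    if action.cila_only and not on_enterprise_network:
        return False, action            # off the trusted network: PBA shown, action kept
    if action.kind == "permanent":
        return True, action
    if action.kind == "schedule":
        return (now.weekday(), now.hour) in action.hours, action
    if action.kind == "window":
        if now > _as_utc(action.end):
            return False, None          # expired: drops out of the queue
        return _as_utc(action.start) <= now, action
    if action.kind == "count":
        if action.remaining <= 0:
            return False, None
        left = action.remaining - 1
        return True, (dataclasses.replace(action, remaining=left) if left else None)
    raise ValueError(f"unknown unlock kind {action.kind!r}")


if __name__ == "__main__":
    # Constructed walk-through: two unattended reboots, enterprise network only.
    action: Optional[UnlockAction] = new_count_unlock(2, cila_only=True)
    boots = ((utc(2012, 6, 4, 2), False), (utc(2012, 6, 4, 3), True), (utc(2012, 6, 4, 4), True))
    for number, (when, on_net) in enumerate(boots, 1):
        bypass, action = evaluate_boot(action, when, on_net)
        print(f"boot {number}: on_net={on_net} bypass={bypass} queued={action is not None}")
        if action is None:
            break
```

The off‑network boot in the walk‑through neither bypasses PBA nor consumes a reboot, which is the behaviour a CILA‑only unlock should have: the count is spent only by boots that actually authenticated through the server.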
Configure the Out Of Band - User Management feature
Using McAfee ePO, you can remotely reset the password of a user of an encrypted system while it is in
the Pre‑Boot environment. The user is then able to log on through Pre‑Boot using their new password,
and is then forced to change their password immediately.
Before you begin
• You must have appropriate permissions to perform this task.
• Make sure that your client system meets the requirements for Intel® AMT out‑of‑band management. For more information about Intel® AMT configurations and settings, see the ePO Deep Command Product Guide.
Task
1 Log on to the ePolicy Orchestrator server as a user who has been assigned valid EEPC permissions.
2 Click Menu | Systems | System Tree.
3 Select the required system, then click Actions | Endpoint Encryption | Out Of Band ‑ User Management to open the OOB User Management page.
The Select action pane appears with the Reset user's password token option selected.
4 Click Next to open the Select user pane.
The Select user page lists only the users with password token data.
5 Select the required user and click Next.
You can select only one user at a time.
6 In the Configure pane, in the Password field, type a temporary password.
7 In the Confirm field, type the same temporary password.
When an administrator resets a user's password out of band, the administrator supplies a temporary password, which the user may have to type in PBA depending on policy. If the policy requires a default password, the user must type the temporary password before entering a new password. If the policy does not require a default password, the user does not type the temporary password and is instead prompted to set a new password immediately.
8 Click Save.
The selected action appears in the action queue under Queries & Reports | Shared Groups | Endpoint Encryption OOB | EE : OOB Action Queue | Run an Action. Actions are either Permanent or Transient. A Transient action disappears from the EE : OOB Action Queue page after it has been performed; a Permanent action remains.
Once the password has been reset, the user hears a beep to confirm the password change.
The next time the user restarts that client system, the user enters the temporary password created by the administrator in McAfee ePO and is then forced to choose a new password. The user provides the new password and completes user enrollment.
9 Configuring and managing tokens/readers
McAfee Endpoint Encryption supports different logon tokens, for example Passwords, Stored Value SmartCards, PKI SmartCards, CAC SmartCards, and Biometric tokens. This section describes how to configure the EEPC software to support these tokens.
Contents
Modify the token type associated with a system or group
How to use a Stored Value token in Endpoint Encryption for PC
How to use a PKI token in Endpoint Encryption
How to use a Self-Initializing token in Endpoint Encryption
Setup scenarios for the 'Read Username from Smartcard' feature
How to use a Biometric token in Endpoint Encryption for PC
Modify the token type associated with a system or group
You can create a new User‑Based Policy with the required token type and deploy it to a system or system group, or edit an existing policy and deploy that to a target system or system group.
Before you begin
These requirements are assumed in the following steps:
• The user is already created in Active Directory.
• EE is installed on at least the minimum supported McAfee ePO version.
• The server task EE LDAP Server User/Group Synchronization is scheduled and runs normally between McAfee ePO and Windows Active Directory.
User‑Based Policies are not available for EEMac; on Mac, token assignment is system‑based, not user‑based.
Task
1 Click Menu | Systems | System Tree to open the Systems page. Select a group in the System Tree pane on the left.
2 Select a system, then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 Select Endpoint Encryption 7.0.0 from the Product drop‑down list. The policy categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the User Based Policy category, then click Edit Assignments. The User Based Policies page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 From the Assigned policy drop‑down list, select the policy, then click Edit Policy. The Policy Settings page appears.
From this location, you can edit the selected policy, or create a new policy.
7 On the Authentication tab, from the Token type drop‑down list, select the required token type.
For SmartCards that conform to the PKI, PIV, or CAC standards, McAfee Endpoint Encryption uses the information in the public certificate store of the PKI smartcard to look up users and encrypts each user's unique Endpoint Encryption key with the public key in their certificate. This certificate must be configured when you select the PKI SmartCard token.
8 Click Save in the Policy Settings page, then click Save in the User Based Policies settings page.
9 Send an agent wake‑up call.
How to use a Stored Value token in Endpoint Encryption for PC
A Stored Value token, as supported in EEPC, stores some token data on the token itself. You have to initialize these tokens with EEPC before you can use them for authentication, so that the token contains the token data needed to authenticate the user.
When is the Stored Value token initialized and what initializes it
The Stored Value token is initialized the first time the user logs on to the Pre‑Boot environment or the
Windows authentication page. EEPC, primarily the Pre‑Boot environment, is responsible for initializing
the token. The initialization process does not require access to the Active Directory.
Associate a Stored Value token with a system or group
You can add a user or group to a system and associate a Stored Value token with that user(s). This
section explains how to use a Stored Value token with a single user.
Before you begin
You must have appropriate permissions to perform this task.
Task
1 Perform the steps in the Modify the token type associated with a system or group section to create or edit a User‑Based Policy with the Stored Value token type and deploy it to the required system or group.
2 In the Policy Settings page, on the Authentication tab, from the Token type drop‑down list, select the required token type, then click Save.
3 Click Save in the Policy Settings page, then click Save in the User Based Policies settings page.
4 Send an agent wake‑up call.
How to make Single-Sign-On (SSO) work
If you have selected SSO to be enforced in your policy, the initial boot does not capture the SSO credentials for this user. For the first boot sequence, the user has to authenticate twice, which allows EEPC to capture the relevant information. On subsequent boots, the user only has to authenticate in Pre‑Boot.
How to use a PKI token in Endpoint Encryption
A PKI token is a smartcard, supported in EE, for which the necessary certificate information for the user is found in a PKI store (such as Active Directory) and used to initialize the EE token data. You must initialize these tokens before they can be used to authenticate a user.
When is the PKI token initialized and what initializes it
The McAfee ePO extensions initialize the token using the relevant certificate information in Active Directory. This information is obtained through the Lightweight Directory Access Protocol (LDAP) synchronization task, which is created when EE is first installed into McAfee ePO, before users are assigned to systems.
The token data for the user is contained in the PBFS on the client. It can be successfully unlocked
when the user presents the appropriate smartcard (that matches the certificate information found in
Active Directory) and the correct PIN.
Associate a PKI token with a system or group
You can add a user or group to a system and associate a PKI token with that user(s). This section
explains how to use a PKI token with a single user.
Task
1 Perform the steps in the Modify the token type associated with a system or group section to create or edit a User‑Based Policy with the PKI token type and deploy it to the required system or group.
2 In the Policy Settings page, on the Authentication tab, from the Token type drop‑down list, select the required token type, then click Save.
3 Click Save in the Policy Settings page, then click Save in the User Based Policies settings page.
4 Send an agent wake‑up call.
For EEMac the Policy Assignment Rule selection criteria only uses System Properties, which allows
you to assign the rule to System(s) in a group. Because of this only a single token type can be
assigned to a Mac system at a time. As a result, all users on the Mac client need to use the same
token type.
How to make SSO work for EEPC
If you have selected SSO to be enforced in your policy, the initial boot does not capture the SSO
credentials for this user. For the first boot sequence, the user has to authenticate twice. This allows
EEPC to capture the relevant information. On subsequent boots, the user only has to authenticate in
Pre‑Boot.
How to use a Self-Initializing token in Endpoint Encryption
A Self‑Initializing token is a form of PKI token, but rather than referencing certificate information and
pre‑initializing the token data in McAfee ePO, the client sees the card and performs the necessary
initialization steps. Only the client initializes the token data. One of the assumptions for using a
Self‑Initializing token is that the necessary certificate information cannot be referenced in Active
Directory or any other supported Directory Service.
When is the Self‑Initializing token initialized and what initializes it
The token is initialized the first time the card is presented to EE, which happens in the Pre‑Boot
environment. Because the token is bound to whichever card is presented first, make sure the user
presents their own card at that first Pre‑Boot logon.
Associate a Self-Initializing token with a system or group
You can add a user or group to a system and associate a Self‑Initializing token with those users. This
section explains how to use a Self‑Initializing token with a single user.
Task
1 Perform the steps in the Modify the token type associated with a system or group section to create
or edit a User‑Based Policy with the Self‑Initializing token type and deploy it to the required system
or group.
2 In the Policy Settings page, in the Authentication tab, from the Token type drop‑down list, select the
required token type, then click Save.
3 Click Save in the Policy Settings page, then click Save in the User Based Policies settings page.
4 Send an agent wake‑up call.
For EEMac, the Policy Assignment Rule selection criteria use System Properties only, which lets you
assign the rule to systems in a group. Because of this, only a single token type can be assigned to a
Mac system at a time, so all users on the Mac client must use the same token type.
How to make SSO work for EEPC
If you have selected SSO to be enforced in your policy, the initial boot does not capture the SSO
credentials for this user. For the first boot sequence, the user has to authenticate twice. This allows
EEPC to capture the relevant information. On subsequent boots, the user only has to authenticate in
Pre‑Boot.
Setup scenarios for the 'Read Username from Smartcard'
feature
You can set up your environment using the EE feature Read Username from Smartcard, which reads the
Pre‑Boot username from a field of the certificate on the user's smartcard instead of requiring the user
to type it.
Before you begin
• Make sure that you have enabled the Read Username from Smartcard option under Product Settings | My
Default | Log On.
• Make sure you have scheduled and run the EE LDAP Sync.
These scenarios are provided to help you with the setup:
• Set up using the Subject field
• Set up using the Subject Alternative Name ‑ Other Name field
Before you set up your environment, note where the two settings that these scenarios depend on are
found in McAfee ePO.
Find the Read Username from Smartcard feature in McAfee ePO
1 Click Menu | Policy | Policy Catalog.
2 In the Product Settings category, click My Default, and click the Log On tab.
Find the LDAP Sync Task User Name attribute field in McAfee ePO
1 Click Menu | Automation | Server Tasks.
2 Select the server task name you created for your LDAP Sync Task.
3 Under Actions, click Edit.
4 On the Server Task Builder screen, click Actions.
Set up using the Subject field
This example shows how to set up your environment using the Subject field.
• The user has a token that supports the Read Username from Smartcard feature.
• The user wants to log on as User1, which is the EEPC username.
• The username that the user wants to log on as (User1) resides in the Subject field of the
certificate (for example: CN=User1,DC=DomainComponent,DC=com).
• Therefore, under the McAfee ePO Logon Product Settings, select Subject as the certificate field that
contains the username.
• Because the whole certificate field must match, deselect Match certificate username field up to the @ sign.
• Check the EE LDAP Sync Task User Name attribute field in McAfee ePO. In this situation,
distinguishedname is the correct attribute to use because it contains exactly the same information as
the certificate Subject field, so a valid comparison can be made.
• Finally, run the EE LDAP Sync Task, and synchronize the product policy onto the system on which you
want to use the Poll Card feature.
Because the distinguishedname LDAP attribute is now the EEPC username, if the user ever has to log on
manually at the Pre‑Boot Authentication stage, they have to type the full distinguished name into the
User name field (for example, CN=User1,DC=DomainComponent,DC=com).
Set up using the Subject Alternative Name - Other Name field
This example shows how to set up your environment using the Subject Alternative Name ‑ Other
Name field.
• The user has a token that supports the Read Username from Smartcard feature.
• The user wants to log on as User2, which is the EEPC username.
• The user wants to poll the Subject Alternative Name ‑ Other Name field of the certificate. The
username that the user wants to log on as (User2) resides in the Subject Alternative Name ‑ Other
Name field of the certificate (for example, Other Name: Principal Name=User2@domain.com).
• Under the McAfee ePO Logon Product Settings, select Subject Alternative Name ‑ Other Name as the
certificate field that contains the username.
• Because only the username part of the certificate field must match, and not the whole field, select
Match certificate username field up to the @ sign.
• Check the EE LDAP Sync Task User Name attribute field in McAfee ePO. In this situation, the default
samaccountname is the correct attribute to use because it contains the EEPC username User2, which
the user normally logs on with, and this value is found in the certificate Subject Alternative Name ‑
Other Name field (before the @ sign).
• Finally, run the EE LDAP Sync Task, and synchronize the product policy onto the system on which you
want to use the Poll Card feature.
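The two scenarios above come down to one comparison: the value EE reads from the chosen certificate field (cut at the @ sign or not) must equal the LDAP attribute that the EE LDAP Sync Task copies into the EEPC username. The following Python script is an added example, not part of this guide or of the product: it models that comparison so you can check a batch of certificates against a directory export before switching the feature on. The certificate contents, directory records and field names are constructed, and the helper names (rdn_parts, username_from_cert, find_ldap_user, check_mapping) are the example's own. The guide does not say how EE compares the two strings; the example compares distinguished names structurally and other values case-insensitively, as Active Directory does, which is an assumption. A pair the script reports as not matching will certainly fail at Pre-Boot; a match is necessary but not proof.

```python
"""Pre-flight check for the 'Read Username from Smartcard' mapping.

Added example, not from the McAfee guide.  Certificates are represented by
the two fields EE can read (Subject, SAN Other Name); directory records by
the attributes the EE LDAP Sync Task can use as the user name.  All data
below is constructed, and the comparison rules are assumptions (see the
lead-in).
"""
import re


def rdn_parts(dn):
    """Split a DN on unescaped commas and normalise each RDN so that
    'cn=User1, dc=Example' compares equal to 'CN=user1,DC=example'
    (attribute type upper-cased, value case-folded, padding removed)."""
    parts = re.split(r'(?<!\\),', dn)
    out = []
    for part in parts:
        if '=' not in part:
            raise ValueError('malformed RDN: %r' % part)
        attr_type, value = part.split('=', 1)
        out.append((attr_type.strip().upper(), value.strip().casefold()))
    return tuple(out)


def username_from_cert(cert, field, match_up_to_at):
    """Return the Pre-Boot username EE would read from the card.

    field            'subject' or 'san_other_name' (the Logon Product Setting)
    match_up_to_at   the 'Match certificate username field up to the @ sign' box
    Returns None when the card does not carry the configured field.
    """
    value = cert.get(field)
    if not value:
        return None
    if match_up_to_at:
        value = value.split('@', 1)[0]
    return value


def find_ldap_user(username, ldap_users, attr):
    """Return the synced record whose `attr` equals the username read from
    the card.  distinguishedname is compared structurally (assumption),
    every other attribute case-insensitively as AD treats names."""
    for user in ldap_users:
        candidate = user.get(attr)
        if candidate is None:
            continue
        if attr == 'distinguishedname':
            if rdn_parts(candidate) == rdn_parts(username):
                return user
        elif candidate.casefold() == username.casefold():
            return user
    return None


def check_mapping(cert, ldap_users, field, match_up_to_at, attr):
    """One card under one configuration: (username read, matched record or None)."""
    username = username_from_cert(cert, field, match_up_to_at)
    if username is None:
        return None, None
    return username, find_ldap_user(username, ldap_users, attr)


# Constructed cards and directory records mirroring the two scenarios above.
CERT_USER1 = {'subject': 'CN=User1,DC=DomainComponent,DC=com'}
CERT_USER2 = {'subject': 'CN=User2,OU=Staff,DC=domain,DC=com',
              'san_other_name': 'User2@domain.com'}
LDAP_USERS = [
    {'samaccountname': 'User1', 'distinguishedname': 'CN=User1,DC=DomainComponent,DC=com'},
    {'samaccountname': 'User2', 'distinguishedname': 'CN=User2,OU=Staff,DC=domain,DC=com'},
]

if __name__ == '__main__':
    # Scenario 1: Subject field, whole value, distinguishedname attribute.
    print(check_mapping(CERT_USER1, LDAP_USERS, 'subject', False, 'distinguishedname'))
    # Scenario 2: SAN Other Name, cut at '@', samaccountname attribute.
    print(check_mapping(CERT_USER2, LDAP_USERS, 'san_other_name', True, 'samaccountname'))
    # Misconfiguration: a whole DN can never equal a samaccountname.
    print(check_mapping(CERT_USER1, LDAP_USERS, 'subject', False, 'samaccountname'))
```

Feed it the values taken from the real certificates and from the attributes the sync task populates, one card at a time; any card that yields None for the username does not carry the field you configured, and any username with no matching record is a user who will be forced to type their name manually at Pre-Boot (the full distinguished name, in the Subject scenario).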
How to use a Biometric token in Endpoint Encryption for PC
A Biometric token allows fingerprints to authenticate to EEPC instead of passwords. Currently, EEPC 7.0
supports two Biometric fingerprint readers in specific laptop models.
These Biometric readers are manufactured by UPEK and Validity. For more information about
supported laptops, see the Endpoint Encryption 7.0 supported readers KnowledgeBase article.
Biometric tokens are supported in single‑user mode only: the user has to enroll on each system on
which they want to use fingerprints, because the fingerprint template is not distributed across
systems.
How to use a UPEK Biometric token in Endpoint Encryption for
PC
To use the UPEK Biometric token, you first enable it in McAfee ePO by creating a User‑Based Policy
and synchronizing it with the client systems.
On the client system, you then install the Protector Suite 2011 software and configure it to use your
fingerprints to authenticate to EEPC.
Enable the UPEK Biometric token in McAfee ePO
You first enable the UPEK Biometric token by creating a User‑Based Policy in McAfee ePO and then
synchronizing it with the client systems.
Before you begin
You must have appropriate permissions to perform this task.
If you set the token type to UPEK Fingerprint Reader for a user who has an active password (that is,
the user has already logged on and changed the default password), that user's EEPC logon password is
reset to the system default password, which is "12345" unless it has been modified. Because this
default is published, treat it as known to anyone and change it in your policy before relying on it.
Task
1 Perform the steps in the Modify the token type associated with a system or group section to create
or edit a User‑Based Policy with the Biometric token type and deploy it to the required system or group.
2 In the Policy Settings page, in the Authentication tab, from the Token type drop‑down list, select Upek
Fingerprint Reader, then click Save.
3 Click Save in the Policy Settings page, then click Save in the User‑Based Policies settings page.
4 Send an agent wake‑up call.
Set up the client system and enroll your fingerprints
Set up your client system by first installing the Protector Suite 2011 software and then enrolling your
fingerprints so that you can authenticate to EEPC without a password.
The Protector Suite 2011 software is available at http://support.authentec.com/Downloads.aspx.
Currently, Protector Suite (common) is supported.
Task
1 Run the Protector Suite 2011 setup on the client system.
2 Run through the Protector Suite 2011 Setup wizard, selecting the default settings.
The Protector Suite 2011 software is installed.
3 Click Yes to restart your system when the restart notification appears.
After you authenticate to EEPC (with your password) and to Windows, click the Protector Suite 2011
icon in the System Tray.
4 In the End User Agreement screen, click Accept. The Enrollment Mode Selection screen appears.
5 Verify that you have selected the Enrollment to the biometric device option, then click Apply.
6 Close Protector Suite and restart your system.
7 When the EEPC logon screen appears, type the Username you have assigned to the UPEK token type,
and click Next.
8 Enter the default password 12345, and click Logon. After Windows boots, the Fingerprint Reader Registration
window appears.
9 Click Register to open the User Fingerprint Enrollment page.
10 Uncheck Run interactive tutorial and click Next.
11 Click Skip Tutorial to open the Enrollment screen.
12 Select the square that corresponds to the finger you want to enroll, then click Next.
13 Scan that finger to register your fingerprint.
Keep scanning until the progress bar reaches 100%.
14 Click No when the message Do you want to enable power‑on fingerprint security? appears, then click OK.
The Enrollment screen for the user's fingers appears.
15 Repeat steps 12 and 13 to scan your second finger.
After a few moments (10‑15 seconds), a pop‑up saying "You've successfully enrolled" appears.
16 Click Next to open the Finish screen.
17 Click Finish.
The fingerprint reader registration is complete.
You can now use fingerprints to authenticate to EEPC instead of passwords.
You can use the Protector Suite 2011 software to customize the default settings. If you delete all of
the user's fingerprints from the reader using the Protector Suite 2011 software, the authentication
data is lost and the user will not be able to log on at PBA.
How to use a Validity Biometric token in Endpoint Encryption
for PC
To use the Validity Biometric token, you first enable it in McAfee ePO by creating a User‑Based
Policy and synchronizing it with the client systems. To do this, perform the steps in the Enable the
UPEK Biometric token in McAfee ePO section.
Task
1 Log on to the client system's PBA by entering the system's default password, then log on to
Windows to open the Fingerprint Reader Registration.
2 Click Register to open the User Fingerprint Enrollment page.
3 Select the button for the required finger.
4 Scan that finger to register your fingerprint.
Keep scanning until the progress bar is complete.
5 Click OK when the dialog box opens with the message Congratulations, your fingerprints have been registered
with Endpoint Encryption.
The fingerprint reader registration is complete.
You can now use fingerprints to authenticate to EEPC instead of passwords.
10
Managing EE reports
McAfee Endpoint Encryption queries are configurable objects that retrieve and display data from the
database. These queries can be displayed in charts and tables.
Any query results can be exported to a variety of formats, any of which can be downloaded or sent as
an attachment to an email message. Most queries can be used as dashboard monitors.
This information is applicable to both EEPC and EEMac.
Contents
Queries as dashboard monitors
Create EE custom queries
View the standard EE reports
Endpoint Encryption client events
Create the EE dashboard
View the EE dashboard
Report the encrypted and decrypted systems
Queries as dashboard monitors
Most queries can be used as a dashboard monitor (except those using a table to display the initial
results). Dashboard monitors are refreshed automatically on a user‑configured interval (five minutes
by default).
Exported results
McAfee Endpoint Encryption query results can be exported to four different formats. Exported results
are historical data and are not refreshed like other monitors when used as dashboard monitors. Like
query results and query‑based monitors displayed in the console, you can drill down into the HTML
exports for more detailed information.
Reports are available in several formats:
• CSV — Use the data in a spreadsheet application (for example, Microsoft Excel).
• XML — Transform the data for other purposes.
• HTML — View the exported results as a web page.
• PDF — Print the results.
Create EE custom queries
You can create queries that retrieve and display the details like disk status, users, encryption provider,
and product client events for Endpoint Encryption. With this wizard you can configure which data is
retrieved and displayed, and how it is displayed.
Before you begin
You must have appropriate permissions to perform this task.
Task
1 Click Menu | Reporting | Queries & Reports, then click Actions | New. The Query Builder wizard opens.
2 On the Result Type page, select Endpoint Encryption, then select the Result Type for the query, and click
Next. The Chart page appears.
This choice determines the options available on subsequent pages of the wizard.
3 Select the type of chart or table to display the primary results of the query, then click Next. The
Columns page appears.
If you select Boolean Pie Chart, you must configure the criteria to include in the query.
4 Select the columns to be included in the query, then click Next. The Filter page appears.
If you selected Table on the Chart page, the columns you select here are the columns of that table.
Otherwise, these are the columns that make up the query details table.
5 Select properties to narrow the search results, then click Run. The Unsaved Query page displays the
results of the query, which are actionable, so you can take any available actions on items in any
tables or drill‑down tables.
Selected properties appear in the content pane with operators that can specify criteria used to
narrow the data that is returned for that property.
6 Do one of the following:
• If the query did not return the expected results, click Edit Query to go back to the Query Builder
and edit the details of this query.
• If you do not need to save the query, click Close.
• If this is a query you want to use again, click Save and continue to the next step.
7 On the Save Query page, type a name for the query, add any notes, and select one of the following:
• New Group — Type the new group name and select either Private group (My Groups) or Public group
(Shared Groups).
• Existing Group — Select the group from the list of Shared Groups.
Click Save.
View the standard EE reports
Run and view the standard Endpoint Encryption reports from the Queries page.
Before you begin
You must have appropriate permissions to perform this task.
Task
1 Click Menu | Reporting | Queries & Reports to open the Query page.
2 Select Endpoint Encryption from Shared Groups in the Groups pane to open the standard EE query list.
To open EE: Out‑of‑band action queue, select Endpoint Encryption Out‑of‑band from Shared Groups in the
Groups pane.
Query | Description
EE: Disk Status | Displays the status of the disk. If a disk has a volume that is not assigned, the disk status in queries is displayed as partially encrypted, even though all assigned volumes are shown as encrypted.
EE: Disk Status (Rollup) | Displays the EE: Disk Status compiled from several ePolicy Orchestrator servers. EEPC 7.0 supports both Full and Incremental rollup reports. For details on how to create rollup reports, see the product documentation for your version of McAfee ePO.
EE: Encryption Provider | Displays which encryption provider is active on each system.
EE: Installed Version | Displays the version of Endpoint Encryption installed on each system.
EE: Installed Version (Rollup) | Displays the EE: Installed Version details compiled from several ePolicy Orchestrator servers. EEPC 7.0 supports both Full and Incremental rollup reports. For details on how to create rollup reports, see the product documentation for your version of McAfee ePO.
EE: Migration Log (Windows only) | Displays the log details and the results of the v5.x.x user import.
EE: Migration Lookup (Windows only) | Displays the details of the assignments of user groups, machines, and users.
EE: Product Client Events | Displays Endpoint Encryption client events.
EE: Users | Lists all Endpoint Encryption users. From here, you can use the following options to manage the users in the selected system:
  • Clear SSO details — Clears the SSO details of the selected user (Windows only).
  • Configure UBP enforcement — Allows a user to use a non‑default User Based Policy.
  • Force user to change password — Prompts the user to change the password at the next EE authentication.
  • Reset Token — Resets the token associated with the selected user.
  • Reset self‑recovery — Resets the client user's self‑recovery details, after which the user has to enroll again with new self‑recovery answers.
  • User Information — Maintains the user information with a list of questions and answers.
EE: V5 Audit (Windows only) | Displays the audit logs imported from v5.x.x. If you selected only the audit option during the export process, only the audit log is displayed.
EE: Volume Status | Displays the encryption status of the disk volumes. For self‑encrypting (Opal) drives, EE: Volume Status appears blank because such drives do not allow volume‑level encryption.
EE: Volume Status (Rollup) | Displays the EE: Volume Status compiled from several ePolicy Orchestrator servers. EEPC 7.0 supports both Full and Incremental rollup reports. For details on how to create rollup reports, see the product documentation for your version of McAfee ePO.
EE: Out‑of‑band action queue | Displays the Endpoint Encryption out‑of‑band action queue details.
3 Select a query from the Queries list.
4 Click Actions | Run. The query results appear. Drill down into the report and take actions on items as
necessary. Available actions depend on the permissions of the user.
You also have the option to edit the query and to view its details.
5 Click Close when finished.
Endpoint Encryption client events
While implementing and enforcing the Endpoint Encryption policies that control how sensitive data is
encrypted, administrators can monitor real‑time client events and generate reports using the EE:
Product Client Events query. The events and their IDs are listed below.
Event ID | Event | Event Description
30000 | Logon Event | This event is reported in McAfee ePO whenever a Pre‑Boot logon occurs.
30001 | Password Changed Event | This event is reported in McAfee ePO whenever the user changes the EE password.
30002 | Password Invalidated Event | This event is reported in McAfee ePO whenever the EE password is invalidated after a fixed number of unsuccessful logon attempts.
30003 | Token Initialization Event | This event is reported in McAfee ePO when the user changes the default password during the first Pre‑Boot logon.
30004 | System Boot Event | This event is reported in McAfee ePO whenever the system restarts after EE becomes active.
30005 | Administrator Recovery Event | This event is reported in McAfee ePO for every successful Administrator Recovery.
30006 | Self‑recovery Event | This event is reported in McAfee ePO for every successful Self‑recovery.
30007 | Self‑recovery Invalidated Event | This event is reported in McAfee ePO whenever Self‑recovery is invalidated after a fixed number of unsuccessful attempts.
30008 | Crypt Start Event | This event is reported in McAfee ePO when encryption starts on the client system.
30009 | Crypt Paused Event | This event is reported in McAfee ePO when encryption pauses on the client system.
30010 | Crypt Complete Event | This event is reported in McAfee ePO when encryption finishes on the client system.
30011 | Crypt Volume Start Event | This event is reported in McAfee ePO when encryption or decryption of the specified volume starts.
30012 | Crypt Volume Complete Event | This event is reported in McAfee ePO when encryption or decryption of the specified volume is completed.
30013 | Policy Change Start Event | This event is reported in McAfee ePO when a policy change is initiated.
30014 | Policy Change Complete Event | This event is reported in McAfee ePO when the policy change is completed.
30015 | Activation Start Event | This event is reported in McAfee ePO when EE activation starts on the client system.
30016 | Activation Complete Event | This event is reported in McAfee ePO when EE activation is completed on the client system.
30017 | General Exception Event | This event is reported in McAfee ePO whenever an exception occurs on the client system.
30018 | Emergency Recovery Start | This event is reported in McAfee ePO whenever Emergency Recovery is initiated.
30019 | Emergency Recovery Complete | This event is reported in McAfee ePO whenever Emergency Recovery is completed.
30020 | Upgrade Start | This event is reported in McAfee ePO whenever the upgrade process is initiated.
30021 | Upgrade Complete | This event is reported in McAfee ePO whenever the upgrade process is complete.
30022 | User Update Error | This event is reported in McAfee ePO whenever a user update error occurs.
30026 | Encryption Key Not Available | This event is reported in McAfee ePO whenever the encryption key is not available.
30027 | Provider Not Installed: 32‑bit EFI unsupported | This event is reported in McAfee ePO when the provider is not installed on a Mac with 32‑bit EFI.
30028 | Provider Not Installed: Mac platform unsupported | This event is reported in McAfee ePO when the provider is not installed on an unsupported Mac platform.
30029 | Provider Not Installed: Mac OS X version unsupported | This event is reported in McAfee ePO when the provider is not installed on an unsupported Mac OS X version.
30031 | Automatic Booting Activated | This event is reported in McAfee ePO when automatic booting is activated.
30032 | System Automatically Booted | This event is reported in McAfee ePO when the system is booted automatically.
30033 | Automatic Booting Deactivated | This event is reported in McAfee ePO when automatic booting is deactivated.
30034 | User Expired | This event is reported in McAfee ePO when the user account has expired.
30035 | Provider Not Installed | This event is reported in McAfee ePO when the encryption provider is not installed.
30036 | Endpoint Encryption ‑ Activation Failure: Boot Disk Not Supported | This event is reported in McAfee ePO when the activation of Endpoint Encryption fails because the boot disk is unsupported.
30037 | Endpoint Encryption ‑ Activation Failure: Unsupported Algorithm | This event is reported in McAfee ePO when the activation of Endpoint Encryption fails because the algorithm is unsupported.
30038 | Endpoint Encryption ‑ Activation Failure: Boot Disk is not GPT | This event is reported in McAfee ePO when the activation of Endpoint Encryption fails because the boot disk is not GPT.
30039 | Endpoint Encryption ‑ Activation Failure: Can't Find ESP Partition | This event is reported in McAfee ePO when the activation of Endpoint Encryption fails because the ESP partition is not found.
30040 | Endpoint Encryption ‑ Activation Failure: Mounting ESP Failed | This event is reported in McAfee ePO when the activation of Endpoint Encryption fails because mounting the ESP partition failed.
30041 | Endpoint Encryption ‑ Activation Failure: Failed to Shrink OS Partition | This event is reported in McAfee ePO when the activation of Endpoint Encryption fails because shrinking the OS partition failed.
30042 | Endpoint Encryption ‑ Activation Failure: Failed to create EPE partition on boot disk | This event is reported in McAfee ePO when the activation of Endpoint Encryption fails because creating an EPE partition on the boot disk failed.
30043 | Endpoint Encryption ‑ Activation Failure: Could not find Boot Disk | This event is reported in McAfee ePO when the activation of Endpoint Encryption fails because the boot disk is not found.
30044 | Recovered From Audit Log Corruption | This event is reported in McAfee ePO when the client has recovered from audit log corruption.
30045 | Activation Failure | This event is reported in McAfee ePO when Endpoint Encryption activation fails.
30046 | Deactivation Event | This event is reported in McAfee ePO when Endpoint Encryption is deactivated on the client system.
30050 | Endpoint Encryption ‑ Out of band: Unlock PBA | This event is reported in McAfee ePO when the Out Of Band ‑ Unlock PBA feature is enabled.
30051 | Endpoint Encryption ‑ Out of band: Reset User Password | This event is reported in McAfee ePO when the Out Of Band ‑ Reset User Password feature is enabled.
30060 | Pre‑Boot Smart Check: System has started to deactivate after failing tests | This event is reported when Pre‑Boot Smart Check starts to deactivate the machine after failing its tests.
30061 | Pre‑Boot Smart Check: System has completed deactivating after failing tests | This event is reported when Pre‑Boot Smart Check completes deactivation after failing its tests.
2411 | Deployment Successful | This event is reported in McAfee ePO for every successful EEPC or EEMac deployment.
2412 | Deployment Failure | This event is reported in McAfee ePO for every deployment failure of EEPC or EEMac.
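Most of the events in the table are housekeeping, but a handful tell you that the Pre-Boot protection on a disk was switched off, bypassed or recovered around, or that a disk never became encrypted at all. The following Python script is an added example, not part of this guide or of the product: it reads rows in the shape of a CSV export of the EE: Product Client Events query and raises a finding for those IDs. The event IDs and names come from the table above; the column names, the sample rows and the severity assignments are constructed by the example's author.

```python
"""Triage of Endpoint Encryption client events from a CSV export.

Added example, not from the McAfee guide.  Event IDs are those in the table
above; the export columns, the rows and the severities are constructed.
"""
import csv
import io
from collections import defaultdict

# Grouped by what the event says about the disk's protection (author's grouping).
LOCKOUT_EVENTS = {30002: 'Password Invalidated', 30007: 'Self-recovery Invalidated'}
RECOVERY_EVENTS = {30005: 'Administrator Recovery', 30006: 'Self-recovery',
                   30018: 'Emergency Recovery Start', 30019: 'Emergency Recovery Complete',
                   30050: 'Out of band: Unlock PBA', 30051: 'Out of band: Reset User Password'}
PBA_WEAKENED_EVENTS = {30031: 'Automatic Booting Activated',
                       30032: 'System Automatically Booted',
                       30046: 'Deactivation Event',
                       30060: 'Pre-Boot Smart Check started deactivating the system',
                       30061: 'Pre-Boot Smart Check finished deactivating the system'}
ACTIVATION_FAILURES = {30026, 30035, 30036, 30037, 30038, 30039, 30040, 30041, 30042, 30043, 30045}

# Constructed rows in the shape of a CSV export of the EE: Product Client Events query.
SAMPLE_EXPORT = """\
Event Received Time,System Name,User Name,Event ID,Event Description
2012-06-01T08:00:00,LAPTOP-01,alice,30000,Logon Event
2012-06-01T08:00:05,LAPTOP-01,alice,30004,System Boot Event
2012-06-01T08:03:00,LAPTOP-02,bob,30002,Password Invalidated Event
2012-06-01T08:04:00,LAPTOP-02,bob,30007,Self-recovery Invalidated Event
2012-06-01T08:05:00,LAPTOP-02,,30005,Administrator Recovery Event
2012-06-01T09:00:00,LAPTOP-03,carol,30031,Automatic Booting Activated
2012-06-01T09:01:00,LAPTOP-03,carol,30032,System Automatically Booted
2012-06-01T09:30:00,LAPTOP-04,,30038,Endpoint Encryption - Activation Failure: Boot Disk is not GPT
2012-06-01T09:31:00,LAPTOP-04,,30045,Activation Failure
2012-06-01T10:00:00,LAPTOP-05,dave,30046,Deactivation Event
"""


def parse_events(text):
    """Parse the export; 'Event ID' becomes an int so it can be looked up above."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row['Event ID'] = int(row['Event ID'])
        rows.append(row)
    return rows


def triage(events):
    """Return findings as (severity, system, message) tuples.

    high:   Pre-Boot protection was switched off or bypassed on the system.
    medium: a lockout was followed by a recovery on the same system (someone
            got in through a path other than the user's password), or
            activation failed and the disk is therefore still in the clear.
    """
    findings = []
    by_system = defaultdict(list)
    for ev in events:
        by_system[ev['System Name']].append(ev)
    for system, evs in by_system.items():
        evs.sort(key=lambda e: e['Event Received Time'])  # ISO timestamps sort as text
        ids = [e['Event ID'] for e in evs]
        for event_id in ids:
            if event_id in PBA_WEAKENED_EVENTS:
                findings.append(('high', system, PBA_WEAKENED_EVENTS[event_id]))
        first_lockout = next((n for n, e in enumerate(ids) if e in LOCKOUT_EVENTS), None)
        if first_lockout is not None:
            later = [RECOVERY_EVENTS[e] for e in ids[first_lockout + 1:] if e in RECOVERY_EVENTS]
            if later:
                findings.append(('medium', system, '%s followed by %s' % (
                    LOCKOUT_EVENTS[ids[first_lockout]], ', '.join(later))))
        if any(e in ACTIVATION_FAILURES for e in ids):
            findings.append(('medium', system, 'activation failed; disk is not encrypted'))
    return findings


def severity_counts(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 2}."""
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == '__main__':
    for severity, system, message in triage(parse_events(SAMPLE_EXPORT)):
        print('%-6s %-10s %s' % (severity, system, message))
```

The sort by receipt time matters: a recovery that precedes the lockout is the ordinary sequence of a forgotten password and an administrator helping, whereas a lockout followed by a recovery is the pattern you want a person to look at. Automatic booting (30031, 30032) deserves its own attention because, while it is active, the disk is unlocked without anyone authenticating at Pre-Boot.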
Create the EE dashboard
Dashboards are collections of user‑selected and configured monitors that provide current data about
your environment. You can create your own dashboards from query results or use the ePolicy
Orchestrator default dashboards.
Before you begin
You must have appropriate permissions to perform this task.
Task
1 Click Menu | Reporting | Dashboards, then click Options | Manage Dashboards. The Manage Dashboards page
appears.
2 Click New Dashboard.
3 Type a name.
4 For each monitor, click New Monitor, select the monitor to display in the dashboard from the Endpoint
Encryption shared group, then click OK.
5 Click Save.
6 Optionally, make this dashboard public by editing the dashboard and choosing PUBLIC.
All new dashboards are saved to the private My Dashboards category.
View the EE dashboard
You can select and configure monitors that provide current data about your data protection status and
other parts of your environment, and make them part of your active set of dashboards.
Task
1 Click Menu | Reporting | Dashboards, then select a Private dashboard.
2 Open the Endpoint Encryption queries to view the selected dashboard.
Report the encrypted and decrypted systems
Determine the encryption status of any managed client system. The disk and volume status values, such
as Encrypted and Decrypted, indicate the client system's encryption and decryption status.
Task
1 Click Menu | Reporting | Queries & Reports to open the Query page.
2 Click Shared Groups | Endpoint Encryption in the Groups pane.
Edit the EE: Disk Status and EE: Volume Status queries to display the system details in table format.
This gives you a simplified view of the systems and their encryption status. Make sure to include the
State (Disk) and State (Volume) columns respectively in the table.
3 Click Run on EE: Disk Status and EE: Volume Status in the Queries list. The EE: Disk Status and EE: Volume
Status pages appear with the list of client systems and the details configured in the query. The State
(Disk) and State (Volume) columns indicate the system's status as Encrypted or Decrypted.
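Read together, the two queries answer the question that the note under EE: Disk Status raises: is a disk partially encrypted because encryption of its assigned volumes is still running, or because one of its volumes was never assigned and so will never be encrypted? The following Python script is an added example, not part of this guide or of the product: it reconciles constructed CSV exports of the two table-format queries and gives each system one verdict. Only the State (Disk) and State (Volume) column names come from the procedure above; the other columns (including Assigned), the state strings, the rows and the verdict names are the example's own.

```python
"""Reconcile EE: Disk Status and EE: Volume Status exports per system.

Added example, not from the McAfee guide.  Only the two State columns are
named in the guide; everything else here is constructed sample data.
"""
import csv
import io
from collections import defaultdict

DISK_STATUS_EXPORT = """\
System Name,Disk,State (Disk)
LAPTOP-01,Disk 0,Encrypted
LAPTOP-02,Disk 0,Partially Encrypted
LAPTOP-03,Disk 0,Partially Encrypted
LAPTOP-04,Disk 0,Decrypted
LAPTOP-05,Disk 0,Encrypted
"""

# LAPTOP-05 has no volume rows on purpose: for an Opal self-encrypting drive
# EE: Volume Status is blank and the disk state is the only evidence.
VOLUME_STATUS_EXPORT = """\
System Name,Disk,Volume,Assigned,State (Volume)
LAPTOP-01,Disk 0,C:,Yes,Encrypted
LAPTOP-02,Disk 0,C:,Yes,Encrypted
LAPTOP-02,Disk 0,D:,No,Decrypted
LAPTOP-03,Disk 0,C:,Yes,Encrypted
LAPTOP-03,Disk 0,D:,Yes,Decrypted
LAPTOP-04,Disk 0,C:,Yes,Decrypted
"""


def load(text):
    """Parse one exported query into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def classify_systems(disk_csv, volume_csv):
    """Return {system: verdict} with verdict one of
    'encrypted', 'decrypted', 'assignment gap', 'encryption incomplete',
    'inconsistent' (the two exports disagree; re-run them)."""
    volumes = defaultdict(list)
    for row in load(volume_csv):
        volumes[row['System Name']].append(row)
    verdicts = {}
    for row in load(disk_csv):
        system = row['System Name']
        state = row['State (Disk)'].strip().lower()
        vols = volumes.get(system, [])
        assigned = [v for v in vols if v['Assigned'] == 'Yes']
        unassigned = [v for v in vols if v['Assigned'] != 'Yes']
        # all([]) is True, so a disk with no volume rows (Opal) rests on the disk state alone.
        assigned_ok = all(v['State (Volume)'].strip().lower() == 'encrypted' for v in assigned)
        if state == 'encrypted':
            verdicts[system] = 'encrypted' if assigned_ok else 'inconsistent'
        elif state == 'decrypted':
            verdicts[system] = 'decrypted'
        elif state == 'partially encrypted':
            if assigned_ok and unassigned:
                # Every volume the policy covers is done; the gap is a policy assignment, not progress.
                verdicts[system] = 'assignment gap'
            elif not assigned_ok:
                verdicts[system] = 'encryption incomplete'
            else:
                verdicts[system] = 'inconsistent'
        else:
            verdicts[system] = 'inconsistent'
    return verdicts


def noncompliant(verdicts):
    """Systems whose boot disk is not fully encrypted, sorted by name."""
    return sorted(s for s, v in verdicts.items() if v != 'encrypted')


if __name__ == '__main__':
    result = classify_systems(DISK_STATUS_EXPORT, VOLUME_STATUS_EXPORT)
    for system, verdict in sorted(result.items()):
        print('%-10s %s' % (system, verdict))
    print('non-compliant:', noncompliant(result))
```

An 'assignment gap' is fixed in policy (assign the volume), whereas 'encryption incomplete' is either a client still working through its disk or one that has paused (event 30009 in the client events table); the two need different follow-up, which is why the script keeps them apart.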
11
Recovering users and systems
Resetting a remote user’s password or replacing the user's logon token if it has been lost requires a
challenge and response procedure.
This information is applicable to both EEPC and EEMac.
Contents
Enable or disable the self-recovery functionality
Perform the self-recovery on the client computer
Enable or disable the administrator recovery functionality
Perform administrator recovery on the client computer
Generate the response code for the administrator recovery
End user self-recovery in Mac systems
Enable or disable the self-recovery functionality
The Self‑recovery option allows the user to reset a forgotten password by answering a set of security
questions. A list of security questions is set by the administrator using McAfee ePO. If the answers
from the user match what has been stored with their self‑recovery information, they can proceed
through the recovery process.
Use McAfee ePO to enable or disable the self‑recovery functionality in the client computer.
Task
1
Click Menu | Systems | System Tree, then select a group under System Tree.
2
Select a System(s), then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page
for that system appears.
3
From the Product drop‑down list, select Endpoint Encryption 7.0.0. The policy Categories under Endpoint
Encryption appears with the system's assigned policy.
4
Locate a User Based Policies policy category, then click Edit Assignments. The User Based Policies page
appears.
5
If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6
Select a policy from the Assigned policy drop‑down list, then click Edit Policy. The Policy Settings page
appears.
From this location, you can edit the selected policy, or create a new policy.
7
On the Self‑recovery tab, select or deselect Enable Self‑recovery to enable or disable the self‑recovery
functionality to the specified user or user group.
8
Select Invalidate self‑recovery after no. of attempts and type the number of attempts.
The self‑recovery token is invalidated if the user types wrong answers more times than the
number of attempts specified in the policy.
9
Type the number of Questions to be answered to perform the self‑recovery. The client user will be
prompted with these questions while trying to recover the user account at the client system.
10 Type the number of Logons before forcing user to set answers to determine how many times a user can log
on without setting their Self‑recovery questions and answers.
11 Click + to create a new question, then select the question Language and type the Min answer length
the user must enter when enrolling the answer to this question.
Answers to these questions are typed by the user on the client system during the recovery process.
The user is prompted for recovery enrollment at every logon and is allowed to cancel the
enrollment until the specified number of logons is exceeded. After that, the Cancel button is
disabled and the user is forced to enroll for self‑recovery.
12 Click Save in the User Based Policies page.
13 Send an agent wake‑up call.
Perform the self-recovery on the client computer
Use this option to recover the user on the client computer, if the user's password or the logon token
has been lost.
Before you begin
Make sure that you have successfully enrolled for self‑recovery on the client system. This
task should be performed by the client user on the client computer.
Task
1
Click Options | Recovery. The Recovery dialog box appears.
2
Select the Recovery Type as Self‑recovery.
3
Type the User name and click OK. The Recovery dialog box appears with the questions that the user
answered while enrolling for the self‑recovery.
4
Type the answers for the prompted questions and click Finish. The Change Password dialog box
appears.
5
Type and confirm the New Password and click OK.
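The two self‑recovery tasks above describe the policy knobs (minimum answer length, number of questions asked, invalidation after a number of failed attempts) and the client‑side check that the typed answers match the enrolled ones. The following added example, which is not McAfee code and does not claim to reproduce how EEPC stores its self‑recovery data, models that enrollment and verification: only salted hashes of the answers are kept, answers are normalised so capitalisation and spacing do not lock a legitimate user out, the comparison is constant‑time, and the token is invalidated once the policy's attempt limit is reached. The class and field names are assumptions.

```python
"""Illustrative model of self-recovery enrolment and verification.

Added example, not McAfee code: it shows how the policy settings described
above (minimum answer length, number of questions to answer, invalidation
after a number of failed attempts) can be enforced while storing only
salted hashes of the answers. Class and parameter names are assumptions.
"""
import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass, field


def normalize(answer: str) -> str:
    """Canonicalise an answer so case and spacing differences do not lock the user out."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """PBKDF2 slows offline guessing of short, low-entropy answers if the store leaks."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 50_000)


@dataclass
class SelfRecoveryPolicy:
    min_answer_length: int = 4     # policy: Min answer length
    questions_to_answer: int = 2   # policy: Questions to be answered
    max_attempts: int = 3          # policy: Invalidate self-recovery after no. of attempts


@dataclass
class SelfRecoveryToken:
    policy: SelfRecoveryPolicy
    answers: dict = field(default_factory=dict)  # question -> (salt, pbkdf2 hash)
    failures: int = 0
    valid: bool = True

    def enroll(self, qa: dict) -> bool:
        """Validate every answer against the policy first; store salted hashes only if all pass."""
        for question, answer in qa.items():
            if len(normalize(answer)) < self.policy.min_answer_length:
                return False  # nothing stored: enrolment is all-or-nothing
        for question, answer in qa.items():
            salt = os.urandom(16)
            self.answers[question] = (salt, hash_answer(answer, salt))
        return True

    def verify(self, given: dict) -> bool:
        """Check the required number of answers; count failures and invalidate the token."""
        if not self.valid or len(given) < self.policy.questions_to_answer:
            return False
        ok = True
        for question, answer in given.items():
            salt, stored = self.answers.get(question, (b"", b""))
            # Constant-time compare; keep checking every answer so timing does not reveal which failed.
            if not hmac.compare_digest(hash_answer(answer, salt), stored):
                ok = False
        if ok:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.policy.max_attempts:
            self.valid = False  # the user must now fall back to administrator recovery
        return False
```

Once `valid` is False every further attempt fails regardless of the answers, which is the behaviour the "Invalidate self‑recovery after no. of attempts" setting describes: the user's only remaining path is the administrator recovery procedure in the next section.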
Enable or disable the administrator recovery functionality
The client system prompts for authentication at the Pre‑Boot logon page before it allows access to the
system. When a user forgets the password, is disabled in Active Directory, or loses their token, the user
can't log on to the system.
Resetting the user's password, unlocking the disabled user, replacing a lost logon token, and performing
machine recovery all require a challenge and response procedure. The user starts the system and clicks
the Recovery button on the Endpoint Encryption Pre‑Boot logon page. This option must be enabled on the
McAfee ePO server before the task can be performed on the client systems.
Use ePolicy Orchestrator to enable or disable the administrator (system and user) recovery
functionality in the client computer.
Task
1
Click Menu | Systems | System Tree, then select a group under System Tree.
2
Select a system, then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page
for that system appears.
3
From the Product drop‑down list, select Endpoint Encryption 7.0.0. The policy categories under Endpoint
Encryption appear with the system's assigned policy.
4
Select the Product Settings policy category, then click Edit Assignments. The Product Settings page
appears.
5
If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6
From the Assigned policy drop‑down list, select a product setting policy, then click Edit Policy. The Policy
Product Settings page appears.
From this location, you can edit the selected policy, or create a new policy.
7
On the Recovery tab, select or deselect Enabled to enable or disable the system recovery functionality.
8
Select the required recovery key size from the Key size drop‑down list, then type the Message to
appear on the recovery page.
9
Click Save in the Product Settings page.
10 Send an agent wake‑up call.
Perform administrator recovery on the client computer
Use this task on the client computer, if the user's password or the logon token have been lost, to
recover the user or the system.
Before you begin
Make sure that the client user performs this task on the client system.
Task
1
Restart the client system.
2
Click Options | Recovery.
3
Select the Recovery type as Administrator Recovery and click OK. The Recovery dialog box appears with the
Challenge Code.
The client user reads the Challenge Code to the administrator who manages McAfee ePO and receives
the Response Code in return. The response code proves only that it was generated from McAfee ePO; it
is the administrator's responsibility to authenticate that the client user is who they claim to be before
reading it out, otherwise the recovery procedure becomes a way for an impostor to have another user's
credentials reset.
4
Enter the Response Code in the Line field, then click Enter.
Each line of the code is checked when it is entered.
5
Click Finish.
Generated Response code depends on the recovery key size set in the policy and the selected
recovery type, that is, machine recovery or user recovery.
Generate the response code for the administrator recovery
The administrator types the challenge code, provided by the user, on the McAfee ePO console and
generates the response code required for the administrator (system and user) recovery.
Before you begin
Make sure that the McAfee ePO administrator performs this task in McAfee ePO.
Task
1
Click Menu | Data Protection | Encryption Recovery. The Endpoint Encryption Recovery wizard opens with
the text field for Challenge Code.
Ask the client user to read the challenge code that appears in the recovery process page to the
administrator. Also, it is the administrator's responsibility to authenticate that the client user is who
they claim to be.
2
Type the Challenge Code and click Next. The Recovery Type page opens.
3
Select the required recovery type from the Recovery Type list, then click Next. The Response Code
page opens with the response code(s).
Generated Response code depends on the recovery key size set in the policy and the selected
recovery type that is system recovery or user recovery.
4
Read out the response code to the user.
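The two tasks above describe the administrator recovery exchange from both ends: the client displays a challenge code, the administrator feeds it to the Encryption Recovery wizard and chooses the recovery type, the wizard produces a response whose length depends on the policy's recovery key size, and the user types the response one line at a time with each line checked as it is entered. The following added example is not McAfee code and is not the product's actual algorithm; it models that exchange with a per‑system recovery key shared by client and server, an HMAC that binds the response to both the challenge and the recovery type, and a per‑line check symbol so a mis‑read line is rejected immediately. The symbol alphabet, line length, key derivation and the assumption that the administrator already knows which system's key to use are all assumptions.

```python
"""Illustrative challenge/response model for administrator recovery.

Added example, not McAfee code and not the product's actual algorithm. It
models the exchange described above: the client displays a challenge code,
the administrator turns it into a response code that depends on the
selected recovery type and the policy's recovery key size, the user types
the response one line at a time, and each line is checked as it is entered.
The per-system recovery key shared by client and server, the symbol
alphabet, the line length and the HMAC construction are all assumptions.
"""
import hashlib
import hmac
import secrets

# 32 symbols with I, O, 0 and 1 removed: the code is read out over the phone.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
LINE_LEN = 8  # symbols per line before the check symbol


def to_symbols(data: bytes) -> str:
    """Encode bytes as base-32 over ALPHABET, ceil(8n/5) symbols, most significant first."""
    n = int.from_bytes(data, "big")
    count = -(-len(data) * 8 // 5)
    out = []
    for _ in range(count):
        out.append(ALPHABET[n & 31])
        n >>= 5
    return "".join(reversed(out))


def check_symbol(body: str) -> str:
    """Position-weighted checksum so a mistyped or transposed symbol is caught per line."""
    total = sum((i + 1) * ALPHABET.index(c) for i, c in enumerate(body))
    return ALPHABET[total % 32]


def to_lines(data: bytes) -> list[str]:
    """Split the encoded data into lines, each carrying its own check symbol."""
    sym = to_symbols(data)
    bodies = [sym[i:i + LINE_LEN] for i in range(0, len(sym), LINE_LEN)]
    return [b + check_symbol(b) for b in bodies]


def line_is_valid(line: str) -> bool:
    """What the client checks as each line is typed, before the whole code is compared."""
    if len(line) < 2 or any(c not in ALPHABET for c in line):
        return False
    return check_symbol(line[:-1]) == line[-1]


def new_challenge(nbytes: int = 8) -> str:
    """Client side: a fresh random challenge, so a recorded response cannot be replayed."""
    return "-".join(to_lines(secrets.token_bytes(nbytes)))


def response_code(recovery_key: bytes, challenge: str, recovery_type: str,
                  key_size_bits: int) -> list[str]:
    """Server side (ePO): bind the response to the challenge and the chosen recovery type."""
    msg = f"{recovery_type}|{challenge}".encode()
    mac = hmac.new(recovery_key, msg, hashlib.sha256).digest()
    return to_lines(mac[:key_size_bits // 8])


def client_accepts(recovery_key: bytes, challenge: str, recovery_type: str,
                   key_size_bits: int, entered: list[str]) -> bool:
    """Client side: per-line checks first, then a constant-time compare of the full code."""
    if not all(line_is_valid(line) for line in entered):
        return False
    expected = "".join(response_code(recovery_key, challenge, recovery_type, key_size_bits))
    return hmac.compare_digest(expected.encode(), "".join(entered).encode())
```

Binding the recovery type into the MAC is what stops a response issued for a user recovery from being accepted for a machine recovery; the check symbol per line is a usability aid that catches read‑out errors early but adds no security, since anyone can compute it.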
End user self-recovery in Mac systems
The end user self‑recovery feature allows an end user to self‑remediate most of the Pre‑Boot issues on
a Mac OS X system, without contacting the administrator. This functionality is automatically installed
on each client when you install the EEMac 7.0 software.
The end user self‑recovery functionality offers these features:
•
McAfee Pre‑Boot — When any SMC or firmware update interrupts the normal usage of the
Pre‑Boot environment, the end user can use this feature to quickly recover the Pre‑Boot and
authenticate as normal. After a successful authentication, this functionality will make sure that the
Mac is configured to boot, without any issues, during the next reboot.
•
McAfee Recovery (Emergency Boot) — The end user can use this feature to perform an
emergency boot when an EEMac installed system fails to boot or its PBFS is corrupt. This option is
also useful when the McAfee Pre‑Boot option does not fix the boot issues in your Mac system. You
can perform the emergency boot on a Mac system without needing any external media.
Perform end user self-recovery on a Mac system
You might need to perform the end user self recovery when any SMC or firmware update interrupts
the normal usage of the Pre‑Boot environment.
Before you begin
•
Make sure that the client user performs this task in the client system.
•
You must have appropriate permissions to perform this task.
Task
For option definitions, click ? in the interface.
1
Boot the unrecoverable system while holding down the Option (or alt) key on the Apple keyboard.
The Boot Menu appears with these recovery options:
•
McAfee Pre‑Boot
•
McAfee Recovery
•
Recovery HD (The standard Mac OS X recovery)
2
Click McAfee Pre‑Boot to quickly recover the Pre‑Boot and authenticate as normal. After a successful
authentication, this functionality will make sure that the Mac is configured to boot, without any
issues, during the next reboot.
3
Click McAfee Recovery to perform the emergency boot when the system fails to boot or its PBFS is
corrupt. This option is also useful when the McAfee Pre‑Boot option does not fix the boot issues in
your Mac system. You can perform the emergency boot on the Mac system without needing any
external media.
The users need to authenticate before performing the emergency boot. For more details on how to
authenticate and perform the emergency boot, refer to the EETech for Mac User Guide.
After the emergency boot, the client system boots into Mac OS X. If it is connected to the ePolicy
Orchestrator server, then the system synchronizes with the server and fully repairs itself by
retrieving the policies, users, and tokens.
12
FIPS 140-2 certification
The 140 series of Federal Information Processing Standards (FIPS) are U.S. government computer
security standards that specify requirements for cryptographic modules.
The client‑side components of EEPC 6.1 Patch 3 are FIPS 140‑2 certified. The same cryptographic
modules are included in EEPC 7.0, so the certification awarded to EEPC 6.1 Patch 3 carries over to
EEPC 7.0 when it is installed in FIPS mode. The EEAdmin and EEPC components installed on McAfee
ePO consume the certified cryptography provided by McAfee ePO running in FIPS mode, and so do
not need to be certified independently.
The current status of this certification is available in the NIST website.
Contents
Pre-requisites to use EEPC in FIPS mode
Install the EEPC client packages in FIPS mode
Impact of FIPS mode
Uninstalling the EEPC client packages in FIPS mode
Pre-requisites to use EEPC in FIPS mode
For EEPC 7.0 to be in compliance with FIPS 140‑2, the software should meet these conditions.
•
McAfee ePO (4.6 Patch 4) installed in FIPS mode
•
EEPC client package installed on the client in FIPS mode
If you don't install both McAfee ePO and Endpoint Encryption in FIPS mode, the configuration does not
operate in a FIPS certified manner.
EEPC must be operating in FIPS mode at the time of activation of a client to ensure that keys are
generated in a FIPS approved manner. Upgrading an active EEPC client to a FIPS mode version of EEPC
7.0 does not imply that the client is now running with FIPS quality keys. An EEPC active client should be
decrypted, deactivated, and then reactivated using a FIPS mode client installation in order to be FIPS
compliant.
Install the EEPC client packages in FIPS mode
For the EEPC client to operate in FIPS mode, install the EEPC client package in FIPS mode before
activating EEPC on the client.
This is to make sure that encryption keys are generated in a FIPS certified manner during the
activation process.
If EEPC is already installed on systems without enabling the FIPS mode, do the following tasks to
make it operate in the FIPS mode.
•
Decrypt the client systems
•
Deactivate EEPC on the client systems
•
Remove the EEPC product from the client systems
•
Reinstall EEPC in the FIPS mode
Deploy EEPC through a McAfee ePO deployment task
To install EEPC client packages in FIPS mode using a McAfee ePO deployment task, make sure to add
the keyword FIPS on the command line of the EEPC deployment task in McAfee ePO.
Deploy EEPC through third‑party deployment software
To install the EEPC client package in FIPS mode using third‑party deployment software, pass the
FIPS_MODE property on the msiexec command line when you install the package, for example:
msiexec.exe /q /i <EEPC client package>.msi FIPS_MODE=1
•
FIPS_MODE=0 — Turns off FIPS mode
•
FIPS_MODE=1 — Turns on FIPS mode
Impact of FIPS mode
In FIPS mode, certain self‑tests are performed in Windows and Pre‑Boot environments.
These self‑tests might impact the performance of the Pre‑Boot.
If self‑tests of FIPS fail, the failed components of the system stop completely, in one of the following
ways.
•
If the Windows EEPC FIPS component fails self‑test, the system doesn't activate or enforce policies.
•
If the Windows EEPC driver fails self‑test, the driver performs a bug‑check (BSOD).
•
If the Pre‑Boot EEPC FIPS component fails self‑test, Pre‑Boot stops functioning.
Move your mouse in Pre‑Boot
Additionally, FIPS 140‑2 defines minimum requirements for entropy during key generation. This can
lead to key generation errors in Pre‑Boot when insufficient entropy (randomness) is available at the
point of key generation, for example in a recovery scenario. To avoid this, supply entropy to Pre‑Boot
by moving the mouse in a random fashion before you retry the action that produced the error.
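This section describes two FIPS‑mode behaviours that differ from the non‑FIPS build: self‑tests that, on failure, stop the affected component outright rather than letting it run without cryptography, and a minimum‑entropy requirement that makes key generation fail in Pre‑Boot until enough randomness (for example, from mouse movement) has been gathered. The following added example, which is not McAfee code, shows both in executable form: a start‑up gate that runs published known‑answer tests (SHA‑256 of "abc" from FIPS 180‑4 and HMAC‑SHA‑256 test case 1 from RFC 4231) and refuses to start on any mismatch, and an entropy pool that mixes pointer samples and refuses to generate a key until its estimate meets a threshold. The threshold and the entropy credited per sample are assumptions, not EEPC's values.

```python
"""Illustrative model of FIPS-style start-up self-tests and entropy gating.

Added example, not McAfee code. It shows the two behaviours described in
this section in executable form: a cryptographic component that refuses to
start when a known-answer self-test fails instead of degrading, and key
generation that refuses to run until enough entropy has been gathered
(here, from mouse movement samples). The two known-answer vectors are
published ones (SHA-256("abc") from FIPS 180-4, HMAC-SHA-256 test case 1
from RFC 4231); the pool threshold and the entropy credited per sample are
assumptions.
"""
import hashlib
import hmac


class SelfTestFailure(RuntimeError):
    """A known-answer test failed; the component must stop, not continue without crypto."""


KNOWN_ANSWERS = [
    ("SHA-256",
     lambda: hashlib.sha256(b"abc").hexdigest(),
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("HMAC-SHA-256",
     lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha256).hexdigest(),
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
]


def run_self_tests(vectors=KNOWN_ANSWERS) -> list[str]:
    """Run every known-answer test; return the names that passed or raise on the first failure."""
    passed = []
    for name, compute, expected in vectors:
        if not hmac.compare_digest(compute(), expected):
            raise SelfTestFailure(f"{name} known-answer test failed")
        passed.append(name)
    return passed


def component_starts(vectors=KNOWN_ANSWERS) -> bool:
    """Start-up gate: True only if every self-test passes; a failure leaves the component stopped."""
    try:
        run_self_tests(vectors)
    except SelfTestFailure:
        return False
    return True


class EntropyPool:
    """Accumulates pointer samples and an entropy estimate; key generation is gated on it."""

    MIN_BITS_FOR_KEYGEN = 256   # assumption: a full key's worth of estimated entropy first
    BITS_PER_SAMPLE = 2         # assumption: conservative credit per (x, y, time) sample

    def __init__(self) -> None:
        self._pool = hashlib.sha256()
        self.estimated_bits = 0

    def add_mouse_sample(self, x: int, y: int, t_us: int) -> None:
        """Mix a pointer sample into the pool and credit a small amount of entropy."""
        self._pool.update(x.to_bytes(2, "big", signed=True))
        self._pool.update(y.to_bytes(2, "big", signed=True))
        self._pool.update(t_us.to_bytes(8, "big"))
        self.estimated_bits += self.BITS_PER_SAMPLE

    def can_generate(self, nbytes: int = 32) -> bool:
        """True when the estimate covers both the fixed minimum and the requested key length."""
        return self.estimated_bits >= max(self.MIN_BITS_FOR_KEYGEN, nbytes * 8)

    def generate_key(self, nbytes: int = 32) -> bytes:
        """Return a key only if the estimate meets the minimum; otherwise fail the operation."""
        if not 1 <= nbytes <= 32:
            raise ValueError("this model derives at most 32 bytes per call")
        if not self.can_generate(nbytes):
            raise RuntimeError(
                f"insufficient entropy: {self.estimated_bits} bits estimated, "
                f"{max(self.MIN_BITS_FOR_KEYGEN, nbytes * 8)} required; keep moving the mouse")
        key = self._pool.copy().digest()[:nbytes]
        self._pool.update(key)              # so the next key is not the same digest
        self.estimated_bits -= nbytes * 8   # the generated key has consumed that estimate
        return key
```

The point of `component_starts` is the failure path: a real FIPS module that fails its power‑up tests enters an error state and performs no cryptographic operations, which is what the bug‑check and "Pre‑Boot stops functioning" outcomes above correspond to. The entropy pool shows why the mouse‑movement advice works: each sample raises the estimate, and `generate_key` succeeds only once the estimate clears the threshold.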
Uninstalling the EEPC client packages in FIPS mode
The removal of EEPC client packages in FIPS mode doesn't vary from the normal removal of the EEPC
client.
For more information about uninstalling the EEPC client, see Uninstalling the EEPC client.
13
Common Criteria EAL2+ mode operation
To use your implementation of Endpoint Encryption for PC in its Common Criteria mode of operation,
make sure that the following conditions are met.
•
EEPC is installed in FIPS mode
•
The user's password is invalidated after 10 or fewer invalid logon attempts
•
All hard disks are encrypted
•
Users are forced to log on with PBA (Pre‑Boot Authentication)
Contents
Administrator guidance
User guidance
Administrator guidance
To comply with Common Criteria requirements, an administrator must apply these policy settings in the
Policy Catalog page before installing EEPC.
•
For each User‑Based Policy that is assigned to one or more EEPC clients, make sure that you enable
the Invalidate password after nn invalid attempts option under User‑Based Policy | Password | Incorrect passwords.
Also make sure that the nn value is less than or equal to 10, so that the password is invalidated after
at most 10 invalid logon attempts.
•
For Product Settings that are assigned to one or more EEPC clients, make sure of the following:
•
On the General tab, the Enable policy checkbox is selected.
•
On the Encryption tab, the Encrypt field is set to All disks.
•
On the Logon and General tabs, the Enable automatic booting option is disabled.
User guidance
Administrators should make sure that users know how to construct strong passwords, following these
rules:
•
Use passwords with eight characters or more.
•
Do not use words that are available in the dictionary.
•
Do not use a name, or any variation of the account name or administrator identity.
•
Do not use accessible information such as phone numbers, birthdays, license plates, or social
security numbers.
•
Use a mixture of upper and lower case letters, as well as digits or punctuation. When choosing a
new password, make sure it is unrelated to any previous password.
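The user guidance above is a list of rules that a help desk or an enrolment script can check mechanically. The following added example, which is not part of the McAfee guide, turns each rule into a check: minimum length, dictionary words (including common leet‑speak substitutions), variations of the account or administrator name, personal data such as a birthday or phone number, the required mix of character classes, and similarity to the previous password. The word list, the leet mapping, the default administrator name, the personal‑data samples and the similarity threshold are constructed for illustration; a deployment would load a real dictionary and its own identity data.

```python
"""Password guidance checker for the Common Criteria user guidance above.

Added example, not part of the McAfee guide: it turns the listed rules
(eight or more characters, no dictionary word, no variation of the account
or administrator name, no easily obtained personal data, a mix of upper and
lower case plus digits or punctuation, unrelated to the previous password)
into a check a help desk or enrolment script could run. The word list, the
leet-speak mapping, the personal-data samples and the similarity threshold
are constructed for illustration; a deployment would load a real dictionary.
"""
import difflib
import re
import string

# Constructed stand-in for a real word list.
DICTIONARY = {"password", "welcome", "summer", "winter", "dragon", "monkey", "letmein", "qwerty"}

# Undo the usual substitutions so 'P@ssw0rd1' is still recognised as 'password'.
LEET = str.maketrans("0134578@$!", "oieastbasi")


def canonical(s: str) -> str:
    """Lower-case, reverse leet substitutions and keep letters only."""
    return re.sub(r"[^a-z]", "", s.lower().translate(LEET))


def contains_dictionary_word(pw: str, words=DICTIONARY, min_len: int = 4) -> bool:
    """True if any dictionary word of at least min_len letters appears in the canonical form."""
    c = canonical(pw)
    return any(w in c for w in words if len(w) >= min_len)


def resembles_name(pw: str, names) -> bool:
    """Account or administrator name, forwards or reversed, after canonicalisation."""
    c = canonical(pw)
    for name in names:
        n = canonical(name)
        if n and (n in c or n[::-1] in c):
            return True
    return False


def contains_personal_data(pw: str, personal: dict) -> bool:
    """Phone numbers, birthdays, plates or SSNs: match any 4-digit run, ignoring separators."""
    digits = re.sub(r"\D", "", pw)
    alnum = re.sub(r"[^a-z0-9]", "", pw.lower())
    for value in personal.values():
        vd = re.sub(r"\D", "", value)
        va = re.sub(r"[^a-z0-9]", "", value.lower())
        if any(vd[i:i + 4] in digits for i in range(len(vd) - 3)):
            return True
        if len(va) >= 4 and va in alnum:
            return True
    return False


def has_required_mix(pw: str) -> bool:
    """Upper and lower case letters, plus at least one digit or punctuation character."""
    lower = any(c in string.ascii_lowercase for c in pw)
    upper = any(c in string.ascii_uppercase for c in pw)
    other = any(c in string.digits or c in string.punctuation for c in pw)
    return lower and upper and other


def related_to_previous(pw: str, previous: str, threshold: float = 0.6) -> bool:
    """Similarity ratio catches 'Summer2012!' -> 'Summer2013!' style rotations."""
    if not previous:
        return False
    return difflib.SequenceMatcher(None, pw.lower(), previous.lower()).ratio() >= threshold


def check_password(pw: str, account: str, admin: str = "administrator",
                   personal: dict = None, previous: str = "") -> list[str]:
    """Return the violated rules; an empty list means the password meets the guidance."""
    problems = []
    if len(pw) < 8:
        problems.append("fewer than 8 characters")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word")
    if resembles_name(pw, [account, admin]):
        problems.append("derived from the account or administrator name")
    if contains_personal_data(pw, personal or {}):
        problems.append("contains personal data")
    if not has_required_mix(pw):
        problems.append("needs upper and lower case plus a digit or punctuation")
    if related_to_previous(pw, previous):
        problems.append("too similar to the previous password")
    return problems
```

Such a check complements, but does not replace, the Invalidate password after nn invalid attempts setting: the lockout limits online guessing at the Pre‑Boot prompt, while the guidance above is what keeps a captured password hash from falling to an offline dictionary attack.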
Index
A
about this guide 7
Active Directory
  adding users 19, 47
  permission sets 78
  registering 19, 47
  synchronizing 20, 47
administrator guidance, Common Criteria mode 123
administrator recovery
  enabling and disabling 116
  performing 117
  response code 118
agent wake-up call, sending 21, 49
answers, self-recovery 115
auto booting
  enabling and disabling 83
  policies 57
automatic booting, temporary
  Endpoint Encryption for Mac 85
  Endpoint Encryption for PC 84
B
blacklist policies
  adding and removing 76
  configuring 76
C
challenge code, generating 117
client computers
  adding users 23
  assigning theme 89
  encrypting 83
  managing 81
client events, viewing 108
client software, Endpoint Encryption for Mac
  deactivating 53
  installing 43
  uninstalling 56
client software, Endpoint Encryption for PC
  deactivating 29
  FIPS mode 121
  installing 17
  uninstalling 31
  upgrading 28
client tasks, editing 26, 51
conventions and icons used in this guide 7
customized theme
  assigning to a system 89
  creating 88
D
dashboards, Endpoint Encryption
  creating 112
  viewing 113
disk encryption
  encrypting and decrypting 10
  Pre-Boot Authentication 9
disk status
  encryption and decryption 113
  reporting 108
disks
  encrypting 83
  partitions 57
documentation
  audience for this guide 7
  product-specific, finding 8
  typographical conventions and icons 7
E
EEDeep extension 93
EEGO 15
enable accessibility
  audio signal 57, 87
enabling USB support 57
encryption providers
  PC Opal and PC software 57
  setting priority 85
encryption type
  all disks and boot disks 83
  selecting 57
Endpoint Encryption
  password 75
  synchronizing 20
Endpoint Encryption for Mac
  about 43
  installing 43
  removing 53
  temporary automatic booting 85
  upgrading 52, 53
Endpoint Encryption for Mac, upgrading 52
Endpoint Encryption for PC
  about 17
  mode 121, 123
  removing 29, 122
  temporary automatic booting 84
  upgrading 28
Endpoint Encryption for PC, upgrading 28
Endpoint Encryption password, synchronizing 74
extensions, Endpoint Encryption for Mac
  installing 46
  removing 55
  uninstalling 53
  upgrading 52
extensions, Endpoint Encryption for PC
  FIPS mode 121
  installing 18
  removing 31
  uninstalling 29
  upgrading 28
F
features, centralized management and Pre-Boot 12
FIPS mode, installing 121
G
group users
  adding systems 23
  assigning policy 23
  breaking inheritance 72
  removing 72
  user information 77
  viewing 71
I
incompatible products
  adding rule 86
  server settings 57
installation
  Mac extensions 46
  PC extensions 18
  using third-party tool 22
Intel® Active Management Technology 12, 93–95, 97
Intel® vPro technology 93
K
KnowledgeBase
  entropy 121
  operating system refresh 17
L
local domain users
  adding 76
  blacklisting 76
logon hours
  applying restrictions 57
  managing 78
M
McAfee Agent for Mac, downloading and deploying 44
McAfee ServicePortal, accessing 8
MER tool, using 51
O
out-of-band
  remediation 93, 94
  unlock PBA 93, 95
  user management 93, 97
out-of-band, enabling 93
P
packages, installing
  EEMac 46
  EEPC 19
password, changing 116
passwords, Endpoint Encryption
  changing 116
  configuring content rules 75
permission sets, Endpoint Encryption
  defining 78
policies
  assigning to systems 25, 50, 69
  assigning to users 23
  configuring 28, 52, 57, 69
  creating 57, 68
  disabling 29, 53
  editing 57, 68
  enforcing 25, 50, 57, 69
  managing 57
  password content rules 75
  product settings 57
  user-based 57
Pre-Boot
  enabling accessibility 87
  FIPS mode performance 122
  removing 83–85
product components
  client system 10
  extensions 10
  LDAP Server 10
  McAfee ePO 10
  policies 10
  software packages 10
product setting policy
  automatic booting 83
  boot options 57
  disabling 29, 53
  enabling accessibility 87
  encryption 57
  encryption provider 57, 85
  encryption type 83
  incompatible products 86
  logon 57
  managing themes 88
  recovery 57
  temporary automatic booting 84, 85
  theme 57
  updating self-recovery information 88
product version, reporting 108
Q
queries, Endpoint Encryption
  creating 108
  dashboard monitor 107
  running 108
R
recovery key size, changing 116
regular expression, adding and testing 76
reports, Endpoint Encryption
  encryption and decryption 113
  exporting results 107
  managing 107
  viewing 108
requirements testing, EEGO 15
requirements testing, pre-boot smart check 15
requirements, Endpoint Encryption 13
response code
  generating 118
  getting 117
restriction, logon hours 78
S
self-recovery 115
  enabling and disabling 115
  enabling and resetting 88
  performing 116
self-tests, FIPS mode 122
server settings, Endpoint Encryption
  general 57
  incompatible products 57
  simple words 57
  themes 57
  tokens 57
ServicePortal, finding product documentation 8
simple words
  adding and managing 90
  creating 90
Single Sign On, enabling and canceling 73
software package, Endpoint Encryption for Mac
  removing 54
software package, Endpoint Encryption for PC
  removing 29–31
  upgrading 28
software packages, Endpoint Encryption for Mac
  checking in 46
  deploying 48
  removing 53, 55
  upgrading 52
software packages, Endpoint Encryption for PC
  checking in 19
  deploying 20
system group, moving 82
systems
  adding and importing 81
  recovery 115
T
Technical Support, finding product information 8
theme package
  creating and customizing 88
  installing 88
token certificates, configuring 99
token type, modifying 99
U
user attribute, selecting 77
user guidance, Common Criteria mode 123
user information 77
user information, configuring 77
user-based policies
  authentication 57
  configuring 24
  enabling self-recovery 115
  password 57
  password content rules 57
  self-recovery 57
user, changing password 116
users
  adding 23, 49
  assigning 71
  managing 71, 75
  policies 57
  recovery 115
  removing 72
  reporting 108
  resetting self-recovery information 88
  viewing 71
V
volume status, reporting 108
W
Windows logon
  controlling 73
  MSGINA 73
  Single Sign On 73
word package, regenerating 90