Product Guide
COPYRIGHT
Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
McAfee Endpoint Encryption - 6.1 Patch 2 (EEPC) and 1.0.0 (EEMac) Product Guide
Contents
Introducing McAfee Endpoint Encryption . . . . . 6
    Comprehensive McAfee Endpoint Encryption . . . . . 6
    What is McAfee Endpoint Encryption . . . . . 6
    How McAfee Endpoint Encryption works . . . . . 7
    McAfee Endpoint Encryption product components . . . . . 7
    McAfee Endpoint Encryption features . . . . . 9
    Audience . . . . . 9
    Finding product documentation . . . . . 10
    Requirements . . . . . 10
Upgrading from EEPC 6.0.x and 6.1 Patch 1 to EEPC 6.1 Patch 2 . . . . . 23
    Supported versions . . . . . 23
    Overview of the upgrade process . . . . . 23
        Configure UBP enforcement . . . . . 24
    User experience summary . . . . . 25
    Remove EEPC from the client system . . . . . 27
    Remove the EEPC extensions from ePolicy Orchestrator . . . . . 28
    Remove the EEPC software packages from ePolicy Orchestrator . . . . . 28
    Manually uninstall EEPC from the client system . . . . . 29
    Synchronize the EEPC password with the Windows password . . . . . 57
    Modify the token type associated with a system or a system group . . . . . 58
    Configure password content rules . . . . . 59
    Manage a disabled user in Windows Active Directory . . . . . 59
    Configure the global user information . . . . . 60
    Manage the logon hours . . . . . 60
    Define EE permission sets for McAfee ePO users . . . . . 61
Managing EE reports . . . . . 70
    Queries as dashboard monitors . . . . . 70
    Create EE custom queries . . . . . 70
    View the standard EE reports . . . . . 71
    Create the EE dashboard . . . . . 74
    View the EE dashboard . . . . . 74
    Report the encrypted and decrypted systems . . . . . 75
To log on to a system, the user must first authenticate through the Pre-Boot environment. On a successful authentication, the client system's operating system (Microsoft Windows or Mac OS X) loads and gives access to normal system operation. McAfee Endpoint Encryption is transparent to the user and has little impact on the performance of the computer. McAfee Endpoint Encryption is the encryption software installed on client systems. It is deployed and managed through McAfee ePolicy Orchestrator using policies. A policy is a set of rules that determines how the McAfee Endpoint Encryption software functions on the user's computer.
EEPC/EEMac
The EEPC/EEMac extension installed in ePolicy Orchestrator defines the encryption algorithm, product settings, and server settings for the client system. The EEPC/EEMac software package checked in to ePolicy Orchestrator is the Endpoint Encryption software that is actually installed on the client system.

EE Admin
The EE Administration system (EE Admin) defines the generic endpoint encryption settings for product-based policies, user-based policies, and server settings for the users. It is common to both EEPC and EEMac.

LDAP Server
McAfee Endpoint Encryption acquires users from Windows Active Directory (AD). You must have a registered LDAP server (AD) to use Policy Assignment Rules, to enable dynamically assigned permission sets, and to enable manual and automatic user account creation.

Client system components
For ePolicy Orchestrator to communicate with a client system, the client must have these components:
For EEPC: McAfee Agent for Windows; Windows operating system.
For EEMac: McAfee Agent for Mac; Mac OS X platform.

The ePolicy Orchestrator server deploys the EE Agent and the EE product to the client system. On a Mac client, the McAfee Agent itself must be installed manually using the install.sh file, which is copied from the Windows-based system where the ePolicy Orchestrator server is installed. On Windows-based systems, ePolicy Orchestrator deploys the McAfee Agent to the client system itself. For details and procedures, see the ePolicy Orchestrator product documentation for versions 4.5 and 4.6. McAfee Endpoint Encryption product components are depicted in Figure 1.
Audience

McAfee Endpoint Encryption documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:
Administrators: people who implement and enforce the company's security program.
Users: people who are responsible for configuring the product options on their systems, or for updating their systems.
Conventions

This guide uses the following typographical conventions:
- Title of a book, chapter, or topic; introduction of a new term; emphasis.
- Text that is strongly emphasized.
- Commands and other text that the user types; the path of a folder or program.
- A code sample.
- Words in the user interface, including options, menus, buttons, and dialog boxes.
- A live link to a topic or to a website.
- Additional information, like an alternate method of accessing an option.
- Suggestions and recommendations.
- Valuable advice to protect your computer system, software installation, network, business, or data.
- Critical advice to prevent bodily harm when using a hardware product.
Requirements

System requirements

McAfee ePO server systems: see the ePolicy Orchestrator product documentation for versions 4.5 and 4.6.
Client systems for EEPC: CPU Pentium III 1 GHz or higher; RAM 512 MB minimum (1 GB recommended); hard disk 200 MB minimum free disk space.
Client systems for EEMac: CPU any Intel-based Mac with 64-bit EFI; RAM 1 GB minimum; hard disk 200 MB minimum free disk space.
Software requirements

McAfee management software: for EEPC 6.1 Patch 2, see the McAfee Endpoint Encryption for PC 6.1 Release Notes; for EEMac 1.0, see the McAfee Endpoint Encryption for Mac 1.0 Release Notes.
Extensions: EEADMIN.ZIP, EEPC.ZIP, help_ee_112.ZIP.
EE Agent: MfeEEAgent.ZIP.
Microsoft Windows Installer 3.0 Redistributable package (for McAfee ePO): see the ePolicy Orchestrator product documentation for versions 4.5 and 4.6.
Microsoft .NET Framework 2.0 Redistributable package (for McAfee ePO): see the ePolicy Orchestrator product documentation for versions 4.5 and 4.6.
Microsoft MSXML 6 (for McAfee ePO): see the ePolicy Orchestrator product documentation for versions 4.5 and 4.6.
Mac OS X versions supported by EEMac: Leopard 10.5.8; Snow Leopard 10.6.0 and later (32- and 64-bit).
Restart the client system to complete the installation of the EEPC software. After restarting, the client communicates with the ePolicy Orchestrator server, pulls down the assigned Endpoint Encryption policies, and encrypts the system according to those policies. The assigned user can be initialized through the Pre-Boot screen after the subsequent restart. The client installation process is summarized in Figure 2.
Figure 2: Process overview of installation

The overall EEPC installation and deployment process can be simplified into the following steps.
NOTE: This assumes that you have already installed ePolicy Orchestrator and that the McAfee Agent is installed on the systems and communicating successfully with the ePolicy Orchestrator server.
1 Install the EEAdmin and EEPC extensions into ePolicy Orchestrator.
2 Check in the EEPC software packages (MfeEEPC.ZIP and MfeEEAgent.ZIP) to ePolicy Orchestrator.
3 Configure the registered server (Windows Active Directory).
4 Configure and run the automation task for LDAP Synchronization.
5 Deploy the Endpoint Encryption Agent to the client.
6 Deploy the EEPC software package to the client.
7 Restart the client system. You should now be able to see the Quick Settings | Endpoint Encryption Status option in the McAfee Agent System Tray on the client system.
8 Add users to a system or a group of systems.
9 Create a product settings policy or edit the default policy, then assign it to a system or a group of systems.
10 Create a user-based policy or edit the default policy, then assign it to a user or a group of users on a system. Configure UBP enforcement if required.
NOTE: The Endpoint Encryption System Status changes from Inactive to Active only after adding the user and enforcing the policies correctly.
11 Verify the Endpoint Encryption System Status by right-clicking the McAfee Agent System Tray icon on the client system, then clicking Quick Settings | Endpoint Encryption Status.
Configure the registered server (Windows Active Directory) in ePolicy Orchestrator:
- Select Active Directory from LDAP server type, then type the Domain name or the Server name.
  NOTE: Use the DNS-style domain name. When you use the DNS-style domain name, make sure that the McAfee ePO system is configured with the appropriate DNS settings and can resolve the DNS-style domain name of the Active Directory. The Server name is the name or IP address of the system where the Windows Active Directory is present.
- Type the User name.
  NOTE: For Active Directory accounts the User name must be in the format domain\Username.
- Type the Password and confirm it.
- Click Test Connection to ensure that the connection to the server works, then click Save.
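The two notes above (use the DNS-style domain name, which the McAfee ePO host must be able to resolve, and write the account as domain\Username) can be checked before clicking Test Connection. The following is an added example and not code from the McAfee guide or product: it validates both inputs, then confirms that the domain resolves and that the domain controllers Active Directory publishes under the _ldap._tcp.dc._msdcs.<domain> SRV record resolve as well. The resolver functions are passed in as parameters so the check can run offline; resolve_a is a standard-library A/AAAA lookup, and the SRV lookup is assumed to be supplied by the caller (for example dnspython's dns.resolver.resolve(name, "SRV")). The domain, account and addresses in the demo at the bottom are constructed.

```python
"""Pre-flight checks for the ePO registered LDAP server (Windows AD) settings.

Added example, not part of the McAfee guide. The SRV resolver is an assumed
caller-supplied function; the sample data in main() is constructed.
"""
import re
import socket
from typing import Callable, List, Optional, Tuple

# One DNS label: 1-63 chars of letters, digits or hyphen, no leading/trailing hyphen.
_DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_dns_style_domain(name: str) -> bool:
    """True for a DNS-style AD domain such as corp.example.com.

    A single label such as CORP (the NetBIOS name) is rejected: the guide
    requires the DNS-style name, and ePO has to resolve it through DNS.
    """
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_DNS_LABEL.match(label) for label in labels)


def parse_ad_account(account: str) -> Optional[Tuple[str, str]]:
    """Split domain\\Username into (domain, username); None if malformed."""
    parts = account.split("\\")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return None
    return parts[0], parts[1]


def dc_locator_srv_name(domain: str) -> str:
    """SRV record under which Active Directory publishes its domain controllers."""
    return f"_ldap._tcp.dc._msdcs.{domain.rstrip('.')}"


def resolve_a(name: str) -> List[str]:
    """A/AAAA lookup through the OS resolver, i.e. what the ePO host itself can do.

    Returns [] when the name does not resolve (port 389 is LDAP, used only as a hint).
    """
    try:
        infos = socket.getaddrinfo(name, 389, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_registered_server(
    domain: str,
    account: str,
    resolve_host: Callable[[str], List[str]] = resolve_a,
    resolve_srv: Optional[Callable[[str], List[str]]] = None,
) -> List[str]:
    """Return the problems found with the registered-server inputs (empty == OK).

    resolve_host maps a host name to addresses; resolve_srv maps an SRV name to
    the target host names it advertises. Both are injectable so the check can
    be exercised without network access.
    """
    problems: List[str] = []
    if not is_dns_style_domain(domain):
        problems.append(f"domain {domain!r} is not a DNS-style name")
    if parse_ad_account(account) is None:
        problems.append(f"account {account!r} is not in domain\\Username form")
    if problems:
        return problems  # no point querying DNS for a malformed name

    if not resolve_host(domain):
        return [f"{domain} does not resolve from this host"]

    if resolve_srv is not None:
        srv = dc_locator_srv_name(domain)
        controllers = resolve_srv(srv)
        if not controllers:
            problems.append(f"no domain controllers published at {srv}")
        for dc in controllers:
            # ePO talks to a controller, so every advertised DC must resolve too.
            if not resolve_host(dc):
                problems.append(f"domain controller {dc} does not resolve")
    return problems


if __name__ == "__main__":
    # Constructed data standing in for DNS answers; dc2 is deliberately missing.
    hosts = {"corp.example.com": ["10.0.0.5"], "dc1.corp.example.com": ["10.0.0.5"]}
    fake_host = lambda n: hosts.get(n.rstrip("."), [])
    fake_srv = lambda n: ["dc1.corp.example.com", "dc2.corp.example.com"]
    for dom, acct in [("corp.example.com", "CORP\\epo-ldap"), ("CORP", "epo-ldap")]:
        print(dom, acct, check_registered_server(dom, acct, fake_host, fake_srv) or "OK")
```

Run it on the ePO server itself, not on an administrator workstation: the point of the check is that the host running ePolicy Orchestrator can resolve the names, and a workstation on a different DNS configuration proves nothing.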
To deploy the Endpoint Encryption Agent for Windows 1.1.2.x with a product deployment client task:

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Systems | System Tree, then select a system or group of systems from the System Tree pane on the left.
3 On the Client Tasks tab, click Actions, then select New Task from the drop-down menu. The Client Task Builder wizard opens with the Description page.
4 Type a Name and Notes for the task, select the Type as Product Deployment from the drop-down list, select whether the task should be sent to all computers or to tagged computers, then click Next. The Configuration page appears.
5 Select the Target platform as Windows.
6 From the Products and components drop-down list, select Endpoint Encryption Agent for Windows 1.1.2.x to specify the version of the agent to deploy and, if needed, additional command-line parameters.
7 Select the Action as Install.
NOTE: If you are working in a Windows environment, check whether to run the task at each policy enforcement interval.
8 Click Next to open the Schedule page.
9 Change the Schedule Type as required and click Next. The Summary page appears.
10 Verify the task details, then click Save. The new deployment task is sent to the client computers at the next agent-server communication.
11 Send an agent wake-up call. Follow the same procedure to deploy Endpoint Encryption for PC 6.1.2.x. We recommend that you deploy Endpoint Encryption Agent for Windows 1.1.2.x before deploying Endpoint Encryption for PC 6.1.2.x.
TIP: We recommend that you create separate client tasks for deploying Endpoint Encryption Agent for Windows 1.1.2.x and Endpoint Encryption for PC 6.1.2.x, then deploy them in sequence.
12 Restart the client system when prompted after installing the Endpoint Encryption for PC 6.1.2.x package.
To send an agent wake-up call:

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Systems | System Tree.
3 Select a system group from the System Tree.
4 Select the System Name(s) of that group.
5 Click Actions | Agents | Wake Up Agents from the drop-down menu. The Wake Up Agents page appears.
6 Select a Wake-up call type and a Randomization period (0-60 minutes) within which the systems respond to the wake-up call sent by ePolicy Orchestrator.
7 Select Get full product properties for the agents to send complete properties instead of only the properties that have changed since the last agent-to-server communication.
8 Select Force complete policy and task update for the agents to send the complete policy and task update.
9 Click OK.
NOTE: Navigate to Menu | Automation | Server Task Log to see the status of the agent wake-up call.
To configure UBP enforcement for users:
3 Run the EE: Users query to list all the Endpoint Encryption Users.
4 Select a user (or users) from the list on which to enforce the policy.
5 Click Actions | Endpoint Encryption | Configure UBP enforcement. The Configure UBP enforcement page appears with Enable and Disable options.
6 Select Enable or Disable, then click OK to configure the UBP enforcement state. On selecting Enable, Policy Assignment Rules are enabled for the selected users, and a specific UBP is assigned to each user according to the rule defined.
NOTE: At each ASCI, ePolicy Orchestrator ensures that all the relevant user-based policies are deployed to each client, in addition to the user-based policy for the logged-on user configured with UBP enforcement.
To change Endpoint Encryption policy enforcement on a single system:

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Systems tab, then under System Tree, select the group where the system belongs. The list of systems belonging to this group appears in the details pane.
2 Select a system, then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page appears.
3 Select Endpoint Encryption 1.1.2, then click Enforcing next to Enforcement status. The Enforcement page appears.
4 To change the enforcement status, select Break inheritance and assign the policy and settings below.
5 Next to Enforcement status, select Enforcing or Not enforcing accordingly, then click Save.
After restarting, the client system communicates with the ePolicy Orchestrator server, pulls down the assigned Endpoint Encryption policies, and encrypts the system according to the defined policies. The assigned user can be initialized through the Pre-Boot screen after the subsequent restart.
The managed systems receive these changes the next time the agent communicates with the server.
Upgrading from EEPC 6.0.x and 6.1 Patch 1 to EEPC 6.1 Patch 2

The primary goal of upgrading EEPC 6.0.x, EEPC 6.1, or EEPC 6.1 Patch 1 to EEPC 6.1 Patch 2 is to update the components while preserving all existing encryption, policies, users, authentication details, Single Sign On (SSO) details, audit data, and tokens.

Contents
Supported versions
Overview of the upgrade process
User experience summary
Supported versions
EEPC 6.1 Patch 2 supports the client upgrade from EEPC 6.0.x, EEPC 6.1 and EEPC 6.1 Patch 1.
Overview of the upgrade process
Restart the client system after each deployment task completion. After restarting the client system, the new files and drivers are in place. The EEPC 6.1 Patch 2 encryption status dialog box shows the status as Active throughout the upgrade process. NOTE: After the upgrade, the only visible change is the version numbers in various modules lists.
User experience summary

Before deploying the EEPC 6.1 Patch 2 packages
    EEPC version on the client: 6.0.x, or 6.1, or 6.1 Patch 1
    The client system has EEPC 6.0.x, or 6.1, or 6.1 Patch 1 installed.

During the deployment of EEPC 6.1 Patch 2 to the client
    EEPC version on the client: 6.0.x, or 6.1, or 6.1 Patch 1
    The EEPC 6.1 Patch 2 deployment forces the restart of the client system.

After restarting the system due to the EEPC 6.1 Patch 2 deployment
    EEPC version on the client: EEPC 6.1 Patch 2
    The 6.0.x, or 6.1, or 6.1 Patch 1 encryption status remains Active throughout the upgrade process. The user credentials for both Windows and Pre-Boot logons are the same in 6.1 Patch 2 as they were in 6.0.x, or 6.1, or 6.1 Patch 1. SSO to Windows continues to function as it did before the upgrade.
Uninstalling the EEPC client Remove EEPC from the client system

Decrypt the client by disabling the product settings policy (final steps of the task):
Click Save in the Policy Settings page, then click Save in the Product Settings page.
10 Send an agent wake-up call.
NOTE: On disabling the product settings policy, all the encrypted drives are decrypted and the Endpoint Encryption status becomes Inactive. This may take a few hours depending on the number and size of the encrypted drives. Do not remove the software until the status shows Inactive.

Remove the software with a product deployment client task (final steps of the task):
10 Verify the task details, then click Save. The new deployment task is sent to the client computers at the next agent-server communication.
11 Send an agent wake-up call.
NOTE: Follow the same procedure to remove Endpoint Encryption Agent for Windows 1.1.2.x from the client system. We recommend that you remove Endpoint Encryption for PC 6.1.2.x before removing Endpoint Encryption Agent for Windows 1.1.2.x.
Figure 3: Process overview of installation

The overall EEMac installation and deployment process can be simplified into the following steps:
NOTE: This assumes that you have already installed ePolicy Orchestrator and that the McAfee Agent is installed on the systems and communicating successfully with the McAfee ePO server.
1 Install the EEAdmin and EEMac extensions into the McAfee ePO server.
2 Check in the EEMac software packages (MfeEeMac-1.0.0.x.ZIP and MfeEEAgent-1.0.0.x.ZIP) to the McAfee ePO server.
3 Configure the registered server (Windows Active Directory).
4 Configure and run the automation task for LDAP Synchronization.
5 Deploy the Endpoint Encryption Agent to the Mac client.
6 Deploy Endpoint Encryption for Mac to the Mac client.
7 Restart the client system. You should now be able to see the Encryption icon | McAfee Endpoint Encryption System Status option on the menu bar of the client desktop.
8 Add users to a system or a group of systems.
9 Create a product settings policy or edit the default policy, then assign it to a system or a group of systems.
10 Create a user-based policy or edit the default policy, then assign it to a user or a group of users on a system.
NOTE: The Endpoint Encryption System Status changes from Inactive to Active only after adding the user and enforcing the policies correctly.
11 Verify the Endpoint Encryption System Status by clicking the Encryption icon | McAfee Endpoint Encryption System Status option on the menu bar of the client desktop. If the Endpoint Encryption system state is Active, it displays the system partition/volume list under Volume Status, with a status of either Encrypted or Decrypted for each partition/volume.
3 Place the copied install.sh file on the desktop.
4 In the Terminal, change to the directory containing install.sh: cd /Users/<user>/Desktop
5 Deploy the McAfee Agent on the Mac client with one of these commands:
sudo ./install.sh -i (for a fresh installation)
sudo ./install.sh -u (for an upgrade of the agent)
NOTE: Type the administrator password if prompted. The installation path of the McAfee Agent is /Library/McAfee/cma/. The uninstall path of the McAfee Agent is /Library/McAfee/cma/uninstall.sh.
6 To monitor the McAfee Agent logs, run the command sudo tail -f /Library/McAfee/cma/scratch/etc/log and provide the administrator password when prompted.
Check in the EEMac software packages (EEAgent and EEMac) to ePolicy Orchestrator

Use ePolicy Orchestrator to check in the EEMac software packages (EEAgent and EEMac) to the master repository.

Before you begin
You must have appropriate permissions to perform this task. Before checking in the software packages, make sure there are no pull or replication tasks running.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Software | Master Repository, then click Actions | Check In Package. The Check In Package wizard opens.
3 From the Package type list, select Product or Update (.ZIP), then browse to and select the MfeEeMac-1.0.0.x.ZIP package file.
4 Click Next to display the Package Options page.
5 Click Save to begin checking in the package. Wait while the package is checked in.
6 Repeat steps 2 through 5 to check in the MfeEEAgent-1.0.0.x.ZIP package.
The new package appears in the Packages in Master Repository list on the Master Repository page.
To configure the automation task for LDAP synchronization:

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Automation | Server Tasks. The Server Tasks page opens.
3 Click Actions | New Task. The Server Task Builder wizard opens.
4 On the Description page, name the task, type some notes about the task, and choose whether it is enabled, then click Next. The Actions page appears.
5 From the Actions drop-down list, select EE LDAP Server User/Group Synchronization and accept the default values.
6 Click Next. The Schedule page appears.
7 Schedule the task, then click Next to display the Summary page.
8 Review the task details, then click Save.
NOTE: In addition to running at the scheduled time, the task can be run immediately by clicking Run next to it on the Server Tasks page.
9 Change the Schedule Type as required and click Next. The Summary page appears.
10 Verify the task details, then click Save. The new deployment task is sent to the client computers at the next agent-server communication.
11 Send an agent wake-up call. Follow the same procedure to deploy Endpoint Encryption for Mac OS X 1.0.0.X. We recommend that you deploy Endpoint Encryption Agent for Mac OS X 1.0.0.X before deploying Endpoint Encryption for Mac OS X 1.0.0.X.
TIP: We recommend that you create separate client tasks for deploying Endpoint Encryption Agent for Mac OS X 1.0.0.X and Endpoint Encryption for Mac OS X 1.0.0.X, then deploy them in sequence.
To add users to a system or a group of systems:

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Data Protection | Encryption Users. The My Organization page opens.
2 Select the required group or system(s) from the System Tree pane on the left.
NOTE: To add users to a particular system, select the required system from the System tab under the My Organization pane on the right.
3 Click Actions | Endpoint Encryption | Add Users. The Add Endpoint Encryption Users page opens.
4 Add users: click + in the Users field, browse to the users list, select the users, then click OK.
5 Add groups: click + in the From the groups field, browse to the user groups list, select the groups, then click OK.
6 Add an organizational unit: click + in the From the organizational units field, browse to the organizational unit list, select the unit, then click OK.
7 In the Add Endpoint Encryption Users page, click OK.
While modifying the default policy or creating a new policy, select one of the disk encryption options other than None under Encryption (tab) | Encrypt. The default option None does not initiate encryption, so a system left on the unmodified default policy stays unencrypted even though the product is installed and its status shows Active. Click Save.
To edit a client task:
1 Click Menu | Systems | System Tree | Client Tasks, then select the group in the System Tree to which the client task is assigned.
2 Click Edit Settings next to the task. The Client Task Builder wizard opens.
3 Edit the task settings as needed, then click Save.
The managed systems receive these changes the next time the agents communicate with the server.
Uninstalling the EEMac client Remove EEMac from the client system

Decrypt the client by disabling the product settings policy (final steps of the task):
Click Save in the Policy Settings page, then click Save in the Product Settings page.
10 Send an agent wake-up call.
NOTE: On disabling the product settings policy, all the encrypted drives are decrypted and the Endpoint Encryption status becomes Inactive. This may take a few hours depending on the number and size of the encrypted drives. Do not remove the software until the status shows Inactive.

Remove the software with a product deployment client task (final steps of the task):
10 Verify the task details, then click Save. The new deployment task is sent to the client computers at the next agent-server communication.
11 Send an agent wake-up call.
NOTE: Follow the same procedure to remove Endpoint Encryption Agent for Mac OS X 1.0.0.X from the client system. We recommend that you remove Endpoint Encryption for Mac OS X 1.0.0.X before removing Endpoint Encryption Agent for Mac OS X 1.0.0.X.
Uninstalling the EEMac client: Remove the EEMac packages from McAfee ePO
If both EEPC and EEMac are managed by a single McAfee ePO server, remove the EEAdmin extension only when McAfee ePO management is no longer required for either product.

Before you begin
Deactivate the Endpoint Encryption Agent before removing the EEMac extension from the McAfee ePO server.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Software | Extensions, then select Endpoint Encryption. The Extension page appears with the extension name and version details.
3 Click Remove. The Remove extension confirmation page appears.
4 Click OK to remove the extension.
NOTE: Follow the same procedure to remove both extension files, EEMac.ZIP and EEADMIN.ZIP; however, EEMac.ZIP must be removed first.
Uninstalling the EEMac client: Manually uninstall EEMac from the client system
Task
1 After deactivating the Endpoint Encryption Agent, open the Terminal and run the command sudo /Library/McAfee/ee/Agent/uninstall to uninstall the EEAgent; type the administrator password if prompted.
2 Run the command /Library/McAfee/ee/Mac/uninstall. This removes the EEMac software package from the client system.
3 Run the command /Library/McAfee/ee/Agent/uninstall. This removes the EEAgent from the client system.
NOTE: This section applies to both EEPC and EEMac.

Contents
  Policy management
  Policy categories
  Create a policy from Policy Catalog
  Edit the EE policy settings from Policy Catalog
  Assign a policy to a system group
  Enforce EE policies on a system group
Policy management
A policy is a collection of settings that you create, configure, then enforce. Policies ensure that the managed client computer is configured, and behaves, as the policy specifies. Policy settings are the primary interface for configuring the client computer and its components. The ePolicy Orchestrator server allows you to configure policy settings for Endpoint Encryption clients and other managed systems from a central location.
Policy categories
Policy settings for McAfee Endpoint Encryption are grouped under categories. Each policy category refers to a specific subset of policy settings. In the Policy Catalog page, policies appear under Endpoint Encryption and the individual policies appear under a specific category. When you open or edit an existing policy or create a new policy under Endpoint Encryption, the product setting policies are organized across tabs such as General, Encryption, Log On, Recovery, Boot Options, Theme, and Encryption Providers. The user based policy settings are organized across tabs such as Authentication, Password, Password Content Rules, and Self-Recovery.

Table 2: Product setting policies
General
  Enable Policy: Enables the set policies on the client computers.
  Logging level: Allows the administrator to manually set a different logging level for each client computer that has the specific policy setting assigned.
    NOTE: To overwrite the logging level defined in the ePolicy Orchestrator console, the LoggingLevelOverride registry key needs to be set.
    None: Does not create any log.
    Error: Logs the error messages only.
    Error and Warnings: Logs the error and warning messages.
    Error, Warnings, and Informational: Logs the error and warning messages with more descriptions.
    Error, Warnings, Informational and Debug: Logs the error and warning messages with more descriptions in the debug mode.
  - Allows the administrator to run scripts on the client system so that it can temporarily boot automatically without prompting for Pre-Boot Authentication.
    NOTE: If you enable this option, be aware that the McAfee Endpoint Encryption software doesn't protect the data on the drive when it is not in use.

Encryption
  Encrypt: This drop-down list contains the options to select an encryption type.
    None: Does not encrypt any disk.
    All Disks: Encrypts all disks in a system.
    Boot Only: Encrypts only the boot disk.
    All Disks except Boot Disk: Encrypts all disks except the boot disk (not recommended).
  Encryption Provider Priority: Lists the installed encryption providers and allows you to set the priority.
  Enable Automatic Booting: On selecting, the client system boots automatically without prompting for Pre-Boot Authentication. The expiration date for the automatic booting can also be set. If required, the user can select the UTC time standard option.
    NOTE: If you enable this option, be aware that the McAfee Endpoint Encryption software doesn't protect the data on the drive when it is not in use.

Log On
  Log on Message: Type a message that appears to the user on all Endpoint Encryption logon pages.
  Do not display previous user name at log on: Hides the ID of the last logged-on user in all McAfee Endpoint Encryption logon dialog boxes.
  Enable on screen keyboard: Enables the Pre-Boot On-Screen Keyboard (OSK) and the associated Wacom serial pen driver. When this option is enabled, the pen driver finds supported pen hardware and displays the OSK.
    NOTE: This option is not applicable to Mac client systems.
    Always display onscreen keyboard: Forces the Pre-Boot to always display a clickable on-screen keyboard, regardless of whether the pen driver finds suitable hardware. This option is very useful to TabletPC users.
  Add Local Domain User:
    Disabled: Selecting this option does not add any local domain users to the client system.
    Add all previous and current local domain users of the system: On selecting this option, any domain users who have previously logged on, or are currently logged on, to the system are able to authenticate through the Pre-Boot, even if the administrator has not explicitly assigned the user to the client system.
    Only add currently logged on local domain user(s); activation is dependent on a successful user assignment: On selecting this option, only the domain users who are logged on to the current Windows session are added to the system, and hence EEPC is activated, even if the administrator has not explicitly assigned the user to the client system.
      NOTE: If you select this option, at least one user must be added to the client system for a successful EEPC activation on the client. The activation does not happen until a user logs on to Windows.
  Enable Accessibility: This option is helpful to visually impaired users. If selected, the system beeps as a signal when the user moves the cursor from one field to the next.
    NOTE: This option is not applicable to Mac client systems.
  Disable Pre-Boot Authentication when not synchronized: When selected, the user is blocked from logging on to PBA on the client system if the client system has not synchronized with ePolicy Orchestrator for the set number of days. When the user is blocked from logging on to PBA, the user should request the administrator to perform Administrator Recovery to unlock the client system. This allows the client system to boot and communicate with the ePolicy Orchestrator server.
    NOTE: The client system continues to block the user from logging on to the system until synchronization with ePolicy Orchestrator happens.

Log On (Windows only)
  NOTE: These options are not applicable to Mac client systems.
  - Enables Single Sign On (SSO).
    Must match user name: Ensures the SSO details are only captured when the user's Endpoint Encryption and Windows IDs match. This ensures that the SSO data captured is replayed for the user for which it was captured.
    Using smart card PIN: Allows the administrator to capture the smart card PIN for SSO.
    Synchronize Endpoint Encryption password with Windows: If selected, the Endpoint Encryption password synchronizes with the Windows password. For example, if the client system password changes, the Endpoint Encryption password also changes accordingly.
    Allow user to cancel SSO: Allows the user to cancel the SSO to Windows in the Pre-Boot only. When this option is enabled, the user has an additional checkbox at the bottom of the Pre-Boot logon dialog.
  Require Endpoint Encryption logon: McAfee Endpoint Encryption takes control of the normal Windows logon screen and screen saver logon. You are prompted for your EEPC credentials while logging on.
  Require logon when token is removed: The client system prompts for logon when any of the tokens is removed.
  - The client system is locked when it is inactive for the set time.

Recovery
  - The recovery option is enabled by default. If enabled, this activates the Administrator Recovery option on the client system.
  Key Size: This drop-down list contains the options to select the recovery key size. The recovery Response Code size depends on this recovery key size; it does not affect the size of the Client Code.
    Low: A recovery key size that creates a short Response Code for the recovery.
    Medium: A recovery key size that creates a medium-size Response Code for the recovery.
    High: A recovery key size that creates a lengthy Response Code for the recovery.
    Full: A recovery key size that creates a Response Code with the maximum number of characters for the recovery.
  Message: Displays a text message when you select Recovery. This may include information such as your help desk contact details.

Boot Options
  NOTE: These options are not applicable to Mac client systems.
  - Activates the built-in pre-boot partition manager. This allows you to select the primary partition on the hard disk that you wish to boot. Naming of the partition is also possible with the boot manager. The timeout for the booting to start can also be set.
  - Forces the Endpoint Encryption Pre-Boot code to always initialize the USB stack.
  Enable pre-boot PCMCIA support: If selected, the policy enables pre-boot PCMCIA support.
  Graphics Mode: Allows you to select the screen resolution for a system or a system group. The default option is Automatic.

Theme
  - This drop-down list contains the options to select a theme.
  - Displays the preview of the selected theme. The preview is not available for shared policies from another McAfee ePO.

Encryption Providers
  NOTE: These options are not applicable to Mac client systems.
  - Causes EEPC to boot a built-in fixed MBR instead of the original MBR that was on the system, after pre-boot logon. It is used to avoid problems with some systems that had other software running from the MBR which no longer works once EEPC is installed.
  - Some boot records contain the incorrect number of sides. Selecting this option fixes this on the client system. This is available only when you install the EEPC extension.
  - Maintains compatibility with some systems where disk 0 is not the boot disk. Selecting this option forces the boot disk to be taken as the one that contains the Windows directory, rather than disk 0.
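The Encrypt, Enable Automatic Booting and Disable Pre-Boot Authentication when not synchronized settings above decide whether a managed disk is actually protected. The following Python audit is an added example, not McAfee code or the product's export format: it models a product-settings policy as a plain dict with assumed key names (the guide does not show how a policy is exported) and reports the weak combinations the table warns about: Encrypt left at None, automatic booting enabled with no expiry, no synchronization limit, and the previous user name shown at logon.

```python
"""Audit constructed EE product-settings policies for weak values.

Added example, not McAfee code.  The dict keys are assumed names for the
settings in Table 2; the product's real policy export is not shown in the
guide.  The checks encode what the table states: None never starts
encryption, and automatic booting leaves data unprotected while the drive
is not in use.
"""
from datetime import datetime, timezone

# Constructed sample: two policies as an administrator might write them down.
POLICIES = {
    "Laptops - weak": {
        "encrypt": "None",
        "automatic_booting": True,
        "automatic_booting_expiry_utc": None,
        "disable_pba_when_not_synchronized_days": None,
        "do_not_display_previous_user_name": False,
    },
    "Laptops - hardened": {
        "encrypt": "All Disks",
        "automatic_booting": True,
        "automatic_booting_expiry_utc": "2011-06-01T08:00:00",
        "disable_pba_when_not_synchronized_days": 30,
        "do_not_display_previous_user_name": True,
    },
}

# The four Encrypt options listed in the table.
ENCRYPT_OPTIONS = {"None", "All Disks", "Boot Only", "All Disks except Boot Disk"}

# Fixed "now" so that the expiry comparison is reproducible.
FIXED_NOW = datetime(2011, 5, 1, tzinfo=timezone.utc)


def audit_policy(policy, now=None):
    """Return a list of (severity, message) findings for one policy dict."""
    now = now or datetime.now(timezone.utc)
    findings = []

    encrypt = policy.get("encrypt", "None")
    if encrypt not in ENCRYPT_OPTIONS:
        findings.append(("error", f"unknown Encrypt value {encrypt!r}"))
    elif encrypt == "None":
        findings.append(("high", "Encrypt is None: the policy never starts disk encryption"))
    elif encrypt == "All Disks except Boot Disk":
        findings.append(("medium", "Encrypt leaves the boot disk in clear (not recommended)"))

    if policy.get("automatic_booting"):
        expiry = policy.get("automatic_booting_expiry_utc")
        if expiry is None:
            findings.append(("high", "automatic booting enabled with no expiry: "
                                     "data is unprotected while the drive is not in use"))
        else:
            # Expiry is stored in UTC, matching the table's UTC time standard option.
            expires_at = datetime.fromisoformat(expiry).replace(tzinfo=timezone.utc)
            if expires_at <= now:
                findings.append(("info", "automatic booting has expired; Pre-Boot Authentication applies again"))
            else:
                findings.append(("medium", f"automatic booting active until {expires_at.isoformat()}"))

    if policy.get("disable_pba_when_not_synchronized_days") is None:
        findings.append(("low", "no 'Disable Pre-Boot Authentication when not synchronized' limit: "
                                "clients that stop synchronizing never lock"))

    if not policy.get("do_not_display_previous_user_name"):
        findings.append(("low", "previous user name is shown on the logon page"))

    return findings


def audit_all(policies, now=None):
    """Audit every policy in a name -> dict mapping."""
    return {name: audit_policy(p, now) for name, p in policies.items()}


if __name__ == "__main__":
    for name, findings in audit_all(POLICIES, FIXED_NOW).items():
        print(name)
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Run as a script it prints the findings per policy; the severities are the example's own ranking, not a scale the guide defines.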
User based policies

Authentication
  Logon Hours: Defines the days and the times when the user can log on to the client system. The restrictions are applied using the Apply Restrictions option.

Password
  Default password: The default password is 12345. If the administrator changes the default password, the newly set password becomes the new default password for this policy under the User Based Policy category.
    Do not prompt for default password: Setting this option captures the user's credentials automatically without making them use a default password on Pre-Boot Authentication. For example, users can be captured through the Add Local Domain User option and can authenticate through the Pre-Boot without the default password.
  Password change:
    Enable password history__changes (1-100): Keeps track of the specified number of previous passwords set by the user and does not allow the user to set the same passwords again.
    Prevent change: Prevents the user from changing the password.
    Require change after__days (1-366): Specifies the number of days after which the system prompts the user to change the password.
    Warn user__days (0-30): Specifies the number of days before expiry at which the system warns the user about the number of days left until the password expires.
  Incorrect passwords:
    Timeout password entry after__invalid attempts (3-20): Specifies the number of invalid password entries after which the system times out password attempts.
    Maximum disable time__minutes (1-64): Specifies the maximum timeout duration for the timeout password entry.
    Invalid password after__invalid attempts (3-100): Specifies the number of attempts a user can make before the password becomes invalid.
  Password length: Specifies the number of characters in a user password.
    Minimum (3-40): Defines the minimum number of characters for a user password.
    Maximum (3-255): Defines the maximum number of characters for a user password.

Password Content Rules
  - Specifies the number of characters of each kind (alpha, numeric, alphanumeric, and symbols) that are required to form a password.
    Alpha: Specifies the number of letters that must be present in a user password.
    Numeric: Specifies the number of numeric characters that must be present in a user password.
    Alphanumeric: Specifies the number of alphanumeric characters that must be present in a user password.
    Symbols: Specifies the number of symbols that must be present in a user password.
  - Specifies the content restrictions for the user password.
    No anagrams: A word or phrase spelled by rearranging the letters of another word or phrase cannot be a password.
    No palindromes: A word or phrase that reads the same backward as forward cannot be a password.
    No sequences: The new password cannot be in sequence with the previous password.
    Can't be user name: A user name cannot be set as a password.
    Windows content rules: Requires the standard Windows password content rule, under which a Windows password must contain at least three of the following: lower case letters, upper case letters, numbers, symbols and special characters.
    No simple words: The words defined in the simple words set cannot be used as passwords.

Self-Recovery
  Invalidate self recovery after No. of attempts: Specifies the number of attempts after which the self recovery is disabled.
  Questions to be answered: Specifies the number of questions to be answered by the user to perform the self recovery.
  - Lists the default questions for the selected language, and also provides an option to add more questions.
    NOTE: If a language does not have enough questions or has an error in it, the language appears in red.
  Logons before forcing user to set answers: Specifies the number of logons before forcing the user to set answers.
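The Password, Incorrect passwords and Password Content Rules rows above describe the checks the Pre-Boot applies to a new password, but the guide leaves two of them loosely defined. The following Python checker is an added example, not McAfee code: the PasswordPolicy fields are assumed names for those settings, "No anagrams" is checked (by assumption) against the user name and the recent password history, and "No sequences" is read (by assumption) as the previous password with its trailing number stepped by one. The lockout helper follows the Incorrect passwords row, where the last stage is the password invalidation that event 30002 reports.

```python
"""Check a candidate password against the EE user-based password rules.

Added example, not McAfee code.  PasswordPolicy fields are assumed names for
the settings in the Password and Password Content Rules tables; the product's
real field names are not shown in the guide.  'No anagrams' and 'No sequences'
are modelled by assumption as described in the lead-in above.
"""
import re
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    min_length: int = 8            # Password length: Minimum (3-40)
    max_length: int = 40           # Password length: Maximum (3-255)
    min_alpha: int = 1             # Alpha
    min_numeric: int = 1           # Numeric
    min_symbols: int = 0           # Symbols
    history_size: int = 5          # Enable password history__changes (1-100)
    timeout_after: int = 5         # Timeout password entry after__invalid attempts (3-20)
    invalidate_after: int = 10     # Invalid password after__invalid attempts (3-100)
    no_anagrams: bool = True
    no_palindromes: bool = True
    no_sequences: bool = True
    cannot_be_user_name: bool = True
    windows_content_rules: bool = True
    simple_words: frozenset = frozenset()   # words of the selected simple-words group


# Constructed sample data: a simple-words group and one user's recent passwords.
SIMPLE_WORDS = frozenset({"password", "welcome", "letmein"})
POLICY = PasswordPolicy(simple_words=SIMPLE_WORDS)
HISTORY = ["Winter11!", "Spring12!"]   # oldest first


def _stem_and_number(s):
    """Split 'Spring12!' into ('Spring', 12, '!'); None if there is no digit run."""
    m = re.search(r"(\d+)(\D*)$", s)
    return (s[:m.start()], int(m.group(1)), m.group(2)) if m else None


def is_sequence_of(new, previous):
    """Assumed 'No sequences' rule: same stem and suffix, number differs by one."""
    a, b = _stem_and_number(new), _stem_and_number(previous)
    return bool(a and b and a[0] == b[0] and a[2] == b[2] and abs(a[1] - b[1]) == 1)


def windows_rule_ok(pw):
    """Windows content rules: at least three of lower, upper, digit, symbol."""
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return sum(classes) >= 3


def check_password(pw, user_name, history, policy):
    """Return the names of the rules the candidate violates (empty list = accepted)."""
    violations = []
    if not policy.min_length <= len(pw) <= policy.max_length:
        violations.append("length")
    if sum(c.isalpha() for c in pw) < policy.min_alpha:
        violations.append("alpha")
    if sum(c.isdigit() for c in pw) < policy.min_numeric:
        violations.append("numeric")
    if sum(not c.isalnum() for c in pw) < policy.min_symbols:
        violations.append("symbols")
    low = pw.lower()
    if policy.cannot_be_user_name and low == user_name.lower():
        violations.append("user name")
    if policy.no_palindromes and len(low) > 1 and low == low[::-1]:
        violations.append("palindrome")
    if policy.windows_content_rules and not windows_rule_ok(pw):
        violations.append("windows content rules")
    if low in policy.simple_words:
        violations.append("simple word")
    recent = history[-policy.history_size:]
    if pw in recent:
        violations.append("history")
    if policy.no_anagrams:
        candidates = [user_name] + recent
        if any(sorted(low) == sorted(c.lower()) and low != c.lower() for c in candidates):
            violations.append("anagram")
    if policy.no_sequences and recent and is_sequence_of(pw, recent[-1]):
        violations.append("sequence")
    return violations


def lockout_state(consecutive_failures, policy):
    """Incorrect passwords row: 'ok', then 'timeout', then 'invalidated' (event 30002)."""
    if consecutive_failures >= policy.invalidate_after:
        return "invalidated"
    if consecutive_failures >= policy.timeout_after:
        return "timeout"
    return "ok"


if __name__ == "__main__":
    for candidate in ["Spring13!", "jsmith", "password", "Abc12321cbA", "Autumn-Leaf7"]:
        print(candidate, check_password(candidate, "jsmith", HISTORY, POLICY))
```

The checker returns every rule a candidate breaks rather than stopping at the first, which is the behaviour an administrator wants when explaining a rejection to a user.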
  Machine key re-use: Used to activate the system with the existing key present in the McAfee ePO server. This option is highly useful when a boot disk gets corrupted and the user cannot access the system. The disks other than the boot disk of such a system can be recovered by activating it with the same key from McAfee ePO.
    NOTE: This option is not applicable to Mac client systems.
  User Information Fields: Used to add user information fields. You can add user information by specifying a question and the LDAP attribute name related to the user.
  - Specifies the algorithm AES-256-CBC for the software encryption.
  - Allows you to set the size of the pre-boot file system (PBFS). Increasing the size of the PBFS increases the number of users that can be successfully assigned to the client system. The size is specified in MB, from 20 MB to 200 MB.
  - Use this option to manage the list of products that are not compatible with McAfee Endpoint Encryption. You can also import a non-compatible product rule that can detect and add the non-compatible product to the list.

Themes
  Manage Themes: Use this option to add and customize a theme that is used as a background in the Pre-Boot Authentication page.

Simple Words
  Add Group: Use this option to create a group which can have a number of simple words. This is not available for shared policies from another McAfee ePO.
  - Use this option to delete a group.
  - Use this option to browse to a text file with a number of simple words that cannot be used as passwords. You can also select an encoding type for the file.
  Regenerate Missing Simple Word Package: Compiles all the simple word groups and creates the simple words package files (.xml file).

Tokens
  Manage Tokens: Use this option to add and manage extra token definitions. This allows the user to deploy and manage additional token modules at any time after the initial installation, as required.
Click Actions | Endpoint Encryption | View Users. The Encryption Users page appears with a list of users for the selected system.
NOTE: This does not display the user groups that are assigned at the branch level.
Managing McAfee Endpoint Encryption users: How EEPC controls the Windows logon mechanism
False: Specifies that inheritance is not broken, which means that the selected users are assigned to all the systems present in the selected group.
Managing McAfee Endpoint Encryption users: Synchronize the EEPC password with the Windows password
If required, select the options Must match user name, Synchronize Endpoint Encryption password with Windows, Allow user to cancel SSO, and Using smart card PIN.
  a Must match user name: Ensures the SSO details are only captured when the user's Endpoint Encryption and Windows IDs match.
  b Using smart card PIN: Allows the administrator to capture the smart card PIN for SSO.
  c Synchronize Endpoint Encryption password with Windows: Matches the EEPC password to the Windows password, so that the user needs to authenticate only at the Pre-Boot Authentication page with the Windows password.
  d Allow user to cancel SSO: Allows the user to cancel the SSO to Windows in the Pre-Boot only. When this option is enabled, the user has an additional checkbox at the bottom of the Pre-Boot logon dialog box. This setting lasts for a single boot only.
Click Save in the Policy Settings page, then click Save in the Product Settings page.
Managing McAfee Endpoint Encryption users: Modify the token type associated with a system or a system group
Click Save in the Policy Settings page, then click Save in the Product Settings page.
NOTE: Ensure that the Windows password adheres to the EEPC password restriction policy. Otherwise, the password synchronization does not run.
10 Click Save in the Policy Settings page, then click Save in the User Based Policies settings page.
11 Send an agent wake-up call.
Managing McAfee Endpoint Encryption users: Configure the global user information
Select Disable, Ignore, or Delete from the If user disable in directory drop-down list to set what happens when a user has been disabled in the Active Directory.
NOTE: Options in the drop-down list apply only to users disabled in the Active Directory.
Click Save.
Managing McAfee Endpoint Encryption users: Define EE permission sets for McAfee ePO users
3 Select Endpoint Encryption 1.1.2 from the Product drop-down list. The policy categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the User Based Policy category, then click Edit Assignments. The User Based Policies page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 Select the desired policy from the Assigned policy drop-down list, then click Edit Policy. The Policy Settings page appears.
  NOTE: From this location, you can edit the selected policy, or create a new policy.
7 From the Authentication tab, select Apply restrictions in Logon Hours, then schedule the logon timing by blocking or allowing different logon hours.
8 Click Save in the Policy Settings page, then click Save in the User Based Policies settings page.
9 Send an agent wake-up call.
  Type an integer for the specified number of attempts, or use zero for continuous attempts.
  Type the interval in seconds between two attempts.
  Type the number of minutes before stopping the connection.
  Select either one specific Agent Handler or all Agent Handlers.
Click OK. For more details and procedures on how to perform this task, see the ePolicy Orchestrator product documentation for versions 4.5 and 4.6.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree, then select a group under System Tree.
2 Select a system (or systems), then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 From the Product drop-down list, select Endpoint Encryption 1.1.2. The policy categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the Product Settings policy category, then click Edit Assignments. The Product Settings page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 Select the policy from the Assigned policy drop-down list, then click Edit Policy. The Policy Settings page appears.
  NOTE: From this location, you can edit the selected policy, or create a new policy.
7 From the Log On tab, select or deselect Enable Automatic Booting under the Endpoint Encryption pane to disable or enable the Pre-Boot environment. A security warning message, "This will remove the pre-boot authentication. Are you sure?", appears.
8 Click Yes or No to enable or disable the automatic booting.
9 Set the expiration date and time for the automatic booting if required.
10 Click Save in the Policy Settings page, then click Save in the Product Settings page.
11 Send an agent wake-up call.
7 From the Encryption tab, select the encryption provider from the Encryption Provider Priority list. If there is more than one encryption provider, set the priority by moving between the encryption providers using the Move Up and Move Down options.
8 Click Save in the Policy Settings page, then click Save in the Product Settings page.
9 Send an agent wake-up call.
4 Type a theme name in the Name field, then select the Create a new theme based on an existing theme option.
5 Select a theme from the Based on drop-down list.
6 Browse to the Background Image, then click OK. This creates the new theme package in the C:\Program Files\McAfee\ePolicyOrchestrator\DB\Software\Current\EETHEME\DAT\0000 folder.
  NOTE: You can also browse to and install a theme package using the Select Theme package to install option.
Download the custom themes to the client using one of the following:
  The Update Now option under Menu | Systems | System Tree | Actions | Agent in ePolicy Orchestrator
  A Product Update task
  Update Security from the client
NOTE: All themes have a unique ID for identification. When you run the update task, the theme IDs are verified against the existing theme IDs on the client, then the new theme is downloaded to the client. The downloaded theme packages are stored in the following folder on the client system:
  EEPC: C:\Program files\McAfee\Endpoint Encryption Agent\Repository\Themes
  EEMac: /Library/McAfee/ee/Agent/Repository/Themes
Change the theme in the Product Setting policy and send an agent wake-up call to apply the customized theme.
Select the policy from the Assigned policy drop-down list, then click Edit Policy. The Policy Settings page appears.
  NOTE: From this location, you can edit the selected policy, or create a new policy.
7 From the Theme tab, select the desired customized theme from the Select theme drop-down list.
8 Click Save in the Policy Settings page, then click Save in the Product Settings page.
9 Send an agent wake-up call.
  EEMac: /Library/McAfee/ee/Agent/Repository/SimpleWords
8 Enable the No simple words option under User Based Policies | Password Content Rules, select the required word group from the drop-down list, then send an agent wake-up call to apply the policy to the client.
Managing EE reports

McAfee Endpoint Encryption queries are configurable objects that retrieve and display data from the database. These queries can be displayed in charts and tables. Any query results can be exported to a variety of formats, any of which can be downloaded or sent as an attachment to an email message. Most queries can be used as dashboard monitors.
NOTE: This section is relevant to both EEPC and EEMac.

Contents
  Queries as dashboard monitors
  Create EE custom queries
  View the standard EE reports
  Create the EE dashboard
  View the EE dashboard
  Report the encrypted and decrypted systems
Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Reporting | Queries, then click Actions | New Query. The Query Builder wizard opens.
2 On the Result Type page, select Others from the Feature Group pane and Endpoint Encryption as the Result Type for the query, then click Next. The Chart page appears.
  NOTE: This choice determines the options available on subsequent pages of the wizard.
3 Select the type of chart or table to display the primary results of the query, then click Next. The Columns page appears.
  NOTE: If you select Boolean Pie Chart, you must configure the criteria to include in the query.
4 Select the columns to be included in the query, then click Next. The Filter page appears.
  NOTE: If you selected Table on the Chart page, the columns you select here are the columns of that table. Otherwise, these are the columns that make up the query details table.
5 Select properties to narrow the search results, then click Run. The Unsaved Query page displays the results of the query, which is actionable, so you can take any available actions on items in any tables or drill-down tables.
  NOTE: Selected properties appear in the content pane with operators that can specify criteria used to narrow the data that is returned for that property. If the query didn't return the expected results, click Edit Query to go back to the Query Builder and edit the details of this query. If you don't need to save the query, click Close.
6 If this is a query you want to use again, click Save and continue to the next step. The Save Query page appears. Type a name for the query, add any notes, and select one of the following:
  New Group: Type the new group name and select either Private group (My Groups) or Public group (Shared Groups).
  Existing Group: Select the group from the list of Shared Groups.
7 Click Save.
Task
For option definitions, click ? in the interface.
1 Click Menu | Reporting | Queries. The Queries page opens.
2 Select Endpoint Encryption from Shared Groups in the Groups pane. The standard EE query list appears.

Query / Description
  EE: Disk Status: Displays the status of the disk.
  EE: Disk Status (Rollup): Displays the EE: Disk Status compiled from various ePolicy Orchestrator servers.
  - Displays which encryption provider is active on each system.
  EE: Installed version: Displays the version of Endpoint Encryption installed on systems.
  - Displays the EE: Installed version details compiled from various ePolicy Orchestrator servers.
  - Displays the log details and the results of the v5.x.x user import.
  - Displays the details about the assignments of user groups, machines, and users.
  EE: Product client events: Displays Endpoint Encryption client events.
  - Lists all Endpoint Encryption users. From here, the user can use the following options to manage the users in the selected system:
    Clear SSO details: Clears the SSO details of the selected user (only for Windows).
    Force User To Change Password: Prompts the user to change the password in the EE authentication.
    Reset Token: Resets the token for the selected user.
    User Information: Maintains the user information with a list of questions and answers.
  - Displays the imported audit logs from v5.x.x. Be aware that the audit log is displayed only if you selected the audit option during the export process.
  EE: Volume Status: Displays the EE: Volume Status.
  - Displays the EE: Volume Status compiled from various ePolicy Orchestrator servers.

3 Select a query from the Queries list.
4 Click Actions | Run. The query results appear. Drill down into the report and take actions on items as necessary. Available actions depend on the permissions of the user.
  NOTE: The user has an option to edit the query and to view the details of the query.
Click Close when finished.

While implementing and enforcing the Endpoint Encryption policies that control how sensitive data is encrypted, administrators can monitor real-time client events and generate reports using the EE: Product client events query.
Event ID  Event Description
30000  This event is reported in McAfee ePO whenever a Pre-Boot or an Endpoint Encryption logon happens.
30001  This event is reported in McAfee ePO whenever the user changes the EE password.
30002  This event is reported in McAfee ePO whenever the EE password is invalidated after a fixed number of unsuccessful login attempts.
30003  This event is reported in McAfee ePO when the user changes the default password during the first pre-boot logon.
30004  This event is reported in McAfee ePO whenever the system restarts after making EE active.
30005  This event is reported in McAfee ePO for every successful Administrator Recovery.
30006  This event is reported in McAfee ePO for every successful Self Recovery.
30007  This event is reported in McAfee ePO whenever the Self Recovery is invalidated after a fixed number of unsuccessful login attempts.
30008  This event is reported in McAfee ePO when the encryption starts on the client system.
30009  This event is reported in McAfee ePO when the encryption pauses on the client system.
30010  This event is reported in McAfee ePO when the encryption finishes on the client system.
30011  This event is reported in McAfee ePO when the specified volume encryption/decryption starts.
30012  This event is reported in McAfee ePO when the specified volume encryption/decryption is completed.
30013  This event is reported in McAfee ePO when a policy change is initiated.
30014  This event is reported in McAfee ePO when the policy change is completed.
30015  This event is reported in McAfee ePO when the EE activation starts on the client system.
30016  This event is reported in McAfee ePO when the EE activation is completed on the client system.
30017  This event is reported in McAfee ePO whenever an exception occurs on the client system.
30018  This event is reported in McAfee ePO whenever the Emergency Recovery is initiated.
30019  This event is reported in McAfee ePO whenever the Emergency Recovery is completed.
30020  Upgrade Start. This event is reported in McAfee ePO whenever the Upgrade process is initiated.
30021  Upgrade Complete. This event is reported in McAfee ePO whenever the Upgrade process is complete.
Event ID  Event Description
30022  This event is reported in McAfee ePO whenever a user update error occurs.
30026  This event is reported in McAfee ePO whenever the encryption key is not available.
30027  Installation Aborted: 32-bit EFI unsupported. This event is reported in McAfee ePO when the installation is stopped on a Mac with 32-bit EFI.
30028  Installation Aborted: Mac platform unsupported. This event is reported in McAfee ePO when the installation is disrupted on an unsupported Mac platform.
30029  Installation Aborted: Mac OS X version unsupported. This event is reported in McAfee ePO when the installation is stopped on an unsupported Mac OS X version.
2411   Deployment Successful. This event is reported in McAfee ePO for every successful EEPC or EEMac deployment.
2422   Deployment Failure. This event is reported in McAfee ePO for every deployment failure of EEPC or EEMac.
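Worked example of triaging these event IDs once they reach ePO, added here and not part of the product guide or of McAfee's tooling. It assumes the event IDs carry the meanings given in the tables above (descriptions taken in ascending ID order), and it uses a constructed comma-separated record format (timestamp, host, user, event ID) rather than any real ePO export format; the function names are the example's own. It surfaces the events an analyst should look at individually (lockouts, recoveries, exceptions, missing keys, failed deployments) and flags hosts on which an Administrator or Emergency Recovery happened without a preceding lockout on that host, a sequence worth a second look because recovery normally follows a lost password or token.

```python
from collections import Counter

# Event IDs and meanings as listed in the event tables above (assumption: the
# descriptions map to the IDs in ascending order, as in the reconstructed table).
EE_EVENTS = {
    30000: "Pre-Boot or EE logon",
    30001: "EE password changed",
    30002: "EE password invalidated after failed logon attempts",
    30005: "Administrator Recovery successful",
    30006: "Self Recovery successful",
    30007: "Self Recovery invalidated after failed attempts",
    30017: "Exception on client system",
    30018: "Emergency Recovery initiated",
    30019: "Emergency Recovery completed",
    30026: "Encryption key not available",
    2422: "Deployment Failure",
}

# Events an analyst should review individually, regardless of volume.
REVIEW_EVENTS = {30002, 30005, 30006, 30007, 30017, 30018, 30019, 30026, 2422}
LOCKOUT_EVENTS = {30002, 30007}       # password / self-recovery invalidated
RECOVERY_EVENTS = {30005, 30018}      # admin recovery done, emergency recovery started

# Constructed sample records, "timestamp,host,user,event_id".
# This is NOT an ePO export format; it exists only to exercise the code.
SAMPLE_LOG = """\
2011-06-01T08:01:10Z,WS-101,alice,30000
2011-06-01T08:02:35Z,WS-101,alice,30000
2011-06-01T09:15:00Z,WS-102,bob,30002
2011-06-01T09:16:20Z,WS-102,bob,30005
2011-06-01T09:40:00Z,WS-103,carol,30007
2011-06-01T10:05:12Z,WS-104,dave,30001
2011-06-01T10:30:00Z,WS-102,bob,30018
2011-06-01T10:31:00Z,WS-102,bob,30019
2011-06-01T11:00:00Z,WS-105,eve,2422
2011-06-01T11:30:00Z,WS-106,frank,30005
"""


def parse_events(text):
    """Parse the constructed CSV records into dicts, sorted chronologically."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, user, eid = line.split(",")
        events.append({"ts": ts, "host": host, "user": user, "id": int(eid)})
    events.sort(key=lambda e: e["ts"])      # ISO-8601 strings sort correctly
    return events


def triage(events):
    """Return the review-worthy events and a per-host count of lockouts."""
    review = []
    lockouts = Counter()
    for ev in events:
        eid = ev["id"]
        if eid in LOCKOUT_EVENTS:
            lockouts[ev["host"]] += 1
        if eid in REVIEW_EVENTS:
            review.append((ev["ts"], ev["host"], ev["user"], eid,
                           EE_EVENTS.get(eid, "unlisted EE event")))
    return {"review": review, "lockouts": dict(lockouts)}


def recoveries_without_lockout(events):
    """Hosts where an Administrator or Emergency Recovery occurred although no
    password or self-recovery invalidation had been reported for that host."""
    seen_lockout = set()
    flagged = []
    for ev in events:                       # relies on chronological order
        if ev["id"] in LOCKOUT_EVENTS:
            seen_lockout.add(ev["host"])
        elif ev["id"] in RECOVERY_EVENTS and ev["host"] not in seen_lockout:
            flagged.append((ev["host"], ev["user"], ev["id"]))
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for row in triage(evs)["review"]:
        print(row)
    print("recovery without prior lockout:", recoveries_without_lockout(evs))
```

In the sample, WS-102 shows the expected sequence (password invalidated, then Administrator Recovery), while WS-106 shows an Administrator Recovery with no lockout reported at all, which is what the second function flags.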
Task
For option definitions, click ? in the interface.
1 Click Menu | Reporting | Dashboards, then click Options | Select Active Dashboards. The Select Active Dashboards page appears.
2 Select Endpoint Encryption from the Available Dashboards list, then click OK.
Recovering users and systems
7 On the Self-Recovery tab, select or deselect Enable Self-Recovery to enable or disable the self recovery functionality for the specified user or user group.
8 Select Invalidate Self-Recovery after No. of attempts and type the number of attempts.
9 Type the number of Questions to be answered to perform the self recovery. The client user is prompted with these questions when trying to recover the user account on the client system.
10 Type the number of Logons before forcing user to set answers to determine how many times a user can log on without setting their Self Recovery questions and answers.
11 Click + to create a new question, then select the question Language and type the Min Answer Length the user must type when configuring the answer to this question.
NOTE: Answers to these questions are typed by the user on the client system during the recovery process. The user is prompted for recovery enrollment during every logon. The user is allowed to cancel the enrollment until the specified number of logons is exceeded. After the defined number of logons is exceeded, the Cancel button is disabled and the user is forced to enroll for self recovery.
12 Click Save in the User Based Policies page.
13 Send an agent wake-up call.
challenge and response procedure to be followed. The users should start their system and click the Recovery button on the Endpoint Encryption Pre-Boot logon page. This option needs to be enabled on the McAfee ePO server before performing this task on the client systems.
Use ePolicy Orchestrator to enable or disable the administrator (system and user) recovery functionality on the client computer.
Before you begin
You must have appropriate permissions to perform this task.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree, then select a group under System Tree.
2 Select a system (or systems), then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 From the Product drop-down list, select Endpoint Encryption 1.1.2. The policy Categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the Product Settings policy category, then click Edit Assignments. The Product Settings page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 From the Assigned policy drop-down list, select a product setting policy, then click Edit Policy. The Policy Product Settings page appears.
NOTE: From this location, you can edit the selected policy, or create a new policy.
7 On the Recovery tab, select or deselect Enabled to enable or disable the system recovery functionality.
8 Select the required Recovery Key size from the Key size drop-down list, then type the Message to appear on the recovery page.
9 Click Save in the User Based Policies page.
Perform the administrator (system and user) recovery on the client computer
Use this task on the client computer, if the user's password or the logon token has been lost, to recover the user or the system.
Before you begin
Make sure that the client user performs this task on the client system.
Task
For option definitions, click ? in the interface.
1 Restart the client system.
2 Click Options | Recovery.
3 Select the Recovery Type as Administrator Recovery and click OK. The Recovery dialog box appears with the Challenge Code.
NOTE: The client user should read the Challenge Code to the administrator who manages McAfee ePO and get the Response Code from that administrator.
4 Enter the Response Code in the Line field, then click Enter.
NOTE: Each line of the code is checked when it is entered.
5 Click Finish.
NOTE: The generated Response Code depends on the recovery key size set in the policy and on the selected recovery type, that is, machine recovery or user recovery.
Generate the response code for the administrator (system and user) recovery
Use this task to generate the response code for the administrator (system and user) recovery.
Before you begin
Make sure that the McAfee ePO administrator performs this task in McAfee ePO.
Task
For option definitions, click ? in the interface.
1 Click Menu | Data Protection | Encryption Recovery. The Endpoint Encryption Recovery wizard opens with the text field for Challenge Code.
NOTE: Ask the client user to read out the challenge code that appears on the recovery process page to the administrator.
2 Type the Challenge Code and click Next. The Recovery Type page opens.
3 Select the required recovery type from the Recovery Type list, then click Next. The Response Code page opens with the response code(s).
NOTE: The generated Response Code depends on the recovery key size set in the policy and on the selected recovery type, that is, machine recovery or user recovery.
4 Read out the response code to the user.
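The two NOTEs above (in the client-side task and in this one) state three properties of the recovery exchange: the response is bound to the challenge, to the recovery type (machine or user), and to the recovery key size set in the policy, and the client checks each line of the response as it is entered. The following example, added here and not EEPC's own algorithm (the guide does not document the product's code formats or key derivation), models an exchange with those properties between the pre-boot client and the ePO administrator. It goes beyond the text in showing one concrete way a per-line check can work (a check symbol appended to every line); the HMAC construction, the symbol alphabet, the line length, and the function names are all this example's assumptions.

```python
import hashlib
import hmac
import os

# Alphabet for codes read aloud over the phone (assumption: omits 0/O and 1/I).
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # 32 symbols = 5 bits each
LINE_LEN = 5                                     # payload symbols per line


def _to_symbols(data: bytes, count: int) -> str:
    """Encode the low 5*count bits of `data` as `count` alphabet symbols."""
    bits = int.from_bytes(data, "big")
    out = []
    for _ in range(count):
        out.append(ALPHABET[bits & 31])
        bits >>= 5
    return "".join(out)


def _check_symbol(payload: str) -> str:
    """One check symbol per line so a mistyped line is rejected on entry."""
    return ALPHABET[sum(ALPHABET.index(c) for c in payload) % 32]


def split_lines(symbols: str) -> list:
    """Group payload symbols into lines and append a check symbol to each."""
    return [symbols[i:i + LINE_LEN] + _check_symbol(symbols[i:i + LINE_LEN])
            for i in range(0, len(symbols), LINE_LEN)]


def check_line(line: str) -> bool:
    """Client-side validation of a single line as the user types it."""
    if len(line) < 2 or any(c not in ALPHABET for c in line):
        return False
    return _check_symbol(line[:-1]) == line[-1]


# --- Pre-Boot client side ---
def make_challenge() -> str:
    """Fresh random challenge shown in the Recovery dialog (13 symbols, 64 bits)."""
    return _to_symbols(os.urandom(8), 13)


# --- ePO administrator side ---
def response_lines(recovery_key: bytes, challenge: str,
                   recovery_type: str, key_bits: int) -> list:
    """Derive the response from the system's recovery key, the challenge, the
    recovery type and the policy's recovery key size (hypothetical scheme)."""
    if recovery_type not in ("machine", "user"):
        raise ValueError("recovery type must be 'machine' or 'user'")
    if key_bits <= 0:
        raise ValueError("recovery key size must be positive")
    msg = f"{recovery_type}:{challenge}".encode()
    mac = hmac.new(recovery_key, msg, hashlib.sha256).digest()
    nsym = -(-key_bits // 5)                     # ceil(key_bits / 5) symbols
    return split_lines(_to_symbols(mac, nsym))


# --- Pre-Boot client side ---
def verify_response(recovery_key: bytes, challenge: str, recovery_type: str,
                    key_bits: int, lines: list) -> bool:
    """The client recomputes the expected response with the key it holds and
    compares in constant time; every line must first pass its check symbol."""
    if not all(check_line(line) for line in lines):
        return False
    expected = response_lines(recovery_key, challenge, recovery_type, key_bits)
    return hmac.compare_digest("".join(lines), "".join(expected))


if __name__ == "__main__":
    key = os.urandom(32)                         # constructed recovery key
    chal = make_challenge()                      # client shows this to the user
    lines = response_lines(key, chal, "machine", 128)   # administrator reads these out
    print("challenge:", chal)
    print("response lines:", lines)
    print("accepted:", verify_response(key, chal, "machine", 128, lines))
```

Because the recovery type is part of the MAC input, a response generated for user recovery is rejected by a client expecting machine recovery, and a larger configured key size simply yields more response lines; both match what the NOTEs describe.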
Deactivate EEPC on the client systems
Remove the EEPC product from the client systems
Reinstall EEPC in the FIPS mode
Deploy EEPC through a McAfee ePO deployment task
To install EEPC client packages in FIPS mode using a McAfee ePO deployment task, make sure to add the keyword FIPS as the command line of the EEPC deployment task in McAfee ePO.
Deploy EEPC through a third-party deployment software
To install EEPC client packages in FIPS mode using third-party deployment software, make sure to pass the parameter FIPS_MODE=0 or FIPS_MODE=1 when you install the EEPC client package, as in the following command (where <EEPC client package>.msi stands for the path to the EEPC client MSI):
msiexec.exe /q /i <EEPC client package>.msi FIPS_MODE=0
or
msiexec.exe /q /i <EEPC client package>.msi FIPS_MODE=1
Index
A
administrator recovery
  disabling 77
  enabling 77
  performing 78
agent wake-up call
  sending 18
audience for this guide 9
auto booting
  disabling 64
  enabling 64
automation 18, 34
  configuring 18
C
challenge code 78
client
  managing 9
client computers
  EEMac 62
  EEPC 62
  managing 62
client task
  for EE Agent 23
  for EEPC 23
client tasks
  editing 22
conventions used in this guide 9
customized theme
  applying 66
D
disk
  decrypting 64
  encrypting 64
disk status
  decrypted 75
  encrypted 75
documentation
  typographical conventions 9
documentation for products, finding 10
E
EE Agent
  deactivating 26
EE Agent for Mac
  deactivating 40
EE components
  client system 7
  EE Admin 7
  EEMac 7
  EEPC 7
  LDAP Server 7
  McAfee ePO 7
EE custom queries
  creating 70
  viewing 71
EE dashboard
  creating 74
EE dashboards
  viewing 74
EE permission
  creating 61
  defining 61
EE policies
  assigning the policy 21
  breaking inheritance 21
  enforcing 21
  managing 44
EE system status
  active 25
  inactive 25
EE users
  removing 55
  viewing 54
EEMac
  removing from the client
    EE Agent 41
    EEMac 41
  uninstalling 42
EEMac client
  installing 30
  uninstalling
    deactivate EE Agent 40
    disable policies 40
EEMac deployment
  selecting target platform 35
  setting up the client task 35
  updating packages 35
  upgrading agents 35
EEMac installation
  adding users 30
  checking in packages 30
  deploying packages 30
  installing extension 30
EEPC
  removing from the client
    EE Agent 27
    EEPC 27
  uninstalling 29
EEPC client
  installing 13
  migrating 13
  uninstalling
    deactivate EE Agent 26
    disable policies 26
EEPC deployment
  selecting target platform 17
  setting up the client task 17
  updating packages 17
  upgrading agents 17
EEPC installation
  adding users 13
  checking in packages 13
  deploying packages 13
  installing extension 13
enabling and disabling policy enforcement 53
encryption providers
  setting priority 65
Endpoint Encryption 6, 7, 34
  decrypting 7
  disk encryption 6
  EEMac 6
  EEPC 6
  encrypting 7
  Pre-Boot 7
  Pre-Boot Authentication 6
Endpoint Encryption for Mac 6
Endpoint Encryption for PC 6
extension 15, 28, 33, 41
  installing
    EEAdmin 15
    EEADMIN 33
    EEMac 33
    EEPC 15
  removing
    EEADMIN 28, 41
    EEMac 41
    EEPC 28
F
FIPS
  impact 81
  uninstalling 81
FIPS mode
  installing 80
  pre-requisites 80
G
group synchronization 34
group users
  breaking inheritance 55
H
help extension
  installing 15
K
KnowledgeBase, Technical Support ServicePortal 10
L
LDAP
  Active Directory 16
  domain name 16
  server type 16
  user name 16
LDAP Server 34
LDAP servers
  adding 16
  registering 16
  testing connection 16
Log On
  enabling Must match user name 56
  enabling SSO 56
  enabling Synchronize EE password with Windows 56
logon
  enabling SSO 57
  synchronizing the EE password 57
logon hours
  managing
    allowing 60
    blocking 60
M
McAfee Agent for Mac
  deploying 32
McAfee ServicePortal, accessing 10
migration 13
missing simple word package
  regenerate 68
N
no simple words
  enabling 68
non-compatible products
  maintaining a list 66
P
password content rules
  configuring 59
policies
  assigning 26, 40
  assigning the policy 53
  assigning to a system 21, 53
  assigning to a system group 53
  breaking inheritance 26, 40, 53
  configuring 44
  creating 44, 52
  creating a policy 21
  editing 44, 52
  editing a policy 21
  enforcing 44, 53
  product settings
    boot options 44
    encryption 44
    encryption providers 44
    logon 44
    recovery 44
    theme 44
  server settings
    general 44
    Mac OS X software 44
    non-compatible products 44
    PC software 44
    simple words 44
    themes 44
    tokens 44
  user-based policies
    authentication 44
    password 44
    password content rules 44
    self recovery 44
Policies
  assigning to users 20
  assignment rule 20
Pre-Boot
  removing 64
Q
queries
  about 70
  dashboard monitor 70
R
recovery
  changing password 77
  EEMac 76
  EEPC 76
reporting
  decrypted 75
  encrypted 75
requirements, system
  operating system 10
  software 10
response code
  obtaining 78
Response Code
  generating 79
S
self recovery
  disabling 76
  enabling 76
  performing 77
server task
  automation 17
  EE LDAP synchronization
    group synchronization 17
    synchronization 17
ServicePortal, finding product documentation 10
simple words
  adding 68
  managing 68
simple words group
  creating 68
Single Sign On
  enabling 56
software packages
  checking in packages
    checking in MfeEEAgent 16, 33
    checking in MfeEeMac 33
    checking in MfeEEPC 16
  removing
    MfeEEAgent 28, 42
    MfeEeMac 42
    MfeEEPC 28
synchronization 34
system groups
  adding 62
  importing 62
  moving manually 63
T
Technical Support ServicePortal at McAfee 10
theme
  assigning customized theme 67
  creating a new theme 66
  installing theme package 66
  selecting background image 66
token type
  modifying 58
U
UBP enforcement
  configuring 20
  disabling 20
  enabling 20
upgrade 23, 25
  deploying EEPC packages 23
  installing extension 23
  supported versions 23
  user experience
    after restarting 25
    before deploying 25
    during the deployment 25
user disabled in AD
  managing 59
user password
  resetting 77
users
  adding EEMac users
    from group 36
    from organizational unit 36
  adding EEPC users
    from group 19
    from organizational unit 19
  assigning 54
  managing 54
V
versions
  EEPC 6.0 25
  EEPC 6.0 Patch 1 25
  EEPC 6.0 Patch 2 25
  EEPC 6.1 Patch 1 25
  EEPC 6.1 Patch 2 25
W
windows logon
  controlling 56
  MSGINA 56
  Single Sign On 56