
McAfee Endpoint Encryption - 6.1 Patch 2 (EEPC) and 1.0.0 (EEMac)
Product Guide

COPYRIGHT
Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

Introducing McAfee Endpoint Encryption ... 6
  Comprehensive McAfee Endpoint Encryption ... 6
  What is McAfee Endpoint Encryption ... 6
  How McAfee Endpoint Encryption works ... 7
  McAfee Endpoint Encryption product components ... 7
  McAfee Endpoint Encryption features ... 9
  Audience ... 9
  Finding product documentation ... 10
  Requirements ... 10

Installing the EEPC client ... 13
  Summary of the client installation process ... 13
  Install the EEPC extensions using ePolicy Orchestrator ... 15
  Install the Help extension ... 15
  Check in the EEPC software packages ... 16
  Register Windows Active Directory ... 16
  Configure automation task for LDAP synchronization ... 17
  Deploy EEPC to the client system ... 17
    Send an agent wake-up call ... 18
  Add users to a system ... 19
  Assign policy to users ... 20
    Configure UBP enforcement for EEPC 6.1 Patch 2 ... 20
  Assign a policy to a system ... 21
  Enforce EE policies on a system ... 21
  Edit the client tasks ... 22

Upgrading from EEPC 6.0.x and 6.1 Patch 1 to EEPC 6.1 Patch 2 ... 23
  Supported versions ... 23
  Overview of the upgrade process ... 23
    Configure UBP enforcement ... 24
  User experience summary ... 25

Uninstalling the EEPC client ... 26
  Deactivate the EEPC client ... 26
  Remove EEPC from the client system ... 27
  Remove the EEPC extensions from ePolicy Orchestrator ... 28
  Remove the EEPC software packages from ePolicy Orchestrator ... 28
  Manually uninstall EEPC from the client system ... 29

Installing the EEMac client ... 30
  Summary of the client installation process ... 30
  Deploy McAfee Agent to Mac OS X client ... 32
  Install the EEMac extensions using McAfee ePO ... 33
  Check in the EEMac software packages (EEAgent and EEMac) to ePolicy Orchestrator ... 33
  Register Windows Active Directory ... 34
  Configure automation tasks for LDAP synchronization ... 34
  Deploy EEMac to the client system ... 35
    Send an agent wake-up call ... 36
  Add users to a system ... 36
  Assign a policy to a system ... 37
  Enforce EE policies on a system ... 38
  Edit the client tasks ... 38

Uninstalling the EEMac client ... 40
  Deactivate the Endpoint Encryption Agent ... 40
  Remove EEMac from the client system ... 41
  Remove the EEMac extensions from McAfee ePO ... 41
  Remove the EEMac packages from McAfee ePO ... 42
  Manually uninstall EEMac from the client system ... 42

Managing McAfee Endpoint Encryption policies ... 44
  Policy management ... 44
  Policy categories ... 44
  Create a policy from Policy Catalog ... 52
  Edit the EE policy settings from Policy Catalog ... 52
  Assign a policy to a system group ... 53
  Enforce EE policies on a system group ... 53

Managing McAfee Endpoint Encryption users ... 54
  View the list of users assigned to a system ... 54
  Remove users from a system ... 55
  Edit user inheritance ... 55
  How EEPC controls the Windows logon mechanism ... 56
  Enable Single-Sign-On (SSO) on a system ... 56
  Synchronize the EEPC password with the Windows password ... 57
  Modify the token type associated with a system or a system group ... 58
  Configure password content rules ... 59
  Manage a disabled user in Windows Active Directory ... 59
  Configure the global user information ... 60
  Manage the logon hours ... 60
  Define EE permission sets for McAfee ePO users ... 61

Managing client computers ... 62
  Add a system to an existing system group ... 62
  Move systems between groups ... 63
  Select the disks for encryption ... 64
  Enable or disable the automatic booting ... 64
  Set the priority of encryption providers ... 65
  Maintain a list of non-compatible products ... 66
  Manage the default and customized themes ... 66
    Assign a customized theme to a system ... 67
  Manage simple words ... 68

Managing EE reports ... 70
  Queries as dashboard monitors ... 70
  Create EE custom queries ... 70
  View the standard EE reports ... 71
  Create the EE dashboard ... 74
  View the EE dashboard ... 74
  Report the encrypted and decrypted systems ... 75

Recovering users and systems ... 76
  Enable or disable the self recovery functionality ... 76
  Perform the self recovery on the client computer ... 77
  Enable or disable the administrator recovery functionality ... 77
  Perform the administrator (system and user) recovery on the client computer ... 78
  Generate the response code for the administrator (system and user) recovery ... 79

FIPS 140-2 certification ... 80
  Pre-requisites to use EEPC in FIPS mode ... 80
  Install EEPC client packages in FIPS mode ... 80
  Impact of FIPS mode ... 81
  Uninstall EEPC client packages in FIPS mode ... 81


Introducing McAfee Endpoint Encryption

With data breaches on the rise, it is important to protect information assets and comply with privacy regulations. McAfee Endpoint Encryption delivers powerful encryption that protects data from unauthorized access, loss, and exposure.

Contents
- Comprehensive McAfee Endpoint Encryption
- What is McAfee Endpoint Encryption
- How McAfee Endpoint Encryption works
- McAfee Endpoint Encryption product components
- McAfee Endpoint Encryption features
- Audience
- Conventions
- Finding product documentation
- Requirements

Comprehensive McAfee Endpoint Encryption

The McAfee Endpoint Encryption (EE) suite provides multiple layers of defense against data loss with several integrated modules that address specific areas of risk. The suite provides protection for individual PCs, roaming laptops, and MacBooks with 64-bit EFI. This guide discusses these McAfee Endpoint Encryption solutions:
- McAfee Endpoint Encryption for PC
- McAfee Endpoint Encryption for Mac

NOTE: This guide uses the term Endpoint Encryption (EE) to describe both EEPC and EEMac. Content that refers to Endpoint Encryption (EE) applies to both EEPC and EEMac. Procedures and other details that differ between the EEPC and EEMac setups are described in separate sections labeled with the individual product name, for example EEPC or EEMac.

What is McAfee Endpoint Encryption

To ensure data protection in today's dynamic IT environment, we need to protect what matters most: the data. McAfee Endpoint Encryption (EE) is a strong cryptographic facility for denying unauthorized access to data stored on any system or disk when it is not in use. It prevents the loss of sensitive data, especially from lost or stolen equipment. It protects the data with strong access control using Pre-Boot Authentication and a powerful encryption engine.

To log on to a system, the user must first authenticate through the Pre-Boot environment. After a successful authentication, the client system's operating system (Microsoft Windows or Mac OS X) loads and gives access to normal system operation. McAfee Endpoint Encryption is completely transparent to the user and has little impact on the performance of the computer. McAfee Endpoint Encryption is the encryption software installed on client systems. It is deployed and managed through McAfee ePolicy Orchestrator using policies. A policy is a set of rules that determines how the McAfee Endpoint Encryption software functions on the user's computer.

How McAfee Endpoint Encryption works

McAfee Endpoint Encryption protects the data on a system by taking control of the hard disk from the operating system. The Endpoint Encryption driver encrypts all data written to the disk and decrypts all data read from the disk. The client software is installed on the client system. After the installation, the system synchronizes with the ePolicy Orchestrator server and acquires the user data, token data, and Pre-Boot graphics. When this is complete, the user authenticates and logs on through the Pre-Boot environment, the operating system loads, and the user works with the system as normal.

McAfee Endpoint Encryption product components

Use the McAfee Endpoint Encryption software to protect your systems from potential data loss. We recommend that you define the policies and needs of your system and configure the product accordingly. Each McAfee Endpoint Encryption component or feature plays a part in protecting your systems.

McAfee ePolicy Orchestrator Administration

The ePolicy Orchestrator server provides a scalable platform for centralized policy management and enforcement of your security products and the systems on which they reside. The ePolicy Orchestrator Administration console allows the administrator to manage the McAfee Endpoint Encryption policies on the client computer. It also allows you to deploy and manage the McAfee Endpoint Encryption products. It provides comprehensive reporting and product deployment capabilities, all through a single point of control.

NOTE: This guide does not provide detailed information about installing or using the ePolicy Orchestrator software. See the ePolicy Orchestrator product documentation for versions 4.5 and 4.6.

Policies

McAfee Endpoint Encryption is managed through ePolicy Orchestrator using a combination of user-based and product-based policies. The ePolicy Orchestrator console allows the administrator to enforce policies across groups of computers or on a single computer. Any new policy enforcement through ePolicy Orchestrator overrides the existing policy already set on the individual systems. For information regarding policies and how they are enforced, see the ePolicy Orchestrator product documentation for versions 4.5 and 4.6.

EEPC/EEMac

The EEPC/EEMac extension installed in ePolicy Orchestrator defines the encryption algorithm, product settings, and server settings for the client system. The EEPC/EEMac software package checked in to ePolicy Orchestrator is the actual Endpoint Encryption software that is installed on the client system.

EE Admin

The EE Administration system (EE Admin) defines the generic endpoint encryption settings for product-based policies, user-based policies, and server settings for the users. It is common to both EEPC and EEMac.

LDAP Server

McAfee Endpoint Encryption acquires users through Windows Active Directory (AD). You must have a registered LDAP server (AD) to use Policy Assignment Rules, to enable dynamically assigned permission sets, and to enable manual and automatic user account creation.

Client system components

For ePolicy Orchestrator to communicate with a client system, the client must be configured with these components:

For EEPC
- McAfee Agent for Windows
- Windows operating system

For EEMac
- McAfee Agent for Mac
- Mac OS X platform

The ePolicy Orchestrator server deploys the EE Agent and the EE product to the client system. On a Mac client system, the user must install the McAfee Agent using the install.sh file, which is obtained from the Windows-based system where the ePolicy Orchestrator server is installed. On Windows-based systems, ePolicy Orchestrator itself deploys the McAfee Agent to the client system. For more details and procedures, see the ePolicy Orchestrator product documentation for versions 4.5 and 4.6. The McAfee Endpoint Encryption product components are depicted in Figure 1.

Figure 1: Product components

McAfee Endpoint Encryption features

McAfee Endpoint Encryption leverages the McAfee ePolicy Orchestrator infrastructure for automated security reporting, monitoring, deployment, and policy administration. It:
- Integrates EEPC/EEMac fully into the ePolicy Orchestrator management software, so that management can be performed from the ePolicy Orchestrator console.
- Enables transparent encryption without hindering users or system performance.
- Enforces strong access control with Pre-Boot Authentication.

Audience

McAfee Endpoint Encryption documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:
- Administrators: People who implement and enforce the company's security program.
- Users: People who are responsible for configuring the product options on their systems, or for updating their systems.

Conventions
This guide uses the following typographical conventions.

Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.
Bold: Text that is strongly emphasized.
User input or Path: Commands and other text that the user types; the path of a folder or program.
Code: A code sample.
User interface: Words in the user interface including options, menus, buttons, and dialog boxes.
Hypertext blue: A live link to a topic or to a website.
Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
Warning: Critical advice to prevent bodily harm when using a hardware product.

Finding product documentation

McAfee provides the information you need during each phase of product implementation, from installing to using and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2 Under Self Service, access the type of information you need:

To access User documentation, do this:
  1 Click Product Documentation.
  2 Select a Product, then select a Version.
  3 Select a product document.

To access the KnowledgeBase, do this:
  - Click Search the KnowledgeBase for answers to your product questions.
  - Click Browse the KnowledgeBase for articles listed by product and version.

Requirements

System requirements

McAfee ePO server systems
  See the ePolicy Orchestrator product documentation for versions 4.5 and 4.6.

Client systems for EEPC
  CPU: Pentium III 1 GHz or higher
  RAM: 512 MB minimum (1 GB recommended)
  Hard Disk: 200 MB minimum free disk space

Client systems for EEMac
  CPU: EEMac works on all Intel-based Mac CPUs with 64-bit EFI
  RAM: 1 GB minimum
  Hard Disk: 200 MB minimum free disk space

Software requirements

McAfee management software
  EEPC 6.1 Patch 2: See the McAfee Endpoint Encryption for PC 6.1 Release Notes
  EEMac 1.0: See the McAfee Endpoint Encryption for Mac 1.0 Release Notes

McAfee Endpoint Encryption for PC software (for Windows)
  Extensions: EEADMIN.ZIP, EEPC.ZIP, help_ee_112.ZIP
  EEPC software package: MfeEEPC.ZIP
  EE Agent: MfeEEAgent.ZIP

McAfee Endpoint Encryption for Mac software (for Mac OS X)
  Extensions: EEADMIN.ZIP, EEMAC.ZIP, help_ee_100.ZIP
  EEMac software package: MfeEeMac-1.0.0.x.ZIP
  EEMac Agent: MfeEEAgent-1.0.0.x.ZIP

Microsoft Windows Installer 3.0 Redistributable package (for McAfee ePO)
  See the ePolicy Orchestrator product documentation for versions 4.5 and 4.6

Microsoft .NET Framework 2.0 Redistributable package (for McAfee ePO)
  See the ePolicy Orchestrator product documentation for versions 4.5 and 4.6

Microsoft MSXML 6 (for ePO)
  See the ePolicy Orchestrator product documentation for versions 4.5 and 4.6

Operating system requirements

McAfee ePO server systems
  See the ePolicy Orchestrator product documentation for versions 4.5 and 4.6

Client systems for EEPC
  Windows Server 2003 SP1 or later (32-bit only)
  Windows Server 2008 (32- and 64-bit)
  Windows XP Professional SP3 (32-bit only)
  Windows Vista SP1 or later (32- and 64-bit)
  Windows 7 and SP1 (32- and 64-bit), (Not XP Mode)

Client systems for EEMac
  Leopard: 10.5.8
  Snow Leopard: 10.6.0 and later (32- and 64-bit)
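A pre-deployment check that compares a Windows client against the EEPC client requirements in the tables above, written here as an added example rather than code from McAfee or this guide; it assumes WMI is reachable from a PowerShell session on the candidate client, and it leaves XP Mode, which the guide excludes, to a manual check.

```powershell
# Added example (not McAfee tooling): check a Windows client against the EEPC 6.1 Patch 2
# client requirements given in this guide. Run in an elevated PowerShell session on the client.
# XP Mode (excluded by the guide) is not detected here and must be ruled out manually.

$os       = Get-WmiObject -Class Win32_OperatingSystem
$cpu      = Get-WmiObject -Class Win32_Processor | Select-Object -First 1
$sysDrive = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"

$findings = @()

# --- Operating system table: supported Windows releases for EEPC clients ---
$ver      = [version]$os.Version
$sp       = [int]$os.ServicePackMajorVersion
$is64     = ($os.OSArchitecture -like '64*')   # property is absent on XP, which is then treated as 32-bit
$isServer = ($os.ProductType -ne 1)            # 1 = workstation, 2 = domain controller, 3 = server

$osOk = $false
if ($isServer) {
    if ($ver.Major -eq 5 -and $ver.Minor -eq 2) {          # Windows Server 2003: SP1 or later, 32-bit only
        $osOk = ($sp -ge 1) -and (-not $is64)
    } elseif ($ver.Major -eq 6 -and $ver.Minor -eq 0) {    # Windows Server 2008: 32- and 64-bit
        $osOk = $true
    }
} else {
    if ($ver.Major -eq 5 -and $ver.Minor -eq 1) {          # Windows XP: Professional SP3, 32-bit only
        $osOk = ($os.Caption -match 'Professional') -and ($sp -ge 3) -and (-not $is64)
    } elseif ($ver.Major -eq 6 -and $ver.Minor -eq 0) {    # Windows Vista: SP1 or later, 32- and 64-bit
        $osOk = ($sp -ge 1)
    } elseif ($ver.Major -eq 6 -and $ver.Minor -eq 1) {    # Windows 7 RTM or SP1, 32- and 64-bit
        $osOk = $true
    }
}
if (-not $osOk) {
    $findings += "Unsupported OS for an EEPC client: $($os.Caption) SP$sp ($($os.OSArchitecture))"
}

# --- System requirements table: CPU, RAM and free disk space for EEPC clients ---
if ($cpu.MaxClockSpeed -lt 1000) {                         # Pentium III 1 GHz or higher
    $findings += "CPU below 1 GHz: $($cpu.Name) at $($cpu.MaxClockSpeed) MHz"
}
$ramMB = [math]::Round($os.TotalVisibleMemorySize / 1KB)   # TotalVisibleMemorySize is reported in KB
if ($ramMB -lt 512) {                                      # 512 MB minimum
    $findings += "RAM below the 512 MB minimum: $ramMB MB"
} elseif ($ramMB -lt 1024) {                               # 1 GB recommended
    Write-Warning "RAM is $ramMB MB; the guide recommends 1 GB"
}
$freeMB = [math]::Round($sysDrive.FreeSpace / 1MB)
if ($freeMB -lt 200) {                                     # 200 MB minimum free disk space
    $findings += "Free space on $env:SystemDrive below 200 MB: $freeMB MB"
}

if ($findings.Count -eq 0) {
    Write-Output "EEPC 6.1 Patch 2 client requirements: PASS ($($os.Caption), $ramMB MB RAM, $freeMB MB free)"
} else {
    Write-Output "EEPC 6.1 Patch 2 client requirements: FAIL"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```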

Hardware support for Mac

Systems: MacBooks with 64-bit EFI
Types: MacBook, MacBook Pro, and MacBook Air


Installing the EEPC client

The Endpoint Encryption for PC extensions and software packages are checked in to the ePolicy Orchestrator server for the management functionality. This is necessary before deploying the software and configuring the policies.

CAUTION: Before you begin, make sure that you remove any competitor's encryption products from your system. Also, do not install any other encryption products after installing EEPC.

This release supports migrating EEPC 5.x.x installed systems and upgrading EEPC 6.0.x, 6.1, and 6.1 Patch 1 installed systems to EEPC 6.1 Patch 2. For more details and procedures on migrating your EEPC 5.x.x installed systems to EEPC 6.1 Patch 2, see the McAfee Endpoint Encryption for PC 6.1 Patch 2 Migration Guide. In this guide:
- EEPC 5.x.x refers to EEPC 5.1.7 and later versions
- EEPC 6.0.x refers to EEPC 6.0, 6.0 Patch 1, and 6.0 Patch 2

NOTE: EEPC 6.1 Patch 2 allows systems to remain encrypted during a major Windows upgrade or system re-image process. This process is known as Operating System (OS) Refresh, where you can refresh the OS without decrypting the disk. For more information about performing an OS Refresh, refer to the KnowledgeBase article available at https://kc.mcafee.com/corporate/index?page=content&id=KB73035.

Contents
- Summary of the client installation process
- Install the EEPC extensions using ePolicy Orchestrator
- Install the Help extension
- Check in the EEPC software packages
- Register Windows Active Directory
- Configure automation task for LDAP synchronization
- Deploy EEPC to the client system
- Add users to a system
- Assign policy to users
- Assign a policy to a system
- Enforce EE policies on a system
- Edit the client tasks

Summary of the client installation process


The EEPC client software is deployed from the ePolicy Orchestrator server and installed through McAfee Agent. The installation of EEPC creates the Pre-Boot File System (PBFS) on the client system at activation time.

Restart the client system to complete the installation of the EEPC software. After restarting, the client communicates with the ePolicy Orchestrator server, pulls down the assigned Endpoint Encryption policies, and encrypts the system as per the defined policies. The assigned user can be initialized through the Pre-Boot screen after the subsequent restart. The summary of the client installation process is depicted in Figure 2.

Figure 2: Process overview of installation

The overall EEPC installation and deployment process can be simplified into the following steps.

NOTE: This assumes that the user has already successfully installed ePolicy Orchestrator and has the McAfee Agent installed on various systems which successfully communicate with the ePolicy Orchestrator server.

1 Install the EEAdmin and EEPC extensions into ePolicy Orchestrator.
2 Check in the EEPC software packages (MfeEEPC.ZIP and MfeEEAgent.ZIP) to ePolicy Orchestrator.
3 Configure the registered server (Windows Active Directory).
4 Configure and run the automation task for LDAP Synchronization.
5 Deploy the Endpoint Encryption Agent to the client.
6 Deploy the EEPC software package to the client.
7 Restart the client system. You should now be able to see the Quick Settings | Endpoint Encryption Status option in the McAfee Agent System Tray on the client system.
8 Add users to a system or a group of systems.
9 Create a product settings policy or edit the default policy, then assign it to a system or a group of systems.
10 Create a user-based policy or edit the default policy, then assign it to a user or a group of users on a system. Configure UBP enforcement if required.

NOTE: The Endpoint Encryption System Status changes from Inactive to Active only after adding the user and enforcing the policies correctly.

11 Verify the Endpoint Encryption System Status by right-clicking the McAfee Agent System Tray icon on the client system, then clicking Quick Settings | Endpoint Encryption Status.

Install the EEPC extensions using ePolicy Orchestrator


Install the EEPC extensions on the ePolicy Orchestrator server using the Software tab. There are two extension files in .ZIP format for EEPC.

Before you begin
You must have appropriate permissions to perform this task. You must install the extensions in order: EEADMIN.ZIP first, then EEPC.ZIP.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Software | Extensions | Install Extension to open the Install Extension dialog box.
3 Click Browse and select the extension file EEADMIN.ZIP, then click OK. The Install Extension page appears with the extension name and version details.
NOTE: The extension file EEADMIN.ZIP is a prerequisite for the extension file EEPC.ZIP.
4 Click OK.
5 Repeat steps 2 and 3 to install the EEPC.ZIP extension.

Install the Help extension


You can install the Help extension separately on the ePolicy Orchestrator server using the Software tab. The Help extension is a .ZIP file.

Before you begin
You must have appropriate permissions to perform this task.

Task
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Software | Extensions | Install Extension. The Install Extension dialog box appears.
3 Click Browse and select the extension file help_ee_112.ZIP, then click OK. The Install Extension page appears with the extension name and version details.
4 Click OK.

Check in the EEPC software packages


Use ePolicy Orchestrator to check in the EEPC software packages to the master repository.

Before you begin
You must have appropriate permissions to perform this task. Before checking in the software packages, make sure there are no pull or replication tasks running.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Software | Master Repository, then click Actions | Check In Package. The Check In Package wizard opens.
3 From the Package type list, select Product or Update (.ZIP), then browse and select the MfeEEPC.ZIP package file.
4 Click Next to open the Package Options page.
5 Click Save to begin checking in the package. When the package is checked in, it appears in the Packages in Master Repository list on the Master Repository page.
6 Repeat steps 2 through 5 to install the MfeEEAgent.ZIP package.

Register Windows Active Directory


Use this option to register a Windows Active Directory. You must have a registered LDAP server to use Policy Assignment Rules, to enable dynamically assigned permission sets, and to enable automatic and manual user account assignment.

Before you begin
Make sure you have the appropriate rights to modify the server settings, permission sets, users, and registered servers.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Configuration | Registered Servers, then click New Server. The Registered Server Builder wizard opens.
3 From the Server type drop-down list on the Description page, select LDAP Server, specify a unique name (a user-friendly name) and any details, then click Next. The Details page appears.
4 Select Active Directory from LDAP server type, then type the Domain name or the Server name.
NOTE: Use a DNS-style domain name. When using a DNS-style domain name, make sure that the McAfee ePO system is configured with the appropriate DNS settings and can resolve the DNS-style domain name of the Active Directory. The Server name is the name or IP address of the system where the Windows Active Directory is present.
5 Type the User name.
NOTE: The User name should be of the format domain\Username for Active Directory accounts.
6 Type the Password and confirm it.
7 Click Test Connection to ensure that the connection to the server works, then click Save.
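The two notes above (the ePO host must resolve the DNS-style domain name, and the account must be written as domain\Username) are the usual reasons Test Connection fails. The following PowerShell pre-flight check is an added example and not part of the McAfee guide or product; it is meant to be run on the ePO server before registering the LDAP server. The domain corp.example.com, the account CORP\svc-epo-ldap and port 389 (plain LDAP; use 636 for LDAPS) are constructed placeholders. It changes no ePO configuration; it only resolves the name, probes the LDAP port and validates the user name format.

```powershell
# Added example (not McAfee's code): pre-flight checks for the "Register
# Windows Active Directory" task. Run on the ePO server host.
function Test-EpoLdapPrerequisites {
    param(
        [Parameter(Mandatory = $true)][string]$DomainName,   # DNS-style, e.g. corp.example.com
        [Parameter(Mandatory = $true)][string]$UserName,     # must be domain\Username
        [int]$LdapPort  = 389,                               # assumption: plain LDAP
        [int]$TimeoutMs = 3000
    )

    $result = [ordered]@{
        DomainName     = $DomainName
        NameResolves   = $false
        ResolvedHosts  = @()
        LdapReachable  = $false
        UserNameFormat = $false
        Ready          = $false
    }

    # 1. The guide requires a DNS-style name that this host can resolve. A flat
    #    NetBIOS name (no dot) is rejected before any network call is made.
    if ($DomainName -match '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
        try {
            $addrs = [System.Net.Dns]::GetHostAddresses($DomainName)
            $result.ResolvedHosts = @($addrs | ForEach-Object { $_.ToString() })
            $result.NameResolves  = $result.ResolvedHosts.Count -gt 0
        } catch {
            $result.NameResolves = $false   # NXDOMAIN or DNS misconfiguration on ePO
        }
    }

    # 2. TCP reachability of the LDAP port on at least one resolved address
    #    (a firewall between ePO and the domain controllers is the other usual cause).
    foreach ($ip in $result.ResolvedHosts) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($ip, $LdapPort, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($async)   # throws if the connection was refused
                $result.LdapReachable = $true
            }
        } catch {
            # try the next address
        } finally {
            $client.Close()
        }
        if ($result.LdapReachable) { break }
    }

    # 3. The guide requires domain\Username for Active Directory accounts;
    #    UPN (user@domain) or a bare user name is rejected here.
    $result.UserNameFormat = $UserName -match '^[^\\/:*?"<>|@\s]+\\[^\\/:*?"<>|\s]+$'

    $result.Ready = $result.NameResolves -and $result.LdapReachable -and $result.UserNameFormat
    return [pscustomobject]$result
}

# Constructed placeholder values; replace with your own domain and service account.
Test-EpoLdapPrerequisites -DomainName 'corp.example.com' -UserName 'CORP\svc-epo-ldap' | Format-List
```

If Ready is False, the individual fields tell you which of the three prerequisites to fix before returning to step 7 (Test Connection). The TCP probe only shows that a listener answers on the port; it does not authenticate, so a wrong password still shows up only in Test Connection.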

Configure automation task for LDAP synchronization


You can create many tasks that run at scheduled intervals to manage the McAfee ePO server and McAfee Endpoint Encryption software. Run this task to synchronize with the user Active Directory.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Automation | Server Tasks to open the Server Tasks page.
3 Click Actions | New Task. The Server Task Builder wizard opens.
4 On the Description page, name the task, type some notes about the task, and check Enabled, then click Next. The Actions page appears.
5 From the Actions drop-down list, select EE LDAP Server User/Group Synchronization and accept the default values.
6 Click Next to open the Schedule page.
7 Schedule the task, then click Next to display the Summary page.
8 Review the task details, then click Save.
NOTE: In addition to the task running at the scheduled time, you can run this task immediately by clicking Run next to the task on the Server Tasks page.

Deploy EEPC to the client system


Set up the client task to automatically install the EEPC software on the client computers. For more details and procedures on how to perform this task, see the ePolicy Orchestrator product documentation for versions 4.5 and 4.6.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Systems | System Tree, then select a system or group of systems from the System Tree pane on the left.
3 On the Client Tasks tab, click Actions, then select New Task from the drop-down menu. The Client Task Builder wizard opens with the Description page.
4 Type a Name and Notes for the task, select the Type as Product Deployment from the drop-down list, select whether the task should be sent to all computers or to tagged computers, then click Next. The Configuration page appears.
5 Select the Target platform as Windows.
6 From the Products and components drop-down list, select Endpoint Encryption Agent for Windows 1.1.2.x to specify the version of the agent to deploy and, if needed, additional command-line parameters.
7 Select the Action as Install.
NOTE: If you are working in a Windows environment, check whether to run the task at each policy enforcement interval.
8 Click Next to open the Schedule page.
9 Change the Schedule Type as required and click Next. The Summary page appears.
10 Verify the task details, then click Save. The new deployment task is sent to the client computers at the next agent-server communication.
11 Send an agent wake-up call.
Follow the same procedure to deploy Endpoint Encryption for PC 6.1.2.x. We recommend that you deploy Endpoint Encryption Agent for Windows 1.1.2.x before deploying Endpoint Encryption for PC 6.1.2.x.
TIP: We recommend that you create separate client tasks for deploying Endpoint Encryption Agent for Windows 1.1.2.x and Endpoint Encryption for PC 6.1.2.x, then deploy them in sequence.
12 Restart the client system when prompted after installing the Endpoint Encryption for PC 6.1.2.x package.

Send an agent wake-up call


The client gets the policy update whenever it connects to the McAfee ePO server (during the next ASCI). The policy update can be scheduled or forced. The agent wake-up call option forces the policy update to the client system.

NOTE: For information on adding a new system, see the ePolicy Orchestrator product documentation for versions 4.5 and 4.6.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Systems | System Tree.
3 Select a system group from the System Tree.
4 Select the System Name(s) of that group.
5 Click Actions | Agents | Wake Up Agents from the drop-down menu. The Wake Up Agents page appears.
6 Select a Wake-up call type and a Randomization period (0-60 minutes) by which the system(s) respond to the wake-up call sent by ePolicy Orchestrator.
7 Select Get full product properties for the agent(s) to send complete properties instead of sending only the properties that have changed since the last agent-to-server communication.
8 Select Force complete policy and task update for the agent to send the complete policy and task update.
9 Click OK.
NOTE: Navigate to Menu | Automation | Server Task Log to see the status of the agent wake-up call.

Add users to a system


Use ePolicy Orchestrator to add the EEPC users to the client system.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Data Protection | Encryption Users to open the My Organization page.
2 Select a group or system(s) from the System Tree pane on the left.
NOTE: To add users to a particular system, select the required system from the System Tab under the My Organization pane on the right.
3 Click Actions | Endpoint Encryption | Add Users to open the Add Endpoint Encryption Users page.
4 Add users: Click + in the Users field, browse to the users list, select the Users, then click OK.
5 Add groups: Click + in the From the groups field, browse to the users groups list, select the groups, then click OK.
6 Add an organizational unit: Click + in the From the organizational units field, browse to the organizational unit list, select the unit, then click OK.
7 In the Add Endpoint Encryption Users page, click OK.


Assign policy to users


Use this task to assign a policy at a user level. For more details and procedures on how to perform this task, see the ePolicy Orchestrator product documentation for versions 4.5 and 4.6.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Assignment Rules to open the Policy Assignment Rules page.
2 Click Actions | New Assignment Rule. The Policy Assignment Builder wizard opens with the Details page.
3 Type the Name and Description, then click Next. The user Selection Criteria page opens.
4 Select the user by choosing the selection criteria, then click Next. The Assigned Policies page opens.
5 Click Add. The Choose a policy to assign dialog box appears.
6 From the Product drop-down list, select Endpoint Encryption 1.1.2.
7 From the policy Category drop-down list, select the User Based Policy.
8 From the Policy drop-down list, select the desired policy, then click OK. The Summary page opens.
9 Click Save.

Configure UBP enforcement for EEPC 6.1 Patch 2


By default, all users inherit the default User-Based Policy assigned to a system and are prevented from using Policy Assignment Rules for EEPC 6.1 Patch 2 UBP in order to provide maximum system scalability. To allow a user to use a non-default User Based Policy, you must enable UBP enforcement for that user. This allows Policy Assignment Rules to be executed to select a specific non-default UBP for the user. If not enabled, Policy Assignment Rules will not be executed and the user will inherit the default UBP.

User Based Policies in EEPC 6.1 Patch 2
A requirement of EEPC 6.1 Patch 2 is that you need to specify which groups of users are allowed or not allowed to use the Policy Assignment Rules. The allowed users get their required User Based Policies. Users that are not allowed to use the Policy Assignment Rules inherit the default User Based Policies assigned to the system.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Reporting | Queries. The Queries page opens.
2 Select Endpoint Encryption from Shared Groups in the Groups pane. The standard EE query list appears.
3 Run the EE: Users query to list all the Endpoint Encryption Users.
4 Select a user (or users) from the list to enforce the policy.
5 Click Actions | Endpoint Encryption | Configure UBP enforcement. The Configure UBP enforcement page appears with Enable and Disable options.
6 Select Enable or Disable, then click OK to configure the UBP enforcement state. On selecting Enable, Policy Assignment Rules are enabled for the selected users, and a specific UBP is assigned to the user according to the rule defined.
NOTE: At each ASCI, ePolicy Orchestrator ensures that all the relevant user-based policies are deployed to each client in addition to the user-based policy for the logged on user configured with UBP enforcement.

Assign a policy to a system


Use ePolicy Orchestrator to assign a policy to a specific set of managed systems. You can assign policies before or after deploying the McAfee Endpoint Encryption for PC software.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Systems tab, then select a group under System Tree. All the systems within this group (but not its subgroups) appear in the details pane.
2 Select the target system, then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 From the Product drop-down list, select Endpoint Encryption 1.1.2. The policy categories under Endpoint Encryption are listed with the system's assigned policy.
4 Select the Product Setting policy category, then click Edit Assignments.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 From the Assigned policy drop-down list, select the Product Setting policy.
NOTE: From this location, you can edit the selected policy, or create a new policy.
7 Select whether to lock policy inheritance to prevent any systems that inherit this policy from having another one assigned in its place.
8 When modifying the default policy or creating the new policy, select any one of the disk encryption options other than None, by navigating to Encryption (tab) | Encrypt. The default option None does not initiate the encryption.
9 Click Save.

Enforce EE policies on a system


Enable or disable policy enforcement for McAfee Endpoint Encryption on a system. Policy enforcement is enabled by default, and is inherited in the System Tree.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Systems tab, then under System Tree, select the group where the system belongs. The list of systems belonging to this group appears in the details pane.
2 Select a system, then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page appears.
3 Select Endpoint Encryption 1.1.2, then click Enforcing next to Enforcement status. The Enforcement page appears.
4 To change the enforcement status, select Break inheritance and assign the policy and settings below.
5 Next to Enforcement status, select Enforcing or Not enforcing accordingly, then click Save.

After restarting, the client system communicates with the ePolicy Orchestrator server and pulls down the assigned Endpoint Encryption policies and encrypts the system according to the defined policies. The assigned user can be initialized through the Pre-Boot screen after the subsequent restart.

Edit the client tasks


Edit a client task's settings or schedule information for any existing task. For more details and procedures on how to perform this task, see the ePolicy Orchestrator product documentation for versions 4.5 and 4.6.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Client Tasks tab, then select the group in the System Tree where the required client task is.
2 Click Edit Settings next to the task. The Client Task Builder wizard opens.
3 Edit the task settings as needed, then click Save.

The managed systems receive these changes the next time the agent communicates with the server.


Upgrading from EEPC 6.0.x and 6.1 Patch 1 to EEPC 6.1 Patch 2
The primary goal of upgrading EEPC 6.0.x, EEPC 6.1, and EEPC 6.1 Patch 1 to EEPC 6.1 Patch 2 is to update the components while maintaining all of the existing encryption, policies, users, authentication details, Single Sign On (SSO) details, audit, and tokens.

Contents
Supported versions
Overview of the upgrade process
User experience summary

Supported versions
EEPC 6.1 Patch 2 supports the client upgrade from EEPC 6.0.x, EEPC 6.1 and EEPC 6.1 Patch 1.

Overview of the upgrade process


Use the following high-level process to upgrade an EEPC 6.0.x, 6.1, or 6.1 Patch 1 client.
1 Install the necessary EEPC 6.1 Patch 2 extensions on the ePolicy Orchestrator server. You can also upgrade the 6.0.x extensions with 6.1 Patch 2 extensions.
2 Check in the EEPC and EEAgent packages to the ePolicy Orchestrator server.
3 Define the appropriate policy settings for 6.1 Patch 2, if you need to change the policies defined for 6.0.x.
NOTE: Make sure that you have assigned the required UBP to the user assigned to the client system. Refer to the Configure UBP enforcement section for more details. A requirement of EEPC 6.1 Patch 2 is that you need to specify which groups of users are allowed or not allowed to use the Policy Assignment Rules. The allowed users get their required User Based Policies. Users that are not allowed to use the Policy Assignment Rules inherit the default User Based Policies assigned to the system.
4 Deploy EEPC 6.1 Patch 2 to the client system where EEPC 6.0.x, 6.1, or 6.1 Patch 1 is currently installed.
TIP: We recommend that you create separate client tasks for deploying the Endpoint Encryption Agent for Windows 1.1.2.x and Endpoint Encryption for PC 6.1.2.x, then deploy them in sequence. Make sure to add the NOREBOOT option in the EEAgent package to prevent the deployment task from restarting the system twice.
5 Restart the client system after each deployment task completes. After restarting the client system, the new files and drivers are in place. The EEPC 6.1 Patch 2 encryption status dialog box shows the status as Active throughout the upgrade process.
NOTE: After the upgrade, the only visible change is the version numbers in the various module lists.

Configure UBP enforcement


By default, all users inherit the default User-Based Policy assigned to a system and are prevented from using Policy Assignment Rules for EEPC UBP in order to provide maximum system scalability. To allow a user to use a non-default User Based Policy, you must enable UBP enforcement for that user. This allows Policy Assignment Rules to be executed to select a specific non-default UBP for the user. If not enabled, Policy Assignment Rules will not be executed and the user will inherit the default UBP.

A requirement of EEPC 6.1 Patch 2 is that you need to specify which groups of users are allowed or not allowed to use the Policy Assignment Rules. The allowed users get their required User Based Policies. Users that are not allowed to use the Policy Assignment Rules inherit the default User Based Policies assigned to the system.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Reporting | Queries. The Queries page opens.
2 Select Endpoint Encryption from Shared Groups in the Groups pane. The standard EE query list appears.
3 Run the EE: Users query to list all the McAfee Endpoint Encryption Users.
4 Select a user from the list to enforce the policy.
5 Click Actions | Endpoint Encryption | Configure UBP enforcement. The Configure UBP enforcement page appears with Enable and Disable options.
6 Select Enable or Disable, then click OK to configure the UBP enforcement. On selecting Enable, Policy Assignment Rules are enabled for the selected users, and a specific UBP is assigned to the user according to the rule defined.
NOTE: At each ASCI, ePolicy Orchestrator ensures that all the relevant user-based policies are deployed to each client in addition to the user-based policy for the logged on user configured with UBP enforcement.


User experience summary


This table summarizes the different phases and their status before, during, and after the client upgrade from EEPC 6.0.x, 6.1, and 6.1 Patch 1 to EEPC 6.1 Patch 2.

Table 1: User experience summary

State | Pre-Boot | Windows EE Logon | Comments
Before deploying EEPC 6.1 Patch 2 packages | EEPC 6.0.x, or 6.1, or 6.1 Patch 1 | EEPC 6.0.x, or 6.1, or 6.1 Patch 1 | The client system has EEPC 6.0.x, or 6.1, or 6.1 Patch 1 installed
During the deployment of EEPC 6.1 Patch 2 to the client | EEPC 6.0.x, or 6.1, or 6.1 Patch 1 | EEPC 6.0.x, or 6.1, or 6.1 Patch 1 | The EEPC 6.1 Patch 2 deployment forces the restart of the client system
After restarting the system due to the EEPC 6.1 Patch 2 deployment | EEPC 6.1 Patch 2 | EEPC 6.1 Patch 2 | The 6.0.x, or 6.1, or 6.1 Patch 1 status remains as Active throughout the upgrade process. The user credentials for both Windows and Pre-Boot logons are the same as 6.0.x, or 6.1, or 6.1 Patch 1 for 6.1 Patch 2. SSO to Windows continues to function as it did before the upgrade.


Uninstalling the EEPC client


To uninstall EEPC from the client, you need to:
disable the EEPC product setting policy
make sure that the Endpoint Encryption System Status is Inactive
uninstall EEPC from the client.

Contents
Deactivate the EEPC client
Remove EEPC from the client system
Remove the EEPC extensions from ePolicy Orchestrator
Remove the EEPC software packages from ePolicy Orchestrator
Manually uninstall EEPC from the client system

Deactivate the EEPC client


Use ePolicy Orchestrator to deactivate the EEPC client.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Systems, then select a group under System Tree. All the systems within this group (but not its subgroups) appear in the details pane.
2 Select a system, then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 From the product drop-down list, select Endpoint Encryption 1.1.2. The policy categories under Endpoint Encryption are listed with the system's assigned policy.
4 Select the Product Setting policy category, then click Edit Assignments.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below, which is present next to Inherit from.
6 From the Assigned policy drop-down list, select the desired product setting policy.
NOTE: From this location, you can edit the selected policy, or create a new policy.
7 Select whether to lock policy inheritance to prevent any systems that inherit this policy from having another one assigned in its place.
8 On the General tab, deselect Enable policy.
9 Click Save in the Policy Settings page, then click Save in the Product Settings page.
10 Send an agent wake-up call.
NOTE: On disabling the product setting policy, all the encrypted drives get decrypted and the Endpoint Encryption status becomes Inactive. This may take a few hours depending on the number and size of the encrypted drives.

Remove EEPC from the client system


Set up the client task to automatically remove the EEPC software from the client computers. For more details and procedures on how to perform this task, see the ePolicy Orchestrator product documentation for versions 4.5 and 4.6.

Before you begin
Make sure that you deactivate the Endpoint Encryption client before removing EEPC from the client system.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Systems | System Tree, then select the required group or system(s) from the System Tree.
3 On the Client Tasks tab, click Actions, then select New Task from the drop-down menu. The Client Task Builder wizard opens with the Description page.
4 Type a Name and Notes for the task, select the Type as Product Deployment from the drop-down list, select whether the task should be sent to all computers or to tagged computers, then click Next. The Configuration page appears.
5 Select the Target platform as Windows.
6 From the Products and components drop-down list, select Endpoint Encryption for PC 6.1.2.x to specify the version of EEPC to remove and, if needed, additional command-line parameters.
7 Select the Action as Remove.
NOTE: If you are working in a Windows environment, check whether to run the task at each policy enforcement interval.
8 Click Next to open the Schedule page.
9 Change the Schedule Type as required and click Next. The Summary page appears.
10 Verify the task details, then click Save. The new deployment task is sent to the client computers at the next agent-server communication.
11 Send an agent wake-up call.
NOTE: Follow the same procedure to remove Endpoint Encryption Agent for Windows 1.1.2.x from the client system. We recommend that you remove Endpoint Encryption for PC 6.1.2.x before removing Endpoint Encryption Agent for Windows 1.1.2.x.


Remove the EEPC extensions from ePolicy Orchestrator


To uninstall the EEPC extension and the checked-in packages, you need to remove them from the McAfee ePO server. If both EEPC and EEMac are managed by a single McAfee ePO server, remove the EEAdmin extension only when McAfee ePO management is no longer required for either product.

Before you begin
Make sure that you deactivate the Endpoint Encryption client before removing the EEPC extension from the McAfee ePO server.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Software | Extensions, then select Endpoint Encryption. The Extension page appears with the extension name and version details.
3 On the Extension page, click Remove. The Remove extension confirmation page appears.
4 Click OK to remove the extension.
NOTE: You need to follow the same procedure to remove both the EEPC and EEADMIN extensions; however, the EEPC extension needs to be removed first.

Remove the EEPC software packages from ePolicy Orchestrator


Use McAfee ePO to remove the EEPC software packages.

Before you begin
Make sure that you deactivate the Endpoint Encryption client before removing the EEPC software package from McAfee ePO.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Software | Master Repository. The Packages in Master Repository page appears with the list of software packages and their details.
3 Click Delete against the EEPC software packages. The Delete package confirmation page appears.
4 Click OK to delete the EEPC software package from the ePO master repository.
NOTE: You need to follow the same procedure to remove both the MfeEEAgent.ZIP and MfeEEPC.ZIP packages. You can also use this procedure to remove the themes and simple words packages that are automatically added to the master repository.


Manually uninstall EEPC from the client system


Use this task to manually uninstall EEPC from the client system.

Before you begin
Make sure that you deactivate the Endpoint Encryption client before initiating the manual removal process. You must have administrator privileges to perform this task.

Task
1 On the client system, after deactivating the Endpoint Encryption Agent, browse to the following registry values and double-click the Uninstall command. The Edit String dialog box appears.
For EE Agent on a 32-bit system: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\EEADMIN_1000
For EEPC on a 32-bit system: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\EEPC
For EE Agent on a 64-bit system: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Application Plugins\EEADMIN_1000
For EEPC on a 64-bit system: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Application Plugins\EEPC
2 Copy the Value data from the Edit String dialog box, then paste and run it at the command prompt. You can retain /q and add /norestart to run a silent removal and to avoid restarting the system after uninstalling EEPC.
NOTE: The uninstall switch /q might not work on Windows Vista and Windows 7, where User Access Control (UAC) is set to protect.
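The manual procedure above has three details that are easy to get wrong by hand: the key lives under Wow6432Node on 64-bit Windows, EEPC should be removed before the EE Agent, and the command needs /norestart so the client does not reboot between the two removals. The following PowerShell function is an added example, not code from the McAfee guide or product. It reads the registry paths listed above and reports the silent, no-restart form of each uninstall command; it runs them only when called with -Execute. Two assumptions are labelled in the code: that the registry value holding the command has "Uninstall" in its name (the guide only says to open the Uninstall command value), and that an exit code of 3010 (Windows Installer's "reboot required") is an expected result when /norestart is used.

```powershell
# Added example (not McAfee's code). Run from an elevated PowerShell on the
# client after the Endpoint Encryption System Status shows Inactive; the
# script cannot verify the decryption state itself, so that check stays manual.
function Get-EeUninstallCommand {
    param([switch]$Execute)   # without -Execute this is a dry run that only reports

    # Both locations from the guide. A 32-bit PowerShell on 64-bit Windows is
    # redirected to Wow6432Node automatically, so rather than guessing bitness
    # we probe both paths and keep whichever exists.
    $bases = @(
        'HKLM:\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins',
        'HKLM:\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Application Plugins'
    )
    # Removal order matters: EEPC first, then the EE Agent (EEADMIN_1000).
    $plugins = @('EEPC', 'EEADMIN_1000')

    $commands = @()
    foreach ($plugin in $plugins) {
        $key = $bases |
            ForEach-Object { Join-Path $_ $plugin } |
            Where-Object { Test-Path $_ } |
            Select-Object -First 1
        if (-not $key) { continue }   # this component is not installed on the client

        $props = Get-ItemProperty -Path $key
        # Assumption: the value holding the command has "Uninstall" in its name.
        $valueName = ($props.PSObject.Properties |
            Where-Object { $_.Name -like '*Uninstall*' } |
            Select-Object -First 1).Name
        if (-not $valueName) { continue }

        $cmd = [string]$props.$valueName
        # Keep /q (silent; the guide notes it may fail under UAC) and add /norestart
        # so the client does not reboot between the two removals.
        if ($cmd -notmatch '(?i)\s/q')       { $cmd += ' /q' }
        if ($cmd -notmatch '(?i)/norestart') { $cmd += ' /norestart' }

        $commands += [pscustomobject]@{ Plugin = $plugin; Key = $key; Command = $cmd }
    }

    if ($Execute) {
        foreach ($c in $commands) {
            Write-Host "Removing $($c.Plugin): $($c.Command)"
            & cmd.exe /c $c.Command
            # Assumption: 3010 (reboot required) is expected with /norestart.
            if ($LASTEXITCODE -ne 0 -and $LASTEXITCODE -ne 3010) {
                throw "Uninstall of $($c.Plugin) failed with exit code $LASTEXITCODE"
            }
        }
    }
    return $commands
}

# Dry run: list the commands that would be executed, in order.
Get-EeUninstallCommand | Format-List
```

Review the dry-run output first; each entry shows which key was found and the exact command line. Restart the client once after both removals complete, as the guide's client-task procedure also requires.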


Installing the EEMac client


The EEMac extensions, agent, and the software packages are checked in to McAfee ePO for the management functionality. This is necessary before deploying the software and configuring the policies.

CAUTION: Before you begin, make sure that any competitor's encryption products are removed from the client system before installing EEMac. Also, avoid installing any other encryption products after installing EEMac.

Contents
Summary of the client installation process
Deploy McAfee Agent to Mac OS X client
Install the EEMac extensions using McAfee ePO
Check in the EEMac software packages (EEAgent and EEMac) to ePolicy Orchestrator
Register Windows Active Directory
Configure automation tasks for LDAP synchronization
Deploy EEMac to the client system
Add users to a system
Assign a policy to a system
Enforce EE policies on a system

Summary of the client installation process


The EEMac client software is deployed from the McAfee ePO server and installed through McAfee Agent. The installation of EEMac installs the Pre-Boot File System (PBFS) on the client system. The client system requires a restart to complete the installation of the EEMac software. After the restart, the client system communicates with ePolicy Orchestrator, pulls down the assigned Endpoint Encryption policies, and encrypts the system according to the defined policies. The assigned user can be initialized through the Pre-Boot screen after the subsequent restart. The summary of the client installation process is depicted in Figure 3.


Figure 3: Process overview of installation

The overall EEMac installation and deployment process can be simplified into the following steps:
NOTE: This assumes that the user has already successfully installed ePolicy Orchestrator and has the McAfee Agent installed on various systems which successfully communicate with the McAfee ePO server.
1 Install the EEAdmin and EEMac extensions into the McAfee ePO server.
2 Check in the EEMac software packages (MfeEeMac-1.0.0.x.ZIP and MfeEEAgent-1.0.0.x.ZIP) to the McAfee ePO server.
3 Configure the registered server (Windows Active Directory).
4 Configure and run the automation task for LDAP Synchronization.
5 Deploy the Endpoint Encryption Agent to the Mac client.
6 Deploy the Endpoint Encryption for Mac to the Mac client.
7 Restart the client system. You should now be able to see the Encryption icon | McAfee Endpoint Encryption System Status option on the menu bar that is present on the desktop of the client.
8 Add users to a system or a group of systems.
9 Create a product settings policy or edit the default policy, then assign it to a system or a group of systems.
10 Create a user-based policy or edit the default policy, then assign it to a user or a group of users on a system.
NOTE: The Endpoint Encryption System Status changes from Inactive to Active only after adding the user and enforcing the policies correctly.
11 Verify the Endpoint Encryption System Status by clicking the Encryption icon | McAfee Endpoint Encryption System Status option on the menu bar that is present on the desktop of the client. If the Endpoint Encryption system state is Active, it displays the system partition/volume list under Volume Status. The volume status, either Encrypted or Decrypted, is also displayed for each partition/volume.

Deploy McAfee Agent to Mac OS X client


It is not possible to deploy McAfee Agent for Mac through McAfee ePO. You need to install the McAfee Agent on a Mac client system using the install.sh file. You can get this file from the Windows-based system where McAfee ePO is installed. The client system is automatically added to the System Tree in ePolicy Orchestrator on successful installation of the McAfee Agent for Mac on the Mac client system. For more details and procedures, see the ePolicy Orchestrator product documentation for versions 4.5 and 4.6.

Before you begin
You must have appropriate permissions to perform this task.

Task
You should install the McAfee Agent for Mac using the Terminal on the Mac. After installing the McAfee Agent for Mac OS X, the Mac client system communicates back to the McAfee ePO server. This process usually takes some time. Select This group and all subgroups in Filter in the System Tree page, then refresh ePolicy Orchestrator. ePolicy Orchestrator displays the Mac client system details under System Tree | Systems after the first agent-to-server communication.
1 Check in the McAfee Agent for Mac OS X package to the master repository.
2 Copy the install.sh file from this location on the Windows-based system:
C:\Program Files\McAfee\ePolicy Orchestrator\DB\Software\Current\EPOAGENT3700MACX\Install\0409
To download the Agent installation package using ePolicy Orchestrator instead:
a Click Menu | Systems | System Tree | System Tree Actions | New Systems on the McAfee ePO server. The New Systems page appears.
b Select Create and download agent installation package from How to add systems.
c Select Non-Windows and McAfee Agent for Mac OS X 4.5/4.6 from Select Agent Package, deselect Use Credentials, then click OK. The Download file page appears.
d Click the install link to open the file, or right-click the link to download and save the file.
3 Place the copied install.sh file on the desktop.
4 In the Terminal, type this command to go to the location where the install.sh file is present:
cd /Users/<user>/Desktop
5 Deploy the McAfee Agent on the Mac client with one of these commands:
sudo ./install.sh -i (for a fresh installation)
sudo ./install.sh -u (for an upgrade of the agent)
NOTE: Type the administrator password if prompted.
The installation path of McAfee Agent is /Library/McAfee/cma/
The uninstall path of McAfee Agent is /Library/McAfee/cma/uninstall.sh
6 To monitor the McAfee Agent logs, run the command sudo tail -f /Library/McAfee/cma/scratch/etc/log and provide the administrator password when prompted.
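The choice between install.sh -i (fresh installation) and -u (upgrade) in step 5, together with a check that the agent actually landed, can be wrapped in a small preflight script. The following is an added example and is not McAfee's code or part of this guide. It assumes that an already installed agent can be recognised by the presence of the uninstall script the guide names, /Library/McAfee/cma/uninstall.sh, and it uses two environment variables of its own, MA_ROOT (override of the install path, used when exercising the logic against a scratch directory) and MA_NO_SUDO (skip sudo when already root or when testing):

```shell
#!/bin/sh
# Added example, not McAfee's code: a preflight wrapper around the McAfee
# Agent for Mac install.sh described above. It picks -i (fresh install) or
# -u (upgrade) and then confirms the agent's files are in place.
# Assumption: an already installed agent is recognised by the uninstall script
# the guide names, /Library/McAfee/cma/uninstall.sh.
# MA_ROOT and MA_NO_SUDO are this script's own (assumed) environment knobs.

MA_ROOT="${MA_ROOT:-/Library/McAfee/cma}"

# Print -u when an agent is already installed under $1, otherwise -i.
ma_install_mode() {
    if [ -x "$1/uninstall.sh" ]; then
        echo "-u"
    else
        echo "-i"
    fi
}

# Run the installer with the right switch and verify the result.
#   $1 = path to install.sh, $2 = agent install path (defaults to MA_ROOT)
# Prints the switch that was used on stdout; returns non-zero on failure.
ma_install() {
    ma_installer="$1"
    ma_path="${2:-$MA_ROOT}"
    # A bare file name must be run from the current directory, not from PATH.
    case "$ma_installer" in
        */*) ;;
        *) ma_installer="./$ma_installer" ;;
    esac
    if [ ! -x "$ma_installer" ]; then
        echo "install.sh not found or not executable: $ma_installer" >&2
        return 2
    fi
    ma_mode=$(ma_install_mode "$ma_path")
    echo "Running $ma_installer $ma_mode (install path: $ma_path)" >&2
    # Installer output goes to stderr so stdout carries only the result.
    if [ "$(id -u)" -eq 0 ] || [ -n "$MA_NO_SUDO" ]; then
        "$ma_installer" "$ma_mode" 1>&2 || return 1
    else
        sudo "$ma_installer" "$ma_mode" 1>&2 || return 1
    fi
    # Post-check: after a good run the guide's uninstall path must exist.
    if [ ! -x "$ma_path/uninstall.sh" ]; then
        echo "agent files missing under $ma_path after install" >&2
        return 1
    fi
    echo "$ma_mode"
}

# Usage: sh ma_install.sh /Users/<user>/Desktop/install.sh
# Without arguments the script only defines the functions.
if [ $# -ge 1 ]; then
    ma_install "$1" "${2:-$MA_ROOT}"
fi
```

Keeping the mode decision in its own function makes it easy to dry-run against a scratch directory before touching a real client; the post-check catches the case where install.sh exits cleanly but the agent files are not where the guide says they should be.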

Install the EEMac extensions using McAfee ePO


You can install the EEMac extensions on the ePolicy Orchestrator server using the Software tab.

Before you begin
You must have appropriate permissions to perform this task. You must install the extensions in order: EEADMIN.ZIP first, then EEMac.ZIP.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Software | Extensions | Install Extension. The Install Extension dialog box appears.
3 Click Browse and select the extension file EEADMIN.ZIP, then click OK. The Install Extension page appears with the extension name and version details.
4 Click OK.
5 Repeat steps 2 through 4 to install the EEMac.ZIP extension.

Check in the EEMac software packages (EEAgent and EEMac) to ePolicy Orchestrator
Use ePolicy Orchestrator to check in the EEMac software packages (EEAgent and EEMac) to the master repository.

Before you begin
You must have appropriate permissions to perform this task. Before checking in the software packages, make sure there are no pull or replication tasks running.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Software | Master Repository, then click Actions | Check In Package. The Check In Package wizard opens.
3 From the Package type list, select Product or Update (.ZIP), then browse to and select the MfeEeMac-1.0.0.x.ZIP package file.
4 Click Next to display the Package Options page.
5 Click Save to begin checking in the package. Wait while the package is checked in.
6 Repeat steps 2 through 5 to install the MfeEEAgent-1.0.0.x.ZIP package.

The new package appears in the Packages in Master Repository list on the Master Repository page.

Register Windows Active Directory


Use this option to register a Windows Active Directory.

Before you begin
You must have a registered AD to enable dynamically assigned permission sets and automatic user account creation. Make sure you have the appropriate rights to modify server settings, permission sets, users, and registered servers.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Configuration | Registered Servers, then click New Server. The Registered Server Builder wizard opens.
3 From the Server type drop-down list on the Description page, select LDAP Server, specify a unique name (a user-friendly name) and any details, then click Next. The Details page appears.
4 Type the Domain name or the Server name.
NOTE: Use a DNS-style domain name. When using a DNS-style domain name, make sure that the system is configured with the appropriate DNS settings and can resolve the DNS-style domain name of the Active Directory. The Server name is the name or IP address of the system where the Windows Active Directory is present.
5 Type the User name.
NOTE: The User name should be of the format domain\Username for Active Directory accounts.
6 Type the Password and confirm it.
7 Click Test Connection to ensure that the connection to the server works, then click Save.

Configure automation tasks for LDAP synchronization


You can create many tasks that run at scheduled intervals to manage the McAfee ePO server and McAfee Endpoint Encryption software.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Automation | Server Tasks. The Server Tasks page opens.
3 Click Actions | New Task. The Server Task Builder wizard opens.
4 On the Description page, name the task, type some notes about the task, and choose whether it is enabled, then click Next. The Actions page appears.
5 From the Actions drop-down list, select EE LDAP Server User/Group Synchronization and accept the default values.
6 Click Next. The Schedule page appears.
7 Schedule the task, then click Next to display the Summary page.
8 Review the task details, then click Save.
NOTE: In addition to the task running at the scheduled time, you can run this task immediately by clicking Run next to the task on the Server Tasks page.

Deploy EEMac to the client system


Use this task to set up the client task that automatically installs EEMac on the client computers. For more details and procedures on how to perform this task, see the ePolicy Orchestrator product documentation for versions 4.5 and 4.6.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Systems | System Tree and select the required group or system(s) from the System Tree pane on the left.
3 On the Client Tasks tab, click Actions, then select New Task from the drop-down menu. The Client Task Builder wizard opens with the Description page.
4 Type a Name and Notes for the task, select the Type as Product Deployment from the drop-down list, select whether the task should be sent to all computers or to tagged computers, then click Next. The Configuration page appears.
5 Select the Target platform as Mac.
6 From the Products and components drop-down list, select Endpoint Encryption Agent for Mac OS X 1.0.0.X to specify the version of the agent to deploy and, if needed, additional command-line parameters.
7 Select the Action as Install.
8 Click Next to open the Schedule page.
9 Change the Schedule Type as required and click Next. The Summary page appears.
10 Verify the task details, then click Save. The new deployment task is sent to the client computers at the next agent-server communication.
11 Send an agent wake-up call.
Follow the same procedure to deploy Endpoint Encryption for Mac OS X 1.0.0.X. We recommend that you deploy Endpoint Encryption Agent for Mac OS X 1.0.0.X before deploying Endpoint Encryption for Mac OS X 1.0.0.X.
TIP: We recommend that you create separate client tasks for deploying Endpoint Encryption Agent for Mac OS X 1.0.0.X and Endpoint Encryption for Mac OS X 1.0.0.X, then deploy them in sequence.

Send an agent wake-up call


The client gets the policy update whenever it connects to the McAfee ePO server. The policy update can be scheduled or forced. The agent wake-up call option forces the policy update to the client system.
NOTE: For more information on adding a new system, see the ePolicy Orchestrator product documentation for versions 4.5 and 4.6.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Systems | System Tree.
3 Select a system group from the System Tree.
4 Select the System Name(s) of that group.
5 Click Actions | Agents | Wake Up Agents from the drop-down menu. The Wake Up Agents page appears.
6 Select a Wake-up call type and a Randomization period (0-60 minutes) within which the system(s) respond to the wake-up call sent by the ePO server. Select Get full product properties for the agent(s) to send complete properties instead of sending only the properties that have changed since the last agent-to-server communication.
7 Click OK.
NOTE: Navigate to Menu | Automation | Server Task Log to see the status of the agent wake-up call.

Add users to a system


Use ePolicy Orchestrator to add the EEMac users to the client system.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Data Protection | Encryption Users. The My Organization page opens.
2 Select the required group or system(s) from the System Tree pane on the left.
NOTE: To add users to a particular system, select the required system from the System tab under the My Organization pane on the right.
3 Click Actions | Endpoint Encryption | Add Users. The Add Endpoint Encryption Users page opens.
4 Add users: Click + in the Users field, browse to the users list, select the Users, then click OK.
5 Add groups: Click + in the From the groups field, browse to the user groups list, select the groups, then click OK.
6 Add an organizational unit: Click + in the From the organizational units field, browse to the organizational unit list, select the unit, then click OK.
7 In the Add Endpoint Encryption Users page, click OK.

Assign a policy to a system


Assign a policy to a specific set of managed systems. You can assign policies before or after deploying the McAfee Endpoint Encryption software.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Systems, then select a group under System Tree. All the systems within this group (but not its subgroups) appear in the details pane.
2 Select a system, then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 From the Product drop-down list, select Endpoint Encryption 1.1.x. The policy categories under Endpoint Encryption are listed with the system's assigned policy.
4 Select the Product Setting policy category, then click Edit Assignments.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 From the Assigned policy drop-down list, select the Product Setting policy.
NOTE: From this location, you can edit the selected policy, or create a new policy.
7 Choose whether to lock policy inheritance to prevent any systems that inherit this policy from having another one assigned in its place.
8 While modifying the default policy or creating the new policy, select any one of the disk encryption options other than None, by navigating to Encryption (tab) | Encrypt. The default option None does not initiate the encryption.
9 Click Save.

Enforce EE policies on a system


Enable or disable policy enforcement for EE on a system. Policy enforcement is enabled by default, and is inherited in the System Tree. For more details and procedures on how to perform this task, see the ePolicy Orchestrator product documentation for versions 4.5 and 4.6.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Systems, then select the group under System Tree where the system belongs. The list of systems belonging to this group appears in the details pane.
2 Select a system, then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page appears.
3 Select Endpoint Encryption 1.1.x, then click Enforcing next to Enforcement status. The Enforcement page appears.
4 If you want to change the enforcement status, you must first select Break inheritance and assign the policy and settings below.
5 Next to Enforcement status, select Enforcing or Not enforcing accordingly, then click Save.
After restarting, the client system communicates with the ePolicy Orchestrator server, pulls down the assigned McAfee Endpoint Encryption policies, and encrypts the system according to the defined policies. The assigned user can be initialized through the Pre-Boot screen after the subsequent restart.

Edit the client tasks


Edit a client task's settings or schedule information for any existing task. For more details and procedures on how to perform this task, see the ePolicy Orchestrator product documentation for versions 4.5 and 4.6.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Client Tasks, then select the group in the System Tree where the desired client task was created.
2 Click Edit Settings next to the task. The Client Task Builder wizard opens.
3 Edit the task settings as needed, then click Save.

The managed systems receive these changes the next time the agents communicate with the server.


Uninstalling the EEMac client


To uninstall EEMac from the client, you need to:
Disable all EEMac product setting policies.
Make sure that the Endpoint Encryption System Status is Inactive.
Uninstall EEMac from the client.

Contents
Deactivate the Endpoint Encryption Agent
Remove EEMac from the client system
Remove the EEMac extensions from McAfee ePO
Remove the EEMac packages from McAfee ePO
Manually uninstall EEMac from the client system

Deactivate the Endpoint Encryption Agent


Use this task to deactivate the Endpoint Encryption Agent on the client system.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Systems, then select a group under System Tree. All the systems within this group (but not its subgroups) appear in the details pane.
2 Select a system, then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 Select Endpoint Encryption 1.1.x from the Product drop-down list. The policy categories under Endpoint Encryption are listed with the system's assigned policy.
4 Select the Product Setting policy category, then click Edit Assignments.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 Select the product setting policy from the Assigned policy drop-down list.
NOTE: From this location, you can edit the selected policy, or create a new policy.
7 Choose whether to lock policy inheritance to prevent any systems that inherit this policy from having another one assigned in its place.
8 On the General tab, deselect Enable policy.
9 Click Save in the Policy Settings page, then click Save in the Product Settings page.
10 Send an agent wake-up call.
NOTE: On disabling the product setting policy, all the encrypted drives are decrypted and the Endpoint Encryption status becomes Inactive. This may take a few hours depending on the number and size of the encrypted drives.

Remove EEMac from the client system


Use ePolicy Orchestrator to set up the client task to automatically remove EEMac from the client computers.

Before you begin
Make sure that you deactivate the Endpoint Encryption Agent before removing EEMac from the client system.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Systems | System Tree and select the required group or system(s) from the System Tree pane on the left.
3 On the Client Tasks tab, click Actions, then select New Task from the drop-down menu. The Client Task Builder wizard opens with the Description page.
4 Type a Name and Notes for the task, select the Type as Product Deployment from the drop-down list, select whether the task should be sent to all computers or to tagged computers, then click Next. The Configuration page appears.
5 Select the Target platform as Mac.
6 From the Products and components drop-down list, select Endpoint Encryption for Mac OS X 1.0.0.X to specify the version of the product to remove and, if needed, additional command-line parameters.
7 Select the Action as Remove.
8 Click Next to open the Schedule page.
9 Change the Schedule Type as required and click Next. The Summary page appears.
10 Verify the task details, then click Save. The new deployment task is sent to the client computers at the next agent-server communication.
11 Send an agent wake-up call.
NOTE: Follow the same procedure to remove Endpoint Encryption Agent for Mac OS X 1.0.0.X from the client system. We recommend that you remove Endpoint Encryption for Mac OS X 1.0.0.X before removing Endpoint Encryption Agent for Mac OS X 1.0.0.X.

Remove the EEMac extensions from McAfee ePO


To uninstall the EEMac extension and the checked-in packages, you just need to remove them from the McAfee ePO server.
If both EEPC and EEMac are managed by a single McAfee ePO server, remove the EEAdmin extension only when McAfee ePO management is no longer required for either product.

Before you begin
Make sure that you deactivate the Endpoint Encryption Agent before removing the EEMac extension from the McAfee ePO server.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Software | Extensions, then select Endpoint Encryption. The Extension page appears with the extension name and version details.
3 Click Remove. The Remove extension confirmation page appears.
4 Click OK to remove the extension.
NOTE: Follow the same procedure to remove both extension files, EEMac.ZIP and EEADMIN.ZIP; however, the EEMac.ZIP extension needs to be removed first.

Remove the EEMac packages from McAfee ePO


Use this task to remove the EEMac packages from the McAfee ePO server.

Before you begin
Make sure that you deactivate the Endpoint Encryption Agent before removing the EEMac packages from McAfee ePO.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Software | Master Repository. The Packages in Master Repository page appears with the list of software packages and their details.
3 Click Delete against the EEMac software package. The Delete package confirmation page appears.
4 Click OK to delete the EEMac software package from the ePO master repository.
NOTE: Follow the same procedure to remove both packages, MfeEEAgent-1.0.0.x.ZIP and MfeEeMac-1.0.0.x.ZIP.

Manually uninstall EEMac from the client system


Use this task to manually uninstall EEMac from the client system.

Before you begin
Make sure that you deactivate the Endpoint Encryption Agent before initiating the manual uninstall process.

Task
1 After deactivating the Endpoint Encryption Agent, open the Terminal and run the command sudo /Library/McAfee/ee/Agent/uninstall to uninstall the EEAgent, and type the administrator password if prompted.
2 Run the command /Library/McAfee/ee/Mac/uninstall. This removes the EEMac software package from the client system.
3 Run the command /Library/McAfee/ee/Agent/uninstall. This removes the EEAgent from the client system.
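The manual removal above comes down to two uninstall commands whose order matters: the guide recommends removing Endpoint Encryption for Mac before the Endpoint Encryption Agent. The following is an added example and not McAfee's code or part of this guide; it runs the two uninstall commands named above in that order and stops at the first one that is missing or fails, so the agent is not removed while the EEMac package is still on the system. EE_ROOT is an assumed override of /Library/McAfee/ee so the sequencing can be exercised against a scratch directory, and EE_NO_SUDO is an assumed switch that skips sudo:

```shell
#!/bin/sh
# Added example, not McAfee's code: runs the two manual uninstall commands the
# guide names under /Library/McAfee/ee in the recommended order, EEMac first
# and then the EE Agent, and stops at the first failure so the agent is not
# removed while the EEMac package is still installed.
# EE_ROOT and EE_NO_SUDO are this script's own (assumed) environment knobs.

EE_ROOT="${EE_ROOT:-/Library/McAfee/ee}"

# Run one uninstaller ($1 = absolute path) with sudo unless already root or
# EE_NO_SUDO is set (used when exercising against a scratch directory).
ee_run_uninstaller() {
    if [ ! -x "$1" ]; then
        echo "uninstaller not found or not executable: $1" >&2
        return 2
    fi
    if [ "$(id -u)" -eq 0 ] || [ -n "$EE_NO_SUDO" ]; then
        "$1" 1>&2
    else
        sudo "$1" 1>&2
    fi
}

# Remove the components in order. Prints the names of the components that were
# removed (space separated) on stdout and returns non-zero as soon as one fails.
#   $1 = directory holding Mac/uninstall and Agent/uninstall (default EE_ROOT)
ee_manual_uninstall() {
    ee_root="${1:-$EE_ROOT}"
    ee_done=""
    for ee_component in Mac Agent; do
        ee_uninstaller="$ee_root/$ee_component/uninstall"
        echo "Removing $ee_component with $ee_uninstaller" >&2
        if ! ee_run_uninstaller "$ee_uninstaller"; then
            echo "Stopping: $ee_component uninstall failed (removed so far: ${ee_done:-none})" >&2
            echo "$ee_done"
            return 1
        fi
        ee_done="${ee_done:+$ee_done }$ee_component"
    done
    echo "$ee_done"
}

# Usage: sh ee_uninstall.sh run
# Only run this after the product setting policy is disabled and the
# Endpoint Encryption System Status shows Inactive, as the guide requires.
if [ "$1" = "run" ]; then
    ee_manual_uninstall "$EE_ROOT"
fi
```

The function reports which components it actually removed, so an operator who sees "Mac" alone knows the EEMac package is gone but the agent is still in place and can finish the job by hand.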


Managing McAfee Endpoint Encryption policies


McAfee Endpoint Encryption is managed from a single location by integrating the EE software into ePolicy Orchestrator; centralized management is a core feature of McAfee ePO itself. This is accomplished through the combination of product policies.
Are you configuring policies for the first time? When configuring policies for the first time:
1 Plan product policies for the segments of your System Tree.
2 Create and assign policies to groups and systems.

NOTE: This section is applicable to both EEPC and EEMac.

Contents
Policy management
Policy categories
Create a policy from Policy Catalog
Edit the EE policy settings from Policy Catalog
Assign a policy to a system group
Enforce EE policies on a system group

Policy management
A policy is a collection of settings that you create, configure, then enforce. Policies ensure that the managed client computer is configured and performs accordingly. Policy settings are the primary interface for configuring the client computer and its components. The ePolicy Orchestrator server allows you to configure policy settings for Endpoint Encryption clients and other managed systems from a central location.

Policy categories
Policy settings for McAfee Endpoint Encryption are grouped under category. Each policy category refers to a specific subset of policy settings. In the Policy Catalog page, policies appear under Endpoint Encryption and the individual policies appear under specific category. When you open or edit an existing policy or create a new policy under Endpoint Encryption, the policy product settings are organized across tabs such as General, Encryption, Log On, Recovery, Boot Options, Theme, and Encryption Providers. The user based policy settings are organized

44

McAfee Endpoint Encryption - 6.1 Patch 2 (EEPC) and 1.0.0 (EEMac) Product Guide

Managing McAfee Endpoint Encryption policies Policy categories

across tabs such as Authentication, Password, Password Content Rules, and Self-Recovery. Table 2: Product setting policies
Settings General Options Enable Policy Logging level Description Enables the set policies on the client computers. This policy setting allows the administrator to manually set different logging level for each client computer which has the specific policy setting assigned. NOTE: To overwrite the logging level defined in the ePolicy Orchestrator console, the LoggingLevelOverride registry key needs to be set. None Setting this option does not create any log. Error Setting this option logs the error messages only. Error and WarningsSetting this option logs the error and warning messages. Error, Warnings, and InformationalSetting this option logs the error and warning messages with more descriptions. Error, Warnings, Informational and DebugSetting this option logs the error and warning messages with more descriptions in the debug mode.

Allow Temporary Automatic Booting

This option allows the administrator to run the scripts on the the client system, so that it can automatically boot without prompting for a Pre-Boot Authentication temporarily. NOTE: If you enable this option, be aware that the McAfee Endpoint Encryption software doesn't protect the data on the drive when it is not in use.

Encryption

Encrypt

This drop-down list contains the options to select an encryption type. NoneDoes not encrypt any disk. All DisksEncrypts all disks in a system. Boot OnlyEncrypts only the boot disk. All Disks except Boot DiskEncrypts all disks except the boot disk (not recommended)

Encryption Provider Priority Log On (Endpoint Encryption) Enable Automatic Booting

Lists the installed encryption providers and allows you to set the priority. On selecting, the client system boots automatically without prompting for a Pre-Boot Authentication. The expiration date for the auto booting can also be set. If required, the user can select the UTC time standard option. NOTE: If you enable this option, be aware that the McAfee Endpoint Encryption software doesn't protect the data on the drive when it is not in use.

McAfee Endpoint Encryption - 6.1 Patch 2 (EEPC) and 1.0.0 (EEMac) Product Guide

45

Managing McAfee Endpoint Encryption policies Policy categories

Settings

Options Log on Message Do not display previous user name at log on Enable on screen keyboard

Description Type a message that appears to the user on all Endpoint Encryption logon pages. Hides the ID of the last logged on user in all McAfee Endpoint Encryption logon dialog boxes.

This option enables the Pre-Boot On-Screen Keyboard (OSK) and the associated Wacom serial pen driver. When this option is enabled, the pen driver finds supported pen hardware and displays the OSK. NOTE: This option is not applicable to Mac client systems.
  Always display onscreen keyboard: Forces the Pre-Boot to always display a clickable on-screen keyboard regardless of whether the pen driver finds suitable hardware. This option is very useful to TabletPC users.

Add local domain users: NOTE: This option is not applicable to Mac client systems.
  Disabled: Selecting this option does not add any local domain users to the client system.
  Add all previous and current local domain users of the system: On selecting this option, any domain users who have previously logged on or are currently logged on to the system are able to authenticate through the Pre-Boot, even if the administrator has not explicitly assigned the user to the client system.
  Only add currently logged on local domain user(s); activation is dependent on a successful user assignment: On selecting this option, only the domain users who are logged on to the current Windows session are added to the system, and hence EEPC is activated, even if the administrator has not explicitly assigned the user to the client system. NOTE: If you select this option, at least one user must be added to the client system for a successful EEPC activation on the client. The activation will not happen until a user logs on to Windows.

Enable Accessibility: This option is helpful to visually impaired users. If selected, the system gives a beep as a signal when the user moves the cursor from one field to the next. NOTE: This option is not applicable to Mac client systems.

Disable Pre-Boot Authentication when not synchronized: When selecting this option, the user is blocked from logging on to PBA in the client system if the client system has not synchronized with ePolicy Orchestrator for the set number of days. When the user is blocked from logging on to PBA, the user should request the administrator to perform the Administrator Recovery to unlock the client system. This allows the client system to boot and communicate with the ePolicy Orchestrator server. NOTE: The client system will continue to block the user from logging on to the system until the synchronization with ePolicy Orchestrator happens.


Settings: Log On (Windows only)
NOTE: These options are not applicable to Mac client systems.

Enable SSO: This option enables Single Sign On.
  Must match user name: This option ensures the SSO details are only captured when the user's Endpoint Encryption and Windows IDs match. This ensures that the SSO data captured is replayed for the user for which it was captured.
  Using smart card PIN: This option allows the administrator to capture the smart card PIN for SSO.
  Synchronize Endpoint Encryption password with Windows: If selected, the Endpoint Encryption password synchronizes with the Windows password. For example, if the client system password changes, the Endpoint Encryption password also changes accordingly.
  Allow user to cancel SSO: This option allows the user to cancel the SSO to Windows in the Pre-Boot only. When this option is enabled, the user has an additional checkbox at the bottom of the Pre-Boot logon dialog.

Require Endpoint Encryption logon: McAfee Endpoint Encryption takes control of the normal Windows logon screen and screen saver logon. You are prompted for your EEPC credentials while logging on.
  Require logon when token is removed: The client system prompts for logon when any of the tokens is removed.

Lock workstation when inactive: The client system is locked when it is inactive for the set time.

Settings: Recovery
Enabled: The recovery option is enabled by default. If enabled, this activates the Administrator Recovery option in the client system.
Key Size: This drop-down list contains the options to select the recovery key size. The size of the recovery Response Code depends on this recovery key size. However, this does not affect the size of the Client Code.
  Low: This refers to a recovery key size that creates a short Response Code for the recovery.
  Medium: This refers to a recovery key size that creates a medium size Response Code for the recovery.
  High: This refers to a recovery key size that creates a lengthy Response Code for the recovery.
  Full: This refers to a recovery key size that creates a Response Code with the maximum number of characters for the recovery.
Message: Displays a text message when you select Recovery. This may include information such as your help desk contact details.


Settings: Boot Options
NOTE: These options are not applicable to Mac client systems.

Enable Boot Manager: This activates the built-in pre-boot partition manager. This allows you to select the primary partition on the hard disk that you wish to boot. Naming of the partition is also possible with the boot manager. The time out for the booting to start can also be set.
Always enable pre-boot USB support: Forces the Endpoint Encryption Pre-Boot code to always initialize the USB stack.
Enable pre-boot PCMCIA support: If selected, the policy enables pre-boot PCMCIA support.
Graphics Mode: Allows you to select the screen resolution for a system or a system group. The default option is Automatic.

Settings: Theme
Select theme: This drop-down list contains the options to select a theme.
Preview: Displays the preview of the selected theme. The preview is not available for shared policies from another McAfee ePO.

Settings: Encryption Providers
NOTE: These options are not applicable to Mac client systems.
Use compatible MBR: This causes EEPC to boot a built-in fixed MBR after pre-boot logon instead of the original MBR that was on the system. It is used to avoid problems with some systems that had other software that runs from the MBR and no longer works once EEPC is installed.
Fix OS boot record sides: Some boot records contain the incorrect number of sides. Selecting this option fixes this on the client system. This is available only when you install the EEPC extension.
Use Windows system drive as boot disk: This is for maintaining compatibility with some systems where disk 0 is not the boot disk. Selecting this option forces the boot disk to be treated as the one that contains the Windows directory rather than disk 0.

Table 3: User based policies

Settings: Authentication
Token Type: This specifies the authentication token, for example, password, smartcard, and so on. EEMac currently supports the Password token only.
Certificate Rule: McAfee Endpoint Encryption enhances the use of PKI and tokens to allow users to authenticate using their certificates. By using certificate rules, you can quickly make your Endpoint Encryption enterprise aware of all certificate-holding users, and can allow them to be allocated to PCs using Endpoint Encryption without having to create new smart cards or other forms of token for them to use. NOTE: This option is not applicable to Mac client systems.
  Provide LDAP user certificate: This provides the latest LDAP user certificate.
  Enforce certificate validity period on client: By default this is enabled to enforce the certificate validity period for the added certificate rule.
  Use latest certificate: This uses the latest certificate available.

Logon Hours: This defines the days and times when the user can log on to the client system. The restrictions are applied using the Apply Restrictions option.

Settings: Password
Default password: The default password is 12345. If the administrator changes the default password, the newly set password becomes the new default password for this policy under the User Based Policy category.
  Do not prompt for default password: Setting this option captures the user's credentials automatically without making them use a default password on Pre-Boot Authentication. For example, users can be captured through the Add Local Domain User option and can authenticate through the Pre-Boot without the default password.
Password change
  Enable password history __ changes (1-100): This keeps track of the specified number of previous passwords set by the user and does not allow the user to set the same passwords again.
  Prevent change: This option prevents the user from changing the password.
  Require change after __ days (1-366): This specifies the number of days after which the system prompts the user to change the password.
  Warn user __ days (0-30): This specifies how many days before expiry the system starts warning the user about the number of days left until the password expires.
Incorrect passwords
  Timeout password entry after __ invalid attempts (3-20): This option specifies the number of invalid password entries after which the system times out password attempts.
  Maximum disable time __ minutes (1-64): This specifies the maximum duration of the password entry timeout.
  Invalid password after __ invalid attempts (3-100): This specifies the number of attempts a user can make before the password becomes invalid.

Settings: Password Content Rules
Password length: This specifies the number of characters in a user password.
  Minimum (3-40): Defines the minimum number of characters for a user password.
  Maximum (3-255): Defines the maximum number of characters for a user password.


Enforce password content: This specifies the number of characters of each kind (alpha, numeric, alphanumeric, and symbols) that are required to form a password.
  Alpha: This specifies the number of letters that must be present in a user password.
  Numeric: Specifies the number of numeric characters that must be present in a user password.
  Alphanumeric: Specifies the number of alphanumeric characters that must be present in a user password.
  Symbols: Specifies the number of symbols that must be present in a user password.
Password content restrictions: This specifies the content restrictions for the user password.
  No anagrams: A word or phrase spelled by rearranging the letters of another word or phrase cannot be a password.
  No palindromes: A word or phrase that reads the same backward as forward cannot be a password.
  No sequences: The new password cannot be in sequence with the previous password.
  Can't be user name: A user name cannot be set as a password.
  Windows content rules: This requires the standard Windows password content rule to be followed: a Windows password should contain at least three of the following: lower case letters, upper case letters, numbers, symbols and special characters.
  No simple words: These are the set of words defined as simple words that cannot be used as passwords.
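As an added illustration, not McAfee's code, the following Python checker applies the Password and Password Content Rules options described above to a candidate password, so an administrator can see which option a password would trip before rolling a User Based Policy out. The readings of "No anagrams" and "No sequences" (both evaluated against the previous password), the history store shape, and the example policy values are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    """One User Based Policy's password settings (names follow the tables above)."""
    minimum: int = 3                 # Password length: Minimum (3-40)
    maximum: int = 40                # Password length: Maximum (3-255)
    alpha: int = 0                   # Enforce password content: letters required
    numeric: int = 0                 # digits required
    alphanumeric: int = 0            # letters plus digits required
    symbols: int = 0                 # non-alphanumeric characters required
    no_anagrams: bool = False        # Password content restrictions (the first
    no_palindromes: bool = False     # and third are checked against the previous
    no_sequences: bool = False       # password; an assumption, see lead-in)
    cant_be_user_name: bool = False
    windows_content_rules: bool = False
    simple_words: frozenset = frozenset()   # words imported into a Simple Words group
    history: int = 0                 # Enable password history __ changes (1-100)


# Constructed example policy (not a McAfee default): 8 to 40 characters, at least
# 4 letters, 2 digits and 1 symbol, every restriction on, a 5-deep history.
EXAMPLE_POLICY = PasswordPolicy(
    minimum=8, alpha=4, numeric=2, symbols=1, no_anagrams=True,
    no_palindromes=True, no_sequences=True, cant_be_user_name=True,
    windows_content_rules=True, simple_words=frozenset({"password", "welcome"}),
    history=5)

# Splits a password into text before its last number, the number, and any tail.
_LAST_NUMBER = re.compile(r"(.*?)(\d+)(\D*)")


def _is_sequence_of(new: str, previous: str) -> bool:
    """Assumed reading of 'No sequences': the previous password with its last
    number moved up or down by one (Winter11! -> Winter12!)."""
    m_new, m_old = _LAST_NUMBER.fullmatch(new), _LAST_NUMBER.fullmatch(previous)
    if not (m_new and m_old):
        return False
    same_text = m_new.group(1) == m_old.group(1) and m_new.group(3) == m_old.group(3)
    return same_text and abs(int(m_new.group(2)) - int(m_old.group(2))) == 1


def _meets_windows_rules(pw: str) -> bool:
    """Windows content rules: at least three of lower, upper, digits, symbols."""
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return sum(classes) >= 3


def check_password(candidate: str, user_name: str, previous: list,
                   policy: PasswordPolicy) -> list:
    """Return the policy violations for `candidate`; an empty list means accepted.
    `previous` lists earlier passwords newest first, as a history store would."""
    violations = []
    n = len(candidate)
    if not policy.minimum <= n <= policy.maximum:
        violations.append(f"length {n} outside {policy.minimum}-{policy.maximum}")
    letters = sum(c.isalpha() for c in candidate)
    digits = sum(c.isdigit() for c in candidate)
    syms = sum(not c.isalnum() for c in candidate)
    for count, need, label in ((letters, policy.alpha, "letters"),
                               (digits, policy.numeric, "digits"),
                               (letters + digits, policy.alphanumeric,
                                "alphanumeric characters"),
                               (syms, policy.symbols, "symbols")):
        if count < need:
            violations.append(f"needs {need} {label}")
    low = candidate.lower()
    last = previous[0].lower() if previous else None
    if policy.no_anagrams and last and sorted(low) == sorted(last):
        violations.append("anagram of previous password")
    if policy.no_palindromes and n > 1 and low == low[::-1]:
        violations.append("palindrome")
    if policy.no_sequences and previous and _is_sequence_of(candidate, previous[0]):
        violations.append("sequence of previous password")
    if policy.cant_be_user_name and low == user_name.lower():
        violations.append("equals user name")
    if policy.windows_content_rules and not _meets_windows_rules(candidate):
        violations.append("fails Windows content rules (3 of 4 character classes)")
    if low in policy.simple_words:
        violations.append("simple word")
    if policy.history and candidate in previous[:policy.history]:
        violations.append(f"reused within last {policy.history} passwords")
    return violations


if __name__ == "__main__":
    for pw in ("Winter12!", "Gx7#plum3Tree", "jsmith", "password"):
        result = check_password(pw, "jsmith", ["Winter11!"], EXAMPLE_POLICY)
        print(pw, "->", result or "accepted")
```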

Settings: Self-Recovery
Enable Self Recovery: This option enables self recovery.
Invalidate self recovery after No. of attempts: This specifies the number of attempts after which self recovery is disabled.
Questions to be answered: Specifies the number of questions to be answered by the user to perform self recovery. This lists the default questions for the selected language, and also provides an option to add more questions. NOTE: If a language does not have enough questions or has an error in it, the language appears in red.
Logons before forcing user to set answers: Specifies the number of logons before forcing the user to set answers.

Table 4: Server setting policies


Settings: General
If user is disabled in LDAP Server: This option allows you to disable, delete or ignore the user if the user has been disabled in the LDAP Server.
Batch size for retrieving users: This option allows the administrator to send the users to the client in batches rather than sending all of them at a time. Specify the number of users that are sent in each batch. Increasing the batch size increases the amount of memory required on the server and the client, but reduces the number of data channel messages that must be sent between the client and server.
Machine key re-use: The machine key re-use option is used to activate the system with the existing key present in the McAfee ePO server. This option is highly useful when a boot disk gets corrupted and the user cannot access the system. The disks other than the boot disk of a system whose boot disk is corrupted can be recovered by activating it with the same key from McAfee ePO. NOTE: This option is not applicable to Mac client systems.
User Information Fields: Used to add user information fields. You can add user information by specifying a question and the LDAP attribute name related to the user.

Settings: Mac OS X Software or PC software
Algorithm: Specifies the algorithm AES-256-CBC for the software encryption.
Pre-boot storage size 50MB (20-200): Allows you to set the size of the pre-boot file system (PBFS). Increasing the size of the PBFS increases the number of users that can be successfully assigned to the client system. The size is specified in MB, from 20 MB to 200 MB.

Settings: Non Compatible Products
Manage Non Compatible Products: Use this option to manage the list of products that are not compatible with McAfee Endpoint Encryption. You can also import a non compatible product rule that can detect and add the non compatible product to the list.

Settings: Themes
Manage Themes: Use this option to add and customize a theme that is used as a background in the Pre-Boot Authentication page.

Settings: Simple Words
Add Group: Use this option to create a group which can hold a number of simple words. This is not available for a shared policy from another McAfee ePO.
Remove Group: Use this option to delete a group.
Import words to group: Use this option to browse to a text file with a number of simple words that cannot be used as passwords. You can also select an encoding type for the file.
Regenerate Missing Simple Word Package: This compiles all the simple word groups and creates the simple words package files (.xml file).

Settings: Tokens
Manage Tokens: Use this option to add and manage extra token definitions. This allows the user to deploy and manage the additional token modules at any time after the initial installation, as required by the user.

Create a policy from Policy Catalog


Create a new policy from the Policy Catalog. By default, policies created here are not assigned to any groups or systems. When you create a policy here, you are adding a custom policy to the Policy Catalog. You can create policies before or after the McAfee Endpoint Encryption software is deployed.

Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog. The Policy Catalog page opens.
2 Click Actions | New Policy. The Create New Policy dialog box appears.
3 Select the policy Category from the drop-down list.
4 Select the policy you want to duplicate from the Create a policy based on this existing policy drop-down list.
5 Type a name for the new policy.
6 Type a description into the Notes field, if required, then click OK. The Policy Settings wizard opens.
7 Edit the policy settings on each tab as needed and click Save.

Edit the EE policy settings from Policy Catalog


Use ePolicy Orchestrator to modify the settings of a policy.

Before you begin
Your user account must have appropriate permissions to edit policy settings for the desired product.

Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog, then from the Product drop-down list, select Endpoint Encryption 1.1.2.
2 Select the policy Category from the drop-down list. All created policies for the selected category appear in the details pane.
3 Locate the policy, then click Edit Settings next to it.
4 Edit the settings as needed, then click Save.


Assign a policy to a system group


Assign a policy to multiple managed systems within a group. You can assign policies before or after deploying McAfee Endpoint Encryption.

Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Systems, then select a group in the System Tree. All the systems within this group (but not its subgroups) appear in the details pane.
2 Select a system, then click Actions | Agent | Set Policy & Inheritance. The Assign Policies page appears.
3 From the product drop-down list, select Endpoint Encryption 1.1.2.
4 Select the Category and Policy from the drop-down lists, then click Save.

Enforce EE policies on a system group


Enable or disable policy enforcement for a product on a System Tree group. Policy enforcement is enabled by default, and is inherited in the System Tree.

Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Assigned Policies, then select a group in the System Tree.
2 Select Endpoint Encryption from the Product drop-down list, then click Enforcing next to Enforcement Status. The Enforcement page appears.
3 To change the enforcement status, you must first select Break inheritance and assign the policy and settings below.
4 Next to Enforcement status, select Enforcing or Not enforcing accordingly.
5 Select whether to lock policy inheritance to prevent breaking enforcement for groups and systems that inherit this policy, then click Save.


Managing McAfee Endpoint Encryption users


The ePolicy Orchestrator server allows administrators to assign users from Windows Active Directory to McAfee Endpoint Encryption managed systems. The user's authentication credentials, token type, and user information fields are managed from the McAfee ePO server. McAfee Endpoint Encryption gives the administrator the freedom to add and remove users to and from systems or system groups at any time. Assigning users retrieves their properties from Windows Active Directory.

NOTE: This information is applicable to both Windows-based systems and Mac-based systems running McAfee Endpoint Encryption.

Contents
View the list of users assigned to a system
Remove users from a system
Edit user inheritance
How EEPC controls the Windows logon mechanism
Enable Single-Sign-On (SSO) on a system
Synchronize the EEPC password with the Windows password
Modify the token type associated with a system or a system group
Configure password content rules
Manage a disabled user in Windows Active Directory
Configure the global user information
Manage the logon hours
Define EE permission sets for McAfee ePO users

View the list of users assigned to a system


Use ePolicy Orchestrator to view the list of Endpoint Encryption users assigned to the client system.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Data Protection | Encryption Users. The My Organization page opens.
2 From the System Tree pane, select a system from a particular group.


3 Click Actions | Endpoint Encryption | View Users. The Encryption Users page appears with a list of users for the selected system.
NOTE: This does not display the user groups that are assigned at the branch level.

Remove users from a system


Using McAfee Endpoint Encryption, you can remove users from a client system. Check whether the user is assigned at system level or at branch level: if a user is assigned at branch level, the user is still sent to the client even after being removed from the system.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Data Protection | Encryption Users. The My Organization page opens.
2 Select a system from a particular group in the System Tree pane on the left.
3 Click Actions | Endpoint Encryption | View Users. The Encryption Users page for the selected system opens with the list of users.
4 Select the User name from the list.
5 Click Actions | Endpoint Encryption | Delete Users. The Confirmation page appears. Click Yes or No to delete or retain the selected user.

Edit user inheritance


Add users to a group or delete selected users from a group. You can also group users at different organizational levels and edit the inheritance as required. This lets you assign multiple users to systems without having to work on the individual systems.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Data Protection | Encryption Users. The My Organization page opens.
2 Select the Organizational Unit from the System Tree and click the Group Users tab.
3 Click Edit in Inheritance broken. The Edit Group Inheritance page appears.
4 Select Break inheritance, then click OK. The user Inheritance broken status:
  True: Specifies that the inheritance is broken. When you have a group of systems, you can break the inheritance in McAfee ePO, and then add the selected users to the group users from that level down. This means that all of the selected users are assigned to those systems from that node and any children.


  False: Specifies that the inheritance is not broken, which means that the selected users are assigned to all the systems present in the selected group.

How EEPC controls the Windows logon mechanism


EEPC intercepts the Windows logon mechanism using a Passthrough Shim GINA on Windows 2003 and XP, and a Credential Provider on Vista. On Windows 2000 and XP operating systems, a custom .ini file (EPEPCGINA.INI) is used to help EEPC analyze the logon page and port the credentials into the correct boxes on the logon page. In Windows Vista, Microsoft replaced the original MSGINA (Graphical Identification and Authentication) with a new method called the Microsoft Credential Provider. EEPC supports the Single Sign On architecture and implements a Credential Provider to communicate with Windows. EEPC displays each token as a potential logon method. When you log on to EEPC, it prompts for your Windows credentials only the first time, and EEPC stores the Windows credentials securely. On subsequent logon events, EEPC retrieves the stored Windows credentials to log on.

Enable Single-Sign-On (SSO) on a system


Enable SSO on a system, which allows the user to log on to the system with a single authentication process. It allows automatic logon to the system once the user authenticates through the Pre-Boot Authentication page.

NOTE: The SSO feature is applicable to Windows-based systems only.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree, then select a group under the System Tree pane on the left.
2 Select the target System, then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 From the Product drop-down list, select Endpoint Encryption 1.1.2. The policy Categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the Product Settings policy category, then click Edit Assignments. The Product Settings page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 From the Assigned Policy drop-down list, select the desired policy, then click Edit Policy. The policy settings page appears. NOTE: From this location, you can edit the selected policy, or create a new policy.
7 From the Log On tab, select Enable SSO under the Windows pane.


8 If required, select the options Must match user name, Synchronize Endpoint Encryption password with Windows, Allow user to cancel SSO, and Using smart card PIN.
  a Must match user name: This option ensures the SSO details are only captured when the user's Endpoint Encryption and Windows IDs match.
  b Using smart card PIN: This option allows the administrator to capture the smart card PIN for SSO.
  c Synchronize Endpoint Encryption password with Windows: This matches the EEPC password to the Windows password, so that the user needs to authenticate only on the Pre-Boot Authentication page with the Windows password.
  d Allow user to cancel SSO: This option allows the user to cancel the SSO to Windows in the Pre-Boot only. When this option is enabled, the user has an additional checkbox at the bottom of the Pre-Boot logon dialog box. This setting lasts for a single boot only.

9 Click Save in the Policy Settings page, then click Save in the Product Settings page.

10 Send an agent wake-up call.

Synchronize the EEPC password with the Windows password


Use this task to synchronize the EEPC password with the Windows password. This matches the EEPC password to the Windows password, so that the user needs to authenticate on the Pre-Boot Authentication page with the Windows password.

NOTE: This feature is applicable to Windows-based systems only.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree. The Systems page appears. Select the desired group under the System Tree pane on the left.
2 Select the desired System, then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 Select Endpoint Encryption 1.1.2 from the Product drop-down list. The policy Categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the Product Settings policy category, then click Edit Assignments. The Product Settings page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 From the Assigned policy drop-down list, select the required policy, then click Edit Policy. The policy settings page appears. NOTE: From this location, you can edit the selected policy, or create a new policy.
7 From the Log On tab, click Enable SSO, then select Synchronize Endpoint Encryption password with Windows under the Windows pane.


8 Click Save in the Policy Settings page, then click Save in the Product Settings page.
NOTE: Ensure that the Windows password adheres to the EEPC password restriction policy. Otherwise, the password synchronization does not run.

9 Send an agent wake-up call.

Modify the token type associated with a system or a system group


McAfee Endpoint Encryption supports different logon tokens, for example, Passwords, Starcos SmartCards, and Actividentity PKI SmartCard. The token type associated with a system or a system group can be modified using this task. You can create a new user-based policy with the required token type and deploy it to the required system or system group, or edit an existing policy and deploy it to a target system or system group.

NOTE: EEMac currently supports the Password token only.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree. The Systems page appears. Select a group under the System Tree pane on the left.
2 Select a System, then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 Select Endpoint Encryption 1.1.2 from the Product drop-down list. The policy Categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the User Based Policy category, then click Edit Assignments. The User Based Policies page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 From the Assigned policy drop-down list, select the policy, then click Edit Policy. The Policy Settings page appears. NOTE: From this location, you can edit the selected policy, or create a new policy.
7 From the Authentication tab, select the required Token Type from the Token Type drop-down list.
NOTE: McAfee Endpoint Encryption uses the information present in a public certificate store of a PKI to look up users and encrypt their unique Endpoint Encryption key with the public key available in their certificate. This certificate needs to be configured when selecting the Actividentity PKI SmartCard token.
8 Click Save in the Policy Settings page, then click Save in the User Based Policies settings page.
9 Send an agent wake-up call.


Configure password content rules


Use this task to configure the password content rules.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree. The Systems page appears. Select the group under the System Tree.
2 Select the System(s), then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 From the Product drop-down list, select Endpoint Encryption 1.1.2. The policy Categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the User Based Policy category, then click Edit Assignments. The User Based Policies page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 Select the policy from the Assigned policy drop-down list, then click Edit Policy. The Policy Settings page appears. NOTE: From this location, you can edit the selected policy, or create a new policy.
7 From the Password Content Rules tab, type the Password Length in the Minimum and Maximum fields.
8 In Enforce password content, type the number of Alpha, Numeric, Alphanumeric, and Symbols characters required to form a password.
9 Select or deselect the options under Password content restrictions to define the password content restriction rules.

10 Click Save in the Policy Settings page, then click Save in the User Based Policies settings page.
11 Send an agent wake-up call.

Manage a disabled user in Windows Active Directory


Use this task to disable, delete or ignore a user who has been disabled in the LDAP/AD server.

Before you begin
Make sure that the server task EE LDAP server user or group synchronization is enabled.

Task
For option definitions, click ? in the interface.
1 Click Menu | Configuration | Server Settings. The Server Settings page appears.
2 Click Endpoint Encryption in the Setting Categories pane, then click Edit. The Edit Endpoint Encryption page opens on the General tab.


3 Select Disable, Ignore or Delete from the If user disable in directory drop-down list if the user has been disabled in Active Directory.
NOTE: Options in the drop-down list are applicable only to users disabled in Active Directory.

4 Click Save.

Configure the global user information


Use this task to configure the user information fields.

Before you begin
Make sure that the server task EE LDAP server user or group synchronization is enabled.

Task
For option definitions, click ? in the interface.
1 Click Menu | Configuration | Server Settings. The Server Settings page appears.
2 Click Endpoint Encryption in the Setting Categories pane, then click Edit. The Edit Endpoint Encryption page opens on the General tab.
3 Click Add next to User Information Fields.
4 Type the Question relating to the user, then select the required user attribute name from the Ldap Attribute Name list. NOTE: Ldap here refers to Windows Active Directory.
5 Click + or - in the interface to add or remove user information fields.
6 Click Save.
NOTE: User information fields can be set by selecting the individual user in the EE User Query. To display the users, click Menu | Reporting | Queries | Shared Groups | Endpoint Encryption, then click Run in EE: Users.

Manage the logon hours


Control and limit the times when a user can log on to the McAfee Endpoint Encryption client system. This option does not force users to log out of the current session, even if the current time falls within the logon restriction. However, once the user logs out of the system, the user cannot log on again until the next allowed logon hour.

NOTE: The logon hours policy is applied only when the user is not logged on.

Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree, then select a group under the System Tree.
2 Select a System(s), then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.

60

McAfee Endpoint Encryption - 6.1 Patch 2 (EEPC) and 1.0.0 (EEMac) Product Guide

Managing McAfee Endpoint Encryption users Define EE permission sets for McAfee ePO users

3 4 5 6

Select Endpoint Encryption 1.1.2 from the Product drop-down list. The policy Categories under Endpoint Encryption appear with the system's assigned policy. Select the User Based Policy category, then click Edit Assignments. The User Based Policies page appears. If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from. Select the desired policy from the Assigned policy drop-down list, then click Edit Policy. The Policy Settings page appears. NOTE: From this location, you can edit the selected policy, or create a new policy.

7 8 9

From the Authentication tab, select Apply restrictions in Logon Hours, then schedule the logon timing by blocking or allowing different logon hours. Click Save in the policy settings page, then click Save in the User Based Policies settings page. Send an agent wake-up call.

Define EE permission sets for McAfee ePO users


In McAfee ePO, administrator rights management determines what actions ePolicy Orchestrator users can perform while administering the McAfee Endpoint Encryption software. The administrator can set up Endpoint Encryption product-specific permission sets for the different users and systems on McAfee ePO.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | User Management | Permission Sets. The Permission Sets page opens.
2 Click New Permission Set. The New Permission Set page opens.
3 Type a permission set name in the Name field.
4 Select the Active Directory groups mapped to this permission set. To add a new Active Directory group, click Add, browse to the group and click OK.
5 Select the Server name, then click Save. The Permission Set page appears.
6 Click Edit next to Endpoint Encryption under the newly created permission set. The Edit Permission Set page opens.
7 Select the required permission setting, then click Save.
NOTE: You can assign this new permission set to an existing or a new McAfee ePO user using Menu | User Management | Users.


Managing client computers


System management helps administrators import system information from the Active Directory server into McAfee ePO. This is useful when installing EE and assigning users to systems.
NOTE: This section is applicable to both EEPC and EEMac.

Contents
Add a system to an existing system group
Move systems between groups
Select the disks for encryption
Enable or disable the automatic booting
Set the priority of encryption providers
Maintain a list of non-compatible products
Manage the default and customized themes
Manage simple words

Add a system to an existing system group


Use ePolicy Orchestrator to import systems from your Network Neighborhood to groups for working with EEPC. You can also import a network domain or Active Directory container.
NOTE: When managing client systems for EEMac, the client system is automatically added to the System Tree in McAfee ePO on successful installation of the McAfee Agent for Mac on the Mac client system, so you do not have to add the Mac client manually.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree, then in the System Tree Actions menu click New Systems. The New Systems page appears.
2 Select the required option from How to add systems.
3 In the Systems to add field, type the NetBIOS name for each system in the text box, separated by commas, spaces, or line breaks. Alternatively, click Browse to select the systems. If you select Push agents and add systems to the current group, you can enable automatic System Tree sorting. Do this to apply the sorting criteria to these systems.
4 Type the following options:

Option                              Action
Agent version                       Select the agent version to deploy
Installation path                   Configure the agent installation path or accept the default
Credentials for agent installation  Type valid credentials to install the agent:
                                    Domain: Type the domain of the system
                                    User name: Type the login user name
                                    Password: Type the login password
Number of attempts                  Type an integer for the specified number of attempts, or use zero for continuous attempts
Retry interval                      Type the interval in number of seconds between two attempts
Abort After                         Type the number of minutes before stopping the connection
Connect using                       Select either one specific Agent Handler or all Agent Handlers

5 Click OK.
For more details and procedures on how to perform this task, see the ePolicy Orchestrator product documentation for versions 4.5 and 4.6.

Move systems between groups


Move systems from one group to another in the System Tree. You can move systems from any page that displays a table of systems, including the results of a query.
NOTE: In addition to the steps below, you can also drag-and-drop systems from the Systems table to any group in the System Tree.
Even if you have a perfectly organized System Tree that mirrors your network hierarchy, and use automated tasks and tools to regularly synchronize your System Tree, you may need to move systems manually between groups. For example, you may need to periodically move systems from the Lost&Found group.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Systems, then browse to and select the systems.
2 Click Actions | Directory Management | Move Systems. The Select New Group page appears.
3 Select whether to enable, disable, or not change the System Tree sorting on the selected systems when they are moved.
4 Select the group in which to place the systems, then click OK.


Select the disks for encryption


Use ePolicy Orchestrator to select which disks, according to your requirements, need to be encrypted.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree, then select a group under System Tree.
2 Select a System(s), then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 From the Product drop-down list, select Endpoint Encryption 1.1.2. The policy Categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the Product Settings policy category, then click Edit Assignments. The Product Settings page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 Select the policy from the Assigned policy drop-down list, then click Edit Policy. The Policy Settings page appears.
NOTE: From this location, you can edit the selected policy, or create a new policy.
7 From the Encryption tab, select the disk(s) to be encrypted from the Encrypt drop-down list.
NOTE: To initiate the encryption on the client, you must select an option other than None. The default option None does not initiate the encryption.
8 On the Policy Settings page, click Save, then click Save in the Product Settings page.
9 Send an agent wake-up call.

Enable or disable the automatic booting


Use ePolicy Orchestrator to enable or disable the automatic booting on the client computer. The Endpoint Encryption Pre-Boot logon environment allows the user to select a logon method and to provide authentication credentials such as user ID and password. If the user provides the correct authentication details, the McAfee Endpoint Encryption boot code starts the crypt driver in memory and boots the original operating system of the protected system. Enabling the automatic booting removes the Pre-Boot Authentication from the client system.
NOTE: If you enable this option, be aware that the McAfee Endpoint Encryption software does not protect the data on the drive while the system is not in use, because no credentials are required to boot it.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree, then select a group under System Tree.
2 Select a System(s), then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 From the Product drop-down list, select Endpoint Encryption 1.1.2. The policy Categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the Product Settings policy category, then click Edit Assignments. The Product Settings page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 Select the policy from the Assigned policy drop-down list, then click Edit Policy. The Policy Settings page appears.
NOTE: From this location, you can edit the selected policy, or create a new policy.
7 From the Log On tab, select or deselect Enable Automatic Booting under the Endpoint Encryption pane to disable or enable the Pre-Boot environment. A security warning message "This will remove the pre-boot authentication. Are you sure?" appears.
8 Click Yes or No to enable or disable the automatic booting.
9 Set the expiration date and time for the automatic booting if required.
10 Click Save in the Policy Settings page, then click Save in the Product Settings page.
11 Send an agent wake-up call.

Set the priority of encryption providers


Use this task to set the priority of encryption providers.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree, then select a group under System Tree.
2 Select a System(s), then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 From the Product drop-down list, select Endpoint Encryption 1.1.2. The policy Categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the Product Settings policy category, then click Edit Assignments. The Product Settings page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 Select the desired policy from the Assigned policy drop-down list, then click Edit Policy. The Policy Settings page appears.
NOTE: From this location, you can edit the selected policy, or create a new policy.
7 From the Encryption tab, select the Encryption Provider from the Encryption Provider Priority list. If there is more than one encryption provider, set the priority by moving between the encryption providers using the Move Up and Move Down options.
8 Click Save in the Policy Settings page, then click Save in the Product Settings page.
9 Send an agent wake-up call.

Maintain a list of non-compatible products


Use ePolicy Orchestrator to create and maintain a list of non-compatible products.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Configuration | Server Settings. The Server Settings page appears.
2 Click Endpoint Encryption in the Setting Categories pane, then click the Manage Non Compatible Products option at the right. The Endpoint Encryption Non Compatible Products page appears with a list of products that are not compatible with McAfee Endpoint Encryption.
3 To import a non-compatible product, click Actions | Import Non Compatible Product Rule. The Import Non Compatible Product Rule page appears.
4 Browse and select the .xml file that defines the rule to detect the non-compatible product, then click OK. This detects the corresponding product that is not compatible with Endpoint Encryption and adds it to the non-compatible product list.

Manage the default and customized themes


Add and manage a theme that is used as the background of the Pre-Boot Authentication page. The Endpoint Encryption Themes package is added automatically to the master repository (Menu | Software | Master Repository) after installing the EEAdmin.ZIP extension in ePolicy Orchestrator. The default theme is downloaded to the client when the EEAgent and EEPC software package deployment task is sent to the client computers.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Configuration | Server Settings. The Server Settings page appears.
2 Click Endpoint Encryption in the Setting Categories pane, then click the Manage Themes option at the right. The Endpoint Encryption Theme page opens.
3 Click Actions | Add. The Install new theme page appears.
4 Type a theme name in the Name field, then select the Create a new theme based on an existing theme option.
5 Select a theme from the Based on drop-down list.
6 Browse to the Background Image, then click OK. This creates the new theme package in the C:\Program Files\McAfee\ePolicyOrchestrator\DB\Software\Current\EETHEME\DAT\0000 folder.
NOTE: You can also browse and install a theme package using the Select Theme package to install option.
7 Download the custom themes to the client using one of the following:
- The Update Now option under Menu | Systems | System Tree | Actions | Agent in ePolicy Orchestrator
- A Product Update task
- Update Security from the client
NOTE: All themes have a unique ID for identification. When you run the update task, the theme IDs are verified against the existing theme IDs on the client, then the new theme is downloaded to the client. The downloaded theme packages are stored in the following folder on the client system:
- EEPC: C:\Program files\McAfee\Endpoint Encryption Agent\Repository\Themes
- EEMac: /Library/McAfee/ee/Agent/Repository/Themes
8 Change the theme in the Product Settings policy and send an agent wake-up call to apply the customized theme.

Assign a customized theme to a system


Use ePolicy Orchestrator to assign a theme to a system.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree. The Systems page appears.
2 Select the group under System Tree.
3 Select the System(s), then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
4 From the Product drop-down list, select Endpoint Encryption 1.1.2. The policy Categories under Endpoint Encryption appear with the system's assigned policy.
5 Select the Product Settings policy category, then click Edit Assignments. The Product Settings page appears. If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 Select the policy from the Assigned policy drop-down list, then click Edit Policy. The Policy Settings page appears.
NOTE: From this location, you can edit the selected policy, or create a new policy.
7 From the Theme tab, select the desired customized theme from the Select theme drop-down list.
8 Click Save in the Policy Settings page, then click Save in the Product Settings page.
9 Send an agent wake-up call.

Manage simple words


Use ePolicy Orchestrator to add and manage simple words that cannot be used as passwords. The Endpoint Encryption Simple Words are added automatically to the master repository (Menu | Software | Master Repository) after installing the EEAdmin.ZIP extension in ePolicy Orchestrator.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Configuration | Server Settings. The Server Settings page appears.
2 Click Endpoint Encryption in the Setting Categories pane, then click the Manage Simple Words option at the right. The Manage Simple Words page opens.
3 Click Group Actions | Add Group. The Add Group window appears.
4 Type the name of the group and click OK to create the Simple Word group.
5 Click Actions | Add and type the simple words that cannot be used as passwords.
6 Click Group Actions | Regenerate Missing Simple Word Package and click Yes in the confirmation message window to create the simple words package. This creates the simple words package (.xml file) for the simple words group in the C:\Program Files\McAfee\ePolicyOrchestrator\DB\Software\Current\EESWORD\DAT\0000 folder.
7 Download the simple word package to the client using one of these methods:
- The Update Now option under Menu | Systems | System Tree | Actions | Agent in ePolicy Orchestrator
- A Product Update task
- Update Security from the client
NOTE: All simple word packages (.xml files) have a unique ID for identification. When you run the update task, the package IDs are verified against the existing package IDs on the client, then the new package file is downloaded to the client. The downloaded simple word packages are stored in the following folder on the client system:
- EEPC: C:\Program files\McAfee\Endpoint Encryption Agent\Repository\SimpleWords
- EEMac: /Library/McAfee/ee/Agent/Repository/SimpleWords
8 Enable the No simple words option under User Based Policies | Password Content Rules, select the required word group from the drop-down list, then send an agent wake-up call to apply the policy to the client.
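The password content rule that the No simple words option enforces, written out as an added example (this is not McAfee's code and not the client's actual implementation). The product distributes the simple words as .xml packages whose schema is not given on this page, so a constructed Python set stands in for the group contents; the case-insensitive exact match, the substring rule for words of four or more characters, and the character-substitution folding are this example's own assumptions about how a useful version of such a rule behaves.

```python
"""Password content check against a simple-words group.

Added example, not McAfee code. The product ships simple words as .xml
packages (schema not given here), so a constructed Python set stands in for
the group contents. The matching rules below are this example's assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample group (the real one is the package under
# ...\EESWORD\DAT\0000 on the server and ...\Repository\SimpleWords on the client).
SIMPLE_WORDS_GROUP = {"password", "welcome", "letmein", "qwerty", "mcafee", "123456"}

# Common character substitutions, folded so that "P@ssw0rd" is treated as "password".
_SUBSTITUTIONS = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})


@dataclass
class RuleResult:
    allowed: bool
    reason: str


def normalize(text: str) -> str:
    """Lower-case, fold substitutions and drop punctuation such as trailing '!!'."""
    folded = text.lower().translate(_SUBSTITUTIONS)
    return re.sub(r"[^a-z0-9]", "", folded)


def check_password(candidate: str, simple_words=SIMPLE_WORDS_GROUP,
                   substring: bool = True, min_substring_len: int = 4) -> RuleResult:
    """Reject a candidate that equals, or (optionally) contains, a simple word.

    Both sides are normalized so that case and leet-style spelling do not
    bypass the rule; the substring rule is only applied to words long enough
    that it does not reject every password containing, say, 'a'.
    """
    core = normalize(candidate)
    for word in sorted(simple_words):  # sorted so the reason string is deterministic
        w = normalize(word)
        if not w:
            continue
        if core == w:
            return RuleResult(False, f"password equals simple word '{word}'")
        if substring and len(w) >= min_substring_len and w in core:
            return RuleResult(False, f"password contains simple word '{word}'")
    return RuleResult(True, "no simple word match")


if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "Welcome2011", "Tr0ub4dor&3"):
        print(pw, check_password(pw))
```

Because the same normalization is applied to the group words and to the candidate, an entry such as 123456 still matches after the digit folding; disable the substring rule (substring=False) if the group is large and you only want exact matches, as a plain word list would otherwise reject many legitimate passphrases.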


Managing EE reports
McAfee Endpoint Encryption queries are configurable objects that retrieve and display data from the database. These queries can be displayed in charts and tables. Any query results can be exported to a variety of formats, any of which can be downloaded or sent as an attachment to an email message. Most queries can be used as dashboard monitors.
NOTE: This section is relevant to both EEPC and EEMac.

Contents
Queries as dashboard monitors
Create EE custom queries
View the standard EE reports
Create the EE dashboard
View the EE dashboard
Report the encrypted and decrypted systems

Queries as dashboard monitors


Most queries can be used as a dashboard monitor (except those using a table to display the initial results). Dashboard monitors are refreshed automatically on a user-configured interval (five minutes by default).

Exported results
McAfee Endpoint Encryption query results can be exported to four different formats. Exported results are historical data and are not refreshed like other monitors when used as dashboard monitors. Like query results and query-based monitors displayed in the console, you can drill down into the HTML exports for more detailed information.
Reports are available in several formats:
- CSV: Use the data in a spreadsheet application (for example, Microsoft Excel).
- XML: Transform the data for other purposes.
- HTML: View the exported results as a web page.
- PDF: Print the results.

Create EE custom queries


Use this option to create Endpoint Encryption custom queries with the Query Builder wizard.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Reporting | Queries, then click Actions | New Query. The Query Builder wizard opens.
2 On the Result Type page, select Others from the Feature Group pane and Endpoint Encryption as the Result Type for the query, then click Next. The Chart page appears.
NOTE: This choice determines the options available on subsequent pages of the wizard.
3 Select the type of chart or table to display the primary results of the query, then click Next. The Columns page appears.
NOTE: If you select Boolean Pie Chart, you must configure the criteria to include in the query.
4 Select the columns to be included in the query, then click Next. The Filter page appears.
NOTE: If you selected Table on the Chart page, the columns you select here are the columns of that table. Otherwise, these are the columns that make up the query details table.
5 Select properties to narrow the search results, then click Run. The Unsaved Query page displays the results of the query, which is actionable, so you can take any available actions on items in any tables or drill-down tables.
NOTE: Selected properties appear in the content pane with operators that can specify criteria used to narrow the data that is returned for that property. If the query did not return the expected results, click Edit Query to go back to the Query Builder and edit the details of this query. If you do not need to save the query, click Close.
6 If this is a query you want to use again, click Save and continue to the next step. The Save Query page appears. Type a name for the query, add any notes, and select one of the following:
- New Group: Type the new group name and select either Private group (My Groups) or Public group (Shared Groups).
- Existing Group: Select the group from the list of Shared Groups.
7 Click Save.

View the standard EE reports


Use this option to run and view the standard Endpoint Encryption reports from the Queries page.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Reporting | Queries. The Queries page opens.
2 Select Endpoint Encryption from Shared Groups in the Groups pane. The standard EE query list appears.

Query                                Description
EE: Disk Status                      Displays the status of the disk.
EE: Disk Status (Rollup)             Displays the EE: Disk Status compiled from various ePolicy Orchestrators.
EE: Encryption Provider              Displays which encryption provider is active on each system.
EE: Installed version                Displays the version of the endpoint encryption installed on systems.
EE: Installed Version Rollup         Displays the EE: Installed version details compiled from various ePolicy Orchestrators.
EE: Migration log (Windows only)     Displays the log details and the results of the v5.x.x user import.
EE: Migration lookup (Windows only)  Displays the details about the assignments of the user group, machines, and users.
EE: Product client events            Displays Endpoint Encryption client events.
EE: Users                            Lists all endpoint encryption users. From here, the user can use the following options to manage the users in the selected system:
                                     Clear SSO details: Clears the SSO details of the selected user (only for Windows)
                                     Force User To Change Password: Prompts the user to change the password in the EE authentication.
                                     Reset Token: Resets the token for the selected user
                                     User Information: Maintains the user information with a list of questions and answers
EE: V5 Audit (Windows only)          Displays the imported audit logs from v5.x.x. Be aware that the audit log is displayed only if you selected the audit option during the export process.
EE: Volume Status                    Displays the EE: Volume Status.
EE: Volume Status (Rollup)           Displays the EE: Volume Status compiled from various ePolicy Orchestrators.

3 Select a query from the Queries list.
4 Click Actions | Run. The query results appear. Drill down into the report and take actions on items as necessary. Available actions depend on the permissions of the user.
NOTE: The user has an option to edit the query and to view the details of the query.
5 Click Close when finished.
While implementing and enforcing the Endpoint Encryption policies that control how sensitive data is encrypted, administrators can monitor real-time client events and generate reports using the EE: Product client events query.


Event ID  Event                                             Event Description
30000     Logon Event                                       This event is reported in McAfee ePO whenever a Pre-Boot or an Endpoint Encryption logon happens.
30001     Password Changed Event                            This event is reported in McAfee ePO whenever the user changes the EE password.
30002     Password Invalidated Event                        This event is reported in McAfee ePO whenever the EE password is invalidated after a fixed number of unsuccessful login attempts.
30003     Token Initialization Event                        This event is reported in McAfee ePO when the user changes the default password during the first pre-boot logon.
30004     System Boot Event                                 This event is reported in McAfee ePO whenever the system restarts after making EE active.
30005     Administrator Recovery Event                      This event is reported in McAfee ePO for every successful Administrator Recovery.
30006     Self Recovery Event                               This event is reported in McAfee ePO for every successful Self Recovery.
30007     Self Recovery Invalidated Event                   This event is reported in McAfee ePO whenever the Self Recovery is invalidated after a fixed number of unsuccessful login attempts.
30008     Crypt Start Event                                 This event is reported in McAfee ePO when the encryption starts on the client system.
30009     Crypt Paused Event                                This event is reported in McAfee ePO when the encryption pauses on the client system.
30010     Crypt Complete Event                              This event is reported in McAfee ePO when the encryption finishes on the client system.
30011     Crypt Volume Start Event                          This event is reported in McAfee ePO when the specified volume encryption/decryption starts.
30012     Crypt Volume Complete Event                       This event is reported in McAfee ePO when the specified volume encryption/decryption is completed.
30013     Policy Change Start Event                         This event is reported in McAfee ePO when a policy change is initiated.
30014     Policy Change Complete Event                      This event is reported in McAfee ePO when the policy change is completed.
30015     Activation Start Event                            This event is reported in McAfee ePO when the EE activation starts on the client system.
30016     Activation Complete Event                         This event is reported in McAfee ePO when the EE activation is completed on the client system.
30017     General Exception Event                           This event is reported in McAfee ePO whenever an exception occurs on the client system.
30018     Emergency Recovery Start                          This event is reported in McAfee ePO whenever the Emergency Recovery is initiated.
30019     Emergency Recovery Complete                       This event is reported in McAfee ePO whenever the Emergency Recovery is completed.
30020     Upgrade Start                                     This event is reported in McAfee ePO whenever the Upgrade process is initiated.
30021     Upgrade Complete                                  This event is reported in McAfee ePO whenever the Upgrade process is complete.
30022     User Update Error                                 This event is reported in McAfee ePO whenever a user update error occurs.
30026     Encryption Key Not Available                      This event is reported in McAfee ePO whenever the encryption key is not available.
30027     Installation Aborted: 32-bit EFI unsupported      This event is reported in McAfee ePO when the installation is stopped on a Mac with 32-bit EFI.
30028     Installation Aborted: Mac platform unsupported    This event is reported in McAfee ePO when the installation is disrupted on an unsupported Mac platform.
30029     Installation Aborted: Mac OS X version unsupported  This event is reported in McAfee ePO when the installation is stopped on an unsupported Mac OS X version.
2411      Deployment Successful                             This event is reported in McAfee ePO for every successful EEPC or EEMac deployment.
2422      Deployment Failure                                This event is reported in McAfee ePO for every deployment failure of EEPC or EEMac.
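The event table above is what an administrator would key on when monitoring EE: Product client events. The following added example (not McAfee code and not an ePO API) shows a batch triage over such events: it maps the Event IDs from the table to their names and raises a small set of findings worth a second look, such as a Password Invalidated or Self Recovery Invalidated event followed shortly by an Administrator Recovery, an Encryption Key Not Available event, a deployment failure, and a Crypt Start with no Crypt Complete in the same batch. The batch is a constructed CSV in the shape of an exported query; the column names (ReceivedUTC, SystemName, UserName, EventID) and the one-hour window are assumptions.

```python
"""Triage a batch of Endpoint Encryption client events by Event ID.

Added example, not McAfee code or an ePO API. The Event IDs and names come
from the product guide's event table; the CSV layout and sample rows are
constructed for this example.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

EE_EVENTS = {
    30000: "Logon Event", 30001: "Password Changed Event",
    30002: "Password Invalidated Event", 30003: "Token Initialization Event",
    30004: "System Boot Event", 30005: "Administrator Recovery Event",
    30006: "Self Recovery Event", 30007: "Self Recovery Invalidated Event",
    30008: "Crypt Start Event", 30009: "Crypt Paused Event",
    30010: "Crypt Complete Event", 30011: "Crypt Volume Start Event",
    30012: "Crypt Volume Complete Event", 30013: "Policy Change Start Event",
    30014: "Policy Change Complete Event", 30015: "Activation Start Event",
    30016: "Activation Complete Event", 30017: "General Exception Event",
    30018: "Emergency Recovery Start", 30019: "Emergency Recovery Complete",
    30020: "Upgrade Start", 30021: "Upgrade Complete", 30022: "User Update Error",
    30026: "Encryption Key Not Available",
    30027: "Installation Aborted: 32-bit EFI unsupported",
    30028: "Installation Aborted: Mac platform unsupported",
    30029: "Installation Aborted: Mac OS X version unsupported",
    2411: "Deployment Successful", 2422: "Deployment Failure",
}

# Constructed sample export (not real data); column names are assumed.
SAMPLE_EXPORT = """\
ReceivedUTC,SystemName,UserName,EventID
2011-06-01 08:00:12,LAPTOP-017,jdoe,30000
2011-06-01 08:03:40,LAPTOP-017,jdoe,30008
2011-06-01 09:10:05,LAPTOP-042,asmith,30002
2011-06-01 09:11:30,LAPTOP-042,asmith,30002
2011-06-01 09:12:55,LAPTOP-042,asmith,30007
2011-06-01 09:30:00,LAPTOP-042,asmith,30005
2011-06-01 10:15:00,LAPTOP-099,,30026
2011-06-01 10:20:00,LAPTOP-017,jdoe,30010
2011-06-01 11:00:00,DESKTOP-003,,2422
"""


def parse_events(export_text):
    """Parse the CSV export into dicts sorted by time, resolving the event name."""
    events = []
    for row in csv.DictReader(io.StringIO(export_text)):
        event_id = int(row["EventID"])
        events.append({
            "time": datetime.strptime(row["ReceivedUTC"], "%Y-%m-%d %H:%M:%S"),
            "system": row["SystemName"],
            "user": row["UserName"],
            "id": event_id,
            "name": EE_EVENTS.get(event_id, "Unknown EE event"),
        })
    return sorted(events, key=lambda e: e["time"])


def triage(events, window=timedelta(hours=1)):
    """Return (rule, system, detail) findings, sorted for stable output."""
    findings = []
    by_system = defaultdict(list)
    for e in events:
        by_system[e["system"]].append(e)
    for system, evs in by_system.items():
        ids = [e["id"] for e in evs]
        for e in evs:  # single-event findings
            if e["id"] == 30026:
                findings.append(("encryption_key_not_available", system, e["name"]))
            elif e["id"] == 2422:
                findings.append(("deployment_failure", system, e["name"]))
            elif e["id"] == 30017:
                findings.append(("general_exception", system, e["name"]))
        # an invalidation followed by an administrator recovery inside the window
        for i, e in enumerate(evs):
            if e["id"] in (30002, 30007):
                later = [x for x in evs[i + 1:]
                         if x["id"] == 30005 and x["time"] - e["time"] <= window]
                if later:
                    findings.append(("invalidation_then_admin_recovery", system,
                                     f"{e['name']} at {e['time']:%H:%M} then "
                                     f"{later[0]['name']} at {later[0]['time']:%H:%M}"))
                    break
        # encryption started in this batch but never reported complete
        if 30008 in ids and 30010 not in ids[ids.index(30008):]:
            findings.append(("crypt_start_without_complete", system,
                             "Crypt Start Event with no Crypt Complete Event"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, system, detail in triage(parse_events(SAMPLE_EXPORT)):
        print(f"{rule:34} {system:12} {detail}")
```

The invalidation-then-recovery rule is deliberately a review item rather than an alert: an administrator recovery right after a lockout is the normal helpdesk path, but a defender still wants each such pair logged against the user and the system that raised it. Run over a real export, the crypt-start rule should only be evaluated across a batch long enough to contain the full encryption run, or it reports false positives for systems that are still encrypting.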

Create the EE dashboard


Use this option to create the Endpoint Encryption dashboard.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Reporting | Dashboards, then click Options | Manage Dashboards. The Manage Dashboards page appears.
2 Click New Dashboard.
3 Type a name and select a size for the dashboard.
4 For each monitor, click New Monitor, select the monitor from the Endpoint Encryption shared group to display in the dashboard, then click OK.
5 Click Save, then select whether to make this dashboard active. Active dashboards appear on the tab bar of Dashboards.
6 Optionally, you can make this dashboard public from the Manage Dashboards page by clicking Make Public.
NOTE: All new dashboards are saved to the private My Dashboards category.

View the EE dashboard


Use this option to make the Endpoint Encryption dashboard part of your active set.

Task
For option definitions, click ? in the interface.
1 Click Menu | Reporting | Dashboards, then click Options | Select Active Dashboards. The Select Active Dashboards page appears.
2 Select Endpoint Encryption from the Available Dashboards list, then click OK.

Report the encrypted and decrypted systems


Determine the encryption status of any managed client system. The disk status reported for a system (Encrypted or Decrypted) indicates that client system's encryption or decryption status.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Reporting | Queries. The Queries page opens.
2 Click Shared Groups | Endpoint Encryption in the Groups pane.
NOTE: Edit the EE: Disk Status query to display the system details in table format. This gives you a simplified view of the system and its encryption status. Make sure to include the State (Disk) column in the table.
3 Click Run in the EE: Disk Status entry in the Queries list. The EE: Disk Status page appears with the list of client systems and the details configured in the query. The State (Disk) column indicates the system status as Encrypted or Decrypted.
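Because the query results can be exported to CSV, the same State (Disk) view can be turned into a compliance list outside the console. The following is an added example, not McAfee code: it reads a constructed CSV in the shape of an EE: Disk Status export, counts disks per state, and lists the systems that need attention. The State (Disk) column is the one documented above; the other column names and the rows are assumptions made for the example. It goes slightly beyond the page's text in treating a system as non-compliant when any one of its disks is not Encrypted, and in reporting a blank state (a client that has not yet reported) separately.

```python
"""Summarize an EE: Disk Status CSV export into an encryption compliance view.

Added example, not McAfee code. Only the State (Disk) column is taken from
the product guide; the other columns and the sample rows are constructed.
"""
import csv
import io
from collections import Counter

# Constructed sample export (not real data).
SAMPLE_DISK_STATUS_CSV = """\
System Name,Disk Name,State (Disk),Last Communication
LAPTOP-017,Disk 0,Encrypted,2011-06-01 10:20:00
LAPTOP-042,Disk 0,Encrypted,2011-06-01 09:30:00
LAPTOP-042,Disk 1,Decrypted,2011-06-01 09:30:00
LAPTOP-099,Disk 0,Decrypted,2011-05-20 16:05:00
DESKTOP-003,Disk 0,,2011-06-01 08:00:00
"""


def parse_disk_status(csv_text):
    """One dict per exported row (one row per disk, so a system may appear twice)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def compliance_report(rows):
    """Return per-state disk counts plus the systems needing attention.

    A system is non-compliant if any of its disks reports a state other than
    Encrypted. A blank State (Disk) means the client has not reported a disk
    state yet and is listed under 'unknown' rather than silently counted as fine.
    """
    counts = Counter()
    non_compliant, unknown = set(), set()
    for row in rows:
        state = (row.get("State (Disk)") or "").strip()
        system = row["System Name"]
        if not state:
            counts["Unknown"] += 1
            unknown.add(system)
            continue
        counts[state] += 1
        if state != "Encrypted":
            non_compliant.add(system)
    return {
        "counts": dict(counts),
        "non_compliant": sorted(non_compliant),
        "unknown": sorted(unknown),
    }


if __name__ == "__main__":
    report = compliance_report(parse_disk_status(SAMPLE_DISK_STATUS_CSV))
    print(report)
```

Note that the export is per disk rather than per system, which is why LAPTOP-042 with one encrypted and one decrypted disk lands in the non-compliant list; a per-system report that only looked at the first row would miss it.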


Recovering users and systems


Resetting a remote user's password, or replacing the user's logon token if it has been lost, requires a challenge and response procedure.
NOTE: This section is applicable to both EEPC and EEMac.

Contents
Enable or disable the self recovery functionality
Perform the self recovery on the client computer
Enable or disable the administrator recovery functionality
Perform the administrator (system and user) recovery on the client computer
Generate the response code for the administrator (system and user) recovery

Enable or disable the self recovery functionality


The Self Recovery option allows the user to reset a forgotten password by answering a set of security questions. The list of security questions is set by the administrator using McAfee ePO. If the user's answers match what has been stored with their self recovery information, they can proceed through the recovery process. Use McAfee ePO to enable or disable the self recovery functionality on the client computer.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree, then select a group under System Tree.
2 Select a System(s), then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 From the Product drop-down list, select Endpoint Encryption 1.1.2. The policy Categories under Endpoint Encryption appear with the system's assigned policy.
4 Locate the User Based Policies policy category, then click Edit Assignments. The User Based Policies page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 Select a policy from the Assigned policy drop-down list, then click Edit Policy. The Policy Settings page appears.
NOTE: From this location, you can edit the selected policy, or create a new policy.
7 On the Self-Recovery tab, select or deselect Enable Self-Recovery to enable or disable the self recovery functionality for the specified user or user group.
8 Select Invalidate Self-Recovery after No. of attempts and type the number of attempts.
9 Type the number of Questions to be answered to perform the self recovery. The client user is prompted with these questions when trying to recover the user account on the client system.
10 Type the number of Logons before forcing user to set answers to determine how many times a user can log on without setting their Self Recovery questions and answers.
11 Click + to create a new question, then select the question Language and type the Min Answer Length the user must type when configuring the answer to this question.
NOTE: Answers to these questions are typed by the user on the client system during the recovery process. The user is prompted for recovery enrollment during every logon. The user is allowed to cancel the enrollment until the user exceeds the specified number of logon attempts. After exceeding the defined number of logon attempts, the Cancel button is disabled and the user is forced to enroll for self recovery.
12 Click Save in the User Based Policies page.
13 Send an agent wake-up call.

Perform the self recovery on the client computer

Use this option to recover the user on the client computer if the user's password or logon token has been lost.

Before you begin
Ensure that you have successfully enrolled for self recovery on the client system. This task is performed by the client user on the client computer.

Task
1 Click Options | Recovery. The Recovery dialog box appears.
2 Select the Recovery Type as Self Recovery.
3 Type the User name and click OK. The Recovery dialog box appears with the questions that the user answered while enrolling for self recovery.
4 Type the answers to the prompted questions and click Finish. The Change Password dialog box appears.
5 Type and confirm the New Password and click OK.
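The following is an added example, not EEPC or EEMac code, that models how the three self recovery policy settings above (Min Answer Length, Questions to be answered, Invalidate Self-Recovery after No. of attempts) interact during enrollment and at the Pre-Boot recovery prompt. The answer normalization rules, the PBKDF2 parameters and the names of the functions and classes are assumptions chosen for the illustration; the guide does not describe how the product stores or compares answers.

```python
"""Illustrative model of self recovery enrollment and verification.

Added example, not EEPC or EEMac code. It shows how the policy settings
(minimum answer length, number of questions to answer, invalidate after N
failed attempts) fit together, and stores answers as salted, slow hashes so a
stolen enrollment record does not reveal them. The normalisation rules and the
PBKDF2 parameters are assumptions, not McAfee's implementation.
"""
import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass

PBKDF2_ROUNDS = 50_000  # assumption: slow enough to blunt offline guessing


@dataclass
class SelfRecoveryPolicy:
    min_answer_length: int = 3    # "Min Answer Length" per question
    questions_required: int = 3   # "Questions to be answered"
    max_failed_attempts: int = 5  # "Invalidate Self-Recovery after No. of attempts"


@dataclass
class Enrollment:
    salt: bytes
    answers: dict                 # question text -> PBKDF2 output, never the answer itself
    failed_attempts: int = 0
    invalidated: bool = False


def normalize(answer: str) -> str:
    """Case-fold and collapse whitespace so 'New York' and 'new  york' match."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def derive(answer: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the normalised answer."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ROUNDS)


def enroll(policy: SelfRecoveryPolicy, answers: dict) -> Enrollment:
    """Enrollment on the client: enforce the policy, then store only salted hashes."""
    if len(answers) < policy.questions_required:
        raise ValueError(f"policy requires at least {policy.questions_required} questions")
    for question, answer in answers.items():
        if len(normalize(answer)) < policy.min_answer_length:
            raise ValueError(f"answer to {question!r} is shorter than {policy.min_answer_length}")
    salt = os.urandom(16)
    return Enrollment(salt=salt, answers={q: derive(a, salt) for q, a in answers.items()})


def recover(policy: SelfRecoveryPolicy, enrollment: Enrollment, attempt: dict) -> bool:
    """Recovery at Pre-Boot: every prompted answer must match.

    A failed attempt is counted, and once the configured number is reached
    self recovery is invalidated until an administrator re-enables it.
    """
    if enrollment.invalidated:
        return False
    if len(attempt) < policy.questions_required:
        return False  # fewer answers than the policy demands; nothing was checked
    matched = 0
    for question, answer in attempt.items():
        stored = enrollment.answers.get(question)
        # Every enrolled answer is checked even after a mismatch, so the time
        # taken does not reveal which answer was wrong.
        if stored is not None and hmac.compare_digest(stored, derive(answer, enrollment.salt)):
            matched += 1
    if matched == len(attempt):
        enrollment.failed_attempts = 0  # design choice: a success clears the counter
        return True
    enrollment.failed_attempts += 1
    if enrollment.failed_attempts >= policy.max_failed_attempts:
        enrollment.invalidated = True
    return False
```

Once `invalidated` is set, even the correct answers are refused, which is the behaviour the Invalidate Self-Recovery setting is meant to give: after the limit, the user must fall back to administrator recovery.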

Enable or disable the administrator recovery functionality

The client system prompts for authentication at the Pre-Boot logon page before granting access to the system. When a user forgets the password, is disabled in Active Directory, or loses the logon token, the user cannot log on to the system. Resetting the user's password, unlocking the disabled user, replacing a lost logon token, and performing machine recovery all require a challenge and response procedure. The user starts the system and clicks the Recovery button on the Endpoint Encryption Pre-Boot logon page. This option must be enabled on the McAfee ePO server before the task can be performed on the client systems.

Use ePolicy Orchestrator to enable or disable the administrator (system and user) recovery functionality on the client computer.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree, then select a group under System Tree.
2 Select a system (or systems), then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 From the Product drop-down list, select Endpoint Encryption 1.1.2. The policy categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the Product Settings policy category, then click Edit Assignments. The Product Settings page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 From the Assigned policy drop-down list, select a product settings policy, then click Edit Policy. The Policy Product Settings page appears.
    NOTE: From this location, you can edit the selected policy, or create a new policy.
7 On the Recovery tab, select or deselect Enabled to enable or disable the system recovery functionality.
8 Select the required recovery key size from the Key size drop-down list, then type the Message to appear on the recovery page. The key size determines the length of the response code that the administrator reads out to the user.
9 Click Save in the Product Settings page.
10 Send an agent wake-up call.

Perform the administrator (system and user) recovery on the client computer

Use this task on the client computer, if the user's password or logon token has been lost, to recover the user or the system.

Before you begin
Make sure that the client user performs this task on the client system.

Task
For option definitions, click ? in the interface.
1 Restart the client system.
2 Click Options | Recovery.
3 Select the Recovery Type as Administrator Recovery and click OK. The Recovery dialog box appears with the Challenge Code.
    NOTE: The client user reads the Challenge Code to the administrator who manages McAfee ePO and receives the Response Code in return.
4 Enter the Response Code in the Line field, then click Enter.
    NOTE: Each line of the code is checked when it is entered.
5 Click Finish.
    NOTE: The generated response code depends on the recovery key size set in the policy and on the selected recovery type (machine recovery or user recovery).

Generate the response code for the administrator (system and user) recovery

Use this task to generate the response code for the administrator (system and user) recovery.

Before you begin
Make sure that the McAfee ePO administrator performs this task in McAfee ePO. Because the response code unlocks the user account or the system, confirm the identity of the person requesting it before reading it out.

Task
For option definitions, click ? in the interface.
1 Click Menu | Data Protection | Encryption Recovery. The Endpoint Encryption Recovery wizard opens with the text field for the Challenge Code.
    NOTE: Ask the client user to read out the challenge code that appears on the recovery page.
2 Type the Challenge Code and click Next. The Recovery Type page opens.
3 Select the required recovery type from the Recovery Type list, then click Next. The Response Code page opens with the response code(s).
    NOTE: The generated response code depends on the recovery key size set in the policy and on the selected recovery type (machine recovery or user recovery).
4 Read out the response code to the user.
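The following is an added example, not McAfee's protocol or code, that models the exchange in the two tasks above: the client shows a challenge, the McAfee ePO administrator turns it into a response that depends on the recovery key size and the chosen recovery type, and the client checks each line as it is typed. The construction (a shared per-machine secret established at activation, an HMAC-SHA256 over the recovery type and challenge truncated to the key size, and a check character per line) and all function names are assumptions chosen to give exactly the properties the guide states; the guide does not describe the real algorithm.

```python
"""Illustrative model of the administrator challenge/response recovery exchange.

Added example, not McAfee's protocol or code. Assumptions: the client and the
McAfee ePO server share a per-machine recovery secret established at
activation; the response is an HMAC-SHA256 over the recovery type and the
challenge, truncated to the recovery key size set in the policy; each typed
line carries a check character so a mistyped line is rejected immediately.
"""
import hashlib
import hmac
import os

# Alphabet without 0/O and 1/I so codes survive being read over the phone (assumption).
ALPHABET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ"
LINE_CHARS = 5                         # data symbols per response line, before the check symbol
RECOVERY_TYPES = ("machine", "user")   # the two recovery types selectable in ePO


def to_code(data: bytes) -> str:
    """Encode bytes as 5-bit symbols from ALPHABET (zero-padded to a symbol boundary)."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(ALPHABET[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def check_char(line: str) -> str:
    """Weighted mod-32 check symbol. Odd weights catch every single-symbol typo;
    adjacent swaps are caught unless the two symbols' indices differ by 16."""
    total = sum((2 * i + 1) * ALPHABET.index(c) for i, c in enumerate(line))
    return ALPHABET[total % len(ALPHABET)]


def make_challenge() -> str:
    """Client side: fresh random challenge shown in the Recovery dialog box."""
    return to_code(os.urandom(10))     # 80 random bits -> 16 symbols; never reused


def compute_response(secret: bytes, challenge: str, recovery_type: str,
                     key_size_bits: int) -> list:
    """ePO side: response lines for this challenge, bound to the recovery type."""
    if recovery_type not in RECOVERY_TYPES:
        raise ValueError(f"unknown recovery type {recovery_type!r}")
    msg = f"{recovery_type}:{challenge}".encode("ascii")
    mac = hmac.new(secret, msg, hashlib.sha256).digest()[: key_size_bits // 8]
    code = to_code(mac)                # longer key size -> longer code to read out
    lines = [code[i:i + LINE_CHARS] for i in range(0, len(code), LINE_CHARS)]
    return [line + check_char(line) for line in lines]


def verify_line(line: str) -> bool:
    """Client side: validate one line as it is entered, before asking for the next."""
    line = line.strip().upper()
    if len(line) < 2 or any(c not in ALPHABET for c in line):
        return False
    return check_char(line[:-1]) == line[-1]


def verify_response(secret: bytes, challenge: str, key_size_bits: int, lines: list):
    """Client side: return the recovery type this response authorises, or None.

    Both types are tried because the type is bound into the MAC: a response
    issued for user recovery cannot be replayed to obtain machine recovery.
    """
    if not all(verify_line(line) for line in lines):
        return None
    typed = "".join(line.strip().upper() for line in lines)
    for recovery_type in RECOVERY_TYPES:
        expected = "".join(compute_response(secret, challenge, recovery_type, key_size_bits))
        if hmac.compare_digest(expected.encode(), typed.encode()):
            return recovery_type
    return None
```

With a 128-bit key size the response is 6 lines, with 256 bits it is 11, which is the "depends on the recovery key size" behaviour the guide describes; a mistyped symbol fails its line's check before the whole code is compared, and a response is only valid for the challenge it was generated for.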


FIPS 140-2 certification

The 140 series of Federal Information Processing Standards (FIPS) are U.S. government computer security standards that specify requirements for cryptographic modules. The client-side components of EEPC 6.1 Patch 2 have been submitted for FIPS 140-2 certification. The EEAdmin and EEPC extensions (installed on McAfee ePO) consume the certified cryptography provided by McAfee ePO running in FIPS mode, and so do not need to be certified independently. The current status of this certification is available on the NIST website.

Contents
    Pre-requisites to use EEPC in FIPS mode
    Install EEPC client packages in FIPS mode
    Impact of FIPS mode
    Uninstall EEPC client packages in FIPS mode

Pre-requisites to use EEPC in FIPS mode

For EEPC 6.1 Patch 2 to be in compliance with FIPS 140-2, both of the following conditions must be met:
    McAfee ePO is installed in FIPS mode.
    The EEPC client package is checked in and installed in FIPS mode.
If either McAfee ePO or EEPC is not installed in FIPS mode, the configuration does not operate in the FIPS certified manner.

NOTE: EEPC must be operating in FIPS mode at the time a client is activated, so that its keys are generated in a FIPS approved manner. Upgrading an already active EEPC client to a FIPS mode build of EEPC 6.1.2 does not put that client into FIPS mode, because its keys were generated before FIPS mode was in effect. To be FIPS compliant, an active client must be decrypted, deactivated, and then reactivated using a FIPS mode client install.

Install EEPC client packages in FIPS mode

For the EEPC client to operate in FIPS mode, install the EEPC client package in FIPS mode before activating EEPC on the client. This ensures that the encryption keys are generated in a FIPS certified manner during the activation process. If EEPC is already installed on systems without FIPS mode enabled, do the following to make it operate in FIPS mode:
1 Decrypt the client systems.
2 Deactivate EEPC on the client systems.
3 Remove the EEPC product from the client systems.
4 Reinstall EEPC in FIPS mode, using one of the methods below.

Deploy EEPC through a McAfee ePO deployment task
To install EEPC client packages in FIPS mode using a McAfee ePO deployment task, add the keyword FIPS as the command line of the EEPC deployment task in McAfee ePO.

Deploy EEPC through third-party deployment software
To install EEPC client packages in FIPS mode using third-party deployment software, pass the property FIPS_MODE=1 on the msiexec command line when you install the EEPC client package (FIPS_MODE=0 installs without FIPS mode). The /i switch takes the path of the EEPC client .msi package; substitute the actual path for the placeholder below:

    msiexec.exe /q /i <path to the EEPC client .msi> FIPS_MODE=1

Verify that the property was applied before activating the client: a client installed with FIPS_MODE=0 (or with the property omitted) and then activated generates its keys outside FIPS mode and must go through the decrypt, deactivate and reinstall sequence above to become compliant.

Impact of FIPS mode

In FIPS mode, certain self-tests are performed in the Windows and Pre-Boot environments. These self-tests might affect the performance of Pre-Boot. If a FIPS self-test fails, the failed component stops completely, in one of the following ways:
    If the Windows EEPC FIPS component fails its self-test, the system does not activate or enforce policies.
    If the Windows EEPC driver fails its self-test, the driver performs a bug check (BSOD).
    If the Pre-Boot EEPC FIPS component fails its self-test, Pre-Boot stops functioning.

Move your mouse in Pre-Boot
FIPS 140-2 also defines minimum requirements for entropy during key generation. This can lead to key generation errors in Pre-Boot when insufficient entropy (randomness) is available at the point of key generation. To work around this, supply entropy to Pre-Boot by moving the mouse in a random fashion before retrying the action that produced the error.

Uninstall EEPC client packages in FIPS mode


The removal of EEPC client packages in FIPS mode doesn't vary from the normal removal of the EEPC client. For more information about uninstalling the EEPC client, refer to the Uninstalling the EEPC client section.
