Endpoint Encryption for PC 6.1.0 and Mac 1.0.0 ... - Errors - McAfee
McAfee Endpoint Encryption - 6.1.0 (EEPC) and 1.0.0 (EEMac)
Product Guide

COPYRIGHT
Copyright © 2011 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form
or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE
EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN,
WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in
connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property
of their respective owners.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED,
WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH
TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS
THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET,
A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU
DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN
THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents
Introducing McAfee Endpoint Encryption
  Comprehensive McAfee Endpoint Encryption
  What is McAfee Endpoint Encryption
  How McAfee Endpoint Encryption works
  McAfee Endpoint Encryption product components
  McAfee Endpoint Encryption features
  Audience
  Finding product documentation
  Requirements
Installing the EEPC client
  Summary of the client installation process
  Install the EEPC extensions using ePolicy Orchestrator
  Install the Help extension
  Check in the EEPC software packages
  Register Windows Active Directory
  Configure automation task for LDAP synchronization
  Deploy EEPC to the client system
    Send an agent wake-up call
  Add users to a system
  Assign policy to users
    Configure UBP enforcement
  Assign a policy to a system
  Enforce EE policies on a system
  Edit the client tasks
Upgrading from EEPC 6.0.x to EEPC 6.1
  Supported versions
  Overview of the upgrade process
    Configure UBP enforcement
  User experience summary
Uninstalling the EEPC client
  Deactivate the EEPC client
  Remove EEPC from the client system
  Remove the EEPC extensions from ePolicy Orchestrator
  Remove the EEPC software packages from ePolicy Orchestrator
  Manually uninstall EEPC from the client system
Installing the EEMac client
  Summary of the client installation process
  Deploy McAfee Agent to Mac OS X client
  Install the EEMac extensions using McAfee ePO
  Check in the EEMac software packages (EEAgent and EEMac) to ePolicy Orchestrator
  Register Windows Active Directory
  Configure automation tasks for LDAP synchronization
  Deploy EEMac to the client system
    Send an agent wake-up call
  Add users to a system
  Assign a policy to a system
  Enforce EE policies on a system
  Edit the client tasks
Deploying the standalone versions of EEMac to the client systems
  Deploy the standalone version of EEAgent on Mac client
  Deploy the standalone version of EEMac on Mac client
Uninstalling the EEMac client
  Deactivate the Endpoint Encryption Agent
  Remove EEMac from the client system
  Remove the EEMac extensions from McAfee ePO
  Remove the EEMac packages from McAfee ePO
  Manually uninstall EEMac from the client system
Managing McAfee Endpoint Encryption policies
  Policy management
  Policy categories
  Create a policy from Policy Catalog
  Edit the EE policy settings from Policy Catalog
  Assign a policy to a system group
  Enforce EE policies on a system group
Managing McAfee Endpoint Encryption users
  View the list of users assigned to a system
  Remove users from a system
  Edit user inheritance
  How EEPC controls the Windows logon mechanism
  Enable Single Sign On (SSO) on a system
  Synchronize the EEPC password with the Windows password
  Modify the token type associated with a system or a system group
  Configure password content rules
  Manage a disabled user in Windows Active Directory
  Configure the global user information
  Manage the logon hours
  Define EE permission sets for McAfee ePO users
Managing client computers
  Add a system to an existing system group
  Move systems between groups
  Select the disks for encryption
  Enable or disable the automatic booting
  Set the priority of encryption providers
  Maintain a list of non-compatible products
  Manage the default and customized themes
    Assign a customized theme to a system
  Manage simple words
Managing EE reports
  Queries as dashboard monitors
  Create EE custom queries
  View the standard EE reports
  Create the EE dashboard
  View the EE dashboard
  Report the encrypted and decrypted systems
Recovering users and systems
  Enable or disable the self recovery functionality
  Perform the self recovery on the client computer
  Enable or disable the administrator recovery functionality
  Perform the administrator (system and user) recovery on the client computer
  Generate the response code for the administrator (system and user) recovery

Introducing McAfee Endpoint Encryption
With data breaches on the rise, it is important to protect information assets and comply with
privacy regulations. McAfee Endpoint Encryption delivers powerful encryption that protects data
from unauthorized access, loss, and exposure.

Contents
Comprehensive McAfee Endpoint Encryption
What is McAfee Endpoint Encryption
How McAfee Endpoint Encryption works
McAfee Endpoint Encryption product components
McAfee Endpoint Encryption features
Audience
Conventions
Finding product documentation
Requirements

Comprehensive McAfee Endpoint Encryption
The McAfee Endpoint Encryption (EE) suite provides multiple layers of defense against data
loss with several integrated modules that address specific areas of risk. The suite provides
protection for individual PCs, roaming laptops, and MacBooks with 64-bit EFI. This guide discusses
these McAfee Endpoint Encryption Solutions:
• McAfee Endpoint Encryption for PC
• McAfee Endpoint Encryption for Mac
NOTE: This guide uses Endpoint Encryption (EE) as the term for both EEPC and EEMac.
Content that refers to Endpoint Encryption (EE) applies to both EEPC and
EEMac. Procedures and other details that differ between EEPC and EEMac setup are described
in separate sections that indicate the individual product name, for example EEPC or EEMac.

What is McAfee Endpoint Encryption
To ensure data protection in today’s dynamic IT environment, we need to protect what matters
most – the data. McAfee Endpoint Encryption (EE) is a strong cryptographic facility for denying
unauthorized access to data stored on any system or disk when it is not in use. It prevents the
loss of sensitive data, especially from lost or stolen equipment. It protects the data with strong
access control using Pre-Boot Authentication and a powerful encryption engine.
To log on to a system, the user must first authenticate through the Pre-Boot environment. On
a successful authentication, the client system's operating system (Microsoft Windows or Mac
OS X) loads and gives access to normal system operation. McAfee Endpoint Encryption is
completely transparent to the user and has little impact on performance of the computer.
McAfee Endpoint Encryption is the encryption software installed on client systems. It is deployed
and managed through ePolicy Orchestrator using policies. A policy is a set of rules that determine
how the EEPC software functions on the user’s computer.

How McAfee Endpoint Encryption works
McAfee Endpoint Encryption protects the data on a system by taking control of the hard disk
from the operating system. The Endpoint Encryption driver encrypts all data written to the disk;
it also decrypts the data read off the disk.
The client software is installed on the client system. After the installation, the system synchronizes
with ePolicy Orchestrator (McAfee ePO) and acquires the user data, token data, and Pre-Boot
graphics. When this is complete, the user authenticates and logs on through the Pre-Boot
environment, which loads the operating system, and uses the system as normal.

McAfee Endpoint Encryption product components
Use the McAfee Endpoint Encryption software to protect your systems from potential data loss.
We recommend that you define the policies and needs of your system and configure the product
accordingly.
Each McAfee Endpoint Encryption component or feature plays a part in protecting your systems.

McAfee ePO Administration
The ePolicy Orchestrator server provides a scalable platform for centralized policy management
and enforcement of your security products and the systems on which they reside. The ePolicy
Orchestrator Administration console allows the administrator to manage the McAfee Endpoint
Encryption policies on the client computer. It also allows you to deploy and manage the McAfee
Endpoint Encryption products such as EEPC, EEMac and so on. It provides comprehensive
reporting and product deployment capabilities, all through a single point of control.
NOTE: This guide does not provide detailed information about installing or using ePolicy
Orchestrator software. See the ePolicy Orchestrator product documentation for versions 4.5
and 4.6.

Policies
McAfee Endpoint Encryption is managed through ePolicy Orchestrator using a combination of
user and product-based policies. The ePolicy Orchestrator console allows the administrator to
enforce policies across groups of computers or on a single computer. Any new policy enforcement
through McAfee ePO overrides the existing policy that is already set on the individual systems.
For information regarding policies and how they are enforced, see the ePolicy Orchestrator
product documentation for versions 4.5 and 4.6.

EEPC/EEMac
The EEPC/EEMac extension installed in ePolicy Orchestrator defines the encryption algorithm,
product settings, and server settings for the client system. The EEPC/EEMac software package
checked in to ePolicy Orchestrator defines the actual Endpoint Encryption software that is
installed on the client system.

EE Admin
The EE Administration system (EE Admin) defines the generic endpoint encryption settings for
product-based policies, user-based policies, and server settings for the users. This is common
for both EEPC and EEMac.

LDAP Server
McAfee Endpoint Encryption acquires users through the Windows Active Directory (AD). You
must have a registered LDAP server (AD) to use Policy Assignment Rules, to enable dynamically
assigned permission sets, and to enable manual and automatic user account creation.

Client system components
For ePolicy Orchestrator to communicate with it, the client system should be configured with
components such as:
• For EEPC
  • McAfee Agent for Windows
  • Windows operating system
• For EEMac
  • McAfee Agent for Mac
  • Mac OS X platform
The ePolicy Orchestrator server deploys the EE Agent and the EE product to the client system.
On a Mac client system, the user needs to install the McAfee Agent using the install.sh file, which
must be obtained from the Windows-based system where the McAfee ePO server is installed.
However, on Windows-based systems, ePolicy Orchestrator itself deploys the McAfee Agent to
the client system.
For more details and procedures, see the ePolicy Orchestrator product documentation for
versions 4.5 and 4.6.
McAfee Endpoint Encryption product components are depicted in Figure 1.
Figure 1: Product components

McAfee Endpoint Encryption features
• McAfee Endpoint Encryption leverages the McAfee ePolicy Orchestrator infrastructure for
automated security reporting, monitoring, deployment, and policy administration.
• EEPC/EEMac integrates itself fully into ePolicy Orchestrator management software so that
the management can now be performed from this console.
• Enables transparent encryption without hindering users or system performance.
• Enforces strong access control with Pre-Boot Authentication.

Audience
McAfee Endpoint Encryption documentation is carefully researched and written for the target
audience.
The information in this guide is intended primarily for:
• Administrators — People who implement and enforce the company's security program.
• Users — People who are responsible for configuring the product options on their systems,
or for updating their systems.

Conventions<br />
This guide uses the following typographical conventions.<br />
• Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.<br />
• Bold: Text that is strongly emphasized.<br />
• User input or Path: Comm<strong>and</strong>s <strong>and</strong> other text that the user types; the path of a folder or program.<br />
• Code: A code sample.<br />
• User interface: Words in the user interface including options, menus, buttons, <strong>and</strong> dialog boxes.<br />
• Hypertext blue: A live link to a topic or to a website.<br />
• Note: Additional in<strong>for</strong>mation, like an alternate method of accessing an option.<br />
• Tip: Suggestions <strong>and</strong> recommendations.<br />
• Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.<br />
• Warning: Critical advice to prevent bodily harm when using a hardware product.<br />
Finding product documentation<br />
<strong>McAfee</strong> provides the in<strong>for</strong>mation you need during each phase of product implementation, from<br />
installing to using <strong>and</strong> troubleshooting. After a product is released, in<strong>for</strong>mation about the product<br />
is entered into the <strong>McAfee</strong> online KnowledgeBase.<br />
1 Go to the <strong>McAfee</strong> Technical Support ServicePortal at http://mysupport.mcafee.com.<br />
2 Under Self Service, access the type of in<strong>for</strong>mation you need:<br />
To access... / Do this...<br />
User documentation:<br />
1 Click Product Documentation.<br />
2 Select a Product, then select a Version.<br />
3 Select a product document.<br />
KnowledgeBase:<br />
• Click Search the KnowledgeBase <strong>for</strong> answers to your product questions.<br />
• Click Browse the KnowledgeBase <strong>for</strong> articles listed by product <strong>and</strong> version.<br />
Requirements<br />
System requirements<br />
Systems / Requirements<br />
<strong>McAfee</strong> ePO server systems: See the ePolicy Orchestrator product documentation <strong>for</strong> versions 4.5 <strong>and</strong> 4.6<br />
Client systems <strong>for</strong> EE<strong>PC</strong>:<br />
• CPU: Pentium III 1 GHz or higher<br />
• RAM: 512 MB minimum (1 GB recommended)<br />
• Hard Disk: 200 MB minimum free disk space<br />
Client systems <strong>for</strong> EE<strong>Mac</strong>:<br />
• CPU: EE<strong>Mac</strong> works on all Intel-based <strong>Mac</strong> CPU with 64-bit EFI<br />
• RAM: 1 GB minimum<br />
• Hard Disk: 200 MB minimum free disk space<br />
Software requirements<br />
Software / Requirements<br />
<strong>McAfee</strong> management software:<br />
• EE<strong>PC</strong> 6.1—See the <strong>McAfee</strong> <strong>Endpoint</strong> <strong>Encryption</strong> <strong>for</strong> <strong>PC</strong> 6.1 Release Notes<br />
• EE<strong>Mac</strong> 1.0—See the <strong>McAfee</strong> <strong>Endpoint</strong> <strong>Encryption</strong> <strong>for</strong> <strong>Mac</strong> 1.0 Release Notes<br />
<strong>McAfee</strong> <strong>Endpoint</strong> <strong>Encryption</strong> <strong>for</strong> <strong>PC</strong> software (<strong>for</strong> Windows):<br />
• Extensions: EEADMIN.ZIP, EE<strong>PC</strong>.ZIP, help_ee_100.ZIP<br />
• EE<strong>PC</strong> software package: MfeEE<strong>PC</strong>.ZIP<br />
• EE Agent: MfeEEAgent.ZIP<br />
<strong>McAfee</strong> <strong>Endpoint</strong> <strong>Encryption</strong> <strong>for</strong> <strong>Mac</strong> software (<strong>for</strong> <strong>Mac</strong> OS X):<br />
• Extensions: EEADMIN.ZIP, EEMAC.ZIP, help_ee_100.ZIP<br />
• EE<strong>Mac</strong> software package: MfeEe<strong>Mac</strong>-<strong>1.0.0</strong>.x.ZIP<br />
• EE<strong>Mac</strong> Agent: MfeEEAgent-<strong>1.0.0</strong>.x.ZIP<br />
Microsoft “Windows Installer 3.0 Redistributable” package (<strong>for</strong> <strong>McAfee</strong> ePO): See the ePolicy Orchestrator product documentation <strong>for</strong> versions 4.5 <strong>and</strong> 4.6<br />
Microsoft “.NET Framework 2.0 Redistributable” package (<strong>for</strong> <strong>McAfee</strong> ePO): See the ePolicy Orchestrator product documentation <strong>for</strong> versions 4.5 <strong>and</strong> 4.6<br />
Microsoft MSXML 6 (<strong>for</strong> ePO): See the ePolicy Orchestrator product documentation <strong>for</strong> versions 4.5 <strong>and</strong> 4.6<br />
Operating system requirements<br />
Systems / Software<br />
<strong>McAfee</strong> ePO server systems: See the ePolicy Orchestrator product documentation <strong>for</strong> versions 4.5 <strong>and</strong> 4.6<br />
Client systems <strong>for</strong> EE<strong>PC</strong>:<br />
• Windows Server 2003 SP1 or later (32-bit only)<br />
• Windows Server 2008 (32- <strong>and</strong> 64-bit)<br />
• Windows XP Professional SP3 (32-bit only)<br />
• Windows Vista SP1 or later (32- <strong>and</strong> 64-bit)<br />
• Windows 7 <strong>and</strong> SP1 (32- <strong>and</strong> 64-bit), (Not XP Mode)<br />
Client systems <strong>for</strong> EE<strong>Mac</strong>:<br />
• Leopard: 10.5.8<br />
• Snow Leopard: 10.6.0 <strong>and</strong> later (32- <strong>and</strong> 64-bit)<br />
Hardware support <strong>for</strong> <strong>Mac</strong><br />
Systems / Types<br />
<strong>Mac</strong>Books with 64-bit EFI: <strong>Mac</strong>Book, <strong>Mac</strong>Book Pro, <strong>and</strong> <strong>Mac</strong>Book Air<br />
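The requirements tables above can be applied to a system inventory before any deployment task is created, so that unsupported clients are excluded from the encryption rollout. The following is an added example, not code from this guide or from McAfee; the System fields and the sample inventory are constructed, CPU speed and XP Mode are not modelled, and "10.6.0 and later" is read as any 10.6.x release.<br />

```python
"""Pre-deployment eligibility check against the requirements tables above.

Added example, not McAfee code. The System fields and the sample inventory
are constructed for illustration; they are not an ePO export format.
"""
from dataclasses import dataclass
from typing import Dict, List

# OS name -> (minimum service pack, supported architectures), taken from the
# "Operating system requirements" rows for EEPC client systems.
EEPC_OS = {
    "Windows Server 2003": (1, {32}),
    "Windows Server 2008": (0, {32, 64}),
    "Windows XP Professional": (3, {32}),
    "Windows Vista": (1, {32, 64}),
    "Windows 7": (0, {32, 64}),   # the guide excludes XP Mode; not modelled here
}
MIN_RAM_MB = {"windows": 512, "mac": 1024}
MIN_FREE_DISK_MB = 200


@dataclass
class System:
    name: str
    platform: str            # "windows" or "mac"
    os_name: str = ""        # Windows only, e.g. "Windows 7"
    service_pack: int = 0    # Windows only
    arch_bits: int = 32      # Windows only
    os_version: str = ""     # Mac only, e.g. "10.6.8"
    efi_bits: int = 0        # Mac only
    ram_mb: int = 0
    free_disk_mb: int = 0


def mac_version_supported(version: str) -> bool:
    """Leopard 10.5.8 exactly, or any Snow Leopard 10.6.x release (assumed reading)."""
    try:
        nums = tuple(int(p) for p in version.split("."))
    except ValueError:
        return False
    nums += (0,) * (3 - len(nums))      # pad "10.6" to (10, 6, 0)
    if nums[:2] == (10, 5):
        return nums[2] == 8
    return nums[:2] == (10, 6)


def check(system: System) -> List[str]:
    """Return the reasons a system fails the documented requirements."""
    problems: List[str] = []
    if system.platform == "windows":
        rule = EEPC_OS.get(system.os_name)
        if rule is None:
            problems.append(f"OS not listed for EEPC: {system.os_name!r}")
        else:
            min_sp, archs = rule
            if system.service_pack < min_sp:
                problems.append(f"needs at least SP{min_sp}, has SP{system.service_pack}")
            if system.arch_bits not in archs:
                problems.append(f"{system.arch_bits}-bit not supported on {system.os_name}")
    elif system.platform == "mac":
        if not mac_version_supported(system.os_version):
            problems.append(f"Mac OS X {system.os_version} not listed for EEMac")
        if system.efi_bits != 64:
            problems.append("64-bit EFI required")
    else:
        return [f"unknown platform: {system.platform!r}"]
    if system.ram_mb < MIN_RAM_MB[system.platform]:
        problems.append(f"RAM below {MIN_RAM_MB[system.platform]} MB minimum")
    if system.free_disk_mb < MIN_FREE_DISK_MB:
        problems.append(f"free disk below {MIN_FREE_DISK_MB} MB minimum")
    return problems


def triage(inventory: List[System]) -> Dict[str, List[str]]:
    """Map each system name to its list of problems (empty list = eligible)."""
    return {s.name: check(s) for s in inventory}


# Constructed sample inventory.
INVENTORY = [
    System("PC-001", "windows", os_name="Windows 7", service_pack=1,
           arch_bits=64, ram_mb=2048, free_disk_mb=5000),
    System("PC-002", "windows", os_name="Windows XP Professional", service_pack=2,
           arch_bits=32, ram_mb=512, free_disk_mb=1000),
    System("PC-003", "windows", os_name="Windows Server 2003", service_pack=2,
           arch_bits=64, ram_mb=4096, free_disk_mb=150),
    System("MAC-001", "mac", os_version="10.6.8", efi_bits=64,
           ram_mb=2048, free_disk_mb=10000),
    System("MAC-002", "mac", os_version="10.5.6", efi_bits=32,
           ram_mb=1024, free_disk_mb=10000),
]

if __name__ == "__main__":
    for name, problems in triage(INVENTORY).items():
        print(name, "OK" if not problems else "; ".join(problems))
```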
Installing the EE<strong>PC</strong> client<br />
The <strong>Endpoint</strong> <strong>Encryption</strong> <strong>for</strong> <strong>PC</strong> extensions <strong>and</strong> the software packages are checked in to the<br />
<strong>McAfee</strong> ePO server <strong>for</strong> the management functionality. This is necessary be<strong>for</strong>e deploying the<br />
software <strong>and</strong> configuring the policies.<br />
CAUTION: Be<strong>for</strong>e you begin, make sure that you remove any competitor's encryption products<br />
from your system. Also, do not install any other encryption products after installing EE<strong>PC</strong>.<br />
This release supports migrating your EE<strong>PC</strong> 5.x.x installed systems <strong>and</strong> upgrading EE<strong>PC</strong> 6.0.x<br />
installed systems to EE<strong>PC</strong> 6.1. For more details <strong>and</strong> procedures on migrating your EE<strong>PC</strong> 5.x.x<br />
installed systems to EE<strong>PC</strong> 6.1, see the <strong>McAfee</strong> <strong>Endpoint</strong> <strong>Encryption</strong> <strong>for</strong> <strong>PC</strong> 6.1 Migration Guide.<br />
• In this guide, EE<strong>PC</strong> 5.x.x refers to EE<strong>PC</strong> 5.1.7 <strong>and</strong> later versions<br />
• EE<strong>PC</strong> 6.0.x refers to EE<strong>PC</strong> 6.0, 6.0 Patch 1 <strong>and</strong> Patch 2 versions<br />
Contents<br />
Summary of the client installation process<br />
Install the EE<strong>PC</strong> extensions using ePolicy Orchestrator<br />
Install the Help extension<br />
Check in the EE<strong>PC</strong> software packages<br />
Register Windows Active Directory<br />
Configure automation task <strong>for</strong> LDAP synchronization<br />
Deploy EE<strong>PC</strong> to the client system<br />
Add users to a system<br />
Assign policy to users<br />
Assign a policy to a system<br />
En<strong>for</strong>ce EE policies on a system<br />
Edit the client tasks<br />
Summary of the client installation process<br />
The EE<strong>PC</strong> client software is deployed from the <strong>McAfee</strong> ePO server <strong>and</strong> installed through <strong>McAfee</strong><br />
Agent. The installation of EE<strong>PC</strong> creates the Pre-Boot File System (PBFS) in the client system at<br />
the activation time.<br />
Restart the client system to complete the installation of the EE<strong>PC</strong> software. After restarting, it<br />
communicates with the ePolicy Orchestrator server <strong>and</strong> pulls down the assigned <strong>Endpoint</strong><br />
<strong>Encryption</strong> policies <strong>and</strong> encrypts the system as per the defined policies. The assigned user can<br />
be initialized through the Pre-Boot screen after the subsequent restart. The summary of the<br />
client installation process is depicted in Figure 2.<br />
Figure 2: Process overview of installation<br />
The overall EE<strong>PC</strong> installation <strong>and</strong> deployment process can be simplified into the following steps.<br />
NOTE: This assumes that the user has already successfully installed <strong>McAfee</strong> ePO <strong>and</strong> has the<br />
<strong>McAfee</strong> Agent installed on various systems which successfully communicate with <strong>McAfee</strong> ePO.<br />
1 Install the EEAdmin <strong>and</strong> EE<strong>PC</strong> extensions into ePolicy Orchestrator.<br />
2 Check in the EE<strong>PC</strong> software packages (MfeEE<strong>PC</strong>.ZIP <strong>and</strong> MfeEEAgent.ZIP) to ePolicy<br />
Orchestrator.<br />
3 Configure the registered server (Windows Active Directory).<br />
4 Configure <strong>and</strong> run the automation task <strong>for</strong> LDAP Synchronization.<br />
5 Deploy the <strong>Endpoint</strong> <strong>Encryption</strong> Agent to the client.<br />
6 Deploy the EE<strong>PC</strong> software package to the client.<br />
7 Restart the client system. You should now be able to see the Quick Settings | <strong>Endpoint</strong><br />
<strong>Encryption</strong> Status option in <strong>McAfee</strong> Agent System Tray on the client system.<br />
8 Add users to a system or a group of systems.<br />
9 Create a product settings policy or edit the default policy, then assign it to a system or a<br />
group of systems.<br />
10 Create a user-based policy or edit the default policy, then assign it to a user or a group of<br />
users on a system.<br />
NOTE: The <strong>Endpoint</strong> <strong>Encryption</strong> System Status changes from Inactive to Active only after<br />
adding the user <strong>and</strong> en<strong>for</strong>cing the policies correctly.<br />
11 Verify the <strong>Endpoint</strong> <strong>Encryption</strong> System Status by right-clicking <strong>McAfee</strong> Agent System Tray<br />
on the client system, then clicking Quick Settings | <strong>Endpoint</strong> <strong>Encryption</strong> Status.<br />
Install the EE<strong>PC</strong> extensions using ePolicy Orchestrator<br />
Install the EE<strong>PC</strong> extensions on the ePolicy Orchestrator server using the Software tab. There<br />
are two extension files in .ZIP <strong>for</strong>mat <strong>for</strong> EE<strong>PC</strong>.<br />
Be<strong>for</strong>e you begin<br />
You must have appropriate permissions to per<strong>for</strong>m this task.<br />
You must install the extensions in order: EEADMIN.ZIP first, then EE<strong>PC</strong>.ZIP.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Log on to the ePolicy Orchestrator server as an administrator.<br />
2 Click Menu | Software | Extensions | Install Extension to open the Install Extension<br />
dialog box.<br />
3 Click Browse <strong>and</strong> select the extension file EEADMIN.ZIP, then click OK. The Install<br />
Extension page appears with the extension name <strong>and</strong> version details.<br />
NOTE: The extension file EEADMIN.ZIP is a prerequisite <strong>for</strong> the extension file EE<strong>PC</strong>.ZIP.<br />
4 Click OK.<br />
5 Repeat steps 2 <strong>and</strong> 3 to install the EE<strong>PC</strong>.ZIP extension.<br />
Install the Help extension<br />
You can install the Help extension separately on the ePolicy Orchestrator server using the<br />
Software tab. The Help extension is a .ZIP file.<br />
Be<strong>for</strong>e you begin<br />
You must have appropriate permissions to per<strong>for</strong>m this task.<br />
Task<br />
1 Log on to the ePolicy Orchestrator server as an administrator.<br />
2 Click Menu | Software | Extensions | Install Extension. The Install Extension dialog<br />
box appears.<br />
3 Click Browse <strong>and</strong> select the extension file help_ee_100.ZIP, then click OK. The Install<br />
Extension page appears with the extension name <strong>and</strong> version details.<br />
4 Click OK.<br />
Check in the EE<strong>PC</strong> software packages<br />
Use ePolicy Orchestrator to check in the EE<strong>PC</strong> software packages to the master repository.<br />
Be<strong>for</strong>e you begin<br />
You must have appropriate permissions to per<strong>for</strong>m this task.<br />
Be<strong>for</strong>e checking in the software packages, make sure there are no pull or replication tasks<br />
running.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Log on to the ePolicy Orchestrator server as an administrator.<br />
2 Click Menu | Software | Master Repository, then click Actions | Check In Package.<br />
The Check In Package wizard opens.<br />
3 From the Package type list, select Product or Update (.ZIP), then browse <strong>and</strong> select<br />
the MfeEE<strong>PC</strong>.ZIP package file.<br />
4 Click Next to open the Package Options page.<br />
5 Click Save to begin checking in the package. When the package is checked in, it appears<br />
in the Packages in Master Repository list on the Master Repository page.<br />
6 Repeat steps 2 through 5 to install the MfeEEAgent.ZIP package.<br />
Register Windows Active Directory<br />
Use this option to register a Windows Active Directory. You must have a registered LDAP server<br />
to use Policy Assignment Rules, to enable dynamically assigned permission sets, <strong>and</strong> to enable<br />
automatic <strong>and</strong> manual user account assignment.<br />
Be<strong>for</strong>e you begin<br />
Make sure you have the appropriate rights to modify the server settings, permission sets, users,<br />
<strong>and</strong> registered servers.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Log on to the ePolicy Orchestrator server as an administrator.<br />
2 Click Menu | Configuration | Registered Servers, then click New Server. The<br />
Registered Server Builder wizard opens.<br />
3 From the Server type drop-down list on the Description page, select LDAP Server, specify<br />
a unique name (a user-friendly name) <strong>and</strong> any details, then click Next. The Details page<br />
appears.<br />
4 Select Active Directory from LDAP server type, then type the Domain name or the<br />
Server name.<br />
NOTE: Use a DNS-style domain name. When you do, make sure that the<br />
<strong>McAfee</strong> ePO system is configured with the appropriate DNS settings <strong>and</strong> can resolve the DNS-style<br />
domain name of the Active Directory. The Server name is the name or IP address of the<br />
system where the Windows Active Directory is present.<br />
5 Type the User name.<br />
NOTE: The User name should be of the <strong>for</strong>mat: domain\Username <strong>for</strong> Active Directory accounts.<br />
6 Type the Password <strong>and</strong> confirm it.<br />
7 Click Test Connection to ensure that the connection to the server works, then click Save.<br />
Configure automation task <strong>for</strong> LDAP synchronization<br />
You can create many tasks that run at scheduled intervals to manage the <strong>McAfee</strong> ePO server<br />
<strong>and</strong> <strong>McAfee</strong> <strong>Endpoint</strong> <strong>Encryption</strong> software. Run this task to synchronize with the user Active<br />
Directory.<br />
Be<strong>for</strong>e you begin<br />
You must have appropriate permissions to per<strong>for</strong>m this task.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Log on to the ePolicy Orchestrator server as an administrator.<br />
2 Click Menu | Automation | Server Tasks to open the Server Tasks page.<br />
3 Click Actions | New Task. The Server Task Builder wizard opens.<br />
4 On the Description page, name the task, type some notes about the task, <strong>and</strong> choose<br />
whether it is enabled, then click Next. The Actions page appears.<br />
5 From the Actions drop-down list, select EE LDAP Server User/Group Synchronization<br />
<strong>and</strong> accept the default values.<br />
6 Click Next to open the Schedule page.<br />
7 Schedule the task, then click Next to display the Summary page.<br />
8 Review the task details, then click Save.<br />
NOTE: In addition to the task running at the scheduled time, you can run this task<br />
immediately by clicking Run next to the task on the Server Tasks page.<br />
Deploy EE<strong>PC</strong> to the client system<br />
Set up the client task to automatically install the EE<strong>PC</strong> software on the client computers. For<br />
more details <strong>and</strong> procedures on how to per<strong>for</strong>m this task, see the ePolicy Orchestrator product<br />
documentation <strong>for</strong> versions 4.5 <strong>and</strong> 4.6.<br />
Be<strong>for</strong>e you begin<br />
You must have appropriate permissions to per<strong>for</strong>m this task.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Log on to the ePolicy Orchestrator server as an administrator.<br />
2 Click Menu | Systems | System Tree, then select a group or system(s) from the System<br />
Tree pane on the left.<br />
3 On the Client Tasks tab, click Actions, then select New Task from the drop-down menu.<br />
The Client Task Builder wizard opens with the Description page.<br />
4 Type a Name <strong>and</strong> Notes <strong>for</strong> the task, select the Type as Product Deployment from<br />
the drop-down list, select whether the task should be sent to all computers or to tagged<br />
computers, then click Next. The Configuration page appears.<br />
5 Select the Target plat<strong>for</strong>m as Windows.<br />
6 From the Products <strong>and</strong> components drop-down list, select <strong>Endpoint</strong> <strong>Encryption</strong> Agent<br />
<strong>for</strong> <strong>PC</strong> 1.1.0.x to specify the version of the agent to deploy <strong>and</strong>, if needed, additional<br />
comm<strong>and</strong>-line parameters.<br />
7 Select the Action as Install.<br />
NOTE: If you are working in a Windows environment, check whether to run the task at<br />
each policy en<strong>for</strong>cement interval.<br />
8 Click Next to open the Schedule page.<br />
9 Change the Schedule Type as required <strong>and</strong> click Next. The Summary page appears.<br />
10 Verify the task’s details, then click Save. The new deployment task is sent to the client<br />
computers at the next agent-server communication.<br />
11 Send an agent wake-up call.<br />
Follow the same procedure to deploy <strong>Endpoint</strong> <strong>Encryption</strong> <strong>for</strong> <strong>PC</strong> <strong>6.1.0</strong>.x. We recommend<br />
that you deploy <strong>Endpoint</strong> <strong>Encryption</strong> Agent <strong>for</strong> <strong>PC</strong> 1.1.0.x be<strong>for</strong>e deploying <strong>Endpoint</strong><br />
<strong>Encryption</strong> <strong>for</strong> <strong>PC</strong> <strong>6.1.0</strong>.x.<br />
TIP: We recommend that you create separate client tasks <strong>for</strong> deploying <strong>Endpoint</strong> <strong>Encryption</strong><br />
Agent <strong>for</strong> <strong>PC</strong> 1.1.0.x <strong>and</strong> <strong>Endpoint</strong> <strong>Encryption</strong> <strong>for</strong> <strong>PC</strong> <strong>6.1.0</strong>.x, then deploy them in sequence.<br />
12 Restart the client system when prompted after installing the <strong>Endpoint</strong> <strong>Encryption</strong> <strong>for</strong> <strong>PC</strong><br />
<strong>6.1.0</strong>.x package.<br />
Send an agent wake-up call<br />
The client gets the policy update whenever it connects to the <strong>McAfee</strong> ePO server (during the next<br />
ASCI). The policy update can be scheduled or <strong>for</strong>ced. The agent wake-up call option <strong>for</strong>ces the<br />
policy update to the client system.<br />
NOTE: For in<strong>for</strong>mation on adding a new system, see the ePolicy Orchestrator product<br />
documentation <strong>for</strong> versions 4.5 <strong>and</strong> 4.6.<br />
Be<strong>for</strong>e you begin<br />
You must have appropriate permissions to per<strong>for</strong>m this task.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Log on to the ePolicy Orchestrator server as an administrator.<br />
2 Click Menu | Systems | System Tree.<br />
3 Select a system group from the System Tree.<br />
4 Select the System Name(s) of that group.<br />
5 Click Actions | Agents | Wake Up Agents from the drop-down menu. The Wake Up<br />
Agents page appears.<br />
6 Select a Wake-up call type <strong>and</strong> a R<strong>and</strong>omization period (0-60 minutes) by which the<br />
system(s) respond to the wake-up call sent by ePolicy Orchestrator.<br />
7 Select Get full product properties <strong>for</strong> the agent(s) to send complete properties instead<br />
of sending only the properties that have changed since the last agent-to-server<br />
communication.<br />
8 Click OK.<br />
NOTE: Navigate to Menu | Automation | Server Task Log to see the status of the agent<br />
wake-up call.<br />
Add users to a system<br />
Use ePolicy Orchestrator to add the EE<strong>PC</strong> users to the client system.<br />
Be<strong>for</strong>e you begin<br />
You must have appropriate permissions to per<strong>for</strong>m this task.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Click Menu | Data Protection | <strong>Encryption</strong> Users to open the My Organization page.<br />
2 Select a group or system(s) from the System Tree pane on the left.<br />
NOTE: To add users to a particular system, select the required system from the System<br />
Tab under the My Organization pane on the right.<br />
3 Click Actions | <strong>Endpoint</strong> <strong>Encryption</strong> | Add Users to open the Add <strong>Endpoint</strong> <strong>Encryption</strong><br />
Users page.<br />
4 Add users: Click + in the Users field, browse to the users list, select the Users, then click<br />
OK.<br />
5 Add groups: Click + in the From the groups field, browse to the users groups list, select<br />
the groups, then click OK.<br />
6 Add an organizational unit: Click + in the From the organizational units field, browse<br />
to the organizational unit list, select the unit, then click OK.<br />
7 In the Add <strong>Endpoint</strong> <strong>Encryption</strong> Users page, click OK.<br />
Assign policy to users<br />
Use this task to assign a policy at a user level. For more details <strong>and</strong> procedures on how to<br />
per<strong>for</strong>m this task, see the ePolicy Orchestrator product documentation <strong>for</strong> versions 4.5 <strong>and</strong> 4.6.<br />
Be<strong>for</strong>e you begin<br />
You must have appropriate permissions to per<strong>for</strong>m this task.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Click Menu | Policy | Policy Assignment Rules to open the Policy Assignment Rules<br />
page.<br />
2 Click Actions | New Assignment Rule. The Policy Assignment Builder wizard opens with<br />
Details page.<br />
3 Type the Name <strong>and</strong> Description, then click Next. The user Selection Criteria page opens.<br />
4 Select the user by choosing the selection criteria, then click Next. The Assigned Policies<br />
page opens.<br />
5 Click Add. The Choose a policy to assign dialog box appears.<br />
6 From the Product drop-down list, select <strong>Endpoint</strong> <strong>Encryption</strong> 1.1.0.<br />
7 From the policy Category drop-down list, select the User Based Policy.<br />
8 From the Policy drop-down list, select the desired policy, then click OK. The Summary page<br />
opens.<br />
9 Click Save.<br />
Configure UBP en<strong>for</strong>cement<br />
By default, all users inherit the default User Based Policy assigned to the system. To allow a<br />
user to use the required User Based Policies, you must enable UBP en<strong>for</strong>cement <strong>for</strong> that user.<br />
This overrides the default UBP on the system. If not, the user inherits the default UBP.<br />
User Based Policies in EEC 6.1<br />
A requirement of EEC 6.1 is that you need to specify which groups of users are allowed or not<br />
allowed to use the Policy Assignment Rules. The allowed users get their required User Based<br />
Policies. Users that are not allowed to use the Policy Assignment Rules inherit the default User<br />
Based Policies assigned to the system.<br />
Be<strong>for</strong>e you begin<br />
You must have appropriate permissions to per<strong>for</strong>m this task.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Click Menu | Reporting | Queries. The Queries page opens.<br />
2 Select <strong>Endpoint</strong> <strong>Encryption</strong> from Shared Groups in Groups pane. The st<strong>and</strong>ard EE<br />
query list appears.<br />
3 Run the EE: Users query to list all the <strong>Endpoint</strong> <strong>Encryption</strong> Users.<br />
4 Select a user from the list to en<strong>for</strong>ce the policy.<br />
5 Click Actions | <strong>Endpoint</strong> <strong>Encryption</strong> | Configure UBP en<strong>for</strong>cement. The Configure<br />
UBP en<strong>for</strong>cement page appears with Enable <strong>and</strong> Disable options.<br />
6 Select Enable or Disable, then click OK to configure the UBP en<strong>for</strong>cement. On selecting<br />
Enable, Policy Assignment Rules are enabled <strong>for</strong> the selected users, <strong>and</strong> a specific UBP is<br />
assigned to the user according to the rule defined.<br />
NOTE: At each ASCI, ePolicy Orchestrator ensures that all the relevant user-based policies<br />
are deployed to each client in addition to the user-based policy <strong>for</strong> the logged on user<br />
configured with UBP en<strong>for</strong>cement.<br />
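Because a Policy Assignment Rule has no effect for a user whose UBP enforcement is disabled, a rule can be written for a user who still silently receives the default User Based Policy. The following added example (not code from this guide or from McAfee) models that behaviour and flags the mismatches; group-based selection criteria, first-match rule order, fallback to the default UBP when no rule matches, and all sample names are assumptions.<br />

```python
"""Audit of User Based Policy (UBP) assignment, following the rules above.

Added example, not McAfee code. Group-based selection criteria, first-match
rule order, and fallback to the default UBP when no rule matches are
assumptions of this sketch; the sample users and rules are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class User:
    name: str
    groups: Set[str]
    ubp_enforcement: bool = False   # set via "Configure UBP enforcement"


@dataclass
class AssignmentRule:
    name: str
    match_groups: Set[str]          # assumed selection criteria
    policy: str                     # User Based Policy the rule assigns


def matching_rule(user: User, rules: List[AssignmentRule]) -> Optional[AssignmentRule]:
    """First rule whose selection criteria match the user (assumed ordering)."""
    for rule in rules:
        if user.groups & rule.match_groups:
            return rule
    return None


def effective_ubp(user: User, rules: List[AssignmentRule], system_default: str) -> str:
    """UBP the user receives: rules apply only when enforcement is enabled."""
    if not user.ubp_enforcement:
        return system_default       # user inherits the system's default UBP
    rule = matching_rule(user, rules)
    return rule.policy if rule else system_default   # assumed fallback


def audit(users: List[User], rules: List[AssignmentRule],
          system_default: str) -> Dict[str, str]:
    """Flag users whose enforcement setting and assignment rules disagree."""
    findings: Dict[str, str] = {}
    for user in users:
        rule = matching_rule(user, rules)
        if rule and not user.ubp_enforcement:
            findings[user.name] = (f"rule '{rule.name}' matches but UBP enforcement "
                                   f"is disabled; user keeps '{system_default}'")
        elif user.ubp_enforcement and rule is None:
            findings[user.name] = ("UBP enforcement is enabled but no rule matches; "
                                   f"user keeps '{system_default}'")
    return findings


# Constructed sample data.
DEFAULT_UBP = "Default UBP"
RULES = [AssignmentRule("Finance laptops", {"Finance"}, "Finance strict UBP")]
USERS = [
    User("alice", {"Finance"}, ubp_enforcement=True),
    User("bob", {"Finance"}, ubp_enforcement=False),
    User("carol", {"IT"}, ubp_enforcement=True),
    User("dave", {"Sales"}, ubp_enforcement=False),
]

if __name__ == "__main__":
    for user in USERS:
        print(user.name, "->", effective_ubp(user, RULES, DEFAULT_UBP))
    for name, finding in audit(USERS, RULES, DEFAULT_UBP).items():
        print("FINDING", name + ":", finding)
```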
Assign a policy to a system<br />
Use ePolicy Orchestrator to assign a policy to a specific set of managed systems. You can assign<br />
policies be<strong>for</strong>e or after deploying <strong>McAfee</strong> <strong>Endpoint</strong> <strong>Encryption</strong> software.<br />
Be<strong>for</strong>e you begin<br />
You must have appropriate permissions to per<strong>for</strong>m this task.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Click Menu | Systems | System Tree | Systems, then select a group under System<br />
Tree. All the systems within this group (but not its subgroups) appear in the details pane.<br />
2 Select the target system, then click Actions | Agent | Modify Policies on a Single<br />
System. The Policy Assignment page <strong>for</strong> that system appears.<br />
3 From the Product drop-down list, select <strong>Endpoint</strong> <strong>Encryption</strong> 1.1.0. The policy categories<br />
under <strong>Endpoint</strong> <strong>Encryption</strong> are listed with the system’s assigned policy.<br />
4 Select the Product Setting policy category, then click Edit Assignments.<br />
5 If the policy is inherited, select Break inheritance <strong>and</strong> assign the policy <strong>and</strong> settings<br />
below next to Inherit from.<br />
6 From the Assigned policy drop-down list, select the Product Setting policy.<br />
NOTE: From this location, you can edit the selected policy, or create a new policy.<br />
7 Select whether to lock policy inheritance to prevent any systems that inherit this policy<br />
from having another one assigned in its place.<br />
8 When modifying the default policy or creating the new policy, select any one of the disk<br />
encryption options other than None, by navigating to <strong>Encryption</strong> (tab) | Encrypt. The<br />
default option None does not initiate the encryption.<br />
9 Click Save.<br />
En<strong>for</strong>ce EE policies on a system<br />
Enable or disable policy en<strong>for</strong>cement <strong>for</strong> <strong>McAfee</strong> <strong>Endpoint</strong> <strong>Encryption</strong> on a system. Policy<br />
en<strong>for</strong>cement is enabled by default, <strong>and</strong> is inherited in the System Tree.<br />
Be<strong>for</strong>e you begin<br />
You must have appropriate permissions to per<strong>for</strong>m this task.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Click Menu | Systems | System Tree | Systems, then under System Tree, select the<br />
group where the system belongs. The list of systems belonging to this group appears in<br />
the details pane.<br />
2 Select a system, then click Actions | Agent | Modify Policies on a Single System. The<br />
Policy Assignment page appears.<br />
3 Select <strong>Endpoint</strong> <strong>Encryption</strong> 1.1.0, then click En<strong>for</strong>cing next to En<strong>for</strong>cement status.<br />
The En<strong>for</strong>cement page appears.<br />
4 To change the en<strong>for</strong>cement status, select Break inheritance <strong>and</strong> assign the policy<br />
<strong>and</strong> settings below.<br />
5 Next to En<strong>for</strong>cement status, select En<strong>for</strong>cing or Not en<strong>for</strong>cing accordingly, then click<br />
Save.<br />
After restarting, the client system communicates with the ePolicy Orchestrator server <strong>and</strong><br />
pulls down the assigned <strong>Endpoint</strong> <strong>Encryption</strong> policies <strong>and</strong> encrypts the system according<br />
to the defined policies. The assigned user can be initialized through the Pre-Boot screen<br />
after the subsequent restart.<br />
Edit the client tasks<br />
Edit a client task’s settings or schedule information for any existing task. For more details and<br />
procedures on how to perform this task, see the ePolicy Orchestrator product documentation<br />
for versions 4.5 and 4.6.<br />
Be<strong>for</strong>e you begin<br />
You must have appropriate permissions to per<strong>for</strong>m this task.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Click Menu | Systems | System Tree | Client Tasks, then select the group in the System<br />
Tree that contains the required client task.<br />
2 Click Edit Settings next to the task. The Client Task Builder wizard opens.<br />
3 Edit the task settings as needed, then click Save.<br />
The managed systems receive these changes the next time the agent communicates with the<br />
server.<br />
Upgrading from EE<strong>PC</strong> 6.0.x to EE<strong>PC</strong> 6.1<br />
The primary goal of upgrading EE<strong>PC</strong> 6.0 <strong>and</strong> EE<strong>PC</strong> 6.0 Patch 1 <strong>and</strong> Patch 2 to EE<strong>PC</strong> 6.1 is to<br />
update the components while maintaining all of the existing encryption, policies, users,<br />
authentication details, Single Sign On (SSO) details, audit, <strong>and</strong> tokens.<br />
Contents<br />
Supported versions<br />
Overview of the upgrade process<br />
User experience summary<br />
Supported versions<br />
EE<strong>PC</strong> 6.1 supports the client upgrade from EE<strong>PC</strong> 6.0, EE<strong>PC</strong> 6.0 Patch 1, <strong>and</strong> Patch 2.<br />
Overview of the upgrade process<br />
Use the following high-level process to upgrade EE<strong>PC</strong> 6.0.x client.<br />
1 Install the necessary EE<strong>PC</strong> 6.1 extensions on the ePolicy Orchestrator server. You can also<br />
upgrade the 6.0.x extensions with 6.1 extensions.<br />
2 Check in the EE<strong>PC</strong> <strong>and</strong> EEAgent packages to <strong>McAfee</strong> ePO.<br />
3 Define the appropriate policy settings <strong>for</strong> 6.1, if you need to change the policies defined<br />
<strong>for</strong> 6.0.x.<br />
NOTE: Make sure that you have en<strong>for</strong>ced the required user-based policy to the user assigned<br />
to the client system.<br />
A requirement of EE<strong>PC</strong> 6.1 is that you need to specify which groups of users are allowed<br />
or not allowed to use the Policy Assignment Rules. The allowed users get their required<br />
User Based Policies. Users that are not allowed to use the Policy Assignment Rules inherit<br />
the default User Based Policies assigned to the system.<br />
4 Deploy EE<strong>PC</strong> 6.1 to the client system where 6.0.x is currently installed. This upgrades the<br />
EE<strong>PC</strong> 6.0.x client files into EE<strong>PC</strong> 6.1 client files.<br />
TIP: We recommend that you create separate client tasks <strong>for</strong> deploying the <strong>Endpoint</strong><br />
<strong>Encryption</strong> Agent <strong>for</strong> <strong>PC</strong> 1.1.0.x <strong>and</strong> <strong>Endpoint</strong> <strong>Encryption</strong> <strong>for</strong> <strong>PC</strong> <strong>6.1.0</strong>.x, then deploy them<br />
in sequence.<br />
5 Restart the client system after each deployment task completion. After restarting the client<br />
system, the new files <strong>and</strong> drivers are in place. The EE<strong>PC</strong> 6.1 encryption status dialog box<br />
shows the status as Active throughout the upgrade process.<br />
NOTE: After the upgrade, the only visible change is the version numbers in various modules<br />
lists.<br />
Configure UBP en<strong>for</strong>cement<br />
By default, all users inherit the default User Based Policy assigned to the system. To allow a<br />
user to use the required User Based Policies, you must enable UBP en<strong>for</strong>cement <strong>for</strong> that user.<br />
This overrides the default UBP on the system. If not, the user inherits the default UBP.<br />
A requirement of EE<strong>PC</strong> 6.1 is that you need to specify which groups of users are allowed or not<br />
allowed to use the Policy Assignment Rules. The allowed users get their required User Based<br />
Policies. Users that are not allowed to use the Policy Assignment Rules inherit the default User<br />
Based Policies assigned to the system.<br />
Be<strong>for</strong>e you begin<br />
You must have appropriate permissions to per<strong>for</strong>m this task.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Click Menu | Reporting | Queries. The Queries page opens.<br />
2 Select <strong>Endpoint</strong> <strong>Encryption</strong> from Shared Groups in Groups pane. The st<strong>and</strong>ard EE<br />
query list appears.<br />
3 Run the EE: Users query to list all the <strong>McAfee</strong> <strong>Endpoint</strong> <strong>Encryption</strong> Users.<br />
4 Select a user from the list to en<strong>for</strong>ce the policy.<br />
5 Click Actions | <strong>Endpoint</strong> <strong>Encryption</strong> | Configure UBP en<strong>for</strong>cement. The Configure<br />
UBP en<strong>for</strong>cement page appears with Enable <strong>and</strong> Disable options.<br />
6 Select Enable or Disable, then click OK to configure the UBP enforcement. On selecting<br />
Enable, Policy Assignment Rules are enabled for the selected users, and a specific UBP is<br />
assigned to the user according to the rules defined.<br />
NOTE: At each ASCI, ePolicy Orchestrator ensures that all the relevant user-based policies<br />
are deployed to each client in addition to the user-based policy <strong>for</strong> the logged on user<br />
configured with UBP en<strong>for</strong>cement.<br />
User experience summary<br />
This table summarizes the different phases and their status before, during, and after<br />
the client upgrade from EEPC 6.0.x to EEPC 6.1.<br />
Table 1: User experience summary<br />
<table>
<tr><th>State</th><th>Pre-Boot</th><th>Windows EE Logon</th><th>Comments</th></tr>
<tr><td>Before deploying EEPC 6.1 packages</td><td>EEPC 6.0.x</td><td>EEPC 6.0</td><td>The client system has EEPC 6.0.x installed</td></tr>
<tr><td>During the deployment of EEPC 6.1 to the client</td><td>EEPC 6.0.x</td><td>EEPC 6.0</td><td>The EEPC 6.1 deployment forces the client system to restart</td></tr>
<tr><td>After restarting the system due to the EEPC v6.1 deployment</td><td>EEPC 6.1</td><td>EEPC 6.1</td><td>• The 6.0.x status remains as Active throughout the upgrade process<br />
• The user credentials for both Windows and Pre-Boot logons are the same as 6.0.x for 6.1<br />
• SSO to Windows continues to function as it did before the upgrade</td></tr>
</table>
Uninstalling the EE<strong>PC</strong> client<br />
To uninstall EE<strong>PC</strong> from the client, you need to:<br />
• disable the EE<strong>PC</strong> product setting policy<br />
• make sure that the <strong>Endpoint</strong> <strong>Encryption</strong> System Status is Inactive<br />
• uninstall EE<strong>PC</strong> from the client.<br />
Contents<br />
Deactivate the EE<strong>PC</strong> client<br />
Remove EE<strong>PC</strong> from the client system<br />
Remove the EE<strong>PC</strong> extensions from ePolicy Orchestrator<br />
Remove the EE<strong>PC</strong> software packages from ePolicy Orchestrator<br />
Manually uninstall EE<strong>PC</strong> from the client system<br />
Deactivate the EE<strong>PC</strong> client<br />
Use ePolicy Orchestrator to deactivate the EE<strong>PC</strong> client.<br />
Be<strong>for</strong>e you begin<br />
You must have appropriate permissions to per<strong>for</strong>m this task.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Click Menu | Systems | System Tree | Systems, then select a group under System<br />
Tree. All the systems within this group (but not its subgroups) appear in the details pane.<br />
2 Select a system, then click Actions | Agent | Modify Policies on a Single System. The<br />
Policy Assignment page <strong>for</strong> that system appears.<br />
3 From the product drop-down list, select Endpoint Encryption 1.1.0. The policy categories<br />
under <strong>Endpoint</strong> <strong>Encryption</strong> are listed with the system’s assigned policy.<br />
4 Select the Product Setting policy category, then click Edit Assignments.<br />
5 If the policy is inherited, select Break inheritance <strong>and</strong> assign the policy <strong>and</strong> settings<br />
below that is present next to Inherit from.<br />
6 From the Assigned policy drop-down list, select the desired product setting policy.<br />
NOTE: From this location, you can edit the selected policy, or create a new policy.<br />
7 Select whether to lock policy inheritance to prevent any systems that inherit this policy<br />
from having another one assigned in its place.<br />
8 On the General tab, deselect Enable policy.<br />
9 Click Save in the Policy Settings page, then click Save in the Product Settings page.<br />
10 Send an agent wake-up call.<br />
NOTE: On disabling the product setting policy, all the encrypted drives get decrypted <strong>and</strong><br />
the <strong>Endpoint</strong> <strong>Encryption</strong> status becomes Inactive. This may take a few hours depending<br />
on the number <strong>and</strong> size of the encrypted drives.<br />
Remove EE<strong>PC</strong> from the client system<br />
Set up the client task to automatically remove the EEPC software from the client computers.<br />
For more details and procedures on how to perform this task, see the ePolicy Orchestrator<br />
product documentation for versions 4.5 and 4.6.<br />
Before you begin<br />
Make sure that you deactivate the Endpoint Encryption Agent before removing EEPC from the client<br />
system.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Log on to the ePolicy Orchestrator server as an administrator.<br />
2 Click Menu | Systems | System Tree, then select a required group or system(s) from<br />
the System Tree.<br />
3 On the Client Tasks tab, click Actions, then select New Task from the drop-down menu.<br />
The Client Task Builder wizard opens with the Description page.<br />
4 Type a Name <strong>and</strong> Notes <strong>for</strong> the task, select the Type as Product Deployment from<br />
the drop-down list, select whether the task should be sent to all computers or to tagged<br />
computers, then click Next. The Configuration page appears.<br />
5 Select the Target plat<strong>for</strong>m as Windows.<br />
6 From the Products <strong>and</strong> components drop-down list, select <strong>Endpoint</strong> <strong>Encryption</strong> <strong>for</strong> <strong>PC</strong><br />
<strong>6.1.0</strong>.x to specify the version of EE<strong>PC</strong> to remove <strong>and</strong>, if needed, additional comm<strong>and</strong>-line<br />
parameters.<br />
7 Select the Action as Remove.<br />
NOTE: If you are working in a Windows environment, check whether to run the task at<br />
each policy en<strong>for</strong>cement interval.<br />
8 Click Next to open the Schedule page.<br />
9 Change the Schedule Type as required <strong>and</strong> click Next. The Summary page appears.<br />
10 Verify the task’s details, then click Save. The new deployment task is sent to the client<br />
computers at the next agent-server communication.<br />
11 Send an agent wake-up call.<br />
NOTE: Follow the same procedure to remove <strong>Endpoint</strong> <strong>Encryption</strong> Agent <strong>for</strong> Windows<br />
1.1.0.x from the client system. We recommend that you remove <strong>Endpoint</strong> <strong>Encryption</strong><br />
<strong>for</strong> <strong>PC</strong> <strong>6.1.0</strong>.x be<strong>for</strong>e removing <strong>Endpoint</strong> <strong>Encryption</strong> Agent <strong>for</strong> Windows 1.1.0.x.<br />
Remove the EEPC extensions from ePolicy Orchestrator<br />
To uninstall the EE<strong>PC</strong> extension <strong>and</strong> the checked in packages, you need to remove them from<br />
the <strong>McAfee</strong> ePO server.<br />
If both EEPC and EEMac are managed by a single McAfee ePO server, you can<br />
remove the EEAdmin extension only when McAfee ePO management is not required for<br />
both products.<br />
Before you begin<br />
Make sure that you deactivate the Endpoint Encryption Agent before removing the EEPC extension from<br />
the McAfee ePO server.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Log on to the ePolicy Orchestrator server as an administrator.<br />
2 Click Menu | Software | Extensions, then select Endpoint Encryption. The Extension<br />
page appears with the extension name and version details.<br />
3 On the Extension page, click Remove. The Remove extension confirmation page appears.<br />
4 Click OK to remove the extension.<br />
NOTE: You need to follow the same procedure to remove both the extension files EEPC.ZIP<br />
and EEADMIN.ZIP; however, the extension file EEPC.ZIP needs to be removed first.<br />
Remove the EEPC software packages from ePolicy Orchestrator<br />
Use <strong>McAfee</strong> ePO to remove the EE<strong>PC</strong> software packages.<br />
Be<strong>for</strong>e you begin<br />
Make sure that you deactivate the Endpoint Encryption Agent before removing the EEPC software package<br />
from McAfee ePO.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Log on to the ePolicy Orchestrator server as an administrator.<br />
2 Click Menu | Software | Master Repository. The Packages in Master Repository page<br />
appears with the list of software packages <strong>and</strong> their details.<br />
3 Click Delete against the EE<strong>PC</strong> software packages. The Delete package confirmation page<br />
appears.<br />
4 Click OK to delete the EE<strong>PC</strong> software package from the ePO master repository.<br />
NOTE: You need to follow the same procedure to remove both the packages MfeEEAgent.ZIP<br />
<strong>and</strong> MfeEE<strong>PC</strong>.ZIP. You can also use this procedure to remove the themes <strong>and</strong> simple words<br />
packages that are automatically added to the master repository.<br />
Manually uninstall EE<strong>PC</strong> from the client system<br />
Use this task to manually uninstall EE<strong>PC</strong> from the client system.<br />
Be<strong>for</strong>e you begin<br />
Make sure that you deactivate the <strong>Endpoint</strong> <strong>Encryption</strong> Agent be<strong>for</strong>e initiating the manual<br />
removal process.<br />
You must have administrator privileges to per<strong>for</strong>m this task.<br />
Task<br />
1 On the client system, after deactivating the Endpoint Encryption Agent, browse to the<br />
following registry values and double-click the Uninstall command. The Edit String dialog<br />
box appears.<br />
• For EE Agent on 32-bit system: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\EEADMIN_1000<br />
• For EEPC on 32-bit system: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\EEPC<br />
• For EE Agent on 64-bit system: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Application Plugins\EEADMIN_1000<br />
• For EEPC on 64-bit system: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Application Plugins\EEPC<br />
2 Copy the Value data from the Edit String dialog box, then paste and run it at the command<br />
prompt. You can retain the /q switch and add the /norestart switch to run a silent removal and to avoid<br />
restarting the system after uninstalling EEPC.<br />
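The lookup in steps 1 and 2, as an added PowerShell example that is not part of the product guide: it reads the uninstall string from the four registry keys listed in step 1 and prints it with /norestart appended, without running it.<br />
Matching the value by a name that starts with "Uninstall" is an assumption; the guide only calls it the Uninstall command.<br />

```powershell
# Added example, not McAfee code. Read-only: prints the stored uninstall
# command for review and never executes it. Use it only after the client
# has been deactivated (see "Before you begin").

# Registry locations from step 1: the native view (32-bit systems) and
# Wow6432Node (64-bit systems).
$roots = @(
    'HKLM:\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins',
    'HKLM:\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Application Plugins'
)

# Plugin key names from step 1 (EEPC and the EE Agent).
$plugins = @('EEPC', 'EEADMIN_1000')

function Get-EEUninstallCommand {
    param([Parameter(Mandatory = $true)][string] $KeyPath)

    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }

    $key = Get-ItemProperty -LiteralPath $KeyPath
    # Assumption: the value the guide calls "the Uninstall command" has a
    # name that starts with "Uninstall".
    $value = $key.PSObject.Properties |
        Where-Object { $_.Name -like 'Uninstall*' } |
        Select-Object -First 1
    if ($null -eq $value) { return $null }
    return [string]$value.Value
}

function Add-NoRestartSwitch {
    param([Parameter(Mandatory = $true)][string] $Command)

    # Keep whatever the stored command already has (including /q) and
    # append /norestart only if it is not there yet.
    if ($Command -match '(^|\s)/norestart(\s|$)') { return $Command }
    return ($Command.TrimEnd() + ' /norestart')
}

foreach ($plugin in $plugins) {
    $command = $null
    foreach ($root in $roots) {
        $command = Get-EEUninstallCommand -KeyPath "$root\$plugin"
        if ($command) { break }
    }
    if ($command) {
        Write-Output ("{0}: {1}" -f $plugin, (Add-NoRestartSwitch -Command $command))
    } else {
        Write-Output ("{0}: no uninstall command found in either registry view" -f $plugin)
    }
}
```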
Installing the EE<strong>Mac</strong> client<br />
The EE<strong>Mac</strong> extensions, agent, <strong>and</strong> the software packages are checked in to <strong>McAfee</strong> ePO <strong>for</strong><br />
the management functionality. This is necessary be<strong>for</strong>e deploying the software <strong>and</strong> configuring<br />
the policies.<br />
CAUTION: Be<strong>for</strong>e you begin, make sure that any competitor's encryption products are removed<br />
from the client system be<strong>for</strong>e installing EE<strong>Mac</strong>. Also, avoid installing any other encryption<br />
products after installing EE<strong>Mac</strong>.<br />
Contents<br />
Summary of the client installation process<br />
Deploy <strong>McAfee</strong> Agent to <strong>Mac</strong> OS X client<br />
Install the EE<strong>Mac</strong> extensions using <strong>McAfee</strong> ePO<br />
Check in the EE<strong>Mac</strong> software packages (EEAgent <strong>and</strong> EE<strong>Mac</strong>) to ePolicy Orchestrator<br />
Register Windows Active Directory<br />
Configure automation tasks <strong>for</strong> LDAP synchronization<br />
Deploy EE<strong>Mac</strong> to the client system<br />
Add users to a system<br />
Assign a policy to a system<br />
En<strong>for</strong>ce EE policies on a system<br />
Summary of the client installation process<br />
The EE<strong>Mac</strong> client software is deployed from the <strong>McAfee</strong> ePO server <strong>and</strong> installed through <strong>McAfee</strong><br />
Agent. The installation of EE<strong>Mac</strong> installs the Pre-Boot File System (PBFS) on the client system.<br />
The client system requires a restart to complete the installation of the EE<strong>Mac</strong> software. After<br />
the restart, it communicates with ePolicy Orchestrator <strong>and</strong> pulls down the assigned <strong>Endpoint</strong><br />
Encryption policies and encrypts the system according to the defined policies. The assigned user<br />
can be initialized through the Pre-Boot screen after the subsequent restart. The summary of<br />
the client installation process is depicted in Figure 3.<br />
Figure 3: Process overview of installation<br />
The overall EEMac installation and deployment process can be simplified into the following steps:<br />
NOTE: This assumes that the user has already successfully installed ePolicy Orchestrator <strong>and</strong><br />
has the <strong>McAfee</strong> Agent installed on various systems which successfully communicate with the<br />
<strong>McAfee</strong> ePO server.<br />
1 Install the EEAdmin <strong>and</strong> EE<strong>Mac</strong> extensions into the <strong>McAfee</strong> ePO server.<br />
2 Check in the EEMac software packages (MfeEeMac-1.0.0.x.ZIP and MfeEEAgent-1.0.0.x.ZIP)<br />
to the <strong>McAfee</strong> ePO server.<br />
3 Configure the registered server (Windows Active Directory).<br />
4 Configure <strong>and</strong> run the automation task <strong>for</strong> LDAP Synchronization.<br />
5 Deploy the <strong>Endpoint</strong> <strong>Encryption</strong> Agent to the <strong>Mac</strong> client.<br />
6 Deploy the <strong>Endpoint</strong> <strong>Encryption</strong> <strong>for</strong> <strong>Mac</strong> to the <strong>Mac</strong> client.<br />
7 Restart the client system. You should now be able to see the <strong>Encryption</strong> icon | <strong>McAfee</strong><br />
<strong>Endpoint</strong> <strong>Encryption</strong> System Status option on the menu bar that is present on the desktop<br />
of the client.<br />
8 Add users to a system or a group of systems.<br />
9 Create a product settings policy or edit the default policy, then assign it to a system or a<br />
group of systems.<br />
10 Create a user-based policy or edit the default policy, then assign it to a user or a group of<br />
users on a system.<br />
NOTE: The <strong>Endpoint</strong> <strong>Encryption</strong> System Status changes from Inactive to Active only after<br />
adding the user <strong>and</strong> en<strong>for</strong>cing the policies correctly.<br />
11 Verify the <strong>Endpoint</strong> <strong>Encryption</strong> System Status by clicking the <strong>Encryption</strong> icon | <strong>McAfee</strong><br />
<strong>Endpoint</strong> <strong>Encryption</strong> System Status option on the menu bar that is present on the desktop<br />
of the client. If the <strong>Endpoint</strong> <strong>Encryption</strong> system state is Active, it displays the system<br />
partition/volume list under Volume Status. Volume status that is either Encrypted or<br />
Decrypted is also displayed <strong>for</strong> each partition/volume.<br />
Deploy <strong>McAfee</strong> Agent to <strong>Mac</strong> OS X client<br />
It is not possible to deploy <strong>McAfee</strong> Agent <strong>for</strong> <strong>Mac</strong> through <strong>McAfee</strong> ePO. You need to install the<br />
<strong>McAfee</strong> Agent on a <strong>Mac</strong> client system using the install.sh file. You can get this file from the<br />
Windows-based system where <strong>McAfee</strong> ePO is installed.<br />
The client system is automatically added to the System Tree in ePolicy Orchestrator on successful<br />
installation of the <strong>McAfee</strong> Agent <strong>for</strong> <strong>Mac</strong> on the <strong>Mac</strong> client system.<br />
For more details and procedures, see the ePolicy Orchestrator product documentation for<br />
versions 4.5 and 4.6.<br />
Be<strong>for</strong>e you begin<br />
You must have appropriate permissions to per<strong>for</strong>m this task.<br />
Task<br />
You should install the McAfee Agent for Mac using the Terminal on the Mac. After<br />
installing the McAfee Agent for Mac OS X, the Mac client system communicates back to the<br />
McAfee ePO server. This process usually takes some time.<br />
Select This group <strong>and</strong> all subgroups in Filter in the System Tree page, then refresh ePolicy<br />
Orchestrator. The ePolicy Orchestrator displays the <strong>Mac</strong> client system details under System<br />
Tree | Systems after the first agent-to-server communication.<br />
1 Check in the <strong>McAfee</strong> Agent <strong>for</strong> <strong>Mac</strong> OS X package to the master repository.<br />
2 Copy the install.sh file from this location on the Windows-based system:<br />
C:\Program Files\McAfee\ePolicy Orchestrator\DB\Software\Current\EPOAGENT3700MACX\Install\0409<br />
To download the Agent installation package using ePolicy Orchestrator:<br />
1 Click Menu | Systems | System Tree | System Tree Actions | New Systems on<br />
the McAfee ePO server. The New Systems page appears.<br />
2 Select Create <strong>and</strong> download agent installation package from How to add<br />
systems.<br />
3 Select Non-Windows <strong>and</strong> <strong>McAfee</strong> Agent <strong>for</strong> <strong>Mac</strong> OS X 4.5/4.6 from Select<br />
Agent Package, <strong>and</strong> deselect Use Credentials, then click OK. The Download file<br />
page appears.<br />
4 Click the install link to open the file, or right-click the link to download <strong>and</strong> save the<br />
file.<br />
3 Place the copied install.sh file on the desktop.<br />
4 On the Terminal, type this command to go to the location where the install.sh file is<br />
present: cd /Users//Desktop<br />
5 Deploy the <strong>McAfee</strong> Agent on the <strong>Mac</strong> client with one of these comm<strong>and</strong>s:<br />
• sudo ./install.sh -i (<strong>for</strong> a fresh installation)<br />
• sudo ./install.sh -u (<strong>for</strong> an upgrade of the agent)<br />
NOTE: Type the administrator password if prompted.<br />
The installation path of <strong>McAfee</strong> Agent is /Library/<strong>McAfee</strong>/cma/<br />
The uninstall path of <strong>McAfee</strong> Agent is /Library/<strong>McAfee</strong>/cma/uninstall.sh<br />
6 To monitor the <strong>McAfee</strong> Agent logs, run the comm<strong>and</strong> sudo tail -f<br />
/Library/<strong>McAfee</strong>/cma/scratch/etc/log <strong>and</strong> provide the administrator password when prompted.<br />
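
Steps 4 to 6 above, wrapped in a pre-flight check, as an added example that is not part of the McAfee guide: because install.sh runs under sudo, the wrapper refuses to run it if the file is a symbolic link or if the file or its directory is group- or world-writable, then picks -i or -u. The function names, the $HOME/Desktop default, and treating an existing uninstall.sh as the sign of an installed agent are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight checks around the guide's install.sh commands.
# The paths and the -i / -u flags come from the guide; the function names and
# the "uninstall.sh present means upgrade" rule are assumptions of this example.

CMA_DIR="/Library/McAfee/cma"          # agent install path per the guide
CMA_LOG="$CMA_DIR/scratch/etc/log"     # agent log per step 6

# Print -u when an agent already appears to be installed, otherwise -i.
# Optional $1 overrides the install directory (used for testing).
agent_install_flag() {
    _dir="${1:-$CMA_DIR}"
    if [ -f "$_dir/uninstall.sh" ]; then
        printf '%s\n' "-u"
    else
        printf '%s\n' "-i"
    fi
}

# Return 0 only if $1 is a regular file (not a symlink) and neither the file
# nor its directory is writable by group or others. The script is about to run
# as root, so nothing another account can modify should be on that path.
script_is_safe_to_sudo() {
    _script="$1"
    if [ -L "$_script" ]; then
        echo "refusing: $_script is a symbolic link" >&2
        return 1
    fi
    if [ ! -f "$_script" ]; then
        echo "refusing: $_script not found" >&2
        return 1
    fi
    # -prune keeps find from descending into the directory operand
    _loose=$(find "$_script" "$(dirname "$_script")" -prune \
        \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$_loose" ]; then
        echo "refusing: group- or world-writable: $_loose" >&2
        return 1
    fi
    return 0
}

# Steps 4 to 6 of the procedure: cd to the script, install or upgrade, follow the log.
deploy_agent() {
    _target="${1:-$HOME/Desktop/install.sh}"
    script_is_safe_to_sudo "$_target" || return 1
    _flag=$(agent_install_flag)
    echo "running: sudo ./install.sh $_flag in $(dirname "$_target")"
    ( cd "$(dirname "$_target")" && sudo ./"$(basename "$_target")" "$_flag" ) || return 1
    sudo tail -f "$CMA_LOG"            # Ctrl-C to stop following the log
}

# Only act when invoked as: sh deploy_agent.sh --run [path/to/install.sh]
if [ "${1:-}" = "--run" ]; then
    deploy_agent "${2:-}"
fi
```
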
Install the EE<strong>Mac</strong> extensions using <strong>McAfee</strong> ePO<br />
You can install the EE<strong>Mac</strong> extensions on the ePolicy Orchestrator server using the Software tab.<br />
Be<strong>for</strong>e you begin<br />
You must have appropriate permissions to per<strong>for</strong>m this task.<br />
You must install the extensions in order: EEADMIN.ZIP first, then EE<strong>Mac</strong>.ZIP.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Log on to the ePolicy Orchestrator server as an administrator.<br />
2 Click Menu | Software | Extensions | Install Extension. The Install Extension dialog<br />
box appears.<br />
3 Click Browse <strong>and</strong> select the extension file EEADMIN.ZIP, then click OK. The Install<br />
Extension page appears with the extension name <strong>and</strong> version details.<br />
4 Click OK.<br />
5 Repeat steps 2 <strong>and</strong> 4 to install the EE<strong>Mac</strong>.ZIP extension.<br />
Check in the EE<strong>Mac</strong> software packages (EEAgent<br />
<strong>and</strong> EE<strong>Mac</strong>) to ePolicy Orchestrator<br />
Use ePolicy Orchestrator to check in the EE<strong>Mac</strong> software packages (EEAgent <strong>and</strong> EE<strong>Mac</strong>) to<br />
the master repository.<br />
Be<strong>for</strong>e you begin<br />
You must have appropriate permissions to per<strong>for</strong>m this task.<br />
Be<strong>for</strong>e checking in the software packages, make sure there are no pull or replication tasks<br />
running.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Log on to the ePolicy Orchestrator server as an administrator.<br />
2 Click Menu | Software | Master Repository, then click Actions | Check In Package.<br />
The Check In Package wizard opens.<br />
3 From the Package type list, select Product or Update (.ZIP), then browse to <strong>and</strong> select<br />
the MfeEe<strong>Mac</strong>-<strong>1.0.0</strong>.x.ZIP package file.<br />
4 Click Next to display the Package Options page.<br />
5 Click Save to begin checking in the package. Wait while the package is checked in.<br />
6 Repeat steps 2 through 5 to install the MfeEEAgent-<strong>1.0.0</strong>.x.ZIP package.<br />
The new package appears in the Packages in Master Repository list on the Master Repository<br />
page.<br />
Register Windows Active Directory<br />
Use this option to register a Windows Active Directory.<br />
Be<strong>for</strong>e you begin<br />
• You must have a registered AD to enable dynamically assigned permission sets <strong>and</strong> automatic<br />
user account creation.<br />
• Make sure you have the appropriate rights to modify server settings, permission sets, users,<br />
<strong>and</strong> registered servers.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Log on to the ePolicy Orchestrator server as an administrator.<br />
2 Click Menu | Configuration | Registered Servers, then click New Server. The<br />
Registered Server Builder wizard opens.<br />
3 From the Server type drop-down list on the Description page, select LDAP Server, specify<br />
a unique name (a user-friendly name) <strong>and</strong> any details, then click Next. The Details page<br />
appears.<br />
4 Type the Domain name or the Server name.<br />
NOTE: Use DNS-style domain name. While using DNS-style domain name, ensure that the<br />
system is configured with appropriate DNS setting <strong>and</strong> can resolve the DNS-style domain<br />
name of the Active Directory. The Server name is the name or IP address of the system<br />
where the Windows Active Directory is present.<br />
5 Type the User name.<br />
NOTE: The User name should be of the <strong>for</strong>mat: domain\Username <strong>for</strong> Active Directory accounts.<br />
6 Type the Password <strong>and</strong> confirm it.<br />
7 Click Test Connection to ensure that the connection to the server works, then click Save.<br />
Configure automation tasks <strong>for</strong> LDAP<br />
synchronization<br />
You can create many tasks that run at scheduled intervals to manage the <strong>McAfee</strong> ePO server<br />
<strong>and</strong> <strong>McAfee</strong> <strong>Endpoint</strong> <strong>Encryption</strong> software.<br />
Be<strong>for</strong>e you begin<br />
You must have appropriate permissions to per<strong>for</strong>m this task.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Log on to the ePolicy Orchestrator server as an administrator.<br />
2 Click Menu | Automation | Server Tasks. The Server Tasks page opens.<br />
3 Click Actions | New Task. The Server Task Builder wizard opens.<br />
4 On the Description page, name the task, type some notes about the task, <strong>and</strong> choose<br />
whether it is enabled, then click Next. The Actions page appears.<br />
5 From the Actions drop-down list, select EE LDAP Server User/Group Synchronization<br />
<strong>and</strong> accept the default values.<br />
6 Click Next. The Schedule page appears.<br />
7 Schedule the task, then click Next to display the Summary page.<br />
8 Review the task details, then click Save.<br />
NOTE: In addition to the task running at the scheduled time, you can run this task<br />
immediately by clicking Run next to the task on the Server Tasks page.<br />
Deploy EE<strong>Mac</strong> to the client system<br />
Use this task to set up the client task to automatically install the EE<strong>Mac</strong> to the client computers.<br />
For more details <strong>and</strong> procedures on how to per<strong>for</strong>m this task, see the ePolicy Orchestrator<br />
product documentation <strong>for</strong> versions 4.5 <strong>and</strong> 4.6.<br />
Be<strong>for</strong>e you begin<br />
You must have appropriate permissions to per<strong>for</strong>m this task.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Log on to the ePolicy Orchestrator server as an administrator.<br />
2 Click Menu | Systems | System Tree <strong>and</strong> select a required group or system(s) from the<br />
System Tree pane on the left.<br />
3 On the Client Tasks tab, click Actions, then select New Task from the drop-down menu.<br />
The Client Task Builder wizard opens with the Description page.<br />
4 Type a Name <strong>and</strong> Notes <strong>for</strong> the task, select the Type as Product Deployment from<br />
the drop-down list, select whether the task should be sent to all computers or to tagged<br />
computers, then click Next. The Configuration page appears.<br />
5 Select the Target plat<strong>for</strong>m as <strong>Mac</strong>.<br />
6 From the Products <strong>and</strong> components drop-down list, select <strong>Endpoint</strong> <strong>Encryption</strong> Agent<br />
<strong>for</strong> <strong>Mac</strong> OS X <strong>1.0.0</strong>.X to specify the version of the agent to deploy <strong>and</strong>, if needed,<br />
additional comm<strong>and</strong>-line parameters.<br />
7 Select the Action as Install.<br />
8 Click Next to open the Schedule page.<br />
9 Change the Schedule Type as required <strong>and</strong> click Next. The Summary page appears.<br />
10 Verify the task’s details, then click Save. The new deployment task is sent to the client<br />
computers at the next agent-server communication.<br />
11 Send an agent wake-up call.<br />
Follow the same procedure to deploy <strong>Endpoint</strong> <strong>Encryption</strong> <strong>for</strong> <strong>Mac</strong> OS X <strong>1.0.0</strong>.X. We<br />
recommend that you deploy <strong>Endpoint</strong> <strong>Encryption</strong> Agent <strong>for</strong> <strong>Mac</strong> OS X <strong>1.0.0</strong>.X be<strong>for</strong>e<br />
deploying <strong>Endpoint</strong> <strong>Encryption</strong> <strong>for</strong> <strong>Mac</strong> OS X <strong>1.0.0</strong>.X.<br />
TIP: We recommend that you create separate client tasks <strong>for</strong> deploying <strong>Endpoint</strong> <strong>Encryption</strong><br />
Agent <strong>for</strong> <strong>Mac</strong> OS X <strong>1.0.0</strong>.X <strong>and</strong> <strong>Endpoint</strong> <strong>Encryption</strong> <strong>for</strong> <strong>Mac</strong> OS X <strong>1.0.0</strong>.X, then deploy<br />
them in sequence.<br />
Send an agent wake-up call<br />
The client gets the policy update whenever it connects to the <strong>McAfee</strong> ePO server. The policy<br />
update can be scheduled or <strong>for</strong>ced. The agent wake-up call option <strong>for</strong>ces the policy update to<br />
the client system.<br />
NOTE: For more in<strong>for</strong>mation on adding a new system, see the ePolicy Orchestrator product<br />
documentation <strong>for</strong> versions 4.5 <strong>and</strong> 4.6.<br />
Be<strong>for</strong>e you begin<br />
You must have appropriate permissions to per<strong>for</strong>m this task.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Log on to the ePolicy Orchestrator server as an administrator.<br />
2 Click Menu | Systems | System Tree.<br />
3 Select a system group from the System Tree.<br />
4 Select the System Name(s) of that group.<br />
5 Click Actions | Agents | Wake Up Agents from the drop-down menu. The Wake Up<br />
Agents page appears.<br />
6 Select a Wake-up call type <strong>and</strong> a R<strong>and</strong>omization period (0-60 minutes) by which the<br />
system(s) respond to the wake-up call sent by the ePO server.<br />
7 Select Get full product properties <strong>for</strong> the agent(s) to send complete properties instead<br />
of sending only the properties that have changed since the last agent-to-server<br />
communication.<br />
8 Click OK.<br />
NOTE: Navigate to Menu | Automation | Server Task Log to see the status of the agent<br />
wake-up call.<br />
Add users to a system<br />
Use ePolicy Orchestrator to add the EE<strong>Mac</strong> users to the client system.<br />
Be<strong>for</strong>e you begin<br />
You must have appropriate permissions to per<strong>for</strong>m this task.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Click Menu | Data Protection | <strong>Encryption</strong> Users. The My Organization page opens.<br />
2 Select a required group or system(s) from the System Tree pane on the left.<br />
NOTE: To add users to a particular system, select the required system from the System<br />
Tab under My Organization pane on the right.<br />
3 Click Actions | <strong>Endpoint</strong> <strong>Encryption</strong> | Add Users. The Add <strong>Endpoint</strong> <strong>Encryption</strong> Users<br />
page opens.<br />
4 Add users: Click + in the Users field, browse to the users list, select the Users, then click<br />
OK.<br />
5 Add groups: Click + in the From the groups field, browse to the users groups list, select<br />
the groups, then click OK.<br />
6 Add an organizational unit: Click + in the From the organizational units field, browse<br />
to the organizational unit list, select the unit, then click OK.<br />
7 In the Add <strong>Endpoint</strong> <strong>Encryption</strong> Users page, click OK.<br />
Assign a policy to a system<br />
Assign a policy to a specific set of managed systems. You can assign policies be<strong>for</strong>e or after<br />
deploying the <strong>McAfee</strong> <strong>Endpoint</strong> <strong>Encryption</strong> software.<br />
Be<strong>for</strong>e you begin<br />
You must have appropriate permissions to per<strong>for</strong>m this task.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Click Menu | Systems | System Tree | Systems, then select a group under System<br />
Tree. All the systems within this group (but not its subgroups) appear in the details pane.<br />
2 Select a system, then click Actions | Agent | Modify Policies on a Single System. The<br />
Policy Assignment page <strong>for</strong> that system appears.<br />
3 From the Product drop-down list, select <strong>Endpoint</strong> <strong>Encryption</strong> 1.1.x. The policy categories<br />
under <strong>Endpoint</strong> <strong>Encryption</strong> are listed with the system’s assigned policy.<br />
4 Select the Product Setting policy category, then click Edit Assignments.<br />
5 If the policy is inherited, select Break inheritance <strong>and</strong> assign the policy <strong>and</strong> settings<br />
below next to Inherit from.<br />
6 From the Assigned policy drop-down list, select the Product Setting policy.<br />
NOTE: From this location, you can edit the selected policy, or create a new policy.<br />
7 Choose whether to lock policy inheritance to prevent any systems that inherit this policy<br />
from having another one assigned in its place.<br />
8 While modifying the default policy or creating the new policy, select any one of the disk<br />
encryption options other than None, by navigating to <strong>Encryption</strong> (tab) | Encrypt. The<br />
default option None does not initiate the encryption.<br />
9 Click Save.<br />
En<strong>for</strong>ce EE policies on a system<br />
Enable or disable policy en<strong>for</strong>cement <strong>for</strong> EE on a system. Policy en<strong>for</strong>cement is enabled by<br />
default, <strong>and</strong> is inherited in the System Tree. For more details <strong>and</strong> procedures on how to per<strong>for</strong>m<br />
this task, see the ePolicy Orchestrator product documentation <strong>for</strong> versions 4.5 <strong>and</strong> 4.6.<br />
Be<strong>for</strong>e you begin<br />
You must have appropriate permissions to per<strong>for</strong>m this task.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Click Menu | Systems | System Tree | Systems, then select a group under System<br />
Tree where the system belongs. The list of systems belonging to this group appears in the<br />
details pane.<br />
2 Select a system, then click Actions | Agent | Modify Policies on a Single System. The<br />
Policy Assignment page appears.<br />
3 Select <strong>Endpoint</strong> <strong>Encryption</strong> 1.1.x, then click En<strong>for</strong>cing next to En<strong>for</strong>cement status.<br />
The En<strong>for</strong>cement page appears.<br />
4 If you want to change the en<strong>for</strong>cement status you must first select Break inheritance<br />
<strong>and</strong> assign the policy <strong>and</strong> settings below.<br />
5 Next to En<strong>for</strong>cement status, select En<strong>for</strong>cing or Not en<strong>for</strong>cing accordingly, then click<br />
Save.<br />
After restarting, the client system communicates with the ePolicy Orchestrator server <strong>and</strong> pulls down the<br />
assigned <strong>McAfee</strong> <strong>Endpoint</strong> <strong>Encryption</strong> policies <strong>and</strong> encrypts the system according to the<br />
defined policies. The assigned user can be initialized through the Pre-Boot screen after the<br />
subsequent restart.<br />
Edit the client tasks<br />
Edit a client task’s settings or schedule in<strong>for</strong>mation <strong>for</strong> any existing task. For more details<br />
<strong>and</strong> procedures on how to per<strong>for</strong>m this task, see the ePolicy Orchestrator product documentation<br />
<strong>for</strong> versions 4.5 <strong>and</strong> 4.6.<br />
Be<strong>for</strong>e you begin<br />
You must have appropriate permissions to per<strong>for</strong>m this task.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Click Menu | Systems | System Tree | Client Tasks, then select the group where the<br />
desired client task was in the System Tree.<br />
2 Click Edit Settings next to the task. The Client Task Builder wizard opens.<br />
3 Edit the task settings as needed, then click Save.<br />
The managed systems receive these changes the next time the agents communicate with the<br />
server.<br />
Deploying the st<strong>and</strong>alone versions of EE<strong>Mac</strong><br />
to the client systems<br />
The EE<strong>Mac</strong> product allows the deployment of st<strong>and</strong>alone versions of EE<strong>Mac</strong> to the client systems.<br />
Contents<br />
Deploy the st<strong>and</strong>alone version of EEAgent on <strong>Mac</strong> client<br />
Deploy the st<strong>and</strong>alone version of EE<strong>Mac</strong> on <strong>Mac</strong> client<br />
Deploy the st<strong>and</strong>alone version of EEAgent on <strong>Mac</strong><br />
client<br />
You can install the st<strong>and</strong>alone version of EEAgent on the <strong>Mac</strong> client using the given package<br />
MfeEeAgent-<strong>1.0.0</strong>.X.dmg.<br />
Be<strong>for</strong>e you begin<br />
You must have appropriate permissions to per<strong>for</strong>m this task.<br />
Task<br />
1 Copy the MfeEeAgent-<strong>1.0.0</strong>.X.dmg file to a location in the <strong>Mac</strong> client.<br />
2 Double-click the MfeEeAgent-<strong>1.0.0</strong>.X.dmg file to begin the installation. The<br />
MfeEeAgent-<strong>1.0.0</strong>.X screen appears with the package file MfeEeAgent.pkg.<br />
3 Double-click the MfeEeAgent.pkg file. The Install <strong>McAfee</strong> <strong>Endpoint</strong> <strong>Encryption</strong> Agent <strong>for</strong><br />
<strong>Mac</strong> OS X Installer screen appears <strong>and</strong> this displays the Introduction option.<br />
4 Click Install on the Installation Type page to initiate the installation of the EEAgent on the<br />
<strong>Mac</strong> client. On clicking Install option, the Installation page appears, then the Summary<br />
page appears.<br />
5 Click Close to complete the installation.<br />
Deploy the st<strong>and</strong>alone version of EE<strong>Mac</strong> on <strong>Mac</strong><br />
client<br />
You can install the st<strong>and</strong>alone version of EE<strong>Mac</strong> on the <strong>Mac</strong> client using the given package<br />
MfeEe<strong>Mac</strong>-<strong>1.0.0</strong>.X.dmg.<br />
Be<strong>for</strong>e you begin<br />
You must have appropriate permissions to per<strong>for</strong>m this task.<br />
Task<br />
1 Copy the MfeEe<strong>Mac</strong>-<strong>1.0.0</strong>.X.dmg file to a location in the <strong>Mac</strong> client.<br />
2 Double-click the MfeEe<strong>Mac</strong>-<strong>1.0.0</strong>.X.dmg file to begin the installation. The<br />
MfeEe<strong>Mac</strong>-<strong>1.0.0</strong>.X screen appears with the package file MfeEe<strong>Mac</strong>.pkg.<br />
3 Double-click the MfeEe<strong>Mac</strong>.pkg file. The Install <strong>McAfee</strong> <strong>Endpoint</strong> <strong>Encryption</strong> <strong>for</strong> <strong>Mac</strong> OS<br />
X screen appears <strong>and</strong> this displays the Introduction option.<br />
4 Click Continue. The Installation Type page appears.<br />
5 Click Install on the Installation Type page to initiate the installation of the EE<strong>Mac</strong> on the<br />
<strong>Mac</strong> client. The confirmation message to restart the system after the installation appears.<br />
6 Click Continue Installation to initiate the installation. On clicking Continue Installation,<br />
the Installation page appears, then the Summary page appears with Restart option. You<br />
must restart the system to complete the installation of the <strong>McAfee</strong> <strong>Endpoint</strong> <strong>Encryption</strong> <strong>for</strong><br />
<strong>Mac</strong>.<br />
Uninstalling the EE<strong>Mac</strong> client<br />
To uninstall EE<strong>Mac</strong> from the client, you need to:<br />
• disable all EE<strong>Mac</strong> product setting policies<br />
• make sure that the <strong>Endpoint</strong> <strong>Encryption</strong> System Status is Inactive<br />
• uninstall EE<strong>Mac</strong> from the client.<br />
Contents<br />
Deactivate the <strong>Endpoint</strong> <strong>Encryption</strong> Agent<br />
Remove EE<strong>Mac</strong> from the client system<br />
Remove the EE<strong>Mac</strong> extensions from <strong>McAfee</strong> ePO<br />
Remove the EE<strong>Mac</strong> packages from <strong>McAfee</strong> ePO<br />
Manually uninstall EE<strong>Mac</strong> from the client system<br />
Deactivate the <strong>Endpoint</strong> <strong>Encryption</strong> Agent<br />
Use this task to deactivate the <strong>Endpoint</strong> <strong>Encryption</strong> Agent on the client system.<br />
Be<strong>for</strong>e you begin<br />
You must have appropriate permissions to per<strong>for</strong>m this task.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Click Menu | Systems | System Tree | Systems, then select a group under System<br />
Tree. All the systems within this group (but not its subgroups) appear in the details pane.<br />
2 Select a system, then click Actions | Agent | Modify Policies on a Single System. The<br />
Policy Assignment page <strong>for</strong> that system appears.<br />
3 Select <strong>Endpoint</strong> <strong>Encryption</strong> 1.1.x from the product drop-down list. The policy categories<br />
under <strong>Endpoint</strong> <strong>Encryption</strong> are listed with the system’s assigned policy.<br />
4 Select the Product Setting policy category, then click Edit Assignments.<br />
5 If the policy is inherited, select Break inheritance <strong>and</strong> assign the policy <strong>and</strong> settings<br />
below next to Inherit from.<br />
6 Select the product setting policy from the Assigned policy drop-down list.<br />
NOTE: From this location, you can edit the selected policy, or create a new policy.<br />
7 Choose whether to lock policy inheritance to prevent any systems that inherit this policy<br />
from having another one assigned in its place.<br />
8 On the General tab, deselect Enable policy.<br />
9 Click Save in the Policy Settings page, then click Save in the Product Settings page.<br />
10 Send an agent wake-up call.<br />
NOTE: On disabling the product setting policy, all the encrypted drives get decrypted <strong>and</strong><br />
the <strong>Endpoint</strong> <strong>Encryption</strong> status becomes Inactive. This may take a few hours depending<br />
on the number <strong>and</strong> size of the encrypted drives.<br />
Remove EE<strong>Mac</strong> from the client system<br />
Use ePolicy Orchestrator to set up the client task to automatically remove EE<strong>Mac</strong> from the client<br />
computers.<br />
Be<strong>for</strong>e you begin<br />
Make sure that you deactivate the <strong>Endpoint</strong> <strong>Encryption</strong> Agent be<strong>for</strong>e removing EE<strong>Mac</strong> from the client<br />
system.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Log on to the ePolicy Orchestrator server as an administrator.<br />
2 Click Menu | Systems | System Tree <strong>and</strong> select a required group or system(s) from the<br />
System Tree pane on the left.<br />
3 On the Client Tasks tab, click Actions, then select New Task from the drop-down menu.<br />
The Client Task Builder wizard opens with the Description page.<br />
4 Type a Name <strong>and</strong> Notes <strong>for</strong> the task, select the Type as Product Deployment from<br />
the drop-down list, select whether the task should be sent to all computers or to tagged<br />
computers, then click Next. The Configuration page appears.<br />
5 Select the Target plat<strong>for</strong>m as <strong>Mac</strong>.<br />
6 From the Products <strong>and</strong> components drop-down list, select <strong>Endpoint</strong> <strong>Encryption</strong> <strong>for</strong> <strong>Mac</strong><br />
OS X <strong>1.0.0</strong>.X to specify the version of the product to remove <strong>and</strong>, if needed, additional<br />
comm<strong>and</strong>-line parameters.<br />
7 Select the Action as Remove.<br />
8 Click Next to open the Schedule page.<br />
9 Change the Schedule Type as required <strong>and</strong> click Next. The Summary page appears.<br />
10 Verify the task’s details, then click Save. The new deployment task is sent to the client<br />
computers at the next agent-server communication.<br />
11 Send an agent wake-up call.<br />
NOTE: Follow the same procedure to remove <strong>Endpoint</strong> <strong>Encryption</strong> Agent <strong>for</strong> <strong>Mac</strong> OS X<br />
<strong>1.0.0</strong>.X from the client system. We recommend that you remove <strong>Endpoint</strong> <strong>Encryption</strong> <strong>for</strong><br />
<strong>Mac</strong> OS X <strong>1.0.0</strong>.X be<strong>for</strong>e removing <strong>Endpoint</strong> <strong>Encryption</strong> Agent <strong>for</strong> <strong>Mac</strong> OS X <strong>1.0.0</strong>.X.<br />
Remove the EE<strong>Mac</strong> extensions from <strong>McAfee</strong> ePO<br />
To uninstall the EE<strong>Mac</strong> extension <strong>and</strong> the checked in packages, you just need to remove them<br />
from the <strong>McAfee</strong> ePO server.<br />
If both EE<strong>PC</strong> <strong>and</strong> EE<strong>Mac</strong> are managed by a single <strong>McAfee</strong> ePO server, you can<br />
remove the EEAdmin extension only when <strong>McAfee</strong> ePO management is not required <strong>for</strong> both<br />
products.<br />
Be<strong>for</strong>e you begin<br />
Make sure that you deactivate the <strong>Endpoint</strong> <strong>Encryption</strong> Agent be<strong>for</strong>e removing the EE<strong>Mac</strong> extension from<br />
the <strong>McAfee</strong> ePO server.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Log on to the ePolicy Orchestrator server as an administrator.<br />
2 Click Menu | Software | Extensions, then select <strong>Endpoint</strong> <strong>Encryption</strong>. The Extension<br />
page appears with the extension name <strong>and</strong> version details.<br />
3 Click Remove. The Remove extension confirmation page appears.<br />
4 Click OK to remove the extension.<br />
NOTE: Follow the same procedure to remove both the extension files EE<strong>Mac</strong>.ZIP <strong>and</strong><br />
EEADMIN.ZIP; however, the extension file EE<strong>Mac</strong>.ZIP must be removed first.<br />
Remove the EE<strong>Mac</strong> packages from <strong>McAfee</strong> ePO<br />
Use this task to remove the EE<strong>Mac</strong> package from the <strong>McAfee</strong> ePO server.<br />
Be<strong>for</strong>e you begin<br />
Make sure that you deactivate the <strong>Endpoint</strong> <strong>Encryption</strong> Agent be<strong>for</strong>e removing the EE<strong>Mac</strong> package from<br />
<strong>McAfee</strong> ePO.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Log on to the ePolicy Orchestrator server as an administrator.<br />
2 Click Menu | Software | Master Repository. The Packages in Master Repository page<br />
appears with the list of software packages <strong>and</strong> their details.<br />
3 Click Delete against the EE<strong>Mac</strong> software packages. The Delete package confirmation page<br />
appears.<br />
4 Click OK to delete the EE<strong>Mac</strong> software package from the ePO master repository.<br />
NOTE: You need to follow the same procedure to remove both the packages<br />
MfeEEAgent-<strong>1.0.0</strong>.x.ZIP <strong>and</strong> MfeEe<strong>Mac</strong>-<strong>1.0.0</strong>.x.ZIP.<br />
Manually uninstall EE<strong>Mac</strong> from the client system<br />
Use this task to manually uninstall the EE<strong>Mac</strong> from the client system.<br />
Be<strong>for</strong>e you begin<br />
Ensure to deactivate the <strong>Endpoint</strong> <strong>Encryption</strong> Agent be<strong>for</strong>e initiating the manual uninstall process.<br />
<strong>McAfee</strong> <strong>Endpoint</strong> <strong>Encryption</strong> - <strong>6.1.0</strong> (EE<strong>PC</strong>) <strong>and</strong> <strong>1.0.0</strong> (EE<strong>Mac</strong>) Product Guide
Uninstalling the EE<strong>Mac</strong> client<br />
Manually uninstall EE<strong>Mac</strong> from the client system<br />
Task<br />
1 After deactivating the <strong>Endpoint</strong> <strong>Encryption</strong> Agent, open the Terminal <strong>and</strong> run sudo<br />
/Library/<strong>McAfee</strong>/ee/Agent/uninstall comm<strong>and</strong> to uninstall the EEAgent <strong>and</strong> type the<br />
administrator password if prompted.<br />
2 Run the comm<strong>and</strong> /Library/<strong>McAfee</strong>/ee/<strong>Mac</strong>/uninstall. This removes the EE<strong>Mac</strong> software package<br />
from the client system.<br />
3 Run the comm<strong>and</strong> /Library/<strong>McAfee</strong>/ee/Agent/uninstall. This removes the EEAgent from the<br />
client system.<br />
<strong>McAfee</strong> <strong>Endpoint</strong> <strong>Encryption</strong> - <strong>6.1.0</strong> (EE<strong>PC</strong>) <strong>and</strong> <strong>1.0.0</strong> (EE<strong>Mac</strong>) Product Guide<br />
45

Managing McAfee Endpoint Encryption policies
Managing McAfee Endpoint Encryption from a single location is achieved by integrating the EE software into ePolicy Orchestrator, which is a central feature of McAfee ePO itself. This is accomplished through the combination of product policies.

Are you configuring policies for the first time?
When configuring policies for the first time:
1 Plan product policies for the segments of your System Tree.
2 Create and assign policies to groups and systems.
NOTE: This section is applicable to both EEPC and EEMac.

Contents
Policy management
Policy categories
Create a policy from Policy Catalog
Edit the EE policy settings from Policy Catalog
Assign a policy to a system group
Enforce EE policies on a system group

Policy management
A policy is a collection of settings that you create, configure, then enforce. Policies ensure that the managed client computer is configured and performs accordingly.
Policy settings are the primary interface for configuring the client computer and its components. The ePolicy Orchestrator server allows you to configure policy settings for Endpoint Encryption clients and other managed systems from a central location.

Policy categories
Policy settings for McAfee Endpoint Encryption are grouped by category. Each policy category refers to a specific subset of policy settings. In the Policy Catalog page, policies appear under Endpoint Encryption and the individual policies appear under their specific category. When you open or edit an existing policy or create a new policy under Endpoint Encryption, the product policy settings are organized across tabs such as General, Encryption, Log On, Recovery, Boot Options, Theme, and Encryption Providers. The user based policy settings are organized across tabs such as Authentication, Password, Password Content Rules, and Self-Recovery.

Table 2: Product setting policies

Settings: General

Enable Policy: Enables the set policies on the client computers.

Settings: Encryption

Encrypt: This drop-down list contains the options to select an encryption type.
• None—Does not encrypt any disk.
• All Disks—Encrypts all disks in a system.
• Boot Only—Encrypts only the boot disk.
• All Disks except Boot Disk—Encrypts all disks except the boot disk (not recommended).

Encryption Provider Priority: Lists the installed encryption providers and allows you to set the priority.

Settings: Log On (Endpoint Encryption)

Enable Automatic Booting: On selecting, the client system boots automatically without prompting for a Pre-Boot Authentication. The expiration date for the auto booting can also be set. If required, the user can select the UTC time standard option.
NOTE: If you enable this option, be aware that the McAfee Endpoint Encryption software doesn't protect the data on the drive when it is not in use.

Log on Message: Type a message that appears to the user on all Endpoint Encryption logon pages.

Do not display previous user name at log on: Hides the ID of the last logged on user in all McAfee Endpoint Encryption logon dialog boxes.

Enable on screen keyboard: This option enables the Pre-Boot On-Screen Keyboard (OSK) and the associated Wacom serial pen driver. When this option is enabled, the pen driver finds a supported pen hardware and displays the OSK.
• Always display onscreen keyboard—Forces the Pre-Boot to always display a clickable on-screen keyboard regardless of whether the pen driver finds suitable hardware or not. This option is very useful to TabletPC users.
NOTE: This option is not applicable to Mac client systems.

Add local domain users: On selecting this option, any domain users who have previously logged on to the system, are able to authenticate through the Pre-Boot, even if the administrator has not explicitly assigned the user to the client system. This option adds the previously logged in domain users to the client system. If this is enabled, the EEAgent queries the system for the domain users that have logged on to the client at any point of time. EEAgent will then send the collected data to the McAfee ePO server. The collected data is a list of user names and the domain names.
NOTE: This option is not applicable to Mac client systems.

Table 2: Product setting policies (continued)

Settings: Log On (Endpoint Encryption), continued

Enable Accessibility: This option is helpful to visually impaired users. If selected, the system gives a beep as a signal when the user moves the cursor from one field to the next.
NOTE: This option is not applicable to Mac client systems.

Settings: Log On (Windows only)
NOTE: These options are not applicable to Mac client systems.

Enable SSO: This option enables the Single Sign On.
• Must match user name—This option ensures the SSO details are only captured when the user’s Endpoint Encryption and Windows IDs match. This ensures that the SSO data captured is replayed for the user for which it was captured.
• Using smart card PIN—This option allows the administrator to specify a smart card PIN as authentication.
• Synchronize Endpoint Encryption password with Windows—If selected, the Endpoint Encryption password synchronizes with the Windows password. For example, if the client system password changes, the Endpoint Encryption password also changes accordingly.
• Allow user to cancel SSO—This option allows the user to cancel the SSO to Windows in the Pre-Boot only. When this option is enabled, the user has an additional checkbox at the bottom of the Pre-Boot logon dialog.

Require Endpoint Encryption log on: McAfee Endpoint Encryption takes control of the normal Windows logon screen and screen saver logon. You will be prompted for your EEPC credentials while logging on.
• Require logon when token is removed—The client system prompts for log on when any of the tokens is removed.

Lock workstation when inactive: The client system is locked when it is inactive for the set time.

Settings: Recovery

Enabled: The recovery option is enabled by default. If enabled, this activates the Administrator Recovery option in the client system.

Key Size: This drop-down list contains the options to select the recovery key size. The recovery Response Code size depends on this recovery key size. However, this does not affect the size of the Client Code.
• Low—This refers to a recovery key size that creates a short Response Code for the recovery.
• Medium—This refers to a recovery key size that creates a medium size Response Code for the recovery.
• High—This refers to a recovery key size that creates a lengthy Response Code for the recovery.
• Full—This refers to a recovery key size that creates a Response Code, with the maximum number of characters, for the recovery.

Settings: Recovery, continued

Message: Displays a text message when you select Recovery. This may include information such as your help desk contact details.

Settings: Boot Options
NOTE: These options are not applicable to Mac client systems.

Enable Boot Manager: This activates the built in pre-boot partition manager. This allows you to select the primary partition on the hard disk that you wish to boot. Naming of the partition is also possible with the boot manager. The time out for the booting to start can also be set.

Always enable pre-boot USB support: Forces the Endpoint Encryption Pre-Boot code to always initialize the USB stack.

Enable pre-boot PCMCIA support: If selected, the policy enables pre-boot PCMCIA support.

Graphics Mode: Allows you to select the screen resolution for a system or a system group. The default option is Automatic.

Settings: Theme

Select Theme: This drop-down list contains the options to select a theme.

Preview: Displays the preview of the selected theme. The preview is not available for shared policies from another McAfee ePO.

Settings: Encryption Providers
NOTE: These options are not applicable to Mac client systems.

User Compatible MBR: This causes EEPC to boot a built-in fixed MBR instead of the original MBR that was on the system after pre-boot logon. It is used to avoid problems with some systems that had other software that runs from the MBR and no longer work if EEPC is installed.

Fix OS Boot Record Sides: Some boot records contain the incorrect number of sides. Selecting this option fixes this on the client system. This is available only when you install the EEPC extension.

Use Windows system drive as boot disk: This is for maintaining the compatibility with some systems where the disk 0 is not the boot disk. Selecting this option forces the users to assume that the boot disk is the one that contains the Windows directory but not disk 0.

Table 3: User based policies

Settings: Authentication

Token Type: This specifies the authentication token, for example, password, smartcard, and so on. EEMac currently supports the Password token only.

Certificate Rule: McAfee Endpoint Encryption enhances the use of PKI and tokens to allow users to authenticate using their certificates. By using certificate rules, you can quickly make your Endpoint Encryption enterprise aware of all certificate-holding users, and can allow them to be allocated to PCs using Endpoint Encryption without having to create new smart cards or other forms of token for them to use.
NOTE: This option is not applicable to Mac client systems.
• Provide LDAP user certificate—This provides the latest LDAP user certificate.

Table 3: User based policies (continued)

Settings: Authentication, continued

Certificate Rule, continued:
• Enforce certificate validity period on client—By default this is enabled to enforce certificate validity period for the added certificate rule.
• Use latest certificate—This uses the latest certificate available.

Logon Hours: This defines the day and the timeline when the user can log on to the client system. The restrictions are applied using the Apply Restrictions option.

Settings: Password

Default password: The default password is 12345. If the administrator changes the default password, then the newly set password will be the new default password for this policy under the User Based Policy category.

Password change:
• Enable password history __ changes (1-100)—This keeps track of the specified number of previous passwords set by the user and does not allow the user to set the same passwords again.
• Prevent change—This option prevents the user from changing the password.
• Require change after __ days (1-366)—This specifies the number of days after which the system prompts the user to change the password.
• Warn user __ days (0-30)—This specifies the number of days before which the system prompts the user with a warning message about the number of days left for the password expiry.

Incorrect passwords:
• Timeout password entry after __ invalid attempts (3-20)—This option specifies the number of invalid password entries after which the system times out the password attempts.
• Maximum disable time __ minutes (1-64)—This specifies the maximum timeout duration for the timeout password entry.
• Invalid password after __ invalid attempts (3-100)—This specifies the number of attempts a user can make before the password becomes invalid.

Settings: Password Content Rules

Password length: This specifies the number of characters in a user password.
• Minimum (3-40)—Defines the minimum number of characters for a user password.
• Maximum (3-255)—Defines the maximum number of characters for a user password.

Enforce password content: This specifies the number of different characters like alpha, numeric, alphanumeric, and symbols that are required to form a password.
• Alpha—This specifies the number of letters that must be present in a user password.

Settings: Password Content Rules, continued

Enforce password content, continued:
• Numeric—Specifies the number of numeric characters that must be present in a user password.
• Alphanumeric—Specifies the number of alphanumeric characters that must be present in a user password.
• Symbols—Specifies the number of symbols that must be present in a user password.

Password content restrictions: This specifies the password content restrictions for the user password.
• No anagrams—A word or phrase spelled by rearranging the letters of another word or phrase cannot be a password.
• No palindromes—A word or phrase that reads the same backward as forward cannot be a password.
• No sequences—The new password cannot be in sequence with the previous password.
• Can't be user name—A user name cannot be set as a password.
• Windows content rules—This requires the password to follow the standard Windows password content rule, under which a Windows password should contain at least three of the following:
  • Lower case letters
  • Upper case letters
  • Numbers
  • Symbols and special characters
• No simple words—These are the set of words defined as simple words that cannot be used as passwords.

Settings: Self-Recovery

Enable Self Recovery: This option enables the self recovery.

Invalidate self recovery after No. of attempts: This specifies the number of attempts after which the self recovery is disabled.

Questions to be answered: Specifies the number of questions to be answered by the user to perform the self recovery. This lists the default questions for the selected language, and also provides an option to add more questions.
NOTE: If a language does not have enough questions or has an error on it, the language appears in red.

Logons before forcing user to set answers: Specifies the number of Logons before forcing the user to set answers.

Table 4: Server setting policies

Settings: General

If user is disabled in LDAP Server: This option allows you to disable, delete or ignore the user if the user has been disabled in the LDAP Server.

Table 4: Server setting policies (continued)

Settings: General, continued

Batch size for retrieving users: This option allows the administrator to send the users to the client in batches rather than sending all of them at a time. Specify the number of users that are sent in each batch. Increasing the batch size increases the amount of memory required on the server and the client, but reduces the number of data channel messages required to be sent between the client and server.

Machine key re-use: The Machine key re-use option is used to activate the system with the existing key present in the McAfee ePO server. This option is highly useful when a boot disk gets corrupted and the user cannot access the system. On a system whose boot disk is corrupted, the disks other than the boot disk can be recovered by activating the system with the same key from McAfee ePO.
NOTE: This option is not applicable to Mac client systems.

User Information Fields: Used to add user information fields. You can add user information by specifying a question and the LDAP attribute name related to the user.

Settings: Mac OS X Software or PC software

Algorithm: Specifies the algorithm AES-256-CBC for the software encryption.

Pre-boot storage size 50MB (20-200): Allows you to set the size of the pre-boot file system. Increasing the size of the PBFS will increase the number of users that can be successfully assigned to the client system. The size is specified in MB from 20 MB to 200 MB.

Settings: Non Compatible Products

Manage Non Compatible Products: Use this option to manage the list of products that are not compatible with McAfee Endpoint Encryption. You can also import a non compatible product rule that can detect and add the non compatible product to the list.

Settings: Themes

Manage Themes: Use this option to add and customize a theme that is used as a background in the Pre-Boot Authentication page.

Settings: Simple Words

Add Group: Use this option to create a group which can have a number of simple words. This will not be available for shared policy from another McAfee ePO.

Remove Group: Use this option to delete a group.

Import words to group: Use this option to browse to a text file with a number of simple words that cannot be used as passwords. You can also select an encoding type for the file.

Regenerate Missing Simple Word Package: This compiles all the simple word groups and creates the simple words package files (.xml file).

Settings: Tokens

Manage Tokens: Use this option to add and manage extra token definitions. This allows the user to deploy and manage the additional token modules any time after the initial installation as required by the user.
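
The Password Content Rules options in Table 3, written out as a checker so their effect on a candidate password can be seen. This is an added example, not McAfee's implementation: the field names are hypothetical, and the readings of "No anagrams" (a rearrangement of the previous password or the user name), "No sequences" (same text with a trailing number one higher or lower than the previous password's) and "No simple words" (exact, case-insensitive match) are assumptions where the guide's wording leaves room.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ContentRules:
    """Password Content Rules from Table 3; the field names are hypothetical."""
    minimum: int = 8                 # Minimum (3-40)
    maximum: int = 40                # Maximum (3-255)
    alpha: int = 0                   # Enforce password content: required counts
    numeric: int = 0
    alphanumeric: int = 0
    symbols: int = 0
    no_anagrams: bool = True         # Password content restrictions
    no_palindromes: bool = True
    no_sequences: bool = True
    cant_be_user_name: bool = True
    windows_content_rules: bool = True
    simple_words: frozenset = frozenset()   # lower-cased words from a word group


def _stem_and_number(text):
    """Split 'Summer-9' into ('Summer-', 9); the number is None if absent."""
    stem, digits = re.match(r"(.*?)(\d*)\Z", text, re.S).groups()
    return stem, (int(digits) if digits else None)


def _in_sequence(new, old):
    """Assumed reading of 'No sequences': same stem, trailing number moved by one."""
    new_stem, new_n = _stem_and_number(new)
    old_stem, old_n = _stem_and_number(old)
    if new_n is None or old_n is None:
        return False
    return new_stem.lower() == old_stem.lower() and abs(new_n - old_n) == 1


def _is_anagram(a, b):
    """True when a uses exactly the characters of b, ignoring case and order."""
    return sorted(a.lower()) == sorted(b.lower())


def check_password(password, user_name, previous_password, rules):
    """Return the Table 3 rule names that the candidate password violates."""
    failed = []
    lowered = password.lower()

    if len(password) < rules.minimum:
        failed.append("Minimum")
    if len(password) > rules.maximum:
        failed.append("Maximum")

    counts = {
        "Alpha": sum(c.isalpha() for c in password),
        "Numeric": sum(c.isdigit() for c in password),
        "Alphanumeric": sum(c.isalnum() for c in password),
        "Symbols": sum(not c.isalnum() for c in password),
    }
    required = {"Alpha": rules.alpha, "Numeric": rules.numeric,
                "Alphanumeric": rules.alphanumeric, "Symbols": rules.symbols}
    failed += [name for name, need in required.items() if counts[name] < need]

    if rules.no_anagrams and any(_is_anagram(password, other)
                                 for other in (previous_password, user_name)):
        failed.append("No anagrams")
    if rules.no_palindromes and lowered == lowered[::-1]:
        failed.append("No palindromes")
    if rules.no_sequences and _in_sequence(password, previous_password):
        failed.append("No sequences")
    if rules.cant_be_user_name and lowered == user_name.lower():
        failed.append("Can't be user name")
    if rules.windows_content_rules:
        # At least three of: lower case, upper case, numbers, symbols.
        classes = [any(c.islower() for c in password),
                   any(c.isupper() for c in password),
                   any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password)]
        if sum(classes) < 3:
            failed.append("Windows content rules")
    if lowered in rules.simple_words:
        failed.append("No simple words")
    return failed


if __name__ == "__main__":
    # Constructed sample policy and candidates, for illustration only.
    policy = ContentRules(minimum=8, numeric=1, symbols=1,
                          simple_words=frozenset({"p@ssw0rd"}))
    for candidate, previous in [("Tr1cky-Horse", "Winter-2010x"),
                                ("Summer-10", "Summer-9"),
                                ("Ab1!!1bA", "Winter-2010x"),
                                ("P@ssw0rd", "")]:
        print(candidate, check_password(candidate, "jsmith", previous, policy))
```

A candidate such as Summer-10 following Summer-9 passes the length, count and Windows content checks and is rejected only by the sequence rule, which is the case that rule exists to catch.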

Create a policy from Policy Catalog
Create a new policy from the Policy Catalog. By default, policies created here are not assigned to any groups or systems. When you create a policy here, you are adding a custom policy to the Policy Catalog.
You can create policies before or after the McAfee Endpoint Encryption software is deployed.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog. The Policy Catalog page opens.
2 Click Actions | New Policy. The Create New Policy dialog box appears.
3 Select the policy Category from the drop-down list.
4 Select the policy you want to duplicate from the Create a policy based on this existing policy drop-down list.
5 Type a name for the new policy.
6 Type a description into the Notes field, if required, then click OK. The Policy Settings wizard opens.
7 Edit the policy settings on each tab as needed and click Save.

Edit the EE policy settings from Policy Catalog
Use ePolicy Orchestrator to modify the settings of a policy.
Before you begin
Your user account must have appropriate permissions to edit policy settings for the desired product.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog, then from the Product drop-down list, select Endpoint Encryption 1.1.0.
2 Select the policy Category from the drop-down list. All created policies for the selected category appear in the details pane.
3 Locate the policy, then click Edit Settings next to it.
4 Edit the settings as needed, then click Save.

Assign a policy to a system group
Assign a policy to multiple managed systems within a group. You can assign policies before or after deploying McAfee Endpoint Encryption.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Systems, then select a group in the System Tree. All the systems within this group (but not its subgroups) appear in the details pane.
2 Select a system, then click Actions | Agent | Set Policy & Inheritance. The Assign Policies page appears.
3 From the product drop-down list, select Endpoint Encryption 1.1.0.
4 Select the Category and Policy from the drop-down list, then click Save.

Enforce EE policies on a system group
Enable or disable policy enforcement for a product on a System Tree group. Policy enforcement is enabled by default, and is inherited in the System Tree.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Assigned Policies, then select a group in the System Tree.
2 Select Endpoint Encryption from the Product drop-down list, then click Enforcing next to Enforcement Status. The Enforcement page appears.
3 To change the enforcement status, you must first select Break inheritance and assign the policy and settings below.
4 Next to Enforcement status, select Enforcing or Not enforcing accordingly.
5 Select whether to lock policy inheritance to prevent breaking enforcement for groups and systems that inherit this policy, then click Save.
Managing <strong>McAfee</strong> <strong>Endpoint</strong> <strong>Encryption</strong> users<br />
The ePolicy Orchestrator server allows administrators to assign users from Windows Active<br />
Directory to <strong>McAfee</strong> <strong>Endpoint</strong> <strong>Encryption</strong> managed systems. The user's authentication credentials,<br />
token type, <strong>and</strong> the user in<strong>for</strong>mation fields are managed from the <strong>McAfee</strong> ePO server. <strong>McAfee</strong><br />
<strong>Endpoint</strong> <strong>Encryption</strong> gives the administrator the freedom of adding <strong>and</strong> removing the users to<br />
<strong>and</strong> from systems or system groups at any time. Assigning users retrieves the properties from<br />
Windows Active Directory.<br />
NOTE: This in<strong>for</strong>mation is applicable to both Windows-based systems <strong>and</strong> <strong>Mac</strong>-based systems<br />
running <strong>McAfee</strong> <strong>Endpoint</strong> <strong>Encryption</strong>.<br />
Contents<br />
View the list of users assigned to a system<br />
Remove users from a system<br />
Edit user inheritance<br />
How EE<strong>PC</strong> controls the Windows logon mechanism<br />
Enable Single Sign On (SSO) on a system<br />
Synchronize the EE<strong>PC</strong> password with the Windows password<br />
Modify the token type associated with a system or a system group<br />
Configure password content rules<br />
Manage a disabled user in Windows Active Directory<br />
Configure the global user in<strong>for</strong>mation<br />
Manage the logon hours<br />
Define EE permission sets <strong>for</strong> <strong>McAfee</strong> ePO users<br />
View the list of users assigned to a system
Use ePolicy Orchestrator to view the list of Endpoint Encryption users assigned to the client system.
Before you begin
You must have appropriate permissions to perform this task.
Task
For option definitions, click ? in the interface.
1 Click Menu | Data Protection | Encryption Users. The My Organization page opens.
2 From the System Tree pane, select a system from a particular group.
3 Click Actions | Endpoint Encryption | View Users. The Encryption Users page appears with a list of users for the selected system.
NOTE: This does not display the user groups that are assigned at the branch level.
Remove users from a system
Using McAfee Endpoint Encryption, you can remove users from a client system. Ensure you have assigned the user at system level or branch level. If a user is assigned at branch level, the user would be sent to the client even after removing the system.
Before you begin
You must have appropriate permissions to perform this task.
Task
For option definitions, click ? in the interface.
1 Click Menu | Data Protection | Encryption Users. The My Organization page opens.
2 Select a system from a particular group from the System Tree pane on the left.
3 Click Actions | Endpoint Encryption | View Users. The Encryption Users page for the selected system opens with the list of users.
4 Select the User name from the list.
5 Click Actions | Endpoint Encryption | Delete Users. The Confirmation page appears. Click Yes or No to delete or retain the selected user.
Edit user inheritance
Add users to a group or delete selected users from a group. You can also group users at different organizational levels and edit the inheritance as required. This lets you assign multiple users to systems without having to work on the individual systems.
Before you begin
You must have appropriate permissions to perform this task.
Task
For option definitions, click ? in the interface.
1 Click Menu | Data Protection | Encryption Users. The My Organization page opens.
2 Select the Organizational Unit from the System Tree and click the Group Users tab.
3 Click Edit in Inheritance broken. The Edit Group Inheritance page appears.
4 Select Break inheritance, then click OK.
The user Inheritance broken status:
• True—Specifies that the inheritance is broken. When you have a group of systems, you can break the inheritance in McAfee ePO, and then add the selected users to the group users from that level down. It means that all of the selected users are assigned to those systems from that node and any children.
• False—Specifies that the inheritance is not broken, which means that the selected users are assigned to all the systems present in the selected group.
How EEPC controls the Windows logon mechanism
EEPC intercepts the Windows Logon mechanism using a Passthrough Shim Gina on Windows 2003 and XP, and a Credential Provider on Vista. On Windows 2000 and XP operating systems, a custom .ini file (EPEPCGINA.INI) is used to help EEPC analyze the logon page and port the credentials into the correct boxes on the logon page. In Windows Vista, Microsoft has replaced the original MSGINA (Graphical Identification and Authentication) with a new method called Microsoft Credential Provider.
EEPC supports the Single Sign On architecture and implements a Credential Provider to communicate with Windows. EEPC displays each token as a potential logon method. When you log on to EEPC, you are prompted for your Windows credentials the first time only, and EEPC stores the Windows credentials securely. On subsequent logon events, EEPC retrieves the stored Windows credentials to log on.
Enable Single Sign On (SSO) on a system
Enable SSO on a system to allow the user to log on to the system with a single authentication process. It allows automatic logon to the system once the user authenticates through the Pre-Boot Authentication page.
NOTE: The SSO feature is applicable for Windows-based systems only.
Before you begin
You must have appropriate permissions to perform this task.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree, then select a group under System Tree pane on the left.
2 Select the target System, then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 From the Product drop-down list, select Endpoint Encryption 1.1.0. The policy Categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the Product Settings policy category, then click Edit Assignments. The Product Settings page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 From the Assigned Policy drop-down list, select the desired policy, then click Edit Policy. The policy settings page appears.
NOTE: From this location, you can edit the selected policy, or create a new policy.
7 From the Log On tab, select Enable SSO under Windows pane.
8 If required, select the options Must match user name, Synchronize Endpoint Encryption password with Windows, and Using smart card PIN.
a Must match user name—This option ensures the SSO details are only captured when the user’s Endpoint Encryption and Windows IDs match.
b Using smart card PIN—This option allows the administrator to specify a smart card PIN as authentication.
c Synchronize Endpoint Encryption password with Windows—This matches the EEPC password to the Windows password, so that the user needs to authenticate only on the Pre-Boot Authentication page.
9 Click Save in Policy Settings page, then click Save in Product Settings page.
10 Send an agent wake-up call.
Synchronize the EEPC password with the Windows password
Use this task to synchronize the EEPC password with the Windows password. This matches the EEPC password to the Windows password, so that the user needs to authenticate on the Pre-Boot Authentication page only.
NOTE: This feature is applicable to Windows-based systems only.
Before you begin
You must have appropriate permissions to perform this task.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree. The systems page appears. Select the desired group under System Tree pane on the left.
2 Select the desired System, then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 Select Endpoint Encryption 1.1.0 from the Product drop-down list. The policy Categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the Product Settings policy category, then click Edit Assignments. The Product Settings page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 From the Assigned policy drop-down list, select the required policy, then click Edit Policy. The policy settings page appears.
NOTE: From this location, you can edit the selected policy, or create a new policy.
7 From the Log On tab, click Enable SSO, then select Synchronize Endpoint Encryption password with Windows under Windows pane.
8 Click Save in the Policy Settings page, then click Save in the Product Settings page.
NOTE: Ensure that the Windows password adheres to the EEPC password restriction policy. Otherwise, the password synchronization doesn't run.
9 Send an agent wake-up call.
Modify the token type associated with a system or a system group
McAfee Endpoint Encryption supports different logon tokens, for example, Passwords, Starcos SmartCards, and Actividentity PKI SmartCard. The token type associated with a system or a system group can be modified using this task. You can create a new user-based policy with the required token type and deploy it to the required system or system group, or edit an existing policy and deploy it to a target system or system group.
NOTE: EEMac currently supports the Password token only.
Before you begin
You must have appropriate permissions to perform this task.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree. The systems page appears. Select a group under System Tree pane on the left.
2 Select a System, then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 Select Endpoint Encryption 1.1.0 from the Product drop-down list. The policy Categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the User Based Policy category, then click Edit Assignments. The User Based Policies page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 From the Assigned policy drop-down list, select the policy, then click Edit Policy. The Policy Settings page appears.
NOTE: From this location, you can edit the selected policy, or create a new policy.
7 From the Authentication tab, select the required Token Type from the Token Type drop-down list.
NOTE: McAfee Endpoint Encryption uses the information present in a public certificate store of a PKI to look up users and encrypt their unique Endpoint Encryption key with the public key available in their certificate. This certificate needs to be configured while selecting the Actividentity PKI SmartCard token.
8 Click Save in the Policy Settings page, then click Save in the User Based Policies settings page.
9 Send an agent wake-up call.
Configure password content rules
Use this task to configure the password content rules.
Before you begin
You must have appropriate permissions to perform this task.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree. The Systems page appears. Select the group under System Tree.
2 Select the System(s), then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 From the Product drop-down list, select Endpoint Encryption 1.1.0. The policy Categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the User Based Policy category, then click Edit Assignments. The User Based Policies page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 Select the policy from the Assigned policy drop-down list, then click Edit Policy. The Policy Settings page appears.
NOTE: From this location, you can edit the selected policy, or create a new policy.
7 From the Password Content Rules tab, type the Password Length in the Minimum and Maximum field.
8 In Enforce password content, type the number of Alpha, Numeric, Alphanumeric, and Symbols characters required to form a password.
9 Select or deselect the options to define the password content restriction rules from Password content restrictions.
10 Click Save in the Policy Settings page, then click Save in the User Based Policies settings page.
11 Send an agent wake-up call.
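The content rules configured in this task also decide whether the Windows password synchronization described earlier runs, so it is worth checking a rule set and a few candidate passwords before deploying the policy. The following Python is an added example, not McAfee code: the character classification, the reading of each count as a minimum, and the values in RULES are assumptions, because the guide does not define them.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ContentRules:
    """Fields mirror the Password Content Rules tab; values are set by the caller."""
    min_length: int
    max_length: int
    alpha: int         # letters required
    numeric: int       # digits required
    alphanumeric: int  # letters or digits required
    symbols: int       # any other character required


# Constructed sample policy, not taken from the guide.
RULES = ContentRules(min_length=8, max_length=20,
                     alpha=2, numeric=1, alphanumeric=4, symbols=1)

CLASSES = ("alpha", "numeric", "alphanumeric", "symbols")


def classify(password):
    """Count characters per class (assumed classification, not the product's)."""
    alpha = sum(ch.isalpha() for ch in password)
    numeric = sum(ch.isdigit() for ch in password)
    return {
        "alpha": alpha,
        "numeric": numeric,
        "alphanumeric": alpha + numeric,
        "symbols": len(password) - alpha - numeric,
    }


def violations(password, rules):
    """Return every rule the password breaks; an empty list means it conforms."""
    found = []
    if len(password) < rules.min_length:
        found.append(f"length below minimum {rules.min_length}")
    if len(password) > rules.max_length:
        found.append(f"length above maximum {rules.max_length}")
    counts = classify(password)
    for name in CLASSES:
        required = getattr(rules, name)
        if counts[name] < required:
            found.append(f"{name}: has {counts[name]}, needs {required}")
    return found


def sync_would_run(windows_password, rules):
    """Per the guide's NOTE: a non-conforming Windows password is not synchronized."""
    return not violations(windows_password, rules)


def shortest_conforming_length(rules):
    """Fewest characters any conforming password can have.

    Letters and digits both count toward 'alphanumeric', so that class only
    adds characters when it asks for more than alpha + numeric combined.
    """
    needed = max(rules.alpha + rules.numeric, rules.alphanumeric) + rules.symbols
    return max(rules.min_length, needed)


def satisfiable(rules):
    """False when no password can meet the rules (counts exceed maximum length)."""
    return shortest_conforming_length(rules) <= rules.max_length


if __name__ == "__main__":
    for candidate in ("Winter2011", "Winter-2011", "a1!"):  # constructed passwords
        print(candidate, sync_would_run(candidate, RULES), violations(candidate, RULES))
    print("rules satisfiable:", satisfiable(RULES))
```

A rule set for which satisfiable() returns False asks for more characters than the maximum length allows, so no Windows password could ever conform to it.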
Manage a disabled user in Windows Active Directory
Use this task to disable, delete or ignore a user who has been disabled in the LDAP/AD server.
Before you begin
Make sure that the server task EE LDAP server user or group synchronization is enabled.
Task
For option definitions, click ? in the interface.
1 Click Menu | Configuration | Server Settings. The Server Settings page appears.
2 Click Endpoint Encryption in Setting Categories pane, then click Edit. The Edit Endpoint Encryption page opens with General tab.
3 Select Disable, Ignore or Delete from the If user disable in directory drop-down list if the user has been disabled in the Active Directory.
NOTE: Options in the drop-down list are applicable only to users disabled in the Active Directory.
4 Click Save.
Configure the global user information
Use this task to configure the user information fields.
Before you begin
Make sure that the server task EE LDAP server user or group synchronization is enabled.
Task
For option definitions, click ? in the interface.
1 Click Menu | Configuration | Server Settings. The Server Settings page appears.
2 Click Endpoint Encryption in Setting Categories pane, then click Edit. The Edit Endpoint Encryption page opens with General tab.
3 Click Add next to the User Information Fields.
4 Type the Question relating to the user, then select the required user attribute name from the Ldap Attribute Name list.
NOTE: The above Ldap refers to Windows Active Directory.
5 Click + or - in the interface to add or remove user information fields.
6 Click Save.
NOTE: User information fields can be set by selecting the individual user in the EE User Query. To display the users, click Menu | Reporting | Queries | Shared Groups | Endpoint Encryption, then click Run in EE: Users.
Manage the logon hours
Control and limit the hours during which a user can log on to the McAfee Endpoint Encryption client system. This option does not force users to log out of the current session, even when the current time falls within a restricted logon period. However, once the user logs out of the system, the user cannot log on again until the next allowed logon hour.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree, then select a group under System Tree.
2 Select a System(s), then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 Select Endpoint Encryption 1.1.0 from the Product drop-down list. The policy Categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the User Based Policy category, then click Edit Assignments. The User Based Policies page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 Select the desired policy from the Assigned policy drop-down list, then click Edit Policy. The Policy Settings page appears.
NOTE: From this location, you can edit the selected policy, or create a new policy.
7 From the Authentication tab, select Apply restrictions in Logon Hours, then schedule the logon timing by blocking or allowing different logon hours.
8 Click Save in the policy settings page, then click Save in the User Based Policies settings page.
9 Send an agent wake-up call.
Define EE permission sets for McAfee ePO users
In McAfee ePO, administrator rights management determines what actions ePolicy Orchestrator users can perform while administering the McAfee Endpoint Encryption software. The administrator can set up Endpoint Encryption product-specific permission sets for the different users and systems on McAfee ePO.
Before you begin
You must have appropriate permissions to perform this task.
Task
For option definitions, click ? in the interface.
1 Click Menu | User Management | Permission Sets. The Permission Sets page opens.
2 Click New Permission Set. The New Permission Set page opens.
3 Type a permission set name in the Name field.
4 Select the Active Directory groups mapped to this permission set. To add a new Active Directory group, click Add, browse to the group and click OK.
5 Select the Server name, then click Save. The Permission Set page appears.
6 Click Edit next to Endpoint Encryption present under the newly created permission set. The Edit Permission Set page opens.
7 Select the required permission setting, then click Save.
NOTE: You can assign this new permission set to an existing or a new McAfee ePO user using Menu | User Management | Users.
Managing client computers
System management helps administrators import system information from the Active Directory server into McAfee ePO. This is useful in the process of installing EE and assigning the users to the systems.
NOTE: This section is applicable to both EEPC and EEMac.
Contents
Add a system to an existing system group
Move systems between groups
Select the disks for encryption
Enable or disable the automatic booting
Set the priority of encryption providers
Maintain a list of non-compatible products
Manage the default and customized themes
Manage simple words
Add a system to an existing system group
Use ePolicy Orchestrator to import systems from your Network Neighborhood to groups for working with EEPC. You can also import a network domain or Active Directory container.
NOTE: While managing the client systems for EEMac, the client system is automatically added to the System Tree in McAfee ePO on successful installation of the McAfee Agent for Mac on the Mac client system, so you do not have to add the Mac client manually.
Before you begin
You must have appropriate permissions to perform this task.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree, then in the System Tree Actions menu click New Systems. The New Systems page appears.
2 Select the required option from How to add systems.
3 In the Systems to add field, type the NetBIOS name for each system in the text box, separated by commas, spaces, or line breaks. Alternatively, click Browse to select the systems.
4 If you select Push agents and add systems to the current group, you can enable automatic System Tree sorting. Do this to apply the sorting criteria to these systems.
Type the following options (each option is followed by its action):
• Agent version: Select the agent version to deploy
• Installation path: Configure the agent installation path or accept the default
• Credentials for agent installation: Type valid credentials to install the agent:
  • Domain: Type the domain of the system
  • User name: Type the login user name
  • Password: Type the login password
• Number of attempts: Type an integer for the specified number of attempts, or use zero for continuous attempts
• Retry interval: Type the interval in number of seconds between two attempts
• Abort After: Type the number of minutes before stopping the connection
• Connect using: Select either one specific Agent Handler or all Agent Handlers
5 Click OK.
For more details and procedures on how to perform this task, see the ePolicy Orchestrator product documentation for versions 4.5 and 4.6.
Move systems between groups
Move systems from one group to another in the System Tree. You can move systems from any page that displays a table of systems, including the results of a query.
NOTE: In addition to the steps below, you can also drag-and-drop systems from the Systems table to any group in the System Tree.
Even if you have a perfectly organized System Tree that mirrors your network hierarchy, and uses automated tasks and tools to regularly synchronize your System Tree, you may need to move systems manually between groups. For example, you may need to periodically move systems from the Lost&Found group.
Before you begin
You must have appropriate permissions to perform this task.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Systems and then browse to and select the systems.
2 Click Actions | Directory Management | Move Systems. The Select New Group page appears.
3 Select whether to enable, disable, or leave unchanged the System Tree sorting on the selected systems when they are moved.
4 Select the group to place the systems, then click OK.
Select the disks for encryption
Use ePolicy Orchestrator to select which disks, according to your requirements, need to be encrypted.
Before you begin
You must have appropriate permissions to perform this task.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree, then select a group under System Tree.
2 Select a System(s), then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 From the Product drop-down list, select Endpoint Encryption 1.1.0. The policy Categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the Product Settings policy category, then click Edit Assignments. The Product Settings page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 Select the policy from the Assigned policy drop-down list, then click Edit Policy. The Policy Settings page appears.
NOTE: From this location, you can edit the selected policy, or create a new policy.
7 From the Encryption tab, select the disk(s) to be encrypted from the Encrypt drop-down list.
NOTE: To initiate the encryption on the client, the user must select any one of the options other than None. The default option None does not initiate the encryption.
8 On the Policy Settings page, click Save, then click Save in the Product Settings page.
9 Send an agent wake-up call.
Enable or disable the automatic booting
Use ePolicy Orchestrator to enable or disable the automatic booting on the client computer. The Endpoint Encryption Pre-Boot logon environment allows the user to select a login method and to provide authentication credentials such as user ID and password. If the user provides the correct authentication details, the McAfee Endpoint Encryption boot code starts the crypt driver in memory and boots the original operating system of the protected system.
Enabling the automatic booting will remove the Pre-Boot Authentication from the client system.
NOTE: If you enable this option, be aware that the McAfee Endpoint Encryption software doesn't protect the data on the drive when it is not in use.
Before you begin
You must have appropriate permissions to perform this task.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree, then select a group under System Tree.
2 Select a System(s), then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.
3 From the Product drop-down list, select Endpoint Encryption 1.1.0. The policy Categories under Endpoint Encryption appear with the system's assigned policy.
4 Select the Product Settings policy category, then click Edit Assignments. The Product Settings page appears.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6 Select the policy from the Assigned policy drop-down list, then click Edit Policy. The Policy Settings page appears.
NOTE: From this location, you can edit the selected policy, or create a new policy.
7 From the Log On tab, select or deselect Enable Automatic Booting under Endpoint Encryption pane to disable or enable the Pre-Boot environment. The security warning message "This will remove the pre-boot authentication. Are you sure?" appears.
8 Click Yes or No to enable or disable the automatic booting.
9 Set the expiration date and time for the automatic booting if required.
10 Click Save in the policy settings page, then click Save in the Product Settings page.
11 Send an agent wake-up call.
Set the priority of encryption providers<br />
Use this task to set the priority of encryption providers.<br />
Before you begin<br />
You must have appropriate permissions to perform this task.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Click Menu | Systems | System Tree, then select a group under System Tree.<br />
2 Select a System(s), then click Actions | Agent | Modify Policies on a Single System.<br />
The Policy Assignment page for that system appears.<br />
3 From the Product drop-down list, select Endpoint Encryption 1.1.0. The policy Categories<br />
under Endpoint Encryption appear with the system's assigned policy.<br />
4 Select the Product Settings policy category, then click Edit Assignments. The Product<br />
Settings page appears.<br />
5 If the policy is inherited, select Break inheritance and assign the policy and settings<br />
below next to Inherit from.<br />
6 Select the desired policy from the Assigned policy drop-down list, then click Edit Policy.<br />
The Policy Settings page appears.<br />
NOTE: From this location, you can edit the selected policy, or create a new policy.<br />
7 From the Encryption tab, select the Encryption Provider from the Encryption Provider<br />
Priority list. If there is more than one encryption provider, set the priority by moving<br />
the encryption providers with the Move Up and Move Down options.<br />
8 Click Save in the Policy Settings page, then click Save in the Product Settings page.<br />
9 Send an agent wake-up call.<br />
Maintain a list of non-compatible products<br />
Use ePolicy Orchestrator to create and maintain a list of non-compatible products.<br />
Before you begin<br />
Make sure that the server task EE LDAP server user/group synchronization is enabled.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Click Menu | Configuration | Server Settings. The Server Settings page appears.<br />
2 Click Endpoint Encryption in Setting Categories pane, then click Manage Non<br />
Compatible Products option present at the right. The Endpoint Encryption Non Compatible<br />
Products page appears with a list of products that are not compatible with McAfee Endpoint<br />
Encryption.<br />
3 To import a non compatible product, click Actions | Import Non Compatible Product<br />
Rule. The Import Non Compatible Product Rule page appears.<br />
4 Browse and select the .xml file that defines the rule to detect the non-compatible product,<br />
then click OK. This detects the corresponding product that is not compatible with Endpoint<br />
Encryption and adds it to the non-compatible product list.<br />
Manage the default and customized themes<br />
Add and manage a theme that will be used as a background in the Pre-Boot Authentication<br />
page. The Endpoint Encryption Themes package is added automatically to the master repository<br />
(Menu | Software | Master Repository) after installing the EEAdmin.ZIP extension in<br />
ePolicy Orchestrator. The default theme is downloaded to the client when the EEAgent and<br />
EEPC software package deployment task is sent to the client computers.<br />
Before you begin<br />
You must have appropriate permissions to perform this task.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Click Menu | Configuration | Server Settings. The Server Settings page appears.<br />
2 Click Endpoint Encryption in Setting Categories pane, then click Manage Themes option<br />
present at the right. The Endpoint Encryption Theme page opens.<br />
3 Click Actions | Add. The Install new theme page appears.<br />
4 Type a theme name in the Name field, then select Create a new theme based on an<br />
existing theme option.<br />
5 Select a theme from the Based on drop-down list.<br />
6 Browse to the Background Image, then click OK. This creates the new theme package<br />
in the C:\Program Files\McAfee\ePolicyOrchestrator\DB\Software\Current\EETHEME\DAT\0000<br />
folder.<br />
NOTE: You can also browse and install a theme package using Select Theme package<br />
to install option.<br />
7 Download the custom themes on the client using one of the following:<br />
• Update Now option under Menu | Systems | System Tree | Actions | Agent in<br />
ePolicy Orchestrator<br />
• Product Update task<br />
• Update Security from the client<br />
NOTE: All themes have a unique ID for identification. When you run the update task, the<br />
theme IDs are verified against the existing theme IDs on the client, then the new theme<br />
is downloaded to the client.<br />
The downloaded theme packages are stored in the following folder in the client system:<br />
• EEPC - C:\Program files\McAfee\Endpoint Encryption Agent\Repository\Themes<br />
• EEMac - /Library/McAfee/ee/Agent/Repository/Themes<br />
8 Change the theme in the Product Setting Policy and send an agent wake-up call to<br />
apply the customized theme.<br />
Assign a customized theme to a system<br />
Use ePolicy Orchestrator to assign a theme to a system.<br />
Before you begin<br />
You must have appropriate permissions to perform this task.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Click Menu | Systems | System Tree. The Systems page appears. Select the group<br />
under System Tree.<br />
2 Select the System(s), then click Actions | Agent | Modify Policies on a Single System.<br />
The Policy Assignment page for that system appears.<br />
3 From the Product drop-down list, select Endpoint Encryption 1.1.0. The policy Categories<br />
under Endpoint Encryption appear with the system's assigned policy.<br />
4 Select the Product Settings policy category, then click Edit Assignments. The Product<br />
Settings page appears.<br />
5 If the policy is inherited, select Break inheritance and assign the policy and settings<br />
below next to Inherit from.<br />
6 Select the policy from the Assigned policy drop-down list, then click Edit Policy. The Policy<br />
Settings page appears.<br />
NOTE: From this location, you can edit the selected policy, or create a new policy.<br />
7 From the Theme tab, select the desired customized theme from the Select theme<br />
drop-down list.<br />
8 Click Save in the policy settings page, then click Save in the Product Settings page.<br />
9 Send an agent wake-up call.<br />
Manage simple words<br />
Use ePolicy Orchestrator to add and manage simple words that cannot be used as passwords.<br />
The Endpoint Encryption Simple Words are added automatically to the master repository (Menu<br />
| Software | Master Repository) after installing the EEAdmin.ZIP extension in ePolicy<br />
Orchestrator.<br />
Before you begin<br />
You must have appropriate permissions to perform this task.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Click Menu | Configuration | Server Settings. The Server Settings page appears.<br />
2 Click Endpoint Encryption in Setting Categories pane, then click Manage Simple Words<br />
option present at the right. The Manage Simple Words page opens.<br />
3 Click Group Actions | Add Group. The Add Group window appears.<br />
4 Type the name of the group and click OK to create the Simple Word group.<br />
5 Click Actions | Add and type the simple words that cannot be used as passwords.<br />
6 Click Group Actions | Regenerate Missing Simple Word Package and click Yes in<br />
the confirmation message window to create the simple words package. This creates the<br />
simple words package (.xml file) for the simple words group in the<br />
C:\Program Files\McAfee\ePolicyOrchestrator\DB\Software\Current\EESWORD\DAT\0000<br />
folder.<br />
7 Download the simple word package on the client using one of these methods:<br />
• Update Now option under Menu | Systems | System Tree | Actions | Agent in<br />
ePolicy Orchestrator<br />
• Product Update task<br />
• Update Security from the client<br />
NOTE: All simple word packages (.xml file) have a unique ID for identification. When you<br />
run the update task, the package IDs are verified against the existing package IDs on the<br />
client, then the new package file is downloaded to the client.<br />
The downloaded simple word packages are stored in the following folder in the client<br />
system:<br />
• EEPC - C:\Program files\McAfee\Endpoint Encryption Agent\Repository\SimpleWords<br />
• EEMac - /Library/McAfee/ee/Agent/Repository/SimpleWords<br />
8 Enable the No simple words option under User Based policies | Password Content<br />
Rules and send an agent wake-up call to apply the policy to the client.<br />
Managing EE reports<br />
McAfee Endpoint Encryption queries are configurable objects that retrieve and display data from<br />
the database. These queries can be displayed in charts and tables. Any query results can be<br />
exported to a variety of formats, any of which can be downloaded or sent as an attachment to<br />
an email message. Most queries can be used as dashboard monitors.<br />
NOTE: This section is relevant to both EEPC and EEMac.<br />
Contents<br />
Queries as dashboard monitors<br />
Create EE custom queries<br />
View the standard EE reports<br />
Create the EE dashboard<br />
View the EE dashboard<br />
Report the encrypted and decrypted systems<br />
Queries as dashboard monitors<br />
Most queries can be used as a dashboard monitor (except those using a table to display the<br />
initial results). Dashboard monitors are refreshed automatically on a user-configured interval<br />
(five minutes by default).<br />
Exported results<br />
McAfee Endpoint Encryption query results can be exported to four different formats. Exported<br />
results are historical data and are not refreshed like other monitors when used as dashboard<br />
monitors. Like query results and query-based monitors displayed in the console, you can drill<br />
down into the HTML exports for more detailed information.<br />
Reports are available in several formats:<br />
• CSV — Use the data in a spreadsheet application (for example, Microsoft Excel).<br />
• XML — Transform the data for other purposes.<br />
• HTML — View the exported results as a web page.<br />
• PDF — Print the results.<br />
Create EE custom queries<br />
Use this option to create Endpoint Encryption custom queries with the Query Builder wizard.<br />
Before you begin<br />
You must have appropriate permissions to perform this task.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Click Menu | Reporting | Queries, then click Actions | New Query. The Query Builder<br />
wizard opens.<br />
2 On the Result Type page, select Others from the Feature Group pane and Endpoint<br />
Encryption Result Type for the query, then click Next. The Chart page appears.<br />
NOTE: This choice determines the options available on subsequent pages of the wizard.<br />
3 Select the type of chart or table to display the primary results of the query, then click Next.<br />
The Columns page appears.<br />
NOTE: If you select Boolean Pie Chart, you must configure the criteria to include in the<br />
query.<br />
4 Select the columns to be included in the query, then click Next. The Filter page appears.<br />
NOTE: If you selected Table on the Chart page, the columns you select here are the<br />
columns of that table. Otherwise, these are the columns that make up the query details<br />
table.<br />
5 Select properties to narrow the search results, then click Run. The Unsaved Query page<br />
displays the results of the query, which is actionable, so you can take any available actions<br />
on items in any tables or drill-down tables.<br />
NOTE: Selected properties appear in the content pane with operators that can specify<br />
criteria used to narrow the data that is returned for that property.<br />
• If the query didn’t appear to return the expected results, click Edit Query to go back<br />
to the Query Builder and edit the details of this query.<br />
• If you don’t need to save the query, click Close.<br />
• If this is a query you want to use again, click Save and continue to the next step.<br />
6 The Save Query page appears. Type a name for the query, add any notes, and select one<br />
of the following:<br />
• New Group—Type the new group name and select either:<br />
• Private group (My Groups)<br />
• Public group (Shared Groups)<br />
• Existing Group—Select the group from the list of Shared Groups.<br />
7 Click Save.<br />
View the standard EE reports<br />
Use this option to run and view the standard Endpoint Encryption report from the Queries<br />
page.<br />
Before you begin<br />
You must have appropriate permissions to perform this task.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Click Menu | Reporting | Queries. The Queries page opens.<br />
2 Select Endpoint Encryption from Shared Groups in the Groups pane. The standard EE query<br />
list appears.<br />
Query | Description<br />
EE: Disk Status | Displays the status of the disk.<br />
EE: Disk Status (Rollup) | Displays the EE: Disk Status compiled from various ePolicy Orchestrators.<br />
EE: Encryption Provider | Displays which encryption provider is active on each system.<br />
EE: Volume Status | Displays the EE: Volume Status.<br />
EE: Volume Status (Rollup) | Displays the EE: Volume Status compiled from various ePolicy Orchestrators.<br />
EE: Installed version | Displays the version of the endpoint encryption installed in systems.<br />
EE: Installed Version Rollup | Displays the EE: Installed version details compiled from various ePolicy Orchestrators.<br />
EE: Users | Lists all endpoint encryption users. From here, the user can use the following options to manage the users in the selected system:<br />
• Clear SSO details—Clears the SSO details of the selected user (only for Windows)<br />
• Force User To Change Password—Prompts the user to change the password in the EE authentication.<br />
• Reset Token—Resets the token for the selected user<br />
• User Information—Maintains the user information with a list of questions and answers<br />
EE: Product client events | Displays Endpoint Encryption client events.<br />
EE: Migration log (Windows only) | Displays the log details and the results of the v5.x.x user import.<br />
EE: Migration lookup (Windows only) | Displays the details about the assignments of the user group, machines, and users.<br />
EE: V5 Audit (Windows only) | Displays the imported audit logs from v5.x.x. Be aware that the audit log will be displayed only if you selected the audit option during the export process.<br />
3 Select a query from the Queries list.<br />
4 Click Actions | Run. The query results appear. Drill down into the report and take actions<br />
on items as necessary. Available actions depend on the permissions of the user.<br />
NOTE: The user has an option to edit the query and to view the details of the query.<br />
5 Click Close when finished.<br />
While implementing and enforcing the Endpoint Encryption policies that control how sensitive<br />
data is encrypted, the administrators can monitor real-time client events and generate<br />
reports using the EE: Product client events query.<br />
Event ID | Event | Event Description<br />
30000 | Logon Event | This event is reported in McAfee ePO whenever a Pre-Boot or an Endpoint Encryption logon happens.<br />
30001 | Password Changed Event | This event is reported in McAfee ePO whenever the user changes the EE password.<br />
30002 | Password Invalidated Event | This event is reported in McAfee ePO whenever the EE password is invalidated after a fixed number of unsuccessful login attempts.<br />
30003 | Token Initialization Event | This event is reported in McAfee ePO when the user changes the default password during the first pre-boot logon.<br />
30004 | System Boot Event | This event is reported in McAfee ePO whenever the system restarts after making EE active.<br />
30005 | Administrator Recovery Event | This event is reported in McAfee ePO for every successful Administrator Recovery.<br />
30006 | Self Recovery Event | This event is reported in McAfee ePO for every successful Self Recovery.<br />
30007 | Self Recovery Invalidated Event | This event is reported in McAfee ePO whenever the Self Recovery is invalidated after a fixed number of unsuccessful login attempts.<br />
30008 | Crypt Start Event | This event is reported in McAfee ePO when the encryption starts on the client system.<br />
30009 | Crypt Paused Event | This event is reported in McAfee ePO when the encryption pauses on the client system.<br />
30010 | Crypt Complete Event | This event is reported in McAfee ePO when the encryption finishes on the client system.<br />
30011 | Crypt Volume Start Event | This event is reported in McAfee ePO when the specified volume encryption/decryption starts.<br />
30012 | Crypt Volume Complete Event | This event is reported in McAfee ePO when the specified volume encryption/decryption is completed.<br />
30013 | Policy Change Start Event | This event is reported in McAfee ePO when a policy change is initiated.<br />
30014 | Policy Change Complete Event | This event is reported in McAfee ePO when the policy change is completed.<br />
30015 | Activation Start Event | This event is reported in McAfee ePO when the EE activation starts on the client system.<br />
30016 | Activation Complete Event | This event is reported in McAfee ePO when the EE activation is completed on the client system.<br />
30017 | General Exception Event | This event is reported in McAfee ePO whenever an exception occurs on the client system.<br />
30018 | Emergency Recovery Start | This event is reported in McAfee ePO whenever the Emergency Recovery is initiated.<br />
30019 | Emergency Recovery Complete | This event is reported in McAfee ePO whenever the Emergency Recovery is completed.<br />
30020 | Upgrade Start | This event is reported in McAfee ePO whenever the Upgrade process is initiated.<br />
30021 | Upgrade Complete | This event is reported in McAfee ePO whenever the Upgrade process is complete.<br />
30022 | User Update Error | This event is reported in McAfee ePO whenever a user update error occurs.<br />
30026 | Encryption Key Not Available | This event is reported in McAfee ePO whenever the encryption key is not available.<br />
30027 | Installation Aborted: 32-bit EFI unsupported | This event is reported in McAfee ePO when the installation is stopped on a Mac with 32-bit EFI.<br />
30028 | Installation Aborted: Mac platform unsupported | This event is reported in McAfee ePO when the installation is disrupted on an unsupported Mac platform.<br />
30029 | Installation Aborted: Mac OS X version unsupported | This event is reported in McAfee ePO when the installation is stopped on an unsupported Mac OS X version.<br />
2411 | Deployment Successful | This event is reported in McAfee ePO for every successful EEPC or EEMac deployment.<br />
Create the EE dashboard<br />
Use this option to create the Endpoint Encryption dashboard.<br />
Before you begin<br />
You must have appropriate permission to perform this task.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Click Menu | Reporting | Dashboards, then click Options | Manage Dashboards.<br />
The Manage Dashboards page appears.<br />
2 Click New Dashboard.<br />
3 Type a name and select a size for the dashboard.<br />
4 For each monitor, click New Monitor, select the monitor from the shared groups Endpoint<br />
Encryption to display in the dashboard, then click OK.<br />
5 Click Save, then select whether to make this dashboard active. Active dashboards appear<br />
on the tab bar of Dashboards.<br />
6 Optionally, you can make this dashboard public from the Manage Dashboards page by<br />
clicking Make Public.<br />
NOTE: All new dashboards are saved to the private My Dashboards category.<br />
View the EE dashboard<br />
Use this option to make the Endpoint Encryption dashboard part of your active set.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Click Menu | Reporting | Dashboards, then click Options | Select Active Dashboards.<br />
The Select Active Dashboards page appears.<br />
2 Select Endpoint Encryption from the Available Dashboards list, then click OK.<br />
Report the encrypted and decrypted systems<br />
Determine the encryption status of any managed client system. The disk status of a system,<br />
Encrypted or Decrypted, denotes that client system's encryption and decryption status.<br />
Before you begin<br />
You must have appropriate permission to perform this task.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Click Menu | Reporting | Queries. The Queries page opens.<br />
2 Click Shared Groups | Endpoint Encryption from the Groups pane.<br />
NOTE: Edit the query to display the system details in table format. This would give you a<br />
simplified view of the system and the encryption status. Make sure to include the State<br />
(Disk) column in the table.<br />
3 Click Run in the EE: Disk Status from the Queries list. The EE: Disk Status page appears<br />
with the list of client systems and their details configured in the query. The State (Disk)<br />
column indicates the system status as Encrypted or Decrypted.<br />
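An added example for the reports in this chapter (not part of the McAfee guide or the product): a Python script that reads CSV exports of the EE: Product client events and EE: Disk Status queries, pairs each recovery event with a credential invalidation on the same system shortly before it, and lists systems whose State (Disk) is not Encrypted. The event IDs and the State (Disk) column come from the guide; the other column names, the timestamp format, the 24-hour window and the sample rows are assumptions constructed for the example.<br />

```python
import csv
import io
from datetime import datetime, timedelta

# Event IDs and names from the guide's event table (only those used here).
EE_EVENTS = {
    30002: "Password Invalidated Event",
    30005: "Administrator Recovery Event",
    30006: "Self Recovery Event",
    30007: "Self Recovery Invalidated Event",
    30018: "Emergency Recovery Start",
}
LOCKOUT_IDS = {30002, 30007}          # credential invalidated after failed attempts
RECOVERY_IDS = {30005, 30006, 30018}  # a recovery path was used

# Constructed sample exports. Column names other than "State (Disk)" are
# assumptions; match them to the columns selected in your own queries.
EVENTS_CSV = """System Name,User Name,Event ID,Event Time
LT-0412,asmith,30000,2011-06-01T08:02:11
LT-0412,asmith,30002,2011-06-03T22:41:50
LT-0412,asmith,30005,2011-06-03T23:05:09
LT-0977,bjones,30002,2011-06-02T09:15:00
LT-1203,ckhan,30007,2011-06-04T07:00:00
LT-1203,ckhan,30005,2011-06-06T10:30:00
LT-1500,dlee,30000,not-a-time
"""

DISK_CSV = """System Name,State (Disk)
LT-0412,Encrypted
LT-0977,Decrypted
LT-1203,Encrypted
LT-1500,
"""


def parse_events(csv_text):
    """Return (events sorted by time, rows that could not be parsed)."""
    events, skipped = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            events.append({
                "system": row["System Name"],
                "user": row["User Name"],
                "id": int(row["Event ID"]),
                "time": datetime.fromisoformat(row["Event Time"]),
            })
        except (KeyError, TypeError, ValueError):
            skipped.append(row)  # keep malformed rows visible instead of dropping them
    events.sort(key=lambda e: e["time"])
    return events, skipped


def recovery_after_lockout(events, window=timedelta(hours=24)):
    """Pair each recovery event with the latest invalidation on the same
    system that happened no more than `window` before it."""
    last_lockout = {}  # system name -> most recent invalidation event
    findings = []
    for ev in events:  # events are already in time order
        if ev["id"] in LOCKOUT_IDS:
            last_lockout[ev["system"]] = ev
        elif ev["id"] in RECOVERY_IDS:
            lock = last_lockout.pop(ev["system"], None)
            if lock is not None and ev["time"] - lock["time"] <= window:
                elapsed = ev["time"] - lock["time"]
                findings.append({
                    "system": ev["system"],
                    "user": ev["user"],
                    "lockout": EE_EVENTS[lock["id"]],
                    "recovery": EE_EVENTS[ev["id"]],
                    "minutes": int(elapsed.total_seconds() // 60),
                })
    return findings


def unencrypted_systems(disk_csv_text):
    """Systems whose State (Disk) is anything other than Encrypted,
    including a blank value, so missing data is reported rather than trusted."""
    return [
        row["System Name"]
        for row in csv.DictReader(io.StringIO(disk_csv_text))
        if (row.get("State (Disk)") or "").strip().lower() != "encrypted"
    ]


if __name__ == "__main__":
    events, skipped = parse_events(EVENTS_CSV)
    for f in recovery_after_lockout(events):
        print(f"{f['system']} ({f['user']}): {f['lockout']} then "
              f"{f['recovery']} after {f['minutes']} min")
    print("Rows skipped:", len(skipped))
    print("Not encrypted:", unencrypted_systems(DISK_CSV))
```

A recovery that closely follows an invalidation is worth checking against the help-desk record of who requested it.<br />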
Recovering users and systems<br />
Resetting a remote user’s password or replacing the user's logon token if it has been lost requires<br />
a challenge and response procedure.<br />
NOTE: This section is applicable to both EEPC and EEMac.<br />
Contents<br />
Enable or disable the self recovery functionality<br />
Perform the self recovery on the client computer<br />
Enable or disable the administrator recovery functionality<br />
Perform the administrator (system and user) recovery on the client computer<br />
Generate the response code for the administrator (system and user) recovery<br />
Enable or disable the self recovery functionality<br />
The Self Recovery option allows the user to reset a forgotten password by answering a set of<br />
security questions. A list of security questions is set by the administrator using McAfee ePO. If<br />
the answers from the user match what has been stored with their self recovery information,<br />
they can proceed through the recovery process.<br />
Use McAfee ePO to enable or disable the self recovery functionality in the client computer.<br />
Before you begin<br />
You must have appropriate permissions to perform this task.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Click Menu | Systems | System Tree, then select a group under System Tree.<br />
2 Select a System(s), then click Actions | Agent | Modify Policies on a Single System.<br />
The Policy Assignment page for that system appears.<br />
3 From the Product drop-down list, select Endpoint Encryption 1.1.0. The policy Categories<br />
under Endpoint Encryption appear with the system's assigned policy.<br />
4 Locate a User Based Policies policy category, then click Edit Assignments. The User<br />
Based Policies page appears.<br />
5 If the policy is inherited, select Break inheritance and assign the policy and settings<br />
below next to Inherit from.<br />
6 Select a policy from the Assigned policy drop-down list, then click Edit Policy. The Policy<br />
Settings page appears.<br />
NOTE: From this location, you can edit the selected policy, or create a new policy.<br />
<strong>McAfee</strong> <strong>Endpoint</strong> <strong>Encryption</strong> - <strong>6.1.0</strong> (EE<strong>PC</strong>) <strong>and</strong> <strong>1.0.0</strong> (EE<strong>Mac</strong>) Product Guide<br />
77
7 On the Self-Recovery tab, select or deselect Enable Self-Recovery to enable or disable<br />
the self recovery functionality for the specified user or user group.<br />
8 Select Invalidate Self-Recovery after No.of attempts and type the number of attempts.<br />
9 Type the number of Questions to be answered to perform the self recovery. The client<br />
user will be prompted with these questions while trying to recover the user account at the<br />
client system.<br />
10 Type the number of Logons before forcing user to set answers to determine how<br />
many times a user can log on without setting their Self Recovery questions and answers.<br />
11 Click + to create a new question, then select the question Language and also type the<br />
Min Answer Length the user must type while configuring the answer to this question.<br />
NOTE: Answers to these questions are typed by the user on the client system during the<br />
recovery process. The user is prompted for recovery enrollment during every logon. The user<br />
is allowed to cancel the enrollment until the user exceeds the specified number of logon<br />
attempts. After the defined number of logon attempts is exceeded, the Cancel button is<br />
disabled and the user is forced to enroll for self recovery.<br />
12 Click Save in the Policy Settings page, then click Save in the Product Settings page.<br />
13 Send an agent wake-up call.<br />
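The settings in steps 7 to 11 interact, so the following added example (not McAfee code and not part of the product guide) models them in Python: the cancellable and forced enrollment prompts, the minimum answer length, the number of questions to answer, and invalidation after repeated failures. Class and method names are hypothetical; storing answers as salted PBKDF2 hashes and leaving an invalidated enrollment locked are assumptions, because the guide describes neither.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

@dataclass
class SelfRecoveryPolicy:            # mirrors the Self-Recovery tab settings
    enabled: bool = True             # "Enable Self-Recovery"
    max_attempts: int = 3            # "Invalidate Self-Recovery after No.of attempts"
    questions_to_answer: int = 2     # "Questions to be answered"
    logons_before_forcing: int = 2   # "Logons before forcing user to set answers"
    min_answer_length: int = 4       # "Min Answer Length" (one value for all questions here)

def _digest(answer: str, salt: bytes) -> bytes:
    # Assumption: answers are normalised and kept only as salted PBKDF2 hashes.
    return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, 100_000)

@dataclass
class UserRecoveryState:
    policy: SelfRecoveryPolicy
    logons_without_enrollment: int = 0
    failed_attempts: int = 0
    invalidated: bool = False
    answers: dict = field(default_factory=dict)   # question -> (salt, digest)

    def logon_prompt(self) -> str:
        """Enrollment prompt shown at this logon: none, cancellable or forced."""
        if not self.policy.enabled or self.answers:
            return "none"
        self.logons_without_enrollment += 1
        if self.logons_without_enrollment > self.policy.logons_before_forcing:
            return "forced"          # Cancel button disabled
        return "cancellable"

    def enroll(self, qa: dict) -> None:
        """Validate every answer first, then store salted hashes."""
        if len(qa) < self.policy.questions_to_answer:
            raise ValueError("not enough questions answered")
        for question, answer in qa.items():
            if len(answer.strip()) < self.policy.min_answer_length:
                raise ValueError(f"answer too short for: {question}")
        self.answers = {}
        for question, answer in qa.items():
            salt = os.urandom(16)
            self.answers[question] = (salt, _digest(answer, salt))

    def recover(self, supplied: dict) -> bool:
        """True when the user may go on to the Change Password step."""
        if not self.policy.enabled or self.invalidated or not self.answers:
            return False
        ok = len(supplied) >= self.policy.questions_to_answer
        for question, answer in supplied.items():
            salt, stored = self.answers.get(question, (b"\0" * 16, b""))
            ok &= hmac.compare_digest(_digest(answer, salt), stored)
        if ok:
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.policy.max_attempts:
            self.invalidated = True  # assumption: stays locked until an administrator acts
        return False
```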
Perform the self recovery on the client computer<br />
Use this option to recover the user on the client computer, if the user's password or the logon<br />
token has been lost.<br />
Before you begin<br />
Ensure that you have successfully enrolled for self recovery on the client system. This task<br />
should be performed by the client user on the client computer.<br />
Task<br />
1 Click Options | Recovery. The Recovery dialog box appears.<br />
2 Select the Recovery Type as Self Recovery.<br />
3 Type the User name and click OK. The Recovery dialog box appears with the questions<br />
that the user answered while enrolling for the self recovery.<br />
4 Type the answers for the prompted questions and click Finish. The Change Password<br />
dialog box appears.<br />
5 Type and confirm the New Password and click OK.<br />
Enable or disable the administrator recovery functionality<br />
The client system prompts for authentication at the Pre-Boot logon page to access the system.<br />
When a user forgets the password or is disabled in the Active Directory or loses his token, the<br />
user cannot log on to the system. Resetting the user’s password, unlocking the disabled user,<br />
replacing their logon token if it has been lost, and performing machine recovery require a<br />
challenge and response procedure to be followed. The users should start their system and click<br />
the Recovery button from the Endpoint Encryption Pre-Boot logon page. This option needs to<br />
be enabled in the McAfee ePO server before performing this task at the client systems.<br />
Use ePolicy Orchestrator to enable or disable the administrator (system and user) recovery<br />
functionality in the client computer.<br />
Before you begin<br />
You must have appropriate permissions to perform this task.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Click Menu | Systems | System Tree, then select a group under System Tree.<br />
2 Select a System(s), then click Actions | Agent | Modify Policies on a Single System.<br />
The Policy Assignment page for that system appears.<br />
3 From the Product drop-down list, select Endpoint Encryption 1.1.0. The policy Categories<br />
under Endpoint Encryption appear with the system's assigned policy.<br />
4 Select the Product Settings policy category, then click Edit Assignments. The Product<br />
Settings page appears.<br />
5 If the policy is inherited, select Break inheritance and assign the policy and settings<br />
below next to Inherit from.<br />
6 From the Assigned policy drop-down list, select a product setting policy, then click Edit<br />
Policy. The Policy Product Settings page appears.<br />
NOTE: From this location, you can edit the selected policy, or create a new policy.<br />
7 On the Recovery tab, select or deselect Enabled to enable or disable the system recovery<br />
functionality.<br />
8 Select the required Recovery Key size from the Key size drop-down list, then type the<br />
Message to appear on the recovery page.<br />
9 Click Save in the Policy Recovery page, then click Save in the Product Settings page.<br />
10 Send an agent wake-up call.<br />
Perform the administrator (system and user) recovery on the client computer<br />
Use this task on the client computer, if the user's password or the logon token has been lost,<br />
to recover the user or the system.<br />
Before you begin<br />
Make sure that the client user performs this task in the client system.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Restart the client system.<br />
2 Click Options | Recovery.<br />
3 Select the Recovery Type as Administrator Recovery and click OK. The Recovery<br />
dialog box appears with the Challenge Code.<br />
NOTE: The client user should read the Challenge Code and get the Response Code<br />
from the administrator who manages McAfee ePO.<br />
4 Enter the Response Code in the Line field, then click Enter.<br />
NOTE: Each line of the code is checked when it is entered.<br />
5 Click Finish.<br />
NOTE: The generated Response Code depends on the recovery key size set in the policy and<br />
on the selected recovery type (machine recovery or user recovery).<br />
Generate the response code for the administrator (system and user) recovery<br />
Use this task to generate the response code for the administrator (system and user) recovery.<br />
Before you begin<br />
Make sure that the McAfee ePO administrator performs this task in McAfee ePO.<br />
Task<br />
For option definitions, click ? in the interface.<br />
1 Click Menu | Data Protection | Encryption Recovery. The Endpoint Encryption Recovery<br />
wizard opens with the text field for Challenge Code.<br />
NOTE: Ask the client user to read the challenge code that appears in the recovery process<br />
page to the administrator.<br />
2 Type the Challenge Code and click Next. The Recovery Type page opens.<br />
3 Select the required recovery type from the Recovery Type list, then click Next. The<br />
Response Code page opens with the response code(s).<br />
NOTE: The generated Response Code depends on the recovery key size set in the policy and<br />
on the selected recovery type (machine recovery or user recovery).<br />
4 Read out the response code to the user.<br />