Endpoint Encryption for PC 6.1.0 and Mac 1.0.0 ... - Errors - McAfee

McAfee Endpoint Encryption - 6.1.0 (EEPC) and 

1.0.0 (EEMac) 

Product Guide

COPYRIGHT 

Copyright © 2011 McAfee, Inc. All Rights Reserved. 

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form 

or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies. 

TRADEMARK ATTRIBUTIONS 

AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE 

EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, 

WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in 

connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property 

of their respective owners. 

LICENSE INFORMATION 

License Agreement 

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, 

WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH 

TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS 

THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, 

A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU 

DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN 

THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. 

2 

McAfee Endpoint Encryption - 6.1.0 (EEPC) and 1.0.0 (EEMac) Product Guide

Contents 

Introducing McAfee Endpoint Encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 

Comprehensive McAfee Endpoint Encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 

What is McAfee Endpoint Encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 

How McAfee Endpoint Encryption works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 

McAfee Endpoint Encryption product components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 

McAfee Endpoint Encryption features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 

Audience. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 

Finding product documentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 

Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 

Installing the EEPC client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 

Summary of the client installation process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 

Install the EEPC extensions using ePolicy Orchestrator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 

Install the Help extension. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 

Check in the EEPC software packages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 

Register Windows Active Directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 

Configure automation task for LDAP synchronization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 

Deploy EEPC to the client system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 

Send an agent wake-up call. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 

Add users to a system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 

Assign policy to users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 

Configure UBP enforcement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 

Assign a policy to a system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 

Enforce EE policies on a system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 

Edit the client tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 

Upgrading from EEPC 6.0.x to EEPC 6.1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 

Supported versions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 

Overview of the upgrade process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 

Configure UBP enforcement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 

User experience summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 

Uninstalling the EEPC client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 

Deactivate the EEPC client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 

McAfee Endpoint Encryption - 6.1.0 (EEPC) and 1.0.0 (EEMac) Product Guide 

3

4 

Contents 

Remove EEPC from the client system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 

Remove the EEPC extensions from ePolicy Orchestrator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 

Remove the EEPC software packages from ePolicy Orchestrator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 

Manually uninstall EEPC from the client system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 

Installing the EEMac client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 

Summary of the client installation process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 

Deploy McAfee Agent to Mac OS X client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 

Install the EEMac extensions using McAfee ePO. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 

Check in the EEMac software packages (EEAgent and EEMac) to ePolicy Orchestrator. . . . . . . . . . . . . . . . . 33 

Register Windows Active Directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 

Configure automation tasks for LDAP synchronization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 

Deploy EEMac to the client system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 

Send an agent wake-up call. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 

Add users to a system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 

Assign a policy to a system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 

Enforce EE policies on a system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 

Edit the client tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 

Deploying the standalone versions of EEMac to the client systems. . . . . . . . . . . . . . . . . 40 

Deploy the standalone version of EEAgent on Mac client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 

Deploy the standalone version of EEMac on Mac client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 

Uninstalling the EEMac client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 

Deactivate the Endpoint Encryption Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 

Remove EEMac from the client system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 

Remove the EEMac extensions from McAfee ePO. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 

Remove the EEMac packages from McAfee ePO. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 

Manually uninstall EEMac from the client system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 

Managing McAfee Endpoint Encryption policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 

Policy management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 

Policy categories. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 

Create a policy from Policy Catalog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 

Edit the EE policy settings from Policy Catalog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 

Assign a policy to a system group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 

Enforce EE policies on a system group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 

Managing McAfee Endpoint Encryption users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 

View the list of users assigned to a system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 

Remove users from a system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 


Contents 

Edit user inheritance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 

How EEPC controls the Windows logon mechanism. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 

Enable Single Sign On (SSO) on a system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 

Synchronize the EEPC password with the Windows password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 

Modify the token type associated with a system or a system group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 

Configure password content rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 

Manage a disabled user in Windows Active Directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 

Configure the global user information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 

Manage the logon hours. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 

Define EE permission sets for McAfee ePO users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 

Managing client computers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 

Add a system to an existing system group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 

Move systems between groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 

Select the disks for encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 

Enable or disable the automatic booting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 

Set the priority of encryption providers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 

Maintain a list of non-compatible products. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 

Manage the default and customized themes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 

Assign a customized theme to a system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 

Manage simple words. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 

Managing EE reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 

Queries as dashboard monitors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 

Create EE custom queries. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 

View the standard EE reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 

Create the EE dashboard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 

View the EE dashboard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 

Report the encrypted and decrypted systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 

Recovering users and systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 

Enable or disable the self recovery functionality. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 

Perform the self recovery on the client computer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 

Enable or disable the administrator recovery functionality. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 

Perform the administrator (system and user) recovery on the client computer. . . . . . . . . . . . . . . . . . . . . . . . 79 

Generate the response code for the administrator (system and user) recovery. . . . . . . . . . . . . . . . . . . . . . . . 80 


5

Introducing McAfee Endpoint Encryption 

With data breaches on the rise, it is important to protect information assets and comply with 

privacy regulations. McAfee Endpoint Encryption delivers powerful encryption that protects data 

from unauthorized access, loss, and exposure. 

Contents 

Comprehensive McAfee Endpoint Encryption 

What is McAfee Endpoint Encryption 

How McAfee Endpoint Encryption works 

McAfee Endpoint Encryption product components 

McAfee Endpoint Encryption features 

Audience 

Conventions 

Finding product documentation 

Requirements 

Comprehensive McAfee Endpoint Encryption 

The McAfee Endpoint Encryption (EE) suite provides multiple layers of defense against data 

loss with several integrated modules that address specific areas of risk. The suite provides 

protection for individual PCs, roaming laptops, and MacBooks with 64-bit EFI. This guide discusses 

these McAfee Endpoint Encryption Solutions: 

• McAfee Endpoint Encryption for PC 

• McAfee Endpoint Encryption for Mac 

NOTE: This guide indicates Endpoint Encryption (EE) as the term to describe EEPC and EEMac. 

The content that refers to the term Endpoint Encryption (EE) is applicable to both EEPC and 

EEMac. Procedures and other details that are different for EEPC and EEMac setup are described 

in separate sections indicating its individual product name, for example EEPC or EEMac. 

What is McAfee Endpoint Encryption 

6 

To ensure data protection in today’s dynamic IT environment, we need to protect what matters 

most – the data. McAfee Endpoint Encryption (EE) is a strong cryptographic facility for denying 

unauthorized access to data stored on any system or disk when it is not in use. It prevents the 

loss of sensitive data, especially from lost or stolen equipment. It protects the data with strong 

access control using Pre-Boot Authentication and a powerful encryption engine. 




To log on to a system, the user must first authenticate through the Pre-Boot environment. On 

a successful authentication, the client system's operating system (Microsoft Windows or Mac 

OS X) loads and gives access to normal system operation. McAfee Endpoint Encryption is 

completely transparent to the user and has little impact on performance of the computer. 

McAfee Endpoint Encryption is the encryption software installed on client systems. It is deployed 

and managed through ePolicy Orchestrator using policies. A policy is a set of rules that determine 

how the EEPC software functions on the user’s computer. 


McAfee Endpoint Encryption protects the data on a system by taking control of the hard disk 

from the operating system. The Endpoint Encryption driver encrypts all data written to the disk; 

it also decrypts the data read off the disk. 

The client software is installed on the client system. After the installation, the system synchronizes 

with ePolicy Orchestrator (McAfee ePO) and acquires the user data, token data, and Pre-Boot 

graphics. When this is complete, the user authenticates and logs on through the Pre-Boot 

environment, which loads the operating system, and uses the system as normal. 


Use the McAfee Endpoint Encryption software to protect your systems from potential data loss. 

We recommend that you define the policies and needs of your system and configure the product 

accordingly. 

Each McAfee Endpoint Encryption component or feature plays a part in protecting your systems. 

McAfee ePO Administration 

The ePolicy Orchestrator server provides a scalable platform for centralized policy management 

and enforcement of your security products and systems on which they reside. The ePolicy 

Orchestrator Administration console allows the administrator to manage the McAfee Endpoint 

Encryption policies in the client computer. It also allows you to deploy and manage the McAfee 

Endpoint Encryption products such as EEPC, EEMac and so on. It provides comprehensive 

reporting and product deployment capabilities; all through a single point of control. 

NOTE: This guide does not provide detailed information about installing or using ePolicy 

Orchestrator software. See the ePolicy Orchestrator product documentation for versions 4.5 

and 4.6. 

Policies 

McAfee Endpoint Encryption is managed through ePolicy Orchestrator using a combination of 

user and product-based policies. The ePolicy Orchestrator console allows the administrator to 

enforce policies across groups of computers or on a single computer. Any new policy enforcement 

through McAfee ePO overrides the existing policy that is already set on the individual systems. 

For information regarding policies and how they are enforced, see the ePolicy Orchestrator 

product documentation for versions 4.5 and 4.6. 


7

8 



EEPC/EEMac 

The EEPC/EEMac extension installed in ePolicy Orchestrator defines the encryption algorithm, 

product settings, and server settings for the client system. The EEPC/EEMac software package 

checked in to ePolicy Orchestrator defines the actual Endpoint Encryption software that is 

installed on the client system. 

EE Admin 

The EE Administration system (EE Admin) defines the generic endpoint encryption settings for 

product-based policies, user-based policies, and server settings for the users. This is common 

for both EEPC and EEMac. 

LDAP Server 

McAfee Endpoint Encryption acquires users through the Windows Active Directory (AD). You 

must have a registered LDAP server (AD) to use Policy Assignment Rules, to enable dynamically 

assigned permission sets, and to enable manual and automatic user account creation. 

Client system components 

The client system, for ePolicy Orchestrator to communicate, should be configured with the 

components such as: 

• For EEPC 

• McAfee Agent for Windows 

• Windows operating system 

• For EEMac 

• McAfee Agent for Mac 

• Mac OS X platform 

The ePolicy Orchestrator server deploys the EE Agent, and the EE product to the client system. 

The user needs to install the McAfee Agent on a Mac client system using install.sh file that 

needs to be picked up from the Windows-based system where the McAfee ePO server is installed. 

However, on Windows-based systems, ePolicy Orchestrator itself deploys the McAfee Agent to 

the client system. 

For more details and procedures, See the ePolicy Orchestrator product documentation for 

versions 4.5 and 4.6. 

McAfee Endpoint Encryption product components are depicted in Figure 1. 


Figure 1: Product components 


Audience 



• McAfee Endpoint Encryption leverages the McAfee ePolicy Orchestrator infrastructure for 

automated security reporting, monitoring, deployment, and policy administration. 

• EEPC/EEMac integrates itself fully into ePolicy Orchestrator management software so that 

the management can now be performed from this console. 

• Enables transparent encryption without hindering users or system performance. 

• Enforces strong access control with Pre-Boot Authentication. 

McAfee Endpoint Encryption documentation is carefully researched and written for the target 

audience. 

The information in this guide is intended primarily for: 

• Administrators — People who implement and enforce the company's security program. 

• Users — People who are responsible for configuring the product options on their systems, 

or for updating their systems. 

Conventions 

This guide uses the following typographical conventions. 


9

Book title or Emphasis 

Bold 

User input or Path 

Code 

User interface 

Hypertext blue 

Note 

Tip 

Important/Caution 

Warning 

Title of a book, chapter, or topic; introduction of a new 

term; emphasis. 

Text that is strongly emphasized. 

Commands and other text that the user types; the path 

of a folder or program. 

A code sample. 


Words in the user interface including options, menus, 

buttons, and dialog boxes. 

A live link to a topic or to a website. 

Additional information, like an alternate method of 

accessing an option. 

Suggestions and recommendations. 

Valuable advice to protect your computer system, software 

installation, network, business, or data. 

Critical advice to prevent bodily harm when using a 

hardware product. 

McAfee provides the information you need during each phase of product implementation, from 

installing to using and troubleshooting. After a product is released, information about the product 

is entered into the McAfee online KnowledgeBase. 

1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com. 

2 Under Self Service, access the type of information you need: 

To access... 

Requirements 

10 



Do this... 

User documentation 1 Click Product Documentation. 

2 Select a Product, then select a Version. 

3 Select a product document. 

KnowledgeBase • Click Search the KnowledgeBase for answers to your product questions. 

System requirements 

Systems 

McAfee ePO server systems 

• Click Browse the KnowledgeBase for articles listed by product and 

version. 

Requirements 

See the ePolicy Orchestrator product documentation for versions 4.5 

and 4.6 

Client systems for EEPC • CPU: Pentium III 1 GHz or higher 

• RAM: 512 MB minimum (1 GB recommended) 

• Hard Disk: 200 MB minimum free disk space 

Client systems for EEMac • CPU: EEMac works on all Intel-based Mac CPU with 64-bit EFI 



Requirements 

Systems 

Software requirements 

Software 

Requirements 

• RAM: 1 GB minimum 

• Hard Disk: 200 MB minimum free disk space 

Requirements 

McAfee management software • EEPC 6.1—See the McAfee Endpoint Encryption for PC 6.1 Release 

Notes 

McAfee Endpoint Encryption for PC 

software (for Windows) 

McAfee Endpoint Encryption for Mac 

software (for Mac OS X) 

Microsoft “Windows Installer 3.0 

Redistributable” package (for McAfee 

ePO) 

Microsoft “.NET Framework 2.0 

Redistributable” package (for McAfee 

ePO) 

Microsoft MSXML 6 (for ePO) 

Operating system requirements 

Systems 

McAfee ePO server systems 

• EEMac 1.0—See the McAfee Endpoint Encryption for Mac 1.0 

Release Notes 

• Extensions 

• EEADMIN.ZIP 

• EEPC.ZIP 

• help_ee_100.ZIP 

• EEPC software package 

• MfeEEPC.ZIP 

• EE Agent 

• MfeEEAgent.ZIP 

• Extensions 

• EEADMIN.ZIP 

• EEMAC.ZIP 

• help_ee_100.ZIP 

• EEMac software package 

• MfeEeMac-1.0.0.x.ZIP 

• EEMac Agent 

• MfeEEAgent-1.0.0.x.ZIP 







Software 



Client systems for EEPC • Windows Server 2003 SP1 or later (32-bit only) 

• Windows Server 2008 (32- and 64-bit) 

• Windows XP Professional SP3 (32-bit only) 

• Windows Vista SP1 or later (32- and 64-bit) 


• Windows 7 and SP1 (32- and 64-bit), (Not XP Mode) 

11

12 


Requirements 

Systems 

Software 

Client systems for EEMac • Leopard: 10.5.8 

Hardware support for Mac 

Systems 

MacBooks with 64-bit EFI 

• Snow Leopard: 10.6.0 and later (32- and 64-bit) 

Types 

MacBook, MacBook Pro, and MacBook Air 


Installing the EEPC client 

The Endpoint Encryption for PC extensions and the software packages are checked in to the 

McAfee ePO server for the management functionality. This is necessary before deploying the 

software and configuring the policies. 

CAUTION: Before you begin, make sure that you remove any competitor's encryption products 

from your system. Also, do not install any other encryption products after installing EEPC. 

This release supports migrating your EEPC 5.x.x installed systems and upgrading EEPC 6.0.x 

installed systems to EEPC 6.1. For more details and procedures on migrating your EEPC 5.x.x 

installed systems to EEPC 6.1, see the McAfee Endpoint Encryption for PC 6.1 Migration Guide. 

• In this guide, EEPC 5.x.x refers to EEPC 5.1.7 and later versions 

• EEPC 6.0.x refers to EEPC 6.0, 6.0 Patch 1 and Patch 2 versions 

Contents 

Summary of the client installation process 

Install the EEPC extensions using ePolicy Orchestrator 

Install the Help extension 

Check in the EEPC software packages 

Register Windows Active Directory 

Configure automation task for LDAP synchronization 

Deploy EEPC to the client system 

Add users to a system 

Assign policy to users 

Assign a policy to a system 

Enforce EE policies on a system 

Edit the client tasks 


The EEPC client software is deployed from the McAfee ePO server and installed through McAfee 

Agent. The installation of EEPC creates the Pre-Boot File System (PBFS) in the client system at 

the activation time. 

Restart the client system to complete the installation of the EEPC software. After restarting, it 

communicates with the ePolicy Orchestrator server and pulls down the assigned Endpoint 

Encryption policies and encrypts the system as per the defined polices. The assigned user can 

be initialized through the Pre-Boot screen after the subsequent restart. The summary of the 

client installation process is depicted in Figure 2. 


13

14 



Figure 2: Process overview of installation 

The overall EEPC installation and deployment process can be simplified into the following steps. 

NOTE: This assumes that the user has already successfully installed McAfee ePO and has the 

McAfee Agent installed on various systems which successfully communicate with McAfee ePO. 

1 Install the EEAdmin and EEPC extensions into ePolicy Orchestrator. 

2 Check in the EEPC software packages (MfeEEPC.ZIP and MfeEEAgent.ZIP) to ePolicy 

Orchestrator. 

3 Configure the registered server (Windows Active Directory). 

4 Configure and run the automation task for LDAP Synchronization. 

5 Deploy the Endpoint Encryption Agent to the client. 

6 Deploy the EEPC software package to the client. 

7 Restart the client system. You should now be able to see the Quick Settings | Endpoint 

Encryption Status option in McAfee Agent System Tray on the client system. 

8 Add users to a system or a group of systems. 

9 Create a product settings policy or edit the default policy, then assign it to a system or a 

group of systems. 

10 Create a user-based policy or edit the default policy, then assign it to a user or a group of 

users on a system. 

NOTE: The Endpoint Encryption System Status changes from Inactive to Active only after 

adding the user and enforcing the policies correctly. 



Install the EEPC extensions using ePolicy Orchestrator 

11 Verify the Endpoint Encryption System Status by right-clicking McAfee Agent System Tray 

on the client system, then clicking Quick Settings | Endpoint Encryption Status. 

Install the EEPC extensions using ePolicy 

Orchestrator 

Install the EEPC extensions on the ePolicy Orchestrator server using the Software tab. There 

are two extension files in .ZIP format for EEPC. 

Before you begin 

You must have appropriate permissions to perform this task. 

You must install the extensions in order: EEADMIN.ZIP first, then EEPC.ZIP. 

Task 

For option definitions, click ? in the interface. 

1 Log on to the ePolicy Orchestrator server as an administrator. 

2 Click Menu | Software | Extensions | Install Extension to open the Install Extension 

dialog box. 

3 Click Browse and select the extension file EEADMIN.ZIP, then click OK. The Install 

Extension page appears with the extension name and version details. 

NOTE: The extension file EEADMIN.ZIP is a prerequisite for the extension file EEPC.ZIP. 

4 Click OK. 

5 Repeat steps 2 and 3 to install the EEPC.ZIP extension. 

Install the Help extension 

You can install the Help extension separately on the ePolicy Orchestrator server using the 

Software tab. The Help extension is a .ZIP file. 



Task 


2 Click Menu | Software | Extensions | Install Extension. The Install Extension dialog 

box appears. 

3 Click Browse and select the extension file help_ee_100.ZIP, then click OK. The Install 


4 Click OK. 


15


Use ePolicy Orchestrator to check in the EEPC software packages to the master repository. 



Before checking in the software packages, make sure there are no pull or replication tasks 

running. 

Task 



2 Click Menu | Software | Master Repository, then click Actions | Check In Package. 

The Check In Package wizard opens. 

3 From the Package type list, select Product or Update (.ZIP), then browse and select 

the MfeEEPC.ZIP package file. 

4 Click Next to open the Package Options page. 

5 Click Save to begin checking in the package. When the package is checked in, it appears 

in the Packages in Master Repository list on the Master Repository page. 

6 Repeat steps 2 through 5 to install the MfeEEAgent.ZIP package. 


16 



Use this option to register a Windows Active Directory. You must have a registered LDAP server 

to use Policy Assignment Rules, to enable dynamically assigned permission sets, and to enable 

automatic and manual user account assignment. 


Make sure you have the appropriate rights to modify the server settings, permission sets, users, 

and registered servers. 

Task 



2 Click Menu | Configuration | Registered Servers, then click New Server. The 

Registered Server Builder wizard opens. 

3 From the Server type drop-down list on the Description page, select LDAP Server, specify 

a unique name (a user-friendly name) and any details, then click Next. The Details page 

appears. 

4 Select Active Directory from LDAP server type, then type the Domain name or the 

Server name. 

NOTE: Use DNS-style domain name. While using DNS-style domain name, ensure that the 

McAfee ePO system is configured with appropriate DNS setting and can resolve the DNS-style 

domain name of the Active Directory. The Server name is the name or IP address of the 

system where the Windows Active Directory is present. 




5 Type the User name. 

NOTE: The User name should be of the format: domain\Username for Active Directory accounts. 

6 Type the Password and confirm it. 

7 Click Test Connection to ensure that the connection to the server works, then click Save. 


You can create many tasks that run at scheduled intervals to manage the McAfee ePO server 

and McAfee Endpoint Encryption software. Run this task to synchronize with the user Active 

Directory. 



Task 



2 Click Menu | Automation | Server Tasks to open the Server Tasks page. 

3 Click Actions | New Task. The Server Task Builder wizard opens. 

4 On the Description page, name the task, type some notes about the task, and choose 

whether it is enabled, then click Next. The Actions page appears. 

5 From the Actions drop-down list, select EE LDAP Server User/Group Synchronization 

and accept the default values. 

6 Click Next to open the Schedule page. 

7 Schedule the task, then click Next to display the Summary page. 

8 Review the task details, then click Save. 

NOTE: In addition to the task running at the scheduled time, you can run this task 

immediately by clicking Run next to the task on the Server Tasks page. 


Set up the client task to automatically install the EEPC software on the client computers. For 

more details and procedures on how to perform this task, See the ePolicy Orchestrator product 

documentation for versions 4.5 and 4.6. 



Task 




17

2 Click Menu | Systems | System Tree, then select a group or system(s) from the System 

Tree pane on the left. 

3 On the Client Tasks tab, click Actions, then select New Task from the drop-down menu. 

The Client Task Builder wizard opens with the Description page. 

4 Type a Name and Notes for the task, select the Type as Product Deployment from 

the drop-down list, select whether the task should be sent to all computers or to tagged 

computers, then click Next. The Configuration page appears. 

5 Select the Target platform as Windows. 

6 From the Products and components drop-down list, select Endpoint Encryption Agent 

for PC 1.1.0.x to specify the version of the agent to deploy and, if needed, additional 

command-line parameters. 

7 Select the Action as Install. 

NOTE: If you are working in a Windows environment, check whether to run the task at 

each policy enforcement interval. 


9 Change the Schedule Type as required and click Next. The Summary page appears. 

10 Verify the task’s details, then click Save. The new deployment task is sent to the client 

computers at the next agent-server communication. 

11 Send an agent wake-up call. 

Follow the same procedure to deploy Endpoint Encryption for PC 6.1.0.x. We recommend 

that you deploy Endpoint Encryption Agent for PC 1.1.0.x before deploying Endpoint 

Encryption for PC 6.1.0.x. 

TIP: We recommend that you create separate client tasks for deploying Endpoint Encryption 

Agent for PC 1.1.0.x and Endpoint Encryption for PC 6.1.0.x, then deploy them in sequence. 

12 Restart the client system when prompted after installing the Endpoint Encryption for PC 

6.1.0.x package. 

Send an agent wake-up call 

18 



The client gets the policy update whenever it connects to the McAfee ePO server (during next 

ASCI). The policy update can be scheduled or forced. The agent wake-up call option forces the 

policy update to the client system. 

NOTE: For information on adding a new system, see the ePolicy Orchestrator product 




Task 


1 Log on to the ePolicy Orchestrator server as an administrator 

2 Click Menu | Systems | System Tree. 

3 Select a system group from the System Tree. 

4 Select the System Name(s) of that group. 




5 Click Actions | Agents | Wake Up Agents from the drop-down menu. The Wake Up 

Agents page appears. 

6 Select a Wake-up call type and a Randomization period (0-60 minutes) by which the 

system(s) respond to the wake-up call sent by ePolicy Orchestrator. 

7 Select Get full product properties for the agent(s) to send complete properties instead 

of sending only the properties that have changed since the last agent-to-server 

communication. 

8 Click OK. 

NOTE: Navigate to Menu | Automation | Server Task Log to see the status of the agent 

wake-up call. 


Use ePolicy Orchestrator to add the EEPC users to the client system. 



Task 


1 Click Menu | Data Protection | Encryption Users to open the My Organization page. 

2 Select a group or system(s) from the System Tree pane on the left. 

NOTE: To add users to a particular system, select the required system from the System 

Tab under the My Organization pane on the right. 

3 Click Actions | Endpoint Encryption | Add Users to open the Add Endpoint Encryption 

Users page. 

4 Add users: Click + in the Users field, browse to the users list, select the Users, then click 

OK. 

5 Add groups: Click + in the From the groups field, browse to the users groups list, select 

the groups, then click OK. 

6 Add an organizational unit: Click + in the From the organizational units field, browse 

to the organizational unit list, select the unit, then click OK. 

7 In the Add Endpoint Encryption Users page, click OK. 


Use this task to assign a policy at a user level. For more details and procedures on how to 

perform this task, See the ePolicy Orchestrator product documentation for versions 4.5 and 4.6. 




19



Task 


1 Click Menu | Policy | Policy Assignment Rules to open the Policy Assignment Rules 

page. 

2 Click Actions | New Assignment Rule. The Policy Assignment Builder wizard opens with 

Details page. 

3 Type the Name and Description, then click Next. The user Selection Criteria page opens. 

4 Select the user by choosing the selection criteria, then click Next. The Assigned Policies 

page opens. 

5 Click Add. The Choose a policy to assign dialog box appears. 

6 From the Product drop-down list, select Endpoint Encryption 1.1.0. 

7 From the policy Category drop-down list, select the User Based Policy. 

8 From the Policy drop-down list, select the desired policy, then click OK. The Summary page 

opens. 

9 Click Save. 

Configure UBP enforcement 

20 



By default, all users inherit the default User Based Policy assigned to the system. To allow a 

user to use the required User Based Policies, you must enable UBP enforcement for that user. 

This overrides the default UBP on the system. If not, the user inherits the default UBP. 

User Based Policies in EEC 6.1 

A requirement of EEC 6.1 is that you need to specify which groups of users are allowed or not 

allowed to use the Policy Assignment Rules. The allowed users get their required User Based 

Policies. Users that are not allowed to use the Policy Assignment Rules inherit the default User 

Based Policies assigned to the system. 



Task 


1 Click Menu | Reporting | Queries. The Queries page opens. 

2 Select Endpoint Encryption from Shared Groups in Groups pane. The standard EE 

query list appears. 

3 Run the EE: Users query to list all the Endpoint Encryption Users. 

4 Select a user from the list to enforce the policy. 

5 Click Actions | Endpoint Encryption | Configure UBP enforcement. The Configure 

UBP enforcement page appears with Enable and Disable options. 




6 Select Enable or Disable, then click OK to configure the UBP enforcement. On selecting 

Enable, Policy Assignment Rules are enabled for the selected users, and a specifc UBP is 

assigned to the user according to the ruled defined. 

NOTE: At each ASCI, ePolicy Orchestrator ensures that all the relevant user-based policies 

are deployed to each client in addition to the user-based policy for the logged on user 

configured with UBP enforcement. 


Use ePolicy Orchestrator to assign a policy to a specific set of managed systems. You can assign 

policies before or after deploying McAfee Endpoint Encryption software. 



Task 


1 Click Menu | Systems | System Tree | Systems, then select a group under System 

Tree. All the systems within this group (but not its subgroups) appear in the details pane. 

2 Select the target system, then click Actions | Agent | Modify Policies on a Single 

System. The Policy Assignment page for that system appears. 

3 From the Product drop-down list, select Endpoint Encryption 1.1.0. The policy categories 

under Endpoint Encryption are listed with the system’s assigned policy. 

4 Select the Product Setting policy category, then click Edit Assignments. 

5 If the policy is inherited, select Break inheritance and assign the policy and settings 

below next to Inherit from. 

6 From the Assigned policy drop-down list, select the Product Setting policy. 

NOTE: From this location, you can edit the selected policy, or create a new policy. 

7 Select whether to lock policy inheritance to prevent any systems that inherit this policy 

from having another one assigned in its place. 

8 When modifying the default policy or creating the new policy, select any one of the disk 

encryption options other than None, by navigating to Encryption (tab) | Encrypt. The 

default option None does not initiate the encryption. 

9 Click Save. 


Enable or disable policy enforcement for McAfee Endpoint Encryption on a system. Policy 

enforcement is enabled by default, and is inherited in the System Tree. 




21

Task 


1 Click Menu | Systems | System Tree | Systems, then under System Tree, select the 

group where the system belongs. The list of systems belonging to this group appears in 

the details pane. 

2 Select a system, then click Actions | Agent | Modify Policies on a Single System. The 

Policy Assignment page appears. 

3 Select Endpoint Encryption 1.1.0, then click Enforcing next to Enforcement status. 

The Enforcement page appears. 

4 To change the enforcement status, select Break inheritance and assign the policy 

and settings below. 

5 Next to Enforcement status, select Enforcing or Not enforcing accordingly, then click 

Save. 

After restarting, the client system communicates with the ePolicy Orchestrator server and 

pulls down the assigned Endpoint Encryption policies and encrypts the system according 

to the defined policies. The assigned user can be initialized through the Pre-Boot screen 

after the subsequent restart. 


22 



Edit a client task’s settings or schedule information for any existing task. For more details and 

procedures on how to perform this task, See the ePolicy Orchestrator product documentation 

for versions 4.5 and 4.6. 



Task 


1 Click Menu | Systems | System Tree | Client Tasks, then select a group where the 

required client task was in the System Tree. 

2 Click Edit Settings next to the task. The Client Task Builder wizard opens. 

3 Edit the task settings as needed, then click Save. 

The managed systems receive these changes the next time the agent communicates with the 

server. 


Upgrading from EEPC 6.0.x to EEPC 6.1 

The primary goal of upgrading EEPC 6.0 and EEPC 6.0 Patch 1 and Patch 2 to EEPC 6.1 is to 

update the components while maintaining all of the existing encryption, policies, users, 

authentication details, Single Sign On (SSO) details, audit, and tokens. 

Contents 

Supported versions 

Overview of the upgrade process 

User experience summary 

Supported versions 

EEPC 6.1 supports the client upgrade from EEPC 6.0, EEPC 6.0 Patch 1, and Patch 2. 

Overview of the upgrade process 

Use the following high-level process to upgrade EEPC 6.0.x client. 

1 Install the necessary EEPC 6.1 extensions on the ePolicy Orchestrator server. You can also 

upgrade the 6.0.x extensions with 6.1 extensions. 

2 Check in the EEPC and EEAgent packages to McAfee ePO. 

3 Define the appropriate policy settings for 6.1, if you need to change the policies defined 

for 6.0.x. 

NOTE: Make sure that you have enforced the required user-based policy to the user assigned 

to the client system. 

A requirement of EEPC 6.1 is that you need to specify which groups of users are allowed 

or not allowed to use the Policy Assignment Rules. The allowed users get their required 

User Based Policies. Users that are not allowed to use the Policy Assignment Rules inherit 

the default User Based Policies assigned to the system. 

4 Deploy EEPC 6.1 to the client system where 6.0.x is currently installed. This upgrades the 

EEPC 6.0.x client files into EEPC 6.1 client files. 

TIP: We recommend that you create separate client tasks for deploying the Endpoint 

Encryption Agent for PC 1.1.0.x and Endpoint Encryption for PC 6.1.0.x, then deploy them 

in sequence. 


23

5 Restart the client system after each deployment task completion. After restarting the client 

system, the new files and drivers are in place. The EEPC 6.1 encryption status dialog box 

shows the status as Active throughout the upgrade process. 

NOTE: After the upgrade, the only visible change is the version numbers in various modules 

lists. 

Configure UBP enforcement 

By default, all users inherit the default User Based Policy assigned to the system. To allow a 

user to use the required User Based Policies, you must enable UBP enforcement for that user. 

This overrides the default UBP on the system. If not, the user inherits the default UBP. 

A requirement of EEPC 6.1 is that you need to specify which groups of users are allowed or not 

allowed to use the Policy Assignment Rules. The allowed users get their required User Based 

Policies. Users that are not allowed to use the Policy Assignment Rules inherit the default User 

Based Policies assigned to the system. 



Task 


1 Click Menu | Reporting | Queries. The Queries` page opens. 

2 Select Endpoint Encryption from Shared Groups in Groups pane. The standard EE 

query list appears. 

3 Run the EE: Users query to list all the McAfee Endpoint Encryption Users. 

4 Select a user from the list to enforce the policy. 

5 Click Actions | Endpoint Encryption | Configure UBP enforcement. The Configure 

UBP enforcement page appears with Enable and Disable options. 

6 Select Enable or Disable, then click OK to configure the UBP enforcement. On selecting 

Enable, Policy Assignment Rules are enabled for the selected users, and a specifc UBP is 

assigned to the user according to the ruled defined. 

NOTE: At each ASCI, ePolicy Orchestrator ensures that all the relevant user-based policies 

are deployed to each client in addition to the user-based policy for the logged on user 

configured with UBP enforcement. 


24 



This table highlights the summary of different phases and its status before, during, and after 

the client upgrade from EEPC 6.0.x to EEPC 6.1. 

Table 1: User experience summary 

State 

Before deploying EEPC 6.1 

packages 

Pre-Boot 

EEPC 6.0.x 

Windows 

EE Logon 

EEPC 6.0 

Comments 


The client system has EEPC 6.0.x installed



State 

During the deployment of 

EEPC 6.1 to the client 

After restarting the system 

due to the EEPC v6.1 

deployment 

Pre-Boot 

EEPC 6.0.x 


Windows 

EE Logon 



Comments 


The EEPC 6.1 deployment forces to restart the client system 

• The 6.0.x status remains as Active throughout the 

upgrade process 

• The user credentials for both Windows and Pre-Boot 

logons are the same as 6.0.x for 6.1 

• SSO to Windows continues to function as it did before the 

upgrade 

25

Uninstalling the EEPC client 

To uninstall EEPC from the client, you need to: 

• disable the EEPC product setting policy 

• make sure that the Endpoint Encryption System Status is Inactive 

• uninstall EEPC from the client. 

Contents 

Deactivate the EEPC client 

Remove EEPC from the client system 

Remove the EEPC extensions from ePolicy Orchestrator 

Remove the EEPC software packages from ePolicy Orchestrator 

Manually uninstall EEPC from the client system 

Deactivate the EEPC client 

26 

Use ePolicy Orchestrator to deactivate the EEPC client. 



Task 





Policy Assignment page for that system appears. 

3 From the product drop-down list, select Endpoint Encryption 1.1.0 . The policy categories 




below that is present next to Inherit from. 

6 From the Assigned policy drop-down list, select the desired product setting policy. 


7 Select whether to lock policy inheritance to prevent any systems that inherit this policy 


8 On the General tab, deselect Enable policy. 




9 Click Save in the Policy Settings page, then click Save in the Product Settings page. 


NOTE: On disabling the product setting policy, all the encrypted drives get decrypted and 

the Endpoint Encryption status becomes Inactive. This may take a few hours depending 

on the number and size of the encrypted drives. 


Set up the client task to automatically remove the EEPC software from the client computers. 

For more details and procedures on how to perform this task, See the ePolicy Orchestrator 



Ensure to deactivate the Endpoint Encryption Agent before removing EEPC from the client 

system. 

Task 



2 Click Menu | Systems | System Tree, then select a required group or system(s) from 

the System Tree. 






5 Select the Target platform as Windows. 

6 From the Products and components drop-down list, select Endpoint Encryption for PC 

6.1.0.x to specify the version of EEPC to remove and, if needed, additional command-line 

parameters. 

7 Select the Action as Remove. 

NOTE: If you are working in a Windows environment, check whether to run the task at 

each policy enforcement interval. 






NOTE: Follow the same procedure to remove Endpoint Encryption Agent for Windows 

1.1.0.x from the client system. We recommend that you remove Endpoint Encryption 

for PC 6.1.0.x before removing Endpoint Encryption Agent for Windows 1.1.0.x. 


27

Remove the EEPC extensions from ePolicy 

Orchestrator 

To uninstall the EEPC extension and the checked in packages, you need to remove them from 

the McAfee ePO server. 

In case of both EEPC and EEMac are being managed by a single McAfee ePO server, you can 

remove the EEAdmin extension only when the McAfee ePO management is not required for 

both products. 


Ensure to deactivate the Endpoint Encryption Agent before removing the EEPC extension from 


Task 



2 Click Menu | Software | Extensions, then select Endpoint Encryption . The Extension 

page appears with the extension name and version details. 

3 On the Extension page, click Remove. The Remove extension confirmation page appears. 

4 Click OK to remove the extension. 

NOTE: You need to follow the same procedure to remove both the extension files EEPC.ZIP 

and EEADMIN.ZIP, however, extension file EEPC.ZIP needs to be removed first. 

Remove the EEPC software packages from ePolicy 

Orchestrator 

28 


Remove the EEPC extensions from ePolicy Orchestrator 

Use McAfee ePO to remove the EEPC software packages. 


Ensure to deactivate the Endpoint Encryption Agent before removing the EEPC software package 

from McAfee ePO. 

Task 



2 Click Menu | Software | Master Repository. The Packages in Master Repository page 

appears with the list of software packages and their details. 

3 Click Delete against the EEPC software packages. The Delete package confirmation page 

appears. 

4 Click OK to delete the EEPC software package from the ePO master repository. 

NOTE: You need to follow the same procedure to remove both the packages MfeEEAgent.ZIP 

and MfeEEPC.ZIP. You can also use this procedure to remove the themes and simple words 

packages that are automatically added to the master repository. 





Use this task to manually uninstall EEPC from the client system. 


Make sure that you deactivate the Endpoint Encryption Agent before initiating the manual 

removal process. 

You must have administrator privileges to perform this task. 

Task 

1 On the client system, after deactivating the Endpoint Encryption Agent, browse to the 

following registry values and double-click the Uninstall command. The Edit String dialog 

box appears. 

• For EE Agent on 32-bit system: HKEY_LOCAL_MACHINE\SOFTWARE\Network 

Associates\ePolicy Orchestrator\Application Plugins\EEADMIN_1000. 

• For EEPC on 32-bit system: HKEY_LOCAL_MACHINE\SOFTWARE\Network 

Associates\ePolicy Orchestrator\Application Plugins\EEPC. 

• For EE Agent on 64-bit system: 

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network 

Associates\ePolicy Orchestrator\Application Plugins\EEADMIN_1000. 

• For EEPC on 64-bit system: 

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network 

Associates\ePolicy Orchestrator\Application Plugins\EEPC. 

2 Copy the Value data from the Edit String dialog box, paste and run it on the command 

prompt. You can retain /q and add /norestart commands to run a silent removal and to avoid 

restarting the system after the uninstalling the EEPC. 


29

Installing the EEMac client 

The EEMac extensions, agent, and the software packages are checked in to McAfee ePO for 

the management functionality. This is necessary before deploying the software and configuring 

the policies. 

CAUTION: Before you begin, make sure that any competitor's encryption products are removed 

from the client system before installing EEMac. Also, avoid installing any other encryption 

products after installing EEMac. 

Contents 


Deploy McAfee Agent to Mac OS X client 

Install the EEMac extensions using McAfee ePO 

Check in the EEMac software packages (EEAgent and EEMac) to ePolicy Orchestrator 


Configure automation tasks for LDAP synchronization 

Deploy EEMac to the client system 





30 

The EEMac client software is deployed from the McAfee ePO server and installed through McAfee 

Agent. The installation of EEMac installs the Pre-Boot File System (PBFS) on the client system. 

The client system requires a restart to complete the installation of the EEMac software. After 

the restart, it communicates with ePolicy Orchestrator and pulls down the assigned Endpoint 

Encryption policies and encrypts the system according to the defined polices. The assigned user 

can be initialized through the Pre-Boot screen after the subsequent restart. The summary of 

the client installation process is depicted in Figure 3. 




Figure 3: Process overview of installation 

The overall EEMac installation and deployment process can be simplified into following steps: 

NOTE: This assumes that the user has already successfully installed ePolicy Orchestrator and 

has the McAfee Agent installed on various systems which successfully communicate with the 

McAfee ePO server. 

1 Install the EEAdmin and EEMac extensions into the McAfee ePO server. 

2 Check in the EEMac software packages (MfeEeMac-1.0.0.x.ZIP and MfeEEAgent-1.0.0.x.ZIP) 

to the McAfee ePO server. 

3 Configure the registered server (Windows Active Directory). 

4 Configure and run the automation task for LDAP Synchronization. 

5 Deploy the Endpoint Encryption Agent to the Mac client. 

6 Deploy the Endpoint Encryption for Mac to the Mac client. 

7 Restart the client system. You should now be able to see the Encryption icon | McAfee 

Endpoint Encryption System Status option on the menu bar that is present on the desktop 

of the client. 

8 Add users to a system or a group of systems. 

9 Create a product settings policy or edit the default policy, then assign it to a system or a 

group of systems. 

10 Create a user-based policy or edit the default policy, then assign it to a user or a group of 

users on a system. 

NOTE: The Endpoint Encryption System Status changes from Inactive to Active only after 

adding the user and enforcing the policies correctly. 


31

11 Verify the Endpoint Encryption System Status by clicking the Encryption icon | McAfee 

Endpoint Encryption System Status option on the menu bar that is present on the desktop 

of the client. If the Endpoint Encryption system state is Active, it displays the system 

partition/volume list under Volume Status. Volume status that is either Encrypted or 

Decrypted is also displayed for each partition/volume. 


32 



It is not possible to deploy McAfee Agent for Mac through McAfee ePO. You need to install the 

McAfee Agent on a Mac client system using the install.sh file. You can get this file from the 

Windows-based system where McAfee ePO is installed. 

The client system is automatically added to the System Tree in ePolicy Orchestrator on successful 

installation of the McAfee Agent for Mac on the Mac client system. 

For more details and procedures, See the ePolicy Orchestrator product documentation for 

versions 4.5 and 4.6. 



Task 

You should install the McAfee Agent for Mac using the command Terminal on the Mac. After 

installing the McAfee Agent for Mac OS X, the Mac client system communicates back to the 

McAfee ePO server. This process usually takes some time. 

Select This group and all subgroups in Filter in the System Tree page, then refresh ePolicy 

Orchestrator. The ePolicy Orchestrator displays the Mac client system details under System 

Tree | Systems after the first agent-to-server communication. 

1 Check in the McAfee Agent for Mac OS X package to the master repository. 

2 Copy the install.sh file from this location on the Windows-based system. 

C:\Program File\McAfee\ePolicy 

Orchestrator\DB\Software\Current\EPOAGENT3700MACX\Install\0409 

To download the Agent installation package using ePolicy Orchestrator: 

1 click Menu | Systems | System Tree | System Tree Actions | New Systems on 

the McAfee ePO server. The New Systems page appears. 

2 Select Create and download agent installation package from How to add 

systems. 

3 Select Non-Windows and McAfee Agent for Mac OS X 4.5/4.6 from Select 

Agent Package, and deselect Use Credentials, then click OK. The Download file 

page appears. 

4 Click the install link to open the file, or right-click the link to download and save the 

file. 

3 Place the copied install.sh file in the desktop. 

4 On the Terminal, type this command to go to the location where the install.sh file is 

present cd /Users//Desktop. 

5 Deploy the McAfee Agent on the Mac client with one of these commands: 

• sudo ./install.sh -i (for a fresh installation) 




• sudo ./install.sh –u (for an upgrade of the agent) 

NOTE: Type the administrator password if prompted. 

The installation path of McAfee Agent is /Library/McAfee/cma/ 

The uninstall path of McAfee Agent is /Library/McAfee/cma/uninstall.sh 

6 To monitor the McAfee Agent logs, run the command sudo tail -f 

/Library/McAfee/cma/scratch/etc/log and provide the administrator password when prompted. 


You can install the EEMac extensions on the ePolicy Orchestrator server using the Software tab. 



You must install the extensions in order: EEADMIN.ZIP first, then EEMac.ZIP. 

Task 



2 Click Menu | Software | Extensions | Install Extension. The Install Extension dialog 

box appears. 

3 Click Browse and select the extension file EEADMIN.ZIP, then click OK. The Install 


4 Click OK. 

5 Repeat steps 2 and 4 to install the EEMac.ZIP extension. 

Check in the EEMac software packages (EEAgent 

and EEMac) to ePolicy Orchestrator 

Use ePolicy Orchestrator to check in the EEMac software packages (EEAgent and EEMac) to 

the master repository. 



Before checking in the software packages, make sure there are no pull or replication tasks 

running. 

Task 



2 Click Menu | Software | Master Repository, then click Actions | Check In Package. 

The Check In Package wizard opens. 


33

3 From the Package type list, select Product or Update (.ZIP) , then browse to and select 

the MfeEeMac-1.0.0.x.ZIP package file. 

4 Click Next to display the Package Options page. 

5 Click Save to begin checking in the package. Wait while the package is checked in. 

6 Repeat steps 2 through 5 to install the MfeEEAgent-1.0.0.x.ZIP package. 

The new package appears in the Packages in Master Repository list on the Master Repository 

page. 


Use this option to register a Windows Active Directory. 


• You must have a registered AD to enable dynamically assigned permission sets and automatic 

user account creation. 

• Make sure you have the appropriate rights to modify server settings, permission sets, users, 

and registered servers. 

Task 



2 Click Menu | Configuration | Registered Servers, then click New Server. The 

Registered Server Builder wizard opens. 

3 From the Server type drop-down list on the Description page, select LDAP Server, specify 

a unique name (a user-friendly name) and any details, then click Next. The Details page 

appears. 

4 Type the Domain name or the Server name. 

NOTE: Use DNS-style domain name. While using DNS-style domain name, ensure that the 

system is configured with appropriate DNS setting and can resolve the DNS-style domain 

name of the Active Directory. The Server name is the name or IP address of the system 

where the Windows Active Directory is present. 

5 Type the User name. 

NOTE: The User name should be of the format: domain\Username for Active Directory accounts. 

6 Type the Password and confirm it. 

7 Click Test Connection to ensure that the connection to the server works, then click Save. 

Configure automation tasks for LDAP 

synchronization 

34 



You can create many tasks that run at scheduled intervals to manage the McAfee ePO server 

and McAfee Endpoint Encryption software. 






Task 



2 Click Menu | Automation | Server Tasks, The Server Tasks page opens. 

3 Click Actions | New Task. The Server Task Builder wizard opens. 

4 On the Description page, name the task, type some notes about the task, and choose 

whether it is enabled, then click Next. The Actions page appears. 

5 From the Actions drop-down list, select EE LDAP Server User/Group Synchronization 

and accept the default values. 

6 Click Next. The Schedule page appears. 

7 Schedule the task, then click Next to display the Summary page. 

8 Review the task details, then click Save. 

NOTE: In addition to the task running at the scheduled time, you can run this task 

immediately by clicking Run next to the task on the Server Tasks page. 


Use this task to set up the client task to automatically install the EEMac to the client computers. 





Task 



2 Click Menu | Systems | System Tree and select a required group or system(s) from the 

System Tree pane on the left. 






5 Select the Target platform as Mac. 

6 From the Products and components drop-down list, select Endpoint Encryption Agent 

for Mac OS X 1.0.0.X to specify the version of the agent to deploy and, if needed, 

additional command-line parameters. 

7 Select the Action as Install. 



35





Follow the same procedure to deploy Endpoint Encryption for Mac OS X 1.0.0.X. We 

recommend that you deploy Endpoint Encryption Agent for Mac OS X 1.0.0.X before 

deploying Endpoint Encryption for Mac OS X 1.0.0.X. 

TIP: We recommend that you create separate client tasks for deploying Endpoint Encryption 

Agent for Mac OS X 1.0.0.X and Endpoint Encryption for Mac OS X 1.0.0.X, then deploy 

them in sequence. 

Send an agent wake-up call 

The client gets the policy update whenever it connects to the McAfee ePO server. The policy 

update can be scheduled or forced. The agent wake-up call option forces the policy update to 

the client system. 

NOTE: For more information on adding a new system, see the ePolicy Orchestrator product 




Task 


1 Log on to the ePolicy Orchestrator server as an administrator 

2 Click Menu | Systems | System Tree. 

3 Select a system group from the System Tree. 

4 Select the System Name(s) of that group. 

5 Click Actions | Agents | Wake Up Agents from the drop-down menu. The Wake Up 

Agents page appears. 

6 Select a Wake-up call type and a Randomization period (0-60 minutes) by which the 

system(s) respond to the wake-up call sent by the ePO server. 

7 Select Get full product properties for the agent(s) to send complete properties instead 

of sending only the properties that have changed since the last agent-to-server 

communication. 

8 Click OK. 

NOTE: Navigate to Menu | Automation | Server Task Log to see the status of the agent 

wake-up call. 


36 



Use ePolicy Orchestrator to add the EEMac users to the client system. 






Task 


1 Click Menu | Data Protection | Encryption Users. The My Organization page opens. 

2 Select a required group or system(s) from the System Tree pane on the left. 

NOTE: To add users to a particular system, select the required system from the System 

Tab under My Organization pane on the right. 

3 Click Actions | Endpoint Encryption | Add Users. The Add Endpoint Encryption Users 

page opens. 

4 Add users: Click + in the Users field, browse to the users list, select the Users, then click 

OK. 

5 Add groups: Click + in the From the groups field, browse to the users groups list, select 

the groups, then click OK. 

6 Add an organizational unit: Click + in the From the organizational units field, browse 

to the organizational unit list, select the unit, then click OK. 

7 In the Add Endpoint Encryption Users page, click OK. 


Assign a policy to a specific set of managed systems. You can assign policies before or after 

deploying the McAfee Endpoint Encryption software. 



Task 






3 From the Product drop-down list, select Endpoint Encryption 1.1.x. The policy categories 





6 From the Assigned policy drop-down list, select the Product Setting policy. 


7 Choose whether to lock policy inheritance to prevent any systems that inherit this policy 



37

8 While modifying the default policy or creating the new policy, select any one of the disk 

encryption options other than None, by navigating to Encryption (tab) | Encrypt. The 

default option None does not initiate the encryption. 

9 Click Save. 


Enable or disable policy enforcement for EE on a system. Policy enforcement is enabled by 

default, and is inherited in the System Tree. For more details and procedures on how to perform 

this task, See the ePolicy Orchestrator product documentation for versions 4.5 and 4.6. 



Task 



Tree where the system belongs. The list of systems belonging to this group appears in the 

details pane. 


Policy Assignment page appears. 

3 Select Endpoint Encryption 1.1.x, then click Enforcing next to Enforcement status. 

The Enforcement page appears. 

4 If you want to change the enforcement status you must first select Break inheritance 

and assign the policy and settings below. 

5 Next to Enforcement status, select Enforcing or Not enforcing accordingly, then click 

Save. 

After restarting, it communicates with the ePolicy Orchestrator server and pulls down the 

assigned McAfee Endpoint Encryption policies and encrypts the system according to the 

defined policies. The assigned user can be initialized through the Pre-Boot screen after the 

subsequent restart. 


38 



Edit a client task’s settings or to schedule information for any existing task. For more details 

and procedures on how to perform this task, See the ePolicy Orchestrator product documentation 

for versions 4.5 and 4.6. 



Task 





1 Click Menu | Systems | System Tree | Client Tasks, then select the group where the 

desired client task was in the System Tree. 

2 Click Edit Settings next to the task. The Client Task Builder wizard opens. 

3 Edit the task settings as needed, then click Save. 

The managed systems receive these changes the next time the agents communicate with the 

server. 


39

Deploying the standalone versions of EEMac 

to the client systems 

The EEMac product allows the deployment of standalone versions of EEMac to the client systems. 

Contents 

Deploy the standalone version of EEAgent on Mac client 

Deploy the standalone version of EEMac on Mac client 

Deploy the standalone version of EEAgent on Mac 

client 

You can install the standalone version of EEAgent on the Mac client using the given package 

MfeEeAgent-1.0.0.X.dmg. 



Task 

1 Copy the MfeEeAgent-1.0.0.X.dmg file to a location in the Mac client. 

2 Double-click the MfeEeAgent-1.0.0.X.dmg file to begin the installation. The 

MfeEeAgent-1.0.0.X screen appears with the package file MfeEeAgent.pkg. 

3 Double-click the MfeEeAgent.pkg file. The Install McAfee Endpoint Encryption Agent for 

Mac OS X Installer screen appears and this displays the Introduction option. 

4 Click Install on the Installation Type page to initiate the installation of the EEAgent on the 

Mac client. On clicking Install option, the Installation page appears, then the Summary 

page appears. 

5 Click Close to complete the installation. 

Deploy the standalone version of EEMac on Mac 

client 

40 

You can install the standalone version of EEMac on the Mac client using the given package 

MfeEeMac-1.0.0.X.dmg. 


Deploying the standalone versions of EEMac to the client systems 

Deploy the standalone version of EEMac on Mac client 



Task 

1 Copy the MfeEeMac-1.0.0.X.dmg file to a location in the Mac client. 

2 Double-click the MfeEeMac-1.0.0.X.dmg file to begin the installation. The 

MfeEeMac-1.0.0.X screen appears with the package file MfeEeMac.pkg. 

3 Double-click the MfeEeMac.pkg file. The Install McAfee Endpoint Encryption for Mac OS 

X screen appears and this displays the Introduction option. 

4 Click Continue. The Installation Type page appears. 

5 Click Install on the Installation Type page to initiate the installation of the EEMac on the 

Mac client. The confirmation message to restart the system after the installation appears. 

6 Click Continue Installation to initiate the installation. On clicking Continue Installation, 

the Installation page appears, then the Summary page appears with Restart option. You 

must restart the system to complete the installation of the McAfee Endpoint Encryption for 

Mac. 


41

Uninstalling the EEMac client 

To uninstall EEMac from the client, you need to: 

• disable all EEMac product setting policies 

• make sure that the Endpoint Encryption System Status is Inactive 

• uninstall EEMac from the client. 

Contents 

Deactivate the Endpoint Encryption Agent 

Remove EEMac from the client system 

Remove the EEMac extensions from McAfee ePO 

Remove the EEMac packages from McAfee ePO 

Manually uninstall EEMac from the client system 

Deactivate the Endpoint Encryption Agent 

42 

Use this task to deactivate the Endpoint Encryption Agent on the client system. 



Task 






3 Select Endpoint Encryption 1.1.x from the product drop-down list. The policy categories 





6 Select the product setting policy from the Assigned policy drop-down list. 


7 Choose whether to lock policy inheritance to prevent any systems that inherit this policy 


8 On the General tab, deselect Enable policy. 






NOTE: On disabling the product setting policy, all the encrypted drives get decrypted and 

the Endpoint Encryption status becomes Inactive. This may take a few hours depending 

on the number and size of the encrypted drives. 


Use ePolicy Orchestrator to set up the client task to automatically remove EEMac from the client 

computers. 


Ensure to deactivate the Endpoint Encryption Agent before removing EEMac from the client 

system. 

Task 



2 Click Menu | Systems | System Tree and select a required group or system(s) from the 







5 Select the Target platform as Mac. 

6 From the Products and components drop-down list, select Endpoint Encryption for Mac 

OS X 1.0.0.X to specify the version of the product to remove and, if needed, additional 

command-line parameters. 

7 Select the Action as Remove. 






NOTE: Follow the same procedure to remove Endpoint Encryption Agent for Mac OS X 

1.0.0.X from the client system. We recommend that you remove Endpoint Encryption for 

Mac OS X 1.0.0.X before removing Endpoint Encryption Agent for Mac OS X 1.0.0.X. 

Remove the EEMac extensions from McAfee ePO 

To uninstall the EEMac extension and the checked in packages, you just need to remove them 

from the McAfee ePO server. 


43

In case of both EEPC and EEMac are being managed by a single McAfee ePO server, you can 

remove the EEAdmin extension only when McAfee ePO management is not required for both 

products. 


Ensure to deactivate the Endpoint Encryption Agent before removing the EEMac extension from 


Task 



2 Click Menu | Software | Extensions, then select Endpoint Encryption . The Extension 

page appears with the extension name and version details. 

3 Click Remove. The Remove extension confirmation page appears. 

4 Click OK to remove the extension. 

NOTE: Follow the same procedure to remove both the extension files EEMac.ZIP and 

EEADMIN.ZIP, however, extension file EEMac.ZIP needs to be removed first. 


Use this task to remove the EEMac package from the McAfee ePO server. 


Ensure to deactivate the Endpoint Encryption Agent before removing the EEMac package from 

McAfee ePO. 

Task 



2 Click Menu | Software | Master Repository. The Packages in Master Repository page 

appears with the list of software packages and their details. 

3 Click Delete against the EEMac software packages. The Delete package confirmation page 

appears. 

4 Click OK to delete the EEMac software package from the ePO master repository. 

NOTE: You need to follow the same procedure to remove both the packages 

MfeEEAgent-1.0.0.x.ZIP and MfeEeMac-1.0.0.x.ZIP. 


44 



Use this task to manually uninstall the EEMac from the client system. 


Ensure to deactivate the Endpoint Encryption Agent before initiating the manual uninstall process. 




Task 

1 After deactivating the Endpoint Encryption Agent, open the Terminal and run sudo 

/Library/McAfee/ee/Agent/uninstall command to uninstall the EEAgent and type the 

administrator password if prompted. 

2 Run the command /Library/McAfee/ee/Mac/uninstall. This removes the EEMac software package 

from the client system. 

3 Run the command /Library/McAfee/ee/Agent/uninstall. This removes the EEAgent from the 

client system. 


45

Managing McAfee Endpoint Encryption policies 

Managing McAfee Endpoint Encryption from a single location is achieved by integrating EE 

software into ePolicy Orchestrator which is a central feature of McAfee ePO itself. This is 

accomplished through the combination of product policies. 

Are you configuring policies for the first time? 

When configuring policies for the first time: 

1 Plan product policies for the segments of your System Tree. 

2 Create and assign policies to groups and systems. 

NOTE: This section is applicable to both EEPC and EEMac. 

Contents 

Policy management 

Policy categories 

Create a policy from Policy Catalog 

Edit the EE policy settings from Policy Catalog 

Assign a policy to a system group 

Enforce EE policies on a system group 

Policy management 

A policy is a collection of settings that you create, configure, then enforce. Policies ensure that 

the managed client computer is configured and performs accordingly. 

Policy settings are the primary interface for configuring the client computer and its components. 

The ePolicy Orchestrator server allows you to configure policy settings for Endpoint Encryption 

clients and other managed systems from a central location. 


46 

Policy settings for McAfee Endpoint Encryption are grouped under category. Each policy category 

refers to a specific subset of policy settings. In the Policy Catalog page, policies appear under 

Endpoint Encryption and the individual policies appear under specific category. When you open 

or edit an existing policy or create a new policy under Endpoint Encryption, the policy product 

settings are organized across tabs such as General, Encryption, Log On, Recovery, Boot 

Options, Theme, and Encryption Providers. The user based policy settings are organized 




across tabs such as Authentication, Password, Password Content Rules, and 

Self-Recovery. 

Table 2: Product setting policies 

Settings 

General 

Encryption 

Log On (Endpoint 

Encryption) 

Options 

Enable Policy 

Encrypt 

Encryption Provider Priority 

Enable Automatic Booting 

Log on Message 

Do not display previous user 

name at log on 

Enable on screen keyboard 

NOTE: This option is not 

applicable to Mac client systems. 

Add local domain users 



Description 


Enables the set policies on the client computers. 

This drop-down list contains the options to select 

an encryption type. 

• None—Does not encrypt any disk. 

• All Disks—Encrypts all disks in a system. 

• Boot Only—Encrypts only the boot disk. 

• All Disks except Boot Disk—Encrypts all 

disks except the boot disk (not recommended) 

Lists the installed encryption providers and allows 

you to set the priority. 

On selecting, the client system boots automatically 

without prompting for a Pre-Boot Authentication. 

The expiration date for the auto booting can also 

be set. 

If required, the user can select the UTC time 

standard option. 

NOTE: If you enable this option, be aware that 

the McAfee Endpoint Encryption software doesn't 

protect the data on the drive when it is not in use. 

Type a message that appears to the user on all 

Endpoint Encryption logon pages. 

Hides the ID of the last logged on user in all 

McAfee Endpoint Encryption logon dialog boxes. 

This option enables the Pre-Boot On-Screen 

Keyboard (OSK) and the associated Wacom serial 

pen driver. When this option is enabled, the pen 

driver finds a supported pen hardware and 

displays the OSK. 

• Always display onscreen 

keyboard—Forces the Pre-Boot to always 

display a clickable on-screen keyboard 

regardless of whether the pen driver finds 

suitable hardware or not. This option is very 

useful to TabletPC users. 

On selecting this option, any domain users who 

have previously logged on to the system, are able 

to authenticate through the Pre-Boot, even if the 

administrator has not explicitly assigned the user 

to the client system. 

This option adds the previously logged in domain 

users to the client system. If this is enabled, the 

EEAgent queries the system for the domain 

users that have logged on to the client at any 

point of time. EEAgent will then send the 

collected data to the McAfee ePO server. The 

collected data is a list of user names and the 

domain names. 

47

48 



Settings 

Log On (Windows only) 

NOTE: These options are not 


Recovery 

Options 

Enable Accessibility 



Enable SSO 

Require Endpoint Encryption log 

on 

Lock workstation when inactive 

Enabled 

Key Size 

Description 


This option is helpful to visually impaired users. 

If selected, the system gives a beep as a signal 

when the user moves the cursor from one field 

to the next. 

This option enables the Single Sign On. 

• Must match user name—This option 

ensures the SSO details are only captured 

when the user’s Endpoint Encryption and 

Windows IDs match. This ensures that the 

SSO data captured is replayed for the user 

for which it was captured. 

• Using smart card PIN—This option allows 

the administrator to specify a smart card PIN 

as authentication. 

• Synchronize Endpoint Encryption 

password with Windows—If selected, the 

Endpoint Encryption password synchronizes 

with the Windows password. For example, if 

the client system password changes, the 

Endpoint Encryption password also changes 

accordingly. 

• Allow user to cancel SSO—This option 

allows the user to cancel the SSO to Windows 

in the Pre-Boot only. When this option is 

enabled, the user has an additional checkbox 

at the bottom of the Pre-Boot logon dialog. 

McAfee Endpoint Encryption takes control of the 

normal windows logon screen and screen saver 

logon. You will be prompted for your EEPC 

credentials while logging on. 

• Require logon when token is 

removed—The client system prompts for log 

on when any of the tokens is removed. 

The client system is locked when it is inactive for 

the set time. 

The recovery option is enabled by default. If 

enabled, this activates the Administrator Recovery 

option in the client system. 


the recovery key size. The recovery Response 

Code size depends on this recovery key size. 

However, this does not affect the size of the Client 

Code. 

• Low—This refers to a recovery key size that 

creates a short Response Code for the 

recovery. 

• Medium—This refers to a recovery key size 

that creates a medium size Response Code 

for the recovery. 

• High—This refers to a recovery key size that 

creates a lengthy Response Code for the 

recovery. 

• Full—This refers to a recovery key size that 

creates a Response Code, with the maximum 

number of characters, for the recovery.



Settings 

Boot Options 



Theme 

Encryption Providers 



Table 3: User based policies 

Settings 

Authentication 

Options 

Message 

Enable Boot Manager 

Always enable pre-boot USB 

support 

Enable pre-boot PCMCIA support 

Graphics Mode 

Select Theme 

Preview 

User Compatible MBR 

Fix OS Boot Record Sides 

Use Windows system drive as 

boot disk 

Options 

Token Type 

Certificate Rule 



Description 

Displays a text message when you select 

Recovery. This may include information such as 

your help desk contact details. 

This activates the built in pre-boot partition 

manager. This allows you to select the primary 

partition on the hard disk that you wish to boot. 

Naming of the partition is also possible with the 

boot manager. The time out for the booting to 

start can also be set. 

Forces the Endpoint Encryption Pre-Boot code to 

always initialize the USB stack. 

If selected, the policy enables pre-boot PCMCIA 

support. 

Allows you to select the screen resolution for a 

system or a system group. The default option is 

Automatic. 


a theme. 

Displays the preview of the selected theme. The 

preview is not available for shared policies from 

another McAfee ePO. 

This causes EEPC to boot a built-in fixed MBR 

instead of the original MBR that was on the 

system after pre-boot logon. It is used to avoid 

problems with some systems that had other 

software that runs from the MBR and no longer 

work if EEPC is installed. 

Some boot records contain the incorrect number 

of sides. Selecting this option fixes this on the 

client system. This is available only when you 

install the EEPC extension. 

This is for maintaining the compatibility with some 

systems where the disk 0 is not the boot disk. 

Selecting this option forces the users to assume 

that the boot disk is the one that contains the 

Windows directory but not disk 0. 

Description 


This specifies the authentication token, for 

example, password, smartcard, and so on. 

EEMac currently supports the Password token 

only. 

McAfee Endpoint Encryption enhances the use of 

PKI and tokens to allow users to authenticate 

using their certificates. By using certificate rules, 

you can quickly make your Endpoint Encryption 

enterprise aware of all certificate-holding users, 

and can allow them to be allocated to PCs using 

Endpoint Encryption without having to create new 

smart cards or other forms of token for them to 

use. 

• Provide LDAP user certificate—This 

provided the latest LDAP user certificate 

49

50 



Settings 

Password 

Password Content Rules 

Options 

Logon Hours 

Default password 

Description 

• Enforce certificate validity period on 

client—By default this is enabled to enforce 

certificate validity period for the added 

certificate rule. 

• Use latest certificate—This uses the latest 

certificate available. 

This defines the day and the timeline when the 

user can log on to the client system. The 

restrictions are applied using the Apply 

Restrictions option. 

The default password is 12345, if the 

administrator changes the default password, then 

the newly set password will be the new default 

password for this policy under the User Based 

Policy category. 

Password change • Enable password history__changes 

(1-100)—This keeps track of the specified 

number of previous passwords set by the user 

and does not allow the user to set the same 

passwords again. 

• Prevent change—This option prevents the 

user from changing the password. 

• Require change after__days 

(1-366)—This specifies the number of days 

after which the system prompts the user to 

change the password. 

• Warn user__days (0-30)—This specifies 

the number of days before which the system 

prompts the user with a warning message 

about the number of days left for the 

password expiry. 

Incorrect passwords • Timeout password entry after__invalid 

attempts (3-20)—This option specifies the 

number of invalid password entries after 

which the system times out the password 

attempts. 

Password length 

Enforce password content 


• Maximum disable time__minutes 

(1-64)—This specifies the maximum timeout 

duration for the timeout password entry. 

• Invalid password after__invalid 

attempts (3-100)—This specifies the 

number of attempts a user can make before 

the password becomes invalid. 

This specifies the number of characters in a user 

password. 

• Minimum (3-40)—Defines the minimum 

number of characters for a user password. 

• Maximum (3-255)—Defines the maximum 

number of characters for a user password. 

This specifies the number of different characters 

like alpha, numeric, alphanumeric, and symbols 

that are required to form a password. 

• Alpha—This specifies the number of letter 

that must be present in a user password.



Settings 

Self-Recovery 

Table 4: Server setting policies 

Settings 

General 

Options 

Password content restrictions 

Enable Self Recovery 

Invalidate self recovery after No. 

of attempts 

Questions to be answered 

Logons before forcing user to set 

answers 

Options 

If user is disabled in LDAP Server 

Description 

• Numeric—Specifies the number of numeric 

characters that must be present in a user 

password. 

• Alphanumeric—Specifies the number of 

alphanumeric characters that must be present 

in a user password. 

• Symbols—Specifies the number of symbols 

that must be present in a user password. 

This specifies the password content restrictions 

for the user password. 

• No anagrams—A word or phrase spelled by 

rearranging the letters of another word or 

phrase cannot be a password. 

• No palindromes—A word or phrase that 

reads the same backward as forward can not 

be a password. 

• No sequences—The new password cannot 

be in sequence with the previous password. 

• Can't be user name— A user name cannot 

be set as a password. 

• Windows content rules—This demands to 

follow the standard Windows password 

content rule like a Windows password should 

contain at least three of the following: 

• Lower case letters 

• Upper case letters 

• Numbers 

• Symbols and special characters 

• No simple words— These are the set of 

words defined as simple words that cannot 

be used as passwords. 

This option enables the self recovery. 

This specifies the number of attempts after which 

the self recovery is disabled. 

Specifies the number of questions to be answered 

by the user to perform the self recovery. 

This lists the default questions for the selected 

language, also provides an option to add more 

questions. 

NOTE: If a language does not have enough 

questions or has an error on it, the language 

appears in red. 

Specifies the number of Logons before forcing the 

user to set answers. 

Description 


This option allows you to disable, delete or ignore 

the user if the user has been disabled in the LDAP 

Server. 

51

52 



Settings 

Mac OS X Software or PC 

software 

Non Compatible Products 

Themes 

Simple Words 

Tokens 

Options 

Batch size for retrieving users 

Machine key re-use 



User Information Fields 

Algorithm 

Pre-boot storage size 50MB 

(20-200) 

Manage Non Compatible 

Products 

Manage Themes 

Add Group 

Remove Group 

Import words to group 

Regenerate Missing Simple Word 

Package 

Manage Tokens 

Description 


This option allows the administrator to send the 

users to the client in batches rather than sending 

all of them at a time. Specify the number of users 

that are sent in each batch. Increasing the batch 

size increases the amount of memory required on 

the server and the client. But, this reduces the 

number of data channel messages required to be 

sent between the client and server. 

Machine key re-use option is used to activate the 

system with the existing key present in the McAfee 

ePO server. This option is highly useful when a 

boot disk gets corrupted and the user cannot 

access the system. The boot disk corrupted 

system's disks other than boot disks can be 

recovered by activating it with the same key from 

McAfee ePO. 

Used to add user information fields. You can add 

user information by specifying a question and the 

LDAP attribute name related to the user. 

Specifies the algorithm AES-256-CBC for the 

software encryption. 

Allows you to set the size of the pre-boot file 

system. Increasing the size of the PBFS will 

increase the number of users that can be 

successfully assigned to the client system. The 

size is specified in MB from 20 MB to 200 MB. 

Use this option to manage the list of products that 

are not compatible with McAfee Endpoint 

Encryption. You can also import a non compatible 

product rule that can detect and add the non 

compatible product to the list. 

Use this option to add and customize a theme 

that is used as a background in the Pre-Boot 

Authentication page. 

Use this option to create a group which can have 

a number of simple words. This will not be 

available for shared policy from another McAfee 

ePO. 

Use this option to delete a group. 

Use this option to browse to a text file with a 

number of simple words that cannot be used as 

passwords. You can also select an encoding type 

for the file. 

This compiles all the simple word groups and 

creates the simple words package files (.xml file). 

Use this option to add and manage extra token 

definitions. This allows the user to deploy and 

manage the additional token modules any time 

after the initial installation as required by the user.




Create a new policy from the Policy Catalog. By default, policies created here are not assigned 

to any groups or systems. When you create a policy here, you are adding a custom policy to 

the Policy Catalog. 

You can create policies before or after the McAfee Endpoint Encryption software is deployed. 

Task 


1 Click Menu | Policy | Policy Catalog, the Policy Catalog page opens. 

2 Click Actions | New Policy. The Create New Policy dialog box appears. 

3 Select the policy Category from the drop-down list. 

4 Select the policy you want to duplicate from the Create a policy based on this existing policy 

drop-down list. 

5 Type a name for the new policy. 

6 Type a description into the Notes field, if required, then click OK. The Policy Settings 

wizard opens. 

7 Edit the policy settings on each tab as needed and click Save. 

Edit the EE policy settings from Policy Catalog 

Use ePolicy Orchestrator to modify the settings of a policy. 


Your user account must have appropriate permissions to edit policy settings for the desired 

product. 

Task 


1 Click Menu | Policy | Policy Catalog, then from the Product drop-down list, select 

Endpoint Encryption 1.1.0. 

2 Select the policy Category from the drop-down list. All created policies for the selected 

category appear in the details pane. 

3 Locate the policy, then click Edit Settings next to it. 

4 Edit the settings as needed, then click Save. 

Assign a policy to a system group 

Assign a policy to multiple managed systems within a group. You can assign policies before or 

after deploying McAfee Endpoint Encryption. 

Task 



53

1 Click Menu | Systems | System Tree | Systems, then select a group in the System 


2 Select a system, then click Actions | Agent | Set Policy & Inheritance. The Assign 

Policies page appears. 

3 From the product drop-down list, select Endpoint Encryption 1.1.0. 

4 Select the Category, and Policy from the drop-down list, then click Save. 


54 



Enable or disable policy enforcement for a product on a System Tree group. Policy enforcement 

is enabled by default, and is inherited in the System Tree. 

Task 


1 Click Menu | Systems | System Tree | Assigned Policies, then select a group in the 

System Tree. 

2 Select Endpoint Encryption from the Product drop-down list, then click Enforcing next 

to Enforcement Status. The Enforcement page appears. 

3 To change the enforcement status, you must first select Break inheritance and assign 

the policy and settings below. 

4 Next to Enforcement status, select Enforcing or Not enforcing accordingly. 

5 Select whether to lock policy inheritance to prevent breaking enforcement for groups and 

systems that inherit this policy, then click Save. 


Managing McAfee Endpoint Encryption users 

The ePolicy Orchestrator server allows administrators to assign users from Windows Active 

Directory to McAfee Endpoint Encryption managed systems. The user's authentication credentials, 

token type, and the user information fields are managed from the McAfee ePO server. McAfee 

Endpoint Encryption gives the administrator the freedom of adding and removing the users to 

and from systems or system groups at any time. Assigning users retrieves the properties from 

Windows Active Directory. 

NOTE: This information is applicable to both Windows-based systems and Mac-based systems 

running McAfee Endpoint Encryption. 

Contents 

View the list of users assigned to a system 

Remove users from a system 

Edit user inheritance 

How EEPC controls the Windows logon mechanism 

Enable Single Sign On (SSO) on a system 

Synchronize the EEPC password with the Windows password 

Modify the token type associated with a system or a system group 

Configure password content rules 

Manage a disabled user in Windows Active Directory 

Configure the global user information 

Manage the logon hours 

Define EE permission sets for McAfee ePO users 

View the list of users assigned to a system 

Use ePolicy Orchestrator to view the list of Endpoint Encryption users assigned to the client 

system. 



Task 



2 From the System Tree pane, select a system from a particular group. 


55

3 Click Actions | Endpoint Encryption | View Users. The Encryption Users page appears 

with a list of users for the selected system. 

NOTE: This does not display the user groups that are assigned at the branch level. 


Using McAfee Endpoint Encryption, you can remove users from a client system. Ensure you 

have assigned the user at system level or branch level. If a user is assigned at branch level, 

the user would be sent to the client even after removing the system. 



Task 



2 Select a system from a particular group from the System Tree pane on the left. 

3 Click Actions | Endpoint Encryption | View Users. The Encryption Users page for the 

selected system with the list of user opens. 

4 Select the User name from the list. 

5 Click Actions | Endpoint Encryption | Delete Users. The Confirmation page appears. 

Click Yes or No to delete or retain the selected user. 

Edit user inheritance 

56 



Add users to a group or delete selected users from a group. You can also group users at different 

organizational levels and edit the inheritance as required. It is to assign multiple users to systems 

without having to work on the individual systems. 



Task 



2 Select the Organizational Unit from the System Tree and click Group Users tab. 

3 Click Edit in Inheritance broken. The Edit Group Inheritance page appears. 

4 Select Break inheritance, then click OK. 

The user Inheritance broken status: 

• True—Specifies that the inheritance is broken. When you have a group of systems, you 

could break the inheritance in McAfee ePO, and then add the selected users to the group 

users from that level down. It means that all of the selected users are assigned to those 

systems from that node and any children. 




• False—Specifies that the inheritance is not broken, which means that the selected users 

are assigned to the all the systems present in the selected group. 


EEPC intercepts the Windows Logon mechanism using a Passthrough Shim Gina on Windows 

2003, and XP and a Credential Provider on Vista. On Windows 2000 and XP operating systems, 

a custom .ini file (EPEPCGINA.INI) is used to help EEPC analyze the logon page and port the 

credentials into the correct boxes on the logon page. In Windows VISTA, Microsoft has replaced 

the original MSGINA (Graphical Identification and Authentication) with a new method called 

Microsoft Credential Provider. 

EEPC supports the Single Sign On architecture and implements a Credential Provider to 

communicate with Windows. EEPC displays each token as a potential logon method. While 

logging on to EEPC, it prompts for your Windows credentials only for the first time and EEPC 

stores the Windows credentials securely. On subsequent logon events, EEPC retrieves the stored 

Windows credentials to log on. 

Enable Single Sign On (SSO) on a system 

Enable SSO on a system which allows the user to log on to the system with a single 

authentication process. It allows auto log on to the system once the user authenticates through 

the Pre-Boot Authentication page. 

NOTE: The SSO feature is applicable for Windows-based systems only. 



Task 


1 Click Menu | Systems | System Tree, then select a group under System Tree pane on 

the left. 

2 Select the target System, then click Actions | Agent | Modify Policies on a Single 


3 From the Product drop-down list, select Endpoint Encryption 1.1.0. The policy Categories 

under Endpoint Encryption appear with the system's assigned policy. 

4 Select the Product Settings policy category, then click Edit Assignments. The Product 

Settings page appears. 



6 From the Assigned Policy drop-down list, select the desired policy, then click Edit Policy. 

The policy settings page appears. 


7 From the Log On tab, select Enable SSO under Windows pane. 


57

8 If required, select the options Must match user name, Synchronize Endpoint 

Encryption password with Windows, and Using smart card PIN. 

a Must match user name—This option ensures the SSO details are only captured when 

the user’s Endpoint Encryption and Windows IDs match. 

b Using smart card PIN—This option allows the administrator to specify a smart card 

PIN as authentication. 

c Synchronize Endpoint Encryption password with Windows—This matches the 

EEPC password to Windows password, so that the user needs to authenticate only the 

Pre-Boot Authentication page. 

9 Click Save in Policy Settings page, then click Save in Product Settings page. 


Synchronize the EEPC password with the Windows 

password 

58 


Synchronize the EEPC password with the Windows password 

Use this task to synchronize the EEPC password with the Windows password. This matches the 

EEPC password to the Windows password, so that the user needs to authenticate on the Pre-Boot 

Authentication page only. 

NOTE: This feature is applicable to Windows-based systems only. 



Task 


1 Click Menu | Systems | System Tree. The systems page appears. Select the desired 

group under System Tree pane on the left. 

2 Select the desired System, then click Actions | Agent | Modify Policies on a Single 


3 Select Endpoint Encryption 1.1.0 from the Product drop-down list. The policy Categories 






6 From the Assigned policy drop-down list, select the required policy, then click Edit Policy. 

The policy settings page appears. 


7 From the Log On tab, click Enable SSO, then select Synchronize Endpoint Encryption 

password with Windows under Windows pane. 


NOTE: Ensure that the Windows password adheres to the EEPC password restriction policy. 

Otherwise, the password synchronization doesn't run. 



Modify the token type associated with a system or a system group 


Modify the token type associated with a system or 

a system group 

McAfee Endpoint Encryption supports different logon tokens, for example, Passwords, Starcos 

SmartCards, and Actividentity PKI SmartCard. The token type associated with a system or a 

system group can be modified using this task. You can create a new user-based policy with a 

required token type and deploy it to the required system or a system group or can edit an 

existing policy and deploy the same to a target system or a system group. 

NOTE: EEMac currently supports the Password token only. 



Task 


1 Click Menu | Systems | System Tree. The systems page appears. Select a group under 


2 Select a System, then click Actions | Agent | Modify Policies on a Single System. 

The Policy Assignment page for that system appears. 



4 Select the User Based Policy category, then click Edit Assignments. The User Based 




6 From the Assigned policy drop-down list, select the policy, then click Edit Policy. The 

Policy Settings page appears. 


7 From the Authentication tab, select the required Token Type from the Token Type 


NOTE: McAfee Endpoint Encryption uses the information present in a public certificate store 

of a PKI to look up users and encrypt their unique Endpoint Encryption key with the public 

key available in their certificate. This certificate needs to be configured while selecting the 

Actividentity PKI SmartCard token. 

8 Click Save in the Policy Settings page, then click Save in the User Based Policies settings 

page. 



59


Use this task to configure the password content rules. 



Task 


1 Click Menu | Systems | System Tree. The Systems page appears. Select the group 

under System Tree. 

2 Select the System (s), then click Actions | Agent | Modify Policies on a Single System. 








6 Select the policy from the Assigned policy drop-down list, then click Edit Policy. The Policy 



7 From the Password Content Rules tab, type the Password Length in the Minimum and 

Maximum field. 

8 In Enforce password content, type the number of Alpha, Numeric, Alphanumeric, and 

Symbols characters required to form a password. 

9 Select or deselect the options to define the password content restriction rules from Password 

content restrictions. 

10 Click Save in the Policy Settings page, then click Save in the User Based Policies settings 

page. 


Manage a disabled user in Windows Active Directory 

60 



Use this task to disable, delete or ignore a user who has been disabled in the LDAP/AD server. 


Make sure that the server task EE LDAP server user or group synchronization is enabled. 

Task 


1 Click Menu | Configuration | Server Settings. The Server Settings page appears. 

2 Click Endpoint Encryption in Setting Categories pane, then click Edit. The Edit Endpoint 

Encryption page opens with General tab. 




3 Select Disable, Ignore or Delete from the If user disable in directory drop-down list if 

the user has been disabled in the Active Directory. 

NOTE: Options in the drop-down list are applicable only to users disabled in the Active 

Directory. 

4 Click Save. 


Use this task to configure the user information fields. 


Make sure that the server task EE LDAP server user or group synchronization is enabled. 

Task 



2 Click Endpoint Encryption in Setting Categories pane, then click Edit. The Edit Endpoint 

Encryption page opens with General tab. 

3 Click Add next to the User Information Fields. 

4 Type the Question relating to the user, then select the required user attribute name from 

the Ldap Attribute Name list. 

NOTE: The above Ldap refers to Windows Active Directory. 

5 Click + or - in the interface to add or remove user information fields. 

6 Click Save. 

NOTE: User information fields can be set by selecting the individual user in the EE User 

Query. To display the users, click Menu | Reporting | Queries | Shared Groups | 

Endpoint Encryption, then click Run in EE: Users. 

Manage the logon hours 

Control and limit the timeline when a user can log on to the McAfee Endpoint Encryption client 

system. This option does not force the users to log out from the current session, although the 

current time is scheduled to be part of the logon restriction. However, once the user logs out 

from the system, the user will not be able to log on to the system until the next allowed logon 

hour. 

Task 


1 Click Menu | Systems | System Tree then select a group under System Tree. 

2 Select a System (s), then click Actions | Agent | Modify Policies on a Single System. 



61







6 Select the desired policy from the Assigned policy drop-down list, then click Edit Policy. 

The Policy Settings page appears. 


7 From the Authentication tab, select Apply restrictions in Logon Hours, then schedule the 

logon timing by blocking or allowing different logon hours. 

8 Click Save in the policy settings page, then click Save in the User Based Policies settings 

page. 



62 



In McAfee ePO, administrator rights management determines what actions ePolicy Orchestrator 

users can perform while administering the McAfee Endpoint Encryption software. The 

administrator is able to set up Endpoint Encryption product-specific permission sets to the 

different users and systems on McAfee ePO. 



Task 


1 Click Menu | User Management | Permission Sets. The Permission Sets page opens. 

2 Click New Permission Set. The New Permission Set page opens. 

3 Type a permission set name in the Name field. 

4 Select the Active Directory groups mapped to this permission set. To add a new 

Active Directory group, click Add, browse to the group and click OK. 

5 Select the Server name, then click Save. The Permission Set page appears. 

6 Click Edit next to Endpoint Encryption present under the newly created permission set. 

The Edit Permission Set page opens. 

7 Select the required permission setting, then click Save. 

NOTE: You can assign this new permission set to an existing or a new McAfee ePO user 

using Menu | User Management | Users. 


Managing client computers 

The system management helps the administrators to import system information from Active 

Directory server into McAfee ePO. This is useful in the process of installing EE and assigning 

the users to the systems. 


Contents 

Add a system to an existing system group 

Move systems between groups 

Select the disks for encryption 

Enable or disable the automatic booting 

Set the priority of encryption providers 

Maintain a list of non-compatible products 

Manage the default and customized themes 

Manage simple words 

Add a system to an existing system group 

Use ePolicy Orchestrator to import systems from your Network Neighborhood to groups for 

working with EEPC. You can also import a network domain or Active Directory container. 

NOTE: While managing the client systems for EEMac, the client system is automatically added 

to the System Tree in McAfee ePO on successful installation of the McAfee Agent for Mac on 

the Mac client system, and so you do not have to add the Mac client manually. 



Task 


1 Click Menu | Systems | System Tree, then in the System Tree Actions menu click New 

Systems. The New Systems page appears. 

2 Select the required option from How to add systems. 

3 In the Systems to add field, type the NetBIOS name for each system in the text box, 

separated by commas, spaces, or line breaks. Alternatively, click Browse to select the 

systems. 

4 If you select Push agents and add systems to the current group, you can enable 

automatic System Tree sorting. Do this to apply the sorting criteria to these systems. 


63

Type the following options: 

Option 

Agent version 

Installation path 

Credentials for agent installation 

Number of attempts 

Retry interval 

Abort After 

Connect using 

Action 

Select the agent version to deploy 

Configure the agent installation path or accept the default 

Type valid credentials to install the agent: 

• Domain: Type the domain of the system 

• User name: Type the login user name 

• Password: Type the login password 

Type an integer for the specified number of attempts, or use 

zero for continuous attempts 

Type the interval in number of seconds between two attempts 

Type the number of minutes before stopping the connection 

Select either one specific Agent Handler or all Agent Handlers 

5 Click OK. 




64 



Move systems from one group to another in the System Tree. You can move systems from any 

page that displays a table of systems, including the results of a query. 

NOTE: In addition to the steps below, you can also drag-and-drop systems from the Systems 

table to any group in the System Tree. 

Even if you have a perfectly organized System Tree that mirrors your network hierarchy, and 

uses automated tasks and tools to regularly synchronize your System Tree, you may need to 

move systems manually between groups. For example, you may need to periodically move 

systems from the Lost&Found group. 



Task 


1 Click Menu | Systems | System Tree | Systems and then browse to and select the 

systems. 

2 Click Actions | Directory Management | Move Systems. The Select New Group page 

appears. 

3 Select whether to enable or disable or not to change the System Tree sorting on the selected 

systems when they are moved. 

4 Select the group to place the systems, then click OK. 





Use ePolicy Orchestrator to select which disks, according to your requirements, need to be 

encrypted. 



Task 














7 From the Encryption tab, select the disk(s) to be encrypted from the Encrypt drop-down 

list. 

NOTE: To initiate the encryption on the client, the user must select any one of the options 

other than None. The default option None does not initiate the encryption. 

8 On the Policy Settings page, click Save, then click Save in the Product Settings page. 


Enable or disable the automatic booting 

Use ePolicy Orchestrator to enable or disable the automatic booting on the client computer. 

The Endpoint Encryption Pre-Boot logon environment allows to select a login method and to 

provide authentication credentials such as user id and password. If the user provides the correct 

authentication details, the McAfee Endpoint Encryption boot code starts the crypt driver in 

memory and boots the original operating system of the protected systems. 

Enabling the automatic booting will remove the Pre-Boot Authentication from the client system. 

NOTE: If you enable this option, be aware that the McAfee Endpoint Encryption software doesn't 

protect the data on the drive when it is not in use. 




65

Task 



2 Select a System(s), then click Actions | Agent | Modify Policies on a Single System. 











7 From the Log On tab, select or deselect Enable Automatic Booting under Endpoint 

Encryption pane to disable or enable the Pre-Boot environment. A security warning message 

This will remove the pre-boot authentication. Are you sure? appears. 

8 Click Yes or No to enable or disable the automatic booting. 

9 Set the expiration date and time for the automatic booting if required. 

10 Click Save in the policy settings page, then click Save in the Product Settings page. 



66 



Use this task to set the priority of encryption providers. 



Task 


1 Click Menu | Systems | System Tree, then select a group under System Tree. 









6 Select the desired policy from the Assigned policy drop-down list, then click Edit Policy. 

The Policy Settings page appears. 





7 From the Encryption tab, select the Encryption Provider from the Encryption Provider 

Priority list. In case of more than one encryption provider, the priority can be set by moving 

between the encryption providers using Move Up and Move Down options. 




Use ePolicy Orchestrator to create and maintain a list of non-compatible products. 


Make sure that the server task EE LDAP server user/group synchronization is enabled. 

Task 



2 Click Endpoint Encryption in Setting Categories pane, then click Manage Non 

Compatible Products option present at the right. The Endpoint Encryption Non Compatible 

Products page appears with a list of products that are not compatible with McAfee Endpoint 

Encryption. 

3 To import a non compatible product, click Actions | Import Non Compatible Product 

Rule. The Import Non Compatible Product Rule page appears. 

4 Browse and select the .xml file that defines the rule to detect the non-compatible product, 

then click OK. This detects the corresponding product that is not compatible with Endpoint 

Encryption and adds it to the non-compatible product list. 


Add and manage a theme that will be used as a background in the Pre-Boot Authentication 

page. The Endpoint Encryption Themes package is added automatically to the master repository 

(Menu | Software | Master Repository) after installing the EEAdmin.ZIP extension in 

ePolicy Orchestrator. The default theme is downloaded to the client when the EEAgent and 

EEPC software package deployment task is sent to the client computers. 



Task 



2 Click Endpoint Encryption in Setting Categories pane, then click Manage Themes option 

present at the right. The Endpoint Encryption Theme page opens. 

3 Click Actions | Add. The Install new theme page appears. 


67

4 Type a theme name in the Name field, then select Create a new theme based on an 

existing theme option. 

5 Select a theme from the Based on drop-down list. 

6 Browse to the Background Image, then click OK. This creates the new theme package 

at C:\Program 

Files\McAfee\ePolicyOrchestrator\DB\Software\Current\EETHEME\DAT\0000 

folder. 

NOTE: You can also browse and install a theme package using Select Theme package 

to install option. 

7 Download the custom themes on the client using one of the following: 

• Update Now option under Menu | Systems | System Tree | Actions | Agent in 

ePolicy Orchestrator 

• Product Update task 

• Update Security from the client 

NOTE: All themes have a unique ID for identification. When you run the update task, the 

theme IDs are verified against the existing theme IDs on the client, then the new theme 

is downloaded to the client. 

The downloaded theme packages are stored in the following folder in the client system: 

• EEPC - C:\Program files\McAfee\Endpoint Encryption 

Agent\Repository\Themes 

• EEMac - /Library/McAfee/ee/Agent/Repository/Themes 

8 Change the theme in the Product Setting Policy and send an agent wake-up call to 

apply the customized theme. 

Assign a customized theme to a system 

68 



Use ePolicy Orchestrator to assign a theme to a system. 



Task 


1 Click Menu | Systems | System Tree. The Systems page appears. Select the group 

under System Tree. 

2 Select the System (s), then click Actions | Agent | Modify Policies on a Single System. 














7 From the Theme tab, select the desired customized theme from the Select theme 


8 Click Save in the policy settings page, then click Save in the Product Settings page. 



Use ePolicy Orchestrator to add and manage simple words that cannot be used as passwords. 

The Endpoint Encryption Simple Words are added automatically to the master repository (Menu 

| Software | Master Repository) after installing the EEAdmin.ZIP extension in ePolicy 

Orchestrator. 



Task 



2 Click Endpoint Encryption in Setting Categories pane, then click Manage Simple Words 

option present at the right. The Manage Simple Words page opens. 

3 Click Group Actions | Add Group. The Add Group window appears. 

4 Type the name of the group and click OK to create the Simple Word group. 

5 Click Actions | Add and type the simple words that cannot be used as passwords. 

6 Click Group Actions | Regenerate Missing Simple Word Package and click Yes in 

the confirmation message window to create the simple words package.This creates the 

simple words package (.xml file) for the simple words group at C \Program 

Files\McAfee\ePolicyOrchestrator\DB\Software\Current\EESWORD\DAT\0000 

folder. 

7 Download the simple word package on the client using one of these methods: 

• Update Now option under Menu | Systems | System Tree | Actions | Agent in 

ePolicy Orchestrator 

• Product Update task 

• Update Security from the client 

NOTE: All simple word packages (.xml file) have a unique ID for identification. When you 

run the update task, the package IDs are verified against the existing package IDs on the 

client, then the new package file is downloaded to the client. 

The downloaded simple word packages are stored in the following folder in the client 

system: 

• EEPC - C:\Program files\McAfee\Endpoint Encryption 

Agent\Repository\SimpleWords 


69

70 



• EEMac - /Library/McAfee/ee/Agent/Repository/SimpleWords 

8 Enable the No simple words option under User Based policies | Password Content 

Rules and send an agent wake-up call to apply the policy to the client. 


Managing EE reports 

McAfee Endpoint Encryption queries are configurable objects that retrieve and display data from 

the database. These queries can be displayed in charts and tables. Any query results can be 

exported to a variety of formats, any of which can be downloaded or sent as an attachment to 

an email message. Most queries can be used as dashboard monitors. 

NOTE: This section is relevant to both EEPC and EEMac. 

Contents 

Queries as dashboard monitors 

Create EE custom queries 

View the standard EE reports 

Create the EE dashboard 

View the EE dashboard 

Report the encrypted and decrypted systems 

Queries as dashboard monitors 

Most queries can be used as a dashboard monitor (except those using a table to display the 

initial results). Dashboard monitors are refreshed automatically on a user-configured interval 

(five minutes by default). 

Exported results 

McAfee Endpoint Encryption query results can be exported to four different formats. Exported 

results are historical data and are not refreshed like other monitors when used as dashboard 

monitors. Like query results and query-based monitors displayed in the console, you can drill 

down into the HTML exports for more detailed information. 

Reports are available in several formats: 

• CSV — Use the data in a spreadsheet application (for example, Microsoft Excel). 

• XML — Transform the data for other purposes. 

• HTML — View the exported results as a web page. 

• PDF — Print the results. 

Create EE custom queries 

Use this option to create Endpoint Encryption custom queries with the Query Builder wizard. 


71



Task 


1 Click Menu | Reporting | Queries, then click Actions | New Query. The Query Builder 

wizard opens. 

2 On the Result Type page, select Others from the Feature Group pane and Endpoint 

Encryption Result Type for the query, then click Next. The Chart page appears. 

NOTE: This choice determines the options available on subsequent pages of the wizard. 

3 Select the type of chart or table to display the primary results of the query, then click Next. 

The Columns page appears. 

NOTE: If you select Boolean Pie Chart, you must configure the criteria to include in the 

query. 

4 Select the columns to be included in the query, then click Next. The Filter page appears. 

NOTE: If you selected Table on the Chart page, the columns you select here are the 

columns of that table. Otherwise, these are the columns that make up the query details 

table. 

5 Select properties to narrow the search results, then click Run. The Unsaved Query page 

displays the results of the query, which is actionable, so you can take any available actions 

on items in any tables or drill-down tables. 

NOTE: Selected properties appear in the content pane with operators that can specify 

criteria used to narrow the data that is returned for that property. 

• If the query didn’t appear to return the expected results, click Edit Query to go back 

to the Query Builder and edit the details of this query. 

• If you don’t need to save the query, click Close. 

• If this is a query you want to use again, click Save and continue to the next step. 

6 The Save Query page appears. Type a name for the query, add any notes, and select one 

of the following: 

• New Group—Type the new group name and select either: 

• Private group (My Groups) 

• Public group (Shared Groups) 

• Existing Group—Select the group from the list of Shared Groups. 

7 Click Save. 


72 



Use this option to run and view the standard Endpoint Encryption report from the Queries 

page. 






Task 



2 Select Endpoint Encryption from Shared Groups in Groups pane, The standard EE query 

list appears. 

Query 

EE: Disk Status 

EE: Disk Status (Rollup) 

EE: Encryption Provider 

EE: Volume Status 

EE: Volume Status (Rollup) 

EE: Installed version 

EE: Installed Version Rollup 

EE: Users 

EE: Product client events 

EE: Migration log (Windows only) 

EE: Migration lookup (Windows only) 

EE: V5 Audit (Windows only) 

3 Select a query from the Queries list. 

Description 

Displays the status of the disk. 

Displays the EE: Disk Status compiled from various ePolicy 

Orchestrators. 

Displays which encryption provider is active on each system. 

Displays the EE: Volume Status. 

Displays the EE: Volume Status compiled from various ePolicy 

Orchestrators. 

Displays the version of the endpoint encryption installed in 

systems. 

Displays the EE: Installed version details compiled from various 

ePolicy Orchestrators. 

Lists all endpoint encryption users. From here, the user can 

use the following options to manage the users in the selected 

system: 

• Clear SSO details—Clears the SSO details of the selected 

user (only for Windows) 

• Force User To Change Password—Prompts the user 

to change the password in the EE authentication. 

• Reset Token—Resets the token for the selected user 

• User Information—Maintains the user information with 

a list questions and answers 

Displays Endpoint Encryption client events. 

Displays the log details and the results of the v5.x.x user 

import. 

Displays the details about the assignments of the user group, 

machines, and users. 

Displays the imported audit logs from v5.x.x. Be aware that 

if only you selected the audit option during the export process, 

the audit log will be displayed. 

4 Click Actions | Run. The query results appear. Drill down into the report and take actions 

on items as necessary. Available actions depend on the permissions of the user. 

NOTE: The user has an option to edit the query and to view the details of the query. 

5 Click Close when finished. 

While implementing and enforcing the Endpoint Encryption policies that control how sensitive 

data is encrypted, the administrators can monitor real-time client events and generate 

reports using the EE: Product client events query. 


73

74 



Event ID 

30000 

30001 

30002 

30003 

30004 

30005 

30006 

30007 

30008 

30009 

30010 

30011 

30012 

30013 

30014 

30015 

30016 

30017 

30018 

30019 

30020 

30021 

Event 

Logon Event 

Password Changed Event 

Password Invalidated Event 

Token Initialization Event 

System Boot Event 

Administrator Recovery Event 

Self Recovery Event 

Self Recovery Invalidated Event 

Crypt Start Event 

Crypt Paused Event 

Crypt Complete Event 

Crypt Volume Start Event 

Crypt Volume Complete Event 

Policy Change Start Event 

Policy Change Complete Event 

Activation Start Event 

Activation Complete Event 

General Exception Event 

Emergency Recovery Start 

Emergency Recovery Complete 

Upgrade Start 

Upgrade Complete 

Event Description 


This event is reported in McAfee ePO whenever a Pre-Boot 

or an Endpoint Encryption logon happens. 

This event is reported in McAfee ePO whenever the user 

changes the EE password. 

This event is reported in McAfee ePO whenever the EE 

password is invalidated after a fixed number of unsuccessful 

login attempts. 

This event is reported in McAfee ePO when the user changes 

the default password during the first pre-boot logon. 

This event is reported in McAfee ePO whenever the system 

restarts after making EE active. 

This event is reported in McAfee ePO for every successful 

Administrator Recovery. 


Self Recovery. 

This event is reported in McAfee ePO whenever the Self 

Recovery is invalidated after a fixed number of unsuccessful 

login attempts. 

This event is reported in McAfee ePO when the encryption 

starts on the client system. 


pauses on the client system. 


finishes on the client system. 

This event is reported in McAfee ePO when the specified 

volume encryption/decryption starts. 

This event is reported in McAfee ePO when the specified 

volume encryption/decryption is completed. 

This event is reported in McAfee ePO when a policy change 

is initiated. 

This event is reported in McAfee ePO when the policy change 

is completed. 

This event is reported in McAfee ePO when the EE activation 

starts on the client system. 

This event is reported in McAfee ePO when the EE activation 

is completed on the client system. 

This event is reported in McAfee ePO whenever an exception 

occurs on the client system. 

This event is reported in McAfee ePO whenever the 

Emergency Recovery is initiated. 

This event is reported in McAfee ePO whenever the 

Emergency Recovery is completed. 

This event is reported in McAfee ePO whenever the Upgrade 

process is initiated. 

This event is reported in McAfee ePO whenever the Upgrade 

process is complete.



Event ID 

30022 

30026 

30027 

30028 

30029 

2411 

Event 

User Update Error 

Encryption Key Not Available 

Installation Aborted: 32-bit EFI 

unsupported 

Installation Aborted: Mac platform 

unsupported 

Installation Aborted: Mac OS X 

version unsupported 

Deployment Successful 


Event Description 

Use this option to create the Endpoint Encryption dashboard. 


You must have appropriate permission to perform this task. 

Task 


This event is reported in McAfee ePO whenever a user update 

error occurs. 

This event is reported in McAfee ePO whenever the encryption 

key is not available. 

This event is reported in McAfee ePO when the installation 

is stopped in a Mac with 32-bit EFI. 


is disrupted in an unsupported Mac platforms. 


is stopped in an unsupported Mac OS X. 


EEPC or EEMac deployment. 

1 Click Menu | Reporting | Dashboards, then click Options | Manage Dashboards. 

The Manage Dashboards page appears. 

2 Click New Dashboard. 

3 Type a name and select a size for the dashboard. 

4 For each monitor, click New Monitor, select the monitor from the shared groups Endpoint 

Encryption to display in the dashboard, then click OK. 

5 Click Save, then select whether to make this dashboard active. Active dashboards appear 

on the tab bar of Dashboards. 

6 Optionally, you can make this dashboard public from the Manage Dashboards page by 

clicking Make Public 

NOTE: All new dashboards are saved to the private My Dashboards category. 

View the EE dashboard 

Use this option to make the Endpoint Encryption dashboard to be part of your active set. 

Task 



75

1 Click Menu | Reporting | Dashboards, then click Options | Select Active Dashboards. 

The Select Active Dashboards page appears. 

2 Select Endpoint Encryption from the Available Dashboards list, then click OK. 


76 



Determine the encryption status of any managed client systems. To know the system disk status 

is to know the client system's encryption and decryption status. The disk status such as encrypted 

and decrypted denotes the client system's encryption and decryption status. 


You must have appropriate permission to perform this task. 

Task 



2 Click Shared Groups | Endpoint Encryption from the Groups pane. 

NOTE: Edit the query to display the system details in table format. This would give you a 

simplified view of the system and the encryption status. Make sure to include the State 

(Disk) column in the table. 

3 Click Run in the EE: Disk Status from the Queries list. The EE: Disk Status page appears 

with the list of client systems and their details configured in the query. The State (Disk) 

column indicates the system status as Encrypted or Decrypted. 


Recovering users and systems 

Resetting a remote user’s password or replacing the user's logon token if it has been lost requires 

a challenge and response procedure. 


Contents 

Enable or disable the self recovery functionality 

Perform the self recovery on the client computer 

Enable or disable the administrator recovery functionality 

Perform the administrator (system and user) recovery on the client computer 

Generate the response code for the administrator (system and user) recovery 

Enable or disable the self recovery functionality 

The Self Recovery option allows the user to reset a forgotten password by answering a set of 

security questions. A list of security questions is set by the administrator using McAfee ePO. If 

the answers from the user match what has been stored with their self recovery information, 

they can proceed through the recovery process. 

Use McAfee ePO to enable or disable the self recovery functionality in the client computer. 



Task 







4 Locate a User Based Policies policy category, then click Edit Assignments. The User 

Based Policies page appears. 



6 Select a policy from the Assigned policy drop-down list, then click Edit Policy. The Policy 




77

7 On the Self-Recovery tab, select or deselect Enable Self-Recovery to enable or disable 

the self recovery functionality to the specified user or user group. 

8 Select Invalidate Self-Recovery after No.of attempts and type the number of attempts. 

9 Type the number of Questions to be answered to perform the self recovery. The client 

user will be prompted with these questions while trying to recover the user account at the 

client system. 

10 Type the number of Logons before forcing user to set answers to determine how 

many times a user can log on without setting their Self Recovery questions and answers. 

11 Click + to create a new question, then select the question Language and also type the 

Min Answer Length the user must type while configuring the answer to this question. 

NOTE: Answers to these questions are typed by the user on the client system during the 

recovery process. User is prompted for recovery enrollment during every logon. The user 

is allowed to cancel the enrollment until the user exceeds the specified number of logon 

attempt. After exceeding the defined number of logon attempt, the Cancel button is 

disabled and the user is forced to enroll for self recovery. 




Use this option to recover the user on the client computer, if the user's password or the logon 

token has been lost. 


Ensure that you have successfully enrolled for self recovery on the client system. This task 

should be performed by the client user on the client computer. 

Task 

1 Click Options | Recovery. The Recovery dialog box appears. 

2 Select the Recovery Type as Self Recovery. 

3 Type the User name and click OK. The Recovery dialog box appears with the questions 

that the user answered while enrolling for the self recovery. 

4 Type the answers for the prompted questions and click Finish. The Change Password 

dialog box appears. 

5 Type and confirm the New Password and click OK. 

Enable or disable the administrator recovery 

functionality 

78 



The client system prompts for authentication at the Pre-Boot logon page to access the system. 

When a user forgets the password or is disabled in the Active Directory or loses his token, the 

user cannot log on to the system. Resetting the user’s password, unlocking the disabled user, 

replacing their logon token if it has been lost, and performing machine recovery require a 



Perform the administrator (system and user) recovery on the client computer 

challenge and response procedure to be followed. The users should start their system and click 

the Recovery button from the Endpoint Encryption Pre-Boot logon page. This option needs to 

be enabled in the McAfee ePO server before performing this task at the client systems. 

Use ePolicy Orchestrator to enable or disable the administrator (system and user) recovery 

functionality in the client computer. 



Task 











6 From the Assigned policy drop-down list, select a product setting policy, then click Edit 

Policy. The Policy Product Settings page appears. 


7 On the Recovery tab, select or deselect Enabled to enable or disable the system recovery 

functionality. 

8 Select the required Recovery Key size from the Key size drop-down list, then type the 

Message to appear on the recovery page. 

9 Click Save in the Policy Recovery page, then click Save in the Product Settings page. 


Perform the administrator (system and user) 

recovery on the client computer 

Use this task on the client computer, if the user's password or the logon token have been lost, 

to recover the user or the system. 


Make sure that the client user performs this task in the client system. 

Task 


1 Restart the client system. 

2 Click Options | Recovery. 


79

3 Select the Recovery Type as Administrator Recovery and click OK. The Recovery 

dialog box appears with the Challenge Code. 

NOTE: The client user should read the Challenge Code and get the Response Code 

from the administrator who manages McAfee ePO. 

4 Enter the Response Code in the Line field, then click Enter. 

NOTE: Each line of the code is checked when it is entered. 

5 Click Finish. 

NOTE: Generated Response code depends on the recovery key size set in the policy and 

the selected recovery type that is machine recovery or user recovery. 

Generate the response code for the administrator 

(system and user) recovery 

80 


Generate the response code for the administrator (system and user) recovery 

Use this task to generate the response code for the administrator (system and user) recovery. 


Make sure that McAfee ePO administrator performes this task in McAfee ePO. 

Task 


1 Click Menu | Data Protection | Encryption Recovery. The Endpoint Encryption Recovery 

wizard opens with the text field for Challenge Code. 

NOTE: Ask the client user to read the challenge code that appears in the recovery process 

page to the administrator. 

2 Type the Challenge Code and click Next. The Recovery Type page opens. 

3 Select the required recovery type from the Recovery Type list, then click Next. The 

Response Code page opens with the response code(s). 

NOTE: Generated Response code depends on the recovery key size set in the policy and 

the selected recovery type that is machine recovery or user recovery. 

4 Read out the response code to the user. 


Index 

A 

administrator recovery 

disabling 78 

enabling 78 

performing 79 

agent wake-up call 

sending 18 

audience for this guide 9 

auto booting 

disabling 65 

enabling 65 

automation 18, 34 

configuring 18 

C 

challenge code 79 

client 

managing 9 

client computers 

EEMac 63 

EEPC 63 

managing 63 

client task 

for EE Agent 23 

for EEPC 23 

client tasks 

editing 22 

conventions used in this guide 9 

customized theme 

applying 67 

D 

disk 

decrypting 65 

encrypting 65 

disk status 

decrypted 76 

encrypted 76 

documentation 

typographical conventions 9 

documentation for products, finding 10 

E 

EE Agent 

deactivating 26 

EE Agent for Mac 

deactivating 42 

EE components 

client system 7 

EE Admin 7 



LDAP Server 7 

EE components (continued) 

McAfee ePO 7 

EE custom queries 

creating 71 

viewing 72 

EE dashboard 

creating 75 

EE dashboards 

viewing 75 

EE permission 

creating 62 

defining 62 

EE policies 

assigning the policy 21 

breaking inheritance 21 

enforcing 21 

managing 46 

EE system status 

active 24 

inactive 24 

EE users 

removing 56 

viewing 55 

EEMac 

removing from the client 

EE Agent 43 


uninstalling 44 

EEMac client 

installing 30 

uninstalling 

deactivate EE Agent 42 

disable policies 42 

EEMac deployment 

selecting target platform 35 

setting up the client task 35 

updating packages 35 

upgrading agents 35 

EEMac installation 

adding users 30 

checking in packages 30 

deploying packages 30 

installing extension 30 

EEMac standalone 

installing 40 

EEMac standalone installation 

installing MfeEeAgent 40 

installing MfeEeMac 40 

EEPC 

removing from the client 

EE Agent 27 


uninstalling 29 

EEPC client 

installing 13 

migrating 13 


81

EEPC client (continued) 

uninstalling 

deactivate EE Agent 26 

disable policies 26 

EEPC deployment 

selecting target platform 17 

setting up the client task 17 

updating packages 17 

upgrading agents 17 

EEPC installation 

adding users 13 

checking in packages 13 

deploying packages 13 


enabling and disabling policy enforcement 54 

encryption providers 

setting priority 66 

Endpoint Encryption 6, 7, 34 

decrypting 7 

disk encryption 6 



encrypting 7 

Pre-Boot 7 

Pre-Boot Authentication 6 

Endpoint Encryption for Mac 6 

Endpoint Encryption for PC 6 

extension 15, 28, 33, 43 

installing EEAdmin 15 

installing EEADMIN 33 

installing EEMac 33 

installing EEPC 15 

removing 

EEADMIN 28, 43 



G 

group synchronization 34 

group users 

breaking inheritance 56 

H 

help extension 

installing 15 

K 

KnowledgeBase, Technical Support ServicePortal 10 

L 

LDAP 

Active Directory 16 

domain name 16 

server type 16 

user name 16 

LDAP Server 34 

LDAP servers 

adding 16 

registering 16 

testing connection 16 

Log On 

enabling Must match user name 57 

enabling SSO 57 

enabling Synchronize EE password with Windows 57 

82 

Index 

logon 

enabling SSO 58 

synchronizing the EE password 58 

logon hours 

managing 

allowing 61 

blocking 61 

M 

McAfee Agent for Mac 

deploying 32 

McAfee ServicePortal, accessing 10 

migration 13 

missing simple word package 

regenerate 69 

N 

no simple words 

enabling 69 

non-compatible products 

maintaining a list 67 


P 

password content rules 


policies 

assigning 26, 42 

assigning the policy 54 

assigning to a system 21, 53 

assigning to a system group 53 

breaking inheritance 26, 42, 54 


creating 46, 53 

creating a policy 21 

editing 46, 53 

editing a policy 21 

enforcing 46, 54 

product settings 

boot options 46 

encryption 46 

encryption providers 46 

logon 46 

recovery 46 

theme 46 

server settings 

general 46 

Mac OS X software 46 

non-compatible products 46 

PC software 46 

simple words 46 

themes 46 

tokens 46 

user-based policies 

authentication 46 

password 46 

password content rules 46 

self recovery 46 

Policies 

assigning to users 19 

assignment rule 19 

Pre-Boot 

removing 65

Index 

Q 

queries 

about 71 

dashboard monitor 71 

R 

recovery 

changing password 78 



reporting 

decrypted 76 

encrypted 76 

requirements, system 

operating system 10 

software 10 

response code 

obtaining 79 

Response Code 

generating 80 

S 

self recovery 

disabling 77 

enabling 77 

performing 78 

server task 

automation 17 

EE LDAP synchronization 

group synchronization 17 

synchronization 17 

ServicePortal, finding product documentation 10 

simple words 

adding 69 

managing 69 

simple words group 

creating 69 

Single Sign On 

enabling 57 

software packages 

checking in packages 

checking in MfeEEAgent 16, 33 

checking in MfeEeMac 33 

checking in MfeEEPC 16 

removing 

MfeEEAgent 28, 44 

MfeEeMac 44 

MfeEEPC 28 

synchronization 34 

system gropus 

adding 63 

importing 63 

system groups 

moving manually 64 

systems 

adding 63 

systems (continued) 

importing 63 

moving 64 

T 

Technical Support ServicePortal 

at McAfee 10 

theme 

assigning customized theme 68 

creating a new theme 67 

installing theme package 67 

selecting background image 67 

token type 

modifying 59 

U 

UBP enforcement 


disabling 20 

enabling 20 

upgrade 23, 24 

deploying EEPC packages 23 


supported versions 23 

user experience 

after restarting 24 

before deploying 24 

during the deployment 24 

user disabled in AD 

managing 60 

user password 

resetting 78 

users 

adding EEMac users 

from group 36 

from organizational unit 36 

adding EEPC users 

from group 19 

from organizational unit 19 

assigning 55 

managing 55 

V 

versions 

EEPC 6.0 24 

EEPC 6.0 Patch 1 24 

EEPC 6.0 Patch 2 24 

EEPC 6.1 24 

W 

windows logon 

controlling 57 

MSGINA 57 

Single Sign On 57 


83

84 

Index

Endpoint Encryption for PC 6.1.0 and Mac 1.0.0 ... - Errors - McAfee

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?