Post on 17-Jun-2020
POC Installation Guide for McAfee EEFF v4.2.x
using McAfee ePO 4.6 and ePO 5.0.1
New Deployments Only – Windows Deployment
Table of Contents
1 Introduction
1.1 System requirements
1.2 High level process
1.3 Troubleshooting Considerations
2 Downloading software
2.1 Download ePolicy Orchestrator v4.6 & Documentation
2.2 Download McAfee Agent 4.6 (or above) & Documentation
2.3 Download McAfee EEFF 4.2
3 Installation of ePO Components
3.1 Check in the EEFF extension into ePO 4.6
3.2 Check in the EEFF client package into ePO 4.6
4 Registering Windows Active Directory
5 Using the Product Deployment task to deploy products to managed systems
6 Deploying EEFF to client machines
6.1 Via an agent wake-up: creating and scheduling client tasks
6.2 Perform the following on the endpoint system
6.3 Installing EEFF from the endpoint system
7 Use Case: Removable Media Encryption
7.1 Creating an EEFF key for removable USB media recovery
7.2 Policy Creation
7.3 Grant Key for Removable USB Media Policy
7.4 Password Rules for Removable USB Media Encryption
7.5 Assign Policy via the System Tree
7.6 Enforce policy update via Agent Wake-Up
7.7 Using McAfee Removable Media Encryption
7.8 Initializing a removable media device
7.9 Recovery access
7.9.1 Password Recovery via Pop-up GUI
7.9.2 Password Recovery via McAfee Tray Icon
7.10 Moving an encrypted file protected with an EEFF key to a protected USB device
7.11 Troubleshooting tips
7.12 Check USB Reporting capabilities
7.12.1 Create a customized report "Top 10 removable media users"
8 Use Case: Folder Encryption for Local Folders
8.1 Creating a key for all Enterprise Users
8.2 Creating Policy for Folder Encryption
8.3 Grant Key for Corp Key
8.4 Assigning Policy to Systems
8.5 Wake up agent to enforce policy update
8.6 Using Folder Policy for Corp Users
9 Use Case: Folder Encryption for HR Share
9.1 Wake up agent to enforce policy update
9.2 Using Folder Policy for HR Users
10 User Driven Actions
10.1 Wake up agent to enforce policy update
10.2 Explicit Encryption
10.3 Explicit Decryption
10.4 Creation of Self-Extractors
11 Conclusion
11.1 Further Information
1 Introduction
This POC guide provides step-by-step instructions on how to download, install and use Endpoint Encryption for Files and Folders v4.2.x (EEFF 4). It covers three main areas: removable media encryption, folder policies for local and network encryption, and user driven actions. This POC guide does not cover upgrading from version 3.x. For information on upgrading please refer to the Migration Guide (EEFF_4.x_Migration_Guide.pdf), which can be downloaded from the McAfee download site.
For additional detailed subjects, refer to the standard set of documents available on the McAfee site and the Best Practices for McAfee Endpoint Encryption for Files and Folders v4.x (EEFF 4). The links for these documents are referenced in Section 11 below.
This guide will cover the following use cases
Removable Media Encryption
Local Folder Encryption using Folder Encryption
Network Folder Encryption
User Driven Actions
Please be aware that the screenshots in this document may not reflect the latest available version of Endpoint Encryption for Files and Folders. The steps are based on the functionality of Endpoint Encryption for Files and Folders 4.2 or higher.
1.1 System requirements
McAfee ePolicy Orchestrator 4.6 (minimum Patch 6)
McAfee ePO 4.6 Patch 2 can be used if Role Based Key Management is not required
McAfee ePO 5.0 Patch 1 is also supported with EEFF v4.2
McAfee Agent for Windows 4.8 (minimum Patch 1)
McAfee Agent for Windows 4.6 (minimum Patch 1) can be used if Key Cache Expiry is not required
1.2 High level process
1 Navigate to the product software download site and use the temporary grant number to gain access.
2 Download ePolicy Orchestrator v4.6
3 Download McAfee Agent 4.6 (or above)
4 Install ePolicy Orchestrator v4.6
5 Check the EEFF extension in to ePO 4.6
6 Check the EEFF packages in to ePO 4.6
7 Register your Active Directory server
8 Create an ePO server task for Active Directory Sync
9 Create client tasks to deploy the EEFF components
10 Create EEFF keys
11 Create policies
12 Test for successful deployment and encryption on an endpoint
1.3 Troubleshooting Considerations
For the POC it is recommended to make the following changes on the endpoint systems, which will assist in using the dump files created by the Windows operating system.
Configure dump file settings on endpoint systems
Windows XP
1 Select Control Panel | System | Advanced
2 Click the Settings button for Startup and Recovery
3 Deselect Automatically Restart under System Failure
4 Under "Write debugging information" (drop-down list), select "Kernel dump"
Windows 7
1 Select Control Panel | System and Security | System
2 Select Advanced system settings (option on the left)
3 Click the Settings button for Startup and Recovery
4 Under Write debugging information, select Kernel dump
5 Deselect Automatically Restart under System Failure. This ensures the endpoint system stops after the dump has been written and gives you time to boot into "Safe Mode".
Obtaining dump files
If a crash occurs and the dump file is written, press Ctrl-Alt-Delete and boot into "Safe Mode" using F8. Make sure to select just "Safe Mode" and not "Safe Mode with Networking"!
Once the machine has booted into "Safe Mode", restart and boot normally again, then copy "C:\Windows\MEMORY.DMP" to a safe location (please also zip this file). The reason for booting into "Safe Mode" first is that EEFF encrypts pagefile.sys (which is partially used for the dump file), which would otherwise leave Windows unable to recognize the dump. In "Safe Mode" the EEFF driver is not active and does not encrypt the pagefile.
For additional information please refer to
http://blogs.technet.com/b/askperf/archive/2008/01/08/understanding-crash-dump-files.aspx
This article also makes reference to a Microsoft KB: http://support.microsoft.com/default.aspx?scid=kb%3bEN-US%3b244139
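The same dump settings can be applied and verified from an elevated PowerShell prompt on the endpoint instead of clicking through the Control Panel. This is an added example and not part of the McAfee guide; the registry path and value names are the documented Windows CrashControl settings, and the D:\POC-dumps destination is an assumption for the POC.

```powershell
# Added example, not part of the McAfee guide: apply and verify the crash-dump settings
# from section 1.3 from an elevated PowerShell prompt (PowerShell 2.0 syntax, so it also
# runs on Windows 7). Registry path and value names are documented Windows settings;
# the dump destination below is an assumption for the POC.
$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Set-PocCrashDumpSettings {
    # CrashDumpEnabled: 0 none, 1 complete, 2 kernel, 3 small, 7 automatic (Windows 8 and later)
    Set-ItemProperty -Path $CrashControl -Name CrashDumpEnabled -Value 2 -Type DWord
    # AutoReboot 0 = stay at the stop screen, so there is time to boot into Safe Mode
    Set-ItemProperty -Path $CrashControl -Name AutoReboot -Value 0 -Type DWord
    Set-ItemProperty -Path $CrashControl -Name DumpFile -Value '%SystemRoot%\MEMORY.DMP' -Type ExpandString
}

function Test-PocCrashDumpSettings {
    $cc = Get-ItemProperty -Path $CrashControl
    # The kernel dump is staged through the paging file on the system drive; that is the
    # file EEFF encrypts, which is why the first boot after a crash must be Safe Mode.
    $pageFiles = @(Get-WmiObject Win32_PageFileUsage | ForEach-Object { $_.Name })
    New-Object PSObject -Property @{
        KernelDump         = ($cc.CrashDumpEnabled -eq 2)
        AutoRebootDisabled = ($cc.AutoReboot -eq 0)
        DumpFile           = $cc.DumpFile
        PageFileOnSysDrive = [bool]($pageFiles | Where-Object { $_ -like "$env:SystemDrive*" })
        BootMode           = (Get-WmiObject Win32_ComputerSystem).BootupState   # "Normal boot" or "Fail-safe boot"
    }
}

function Copy-PocMemoryDump {
    # Run after the normal reboot that follows the Safe Mode boot. Pick a destination that
    # is not covered by the folder encryption policies of sections 8 and 9, otherwise the
    # copy is itself encrypted and McAfee Support cannot read it.
    param([string]$Destination = 'D:\POC-dumps')   # assumption for the POC
    $dump = Join-Path $env:SystemRoot 'MEMORY.DMP'
    if (-not (Test-Path $dump)) { Write-Warning "No dump file at $dump"; return $null }
    if (-not (Test-Path $Destination)) { New-Item -ItemType Directory -Path $Destination | Out-Null }
    $stamp  = (Get-Item $dump).LastWriteTime.ToString('yyyyMMdd-HHmm')
    $target = Join-Path $Destination "$($env:COMPUTERNAME)-$stamp.dmp"
    Copy-Item -Path $dump -Destination $target
    # Compress-Archive needs PowerShell 5; on older systems zip the copy by hand as the guide says
    if (Get-Command Compress-Archive -ErrorAction SilentlyContinue) {
        Compress-Archive -Path $target -DestinationPath "$target.zip" -Force
    }
    return $target
}

Set-PocCrashDumpSettings
Test-PocCrashDumpSettings | Format-List
```

Run Test-PocCrashDumpSettings again after the Safe Mode boot: BootMode should read "Fail-safe boot" while the dump is being extracted, and "Normal boot" when you come back to run Copy-PocMemoryDump.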
2 Downloading software
Upon receiving your grant number you will need to access the software download portal from the link below.
https://secure.mcafee.com/apps/downloads/my-products/login.aspx?region=us
Type in your grant number on the product download website to access the evaluation software required.
2.1 Download ePolicy Orchestrator v4.6 & Documentation
Download ePO 4.6 (Patch 6 or higher)
Download Documentation
2.2 Download McAfee Agent 4.6 (or above) & Documentation
Download McAfee Agent 4.8
Download Documentation
2.3 Download McAfee EEFF 4.2
The document.zip contains the following documents:
3 Installation of ePO Components
This POC guide will assume you have already installed McAfee ePO and the McAfee Agent to the system. If this has not been performed, please refer to McAfee ePO product and installation documents.
The following files should have been downloaded in section 2 above. If you are missing any of these files, please revisit the download section.
EEFF software files
Note: The migration utility is in its own directory.
Before you begin
Make sure you have the appropriate rights to modify the server settings, permission sets, users, and registered servers.
Ensure your ePO server version is 4.6 with Patch 6 or higher
Ensure your McAfee Agent version is at least 4.8 Patch 1
Note the hostname or IP address of an Active Directory domain controller / AD server
Read the readme for known issues and other important information
Consider engaging McAfee Professional Services to assist in your production installation
The files required for the extensions are:
1. EEFF-extension-4.2.x.zip
2. MfeEEFF_Client_4.2.x.zip
3. help_eeff_4x.zip (optional, but recommended)
3.1 Check in the EEFF extension into ePO 4.6
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Software | Extensions | Install Extension. The Install Extension dialog box appears.
3 Click Browse and select the extension file (EEFF-extension-4.2.x.zip)
4 Click OK
5 Click Install Extension
6 Click Browse and select the help extension file (help_eeff_42x.zip)
7 Click OK
The Install Extension page appears with the extension name and version details.
3.2 Check in the EEFF client package into ePO 4.6
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Software | Master Repository
3 Click Actions | Check In Package. The Check In Package wizard opens.
4 Select Product or Update (.ZIP) from the Package type list, then browse to and select the package file (MfeEEFF_Client_4.2.x.zip).
5 Click Next. The Package Options page appears.
6 Click Save to begin checking in the package. Wait while the package is checked in.
7 The new package appears in the Packages in Master Repository list on the Master Repository page.
4 Registering Windows Active Directory
Use this option to register a Windows Active Directory. You must have a registered LDAP server to use Policy Assignment Rules, to enable dynamically assigned permission sets, and to enable automatic and manual user account assignment.
Before you begin
Make sure you have the appropriate rights to modify the server settings, permission sets, users, and registered servers.
Note!
No changes are made to the AD schema, so a read-only account is sufficient. For the POC an individual account can be used; for production a dedicated service account with read-only rights is recommended.
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Configuration | Registered Servers, then click New Server. The Registered Server Builder wizard opens.
3 From the Server type drop-down list on the Description page, select LDAP Server, specify a unique name (a user-friendly name) and any details, then click Next. The Details page appears.
4 Select Active Directory from LDAP server type, then type the Domain name or the Server name.
Note!
Use a DNS-style domain name. When using a DNS-style domain name, ensure that the McAfee ePO system is configured with appropriate DNS settings and can resolve the DNS-style domain name of the Active Directory. The Server name is the name or IP address of the system where the Windows Active Directory is present.
5 Type the User name.
Note! The User name should be of the format domain\Username for Active Directory accounts.
6 Type the Password and confirm it.
7 Click Test Connection to ensure that the connection to the server works.
8 Click Save.
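Before running the wizard it is worth checking from the ePO server itself that the DNS-style name resolves, that the account binds over LDAP in the domain\Username form, and that the account really is a low-privilege one. The function below is an added example, not part of the McAfee guide or of ePO; the domain name and account in the usage line are placeholders.

```powershell
# Added example, not part of the McAfee guide: run on the ePO server before step 7 to
# check that the DNS-style domain name resolves, that the account binds over LDAP in
# the domain\Username form the wizard expects, and that it is not a privileged account.
# Domain and account names in the usage line are placeholders.
function Test-PocAdRegistration {
    param(
        [Parameter(Mandatory=$true)][string]$DomainDns,
        [Parameter(Mandatory=$true)][System.Management.Automation.PSCredential]$Credential
    )
    $net  = $Credential.GetNetworkCredential()
    $user = if ($net.Domain) { "$($net.Domain)\$($net.UserName)" } else { $net.UserName }
    $result = New-Object PSObject -Property @{
        DomainDns = $DomainDns; UserName = $user; Resolves = $false; Binds = $false
        NamingContext = $null; PrivilegedGroups = @(); Error = $null
    }

    # 1. DNS: the ePO host itself must resolve the DNS-style domain name (note after step 4)
    try {
        $result.Resolves = ([System.Net.Dns]::GetHostAddresses($DomainDns)).Count -gt 0
    } catch { $result.Error = "DNS: $($_.Exception.Message)"; return $result }

    # 2. LDAP bind: reading RootDSE needs no special rights, so success here means the
    #    credentials are accepted; an error here is what Test Connection would report.
    try {
        $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainDns/RootDSE", $user, $net.Password)
        $result.NamingContext = [string]$rootDse.Properties['defaultNamingContext'].Value
        $result.Binds = $result.NamingContext.Length -gt 0
    } catch { $result.Error = "Bind: $($_.Exception.Message)"; return $result }

    # 3. Least privilege: the guide asks for a read-only account. Look up the account's
    #    own group memberships and flag the built-in administrative groups.
    try {
        $base     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainDns/$($result.NamingContext)", $user, $net.Password)
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($base, "(sAMAccountName=$($net.UserName))", [string[]]@('memberOf'))
        $entry    = $searcher.FindOne()
        if ($entry) {
            $groups = @($entry.Properties['memberof']) | ForEach-Object { [string]$_ }
            $result.PrivilegedGroups = @($groups | Where-Object { $_ -match '^CN=(Domain Admins|Enterprise Admins|Administrators|Account Operators|Schema Admins),' })
        }
    } catch { $result.Error = "Search: $($_.Exception.Message)" }
    return $result
}

# Usage (placeholders): Test-PocAdRegistration -DomainDns 'corp.example.com' -Credential (Get-Credential 'CORP\svc_epo_ro') | Format-List
```

Resolves and Binds should both be True and PrivilegedGroups empty before you click Test Connection; a non-empty PrivilegedGroups means the account has far more than the read access ePO needs for user and group lookups.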
5 Using the Product Deployment task to deploy products to managed systems
Use these tasks to deploy products to managed systems with the Product Deployment client task. ePolicy Orchestrator allows you to create this task for a single system, or for groups of the System Tree.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Client Task Catalog, select McAfee Agent | Product Deployment as Client Task Types, then click Actions | New Task. The New Task dialog box appears.
2 Ensure that Product Deployment is selected, click OK.
3 Type a name for the task you are creating and add any notes
4 Next to Target platforms, select the type(s) of platform to use the deployment. Windows is selected by default
5 Next to Products and components set the following:
Products and components: Endpoint Encryption for Files and Folders 4.2.0
Action: Install
Language: Language Neutral
Branch: Current
6 Click Save.
7 Click Menu | Systems | System Tree | Assigned Client Tasks, then select the required group in the System Tree. (TORENC)
8 Click Actions | New Client Task Assignment. The Client Task Assignment Builder wizard appears.
9 On the Select Task page, select Product as McAfee Agent and Task Type as Product Deployment, then select the task you created for deploying the product. (Deploy EEFF)
10 Next to Tags, select the desired platforms to which you are deploying the packages, click Next
11 On the Schedule page, select whether the schedule is enabled, and specify the schedule details, click Next. (For pushing out the deployment task through an agent wake-up, set the schedule type to Run Immediately.)
12 Review the summary, then click Save. The client task will now be associated with the System Tree group.
6 Deploying EEFF to client machines
There are two methods to deploy EEFF to the endpoint system: through ePO or directly from the endpoint system.
6.1 Via an agent wake-up: creating and scheduling client tasks
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Systems, select the desired group in the System Tree, then click on the machine
2 Select system (Win701)
3 Click Wakeup Agent
4 Select Force complete policy and task update
5 Click OK
6 Check the Agent Status Monitor on the endpoint system
6.2 Perform the following on the endpoint system
1 Right click the McAfee shield
2 Select McAfee Agent Status Monitor
The Agent Status Monitor will show the deployment task that was received via the wake-up call from ePO
3 When prompted, reboot the system
The reboot is required for EEFF to enable the kernel level driver. When the machine has rebooted, perform the following to confirm the installation
4 Right click the McAfee shield
5 Click About
6 The following will be displayed, confirming McAfee Endpoint Encryption for Files and Folders 4.2 has been installed
7 Click OK
6.3 Installing EEFF from the endpoint system
1 Right click the McAfee shield
2 Select McAfee Agent Status Monitor
3 Click Collect and Send Props. This starts an agent-to-server communication, during which the endpoint receives the deployment task assigned in section 5 and begins the installation
4 When prompted, reboot the system
The reboot is required for EEFF to enable the kernel level driver. When the machine has rebooted, perform the following to confirm the installation
5 Right click the McAfee shield and click About
6 The following will be displayed, confirming McAfee Endpoint Encryption for Files and Folders 4.2 has been installed
7 Click OK
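The confirmation step at the end of sections 6.2 and 6.3 can also be scripted, which is useful when checking more than one POC endpoint. The following is an added example and not part of the McAfee guide: it reads the installed-product list from the Uninstall registry keys, checks the three places Windows records a pending reboot, and lists running kernel drivers. Matching the driver by a display name containing "Endpoint Encryption" is an assumption; if your build names it differently, look for the McAfee entry in Win32_SystemDriver and adjust the pattern.

```powershell
# Added example, not part of the McAfee guide: the same "is EEFF installed and is the
# driver active" check as sections 6.2 and 6.3, done from PowerShell on the endpoint.
# Products are matched by the display names the guide uses, not by internal package IDs;
# the driver display-name pattern is an assumption.
function Get-PocInstalledProduct {
    param([string]$DisplayNamePattern)
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $DisplayNamePattern } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
}

function Test-PocRebootPending {
    # The three places Windows records a pending reboot; any of them set means the
    # reboot that enables the EEFF kernel driver is still outstanding.
    $cbs = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sm  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    return ($cbs -or $wu -or ($sm -ne $null -and $sm.PendingFileRenameOperations -ne $null))
}

function Get-PocEncryptionDrivers {
    # Running kernel drivers whose display name mentions Endpoint Encryption (assumed
    # naming). Empty after the reboot is wrong; empty in Safe Mode is expected (section 1.3).
    Get-WmiObject Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and ($_.DisplayName -like '*Endpoint Encryption*' -or $_.Name -like '*EEFF*') } |
        Select-Object Name, DisplayName, PathName
}

function Get-PocEeffStatus {
    $agent   = @(Get-PocInstalledProduct '*McAfee Agent*')
    $eeff    = @(Get-PocInstalledProduct '*Endpoint Encryption for Files*')
    $drivers = @(Get-PocEncryptionDrivers)
    $reboot  = Test-PocRebootPending
    $status  = if (-not $eeff) { 'EEFF not installed: check the Agent Status Monitor for the deployment task' }
               elseif ($drivers.Count -eq 0 -and $reboot) { 'EEFF installed, reboot pending: driver not active yet' }
               elseif ($drivers.Count -eq 0) { 'EEFF installed but no Endpoint Encryption driver running (Safe Mode, or install incomplete)' }
               else { 'EEFF installed and driver running' }
    New-Object PSObject -Property @{
        AgentVersion  = if ($agent) { $agent[0].DisplayVersion } else { $null }
        EeffVersion   = if ($eeff)  { $eeff[0].DisplayVersion }  else { $null }
        DriverRunning = ($drivers.Count -gt 0)
        RebootPending = $reboot
        Status        = $status
    }
}

Get-PocEeffStatus | Format-List
```

AgentVersion should be at least 4.8 Patch 1 per section 1.1, EeffVersion should show 4.2.x, and Status should read "installed and driver running" only after the reboot; until then the policies in the following sections cannot be enforced on the client.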
7 Use Case: Removable Media Encryption
The options "Allow Encryption (with offsite access)" and "Enforce Encryption (with offsite access)" of the Removable Media policy allow password authentication and portable access to any USB removable media. These options were formerly known as EERM (Endpoint Encryption for Removable Media).
Removable Media policies can be assigned in a number of ways: using User Policy Assignment Rules, System Policy Assignment Rules, or by simply assigning the policy at the System Tree level. Please refer to the McAfee KnowledgeBase at http://mysupport.mcafee.com for updated articles on Removable Media Encryption.
7.1 Creating an EEFF key for removable USB media recovery
Task
For option definitions, click ? in the interface.
1 Click Menu | Data Protection | EEFF Keys. The EEFF Key Management page appears.
2 Click Actions | Create New Key. The Create a New Key dialog box appears.
3 Type a name, EERM Recovery Key, and a description for the key, Used for recovery.
4 Select Never expire key or an expiration date as required.
5 Click OK
The key just created will be displayed in Key Management; note the State of the key is Active.
7.2 Policy Creation
Use this task to create the policy for removable USB media. Log in to McAfee ePO.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog
2 Select the Product as Endpoint Encryption for Files and Folders 4.2.0
3 Select the Removable Media (UBP) category from the drop-down lists.
4 Click My Default. The policy options will be displayed
5 Set the following settings:
Select Enforce Encryption (with offsite access)
Protected Area set to User Managed
6 Set Authentication Methods to Either. Under Recovery Methods, select Use recovery key and click the browse button on the right
7 Select EERM Recovery Key from the drop-down menu
8 Click OK
Step 9 is optional!
9 Define an individual text for the pop-up message shown when inserting an unprotected removable media device by editing the "Customize UI Text displayed on inserting media" text box.
The following message will appear if the "Customize UI Text displayed on inserting media" text box is blank:
Note!
When using the default message, the message will be displayed in the language of the operating system, where that language is supported by Endpoint Encryption for Files and Folders. As soon as an individual text is configured, a separate policy needs to be configured for every language.
10 Click Save.
7.3 Grant Key for Removable USB Media Policy
Use this task to grant the key. Log in to McAfee ePO.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog
2 Select the Product as Endpoint Encryption for Files and Folders 4.2.0
3 Select the Grant Keys (UBP) category from the drop-down lists.
4 Click My Default
5 Select the EERM Recovery Key
6 Click the button to add it
7 The selected key will appear under Selected keys; select the EERM Recovery Key
8 Click Save
7.4 Password Rules for Removable USB Media Encryption
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog
2 Select the Product as Endpoint Encryption for Files and Folders 4.2.0
3 Select the Password Rules category from the drop-down lists.
4 Click My Default
5 Set the password rules to your needs
Note!
The password rules apply to EERM, User Local Keys and Self-Extractor files.
7.5 Assign Policy via the System Tree
Use this task to assign a policy to multiple managed nodes within a group. The policy used in this use case is assigned at the System Tree level. These policies can also be assigned via Policy Assignment Rules (PAR) by creating a User PAR or a System PAR. For more information on using Policy Assignment Rules, please refer to the following KB articles at https://kc.mcafee.com:
KB72719 How to create Endpoint Encryption for Files and Folders 4.x policies
KB72775 Policy assignment interpretations in Endpoint Encryption for Files and Folders 4.x
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Systems, then select the desired group in the System Tree.
2 Click Assigned Policies
3 Select Endpoint Encryption for Files and Folders 4.2.0 from the product drop-down list.
4 Make sure that the My Default policy is assigned for Removable Media and Grant Keys
5 Click Edit Assignments to change the policy assignment if needed.
6 Click Save
7.6 Enforce policy update via Agent Wake-Up
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Systems, select the desired group in the System Tree, then click on the machine
2 Select the system by selecting the check box
3 Click Wakeup Agent
4 Select Force complete policy and task update
5 Click OK
6 Check the Agent Status Monitor on the endpoint system to ensure the policy gets updated.
7 Right click the McAfee shield
8 Select McAfee Agent Status Monitor
9 Check that the policies have been updated
7.7 Using McAfee Removable Media Encryption
To check that the policy has been enforced, perform the following:
1 Right click the McAfee shield
2 Select McAfee Manage Features | Endpoint Encryption for Files and Folders
3 Expand Removable Media Policies and check the policy on the client
When you insert a non-protected removable device on a client with EEFF installed and the removable media policy enabled, a notification dialog box appears prompting you to initialize the device. Alternatively, you can initialize the removable media using the McAfee Endpoint Encryption for Files and Folders client console.
7.8 Initializing a removable media device
1 Right click the McAfee shield
2 Select McAfee Manage Features | Endpoint Encryption for Files and Folders
3 On the left pane, click Initialize device. The Initialize Removable Media window appears.
4 Provide a volume label.
5 In the Authentication section select Authentication Password and enter a password. For the password method, type a password that conforms to the My Default | Password Rules policy.
Note!
The recovery methods available depend on the removable media encryption policy enforced on the system or the user.
6 Select Initialize
Existing data on the device will not be affected. An encrypted container will be created, and a directory called "Unprotected Files" will also be created. All existing data will be moved to the Unprotected Files directory, where it remains unencrypted until it is moved into the protected container.
7 Options available are Yes, No and Cancel; click Yes
If the following screen is displayed, the password does not meet the complexity rules defined in the My Default | Password Rules policy; please re-enter a valid password
8 This will create the new volume
9 Confirmation that the initialization is complete will be displayed
7.9 Recovery access
To recover access to an encrypted USB device, perform one of the following two tasks on the endpoint system.
Note! Recovery works here because the EERM Recovery Key was granted through the My Default Grant Keys policy, which is assigned to every system in the group. Any user of such a system can therefore reset the password of any device initialized under this policy; for production, grant the recovery key only to the users who should be able to perform recovery.
7.9.1 Password Recovery via Pop-up GUI
1 Plug in the device; the following will be displayed
2 Click Recover
3 Because the policy is set to use a recovery key, and because the key is available on this system, the key is used immediately and the device is unlocked. Click OK
4 Enter the password and repeat it. If the password supplied does not meet the minimum complexity, an informational window will be displayed.
5 Click OK
7.9.2 Password Recovery via McAfee Tray Icon
1 Right click the McAfee shield
2 Select McAfee Manage Features | Endpoint Encryption for Files and Folders
3 Click Recover Media
4 Click Recover
5 The Recovery key option will be the only one available. Click Recovery
6 Enter the password and repeat it. If the password supplied does not meet the minimum complexity, an informational window will be displayed.
7 Click OK
7.10 Moving an encrypted file protected with an EEFF key to a protected USB device
Note!
When a file that has been protected with an EEFF key is moved from an endpoint system to an EERM-protected device, the file level encryption is removed. Instead, the file is protected by residing in the encrypted EERM container. Removing the "dual encryption" makes it possible to access that file from systems that do not have the EEFF client software installed; it also means the file on the device is then protected only by the device password, not by the EEFF key.
7.11 Troubleshooting tips
When attempting to initialize a device to be protected, the error shown below might be seen.
The following should be checked:
1 Ensure the recovery key has been granted so that it can be used for recovery; check the Grant Keys policy in ePO, or check Manage Features on the client for the available keys
2 Check the file system on the device to ensure the file system is recognized
3 Check the device hardware
If the above does not resolve the initialization issue, a SR will have to be raised with McAfee Support. In this instance it is advisable to obtain the trace file; refer to the product guide.
7.12 Check USB Reporting capabilities
Task
For option definitions, click ? in the interface.
1 Click Menu | Reporting | Queries & Reports | Shared Groups | EEFF Queries, then select Run on the Removable Media Device Events query
The query returns the following fields:
System Information
User Info (DomainName\UserName)
Time Stamp
Agent GUID
Initialization
Initialization State (FAILED, CANCELLED, SUCCESSFUL)
Backup State (NONE, FAILED, CANCELLED, SUCCESSFUL)
Backup Size
Time taken for initialization
Time taken for backup
Size of protected part (valid only when initialization has completed successfully)
User Response (ACCEPTED, REJECTED: whether the user selected Yes or No at the EERM initialization prompt)
Device Information
Size (Bytes)
File System of device (FAT, NTFS, EERM in the case of EERM protected devices)
Vendor Name
Product Name
Exempted (YES, NO, UNKNOWN)
Protected (only EERM protected devices are considered protected) (YES, NO, UNKNOWN)
7.12.1 Create a customized report "Top 10 removable media users"
Task
For option definitions, click ? in the interface.
1 Click Menu | Reporting | Queries & Reports
2 Click Actions | New
3 Click Endpoint Encryption for Files and Folders from Feature Group
4 Click Removable Media Device Events | Next
5 Click Single Group Summary Table from Display Result As
6 Choose Number of Removable Media Device Events from the Values are: drop-down list
7 Choose User Name from the Labels are: drop-down list
8 Choose 10 as Maximum items
9 Click Next
10 Add User Name to the Selected Columns
11 Click Next
12 Click Run to show the results
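The same "Top 10 removable media users" aggregation, together with the two follow-up views a reviewer of the POC usually asks for next (initialization outcomes, and devices that ended up unprotected), can be reproduced offline from a CSV export of the Removable Media Device Events query. This is an added example, not part of the McAfee guide or of ePO; the sample events are constructed here with shortened column names matching the fields listed in 7.12.

```powershell
# Added example, not part of the McAfee guide: the "Top 10 removable media users"
# summary from 7.12.1 plus two follow-up views, computed in PowerShell over constructed
# sample events shaped like the Removable Media Device Events fields listed in 7.12.
# Export the real query from ePO as CSV with the same headers and pass it to Get-PocRmEvents.
$SampleCsv = @'
UserInfo,TimeStamp,InitializationState,BackupState,UserResponse,FileSystem,Exempted,Protected,VendorName,ProductName
CORP\alice,2013-05-02 09:12,SUCCESSFUL,NONE,ACCEPTED,EERM,NO,YES,Kingston,DataTraveler
CORP\alice,2013-05-02 13:40,SUCCESSFUL,SUCCESSFUL,ACCEPTED,EERM,NO,YES,SanDisk,Cruzer
CORP\alice,2013-05-03 09:01,SUCCESSFUL,NONE,ACCEPTED,EERM,NO,YES,Kingston,DataTraveler
CORP\bob,2013-05-03 08:05,FAILED,NONE,ACCEPTED,NTFS,NO,NO,Generic,USB Disk
CORP\bob,2013-05-03 08:07,CANCELLED,NONE,REJECTED,FAT,NO,NO,Generic,USB Disk
CORP\carol,2013-05-03 10:30,SUCCESSFUL,NONE,ACCEPTED,EERM,NO,YES,Kingston,DataTraveler
CORP\dave,2013-05-04 11:00,,,REJECTED,FAT,YES,NO,Vendor,Exempt Device
'@

function Get-PocRmEvents {
    param([string]$Path)
    if ($Path) { Import-Csv -Path $Path } else { $SampleCsv | ConvertFrom-Csv }
}

function Get-PocTopRmUsers {
    # Same aggregation as the ePO query: count events per User Name, keep the top N
    param($Events, [int]$Top = 10)
    $Events | Group-Object UserInfo | Sort-Object Count -Descending |
        Select-Object -First $Top -Property @{ n = 'UserName'; e = { $_.Name } }, Count
}

function Get-PocInitSummary {
    # Initialization outcomes; a rising FAILED count is the trigger for the checks in 7.11
    param($Events)
    $Events | Where-Object { $_.InitializationState } |
        Group-Object InitializationState | Select-Object Name, Count
}

function Get-PocUnprotectedDevices {
    # Devices that were inserted, are not on the exemption list and ended up unprotected.
    # Under "Enforce Encryption" these are the events to follow up: a failed or cancelled
    # initialization, or a user answering No at the prompt.
    param($Events)
    $Events | Where-Object { $_.Protected -ne 'YES' -and $_.Exempted -ne 'YES' } |
        Select-Object UserInfo, TimeStamp, InitializationState, UserResponse, VendorName, ProductName
}

$events = @(Get-PocRmEvents)
Get-PocTopRmUsers -Events $events | Format-Table -AutoSize
Get-PocInitSummary -Events $events | Format-Table -AutoSize
Get-PocUnprotectedDevices -Events $events | Format-Table -AutoSize
```

On the constructed sample the top user is CORP\alice with three events, and the unprotected list contains only CORP\bob's two attempts: the exempted device is excluded even though it is not EERM protected, which is the distinction the Exempted and Protected fields in 7.12 exist for.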
8 Use Case: Folder Encryption for Local Folders
EEFF folder policies can be assigned in a number of ways: using User Policy Assignment Rules, System Policy Assignment Rules, or by simply assigning the policy at the System Tree level. Please refer to the KnowledgeBase articles for further detailed information on this subject.
8.1 Creating a key for all Enterprise Users
Task
For option definitions, click ? in the interface.
1 Click Menu | Data Protection | EEFF Keys. The EEFF Key Management page appears
2 Click Actions | Create New Key. The Create a New Key dialog box appears
3 Type a name, Corp Key, and a description for the key, Key for all Domain Users
4 Select Never expire key or an expiration date as required
5 Click OK
The Corp Key just created will be displayed in Key Management; note the State of the key is Active
Repeat steps 2 to 5 above to create a key for HR:
1 Click Actions | Create New Key. The Create a New Key dialog box appears
2 Type a name, HR Key, and a description for the key, Key for HR
3 Select Never expire key or an expiration date as required
4 Click OK
8.2 Creating Policy for Folder Encryption
Use this task to create the policy for folder encryption. Log in to McAfee ePO.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog
2 Select the Product as Endpoint Encryption for Files and Folders 4.2.0
3 Select Folder Encryption (UBP) from the drop-down lists.
4 Click Duplicate on the McAfee Default policy. The Duplicate Existing Policy window is displayed
5 Type Corp Documents Policy and add a description in the Notes field
6 Click OK
7 Click Corp Documents Policy
8 The policy options will be displayed. For the path, click the right arrow
9 Select [Documents]
10 Click Browse next to Key:
11 Select Corp Key using the browse button
12 Click Save
Repeat steps 3 to 12 above to create a folder policy for HR:
1 Select Folder Encryption (UBP) from the drop-down lists.
2 Click Duplicate on the McAfee Default policy. The Duplicate Existing Policy window is displayed
3 Type HR Folder Policy and add a description in the Notes field
4 Click OK
5 Click HR Folder Policy
6 The Folder Encryption options will be displayed. For the path, enter the UNC path to the share (\\epo46srv\HR in this guide)
7 Click Browse next to Key:
8 Select the HR Key using the browse button
9 Click Save
8.3 Grant Key for Corp Key
Use this task to make the Corp Key available via the Grant Keys policy.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog
2 Select the Product as Endpoint Encryption for Files and Folders 4.2.0
3 Select the Grant Keys (UBP) category from the drop-down lists.
4 Click My Default
5 Select the Corp Key
6 Click the button to add it
7 The selected key will appear under Selected keys; select the Corp Key
8 Click Save
8.4 Assigning Policy to Systems
Use this task to assign the policy to machines.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree
2 Click My Organization | Assigned Policies to assign the folder policy to this group
3 Click Edit Assignment under Actions
4 Select Corp Documents Policy from the Assigned Policy drop-down list
5 Click Save
8.5 Wake up agent to enforce policy update
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Systems, select the desired group in the System Tree, then click on the machine
2 Select system (Win701)
3 Click Wakeup Agent
4 Select Force complete policy and task update
5 Click OK
6 Check the Agent Status Monitor on the endpoint system to ensure the policy gets updated.
7 Right click the McAfee shield
8 Select McAfee Agent Status Monitor
8.6 Using Folder Policy for Corp Users
To check the folder policy received from ePO, perform the following:
1 Right click the McAfee shield
2 Select McAfee Manage Features | Endpoint Encryption for Files and Folders
3 Expand Folder Policies and Available Keys; the following settings should be present:
Folder Policies should display [MYDOCUMENTS]
Available Keys should display EERM Recovery Key and Corp Key
4 Open My Documents
You can see that the files in My Documents are encrypted, represented by the padlock icon.
9 Use Case: Folder Encryption for HR Share
Use this task to assign the HR folder policy and the HR Key to HR users through a user-based Policy Assignment Rule. Log in to McAfee ePO. The HR Key that will be used was created in section 8.1 and the HR Folder Policy in section 8.2; if these steps were missed, please revisit them. The rule below also references a Grant Keys policy named HR Grant Key Policy that grants the HR Key; create it first by repeating section 8.3 on a duplicate of the Grant Keys policy, selecting the HR Key instead of the Corp Key.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Assignment Rules
2 Click New Assignment Rule
3 Type a name for the new Policy Assignment Rule and a description
4 Select User Based as the rule type
5 Click Add Policy
6 Select Product: Endpoint Encryption for Files and Folders, Category: Folder Encryption, Policy: HR Folder Policy
7 Click +
8 Select Product: Endpoint Encryption for Files and Folders, Category: Grant Keys (multi-slot), Policy: HR Grant Key Policy
9 Click Next. This will display the Policy Assignment Builder
10 Click next to Group Membership
11 Click the Browse button next to Group Membership
12 Find the HR group and select it
13 Click OK
14 Click Next
15 Click Save. The HR Policy Assignment Rule will be shown
9.1 Wake up agent to enforce policy update
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Systems, select the desired group in the System Tree, then click on the machine
2 Select system (Win701)
3 Click Wakeup Agent
4 Select Force complete policy and task update
5 Click OK
6 Check the Agent Status Monitor on the endpoint system to ensure the policy gets updated.
9.2 Using Folder Policy for HR Users
To check the folder policy received from ePO, log on as an HR user and perform the following:
1 Right click the McAfee shield
2 Select McAfee Manage Features | Endpoint Encryption for Files and Folders
3 Expand Folder Policies and Available Keys; the following settings should be present:
Folder Policies should display [MYDOCUMENTS] and \\epo46srv\HR
Available Keys should display EERM Recovery Key, Corp Key and HR Key
4 Open My Documents
You can see that the files in My Documents are encrypted, represented by the padlock icon.
Open the \\epo46srv\HR share; you can see that the documents are encrypted with the HR Key. Copy a file from the HR share to the C: drive; it keeps its HR Key encryption (padlock icon). Then log in as a non-HR user: you should not have access to the files in the HR share, nor to the copied file, because the HR Key is granted only to members of the HR group.
10 User Driven Actions
There are additional options that can be provided to users to allow functionality controlled by the user on the endpoint system. These options are enabled via policy through ePO. Some of the most common features include:
Creation of Self-Extracting files
Explicit Encryption
Explicit Decryption
Use this task to turn on the user driven options. Log in to McAfee ePO.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog
2 Select the Product as Endpoint Encryption for Files and Folders 4.2.0
3 Select the General (UBP) category from the drop-down lists.
4 Click My Default. The policy options will be displayed
5 Select Allow Explicit Encrypt and Allow Explicit Decrypt
6 Click Save
10.1 Wake up agent to enforce policy update
1 Click Menu | Systems | System Tree | Systems, select the desired group in the System Tree, then click on the machine
2 Select system (Win701)
3 Click Wakeup Agent
4 Select Force complete policy and task update
5 Click OK
6 Check the Agent Status Monitor on the endpoint system to ensure the policy gets updated.
7 Right click the McAfee shield
8 Select McAfee Agent Status Monitor
To check the General policy received from ePO, perform the following on the endpoint system:
9 Right click the McAfee shield
10 Select McAfee Manage Features | Endpoint Encryption for Files and Folders
11 Expand Simple Policies; the following settings should be enabled:
Enable "Decrypt": Yes
Enable "Encrypt": Yes
Enable Self Extractors: Yes
10.2 Explicit Encryption
The Encrypt option on the context menu allows you to manually encrypt a file or a folder. This option is unavailable to users if the file or folder has already been encrypted by policy.
Perform this task from the endpoint system
1 Right click a file
2 Select McAfee Endpoint Encryption
3 Select Encrypt
4 Select the key to use for encryption; the list is derived from the keys made available by the Grant Keys policy. Choose Corp Key from the drop-down list
5 Select OK
This can also be used to encrypt a file with the HR Key, making it readable only by the group that has been granted access to that key.
10.3 Explicit Decryption
The Decrypt option on the context menu allows you to manually decrypt a file or folder. This option is unavailable to users if the folder has been encrypted by policy.
Perform this task from the endpoint system.
A file that has been encrypted with EEFF is denoted by the padlock icon; opening its Properties and selecting the Encryption tab shows which key was used to encrypt the file.
1 Right click the file
2 Select McAfee Endpoint Encryption
3 Select Decrypt
The file is decrypted; in this instance the padlock icon has been removed
10.4 Creation of Self-Extractors
Self-Extractors are password-encrypted executable files that can also be decrypted on systems without the EEFF client. The password used to create the Self-Extractor is required to open it, so its strength is the only protection the file has once it leaves the EEFF-managed estate; the Password Rules policy from section 7.4 applies to it. You can change the name of the Self-Extractor; by default it is named after its source file or folder with the .exe extension.
1 Right click a file
2 Select McAfee Endpoint Encryption
3 Select Create Self-Extractor (filename.xxx.exe)
4 Enter a password and confirm it
If the following screen is displayed, the password does not meet the complexity rules defined in the My Default | Password Rules policy; please re-enter a valid password
5 Click OK
The file will be created.
To use the file, double-click it and you will be prompted for the password.
11 Conclusion
This POC guide has provided step-by-step instructions on how to install and configure McAfee Endpoint Encryption for Files and Folders, along with instructions on how to configure the following use cases:
Removable Media Encryption
Local Folder Encryption using Folder Encryption
Network Folder Encryption
User Driven Actions
11.1 Further Information
For further information please refer to the following documentation and reference material:
Release Notes readme_en-us.html
Product Guide eeff_420_product_guide_en-us.pdf
User Guide eeff_420_user_guide_en-us.pdf
Migration Guide eeff_420_migration_guide_en-us.pdf
Other Useful Links
Knowledge Based articles
https://kc.mcafee.com/corporate/index?page=home (Searchable)
https://mysupport.mcafee.com/Eservice/productdocuments.aspx?strPage=3&pl=0 (by Product)
McAfee Use Case for Removable USB Media Encryption
https://community.mcafee.com/community/business/data/epoenc/blog/2012/12/14/how-to-handle-removable-media-encryption-with-endpoint-encryption-for-files-and-folders-41
McAfee Support Site
https://mysupport.mcafee.com/Eservice/Default.aspx
McAfee Product Download Site
http://www.mcafee.com/us/downloads/downloads.aspx
McAfee Technical Video Channel
http://www.youtube.com/McAfeeTechnical