McAfee ® Encrypted USB Manager 3.1 Deployment and Administration Guide

Upload: vuongdang

Post on 11-Mar-2018




COPYRIGHT
Copyright © 2008 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
SAFEBOOT is a registered trademark or trademark of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. Microsoft® and Windows® are registered trademarks of Microsoft Corporation. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Attributions
Refer to the product Release Notes.

CONTACT INFORMATION
Download Site: http://www.mcafee.com/us/downloads/
Technical Support: http://www.mcafee.com/us/support/
KnowledgeBase Search (includes access to product documentation): http://knowledge.mcafee.com/
McAfee Technical Support ServicePortal (Logon credentials required): https://mysupport.mcafee.com/eservice_enu/start.swe

Customer Service
Web: http://www.mcafee.com/us/support/index.html and http://www.mcafee.com/us/about/contact/index.html
Phone — US, Canada, and Latin America toll-free: +1-888-847-8766, Monday – Friday, 8 a.m. – 8 p.m., Central Time

Contact information for other countries can be accessed online by selecting a link under Worldwide Offices at: http://www.mcafee.com/us/about/contact/index.html


Contents

Introducing McAfee Encrypted USB Manager ........ 5
  What's new ........ 5
  Benefits ........ 6
  Capabilities ........ 7
  Supported devices ........ 7
  Supported software ........ 8
  Product overview ........ 8
    Management console ........ 8
    End-user software ........ 9
  Licensing ........ 10

Installing and upgrading Manager ........ 11
  Setting up a Manager device database ........ 11
    Database authentication options ........ 12
  Configuring ADAM for Manager ........ 12
  Setting up Manager to use certificates ........ 13
    Configuring the Certificate template ........ 14
    Registering for an Enrollment Agent Certificate ........ 14
    Setting up a key recovery system ........ 14
  Setting up Manager to use RSA SecurID tokens ........ 16
    Controlling access to the McAfee Encrypted USB Manager RSA Web Service ........ 17
  Installing Manager ........ 19
    Contents of Installation CD ........ 19
  Configuring Manager ........ 19
  Creating a custom installation ........ 21
  Installing the client ........ 21
  Upgrading Manager ........ 22

Deploying McAfee Encrypted USB Devices ........ 23
  The deployment cycle ........ 23
    Initialization ........ 23
    Issuance ........ 24
    Personalization ........ 25
    Usage ........ 25
  The role of the administrator ........ 26
    Initialization Officer ........ 26
    Issuance Officer ........ 26
    Help Desk Operator ........ 26
    Security Officer ........ 27
  Help Desk support ........ 27

Initializing devices ........ 28
  Creating initialization profiles ........ 28
  Editing and deleting initialization profiles ........ 30
  Applying initialization profiles to devices ........ 30
  Erasing devices ........ 31

Issuing devices to users ........ 33


  Creating usage profiles ........ 33
    Password policies ........ 35
  Managing usage profiles ........ 36
  Applying new usage profiles to devices ........ 36
  Adding users to devices ........ 37
  Removing users from devices ........ 37
  Revoking users and devices ........ 38
    Revoking a user ........ 38
    Revoking a device ........ 38

Issuing and managing credentials ........ 39
  Creating credential profiles ........ 39
    Certificate profiles ........ 39
    RSA SecurID profiles ........ 40
  Copying, editing and deleting profiles ........ 40
  Issuing credentials to users ........ 41
  Removing credentials ........ 42
  Performing a key recovery operation ........ 42

Managing devices ........ 44
  Viewing device database statistics ........ 44
  Upgrading device firmware ........ 44
  Recovering data ........ 45
  Rescuing devices ........ 45
  Viewing device information ........ 46
  Generating reports ........ 46

Managing portable content ........ 48
  Creating a portable content file ........ 48
    Adding and deleting content ........ 49
    Copying, renaming, and moving items in the navigation pane ........ 50
  Exporting portable content ........ 50
  Updating portable content on devices ........ 50
  Creating a portable software package ........ 51
    Distributing the portable software package ........ 51
    Installing the portable software package ........ 51
  Configuring Web Login Config ........ 51
    Creating applications ........ 52
    Adding credentials ........ 52
    Adding forms ........ 53
  Configuring the Connector menu ........ 54
    General ........ 55
    System Tray Menu ........ 56
  Configuring the client ........ 57

Glossary ........ 58

Index ........ 60


Introducing McAfee Encrypted USB Manager

McAfee Encrypted USB Manager (formerly SafeBoot® for USB Enterprise) is a scalable software solution for managing large deployments of Portable Security Devices from McAfee. With McAfee Encrypted USB Manager (referred to as Manager throughout the rest of the document), you can control devices through their complete life cycle, from initialization through to delivery to end users and eventual recycling.

This guide provides a general overview of Manager and the deployment process. It also describes the administrative steps involved in deploying and managing devices.

This chapter contains information about the following:

- What's new
- Benefits and capabilities of Manager
- Supported devices
- Supported software
- Manager product overview
- Licensing
- Professional services

What’s new

Manager 3.1
This version provides support for McAfee Standard Driverless Encrypted USB devices. McAfee Standard Driverless Encrypted USB is a single-user device that allows only password authentication. The default read-only image is built-in and cannot be upgraded or modified. You can use McAfee Standard Driverless Encrypted USB only on computers running Microsoft Windows. The following operations are not available with McAfee Standard Driverless Encrypted USB devices: partition sizing, upgrading firmware (does not use a management code), rescuing devices, and issuing credentials.

Manager 3.0 includes the following new features:

- Portable content file enhancements—The Portable Content Manager (PCM) application provides a graphical interface to create and manage the portable content file for the read-only partition of devices. Administrators can also use PCM to configure McAfee applications, such as Web Login Config, Connector, and McAfee Encrypted USB—Managed. For more information, see “Managing portable content” on page 48.
- Support for credential management—Administrators can now issue certificates and RSA SecurID tokens to users with Manager. End users can manage certificates and RSA SecurID tokens with McAfee Encrypted USB—Managed. For more information, see “Issuing and managing credentials” on page 39.


- Built-in reporting capability—You can now generate pre-configured reports using Manager. Reports provide auditing data and information about devices, users, and deployment status. For more information, see “Generating reports” on page 46.
- Enhanced data recovery options—When you create a usage profile you can set data recovery options. When users cannot authenticate to their device, Help Desk operators can re-establish device access (default setting), or you can permanently erase the device so that it is inaccessible to both the user and the administrator. For more information, see “Creating usage profiles” on page 33.

Features added in Manager 2.4:

- Enhanced password configuration—Allows you to add complex password rules to a usage profile, such as retry limits, minimum password length, minimum number of characters (special, numeric, alphabetical), a password reuse threshold, and a minimum and maximum lifetime for the password. For more information, see “Password policies” on page 35.
- Two-factor authentication—You can now require users to authenticate using two-factor (biometric and password) authentication. For more information, see “Usage profile settings” on page 33.
- Profile status—You can change the status of a usage or initialization profile to indicate whether it is active or inactive. For more information, see “Editing and deleting initialization profiles” on page 30 and “Managing usage profiles” on page 36.
- Support for Mac OS X with McAfee Encrypted USB—Managed.

Benefits
Manager provides the following main benefits.

Control
A managed deployment of McAfee Encrypted USB Devices allows you to:

- Control device configurations and security policies that determine how devices can be used.
- Provide help desk support when necessary for end users who have problems authenticating.
- Perform data recovery operations on a device (for audit and compliance reasons) without the user being present.

Efficient administration
Administrative tasks use concise workflows that allow you to process devices efficiently with minimum effort. Administrators can create profiles that contain parameters for device configuration and user settings. Profiles allow administrators to initialize and issue devices to users in batches: they plug in a device, apply the appropriate profile, and move on to the next device.

Immediate end-user productivity
During initialization, devices are pre-configured with everything end users need. No software installation on end-user workstations is necessary. Client wizards guide end users through common tasks so that user training is not required and end users can start using devices as soon as they receive them.


Simplified and scalable
Minimal effort is required to deploy Manager. Other than hosting the device database, no other servers are needed. Simplified management operations ensure maximum efficiency when initializing, issuing, and updating devices.

Capabilities
Manager provides the following capabilities that facilitate administrative operations.

Table 1-1: Important Manager capabilities

Policies for device configuration and use
  You can create multiple device profiles to define device configurations and security policies for different user groups or departments. Profiles ensure the efficiency of the initialization and issuance processes. For more information about these processes, see “Initializing devices” on page 28 and “Issuing devices to users” on page 33.

Credential management
  Credential profiles let you define certificate or RSA SecurID token settings so that you can issue credentials to users.

Device rescue
  Help desk operators can securely reset the authentication mechanism of a device over the phone to assist users who can no longer authenticate to their device.

Data recovery
  Encrypted data may need to be recovered for security audits or due to the termination of employment. Security Officers can recover data from a user’s device without the user being present.

Portable software updates
  You can create portable software packages for end users to upgrade the read-only partitions of their devices. This lets you manage and provide additional applications to end users as your portable application needs change.

Self-enrollment
  To increase scalability and minimize administrator workload, end users can enroll their own fingers on a device for biometric authentication. For more information, see “Personalization” on page 25.

Separation of administrative roles
  The management software component of Manager contains four main functional modules that correspond to four administrative roles. Modules can be installed together or separately to allow your company to separate management roles. For more information about administrative roles, see “The role of the administrator” on page 26.

Audit trails
  All administrative operations performed using Manager are logged.

Corporate directory integration
  Manager integrates directly with the existing corporate directory to bind users to devices during the issuance process, so you do not have to maintain a separate repository for user data.

Supported devices
Manager supports the following McAfee Encrypted USB Devices:

- McAfee Zero Footprint Biometric Encrypted USB (formerly SafeBoot for USB Phantom Bio)
- McAfee Zero Footprint Non-Biometric Encrypted USB (formerly SafeBoot for USB Phantom Non-Bio)
- McAfee Standard Driverless Encrypted USB
- McAfee Encrypted USB Hard Disk (formerly SafeBoot for USB Hard Disk)
- McAfee Standard Encrypted USB (formerly SafeBoot for USB Standard)

Supported software
The following software is supported with Manager.

Table 1-2: Software

Web browser (required for the user interface, Microsoft Windows only)
  Microsoft Internet Explorer 7.0
  Internet Explorer 6.0

Databases
  IBM Informix Dynamic Server 9.4
  Microsoft SQL Server 2005 SP1
  Microsoft SQL Server 2000 SP4
  Microsoft SQL Express
  Note: Professional Services can help configure other databases.

User directory
  Windows 2003 Active Directory
  Active Directory Application Mode (ADAM)
  Note: Professional Services can help configure other directories.

Certificate authorities
  Microsoft

McAfee Encrypted USB—Managed
  Microsoft Windows 2000 SP4 (Client Help Desk is unavailable after a user authenticates)
  Windows XP SP2
  Windows Vista (Business and Enterprise editions)
  Mac OS X

Manager
  Initialization, Issuance, and Data Recovery processes:
    Windows XP SP2
    Windows Vista (Business and Enterprise editions)
  Help Desk processes:
    Windows 2000 SP4
    Windows XP SP2

Product overview
McAfee Encrypted USB Manager includes a management console and end-user software.

Management console
Manager is an installed suite of utilities that administrators use to control devices and perform the following operations:

- Device initialization
- Device issuance
- Device rescue and help desk support
- Data recovery
- Credentials (certificates and RSA SecurID tokens)


- Generating reports
- License management

The initialization and issuance operations are designed as efficient workflows so that you can deploy many devices in a short period of time. You can have multiple Manager computers that connect to one device database to allow distribution and delegation of administrative responsibilities.

The following illustration demonstrates the architecture of Manager.

Figure 1-1: Manager

End-user software
McAfee Encrypted USB—Managed (referred to as “client” in the rest of the document) is portable software that is pre-installed on the read-only partition of devices during the initialization process. End users are guided through wizards and workflows to perform the following operations:

- Personalize a new device by enrolling fingers for biometric authentication, setting a password, or both
- Manage existing authentication settings by updating finger enrollments or changing passwords
- Manage digital identities
- View device status information
- Rescue a device with assistance from the Help Desk

Other portable software programs can be installed on the device with the client to provide necessary applications to your end users. The following illustration demonstrates a typical device configuration for an issued device.

Figure 1-2: Issued device with the client


Licensing
Licenses are distributed using license files that allow you to manage a set number of devices per device database. To obtain a license file, contact your sales representative at McAfee. Manager will notify you when the device database is approaching the device limit and will indicate the number of devices still available to be issued. The corporate license is checked each time a device is added to ensure that the number of devices in the database does not exceed the site license.

When you purchase a new license file from McAfee or upgrade an existing license file, you must import the file to the device database using Manager.

To view current license information
From the main menu of Manager, click License Management. The Current License Information section contains details such as the license status and the maximum number of devices allowed.

To import a license file
1 From the main menu of Manager, click License Management.
2 In the Tasks section, click Import License File.
3 Select the license file, type the activation code, and then click Import.


Installing and upgrading Manager

McAfee Encrypted USB Manager contains four modules that you can install together or divide among multiple workstations according to the administrative role that will use the module. By default, Manager installs all four modules. For more information about administrative roles, see “The role of the administrator” on page 26.

Before you install Manager, you should create a Manager device database on your server and run the McAfee Encrypted USB Manager SQL script (located on the installation CD) to configure the database. You can also configure ADAM.

Manager supports credential issuance. You can set up authentication credentials, such as certificates or RSA SecurID tokens, so that you can issue them to end users. For more information about issuing credentials using Manager, see “Issuing credentials to users” on page 41.

As part of the installation process, you must configure Manager to correspond to your company’s network environment. You can complete the configuration using one of the following methods:

- Modify Manager on each workstation after you install it.
- Modify Manager on the first workstation and use the modified version to create a custom installation. You can distribute the custom installation of Manager for each subsequent install.

If you want to deploy McAfee Standard Encrypted USB devices, you must install the client. You can also upgrade from a previous version of Manager.

This chapter contains information about:

- Setting up a Manager device database
- Configuring ADAM for Manager
- Setting up Manager to use certificates
- Setting up Manager to use RSA SecurID tokens
- Installing Manager
- Configuring Manager
- Creating a custom installation
- Installing the client
- Upgrading Manager

Setting up a Manager device database
On the device database server, create a new database to contain the Manager device information. After you create the database, run the McAfee Encrypted USB Manager SQL script. You should create the database and run the script against the database server before you install and configure Manager. Use the database script that corresponds to the server you are using. The script file is located in the following directory path on the installation CD (where D is the CD drive):

IBM Informix Dynamic Server 9.4
D:\Database Configuration Scripts\Informix\9.4\McAfee Encrypted USB Manager.sql


Microsoft SQL Server 2005
D:\Database Configuration Scripts\Microsoft SQL Server\2005\McAfee Encrypted USB Manager.sql

Microsoft SQL Server 2000
D:\Database Configuration Scripts\Microsoft SQL Server\2000\McAfee Encrypted USB Manager.sql

The script creates database tables, indexes and data on the Manager database. If you are upgrading from a previous version of Manager, the scripts are located in the Upgrade folder for the appropriate database server. For more information, see “Upgrading Manager” on page 22.

Note: When setting up the database, if you are not using Windows pass-through authentication, you should create database account(s) to be used during the connection to the database.

Database authentication options
It is strongly recommended that you set controls on the device database that restrict access to only authorized persons.

Options for controlling access
1 Windows pass-through authentication—reuses Windows Domain Login credentials.
2 Database login accounts—involves setting up database user names, passwords and permissions on the device database server if not using Windows pass-through authentication.

You can configure the database login to prompt the operator when using Manager, or to automatically log on to the database. When you include login credentials in the Presenter.ini file, the system assumes that automatic login has been configured.

Configuring ADAM for Manager
If you are using Active Directory Application Mode (ADAM) as the LDAP directory, you must configure ADAM to work correctly with Manager. Configuration involves the following steps (in order):

- Selecting appropriate settings when you create the ADAM instance
- Editing your registry settings
- Allowing anonymous LDAP binding to an ADAM instance
- Setting properties for the LDAP Manager

Note: LDAP Manager is an advanced Windows-based LDAP editor and browser. You can download it from the Web. You can also use other LDAP editors to manage ADAM.

To select settings when creating an ADAM instance
1 Add service permission to the Windows account you specified in previous steps.
2 Select the user who is currently logged on.
3 Import the selected LDIF files for this instance of ADAM.
4 Add all available LDF files.


Tip: For more information about creating an ADAM instance, see documentation from Microsoft regarding ADAM.

To edit registry settings
1 On the taskbar, click Start, and then click Run.
2 Type Regedit and click OK.
3 In the Registry Editor, navigate to the following registry subkey:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
4 In the details pane, right-click forceguest, and then click Modify.
5 In Value data, type 0, and then click OK.

To allow anonymous LDAP binding to an ADAM instance
1 On the taskbar, click Start, point to All Programs, point to ADAM, and then click ADAM ADSI Edit.
2 Connect and bind to the configuration directory partition of the ADAM instance on which you want to allow anonymous Lightweight Directory Access Protocol (LDAP) binding.
3 In the console tree, double-click the following:
configuration directory partition (CN=Configuration,CN={GUID})
services container (CN=Services)
Windows NT container (CN=Windows NT)
4 Right-click the directory service container (CN=Directory Service), and then click Properties.
5 In the Attributes area, click dsHeuristics, and then click Edit.
6 In the Value area, modify the value of the seventh character in the attribute (counting from the left) to 2, as follows:
0000002001001
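Step 6 edits one character of dsHeuristics by hand, and the same attribute is what an auditor reads back to confirm whether an instance accepts anonymous LDAP operations. The Python helper below is an added example, not part of McAfee's guide or product: it computes the value to write for the seventh character and checks an existing value. It relies on the dsHeuristics rule that every tenth character (positions 10, 20, ...) must hold the position divided by ten, which is why the guide's value carries a 1 in position 10; that value is reused as sample input.

```python
"""Helpers for the ADAM dsHeuristics attribute (added example, not McAfee code).

dsHeuristics is a string of single-character flags. The procedure above sets
the seventh character (counting from 1) to 2 to allow anonymous LDAP operations.
Rule applied below: every tenth character (positions 10, 20, ...) must hold the
position divided by ten, which is why the value in the guide has a 1 in
position 10.
"""

ANON_LDAP_POSITION = 7   # 1-based position of the anonymous-LDAP flag
ANON_LDAP_ALLOWED = "2"  # value that permits anonymous LDAP operations

# Value quoted in step 6 above, reused here as sample input.
GUIDE_VALUE = "0000002001001"


def _filler(position: int) -> str:
    """Padding character for a 1-based position: the mandatory digit on every
    tenth position, '0' everywhere else."""
    return str(position // 10) if position % 10 == 0 else "0"


def set_ds_heuristics_flag(current: str, position: int, value: str) -> str:
    """Return `current` with the 1-based `position` set to the digit `value`.

    A string shorter than `position` is padded so the result stays well-formed;
    the reserved tenth positions cannot be overwritten.
    """
    if len(value) != 1 or not value.isdigit():
        raise ValueError("flag value must be a single digit")
    if position < 1 or position % 10 == 0:
        raise ValueError("position must be >= 1 and not a multiple of ten")
    chars = list(current)
    while len(chars) < position:
        chars.append(_filler(len(chars) + 1))
    chars[position - 1] = value
    return "".join(chars)


def anonymous_ldap_allowed(ds_heuristics: str) -> bool:
    """Audit check: True when the seventh character is 2."""
    if len(ds_heuristics) < ANON_LDAP_POSITION:
        return False  # attribute empty or too short: the flag is at its default
    return ds_heuristics[ANON_LDAP_POSITION - 1] == ANON_LDAP_ALLOWED


def enable_anonymous_ldap(current: str) -> str:
    """Value to write to permit anonymous binds (what step 6 does by hand)."""
    return set_ds_heuristics_flag(current, ANON_LDAP_POSITION, ANON_LDAP_ALLOWED)


def disable_anonymous_ldap(current: str) -> str:
    """Value to write to restore the default, with anonymous operations blocked."""
    return set_ds_heuristics_flag(current, ANON_LDAP_POSITION, "0")


if __name__ == "__main__":
    print("anonymous LDAP allowed:", anonymous_ldap_allowed(GUIDE_VALUE))
    print("value to restore default:", disable_anonymous_ldap(GUIDE_VALUE))
```

Read the current attribute with your LDAP editor before writing, and pass that string as `current`; writing a freshly built value would silently reset any other flag already set on the instance.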

To set properties in LDAP Manager
Include the following property settings in the LDAP Manager application:

Connection Name: for example, Manager
LDAP Server name: localhost
Username: admin username for the user who is currently logged on to the computer
Password: your password
Select NTLM for authentication, and then click Connect.
Click Directory, and complete any necessary steps, for example, create users.

Tip: You must manually refresh the LDAP Manager application or the LDAP Editor by pressing F5 to show your changes.

Setting up Manager to use certificates
If you want to use Manager to issue certificates to end users, you must configure the certificate template and register for an enrollment agent certificate. You can also set up a key recovery system.


Configuring the Certificate template
You must configure the certificate templates on the Certificate Server before you can issue certificates to users in Manager. The certificate templates must allow an Enrollment Agent to issue the certificate to a user on their behalf.

To configure the certificate template
1 Right-click the certificate template and click Properties.
2 Click the Issuance Requirements tab, and then select the This number of authorized signatures check box. Use the default settings for the other options.
3 Click Apply.

Registering for an Enrollment Agent Certificate
The Enrollment Agent administrator must have an Enrollment Agent certificate so that the administrator can issue certificates using Manager. You must complete the registration process before you install or start Manager. The following procedure describes one way to register. However, you should use the method that is appropriate to your business practices.

To register for an Enrollment Agent certificate
1 Log on as the domain administrator to the computer where Manager is installed.
2 In a Web browser, type the following URL:
http://<servername>/certsrv
3 Click Request a certificate, and then click Advanced certificate request.
4 Click Create and submit a request to this CA.
5 From the Certificate Template list, click Enrollment Agent. Use the default settings for the other options.
6 Click Submit. If a Warning dialog box appears, click Yes to continue.
7 Click Install this certificate.

Setting up a key recovery system
If you want to provide a method for key recovery, you must do the following:

Create a Key Recovery Certificate
Enable key recovery on the Certificate Authority

Create a Key Recovery Certificate
The key recovery certificate is used by the Certificate Authority to protect the private decryption keys of users. You must complete the following three steps to create the key recovery certificate:

Create and submit a request for a key recovery certificate
Approve the certificate request in the Microsoft Management Console (MMC)
Install the key recovery certificate

To create and submit a request for a key recovery certificate
1 Log on to the Certificate Server as the user who will perform the key recovery operation.
2 In a Web browser, type the following URL: http://<servername>/certsrv
If asked for credentials, use the domain credentials for the user who will perform the certificate recovery operation. If a message appears that indicates “Content is blocked for security reasons”, add the Web page to the “trusted” zone.
3 Click Request a certificate, and then click Advanced certificate request.
4 Click Create and submit a request to this CA.
5 From the Certificate Template list, click Key Recovery Agent.
6 Click Submit. If a Warning dialog box appears, click Yes to continue.
A page will display to indicate that the request has been received.

To approve the certificate request
1 In the MMC, expand the Certification Authority node by clicking the Plus (+) sign.
2 Click the Certificate Authority and then double-click the Pending Requests folder to view the request you submitted in the procedure “To create and submit a request for a key recovery certificate” on page 14.
3 Right-click the request, click All Tasks, and then click Issue.

To install the key recovery certificate
1 In a Web browser, return to the following URL by typing:
http://<servername>/certsrv
2 Click View the status of a pending certificate request.
3 Click the certificate that you approved in the procedure “To approve the certificate request” on page 15.
4 Click Install this certificate. If a Warning dialog box appears, click Yes to continue.

Note: It is recommended that you create a backup of the certificate and private key by exporting them to a file. Save the file in a secure location. Creating a backup ensures that you can still perform a key recovery operation if the existing key recovery certificate and key pair become lost or damaged.

Enable key recovery on the Certificate Authority
Once you install the key recovery certificate, you must set up the certificate server for key recovery. For information about performing a key recovery operation, see “Performing a key recovery operation” on page 42.

To enable key recovery
1 In the MMC, expand the Certification Authority node by clicking the Plus (+) sign.
2 Right-click the name of your Certificate Authority and click Properties.
3 Click the Recovery Agents tab, and then click Archive the Key.
4 Click Add.
5 Select your key recovery certificate and click Apply.

Note: You can verify that the certificate status has changed to “valid” by closing the Properties window and reopening it to the Recovery Agents tab to view the certificate status.


Setting up Manager to use RSA SecurID tokens
The McAfee Encrypted USB Manager RSA Web Service is an optional component of Manager. You must install the Web Service if you want to issue RSA SecurID tokens to end users. RSA SecurID tokens are used for strong authentication when a user logs on to access network or corporate resources remotely.

You must install the McAfee Encrypted USB Manager RSA Web Service on the server where RSA Authentication Manager is installed. RSA Authentication Manager must be installed with an Internet Information Services (IIS) Web server on a Windows Server 2003 operating system. You must also ensure that the IIS server is configured to allow ASP.net extensions.

After you install the McAfee Encrypted USB Manager RSA Web Service, you must configure the TokenIssuance file to define Host Agents used with RSA Authentication Manager. Host Agents are the IP addresses of Agents that are installed with an application to control security for that application. The end user can authenticate to the Agent using the RSA SecurID token and gain access to the application, for example Citrix. The TokenIssuance file contains other variables that you can configure if necessary.

You can also control access to the McAfee Encrypted USB Manager RSA Web Service.

To install the McAfee Encrypted USB Manager RSA Web Service
1 On the Manager Installation CD, in the RSAWebServiceSetup folder, double-click the Setup.exe file to start the installation and follow the instructions in the Install wizard.
2 If you have multiple Sites, select the Site where you want to install the Web service application.
3 You must also provide a name for the Virtual Directory of the Web service Web application.
4 When the wizard prompts you for a User ID and password, type the same User ID and password that was used to log on to Windows when RSA Authentication Manager was installed (if necessary, use the Administrator account ID and password).
5 Complete the remaining steps in the installation wizard.

After you finish the installation, your McAfee Encrypted USB Manager RSA Web Service address is: http://[Site]/[Virtual Directory]/RSAManagerService.asmx

Site is the Web address or DNS name of the Web site that you selected during the installation. Virtual Directory was created in Step 3.

To enable ASP.net extensions on the IIS Server
1 Click Start, click Control Panel, and then double-click Administrative Tools.
2 Double-click Internet Information Services (IIS) Manager, and then double-click the computer running IIS.
3 Double-click the Web Service Extensions folder.
4 Ensure that the status of the ASP.net server extensions is set to Allowed. If the status is Prohibited, click the server extension, and then click Allow.

To configure Host Agents
1 In a text editor, open the TokenIssuance.ini file that is located in the following directory:
C:\Program Files\McAfee\RSA Webservice Setup\Config
2 In the Agents area, after the Equal (=) sign, type the IP addresses for each Agent that is used with RSA Authentication Manager. You can add agents if you require more than the default number that is listed.
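The Agents entries and the variables of Table 1-1 (see below) are free-text name=value settings, so a mistyped agent address or an action name the service does not recognise only surfaces when a token is issued. The following Python validator is an added example, not McAfee's code: it reads a TokenIssuance.ini and reports every Agent value that is not an IP address and every variable whose value is not one of the actions listed in Table 1-1. The [Agents] and [Variables] section names and the AgentN key names are assumptions, since the guide only names the variables; the sample file is constructed.

```python
"""Validate a TokenIssuance.ini file (added example, not McAfee code).

Section and key names are assumptions; the guide only says that Agents and the
Table 1-1 variables are set as name=value pairs. Allowed actions come from
Table 1-1.
"""
import configparser
import ipaddress

# Allowed actions per variable, from Table 1-1 (DefaultShell is free-form and
# MinTimeToDeath is checked separately as a non-negative number of days).
ALLOWED = {
    "UserAlreadyPresent": {"ERROR", "REUSE"},
    "UserNotPresent": {"ERROR", "CREATE"},
    "SoftTokenPresent": {"ADD", "REPLACE", "RESCIND", "REVOKE", "ERROR"},
    "ReplaceToken": {"KEEPIN", "NEWPIN"},
}

# Constructed sample file containing three deliberate mistakes.
SAMPLE_INI = """
[Agents]
Agent1=192.0.2.10
Agent2=192.0.2.11
Agent3=not-an-ip

[Variables]
UserAlreadyPresent=REUSE
UserNotPresent=CREATE
SoftTokenPresent=RESCND
ReplaceToken=NEWPIN
MinTimeToDeath=-5
DefaultShell=/bin/sh
"""


def validate_token_issuance(text: str) -> list:
    """Return a list of problem descriptions; an empty list means the file is valid."""
    parser = configparser.ConfigParser()
    parser.optionxform = str  # keep key names exactly as written
    parser.read_string(text)
    problems = []

    # Every Agent entry must be an IP address of a host agent.
    agents = parser["Agents"] if parser.has_section("Agents") else {}
    if not agents:
        problems.append("Agents: no host agents configured")
    for key, value in agents.items():
        try:
            ipaddress.ip_address(value.strip())
        except ValueError:
            problems.append(f"Agents.{key}: '{value}' is not an IP address")

    # Each Table 1-1 variable must carry one of its listed actions.
    variables = parser["Variables"] if parser.has_section("Variables") else {}
    for name, allowed in ALLOWED.items():
        value = variables.get(name, "").strip().upper()
        if value not in allowed:
            problems.append(f"{name}: '{value}' not in {sorted(allowed)}")

    # MinTimeToDeath is a number of days and may not be negative.
    raw = variables.get("MinTimeToDeath", "").strip()
    if not raw.isdigit():
        problems.append(f"MinTimeToDeath: '{raw}' is not a non-negative integer")
    return problems


if __name__ == "__main__":
    for problem in validate_token_issuance(SAMPLE_INI):
        print(problem)
```

Run it against the real file after editing and again before each upgrade of the Web Service, and adjust `ALLOWED` if a later release documents additional actions.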

To configure other variables in the TokenIssuance file
1 In a text editor, open the TokenIssuance.ini file that is located in the following directory:
C:\Program Files\McAfee\RSA Webservice Setup\Config (where C is the drive on which you installed the RSA WebService)
2 Locate the variable you want to configure and after the Equal (=) sign, type the action that you want to occur. The following table provides a list of variables, possible actions that you can set, and the default action that is currently set.

Table 1-1: Variables in TokenIssuance.ini file

Variable Name        Description                                             Possible Actions                        Default Action
UserAlreadyPresent   User exists in RSA Server                               ERROR, REUSE                            REUSE
UserNotPresent       User does not exist in RSA Server                       ERROR, CREATE                           CREATE
SoftTokenPresent     Action to take if the user already has a token          ADD, REPLACE, RESCIND, REVOKE, ERROR    RESCIND
ReplaceToken         Action to take for the PIN when the token is replaced   KEEPIN, NEWPIN                          NEWPIN
MinTimeToDeath       Minimum time (in days) for which the token is valid     Any non-negative number                 30 days
DefaultShell                                                                                                         /bin/sh

Controlling access to the McAfee Encrypted USB Manager RSA Web Service

You can secure the McAfee Encrypted USB Manager RSA Web Service by granting access to designated:

Users—by enabling Windows Integrated Authentication
Workstations, workstation groups, or workstations in a particular domain—by setting IP address and domain name restrictions

Granting access to designated users
You can permit only designated users to access the McAfee Encrypted USB Manager RSA Web Service using Windows Integrated Authentication. Windows Integrated Authentication allows transparent, user-based authentication between the client workstation and Web server. You must perform the following steps to enable Windows Integrated Authentication.

Set the authentication mode in the configuration file for the McAfee Encrypted USB Manager RSA Web Service


Set the authentication mode for the McAfee Encrypted USB Manager RSA Web Service virtual directory
Configure the list of users who can access the McAfee Encrypted USB Manager RSA Web Service

To set the authentication mode in the configuration file
1 Click Start, click Control Panel, and then double-click Administrative Tools.
2 Double-click Internet Information Services (IIS) Manager, and then double-click the computer running IIS.
3 Double-click the Web Sites folder and click McAfee Encrypted USB Manager RSA Web Service.
4 Right-click the Web Config folder and click Properties.
5 Click the ASP.NET tab and click Edit Configuration.
6 Click the Authentication tab and then in the Authentications Settings area, select Windows from the Authentication Mode list.

To set the authentication mode for the McAfee Encrypted USB Manager RSA Web Service virtual directory
1 Right-click the McAfee Encrypted USB Manager RSA Web Service virtual directory and click Properties.
2 Click the Directory Security tab.
3 In the Authentication and access control area, click Edit.
4 Click to clear the Enable anonymous access check box.
5 In the Authentication access area, click the Integrated Windows authentication check box.

To configure the list of users
1 Right-click the McAfee Encrypted USB Manager RSA Web Service virtual directory and click Permissions.
2 Do one of the following:
To add users, select the user/group and click Add.
To remove users, select the user/group and click Remove.

Granting access to designated workstations, groups, or workstations in a specific domain

You can set IP address and domain name restrictions to allow access to the McAfee Encrypted USB Manager RSA Web Service to only designated workstations, workstation groups, or workstations that belong to a specific domain.


To set IP address or domain-based access
1 Right-click the McAfee Encrypted USB Manager RSA Web Service virtual directory and click Properties. See step one of the “To set the authentication mode for the McAfee Encrypted USB Manager RSA Web Service virtual directory” on page 18.
2 Click the Directory Security tab.
3 In the IP address and domain name access area, click Edit.
4 Click the Denied access option to deny Web Service access to computers that are not included in the list.
5 If you want to add other exceptions to the list, click Add and select the appropriate settings.
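Step 4 makes the restriction a default-deny list: a computer reaches the Web Service only if it matches an exception. Before committing such a list it is worth checking it against the addresses that actually call the service, so that an issuance workstation is not locked out. The Python snippet below is an added example, not McAfee's or IIS's code: it evaluates IIS-style exception entries (a single computer, or a group of computers given as network plus subnet mask, which is the form the IIS dialog accepts) against a set of client addresses. The exception list, the request records and the RSAWS virtual directory name are all constructed; domain-name exceptions are not modelled.

```python
"""Evaluate IIS-style IP address restrictions (added example, not McAfee or IIS code).

Models the "Denied access" default chosen in the procedure above: a client is
allowed only when it matches an exception. Exceptions are written as the IIS
dialog accepts them: a single address or network/subnet-mask. Domain-name
exceptions are out of scope here.
"""
import ipaddress

# Constructed exception list in the form used by the IIS dialog.
EXCEPTIONS = [
    "192.0.2.7",                    # single computer: an issuance workstation
    "192.0.2.64/255.255.255.192",   # group of computers: the Help Desk subnet
]

# Constructed request records: (client address, requested path). The virtual
# directory name RSAWS is an assumption.
REQUESTS = [
    ("192.0.2.7", "/RSAWS/RSAManagerService.asmx"),
    ("192.0.2.70", "/RSAWS/RSAManagerService.asmx"),
    ("192.0.2.130", "/RSAWS/RSAManagerService.asmx"),
    ("198.51.100.9", "/RSAWS/RSAManagerService.asmx"),
]


def parse_exceptions(entries):
    """Turn dialog entries into network objects; a bare address becomes a host route."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def is_client_allowed(client_ip, exceptions, default_denied=True):
    """Apply the restriction. With "Denied access" a client must match an
    exception to get in; with "Granted access" a match means it is kept out."""
    client = ipaddress.ip_address(client_ip)
    matched = any(client in network for network in parse_exceptions(exceptions))
    return matched if default_denied else not matched


def denied_clients(requests, exceptions, default_denied=True):
    """Distinct client addresses in `requests` that the restriction would reject;
    use this to review a proposed list against recent access records."""
    return sorted({ip for ip, _path in requests
                   if not is_client_allowed(ip, exceptions, default_denied)})


if __name__ == "__main__":
    for ip in denied_clients(REQUESTS, EXCEPTIONS):
        print("would be denied:", ip)
```

Any address the review reports that belongs to a legitimate Manager workstation needs its own exception entry before the restriction is applied; everything else stays denied, which is the point of the default chosen in step 4.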

Installing Manager
You can install Manager using the setup wizard on the Installation CD. The installation allows you to select which modules—Device Initialization, Device Issuance, Data Recovery, and Help Desk—to install.

Contents of Installation CD
The following software, documentation, and utilities are included on the Manager Installation CD.

Installation executable file
Database configuration scripts to create the device database
Documentation
ManagerSetup for Manager
RSAWebServiceSetup to install the McAfee Encrypted USB Manager RSA Web Service for RSA SecurID token issuance

To install Manager
On the Manager Installation CD, in the ManagerSetup folder, double-click the Setup.exe file to start the installation and follow the instructions in the Install wizard.

Note: After you install Manager, you must set parameters such as e-mail and LDAP settings, and the database connection string. For more information, see “Configuring Manager” on page 19.

Configuring Manager
After you install Manager, you must configure Manager by completing the following steps:

1 Creating an ODBC Data Source Name (DSN) on each workstation where Manager is installed (if one does not already exist). The Encrypted USB Manager Configuration Assistant references the database connection string for the ODBC DSN.

2 Setting the following parameters using the Encrypted USB Manager Configuration Assistant:

E-mail settings—used when issuing devices; settings include the e-mail server, user name, password, and e-mail address.
Database connection
LDAP server settings


3 Customizing the e-mail message (if required) that users receive when the device is ready for use.

Note 1: You must also configure the Help Desk contact number that appears in the client. End users will dial this number for assistance if they cannot authenticate to their device. For more information, see “Configuring the client” on page 57.

Note 2: For information about installing the configured version of Manager on other computers, see “Creating a custom installation” on page 21.

To create the ODBC DSN
Follow the instructions in the Microsoft Windows ODBC Data Source Administrator wizard and select the following settings where appropriate:

Use SQL Server as the driver for which you want to set up a data source.
The data source name should match the ODBC DSN string to be used in the Encrypted USB Manager Configuration Assistant where the default name is Manager.
Change the default database to the Manager database that you created on the SQL Server.

To set parameters in the Encrypted USB Manager Configuration Assistant
1 On the Start menu, click Programs, McAfee, and then click Encrypted USB Manager Configuration Assistant.
2 Follow the instructions in the configuration wizard.

For the Database Connection String, you can leave username and password data blank if the workstations used are part of the Active Directory Domain and the Windows SQL Server has been set up with pass-through authentication enabled. You can also leave these parameters blank if the user is to be asked for credentials. For LDAP settings, you can leave username and password boxes blank if the workstations used are part of the Active Directory Domain.

Note: If you are using Active Directory Application Mode (ADAM), you must configure it correctly before running the Encrypted USB Manager Configuration Assistant. For more information, see “Configuring ADAM for Manager” on page 12.

To customize the e-mail message
1 If you want to change the text in the subject line of the generated e-mail message, open the Presenter.ini file in a text editor from the following location:
C:\Program Files\McAfee\McAfee Encrypted USB Manager 3.1\Config (where C is the drive on which you installed Manager)
2 In the EMAIL section, replace the text “New McAfee Device” for the IssuedSubject= setting with your customized subject text.
3 If you want to customize the text of the e-mail message, open the IssuedMessage.txt file in a text editor and edit the text. The file is located in the following directory path:
C:\Program Files\McAfee\McAfee Encrypted USB Manager 3.1\Config (where C is the drive on which you installed Manager)

Note: The “%USERNAME%” and “%PASSWORD%” text strings that appear in the text of the default e-mail message are replaced with the actual device user name and password when the message is generated.


Creating a custom installation
When you install Manager on multiple computers, you can manually configure each installation or you can modify the first installation and install the modified version on subsequent computers.

Creating a custom installation involves copying the original contents of the Manager installation CD to your workstation. After you install and configure the first instance of Manager, you replace the original files with the configured version, and then create a new installation CD.

To create a custom Manager installation
1 Copy the CD image from the installation CD to your workstation.
2 Complete all of the steps in the section “Configuring Manager” on page 19.
3 Copy the Presenter.ini and IssuedMessage.txt files from the following location:
C:\Program Files\McAfee\McAfee Encrypted USB Manager 3.1\Config (where C is the drive on which you installed Manager)
4 Replace the original Presenter.ini and IssuedMessage.txt files in the CD image folder on your workstation by pasting the configured files (copied in step three). The copied CD image folder is located in the following directory path:
C:\Manager\ManagerSetup\Config (where C:\Manager is the directory to which you copied the CD image).
5 If you customized the Help Desk contact number in the McAfee Encrypted USB—Managed, you can include the change in the custom installation. Copy the PortableContentFiles folder from the following location:
C:\Program Files\McAfee\McAfee Encrypted USB Manager 3.1 (where C is the drive on which you installed Manager).
Replace the original PortableContentFiles folder in the CD image folder on your workstation, located in the following directory path:
C:\Manager\ManagerSetup (where C:\ is the directory to which you copied the CD image).
6 The installation setup has now been configured to your company’s environment. You can create a new installation CD based on the custom install configuration.

Note: You must create the ODBC DSN on each workstation where you want to install a custom version of Manager.

Installing the client
For most devices, the client requires no installation as it is loaded on the read-only partition of the device during the initialization process. However, McAfee Standard Encrypted USB does not have a read-only partition on which to load the client. Therefore, for this device, you must install the client on the client workstation.

To install the client
1 On the client Installation CD, in the ClientSetup folder, double-click the Setup.exe file to start the installation. If the CD AutoRun feature is enabled on your computer, the installation starts automatically.
2 Follow the instructions in the Install wizard.

Tip: The installation wizard puts an icon on the desktop and in the Start menu to start the client.


Upgrading Manager

Manager
You can upgrade to McAfee Encrypted USB Manager 3.1 from a previous version using the setup wizard on the Installation CD.

To upgrade Manager
1 Uninstall the previous version of Manager. You must back up the issuedmessage.txt file. You should also copy the database, LDAP, and e-mail settings in the presenter.ini file (for future reference). The issuedmessage.txt and presenter.ini file are located in the following folder:
C:\Program Files\McAfee\McAfee Encrypted USB Manager 2.x\Config (where C is the drive on which you installed Manager)

2 On the Manager Installation CD, in the ManagerSetup folder, double-click the Setup.exe file to start the upgrade process and follow the instructions in the Install wizard.

Note 1: After you upgrade Manager, you must reconfigure all previously set parameters, such as e-mail and LDAP settings, and the database connection string. For more information, see “Configuring Manager” on page 19.

Note 2: If you backed up the old Presenter.ini file, do not use it to replace the new file that installed during the upgrade process. Otherwise, required settings in the new file will be overwritten.

Note 3: You can access the upgrade scripts for the server in the Upgrade folder, for example, D:\Database Configuration Scripts\Microsoft SQL Server\2005\Upgrade\McAfee Encrypted USB Manager.sql (where D is the CD drive).

The client
When you upgrade Manager, a new default portable content file that contains the client is automatically installed. You can configure this file and then create a new software package to distribute and install on devices. For more information, see “Updating portable content on devices” on page 50.

When you upgrade McAfee Standard Encrypted USB devices, use the client Installation CD and complete the instructions in the following procedure, “Installing the client” on page 21.


Deploying McAfee Encrypted USB Devices

Understanding the administrative tasks involved in each phase of the deployment cycle can help you plan and administer your device deployment. You can assign tasks to administrators based on four defined roles.

This chapter contains the following information:

A description of a typical deployment cycle
An outline of the different administrative roles
The role of the Help Desk

The deployment cycle
Before you deploy McAfee Encrypted USB Devices, it is important to understand the stages involved in a deployment cycle. One administrator can perform all tasks or you can separate the tasks among multiple administrators. For more information, see “The role of the administrator” on page 26.

The following illustration provides a visual overview of a managed deployment cycle.

Figure 1-1: Deployment cycle

Initialization
Initialization is the first phase after your company receives its devices from McAfee. Initializing a device prepares it for issuance. Your company takes control of the device during this phase. An initialized device has no defined users and no corporate security policies set. You can create initialization profiles to simplify this phase and allow batch initialization of devices. Initialization Officers perform the following tasks to initialize devices:


Create initialization profiles
Before you can initialize a device, you must create an initialization profile. Initialization profiles contain the policies that determine how a device is configured, for example, the size of a partition and the software to put on the device. Initialization Officers set the following parameters when creating a profile:

Public and read-only partition size
Read-only drive type
Read-only partition contents (including the client and other portable software)
Management code

Initialize devices
Once you create the initialization profiles, you can then initialize many devices efficiently using a selected profile. McAfee Encrypted USB Manager configures the device with the parameters you set in the profile. Each time you initialize a device, Manager checks the corporate license to verify that the total number of initialized devices does not exceed the site license.

The initialization process binds a device to your company and configures the read-only partition with the portable software you want to deploy. The read-only partition software must include the client (does not apply to McAfee Standard Encrypted USB).

Other initialization tasks
Erasing a device
Creating software update packages
Updating an existing device with a different device profile
Upgrading firmware for existing devices
Importing an existing device that is not currently managed by Manager

Note: For more information about how to perform the tasks during this phase of deployment, see “Initializing devices” on page 28.

Issuance
Issuance is the next phase of deployment following initialization where device users are defined along with security policies. During this phase, an issuance officer configures the device with security policies and other settings that prepare the device for usage. Security policies and other settings are created and maintained in usage profiles. The issuance officer also binds devices to corporate users prior to delivery to the end user. The issuance process involves the following operations.

Create a usage profile
When you create a usage profile, you can set the following policies:

Method used to deploy devices to users (provisioning mode)
Number of device users
Ability to share private partitions
Password parameters
Number of finger enrollments allowed
Security level for biometric authentication
Retry limit for biometric authentication
Data Recovery options
Authentication mode—one-factor or two-factor
Credential issuance settings for certificates or RSA SecurID tokens


Issue devices to users
You issue devices by adding users to the device. When you add a user, you can specify the private partition size (if applicable). The usage profile is applied to the device when you create the first user. The usage profile determines whether or not the end user must be present during the issuance process to personalize the device with a fingerprint, password, or both. You can also allow users to personalize their own devices—called user self-personalization. For more information, see “Personalization” on page 25.

When you issue devices to users, you can also issue credentials. For more information, see “Issuing and managing credentials” on page 39.

Deliver devices to recipients
A generated e-mail notifies end users of their device delivery (and its initial password if applicable). However, you must still ensure that the correct device is delivered to the target end user. Since devices contain no physical markings to identify the user to whom it has been issued, it is recommended that you tag each issued device. Tags can be a paper printout or sticker that identifies the intended recipient. If you want assistance in setting up this process, contact McAfee Professional Services.

Other issuance tasks:
Remove users from devices
Manage usage profiles including applying a new profile, editing, deleting, or deactivating a profile
Revoke users or devices

Personalization
The personalization phase prepares a device for daily use by end users once they receive an issued device. Personalization tasks can include enrolling fingers for biometric authentication, changing the initial password, or both. The following two types of deployment are available to complete the personalization process:

Face-to-face—the end user must be physically present with the Issuance Officer to personalize the device. Face-to-face deployment provides strong identity proofing because Issuance Officers can verify that the correct user is authorized for the device.
User self-personalization—users personalize their devices independently using a self-serve wizard in the client. Users who must authenticate with only one factor will automatically receive a notification e-mail with a temporary password once a device has been issued. The temporary password is required to complete the self-serve wizard. Users who require two-factor authentication must call the Help Desk to receive an authorization code to complete the self-personalization process. The user will provide the Help Desk Operator with a confirmation code when the self-personalization process is complete. The phone call allows the Help Desk Operator to confirm the identity of the user and ensure that they are added to the Manager system.

Usage
During the usage phase, devices are in use daily by end users for various functions, such as unlocking the device and updating finger enrollments or passwords. End users can also call the Help Desk to rescue their device if they can no longer authenticate to it. Other tasks that administrators can perform include:

25


Revoking a device—flags the device in the device database to alert administrators and Help Desk Operators. Administrators must physically remove the device to stop a user from using it.
Revoking a user—flags the user in the device database to alert administrators and Help Desk Operators that the user should not be using a device. This also prevents the same user from being issued other devices. Administrators must physically remove the device to stop a user from using it.
Removing a user—removes a user from the device. This does not affect other users if there are multiple users on the device.
Recovering data—the process by which a Security Officer can get data off a device without the user being present.
Rescuing devices—the process by which a Help Desk Operator assists an end user who cannot authenticate to the device.
Updating software on the read-only partition

The role of the administrator
You can separate administrative tasks into roles so that each role is responsible for a different set of tasks. Separating roles is useful when you want to control access to specific tasks. It also ensures that one person does not have control over the entire deployment process.

For auditing purposes, Manager creates a log of all administrative operations.

When you install Manager, you can separate it into four modules according to the following roles:

Initialization Officer
Issuance Officer
Help Desk Operator
Security Officer

Initialization Officer
Initialization Officers can erase devices and perform tasks involved in the Initialization phase of deployment. For more information, see “Initialization” on page 23.

Issuance Officer
Issuance Officers can perform tasks involved in the Issuance phase of deployment, including setting user profiles, creating users and corporate administrators, and setting security policies. They can also remove users or revoke users or devices. For more information, see “Issuance” on page 24 and “Personalization” on page 25.

Help Desk Operator
Help Desk Operators provide authorization codes to users to complete the personalization process for two-factor authentication. They also assist users in device rescue operations. Rescuing typically involves communicating with end users by phone to validate their identities and give them the authorization code to rescue their devices. For more information about rescuing devices, see “Rescuing devices” on page 45.

26


Security Officer
Security Officers perform data recovery operations. Data recovery is different from device rescue operations. Data recovery is done for auditing purposes where user information needs to be examined. The device user is not required to be present. In contrast, during a device rescue the Help Desk Operator cannot access or examine private user data. For more information about data recovery, see “Recovering data” on page 45.

Help Desk support
When a user calls the Help Desk, it is important that the Help Desk Operator confirms the identity of the user using acceptable corporate criteria. Manager can help the Operator confirm that the user has the correct device by matching the serial number to the user.

To ensure the security of this process, a Help Desk Operator must do the following before providing the authorization code to end users to rescue the device:

Have users identify themselves and the serial number of their device.
Confirm that this information is consistent with the data in the device database.
Apply other corporate identification criteria as specified by your company.

When the Help Desk Operator is satisfied that the criteria are met and has confirmed the identity of the caller, he can release the authorization code to the user.

For more information, see “Rescuing devices” on page 45.
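The release checks described in this section, written out as an added example (this is not part of the guide and not McAfee's code). It models the three checks the Help Desk Operator must complete before releasing an authorization code, applies the revocation flags the guide describes elsewhere (a revoked user cannot be rescued; a revoked device is flagged for operators), and writes every decision to an audit log in the spirit of the guide's statement that Manager logs administrative operations. The user and device records, names and serial numbers are constructed, and the data model is an assumption, not the product's database schema.

```python
"""Help Desk rescue-code release check (added example, not McAfee's code).

Before an authorization code is released, the caller must identify
themselves and their device serial number, the pair must match the device
database, and the company's own identification criteria must be met.
Revoked users and revoked devices are refused. Every decision is logged.
All records below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class UserRecord:
    user_id: str
    revoked: bool = False


@dataclass
class DeviceRecord:
    serial: str
    users: set[str] = field(default_factory=set)  # users issued this device
    revoked: bool = False


# Constructed device database (hypothetical users and serial numbers).
USER_DB = {
    "alice": UserRecord("alice"),
    "bob": UserRecord("bob"),
    "carol": UserRecord("carol", revoked=True),
    "dave": UserRecord("dave"),
}
DEVICE_DB = {
    "SN-0001": DeviceRecord("SN-0001", {"alice"}),
    "SN-0002": DeviceRecord("SN-0002", {"bob", "carol"}),  # multi-user device
    "SN-0003": DeviceRecord("SN-0003", {"dave"}, revoked=True),
}


def rescue_decision(user_id: str, serial: str, corporate_criteria_met: bool,
                    audit_log: list[dict]) -> tuple[bool, str]:
    """Decide whether the authorization code may be released to the caller.

    Returns (allowed, reason). Checks run in order and the first failure is
    reported, so the operator sees the earliest mismatch in the call script.
    """
    user = USER_DB.get(user_id)
    device = DEVICE_DB.get(serial)
    if user is None:
        verdict = (False, "user not in device database")
    elif device is None:
        verdict = (False, "serial not in device database")
    elif user_id not in device.users:
        verdict = (False, "serial does not match user")
    elif user.revoked:
        verdict = (False, "user revoked")
    elif device.revoked:
        verdict = (False, "device revoked")
    elif not corporate_criteria_met:
        verdict = (False, "corporate identification criteria not met")
    else:
        verdict = (True, "identity and device confirmed")
    # Audit trail: who asked, for which device, and what was decided.
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user_id,
        "serial": serial,
        "allowed": verdict[0],
        "reason": verdict[1],
    })
    return verdict


if __name__ == "__main__":
    log: list[dict] = []
    print(rescue_decision("alice", "SN-0001", True, log))
    print(rescue_decision("carol", "SN-0002", True, log))
    for entry in log:
        print(entry)
```

The gate only decides whether the code may be released; generating the code itself is left to Manager. Checking the serial-to-user mapping before the revocation flags means a caller who quotes a serial belonging to someone else is refused without the operator learning anything about that other user's status.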

27


Initializing devices

Device initialization is the first phase in a deployment of McAfee Encrypted USB Devices. McAfee Encrypted USB Manager configures each device with the parameters set in the initialization profile that you apply to the device. The Initialization Officer is responsible for creating initialization profiles and applying them to devices.

This chapter contains information about:

Creating initialization profiles
Editing and deleting initialization profiles
Applying initialization profiles to devices
Erasing devices

Note: While initialization profiles control the device configuration, usage profiles control how users and private partitions are configured on a device. In an initial deployment, Issuance Officers apply usage profiles to devices during the second phase of deployment, where devices are issued to users. For more information, see “Issuing devices to users” on page 33.

Creating initialization profiles
You must create an initialization profile before you can initialize a device. Initialization profiles contain the policies that determine how a device is configured. As a general guideline, create one company profile and apply this to most devices.

Initialization profiles are created by entering the parameter information in a new profile or by copying an existing profile and saving it under a new name. You can set the following parameters in an initialization profile.

Table 1-1: Initialization profile settings

Profile setting Description

Profile name Provide a descriptive name for the profile.

Device Type Indicates the type of device, such as McAfee Zero Footprint Biometric Encrypted USB, to which you want to add the profile.

Allow Public Partition Lets you set up a public partition. The default setting is “NO”.

Public Partition Size (MB) If you set up a public partition, type the size in the text box.

Read-Only Drive Type Specifies whether the device is recognized as a removable or fixed drive. The default setting for a new profile is “Removable”. It is recommended that you use the default setting. However, if using devices on computers running Windows 2000, set the drive type to “Fixed” to ensure that the device autorun feature operates correctly.

The first time you use an initialization profile from an earlier release of Manager, the profile will be automatically configured to use the “Removable” drive type. You will be notified if Manager switches a device type from fixed to removable or from removable to fixed.

28


Table 1-1: Initialization profile settings (continued)

Profile setting Description

Read-Only Partition Size When sizing the read-only partition, include adequate space to accommodate the addition of future programs. Resizing later can be difficult if there is no available space on the device, since resizing a partition requires you to reformat the drive. The recommended space allocation for the read-only partition is 80MB to 100MB.

Read-Only Volume Name Specifies the name that is assigned to the read-only drive when you open a file manager, such as Microsoft Windows Explorer.

Image Type Specifies if the content to add to the read-only partition is saved to a directory or a portable content file. A default portable content file is included with Manager to use as a template. The file includes McAfee applications that you can configure using the Portable Content Manager. You can also add other applications. For more information, see “Creating a portable content file” on page 49.

Portable Software Image Browse to the location of the portable software image that you want to load on the read-only partition of the device.

Device Management Code If you want to change the default management code, “RECYCLE”, type a new code in the text box. The management code is required to perform device management processes such as erasing the device, upgrading firmware, or updating device software.

Profile Status Indicates whether the profile is active or inactive. Inactive profiles cannot be applied to devices.

Note 1: To update a device with a new portable content file after the device has been issued to users, you must create a portable software package and install it on the device. For more information, see “Creating a portable software package” on page 51.

Note 2: McAfee Standard Encrypted USB does not have a read-only partition. You must install the client on the client workstation for this device. For more information, see “Installing the client” on page 21.

Note 3: McAfee Standard Driverless Encrypted USB does not support partition sizing. The read-only image is built in and you cannot upgrade or modify it. Also, this device does not use a management code.

To create a new initialization profile
1 From the main menu of Manager, click Device Initialization.
2 In the Other Tasks area, click Manage Initialization Profiles.
3 Click Add and follow the instructions on the Device Initialization Profiles page.

To copy an initialization profile
1 Follow steps one and two from “To create a new initialization profile” on page 29.
2 From the Existing Profiles list, click the profile you want to copy, and then click Copy.
3 Follow the instructions on the Device Initialization Profiles page to complete the procedure.

29


Editing and deleting initialization profiles
For auditing reasons you cannot edit or delete an initialization profile that has been applied to a device; you can only view it in read-only mode. To modify an existing initialization profile, copy it to a new profile and edit the new copy. For more information, see “To copy an initialization profile” on page 29.

You can change the status of a profile from active to inactive. Only active profiles can be added to devices. By default, when you create an initialization profile the profile status is active. Deactivating a profile removes it from the list of active profiles but does not delete it from Manager.

To edit an initialization profile
1 From the main menu of Manager, click Device Initialization.
2 In the Other Tasks area, click Manage Initialization Profiles.
3 From the Existing Profiles list, click the profile you want to edit, and then click Edit.
4 Follow the instructions on the Device Initialization Profiles page to complete the procedure.

To delete an initialization profile
1 From the main menu of Manager, click Device Initialization.
2 In the Other Tasks area, click Manage Initialization Profiles.
3 From the Existing Profiles list, click the profile you want to delete, and then click Delete.

If the initialization profile has been applied to a device, you cannot delete it.

To deactivate an initialization profile
1 From the main menu of Manager, click Device Initialization.
2 In the Other Tasks area, click Manage Initialization Profiles.
3 From the Existing Profiles list, click the profile you want to deactivate, and then click Edit.
4 In the Profile Status area, click to clear the Active check box.

Note 1: If you want to reactivate a profile, repeat the first 3 steps in the procedure “To deactivate an initialization profile”. In Step 4, click the Active check box.

Note 2: To view a list of active or inactive profiles, on the Manage Initialization Profiles page, click the appropriate option button.

Applying initialization profiles to devices
You initialize a new device by applying an initialization profile to the device. New devices are not registered in the Manager system and have no device users.

You can update registered devices—those that are part of the Manager system and may have device users—by applying a different initialization profile. Non-registered devices—those that have device users but are not registered in the Manager system—are automatically imported to the system when you apply the initialization profile.

Updating or importing a device by applying an initialization profile does not remove current users or data from the device.

30


Important: If you import a non-registered device you cannot rescue the device or recover data from existing users. You can erase a device when you import it. For information about removing all users and device data, see “Erasing devices” on page 31.

Note: For information about creating initialization profiles, see “Creating initialization profiles” on page 28.

To apply an initialization profile to a new device
1 Plug the device into the USB port of the initialization computer.
2 In Manager, click Device Initialization, and then click Manage Devices.
3 Follow the instructions on the New Device Initialization page.

To update a registered device with a different profile
1 Plug the device into the USB port of the initialization computer.
2 In Manager, click Device Initialization, and then click Manage Devices.
3 Follow the instructions on the Update Device page.

To import a non-registered device and apply an initialization profile
1 Plug the device into the USB port of the initialization computer.
2 In Manager, click Device Initialization, and then click Manage Devices.
3 Follow the instructions on the Import Device page.

Note 1: If the device requires a firmware upgrade, Manager displays the Firmware Upgrade page. You must upgrade the firmware before you can proceed. For more information, see “Upgrading device firmware” on page 44. McAfee Standard Driverless Encrypted USB does not allow you to upgrade its firmware.

Note 2: For non-registered devices that are locked, you will be required to unlock the device by authenticating to it as an administrator.

Erasing devices
Erasing a device deletes all current device users, keys, and authentication mechanisms from the device and resets it to a default state. All data on the device will be unrecoverable. You can erase users on a registered or non-registered device that you want to import or re-initialize.

Once you erase a device, you can initialize it as a new device. For registered devices, if you do not initialize the device after erasing it, the device remains in the Manager system and is marked as “erased”. However, for licensing purposes, the erased device still uses a device license. You can initialize the device at a later time. For information about initializing a new device, see “To apply an initialization profile to a new device” on page 31.

To erase a device
1 Plug the device into the USB port of the initialization computer.
2 In Manager, click Device Initialization, and then click Manage Devices.
One of the following pages will be displayed depending on the state of the device:
Import Device—if the device is not registered in the Manager system
Update Device—if the device is registered in the Manager system
3 Under Next Action, click Erase Device and follow the instructions on the page.

31


Note 1: For non-registered devices that are locked, you will be required to unlock the device by authenticating to it as an administrator. You must also provide the device management code.

Note 2: If the device requires a firmware upgrade, Manager displays the Firmware Upgrade page. For information about upgrading firmware, see “Upgrading device firmware” on page 44.

32


Issuing devices to users

Device issuance is the second phase in a deployment of McAfee Encrypted USB Devices.

McAfee Encrypted USB Manager configures each device with the settings in the usage profile that you apply to the device. The Issuance Officer is responsible for creating usage profiles and applying them to devices.

This chapter contains information about:

Creating usage profiles
Managing usage profiles
Applying new usage profiles to devices
Adding users to devices
Removing users from devices
Revoking users and devices

Creating usage profiles
Usage profiles define the security and usage policies of the device. You must create a usage profile before you add users to a device. You can create different profiles to accommodate different types of user groups. For example, one usage profile may be for single-user devices and one for multi-user devices with shared partitions.

Usage profiles are created by entering new user settings or by copying an existing profile and saving it under a new name. The usage profile settings that are available vary according to the device type you select. You can set the following parameters in a usage profile.

Table 1-1: Usage profile settings

Profile setting Description

Profile name Indicates the name associated with this usage profile. You can specify names according to user types.

Device type Lets you select the device type for the profile, for example, McAfee Zero Footprint Biometric Encrypted USB.

Provisioning Mode Determines the process by which the user will personalize the device—by enrolling fingers, setting passwords, or both. For more information, see “Personalization” on page 25. Options include:
User self-personalization—users personalize their own device using a self-serve wizard in the client.
Face-to-face—users personalize their device in the presence of an Issuance Officer.

Number of users on device Controls how many users you can add to the device, to a maximum of four. McAfee Standard Driverless Encrypted USB devices allow only one user.

Password policies Allows you to increase the complexity of the password by setting rules. For more information, see “Password policies” on page 35.

Shared private partitions When you activate private partition sharing, users save files to the same partition space.

33


Number of fingers per user Total number of fingerprints each user can enroll. Maximum biometric enrollments per device is six.

Biometric Security Level The biometric security level applies to all users. It is expressed as a False Match Rate (FMR) probability such as “1 in 10,000”. FMR is the probability that two different fingers are incorrectly matched.

A low FMR means higher security because the device requires a closer match between two fingerprints. Therefore, “1 in 10,000” is more secure than “1 in 1,000”. However, a low FMR also means that the device may reject a genuine user because the sensor is less tolerant of small fingerprint deviations due to dirt, improper placement of the finger, and so on. Conversely, a high FMR means the device is less likely to reject a genuine user but more likely to incorrectly match two different fingerprints. If some users have difficulty authenticating to the device at the desired level of security, it is recommended that you also assign them a password.

Biometric retry limit When a user exceeds the retry limit while trying to authenticate to the device, the following action occurs: only the user whose biometric is blocked is prevented from accessing the device using biometric authentication. Password authentication is still available. For example, a retry limit of one will block users after two failed attempts. Retry limits can range from 1 to 255, or infinite.

It is recommended that you set biometric retry limits higher than password retry limits, since biometric authentication failures are not always the fault of the user.

Note: Biometric false rejections (when a genuine user is not validated during an authentication attempt even when using an enrolled finger) can occur with any biometric system. The false rejection rate increases with higher biometric security levels. Therefore, it is recommended that you set a high biometric retry limit to minimize the chances of blocking access to the device for biometric users due to false rejections. Setting a low retry limit can easily result in blocked access, especially if a low False Match Rate (FMR) is set for the biometric security level. See also Biometric Security Level.

Data Recovery Indicates whether you can recover data for a device user and use the Help Desk to rescue the device if the user can no longer authenticate to it. If you select None (data destruction), data recovery and device rescue are not available. Device rescue is not available with McAfee Standard Driverless Encrypted USB devices.

Authentication Mode Defines whether users must authenticate using one factor (biometric or password) or two factors (biometric and password).

Enable Certificate Issuance Specifies whether you can issue certificates from your Certificate Authority to users using Manager. This setting is enabled by default. For more information, see “Creating credential profiles” on page 39.

Enable RSA SecurID Token Issuance Specifies whether you can issue RSA SecurID tokens to users. This setting is enabled by default. For more information, see “Setting up Manager to use RSA SecurID tokens” on page 16.

To create a usage profile
1 From the main menu of Manager, click Device Issuance.
2 In the Other Tasks area, click Manage Usage Profiles.
3 Click Add, and complete the instructions on the pages that follow.

34


To copy a usage profile
1 From the main menu of Manager, click Device Issuance.
2 In the Other Tasks area, click Manage Usage Profiles.
3 From the Existing Profiles list, click the profile you want to copy, and then click Copy.
4 Complete the instructions on the pages that follow.

Note: While usage profiles control how users and private partitions are configured on a device, device settings such as public and read-only partition sizes are configured using initialization profiles. Initialization Officers apply those profiles during the first phase of deployment, where devices are initialized. For more information, see “Initializing devices” on page 28.

Password policies
You can increase the strength of a password by changing the complexity of the rules that users must follow when setting a password. Complex password rules increase security by reducing the probability that an unauthorized person could breach the password and access a device. The following table describes the password rules available with Manager.

Table 1-2: Password rules and definitions

Rule Definition

Password retry limit Number of failed password authentication attempts allowed before users are blocked from unlocking the device. For example, a retry limit of one will block users after two failed attempts. Only the user whose password is blocked is prevented from using a password to unlock the device. Biometric authentication (if applicable) is still available if the biometric retry limit has not been exceeded. Retry limits can range from 1 to 255, or infinite. However, for McAfee Standard Driverless Encrypted USB devices the maximum retry limit is 10.

Minimum password length

Minimum number of valid characters (4–40) the password can contain.

Minimum special characters

Minimum number of special characters (0–15) required in the password. Valid characters include: ~ ` ! @ # $ % ^ * ( ) _ - + = { } [ ] | \ : ' " , . / ? & ; < >

Minimum numeric characters

Minimum number of numeric characters (0–15) required in the password, for example (1234567890).

Minimum alphabetical characters

Minimum number of alphabetical characters (0–15) required in the password (includes uppercase and lowercase).

Minimum uppercase characters

Minimum number of uppercase characters (0–15) required in the password.

Minimum lowercase characters

Minimum number of lowercase characters (0–15) required in the password.

Reuse threshold Minimum number of different passwords that a user must set before he can reuse a previous password.

Minimal lifetime (minutes)

Minimum number of minutes the user must wait before a newly changed password can be changed again. This rule prevents users from changing their password and then quickly changing it back to the original password to avoid using the new password.

Maximum lifetime (days) Maximum number of days (0–65534 or infinite) for which a newly changed password is valid. The user must change the password when the maximum lifetime expires.
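The rules in Table 1-2, turned into a validator as an added example (not part of the guide and not McAfee's code). It checks the character-count minimums, the reuse threshold against a password history, the minimal lifetime and the maximum lifetime, and models the retry-limit rule the guide states for both the password and the biometric factor (a limit of one blocks after two failed attempts; each factor is counted separately, so a blocked biometric leaves the password usable). The policy values in PasswordPolicy are constructed, not the product's defaults, and the history is kept in plaintext purely for illustration; a real store would compare against salted hashes.

```python
"""Password rules and retry limits from Table 1-2 (added example, not McAfee's code).

Policy values are constructed; ranges in comments are the guide's limits.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Special characters exactly as listed in Table 1-2.
SPECIAL_CHARS = set("~`!@#$%^*()_-+={}[]|\\:'\",./?&;<>")


@dataclass
class PasswordPolicy:
    min_length: int = 8                 # guide: 4-40
    min_special: int = 1                # each count rule below: 0-15
    min_numeric: int = 1
    min_alpha: int = 1
    min_upper: int = 1
    min_lower: int = 1
    reuse_threshold: int = 3            # distinct passwords before reuse
    minimal_lifetime_minutes: int = 60
    maximum_lifetime_days: Optional[int] = 90   # None means infinite


def check_complexity(pw: str, policy: PasswordPolicy) -> list[str]:
    """Return the rules the candidate password violates (empty list if none)."""
    errors = []
    # Only letters, digits and the listed specials are valid characters.
    invalid = {c for c in pw if not (c.isalpha() or c.isdigit() or c in SPECIAL_CHARS)}
    if invalid:
        errors.append(f"invalid characters: {''.join(sorted(invalid))!r}")
    if len(pw) < policy.min_length:
        errors.append(f"shorter than minimum length {policy.min_length}")
    counts = {
        "special": sum(c in SPECIAL_CHARS for c in pw),
        "numeric": sum(c.isdigit() for c in pw),
        "alphabetical": sum(c.isalpha() for c in pw),
        "uppercase": sum(c.isupper() for c in pw),
        "lowercase": sum(c.islower() for c in pw),
    }
    minimums = {
        "special": policy.min_special, "numeric": policy.min_numeric,
        "alphabetical": policy.min_alpha, "uppercase": policy.min_upper,
        "lowercase": policy.min_lower,
    }
    for name, minimum in minimums.items():
        if counts[name] < minimum:
            errors.append(f"fewer than {minimum} {name} characters")
    return errors


def check_change(new_pw: str, history: list[str], last_changed: Optional[datetime],
                 now: datetime, policy: PasswordPolicy) -> list[str]:
    """Validate a password change. history holds previous passwords, oldest last-changed first."""
    errors = check_complexity(new_pw, policy)
    # Reuse threshold: the last N distinct passwords may not be set again.
    recent = history[-policy.reuse_threshold:] if policy.reuse_threshold > 0 else []
    if new_pw in recent:
        errors.append(f"reused one of the last {policy.reuse_threshold} passwords")
    # Minimal lifetime: stops change-and-change-back within the window.
    if last_changed is not None:
        if now - last_changed < timedelta(minutes=policy.minimal_lifetime_minutes):
            errors.append(f"minimal lifetime of {policy.minimal_lifetime_minutes} minutes not reached")
    return errors


def password_expired(last_changed: datetime, now: datetime, policy: PasswordPolicy) -> bool:
    """True once the maximum lifetime has passed; never for an infinite lifetime."""
    if policy.maximum_lifetime_days is None:
        return False
    return now - last_changed > timedelta(days=policy.maximum_lifetime_days)


class RetryCounter:
    """Per-user, per-factor failure counter. A limit of N blocks after N+1 failures,
    as in the guide's example ("a retry limit of one will block users after two
    failed attempts"); limit None means infinite and never blocks."""

    def __init__(self, limit: Optional[int]):
        self.limit = limit
        self.failures = 0

    @property
    def blocked(self) -> bool:
        return self.limit is not None and self.failures > self.limit

    def record_failure(self) -> bool:
        """Record one failed attempt; return True if this factor is now blocked."""
        self.failures += 1
        return self.blocked

    def reset(self) -> None:
        """Call after a successful authentication with this factor."""
        self.failures = 0
```

Keeping one RetryCounter per factor per user is what gives the behaviour the table describes: when the biometric counter blocks, the password counter is untouched and the user can still unlock with a password until that limit is also exceeded.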

35


Managing usage profiles
You can only edit or delete usage profiles that have not been assigned to a user. Once you assign a profile to a user, you can view it only in read-only mode. To edit a usage profile that has been assigned to users, you must copy it to a new profile and edit the new copy. For more information, see “To copy a usage profile” on page 35.

You can change the status of a profile from active to inactive. Only active profiles can be added to devices. By default, when you create a usage profile the status is active. Deactivating a profile removes it from the list of active profiles but does not delete it from Manager.

To edit a usage profile
1 From the main menu of Manager, click Device Issuance.
2 In the Other Tasks area, click Manage Usage Profiles.
3 From the Existing Profiles list, click the profile you want to edit, and then click Edit.
4 Enter the new parameters in the appropriate text boxes and click Next to save the changes to the profile.

To delete a usage profile
1 From the main menu of Manager, click Device Issuance.
2 In the Other Tasks area, click Manage Usage Profiles.
3 From the Existing Profiles list, click the profile you want to delete, and then click Delete.

If the usage profile has been applied to a user, a message appears indicating that you cannot delete this profile.

To deactivate a usage profile
1 From the main menu of Manager, click Device Issuance.
2 In the Other Tasks area, click Manage Usage Profiles.
3 From the Existing Profiles list, click the profile you want to deactivate, and then click Edit.
4 In the Profile Status area, click to clear the Active check box.

Note 1: If you want to reactivate a profile, repeat the first 3 steps in the procedure “To deactivate a usage profile”. In Step 4, click the Active check box.

Note 2: To view a list of active or inactive profiles, on the Manage Usage Profiles page, click the appropriate option button.

Applying new usage profiles to devices
You apply the usage profile to a device for the first time when you add the first user. For information about adding users, see “Adding users to devices” on page 37.

You can change the usage profile by applying a different profile to a device after it has been issued to users. However, you can apply a new usage profile only if it is compatible with the current user configuration on the device. If the profile is not compatible, for example, the number of biometric enrollments allowed per user is less than the number of fingers that are already enrolled for a user, you can change the user configuration on the device or use a compatible usage profile.

36


To apply a new usage profile
1 Plug the device into the USB port of the issuance computer.
2 From the main menu of Manager, click Device Issuance.
3 Click Apply New Usage Profile and follow the instructions on the Change Usage Profile page.
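The compatibility rule for applying a new usage profile, as an added example (not part of the guide and not McAfee's code). The guide gives one case of an incompatible profile: fewer fingers allowed per user than a user has already enrolled. This check applies that rule and generalises it to the other usage profile settings in Table 1-1 that constrain users already on the device, namely the number of users. The two-factor check (a user with no enrolled finger or no password cannot satisfy an Authentication Mode that requires both) is this example's own assumption about the product's behaviour, not something the guide states. Field names and the constructed device users are assumptions.

```python
"""Usage-profile compatibility check (added example, not McAfee's code).

Reports every way a candidate usage profile conflicts with the users
already on an issued device, so an Issuance Officer can either change the
user configuration or pick a compatible profile, as the guide advises.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class DeviceUser:
    user_id: str
    fingers_enrolled: int   # fingerprints currently enrolled on the device
    has_password: bool


@dataclass
class UsageProfile:
    name: str
    number_of_users: int    # guide: up to four (one on Standard Driverless)
    fingers_per_user: int   # guide: six enrollments per device at most
    two_factor: bool        # Authentication Mode: biometric and password


def incompatibilities(profile: UsageProfile, users: list[DeviceUser]) -> list[str]:
    """Return a description of each conflict; an empty list means compatible."""
    problems = []
    if len(users) > profile.number_of_users:
        problems.append(f"device has {len(users)} users but profile "
                        f"{profile.name!r} allows {profile.number_of_users}")
    for u in users:
        # The guide's own example: cannot reduce fingers below what is enrolled.
        if u.fingers_enrolled > profile.fingers_per_user:
            problems.append(f"{u.user_id} has {u.fingers_enrolled} fingers enrolled "
                            f"but the profile allows {profile.fingers_per_user}")
        # Assumption: two-factor mode needs both factors already set up.
        if profile.two_factor and (u.fingers_enrolled == 0 or not u.has_password):
            problems.append(f"{u.user_id} cannot meet two-factor authentication "
                            "(needs an enrolled finger and a password)")
    return problems


def can_apply(profile: UsageProfile, users: list[DeviceUser]) -> bool:
    return not incompatibilities(profile, users)


if __name__ == "__main__":
    # Constructed device state: two users, one biometric-only.
    current = [DeviceUser("alice", 2, True), DeviceUser("bob", 3, False)]
    for p in (UsageProfile("two-finger", 4, 2, False),
              UsageProfile("single-user", 1, 3, False),
              UsageProfile("two-factor", 4, 3, True)):
        print(p.name, incompatibilities(p, current) or "compatible")
```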

Adding users to devices
You can issue devices only to users in the corporate directory. You can add users to multiple devices or multiple users to one device (if the usage profile is configured for multiple users). When you add the first user, you also specify which usage profile to apply to the device. For more information about usage profiles, see “Creating usage profiles” on page 33.

Some McAfee Encrypted USB Devices have private partitions to which users can save data. You can specify the private partition size and whether or not you want the user to share the partition with other users on the device. When you add multiple users to a device, each with a private partition, the available partition size automatically changes after each user is added to reflect the remaining disk space. If applicable, you can also add credentials for each user.

With face-to-face personalization, users must be present when you add them to personalize the device. With user self-personalization, the user personalizes the device when they receive it using the self-serve wizard in the client. For more information, see “Personalization” on page 25.

To add a user
1 Plug the device into the USB port of the issuance computer.
2 From the main menu of Manager, click Device Issuance.
3 Click Add User to Device and complete the instructions on the pages that follow.
4 If you want to issue credentials to a user after you add the user to the device, on the Device Issuance—Operation Complete page, click Add User Credentials to Device.
5 Complete the instructions on the pages that follow.

The Add User Credentials to Device link will not display if Manager is not configured to issue credentials to users. For more information about credentials, see “Issuing and managing credentials” on page 39.

Note: You can locate users to add to devices using the corporate directory. The User Directory Search page lets you search for users by first and last name and provides a list of the search results. You can use wildcard characters in the search value strings.

Removing users from devices

You can remove users from devices as necessary. If you want to delete all users from a device to reconfigure it, you must erase the device. For more information, see “Erasing devices” on page 31.

After you remove a user, the private data belonging to the user is unrecoverable (unless it is shared with another user on the same device). Removing a user is not the same as revoking a user. Revoking a user flags the user in the Manager system. The flag alerts administrators and Help Desk operators to indicate that the user does not have privileges to use the device. For more information, see “To revoke a user” on page 38.


To remove a user
1 Plug the device into the USB port of the issuance computer.
2 From the main menu of Manager, click Device Issuance.
3 Click Remove User from Device and complete the instructions on the Remove User from Device page.

Revoking users and devices

Issuance Officers can revoke users or devices to alert administrators and Help Desk Operators that either a user should not be using a device or the device should not be used.

Revoking a user

You can revoke a user if there are multiple users on one device or if the user has been added to multiple devices. Revoking a user flags the user in the Manager system. The flag alerts administrators that the user does not have privileges to use the device. It also prevents Help Desk operators from rescuing a device for a user who has been revoked. After you revoke a user, you must obtain the device to complete the revocation process.

You can reinstate a revoked user to remove the flag in the Manager system. Reinstating a user removes only the Revoke user flag in the Manager system. However, if you have removed a user from the device, you cannot reinstate him. You must add the user to the device. For more information, see “Adding users to devices” on page 37.

To revoke a user
1 In Manager, click Device Issuance.
2 Under Other Tasks, click Revoke User from System and complete the instructions on pages that follow.

To reinstate a user
1 In Manager, click Device Issuance.
2 Under Other Tasks, click Revoke User from System and complete the instructions on pages that follow.

Revoking a device

You can revoke a device to terminate the usage of the device, for example, if the user leaves the company or the user’s role has changed and use of the device is no longer necessary. You must physically remove a device to stop the user from using it. However, you can revoke the device using Manager to flag the device as “revoked”. Flagging the device alerts administrators and prevents Help Desk operators from rescuing a revoked device. After you revoke the device you can recover data or erase the device.

If the device has multiple users and you want to only revoke one user, see “Revoking a user” on page 38.

To revoke a device
1 In Manager, click Device Issuance.
2 Under Other Tasks, click Revoke Device from System and complete the instructions on the pages that follow.


Issuing and managing credentials

The following devices are USB secure token devices that provide secure key storage and strong authentication:

- McAfee Zero Footprint Biometric Encrypted USB
- McAfee Zero Footprint Non-Biometric Encrypted USB
- McAfee Encrypted USB Hard Disk

Each device can support multiple credentials. However, McAfee Standard Driverless Encrypted USB and McAfee Standard Encrypted USB devices do not support credential issuance.

Before you can use credentials with McAfee Encrypted USB Manager, you must set up your environment to connect with the appropriate servers. For more information, see “Setting up Manager to use certificates” on page 13.

Credentials allow users to access or send secure information, for example by signing or encrypting e-mail messages, or logging on to a computer to access remote resources. Credentials are managed in Manager using credential profiles. Once you create the profile, you can issue credentials to users.

This chapter contains information about:

- Creating credential profiles
- Copying, editing and deleting profiles
- Issuing credentials to users
- Removing credentials
- Performing a key recovery operation

Creating credential profiles

Credential profiles define the type of credential, such as certificates or RSA SecurID tokens, that you want to issue to end users. You must create the appropriate profiles before you can issue certificates or RSA SecurID tokens. You should provide a descriptive profile name so that Issuance Officers can determine which certificates and RSA SecurID tokens to issue to users based on the name of the profile.

Certificate profiles

When you create a certificate profile, you must specify the server for the Certificate Authority (CA) that will issue the certificates. You define which certificate template to use for each certificate profile that you create. The list of available certificate templates is provided by the Certificate Authority. For information about how to create signing and encryption certificates for Manager, see “Setting up Manager to use certificates” on page 13.

Signing certificates are installed, and their keys generated on the device. On-board key generation ensures that the private key does not exist elsewhere. Device key generation provides the maximum assurance of non-repudiation. You do not need to create a backup for signing certificates.


Special configuration of the CA and the certificate template is required to support a key backup system. When you create the certificate profile, you must indicate if the Certificate Server profile is configured to use key backup (key archival). For more information, see “Setting up a key recovery system” on page 14. For information about performing a key recovery operation, see “Performing a key recovery operation” on page 42.

To create a certificate issuance profile
1 In the Provisioning Tasks area on the main menu of ACCESS Enterprise Manager, click User Credentials.
2 In the Other Tasks area, click Manage Credential Profiles.
3 Click Add, and then click Certificate Issuance Profile.
4 Complete the instructions on the pages that follow.

RSA SecurID profiles

When you create an RSA SecurID profile to issue RSA SecurID tokens, you must provide the URL for the McAfee RSA Web Service. The Web Service provides a link between Manager and the RSA Authentication Manager. For more information about setting up the Web Service, see “Setting up Manager to use certificates” on page 13.

To create an RSA SecurID profile
1 In the Provisioning Tasks area on the main menu of ACCESS Enterprise Manager, click User Credentials.
2 In the Other Tasks area, click Manage Credential Profiles.
3 Click Add, and then click RSA SecurID Profile.
4 Complete the instructions on the pages that follow.

The following URL string is an example of the McAfee Encrypted USB Manager RSA Web Service URL that is required to create the profile.

http://{WebServer}/McAfeeRSAWebService/RSAManagerService.asmx

Copying, editing and deleting profiles

You can duplicate a credential profile to create a new profile with the same settings as the existing one.

To copy a credential profile
1 From the main menu of Manager, click User Credentials.
2 In the Other Tasks area, click Manage Credential Profiles.
3 From the Existing Profiles list, click the profile you want to duplicate, and then click Copy.
4 Complete the instructions on the pages that follow.

To edit a credential profile
1 From the main menu of Manager, click User Credentials.
2 In the Other Tasks area, click Manage Credential Profiles.
3 From the Existing Profiles list, click the profile you want to edit, and then click Edit.
4 Enter the new parameters on the pages that follow.


To delete a credential profile
1 From the main menu of Manager, click User Credentials.
2 In the Other Tasks area, click Manage Credential Profiles.
3 From the Existing Profiles list, click the profile you want to delete, and then click Delete.

Note: You cannot delete a credential profile after you have used the profile to issue a credential to a user.

Issuing credentials to users

You can issue RSA SecurID tokens and certificates to users by:

- Issuing credentials directly on the device. You can issue the credential when you add users during the issuance process. Credentials are automatically available for use after the user personalizes the device. After the device is in use, the user must first authenticate to the device before you can issue a credential.
- Saving the credential to a file and delivering the file to end users. End users must then import the credentials manually to the device. Files are password protected. Certificate files use the file format PKCS #12. RSA SecurID tokens use the file format SDTID. Certificate and RSA SecurID token files are protected with a user AES key. The end user is not asked to provide a password when he has already authenticated to the device.

To issue credentials directly on the device
1 If you want to issue credentials when you add a user to the device, complete the procedure to add a user (see page 37). On the Device Issuance—Operation Complete page, click Issue Credentials To User.
2 If you want to issue credentials after the device is in use, insert the device; the user must authenticate to the device if it is not yet unlocked. Click User Credentials on the main page of Manager, and then click Issue Credentials to User.
3 Select the appropriate certificates, RSA SecurID tokens or both and click Next. The wizard adds the selected credentials to the user.

To save credentials to a file
1 Remove any connected devices. Otherwise Manager will attempt to issue the credential to a user on the connected device.
2 On the main page of Manager, in the Provisioning Tasks area, click User Credentials.
3 Click Issue Credentials to User and complete the instructions on the pages that follow.

Note 1: When you finish creating the file, you must distribute it to the end user so that the user can import the credential to the device. For information about importing a certificate to a device, see “To import the recovered certificate file to the device” on page 43.

Note 2: It is recommended that you create a specific folder for credential files if you create multiple files.


Removing credentials

When you remove credentials, the user must first authenticate to the device. If the device has multiple users, you can select the user whose credentials you want to remove. All credentials, including certificates and RSA SecurID tokens, are removed from the selected user.

To remove credentials
1 Plug the device into the USB port of a computer with Manager.
2 On the main page of Manager, in the Provisioning Tasks area, click User Credentials.
3 Click Remove Credentials from User and complete the instructions on the pages that follow.

Performing a key recovery operation

You can recover your decryption key and re-import the recovered encryption key pair and certificate to the device. Key recovery is required to access encrypted data or e-mail messages if the original key is no longer available.

Special configuration of the Certificate Authority (CA) and the certificate template is required to support a key backup system. For more information, see “Setting up a key recovery system” on page 14.

The CA Administrator performs the following steps to complete the key recovery operation:

- Copy the serial number for the certificate you want to recover.
- Locate the certificate using the key recovery tool application and recover the key.
- Provide the recovered key file and password to the user to import to the device.

To copy the certificate serial number
1 Log on to the Certificate Server as the user who owns the key recovery certificate that was created when the Certificate Authority was configured. See “Create a Key Recovery Certificate” on page 14.
2 In the Microsoft Management Console, expand the Certification Authority node by clicking the Plus (+) sign.
3 Click the Certificate Authority and then double-click the Issued Certificates folder.
4 Locate the certificate you want to recover by searching for a certificate issued to the desired user using the certificate template “McAfee Encryption”.
5 Right-click the certificate and click Open.
6 On the Details tab, click Serial number.
7 Select the serial number from the lower pane and press CTRL+C to copy the value to the clipboard.

To locate and recover the certificate
1 To start the key recovery tool application, click the Start button, and then point to Programs. Point to Windows Resource Kit Tools, and then click Command Shell.
2 Type krt.exe.
3 In the key recovery tool application, for search criteria, select Certificate Serial Number and in the Value box, press CTRL+V to paste the serial number from the clipboard. You can also search by Requester name (for example, <domain>\<username>) or by UPN (for example, <username>@test.McAfee.com).
4 Click Search to find the certificate recovery information.
5 Select the certificate from the list and press Recover.
6 Type a file name and password for the key/certificate recovery file.
7 Provide the file name and password to the user whose keys you just recovered.

The end user must now import the file to the device.

Note: For security reasons, it is recommended that you provide the file and password to the user separately. For example, send the file in an e-mail message and provide the password to the user by phone.

To import the recovered certificate file to the device
This procedure is typically performed by the end user.

1 Plug in the device and authenticate to the device to unlock it.
2 From the read-only partition, start the client.
3 On the main menu, click Manage Digital Identities.
4 Click Manage Virtual Security Token, and then click Import from PKCS#12 file.
5 Type the file name and password that was used when the certificate and key pair was recovered. The CA Administrator should have provided the file and password to you.
6 Click Import.
7 Delete the PKCS#12 file when the import process has completed successfully.


Managing devices

This chapter discusses tasks that are typically performed after the initial deployment, when end users are using their devices. Different administrative roles may complete each task if your company has divided McAfee Encrypted USB Manager into modules according to administrative roles. For example, Issuance Officers are typically responsible for revoking users and devices, while Initialization Officers typically perform firmware upgrades and create software update packages. For more information about administrative roles, see “The role of the administrator” on page 26.

This chapter contains information about:

- Viewing device database statistics
- Upgrading device firmware
- Recovering data
- Rescuing devices
- Viewing device information
- Generating reports

Viewing device database statistics

Manager tracks device and user statistics. For devices, you can verify information such as the total number of devices in the system and details about how many devices are revoked, not initialized, initialized but not issued, and issued to users. For users, you can verify information such as the total number of distinct users and details about the number of device users, revoked users, imported device users, and created device users.

To view device database statistics
From the main page of Manager, click Database Statistics.

Upgrading device firmware

Manager can automatically detect if a device requires a firmware upgrade. If the firmware on a device needs upgrading, you must perform the upgrade before you can proceed with other initialization tasks.

For information about initialization tasks, see “Initializing devices” on page 28.

To upgrade device firmware
1 Plug the device into the USB port of the initialization computer.
2 In Manager, click Device Initialization, and then click Manage Devices. The Firmware Upgrade page automatically appears to start the upgrade process.

Note 1: For non-registered devices that are locked, you will be required to unlock the device by authenticating to it as an administrator. You may also be required to provide the device management code.


Note 2: Upon successful completion of the upgrade process, disconnect the device and reconnect it to activate the new firmware.

Recovering data

Encrypted data may need to be recovered for security audits or due to employee termination. A Security Officer (or administrator with appropriate access rights) can recover data on a device that belongs to another user without the user being present. Manager must be installed on the workstation where you insert the device with the data to recover. The usage profile on the device must be configured to allow data recovery. For more information, see “Usage profile settings” on page 33.

Manager resets the user’s password on the device to allow you to access the data.

To recover data
1 On the main page of Manager, click Data Recovery.
2 Follow the instructions on the Data Recovery page to complete the process.
3 When the process finishes, you can proceed with data retrieval by authenticating to the device and accessing the data on the user’s private partition.

Rescuing devices

The client provides end users with information about how to contact the Help Desk. Help Desk Operators can rescue devices for end users who can no longer authenticate to the device. For example, users may be prevented from authenticating if they have exceeded the number of authentication attempts allowed for the device or have forgotten their passwords.

When you rescue a device you provide an authorization code to the end user that resets the end user’s password so that he can authenticate to the device. Once the user enters the authorization code, he will receive a short confirmation code and a temporary password. You must get the confirmation code from the user. When you enter the confirmation code, Manager confirms that the rescue operation was successful for the end user. You can rescue users only if the usage profile on the device is configured to allow Help Desk data recovery. For more information, see “Usage profile settings” on page 33.

Manager provides the serial number of the device and the registered device users. You can use this information to confirm the identity of the end user. Some companies use additional criteria to confirm the end user’s identity. If a user has multiple devices, the Help Desk Operator must select the correct device to rescue. You can identify the correct device by matching the serial number with the serial number that the end user sees on the screen.

To rescue a device
1 On the main page of Manager, click Help Desk.
2 Complete the instructions on the pages that follow.

Note: McAfee Standard Driverless Encrypted USB does not support device rescue operations.
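The rescue exchange above has three messages: an authorization code the operator reads to the user, a temporary password and confirmation code the device gives the user, and the confirmation code the user reads back so Manager can record that the reset actually happened. The model below is an added example and not McAfee's algorithm; the per-device key derivation, the HMAC-based codes, their length, and the sample serial numbers and user names are all constructed for the demonstration. It shows the checks each side performs: Manager refuses a rescue for a revoked device, for a device whose usage profile does not allow Help Desk rescue, or for a caller who is not a registered user of that serial number; the device accepts each authorization code once; and Manager only logs the rescue as complete after the confirmation code verifies.

```python
import hmac
import hashlib
import secrets

# Length of the short codes read over the phone; an assumed value for this model.
CODE_BYTES = 4
CODE_LEN = 2 * CODE_BYTES  # hex characters


def rescue_key(serial, master_secret):
    """Per-device rescue key. Assumed model: derived from a Manager-held master
    secret when the device is issued, and provisioned onto the device then."""
    return hmac.new(master_secret, b"rescue|" + serial.encode(), hashlib.sha256).digest()


def _code(key, purpose, serial, nonce):
    """Truncated HMAC tag that binds a purpose to one device and one rescue attempt."""
    msg = "|".join((purpose, serial, nonce)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:CODE_LEN]


class ManagerHelpDesk:
    """Manager side: knows the registered devices, hands out authorization codes,
    and records whether each rescue completed."""

    def __init__(self, master_secret):
        self.master_secret = master_secret
        self.devices = {}   # serial -> registration record
        self.pending = {}   # serial -> nonce of the rescue in progress
        self.audit = []

    def register(self, serial, user, allow_help_desk=True):
        self.devices[serial] = {"user": user, "revoked": False,
                                "allow_help_desk": allow_help_desk}

    def revoke(self, serial):
        self.devices[serial]["revoked"] = True

    def issue_authorization(self, serial, claimed_user):
        """Returns the code the operator reads to the user, or None when the rescue
        must be refused: unknown or revoked device, usage profile that does not
        allow Help Desk rescue, or a caller who is not a registered user of it."""
        rec = self.devices.get(serial)
        if rec is None or rec["revoked"] or not rec["allow_help_desk"] \
                or rec["user"] != claimed_user:
            self.audit.append(("rescue-denied", serial, claimed_user))
            return None
        nonce = secrets.token_hex(CODE_BYTES)
        self.pending[serial] = nonce
        key = rescue_key(serial, self.master_secret)
        return nonce + _code(key, "auth", serial, nonce)

    def confirm(self, serial, confirmation_code):
        """Checks the code the user reads back; True means the reset took effect."""
        nonce = self.pending.pop(serial, None)
        if nonce is None:
            return False
        key = rescue_key(serial, self.master_secret)
        ok = hmac.compare_digest(confirmation_code, _code(key, "confirm", serial, nonce))
        self.audit.append(("rescue-complete" if ok else "rescue-failed", serial))
        return ok


class Device:
    """Device side: holds the same rescue key, checks the authorization code,
    resets the password and answers with a confirmation code."""

    def __init__(self, serial, master_secret):
        self.serial = serial
        self.key = rescue_key(serial, master_secret)
        self.password = "user-chosen-password"
        self.locked = True
        self.used_nonces = set()   # one authorization code works exactly once

    def enter_authorization(self, code):
        nonce, tag = code[:CODE_LEN], code[CODE_LEN:]
        if nonce in self.used_nonces or \
                not hmac.compare_digest(tag, _code(self.key, "auth", self.serial, nonce)):
            return None
        self.used_nonces.add(nonce)
        self.password = "tmp-" + _code(self.key, "temp", self.serial, nonce)
        self.locked = False
        return {"confirmation_code": _code(self.key, "confirm", self.serial, nonce),
                "temporary_password": self.password}


def run_rescue(help_desk, device, claimed_user):
    """The whole exchange, operator and user in one place. Returns True when the
    Manager side confirms the rescue."""
    code = help_desk.issue_authorization(device.serial, claimed_user)
    if code is None:
        return False
    reply = device.enter_authorization(code)
    if reply is None:
        return False
    return help_desk.confirm(device.serial, reply["confirmation_code"])


if __name__ == "__main__":
    master = b"constructed-master-secret"  # constructed for the demo
    hd = ManagerHelpDesk(master)
    hd.register("SN-0001", "jsmith")
    print("rescue confirmed:", run_rescue(hd, Device("SN-0001", master), "jsmith"))
```

The point of the confirmation code in this model is accountability rather than access: the authorization code alone already lets the device reset the password, so the audit trail on the Manager side should only read "complete" once the user has proved the reset happened, and a denied request for a revoked serial number should be logged as such.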


Viewing device information

You can view information about users and the device. All information is read-only.

To view device information
1. On the main page of Manager, under Operational Tasks, click Hardware and Software Information.
2. On the Hardware and Software Information page, click one of the following options:

- Users—provides authentication and partition information for each user, such as the number of finger enrollments allowed, password and two-factor status, and private partition size.
- Device Settings—contains biometric and hardware information such as retry limits and security levels, and the device serial number. Also includes summaries for initialization and usage profiles and password rules.
- Disk Partitions—outlines the overall allocation of disk space on the device.
- Product Versions—lists the version for all software and hardware associated with the device.

Generating reports

Manager includes six pre-defined reports. Reports use the comma-separated value (CSV) format. The following table describes the reports that are available with Manager.

By default, generated reports are located in the Reports folder in the directory path: C:\Program Files\McAfee\McAfee Encrypted USB Manager 3.1 (where “C” is the drive where you installed Manager). You can change the output folder and file name for each report.

Table 1-1: Manager Reports

Report Name | Description
Audit Report | This report provides details about the operations recorded in the audit database, such as audit unique ID, operator name, LDAP CN, LoggedIn Windows user name, initialization profile, and so on.
Device issuance operations | Provides details about device issuance operations, such as date and time of issuance, user name, operator name, device serial number and device type, and usage profile name.
Devices | Lists all devices, including device serial number and device type, firmware version, and initialization profile name.
Issued devices | List of issued devices per user. Includes user name, device serial number and device type, and name of usage profile.
Users who use two-factor authentication | Lists all users who must authenticate to their device using two-factor authentication. Includes user name, device serial number, and two-factor authentication status.
Users with two-factor authentication devices not personalized | Lists all users who have not personalized the device they were issued (for two-factor authentication). Personalizing a device involves enrolling a finger and changing the initial password. The report includes user name, device serial number and two-factor authentication status.


To generate a report
1 On the main page of Manager, click Reports.
2 From the Available Reports list, click the report you want to generate, and then click Next.
3 If you want to change the location where the generated report is saved, on the Report Settings page, click the browse button and locate the appropriate folder.
4 If you want to change the default name of the report, type the new name in the Output File text box.
5 Click Generate.
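Because the reports are CSV files, they lend themselves to periodic checks outside Manager. The script below is an added example, not part of the guide or the product: it reads an Audit Report and a Devices report, flags audit rows where the operation was performed by a role other than the one this chapter assigns it (Issuance Officers revoke users and devices, Initialization Officers upgrade firmware), flags rows where the Manager operator name differs from the logged-in Windows user name, and lists devices whose firmware is older than a baseline you choose. The guide describes the report fields only in prose, so the column headers, role names, version strings and every sample row below are constructed for the example; map them to the headers in your own exports before using it.

```python
import csv
import io

# Constructed sample of an Audit Report export. The guide lists these fields in
# prose only; the header names here are assumed, not the product's real ones.
AUDIT_REPORT_CSV = """AuditID,Operation,OperatorName,OperatorRole,LoggedInWindowsUser
1001,Revoke Device,jsmith,Issuance Officer,CORP\\jsmith
1002,Firmware Upgrade,mlee,Initialization Officer,CORP\\mlee
1003,Firmware Upgrade,jsmith,Issuance Officer,CORP\\jsmith
1004,Revoke User,agarcia,Issuance Officer,CORP\\tnguyen
"""

# Constructed sample of a Devices report export; header names again assumed.
DEVICES_REPORT_CSV = """DeviceSerialNumber,DeviceType,FirmwareVersion,InitializationProfileName
SN-0001,Zero Footprint Biometric Encrypted USB,2.4.1,Standard
SN-0002,Encrypted USB Hard Disk,2.3.0,Standard
SN-0003,Zero Footprint Non-Biometric Encrypted USB,2.4.1,Contractor
"""

# The role the guide says normally performs each operation (Issuance Officers
# revoke users and devices; Initialization Officers upgrade firmware).
EXPECTED_ROLE = {
    "Revoke Device": "Issuance Officer",
    "Revoke User": "Issuance Officer",
    "Firmware Upgrade": "Initialization Officer",
}


def parse_report(csv_text):
    """Reads a CSV report export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def audit_findings(rows):
    """Returns (audit id, finding) pairs for rows that break role separation or
    where the Manager operator is not the Windows user running the session."""
    findings = []
    for row in rows:
        expected = EXPECTED_ROLE.get(row["Operation"])
        if expected is not None and row["OperatorRole"] != expected:
            findings.append((row["AuditID"], "role-mismatch"))
        # Strip the DOMAIN\ prefix before comparing with the operator name.
        windows_user = row["LoggedInWindowsUser"].split("\\")[-1]
        if windows_user.lower() != row["OperatorName"].lower():
            findings.append((row["AuditID"], "session-mismatch"))
    return findings


def parse_version(text):
    """'2.4.1' -> (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def outdated_devices(rows, baseline):
    """Serial numbers of devices whose firmware is older than `baseline`. The
    guide says Manager requires such devices to be upgraded before any other
    initialization task, so this list is the upgrade backlog."""
    base = parse_version(baseline)
    return [row["DeviceSerialNumber"] for row in rows
            if parse_version(row["FirmwareVersion"]) < base]


if __name__ == "__main__":
    for audit_id, finding in audit_findings(parse_report(AUDIT_REPORT_CSV)):
        print(f"audit {audit_id}: {finding}")
    backlog = outdated_devices(parse_report(DEVICES_REPORT_CSV), "2.4.0")
    print("firmware below 2.4.0:", backlog)
```

Point the two constants at the files Manager writes under the Reports folder named above, and run it after each report generation; the role map is the one place to edit if your company has divided the administrative roles differently from the example in this chapter.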


Managing portable content

Portable content is added to the read-only partition when you initialize a device. You can store portable content in a directory or you can create a portable content file (.pcf). A portable content file combines directories and applications for the read-only partition into one file. When you deploy new devices, you should create a portable content file before you start the initialization process. However, you can also update the portable content on an issued device.

You can manage portable content files using the Portable Content Manager (PCM).

Note: You cannot change the content on the read-only partition for McAfee Standard Driverless Encrypted USB devices.

About the Portable Content Manager

The PCM provides a graphical interface that lets you create a portable content file and add or delete content, such as applications or files specific to your company. The content, or directories, are represented by tree nodes in the navigation pane. Directories (including files and subdirectories) exist on the root level of the portable content file. You can also export content from the portable content file to another directory on your computer or network.

McAfee applications

The default portable content file that installs with McAfee Encrypted USB Manager includes three McAfee applications: Connector, Web Login Config, and the client (for both Windows and Mac). You can configure properties for each McAfee application in the following ways:

- Add menu items to the Connector menu
- Type the Help Desk phone number in the client
- Create Web forms that will be automatically completed using credentials that are stored on the device

This chapter contains information about:

- Creating a portable content file
- Exporting portable content
- Updating portable content on devices
- Configuring Web Login Config
- Configuring the Connector menu
- Configuring the client

Creating a portable content file

A default portable content file is included on the Manager Installation CD. When you create a new file, the Portable Content Manager (PCM) opens a copy of the default file to use as a template. You can edit the copy of the default file by opening and saving it as the new template. You can create subsequent portable content files based on this template.


You should create a portable content file before you initialize a device. For more information about initializing devices, see page 28.

To create a portable content file
1 From the main menu of ACCESS Enterprise Manager, click Device Initialization.
2 In the Other Tasks area, click Portable Content Manager. A new portable content file automatically opens using the default template.
3 If you want to add or delete content, see page 49.
4 If you want to configure properties for a McAfee application, see one of the following:
- “Configuring Web Login Config” on page 51
- “Configuring the Connector menu” on page 54
- “Configuring the client” on page 57
5 On the File menu, click Save and type a name in the File Name text box.

Note 1: When you modify properties in a portable content file, click Apply to confirm your changes. However, you must save the file to permanently add your changes.

Note 2: To refresh the file, press F5 or click the View menu, and then click Refresh.

To change the default portable content file
1 In the PCM, on the File menu, click Open and click the portable content file that you want to use as the default file.
2 Modify the file to add content or configure existing applications.
3 On the File menu, click Save As and save the file to the following location using the file name, DefaultReadOnlyImage.pcf.

C:\Program Files\McAfee\McAfee Encrypted USB Manager 3.1\PortableContentFiles (where C is the drive on which you installed Manager)

Adding and deleting content

You can add content, such as directories or an application, to a portable content file. PCM displays new content as a directory in the navigation pane on the left side of the PCM window. Directories must have unique names as the file system cannot accept two directories with the same name.

You can also delete content from a portable content file.

To add content
1 In the PCM, on the Action menu, click Add Content.
2 In the directory browser, locate the directory to add and click OK.
3 If you want to use a new name for the folder, type the name and press ENTER.

Tip 1: To view the files in a directory, on the Action menu, click Explore. You can also right-click the directory and click Explore. You cannot explore McAfee applications using the PCM.

Tip 2: To manage files that are located at the root level of the portable content file, click Explore Root on the Action menu.

To delete content
In the navigation pane of the PCM, click the item you want to delete and then on the Action menu, click Delete.

Tip: You can also delete content by right-clicking the item and clicking Delete.


Copying, renaming, and moving items in the navigation pane

You can copy, rename, or move items in the navigation pane of the portable content file. When you move a menu item in Connector you change the order in which menu items display when you start the application.

To copy an item
Click the item that you want to copy, and then on the Action menu, click Duplicate.

Tip: You can also right-click the item to copy, and then click Duplicate.

To rename an item
Click the item to rename, and then on the Action menu, click Rename.

Tip: You can also right-click the item, and then click Rename.

Note: When renaming input fields in the Web Login Config application, you can change the name in the Name text box in the right pane. For text fields, you can change the name in the Text box.

To move an item
Click the item to move, and then on the Action menu, click one of the following:

- Move Up
- Move Down

Tip: You can also move an item by right-clicking it and clicking Move Up or Move Down.

Exporting portable content

You can export the contents of a portable content file to another location.

To export portable content
1 On the File menu in the PCM, click Export to Directory.
2 Browse to the destination directory to which you want to copy files and click OK.

Note: When the destination directory name is the same as the name of the exported directory, PCM merges the content of the two directories. However, files in the exported directory will overwrite any existing files with the same name in the destination directory.

Updating portable content on devicesYou can update the portable content on the read-only partition of an issued device. Updating involves creating and distributing a new portable software package for end users to install.

Note: McAfee Standard Encrypted USB does not have a read-only partition. You must install the client on the client workstation for this device. The client cannot update software on the client workstation. For more information, see “Installing the client” on page 21.


Creating a portable software package
A portable software package combines initialization profile data, a new portable content file (or directory), and installation instructions into one update file (.upd). When you create the package, you must use the same initialization profile that was first applied to the devices you want to update. The initialization profile contains the management code that is required to install the software update on the device, and it determines the required size of the read-only partition, which ensures that the new software package fits on the partition.

You can configure the software package to delete all existing software files on the read-only partition before the new files are added. If you do not delete the existing files, the new files are added alongside them, and any file with the same name is replaced.

Caution: Before you update the read-only partition of an issued device, test and validate the software package you want to install. You can contact Professional Services to confirm that the new package is compatible with the other image components.

To create a portable software package
1 In Manager, click Device Initialization, and then click Create Portable Software Package.
2 Follow the instructions in the Portable Software Package wizard.

Note: The Software Update Package Filename is the target file that you will distribute to end users.

Caution: Editing or deleting any of the files required to run the client software is not recommended, because doing so can break the program.

Distributing the portable software package
You are responsible for distributing the update package to end users by an appropriate method, such as sending it as an e-mail attachment or saving it to an accessible network folder. Because the package carries the initialization profile data, including the management code, that authorizes writing to the read-only partition of your devices, limit its distribution to the intended users.

Installing the portable software package
End users are responsible for updating their devices with the new software package. After receiving the update package, end users install it from the Connector menu.

To install a portable software package
1 In the notification area of the Windows taskbar, click the Connector icon and click Update Software.
2 Follow the instructions in the install wizard.

Configuring Web Login Config
The applications that you configure in the Web Login Config directory allow users to log on to and gain access to remote resources. For example, a user could access a virtual private network (VPN) by logging on to a Citrix Presentation Server that is protected with RSA SecurID. Credentials, such as token information, user name, password, and domain name, are the login requirements for these applications.


When you configure Web login pages, you define credentials and map them to fields in Web forms. You can add multiple forms and URLs, using the generic text, password, and RSA SecurID credential types. Only the browser that is packaged with Manager is supported.

Note: The Portable Content Manager (PCM) provides a graphical interface for configuring Web Login Config.

Creating applications
Applications contain credential information that you link to Web forms. An application can contain multiple forms. Credentials for the application are organized in groups and saved in the private store of the device. When you add a new application, you must also add credentials and forms. For more information, see "Adding credentials" on page 52 and "Adding forms" on page 53.

To create an application
1 In the left pane of the PCM, click Web Login Config.
2 On the Action menu, click New Application.
3 Type a name for the application and press ENTER.

Tip: You can also right-click Web Login Config and click New Application.

Note: You can modify the Connector menu to include the new application, so that end users can start it from the menu. For more information, see "Configuring the Connector menu" on page 54.

Adding credentials
After you define a new application, you must add credential groups. A credential group can contain one or more credentials. End users enter their credentials in the client before they log on to an application.

To add a credential group
1 Click the application to which you want to add a credential group.
2 On the Action menu, click New Credential Group.
3 Type a name for the credential group and press ENTER.
4 To change the type of the credential group from Generic to RSA SecurID, select RSA SecurID in the Type box in the Properties pane, and then click Apply. An RSA SecurID credential is automatically added to the credential group. RSA SecurID credential groups have predefined input field values that you cannot edit. See "Adding forms" on page 53.

Tip: You can also right-click the application name or the Credentials section and click New Credential Group.

To add credentials to a credential group
1 Click the credential group to which you want to add credentials.
2 On the Action menu, click New Credential.
3 Type a name for the credential and press ENTER.
4 Click the credential you added in step 2 and select a credential type in the Type box in the Properties pane.

Tip: You can also right-click the credential group name and click New Credential.


Adding forms
Forms contain both text fields and input fields. Text fields are used by the Web browser to recognize Web pages, by comparing text on the page with the text you provide. Input fields also help to recognize Web pages, and they supply the corresponding credentials that the page requires. You can configure the form to submit the credential information automatically.

To add a form
1 Click the application to which you want to add a form.
2 On the Action menu, click New Form.
3 Click the new form in the left pane of the PCM.
4 In the Properties pane, complete the appropriate property settings. For more information, see Table 1-1.
5 Click Apply.

Tip: You can also right-click the application name or the Forms section and click New Form.

Table 1-1: Form properties

Name
  The name of the form. The default name is "new_form".

Title
  Used to recognize the title of a Web page.

URL
  Used to recognize the URL (or a substring of it) of the Web page. For example, a form whose URL attribute was entered as http://www.google still matches when the user browses to http://www.google.com/. Because the comparison is a substring match, a short prefix also matches any other URL that contains it, so enter enough of the URL (at least the scheme and the full host name, through the "/" that follows it) to identify the intended site uniquely.

Automatically Submit
  Whether to submit the form automatically. Selecting the check box activates the Submit HTML Attributes section.

Submit HTML Attributes: Type
  Type of the HTML element that submits the form. Typically the text required in this field is "submit".

Submit HTML Attributes: Name
  Name of the HTML element that submits the form.

Submit HTML Attributes: Value
  Value of the HTML element that submits the form.

To add a text field
1 In the Forms section of the application, click the form to which you want to add the text field, and then on the Action menu, click New Text Field.
2 Click the new text field and, in the Text box in the Properties pane, type the text that should or should not match text found on the Web page.
3 If the text should match, click The form DOES contain this text. If the text should NOT match, click The form DOES NOT contain this text.
4 Click Apply.

Tip: You can also right-click the form section and click New Text Field.

To add an input field
1 In the Forms section of the application, click the form to which you want to add the input field, and then on the Action menu, click New Input Field.
2 Click the new input field and complete the properties in the Properties pane. For more information about input field properties, see Table 1-2.
3 Click Apply.
4 If the input field is also the HTML element that submits the form, click Use for Auto-Submit to copy the input field's attributes to the Submit HTML Attributes in the form properties.

Tip 1: You can also specify auto-submission when you set the form properties. For more information, see "Adding forms" on page 53.

Tip 2: You can also right-click the form section and click New Input Field.

Note: If you do not select the check box for an attribute in the HTML Attributes section, that attribute is not compared. For example, if you select only the Type and Name attributes, only fields that match Type and Name are returned. To require an attribute to be present but blank, select its check box and type "" in the text box, for example Value="".
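The recognition rules above (Title and URL substring matching from Table 1-1, the DOES/DOES NOT text fields, and the input-field HTML attribute matching described in the Note) can be worked through in code. The following Python is an added example, not part of this guide or of the McAfee product, and every class, function, host name, field name and credential in it is this example's own. It implements the rules as the guide states them and then applies two versions of one form to three constructed pages: the real login page, the same page after a failed login, and a look-alike host. With the URL entered as a bare prefix, as in the http://www.google example, the look-alike page is recognized and would receive the user name and password (and, with Automatically Submit selected, they would be sent to it). With the URL entered through the "/" that ends the host name, plus a text field that excludes the error page, only the intended page is filled.

```python
"""Form recognition and auto-fill in the style of Web Login Config.

Added example, not code from the McAfee product or this guide.  It applies
the rules the guide describes: Title and URL are substring matches, each
text field either DOES or DOES NOT have to appear on the page, and for an
input field only the HTML attributes you set are compared ("" = blank).
All class, function, host and field names are this example's own.
"""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class InputRule:
    """One input field (compare Table 1-2); None means 'not compared'."""
    type: Optional[str] = None
    name: Optional[str] = None
    value: Optional[str] = None       # "" requires a blank attribute
    required: bool = True             # needed to recognize the form
    credential: Optional[str] = None  # credential to fill in, if any

@dataclass
class TextRule:
    """Text that DOES (True) or DOES NOT (False) have to appear on the page."""
    text: str
    must_contain: bool = True

@dataclass
class FormRule:
    """Form properties (compare Table 1-1) plus its text and input fields."""
    name: str
    title: Optional[str] = None       # substring of the page title
    url: Optional[str] = None         # substring of the page URL
    text_rules: list = field(default_factory=list)
    input_rules: list = field(default_factory=list)

@dataclass
class Page:
    url: str
    title: str
    body_text: str
    inputs: list                      # dicts of HTML attributes

def input_matches(rule: InputRule, element: dict) -> bool:
    """Compare only the attributes the rule sets; a missing attribute is ""."""
    return all(getattr(rule, a) is None or element.get(a, "") == getattr(rule, a)
               for a in ("type", "name", "value"))

def form_matches(rule: FormRule, page: Page) -> bool:
    """Title/URL substring checks, then text rules, then required inputs."""
    if rule.title is not None and rule.title not in page.title:
        return False
    if rule.url is not None and rule.url not in page.url:
        return False
    if any((t.text in page.body_text) != t.must_contain for t in rule.text_rules):
        return False
    return all(any(input_matches(r, e) for e in page.inputs)
               for r in rule.input_rules if r.required)

def fill_plan(rule: FormRule, page: Page, credentials: dict) -> dict:
    """Map page input names to credential values; empty if not recognized."""
    if not form_matches(rule, page):
        return {}
    plan = {}
    for r in rule.input_rules:
        if r.credential is not None:
            target = next((e for e in page.inputs if input_matches(r, e)), None)
            if target is not None:
                plan[target["name"]] = credentials[r.credential]
    return plan

def login_fields() -> list:
    """Input rules shared by both forms below (constructed)."""
    return [InputRule(type="text", name="username", credential="user"),
            InputRule(type="password", credential="pass"),   # name not compared
            InputRule(type="submit", name="login", value="Log on", required=False)]

def loose_rule() -> FormRule:
    """URL entered as a bare prefix, like the http://www.google example."""
    return FormRule("vpn", url="https://vpn.example", input_rules=login_fields())

def strict_rule() -> FormRule:
    """URL entered through the '/' that ends the host; error page excluded."""
    return FormRule("vpn", url="https://vpn.example.com/",
                    text_rules=[TextRule("Invalid password", must_contain=False)],
                    input_rules=login_fields())

# Constructed sample pages and credentials; no real site is involved.
CREDS = {"user": "jdoe", "pass": "correct horse battery staple"}
INPUTS = [{"type": "text", "name": "username"}, {"type": "password", "name": "password"},
          {"type": "submit", "name": "login", "value": "Log on"}]
REAL = Page("https://vpn.example.com/login", "Corporate VPN", "Please sign in", INPUTS)
ERROR = Page("https://vpn.example.com/login", "Corporate VPN",
             "Invalid password. Please sign in", INPUTS)
LOOKALIKE = Page("https://vpn.example.com.evil.example/login", "Corporate VPN",
                 "Please sign in", INPUTS)

if __name__ == "__main__":
    for label, page in (("real", REAL), ("error", ERROR), ("lookalike", LOOKALIKE)):
        print(label, "loose:", fill_plan(loose_rule(), page, CREDS),
              "strict:", fill_plan(strict_rule(), page, CREDS))
```

Running the module prints the fill plan each rule produces for each page. The loose rule fills the look-alike page exactly as it fills the real one; the strict rule returns an empty plan for both the look-alike host and the failed-login page, which is the behaviour you want before enabling Automatically Submit.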

Table 1-2: Input field properties

Require this field for the form to be recognized
  Whether the browser uses this field to recognize the Web form.

Automatically fill this field with a credential
  Whether this field is automatically filled with a credential. When the check box is selected, the Credential section is activated.

Credential: Group
  The credential group that contains the credential used to complete the Web field.

Credential: Credential
  The credential used to complete the Web field. If the associated credential group is of the RSA SecurID type, the following credentials are available: SecurID Next PASSCODE, SecurID Next Tokencode, SecurID PASSCODE, SecurID Tokencode, SecurID User.

Auto-submit the form even if this field is empty
  When selected, the form is submitted even if the specified credential is empty.

HTML Attributes: Type
  Type of the HTML input element that this field matches on the Web page.

HTML Attributes: Name
  Name of the HTML input element that this field matches on the Web page.

HTML Attributes: Value
  Value of the HTML input element that this field matches on the Web page.

Configuring the Connector menu
End users typically start applications, such as the client, from the Connector menu, located in the notification area of the Windows taskbar. You must update the Connector configuration to add menu items for every application that end users will open from the Connector menu. For example, you can add a menu item that opens a company time sheet or intranet site.

Two main areas require configuration:

General section, which contains the property settings for the Connector menu.
System Tray Menu, which contains the menu items and submenus that are displayed in the Connector menu.

Note: The Portable Content Manager (PCM) provides a graphical interface for configuring the Connector menu. If necessary, you can also open the Connector configuration file (connector.ini) in a text editor and edit its contents directly.

General
Properties in the General section of Connector control the actions and appearance of the menu.

To configure general menu properties
1 In the left pane of the Portable Content Manager, click the General item in the Connector application.
2 In the Properties section of the right pane, edit the applicable properties and click Apply.

The following table describes the General properties available for configuration.

Table 1-3: General property settings for the Connector menu

Show icon
  Whether a tray icon appears when Connector is running.

Allow Exit
  Whether the Connector menu includes the option to close the program.

Read-Only Detection
  Detects and reports changes to the read-only partition, to warn the end user that changes saved only on this partition may be lost.

Alternate Icon: File Name
  The file that contains the icon to use in the taskbar tray.

Alternate Icon: Resource ID
  A text string that identifies the alternate icon.

Additional Configuration: Public: File Name
  The location of an additional configuration file for the public store.

Additional Configuration: Public: Allow Auto Run
  Lets you disable the autorun capability for the public store, so that you can add menu items to the taskbar tray while leaving autorun disabled.

Additional Configuration: Private: File Name
  The location of an additional configuration file for the private store.

Additional Configuration: Private: Allow Auto Run
  Lets you disable the autorun capability for the private store, so that you can add menu items to the taskbar tray while leaving autorun disabled.

Safe Eject Warning: Title
  The title of the message box that appears when a user tries to eject the device without first closing all other applications running from the device.

Safe Eject Warning: Message
  The text of the message box that appears when a user tries to eject the device while other applications are still running from the device.


System Tray Menu
You can add or edit the properties of the menu items in the Connector menu. For example, you can set parameters that terminate a program when the user disconnects the device, or that prevent access to a program while the device is in a particular state, such as blocked or locked. A submenu must contain at least one menu item, or the PCM will not save the submenu entry.

Figure 1-1: Example of Connector menu and submenu items (screenshot not reproduced; its callouts label a menu item and its submenu items)

To add a menu item
1 In the PCM, right-click the System Tray Menu in the Connector application, and then click New Menu Item.
2 Type a name for the menu item and press ENTER.
3 Click the new menu item and add or change the properties in the Properties section of the right pane. See Table 1-4 for details about menu item properties.
4 Click Apply to save the settings.

To edit menu item properties
1 In the PCM, click the Plus (+) sign to expand the System Tray Menu in the Connector application, and click the menu item you want to edit.
2 In the Properties section of the right pane, edit the property and click Apply.

The following table describes the menu item properties that you can configure.

Table 1-4: Menu item properties

Label
  The name that appears in the Connector menu for the application.

Location
  Where the executable file is stored. Options are Current, FullPath, Read-only, Public, and Private. If FullPath is specified, the EXE path is used as entered and is not modified.

Exe File
  The executable file that starts when the user clicks the menu item.

Arguments
  A value or expression passed to the executable file when it starts.

Show Command
  The window state of the program when it starts (Normal, Maximize, Minimize, Hide).

Menu Default
  Whether this item runs when the end user double-clicks the system tray icon.

Warn On Safe Removal
  Whether the end user is warned when trying to safely disconnect the device while this application is running.

Disable When
  The device state during which this menu item is disabled.

Hide When
  The device state during which this menu item is hidden.

Terminate On Removal: Enabled
  Whether this application is terminated when the user disconnects the device.

Terminate On Removal: Window Class
  The window class of the application. If specified, Connector sends a close message to that window so that the application can shut down cleanly; otherwise the application is forced to quit. For applications such as the client, you can leave this field blank, because forcing the application to quit is acceptable.

Terminate On Removal: Window Title
  The window title of the application. If specified, Connector sends a close message to that window so that the application can shut down cleanly; otherwise the application is forced to quit. For applications such as the client, you can leave this field blank, because forcing the application to quit is acceptable.

Auto-Run: Enabled
  Whether the menu item runs when Connector starts.

Auto-Run: Delay (ms)
  The number of milliseconds to wait before the application starts.

Configuring the client
The client contains the phone number of the Help Desk at your company. End users dial this number when they cannot access their device or to complete the personalization process. Modify the Help Desk phone number in the portable content file before you initialize a device.

The default portable content file for Manager includes a copy of the client for Mac. If end users do not use Mac computers, you can delete this application to reduce the time it takes to initialize a device.

To configure the Help Desk contact number
1 In the left pane of the Portable Content Manager, click the Plus (+) sign to expand the tree node for the client.
2 Click the Configuration menu item.
3 In the Properties area of the right pane, type the Help Desk phone number in the Help Desk Contact text box, and then click Apply.

Note: The Portable Content Manager (PCM) provides a graphical interface for configuring the client.


Glossary

binding
  The process by which a device becomes registered in the McAfee Encrypted USB Manager system through initialization.

client
  The program that end users run to set passwords and enroll fingers for device authentication.

corporate identifier
  A unique string assigned to the company that owns the Manager deployment. The string identifies the devices that are managed by the company and bound to the Manager license.

data recovery
  The process by which a Security Officer recovers and examines the encrypted data on an issued device.

device erasure
  The process of removing all users and authentication information from a device. Erasure renders all sensitive information inaccessible and resets the device to its default state.

device database
  The central repository that contains information on the currently managed devices.

device initialization
  The process of configuring a device according to an initialization profile.

device issuance
  The process of binding a device to a user according to a usage profile.

device personalization
  The process by which end users set their authentication mechanisms, including passwords and finger enrollments.

device reinstatement
  Restoring to a device user the privilege of using an issued device.

device rescue
  The process of re-enabling an end user's authentication mechanism for a device. Not available with McAfee Standard Driverless Encrypted USB.

device revocation
  Removal of the privilege of using an issued device.

DSN
  Data Source Name; the information about a database that ODBC requires in order to connect to it.

face-to-face personalization
  A method in which users must be present with an Issuance Officer to set up a password and enroll a biometric (if applicable).

Help Desk operator
  An administrative role that supports users who call about device problems.

importing devices
  The process of bringing an unmanaged device that is currently in use into the managed Manager system.

Initialization Officer
  An administrative role that can initialize devices.

initialization profile
  A set of configuration parameters, not related to security, that define how a device is configured.

Issuance Officer
  An administrative role that can issue devices to users.

LDAP
  Lightweight Directory Access Protocol; the standard used by Manager to connect to corporate directories.

management code
  The code that allows a device to be erased and firmware to be added.

ODBC
  Open Database Connectivity; the standard interface used by Manager to connect to the device database.

one-factor authentication
  A method of authenticating to a device in which the user must provide either a valid password or a valid biometric (if applicable) to access the device.

password complexity
  A measure of how well a password resists guessing and other unauthorized attempts to use it. Complex password rules increase the strength of a password and reduce the risk of unauthorized access to a device.

portable software update
  A package that can be distributed to end users to update the read-only partition of issued devices.

Security Officer
  An administrative role with the authority to recover and examine encrypted data from an issued device.

two-factor authentication
  A method of authenticating to a device in which the user must provide both a valid password and a valid biometric to access the device.

usage profile
  A set of security and user configuration parameters that define how devices may be issued and used.

user revocation
  Removal, for a particular user, of the privilege to use a device or to have one issued.

user self-personalization
  A method in which users set up their password and enroll a biometric (if applicable) on the device using a self-serve wizard in the client.

Page 60: McAfee Encrypted USB Manager Adminb2b-download.mcafee.com/products/evaluation/... · McAfee Encrypted USB Manager includes a management console and end user software. Management console

Index

Symbols.pcf file

adding content 49deleting content 49

Aabout

applications in .pcf file 48Connector 54McAfee Encrypted USB Manager 8Portable Content Manager 48RSA Web Service 16Web Login Config 51

active profiles 36ADAM

configuring 12adding

certificate profiles 39credentials 52initialization profiles 28input fields 53menu items to Connector 56portable content 49portable software package 51text fields 53usage profiles 36users to devices 37

AES key 41applications

about 48adding credentials 52adding forms 53creating for Web login 52

authenticatingone-factor 34two-factor 34

authenticationoptions for device database 12rescuing devices 45

authorization codemanaging devices 45

Bbackup

encryption keys 42binding

definition 58biometric

false rejections 34

60

finger enrollments 34biometric retry limit

setting 34

Ccapabilities of Manager 7CD image

creating new 21certificate

registering for enrollment agent 14Certificate Authority 39

issuing certificates with Manager 13certificate file

importing to device 43certificate template

configuring 14certificates

creating profiles for 39issuing to users 41removing 42

changinginstallation setup 21usage profiles 36

clientadding Help Desk number 57definition 58

client for Mac 57codes

authorization 45confirmation 45

configuration filesmodifying 19

configuringADAM 12certificate template 14Connector 54TokenIssuance file 17

confirmation coderescuing devices 45user self-personalization 25

Connectoradding menu items 56configuring 54setting General properties 55

contentadding to portable content file 49deleting from portable content file 49

copyingcredential profiles 40

Page 61: McAfee Encrypted USB Manager Adminb2b-download.mcafee.com/products/evaluation/... · McAfee Encrypted USB Manager includes a management console and end user software. Management console

IndexMcAfee Encrypted USB Manager 3.1 Deployment and Administration Guide

initialization profiles 29portable content file 50usage profiles 35

corporate identifierdefinition 58

creatingcertificate profiles 39initialization profiles 28new CD image 21ODBC DSN 20portable content file 48portable software package 51usage profiles 33

credential group 52credential profiles

copying 40deleting 40editing 40

credentialsadding to applications 52deleting 42issuing to users 41saving to file 41

Ddata recovery

definition 58how to 45setting in usage profile 34

Data Source Namecreating 20

databaseauthentication options 12creating for Manager 11definition 58

deactivating profiles 36default portable content file 48deleting

all users 31credential profiles 40credentials 42device software 51initialization profiles 30portable content 49usage profiles 36users 37

deploying devices to users 33deployment cycle

about 23initialization 23issuance 24personalization 25usage 25

device databaseSee database

device licenses 10device profiles

See initialization profilesdevice reinstatement

definition 58device rescue

definition 58device revocation

61

definition 58devices

adding users 37creating usage profiles 33erasing 31issuing credentials 41issuing to users 33McAfee Standard Driverless Encrypted USB 5number of users allowed 33recycling 31removing users 37rescuing 45supported 7viewing statistics 44

directoryviewing contents of .pcf file 49

distributing software package for read-only parti-tion 51

drive typesetting for read-only partition 28

DSNdefinition 58

Eediting

credential profiles 40initialization profiles 30menu items in Connector 56usage profiles 36

encryption keysrecovering 42

enrollingnumber of fingerprints 34

enrollment agentregistering for certificate 14

erasing devices 31Explore Root

menu command 49exporting portable content 50

Fface-to-face personalization

about 25definition 58setting 33

False Match Rate 34false rejection rate

biometric 34features

Manager 7new in McAfee Encrypted USB Manager 2.4 6new in McAfee Encrypted USB Manager 3.0 5new in McAfee Encrypted USB Manager 3.1 5

filesadding to portable content file 49creating portable content 48deleting from .pcf file 49

fingerprintsnumber to enroll 34

fingersincorrectly matched 34

Fixed drive type 28forms

Page 62: McAfee Encrypted USB Manager Adminb2b-download.mcafee.com/products/evaluation/... · McAfee Encrypted USB Manager includes a management console and end user software. Management console

IndexMcAfee Encrypted USB Manager 3.1 Deployment and Administration Guide

adding input fields 53adding text fields 53adding to applications 53

GGeneral settings in Connector 55generating reports 46

Hhardware version 46Help Desk

adding phone number 57rescuing devices 45

Help Desk Operatordefinition 58the role of 26

high False Match Rate 34Host Agents

configuring RSA SecurID Web Service 16

Iimporting

license file 10non-registered devices 31recovered certificate file 43

importing devicesdefinition 58

initializationdefinition 58reducing time required 57

Initialization Officerdefinition 58the role of 26

initialization profilesetting drive type 28

initialization profilescopying 29creating 28definition 58deleting 30editing 30

initializing devices 28input fields

adding to forms 53installation setup

modifying 21installing

Manager 19software packages 51

installing RSA Web Service 16IP address or domain-based access 18issuance

definition 58Issuance Officer

definition 58the role of 26

issuingcertificates with Manager 13credentials to users 41devices to users 33

Kkey archival 42

62

keysrecovering 42

LLDAP

definition 58licenses 10low False Match Rate 34

MMac

using with the client 57management code

definition 58Manager

about 8modifying configuration files 19running SQL script 11

maximum finger enrollments per user 34McAfee Encrypted USB Manager

benefits 6features 7installing 19product overview 8upgrading 22

McAfee RSA Web Servicesecuring 17

McAfee Standard Driverless Encrypted USB 5menu items

adding to Connector 56Microsoft SQL Server

upgrading scripts 22modifying

installation setup 21usage profiles 36

Nnew features

McAfee Encrypted USB Manager 2.4 6McAfee Encrypted USB Manager 3.0 5McAfee Encrypted USB Manager 3.1 5

OODBC

creating DSN 20definition 58

one-factor authenticationdefinition 58setting 34

Pparameters

setting for users 33partitions

public 29read-only 29setting private partitions 37sharing 33viewing size of 46

passwordretry limit 35rules 35

password complexity

Page 63: McAfee Encrypted USB Manager Adminb2b-download.mcafee.com/products/evaluation/... · McAfee Encrypted USB Manager includes a management console and end user software. Management console

IndexMcAfee Encrypted USB Manager 3.1 Deployment and Administration Guide

definition 58PCM

configuring Connector 55personalization

about 25definition 58face-to-face 33user self-personalization 33

phone numberadding for the client 57

PKCS#12 files 41portable content file

adding items to 49creating 48deleting items from 49displaying root contents 49exporting 50refresh 49viewing files in a directory 49

Portable Content Managerabout 48

Portable Security Devicessupported 7

portable software packagecreating 51definition 59distributing 51updating 51

private partitionssetting size 37sharing 33

profilescopying

credentials 40initialization 29usage 35

creatingfor certificates 39RSA SecurID 40

deactivating 36deleting

credentials 40initialization 30usage 36

editingcredentials 40initialization 30usage 36

initialization 28usage 33

programscreating software updates 51distributing updates 51installing software updates 51

propertiessetting in Connector 55

provisioning modeface-to-face personalization 33user self-personalization 33

Rread-only drive type 28read-only partition

63

    installing software 51
recovering
    keys 42
recovering data 45
recycling devices 31
refreshing
    portable content file 49
registering
    enrollment agent certificates 14
Removable drive type 28
removing
    all device users 31
    credentials 42
    devices 38
    initialization profiles 30
    portable content 49
    usage profiles 36
    users 37
reports
    generating 46
requirements for system 8
rescuing devices 45
retry limit
    setting for biometric 34
    setting for password 35
root
    managing portable content 49
RSA SecurID profile 40
RSA SecurID tokens 16
RSA Web Service 16
RSA Web Service URL 40
rules
    setting for passwords 35
running reports 46

S
script
    running for Manager 11
SDTID files 41
security
    database authentication options 12
    setting biometric security level 34
Security Officer
    definition 59
    the role of 27
setting
    biometric retry limit 34
    biometric security level 34
    database authentication options 12
    password retry limit 35
    password rules 35
    properties in Connector 55
    two-factor authentication 34
sharing private partitions 33
size
    private partitions 37
    public partition 29
    read-only partition 29
software
    installing on devices 51
    supported 8
    updating 51
software packages


    creating 51
    distributing 51
software version 46
SQL Server
    creating Manager database 11
statistics
    devices 44
    users 44
support
    Help Desk 45
    role of Help Desk Operator 26
supported
    devices 7
    software 8
system requirements 8

T
template
    configuring for certificates 14
    creating for portable content file 48
text fields
    adding 53
TokenIssuance file 17
tokens
    removing 42
troubleshooting
    rescuing devices 45
two-factor authentication
    definition 59
    setting 34
    with user self-personalization 25

U
updating
    device software 51
updating device software 51
upgrading
    Microsoft SQL Server 22
    portable software package 51
upgrading McAfee Encrypted USB Manager 22
URL
    RSA Web Service 40
usage profiles
    copying 35
    creating 33
    definition 59
    deleting 36
    editing 36
    provisioning mode 33
    setting data recovery 34
user revocation
    definition 59
user self-personalization
    about 25
    definition 59
    setting 33
users
    adding to devices 37
    allowed per device 33
    creating usage profiles 33
    erasing all from device 31
    granting access to RSA Web Service 17
    issuing credentials to 41


    issuing devices to 33
    number of finger enrollments 34
    removing from devices 37
    viewing device statistics 44
    viewing number of 46

V
variables
    configuring in TokenIssuance 17
version number 46
viewing
    device configuration 46
    device license information 10
    device statistics 44
    directory contents 49
    partition information 46
    user information 46
    version information 46

W
Web Login Config
    about 51
Web Service
    securing McAfee RSA Web Service 17
    setting for RSA 16
Windows Integrated Authentication
    enable for RSA Web Service 17
workstations
    granting IP address or domain-based access 18