POC Installation Guide for McAfee EEFF v4.2.x using McAfee ePO 4.6 and ePO 5.0.1
New Deployments Only
Windows Deployment

Table of Contents

1 Introduction
  1.1 System requirements
  1.2 High level process
  1.3 Troubleshooting Considerations
2 Downloading software
  2.1 Download ePolicy Orchestrator v4.6 & Documentation
  2.2 Download McAfee Agent 4.6 (or above) & Documentation
  2.3 Download McAfee EEFF 4.2
3 Installation of ePO Components
  3.1 Check in the EEFF extension into ePO 4.6
  3.2 Check in the EEFF client package into ePO 4.6
4 Registering Windows Active Directory
5 Using the Product Deployment task to deploy products to managed systems
6 Deploying EEFF to client machines
  6.1 Via a Wake up agent Creating and scheduling client tasks
  6.2 Perform following on the Endpoint System
  6.3 Installing EEFF from the Endpoint System
7 User Case: Removable Media Encryption
  7.1 Creating a EEFF key for Removable USB Media recovery
  7.2 Policy Creation
  7.3 Grant Key for Removable USB Media Policy
  7.4 Password Rules for Removable USB Media Encryption
  7.5 Assign Policy via the System Tree
  7.6 Enforce policy update via Agent Wake-Up
  7.7 Using McAfee Removable Media Encryption
  7.8 Use this task to initialize a removable media.
  7.9 Recovery access
    7.9.1 Password Recovery via Pop GUI
    7.9.2 Password Recovery via McAfee Tray Icon
  7.10 Moving an Encrypted file protected with EEFF key to protected USB Device
  7.11 Troubleshooting tips
  7.12 Check USB Reporting capabilities
    7.12.1 Create a customized report Top 10 removable media users
8 User Case: Folder Encryption for Local Folders
  8.1 Creating a key for all Enterprise Users
  8.2 Creating Policy for Folder Encryption
  8.3 Grant Key for Corp Key
  8.4 Assigning Policy to Systems
  8.5 Wake up agent to enforce policy update
  8.6 Using Folder Policy for Corp Users
9 User Case: Folder Encryption for HR Share
  9.1 Wake up agent to enforce policy update
  9.2 Using Folder Policy for Corp Users
10 User Driven Actions
  10.1 Wake up agent to enforce policy update
  10.2 Explicit Encryption
  10.3 Explicit Decryption
  10.4 Creation of Self Extractors
11 Conclusion
  11.1 Further Information

1 Introduction

This POC guide provides step-by-step instructions on how to download, install and use Endpoint Encryption for Files and Folders v4.2.x (EEFF 4). It covers three main areas: removable media encryption, using folder policies for local and network encryption, and user-driven actions.

This POC guide does not cover upgrading from Version 3.x. For information on upgrading, please refer to the Migration Guide (EEFF_4.x_Migration_Guide.pdf), which can be downloaded from the McAfee download site. For additional detailed subjects, refer to the standard set of documents available on the McAfee Site and the Best Practices for McAfee Endpoint Encryption for Files and Folders v4.x (EEFF 4). The links for these documents are referenced in Section 11 below.

This guide will cover the following use cases:
  Removable Media Encryption
  Local Folder Encryption using Folder Encryption
  Network Folder Encryption
  User Driven Actions

Please be aware that the screenshots in this document may not reflect the latest available version of Endpoint Encryption for Files and Folders, but they are based on the functionality of Endpoint Encryption for Files and Folders 4.2 or higher.

1.1 System requirements

  McAfee ePolicy Orchestrator 4.6 (minimum Patch 6)
  McAfee ePO 4.6 Patch 2 can be used if Role Based Key Management is not required
  McAfee ePO 5.0 Patch 1 support is also offered with EEFF v4.2
  McAfee Agent for Windows 4.8 (minimum Patch 1)
  McAfee Agent for Windows 4.6 (minimum Patch 1) can be used if Key Cache Expiry is not required

1.2 High level process

  Navigate to the product software download site and use the temporary grant number to gain access.
  Download ePolicy Orchestrator v4.6
  Download McAfee Agent 4.6 (or above)
  Install ePolicy Orchestrator v4.6
  Check EEFF extensions in to ePO 4.6
  Check EEFF packages in to ePO 4.6
  Register your Active Directory server
  Create ePO server task for Active Directory Sync
  Create client tasks to deploy the EEFF components
  Create EEFF Keys
  Create Policies
  Test for successful deployment and encryption on an endpoint

1.3 Troubleshooting Considerations

For the POC it is recommended to make the following changes on the endpoint systems, which will assist in using the dump files created by Windows operating systems.

Configure Dump files settings on endpoint systems

Windows XP
1 Select Control Panel | System | Advanced
2 Click the Settings button for Startup and Recovery
3 Deselect Automatically Restart under System Failure
4 Under Write debugging information (drop-down list), select Kernel dump.

Windows 7
1 Select Control Panel | System and Security | System
2 Select Advanced system settings (option on left)
3 Click the Settings button for Startup and Recovery.
4 Under the section Write debugging information, select Kernel dump.
5 Deselect Automatically Restart under System Failure. This ensures the endpoint system stops after the dump has been written and provides time to boot up into Safe Mode.

Obtaining Dump files

If a crash occurs and the dump file is written, press Ctrl-Alt-Delete and boot up in Safe Mode using F8. Make sure to select just Safe Mode and not Safe Mode with Networking! Once the machine boots into Safe Mode, restart and boot up normally again and copy C:\windows\memory.dmp to a safe location (please also zip this file).

The reason for booting into Safe Mode is that EEFF encrypts the pagefile.sys (which is partially used for the dump file), which will make Windows unable to recognize it. In Safe Mode, the EEFF driver is not active and will not encrypt the pagefile.
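The Windows 7 dump settings above can also be applied from an elevated PowerShell prompt, which is quicker when several POC endpoints are involved. This is an added example, not part of the original McAfee guide; it assumes the standard CrashControl registry values that back the Startup and Recovery dialog.

```powershell
# Added example (not from the McAfee guide): set "Kernel dump" and disable
# "Automatically restart" on a Windows 7 POC endpoint. Run elevated.
$ErrorActionPreference = 'Stop'
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# Registry values behind the Startup and Recovery dialog:
#   CrashDumpEnabled  0 = none, 1 = complete, 2 = kernel, 3 = small memory dump
#   AutoReboot        0 = stay on the stop screen, 1 = restart automatically
$desired = @{ CrashDumpEnabled = 2; AutoReboot = 0 }

# Writing under HKLM requires an administrator token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell prompt.'
}

$changed = $false
foreach ($name in $desired.Keys) {
    # Read the current value (empty if the value does not exist yet).
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -ne $desired[$name]) {
        Set-ItemProperty -Path $key -Name $name -Value ([int]$desired[$name])
        $changed = $true
    }
    $now = (Get-ItemProperty -Path $key -Name $name).$name
    '{0,-17} was: {1,-4} now: {2}' -f $name, $current, $now
}

# Show where Windows will write the dump, so it can be collected after a crash.
$dumpFile = (Get-ItemProperty -Path $key -Name DumpFile -ErrorAction SilentlyContinue).DumpFile
if ($dumpFile) {
    $dumpPath = [Environment]::ExpandEnvironmentVariables($dumpFile)
    "Dump file path:   $dumpPath"
    if (Test-Path $dumpPath) {
        "Existing dump from: $((Get-Item $dumpPath).LastWriteTime)"
    }
}

if ($changed) {
    'Settings changed. Restart the endpoint so the new dump configuration is in effect.'
}
```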

For additional information please refer to http://blogs.technet.com/b/askperf/archive/2008/01/08/understanding-crash-dumpfiles.aspx

This article also makes reference to a Microsoft KB: http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b244139

2 Downloading software

Upon receiving your grant number you'll need to access the software download portal from the following link:

https://secure.mcafee.com/apps/downloads/my-products/login.aspx?region=us

Type in your grant number on the product download website to access the evaluation software required.

2.1 Download ePolicy Orchestrator v4.6 & Documentation

  Download ePO 4.6 (minimum Patch 6 or higher)
  Download Documentation

2.2 Download McAfee Agent 4.6 (or above) & Documentation

  Download McAfee Agent 4.8
  Download Documentation

2.3 Download McAfee EEFF 4.2

The document.zip contains following documents:

3 Installation of ePO Components

This POC guide assumes you have already installed McAfee ePO and the McAfee Agent on the system. If this has not been performed, please refer to the McAfee ePO product and installation documents.

The following files should have been downloaded during Section 2 above. If you are missing any of the following files, please revisit the download section.

EEFF software files

Note: The migration utility is in its own directory.

Before you begin
  Make sure you have the appropriate rights to modify the server settings, permission sets, users, and registered servers.
  Ensure your ePO server version is at 4.6 with Patch 6 or higher
  Ensure your McAfee Agent version is at least McAfee Agent 4.8 Patch 1 or higher
  Note the hostname or IP address of an Active Directory Domain Controller / AD Server
  Read the readme for known issues and other important information
  Consider engaging McAfee professional services to assist in your production installation

The files required for the extensions are:
1. EEFF-extension-4.2.x.zip
2. MfeEEFF_Client_4.2.x.zip
3. help_eeff_4x.zip (optional, but recommended)

3.1 Check in the EEFF extension into ePO 4.6

1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Software | Extensions | Install Extension. The Install Extension dialog box appears.
3 Click Browse and select the extension file (EEFF-extension-4.2.x.zip)
4 Click OK
5 Click Install Extension
6 Click Browse and select the extension file (help_eeff_42x.zip)
7 Click OK. The Install Extension page appears with the extension name and version details.

3.2 Check in the EEFF client package into ePO 4.6

1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Software | Master Repository
3 Click Actions | Check In Package. The Check In Package wizard opens.
4 Select Product or Update (.ZIP) from the Package type list, then browse to and select the package file (MfeEEFF_Client_4.2.x).
5 Click Next. The Package Options page appears.
6 Click Save to begin checking in the package. Wait while the package is checked in.
7 The new package appears in the Packages in Master Repository list on the Master Repository page.

4 Registering Windows Active Directory

Use this option to register a Windows Active Directory. You must have a registered LDAP server to use Policy Assignment Rules, to enable dynamically assigned permission sets, and to enable automatic and manual user account assignment.

Before you begin
Make sure you have the appropriate rights to modify the server settings, permission sets, users, and registered servers.

Note! As there are no changes made to the AD schema, a read-only account can be used. For the POC an individual account can be used; for production a Service Account is recommended.

Task
For option definitions, click ? in the interface.

1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Configuration | Registered Servers, then click New Server. The Registered Server Builder wizard opens.
3 From the Server type drop-down list on the Description page, select LDAP Server, specify a unique name (a user-friendly name) and any details, then click Next. The Details page appears.
4 Select Active Directory from LDAP server type, then type the Domain name or the Server name.
  Note! Use a DNS-style domain name. When using a DNS-style domain name, ensure that the McAfee ePO system is configured with appropriate DNS settings and can resolve the DNS-style domain name of the Active Directory. The Server name is the name or IP address of the system where the Windows Active Directory is present.
5 Type the User name.
  Note! The User name should be of the format domain\username for Active Directory accounts.
6 Type the Password and confirm it.
7 Click Test Connection to ensure that the connection to the server works
8 Click Save.

5 Using the Product Deployment task to deploy products to managed systems

Use these tasks to deploy products to managed systems with the Product Deployment client task. ePolicy Orchestrator allows you to create this task for a single system, or for groups of the System Tree.

Task
For option definitions, click ? in the interface.

1 Click Menu | Policy | Client Task Catalog, select McAfee Agent | Product Deployment as Client Task Types, then click Actions | New Task. The New Task dialog box appears.
2 Ensure that Product Deployment is selected, then click OK.
3 Type a name for the task you are creating and add any notes
4 Next to Target platforms, select the type(s) of platform to use the deployment. Windows is selected by default
5 Next to Products and components set the following:
  Products and components: Endpoint Encryption for Files and Folders 4.2.0
  Action: Install
  Language: Language Neutral
  Branch: Current
6 Click Save.
7 Click Menu | Systems | System Tree | Assigned Client Tasks, then select the required group in the System Tree. (TORENC)
8 Click Actions | New Client Task Assignment. The Client Task Assignment Builder wizard appears.
9 On the Select Task page, select Product as McAfee Agent and Task Type as Product Deployment, then select the task you created for deploying the product. (Deploy EEFF)
10 Next to Tags, select the desired platforms to which you are deploying the packages, then click Next
11 On the Schedule page, select whether the schedule is enabled, and specify the schedule details, then click Next. (For pushing out the deployment task through a wake-up agent, set the schedule type to Run Immediately.)
12 Review the summary, then click Save. The client task will have been associated to the System Tree group.

6 Deploying EEFF to client machines

There are two methods to deploy EEFF to the endpoint system. This can be accomplished through ePO or directly from the endpoint system.

6.1 Via a Wake up agent Creating and scheduling client tasks

Task
For option definitions, click ? in the interface.

1 Click Menu | Systems | System Tree | Systems, select the desired group in the System Tree, then click on the machine
2 Select system (Win701)
3 Click Wakeup Agent
4 Select Force complete policy and task update
5 Click OK
6 Check the Agent status monitor on the endpoint system

6.2 Perform following on the Endpoint System

1 Right click McAfee Shield
2 Select McAfee Agent Status Monitor
  The agent status monitor will show the deployment task that was received via the wake up call from ePO
3 When prompted, reboot the system
  The reboot is required for EEFF to enable the kernel level driver. When the machine has rebooted, perform the following to confirm the installation
4 Right click McAfee Shield
5 Click About
6 The following will be displayed confirming McAfee Endpoint Encryption for File and Folders 4.2 has been installed
6 Click OK

6.3 Installing EEFF from the Endpoint System

1 Right click McAfee Shield
2 Select McAfee Agent Status Monitor
3 Click Collect and Send props
4 When prompted, reboot the system
  The reboot is required for EEFF to enable the kernel level driver. When the machine has rebooted, perform the following to confirm the installation
5 Click About
6 The following will be displayed confirming McAfee Endpoint Encryption for File and Folders 4.2 has been installed
7 Click OK

7 User Case: Removable Media Encryption

The options Allow Encryption (with offsite access) and Enforce Encryption (with offsite access) of the Removable Media policy allow for password authentication and portable access to any USB removable media. These options were formerly known as EERM (Endpoint Encryption for Removable Media).

Removable Media policies can be assigned in a number of ways: using User Policy Assignment rules, System Policy Assignment rules, or by simply assigning the policy at the System Tree level.

Please refer to the KB at http://mysupport.mcafee.com for further detailed information and updated articles referring to Removable Media Encryption.

7.1 Creating a EEFF key for Removable USB Media recovery

Task
For option definitions, click ? in the interface.

1 Click Menu | Data Protection | EEFF keys. The EEFF Key Management page appears.
2 Click Actions | Create New Key. The Create a New Key dialog box appears.
3 Type a name (EERM Recovery Key) and a description for the key (Used for recovery).
4 Select Never expire key or an expiration date as required.
5 Click OK

The key just created will be displayed in the Key management page. Note that the State of the key is Active.

7.2 Policy Creation

Use this task to create the policy for Removable USB Media. Log in to McAfee ePO.

Task
For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog
2 Select the Product as Endpoint Encryption for Files and Folders 4.2.0
3 Select the Removable Media (UBP) Category from the drop-down lists.
4 Click My Default. The policy options will be displayed
5 Set the following settings:
  Select Enforce Encryption (with offsite access)
  Protected Area set to User Managed
6 Authentication Methods set to Either. For Recovery Methods, select Use recovery key and click the browse button at the right
7 Select EERM Recovery Key from the drop-down menu
9 Click OK

Step 10 is optional!

10 Define an individual text for the pop-up message shown when inserting an unprotected removable media device by editing the Customize UI Text displayed on inserting media text box
  Following message will appear if the Customize UI Text displayed on inserting media text box is blank:
  Note! When the default message is used, it is displayed in the language of the operating system, provided that language is supported by Endpoint Encryption for Files and Folders. As soon as an individual text is configured, a separate policy needs to be configured for every language.
11 Click Save.

7.3 Grant Key for Removable USB Media Policy

Use this task to grant the key. Log in to McAfee ePO.

Task
For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog
2 Select the Product as Endpoint Encryption for Files and Folders 4.2.0
3 Select the Grant Keys (UBP) Category from the drop-down lists.
7 Click My Default
8 Select the EERM Recovery Key
9 Click the button
10 Selected key will appear under selected keys, select the EERM Recovery key
11 Click Save

7.4 Password Rules for Removable USB Media Encryption

Task
For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog
2 Select the Product as Endpoint Encryption for Files and Folders 4.2.0
3 Select the Password Rules Category from the drop-down lists.
7 Click My Default
8 Set Password rules to your needs
  Note! Password rules apply to EERM, User Local Keys and Self-Extractor files

7.5 Assign Policy via the System Tree

Use this task to assign a policy to multiple managed nodes within a group. The policy that is used in this use case is created at the System Tree level. These types of policies can also be assigned via Policy Assignment Rules (PAR) by creating a User PAR or System PAR. For more information on using Policy Assignment Rules for assignment of policies, please refer to the following KB articles at https://kc.mcafee.com:

  KB 72719 How to create Endpoint Encryption for Files and Folders 4.x Policies
  KB 72775 Policy assignment interpretations in Endpoint Encryption for Files and Folders 4.x

Task
For option definitions, click ? in the interface.

1 Click Menu | Systems | System Tree | Systems, then select the desired group in the System Tree.
2 Click Assigned Policies
3 Select Endpoint Encryption for Files and Folders 4.2.0 from the product drop-down list.
4 Make sure that the My Default policy is assigned for Removable Media and Grant Keys
5 Click Edit Assignments to change the policy assignment if needed.
6 Click Save

7.6 Enforce policy update via Agent Wake-Up

Task
For option definitions, click ? in the interface.

1 Click Menu | Systems | System Tree | Systems, select the desired group in the System Tree, then click on the machine
2 Select System by selecting the check box
3 Click Wakeup Agent
4 Select Force complete policy and task update
5 Click OK
6 Check the Agent status monitor on the endpoint system to ensure the policy gets updated.
7 Right click McAfee Shield
8 Select McAfee Agent Status Monitor
9 Check if policies have been updated

7.7 Using McAfee Removable Media Encryption

To check if the policy got enforced, perform the following:

1 Right click McAfee Shield
2 Select McAfee Manage Features | Endpoint Encryption for Files and Folders
2 Expand Removable Media Policies, and check the policy on the client

When you insert a non-protected removable device on a client with EEFF installed and the policy for removable media enabled, a notification dialog box appears prompting you to initialize the device. Alternatively, you can initialize the removable media using the McAfee Endpoint Encryption for Files and Folders client console.

7.8 Use this task to initialize a removable media.

1 Right click McAfee Shield
2 Select McAfee Manage Features | Endpoint Encryption for Files and Folders
2 On the left pane, click Initialize device. The Initialize Removable Media window appears.
3 Provide a volume label.
4 In the Authentication section select Authentication Password and enter a password. For the password method, type a password that conforms to the My Default Password Rules policy.
  Note! The recovery methods available depend on the removable media encryption policy enforced on the system or the user.
5 Select Initialize
  Existing data on the device will not be affected. An encrypted container will be created and a directory called Unprotected Files will also be created. All existing data will be moved to the Unprotected Files directory.
6 Options available are Yes, No and Cancel. Click Yes
  If the following screen is displayed, the password does not meet the complexity rules defined in the My Default Password Rules policy. Please re-enter a valid password
7 This will create the new volume
8 Confirmation that the initialization is complete will be displayed

7.9 Recovery access

To recover access to an encrypted USB device, perform one of the following two tasks on the endpoint system.

7.9.1 Password Recovery via Pop GUI

1 Plug in the device. The following will be displayed
2 Click Recover
3 Because the policy is set to use a recovery key and because the key is available on this system, the key is immediately used and the device is unlocked. Click OK
4 Enter Password and repeat Password. If the password supplied does not meet the minimum complexity, an informational window will be displayed.
5 Click OK

7.9.2 Password Recovery via McAfee Tray Icon

1 Right click McAfee Shield
2 Select McAfee Manage Features | Endpoint Encryption for Files and Folders
2 Click Recover Media
3 Click Recover
4 The Recovery key option will be the only one available. Click Recovery
5 Enter Password and repeat Password. If the password supplied does not meet the minimum complexity, an informational window will be displayed.
6 Click OK

7.10 Moving an Encrypted file protected with EEFF key to protected USB Device

Note! When moving a file from an endpoint system that has been protected with an EEFF Key to an EERM protected device, the file level encryption will be removed. Instead, the file will be protected by residing in the encrypted EERM container. Removing the dual encryption makes it possible to access that file from systems that do not have the EEFF client software installed.

7.11 Troubleshooting tips

When attempting to initialize a device to be protected, an error such as the one shown below might be seen. The following should be checked as possible causes:

1 Ensure the Recovery key has been granted access to be used for recovery. Check the Grant Key policy in ePO or check Manage Features for the available keys
2 Check the file system on the device to ensure the file system is recognized
3 Check the device hardware

If the above does not resolve the issue with initialization, an SR will have to be raised with McAfee Support. In this instance it is advisable to obtain the trace file; refer to the product guide.

7.12 Check USB Reporting capabilities

Task
For option definitions, click ? in the interface.

1 Click Menu | Reporting | Queries & Reports | Shared Groups | EEFF Queries, select Run from the Removable Media Device Events

System Information
  User Info (DomainName\UserName)
  Time Stamp
  Agent GUID

Initialization
  Initialization State (FAILED, CANCELLED, SUCCESSFUL)
  Backup State (NONE, FAILED, CANCELLED, SUCCESSFUL)
  Backup Size
  Time taken for initialization
  Time taken for backup
  Size of protected part (Valid only when initialization has completed successfully)
  User Response (ACCEPTED, REJECTED (when user selects to Yes/No for EERM initialization prompt))

Device Information
  Size (Bytes)
  File System of device (FAT, NTFS, EERM : in case EERM protected devices)
  Vendor Name
  Product Name
  Exempted (YES, NO, UNKNOWN)
  Protected (only EERM protected devices are considered protected) (YES, NO, UNKNOWN)

7.12.1 Create a customized report Top 10 removable media users

Task
For option definitions, click ? in the interface.

1 Click Menu | Reporting | Queries & Reports
2 Click Actions | New
3 Click Endpoint Encryption for Files and Folders from Feature Group
4 Click Removable Media Device Events | Next
5 Click Single Group Summary Table from Display Result As
6 Choose Number of Removable Media Device Events from the Values are: drop-down list
7 Choose User Name from the Labels are drop-down list
8 Choose 10 as Maximum items
9 Click Next
10 Add User Name to the Selected Columns
11 Click Next
12 Click Run to show the results

8 User Case: Folder Encryption for Local Folders

EEFF policies can be assigned in a number of ways: using User Policy Assignment rules, System Policy Assignment rules, or by simply assigning the EERM policy at the System Tree level. Please refer to Knowledge Base articles for further detailed information on this subject.

8.1 Creating a key for all Enterprise Users

Task
For option definitions, click ? in the interface.

1 Click Menu | Data Protection | EEFF keys. The EEFF Key Management page appears
2 Click Actions | Create New Key. The Create a New Key dialog box appears
3 Type a name (Corp Key) and a description for the key (Key for all Domain Users)
4 Select Never expire key or an expiration date as required
5 Click OK

The Corp Key just created will be displayed in the Key management page. Note that the State of the key is Active.

Repeat Steps above 2 thru 5 for creating a Key for HR

1 Click Actions | Create New Key. The Create a New Key dialog box appears
2 Type a name (HR key) and a description for the key (Key for HR)
3 Select Never expire key or an expiration date as required
4 Click OK

8.2 Creating Policy for Folder Encryption

Use this task to create the policy for folder encryption. Log in to McAfee ePO.

Task
For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog
2 Select the Product as Endpoint Encryption for Files and Folders 4.2.0
3 Select Folder Encryption (UBP) from the drop-down lists.
4 Click Duplicate on the McAfee Default policy. The Duplicate Existing Policy window is displayed
5 Type Corp Document Policy and add a description in the notes field
6 Click OK
7 Click Corp Documents Policy
8 The policy options will be displayed. For the path, click the Right Arrow and select [Documents]
10 Click Browse next to Key:
11 Select Corp key by using the browse button
12 Click Save

Repeat Steps above 2 thru 8 for creating a folder policy for HR

2 Click Duplicate on the McAfee Default policy. The Duplicate Existing Policy window is displayed
3 Type HR Folder Policy and add a description in the notes field
4 Click OK
5 Click HR Folder Policy
6 The Folder Encryption Options will be displayed. For the path, enter the UNC path to the share
7 Click Browse next to Key:
8 Select the HR key by using the browse button
9 Click Save

8.3 Grant Key for Corp Key

Use this task to make Corp Key available via the Grant Key policy.

Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog.
2 Select the Product as Endpoint Encryption for Files and Folders 4.2.0.
3 Select the Grant Keys (UBP) Category from the drop-down lists.
4 Click My Default.

5 Select the Corp Key.
6 Click the button.
7 The selected key will appear under selected keys. Select the Corp Key.
8 Click Save.

8.4 Assigning Policy to Systems

Use this task to assign the policy to machines.

Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | System Tree.
2 Click My Organization | Assigned Policies to assign the folder policy to this group.
3 Click Edit Assignment on Actions.

4 Select Corp Documents Policy from the Assigned Policy drop-down list.
5 Click Save.

8.5 Wake up agent to enforce policy update

Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Systems, select the desired group in the System Tree, then click on the machine.
2 Select the system (Win701).
3 Click Wakeup Agent.

4 Select Force complete policy and task update.
5 Click OK.
6 Check the Agent Status Monitor on the endpoint system to ensure the policy gets updated.
7 Right-click McAfee Shield.
8 Select McAfee Agent Status Monitor.

8.6 Using Folder Policy for Corp Users

To check the EERM policy received from ePO, perform the following:
1 Right-click McAfee Shield.
2 Select McAfee Manage Features | Endpoint Encryption for Files and Folders.
2 Expand Folder Policies and Available Keys. Note that the following settings should be enabled:
  Folder Policies should display [MYDOCUMENTS]
  Available Keys: EERM Recovery Key and Corp Key
3 Open My Documents.

You can see that the files in My Documents are encrypted, as indicated by the padlock icon.

9 User Case: Folder Encryption for HR Share

Use this task to create the policy for folder encryption. Log in to McAfee ePO. The HR key that will be used was created in 8. If this step was missed, please revisit Section 8.1 Creating a key for all Enterprise Users, Step 6.

Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Assignment Rules.
2 Click New Assignment Rule.
3 Type a name for the New Policy Assignment Rule and a Description.

4 Select User Based Rule Type.
5 Click Add Policy.
6 Select Product: Endpoint Encryption for Files and Folders; Category: Folder Encryption; Policy: HR Folder.
7 Click +.
8 Select Product: Endpoint Encryption for Files and Folders; Category: Grant Keys (multislot); Policy: HR Grant Key Policy.

9 Click Next. This will display the Policy Assignment builder.
10 Click next to Group Membership.
11 Click the Browse button next to Group Membership.

12 Find the HR group and select it.
13 Click OK.
14 Click Next.

15 Click Save. The HR Policy Assignment Rule will show.

9.1 Wake up agent to enforce policy update

Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Systems, select the desired group in the System Tree, then click on the machine.
2 Select the system (Win701).

3 Click Wakeup Agent.
4 Select Force complete policy and task update.
5 Click OK.
6 Check the Agent Status Monitor on the endpoint system to ensure the policy gets updated.

9.2 Using Folder Policy for Corp Users

To check the EERM policy received from ePO, perform the following:
1 Right-click McAfee Shield.
2 Select McAfee Manage Features | Endpoint Encryption for Files and Folders.
2 Expand Folder Policies and Available Keys. Note that the following settings should be enabled:
  Folder Policies should display [MYDOCUMENTS] and \\epo46srv\hr
  Available Keys: EERM Recovery Key, Corp Key and HR Key
3 Open My Documents.

You can see that the files in My Documents are encrypted, as indicated by the padlock icon. Open the \\epo46srv\hr share and you can see that the documents are encrypted with the HR key. Copy a file from the HR share to the C:\ drive. Log in as a non-HR user; you should not have access to the files in the HR share.

10 User Driven Actions

Additional options can be provided to users to allow for additional functionality that is controlled by the user on the endpoint system. This functionality is optional and is controlled via policy through ePO. Some of the most common features include:
  Creation of Self Extracting files
  Explicit Encryption
  Explicit Decryption

Use this task to turn on User Driven Options. Log in to McAfee ePO.

Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog.
2 Select the Product as Endpoint Encryption for Files and Folders 4.2.0.
3 Select the General (UBP) Category from the drop-down lists.
4 Click My Default. The policy options will be displayed.

5 Select Allow Explicit Encrypt and Allow Explicit Decrypt.
6 Click Save.

10.1 Wake up agent to enforce policy update

1 Click Menu | Systems | System Tree | Systems, select the desired group in the System Tree, then click on the machine.
2 Select the system (Win701).
3 Click Wakeup Agent.
4 Select Force complete policy and task update.

5 Click OK.
6 Check the Agent Status Monitor on the endpoint system to ensure the policy gets updated.
7 Right-click McAfee Shield.
8 Select McAfee Agent Status Monitor.

To check the EERM policy received from ePO, perform the following on the endpoint system:
10 Right-click McAfee Shield.
11 Select McAfee Manage Features | Endpoint Encryption for Files and Folders.
12 Expand Simple Policies. Note that the following settings should be enabled:

  Enable Decrypt: Yes
  Enable Encrypt: Yes
  Enable Self Extractors: Yes

10.2 Explicit Encryption

The Encrypt option on the context menu allows you to manually encrypt a file or a folder. This option is unavailable to users if the file or the folder has been encrypted by policy. Perform this task from the endpoint system.

1 Right-click a file.
2 Select McAfee Endpoint Encryption.
3 Select Encrypt.
4 Select the key to use for encryption. The list is derived from the available keys provided by the policy. Choose Corp Key from the drop-down list.
5 Select OK.

This can also be used if a file is to be encrypted with the HR key, making it shareable only by the group that has been granted access to the key.

10.3 Explicit Decryption

The Decrypt option on the context menu allows you to manually decrypt a file or folder. This option is unavailable to users if the folder has been encrypted by policy. Perform this task from the endpoint system.

Right-click a file that has been encrypted with EEFF, denoted by the padlock icon. Looking at the properties and selecting the Encryption tab will provide the details of which key was used for encrypting the file.

1 Right-click a file.
2 Select McAfee Endpoint Encryption.
3 Select Decrypt.

The file is decrypted; in this instance the padlock icon has been removed.

10.4 Creation of Self Extractors

Self-Extractors are password-encrypted executable files that can also be decrypted on non-EEFF client systems. The password used to create the Self-Extractor is required to read it. You can change the name of the Self-Extractor. By default, it is named after its source file/folder with the *.exe extension.

1 Right-click a file.
2 Select McAfee Endpoint Encryption.
3 Select Create Self-Extractor (filename.xxx.exe).
4 Enter a Password and Confirm.

If the following screen is displayed, the password does not meet the complexity rules defined in the My Default Password Rules policy. Please re-enter a valid password.

5 Click OK. The file will be successfully created.

To use the file, click on the file and you will be prompted for the password.

11 Conclusion

This POC guide has provided a step-by-step guide on how to install and configure McAfee Endpoint Encryption for Files and Folders, along with step-by-step instructions on how to configure the following User Cases:
  Removable Media Encryption
  Local Folder Encryption using Folder Encryption
  Network Folder Encryption
  User Driven Actions

11.1 Further Information

For further information please refer to the following documentation and reference material:
  Release Notes: readme_en-us.html
  Product Guide: eeff_420_product_guide_en-us.pdf
  User Guide: eeff_420_user_guide_en-us.pdf
  Migration Guide: eeff_420_migration_guide_en-us.pdf

Other Useful Links
  Knowledge Base articles:
    https://kc.mcafee.com/corporate/index?page=home (Searchable)
    https://mysupport.mcafee.com/eservice/productdocuments.aspx?strpage=3&pl=0 (by Product)
  McAfee Use Case for Removable USB Media Encryption:
    https://community.mcafee.com/community/business/data/epoenc/blog/2012/12/14/how-tohandle-removable-media-encryption-with-endpoint-encryption-for-files-and-folders-41
  McAfee Support Site:
    https://mysupport.mcafee.com/eservice/default.aspx
  McAfee Product Download Site:
    http://www.mcafee.com/us/downloads/downloads.aspx
  McAfee Technical Video Channel:
    http://www.youtube.com/mcafeetechnical