Best Practices GuideMcAfee Endpoint Encryption for PC 6.2SoftwareFor use with ePolicy Orchestrator 4.5, 4.6 Software
The overall experience and tasks of an administartor and users in installing and using EEPC are exactlythe same regardless of whether the target syste
5Click Actions | Endpoint Encryption | Configure UBP enforcement. The Configure UBP enforcement pageappears with Enable and Disable options.6Select En
information about installing or using McAfee ePO, see the ePolicy Orchestrator product documentationfor versions 4.5 and 4.6.Supported environments fo
3Software configuration and policiesWhen planning for a rollout and deployment of EEPC, we recommend that you understand thefollowing important tasks
Active Directory configurationEEPC users are not created from the McAfee ePO server. They are assigned to the client systems froman Active Directory (
The McAfee ePO server allows the administrator to filter user accounts that can be imported into EEPC,based on a portion of LDAP. For example, if the
EE LDAP Server User/Group SynchronizationMake sure you use the correct user attribute format in the EE LDAP Server User/GroupSynchronization task. Mat
User CertificateThe User Certificate attribute is used by the McAfee ePO Server to determine which certificate shouldbe sent from ePolicy Orchestrator
Recommended Product Settings PolicyThe Product Settings Policy controls the behavior of the EEPC client. For example, it contains theoptions for enabl
Table 3-1 Recommended Product Settings PoliciesPolicyOptionsRecommendationsGeneral Tab• Enable Policy — Leave this option checked (enabled). This pol
COPYRIGHTCopyright © 2012 McAfee, Inc. Do not copy without permission.TRADEMARK ATTRIBUTIONSMcAfee, the McAfee logo, McAfee Active Protection, McAfee
Table 3-1 Recommended Product Settings Policies (continued)PolicyOptionsRecommendationsLog On Tab• Enable Automatic Booting — Leave this option unch
Table 3-1 Recommended Product Settings Policies (continued)PolicyOptionsRecommendationsYou need to enable the matching rules that are required for m
Recommended User-Based Policy SettingsThe User-Based Policy controls the parameters for EEPC user accounts. For example, it contains theoptions for se
Table 3-2 Recommended User Based Policy SettingsPolicyOptionsRecommendationsAuthentication Tab• Token type: Select Password only. There are a number
Phased deployment strategiesEEPC deployment (first time installation) can be done in various phases with different policy settingsfor different corpor
Auto bootingAuto Booting (Enable Automatic Booting) is used by administrators for re-imaging process, patchingcycles, and product deployments. Many so
3Software configuration and policiesPhased deployment strategies26McAfee Endpoint Encryption for PC 6.2 Software Best Practices Guide
4Deployment and activationThe purpose of this section is to provide guidance with troubleshooting on why the Windows operatingsystem will not start; e
Basic preparations and recommendationsThe following recommendations will make sure that your data is protected during and after theencryption process.
Administrators should also run performance testing during the pilot test.McAfee professionals did not come across any performance related issues with
ContentsPreface 5About this guide ...5Audience ...5Conventions ...
6Add a user to the client system. Decide whether to add the users manually in ePolicy Orchestratoror to add users using the Add local domain user opti
You can also create two separate tasks to deploy the packages, providing you wait for the firstdeployment (EEAgent) to complete before deploying the s
When enabled, the EEAgent queries the client system for the currently/previously logged on domainusers to the client. The EEAgent will then send the c
EEPC activation sequenceWhen EEAgent and EEPC are successfully deployed, the users will be prompted to restart their system.The restart can be cancele
In short, the SSO option facilitates the user with the single authentication to the Operating Systemeven when PBA is enabled. Though it requires an ex
5Operations and maintenanceManaging your systems in different batches, branches or groups will make a great impact for EEPCdeployment. It is a good pr
What if a user is disabled from LDAP?If a user account that is initialized on the client system, and is later removed from LDAP, then it will beautoma
node does not have any users assigned to the client system. The administrator must therefore assignusers to allow login, or enable the Add local domai
What happens to Machine Keys when moving systems from one branch to anotherin ePolicy Orchestrator?The LeafNode is not deleted from ePolicy Orchestrat
Before you begin• Make sure that your LDAP server is configured and registered in ePolicy Orchestrator.• Make sure that you schedule and run the EE LD
Upgrade to EEPC 6.2 ...457 Use ePolicy Orchestrator to report client status 47Track the progress of the deployment and en
• Longer ASCI interval• Password only deployments should remove certificate query from EE LDAP User/Group Synchronization task.The User Certificate at
6Migration and upgradeEEPC 6.2 has an improved architecture and interface.Due to these improvements, some functionality from earlier versions of the p
Importing the systems or users from 5.x.x database into the McAfee ePO server• Make sure that 5.x.x and 6.2 are connected to the same LDAP server duri
General recommendations• Retain the 5.x.x database for some time, so that you can access it case any loss or theft of adevice after the migration.• Mi
• It is important to understand the export options; Machines and Users in the export wizard. You canselect any one of the options to export the requir
attributes. The results are color-coordinated, so that it is easy for the administrator to analyze theresults.• Green indicates a single match• Orange
What happens to a partially encrypted 5.x.x system after the migration?A partially encrypted 5.x.x system gets fully encrypted or decrypted as per the
7Use ePolicy Orchestrator to report clientstatusMcAfee ePolicy Orchestrator provides comprehensive management and reporting tools for EEPC.Administrat
EEPC makes this task easy. An administrator can log on to McAfee ePO and, in just a few clicks, beable to produce a report showing that the missing co
IndexAabbreviations 7about this guide 5activation 27AD 14, 30add local domain users 18, 31, 34–36add users 14Agent wake-up call 33algorithm 45ASCI 9,
PrefaceThis guide provides the information on best practices on using EEPC.Contents About this guide Find product documentationAbout this guideT
OOpal 9, 36operations 35OU 14, 31Ppassword 22, 31PBA 7, 11, 18, 27, 31, 33–35, 41permission sets 38, 44phased deployment 13, 24pilot test 28policiesPr
00
Find product documentationMcAfee provides the information you need during each phase of product implementation, frominstallation to daily use and trou
1IntroductionMcAfee Endpoint Encryption for PC (EEPC) provides superior encryption across a variety of endpointssuch as desktops and laptops. The EEPC
Table 1-1 Abbreviations (continued)Titles DesignationsEEM Endpoint Encryption ManagerEEPC Endpoint Encryption for PCePO ePolicy OrchestratorLDAP Lig
2Design philosophyThe McAfee ePO server is a central store of configuration information for all systems, servers, policies,and users.Each time the adm
Comments to this Manuals