McAfee ENDPOINT ENCRYPTION ENTERPRISE - BEST PRACTICES GUIDE User's Guide

Best Practices GuideMcAfee Endpoint Encryption for PC 6.2SoftwareFor use with ePolicy Orchestrator 4.5, 4.6 Software

The overall experience and tasks of an administartor and users in installing and using EEPC are exactlythe same regardless of whether the target syste

5Click Actions | Endpoint Encryption | Configure UBP enforcement. The Configure UBP enforcement pageappears with Enable and Disable options.6Select En

information about installing or using McAfee ePO, see the ePolicy Orchestrator product documentationfor versions 4.5 and 4.6.Supported environments fo

3Software configuration and policiesWhen planning for a rollout and deployment of EEPC, we recommend that you understand thefollowing important tasks

Active Directory configurationEEPC users are not created from the McAfee ePO server. They are assigned to the client systems froman Active Directory (

The McAfee ePO server allows the administrator to filter user accounts that can be imported into EEPC,based on a portion of LDAP. For example, if the

EE LDAP Server User/Group SynchronizationMake sure you use the correct user attribute format in the EE LDAP Server User/GroupSynchronization task. Mat

User CertificateThe User Certificate attribute is used by the McAfee ePO Server to determine which certificate shouldbe sent from ePolicy Orchestrator

Recommended Product Settings PolicyThe Product Settings Policy controls the behavior of the EEPC client. For example, it contains theoptions for enabl

Table 3-1 Recommended Product Settings PoliciesPolicyOptionsRecommendationsGeneral Tab• Enable Policy — Leave this option checked (enabled). This pol

COPYRIGHTCopyright © 2012 McAfee, Inc. Do not copy without permission.TRADEMARK ATTRIBUTIONSMcAfee, the McAfee logo, McAfee Active Protection, McAfee

Table 3-1 Recommended Product Settings Policies (continued)PolicyOptionsRecommendationsLog On Tab• Enable Automatic Booting — Leave this option unch

Table 3-1 Recommended Product Settings Policies (continued)PolicyOptionsRecommendationsYou need to enable the matching rules that are required for m

Recommended User-Based Policy SettingsThe User-Based Policy controls the parameters for EEPC user accounts. For example, it contains theoptions for se

Table 3-2 Recommended User Based Policy SettingsPolicyOptionsRecommendationsAuthentication Tab• Token type: Select Password only. There are a number

Phased deployment strategiesEEPC deployment (first time installation) can be done in various phases with different policy settingsfor different corpor

Auto bootingAuto Booting (Enable Automatic Booting) is used by administrators for re-imaging process, patchingcycles, and product deployments. Many so

3Software configuration and policiesPhased deployment strategies26McAfee Endpoint Encryption for PC 6.2 Software Best Practices Guide

4Deployment and activationThe purpose of this section is to provide guidance with troubleshooting on why the Windows operatingsystem will not start; e

Basic preparations and recommendationsThe following recommendations will make sure that your data is protected during and after theencryption process.

Administrators should also run performance testing during the pilot test.McAfee professionals did not come across any performance related issues with

ContentsPreface 5About this guide ...5Audience ...5Conventions ...

6Add a user to the client system. Decide whether to add the users manually in ePolicy Orchestratoror to add users using the Add local domain user opti

You can also create two separate tasks to deploy the packages, providing you wait for the firstdeployment (EEAgent) to complete before deploying the s

When enabled, the EEAgent queries the client system for the currently/previously logged on domainusers to the client. The EEAgent will then send the c

EEPC activation sequenceWhen EEAgent and EEPC are successfully deployed, the users will be prompted to restart their system.The restart can be cancele

In short, the SSO option facilitates the user with the single authentication to the Operating Systemeven when PBA is enabled. Though it requires an ex

5Operations and maintenanceManaging your systems in different batches, branches or groups will make a great impact for EEPCdeployment. It is a good pr

What if a user is disabled from LDAP?If a user account that is initialized on the client system, and is later removed from LDAP, then it will beautoma

node does not have any users assigned to the client system. The administrator must therefore assignusers to allow login, or enable the Add local domai

What happens to Machine Keys when moving systems from one branch to anotherin ePolicy Orchestrator?The LeafNode is not deleted from ePolicy Orchestrat

Before you begin• Make sure that your LDAP server is configured and registered in ePolicy Orchestrator.• Make sure that you schedule and run the EE LD

Upgrade to EEPC 6.2 ...457 Use ePolicy Orchestrator to report client status 47Track the progress of the deployment and en

• Longer ASCI interval• Password only deployments should remove certificate query from EE LDAP User/Group Synchronization task.The User Certificate at

6Migration and upgradeEEPC 6.2 has an improved architecture and interface.Due to these improvements, some functionality from earlier versions of the p

Importing the systems or users from 5.x.x database into the McAfee ePO server• Make sure that 5.x.x and 6.2 are connected to the same LDAP server duri

General recommendations• Retain the 5.x.x database for some time, so that you can access it case any loss or theft of adevice after the migration.• Mi

• It is important to understand the export options; Machines and Users in the export wizard. You canselect any one of the options to export the requir

attributes. The results are color-coordinated, so that it is easy for the administrator to analyze theresults.• Green indicates a single match• Orange

What happens to a partially encrypted 5.x.x system after the migration?A partially encrypted 5.x.x system gets fully encrypted or decrypted as per the

7Use ePolicy Orchestrator to report clientstatusMcAfee ePolicy Orchestrator provides comprehensive management and reporting tools for EEPC.Administrat

EEPC makes this task easy. An administrator can log on to McAfee ePO and, in just a few clicks, beable to produce a report showing that the missing co

IndexAabbreviations 7about this guide 5activation 27AD 14, 30add local domain users 18, 31, 34–36add users 14Agent wake-up call 33algorithm 45ASCI 9,

PrefaceThis guide provides the information on best practices on using EEPC.Contents About this guide Find product documentationAbout this guideT

OOpal 9, 36operations 35OU 14, 31Ppassword 22, 31PBA 7, 11, 18, 27, 31, 33–35, 41permission sets 38, 44phased deployment 13, 24pilot test 28policiesPr

00

Find product documentationMcAfee provides the information you need during each phase of product implementation, frominstallation to daily use and trou

1IntroductionMcAfee Endpoint Encryption for PC (EEPC) provides superior encryption across a variety of endpointssuch as desktops and laptops. The EEPC

Table 1-1 Abbreviations (continued)Titles DesignationsEEM Endpoint Encryption ManagerEEPC Endpoint Encryption for PCePO ePolicy OrchestratorLDAP Lig

2Design philosophyThe McAfee ePO server is a central store of configuration information for all systems, servers, policies,and users.Each time the adm