McAfee ENDPOINT ENCRYPTION ENTERPRISE - BEST PRACTICES GUIDE Operating Instructions

Browse online or download the Operating Instructions for Server McAfee ENDPOINT ENCRYPTION ENTERPRISE - BEST PRACTICES GUIDE. McAfee ENDPOINT ENCRYPTION ENTERPRISE - BEST PRACTICES GUIDE Product guide, User manual


Table of contents

Page 1 - Software

Best Practices Guide McAfee Endpoint Encryption 7.0 Patch 1 Software For use with ePolicy Orchestrator 4.6 Software

Page 2 - License Agreement

The overall experience and tasks of an administrator and users in installing and using EEPC are exactly the same regardless of whether the target syste

Page 3 - Contents

Task 1. Click Menu | Reporting | Queries. The Queries page opens. 2. Select Endpoint Encryption from Shared Groups in Groups pane. The standard EE query lis

Page 4 - Index 61

How Endpoint Encryption works A boot sequence is executed by the BIOS (Windows) or firmware (Mac) leading to the starting of the bootable operating syst

Page 5 - About this guide

information about installing or using McAfee ePO, see the ePolicy Orchestrator product documentation for version 4.6. Supported environments for McAfee

Page 6 - Find product documentation

1. Install the EEGO extension (EEGO.ZIP) in McAfee ePO. Repeat the same procedures used for installing the product extension. 2. Check in the EEGO software

Page 7 - Introduction

3 Software configuration and policies When planning for a rollout and deployment of EEPC/EEMac, we recommend that you understand the following important

Page 8 - Abbreviations

Active Directory configuration Endpoint Encryption users are not created from the McAfee ePO server. They are assigned to the client systems from an Act

Page 9

EE LDAP Server User/Group Synchronization Make sure you use the correct user attribute format in the EE LDAP Server User/Group Synchronization task. Mat

Page 10 - Endpoint Encryption Policies

EE LDAP Server User/Group Synchronization task log The administrator can also view a log of this particular server task by double clicking the particul

Page 11 - Design overview

The McAfee ePO server allows the administrator to filter user accounts that can be imported into EEPC/EEMac, based on a portion of LDAP. For example, i

Page 12 - McAfee ePO requirements

COPYRIGHT Copyright © 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee

Page 13 - Software requirements

Recommended Product Settings Policy The Product Settings Policy controls the behavior of the Endpoint Encryption client. For example, it contains the op

Page 14 - Pre‑boot Smart Check

Table 3-1 Recommended Product Settings Policies Policy Options Recommendations General Tab • Enable Policy — Leave this option checked (enabled). This po

Page 15

Table 3-1 Recommended Product Settings Policies (continued) Policy Options Recommendations specifying the Windows or Mac drive letters/volume names. Part

Page 16

Table 3-1 Recommended Product Settings Policies (continued) Policy Options Recommendations Log On Tab • Enable automatic booting — Leave this option unche

Page 17 - Display Name

Table 3-1 Recommended Product Settings Policies (continued) Policy Options Recommendations and hence EEPC is activated, even if the administrator has not

Page 18 - Adding users

Table 3-1 Recommended Product Settings Policies (continued) Policy Options Recommendations user for which it was captured. When you select the Enable SSO

Page 19 - Figure 3-4 Adding EE users

Table 3-1 Recommended Product Settings Policies (continued) Policy Options Recommendations Boot Options Tab (Windows only) • Enable Boot Manager — Leave this

Page 20

Table 3-1 Recommended Product Settings Policies (continued) Policy Options Recommendations Encryption Providers Tab (Windows only) • Use compatible MBR — Lea

Page 21

Recommended User-Based Policy Settings The User‑Based Policy controls the parameters for Endpoint Encryption user accounts. For example, it contains the

Page 22

Table 3-2 Recommended User Based Policy Settings Policy Options Recommendations Authentication Tab • Token type: Select Password only. There are a number

Page 23

Contents Preface 5 About this guide ... 5 Audience ... 5 Conventions ...

Page 24

Table 3-2 Recommended User Based Policy Settings (continued) Policy Options Recommendations Password Content Rules Tab • Password length — Use default. • En

Page 25

• Deploy the EEAgent and EEPC packages to the client system. • Activate EEPC and restart client system. Best practices and recommendations for using Int

Page 26

• Create a query in ePolicy Orchestrator to find all systems that need to stop autobooting and assign the second policy to these systems. • Send an agen

Page 27

4 Deployment and activation The purpose of this section is to provide guidance with troubleshooting on why the Windows or Mac operating system will not s

Page 28

Basic preparations and recommendations The following recommendations will make sure that your data is protected during and after the encryption process.

Page 29

• Create and test the customized EETech WinPE V1 or V3 or V4 (for UEFI systems) Disk with EEPC drivers installed. • Create and test an EETech Standalone

Page 30 - AMT and EEPC

High level process of the installation This section lists the steps and considerations involved in Endpoint Encryption deployment and activation. This pr

Page 31 - Phased deployment strategies

Order of the EEAgent and Endpoint Encryption deployment It is not mandatory to have two different tasks for the product deployment. You can create one

Page 32 - Auto booting

So, it is always better to execute the deployment using a single task wherein you need to deploy the EEAgent package first then the EEPC/EEMac package.

Page 33 - Deployment and activation

End user experience The deployment task pushes both the Endpoint Encryption Agent and the EEPC/EEMac components to the selected systems. The installatio

Page 34

6 Migration and upgrade 51 Best practices for migration and upgrade ... 51 Export user assignments from 5.x.x database ...

Page 35

When enabled, the EEAgent queries the client system for the currently/previously logged on domain users to the client. The EEAgent will then send the c

Page 36

Endpoint Encryption activation sequence When the EEAgent and EEPC/EEMac packages are successfully deployed, the users will be prompted to restart their

Page 37

Single Sign On (SSO) The EEPC client system then boots to Windows. This first boot establishes SSO (if it has been enabled). On future restarts, the use

Page 38

Skip Unused Sectors Skip Unused Sectors is one of the new features of offline activation that is introduced in EEPC 7.0 Patch 1. For more information ab

Page 39 - Add group users

4 Deployment and activation Skip Unused Sectors 44 McAfee Endpoint Encryption 7.0 Patch 1 Software Best Practices Guide

Page 40 - At the server side

5 Operations and maintenance Managing your systems in different batches, branches or groups will make a great impact for Endpoint Encryption deployment.

Page 41 - Endpoint Encryption Status

What if a user is disabled from LDAP? If a user account that is initialized on the client system, and is later removed from LDAP, then it will be automa

Page 42 - Single Sign On (SSO)

What happens to the Machine Key when you delete an Endpoint Encryption active system from ePolicy Orchestrator? The Machine Key remains in the ePolicy O

Page 43 - Skip Unused Sectors

How to destroy the recovery information for an Endpoint Encryption installed system? When you want to secure‑erase the drives in your Endpoint Encryptio

Page 44

You can create different permission roles and assign them with different Endpoint Encryption Permission Sets to different users. Figure 5-1 Endpoint En

Page 45 - Operations and maintenance

Preface This guide provides the information on best practices on using McAfee Endpoint Encryption. Contents About this guide Find product document

Page 46 - Manage Machine Keys

• Longer ASCI interval • Password only deployments should remove certificate query from EE LDAP User/Group Synchronization task. The User Certificate att

Page 47

6 Migration and upgrade EEPC 7.0 Patch 1 has an improved architecture and interface. Due to these improvements, some functionality from earlier versions

Page 48 - Encryption

Importing the systems or users from 5.x.x database into the McAfee ePO server • Make sure that 5.x.x and 7.0 Patch 1 are connected to the same LDAP ser

Page 49 - EEPC 7.0 Patch 1 scalability

General recommendations • Retain the 5.x.x database for some time, so that you can access it in case of any loss or theft of a device after the migration. • Mi

Page 50

• It is important to understand the export options; Machines and Users in the export wizard. You can select any one of the options to export the requir

Page 51 - Migration and upgrade

attributes. The results are color‑coordinated, so that it is easy for the administrator to analyze the results. • Green indicates a single match • Orange

Page 52

What happens to a partially encrypted 5.x.x system after the migration? A partially encrypted 5.x.x system gets fully encrypted or decrypted as per the

Page 53 - Best practices

7 Use ePolicy Orchestrator to report client status McAfee ePolicy Orchestrator provides comprehensive management and reporting tools for Endpoint Encrypti

Page 54

Track the progress of the deployment and encryption status The progress of the EEPC/EEMac deployment and the number of encrypted drives can be easily de

Page 55 - Upgrade to EEPC 7.0 Patch 1

Endpoint Encryption makes this task easy. An administrator can log on to McAfee ePO and, in just a few clicks, be able to produce a report showing that

Page 56 - EETech recovery tool

Find product documentation McAfee provides the information you need during each phase of product implementation, from installation to daily use and trou

Page 57

7 Use ePolicy Orchestrator to report client status Report encryption status from McAfee ePO 60 McAfee Endpoint Encryption 7.0 Patch 1 Software Best Pract

Page 58

Index A abbreviations 8 about this guide 5 activation 33 AD 16, 36 add local domain users 20, 39, 42, 45, 46 add users 16 Agent wake-up call 41 algorithm 55 AMT

Page 59

McAfee ServicePortal, accessing 6 migration 51 O Opal 9, 46 operations 45 OU 16, 39 P password 28, 39 PBA 7, 11, 20, 33, 39, 41, 42, 45, 51 permission sets 48,

Page 61

1 Introduction McAfee Endpoint Encryption provides superior encryption across a variety of endpoints such as desktops and laptops. The Endpoint Encryptio

Page 62

• AD/LDAP • The associated Endpoint Encryption communication This document encapsulates the professional opinions of Endpoint Encryption certified engin

Page 63

2 Design overview The McAfee ePO server is a central store of configuration information for all systems, servers, policies, and users. Each time the admin
