McAfee Endpoint Encryption provides superior encryption across a variety of endpoints such as desktops and laptops. The Endpoint Encryption solution uses strong access control with Pre-Boot Authentication (PBA) and a NIST-approved algorithm to encrypt data on endpoints. Encryption and decryption are completely transparent to the end user and performed without hindering system performance. Administrators can easily implement and enforce security policies that control how sensitive data is encrypted. These policies allow the administrators to monitor real-time events and generate reports to demonstrate compliance with internal and regulatory requirements.
Endpoint Encryption has the advantage over other competitive encryption products because it engages encryption prior to loading of the Windows or Mac operating system, while data is at rest.
Trial Installation Requirements
During the installation of this McAfee endpoint suite, the Endpoint Encryption for PC client and associated management files were checked into your McAfee ePO server. A deployment task was automatically created for you as well. Note that after deployment of Endpoint Encryption, a reboot is required.
- Register your Active Directory server
- Set Windows authorization in McAfee ePO
- Modify policies
- Test for successful deployment and encryption on an endpoint
- Consider additional requirements for pre-boot network stack
Before you begin
Registering Windows Active Directory (this section is taken directly from the product readme)
Use this option to register a Windows Active Directory. You must have a registered AD to use Policy Assignment Rules, to enable dynamically assigned permission sets, and to enable automatic user account creation.
This is the procedure for registering a Windows Active Directory.
- Log on to the McAfee ePO server as an administrator.
- Click Menu | Configuration | Registered Servers then click New Server The Registered Server Builder wizard opens.
- From the Server type drop-down list on the Description page, select LDAP Server, specify a unique name (a user friendly name) and any details, then click Next. The Details page appears.
- Type the Server name. Note: The Server name is the name or IP address of the system where the Windows Active Directory is present
- Type the User name.
Note: User name should be of the format: domain\Username for Active Directory accounts.
- Type the Password and confirm it. Note: Default settings for the User name attribute, Group name attribute, and Unique ID attribute are provided automatically.
- Click Test Connection to ensure that the connection to the server works, then click Save. Note: Fields with * mark are mandatory.
Configuring automation task for LDAP synchronization (this section is taken directly from the product readme)
You can create many tasks that run at scheduled intervals to manage the McAfee ePO server and endpoint software. This is the procedure for creating the server task.
- Log on to the McAfee ePO server as an administrator.
- Click Menu | Automation | Server Tasks. The Server Tasks page opens.
- Click Actions | New Task. The Server Task Builder wizard opens.
- On the Description page, name the task, type some notes about the task, and choose whether it is enabled, then click Next. The Actions page appears.
- From the Actions ;drop-down list, select EE LDAP Server User/Group Synchronization and accept the default values.
Note: If you are not using SmartCards, it is a best practice to delete the contents of the User Certificate field (leave it blank).
- Click Next. The Schedule page appears.
- Schedule the task, then click Next. The Summary page appears.
- Review the task details, then click Save.
Configure EEPC Product Settings Policy
This policy controls the behavior of the EEPC agent. It contains things like the policy for enabling encryption, enabling automatic booting, and controlling the theme for the pre-boot environment. In McAfee ePO go to Menu | Policy | Policy Catalog. Then choose Endpoint Encryption from the Product drop-down list. Then choose Product Settings from the Category drop-down list. Locate the My Default policy and click Edit Settings.
Recommended Product Settings
- General Tab
- Enable the policy (check the box)
- Disable Endpoint Encryption Go activation dependency (do not check the box)
- This is a great feature for production deployments, but adds time and complexity in test environments. Only use this option if you are familiar with the EE Go tests and know how to use EE Go.
- Allow Temporary Automatic Booting (check the box)
- Disable expiring users who do not login (do not check the box)
- Allow users to create endpoint info file (check the box)
- Encryption Tab
- Encrypt: All Disks
- Encryption Provider Priority: PC Software
- LogOn Tab
- Enable Automatic Booting: disabled (leave unchecked) Note: if you enable this feature, you will not see the pre-boot authentication. We refer to this as autoboot mode.
- Log on Message: Put your organization's legal disclaimer here. Tip: for a pilot phase, put your admin or helpdesk phone number here.
- Do not display previous user name at log on: enable
- Always display on screen keyboard: disable
- Add local domain users: enable - this is the option that automatically provisions the Windows users (currently logged in and all cached profiles) as valid pre-boot accounts. Select the option to add all previous and current local domain users of the system.
- Enable accessibility: disable
- Disable pre-boot authentication when not synchronized: disable
- Read username from smartcard: disable
- Note: For test environments I assume that you are using password authentication and not smartcards.
- Enable SSO: enable
- Must match user name: enable
- Using smart card PIN: disable
- Synchronize Endpoint Encryption Password with Windows: enable
- Allow user to cancel SSO: disable
- Lock workstation when inactive: disable
- Recovery Tab
- Enabled: enable
- Key size: low
- Message: put your helpdesk phone number here, or instruct the user to use the self recovery option
- Allow users to re-enroll self-recovery information at PBA: disable
- Boot Options Tab
- Enable Boot Manager: disable
- Always enable pre-boot USB support: disable
- Always enable pre-boot PCMCIA support: disable
- Graphics mode: automatic
- Theme Tab: keep the default
- Out-of-Band Tab
- Eanble at PBA: enable
Note: Out-of-Band use cases require Intel AMT hardware and McAfee ePO Deep Command 1.5. Additional considerations are discussed below.
- Encryption Providers Tab
- User compatible MBR: disable
- Fix OS boot record sides: disable
- Use Windows system drive as boot drive: disable
- Enable Pre-Boot Smart Check: disable
- This is a great feature for production deployments, but adds time and complexity in test environments. Only use this option if you are familiar with Pre-Boot Smart Check and know how to use Pre-Boot Smart Check.
Configure EEPC User Based Policy (UBP) Settings
This policy controls the parameters for EEPC user accounts. It contains things like the policy for selecting a token type (password, smartcard, biometric, etc.), and password content rules. In McAfee ePO go to Menu | Policy | Policy Catalog. Then choose Endpoint Encryption from the Product drop-down list. Then choose User Based Policies from the Category drop-down list. Locate the My Default policy and click Edit Settings.
Recommended User-Based Policy Settings
- Authentication Tab
- Token type: password only
- Certificate rule: N/A
- Logon hours: disable
- Password Tab
- Change default password: disable - this leaves the default password as 12345 for all new users
- Do not prompt for default password: enable - this prevents the end user from having to remember and enter the default 12345 password. Instead they will simply be prompted to create a new password the first time they see the pre-boot authentication screen.
- Password Change - disable all of these since we are using SSO and don't want to cause conflict with Windows password requirements
- Enable Password history: disable
- Prevent change: disable
- Require change every: disable
- Incorrect Passwords
- Timeout password entry after X attempts: disable
- Invalidate password after 10 attempts: enable
- Password Content Rules Tab
- Password length: use default
- Enforce password content: use default
- Password content restrictions: use default
- Self Recovery
- Enable self recovery: enable
- Invalidate self recovery after No. of invalid attempts: enable, set to 10
- Questions to be answered: 3
- Logons before forcing user to set answers: 0
- Questions: use default
Add Group Users
Group Users are EEPC user accounts that will be provisioned to every encrypted machine. These are meant as admin accounts that can be used for troubleshooting or support. In this example, they are essentially back door accounts that can log in to any system that you encrypt. For production, we would not recommend having back door accounts but it tends to make things easier during an evaluation or proof of concept.
This is the procedure for adding Group Users.
- Go to Menu | Data Protection | Endpoint Encryption Users.
- Select the My Organization level from the system tree in the left pane.
- Click on the Group Users tab, the list will be blank.
- Click on Actions | Endpoint Encryption | Add Users.
- You can now add individual users, groups of users, or all the users in an OU. Typically, you only want to select one or two accounts for this role.
- Select the gray button in the first row; this will allow you to add individual users.
- You are now browsing the Active Directory structure that we added by registering the AD server earlier.
- Browse AD for your account and check the box next to it. Do this again for any other accounts that you want to have pre-boot access to all of your encrypted systems. Then click OK.
- Click OK again to proceed.
- Your Group Users list should now show the accounts you selected.
Note: If you choose to add a group or an OU, you will not see the individual user names. Instead, you will see the DN of the group or OU.
Note: All EEPC user accounts, even Group User, accounts get assigned the default password upon creation. You will have to use 12345 the first time you login with these accounts.
The deployment task will push both the Endpoint Encryption Agent and the EEPC v7 component to the selected systems. The install is silent, but the user will be prompted to reboot when the install is complete.
- End user sees message to reboot.
- System reboots (you will not yet see pre-boot authentication because the EEPC software is not yet active).
- The McAfee system tray icon will have a new option called Quick Settings and a sub-option Show Endpoint Encryption Status.
- The status will show Inactive until the agent syncs with the McAfee ePO server. This is referred to as an ASCI event. It can be manually triggered on the endpoint by opening the McAfee Agent Status Monitoring and clicking Collect and Send Props. It can also be triggered from the server by doing an agent wake up call. Finally, you can simply wait for the scheduled ASCI event (the default is 60 minutes).
- After an ASCI, the status will switch to Active and encryption will start. Encryption will not start until this sync is complete. This ensures the keys are backed up in McAfee ePO so they can be used for recovery.
- The user can continue working during encryption. They will notice a performance impact similar to that of a scheduled, on-demand virus scan. Once the entire disk is encrypted, the technology will be completely transparent to the end user.
- It is safe to reboot during encryption.
- When the user reboots, they will see the pre-boot authentication screen.
- They should login with their windows username and they will then be prompted to create a password for the pre-boot authentication. We expect that most users will enter their current windows password, but any password that meets the complexity requirements will be accepted.
- The user will then be prompted to register their self-recovery answers.
- The system then boots to Windows. This first boot also establishes SSO. On future reboots, the user will only have to login to the pre-boot environment, then the McAfee software will auto-login to Windows for the user (this is SSO).
Use McAfee ePO to Report Encryption Status
McAfee ePO provides all the management and reporting tools for EEPC.
Procedure 1 - Check the status of a disk on a single system. This is useful for incident response situations, where you simply have to prove that a "missing" laptop was fully encrypted.
- In McAfee ePO, go to System Tree.
- Click on name of system.
- Read properties, verify that Endpoint Encryption for PC is listed under installed products.
- Scroll down to see the summary information for Endpoint Encryption. This screen lists the state of the software (active/inactive), the encryption provider, and the algorithm.
- Click the more button to get further details, this reveals two more tabs: Properties and Disks.
- The Properties tab shows the same information as the summary info seen on the previous screen.
Procedure 2 - Track the progress of your deployment or determine the number of encrypted systems
- In McAfee ePO, go to Menu | Reporting | Queries.
- Expand the Shared Groups list.
- Select Endpoint Encryption.
- Run the first query in the list: EE Disk Status.
Note: This reports the crypt state for all disks on systems that have the EE Agent installed. If you want to find systems that don't have the EE Agent installed, simply run the EE Encryption Provider query.