The McAfee Agent Policies

The McAfee Agent is the distributed component of McAfee ePolicy Orchestrator (McAfee ePO). It downloads and enforces policies, and executes client-side tasks such as deployment and updating. It also installs and updates the endpoint products, applies your endpoint policies, collects event information and sends it to the McAfee ePO server at intervals, and provides additional data regarding each system’s status. The Agent must be installed on each system in your network that you wish to manage; McAfee ePO cannot manage a system unless the McAfee Agent is installed on it.

Install Requirements
Read the introduction to McAfee ePO before proceeding with these instructions.

Assigning a McAfee Agent Policy Globally

The following policy allows for remote viewing of the McAfee Agent log via browser and increases the Agent to Server Communication Interval (ASCI) from the default of 60 minutes to 120 minutes.

One reason to modify the Agent to Server Communication Interval on a group of systems might be to lessen the impact on already taxed WAN connections to remote sites, or simply because you are managing many thousands of systems. For more information on the McAfee Agent, see the Quick Tips video Controlling Agent Communication.

  1. Click the System Tree button on the favorites bar.
  2. Highlight My Organization.
  3. Click the Assigned Policies tab.
    1. From the Product drop-down menu, select McAfee Agent.
    2. On the line that lists General, click Edit Assignment.
    3. For Inherit from, select Break inheritance and assign the policy and settings below.
    4. From the Assigned Policy drop-down menu, select POC – General.
    5. Click Save. The policy is now assigned to that group and all its subgroups.

Note: To view the McAfee Agent log on a remote system, type the following in your web browser: http://<computer_name_or_IP_address>:8081 where 8081 is the default port for the Agent Wake Up Call. If you changed this port number during McAfee ePO installation, use the port you specified. This can be very useful when you need to view the log for a system on the other side of the country. You can test this function after deploying the Agent.
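A post-deployment check for the note above, as an added example (not part of the original page or of McAfee's tooling): it reports which of your systems accept a connection on the Agent Wake Up port and answer an HTTP request for the log URL, which confirms the policy took effect and shows where the log is reachable over plain HTTP. The host names are constructed placeholders; set $Port to your own value if you changed it during McAfee ePO installation.

```powershell
# Added example: audit the remote agent-log endpoint on managed systems.
$Systems   = @('TESTPC01', 'TESTPC02')  # constructed sample names, replace with your own
$Port      = 8081                       # default Agent Wake Up port named on this page
$TimeoutMs = 3000                       # assumption: 3 s is enough for a LAN/WAN connect

function Test-AgentLogEndpoint {
    param([string]$Name, [int]$Port, [int]$TimeoutMs)

    # TCP connect with a bounded wait so unreachable hosts do not stall the run.
    $client = New-Object System.Net.Sockets.TcpClient
    $open = $false
    try     { $open = $client.ConnectAsync($Name, $Port).Wait($TimeoutMs) }
    catch   { $open = $false }
    finally { $client.Close() }

    # Only request the log URL when the port actually accepted the connection.
    $status = $null
    if ($open) {
        $url = 'http://{0}:{1}/' -f $Name, $Port
        try {
            $resp   = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
            $status = [int]$resp.StatusCode
        } catch {
            # Non-2xx answers raise an exception; keep the status code if one came back.
            if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        }
    }

    [pscustomobject]@{
        ComputerName = $Name
        Port         = $Port
        PortOpen     = $open
        HttpStatus   = $status
    }
}

$Systems |
    ForEach-Object { Test-AgentLogEndpoint -Name $_ -Port $Port -TimeoutMs $TimeoutMs } |
    Format-Table -AutoSize
```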

Deploy the McAfee Agent
Before deploying the McAfee Agent, you should verify both communication between the server and systems, and access to the default Admin$ share directory on the client. If your test systems are not part of a domain, you can simply copy Framepkg.exe to your client systems and execute it locally when we reach that step. Framepkg.exe is located on the McAfee ePO server in one of the following directories:

C:\Program Files\McAfee\ePolicyOrchestrator\DB\Software\Current\EPOAGENT3000\Install\0409 or
C:\Program Files (x86)\McAfee\ePolicyOrchestrator\DB\Software\Current\EPOAGENT3000\Install\0409

  1. Check that you can ping client systems by name. This demonstrates that the server can resolve client names to an IP address.
  2. Assuming an Active Directory domain, check for remote access to the default Admin$ share on the client systems:

    From the McAfee ePO server click Start | Run, then type \\computer-name\admin$, where computer-name is the NetBIOS name of one of the client systems. If the systems are properly connected over the network, your credentials have sufficient rights, and the Admin$ shared folder is present, a Windows Explorer dialog box opens.

  3. If an active firewall is running on any client systems, you may need to create an exception for Framepkg.exe. Alternatively, you can disable the client firewall temporarily.
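The checks above as one script, as an added example (not part of the original page or of McAfee's tooling): run it in PowerShell on the McAfee ePO server under the account you will use for the push. The client names are constructed placeholders; the Framepkg.exe directories are the two listed on this page.

```powershell
# Added example: pre-deployment readiness check for the McAfee Agent push.
$Clients = @('TESTPC01', 'TESTPC02')    # constructed sample NetBIOS names

# Framepkg.exe locations named on this page.
$FramepkgDirs = @(
    'C:\Program Files\McAfee\ePolicyOrchestrator\DB\Software\Current\EPOAGENT3000\Install\0409',
    'C:\Program Files (x86)\McAfee\ePolicyOrchestrator\DB\Software\Current\EPOAGENT3000\Install\0409'
)

function Test-AgentPushReadiness {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Step 1: the server must resolve the client name, then reach it with ping.
    $addresses = @()
    try { $addresses = [System.Net.Dns]::GetHostAddresses($ComputerName) } catch { }
    $resolves = $addresses.Count -gt 0
    $pings = $false
    if ($resolves) {
        $pings = [bool](Test-Connection -ComputerName $ComputerName -Count 1 -Quiet)
    }

    # Step 2: Admin$ must be reachable with the credentials this session runs under.
    $shareOk = $false
    if ($resolves) {
        $adminShare = '\\{0}\admin$' -f $ComputerName
        $shareOk = [bool](Test-Path -LiteralPath $adminShare -ErrorAction SilentlyContinue)
    }

    [pscustomobject]@{
        ComputerName = $ComputerName
        Resolves     = $resolves
        Pings        = $pings
        AdminShare   = $shareOk
        ReadyForPush = $resolves -and $shareOk
    }
}

# Locate the installer for systems that need a local install instead of a push.
$framepkg = $FramepkgDirs | ForEach-Object { Join-Path $_ 'Framepkg.exe' } |
    Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if ($framepkg) { "Framepkg.exe found: $framepkg" }
else           { 'Framepkg.exe not found in the listed directories' }

$Clients | ForEach-Object { Test-AgentPushReadiness -ComputerName $_ } | Format-Table -AutoSize
```

A system that resolves but fails the ping or Admin$ check is the one to look at for the firewall exception in step 3.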

Deploying the McAfee Agent
As previously mentioned, a Windows domain is not a requirement to use McAfee ePO, but there are certain advantages when it is used in the context of a domain. One of those is the push installation of the management agent, known as the McAfee Agent. McAfee ePO pushes this installer to the Admin$ share on your test systems and installs it with the Domain Admin credentials you specify. In fact, this is the only installation that uses a push method. Once the Agent is installed, clients will pull the various endpoint protection components for installation.

It is assumed you have a limited number of test systems (under 50), so we will push the Agent to all the machines in the System Tree.

  1. Click the System Tree button on the favorites bar.
  2. Highlight the My Organization group.
  3. Click the Systems tab.
  4. Change the Preset drop-down to This Group and All Subgroups to view all the systems.
  5. Check the box next to the column heading System Name. This selects all the systems.
  6. Click Actions | Agent | Deploy Agents.
  7. For Credentials for agent installation, type credentials that have rights to install software on client systems, such as a Domain Administrator account (domain\administrator), and click OK. If desired, you can select the option Remember my credentials for future deployments.
  8. The Server Task Log appears showing the status of the Agent push. It will take a few minutes for the McAfee Agent to install and for client systems to retrieve and execute the installation packages for the endpoint products. When first installed, the Agent determines a random time up to 10 minutes before its initial communication to the McAfee ePO server to retrieve policies and tasks.

Note: You can drag and drop commonly used items from the Actions button onto the taskbar at the bottom of the McAfee ePO interface, as shown in the following figure.

Verifying Agent Communication with ePolicy Orchestrator
Once the initial agent-server communication has occurred, the agent polls the server once every 60 minutes by default. This is known as the Agent to Server Communication Interval or ASCI. Earlier we applied a policy that changed that interval to 120 minutes. At each interval the Agent polls McAfee ePO to upload client events and retrieve any policy or task changes, or new installation instructions.

With an ASCI of 120 minutes, an agent that polled the server 30 minutes ago will not pick up any new policies for another 90 minutes. However, you can always force systems to poll the server with an Agent Wake Up Call. The Wake Up Call is useful when you need to force a policy change sooner than the next communication would occur. It can also be used to force clients to run tasks on demand, such as an immediate update or scan.

Sending an Agent Wake Up Call
Send a Wake Up Call to force polling by clients that have not yet communicated with the McAfee ePO server.

  1. Click the System Tree button on the favorites bar.
  2. Highlight the My Organization group.
  3. Click the Systems tab.
  4. Change the Preset drop-down to This Group and All Subgroups to view all the systems.
  5. If the IP addresses and user names are listed, the agent on the client system is communicating with the server.
  6. If five to ten minutes pass and systems do not display an IP address and user name, select all systems, click Actions | Agent | Wake Up Agents, and click OK.
  7. You may need to click the Refresh button in the McAfee ePO console to view the status change for your systems.

Note: If sending a Wake Up Call fails to populate the client’s IP address and user name, other environmental factors might be preventing the initial agent deployment. If this happens, simply copy the agent installer, Framepkg.exe, located on the ePolicy Orchestrator server, and run it locally on your test systems. Verify that a host or network firewall is not blocking agent communication to the server. There are many additional ways to deploy the McAfee Agent, such as login scripts or third-party deployment tools. See the ePolicy Orchestrator Product Guide for additional information.