McAfee Device Control Trial Installation & Walkthrough

McAfee Device Control protects your data from falling into the wrong hands via removable storage devices and media, such as USB drives, MP3 players, CDs, and DVDs. It enables you to specify and categorize which devices may or may not be used and enforce what data can and cannot be transferred to these devices — in the office, at home, or on the move. Device Control provides content- and context-aware, device-blocking capabilities such as:

  • Comprehensive device and data management — Control how users copy data to USB drives, iPods, recordable CDs and DVDs, Bluetooth and infrared devices, imaging equipment, COM and LPT ports, and more.

  • Granular controls — Specify which devices can and can’t be used, define what data can and can’t be copied onto allowed devices, and restrict users from copying data from specific locations and applications.

  • Centralized management — Centrally define, deploy, manage, and update security policies and agents throughout your enterprise. Set device and data policies by user, group, or department.

  • Advanced reporting and auditing capabilities — Support compliance with detailed user- and device-level logging. Gather details such as device, time stamp, and data evidence for prompt and proper audits.

To learn more about Device Control features, please download the data sheet.


Trial Installation Requirements

In an Active Directory domain, you can leverage user-based policies with Device Control. In Workgroup mode, only local-user or machine-based policies are possible. During the installation of this McAfee endpoint suite, the Device Control client and associated management files were checked into your ePO server, and a deployment task was automatically created for you as well. Note that a reboot is required after Device Control is deployed.


Use Cases

Post-Installation Configuration
The installer automatically checks McAfee Device Control into the ePolicy Orchestrator software repository; however, additional steps need to be taken to properly configure Device Control for use. The following steps take you through the installation of the McAfee DLP Management Tools.

Initializing the DLP Interface

  1. In the ePolicy Orchestrator console, select Menu | Data Protection | DLP Policy.
  2. The McAfee DLP Endpoint Management Tools installer runs and, after a brief delay, the DLP Management Tools Setup wizard appears. Depending on your browser settings, you may be prompted to install the ActiveX control.
  3. Click Install, then click Next on all defaults provided in the wizard, and then click Finish.
  4. Click OK on the dialog box that states “DLP Global Policy is Unavailable”.
  5. When a first-time initialization page appears, click Cancel. (If you clicked Next, just click Cancel at your earliest opportunity.)

Entering the License Key for Device Control
A license key for Device Control was provided as part of the download. The key is located in a file called McAfeeDC93LicenseKey.txt in the \PostInstall directory where you unzipped the installer. The following steps detail the process for entering the license key.

  1. On the McAfee DLP Endpoint policy console menu bar, select Help | Update License. The View and Update License window displays the current (default) activation key and expiration date.
  2. Click Update.
  3. Type or paste the Activation Key in the text box and click Apply. A warning that you must log on again for the change to take effect appears.
  4. Click OK to close the message box, and click Close to close the Update License window, then log off ePolicy Orchestrator.
  5. Log on to ePolicy Orchestrator to complete the upgrade.
  6. From the Agent Configuration menu, select Edit Global Agent Configuration.
  7. Go to the File Tracking tab and select Device Control and full content protection.
  8. Go to the Miscellaneous tab. By default only the Agent Popup service, Device Blocking, and Reporting Service modules are selected. Select any remaining modules you require to enable them, and click OK. Do not enable modules you don't use: they increase the McAfee DLP Endpoint agent size and slow its operation unnecessarily.
  9. On the Toolbar, click Apply in the upper left corner of the page. The policy changes are applied to ePolicy Orchestrator.
  10. In ePolicy Orchestrator, issue a wake-up call to deploy the policy change to the workstations.

Evidence and Whitelist Folders
Two folders must be created and shared, and their properties and security settings must be configured appropriately. The folders do not need to be on the same computer as ePolicy Orchestrator, but it is usually convenient to put them there. Create the following directory structure on the ePolicy Orchestrator server:

  • c:\dlp_resources\
  • c:\dlp_resources\evidence
  • c:\dlp_resources\whitelist

Configure the Share Names and Permissions
Configuration of the folders on Windows 2008 Server for Device Control requires specific security settings.

Configuring the Evidence Folder

  1. Right-click the evidence folder and select Properties.
  2. Select the Sharing tab, then click Advanced Sharing. Select the Share this folder checkbox.
  3. Modify the Share name to evidence$. NOTE: The $ ensures that the share is hidden.
  4. Click Permissions. With the default user name Everyone selected, allow Full Control, and then click OK.
  5. Select the Security tab, and then click Advanced.
  6. On the Permissions tab, click Change Permissions, and then deselect the Include inheritable permissions from the object's parent option.
  7. A confirmation message explains the effect this change will have on the folder. Click Remove. The Permissions tab on the Advanced Security Settings dialog box now shows all permissions eliminated.
  8. Click Add to select an object type.
  9. In the Enter the object name to select text box, type Domain Computers, then click OK. The Permission Entry dialog box is displayed.
  10. In the Allow column, select Create Files/Write Data and Create Folders/Append Data. Verify that the Apply to option says This folder, subfolders and files, then click OK. The Advanced Security Settings dialog box now includes Domain Computers.
  11. Click Add again to select an object type.
  12. In the Enter the object name to select text box, type Domain Admins (or another security group if desired), then click OK to display the Permission Entry dialog box.
  13. In the Allow column, select Create Files/Write Data and Create Folders/Append Data. Verify that the Apply to option says This folder, subfolders and files, then click OK. The Advanced Security Settings dialog box now includes Domain Admins.
  14. Click OK, and then Close on the remaining dialog boxes.

Configuring the Whitelist Folder

  1. Right-click the whitelist folder and select Properties.
  2. Select the Sharing tab, then click Advanced Sharing. Select the Share this folder checkbox.
  3. Modify the Share name to whitelist$, and click OK. NOTE: The $ ensures that the share is hidden.
  4. Click Permissions. With the default user name Everyone selected, allow Full Control, and then click OK.
  5. Select the Security tab, and then click Advanced.
  6. On the Permissions tab, click Change Permissions, and then deselect the Include inheritable permissions from the object's parent option.
  7. A confirmation message explains the effect this change will have on the folder. Click Remove. The Permissions tab on the Advanced Security Settings dialog box now shows all permissions eliminated.
  8. Click Add to select an object type.
  9. In the Enter the object name to select text box, type Domain Computers, then click OK. The Permission Entry dialog box is displayed.
  10. In the Allow column, select List Folder/Read Data. Verify that the Apply to option says This folder, subfolders and files, then click OK. The Advanced Security Settings dialog box now includes Domain Computers.
  11. Click Add again to select an object type.
  12. In the Enter the object name to select text box, type Domain Admins (or another security group if desired), then click OK to display the Permission Entry dialog box.
  13. In the Allow column, select Create Files/Write Data and Create Folders/Append Data. Verify that the Apply to option says This folder, subfolders and files, then click OK. The Advanced Security Settings dialog box now includes Domain Admins.
  14. Click OK, and then Close on the remaining dialog boxes.
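The evidence and whitelist folder, share, and NTFS permission steps above, as an added PowerShell script (not McAfee's code and not part of the original page); it uses net share and icacls rather than the newer SMB cmdlets so it also runs on Windows Server 2008. The domain NetBIOS name CONTOSO is a placeholder to replace, and the admin group is assumed to be Domain Admins as in the steps.

```powershell
# Added example: scripted equivalent of the GUI steps above (not McAfee's own code).
# Assumes the server is domain-joined; CONTOSO is a placeholder for your domain NetBIOS name.
$Domain    = 'CONTOSO'
$Root      = 'C:\dlp_resources'
$Endpoints = "$Domain\Domain Computers"   # DLP agents access the shares as the machine account
$Admins    = "$Domain\Domain Admins"      # or another security group of your choice

# Per-folder rights in icacls notation:
#   WD = Create Files/Write Data, AD = Create Folders/Append Data, RD = List Folder/Read Data
#   (OI)(CI) = "This folder, subfolders and files"
$Folders = @(
    @{ Name = 'evidence';  Share = 'evidence$';  EndpointRights = '(OI)(CI)(WD,AD)' }  # endpoints write only
    @{ Name = 'whitelist'; Share = 'whitelist$'; EndpointRights = '(OI)(CI)(RD)' }     # endpoints read only
)

foreach ($f in $Folders) {
    $path = Join-Path $Root $f.Name
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # Steps 2-4: hidden share ($ suffix) with Everyone = Full Control at the share level;
    # effective access is then governed only by the NTFS ACL set below.
    net share "$($f.Share)=$path" /GRANT:Everyone,FULL | Out-Null

    # Steps 5-7: stop inheriting and drop every inherited ACE (the "Remove" choice).
    icacls $path /inheritance:r | Out-Null

    # Steps 8-10: Domain Computers get only the rights each folder needs.
    icacls $path /grant "${Endpoints}:$($f.EndpointRights)" | Out-Null

    # Steps 11-13: the admin group gets write rights on both folders.
    icacls $path /grant "${Admins}:(OI)(CI)(WD,AD)" | Out-Null
}

# Show the resulting ACLs so they can be compared against the steps above.
foreach ($f in $Folders) { icacls (Join-Path $Root $f.Name) }
```

Run it from an elevated PowerShell prompt on the server that will host the folders. Endpoints end up with write-only access to evidence$ and read-only access to whitelist$, which is exactly what the two permission procedures above grant.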

Finalizing Configuration

  1. In the ePolicy Orchestrator console, select Menu | Data Protection | DLP Policy.
  2. Select Tools | Options and select the Whitelist tab. Update the field with the applicable whitelist share that was created. Click OK.
  3. Select Agent Configuration | Edit Global Agent Configuration and select the Evidence tab. Update the field with the applicable evidence share that was created. Click OK.
  4. Click Apply at the top left of the DLP Policy interface to save all settings.

NOTE: The Deployment task for your Workstations and Laptops groups already included Device Control, but it was deployed without a policy. You will need to create a policy in order to control permitted actions regarding removable devices such as USB drives, iPods, cameras, and other devices.