McAfee Endpoint Encryption provides superior encryption across a variety of endpoints such as desktops and laptops. The Endpoint Encryption solution uses strong access control with Pre-Boot Authentication (PBA) and a NIST-approved algorithm to encrypt data on endpoints. Encryption and decryption are completely transparent to the end user and performed without hindering system performance. Administrators can easily implement and enforce security policies that control how sensitive data is encrypted. These policies allow the administrators to monitor real-time events and generate reports to demonstrate compliance with internal and regulatory requirements.
Endpoint Encryption has an advantage over competing encryption products because encryption is engaged before the Windows or Mac operating system loads, while the data is still at rest.
Trial Installation Requirements
During the installation of this McAfee endpoint suite, the Endpoint Encryption for PC client and associated management files were checked into your McAfee ePO server. A deployment task was automatically created for you as well. Note that after deployment of Endpoint Encryption, a reboot is required.
- Consider the additional requirements for the pre-boot network stack.
Before you begin
Registering Windows Active Directory (this section is taken directly from the product readme)
Use this option to register a Windows Active Directory. You must have a registered AD to use Policy Assignment Rules, to enable dynamically assigned permission sets, and to enable automatic user account creation.
This is the procedure for registering a Windows Active Directory.
- Log on to the McAfee ePO server as an administrator.
- Click Menu | Configuration | Registered Servers, then click New Server. The Registered Server Builder wizard opens.
- From the Server type drop-down list on the Description page, select LDAP Server, specify a unique name (a user-friendly name) and any details, then click Next. The Details page appears.
- Type the Server name. Note: The Server name is the name or IP address of the system where the Windows Active Directory is present.
- Type the User name. Note: User name should be of the format: domain\Username for Active Directory accounts.
- Type the Password and confirm it. Note: Default settings for the User name attribute, Group name attribute, and Unique ID attribute are provided automatically.
- Click Test Connection to ensure that the connection to the server works, then click Save. Note: Fields marked with * are mandatory.
Configuring automation task for LDAP synchronization (this section is taken directly from the product readme)
You can create many tasks that run at scheduled intervals to manage the McAfee ePO server and endpoint software. This is the procedure for creating the server task.
- Log on to the McAfee ePO server as an administrator.
- Click Menu | Automation | Server Tasks. The Server Tasks page opens.
- Click Actions | New Task. The Server Task Builder wizard opens.
- On the Description page, name the task, type some notes about the task, and choose whether it is enabled, then click Next. The Actions page appears.
- From the Actions drop-down list, select EE LDAP Server User/Group Synchronization and accept the default values.
Note: If you are not using SmartCards, it is a best practice to delete the contents of the User Certificate field (leave it blank).
- Click Next. The Schedule page appears.
- Schedule the task, then click Next. The Summary page appears.
- Review the task details, then click Save.
Configure EEPC Product Settings Policy
This policy controls the behavior of the EEPC agent. It contains things like the policy for enabling encryption, enabling automatic booting, and controlling the theme for the pre-boot environment. In McAfee ePO go to Menu | Policy | Policy Catalog. Then choose Endpoint Encryption from the Product drop-down list. Then choose Product Settings from the Category drop-down list. Locate the My Default policy and click Edit Settings.
Recommended Product Settings
- Encryption Tab
- Theme Tab: keep the default
- Encryption Providers Tab
- Pre-Boot Smart Check: a great feature for production deployments, but it adds time and complexity in a test environment. Enable this option only if you are familiar with Pre-Boot Smart Check and know how to use it.
Configure EEPC User Based Policy (UBP) Settings
This policy controls the parameters for EEPC user accounts. It contains things like the policy for selecting a token type (password, smartcard, biometric, etc.), and password content rules. In McAfee ePO go to Menu | Policy | Policy Catalog. Then choose Endpoint Encryption from the Product drop-down list. Then choose User Based Policies from the Category drop-down list. Locate the My Default policy and click Edit Settings.
Recommended User-Based Policy Settings
- Authentication Tab
- Password Tab
- Password Content Rules Tab
- Self Recovery
Add Group Users
Group Users are EEPC user accounts that will be provisioned to every encrypted machine. These are meant as admin accounts that can be used for troubleshooting or support. In this example, they are essentially back door accounts that can log in to any system that you encrypt. For production, we would not recommend having back door accounts but it tends to make things easier during an evaluation or proof of concept.
This is the procedure for adding Group Users.
- Go to Menu | Data Protection | Endpoint Encryption Users.
- Select the My Organization level from the system tree in the left pane.
- Click on the Group Users tab; the list will be blank.
- Click on Actions | Endpoint Encryption | Add Users.
- You can now add individual users, groups of users, or all the users in an OU. Typically, you only want to select one or two accounts for this role.
- Select the gray button in the first row; this will allow you to add individual users.
- You are now browsing the Active Directory structure that we added by registering the AD server earlier.
- Browse AD for your account and check the box next to it. Do this again for any other accounts that you want to have pre-boot access to all of your encrypted systems. Then click OK.
- Click OK again to proceed.
- Your Group Users list should now show the accounts you selected.
Note: If you choose to add a group or an OU, you will not see the individual user names. Instead, you will see the DN of the group or OU.
Note: All EEPC user accounts, even Group User accounts, are assigned the default password upon creation. You will have to use 12345 the first time you log in with these accounts.
The deployment task will push both the Endpoint Encryption Agent and the EEPC v7 component to the selected systems. The install is silent, but the user will be prompted to reboot when the install is complete.
- End user sees message to reboot.
- System reboots (you will not yet see pre-boot authentication because the EEPC software is not yet active).
- The McAfee system tray icon will have a new option called Quick Settings and a sub-option Show Endpoint Encryption Status.
- The status will show Inactive until the agent syncs with the McAfee ePO server. This is referred to as an ASCI (agent-to-server communication interval) event. It can be manually triggered on the endpoint by opening McAfee Agent Status Monitoring and clicking Collect and Send Props. It can also be triggered from the server with an agent wake-up call. Finally, you can simply wait for the scheduled ASCI event (the default is 60 minutes).
- After an ASCI, the status will switch to Active and encryption will start. Encryption will not start until this sync is complete. This ensures the keys are backed up in McAfee ePO so they can be used for recovery.
- The user can continue working during encryption. They will notice a performance impact similar to that of a scheduled, on-demand virus scan. Once the entire disk is encrypted, the technology will be completely transparent to the end user.
- It is safe to reboot during encryption.
- When the user reboots, they will see the pre-boot authentication screen.
- They should log in with their Windows username and will then be prompted to create a password for pre-boot authentication. We expect that most users will enter their current Windows password, but any password that meets the complexity requirements will be accepted.
- The user will then be prompted to register their self-recovery answers.
- The system then boots to Windows. This first boot also establishes SSO. On future reboots, the user will only have to log in to the pre-boot environment, and the McAfee software will then auto-login to Windows for the user (this is SSO).
Use McAfee ePO to Report Encryption Status
McAfee ePO provides all the management and reporting tools for EEPC.
Procedure 1 - Check the status of a disk on a single system. This is useful for incident response situations, where you simply have to prove that a "missing" laptop was fully encrypted.
- In McAfee ePO, go to System Tree.
- Click on the name of the system.
- Read properties, verify that Endpoint Encryption for PC is listed under installed products.
- Scroll down to see the summary information for Endpoint Encryption. This screen lists the state of the software (active/inactive), the encryption provider, and the algorithm.
- Click the more button to get further details; this reveals two more tabs: Properties and Disks.
- The Properties tab shows the same information as the summary info seen on the previous screen.
Procedure 2 - Track the progress of your deployment or determine the number of encrypted systems
- In McAfee ePO, go to Menu | Reporting | Queries.
- Expand the Shared Groups list.
- Select Endpoint Encryption.
- Run the first query in the list: EE Disk Status.
Note: This reports the crypt state for all disks on systems that have the EE Agent installed. If you want to find systems that don't have the EE Agent installed, simply run the EE Encryption Provider query.
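Procedure 2 gives a point-in-time view in the console. The script below is an added example (not part of this guide or the product) that pulls the same EE Disk Status query through the ePO Web API and tallies the crypt states so the snapshot can be kept as compliance evidence; the server URL is a placeholder, and the "OK:" reply prefix, the core.listQueries field names and the result column names are assumptions to confirm against your own ePO output.

```python
import base64
import json
import urllib.parse
import urllib.request
from collections import Counter

EPO_URL = "https://epo.example.internal:8443"  # placeholder host

def parse_epo_response(body):
    """A successful Web API reply starts with 'OK:' on its own line;
    anything else is an error text and is raised as-is (assumed format)."""
    status, _, payload = body.partition("\n")
    if status.strip() != "OK:":
        raise RuntimeError(body.strip())
    return json.loads(payload)

def epo_call(command, params, user, password):
    """Run one Web API command (e.g. core.listQueries) with JSON output.
    TLS stays verified: trust the ePO certificate, do not disable checks."""
    query = urllib.parse.urlencode({**params, ":output": "json"})
    req = urllib.request.Request(f"{EPO_URL}/remote/{command}?{query}")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req) as resp:
        return parse_epo_response(resp.read().decode())

def find_query_id(queries, name="EE Disk Status"):
    """Query id by display name from core.listQueries ('id'/'name' keys assumed)."""
    for q in queries:
        if q.get("name") == name:
            return q["id"]
    raise LookupError(f"query not found: {name}")

def summarize_disk_status(rows, system_col="EPOLeafNode.NodeName",
                          state_col="CryptState"):
    """Tally disks per crypt state and list systems with any disk not yet
    'Encrypted'. Column names are assumptions; check real query output."""
    counts = Counter(row.get(state_col, "Unknown") for row in rows)
    pending = sorted({row[system_col] for row in rows
                      if row.get(state_col) != "Encrypted"})
    return dict(counts), pending

SAMPLE_ROWS = [  # constructed, not real query output; LAPTOP-03 has two disks
    {"EPOLeafNode.NodeName": "LAPTOP-01", "CryptState": "Encrypted"},
    {"EPOLeafNode.NodeName": "LAPTOP-02", "CryptState": "Encrypting"},
    {"EPOLeafNode.NodeName": "LAPTOP-03", "CryptState": "Encrypted"},
    {"EPOLeafNode.NodeName": "LAPTOP-03", "CryptState": "Not Encrypted"},
]
# Live use: qid = find_query_id(epo_call("core.listQueries", {}, USER, PW))
#           rows = epo_call("core.executeQuery", {"queryId": qid}, USER, PW)
```

A system with several disks is reported as pending if any one of them is not yet Encrypted, which matches the per-disk view the console query gives.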