POC Installation Guide for McAfee EEFF v4.1.x using McAfee ePO 4.6. New Deployments Only. Windows Deployment

Table of Contents

1 Introduction

1.1 System requirements

1.2 High level process

1.3 Troubleshooting Considerations

2 Downloading software

2.1 Download ePolicy Orchestrator v4.6 & Documentation

2.2 Download McAfee Agent 4.6 & Documentation

2.3 Download McAfee EEFF 4.1

3 Installation of ePO Components

3.1 Check in the EEFF extension into ePO 4.6

3.2 Check in the EEFF client package into ePO 4.6

4 Registering Windows Active Directory

5 Using the Product Deployment task to deploy products to managed systems

6 Deploying EEFF to client machines

6.1 Via a Wake up agent Creating and scheduling client tasks

6.2 Perform following on the Endpoint System

6.3 Installing EEFF from the Endpoint System

7 User Case: Endpoint Encryption for Removable Media (EERM)

7.1 Creating a EEFF key for EERM recovery

7.2 EERM Policy Creation

7.3 Grant Key for EERM

7.4 Password Rules for EERM

7.5 Assign Policy via the System Tree

7.6 Enforce policy update via Agent Wake-Up

7.7 Using McAfee EERM

7.8 Use this task to initialize a removable media.

7.9 Recovery access to EERM

7.9.1 EERM Password Recovery via Pop GUI

7.9.2 EERM Password Recovery via McAfee Tray Icon

7.10 Moving an Encrypted file protected with EEFF key to EERM protected Device

7.11 Trouble Shooting tips for EERM

7.12 Check EERM reporting capabilities

7.12.1 Create a customized report “Top 10 removable media users”

8 User Case: Folder Encryption for Local Folders

8.1 Creating a key for all Enterprise Users

8.2 Creating Policy for Folder Encryption

8.3 Grant Key for Corp Key

8.4 Assigning Policy to Systems

8.5 Wake up agent to enforce policy update

9 User Case: Folder Encryption for HR Share

9.1 Wake up agent to enforce policy update

9.2 Using Folder Policy for Corp Users

10 User Driven Actions

10.1 Wake up agent to enforce policy update

10.2 Explicit Encryption

10.3 Explicit Decryption

10.4 Creation of Self Extractors

11 Conclusion

1 Introduction

This POC guide provides step-by-step instructions on how to download, install and use Endpoint Encryption for Files and Folders v4.1.x (EEFF 4). It covers three main areas: removable media encryption, folder policies for local and network encryption, and user-driven actions. This POC guide does not cover upgrading from version 3.x; for information on upgrading, refer to the Migration Guide (EEFF_4.0_Migration_Guide.pdf), which can be downloaded from the McAfee download site.

For additional detail, refer to the standard set of documents that can be downloaded from the McAfee site and to the Best Practices for McAfee Endpoint Encryption for Files and Folders v4.0 (EEFF 4). The links for these documents are referenced in Section 11 below.

This guide will cover the following user cases:

Endpoint Encryption for Removable Media (EERM)

Local Folder Encryption using Folder Encryption

Network Folder Encryption

User Driven Actions

Please be aware that the screenshots in this document may not reflect the latest available version of Endpoint Encryption for Files and Folders, but they are based on the functionality of Endpoint Encryption for Files and Folders 4.1 or higher.

1.1 System requirements

1.2 High level process

• Navigate to the product software download site and use temporary grant number to gain access.

• Download ePolicy Orchestrator v4.6

• Download McAfee Agent 4.6

• Install ePolicy Orchestrator v4.6

• Check EEFF extensions in to ePO 4.6

• Check EEFF packages in to ePO 4.6

• Register your Active Directory server

• Create ePO server task for Active Directory Sync

• Create client tasks to deploy the EEFF components

• Create EEFF Keys

• Create Policies

• Test for successful deployment and encryption on an endpoint

1.3 Troubleshooting Considerations

For the POC it is recommended to make the following changes on the endpoint systems, which will assist in using the dump files created by Windows operating systems.

Configure Dump files settings on endpoint systems

Windows XP

1 Select Control Panel | System | Advanced

2 Click the Settings button for Startup and Recovery

3 Deselect Automatically Restart under System Failure

4 Under “Write debugging information” (drop-down list), select “Kernel dump”.

Windows 7

1 Select Control Panel | System and Security | System

2 Select Advanced system settings (option on left)

3 Click the Settings button for Startup and Recovery.

4 Under the section Write debugging information, select Kernel dump.

5 Deselect Automatically Restart under System Failure. This ensures the endpoint system stops after the dump has been written and provides time to boot up into “Safe Mode”.

Obtaining Dump files

For additional information please refer to:

http://blogs.technet.com/b/askperf/archive/2008/01/08/understanding-crash-dump-files.aspx

This article also makes reference to a Microsoft KB:

http://support.microsoft.com/default.aspx?scid=kb%3bEN-US%3b244139
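
When several POC endpoints need the same dump configuration, the settings above can be audited and applied from a script instead of the Control Panel. The following PowerShell is an added example, not part of the McAfee guide; it assumes the standard Windows CrashControl registry values (CrashDumpEnabled, AutoReboot, DumpFile) and an elevated session, and the function names are hypothetical.

```powershell
# Added example (not from the McAfee guide): audit and apply the section 1.3
# dump settings through the Windows CrashControl registry key.
# Run in an elevated PowerShell session; function names are illustrative.

$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# Target state from the guide: kernel dump, no automatic restart.
$Desired = @{
    CrashDumpEnabled = 2   # 0 = none, 1 = complete, 2 = kernel, 3 = small
    AutoReboot       = 0   # 0 = do not restart automatically after a stop error
}

function Get-DumpSettingDrift {
    # Returns one object per value that differs from the target state.
    $current = Get-ItemProperty -Path $CrashControl
    foreach ($name in $Desired.Keys) {
        if ($current.$name -ne $Desired[$name]) {
            New-Object PSObject -Property @{
                Setting = $name
                Actual  = $current.$name
                Desired = $Desired[$name]
            }
        }
    }
}

function Set-DumpSetting {
    # Writes the target values as REG_DWORD.
    foreach ($name in $Desired.Keys) {
        Set-ItemProperty -Path $CrashControl -Name $name `
            -Value $Desired[$name] -Type DWord
    }
}

$drift = @(Get-DumpSettingDrift)
if ($drift.Count -eq 0) {
    Write-Output 'Dump settings already match the guide.'
} else {
    # Show what is about to change, then apply the target state.
    $drift | Format-Table Setting, Actual, Desired -AutoSize
    Set-DumpSetting
    Write-Output 'Settings written; restart the endpoint for them to take effect.'
}

# Report where Windows will write the dump so it can be collected later.
(Get-ItemProperty -Path $CrashControl).DumpFile
```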

2 Downloading software

Upon receiving your grant number, access the software download portal at the following link.

https://secure.mcafee.com/apps/downloads/my-products/login.aspx?region=us

2.1 Download ePolicy Orchestrator v4.6 & Documentation

Download ePO 4.6 (minimum Patch 2 or higher)

2.2 Download McAfee Agent 4.6 & Documentation

Download McAfee Agent 4.6

2.3 Download McAfee EEFF 4.1

3 Installation of ePO Components

This POC guide assumes you have already installed McAfee ePO 4.6 and the McAfee Agent on the system. If this has not been done, please refer to the McAfee ePO product and installation documents.

The following files should have been downloaded during section 2 above. If you are missing any of them, please revisit the download section.

EEFF software files

Before you begin

• Make sure you have the appropriate rights to modify the server settings, permission sets, users, and registered servers.

• Ensure your ePO server version is at 4.6 with Patch 2 or higher

• Ensure your McAfee Agent version is at least McAfee Agent 4.6 or higher

• Note the hostname or IP address of an Active Directory Domain Controller / AD Server

• Read the readme for known issues and other important information

• Consider engaging McAfee professional services to assist in your production installation

The files required for the extensions are:

1. EEFF-extension-4.1.0.577.zip

2. MfeEEFF_Client_4.1.0.577.zip

3. help_eeff_410.zip (optional, but recommended)

3.1 Check in the EEFF extension into ePO 4.6

1 Log on to the ePolicy Orchestrator server as an administrator.

2 Click Menu | Software | Extensions | Install Extension. The Install Extension dialog box appears.

5 Click Install Extension

6 Click Browse and select the extension file (help_eeff_410.zip)

7 Click OK

The Install Extension page appears with the extension name and version details.

3.2 Check in the EEFF client package into ePO 4.6

1 Log on to the ePolicy Orchestrator server as an administrator.

2 Click Menu | Software | Master Repository

3 Click Actions | Check In Package. The Check In Package wizard opens.

4 Select Product or Update (.ZIP) from the Package type list, then browse to and select the package file (MfeEEFF_Client_4.1.0.577).

5 Click Next. The Package Options page appears.

6 Click Save to begin checking in the package. Wait while the package is checked in.

4 Registering Windows Active Directory

Use this option to register a Windows Active Directory. You must have a registered LDAP server to use Policy Assignment Rules, to enable dynamically assigned permission sets, and to enable automatic and manual user account assignment.

Before you begin

Make sure you have the appropriate rights to modify the server settings, permission sets, users, and registered servers.

Note!

As no changes are made to the AD schema, a read-only account can be used. For the POC an individual account can be used; for production a service account is recommended.

Task

For option definitions, click ? in the interface.

1 Log on to the ePolicy Orchestrator server as an administrator.

2 Click Menu | Configuration | Registered Servers, then click New Server. The Registered Server Builder wizard opens.

3 From the Server type drop-down list on the Description page, select LDAP Server, specify a unique name (a user-friendly name) and any details, then click Next. The Details page appears.

4 Select Active Directory from LDAP server type, then type the Domain name or the Server name.

Note!

Use a DNS-style domain name. When using a DNS-style domain name, ensure that the McAfee ePO system is configured with appropriate DNS settings and can resolve the DNS-style domain name of the Active Directory. The Server name is the name or IP address of the system where the Windows Active Directory is present.

5 Type the User name.

Note!

The User name should be of the format domain\Username for Active Directory accounts.

6 Type the Password and confirm it.

5 Using the Product Deployment task to deploy products to managed systems

Use these tasks to deploy products to managed systems with the Product Deployment client task. ePolicy Orchestrator allows you to create this task for a single system, or for groups of the System Tree.

Task

For option definitions, click ? in the interface.

1 Click Menu | Policy | Client Task Catalog, select McAfee Agent | Product Deployment as Client Task Types, then click Actions | New Task. The New Task dialog box appears.

2 Ensure that Product Deployment is selected, then click OK.

3 Type a name for the task you are creating and add any notes.

5 Next to Products and components set the following:

Products and components: Endpoint Encryption for Files and Folders 4.1.0

Action: Install

Language: Language Neutral

Branch: Current

6 Click Save.

7 Click Menu | Systems | System Tree | Assigned Client Tasks, then select the required group in the System Tree (TORENC).

8 Click Actions | New Client Task Assignment. The Client Task Assignment Builder wizard appears.

10 Next to Tags, select the desired platforms to which you are deploying the packages, then click Next.

6 Deploying EEFF to client machines

There are two methods to deploy EEFF to the endpoint system: through ePO or directly from the endpoint system.

6.1 Via a Wake up agent Creating and scheduling client tasks

Task

For option definitions, click ? in the interface.

1 Click Menu | Systems | System Tree | Systems, select the desired group in the System Tree, then click on the machine

2 Select system (Win701)

4 Select Force complete policy and task update

5 Click OK

6 Check the Agent status monitor on the endpoint system

6.2 Perform following on the Endpoint System

1 Right click McAfee Shield

2 Select McAfee Agent Status Monitor

3 When prompted, reboot the system

The reboot is required for EEFF to enable the kernel-level driver. When the machine has rebooted, perform the following to confirm the installation:

6 The following will be displayed, confirming McAfee Endpoint Encryption for Files and Folders 4.1 has been installed

6 Click OK

6.3 Installing EEFF from the Endpoint System

1 Right click McAfee Shield

2 Select McAfee Agent Status Monitor

4 When prompted, reboot the system

The reboot is required for EEFF to enable the kernel-level driver. When the machine has rebooted, perform the following to confirm the installation:

5 Click About

6 The following will be displayed, confirming McAfee Endpoint Encryption for Files and Folders 4.1 has been installed

7 User Case: Endpoint Encryption for Removable Media (EERM)

Endpoint Encryption for Removable Media will allow for password authentication and portable access to any USB removable media.

EERM policies can be assigned in a number of ways: using User Policy Assignment rules, System Policy Assignment rules, or by simply assigning the EERM policy at the System Tree level. Please refer to the KB at http://mysupport.mcafee.com for further detailed information and updated articles on EERM.

For the purposes of EERM there are options for recovering a key encrypted with EERM.

7.1 Creating a EEFF key for EERM recovery

Task

For option definitions, click ? in the interface.

1 Click Menu | Data Protection | EEFF keys. The EEFF Key Management page appears.

3 Type a name (EERM Recovery Key) and a description for the key (Used for EERM recovery).

4 Select Never expire key or an expiration date as required.

7.2 EERM Policy Creation

Use this task to create the policy for EERM. Log in to McAfee ePO.

Task

For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog

2 Select the Product as Endpoint Encryption for Files and Folders 4.1.0

3 Select Removable Media (UBP) Category from the drop-down lists.

5 Set the following settings:

Select Use McAfee Endpoint Encryption for Removable Media (EERM)

Protected Area: Entire device; when the device size is greater than 64Gb, set to User Managed

Select Make unprotected files, folders and devices read-only (on a client machine with EEFF installed)

7 Select EERM Recovery Key from the drop-down menu

9 Click OK

Step 10 is optional!

10 Define an individual text for the pop-up message shown when an unprotected removable media device is inserted, by editing the Customize UI Text displayed on inserting media text box

Note!

If the default message is used, it is displayed in the language of the operating system, provided that language is supported by Endpoint Encryption for Files and Folders. As soon as an individual text is configured, a separate policy needs to be configured for every language.

7.3 Grant Key for EERM

Use this task to grant the key for EERM. Log in to McAfee ePO.

Task

For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog

2 Select the Product as Endpoint Encryption for Files and Folders 4.1.0

3 Select Grant Keys (UBP) Category from the drop-down lists.

8 Select the EERM Recovery Key

9 Click the button

10 Selected key will appear under selected keys, select the EERM Recovery key

7.4 Password Rules for EERM

Task

For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog

2 Select the Product as Endpoint Encryption for Files and Folders 4.1.0

3 Select Password Rules Category from the drop-down lists.

8 Set Password rules to your needs

Note!

Password rules apply to EERM, User Local Keys and Self-Extractor files.

7.5 Assign Policy via the System Tree

Use this task to assign a policy to multiple managed nodes within a group. The policy that is used in the Use case is created at the System Tree level. These types of policies can be assigned via Policy Assignment Rules (PAR) by creating a User PAR or System PAR. For more information on using Policy Assignment Rules for assignment of policies, please refer to the following KB articles:

KB 72719 How to create Endpoint Encryption for Files and Folders 4.x Policies

Task

For option definitions, click ? in the interface.

1 Click Menu | Systems | System Tree | Systems, then select the desired group in the System Tree.

2 Click Assigned Policies

3 Select Endpoint Encryption for Files and Folders 4.1.0 from product drop-down list.

5 Click Edit Assignments to change policy assignment if needed.

7.6 Enforce policy update via Agent Wake-Up

Task

For option definitions, click ? in the interface.

1 Click Menu | Systems | System Tree | Systems, select the desired group in the System Tree, then click on the machine

2 Select System by selecting the check box

3 Click Wakeup Agent

5 Click OK

6 Check the Agent status monitor on the endpoint system to ensure the policy gets updated.

7 Right click McAfee Shield

8 Select McAfee Agent Status Monitor…

7.7 Using McAfee EERM

To check whether the EERM policy has been enforced, perform the following:

1 Right click McAfee Shield

2 Select McAfee Manage Features | Endpoint Encryption for Files and Folders

2 Expand Simple policies and note the following settings enabled:

• Recovery key for EERM devices {xxxxxxxx}

• Use entire device for EERM

• Removable media work mode fail over

• Removable media work mode limit

• Make unprotected EERM files read only

When you insert a non-protected removable device on a client with EEFF installed and the policy for removable media enabled, a notification dialog box appears prompting you to initialize the device. Alternatively, you can initialize the removable media using the McAfee Endpoint Encryption for Files and Folders client console.

7.8 Use this task to initialize a removable media.

1 Right click McAfee Shield

2 Select McAfee Manage Features | Endpoint Encryption for Files and Folders

3 Provide a volume label.

4 In the Authentication section select Authentication Password and enter a password.

• For the password method, type a password that conforms to the My Default | Password Rules policy.

• For the Authentication certificate method, select a digital certificate from the drop-down menu.

Note!

5 Select Initialize

If there is already data on the removable device, the following screen is displayed, asking whether you want to back up the existing data.

6 Options available are Yes, No and Cancel; click Yes

If the following screen is displayed, the password does not meet the complexity rules defined in the My Default | Password Rules policy. Please re-enter a valid password.

7.9 Recovery access to EERM

To recover access to a device encrypted by EERM, perform one of the following two tasks on the endpoint system.

7.9.1 EERM Password Recovery via Pop GUI

1 Plug in the device; the following will be displayed

2 Click Recover

4 Enter Password and repeat Password. If the password supplied does not meet the minimum complexity, an informational window will be displayed.

5 Click OK

7.9.2 EERM Password Recovery via McAfee Tray Icon

1 Right click McAfee Shield

2 Click Recover Media

3 Click Recover

4 The Recovery key option will be the only one available. Click Recovery

5 Enter Password and repeat Password. If the password supplied does not meet the minimum complexity, an informational window will be displayed.

7.10 Moving an Encrypted file protected with EEFF key to EERM protected Device

Note!

When moving a file from an endpoint system that has been protected with an EEFF Key to an EERM protected device, the file will be protected with EERM protection to provide usability and portability.

7.11 Trouble Shooting tips for EERM

When an attempt to initialize a device to be protected by EERM fails, a typical error will likely result in the following:

The following should be checked as possible causes:

1 Ensure the Recovery key has been granted access to be used for recovery; check the Grant Key Policy in ePO or check Manage Features for the available keys

2 Check the file system on the device to ensure the file system is recognized

3 Check the device hardware

7.12 Check EERM reporting capabilities

Task

For option definitions, click ? in the interface.

1 Click Menu | Reporting | Queries & Reports | Shared Groups | EEFF Queries, select Run from the Removable Media Device Events

System Information

• User Info (DomainName\UserName)

• Time Stamp

• Agent GUID Initialization

• Initialization State (FAILED, CANCELLED, SUCCESSFUL)

• Backup State (NONE, FAILED, CANCELLED, SUCCESSFUL)

• Backup Size

• Time taken for initialization

• Time taken for backup

• Size of protected part (valid only when initialization has completed successfully)

• User Response (ACCEPTED or REJECTED, when the user selects Yes/No at the EERM initialization prompt)

Device Information

• Size (Bytes)

• File System of device (FAT, NTFS, or EERM in the case of EERM-protected devices)

• Vendor Name

• Product Name

• Exempted (YES, NO, UNKNOWN)

7.12.1 Create a customized report “Top 10 removable media users”

Task

For option definitions, click ? in the interface.

1 Click Menu | Reporting | Queries & Reports

2 Click Actions | New

3 Click Endpoint Encryption for Files and Folders from Feature Group

4 Click Removable Media Device Events | Next

5 Click Single Group Summary Table from Display Result As

6 Choose Number of Removable Media Device Events from the Values are: drop-down list

7 Choose User Name from the Labels are drop-down list

8 Choose 10 as Maximum items

10 Add User Name to the Selected Columns

11 Click Next
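
The same "top 10" aggregation can be run offline on an export of the Removable Media Device Events query, together with a triage filter built from the event fields listed in section 7.12. This PowerShell is an added example, not part of the McAfee guide; the CSV column names, the function names and the sample rows are constructed assumptions, so match the column names to the headers of your actual export.

```powershell
# Added example (not from the McAfee guide). The rows below are constructed
# sample data and the column names are assumed; for a real export replace the
# here-string with: $sample = Import-Csv -Path .\export.csv
$sample = @'
UserName,TimeStamp,InitializationState,UserResponse,FileSystem,Exempted
CORP\alice,2013-01-10 09:12,SUCCESSFUL,ACCEPTED,EERM,NO
CORP\alice,2013-01-11 14:03,SUCCESSFUL,ACCEPTED,EERM,NO
CORP\bob,2013-01-10 09:40,CANCELLED,REJECTED,FAT,NO
CORP\bob,2013-01-12 16:25,FAILED,ACCEPTED,NTFS,NO
CORP\carol,2013-01-12 11:00,CANCELLED,REJECTED,FAT,YES
CORP\bob,2013-01-13 08:55,SUCCESSFUL,ACCEPTED,EERM,NO
'@ | ConvertFrom-Csv

function Get-TopRemovableMediaUser {
    # Offline equivalent of the "Top 10 removable media users" summary table:
    # number of device events per user, highest first.
    param([object[]]$Events, [int]$Max = 10)
    $Events |
        Group-Object -Property UserName |
        Sort-Object -Property Count -Descending |
        Select-Object -First $Max -Property @{Name = 'UserName'; Expression = { $_.Name }}, Count
}

function Get-UnprotectedMediaEvent {
    # Events where a non-exempt device was left unprotected: the user rejected
    # the initialization prompt, or initialization did not complete.
    param([object[]]$Events)
    $Events | Where-Object {
        $_.Exempted -ne 'YES' -and
        ($_.UserResponse -eq 'REJECTED' -or $_.InitializationState -ne 'SUCCESSFUL')
    }
}

Get-TopRemovableMediaUser -Events $sample | Format-Table -AutoSize

Get-UnprotectedMediaEvent -Events $sample |
    Format-Table UserName, TimeStamp, InitializationState, UserResponse, FileSystem -AutoSize
```

With the constructed rows, the second table lists the two CORP\bob events (one rejected prompt, one failed initialization); the CORP\carol event is skipped because the device is exempted.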

8 User Case: Folder Encryption for Local Folders

EEFF policies can be assigned in a number of ways: using User Policy Assignment rules, System Policy Assignment rules, or by simply assigning the EERM policy at the System Tree level. Please refer to Knowledge Base articles for further detailed information on this subject.

8.1 Creating a key for all Enterprise Users

Task

For option definitions, click ? in the interface.

1 Click Menu | Data Protection | EEFF keys. The EEFF Key Management page appears

3 Type a name (Corp Key) and a description for the key (Key for all Domain Users)

5 Click OK

The Corp Key just created will be displayed in the Key management page; note that the State of the key is Active

Repeat steps 2 through 5 above to create a key for HR

1 Click Actions | Create New Key. The Create a New Key dialog box appears

2 Type a name (HR key) and a description for the key (Key for HR)

8.2 Creating Policy for Folder Encryption

Use this task to create the policy for folder encryption. Log in to McAfee ePO.

Task

For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog

2 Select the Product as Endpoint Encryption for Files and Folders 4.1.0

3 Select Folder Encryption (UBP) from the drop-down lists.

5 Type Corp Document Policy and add a description in the notes field

6 Click OK

8 The policy options will be displayed. For the path, click the Right Arrow

Select [Documents]

10 Click Browse next to Key:

11 Select Corp key by using the browse button

Repeat steps 2 through 8 above to create a folder policy for HR

2 Click Duplicate on the McAfee Default policy. The Duplicate Existing Policy window is displayed

3 Type HR Folder Policy and add a description in the notes field

4 Click OK

5 Click HR Folder Policy

6 The Folder Encryption Options will be displayed. For the path, enter the UNC path to the share

7 Click Browse next to Key:

8.3 Grant Key for Corp Key

Use this task to make Corp Key available via Grant Key policy

Task

For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog

2 Select the Product as Endpoint Encryption for Files and Folders 4.1.0

3 Select Grant Keys (UBP) Category from the drop-down lists.

5 Select the Corp Key

6 Click the button

7 Selected key will appear under selected keys, select the Corp key

8.4 Assigning Policy to Systems

Use this task to assign the policy to machines

Task

For option definitions, click ? in the interface.

1 Click Menu | Policy | System Tree

2 Click My Organization | Assigned Policies to assign the folder policy to this group

4 Select Corp Documents Policy from the Assigned Policy drop-down list

8.5 Wake up agent to enforce policy update

Task

For option definitions, click ? in the interface.

1 Click Menu | Systems | System Tree | Systems, select the desired group in the System Tree, then click on the machine

2 Select system (Win701)

4 Select Force complete policy and task update

5 Click OK

6 Check the Agent status monitor on the endpoint system to ensure the policy gets updated.

7 Right click McAfee Shield

8.6 Using Folder Policy for Corp Users

To check the EERM policy received from ePO, perform the following:

1 Right click McAfee Shield

2 Select McAfee Manage Features | Endpoint Encryption for Files and Folders

2 Expand Folder Policies and Available keys, and note that the following settings should be enabled:

Folder Policies should display [MYDOCUMENTS]

Available Keys: EERM Recovery Key and Corp Key

9 User Case: Folder Encryption for HR Share

Use this task to create the policy for folder encryption. Log in to McAfee ePO. The HR key that will be used was created in Section 8. If this step was missed, please revisit Section 8.1 Creating a key for all Enterprise Users – Step 6.

Task

For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Assignment Rules

2 Click New Assignment Rule

4 Select User Based Rule Type

5 Click Add Policy

6 Select Product: Endpoint Encryption for Files and Folders, Category: Folder Encryption, Policy: HR Folder

7 Click +

9 Click Next. This will display the Policy Assignment builder

10 Click next to group Membership

12 Find the HR group and select it

13 Click OK

15 Click Save. The HR Policy Assignment Rule will show

9.1 Wake up agent to enforce policy update

Task

For option definitions, click ? in the interface.

1 Click Menu | Systems | System Tree | Systems, select the desired group in the System Tree, then click on the machine

3 Click Wakeup Agent

4 Select Force complete policy and task update

5 Click OK

9.2 Using Folder Policy for Corp Users

To check the EERM policy received from ePO, perform the following:

1 Right click McAfee Shield

2 Select McAfee Manage Features | Endpoint Encryption for Files and Folders

2 Expand Folder Policies and Available keys, and note that the following settings should be enabled:

Folder Policies should display [MYDOCUMENTS] and \\epo46srv\HR

Available Keys: EERM Recovery Key, Corp Key and HR Key

You can see visually that the files in My Documents are encrypted, represented by the padlock icon.

10 User Driven Actions

There are additional options that can be provided to users to allow for additional functionality that is controlled by the user on the endpoint system. These are optional functions controlled via policy through ePO. Some of the most common features include:

• Creation of Self Extracting files

• Explicit Encryption

• Explicit Decryption

Use this task to turn on User Driven Options. Log in to McAfee ePO.

Task

For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog

2 Select the Product as Endpoint Encryption for Files and Folders 4.1.0

3 Select General (UBP) Category from the drop-down lists.

5 Select Allow Explicit Encrypt | Allow Explicit Decrypt

10.1 Wake up agent to enforce policy update

1 Click Menu | Systems | System Tree | Systems, select the desired group in the System Tree, then click on the machine

2 Select system (Win701)

3 Click Wakeup Agent

5 Click OK

6 Check the Agent status monitor on the endpoint system to ensure the policy gets updated.

7 Right click McAfee Shield

8 Select McAfee Agent Status Monitor

To check the EERM policy received from ePO, perform the following on the endpoint system.

10 Right click McAfee Shield

11 Select McAfee Manage Features | Endpoint Encryption for Files and Folders

Enable “Decrypt”: Yes

10.2 Explicit Encryption

The Encrypt option on the context menu allows you to manually encrypt a file or a folder. This option is unavailable to the users if the file or the folder has been encrypted by policy.

Perform this task from the endpoint System

1 Right Click a file

2 Select McAfee Endpoint Encryption

3 Select Encrypt

4 Select the key to use for encryption. The list is derived from the available keys provided by the policy. Choose Corp Key from the drop-down list

5 Select OK

10.3 Explicit Decryption

The Decrypt option on the context menu allows you to manually decrypt a file or folder. This option is unavailable to the users if the folder has been encrypted by policy.

Perform this task from the endpoint System.

Right click a file that has been encrypted with EEFF, denoted by the padlock icon. Looking at the properties and selecting the Encryption tab will provide the details of which key was used for encrypting the file.

1 Right Click a file

2 Select McAfee Endpoint Encryption

3 Select Decrypt

10.4 Creation of Self Extractors

Self-Extractors are password-encrypted executable files that can also be decrypted on non-EEFF client systems. The password used to create the Self-Extractor is required to read it. You can change the name of the Self-Extractor. By default, it is named as its source file/folder with the *.exe extension.

1 Right Click a file

2 Select McAfee Endpoint Encryption

3 Select Create Self-Extractor (filename.xxx.exe)

4 Enter a Password and Confirm

5 Click OK

The file will be successfully created

11 Conclusion

This POC guide has provided a step-by-step guide on how to install and configure McAfee Endpoint Encryption for Files and Folders, along with step-by-step instructions on how to configure the following User Cases:

Endpoint Encryption for Removable Media (EERM)

Local Folder Encryption using Folder Encryption

Network Folder Encryption

User Driven Actions

11.1 Further Information

For further information please refer to the following documentation and reference material:

Release Notes: readme_en-us.html

Product Guide: eeff_410_product_guide_en-us.pdf

User Guide: eeff_410_user_guide_en-us.pdf

Migration Guide: eeff_410_migration_guide_en-us.pdf

Other Useful Links

Knowledge Base articles

https://kc.mcafee.com/corporate/index?page=home (Searchable)

https://mysupport.mcafee.com/Eservice/productdocuments.aspx?strPage=3&pl=0 (by Product)

McAfee Use Case for EERM

https://community.mcafee.com/community/business/data/epoenc/blog/2012/12/14/how-to-handle-removable-media-encryption-with-endpoint-encryption-for-files-and-folders-41

McAfee Support Site

https://mysupport.mcafee.com/Eservice/Default.aspx

McAfee Product Download Site

http://www.mcafee.com/us/downloads/downloads.aspx

McAfee Technical Video Channel
