McAfee EETech for Mac 6.2
COPYRIGHT
Copyright © 2012 McAfee, Inc. Do not copy without permission.
Contents
Introducing McAfee EETech for Mac 6.2
  Audience
  Using this guide
  Understanding the daily authorization code
EETech for Mac 6.2
  Installing EETech on USB disk
  Booting from the EETech USB disk
  Authorizing with daily authorization code
  Authenticating with token
  Exporting the recovery information file from McAfee ePO
  Authenticating with recovery file
  Performing self-recovery with token authentication
  Performing emergency boot
  Removing encryption and boot sector with token authentication
  Removing encryption and boot sector with file authentication
  Viewing the workspace
  Encrypting or Decrypting sectors
  Repairing preboot
Introducing McAfee EETech for Mac 6.2
With data breaches on the rise, it is important to protect information assets and comply with privacy regulations. McAfee Endpoint Encryption for Mac delivers powerful encryption that protects data from unauthorized access, loss, and exposure. EETech for Mac is McAfee’s disaster recovery tool used in conjunction with Endpoint Encryption for Mac (EEMac). It allows you to recover a non-booting Endpoint Encryption installation. The software presents a user interface with a number of options that are used to fix or recover the data on an encrypted hard disk.
NOTE: EETech for Mac 6.2 is to be used with EEMac 6.2 only. EETech for Mac 1.0 or 1.1 will not work with EEMac 6.2.
Audience
This guide is mainly intended for qualified system administrators and security managers. Knowledge of basic networking and routing concepts, and a general understanding of the aims of centrally managed security is required.
Using this guide
This guide helps corporate security administrators to understand the disaster recovery tool McAfee EETech for Mac. This document includes procedures to recover data from systems that are unrecoverable.
Understanding the daily authorization code
Some recovery operations in EETech require administrative access. The user can get this access by typing a four-digit code into the authorization screen.
This code changes every day and can only be retrieved by contacting McAfee support (mysupport.mcafee.com).
NOTE: All EETech operations require authentication. However, only the administrative operations require authorization with the four-digit daily authorization code.
The following operations do not require the daily authorization code:
• Using the disk information utility to identify encrypted regions on the disk
• Setting the encryption algorithm used by EETech
• Setting the boot disk on which EETech will perform its operations
The following operations do require the daily authorization code:
• Removing endpoint encryption (this includes decrypting the disk as well)
• Repairing disk information
• Using the crypt sectors and force crypt sectors utilities to manually encrypt or decrypt specific sectors
• Editing the disk crypt state
EETech for Mac 6.2
This chapter explains some of the common tasks that can be undertaken using McAfee’s disaster recovery tool, McAfee EETech for Mac. Make sure that you exercise caution for all EETech procedures.
Installing EETech on USB disk
To use the EETech recovery tool on EEMac installed clients, the user must install the EETech software on a dedicated USB disk.
NOTE: Any existing data on the USB disk will be deleted on installing the EETech software.
Before you begin
Before proceeding with this task, make sure you have these prerequisites ready.
• Blank USB disk
• EpeTechEfi.efi
Task
1 Insert a blank USB disk into a Mac system to install the EETech software.
2 From Finder, open Applications | Utilities | Disk Utility.
4 Select the existing 1 Partition in the Volume Scheme list and type the name EETech for the partition.
5 Select how to format the partition that will be erased or created.
6 Click Apply. This initializes the inserted USB disk.
7 When the USB initialization is complete, copy the EpeTechEfi.efi file to the USB disk.
8 Open a terminal prompt and type the following command:
sudo bless --folder "/Volumes/EETech/" --file "/Volumes/EETech/EpeTechEfi.efi" --label "McAfee EETech"
9 Enter the password if prompted.
10 Disconnect (unmount) and remove the USB disk.
Booting from the EETech USB disk
EETech is accessed through the EETech USB disk. When the user boots the unrecoverable system with the EETech installed USB disk, the first page that appears is the McAfee EETech interface.
Task
1 Insert the EETech USB boot disk into the unrecoverable system.
2 Boot the unrecoverable system while holding down the Option (or alt) key. The Boot Menu appears.
3 Select McAfee EETech from the Boot Menu. The McAfee EETech interface appears.
Authorizing with daily authorization code
You need to gain administrative access to EETech using the daily authorization code. This code is only required for certain tasks in EETech, so retrieve the code when the recovery procedure in this document states that it is required.
Before you begin
Make sure that the system’s main power supply is plugged in for this task. Do not attempt to perform this task on battery only. Before proceeding with this task, make sure you have these prerequisites ready.
• The EETech USB disk.
• The daily Authorization/Access code.
NOTE: Users with a valid support contract with McAfee can only obtain the daily Authorization code from McAfee Support.
Task
1 Boot the unrecoverable system with the EETech USB boot disk while holding down the Option (or alt) key. The Boot Menu appears.
2 Select McAfee EETech from the Boot Menu. The McAfee EETech interface appears.
3 Click Authorize under Authorization. The Authorize dialog box appears.
4 Type the daily Authorization/Access Code and click OK. On typing the correct authorization code for the day, the Authorization status changes to Authorized.
Authenticating with token
You need to authenticate the recovery tasks using the Endpoint Encryption user credentials for the system.
Before you begin
Make sure that the system’s main power supply is plugged in for this task. Do not attempt to perform this task on battery only. Before proceeding with this task, make sure you have these prerequisites ready.
• The EETech USB disk.
Task
1 Insert the EETech USB boot disk into the unrecoverable system.
2 Boot the unrecoverable system while holding down the Option (or alt) key. The Boot Menu appears.
3 Select McAfee EETech from the Boot Menu. The McAfee EETech interface appears.
4 Click Token under Authentication. The Endpoint Encryption Logon window appears and prompts for the Endpoint Encryption user credentials of the system.
5 Type the Username and Password for the client system, then click Logon. On typing the correct credential, the Authentication status changes to Authenticated with Token.
Exporting the recovery information file from McAfee ePO
You need to export the recovery information file (.xml) for the required system from ePolicy Orchestrator to perform the recovery tasks.
Every EEMac installed system that is managed through the ePolicy Orchestrator server has a recovery information file on the server. Any user trying to authenticate the recovery procedures on the client systems should get the recovery file from the McAfee ePO administrator for EEMac.
Before you begin
You must have appropriate permissions to perform this task. Before proceeding with this task, make sure you have these prerequisites ready.
• FAT-32 formatted USB disk.
Task
1 Insert the FAT-32 formatted USB disk into the system where ePolicy Orchestrator is present.
2 Log on to ePolicy Orchestrator as an administrator.
3 Click Menu | Systems | System Tree. The Systems page appears. Select the required group under System Tree pane on the left.
4 Select the required System, then click Actions | Endpoint Encryption | Export Recovery Information. The Export Recovery Information confirmation page appears.
5 Click Yes to export the recovery information file. The Export Recovery Information page appears with the Export information (.xml) file.
6 Right-click the .xml file and save it to the inserted USB disk.
NOTE: The Recovery Information File has a general format of client system name.xml.
Authenticating with recovery file
You need to authenticate the recovery tasks using the Recovery Information File (.xml). The administrator needs to export the Recovery Information File for the required system from ePolicy Orchestrator.
NOTE: Using the wrong recovery key file might damage an encrypted drive. Make sure that you are using an appropriate recovery file for the system.
Before you begin
Make sure that the system’s main power supply is plugged in for this task. Do not attempt to perform this task on battery only. Before proceeding with this task, make sure you have these prerequisites ready.
• The EETech USB disk.
• The Recovery Information File (.xml).
Task
1 Insert the EETech USB boot disk containing the Recovery Information File (.xml) into the unrecoverable system.
NOTE: It is the same EETech USB boot disk that will have the Recovery Information File (.xml) as well.
2 Boot the unrecoverable system while holding down the Option (or alt) key. The Boot Menu appears.
3 Select McAfee EETech from the Boot Menu. The McAfee EETech interface appears.
4 Click File under Authentication, then browse and select the Recovery Information File (.xml) from the USB disk.
5 Click OK. On selecting the right file, the Authentication status changes to Authenticated with File.
Performing self-recovery with token authentication
You might need to perform self-recovery on the client computer to recover the user if the user's password or logon token has been lost.
Before you begin
The user must have successfully enrolled for self recovery on the client system to perform this task. This task should be performed by the client user on the client computer.
Make sure that the system’s main power supply is plugged in for this task. Do not attempt to perform this task on battery only. Before proceeding with this task, make sure you have these prerequisites ready.
• The EETech USB boot disk.
Task
1 Insert the EETech USB boot disk into the unrecoverable system.
2 Boot the unrecoverable system whilst holding down the Option (or alt) key. The Boot Menu appears.
3 Select McAfee EETech from the Boot Menu. The McAfee EETech interface appears.
4 Click Token under Authentication. The Endpoint Encryption Logon window appears and prompts for the Endpoint Encryption credentials of the user.
5 Click Options | Recovery. The Recovery dialog box appears with Self-Recovery as the default option.
6 Type the Username and click OK. The Recovery dialog box appears with the questions that the user answered while enrolling for the self-recovery.
7 Type the answers for the prompted questions and click Finish. The Change Password dialog box appears.
8 Type and confirm the New Password and click OK. The Logon window appears and prompts for the Endpoint Encryption credentials of the user. The user can now type the newly set password and authenticate.
Performing emergency boot
You can perform the emergency boot when an EEMac installed system fails to boot or when the Endpoint Encryption logon is corrupt.
Before you begin
Before proceeding with this task, make sure you have these prerequisites ready.
• The EETech USB boot disk.
• The Recovery Information File (.xml).
• The daily Authorization/Access code.
NOTE: Users with a valid support contract with McAfee can only obtain the daily Authorization code from McAfee Support.
Task
1 Insert the EETech USB boot disk containing the Recovery Information File (.xml) into the unrecoverable system.
NOTE: It is the same EETech USB boot disk that will have the Recovery Information File (.xml) as well.
2 Boot the unrecoverable system while holding down the Option (or alt) key. The Boot Menu appears.
3 Select McAfee EETech from the Boot Menu. The McAfee EETech interface appears.
4 Authorize with daily Authorization code and confirm the authorization status.
5 Click File under Authentication, then browse and select the Recovery Information File (.xml) from the USB disk, then click OK. On selecting the right file, the Authentication status changes to Authenticated with File.
NOTE: The authentication can also be achieved using the token authentication.
6 Click Emergency Boot under Actions. The confirmation message EETech will now emergency boot into the operating system appears.
7 Click OK to confirm the emergency boot.
NOTE: This may modify the GPT partition. When the client system boots into Mac OS X, if it is connected to the ePolicy Orchestrator server, then the system synchronizes with the server and fully repairs itself. The Endpoint Encryption System Status will now appear as Recovery and you can confirm the Endpoint Encryption System Status by clicking the Encryption (lock) icon | McAfee Endpoint Encryption System Status option on the menu bar that is present on the desktop of the client.
The Endpoint Encryption System Status Recovery will change to Active after the first successful communication of the client with McAfee ePO server.
NOTE: If the McAfee Agent is unable to establish connection with ePolicy Orchestrator, continue to use the EETech Emergency Boot option to boot the system until a connection to the server is established.
Removing encryption and boot sector with token authentication
The Remove EE function can be used to completely decrypt the system and remove the Pre-Boot portion of the Endpoint Encryption software.
Use this task when:
• Mac OS X becomes corrupt
• You cannot access the data of an encrypted system
• Encryption or decryption fails due to an operating system error
Before you begin
Make sure that the system’s main power supply is plugged in for this task. Do not attempt to perform this task on battery only. Before proceeding with this task, make sure you have these prerequisites ready.
• The EETech USB boot disk.
• The daily Authorization/Access code.
NOTE: Users with a valid support contract with McAfee can only obtain the daily Authorization code from McAfee Support.
Task
1 Insert the EETech USB boot disk into the unrecoverable system.
2 Boot the unrecoverable system while holding down the Option (or alt) key. The Boot Menu appears.
3 Select McAfee EETech from the Boot Menu. The McAfee EETech interface appears.
4 Authorize with daily Authorization code and confirm the authorization status.
5 Authenticate with Token and confirm the authentication status.
6 Click Remove EE under Actions. The Remove EE window appears.
7 Click Remove to begin the removal. This removes encryption and boot sector from the client system; however, it does not remove Endpoint Encryption client files. It might take a few hours depending on the system performance and the storage capacity of the drive or partition.
Removing encryption and boot sector with file authentication
When the Endpoint Encryption software does not work, you might have to remove the encryption and boot sector from the client system.
CAUTION: This procedure should only be attempted under the guidance of McAfee Support. For this method, the system's recovery information file should be exported from the ePO server.
Before you begin
Before proceeding with this task, make sure you have these prerequisites ready.
• The EETech USB boot disk.
• The USB disk containing the Recovery Information File (.xml)
• The daily Authorization/Access code.
NOTE: Users with a valid support contract with McAfee can only obtain the daily Authorization code from McAfee Support.
Task
1 Insert the EETech USB boot disk containing the Recovery Information File (.xml) into the unrecoverable system.
2 Boot the unrecoverable system whilst holding down the Option (or alt) key. The Boot Menu appears.
3 Select McAfee EETech from the Boot Menu. The McAfee EETech interface appears.
4 Authorize with daily Authorization code and confirm the authorization status.
5 Authenticate with Recovery Information File (.xml) and confirm the authentication status.
6 Click Remove EE under Actions. The Remove EE window appears.
7 Click Remove to begin the removal. This removes encryption and boot sector from the client system; however, it does not remove Endpoint Encryption client files. It might take a few hours depending on the system performance and the storage capacity of the drive or partition.
Viewing the workspace
The workspace contains the bytes loaded from the sectors on the disk or from a file. This option opens the Workspace window which allows the users to read sector ranges from the disk and to view the contents. This can also be used to inspect, encrypt, and decrypt sectors of the disk. By default, there is nothing loaded into the workspace. The workspace is not a view of the disk, rather it is only a view of what the user loads into it. The user can choose to load the contents of sectors or the contents of a file. Once the user loads any of these, it is displayed in the workspace.
CAUTION: It is entirely the responsibility of the qualified system administrators and security managers to take appropriate precautions before performing this task. The user needs to take maximum care while performing this task, otherwise, it may cause the system to become corrupt and that might result in the loss of data. Contact McAfee support for assistance on how to use the EETech workspace.
Before you begin
Before proceeding with this task, make sure you have these prerequisites ready.
• The EETech USB boot disk.
• The daily Authorization/Access code.
NOTE: Users with a valid support contract with McAfee can only obtain the daily Authorization code from McAfee Support.
• Recovery Information File (.xml) or Authentication Token
Task
1 Insert the EETech USB boot disk into the unrecoverable system.
2 Boot the unrecoverable system whilst holding down the Option (or alt) key. The Boot Menu appears.
3 Select McAfee EETech from the Boot Menu. The McAfee EETech interface appears.
4 Authorize with daily Authorization code and confirm the authorization status.
5 Authenticate with Token or Recovery Information File (.xml) and confirm the authentication status.
6 Click Workspace under Actions. The Workspace window appears with these options:
• Load From File — It loads a previously saved workspace that was not encrypted and replaces the current contents of the workspace. It just loads the bytes and displays them.
• Save To File — This option saves the current content (bytes) of the workspace in a file.
• Load From Disk — This loads the bytes from the sectors on the disk.
• Save To Disk — This option saves the current content (bytes) of the workspace on the specified sectors of the disk.
• Zero Workspace — This option fills the current content of the workspace with zeros.
• Encrypt Workspace — This option encrypts the entire contents of the workspace.
• Decrypt Workspace — This option decrypts the entire contents of the workspace.
7 Click First Sector to view the first sector from the sectors loaded on the workspace.
8 Click Previous Sector to view the previous sector of the current sector loaded on the workspace.
9 Click Next Sector to view the next sector of the current sector loaded on the workspace.
10 Click Last Sector to view the last sector from the sectors loaded on the workspace.
Encrypting or Decrypting sectors
This option allows you to safely verify which sectors are encrypted on the disk. This option follows the crypt list to validate the ranges you submit, so it does not encrypt sectors which are currently encrypted, and will not decrypt sectors which are currently not encrypted. This option supports power fail protection.
The Crypt Sectors option cannot be used if Endpoint Encryption has become corrupt on the disk, or the crypt state has been corrupted; however, the Force Crypt Sectors option can be used in such cases.
When you change the encryption state with this option, it makes the appropriate modifications to the disk Crypt List. For example, when you encrypt a new range, it creates a new Region definition. When you decrypt within an existing Region, the existing region is split into two; if you completely decrypt a region, it removes the Region from the crypt list.
CAUTION: It is entirely the system administrator's responsibility to take appropriate precautions before performing this task. The user needs to take maximum care while performing this task, otherwise, it may cause the system to become corrupt and that might result in the loss of data.
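The Crypt List bookkeeping described above, modelled in Python as an added example; it is not code from EETech or McAfee. The names Region and CryptList and the sector numbers are constructed for illustration, and leaving adjacent regions unmerged is an assumption.

```python
"""Toy model of a disk crypt list (constructed for illustration, not EETech code).

The list holds sorted, non-overlapping encrypted regions, each described by a
start sector, an inclusive end sector and a sector count.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Region:
    start: int  # physical start sector of the region
    end: int    # last physical sector included in the region

    @property
    def sector_count(self) -> int:
        return self.end - self.start + 1


class CryptList:
    def __init__(self, regions=()):
        self.regions = sorted(regions)

    @staticmethod
    def _span(start, count):
        if start < 0 or count <= 0:
            raise ValueError("start sector must be >= 0 and sector count > 0")
        return start, start + count - 1

    def encrypt(self, start, count):
        """Encrypt only sectors in the range that are not already encrypted.

        Returns the sub-ranges actually encrypted; each becomes a new region.
        Assumption: adjacent regions are left unmerged.
        """
        lo, hi = self._span(start, count)
        todo, cursor = [], lo
        for r in self.regions:
            if r.end < cursor or r.start > hi:
                continue                      # no overlap with what is left
            if r.start > cursor:
                todo.append(Region(cursor, r.start - 1))  # gap before region
            cursor = r.end + 1                # skip sectors already encrypted
        if cursor <= hi:
            todo.append(Region(cursor, hi))   # tail after the last region
        self.regions = sorted(self.regions + todo)
        return todo

    def decrypt(self, start, count):
        """Decrypt only sectors in the range that are currently encrypted.

        Returns the sub-ranges actually decrypted. A region hit in the middle
        is split in two; a region fully covered is dropped from the list.
        """
        lo, hi = self._span(start, count)
        kept, done = [], []
        for r in self.regions:
            if r.end < lo or r.start > hi:
                kept.append(r)                # untouched region
                continue
            a, b = max(r.start, lo), min(r.end, hi)
            done.append(Region(a, b))
            if r.start < a:
                kept.append(Region(r.start, a - 1))  # part left before range
            if b < r.end:
                kept.append(Region(b + 1, r.end))    # part left after range
        self.regions = sorted(kept)
        return done


def demo():
    """Walk the three cases from the text on one constructed region."""
    cl = CryptList([Region(1000, 1999)])
    steps = []
    steps.append((cl.decrypt(1200, 100), list(cl.regions)))   # split in two
    steps.append((cl.decrypt(1000, 200), list(cl.regions)))   # region removed
    steps.append((cl.encrypt(1500, 1000), list(cl.regions)))  # new region
    return steps


if __name__ == "__main__":
    for changed, regions in demo():
        print("changed:", changed, "crypt list:", regions)
```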
Before you begin
Before proceeding with this task, make sure you have these prerequisites ready.
• The EETech USB boot disk.
• The daily Authorization/Access code.
NOTE: Users with a valid support contract with McAfee can only obtain the daily Authorization code from McAfee Support.
• Recovery Information File (.xml) or Authentication Token
Task
1 Insert the EETech USB boot disk into the unrecoverable system.
2 Boot the unrecoverable system while holding down the Option (or alt) key. The Boot Menu appears.
3 Select McAfee EETech from the Boot Menu. The McAfee EETech interface appears.
4 Authorize with daily Authorization code and confirm the authorization status.
5 Authenticate with Token or Recovery Information File (.xml) and confirm the authentication status.
6 Click Crypt Sectors and select the disk from the Select Disk list, then type the Start Sector and the Number of Sectors.
7 Click Encrypt/Decrypt to encrypt or decrypt a range of sectors.
NOTE: Follow the same procedure for Force Crypt Sectors.
Repairing preboot
The EETech for Mac tool provides this operation that is used to verify and rebuild the contents of the NVRAM variables that are used to load the EE Pre-Boot drivers and start the Pre-Boot Authentication.
Before you begin
Before proceeding with this task, make sure you have these prerequisites ready.
• The EETech USB boot disk.
• The USB disk containing the recovery information file (.xml)
Task
1 Insert the EETech USB boot disk containing the Recovery Information File (.xml) into the unrecoverable system.
2 Boot the unrecoverable system whilst holding down the Option (or alt) key. The Boot Menu appears.
3 Select McAfee EETech from the Boot Menu. The McAfee EETech interface appears.
4 Authorize with daily Authorization code and confirm the authorization status.
5 Authenticate with Token or Recovery Information File (.xml) and confirm the authentication status.
6 Click Repair preboot under Actions. The Warning window appears.
7 Click OK in the Warning window to confirm that you want to rebuild the contents of the NVRAM variables.
NOTE: After you authenticate through file or token and use the Repair preboot option, it replaces the code portion of the NVRAM variables with the one that was present after installing and activating Endpoint Encryption for Mac.
CAUTION: Repair preboot should be performed on a system where the boot disk is not encrypted, else an error message Missing Operating System is displayed.
Glossary
There are a number of options that an administrator needs to be aware of while using EETech for Mac. Those options and their functionalities are listed below, by topic.

Disk Information
• Disk Power Fail Status — Endpoint Encryption for Mac tracks the progress of encryption on the drive to make sure that if power is lost during encryption, the process is recoverable.
  • Status — Determines whether the drive is currently in powerfail state. A status of Inactive indicates that the current encryption process has finished.
• Disk Crypt List
  • Crypt List Region Count — The number of defined crypted areas of this logical disk. This usually corresponds to the number of partitions on the drive.
  • Region — Each region is defined as follows:
    • Start Sector — The physical start sector of the region
    • End Sector — The last physical sector included in the region
    • Sector Count — The number of sectors included in this region
• Disk Partitions — A section per Logical partition on this physical drive as follows:
  • Partition Count — The unique partition number.
  • Partition Type — The file system detected on this partition.
  • Partition Bootable — Whether the partition is bootable or not.
  • Partition Recognized — Whether the partition is recognized as viable.
  • Partition Drive Letter — The detected drive letter of this partition.
  • Partition Start Sector — The physical start sector of the partition.
  • Partition End Sector — The physical end sector of the partition.
  • Partition Sector Count — The number of sectors in the partition.
  • Partition Bus Type — Bus type used in particular partition.

Repair preboot
The EETech for Mac tool provides an operation that can be used to verify and rebuild the contents of the NVRAM variables that are used to load the EE Pre-Boot drivers and start the Pre-Boot Authentication.

NVRAM info
This is a diagnostic feature which is part of the EETech Mac tool. This displays the contents of the NVRAM variables.

Force Crypt Sectors
Before using this option call McAfee Technical support for assistance.
Unlike the Crypt Sectors | Encrypt/Decrypt option, the Force Crypt Sectors option does not consider the disk crypt state. It simply performs the operation blindly according to user input. Force Crypt does not support power fail, nor does it apply any logic or parameter validation on the input.
You should use the Force Crypt Sectors option only when everything else fails. For example, when the on-disk structures are completely corrupted.
CAUTION: This option will cause irretrievable data loss if used incorrectly. If you are forced to use this option, you should make a recording of each operation you apply to support in data recovery.
CAUTION: Make sure that there is no possibility of losing power while using this option as this option does not support power fail protection.

Edit Disk Crypt State
The disk crypt state contains information about which range of sectors are encrypted. This option allows you to change the ranges.
CAUTION: Call McAfee Technical support for assistance before using this option, because using this option inappropriately will cause irretrievable data loss.
CAUTION: Make sure that there is no possibility of losing power while using this option as this option does not support power fail protection.