Product guide

Table 3-1 Recommended Product Settings Policies (continued)
Policy: Log On Tab
Options and recommendations:
Enable Automatic Booting — Leave this option unchecked (disabled). If you enable this
feature, the client system does not have Pre-Boot Authentication (PBA). This is normally referred to as
Autoboot mode. It could be useful to enable this option when the administrator needs
to manage the autobooting scenarios. There are multiple scenarios where you can
have this option enabled or disabled. For instance, during rollout to minimize the end
user impact or during patch cycles to allow the patches to be installed and the reboots
to
If you enable this option, be aware that the McAfee Endpoint Encryption software does
not protect the data on the drive when it is not in use.
Log on Message — This could be an appropriate place to display your organization's legal
disclaimer or any other appropriate messages.
For a pilot phase, you can have your administrator or helpdesk phone number here.
Do not display previous user name at log on — Leave this option checked (enabled).
Enable on screen keyboard — Leave this option checked (enabled), especially for tablets or
on screen mouse device systems.
Add local domain users
Disabled — Selecting this option does not add any local domain users to the client
system.
Add all previous and current local domain users of the system — This option adds the previously or
currently logged-on domain users to the client system. If this is enabled, the EEAgent
queries the system for the local users (who have permission to log on to the
localhost) who have logged on to the client. EEAgent then sends the collected data
to the McAfee ePO server. The users are then added to EEPC users in ePolicy
Orchestrator. (This works only with Active Directory.)
Only add currently logged on local domain user(s); activation is dependent on a successful user assignment
— Leave this option selected (enabled). When this option is selected, only the domain
users who are logged on to the current Windows session are added to the system,
and hence EEPC is activated, even if the administrator has not explicitly assigned the
user to the client system.
If you select this option, at least one user should be added to the client system for a
successful EEPC activation on the client. The activation does not happen until a user
logs on to Windows.
Enable Accessibility — Leave this option selected (enabled). This functionality gives
visually impaired users voice guidance as the cursor moves
from one control to the next in the Pre-Boot environment.
Disable PBA when not synchronized — Leave this option checked (enabled). When this option is
selected, the user is blocked from logging on to PBA on the client system if the
client system has not synchronized with ePolicy Orchestrator for the set number of
days. In this case, to log on to the client system, you need to perform the
Administrator (machine) recovery.
Get username from token — Leave this option checked (enabled). When this option is selected,
the available user information on the client system is automatically retrieved from the
inserted smartcard; hence the Authentication window does not prompt for a
username. The user can then authenticate just by typing the correct PIN.
Software configuration and policies
Recommended Product Settings Policy
McAfee Endpoint Encryption for PC 6.2 Software Best Practices Guide