Product guide

Phased deployment strategies
EEPC deployment (first time installation) can be done in various phases with different policy settings
for different corporate environments. A model policy setting is explained in the recommended policy
settings sections.
Phased deployment (first time installation)
There are a number of scenarios where Pre-Boot Authentication (PBA) creates challenges during the EEPC deployment.
For a safe and smooth deployment and activation process, you can create different sets of EEPC
system policies and do the deployment in phases.
During the first time installation, it is a best practice to create the first set of policy settings with
Encryption set to None and Automatic Booting enabled. You can create a second set of policy settings which
enables the encryption and the PBA.
When the first set of policies is in use, the client systems are unprotected.
High level process
After deploying the EEPC packages, create an EEPC system policy with the following settings:
- Select None as the encryption option under Encryption tab | Encrypt.
- Enable the Enable Automatic Booting option under Log On tab | Endpoint Encryption.
- Enable the Add local domain users option under Log On tab | Endpoint Encryption.
Enforce this policy on the client systems. This activates EEPC, but encrypts no disks and requires no
authentication.
You can now configure the second policy set with the required encryption option (anything other than None)
and automatic booting disabled.
Use the automatic booting policy as the default. In this mode, the Add Local Domain Users feature
captures all Windows domain accounts that access the system. These accounts are added as valid
Pre-Boot enabled accounts to be used in the Pre-Boot environment.
Create a query in ePolicy Orchestrator to find all systems that need to stop autobooting and assign
the second policy to these systems.
Send an agent wake-up call from ePolicy Orchestrator to apply the policy with Pre-Boot
Authentication to all required systems.
The systems will start with PBA as soon as they receive the new policy.
This phased deployment temporarily enables automatic booting; when the query is run, it
enables the Pre-Boot Authentication policy. This ensures that EEPC gets activated when the system is
in the field and that the end user's account gets added as a valid Pre-Boot account before
encrypting and activating PBA.
This kind of phased deployment can be very useful when the administrator faces
challenges such as patching cycles, re-imaging processes, product deployment and managing other
autoboot scenarios.
Perform phased deployment in batches of systems from the System Tree.
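The readiness check behind the query and batching steps above, as an added example that is not part of the McAfee guide or ePolicy Orchestrator. It works on a constructed CSV export; the column names, the batch size and the 14-day limit are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample export. Column names are assumptions, not ePO's schema.
SAMPLE = """\
system,eepc_active,autoboot,preboot_users,phase1_since
LT-001,yes,yes,2,2024-03-01
LT-002,yes,yes,0,2024-03-01
LT-003,no,yes,0,2024-03-04
LT-004,yes,no,1,2024-02-20
LT-005,yes,yes,1,2024-02-10
LT-006,yes,yes,3,2024-03-05
"""


def classify(row):
    """Return 'done', 'ready' or 'wait' for one system."""
    if row["autoboot"] != "yes":
        return "done"   # already on the second (PBA) policy
    if row["eepc_active"] != "yes":
        return "wait"   # EEPC has not activated yet
    if int(row["preboot_users"]) == 0:
        return "wait"   # no domain account captured, user could not pass PBA
    return "ready"


def plan(export_text, today, batch_size=2, max_days=14):
    """Batch ready systems (longest-unprotected first) and flag stragglers."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    ready = sorted((r for r in rows if classify(r) == "ready"),
                   key=lambda r: r["phase1_since"])  # ISO dates sort as text
    names = [r["system"] for r in ready]
    batches = [names[i:i + batch_size]
               for i in range(0, len(names), batch_size)]
    waiting = [r["system"] for r in rows if classify(r) == "wait"]
    # Still autobooting past max_days: unprotected for longer than planned.
    overdue = [r["system"] for r in rows if classify(r) != "done"
               and (today - date.fromisoformat(r["phase1_since"])).days > max_days]
    return {"batches": batches, "waiting": waiting, "overdue": overdue}


if __name__ == "__main__":
    print(plan(SAMPLE, date(2024, 3, 10)))
```

Systems listed under waiting stay on the automatic booting policy until a domain account has been captured; anything under overdue deserves a manual look, because it has been running without encryption or authentication for longer than the rollout intended.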
Software configuration and policies
McAfee Endpoint Encryption for PC 6.2 Software Best Practices Guide