Product guide
What if a user is disabled from LDAP?
If a user account is initialized on the client system and is later removed from LDAP, it is
automatically deleted from or ignored on the client when the next EE LDAP User/Group Synchronization task
runs. To authenticate through the client PBA with a disabled or deleted LDAP user name, add the user
to LDAP again and initialize the same user name on the client with the default password.
This does not remove the users from the EEUsers list in ePolicy Orchestrator; however, it removes,
deletes, or ignores the users on the client system according to the option set in the Server Settings.
Is it possible to just disable the EEPC user when removed from LDAP?
It is not possible to disable an EEPC user that has been removed from LDAP. If the user is deleted in LDAP,
the user is removed from the EE Users list during the next EE LDAP Server User/Group Synchronization task.
What if the EEPC user assignment is deleted/removed?
If the EEPC user assignment is deleted from a system, the user might still be assigned back to the
client system if the Add local domain users option is enabled in the Product Settings Policy. For this to work, the
user must have logged on to Windows at least once, and the domain to which the client system is
connected must have been registered in ePolicy Orchestrator. You can also add users manually using the
Add EE: Users option in ePolicy Orchestrator.
Manage Machine Keys
The purpose of encrypting the client's data is to control access to the data by controlling access to the
encryption keys. It is important that keys are not accessible to users.
The key that encrypts the hard disk sectors must be protected. These keys are referred to as
Machine Keys. Each system has its own unique Machine Key. The Machine Key is stored in the ePolicy
Orchestrator database so that it can be used for client recovery when required.
For more information about reusing machine keys, refer to the KnowledgeBase article https://kc.mcafee.com/corporate/index?page=content&id=KB71839.
Machine Key re-use
The Machine key re-use option activates the system with the existing key present in the McAfee
ePO server. This option is highly useful when a boot disk becomes corrupted and the user cannot access
the system. On a system whose boot disk is corrupted, the disks other than the boot disk can be recovered by
activating the system with the same key from McAfee ePO.
Machine key re-use is not applicable to systems with self-encrypting (Opal) drives.
What happens to Machine Keys when an EEPC-active system is re-imaged?
All existing data on the system is lost, and hence the Machine Key is lost, when an EEPC-active system
is re-imaged.
What happens to the Machine Key when you delete an EEPC-active system from
ePolicy Orchestrator?
The Machine Key remains in the ePolicy Orchestrator database; however, the key's association with the
client system is lost when the client system is deleted from ePolicy Orchestrator. When the client
system reports back to ePolicy Orchestrator during the next ASCI, it appears as a new node. A new
McAfee Endpoint Encryption for PC 6.2 Software Best Practices Guide