Product guide

The overall experience and tasks of an administrator and users in installing and using EEPC are exactly
the same regardless of whether the target system has an Opal drive or a normal HDD. The installation
of the product extension, deployment of the software packages, policy enforcement, and the method
of management are all the same for both systems with Opal and HDD.
Endpoint Encryption Policies
Endpoint Encryption is managed through the McAfee ePO server, using a combination of Product
Settings, User Based and Add Local Domain User Settings policies.
The McAfee ePO console allows the administrator to enforce policies across groups of computers, or a
single computer. Any new policy enforcement through McAfee ePO overrides the existing policy that is
already set on the individual systems. There are three types of policies: Product Settings, User Based
Policies, and Add Local Domain User Settings. Product Settings Policies are specific to a system or a
group of systems. User Based Policies are specific to a user, or a group of users, on a system or a
group of systems. Add Local Domain User Settings are specific to adding a blacklist of users to the
ALDU functionality.
The Product Settings Policy controls the behavior of the EEPC/EEMac installed systems. For example, it
contains the options for enabling encryption, enabling automatic booting, and controlling the theme
for the PreBoot environment.
The User Based Policy controls the parameters for EEPC/EEMac user accounts. For example, it contains
the options for selecting a token type (including password and smartcard) and password content rules.
Using the Add Local Domain User Settings policy, you can add a blacklist of users to the ALDU
functionality. Users added to the blacklist are excluded from the list of users assigned by the ALDU
function.
Configure UBP enforcement
By default, all users inherit the default User Based Policy assigned to a system and are prevented from
using Policy Assignment Rules for EEPC UBP in order to provide maximum system scalability. User
Based Policies should be kept to a minimum when possible, since UBPs impact performance and
activation time. For EEMac, the UBP enforcement feature is the same as the Product Setting policy.
Before you begin
You must have appropriate permissions to perform this task.
To allow a user to use a nondefault User Based Policy, you must enable UBP enforcement for that
user. This allows Policy Assignment Rules to be executed to select a specific nondefault UBP for the
user. If not enabled, Policy Assignment Rules are not performed and the user inherits the default UBP.
If UBP enforcement is enabled for a user but no Policy Assignment Rule assigns a UBP to that user,
EEPC activation might fail.
User Based Policies in Endpoint Encryption 7.0 Patch 1
EEPC 7.0 Patch 1 requires you to specify which groups of users are allowed, and which are not
allowed, to use the Policy Assignment Rules. The allowed users get their required User Based Policies.
Users that are not allowed to use the Policy Assignment Rules inherit the default User Based Policies
assigned to the system.
For EEMac, the Policy Assignment Rule selection criteria use only System Properties, which allows you
to assign the rule to System(s) in a group. Because of this, only a single policy can be assigned to a Mac
system at a time. As a result, all users on the Mac client will have the same policy setting.
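
The resolution behaviour described under Configure UBP enforcement, as an added example that is not part of the original guide or of McAfee ePO: a simplified model that flags users whose enforcement setting and Policy Assignment Rules disagree. The record fields, the group-based rule criterion and the policy names are assumptions made for illustration.

```python
# Added illustration: a simplified model of UBP resolution, not McAfee ePO code.
# Record fields, rule shape and policy names are hypothetical (constructed).
from dataclasses import dataclass

DEFAULT_UBP = "Default UBP"  # placeholder name for the system's default policy


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    ubp_enforced: bool  # "UBP enforcement" enabled for this user


@dataclass(frozen=True)
class Rule:
    group: str  # hypothetical selection criterion: group membership
    ubp: str    # nondefault User Based Policy the rule assigns


def resolve(user, rules):
    """Return (effective_ubp, finding) following the behaviour described above."""
    match = next((r for r in rules if r.group in user.groups), None)
    if not user.ubp_enforced:
        # Rules are not evaluated at all; the user inherits the default UBP.
        finding = "rule-ignored" if match else None
        return DEFAULT_UBP, finding
    if match is None:
        # Enforcement on but nothing assigned: activation might fail.
        return None, "activation-risk"
    return match.ubp, None


def audit(users, rules):
    """Map each user that has a finding to that finding."""
    return {u.name: f for u in users if (f := resolve(u, rules)[1])}


# Constructed sample data.
RULES = [Rule("Finance", "Smartcard UBP"), Rule("Helpdesk", "Helpdesk UBP")]
USERS = [
    User("alice", frozenset({"Finance"}), True),   # gets Smartcard UBP
    User("bob", frozenset({"Finance"}), False),    # rule exists but is ignored
    User("carol", frozenset({"Sales"}), True),     # enforced, no rule matches
    User("dave", frozenset({"Sales"}), False),     # default UBP, as intended
]

if __name__ == "__main__":
    for user in USERS:
        print(user.name, resolve(user, RULES))
    print(audit(USERS, RULES))
```

The "rule-ignored" finding is the one to watch from a security standpoint: the user silently keeps the default token type and password rules even though a stricter policy appears to target them.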
McAfee Endpoint Encryption 7.0 Patch 1 Software Best Practices Guide