Product guide

Table 3-1 Recommended Product Settings Policies (continued)
Policy
Options
Recommendations
and hence EEPC is activated, even if the administrator has not explicitly assigned
the user to the client system.
If you select this option, at least one user should be added to the client system for a
successful EEPC or EEMac activation on the client. The activation doesn't happen
until a user logs on to Windows or Mac OS X as a domain user. This domain should
have been registered in McAfee ePO.
Enable Accessibility (Windows BIOS systems only) — Leave this option selected
(enabled). This option is helpful to visually challenged users. If selected, the system
emits a beep as a signal when the user moves the focus from one field to the next
using the mouse or keyboard in the PreBoot environment. The USB audio functionality
allows visually impaired users to listen to an audio signal (spoken word) as
guidance when the user moves the cursor from one field to the next in the PreBoot
environment. USB speakers and headphones can be used to listen to the audio
signal.
This is not applicable to EEMac.
Disable preboot authentication when not synchronized — Leave this option checked (enabled). On
selecting this option, the user is blocked from logging on to PBA in the client system,
if the client system is not synchronized with the McAfee ePO server for the set
number of days. When the user is blocked from logging on to PBA, the user should
request the administrator to perform the Administrator Recovery to unlock the client
system. This allows the client system to boot and communicate with the McAfee ePO
server.
The client system will continue to block the user from logging on to the system until
the synchronization with ePolicy Orchestrator happens. This is especially useful to
prevent unauthorized access to laptops that have been misplaced, lost or stolen.
Get username from token — Leave this option checked (enabled). On selecting this option,
the available user information on the client system is automatically retrieved from the
inserted smartcard; hence the Authentication window does not prompt for a
username. The user can then authenticate just by typing the correct PIN.
You need to enable the matching rules that are required for matching the smartcard user
principal name (UPN) with EEPC usernames.
This feature is supported on the Gemalto .Net V2+ tokens, and PIV and CAC tokens.
This is not applicable to EEMac.
Match certificate user name field up to @ sign — Match the certificate user name up to the @
sign of the user name. For example, if the UPN is SomeUser@SomeDomain.com
and the EEPC user name is SomeUser, a match is found.
Hide user name during authentication — On selecting this option, the EEPC user name does
not appear in the Authentication window.
Enable SSO — Leave this option checked (enabled).
This is not applicable to EEMac.
Must match user name — Leave this option checked (enabled). This option ensures the
SSO details are only captured when the user’s Endpoint Encryption and Windows
user names match. This ensures that the SSO data captured is replayed for the
Software configuration and policies
Recommended Product Settings Policy
McAfee Endpoint Encryption 7.0 Patch 1 Software Best Practices Guide