• Deploy the EEAgent and EEPC packages to the client system.
• Activate EEPC and restart client system.
Best practices and recommendations for using Intel® AMT and EEPC
• Enable CIRA only when it is necessary for the security requirements of your organization.
• Limit the use of the EEDeep unlock feature during wake‑and‑patch cycles to the smallest possible time
window and number of reboots.
• While performing any out‑of‑band action, do not power off or disconnect the client system from the
network until the system has successfully booted into Windows.
• Note that time‑based out‑of‑band actions, for example unlock on schedule, are based on the clock
on the server. They are not based on the local time of the client system, even if it is in another
time zone.
• Out‑of‑band: remediation — Always allow Automatic disk image to be used when possible.
• Out‑of‑band: user management — Even though the password policy is not enforced on the temporary
password, make sure to follow the enterprise password policy when setting the temporary password.
Phased deployment strategies
Endpoint Encryption deployment (first‑time installation) can be done in phases, with different policy
settings for different corporate environments. A model policy setting is explained in the recommended
policy settings section.
Phased deployment (first‑time installation)
There can be a number of scenarios where the PBA creates challenges during the Endpoint Encryption
deployment. For a safe and smooth deployment and activation process, you can easily create different
sets of EEPC/EEMac system policies and do the deployment in various phases.
During a first‑time installation, it is a best practice to create the first set of policy settings with
Encryption set to None and Automatic Booting enabled, and a second set of policy settings that enables
encryption and the PBA.
While the first set of policies is in use, the client systems are unprotected: no disk is encrypted and
no pre‑boot authentication is required.
High level process
• After deploying the Endpoint Encryption packages, create an Endpoint Encryption system policy
with the following settings:
• Select the encryption option as None under Encryption tab | Encrypt.
• Enable the Enable Automatic Booting option under Log On tab | Endpoint Encryption.
• Enable Add local domain users option under Log On tab | Endpoint Encryption.
• Enforce this policy to the client systems. This activates Endpoint Encryption, but encrypts no disks
and requires no authentication.
• You can now configure the second set of policies with the required encryption option (anything other
than None) and automatic booting disabled.
• Use the automatic booting policy as the default. In this mode, the Add Local Domain Users feature
captures all Windows domain accounts that access the system. These accounts are added as valid
Pre‑Boot enabled accounts to be used in the Pre‑Boot environment.
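Because clients on the first policy set are unprotected, the practical risk in a phased rollout is a client that lingers on phase 1, or that has the phase‑2 policy assigned but has not finished encrypting. The audit below is an added example, not code from the guide or from McAfee: it reads a constructed client export (the column names are assumptions, not an ePO report format), classifies each client by what actually protects it, and reports the ones that are overdue.

```python
import csv
from io import StringIO

# Assumed tolerance (days) for a client to remain on the unprotected phase-1 policy.
PHASE1_MAX_DAYS = 7

# Constructed sample export; host names, columns and values are assumptions for this example.
SAMPLE_EXPORT = """hostname,policy_phase,disk_encrypted,autoboot,days_on_policy
ws-001,1,no,enabled,3
ws-002,1,no,enabled,12
ws-003,2,yes,disabled,5
ws-004,2,no,disabled,1
ws-005,2,yes,enabled,4
"""


def parse_export(text: str) -> list[dict]:
    """Parse the CSV export into one dict per client."""
    return list(csv.DictReader(StringIO(text)))


def audit_client(row: dict, max_days: int = PHASE1_MAX_DAYS) -> str:
    """Classify a client by its effective protection rather than by the policy name:
    only an encrypted disk with automatic booting off counts as protected."""
    encrypted = row["disk_encrypted"].strip().lower() == "yes"
    autoboot = row["autoboot"].strip().lower() == "enabled"
    days = int(row["days_on_policy"])
    phase = int(row["policy_phase"])

    if encrypted and not autoboot:
        return "protected"
    if phase == 1:
        # Expected interim state; flag it once it outlives the agreed rollout window.
        return "phase1-overdue" if days > max_days else "phase1-ok"
    # Phase-2 policy assigned, but the client is not yet protected.
    if not encrypted:
        return "phase2-encryption-pending"
    return "phase2-autoboot-still-enabled"


def audit(rows: list[dict], max_days: int = PHASE1_MAX_DAYS) -> dict:
    """Return {hostname: status} for every client in the export."""
    return {row["hostname"]: audit_client(row, max_days) for row in rows}


def unprotected(statuses: dict) -> list[str]:
    """Hosts that currently hold no encrypted disk behind pre-boot authentication."""
    return sorted(h for h, s in statuses.items() if s != "protected")


if __name__ == "__main__":
    result = audit(parse_export(SAMPLE_EXPORT))
    for host, status in result.items():
        print(f"{host}: {status}")
    print("needs attention:", unprotected(result))
```

The classification deliberately ignores the policy name and looks at the encryption state and the automatic‑booting flag, because a client can have the second policy assigned and still be days away from a fully encrypted disk.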
McAfee Endpoint Encryption 7.0 Patch 1 Software Best Practices Guide