Single Sign On (SSO)
The EEPC client system then boots to Windows. This first boot establishes SSO (if it has been
enabled). On future restarts, the user logs in to PBA only. Once the user is authenticated, SSO
automatically logs in to Windows.
In short, the SSO option lets the user authenticate once to reach the operating system even when
PBA is enabled. Though it requires an extra step, disabling SSO is the more secure
configuration.
When the Must match username option is enabled, the EEPC user name and the Windows user name
must match for SSO to work, regardless of which domain the user is part of. The user can even be a
local user.
When the Synchronize Endpoint Encryption password with Windows option is enabled, the EEPC password is reset
to the Windows password. However, be aware that if the Password history option is enabled and the EEPC
password is the same as the Windows password, synchronization will not occur.
Changing the EEPC password does not reset the synchronization. Password synchronization
occurs only when the Windows password changes.
Activate Endpoint Encryption using Add local domain users
Using the Add local domain users option, you can activate Endpoint Encryption on the client systems
without manually adding users in ePolicy Orchestrator.
The ALDU feature supports only Mac client systems that are added to Active Directory through the
Directory Utility application. It is not supported on Mac systems that use third-party tools, such as
CentrifyDC for Mac or AdmitMac, to connect to Active Directory. EEMac supports ALDU
blacklisting using regular expressions.
Task
1. Configure the Product Settings Policy with the Add local domain users option enabled.
2. Log on to the client system. After the agent-to-server communication interval (ASCI), the Add local
domain users feature adds the previously or currently logged-on domain users to the client system.
3. Endpoint Encryption is activated on the client system during the next ASCI. You can now restart the
client to log on using the PBA page.
This option provides automatic user assignment, so administrators do not have to
manually assign users to client systems in the McAfee ePO console. The recommended best practice
is to manually assign at least one user to all systems to ensure that Endpoint Encryption activation
succeeds even if the Add local domain users option fails to function as configured. However, if
this option is configured correctly, it will not fail. A general recommendation is to manually
add a group of support users to all systems, then activate Endpoint Encryption using the Add local
domain users option. You can remove these users at a later stage, after completing the deployment.
McAfee Endpoint Encryption 7.0 Patch 1 Software Best Practices Guide