What if a user is disabled from LDAP?
If a user account is initialized on the client system and is later disabled in or removed from LDAP, it is automatically deleted from, or ignored on, the client when the next EE LDAP User/Group Synchronization task runs. To authenticate through the client PBA again with a disabled or deleted LDAP user name, re-enable or re-add the user in LDAP and initialize the same user name on the client with the default password.
This does not remove the users from the EE Users list in ePolicy Orchestrator; it removes, deletes, or ignores the users on the client system according to the option set in Server Settings.
Is it possible to just disable the Endpoint Encryption user when removed from LDAP?
It is not possible to disable an Endpoint Encryption user that has been removed from LDAP. If the user is deleted in LDAP, the user is removed from the EE Users list during the next EE LDAP Server User/Group Synchronization task.
What if the Endpoint Encryption user assignment is deleted/removed?
If the Endpoint Encryption user assignment is deleted from a system, the user might still be assigned back to the client system if the Add local domain users option is enabled in the Product Settings Policy. For this to work, the user must have logged on to Windows/Mac at least once, and the domain to which the client system is connected must be registered in ePolicy Orchestrator. You can also add users manually with Menu | Data Protection | Encryption users | Add Users in ePolicy Orchestrator.
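The three answers above describe one reconciliation pass with several inputs: the LDAP state of each account (enabled, disabled, or deleted), the Server Settings option that decides between removing and ignoring a user on the client, and the Add local domain users policy option with its two preconditions. The following model, written for this page and not McAfee code, encodes those rules so the interactions can be checked on constructed input. The class and option names (ServerSettings, remove_missing_users_from_client, ProductSettingsPolicy, ClientSystem) are hypothetical stand-ins for the real settings, and the requirement that a re-added account be enabled in LDAP is a modelling assumption.

```python
"""Model of the EE LDAP User/Group Synchronization behaviour described above.

Constructed illustration written for this page; it is not McAfee code.
Names such as remove_missing_users_from_client and add_local_domain_users
are hypothetical stand-ins for the Server Settings and Product Settings
Policy options the guide refers to.
"""
from dataclasses import dataclass, field


@dataclass
class ServerSettings:
    # Hypothetical stand-in for the Server Settings option that decides whether
    # a user disabled in LDAP is removed from the client or only ignored.
    remove_missing_users_from_client: bool = True


@dataclass
class ProductSettingsPolicy:
    # "Add local domain users" option of the Product Settings Policy.
    add_local_domain_users: bool = False


@dataclass
class ClientSystem:
    name: str
    domain: str
    assigned_users: set = field(default_factory=set)   # EE user assignments on the client
    ignored_users: set = field(default_factory=set)    # assignments kept but ignored by the PBA
    logged_on_users: set = field(default_factory=set)  # logged on to Windows/Mac at least once


def pba_can_authenticate(client: ClientSystem, user: str) -> bool:
    """A user can log on at the PBA only if assigned and not ignored."""
    return user in client.assigned_users and user not in client.ignored_users


def run_sync(ldap_accounts: dict, ee_users: set, clients: list,
             settings: ServerSettings, policy: ProductSettingsPolicy,
             registered_domains: set) -> set:
    """Apply one EE LDAP User/Group Synchronization pass.

    ldap_accounts maps user name -> True (enabled) / False (disabled);
    a user absent from the dict has been deleted from LDAP.
    Returns the new EE Users list; client objects are updated in place.
    """
    deleted = {u for u in ee_users if u not in ldap_accounts}
    disabled = {u for u in ee_users if ldap_accounts.get(u) is False}

    # Deleted in LDAP: dropped from the EE Users list (it cannot be merely disabled).
    ee_users = ee_users - deleted

    for client in clients:
        # Deleted users leave the client outright.
        client.assigned_users -= deleted
        client.ignored_users -= deleted

        # Disabled users stay in EE Users but are removed from, or ignored on,
        # the client depending on the Server Settings option.
        affected = client.assigned_users & disabled
        if settings.remove_missing_users_from_client:
            client.assigned_users -= affected
        else:
            client.ignored_users |= affected

        # Accounts re-enabled in LDAP stop being ignored. The guide also requires
        # re-initialising the user with the default password; that step is
        # outside this model.
        client.ignored_users = {u for u in client.ignored_users
                                if ldap_accounts.get(u) is False}

        # "Add local domain users": a deleted assignment comes back only if the
        # policy is on, the user logged on at least once, the client's domain is
        # registered in ePO and (modelling assumption) the account is enabled.
        if policy.add_local_domain_users and client.domain in registered_domains:
            client.assigned_users |= {u for u in client.logged_on_users
                                      if ldap_accounts.get(u)}

    return ee_users


def demo():
    # Constructed sample state: carol has been deleted from LDAP, bob is disabled.
    ldap = {"alice": True, "bob": False}
    ee_users = {"alice", "bob", "carol"}
    ws1 = ClientSystem("WS1", "corp.example", {"alice", "bob", "carol"},
                       logged_on_users={"alice", "dave"})
    ws2 = ClientSystem("WS2", "lab.example", set(), logged_on_users={"alice"})
    ee_users = run_sync(ldap, ee_users, [ws1, ws2],
                        ServerSettings(remove_missing_users_from_client=False),
                        ProductSettingsPolicy(add_local_domain_users=True),
                        registered_domains={"corp.example"})
    return ee_users, ws1, ws2


if __name__ == "__main__":
    users, ws1, ws2 = demo()
    print("EE Users:", sorted(users))
    print("WS1 assigned:", sorted(ws1.assigned_users), "ignored:", sorted(ws1.ignored_users))
    print("WS2 assigned:", sorted(ws2.assigned_users))
```

In the sample, carol drops out of EE Users and off WS1 because her LDAP account is gone, bob stays in EE Users but is ignored at the PBA because the (hypothetical) Server Settings option is set to ignore rather than remove, and WS2 gains no assignment for alice because its domain is not registered in ePO even though the policy option is on.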
Manage Machine Keys
The purpose of encrypting the client's data is to control access to the data by controlling access to the encryption keys. It is important that keys are not accessible to users.
The keys that encrypt the hard disk sectors must be protected. These keys are referred to as Machine Keys, and each system has its own unique Machine Key. The Machine Key is stored in the ePolicy Orchestrator database so that it can be used for client recovery when required. Because that database holds the key for every managed system, access to it and to its backups must be restricted as tightly as access to the keys themselves.
For more information about reusing machine keys, refer to the KnowledgeBase article https://kc.mcafee.com/corporate/index?page=content&id=KB71839.
Machine Key reuse
The Machine Key reuse option activates a system with the existing key already held on the McAfee ePO server. It is most useful when a boot disk becomes corrupted and the user cannot access the system: the disks other than the corrupted boot disk can be recovered by activating the system with the same key from McAfee ePO.
The Machine Key reuse feature is not applicable to EEMac, self-encrypting (Opal) drive systems, or UEFI systems.
What happens to Machine Keys when an Endpoint Encryption active system is reimaged?
All existing data on the system is lost when an Endpoint Encryption active system is reimaged, and with it the Machine Key held on that system.
Operations and maintenance
McAfee Endpoint Encryption 7.0 Patch 1 Software Best Practices Guide