Product Guide Management of Native Encryption 1.0 For use with ePolicy Orchestrator 4.6.6, 5.0.0, 5.0.
COPYRIGHT Copyright © 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc.
Contents
Preface 5
  About this guide 5
  Audience 5
  Conventions 5
  Find product documentation 6
1 Introduction 7
  Product components 7
  Features
  Queries as dashboard monitors
  View the standard MNE reports
  Create MNE custom queries
  View the standard MNE dashboard
  Create custom MNE dashboard
  MNE client events
Preface
Contents: About this guide; Find product documentation
About this guide
This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.
Audience
McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:
• Administrators — People who implement and enforce the company's security program.
Preface
Find product documentation
McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.
Task
1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2 Under Self Service, access the type of information you need:
To access... Do this...
1 Introduction
McAfee® Management of Native Encryption (MNE) is a management product that allows McAfee® ePolicy Orchestrator® (McAfee ePO™) administrators to manage Apple FileVault, the disk encryption that Apple builds into Macintosh (Mac) systems.
1 Introduction
Features
Product extensions and packages
The MNE extension installed on McAfee ePO lets you manage and report on FileVault on Mac systems by deploying policy to client systems. The MNE software package checked in to the master repository on the McAfee ePO server is the product that is actually installed on the client system; it applies the policy received from McAfee ePO.
Features
You can manage FileVault through MNE using these features.
2 Installing MNE
You need to perform a set of tasks to complete the installation process on the required client systems and manage them using McAfee ePO.
Contents: Overview of the installation process; Requirements; Installing the product; Uninstalling the product; Migrating from EEMac to MNE; Reporting FIPS status to client systems
Overview of the installation process
The installation and deployment process consists of these tasks.
2 Installing MNE
Requirements
Make sure that your client systems meet these requirements before you install and deploy MNE.
Table 2-1 System requirements
  McAfee ePO server systems: See the product documentation for your version of McAfee ePO.
  Client systems for MNE:
    • CPU: Works on all Intel-based Macs
    • RAM: 1 GB minimum
    • Hard disk: 1 GB minimum free disk space
Table 2-2 Software requirements
  McAfee ePO: McAfee ePO 4.6.6, 5.0.0, and 5.0.
Installing MNE
Installing the product
Deploy McAfee Agent for Mac through SSH
You can deploy McAfee Agent for Mac to client systems through Secure Shell (SSH).
Before you begin
To deploy McAfee Agent for Mac through SSH, Remote Login must be enabled on the client system: System Preferences | Sharing | Remote Login. Remote Login starts an SSH listener on the client, so limit access to the account used for deployment, and turn Remote Login off again after the agent is installed if it is not otherwise needed.
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Installing MNE Installing the product Check in the MNE software packages The software package must be checked in to the master repository so that you can use McAfee ePO to deploy the software to your client systems. Task For option definitions, click ? in the interface. 1 Log on to the ePolicy Orchestrator server as an administrator. 2 Click Menu | Software | Master Repository, then click Actions | Check In Package. 3 From the Package type list, select Product or Update (.
Installing MNE Installing the product 2 10 Next to Tags, select the required platforms that you are deploying the packages to, then click Next: • Send this task to all computers • Send this task to only computers that have the following criteria — Use one of the edit links to configure the criteria. 11 On the Schedule page, select whether the schedule is enabled, specify the schedule details, then click Next. 12 On the Summary page, review the summary, then click Save.
2 Installing MNE
Uninstalling the product
3 Enable Manage FileVault | Turn On (Enable) FileVault. You can also enable other policy options, as required. For more information, see the Product policies section.
4 Next to Client Messaging, enable the Display the following message when enabling FileVault option, and type the message that is displayed to the user after FileVault is enabled on the client system. This step is optional.
2 Installing MNE Uninstalling the product 3 Select a system, then click Actions | Agent | Modify Policies on a Single System to open the Policy Assignment page for that system. 4 From the Product drop-down list, select McAfee Management of Native Encryption 1.0.0. The policy Categories under MNE are listed with the system’s assigned policy. 5 Select the Product Setting policy category, then click Edit Assignments.
2 Installing MNE Uninstalling the product 10 Next to Tags, select the desired platforms that you are removing the packages from, then click Next: • Send this task to all computers • Send this task to only computers that have the following criteria — Use one of the edit links to configure the criteria. 11 On the Schedule page, select whether the schedule is enabled, specify the schedule details, then click Next. 12 On the Summary page, review the summary, then click Save.
Installing MNE
Migrating from EEMac to MNE
Manually uninstall MNE from the client system
You can uninstall MNE manually on the client system, although McAfee ePO provides everything needed to remove the product from client systems.
Before you begin
• You must have administrative privileges on the client system.
Task
• From the command line, run: sudo /usr/local/McAfee/uninstall MNE
This removes the MNE software package from the client system.
2 Installing MNE Reporting FIPS status to client systems 18 Management of Native Encryption 1.
3 Managing policies
You manage MNE client systems from McAfee ePO through a combination of product policies. You assign policies to the required client systems to make sure that those systems are managed and function as specified.
What is a policy?
A policy is a collection of settings that you create in McAfee ePO and assign to the required MNE clients so that client systems are configured, and behave, accordingly.
3 Managing policies
Product policies
On the Policy Catalog page, the policies for the Management of Native Encryption 1.0.0 product appear under the FileVault Product Settings category.
Table 3-1 Product policies
Setting: FileVault Management
  Manage FileVault — Allows you to manage FileVault and receive reports from the client system.
  • Turn On (Enable) FileVault — Allows you to turn on FileVault on client systems and manage accordingly.
3 Managing policies
Create a policy
Table 3-1 Product policies (continued)
  Display the following message when enabling FileVault — The user receives a predefined message when FileVault is activated.
  Display the following login banner — The user sees a predefined login banner after authenticating to FileVault.
3 Managing policies
Assign a policy to a system
You can assign a policy from the Policy Catalog to any system or system group. Assignment lets you define policy settings once for a specific need, then apply that policy in multiple places. When you assign a new policy to a group, every child group and system that is set to inherit from that assignment point receives the assigned policy.
Task
For option definitions, click ? in the interface.
Managing policies Enforce MNE policies on a system 3 Enforce MNE policies on a system Enable or disable policy enforcement on a client system. Policy enforcement is enabled by default, and is inherited in the System Tree. For more information about performing this task, see the product documentation for your version of McAfee ePO. Task For option definitions, click ? in the interface. 1 Log on to the ePolicy Orchestrator server as an administrator.
3 Managing policies
Enforce policies to a group
4 Managing client systems System management allows you to import system information into McAfee ePO. This is useful in the process of installing MNE and viewing the list of FileVault users. Client systems are managed by McAfee ePO through a combination of product policies. You can identify systems that require the same policy settings, and place them in a system group. This grouping allows you to update the policy settings to all systems in that group at the same time.
4 Managing client systems
Move systems between groups
Options:
  Credentials for agent installation: Type valid credentials to install the agent:
    • Domain — Type the domain of the system.
    • User name — Type the user name.
    • Password — Type the password.
  Number of attempts: Type an integer for the number of attempts, or use zero for continuous attempts.
  Retry interval: Type the interval, in seconds, between two attempts.
Managing client systems
How to run the MER tool
Table 4-1 System actions
  FileVault Recovery: You can recover a system if a user reports that the system cannot be accessed. To recover a system, select the required system in the System Tree, then click Actions | Management of Native Encryption | FileVault Recovery to display the recovery key for that system. Send that recovery key to the user so that the user can recover the system. The recovery key unlocks the encrypted disk, so confirm that the requester is the system's user before sending it, and use a channel that does not leave the key lying in a ticket comment or group chat.
4 Managing client systems
How to run the MER tool
5 Managing MNE reports
MNE queries are configurable objects that retrieve and display data from the database. Query results can be displayed as charts or tables, and exported to a variety of formats, any of which can be downloaded or sent as an email attachment. Most queries can also be used as dashboard monitors.
5 Managing MNE reports
Create MNE custom queries
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Reporting | Queries & Reports.
3 On the Groups pane, under the Shared Groups category, select Management of Native Encryption. You can view these standard reports:
  Report FileVault Status: Displays the FileVault status of the client systems.
5 Managing MNE reports View the standard MNE dashboard 6 On the Columns page, from the Available Columns pane, select the columns to be included in the query, then click Next. If you had selected Table on the Chart page, the columns you select here are the columns of that table. Otherwise, these are the columns that make up the query details table. 7 On the Filter page, from the Available Properties pane, select the required properties to narrow the search results, then click Run.
5 Managing MNE reports
MNE client events
4 Next to Dashboard Name, type a name for the dashboard.
5 Next to Dashboard Visibility, select one of these options, as required:
  • Private — The dashboard is visible only to the user who created it.
  • Public — The dashboard is visible to all users.
  • Shared with the following permission set(s) — The dashboard is visible to users in the specified permission set(s).
6 Click OK.
5 Managing MNE reports
MNE client events
Event ID / Event description / Event type:
  35221: Reported in McAfee ePO when disabling FileVault fails because the recovery key is unavailable; the user must disable FileVault manually. Type: Error
  35222: Reported in McAfee ePO when disabling FileVault fails because the recovery key is invalid; the user must disable FileVault manually. Type: Error
  35223: Reported in McAfee ePO when the Mac serial number is not found.
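The three error events above all mean the same thing operationally: ePO cannot act on that Mac's FileVault state without a correct recovery key, and a user who forgets their password on such a system has no escrowed way back in. The following script is an added example, not part of this guide or of McAfee's product; it groups constructed sample events (the record layout with system, event_id and time fields is an assumption, not ePO's schema) by system, keeps the latest occurrence of each error, and lists the systems that need an operator to act first.

```python
from collections import defaultdict

# Event catalogue taken from the guide's MNE client events table:
# ID -> (what happened, what the operator must do).
MNE_ERROR_EVENTS = {
    35221: ("disabling FileVault failed: recovery key unavailable",
            "user must disable FileVault manually; ePO holds no recovery key for this system"),
    35222: ("disabling FileVault failed: recovery key invalid",
            "user must disable FileVault manually; import the correct key with Import FileVault recovery key"),
    35223: ("Mac serial number not found",
            "correct the serial number recorded for this system; recovery by serial number fails until then"),
}

# Constructed sample events, not real ePO data. The record layout
# (system, event_id, time as ISO 8601 UTC) is an assumption for this example.
SAMPLE_EVENTS = [
    {"system": "mac-eng-07", "event_id": 35221, "time": "2013-06-03T09:12:00Z"},
    {"system": "mac-eng-07", "event_id": 35221, "time": "2013-06-04T09:12:00Z"},
    {"system": "mac-fin-02", "event_id": 35222, "time": "2013-06-03T10:40:00Z"},
    {"system": "mac-fin-02", "event_id": 35221, "time": "2013-06-05T10:40:00Z"},
    {"system": "mac-ops-11", "event_id": 35223, "time": "2013-06-03T11:05:00Z"},
    {"system": "mac-hr-01",  "event_id": 35200, "time": "2013-06-03T11:30:00Z"},  # ID not in the table
]


def triage(events):
    """Return (actions, unknown).

    actions maps each system to a list of (event_id, last_seen, description,
    operator_action) for the distinct MNE error events it reported, newest
    first; repeated reports of the same error are collapsed to the latest.
    unknown is the sorted list of event IDs that are not in the catalogue,
    so they are reviewed rather than silently dropped.
    """
    latest = defaultdict(dict)   # system -> {event_id: last_seen}
    unknown = set()
    for ev in events:
        eid = ev["event_id"]
        if eid not in MNE_ERROR_EVENTS:
            unknown.add(eid)
            continue
        seen = latest[ev["system"]]
        # ISO 8601 UTC strings of equal length compare correctly as text.
        if eid not in seen or ev["time"] > seen[eid]:
            seen[eid] = ev["time"]

    actions = {}
    for system, per_id in latest.items():
        rows = [(eid, ts, *MNE_ERROR_EVENTS[eid]) for eid, ts in per_id.items()]
        rows.sort(key=lambda r: r[1], reverse=True)
        actions[system] = rows
    return actions, sorted(unknown)


def escrow_gaps(events):
    """Systems whose most recent error is 35221 (no recovery key held).

    These come first in the queue: until a key is escrowed, a forgotten
    password on that Mac means the data is unrecoverable from ePO.
    """
    actions, _ = triage(events)
    return sorted(system for system, rows in actions.items() if rows[0][0] == 35221)


if __name__ == "__main__":
    actions, unknown = triage(SAMPLE_EVENTS)
    for system, rows in sorted(actions.items()):
        for eid, ts, what, todo in rows:
            print(f"{system}: {eid} at {ts}: {what}; {todo}")
    print("escrow gaps:", escrow_gaps(SAMPLE_EVENTS))
    print("unknown event IDs:", unknown)
```

Feed it the event export from the MNE client events query instead of SAMPLE_EVENTS and the escrow_gaps list is the set of Macs to chase before anything else.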
5 Managing MNE reports
MNE client events
6 Recovering systems
System recovery is the process of recovering a user's system after a system crash, a system malfunction, an accessibility problem, and so on. If a user reports such a problem, you must provide the system's recovery key to the user so that the user can recover the system with the FileVault recovery tools provided by Apple. We don't provide support for FileVault recovery tools. If you encounter any problems with this recovery process, we recommend that you contact Apple Support.
6 Recovering systems
Perform system recovery
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Systems | System Tree | Systems tab, select the required system, then click Actions | Management of Native Encryption | Import FileVault recovery key to open the Import FileVault recovery key by Machine Node page.
3 In the Enter recovery key field, type the recovery key of the system that you obtained.
4 Click OK.
6 Recovering systems Perform system recovery 3 On the Enter serial number page, type the Serial number of the system that you received from the user, then click Next. This step is not applicable if you access FileVault recovery through the System Tree menu, because the serial number of the system is automatically populated. The recovery key of the system appears on the Response code from serial number page. 4 Provide the recovery key to the user so that the user can recover the system.
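Two things go wrong in practice with the import and lookup steps above: a key is typed with a mistake and is only discovered to be bad when event 35222 (recovery key invalid) arrives later, and a recovery key gets copied into whatever log or ticket records that it was handed out. The following script is an added example, not McAfee's code or Apple's validator: it canonicalises a key before import, looks it up by serial number from a constructed escrow table, and produces an audit record that carries a fingerprint of the key rather than the key. The assumed key format (24 uppercase letters or digits in six hyphenated groups of four) is the way FileVault displays a personal recovery key; Apple's real alphabet may be narrower, so a key that passes here can still be wrong, but a key that fails here cannot be right.

```python
import hashlib
import re
from datetime import datetime, timezone

# Assumed canonical form of a FileVault personal recovery key: 24 characters in
# six hyphenated groups of four, uppercase letters and digits. This is a
# pre-flight format check for this example, not Apple's own validation.
_KEY_RE = re.compile(r"^[A-Z0-9]{4}(?:-[A-Z0-9]{4}){5}$")


def normalize_recovery_key(raw):
    """Canonicalise a recovery key typed or pasted by an operator.

    Accepts lowercase, surrounding whitespace, spaces instead of hyphens, or
    no separators at all, and returns the hyphenated uppercase form. Raises
    ValueError for anything that cannot be a well-formed key, so a typo is
    caught before the key is imported into ePO rather than surfacing later as
    event 35222.
    """
    if not isinstance(raw, str):
        raise ValueError("recovery key must be a string")
    compact = re.sub(r"[\s-]", "", raw).upper()
    if len(compact) != 24:
        raise ValueError("recovery key must be 24 characters in 6 groups of 4")
    key = "-".join(compact[i:i + 4] for i in range(0, 24, 4))
    if not _KEY_RE.match(key):
        raise ValueError("recovery key contains characters outside A-Z and 0-9")
    return key


def normalize_serial(raw):
    """Serial numbers as used in the guide's recovery dialog: uppercase, no
    surrounding whitespace. The escrow lookup is an exact match on this form."""
    return raw.strip().upper()


# Constructed escrow table (serial number -> recovery key). Neither the
# serials nor the keys belong to real systems.
SAMPLE_ESCROW = {
    "C02ZZ1A1B2C3": "H7KX-Q2MD-9RTF-3WNB-LZ8P-V4CJ",
    "C02ZZ9D9E8F7": "M3TR-7YHW-2KQZ-P6NF-X8DL-C5VB",
}


def lookup_recovery_key(serial, escrow):
    """Return the escrowed key for a serial number, or None when no key is
    held for it (the situation the operator sees as an empty response)."""
    return escrow.get(normalize_serial(serial))


def disclosure_record(serial, key, operator, when=None):
    """Audit record for handing a recovery key to a user.

    The key itself is never stored in the record; a truncated SHA-256
    fingerprint lets an auditor later confirm which key was disclosed without
    the audit log becoming a second copy of the secret.
    """
    when = when or datetime.now(timezone.utc)
    canonical = normalize_recovery_key(key)
    fingerprint = hashlib.sha256(canonical.encode("ascii")).hexdigest()[:16]
    return {
        "serial": normalize_serial(serial),
        "key_fingerprint": fingerprint,
        "operator": operator,
        "disclosed_at": when.isoformat(),
    }


if __name__ == "__main__":
    # Operator pastes a key with lowercase and spaces; it is cleaned before import.
    print(normalize_recovery_key(" h7kx q2md 9rtf 3wnb lz8p v4cj "))
    # Serial-number lookup, as in the FileVault Recovery dialog.
    key = lookup_recovery_key(" c02zz1a1b2c3 ", SAMPLE_ESCROW)
    print(key)
    # What gets logged when the key is sent to the user: no key, only a fingerprint.
    print(disclosure_record("c02zz1a1b2c3", key, "epo-admin"))
```

Run the normaliser on the key before pasting it into the Enter recovery key field; keep disclosure_record output, not the key, in the ticket that tracks the recovery.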
6 Recovering systems
Perform system recovery
Index
A
  about this guide 5
  agent wake-up call, sending 13
C
  client events, viewing 29
  client systems
    actions 26
    adding and importing 25
    managing 25
    moving 26
    recovering 35, 36
  client, MNE
    deactivating 14
    installing 9, 10
    migrating 17
    uninstalling 17
  conventions and icons used in this guide 5
D
  dashboards, MNE
    creating 31
    viewing 31
  disk status reporting 29
  documentation
    audience for this guide 5
    product-specific,
I
  installation
    MNE extensions 11
M
  McAfee Agent for Mac, downloading and deploying 11
R
  reports, MNE (continued)
    viewing 29
  requirements, MNE 10
S
  ServicePortal, finding product documentation 6
  software package, MNE
    removing 14–16
  software packages, MNE
    checking in 12
    deploying 12
T
  Technical Support, finding product information 6