McAfee ePO 4 / Endpoint Encryption

DeploymentandUserGuide

1|

McAfee,Inc.
McAfee,Inc.3965FreedomCircle,SantaClara,CA95054,USA Tel:(+1)888.847.8766 FormoreinformationregardinglocalMcAfeerepresentativespleasecontactyourlocalMcAfeeoffice, orvisit: www.mcafee.com
COPYRIGHT
Copyright 2008 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FLASHBOX, FOUNDSTONE, GROUPSHIELD, HERCULES, INTRUSHIELD, INTRUSION INTELLIGENCE, LINUXSHIELD, MANAGED MAIL PROTECTION, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, MCAFEE.COM, NETSHIELD, PORTALSHIELD, PREVENTSYS, PROTECTION-IN-DEPTH STRATEGY, PROTECTIONPILOT, SECURE MESSAGING SERVICE, SECURITYALLIANCE, SITEADVISOR, THREATSCAN, TOTAL PROTECTION, VIREX, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Attributions
Refer to the product Release Notes.

Contents
Preface ........................................................................................... 4
About This Guide ..................................................................................... Audience ................................................................................................. Conventions ............................................................................................ Contact information.................................................................................. 4 4 4 4

ePO Endpoint Encryption Deployment and Reporting......................6

Endpoint Encryption Integration to ePolicy Orchestrator ...................................... 6 The Endpoint Encryption Reports ............................................................... 6 Setting up Deployment and Reporting in ePolicy Orchestrator .............................. 7 Location of the files on the CD ................................................................... 7 Endpoint Encryption Install Sets ................................................................ 8 Summary ................................................................................................ 8 Gather the files to prepare the Pkgcatalog.z file ........................................... 9 Edit the Pkgcatalog.xml file ....................................................................... 9 Create the pkgcatalog.z file using eposign.exe ............................................ 11 Create the deployment zip file and check it in ............................................. 11 Create the deployment task ..................................................................... 12 Running Reports ........................................................................................... 13 Endpoint Encryption for Files and Folders Reports ....................................... 13 Endpoint Encryption for PC ....................................................................... 13 Adding the reports to the Dashboard ......................................................... 14

Preface

Preface
About This Guide
This guide provides information on configuring Endpoint Encryption deployment and reporting through the ePolicy Orchestrator.

Audience
This information is intended primarily for network administrators who are responsible for their companys security program, and assumes the customer has used ePolicy Orchestrator.

Conventions
This guide uses the following conventions:
Bold Condensed
Courier Italic Blue All words from the interface, including options, menus, buttons, and dialog box names. The path of a folder or program; text that represents something the user types exactly (for example, a command at the system prompt). Emphasis or introduction of a new term; names of product manuals. A web address (URL); a live link. Supplemental information; for example, an alternate method of executing the same command. Important advice to protect your computer system, enterprise, software installation, or data.

Note Caution

Contact information
Download Site http://www.mcafee.com/us/downloads/ Product Upgrades (Valid grant number required) Security Updates (DATs, engine) HotFix and Patch Releases
For Security Vulnerabilities (Available to the public) For Products (ServicePortal account and valid grant number required)

Product Evaluation McAfee Beta Program Technical Support http://www.mcafee.com/us/support/ KnowledgeBase Search
http://knowledge.mcafee.com/

McAfee Technical Support ServicePortal (Logon credentials required) https://mysupport.mcafee.com/eservice_enu/start.swe Customer Service Web
http://www.mcafee.com/us/support/index.html http://www.mcafee.com/us/about/contact/index.html

4|

Preface
Phone US, Canada, and Latin America toll-free: +1-888-VIRUS NOor+1-888-847-8766 Monday Friday, 8 a.m. 8 p.m., Central Time

Professional Services
Enterprise http://www.mcafee.com/us/enterprise/services/index.html Small and Medium Business http://www.mcafee.com/us/smb/services/index.html

|5

ePO Endpoint Encryption Deployment and Reporting

ePO Endpoint Encryption Deployment and Reporting

Endpoint Encryption Integration to ePolicy Orchestrator
Version 4 of ePolicy Orchestrator allows the administrator to deploy Endpoint Encryption for Files and Folders and Endpoint Encryption for PC. It also includes the ability to report the encryption status of machines that have Endpoint Encryption installed. WARNING:TheePolicyOrchestratorisnotcompatiblewithversions4.xofEndpointEncryption(formerly SafeBoot).

The Endpoint Encryption Reports

Endpoint Encryption for Files and Folders (EEFF)
Version Check This report will check each machine and report on whether or not Endpoint Encryption for Files and Folders is installed. The report also displays which version is running.

Endpoint Encryption for PC (EEPC)

Installed Version This report will check each machine and report on whether or not Endpoint Encryption for PC is installed. The report also displays the Endpoint Encryption for PC version and whether or not the client is active (running).

Summary
This report checks all machines and their encryption status, e.g. is the machine fully encrypted (i.e. are all drives fully encrypted). It also displays the number of drives in an each encrypted state, e.g. full encryption, partially encrypted, in progress and not encrypted.
* NOTE: The In Progress status indicates a machine that is in the process of either decrypting, or, encrypting.

6|

ePO Endpoint Encryption Deployment and Reporting

Drive Check
This report lists all machines that have Endpoint Encryption for PC installed including the encryption status of each drive. It also reports on machines that do not have EEPC installed by placing Unknown in the Drive and Encryption columns.

Setting up Deployment and Reporting in ePolicy Orchestrator

This section explains how to configure deployment and reporting of Endpoint Encryption on the ePolicy Orchestrator. Follow these steps whether you are deploying or reporting on either Endpoint Encryption for Files and Folders or Endpoint Encryption for PC.

Location of the files on the CD

The reporting configuration files
The sbde5.zip and sbce3.zip files contain the report configuration for Endpoint Encryption for PC (sbde5) and Endpoint Encryption for Files and Folders (sbce3) respectively. They are located on the CD at the following locations: EPO\Endpoint Encryption for Files and Folders\EPO4\Sbce3.zip EPO\Endpoint Encryption for PC\EPO4\Sbde5.zip

Installing the extensions

To run the Endpoint Encryption reports you must first install the extensions (the reporting zip files). 1. 2. 3. 4. 5. 6. From the ePolicy Orchestrator Console, click the Configuration button. Click the Extensions button on the toolbar. Click the Install Extension option at the bottom left of the console. Click the Browse button and locate the zip file. Select the file and click Open. Click the Ok button to install the extension.

Files required to build the pkgcatalog.z file

The paths below contain the files on the CD required to build the pkgcatalog.z file.

|7

ePO Endpoint Encryption Deployment and Reporting

Endpoint Encryption for Files and Folders Files Use these files to configure deployment and reporting for Endpoint Encryption for Files and Folders: \ePO\Endpoint Encryption for Files and Folders\Package folder contains the ce-detect.mcs, the pkgcatalog.xml and the eposign.exe files. Endpoint Encryption for PC Files Use these files to configure deployment and reporting for Endpoint Encryption for PC: \ePO\Endpoint Encryption for PC\Package folder contains the dedetect.mcs, the pkgcatalog.xml and the eposign.exe files.

Endpoint Encryption Install Sets

Before completing your Endpoint Encryption install set you must ensure that the Perform installation silently and Automatically restart machine options are checked. If they are not then the install to the client machine will fail. See the Create Installation Set screenshot below.

Figure1TheEndpointEncryptionCreateInstallationSetscreenshot

Summary
1. 2. 3. 4. 5. 6. Ensure the report configuration files have been installed. Prepare the Endpoint Encryption install set. Gather the files to prepare the pkgcatalog.z file. Edit the pkgcatalog.xml file. Create the pkgcatalog.z file using eposign.exe. Create the deployment zip file and check it in.

8|

ePO Endpoint Encryption Deployment and Reporting

7. 8. Verify the Endpoint Encryption deployment zip file has been checked in. Create the deployment task.

Gather the files to prepare the Pkgcatalog.z file

Follow these steps to consolidate the necessary files into the ePolicy Orchestrator deployment format. You will require the following files: Eposign.exe pkgcatalog.XML Detection scripts (ce-detect.mcs - Endpoint Encryption for Files and Folders or de-detect.mcs Endpoint Encryption for PC) Endpoint Encryption Install set, e.g. SBDE.exe (Filename determined by Administrator) 1. Create the install set from the Endpoint Encryption Manager. Refer to the Endpoint Encryption for Files and Folders Administration Guide or the Endpoint Encryption for PC Administration Guide for further details. 2. Create a folder on the server c:\ drive and call it Deployment. The Deployment folder becomes a working directory and contains subsequent Endpoint Encryption packages that you create. You may create this directory in a location of your choice and name it as you wish. This guide uses the example of the c:\Deployment. NOTE:Eachpackagecreatedshouldbeuniqueandmustnotoverwritetheexistingversion.The Deploymentfoldershouldthereforecontainauniquelynamedsubfolderforeachpackage,e.g.0001,0002, Package1orPackage2,etc.Theexampleusedhereis0001. 3. Copy the eposign.exe file from the CD, to the Deployment folder on the c:\ drive. 4. 5. Create a new subfolder within the Deployment folder, e.g. 0001. Copy the pkgcatalog.xml and detection scripts from the CD, to the Deployment subfolder, e.g. \Deployment\0001 6. Copy the Endpoint Encryption install set to the \Deployment\0001 subfolder.

Edit the Pkgcatalog.xml file

Follow these steps to edit the pkgcatalog.xml file: NOTE:Youmustaddtheuniquecodetothe<ProductID> </ProductID> lineinthefile.Inthis example,itis0001;however,youcouldnameitanythingwithinthefourcharacterlimit.SeetheEndpoint EncryptionforFilesandFolderspkgcatalog.xmlexamplebelow.

|9

ePO Endpoint Encryption Deployment and Reporting

Finally,keeptheproductnames<ProductName> </ProductName>intheXMLfileaminimallength. IftheyaretoolongtheywillpushoutthetablesintheePolicyOrchestrator.Seetheexamplebelow, highlightedinyellow. Youmustalsoensureyoueditthe<InstallCommand> </InstallCommand>linewiththecorrect EndpointEncryptioninstallfilenameandincludethe/silentcommand.Seetheexamplebelow, highlightedinyellow.
- <PkgCatalog> - <ProductPackage> <ProductID>SBCE____30000001</ProductID> <ProductName>EEFF</ProductName> <ProductDescription>0</ProductDescription> - <ProductDetection> - <DetectionScript> <Name>ce-detect.mcs</Name> </DetectionScript> <ProductVersion>3.0.0</ProductVersion> <PlatformID>WNTW:4:0:4|WNTS|W2KW|W2KS|WXPHE|WXPW|WXPS|WVST</PlatformID> </ProductDetection> <ConflictSoftwareList /> - <LangPackage> <Priority>1</Priority> <PackageType>Install</PackageType> <LangID>0000</LangID> <InstallType>command</InstallType> <InstallCommand>SbCe.exe /silent</InstallCommand> <MaxReboot>1</MaxReboot> <RebootReturnCode>0</RebootReturnCode> </LangPackage> - <Translation> <TranslationID /> - <TranslationItem> <LangID /> <TranslationString /> </TranslationItem> </Translation> </ProductPackage> </PkgCatalog>

1. 2.

Open the pkgcatalog.xml in the c:\Deployment\0001 file using Notepad. Edit the Product ID and add the unique number to the name, for example, if the product ID is <ProductID>SBCE____3000</ProductID> then change this to include the unique number for the package, for example, <ProductID>SBCE____30000001</ProductID>. Follow these steps with a new four-character code each time you create a package. This ensures that all future packages are unique.

WARNING:YoumustnotchangetheProductIDotherthanaddthefourcharacteruniqueIDattheend, otherwise,reportingwillfail.Seetheexampleabove.

10 |

ePO Endpoint Encryption Deployment and Reporting

3. Edit the <InstallCommand> </InstallCommand> line with the file name of the Endpoint Encryption install set and include the /silent command, otherwise the install will fail. NOTE:youcanalsoedittheproductnamefromEndpointEncryptionforFilesandFolderstoEEFFforSales dependingonwhothedeploymentistargetedat,forexample.ThisnamewillappearontheePolicy Orchestratorandwillhelpidentifythedeploymentpackage. 4. Save the pkgcatalog.xml file.

Create the pkgcatalog.z file using eposign.exe

Follow these steps to create the ePolicy Orchestrator deployment format, i.e. the pkgcatalog.z file. You must run this command from a Command prompt. 1. 2. 3. 4. Click on the Start option followed by Run. Enter Cmd in the Open dialog box and click the Ok button. Type cd \deployment at the command prompt. From the c:\deployment directory enter the following Eposign command: eposign c:\deployment\0001\pkgcatalog.xml .mcs /a 5. This will take the files from the c:\Deployment\0001 folder and roll them into the pkgcatalog.z file.

Create the deployment zip file and check it in

The deployment zip file contains the detection scripts, the pkgcatalog.xml, the Endpoint Encryption install file and the pkgcatalog.z file. 1. Create a zip file from the detection scripts, the pkgcatalog.xml, the Endpoint Encryption install file and the pkgcatalog.z file stored in the c:\Deployment\0001 folder. 2. 3. 4. 5. 6. 7. From the ePolicy Orchestrator Console, click the Software button. Click the Check In Package button. Click the Browse button and locate the deployment zip file created at step 1. Select the zip file and click the Open button. Click the Next button. Click the Save button to save check in the zip file.

| 11

ePO Endpoint Encryption Deployment and Reporting

Check the Endpoint Encryption files has been checked in

Follow these steps to verify the Endpoint Encryption file appears in the ePO Repository. 1. From the ePolicy Orchestrator Console click on the Software button. This will display the contents of the master repository. 2. Scroll down the list to verify the Endpoint Encryption file is there.

Create the deployment task

1. 2. 3. 4. 5. 6. 7. From the ePolicy Orchestrator Console, click the Systems button. Click the Client Tasks option. Click New Task. This will start the Client Task Builder screen. Enter a name and description (optional) for the task. Select the Product Deployment (McAfee Agent) as the Type. Click Next to continue. From the Configuration window select the target platform and product to be deployed. 8. 9. Click Next to continue. Set your required schedule options for this deployment.

10. Ensure the Enable option is checked. NOTE:thistaskwillrunatthenextagentservercommunicationfortherelevantagents.Ifyouwishtorun thetasksooner,thenclicktheScheduletypeandselectRunimmediately. WARNING:Tocompletetheinstallation,allEndpointEncryptionproductsrequirearebootwhendeployed. IfCEandDEaredeployedsimultaneously,whenoneproductreboots,theCMAmayforgetwhatitwas doing;thiswillresultinthesecondproductnotbeingdeployeduntilthedeploymenttaskrunsagain. Therefore,alldeploymenttasksinvolvingEndpointEncryptionproductsshouldbesettorunonaregular basis. 11. Click the Next button to continue. 12. Click the Save button to save this deployment task or choose the Back button to change the Schedule, Configuration or Description.

12 |

ePO Endpoint Encryption Deployment and Reporting

Running Reports
Endpoint Encryption for Files and Folders Reports
Installed Version
This report will check each machine and report on whether or not Endpoint Encryption for Files and Folders is installed. It also displays which version is running. 1. 2. 3. Click the Reporting button from the main toolbar. Click EEFF Installed Version from the left hand Queries menu. Click the Run button. The report will appear as a pie chart. Click on the pie chart to view the detail of this report.

Endpoint Encryption for PC

Installed Version
This report will check each machine and report on whether or not Endpoint Encryption for PC is installed. It also displays the Endpoint Encryption for PC version and whether (or not) the client is active (running). 1. 2. 3. Click the Reporting button from the main toolbar. Click EEPC Installed Version from the left hand Queries menu. Click the Run button. The report will appear as a pie chart. Click on the pie chart to view the detail of this report

Summary
This report checks all machines and their encryption status, e.g. is the machine fully encrypted (i.e. are all drives fully encrypted). It also displays the number of drives in an each encrypted state, e.g. full encryption, partially encrypted, in progress* and not encrypted. *NOTE:TheInProgressstatusindicatesamachinethatisintheprocessofeitherdecrypting,or, encrypting. 1. 2. 3. Click the Reporting button from the main toolbar. Click EEPC Install Summary from the left hand Queries menu. Click the Run button. The report will appear as a pie chart. Click on the pie chart to view the detail of this report.

| 13

ePO Endpoint Encryption Deployment and Reporting

Drive Check
This report lists all machines that have Endpoint Encryption for PC installed including the encryption status of each drive. It also reports on machines that do not have DE installed by placing Unknown in the Drive and Encryption columns. 1. 2. 3. Click the Reporting button from the main toolbar. Click EEPC Drive Check from the left hand Queries menu. Click the Run button. The report will appear as a pie chart. Click on the pie chart to view the detail of this report.

Adding the reports to the Dashboard

Version 4.0 of ePolicy Orchestrator allows the administrator to report on the status of Endpoint Encryption for Files and Folders and Endpoint Encryption for PC. These admin reports can be made accessible from the Dashboard option. Note: You must have installed the reporting extensions to complete this procedure. See Installing the extensions. Add them as buttons on the Dashboard toolbar: 1. 2. 3. 4. Select the Dashboard option. Click the Options drop down button. Select the Manage Dashboards option. Click the report from the My Dashboards left hand column, e.g. Endpoint Encryption for Files and Folders or Endpoint Encryption for PC. 5. Click the Make Active button (bottom right). This will add the report to the Dashboard toolbar.

14 |

ePO Endpoint Encryption Deployment and Reporting

Figure2TheDashboardwithEndpointEncryptionReportsforPC WARNING:TheePolicyOrchestratorisnotcompatiblewithversions4.xofEndpointEncryption(formerly SafeBoot).

| 15