Endpoint Security Suite Enterprise Administrator Guide For Mac V2


Dell Endpoint Security Suite Enterprise for Mac
Administrator Guide v2.0

Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2012-2018 Dell Inc. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners.

Registered trademarks and trademarks used in the Dell Encryption, Endpoint Security Suite Enterprise, and Data Guardian suite of documents: Dell and the Dell logo, Dell Precision, OptiPlex, ControlVault, Latitude, XPS, and KACE are trademarks of Dell Inc. Cylance, CylancePROTECT, and the Cylance logo are registered trademarks of Cylance, Inc. in the U.S. and other countries. McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. in the US and other countries. Intel, Pentium, Intel Core Inside Duo, Itanium, and Xeon are registered trademarks of Intel Corporation in the U.S. and other countries. Adobe, Acrobat, and Flash are registered trademarks of Adobe Systems Incorporated. AuthenTec and Eikon are registered trademarks of AuthenTec. AMD is a registered trademark of Advanced Micro Devices, Inc. Microsoft, Windows, and Windows Server, Internet Explorer, Windows Vista, Windows 7, Windows 10, Active Directory, Access, BitLocker, BitLocker To Go, Excel, Hyper-V, Outlook, PowerPoint, Word, OneDrive, SQL Server, and Visual C++ are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. VMware is a registered trademark or trademark of VMware, Inc. in the United States or other countries. Box is a registered trademark of Box. Dropbox is a service mark of Dropbox, Inc. Google, Android, Google Chrome, Gmail, and Google Play are either trademarks or registered trademarks of Google Inc. in the United States and other countries. Apple, App Store, Apple Remote Desktop, Boot Camp, FileVault, iPad, iPhone, iPod, iPod touch, iPod shuffle, and iPod nano, Macintosh, and Safari are either servicemarks, trademarks, or registered trademarks of Apple, Inc. in the United States and/or other countries. EnCase and Guidance Software are either trademarks or registered trademarks of Guidance Software. Entrust is a registered trademark of Entrust, Inc. in the United States and other countries. Mozilla Firefox is a registered trademark of Mozilla Foundation in the United States and/or other countries. iOS is a trademark or registered trademark of Cisco Systems, Inc. in the United States and certain other countries and is used under license. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Travelstar is a registered trademark of HGST, Inc. in the United States and other countries. UNIX is a registered trademark of The Open Group. VALIDITY is a trademark of Validity Sensors, Inc. in the United States and other countries. VeriSign and other related marks are the trademarks or registered trademarks of VeriSign, Inc. or its affiliates or subsidiaries in the U.S. and other countries and licensed to Symantec Corporation. KVM on IP is a registered trademark of Video Products. Yahoo! is a registered trademark of Yahoo! Inc. Bing is a registered trademark of Microsoft Inc. Ask is a registered trademark of IAC Publishing, LLC. Other names may be trademarks of their respective owners.

Administrator Guide
2018 - 08
Rev. A01

Contents

1 Introduction
- Overview
- FileVault Encryption and Dell Volume Encryption
- Contact Dell ProSupport

2 Requirements
- Encryption Client
- Encryption Client Hardware
- Encryption Client Software
- Advanced Threat Prevention
- Advanced Threat Prevention Hardware
- Advanced Threat Prevention Software
- Advanced Threat Prevention Ports
- Compatibility

3 Tasks for the Encryption Client
- Install/Upgrade the Encryption Client
- Prerequisites
- Interactive Installation/Upgrade
- Command Line Installation/Upgrade
- Activate the Encryption Client
- View Encryption Policy and Status
- View Policy and Status on the Local Computer
- View Policy and Status in the Management Console
- System Volumes
- Enable Encryption
- Encryption Process
- Recycling FileVault Recovery Keys
- User Experience
- Migrate from Dell Volume Encryption to FileVault Encryption
- Recovery
- Mount Volume
- Accept New System Configuration
- FileVault Recovery
- Removable Media
- Supported Formats
- Encryption External Media and Policy Updates
- Encryption Exceptions
- Errors on the Removable Media Tab
- Audit Messages
- Collect Log Files for Endpoint Security Suite Enterprise
- Uninstall the Encryption Client for Mac
- Activation as Administrator
- Activate
- Activate Temporarily
- Encryption Client Reference
- About Optional Firmware Password Protection
- Using Boot Camp
- How to Retrieve a Firmware Password
- Client Tool

4 Tasks
- Install Advanced Threat Prevention for Mac
- Prerequisites
- Interactive Installation for Advanced Threat Prevention
- Command Line Installation for Advanced Threat Prevention
- Troubleshooting Advanced Threat Prevention for Mac
- Verify the Advanced Threat Prevention Installation
- Collect Log Files for Endpoint Security Suite Enterprise
- View Advanced Threat Prevention Details
- Threats tab
- Exploits tab
- Events tab
- Provision a Tenant
- Provision a Tenant
- Configure Advanced Threat Prevention Agent Auto Update
- Advanced Threat Prevention Client Troubleshooting
- Advanced Threat Prevention Provisioning and Agent Communication

5 Glossary

1 Introduction

The Endpoint Security Suite Enterprise for Mac Administrator Guide provides the information needed to deploy and install the client software.

Topics:
- Overview
- FileVault Encryption and Dell Volume Encryption
- Contact Dell ProSupport

Overview

Endpoint Security Suite Enterprise for Mac offers Advanced Threat Prevention at the operating system and memory layers and encryption, all centrally-managed from the Dell Server. With centralized management, consolidated compliance reporting, and console threat alerts, businesses can easily enforce and prove compliance for all of their endpoints. Security expertise is built in with features such as pre-defined policy and report templates, to help businesses reduce IT management costs and complexity.

- Endpoint Security Suite Enterprise for Mac - a suite of software for client encryption of data and Advanced Threat Prevention.
- Policy Proxy - used to distribute policies
- Security Server - used for client encryption software activations
- Security Management Server or Security Management Server Virtual - provides centralized security policy administration, integrates with existing enterprise directories and creates reports. For the purposes of this document, both Servers are cited as Dell Server, unless a specific version needs to be cited (for example, a procedure is different using Security Management Server Virtual).

These Dell components inter-operate seamlessly to provide a secure mobile environment without detracting from the user experience.

Endpoint Security Suite Enterprise for Mac has two .dmg files - one for the Encryption client and one for Advanced Threat Prevention. You can install both or one only.

FileVault Encryption and Dell Volume Encryption

Dell Encryption can manage Mac FileVault full disk encryption or Dell Volume Encryption, which is Dell's proprietary implementation of full volume encryption. The appropriate option depends on the encryption requirements of the enterprise and the operating system. Both options require that the Dell Volume Encryption policy be set to On. For more information on policies, see AdminHelp.

With macOS High Sierra, only FileVault encryption is supported, which Endpoint Security Suite Enterprise will manage. If a computer has the Dell Volume Encryption policy set to On and Encrypt Using FileVault for Mac set to Off, a policy conflict message displays on the Encryption client. The administrator must set both policies to On. See Migrate from Dell Volume Encryption to FileVault Encryption.

With macOS Sierra and earlier versions, the option to manage FileVault encryption, along with Dell Volume Encryption, is available with Endpoint Security Suite Enterprise for Mac. For more information about encryption policies, see Mac Encryption Dell Volume Encryption.

Contact Dell ProSupport

Call 877-459-7304, extension 4310039 for 24x7 phone support for your Dell product.

Additionally, online support for Dell products is available at dell.com/support. Online support includes drivers, manuals, technical advisories, FAQs, and emerging issues.

For phone numbers outside of the United States, check Dell ProSupport International Phone Numbers.

2 Requirements

Client hardware and software requirements are provided in this chapter. Ensure that the deployment environment meets the requirements before continuing with deployment tasks.

Topics:
- Encryption Client
- Advanced Threat Prevention

Encryption Client

Encryption Client Hardware

Minimum hardware requirements must meet the minimum specifications of the operating system.

Hardware
- 30 MB of free disk space
- 10/100/1000 or Wi-Fi network interface card

macOS Sierra 10.12.6 and earlier
- System disk must be partitioned with the GUID Partition Table (GPT) partition scheme
- Must be formatted with a Mac OS X Extended Journaled (HFS+)

NOTE: With macOS Sierra or earlier, only Dell Volume Encryption is supported.

macOS High Sierra 10.13.5 - 10.13.6
- System disk must be partitioned with the GUID Partition Table (GPT) partition scheme
- Can be formatted with one of these:
  – Mac OS X Extended Journaled (HFS+)
  – Apple File System (APFS)

NOTE: With macOS High Sierra, due to changes in the partition structure, only FileVault Encryption is supported.

Encryption Client Software

The following table details supported software.

NOTE: If you intend to perform a major operating system upgrade when using the Dell Volume Encryption (not FileVault encryption), a decrypt and uninstall operation is needed followed by regular installation of the Encryption client for Mac on the new operating system. Upgrades to macOS High Sierra support FileVault only.

Operating Systems (64-bit kernels)
- Mac OS X El Capitan 10.11.6
- macOS Sierra 10.12.6
- macOS High Sierra 10.13.5 - 10.13.6

If a customer upgrades to v8.16 or higher and then to High Sierra with the Dell Volume Encryption policy set to On and Encrypt Using FileVault for Mac set to Off, a policy conflict message displays on the Encryption client. The administrator must set both policies to On.

With Mac OS X El Capitan and macOS Sierra, when using Dell Volume Encryption (not FileVault encryption), you must disable Apple's System Integrity Protection (SIP).

NOTE: For information on disabling, see Interactive Installation/Upgrade and Activation, step 5. Before disabling, see Apple's help for how this impacts security.

NOTE: If you are using a network user account to authenticate, that account must be set up as a mobile account to fully configure FileVault 2 management.

Encrypted Media

The following table details the operating systems supported when accessing Dell-encrypted external media.

NOTE: Encryption External Media supports:
- FAT32
- exFAT
- HFS Plus (Mac OS Extended) formatted media with Master Boot Record (MBR) or GUID Partition Table (GPT) partition schemes. See Enable HFS Plus.

NOTE: External media must have 55 MB available, plus open space on the media that is equal to the largest file to be encrypted, to host Encryption External Media.

Windows Operating Systems (32- and 64-bit) Supported to Access Encrypted Media
- Microsoft Windows 7 SP1
  - Enterprise
  - Professional
  - Ultimate
- Microsoft Windows 8
  - Enterprise
  - Pro
  - Windows 8 (Consumer)
- Microsoft Windows 8.1 - Windows 8.1 Update 1
  - Enterprise
  - Pro
- Microsoft Windows 10
  - Education
  - Enterprise
  - Pro Version 1607 (Anniversary Update/Redstone 1) through Version 1803 (Spring Creators Update/Redstone 4)

NOTE: After Windows 10 updates, Data Guardian requires the latest major version of CBFS Connect to ensure continued operation.

Mac Operating Systems (64-bit kernels) Supported to Access Encrypted Media
- Mac OS X El Capitan 10.11.6
- macOS Sierra 10.12.6
  NOTE: Encryption External Media on macOS Sierra 10.12.6 requires Encryption Enterprise v8.15.
- macOS High Sierra 10.13.5 - 10.13.6
  NOTE: Encryption External Media on macOS High Sierra 10.13.x requires Encryption Enterprise v8.16 or higher.

With Mac OS X El Capitan and macOS Sierra, when using Dell Volume Encryption (not FileVault encryption), you must disable Apple's System Integrity Protection (SIP).

NOTE: For information on disabling, see Interactive Installation/Upgrade and Activation, step 4. Before disabling, see Apple's help for how this impacts security.

Advanced Threat Prevention

Uninstall other vendors' antivirus, antimalware, and antispyware applications before installing the Advanced Threat Prevention client, to prevent installation failures.

Advanced Threat Prevention Hardware

Minimum hardware requirements must meet the minimum specifications of the operating system.

Hardware
- 500 MB free disk space, depending on operating system
- 2 GB RAM
- 10/100/1000 or Wi-Fi network interface card

Advanced Threat Prevention Software

The following table details supported software.

Operating Systems (64-bit kernels)
- Mac OS X Mavericks 10.9.5
- Mac OS X Yosemite 10.10.5
  NOTE: Mac OS X Mavericks 10.9.5 and Mac OS X Yosemite 10.10.5 are supported with Advanced Threat Prevention only, not the Encryption client.
- Mac OS X El Capitan 10.11.6
- macOS Sierra 10.12.6
- macOS High Sierra 10.13.5 - 10.13.6
  NOTE: Refer to Encryption Client Software for specific macOS High Sierra versions supported with the Encryption client.

NOTE: There is no support for case-sensitive file systems.

Advanced Threat Prevention Ports

The Advanced Threat Prevention agents are managed by and report to the management console SaaS platform. Port 443 (https) is used for communication and must be open on the firewall in order for the agents to communicate with the console. The console is hosted by Amazon Web Services and does not have any fixed IPs. If port 443 is blocked for any reason, updates cannot be downloaded, so computers may not have the most current protection. Ensure that client computers can access the URLs, as follows.

Use: All Communication
Application Protocol: https
Protocol: TCP
Port: 443
Destination: Allow all https traffic to *.cylance.com
Direction: Outbound

Compatibility

The following table details compatibility with Windows, Mac, and Linux.

n/a - Technology does not apply to this platform.
Blank field - Policy is not supported with Endpoint Security Suite Enterprise.

Features / Policies / Windows / macOS / Linux

Auto Quarantine (Unsafe): x x x
Auto Quarantine (Abnormal): x x x
Auto Upload: x x x
Policy Safe List: x x x
Memory Protection: x x x
Stack Pivot: x x x
Stack Protect: x x x
Overwrite Code: x n/a
RAM Scraping: x n/a
Malicious Payload: x
File Actions
Memory Actions
Exploitation
Process Injection
Remote Allocation of Memory: x x n/a
Remote Mapping of Memory: x x n/a
Remote Write to Memory: x x n/a
Remote Write PE to Memory: x n/a n/a
Remote Overwrite Code: x n/a
Remote Unmap of Memory: x n/a
Remote Thread Creation: x x
Remote APC Scheduled: x n/a n/a
DYLD Injection: x x n/a
Escalation
LSASS Read: x n/a
Zero Allocate: x x
Execution Control: x x
Prevent service shutdown from device: x x
Kill unsafe running processes and their subprocesses: x x x
Background Threat Detection: x x x
Watch for New Files: x x x
Maximum archive file size to scan: x x x
Exclude Specific Folders: x x x
Copy File Samples: x
Protection Settings: x
Application Control
Change Window: x
Folder Exclusions: x x
Agent Settings
Enable auto-upload of log files: x
Enable Desktop Notifications: x
Active Script: x
Powershell: x
Office Macros: x
Block Powershell console usage: x
Approve scripts in these folders (and subfolders): x
Logging Level: x
Self Protection Level: x
Auto Update: x
Run a Detection (from Agent UI): x x x
Script Control
n/a
Delete Quarantined (Agent UI and Console UI): x
Disconnected Mode: x x
Detailed Threat Data: x
Certificate Safe List: x x n/a
Copy malware samples: x x x
Proxy Settings: x x x
Manual Policy Check (Agent UI): x x
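
The Advanced Threat Prevention requirements in this chapter (supported macOS version, free disk space, RAM, no case-sensitive file system, outbound port 443) can be checked on a target Mac before deployment. The script below is an added example, not part of the Dell guide; the function names and the ATP_HOST variable are assumptions, since the guide names only the wildcard *.cylance.com.

```shell
#!/bin/sh
# Added example: pre-install check for the Advanced Threat Prevention (ATP)
# requirements listed on this page. Function names are illustrative.
# ATP_HOST is an assumption: the page gives only the wildcard *.cylance.com,
# so supply the console hostname your tenant actually uses.

# Supported macOS versions for ATP, as listed on this page.
atp_os_supported() {
  case "$1" in
    10.9.5|10.10.5|10.11.6|10.12.6|10.13.5|10.13.6) return 0 ;;
    *) return 1 ;;
  esac
}

# Minimums from the page: 500 MB free disk, 2 GB RAM.
# Arguments: free disk in MB, installed RAM in bytes.
atp_resources_ok() {
  [ "$1" -ge 500 ] && [ "$2" -ge 2147483648 ]
}

# Case-sensitive file systems are not supported. Probe the volume that holds
# the given directory: create a lower-case file, look it up in upper case.
# Returns 0 = case-insensitive, 1 = case-sensitive, 2 = probe failed.
fs_case_insensitive() {
  dir=${1:-/tmp}
  probe="$dir/atpcheck.$$"
  touch "$probe" 2>/dev/null || return 2
  if [ -e "$dir/ATPCHECK.$$" ]; then rc=0; else rc=1; fi
  rm -f "$probe"
  return "$rc"
}

# Outbound HTTPS on TCP 443. Any HTTP status counts as reachable; only a
# failed connection or TLS handshake makes curl exit non-zero here.
https_reachable() {
  curl -sS -o /dev/null --connect-timeout 5 "https://$1/" 2>/dev/null
}

preflight() {
  fail=0
  os=$(sw_vers -productVersion)
  free_mb=$(df -m / | awk 'NR==2 {print $4}')
  ram=$(sysctl -n hw.memsize)
  atp_os_supported "$os" ||
    { echo "FAIL: macOS $os is not in the supported list"; fail=1; }
  atp_resources_ok "$free_mb" "$ram" ||
    { echo "FAIL: need 500 MB free disk and 2 GB RAM"; fail=1; }
  fs_case_insensitive /tmp ||
    { echo "FAIL: file system is case-sensitive or could not be probed"; fail=1; }
  https_reachable "$ATP_HOST" ||
    { echo "FAIL: no outbound HTTPS (TCP 443) to $ATP_HOST"; fail=1; }
  [ "$fail" -eq 0 ] && echo "PASS: ATP prerequisites met"
  return "$fail"
}

# Runs only on macOS and only when a host is supplied, for example:
#   ATP_HOST=<console-host>.cylance.com sh atp_preflight.sh
if [ "$(uname -s)" = "Darwin" ] && [ -n "${ATP_HOST:-}" ]; then
  preflight
fi
```

The exit status of preflight is 0 only when every check passes, so a remote deployment tool can use it to gate the installer.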

3 Tasks for the Encryption Client

Install/Upgrade the Encryption Client

This section guides you through the Encryption client for Mac installation/upgrade and activation process.

There are two methods to install/upgrade the Encryption client for Mac. Select one of the following:
- Interactive Installation/Upgrade and Activation - This method is the easiest method to install or upgrade the client software package. However, this method does not allow any customizations. If you intend to use Boot Camp or a version of operating system that is not yet fully supported by Dell (through .plist modification), you must use the command line installation/upgrade method. For information about using Boot Camp, see Using Boot Camp.
- Command Line Installation/Upgrade - This is an advanced installation/upgrade method that should only be used by administrators experienced with command line syntax. If you intend to use Boot Camp or a version of operating system that is not yet fully supported by Dell (through .plist modification), you must use this method to install or upgrade the client software package. For information about using Boot Camp, see Using Boot Camp.

For more information on the Installer Command options, see the Mac OS X Reference Library at http://developer.apple.com. Dell highly recommends using remote deployment tools, such as Apple Remote Desktop, to distribute the client installation package.

NOTE: Apple often releases new versions of operating systems between releases of Endpoint Security Suite Enterprise for Mac. To support as many customers as possible, a modification of the com.dell.ddp.plist file is allowed to support these cases. Testing of these versions begins as soon as Apple releases a new version, to ensure that they are compatible with the Encryption client for Mac.

Prerequisites

Dell recommends that IT best practices are followed during the deployment of client software. This includes, but is not limited to, controlled test environments for initial tests and staggered deployments to users.

Before beginning this process, ensure the following prerequisites are met:
- Ensure that the Dell Server and its components are already installed.
  If you have not yet installed the Dell Server, follow the instructions in the appropriate guide below.
  – Security Management Server Installation and Migration Guide
  – Security Management Server Virtual Quick Start Guide and Installation Guide
- Ensure that you have the Security Server and Policy Proxy URLs handy. Both are needed for client software installation and activation.
- If your deployment uses a non-default configuration, ensure that you know the port number for the Security Server. It is needed for client software installation and activation.
- Ensure that the target computer has network connectivity to the Security Server and Policy Proxy.
- Ensure that you have a domain user account in the Active Directory installation configured for use with the Dell Server. The domain user account is used for client software activation. Configuring Mac endpoints for domain (network) authentication is not required.
- To enforce encryption on the client computer, first select the appropriate encryption option for your organization.

Dell Encryption

For macOS Sierra and earlier versions, select this option to do the following:
  – Encrypt all partitions on the boot drive
  – Use Preboot Authentication
  – Use 256-bit encryption

NOTE: If you use Dell Volume Encryption, you must disable System Integrity Protection (SIP). See Interactive Installation/Upgrade and Activation, step 4.

FileVault encryption

Select this option to do the following:
  – Encrypt Fusion Drives
  – Skip Preboot Authentication
  – Deploy an Apple-supported solution

NOTE: If a Mac has a Fusion Drive, you must enable FileVault to encrypt that drive.

Encryption policy settings must reflect the encryption option you select. Before setting encryption policies, be sure that you understand the Encrypt Using FileVault for Mac and Volumes Targeted for Encryption policies. To use either Dell Volume Encryption or FileVault encryption, the Dell Volume Encryption policy must be On.

For more information about encryption policies, see Mac Encryption Dell Volume Encryption.

Interactive Installation/Upg
