McAfee EPO 4 / Endpoint Encryption


McAfee ePO 4 / Endpoint Encryption
Deployment and User Guide

McAfee, Inc.
3965 Freedom Circle, Santa Clara, CA 95054, USA
Tel: (+1) 888.847.8766

For more information regarding local McAfee representatives please contact your local McAfee office, or visit: www.mcafee.com

COPYRIGHT
Copyright 2008 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FLASHBOX, FOUNDSTONE, GROUPSHIELD, HERCULES, INTRUSHIELD, INTRUSION INTELLIGENCE, LINUXSHIELD, MANAGED MAIL PROTECTION, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, MCAFEE.COM, NETSHIELD, PORTALSHIELD, PREVENTSYS, PROTECTION-IN-DEPTH STRATEGY, PROTECTIONPILOT, SECURE MESSAGING SERVICE, SECURITYALLIANCE, SITEADVISOR, THREATSCAN, TOTAL PROTECTION, VIREX, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Attributions
Refer to the product Release Notes.

Contents

Preface
    About This Guide
    Audience
    Conventions
    Contact information
ePO Endpoint Encryption Deployment and Reporting
    Endpoint Encryption Integration to ePolicy Orchestrator
    The Endpoint Encryption Reports
    Setting up Deployment and Reporting in ePolicy Orchestrator
    Location of the files on the CD
    Endpoint Encryption Install Sets
    Summary
    Gather the files to prepare the Pkgcatalog.z file
    Edit the Pkgcatalog.xml file
    Create the pkgcatalog.z file using eposign.exe
    Create the deployment zip file and check it in
    Create the deployment task
    Running Reports
    Endpoint Encryption for Files and Folders Reports
    Endpoint Encryption for PC
    Adding the reports to the Dashboard

Preface

About This Guide

This guide provides information on configuring Endpoint Encryption deployment and reporting through the ePolicy Orchestrator.

Audience

This information is intended primarily for network administrators who are responsible for their company's security program, and assumes the customer has used ePolicy Orchestrator.

Conventions

This guide uses the following conventions:

Bold Condensed: All words from the interface, including options, menus, buttons, and dialog box names.
Courier: The path of a folder or program; text that represents something the user types exactly (for example, a command at the system prompt).
Italic: Emphasis or introduction of a new term; names of product manuals.
Blue: A web address (URL); a live link.
Note: Supplemental information; for example, an alternate method of executing the same command.
Caution: Important advice to protect your computer system, enterprise, software installation, or data.

Contact information

Download Site http://www.mcafee.com/us/downloads/
    Product Upgrades (Valid grant number required)
    Security Updates (DATs, engine)
    HotFix and Patch Releases
        For Security Vulnerabilities (Available to the public)
        For Products (ServicePortal account and valid grant number required)
    Product Evaluation
    McAfee Beta Program

Technical Support http://www.mcafee.com/us/support/
    KnowledgeBase Search http://knowledge.mcafee.com/
    McAfee Technical Support ServicePortal (Logon credentials required) https://mysupport.mcafee.com/eservice enu/start.swe

Customer ml
    Phone (US, Canada, and Latin America toll-free): 1-888-VIRUS NO or 1-888-847-8766, Monday – Friday, 8 a.m. – 8 p.m., Central Time

Professional Services
    Enterprise .html
    Small and Medium Business http://www.mcafee.com/us/smb/services/index.html

ePO Endpoint Encryption Deployment and Reporting

Endpoint Encryption Integration to ePolicy Orchestrator

Version 4 of ePolicy Orchestrator allows the administrator to deploy Endpoint Encryption for Files and Folders and Endpoint Encryption for PC. It also includes the ability to report the encryption status of machines that have Endpoint Encryption installed.

WARNING: The ePolicy Orchestrator is not compatible with versions 4.x of Endpoint Encryption (formerly SafeBoot).

The Endpoint Encryption Reports

Endpoint Encryption for Files and Folders (EEFF)

Version Check
This report will check each machine and report on whether or not Endpoint Encryption for Files and Folders is installed. The report also displays which version is running.

Endpoint Encryption for PC (EEPC)

Installed Version
This report will check each machine and report on whether or not Endpoint Encryption for PC is installed. The report also displays the Endpoint Encryption for PC version and whether or not the client is active (running).

Summary
This report checks all machines and their encryption status, e.g. is the machine fully encrypted (i.e. are all drives fully encrypted). It also displays the number of drives in each encrypted state, e.g. full encryption, partially encrypted, in progress* and not encrypted.

* NOTE: The In Progress status indicates a machine that is in the process of either decrypting or encrypting.

Drive Check
This report lists all machines that have Endpoint Encryption for PC installed, including the encryption status of each drive. It also reports on machines that do not have EEPC installed by placing "Unknown" in the Drive and Encryption columns.

Setting up Deployment and Reporting in ePolicy Orchestrator

This section explains how to configure deployment and reporting of Endpoint Encryption on the ePolicy Orchestrator. Follow these steps whether you are deploying or reporting on either Endpoint Encryption for Files and Folders or Endpoint Encryption for PC.

Location of the files on the CD

The reporting configuration files

The sbde5.zip and sbce3.zip files contain the report configuration for Endpoint Encryption for PC (sbde5) and Endpoint Encryption for Files and Folders (sbce3) respectively. They are located on the CD at the following locations:

    EPO\Endpoint Encryption for Files and Folders\EPO4\Sbce3.zip
    EPO\Endpoint Encryption for PC\EPO4\Sbde5.zip

Installing the extensions

To run the Endpoint Encryption reports you must first install the extensions (the reporting zip files).

1. From the ePolicy Orchestrator Console, click the Configuration button.
2. Click the Extensions button on the toolbar.
3. Click the Install Extension option at the bottom left of the console.
4. Click the Browse button and locate the zip file.
5. Select the file and click Open.
6. Click the Ok button to install the extension.

Files required to build the pkgcatalog.z file

The paths below contain the files on the CD required to build the pkgcatalog.z file.

Endpoint Encryption for Files and Folders Files

Use these files to configure deployment and reporting for Endpoint Encryption for Files and Folders:

The \ePO\Endpoint Encryption for Files and Folders\Package folder contains the ce-detect.mcs, the pkgcatalog.xml and the eposign.exe files.

Endpoint Encryption for PC Files

Use these files to configure deployment and reporting for Endpoint Encryption for PC:

The \ePO\Endpoint Encryption for PC\Package folder contains the de-detect.mcs, the pkgcatalog.xml and the eposign.exe files.

Endpoint Encryption Install Sets

Before completing your Endpoint Encryption install set you must ensure that the Perform installation silently and Automatically restart machine options are checked. If they are not then the install to the client machine will fail. See the Create Installation Set screenshot below.

Figure 1 - The Endpoint Encryption Create Installation Set screenshot

Summary

1. Ensure the report configuration files have been installed.
2. Prepare the Endpoint Encryption install set.
3. Gather the files to prepare the pkgcatalog.z file.
4. Edit the pkgcatalog.xml file.
5. Create the pkgcatalog.z file using eposign.exe.
6. Create the deployment zip file and check it in.
7. Verify the Endpoint Encryption deployment zip file has been checked in.
8. Create the deployment task.

Gather the files to prepare the Pkgcatalog.z file

Follow these steps to consolidate the necessary files into the ePolicy Orchestrator deployment format. You will require the following files:

    Eposign.exe
    pkgcatalog.XML
    Detection scripts (ce-detect.mcs - Endpoint Encryption for Files and Folders or de-detect.mcs - Endpoint Encryption for PC)
    Endpoint Encryption Install set, e.g. SBDE.exe (Filename determined by Administrator)

1. Create the install set from the Endpoint Encryption Manager. Refer to the Endpoint Encryption for Files and Folders Administration Guide or the Endpoint Encryption for PC Administration Guide for further details.
2. Create a folder on the server c:\ drive and call it Deployment. The Deployment folder becomes a working directory and contains subsequent Endpoint Encryption packages that you create. You may create this directory in a location of your choice and name it as you wish. This guide uses the example of the c:\Deployment.

NOTE: Each package created should be unique and must not overwrite the existing version. The Deployment folder should therefore contain a uniquely named sub folder for each package, e.g. 0001, 0002, Package1 or Package2, etc. The example used here is 0001.

3. Copy the eposign.exe file from the CD, to the Deployment folder on the c:\ drive.
4. Create a new subfolder within the Deployment folder, e.g. 0001.
5. Copy the pkgcatalog.xml and detection scripts from the CD, to the Deployment subfolder, e.g. \Deployment\0001
6. Copy the Endpoint Encryption install set to the \Deployment\0001 subfolder.

Edit the Pkgcatalog.xml file

Follow these steps to edit the pkgcatalog.xml file:

NOTE: You must add the unique code to the <ProductID></ProductID> line in the file. In this example, it is 0001; however, you could name it anything within the four-character limit. See the Endpoint Encryption for Files and Folders pkgcatalog.xml example below.

Finally, keep the product names <ProductName></ProductName> in the XML file a minimal length. If they are too long they will push out the tables in the ePolicy Orchestrator. See the <ProductName> line in the example below.

You must also ensure you edit the <InstallCommand></InstallCommand> line with the correct Endpoint Encryption install filename and include the /silent command. See the <InstallCommand> line in the example below.

    <PkgCatalog>
      <ProductPackage>
        <ProductID>SBCE 30000001</ProductID>
        <ProductName>EEFF</ProductName>
        <ProductDescription>0</ProductDescription>
        <ProductDetection>
          <DetectionScript>
            <Name>ce-detect.mcs</Name>
          </DetectionScript>
          <ProductVersion>3.0.0</ProductVersion>
          <PlatformID>WNTW:4:0:4 WNTS W2KW W2KS WXPHE WXPW WXPS WVST</PlatformID>
        </ProductDetection>
        <ConflictSoftwareList />
        <LangPackage>
          <Priority>1</Priority>
          <PackageType>Install</PackageType>
          <LangID>0000</LangID>
          <InstallType>command</InstallType>
          <InstallCommand>SbCe.exe /silent</InstallCommand>
          <MaxReboot>1</MaxReboot>
          <RebootReturnCode>0</RebootReturnCode>
        </LangPackage>
        <Translation>
          <TranslationID />
          <TranslationItem>
            <LangID />
            <TranslationString />
          </TranslationItem>
        </Translation>
      </ProductPackage>
    </PkgCatalog>

1. Open the pkgcatalog.xml file in the c:\Deployment\0001 folder using Notepad.
2. Edit the Product ID and add the unique number to the name. For example, if the product ID is <ProductID>SBCE 3000</ProductID> then change this to include the unique number for the package, for example, <ProductID>SBCE 30000001</ProductID>. Follow these steps with a new four-character code each time you create a package. This ensures that all future packages are unique.

WARNING: You must not change the Product ID other than to add the four-character unique ID at the end, otherwise reporting will fail. See the example above.

3. Edit the <InstallCommand></InstallCommand> line with the file name of the Endpoint Encryption install set and include the /silent command, otherwise the install will fail.

NOTE: You can also edit the product name, for example from Endpoint Encryption for Files and Folders to EEFF for Sales, depending on who the deployment is targeted at. This name will appear on the ePolicy Orchestrator and will help identify the deployment package.

4. Save the pkgcatalog.xml file.

Create the pkgcatalog.z file using eposign.exe

Follow these steps to create the ePolicy Orchestrator deployment format, i.e. the pkgcatalog.z file. You must run this command from a Command prompt.

1. Click on the Start option followed by Run.
2. Enter Cmd in the Open dialog box and click the Ok button.
3. Type cd \deployment at the command prompt.
4. From the c:\deployment directory enter the following Eposign command:

    eposign c:\deployment\0001\pkgcatalog.xml .mcs /a

5. This will take the files from the c:\Deployment\0001 folder and roll them into the pkgcatalog.z file.

Create the deployment zip file and check it in

The deployment zip file contains the detection scripts, the pkgcatalog.xml, the Endpoint Encryption install file and the pkgcatalog.z file.

1. Create a zip file from the detection scripts, the pkgcatalog.xml, the Endpoint Encryption install file and the pkgcatalog.z file stored in the c:\Deployment\0001 folder.
2. From the ePolicy Orchestrator Console, click the Software button.
3. Click the Check In Package button.
4. Click the Browse button and locate the deployment zip file created at step 1.
5. Select the zip file and click the Open button.
6. Click the Next button.
7. Click the Save button to check in the zip file.
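A pre-check for the package folder before it is zipped and checked in, covering the rules stated above: the Product ID keeps its shipped value plus a unique code within the four-character limit, the install command names a file in the folder and carries /silent, and the detection script is present. This is an added example, not McAfee code; check_pkgcatalog, SAMPLE, the used_ids input and the file list are assumptions made for illustration, and the XML is a constructed sample modelled on the guide's EEFF example.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the guide's EEFF pkgcatalog.xml example
# (detection and translation details trimmed).
SAMPLE = """<PkgCatalog><ProductPackage>
  <ProductID>SBCE 30000001</ProductID>
  <ProductName>EEFF</ProductName>
  <ProductDetection>
    <DetectionScript><Name>ce-detect.mcs</Name></DetectionScript>
  </ProductDetection>
  <LangPackage>
    <InstallType>command</InstallType>
    <InstallCommand>SbCe.exe /silent</InstallCommand>
  </LangPackage>
</ProductPackage></PkgCatalog>"""


def check_pkgcatalog(xml_text, base_id, folder_files, used_ids=()):
    """Return a list of problems found; an empty list means the checks pass.

    base_id      -- the ProductID as shipped on the CD, before editing
    folder_files -- file names present in the package folder (e.g. 0001)
    used_ids     -- ProductIDs of earlier packages (hypothetical input)
    """
    problems = []
    present = {name.lower() for name in folder_files}
    pkg = ET.fromstring(xml_text).find("ProductPackage")
    if pkg is None:
        return ["no <ProductPackage> element"]

    # ProductID: shipped ID unchanged, plus a unique code of up to 4 characters.
    product_id = (pkg.findtext("ProductID") or "").strip()
    suffix = product_id[len(base_id):]
    if not product_id.startswith(base_id):
        problems.append("ProductID no longer starts with the shipped ID")
    elif not 1 <= len(suffix) <= 4:
        problems.append("unique code must be 1 to 4 characters")
    elif product_id in used_ids:
        problems.append("ProductID already used by another package")

    # InstallCommand: install set must be in the folder and run with /silent.
    # Assumes the install set file name contains no spaces.
    command = (pkg.findtext("LangPackage/InstallCommand") or "").split()
    if not command or command[0].lower() not in present:
        problems.append("InstallCommand does not name a file in the folder")
    if "/silent" not in [arg.lower() for arg in command[1:]]:
        problems.append("InstallCommand is missing /silent")

    # Detection script named in the catalog must ship with the package.
    script = (pkg.findtext("ProductDetection/DetectionScript/Name") or "").strip()
    if script.lower() not in present:
        problems.append("detection script is not in the folder")
    return problems
```

Run it against the edited pkgcatalog.xml and a listing of the package folder; an empty result means these checks passed.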

Check the Endpoint Encryption file has been checked in

Follow these steps to verify the Endpoint Encryption file appears in the ePO Repository.

1. From the ePolicy Orchestrator Console click on the Software button. This will display the contents of the master repository.
2. Scroll down the list to verify the Endpoint Encryption file is there.

Create the deployment task

1. From the ePolicy Orchestrator Console, click the Systems button.
2. Click the Client Tasks option.
3. Click New Task. This will start the Client Task Builder screen.
4. Enter a name and description (optional) for the task.
5. Select the Product Deployment (McAfee Agent) as the Type.
6. Click Next to continue.
7. From the Configuration window select the target platform and product to be deployed.
8. Click Next to continue.
9. Set your required schedule options for this deployment.
10. Ensure the Enable option is checked.

NOTE: This task will run at the next agent-server communication for the relevant agents. If you wish to run the task sooner, then click the Schedule type and select Run immediately.

WARNING: To complete the installation, all Endpoint Encryption products require a reboot when deployed. If CE and DE are deployed simultaneously, when one product reboots, the CMA may 'forget' what it was doing; this will result in the second product not being deployed until the deployment task runs again. Therefore, all deployment tasks involving Endpoint Encryption products should be set to run on a regular basis.

11. Click the Next button to continue.
12. Click the Save button to save this deployment task or choose the Back button to change the Schedule, Configuration or Description.

Running Reports

Endpoint Encryption for Files and Folders Reports

Installed Version
This report will check each machine and report on whether or not Endpoint Encryption for Files and Folders is installed. It also displays which version is running.

1. Click the Reporting button from the main toolbar.
2. Click EEFF Installed Version from the left hand Queries menu.
3. Click the Run button. The report will appear as a pie chart. Click on the pie chart to view the detail of this report.

Endpoint Encryption for PC

Installed Version
This report will check each machine and report on whether or not Endpoint Encryption for PC is installed. It also displays the Endpoint Encryption for PC version and whether or not the client is active (running).

1. Click the Reporting button from the main toolbar.
2. Click EEPC Installed Version from the left hand Queries menu.
3. Click the Run button. The report will appear as a pie chart. Click on the pie chart to view the detail of this report.

Summary
This report checks all machines and their encryption status, e.g. is the machine fully encrypted (i.e. are all drives fully encrypted). It also displays the number of drives in each encrypted state, e.g. full encryption, partially encrypted, in progress* and not encrypted.

* NOTE: The In Progress status indicates a machine that is in the process of either decrypting or encrypting.

1. Click the Reporting button from the main toolbar.
2. Click EEPC Install Summary from the left hand Queries menu.
3. Click the Run button. The report will appear as a pie chart. Click on the pie chart to view the detail of this report.

Drive Check
This report lists all machines that have Endpoint Encryption for PC installed, including the encryption status of each drive. It also reports on machines that do not have DE installed by placing "Unknown" in the Drive and Encryption columns.

1. Click the Reporting button from the main toolbar.
2. Click EEPC Drive Check from the left hand Queries menu.
3. Click the Run button. The report will appear as a pie chart. Click on the pie chart to view the detail of this report.

Adding the reports to the Dashboard

Version 4.0 of ePolicy Orchestrator allows the administrat
