With Endpoint Encryption for PC (EEPC) v6 we have achieved 100% ePO integration. This means we now have a deployment tool, and some very powerful automation tools for targeting an encryption deployment to laptops only. Now, it is important to note that many customers also deploy full disk encryption to their desktops. However, many customers want to deploy to their highest-risk machines first, and this means laptops.
This procedure leverages new functionality in ePO 4.5 that allows deployment tasks to be assigned to tags, instead of to individual systems or groups of systems. This means you don't have to re-organize your system tree or make a new group called "Encrypted Laptops". Instead, ePO does the work for you. It finds the laptops and deploys EEPC to them, regardless of where they are in the system tree.
High level process
- Create new tag called "Laptop"
- Assign the new tag to laptops
- Tie the EEPC deployment task to the Laptop tag
Before you begin
- Ensure you have properly installed the EEPC v6 extensions in ePO 4.5. EEPC v6 is not compatible with ePO 3.6.1 or 4.0.
- Follow the EEPC installation guide and readme to create your policies and deployment tasks. Note: you can make a new task or modify an existing one for this procedure.
- Manually deploy to a few test nodes to ensure all components are working properly.
Step By Step Procedure
Go to Menu > Systems > Tag Catalog.

Name the tag Laptop.

From the Criteria list, choose Is Laptop and set the value to Equals and Yes.

On the Evaluation tab, choose the second option: On each agent-server communication and when a "Run Tag Criteria" action is taken.

On the Preview tab, choose to Apply the tag now to all systems that match the tag criteria.

You can now see the new tag and some information about its relevance in your environment.

You are now done creating the tag and tagging the systems in your environment. For maximum effectiveness and accuracy, wait for all endpoints to do an agent-server communication before proceeding. This will ensure all laptops get tagged. The next step is to create a deployment task that only applies to systems with the Laptop tag.
Go to the System Tree, and from the My Organization level go to the Client Tasks tab. Then click the New Task button.
In the Client Task Builder screen, name the task and select the Type: Product Deployment. Then select the second option for Tags: Send this task to only computers which have the following criteria.

Then click edit next to the Has any of these tags option. This will bring up a list of all available tags. Choose your new Laptop tag from the drop-down list. Click OK.

This will return you to the Client Task Builder screen, but now you should see the word Laptop in the Has any of these tags line. Once verified, click Next.

In the Configuration screen, select Endpoint Encryption Agent for Windows from the drop-down list. Then click the + button, and select Endpoint Encryption for PC from the second drop-down list. Then click Next to proceed.

From the Schedule screen, choose to enable the task and choose Run Immediately from the drop-down list. This will result in all laptops getting EEPC pushed to them on their next agent-server communication. If you want to further control when and how laptops get EEPC deployed to them, I recommend leaving the task disabled until those decisions have been made.

You are now done building the task and can view the summary.

If you have experience with this procedure and can provide additional advice or feedback, please do so in the comments. Thank you!