Endpoint Encryption for Removable Media (EERM) is a subset of functionality within the Endpoint Encryption for Files and Folders (EEFF) product. While EEFF can encrypt any file or folder in any location (loca drive, network share, etc..), EERM was designed specifically to encrypt USB sticks and other removable media storage devices. One of the main benefits of EERM is its portability. The software is completely self-contained on the USB stick and does not require the host computer to have any other McAfee software installed. A user can encrypt the device on one PC and access the data from any other PC, as long as they know their password.
To achieve this portability, McAfee had to design a completely independent authentication system for the USB stick. This authentication system is separate from the authentication used by EEFF and EEPC (McAfee's full disk encryption software). For customers who use all of the products, the different authentication systems can be a source of confusion. The main thing to know is that EERM is designed to work completely independent of the other McAfee software and their authentication systems. It is possible to inter-mix the authentication systems from the different products (and there are some benefits to this approach if you also use EEPC), but I'll save that topic for another blog post.
Customers often ask us how to setup EERM so that the end user only sees the authentication screen for their USB stick and never sees any other McAfee encryption login screen. The trick for this is to simply disable all the non-EERM features in the EEFF policy. What follows is a step-by-step guide to enabling the EERM features and disabling all the other features in an EEFF policy.
- No interaction between EEFF and EEPC is desired
- Installed EEFF version is at least 3.2.x
- Unlike regular EEFF policies, this policy does not need to be assigned to user accounts.
- The policy is included in the exe and therefore will be enforced after install. The only way to change this policy is to run a new exe or login to EEFF on the client and synchronize. This will display a login prompt and the user should login with an account who has a different EEFF policy assigned.
High Level Process
- Configure EEFF policy
- Create install set from that policy
- Deploy install set to endpoint
- Policy will be enforced for any USB stick (or other removable media) inserted into PC
Step By Step Procedure
Log in to McAfee Endpoint Encryption Manager (EEM) > Navigate to Policies tab > Expand EEFF policy group > make new policy or edit existing policy
- Show about option on system tray menu
- Disable forcing of logon on first boot
File Extensions Tab
- Leave blank
- Leave blank
Removable Media Tab
- Use McAfee Endpoint Encryption for Removable Media (EERM)
- Entire Device
- Allow Recovery Password (optional)
- Allow User Questions (recommended)
- Make unprotected files and folders Read-Only (recommended)
- Uncheck all options
- Enabling any option on this screen will cause an additional EEFF authentication to be presented to the user. This happens because this uses the traditional EEFF (not the EERM) authentication mechanism.
- Uncheck the enable inactivity timeout
User Local Kyes
- Leave blank
- Preserve file times
- Uncheck all
*See the EEFF Quickstart Guide for instructions on making the installation set.
End User Experience
When the end user inserts a USB stick, the policy will prompt them to decide if they want to encrypt the device. If they choose yes, encryption will begin. If they choose no, then the device will be made read-only (is is configurable by policy).
The user then must complete the initialization process. In this step the password and recovery options are set.
When the user clicks the Initialize button, the USB stick is formatted and a new volume is created. If the USB stick contained data, it is backed up in the user's temp directory and restored to the encrypted volume when initialization is complete.
When the operation is complete, the user simply clicks OK.
Once the removable media is initialized by EERM, all data copied to it will reside in an encrypted container. Opening this container requires authentication. If autorun is enabled, the login screen will appear automatically when the USB stick is inserted. If autorun is disabled, then the user will have to navigate to the root of the drive and run the MfeEERM.exe.
Encrypted files have their names shown in green. These files will be decrypted on-the-fly when they are copied from the encrypted media to a PC. That PC does not need to have any software installed to view the file(s).