Update: In 2014 McAfee renamed Endpoint Encryption for PC (EEPC) to McAfee Drive Encryption (MDE). These instructions are valid for both versions.
For many organizations, a full disk encryption deployment is done for one reason: safe harbor. In order to be compliant with most data protection regulations, the IT staff must be able to produce evidence that a suitable technical measure was in place to protect sensitive information on the missing computer. In short, full disk encryption is not enough. The organization must encrypt the device and be able to prove the device is encrypted after it is reported lost or stolen.
McAfee Endpoint Encryption for PC makes this task easy. An administrator can log in to McAfee ePO and, in just a few clicks, produce a report showing that the missing computer was encrypted.
High Level Process
- Log in to ePO
- Locate the system in the System Tree
- View system properties
- Drill-down to encryption properties
- Show encryption status
Finding The User's Machine in ePO
Encryption status is stored as a property of the machine, not the user. To prove a missing computer is encrypted, you must find the machine in ePO and view its properties.
Method 1: If you know the machine name, simply type it into the quick find field in ePO. Go to the System Tree and type all or part of the machine name. If you only know part of the name, do not use wildcards or asterisks (*). ePO will return all systems whose name contains the string that you type.
Then click the More button to see the disk encryption status for that system. In this case, the system has one disk and it is fully encrypted.
Method 2: If you only know the username, you can use ePO to identify all of that user's machines. This involves making a custom query in ePO. It is a good practice to make this query and save it for use in incident response scenarios. Go to Menu > Reporting > Queries to start the query builder. Click the New Query button. This starts the four-step query building process.
Select Endpoint Encryption, then choose Endpoint Encryption - Disk Status. Then click Next.
Select Table. Then click Next.
Choose the columns Users, System Name, State (Disk), State (System), Last Communication. Then click Next.
Choose User Name, and type the name of the user who lost their computer. Then click Run.
Note: Typically, sAMAccountName is used to uniquely identify users in ePO.
The results will display all the computers that the specified user has recently logged in to. The additional columns show disk encryption status, agent activation status, and last communication time.
If you click on the result, you will get more information about that system's encryption status. You can see the disk size and serial number. You can also click links to specific volume information, and to all of the system's properties. Note: some fields are blank in this picture because the disk was a virtual disk.
There are many ways to retrieve encryption status information from ePO. These two methods are the ones that I think are the simplest and the easiest to build processes around. I think it is also a good idea to save the custom query (that we made in method two) without filtering on a user. This will give you a list of all users and machines in your environment and their encryption status. You may also be wondering where dashboards fit into this. I see dashboards as a way to track progress during deployments and upgrades. For this particular use case, a custom query or individual system drill-down is more useful than a dashboard.
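As an added example (not part of the original article and not McAfee code), the Python script below takes a CSV export of the Method 2 query results, filtered or unfiltered, and builds an evidence summary for one user, including a SHA-256 of the export so the file attached to the incident record can be verified later. The CSV layout with one user per row, the state values such as "Encrypted", the date format, and the name evidence_for_user are assumptions, and the sample rows are constructed.

```python
import csv
import hashlib
import io
from datetime import datetime

# Constructed sample export. The headers are the columns chosen in the query;
# the values and the date format are assumptions, not real ePO output.
SAMPLE_EXPORT = """Users,System Name,State (Disk),State (System),Last Communication
jsmith,LT-0042,Encrypted,Active,2014-03-02 09:15:00
jsmith,LT-0107,Partially Encrypted,Active,2014-03-01 17:40:00
adoe,LT-0090,Encrypted,Active,2014-03-02 08:00:00
jsmith,LT-0011,Encrypted,Active,2014-03-09 10:00:00
"""
FMT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp format of the export


def evidence_for_user(export_text, user, reported_lost, encrypted_value="Encrypted"):
    """Return (sha256 of the export, findings for each of the user's systems)."""
    digest = hashlib.sha256(export_text.encode("utf-8")).hexdigest()
    lost_at = datetime.strptime(reported_lost, FMT)
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        # Exact, case-insensitive match on the account name, so a search for
        # "jsmith" does not also pull in "jsmithers".
        if row["Users"].strip().lower() != user.lower():
            continue
        state = row["State (Disk)"].strip()
        last_seen = datetime.strptime(row["Last Communication"].strip(), FMT)
        if state != encrypted_value:
            verdict = "NOT EVIDENCED: disk state is " + state
        elif last_seen > lost_at:
            # The query lists every machine the user logged in to; one that
            # still reports in after the loss needs a closer look.
            verdict = "SEEN AFTER REPORT"
        else:
            verdict = "EVIDENCED"
        findings.append({"system": row["System Name"].strip(),
                         "last_communication": last_seen.isoformat(sep=" "),
                         "verdict": verdict})
    return digest, findings


if __name__ == "__main__":
    sha, rows = evidence_for_user(SAMPLE_EXPORT, "JSmith", "2014-03-05 12:00:00")
    print("export sha256:", sha)
    for r in rows:
        print(r["system"], r["last_communication"], r["verdict"])
```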