Update: In 2014 McAfee renamed Endpoint Encryption for PC (EEPC) to McAfee Drive Encryption (MDE). These instructions are valid for both versions.

 

 

For many organizations, a full disk encryption deployment is done for one reason: safe harbor. In order to be compliant with most data protection regulations, the IT staff must be able to produce evidence that a suitable technical measure was in place to protect sensitive information on the missing computer. In short, full disk encryption is not enough. The organization must encrypt the device and be able to prove the device is encrypted after it is reported lost or stolen.

 

McAfee Endpoint Encryption for PC makes this task easy. An administrator can log into McAfee ePO and, in just a few clicks, be able to produce a report showing that the missing computer was encrypted.

 

High Level Process

  • Log in to ePO
  • Locate the system in the System Tree
  • View system properties
  • Drill down to encryption properties
  • Show encryption status


 

Finding The User's Machine in ePO

Encryption status is stored as a property of the machine, not the user. To prove a missing computer is encrypted, you must find the machine in ePO and view its properties.

 

Method 1: If you know the machine name, simply type it into the Quick Find field in ePO. Go to the System Tree and type all or part of the machine name. If you only know part of the name, do not use wildcards or asterisks (*); ePO will return all systems whose name contains the string that you type.

001 quick find.png

 

Click on the system to view its properties. This screen can be used to determine if the EEPC software is installed and active on the system.

008 more.png

 

Then click the More button to see the disk encryption status for that system. In this case, the system has one disk and it is fully encrypted.

009 disk details.png

 

 

 

 

 

Method 2: If you only know the username, you can use ePO to identify all of that user's machines. This involves making a custom query in ePO. It is a good practice to make this query and save it for use in incident response scenarios. Go to Menu > Reporting > Queries to start the query builder. Click the New Query button. This starts the four-step query building process.

 

Select Endpoint Encryption, then choose Endpoint Encryption - Disk Status. Then click Next.

002 disk status.png

 

Select Table. Then click Next.

003 table.png

 

Choose the columns Users, System Name, State (Disk), State (System), Last Communication. Then click Next.

004 columns.png

 

Choose User Name, and type the name of the user who lost their computer. Then click Run.

Note: Typically, sAMAccountName is used to uniquely identify users in ePO.

005 filter.png

 

The results will display all the computers that the specified user has recently logged in to. The additional columns show disk encryption status, agent activation status, and last communication time.

006 run.png

 

If you click on the result, you will get more information about that system's encryption status. You can see the disk size and serial number. You can also click links to specific volume information, and to all of the system's properties. Note: some fields are blank in this picture because the disk was a virtual disk.

007 drill down.png
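
As an added example (not part of the original article and not McAfee tooling), this Python script turns a CSV export of the saved Method 2 query into a per-machine evidence record for one user. The export layout, the state strings ("Encrypted", "Active"), the date format and the 30-day staleness threshold are assumptions; the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export: column names are the ones chosen in the query
# above; the state strings, separator and date format are assumptions.
SAMPLE_EXPORT = """Users,System Name,State (Disk),State (System),Last Communication
"jdoe, asmith",LT-0142,Encrypted,Active,2014-03-02 08:15:00
jdoe,LT-0977,Decrypted,Active,2014-03-01 17:40:00
jdoe,LT-0611,Encrypted,Active,2013-11-20 09:05:00
asmith,WS-0033,Encrypted,Active,2014-03-02 07:55:00
"""

def evidence_for_user(export_text, username, reported_lost, max_age_days=30):
    """Return one evidence record per machine the user is listed on.

    A machine counts as provably encrypted only if disk and system state are
    both good AND the last check-in is recent relative to the loss report;
    a stale row only proves the state at the time of last communication.
    """
    wanted = username.strip().lower()
    records = []
    for row in csv.DictReader(io.StringIO(export_text)):
        users = {u.strip().lower() for u in row["Users"].split(",")}
        if wanted not in users:  # exact match, so "jdoe" never matches "jdoe2"
            continue
        last_seen = datetime.strptime(row["Last Communication"], "%Y-%m-%d %H:%M:%S")
        encrypted = row["State (Disk)"] == "Encrypted" and row["State (System)"] == "Active"
        stale = reported_lost - last_seen > timedelta(days=max_age_days)
        if not encrypted:
            verdict = "NOT ENCRYPTED"
        elif stale:
            verdict = "ENCRYPTED (stale evidence)"
        else:
            verdict = "ENCRYPTED"
        records.append({"system": row["System Name"], "last_seen": last_seen, "verdict": verdict})
    return records

if __name__ == "__main__":
    for rec in evidence_for_user(SAMPLE_EXPORT, "jdoe", datetime(2014, 3, 3)):
        print(f'{rec["system"]:10} {rec["last_seen"]}  {rec["verdict"]}')
```

A "stale evidence" verdict means the record should be backed up with the system drill-down and the last communication time before it is used as proof.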

 

Conclusion

There are many ways to retrieve encryption status information from ePO. These two methods are the ones that I think are the simplest and the easiest to build processes around. I think it is also a good idea to save the custom query (that we made in method two) without filtering on a user. This will give you a list of all users and machines in your environment and their encryption status. You may also be wondering where dashboards fit into this. I see dashboards as a way to track progress during deployments and upgrades. For this particular use case, a custom query or individual system drill-down is more useful than a dashboard.