Update: In 2014 McAfee renamed Endpoint Encryption for PC (EEPC) to McAfee Drive Encryption (MDE). These instructions are valid for both versions.
Now that EEPC is managed by ePO, there is a new interface for setting up administrative roles. As in previous versions, administrators have very granular control over what encryption administrators can do. In this article I'll show how to set up four common roles, but the product is capable of supporting dozens of unique admin roles built from the same permission checkboxes.

 

The Roles

Endpoint Encryption Administrator: has full control of the EEPC extension, plus the core ePO console features needed to use it (dashboards, queries, server tasks, System Tree), but cannot manage any other product in ePO

Endpoint Encryption Helpdesk: can perform EEPC administrative recovery (password resets), but nothing else

Endpoint Encryption Engineer: can do password resets and export machine recovery information for use with EE Tech

Endpoint Encryption Auditor: can view EEPC reports but change nothing

 

Note: it is not necessary to create a role for end users. End users authenticate at the pre-boot screen on their own machines and never log in to ePO.

 

Before You Begin

  • Ensure ePO has a registered Active Directory server. You can check by logging into ePO, then going to Menu > Configuration > Registered Servers. A registered AD server will have the type "LDAP server" in the right panel. If you don't see one, you must add one before you proceed, because the permission sets below are populated from AD groups or OUs.
  • Ensure User Auto Creation is enabled in ePO. Go to Menu > Configuration > Server Settings and click User Auto Creation. It is set to No by default, so you may need to click Edit and switch it to Yes. With it enabled, ePO creates the console user record automatically the first time an AD user who is mapped to a permission set logs in; without it, only manually created ePO users can log in.

 

High Level Process

  1. Create ePO permission set for EEPC (one set per role)
  2. Assign AD users or groups to the set
  3. Edit the permissions for the set

 

 

Step By Step Procedure

Create Endpoint Encryption Roles

Log in to ePO

 

Go to Menu > User Management  > Permission Sets

rbac001.PNG

Create a new Permission Set and name it after the role. Use one of the four roles: EEPC Admin, EEPC Helpdesk, EEPC Engineer, or EEPC Auditor.

rbac002.PNG

Then click Add to browse Active Directory. Select the group or OU that contains the users for this permission set. Prefer a dedicated AD group per role over a broad OU, so that membership in the role is explicit and easy to audit.

 

rbac003.PNG

 

Then click OK, then Save to proceed. The Permission Set is now created and has members, but their access level is at zero - by default they have access to nothing. The next step is to grant them access to the appropriate administrative functions.

 

The roles are listed in the left panel and can be modified by simply selecting the role, then browsing the right panel and clicking Edit where appropriate.

 

EEPC Admin Role

  • Endpoint Encryption (enable all features)
    • Change and view policy settings
    • Change and view user management
    • Allow clear SSO
    • Allow force user password change
    • Allow reset token
    • Allow viewing of user recovery information
    • Allow administrative recovery
    • Allow export of machine recovery information
  • Audit Log
    • View audit log
  • Client Events
    • View client events
  • Dashboards
    • Edit public dashboards; create and edit personal dashboards; make personal dashboards public
  • LDAP
    • Browse LDAP servers
  • Queries
    • Edit public queries; create and edit personal queries; make personal queries public
  • Server Tasks
    • Create, edit, view, run, and terminate Scheduler tasks; view Scheduler tasks results in the Server Task Log
  • Systems
    • Enable view system tree tab
    • Enable wake up agents; view agent activity log
  • System Tree Access
    • Grant access to the System Tree groups that contain encrypted systems; which groups you pick depends on how your System Tree hierarchy is designed

 


Endpoint Encryption Helpdesk Role

  • Endpoint Encryption
    • Allow administrative recovery (and nothing else in this section; leave policy and user management unchecked)

     level1-access.PNG

 

 

Endpoint Encryption Engineer Role

  • Endpoint Encryption
    • View policy settings
    • View user management
    • Allow administrative recovery
    • Allow export of machine recovery information

     level2-access.PNG

 

Endpoint Encryption Auditor Role

Simply duplicate or use the Executive Reviewer permission set that is provided by default in ePO; it is a view-only reporting set, so the auditor can run and read reports without being able to change anything. The auditor may be interested in determining whether a specific user's laptop was encrypted, and this can be done, but the process merits its own blog post.
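The four roles above form a privilege ladder (Auditor < Helpdesk < Engineer < Admin), and the usual way they go wrong is drift: someone adds "Allow reset token" or "Change and view user management" to the Helpdesk set to solve a one-off ticket and never removes it. The following Python script is an added example, not code from the original post or from McAfee; it encodes the permission labels exactly as listed in this article and checks the matrix for two properties: no role other than Admin holds a state-changing permission, and each role's permissions are a subset of the next role up. Which labels count as "write" permissions is this example's own classification, and the drift scenario at the bottom is constructed.

```python
"""Least-privilege check for the EEPC/MDE permission sets described in the post.

Added example: the role contents mirror the Endpoint Encryption permission
labels listed in the article; the WRITE_PERMISSIONS classification and the
check functions are this example's own assumptions, not an ePO feature.
"""

# Endpoint Encryption permission labels that appear in the article.
EE_PERMISSIONS = {
    "Change and view policy settings",
    "View policy settings",
    "Change and view user management",
    "View user management",
    "Allow clear SSO",
    "Allow force user password change",
    "Allow reset token",
    "Allow viewing of user recovery information",
    "Allow administrative recovery",
    "Allow export of machine recovery information",
}

# Permissions that change state on the server or the client. Assumption: only
# the Admin role may hold these; recovery/export rights are read-and-hand-out.
WRITE_PERMISSIONS = {
    "Change and view policy settings",
    "Change and view user management",
    "Allow clear SSO",
    "Allow force user password change",
    "Allow reset token",
}

# The four roles exactly as the article defines them (Auditor has no EE rights).
ROLES = {
    "EEPC Admin": set(EE_PERMISSIONS),
    "EEPC Engineer": {
        "View policy settings",
        "View user management",
        "Allow administrative recovery",
        "Allow export of machine recovery information",
    },
    "EEPC Helpdesk": {"Allow administrative recovery"},
    "EEPC Auditor": set(),
}

# Lowest to highest privilege; each role must be a subset of the next one.
LADDER = ["EEPC Auditor", "EEPC Helpdesk", "EEPC Engineer", "EEPC Admin"]


def check_roles(roles):
    """Return a list of human-readable findings; an empty list means the
    matrix matches the intended least-privilege design."""
    findings = []
    for name, perms in roles.items():
        unknown = perms - EE_PERMISSIONS
        if unknown:
            findings.append(f"{name}: unknown permission label(s) {sorted(unknown)}")
        writes = perms & WRITE_PERMISSIONS
        if name != "EEPC Admin" and writes:
            findings.append(f"{name}: holds write permission(s) {sorted(writes)}")
    for lower, higher in zip(LADDER, LADDER[1:]):
        extra = roles.get(lower, set()) - roles.get(higher, set())
        if extra:
            findings.append(f"{lower}: has {sorted(extra)} that {higher} lacks")
    return findings


def role_diff(roles, lower, higher):
    """What a user gains when moved from `lower` to `higher`."""
    return sorted(roles[higher] - roles[lower])


def with_permission(roles, role, permission):
    """Copy of `roles` with one extra checkbox ticked, to model drift."""
    updated = {name: set(perms) for name, perms in roles.items()}
    updated[role].add(permission)
    return updated


if __name__ == "__main__":
    print("Baseline findings:", check_roles(ROLES))
    print("Helpdesk -> Engineer adds:", role_diff(ROLES, "EEPC Helpdesk", "EEPC Engineer"))
    # Constructed drift: a helpdesk set that was "temporarily" given reset-token rights.
    drifted = with_permission(ROLES, "EEPC Helpdesk", "Allow reset token")
    for finding in check_roles(drifted):
        print("DRIFT:", finding)
```

Run it as-is to see the clean baseline and the two findings produced by the drifted Helpdesk set (one for holding a write permission, one for breaking the ladder). To use it against a live ePO, transcribe the checkboxes from each permission set's Endpoint Encryption section into the ROLES dictionary and re-run; any finding is a set that needs editing.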

 


Logging In

To validate the new permission sets, simply log off of ePO and log in with a user that is in one of the new roles. Check both directions: the user should see the screens their role allows, and should not see the ones it does not (a Helpdesk user, for example, should have no policy or user management pages). If the login itself fails, confirm that User Auto Creation is enabled and that the account really is in the AD group or OU you mapped to the set.

 

Note: use the domain\username format when logging in to ePO.

 

Example: mcafeedemo2\georgeadkins is a member of the EEPC Helpdesk group, so when he logs in he goes directly to the administrative recovery (password reset) screen.

rbac009.PNG

 

rbac010.PNG