Update: In 2014 McAfee renamed Endpoint Encryption for PC (EEPC) to McAfee Drive Encryption (MDE). These instructions are valid for both versions.
The pre-boot authentication screen controls which users can access a system that is encrypted with McAfee EEPC. The process of deciding which user accounts are allowed to authenticate to a particular machine's pre-boot environment is referred to as provisioning. In this post, I'll describe all the user provisioning options available in EEPC and also recommend a best practice approach.
There are three ways to provision a user to a system:
- Individual assignment via the Encryption Users screen in ePO
- Group Users assignment via the Encryption Users screen in ePO
- Automatically add users found on the endpoint via the Add Local Domain Users policy option in the product settings policy
Note: User provisioning is only required for pre-boot authentication. You do not need to provision helpdesk technicians if their only job is to do remote password recoveries or other server-side operations. If someone is never going to physically touch an encrypted system, then they do not need to be provisioned to it.
Individual Assignment
This method allows the administrator to assign a single user to a single system. It is best used as an ad-hoc method for provisioning users to systems. Because it is not an automated solution, it should not be your primary method of user provisioning.
To assign an individual user (or group of users) to a single system, go to menu > data protection > endpoint encryption users. Then select the system to which the user should be added, and click actions > endpoint encryption > add user(s). The next screen will prompt you to browse Active Directory and select your user(s), group or OU that you wish to assign.
Group Users Assignment
This method is similar to the individual assignment method, but it allows you to assign the user or users to an entire group of systems in the system tree. This is particularly useful for field support technicians. Anyone who may have to log in to the pre-boot environment of any system in the environment should be added as a group user to the appropriate group in the system tree (or at the My Organization level if they should be able to log in to all systems in the environment).
To establish a group user for a group of systems, go to menu > data protection > endpoint encryption users. Choose the appropriate group in the system tree in the left pane, then select the Group Users tab in the right pane. Then click actions > endpoint encryption > add user(s). The next screen will prompt you to browse Active Directory and select your user(s), group or OU that you wish to assign.
Automatic Assignment on the Endpoint
Manually assigning individual users for each system in your environment would be a time-consuming undertaking. EEPC v6 automates this process with a new feature called Add Local Domain Users in the product settings policy. If enabled, the agent will enumerate the currently logged-in Windows user and all the cached profiles on the endpoint. This data will then be sent to ePO, and ePO will automatically provision those users to that system. This is the best way to provision end users to systems and should be done in almost all cases. Some special systems, like loaner laptops or classroom PCs, will require a different user provisioning strategy.
To enable the Add Local Domain Users Feature, go to menu > policy > policy catalog and select Endpoint Encryption from the drop-down menu. Then select the product settings policy and go to the Log On tab. Then check the box for Add local domain users.
Provisioning Best Practice
The best practice for user provisioning is to assign administrators to systems using the Group Users feature, and to add end users to systems using the Add Local Domain Users feature. All new deployments should start with this methodology and deviate from it only when needed. To do this, you simply need to enable Add Local Domain Users in your policy before you start the deployment. You also need to set up the group users for the different groups in your system tree.
When using the Group Users feature, be sure to limit the number of users provisioned as group users. Where possible, only provision group users who will actually have physical interaction with the system. Avoid global access groups if at all possible (i.e. don't just assign all of your administrators as group users at the My Organization level of the system tree). As a rule of thumb, do not assign more than 200 group users to any individual system. You can do more than this, but you'll have to increase the size of the PBFS (in menu > configuration > server settings > endpoint encryption), and you'll also have to understand the increased load this will put on ePO.
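The two guidelines above (group users inherit down the system tree, so a My Organization assignment reaches every system, and a system should not inherit more than 200 group users) are easy to check against a model of your tree. The following Python script is an added illustration, not McAfee or ePO code: it models a system tree with group users per group, individually assigned users and users reported by Add Local Domain Users per system, computes the effective pre-boot user set for each system, and reports systems that break the guidance. The tree layout, user names, and the `Group` class are constructed for the example; the only page-derived value is the 200-group-user rule of thumb.

```python
from dataclasses import dataclass, field

GROUP_USER_LIMIT = 200  # rule of thumb from the post; above this the PBFS size must be raised


@dataclass
class Group:
    """A node in the ePO system tree with its Group Users assignments (constructed model)."""
    name: str
    group_users: set = field(default_factory=set)
    children: list = field(default_factory=list)
    # system name -> {"individual": users assigned on the Encryption Users screen,
    #                 "local_domain": users found by Add Local Domain Users}
    systems: dict = field(default_factory=dict)


def effective_users(group, inherited=frozenset(), path=()):
    """Yield (system, tree path, users by source) for every system below `group`.

    Group users are inherited down the tree: a user added as a group user on
    'My Organization' can authenticate at pre-boot on every system.
    """
    inherited = inherited | frozenset(group.group_users)
    path = path + (group.name,)
    for system, sources in group.systems.items():
        yield system, path, {
            "group": set(inherited),
            "individual": set(sources.get("individual", ())),
            "local_domain": set(sources.get("local_domain", ())),
        }
    for child in group.children:
        yield from effective_users(child, inherited, path)


def audit(root):
    """Return a list of findings against the post's best-practice guidance."""
    findings = []
    if root.group_users:
        findings.append(
            f"{len(root.group_users)} group user(s) assigned at '{root.name}' "
            "can log in to every system; assign them lower in the tree"
        )
    for system, path, users in effective_users(root):
        if len(users["group"]) > GROUP_USER_LIMIT:
            findings.append(
                f"{system} ({'/'.join(path)}) inherits {len(users['group'])} group users; "
                f"above {GROUP_USER_LIMIT}, the PBFS size must be increased"
            )
        if not users["local_domain"] and not users["individual"]:
            findings.append(
                f"{system} ({'/'.join(path)}) has no end user provisioned; "
                "check that Add Local Domain Users is enabled in its policy"
            )
    return findings


def build_sample_tree():
    """Constructed sample tree; all names are invented for the illustration."""
    root = Group("My Organization", group_users={"global-admin"})  # deliberately against guidance
    sales = Group("Sales", group_users={"field-tech-01", "field-tech-02"})
    sales.systems = {
        "LAPTOP-SALES-01": {"local_domain": {"CORP\\alice"}},
        "LAPTOP-SALES-02": {"local_domain": set()},  # agent has reported no users yet
    }
    # An over-provisioned group: 201 group users, generated for the example
    datacenter = Group("Datacenter", group_users={f"dc-tech-{i:03d}" for i in range(201)})
    datacenter.systems = {"KIOSK-01": {"individual": {"CORP\\kiosk"}}}
    root.children = [sales, datacenter]
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for system, path, users in effective_users(tree):
        print(system, "/".join(path),
              "group:", sorted(users["group"]),
              "end users:", sorted(users["local_domain"] | users["individual"]))
    for finding in audit(tree):
        print("FINDING:", finding)
```

Feeding the real tree in is the part left to you: the group and system data would come from ePO exports or the Encryption Users screen, and the audit logic stays the same. The sample tree is built to trigger all three findings, so the output shows a top-level group user, a system with no end user, and a system inheriting more than 200 group users.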