Update: In 2014 McAfee renamed Endpoint Encryption for PC (EEPC) to McAfee Drive Encryption (MDE). These instructions are valid for both versions.
Endpoint Encryption Go is a pre-flight inspection utility designed to reduce failure rates during an Endpoint Encryption deployment. EE Go performs a series of tests on a target system and then reports the results back to McAfee ePO. If the system passes all tests, then the administrator knows that it is safe to encrypt that system with full disk encryption. This kind of pre-installation checking is unique in the industry and we are proud to offer it at no charge to our Endpoint Encryption customers. The purpose of this post is to introduce the product and lay out an automated process for using the data collected by EE Go in your Endpoint Encryption for PC deployment.
What are the EE Go Tests?
Put simply, full disk encryption will cause unhealthy disks in your environment to fail. Encryption doesn't "break" the disk; it simply exposes an already existing failure. The same failures would occur if you filled the disk with data, or if you ran a chkdsk /r. The problem with chkdsk, however, is that it is a volatile test: if you run it on an unhealthy disk, the disk will fail as a result of the chkdsk. This creates a challenge for administrators because there isn't a non-volatile test to predict hard disk failures. EE Go changes that. EE Go queries the S.M.A.R.T. attributes (specifically the PredictFailure attribute) of the disk to determine the health of the disk and its readiness to support full disk encryption. This test is non-volatile and happens instantly. This is a big improvement over chkdsk, which is a volatile test and takes a long time to run - robbing your end users of valuable productivity time!
McAfee ePO Communication
Endpoint Encryption for PC uses data channels for communication with ePO during installation and activation. If there is a problem with the data channels, EE Go will discover it and report on it.
Full disk encryption products cannot co-exist on a system. Given the mature state of the market and the availability of free full disk encryption products, it is likely that at least some systems in your deployment will be at risk for this incompatibility. To guard against this risk, EE Go will check for the existence of competitive products on each system. By default, it checks for the following products: SafeBoot (legacy McAfee EEPC), HP ProtectTools 2009, Microsoft BitLocker, Pointsec, Truecrypt, GuardianEdge, Symantec Endpoint Encryption, SafeGuard Easy and PGP Whole Disk Encryption.
Other Hard Disk Characteristics
EE Go will test the hard disk to see if it is a self-encrypting drive. If the hard disk features hardware-based encryption, then an administrator probably wouldn't want to add software FDE on top of that. In a future release, EEPC will natively manage OPAL compliant self-encrypting drives, but until then we will simply report on their existence in your environment. EE Go will also test the hard disk to ensure that our MBR can be created on the disk. This test is critical because the product will not function if it cannot modify the MBR.
Installation and Deployment
Endpoint Encryption Go is not part of the EEPC download package. It needs to be downloaded and installed like any other McAfee product, and it can be installed before or after installing EEPC (there is no dependency). EE Go gets its data from the endpoints, so it must be deployed to those endpoints in order to report data back to ePO. The default EE Go policy is suitable for all deployments, so there is no need to configure the policy. Just install the extension and package, and then deploy EE Go to your endpoints. Please note that EE Go does not require a reboot; it will start working immediately.
Once EE Go is deployed to an endpoint, the following will happen:
- EE Go service will start
- EE Go performs the checks in this order:
  - Initiate a Data Channel connection from client to server
  - Wait for Data Channel response to client from server (waits for 30 minutes)
  - Check if the drive is an OPAL compliant self-encrypting drive
  - Check for incompatible products
  - Check hard disk health
  - Enumerate hard disk partitions and check for available free space on the boot partition
- EE Go will wait for the next ASCI
- On ASCI EE Go will send the results of all tests to ePO
Note: If the first ASCI happens while EE Go is in the middle of a test, it will simply send the data on the next ASCI.
Note: EE Go continually runs these checks every time the EE Go service starts. This happens on every reboot, but can also be manually triggered by simply restarting the service.
Understand the Data
The EE Go extension includes a set of queries and a default dashboard that display the EE Go data. The most important dashboard monitor is the one in the upper-left: Endpoint Encryption Go Compliance. This indicates if systems have passed all of the EE Go tests. Generally speaking, you only want to deploy EEPC to systems that have passed all the tests. Systems that have passed all the tests will return a status of "Success" and later we will setup automation that deploys EEPC only to the systems that return this status.
The Data Channel Status dashboard monitor indicates the number of systems that have passed or failed the Data Channel test. The Incompatible Products dashboard monitor lists all of the incompatible products that have been found. The Test Failures dashboard monitor lists all of the test failures that have been detected. Both the Incompatible Products and Test Failures dashboards only show failures, so these won't be very interesting unless you have some failures in your environment.
Endpoint Encryption Go Compliance
This indicates the system's overall readiness for an EEPC deployment. It considers all the checks represented in the Incompatible Products monitor and the Test Failures monitor. If it passes all of these checks, then it will get a status of Success. These systems are safe to deploy EEPC to and we recommend building a tag for these systems so that you can target your EEPC deployment to just these systems - more on that below.
Endpoint Encryption Data Channel Status
Because EEPC uses the Data Channel to back up its encryption key during the installation process, it is critical to know if the data channel is working. EE Go will check this on the client side, and that result is captured in the Test Failures monitor. If you want to initiate a manual check from the server, you can also do that. The results from such a manual check will be represented in the Data Channel Status monitor. Because this monitor is used for manual checking done on an ad-hoc basis, its data is not considered by the Endpoint Encryption Go Compliance logic.
Endpoint Encryption Incompatible Products
This monitor displays any incompatible products found in the environment, and provides a count that indicates the number of systems that have the incompatible product installed. If a system is represented in this monitor, then it will have a status of "Failed" in the Endpoint Encryption Go Compliance monitor.
Endpoint Encryption Test Failures
This monitor lists the number of test failures in the environment. If a system is represented in this monitor, then it will have a status of "Failed" in the Endpoint Encryption Go Compliance monitor.
Data Channel (Client to Server)
This indicates if the client was able to initiate a data channel connection to the ePO server. This might fail if the endpoint has no network connection, or if the ePO server was down or too busy to receive connections. Remember that this test failure may occur after EEPC has been successfully deployed to the system. EE Go continues running its checks even if they have been previously successful or if EEPC is already installed and active.
Data Channel (Server to Client)
This indicates if the client received a response from the server within the 30-minute window that it waits. This is the most common failure that we see, because systems are oftentimes off the corporate network and connected to an access point that does network address translation, making it impossible for ePO to initiate a session with the client. This situation usually remedies itself by the end user simply connecting to the corporate network or connecting via VPN. Again, this may not indicate an actual problem, because the system could have passed the test previously but cannot pass the test again in its current state. Given the nature of the test, we actually expect to see failures in the real world (unless users are always connected to the network or connected via VPN).
This indicates if we can enumerate the partitions on the disk and if there is enough free space on the boot partition to create our pre-boot file system. If either test fails on a system, then that system will be represented in this monitor.
Not Installed / Enabled
This simply indicates if EE Go is installed on a system, so all systems without EE Go installed will be represented in this monitor.
This provides a total count of all systems that were found to have competitive products installed.
This indicates if the drive passed our disk health check. This test simply queries the S.M.A.R.T. attributes and reads the predict failure attribute. If that attribute is yes, then the disk fails this test and the system is represented in this monitor.
This is a simple check that evaluates the hard drive to see if it is an OPAL compliant self-encrypting disk. If it is, then it fails this check and those systems get represented in this monitor.
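The disk health check described above (and in the "What are the EE Go Tests?" section) reads the S.M.A.R.T. PredictFailure attribute. The following script is an added example written for this post; it is not McAfee's EE Go code. It performs the same non-volatile read through WMI. It assumes Windows, an elevated PowerShell session (the root\wmi namespace requires administrator rights) and a storage driver that exposes the MSStorageDriver_FailurePredictStatus class; disks behind some RAID or USB controllers expose nothing there, and the script reports those as Unknown rather than as healthy.

```powershell
# Added example for this post (not McAfee's EE Go code): a non-volatile disk-health check that
# reads the S.M.A.R.T. failure-prediction flag through WMI, the attribute EE Go relies on.
# Assumptions: Windows, elevated session, and a driver exposing MSStorageDriver_FailurePredictStatus.

function Get-SmartPredictFailureStatus {
    [CmdletBinding()]
    param()

    try {
        $entries = @(Get-CimInstance -Namespace 'root\wmi' `
                                     -ClassName 'MSStorageDriver_FailurePredictStatus' `
                                     -ErrorAction Stop)
    } catch {
        # WMI could not be queried at all (no driver support, or session not elevated).
        return ,[pscustomobject]@{ Disk = 'n/a'; Status = 'Unknown'; Reason = $_.Exception.Message }
    }

    if ($entries.Count -eq 0) {
        # The class exists but no disk reports through it: treat as unknown, not as healthy.
        return ,[pscustomobject]@{ Disk = 'n/a'; Status = 'Unknown'; Reason = 'Driver exposes no S.M.A.R.T. status' }
    }

    foreach ($entry in $entries) {
        # PredictFailure is the yes/no described in the post: yes means the disk fails the test.
        $status = 'Success'
        if ($entry.PredictFailure) { $status = 'Failed' }
        [pscustomobject]@{
            Disk   = $entry.InstanceName
            Status = $status
            Reason = $entry.Reason    # vendor-specific code; 0 when no failure is predicted
        }
    }
}

function Test-DiskHealthForFde {
    # Same semantics as the compliance monitor: every disk must report an explicit Success.
    # Unknown blocks deployment so that an administrator looks at the system first.
    $statuses = @(Get-SmartPredictFailureStatus)
    $statuses | Format-Table -AutoSize | Out-String | Write-Host
    $notPassing = @($statuses | Where-Object { $_.Status -ne 'Success' })
    return ($notPassing.Count -eq 0)
}

if (Test-DiskHealthForFde) {
    Write-Output 'Disk health: Success - safe to schedule full disk encryption'
} else {
    Write-Output 'Disk health: Failed or Unknown - do not encrypt this system yet'
}
```

Run it from an elevated prompt on a candidate system before deployment, or after deployment on a system that EE Go has started reporting as failed, to see which physical disk and vendor reason code triggered the failure. The script deliberately refuses to call a disk healthy when the driver returns nothing, because silence from WMI is not evidence of health.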
Automatically Deploy EEPC to Systems that Pass All EE Go Tests
McAfee ePO doesn't just store the data collected by EE Go, it also makes it actionable. By leveraging tagging, a custom query and a server task we can create a zero-touch system that automatically deploys EEPC to systems that pass all EE Go tests.
High Level Process
- Make an EEGO tag
- Make a custom query that finds all EE Go "Success" systems
- Make a server task that applies the EEGO tag to those systems
- Make a deployment task that deploys EEPC to those systems
Step By Step Procedure
Log in to ePO and select Menu > Systems > Tag Catalog, then select Tag Actions > New Tag. Make a new tag called EEGO. Since this will be a custom tag, you can simply click Next on steps two and three and save the tag on step four. Later, we will use a custom query to decide which machines should get this new EEGO tag.
Next go to Menu > Reporting > Queries and Reports. Then click New to create a new report. On the first step of the Query Builder, select System Management > Managed Systems and then click Next.
Note: Do not duplicate any of the default EE Go queries when creating this query. You must start with a new query.
On step two of the Query Builder, select List > Table and keep the default value for the Sort by field (Agent GUID). On step three of the Query Builder, simply remove all columns other than System Name. Step four of the Query Builder is when EE Go data gets involved. For the filter, select EEGo Compliance and set the values to Equals and Success. To ensure that the query only processes new data, use a second filter to limit the results to only those systems that do not already have the EEGO tag applied. This is done by selecting Tags and then setting the values to Does not have tag and EEGO. The filters are shown below. Once they are set, simply click Save. Then name the query EE GO: Compliance Success, and give it a description. Finally, click Save to finish the process.
Next go to Menu > Automation > Server Tasks. Select New task and start the Server Task Builder. First, name the task and give it a description.
For Actions, select Run Query and then select the EE GO: Compliance Success query that you just created.
For Sub-Actions, select Apply Tag and then select your recently-created EEGO tag. Then click Next to proceed.
Set a schedule for the server task and complete the Server Task Builder.
You can then run the task to confirm that it properly tags your systems. The Log Messages will display the number of systems that have been tagged.
You can then go to the System Tree to confirm that the tag has been applied.
Now that the systems are being tagged, the final step is to make a tag-based Deployment Task. This is done in the Client Task Assignment Builder. Simply select "Send this task only to computers which have the following criteria" and then choose "Has any of these tags" and select EEGO.
Under these conditions, any system newly-tagged with the EEGO tag will receive the deployment task on the next ASCI.
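The server task above does one thing: run the EE GO: Compliance Success query and apply the EEGO tag to every system it returns. The following script is an added example written for this post, not part of the post's procedure and not McAfee code. It performs that same loop from outside ePO through the ePO web API, which is useful for a dry run before the scheduled task goes live or for driving the tagging from another automation host. It assumes the web API listens on port 8443, the account may run queries and apply tags, and the remote command names and parameters (core.listQueries returning objects with id and name, core.executeQuery taking queryId, system.applyTag taking a comma-separated names list and tagName) and the System Name column appearing in JSON output as EPOLeafNode.NodeName; verify all of these on your own server with https://<epo>:8443/remote/core.help before relying on them.

```powershell
# Added example, not from the post and not McAfee code: the server task's "run query, apply tag"
# loop driven through the ePO web API. Command names, parameters and the EPOLeafNode.NodeName
# column name are assumptions; confirm them with https://<epo>:8443/remote/core.help.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string]       $EpoServer,
    [Parameter(Mandatory)] [pscredential] $Credential,
    [string] $QueryName = 'EE GO: Compliance Success',
    [string] $TagName   = 'EEGO'
)

function Invoke-EpoCommand {
    param([string] $Command, [hashtable] $Arguments = @{})

    # ePO uses HTTP basic authentication and prefixes every remote-command response with
    # "OK:" (or "Error:"); ':output=json' makes the payload after that prefix parseable.
    $pair    = '{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password
    $headers = @{ Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair)) }
    $body    = @{ ':output' = 'json' } + $Arguments

    $response = Invoke-WebRequest -Uri "https://${EpoServer}:8443/remote/$Command" `
                                  -Method Post -Body $body -Headers $headers -UseBasicParsing
    $text = $response.Content
    if ($text -notmatch '^OK:') { throw "ePO rejected ${Command}: $text" }
    $payload = $text.Substring(3).Trim()
    if ($payload -eq '') { return $null }
    return ($payload | ConvertFrom-Json)
}

# 1. Locate the custom query built in the post by its name.
$query = @(Invoke-EpoCommand 'core.listQueries') |
         Where-Object { $_.name -eq $QueryName } | Select-Object -First 1
if (-not $query) { throw "Query '$QueryName' not found; create it under Queries & Reports first." }

# 2. Run it. The query already excludes systems carrying the tag, so every row is a
#    newly compliant system (the "Does not have tag EEGO" filter does the bookkeeping).
$rows  = @(Invoke-EpoCommand 'core.executeQuery' @{ queryId = $query.id })
$names = @($rows | ForEach-Object { $_.'EPOLeafNode.NodeName' } | Where-Object { $_ })

if ($names.Count -eq 0) {
    Write-Output 'No newly EE Go-compliant systems to tag.'
    return
}

# 3. Apply the tag; the deployment task keyed on "Has any of these tags: EEGO" takes over on
#    the next ASCI. Running the script with -WhatIf lists the systems without changing ePO.
if ($PSCmdlet.ShouldProcess(($names -join ', '), "Apply tag $TagName")) {
    $tagged = Invoke-EpoCommand 'system.applyTag' @{ names = ($names -join ','); tagName = $TagName }
    Write-Output "ePO reported $tagged system(s) tagged with $TagName."
}
```

Use a dedicated ePO account with only the query and tagging permissions this needs, and make sure the automation host trusts the ePO server certificate rather than disabling certificate validation, since the credentials travel in the Authorization header of every call. Compare the count ePO returns with the Log Messages of the server task to confirm both paths tag the same systems.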
Remember that EE Go will continually test the system and report those results to McAfee ePO. As a result, you may want to have other automated tasks in place. For example, a hard disk may have been healthy and gotten encrypted six months ago. If that hard disk starts to go bad now, EE Go will know this and report it to ePO. However, the administrator now has an at-risk system in the environment. To remedy this situation, the administrator could set up automatic alerting in ePO - keying on systems that are encrypted but suddenly start reporting S.M.A.R.T. failures in EE Go. The administrator could do more than alert in that situation; they could also automatically switch the policy to a decrypt policy.
I have also attached a PowerPoint presentation that walks through the process by showing a screenshot of each step in the process.
Special thanks to Fausto Oliveira for supplying the dashboard image and to Scott Taschler for helping me with the custom query.
EE Go Setup.pptx 1.4 MB