Update: In 2014 McAfee renamed Endpoint Encryption for PC (EEPC) to McAfee Drive Encryption (MDE). These instructions are valid for both versions.


Introduction

Out Of Band User Management is a new feature in EEPC v7. It is one of the three new Out Of Band management features that are available if you have Intel vPro hardware and McAfee Deep Command in place. The idea of user management is to allow helpdesk administrators to solve EEPC user issues (e.g. forgotten passwords) without needing to use the challenge/response process. Using the network stack provided by Intel vPro and McAfee Deep Command allows us to transfer keys over the network instead of reading them out verbally. This is a major time saver. Traditional challenge/response helpdesk calls took about 25 minutes, and now we can do those same operations in about 2 minutes - that's more than a 10X reduction!


The main benefit of Out Of Band User Management is that it eliminates the need to do the challenge/response process.

[Figure: side-by-side comparison of the helpdesk password-recovery workflow. Panels: "All Previous Versions" (challenge/response) and "EEPC v7" (Out Of Band User Management)]


Reset User Password

Currently Out Of Band User Management consists of one feature, and that is the ability to reset a user's password. When this feature is used, the user's token is reset to the value that the administrator enters in ePO. If the policy is set to not require a default password, then the user will not have to enter this password. Instead, they will simply see a screen that asks them to enter a new password, and then confirm that password in a second password entry field. The important thing to note here is that the process of entering challenge/response codes is gone. Instead, the administrator simply creates a new password in ePO and then we use the network stack provided by Intel vPro and McAfee Deep Command to send that new value to the system.


Workflow

  1. Administrator selects system(s) in System Tree. If the administrator does not know the system name, then the administrator can ask the end user to provide it. This information is now displayed in the EEPC pre-boot environment recovery screen. To get to this screen, simply click on Options > Recovery in the pre-boot login screen.
  2. Select Actions > Endpoint Encryption > Out Of Band User Management.
  3. Administrator chooses to reset the user's password token.
  4. Administrator selects the user.
  5. Administrator creates a temporary password for the user.
  6. McAfee ePO writes the action to the Out Of Band Work Queue
  7. The EEPC pre-boot environment will attempt to establish a secure connection with ePO
    1. This can take up to 5 minutes if the system is booted and currently in the EEPC pre-boot environment
    2. If you reboot the system, it will attempt a connection immediately
  8. McAfee ePO delivers the new password data to the EEPC pre-boot environment. Note that this takes up to 30 seconds after boot, so the user will have to wait for an on-screen indicator before they attempt to log in with the new password.
  9. There are now two paths for using the new password:
    1. If the password policy is set to not require the use of default passwords, then the user does not need to enter the password entered in ePO by the administrator. Instead, the user will simply be able to create a new password in the pre-boot environment.
    2. If the password policy is set to require the use of default passwords, then the user will have to enter the password that the administrator entered in ePO. After this, the user will be immediately required to enter a new password.
  10. The Windows OS loads
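The following Python is an added illustration of the workflow above, not McAfee code and not the ePO or Deep Command API. It models the Out Of Band Work Queue (steps 6 to 8) and the two policy paths in step 9 with hypothetical classes and function names, so that the difference between the two paths, and the fact that the administrator's temporary value is replaced at first use, can be exercised directly. System names, user names and passwords in it are constructed sample values.

```python
"""Toy model of the EEPC v7 Out Of Band password-reset workflow.

Added illustration only: every class and function here is hypothetical and
is not the ePO / Deep Command API. It models the Out Of Band Work Queue,
delivery of the administrator's temporary password to the pre-boot
environment, and the two password-policy paths the user then sees.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class PasswordPolicy(Enum):
    DEFAULT_PASSWORD_NOT_REQUIRED = "no_default"  # user only sets a new password
    DEFAULT_PASSWORD_REQUIRED = "default"         # user types the temp password first


@dataclass
class WorkItem:
    """One queued action: reset this user's token on this system."""
    system: str
    user: str
    temp_password: str


class OutOfBandWorkQueue:
    """Stand-in for the ePO Out Of Band Work Queue (hypothetical)."""

    def __init__(self) -> None:
        self._items: List[WorkItem] = []

    def enqueue(self, item: WorkItem) -> None:
        self._items.append(item)

    def fetch_for(self, system: str) -> List[WorkItem]:
        """Hand out and remove every pending item addressed to one system."""
        mine = [i for i in self._items if i.system == system]
        self._items = [i for i in self._items if i.system != system]
        return mine


@dataclass
class PreBootUser:
    """Per-user state held by the pre-boot environment (hypothetical)."""
    name: str
    password: str
    reset_pending: bool = False  # a reset was delivered but not yet consumed


# Steps 2-6: the administrator's action ends up in the work queue.
def admin_reset_password(queue: OutOfBandWorkQueue, system: str,
                         user: str, temp_password: str) -> None:
    queue.enqueue(WorkItem(system, user, temp_password))


# Steps 7-8: the pre-boot environment connects and applies delivered items.
def preboot_sync(queue: OutOfBandWorkQueue, system: str,
                 users: Dict[str, PreBootUser]) -> int:
    """Apply every queued reset for this system; return how many were applied."""
    applied = 0
    for item in queue.fetch_for(system):
        u = users.get(item.user)
        if u is None:
            continue  # user not present on this system: nothing to reset
        u.password = item.temp_password  # token now holds the ePO value
        u.reset_pending = True
        applied += 1
    return applied


# Step 9: the user logs in; the outcome depends on policy and pending state.
def preboot_login(user: PreBootUser, policy: PasswordPolicy,
                  entered: str, new_password: str = "") -> str:
    if user.reset_pending:
        if (policy is PasswordPolicy.DEFAULT_PASSWORD_REQUIRED
                and entered != user.password):
            return "denied"  # the temp password from ePO must be typed first
        if not new_password:
            return "new-password-required"  # screen asks for a new password
        user.password = new_password  # temp value is single-use: replaced here
        user.reset_pending = False
        return "password-changed"
    return "ok" if entered == user.password else "denied"


if __name__ == "__main__":
    q = OutOfBandWorkQueue()
    users = {"alice": PreBootUser("alice", "old-secret")}  # constructed sample
    admin_reset_password(q, "LAPTOP-01", "alice", "Temp#1234")
    print("applied:", preboot_sync(q, "LAPTOP-01", users))
    print(preboot_login(users["alice"], PasswordPolicy.DEFAULT_PASSWORD_REQUIRED,
                        "Temp#1234", "New!pass"))
```

The model makes the policy difference concrete: with default passwords not required, whatever is typed in the password field is ignored and only the new password matters; with default passwords required, the temporary value is checked once and is then gone, so a second attempt with it is denied.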


Demo Video


Other Resources

EEPC v7.0 FAQ - Integration with Intel AMT for Out of Band Management