A feature being reintroduced in Endpoint Encryption 7.0 is the ability to activate Endpoint Encryption for PC without requiring the machine to connect to ePO. The feature, which existed in EEPC 5.x, again allows administrators to encrypt a machine with only the installation files, which is handy for machines that do not have access to the corporate network. This does not mean that such machines need to remain unmanaged: if a machine is able to connect to ePO in the future, it can be managed the same as the rest of the machine population, receiving policy changes and reporting its encryption status.
NOTE: For more information, please also see the FAQs on Offline Activation: https://community.mcafee.com/docs/DOC-4375
There is also a video on this on the McAfee YouTube channel, available by clicking the following link:
A number of files are needed to perform Offline Activation successfully:
- EEPC Agent installer files
- EEPC Plug-in installer files
- EEPC file for creation of the offline activation package
- McAfee Agent installer file
- McAfee ePO server public key
- User configuration file
Step 1: Obtain necessary files from EEPC software download package
Step 2: Create user configuration file
Step 3: Export ePO server public key and McAfee Agent installer package
Step 4: Create offline activation package
Step 5: Run EEPC installer files (MfeEEAgentxx.msi and MfeEEPcxx.msi)
Step 6: Reboot and run offline activation
Offline Activation Package Creation Process
Following the main steps listed above, here are the tasks that must be performed to gather and create the required files and to install EEPC V7 in Offline Activation mode. When gathering or creating the files, it is advisable to create a single folder to hold all the offline files that are required.
1. Gather the files from the EEPC Software download Package
The following files can be obtained from the EEPC software download Package obtained from the McAfee Downloads site.
- Copy the files MfeEEAgent32.msi or MfeEEAgent64.msi
- Copy the files MfeEEPC32.msi or MfeEEPC64.msi
- Copy the EpeOAgenxml.exe (from Admin tools)
2. Create the User Configuration File
You need to have at least one user account within the offline activation package to activate EEPC offline on a client system that is not connected to McAfee ePO. To add these users, first add them to a user configuration file, then use that file when creating the offline package.
Create the following file: Userlist.txt
The format of the file is Name:token-type, e.g. Rbhanwadia:Password
Supported token types are Password, Gemalto, ActivID, PIV and CAC.
NOTE: The token type is Case Sensitive
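A pre-flight check for the user configuration file described in step 2, as an added PowerShell example that is not part of the original article or of McAfee's tooling. The function name Test-EepcUserList and the one-entry-per-line layout are assumptions; the token types are the ones listed above.

```powershell
# Added example, not McAfee code. Test-EepcUserList is a hypothetical helper name.
# Assumption: the file holds one Name:token-type entry per line.
function Test-EepcUserList {
    param([Parameter(Mandatory)][string]$Path)

    # Token types listed in the article; the comparison must be case-sensitive.
    $validTokens = 'Password', 'Gemalto', 'ActivID', 'PIV', 'CAC'
    $problems = @()
    $users = 0
    $lineNo = 0

    foreach ($line in Get-Content -LiteralPath $Path) {
        $lineNo++
        if ([string]::IsNullOrWhiteSpace($line)) { continue }

        # Exactly one ':' separator and a non-empty name are expected.
        $parts = $line.Split(':')
        if ($parts.Count -ne 2 -or $parts[0].Trim() -eq '') {
            $problems += 'Line {0}: expected Name:token-type' -f $lineNo
            continue
        }

        $token = $parts[1]
        if ($token -cin $validTokens) {
            $users++                                  # exact, case-sensitive match
        }
        elseif ($token.Trim() -in $validTokens) {     # right word, wrong case or padding
            $problems += 'Line {0}: token type "{1}" has wrong case or stray spaces' -f $lineNo, $token
        }
        else {
            $problems += 'Line {0}: unsupported token type "{1}"' -f $lineNo, $token
        }
    }

    # The offline package needs at least one usable account.
    if ($users -eq 0) {
        $problems += 'No valid user entry found; at least one user is required'
    }
    $problems
}

# Constructed sample input: one valid entry and one with a wrong-case token type.
$sample = Join-Path $env:TEMP 'UserList.sample.txt'
Set-Content -LiteralPath $sample -Value 'Rbhanwadia:Password', 'jdoe:password'
@(Test-EepcUserList -Path $sample)
```

Run it against the real Userlist.txt before step 5 and build the package only when it returns no problems.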
3. Export the ePO Public Key
- Login to ePO Console
- Click Policy Catalog from the upper Menu Bar
- Select Endpoint Encryption v7 from the Product Dropdown list
- Export the My Default Product Settings Policy by clicking the Export link, then save the My Default policy as ePO_Policy.xml
4. Create the McAfee Agent Installer Package
- Login to ePO Console
- Click System Tree from the top menu bar.
- Click System Tree Actions
- Click New Systems
- Select Create and download agent installation package
If you need to embed credentials you can insert them on this screen.
- Click OK and save the Framepkg.exe package
The folder with the files that have been created, extracted or copied in the above steps should look like the following
5. Create the offline activation Package
Open a command prompt and navigate to the folder with the files created above. If you are unsure of the commands that can be run the help subset menu can be displayed by typing
Note this will also display the current parameters that are set.
- Type the following to use the user configuration file and enable SingleSignOn
EpeOaGenXml.exe --user-file UserList.txt --Sso true
This will run the creation script and will create the file called OfflineActivation.exe in the same folder.
6. Install the files on the client machine
- Copy the files from the offline Package folder to the client machine
- Install MfeEEAgent32.msi (MfeEEagent64.msi on 64bit)
- Install MfeEEPc32.msi (MfeEEPc64.msi on 64bit)
- This install will require a reboot
- Reboot the machine
- Run the OfflineActivation.exe file. This takes approx. 2-3 minutes; it opens a command prompt shell and exits upon completion.
7. Verification of EEPC Offline Activation
To verify that the offline activation has completed, check for the following:
- EEPC recovery key - Check the root of the C: drive for the recovery key called EERecovery.xml
- Check the MfeEpe log file, located at c:\program files\McAfee\Endpoint Encryption Agent\MfeEpe.log. The following is an excerpt from the file to show success
When you restart the machine with Autoboot set to false, you will have to log in with the username specified and enter the default password, and you will then be prompted to change the password. The following is an example of the PBA (Pre-Boot Authentication) screen; this is the default behaviour when booting the client.
8. Managed Client from McAfee ePO
If you want this client to be managed by McAfee ePO, install the framepkg.exe that was created above. Once it connects to ePO, this becomes a managed install and receives the Endpoint Encryption policy from the McAfee ePO console. Additional server tasks are required, such as registering the LDAP server and running the EE sync task; for these, please refer to the Endpoint Encryption Product Guide. Once the machine is managed by McAfee ePO, the recovery key is transferred to McAfee ePO so that it can be used in the event that the key is required for recovery.