Endpoint Encryption 7.0 reintroduces the ability to activate Endpoint Encryption for PC (EEPC) without requiring the machine to connect to ePO. The feature, which existed in EEPC 5.x, again allows administrators to encrypt a machine with only the installation files, which is handy for machines that do not have access to the corporate network. This does not mean that such machines must remain unmanaged: if a machine is able to connect to ePO in the future, it can be managed the same as the rest of the machine population, receiving policy changes and reporting its encryption status.

 

NOTE: For more information, please also see the FAQs on Offline Activation: https://community.mcafee.com/docs/DOC-4375

 

 

There is also a video on this on the McAfee YouTube channel, available by clicking the following link:

 

Capture.PNG

A number of files are needed to successfully perform Offline Activation:

 

Files                                   Description
MfeEEAgent32.msi or MfeEEAgent64.msi    EEPC Agent Installer files
MfeEEPc32.msi or MfeEEPc64.msi          EEPC Plug-in installer files
EpeOaGenxml.exe                         EEPC File for creation of offline Activation Package
Framepkg.exe                            McAfee Agent Installer File
ePO_policy.xml                          McAfee ePO Server Public Key
Userlist.txt                            User Configuration File

 

Overview

Step 1: Obtain necessary files from EEPC software download package

Step 2: Create user configuration file

Step 3: Export ePO server public key and McAfee Agent installer package

Step 4: Create offline activation package

Step 5: Run EEPC installer files (MfeEEAgentxx.msi and MfeEEPcxx.msi)

Step 6: Reboot and run offline activation

 

 

Offline Activation Package Creation Process

Following the main steps listed above, these are the tasks that must be performed to gather and create the required files and to install EEPC V7 in Offline Activation mode. When gathering or creating the files, it is advisable to create a folder to hold all the offline files that are required.


1.     Gather the files from the EEPC Software download Package

 

The following files can be obtained from the EEPC software download package, available from the McAfee Downloads site.

  • Copy the files MfeEEAgent32.msi or MfeEEAgent64.msi
  • Copy the files MfeEEPC32.msi or MfeEEPC64.msi
  • Copy the EpeOAgenxml.exe (from Admin tools)

 

2.     Create the User Configuration File

 

You need to have at least one user account within the offline activation package to activate EEPC offline on a client system that is not connected to McAfee ePO. To add these users, first add them to a user configuration file, then use that file when creating the offline package.

Create the following file: Userlist.txt

The format of each entry in the file is Name:token-type, e.g. Rbhanwadia:Password

 


 


Supported token types are: Password, Gemalto, ActivID, PIV and CAC.

NOTE: The token type is case sensitive.

 


3.     Export the ePO Public Key

  • Log in to the ePO Console
  • Click Policy Catalog from the upper Menu Bar


  • Select Endpoint Encryption v7 from the Product Dropdown list


  • Export the My Default Product Settings Policy by clicking the Export link, then save the My Default policy as ePO_Policy.xml

 


 

4.     Create the McAfee Agent Installer Package

  • Log in to the ePO Console
  • Click System Tree from the top menu bar.
  • Click System Tree Actions
  • Click New Systems
  • Select Create and download agent installation package

    


 

 

If you need to embed credentials you can insert them on this screen.

  • Click OK and save the Framepkg.exe package


The folder containing the files created, extracted or copied in the above steps should look like the following:

pic7.png
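
A pre-flight check of the package folder and Userlist.txt before running step 5, as an added example (not McAfee tooling and not part of the original document). It assumes one entry per line written exactly like the example above with no spaces around the colon, treats blank lines as harmless and repeated user names as mistakes, and compares file names case-insensitively as Windows does; check_userlist and check_folder are hypothetical helper names.

```python
import sys
from pathlib import Path

# Token types listed in this document; it notes they are case sensitive.
TOKEN_TYPES = {"Password", "Gemalto", "ActivID", "PIV", "CAC"}
# Files from the table above; {bits} is 32 or 64 for the target client.
REQUIRED = ["MfeEEAgent{bits}.msi", "MfeEEPc{bits}.msi", "EpeOaGenXml.exe",
            "Framepkg.exe", "ePO_policy.xml", "Userlist.txt"]


def check_userlist(text):
    """Return a list of problems found in Userlist.txt content."""
    problems, seen = [], set()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue  # assumption: blank lines are harmless
        name, sep, token = line.partition(":")
        # Assumption: follow the document's example exactly, no spaces around ':'.
        if not sep or not name or not token or name[-1].isspace() or token[0].isspace():
            problems.append(f"line {no}: expected Name:token-type, got {raw!r}")
            continue
        if token not in TOKEN_TYPES:
            fix = next((t for t in TOKEN_TYPES if t.lower() == token.lower()), None)
            hint = f" (case matters, use {fix!r})" if fix else ""
            problems.append(f"line {no}: unsupported token type {token!r}{hint}")
        if name.lower() in seen:  # assumption: a repeated name is a mistake
            problems.append(f"line {no}: duplicate user {name!r}")
        seen.add(name.lower())
    if not seen:
        problems.append("no users defined; at least one is required")
    return problems


def check_folder(folder, bits=64):
    """Return problems for the offline package folder (names compared case-insensitively)."""
    present = {p.name.lower(): p for p in Path(folder).iterdir() if p.is_file()}
    wanted = [n.format(bits=bits) for n in REQUIRED]
    problems = [f"missing file: {n}" for n in wanted if n.lower() not in present]
    userlist = present.get("userlist.txt")
    if userlist:
        problems += check_userlist(userlist.read_text(encoding="utf-8-sig", errors="replace"))
    return problems


if __name__ == "__main__":
    issues = check_folder(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("\n".join(issues) or "package folder looks complete")
    sys.exit(1 if issues else 0)
```

Run it with the package folder as the only argument; a non-zero exit code means the folder is not ready for step 5.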


 

5.     Create the offline activation Package

Open a command prompt and navigate to the folder with the files created above. If you are unsure of the commands that can be run, the help menu can be displayed by typing:

EpeOaGenXml.exe --help


 

Note: this will also display the current parameters that are set.


  • Type the following to use the user configuration file and enable SingleSignOn:

EpeOaGenXml.exe --user-file UserList.txt --Sso true

This will run the creation script and create the file called OfflineActivation.exe in the same folder.

6.     Install the files on the client machine

  • Copy the files from the offline Package folder to the client machine
  • Install MfeEEAgent32.msi (MfeEEagent64.msi on 64bit)
  • Install MfeEEPc32.msi (MfeEEPc64.msi on 64bit)
  • This install will require a reboot
  • Reboot the machine
  • Run the OfflineActivation.exe file. This takes approx. 2-3 minutes; it opens a command prompt shell and exits upon completion.

 

 

 

7.     Verification of EEPC Offline Activation

To verify that the offline activation has completed, check for the following:

  • EEPC recovery key - Check the root of the C: drive for the recovery key, called EERecovery.xml
  • Check the MfeEpe log file, located at c:\program files\McAfee\Endpoint Encryption Agent\MfeEpe.log. The following is an excerpt from the file showing success:

 

      pic10.PNG

 

 

When you restart the machine with Autoboot set to false, you will have to log in with the username specified and enter the default password, and you will then be prompted to change the password. The following is an example of the PBA (Pre-Boot Authentication) screen; this will be the default behaviour when booting the client.

 

 

pic11.png

 

 

8.     Managed Client from McAfee ePO

 

If you want this client to be managed by McAfee ePO, install the Framepkg.exe that was created above. Once it connects to ePO, this will be a managed install and will receive the Endpoint Encryption policy from the McAfee ePO console. Additional server tasks are required, such as registering the LDAP server and running the EE sync task; for these, please refer to the Endpoint Encryption Product Guide. Once this machine is managed by McAfee ePO, the recovery key will be transferred to McAfee ePO so that it can be used in the event that the key is required for recovery.

 

 
