McAfee ePO Deep Command 1.5 Installation Guide - Install Deep Command Server Components

Version 1

    Introduction

    Like all other endpoint security products, McAfee Deep Command requires that extensions be installed and packages be checked-in to McAfee ePO. Please see section three of the McAfee ePO Deep Command 1.5 Product Guide for instructions on installing the extension and checking-in the packages in McAfee ePO.

     

    The product is listed on the McAfee download site as McAfee ePO Deep Command. This guide does not make use of the ePO DC Gateway component or the ePO SCCM component. You only need the ePO DC, ePO DC Reports, and RCS Manager extensions, along with the ePO DC Client package. Please note that the packages are automatically checked-in when you install the extensions.

     

    The following prerequisites are required to complete the steps in this document:

    • Access to the McAfee download site or Software Manager
    • A valid grant number with access to McAfee ePO Deep Command
    • McAfee ePO 4.6.4 or later
    • McAfee Agent 4.5.1 or later
    • Intel SCS 8.0 or later
      • Compatible AMT configuration profile
      • AMT credentials (digest or kerberos)
    • McAfee Agent must be installed on the Intel SCS server
    • Administrative access to your internal Microsoft Certificate Authority
    • Administrative access to your Intel SCS server

     

     

    Process Overview

    The core installation and configuration steps in this document include:

    • Modify WMI permissions on Intel SCS server
    • Modify DCOM permissions on Intel SCS server
    • Configure Certificate Authority to automatically issue certificates
    • Install Deep Command extensions in ePO
    • Deploy RCS Manager to Intel SCS Server
    • Export root certificate from your Microsoft Certificate Authority
    • Edit Intel AMT Credentials in ePO
    • Deploy RCS Manager to the Intel SCS Server

     

     

    Modify WMI Permissions on Intel SCS Server

    If you are using remote configuration to configure your AMT clients, then you will have to grant certain WMI permissions to all domain computers in your environmeent. This is not necessary if you are not doing remote configuration.

     

    Please see page 45 of the Deep Command Product Guide for these instructions.

     

     

    Modify DCOM Permissions on Intel SCS Server

    If you are using remote configuration to configure your AMT clients, then you will have to grant certain DCOM permissions to all domain computers in your environmeent. This is not necessary if you are not doing remote configuration.

     

    Please see page 47 of the Deep Command Product Guide for these instructions.

     

     

    Configure Certificate Authority to Automatically Issue Certificates

    McAfee ePO Deep Command does not support pending certificate requests. Therefore, the Microsoft Certificate Authority must be configured to automatically issue certificates.

     

    Please see page 39 of the Deep Command Product Guide for these instructions.

     

     

    Install Deep Command Extensions in ePO

    Instructions for installing the Deep Command extensions can be found in section three of the product guide.

    • Required components
      • EPODC_Reports - McAfee ePO Deep Command Discovery and Reporting Extension
      • EPODC - McAfee ePO Deep Command Management Framework Extension

     

    • Optional components
      • EPODCRCS - McAfee ePO Deep Command RCS Manager Extension
        • If you are going to do remote configuration of your AMT clients, then you must install this extension. You must also deploy the RCS Manager agent to your Intel SCS server.
        • If you are going to use an alternative configuration method for AMT, then you do not need to use the RCS Manager.
      • help_edc - McAfee ePO Deep Command Help Extension
      • Intel_SCS - Intel Setup and Configuration Software (Intel SCS)
      • MKV - McAfee KVM Viewer
        • This is a standalone application. It can be run from any system.

     

     

    Deploy RCS Manager to Intel SCS Server

    If you are doing remote configuration for your AMT clients, then ePO needs to get information from the Intel SCS server. McAfee ePO gets information from the Intel SCS Server through an application that runs on the SCS server. This application is called the RCS Manager and it is dependent upon the McAfee Agent being installed on the SCS Server.

     

    Please see page 51 of the Deep Command Product Guide for these instructions.

     

     

    Export Root Certificate from your Microsoft Certificate Authority

    If you do not have a Microsoft Certificate Authority with Web Enrollment enabled in your environment, please see McAfee Deep Command Installation Guide Appendix A.

     

    The public root certificate for your Microsoft Certificate Authority must be installed on all server components used by McAfee Deep Command and must also be checked in to McAfee ePO. Use the following task to export the public root certificate from the Microsoft Certificate Authority.

     

    Login to your  Microsoft Certificate Authority server. Launch the Server Manager and expand Roles > Active Directory Certificate Services. Right-click your Certificate Authority (RootCA in this example) and select Properties.

    https://community.mcafee.com/servlet/JiveServlet/showImage/102-3298-4-23037/step3b16.png

    Select the General tab. Select your certificate (Certificate #0 in this example) and click View Certificate.

    https://community.mcafee.com/servlet/JiveServlet/showImage/102-3298-4-23039/step3b17.png

    Select the Details tab. Then click Copy to File to start the certificate export process.

    https://community.mcafee.com/servlet/JiveServlet/showImage/102-3298-4-23040/step3b18.png

    You will see the Certificate Export Wizard. Click Next to proceed.

     

    In the Export File Format screen, select Base-64 encoded X.509 (.CER). Then click Next to proceed.

    https://community.mcafee.com/servlet/JiveServlet/showImage/102-3298-4-23042/step3b20.png

    In the Files to Export screen, select a destination for the file. Then click Next to proceed.

    https://community.mcafee.com/servlet/JiveServlet/showImage/23050/step3b21.png

    In the Completing the Certificate Export Wizard, simply click Finish to complete the process.

     

     

    Edit Intel AMT Credentials in ePO

    The final step to enabling McAfee ePO to communicate with Intel AMT is to ensure the correct credentials are supplied. You need to supply the root certificate that you exported in the steps above, and you need to provide AMT credentials.. For more details on the Trusted Root Certificates, please refer to https://community.mcafee.com/docs/DOC-4182.

     

    Intel AMT credentials can be found in the McAfee ePO console by selecting Menu > Configuration > Server Settings. On the left side of the console, select Intel® AMT Credentials

     

    If using a Digest credential, such as the ePO_DC account defined earlier, provide the credential and password as follows:

    026.png

    If using a Kerberos or Domain User credential, enter a specific domain\user account.  In the example below, ent\itproadmin is used.

    027.png

     

     

     

    More resources for installing McAfee Deep Command 1.5

     

    McAfee ePO Deep Command 1.5 Installation Guide - Introduction

     

    Step 1: Discover and Report All Intel AMT Capable Systems in the Environment

    Step 2: Install Intel SCS

    Step 3: Install McAfee ePO Deep Command Server Components

    Step 4: Deploy Deep Command

     

    Note: There are many ways to configure Intel AMT hardware. This document references a method known as remote configuration. This requires the use of an SSL certificate. While this is recommended for production deployments, you might consider an alternative configuration method for test environments. McAfee recommends using the host based configuration method for test or proof-of-concept environments.

     

    Appendix A: Installing Microsoft Certificate Authority with Web Enrollment

    Appendix B: Manually Importing the Microsoft Certificate Authority Root Certificate on McAfee ePO Server or Agent Handler

    Appendix C: McAfee ePO Deep Command 1.5 Setup Checklist