Like all other endpoint security products, McAfee Deep Command requires that extensions be installed and packages be checked in to McAfee ePO. Please see section three of the McAfee ePO Deep Command 1.5 Product Guide for instructions on installing the extension and checking in the packages in McAfee ePO.
The product is listed on the McAfee download site as McAfee ePO Deep Command. This guide does not make use of the ePO DC Gateway component or the ePO SCCM component. You only need the ePO DC, ePO DC Reports, and RCS Manager extensions, along with the ePO DC Client package. Please note that the packages are automatically checked in when you install the extensions.
The following prerequisites are required to complete the steps in this document:
- Access to the McAfee download site or Software Manager
- A valid grant number with access to McAfee ePO Deep Command
- McAfee ePO 4.6.4 or later
- McAfee Agent 4.5.1 or later
- Intel SCS 8.0 or later
- Compatible AMT configuration profile
- AMT credentials (digest or Kerberos)
- McAfee Agent must be installed on the Intel SCS server
- Administrative access to your internal Microsoft Certificate Authority
- Administrative access to your Intel SCS server
The core installation and configuration steps in this document include:
- Modify WMI permissions on Intel SCS server
- Modify DCOM permissions on Intel SCS server
- Configure Certificate Authority to automatically issue certificates
- Install Deep Command extensions in ePO
- Deploy RCS Manager to Intel SCS Server
- Export root certificate from your Microsoft Certificate Authority
- Edit Intel AMT Credentials in ePO
Modify WMI Permissions on Intel SCS Server
If you are using remote configuration to configure your AMT clients, then you will have to grant certain WMI permissions to all domain computers in your environment. This is not necessary if you are not doing remote configuration.
Please see page 45 of the Deep Command Product Guide for these instructions.
Modify DCOM Permissions on Intel SCS Server
If you are using remote configuration to configure your AMT clients, then you will have to grant certain DCOM permissions to all domain computers in your environment. This is not necessary if you are not doing remote configuration.
Please see page 47 of the Deep Command Product Guide for these instructions.
Configure Certificate Authority to Automatically Issue Certificates
McAfee ePO Deep Command does not support pending certificate requests. Therefore, the Microsoft Certificate Authority must be configured to automatically issue certificates.
Please see page 39 of the Deep Command Product Guide for these instructions.
Install Deep Command Extensions in ePO
Instructions for installing the Deep Command extensions can be found in section three of the product guide.
- Required components
  - EPODC_Reports - McAfee ePO Deep Command Discovery and Reporting Extension
  - EPODC - McAfee ePO Deep Command Management Framework Extension
- Optional components
  - EPODCRCS - McAfee ePO Deep Command RCS Manager Extension
    - If you are going to do remote configuration of your AMT clients, then you must install this extension. You must also deploy the RCS Manager agent to your Intel SCS server.
    - If you are going to use an alternative configuration method for AMT, then you do not need to use the RCS Manager.
  - help_edc - McAfee ePO Deep Command Help Extension
  - Intel_SCS - Intel Setup and Configuration Software (Intel SCS)
    - You may find a more current release at www.intel.com/go/scs
  - MKV - McAfee KVM Viewer
    - This is a standalone application. It can be run from any system.
Deploy RCS Manager to Intel SCS Server
If you are doing remote configuration for your AMT clients, then ePO needs to get information from the Intel SCS server. McAfee ePO gets information from the Intel SCS Server through an application that runs on the SCS server. This application is called the RCS Manager and it is dependent upon the McAfee Agent being installed on the SCS Server.
Please see page 51 of the Deep Command Product Guide for these instructions.
Export Root Certificate from your Microsoft Certificate Authority
If you do not have a Microsoft Certificate Authority with Web Enrollment enabled in your environment, please see McAfee Deep Command Installation Guide Appendix A.
The public root certificate for your Microsoft Certificate Authority must be installed on all server components used by McAfee Deep Command and must also be checked in to McAfee ePO. Use the following task to export the public root certificate from the Microsoft Certificate Authority.
Log in to your Microsoft Certificate Authority server. Launch the Server Manager and expand Roles > Active Directory Certificate Services. Right-click your Certificate Authority (RootCA in this example) and select Properties.
Select the General tab. Select your certificate (Certificate #0 in this example) and click View Certificate.
Select the Details tab. Then click Copy to File to start the certificate export process.
You will see the Certificate Export Wizard. Click Next to proceed.
In the Export File Format screen, select Base-64 encoded X.509 (.CER). Then click Next to proceed.
In the Files to Export screen, select a destination for the file. Then click Next to proceed.
In the Completing the Certificate Export Wizard screen, click Finish to complete the process.
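A check worth running on the exported .CER file before it is installed on the server components and checked in to McAfee ePO, given here as an added example that is not part of the product guide or any McAfee tooling. The function name Test-ExportedRootCert, the temporary file name and the throwaway certificate are constructed for illustration; building the sample certificate assumes .NET Framework 4.7.2 or later.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example: sanity-check an exported root CA certificate file.
function Test-ExportedRootCert {
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).Path
    # "Base-64 encoded X.509 (.CER)" yields a PEM text file; a DER export has no such header.
    $first = ([string](Get-Content -LiteralPath $full -TotalCount 1)).Trim()
    $cert = [X509Certificate2]::new($full)
    # Basic Constraints (OID 2.5.29.19) must mark the certificate as a CA.
    $bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    $now = Get-Date
    [pscustomobject]@{
        Subject      = $cert.Subject
        IsBase64     = $first -eq '-----BEGIN CERTIFICATE-----'
        # Name comparison only: a root certificate is issued to itself.
        IsSelfIssued = $cert.SubjectName.Name -eq $cert.IssuerName.Name
        IsCA         = [bool]($bc -and $bc.CertificateAuthority)
        InValidity   = ($cert.NotBefore -le $now) -and ($now -lt $cert.NotAfter)
        NotAfter     = $cert.NotAfter
        # Compare this value on every server component and with the CA's own certificate.
        Thumbprint   = $cert.Thumbprint
    }
}

# Constructed sample input: a throwaway self-signed CA certificate saved in Base-64 format.
$rsa = [RSA]::Create(2048)
$req = [CertificateRequest]::new('CN=Constructed RootCA', $rsa,
    [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$req.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($true, $false, 0, $true))
$sample = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddYears(1))
$body = [Convert]::ToBase64String($sample.RawData, [Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$body`r`n-----END CERTIFICATE-----"
$file = Join-Path ([IO.Path]::GetTempPath()) 'constructed-rootca.cer'
Set-Content -LiteralPath $file -Value $pem -Encoding ascii

# For a real export, pass the path chosen in the Files to Export screen instead of $file.
Test-ExportedRootCert -Path $file | Format-List
```

A file that reports IsBase64, IsSelfIssued, IsCA and InValidity as True, with the same Thumbprint everywhere it is installed, is the certificate the steps above are meant to produce.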
Edit Intel AMT Credentials in ePO
The final step in enabling McAfee ePO to communicate with Intel AMT is to ensure the correct credentials are supplied. You need to supply the root certificate that you exported in the steps above, and you need to provide AMT credentials. For more details on the Trusted Root Certificates, please refer to https://community.mcafee.com/docs/DOC-4182.
Intel AMT credentials can be found in the McAfee ePO console by selecting Menu > Configuration > Server Settings. On the left side of the console, select Intel® AMT Credentials.
If using a Digest credential, such as the ePO_DC account defined earlier, provide the credential and password as follows:
If using a Kerberos or Domain User credential, enter a specific domain\user account. In the example below, ent\itproadmin is used.
Note: There are many ways to configure Intel AMT hardware. This document references a method known as remote configuration. This requires the use of an SSL certificate. While this is recommended for production deployments, you might consider an alternative configuration method for test environments. McAfee recommends using the host-based configuration method for test or proof-of-concept environments.