EEPC v7.0 FAQ - Offline Activation

Version 1

    General

    Q: What is offline activation?

    Offline activation is the ability to activate EEPC without a connection to ePO.

    Q: What versions of EEPC will support offline activation?

    EEPC v7.0 will support offline activation. EEPC v6.x requires a connection to ePO for activation.

    Q: Does this functionality work on both Windows and Mac OS X?

    Currently offline activation is only offered on Windows. A future version will introduce the offline activation functionality on Mac OS X.

    Q: Why does EEPC v6.x require a connection to ePO for activation?

    The connection to ePO at the time of activation is required for many reasons, but primarily to ensure:

    • The client has the latest policy
    • The client has the latest list of users and their associated tokens
    • The encryption key can be safely stored in ePO for recovery purposes

    The last bullet point is very important. If, for whatever reason, a problem during the initial encryption required a recovery, all of the necessary information would already be present in ePO. This gives the administrator the greatest chance of success. If this information were not in ePO, recovery might not be possible.

    Q: What use cases are best suited for offline activation?

    There are three primary use cases addressed by offline activation. They are:

    1. In-house provisioning
    2. Provisioning by a third party
    3. A remote device that will never connect to ePO

    There are other use cases where offline activation can be useful; however, EEPC v7.0 focuses on these three.

    Q: What is the in-house provisioning use case?

    You may have your own provisioning process in house that states that a device needs to have the OS installed, as well as all company approved applications, and must be fully encrypted before it is handed to the end user. At the point of provisioning you may not have network connectivity as the devices may be sitting on a shelf in a separate room.

    Q: What is the provisioning by a third party use case?

    You may have an external third party to provision your devices. In this scenario, you don't want to open up your firewall to allow connections to ePO, yet you have a requirement that all laptops need to be encrypted before delivery.

    Q: What is the use case for a remote device that will never connect to ePO?

    You may have a client, used in a remote location, that has no network connectivity but may be collecting sensitive data and therefore needs to be encrypted. You can distribute a CD with the MSIs required to install McAfee Agent and EEPC, together with an Offline Activation package. These can then be run to install and activate EEPC and encrypt the device.

    Q: What is the high level process for offline activation?

    1. An administrator will create an offline package on the ePO server. This package will contain the first policy that needs to be created, and a list of "offline users".
    2. Once the package is created it can be distributed to the necessary clients, along with the MSIs needed to install EEPC. Once EEPC is installed successfully, the offline package is run and the policy is applied and enforced.
    3. You can now log on with the "offline users" in pre-boot.

    Q: Should I consider a device activated by offline activation as an unmanaged device?

    Yes, because you won’t necessarily see them in ePO and you won’t be able to manage them in ePO.

    Q: Does this mean that there is a standalone, non-managed version of EEPC?

    No. Offline activation may allow you to create a standalone device that is encrypted per a specific policy; however, after the first policy enforcement is complete you cannot update the policy or the users. There is no local console and no method to update the policy or user information. A key recovery mechanism is, however, supported (see the Recovery section below in this FAQ).

    Q: How does the product get installed if ePO is not deploying the product?

    For offline activation, the only requirement is that EEPC can be installed on the device. How that is achieved is a decision for each customer, whether by providing a CD/DVD to end users with MSIs they can run, or by a more automated method suited to their environment.

    Q: What needs to be installed on the client?

    1. McAfee Agent
    2. McAfee Endpoint Encryption Agent
    3. Endpoint Encryption for PC
    4. Offline Package that was created by the Administrator

    Q: Can you connect a device activated through offline activation to ePO at a later time?

    Yes. You can always connect a device activated with an offline activation to ePO at a later time for management.

    Q: What happens when an offline activated device connects to ePO?

    Assuming that the offline activation was done for provisioning purposes, the device will at some point connect to ePO. When the device can successfully communicate with ePO, the client moves into an "online" mode. Online mode is defined as a normal connection between the McAfee Agent and ePO; consider it the same as a normal install.

    It will discard the offline policy that was enforced, and it will also discard all offline users. It will receive the real policy from ePO, the list of assigned users as per a normal activation, and save its encryption key in ePO. You could view it as a second, but automatic activation.

    The important point to remember is that all of the offline information is discarded if the user is not known to the ePO server prior to connection. If the offline user is known to the ePO server, the ePO policies will be deployed, but any data they have stored while in offline mode will not be discarded.

    Q: Are there any audit logs in ePO to find information on a device activated via offline activation?

    No. As the device has never communicated with ePO, there is no information about that device in ePO.

    Q: In the event a device was only activated via offline activation, can you prove that it was encrypted?

    If the device has never communicated with ePO then there will be no information in ePO that can be used for auditing purposes in the event of loss or theft. Once the device communicates with ePO and goes into an online mode then all of the normal information will be present in ePO to prove the encrypted state of the device.

    Users

    Q: What is an offline user?

    An offline user is a user account, used for pre-boot authentication, that exists only in a specific offline package.

    Q: How is that different to a normal user in EEPC?

    Offline users exist only in that specific offline package. These users do not exist in Active Directory, and basically do not exist anywhere except this offline package.

    Q: Does Add Local Domain Users (ALDU) work with offline activation?

    No, ALDU does not work with offline activation. ALDU is a two-step process that requires ePO to perform the user/device assignment. As ePO is not available with offline activation, ALDU cannot complete and therefore cannot be used.

    Q: Can I add more users to an offline activated system after activation is complete and it’s been out in the field for a while?

    No.

    Q: Can I use tokens other than a password for my offline users?

    Passwords and smartcards that support Self-Initialization can work in offline activation. Smartcards that are PKI only cannot work, as there is no backend to retrieve the necessary information to authenticate the user. Biometric support is not possible.

    Self-initializing tokens are identified in the EEPC supported tokens article KB71555 (https://kc.mcafee.com/corporate/index?page=content&id=KB71555).

    Q: For an offline user, do they also start with the default password?

    Yes.

    Q: What happens when an offline user forgets their password? Can they be recovered?

    End users will have the possibility to use the local recovery functionality to recover.

    Q: What happens if the administrator disabled Local Recovery?

    The user is now locked out. If there is another user on the system they can use, then they may be able to boot the device. Alternatively, connect the device to ePO but this requires being able to boot into Windows.

    Q: What happens if the end user has forgotten both their password and their local recovery answers?

    The user is now locked out. If there is another user on the system they can use, then they may be able to boot the device. Alternatively, connect the device to ePO, but this requires being able to boot into Windows.

    Q: What happens to these offline users when the offline system attaches to ePO?

    When a device that was enabled by offline activation successfully communicates with the ePO server that generated the McAfee Agent, EEPC and Offline Activation package, it discards all of the offline users and asks ePO to provide the assigned users.

    Q: So if I had an offline user called “Bob” and an AD user called “Bob”, when they went from offline to online what would happen to the password for “Bob”?

    Assuming that the AD User Bob has signed into the device at least once, and ALDU was active on the ePO policy, then Bob would be assigned to the device after the offline user Bob was discarded.

    From this point, the AD User Bob can have two possibilities. If this is the first time they’re logging in at pre-boot they will have the default password. If this is not their first device and ePO already has credentials for Bob, then those credentials from ePO will be on the device.

    Policies

    Q: How can I define the initial policy for offline activation?

    It is defined in parameters to the offline package creation utility.

    Q: Is an offline policy exactly the same as one defined in ePO?

    No, there are some policy settings that require interaction. For example, Add Local Domain Users. These policy settings cannot be used in an offline activation.

    Q: What policy options can be set in an offline policy?

    The following settings are available for an offline policy:

    • Backup the Device Key?
    • Path to the recovery key?
    • Enable temporary AutoBoot?
    • Enable AutoBoot?
    • Don’t display the previous username?
    • Enable SSO?
    • Enable boot manager?
    • PBFS Size?
    • Opal PBFS Size?
    • Require user changes their password?
    • Username must match Windows logon username?
    • Enable self-recovery?
    • User smartcard PIN?
    • Enable USB in pre-boot?

    Q: Can I update the policy of an offline activated system after activation is complete and it’s been out in the field for a while?

    No. Offline activation will only enforce the first policy. There are no possible updates after the first policy is applied.

    Q: What happens to the offline policy once the offline system attaches to ePO?

    When a device that was enabled by offline activation successfully communicates with the ePO server that generated the McAfee Agent, EEPC and Offline Activation package, it discards the offline policy and asks ePO to provide the appropriate policy.

    Encryption Keys

    Q: What happens to the encryption keys during offline activation?

    When the administrator configures the offline activation package there is an option to indicate whether the keys are saved or not. The decision of whether to save the keys, and if so to which location, is solely at the discretion of the administrator. It is not something the end user can choose or manipulate.

    Q: If I save an encryption key from a device that has completed the offline activation process, can I import it into ePO for recovery purposes?

    No, you cannot import it into ePO; however, you can store all of your keys in a secure location and use ePO to decrypt them and generate the necessary recovery XML files.

    Q: Once I’ve received that encrypted key, how can it be used?

    An administrator can decrypt it and export the information in the XML format used by the EEPC recovery tools.

    Q: What happens to the encryption key for the device in the in-house provisioning use case?

    In this scenario you may or may not want to save the key. Remember that on the first connection to ePO it will upload the key. As this scenario primarily covers new devices, if any physical defect is found causing the disk to crash, or you become locked out of a device, there is very little user data (if any at all) to lose.

    You could save the key to a USB stick, or a specific network share in case a recovery is required.

    Q: What happens to the encryption keys for the device in the provisioning by a third-party scenario?

    In this scenario it is likely that you don't want the third party to have the ability to save the encryption key, so you would specify to not save the key anywhere. If the third party had copies of each encryption key for all of the devices in your organization, that would be considered a security risk. As this scenario primarily covers new devices, if any physical defect is found causing the disk to crash, or you become locked out of a device, there is very little user data (if any at all) to lose.

    Q: What happens to the encryption keys for the device in the situation where it will never connect to ePO?

    In this scenario it is very likely that you will want to save the encryption key to a USB stick or to the hard disk. Again, this is an optional step purely at the discretion of the administrator. It is then your responsibility to ensure that the encryption key is safely transported to ePO for safekeeping. This can be achieved by any mechanism that your organization approves for the transportation of encryption keys. Once the ePO administrator has a copy of the saved key, it can later be used for recovery purposes.

    Q: What happens if the encryption keys cannot be saved due to some other fault?

    In this scenario the hard disk on the client will need to be re-formatted and the Offline Activation process restarted.

    Q: When the encryption key is written to a file on a disk, is it stored in plain text?

    No. The encryption key is always encrypted so that in the event that a third party intercepted the key it would not be useful for them. Nor would they have a way to identify to which device it belonged.

    Q: What can decrypt the encryption key?

    The only location where the encryption key for an offline activation can be decrypted is the ePO server that created the offline package. No other ePO server can decrypt the key.

    Q: Do all offline activations have the same encryption key?

    No. The encryption key is generated during the first policy enforcement, which ensures that every offline activation has a different key.

    Recovery

    Q: How does recovery work for offline activation?

    If the administrator has selected to save the encryption key, the key will be written in an encrypted manner to a file on a disk. It is then the responsibility of the end user to transfer that encrypted key to the administrator using a company-approved method. Once the administrator has the encrypted key, they can decrypt it when necessary using the ePO server that created the offline package. The result of this decryption process is a standard XML file that can be used with the EEPC recovery tools.

    Q: What recovery options are available for an offline activation?

    The only recovery options are the local recovery and the EEPC recovery tools.

    Q: What if the administrator disabled local recovery?

    Then the only choice is to use the EEPC recovery tools to correct any issue with the device. It is also possible to connect the device to ePO, at which point the users and policies would be replaced with the information provided by ePO. However, this requires the ability to boot into Windows.

    Q: What recovery options are available if local recovery is disabled and I don’t have the saved encryption key, or cannot decrypt it?

    There are no additional recovery options for offline activation.