DE v7.1 FAQ: User Directory

Version 2

    General

     

    Q: What is the User Directory?

    The User Directory extends your ePO-managed drive encryption to systems with unmanaged, non-domain users. In addition to users managed in Active Directory, Drive Encryption can now also leverage these ePO-managed users for pre-boot authentication.

     

    User data is now synchronized from Active Directory and cached locally in ePO. This eliminates the need for constant round trips from ePO to Active Directory and results in significant performance improvements for user-based policy checks.

     

     

    Q: Does this remove the dependency on Active Directory?

    Yes.

     

     

    Q: As an Administrator, do I need to do anything special to enable the User Directory?

    You need to install the User Directory extension. You can do this before or after you have upgraded to DE v7.1, as long as the ePO prerequisites are met (ePO 4.6.7 or ePO 5.1).

     

     

    Q: What does the User Directory look like in ePO? Is it like the System Tree for Machines, but for Users?

    Yes.

     

     

    Q: Is McAfee Drive Encryption the only product to use the User Directory? Or can other McAfee products use it?

    Currently only Drive Encryption uses it, but other McAfee point products can use it in the future.

     

     

    Q: Is there a minimum version of ePO that is required for the User Directory functionality?

    ePO 4.6.7 or ePO 5.1.

     

     

    Q: Where can I see more information?

    You can view the video posted to the Community at the following URL:

    https://community.mcafee.com/videos/1700

     

     

    Users and OU’s

    These questions are not specific to McAfee Drive Encryption. They are applicable to all McAfee products that make use of the User Directory.

     

    Q: Can Users be created in the User Directory?

    Yes.

     

     

    Q: Can a user be deleted, disabled, or edited in the User Directory?

    Yes.

     

     

    Q: Once a user is disabled, is it possible to enable them again?

    Yes.

     

     

    Q: Is it possible to assign a certificate to a user?

    No.

     

     

    Q: Why would I want to assign a certificate to a user?

    One example is a PKI-based smart card.

     

     

    Q: Can OU’s be created in the User Directory?

    Yes.

     

     

    Q: Can users be added to or removed from an OU?

    Yes.

     

     

    Q: Can a user belong to more than one OU?

    A user can only be part of one OU at a time.

     

     

    Q: Can a user be moved from one OU to another OU?

    Yes.

     

     

    Q: Can OU’s be nested?

    Yes.

     

     

    Q: When I select an OU, can I see all of the users that make up that OU (including nested OU’s)?

    You can see all the users from sub OU’s, but not all the nested OU’s. From the distinguished name you can see which sub OU each user comes from.

     

    ePO Permissions

     

    Q: Can I specify/limit what actions each administrator can perform in the User Directory?

    In ePO, permissions are grouped into permission sets. Users are assigned to each permission set. As long as admins are assigned to different permission sets, they can have different permissions.

     

     

    Q: To what level of granularity can I specify?

    User Directory supports read/write and read-only permissions. It is not possible to restrict access to specific actions, except by granting read-only access or revoking all permissions.

     

    Drive Encryption Usage

    These questions are related to how McAfee Drive Encryption uses the user and OU information from the User Directory.

     

     

    Q: Do I manage users in the same way in version 7.0 and version 7.1?

    The workflow is exactly the same. Nothing changes from a workflow perspective.

     

     

    Q: When I’m managing users do I see a whole list of users regardless of whether they are from Active Directory or the User Directory?

    Yes.

     

     

    Q: When I perform an encryption related action on a user, does it matter if that user has come from Active Directory or the User Directory?

    No, the workflow for both is identical.

     

     

    Q: Can I assign users and/or OU’s from the User Directory to a machine for pre-boot authentication?

    Yes.

     

     

    Q: What happens when a user is disabled in the User Directory?

    The same as if a user in Active Directory was disabled.

     

     

    Q: What happens when a user is deleted from the User Directory?

    The same as if a user was deleted in Active Directory.

     

     

    Scripting

     

    Q: Does the ePO WebAPI change for User : Machine assignments?

    No.

     

     

    Q: Are the actions in the User Directory scriptable?

    Yes.

     

     

    Migration from EEPC v5.x

     

    Q: Is there any conceptual difference between the standalone users in EEPC v5.x and the users in the User Directory?

    No, conceptually they are the same.

     

     

    Q: Is it possible to migrate EEPC v5.x Standalone users to the User Directory?

    Yes.