mlajoie
Reliable Contributor
Message 1 of 5

Trusted User & Self-Justification

Hi.  Couple of questions.

If I create a list of trusted users, this allows those accounts to be UPDATERS, right?  Regardless of whether there is a rule or not for that particular application, right?

If I enable self-justification, this will prompt for EVERYONE unless there is an express rule to block it (then nothing will show).  If the user is not an UPDATER, then they will not be able to install, right?

Is there any way to marry these two together -- specifically, so that if a trusted user tries to install something, they (and they alone) are prompted for justification and then allowed to install?

Otherwise, the best bet is to use trusted users with no self-justification and roll up the data using the associated updater label, right?

Please advise if there is a better way to track what trusted users are installing or if some amalgamation of the above is the way to go.

4 Replies
Pravas
McAfee Employee
Message 2 of 5

Re: Trusted User & Self-Justification

Hi @mlajoie 

If users are defined as UPDATER, they have full rights to make changes on a System.

Using Self-Justification, users can request admins to either approve or deny the blocked binary.

Users with UPDATER rights do not follow Self-Justification. It's only meant for normal users.

If changes are desired, then you may use Solidcore's Updater Mode or specify the binary as an updater and later remove it.

I hope this helps.

Thanks

 

mlajoie
Reliable Contributor
Message 3 of 5

Re: Trusted User & Self-Justification

Thanks for the reply. One follow-up question. How do I create a report of the *users* who installed software?

mlajoie
Reliable Contributor
Message 4 of 5

Re: Trusted User & Self-Justification

Is there not a way to create a report of *who* or *what* installed software?  Please advise.

Kenchee_etf
McAfee Employee
Message 5 of 5

Re: Trusted User & Self-Justification

Hello @mlajoie 

If you are looking for some report to tell you what is being installed by this user in order for you to track it like you do in Control Panel, unfortunately that may not be possible with MACC.

That may be a good product enhancement idea, but at the moment I am unable to find any configuration to achieve that.

One thing that can be done as a workaround is to filter SolidCore events based on the user name of the trusted user to see what changed under his Workflow ID, considering that the user will be an Updater; however, there are a couple of things that may be problematic here.

First, you have to make sure that events are not filtered, or at least that they are not filtered when they come from your trusted users. For example, if your trusted user uses an MSI installer for, let's say, Firefox, the event you may expect to see, if nothing is filtered, is "Installation Allowed", and for user name and Workflow ID you will have your user listed there.

The problem is that during an upgrade of the OS, for example, there can be countless numbers of those events and they may cause a lot of trouble for your ePO, so they are filtered by default. For example, in the "McAfee Default" policy you have the rule group "McAfee" where the event "Installation Allowed" is filtered if the file begins with "%systemroot%\Installer\".

If you have that in place unmodified, you will not have events from your users, but if you don't have anything, your ePO may be overwhelmed with every installation and update event that uses PKG_MODIFICATION.

Also, please note that I mentioned MSI packages for installation. The reason for that is that some software will use an EXE instead and may not use a conventional way of installation, like Notepad++, and the "Installation Allowed" event will not be generated. However, if filters are not in place, you will see the registry modification done by it, where the installation writes the uninstall registry key, so you may see what is being installed indirectly.

The problem here also is that those events are filtered by default, and the reason for it is that they come in overwhelming numbers that can significantly affect your ePO.

The last example of installation I tried is one where we have an EXE installer that doesn't use MSI and doesn't make any modifications that are regularly tracked, like the FileZilla install files. That installation performs PROCESS_CREATED, FILE_CREATED, FILE_MODIFIED and FILE_DELETED actions that are logged in the MACC s3dialog logs, but none of them is sent to ePO.

The reason is really simple: if all of those actions were reported back to ePO, there is no conventional machine that would be able to handle it due to the sheer amount of data there, and because of the way FileZilla installs itself, your admin will be able to install software, but there is no event for you to query in ePO in order to know about it.

I hope this answers your question.
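
The workaround described in the reply above, sketched as an added example (not part of the original post and not McAfee code): it filters an exported event list by trusted user name and groups direct ("Installation Allowed") and indirect (uninstall registry key) install evidence by Workflow ID. The CSV column names, the sample rows, the Workflow ID values and every event name other than "Installation Allowed" are constructed assumptions.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export. Column names, workflow IDs and the event names
# other than "Installation Allowed" are assumptions for illustration only.
SAMPLE_EXPORT = r"""event_name,user_name,workflow_id,object_name
Installation Allowed,CORP\alice,AUTO_101,C:\Windows\Installer\1a2b3c.msi
Registry Modified,CORP\alice,AUTO_102,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++\DisplayName
Registry Modified,CORP\alice,AUTO_102,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++\DisplayVersion
Registry Modified,CORP\alice,AUTO_103,HKLM\SOFTWARE\Example\Settings\Theme
Installation Allowed,CORP\bob,AUTO_200,C:\Windows\Installer\9f8e7d.msi
Execution Denied,CORP\alice,AUTO_104,C:\Users\alice\Downloads\tool.exe
"""

# Registry path under which installers register an uninstall entry.
UNINSTALL_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\([^\\]+)", re.IGNORECASE)


def installs_by_trusted_user(export_text, trusted_users):
    """Return {user: sorted [(workflow_id, evidence, item)]} for trusted users."""
    trusted = {u.lower() for u in trusted_users}
    found = defaultdict(set)  # a set collapses repeated writes to the same key
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["user_name"]
        if user.lower() not in trusted:
            continue
        if row["event_name"] == "Installation Allowed":
            # Direct evidence: MSI-style installs raise this event.
            found[user].add((row["workflow_id"], "msi", row["object_name"]))
        else:
            # Indirect evidence: an EXE installer writing its uninstall key.
            match = UNINSTALL_KEY.search(row["object_name"])
            if match:
                found[user].add(
                    (row["workflow_id"], "uninstall-key", match.group(1)))
    return {user: sorted(items) for user, items in found.items()}


if __name__ == "__main__":
    for user, items in installs_by_trusted_user(
            SAMPLE_EXPORT, ["CORP\\alice"]).items():
        for workflow_id, evidence, item in items:
            print(user, workflow_id, evidence, item)
```

As the reply notes, this only sees events that survive the default filters, and installers that produce neither event type never reach ePO at all.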

