How To Provision Users to Machines in Endpoint Encryption for PC v6

Level 12

Update: In 2014 McAfee renamed Endpoint Encryption for PC (EEPC) to McAfee Drive Encryption (MDE). These instructions are valid for both versions.

The pre-boot authentication screen controls which users can access a system that is encrypted with McAfee EEPC. The process of deciding which user accounts are allowed to authenticate to a particular machine's pre-boot environment is referred to as provisioning. In this post, I'll describe all the user provisioning options available in EEPC and also recommend a best practice approach.

There are three ways to provision a user to a system:

  • Individual assignment via the Encryption Users screen in ePO
  • Group Users assignment via the Encryption Users screen in ePO
  • Automatically add users found on the endpoint via the Add Local Domain Users policy option in the product settings policy

Note: User provisioning is only required for pre-boot authentication. You do not need to provision helpdesk technicians if their only job is to do remote password recoveries or other server-side operations. If someone is never going to physically touch an encrypted system, then they do not need to be provisioned to it.

Individual Assignment

This method allows the administrator to assign a single user to a single system. This is best used as an ad-hoc method for provisioning users to systems. Because it is not an automated solution, it should not be your primary method of user provisioning.

To assign an individual user (or group of users) to a single system, go to menu > data protection > endpoint encryption users. Then select the system to which the user should be added, and click actions > endpoint encryption > add user(s). The next screen will prompt you to browse Active Directory and select your user(s), group or OU that you wish to assign.

[Screenshot: individual assignment]

Group Users Assignment

This method is similar to the individual assignment method, but it allows you to assign the user or users to an entire group of systems in the system tree. This is particularly useful for field support technicians. Anyone who may have to log in to the pre-boot environment of any system in the environment should be added as a group user to the appropriate group in the system tree (or at the My Organization level if they should be able to log in to all systems in the environment).

To establish a group user for a group of systems, go to menu > data protection > endpoint encryption users. Choose the appropriate group in the system tree in the left pane, then select the Group Users tab in the right pane. Then click actions > endpoint encryption > add user(s). The next screen will prompt you to browse Active Directory and select your user(s), group or OU that you wish to assign.

[Screenshot: group users]

Automatic Assignment on the Endpoint

Manually assigning individual users for each system in your environment would be a time-consuming undertaking. EEPC v6 automates this process with a new feature called Add Local Domain Users in the product settings policy. If enabled, the agent will enumerate the currently logged-in Windows user and all the cached profiles on the endpoint. This data is then sent to ePO, and ePO automatically provisions those users to that system. This is the best way to provision end users to systems and should be done in almost all cases. Some special systems, like loaner laptops or classroom PCs, will require a different user provisioning strategy.

To enable the Add Local Domain Users Feature, go to menu > policy > policy catalog and select Endpoint Encryption from the drop-down menu. Then select the product settings policy and go to the Log On tab. Then check the box for Add local domain users.

[Screenshot: add local domain users]
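Before enabling Add Local Domain Users it is worth knowing which accounts the endpoint would hand to ePO, since every one of them gains pre-boot access. The following PowerShell, added here as an illustration and not McAfee's agent code, lists the profiles stored in the standard Windows ProfileList registry key and flags the domain ones; the exact enumeration logic of the agent is not published on this page, so treat this as an approximation, and it assumes it is run elevated on a domain-joined endpoint.

```powershell
# Added example (not McAfee's code): preview the Windows profiles an endpoint holds,
# as an approximation of what "Add Local Domain Users" would report to ePO.
# Assumptions: run as administrator on the endpoint; $env:USERDOMAIN is the
# domain whose users the policy is expected to auto-provision.
$domain      = $env:USERDOMAIN
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Well-known service SIDs that have profiles but are never pre-boot users
$systemSids = 'S-1-5-18', 'S-1-5-19', 'S-1-5-20'

$results = foreach ($key in Get-ChildItem -Path $profileList) {
    $sid = $key.PSChildName
    if ($sid -in $systemSids) { continue }

    try {
        # Resolve the SID to DOMAIN\user (or COMPUTER\user for local accounts)
        $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                       Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Orphaned profile, e.g. an account that has since been deleted
        $account = '<unresolved>'
    }

    [pscustomobject]@{
        Account     = $account
        Sid         = $sid
        ProfilePath = (Get-ItemProperty -Path $key.PSPath).ProfileImagePath
        IsDomain    = $account -like "$domain\*"
        LoggedOnNow = $account -eq "$env:USERDOMAIN\$env:USERNAME"
    }
}

# Domain accounts are the ones the feature would provision; local and
# unresolved profiles are listed so they can be reviewed or cleaned up.
$results |
    Sort-Object IsDomain -Descending |
    Format-Table Account, IsDomain, LoggedOnNow, ProfilePath -AutoSize

# Shared or lab machines can accumulate many cached profiles; a large set
# adds to the per-system user count the PBFS has to hold (see the post's
# note on PBFS sizing), so surface it before enabling the policy.
$domainCount = @($results | Where-Object { $_.IsDomain }).Count
if ($domainCount -gt 200) {
    Write-Warning "$domainCount domain profiles cached on this endpoint; review before enabling Add Local Domain Users"
}
```

Running this on a candidate loaner or classroom PC is a quick way to see why the post recommends a different provisioning strategy for such systems.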

Provisioning Best Practice

The best practice for user provisioning is to assign administrators to systems using the Group Users feature, and to add end users to systems using the Add Local Domain Users feature. All new deployments should start with this methodology and modify it only when needed. To do this, you simply need to enable Add Local Domain Users in your policy before you start the deployment. You also need to set up the group users for the different groups in your system tree.

When using the Group Users feature, be sure to limit the number of users provisioned as group users. Where possible, only provision group users who will actually have physical interaction with the system. Avoid global access groups if at all possible (i.e. don't just assign all of your administrators as group users at the My Organization level of the system tree). As a rule of thumb, do not assign more than 200 group users to any individual system. You can do more than this but you'll have to increase the size of the PBFS (in menu > configuration > server settings > endpoint encryption) and you'll also have to understand the increased load this will put on ePO.

Level 10

I don't have access to the newly released Mac OS X FDE. Do you know if it will have the "Add Local Domain Users" feature in its policy settings?


Level 7

The article above says "Some special systems, like loaner laptops or classroom PCs, will require a different user provisioning strategy."

How do you suggest provisioning users on loaner laptops? I am responsible for deploying EEPC on all the laptops in our organization, some are loaners, some are workstations, and I cannot figure out the best way to provision users to the systems.

From what I understand all users assigned to a system using the individual assignment and group users assignment have the same password (the one that is in the user based policy) so if I assign 200 people to a system using these methods, they will all have the same policy until the password is changed? Is this correct?


Level 12

Hi rmmiles. EE Mac does not include an "Add Local Domain Users" feature. This is a high priority product enhancement request and is planned to be in a future release. If you wouldn't mind, could you log your request for this feature on - this is the portal that our product managers use to prioritize feature requests.

Level 12

Hi victoria77. Loaner PCs have been a long-standing problem for us full disk encryption vendors. Pre-boot authentication makes it a difficult task, and as a result many companies simply disable pre-boot authentication on their loaner laptops. This is not a secure solution, however, so we don't recommend that you do that. The more secure options are to...

  1. Make user provisioning a part of the loaner laptop "check out" process. This involves giving an administrator the limited ability to assign users to laptops. Then when a user wants to borrow a laptop they have to talk to this administrator and get their account added. While they are talking to the administrator, they can do the challenge/response sequence to get into the OS and then sync down their user account (since the admin would have just provisioned them).
  2. You can also deploy shared accounts to these systems and then instruct users to use those accounts to login. Obviously, shared accounts are less secure and you would be wise to change those passwords frequently.

Level 7

Hi, thank you for the post. I have a question: how can you add local users? I mean local users from a machine outside the domain?

Thanks in advance.


Carlos Perez