Our customers tell us that the majority of help desk costs for Drive Encryption are typically related to end user password reset management. Use the new “Endpoint Assistant” companion apps for iOS and Android to offload pre-boot password resets, and the help desk costs that come with them, to end users. End users can securely reset pre-boot passwords even when on a plane with no access to a telephone to call the help desk.
Q: How long does it take for a user to reset their password using the App?
Approximately one minute. They can reset their password without needing to call the help desk, and can even reset their password while they have no network connectivity.
Q: How does it work?
The user registers their phone with their system, essentially creating a trusted relationship between the two. When the user forgets their password in pre-boot, they simply start the App and perform a password recovery in pre-boot.
Q: How does the user set up this relationship between the phone and the system?
If enabled by policy, the pre-boot environment will display a QR code. All the user needs to do is scan the QR code using the Endpoint Assistant app and it will create the trusted bond between the phone and the system.
Q: An end user wanted to register the smartphone but selected "Finish" before completing registration. The user is trying to register with Endpoint Assistant but the registration screen is not shown. What can the user do in this case?
The user can click on "Switch User" and select the checkbox that says "Register smartphone". After logon, the registration screen will be displayed again.
Q: What is the exact procedure if the user forgets their password?
The user will click on the recovery button in pre-boot. They will then be presented with a QR code that they scan with the Endpoint Assistant app. The App will provide them with a response code that they then type into pre-boot. They can now reset their password.
Q: How is the data managed by the App protected? Can someone steal both my phone and laptop and easily get into the laptop using this functionality?
There is a policy setting where an Administrator can specify the protection of the data. It can range from no protection to requiring a complicated PIN for access to the App. This is separate from any authentication that a user may have for access to the phone itself. Consider this a second layer of protection.
Q: Can someone brute force the PIN on the App?
They can always try, but after three failed attempts the App will wipe all of the App related data permanently.
Q: If this was a careless End User, could they set up the relationship between the phone and system again?
Yes. Using exactly the same procedure they used the first time.
Q: What happens if a user forgets their PIN?
The user has two choices. They can enter a wrong PIN three times, which will force the App to wipe everything. Alternatively, they can uninstall the App and install it again. In either case they can then re-register the system.
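The flow described in the answers above (QR registration, offline challenge and response recovery, and the wipe after three wrong PINs) can be modelled as follows. This is an added example, not McAfee's code or protocol: the shared secret carried in the registration QR code, the HMAC-SHA256 response, the 8-digit code length and the class and function names are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

MAX_PIN_FAILURES = 3  # from the FAQ: three failed attempts wipe the App data

def response_code(secret: bytes, challenge: bytes, digits: int = 8) -> str:
    """Short, typeable code derived from HMAC-SHA256(secret, challenge)."""
    mac = hmac.new(secret, challenge, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)

class PreBoot:
    """Laptop side (hypothetical model). QR payloads are modelled as bytes."""
    def __init__(self):
        self.secret = None
        self.challenge = None
    def registration_qr(self) -> bytes:
        self.secret = secrets.token_bytes(32)      # assumed shared secret
        return self.secret
    def recovery_qr(self) -> bytes:
        self.challenge = secrets.token_bytes(16)   # fresh per recovery attempt
        return self.challenge
    def verify(self, typed: str) -> bool:
        if self.secret is None or self.challenge is None:
            return False
        expected = response_code(self.secret, self.challenge)
        self.challenge = None                      # a challenge is single use
        return hmac.compare_digest(expected, typed)

class PhoneApp:
    """Phone side (hypothetical model). Needs no network at any step."""
    def __init__(self, pin: str):
        self.salt = secrets.token_bytes(16)
        self.pin_hash = self._hash(pin)
        self.systems = {}                          # system id -> shared secret
        self.failures = 0
    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)
    def register(self, system_id: str, qr_secret: bytes) -> None:
        self.systems[system_id] = qr_secret
    def recover(self, pin: str, system_id: str, challenge: bytes):
        if not hmac.compare_digest(self._hash(pin), self.pin_hash):
            self.failures += 1
            if self.failures >= MAX_PIN_FAILURES:
                self.systems.clear()               # wipe: re-registration needed
            return None
        self.failures = 0
        secret = self.systems.get(system_id)
        return response_code(secret, challenge) if secret else None
```

Because both sides derive the code from data they already hold, the recovery works with no connectivity, and after a wipe the correct PIN yields nothing until the system is registered again.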
Q: If I have multiple laptops can I set up a relationship with all of them and my phone?
Yes, the Endpoint Assistant App can support up to 100 different systems on a single phone.
Q: With Single Sign On (SSO) enabled, is the user required to re-enter his/her Windows authentication credentials after resetting the pre-boot password using the Endpoint Assistant?
Yes, this is because the SSO credentials are cleared in this case. This operation is similar to the existing Admin assisted recovery mechanism. Hence the end user is expected to re-enter his/her Windows authentication credentials after successfully passing pre-boot.
Q: Does Drive Encryption 7.1 provide a mechanism for the Admin to have a view into the “users” who registered their smartphones/tablets?
Yes, when users click on “Finish” following registration at pre-boot, an audit event is generated. Two end user actions related to EA are captured:
User Registration: User registers the smartphone or tablet with the system using the McAfee Endpoint Assistant application
User Recovery: System was recovered using the McAfee Endpoint Assistant application
Q: Where can I find the EA audit event information on ePO?
Under “DE: Product Client Events”
Q: How many languages does the App support?
Currently the Endpoint Assistant app is only available in English.