Q: What is the End User Self Recovery functionality on Mac OS X?
The End User Self Recovery is new functionality introduced in Encryption version 7.0 that will allow an end user to self-remediate most of the pre-boot issues without needing to contact the help desk. This should allow them to get back up and running quickly.
Q: What is the goal of this functionality?
The goal of this functionality is to allow for an end user to self-remediate their issue and get back up and running again quickly without needing to call the helpdesk for support. They should be able to do this in a simple manner, which is intuitive for Mac users.
Q: Is this only available on Mac or is it available on Windows?
This is only available on Mac OS X with version 7.0. It is not available currently in Windows. Product Management is considering this for inclusion in a future release.
Q: What functionality does this offer?
This offers two distinct features for end user self recovery. The two features are:
Emergency Boot on the client
Q: Ok, to be clear. Does this mean that this functionality is installed on every client?
Yes. This functionality will be installed on each client when they perform an upgrade to v7.0 or a fresh install.
Q: Does this require a minimum version of Mac OS X to work?
Yes. This will only work on Lion and Mountain Lion.
Q: How does it work?
When the device is booting, the end user should hold down the “Option” key. This will bring up a list of bootable partitions, and this is a standard Mac feature. What the end user should see are three options:
Recovery HD (The standard Mac OS X Recovery)
The end user just needs to click on McAfee Recovery to use the Self Recovery feature.
Q: Side question, why can’t I see my encrypted volumes in this list? Technically they are bootable.
Yes they may be bootable but you won’t see them because they are encrypted. They will be bootable after the user has successfully authenticated
Q: What is the Self-Healing Pre-Boot?
In a situation where an encrypted Mac is not booting into the McAfee pre-boot environment as expected, the self-healing feature gives the end user a way to force the system to enter the McAfee pre-boot environment. Once this is done, the user can authenticate to the McAfee pre-boot environment and then get into OS X.
The self-healing feature will also reconfigure the EFI so that it automatically boots to the McAfee pre-boot environment on the next reboot.
Q: So how does it work?
At a high level, the pre-boot is created in a separate partition. When the end user holds down the Option key when their Mac boots it will show the list of bootable partitions, one of which will be “McAfee Preboot”. If the user selects this partition they will see the pre-boot environment that they know and expect. They can now authenticate and boot into the Operating System.
Q: So if I break my Mac, all I have to do is this one operation and it will be back up and running again?
Correct. After a successful authentication, the pre-boot will shut down and ensure that on the next power cycle or reboot that the McAfee pre-boot will show correctly.
Q: Is the pre-boot that is displayed when I use this option any different to the pre-boot I see every time I start my machine?
No, they are in fact the very same.
Q: Will this help if an end user manually resets their NVRAM/PRAM variables?
Correct. If an end user decides to manually clear their NVRAM/PRAM variables then their machine will not boot correctly as the pre-boot environment will not show. If they use this functionality they will be back up and running very quickly, and without a call to the helpdesk.
Q: Will this help if an end user runs a firmware update and their machine stops working?
Not all firmware updates will have an impact on the pre-boot environment. Generally the firmware updates that do are the SMC updates and they clear the NVRAM variables. You end up in the same situation as the previous question.
Q: So if I have an end user who blindly applies any patch/update from Apple, they can recover themselves quickly and easily without calling the helpdesk?
Yes, that is correct.
Q: So will this address every possible error condition resulting from a firmware update?
Unfortunately, no. But that is why the second option “McAfee Recovery” is also present on each device.
Q: Will this help if an end user performs a major operating system upgrade?
No it won’t. When an end user performs a major OS upgrade (for example Lion to Mountain Lion) the install procedure will first write a new image to the disk and then reboot into that image to continue the installation procedure. That image cannot be read (as it is encrypted) and so the process breaks. At this time to perform a major OS upgrade you need to decrypt your Mac.
Emergency Boot on the Client
Q: What is the Emergency Boot on the Client?
This functionality allows an end user to perform an emergency boot of their machine without needing any external media. All of the necessary functionality is available on their client in a bootable partition that is created when McAfee Endpoint Encryption activates on the machine.
Q: So how does it work?
At a high level, this recovery tool is created in a separate partition. When the end user holds down the Option key when their Mac boots it will show the list of bootable partitions, one of which will be McAfee Recovery. If the user selects this partition it will start this tool and allow them to perform an emergency boot.
Q: Why would an end user want to do this?
If their PBFS has become corrupted, or the self-healing pre-boot did not correct their boot issue then this is another option to get the user back into the OS. It is obviously the more drastic of the two options, however in an emergency situation it could be useful.
Q: So what does this tool allow you to do?
All an end user can do is authenticate and then perform an emergency boot. No other functionality is available.
Q: Do they need to authenticate before they perform this action?
Yes, they must authenticate before an emergency boot is performed. If they didn’t it could be a security flaw that could be exploited.
Q: How can an end user authenticate?
If the end user remembers their credentials they can authenticate with their username + token combination. If they do not remember their credentials or the PBFS is corrupted to such a state where this is not possible, it is also possible to authenticate with the recovery XML file generated from ePO. In this second option, it would require interaction with the helpdesk to retrieve the necessary XML file.
Upon successfully authentication they will be allowed to perform an emergency boot.
Q: The end user authenticates and presses the Emergency Boot button, what happens next?
The tool will perform an emergency boot and then it will boot into Mac OS X, exactly the same as if EETech performed the emergency boot.
Q: Is there any difference between this tool and EETech? Is this EETech on the client?
Yes, it is not EETech on the client. It is a subset of the functionality to only allow for an Emergency Boot. The Emergency Boot functionality is exactly the same regardless of whether it is performed from this tool, or from EETech.
Q: If they do an emergency boot, do they need a connection to ePO once OS X has booted to fully correct the issue?
Once the emergency boot is complete and the end user is back into OS X, the product essentially needs to rebuild the PBFS and to do that it needs to connect to ePO to retrieve the policies, users, tokens, etc.
Q: What happens if they are travelling and can’t get a connection to ePO over the Internet or VPN?
If they can’t connect to ePO then every time they need to boot their machine they will need to perform the emergency boot. The pre-boot environment will not be fully functional again until the client has had the opportunity to completely sync with ePO.
Q: Can an end user decrypt their machine using this functionality?
No they cannot. They can only perform an emergency boot.