POC Installation Guide for McAfee Endpoint Encryption for Files and Folders 4.2.x
This document guides you step by step to set up an EEFF POC environment, covering the most common use cases.
Any feedback on the document is more than welcome!
First of all, thank you for this document - it is fantastic and has helped me a great deal. I am new to EEFF and have been playing around (recent community post here) with it a little bit (as well as Device Control elements of DLPe). This kind of documentation is the kind that ends up giving people good experiences with the products - a job well done!
I have a little feedback, leading on to a couple of questions, below -
Page 5, section 1.2
"Create ePO server task for Active Directory Sync"
"Register Active Directory Server with ePO"
Page 37, step 9
Screenshot shows standard scheduled policy enforcement, and not policy update - would expect to see
"Agent received POLICY package from ePO server"
"Enforcing newly downloaded policies"
Section 7 could include testing relating to a) user copying files to the USB (including to the 'unprotected files' folder, which should be allowed with the 'allow encryption with offsite access' and not allowed with the 'enforce encryption with offsite access' protection levels) and b) disconnecting USB and reconnecting to host without EEFF (emulating the offsite bit). Potentially also include a demonstration of 'enforce encryption (onsite access only)' - from a slightly selfish perspective I am not sure what the purpose of the default key 'decrypt' is, if any custom keys I create have to be assigned in 'granted keys' category, and what the purpose of 'ignore existing content' is - I would assume if selected, it would leave existing content untouched and encrypt the remainder of the device? The Product Guide advises "Enter the encryption key or browse to and select the encryption key" - which I think is a documentation error...
Following the above, am I correct in thinking:
- EEFF keys (with the exception of a recovery key, if required) are not used in any way, and do not need to be granted, when using either of the offsite (allow or enforce) protection options in USB removable media category?
Will be moving on to folder encryption etc tomorrow :-)
Once again - thanks for this document, given the number of views it has, it has likely helped a good number of people!
Thanks for your feedback. We will look at incorporating your feedback in the next version of this document. You might find the Best Practices Guide useful as well; here is the link for the latest version: https://kb.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25077/en_US/...
* Removing the "Enforce Encryption (onsite access only)" policy will not be enough to decrypt content on the USB device. You need the policy with the "Decrypt" option to do that
* Yes, selecting "Ignore existing content" will ensure only files copied later to the USB stick are encrypted and the existing content is left untouched
* Yes, your understanding is correct w.r.t. requirement of keys for offsite access protection options
Thanks for the link to the best practices guide! I was unaware that version 4.3 was out and the product had been renamed!
With regards to decrypting data via the 'enforce encryption (onsite access only)' policy, I am assuming that when the policy is pushed to an endpoint, that endpoint a) is aware of the original key used to encrypt, and b) must still be granted access to that key via the grant keys policy?
Yes, the key must still be available.
Here is the link which provides details on File & Removable Media Protection 4.3: https://community.mcafee.com/docs/DOC-5913