My searchfu has failed me.
Currently running 5.2.6 and will be staying at this level for the foreseeable future due to the fact that not everyone will be in an AD. Did not use McAfee Agent nor ePO for deploying EEPC.
Setting up a test environment to have agents connect to an ePO server so that the McAfee AV product can be deployed and all McAfee products monitored for reports/actions.
ePO is on one server. EEM on another.
changes the sdmcfg.ini file to point at the ePO server. Therefore cryption and audit information is not being updated.
The EEPC client shows a successful connection to the ePO server in the logs. In EEM the machine shows up as disabled.
At the moment I only have a little over 2K machines that are encrypted. After next year that will probably be 5-6K machines total. More if they bring smartphones into the fold. For AV I will have to deploy to about 6K machines in the next few months.
Is there a way to get EEPC reporting back to the server that has EEM installed? Am I going to have to put both products on a single server?
Thank you in advance for any guidance/constructive feedback.
When you install the McAfee Agent, the SDMCFG.ini file is updating to point from the EEM Server to the ePO server? Or are you updating the SDMCFG.ini file manually to point to the ePO Server?
The products do not mix naturally so this would be very strange behaviour.
Typically, here is how it should work:
EEPC installed on machine running happily doing its thing.
McAfee Agent pushed to machine so it can be managed and report system information back to ePO.
When you check the SbDe5.zip extension into ePO it adds the required tables to the ePO database to show the encryption information in the machine properties.
At no time "should" deploying McAfee Agent interfere with EEPC or vice versa.
How did sdmcfg.ini get changed to point to a different server? Did you drop a file into EEM in a file set by any chance?
A tough thing to fix now - you really need to deploy a correct file back to the machines from outside EEM - use your software distribution package of choice etc, even a login script maybe.
Deploying the MA etc won't change this file - it's something totally separate.
I had another machine that had been processed part of the way as the other. However, it was done before I imported the reporting extensions into ePO AND (wait for it) before I made a test package of EEPC 5.2.6 to deploy to another test machine. The online install set was created in EEM and then put into the package that I created (as per the documentation, 'McAfee® ePO 4 / Endpoint Encryption Deployment and User Guide'). I wanted to test pushing out the encryption package to new machines.
The test client deploy task was not meant to be put into the group. Fortunately the ePO is still in a test environment and only the one machine was impacted by my goof.
Task ended up being assigned to the computer and that must have changed it on the machine. The second machine I have here has the proper server assigned to it even though it is also running Endpoint Encryption 5.2.6, McAfee Agent 4.5, and having ePO 4.5 on the test server. Nothing like having the Internet so one can admit their goofs in public.
Thanks for the replies. Hopefully what I typed up makes sense. If there are any questions feel free to throw them at me.
Is there a way to have it point to the correct server after deploying EEPC 5.2.6? I looked in the xml file and do not see anything in that. The install package that I used in making the deployment package was created on the production EEM server (which is, as noted before, a completely different server from the ePO test environment). If I could limit the amount of sneakernet going on for the encryption deployment it would make my life a bit easier.
You need to deploy the package that was already used on the machine - the problem is you posted out a new sdmcfg.ini file, pointing all your clients somewhere new. You need to get a copy of the original file and get that back on all the machines so they point back to the original server.
Yes but where would I set that?
The reason I ask is that the EEPC.EXE was created as an online installation set in EEM. The correct server was chosen for the connection and the perform silently and reboot automatically options were checked. I then copied that EXE into the Deployment folder at the root of C and included the pkgCatalog.z, PkgCatalog.xml, and the de-detect.mcs files. The xml file was modified and I put everything together using eposign. I then checked the package in and verified by checking the list in the repository. Finally I created a new task as per the instructions in the guide mentioned previously.
You can't "set it" - it's created when you create your install package from EEM.
You indicated at the beginning that you had working EEPC5 machines who were talking to a server running EEM, but suddenly started talking to your ePO server? Or is this not the case?
When you set up your EEM, you would have created a "server object" and that's what you picked when you built your EEPC package - usually that server object has the DNS name of the physical box you are running the SBDBServer server on - it would be odd to do anything else.
EEPC 5 machines already deployed before the Agent was installed, correct. The machine in question was communicating to the correct server where EEM resides. I went through the installation package creation and the correct server appeared in the appropriate place. The server object also has the address that has been assigned since it was originally set up.
So I guess the question still is: Why did it change? I hope to have the one machine returned to me tomorrow with a new image. I will try to reproduce the behavior. Would creating the signed package on the ePO server have an impact?
DNS name. Unfortunately the person who originally set up the environment did so by IP address. The IP is going to change so I also have to set getting that squared away.
Thanks for all of the help so far, it is very appreciated.