Hi All, I work for an education authority which supports schools (over 350) at elementary and high school level. We are going to create an encryption solution using the latest build of MEE which needs to be centrally managed and provide...
1. centrally managed database
2. FDE for laptops
3. helpdesk key recovery function for users
4. specific allocation of licences, e.g. 35 to one school, 17 to another, in one DB
5. central reporting to report on all encrypted/non-encrypted laptops, and prove a laptop was encrypted in the event of loss; hopefully to log the machine's BIOS serial, HDD serial etc.
our deployment problems/challenges
• schools' broadband is provided by a regional consortium through which all schools are connected on class B addresses
• our MEE DB/ePO server will reside within this network
• no global Active Directory
• some schools have Active Directory of their own
• some schools have private NAT'd 172/192 networks
• many schools will have computers with the same name, e.g. laptop01/laptop02
• most of these laptops will be used by local users who will probably be local administrators
• many of these users will have the same Windows username, e.g. teacher, teaching assistant
Our dream scenario
• in our EEOD create a user group per school and a device group per school
• create an EEPCclientinstallation.exe per school
• school user runs the EEPC client install on the laptop with their school's EEPCclientinstallation.exe
  • install captures computer name and creates the device in our EEOD in the correct school group, recording device serial, MAC address etc.
  • install captures local username, creates the user in our EEOD in the correct school group, and also captures the user's security questions, pet name etc.
  • full disk encryption is applied to the device
  • EEPC client syncs the user's security questions with our server
• school user can then phone us for password recovery if they forget theirs
We've put some of this to McAfee and been advised some is doable, some isn't, and AutoDomain will help with some, but I think it needs a significant amount of script modification to work like...
• in our EEOD create a user group and device group specific to each school
• modify the AutoDomain script so that it
  • creates the user in our EEOD during install
  • creates the device in our EEOD during install
  • captures our security questions, stored against a hidden field in the user's record in our EEOD
  • captures laptop HDD serial, BIOS serial, asset tag, etc. NOWHERE TO STORE THIS AGAINST A DEVICE IN THE EEOD? Can I update the description field of a device through script?
• create an EEPCclientinstallation.exe per school
• create a DNS entry routable by the clients when in school, e.g. mee.int.myorg.com (10. address)
• create a DNS entry routable by the clients when on the internet, e.g. mee.ext.myorg.com (internet-facing IP)
• make port 5555 accessible on each
• install an EndpointEncryptionServer at each school with a NAT network to route between clients and our EEOD, e.g. mee.school1.myorg.com
• on each package they would have 2 servers to use, normally our internal and external, or for schools with NAT our external and the Encp
Does this seem feasible? Any comments about the world of pain here?
Seems pretty good to me. Get your acc manager to set up a conf call with me and we will talk through it. The biggest prob I can see is name duplication between schools. Maybe you can use email addresses rather than names if that is indeed an issue? Remember, you can't pass an audit if you can't reconcile an event to a person, so no generic user names are really allowed. Simon Hunt.
Yes, there will definitely be name duplication, due to many laptops being imaged with PCXXXX as the computer name and a default local user called teacher.
Any ideas? I am in the UK so not sure a conf call is possible?
I have seen the solution deployed on our corporate side where we have AD, and duplicate device names get created after a RIS if the tech doesn't delete the device first, e.g. PC2001 gets a PC2001_001 created.
If at install we capture unique data from the laptop into the device description field through script, such as the MAC, service tag and HDD serial, this will satisfy the audit requirement to say that PCXXXX with Dell service tag ssfSWF and HDD serial was encrypted on 2009-08-11 before being lost/stolen on 2009-10-12.
and for the user we can ask them payroll no, pet name, mother maiden name etc.
This will give us enough info to identify users who have been prepended, alan.smith_001 etc. (not all teachers have a school email address), when they call in for password recovery.
Ideally the installation will talk them through the questions, then give them their EEPC username on screen and talk them through the single sign-on process so they don't use their Windows username again?
I'm not sure how it will work if another user wants to use the laptop?
Did you have any ideas about this duplicate device issue, as we cannot dictate to our schools their computer naming convention?
I see that the device description can be altered by command line, so we thought our best bet was to populate it with stuff like:
• Computer Name
• Computer UUID (unique ID)
• BIOS Asset
• Computer Serial Number
• Hard Disk Serial Number
it's not a duplicate device, it's entirely separate.
it will add a 0001, 0002 etc. if it finds there's already a machine in the ODB using that name. It can't tell if it's really a different machine's entry, or its entry from a previous install (either good or failed).
cleaning this kind of stuff up is one of the functions of AutoD - you can probably rip that logic out and use it in your own script if you like. It will recycle/clearkey/delete old entries as it goes.
BUT in your case, you don't know if two machines really have the same name or not. You might want to adapt your script to rename each machine not with its network name, but with a name based on the location, i.e. "bedford-<networkname>" etc.
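The two ideas above (populate the device description with the machine's UUID, BIOS serial, asset tag, disk serial and MAC, and give the device a location-prefixed name so two schools' PC2001s can't collide) can be gathered into one piece of install-time script. The following is an added example, not code from the thread and not McAfee's AutoDomain script: it reads the identifiers through WMI and returns the proposed device name and description string. The site code, the field order, the "Captured" date field and the handling of OEM placeholder serials are my assumptions; the thread does not name the command line that writes the description into the EEOD, so that call is left to whatever your install set uses.

```powershell
# Added example (not from the thread, not AutoDomain): collect the hardware
# identifiers discussed above and build a site-prefixed device name plus a
# description string for the EEOD device record.

# Serials that OEMs ship instead of a real value. Two laptops from the same
# batch would otherwise match on every field, which defeats the audit purpose.
$script:PlaceholderIds = @('To Be Filled By O.E.M.', 'System Serial Number',
                           'Default string', 'None', 'Not Specified', 'N/A')

function ConvertTo-CleanId {
    param([string]$Value)
    if ($null -eq $Value) { return 'UNKNOWN' }
    $Value = $Value.Trim()
    if ($Value -eq '' -or ($script:PlaceholderIds -contains $Value)) { return 'UNKNOWN' }
    # Keep the description parseable: no separators inside a field.
    return ($Value -replace '[;=]', '_')
}

function Get-EepcDeviceIdentity {
    param(
        # Assumed per-school prefix, e.g. "bedford" as suggested above.
        [Parameter(Mandatory = $true)][string]$SiteCode,
        # Append part of the UUID if the same name could recur within one site.
        [switch]$UniqueSuffix
    )

    $cs   = Get-WmiObject -Class Win32_ComputerSystem
    $csp  = Get-WmiObject -Class Win32_ComputerSystemProduct
    $bios = Get-WmiObject -Class Win32_BIOS
    $encl = Get-WmiObject -Class Win32_SystemEnclosure | Select-Object -First 1

    # Win32_DiskDrive.SerialNumber is populated on Vista and later; older XP
    # images expose the disk serial on Win32_PhysicalMedia instead.
    $disk = Get-WmiObject -Class Win32_DiskDrive | Where-Object { $_.Index -eq 0 }
    $hdd  = $null
    if ($disk -and $disk.SerialNumber) {
        $hdd = $disk.SerialNumber
    } else {
        $media = Get-WmiObject -Class Win32_PhysicalMedia | Select-Object -First 1
        if ($media) { $hdd = $media.SerialNumber }
    }

    # Only adapters with an IP stack bound, so virtual/Bluetooth adapters don't
    # pad the list; several MACs are joined with "/".
    $macs = Get-WmiObject -Class Win32_NetworkAdapterConfiguration |
            Where-Object { $_.IPEnabled -and $_.MACAddress } |
            ForEach-Object { $_.MACAddress } | Sort-Object -Unique

    $fields = @(
        @('Name',  (ConvertTo-CleanId $cs.Name)),
        @('UUID',  (ConvertTo-CleanId $csp.UUID)),
        @('BIOS',  (ConvertTo-CleanId $bios.SerialNumber)),
        @('Asset', (ConvertTo-CleanId $encl.SMBIOSAssetTag)),
        @('HDD',   (ConvertTo-CleanId $hdd)),
        @('MAC',   $(if ($macs) { $macs -join '/' } else { 'UNKNOWN' })),
        @('Captured', (Get-Date -Format 'yyyy-MM-dd'))   # supports the "encrypted before loss" claim
    )

    $deviceName = '{0}-{1}' -f $SiteCode.ToLower(), $cs.Name
    $uuid = ConvertTo-CleanId $csp.UUID
    if ($UniqueSuffix -and $uuid -ne 'UNKNOWN') {
        $deviceName += '-' + $uuid.Substring($uuid.Length - 6)
    }

    $unknown = @($fields | Where-Object { $_[1] -eq 'UNKNOWN' } | ForEach-Object { $_[0] })

    New-Object PSObject -Property @{
        DeviceName  = $deviceName
        Description = (($fields | ForEach-Object { '{0}={1}' -f $_[0], $_[1] }) -join ';')
        Unknown     = $unknown   # fields that came back blank or as an OEM placeholder
    }
}

# Usage with an assumed site code. Feed DeviceName/Description into whatever
# command line your install set uses for the device record; that command is
# not named in the thread, so it is not shown here.
$identity = Get-EepcDeviceIdentity -SiteCode 'bedford' -UniqueSuffix
$identity | Format-List DeviceName, Description
if ($identity.Unknown.Count -gt 0) {
    Write-Warning ("Identifiers not unique on this machine: " + ($identity.Unknown -join ', '))
}
```

Run it once on a couple of freshly imaged laptops from the same supplier before rolling it out: if BIOS or Asset comes back as UNKNOWN on both, that field is worthless for reconciling a loss report and you will be relying on the UUID, disk serial and MAC instead.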
Do you state that AutoD can also rename a computer if it finds the same one already existing in the database?
For instance, if LAP1 already exists, will AutoD be able to rename the new LAP1 to LAP1_01 at runtime when the 2nd entry is being created?
Thanks for letting me know... I have found a few reasons why AutoD is suspected to fail in my scenario and this is just one of them. In case you need a fully compiled scenario sheet where we do not feel AutoD is the solution, I can let you know...
Yes, but AutoD will always try to make the machine's EEM name the network name, so it won't work in your situation where you can't guarantee the uniqueness of the machines.
you'd have to substitute the name logic for something particular to your environment.
Since you're rolling out so few machines over so many sites, I think the best bet would be for you to simply do it manually: create an install set and admin team for each site, lock them to certain groups so they don't go wandering into other sites' machines, and let them create users and deploy as they want.
Sure, you could script all this, but you have to balance how long it will take to write and test the scripts vs. how long it would take you just to press the buttons and do it.