I'm curious what different practices people are using for importing users into McAfee Endpoint Encryption. For example, are you importing a group or OU that has users you know need to use encrypted systems? Or are you bringing in all users regardless of memberships?
How are you handling disabled users (for those who don't delete accounts)?
We had recently done a migration / import of an AD domain for a plant in Mexico. Everything went fairly well.
A few weeks later, all the SafeBoot users from that plant were calling in saying that they could not log in. It took us a few hours to track down that the admin in the old domain would expire accounts every 60 days, and every 45-ish days would just move the expiry date out another 60 for employees that were still employed. It was his 'auto disable' routine.
That's when we figured out that SafeBoot pulled in the 'disabled' status from AD.
Best practice (for speed anyways) is, from what I've been told, to sync against groups and not OUs. Just importing users that actually need encryption saves licenses as all accounts (both computer and user accounts) take up a license whether in use or not.
On which builds are the disabled users not being treated as disabled by Endpoint Encryption?
Turift - it is happening for me. I went to check and didn't read the property correctly. Active Directory has "This account is disabled", which is checked, and then I looked in M.E.E. and didn't see the check, but the phrase is the opposite (you check to enable, not to disable), so I was just temporarily confused.
But disabled accounts obviously take up a license, too. I'll probably come up with some process where we audit accounts, and if they've been disabled longer than some period of time we'll remove them from the OU or group for Endpoint Encryption in AD and delete the object in the console.
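One way to script the audit described in the post above, as an added example that is not from the original thread or from McAfee. It assumes the RSAT ActiveDirectory module, a hypothetical sync group named 'EndpointEncryption-Users', a 90-day threshold and a domain controller at the hypothetical name 'dc01.corp.example'. AD keeps no "disabled since" attribute and whenChanged moves on any edit, so the script reads the replication metadata for userAccountControl instead; that timestamp is the last change to any UAC flag, so an account reported here has been disabled for at least that long, which is the conservative direction for a removal job.

```powershell
# Added example (not McAfee's tooling). Reports group members that have been
# disabled longer than $MaxDisabledDays and, once -WhatIf is removed, drops them
# from the AD group that feeds Endpoint Encryption. The object in the EE console
# still has to be deleted separately to free the license.
Import-Module ActiveDirectory

$GroupName       = 'EndpointEncryption-Users'   # assumption: your EE sync group
$MaxDisabledDays = 90                           # assumption: audit threshold
$Server          = 'dc01.corp.example'          # assumption: a reachable DC
$Cutoff          = (Get-Date).AddDays(-$MaxDisabledDays)

# User objects in the group (nested groups expanded) that are currently disabled.
$Disabled = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties Enabled |
    Where-Object { -not $_.Enabled }

$Stale = foreach ($u in $Disabled) {
    # LastOriginatingChangeTime is when userAccountControl (which carries the
    # ACCOUNTDISABLE bit) was last written. The account has been disabled at
    # least since then, possibly longer if a different UAC flag was the last edit.
    $meta = Get-ADReplicationAttributeMetadata -Object $u.DistinguishedName `
                -Server $Server -Properties userAccountControl
    if ($meta.LastOriginatingChangeTime -lt $Cutoff) {
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            DisabledSince     = $meta.LastOriginatingChangeTime
            DistinguishedName = $u.DistinguishedName
        }
    }
}

$Stale | Sort-Object DisabledSince | Format-Table -AutoSize

# First run only reports; remove -WhatIf after reviewing the list.
foreach ($s in $Stale) {
    Remove-ADGroupMember -Identity $GroupName -Members $s.DistinguishedName `
        -Confirm:$false -WhatIf
}
```

Run it from an account that can read replication metadata and modify the group. The group removal stops the next EE sync from re-importing the account; the console object and its license are a separate cleanup step, as the post says.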
If you can't find a good OU or Group to find your valid encryption users, you could look for a way to exclude people that would never use one. Something like (|(EmpStatus=Contractor)(AccountStatus=Retiree)). You may have to make adjustments for AD, as we use a generic LDAP connector.
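The filter idea above, translated to Active Directory and combined with the group-based approach recommended earlier in the thread, as an added example that is not part of the original posts. It assumes a hypothetical sync group 'EndpointEncryption-Users' and that contractors and retirees are tagged in the standard AD attribute employeeType with those literal values (the EmpStatus and AccountStatus attributes in the post belong to that poster's own directory). The disabled-account exclusion uses the LDAP_MATCHING_RULE_BIT_AND rule on the ACCOUNTDISABLE bit, which is the filter form of the "This account is disabled" checkbox discussed above.

```powershell
# Added example (not McAfee's or the original poster's code). Builds and runs
# one LDAP filter that yields exactly the accounts worth a license: members of
# the EE group, not disabled, and not in excluded employee categories.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # RFC 4515 escaping so a value containing ( ) \ * or NUL cannot alter the
    # filter structure. Backslash is replaced first so later escapes stay intact.
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' `
           -replace '\*', '\2a' -replace "`0", '\00'
}

$GroupName = 'EndpointEncryption-Users'                           # assumption
$GroupDN   = (Get-ADGroup -Identity $GroupName).DistinguishedName
$Excluded  = @('Contractor', 'Retiree')                           # assumption

$excludeClause = ($Excluded | ForEach-Object {
    "(employeeType=$(ConvertTo-LdapFilterValue $_))"
}) -join ''

# memberOf=<DN> matches direct members only. Swap in
# (memberOf:1.2.840.113556.1.4.1941:=<DN>) if the group nests other groups.
$Filter = '(&' +
          '(objectCategory=person)(objectClass=user)' +
          "(memberOf=$(ConvertTo-LdapFilterValue $GroupDN))" +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +   # bit 0x2 = ACCOUNTDISABLE
          "(!(|$excludeClause))" +
          ')'

Get-ADUser -LDAPFilter $Filter -Properties employeeType |
    Select-Object SamAccountName, Enabled, employeeType
```

Running the same filter that the Endpoint Encryption connector is configured with, against the same base DN, is a cheap way to check what the next sync will import before it consumes licenses; comparing this output with the console's user list also surfaces the disabled accounts that are still holding a license.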