Hey guys,
We are running Drive Encryption 7.1.3.604. It works so far when a 'regular' user is added to the system. Regular means no UBP enforcement enabled.
For administrative and support tasks, we need a user (let's say 'admin-user') on every system, which has a UBP enabled that lets the password never expire. The password of 'regular' users will expire after a specific period.
So I created an extra user-based policy, which has the specific setting for this scenario. Moreover, I created a policy assignment rule, which assigns this policy only to this user, which has to be on every system. Last but not least I ran the report 'DE users' to enable UBP enforcement for this user.
But I'm not able to assign this user (with UBP enforcement enabled) to a system. I am able to do so if I disable the UBP enforcement.
I tried two ways for adding the 'admin-user':
- encryption users -> select system -> add user -> sync
- encryption users -> select group/OU -> group users -> add the user -> sync
(if I do this with a 'regular' user, it works flawlessly)
If I look into the settings on the client (drive encryption status -> save computer information) only the 'regular' user is shown.
My question is: what do I have to do, to add the 'admin-user' (with no password expiration) to any system of a specific group/OU?
I appreciate any help. Thanks!
Aaron
After enabling UBP in DE: Users for the user and creating the policy assignment rule, the ePO Server Task "DE: Force update for UBP enforcement users" must be run. This task by default is set to run daily and should be changed to run hourly.
More information can be found in KB84452
Thanks at first
Just for better understanding: when do I have to run this server task? Before assigning a user with UBP to a system or afterwards?
I ran the server task now, but the user still doesn't appear in the 'client status file'. (sync was complete). The UBP-user is assigned directly to the system and not as a groupuser.
Can you please tell me the correct order for the steps I have to do to add a user (with UBP) to a system which already has a regular user.
Thank you!
1. Configure Policy Assignment Rule for user (This can be done before or after assigning the user)
2. Assign the user
3. Edit and enable the UBP option for the user in DE: Users
4. Run "DE: Force update for UBP enforcement users" task
Aaron,
Can you get the MfeEpe.log from the client system?
C:\Program Files\McAfee\Endpoint Encryption Agent\MfeEpe.log
This should give us a little more insight as to what is occurring on the client system.
I did it in this mentioned order, but still no success 😕
Attached to this post you will find the requested file. Because I have a German operating system, some entries are German 😉
Additionally, I also attached a screenshot of the policy assignment rule. Maybe there is a mistake?
The log shows that the UBP isn't available for the user:
2016-12-21 08:19:41,122 WARNING EpoPlugin | userHandler: OptIn user (i.e. non-default UBP user) [1\6776dc310b394051825e3f14417c5f08] has incomplete UBP (missing UBP/Ident) which will cause this user to be ignored. |
I noticed this is a User Directory user so I tested in my environment and was successful in adding a user with the UBP option enabled.
2016-12-21 18:03:10,409 INFO | EpoPlugin | enforceUserPolicy: User (1\3f9f303bba3c48d08399bf14da777833) added to policy store. |
2016-12-21 18:03:10,424 INFO | EpoState | == Start of policy enforcement == |
2016-12-21 18:03:10,424 INFO | StatusService | Policy enforcement has started |
2016-12-21 18:03:21,690 INFO | UserLib | userLib: user testubp (3F9F303BBA3C48D08399BF14DA777833) successfully added |
I also verified I could make it fail by either not having a PAR or running the "DE: Force update for UBP enforcement users" task:
2016-12-21 18:02:32,206 WARNING EpoPlugin | userHandler: OptIn user (i.e. non-default UBP user) [1\3f9f303bba3c48d08399bf14da777833] has incomplete UBP (missing UBP/Ident) which will cause this user to be ignored. |
Either the Policy Assignment Rule isn't working correctly or the UBP enforcement task is failing. Can you look at the Server Task Log for the "DE: Force update for UBP enforcement users" and verify the task successfully completed and view the "Log Messages" to see if there were any explicit failures?
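Added example (not from the thread and not McAfee code): a small Python parser for the two MfeEpe.log line shapes quoted above, which flags UBP users the client ignored ("incomplete UBP") versus those it finished adding. It assumes only the line formats visible in the quoted lines; the sample lines below are the ones from the post.

```python
import re

# Sample MfeEpe.log lines taken from the quoted posts (constructed test input, not a live log).
SAMPLE_LOG = [
    r"2016-12-21 08:19:41,122 WARNING EpoPlugin | userHandler: OptIn user (i.e. non-default UBP user) [1\6776dc310b394051825e3f14417c5f08] has incomplete UBP (missing UBP/Ident) which will cause this user to be ignored. |",
    r"2016-12-21 18:03:10,409 INFO | EpoPlugin | enforceUserPolicy: User (1\3f9f303bba3c48d08399bf14da777833) added to policy store. |",
    r"2016-12-21 18:03:10,424 INFO | EpoState | == Start of policy enforcement == |",
    r"2016-12-21 18:03:21,690 INFO | UserLib | userLib: user testubp (3F9F303BBA3C48D08399BF14DA777833) successfully added |",
]

# WARNING lines have no pipe after the level ("WARNING EpoPlugin |"), INFO lines do
# ("INFO | EpoPlugin |"), so the pipe after the level is optional.
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+) \|? ?(?P<component>\w+) \| (?P<msg>.*?) \|?\s*$"
)
# The same user appears as "1\<lowercase guid>" in EpoPlugin and as "<UPPERCASE GUID>" in
# UserLib; capture only the 32 hex digits so both forms map to one key.
USER_ID = re.compile(r"(?:\d\\)?([0-9a-fA-F]{32})")


def parse_line(line):
    """Split one MfeEpe.log line into ts/level/component/msg; None if it does not match."""
    m = LINE.match(line)
    return m.groupdict() if m else None


def ubp_status(lines):
    """Return {user_guid: state}; 'ignored' means the client dropped the user because its
    UBP never arrived (the thread's symptom), 'added' means enforcement completed for it."""
    state = {}
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        ids = USER_ID.findall(rec["msg"])
        if not ids:
            continue
        guid, msg = ids[0].lower(), rec["msg"]
        if "incomplete UBP" in msg:
            state[guid] = "ignored"
        elif "successfully added" in msg:
            state[guid] = "added"
        elif "added to policy store" in msg:
            state.setdefault(guid, "policy_store")  # policy arrived, user creation pending
    return state


if __name__ == "__main__":
    for guid, st in ubp_status(SAMPLE_LOG).items():
        print(f"{guid}: {st}")
```

A user left in the "ignored" state after a sync points back at the server side (policy assignment rule or the "DE: Force update for UBP enforcement users" task), not at the client.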
Well, that's strange...
Oh yes, I forgot to mention that we only use local users with the "User Directory", so no LDAP.
I checked the "Server Task Log" and every entry for the task "DE: Force update for UBP enforcement users" shows that it was successfully completed, and the log messages say the same:
12/22/16 4:00:07 PM Started: Check and update machines for configured UBP enforcement users.
12/22/16 4:00:07 PM Completed: Check and update machines for configured UBP enforcement users. (DE: Force update for UBP enforcement users)
Here are more details about our settings:
Users are created in the user directory (local, no LDAP). There are only a few settings to make:
- cn (identical to logon name)
- logon name (identical to cn)
- attribute account control is not checked, but on some accounts it is and on some not; I guess that makes no difference, right?
- display name (first and last name of the person)
After creating, the accounts were enabled (actions -> enable user).
The regular user is assigned to the system in this way:
encryption users -> select system -> actions -> drive encryption -> add user -> select user in the first field (users)
perform an agent wakeup (for sync):
system tree -> select system -> wake up agents -> no settings changed (not superagent wake-up call, randomization 0, options is checked, force policy update (tried with checked and not checked), retry interval 30s, abort after 5min)
On the client the agent monitor shows different things (as normal) and drive encryption status shows that the policy enforcement is in progress and after a second it's done.
If I add another regular user, the drive encryption status shows that there are things to create for the new user (similar, I don't remember the exact words) and after some minutes (or another sync) it's fine and the second user can log on to the system in drive encryption.
But if the user has UBP the policy enforcement is just done, but shows the error in the MfeEpe.log (tried it just a few minutes ago and same behaviour).
The 'admin' user (with UBP) was created and assigned the same way (directly to the system and not as a group user). Enabling the UBP enforcement for the 'admin' user was successful.
I also removed all system assignments for the 'admin' user, but still no luck.
Do you have any other ideas, what could be the issue? What could make the UBP incomplete? Do you need more details for something?
Note: the 'admin' user has such symbols as '-' in its cn and logon name, like 'it-admin'. Could this maybe be a problem?
I suspect the issue is likely the policy for the user isn't making it to the client machine. At this point I think we need to review the logs on the ePO server, any Agent Handlers, and the client system. Seems like something unusual is going on with the policy assignment and it could be failing in several different places.
Please open a case with Drive Encryption Technical Support. If it isn't resolved when I get back in the office on Tuesday after Christmas, give me the last 4 of the case number and I will take a peek.
Sorry for the late reply, but I was busy with other things and stuff ...
I have opened a case with Drive Encryption Technical Support and they gave me some tips you already gave me, but also this:
Menu -> Configuration -> Server Settings -> User Policies -> Database Mirroring has to be enabled (it wasn't before)
He told me it has something to do with performance improvement and so on (he looked it up in an old case from 2015). At first I didn't believe it, because I couldn't imagine why this setting should have an influence on my issue, but it was definitely responsible, because after enabling this (and running the mentioned server task again) it worked flawlessly.
Now everything works as desired.
So thank you very much for your help!!