DE 7.1.3 Adding users with UBP enabled does not work

Hey guys,

we are running Drive Encryption 7.1.3.604. It works so far when a 'regular' user is added to the system. Regular means no UBP enforcement enabled.

For administrative and support tasks, we need a user (let's say 'admin-user') on every system, which has a UBP enabled that lets the password never expire. The password of 'regular' users will expire after a specific period.

So I created an extra user-based policy, which has the specific setting for this scenario. Moreover, I created a policy assignment rule, which assigns this policy to only this user, which has to be on every system. Last but not least I ran the report 'de users' to enable UBP enforcement for this user.

But I'm not able to assign this user (with UBP enforcement enabled) to a system. I am able to do so if I disable the UBP enforcement.

I tried two ways for adding the 'admin-user':

- encryption users -> select system -> add user -> sync

- encryption users -> select group/OU -> group users -> add the user -> sync

(if I do this with a 'regular' user, it works flawlessly)

If I look into the settings on the client (drive encryption status -> save computer information) only the 'regular' user is shown.

My question is: what do I have to do, to add the 'admin-user' (with no password expiration) to any system of a specific group/OU?

I appreciate any help. Thanks!

Aaron

1 Solution

Accepted Solutions

Re: DE 7.1.3 Adding users with UBP enabled does not work

Sorry for the late reply, but I was busy with other things and stuff ...

I have opened a case with Drive Encryption Technical Support and they gave me some tips you already gave me, but also this:

Menu -> Configuration -> Server Settings -> User Policies -> Database Mirroring has to be enabled (it wasn't before)

He told me it has something to do with performance improvement and so on (he looked it up in an old case from 2015). At first I didn't believe it, because I couldn't imagine why this setting should have an influence on my issue, but it was definitely responsible, because after enabling this (and running the mentioned server task again) it worked flawlessly.

Now everything works as desired.

So thank you very much for your help!!

11 Replies
McAfee Employee jhall2
Message 2 of 12

Re: DE 7.1.3 Adding users with UBP enabled does not work

After enabling UBP in DE: Users for the user and creating the policy assignment rule, the ePO Server Task "DE: Force update for UBP enforcement users" must be run. This task by default is set to run daily and should be changed to run hourly.

More information can be found in KB84452.

Re: DE 7.1.3 Adding users with UBP enabled does not work

Thanks at first

Just for better understanding: when do I have to run this server task? Before assigning a user with UBP to a system or afterwards?

I ran the server task now, but the user still doesn't appear in the 'client status file' (sync was complete). The UBP user is assigned directly to the system and not as a group user.

Can you please tell me the correct order for the steps I have to do to add a user (with UBP) to a system which already has a regular user?

Thank you!

McAfee Employee jhall2
Message 4 of 12

Re: DE 7.1.3 Adding users with UBP enabled does not work

1. Configure Policy Assignment Rule for user (This can be done before or after assigning the user)

2. Assign the user

3. Edit and enable the UBP option for the user in DE: Users

4. Run "DE: Force update for UBP enforcement users" task

McAfee Employee jhall2
Message 5 of 12

Re: DE 7.1.3 Adding users with UBP enabled does not work

Aaron,

Can you get the MfeEpe.log from the client system?

     C:\Program Files\McAfee\Endpoint Encryption Agent\MfeEpe.log

This should give us a little more insight as to what is occurring on the client system.

Re: DE 7.1.3 Adding users with UBP enabled does not work

I did it in this mentioned order, but still no success 😕

Attached to this post you will find the requested file. Because I have a German operating system, some entries are German 😉

Additionally, I also attached a screenshot of the policy assignment rule. Maybe there is a mistake?

McAfee Employee jhall2
Message 7 of 12

Re: DE 7.1.3 Adding users with UBP enabled does not work

The log shows that the UBP isn't available for the user:

2016-12-21 08:19:41,122 WARNING EpoPlugin                       userHandler: OptIn user (i.e. non-default UBP user) [1\6776dc310b394051825e3f14417c5f08] has incomplete UBP (missing UBP/Ident) which will cause this user to be ignored.

I noticed this is a User Directory user so I tested in my environment and was successful in adding a user with the UBP option enabled.

2016-12-21 18:03:10,409 INFO    EpoPlugin                       enforceUserPolicy: User (1\3f9f303bba3c48d08399bf14da777833) added to policy store.
2016-12-21 18:03:10,424 INFO    EpoState                        == Start of policy enforcement ==
2016-12-21 18:03:10,424 INFO    StatusService                   Policy enforcement has started
2016-12-21 18:03:21,690 INFO    UserLib                         userLib: user testubp (3F9F303BBA3C48D08399BF14DA777833) successfully added

I also verified I could make it fail by either not having a PAR or running the "DE: Force update for UBP enforcement users" task:

2016-12-21 18:02:32,206 WARNING EpoPlugin                       userHandler: OptIn user (i.e. non-default UBP user) [1\3f9f303bba3c48d08399bf14da777833] has incomplete UBP (missing UBP/Ident) which will cause this user to be ignored.

Either the Policy Assignment Rule isn't working correctly or the UBP enforcement task is failing. Can you look at the Server Task Log for the "DE: Force update for UBP enforcement users" and verify the task successfully completed and view the "Log Messages" to see if there were any explicit failures?
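
The check described in the post above (is a UBP user still being ignored, or was it later added?) can be run over a whole MfeEpe.log. This is an added example, not part of the original post and not McAfee tooling; the function names and the sample user ids are assumptions made up for illustration, and only the three message formats quoted in the thread are recognised.

```python
import re
from datetime import datetime

# Patterns follow the MfeEpe.log lines quoted in the thread; \s* after the
# level tolerates copies where the column padding was lost ("INFOEpoPlugin").
TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\s+"
UID = r"(?P<uid>[0-9a-fA-F]{32})"
EVENTS = (
    ("ignored", re.compile(TS + r"WARNING\s*EpoPlugin\s+userHandler: OptIn user .*?"
                           r"\[\d+\\" + UID + r"\] has incomplete UBP")),
    ("stored", re.compile(TS + r"INFO\s*EpoPlugin\s+enforceUserPolicy: User "
                          r"\(\d+\\" + UID + r"\) added to policy store")),
    ("added", re.compile(TS + r"INFO\s*UserLib\s+userLib: user (?P<name>\S+) "
                         r"\(" + UID + r"\) successfully added")),
)


def ubp_user_states(lines):
    """Map user id -> latest event seen; lines are assumed to be in file order."""
    states = {}
    for line in lines:
        for state, pattern in EVENTS:
            m = pattern.search(line)
            if m:
                uid = m.group("uid").lower()  # userLib logs the id in upper case
                entry = states.setdefault(uid, {"name": None})
                entry["state"] = state
                entry["at"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
                if state == "added":
                    entry["name"] = m.group("name")
                break
    return states


def still_ignored(lines):
    """User ids whose most recent event is the 'incomplete UBP' warning."""
    return sorted(u for u, e in ubp_user_states(lines).items() if e["state"] == "ignored")


# Constructed sample: the user ids are made up; the message wording is the thread's.
FIXED, BROKEN = "0123456789abcdef" * 2, "fedcba9876543210" * 2
WARN = ("{} WARNING EpoPlugin    userHandler: OptIn user (i.e. non-default UBP user) "
        "[1\\{}] has incomplete UBP (missing UBP/Ident) which will cause this user to be ignored.")
SAMPLE_LOG = [
    WARN.format("2016-12-21 08:19:41,122", BROKEN),
    WARN.format("2016-12-21 18:02:32,206", FIXED),
    "2016-12-21 18:03:10,409 INFOEpoPlugin    enforceUserPolicy: User (1\\%s) added to policy store." % FIXED,
    "2016-12-21 18:03:10,424 INFOEpoState    == Start of policy enforcement ==",
    "2016-12-21 18:03:21,690 INFO    UserLib    userLib: user testubp (%s) successfully added" % FIXED.upper(),
]

if __name__ == "__main__":
    for uid in still_ignored(SAMPLE_LOG):
        print("UBP still incomplete for", uid)
```

A user id that stays in the `still_ignored` result after the server task and an agent sync is one whose user-based policy has not reached the client.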

Re: DE 7.1.3 Adding users with UBP enabled does not work

Well, that's strange...

Oh yes, I forgot to mention, that we only use local users with the "User Directory", so no LDAP.

I checked the "Server Task Log" and every entry for the task "DE: Force update for UBP enforcement users" shows that it was successfully completed, and so do the log messages:

12/22/16 4:00:07 PM  Started: Check and update machines for configured UBP enforcement users.

12/22/16 4:00:07 PM  Completed: Check and update machines for configured UBP enforcement users. (DE: Force update for UBP enforcement users)

Here are more details about our settings:

Users are created in the user directory (local, no LDAP). There are only a few settings to make:

- cn (identical to logon name)

- logon name (identical to cn)

- attribute account control is not checked, but at some accounts yes and some, but I guess that it makes no difference, right?

- display name (first and last name of the person)

After creating, the accounts were enabled (actions -> enable user).

The regular user is assigned to the system in this way:

encryption users -> select system -> actions -> drive encryption -> add user -> select user in the first field (users)

perform an agent wakeup (for sync):

system tree -> select system -> wake up agents -> no settings changed (not superagent wake-up call, randomization 0, options is checked, force policy update (tried with checked and not checked), retry interval 30s, abort after 5min)

On the client the agent monitor shows different things (as normal) and drive encryption status shows that the policy enforcement is in progress and after a second it's done.

If I add another regular user, the drive encryption status shows that there are things to create for the new user (similar, I don't remember the true words) and after some minutes (or another sync) it's fine and the second user can log on to the system in drive encryption.

But if the user has UBP, the policy enforcement is just done, but shows the error in the mfeepe.log (tried it just a few minutes ago and same behaviour).

The 'admin' user (with UBP) was created and assigned the same way (directly to the system and not as a group user). Enabling the UBP enforcement for the 'admin' user was successful.

I also removed all system assignments for the 'admin' user, but still no luck.

Do you have any other ideas what could be the issue? What could make the UBP incomplete? Do you need more details for something?

Note: the 'admin' user has such symbols '-' in its cn and logon name. Like 'it-admin'. Could this maybe be a problem?

McAfee Employee jhall2
Message 9 of 12

Re: DE 7.1.3 Adding users with UBP enabled does not work

I suspect the issue is likely the policy for the user isn't making it to the client machine. At this point I think we need to review the logs on the ePO server, any Agent Handlers, and the client system. Seems like something unusual is going on with the policy assignment and it could be failing in several different places.

Please open a case with Drive Encryption Technical Support. If it isn't resolved when I get back in the office on Tuesday after Christmas, give me the last 4 of the case number and I will take a peek.
