Deleting Endpoint Encryption tokens via webapi call

Hello everybody,

we're using McAfee Endpoint Encryption with ePO 5.3.2. Our workstations are almost all encrypted with EE. While having problems at the beginning of the rollout of the preboot authentication, we deactivated the preboot stage on nearly all systems. In the meantime nearly all local passwords of the users in the preboot stage are out of sync, because the users had to change their AD passwords through our policy.

Now we would like to activate the preboot stage again. By simply activating it, the user is confronted with problems getting through the preboot stage, because the password in the preboot stage is out of sync, as I said. If we delete the token via the ePO Console manually, it is possible for the user to get through the preboot stage by setting the password and reconfiguring his self-token. This procedure is not manageable in our company, because we have too many users. We would like to use the webapi, but I think there is no command for deleting the token for a user. I found two commands which come very close to what we want:

eeadmin.resetSelfRecovery userDn - Drive Encryption reset users self-recovery token.

eeadmin.changeUserPassword userDn newPassword [oldPassword] - Drive Encryption change user's password

While using the resetSelfRecovery command, the user is only allowed to reset his self-token. This is not what we want.

While using the changeUserPassword command, I see no impact of using that command. For example, I set the password to "12345" (or similar). Nothing happens, obviously. Can somebody explain what that command really does?

So, is there someone who can help us? We need to reactivate the preboot stage for a lot of users. The best way would be to have a command for the webapi to reset the user's token.

I will be very glad for comments and help!

Chris00r

5 Replies
Reliable Contributor catdaddy

Re: Deleting Endpoint Encryption tokens via webapi call

Successfully moved from Business to Encryption: ePO Managed > Discussions

I moved it to ePO Encrypted as you mentioned such.

Cliff
McAfee Volunteer
McAfee Employee jhall2

Re: Deleting Endpoint Encryption tokens via webapi call

The eeadmin.changeUserPassword command should reset the token if you do not specify the old password.

Drive Encryption 7.1 Scripting Guide (PD24869)

"If you don't specify the old password, users are reinitialized, leading to the loss of token, logon, Single-Sign-On (SSO), Self-Recovery, and password history data. This requires the users to reinitialize their data at next logon."

However, you can just reset the token for the entire lot via the DE: Users query. Although you cannot use the select all button, you can select the first entry, scroll to the last entry, press and hold Shift and select the last entry then select Actions | Drive Encryption | Reset Token.

Re: Deleting Endpoint Encryption tokens via webapi call

Hi there, thank you for your comments!

As I mentioned, I already tried to use the command eeadmin.changeUserPassword:

eeadmin.changeUserPassword userDn newPassword [oldPassword] - Drive Encryption change user's password

The old password is an optional parameter. The userDn (that's exactly clear) and the NewPassword have to be specified. Without specifying the NewPassword, the web request ends with a failed state. So if I specify a password, let it be "12345" for example, the web request ends with a success state. Everything seems to be good, BUT: there is NO effect on the EE client system. In the log, I can not recognize a change. It has no effect, exactly NO effect. If the client reboots, the user is NOT prompted to renew his credentials; furthermore the user is not able to use the password "12345" specified by me. The user is able to use "his old password" (if it had existed, or rather that which the user specified in the past). So on the whole the command "changeUserPassword" does not help us solve the problem.

McAfee Employee jhall2

Re: Deleting Endpoint Encryption tokens via webapi call

I just tested and received a different behavior than you. I ran the following command from a browser and did not specify the old password:

https://unityepo.unity.local:8443/remote/eeadmin.changeUserPassword?userDn=CN=jhall2,OU=DomainAdmins...

I received this message:

OK: Succeeded

After waiting about 5 minutes to allow the database to process the request, I performed a collect and send props on the client and waited for policy enforcement to complete. I then saw this in the MfeEpe.log:

2017-03-07 15:32:24,868 INFO   EpoState   == Start of policy enforcement ==

2017-03-07 15:32:25,165 INFO   EpoPlugin   userHandler: requesting updates for user A472B39FDF4F154AA299DA98F66ECCF7: token data, self recovery data, logon data, sso data

2017-03-07 15:32:51,666 INFO   StatusService   updating Drive Encryption users

2017-03-07 15:32:51,760 INFO   UserLib   userLib: user jhall2 (A472B39FDF4F154AA299DA98F66ECCF7) has had logon data updated

2017-03-07 15:32:51,822 INFO   UserLib   userLib: user jhall2 (A472B39FDF4F154AA299DA98F66ECCF7) has had token data updated

2017-03-07 15:32:51,885 INFO   UserLib   userLib: user jhall2 (A472B39FDF4F154AA299DA98F66ECCF7) has had SSO data updated

2017-03-07 15:32:51,947 INFO   UserLib   userLib: user jhall2 (A472B39FDF4F154AA299DA98F66ECCF7) has had UBP updated

2017-03-07 15:32:52,572 INFO   EpoState   == End of policy enforcement ==

Upon the reboot, the user's password was reset to the value entered into the command and not reset back to the default password.

This was tested with the MDE 7.2.0.457 extensions. I am researching this behavior further.

Re: Deleting Endpoint Encryption tokens via webapi call

Hi,

thank you for your help!

I tested nearly the same command as you wrote. I also received OK: Succeeded; my MfeEpe.log has the following entries:

2017-03-08 08:02:29,978 INFO    EpoPlugin                            userHandler: processing user updates/requests

2017-03-08 08:02:30,337 INFO    EpoPlugin                            userHandler: requesting updates for user *ID*: token data, self recovery data, logon data, sso data

2017-03-08 08:02:30,337 INFO    EpoPlugin                            Sending user updates for *USER* (*ID*) to ePO

2017-03-08 08:02:30,353 INFO    EpoPlugin                            userHandler: dispatching ESUserList event to McAfee Agent

2017-03-08 08:02:30,353 INFO    EpoPlugin                            userHandler: Note, press Send Events button in McAfee Agent to hasten delivery (see KB71865).

2017-03-08 08:02:30,681 INFO    StatusService                        Ereignis zum Synchronisieren von aktualisierten Benutzerdaten wird erstellt.

2017-03-08 08:02:38,811 INFO    DRIVER                               Session notification: EPEPC_DRIVER_SESSION_LOGON

...

2017-03-08 09:20:42,537 INFO    EpoState                             == End of policy enforcement ==

The entries with "...has had ... updated" are missing in my logs.

I am using the same version number and extension as you.
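The last two posts turn on one question: after `eeadmin.changeUserPassword` returned `OK: Succeeded`, did the client actually reinitialize the user? The following Python check is an added example (not from the thread or from McAfee) that reads MfeEpe.log text and, per user ID, compares the data categories the client *requested* ("requesting updates for user ...") with those it *confirmed* ("has had ... updated"). The sample lines are copied from the posts above; the user name `chris` and ID `0123ABCD` in the second sample are constructed placeholders for the redacted *USER*/*ID*.

```python
import re
from typing import Dict

# Log excerpt as posted by jhall2 (reset confirmed by "has had ... updated" lines).
JHALL2_LOG = """\
2017-03-07 15:32:25,165 INFO   EpoPlugin   userHandler: requesting updates for user A472B39FDF4F154AA299DA98F66ECCF7: token data, self recovery data, logon data, sso data
2017-03-07 15:32:51,760 INFO   UserLib   userLib: user jhall2 (A472B39FDF4F154AA299DA98F66ECCF7) has had logon data updated
2017-03-07 15:32:51,822 INFO   UserLib   userLib: user jhall2 (A472B39FDF4F154AA299DA98F66ECCF7) has had token data updated
2017-03-07 15:32:51,885 INFO   UserLib   userLib: user jhall2 (A472B39FDF4F154AA299DA98F66ECCF7) has had SSO data updated
2017-03-07 15:32:51,947 INFO   UserLib   userLib: user jhall2 (A472B39FDF4F154AA299DA98F66ECCF7) has had UBP updated
"""

# Log excerpt as posted by Chris00r; constructed placeholders for the redacted user/ID.
CHRIS_LOG = """\
2017-03-08 08:02:30,337 INFO    EpoPlugin    userHandler: requesting updates for user 0123ABCD: token data, self recovery data, logon data, sso data
2017-03-08 08:02:30,337 INFO    EpoPlugin    Sending user updates for chris (0123ABCD) to ePO
2017-03-08 09:20:42,537 INFO    EpoState     == End of policy enforcement ==
"""

REQUEST_RE = re.compile(r"requesting updates for user ([0-9A-Fa-f]+): (.+)$")
UPDATED_RE = re.compile(r"user \S+ \(([0-9A-Fa-f]+)\) has had (.+) updated$")


def _norm(item: str) -> str:
    # "SSO data" -> "sso", "self recovery data" -> "self recovery", "UBP" -> "ubp"
    return re.sub(r"\s*data$", "", item.strip(), flags=re.IGNORECASE).lower()


def verify_token_reset(log_text: str) -> Dict[str, dict]:
    """Return {user_id: {requested, updated, pending, token_reset}} from MfeEpe.log text."""
    users: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            rec = users.setdefault(m.group(1).upper(), {"requested": set(), "updated": set()})
            rec["requested"].update(_norm(x) for x in m.group(2).split(","))
            continue
        m = UPDATED_RE.search(line)
        if m:
            rec = users.setdefault(m.group(1).upper(), {"requested": set(), "updated": set()})
            rec["updated"].add(_norm(m.group(2)))
    for rec in users.values():
        rec["pending"] = rec["requested"] - rec["updated"]   # requested but never confirmed
        rec["token_reset"] = "token" in rec["updated"]       # the line the thread is looking for
    return users
```

A user whose record shows `token_reset` False with a non-empty `pending` set matches the symptom in the last post: the request was issued but the client never confirmed the update.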
