We currently use the LDAP synchronization to pull in users/computers into our ePO System Tree structure. We have a few domains in our System Tree and a fairly flat AD structure. Due to this type of structure, it would require multiple policies set up on all these domain subgroups under My Organization (System Tree). This would make things very cumbersome and require us to change the policies in various different places if we needed to revise it at a later time. This would also require us to move systems around to apply different policies and due to the LDAP synchronization, it would throw everything off. We decided to leverage the tagging capabilities in ePO 4.6 to deploy the EEAgent and EEPC client, along with assigning EEPC policies to the systems. We created a tag to Encrypt and a tag for Autoboot. Once the Encrypt tag is applied to a machine, the EEAgent and EEPC client are deployed to the system and once installed, the EEPC policies will be pushed down as long as users are assigned on the encryption level. If we remove the Encrypt or Autoboot tags, the system will start decrypting and the EEAgent and EEPC client will be removed once the decryption is completed. Should the computer be encrypted, if we were to apply the Autoboot tag, we can force our autoboot policy to be pushed down to the system and allow the PBA to be bypassed.
Is anyone else utilizing the ePO tagging features to deploy or maintain EEPC? If so, have you faced any challenges with this type of setup?
We also utilized the ePO Web API to write Python scripts that allow us to easily apply tags for encryption and autoboot, while also allowing us to clear tags to start decryption of a system. We have scripts that automate much of what can be done in the ePO console. Unfortunately, due to the Web API limitations, we are unable to automate the challenge/response system via our Python scripts. A product enhancement request has been submitted and we hope this will be considered in a future release.
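As an added illustration of the tag-driven workflow above (not the poster's own script), this is a minimal Python client that applies or clears the Encrypt tag through the ePO Web API and then wakes the agent. It assumes the ePO remote-command convention of GET requests to /remote/<command> with Basic auth, the command names system.applyTag, system.clearTag and system.wakeupAgent, and replies prefixed with "OK:" or "Error"; the send callable is injectable so the logic can be exercised offline.

```python
import base64
import json
import urllib.parse
import urllib.request

ENCRYPT_TAG = "Encrypt"   # tag names taken from the post above
AUTOBOOT_TAG = "Autoboot"


class EpoError(RuntimeError):
    """ePO answered a remote command with an 'Error ...' payload."""


def parse_response(body):
    """ePO prefixes every remote-command reply with 'OK:' or 'Error'.
    With ':output=json' the text after 'OK:' is a JSON value (assumption:
    applyTag/clearTag return the number of systems affected)."""
    if body.startswith("OK:"):
        payload = body[3:].strip()
        return json.loads(payload) if payload else None
    raise EpoError(body.strip() or "empty response from ePO")


class EpoClient:
    def __init__(self, base_url, user, password, send=None):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self._auth = "Basic " + token
        # 'send' is injectable so tests can run without a live ePO server
        self._send = send or self._http_get

    def _http_get(self, url):
        req = urllib.request.Request(url, headers={"Authorization": self._auth})
        with urllib.request.urlopen(req) as resp:   # TLS verified by default
            return resp.read().decode("utf-8")

    def call(self, command, **params):
        params[":output"] = "json"
        query = urllib.parse.urlencode(params)
        return parse_response(self._send(f"{self.base_url}/remote/{command}?{query}"))


def set_encryption(client, hostnames, encrypt):
    """Apply the Encrypt tag to start EEPC deployment, or clear it to start
    decryption and eventual client removal; then wake the agents so the
    tag change is picked up now rather than at the next ASCI."""
    names = ",".join(hostnames)
    command = "system.applyTag" if encrypt else "system.clearTag"
    affected = client.call(command, names=names, tagName=ENCRYPT_TAG)
    client.call("system.wakeupAgent", names=names)
    return affected
```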
I currently use tags to deploy and manage EEPC and it works quite well provided system sorting is consistent. I use ePO 4.5 Patch 5 and EEPC 6.1.2. EE:ALDU is turned on in policy. I created an Unsupported Products XML check for the existing encryption product.
Process is basically:
1. System is identified and first tag is applied manually. Wake up call is performed manually.
2. System sorting moves system to a Directory folder where a task installs the EEPC agent (policy on this folder also changes ASCI to 20 minutes).
3. Once installed and reported to ePO, server task runs a query (every 20 minutes) where this system will appear as a result. Server task action is to apply the next tag and clear the previous tag.
4. Repeat steps 2-3 for EEPC software, EEPC activation, and EEPC completion.
All systems requiring encryption have a tag that sorts them to one folder (which gets EEPC "on" policy). If they don't have the tag, they won't be encrypted.
Things to keep in mind:
-If you use queries, make sure they are consistent from beginning to end. I started with a more stringent first query but not-so-stringent second and third queries, and found the path of least resistance was the weakest query. I ended up with systems skipping a step as a result and had to do clean-up.
-Use an increased ASCI during the deployment process. It has to strike a balance to ensure scalability. Oftentimes, a 5 minute ASCI does not allow policy enforcement to complete on a system before the next ASCI/PE cycle and things take longer. I have found 20 minutes (with a 10 minute PE interval) strikes the best balance.
-I have found it best to monitor EEPC Activation as a step in the process, because automatic does not mean foolproof. Once a system is activated (system state changes to Active), the system is moved to the Encrypted pool.
Our biggest challenge has been identifying systems to be encrypted solely through data populated from the McAfee Agent, thus Step 1 above is completely manual. Our imaging team is able to create a task sequence to install EEPC based on a WMI query of chassis type, and with near 100% certainty install it on a laptop. Supposedly "Is Laptop" does the same thing but translates the results into Yes/No. This method provides significant time savings in not relying on ePO as a software distribution platform.