I am trying to set up user-based encryption for different departments. As such, I have created a key for each department. Now I am unsure regarding the Grant Key Policy. Should all departmental keys be placed into one Grant Key Policy, or should there be a separate Grant Key Policy for each department? The documentation does not provide much insight and I want to make sure to follow best practices. Also, is it necessary to create a task to push out the EEFF policy to client systems, and if so, how is this accomplished? Thank you.
I recommend that you read this post and watch the video https://community.mcafee.com/community/business/data/epoenc/blog/2011/09/19/getting-started-with-end... The video shows how to assign specific keys to specific people using policy assignment rules. That is the best route for departmental keys. It also has a link to a KB that explains the policy creation workflow.
In short, policy assignment rules (user based) are what you are looking for. So that means you will have to create a grant keys policy for each department, and then go into policy assignment rules and associate each of those grant keys policies with the correct people/departments based on their AD group membership.
Also, I recommend getting a well-defined naming convention for EEFF keys as a best practice, and aligning the group membership name with that EEFF key. If you maintain a good naming convention, you can obtain better management when applying the keys.