peter_eepc
Level 15

Re: EEPC v6.0.1: Endpoint Encryption is Inactive

Policy enforcement?

EEv6-Enforcement.png

Also, make sure that you can add EE as single user from AD. No need to have EE pre-boot:

EEv6-LDAP-Users.png

0 Kudos
SafeBoot
Level 21

Re: EEPC v6.0.1: Endpoint Encryption is Inactive

Peter makes a good point - though you don't need pre-boot authentication for the crypto to activate, it will NOT activate without any user accounts assigned.

Remember, autoboot mode (no authentication) does not offer any protection from data disclosure regulations, and really defeats the point of encrypting the drive in the first place.

Again, no users assigned means EEPC will not activate.

0 Kudos
babatola
Level 7

Re: EEPC v6.0.1: Endpoint Encryption is Inactive

Thanks peter. I have gone through the guide over and over and the issue has not changed.

However, I would review the settings again to ascertain that policies are enforced. Thanks for the screenshots.

I assigned a user manually, but I would undergo the entire process again.

Safeboot: I do not feel too comfortable with pre-boot authentication and that is why we have disabled preboot authentication. We have been posed with several challenges like hardware support/driver for certain mouse and keyboard......so we are trying to bypass all that to reduce the operating issues. We understand the implications of not enabling this feature, however we would avoid a "necessary evil" at this stage....hahahahha

Also, another important factor for not enabling preboot authentication is SSO. It is not so straightforward as the guide claims and this would cause unnecessary downtime for users.

We don't wanna end up creating a 9 a.m. DoS attack and support engineers running helter-skelter

Features like: (1) ability to pause the encryption, when encrypting a drive (2) command line uninstall command for the product

0 Kudos
SafeBoot
Level 21

Re: EEPC v6.0.1: Endpoint Encryption is Inactive

Why would you want to pause the encryption? I assume you mean the initial encryption of the drive, not in general?

0 Kudos
babatola
Level 7

Re: EEPC v6.0.1: Endpoint Encryption is Inactive

Having a re-think on the "pause" feature, it really might not be necessary but you would agree with me that a command line uninstall command should be in place. As it is, I can only remove EEPC via ePO or during a recovery!!!!! aaaarghh.

0 Kudos
SafeBoot
Level 21

Re: EEPC v6.0.1: Endpoint Encryption is Inactive

I'm not sure any crypto product has a command line uninstall feature - it makes it too easy for end users to remove it. One of the fundamental points of centrally managed products is that they are centrally managed, and encryption is a little different, in the sense that it's easy to remove the product, but hard to remove the crypto ;-)

If we allowed people a simple uninstall method, they would end up with non-booting machines - we'd have to allow for command line decryption and uninstall, which opens things up to end users disabling products without administrators knowing.

If you are an engineer, you can remove the encryption without needing EPO using EETech (the disaster recovery toolkit)? Is that what you are looking for?

0 Kudos
peter_eepc
Level 15

Re: EEPC v6.0.1: Endpoint Encryption is Inactive

I think it is intentional for EEPC to be very difficult to remove. Even by a person with local admin rights.

Treat ePO as a specialised security toolbox for your PC. No more self-repairs.

0 Kudos
babatola
Level 7

Re: EEPC v6.0.1: Endpoint Encryption is Inactive

You both got a point....but I am always SCARED of that unlucky day where your ePO is down and you critically need to get the EEPC off......the whole EETech procedure is more or less tedious and it relies on the ePO anyway (you would always have to generate a key)

The uninstall procedure would not be available to users....strictly technical.

I believe engineers need a safe haven (more like a backdoor process, hahahhahah)


Thanks guys, really appreciate....point noted! stick with ePO and EEtech.


However I would be uploading the log file for safeboot later on, and peter I would be reviewing the entire process again.

0 Kudos
babatola
Level 7

Re: EEPC v6.0.1: Endpoint Encryption is Inactive

Safeboot, EEPC and others,


Here is a sample of the log file you requested. I was able to lay my hands on one, finally.....this is a log file of one of the client systems (Windows XP).

0 Kudos
SafeBoot
Level 21

Re: EEPC v6.0.1: Endpoint Encryption is Inactive

I could not find a record of you assigning a policy or any users to the machine? Maybe you can start by checking those two.

2010-4-29 16:30:58,117 DEBUG MfeEpeHost
From uuid = 5145540F-1BA8-4F52-895D-617839C2869E
From Service = MfeEpeEncryptionService
To uuid = 61FC150F-2C47-4100-9B9B-146EC568E74E
To Service = MfeEpeEncryptionInformationServiceClient
Message =

<element xsi:type="ns1:ESGetSystemInfoRsp">
      <sendTo serviceName="MfeEpeEncryptionInformationServiceClient" serviceUUID="61FC150F-2C47-4100-9B9B-146EC568E74E" xsi:type="ns1:MfeEpeAddress">
      </sendTo>
      <from serviceName="MfeEpeEncryptionService" serviceUUID="5145540F-1BA8-4F52-895D-617839C2869E" xsi:type="ns1:MfeEpeAddress">
      </from>
      <system xsi:type="ns1:ESSystem">
            <uuid>
            </uuid>
            <fqdn>
            </fqdn>
            <ipAddress>
            </ipAddress>
            <policyIdent>
            </policyIdent>
            <encryptionProvider>
            </encryptionProvider>
            <progressPercentage>
                  0
            </progressPercentage>
            <state>
                  Inactive
            </state>
            <themeLocation>
            </themeLocation>
      </system>
</element>

0 Kudos
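
Added example, not part of the thread and not McAfee code: a Python sketch that pulls ESGetSystemInfoRsp messages out of a client log like the one quoted above and reports an Inactive system together with the fields the client left empty. The function names are hypothetical, the sample is constructed from the quoted excerpt, and the xsi namespace URI is assumed to be the standard W3C one because the log fragment never declares it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, shortened from the log excerpt quoted in the thread.
SAMPLE_LOG = """2010-4-29 16:30:58,117 DEBUG MfeEpeHost
To Service = MfeEpeEncryptionInformationServiceClient Message =
<element xsi:type="ns1:ESGetSystemInfoRsp">
  <system xsi:type="ns1:ESSystem">
    <policyIdent>
    </policyIdent>
    <encryptionProvider>
    </encryptionProvider>
    <progressPercentage>
      0
    </progressPercentage>
    <state>
      Inactive
    </state>
  </system>
</element>
"""

XSI = "http://www.w3.org/2001/XMLSchema-instance"  # assumed: not declared in the log
MSG_RE = re.compile(r"<element\b.*?</element>", re.DOTALL)

def system_info_responses(log_text):
    """Return one dict per ESGetSystemInfoRsp message found in the log text."""
    results = []
    for match in MSG_RE.finditer(log_text):
        # The fragment uses the xsi: prefix without declaring it, so wrap it
        # in a root element that binds the prefix before parsing.
        root = ET.fromstring(f'<log xmlns:xsi="{XSI}">{match.group(0)}</log>')
        msg = root[0]
        system = msg.find("system")
        if msg.get(f"{{{XSI}}}type", "").endswith("ESGetSystemInfoRsp") and system is not None:
            results.append({c.tag: (c.text or "").strip() for c in system})
    return results

def triage(info):
    """Return findings for a system whose encryption state is Inactive."""
    if info.get("state") != "Inactive":
        return []
    findings = ["state=Inactive, progress=%s%%" % (info.get("progressPercentage") or "?")]
    findings += [f + " is empty" for f in ("policyIdent", "encryptionProvider") if not info.get(f)]
    return findings

if __name__ == "__main__":
    for info in system_info_responses(SAMPLE_LOG):
        print(triage(info))
```

An empty policyIdent alongside state Inactive is the pattern SafeBoot points to in the reply above; the script only surfaces it and does not replace checking the policy and user assignments in ePO.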