sbsnwnm1
Level 7

Encrypting Laptops when connected to docking stations

Hi,

Has anyone come across the below issue?

I have been encrypting some laptops which have been connected one by one to our network via a USB docking station.  The docking station has its own MAC address.  The issue I am seeing is that because the docking station has its own MAC address, each laptop that is connected is picking up the same IP and MAC address in EPO and wiping the previous laptop's password recovery information from EPO.

I have modified the matching criteria to use MAC/IP and DNS name, but I'm not 100% sure this is working either.  Any ideas?

Another issue I would like clarification on is, quite a few laptops are not connected to our corporate network very often, so after 30 days EPO removes machines that haven't been in contact in the time frame.  When EPO removes these laptops, does the recovery information also disappear?

Thanks,

Nick

0 Kudos
1 Solution

5 Replies
dwebb
Level 12

Re: Encrypting Laptops when connected to docking stations

I can't help with the docking station issue, but if you're on 6.2 then the recovery keys will be persisted indefinitely.  However, once the machine has been removed from ePO, you will have to get the keycheck value from the disk (using EETech) and then use the scripting API to query the recovery key from ePO (sample Python files are included to show how to do this).

V7 adds the ability to fetch a recovery key by keycheck value to the EEAdmin UI.

HTH

0 Kudos
SafeBoot
Level 21

Re: Encrypting Laptops when connected to docking stations

Sounds like the same problem VPN users have - https://kc.mcafee.com/corporate/index?page=content&id=KB52949&actp=search&viewlocale=en_US&searchid=...

You would be best talking to your platinum support person about this, or asking questions at

Though this is affecting your EEPC rollout, it's actually an EPO/McAfee Agent function.

0 Kudos
sbsnwnm1
Level 7

Re: Encrypting Laptops when connected to docking stations

Thanks for the answer from both of you.  The docking station issue does indeed appear to be the same issue as VPN users.

Just so I am clear about the other issue.  If a laptop is encrypted and hasn't been seen for 30 days and is then deleted from EPO via a scheduled task, I am no longer able to perform an Encryption Recovery from within EPO?  I have to manually be at the laptop with an EETech disk to do a recovery?

I did a quick test and deleted a laptop from EPO and then tried a password recovery and this worked.  Does it take some time to delete the data?

0 Kudos
SafeBoot
Level 21

Re: Encrypting Laptops when connected to docking stations

Password recovery is all about users - you didn't delete the user, you deleted a machine.

Yes, if you delete the machine from EPO, and it does not re-connect and retrieve its key, you'll find it harder (but not impossible) to recover - you'll need to work out the key check value, export the key using the API etc.

Rather than delete them after 30 days, maybe you should move them to another group, and use a more generous timescale before actually wiping them out to make recovery a little easier?

0 Kudos
sbsnwnm1
Level 7

Re: Encrypting Laptops when connected to docking stations

Hi Safeboot,

Yes I think moving them to another group and excluding them from our reports is the best step forward.  After all, we are only encrypting 600 laptops anyway.

Thank you for your help and clarification.

0 Kudos
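
The docking-station symptom from the first post, as an added example that is not part of the original thread or of any McAfee tooling: a Python script that scans a check-in export for MAC addresses reported by more than one hostname, then uses a simplified overwrite model (an assumption, not ePO's actual matching logic) to show which records survive under each matching key. The CSV layout, column names and sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of agent check-ins (not real data): three laptops
# encrypted one after another through the same USB dock, plus one laptop
# that checked in on its own network adapter.
CHECKINS = """time,hostname,mac,ip
2024-01-08T09:00,LT-001,00:11:22:33:44:55,10.0.0.50
2024-01-08T10:00,LT-002,00:11:22:33:44:55,10.0.0.50
2024-01-08T11:00,LT-003,00:11:22:33:44:55,10.0.0.50
2024-01-08T11:30,LT-004,66:77:88:99:AA:BB,10.0.0.61
"""

def load(text):
    """Parse the constructed CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def shared_macs(rows):
    """Return {mac: sorted hostnames} for MACs reported by more than one host."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["mac"].lower()].add(r["hostname"].lower())
    return {m: sorted(h) for m, h in seen.items() if len(h) > 1}

def surviving_records(rows, key_fields):
    """Simplified model (assumption): a check-in whose key fields match an
    existing record overwrites it. Returns hostnames left at the end."""
    store = {}
    for r in sorted(rows, key=lambda r: r["time"]):
        key = tuple(r[f].lower() for f in key_fields)
        store[key] = r["hostname"]
    return sorted(store.values())

if __name__ == "__main__":
    rows = load(CHECKINS)
    for mac, hosts in shared_macs(rows).items():
        print(f"{mac} reported by {len(hosts)} hosts: {', '.join(hosts)}")
    print("MAC only      :", surviving_records(rows, ["mac"]))
    print("MAC + hostname:", surviving_records(rows, ["mac", "hostname"]))
```

Any MAC the script lists is a candidate dock or virtual adapter whose systems should be checked for missing recovery records before more laptops are encrypted through it.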