I am having trouble figuring out how to manage the policies for Endpoint Encryption.
We have 3 different policies that are required for EE. One that has update number of sides turned on, one that has Update MBR enabled, and a third that has both of these options turned off. A machine that gets the wrong policy will fail to boot, or blue screen or otherwise not boot correctly.
As far as I can tell, policies can be defined on the individual machine or on a group of machines in the system tree, and those are the only two options. I already have machines organized in the system tree for the other McAfee products we have. I have a group for really locked-down machines, and then varying degrees of openness for HIPS and antivirus rules. I can't figure out how to introduce Endpoint Encryption into that mix. I now need to have a policy that is focused entirely on the type of hardware. If it is a Lenovo laptop it has to get a certain EE policy. If it is a Dell laptop, it needs a different EE policy. But the Lenovo and the Dell might need to be in the same policy configuration for HIPS and VSE. Additionally, the computers auto-sort based on which AD OU they are in.
How should I be applying the EE policies? I would like it if I could tag a machine with a certain value and that tag would mean that it would apply a certain EE policy. Like I could have three tags for the three required types of endpoint encryption policies. Then depending on which tag the machine had applied, it would get the correct policy. I don't think there is a way to do that though. I am totally stuck trying to figure out how to organize this. I don't want to assign policies at the individual computer level as that is way too much trouble to handle, and I think it would be problematic in the future if the policy needed to change. There is a feature to filter tasks by tags. I am planning to use that feature for deployment. I will set up an EE deployment task and assign it to the computers that have a particular tag, but I don't think policies can work the same way.
I am curious to know how others are managing this. I am totally at a loss on how to do it.
There are two challenges here:
Tasks can work with tags, but not policies.
There are also Policy Assignment Rules, but those are for UBPs only, whose criteria are very limited.
So unless you create a complex grouping scheme (with each category combination possible), there would be no way to achieve what you want.
I think you would like to have dynamic groups, depending on which particular product (or even each specific function) you want to manage at the moment.
Yes, that is the problem as I understand it as well.
What is the solution? The only thing I can think of is to make a single Endpoint Encryption policy, and if the laptop can work with that policy then it can be encrypted, and if it can't, it can't. And if it can't be encrypted it goes in the dumpster. No way I ever get a policy like that passed, by the way, so I have to make this work somehow.
Applying a policy based on tag would be the best solution; I know that is not currently an option. I wouldn't mind managing the tags manually. I'd just have 3 tags: EE-GroupA, EE-TypeB, etc. I just don't want to (CANNOT!) organize my clients into specific groups solely for the purpose of EE based solely or partially on model type. What about all the other McAfee products I have to manage? With them, it is not as big a deal if a policy is incorrectly assigned; you can just fix it. If an EE client gets assigned to a wrong policy, the machine will likely blue screen and take 6-12 hours to fix.
So I am just curious about what other people are doing about this problem. A machine can't be in two places in ePO at once. Every machine in the same group gets the same policies, so how can this be managed with Endpoint Encryption needing policies that are specifically hardware based, as opposed to management rules, department, or Active Directory OU based like all the other McAfee products? I can't figure out how to make it work.
If you're willing to manage the tags I don't see why this wouldn't work:
1. Create a query to pull machines based on the tags you assign.
2. Create an automation task that runs the query, and set the subtask to 'Assign Policy'.
3. Schedule it to run periodically.
Message was edited by: woodsjw on 1/4/10 2:33:45 PM GMT-08:00
That's a great idea about applying policy. Did you try it yourself? I would like to explore further, but:
How would you automatically assign a tag based on the WMI-reported computer model string?
How would you automatically assign a tag based on a successfully executed ePO task (or an installed EE plugin)?
In a nutshell, what is the best way to program this process in ePO?
1. Detect systems that have certain computer model strings and no EEv6 installed
2. Depending on computer model, deploy EE plugin first
3. Once EE plugin is installed properly, install EEPC
4. Once EEPC is installed, apply appropriate (to previously detected computer model type) EEPC policy
Do we really need to use tags as process semaphores and scheduled server tasks as process triggers; or is there a better way to do it?
That's the challenge really... identifying the system model. My response was based on the OP's comment that they were willing to manage the tags manually. I'd sure love to automate the tag assignment. But I don't know how to do it either.
I'm sure Dan Larson posted a blog on exactly how to do tag based policy assignment right here in the community forum?
Not quite tag based policy, but tag based deployment. Still, perhaps some mileage in it for you?
Message was edited by: SafeBoot on 1/5/10 11:56:02 AM GMT-05:00
It is not that. Tag based task deployment is simple and standard.
Challenge is to get tags created automatically based on WMI computer model type.
Other challenges exist as per my previous post.
I've read it and it is a starting point. But I've found the IsLaptop property to be unreliable. I have to say though that I don't yet have enough PCs in the 4.5 test environment to see if it's more accurate than it is in 4.0. In 4.0 it identifies all of our ultra small form factor Dell Optiplexes as laptops. I went through and created my own based on mobile processor models, which I'm sure is still not 100% accurate, but it's close. It also does not address the OP's real problem of identifying particular make/models of laptops.
MA 4.5 has the ability to report back custom fields that are entered in the registry. If you are able to put the device model in the registry, then this could be used to apply a tag and then used to apply the policy.
Custom props are stored here: HKLM\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\CustomProps\
I have attached the MA 4.5 manual. See page 28 onwards.
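To show the registry approach from the post above end to end, here is an added PowerShell example (not from the thread or from McAfee): it reads the WMI model string, maps it to one of the OP's EE labels, and writes the result into the agent's CustomProps key so an ePO tag criterion, query and 'Assign Policy' server task can act on it. It assumes the agent reads REG_SZ values named CustomProps1 through CustomProps4 under that key, and the model-to-label table is a constructed placeholder, not a real hardware list.

```powershell
# Added example: stamp the WMI-reported hardware class into the McAfee Agent
# custom properties so ePO can tag on it. Assumption: MA 4.5 reports REG_SZ
# values CustomProps1..CustomProps4 under the key quoted in the post above.

$keyPath = 'HKLM:\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\CustomProps'

# Constructed mapping: model regex -> label an ePO tag/query will match on.
# First match wins. Patterns and labels are hypothetical placeholders.
$modelMap = @(
    @{ Pattern = '^ThinkPad'; Label = 'EE-GroupA' },
    @{ Pattern = '^Latitude'; Label = 'EE-TypeB'  },
    @{ Pattern = '^OptiPlex'; Label = 'EE-TypeC'  }
)

function Get-EEHardwareLabel {
    param([string]$Model)
    foreach ($entry in $modelMap) {
        if ($Model -match $entry.Pattern) { return $entry.Label }
    }
    # Unknown hardware gets a distinct label on purpose: a machine that matches
    # nothing must never fall through into a policy written for another model,
    # since the wrong EE boot options are what causes the blue screens above.
    return 'EE-Unclassified'
}

$cs    = Get-WmiObject -Class Win32_ComputerSystem
$label = Get-EEHardwareLabel -Model $cs.Model

if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }

# CustomProps1 carries the label the tag criterion keys on;
# CustomProps2 keeps the raw manufacturer/model string for auditing.
Set-ItemProperty -Path $keyPath -Name 'CustomProps1' -Value $label
Set-ItemProperty -Path $keyPath -Name 'CustomProps2' -Value "$($cs.Manufacturer) $($cs.Model)"

Write-Output "Model '$($cs.Model)' classified as $label; written to $keyPath"
```

Run it elevated (for example as a startup script or an ePO Run Client Task command) before the next agent-server communication, and build the ePO tag criterion on the CustomProps1 value rather than on IsLaptop, which the thread reports as unreliable.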