I am having some difficulty provisioning users to machines in EEPC 6.1. Most of the machines I am setting up are loaner laptops. These machines require access for:
1) the user
3) IT Security (will use admin recovery for this)
I have set up EEPC according to the instructions in the unofficial quickstart guide and have also read DLarson's "How to Provision Users to Machines in EEPC v6". In that blog it states that loaner laptops will require a different provisioning strategy than is recommended in the blog, but it does not suggest what that strategy should be.
There are 3 ways to provision a user to a system:
1) Individual assignment via the Encryption Users screen in ePO - using the password in the User Based Policy
2) Group Users assignment via the Encryption Users screen in ePO - using the password in the User Based Policy
3) Automatically add users found on the endpoint via the Add Local Domain Users policy option in the product settings policy - this seems to only work for users that are currently logged in or have been logged in and does not appear to work if you add a group of users. If I add a user account to the admin group on the laptop and do not log in with it before encrypting, I am unable to log into the system with this account after the system is encrypted. Is that how it is supposed to work?
My problem is this -- if I use option #1 and #2 for the users and admin, they have the same password. It is a problem to have 20 administrators with the same password and unlikely to be able to get them all to log in to change it for every system. Option #3 will not work for groups of users and I would have to get the user to log into the laptop before encrypting in order to have their account added.
How is everyone else provisioning user accounts in EEPC? Am I missing something? Any help would be GREATLY appreciated.
For all of your new builds, you should follow this best practice: https://community.mcafee.com/blogs/danlarson/2009/11/25/eepc-v6-best-practice-temporarily-enable-aut...
Doing this will hide the pre-boot authentication until an actual user of the system logs in and gets added by the Add Local Domain Users feature. Remember, this feature is persistent so it will keep running and keep adding new users all the time (unless you turn it off). So your admin will get added right away, but the pre-boot auth will not appear for a while. The idea is that the Add Local Domain Users feature will have enough time to run so that it picks up the actual user of the system prior to the pre-boot auth getting enabled by the new policy.
If you assign the 50+ admins as group users, there will be some risk of them using the default password until all 50 admins actually log in once and change their password. The only way to mitigate this risk is to simply not deploy those admin accounts to all of the systems. Remember, any admin can get into any system by using the challenge/response recovery procedure, so it isn't really necessary to actually assign them as pre-boot users.
As for the loaners, you'll have to come up with a manual process. One simple way is to just turn on the pre-boot and make the "loaner" process include a call to the helpdesk whereby the user gets added to that one system on the fly (i.e. they'll be locked out of the pre-boot until they call the helpdesk, the helpdesk will do a challenge/response to get them in and then add their user account in ePO and then do a sync).
you are missing something
all your machines are going to talk to each other and exchange password change information - so once someone changes their pwd on one machine, it will tell all the others about the change.
Thanks for your quick reply. I feel like I am missing a lot.
But in order for what you said to work, everyone in the group users and individual users will have to change their password on at least one machine before their password is no longer the one in the user based policy? I don't want anyone to be able to log in as someone else because they know what the default password is.
Could you confirm (or deny) that what I have found about the add Local Domain Users is true (or false) - if you add an account to a system before encrypting, but do not log in, then encrypt, you will not be able to log in with this account? I am wondering if this is the design or if there is something wrong with my set up.
yes, you have to change your password before it's not the default - that's what happens in any password based system?
no, what you've found should not be true - what error message did you get?
I think it would be best if you got your professional services team back in to help you set things up properly - it would seem like they left without really handing over all the knowledge you need?
I have changed the password so it is not the default, but everyone added using group users and individual users via the Encryption Users screen in ePO will still have the password that is set in the user based policy, correct?
The error message is Error EE050002 Unknown User.
We have not been using a professional services team. Maybe we should.
the error simply means you're typing a user name not recognized by the system, so either it's not an assigned user, or you set up your AD interface to import the user using some other format of their name like lastname, firstname etc.
The user names are in the administrators group on the system and are valid accounts in AD.
If I assign a user using group users and individual users via the Encryption Users screen in ePO I am able to log in, but the accounts I added to the system before encryption (the Add Local Domain Users option is selected) give me the Unknown User error. The account I was using to install the encryption software works fine though. When I registered the AD server and tested the connection it was successful.
AD is using samaccountname for the username and display name.
I'm not sure how you added accounts to a system prior to installing it? Usually you'd add accounts at a higher level - like an OU level for example and use the policy relationships?
the add local domain users (ie, users from the domain who have local cached profiles, NOT Local users) can only be applied after activation, because before then, how would it know who they are?
Once again, thanks for your reply.
I was referring to adding the local domain accounts to the system before installing EEPC (using My Computer / Manage on the system). After I added the local domain accounts to the system, I ran the task to install the EEPC agent and then the software. Once the hard drive was fully encrypted, I rebooted and tried to log in as one of the local domain users. I got the unknown user error. I then logged in as myself and verified the local domain users were present on the computer, forced an update on the system from both the system and the ePO console and rebooted again. I am still unable to log in using a local domain account.
The EEAgent does not seem to be collecting the currently/previously logged in domain users information and sending it to the ePO server.
You can check to see if the local domain users have been assigned to the machine. Log in to ePO.
If the user was added then it will appear there.